@amodalai/runtime 0.3.70 → 0.3.72

package/dist/src/auth/strategies/auth-modes.integration.test.js

@@ -0,0 +1,363 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * End-to-end tests for the simpler auth modes — `none`, `header`,
+ * `jwt_secret`, `custom`, `amodal` — exercised through a real Express
+ * app over real HTTP. The OIDC strategy gets its own integration file
+ * (`oidc.integration.test.ts`) since it requires booting a full IdP.
+ *
+ * Each test:
+ *  1. Constructs the strategy via `createAuthStrategy(config)` so the
+ *     factory's wiring is on the hot path (not just the strategy's
+ *     constructor).
+ *  2. Mounts it on a real Express server bound to a random port.
+ *  3. Hits a protected route with appropriate credentials.
+ *  4. Asserts both the success and rejection paths.
+ */
+import http from 'node:http';
+import { randomBytes, generateKeyPairSync } from 'node:crypto';
+import { fileURLToPath } from 'node:url';
+import { dirname, resolve } from 'node:path';
+import express from 'express';
+import { SignJWT, exportJWK } from 'jose';
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { createAuthStrategy } from '../factory.js';
+import { authenticate, getSession } from '../compose.js';
+async function startProtectedApp(strategy) {
+    const app = express();
+    app.get('/protected', authenticate(strategy), (_req, res) => {
+        const session = getSession(res);
+        res.json({ user: session?.user, method: session?.method });
+    });
+    return new Promise((resolve, reject) => {
+        const server = http.createServer(app);
+        server.on('error', reject);
+        server.listen(0, '127.0.0.1', () => {
+            const addr = server.address();
+            resolve({
+                url: `http://127.0.0.1:${addr.port}`,
+                close: () => new Promise((closeResolve, closeReject) => {
+                    server.close((err) => err ? closeReject(err) : closeResolve());
+                }),
+            });
+        });
+    });
+}
+async function getJson(url, init = {}) {
+    const res = await fetch(url, init);
+    let body = {};
+    if (res.headers.get('content-type')?.includes('application/json')) {
+        body = (await res.json());
+    }
+    return { status: res.status, body };
+}
+// ---------------------------------------------------------------------------
+// none
+// ---------------------------------------------------------------------------
+describe('none mode — integration', () => {
+    let app;
+    beforeAll(async () => {
+        const strategy = await createAuthStrategy({ type: 'none' });
+        app = await startProtectedApp(strategy);
+    });
+    afterAll(async () => {
+        if (app)
+            await app.close();
+    });
+    it('lets every request through with the synthesized anonymous user', async () => {
+        const { status, body } = await getJson(`${app.url}/protected`);
+        expect(status).toBe(200);
+        expect(body.user?.id).toBe('anonymous');
+        expect(body.method).toBe('none');
+    });
+    it('respects a custom userId override', async () => {
+        const strategy = await createAuthStrategy({ type: 'none', userId: 'guest' });
+        const guestApp = await startProtectedApp(strategy);
+        try {
+            const { status, body } = await getJson(`${guestApp.url}/protected`);
+            expect(status).toBe(200);
+            expect(body.user?.id).toBe('guest');
+        }
+        finally {
+            await guestApp.close();
+        }
+    });
+});
+// ---------------------------------------------------------------------------
+// header
+// ---------------------------------------------------------------------------
+describe('header mode — integration', () => {
+    let app;
+    beforeAll(async () => {
+        const strategy = await createAuthStrategy({ type: 'header' });
+        app = await startProtectedApp(strategy);
+    });
+    afterAll(async () => {
+        if (app)
+            await app.close();
+    });
+    it('reads identity from the default X-Auth-User header', async () => {
+        const { status, body } = await getJson(`${app.url}/protected`, {
+            headers: { 'X-Auth-User': 'alice' },
+        });
+        expect(status).toBe(200);
+        expect(body.user?.id).toBe('alice');
+        expect(body.method).toBe('header');
+    });
+    it('rejects requests with no identity header', async () => {
+        const { status } = await getJson(`${app.url}/protected`);
+        expect(status).toBe(401);
+    });
+    it('honours a configured headerName', async () => {
+        const strategy = await createAuthStrategy({
+            type: 'header',
+            headerName: 'X-Forwarded-User',
+        });
+        const customApp = await startProtectedApp(strategy);
+        try {
+            const ok = await getJson(`${customApp.url}/protected`, {
+                headers: { 'X-Forwarded-User': 'bob' },
+            });
+            expect(ok.status).toBe(200);
+            expect(ok.body.user?.id).toBe('bob');
+            // wrong header → rejected
+            const bad = await getJson(`${customApp.url}/protected`, {
+                headers: { 'X-Auth-User': 'eve' },
+            });
+            expect(bad.status).toBe(401);
+        }
+        finally {
+            await customApp.close();
+        }
+    });
+});
+// ---------------------------------------------------------------------------
+// jwt_secret
+// ---------------------------------------------------------------------------
+describe('jwt_secret mode — integration', () => {
+    const SECRET = 'shared-hmac-secret-please-rotate';
+    let app;
+    async function mintToken(claims = {}, ttl = 300) {
+        const key = new TextEncoder().encode(SECRET);
+        return new SignJWT({ sub: 'user-1', email: 'u1@example.com', name: 'User One', ...claims })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuedAt()
+            .setExpirationTime(`${ttl}s`)
+            .sign(key);
+    }
+    beforeAll(async () => {
+        const strategy = await createAuthStrategy({ type: 'jwt_secret', secret: SECRET });
+        app = await startProtectedApp(strategy);
+    });
+    afterAll(async () => {
+        if (app)
+            await app.close();
+    });
+    it('accepts a valid HS256 bearer token', async () => {
+        const token = await mintToken();
+        const { status, body } = await getJson(`${app.url}/protected`, {
+            headers: { Authorization: `Bearer ${token}` },
+        });
+        expect(status).toBe(200);
+        expect(body.user?.id).toBe('user-1');
+        expect(body.user?.email).toBe('u1@example.com');
+    });
+    it('rejects a tampered signature', async () => {
+        const token = await mintToken();
+        const tampered = `${token.slice(0, -3)}AAA`;
+        const { status } = await getJson(`${app.url}/protected`, {
+            headers: { Authorization: `Bearer ${tampered}` },
+        });
+        expect(status).toBe(401);
+    });
+    it('rejects a token signed with a different secret', async () => {
+        const wrongKey = new TextEncoder().encode('different-secret-of-similar-length');
+        const token = await new SignJWT({ sub: 'imposter' })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuedAt()
+            .setExpirationTime('5m')
+            .sign(wrongKey);
+        const { status } = await getJson(`${app.url}/protected`, {
+            headers: { Authorization: `Bearer ${token}` },
+        });
+        expect(status).toBe(401);
+    });
+    it('rejects when no Authorization header is sent', async () => {
+        const { status } = await getJson(`${app.url}/protected`);
+        expect(status).toBe(401);
+    });
+    it('enforces issuer when configured', async () => {
+        const strategy = await createAuthStrategy({
+            type: 'jwt_secret',
+            secret: SECRET,
+            issuer: 'expected-issuer',
+        });
+        const issuerApp = await startProtectedApp(strategy);
+        try {
+            const goodKey = new TextEncoder().encode(SECRET);
+            const goodToken = await new SignJWT({ sub: 'user-1' })
+                .setProtectedHeader({ alg: 'HS256' })
+                .setIssuedAt()
+                .setExpirationTime('5m')
+                .setIssuer('expected-issuer')
+                .sign(goodKey);
+            const badToken = await new SignJWT({ sub: 'user-1' })
+                .setProtectedHeader({ alg: 'HS256' })
+                .setIssuedAt()
+                .setExpirationTime('5m')
+                .setIssuer('other-issuer')
+                .sign(goodKey);
+            const ok = await getJson(`${issuerApp.url}/protected`, {
+                headers: { Authorization: `Bearer ${goodToken}` },
+            });
+            expect(ok.status).toBe(200);
+            const bad = await getJson(`${issuerApp.url}/protected`, {
+                headers: { Authorization: `Bearer ${badToken}` },
+            });
+            expect(bad.status).toBe(401);
+        }
+        finally {
+            await issuerApp.close();
+        }
+    });
+});
+// ---------------------------------------------------------------------------
+// custom
+// ---------------------------------------------------------------------------
+describe('custom mode — integration', () => {
+    let app;
+    beforeAll(async () => {
+        // Resolve the fixture path relative to this test file so the dynamic
+        // import works regardless of cwd.
+        const here = dirname(fileURLToPath(import.meta.url));
+        const modulePath = resolve(here, '../__fixtures__/custom-strategy.ts');
+        const strategy = await createAuthStrategy({ type: 'custom', module: modulePath });
+        app = await startProtectedApp(strategy);
+    });
+    afterAll(async () => {
+        if (app)
+            await app.close();
+    });
+    it('authenticates when the fixture token matches', async () => {
+        const { status, body } = await getJson(`${app.url}/protected`, {
+            headers: { 'X-Custom-Token': 'secret-value' },
+        });
+        expect(status).toBe(200);
+        expect(body.user?.id).toBe('custom-user');
+        expect(body.method).toBe('custom-test');
+    });
+    it('rejects when the fixture token is wrong', async () => {
+        const { status } = await getJson(`${app.url}/protected`, {
+            headers: { 'X-Custom-Token': 'not-the-secret' },
+        });
+        expect(status).toBe(401);
+    });
+    it('rejects when the fixture header is missing', async () => {
+        const { status } = await getJson(`${app.url}/protected`);
+        expect(status).toBe(401);
+    });
+    it('throws at construction when the module path does not exist', async () => {
+        await expect(createAuthStrategy({ type: 'custom', module: '/path/that/does/not/exist.ts' })).rejects.toThrow(/Failed to load custom auth strategy/);
+    });
+});
+async function startJwksServer() {
+    // jose's exportJWK + SignJWT accept Node's KeyObject as a valid KeyLike.
+    const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
+    const publicJwk = await exportJWK(publicKey);
+    const kid = randomBytes(8).toString('hex');
+    publicJwk.kid = kid;
+    publicJwk.alg = 'RS256';
+    publicJwk.use = 'sig';
+    const app = express();
+    app.get('/.well-known/jwks.json', (_req, res) => {
+        res.json({ keys: [publicJwk] });
+    });
+    const signingKey = privateKey;
+    return new Promise((resolve, reject) => {
+        const server = http.createServer(app);
+        server.on('error', reject);
+        server.listen(0, '127.0.0.1', () => {
+            const addr = server.address();
+            const url = `http://127.0.0.1:${addr.port}`;
+            resolve({
+                url,
+                jwksUrl: `${url}/.well-known/jwks.json`,
+                signingKey,
+                kid,
+                close: () => new Promise((closeResolve, closeReject) => {
+                    server.close((err) => err ? closeReject(err) : closeResolve());
+                }),
+            });
+        });
+    });
+}
+describe('amodal mode — integration', () => {
+    const ISSUER = 'integration-test-platform';
+    let jwks;
+    let app;
+    async function mintPlatformToken(claims = {}, issuer = ISSUER) {
+        return new SignJWT({ sub: 'amodal-user-1', email: 'a1@amodal.test', ...claims })
+            .setProtectedHeader({ alg: 'RS256', kid: jwks.kid })
+            .setIssuedAt()
+            .setIssuer(issuer)
+            .setExpirationTime('5m')
+            .sign(jwks.signingKey);
+    }
+    beforeAll(async () => {
+        jwks = await startJwksServer();
+        const strategy = await createAuthStrategy({
+            type: 'amodal',
+            jwksUrl: jwks.jwksUrl,
+            issuer: ISSUER,
+        });
+        app = await startProtectedApp(strategy);
+    });
+    afterAll(async () => {
+        if (app)
+            await app.close();
+        if (jwks)
+            await jwks.close();
+    });
+    it('accepts a platform-signed JWT verified against the JWKS', async () => {
+        const token = await mintPlatformToken();
+        const { status, body } = await getJson(`${app.url}/protected`, {
+            headers: { Authorization: `Bearer ${token}` },
+        });
+        expect(status).toBe(200);
+        expect(body.user?.id).toBe('amodal-user-1');
+        expect(body.method).toBe('amodal');
+    });
+    it('rejects a token with the wrong issuer', async () => {
+        const token = await mintPlatformToken({}, 'someone-elses-platform');
+        const { status } = await getJson(`${app.url}/protected`, {
+            headers: { Authorization: `Bearer ${token}` },
+        });
+        expect(status).toBe(401);
+    });
+    it('rejects a token signed by a different key', async () => {
+        const otherJwks = await startJwksServer();
+        try {
+            const token = await new SignJWT({ sub: 'imposter' })
+                .setProtectedHeader({ alg: 'RS256', kid: otherJwks.kid })
+                .setIssuedAt()
+                .setIssuer(ISSUER)
+                .setExpirationTime('5m')
+                .sign(otherJwks.signingKey);
+            const { status } = await getJson(`${app.url}/protected`, {
+                headers: { Authorization: `Bearer ${token}` },
+            });
+            expect(status).toBe(401);
+        }
+        finally {
+            await otherJwks.close();
+        }
+    });
+    it('rejects when no bearer token is sent', async () => {
+        const { status } = await getJson(`${app.url}/protected`);
+        expect(status).toBe(401);
+    });
+});
+//# sourceMappingURL=auth-modes.integration.test.js.map

package/dist/src/auth/strategies/auth-modes.integration.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-modes.integration.test.js","sourceRoot":"","sources":["../../../../src/auth/strategies/auth-modes.integration.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;;;;;;GAaG;AACH,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAC,WAAW,EAAE,mBAAmB,EAAC,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAC,aAAa,EAAC,MAAM,UAAU,CAAC;AACvC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAC,MAAM,WAAW,CAAC;AAC3C,OAAO,OAAO,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAC,OAAO,EAAE,SAAS,EAAC,MAAM,MAAM,CAAC;AAExC,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAC,MAAM,QAAQ,CAAC;AAEjE,OAAO,EAAC,kBAAkB,EAAC,MAAM,eAAe,CAAC;AACjD,OAAO,EAAC,YAAY,EAAE,UAAU,EAAC,MAAM,eAAe,CAAC;AAQvD,KAAK,UAAU,iBAAiB,CAAC,QAAsB;IACrD,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC1D,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAChC,GAAG,CAAC,IAAI,CAAC,EAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAC,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IACH,OAAO,IAAI,OAAO,CAAa,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAiB,CAAC;YAC7C,OAAO,CAAC;gBACN,GAAG,EAAE,oBAAoB,IAAI,CAAC,IAAI,EAAE;gBACpC,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,YAAY,EAAE,WAAW,EAAE,EAAE;oBAC9C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CACnB,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,EAAE,CACxC,CAAC;gBACJ,CAAC,CAAC;aACL,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAOD,KAAK,UAAU,OAAO,CAAC,GAAW,EAAE,OAAoB,EAAE;IAIxD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACnC,IAAI,IAAI,GAAoB,EAAE,CAAC;IAC/B,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAClE,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoB,CAAC;IAC/C,CAAC;IACD,OAAO,EAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAC,CAAC;AACpC,CAAC;AAED,8EAA8E;AAC9E,OAAO;AACP,8EAA8E;AAE9E,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,IAAI,GAAe,CAAC;IAEpB,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,EAAC,IAAI,EAAE,MAAM,EAAC,CAAC,CAAC;QAC1D,GAAG,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,IAAI,GAAG;YAAE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,EAAC,MAAM,EAAE,IAAI,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC;QAC7D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,EAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAC,CAAC,CAAC;QAC3E,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC;YACH,MAAM,EAAC,MAAM,EAAE,IAAI,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,QAAQ,CAAC,GAAG,YAAY,CAAC,CAAC;YAClE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,CAAC;gBAAS,CAAC;YACT,MAAM,QAAQ,CAAC,KAAK,EAAE,CAAC;QACzB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,IAAI,GAAe,CAAC;IAEpB,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,EAAC,IAAI,EAAE,QAAQ,EAAC,CAAC,CAAC;QAC5D,GAAG,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,IAAI,GAAG;YAAE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,EAAC,MAAM,EAAE,IAAI,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YAC3D,OAAO,EAAE,EAAC,aAAa,EAAE,OAAO,EAAC;SAClC,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,EAAC,MAAM,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC;YACxC,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,kBAAkB;SAC/B,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,GAAG,SAAS,CAAC,GAAG,YAAY,EAAE;gBACrD,OAAO,EAAE,EAAC,kBAAkB,EAAE,KAAK,EAAC;aACrC,CAAC,CAAC;YACH,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC5B,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAErC,0BAA0B;YAC1B,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,SAAS,CAAC,GAAG,YAAY,EAAE;gBACtD,OAAO,EAAE,EAAC,aAAa,EAAE,KAAK,EAAC;aAChC,CAAC,CAAC;YACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC;gBAAS,CAAC;YACT,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,QAAQ,CAAC,+BAA+B,EAAE,GAAG,EAAE;IAC7C,MAAM,MAAM,GAAG,kCAAkC,CAAC;IAClD,IAAI,GAAe,CAAC;IAEpB,KAAK,UAAU,SAAS,CAAC,SAAkC,EAAE,EAAE,GAAG,GAAG,GAAG;QACtE,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7C,OAAO,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,MAAM,EAAC,CAAC;aACtF,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;aAClC,WAAW,EAAE;aACb,iBAAiB,CAAC,GAAG,GAAG,GAAG,CAAC;aAC5B,IAAI,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;IAED,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,EAAC,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QAChF,GAAG,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,IAAI,GAAG;YAAE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,KAAK,GAAG,MAAM,SAAS,EAAE,CAAC;QAChC,MAAM,EAAC,MAAM,EAAE,IAAI,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YAC3D,OAAO,EAAE,EAAC,aAAa,EAAE,UAAU,KAAK,EAAE,EAAC;SAC5C,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,KAAK,GAAG,MAAM,SAAS,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;QAC5C,MAAM,EAAC,MAAM,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YACrD,OAAO,EAAE,EAAC,aAAa,EAAE,UAAU,QAAQ,EAAE,EAAC;SAC/C,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,oCAAoC,CAAC,CAAC;QAChF,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,UAAU,EAAC,CAAC;aAC/C,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;aAClC,WAAW,EAAE;aACb,iBAAiB,CAAC,IAAI,CAAC;aACvB,IAAI,CAAC,QAAQ,CAAC,CAAC;QAClB,MAAM,EAAC,MAAM,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YACrD,OAAO,EAAE,EAAC,aAAa,EAAE,UAAU,KAAK,EAAE,EAAC;SAC5C,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,EAAC,MAAM,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC;YACxC,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,iBAAiB;SAC1B,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,SAAS,GAAG,MAAM,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,QAAQ,EAAC,CAAC;iBACjD,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;iBAClC,WAAW,EAAE;iBACb,iBAAiB,CAAC,IAAI,CAAC;iBACvB,SAAS,CAAC,iBAAiB,CAAC;iBAC5B,IAAI,CAAC,OAAO,CAAC,CAAC;YACjB,MAAM,QAAQ,GAAG,MAAM,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,QAAQ,EAAC,CAAC;iBAChD,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;iBAClC,WAAW,EAAE;iBACb,iBAAiB,CAAC,IAAI,CAAC;iBACvB,SAAS,CAAC,cAAc,CAAC;iBACzB,IAAI,CAAC,OAAO,CAAC,CAAC;YAEjB,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,GAAG,SAAS,CAAC,GAAG,YAAY,EAAE;gBACrD,OAAO,EAAE,EAAC,aAAa,EAAE,UAAU,SAAS,EAAE,EAAC;aAChD,CAAC,CAAC;YACH,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAE5B,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,SAAS,CAAC,GAAG,YAAY,EAAE;gBACtD,OAAO,EAAE,EAAC,aAAa,EAAE,UAAU,QAAQ,EAAE,EAAC;aAC/C,CAAC,CAAC;YACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC;gBAAS,CAAC;YACT,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,IAAI,GAAe,CAAC;IAEpB,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,qEAAqE;QACrE,kCAAkC;QAClC,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACrD,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,EAAE,oCAAoC,CAAC,CAAC;QACvE,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,EAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAC,CAAC,CAAC;QAChF,GAAG,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,IAAI,GAAG;YAAE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,EAAC,MAAM,EAAE,IAAI,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YAC3D,OAAO,EAAE,EAAC,gBAAgB,EAAE,cAAc,EAAC;SAC5C,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC1C,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,EAAC,MAAM,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YACrD,OAAO,EAAE,EAAC,gBAAgB,EAAE,gBAAgB,EAAC;SAC9C,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,EAAC,MAAM,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QAC1E,MAAM,MAAM,CACV,kBAAkB,CAAC,EAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,8BAA8B,EAAC,CAAC,CAC7E,CAAC,OAAO,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAcH,KAAK,UAAU,eAAe;IAC5B,yEAAyE;IACzE,MAAM,EAAC,SAAS,EAAE,UAAU,EAAC,GAAG,mBAAmB,CAAC,KAAK,EAAE,EAAC,aAAa,EAAE,IAAI,EAAC,CAAC,CAAC;IAClF,MAAM,SAAS,GAAQ,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC3C,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC;IACpB,SAAS,CAAC,GAAG,GAAG,OAAO,CAAC;IACxB,SAAS,CAAC,GAAG,GAAG,KAAK,CAAC;IAEtB,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,GAAG,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC9C,GAAG,CAAC,IAAI,CAAC,EAAC,IAAI,EAAE,CAAC,SAAS,CAAC,EAAC,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,UAAU,CAAC;IAE9B,OAAO,IAAI,OAAO,CAAc,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAClD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAiB,CAAC;YAC7C,MAAM,GAAG,GAAG,oBAAoB,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5C,OAAO,CAAC;gBACN,GAAG;gBACH,OAAO,EAAE,GAAG,GAAG,wBAAwB;gBACvC,UAAU;gBACV,GAAG;gBACH,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,YAAY,EAAE,WAAW,EAAE,EAAE;oBAC9C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CACnB,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,EAAE,CACxC,CAAC;gBACJ,CAAC,CAAC;aACL,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,MAAM,MAAM,GAAG,2BAA2B,CAAC;IAC3C,IAAI,IAAiB,CAAC;IACtB,IAAI,GAAe,CAAC;IAEpB,KAAK,UAAU,iBAAiB,CAC9B,SAAkC,EAAE,EACpC,MAAM,GAAG,MAAM;QAEf,OAAO,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,eAAe,EAAE,KAAK,EAAE,gBAAgB,EAAE,GAAG,MAAM,EAAC,CAAC;aAC3E,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAC,CAAC;aACjD,WAAW,EAAE;aACb,SAAS,CAAC,MAAM,CAAC;aACjB,iBAAiB,CAAC,IAAI,CAAC;aACvB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC3B,CAAC;IAED,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,IAAI,GAAG,MAAM,eAAe,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC;YACxC,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;QACH,GAAG,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,IAAI,GAAG;YAAE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAC3B,IAAI,IAAI;YAAE,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,KAAK,GAAG,MAAM,iBAAiB,EAAE,CAAC;QACxC,MAAM,EAAC,MAAM,EAAE,IAAI,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YAC3D,OAAO,EAAE,EAAC,aAAa,EAAE,UAAU,KAAK,EAAE,EAAC;SAC5C,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,EAAE,EAAE,wBAAwB,CAAC,CAAC;QACpE,MAAM,EAAC,MAAM,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YACrD,OAAO,EAAE,EAAC,aAAa,EAAE,UAAU,KAAK,EAAE,EAAC;SAC5C,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,SAAS,GAAG,MAAM,eAAe,EAAE,CAAC;QAC1C,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,UAAU,EAAC,CAAC;iBAC/C,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,EAAC,CAAC;iBACtD,WAAW,EAAE;iBACb,SAAS,CAAC,MAAM,CAAC;iBACjB,iBAAiB,CAAC,IAAI,CAAC;iBACvB,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;YAC9B,MAAM,EAAC,MAAM,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;gBACrD,OAAO,EAAE,EAAC,aAAa,EAAE,UAAU,KAAK,EAAE,EAAC;aAC5C,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,EAAC,MAAM,EAAC,GAAG,MAAM,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/auth/strategies/cookie.d.ts

@@ -0,0 +1,41 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * CookieSessionStrategy — reads a session JWT from a cookie and verifies
+ * it against a JWKS endpoint. Useful for SPA + runtime stacks that don't
+ * sit behind cf-worker (or any other Bearer-injecting proxy) and need
+ * cookie-based session continuity in the browser.
+ *
+ * The JWT contract is the same as `JwksAuthStrategy` — same JWKS, same
+ * issuer check, same claim shape. The only difference is where the token
+ * lives (cookie vs Authorization header).
+ */
+import { createRemoteJWKSet } from 'jose';
+import type { Request } from 'express';
+import type { AuthResult, AuthStrategy } from '../types.js';
+export interface CookieSessionStrategyOptions {
+    /** Cookie name to read. Defaults to `'amodal_session'`. */
+    cookieName?: string;
+    /** JWKS endpoint URL — same shape as `JwksAuthStrategy`. */
+    jwksUrl: string;
+    /** Required `iss` claim. Defaults to no issuer check. */
+    issuer?: string;
+    /** Override `AuthSession.method`. Defaults to `'cookie'`. */
+    authMethod?: string;
+    /** Pass-through to `jose.createRemoteJWKSet`. */
+    jwksOptions?: Parameters<typeof createRemoteJWKSet>[1];
+}
+export declare class CookieSessionStrategy implements AuthStrategy {
+    readonly name = "cookie";
+    private readonly cookieName;
+    private readonly jwks;
+    private readonly issuer?;
+    private readonly authMethod;
+    constructor(options: CookieSessionStrategyOptions);
+    valid(req: Request): boolean;
+    authenticate(req: Request): Promise<AuthResult>;
+    private readCookie;
+}

package/dist/src/auth/strategies/cookie.js

@@ -0,0 +1,84 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * CookieSessionStrategy — reads a session JWT from a cookie and verifies
+ * it against a JWKS endpoint. Useful for SPA + runtime stacks that don't
+ * sit behind cf-worker (or any other Bearer-injecting proxy) and need
+ * cookie-based session continuity in the browser.
+ *
+ * The JWT contract is the same as `JwksAuthStrategy` — same JWKS, same
+ * issuer check, same claim shape. The only difference is where the token
+ * lives (cookie vs Authorization header).
+ */
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+export class CookieSessionStrategy {
+    name = 'cookie';
+    cookieName;
+    jwks;
+    issuer;
+    authMethod;
+    constructor(options) {
+        this.cookieName = options.cookieName ?? 'amodal_session';
+        this.jwks = createRemoteJWKSet(new URL(options.jwksUrl), options.jwksOptions);
+        if (options.issuer !== undefined)
+            this.issuer = options.issuer;
+        this.authMethod = options.authMethod ?? 'cookie';
+    }
+    valid(req) {
+        return Boolean(this.readCookie(req));
+    }
+    async authenticate(req) {
+        const token = this.readCookie(req);
+        if (!token)
+            return { kind: 'rejected', reason: 'No session cookie' };
+        let payload;
+        try {
+            const result = await jwtVerify(token, this.jwks, this.issuer ? { issuer: this.issuer } : {});
+            payload = result.payload;
+        }
+        catch (err) {
+            const detail = err instanceof Error ? err.message : String(err);
+            return { kind: 'rejected', reason: `Cookie session JWT invalid: ${detail}` };
+        }
+        return { kind: 'authenticated', session: buildSession(payload, this.authMethod) };
+    }
+    readCookie(req) {
+        const header = req.headers['cookie'];
+        if (typeof header !== 'string' || header.length === 0)
+            return null;
+        for (const pair of header.split(';')) {
+            const trimmed = pair.trim();
+            const eq = trimmed.indexOf('=');
+            if (eq === -1)
+                continue;
+            const name = trimmed.slice(0, eq);
+            if (name !== this.cookieName)
+                continue;
+            const value = trimmed.slice(eq + 1);
+            return value.length > 0 ? decodeURIComponent(value) : null;
+        }
+        return null;
+    }
+}
+function buildSession(payload, method) {
+    const userId = typeof payload['user_id'] === 'string'
+        ? payload['user_id']
+        : typeof payload['sub'] === 'string'
+            ? payload['sub']
+            : '';
+    const session = { user: { id: userId }, method };
+    if (typeof payload['email'] === 'string')
+        session.user.email = payload['email'];
+    if (typeof payload['name'] === 'string')
+        session.user.name = payload['name'];
+    if (typeof payload['agent_id'] === 'string')
+        session.agentId = payload['agent_id'];
+    if (typeof payload['scope_id'] === 'string')
+        session.scopeId = payload['scope_id'];
+    session.claims = { ...payload };
+    return session;
+}
+//# sourceMappingURL=cookie.js.map

package/dist/src/auth/strategies/cookie.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie.js","sourceRoot":"","sources":["../../../../src/auth/strategies/cookie.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;;GASG;AACH,OAAO,EAAC,kBAAkB,EAAE,SAAS,EAAC,MAAM,MAAM,CAAC;AAkBnD,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,QAAQ,CAAC;IACR,UAAU,CAAS;IACnB,IAAI,CAAkB;IACtB,MAAM,CAAU;IAChB,UAAU,CAAS;IAEpC,YAAY,OAAqC;QAC/C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,gBAAgB,CAAC;QACzD,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAC5B,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,EACxB,OAAO,CAAC,WAAW,CACpB,CAAC;QACF,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;YAAE,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC/D,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,QAAQ,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,GAAY;QAChB,OAAO,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,mBAAmB,EAAC,CAAC;QAEnE,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAC5B,KAAK,EACL,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAC,CAAC,CAAC,CAAC,EAAE,CACzC,CAAC;YACF,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,+BAA+B,MAAM,EAAE,EAAC,CAAC;QAC7E,CAAC;QAED,OAAO,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,YAAY,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,EAAC,CAAC;IAClF,CAAC;IAEO,UAAU,CAAC,GAAY;QAC7B,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnE,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACrC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAChC,IAAI,EAAE,KAAK,CAAC,CAAC;gBAAE,SAAS;YACxB,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAClC,IAAI,IAAI,KAAK,IAAI,CAAC,UAAU;gBAAE,SAAS;YACvC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;YACpC,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC7D,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,SAAS,YAAY,CAAC,OAAmB,EAAE,MAAc;IACvD,MAAM,MAAM,GACV,OAAO,OAAO,CAAC,SAAS,CAAC,KAAK,QAAQ;QACpC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;QACpB,CAAC,CAAC,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;YACpC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;YAChB,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,OAAO,GAAgB,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,MAAM,EAAC,EAAE,MAAM,EAAC,CAAC;IAC1D,IAAI,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChF,IAAI,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7E,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnF,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnF,OAAO,CAAC,MAAM,GAAG,EAAC,GAAG,OAAO,EAAC,CAAC;IAC9B,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/src/auth/strategies/custom-loader.d.ts

@@ -0,0 +1,17 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * Load a custom AuthStrategy from a user-supplied module path. Used by
+ * `AuthConfig` `{type: 'custom', module: './path'}` to let agent owners
+ * drop in a verifier function for any auth system they already use
+ * (Auth0 SDK, Supabase getUser, internal verify endpoint, etc.).
+ *
+ * The module's default export must be an `AuthStrategy` (object with
+ * `name`, `valid`, `authenticate`). The shape is validated; a wrong-
+ * shape export throws at startup with a clear message.
+ */
+import type { AuthStrategy } from '../types.js';
+export declare function loadCustomStrategy(modulePath: string): Promise<AuthStrategy>;

package/dist/src/auth/strategies/custom-loader.js

@@ -0,0 +1,37 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export async function loadCustomStrategy(modulePath) {
+    let mod;
+    try {
+        mod = await import(modulePath);
+    }
+    catch (err) {
+        const detail = err instanceof Error ? err.message : String(err);
+        throw new Error(`Failed to load custom auth strategy from '${modulePath}': ${detail}`, { cause: err });
+    }
+    if (typeof mod !== 'object' || mod === null) {
+        throw new Error(`Custom auth strategy at '${modulePath}' did not export anything`);
+    }
+    const candidate = 'default' in mod
+        ? mod.default
+        : mod;
+    if (!isStrategy(candidate)) {
+        throw new Error(`Custom auth strategy at '${modulePath}' default export does not match the AuthStrategy shape ` +
+            `({name: string, valid(req): boolean, authenticate(req): Promise<AuthResult>})`);
+    }
+    return candidate;
+}
+function isStrategy(value) {
+    if (typeof value !== 'object' || value === null)
+        return false;
+    if (!('name' in value) || !('valid' in value) || !('authenticate' in value)) {
+        return false;
+    }
+    return (typeof value.name === 'string' &&
+        typeof value.valid === 'function' &&
+        typeof value.authenticate === 'function');
+}
+//# sourceMappingURL=custom-loader.js.map

package/dist/src/auth/strategies/custom-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"custom-loader.js","sourceRoot":"","sources":["../../../../src/auth/strategies/custom-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAcH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,UAAkB;IAElB,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,MAAM,IAAI,KAAK,CACb,6CAA6C,UAAU,MAAM,MAAM,EAAE,EACrE,EAAC,KAAK,EAAE,GAAG,EAAC,CACb,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CACb,4BAA4B,UAAU,2BAA2B,CAClE,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GACb,SAAS,IAAI,GAAG;QACd,CAAC,CAAE,GAA0B,CAAC,OAAO;QACrC,CAAC,CAAE,GAAe,CAAC;IACvB,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACb,4BAA4B,UAAU,yDAAyD;YAC7F,+EAA+E,CAClF,CAAC;IACJ,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,UAAU,CAAC,KAAc;IAChC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC9D,IAAI,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,cAAc,IAAI,KAAK,CAAC,EAAE,CAAC;QAC5E,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,CACL,OAAQ,KAAyB,CAAC,IAAI,KAAK,QAAQ;QACnD,OAAQ,KAA0B,CAAC,KAAK,KAAK,UAAU;QACvD,OAAQ,KAAiC,CAAC,YAAY,KAAK,UAAU,CACtE,CAAC;AACJ,CAAC"}

package/dist/src/auth/strategies/header.d.ts

@@ -0,0 +1,35 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * HeaderAuthStrategy — reads the user identity from a configured request
+ * header (default `X-Auth-User`). For service-to-service calls behind a
+ * trusted proxy that authenticates upstream and writes the verified
+ * identity into a header.
+ *
+ * Security: never expose a route protected by this strategy directly to
+ * the public internet. Trusted-header strategies presume an upstream
+ * proxy strips the header on inbound requests and writes its own.
+ */
+import type { Request } from 'express';
+import type { AuthResult, AuthStrategy } from '../types.js';
+export interface HeaderAuthStrategyOptions {
+    /** Header name to read (case-insensitive). Defaults to `'X-Auth-User'`. */
+    headerName?: string;
+    /** Optional `agentId` to attach to the resulting session. */
+    agentId?: string;
+    /** Override `AuthSession.method`. Defaults to `'header'`. */
+    authMethod?: string;
+}
+export declare class HeaderAuthStrategy implements AuthStrategy {
+    readonly name = "header";
+    private readonly headerName;
+    private readonly agentId?;
+    private readonly authMethod;
+    constructor(options?: HeaderAuthStrategyOptions);
+    valid(req: Request): boolean;
+    authenticate(req: Request): Promise<AuthResult>;
+    private read;
+}

package/dist/src/auth/strategies/header.js

@@ -0,0 +1,42 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export class HeaderAuthStrategy {
+    name = 'header';
+    headerName;
+    agentId;
+    authMethod;
+    constructor(options = {}) {
+        this.headerName = (options.headerName ?? 'X-Auth-User').toLowerCase();
+        if (options.agentId !== undefined)
+            this.agentId = options.agentId;
+        this.authMethod = options.authMethod ?? 'header';
+    }
+    valid(req) {
+        return Boolean(this.read(req));
+    }
+    async authenticate(req) {
+        const userId = this.read(req);
+        if (!userId)
+            return { kind: 'rejected', reason: 'Missing identity header' };
+        return {
+            kind: 'authenticated',
+            session: {
+                user: { id: userId },
+                method: this.authMethod,
+                ...(this.agentId ? { agentId: this.agentId } : {}),
+                scopeId: userId,
+            },
+        };
+    }
+    read(req) {
+        const value = req.headers[this.headerName];
+        const id = Array.isArray(value) ? value[0] : value;
+        if (typeof id !== 'string' || id.length === 0)
+            return null;
+        return id;
+    }
+}
+//# sourceMappingURL=header.js.map