@amodalai/runtime 0.3.70 → 0.3.72

package/dist/src/auth/strategies/header.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"header.js","sourceRoot":"","sources":["../../../../src/auth/strategies/header.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAwBH,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,QAAQ,CAAC;IACR,UAAU,CAAS;IACnB,OAAO,CAAU;IACjB,UAAU,CAAS;IAEpC,YAAY,UAAqC,EAAE;QACjD,IAAI,CAAC,UAAU,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,aAAa,CAAC,CAAC,WAAW,EAAE,CAAC;QACtE,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAClE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,QAAQ,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,GAAY;QAChB,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,MAAM;YAAE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,yBAAyB,EAAC,CAAC;QAC1E,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE;gBACP,IAAI,EAAE,EAAC,EAAE,EAAE,MAAM,EAAC;gBAClB,MAAM,EAAE,IAAI,CAAC,UAAU;gBACvB,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAC,OAAO,EAAE,IAAI,CAAC,OAAO,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChD,OAAO,EAAE,MAAM;aAChB;SACF,CAAC;IACJ,CAAC;IAEO,IAAI,CAAC,GAAY;QACvB,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3C,MAAM,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QACnD,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC3D,OAAO,EAAE,CAAC;IACZ,CAAC;CACF"}

package/dist/src/auth/strategies/jwks.d.ts

@@ -0,0 +1,38 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * JwksAuthStrategy — verifies Bearer JWTs against a remote JWKS endpoint.
+ *
+ * Cloud uses this for cf-worker-injected platform JWTs; self-hosters can
+ * point it at any JWKS-publishing IdP (their own auth server, Auth0,
+ * Keycloak, etc.) when they want a stateless verifier-only flow.
+ */
+import { createRemoteJWKSet } from 'jose';
+import type { Request } from 'express';
+import type { AuthResult, AuthStrategy } from '../types.js';
+export interface JwksAuthStrategyOptions {
+    /** URL of the JWKS endpoint (e.g. `https://api.example.com/.well-known/jwks.json`). */
+    jwksUrl: string;
+    /** Required `iss` claim. Defaults to no issuer check. */
+    issuer?: string;
+    /** Override the auth method label written to `AuthSession.method`. Defaults to `'jwks'`. */
+    authMethod?: string;
+    /**
+     * Pass-through to `jose.createRemoteJWKSet` for tighter control over
+     * JWKS caching / cooldown / refresh. Useful for ops visibility into
+     * key rotation across multi-instance fleets.
+     */
+    jwksOptions?: Parameters<typeof createRemoteJWKSet>[1];
+}
+export declare class JwksAuthStrategy implements AuthStrategy {
+    readonly name = "jwks";
+    private readonly jwks;
+    private readonly issuer?;
+    private readonly authMethod;
+    constructor(options: JwksAuthStrategyOptions);
+    valid(req: Request): boolean;
+    authenticate(req: Request): Promise<AuthResult>;
+}

package/dist/src/auth/strategies/jwks.js

@@ -0,0 +1,86 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * JwksAuthStrategy — verifies Bearer JWTs against a remote JWKS endpoint.
+ *
+ * Cloud uses this for cf-worker-injected platform JWTs; self-hosters can
+ * point it at any JWKS-publishing IdP (their own auth server, Auth0,
+ * Keycloak, etc.) when they want a stateless verifier-only flow.
+ */
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+export class JwksAuthStrategy {
+    name = 'jwks';
+    jwks;
+    issuer;
+    authMethod;
+    constructor(options) {
+        this.jwks = createRemoteJWKSet(new URL(options.jwksUrl), options.jwksOptions);
+        if (options.issuer !== undefined)
+            this.issuer = options.issuer;
+        this.authMethod = options.authMethod ?? 'jwks';
+    }
+    valid(req) {
+        const token = readBearer(req);
+        if (!token)
+            return false;
+        return looksLikeJwt(token);
+    }
+    async authenticate(req) {
+        const token = readBearer(req);
+        if (!token)
+            return { kind: 'rejected', reason: 'No bearer token' };
+        let payload;
+        try {
+            const result = await jwtVerify(token, this.jwks, this.issuer ? { issuer: this.issuer } : {});
+            payload = result.payload;
+        }
+        catch (err) {
+            const detail = err instanceof Error ? err.message : String(err);
+            return { kind: 'rejected', reason: `JWT verification failed: ${detail}` };
+        }
+        return { kind: 'authenticated', session: buildSession(payload, this.authMethod) };
+    }
+}
+function buildSession(payload, method) {
+    const userId = typeof payload['user_id'] === 'string'
+        ? payload['user_id']
+        : typeof payload['sub'] === 'string'
+            ? payload['sub']
+            : '';
+    const session = { user: { id: userId }, method };
+    if (typeof payload['email'] === 'string')
+        session.user.email = payload['email'];
+    if (typeof payload['name'] === 'string')
+        session.user.name = payload['name'];
+    if (typeof payload['agent_id'] === 'string') {
+        session.agentId = payload['agent_id'];
+    }
+    else if (typeof payload['app_id'] === 'string') {
+        session.agentId = payload['app_id'];
+    }
+    if (typeof payload['scope_id'] === 'string')
+        session.scopeId = payload['scope_id'];
+    // Stash the full payload under `claims` so callers can read provider-
+    // specific data (groups, custom roles, etc.) without us trying to
+    // narrow it.
+    session.claims = { ...payload };
+    return session;
+}
+function readBearer(req) {
+    const auth = req.headers['authorization'];
+    if (typeof auth !== 'string')
+        return null;
+    if (!auth.startsWith('Bearer '))
+        return null;
+    const token = auth.slice(7);
+    return token.length > 0 ? token : null;
+}
+function looksLikeJwt(token) {
+    if (token.startsWith('ak_'))
+        return false;
+    return token.split('.').length === 3;
+}
+//# sourceMappingURL=jwks.js.map

package/dist/src/auth/strategies/jwks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks.js","sourceRoot":"","sources":["../../../../src/auth/strategies/jwks.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;GAMG;AACH,OAAO,EAAC,kBAAkB,EAAE,SAAS,EAAC,MAAM,MAAM,CAAC;AAoBnD,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,MAAM,CAAC;IACN,IAAI,CAAkB;IACtB,MAAM,CAAU;IAChB,UAAU,CAAS;IAEpC,YAAY,OAAgC;QAC1C,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAC5B,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,EACxB,OAAO,CAAC,WAAW,CACpB,CAAC;QACF,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;YAAE,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC/D,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,GAAY;QAChB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK;YAAE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,iBAAiB,EAAC,CAAC;QAEjE,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAC5B,KAAK,EACL,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAC,CAAC,CAAC,CAAC,EAAE,CACzC,CAAC;YACF,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,4BAA4B,MAAM,EAAE,EAAC,CAAC;QAC1E,CAAC;QAED,OAAO,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,YAAY,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,EAAC,CAAC;IAClF,CAAC;CACF;AAED,SAAS,YAAY,CAAC,OAAmB,EAAE,MAAc;IACvD,MAAM,MAAM,GACV,OAAO,OAAO,CAAC,SAAS,CAAC,KAAK,QAAQ;QACpC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;QACpB,CAAC,CAAC,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;YACpC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;YAChB,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,OAAO,GAAgB,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,MAAM,EAAC,EAAE,MAAM,EAAC,CAAC;IAC1D,IAAI,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChF,IAAI,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7E,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACxC,CAAC;SAAM,IAAI,OAAO,OAAO,CAAC,QAAQ,CAAC,KAAK,QAAQ,EAAE,CAAC;QACjD,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnF,sEAAsE;IACtE,kEAAkE;IAClE,aAAa;IACb,OAAO,CAAC,MAAM,GAAG,EAAC,GAAG,OAAO,EAAC,CAAC;IAC9B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,UAAU,CAAC,GAAY;IAC9B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;AACvC,CAAC"}

package/dist/src/auth/strategies/jwt-secret.d.ts

@@ -0,0 +1,25 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+import type { Request } from 'express';
+import type { AuthResult, AuthStrategy } from '../types.js';
+export interface JwtSecretAuthStrategyOptions {
+    secret: string;
+    algorithm?: 'HS256' | 'HS384' | 'HS512';
+    issuer?: string;
+    audience?: string;
+    authMethod?: string;
+}
+export declare class JwtSecretAuthStrategy implements AuthStrategy {
+    readonly name = "jwt-secret";
+    private readonly secretKey;
+    private readonly algorithm;
+    private readonly issuer?;
+    private readonly audience?;
+    private readonly authMethod;
+    constructor(options: JwtSecretAuthStrategyOptions);
+    valid(req: Request): boolean;
+    authenticate(req: Request): Promise<AuthResult>;
+}

package/dist/src/auth/strategies/jwt-secret.js

@@ -0,0 +1,82 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * JwtSecretAuthStrategy — verifies HMAC-signed Bearer JWTs against a
+ * shared secret. For ISV / server-mediated flows where another server
+ * (the agent owner's backend) mints JWTs and amodal verifies them with
+ * the same shared secret.
+ */
+import { jwtVerify } from 'jose';
+export class JwtSecretAuthStrategy {
+    name = 'jwt-secret';
+    secretKey;
+    algorithm;
+    issuer;
+    audience;
+    authMethod;
+    constructor(options) {
+        this.secretKey = new TextEncoder().encode(options.secret);
+        this.algorithm = options.algorithm ?? 'HS256';
+        if (options.issuer !== undefined)
+            this.issuer = options.issuer;
+        if (options.audience !== undefined)
+            this.audience = options.audience;
+        this.authMethod = options.authMethod ?? 'jwt-secret';
+    }
+    valid(req) {
+        const token = readBearer(req);
+        if (!token)
+            return false;
+        if (token.startsWith('ak_'))
+            return false;
+        return token.split('.').length === 3;
+    }
+    async authenticate(req) {
+        const token = readBearer(req);
+        if (!token)
+            return { kind: 'rejected', reason: 'No bearer token' };
+        let payload;
+        try {
+            const result = await jwtVerify(token, this.secretKey, {
+                algorithms: [this.algorithm],
+                ...(this.issuer ? { issuer: this.issuer } : {}),
+                ...(this.audience ? { audience: this.audience } : {}),
+            });
+            payload = result.payload;
+        }
+        catch (err) {
+            const detail = err instanceof Error ? err.message : String(err);
+            return { kind: 'rejected', reason: `JWT verification failed: ${detail}` };
+        }
+        return { kind: 'authenticated', session: buildSession(payload, this.authMethod) };
+    }
+}
+function buildSession(payload, method) {
+    const userId = typeof payload['user_id'] === 'string'
+        ? payload['user_id']
+        : typeof payload['sub'] === 'string'
+            ? payload['sub']
+            : '';
+    const session = { user: { id: userId }, method };
+    if (typeof payload['email'] === 'string')
+        session.user.email = payload['email'];
+    if (typeof payload['name'] === 'string')
+        session.user.name = payload['name'];
+    if (typeof payload['agent_id'] === 'string')
+        session.agentId = payload['agent_id'];
+    if (typeof payload['scope_id'] === 'string')
+        session.scopeId = payload['scope_id'];
+    session.claims = { ...payload };
+    return session;
+}
+function readBearer(req) {
+    const auth = req.headers['authorization'];
+    if (typeof auth !== 'string' || !auth.startsWith('Bearer '))
+        return null;
+    const token = auth.slice(7);
+    return token.length > 0 ? token : null;
+}
+//# sourceMappingURL=jwt-secret.js.map

package/dist/src/auth/strategies/jwt-secret.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-secret.js","sourceRoot":"","sources":["../../../../src/auth/strategies/jwt-secret.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;GAKG;AACH,OAAO,EAAC,SAAS,EAAC,MAAM,MAAM,CAAC;AAa/B,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,YAAY,CAAC;IACZ,SAAS,CAAa;IACtB,SAAS,CAAS;IAClB,MAAM,CAAU;IAChB,QAAQ,CAAU;IAClB,UAAU,CAAS;IAEpC,YAAY,OAAqC;QAC/C,IAAI,CAAC,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC1D,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC;QAC9C,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;YAAE,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC/D,IAAI,OAAO,CAAC,QAAQ,KAAK,SAAS;YAAE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACrE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,GAAY;QAChB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK;YAAE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,iBAAiB,EAAC,CAAC;QAEjE,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,EAAE;gBACpD,UAAU,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;gBAC5B,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7C,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;aACpD,CAAC,CAAC;YACH,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,4BAA4B,MAAM,EAAE,EAAC,CAAC;QAC1E,CAAC;QAED,OAAO,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,YAAY,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,EAAC,CAAC;IAClF,CAAC;CACF;AAED,SAAS,YAAY,CAAC,OAAmB,EAAE,MAAc;IACvD,MAAM,MAAM,GACV,OAAO,OAAO,CAAC,SAAS,CAAC,KAAK,QAAQ;QACpC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;QACpB,CAAC,CAAC,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;YACpC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;YAChB,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,OAAO,GAAgB,EAAC,IAAI,EAAE,EAAC,EAAE,EAAE,MAAM,EAAC,EAAE,MAAM,EAAC,CAAC;IAC1D,IAAI,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChF,IAAI,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7E,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnF,IAAI,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnF,OAAO,CAAC,MAAM,GAAG,EAAC,GAAG,OAAO,EAAC,CAAC;IAC9B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,UAAU,CAAC,GAAY;IAC9B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACzE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC"}

package/dist/src/auth/strategies/jwt-secret.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export {};

package/dist/src/auth/strategies/jwt-secret.test.js

@@ -0,0 +1,75 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+import { describe, it, expect } from 'vitest';
+import { SignJWT } from 'jose';
+import { JwtSecretAuthStrategy } from './jwt-secret.js';
+const SECRET = 'a-secret-of-at-least-16-chars';
+const KEY = new TextEncoder().encode(SECRET);
+async function mintHs256(payload, { iss, aud } = {}) {
+    let jwt = new SignJWT(payload).setProtectedHeader({ alg: 'HS256' }).setIssuedAt().setExpirationTime('5m');
+    if (iss)
+        jwt = jwt.setIssuer(iss);
+    if (aud)
+        jwt = jwt.setAudience(aud);
+    return jwt.sign(KEY);
+}
+function reqWith(token) {
+    return {
+        headers: token === null ? {} : { authorization: `Bearer ${token}` },
+    };
+}
+describe('JwtSecretAuthStrategy', () => {
+    it('valid() is false without a Bearer header', () => {
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        expect(s.valid(reqWith(null))).toBe(false);
+    });
+    it('valid() is false on ak_-prefixed tokens', () => {
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        expect(s.valid(reqWith('ak_x'))).toBe(false);
+    });
+    it('valid() is true on a 3-segment Bearer', () => {
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        expect(s.valid(reqWith('aa.bb.cc'))).toBe(true);
+    });
+    it('authenticates a JWT signed with the matching secret', async () => {
+        const token = await mintHs256({ sub: 'u-1', email: 'a@b' });
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        const r = await s.authenticate(reqWith(token));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user).toEqual({ id: 'u-1', email: 'a@b' });
+            expect(r.session.method).toBe('jwt-secret');
+        }
+    });
+    it('rejects a JWT signed with a different secret', async () => {
+        const token = await new SignJWT({ sub: 'u-1' })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuedAt()
+            .setExpirationTime('5m')
+            .sign(new TextEncoder().encode('different-secret-of-16-chars'));
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        const r = await s.authenticate(reqWith(token));
+        expect(r.kind).toBe('rejected');
+    });
+    it('enforces issuer when configured', async () => {
+        const goodToken = await mintHs256({ sub: 'u' }, { iss: 'expected-issuer' });
+        const badToken = await mintHs256({ sub: 'u' }, { iss: 'wrong-issuer' });
+        const s = new JwtSecretAuthStrategy({ secret: SECRET, issuer: 'expected-issuer' });
+        expect((await s.authenticate(reqWith(goodToken))).kind).toBe('authenticated');
+        expect((await s.authenticate(reqWith(badToken))).kind).toBe('rejected');
+    });
+    it('rejects an expired token', async () => {
+        const expired = await new SignJWT({ sub: 'u' })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuedAt(Math.floor(Date.now() / 1000) - 3600)
+            .setExpirationTime(Math.floor(Date.now() / 1000) - 60)
+            .sign(KEY);
+        const s = new JwtSecretAuthStrategy({ secret: SECRET });
+        const r = await s.authenticate(reqWith(expired));
+        expect(r.kind).toBe('rejected');
+    });
+});
+//# sourceMappingURL=jwt-secret.test.js.map

package/dist/src/auth/strategies/jwt-secret.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-secret.test.js","sourceRoot":"","sources":["../../../../src/auth/strategies/jwt-secret.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAC,MAAM,QAAQ,CAAC;AAC5C,OAAO,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAE7B,OAAO,EAAC,qBAAqB,EAAC,MAAM,iBAAiB,CAAC;AAEtD,MAAM,MAAM,GAAG,+BAA+B,CAAC;AAC/C,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAE7C,KAAK,UAAU,SAAS,CAAC,OAAgC,EAAE,EAAC,GAAG,EAAE,GAAG,KAAkC,EAAE;IACtG,IAAI,GAAG,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC,CAAC,WAAW,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACxG,IAAI,GAAG;QAAE,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,GAAG;QAAE,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACpC,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,OAAO,CAAC,KAAoB;IACnC,OAAO;QACL,OAAO,EAAE,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAC,aAAa,EAAE,UAAU,KAAK,EAAE,EAAC;KAC5C,CAAC;AAC1B,CAAC;AAED,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,EAAC,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAC,CAAC,CAAC;QAC1D,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/C,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAC,CAAC,CAAC;YAC1D,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,KAAK,EAAC,CAAC;aAC1C,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;aAClC,WAAW,EAAE;aACb,iBAAiB,CAAC,IAAI,CAAC;aACvB,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,8BAA8B,CAAC,CAAC,CAAC;QAClE,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/C,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,EAAC,GAAG,EAAE,GAAG,EAAC,EAAE,EAAC,GAAG,EAAE,iBAAiB,EAAC,CAAC,CAAC;QACxE,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,EAAC,GAAG,EAAE,GAAG,EAAC,EAAE,EAAC,GAAG,EAAE,cAAc,EAAC,CAAC,CAAC;QACpE,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,iBAAiB,EAAC,CAAC,CAAC;QACjF,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAC9E,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;QACxC,MAAM,OAAO,GAAG,MAAM,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,GAAG,EAAC,CAAC;aAC1C,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;aAClC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;aACjD,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;aACrD,IAAI,CAAC,GAAG,CAAC,CAAC;QACb,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/auth/strategies/none.d.ts

@@ -0,0 +1,37 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * NoneAuthStrategy — synthesizes an anonymous identity. Always matches
+ * (`valid()` returns true) and always authenticates with the same
+ * synthetic session, so the chain stops at this strategy.
+ *
+ * Place LAST in the chain to act as a default. For public agents (no
+ * end-user auth) or local dev where you want the runtime to accept any
+ * caller.
+ *
+ * Security: NoneAuthStrategy makes the agent reachable without
+ * authentication. Only use when the agent is intentionally public —
+ * ideally combined with cf-worker's `accessMode: 'public'` upstream.
+ */
+import type { Request } from 'express';
+import type { AuthResult, AuthStrategy } from '../types.js';
+export interface NoneAuthStrategyOptions {
+    /** User id to synthesize for anonymous callers. Defaults to `'anonymous'`. */
+    userId?: string;
+    /** Optional `agentId` to attach. */
+    agentId?: string;
+    /** Override `AuthSession.method`. Defaults to `'none'`. */
+    authMethod?: string;
+}
+export declare class NoneAuthStrategy implements AuthStrategy {
+    readonly name = "none";
+    private readonly userId;
+    private readonly agentId?;
+    private readonly authMethod;
+    constructor(options?: NoneAuthStrategyOptions);
+    valid(_req: Request): boolean;
+    authenticate(_req: Request): Promise<AuthResult>;
+}

package/dist/src/auth/strategies/none.js

@@ -0,0 +1,31 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export class NoneAuthStrategy {
+    name = 'none';
+    userId;
+    agentId;
+    authMethod;
+    constructor(options = {}) {
+        this.userId = options.userId ?? 'anonymous';
+        if (options.agentId !== undefined)
+            this.agentId = options.agentId;
+        this.authMethod = options.authMethod ?? 'none';
+    }
+    valid(_req) {
+        return true;
+    }
+    async authenticate(_req) {
+        return {
+            kind: 'authenticated',
+            session: {
+                user: { id: this.userId },
+                method: this.authMethod,
+                ...(this.agentId ? { agentId: this.agentId } : {}),
+            },
+        };
+    }
+}
+//# sourceMappingURL=none.js.map

package/dist/src/auth/strategies/none.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"none.js","sourceRoot":"","sources":["../../../../src/auth/strategies/none.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA2BH,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,MAAM,CAAC;IACN,MAAM,CAAS;IACf,OAAO,CAAU;IACjB,UAAU,CAAS;IAEpC,YAAY,UAAmC,EAAE;QAC/C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,WAAW,CAAC;QAC5C,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAClE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,IAAa;QACjB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAa;QAC9B,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE;gBACP,IAAI,EAAE,EAAC,EAAE,EAAE,IAAI,CAAC,MAAM,EAAC;gBACvB,MAAM,EAAE,IAAI,CAAC,UAAU;gBACvB,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAC,OAAO,EAAE,IAAI,CAAC,OAAO,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;aACjD;SACF,CAAC;IACJ,CAAC;CACF"}

package/dist/src/auth/strategies/oidc.d.ts

@@ -0,0 +1,48 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+import type { Request, Router as ExpressRouter } from 'express';
+import type { JWTPayload } from 'jose';
+import type { AuthResult, AuthSession, AuthStrategy } from '../types.js';
+export interface OidcAuthStrategyOptions {
+    issuer: string;
+    clientId: string;
+    clientSecret: string;
+    callbackUrl: string;
+    scopes?: readonly string[];
+    /** HMAC secret used to sign the session JWT cookie. Min 16 chars. */
+    sessionSecret: string;
+    /** Cookie name. Defaults to `'amodal_session'`. */
+    cookieName?: string;
+    /** Session TTL in seconds. Defaults to 24h. */
+    sessionTtlSeconds?: number;
+    /**
+     * Authorize hook — given the verified id_token claims, return the
+     * AuthSession.user fields the runtime should use, or `null` to deny.
+     * Defaults to allowing any authenticated user with `id` from `sub`.
+     */
+    authorize?: (claims: JWTPayload) => Promise<AuthSession['user'] | null> | AuthSession['user'] | null;
+    authMethod?: string;
+    /**
+     * Allow plain-HTTP discovery + token exchange. Off by default —
+     * `openid-client` enforces HTTPS in production. Tests against an
+     * in-process IdP need this; production deploys must not enable it.
+     */
+    allowInsecureRequests?: boolean;
+}
+export declare class OidcAuthStrategy implements AuthStrategy {
+    readonly name = "oidc";
+    private readonly opts;
+    private readonly sessionKey;
+    private discoveryPromise;
+    constructor(options: OidcAuthStrategyOptions);
+    valid(req: Request): boolean;
+    authenticate(req: Request): Promise<AuthResult>;
+    routes(): ExpressRouter;
+    private config;
+    private handleLogin;
+    private handleCallback;
+    private resolveUser;
+}

package/dist/src/auth/strategies/oidc.integration.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export {};