@amodalai/runtime 0.3.70 → 0.3.72

package/dist/src/auth/strategies/oidc.test.js

@@ -0,0 +1,111 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * OIDC strategy tests focus on the bits we own: cookie verification on
+ * subsequent requests, route mounting, logout. The OAuth dance itself
+ * (login redirect, callback exchange) is delegated to `openid-client`
+ * and exercised at the boundary by mocking that module.
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { SignJWT } from 'jose';
+import express from 'express';
+import supertest from 'supertest';
+const oidcMocks = {
+    discovery: vi.fn(),
+    randomPKCECodeVerifier: vi.fn(() => 'pkce-verifier'),
+    calculatePKCECodeChallenge: vi.fn(() => Promise.resolve('pkce-challenge')),
+    randomState: vi.fn(() => 'state-abc'),
+    buildAuthorizationUrl: vi.fn((_cfg, params) => {
+        const u = new URL('https://acme.okta.com/oauth2/v1/authorize');
+        for (const [k, v] of Object.entries(params))
+            u.searchParams.set(k, String(v));
+        return u;
+    }),
+    authorizationCodeGrant: vi.fn(),
+};
+vi.mock('openid-client', () => oidcMocks);
+const { OidcAuthStrategy } = await import('./oidc.js');
+const SESSION_SECRET = 'a-secret-of-at-least-16-chars';
+const KEY = new TextEncoder().encode(SESSION_SECRET);
+function reqWith(cookie) {
+    return { headers: cookie ? { cookie } : {} };
+}
+async function mintSession(payload) {
+    return new SignJWT(payload)
+        .setProtectedHeader({ alg: 'HS256' })
+        .setIssuer('amodal-runtime')
+        .setSubject('u-1')
+        .setIssuedAt()
+        .setExpirationTime('1h')
+        .sign(KEY);
+}
+function newStrategy() {
+    return new OidcAuthStrategy({
+        issuer: 'https://acme.okta.com',
+        clientId: 'abc',
+        clientSecret: 'shh',
+        callbackUrl: 'https://agent.example.com/auth/callback',
+        sessionSecret: SESSION_SECRET,
+    });
+}
+describe('OidcAuthStrategy — cookie verification', () => {
+    beforeEach(() => {
+        Object.values(oidcMocks).forEach((m) => {
+            if (typeof m.mockReset === 'function') {
+                m.mockReset();
+            }
+        });
+    });
+    it('valid() is false without the session cookie', () => {
+        const s = newStrategy();
+        expect(s.valid(reqWith())).toBe(false);
+    });
+    it('authenticates with a valid session cookie', async () => {
+        const token = await mintSession({ sub: 'u-1', email: 'a@b', name: 'Alice', claims: { groups: ['eng'] } });
+        const s = newStrategy();
+        const r = await s.authenticate(reqWith(`amodal_session=${token}`));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user).toEqual({ id: 'u-1', email: 'a@b', name: 'Alice' });
+            expect(r.session.method).toBe('oidc');
+            expect(r.session.claims).toEqual({ groups: ['eng'] });
+        }
+    });
+    it('rejects a session cookie signed with the wrong secret', async () => {
+        const token = await new SignJWT({ sub: 'u' })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuer('amodal-runtime')
+            .setIssuedAt()
+            .setExpirationTime('1h')
+            .sign(new TextEncoder().encode('different-secret-of-16-chars'));
+        const s = newStrategy();
+        const r = await s.authenticate(reqWith(`amodal_session=${token}`));
+        expect(r.kind).toBe('rejected');
+    });
+});
+describe('OidcAuthStrategy — routes', () => {
+    it('GET /auth/login redirects to the IdP authorize URL', async () => {
+        const s = newStrategy();
+        const app = express();
+        app.use(s.routes());
+        const res = await supertest(app).get('/auth/login');
+        expect(res.status).toBe(302);
+        expect(res.headers['location']).toContain('https://acme.okta.com/oauth2/v1/authorize');
+        expect(res.headers['location']).toContain('state=state-abc');
+        // Sets the OAuth state cookie for the callback to recover
+        expect(res.headers['set-cookie']?.[0]).toMatch(/amodal_oauth_state=/);
+    });
+    it('POST /auth/logout clears the session cookie', async () => {
+        const s = newStrategy();
+        const app = express();
+        app.use(s.routes());
+        const res = await supertest(app).post('/auth/logout');
+        expect(res.status).toBe(200);
+        expect(res.body).toEqual({ ok: true });
+        expect(res.headers['set-cookie']?.[0]).toMatch(/amodal_session=; .*Max-Age=0/);
+    });
+});
+//# sourceMappingURL=oidc.test.js.map

package/dist/src/auth/strategies/oidc.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.test.js","sourceRoot":"","sources":["../../../../src/auth/strategies/oidc.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;GAKG;AACH,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAC,MAAM,QAAQ,CAAC;AAC5D,OAAO,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAC7B,OAAO,OAAO,MAAM,SAAS,CAAC;AAE9B,OAAO,SAAS,MAAM,WAAW,CAAC;AAElC,MAAM,SAAS,GAAG;IAChB,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;IAClB,sBAAsB,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC;IACpD,0BAA0B,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC1E,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC;IACrC,qBAAqB,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,IAAa,EAAE,MAA+B,EAAE,EAAE;QAC9E,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,2CAA2C,CAAC,CAAC;QAC/D,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;YAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9E,OAAO,CAAC,CAAC;IACX,CAAC,CAAC;IACF,sBAAsB,EAAE,EAAE,CAAC,EAAE,EAAE;CAChC,CAAC;AACF,EAAE,CAAC,IAAI,CAAC,eAAe,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;AAE1C,MAAM,EAAC,gBAAgB,EAAC,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;AAErD,MAAM,cAAc,GAAG,+BAA+B,CAAC;AACvD,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;AAErD,SAAS,OAAO,CAAC,MAAe;IAC9B,OAAO,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,EAAC,MAAM,EAAC,CAAC,CAAC,CAAC,EAAE,EAAuB,CAAC;AACjE,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,OAAgC;IACzD,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC;SACxB,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;SAClC,SAAS,CAAC,gBAAgB,CAAC;SAC3B,UAAU,CAAC,KAAK,CAAC;SACjB,WAAW,EAAE;SACb,iBAAiB,CAAC,IAAI,CAAC;SACvB,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,SAAS,WAAW;IAClB,OAAO,IAAI,gBAAgB,CAAC;QAC1B,MAAM,EAAE,uBAAuB;QAC/B,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,KAAK;QACnB,WAAW,EAAE,yCAAyC;QACtD,aAAa,EAAE,cAAc;KAC9B,CAAC,CAAC;AACL,CAAC;AAED,QAAQ,CAAC,wCAAwC,EAAE,GAAG,EAAE;IACtD,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;YACrC,IAAI,OAAQ,CAA8B,CAAC,SAAS,KAAK,UAAU,EAAE,CAAC;gBACnE,CAA6B,CAAC,SAAS,EAAE,CAAC;YAC7C,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,EAAC,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAC,MAAM,EAAE,CAAC,KAAK,CAAC,EAAC,EAAC,CAAC,CAAC;QACtG,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,kBAAkB,KAAK,EAAE,CAAC,CAAC,CAAC;QACnE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAC,CAAC,CAAC;YACzE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAC,MAAM,EAAE,CAAC,KAAK,CAAC,EAAC,CAAC,CAAC;QACtD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,GAAG,EAAC,CAAC;aACxC,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;aAClC,SAAS,CAAC,gBAAgB,CAAC;aAC3B,WAAW,EAAE;aACb,iBAAiB,CAAC,IAAI,CAAC;aACvB,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,8BAA8B,CAAC,CAAC,CAAC;QAClE,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,kBAAkB,KAAK,EAAE,CAAC,CAAC,CAAC;QACnE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACpB,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACpD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,2CAA2C,CAAC,CAAC;QACvF,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;QAC7D,0DAA0D;QAC1D,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACpB,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,IAAI,EAAC,CAAC,CAAC;QACrC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/auth/strategies/strategies.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export {};

package/dist/src/auth/strategies/strategies.test.js

@@ -0,0 +1,190 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { ApiKeyAuthStrategy } from './api-key.js';
+import { HeaderAuthStrategy } from './header.js';
+import { NoneAuthStrategy } from './none.js';
+const jwtVerifyMock = vi.fn();
+const createRemoteJWKSetMock = vi.fn(() => () => Promise.resolve({}));
+vi.mock('jose', () => ({
+    jwtVerify: jwtVerifyMock,
+    createRemoteJWKSet: createRemoteJWKSetMock,
+}));
+const { JwksAuthStrategy } = await import('./jwks.js');
+const { CookieSessionStrategy } = await import('./cookie.js');
+function reqAuth(value) {
+    return { headers: value === null ? {} : { authorization: value } };
+}
+function reqHeaders(headers) {
+    return { headers };
+}
+describe('JwksAuthStrategy', () => {
+    beforeEach(() => {
+        jwtVerifyMock.mockReset();
+        createRemoteJWKSetMock.mockClear();
+    });
+    it('valid() is false when there is no Bearer header', () => {
+        const s = new JwksAuthStrategy({ jwksUrl: 'https://example.com/.well-known/jwks.json' });
+        expect(s.valid(reqAuth(null))).toBe(false);
+    });
+    it('valid() is false on ak_-prefixed tokens (lets ApiKeyAuthStrategy handle)', () => {
+        const s = new JwksAuthStrategy({ jwksUrl: 'https://example.com/.well-known/jwks.json' });
+        expect(s.valid(reqAuth('Bearer ak_xyz'))).toBe(false);
+    });
+    it('valid() is true on a 3-segment Bearer token', () => {
+        const s = new JwksAuthStrategy({ jwksUrl: 'https://example.com/.well-known/jwks.json' });
+        expect(s.valid(reqAuth('Bearer aa.bb.cc'))).toBe(true);
+    });
+    it('rejects with reason when jwtVerify rejects', async () => {
+        jwtVerifyMock.mockRejectedValue(new Error('signature verification failed'));
+        const s = new JwksAuthStrategy({ jwksUrl: 'https://example.com/.well-known/jwks.json' });
+        const r = await s.authenticate(reqAuth('Bearer aa.bb.cc'));
+        expect(r.kind).toBe('rejected');
+        if (r.kind === 'rejected') {
+            expect(r.reason).toMatch(/signature verification failed/);
+        }
+    });
+    it('builds an authenticated session from the verified payload', async () => {
+        jwtVerifyMock.mockResolvedValue({
+            payload: { sub: 'user-42', email: 'user@example.com', agent_id: 'agent-1', scope_id: 'tenant-7' },
+        });
+        const s = new JwksAuthStrategy({ jwksUrl: 'https://example.com/.well-known/jwks.json' });
+        const r = await s.authenticate(reqAuth('Bearer aa.bb.cc'));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user).toEqual({ id: 'user-42', email: 'user@example.com' });
+            expect(r.session.agentId).toBe('agent-1');
+            expect(r.session.scopeId).toBe('tenant-7');
+            expect(r.session.method).toBe('jwks');
+        }
+    });
+    it('passes jwksOptions through to createRemoteJWKSet', () => {
+        new JwksAuthStrategy({
+            jwksUrl: 'https://example.com/.well-known/jwks.json',
+            jwksOptions: { cooldownDuration: 30_000 },
+        });
+        expect(createRemoteJWKSetMock).toHaveBeenCalledWith(expect.any(URL), expect.objectContaining({ cooldownDuration: 30_000 }));
+    });
+});
+describe('ApiKeyAuthStrategy', () => {
+    it('valid() is false without ak_ prefix', () => {
+        const s = new ApiKeyAuthStrategy({ validate: () => Promise.resolve(null) });
+        expect(s.valid(reqAuth('Bearer aa.bb.cc'))).toBe(false);
+        expect(s.valid(reqAuth(null))).toBe(false);
+    });
+    it('valid() is true on ak_ Bearer', () => {
+        const s = new ApiKeyAuthStrategy({ validate: () => Promise.resolve(null) });
+        expect(s.valid(reqAuth('Bearer ak_abc'))).toBe(true);
+    });
+    it('rejects when validate returns null', async () => {
+        const s = new ApiKeyAuthStrategy({ validate: () => Promise.resolve(null) });
+        const r = await s.authenticate(reqAuth('Bearer ak_bad'));
+        expect(r.kind).toBe('rejected');
+    });
+    it('authenticates when validate returns a result', async () => {
+        const s = new ApiKeyAuthStrategy({
+            validate: () => Promise.resolve({ userId: 'u1', email: 'a@b', agentId: 'agent-1' }),
+        });
+        const r = await s.authenticate(reqAuth('Bearer ak_good'));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user).toEqual({ id: 'u1', email: 'a@b' });
+            expect(r.session.agentId).toBe('agent-1');
+            expect(r.session.method).toBe('api-key');
+        }
+    });
+    it('LRU cache hits skip the validate callback', async () => {
+        const validate = vi.fn(() => Promise.resolve({ userId: 'u1' }));
+        const s = new ApiKeyAuthStrategy({ validate, cacheMaxEntries: 100 });
+        await s.authenticate(reqAuth('Bearer ak_x'));
+        await s.authenticate(reqAuth('Bearer ak_x'));
+        expect(validate).toHaveBeenCalledTimes(1);
+    });
+    it('LRU evicts oldest when cap is hit', async () => {
+        const validate = vi.fn(() => Promise.resolve({ userId: 'u' }));
+        const s = new ApiKeyAuthStrategy({ validate, cacheMaxEntries: 2 });
+        await s.authenticate(reqAuth('Bearer ak_a'));
+        await s.authenticate(reqAuth('Bearer ak_b'));
+        await s.authenticate(reqAuth('Bearer ak_c')); // evicts ak_a
+        await s.authenticate(reqAuth('Bearer ak_a')); // miss → revalidate
+        expect(validate).toHaveBeenCalledTimes(4);
+    });
+});
+describe('HeaderAuthStrategy', () => {
+    it('valid() is false without the configured header', () => {
+        const s = new HeaderAuthStrategy({});
+        expect(s.valid(reqHeaders({}))).toBe(false);
+    });
+    it('reads from default X-Auth-User', async () => {
+        const s = new HeaderAuthStrategy({});
+        const r = await s.authenticate(reqHeaders({ 'x-auth-user': 'u-1' }));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user.id).toBe('u-1');
+            expect(r.session.scopeId).toBe('u-1');
+        }
+    });
+    it('honors custom header name (case-insensitive)', async () => {
+        const s = new HeaderAuthStrategy({ headerName: 'X-Subject' });
+        const r = await s.authenticate(reqHeaders({ 'x-subject': 'u-2' }));
+        expect(r.kind).toBe('authenticated');
+    });
+});
+describe('NoneAuthStrategy', () => {
+    it('valid() is always true (chain stops here)', () => {
+        const s = new NoneAuthStrategy();
+        expect(s.valid({})).toBe(true);
+    });
+    it('produces a synthetic anonymous session', async () => {
+        const s = new NoneAuthStrategy();
+        const r = await s.authenticate({});
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user.id).toBe('anonymous');
+            expect(r.session.method).toBe('none');
+        }
+    });
+    it('honors a custom userId', async () => {
+        const s = new NoneAuthStrategy({ userId: 'guest' });
+        const r = await s.authenticate({});
+        if (r.kind === 'authenticated') {
+            expect(r.session.user.id).toBe('guest');
+        }
+    });
+});
+describe('CookieSessionStrategy', () => {
+    beforeEach(() => {
+        jwtVerifyMock.mockReset();
+    });
+    it('valid() is false when the cookie is absent', () => {
+        const s = new CookieSessionStrategy({ jwksUrl: 'https://example.com/jwks' });
+        expect(s.valid(reqHeaders({}))).toBe(false);
+    });
+    it('valid() is true when the configured cookie is present', () => {
+        const s = new CookieSessionStrategy({ jwksUrl: 'https://example.com/jwks' });
+        expect(s.valid(reqHeaders({ cookie: 'amodal_session=abc.def.ghi; other=x' }))).toBe(true);
+    });
+    it('verifies the cookie JWT and builds a session', async () => {
+        jwtVerifyMock.mockResolvedValue({ payload: { sub: 'cu-1', email: 'c@x' } });
+        const s = new CookieSessionStrategy({ jwksUrl: 'https://example.com/jwks' });
+        const r = await s.authenticate(reqHeaders({ cookie: 'amodal_session=aa.bb.cc' }));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user).toEqual({ id: 'cu-1', email: 'c@x' });
+            expect(r.session.method).toBe('cookie');
+        }
+    });
+    it('rejects when JWT verify fails', async () => {
+        jwtVerifyMock.mockRejectedValue(new Error('expired'));
+        const s = new CookieSessionStrategy({ jwksUrl: 'https://example.com/jwks' });
+        const r = await s.authenticate(reqHeaders({ cookie: 'amodal_session=aa.bb.cc' }));
+        expect(r.kind).toBe('rejected');
+        if (r.kind === 'rejected') {
+            expect(r.reason).toMatch(/expired/);
+        }
+    });
+});
+//# sourceMappingURL=strategies.test.js.map

package/dist/src/auth/strategies/strategies.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"strategies.test.js","sourceRoot":"","sources":["../../../../src/auth/strategies/strategies.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAC,MAAM,QAAQ,CAAC;AAE5D,OAAO,EAAC,kBAAkB,EAAC,MAAM,cAAc,CAAC;AAChD,OAAO,EAAC,kBAAkB,EAAC,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAE3C,MAAM,aAAa,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;AAC9B,MAAM,sBAAsB,GAAG,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;AAEtE,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACrB,SAAS,EAAE,aAAa;IACxB,kBAAkB,EAAE,sBAAsB;CAC3C,CAAC,CAAC,CAAC;AAEJ,MAAM,EAAC,gBAAgB,EAAC,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;AACrD,MAAM,EAAC,qBAAqB,EAAC,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;AAE5D,SAAS,OAAO,CAAC,KAAoB;IACnC,OAAO,EAAC,OAAO,EAAE,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAC,aAAa,EAAE,KAAK,EAAC,EAAuB,CAAC;AACvF,CAAC;AACD,SAAS,UAAU,CAAC,OAA0C;IAC5D,OAAO,EAAC,OAAO,EAAuB,CAAC;AACzC,CAAC;AAED,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,UAAU,CAAC,GAAG,EAAE;QACd,aAAa,CAAC,SAAS,EAAE,CAAC;QAC1B,sBAAsB,CAAC,SAAS,EAAE,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,OAAO,EAAE,2CAA2C,EAAC,CAAC,CAAC;QACvF,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,OAAO,EAAE,2CAA2C,EAAC,CAAC,CAAC;QACvF,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,OAAO,EAAE,2CAA2C,EAAC,CAAC,CAAC;QACvF,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,aAAa,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;QAC5E,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,OAAO,EAAE,2CAA2C,EAAC,CAAC,CAAC;QACvF,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAC3D,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAChC,IAAI,CAAC,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC1B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,+BAA+B,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,aAAa,CAAC,iBAAiB,CAAC;YAC9B,OAAO,EAAE,EAAC,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAC;SAChG,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,OAAO,EAAE,2CAA2C,EAAC,CAAC,CAAC;QACvF,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAC3D,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAC,CAAC,CAAC;YAC3E,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC1C,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC3C,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,IAAI,gBAAgB,CAAC;YACnB,OAAO,EAAE,2CAA2C;YACpD,WAAW,EAAE,EAAC,gBAAgB,EAAE,MAAM,EAAC;SACxC,CAAC,CAAC;QACH,MAAM,CAAC,sBAAsB,CAAC,CAAC,oBAAoB,CACjD,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EACf,MAAM,CAAC,gBAAgB,CAAC,EAAC,gBAAgB,EAAE,MAAM,EAAC,CAAC,CACpD,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAC,CAAC,CAAC;QAC1E,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAC,CAAC,CAAC;QAC1E,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAC,CAAC,CAAC;QAC1E,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC;QACzD,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC;YAC/B,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAC,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAC,CAAC;SAClF,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC;QAC1D,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAC,CAAC,CAAC;YACzD,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC1C,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,QAAQ,GAAG,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAC,MAAM,EAAE,IAAI,EAAC,CAAC,CAAC,CAAC;QAC9D,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,QAAQ,EAAE,eAAe,EAAE,GAAG,EAAC,CAAC,CAAC;QACnE,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;QAC7C,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;QAC7C,MAAM,CAAC,QAAQ,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,QAAQ,GAAG,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAC,MAAM,EAAE,GAAG,EAAC,CAAC,CAAC,CAAC;QAC7D,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,QAAQ,EAAE,eAAe,EAAE,CAAC,EAAC,CAAC,CAAC;QACjE,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;QAC7C,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;QAC7C,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,cAAc;QAC5D,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,oBAAoB;QAClE,MAAM,CAAC,QAAQ,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,EAAC,aAAa,EAAE,KAAK,EAAC,CAAC,CAAC,CAAC;QACnE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACtC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,UAAU,EAAE,WAAW,EAAC,CAAC,CAAC;QAC5D,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,EAAC,WAAW,EAAE,KAAK,EAAC,CAAC,CAAC,CAAC;QACjE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,GAAG,IAAI,gBAAgB,EAAE,CAAC;QACjC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,EAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,CAAC,GAAG,IAAI,gBAAgB,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,EAAa,CAAC,CAAC;QAC9C,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC5C,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,KAAK,IAAI,EAAE;QACtC,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,MAAM,EAAE,OAAO,EAAC,CAAC,CAAC;QAClD,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,EAAa,CAAC,CAAC;QAC9C,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,UAAU,CAAC,GAAG,EAAE;QACd,aAAa,CAAC,SAAS,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,OAAO,EAAE,0BAA0B,EAAC,CAAC,CAAC;QAC3E,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,OAAO,EAAE,0BAA0B,EAAC,CAAC,CAAC;QAC3E,MAAM,CACJ,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,EAAC,MAAM,EAAE,qCAAqC,EAAC,CAAC,CAAC,CACrE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,aAAa,CAAC,iBAAiB,CAAC,EAAC,OAAO,EAAE,EAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAC,EAAC,CAAC,CAAC;QACxE,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,OAAO,EAAE,0BAA0B,EAAC,CAAC,CAAC;QAC3E,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,EAAC,MAAM,EAAE,yBAAyB,EAAC,CAAC,CAAC,CAAC;QAChF,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAC,CAAC,CAAC;YAC3D,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,aAAa,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,OAAO,EAAE,0BAA0B,EAAC,CAAC,CAAC;QAC3E,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,EAAC,MAAM,EAAE,yBAAyB,EAAC,CAAC,CAAC,CAAC;QAChF,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAChC,IAAI,CAAC,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC1B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACtC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/auth/types.d.ts

@@ -0,0 +1,95 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * Auth strategy interface — modeled on Rails' Warden.
+ *
+ * Each strategy is two methods:
+ *
+ * - `valid(req)`: cheap, synchronous check — does this strategy apply to
+ *   the request at all? (E.g. JwksStrategy returns false when there's no
+ *   Bearer header; ApiKeyStrategy returns false when the token doesn't
+ *   start with `ak_`.) Strategies that return false are skipped without
+ *   running their `authenticate` step.
+ *
+ * - `authenticate(req)`: the slow path. Verify the token / call the IdP /
+ *   read the cookie. Returns a discriminated union:
+ *
+ *     { kind: 'authenticated', session }   ← chain stops, request proceeds
+ *     { kind: 'rejected', reason }         ← chain stops, request 401s
+ *
+ *   No exceptions for control flow. Plugin authors can't accidentally
+ *   bypass auth by returning the wrong sentinel.
+ *
+ * Strategies that own a login flow (OAuth dance, magic link, etc.)
+ * implement the optional `routes()` method to mount their own routes
+ * onto the auth controller's router (`/auth/<strategy>/start`,
+ * `/auth/<strategy>/callback`, etc.).
+ *
+ * Order = priority. Compose strategies into a chain via `authenticate(...)`.
+ * The first strategy whose `valid(req)` returns true and whose
+ * `authenticate(req)` returns 'authenticated' wins. No merging across
+ * strategies.
+ */
+import type { Request, Router } from 'express';
+/**
+ * The authenticated identity attached to `res.locals.session` by the
+ * auth middleware. Every strategy populates `user.id` (required); other
+ * fields are optional or strategy-specific.
+ */
+export interface AuthSession {
+    user: {
+        /** Stable identifier for the principal. Required. */
+        id: string;
+        email?: string;
+        name?: string;
+    };
+    /** Strategy that authenticated the request (`'jwks'`, `'api-key'`, etc.). */
+    method: string;
+    /**
+     * Stable identifier for the agent this session is scoped to, when the
+     * strategy carries it (e.g. platform JWTs include `agent_id`). Optional.
+     */
+    agentId?: string;
+    /**
+     * End-user scope id — used for per-user data isolation when the agent
+     * has end-user auth configured. Optional.
+     */
+    scopeId?: string;
+    /**
+     * Raw provider claims, opaque to the runtime. Strategies that have
+     * additional payload (OIDC `groups`, custom JWT fields) put it here.
+     */
+    claims?: Record<string, unknown>;
+}
+export type AuthResult = {
+    kind: 'authenticated';
+    session: AuthSession;
+} | {
+    kind: 'rejected';
+    reason: string;
+};
+export interface AuthStrategy {
+    /** Stable identifier (`'jwks'`, `'oidc'`, `'api-key'`, etc.). */
+    readonly name: string;
+    /**
+     * Cheap, synchronous check: does this strategy apply to the request?
+     * Strategies must return false promptly when they don't recognize the
+     * incoming credential shape so the chain falls through to the next
+     * strategy without paying the `authenticate` cost.
+     */
+    valid(req: Request): boolean;
+    /**
+     * Slow path: actually verify the credential. Called only when
+     * `valid(req)` returned true. Must return either an authenticated
+     * session or a rejection reason — never throw for control flow.
+     */
+    authenticate(req: Request): Promise<AuthResult>;
+    /**
+     * Optional: mount strategy-specific routes (login redirects, OAuth
+     * callbacks, magic-link handlers, etc.) onto the auth router.
+     */
+    routes?(): Router;
+}

package/dist/src/auth/types.js

@@ -0,0 +1,7 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/src/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}

package/dist/src/index.d.ts

@@ -27,6 +27,8 @@ export { createStoresRouter } from './agent/routes/stores.js';
 export type { StoreRouterOptions } from './agent/routes/stores.js';
 export { getAuthContext } from './middleware/auth.js';
 export type { AuthContext } from './middleware/auth.js';
+export { authenticate, authRouter, getSession, JwksAuthStrategy, ApiKeyAuthStrategy, HeaderAuthStrategy, NoneAuthStrategy, CookieSessionStrategy, JwtSecretAuthStrategy, OidcAuthStrategy, AmodalAuthStrategy, AuthConfigSchema, parseAuthConfig, createAuthStrategy, loadCustomStrategy, } from './auth/index.js';
+export type { AuthStrategy, AuthResult, AuthSession, AuthLogEvent, AuthenticateOptions, JwksAuthStrategyOptions, ApiKeyAuthStrategyOptions, ApiKeyValidationResult, HeaderAuthStrategyOptions, NoneAuthStrategyOptions, CookieSessionStrategyOptions, JwtSecretAuthStrategyOptions, OidcAuthStrategyOptions, AmodalAuthStrategyOptions, AuthConfig, NoneAuthConfig, JwtSecretAuthConfig, OidcAuthConfig, HeaderAuthConfig, CustomAuthConfig, AmodalAuthConfig, } from './auth/index.js';
 export { commitSetup, composeAmodalJson, SetupNotReadyError, } from './setup/commit-setup.js';
 export type { CommitSetupOptions, CommitSetupResult, CommitSetupSuccess, CommitSetupNotReady, CommitSetupNoState, } from './setup/commit-setup.js';
 export { resolveScope } from './scope.js';
@@ -44,8 +46,8 @@ export { routeOutput } from './output/output-router.js';
 export { errorHandler } from './middleware/error-handler.js';
 export { AmodalError, ProviderError, RateLimitError, ProviderTimeoutError, ToolExecutionError, StoreError, ConnectionError, SessionError, CompactionError, ConfigError, } from './errors.js';
 export type { Result } from './errors.js';
-export { log, setLogLevel, getLogLevel, setLogFormat, getLogFormat, setSanitize, LogLevel, initLogLevel, interceptConsole, verbosityToLogLevel, createLogger } from './logger.js';
-export type { Logger, LoggerConfig, LogFormat } from './logger.js';
+export { log, setLogLevel, getLogLevel, setLogFormat, getLogFormat, setSanitize, subscribeToLogs, LogLevel, initLogLevel, interceptConsole, verbosityToLogLevel, createLogger } from './logger.js';
+export type { Logger, LoggerConfig, LogEntry, LogFormat, LogListener } from './logger.js';
 export { loadConfig } from './config.js';
 export type { AgentConfig as LegacyAgentConfig, ConfigOverrides, LoadConfigOptions, McpServerConfig } from './config.js';
 export { createProvider } from './providers/create-provider.js';

package/dist/src/index.js

@@ -33,6 +33,8 @@ export { createTaskRouter } from './agent/routes/task.js';
 export { createStoresRouter } from './agent/routes/stores.js';
 // Auth types (middleware implementation provided by hosting layer)
 export { getAuthContext } from './middleware/auth.js';
+// Pluggable auth — Warden-shape primitive layer.
+export { authenticate, authRouter, getSession, JwksAuthStrategy, ApiKeyAuthStrategy, HeaderAuthStrategy, NoneAuthStrategy, CookieSessionStrategy, JwtSecretAuthStrategy, OidcAuthStrategy, AmodalAuthStrategy, AuthConfigSchema, parseAuthConfig, createAuthStrategy, loadCustomStrategy, } from './auth/index.js';
 // Setup-completion primitive (Phase E.2). Used by both the agent
 // `request_complete_setup` / `force_complete_setup` tools and the
 // Studio "Finish setup" button via /api/admin-chat/commit-setup.
@@ -57,7 +59,7 @@ export { errorHandler } from './middleware/error-handler.js';
 // Typed error classes
 export { AmodalError, ProviderError, RateLimitError, ProviderTimeoutError, ToolExecutionError, StoreError, ConnectionError, SessionError, CompactionError, ConfigError, } from './errors.js';
 // Logger
-export { log, setLogLevel, getLogLevel, setLogFormat, getLogFormat, setSanitize, LogLevel, initLogLevel, interceptConsole, verbosityToLogLevel, createLogger } from './logger.js';
+export { log, setLogLevel, getLogLevel, setLogFormat, getLogFormat, setSanitize, subscribeToLogs, LogLevel, initLogLevel, interceptConsole, verbosityToLogLevel, createLogger } from './logger.js';
 // Config
 export { loadConfig } from './config.js';
 // LLM Provider (Vercel AI SDK abstraction)

package/dist/src/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,EAAE,YAAY,EAAuB,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAElC,MAAM,CAAC,MAAM,cAAc,GAAG,OAAO,CAAC;AAEtC,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAGpD,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAC9E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,EAAE,oBAAoB,EAA8B,MAAM,uBAAuB,CAAC;AAEzF,0DAA0D;AAC1D,OAAO,EACL,mBAAmB,EACnB,WAAW,EACX,OAAO,EACP,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAO5B,aAAa;AACb,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,gBAAgB;AAChB,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAGlE,gFAAgF;AAChF,2EAA2E;AAC3E,8EAA8E;AAC9E,wCAAwC;AACxC,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAEnE,kEAAkE;AAClE,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAEjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAG9D,mEAAmE;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,iEAAiE;AACjE,kEAAkE;AAClE,iEAAiE;AACjE,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,yBAAyB,CAAC;AASjC,yEAAyE;AACzE,2EAA2E;AAC3E,qEAAqE;AACrE,0CAA0C;AAC1C,gEAAgE;AAEhE,mBAAmB;AACnB,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG1C,wBAAwB;AACxB,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAE9F,OAAO,EACL,eAAe,EACf,aAAa,EACb,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,eAAe,EACf,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAM5B,iFAAiF;AACjF,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAE3D,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAG3D,kDAAkD;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAExD,gBAAgB;AAChB,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAE7D,sBAAsB;AACtB,OAAO,EACL,WAAW,EACX,aAAa,EACb,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,UAAU,EACV,eAAe,EACf,YAAY,EACZ,eAAe,EACf,WAAW,GACZ,MAAM,aAAa,CAAC;AAGrB,SAAS;AACT,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGlL,SAAS;AACT,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,2CAA2C;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAajE,6BAA6B;AAC7B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAmBvD,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE5D,gBAAgB;AAChB,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AASzD,mBAAmB;AACnB,OAAO,EACL,uBAAuB,EACvB,gBAAgB,GACjB,MAAM,6BAA6B,CAAC;AAErC,8CAA8C;AAC9C,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,qBAAqB,GACtB,MAAM,wBAAwB,CAAC;AAEhC,+BAA+B;AAC/B,OAAO,EAAC,kBAAkB,EAAC,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,oCAAoC,CAAC;AAGhF,0BAA0B;AAC1B,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAG/E,cAAc;AACd,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAGlK,6BAA6B;AAC7B,OAAO,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AAiBjF,kBAAkB;AAClB,OAAO,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,MAAM,8BAA8B,CAAC;AAGnH,uBAAuB;AACvB,OAAO,EAAE,wBAAwB,EAAE,MAAM,mCAAmC,CAAC;AAG7E,mBAAmB;AACnB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAG7E,mBAAmB;AACnB,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAWvD,qBAAqB;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAEjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAE5D,OAAO,EAAE,2BAA2B,EAAE,MAAM,sCAAsC,CAAC;AAEnF,OAAO,EAAE,4BAA4B,EAAE,MAAM,wCAAwC,CAAC;AAEtF,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAExD,qBAAqB;AACrB,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAO/E,8EAA8E;AAC9E,+BAA+B;AAC/B,8EAA8E;AAE9E,SAAS,eAAe,CAAC,GAAW,EAAE,YAAoB;IACxD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC;AAC1C,CAAC;AAED,SAAS,SAAS,CAAC,GAAW,EAAE,YAAoB;IAClD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,GAAG;QAAE,OAAO,YAAY,CAAC;IAC9B,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACjC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC;AAC/C,CAAC;AAED,8EAA8E;AAC9E,OAAO;AACP,8EAA8E;AAE9E,KAAK,UAAU,IAAI;IACjB,iBAAiB;IACjB,MAAM,IAAI,GAAG,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,eAAe,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAChD,MAAM,YAAY,GAAG,SAAS,CAAC,gBAAgB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEjE,0BAA0B;IAC1B,IAAI,cAA8B,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC;QAE3D,cAAc,GAAG,YAAY,CAAC;YAC5B,MAAM,EAAE;gBACN,IAAI;gBACJ,IAAI;gBACJ,YAAY;gBACZ,WAAW,EAAE,EAAE;gBACf,UAAU;aACX;YACD,OAAO,EAAE,cAAc;SACxB,CAAC,CAAC;QAEH,MAAM,cAAc,CAAC,KAAK,EAAE,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,GAAG,CAAC,KAAK,CAAC,2BAA2B,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,oBAAoB;IACpB,MAAM,QAAQ,GAAG,KAAK,EAAE,MAAc,EAAiB,EAAE;QACvD,GAAG,CAAC,IAAI,CAAC,YAAY,MAAM,oBAAoB,CAAC,CAAC;QACjD,IAAI,CAAC;YACH,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC;QAC9B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,GAAG,CAAC,KAAK,CAAC,mBAAmB,OAAO,EAAE,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;IACtD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,+EAA+E;AAC/E,MAAM,YAAY,GAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACf,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;AAEnD,IAAI,YAAY,EAAE,CAAC;IACjB,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnB,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,EAAE,YAAY,EAAuB,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAElC,MAAM,CAAC,MAAM,cAAc,GAAG,OAAO,CAAC;AAEtC,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAGpD,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAC9E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,EAAE,oBAAoB,EAA8B,MAAM,uBAAuB,CAAC;AAEzF,0DAA0D;AAC1D,OAAO,EACL,mBAAmB,EACnB,WAAW,EACX,OAAO,EACP,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAO5B,aAAa;AACb,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,gBAAgB;AAChB,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAGlE,gFAAgF;AAChF,2EAA2E;AAC3E,8EAA8E;AAC9E,wCAAwC;AACxC,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAEnE,kEAAkE;AAClE,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAEjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAG9D,mEAAmE;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,iDAAiD;AACjD,OAAO,EACL,YAAY,EACZ,UAAU,EACV,UAAU,EACV,gBAAgB,EAChB,kBAAkB,EAClB,kBAAkB,EAClB,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,iBAAiB,CAAC;AAyBzB,iEAAiE;AACjE,kEAAkE;AAClE,iEAAiE;AACjE,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,yBAAyB,CAAC;AASjC,yEAAyE;AACzE,2EAA2E;AAC3E,qEAAqE;AACrE,0CAA0C;AAC1C,gEAAgE;AAEhE,mBAAmB;AACnB,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG1C,wBAAwB;AACxB,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAE9F,OAAO,EACL,eAAe,EACf,aAAa,EACb,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,eAAe,EACf,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAM5B,iFAAiF;AACjF,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAE3D,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAG3D,kDAAkD;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAExD,gBAAgB;AAChB,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAE7D,sBAAsB;AACtB,OAAO,EACL,WAAW,EACX,aAAa,EACb,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,UAAU,EACV,eAAe,EACf,YAAY,EACZ,eAAe,EACf,WAAW,GACZ,MAAM,aAAa,CAAC;AAGrB,SAAS;AACT,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGnM,SAAS;AACT,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,2CAA2C;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAajE,6BAA6B;AAC7B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAmBvD,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE5D,gBAAgB;AAChB,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AASzD,mBAAmB;AACnB,OAAO,EACL,uBAAuB,EACvB,gBAAgB,GACjB,MAAM,6BAA6B,CAAC;AAErC,8CAA8C;AAC9C,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,qBAAqB,GACtB,MAAM,wBAAwB,CAAC;AAEhC,+BAA+B;AAC/B,OAAO,EAAC,kBAAkB,EAAC,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,oCAAoC,CAAC;AAGhF,0BAA0B;AAC1B,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAG/E,cAAc;AACd,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAGlK,6BAA6B;AAC7B,OAAO,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AAiBjF,kBAAkB;AAClB,OAAO,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,MAAM,8BAA8B,CAAC;AAGnH,uBAAuB;AACvB,OAAO,EAAE,wBAAwB,EAAE,MAAM,mCAAmC,CAAC;AAG7E,mBAAmB;AACnB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAG7E,mBAAmB;AACnB,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAWvD,qBAAqB;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAEjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAE5D,OAAO,EAAE,2BAA2B,EAAE,MAAM,sCAAsC,CAAC;AAEnF,OAAO,EAAE,4BAA4B,EAAE,MAAM,wCAAwC,CAAC;AAEtF,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAExD,qBAAqB;AACrB,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAO/E,8EAA8E;AAC9E,+BAA+B;AAC/B,8EAA8E;AAE9E,SAAS,eAAe,CAAC,GAAW,EAAE,YAAoB;IACxD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC;AAC1C,CAAC;AAED,SAAS,SAAS,CAAC,GAAW,EAAE,YAAoB;IAClD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,GAAG;QAAE,OAAO,YAAY,CAAC;IAC9B,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACjC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC;AAC/C,CAAC;AAED,8EAA8E;AAC9E,OAAO;AACP,8EAA8E;AAE9E,KAAK,UAAU,IAAI;IACjB,iBAAiB;IACjB,MAAM,IAAI,GAAG,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,eAAe,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAChD,MAAM,YAAY,GAAG,SAAS,CAAC,gBAAgB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEjE,0BAA0B;IAC1B,IAAI,cAA8B,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC;QAE3D,cAAc,GAAG,YAAY,CAAC;YAC5B,MAAM,EAAE;gBACN,IAAI;gBACJ,IAAI;gBACJ,YAAY;gBACZ,WAAW,EAAE,EAAE;gBACf,UAAU;aACX;YACD,OAAO,EAAE,cAAc;SACxB,CAAC,CAAC;QAEH,MAAM,cAAc,CAAC,KAAK,EAAE,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,GAAG,CAAC,KAAK,CAAC,2BAA2B,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,oBAAoB;IACpB,MAAM,QAAQ,GAAG,KAAK,EAAE,MAAc,EAAiB,EAAE;QACvD,GAAG,CAAC,IAAI,CAAC,YAAY,MAAM,oBAAoB,CAAC,CAAC;QACjD,IAAI,CAAC;YACH,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC;QAC9B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,GAAG,CAAC,KAAK,CAAC,mBAAmB,OAAO,EAAE,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;IACtD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,+EAA+E;AAC/E,MAAM,YAAY,GAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACf,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;AAEnD,IAAI,YAAY,EAAE,CAAC;IACjB,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnB,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/src/logger.d.ts

@@ -10,10 +10,10 @@
  * The Logger interface and core implementation live in @amodalai/core.
  * This module re-exports them and adds runtime-only functions.
  */
-import { createLogger as coreCreateLogger, setLogLevel as coreSetLogLevel, getLogLevel as coreGetLogLevel, setLogFormat as coreSetLogFormat, getLogFormat as coreGetLogFormat, setSanitize as coreSetSanitize, LogLevel } from '@amodalai/core';
-import type { Logger, LoggerConfig, LogFormat } from '@amodalai/core';
+import { createLogger as coreCreateLogger, setLogLevel as coreSetLogLevel, getLogLevel as coreGetLogLevel, setLogFormat as coreSetLogFormat, getLogFormat as coreGetLogFormat, setSanitize as coreSetSanitize, subscribeToLogs as coreSubscribeToLogs, LogLevel } from '@amodalai/core';
+import type { Logger, LoggerConfig, LogEntry, LogFormat, LogListener } from '@amodalai/core';
 export { LogLevel };
-export type { Logger, LoggerConfig, LogFormat };
+export type { Logger, LoggerConfig, LogEntry, LogFormat, LogListener };
 export declare const log: Logger;
 export declare const createLogger: typeof coreCreateLogger;
 export declare const setLogLevel: typeof coreSetLogLevel;
@@ -21,6 +21,7 @@ export declare const getLogLevel: typeof coreGetLogLevel;
 export declare const setLogFormat: typeof coreSetLogFormat;
 export declare const getLogFormat: typeof coreGetLogFormat;
 export declare const setSanitize: typeof coreSetSanitize;
+export declare const subscribeToLogs: typeof coreSubscribeToLogs;
 /**
  * Convert -v count and --quiet flag to a LogLevel.
  * --quiet → ERROR, default → INFO, -v → DEBUG, -vv → TRACE

package/dist/src/logger.js

@@ -10,7 +10,7 @@
  * The Logger interface and core implementation live in @amodalai/core.
  * This module re-exports them and adds runtime-only functions.
  */
-import { log as coreLog, createLogger as coreCreateLogger, setLogLevel as coreSetLogLevel, getLogLevel as coreGetLogLevel, setLogFormat as coreSetLogFormat, getLogFormat as coreGetLogFormat, setSanitize as coreSetSanitize, LogLevel, } from '@amodalai/core';
+import { log as coreLog, createLogger as coreCreateLogger, setLogLevel as coreSetLogLevel, getLogLevel as coreGetLogLevel, setLogFormat as coreSetLogFormat, getLogFormat as coreGetLogFormat, setSanitize as coreSetSanitize, subscribeToLogs as coreSubscribeToLogs, LogLevel, } from '@amodalai/core';
 // Re-export core logger API
 export { LogLevel };
 export const log = coreLog;
@@ -20,6 +20,7 @@ export const getLogLevel = coreGetLogLevel;
 export const setLogFormat = coreSetLogFormat;
 export const getLogFormat = coreGetLogFormat;
 export const setSanitize = coreSetSanitize;
+export const subscribeToLogs = coreSubscribeToLogs;
 /**
  * Convert -v count and --quiet flag to a LogLevel.
  * --quiet → ERROR, default → INFO, -v → DEBUG, -vv → TRACE

package/dist/src/logger.js.map

@@ -1 +1 @@
-{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/logger.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;GAMG;AAEH,OAAO,EACL,GAAG,IAAI,OAAO,EACd,YAAY,IAAI,gBAAgB,EAChC,WAAW,IAAI,eAAe,EAC9B,WAAW,IAAI,eAAe,EAC9B,YAAY,IAAI,gBAAgB,EAChC,YAAY,IAAI,gBAAgB,EAChC,WAAW,IAAI,eAAe,EAC9B,QAAQ,GACT,MAAM,gBAAgB,CAAC;AAIxB,4BAA4B;AAC5B,OAAO,EAAE,QAAQ,EAAE,CAAC;AAGpB,MAAM,CAAC,MAAM,GAAG,GAAW,OAAO,CAAC;AACnC,MAAM,CAAC,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAC7C,MAAM,CAAC,MAAM,WAAW,GAAG,eAAe,CAAC;AAC3C,MAAM,CAAC,MAAM,WAAW,GAAG,eAAe,CAAC;AAC3C,MAAM,CAAC,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAC7C,MAAM,CAAC,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAC7C,MAAM,CAAC,MAAM,WAAW,GAAG,eAAe,CAAC;AAE3C;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAiB,EAAE,KAAc;IACnE,IAAI,KAAK;QAAE,OAAO,QAAQ,CAAC,KAAK,CAAC;IACjC,IAAI,SAAS,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC,KAAK,CAAC;IAC1C,IAAI,SAAS,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC,KAAK,CAAC;IAC1C,OAAO,QAAQ,CAAC,IAAI,CAAC;AACvB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,IAA2C;IACtE,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,kEAAkE;QAClE,OAAO;IACT,CAAC;IACD,WAAW,CAAC,mBAAmB,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,EAAE,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED;;;GAGG;AACH,+BAA+B;AAC/B,MAAM,UAAU,gBAAgB;IAC9B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC;IAC5B,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC;IAChC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC;IAEhC,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,IAAe,EAAE,EAAE;QACnC,IAAI,WAAW,EAAE,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpC,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC,CAAC;IAEF,OAAO,CAAC,KAAK,GAAG,CAAC,GAAG,IAAe,EAAE,EAAE;QACrC,IAAI,WAAW,EAAE,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpC,SAAS,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CAAC;IAEF,OAAO,CAAC,IAAI,GAAG,CAAC,GAAG,IAAe,EAAE,EAAE;QACpC,IAAI,WAAW,EAAE,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpC,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;IACH,CAAC,CAAC;IAEF,OAAO,CAAC,KAAK,GAAG,CAAC,GAAG,IAAe,EAAE,EAAE;QACrC,IAAI,WAAW,EAAE,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,yCAAyC;YACzC,IAAI,OAAO,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC;gBAAE,OAAO;YACnF,SAAS,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AACD,8BAA8B"}
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/logger.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;GAMG;AAEH,OAAO,EACL,GAAG,IAAI,OAAO,EACd,YAAY,IAAI,gBAAgB,EAChC,WAAW,IAAI,eAAe,EAC9B,WAAW,IAAI,eAAe,EAC9B,YAAY,IAAI,gBAAgB,EAChC,YAAY,IAAI,gBAAgB,EAChC,WAAW,IAAI,eAAe,EAC9B,eAAe,IAAI,mBAAmB,EACtC,QAAQ,GACT,MAAM,gBAAgB,CAAC;AAIxB,4BAA4B;AAC5B,OAAO,EAAE,QAAQ,EAAE,CAAC;AAGpB,MAAM,CAAC,MAAM,GAAG,GAAW,OAAO,CAAC;AACnC,MAAM,CAAC,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAC7C,MAAM,CAAC,MAAM,WAAW,GAAG,eAAe,CAAC;AAC3C,MAAM,CAAC,MAAM,WAAW,GAAG,eAAe,CAAC;AAC3C,MAAM,CAAC,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAC7C,MAAM,CAAC,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAC7C,MAAM,CAAC,MAAM,WAAW,GAAG,eAAe,CAAC;AAC3C,MAAM,CAAC,MAAM,eAAe,GAAG,mBAAmB,CAAC;AAEnD;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAiB,EAAE,KAAc;IACnE,IAAI,KAAK;QAAE,OAAO,QAAQ,CAAC,KAAK,CAAC;IACjC,IAAI,SAAS,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC,KAAK,CAAC;IAC1C,IAAI,SAAS,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC,KAAK,CAAC;IAC1C,OAAO,QAAQ,CAAC,IAAI,CAAC;AACvB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,IAA2C;IACtE,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,kEAAkE;QAClE,OAAO;IACT,CAAC;IACD,WAAW,CAAC,mBAAmB,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,EAAE,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED;;;GAGG;AACH,+BAA+B;AAC/B,MAAM,UAAU,gBAAgB;IAC9B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC;IAC5B,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC;IAChC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC;IAEhC,OAAO,CAAC,GAAG,GAAG,CAAC,GAAG,IAAe,EAAE,EAAE;QACnC,IAAI,WAAW,EAAE,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpC,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC,CAAC;IAEF,OAAO,CAAC,KAAK,GAAG,CAAC,GAAG,IAAe,EAAE,EAAE;QACrC,IAAI,WAAW,EAAE,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpC,SAAS,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CAAC;IAEF,OAAO,CAAC,IAAI,GAAG,CAAC,GAAG,IAAe,EAAE,EAAE;QACpC,IAAI,WAAW,EAAE,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpC,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;IACH,CAAC,CAAC;IAEF,OAAO,CAAC,KAAK,GAAG,CAAC,GAAG,IAAe,EAAE,EAAE;QACrC,IAAI,WAAW,EAAE,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,yCAAyC;YACzC,IAAI,OAAO,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC;gBAAE,OAAO;YACnF,SAAS,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AACD,8BAA8B"}

package/dist/src/logger.test.js

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: MIT
  */
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
-import { log, createLogger, setLogLevel, setLogFormat, setSanitize, LogLevel, } from './logger.js';
+import { log, createLogger, setLogLevel, setLogFormat, setSanitize, subscribeToLogs, LogLevel, } from './logger.js';
 describe('Logger', () => {
     let stderrWrite;
     let originalWrite;
@@ -175,6 +175,27 @@ describe('Logger', () => {
             expect(output).toContain('"service":"scheduler"');
         });
     });
+    describe('log subscribers', () => {
+        it('receives sanitized structured log entries', () => {
+            setSanitize((data) => ({ ...data, token: data['token'] ? '[REDACTED]' : data['token'] }));
+            const entries = [];
+            const unsubscribe = subscribeToLogs((entry) => {
+                entries.push(entry);
+            });
+            log.warn('credential_checked', { token: 'secret-token', provider: 'test' });
+            unsubscribe();
+            expect(entries).toHaveLength(1);
+            expect(entries[0]).toMatchObject({
+                level: 'warn',
+                event: 'credential_checked',
+                data: {
+                    token: '[REDACTED]',
+                    provider: 'test',
+                },
+            });
+            expect(stderrWrite.mock.calls[0]?.[0]).not.toContain('secret-token');
+        });
+    });
     describe('circular reference safety', () => {
         it('does not throw on circular data in text mode', () => {
             const circular = { a: 1 };