@anby/platform-sdk 0.1.0 → 0.7.0

package/dist/cjs/apps/publish.d.ts

@@ -10,6 +10,7 @@
  * which the registry verifies via `HmacGuard` and then persists via the same
  * `registry.service.publishApp()`.
  */
+import { type AppManifest } from '@anby/manifest-schema';
 export interface PublishAppOptions {
     /**
      * Path to the manifest file. Defaults to `./anby-app.manifest.json` in the
@@ -62,7 +63,29 @@ export interface PublishAppResult {
         appId: string;
         version: string;
     };
+    /**
+     * Ed25519 private key (PEM) returned ONCE on first publish. Used to
+     * assemble the ANBY_APP_TOKEN connection string for the developer to
+     * paste into their app's env. Null on subsequent publishes — the
+     * registry never re-returns the key.
+     *
+     * The CLI uses this to print the assembled token. Programmatic
+     * callers should treat this field as a secret and avoid logging it.
+     */
+    privateKey: string | null;
 }
+/**
+ * Public helper: load the manifest from disk and return it with all
+ * `provides.entities[].schema` paths resolved to inlined JSON content.
+ *
+ * Used both internally by `publishAppFromManifest` and by services that
+ * want to expose the wire-format manifest over HTTP (e.g. a Remix route
+ * at `/_anby/manifest`) so the Marketplace submit form can fetch it
+ * without requiring the publisher to paste anything by hand.
+ */
+export declare function getInlinedManifest(opts?: {
+    manifestPath?: string;
+}): Promise<AppManifest>;
 export declare function publishAppFromManifest(opts?: PublishAppOptions): Promise<PublishAppResult | null>;
 /**
  * Fire-and-forget wrapper for use inside service entrypoints. Logs on both

package/dist/cjs/apps/publish.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"publish.d.ts","sourceRoot":"","sources":["../../../src/apps/publish.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAQH,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE;QACH,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;QACzB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,OAAO,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAC7C;AAyFD,wBAAsB,sBAAsB,CAC1C,IAAI,GAAE,iBAAsB,GAC3B,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CA6ElC;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,iBAAsB,GAAG,IAAI,CAMpE"}
+{"version":3,"file":"publish.d.ts","sourceRoot":"","sources":["../../../src/apps/publish.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,EAAoB,KAAK,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAI3E,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE;QACH,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;QACzB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,OAAO,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5C;;;;;;;;OAQG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAcD;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,GAAE;IAAE,YAAY,CAAC,EAAE,MAAM,CAAA;CAAO,GACnC,OAAO,CAAC,WAAW,CAAC,CAMtB;AA6ED,wBAAsB,sBAAsB,CAC1C,IAAI,GAAE,iBAAsB,GAC3B,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAuFlC;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,iBAAsB,GAAG,IAAI,CAMpE"}

package/dist/cjs/apps/publish.js

@@ -11,7 +11,41 @@
  * which the registry verifies via `HmacGuard` and then persists via the same
  * `registry.service.publishApp()`.
  */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.getInlinedManifest = getInlinedManifest;
 exports.publishAppFromManifest = publishAppFromManifest;
 exports.autoPublishOnBoot = autoPublishOnBoot;
 const promises_1 = require("node:fs/promises");
@@ -28,6 +62,20 @@ async function loadManifest(path) {
     }
     return parsed;
 }
+/**
+ * Public helper: load the manifest from disk and return it with all
+ * `provides.entities[].schema` paths resolved to inlined JSON content.
+ *
+ * Used both internally by `publishAppFromManifest` and by services that
+ * want to expose the wire-format manifest over HTTP (e.g. a Remix route
+ * at `/_anby/manifest`) so the Marketplace submit form can fetch it
+ * without requiring the publisher to paste anything by hand.
+ */
+async function getInlinedManifest(opts = {}) {
+    const manifestPath = (0, node_path_1.resolve)(opts.manifestPath ?? (0, node_path_1.join)(process.cwd(), 'anby-app.manifest.json'));
+    const raw = await loadManifest(manifestPath);
+    return inlineEntitySchemas(raw, manifestPath);
+}
 /**
  * Entity schema inliner (CR-4).
  *
@@ -98,16 +146,28 @@ async function inlineEntitySchemas(manifest, manifestPath) {
 async function publishAppFromManifest(opts = {}) {
     try {
         const manifestPath = (0, node_path_1.resolve)(opts.manifestPath ?? (0, node_path_1.join)(process.cwd(), 'anby-app.manifest.json'));
-        const rawManifest = await loadManifest(manifestPath);
         // CR-4: inline schema content before sending. Manifest on disk uses
         // relative paths for DX; wire format sends the actual JSON object.
-        const manifest = await inlineEntitySchemas(rawManifest, manifestPath);
+        const manifest = await getInlinedManifest({ manifestPath });
         const publicUrl = opts.publicUrl ??
             process.env.APP_PUBLIC_URL ??
             `http://localhost:${manifest.runtime.port}`;
-        const registryUrl = opts.registryUrl ??
-            process.env.REGISTRY_URL ??
-            'http://localhost:3003';
+        // PLAN-app-bootstrap-phase2 PR4: prefer the registry URL discovered
+        // by bootstrapFromToken. Falls back to the explicit option, then env,
+        // then localhost. The discovered value is the registry HOST root
+        // (no /registry suffix), so this code can append /registry/apps below.
+        let registryUrl = opts.registryUrl ?? process.env.REGISTRY_URL;
+        if (!registryUrl) {
+            try {
+                // Lazy require to avoid a circular import at module load time.
+                const { getDiscoveredRegistryBaseUrl } = await Promise.resolve().then(() => __importStar(require('../bootstrap/index.js')));
+                registryUrl = await getDiscoveredRegistryBaseUrl();
+            }
+            catch {
+                // bootstrap not started yet — fall back to localhost dev default.
+                registryUrl = 'http://localhost:3003';
+            }
+        }
         const internalApiSecret = opts.internalApiSecret ?? process.env.INTERNAL_API_SECRET ?? '';
         if (!internalApiSecret) {
             throw new Error('INTERNAL_API_SECRET is not set — cannot sign publish request');

package/dist/cjs/apps/publish.js.map

@@ -1 +1 @@
-{"version":3,"file":"publish.js","sourceRoot":"","sources":["../../../src/apps/publish.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAmJH,wDA+EC;AAOD,8CAMC;AA7OD,+CAA4C;AAC5C,yCAA+D;AAC/D,2DAA2E;AAC3E,+CAA4C;AAC5C,qDAAuD;AAsDvD,KAAK,UAAU,YAAY,CAAC,IAAY;IACtC,MAAM,GAAG,GAAG,MAAM,IAAA,mBAAQ,EAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAC;IAC9C,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAA,kCAAgB,EAAC,MAAM,CAAC,CAAC;IACnD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,eAAe,IAAI,qBAAqB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAChE,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,mBAAmB,CAChC,QAAqB,EACrB,YAAoB;IAEpB,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC7C,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAExD,MAAM,WAAW,GAAG,IAAA,mBAAO,EAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAChC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QAC3B,yDAAyD;QACzD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QACxC,CAAC;QACD,0DAA0D;QAC1D,IAAI,CAAC,KAAK,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAChC,kEAAkE;QAClE,yCAAyC;QACzC,IAAI,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACrC,OAAO;gBACL,GAAG,KAAK;gBACR,cAAc,EAAE,KAAK,CAAC,cAAc,IAAI,IAAA,0BAAc,EAAC,KAAK,CAAC,MAAM,CAAC;aACrE,CAAC;QACJ,CAAC;QACD,8DAA8D;QAC9D,uBAAuB;QACvB,MAAM,UAAU,GAAG,IAAA,sBAAU,EAAC,KAAK,CAAC,MAAM,CAAC;YACzC,CAAC,CAAC,KAAK,CAAC,MAAM;YACd,CAAC,CAAC,IAAA,mBAAO,EAAC,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,SAAiB,CAAC;QACtB,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,IAAA,mBAAQ,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,WAAW,KAAK,CAAC,IAAI,oCAAoC,UAAU,GAAG;gBACpE,IAAK,GAAa,CAAC,OAAO,GAAG,CAChC,CAAC;QACJ,CAAC;QACD,IAAI,MAA+B,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,WAAW,KAAK,CAAC,IAAI,qBAAqB,UAAU,uBAAwB,GAAa,CAAC,OAAO,EAAE,CACpG,CAAC;QACJ,CAAC;QACD,OAAO;YACL,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,MAAM,EAAE,MAAM;YACd,cAAc,EAAE,IAAA,0BAAc,EAAC,MAAM,CAAC;SACvC,CAAC;IACJ,CAAC,CAAC,CACH,CAAC;IAEF,OAAO;QACL,GAAG,QAAQ;QACX,QAAQ,EAAE;YACR,GAAG,QAAQ,CAAC,QAAQ;YACpB,QAAQ,EAAE,QAAQ;SACnB;KACF,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,sBAAsB,CAC1C,OAA0B,EAAE;IAE5B,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,IAAA,mBAAO,EAC1B,IAAI,CAAC,YAAY,IAAI,IAAA,gBAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,wBAAwB,CAAC,CACnE,CAAC;QACF,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,YAAY,CAAC,CAAC;QACrD,oEAAoE;QACpE,mEAAmE;QACnE,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;QAEtE,MAAM,SAAS,GACb,IAAI,CAAC,SAAS;YACd,OAAO,CAAC,GAAG,CAAC,cAAc;YAC1B,oBAAoB,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAE9C,MAAM,WAAW,GACf,IAAI,CAAC,WAAW;YAChB,OAAO,CAAC,GAAG,CAAC,YAAY;YACxB,uBAAuB,CAAC;QAE1B,MAAM,iBAAiB,GACrB,IAAI,CAAC,iBAAiB,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QAClE,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CACb,8DAA8D,CAC/D,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,QAAQ,CAAC,EAAE,CAAC;QACpD,MAAM,SAAS,GAAG,IAAA,mBAAQ,EAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC;QAE3D,MAAM,IAAI,GAAG;YACX,EAAE,EAAE,QAAQ,CAAC,EAAE;YACf,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,WAAW,EAAE,QAAQ,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YACzD,OAAO,EAAE,QAAQ,CAAC,OAAO;YACzB,SAAS;YACT,WAAW;YACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ;SACT,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,WAAW,gBAAgB,EAAE;YACtD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,iBAAiB,EAAE,WAAW;gBAC9B,sBAAsB,EAAE,SAAS;aAClC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACb,8BAA8B,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CACxD,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAqB,CAAC;QACtD,OAAO,CAAC,GAAG,CACT,4BAA4B,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,OAAO,OAAO,WAAW,eAAe,SAAS,GAAG,CACzG,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO,CAAC,IAAI,CACV,0DAA2D,GAAa,CAAC,OAAO,EAAE,CACnF,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,OAA0B,EAAE;IAC5D,sBAAsB,CAAC,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QAC9D,OAAO,CAAC,IAAI,CACV,sDAAuD,GAAa,CAAC,OAAO,EAAE,CAC/E,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"publish.js","sourceRoot":"","sources":["../../../src/apps/publish.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2FH,gDAQC;AA6ED,wDAyFC;AAOD,8CAMC;AApRD,+CAA4C;AAC5C,yCAA+D;AAC/D,2DAA2E;AAC3E,+CAA4C;AAC5C,qDAAuD;AAgEvD,KAAK,UAAU,YAAY,CAAC,IAAY;IACtC,MAAM,GAAG,GAAG,MAAM,IAAA,mBAAQ,EAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAC;IAC9C,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAA,kCAAgB,EAAC,MAAM,CAAC,CAAC;IACnD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,eAAe,IAAI,qBAAqB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAChE,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;GAQG;AACI,KAAK,UAAU,kBAAkB,CACtC,OAAkC,EAAE;IAEpC,MAAM,YAAY,GAAG,IAAA,mBAAO,EAC1B,IAAI,CAAC,YAAY,IAAI,IAAA,gBAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,wBAAwB,CAAC,CACnE,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,YAAY,CAAC,CAAC;IAC7C,OAAO,mBAAmB,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,mBAAmB,CAChC,QAAqB,EACrB,YAAoB;IAEpB,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC7C,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAExD,MAAM,WAAW,GAAG,IAAA,mBAAO,EAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAChC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QAC3B,yDAAyD;QACzD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QACxC,CAAC;QACD,0DAA0D;QAC1D,IAAI,CAAC,KAAK,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAChC,kEAAkE;QAClE,yCAAyC;QACzC,IAAI,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACrC,OAAO;gBACL,GAAG,KAAK;gBACR,cAAc,EAAE,KAAK,CAAC,cAAc,IAAI,IAAA,0BAAc,EAAC,KAAK,CAAC,MAAM,CAAC;aACrE,CAAC;QACJ,CAAC;QACD,8DAA8D;QAC9D,uBAAuB;QACvB,MAAM,UAAU,GAAG,IAAA,sBAAU,EAAC,KAAK,CAAC,MAAM,CAAC;YACzC,CAAC,CAAC,KAAK,CAAC,MAAM;YACd,CAAC,CAAC,IAAA,mBAAO,EAAC,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,SAAiB,CAAC;QACtB,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,IAAA,mBAAQ,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,WAAW,KAAK,CAAC,IAAI,oCAAoC,UAAU,GAAG;gBACpE,IAAK,GAAa,CAAC,OAAO,GAAG,CAChC,CAAC;QACJ,CAAC;QACD,IAAI,MAA+B,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,WAAW,KAAK,CAAC,IAAI,qBAAqB,UAAU,uBAAwB,GAAa,CAAC,OAAO,EAAE,CACpG,CAAC;QACJ,CAAC;QACD,OAAO;YACL,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,MAAM,EAAE,MAAM;YACd,cAAc,EAAE,IAAA,0BAAc,EAAC,MAAM,CAAC;SACvC,CAAC;IACJ,CAAC,CAAC,CACH,CAAC;IAEF,OAAO;QACL,GAAG,QAAQ;QACX,QAAQ,EAAE;YACR,GAAG,QAAQ,CAAC,QAAQ;YACpB,QAAQ,EAAE,QAAQ;SACnB;KACF,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,sBAAsB,CAC1C,OAA0B,EAAE;IAE5B,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,IAAA,mBAAO,EAC1B,IAAI,CAAC,YAAY,IAAI,IAAA,gBAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,wBAAwB,CAAC,CACnE,CAAC;QACF,oEAAoE;QACpE,mEAAmE;QACnE,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC;QAE5D,MAAM,SAAS,GACb,IAAI,CAAC,SAAS;YACd,OAAO,CAAC,GAAG,CAAC,cAAc;YAC1B,oBAAoB,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAE9C,oEAAoE;QACpE,sEAAsE;QACtE,iEAAiE;QACjE,uEAAuE;QACvE,IAAI,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAC/D,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,+DAA+D;gBAC/D,MAAM,EAAE,4BAA4B,EAAE,GAAG,wDAAa,uBAAuB,GAAC,CAAC;gBAC/E,WAAW,GAAG,MAAM,4BAA4B,EAAE,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,WAAW,GAAG,uBAAuB,CAAC;YACxC,CAAC;QACH,CAAC;QAED,MAAM,iBAAiB,GACrB,IAAI,CAAC,iBAAiB,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QAClE,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CACb,8DAA8D,CAC/D,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,QAAQ,CAAC,EAAE,CAAC;QACpD,MAAM,SAAS,GAAG,IAAA,mBAAQ,EAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC;QAE3D,MAAM,IAAI,GAAG;YACX,EAAE,EAAE,QAAQ,CAAC,EAAE;YACf,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,WAAW,EAAE,QAAQ,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YACzD,OAAO,EAAE,QAAQ,CAAC,OAAO;YACzB,SAAS;YACT,WAAW;YACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ;SACT,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,WAAW,gBAAgB,EAAE;YACtD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,iBAAiB,EAAE,WAAW;gBAC9B,sBAAsB,EAAE,SAAS;aAClC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACb,8BAA8B,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CACxD,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAqB,CAAC;QACtD,OAAO,CAAC,GAAG,CACT,4BAA4B,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,OAAO,OAAO,WAAW,eAAe,SAAS,GAAG,CACzG,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO,CAAC,IAAI,CACV,0DAA2D,GAAa,CAAC,OAAO,EAAE,CACnF,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,OAA0B,EAAE;IAC5D,sBAAsB,CAAC,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QAC9D,OAAO,CAAC,IAAI,CACV,sDAAuD,GAAa,CAAC,OAAO,EAAE,CAC/E,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/cjs/auth/index.d.ts

@@ -1,15 +1,45 @@
+export declare const JWT_ISSUER = "anby-auth-service";
+export declare const JWT_AUDIENCE = "anby-platform";
+export declare const TYP_USER = "user";
+export declare const TYP_INTERNAL = "internal";
+export declare const TYP_OAUTH_STATE = "oauth-state";
 export interface AuthUser {
     id: string;
     email: string;
     name?: string;
     tenantId: string;
 }
+/**
+ * Auth SDK config. Pass via configureAuth() before any verify* call.
+ *
+ * After PR4 cleanup, only the RS256 + HMAC fields exist:
+ *  - jwtPublicKey: REQUIRED for any user/internal token verification
+ *  - hmacSecret: REQUIRED for service-to-service HMAC (registry use case)
+ *
+ * For services that only verify JWTs and never use HMAC, pass only jwtPublicKey.
+ * For services that only use HMAC (e.g. app-registry), pass only hmacSecret.
+ */
 export interface AuthConfig {
-    jwtSecret: string;
-    internalApiSecret: string;
+    jwtPublicKey?: string;
+    hmacSecret?: string;
 }
+/**
+ * Configure the SDK's auth state. Call once at service boot, before any
+ * verify* call.
+ */
 export declare function configureAuth(config: AuthConfig): void;
-export declare function verifyJwt(token: string): AuthUser;
+/**
+ * Verify a user session JWT (RS256). CRITICAL (cross-token confusion fix):
+ * rejects tokens with typ != "user". An internal-token (typ:internal) or
+ * oauth-state token (typ:oauth-state) presented as a user session is rejected
+ * even if the signature, iss, aud, and exp would all validate.
+ */
+export declare function verifyUserJwt(token: string): AuthUser;
+/**
+ * Verify an internal-service JWT (RS256). CRITICAL: rejects tokens with
+ * typ != "internal".
+ */
+export declare function verifyInternalJwt(token: string): AuthUser;
 export declare function verifyHmac(userValue: string, signature: string): boolean;
 /**
  * Compute an HMAC signature for service-to-service calls. Pair the returned

package/dist/cjs/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/index.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAID,wBAAgB,aAAa,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,CAEtD;AAOD,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAcjD;AAED,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAOxE;AAED;;;;GAIG;AACH,wBAAgB,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAMnE;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,GAAG,IAAI,CAsCrE;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,CAStD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/index.ts"],"names":[],"mappings":"AAQA,eAAO,MAAM,UAAU,sBAAsB,CAAC;AAC9C,eAAO,MAAM,YAAY,kBAAkB,CAAC;AAC5C,eAAO,MAAM,QAAQ,SAAS,CAAC;AAC/B,eAAO,MAAM,YAAY,aAAa,CAAC;AACvC,eAAO,MAAM,eAAe,gBAAgB,CAAC;AAE7C,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;GASG;AACH,MAAM,WAAW,UAAU;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AASD;;;GAGG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,CAWtD;AAgBD;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAkBrD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAkBzD;AAED,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAaxE;AAED;;;;GAIG;AACH,wBAAgB,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAMnE;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,GAAG,IAAI,CA4CrE;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,CAStD"}

package/dist/cjs/auth/index.js

@@ -3,26 +3,45 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.TYP_OAUTH_STATE = exports.TYP_INTERNAL = exports.TYP_USER = exports.JWT_AUDIENCE = exports.JWT_ISSUER = void 0;
 exports.configureAuth = configureAuth;
-exports.verifyJwt = verifyJwt;
+exports.verifyUserJwt = verifyUserJwt;
+exports.verifyInternalJwt = verifyInternalJwt;
 exports.verifyHmac = verifyHmac;
 exports.signHmac = signHmac;
 exports.authenticateRequest = authenticateRequest;
 exports.requireAuth = requireAuth;
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const crypto_1 = __importDefault(require("crypto"));
+// JWT claim conventions for the asymmetric (RS256) auth path. Must match
+// anby-auth-service/src/auth/auth.service.ts. All RS256 tokens carry these
+// iss/aud/typ claims; all RS256 verifiers enforce them.
+//
+// PR4 cleanup: HS256 fallback paths removed. SDK is RS256-only.
+exports.JWT_ISSUER = 'anby-auth-service';
+exports.JWT_AUDIENCE = 'anby-platform';
+exports.TYP_USER = 'user';
+exports.TYP_INTERNAL = 'internal';
+exports.TYP_OAUTH_STATE = 'oauth-state';
 let _config = null;
+/**
+ * Configure the SDK's auth state. Call once at service boot, before any
+ * verify* call.
+ */
 function configureAuth(config) {
-    _config = config;
+    const jwtPublicKey = config.jwtPublicKey ?? null;
+    const hmacSecret = config.hmacSecret ?? null;
+    if (!jwtPublicKey && !hmacSecret) {
+        throw new Error('configureAuth: at least one of jwtPublicKey or hmacSecret must be set');
+    }
+    _config = { jwtPublicKey, hmacSecret };
 }
 function getConfig() {
     if (!_config)
         throw new Error('Auth not configured. Call configureAuth() first.');
     return _config;
 }
-function verifyJwt(token) {
-    const config = getConfig();
-    const payload = jsonwebtoken_1.default.verify(token, config.jwtSecret);
+function payloadToAuthUser(payload) {
     return {
         id: payload.sub,
         email: payload.email,
@@ -30,13 +49,68 @@ function verifyJwt(token) {
         tenantId: payload.tenantId || 'default',
     };
 }
+/**
+ * Verify a user session JWT (RS256). CRITICAL (cross-token confusion fix):
+ * rejects tokens with typ != "user". An internal-token (typ:internal) or
+ * oauth-state token (typ:oauth-state) presented as a user session is rejected
+ * even if the signature, iss, aud, and exp would all validate.
+ */
+function verifyUserJwt(token) {
+    const config = getConfig();
+    if (!config.jwtPublicKey) {
+        throw new Error('jwtPublicKey not configured');
+    }
+    if (!token || token.split('.').length !== 3) {
+        throw new Error('Invalid token format');
+    }
+    const payload = jsonwebtoken_1.default.verify(token, config.jwtPublicKey, {
+        algorithms: ['RS256'],
+        issuer: exports.JWT_ISSUER,
+        audience: exports.JWT_AUDIENCE,
+        clockTolerance: 30,
+    });
+    if (payload.typ !== exports.TYP_USER) {
+        throw new Error('Wrong token class for user verifier');
+    }
+    return payloadToAuthUser(payload);
+}
+/**
+ * Verify an internal-service JWT (RS256). CRITICAL: rejects tokens with
+ * typ != "internal".
+ */
+function verifyInternalJwt(token) {
+    const config = getConfig();
+    if (!config.jwtPublicKey) {
+        throw new Error('jwtPublicKey not configured');
+    }
+    if (!token || token.split('.').length !== 3) {
+        throw new Error('Invalid token format');
+    }
+    const payload = jsonwebtoken_1.default.verify(token, config.jwtPublicKey, {
+        algorithms: ['RS256'],
+        issuer: exports.JWT_ISSUER,
+        audience: exports.JWT_AUDIENCE,
+        clockTolerance: 30,
+    });
+    if (payload.typ !== exports.TYP_INTERNAL) {
+        throw new Error('Wrong token class for internal verifier');
+    }
+    return payloadToAuthUser(payload);
+}
 function verifyHmac(userValue, signature) {
     const config = getConfig();
+    if (!config.hmacSecret) {
+        throw new Error('HMAC not configured. Set hmacSecret in configureAuth().');
+    }
     const expected = crypto_1.default
-        .createHmac('sha256', config.internalApiSecret)
+        .createHmac('sha256', config.hmacSecret)
         .update(userValue)
         .digest('hex');
-    return crypto_1.default.timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
+    const expectedBuf = Buffer.from(expected);
+    const actualBuf = Buffer.from(signature);
+    if (expectedBuf.length !== actualBuf.length)
+        return false;
+    return crypto_1.default.timingSafeEqual(expectedBuf, actualBuf);
 }
 /**
  * Compute an HMAC signature for service-to-service calls. Pair the returned
@@ -44,47 +118,54 @@ function verifyHmac(userValue, signature) {
  * the receiving side calls `verifyHmac` with the same pair.
  */
 function signHmac(userValue, secret) {
-    const internalApiSecret = secret ?? getConfig().internalApiSecret;
-    return crypto_1.default
-        .createHmac('sha256', internalApiSecret)
-        .update(userValue)
-        .digest('hex');
+    const hmacSecret = secret ?? getConfig().hmacSecret;
+    if (!hmacSecret) {
+        throw new Error('HMAC not configured. Set hmacSecret in configureAuth().');
+    }
+    return crypto_1.default.createHmac('sha256', hmacSecret).update(userValue).digest('hex');
 }
 function authenticateRequest(request) {
-    // Try JWT from Authorization header
+    // Try JWT from Authorization header (user session)
     const authHeader = request.headers.get('authorization');
     if (authHeader?.startsWith('Bearer ')) {
         try {
-            return verifyJwt(authHeader.slice(7));
+            return verifyUserJwt(authHeader.slice(7));
         }
         catch {
             return null;
         }
     }
-    // Try JWT from cookie
+    // Try JWT from cookie (Remix/SSR path)
     const cookies = request.headers.get('cookie') || '';
     const authCookie = cookies.split(';').find(c => c.trim().startsWith('auth-token='));
     if (authCookie) {
         const token = authCookie.split('=')[1]?.trim();
         if (token) {
             try {
-                return verifyJwt(token);
+                return verifyUserJwt(token);
             }
             catch {
                 return null;
             }
         }
     }
-    // Try HMAC (service-to-service)
+    // Try HMAC (service-to-service). Only if hmacSecret is configured.
     const internalUser = request.headers.get('x-internal-user');
     const internalSig = request.headers.get('x-internal-signature');
-    if (internalUser && internalSig && verifyHmac(internalUser, internalSig)) {
-        return {
-            id: 'internal',
-            email: internalUser,
-            name: 'Internal Service',
-            tenantId: request.headers.get('x-tenant-id') || 'default',
-        };
+    if (internalUser && internalSig) {
+        try {
+            if (verifyHmac(internalUser, internalSig)) {
+                return {
+                    id: 'internal',
+                    email: internalUser,
+                    name: 'Internal Service',
+                    tenantId: request.headers.get('x-tenant-id') || 'default',
+                };
+            }
+        }
+        catch {
+            // hmacSecret not configured — fall through
+        }
     }
     return null;
 }

package/dist/cjs/auth/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/auth/index.ts"],"names":[],"mappings":";;;;;AAiBA,sCAEC;AAOD,8BAcC;AAED,gCAOC;AAOD,4BAMC;AAED,kDAsCC;AAED,kCASC;AAjHD,gEAA+B;AAC/B,oDAA4B;AAc5B,IAAI,OAAO,GAAsB,IAAI,CAAC;AAEtC,SAAgB,aAAa,CAAC,MAAkB;IAC9C,OAAO,GAAG,MAAM,CAAC;AACnB,CAAC;AAED,SAAS,SAAS;IAChB,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IAClF,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAgB,SAAS,CAAC,KAAa;IACrC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,SAAS,CAKjD,CAAC;IACF,OAAO;QACL,EAAE,EAAE,OAAO,CAAC,GAAG;QACf,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,SAAS;KACxC,CAAC;AACJ,CAAC;AAED,SAAgB,UAAU,CAAC,SAAiB,EAAE,SAAiB;IAC7D,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,QAAQ,GAAG,gBAAM;SACpB,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,iBAAiB,CAAC;SAC9C,MAAM,CAAC,SAAS,CAAC;SACjB,MAAM,CAAC,KAAK,CAAC,CAAC;IACjB,OAAO,gBAAM,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED;;;;GAIG;AACH,SAAgB,QAAQ,CAAC,SAAiB,EAAE,MAAe;IACzD,MAAM,iBAAiB,GAAG,MAAM,IAAI,SAAS,EAAE,CAAC,iBAAiB,CAAC;IAClE,OAAO,gBAAM;SACV,UAAU,CAAC,QAAQ,EAAE,iBAAiB,CAAC;SACvC,MAAM,CAAC,SAAS,CAAC;SACjB,MAAM,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED,SAAgB,mBAAmB,CAAC,OAAgB;IAClD,oCAAoC;IACpC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACxD,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACpD,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC;IACpF,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;QAC/C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC;gBACH,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC;YAC1B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAChE,IAAI,YAAY,IAAI,WAAW,IAAI,UAAU,CAAC,YAAY,EAAE,WAAW,CAAC,EAAE,CAAC;QACzE,OAAO;YACL,EAAE,EAAE,UAAU;YACd,KAAK,EAAE,YAAY;YACnB,IAAI,EAAE,kBAAkB;YACxB,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,SAAS;SAC1D,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAgB,WAAW,CAAC,OAAgB;IAC1C,MAAM,IAAI,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,EAAE;YAC5D,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;SAChD,CAAC,CAAC;IACL,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/auth/index.ts"],"names":[],"mappings":";;;;;;AA+CA,sCAWC;AAsBD,sCAkBC;AAMD,8CAkBC;AAED,gCAaC;AAOD,4BAMC;AAED,kDA4CC;AAED,kCASC;AA/MD,gEAA+B;AAC/B,oDAA4B;AAE5B,yEAAyE;AACzE,2EAA2E;AAC3E,wDAAwD;AACxD,EAAE;AACF,gEAAgE;AACnD,QAAA,UAAU,GAAG,mBAAmB,CAAC;AACjC,QAAA,YAAY,GAAG,eAAe,CAAC;AAC/B,QAAA,QAAQ,GAAG,MAAM,CAAC;AAClB,QAAA,YAAY,GAAG,UAAU,CAAC;AAC1B,QAAA,eAAe,GAAG,aAAa,CAAC;AA6B7C,IAAI,OAAO,GAA0B,IAAI,CAAC;AAE1C;;;GAGG;AACH,SAAgB,aAAa,CAAC,MAAkB;IAC9C,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,IAAI,IAAI,CAAC;IACjD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC;IAE7C,IAAI,CAAC,YAAY,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,uEAAuE,CACxE,CAAC;IACJ,CAAC;IAED,OAAO,GAAG,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC;AACzC,CAAC;AAED,SAAS,SAAS;IAChB,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IAClF,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAY;IACrC,OAAO;QACL,EAAE,EAAE,OAAO,CAAC,GAAG;QACf,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,SAAS;KACxC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,aAAa,CAAC,KAAa;IACzC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,EAAE;QACrD,UAAU,EAAE,CAAC,OAAO,CAAC;QACrB,MAAM,EAAE,kBAAU;QAClB,QAAQ,EAAE,oBAAY;QACtB,cAAc,EAAE,EAAE;KACnB,CAAQ,CAAC;IACV,IAAI,OAAO,CAAC,GAAG,KAAK,gBAAQ,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,KAAa;IAC7C,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,EAAE;QACrD,UAAU,EAAE,CAAC,OAAO,CAAC;QACrB,MAAM,EAAE,kBAAU;QAClB,QAAQ,EAAE,oBAAY;QACtB,cAAc,EAAE,EAAE;KACnB,CAAQ,CAAC;IACV,IAAI,OAAO,CAAC,GAAG,KAAK,oBAAY,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC;AACpC,CAAC;AAED,SAAgB,UAAU,CAAC,SAAiB,EAAE,SAAiB;IAC7D,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,MAAM,QAAQ,GAAG,gBAAM;SACpB,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;SACvC,MAAM,CAAC,SAAS,CAAC;SACjB,MAAM,CAAC,KAAK,CAAC,CAAC;IACjB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACzC,IAAI,WAAW,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1D,OAAO,gBAAM,CAAC,eAAe,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;AACxD,CAAC;AAED;;;;GAIG;AACH,SAAgB,QAAQ,CAAC,SAAiB,EAAE,MAAe;IACzD,MAAM,UAAU,GAAG,MAAM,IAAI,SAAS,EAAE,CAAC,UAAU,CAAC;IACpD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,gBAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACjF,CAAC;AAED,SAAgB,mBAAmB,CAAC,OAAgB;IAClD,mDAAmD;IACnD,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACxD,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,aAAa,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,uCAAuC;IACvC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACpD,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC;IACpF,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;QAC/C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC;gBACH,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC;YAC9B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAChE,IAAI,YAAY,IAAI,WAAW,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,IAAI,UAAU,CAAC,YAAY,EAAE,WAAW,CAAC,EAAE,CAAC;gBAC1C,OAAO;oBACL,EAAE,EAAE,UAAU;oBACd,KAAK,EAAE,YAAY;oBACnB,IAAI,EAAE,kBAAkB;oBACxB,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,SAAS;iBAC1D,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,2CAA2C;QAC7C,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAgB,WAAW,CAAC,OAAgB;IAC1C,MAAM,IAAI,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,EAAE;YAC5D,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;SAChD,CAAC,CAAC;IACL,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/cjs/bootstrap/cache.d.ts

@@ -0,0 +1,4 @@
+import type { CachedBootstrap } from './types.js';
+export declare function readCache(cacheDir: string, appId: string): Promise<CachedBootstrap | null>;
+export declare function writeCache(cacheDir: string, appId: string, entry: CachedBootstrap): Promise<void>;
+//# sourceMappingURL=cache.d.ts.map

package/dist/cjs/bootstrap/cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.d.ts","sourceRoot":"","sources":["../../../src/bootstrap/cache.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAuBlD,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAkBjC;AAED,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,IAAI,CAAC,CAOf"}

package/dist/cjs/bootstrap/cache.js

@@ -0,0 +1,52 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readCache = readCache;
+exports.writeCache = writeCache;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+/**
+ * Disk cache for the bootstrap discovery response. Used to make cold
+ * starts resilient when the platform discovery endpoint is briefly
+ * unreachable.
+ *
+ * Cache is per-app (keyed by appId so multiple apps in the same workdir
+ * don't collide). Atomic write via temp file + rename. File mode 0600 so
+ * the cache file is owner-only on POSIX systems.
+ *
+ * Format: JSON. Contains the discovery response and the auth public key
+ * PEM. Does NOT contain the per-app private key — that comes from the
+ * connection-string token at every boot.
+ */
+function cacheFilePath(cacheDir, appId) {
+    // Sanitize appId for filename safety: keep alphanumerics + dashes + dots,
+    // replace everything else with underscore.
+    const safeId = appId.replace(/[^a-zA-Z0-9.\-_]/g, '_');
+    return (0, node_path_1.join)(cacheDir, `bootstrap-${safeId}.json`);
+}
+async function readCache(cacheDir, appId) {
+    try {
+        const path = cacheFilePath(cacheDir, appId);
+        const raw = await node_fs_1.promises.readFile(path, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (typeof parsed?.fetchedAt !== 'string' ||
+            typeof parsed?.staleAt !== 'string' ||
+            !parsed?.discovery?.endpoints ||
+            typeof parsed?.authPublicKeyPem !== 'string') {
+            return null;
+        }
+        return parsed;
+    }
+    catch {
+        // ENOENT, parse error, anything — fall back to fresh fetch
+        return null;
+    }
+}
+async function writeCache(cacheDir, appId, entry) {
+    const path = cacheFilePath(cacheDir, appId);
+    await node_fs_1.promises.mkdir((0, node_path_1.dirname)(path), { recursive: true });
+    // Atomic write: stage to temp, rename. Rename is atomic on POSIX.
+    const tmp = `${path}.tmp.${process.pid}`;
+    await node_fs_1.promises.writeFile(tmp, JSON.stringify(entry, null, 2), { mode: 0o600 });
+    await node_fs_1.promises.rename(tmp, path);
+}
+//# sourceMappingURL=cache.js.map

package/dist/cjs/bootstrap/cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.js","sourceRoot":"","sources":["../../../src/bootstrap/cache.ts"],"names":[],"mappings":";;AAyBA,8BAqBC;AAED,gCAWC;AA3DD,qCAAyC;AACzC,yCAA0C;AAG1C;;;;;;;;;;;;GAYG;AAEH,SAAS,aAAa,CAAC,QAAgB,EAAE,KAAa;IACpD,0EAA0E;IAC1E,2CAA2C;IAC3C,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;IACvD,OAAO,IAAA,gBAAI,EAAC,QAAQ,EAAE,aAAa,MAAM,OAAO,CAAC,CAAC;AACpD,CAAC;AAEM,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,KAAa;IAEb,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;QAClD,IACE,OAAO,MAAM,EAAE,SAAS,KAAK,QAAQ;YACrC,OAAO,MAAM,EAAE,OAAO,KAAK,QAAQ;YACnC,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS;YAC7B,OAAO,MAAM,EAAE,gBAAgB,KAAK,QAAQ,EAC5C,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,2DAA2D;QAC3D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,UAAU,CAC9B,QAAgB,EAChB,KAAa,EACb,KAAsB;IAEtB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC5C,MAAM,kBAAE,CAAC,KAAK,CAAC,IAAA,mBAAO,EAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,kEAAkE;IAClE,MAAM,GAAG,GAAG,GAAG,IAAI,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;IACzC,MAAM,kBAAE,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzE,MAAM,kBAAE,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AAC7B,CAAC"}

package/dist/cjs/bootstrap/index.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Third-party app bootstrap (PLAN-app-bootstrap.md PR2).
+ *
+ * `bootstrapFromToken({ appToken })` is the SINGLE platform-init call a
+ * third-party app needs at boot. Given a connection-string token, it:
+ *
+ *   1. Parses the token (sync, no network) → appId, platformUrl, privateKey
+ *   2. Fetches GET ${platformUrl}/registry/discovery (cached on success)
+ *   3. Fetches GET ${endpoints.authPublicKeyUrl} (the user JWT verification key)
+ *   4. Configures the SDK's auth, platform, and entity-identity layers
+ *   5. Schedules a background refresh at 80% of cacheTtlSeconds
+ *
+ * After this returns, the app can use `requireAuth()`, `verifyUserJwt()`,
+ * `publishEvent()`, the entity client, etc. exactly as if it had been
+ * configured via the legacy env-based path.
+ *
+ * Cache: discovery is cached to disk so cold starts survive a brief
+ * registry outage. The token itself is NOT cached — it lives in the env
+ * var. Cached entries are per-app and contain only public information
+ * (URLs and the auth public key PEM, no secrets).
+ */
+import { ANBY_TOKEN_PREFIX, type AnbyAppToken, type DiscoveryResponse } from './types.js';
+export { ANBY_TOKEN_PREFIX, type AnbyAppToken, type DiscoveryResponse };
+/** For tests: clears the module-level bootstrap state so a fresh
+ *  bootstrapFromToken call re-runs from scratch. Not exported from the
+ *  root barrel. */
+export declare function _resetBootstrapForTests(): void;
+/**
+ * Returns the discovery response cached by the most recent successful
+ * bootstrapFromToken call. Throws if bootstrap has not yet started.
+ *
+ * Resolves the in-progress promise if bootstrap is still in flight, so
+ * callers can `await getDiscoveredEndpoints()` from anywhere safely.
+ */
+export declare function getDiscoveredEndpoints(): Promise<DiscoveryResponse['endpoints']>;
+/**
+ * Returns the registry HOST root (e.g. "http://localhost:3003"), without
+ * the /registry path suffix. Use this for callers that already append
+ * /registry/... themselves (autoPublishOnBoot, RegistryPublicKeyVerifier).
+ *
+ * Falls back to discovery.endpoints.registryUrl with /registry stripped
+ * if the registryBaseUrl field is missing (older registries that haven't
+ * deployed PR3 yet).
+ */
+export declare function getDiscoveredRegistryBaseUrl(): Promise<string>;
+export interface BootstrapOptions {
+    appToken: string;
+    /** Where to write the disk cache. Default: process.cwd() + "/.anby-cache". */
+    cacheDir?: string;
+    /** Override the discovery fetch (for tests). */
+    fetchImpl?: typeof fetch;
+}
+/**
+ * Parse an `anby_v1_<base64json>` token. Throws on malformed input.
+ *
+ * Sync, no network. Validates structure but does NOT verify the
+ * Ed25519 private key against any server — that happens later when the
+ * SDK tries to mint a scoped-token.
+ */
+export declare function parseAppToken(token: string): AnbyAppToken;
+/**
+ * The single bootstrap entrypoint a third-party app calls at boot.
+ *
+ * Idempotent: if called multiple times in the same process (e.g. once
+ * from entry.server.tsx and again from a refresh timer), the second call
+ * returns the same in-flight promise instead of starting a parallel
+ * bootstrap.
+ *
+ * @example
+ * ```ts
+ * import { bootstrapFromToken, requireAuth } from '@anby/platform-sdk';
+ *
+ * await bootstrapFromToken({ appToken: process.env.ANBY_APP_TOKEN! });
+ *
+ * app.get('/api/widgets', requireAuth(), handler);
+ * ```
+ */
+export declare function bootstrapFromToken(opts: BootstrapOptions): Promise<void>;
+//# sourceMappingURL=index.d.ts.map

package/dist/cjs/bootstrap/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/bootstrap/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAQH,OAAO,EACL,iBAAiB,EACjB,KAAK,YAAY,EAEjB,KAAK,iBAAiB,EACvB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,iBAAiB,EAAE,KAAK,YAAY,EAAE,KAAK,iBAAiB,EAAE,CAAC;AAiBxE;;mBAEmB;AACnB,wBAAgB,uBAAuB,IAAI,IAAI,CAE9C;AAED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CACrD,iBAAiB,CAAC,WAAW,CAAC,CAC/B,CAWA;AAED;;;;;;;;GAQG;AACH,wBAAsB,4BAA4B,IAAI,OAAO,CAAC,MAAM,CAAC,CAKpE;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,8EAA8E;IAC9E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gDAAgD;IAChD,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CAC1B;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAkDzD;AA2CD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAaxE"}