@apart-tech/intelligence-core 1.11.3 → 1.11.5

package/dist/auth/delegation-jwt.test.js

@@ -0,0 +1,283 @@
+import { SignJWT } from "jose";
+import { describe, expect, it } from "vitest";
+import { DELEGATION_ALGORITHM, DELEGATION_ISSUER, DELEGATION_KEY_MIN_BYTES, DELEGATION_TTL_SECONDS, DelegationKeyLoadError, DelegationTokenError, loadDelegationKeyFromEnv, mintDelegationToken, peekIssuer, verifyDelegationToken, } from "./delegation-jwt.js";
+// A fixed 32-byte key, re-used across round-trip tests. Using a fixed
+// value rather than random() keeps vitest failures reproducible when
+// the CI environment disagrees with local.
+const KEY_A = new Uint8Array(32).fill(0x11);
+const KEY_B = new Uint8Array(32).fill(0x22);
+const SPAWN_ARGS = {
+    agentRunId: "run-abc-123",
+    userId: "user-xyz-789",
+    organizationId: "org-def-456",
+};
+// ── Constants are source-visible ───────────────────────────────────────────
+describe("delegation-jwt constants", () => {
+    it("publishes the algorithm, TTL, issuer, and key size as module constants", () => {
+        // M6-style guardrail: the security bounds live in our source, not
+        // in a library default that a jose version bump could silently
+        // change. The values themselves are asserted so an accidental edit
+        // to the constants shows up as a failing test rather than a silent
+        // behavior change.
+        expect(DELEGATION_ALGORITHM).toBe("HS256");
+        expect(DELEGATION_TTL_SECONDS).toBe(15 * 60);
+        expect(DELEGATION_ISSUER).toBe("apart-intelligence");
+        expect(DELEGATION_KEY_MIN_BYTES).toBe(32);
+    });
+});
+// ── mint → verify round-trip ──────────────────────────────────────────────
+describe("mintDelegationToken + verifyDelegationToken — round trip", () => {
+    it("mints a token and verifies back to the original claims", async () => {
+        const now = 1_800_000_000; // fixed — no wall-clock dependence
+        const token = await mintDelegationToken({ ...SPAWN_ARGS, nowSeconds: now }, KEY_A);
+        const payload = await verifyDelegationToken(token, KEY_A);
+        expect(payload.sub).toBe(SPAWN_ARGS.agentRunId);
+        expect(payload.behalfOf).toBe(SPAWN_ARGS.userId);
+        expect(payload.organizationId).toBe(SPAWN_ARGS.organizationId);
+        expect(payload.iat).toBe(now);
+        expect(payload.exp).toBe(now + DELEGATION_TTL_SECONDS);
+    });
+    it("respects a custom TTL", async () => {
+        const now = 1_800_000_000;
+        const token = await mintDelegationToken({ ...SPAWN_ARGS, nowSeconds: now, ttlSeconds: 42 }, KEY_A);
+        const payload = await verifyDelegationToken(token, KEY_A);
+        expect(payload.exp - payload.iat).toBe(42);
+    });
+});
+// ── Signature verification ────────────────────────────────────────────────
+describe("verifyDelegationToken — signature checks", () => {
+    it("rejects a token signed with a different key as bad_signature", async () => {
+        const token = await mintDelegationToken(SPAWN_ARGS, KEY_A);
+        await expect(verifyDelegationToken(token, KEY_B)).rejects.toMatchObject({
+            name: "DelegationTokenError",
+            reason: "bad_signature",
+        });
+    });
+    it("rejects a tampered payload as bad_signature", async () => {
+        const token = await mintDelegationToken(SPAWN_ARGS, KEY_A);
+        // Flip a byte in the payload segment. The header and signature
+        // stay valid shape-wise, but the HMAC will not match.
+        const parts = token.split(".");
+        const payloadBytes = Buffer.from(parts[1], "base64url");
+        payloadBytes[0] = payloadBytes[0] ^ 0xff;
+        const tampered = [
+            parts[0],
+            payloadBytes.toString("base64url"),
+            parts[2],
+        ].join(".");
+        await expect(verifyDelegationToken(tampered, KEY_A)).rejects.toMatchObject({
+            reason: "bad_signature",
+        });
+    });
+});
+// ── Expiry ────────────────────────────────────────────────────────────────
+describe("verifyDelegationToken — expiry", () => {
+    it("rejects a token whose exp is in the past as expired", async () => {
+        // Mint with nowSeconds set 1 hour in the past and TTL of 1 second;
+        // the token is stale by the time we verify.
+        const now = Math.floor(Date.now() / 1000) - 3600;
+        const token = await mintDelegationToken({ ...SPAWN_ARGS, nowSeconds: now, ttlSeconds: 1 }, KEY_A);
+        await expect(verifyDelegationToken(token, KEY_A)).rejects.toMatchObject({
+            name: "DelegationTokenError",
+            reason: "expired",
+        });
+    });
+});
+// ── Issuer routing ────────────────────────────────────────────────────────
+describe("verifyDelegationToken — issuer", () => {
+    it("rejects a token whose iss is not apart-intelligence as wrong_issuer", async () => {
+        // Mint a token with a different issuer by constructing it
+        // directly with SignJWT — bypasses mintDelegationToken's hard-
+        // coded issuer so we can exercise the verify-side check.
+        const token = await new SignJWT({
+            behalfOf: SPAWN_ARGS.userId,
+            organizationId: SPAWN_ARGS.organizationId,
+        })
+            .setProtectedHeader({ alg: "HS256", typ: "JWT" })
+            .setIssuer("https://apart-next-dev.eu.auth0.com/")
+            .setSubject(SPAWN_ARGS.agentRunId)
+            .setIssuedAt()
+            .setExpirationTime("15m")
+            .sign(KEY_A);
+        await expect(verifyDelegationToken(token, KEY_A)).rejects.toMatchObject({
+            name: "DelegationTokenError",
+            reason: "wrong_issuer",
+        });
+    });
+    it("rejects a token with no iss at all as wrong_issuer", async () => {
+        const token = await new SignJWT({
+            behalfOf: SPAWN_ARGS.userId,
+            organizationId: SPAWN_ARGS.organizationId,
+        })
+            .setProtectedHeader({ alg: "HS256", typ: "JWT" })
+            .setSubject(SPAWN_ARGS.agentRunId)
+            .setIssuedAt()
+            .setExpirationTime("15m")
+            .sign(KEY_A);
+        await expect(verifyDelegationToken(token, KEY_A)).rejects.toMatchObject({
+            reason: "wrong_issuer",
+        });
+    });
+});
+// ── Malformed input ───────────────────────────────────────────────────────
+describe("verifyDelegationToken — malformed input", () => {
+    it("rejects a non-JWT string as malformed", async () => {
+        await expect(verifyDelegationToken("this is not a jwt", KEY_A)).rejects.toMatchObject({
+            name: "DelegationTokenError",
+            reason: "malformed",
+        });
+    });
+    it("rejects a two-segment string as malformed", async () => {
+        await expect(verifyDelegationToken("a.b", KEY_A)).rejects.toMatchObject({
+            reason: "malformed",
+        });
+    });
+    it("rejects an empty string as malformed", async () => {
+        await expect(verifyDelegationToken("", KEY_A)).rejects.toMatchObject({
+            reason: "malformed",
+        });
+    });
+});
+// ── Missing claims ────────────────────────────────────────────────────────
+describe("verifyDelegationToken — missing required claims", () => {
+    async function mintWithClaims(claims) {
+        return await new SignJWT(claims)
+            .setProtectedHeader({ alg: "HS256", typ: "JWT" })
+            .setIssuer(DELEGATION_ISSUER)
+            .setSubject("run-abc-123")
+            .setIssuedAt()
+            .setExpirationTime("15m")
+            .sign(KEY_A);
+    }
+    it("rejects when behalfOf is missing as missing_claim", async () => {
+        const token = await mintWithClaims({
+            organizationId: SPAWN_ARGS.organizationId,
+        });
+        await expect(verifyDelegationToken(token, KEY_A)).rejects.toMatchObject({
+            reason: "missing_claim",
+            detail: expect.stringContaining("behalfOf"),
+        });
+    });
+    it("rejects when organizationId is missing as missing_claim", async () => {
+        const token = await mintWithClaims({ behalfOf: SPAWN_ARGS.userId });
+        await expect(verifyDelegationToken(token, KEY_A)).rejects.toMatchObject({
+            reason: "missing_claim",
+            detail: expect.stringContaining("organizationId"),
+        });
+    });
+    it("rejects when sub is empty string as missing_claim", async () => {
+        // SignJWT requires setSubject() to be called with a non-empty
+        // string, but we can forge one by setting sub as a top-level
+        // claim and explicitly NOT calling setSubject. jose records the
+        // claim verbatim.
+        const token = await new SignJWT({
+            sub: "",
+            behalfOf: SPAWN_ARGS.userId,
+            organizationId: SPAWN_ARGS.organizationId,
+        })
+            .setProtectedHeader({ alg: "HS256", typ: "JWT" })
+            .setIssuer(DELEGATION_ISSUER)
+            .setIssuedAt()
+            .setExpirationTime("15m")
+            .sign(KEY_A);
+        await expect(verifyDelegationToken(token, KEY_A)).rejects.toMatchObject({
+            reason: "missing_claim",
+            detail: expect.stringContaining("sub"),
+        });
+    });
+});
+// ── peekIssuer ────────────────────────────────────────────────────────────
+describe("peekIssuer", () => {
+    it("returns the issuer of a well-formed delegation token", async () => {
+        const token = await mintDelegationToken(SPAWN_ARGS, KEY_A);
+        expect(peekIssuer(token)).toBe(DELEGATION_ISSUER);
+    });
+    it("returns the issuer of a shape-compatible Auth0 token", async () => {
+        // Auth0 tokens are RS256 but peekIssuer doesn't care — it just
+        // parses the payload segment.
+        const token = await new SignJWT({})
+            .setProtectedHeader({ alg: "HS256", typ: "JWT" })
+            .setIssuer("https://apart-next-dev.eu.auth0.com/")
+            .setSubject("auth0|u-1")
+            .setIssuedAt()
+            .setExpirationTime("15m")
+            .sign(KEY_A);
+        expect(peekIssuer(token)).toBe("https://apart-next-dev.eu.auth0.com/");
+    });
+    it("returns null for a token with no iss claim", async () => {
+        const token = await new SignJWT({ foo: "bar" })
+            .setProtectedHeader({ alg: "HS256", typ: "JWT" })
+            .setSubject("x")
+            .setIssuedAt()
+            .setExpirationTime("15m")
+            .sign(KEY_A);
+        expect(peekIssuer(token)).toBeNull();
+    });
+    it("returns null for a non-JWT string", () => {
+        expect(peekIssuer("not-a-jwt")).toBeNull();
+        expect(peekIssuer("a.b")).toBeNull();
+        expect(peekIssuer("")).toBeNull();
+    });
+    it("returns null for a JWT whose payload segment is not valid JSON", () => {
+        // Three segments but middle one is garbage.
+        const garbage = Buffer.from("not json").toString("base64url");
+        const token = `aGVhZGVy.${garbage}.c2ln`;
+        expect(peekIssuer(token)).toBeNull();
+    });
+});
+// ── loadDelegationKeyFromEnv ──────────────────────────────────────────────
+describe("loadDelegationKeyFromEnv", () => {
+    // Use explicit env records rather than mutating process.env so tests
+    // are hermetic. The production default (process.env) is covered by
+    // the one integration-style test below.
+    const validB64 = Buffer.from(new Uint8Array(32).fill(0x99)).toString("base64");
+    const shortB64 = Buffer.from(new Uint8Array(16).fill(0x99)).toString("base64");
+    it("decodes a valid 32-byte base64 key", () => {
+        const key = loadDelegationKeyFromEnv({
+            INTELLIGENCE_DELEGATION_JWT_KEY: validB64,
+        });
+        expect(key).toBeInstanceOf(Uint8Array);
+        expect(key.length).toBe(32);
+        expect(key[0]).toBe(0x99);
+    });
+    it("throws missing when the env var is absent", () => {
+        expect(() => loadDelegationKeyFromEnv({})).toThrow(DelegationKeyLoadError);
+        expect(() => loadDelegationKeyFromEnv({})).toThrow(/missing/);
+    });
+    it("throws missing when the env var is empty string", () => {
+        expect(() => loadDelegationKeyFromEnv({ INTELLIGENCE_DELEGATION_JWT_KEY: "" })).toThrow(/missing/);
+    });
+    it("throws too_short when the decoded key is under 32 bytes", () => {
+        expect(() => loadDelegationKeyFromEnv({ INTELLIGENCE_DELEGATION_JWT_KEY: shortB64 })).toThrow(DelegationKeyLoadError);
+        expect(() => loadDelegationKeyFromEnv({ INTELLIGENCE_DELEGATION_JWT_KEY: shortB64 })).toThrow(/too_short/);
+    });
+    it("treats gibberish that base64-decodes to < 32 bytes as too_short", () => {
+        // Buffer.from(..., "base64") silently drops invalid characters
+        // instead of throwing. A three-character string decodes to
+        // roughly 2 bytes — well under the minimum.
+        expect(() => loadDelegationKeyFromEnv({
+            INTELLIGENCE_DELEGATION_JWT_KEY: "abc",
+        })).toThrow(/too_short/);
+    });
+    it("mint+verify round-trips with a key loaded from env", async () => {
+        const key = loadDelegationKeyFromEnv({
+            INTELLIGENCE_DELEGATION_JWT_KEY: validB64,
+        });
+        const token = await mintDelegationToken(SPAWN_ARGS, key);
+        const payload = await verifyDelegationToken(token, key);
+        expect(payload.sub).toBe(SPAWN_ARGS.agentRunId);
+    });
+});
+// ── Classification of DelegationTokenError ───────────────────────────────
+describe("DelegationTokenError shape", () => {
+    it("is an Error subclass with reason and detail fields", () => {
+        const err = new DelegationTokenError("expired", "exp was 123");
+        expect(err).toBeInstanceOf(Error);
+        expect(err.name).toBe("DelegationTokenError");
+        expect(err.reason).toBe("expired");
+        expect(err.detail).toBe("exp was 123");
+        expect(err.message).toContain("expired");
+        expect(err.message).toContain("exp was 123");
+    });
+});
+//# sourceMappingURL=delegation-jwt.test.js.map

package/dist/auth/delegation-jwt.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"delegation-jwt.test.js","sourceRoot":"","sources":["../../src/auth/delegation-jwt.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/B,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,wBAAwB,EACxB,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,EACpB,wBAAwB,EACxB,mBAAmB,EACnB,UAAU,EACV,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAE7B,sEAAsE;AACtE,qEAAqE;AACrE,2CAA2C;AAC3C,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5C,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAE5C,MAAM,UAAU,GAAG;IACjB,UAAU,EAAE,aAAa;IACzB,MAAM,EAAE,cAAc;IACtB,cAAc,EAAE,aAAa;CAC9B,CAAC;AAEF,8EAA8E;AAE9E,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,EAAE,CAAC,wEAAwE,EAAE,GAAG,EAAE;QAChF,kEAAkE;QAClE,+DAA+D;QAC/D,mEAAmE;QACnE,mEAAmE;QACnE,mBAAmB;QACnB,MAAM,CAAC,oBAAoB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC3C,MAAM,CAAC,sBAAsB,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7C,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACrD,MAAM,CAAC,wBAAwB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,6EAA6E;AAE7E,QAAQ,CAAC,0DAA0D,EAAE,GAAG,EAAE;IACxE,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,GAAG,GAAG,aAAa,CAAC,CAAC,mCAAmC;QAC9D,MAAM,KAAK,GAAG,MAAM,mBAAmB,CACrC,EAAE,GAAG,UAAU,EAAE,UAAU,EAAE,GAAG,EAAE,EAClC,KAAK,CACN,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAE1D,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;QAC/D,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,GAAG,sBAAsB,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uBAAuB,EAAE,KAAK,IAAI,EAAE;QACrC,MAAM,GAAG,GAAG,aAAa,CAAC;QAC1B,MAAM,KAAK,GAAG,MAAM,mBAAmB,CACrC,EAAE,GAAG,UAAU,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,EAClD,KAAK,CACN,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAC1D,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,6EAA6E;AAE7E,QAAQ,CAAC,0CAA0C,EAAE,GAAG,EAAE;IACxD,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,KAAK,GAAG,MAAM,mBAAmB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAE3D,MAAM,MAAM,CAAC,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;YACtE,IAAI,EAAE,sBAAsB;YAC5B,MAAM,EAAE,eAAe;SACxB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,KAAK,GAAG,MAAM,mBAAmB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAC3D,+DAA+D;QAC/D,sDAAsD;QACtD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC;QACzD,YAAY,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,CAAC,CAAE,GAAG,IAAI,CAAC;QAC1C,MAAM,QAAQ,GAAG;YACf,KAAK,CAAC,CAAC,CAAC;YACR,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC;YAClC,KAAK,CAAC,CAAC,CAAC;SACT,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,MAAM,MAAM,CAAC,qBAAqB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;YACzE,MAAM,EAAE,eAAe;SACxB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,6EAA6E;AAE7E,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,mEAAmE;QACnE,4CAA4C;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;QACjD,MAAM,KAAK,GAAG,MAAM,mBAAmB,CACrC,EAAE,GAAG,UAAU,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,EAAE,EACjD,KAAK,CACN,CAAC;QAEF,MAAM,MAAM,CAAC,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;YACtE,IAAI,EAAE,sBAAsB;YAC5B,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,6EAA6E;AAE7E,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,0DAA0D;QAC1D,+DAA+D;QAC/D,yDAAyD;QACzD,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC;YAC9B,QAAQ,EAAE,UAAU,CAAC,MAAM;YAC3B,cAAc,EAAE,UAAU,CAAC,cAAc;SAC1C,CAAC;aACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;aAChD,SAAS,CAAC,sCAAsC,CAAC;aACjD,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC;aACjC,WAAW,EAAE;aACb,iBAAiB,CAAC,KAAK,CAAC;aACxB,IAAI,CAAC,KAAK,CAAC,CAAC;QAEf,MAAM,MAAM,CAAC,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;YACtE,IAAI,EAAE,sBAAsB;YAC5B,MAAM,EAAE,cAAc;SACvB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC;YAC9B,QAAQ,EAAE,UAAU,CAAC,MAAM;YAC3B,cAAc,EAAE,UAAU,CAAC,cAAc;SAC1C,CAAC;aACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;aAChD,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC;aACjC,WAAW,EAAE;aACb,iBAAiB,CAAC,KAAK,CAAC;aACxB,IAAI,CAAC,KAAK,CAAC,CAAC;QAEf,MAAM,MAAM,CAAC,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;YACtE,MAAM,EAAE,cAAc;SACvB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,6EAA6E;AAE7E,QAAQ,CAAC,yCAAyC,EAAE,GAAG,EAAE;IACvD,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,MAAM,CACV,qBAAqB,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAClD,CAAC,OAAO,CAAC,aAAa,CAAC;YACtB,IAAI,EAAE,sBAAsB;YAC5B,MAAM,EAAE,WAAW;SACpB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,MAAM,CAAC,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;YACtE,MAAM,EAAE,WAAW;SACpB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,MAAM,CAAC,qBAAqB,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;YACnE,MAAM,EAAE,WAAW;SACpB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,6EAA6E;AAE7E,QAAQ,CAAC,iDAAiD,EAAE,GAAG,EAAE;IAC/D,KAAK,UAAU,cAAc,CAAC,MAA+B;QAC3D,OAAO,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;aAC7B,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;aAChD,SAAS,CAAC,iBAAiB,CAAC;aAC5B,UAAU,CAAC,aAAa,CAAC;aACzB,WAAW,EAAE;aACb,iBAAiB,CAAC,KAAK,CAAC;aACxB,IAAI,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC;YACjC,cAAc,EAAE,UAAU,CAAC,cAAc;SAC1C,CAAC,CAAC;QACH,MAAM,MAAM,CAAC,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;YACtE,MAAM,EAAE,eAAe;YACvB,MAAM,EAAE,MAAM,CAAC,gBAAgB,CAAC,UAAU,CAAC;SAC5C,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,EAAE,QAAQ,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QACpE,MAAM,MAAM,CAAC,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;YACtE,MAAM,EAAE,eAAe;YACvB,MAAM,EAAE,MAAM,CAAC,gBAAgB,CAAC,gBAAgB,CAAC;SAClD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,8DAA8D;QAC9D,6DAA6D;QAC7D,gEAAgE;QAChE,kBAAkB;QAClB,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC;YAC9B,GAAG,EAAE,EAAE;YACP,QAAQ,EAAE,UAAU,CAAC,MAAM;YAC3B,cAAc,EAAE,UAAU,CAAC,cAAc;SAC1C,CAAC;aACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;aAChD,SAAS,CAAC,iBAAiB,CAAC;aAC5B,WAAW,EAAE;aACb,iBAAiB,CAAC,KAAK,CAAC;aACxB,IAAI,CAAC,KAAK,CAAC,CAAC;QAEf,MAAM,MAAM,CAAC,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;YACtE,MAAM,EAAE,eAAe;YACvB,MAAM,EAAE,MAAM,CAAC,gBAAgB,CAAC,KAAK,CAAC;SACvC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,6EAA6E;AAE7E,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;IAC1B,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,KAAK,GAAG,MAAM,mBAAmB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAC3D,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,+DAA+D;QAC/D,8BAA8B;QAC9B,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,EAAE,CAAC;aAChC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;aAChD,SAAS,CAAC,sCAAsC,CAAC;aACjD,UAAU,CAAC,WAAW,CAAC;aACvB,WAAW,EAAE;aACb,iBAAiB,CAAC,KAAK,CAAC;aACxB,IAAI,CAAC,KAAK,CAAC,CAAC;QAEf,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;aAC5C,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;aAChD,UAAU,CAAC,GAAG,CAAC;aACf,WAAW,EAAE;aACb,iBAAiB,CAAC,KAAK,CAAC;aACxB,IAAI,CAAC,KAAK,CAAC,CAAC;QACf,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC3C,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QACrC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,4CAA4C;QAC5C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC9D,MAAM,KAAK,GAAG,YAAY,OAAO,OAAO,CAAC;QACzC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACvC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,6EAA6E;AAE7E,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,qEAAqE;IACrE,mEAAmE;IACnE,wCAAwC;IACxC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/E,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAE/E,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,GAAG,GAAG,wBAAwB,CAAC;YACnC,+BAA+B,EAAE,QAAQ;SAC1C,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QACvC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC5B,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,GAAG,EAAE,CAAC,wBAAwB,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;QAC3E,MAAM,CAAC,GAAG,EAAE,CAAC,wBAAwB,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,CAAC,GAAG,EAAE,CACV,wBAAwB,CAAC,EAAE,+BAA+B,EAAE,EAAE,EAAE,CAAC,CAClE,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,CAAC,GAAG,EAAE,CACV,wBAAwB,CAAC,EAAE,+BAA+B,EAAE,QAAQ,EAAE,CAAC,CACxE,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;QAClC,MAAM,CAAC,GAAG,EAAE,CACV,wBAAwB,CAAC,EAAE,+BAA+B,EAAE,QAAQ,EAAE,CAAC,CACxE,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,+DAA+D;QAC/D,2DAA2D;QAC3D,4CAA4C;QAC5C,MAAM,CAAC,GAAG,EAAE,CACV,wBAAwB,CAAC;YACvB,+BAA+B,EAAE,KAAK;SACvC,CAAC,CACH,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,GAAG,GAAG,wBAAwB,CAAC;YACnC,+BAA+B,EAAE,QAAQ;SAC1C,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,mBAAmB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QACzD,MAAM,OAAO,GAAG,MAAM,qBAAqB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACxD,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,4EAA4E;AAE5E,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,GAAG,GAAG,IAAI,oBAAoB,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;QAC/D,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QAClC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC9C,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACvC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth/principal.d.ts

@@ -0,0 +1,94 @@
+/**
+ * The authenticated subject of every request. One of three concrete shapes,
+ * resolved by the API's auth middleware from whichever credential the request
+ * presents (session token, Auth0 JWT, or API key).
+ *
+ * Used by `buildAbility(principal)` in `./ability.ts` to produce a CASL
+ * `AppAbility` which is then consulted via `principal.can(action, subject)`
+ * everywhere in the API service layer.
+ *
+ * This type is the stable contract between the auth middleware, the
+ * authorization layer, and the downstream handlers. Extending it — adding a
+ * new shape, adding a field — is a cross-cutting change; do not do it
+ * casually.
+ *
+ * Naming note: the principal shapes are named `UserPrincipal`, `OrgAgentPrincipal`,
+ * and `DelegatedAgentPrincipal` rather than `User`/`OrgAgent`/`DelegatedAgent`
+ * to avoid colliding with the Prisma-generated `User` model (the DB row) which
+ * is already exported from `@apart-tech/intelligence-core`. The discriminator
+ * strings (`"user"`, `"org_agent"`, `"delegated_agent"`) stay terse.
+ */
+/** Role on `Membership` for a given organization. */
+export type Role = "owner" | "admin" | "member" | "none";
+/**
+ * A human user authenticated via Auth0. `organizationId` is null when the
+ * user has no memberships yet (pre-invite-acceptance) or has multiple
+ * memberships and has not selected one — those states are legal for a
+ * narrow set of routes (`/api/auth/me`, `/api/auth/claim`,
+ * `/api/invites/accept`).
+ */
+export interface UserPrincipal {
+    type: "user";
+    id: string;
+    email: string;
+    organizationId: string | null;
+    role: Role;
+}
+/**
+ * An org-scoped non-human agent. Today constructed either from a real row
+ * in the (future Phase 1c) `OrgAgentType` table via `auth0ClientId`, or
+ * synthetically from a legacy API key (`legacyApiKey = true`) whose ability
+ * matches current full-org-access behavior. Phase 1c tightens the latter by
+ * binding keys to real rows with `intrinsicPolicy` and `toolCatalogue`.
+ */
+export interface OrgAgentPrincipal {
+    type: "org_agent";
+    /**
+     * Row id in `OrgAgentType` once bound, or a synthetic id of the form
+     * `legacy-api-key:<apiKeyId>` while `legacyApiKey` is true.
+     */
+    id: string;
+    organizationId: string;
+    name: string;
+    /**
+     * True when this principal was constructed from a pre-Phase-1c API key
+     * binding. `buildAbility` grants a "full org access" ability for these.
+     * Phase 1c replaces this shortcut with a real agent binding.
+     */
+    legacyApiKey?: boolean;
+}
+/**
+ * An agent acting on behalf of a user within the scope of a specific
+ * `AgentRun`. Under Option B' (see `docs/superpowers/specs/2026-04-14-staging-cicd-environments.md`),
+ * the API resolves this principal by decoding an in-process delegation token,
+ * looking up the `AgentRun`, and rehydrating a CASL ability from
+ * `AgentRun.capturedAbility` — a snapshot of `intersect(user.ability, agent.intrinsicPolicy)`
+ * computed at spawn time.
+ *
+ * Phase 1b defines the type and the rehydration path. Phase 1d wires the
+ * actual delegation token format and the spawn-time intersection. Phase 1c
+ * adds the `AgentRun.captured_ability` column that persists the snapshot.
+ */
+export interface DelegatedAgentPrincipal {
+    type: "delegated_agent";
+    /** Row id of the `AgentRun` carrying this delegation. */
+    agentRunId: string;
+    /** The user the agent is acting for. */
+    behalfOfUserId: string;
+    organizationId: string;
+    /**
+     * CASL `RawRule[]` serialized from the spawn-time intersection. Typed as
+     * `unknown` here to avoid pulling CASL types into the Principal module;
+     * `buildAbility(delegatedAgent)` in `./ability.ts` narrows it.
+     */
+    capturedAbility: unknown;
+}
+/** Discriminated union of every principal shape the API knows how to build. */
+export type Principal = UserPrincipal | OrgAgentPrincipal | DelegatedAgentPrincipal;
+/** Narrow a `Principal` to `UserPrincipal`. */
+export declare function isUserPrincipal(p: Principal): p is UserPrincipal;
+/** Narrow a `Principal` to `OrgAgentPrincipal`. */
+export declare function isOrgAgentPrincipal(p: Principal): p is OrgAgentPrincipal;
+/** Narrow a `Principal` to `DelegatedAgentPrincipal`. */
+export declare function isDelegatedAgentPrincipal(p: Principal): p is DelegatedAgentPrincipal;
+//# sourceMappingURL=principal.d.ts.map

package/dist/auth/principal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../src/auth/principal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,qDAAqD;AACrD,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;AAEzD;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,IAAI,EAAE,IAAI,CAAC;CACZ;AAED;;;;;;GAMG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,WAAW,CAAC;IAClB;;;OAGG;IACH,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,MAAM,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,iBAAiB,CAAC;IACxB,yDAAyD;IACzD,UAAU,EAAE,MAAM,CAAC;IACnB,wCAAwC;IACxC,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED,+EAA+E;AAC/E,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,iBAAiB,GAAG,uBAAuB,CAAC;AAEpF,+CAA+C;AAC/C,wBAAgB,eAAe,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,IAAI,aAAa,CAEhE;AAED,mDAAmD;AACnD,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,IAAI,iBAAiB,CAExE;AAED,yDAAyD;AACzD,wBAAgB,yBAAyB,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,IAAI,uBAAuB,CAEpF"}

package/dist/auth/principal.js

@@ -0,0 +1,33 @@
+/**
+ * The authenticated subject of every request. One of three concrete shapes,
+ * resolved by the API's auth middleware from whichever credential the request
+ * presents (session token, Auth0 JWT, or API key).
+ *
+ * Used by `buildAbility(principal)` in `./ability.ts` to produce a CASL
+ * `AppAbility` which is then consulted via `principal.can(action, subject)`
+ * everywhere in the API service layer.
+ *
+ * This type is the stable contract between the auth middleware, the
+ * authorization layer, and the downstream handlers. Extending it — adding a
+ * new shape, adding a field — is a cross-cutting change; do not do it
+ * casually.
+ *
+ * Naming note: the principal shapes are named `UserPrincipal`, `OrgAgentPrincipal`,
+ * and `DelegatedAgentPrincipal` rather than `User`/`OrgAgent`/`DelegatedAgent`
+ * to avoid colliding with the Prisma-generated `User` model (the DB row) which
+ * is already exported from `@apart-tech/intelligence-core`. The discriminator
+ * strings (`"user"`, `"org_agent"`, `"delegated_agent"`) stay terse.
+ */
+/** Narrow a `Principal` to `UserPrincipal`. */
+export function isUserPrincipal(p) {
+    return p.type === "user";
+}
+/** Narrow a `Principal` to `OrgAgentPrincipal`. */
+export function isOrgAgentPrincipal(p) {
+    return p.type === "org_agent";
+}
+/** Narrow a `Principal` to `DelegatedAgentPrincipal`. */
+export function isDelegatedAgentPrincipal(p) {
+    return p.type === "delegated_agent";
+}
+//# sourceMappingURL=principal.js.map

package/dist/auth/principal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../src/auth/principal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AA0EH,+CAA+C;AAC/C,MAAM,UAAU,eAAe,CAAC,CAAY;IAC1C,OAAO,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;AAC3B,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,mBAAmB,CAAC,CAAY;IAC9C,OAAO,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC;AAChC,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,yBAAyB,CAAC,CAAY;IACpD,OAAO,CAAC,CAAC,IAAI,KAAK,iBAAiB,CAAC;AACtC,CAAC"}

package/dist/config/config.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=config.test.d.ts.map

package/dist/config/config.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.test.d.ts","sourceRoot":"","sources":["../../src/config/config.test.ts"],"names":[],"mappings":""}

package/dist/config/config.test.js

@@ -0,0 +1,57 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { loadConfig } from "./index.js";
+// The config module reads `process.env` directly. Each test restores the
+// relevant vars to whatever they were before the test started so tests
+// remain order-independent.
+const ENV_KEYS = ["ENVIRONMENT"];
+describe("loadConfig — environment (Phase 2)", () => {
+    const originalEnv = {};
+    beforeEach(() => {
+        for (const key of ENV_KEYS) {
+            originalEnv[key] = process.env[key];
+            delete process.env[key];
+        }
+    });
+    afterEach(() => {
+        for (const key of ENV_KEYS) {
+            if (originalEnv[key] === undefined) {
+                delete process.env[key];
+            }
+            else {
+                process.env[key] = originalEnv[key];
+            }
+        }
+        vi.restoreAllMocks();
+    });
+    it("defaults environment to 'local' when ENVIRONMENT is unset", () => {
+        const config = loadConfig();
+        expect(config.environment).toBe("local");
+    });
+    it("defaults environment to 'local' when ENVIRONMENT is the empty string", () => {
+        process.env.ENVIRONMENT = "";
+        const config = loadConfig();
+        expect(config.environment).toBe("local");
+    });
+    it.each(["local", "dev", "staging", "prod"])("respects ENVIRONMENT=%s", (value) => {
+        process.env.ENVIRONMENT = value;
+        const config = loadConfig();
+        expect(config.environment).toBe(value);
+    });
+    it("falls back to 'local' with a warn on an invalid ENVIRONMENT value", () => {
+        const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => { });
+        process.env.ENVIRONMENT = "production"; // common mistake — not in the union
+        const config = loadConfig();
+        expect(config.environment).toBe("local");
+        expect(warnSpy).toHaveBeenCalledTimes(1);
+        expect(warnSpy.mock.calls[0]?.[0]).toContain('ENVIRONMENT="production"');
+    });
+    it("does not warn on the valid values", () => {
+        const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => { });
+        for (const value of ["local", "dev", "staging", "prod"]) {
+            process.env.ENVIRONMENT = value;
+            loadConfig();
+        }
+        expect(warnSpy).not.toHaveBeenCalled();
+    });
+});
+//# sourceMappingURL=config.test.js.map

package/dist/config/config.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.test.js","sourceRoot":"","sources":["../../src/config/config.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC,yEAAyE;AACzE,uEAAuE;AACvE,4BAA4B;AAC5B,MAAM,QAAQ,GAAG,CAAC,aAAa,CAAU,CAAC;AAE1C,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,MAAM,WAAW,GAAuC,EAAE,CAAC;IAE3D,UAAU,CAAC,GAAG,EAAE;QACd,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,WAAW,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACpC,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,IAAI,WAAW,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;gBACnC,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC1B,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QACD,EAAE,CAAC,eAAe,EAAE,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,CAAU,CAAC,CACnD,yBAAyB,EACzB,CAAC,KAAK,EAAE,EAAE;QACR,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,KAAK,CAAC;QAChC,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,mEAAmE,EAAE,GAAG,EAAE;QAC3E,MAAM,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,YAAY,CAAC,CAAC,oCAAoC;QAC5E,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,CAAC,OAAO,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QACzC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACvE,KAAK,MAAM,KAAK,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,CAAU,EAAE,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,KAAK,CAAC;YAChC,UAAU,EAAE,CAAC;QACf,CAAC;QACD,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/config/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AA0DrD,wBAAgB,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,WAAW,CAyEpD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAe,MAAM,mBAAmB,CAAC;AA6ElE,wBAAgB,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,WAAW,CA0EpD"}

package/dist/config/index.js

@@ -1,7 +1,23 @@
 import { readFileSync, existsSync } from "node:fs";
 import { join } from "node:path";
 import { parse as parseYaml } from "yaml";
+const VALID_ENVIRONMENTS = [
+    "local",
+    "dev",
+    "staging",
+    "prod",
+];
+function parseEnvironment(raw) {
+    if (raw === undefined || raw === "")
+        return "local";
+    if (VALID_ENVIRONMENTS.includes(raw)) {
+        return raw;
+    }
+    console.warn(`[apart-intelligence/config] ENVIRONMENT="${raw}" is not one of ${VALID_ENVIRONMENTS.join(", ")} — falling back to "local"`);
+    return "local";
+}
 const DEFAULT_CONFIG = {
+    environment: "local",
     database: {
         url: "postgresql://localhost:5432/apart",
     },
@@ -71,6 +87,7 @@ export function loadConfig(cwd) {
         }
     }
     // Apply env overrides (always, even when YAML config exists)
+    config.environment = parseEnvironment(process.env.ENVIRONMENT);
     if (process.env.APART_DATABASE_URL) {
         config.database = { ...config.database, url: process.env.APART_DATABASE_URL };
     }

package/dist/config/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAG1C,MAAM,cAAc,GAAgB;IAClC,QAAQ,EAAE;QACR,GAAG,EAAE,mCAAmC;KACzC;IACD,UAAU,EAAE;QACV,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,wBAAwB;QAC/B,UAAU,EAAE,IAAI;QAChB,cAAc,EAAE,CAAC;QACjB,KAAK,EAAE;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,UAAU;SACpB;KACF;IACD,MAAM,EAAE;QACN,cAAc,EAAE,GAAG;QACnB,YAAY,EAAE,EAAE;QAChB,aAAa,EAAE,KAAK;KACrB;IACD,OAAO,EAAE;QACP,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,EAAE;QACZ,YAAY,EAAE,KAAK;KACpB;IACD,GAAG,EAAE;QACH,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,MAAM;KACb;IACD,OAAO,EAAE;QACP,IAAI,EAAE,aAAa;KACpB;CACF,CAAC;AAEF,SAAS,SAAS,CAChB,MAA2B,EAC3B,MAA2B;IAE3B,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,IACE,SAAS;YACT,OAAO,SAAS,KAAK,QAAQ;YAC7B,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YACzB,SAAS;YACT,OAAO,SAAS,KAAK,QAAQ,EAC7B,CAAC;YACD,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,GAAY;IACrC,MAAM,WAAW,GAAG;QAClB,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI;QACrC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,CAAC;QAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,EAAE,QAAQ,EAAE,aAAa,CAAC;QACtD,kBAAkB;QAClB,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC,IAAI;QAC1C,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,kBAAkB,CAAC;QACvC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,EAAE,aAAa,EAAE,aAAa,CAAC;KAC5D,CAAC,MAAM,CAAC,OAAO,CAAa,CAAC;IAE9B,IAAI,MAAM,GAAG,eAAe,CAAC,cAAc,CAAC,CAAC;IAE7C,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC9C,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAyB,CAAC;YACtD,MAAM,GAAG,SAAS,CAAC,cAAqB,EAAE,MAAa,CAAgB,CAAC;YACxE,MAAM;QACR,CAAC;IACH,CAAC;IAED,6DAA6D;IAC7D,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACnC,MAAM,CAAC,QAAQ,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC;IAChF,CAAC;SAAM,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QACpC,kBAAkB;QAClB,MAAM,CAAC,QAAQ,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;IAC1E,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACnC,MAAM,CAAC,UAAU,GAAG;YAClB,GAAG,MAAM,CAAC,UAAU;YACpB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB;SACzC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;QAChC,MAAM,CAAC,UAAU,GAAG;YAClB,GAAG,MAAM,CAAC,UAAU;YACpB,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;SACnC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;QAChC,MAAM,CAAC,UAAU,GAAG;YAClB,GAAG,MAAM,CAAC,UAAU;YACpB,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;SACrC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QAC7B,MAAM,CAAC,OAAO,GAAG;YACf,GAAG,MAAM,CAAC,OAAO;YACjB,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;SACzC,CAAC;IACJ,CAAC;SAAM,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;QACvC,kBAAkB;QAClB,MAAM,CAAC,OAAO,GAAG;YACf,GAAG,MAAM,CAAC,OAAO;YACjB,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;SAC5C,CAAC;IACJ,CAAC;IAED,qDAAqD;IACrD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAC7C,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IACjD,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAClD,IAAI,WAAW,IAAI,aAAa,IAAI,aAAa,EAAE,CAAC;QAClD,MAAM,CAAC,KAAK,GAAG;YACb,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,aAAa;YACvB,QAAQ,EAAE,aAAa;SACxB,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAG1C,MAAM,kBAAkB,GAA2B;IACjD,OAAO;IACP,KAAK;IACL,SAAS;IACT,MAAM;CACE,CAAC;AAEX,SAAS,gBAAgB,CAAC,GAAuB;IAC/C,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,EAAE;QAAE,OAAO,OAAO,CAAC;IACpD,IAAK,kBAAwC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5D,OAAO,GAAkB,CAAC;IAC5B,CAAC;IACD,OAAO,CAAC,IAAI,CACV,4CAA4C,GAAG,mBAAmB,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAC5H,CAAC;IACF,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,cAAc,GAAgB;IAClC,WAAW,EAAE,OAAO;IACpB,QAAQ,EAAE;QACR,GAAG,EAAE,mCAAmC;KACzC;IACD,UAAU,EAAE;QACV,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,wBAAwB;QAC/B,UAAU,EAAE,IAAI;QAChB,cAAc,EAAE,CAAC;QACjB,KAAK,EAAE;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,UAAU;SACpB;KACF;IACD,MAAM,EAAE;QACN,cAAc,EAAE,GAAG;QACnB,YAAY,EAAE,EAAE;QAChB,aAAa,EAAE,KAAK;KACrB;IACD,OAAO,EAAE;QACP,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,EAAE;QACZ,YAAY,EAAE,KAAK;KACpB;IACD,GAAG,EAAE;QACH,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,MAAM;KACb;IACD,OAAO,EAAE;QACP,IAAI,EAAE,aAAa;KACpB;CACF,CAAC;AAEF,SAAS,SAAS,CAChB,MAA2B,EAC3B,MAA2B;IAE3B,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,IACE,SAAS;YACT,OAAO,SAAS,KAAK,QAAQ;YAC7B,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YACzB,SAAS;YACT,OAAO,SAAS,KAAK,QAAQ,EAC7B,CAAC;YACD,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,GAAY;IACrC,MAAM,WAAW,GAAG;QAClB,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI;QACrC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,CAAC;QAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,EAAE,QAAQ,EAAE,aAAa,CAAC;QACtD,kBAAkB;QAClB,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC,IAAI;QAC1C,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,kBAAkB,CAAC;QACvC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,EAAE,aAAa,EAAE,aAAa,CAAC;KAC5D,CAAC,MAAM,CAAC,OAAO,CAAa,CAAC;IAE9B,IAAI,MAAM,GAAG,eAAe,CAAC,cAAc,CAAC,CAAC;IAE7C,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC9C,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAyB,CAAC;YACtD,MAAM,GAAG,SAAS,CAAC,cAAqB,EAAE,MAAa,CAAgB,CAAC;YACxE,MAAM;QACR,CAAC;IACH,CAAC;IAED,6DAA6D;IAC7D,MAAM,CAAC,WAAW,GAAG,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACnC,MAAM,CAAC,QAAQ,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC;IAChF,CAAC;SAAM,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QACpC,kBAAkB;QAClB,MAAM,CAAC,QAAQ,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;IAC1E,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACnC,MAAM,CAAC,UAAU,GAAG;YAClB,GAAG,MAAM,CAAC,UAAU;YACpB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB;SACzC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;QAChC,MAAM,CAAC,UAAU,GAAG;YAClB,GAAG,MAAM,CAAC,UAAU;YACpB,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;SACnC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;QAChC,MAAM,CAAC,UAAU,GAAG;YAClB,GAAG,MAAM,CAAC,UAAU;YACpB,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;SACrC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QAC7B,MAAM,CAAC,OAAO,GAAG;YACf,GAAG,MAAM,CAAC,OAAO;YACjB,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;SACzC,CAAC;IACJ,CAAC;SAAM,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;QACvC,kBAAkB;QAClB,MAAM,CAAC,OAAO,GAAG;YACf,GAAG,MAAM,CAAC,OAAO;YACjB,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;SAC5C,CAAC;IACJ,CAAC;IAED,qDAAqD;IACrD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAC7C,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IACjD,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAClD,IAAI,WAAW,IAAI,aAAa,IAAI,aAAa,EAAE,CAAC;QAClD,MAAM,CAAC,KAAK,GAAG;YACb,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,aAAa;YACvB,QAAQ,EAAE,aAAa;SACxB,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/index.d.ts

@@ -7,6 +7,12 @@ export { encryptAesGcm, decryptAesGcm, deriveKey, deriveKeyV2 } from "./lib/cryp
 export { getAgentKeySecret, getPiiKeySecret, getEmbeddingKeySecret } from "./lib/encryption-keys.js";
 export { verifyAuth0Jwt } from "./lib/jwt.js";
 export type { Auth0Config, Auth0JwtPayload } from "./lib/jwt.js";
+export type { Role, UserPrincipal, OrgAgentPrincipal, DelegatedAgentPrincipal, Principal, } from "./auth/principal.js";
+export { isUserPrincipal, isOrgAgentPrincipal, isDelegatedAgentPrincipal, } from "./auth/principal.js";
+export type { AppAction, AppSubject, AppAbility, AppRawRule } from "./auth/ability.js";
+export { buildAbility, intersect, UnsupportedIntersectionError, } from "./auth/ability.js";
+export type { DelegationTokenPayload, MintDelegationTokenArgs, DelegationTokenErrorReason, DelegationKeyLoadErrorReason, } from "./auth/delegation-jwt.js";
+export { DELEGATION_ALGORITHM, DELEGATION_ISSUER, DELEGATION_KEY_MIN_BYTES, DELEGATION_TTL_SECONDS, DelegationKeyLoadError, DelegationTokenError, loadDelegationKeyFromEnv, mintDelegationToken, peekIssuer, verifyDelegationToken, } from "./auth/delegation-jwt.js";
 export * from "./types/index.js";
 export { loadConfig } from "./config/index.js";
 export { NodeService } from "./services/node-service.js";
@@ -32,7 +38,11 @@ export type { OrgAgentTypeRecord, CreateOrgAgentTypeInput, UpdateOrgAgentTypeInp
 export { OrgMcpServerService } from "./services/org-mcp-server-service.js";
 export type { OrgMcpServerRecord, McpServerConfig, CreateOrgMcpServerInput, UpdateOrgMcpServerInput } from "./services/org-mcp-server-service.js";
 export { AgentRunService } from "./services/agent-run-service.js";
-export type { AgentRun } from "./services/agent-run-service.js";
+export type { AgentRun, AgentRunCreateInput } from "./services/agent-run-service.js";
+export { AuditEventService } from "./services/audit-event-service.js";
+export type { AuditAction, AuditResult, RecordAuditEventInput, } from "./services/audit-event-service.js";
+export { cancelOrphanedAgentRuns } from "./services/delegation-cleanup-service.js";
+export type { DelegationCleanupDb, CancelOrphanedAgentRunsResult, } from "./services/delegation-cleanup-service.js";
 export { AgentScheduleService } from "./services/agent-schedule-service.js";
 export type { AgentScheduleRecord, CreateAgentScheduleInput, UpdateAgentScheduleInput } from "./services/agent-schedule-service.js";
 export { CLI_REFERENCE } from "./services/agent-cli-reference.js";
@@ -43,6 +53,8 @@ export { MembershipService } from "./services/membership-service.js";
 export type { MembershipWithUser } from "./services/membership-service.js";
 export { InviteService } from "./services/invite-service.js";
 export type { Invite } from "./services/invite-service.js";
+export { UsageService } from "./services/usage-service.js";
+export type { UsageSnapshot, PlanLimits } from "./services/usage-service.js";
 export { createEmbeddingProvider, validateEmbeddingKey, OpenAIEmbeddingProvider, VoyageEmbeddingProvider, OllamaEmbeddingProvider } from "./providers/index.js";
 export type { CreateEmbeddingProviderOptions } from "./providers/index.js";
 export { BatchingEmbeddingProvider } from "./providers/batching.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AACjE,YAAY,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AACvF,YAAY,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAGpD,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACvF,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAGrG,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAGjE,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAG/C,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACnE,YAAY,EAAE,eAAe,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAC;AACnH,OAAO,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AACjE,OAAO,EAAE,yBAAyB,EAAE,MAAM,4CAA4C,CAAC;AACvF,OAAO,EAAE,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AACxE,YAAY,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AACvF,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5E,YAAY,EAAE,oBAAoB,EAAE,SAAS,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AACjH,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAC3E,YAAY,EAAE,YAAY,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,sCAAsC,CAAC;AACvG,YAAY,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,MAAM,4CAA4C,CAAC;AAChH,OAAO,EAAE,qBAAqB,EAAE,MAAM,wCAAwC,CAAC;AAC/E,YAAY,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,wCAAwC,CAAC;AACrG,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAC3E,YAAY,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,sCAAsC,CAAC;AACjI,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAC3E,YAAY,EAAE,kBAAkB,EAAE,eAAe,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,sCAAsC,CAAC;AAClJ,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAClE,YAAY,EAAE,QAAQ,EAAE,MAAM,iCAAiC,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5E,YAAY,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,sCAAsC,CAAC;AACpI,OAAO,EAAE,aAAa,EAAE,MAAM,mCAAmC,CAAC;AAClE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,EAAE,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AACrP,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AACzD,YAAY,EAAE,IAAI,EAAE,iBAAiB,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAC5G,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,YAAY,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,YAAY,EAAE,MAAM,EAAE,MAAM,8BAA8B,CAAC;AAG3D,OAAO,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAChK,YAAY,EAAE,8BAA8B,EAAE,MAAM,sBAAsB,CAAC;AAC3E,OAAO,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACpE,YAAY,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACpG,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AACjE,YAAY,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AACvF,YAAY,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAGpD,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACvF,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAGrG,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAGjE,YAAY,EACV,IAAI,EACJ,aAAa,EACb,iBAAiB,EACjB,uBAAuB,EACvB,SAAS,GACV,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,yBAAyB,GAC1B,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACvF,OAAO,EACL,YAAY,EACZ,SAAS,EACT,4BAA4B,GAC7B,MAAM,mBAAmB,CAAC;AAG3B,YAAY,EACV,sBAAsB,EACtB,uBAAuB,EACvB,0BAA0B,EAC1B,4BAA4B,GAC7B,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,wBAAwB,EACxB,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,EACpB,wBAAwB,EACxB,mBAAmB,EACnB,UAAU,EACV,qBAAqB,GACtB,MAAM,0BAA0B,CAAC;AAGlC,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAG/C,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACnE,YAAY,EAAE,eAAe,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAC;AACnH,OAAO,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AACjE,OAAO,EAAE,yBAAyB,EAAE,MAAM,4CAA4C,CAAC;AACvF,OAAO,EAAE,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AACxE,YAAY,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AACvF,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5E,YAAY,EAAE,oBAAoB,EAAE,SAAS,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AACjH,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAC3E,YAAY,EAAE,YAAY,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,sCAAsC,CAAC;AACvG,YAAY,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,MAAM,4CAA4C,CAAC;AAChH,OAAO,EAAE,qBAAqB,EAAE,MAAM,wCAAwC,CAAC;AAC/E,YAAY,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,wCAAwC,CAAC;AACrG,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAC3E,YAAY,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,sCAAsC,CAAC;AACjI,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAC3E,YAAY,EAAE,kBAAkB,EAAE,eAAe,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,sCAAsC,CAAC;AAClJ,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAClE,YAAY,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AACrF,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,YAAY,EACV,WAAW,EACX,WAAW,EACX,qBAAqB,GACtB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAAE,uBAAuB,EAAE,MAAM,0CAA0C,CAAC;AACnF,YAAY,EACV,mBAAmB,EACnB,6BAA6B,GAC9B,MAAM,0CAA0C,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5E,YAAY,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,sCAAsC,CAAC;AACpI,OAAO,EAAE,aAAa,EAAE,MAAM,mCAAmC,CAAC;AAClE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,EAAE,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AACrP,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AACzD,YAAY,EAAE,IAAI,EAAE,iBAAiB,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAC5G,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,YAAY,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,YAAY,EAAE,MAAM,EAAE,MAAM,8BAA8B,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAG7E,OAAO,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAChK,YAAY,EAAE,8BAA8B,EAAE,MAAM,sBAAsB,CAAC;AAC3E,OAAO,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACpE,YAAY,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACpG,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC"}