@aster-rpc/aster 0.1.2

package/dist/index.js

@@ -0,0 +1,101 @@
+/**
+ * @aster-rpc/aster -- Aster RPC framework for TypeScript.
+ *
+ * P2P services with type safety, streaming, and trust.
+ * Built on Iroh (QUIC, blobs, docs, gossip).
+ *
+ * Works with Node.js 20+, Bun 1.0+, and Deno (via Node compat).
+ * All examples use TypeScript; plain JavaScript works by omitting type annotations.
+ *
+ * @packageDocumentation
+ */
+// Status codes and errors
+export { StatusCode, statusName, RpcError, CancelledError, UnknownRpcError, InvalidArgumentError, DeadlineExceededError, NotFoundError, AlreadyExistsError, PermissionDeniedError, ResourceExhaustedError, FailedPreconditionError, AbortedError, OutOfRangeError, UnimplementedError, InternalError, UnavailableError, DataLossError, UnauthenticatedError, ContractViolationError, } from './status.js';
+// Types and enums
+export { SerializationMode, RpcPattern, RpcScope, RPC_ALPN, DEFAULT_BACKOFF, DEFAULT_RETRY, } from './types.js';
+// Security limits
+export { MAX_FRAME_SIZE, MAX_DECOMPRESSED_SIZE, DEFAULT_FRAME_READ_TIMEOUT_S, MAX_METADATA_ENTRIES, MAX_METADATA_TOTAL_BYTES, MAX_STATUS_MESSAGE_LEN, HEX_FIELD_LENGTHS, LimitExceeded, validateHexField, validateMetadata, validateStatusMessage, } from './limits.js';
+// Framing
+export { COMPRESSED, TRAILER, HEADER, ROW_SCHEMA, CALL, CANCEL, FramingError, writeFrame, readFrame, encodeFrame, decodeFrame, } from './framing.js';
+// Protocol types
+export { StreamHeader, CallHeader, RpcStatus } from './protocol.js';
+// Service metadata and registry
+export { SERVICE_INFO_KEY, METHOD_INFO_KEY, getServiceInfo, ServiceRegistry, getMethod, hasMethod, getDefaultRegistry, setDefaultRegistry, } from './service.js';
+// Metadata
+export { Metadata } from './metadata.js';
+// Decorators
+export { Service, Rpc, ServerStream, ClientStream, BidiStream, WireType, WIRE_TYPE_KEY, WIRE_TYPE_FIELDS_KEY, } from './decorators.js';
+// Codec
+export { JsonCodec, ForyCodec, DEFAULT_COMPRESSION_THRESHOLD, walkTypeGraph, wireType, resolveForyConfig, } from './codec.js';
+export { LocalTransport, MemRecvStream } from './transport/local.js';
+// Client
+export { createClient, createLocalClient, timeSleep, timeouts, ServiceClient, } from './client.js';
+// Interceptors
+export { CallContext, buildCallContext, applyRequestInterceptors, applyResponseInterceptors, applyErrorInterceptors, normalizeError, } from './interceptors/base.js';
+export { DeadlineInterceptor } from './interceptors/deadline.js';
+export { MetricsInterceptor } from './interceptors/metrics.js';
+export { RetryInterceptor } from './interceptors/retry.js';
+export { RateLimitInterceptor } from './interceptors/rate-limit.js';
+export { AuthInterceptor } from './interceptors/auth.js';
+export { CircuitBreakerInterceptor } from './interceptors/circuit-breaker.js';
+export { CompressionInterceptor } from './interceptors/compression.js';
+export { AuditLogInterceptor } from './interceptors/audit.js';
+export { CapabilityInterceptor } from './interceptors/capability.js';
+// Contract identity (delegated to Rust core via NAPI)
+export { canonicalXlangBytes, computeContractId, contractIdFromContract, contractIdFromJson, contractIdFromService, buildTypeGraph, fromServiceInfo, setNativeContract, TypeKind as ContractTypeKind, ContainerKind, TypeDefKind, MethodPattern, CapabilityKind, ScopeKind, } from './contract/identity.js';
+// Contract manifest and publication
+export { FatalContractMismatch, verifyManifestOrFatal, manifestToJson, manifestFromJson, extractMethodDescriptors, saveManifest, } from './contract/manifest.js';
+export { buildCollection, publishContract, uploadCollection, fetchFromCollection, fetchContract, } from './contract/publication.js';
+// Dynamic type factory
+export { DynamicTypeFactory, createDynamicType, } from './dynamic.js';
+// Session-scoped services (extended)
+export { SessionServer, SessionStub, createSession } from './session.js';
+// Transport implementations
+export { IrohTransport } from './transport/iroh.js';
+// Configuration
+export { configFromEnv, configFromFile, loadEndpointConfig, resolveRootPubkey, toEndpointConfig, loadIdentity, loadIdentityFile, findPeer, getProducerTokens, parseSimpleToml, printConfig, } from './config.js';
+// Logging
+export { AsterLogger, createLogger, withRequestContext, getRequestContext, } from './logging.js';
+// Health
+export { HealthServer, ConnectionMetrics as HealthConnectionMetrics, AdmissionMetrics as HealthAdmissionMetrics, getConnectionMetrics, getAdmissionMetrics, resetMetrics, checkHealth, checkReady, healthStatus, readyStatus, metricsSnapshot, } from './health.js';
+// High-level API
+export { AsterServer, AsterClientWrapper, ProxyClient, AdmissionDeniedError, } from './runtime.js';
+// @aster endpoint registration
+export { loadProducerTokens, resolveAsterAddress, startRegistrationLoop, } from './registration.js';
+// Capability helpers
+export { anyOf, allOf } from './capabilities.js';
+// Trust & Security
+export { generateKeypair, generateRootKeypair, loadPrivateKey, loadPublicKey, verifySignature, sign, verify, ATTR_ROLE, ATTR_NAME, canonicalJson, producerSigningBytes, consumerSigningBytes, credentialSigningBytes, signCredential, verifyCredentialSignature, hexToBytes, bytesToHex, } from './trust/credentials.js';
+export { verifyConsumerCredential, verifyProducerCredential, checkOffline, checkRuntime, admit, } from './trust/admission.js';
+export { AllowAllPolicy, DenyAllPolicy, MeshEndpointHook, CONSUMER_ADMISSION_ALPN, } from './trust/hooks.js';
+export { MeshState, saveMeshState, loadMeshState, } from './trust/mesh.js';
+// Producer admission
+export { handleProducerAdmission, serveProducerAdmission, PRODUCER_ADMISSION_ALPN, } from './trust/producer.js';
+// Nonce store
+export { InMemoryNonceStore, } from './trust/nonce.js';
+// RCAN validation
+export { evaluateCapability, extractCallerRoles, validateRcan, encodeRcan, decodeRcan, } from './trust/rcan.js';
+// IID (cloud identity)
+export { verifyIID, getIIDBackend, MockIIDBackend, AWSIIDBackend, GCPIIDBackend, AzureIIDBackend, ATTR_IID_PROVIDER, ATTR_IID_ACCOUNT, ATTR_IID_REGION, ATTR_IID_ROLE_ARN, } from './trust/iid.js';
+// Clock drift
+export { ClockDriftTracker, computeDrift, shouldIsolate, DEFAULT_CLOCK_DRIFT_CONFIG, } from './trust/clock.js';
+// Producer mesh gossip
+export { ProducerMessageType, deriveGossipTopic, producerMessageSigningBytes, signProducerMessage, verifyProducerMessage, handleProducerMessage, encodeIntroducePayload, encodeDepartPayload, encodeContractPublishedPayload, encodeLeaseUpdatePayload, startLeaseHeartbeat, runLeaseHeartbeat, } from './trust/gossip.js';
+// Mesh bootstrap
+export { startFoundingNode, joinMesh, applyAdmissionResponse, handleAdmissionRpc, handleProducerAdmissionConnection, makeEphemeralMeshState, } from './trust/bootstrap.js';
+// Connection & Admission Metrics (from metrics.ts)
+export { ConnectionMetrics, AdmissionMetrics } from './metrics.js';
+// RPC Server (QUIC accept loop)
+export { RpcServer } from './server.js';
+// Registry
+export { RegistryClient, registryKey, } from './registry/client.js';
+export { RegistryPublisher, } from './registry/publisher.js';
+export { RegistryACL, } from './registry/acl.js';
+export { RegistryGossip, } from './registry/gossip.js';
+export { contractKey, versionKey, channelKey, tagKey, leaseKey, leasePrefix, aclKey, configKey, REGISTRY_PREFIXES, } from './registry/keys.js';
+export { HealthStatus, GossipEventType, validate as validateHealthStatus, isLeaseFresh, isLeaseRoutable, } from './registry/models.js';
+// Consumer admission
+export { performAdmission, consumerCredToJson, consumerCredFromJson, handleConsumerAdmissionRpc, handleConsumerAdmissionConnection, serveConsumerAdmission, } from './trust/consumer.js';
+// Delegated admission (aster.admission ALPN)
+export { verifyAttestation, verifyToken, verifyProofOfPossession, buildChallengeBytes, handleDelegatedAdmissionConnection, } from './trust/delegated.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,0BAA0B;AAC1B,OAAO,EACL,UAAU,EACV,UAAU,EACV,QAAQ,EACR,cAAc,EACd,eAAe,EACf,oBAAoB,EACpB,qBAAqB,EACrB,aAAa,EACb,kBAAkB,EAClB,qBAAqB,EACrB,sBAAsB,EACtB,uBAAuB,EACvB,YAAY,EACZ,eAAe,EACf,kBAAkB,EAClB,aAAa,EACb,gBAAgB,EAChB,aAAa,EACb,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,aAAa,CAAC;AAErB,kBAAkB;AAClB,OAAO,EACL,iBAAiB,EACjB,UAAU,EACV,QAAQ,EACR,QAAQ,EACR,eAAe,EACf,aAAa,GAGd,MAAM,YAAY,CAAC;AAEpB,kBAAkB;AAClB,OAAO,EACL,cAAc,EACd,qBAAqB,EACrB,4BAA4B,EAC5B,oBAAoB,EACpB,wBAAwB,EACxB,sBAAsB,EACtB,iBAAiB,EACjB,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,aAAa,CAAC;AAErB,UAAU;AACV,OAAO,EACL,UAAU,EACV,OAAO,EACP,MAAM,EACN,UAAU,EACV,IAAI,EACJ,MAAM,EACN,YAAY,EACZ,UAAU,EACV,SAAS,EACT,WAAW,EACX,WAAW,GAEZ,MAAM,cAAc,CAAC;AAEtB,iBAAiB;AACjB,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAEpE,gCAAgC;AAChC,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,cAAc,EACd,eAAe,EACf,SAAS,EACT,SAAS,EACT,kBAAkB,EAClB,kBAAkB,GAInB,MAAM,cAAc,CAAC;AAEtB,WAAW;AACX,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAEzC,aAAa;AACb,OAAO,EACL,OAAO,EACP,GAAG,EACH,YAAY,EACZ,YAAY,EACZ,UAAU,EACV,QAAQ,EACR,aAAa,EACb,oBAAoB,GAGrB,MAAM,iBAAiB,CAAC;AAEzB,QAAQ;AACR,OAAO,EACL,SAAS,EACT,SAAS,EACT,6BAA6B,EAC7B,aAAa,EACb,QAAQ,EACR,iBAAiB,GAIlB,MAAM,YAAY,CAAC;AAQpB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErE,SAAS;AACT,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,SAAS,EACT,QAAQ,EACR,aAAa,GAGd,MAAM,aAAa,CAAC;AAErB,eAAe;AACf,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,wBAAwB,EACxB,yBAAyB,EACzB,sBAAsB,EACtB,cAAc,GAEf,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAyB,MAAM,8BAA8B,CAAC;AAC3F,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,yBAAyB,EAA8B,MAAM,mCAAmC,CAAC;AAC1G,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AACvE,OAAO,EAAE,mBAAmB,EAAoC,MAAM,yBAAyB,CAAC;AAChG,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAErE,sDAAsD;AACtD,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,sBAAsB,EACtB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,QAAQ,IAAI,gBAAgB,EAC5B,aAAa,EACb,WAAW,EACX,aAAa,EACb,cAAc,EACd,SAAS,GAIV,MAAM,wBAAwB,CAAC;AAEhC,oCAAoC;AACpC,OAAO,EAIL,qBAAqB,EACrB,qBAAqB,EACrB,cAAc,EACd,gBAAgB,EAChB,wBAAwB,EACxB,YAAY,GACb,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAEL,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,GACd,MAAM,2BAA2B,CAAC;AAEnC,uBAAuB;AACvB,OAAO,EACL,kBAAkB,EAClB,iBAAiB,GAElB,MAAM,cAAc,CAAC;AAEtB,qCAAqC;AACrC,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAEzE,4BAA4B;AAC5B,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD,gBAAgB;AAChB,OAAO,EACL,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,EACZ,gBAAgB,EAChB,QAAQ,EACR,iBAAiB,EACjB,eAAe,EACf,WAAW,GAGZ,MAAM,aAAa,CAAC;AAErB,UAAU;AACV,OAAO,EACL,WAAW,EACX,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,GAGlB,MAAM,cAAc,CAAC;AAEtB,SAAS;AACT,OAAO,EACL,YAAY,EACZ,iBAAiB,IAAI,uBAAuB,EAC5C,gBAAgB,IAAI,sBAAsB,EAC1C,oBAAoB,EACpB,mBAAmB,EACnB,YAAY,EACZ,WAAW,EACX,UAAU,EACV,YAAY,EACZ,WAAW,EACX,eAAe,GAGhB,MAAM,aAAa,CAAC;AAErB,iBAAiB;AACjB,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,oBAAoB,GAGrB,MAAM,cAAc,CAAC;AAEtB,+BAA+B;AAC/B,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,GAKtB,MAAM,mBAAmB,CAAC;AAE3B,qBAAqB;AACrB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAEjD,mBAAmB;AACnB,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,cAAc,EACd,aAAa,EACb,eAAe,EACf,IAAI,EACJ,MAAM,EACN,SAAS,EACT,SAAS,EAGT,aAAa,EACb,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,cAAc,EACd,yBAAyB,EACzB,UAAU,EACV,UAAU,GACX,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,wBAAwB,EACxB,wBAAwB,EACxB,YAAY,EACZ,YAAY,EACZ,KAAK,GAGN,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,cAAc,EACd,aAAa,EACb,gBAAgB,EAChB,uBAAuB,GAGxB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,SAAS,EACT,aAAa,EACb,aAAa,GAEd,MAAM,iBAAiB,CAAC;AAEzB,qBAAqB;AACrB,OAAO,EACL,uBAAuB,EACvB,sBAAsB,EACtB,uBAAuB,GAIxB,MAAM,qBAAqB,CAAC;AAE7B,cAAc;AACd,OAAO,EACL,kBAAkB,GAEnB,MAAM,kBAAkB,CAAC;AAE1B,kBAAkB;AAClB,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,YAAY,EACZ,UAAU,EACV,UAAU,GACX,MAAM,iBAAiB,CAAC;AAEzB,uBAAuB;AACvB,OAAO,EACL,SAAS,EACT,aAAa,EACb,cAAc,EACd,aAAa,EACb,aAAa,EACb,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,iBAAiB,GAElB,MAAM,gBAAgB,CAAC;AAExB,cAAc;AACd,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,aAAa,EACb,0BAA0B,GAE3B,MAAM,kBAAkB,CAAC;AAE1B,uBAAuB;AACvB,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,2BAA2B,EAC3B,mBAAmB,EACnB,qBAAqB,EACrB,qBAAqB,EACrB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,EAC9B,wBAAwB,EACxB,mBAAmB,EACnB,iBAAiB,GAGlB,MAAM,mBAAmB,CAAC;AAE3B,iBAAiB;AACjB,OAAO,EACL,iBAAiB,EACjB,QAAQ,EACR,sBAAsB,EACtB,kBAAkB,EAClB,iCAAiC,EACjC,sBAAsB,GAEvB,MAAM,sBAAsB,CAAC;AAE9B,mDAAmD;AACnD,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEnE,gCAAgC;AAChC,OAAO,EAAE,SAAS,EAAsB,MAAM,aAAa,CAAC;AAE5D,WAAW;AACX,OAAO,EACL,cAAc,EACd,WAAW,GAGZ,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,iBAAiB,GAElB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,WAAW,GACZ,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,cAAc,GACf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,WAAW,EACX,UAAU,EACV,UAAU,EACV,MAAM,EACN,QAAQ,EACR,WAAW,EACX,MAAM,EACN,SAAS,EACT,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,YAAY,EACZ,eAAe,EACf,QAAQ,IAAI,oBAAoB,EAChC,YAAY,EACZ,eAAe,GAKhB,MAAM,sBAAsB,CAAC;AAE9B,qBAAqB;AACrB,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,EACpB,0BAA0B,EAC1B,iCAAiC,EACjC,sBAAsB,GAKvB,MAAM,qBAAqB,CAAC;AAE7B,6CAA6C;AAC7C,OAAO,EACL,iBAAiB,EACjB,WAAW,EACX,uBAAuB,EACvB,mBAAmB,EACnB,kCAAkC,GAOnC,MAAM,sBAAsB,CAAC"}

package/dist/interceptors/audit.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Audit log interceptor — logs RPC calls for compliance/debugging.
+ */
+import type { Interceptor } from './base.js';
+import { CallContext } from './base.js';
+import { RpcError } from '../status.js';
+export type AuditLogFn = (entry: AuditEntry) => void;
+export interface AuditEntry {
+    timestamp: string;
+    service: string;
+    method: string;
+    callId: string;
+    peer: string | undefined;
+    status: 'started' | 'completed' | 'failed';
+    errorCode?: string;
+    errorMessage?: string;
+}
+export declare class AuditLogInterceptor implements Interceptor {
+    private log;
+    constructor(logFn?: AuditLogFn);
+    onRequest(ctx: CallContext, request: unknown): Promise<unknown>;
+    onResponse(ctx: CallContext, response: unknown): Promise<unknown>;
+    onError(ctx: CallContext, error: RpcError): Promise<RpcError>;
+}
+//# sourceMappingURL=audit.d.ts.map

package/dist/interceptors/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/interceptors/audit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAc,MAAM,cAAc,CAAC;AAEpD,MAAM,MAAM,UAAU,GAAG,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;AAErD,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,GAAG,SAAS,CAAC;IACzB,MAAM,EAAE,SAAS,GAAG,WAAW,GAAG,QAAQ,CAAC;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,qBAAa,mBAAoB,YAAW,WAAW;IACrD,OAAO,CAAC,GAAG,CAAa;gBAEZ,KAAK,CAAC,EAAE,UAAU;IAIxB,SAAS,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAY/D,UAAU,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAYjE,OAAO,CAAC,GAAG,EAAE,WAAW,EAAE,KAAK,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;CAapE"}

package/dist/interceptors/audit.js

@@ -0,0 +1,46 @@
+/**
+ * Audit log interceptor — logs RPC calls for compliance/debugging.
+ */
+import { statusName } from '../status.js';
+export class AuditLogInterceptor {
+    log;
+    constructor(logFn) {
+        this.log = logFn ?? ((entry) => console.log(JSON.stringify(entry)));
+    }
+    async onRequest(ctx, request) {
+        this.log({
+            timestamp: new Date().toISOString(),
+            service: ctx.service,
+            method: ctx.method,
+            callId: ctx.callId,
+            peer: ctx.peer,
+            status: 'started',
+        });
+        return request;
+    }
+    async onResponse(ctx, response) {
+        this.log({
+            timestamp: new Date().toISOString(),
+            service: ctx.service,
+            method: ctx.method,
+            callId: ctx.callId,
+            peer: ctx.peer,
+            status: 'completed',
+        });
+        return response;
+    }
+    async onError(ctx, error) {
+        this.log({
+            timestamp: new Date().toISOString(),
+            service: ctx.service,
+            method: ctx.method,
+            callId: ctx.callId,
+            peer: ctx.peer,
+            status: 'failed',
+            errorCode: statusName(error.code),
+            errorMessage: error.message,
+        });
+        return error;
+    }
+}
+//# sourceMappingURL=audit.js.map

package/dist/interceptors/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/interceptors/audit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,EAAY,UAAU,EAAE,MAAM,cAAc,CAAC;AAepD,MAAM,OAAO,mBAAmB;IACtB,GAAG,CAAa;IAExB,YAAY,KAAkB;QAC5B,IAAI,CAAC,GAAG,GAAG,KAAK,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACtE,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAgB,EAAE,OAAgB;QAChD,IAAI,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC;QACH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,GAAgB,EAAE,QAAiB;QAClD,IAAI,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM,EAAE,WAAW;SACpB,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAgB,EAAE,KAAe;QAC7C,IAAI,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM,EAAE,QAAQ;YAChB,SAAS,EAAE,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC;YACjC,YAAY,EAAE,KAAK,CAAC,OAAO;SAC5B,CAAC,CAAC;QACH,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/interceptors/auth.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Auth interceptor — injects or validates auth tokens in metadata.
+ */
+import type { Interceptor } from './base.js';
+import { CallContext } from './base.js';
+export declare class AuthInterceptor implements Interceptor {
+    private readonly tokenProvider?;
+    private readonly tokenValidator?;
+    private readonly headerKey;
+    constructor(tokenProvider?: (() => string | Promise<string>) | undefined, tokenValidator?: ((token: string) => boolean | Promise<boolean>) | undefined, headerKey?: string);
+    onRequest(ctx: CallContext, request: unknown): Promise<unknown>;
+}
+//# sourceMappingURL=auth.d.ts.map

package/dist/interceptors/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/interceptors/auth.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAGxC,qBAAa,eAAgB,YAAW,WAAW;IAE/C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;IAC/B,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;IAChC,OAAO,CAAC,QAAQ,CAAC,SAAS;gBAFT,aAAa,CAAC,GAAE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,aAAA,EAC9C,cAAc,CAAC,GAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,aAAA,EAC9D,SAAS,SAAkB;IAGxC,SAAS,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;CAqBtE"}

package/dist/interceptors/auth.js

@@ -0,0 +1,34 @@
+/**
+ * Auth interceptor — injects or validates auth tokens in metadata.
+ */
+import { RpcError, StatusCode } from '../status.js';
+export class AuthInterceptor {
+    tokenProvider;
+    tokenValidator;
+    headerKey;
+    constructor(tokenProvider, tokenValidator, headerKey = 'authorization') {
+        this.tokenProvider = tokenProvider;
+        this.tokenValidator = tokenValidator;
+        this.headerKey = headerKey;
+    }
+    async onRequest(ctx, request) {
+        // Client-side: inject token
+        if (this.tokenProvider) {
+            const token = await this.tokenProvider();
+            ctx.metadata[this.headerKey] = token;
+        }
+        // Server-side: validate token
+        if (this.tokenValidator) {
+            const token = ctx.metadata[this.headerKey];
+            if (!token) {
+                throw new RpcError(StatusCode.UNAUTHENTICATED, 'missing auth token');
+            }
+            const valid = await this.tokenValidator(token);
+            if (!valid) {
+                throw new RpcError(StatusCode.UNAUTHENTICATED, 'invalid auth token');
+            }
+        }
+        return request;
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/interceptors/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/interceptors/auth.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAEpD,MAAM,OAAO,eAAe;IAEP;IACA;IACA;IAHnB,YACmB,aAA8C,EAC9C,cAA8D,EAC9D,YAAY,eAAe;QAF3B,kBAAa,GAAb,aAAa,CAAiC;QAC9C,mBAAc,GAAd,cAAc,CAAgD;QAC9D,cAAS,GAAT,SAAS,CAAkB;IAC3C,CAAC;IAEJ,KAAK,CAAC,SAAS,CAAC,GAAgB,EAAE,OAAgB;QAChD,4BAA4B;QAC5B,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;YACzC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC;QACvC,CAAC;QAED,8BAA8B;QAC9B,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,eAAe,EAAE,oBAAoB,CAAC,CAAC;YACvE,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,eAAe,EAAE,oBAAoB,CAAC,CAAC;YACvE,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}

package/dist/interceptors/base.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Base interceptor primitives and helpers.
+ *
+ * Interceptors form a middleware chain for RPC calls:
+ * - Request path: interceptor1 -> interceptor2 -> ... -> handler
+ * - Response path: same order
+ * - Error path: reverse order (LIFO)
+ */
+import { RpcError } from '../status.js';
+import type { RpcPattern } from '../types.js';
+/** Context describing a single RPC invocation. */
+export declare class CallContext {
+    service: string;
+    method: string;
+    callId: string;
+    sessionId: string | undefined;
+    peer: string | undefined;
+    metadata: Record<string, string>;
+    attributes: Record<string, string>;
+    deadline: number | undefined;
+    isStreaming: boolean;
+    pattern: RpcPattern | undefined;
+    idempotent: boolean;
+    attempt: number;
+    constructor(init: {
+        service: string;
+        method: string;
+        callId?: string;
+        sessionId?: string;
+        peer?: string;
+        metadata?: Record<string, string>;
+        attributes?: Record<string, string>;
+        deadline?: number;
+        isStreaming?: boolean;
+        pattern?: RpcPattern;
+        idempotent?: boolean;
+        attempt?: number;
+    });
+    /** Seconds until deadline, or undefined if no deadline set. */
+    get remainingSeconds(): number | undefined;
+    /** True if deadline has passed. */
+    get expired(): boolean;
+}
+/** Base interceptor interface. */
+export interface Interceptor {
+    onRequest?(ctx: CallContext, request: unknown): Promise<unknown>;
+    onResponse?(ctx: CallContext, response: unknown): Promise<unknown>;
+    onError?(ctx: CallContext, error: RpcError): Promise<RpcError | null>;
+}
+/** Convert deadline epoch ms to Unix seconds, or undefined. */
+export declare function deadlineFromEpochMs(ms: number): number | undefined;
+/** Build a CallContext from common parameters. */
+export declare function buildCallContext(opts: {
+    service: string;
+    method: string;
+    metadata?: Record<string, string>;
+    deadlineEpochMs?: number;
+    peer?: string;
+    isStreaming?: boolean;
+    pattern?: RpcPattern;
+    idempotent?: boolean;
+    callId?: string;
+    sessionId?: string;
+    attributes?: Record<string, string>;
+}): CallContext;
+/** Apply request interceptors in order. */
+export declare function applyRequestInterceptors(interceptors: Interceptor[], ctx: CallContext, request: unknown): Promise<unknown>;
+/** Apply response interceptors in order. */
+export declare function applyResponseInterceptors(interceptors: Interceptor[], ctx: CallContext, response: unknown): Promise<unknown>;
+/** Apply error interceptors in reverse order (LIFO). */
+export declare function applyErrorInterceptors(interceptors: Interceptor[], ctx: CallContext, error: RpcError): Promise<RpcError | null>;
+/** Normalize any error into an RpcError. */
+export declare function normalizeError(error: unknown): RpcError;
+//# sourceMappingURL=base.d.ts.map

package/dist/interceptors/base.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.d.ts","sourceRoot":"","sources":["../../src/interceptors/base.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,QAAQ,EAAc,MAAM,cAAc,CAAC;AACpD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,kDAAkD;AAClD,qBAAa,WAAW;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,IAAI,EAAE,MAAM,GAAG,SAAS,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,WAAW,EAAE,OAAO,CAAC;IACrB,OAAO,EAAE,UAAU,GAAG,SAAS,CAAC;IAChC,UAAU,EAAE,OAAO,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;gBAEJ,IAAI,EAAE;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAClC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,OAAO,CAAC,EAAE,UAAU,CAAC;QACrB,UAAU,CAAC,EAAE,OAAO,CAAC;QACrB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB;IAeD,+DAA+D;IAC/D,IAAI,gBAAgB,IAAI,MAAM,GAAG,SAAS,CAGzC;IAED,mCAAmC;IACnC,IAAI,OAAO,IAAI,OAAO,CAGrB;CACF;AAED,kCAAkC;AAClC,MAAM,WAAW,WAAW;IAC1B,SAAS,CAAC,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACjE,UAAU,CAAC,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACnE,OAAO,CAAC,CAAC,GAAG,EAAE,WAAW,EAAE,KAAK,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;CACvE;AAED,+DAA+D;AAC/D,wBAAgB,mBAAmB,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAElE;AAED,kDAAkD;AAClD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,OAAO,CAAC,EAAE,UAAU,CAAC;IACrB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACrC,GAAG,WAAW,CAKd;AAED,2CAA2C;AAC3C,wBAAsB,wBAAwB,CAC5C,YAAY,EAAE,WAAW,EAAE,EAC3B,GAAG,EAAE,WAAW,EAChB,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,OAAO,CAAC,CAMlB;AAED,4CAA4C;AAC5C,wBAAsB,yBAAyB,CAC7C,YAAY,EAAE,WAAW,EAAE,EAC3B,GAAG,EAAE,WAAW,EAChB,QAAQ,EAAE,OAAO,GAChB,OAAO,CAAC,OAAO,CAAC,CAMlB;AAED,wDAAwD;AACxD,wBAAsB,sBAAsB,CAC1C,YAAY,EAAE,WAAW,EAAE,EAC3B,GAAG,EAAE,WAAW,EAChB,KAAK,EAAE,QAAQ,GACd,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAQ1B;AAED,4CAA4C;AAC5C,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,QAAQ,CASvD"}

package/dist/interceptors/base.js

@@ -0,0 +1,103 @@
+/**
+ * Base interceptor primitives and helpers.
+ *
+ * Interceptors form a middleware chain for RPC calls:
+ * - Request path: interceptor1 -> interceptor2 -> ... -> handler
+ * - Response path: same order
+ * - Error path: reverse order (LIFO)
+ */
+import { RpcError, StatusCode } from '../status.js';
+/** Context describing a single RPC invocation. */
+export class CallContext {
+    service;
+    method;
+    callId;
+    sessionId;
+    peer;
+    metadata;
+    attributes;
+    deadline; // Unix seconds
+    isStreaming;
+    pattern;
+    idempotent;
+    attempt;
+    constructor(init) {
+        this.service = init.service;
+        this.method = init.method;
+        this.callId = init.callId ?? crypto.randomUUID();
+        this.sessionId = init.sessionId;
+        this.peer = init.peer;
+        this.metadata = init.metadata ?? {};
+        this.attributes = init.attributes ?? {};
+        this.deadline = init.deadline;
+        this.isStreaming = init.isStreaming ?? false;
+        this.pattern = init.pattern;
+        this.idempotent = init.idempotent ?? false;
+        this.attempt = init.attempt ?? 1;
+    }
+    /** Seconds until deadline, or undefined if no deadline set. */
+    get remainingSeconds() {
+        if (this.deadline === undefined)
+            return undefined;
+        return Math.max(0, this.deadline - Date.now() / 1000);
+    }
+    /** True if deadline has passed. */
+    get expired() {
+        const remaining = this.remainingSeconds;
+        return remaining !== undefined && remaining <= 0;
+    }
+}
+/** Convert deadline epoch ms to Unix seconds, or undefined. */
+export function deadlineFromEpochMs(ms) {
+    return ms > 0 ? ms / 1000 : undefined;
+}
+/** Build a CallContext from common parameters. */
+export function buildCallContext(opts) {
+    return new CallContext({
+        ...opts,
+        deadline: deadlineFromEpochMs(opts.deadlineEpochMs ?? 0),
+    });
+}
+/** Apply request interceptors in order. */
+export async function applyRequestInterceptors(interceptors, ctx, request) {
+    let current = request;
+    for (const i of interceptors) {
+        if (i.onRequest)
+            current = await i.onRequest(ctx, current);
+    }
+    return current;
+}
+/** Apply response interceptors in order. */
+export async function applyResponseInterceptors(interceptors, ctx, response) {
+    let current = response;
+    for (const i of interceptors) {
+        if (i.onResponse)
+            current = await i.onResponse(ctx, current);
+    }
+    return current;
+}
+/** Apply error interceptors in reverse order (LIFO). */
+export async function applyErrorInterceptors(interceptors, ctx, error) {
+    let current = error;
+    for (let idx = interceptors.length - 1; idx >= 0; idx--) {
+        if (current === null)
+            return null;
+        const i = interceptors[idx];
+        if (i.onError)
+            current = await i.onError(ctx, current);
+    }
+    return current;
+}
+/** Normalize any error into an RpcError. */
+export function normalizeError(error) {
+    if (error instanceof RpcError)
+        return error;
+    if (error instanceof Error && error.name === 'TimeoutError') {
+        return new RpcError(StatusCode.DEADLINE_EXCEEDED, 'deadline exceeded');
+    }
+    if (error instanceof Error) {
+        return new RpcError(StatusCode.UNKNOWN, error.message);
+    }
+    return new RpcError(StatusCode.UNKNOWN, String(error));
+}
+//# sourceMappingURL=base.js.map

package/dist/interceptors/base.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.js","sourceRoot":"","sources":["../../src/interceptors/base.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAGpD,kDAAkD;AAClD,MAAM,OAAO,WAAW;IACtB,OAAO,CAAS;IAChB,MAAM,CAAS;IACf,MAAM,CAAS;IACf,SAAS,CAAqB;IAC9B,IAAI,CAAqB;IACzB,QAAQ,CAAyB;IACjC,UAAU,CAAyB;IACnC,QAAQ,CAAqB,CAAC,eAAe;IAC7C,WAAW,CAAU;IACrB,OAAO,CAAyB;IAChC,UAAU,CAAU;IACpB,OAAO,CAAS;IAEhB,YAAY,IAaX;QACC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAC5B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACjD,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACtB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACpC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC;QACxC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC9B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,KAAK,CAAC;QAC7C,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAC5B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,KAAK,CAAC;QAC3C,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,+DAA+D;IAC/D,IAAI,gBAAgB;QAClB,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS;YAAE,OAAO,SAAS,CAAC;QAClD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACxD,CAAC;IAED,mCAAmC;IACnC,IAAI,OAAO;QACT,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC;QACxC,OAAO,SAAS,KAAK,SAAS,IAAI,SAAS,IAAI,CAAC,CAAC;IACnD,CAAC;CACF;AASD,+DAA+D;AAC/D,MAAM,UAAU,mBAAmB,CAAC,EAAU;IAC5C,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AACxC,CAAC;AAED,kDAAkD;AAClD,MAAM,UAAU,gBAAgB,CAAC,IAYhC;IACC,OAAO,IAAI,WAAW,CAAC;QACrB,GAAG,IAAI;QACP,QAAQ,EAAE,mBAAmB,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,CAAC;KACzD,CAAC,CAAC;AACL,CAAC;AAED,2CAA2C;AAC3C,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,YAA2B,EAC3B,GAAgB,EAChB,OAAgB;IAEhB,IAAI,OAAO,GAAG,OAAO,CAAC;IACtB,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,SAAS;YAAE,OAAO,GAAG,MAAM,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,4CAA4C;AAC5C,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,YAA2B,EAC3B,GAAgB,EAChB,QAAiB;IAEjB,IAAI,OAAO,GAAG,QAAQ,CAAC;IACvB,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,UAAU;YAAE,OAAO,GAAG,MAAM,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC/D,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,wDAAwD;AACxD,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,YAA2B,EAC3B,GAAgB,EAChB,KAAe;IAEf,IAAI,OAAO,GAAoB,KAAK,CAAC;IACrC,KAAK,IAAI,GAAG,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,CAAC;QACxD,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAClC,MAAM,CAAC,GAAG,YAAY,CAAC,GAAG,CAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,OAAO;YAAE,OAAO,GAAG,MAAM,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,cAAc,CAAC,KAAc;IAC3C,IAAI,KAAK,YAAY,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QAC5D,OAAO,IAAI,QAAQ,CAAC,UAAU,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;QAC3B,OAAO,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AACzD,CAAC"}

package/dist/interceptors/capability.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Capability interceptor — validates method-level access control.
+ *
+ * Checks that the caller's role (from admission attributes) satisfies
+ * the method's capability requirement.
+ */
+import type { Interceptor } from './base.js';
+import { CallContext } from './base.js';
+import type { CapabilityRequirement } from '../service.js';
+export declare class CapabilityInterceptor implements Interceptor {
+    private requirements;
+    /** Register a capability requirement for a method. */
+    setRequirement(service: string, method: string, req: CapabilityRequirement | string): void;
+    onRequest(ctx: CallContext, request: unknown): Promise<unknown>;
+}
+//# sourceMappingURL=capability.d.ts.map

package/dist/interceptors/capability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability.d.ts","sourceRoot":"","sources":["../../src/interceptors/capability.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAExC,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAoB3D,qBAAa,qBAAsB,YAAW,WAAW;IACvD,OAAO,CAAC,YAAY,CAA4C;IAEhE,sDAAsD;IACtD,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,qBAAqB,GAAG,MAAM,GAAG,IAAI;IAOpF,SAAS,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;CA4BtE"}

package/dist/interceptors/capability.js

@@ -0,0 +1,63 @@
+/**
+ * Capability interceptor — validates method-level access control.
+ *
+ * Checks that the caller's role (from admission attributes) satisfies
+ * the method's capability requirement.
+ */
+import { RpcError, StatusCode } from '../status.js';
+/**
+ * Normalise a `requires` value to a `CapabilityRequirement` object.
+ *
+ * `@Rpc({ requires: Role.ADMIN })` passes a bare string for the common
+ * single-role case; `anyOf()`/`allOf()` produce a structured object. Both
+ * forms are accepted here so the interceptor logic stays uniform.
+ */
+function normaliseRequirement(req) {
+    if (req == null)
+        return null;
+    if (typeof req === 'string') {
+        return { kind: 'role', roles: [req] };
+    }
+    if (typeof req === 'object' && req !== null && 'kind' in req && 'roles' in req) {
+        return req;
+    }
+    return null;
+}
+export class CapabilityInterceptor {
+    requirements = new Map();
+    /** Register a capability requirement for a method. */
+    setRequirement(service, method, req) {
+        const normalised = normaliseRequirement(req);
+        if (normalised) {
+            this.requirements.set(`${service}/${method}`, normalised);
+        }
+    }
+    async onRequest(ctx, request) {
+        const key = `${ctx.service}/${ctx.method}`;
+        const req = this.requirements.get(key);
+        if (!req)
+            return request;
+        // aster.role is a comma-separated list: "ops.status,ops.logs,ops.admin"
+        const roleStr = ctx.attributes['aster.role'] ?? '';
+        const callerRoles = new Set(roleStr.split(',').map(r => r.trim()).filter(Boolean));
+        switch (req.kind) {
+            case 'role':
+                if (!callerRoles.has(req.roles[0])) {
+                    throw new RpcError(StatusCode.PERMISSION_DENIED, `requires role: ${req.roles.join(', ')}`);
+                }
+                break;
+            case 'any_of':
+                if (!req.roles.some(r => callerRoles.has(r))) {
+                    throw new RpcError(StatusCode.PERMISSION_DENIED, `requires any of: ${req.roles.join(', ')}`);
+                }
+                break;
+            case 'all_of':
+                if (!req.roles.every(r => callerRoles.has(r))) {
+                    throw new RpcError(StatusCode.PERMISSION_DENIED, `requires all of: ${req.roles.join(', ')}`);
+                }
+                break;
+        }
+        return request;
+    }
+}
+//# sourceMappingURL=capability.js.map

package/dist/interceptors/capability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability.js","sourceRoot":"","sources":["../../src/interceptors/capability.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAGpD;;;;;;GAMG;AACH,SAAS,oBAAoB,CAAC,GAAY;IACxC,IAAI,GAAG,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAC7B,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IACxC,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,IAAI,MAAM,IAAI,GAAG,IAAI,OAAO,IAAI,GAAG,EAAE,CAAC;QAC/E,OAAO,GAA4B,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,OAAO,qBAAqB;IACxB,YAAY,GAAG,IAAI,GAAG,EAAiC,CAAC;IAEhE,sDAAsD;IACtD,cAAc,CAAC,OAAe,EAAE,MAAc,EAAE,GAAmC;QACjF,MAAM,UAAU,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,OAAO,IAAI,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAgB,EAAE,OAAgB;QAChD,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,GAAG;YAAE,OAAO,OAAO,CAAC;QAEzB,wEAAwE;QACxE,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAEnF,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC;YACjB,KAAK,MAAM;gBACT,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,EAAE,CAAC;oBACpC,MAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,iBAAiB,EAAE,kBAAkB,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC7F,CAAC;gBACD,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC7C,MAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,iBAAiB,EAAE,oBAAoB,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC/F,CAAC;gBACD,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC9C,MAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,iBAAiB,EAAE,oBAAoB,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC/F,CAAC;gBACD,MAAM;QACV,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}

package/dist/interceptors/circuit-breaker.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Circuit breaker interceptor — stops sending requests to failing services.
+ *
+ * States: CLOSED (normal) -> OPEN (failing) -> HALF_OPEN (probe) -> CLOSED
+ */
+import type { Interceptor } from './base.js';
+import { CallContext } from './base.js';
+import { RpcError } from '../status.js';
+type State = 'closed' | 'open' | 'half_open';
+export interface CircuitBreakerOptions {
+    failureThreshold?: number;
+    resetTimeoutMs?: number;
+    halfOpenMaxCalls?: number;
+}
+export declare class CircuitBreakerInterceptor implements Interceptor {
+    private state;
+    private failures;
+    private lastFailure;
+    private halfOpenCalls;
+    private readonly failureThreshold;
+    private readonly resetTimeoutMs;
+    private readonly halfOpenMaxCalls;
+    constructor(opts?: CircuitBreakerOptions);
+    onRequest(_ctx: CallContext, request: unknown): Promise<unknown>;
+    onResponse(_ctx: CallContext, response: unknown): Promise<unknown>;
+    onError(_ctx: CallContext, error: RpcError): Promise<RpcError>;
+    /** Current circuit state. */
+    get currentState(): State;
+    /**
+     * Pre-call gate check — throws if circuit is open.
+     * Alias for the logic in onRequest(), callable without a full call context.
+     */
+    beforeCall(): void;
+    /** Record a successful call — resets the failure count. */
+    recordSuccess(): void;
+    /** Record a failed call — may open the circuit. */
+    recordFailure(): void;
+}
+export {};
+//# sourceMappingURL=circuit-breaker.d.ts.map

package/dist/interceptors/circuit-breaker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"circuit-breaker.d.ts","sourceRoot":"","sources":["../../src/interceptors/circuit-breaker.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAc,MAAM,cAAc,CAAC;AAEpD,KAAK,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,WAAW,CAAC;AAE7C,MAAM,WAAW,qBAAqB;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,yBAA0B,YAAW,WAAW;IAC3D,OAAO,CAAC,KAAK,CAAmB;IAChC,OAAO,CAAC,QAAQ,CAAK;IACrB,OAAO,CAAC,WAAW,CAAK;IACxB,OAAO,CAAC,aAAa,CAAK;IAE1B,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;gBAE9B,IAAI,GAAE,qBAA0B;IAMtC,SAAS,CAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAkBhE,UAAU,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAQlE,OAAO,CAAC,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IASpE,6BAA6B;IAC7B,IAAI,YAAY,IAAI,KAAK,CAExB;IAED;;;OAGG;IACH,UAAU,IAAI,IAAI;IAelB,2DAA2D;IAC3D,aAAa,IAAI,IAAI;IAKrB,mDAAmD;IACnD,aAAa,IAAI,IAAI;CAOtB"}