@astrale-os/sdk 0.1.0 → 0.1.2

package/dist/auth/verify.js

@@ -0,0 +1,96 @@
+/**
+ * Inbound credential verification.
+ *
+ * Uses kernel-core's credential verification infrastructure
+ * (CredentialMethodResolver, MethodRegistry) instead of manual JWT handling.
+ * Not tied to JWT — supports any credential method kernel-core provides.
+ */
+import { CredentialMethodResolver, MethodRegistry, verifyAudience, verifyCredential, } from '@astrale-os/kernel-core';
+import { createLocalJWKSet, createRemoteJWKSet } from 'jose';
+import { derivePublicJwk } from '../server/jwks';
+import { canonicalizeServingUrl } from '../server/serving-url';
+const methodResolver = new CredentialMethodResolver(new MethodRegistry());
+/**
+ * Build the key resolver for one verifying server. Captures `config` so it can
+ * short-circuit the server's OWN issuer (`config.issuer`): a self-issued
+ * credential is verified against the in-memory public key, never fetched — a
+ * Worker can't fetch its own hostname, and it already holds the key. Every other
+ * issuer is resolved live via JWKS (`createRemoteJWKSet`).
+ */
+function makeResolveKeys(config) {
+    // The worker's own canonical iss. STRICT: `config.issuer` is the serving URL
+    // by contract (both producers — buildIdentityMap / buildAuxIdentityMap — feed
+    // it `canonicalizeServingUrl(config.url)`), so a value that doesn't parse is
+    // a construction-time config error. Swallowing it would silently disable
+    // self-verification and route self-issued credentials to a JWKS fetch on the
+    // worker's own hostname — which Cloudflare forbids — turning a config bug
+    // into an opaque per-call failure.
+    const selfIssuer = canonicalizeServingUrl(config.issuer);
+    // TODO(cache): Re-add JWKS caching with a short TTL or kid-miss retry.
+    // A prior implementation cached `createRemoteJWKSet` per issuer URL
+    // indefinitely. jose's internal cache (30s cooldown, 10min max-age) caused
+    // stale keys when the issuer restarted — the resolver served old keys and
+    // jose refused to refetch within the cooldown window. On CF Workers the
+    // module-level Map persisted across requests, making it worse. For now we
+    // create a fresh resolver per call (jose deduplicates concurrent fetches).
+    return async (issuer, _method, _kid) => {
+        const url = issuer;
+        // Self-issued credential (iss == this worker's own serving URL): resolve
+        // from the in-memory public key. Never fetch self — Cloudflare forbids a
+        // Worker fetching its own hostname, and the published JWKS is this key.
+        if (selfIssuer !== undefined) {
+            let canonical;
+            try {
+                canonical = canonicalizeServingUrl(url);
+            }
+            catch {
+                canonical = undefined;
+            }
+            if (canonical === selfIssuer) {
+                return createLocalJWKSet({ keys: [derivePublicJwk(config.privateKey)] });
+            }
+        }
+        // M-28 fix: a bare-slug iss (`mails.localhost`) makes
+        // `new URL('mails.localhost/.well-known/jwks.json')` throw "Invalid
+        // URL string". The dispatcher's identity map normalizes the iss it
+        // signs with, but inbound creds from older clients may still carry
+        // the slug form. Coerce to a URL with a default `https://` scheme
+        // (matches kernel.astrale.ai canonical form). If the actual receiver
+        // is on http://localhost the receiver-side resolver still works
+        // because both endpoints are on localhost — but for prod targets
+        // requiring TLS this is the right default.
+        const normalized = /^https?:\/\//.test(url) ? url : `https://${url}`;
+        return createRemoteJWKSet(new URL(`${normalized}/.well-known/jwks.json`));
+    };
+}
+/**
+ * Verify an inbound delegation credential using kernel-core's verification.
+ *
+ * @throws AuthenticationError subclasses from kernel-core on verification failure
+ */
+export async function verifyInboundCredential(credential, config) {
+    // Verify using kernel-core's credential verification pipeline
+    const verified = await verifyCredential({
+        methodResolver,
+        resolveKeys: makeResolveKeys(config),
+    }, credential);
+    // Validate audience matches this function's issuer (its serving URL).
+    // kernel-core's verifyAudience compares canonically.
+    verifyAudience(verified, config.issuer);
+    // Extract attestation and delegation from claims
+    const attestation = verified.claims.attestation;
+    if (!attestation?.expr) {
+        throw new Error('Credential missing attestation');
+    }
+    const delegation = verified.claims.delegation;
+    if (!delegation?.credential) {
+        throw new Error('Credential missing delegation');
+    }
+    return {
+        verified,
+        issuer: verified.iss,
+        attestation,
+        delegation,
+    };
+}
+//# sourceMappingURL=verify.js.map

package/dist/auth/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/auth/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAUH,OAAO,EACL,wBAAwB,EACxB,cAAc,EACd,cAAc,EACd,gBAAgB,GACjB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAY,MAAM,MAAM,CAAA;AAItE,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAChD,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAA;AAa9D,MAAM,cAAc,GAAG,IAAI,wBAAwB,CAAC,IAAI,cAAc,EAAE,CAAC,CAAA;AAEzE;;;;;;GAMG;AACH,SAAS,eAAe,CAAC,MAA4B;IACnD,6EAA6E;IAC7E,8EAA8E;IAC9E,6EAA6E;IAC7E,yEAAyE;IACzE,6EAA6E;IAC7E,0EAA0E;IAC1E,mCAAmC;IACnC,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAExD,uEAAuE;IACvE,oEAAoE;IACpE,2EAA2E;IAC3E,0EAA0E;IAC1E,wEAAwE;IACxE,0EAA0E;IAC1E,2EAA2E;IAC3E,OAAO,KAAK,EAAE,MAAgB,EAAE,OAAe,EAAE,IAAa,EAAE,EAAE;QAChE,MAAM,GAAG,GAAG,MAAgB,CAAA;QAE5B,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,SAA6B,CAAA;YACjC,IAAI,CAAC;gBACH,SAAS,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAA;YACzC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,GAAG,SAAS,CAAA;YACvB,CAAC;YACD,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;gBAC7B,OAAO,iBAAiB,CAAC,EAAE,IAAI,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,UAAU,CAAQ,CAAC,EAAE,CAAC,CAAA;YACjF,CAAC;QACH,CAAC;QAED,sDAAsD;QACtD,oEAAoE;QACpE,mEAAmE;QACnE,mEAAmE;QACnE,kEAAkE;QAClE,qEAAqE;QACrE,gEAAgE;QAChE,iEAAiE;QACjE,2CAA2C;QAC3C,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,GAAG,EAAE,CAAA;QACpE,OAAO,kBAAkB,CAAC,IAAI,GAAG,CAAC,GAAG,UAAU,wBAAwB,CAAC,CAAC,CAAA;IAC3E,CAAC,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,UAA2B,EAC3B,MAA4B;IAE5B,8DAA8D;IAC9D,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CACrC;QACE,cAAc;QACd,WAAW,EAAE,eAAe,CAAC,MAAM,CAAC;KACrC,EACD,UAAU,CACX,CAAA;IAED,sEAAsE;IACtE,qDAAqD;IACrD,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAkB,CAAC,CAAA;IAEnD,iDAAiD;IACjD,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,WAAsC,CAAA;IAC1E,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAoC,CAAA;IACvE,IAAI,CAAC,UAAU,EAAE,UAAU,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAA;IAClD,CAAC;IAED,OAAO;QACL,QAAQ;QACR,MAAM,EAAE,QAAQ,CAAC,GAAa;QAC9B,WAAW;QACX,UAAU;KACX,CAAA;AACH,CAAC"}

package/dist/define/index.d.ts

@@ -0,0 +1,5 @@
+export { defineView } from './view';
+export type { ViewDef, ViewRenderContext } from './view';
+export { defineRemoteFunction } from './remote-function';
+export type { AnyRemoteFunctionDef, RemoteFunctionContext, RemoteFunctionDef, } from './remote-function';
+//# sourceMappingURL=index.d.ts.map

package/dist/define/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/define/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AACnC,YAAY,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAA;AAExD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AACxD,YAAY,EACV,oBAAoB,EACpB,qBAAqB,EACrB,iBAAiB,GAClB,MAAM,mBAAmB,CAAA"}

package/dist/define/index.js

@@ -0,0 +1,3 @@
+export { defineView } from './view';
+export { defineRemoteFunction } from './remote-function';
+//# sourceMappingURL=index.js.map

package/dist/define/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/define/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAGnC,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA"}

package/dist/define/remote-function.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Authoring a standalone remote function — a callable not bound to a class.
+ * (The verb keeps the `defineRemoteFunction` name; the node it materializes is
+ * the canonical kernel `Function` class, the former distribution `RemoteFunction`.)
+ *
+ * Each entry in `defineRemoteDomain({ remoteFunctions: { ... } })` becomes:
+ *   - a graph node at `/${origin}/core/<functionsFolder>/<slug>`, materialized
+ *     as the kernel `Function` class by `buildCorePath` so kernel discovery /
+ *     `View.resolve` can list it. The `core/` anchor appears in the GRAPH path only.
+ *   - a Hono route on the worker at the path implied by `binding`
+ *     (`/<functionsFolder>/<slug>` POST by default — no `core/` in the URL).
+ *
+ * The slug = the map key (single source of truth, no duplication).
+ *
+ * `ref` is auto-derived as `function.<slug>` if omitted — used as
+ * `Function.ref` on the graph node and as the dispatch key.
+ */
+import type { AuthPolicy, FunctionBinding } from '@astrale-os/kernel-api/routed';
+import type { FnMap } from '@astrale-os/kernel-client';
+import type { BoundClientSessionView } from '@astrale-os/kernel-client/session';
+import type { AuthContext } from '@astrale-os/kernel-core';
+import type { Context } from 'hono';
+import type { z } from 'zod';
+import type { CallRemoteFn } from '../dispatch/call-remote';
+export type RemoteFunctionContext<TParams, TDeps = unknown> = {
+    /** Validated params (Zod-checked against `inputSchema`). */
+    params: TParams;
+    /** Hono request context — escape hatch for headers, raw body, etc. */
+    c: Context;
+    /** Resolved auth context. `null` when `auth: 'public'` or absent. */
+    auth: AuthContext | null;
+    /** Typed dependency container injected at server startup. */
+    deps: TDeps;
+    /**
+     * `BoundClientSessionView` to the parent kernel, bound to the composed
+     * credential `union(delegation, self)` — same shape as `RemoteContext.kernel`
+     * for `remoteMethod`. `null` when `auth: 'public'`, or `auth: 'optional'`
+     * with no inbound credential.
+     */
+    kernel: BoundClientSessionView<FnMap> | null;
+    /**
+     * Call another worker's remote method, re-minting the credential for the
+     * target's audience. Same contract as {@link RemoteContext.callRemote}: throws
+     * on a public/unauthenticated request; needs `USE` on
+     * `Identity.mintDelegationCredential` + the target method's grants.
+     */
+    callRemote: CallRemoteFn;
+};
+export type RemoteFunctionDef<TParams = unknown, TResult = unknown, TDeps = unknown> = {
+    /**
+     * Canonical callable identity. Auto-derived as `function.<slug>` (where
+     * `<slug>` is the map key) when omitted. Stored as `Function.ref` on the
+     * graph node and used by the kernel dispatcher to route the call.
+     */
+    ref?: string;
+    /** Zod schema for the call's parameters. */
+    inputSchema: z.ZodType<TParams>;
+    /** Zod schema for the call's result. */
+    outputSchema: z.ZodType<TResult>;
+    /**
+     * Override the binding (URL + route shape). When absent, SDK defaults to
+     * `{ remoteUrl: ${url}/<functionsFolder>/<slug> }`. The HTTP verb (POST
+     * for functions) is applied by the worker route mounter at mount time — it is
+     * NOT stored on the binding, so the materialized `Function.binding` carries
+     * `remoteUrl` only.
+     *
+     * Use this to bind to a custom host or REST-style path. Host + path
+     * placeholders both supported.
+     */
+    binding?: FunctionBinding;
+    /** Authentication policy. Defaults to `'required'`. */
+    auth?: AuthPolicy;
+    /** Optional pre-execute authorization. Throw to deny. */
+    authorize?: (ctx: RemoteFunctionContext<TParams, TDeps>) => void | Promise<void>;
+    /** The function body. May be async. */
+    execute: (ctx: RemoteFunctionContext<TParams, TDeps>) => TResult | Promise<TResult>;
+    /** Optional human-readable description. */
+    description?: string;
+};
+export type AnyRemoteFunctionDef = RemoteFunctionDef<any, any, any>;
+/**
+ * Identity helper for authoring a RemoteFunction. Returns its argument
+ * unchanged — `defineRemoteDomain` consumes the typed shape.
+ */
+export declare function defineRemoteFunction<TParams, TResult, TDeps = unknown>(def: RemoteFunctionDef<TParams, TResult, TDeps>): RemoteFunctionDef<TParams, TResult, TDeps>;
+//# sourceMappingURL=remote-function.d.ts.map

package/dist/define/remote-function.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"remote-function.d.ts","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAChF,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC/E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AACnC,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAE5B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAE3D,MAAM,MAAM,qBAAqB,CAAC,OAAO,EAAE,KAAK,GAAG,OAAO,IAAI;IAC5D,4DAA4D;IAC5D,MAAM,EAAE,OAAO,CAAA;IACf,sEAAsE;IACtE,CAAC,EAAE,OAAO,CAAA;IACV,qEAAqE;IACrE,IAAI,EAAE,WAAW,GAAG,IAAI,CAAA;IACxB,6DAA6D;IAC7D,IAAI,EAAE,KAAK,CAAA;IACX;;;;;OAKG;IACH,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,GAAG,IAAI,CAAA;IAC5C;;;;;OAKG;IACH,UAAU,EAAE,YAAY,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,iBAAiB,CAAC,OAAO,GAAG,OAAO,EAAE,OAAO,GAAG,OAAO,EAAE,KAAK,GAAG,OAAO,IAAI;IACrF;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,4CAA4C;IAC5C,WAAW,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC/B,wCAAwC;IACxC,YAAY,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAChC;;;;;;;;;OASG;IACH,OAAO,CAAC,EAAE,eAAe,CAAA;IACzB,uDAAuD;IACvD,IAAI,CAAC,EAAE,UAAU,CAAA;IACjB,yDAAyD;IACzD,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAChF,uCAAuC;IACvC,OAAO,EAAE,CAAC,GAAG,EAAE,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IACnF,2CAA2C;IAC3C,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB,CAAA;AAGD,MAAM,MAAM,oBAAoB,GAAG,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;AAEnE;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,GAAG,OAAO,EACpE,GAAG,EAAE,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,GAC9C,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAE5C"}

package/dist/define/remote-function.js

@@ -0,0 +1,25 @@
+/**
+ * Authoring a standalone remote function — a callable not bound to a class.
+ * (The verb keeps the `defineRemoteFunction` name; the node it materializes is
+ * the canonical kernel `Function` class, the former distribution `RemoteFunction`.)
+ *
+ * Each entry in `defineRemoteDomain({ remoteFunctions: { ... } })` becomes:
+ *   - a graph node at `/${origin}/core/<functionsFolder>/<slug>`, materialized
+ *     as the kernel `Function` class by `buildCorePath` so kernel discovery /
+ *     `View.resolve` can list it. The `core/` anchor appears in the GRAPH path only.
+ *   - a Hono route on the worker at the path implied by `binding`
+ *     (`/<functionsFolder>/<slug>` POST by default — no `core/` in the URL).
+ *
+ * The slug = the map key (single source of truth, no duplication).
+ *
+ * `ref` is auto-derived as `function.<slug>` if omitted — used as
+ * `Function.ref` on the graph node and as the dispatch key.
+ */
+/**
+ * Identity helper for authoring a RemoteFunction. Returns its argument
+ * unchanged — `defineRemoteDomain` consumes the typed shape.
+ */
+export function defineRemoteFunction(def) {
+    return def;
+}
+//# sourceMappingURL=remote-function.js.map

package/dist/define/remote-function.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"remote-function.js","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAuEH;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAA+C;IAE/C,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/define/view.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Authoring a `View` — iframe-mountable callable served by the domain worker.
+ *
+ * Each entry in `defineRemoteDomain({ views: { ... } })` becomes both:
+ *   - a graph node at `/${origin}/core/<viewsFolder>/<slug>` (auto-materialized
+ *     by the SDK; the `core/` segment is the universal anchor injected by
+ *     `buildCorePath`. `<slug>` is the map key, so it lives in exactly one place)
+ *   - a Hono route on the worker at the path implied by `binding`
+ *     (`/<viewsFolder>/<slug>` by default — note: no `core/` in the URL).
+ *
+ * The `core/` segment appears in the GRAPH path only; the URL path that
+ * lands in `Function.binding.remoteUrl` is `${url}/<viewsFolder>/<slug>`.
+ *
+ * The author can override the URL via `binding` — host and/or path
+ * placeholders are supported (the kernel's `route` mechanism does the
+ * substitution + Hono matching, same as for methods). When `render` is
+ * omitted, no worker route is mounted — useful for Views whose iframe
+ * lives at an external host.
+ */
+import type { AuthPolicy, FunctionBinding } from '@astrale-os/kernel-api/routed';
+import type { AuthContext } from '@astrale-os/kernel-core';
+import type { EdgeEndpoint } from '@astrale-os/kernel-dsl';
+import type { Context } from 'hono';
+export type ViewRenderContext<TDeps = unknown> = {
+    /** Hono request context — read params, headers, query, etc. */
+    c: Context;
+    /**
+     * Placeholders extracted from the request URL (host + path placeholders
+     * declared in `binding.remoteUrl` / `binding.route.path`). Empty when
+     * the binding has no placeholders.
+     */
+    params: Record<string, string>;
+    /** Resolved auth context. `null` when `auth: 'public'` or absent. */
+    auth: AuthContext | null;
+    /** Typed dependency container injected at server startup. */
+    deps: TDeps;
+};
+export type ViewDef<TDeps = unknown> = {
+    /**
+     * Override the binding (URL + route shape). When absent, SDK defaults to
+     * `{ remoteUrl: ${url}/<viewsFolder>/<slug> }`. The HTTP verb (GET for
+     * views) is applied by the worker route mounter at mount time — it is NOT
+     * stored on the binding.
+     *
+     * Use this to bind to a custom host (e.g. `https://{tenant}.example.com`)
+     * or REST-style path. Host + path placeholders both supported.
+     */
+    binding?: FunctionBinding;
+    /**
+     * Worker-relative path the View's iframe is served from (e.g. `'/ui/note'`),
+     * for Views backed by the client SPA instead of a `render`. The spec producer
+     * resolves it against the serving url (`binding.remoteUrl = ${url}${mount}`)
+     * at materialize time — so the dev never hardcodes a URL. Mutually exclusive
+     * with `render`; takes precedence over `binding`.
+     */
+    mount?: string;
+    /** Authentication policy. Defaults to `'required'`. */
+    auth?: AuthPolicy;
+    /**
+     * Optional pre-render authorization. Runs after auth resolution; throw to
+     * deny. SDK wraps as 403.
+     */
+    authorize?: (ctx: ViewRenderContext<TDeps>) => void | Promise<void>;
+    /**
+     * Render the iframe response. May return a redirect, a proxy, or inline
+     * HTML. When omitted, no worker route is mounted — the binding URL
+     * points elsewhere (CDN, external service).
+     */
+    render?: (ctx: ViewRenderContext<TDeps>) => Response | Promise<Response>;
+    /**
+     * Optional target(s) the View attaches to via `view_for` edge(s). Typically
+     * `selfOf(SomeClass)` to bind to a class meta-node, or a `CorePath`
+     * pointing at a specific instance. Pass an array to attach the same View
+     * to multiple targets (one `view_for` edge is materialized per entry).
+     */
+    viewFor?: EdgeEndpoint | EdgeEndpoint[];
+    /** Optional human-readable description. */
+    description?: string;
+};
+/**
+ * Identity helper for authoring a View. Returns its argument unchanged —
+ * `defineRemoteDomain` consumes the typed shape and the author retains
+ * full type inference on `render` / `authorize`.
+ */
+export declare function defineView<TDeps = unknown>(def: ViewDef<TDeps>): ViewDef<TDeps>;
+//# sourceMappingURL=view.d.ts.map

package/dist/define/view.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"view.d.ts","sourceRoot":"","sources":["../../src/define/view.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAChF,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAA;AAC1D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAEnC,MAAM,MAAM,iBAAiB,CAAC,KAAK,GAAG,OAAO,IAAI;IAC/C,+DAA+D;IAC/D,CAAC,EAAE,OAAO,CAAA;IACV;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC9B,qEAAqE;IACrE,IAAI,EAAE,WAAW,GAAG,IAAI,CAAA;IACxB,6DAA6D;IAC7D,IAAI,EAAE,KAAK,CAAA;CACZ,CAAA;AAED,MAAM,MAAM,OAAO,CAAC,KAAK,GAAG,OAAO,IAAI;IACrC;;;;;;;;OAQG;IACH,OAAO,CAAC,EAAE,eAAe,CAAA;IACzB;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,uDAAuD;IACvD,IAAI,CAAC,EAAE,UAAU,CAAA;IACjB;;;OAGG;IACH,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,CAAC,KAAK,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACnE;;;;OAIG;IACH,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,CAAC,KAAK,CAAC,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IACxE;;;;;OAKG;IACH,OAAO,CAAC,EAAE,YAAY,GAAG,YAAY,EAAE,CAAA;IACvC,2CAA2C;IAC3C,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB,CAAA;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,KAAK,GAAG,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAE/E"}

package/dist/define/view.js

@@ -0,0 +1,28 @@
+/**
+ * Authoring a `View` — iframe-mountable callable served by the domain worker.
+ *
+ * Each entry in `defineRemoteDomain({ views: { ... } })` becomes both:
+ *   - a graph node at `/${origin}/core/<viewsFolder>/<slug>` (auto-materialized
+ *     by the SDK; the `core/` segment is the universal anchor injected by
+ *     `buildCorePath`. `<slug>` is the map key, so it lives in exactly one place)
+ *   - a Hono route on the worker at the path implied by `binding`
+ *     (`/<viewsFolder>/<slug>` by default — note: no `core/` in the URL).
+ *
+ * The `core/` segment appears in the GRAPH path only; the URL path that
+ * lands in `Function.binding.remoteUrl` is `${url}/<viewsFolder>/<slug>`.
+ *
+ * The author can override the URL via `binding` — host and/or path
+ * placeholders are supported (the kernel's `route` mechanism does the
+ * substitution + Hono matching, same as for methods). When `render` is
+ * omitted, no worker route is mounted — useful for Views whose iframe
+ * lives at an external host.
+ */
+/**
+ * Identity helper for authoring a View. Returns its argument unchanged —
+ * `defineRemoteDomain` consumes the typed shape and the author retains
+ * full type inference on `render` / `authorize`.
+ */
+export function defineView(def) {
+    return def;
+}
+//# sourceMappingURL=view.js.map

package/dist/define/view.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"view.js","sourceRoot":"","sources":["../../src/define/view.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAiEH;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAkB,GAAmB;IAC7D,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/deploy/check.d.ts

@@ -0,0 +1,30 @@
+import type { Meta } from './meta';
+export type DeployCheckOptions = {
+    /** Deployed worker URL (e.g. `https://dist.astrale.ai`). */
+    url: string;
+    /**
+     * Expected `meta.schemaHash` — the hash of the locally-built `spec.json`
+     * (via `hashSpecFile`). REQUIRED to verify schema drift: when the worker
+     * advertises a `schemaHash` but this is absent, the check fails loudly rather
+     * than silently "passing" an unverified deploy. Per-domain deploy scripts
+     * compute it (`hashSpecFile('./spec.json')`) and pass it.
+     */
+    expectedSchemaHash?: string;
+    /**
+     * Path to the SDK repo used to read `sdkCommit`. If omitted and
+     * `workspaceRoot` is provided, defaults to `<workspaceRoot>/sdk`.
+     */
+    sdkRepoPath?: string;
+    /** Astrale workspace root — enables auto-resolution of `sdkRepoPath` (`<root>/sdk`). */
+    workspaceRoot?: string;
+    /** Sink for progress output. Defaults to `console.log`. */
+    log?: (line: string) => void;
+};
+/**
+ * Validate a deployed worker against local state by fetching `/meta` and
+ * verifying sdkCommit / schemaHash / JWKS reachability.
+ *
+ * Throws on any mismatch. Returns `Meta` on success.
+ */
+export declare function deployCheck(opts: DeployCheckOptions): Promise<Meta>;
+//# sourceMappingURL=check.d.ts.map

package/dist/deploy/check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/deploy/check.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAA;AAIlC,MAAM,MAAM,kBAAkB,GAAG;IAC/B,4DAA4D;IAC5D,GAAG,EAAE,MAAM,CAAA;IACX;;;;;;OAMG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,2DAA2D;IAC3D,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAA;CAC7B,CAAA;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAkBzE"}

package/dist/deploy/check.js

@@ -0,0 +1,82 @@
+import { spawnSync } from 'node:child_process';
+import { join } from 'node:path';
+import { MetaSchema } from './meta';
+/**
+ * Validate a deployed worker against local state by fetching `/meta` and
+ * verifying sdkCommit / schemaHash / JWKS reachability.
+ *
+ * Throws on any mismatch. Returns `Meta` on success.
+ */
+export async function deployCheck(opts) {
+    // oxlint-disable-next-line no-console
+    const log = opts.log ?? ((line) => console.log(line));
+    const base = opts.url.replace(/\/+$/, '');
+    log(`# deploy:check ${base}`);
+    const meta = await fetchMeta(base);
+    log(`  meta: ${JSON.stringify(meta)}`);
+    // `meta.iss` is required + non-empty by `MetaSchema`, enforced in `fetchMeta`.
+    await Promise.all([
+        checkSdkCommit(meta, opts, log),
+        checkSchemaHash(meta, opts, log),
+        checkJwks(meta.iss, log),
+    ]);
+    return meta;
+}
+async function fetchMeta(base) {
+    const res = await fetch(`${base}/meta`);
+    if (!res.ok)
+        throw new Error(`GET ${base}/meta → ${res.status}`);
+    return MetaSchema.parse(await res.json());
+}
+async function checkSdkCommit(meta, opts, log) {
+    if (!meta.sdkCommit) {
+        log('  ! meta.sdkCommit absent — skipping sdkCommit check');
+        return;
+    }
+    const sdkRepo = opts.sdkRepoPath ?? (opts.workspaceRoot ? join(opts.workspaceRoot, 'sdk') : undefined);
+    if (!sdkRepo) {
+        log(`  ! no sdkRepoPath / workspaceRoot — skipping sdkCommit check`);
+        return;
+    }
+    const localSha = gitHead(sdkRepo);
+    if (!localSha) {
+        log(`  ! could not read git HEAD from ${sdkRepo} — skipping sdkCommit check`);
+        return;
+    }
+    if (!localSha.startsWith(meta.sdkCommit) && !meta.sdkCommit.startsWith(localSha)) {
+        throw new Error(`sdkCommit mismatch: deployed=${meta.sdkCommit} local=${localSha} (${sdkRepo})`);
+    }
+    log(`  ✓ sdkCommit ${meta.sdkCommit} matches local HEAD`);
+}
+async function checkSchemaHash(meta, opts, log) {
+    if (!meta.schemaHash)
+        return;
+    // Fail loud: the worker advertises a schemaHash, so a missing expected value
+    // means we CANNOT verify drift — never silently "pass" an unverified deploy.
+    if (!opts.expectedSchemaHash) {
+        throw new Error(`worker advertises schemaHash=${meta.schemaHash} but no expectedSchemaHash was provided — ` +
+            `cannot verify schema drift (pass expectedSchemaHash, e.g. hashSpecFile('./spec.json'))`);
+    }
+    if (meta.schemaHash !== opts.expectedSchemaHash) {
+        throw new Error(`schemaHash mismatch: deployed=${meta.schemaHash} local=${opts.expectedSchemaHash}`);
+    }
+    log(`  ✓ schemaHash ${meta.schemaHash} matches local`);
+}
+async function checkJwks(iss, log) {
+    const jwksUrl = `${iss.replace(/\/+$/, '')}/.well-known/jwks.json`;
+    const res = await fetch(jwksUrl);
+    if (!res.ok)
+        throw new Error(`GET ${jwksUrl} → ${res.status}`);
+    const body = (await res.json());
+    const keys = body.keys ?? [];
+    if (keys.length === 0)
+        throw new Error(`${jwksUrl} returned no keys`);
+    log(`  ✓ JWKS resolves (${keys.length} key${keys.length === 1 ? '' : 's'})`);
+}
+function gitHead(repoPath) {
+    const r = spawnSync('git', ['-C', repoPath, 'rev-parse', 'HEAD'], { encoding: 'utf-8' });
+    if (r.status !== 0)
+        return null;
+    return r.stdout.trim();
+}
+//# sourceMappingURL=check.js.map

package/dist/deploy/check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check.js","sourceRoot":"","sources":["../../src/deploy/check.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAIhC,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAwBnC;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAwB;IACxD,sCAAsC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;IAC7D,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IAEzC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAA;IAE7B,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAA;IAClC,GAAG,CAAC,WAAW,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IACtC,+EAA+E;IAE/E,MAAM,OAAO,CAAC,GAAG,CAAC;QAChB,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC;QAC/B,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;KACzB,CAAC,CAAA;IAEF,OAAO,IAAI,CAAA;AACb,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,IAAY;IACnC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,OAAO,CAAC,CAAA;IACvC,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,OAAO,IAAI,WAAW,GAAG,CAAC,MAAM,EAAE,CAAC,CAAA;IAChE,OAAO,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAA;AAC3C,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,IAAU,EACV,IAAwB,EACxB,GAA2B;IAE3B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;QACpB,GAAG,CAAC,sDAAsD,CAAC,CAAA;QAC3D,OAAM;IACR,CAAC;IACD,MAAM,OAAO,GACX,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;IACxF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,GAAG,CAAC,+DAA+D,CAAC,CAAA;QACpE,OAAM;IACR,CAAC;IACD,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IACjC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,GAAG,CAAC,oCAAoC,OAAO,6BAA6B,CAAC,CAAA;QAC7E,OAAM;IACR,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjF,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,CAAC,SAAS,UAAU,QAAQ,KAAK,OAAO,GAAG,CAAC,CAAA;IAClG,CAAC;IACD,GAAG,CAAC,iBAAiB,IAAI,CAAC,SAAS,qBAAqB,CAAC,CAAA;AAC3D,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,IAAU,EACV,IAAwB,EACxB,GAA2B;IAE3B,IAAI,CAAC,IAAI,CAAC,UAAU;QAAE,OAAM;IAC5B,6EAA6E;IAC7E,6EAA6E;IAC7E,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,gCAAgC,IAAI,CAAC,UAAU,4CAA4C;YACzF,wFAAwF,CAC3F,CAAA;IACH,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACb,iCAAiC,IAAI,CAAC,UAAU,UAAU,IAAI,CAAC,kBAAkB,EAAE,CACpF,CAAA;IACH,CAAC;IACD,GAAG,CAAC,kBAAkB,IAAI,CAAC,UAAU,gBAAgB,CAAC,CAAA;AACxD,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,GAA2B;IAC/D,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,wBAAwB,CAAA;IAClE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAA;IAChC,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,OAAO,OAAO,MAAM,GAAG,CAAC,MAAM,EAAE,CAAC,CAAA;IAC9D,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuC,CAAA;IACrE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,EAAE,CAAA;IAC5B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,mBAAmB,CAAC,CAAA;IACrE,GAAG,CAAC,sBAAsB,IAAI,CAAC,MAAM,OAAO,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAA;AAC9E,CAAC;AAED,SAAS,OAAO,CAAC,QAAgB;IAC/B,MAAM,CAAC,GAAG,SAAS,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAA;IACxF,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAC/B,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAA;AACxB,CAAC"}

package/dist/deploy/hash-spec.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Hash a `spec.json` file deterministically. Only the schema payload
+ * (`nodes` + `edges`) is hashed — the `meta` block carries `builtAt`
+ * timestamps that would poison drift detection.
+ *
+ * Returns `sha256:<hex>`.
+ */
+export declare function hashSpecFile(path: string): string;
+//# sourceMappingURL=hash-spec.d.ts.map

package/dist/deploy/hash-spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash-spec.d.ts","sourceRoot":"","sources":["../../src/deploy/hash-spec.ts"],"names":[],"mappings":"AAKA;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAKjD"}

package/dist/deploy/hash-spec.js

@@ -0,0 +1,29 @@
+import { createHash } from 'node:crypto';
+import { readFileSync } from 'node:fs';
+const HASH_ALGORITHM = 'sha256';
+/**
+ * Hash a `spec.json` file deterministically. Only the schema payload
+ * (`nodes` + `edges`) is hashed — the `meta` block carries `builtAt`
+ * timestamps that would poison drift detection.
+ *
+ * Returns `sha256:<hex>`.
+ */
+export function hashSpecFile(path) {
+    const raw = readFileSync(path, 'utf-8');
+    const parsed = JSON.parse(raw);
+    const canonical = canonicalJson({ nodes: parsed.nodes ?? [], edges: parsed.edges ?? [] });
+    return `${HASH_ALGORITHM}:${createHash(HASH_ALGORITHM).update(canonical).digest('hex')}`;
+}
+function canonicalJson(value) {
+    if (value === null || typeof value !== 'object')
+        return JSON.stringify(value);
+    if (Array.isArray(value))
+        return '[' + value.map(canonicalJson).join(',') + ']';
+    const keys = Object.keys(value).sort();
+    return ('{' +
+        keys
+            .map((k) => JSON.stringify(k) + ':' + canonicalJson(value[k]))
+            .join(',') +
+        '}');
+}
+//# sourceMappingURL=hash-spec.js.map

package/dist/deploy/hash-spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash-spec.js","sourceRoot":"","sources":["../../src/deploy/hash-spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAEtC,MAAM,cAAc,GAAG,QAAQ,CAAA;AAE/B;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;IACvC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAyC,CAAA;IACtE,MAAM,SAAS,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC,CAAA;IACzF,OAAO,GAAG,cAAc,IAAI,UAAU,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAA;AAC1F,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;IAC7E,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;IAC/E,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAgC,CAAC,CAAC,IAAI,EAAE,CAAA;IACjE,OAAO,CACL,GAAG;QACH,IAAI;aACD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,aAAa,CAAE,KAAiC,CAAC,CAAC,CAAC,CAAC,CAAC;aAC1F,IAAI,CAAC,GAAG,CAAC;QACZ,GAAG,CACJ,CAAA;AACH,CAAC"}

package/dist/deploy/index.d.ts

@@ -0,0 +1,4 @@
+export { MetaSchema, type Meta } from './meta';
+export { hashSpecFile } from './hash-spec';
+export { deployCheck, type DeployCheckOptions } from './check';
+//# sourceMappingURL=index.d.ts.map

package/dist/deploy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/deploy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,MAAM,QAAQ,CAAA;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,WAAW,EAAE,KAAK,kBAAkB,EAAE,MAAM,SAAS,CAAA"}

package/dist/deploy/index.js

@@ -0,0 +1,4 @@
+export { MetaSchema } from './meta';
+export { hashSpecFile } from './hash-spec';
+export { deployCheck } from './check';
+//# sourceMappingURL=index.js.map

package/dist/deploy/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/deploy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAa,MAAM,QAAQ,CAAA;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,WAAW,EAA2B,MAAM,SAAS,CAAA"}

package/dist/deploy/meta.d.ts

@@ -0,0 +1,18 @@
+/**
+ * `/meta` payload — the contract between `createRemoteServer` (producer)
+ * and `deployCheck` (verifier). Both sides parse through `MetaSchema`, so
+ * a new field added here flows to both paths and drift is caught at the
+ * boundary rather than silently skipped.
+ *
+ * Scope: **domain workers only**. Kernels rely on OIDC discovery
+ * (`/.well-known/openid-configuration`) + JWKS — they have no `/meta`.
+ */
+import { z } from 'zod';
+export declare const MetaSchema: z.ZodObject<{
+    iss: z.ZodString;
+    sdkCommit: z.ZodOptional<z.ZodString>;
+    schemaHash: z.ZodOptional<z.ZodString>;
+    domainName: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type Meta = z.infer<typeof MetaSchema>;
+//# sourceMappingURL=meta.d.ts.map

package/dist/deploy/meta.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"meta.d.ts","sourceRoot":"","sources":["../../src/deploy/meta.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,UAAU;;;;;iBAUrB,CAAA;AAEF,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA"}

package/dist/deploy/meta.js

@@ -0,0 +1,22 @@
+/**
+ * `/meta` payload — the contract between `createRemoteServer` (producer)
+ * and `deployCheck` (verifier). Both sides parse through `MetaSchema`, so
+ * a new field added here flows to both paths and drift is caught at the
+ * boundary rather than silently skipped.
+ *
+ * Scope: **domain workers only**. Kernels rely on OIDC discovery
+ * (`/.well-known/openid-configuration`) + JWKS — they have no `/meta`.
+ */
+import { z } from 'zod';
+export const MetaSchema = z.object({
+    /** Base URL where JWKS is published. Always stamped by `createRemoteServer`
+     *  and required by `deployCheck` to verify JWKS reachability. */
+    iss: z.string().min(1),
+    /** Short git SHA of the SDK used to build the worker. */
+    sdkCommit: z.string().optional(),
+    /** Deterministic hash of the compiled spec (`sha256:<hex>`). */
+    schemaHash: z.string().optional(),
+    /** Local directory name under `kernel/domains/<...>/` — used to auto-resolve the local spec. */
+    domainName: z.string().optional(),
+});
+//# sourceMappingURL=meta.js.map

package/dist/deploy/meta.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"meta.js","sourceRoot":"","sources":["../../src/deploy/meta.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC;qEACiE;IACjE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,yDAAyD;IACzD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,gEAAgE;IAChE,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,gGAAgG;IAChG,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAClC,CAAC,CAAA"}

package/dist/dispatch/authorize.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Shared `authorize`-hook runner.
+ *
+ * Both the method dispatcher (`dispatcher.ts`) and the worker-side aux routes
+ * (`server/auxiliary-routes.ts`) let an author deny a call by throwing from an
+ * `authorize` hook. They MUST agree on the wire semantics: an already-typed
+ * `AuthorizationDeniedError` passes through unchanged (so callers can attach
+ * hints), and any other thrown error is wrapped into `AuthorizationDeniedError`
+ * (→ `PERMISSION_DENIED` / HTTP 403). Centralised here so the two call sites
+ * cannot drift — previously the aux routes awaited `authorize` directly, so a
+ * plain `Error` thrown to deny leaked out as a 500 instead of a 403.
+ */
+export declare function runAuthorize<C>(hook: (ctx: C) => void | Promise<void>, ctx: C): Promise<void>;
+//# sourceMappingURL=authorize.d.ts.map

package/dist/dispatch/authorize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/dispatch/authorize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,wBAAsB,YAAY,CAAC,CAAC,EAClC,IAAI,EAAE,CAAC,GAAG,EAAE,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,EACtC,GAAG,EAAE,CAAC,GACL,OAAO,CAAC,IAAI,CAAC,CAUf"}