@astrale-os/sdk 0.1.1 → 0.1.2

package/dist/dispatch/authorize.js

@@ -0,0 +1,24 @@
+/**
+ * Shared `authorize`-hook runner.
+ *
+ * Both the method dispatcher (`dispatcher.ts`) and the worker-side aux routes
+ * (`server/auxiliary-routes.ts`) let an author deny a call by throwing from an
+ * `authorize` hook. They MUST agree on the wire semantics: an already-typed
+ * `AuthorizationDeniedError` passes through unchanged (so callers can attach
+ * hints), and any other thrown error is wrapped into `AuthorizationDeniedError`
+ * (→ `PERMISSION_DENIED` / HTTP 403). Centralised here so the two call sites
+ * cannot drift — previously the aux routes awaited `authorize` directly, so a
+ * plain `Error` thrown to deny leaked out as a 500 instead of a 403.
+ */
+import { AuthorizationDeniedError } from './errors';
+export async function runAuthorize(hook, ctx) {
+    try {
+        await hook(ctx);
+    }
+    catch (err) {
+        if (err instanceof AuthorizationDeniedError)
+            throw err;
+        throw new AuthorizationDeniedError(err instanceof Error ? err.message : 'Authorization denied', err);
+    }
+}
+//# sourceMappingURL=authorize.js.map

package/dist/dispatch/authorize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/dispatch/authorize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAA;AAEnD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAsC,EACtC,GAAM;IAEN,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,GAAG,CAAC,CAAA;IACjB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,wBAAwB;YAAE,MAAM,GAAG,CAAA;QACtD,MAAM,IAAI,wBAAwB,CAChC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,sBAAsB,EAC3D,GAAG,CACJ,CAAA;IACH,CAAC;AACH,CAAC"}

package/dist/dispatch/call-remote.d.ts

@@ -0,0 +1,35 @@
+/**
+ * `ctx.callRemote` — call ANOTHER worker's remote method from a handler.
+ *
+ * A worker's `kernel.call('/dom/class.X/method', …)` signs `aud = <kernel>`,
+ * which is correct for a **kernel syscall** (it runs in the kernel) but is
+ * rejected by a **remote method** (a Function with `binding.remoteUrl`, i.e.
+ * another worker) — the target worker verifies `aud` against its own identity
+ * and throws `Credential audience mismatch` at authentication.
+ *
+ * `callRemote` is now a thin wrapper over the bound kernel session: the kernel
+ * resolves a remote-bound path to a redirect carrying the worker's URL and its
+ * `iss`, and the session (configured in `bindKernel`) follows it reactively —
+ * minting a kernel-signed delegation envelope scoped to that `iss` via the
+ * caller's own `@<subject>::mintDelegationCredential`, then dialing the worker.
+ * Instance-method `self` is injected by the kernel resolver into the redirect,
+ * so a bare `kernel.call(path, params)` is all that's needed here.
+ *
+ * Prerequisite (authorization, unchanged): the calling Function's identity must
+ * hold `USE` on `Identity.mintDelegationCredential` AND the target method's own
+ * grants — the session only fixes the audience (authentication), not grants.
+ */
+import type { ClientSessionCallOptions } from '@astrale-os/kernel-client/session';
+/** Minimal kernel-call surface callRemote needs (the bound view satisfies it). */
+type KernelCaller = {
+    call: (method: string, params: unknown, opts?: ClientSessionCallOptions) => Promise<unknown>;
+};
+export type CallRemoteFn = (path: string, params?: Record<string, unknown>) => Promise<unknown>;
+/**
+ * Build the `callRemote` helper for one handler invocation. `kernel` is the
+ * handler's bound kernel view (or `null` for a public/unauthenticated request,
+ * where `callRemote` cannot mint and throws on use).
+ */
+export declare function makeCallRemote(kernel: KernelCaller | null): CallRemoteFn;
+export {};
+//# sourceMappingURL=call-remote.d.ts.map

package/dist/dispatch/call-remote.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"call-remote.d.ts","sourceRoot":"","sources":["../../src/dispatch/call-remote.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,mCAAmC,CAAA;AAEjF,kFAAkF;AAClF,KAAK,YAAY,GAAG;IAClB,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,wBAAwB,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;CAC7F,CAAA;AAED,MAAM,MAAM,YAAY,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;AAE/F;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,GAAG,YAAY,CAWxE"}

package/dist/dispatch/call-remote.js

@@ -0,0 +1,37 @@
+/**
+ * `ctx.callRemote` — call ANOTHER worker's remote method from a handler.
+ *
+ * A worker's `kernel.call('/dom/class.X/method', …)` signs `aud = <kernel>`,
+ * which is correct for a **kernel syscall** (it runs in the kernel) but is
+ * rejected by a **remote method** (a Function with `binding.remoteUrl`, i.e.
+ * another worker) — the target worker verifies `aud` against its own identity
+ * and throws `Credential audience mismatch` at authentication.
+ *
+ * `callRemote` is now a thin wrapper over the bound kernel session: the kernel
+ * resolves a remote-bound path to a redirect carrying the worker's URL and its
+ * `iss`, and the session (configured in `bindKernel`) follows it reactively —
+ * minting a kernel-signed delegation envelope scoped to that `iss` via the
+ * caller's own `@<subject>::mintDelegationCredential`, then dialing the worker.
+ * Instance-method `self` is injected by the kernel resolver into the redirect,
+ * so a bare `kernel.call(path, params)` is all that's needed here.
+ *
+ * Prerequisite (authorization, unchanged): the calling Function's identity must
+ * hold `USE` on `Identity.mintDelegationCredential` AND the target method's own
+ * grants — the session only fixes the audience (authentication), not grants.
+ */
+/**
+ * Build the `callRemote` helper for one handler invocation. `kernel` is the
+ * handler's bound kernel view (or `null` for a public/unauthenticated request,
+ * where `callRemote` cannot mint and throws on use).
+ */
+export function makeCallRemote(kernel) {
+    return async (path, params = {}) => {
+        if (!kernel) {
+            throw new Error('callRemote requires an authenticated request — no kernel credential (public method?)');
+        }
+        // The bound session auto-follows the kernel's redirect and mints for the
+        // worker's `iss`; a remote-bound path therefore just works as a kernel.call.
+        return kernel.call(path, params);
+    };
+}
+//# sourceMappingURL=call-remote.js.map

package/dist/dispatch/call-remote.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"call-remote.js","sourceRoot":"","sources":["../../src/dispatch/call-remote.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAWH;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,MAA2B;IACxD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,GAAG,EAAE,EAAE,EAAE;QACjC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAA;QACH,CAAC;QACD,yEAAyE;QACzE,6EAA6E;QAC7E,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;IAClC,CAAC,CAAA;AACH,CAAC"}

package/dist/dispatch/dispatcher.d.ts

@@ -0,0 +1,60 @@
+/**
+ * `SdkDispatcher` — implements `KernelAPI` by running the SDK's pipeline.
+ *
+ * Built once at server startup from the domain's `CompiledDomain` plus a typed
+ * deps container and a private JWK. Per-method identity configs are
+ * pre-resolved into a Map so dispatch is O(1) per call.
+ *
+ * Pipeline per call:
+ *   resolve method → authenticate → validate → resolve self → execute
+ */
+import type { AuthedKernelAPI, DispatchResult, KernelAPI } from '@astrale-os/kernel-api';
+import type { CredentialInput, Path } from '@astrale-os/kernel-core';
+import type { CompiledDomain } from '@astrale-os/kernel-core/domain';
+import type { MethodIndex } from './resolve';
+export type SdkDispatcherConfig<TDeps> = {
+    /** The compiled domain — source of the method layout and origin-addressed subs. */
+    compiled: CompiledDomain;
+    /** Pre-built method map: ref → BoundMethod. */
+    methods: MethodIndex;
+    /** Dependency container injected into every handler. */
+    deps: TDeps;
+    /** Private key for signing outbound per-function credentials. */
+    privateKey: JsonWebKey;
+    /**
+     * The worker's identity (`iss`) for outbound per-function credentials — its
+     * serving URL (e.g. `https://crm.test.com`), DECOUPLED from the domain's
+     * addressing `origin`. Matches the `iss` the kernel pins on each node at
+     * install (the URL it fetched the domain at).
+     */
+    issuer: string;
+    /** The worker's serving URL (`config.url`) — exposed to handlers as `ctx.url`. */
+    url: string;
+};
+export declare class SdkDispatcher<TDeps = unknown> implements KernelAPI {
+    private readonly methods;
+    private readonly deps;
+    private readonly identities;
+    private readonly issuer;
+    private readonly url;
+    private readonly privateKey;
+    constructor(config: SdkDispatcherConfig<TDeps>);
+    call(path: Path | string, credential: CredentialInput, params: unknown, opts?: {
+        self?: string;
+    }): Promise<unknown>;
+    stream(path: Path | string, credential: CredentialInput, params: unknown, opts?: {
+        self?: string;
+    }): Promise<AsyncGenerator<unknown>>;
+    /**
+     * SDK dispatch never redirects — the SDK server IS the remote destination.
+     * Every call resolves locally; we just classify the return as value or stream
+     * and hand it back to the kernel-api orchestrator.
+     */
+    dispatch(path: Path | string, credential: CredentialInput, params: unknown, opts?: {
+        self?: string;
+    }): Promise<DispatchResult>;
+    as(credential: CredentialInput): AuthedKernelAPI;
+    private run;
+    private identityFor;
+}
+//# sourceMappingURL=dispatcher.d.ts.map

package/dist/dispatch/dispatcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dispatcher.d.ts","sourceRoot":"","sources":["../../src/dispatch/dispatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAA;AAExF,OAAO,KAAK,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,yBAAyB,CAAA;AACpE,OAAO,KAAK,EAAe,cAAc,EAAE,MAAM,gCAAgC,CAAA;AAIjF,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAY5C,MAAM,MAAM,mBAAmB,CAAC,KAAK,IAAI;IACvC,mFAAmF;IACnF,QAAQ,EAAE,cAAc,CAAA;IACxB,+CAA+C;IAC/C,OAAO,EAAE,WAAW,CAAA;IACpB,wDAAwD;IACxD,IAAI,EAAE,KAAK,CAAA;IACX,iEAAiE;IACjE,UAAU,EAAE,UAAU,CAAA;IACtB;;;;;OAKG;IACH,MAAM,EAAE,MAAM,CAAA;IACd,kFAAkF;IAClF,GAAG,EAAE,MAAM,CAAA;CACZ,CAAA;AAED,qBAAa,aAAa,CAAC,KAAK,GAAG,OAAO,CAAE,YAAW,SAAS;IAC9D,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAa;IACrC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAO;IAC5B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA0D;IACrF,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAQ;IAC/B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAQ;IAC5B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAY;IAEvC,YAAY,MAAM,EAAE,mBAAmB,CAAC,KAAK,CAAC,EAY7C;IAEK,IAAI,CACR,IAAI,EAAE,IAAI,GAAG,MAAM,EACnB,UAAU,EAAE,eAAe,EAC3B,MAAM,EAAE,OAAO,EACf,IAAI,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GACvB,OAAO,CAAC,OAAO,CAAC,CAElB;IAEK,MAAM,CACV,IAAI,EAAE,IAAI,GAAG,MAAM,EACnB,UAAU,EAAE,eAAe,EAC3B,MAAM,EAAE,OAAO,EACf,IAAI,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GACvB,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAMlC;IAED;;;;OAIG;IACG,QAAQ,CACZ,IAAI,EAAE,IAAI,GAAG,MAAM,EACnB,UAAU,EAAE,eAAe,EAC3B,MAAM,EAAE,OAAO,EACf,IAAI,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GACvB,OAAO,CAAC,cAAc,CAAC,CAKzB;IAED,EAAE,CAAC,UAAU,EAAE,eAAe,GAAG,eAAe,CAK/C;YAEa,GAAG;IA0EjB,OAAO,CAAC,WAAW;CAapB"}

package/dist/dispatch/dispatcher.js

@@ -0,0 +1,177 @@
+/**
+ * `SdkDispatcher` — implements `KernelAPI` by running the SDK's pipeline.
+ *
+ * Built once at server startup from the domain's `CompiledDomain` plus a typed
+ * deps container and a private JWK. Per-method identity configs are
+ * pre-resolved into a Map so dispatch is O(1) per call.
+ *
+ * Pipeline per call:
+ *   resolve method → authenticate → validate → resolve self → execute
+ */
+import { resolveInboundAuth } from '../auth/resolve';
+import { runAuthorize } from './authorize';
+import { makeCallRemote } from './call-remote';
+import { MethodNotFoundError, SdkResultValidationError, SdkValidationError } from './errors';
+import { executeHandler } from './execute';
+import { buildIdentityMap } from './identity';
+import { resolveMethod } from './resolve';
+import { resolveSelf } from './self';
+import { validateParams, validateResult } from './validate';
+export class SdkDispatcher {
+    methods;
+    deps;
+    identities;
+    issuer;
+    url;
+    privateKey;
+    constructor(config) {
+        this.methods = config.methods;
+        this.deps = config.deps;
+        this.issuer = config.issuer;
+        this.url = config.url;
+        this.privateKey = config.privateKey;
+        const methodList = Array.from(new Set(config.methods.values()));
+        const identityMethods = methodList.filter((bound) => methodAuthPolicy(bound) !== 'public');
+        this.identities =
+            identityMethods.length > 0
+                ? buildIdentityMap(config.compiled, identityMethods, config.privateKey, config.issuer)
+                : new Map();
+    }
+    async call(path, credential, params, opts) {
+        return this.run(path, credential, params, opts?.self);
+    }
+    async stream(path, credential, params, opts) {
+        const result = await this.run(path, credential, params, opts?.self);
+        if (!isAsyncGenerator(result)) {
+            throw new Error(`Method "${pathToString(path)}" did not return an async generator`);
+        }
+        return result;
+    }
+    /**
+     * SDK dispatch never redirects — the SDK server IS the remote destination.
+     * Every call resolves locally; we just classify the return as value or stream
+     * and hand it back to the kernel-api orchestrator.
+     */
+    async dispatch(path, credential, params, opts) {
+        const result = await this.run(path, credential, params, opts?.self);
+        return isAsyncGenerator(result)
+            ? { kind: 'stream', generator: result }
+            : { kind: 'value', value: result };
+    }
+    as(credential) {
+        return {
+            call: (path, params) => this.call(path, credential, params),
+            stream: (path, params) => this.stream(path, credential, params),
+        };
+    }
+    async run(path, credential, params, selfRef) {
+        const bound = resolveMethod(this.methods, path);
+        if (!bound)
+            throw new MethodNotFoundError(pathToString(path));
+        const authPolicy = bound.handler.auth ?? 'required';
+        const fnIdentity = this.identityFor(bound);
+        const { auth, kernel } = await resolveInboundAuth(credential, authPolicy, fnIdentity);
+        if (typeof params !== 'object' || params === null || Array.isArray(params)) {
+            throw new SdkValidationError([{ path: [], message: 'Params must be a plain object' }]);
+        }
+        const validation = validateParams(bound.inputSchema, params);
+        if (!validation.ok) {
+            throw new SdkValidationError(validation.issues);
+        }
+        // `undefined` (not `null`) for static methods — matches the `self` type on
+        // `RemoteContext` / `MethodImpl`, which is `undefined` for static methods.
+        let resolvedSelf;
+        if (!bound.isStatic) {
+            if (selfRef === undefined || selfRef === null || selfRef === '') {
+                throw new SdkValidationError([{ path: ['self'], message: 'Required for non-static method' }], `"${bound.owner}.${bound.method}" is an instance method — it needs a target node. ` +
+                    `Either call it via instance dispatch (e.g. "@<nodeId>::${bound.method}" ` +
+                    `or "/path/to/node::${bound.method}"), or pass "self" in dispatch opts ` +
+                    `(e.g. { self: "@<nodeId>" }).`);
+            }
+            try {
+                resolvedSelf = resolveSelf(String(selfRef));
+            }
+            catch (err) {
+                // A malformed caller-supplied `self` is bad client input, not a server
+                // fault — surface it as VALIDATION_ERROR (422), matching the sibling
+                // missing-self branch above, instead of INTERNAL_ERROR (500).
+                throw new SdkValidationError([
+                    {
+                        path: ['self'],
+                        message: err instanceof Error ? err.message : 'Failed to resolve self',
+                    },
+                ], `Invalid "self" target "${selfRef}": ${err instanceof Error ? err.message : 'unparseable path'}`);
+            }
+        }
+        const handler = bound.handler;
+        const handlerParams = validation.data;
+        const callRemote = makeCallRemote(kernel);
+        const ctx = {
+            params: handlerParams,
+            auth,
+            self: resolvedSelf,
+            deps: this.deps,
+            url: this.url,
+            kernel,
+            callRemote,
+        };
+        if (handler.authorize)
+            await runAuthorize(handler.authorize, ctx);
+        const result = await executeHandler({ handler, ref: bound.ref, ...ctx });
+        return validateOutput(bound, result);
+    }
+    identityFor(bound) {
+        const identity = this.identities.get(bound);
+        if (!identity) {
+            if (methodAuthPolicy(bound) === 'public') {
+                return { issuer: this.issuer, subject: bound.ref, privateKey: this.privateKey };
+            }
+            throw new Error(`SdkDispatcher: no identity config for "${bound.owner}.${bound.method}" — ` +
+                `method is registered in the index but missing from the identity map.`);
+        }
+        return identity;
+    }
+}
+function methodAuthPolicy(bound) {
+    return bound.handler.auth ?? 'required';
+}
+function pathToString(path) {
+    return typeof path === 'string' ? path : path.raw;
+}
+/**
+ * Validate a handler's output against `bound.outputSchema`, mirroring the
+ * kernel's dispatcher (`runtime/.../dispatcher.ts` + `events.ts`):
+ *   - `binary` outputs skip validation (no schema applies).
+ *   - async-generator outputs (`output: 'stream'`) are wrapped so each chunk
+ *     is validated as it is yielded.
+ *   - all other (`value`) outputs are validated once and returned parsed.
+ * Returns the synchronous shape (value or generator) so the caller's
+ * `dispatch()` can classify it without awaiting a stream to completion.
+ */
+function validateOutput(bound, result) {
+    if (bound.output === 'binary')
+        return result;
+    if (isAsyncGenerator(result))
+        return validateOutputStream(bound, result);
+    return validateChunk(bound, result);
+}
+async function* validateOutputStream(bound, gen) {
+    for await (const chunk of gen) {
+        yield validateChunk(bound, chunk);
+    }
+}
+/** Parse one output value against `bound.outputSchema` or throw a 500-class error. */
+function validateChunk(bound, value) {
+    const out = validateResult(bound.outputSchema, value);
+    if (!out.ok) {
+        throw new SdkResultValidationError(out.issues, bound.ref);
+    }
+    return out.data;
+}
+function isAsyncGenerator(value) {
+    return (value !== null &&
+        value !== undefined &&
+        typeof value === 'object' &&
+        Symbol.asyncIterator in value);
+}
+//# sourceMappingURL=dispatcher.js.map

package/dist/dispatch/dispatcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dispatcher.js","sourceRoot":"","sources":["../../src/dispatch/dispatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAWH,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AAC9C,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAC5F,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAC1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAA;AACzC,OAAO,EAAE,WAAW,EAAmB,MAAM,QAAQ,CAAA;AACrD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAsB3D,MAAM,OAAO,aAAa;IACP,OAAO,CAAa;IACpB,IAAI,CAAO;IACX,UAAU,CAA0D;IACpE,MAAM,CAAQ;IACd,GAAG,CAAQ;IACX,UAAU,CAAY;IAEvC,YAAY,MAAkC;QAC5C,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;QAC7B,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAA;QACvB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAA;QAC3B,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAA;QACrB,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAA;QACnC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;QAC/D,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAA;QAC1F,IAAI,CAAC,UAAU;YACb,eAAe,CAAC,MAAM,GAAG,CAAC;gBACxB,CAAC,CAAC,gBAAgB,CAAC,MAAM,CAAC,QAAQ,EAAE,eAAe,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC;gBACtF,CAAC,CAAC,IAAI,GAAG,EAAE,CAAA;IACjB,CAAC;IAED,KAAK,CAAC,IAAI,CACR,IAAmB,EACnB,UAA2B,EAC3B,MAAe,EACf,IAAwB;QAExB,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAA;IACvD,CAAC;IAED,KAAK,CAAC,MAAM,CACV,IAAmB,EACnB,UAA2B,EAC3B,MAAe,EACf,IAAwB;QAExB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAA;QACnE,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,WAAW,YAAY,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAA;QACrF,CAAC;QACD,OAAO,MAAM,CAAA;IACf,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,QAAQ,CACZ,IAAmB,EACnB,UAA2B,EAC3B,MAAe,EACf,IAAwB;QAExB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAA;QACnE,OAAO,gBAAgB,CAAC,MAAM,CAAC;YAC7B,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE;YACvC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAA;IACtC,CAAC;IAED,EAAE,CAAC,UAA2B;QAC5B,OAAO;YACL,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC;YAC3D,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC;SAChE,CAAA;IACH,CAAC;IAEO,KAAK,CAAC,GAAG,CACf,IAAmB,EACnB,UAA2B,EAC3B,MAAe,EACf,OAAgB;QAEhB,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;QAC/C,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,mBAAmB,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAA;QAE7D,MAAM,UAAU,GAAgB,KAAK,CAAC,OAAiC,CAAC,IAAI,IAAI,UAAU,CAAA;QAC1F,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAA;QAC1C,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,kBAAkB,CAAC,UAAU,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;QAErF,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3E,MAAM,IAAI,kBAAkB,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC,CAAC,CAAA;QACxF,CAAC;QACD,MAAM,UAAU,GAAG,cAAc,CAAC,KAAK,CAAC,WAAW,EAAE,MAAM,CAAC,CAAA;QAC5D,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;YACnB,MAAM,IAAI,kBAAkB,CAAC,UAAU,CAAC,MAAsC,CAAC,CAAA;QACjF,CAAC;QAED,2EAA2E;QAC3E,2EAA2E;QAC3E,IAAI,YAAoC,CAAA;QACxC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;YACpB,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;gBAChE,MAAM,IAAI,kBAAkB,CAC1B,CAAC,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,EAC/D,IAAI,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,oDAAoD;oBACjF,0DAA0D,KAAK,CAAC,MAAM,IAAI;oBAC1E,sBAAsB,KAAK,CAAC,MAAM,sCAAsC;oBACxE,+BAA+B,CAClC,CAAA;YACH,CAAC;YACD,IAAI,CAAC;gBACH,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAA;YAC7C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,uEAAuE;gBACvE,qEAAqE;gBACrE,8DAA8D;gBAC9D,MAAM,IAAI,kBAAkB,CAC1B;oBACE;wBACE,IAAI,EAAE,CAAC,MAAM,CAAC;wBACd,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,wBAAwB;qBACvE;iBACF,EACD,0BAA0B,OAAO,MAAM,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB,EAAE,CACjG,CAAA;YACH,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAGrB,CAAA;QACD,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAA;QACrC,MAAM,UAAU,GAAG,cAAc,CAAC,MAAM,CAAC,CAAA;QACzC,MAAM,GAAG,GAAG;YACV,MAAM,EAAE,aAAa;YACrB,IAAI;YACJ,IAAI,EAAE,YAAY;YAClB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,MAAM;YACN,UAAU;SACX,CAAA;QAED,IAAI,OAAO,CAAC,SAAS;YAAE,MAAM,YAAY,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;QAEjE,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC,CAAA;QACxE,OAAO,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IACtC,CAAC;IAEO,WAAW,CAAC,KAAoC;QACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QAC3C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,IAAI,gBAAgB,CAAC,KAAK,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACzC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAA;YACjF,CAAC;YACD,MAAM,IAAI,KAAK,CACb,0CAA0C,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,MAAM;gBACzE,sEAAsE,CACzE,CAAA;QACH,CAAC;QACD,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,KAAoC;IAC5D,OAAQ,KAAK,CAAC,OAAiC,CAAC,IAAI,IAAI,UAAU,CAAA;AACpE,CAAC;AAED,SAAS,YAAY,CAAC,IAAmB;IACvC,OAAO,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAA;AACnD,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,cAAc,CAAC,KAAoC,EAAE,MAAe;IAC3E,IAAI,KAAK,CAAC,MAAM,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAA;IAC5C,IAAI,gBAAgB,CAAC,MAAM,CAAC;QAAE,OAAO,oBAAoB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IACxE,OAAO,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;AACrC,CAAC;AAED,KAAK,SAAS,CAAC,CAAC,oBAAoB,CAClC,KAAoC,EACpC,GAA4B;IAE5B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG,EAAE,CAAC;QAC9B,MAAM,aAAa,CAAC,KAAK,EAAE,KAAK,CAAC,CAAA;IACnC,CAAC;AACH,CAAC;AAED,sFAAsF;AACtF,SAAS,aAAa,CAAC,KAAoC,EAAE,KAAc;IACzE,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,CAAC,YAAY,EAAE,KAAK,CAAC,CAAA;IACrD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,wBAAwB,CAAC,GAAG,CAAC,MAA4C,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;IACjG,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,CAAA;AACjB,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,OAAO,CACL,KAAK,KAAK,IAAI;QACd,KAAK,KAAK,SAAS;QACnB,OAAO,KAAK,KAAK,QAAQ;QACzB,MAAM,CAAC,aAAa,IAAI,KAAK,CAC9B,CAAA;AACH,CAAC"}

package/dist/dispatch/errors.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Errors thrown by the dispatch pipeline.
+ *
+ * Each implements `KernelErrorClassifiable` so `kernel-api/dispatch` can
+ * convert them into typed `KernelErrorPayload` values automatically.
+ */
+import type { KernelErrorPayload, KernelErrorClassifiable } from '@astrale-os/kernel-api';
+/** A single Zod issue, normalized to the path/message the payload carries. */
+type ValidationIssue = {
+    path: (string | number)[];
+    message: string;
+};
+export declare class MethodNotFoundError extends Error implements KernelErrorClassifiable {
+    constructor(method: string);
+    toKernelErrorPayload(): KernelErrorPayload;
+}
+export declare class SdkValidationError extends Error implements KernelErrorClassifiable {
+    readonly issues: ValidationIssue[];
+    constructor(issues: ValidationIssue[], message?: string);
+    toKernelErrorPayload(): KernelErrorPayload;
+}
+/**
+ * Thrown when a handler's return value (or a stream chunk) fails validation
+ * against its `outputSchema`. This is a server/handler fault — the author's
+ * code produced data that violates its own declared contract — so it maps to
+ * `INTERNAL_ERROR` (→ HTTP 500), NOT the `VALIDATION_ERROR` (422) used for
+ * bad caller input. Mirrors the kernel's `ResultValidationError`.
+ */
+export declare class SdkResultValidationError extends Error implements KernelErrorClassifiable {
+    readonly issues: ValidationIssue[];
+    readonly ref?: string | undefined;
+    constructor(issues: ValidationIssue[], ref?: string | undefined);
+    toKernelErrorPayload(): KernelErrorPayload;
+}
+/**
+ * Thrown by a `RemoteHandler.authorize` hook to deny a call.
+ *
+ * Wraps any error the hook throws — handlers can throw a plain `Error` and
+ * the dispatcher converts it. Already-typed `AuthorizationDeniedError`
+ * instances are passed through unchanged so callers can attach hints.
+ */
+export declare class AuthorizationDeniedError extends Error implements KernelErrorClassifiable {
+    constructor(message: string, cause?: unknown);
+    toKernelErrorPayload(): KernelErrorPayload;
+}
+export {};
+//# sourceMappingURL=errors.d.ts.map

package/dist/dispatch/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/dispatch/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAA;AAIzF,8EAA8E;AAC9E,KAAK,eAAe,GAAG;IAAE,IAAI,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAA;AAWrE,qBAAa,mBAAoB,SAAQ,KAAM,YAAW,uBAAuB;IAC/E,YAAY,MAAM,EAAE,MAAM,EAGzB;IAED,oBAAoB,IAAI,kBAAkB,CAEzC;CACF;AAED,qBAAa,kBAAmB,SAAQ,KAAM,YAAW,uBAAuB;IAE5E,QAAQ,CAAC,MAAM,EAAE,eAAe,EAAE;IADpC,YACW,MAAM,EAAE,eAAe,EAAE,EAClC,OAAO,CAAC,EAAE,MAAM,EAIjB;IAED,oBAAoB,IAAI,kBAAkB,CAMzC;CACF;AAED;;;;;;GAMG;AACH,qBAAa,wBAAyB,SAAQ,KAAM,YAAW,uBAAuB;IAElF,QAAQ,CAAC,MAAM,EAAE,eAAe,EAAE;IAClC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM;IAFvB,YACW,MAAM,EAAE,eAAe,EAAE,EACzB,GAAG,CAAC,EAAE,MAAM,YAAA,EAItB;IAED,oBAAoB,IAAI,kBAAkB,CAMzC;CACF;AAED;;;;;;GAMG;AACH,qBAAa,wBAAyB,SAAQ,KAAM,YAAW,uBAAuB;IACpF,YAAY,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAG3C;IAED,oBAAoB,IAAI,kBAAkB,CAEzC;CACF"}

package/dist/dispatch/errors.js

@@ -0,0 +1,76 @@
+/**
+ * Errors thrown by the dispatch pipeline.
+ *
+ * Each implements `KernelErrorClassifiable` so `kernel-api/dispatch` can
+ * convert them into typed `KernelErrorPayload` values automatically.
+ */
+import { KERNEL_ERROR_CODES } from '@astrale-os/kernel-api';
+/** Shape Zod issues into the `data.errors` array of a `KernelErrorPayload`. */
+function toPayloadErrors(issues) {
+    return issues.map((i) => ({ path: i.path, code: 'INVALID', message: i.message }));
+}
+export class MethodNotFoundError extends Error {
+    constructor(method) {
+        super(`Method not found: ${method}`);
+        this.name = 'MethodNotFoundError';
+    }
+    toKernelErrorPayload() {
+        return { code: KERNEL_ERROR_CODES.METHOD_NOT_FOUND, message: this.message };
+    }
+}
+export class SdkValidationError extends Error {
+    issues;
+    constructor(issues, message) {
+        super(message ?? 'Invalid params');
+        this.issues = issues;
+        this.name = 'SdkValidationError';
+    }
+    toKernelErrorPayload() {
+        return {
+            code: KERNEL_ERROR_CODES.VALIDATION_ERROR,
+            message: this.message,
+            data: { errors: toPayloadErrors(this.issues) },
+        };
+    }
+}
+/**
+ * Thrown when a handler's return value (or a stream chunk) fails validation
+ * against its `outputSchema`. This is a server/handler fault — the author's
+ * code produced data that violates its own declared contract — so it maps to
+ * `INTERNAL_ERROR` (→ HTTP 500), NOT the `VALIDATION_ERROR` (422) used for
+ * bad caller input. Mirrors the kernel's `ResultValidationError`.
+ */
+export class SdkResultValidationError extends Error {
+    issues;
+    ref;
+    constructor(issues, ref) {
+        super(`Function${ref ? ` "${ref}"` : ''} returned an invalid result`);
+        this.issues = issues;
+        this.ref = ref;
+        this.name = 'SdkResultValidationError';
+    }
+    toKernelErrorPayload() {
+        return {
+            code: KERNEL_ERROR_CODES.INTERNAL_ERROR,
+            message: this.message,
+            data: { errors: toPayloadErrors(this.issues) },
+        };
+    }
+}
+/**
+ * Thrown by a `RemoteHandler.authorize` hook to deny a call.
+ *
+ * Wraps any error the hook throws — handlers can throw a plain `Error` and
+ * the dispatcher converts it. Already-typed `AuthorizationDeniedError`
+ * instances are passed through unchanged so callers can attach hints.
+ */
+export class AuthorizationDeniedError extends Error {
+    constructor(message, cause) {
+        super(message, { cause });
+        this.name = 'AuthorizationDeniedError';
+    }
+    toKernelErrorPayload() {
+        return { code: KERNEL_ERROR_CODES.PERMISSION_DENIED, message: this.message };
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/dispatch/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/dispatch/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAA;AAK3D,+EAA+E;AAC/E,SAAS,eAAe,CAAC,MAAyB;IAKhD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;AACnF,CAAC;AAED,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAC5C,YAAY,MAAc;QACxB,KAAK,CAAC,qBAAqB,MAAM,EAAE,CAAC,CAAA;QACpC,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAA;IACnC,CAAC;IAED,oBAAoB;QAClB,OAAO,EAAE,IAAI,EAAE,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAA;IAC7E,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAEhC,MAAM;IADjB,YACW,MAAyB,EAClC,OAAgB;QAEhB,KAAK,CAAC,OAAO,IAAI,gBAAgB,CAAC,CAAA;sBAHzB,MAAM;QAIf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAA;IAClC,CAAC;IAED,oBAAoB;QAClB,OAAO;YACL,IAAI,EAAE,kBAAkB,CAAC,gBAAgB;YACzC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,EAAE,MAAM,EAAE,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;SAC/C,CAAA;IACH,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IAEtC,MAAM;IACN,GAAG;IAFd,YACW,MAAyB,EACzB,GAAY;QAErB,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,6BAA6B,CAAC,CAAA;sBAH5D,MAAM;mBACN,GAAG;QAGZ,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAA;IACxC,CAAC;IAED,oBAAoB;QAClB,OAAO;YACL,IAAI,EAAE,kBAAkB,CAAC,cAAc;YACvC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,EAAE,MAAM,EAAE,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;SAC/C,CAAA;IACH,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACjD,YAAY,OAAe,EAAE,KAAe;QAC1C,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QACzB,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAA;IACxC,CAAC;IAED,oBAAoB;QAClB,OAAO,EAAE,IAAI,EAAE,kBAAkB,CAAC,iBAAiB,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAA;IAC9E,CAAC;CACF"}

package/dist/dispatch/execute.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Handler execution — pipeline step 4.
+ *
+ * Calls the resolved handler's `execute` with a fully assembled
+ * `RemoteContext`: validated params, auth context, optional bound self,
+ * typed deps, and a kernel `BoundClientSessionView`. The handler may return a
+ * value, a Promise, or an async generator (for `output: 'stream'`).
+ */
+import type { FnMap } from '@astrale-os/kernel-client';
+import type { BoundClientSessionView } from '@astrale-os/kernel-client/session';
+import type { AuthContext } from '@astrale-os/kernel-core';
+import type { CallRemoteFn } from './call-remote';
+import type { SelfResult } from './self';
+type HandlerFn = (...args: any[]) => any;
+export type ExecuteParams = {
+    /** Handler may omit `execute` when authored as a stub (spec-only binding). */
+    handler: {
+        execute?: HandlerFn;
+    };
+    /** Namespaced ref of the dispatched method — names the offending method in the
+     *  stub-leak diagnostic below (the dispatcher passes `bound.ref`). */
+    ref?: string;
+    params: Record<string, unknown>;
+    auth: AuthContext | null;
+    self: SelfResult | undefined;
+    deps: unknown;
+    url: string;
+    kernel: BoundClientSessionView<FnMap> | null;
+    callRemote: CallRemoteFn;
+};
+export declare function executeHandler(ctx: ExecuteParams): Promise<unknown>;
+export {};
+//# sourceMappingURL=execute.d.ts.map

package/dist/dispatch/execute.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"execute.d.ts","sourceRoot":"","sources":["../../src/dispatch/execute.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC/E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAE1D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAA;AACjD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAGxC,KAAK,SAAS,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAA;AAExC,MAAM,MAAM,aAAa,GAAG;IAC1B,8EAA8E;IAC9E,OAAO,EAAE;QAAE,OAAO,CAAC,EAAE,SAAS,CAAA;KAAE,CAAA;IAChC;0EACsE;IACtE,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC/B,IAAI,EAAE,WAAW,GAAG,IAAI,CAAA;IACxB,IAAI,EAAE,UAAU,GAAG,SAAS,CAAA;IAC5B,IAAI,EAAE,OAAO,CAAA;IACb,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,GAAG,IAAI,CAAA;IAC5C,UAAU,EAAE,YAAY,CAAA;CACzB,CAAA;AAED,wBAAsB,cAAc,CAAC,GAAG,EAAE,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,CAgBzE"}

package/dist/dispatch/execute.js

@@ -0,0 +1,24 @@
+/**
+ * Handler execution — pipeline step 4.
+ *
+ * Calls the resolved handler's `execute` with a fully assembled
+ * `RemoteContext`: validated params, auth context, optional bound self,
+ * typed deps, and a kernel `BoundClientSessionView`. The handler may return a
+ * value, a Promise, or an async generator (for `output: 'stream'`).
+ */
+export async function executeHandler(ctx) {
+    if (typeof ctx.handler.execute !== 'function') {
+        throw new Error(`executeHandler: handler${ctx.ref ? ` for "${ctx.ref}"` : ''} has no \`execute\` body — ` +
+            `this is a binding stub that should have been resolved to a remote redirect upstream.`);
+    }
+    return ctx.handler.execute({
+        params: ctx.params,
+        auth: ctx.auth,
+        self: ctx.self,
+        deps: ctx.deps,
+        url: ctx.url,
+        kernel: ctx.kernel,
+        callRemote: ctx.callRemote,
+    });
+}
+//# sourceMappingURL=execute.js.map

package/dist/dispatch/execute.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"execute.js","sourceRoot":"","sources":["../../src/dispatch/execute.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA2BH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAkB;IACrD,IAAI,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,KAAK,UAAU,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,0BAA0B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,6BAA6B;YACvF,sFAAsF,CACzF,CAAA;IACH,CAAC;IACD,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;QACzB,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,UAAU,EAAE,GAAG,CAAC,UAAU;KAC3B,CAAC,CAAA;AACJ,CAAC"}

package/dist/dispatch/identity.d.ts

@@ -0,0 +1,73 @@
+/**
+ * Per-callable identity — dispatcher runtime + install-time wiring.
+ *
+ * Two flavors of callable get an identity per the install-time identity
+ * binding: Methods on classes/interfaces (sub = MethodPath) and auto-
+ * materialized core function nodes — RemoteFunctions and Views (sub =
+ * AbsolutePath of the node under `core/{functions,views}/<slug>`).
+ *
+ * At server startup the method dispatcher and the View / RemoteFunction
+ * route mounter pre-compute, for every materialized callable, the
+ * `RemoteIdentityConfig` they sign outbound kernel calls with. The kernel
+ * then matches an existing function identity instead of provisioning a
+ * generic one.
+ *
+ * **Single source of truth:** every helper here is a thin lens over the
+ * canonical `resolveCallables` from `@astrale-os/kernel-core/domain`. The
+ * kernel validates install subs against the SAME function — drift = 0
+ * by construction. This closes the previous SDK-side gap where
+ * `collectMethodPaths` filtered to `own|override` and silently dropped
+ * `sealed`/`default` interface methods (which DO materialize as nodes).
+ */
+import type { BoundMethod, CompiledDomain } from '@astrale-os/kernel-core/domain';
+import type { RemoteIdentityConfig } from '../auth/identity';
+import type { AnyRemoteHandler } from '../method/single';
+/**
+ * For each materialized method node, emit its `MethodPath` (semantic,
+ * layout-independent) keyed by the method's namespaced ref. Used to
+ * build the install `subs` claim and to look up runtime per-method
+ * subjects in `buildIdentityMap`.
+ *
+ * Includes every method node the kernel materializes — class own/override
+ * AND interface own (sealed/default/override). Inherited (non-overriding)
+ * class methods reuse the interface's node via a `method_of` edge and
+ * are correctly absent here.
+ */
+export declare function collectMethodPaths(compiled: CompiledDomain): Record<string, string>;
+/** `{ views, remoteFunctions }` buckets keyed by slug — the shared shape
+ *  for every per-aux-callable map (paths, identity configs). */
+export type AuxBuckets<T> = {
+    views: Record<string, T>;
+    remoteFunctions: Record<string, T>;
+};
+/**
+ * slug → `AbsolutePath.raw` for each auto-materialized aux node
+ * (RemoteFunction / View). These nodes live at
+ * `/<origin>/core/{functions,views}/<slug>` and have no class+method
+ * decomposition that would justify a MethodPath — their identity is their
+ * graph position.
+ */
+export type AuxIdentityPaths = AuxBuckets<string>;
+export declare function collectAuxIdentityPaths(compiled: CompiledDomain): AuxIdentityPaths;
+/**
+ * slug → `RemoteIdentityConfig` for each auto-materialized View /
+ * RemoteFunction. Built once at server startup; consumed by
+ * `mountAuxiliaryRoutes` so each handler signs outbound `kernel.call(...)`
+ * with its own `sub` (the node's AbsolutePath). Mirrors `buildIdentityMap`.
+ */
+export type AuxIdentityMap = AuxBuckets<RemoteIdentityConfig>;
+export declare function buildAuxIdentityMap(compiled: CompiledDomain, privateKey: JsonWebKey, issuer: string): AuxIdentityMap;
+/**
+ * Pre-resolve per-method identity configs. Lookup is by BoundMethod instance,
+ * so the dispatcher pays O(1) per call instead of re-constructing the config.
+ *
+ * `iss` = the worker's own **serving URL** (`issuer` arg, e.g.
+ * `https://crm.test.com`) — its cryptographic identity, DECOUPLED from the
+ * domain's addressing `origin` (a graph slug). The kernel stamps the same
+ * value on each function node at install (it pins `iss` to the URL it fetched
+ * the domain at) and verifies inbound credentials against that issuer's JWKS
+ * (OIDC discovery). The function `sub` stays the origin-addressed MethodPath —
+ * `sub` = which function, `iss` = who signs.
+ */
+export declare function buildIdentityMap(compiled: CompiledDomain, methods: BoundMethod<AnyRemoteHandler>[], privateKey: JsonWebKey, issuer: string): Map<BoundMethod<AnyRemoteHandler>, RemoteIdentityConfig>;
+//# sourceMappingURL=identity.d.ts.map

package/dist/dispatch/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/dispatch/identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAA;AAIjF,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAA;AAC5D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AAExD;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAMnF;AAED;gEACgE;AAChE,MAAM,MAAM,UAAU,CAAC,CAAC,IAAI;IAC1B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;IACxB,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;CACnC,CAAA;AAED;;;;;;GAMG;AACH,MAAM,MAAM,gBAAgB,GAAG,UAAU,CAAC,MAAM,CAAC,CAAA;AAEjD,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,cAAc,GAAG,gBAAgB,CAoBlF;AAED;;;;;GAKG;AACH,MAAM,MAAM,cAAc,GAAG,UAAU,CAAC,oBAAoB,CAAC,CAAA;AAE7D,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,cAAc,EACxB,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE,MAAM,GACb,cAAc,CAWhB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,cAAc,EACxB,OAAO,EAAE,WAAW,CAAC,gBAAgB,CAAC,EAAE,EACxC,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE,MAAM,GACb,GAAG,CAAC,WAAW,CAAC,gBAAgB,CAAC,EAAE,oBAAoB,CAAC,CAmB1D"}