@astrale-os/sdk 0.1.1 → 0.1.2

package/dist/server/create.js

@@ -0,0 +1,210 @@
+/**
+ * `createRemoteServer` — the SDK's entry point for running a remote domain.
+ *
+ * Identity is per-function: the dispatcher signs `iss` = the worker's serving
+ * URL (`effectiveIssuer`, decoupled from the addressing `origin`) and `sub` =
+ * the origin-addressed function path on each dispatch.
+ *
+ * Composes:
+ *   methods             ← Map keyed by BoundMethod.ref (built by dispatch/resolve)
+ *   effectiveIssuer     ← config.issuer ?? config.url
+ *   dispatcher          ← SdkDispatcher(compiled, methods, deps, privateKey)
+ *   jwks                ← derivePublicJwk(privateKey), keyed by effectiveIssuer
+ *   /meta               ← provenance endpoint (sdkCommit, schemaHash, domainName)
+ *   auxiliary routes    ← view / remote-function handlers from defineRemoteDomain
+ *   app                 ← createKernelApp(dispatcher, contracts, host, jwks, transports, ...)
+ *   start               ← startNodeServer(app, port)
+ */
+import { deriveAllowedAlgorithms } from '@astrale-os/kernel-core';
+import { collectFunctionSubs, domainInstallRequestSchema, hashInstallGraph, } from '@astrale-os/kernel-core/domain';
+import { createKernelApp } from '@astrale-os/kernel-server';
+import { Hono } from 'hono';
+import { importJWK, SignJWT } from 'jose';
+import { MetaSchema } from '../deploy/meta';
+import { SdkDispatcher } from '../dispatch/dispatcher';
+import { buildAuxIdentityMap } from '../dispatch/identity';
+import { buildMethodIndex } from '../dispatch/resolve';
+import { buildInstallGraph, buildInstallGraphHash } from '../domain/build-spec';
+import { toSdkContract } from '../domain/contract';
+import { materializeRemoteDomain } from '../domain/define';
+import { mountAuxiliaryRoutes } from './auxiliary-routes';
+import { derivePublicJwk } from './jwks';
+import { canonicalizeServingUrl } from './serving-url';
+export function createRemoteServer(config) {
+    const methods = buildMethodIndex(config.domain.methods);
+    // The worker's identity (`iss`) is its full serving URL (base path included,
+    // trailing slash stripped) — decoupled from the addressing `origin` slug. One
+    // canonical value drives outbound signing, the JWKS issuer, `/meta`, and the
+    // install credential. Must equal the URL the kernel fetched the domain at.
+    const iss = canonicalizeServingUrl(config.url);
+    // Re-materialize the domain with the real serving url (`iss`) so the aux
+    // View/Function `binding.remoteUrl` resolve to this host — the define-time
+    // placeholder is discarded. `compiled`/`auxiliary` drive everything below;
+    // `iss` is the single source for both bindings and identity.
+    const { compiled, auxiliary } = materializeRemoteDomain(config.domain, iss);
+    const dispatcher = new SdkDispatcher({
+        compiled,
+        methods,
+        deps: config.deps,
+        privateKey: config.privateKey,
+        issuer: iss,
+        // The canonicalized serving URL, NOT the raw config.url: `ctx.url` is
+        // documented as the worker's `iss` identity, so the two must be one value.
+        url: iss,
+    });
+    const publicJwk = derivePublicJwk(config.privateKey);
+    const jwks = {
+        issuer: iss,
+        loadOwnKeys: async () => [publicJwk],
+    };
+    // `/meta`'s `schemaHash` is computed from the LIVE domain graph (lazy +
+    // cached). `hashInstallGraph` is id-independent/deterministic, so an
+    // independent build (a deploy script) produces the SAME hash — `deployCheck`
+    // can compare its expected value against this and detect genuine schema drift.
+    // An explicit `config.meta.schemaHash` still wins as an override for
+    // offline/pinned spec producers, but normal deploys omit it.
+    let cachedSchemaHash = null;
+    const resolveSchemaHash = () => config.meta?.schemaHash !== undefined
+        ? Promise.resolve(config.meta.schemaHash)
+        : (cachedSchemaHash ??= buildInstallGraphHash(config.domain, iss));
+    // Register `/meta` on the host app before `createKernelApp` mounts its
+    // catch-all routes so the verbatim path wins.
+    const hostApp = config.app ?? new Hono();
+    const metaBase = {
+        iss,
+        sdkCommit: config.meta?.sdkCommit,
+        domainName: config.meta?.domainName ?? compiled.$.origin,
+    };
+    hostApp.get('/meta', async (c) => c.json(MetaSchema.parse({ ...metaBase, schemaHash: await resolveSchemaHash() })));
+    hostApp.post('/_astrale/install-domain', async (c) => {
+        const parsed = domainInstallRequestSchema.safeParse(await c.req.json().catch(() => null));
+        if (!parsed.success) {
+            return c.json({ error: 'Invalid install request', issues: parsed.error.issues }, 400);
+        }
+        const token = bearerToken(c.req.header('authorization'));
+        try {
+            await config.install?.authorize?.({
+                c,
+                ...(token ? { token } : {}),
+                kernelIssuer: parsed.data.kernelIssuer,
+                nonce: parsed.data.nonce,
+                deps: config.deps,
+            });
+        }
+        catch (err) {
+            return c.json({ error: 'Install denied', message: err.message }, 403);
+        }
+        // Build the install graph. `buildInstallGraph` re-materializes the domain
+        // with the serving url (`iss`), so every `binding.remoteUrl` points at this
+        // host — the same single value as the credential's `iss` below. The kernel
+        // hashes exactly this graph; no install-time rewrite.
+        const graph = buildInstallGraph(config.domain, iss);
+        const graphHash = await hashInstallGraph(graph);
+        const origin = compiled.$.origin;
+        // `postInstall` + `requires` ride in BOTH the signed credential claims and
+        // the bundle body, and the kernel rejects any bundle field that disagrees
+        // with its signed claim — so derive them once and reuse for both.
+        const bundleExtras = {
+            ...(config.postInstall ? { postInstall: config.postInstall } : {}),
+            ...(config.requires && config.requires.length > 0 ? { requires: config.requires } : {}),
+        };
+        // The credential's `iss` is the worker's serving URL (`iss`, computed above)
+        // — the kernel pins it to the URL it fetched the domain at and verifies this
+        // credential against that issuer's JWKS.
+        const credential = await signInstallCredential({
+            privateKey: config.privateKey,
+            issuer: iss,
+            audience: parsed.data.kernelIssuer,
+            nonce: parsed.data.nonce,
+            graphHash,
+            subs: collectFunctionSubs(compiled),
+            ...bundleExtras,
+        });
+        return c.json({
+            origin,
+            graph,
+            identity: { credential },
+            ...bundleExtras,
+        });
+    });
+    // Resolved once and shared between the kernel envelope (createKernelApp) and
+    // the aux routes (mountAuxiliaryRoutes) so both honor the same policy.
+    const cors = config.cors ?? { origin: '*' };
+    // Worker-side wires for defineView / defineRemoteFunction. Mounted before
+    // the kernel catch-all. Each aux route gets its own per-slug identity
+    // (issuer + key + the aux node's AbsolutePath as subject) so outbound
+    // `kernel.call(...)` from a handler signs with that path — matching the
+    // identity the install-time `subs` claim registered for the node, the
+    // same way Methods work.
+    if (auxiliary) {
+        const auxIdentities = buildAuxIdentityMap(compiled, config.privateKey, iss);
+        mountAuxiliaryRoutes({
+            app: hostApp,
+            url: auxiliary.url,
+            // oxlint-disable-next-line no-explicit-any
+            views: config.domain.views,
+            viewBindings: auxiliary.viewBindings,
+            remoteFunctions: config.domain.remoteFunctions,
+            remoteFunctionBindings: auxiliary.remoteFunctionBindings,
+            deps: config.deps,
+            identities: auxIdentities,
+            cors,
+        });
+    }
+    const { app } = createKernelApp({
+        kernel: dispatcher,
+        domain: config.domain.methods.map(toSdkContract),
+        host: { url: config.url },
+        jwks,
+        transports: config.transports,
+        cors,
+        health: config.health,
+        app: hostApp,
+        ws: config.ws,
+    });
+    return {
+        app,
+        // The canonical serving URL = the worker's `iss` identity. Exposed so a
+        // worker that also seeds `Identity.iss` on graph nodes (e.g. recruitment's
+        // self-seed) stamps the SAME canonical value the dispatcher signs with —
+        // never the raw env.WORKER_URL — so the kernel's exact-match lookup resolves.
+        iss,
+        async start(port) {
+            const nodeStartModule = './start';
+            const { startNodeServer } = await import(nodeStartModule);
+            return startNodeServer(app, port);
+        },
+    };
+}
+function bearerToken(header) {
+    if (!header)
+        return undefined;
+    const match = /^Bearer\s+(.+)$/i.exec(header.trim());
+    return match?.[1];
+}
+async function signInstallCredential(args) {
+    const alg = deriveAllowedAlgorithms(args.privateKey)[0];
+    if (!alg) {
+        throw new Error(`createRemoteServer: cannot derive install signing algorithm from JWK (kty=${args.privateKey.kty}).`);
+    }
+    const kid = args.privateKey.kid;
+    const header = typeof kid === 'string' ? { alg, kid } : { alg };
+    const key = await importJWK(args.privateKey, alg);
+    // `postInstall` + `requires` are signed (not just carried in the bundle) so a
+    // MITM can't retarget the system-authority hook or forge dependencies
+    return new SignJWT({
+        subs: args.subs,
+        nonce: args.nonce,
+        graph_hash: args.graphHash,
+        ...(args.postInstall ? { postInstall: args.postInstall } : {}),
+        ...(args.requires ? { requires: args.requires } : {}),
+    })
+        .setProtectedHeader(header)
+        .setIssuer(args.issuer)
+        .setSubject(args.issuer)
+        .setAudience(args.audience)
+        .setIssuedAt()
+        .setExpirationTime('10m')
+        .sign(key);
+}
+//# sourceMappingURL=create.js.map

package/dist/server/create.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create.js","sourceRoot":"","sources":["../../src/server/create.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAA;AACjE,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,gCAAgC,CAAA;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC3B,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAMzC,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AACtD,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AACtD,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAA;AAC/E,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAClD,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAA;AAC1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAA;AACxC,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAA;AAEtD,MAAM,UAAU,kBAAkB,CAAQ,MAAiC;IACzE,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IACvD,6EAA6E;IAC7E,8EAA8E;IAC9E,6EAA6E;IAC7E,2EAA2E;IAC3E,MAAM,GAAG,GAAG,sBAAsB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;IAE9C,yEAAyE;IACzE,2EAA2E;IAC3E,2EAA2E;IAC3E,6DAA6D;IAC7D,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,uBAAuB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAE3E,MAAM,UAAU,GAAG,IAAI,aAAa,CAAQ;QAC1C,QAAQ;QACR,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,MAAM,EAAE,GAAG;QACX,sEAAsE;QACtE,2EAA2E;QAC3E,GAAG,EAAE,GAAG;KACT,CAAC,CAAA;IAEF,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IACpD,MAAM,IAAI,GAAa;QACrB,MAAM,EAAE,GAAG;QACX,WAAW,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC;KACrC,CAAA;IAED,wEAAwE;IACxE,qEAAqE;IACrE,6EAA6E;IAC7E,+EAA+E;IAC/E,qEAAqE;IACrE,6DAA6D;IAC7D,IAAI,gBAAgB,GAA2B,IAAI,CAAA;IACnD,MAAM,iBAAiB,GAAG,GAAoB,EAAE,CAC9C,MAAM,CAAC,IAAI,EAAE,UAAU,KAAK,SAAS;QACnC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACzC,CAAC,CAAC,CAAC,gBAAgB,KAAK,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAA;IAEtE,uEAAuE;IACvE,8CAA8C;IAC9C,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAA;IACxC,MAAM,QAAQ,GAAG;QACf,GAAG;QACH,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS;QACjC,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,UAAU,IAAI,QAAQ,CAAC,CAAC,CAAC,MAAM;KACzD,CAAA;IACD,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,CAC/B,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,GAAG,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,EAAE,EAAE,CAAC,CAAC,CACjF,CAAA;IACD,OAAO,CAAC,IAAI,CAAC,0BAA0B,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACnD,MAAM,MAAM,GAAG,0BAA0B,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,CAAA;QACzF,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,GAAG,CAAC,CAAA;QACvF,CAAC;QAED,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAA;QACxD,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,OAAO,EAAE,SAAS,EAAE,CAAC;gBAChC,CAAC;gBACD,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3B,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY;gBACtC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;gBACxB,IAAI,EAAE,MAAM,CAAC,IAAI;aAClB,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAG,GAAa,CAAC,OAAO,EAAE,EAAE,GAAG,CAAC,CAAA;QAClF,CAAC;QAED,0EAA0E;QAC1E,4EAA4E;QAC5E,2EAA2E;QAC3E,sDAAsD;QACtD,MAAM,KAAK,GAAG,iBAAiB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QACnD,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAA;QAC/C,MAAM,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAA;QAChC,2EAA2E;QAC3E,0EAA0E;QAC1E,kEAAkE;QAClE,MAAM,YAAY,GAAG;YACnB,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxF,CAAA;QACD,6EAA6E;QAC7E,6EAA6E;QAC7E,yCAAyC;QACzC,MAAM,UAAU,GAAG,MAAM,qBAAqB,CAAC;YAC7C,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,MAAM,EAAE,GAAG;YACX,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY;YAClC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;YACxB,SAAS;YACT,IAAI,EAAE,mBAAmB,CAAC,QAAQ,CAAC;YACnC,GAAG,YAAY;SAChB,CAAC,CAAA;QAEF,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM;YACN,KAAK;YACL,QAAQ,EAAE,EAAE,UAAU,EAAE;YACxB,GAAG,YAAY;SAChB,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,6EAA6E;IAC7E,uEAAuE;IACvE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAA;IAE3C,0EAA0E;IAC1E,sEAAsE;IACtE,sEAAsE;IACtE,wEAAwE;IACxE,sEAAsE;IACtE,yBAAyB;IACzB,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,aAAa,GAAG,mBAAmB,CAAC,QAAQ,EAAE,MAAM,CAAC,UAAU,EAAE,GAAG,CAAC,CAAA;QAC3E,oBAAoB,CAAQ;YAC1B,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,SAAS,CAAC,GAAG;YAClB,2CAA2C;YAC3C,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,KAAmD;YACxE,YAAY,EAAE,SAAS,CAAC,YAAY;YACpC,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe;YAC9C,sBAAsB,EAAE,SAAS,CAAC,sBAAsB;YACxD,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,UAAU,EAAE,aAAa;YACzB,IAAI;SACL,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,GAAG,eAAe,CAAC;QAC9B,MAAM,EAAE,UAAU;QAClB,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;QAChD,IAAI,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE;QACzB,IAAI;QACJ,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,IAAI;QACJ,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,GAAG,EAAE,OAAO;QACZ,EAAE,EAAE,MAAM,CAAC,EAAE;KACd,CAAC,CAAA;IAEF,OAAO;QACL,GAAG;QACH,wEAAwE;QACxE,2EAA2E;QAC3E,yEAAyE;QACzE,8EAA8E;QAC9E,GAAG;QACH,KAAK,CAAC,KAAK,CAAC,IAAa;YACvB,MAAM,eAAe,GAAG,SAAS,CAAA;YACjC,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAA;YACzD,OAAO,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QACnC,CAAC;KACF,CAAA;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAA0B;IAC7C,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAA;IAC7B,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;IACpD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAA;AACnB,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,IASpC;IACC,MAAM,GAAG,GAAG,uBAAuB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAA;IACvD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CACb,6EAA6E,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CACrG,CAAA;IACH,CAAC;IACD,MAAM,GAAG,GAAI,IAAI,CAAC,UAAiD,CAAC,GAAG,CAAA;IACvE,MAAM,MAAM,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAA;IAC/D,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,CAAA;IAEjD,8EAA8E;IAC9E,sEAAsE;IACtE,OAAO,IAAI,OAAO,CAAC;QACjB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,UAAU,EAAE,IAAI,CAAC,SAAS;QAC1B,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9D,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACtD,CAAC;SACC,kBAAkB,CAAC,MAAM,CAAC;SAC1B,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;SACtB,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC;SACvB,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;SAC1B,WAAW,EAAE;SACb,iBAAiB,CAAC,KAAK,CAAC;SACxB,IAAI,CAAC,GAAG,CAAC,CAAA;AACd,CAAC"}

package/dist/server/handle.d.ts

@@ -0,0 +1,35 @@
+/**
+ * `RemoteServer` and `RemoteServerHandle` — output shapes for the SDK server.
+ *
+ * `RemoteServer` is what `createRemoteServer` returns: the assembled Hono
+ * app plus a Node convenience helper. `RemoteServerHandle` is what `start()`
+ * resolves to: the bound port and a `close()` function for graceful shutdown.
+ */
+import type { Hono } from 'hono';
+export type RemoteServer = {
+    /**
+     * The assembled Hono app. Use `app.fetch` for any runtime
+     * (Bun, Deno, Cloudflare Workers, or Node via `@hono/node-server`).
+     */
+    app: Hono;
+    /**
+     * The worker's canonical serving URL — its `iss` identity (full URL, trailing
+     * slash stripped, base path preserved). The single value the dispatcher signs
+     * with and the kernel pins. Read it to seed `Identity.iss` on graph nodes so
+     * the seeded value matches the signing issuer (never re-derive from a raw env).
+     */
+    iss: string;
+    /**
+     * Convenience helper: start a Node HTTP server on the given port using
+     * `@hono/node-server` (loaded via dynamic import). For other runtimes,
+     * use `app.fetch` directly.
+     */
+    start: (port?: number) => Promise<RemoteServerHandle>;
+};
+export type RemoteServerHandle = {
+    /** The port the server is listening on (resolved even if `port: 0` was requested). */
+    port: number;
+    /** Stop the server and release the port. */
+    close: () => Promise<void>;
+};
+//# sourceMappingURL=handle.d.ts.map

package/dist/server/handle.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handle.d.ts","sourceRoot":"","sources":["../../src/server/handle.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,MAAM,MAAM,YAAY,GAAG;IACzB;;;OAGG;IACH,GAAG,EAAE,IAAI,CAAA;IACT;;;;;OAKG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;;;OAIG;IACH,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAA;CACtD,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,sFAAsF;IACtF,IAAI,EAAE,MAAM,CAAA;IACZ,4CAA4C;IAC5C,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAC3B,CAAA"}

package/dist/server/handle.js

@@ -0,0 +1,9 @@
+/**
+ * `RemoteServer` and `RemoteServerHandle` — output shapes for the SDK server.
+ *
+ * `RemoteServer` is what `createRemoteServer` returns: the assembled Hono
+ * app plus a Node convenience helper. `RemoteServerHandle` is what `start()`
+ * resolves to: the bound port and a `close()` function for graceful shutdown.
+ */
+export {};
+//# sourceMappingURL=handle.js.map

package/dist/server/handle.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handle.js","sourceRoot":"","sources":["../../src/server/handle.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG"}

package/dist/server/index.d.ts

@@ -0,0 +1,11 @@
+export { createRemoteServer } from './create';
+export type { RemoteServerConfig } from './config';
+export type { RemoteServer, RemoteServerHandle } from './handle';
+export { derivePublicJwk } from './jwks';
+export { requireEnv } from './require-env';
+export { canonicalizeServingUrl } from './serving-url';
+export { createWorkerEntry } from './worker-entry';
+export type { WorkerEntry, WorkerEntryConfig } from './worker-entry';
+export { workerMeta } from './worker-meta';
+export { startNodeServer } from './start';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAC7C,YAAY,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAClD,YAAY,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAA;AACxC,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAC1C,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAA;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAClD,YAAY,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AACpE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA"}

package/dist/server/index.js

@@ -0,0 +1,8 @@
+export { createRemoteServer } from './create';
+export { derivePublicJwk } from './jwks';
+export { requireEnv } from './require-env';
+export { canonicalizeServingUrl } from './serving-url';
+export { createWorkerEntry } from './worker-entry';
+export { workerMeta } from './worker-meta';
+export { startNodeServer } from './start';
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAG7C,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAA;AACxC,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAC1C,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAA;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAElD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA"}

package/dist/server/jwks.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Derive a public JWK from a private one.
+ *
+ * Strips the private components for both EC keys (drops `d`) and RSA keys
+ * (drops `d`, `p`, `q`, `dp`, `dq`, `qi`, and `oth` — the additional-primes
+ * array on multi-prime RSA keys). The result is safe to publish at
+ * `<url>/.well-known/jwks.json` so downstream verifiers can validate
+ * signatures the server produced.
+ */
+export declare function derivePublicJwk(privateKey: JsonWebKey): Record<string, unknown>;
+//# sourceMappingURL=jwks.d.ts.map

package/dist/server/jwks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks.d.ts","sourceRoot":"","sources":["../../src/server/jwks.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,wBAAgB,eAAe,CAAC,UAAU,EAAE,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAO/E"}

package/dist/server/jwks.js

@@ -0,0 +1,15 @@
+/**
+ * Derive a public JWK from a private one.
+ *
+ * Strips the private components for both EC keys (drops `d`) and RSA keys
+ * (drops `d`, `p`, `q`, `dp`, `dq`, `qi`, and `oth` — the additional-primes
+ * array on multi-prime RSA keys). The result is safe to publish at
+ * `<url>/.well-known/jwks.json` so downstream verifiers can validate
+ * signatures the server produced.
+ */
+export function derivePublicJwk(privateKey) {
+    // oxlint-disable-next-line no-unused-vars
+    const { d, p, q, dp, dq, qi, oth, ...publicJwk } = privateKey;
+    return publicJwk;
+}
+//# sourceMappingURL=jwks.js.map

package/dist/server/jwks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks.js","sourceRoot":"","sources":["../../src/server/jwks.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,UAAU,eAAe,CAAC,UAAsB;IACpD,0CAA0C;IAC1C,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,SAAS,EAAE,GAAG,UAGlD,CAAA;IACD,OAAO,SAAS,CAAA;AAClB,CAAC"}

package/dist/server/require-env.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Read a string-typed env var (process.env on Node, the Worker `env` binding
+ * on Cloudflare) and throw a clear error if it is missing or empty.
+ *
+ * Use this for **identity-bearing** values (issuer, baseDomain, audience,
+ * worker URL) where a guessed default silently mints wrong JWTs or bakes
+ * wrong refs into persisted artifacts. The conventional `?? 'literal'`
+ * fallback is the anti-pattern this exists to replace.
+ *
+ * In local dev these live in each domain worker's `worker/.dev.vars` (read
+ * natively by `wrangler dev`), so this throw never fires in a properly-prepared
+ * dev environment — only when wiring is genuinely missing.
+ */
+export declare function requireEnv(env: unknown, name: string, hint?: string): string;
+//# sourceMappingURL=require-env.d.ts.map

package/dist/server/require-env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-env.d.ts","sourceRoot":"","sources":["../../src/server/require-env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAK5E"}

package/dist/server/require-env.js

@@ -0,0 +1,21 @@
+/**
+ * Read a string-typed env var (process.env on Node, the Worker `env` binding
+ * on Cloudflare) and throw a clear error if it is missing or empty.
+ *
+ * Use this for **identity-bearing** values (issuer, baseDomain, audience,
+ * worker URL) where a guessed default silently mints wrong JWTs or bakes
+ * wrong refs into persisted artifacts. The conventional `?? 'literal'`
+ * fallback is the anti-pattern this exists to replace.
+ *
+ * In local dev these live in each domain worker's `worker/.dev.vars` (read
+ * natively by `wrangler dev`), so this throw never fires in a properly-prepared
+ * dev environment — only when wiring is genuinely missing.
+ */
+export function requireEnv(env, name, hint) {
+    const v = env?.[name];
+    if (typeof v === 'string' && v.length > 0)
+        return v;
+    const help = hint ? ` (${hint})` : '';
+    throw new Error(`Missing required env var: ${name}${help}`);
+}
+//# sourceMappingURL=require-env.js.map

package/dist/server/require-env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-env.js","sourceRoot":"","sources":["../../src/server/require-env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,UAAU,CAAC,GAAY,EAAE,IAAY,EAAE,IAAa;IAClE,MAAM,CAAC,GAAI,GAAkD,EAAE,CAAC,IAAI,CAAC,CAAA;IACrE,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,CAAC,CAAA;IACnD,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE,CAAA;IACrC,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,GAAG,IAAI,EAAE,CAAC,CAAA;AAC7D,CAAC"}

package/dist/server/serving-url.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Canonicalize a worker's serving URL into its `iss` identity.
+ *
+ * Returns the full URL with trailing slash(es) stripped — the base path is
+ * preserved (an issuer may carry a non-empty path, like `…/kernel/host`). This
+ * is the single canonical form used for outbound signing, the JWKS issuer,
+ * `/meta`, the install credential, and any `Identity.iss` a domain seeds, so the
+ * value a worker SIGNS always matches the value the kernel LOOKS UP (the kernel
+ * canonicalizes the verified `iss` the same way and does an exact-match lookup).
+ *
+ * Throws if `url` is not a parseable absolute URL.
+ */
+export declare function canonicalizeServingUrl(url: string): string;
+//# sourceMappingURL=serving-url.d.ts.map

package/dist/server/serving-url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"serving-url.d.ts","sourceRoot":"","sources":["../../src/server/serving-url.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAOH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAS1D"}

package/dist/server/serving-url.js

@@ -0,0 +1,28 @@
+/**
+ * Canonicalize a worker's serving URL into its `iss` identity.
+ *
+ * Returns the full URL with trailing slash(es) stripped — the base path is
+ * preserved (an issuer may carry a non-empty path, like `…/kernel/host`). This
+ * is the single canonical form used for outbound signing, the JWKS issuer,
+ * `/meta`, the install credential, and any `Identity.iss` a domain seeds, so the
+ * value a worker SIGNS always matches the value the kernel LOOKS UP (the kernel
+ * canonicalizes the verified `iss` the same way and does an exact-match lookup).
+ *
+ * Throws if `url` is not a parseable absolute URL.
+ */
+// INVARIANT (cross-repo): issuer PRODUCERS must strip trailing path slashes
+// BEFORE a value becomes an iss. kernel-core's `normalizeIssuerId` only strips
+// a lone trailing slash on an EMPTY path, so `https://x/base/` and
+// `https://x/base` are distinct issuer identities to the kernel — this
+// function and the kernel's `installSourceBase` both pre-strip with the same
+// rule so the two sides can never mint diverging identities for one worker.
+export function canonicalizeServingUrl(url) {
+    try {
+        return new URL(url).href.replace(/\/+$/, '');
+    }
+    catch {
+        throw new Error(`canonicalizeServingUrl: expected a full URL (got "${url}") — ` +
+            'it is the worker serving URL and its JWT issuer identity.');
+    }
+}
+//# sourceMappingURL=serving-url.js.map

package/dist/server/serving-url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"serving-url.js","sourceRoot":"","sources":["../../src/server/serving-url.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,4EAA4E;AAC5E,+EAA+E;AAC/E,mEAAmE;AACnE,uEAAuE;AACvE,6EAA6E;AAC7E,4EAA4E;AAC5E,MAAM,UAAU,sBAAsB,CAAC,GAAW;IAChD,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,qDAAqD,GAAG,OAAO;YAC7D,2DAA2D,CAC9D,CAAA;IACH,CAAC;AACH,CAAC"}

package/dist/server/start.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Node HTTP convenience starter.
+ *
+ * Dynamically imports `@hono/node-server` so the SDK stays runtime-agnostic
+ * — only Node consumers actually pull in the dep. For Bun / Deno /
+ * Cloudflare, consumers go through `server.app.fetch` directly.
+ */
+import type { Hono } from 'hono';
+import type { RemoteServerHandle } from './handle';
+export declare function startNodeServer(app: Hono, port?: number): Promise<RemoteServerHandle>;
+//# sourceMappingURL=start.d.ts.map

package/dist/server/start.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../src/server/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAElD,wBAAsB,eAAe,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,SAAO,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAwBzF"}

package/dist/server/start.js

@@ -0,0 +1,30 @@
+/**
+ * Node HTTP convenience starter.
+ *
+ * Dynamically imports `@hono/node-server` so the SDK stays runtime-agnostic
+ * — only Node consumers actually pull in the dep. For Bun / Deno /
+ * Cloudflare, consumers go through `server.app.fetch` directly.
+ */
+export async function startNodeServer(app, port = 3000) {
+    const { serve } = await import('@hono/node-server');
+    // oxlint-disable-next-line no-explicit-any
+    const server = serve({ fetch: app.fetch, port });
+    await new Promise((resolve, reject) => {
+        if (server.listening)
+            return resolve();
+        server.once('listening', () => resolve());
+        // Without this, a bind failure (e.g. EADDRINUSE on a busy port) emits
+        // `'error'` and never `'listening'`, leaving the Promise — and startup —
+        // hung forever with no diagnostic.
+        server.once('error', (err) => reject(err));
+    });
+    const address = server.address();
+    const actualPort = address?.port ?? port;
+    return {
+        port: actualPort,
+        close: () => new Promise((resolve, reject) => {
+            server.close((err) => (err ? reject(err) : resolve()));
+        }),
+    };
+}
+//# sourceMappingURL=start.js.map

package/dist/server/start.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"start.js","sourceRoot":"","sources":["../../src/server/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAS,EAAE,IAAI,GAAG,IAAI;IAC1D,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAA;IACnD,2CAA2C;IAC3C,MAAM,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,CAAQ,CAAA;IAEvD,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,IAAI,MAAM,CAAC,SAAS;YAAE,OAAO,OAAO,EAAE,CAAA;QACtC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAA;QACzC,sEAAsE;QACtE,yEAAyE;QACzE,mCAAmC;QACnC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;IACnD,CAAC,CAAC,CAAA;IAEF,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAA8C,CAAA;IAC5E,MAAM,UAAU,GAAG,OAAO,EAAE,IAAI,IAAI,IAAI,CAAA;IAExC,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACpC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAiB,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;QACtE,CAAC,CAAC;KACL,CAAA;AACH,CAAC"}

package/dist/server/worker-entry.d.ts

@@ -0,0 +1,60 @@
+/**
+ * `createWorkerEntry` — the shared worker `fetch` plumbing every Astrale domain
+ * worker (and the cloudflare adapter's codegen) needs, so it lives in ONE place
+ * instead of being copy-pasted per worker:
+ *
+ *   • resolve the serving URL (== `iss`), canonicalize it (so the value matches
+ *     what `createRemoteServer` signs with and the kernel pins), and cache the
+ *     built app per distinct URL;
+ *   • optional self-binding routing: when a `SELF` service binding is provided,
+ *     route same-host subrequests (e.g. `ctx.callRemote` back into this domain)
+ *     through it — Cloudflare forbids a Worker fetching its own hostname. This is
+ *     the ONLY reason a `globalThis.fetch` override is installed, and only when a
+ *     `selfBinding` is configured;
+ *   • optional SPA hook (e.g. `/ui/*` served from an `ASSETS` binding).
+ *
+ * The worker's OWN JWKS (`<url>/.well-known/jwks.json`) is served as a normal
+ * route by `createRemoteServer`; the verifier resolves a self-issued credential
+ * from the in-memory key (see `auth/verify.ts`), so no self-fetch shim is needed.
+ *
+ * The worker file is then just schema + methods + a `build(url, env)` callback.
+ */
+import type { RemoteServerConfig } from './config';
+type Fetcher = {
+    fetch(request: Request): Response | Promise<Response>;
+};
+export interface WorkerEntryConfig<TDeps> {
+    /**
+     * Build the `createRemoteServer` config for the resolved serving `url`. Called
+     * once per distinct URL (the resulting app is cached), with the same `env` the
+     * request carries — so it can read additional bindings (e.g. a base domain).
+     */
+    build: (url: string, env: TDeps) => RemoteServerConfig<TDeps>;
+    /**
+     * Resolve the raw serving URL from `env` (+ the per-request origin, for workers
+     * that fall back to the request host). Defaults to the `WORKER_URL` env var.
+     * The result is always canonicalized before use.
+     */
+    resolveUrl?: (env: TDeps, requestOrigin: string) => string;
+    /** Optional: the `SELF` service binding used to route same-host subrequests. */
+    selfBinding?: (env: TDeps) => Fetcher | null | undefined;
+    /**
+     * Optional: handle a request before it reaches the kernel app — e.g. serve a
+     * SPA under `/ui/*` or a same-origin `/api/*` endpoint the view calls. Return
+     * a `Response` to short-circuit, or `undefined` to fall through to the domain
+     * dispatch.
+     */
+    before?: (env: TDeps, url: URL, request: Request) => Response | undefined | Promise<Response | undefined>;
+    /**
+     * Optional: transform the request on the fall-through path, just before it
+     * reaches the kernel app (e.g. rewrite the hostname for wildcard-subdomain
+     * routing). Not applied when `before` short-circuits.
+     */
+    rewriteRequest?: (env: TDeps, request: Request) => Request;
+}
+export interface WorkerEntry<TDeps> {
+    fetch(request: Request, env: TDeps): Response | Promise<Response>;
+}
+export declare function createWorkerEntry<TDeps>(config: WorkerEntryConfig<TDeps>): WorkerEntry<TDeps>;
+export {};
+//# sourceMappingURL=worker-entry.d.ts.map

package/dist/server/worker-entry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"worker-entry.d.ts","sourceRoot":"","sources":["../../src/server/worker-entry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAMlD,KAAK,OAAO,GAAG;IAAE,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;CAAE,CAAA;AAGxE,MAAM,WAAW,iBAAiB,CAAC,KAAK;IACtC;;;;OAIG;IACH,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,KAAK,kBAAkB,CAAC,KAAK,CAAC,CAAA;IAC7D;;;;OAIG;IACH,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,KAAK,MAAM,CAAA;IAC1D,gFAAgF;IAChF,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,OAAO,GAAG,IAAI,GAAG,SAAS,CAAA;IACxD;;;;;OAKG;IACH,MAAM,CAAC,EAAE,CACP,GAAG,EAAE,KAAK,EACV,GAAG,EAAE,GAAG,EACR,OAAO,EAAE,OAAO,KACb,QAAQ,GAAG,SAAS,GAAG,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC,CAAA;IACzD;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,KAAK,OAAO,CAAA;CAC3D;AAED,MAAM,WAAW,WAAW,CAAC,KAAK;IAChC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;CAClE;AAED,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,iBAAiB,CAAC,KAAK,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAoD7F"}