@astrale-os/sdk 0.1.1 → 0.1.3

package/dist/auth/authenticate.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Authentication orchestrator.
+ *
+ * Verifies an inbound credential, extracts the delegation it carries,
+ * and binds a `BoundClientSessionView` for outbound kernel calls. Delegates
+ * the real work to `verify`, `compose` + `sign` (inside `kernel-client`),
+ * and returns a generic `Authenticated` result plus the bound view.
+ */
+import type { FnMap } from '@astrale-os/kernel-client';
+import type { BoundClientSessionView } from '@astrale-os/kernel-client/session';
+import type { Authenticated, CredentialInput } from '@astrale-os/kernel-core';
+import type { RemoteIdentityConfig } from './identity';
+export type AuthenticateResult = {
+    authenticated: Authenticated;
+    kernel: BoundClientSessionView<FnMap> | null;
+};
+/**
+ * Verifies an inbound credential and binds a call-back kernel view. The `sub`
+ * claim on the outbound credential is the function's own identity, taken from
+ * `config.subject` (the function node's path), so the kernel matches an
+ * existing function identity instead of provisioning a generic one.
+ */
+export declare function authenticateRequest(credential: CredentialInput, config: RemoteIdentityConfig): Promise<AuthenticateResult>;
+//# sourceMappingURL=authenticate.d.ts.map

package/dist/auth/authenticate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authenticate.d.ts","sourceRoot":"","sources":["../../src/auth/authenticate.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC/E,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAI7E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAKtD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,aAAa,EAAE,aAAa,CAAA;IAC5B,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,GAAG,IAAI,CAAA;CAC7C,CAAA;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,eAAe,EAC3B,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAgB7B"}

package/dist/auth/authenticate.js

@@ -0,0 +1,29 @@
+/**
+ * Authentication orchestrator.
+ *
+ * Verifies an inbound credential, extracts the delegation it carries,
+ * and binds a `BoundClientSessionView` for outbound kernel calls. Delegates
+ * the real work to `verify`, `compose` + `sign` (inside `kernel-client`),
+ * and returns a generic `Authenticated` result plus the bound view.
+ */
+import { IdentityId, selfGrant } from '@astrale-os/kernel-core';
+import { bindKernel } from './kernel-client';
+import { verifyInboundCredential } from './verify';
+/**
+ * Verifies an inbound credential and binds a call-back kernel view. The `sub`
+ * claim on the outbound credential is the function's own identity, taken from
+ * `config.subject` (the function node's path), so the kernel matches an
+ * existing function identity instead of provisioning a generic one.
+ */
+export async function authenticateRequest(credential, config) {
+    const { verified, issuer, attestation, delegation } = await verifyInboundCredential(credential, config);
+    const authenticated = {
+        credential: { raw: credential, verified },
+        grant: selfGrant(IdentityId(verified.sub)),
+        attestation,
+        delegation,
+    };
+    const kernel = await bindKernel(delegation, issuer, config);
+    return { authenticated, kernel };
+}
+//# sourceMappingURL=authenticate.js.map

package/dist/auth/authenticate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authenticate.js","sourceRoot":"","sources":["../../src/auth/authenticate.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAA;AAI/D,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAA;AAOlD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,UAA2B,EAC3B,MAA4B;IAE5B,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,MAAM,uBAAuB,CACjF,UAAU,EACV,MAAM,CACP,CAAA;IAED,MAAM,aAAa,GAAkB;QACnC,UAAU,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,QAAQ,EAAE;QACzC,KAAK,EAAE,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC1C,WAAW;QACX,UAAU;KACX,CAAA;IAED,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,CAAA;IAE3D,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,CAAA;AAClC,CAAC"}

package/dist/auth/check.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Permission-check helpers for `RemoteHandler.authorize` hooks.
+ *
+ * The kernel already enforces `has_perm` independently — these helpers just
+ * give worker authors a one-line ergonomic way to fail-fast in `authorize`
+ * (so the dispatch never even calls `execute`) instead of letting the
+ * downstream `kernel.call` raise a less specific error mid-flight.
+ *
+ * Pattern:
+ *
+ * ```ts
+ * remoteMethod(WorkerSchema, 'Project', 'addMember', {
+ *   remoteUrl: BASE_URL,
+ *   authorize: async ({ self, auth, kernel }) => {
+ *     await assertPerm(kernel, self.path.raw, auth.principal, EDIT)
+ *   },
+ *   execute: async (ctx) => { ... },
+ * })
+ * ```
+ *
+ * Helpers throw `AuthorizationDeniedError` so the dispatch wrapper can
+ * surface them to the client as `PERMISSION_DENIED` cleanly.
+ */
+import type { FnMap } from '@astrale-os/kernel-client';
+import type { BoundClientSessionView } from '@astrale-os/kernel-client/session';
+import type { IdentityId } from '@astrale-os/kernel-core';
+export { ALL, EDIT, READ, SHARE, USE } from '@astrale-os/kernel-core';
+/**
+ * Throws `AuthorizationDeniedError` if `principal` lacks `requiredBits` on
+ * `target`. `requiredBits` is a bitmask — pass `READ | EDIT` to require both.
+ *
+ * Implementation: calls `@<principal>::checkPerm` on the kernel (the
+ * `checkPerm` syscall lives on the Identity, not the target). Cheap; adds
+ * one round-trip to the dispatch path.
+ */
+export declare function assertPerm(kernel: BoundClientSessionView<FnMap> | null, target: string, principal: IdentityId | null | undefined, requiredBits: number): Promise<void>;
+/** Shortcut for "caller has SHARE bit on target" (the closest thing to "owns it"). */
+export declare function requireOwnership(kernel: BoundClientSessionView<FnMap> | null, target: string, principal: IdentityId | null | undefined): Promise<void>;
+//# sourceMappingURL=check.d.ts.map

package/dist/auth/check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/auth/check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC/E,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAMzD,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAA;AAErE;;;;;;;GAOG;AACH,wBAAsB,UAAU,CAC9B,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,GAAG,IAAI,EAC5C,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,UAAU,GAAG,IAAI,GAAG,SAAS,EACxC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,CAAC,CAgBf;AAED,sFAAsF;AACtF,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,GAAG,IAAI,EAC5C,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,UAAU,GAAG,IAAI,GAAG,SAAS,GACvC,OAAO,CAAC,IAAI,CAAC,CAEf"}

package/dist/auth/check.js

@@ -0,0 +1,54 @@
+/**
+ * Permission-check helpers for `RemoteHandler.authorize` hooks.
+ *
+ * The kernel already enforces `has_perm` independently — these helpers just
+ * give worker authors a one-line ergonomic way to fail-fast in `authorize`
+ * (so the dispatch never even calls `execute`) instead of letting the
+ * downstream `kernel.call` raise a less specific error mid-flight.
+ *
+ * Pattern:
+ *
+ * ```ts
+ * remoteMethod(WorkerSchema, 'Project', 'addMember', {
+ *   remoteUrl: BASE_URL,
+ *   authorize: async ({ self, auth, kernel }) => {
+ *     await assertPerm(kernel, self.path.raw, auth.principal, EDIT)
+ *   },
+ *   execute: async (ctx) => { ... },
+ * })
+ * ```
+ *
+ * Helpers throw `AuthorizationDeniedError` so the dispatch wrapper can
+ * surface them to the client as `PERMISSION_DENIED` cleanly.
+ */
+import { SHARE } from '@astrale-os/kernel-core';
+import { AuthorizationDeniedError } from '../dispatch/errors';
+export { ALL, EDIT, READ, SHARE, USE } from '@astrale-os/kernel-core';
+/**
+ * Throws `AuthorizationDeniedError` if `principal` lacks `requiredBits` on
+ * `target`. `requiredBits` is a bitmask — pass `READ | EDIT` to require both.
+ *
+ * Implementation: calls `@<principal>::checkPerm` on the kernel (the
+ * `checkPerm` syscall lives on the Identity, not the target). Cheap; adds
+ * one round-trip to the dispatch path.
+ */
+export async function assertPerm(kernel, target, principal, requiredBits) {
+    if (!kernel) {
+        throw new AuthorizationDeniedError('No kernel client — cannot verify permissions');
+    }
+    if (!principal) {
+        throw new AuthorizationDeniedError('No authenticated principal');
+    }
+    const ok = (await kernel.call(`@${principal}::checkPerm`, {
+        node: target,
+        perms: requiredBits,
+    }));
+    if (!ok) {
+        throw new AuthorizationDeniedError(`Permission denied on "${target}" — required bits=${requiredBits} for principal "${principal}"`);
+    }
+}
+/** Shortcut for "caller has SHARE bit on target" (the closest thing to "owns it"). */
+export async function requireOwnership(kernel, target, principal) {
+    await assertPerm(kernel, target, principal, SHARE);
+}
+//# sourceMappingURL=check.js.map

package/dist/auth/check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check.js","sourceRoot":"","sources":["../../src/auth/check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAMH,OAAO,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAA;AAE/C,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAA;AAE7D,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAA;AAErE;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAA4C,EAC5C,MAAc,EACd,SAAwC,EACxC,YAAoB;IAEpB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,wBAAwB,CAAC,8CAA8C,CAAC,CAAA;IACpF,CAAC;IACD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,wBAAwB,CAAC,4BAA4B,CAAC,CAAA;IAClE,CAAC;IACD,MAAM,EAAE,GAAG,CAAC,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,SAAS,aAAa,EAAE;QACxD,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,YAAY;KACpB,CAAC,CAAY,CAAA;IACd,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,IAAI,wBAAwB,CAChC,yBAAyB,MAAM,qBAAqB,YAAY,mBAAmB,SAAS,GAAG,CAChG,CAAA;IACH,CAAC;AACH,CAAC;AAED,sFAAsF;AACtF,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAA4C,EAC5C,MAAc,EACd,SAAwC;IAExC,MAAM,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,CAAA;AACpD,CAAC"}

package/dist/auth/compose.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Outbound grant expression building.
+ *
+ * Builds a composed grant expression for kernel calls:
+ *   grant = union(credential(delegationJWT), self)
+ *
+ * The kernel resolves this by verifying the delegation JWT (kernel-signed)
+ * to get the caller's scoped identity, and resolving self to the function's
+ * identity. Union means either identity's permissions work.
+ */
+import type { Delegation } from '@astrale-os/kernel-core';
+/**
+ * The composed identity expression: union of the caller's delegated access
+ * (a kernel-signed credential leaf) and the function's own identity (self).
+ *
+ * Used both as the grant on outbound kernel calls AND as the delegation
+ * expression when minting a NEXT-HOP credential — the next worker receives
+ * principal = this function, authority = union(caller's delegated, own).
+ */
+export declare function buildComposedExpr(delegation: Delegation): import("@astrale-os/kernel-core").UnresolvedIdentityExpr;
+/**
+ * Build the grant expression that unions the caller's delegated access
+ * with the function's own identity.
+ *
+ * @param delegation - Delegation extracted from the inbound credential
+ * @returns The unresolved grant object with version and expression
+ */
+export declare function buildComposedGrant(delegation: Delegation): {
+    grant: import("@astrale-os/kernel-core").UnresolvedGrant;
+};
+/**
+ * The SELF-ONLY expression: the function's own identity, nothing delegated.
+ * Used by `selfKernel` sessions (public/webhook handlers acting on their own
+ * authority) — both as the credential grant and as the next-hop delegation.
+ */
+export declare function buildSelfExpr(): import("@astrale-os/kernel-core").UnresolvedIdentityExpr;
+/** Self-only grant for `selfKernel` credentials. */
+export declare function buildSelfGrant(): {
+    grant: import("@astrale-os/kernel-core").UnresolvedGrant;
+};
+//# sourceMappingURL=compose.d.ts.map

package/dist/auth/compose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../../src/auth/compose.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AASzD;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,UAAU,4DAEvD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,UAAU;IAC9C,KAAK;EACf;AAED;;;;GAIG;AACH,wBAAgB,aAAa,6DAE5B;AAED,oDAAoD;AACpD,wBAAgB,cAAc;IACnB,KAAK;EACf"}

package/dist/auth/compose.js

@@ -0,0 +1,45 @@
+/**
+ * Outbound grant expression building.
+ *
+ * Builds a composed grant expression for kernel calls:
+ *   grant = union(credential(delegationJWT), self)
+ *
+ * The kernel resolves this by verifying the delegation JWT (kernel-signed)
+ * to get the caller's scoped identity, and resolving self to the function's
+ * identity. Union means either identity's permissions work.
+ */
+import { createUnresolvedGrant, unresolvedCredential, unresolvedSelf, unresolvedUnion, } from '@astrale-os/kernel-core';
+/**
+ * The composed identity expression: union of the caller's delegated access
+ * (a kernel-signed credential leaf) and the function's own identity (self).
+ *
+ * Used both as the grant on outbound kernel calls AND as the delegation
+ * expression when minting a NEXT-HOP credential — the next worker receives
+ * principal = this function, authority = union(caller's delegated, own).
+ */
+export function buildComposedExpr(delegation) {
+    return unresolvedUnion(unresolvedCredential(delegation.credential), unresolvedSelf());
+}
+/**
+ * Build the grant expression that unions the caller's delegated access
+ * with the function's own identity.
+ *
+ * @param delegation - Delegation extracted from the inbound credential
+ * @returns The unresolved grant object with version and expression
+ */
+export function buildComposedGrant(delegation) {
+    return { grant: createUnresolvedGrant(buildComposedExpr(delegation)) };
+}
+/**
+ * The SELF-ONLY expression: the function's own identity, nothing delegated.
+ * Used by `selfKernel` sessions (public/webhook handlers acting on their own
+ * authority) — both as the credential grant and as the next-hop delegation.
+ */
+export function buildSelfExpr() {
+    return unresolvedSelf();
+}
+/** Self-only grant for `selfKernel` credentials. */
+export function buildSelfGrant() {
+    return { grant: createUnresolvedGrant(buildSelfExpr()) };
+}
+//# sourceMappingURL=compose.js.map

package/dist/auth/compose.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compose.js","sourceRoot":"","sources":["../../src/auth/compose.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,cAAc,EACd,eAAe,GAChB,MAAM,yBAAyB,CAAA;AAEhC;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,UAAsB;IACtD,OAAO,eAAe,CAAC,oBAAoB,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,cAAc,EAAE,CAAC,CAAA;AACvF,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAsB;IACvD,OAAO,EAAE,KAAK,EAAE,qBAAqB,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC,EAAE,CAAA;AACxE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,cAAc,EAAE,CAAA;AACzB,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,cAAc;IAC5B,OAAO,EAAE,KAAK,EAAE,qBAAqB,CAAC,aAAa,EAAE,CAAC,EAAE,CAAA;AAC1D,CAAC"}

package/dist/auth/errors.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Errors thrown by the auth bridge.
+ *
+ * Each implements `KernelErrorClassifiable` so `kernel-api/dispatch` can
+ * convert them into typed `KernelErrorPayload` values automatically.
+ */
+import type { KernelErrorPayload, KernelErrorClassifiable } from '@astrale-os/kernel-api';
+export declare class AuthMissingError extends Error implements KernelErrorClassifiable {
+    constructor();
+    toKernelErrorPayload(): KernelErrorPayload;
+}
+export declare class AuthInvalidError extends Error implements KernelErrorClassifiable {
+    constructor(message: string, cause?: unknown);
+    toKernelErrorPayload(): KernelErrorPayload;
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/auth/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/auth/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAA;AAIzF,qBAAa,gBAAiB,SAAQ,KAAM,YAAW,uBAAuB;IAC5E,cAGC;IAED,oBAAoB,IAAI,kBAAkB,CAEzC;CACF;AAED,qBAAa,gBAAiB,SAAQ,KAAM,YAAW,uBAAuB;IAC5E,YAAY,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAG3C;IAED,oBAAoB,IAAI,kBAAkB,CAEzC;CACF"}

package/dist/auth/errors.js

@@ -0,0 +1,26 @@
+/**
+ * Errors thrown by the auth bridge.
+ *
+ * Each implements `KernelErrorClassifiable` so `kernel-api/dispatch` can
+ * convert them into typed `KernelErrorPayload` values automatically.
+ */
+import { KERNEL_ERROR_CODES } from '@astrale-os/kernel-api';
+export class AuthMissingError extends Error {
+    constructor() {
+        super('Missing credentials');
+        this.name = 'AuthMissingError';
+    }
+    toKernelErrorPayload() {
+        return { code: KERNEL_ERROR_CODES.AUTH_MISSING, message: this.message };
+    }
+}
+export class AuthInvalidError extends Error {
+    constructor(message, cause) {
+        super(message, { cause });
+        this.name = 'AuthInvalidError';
+    }
+    toKernelErrorPayload() {
+        return { code: KERNEL_ERROR_CODES.AUTH_INVALID, message: this.message };
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/auth/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/auth/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAA;AAE3D,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IACzC;QACE,KAAK,CAAC,qBAAqB,CAAC,CAAA;QAC5B,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAA;IAChC,CAAC;IAED,oBAAoB;QAClB,OAAO,EAAE,IAAI,EAAE,kBAAkB,CAAC,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAA;IACzE,CAAC;CACF;AAED,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IACzC,YAAY,OAAe,EAAE,KAAe;QAC1C,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QACzB,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAA;IAChC,CAAC;IAED,oBAAoB;QAClB,OAAO,EAAE,IAAI,EAAE,kBAAkB,CAAC,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAA;IACzE,CAAC;CACF"}

package/dist/auth/identity.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Identity configuration for a remote domain server.
+ *
+ * The issuer must be reachable via JWKS at `<issuer>/.well-known/jwks.json`
+ * (or registered in the kernel's trust store). The private key is used to
+ * sign outbound composed credentials.
+ */
+export type RemoteIdentityConfig = {
+    /** This service's issuer (URL where its JWKS is served, or a registered ID) */
+    issuer: string;
+    /** This service's subject identifier (e.g. "task-service") */
+    subject: string;
+    /** Private key for signing outbound credentials */
+    privateKey: JsonWebKey;
+};
+//# sourceMappingURL=identity.d.ts.map

package/dist/auth/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/auth/identity.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,MAAM,oBAAoB,GAAG;IACjC,+EAA+E;IAC/E,MAAM,EAAE,MAAM,CAAA;IACd,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAA;IACf,mDAAmD;IACnD,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA"}

package/dist/auth/identity.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=identity.js.map

package/dist/auth/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/auth/identity.ts"],"names":[],"mappings":""}

package/dist/auth/index.d.ts

@@ -0,0 +1,12 @@
+export type { RemoteIdentityConfig } from './identity';
+export type { VerifiedInbound } from './verify';
+export type { AuthenticateResult } from './authenticate';
+export { authenticateRequest } from './authenticate';
+export { resolveInboundAuth, buildAuthContext, type ResolvedAuth } from './resolve';
+export { verifyInboundCredential } from './verify';
+export { buildComposedGrant } from './compose';
+export { signCredential } from './sign';
+export { bindKernel } from './kernel-client';
+export { AuthMissingError, AuthInvalidError } from './errors';
+export { assertPerm, requireOwnership, READ, EDIT, USE, SHARE, ALL } from './check';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AACtD,YAAY,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAC/C,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAA;AACxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAA;AACpD,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,KAAK,YAAY,EAAE,MAAM,WAAW,CAAA;AACnF,OAAO,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAA;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAA;AACvC,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAA;AAC7D,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,SAAS,CAAA"}

package/dist/auth/index.js

@@ -0,0 +1,9 @@
+export { authenticateRequest } from './authenticate';
+export { resolveInboundAuth, buildAuthContext } from './resolve';
+export { verifyInboundCredential } from './verify';
+export { buildComposedGrant } from './compose';
+export { signCredential } from './sign';
+export { bindKernel } from './kernel-client';
+export { AuthMissingError, AuthInvalidError } from './errors';
+export { assertPerm, requireOwnership, READ, EDIT, USE, SHARE, ALL } from './check';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAA;AACpD,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAqB,MAAM,WAAW,CAAA;AACnF,OAAO,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAA;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAA;AACvC,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAA;AAC7D,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,SAAS,CAAA"}

package/dist/auth/kernel-client.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Call-back kernel client.
+ *
+ * Every authenticated inbound request produces a `BoundClientSessionView` the
+ * handler uses to call back into the parent kernel. The view is bound to
+ * a composed credential (`union(delegation, self)`) so the kernel
+ * enforces both the caller's scoped identity and the function's own.
+ *
+ * The connection pool and schema registry are cached per kernel URL and reused
+ * across requests. The `ClientSession` itself is per-request: it carries a
+ * delegation mint bound to the calling function's own subject (`config.subject`)
+ * so a remote-bound call (one that redirects to another worker) mints a
+ * worker-scoped credential for the audience the kernel puts on the redirect
+ * (`CallRedirection.iss`) — the worker→worker dance, done reactively instead of
+ * the old proactive `lookupRemoteBinding` resolve-then-dial.
+ */
+import type { Delegation } from '@astrale-os/kernel-core';
+import { type FnMap } from '@astrale-os/kernel-client';
+import { type BoundClientSessionView } from '@astrale-os/kernel-client/session';
+import type { RemoteIdentityConfig } from './identity';
+/**
+ * Build a `BoundClientSessionView` that signs outbound calls as the composed
+ * identity (the caller's delegation unioned with this function's own
+ * identity). Remote-bound calls auto-follow the kernel's redirect and mint a
+ * worker-scoped delegation via `@<subject>::mintDelegationCredential`.
+ */
+export declare function bindKernel(delegation: Delegation, kernelUrl: string, config: RemoteIdentityConfig): Promise<BoundClientSessionView<FnMap>>;
+/**
+ * Build a `BoundClientSessionView` authenticated as the FUNCTION'S OWN
+ * identity — no inbound delegation, authority = the function's own grants
+ * only. The seam behind `selfKernel` for public/webhook handlers: an HMAC- or
+ * signature-verified webhook can act on the graph as itself after verifying
+ * the upstream. Next-hop mints delegate self only.
+ */
+export declare function bindSelfKernel(kernelUrl: string, config: RemoteIdentityConfig): Promise<BoundClientSessionView<FnMap>>;
+/**
+ * Build the `selfKernel` accessor handed to remote-function handlers.
+ * Resolves the kernel URL from the explicit argument or `deps.KERNEL_URL`
+ * (a public request carries no credential, so the parent kernel cannot be
+ * inferred — it must be configured).
+ */
+export declare function makeSelfKernel(identity: RemoteIdentityConfig, deps: unknown): (kernelUrl?: string) => Promise<BoundClientSessionView<FnMap>>;
+//# sourceMappingURL=kernel-client.d.ts.map

package/dist/auth/kernel-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kernel-client.d.ts","sourceRoot":"","sources":["../../src/auth/kernel-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAGzD,OAAO,EAAgC,KAAK,KAAK,EAAE,MAAM,2BAA2B,CAAA;AAEpF,OAAO,EAAiB,KAAK,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAE9F,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAsCtD;;;;;GAKG;AACH,wBAAsB,UAAU,CAC9B,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAIxC;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAExC;AA0DD;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,oBAAoB,EAC9B,IAAI,EAAE,OAAO,GACZ,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAWhE"}

package/dist/auth/kernel-client.js

@@ -0,0 +1,146 @@
+/**
+ * Call-back kernel client.
+ *
+ * Every authenticated inbound request produces a `BoundClientSessionView` the
+ * handler uses to call back into the parent kernel. The view is bound to
+ * a composed credential (`union(delegation, self)`) so the kernel
+ * enforces both the caller's scoped identity and the function's own.
+ *
+ * The connection pool and schema registry are cached per kernel URL and reused
+ * across requests. The `ClientSession` itself is per-request: it carries a
+ * delegation mint bound to the calling function's own subject (`config.subject`)
+ * so a remote-bound call (one that redirects to another worker) mints a
+ * worker-scoped credential for the audience the kernel puts on the redirect
+ * (`CallRedirection.iss`) — the worker→worker dance, done reactively instead of
+ * the old proactive `lookupRemoteBinding` resolve-then-dial.
+ */
+import { KernelClient, SchemaRegistry } from '@astrale-os/kernel-client';
+import { ClientPool } from '@astrale-os/kernel-client/pool';
+import { ClientSession } from '@astrale-os/kernel-client/session';
+import { buildComposedExpr, buildComposedGrant, buildSelfExpr, buildSelfGrant } from './compose';
+import { signCredential } from './sign';
+const DELEGATION_TTL_SECONDS = 3600;
+// The kernel's whoami — returns the AUTHENTICATED principal's graph node, so
+// the resolved id satisfies the mint syscall's `self.id === auth.principal`
+// invariant by construction (same seam the shell uses to resolve self).
+const WHOAMI_PATH = '/:kernel.astrale.ai:interface.Identity:whoami';
+// Shared per kernel URL — the expensive, identity-agnostic state. Sessions are
+// NOT shared (each binds a subject-specific delegation mint), but the pool
+// (connections) and registry (learned schemas) are reused across them.
+const pools = new Map();
+const registries = new Map();
+function getRegistry(url) {
+    let registry = registries.get(url);
+    if (!registry) {
+        registry = new SchemaRegistry();
+        registries.set(url, registry);
+    }
+    return registry;
+}
+function getPool(url) {
+    const cached = pools.get(url);
+    if (cached)
+        return cached;
+    const registry = getRegistry(url);
+    const pool = new ClientPool({
+        clientFactory: (u) => new KernelClient({ url: u, schema: registry }),
+    });
+    pools.set(url, pool);
+    return pool;
+}
+/**
+ * Build a `BoundClientSessionView` that signs outbound calls as the composed
+ * identity (the caller's delegation unioned with this function's own
+ * identity). Remote-bound calls auto-follow the kernel's redirect and mint a
+ * worker-scoped delegation via `@<subject>::mintDelegationCredential`.
+ */
+export async function bindKernel(delegation, kernelUrl, config) {
+    return bindSession(kernelUrl, config, buildComposedGrant(delegation).grant, () => buildComposedExpr(delegation));
+}
+/**
+ * Build a `BoundClientSessionView` authenticated as the FUNCTION'S OWN
+ * identity — no inbound delegation, authority = the function's own grants
+ * only. The seam behind `selfKernel` for public/webhook handlers: an HMAC- or
+ * signature-verified webhook can act on the graph as itself after verifying
+ * the upstream. Next-hop mints delegate self only.
+ */
+export async function bindSelfKernel(kernelUrl, config) {
+    return bindSession(kernelUrl, config, buildSelfGrant().grant, () => buildSelfExpr());
+}
+/**
+ * Shared session construction: sign a credential as this function's identity
+ * carrying `grant`, bind the session to it, and wire the lazy NEXT-HOP mint.
+ */
+async function bindSession(kernelUrl, config, grant, nextHopDelegation) {
+    const credential = await signCredential({ grant }, {
+        issuer: config.issuer,
+        subject: config.subject,
+        audience: kernelUrl,
+        privateKey: config.privateKey,
+    });
+    // Self-reference in the mint closure is lazy — it only fires on a delegation
+    // cache miss while following a redirect, long after construction.
+    const session = new ClientSession({
+        default: kernelUrl,
+        schema: getRegistry(kernelUrl),
+        pool: getPool(kernelUrl),
+        delegation: {
+            // NEXT-HOP mint: each hop mints AS ITSELF. The anchor is this function's
+            // identity NODE id (resolved via whoami — `@` only accepts node ids, not
+            // paths), so `self.id === auth.principal` holds by construction. The
+            // minted delegation carries the session's authority expression (composed
+            // for delegated sessions, self-only for selfKernel): the next worker
+            // sees WHO called it while inheriting exactly that authority.
+            // `skipDelegation` keeps the whoami + mint from re-entering this
+            // closure — both target the kernel (same origin), so no delegation is
+            // needed.
+            mint: async (audience) => {
+                const selfId = await resolveSelfId(session, credential, kernelUrl, config);
+                const envelope = await session.call(`@${selfId}::mintDelegationCredential`, { audience, delegation: nextHopDelegation(), ttl: DELEGATION_TTL_SECONDS }, { credential, skipDelegation: true });
+                if (typeof envelope !== 'string') {
+                    throw new Error(`mintDelegationCredential returned ${typeof envelope}, expected a credential string`);
+                }
+                return { credential: envelope, ttl: DELEGATION_TTL_SECONDS };
+            },
+            ttl: DELEGATION_TTL_SECONDS,
+        },
+    });
+    return session.as(credential);
+}
+/**
+ * Build the `selfKernel` accessor handed to remote-function handlers.
+ * Resolves the kernel URL from the explicit argument or `deps.KERNEL_URL`
+ * (a public request carries no credential, so the parent kernel cannot be
+ * inferred — it must be configured).
+ */
+export function makeSelfKernel(identity, deps) {
+    return async (kernelUrl) => {
+        const url = kernelUrl ?? deps?.KERNEL_URL;
+        if (typeof url !== 'string' || url.length === 0) {
+            throw new Error('selfKernel: no kernel URL — pass one explicitly or set KERNEL_URL in the worker env ' +
+                '(managed deploys set it automatically).');
+        }
+        return bindSelfKernel(url, identity);
+    };
+}
+// Function-identity node ids, cached per (kernel, issuer, subject). Sessions
+// are per-request, but a function's identity node is stable for the worker's
+// lifetime — one whoami per function, not one per redirect.
+const selfIds = new Map();
+/**
+ * Resolve THIS function's identity node id on the parent kernel via whoami,
+ * authenticated with the composed credential (whose principal IS the function).
+ */
+async function resolveSelfId(session, credential, kernelUrl, config) {
+    const key = `${kernelUrl}|${config.issuer}|${config.subject}`;
+    const cached = selfIds.get(key);
+    if (cached)
+        return cached;
+    const me = (await session.call(WHOAMI_PATH, {}, { credential, skipDelegation: true }));
+    if (!me?.id) {
+        throw new Error(`whoami returned no identity node for ${config.subject} — cannot anchor the next-hop delegation mint`);
+    }
+    selfIds.set(key, me.id);
+    return me.id;
+}
+//# sourceMappingURL=kernel-client.js.map

package/dist/auth/kernel-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kernel-client.js","sourceRoot":"","sources":["../../src/auth/kernel-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,EAAE,YAAY,EAAE,cAAc,EAAc,MAAM,2BAA2B,CAAA;AACpF,OAAO,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAA;AAC3D,OAAO,EAAE,aAAa,EAA+B,MAAM,mCAAmC,CAAA;AAI9F,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAChG,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAA;AAEvC,MAAM,sBAAsB,GAAG,IAAI,CAAA;AAEnC,6EAA6E;AAC7E,4EAA4E;AAC5E,wEAAwE;AACxE,MAAM,WAAW,GAAG,+CAA+C,CAAA;AAEnE,+EAA+E;AAC/E,2EAA2E;AAC3E,uEAAuE;AACvE,MAAM,KAAK,GAAG,IAAI,GAAG,EAA6B,CAAA;AAClD,MAAM,UAAU,GAAG,IAAI,GAAG,EAA0B,CAAA;AAEpD,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAA;QAC/B,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IAC/B,CAAC;IACD,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,SAAS,OAAO,CAAC,GAAW;IAC1B,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC7B,IAAI,MAAM;QAAE,OAAO,MAAM,CAAA;IACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,CAAA;IACjC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAQ;QACjC,aAAa,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,YAAY,CAAQ,EAAE,GAAG,EAAE,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;KAC5E,CAAC,CAAA;IACF,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;IACpB,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAAsB,EACtB,SAAiB,EACjB,MAA4B;IAE5B,OAAO,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,kBAAkB,CAAC,UAAU,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,CAC/E,iBAAiB,CAAC,UAAU,CAAC,CAC9B,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,MAA4B;IAE5B,OAAO,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,EAAE,CAAC,CAAA;AACtF,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,WAAW,CACxB,SAAiB,EACjB,MAA4B,EAC5B,KAAc,EACd,iBAA+C;IAE/C,MAAM,UAAU,GAAG,MAAM,cAAc,CACrC,EAAE,KAAK,EAAE,EACT;QACE,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,QAAQ,EAAE,SAAS;QACnB,UAAU,EAAE,MAAM,CAAC,UAAU;KAC9B,CACF,CAAA;IAED,6EAA6E;IAC7E,kEAAkE;IAClE,MAAM,OAAO,GAAyB,IAAI,aAAa,CAAQ;QAC7D,OAAO,EAAE,SAAS;QAClB,MAAM,EAAE,WAAW,CAAC,SAAS,CAAC;QAC9B,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC;QACxB,UAAU,EAAE;YACV,yEAAyE;YACzE,yEAAyE;YACzE,qEAAqE;YACrE,yEAAyE;YACzE,qEAAqE;YACrE,8DAA8D;YAC9D,iEAAiE;YACjE,sEAAsE;YACtE,UAAU;YACV,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;gBACvB,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,CAAC,CAAA;gBAC1E,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CACjC,IAAI,MAAM,4BAA4B,EACtC,EAAE,QAAQ,EAAE,UAAU,EAAE,iBAAiB,EAAE,EAAE,GAAG,EAAE,sBAAsB,EAAE,EAC1E,EAAE,UAAU,EAAE,cAAc,EAAE,IAAI,EAAE,CACrC,CAAA;gBACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACjC,MAAM,IAAI,KAAK,CACb,qCAAqC,OAAO,QAAQ,gCAAgC,CACrF,CAAA;gBACH,CAAC;gBACD,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,EAAE,sBAAsB,EAAE,CAAA;YAC9D,CAAC;YACD,GAAG,EAAE,sBAAsB;SAC5B;KACF,CAAC,CAAA;IACF,OAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;AAC/B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,QAA8B,EAC9B,IAAa;IAEb,OAAO,KAAK,EAAE,SAAkB,EAAE,EAAE;QAClC,MAAM,GAAG,GAAG,SAAS,IAAK,IAAoD,EAAE,UAAU,CAAA;QAC1F,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CACb,sFAAsF;gBACpF,yCAAyC,CAC5C,CAAA;QACH,CAAC;QACD,OAAO,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IACtC,CAAC,CAAA;AACH,CAAC;AAED,6EAA6E;AAC7E,6EAA6E;AAC7E,4DAA4D;AAC5D,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAA;AAEzC;;;GAGG;AACH,KAAK,UAAU,aAAa,CAC1B,OAA6B,EAC7B,UAAkB,EAClB,SAAiB,EACjB,MAA4B;IAE5B,MAAM,GAAG,GAAG,GAAG,SAAS,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAA;IAC7D,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC/B,IAAI,MAAM;QAAE,OAAO,MAAM,CAAA;IACzB,MAAM,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAE7E,CAAA;IACR,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,wCAAwC,MAAM,CAAC,OAAO,+CAA+C,CACtG,CAAA;IACH,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,CAAC,CAAA;IACvB,OAAO,EAAE,CAAC,EAAE,CAAA;AACd,CAAC"}

package/dist/auth/resolve.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Shared inbound-credential resolution.
+ *
+ * Consumed by both `SdkDispatcher` (kernel envelope) and `mountAuxiliaryRoutes`
+ * (View / RemoteFunction routes). Centralises the auth-policy three-way
+ * (`'required'` / `'optional'` / `'public'`) and the wrap of underlying
+ * verification errors into canonical `AuthMissingError` / `AuthInvalidError`.
+ */
+import type { AuthPolicy } from '@astrale-os/kernel-api/routed';
+import type { AuthContext, Authenticated, CredentialInput } from '@astrale-os/kernel-core';
+import type { AuthenticateResult } from './authenticate';
+import type { RemoteIdentityConfig } from './identity';
+export type ResolvedAuth = {
+    auth: AuthContext | null;
+    kernel: AuthenticateResult['kernel'];
+};
+export declare function resolveInboundAuth(credential: CredentialInput, policy: AuthPolicy | undefined, identity: RemoteIdentityConfig): Promise<ResolvedAuth>;
+export declare function buildAuthContext(authenticated: Authenticated): AuthContext;
+//# sourceMappingURL=resolve.d.ts.map

package/dist/auth/resolve.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve.d.ts","sourceRoot":"","sources":["../../src/auth/resolve.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,KAAK,EACV,WAAW,EACX,aAAa,EACb,eAAe,EAEhB,MAAM,yBAAyB,CAAA;AAIhC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAA;AACxD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAKtD,MAAM,MAAM,YAAY,GAAG;IACzB,IAAI,EAAE,WAAW,GAAG,IAAI,CAAA;IACxB,MAAM,EAAE,kBAAkB,CAAC,QAAQ,CAAC,CAAA;CACrC,CAAA;AAED,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,eAAe,EAC3B,MAAM,EAAE,UAAU,GAAG,SAAS,EAC9B,QAAQ,EAAE,oBAAoB,GAC7B,OAAO,CAAC,YAAY,CAAC,CAkBvB;AAED,wBAAgB,gBAAgB,CAAC,aAAa,EAAE,aAAa,GAAG,WAAW,CAQ1E"}