@astrale-os/sdk 0.1.1 → 0.1.3

package/dist/auth/resolve.js

@@ -0,0 +1,43 @@
+/**
+ * Shared inbound-credential resolution.
+ *
+ * Consumed by both `SdkDispatcher` (kernel envelope) and `mountAuxiliaryRoutes`
+ * (View / RemoteFunction routes). Centralises the auth-policy three-way
+ * (`'required'` / `'optional'` / `'public'`) and the wrap of underlying
+ * verification errors into canonical `AuthMissingError` / `AuthInvalidError`.
+ */
+import { isKernelErrorClassifiable } from '@astrale-os/kernel-api';
+import { authenticateRequest } from './authenticate';
+import { AuthInvalidError, AuthMissingError } from './errors';
+export async function resolveInboundAuth(credential, policy, identity) {
+    const effective = policy ?? 'required';
+    if (effective === 'public')
+        return { auth: null, kernel: null };
+    if (effective === 'optional' && !credential)
+        return { auth: null, kernel: null };
+    if (effective === 'required' && !credential)
+        throw new AuthMissingError();
+    try {
+        const result = await authenticateRequest(credential, identity);
+        return { auth: buildAuthContext(result.authenticated), kernel: result.kernel };
+    }
+    catch (err) {
+        // kernel-core auth errors (UntrustedIssuerError, TrustPolicyDeniedError, …)
+        // already self-classify with a discriminating `data.type`. Rethrow them
+        // unchanged so that classification survives to the wire; only wrap
+        // genuinely unclassified errors into the generic AuthInvalidError.
+        if (isKernelErrorClassifiable(err))
+            throw err;
+        throw new AuthInvalidError(err instanceof Error ? err.message : 'Authentication failed', err);
+    }
+}
+export function buildAuthContext(authenticated) {
+    return {
+        credential: authenticated.credential,
+        principal: authenticated.credential.verified.sub,
+        grant: authenticated.grant,
+        attestation: authenticated.attestation,
+        delegation: authenticated.delegation,
+    };
+}
+//# sourceMappingURL=resolve.js.map

package/dist/auth/resolve.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve.js","sourceRoot":"","sources":["../../src/auth/resolve.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAUH,OAAO,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAA;AAKlE,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAA;AACpD,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAA;AAO7D,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,UAA2B,EAC3B,MAA8B,EAC9B,QAA8B;IAE9B,MAAM,SAAS,GAAG,MAAM,IAAI,UAAU,CAAA;IAEtC,IAAI,SAAS,KAAK,QAAQ;QAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAA;IAC/D,IAAI,SAAS,KAAK,UAAU,IAAI,CAAC,UAAU;QAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAA;IAChF,IAAI,SAAS,KAAK,UAAU,IAAI,CAAC,UAAU;QAAE,MAAM,IAAI,gBAAgB,EAAE,CAAA;IAEzE,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;QAC9D,OAAO,EAAE,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAA;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,4EAA4E;QAC5E,wEAAwE;QACxE,mEAAmE;QACnE,mEAAmE;QACnE,IAAI,yBAAyB,CAAC,GAAG,CAAC;YAAE,MAAM,GAAG,CAAA;QAC7C,MAAM,IAAI,gBAAgB,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAA;IAC/F,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,aAA4B;IAC3D,OAAO;QACL,UAAU,EAAE,aAAa,CAAC,UAAU;QACpC,SAAS,EAAE,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAA4B;QACzE,KAAK,EAAE,aAAa,CAAC,KAAM;QAC3B,WAAW,EAAE,aAAa,CAAC,WAAW;QACtC,UAAU,EAAE,aAAa,CAAC,UAAU;KACrC,CAAA;AACH,CAAC"}

package/dist/auth/sign.d.ts

@@ -0,0 +1,15 @@
+/**
+ * JWT signing utilities for outbound composed credentials.
+ */
+/**
+ * Sign a credential JWT with the given claims and identity config.
+ */
+export declare function signCredential(claims: Record<string, unknown>, config: {
+    issuer: string;
+    subject: string;
+    audience: string;
+    privateKey: JsonWebKey;
+    /** JWT lifetime as a jose-compatible string (e.g. '60s', '5m', '1h'). Default: '60s'. */
+    ttl?: string;
+}): Promise<string>;
+//# sourceMappingURL=sign.d.ts.map

package/dist/auth/sign.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../src/auth/sign.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH;;GAEG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,MAAM,EAAE;IACN,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,EAAE,UAAU,CAAA;IACtB,yFAAyF;IACzF,GAAG,CAAC,EAAE,MAAM,CAAA;CACb,GACA,OAAO,CAAC,MAAM,CAAC,CAejB"}

package/dist/auth/sign.js

@@ -0,0 +1,24 @@
+/**
+ * JWT signing utilities for outbound composed credentials.
+ */
+import { deriveAllowedAlgorithms } from '@astrale-os/kernel-core';
+import { SignJWT, importJWK } from 'jose';
+/**
+ * Sign a credential JWT with the given claims and identity config.
+ */
+export async function signCredential(claims, config) {
+    const alg = deriveAllowedAlgorithms(config.privateKey)[0];
+    if (!alg) {
+        throw new Error(`Cannot derive algorithm from JWK: kty=${config.privateKey.kty}`);
+    }
+    const key = await importJWK(config.privateKey, alg);
+    return new SignJWT(claims)
+        .setProtectedHeader({ alg })
+        .setIssuer(config.issuer)
+        .setSubject(config.subject)
+        .setAudience(config.audience)
+        .setIssuedAt()
+        .setExpirationTime(config.ttl ?? '60s')
+        .sign(key);
+}
+//# sourceMappingURL=sign.js.map

package/dist/auth/sign.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign.js","sourceRoot":"","sources":["../../src/auth/sign.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAA;AACjE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AAEzC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAA+B,EAC/B,MAOC;IAED,MAAM,GAAG,GAAG,uBAAuB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAA;IACzD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,yCAAyC,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,CAAA;IACnF,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,GAAG,CAAC,CAAA;IAEnD,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC;SACvB,kBAAkB,CAAC,EAAE,GAAG,EAAE,CAAC;SAC3B,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC;SACxB,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC;SAC1B,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC;SAC5B,WAAW,EAAE;SACb,iBAAiB,CAAC,MAAM,CAAC,GAAG,IAAI,KAAK,CAAC;SACtC,IAAI,CAAC,GAAG,CAAC,CAAA;AACd,CAAC"}

package/dist/auth/verify.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Inbound credential verification.
+ *
+ * Uses kernel-core's credential verification infrastructure
+ * (CredentialMethodResolver, MethodRegistry) instead of manual JWT handling.
+ * Not tied to JWT — supports any credential method kernel-core provides.
+ */
+import type { Attestation, CredentialInput, Delegation, VerifiedCredential } from '@astrale-os/kernel-core';
+import type { RemoteIdentityConfig } from './identity';
+export type VerifiedInbound = {
+    /** The full verified credential (iss, sub, aud, claims) */
+    verified: VerifiedCredential;
+    /** Issuer URL (from credential's iss claim) */
+    issuer: string;
+    /** Attestation — proves caller can invoke this function */
+    attestation: Attestation;
+    /** Delegation — scoped caller permissions as kernel-signed credential */
+    delegation: Delegation;
+};
+/**
+ * Verify an inbound delegation credential using kernel-core's verification.
+ *
+ * @throws AuthenticationError subclasses from kernel-core on verification failure
+ */
+export declare function verifyInboundCredential(credential: CredentialInput, config: RemoteIdentityConfig): Promise<VerifiedInbound>;
+//# sourceMappingURL=verify.d.ts.map

package/dist/auth/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/auth/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,eAAe,EACf,UAAU,EAEV,kBAAkB,EACnB,MAAM,yBAAyB,CAAA;AAUhC,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAKtD,MAAM,MAAM,eAAe,GAAG;IAC5B,2DAA2D;IAC3D,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,2DAA2D;IAC3D,WAAW,EAAE,WAAW,CAAA;IACxB,yEAAyE;IACzE,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AA4DD;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,UAAU,EAAE,eAAe,EAC3B,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,eAAe,CAAC,CA+B1B"}

package/dist/auth/verify.js

@@ -0,0 +1,96 @@
+/**
+ * Inbound credential verification.
+ *
+ * Uses kernel-core's credential verification infrastructure
+ * (CredentialMethodResolver, MethodRegistry) instead of manual JWT handling.
+ * Not tied to JWT — supports any credential method kernel-core provides.
+ */
+import { CredentialMethodResolver, MethodRegistry, verifyAudience, verifyCredential, } from '@astrale-os/kernel-core';
+import { createLocalJWKSet, createRemoteJWKSet } from 'jose';
+import { derivePublicJwk } from '../server/jwks';
+import { canonicalizeServingUrl } from '../server/serving-url';
+const methodResolver = new CredentialMethodResolver(new MethodRegistry());
+/**
+ * Build the key resolver for one verifying server. Captures `config` so it can
+ * short-circuit the server's OWN issuer (`config.issuer`): a self-issued
+ * credential is verified against the in-memory public key, never fetched — a
+ * Worker can't fetch its own hostname, and it already holds the key. Every other
+ * issuer is resolved live via JWKS (`createRemoteJWKSet`).
+ */
+function makeResolveKeys(config) {
+    // The worker's own canonical iss. STRICT: `config.issuer` is the serving URL
+    // by contract (both producers — buildIdentityMap / buildAuxIdentityMap — feed
+    // it `canonicalizeServingUrl(config.url)`), so a value that doesn't parse is
+    // a construction-time config error. Swallowing it would silently disable
+    // self-verification and route self-issued credentials to a JWKS fetch on the
+    // worker's own hostname — which Cloudflare forbids — turning a config bug
+    // into an opaque per-call failure.
+    const selfIssuer = canonicalizeServingUrl(config.issuer);
+    // TODO(cache): Re-add JWKS caching with a short TTL or kid-miss retry.
+    // A prior implementation cached `createRemoteJWKSet` per issuer URL
+    // indefinitely. jose's internal cache (30s cooldown, 10min max-age) caused
+    // stale keys when the issuer restarted — the resolver served old keys and
+    // jose refused to refetch within the cooldown window. On CF Workers the
+    // module-level Map persisted across requests, making it worse. For now we
+    // create a fresh resolver per call (jose deduplicates concurrent fetches).
+    return async (issuer, _method, _kid) => {
+        const url = issuer;
+        // Self-issued credential (iss == this worker's own serving URL): resolve
+        // from the in-memory public key. Never fetch self — Cloudflare forbids a
+        // Worker fetching its own hostname, and the published JWKS is this key.
+        if (selfIssuer !== undefined) {
+            let canonical;
+            try {
+                canonical = canonicalizeServingUrl(url);
+            }
+            catch {
+                canonical = undefined;
+            }
+            if (canonical === selfIssuer) {
+                return createLocalJWKSet({ keys: [derivePublicJwk(config.privateKey)] });
+            }
+        }
+        // M-28 fix: a bare-slug iss (`mails.localhost`) makes
+        // `new URL('mails.localhost/.well-known/jwks.json')` throw "Invalid
+        // URL string". The dispatcher's identity map normalizes the iss it
+        // signs with, but inbound creds from older clients may still carry
+        // the slug form. Coerce to a URL with a default `https://` scheme
+        // (matches kernel.astrale.ai canonical form). If the actual receiver
+        // is on http://localhost the receiver-side resolver still works
+        // because both endpoints are on localhost — but for prod targets
+        // requiring TLS this is the right default.
+        const normalized = /^https?:\/\//.test(url) ? url : `https://${url}`;
+        return createRemoteJWKSet(new URL(`${normalized}/.well-known/jwks.json`));
+    };
+}
+/**
+ * Verify an inbound delegation credential using kernel-core's verification.
+ *
+ * @throws AuthenticationError subclasses from kernel-core on verification failure
+ */
+export async function verifyInboundCredential(credential, config) {
+    // Verify using kernel-core's credential verification pipeline
+    const verified = await verifyCredential({
+        methodResolver,
+        resolveKeys: makeResolveKeys(config),
+    }, credential);
+    // Validate audience matches this function's issuer (its serving URL).
+    // kernel-core's verifyAudience compares canonically.
+    verifyAudience(verified, config.issuer);
+    // Extract attestation and delegation from claims
+    const attestation = verified.claims.attestation;
+    if (!attestation?.expr) {
+        throw new Error('Credential missing attestation');
+    }
+    const delegation = verified.claims.delegation;
+    if (!delegation?.credential) {
+        throw new Error('Credential missing delegation');
+    }
+    return {
+        verified,
+        issuer: verified.iss,
+        attestation,
+        delegation,
+    };
+}
+//# sourceMappingURL=verify.js.map

package/dist/auth/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/auth/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAUH,OAAO,EACL,wBAAwB,EACxB,cAAc,EACd,cAAc,EACd,gBAAgB,GACjB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAY,MAAM,MAAM,CAAA;AAItE,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAChD,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAA;AAa9D,MAAM,cAAc,GAAG,IAAI,wBAAwB,CAAC,IAAI,cAAc,EAAE,CAAC,CAAA;AAEzE;;;;;;GAMG;AACH,SAAS,eAAe,CAAC,MAA4B;IACnD,6EAA6E;IAC7E,8EAA8E;IAC9E,6EAA6E;IAC7E,yEAAyE;IACzE,6EAA6E;IAC7E,0EAA0E;IAC1E,mCAAmC;IACnC,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAExD,uEAAuE;IACvE,oEAAoE;IACpE,2EAA2E;IAC3E,0EAA0E;IAC1E,wEAAwE;IACxE,0EAA0E;IAC1E,2EAA2E;IAC3E,OAAO,KAAK,EAAE,MAAgB,EAAE,OAAe,EAAE,IAAa,EAAE,EAAE;QAChE,MAAM,GAAG,GAAG,MAAgB,CAAA;QAE5B,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,SAA6B,CAAA;YACjC,IAAI,CAAC;gBACH,SAAS,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAA;YACzC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,GAAG,SAAS,CAAA;YACvB,CAAC;YACD,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;gBAC7B,OAAO,iBAAiB,CAAC,EAAE,IAAI,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,UAAU,CAAQ,CAAC,EAAE,CAAC,CAAA;YACjF,CAAC;QACH,CAAC;QAED,sDAAsD;QACtD,oEAAoE;QACpE,mEAAmE;QACnE,mEAAmE;QACnE,kEAAkE;QAClE,qEAAqE;QACrE,gEAAgE;QAChE,iEAAiE;QACjE,2CAA2C;QAC3C,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,GAAG,EAAE,CAAA;QACpE,OAAO,kBAAkB,CAAC,IAAI,GAAG,CAAC,GAAG,UAAU,wBAAwB,CAAC,CAAC,CAAA;IAC3E,CAAC,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,UAA2B,EAC3B,MAA4B;IAE5B,8DAA8D;IAC9D,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CACrC;QACE,cAAc;QACd,WAAW,EAAE,eAAe,CAAC,MAAM,CAAC;KACrC,EACD,UAAU,CACX,CAAA;IAED,sEAAsE;IACtE,qDAAqD;IACrD,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAkB,CAAC,CAAA;IAEnD,iDAAiD;IACjD,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,WAAsC,CAAA;IAC1E,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAoC,CAAA;IACvE,IAAI,CAAC,UAAU,EAAE,UAAU,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAA;IAClD,CAAC;IAED,OAAO;QACL,QAAQ;QACR,MAAM,EAAE,QAAQ,CAAC,GAAa;QAC9B,WAAW;QACX,UAAU;KACX,CAAA;AACH,CAAC"}

package/dist/define/index.d.ts

@@ -0,0 +1,5 @@
+export { defineView } from './view';
+export type { ViewDef, ViewRenderContext } from './view';
+export { defineRemoteFunction } from './remote-function';
+export type { AnyRemoteFunctionDef, RemoteFunctionContext, RemoteFunctionDef, } from './remote-function';
+//# sourceMappingURL=index.d.ts.map

package/dist/define/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/define/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AACnC,YAAY,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAA;AAExD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AACxD,YAAY,EACV,oBAAoB,EACpB,qBAAqB,EACrB,iBAAiB,GAClB,MAAM,mBAAmB,CAAA"}

package/dist/define/index.js

@@ -0,0 +1,3 @@
+export { defineView } from './view';
+export { defineRemoteFunction } from './remote-function';
+//# sourceMappingURL=index.js.map

package/dist/define/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/define/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAGnC,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA"}

package/dist/define/remote-function.d.ts

@@ -0,0 +1,96 @@
+/**
+ * Authoring a standalone remote function — a callable not bound to a class.
+ * (The verb keeps the `defineRemoteFunction` name; the node it materializes is
+ * the canonical kernel `Function` class, the former distribution `RemoteFunction`.)
+ *
+ * Each entry in `defineRemoteDomain({ remoteFunctions: { ... } })` becomes:
+ *   - a graph node at `/${origin}/core/<functionsFolder>/<slug>`, materialized
+ *     as the kernel `Function` class by `buildCorePath` so kernel discovery /
+ *     `View.resolve` can list it. The `core/` anchor appears in the GRAPH path only.
+ *   - a Hono route on the worker at the path implied by `binding`
+ *     (`/<functionsFolder>/<slug>` POST by default — no `core/` in the URL).
+ *
+ * The slug = the map key (single source of truth, no duplication).
+ *
+ * `ref` is auto-derived as `function.<slug>` if omitted — used as
+ * `Function.ref` on the graph node and as the dispatch key.
+ */
+import type { AuthPolicy, FunctionBinding } from '@astrale-os/kernel-api/routed';
+import type { FnMap } from '@astrale-os/kernel-client';
+import type { BoundClientSessionView } from '@astrale-os/kernel-client/session';
+import type { AuthContext } from '@astrale-os/kernel-core';
+import type { Context } from 'hono';
+import type { z } from 'zod';
+import type { CallRemoteFn } from '../dispatch/call-remote';
+export type RemoteFunctionContext<TParams, TDeps = unknown> = {
+    /** Validated params (Zod-checked against `inputSchema`). */
+    params: TParams;
+    /** Hono request context — escape hatch for headers, raw body, etc. */
+    c: Context;
+    /** Resolved auth context. `null` when `auth: 'public'` or absent. */
+    auth: AuthContext | null;
+    /** Typed dependency container injected at server startup. */
+    deps: TDeps;
+    /**
+     * `BoundClientSessionView` to the parent kernel, bound to the composed
+     * credential `union(delegation, self)` — same shape as `RemoteContext.kernel`
+     * for `remoteMethod`. `null` when `auth: 'public'`, or `auth: 'optional'`
+     * with no inbound credential.
+     */
+    kernel: BoundClientSessionView<FnMap> | null;
+    /**
+     * Call another worker's remote method, re-minting the credential for the
+     * target's audience. Same contract as {@link RemoteContext.callRemote}: throws
+     * on a public/unauthenticated request; needs `USE` on
+     * `Identity.mintDelegationCredential` + the target method's grants.
+     */
+    callRemote: CallRemoteFn;
+    /**
+     * Acquire a kernel session authenticated as THIS FUNCTION'S OWN identity —
+     * authority = the function's own grants only, no caller delegation. The
+     * webhook seam: when an `auth: 'public'` upstream can't carry an Astrale
+     * token (HMAC-signature webhooks, Stripe-style), VERIFY THE UPSTREAM'S
+     * SIGNATURE FIRST, then act on the graph as yourself. `kernelUrl` defaults
+     * to `deps.KERNEL_URL` (set automatically on managed deploys); pass it
+     * explicitly for other targets.
+     */
+    selfKernel: (kernelUrl?: string) => Promise<BoundClientSessionView<FnMap>>;
+};
+export type RemoteFunctionDef<TParams = unknown, TResult = unknown, TDeps = unknown> = {
+    /**
+     * Canonical callable identity. Auto-derived as `function.<slug>` (where
+     * `<slug>` is the map key) when omitted. Stored as `Function.ref` on the
+     * graph node and used by the kernel dispatcher to route the call.
+     */
+    ref?: string;
+    /** Zod schema for the call's parameters. */
+    inputSchema: z.ZodType<TParams>;
+    /** Zod schema for the call's result. */
+    outputSchema: z.ZodType<TResult>;
+    /**
+     * Override the binding (URL + route shape). When absent, SDK defaults to
+     * `{ remoteUrl: ${url}/<functionsFolder>/<slug> }`. The HTTP verb (POST
+     * for functions) is applied by the worker route mounter at mount time — it is
+     * NOT stored on the binding, so the materialized `Function.binding` carries
+     * `remoteUrl` only.
+     *
+     * Use this to bind to a custom host or REST-style path. Host + path
+     * placeholders both supported.
+     */
+    binding?: FunctionBinding;
+    /** Authentication policy. Defaults to `'required'`. */
+    auth?: AuthPolicy;
+    /** Optional pre-execute authorization. Throw to deny. */
+    authorize?: (ctx: RemoteFunctionContext<TParams, TDeps>) => void | Promise<void>;
+    /** The function body. May be async. */
+    execute: (ctx: RemoteFunctionContext<TParams, TDeps>) => TResult | Promise<TResult>;
+    /** Optional human-readable description. */
+    description?: string;
+};
+export type AnyRemoteFunctionDef = RemoteFunctionDef<any, any, any>;
+/**
+ * Identity helper for authoring a RemoteFunction. Returns its argument
+ * unchanged — `defineRemoteDomain` consumes the typed shape.
+ */
+export declare function defineRemoteFunction<TParams, TResult, TDeps = unknown>(def: RemoteFunctionDef<TParams, TResult, TDeps>): RemoteFunctionDef<TParams, TResult, TDeps>;
+//# sourceMappingURL=remote-function.d.ts.map

package/dist/define/remote-function.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"remote-function.d.ts","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAChF,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC/E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AACnC,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAE5B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAE3D,MAAM,MAAM,qBAAqB,CAAC,OAAO,EAAE,KAAK,GAAG,OAAO,IAAI;IAC5D,4DAA4D;IAC5D,MAAM,EAAE,OAAO,CAAA;IACf,sEAAsE;IACtE,CAAC,EAAE,OAAO,CAAA;IACV,qEAAqE;IACrE,IAAI,EAAE,WAAW,GAAG,IAAI,CAAA;IACxB,6DAA6D;IAC7D,IAAI,EAAE,KAAK,CAAA;IACX;;;;;OAKG;IACH,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,GAAG,IAAI,CAAA;IAC5C;;;;;OAKG;IACH,UAAU,EAAE,YAAY,CAAA;IACxB;;;;;;;;OAQG;IACH,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAAA;CAC3E,CAAA;AAED,MAAM,MAAM,iBAAiB,CAAC,OAAO,GAAG,OAAO,EAAE,OAAO,GAAG,OAAO,EAAE,KAAK,GAAG,OAAO,IAAI;IACrF;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,4CAA4C;IAC5C,WAAW,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC/B,wCAAwC;IACxC,YAAY,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAChC;;;;;;;;;OASG;IACH,OAAO,CAAC,EAAE,eAAe,CAAA;IACzB,uDAAuD;IACvD,IAAI,CAAC,EAAE,UAAU,CAAA;IACjB,yDAAyD;IACzD,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAChF,uCAAuC;IACvC,OAAO,EAAE,CAAC,GAAG,EAAE,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IACnF,2CAA2C;IAC3C,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB,CAAA;AAGD,MAAM,MAAM,oBAAoB,GAAG,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;AAEnE;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,GAAG,OAAO,EACpE,GAAG,EAAE,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,GAC9C,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAE5C"}

package/dist/define/remote-function.js

@@ -0,0 +1,25 @@
+/**
+ * Authoring a standalone remote function — a callable not bound to a class.
+ * (The verb keeps the `defineRemoteFunction` name; the node it materializes is
+ * the canonical kernel `Function` class, the former distribution `RemoteFunction`.)
+ *
+ * Each entry in `defineRemoteDomain({ remoteFunctions: { ... } })` becomes:
+ *   - a graph node at `/${origin}/core/<functionsFolder>/<slug>`, materialized
+ *     as the kernel `Function` class by `buildCorePath` so kernel discovery /
+ *     `View.resolve` can list it. The `core/` anchor appears in the GRAPH path only.
+ *   - a Hono route on the worker at the path implied by `binding`
+ *     (`/<functionsFolder>/<slug>` POST by default — no `core/` in the URL).
+ *
+ * The slug = the map key (single source of truth, no duplication).
+ *
+ * `ref` is auto-derived as `function.<slug>` if omitted — used as
+ * `Function.ref` on the graph node and as the dispatch key.
+ */
+/**
+ * Identity helper for authoring a RemoteFunction. Returns its argument
+ * unchanged — `defineRemoteDomain` consumes the typed shape.
+ */
+export function defineRemoteFunction(def) {
+    return def;
+}
+//# sourceMappingURL=remote-function.js.map

package/dist/define/remote-function.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"remote-function.js","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAiFH;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAA+C;IAE/C,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/define/view.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Authoring a `View` — iframe-mountable callable served by the domain worker.
+ *
+ * Each entry in `defineRemoteDomain({ views: { ... } })` becomes both:
+ *   - a graph node at `/${origin}/core/<viewsFolder>/<slug>` (auto-materialized
+ *     by the SDK; the `core/` segment is the universal anchor injected by
+ *     `buildCorePath`. `<slug>` is the map key, so it lives in exactly one place)
+ *   - a Hono route on the worker at the path implied by `binding`
+ *     (`/<viewsFolder>/<slug>` by default — note: no `core/` in the URL).
+ *
+ * The `core/` segment appears in the GRAPH path only; the URL path that
+ * lands in `Function.binding.remoteUrl` is `${url}/<viewsFolder>/<slug>`.
+ *
+ * The author can override the URL via `binding` — host and/or path
+ * placeholders are supported (the kernel's `route` mechanism does the
+ * substitution + Hono matching, same as for methods). When `render` is
+ * omitted, no worker route is mounted — useful for Views whose iframe
+ * lives at an external host.
+ */
+import type { AuthPolicy, FunctionBinding } from '@astrale-os/kernel-api/routed';
+import type { AuthContext } from '@astrale-os/kernel-core';
+import type { EdgeEndpoint } from '@astrale-os/kernel-dsl';
+import type { Context } from 'hono';
+export type ViewRenderContext<TDeps = unknown> = {
+    /** Hono request context — read params, headers, query, etc. */
+    c: Context;
+    /**
+     * Placeholders extracted from the request URL (host + path placeholders
+     * declared in `binding.remoteUrl` / `binding.route.path`). Empty when
+     * the binding has no placeholders.
+     */
+    params: Record<string, string>;
+    /** Resolved auth context. `null` when `auth: 'public'` or absent. */
+    auth: AuthContext | null;
+    /** Typed dependency container injected at server startup. */
+    deps: TDeps;
+};
+export type ViewDef<TDeps = unknown> = {
+    /**
+     * Override the binding (URL + route shape). When absent, SDK defaults to
+     * `{ remoteUrl: ${url}/<viewsFolder>/<slug> }`. The HTTP verb (GET for
+     * views) is applied by the worker route mounter at mount time — it is NOT
+     * stored on the binding.
+     *
+     * Use this to bind to a custom host (e.g. `https://{tenant}.example.com`)
+     * or REST-style path. Host + path placeholders both supported.
+     */
+    binding?: FunctionBinding;
+    /**
+     * Worker-relative path the View's iframe is served from (e.g. `'/ui/note'`),
+     * for Views backed by the client SPA instead of a `render`. The spec producer
+     * resolves it against the serving url (`binding.remoteUrl = ${url}${mount}`)
+     * at materialize time — so the dev never hardcodes a URL. Mutually exclusive
+     * with `render`; takes precedence over `binding`.
+     */
+    mount?: string;
+    /** Authentication policy. Defaults to `'required'`. */
+    auth?: AuthPolicy;
+    /**
+     * Optional pre-render authorization. Runs after auth resolution; throw to
+     * deny. SDK wraps as 403.
+     */
+    authorize?: (ctx: ViewRenderContext<TDeps>) => void | Promise<void>;
+    /**
+     * Render the iframe response. May return a redirect, a proxy, or inline
+     * HTML. When omitted, no worker route is mounted — the binding URL
+     * points elsewhere (CDN, external service).
+     */
+    render?: (ctx: ViewRenderContext<TDeps>) => Response | Promise<Response>;
+    /**
+     * Optional target(s) the View attaches to via `view_for` edge(s). Typically
+     * `selfOf(SomeClass)` to bind to a class meta-node, or a `CorePath`
+     * pointing at a specific instance. Pass an array to attach the same View
+     * to multiple targets (one `view_for` edge is materialized per entry).
+     */
+    viewFor?: EdgeEndpoint | EdgeEndpoint[];
+    /** Optional human-readable description. */
+    description?: string;
+};
+/**
+ * Identity helper for authoring a View. Returns its argument unchanged —
+ * `defineRemoteDomain` consumes the typed shape and the author retains
+ * full type inference on `render` / `authorize`.
+ */
+export declare function defineView<TDeps = unknown>(def: ViewDef<TDeps>): ViewDef<TDeps>;
+//# sourceMappingURL=view.d.ts.map

package/dist/define/view.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"view.d.ts","sourceRoot":"","sources":["../../src/define/view.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAChF,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAA;AAC1D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAEnC,MAAM,MAAM,iBAAiB,CAAC,KAAK,GAAG,OAAO,IAAI;IAC/C,+DAA+D;IAC/D,CAAC,EAAE,OAAO,CAAA;IACV;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC9B,qEAAqE;IACrE,IAAI,EAAE,WAAW,GAAG,IAAI,CAAA;IACxB,6DAA6D;IAC7D,IAAI,EAAE,KAAK,CAAA;CACZ,CAAA;AAED,MAAM,MAAM,OAAO,CAAC,KAAK,GAAG,OAAO,IAAI;IACrC;;;;;;;;OAQG;IACH,OAAO,CAAC,EAAE,eAAe,CAAA;IACzB;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,uDAAuD;IACvD,IAAI,CAAC,EAAE,UAAU,CAAA;IACjB;;;OAGG;IACH,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,CAAC,KAAK,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACnE;;;;OAIG;IACH,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,CAAC,KAAK,CAAC,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IACxE;;;;;OAKG;IACH,OAAO,CAAC,EAAE,YAAY,GAAG,YAAY,EAAE,CAAA;IACvC,2CAA2C;IAC3C,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB,CAAA;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,KAAK,GAAG,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAE/E"}

package/dist/define/view.js

@@ -0,0 +1,28 @@
+/**
+ * Authoring a `View` — iframe-mountable callable served by the domain worker.
+ *
+ * Each entry in `defineRemoteDomain({ views: { ... } })` becomes both:
+ *   - a graph node at `/${origin}/core/<viewsFolder>/<slug>` (auto-materialized
+ *     by the SDK; the `core/` segment is the universal anchor injected by
+ *     `buildCorePath`. `<slug>` is the map key, so it lives in exactly one place)
+ *   - a Hono route on the worker at the path implied by `binding`
+ *     (`/<viewsFolder>/<slug>` by default — note: no `core/` in the URL).
+ *
+ * The `core/` segment appears in the GRAPH path only; the URL path that
+ * lands in `Function.binding.remoteUrl` is `${url}/<viewsFolder>/<slug>`.
+ *
+ * The author can override the URL via `binding` — host and/or path
+ * placeholders are supported (the kernel's `route` mechanism does the
+ * substitution + Hono matching, same as for methods). When `render` is
+ * omitted, no worker route is mounted — useful for Views whose iframe
+ * lives at an external host.
+ */
+/**
+ * Identity helper for authoring a View. Returns its argument unchanged —
+ * `defineRemoteDomain` consumes the typed shape and the author retains
+ * full type inference on `render` / `authorize`.
+ */
+export function defineView(def) {
+    return def;
+}
+//# sourceMappingURL=view.js.map

package/dist/define/view.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"view.js","sourceRoot":"","sources":["../../src/define/view.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAiEH;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAkB,GAAmB;IAC7D,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/deploy/check.d.ts

@@ -0,0 +1,30 @@
+import type { Meta } from './meta';
+export type DeployCheckOptions = {
+    /** Deployed worker URL (e.g. `https://dist.astrale.ai`). */
+    url: string;
+    /**
+     * Expected `meta.schemaHash` — the hash of the locally-built `spec.json`
+     * (via `hashSpecFile`). REQUIRED to verify schema drift: when the worker
+     * advertises a `schemaHash` but this is absent, the check fails loudly rather
+     * than silently "passing" an unverified deploy. Per-domain deploy scripts
+     * compute it (`hashSpecFile('./spec.json')`) and pass it.
+     */
+    expectedSchemaHash?: string;
+    /**
+     * Path to the SDK repo used to read `sdkCommit`. If omitted and
+     * `workspaceRoot` is provided, defaults to `<workspaceRoot>/sdk`.
+     */
+    sdkRepoPath?: string;
+    /** Astrale workspace root — enables auto-resolution of `sdkRepoPath` (`<root>/sdk`). */
+    workspaceRoot?: string;
+    /** Sink for progress output. Defaults to `console.log`. */
+    log?: (line: string) => void;
+};
+/**
+ * Validate a deployed worker against local state by fetching `/meta` and
+ * verifying sdkCommit / schemaHash / JWKS reachability.
+ *
+ * Throws on any mismatch. Returns `Meta` on success.
+ */
+export declare function deployCheck(opts: DeployCheckOptions): Promise<Meta>;
+//# sourceMappingURL=check.d.ts.map

package/dist/deploy/check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/deploy/check.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAA;AAIlC,MAAM,MAAM,kBAAkB,GAAG;IAC/B,4DAA4D;IAC5D,GAAG,EAAE,MAAM,CAAA;IACX;;;;;;OAMG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,2DAA2D;IAC3D,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAA;CAC7B,CAAA;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAkBzE"}

package/dist/deploy/check.js

@@ -0,0 +1,82 @@
+import { spawnSync } from 'node:child_process';
+import { join } from 'node:path';
+import { MetaSchema } from './meta';
+/**
+ * Validate a deployed worker against local state by fetching `/meta` and
+ * verifying sdkCommit / schemaHash / JWKS reachability.
+ *
+ * Throws on any mismatch. Returns `Meta` on success.
+ */
+export async function deployCheck(opts) {
+    // oxlint-disable-next-line no-console
+    const log = opts.log ?? ((line) => console.log(line));
+    const base = opts.url.replace(/\/+$/, '');
+    log(`# deploy:check ${base}`);
+    const meta = await fetchMeta(base);
+    log(`  meta: ${JSON.stringify(meta)}`);
+    // `meta.iss` is required + non-empty by `MetaSchema`, enforced in `fetchMeta`.
+    await Promise.all([
+        checkSdkCommit(meta, opts, log),
+        checkSchemaHash(meta, opts, log),
+        checkJwks(meta.iss, log),
+    ]);
+    return meta;
+}
+async function fetchMeta(base) {
+    const res = await fetch(`${base}/meta`);
+    if (!res.ok)
+        throw new Error(`GET ${base}/meta → ${res.status}`);
+    return MetaSchema.parse(await res.json());
+}
+async function checkSdkCommit(meta, opts, log) {
+    if (!meta.sdkCommit) {
+        log('  ! meta.sdkCommit absent — skipping sdkCommit check');
+        return;
+    }
+    const sdkRepo = opts.sdkRepoPath ?? (opts.workspaceRoot ? join(opts.workspaceRoot, 'sdk') : undefined);
+    if (!sdkRepo) {
+        log(`  ! no sdkRepoPath / workspaceRoot — skipping sdkCommit check`);
+        return;
+    }
+    const localSha = gitHead(sdkRepo);
+    if (!localSha) {
+        log(`  ! could not read git HEAD from ${sdkRepo} — skipping sdkCommit check`);
+        return;
+    }
+    if (!localSha.startsWith(meta.sdkCommit) && !meta.sdkCommit.startsWith(localSha)) {
+        throw new Error(`sdkCommit mismatch: deployed=${meta.sdkCommit} local=${localSha} (${sdkRepo})`);
+    }
+    log(`  ✓ sdkCommit ${meta.sdkCommit} matches local HEAD`);
+}
+async function checkSchemaHash(meta, opts, log) {
+    if (!meta.schemaHash)
+        return;
+    // Fail loud: the worker advertises a schemaHash, so a missing expected value
+    // means we CANNOT verify drift — never silently "pass" an unverified deploy.
+    if (!opts.expectedSchemaHash) {
+        throw new Error(`worker advertises schemaHash=${meta.schemaHash} but no expectedSchemaHash was provided — ` +
+            `cannot verify schema drift (pass expectedSchemaHash, e.g. hashSpecFile('./spec.json'))`);
+    }
+    if (meta.schemaHash !== opts.expectedSchemaHash) {
+        throw new Error(`schemaHash mismatch: deployed=${meta.schemaHash} local=${opts.expectedSchemaHash}`);
+    }
+    log(`  ✓ schemaHash ${meta.schemaHash} matches local`);
+}
+async function checkJwks(iss, log) {
+    const jwksUrl = `${iss.replace(/\/+$/, '')}/.well-known/jwks.json`;
+    const res = await fetch(jwksUrl);
+    if (!res.ok)
+        throw new Error(`GET ${jwksUrl} → ${res.status}`);
+    const body = (await res.json());
+    const keys = body.keys ?? [];
+    if (keys.length === 0)
+        throw new Error(`${jwksUrl} returned no keys`);
+    log(`  ✓ JWKS resolves (${keys.length} key${keys.length === 1 ? '' : 's'})`);
+}
+function gitHead(repoPath) {
+    const r = spawnSync('git', ['-C', repoPath, 'rev-parse', 'HEAD'], { encoding: 'utf-8' });
+    if (r.status !== 0)
+        return null;
+    return r.stdout.trim();
+}
+//# sourceMappingURL=check.js.map

package/dist/deploy/check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check.js","sourceRoot":"","sources":["../../src/deploy/check.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAIhC,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAwBnC;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAwB;IACxD,sCAAsC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;IAC7D,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IAEzC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAA;IAE7B,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAA;IAClC,GAAG,CAAC,WAAW,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IACtC,+EAA+E;IAE/E,MAAM,OAAO,CAAC,GAAG,CAAC;QAChB,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC;QAC/B,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;KACzB,CAAC,CAAA;IAEF,OAAO,IAAI,CAAA;AACb,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,IAAY;IACnC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,OAAO,CAAC,CAAA;IACvC,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,OAAO,IAAI,WAAW,GAAG,CAAC,MAAM,EAAE,CAAC,CAAA;IAChE,OAAO,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAA;AAC3C,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,IAAU,EACV,IAAwB,EACxB,GAA2B;IAE3B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;QACpB,GAAG,CAAC,sDAAsD,CAAC,CAAA;QAC3D,OAAM;IACR,CAAC;IACD,MAAM,OAAO,GACX,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;IACxF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,GAAG,CAAC,+DAA+D,CAAC,CAAA;QACpE,OAAM;IACR,CAAC;IACD,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IACjC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,GAAG,CAAC,oCAAoC,OAAO,6BAA6B,CAAC,CAAA;QAC7E,OAAM;IACR,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjF,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,CAAC,SAAS,UAAU,QAAQ,KAAK,OAAO,GAAG,CAAC,CAAA;IAClG,CAAC;IACD,GAAG,CAAC,iBAAiB,IAAI,CAAC,SAAS,qBAAqB,CAAC,CAAA;AAC3D,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,IAAU,EACV,IAAwB,EACxB,GAA2B;IAE3B,IAAI,CAAC,IAAI,CAAC,UAAU;QAAE,OAAM;IAC5B,6EAA6E;IAC7E,6EAA6E;IAC7E,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,gCAAgC,IAAI,CAAC,UAAU,4CAA4C;YACzF,wFAAwF,CAC3F,CAAA;IACH,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACb,iCAAiC,IAAI,CAAC,UAAU,UAAU,IAAI,CAAC,kBAAkB,EAAE,CACpF,CAAA;IACH,CAAC;IACD,GAAG,CAAC,kBAAkB,IAAI,CAAC,UAAU,gBAAgB,CAAC,CAAA;AACxD,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,GAA2B;IAC/D,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,wBAAwB,CAAA;IAClE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAA;IAChC,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,OAAO,OAAO,MAAM,GAAG,CAAC,MAAM,EAAE,CAAC,CAAA;IAC9D,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuC,CAAA;IACrE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,EAAE,CAAA;IAC5B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,mBAAmB,CAAC,CAAA;IACrE,GAAG,CAAC,sBAAsB,IAAI,CAAC,MAAM,OAAO,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAA;AAC9E,CAAC;AAED,SAAS,OAAO,CAAC,QAAgB;IAC/B,MAAM,CAAC,GAAG,SAAS,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAA;IACxF,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAC/B,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAA;AACxB,CAAC"}