@astrale-os/sdk 0.1.1 → 0.1.3

package/dist/deploy/hash-spec.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Hash a `spec.json` file deterministically. Only the schema payload
+ * (`nodes` + `edges`) is hashed — the `meta` block carries `builtAt`
+ * timestamps that would poison drift detection.
+ *
+ * Returns `sha256:<hex>`.
+ */
+export declare function hashSpecFile(path: string): string;
+//# sourceMappingURL=hash-spec.d.ts.map

package/dist/deploy/hash-spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash-spec.d.ts","sourceRoot":"","sources":["../../src/deploy/hash-spec.ts"],"names":[],"mappings":"AAKA;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAKjD"}

package/dist/deploy/hash-spec.js

@@ -0,0 +1,29 @@
+import { createHash } from 'node:crypto';
+import { readFileSync } from 'node:fs';
+const HASH_ALGORITHM = 'sha256';
+/**
+ * Hash a `spec.json` file deterministically. Only the schema payload
+ * (`nodes` + `edges`) is hashed — the `meta` block carries `builtAt`
+ * timestamps that would poison drift detection.
+ *
+ * Returns `sha256:<hex>`.
+ */
+export function hashSpecFile(path) {
+    const raw = readFileSync(path, 'utf-8');
+    const parsed = JSON.parse(raw);
+    const canonical = canonicalJson({ nodes: parsed.nodes ?? [], edges: parsed.edges ?? [] });
+    return `${HASH_ALGORITHM}:${createHash(HASH_ALGORITHM).update(canonical).digest('hex')}`;
+}
+function canonicalJson(value) {
+    if (value === null || typeof value !== 'object')
+        return JSON.stringify(value);
+    if (Array.isArray(value))
+        return '[' + value.map(canonicalJson).join(',') + ']';
+    const keys = Object.keys(value).sort();
+    return ('{' +
+        keys
+            .map((k) => JSON.stringify(k) + ':' + canonicalJson(value[k]))
+            .join(',') +
+        '}');
+}
+//# sourceMappingURL=hash-spec.js.map

package/dist/deploy/hash-spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash-spec.js","sourceRoot":"","sources":["../../src/deploy/hash-spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAEtC,MAAM,cAAc,GAAG,QAAQ,CAAA;AAE/B;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;IACvC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAyC,CAAA;IACtE,MAAM,SAAS,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC,CAAA;IACzF,OAAO,GAAG,cAAc,IAAI,UAAU,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAA;AAC1F,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;IAC7E,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;IAC/E,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAgC,CAAC,CAAC,IAAI,EAAE,CAAA;IACjE,OAAO,CACL,GAAG;QACH,IAAI;aACD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,aAAa,CAAE,KAAiC,CAAC,CAAC,CAAC,CAAC,CAAC;aAC1F,IAAI,CAAC,GAAG,CAAC;QACZ,GAAG,CACJ,CAAA;AACH,CAAC"}

package/dist/deploy/index.d.ts

@@ -0,0 +1,4 @@
+export { MetaSchema, type Meta } from './meta';
+export { hashSpecFile } from './hash-spec';
+export { deployCheck, type DeployCheckOptions } from './check';
+//# sourceMappingURL=index.d.ts.map

package/dist/deploy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/deploy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,MAAM,QAAQ,CAAA;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,WAAW,EAAE,KAAK,kBAAkB,EAAE,MAAM,SAAS,CAAA"}

package/dist/deploy/index.js

@@ -0,0 +1,4 @@
+export { MetaSchema } from './meta';
+export { hashSpecFile } from './hash-spec';
+export { deployCheck } from './check';
+//# sourceMappingURL=index.js.map

package/dist/deploy/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/deploy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAa,MAAM,QAAQ,CAAA;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,WAAW,EAA2B,MAAM,SAAS,CAAA"}

package/dist/deploy/meta.d.ts

@@ -0,0 +1,18 @@
+/**
+ * `/meta` payload — the contract between `createRemoteServer` (producer)
+ * and `deployCheck` (verifier). Both sides parse through `MetaSchema`, so
+ * a new field added here flows to both paths and drift is caught at the
+ * boundary rather than silently skipped.
+ *
+ * Scope: **domain workers only**. Kernels rely on OIDC discovery
+ * (`/.well-known/openid-configuration`) + JWKS — they have no `/meta`.
+ */
+import { z } from 'zod';
+export declare const MetaSchema: z.ZodObject<{
+    iss: z.ZodString;
+    sdkCommit: z.ZodOptional<z.ZodString>;
+    schemaHash: z.ZodOptional<z.ZodString>;
+    domainName: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type Meta = z.infer<typeof MetaSchema>;
+//# sourceMappingURL=meta.d.ts.map

package/dist/deploy/meta.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"meta.d.ts","sourceRoot":"","sources":["../../src/deploy/meta.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,UAAU;;;;;iBAUrB,CAAA;AAEF,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA"}

package/dist/deploy/meta.js

@@ -0,0 +1,22 @@
+/**
+ * `/meta` payload — the contract between `createRemoteServer` (producer)
+ * and `deployCheck` (verifier). Both sides parse through `MetaSchema`, so
+ * a new field added here flows to both paths and drift is caught at the
+ * boundary rather than silently skipped.
+ *
+ * Scope: **domain workers only**. Kernels rely on OIDC discovery
+ * (`/.well-known/openid-configuration`) + JWKS — they have no `/meta`.
+ */
+import { z } from 'zod';
+export const MetaSchema = z.object({
+    /** Base URL where JWKS is published. Always stamped by `createRemoteServer`
+     *  and required by `deployCheck` to verify JWKS reachability. */
+    iss: z.string().min(1),
+    /** Short git SHA of the SDK used to build the worker. */
+    sdkCommit: z.string().optional(),
+    /** Deterministic hash of the compiled spec (`sha256:<hex>`). */
+    schemaHash: z.string().optional(),
+    /** Local directory name under `kernel/domains/<...>/` — used to auto-resolve the local spec. */
+    domainName: z.string().optional(),
+});
+//# sourceMappingURL=meta.js.map

package/dist/deploy/meta.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"meta.js","sourceRoot":"","sources":["../../src/deploy/meta.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC;qEACiE;IACjE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,yDAAyD;IACzD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,gEAAgE;IAChE,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,gGAAgG;IAChG,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAClC,CAAC,CAAA"}

package/dist/dispatch/authorize.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Shared `authorize`-hook runner.
+ *
+ * Both the method dispatcher (`dispatcher.ts`) and the worker-side aux routes
+ * (`server/auxiliary-routes.ts`) let an author deny a call by throwing from an
+ * `authorize` hook. They MUST agree on the wire semantics: an already-typed
+ * `AuthorizationDeniedError` passes through unchanged (so callers can attach
+ * hints), and any other thrown error is wrapped into `AuthorizationDeniedError`
+ * (→ `PERMISSION_DENIED` / HTTP 403). Centralised here so the two call sites
+ * cannot drift — previously the aux routes awaited `authorize` directly, so a
+ * plain `Error` thrown to deny leaked out as a 500 instead of a 403.
+ */
+export declare function runAuthorize<C>(hook: (ctx: C) => void | Promise<void>, ctx: C): Promise<void>;
+//# sourceMappingURL=authorize.d.ts.map

package/dist/dispatch/authorize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/dispatch/authorize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,wBAAsB,YAAY,CAAC,CAAC,EAClC,IAAI,EAAE,CAAC,GAAG,EAAE,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,EACtC,GAAG,EAAE,CAAC,GACL,OAAO,CAAC,IAAI,CAAC,CAUf"}

package/dist/dispatch/authorize.js

@@ -0,0 +1,24 @@
+/**
+ * Shared `authorize`-hook runner.
+ *
+ * Both the method dispatcher (`dispatcher.ts`) and the worker-side aux routes
+ * (`server/auxiliary-routes.ts`) let an author deny a call by throwing from an
+ * `authorize` hook. They MUST agree on the wire semantics: an already-typed
+ * `AuthorizationDeniedError` passes through unchanged (so callers can attach
+ * hints), and any other thrown error is wrapped into `AuthorizationDeniedError`
+ * (→ `PERMISSION_DENIED` / HTTP 403). Centralised here so the two call sites
+ * cannot drift — previously the aux routes awaited `authorize` directly, so a
+ * plain `Error` thrown to deny leaked out as a 500 instead of a 403.
+ */
+import { AuthorizationDeniedError } from './errors';
+export async function runAuthorize(hook, ctx) {
+    try {
+        await hook(ctx);
+    }
+    catch (err) {
+        if (err instanceof AuthorizationDeniedError)
+            throw err;
+        throw new AuthorizationDeniedError(err instanceof Error ? err.message : 'Authorization denied', err);
+    }
+}
+//# sourceMappingURL=authorize.js.map

package/dist/dispatch/authorize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/dispatch/authorize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAA;AAEnD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAsC,EACtC,GAAM;IAEN,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,GAAG,CAAC,CAAA;IACjB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,wBAAwB;YAAE,MAAM,GAAG,CAAA;QACtD,MAAM,IAAI,wBAAwB,CAChC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,sBAAsB,EAC3D,GAAG,CACJ,CAAA;IACH,CAAC;AACH,CAAC"}

package/dist/dispatch/call-remote.d.ts

@@ -0,0 +1,35 @@
+/**
+ * `ctx.callRemote` — call ANOTHER worker's remote method from a handler.
+ *
+ * A worker's `kernel.call('/dom/class.X/method', …)` signs `aud = <kernel>`,
+ * which is correct for a **kernel syscall** (it runs in the kernel) but is
+ * rejected by a **remote method** (a Function with `binding.remoteUrl`, i.e.
+ * another worker) — the target worker verifies `aud` against its own identity
+ * and throws `Credential audience mismatch` at authentication.
+ *
+ * `callRemote` is now a thin wrapper over the bound kernel session: the kernel
+ * resolves a remote-bound path to a redirect carrying the worker's URL and its
+ * `iss`, and the session (configured in `bindKernel`) follows it reactively —
+ * minting a kernel-signed delegation envelope scoped to that `iss` via the
+ * caller's own `@<subject>::mintDelegationCredential`, then dialing the worker.
+ * Instance-method `self` is injected by the kernel resolver into the redirect,
+ * so a bare `kernel.call(path, params)` is all that's needed here.
+ *
+ * Prerequisite (authorization, unchanged): the calling Function's identity must
+ * hold `USE` on `Identity.mintDelegationCredential` AND the target method's own
+ * grants — the session only fixes the audience (authentication), not grants.
+ */
+import type { ClientSessionCallOptions } from '@astrale-os/kernel-client/session';
+/** Minimal kernel-call surface callRemote needs (the bound view satisfies it). */
+type KernelCaller = {
+    call: (method: string, params: unknown, opts?: ClientSessionCallOptions) => Promise<unknown>;
+};
+export type CallRemoteFn = (path: string, params?: Record<string, unknown>) => Promise<unknown>;
+/**
+ * Build the `callRemote` helper for one handler invocation. `kernel` is the
+ * handler's bound kernel view (or `null` for a public/unauthenticated request,
+ * where `callRemote` cannot mint and throws on use).
+ */
+export declare function makeCallRemote(kernel: KernelCaller | null): CallRemoteFn;
+export {};
+//# sourceMappingURL=call-remote.d.ts.map

package/dist/dispatch/call-remote.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"call-remote.d.ts","sourceRoot":"","sources":["../../src/dispatch/call-remote.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,mCAAmC,CAAA;AAEjF,kFAAkF;AAClF,KAAK,YAAY,GAAG;IAClB,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,wBAAwB,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;CAC7F,CAAA;AAED,MAAM,MAAM,YAAY,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;AAE/F;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,GAAG,YAAY,CAWxE"}

package/dist/dispatch/call-remote.js

@@ -0,0 +1,37 @@
+/**
+ * `ctx.callRemote` — call ANOTHER worker's remote method from a handler.
+ *
+ * A worker's `kernel.call('/dom/class.X/method', …)` signs `aud = <kernel>`,
+ * which is correct for a **kernel syscall** (it runs in the kernel) but is
+ * rejected by a **remote method** (a Function with `binding.remoteUrl`, i.e.
+ * another worker) — the target worker verifies `aud` against its own identity
+ * and throws `Credential audience mismatch` at authentication.
+ *
+ * `callRemote` is now a thin wrapper over the bound kernel session: the kernel
+ * resolves a remote-bound path to a redirect carrying the worker's URL and its
+ * `iss`, and the session (configured in `bindKernel`) follows it reactively —
+ * minting a kernel-signed delegation envelope scoped to that `iss` via the
+ * caller's own `@<subject>::mintDelegationCredential`, then dialing the worker.
+ * Instance-method `self` is injected by the kernel resolver into the redirect,
+ * so a bare `kernel.call(path, params)` is all that's needed here.
+ *
+ * Prerequisite (authorization, unchanged): the calling Function's identity must
+ * hold `USE` on `Identity.mintDelegationCredential` AND the target method's own
+ * grants — the session only fixes the audience (authentication), not grants.
+ */
+/**
+ * Build the `callRemote` helper for one handler invocation. `kernel` is the
+ * handler's bound kernel view (or `null` for a public/unauthenticated request,
+ * where `callRemote` cannot mint and throws on use).
+ */
+export function makeCallRemote(kernel) {
+    return async (path, params = {}) => {
+        if (!kernel) {
+            throw new Error('callRemote requires an authenticated request — no kernel credential (public method?)');
+        }
+        // The bound session auto-follows the kernel's redirect and mints for the
+        // worker's `iss`; a remote-bound path therefore just works as a kernel.call.
+        return kernel.call(path, params);
+    };
+}
+//# sourceMappingURL=call-remote.js.map

package/dist/dispatch/call-remote.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"call-remote.js","sourceRoot":"","sources":["../../src/dispatch/call-remote.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAWH;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,MAA2B;IACxD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,GAAG,EAAE,EAAE,EAAE;QACjC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAA;QACH,CAAC;QACD,yEAAyE;QACzE,6EAA6E;QAC7E,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;IAClC,CAAC,CAAA;AACH,CAAC"}

package/dist/dispatch/dispatcher.d.ts

@@ -0,0 +1,60 @@
+/**
+ * `SdkDispatcher` — implements `KernelAPI` by running the SDK's pipeline.
+ *
+ * Built once at server startup from the domain's `CompiledDomain` plus a typed
+ * deps container and a private JWK. Per-method identity configs are
+ * pre-resolved into a Map so dispatch is O(1) per call.
+ *
+ * Pipeline per call:
+ *   resolve method → authenticate → validate → resolve self → execute
+ */
+import type { AuthedKernelAPI, DispatchResult, KernelAPI } from '@astrale-os/kernel-api';
+import type { CredentialInput, Path } from '@astrale-os/kernel-core';
+import type { CompiledDomain } from '@astrale-os/kernel-core/domain';
+import type { MethodIndex } from './resolve';
+export type SdkDispatcherConfig<TDeps> = {
+    /** The compiled domain — source of the method layout and origin-addressed subs. */
+    compiled: CompiledDomain;
+    /** Pre-built method map: ref → BoundMethod. */
+    methods: MethodIndex;
+    /** Dependency container injected into every handler. */
+    deps: TDeps;
+    /** Private key for signing outbound per-function credentials. */
+    privateKey: JsonWebKey;
+    /**
+     * The worker's identity (`iss`) for outbound per-function credentials — its
+     * serving URL (e.g. `https://crm.test.com`), DECOUPLED from the domain's
+     * addressing `origin`. Matches the `iss` the kernel pins on each node at
+     * install (the URL it fetched the domain at).
+     */
+    issuer: string;
+    /** The worker's serving URL (`config.url`) — exposed to handlers as `ctx.url`. */
+    url: string;
+};
+export declare class SdkDispatcher<TDeps = unknown> implements KernelAPI {
+    private readonly methods;
+    private readonly deps;
+    private readonly identities;
+    private readonly issuer;
+    private readonly url;
+    private readonly privateKey;
+    constructor(config: SdkDispatcherConfig<TDeps>);
+    call(path: Path | string, credential: CredentialInput, params: unknown, opts?: {
+        self?: string;
+    }): Promise<unknown>;
+    stream(path: Path | string, credential: CredentialInput, params: unknown, opts?: {
+        self?: string;
+    }): Promise<AsyncGenerator<unknown>>;
+    /**
+     * SDK dispatch never redirects — the SDK server IS the remote destination.
+     * Every call resolves locally; we just classify the return as value or stream
+     * and hand it back to the kernel-api orchestrator.
+     */
+    dispatch(path: Path | string, credential: CredentialInput, params: unknown, opts?: {
+        self?: string;
+    }): Promise<DispatchResult>;
+    as(credential: CredentialInput): AuthedKernelAPI;
+    private run;
+    private identityFor;
+}
+//# sourceMappingURL=dispatcher.d.ts.map

package/dist/dispatch/dispatcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dispatcher.d.ts","sourceRoot":"","sources":["../../src/dispatch/dispatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAA;AAExF,OAAO,KAAK,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,yBAAyB,CAAA;AACpE,OAAO,KAAK,EAAe,cAAc,EAAE,MAAM,gCAAgC,CAAA;AAIjF,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAY5C,MAAM,MAAM,mBAAmB,CAAC,KAAK,IAAI;IACvC,mFAAmF;IACnF,QAAQ,EAAE,cAAc,CAAA;IACxB,+CAA+C;IAC/C,OAAO,EAAE,WAAW,CAAA;IACpB,wDAAwD;IACxD,IAAI,EAAE,KAAK,CAAA;IACX,iEAAiE;IACjE,UAAU,EAAE,UAAU,CAAA;IACtB;;;;;OAKG;IACH,MAAM,EAAE,MAAM,CAAA;IACd,kFAAkF;IAClF,GAAG,EAAE,MAAM,CAAA;CACZ,CAAA;AAED,qBAAa,aAAa,CAAC,KAAK,GAAG,OAAO,CAAE,YAAW,SAAS;IAC9D,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAa;IACrC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAO;IAC5B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA0D;IACrF,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAQ;IAC/B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAQ;IAC5B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAY;IAEvC,YAAY,MAAM,EAAE,mBAAmB,CAAC,KAAK,CAAC,EAY7C;IAEK,IAAI,CACR,IAAI,EAAE,IAAI,GAAG,MAAM,EACnB,UAAU,EAAE,eAAe,EAC3B,MAAM,EAAE,OAAO,EACf,IAAI,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GACvB,OAAO,CAAC,OAAO,CAAC,CAElB;IAEK,MAAM,CACV,IAAI,EAAE,IAAI,GAAG,MAAM,EACnB,UAAU,EAAE,eAAe,EAC3B,MAAM,EAAE,OAAO,EACf,IAAI,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GACvB,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAMlC;IAED;;;;OAIG;IACG,QAAQ,CACZ,IAAI,EAAE,IAAI,GAAG,MAAM,EACnB,UAAU,EAAE,eAAe,EAC3B,MAAM,EAAE,OAAO,EACf,IAAI,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GACvB,OAAO,CAAC,cAAc,CAAC,CAKzB;IAED,EAAE,CAAC,UAAU,EAAE,eAAe,GAAG,eAAe,CAK/C;YAEa,GAAG;IA0EjB,OAAO,CAAC,WAAW;CAapB"}

package/dist/dispatch/dispatcher.js

@@ -0,0 +1,177 @@
+/**
+ * `SdkDispatcher` — implements `KernelAPI` by running the SDK's pipeline.
+ *
+ * Built once at server startup from the domain's `CompiledDomain` plus a typed
+ * deps container and a private JWK. Per-method identity configs are
+ * pre-resolved into a Map so dispatch is O(1) per call.
+ *
+ * Pipeline per call:
+ *   resolve method → authenticate → validate → resolve self → execute
+ */
+import { resolveInboundAuth } from '../auth/resolve';
+import { runAuthorize } from './authorize';
+import { makeCallRemote } from './call-remote';
+import { MethodNotFoundError, SdkResultValidationError, SdkValidationError } from './errors';
+import { executeHandler } from './execute';
+import { buildIdentityMap } from './identity';
+import { resolveMethod } from './resolve';
+import { resolveSelf } from './self';
+import { validateParams, validateResult } from './validate';
+export class SdkDispatcher {
+    methods;
+    deps;
+    identities;
+    issuer;
+    url;
+    privateKey;
+    constructor(config) {
+        this.methods = config.methods;
+        this.deps = config.deps;
+        this.issuer = config.issuer;
+        this.url = config.url;
+        this.privateKey = config.privateKey;
+        const methodList = Array.from(new Set(config.methods.values()));
+        const identityMethods = methodList.filter((bound) => methodAuthPolicy(bound) !== 'public');
+        this.identities =
+            identityMethods.length > 0
+                ? buildIdentityMap(config.compiled, identityMethods, config.privateKey, config.issuer)
+                : new Map();
+    }
+    async call(path, credential, params, opts) {
+        return this.run(path, credential, params, opts?.self);
+    }
+    async stream(path, credential, params, opts) {
+        const result = await this.run(path, credential, params, opts?.self);
+        if (!isAsyncGenerator(result)) {
+            throw new Error(`Method "${pathToString(path)}" did not return an async generator`);
+        }
+        return result;
+    }
+    /**
+     * SDK dispatch never redirects — the SDK server IS the remote destination.
+     * Every call resolves locally; we just classify the return as value or stream
+     * and hand it back to the kernel-api orchestrator.
+     */
+    async dispatch(path, credential, params, opts) {
+        const result = await this.run(path, credential, params, opts?.self);
+        return isAsyncGenerator(result)
+            ? { kind: 'stream', generator: result }
+            : { kind: 'value', value: result };
+    }
+    as(credential) {
+        return {
+            call: (path, params) => this.call(path, credential, params),
+            stream: (path, params) => this.stream(path, credential, params),
+        };
+    }
+    async run(path, credential, params, selfRef) {
+        const bound = resolveMethod(this.methods, path);
+        if (!bound)
+            throw new MethodNotFoundError(pathToString(path));
+        const authPolicy = bound.handler.auth ?? 'required';
+        const fnIdentity = this.identityFor(bound);
+        const { auth, kernel } = await resolveInboundAuth(credential, authPolicy, fnIdentity);
+        if (typeof params !== 'object' || params === null || Array.isArray(params)) {
+            throw new SdkValidationError([{ path: [], message: 'Params must be a plain object' }]);
+        }
+        const validation = validateParams(bound.inputSchema, params);
+        if (!validation.ok) {
+            throw new SdkValidationError(validation.issues);
+        }
+        // `undefined` (not `null`) for static methods — matches the `self` type on
+        // `RemoteContext` / `MethodImpl`, which is `undefined` for static methods.
+        let resolvedSelf;
+        if (!bound.isStatic) {
+            if (selfRef === undefined || selfRef === null || selfRef === '') {
+                throw new SdkValidationError([{ path: ['self'], message: 'Required for non-static method' }], `"${bound.owner}.${bound.method}" is an instance method — it needs a target node. ` +
+                    `Either call it via instance dispatch (e.g. "@<nodeId>::${bound.method}" ` +
+                    `or "/path/to/node::${bound.method}"), or pass "self" in dispatch opts ` +
+                    `(e.g. { self: "@<nodeId>" }).`);
+            }
+            try {
+                resolvedSelf = resolveSelf(String(selfRef));
+            }
+            catch (err) {
+                // A malformed caller-supplied `self` is bad client input, not a server
+                // fault — surface it as VALIDATION_ERROR (422), matching the sibling
+                // missing-self branch above, instead of INTERNAL_ERROR (500).
+                throw new SdkValidationError([
+                    {
+                        path: ['self'],
+                        message: err instanceof Error ? err.message : 'Failed to resolve self',
+                    },
+                ], `Invalid "self" target "${selfRef}": ${err instanceof Error ? err.message : 'unparseable path'}`);
+            }
+        }
+        const handler = bound.handler;
+        const handlerParams = validation.data;
+        const callRemote = makeCallRemote(kernel);
+        const ctx = {
+            params: handlerParams,
+            auth,
+            self: resolvedSelf,
+            deps: this.deps,
+            url: this.url,
+            kernel,
+            callRemote,
+        };
+        if (handler.authorize)
+            await runAuthorize(handler.authorize, ctx);
+        const result = await executeHandler({ handler, ref: bound.ref, ...ctx });
+        return validateOutput(bound, result);
+    }
+    identityFor(bound) {
+        const identity = this.identities.get(bound);
+        if (!identity) {
+            if (methodAuthPolicy(bound) === 'public') {
+                return { issuer: this.issuer, subject: bound.ref, privateKey: this.privateKey };
+            }
+            throw new Error(`SdkDispatcher: no identity config for "${bound.owner}.${bound.method}" — ` +
+                `method is registered in the index but missing from the identity map.`);
+        }
+        return identity;
+    }
+}
+function methodAuthPolicy(bound) {
+    return bound.handler.auth ?? 'required';
+}
+function pathToString(path) {
+    return typeof path === 'string' ? path : path.raw;
+}
+/**
+ * Validate a handler's output against `bound.outputSchema`, mirroring the
+ * kernel's dispatcher (`runtime/.../dispatcher.ts` + `events.ts`):
+ *   - `binary` outputs skip validation (no schema applies).
+ *   - async-generator outputs (`output: 'stream'`) are wrapped so each chunk
+ *     is validated as it is yielded.
+ *   - all other (`value`) outputs are validated once and returned parsed.
+ * Returns the synchronous shape (value or generator) so the caller's
+ * `dispatch()` can classify it without awaiting a stream to completion.
+ */
+function validateOutput(bound, result) {
+    if (bound.output === 'binary')
+        return result;
+    if (isAsyncGenerator(result))
+        return validateOutputStream(bound, result);
+    return validateChunk(bound, result);
+}
+async function* validateOutputStream(bound, gen) {
+    for await (const chunk of gen) {
+        yield validateChunk(bound, chunk);
+    }
+}
+/** Parse one output value against `bound.outputSchema` or throw a 500-class error. */
+function validateChunk(bound, value) {
+    const out = validateResult(bound.outputSchema, value);
+    if (!out.ok) {
+        throw new SdkResultValidationError(out.issues, bound.ref);
+    }
+    return out.data;
+}
+function isAsyncGenerator(value) {
+    return (value !== null &&
+        value !== undefined &&
+        typeof value === 'object' &&
+        Symbol.asyncIterator in value);
+}
+//# sourceMappingURL=dispatcher.js.map

package/dist/dispatch/dispatcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dispatcher.js","sourceRoot":"","sources":["../../src/dispatch/dispatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAWH,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AAC9C,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAC5F,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAC1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAA;AACzC,OAAO,EAAE,WAAW,EAAmB,MAAM,QAAQ,CAAA;AACrD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAsB3D,MAAM,OAAO,aAAa;IACP,OAAO,CAAa;IACpB,IAAI,CAAO;IACX,UAAU,CAA0D;IACpE,MAAM,CAAQ;IACd,GAAG,CAAQ;IACX,UAAU,CAAY;IAEvC,YAAY,MAAkC;QAC5C,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;QAC7B,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAA;QACvB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAA;QAC3B,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAA;QACrB,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAA;QACnC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;QAC/D,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAA;QAC1F,IAAI,CAAC,UAAU;YACb,eAAe,CAAC,MAAM,GAAG,CAAC;gBACxB,CAAC,CAAC,gBAAgB,CAAC,MAAM,CAAC,QAAQ,EAAE,eAAe,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC;gBACtF,CAAC,CAAC,IAAI,GAAG,EAAE,CAAA;IACjB,CAAC;IAED,KAAK,CAAC,IAAI,CACR,IAAmB,EACnB,UAA2B,EAC3B,MAAe,EACf,IAAwB;QAExB,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAA;IACvD,CAAC;IAED,KAAK,CAAC,MAAM,CACV,IAAmB,EACnB,UAA2B,EAC3B,MAAe,EACf,IAAwB;QAExB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAA;QACnE,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,WAAW,YAAY,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAA;QACrF,CAAC;QACD,OAAO,MAAM,CAAA;IACf,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,QAAQ,CACZ,IAAmB,EACnB,UAA2B,EAC3B,MAAe,EACf,IAAwB;QAExB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAA;QACnE,OAAO,gBAAgB,CAAC,MAAM,CAAC;YAC7B,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE;YACvC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAA;IACtC,CAAC;IAED,EAAE,CAAC,UAA2B;QAC5B,OAAO;YACL,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC;YAC3D,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC;SAChE,CAAA;IACH,CAAC;IAEO,KAAK,CAAC,GAAG,CACf,IAAmB,EACnB,UAA2B,EAC3B,MAAe,EACf,OAAgB;QAEhB,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;QAC/C,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,mBAAmB,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAA;QAE7D,MAAM,UAAU,GAAgB,KAAK,CAAC,OAAiC,CAAC,IAAI,IAAI,UAAU,CAAA;QAC1F,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAA;QAC1C,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,kBAAkB,CAAC,UAAU,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;QAErF,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3E,MAAM,IAAI,kBAAkB,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC,CAAC,CAAA;QACxF,CAAC;QACD,MAAM,UAAU,GAAG,cAAc,CAAC,KAAK,CAAC,WAAW,EAAE,MAAM,CAAC,CAAA;QAC5D,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;YACnB,MAAM,IAAI,kBAAkB,CAAC,UAAU,CAAC,MAAsC,CAAC,CAAA;QACjF,CAAC;QAED,2EAA2E;QAC3E,2EAA2E;QAC3E,IAAI,YAAoC,CAAA;QACxC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;YACpB,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;gBAChE,MAAM,IAAI,kBAAkB,CAC1B,CAAC,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,EAC/D,IAAI,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,oDAAoD;oBACjF,0DAA0D,KAAK,CAAC,MAAM,IAAI;oBAC1E,sBAAsB,KAAK,CAAC,MAAM,sCAAsC;oBACxE,+BAA+B,CAClC,CAAA;YACH,CAAC;YACD,IAAI,CAAC;gBACH,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAA;YAC7C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,uEAAuE;gBACvE,qEAAqE;gBACrE,8DAA8D;gBAC9D,MAAM,IAAI,kBAAkB,CAC1B;oBACE;wBACE,IAAI,EAAE,CAAC,MAAM,CAAC;wBACd,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,wBAAwB;qBACvE;iBACF,EACD,0BAA0B,OAAO,MAAM,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB,EAAE,CACjG,CAAA;YACH,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAGrB,CAAA;QACD,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAA;QACrC,MAAM,UAAU,GAAG,cAAc,CAAC,MAAM,CAAC,CAAA;QACzC,MAAM,GAAG,GAAG;YACV,MAAM,EAAE,aAAa;YACrB,IAAI;YACJ,IAAI,EAAE,YAAY;YAClB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,MAAM;YACN,UAAU;SACX,CAAA;QAED,IAAI,OAAO,CAAC,SAAS;YAAE,MAAM,YAAY,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;QAEjE,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC,CAAA;QACxE,OAAO,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IACtC,CAAC;IAEO,WAAW,CAAC,KAAoC;QACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QAC3C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,IAAI,gBAAgB,CAAC,KAAK,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACzC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAA;YACjF,CAAC;YACD,MAAM,IAAI,KAAK,CACb,0CAA0C,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,MAAM;gBACzE,sEAAsE,CACzE,CAAA;QACH,CAAC;QACD,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,KAAoC;IAC5D,OAAQ,KAAK,CAAC,OAAiC,CAAC,IAAI,IAAI,UAAU,CAAA;AACpE,CAAC;AAED,SAAS,YAAY,CAAC,IAAmB;IACvC,OAAO,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAA;AACnD,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,cAAc,CAAC,KAAoC,EAAE,MAAe;IAC3E,IAAI,KAAK,CAAC,MAAM,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAA;IAC5C,IAAI,gBAAgB,CAAC,MAAM,CAAC;QAAE,OAAO,oBAAoB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IACxE,OAAO,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;AACrC,CAAC;AAED,KAAK,SAAS,CAAC,CAAC,oBAAoB,CAClC,KAAoC,EACpC,GAA4B;IAE5B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG,EAAE,CAAC;QAC9B,MAAM,aAAa,CAAC,KAAK,EAAE,KAAK,CAAC,CAAA;IACnC,CAAC;AACH,CAAC;AAED,sFAAsF;AACtF,SAAS,aAAa,CAAC,KAAoC,EAAE,KAAc;IACzE,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,CAAC,YAAY,EAAE,KAAK,CAAC,CAAA;IACrD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,wBAAwB,CAAC,GAAG,CAAC,MAA4C,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;IACjG,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,CAAA;AACjB,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,OAAO,CACL,KAAK,KAAK,IAAI;QACd,KAAK,KAAK,SAAS;QACnB,OAAO,KAAK,KAAK,QAAQ;QACzB,MAAM,CAAC,aAAa,IAAI,KAAK,CAC9B,CAAA;AACH,CAAC"}

package/dist/dispatch/errors.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Errors thrown by the dispatch pipeline.
+ *
+ * Each implements `KernelErrorClassifiable` so `kernel-api/dispatch` can
+ * convert them into typed `KernelErrorPayload` values automatically.
+ */
+import type { KernelErrorPayload, KernelErrorClassifiable } from '@astrale-os/kernel-api';
+/** A single Zod issue, normalized to the path/message the payload carries. */
+type ValidationIssue = {
+    path: (string | number)[];
+    message: string;
+};
+export declare class MethodNotFoundError extends Error implements KernelErrorClassifiable {
+    constructor(method: string);
+    toKernelErrorPayload(): KernelErrorPayload;
+}
+export declare class SdkValidationError extends Error implements KernelErrorClassifiable {
+    readonly issues: ValidationIssue[];
+    constructor(issues: ValidationIssue[], message?: string);
+    toKernelErrorPayload(): KernelErrorPayload;
+}
+/**
+ * Thrown when a handler's return value (or a stream chunk) fails validation
+ * against its `outputSchema`. This is a server/handler fault — the author's
+ * code produced data that violates its own declared contract — so it maps to
+ * `INTERNAL_ERROR` (→ HTTP 500), NOT the `VALIDATION_ERROR` (422) used for
+ * bad caller input. Mirrors the kernel's `ResultValidationError`.
+ */
+export declare class SdkResultValidationError extends Error implements KernelErrorClassifiable {
+    readonly issues: ValidationIssue[];
+    readonly ref?: string | undefined;
+    constructor(issues: ValidationIssue[], ref?: string | undefined);
+    toKernelErrorPayload(): KernelErrorPayload;
+}
+/**
+ * Thrown by a `RemoteHandler.authorize` hook to deny a call.
+ *
+ * Wraps any error the hook throws — handlers can throw a plain `Error` and
+ * the dispatcher converts it. Already-typed `AuthorizationDeniedError`
+ * instances are passed through unchanged so callers can attach hints.
+ */
+export declare class AuthorizationDeniedError extends Error implements KernelErrorClassifiable {
+    constructor(message: string, cause?: unknown);
+    toKernelErrorPayload(): KernelErrorPayload;
+}
+export {};
+//# sourceMappingURL=errors.d.ts.map

package/dist/dispatch/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/dispatch/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAA;AAIzF,8EAA8E;AAC9E,KAAK,eAAe,GAAG;IAAE,IAAI,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAA;AAWrE,qBAAa,mBAAoB,SAAQ,KAAM,YAAW,uBAAuB;IAC/E,YAAY,MAAM,EAAE,MAAM,EAGzB;IAED,oBAAoB,IAAI,kBAAkB,CAEzC;CACF;AAED,qBAAa,kBAAmB,SAAQ,KAAM,YAAW,uBAAuB;IAE5E,QAAQ,CAAC,MAAM,EAAE,eAAe,EAAE;IADpC,YACW,MAAM,EAAE,eAAe,EAAE,EAClC,OAAO,CAAC,EAAE,MAAM,EAIjB;IAED,oBAAoB,IAAI,kBAAkB,CAMzC;CACF;AAED;;;;;;GAMG;AACH,qBAAa,wBAAyB,SAAQ,KAAM,YAAW,uBAAuB;IAElF,QAAQ,CAAC,MAAM,EAAE,eAAe,EAAE;IAClC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM;IAFvB,YACW,MAAM,EAAE,eAAe,EAAE,EACzB,GAAG,CAAC,EAAE,MAAM,YAAA,EAItB;IAED,oBAAoB,IAAI,kBAAkB,CAMzC;CACF;AAED;;;;;;GAMG;AACH,qBAAa,wBAAyB,SAAQ,KAAM,YAAW,uBAAuB;IACpF,YAAY,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAG3C;IAED,oBAAoB,IAAI,kBAAkB,CAEzC;CACF"}

package/dist/dispatch/errors.js

@@ -0,0 +1,76 @@
+/**
+ * Errors thrown by the dispatch pipeline.
+ *
+ * Each implements `KernelErrorClassifiable` so `kernel-api/dispatch` can
+ * convert them into typed `KernelErrorPayload` values automatically.
+ */
+import { KERNEL_ERROR_CODES } from '@astrale-os/kernel-api';
+/** Shape Zod issues into the `data.errors` array of a `KernelErrorPayload`. */
+function toPayloadErrors(issues) {
+    return issues.map((i) => ({ path: i.path, code: 'INVALID', message: i.message }));
+}
+export class MethodNotFoundError extends Error {
+    constructor(method) {
+        super(`Method not found: ${method}`);
+        this.name = 'MethodNotFoundError';
+    }
+    toKernelErrorPayload() {
+        return { code: KERNEL_ERROR_CODES.METHOD_NOT_FOUND, message: this.message };
+    }
+}
+export class SdkValidationError extends Error {
+    issues;
+    constructor(issues, message) {
+        super(message ?? 'Invalid params');
+        this.issues = issues;
+        this.name = 'SdkValidationError';
+    }
+    toKernelErrorPayload() {
+        return {
+            code: KERNEL_ERROR_CODES.VALIDATION_ERROR,
+            message: this.message,
+            data: { errors: toPayloadErrors(this.issues) },
+        };
+    }
+}
+/**
+ * Thrown when a handler's return value (or a stream chunk) fails validation
+ * against its `outputSchema`. This is a server/handler fault — the author's
+ * code produced data that violates its own declared contract — so it maps to
+ * `INTERNAL_ERROR` (→ HTTP 500), NOT the `VALIDATION_ERROR` (422) used for
+ * bad caller input. Mirrors the kernel's `ResultValidationError`.
+ */
+export class SdkResultValidationError extends Error {
+    issues;
+    ref;
+    constructor(issues, ref) {
+        super(`Function${ref ? ` "${ref}"` : ''} returned an invalid result`);
+        this.issues = issues;
+        this.ref = ref;
+        this.name = 'SdkResultValidationError';
+    }
+    toKernelErrorPayload() {
+        return {
+            code: KERNEL_ERROR_CODES.INTERNAL_ERROR,
+            message: this.message,
+            data: { errors: toPayloadErrors(this.issues) },
+        };
+    }
+}
+/**
+ * Thrown by a `RemoteHandler.authorize` hook to deny a call.
+ *
+ * Wraps any error the hook throws — handlers can throw a plain `Error` and
+ * the dispatcher converts it. Already-typed `AuthorizationDeniedError`
+ * instances are passed through unchanged so callers can attach hints.
+ */
+export class AuthorizationDeniedError extends Error {
+    constructor(message, cause) {
+        super(message, { cause });
+        this.name = 'AuthorizationDeniedError';
+    }
+    toKernelErrorPayload() {
+        return { code: KERNEL_ERROR_CODES.PERMISSION_DENIED, message: this.message };
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/dispatch/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/dispatch/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAA;AAK3D,+EAA+E;AAC/E,SAAS,eAAe,CAAC,MAAyB;IAKhD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;AACnF,CAAC;AAED,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAC5C,YAAY,MAAc;QACxB,KAAK,CAAC,qBAAqB,MAAM,EAAE,CAAC,CAAA;QACpC,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAA;IACnC,CAAC;IAED,oBAAoB;QAClB,OAAO,EAAE,IAAI,EAAE,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAA;IAC7E,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAEhC,MAAM;IADjB,YACW,MAAyB,EAClC,OAAgB;QAEhB,KAAK,CAAC,OAAO,IAAI,gBAAgB,CAAC,CAAA;sBAHzB,MAAM;QAIf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAA;IAClC,CAAC;IAED,oBAAoB;QAClB,OAAO;YACL,IAAI,EAAE,kBAAkB,CAAC,gBAAgB;YACzC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,EAAE,MAAM,EAAE,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;SAC/C,CAAA;IACH,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IAEtC,MAAM;IACN,GAAG;IAFd,YACW,MAAyB,EACzB,GAAY;QAErB,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,6BAA6B,CAAC,CAAA;sBAH5D,MAAM;mBACN,GAAG;QAGZ,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAA;IACxC,CAAC;IAED,oBAAoB;QAClB,OAAO;YACL,IAAI,EAAE,kBAAkB,CAAC,cAAc;YACvC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,EAAE,MAAM,EAAE,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;SAC/C,CAAA;IACH,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACjD,YAAY,OAAe,EAAE,KAAe;QAC1C,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QACzB,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAA;IACxC,CAAC;IAED,oBAAoB;QAClB,OAAO,EAAE,IAAI,EAAE,kBAAkB,CAAC,iBAAiB,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAA;IAC9E,CAAC;CACF"}