@astrale-os/sdk 0.1.2 → 0.1.3

package/dist/auth/compose.d.ts

@@ -9,6 +9,15 @@
  * identity. Union means either identity's permissions work.
  */
 import type { Delegation } from '@astrale-os/kernel-core';
+/**
+ * The composed identity expression: union of the caller's delegated access
+ * (a kernel-signed credential leaf) and the function's own identity (self).
+ *
+ * Used both as the grant on outbound kernel calls AND as the delegation
+ * expression when minting a NEXT-HOP credential — the next worker receives
+ * principal = this function, authority = union(caller's delegated, own).
+ */
+export declare function buildComposedExpr(delegation: Delegation): import("@astrale-os/kernel-core").UnresolvedIdentityExpr;
 /**
  * Build the grant expression that unions the caller's delegated access
  * with the function's own identity.
@@ -19,4 +28,14 @@ import type { Delegation } from '@astrale-os/kernel-core';
 export declare function buildComposedGrant(delegation: Delegation): {
     grant: import("@astrale-os/kernel-core").UnresolvedGrant;
 };
+/**
+ * The SELF-ONLY expression: the function's own identity, nothing delegated.
+ * Used by `selfKernel` sessions (public/webhook handlers acting on their own
+ * authority) — both as the credential grant and as the next-hop delegation.
+ */
+export declare function buildSelfExpr(): import("@astrale-os/kernel-core").UnresolvedIdentityExpr;
+/** Self-only grant for `selfKernel` credentials. */
+export declare function buildSelfGrant(): {
+    grant: import("@astrale-os/kernel-core").UnresolvedGrant;
+};
 //# sourceMappingURL=compose.d.ts.map

package/dist/auth/compose.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../../src/auth/compose.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AASzD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,UAAU;IAE9C,KAAK;EACf"}
+{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../../src/auth/compose.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AASzD;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,UAAU,4DAEvD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,UAAU;IAC9C,KAAK;EACf;AAED;;;;GAIG;AACH,wBAAgB,aAAa,6DAE5B;AAED,oDAAoD;AACpD,wBAAgB,cAAc;IACnB,KAAK;EACf"}

package/dist/auth/compose.js

@@ -9,6 +9,17 @@
  * identity. Union means either identity's permissions work.
  */
 import { createUnresolvedGrant, unresolvedCredential, unresolvedSelf, unresolvedUnion, } from '@astrale-os/kernel-core';
+/**
+ * The composed identity expression: union of the caller's delegated access
+ * (a kernel-signed credential leaf) and the function's own identity (self).
+ *
+ * Used both as the grant on outbound kernel calls AND as the delegation
+ * expression when minting a NEXT-HOP credential — the next worker receives
+ * principal = this function, authority = union(caller's delegated, own).
+ */
+export function buildComposedExpr(delegation) {
+    return unresolvedUnion(unresolvedCredential(delegation.credential), unresolvedSelf());
+}
 /**
  * Build the grant expression that unions the caller's delegated access
  * with the function's own identity.
@@ -17,7 +28,18 @@ import { createUnresolvedGrant, unresolvedCredential, unresolvedSelf, unresolved
  * @returns The unresolved grant object with version and expression
  */
 export function buildComposedGrant(delegation) {
-    const expr = unresolvedUnion(unresolvedCredential(delegation.credential), unresolvedSelf());
-    return { grant: createUnresolvedGrant(expr) };
+    return { grant: createUnresolvedGrant(buildComposedExpr(delegation)) };
+}
+/**
+ * The SELF-ONLY expression: the function's own identity, nothing delegated.
+ * Used by `selfKernel` sessions (public/webhook handlers acting on their own
+ * authority) — both as the credential grant and as the next-hop delegation.
+ */
+export function buildSelfExpr() {
+    return unresolvedSelf();
+}
+/** Self-only grant for `selfKernel` credentials. */
+export function buildSelfGrant() {
+    return { grant: createUnresolvedGrant(buildSelfExpr()) };
 }
 //# sourceMappingURL=compose.js.map

package/dist/auth/compose.js.map

@@ -1 +1 @@
-{"version":3,"file":"compose.js","sourceRoot":"","sources":["../../src/auth/compose.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,cAAc,EACd,eAAe,GAChB,MAAM,yBAAyB,CAAA;AAEhC;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAsB;IACvD,MAAM,IAAI,GAAG,eAAe,CAAC,oBAAoB,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,cAAc,EAAE,CAAC,CAAA;IAC3F,OAAO,EAAE,KAAK,EAAE,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAA;AAC/C,CAAC"}
+{"version":3,"file":"compose.js","sourceRoot":"","sources":["../../src/auth/compose.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,cAAc,EACd,eAAe,GAChB,MAAM,yBAAyB,CAAA;AAEhC;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,UAAsB;IACtD,OAAO,eAAe,CAAC,oBAAoB,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,cAAc,EAAE,CAAC,CAAA;AACvF,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAsB;IACvD,OAAO,EAAE,KAAK,EAAE,qBAAqB,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC,EAAE,CAAA;AACxE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,cAAc,EAAE,CAAA;AACzB,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,cAAc;IAC5B,OAAO,EAAE,KAAK,EAAE,qBAAqB,CAAC,aAAa,EAAE,CAAC,EAAE,CAAA;AAC1D,CAAC"}

package/dist/auth/kernel-client.d.ts

@@ -25,4 +25,19 @@ import type { RemoteIdentityConfig } from './identity';
  * worker-scoped delegation via `@<subject>::mintDelegationCredential`.
  */
 export declare function bindKernel(delegation: Delegation, kernelUrl: string, config: RemoteIdentityConfig): Promise<BoundClientSessionView<FnMap>>;
+/**
+ * Build a `BoundClientSessionView` authenticated as the FUNCTION'S OWN
+ * identity — no inbound delegation, authority = the function's own grants
+ * only. The seam behind `selfKernel` for public/webhook handlers: an HMAC- or
+ * signature-verified webhook can act on the graph as itself after verifying
+ * the upstream. Next-hop mints delegate self only.
+ */
+export declare function bindSelfKernel(kernelUrl: string, config: RemoteIdentityConfig): Promise<BoundClientSessionView<FnMap>>;
+/**
+ * Build the `selfKernel` accessor handed to remote-function handlers.
+ * Resolves the kernel URL from the explicit argument or `deps.KERNEL_URL`
+ * (a public request carries no credential, so the parent kernel cannot be
+ * inferred — it must be configured).
+ */
+export declare function makeSelfKernel(identity: RemoteIdentityConfig, deps: unknown): (kernelUrl?: string) => Promise<BoundClientSessionView<FnMap>>;
 //# sourceMappingURL=kernel-client.d.ts.map

package/dist/auth/kernel-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"kernel-client.d.ts","sourceRoot":"","sources":["../../src/auth/kernel-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAEzD,OAAO,EAAgC,KAAK,KAAK,EAAE,MAAM,2BAA2B,CAAA;AAEpF,OAAO,EAAiB,KAAK,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAE9F,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAiCtD;;;;;GAKG;AACH,wBAAsB,UAAU,CAC9B,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAwCxC"}
+{"version":3,"file":"kernel-client.d.ts","sourceRoot":"","sources":["../../src/auth/kernel-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAGzD,OAAO,EAAgC,KAAK,KAAK,EAAE,MAAM,2BAA2B,CAAA;AAEpF,OAAO,EAAiB,KAAK,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAE9F,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAsCtD;;;;;GAKG;AACH,wBAAsB,UAAU,CAC9B,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAIxC;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAExC;AA0DD;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,oBAAoB,EAC9B,IAAI,EAAE,OAAO,GACZ,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAWhE"}

package/dist/auth/kernel-client.js

@@ -17,9 +17,13 @@
 import { KernelClient, SchemaRegistry } from '@astrale-os/kernel-client';
 import { ClientPool } from '@astrale-os/kernel-client/pool';
 import { ClientSession } from '@astrale-os/kernel-client/session';
-import { buildComposedGrant } from './compose';
+import { buildComposedExpr, buildComposedGrant, buildSelfExpr, buildSelfGrant } from './compose';
 import { signCredential } from './sign';
 const DELEGATION_TTL_SECONDS = 3600;
+// The kernel's whoami — returns the AUTHENTICATED principal's graph node, so
+// the resolved id satisfies the mint syscall's `self.id === auth.principal`
+// invariant by construction (same seam the shell uses to resolve self).
+const WHOAMI_PATH = '/:kernel.astrale.ai:interface.Identity:whoami';
 // Shared per kernel URL — the expensive, identity-agnostic state. Sessions are
 // NOT shared (each binds a subject-specific delegation mint), but the pool
 // (connections) and registry (learned schemas) are reused across them.
@@ -51,8 +55,24 @@ function getPool(url) {
  * worker-scoped delegation via `@<subject>::mintDelegationCredential`.
  */
 export async function bindKernel(delegation, kernelUrl, config) {
-    const { grant } = buildComposedGrant(delegation);
-    const composed = await signCredential({ grant }, {
+    return bindSession(kernelUrl, config, buildComposedGrant(delegation).grant, () => buildComposedExpr(delegation));
+}
+/**
+ * Build a `BoundClientSessionView` authenticated as the FUNCTION'S OWN
+ * identity — no inbound delegation, authority = the function's own grants
+ * only. The seam behind `selfKernel` for public/webhook handlers: an HMAC- or
+ * signature-verified webhook can act on the graph as itself after verifying
+ * the upstream. Next-hop mints delegate self only.
+ */
+export async function bindSelfKernel(kernelUrl, config) {
+    return bindSession(kernelUrl, config, buildSelfGrant().grant, () => buildSelfExpr());
+}
+/**
+ * Shared session construction: sign a credential as this function's identity
+ * carrying `grant`, bind the session to it, and wire the lazy NEXT-HOP mint.
+ */
+async function bindSession(kernelUrl, config, grant, nextHopDelegation) {
+    const credential = await signCredential({ grant }, {
         issuer: config.issuer,
         subject: config.subject,
         audience: kernelUrl,
@@ -65,12 +85,18 @@ export async function bindKernel(delegation, kernelUrl, config) {
         schema: getRegistry(kernelUrl),
         pool: getPool(kernelUrl),
         delegation: {
-            // `@<subject>::mintDelegationCredential` satisfies the syscall's
-            // `self.id === auth.principal` invariant (composed's subject IS the
-            // principal). `skipDelegation` keeps this mint from re-entering itself —
-            // it targets the kernel (same origin), so no delegation is needed.
+            // NEXT-HOP mint: each hop mints AS ITSELF. The anchor is this function's
+            // identity NODE id (resolved via whoami — `@` only accepts node ids, not
+            // paths), so `self.id === auth.principal` holds by construction. The
+            // minted delegation carries the session's authority expression (composed
+            // for delegated sessions, self-only for selfKernel): the next worker
+            // sees WHO called it while inheriting exactly that authority.
+            // `skipDelegation` keeps the whoami + mint from re-entering this
+            // closure — both target the kernel (same origin), so no delegation is
+            // needed.
             mint: async (audience) => {
-                const envelope = await session.call(`@${config.subject}::mintDelegationCredential`, { audience, delegation: { kind: 'identity', self: true }, ttl: DELEGATION_TTL_SECONDS }, { credential: composed, skipDelegation: true });
+                const selfId = await resolveSelfId(session, credential, kernelUrl, config);
+                const envelope = await session.call(`@${selfId}::mintDelegationCredential`, { audience, delegation: nextHopDelegation(), ttl: DELEGATION_TTL_SECONDS }, { credential, skipDelegation: true });
                 if (typeof envelope !== 'string') {
                     throw new Error(`mintDelegationCredential returned ${typeof envelope}, expected a credential string`);
                 }
@@ -79,6 +105,42 @@ export async function bindKernel(delegation, kernelUrl, config) {
             ttl: DELEGATION_TTL_SECONDS,
         },
     });
-    return session.as(composed);
+    return session.as(credential);
+}
+/**
+ * Build the `selfKernel` accessor handed to remote-function handlers.
+ * Resolves the kernel URL from the explicit argument or `deps.KERNEL_URL`
+ * (a public request carries no credential, so the parent kernel cannot be
+ * inferred — it must be configured).
+ */
+export function makeSelfKernel(identity, deps) {
+    return async (kernelUrl) => {
+        const url = kernelUrl ?? deps?.KERNEL_URL;
+        if (typeof url !== 'string' || url.length === 0) {
+            throw new Error('selfKernel: no kernel URL — pass one explicitly or set KERNEL_URL in the worker env ' +
+                '(managed deploys set it automatically).');
+        }
+        return bindSelfKernel(url, identity);
+    };
+}
+// Function-identity node ids, cached per (kernel, issuer, subject). Sessions
+// are per-request, but a function's identity node is stable for the worker's
+// lifetime — one whoami per function, not one per redirect.
+const selfIds = new Map();
+/**
+ * Resolve THIS function's identity node id on the parent kernel via whoami,
+ * authenticated with the composed credential (whose principal IS the function).
+ */
+async function resolveSelfId(session, credential, kernelUrl, config) {
+    const key = `${kernelUrl}|${config.issuer}|${config.subject}`;
+    const cached = selfIds.get(key);
+    if (cached)
+        return cached;
+    const me = (await session.call(WHOAMI_PATH, {}, { credential, skipDelegation: true }));
+    if (!me?.id) {
+        throw new Error(`whoami returned no identity node for ${config.subject} — cannot anchor the next-hop delegation mint`);
+    }
+    selfIds.set(key, me.id);
+    return me.id;
 }
 //# sourceMappingURL=kernel-client.js.map

package/dist/auth/kernel-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"kernel-client.js","sourceRoot":"","sources":["../../src/auth/kernel-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,OAAO,EAAE,YAAY,EAAE,cAAc,EAAc,MAAM,2BAA2B,CAAA;AACpF,OAAO,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAA;AAC3D,OAAO,EAAE,aAAa,EAA+B,MAAM,mCAAmC,CAAA;AAI9F,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAA;AAEvC,MAAM,sBAAsB,GAAG,IAAI,CAAA;AAEnC,+EAA+E;AAC/E,2EAA2E;AAC3E,uEAAuE;AACvE,MAAM,KAAK,GAAG,IAAI,GAAG,EAA6B,CAAA;AAClD,MAAM,UAAU,GAAG,IAAI,GAAG,EAA0B,CAAA;AAEpD,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAA;QAC/B,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IAC/B,CAAC;IACD,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,SAAS,OAAO,CAAC,GAAW;IAC1B,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC7B,IAAI,MAAM;QAAE,OAAO,MAAM,CAAA;IACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,CAAA;IACjC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAQ;QACjC,aAAa,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,YAAY,CAAQ,EAAE,GAAG,EAAE,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;KAC5E,CAAC,CAAA;IACF,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;IACpB,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAAsB,EACtB,SAAiB,EACjB,MAA4B;IAE5B,MAAM,EAAE,KAAK,EAAE,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAA;IAChD,MAAM,QAAQ,GAAG,MAAM,cAAc,CACnC,EAAE,KAAK,EAAE,EACT;QACE,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,QAAQ,EAAE,SAAS;QACnB,UAAU,EAAE,MAAM,CAAC,UAAU;KAC9B,CACF,CAAA;IAED,6EAA6E;IAC7E,kEAAkE;IAClE,MAAM,OAAO,GAAyB,IAAI,aAAa,CAAQ;QAC7D,OAAO,EAAE,SAAS;QAClB,MAAM,EAAE,WAAW,CAAC,SAAS,CAAC;QAC9B,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC;QACxB,UAAU,EAAE;YACV,iEAAiE;YACjE,oEAAoE;YACpE,yEAAyE;YACzE,mEAAmE;YACnE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;gBACvB,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CACjC,IAAI,MAAM,CAAC,OAAO,4BAA4B,EAC9C,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,sBAAsB,EAAE,EACvF,EAAE,UAAU,EAAE,QAAQ,EAAE,cAAc,EAAE,IAAI,EAAE,CAC/C,CAAA;gBACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACjC,MAAM,IAAI,KAAK,CACb,qCAAqC,OAAO,QAAQ,gCAAgC,CACrF,CAAA;gBACH,CAAC;gBACD,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,EAAE,sBAAsB,EAAE,CAAA;YAC9D,CAAC;YACD,GAAG,EAAE,sBAAsB;SAC5B;KACF,CAAC,CAAA;IACF,OAAO,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAA;AAC7B,CAAC"}
+{"version":3,"file":"kernel-client.js","sourceRoot":"","sources":["../../src/auth/kernel-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,EAAE,YAAY,EAAE,cAAc,EAAc,MAAM,2BAA2B,CAAA;AACpF,OAAO,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAA;AAC3D,OAAO,EAAE,aAAa,EAA+B,MAAM,mCAAmC,CAAA;AAI9F,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAChG,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAA;AAEvC,MAAM,sBAAsB,GAAG,IAAI,CAAA;AAEnC,6EAA6E;AAC7E,4EAA4E;AAC5E,wEAAwE;AACxE,MAAM,WAAW,GAAG,+CAA+C,CAAA;AAEnE,+EAA+E;AAC/E,2EAA2E;AAC3E,uEAAuE;AACvE,MAAM,KAAK,GAAG,IAAI,GAAG,EAA6B,CAAA;AAClD,MAAM,UAAU,GAAG,IAAI,GAAG,EAA0B,CAAA;AAEpD,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAA;QAC/B,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IAC/B,CAAC;IACD,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,SAAS,OAAO,CAAC,GAAW;IAC1B,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC7B,IAAI,MAAM;QAAE,OAAO,MAAM,CAAA;IACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,CAAA;IACjC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAQ;QACjC,aAAa,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,YAAY,CAAQ,EAAE,GAAG,EAAE,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;KAC5E,CAAC,CAAA;IACF,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;IACpB,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAAsB,EACtB,SAAiB,EACjB,MAA4B;IAE5B,OAAO,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,kBAAkB,CAAC,UAAU,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,CAC/E,iBAAiB,CAAC,UAAU,CAAC,CAC9B,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,MAA4B;IAE5B,OAAO,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,EAAE,CAAC,CAAA;AACtF,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,WAAW,CACxB,SAAiB,EACjB,MAA4B,EAC5B,KAAc,EACd,iBAA+C;IAE/C,MAAM,UAAU,GAAG,MAAM,cAAc,CACrC,EAAE,KAAK,EAAE,EACT;QACE,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,QAAQ,EAAE,SAAS;QACnB,UAAU,EAAE,MAAM,CAAC,UAAU;KAC9B,CACF,CAAA;IAED,6EAA6E;IAC7E,kEAAkE;IAClE,MAAM,OAAO,GAAyB,IAAI,aAAa,CAAQ;QAC7D,OAAO,EAAE,SAAS;QAClB,MAAM,EAAE,WAAW,CAAC,SAAS,CAAC;QAC9B,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC;QACxB,UAAU,EAAE;YACV,yEAAyE;YACzE,yEAAyE;YACzE,qEAAqE;YACrE,yEAAyE;YACzE,qEAAqE;YACrE,8DAA8D;YAC9D,iEAAiE;YACjE,sEAAsE;YACtE,UAAU;YACV,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;gBACvB,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,CAAC,CAAA;gBAC1E,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CACjC,IAAI,MAAM,4BAA4B,EACtC,EAAE,QAAQ,EAAE,UAAU,EAAE,iBAAiB,EAAE,EAAE,GAAG,EAAE,sBAAsB,EAAE,EAC1E,EAAE,UAAU,EAAE,cAAc,EAAE,IAAI,EAAE,CACrC,CAAA;gBACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACjC,MAAM,IAAI,KAAK,CACb,qCAAqC,OAAO,QAAQ,gCAAgC,CACrF,CAAA;gBACH,CAAC;gBACD,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,EAAE,sBAAsB,EAAE,CAAA;YAC9D,CAAC;YACD,GAAG,EAAE,sBAAsB;SAC5B;KACF,CAAC,CAAA;IACF,OAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;AAC/B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,QAA8B,EAC9B,IAAa;IAEb,OAAO,KAAK,EAAE,SAAkB,EAAE,EAAE;QAClC,MAAM,GAAG,GAAG,SAAS,IAAK,IAAoD,EAAE,UAAU,CAAA;QAC1F,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CACb,sFAAsF;gBACpF,yCAAyC,CAC5C,CAAA;QACH,CAAC;QACD,OAAO,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IACtC,CAAC,CAAA;AACH,CAAC;AAED,6EAA6E;AAC7E,6EAA6E;AAC7E,4DAA4D;AAC5D,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAA;AAEzC;;;GAGG;AACH,KAAK,UAAU,aAAa,CAC1B,OAA6B,EAC7B,UAAkB,EAClB,SAAiB,EACjB,MAA4B;IAE5B,MAAM,GAAG,GAAG,GAAG,SAAS,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAA;IAC7D,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC/B,IAAI,MAAM;QAAE,OAAO,MAAM,CAAA;IACzB,MAAM,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAE7E,CAAA;IACR,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,wCAAwC,MAAM,CAAC,OAAO,+CAA+C,CACtG,CAAA;IACH,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,CAAC,CAAA;IACvB,OAAO,EAAE,CAAC,EAAE,CAAA;AACd,CAAC"}

package/dist/define/remote-function.d.ts

@@ -45,6 +45,16 @@ export type RemoteFunctionContext<TParams, TDeps = unknown> = {
      * `Identity.mintDelegationCredential` + the target method's grants.
      */
     callRemote: CallRemoteFn;
+    /**
+     * Acquire a kernel session authenticated as THIS FUNCTION'S OWN identity —
+     * authority = the function's own grants only, no caller delegation. The
+     * webhook seam: when an `auth: 'public'` upstream can't carry an Astrale
+     * token (HMAC-signature webhooks, Stripe-style), VERIFY THE UPSTREAM'S
+     * SIGNATURE FIRST, then act on the graph as yourself. `kernelUrl` defaults
+     * to `deps.KERNEL_URL` (set automatically on managed deploys); pass it
+     * explicitly for other targets.
+     */
+    selfKernel: (kernelUrl?: string) => Promise<BoundClientSessionView<FnMap>>;
 };
 export type RemoteFunctionDef<TParams = unknown, TResult = unknown, TDeps = unknown> = {
     /**

package/dist/define/remote-function.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"remote-function.d.ts","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAChF,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC/E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AACnC,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAE5B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAE3D,MAAM,MAAM,qBAAqB,CAAC,OAAO,EAAE,KAAK,GAAG,OAAO,IAAI;IAC5D,4DAA4D;IAC5D,MAAM,EAAE,OAAO,CAAA;IACf,sEAAsE;IACtE,CAAC,EAAE,OAAO,CAAA;IACV,qEAAqE;IACrE,IAAI,EAAE,WAAW,GAAG,IAAI,CAAA;IACxB,6DAA6D;IAC7D,IAAI,EAAE,KAAK,CAAA;IACX;;;;;OAKG;IACH,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,GAAG,IAAI,CAAA;IAC5C;;;;;OAKG;IACH,UAAU,EAAE,YAAY,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,iBAAiB,CAAC,OAAO,GAAG,OAAO,EAAE,OAAO,GAAG,OAAO,EAAE,KAAK,GAAG,OAAO,IAAI;IACrF;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,4CAA4C;IAC5C,WAAW,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC/B,wCAAwC;IACxC,YAAY,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAChC;;;;;;;;;OASG;IACH,OAAO,CAAC,EAAE,eAAe,CAAA;IACzB,uDAAuD;IACvD,IAAI,CAAC,EAAE,UAAU,CAAA;IACjB,yDAAyD;IACzD,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAChF,uCAAuC;IACvC,OAAO,EAAE,CAAC,GAAG,EAAE,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IACnF,2CAA2C;IAC3C,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB,CAAA;AAGD,MAAM,MAAM,oBAAoB,GAAG,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;AAEnE;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,GAAG,OAAO,EACpE,GAAG,EAAE,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,GAC9C,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAE5C"}
+{"version":3,"file":"remote-function.d.ts","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAChF,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC/E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AACnC,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAE5B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAE3D,MAAM,MAAM,qBAAqB,CAAC,OAAO,EAAE,KAAK,GAAG,OAAO,IAAI;IAC5D,4DAA4D;IAC5D,MAAM,EAAE,OAAO,CAAA;IACf,sEAAsE;IACtE,CAAC,EAAE,OAAO,CAAA;IACV,qEAAqE;IACrE,IAAI,EAAE,WAAW,GAAG,IAAI,CAAA;IACxB,6DAA6D;IAC7D,IAAI,EAAE,KAAK,CAAA;IACX;;;;;OAKG;IACH,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,GAAG,IAAI,CAAA;IAC5C;;;;;OAKG;IACH,UAAU,EAAE,YAAY,CAAA;IACxB;;;;;;;;OAQG;IACH,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAAA;CAC3E,CAAA;AAED,MAAM,MAAM,iBAAiB,CAAC,OAAO,GAAG,OAAO,EAAE,OAAO,GAAG,OAAO,EAAE,KAAK,GAAG,OAAO,IAAI;IACrF;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,4CAA4C;IAC5C,WAAW,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC/B,wCAAwC;IACxC,YAAY,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAChC;;;;;;;;;OASG;IACH,OAAO,CAAC,EAAE,eAAe,CAAA;IACzB,uDAAuD;IACvD,IAAI,CAAC,EAAE,UAAU,CAAA;IACjB,yDAAyD;IACzD,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAChF,uCAAuC;IACvC,OAAO,EAAE,CAAC,GAAG,EAAE,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IACnF,2CAA2C;IAC3C,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB,CAAA;AAGD,MAAM,MAAM,oBAAoB,GAAG,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;AAEnE;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,GAAG,OAAO,EACpE,GAAG,EAAE,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,GAC9C,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAE5C"}

package/dist/define/remote-function.js.map

@@ -1 +1 @@
-{"version":3,"file":"remote-function.js","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAuEH;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAA+C;IAE/C,OAAO,GAAG,CAAA;AACZ,CAAC"}
+{"version":3,"file":"remote-function.js","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAiFH;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAA+C;IAE/C,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/server/auxiliary-routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auxiliary-routes.d.ts","sourceRoot":"","sources":["../../src/server/auxiliary-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,OAAO,KAAK,EAAW,IAAI,EAAE,MAAM,MAAM,CAAA;AAQzC,OAAO,EAKL,KAAK,eAAe,EAErB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAoB,KAAK,UAAU,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAA;AACrE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAQ1D,MAAM,MAAM,qBAAqB,CAAC,KAAK,IAAI;IACzC,GAAG,EAAE,IAAI,CAAA;IACT,gFAAgF;IAChF,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAA;IACtC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;IAC9C,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;IACtD,sBAAsB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;IACxD,IAAI,EAAE,KAAK,CAAA;IACX;;;;OAIG;IACH,UAAU,EAAE,cAAc,CAAA;IAC1B;;;;;OAKG;IACH,IAAI,EAAE,UAAU,CAAA;CACjB,CAAA;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,qBAAqB,CAAC,KAAK,CAAC,GAAG,IAAI,CA2EtF"}
+{"version":3,"file":"auxiliary-routes.d.ts","sourceRoot":"","sources":["../../src/server/auxiliary-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,OAAO,KAAK,EAAW,IAAI,EAAE,MAAM,MAAM,CAAA;AAQzC,OAAO,EAKL,KAAK,eAAe,EAErB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAoB,KAAK,UAAU,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAA;AACrE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAS1D,MAAM,MAAM,qBAAqB,CAAC,KAAK,IAAI;IACzC,GAAG,EAAE,IAAI,CAAA;IACT,gFAAgF;IAChF,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAA;IACtC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;IAC9C,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;IACtD,sBAAsB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;IACxD,IAAI,EAAE,KAAK,CAAA;IACX;;;;OAIG;IACH,UAAU,EAAE,cAAc,CAAA;IAC1B;;;;;OAKG;IACH,IAAI,EAAE,UAAU,CAAA;CACjB,CAAA;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,qBAAqB,CAAC,KAAK,CAAC,GAAG,IAAI,CA4EtF"}

package/dist/server/auxiliary-routes.js

@@ -14,6 +14,7 @@
 import { isKernelErrorClassifiable, KERNEL_ERROR_CODES, kernelErrorHttpStatus, } from '@astrale-os/kernel-api';
 import { isSubdomainOf, matchHost, compileHostMatcher, parseUrlTemplate, } from '@astrale-os/kernel-api/routed';
 import { buildCorsHeaders } from '@astrale-os/kernel-server';
+import { makeSelfKernel } from '../auth/kernel-client';
 import { resolveInboundAuth } from '../auth/resolve';
 import { runAuthorize } from '../dispatch/authorize';
 import { makeCallRemote } from '../dispatch/call-remote';
@@ -64,12 +65,13 @@ export function mountAuxiliaryRoutes(config) {
                 identity,
                 corsHeaders,
                 run: async ({ c, auth, kernel, callRemote }) => {
+                    const selfKernel = makeSelfKernel(identity, deps);
                     const rawBody = await c.req.json().catch(() => ({}));
                     const validation = validateParams(def.inputSchema, rawBody);
                     if (!validation.ok) {
                         throw new SdkValidationError(validation.issues);
                     }
-                    const ctx = { params: validation.data, c, auth, deps, kernel, callRemote };
+                    const ctx = { params: validation.data, c, auth, deps, kernel, callRemote, selfKernel };
                     if (def.authorize)
                         await runAuthorize(def.authorize, ctx);
                     const result = await def.execute(ctx);

package/dist/server/auxiliary-routes.js.map

@@ -1 +1 @@
-{"version":3,"file":"auxiliary-routes.js","sourceRoot":"","sources":["../../src/server/auxiliary-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAOH,OAAO,EACL,yBAAyB,EACzB,kBAAkB,EAClB,qBAAqB,GAEtB,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,aAAa,EACb,SAAS,EACT,kBAAkB,EAClB,gBAAgB,GAGjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAmB,MAAM,2BAA2B,CAAA;AAQ7E,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AACxD,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AACjF,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AA0BrE,MAAM,UAAU,oBAAoB,CAAQ,MAAoC;IAC9E,MAAM,EACJ,GAAG,EACH,GAAG,EACH,KAAK,EACL,YAAY,EACZ,eAAe,EACf,sBAAsB,EACtB,IAAI,EACJ,UAAU,EACV,IAAI,GACL,GAAG,MAAM,CAAA;IAEV,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,WAAW,CAAA;IACpD,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAA;IAE1C,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;QAC1B,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;YAClC,IAAI,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM;gBAAE,SAAQ;YACrC,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAA;YACzE,UAAU,CAAC;gBACT,GAAG;gBACH,OAAO;gBACP,UAAU;gBACV,aAAa,EAAE,KAAK;gBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ;gBACR,WAAW;gBACX,sEAAsE;gBACtE,qEAAqE;gBACrE,kEAAkE;gBAClE,0CAA0C;gBAC1C,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;oBACjC,IAAI,GAAG,CAAC,SAAS;wBAAE,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;oBAC/E,OAAO,GAAG,CAAC,MAAO,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;gBAC/C,CAAC;aACF,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IAAI,eAAe,IAAI,sBAAsB,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YAC1D,MAAM,OAAO,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAA;YAC5C,IAAI,CAAC,OAAO;gBAAE,SAAQ;YACtB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,iBAAiB,EAAE,IAAI,EAAE,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAA;YAC9F,UAAU,CAAC;gBACT,GAAG;gBACH,OAAO;gBACP,UAAU;gBACV,aAAa,EAAE,MAAM;gBACrB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ;gBACR,WAAW;gBACX,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;oBAC7C,MAAM,OAAO,GAAY,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;oBAC7D,MAAM,UAAU,GAAG,cAAc,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,CAAA;oBAC3D,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;wBACnB,MAAM,IAAI,kBAAkB,CAAC,UAAU,CAAC,MAAsC,CAAC,CAAA;oBACjF,CAAC;oBACD,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,CAAA;oBAC1E,IAAI,GAAG,CAAC,SAAS;wBAAE,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;oBACzD,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBACrC,MAAM,aAAa,GAAG,cAAc,CAAC,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;oBAC9D,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;wBACtB,MAAM,IAAI,wBAAwB,CAChC,aAAa,CAAC,MAA4C,EAC1D,GAAG,CAAC,GAAG,CACR,CAAA;oBACH,CAAC;oBACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,aAAa,CAAC,IAAI,EAAE,CAAC,CAAA;gBAC/C,CAAC;aACF,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,8EAA8E;AAE9E;;;;GAIG;AACH,SAAS,kBAAkB,CACzB,IAAgC,EAChC,IAAY,EACZ,QAA0C;IAE1C,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAA;IAC7B,MAAM,IAAI,KAAK,CACb,oDAAoD,IAAI,KAAK,IAAI,KAAK;QACpE,6CAA6C,IAAI,4BAA4B,CAChF,CAAA;AACH,CAAC;AAqBD,MAAM,cAAc,GAAG,mBAAmB,CAAA;AAE1C,SAAS,UAAU,CAAC,IAAoB;IACtC,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,IAAI,CAAA;IAE1F,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IACnC,IAAI,CAAC,SAAS;QAAE,OAAM;IAEtB,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAA;IAC1C,IAAI,MAAM,CAAC,WAAW,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC;QAAE,OAAM;IAEhF,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC,CAAA;IACrE,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAA;IACrC,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,EAAE,MAAM,IAAI,aAAa,CAAA;IACzD,4EAA4E;IAC5E,2EAA2E;IAC3E,6EAA6E;IAC7E,6CAA6C;IAC7C,IAAI,UAAU,KAAK,KAAK,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CACb,kDAAkD,UAAU,gBAAgB,QAAQ,KAAK;YACvF,kEAAkE,CACrE,CAAA;IACH,CAAC;IACD,0EAA0E;IAC1E,wEAAwE;IACxE,uDAAuD;IACvD,MAAM,WAAW,GACf,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACpF,MAAM,cAAc,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAA;IAExD,MAAM,OAAO,GAAG,KAAK,EAAE,CAAU,EAAqB,EAAE;QACtD,0EAA0E;QAC1E,2EAA2E;QAC3E,2EAA2E;QAC3E,yDAAyD;QACzD,kBAAkB,CAAC,CAAC,EAAE,WAAW,CAAC,CAAA;QAClC,IAAI,CAAC;YACH,IAAI,UAAU,GAA2B,EAAE,CAAA;YAC3C,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;gBAChE,IAAI,CAAC,KAAK;oBAAE,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAA;gBAC/B,UAAU,GAAG,KAAK,CAAA;YACpB,CAAC;YAED,MAAM,UAAU,GAA2B,EAAE,CAAA;YAC7C,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;gBAClC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC/B,IAAI,KAAK,KAAK,SAAS;oBAAE,UAAU,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAA;YACvE,CAAC;YAED,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,MAAM,kBAAkB,CAC7D,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,EACtD,IAAI,EACJ,QAAQ,CACT,CAAA;YAED,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC;gBACzB,CAAC;gBACD,MAAM,EAAE,EAAE,GAAG,UAAU,EAAE,GAAG,UAAU,EAAE;gBACxC,IAAI,EAAE,YAAY;gBAClB,MAAM;gBACN,UAAU,EAAE,cAAc,CAAC,MAAM,CAAC;aACnC,CAAC,CAAA;YACF,OAAO,mBAAmB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;QACnD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,mBAAmB,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,WAAW,CAAC,CAAA;QAC7D,CAAC;IACH,CAAC,CAAA;IAED,IAAI,UAAU,KAAK,KAAK;QAAE,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;SAC/C,IAAI,UAAU,KAAK,MAAM;QAAE,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IAE3D,8DAA8D;IAC9D,0EAA0E;IAC1E,oEAAoE;IACpE,sEAAsE;IACtE,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE;QAC1B,kBAAkB,CAAC,CAAC,EAAE,WAAW,CAAC,CAAA;QAClC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,CAAU,EAAE,OAA+B;IACrE,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;AAC5E,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAkB,EAAE,OAA+B;IAC9E,IAAI,CAAC;QACH,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;YAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QACtF,OAAO,QAAQ,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,4EAA4E;QAC5E,0EAA0E;QAC1E,0EAA0E;QAC1E,MAAM,MAAM,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;QAC5C,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;YAAE,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QAC5E,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE;YACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,OAAO,EAAE,MAAM;SAChB,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAY;IAC3C,OAAO,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC,CAAA;AAC7D,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,aAAa,CAAC,GAAY;IACjC,MAAM,OAAO,GAAuB,yBAAyB,CAAC,GAAG,CAAC;QAChE,CAAC,CAAC,GAAG,CAAC,oBAAoB,EAAE;QAC5B,CAAC,CAAC;YACE,IAAI,EAAE,kBAAkB,CAAC,cAAc;YACvC,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB;SAC/D,CAAA;IACL,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,qBAAqB,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;AAC3F,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS,EAAE,CAAS;IACpC,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAA;IAChB,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAA;IAChB,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IACjD,MAAM,KAAK,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAA;IAC7C,OAAO,GAAG,IAAI,GAAG,KAAK,EAAE,IAAI,GAAG,CAAA;AACjC,CAAC;AAED,oEAAoE;AACpE,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,IAAI;SACR,OAAO,CAAC,cAAc,EAAE,SAAS,CAAC;SAClC,OAAO,CAAC,cAAc,EAAE,SAAS,CAAC;SAClC,OAAO,CAAC,YAAY,EAAE,KAAK,CAAC,CAAA;AACjC,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAa;IACtC,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAA;AAChD,CAAC"}
+{"version":3,"file":"auxiliary-routes.js","sourceRoot":"","sources":["../../src/server/auxiliary-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAOH,OAAO,EACL,yBAAyB,EACzB,kBAAkB,EAClB,qBAAqB,GAEtB,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,aAAa,EACb,SAAS,EACT,kBAAkB,EAClB,gBAAgB,GAGjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAmB,MAAM,2BAA2B,CAAA;AAQ7E,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AACxD,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AACjF,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AA0BrE,MAAM,UAAU,oBAAoB,CAAQ,MAAoC;IAC9E,MAAM,EACJ,GAAG,EACH,GAAG,EACH,KAAK,EACL,YAAY,EACZ,eAAe,EACf,sBAAsB,EACtB,IAAI,EACJ,UAAU,EACV,IAAI,GACL,GAAG,MAAM,CAAA;IAEV,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,WAAW,CAAA;IACpD,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAA;IAE1C,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;QAC1B,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;YAClC,IAAI,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM;gBAAE,SAAQ;YACrC,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAA;YACzE,UAAU,CAAC;gBACT,GAAG;gBACH,OAAO;gBACP,UAAU;gBACV,aAAa,EAAE,KAAK;gBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ;gBACR,WAAW;gBACX,sEAAsE;gBACtE,qEAAqE;gBACrE,kEAAkE;gBAClE,0CAA0C;gBAC1C,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;oBACjC,IAAI,GAAG,CAAC,SAAS;wBAAE,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;oBAC/E,OAAO,GAAG,CAAC,MAAO,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;gBAC/C,CAAC;aACF,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IAAI,eAAe,IAAI,sBAAsB,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YAC1D,MAAM,OAAO,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAA;YAC5C,IAAI,CAAC,OAAO;gBAAE,SAAQ;YACtB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,iBAAiB,EAAE,IAAI,EAAE,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAA;YAC9F,UAAU,CAAC;gBACT,GAAG;gBACH,OAAO;gBACP,UAAU;gBACV,aAAa,EAAE,MAAM;gBACrB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ;gBACR,WAAW;gBACX,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;oBAC7C,MAAM,UAAU,GAAG,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;oBACjD,MAAM,OAAO,GAAY,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;oBAC7D,MAAM,UAAU,GAAG,cAAc,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,CAAA;oBAC3D,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;wBACnB,MAAM,IAAI,kBAAkB,CAAC,UAAU,CAAC,MAAsC,CAAC,CAAA;oBACjF,CAAC;oBACD,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,CAAA;oBACtF,IAAI,GAAG,CAAC,SAAS;wBAAE,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;oBACzD,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBACrC,MAAM,aAAa,GAAG,cAAc,CAAC,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;oBAC9D,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;wBACtB,MAAM,IAAI,wBAAwB,CAChC,aAAa,CAAC,MAA4C,EAC1D,GAAG,CAAC,GAAG,CACR,CAAA;oBACH,CAAC;oBACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,aAAa,CAAC,IAAI,EAAE,CAAC,CAAA;gBAC/C,CAAC;aACF,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,8EAA8E;AAE9E;;;;GAIG;AACH,SAAS,kBAAkB,CACzB,IAAgC,EAChC,IAAY,EACZ,QAA0C;IAE1C,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAA;IAC7B,MAAM,IAAI,KAAK,CACb,oDAAoD,IAAI,KAAK,IAAI,KAAK;QACpE,6CAA6C,IAAI,4BAA4B,CAChF,CAAA;AACH,CAAC;AAqBD,MAAM,cAAc,GAAG,mBAAmB,CAAA;AAE1C,SAAS,UAAU,CAAC,IAAoB;IACtC,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,IAAI,CAAA;IAE1F,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IACnC,IAAI,CAAC,SAAS;QAAE,OAAM;IAEtB,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAA;IAC1C,IAAI,MAAM,CAAC,WAAW,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC;QAAE,OAAM;IAEhF,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC,CAAA;IACrE,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAA;IACrC,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,EAAE,MAAM,IAAI,aAAa,CAAA;IACzD,4EAA4E;IAC5E,2EAA2E;IAC3E,6EAA6E;IAC7E,6CAA6C;IAC7C,IAAI,UAAU,KAAK,KAAK,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CACb,kDAAkD,UAAU,gBAAgB,QAAQ,KAAK;YACvF,kEAAkE,CACrE,CAAA;IACH,CAAC;IACD,0EAA0E;IAC1E,wEAAwE;IACxE,uDAAuD;IACvD,MAAM,WAAW,GACf,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACpF,MAAM,cAAc,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAA;IAExD,MAAM,OAAO,GAAG,KAAK,EAAE,CAAU,EAAqB,EAAE;QACtD,0EAA0E;QAC1E,2EAA2E;QAC3E,2EAA2E;QAC3E,yDAAyD;QACzD,kBAAkB,CAAC,CAAC,EAAE,WAAW,CAAC,CAAA;QAClC,IAAI,CAAC;YACH,IAAI,UAAU,GAA2B,EAAE,CAAA;YAC3C,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;gBAChE,IAAI,CAAC,KAAK;oBAAE,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAA;gBAC/B,UAAU,GAAG,KAAK,CAAA;YACpB,CAAC;YAED,MAAM,UAAU,GAA2B,EAAE,CAAA;YAC7C,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;gBAClC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC/B,IAAI,KAAK,KAAK,SAAS;oBAAE,UAAU,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAA;YACvE,CAAC;YAED,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,MAAM,kBAAkB,CAC7D,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,EACtD,IAAI,EACJ,QAAQ,CACT,CAAA;YAED,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC;gBACzB,CAAC;gBACD,MAAM,EAAE,EAAE,GAAG,UAAU,EAAE,GAAG,UAAU,EAAE;gBACxC,IAAI,EAAE,YAAY;gBAClB,MAAM;gBACN,UAAU,EAAE,cAAc,CAAC,MAAM,CAAC;aACnC,CAAC,CAAA;YACF,OAAO,mBAAmB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;QACnD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,mBAAmB,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,WAAW,CAAC,CAAA;QAC7D,CAAC;IACH,CAAC,CAAA;IAED,IAAI,UAAU,KAAK,KAAK;QAAE,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;SAC/C,IAAI,UAAU,KAAK,MAAM;QAAE,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IAE3D,8DAA8D;IAC9D,0EAA0E;IAC1E,oEAAoE;IACpE,sEAAsE;IACtE,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE;QAC1B,kBAAkB,CAAC,CAAC,EAAE,WAAW,CAAC,CAAA;QAClC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,CAAU,EAAE,OAA+B;IACrE,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;AAC5E,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAkB,EAAE,OAA+B;IAC9E,IAAI,CAAC;QACH,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;YAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QACtF,OAAO,QAAQ,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,4EAA4E;QAC5E,0EAA0E;QAC1E,0EAA0E;QAC1E,MAAM,MAAM,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;QAC5C,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;YAAE,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QAC5E,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE;YACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,OAAO,EAAE,MAAM;SAChB,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAY;IAC3C,OAAO,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC,CAAA;AAC7D,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,aAAa,CAAC,GAAY;IACjC,MAAM,OAAO,GAAuB,yBAAyB,CAAC,GAAG,CAAC;QAChE,CAAC,CAAC,GAAG,CAAC,oBAAoB,EAAE;QAC5B,CAAC,CAAC;YACE,IAAI,EAAE,kBAAkB,CAAC,cAAc;YACvC,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB;SAC/D,CAAA;IACL,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,qBAAqB,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;AAC3F,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS,EAAE,CAAS;IACpC,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAA;IAChB,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAA;IAChB,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IACjD,MAAM,KAAK,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAA;IAC7C,OAAO,GAAG,IAAI,GAAG,KAAK,EAAE,IAAI,GAAG,CAAA;AACjC,CAAC;AAED,oEAAoE;AACpE,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,IAAI;SACR,OAAO,CAAC,cAAc,EAAE,SAAS,CAAC;SAClC,OAAO,CAAC,cAAc,EAAE,SAAS,CAAC;SAClC,OAAO,CAAC,YAAY,EAAE,KAAK,CAAC,CAAA;AACjC,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAa;IACtC,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAA;AAChD,CAAC"}

package/dist/server/start.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../src/server/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAElD,wBAAsB,eAAe,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,SAAO,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAwBzF"}
+{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../src/server/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAElD,wBAAsB,eAAe,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,SAAO,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA4BzF"}

package/dist/server/start.js

@@ -6,7 +6,11 @@
  * Cloudflare, consumers go through `server.app.fetch` directly.
  */
 export async function startNodeServer(app, port = 3000) {
-    const { serve } = await import('@hono/node-server');
+    // Opaque specifier: the `./server` barrel re-exports this module, so worker
+    // bundles (wrangler/esbuild) traverse it even though they never call it. A
+    // literal import() would make them resolve the optional peer and fail.
+    const nodeServerModule = '@hono/node-server';
+    const { serve } = (await import(nodeServerModule));
     // oxlint-disable-next-line no-explicit-any
     const server = serve({ fetch: app.fetch, port });
     await new Promise((resolve, reject) => {

package/dist/server/start.js.map

@@ -1 +1 @@
-{"version":3,"file":"start.js","sourceRoot":"","sources":["../../src/server/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAS,EAAE,IAAI,GAAG,IAAI;IAC1D,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAA;IACnD,2CAA2C;IAC3C,MAAM,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,CAAQ,CAAA;IAEvD,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,IAAI,MAAM,CAAC,SAAS;YAAE,OAAO,OAAO,EAAE,CAAA;QACtC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAA;QACzC,sEAAsE;QACtE,yEAAyE;QACzE,mCAAmC;QACnC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;IACnD,CAAC,CAAC,CAAA;IAEF,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAA8C,CAAA;IAC5E,MAAM,UAAU,GAAG,OAAO,EAAE,IAAI,IAAI,IAAI,CAAA;IAExC,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACpC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAiB,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;QACtE,CAAC,CAAC;KACL,CAAA;AACH,CAAC"}
+{"version":3,"file":"start.js","sourceRoot":"","sources":["../../src/server/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAS,EAAE,IAAI,GAAG,IAAI;IAC1D,4EAA4E;IAC5E,2EAA2E;IAC3E,uEAAuE;IACvE,MAAM,gBAAgB,GAAG,mBAAmB,CAAA;IAC5C,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAuC,CAAA;IACxF,2CAA2C;IAC3C,MAAM,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,CAAQ,CAAA;IAEvD,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,IAAI,MAAM,CAAC,SAAS;YAAE,OAAO,OAAO,EAAE,CAAA;QACtC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAA;QACzC,sEAAsE;QACtE,yEAAyE;QACzE,mCAAmC;QACnC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;IACnD,CAAC,CAAC,CAAA;IAEF,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAA8C,CAAA;IAC5E,MAAM,UAAU,GAAG,OAAO,EAAE,IAAI,IAAI,IAAI,CAAA;IAExC,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACpC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAiB,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;QACtE,CAAC,CAAC;KACL,CAAA;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@astrale-os/sdk",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "Astrale Remote Domain SDK - Define and deploy domains as standalone Hono servers",
   "keywords": [
     "astrale",
@@ -40,10 +40,10 @@
     "registry": "https://npm.pkg.github.com"
   },
   "dependencies": {
-    "@astrale-os/kernel-api": ">=0.4.0 <1.0.0",
-    "@astrale-os/kernel-client": ">=0.1.0 <1.0.0",
-    "@astrale-os/kernel-core": ">=0.3.0 <1.0.0",
-    "@astrale-os/kernel-dsl": ">=0.1.0 <1.0.0",
+    "@astrale-os/kernel-api": ">=0.4.5 <1.0.0",
+    "@astrale-os/kernel-client": ">=0.2.2 <1.0.0",
+    "@astrale-os/kernel-core": ">=0.4.3 <1.0.0",
+    "@astrale-os/kernel-dsl": ">=0.1.2 <1.0.0",
     "@astrale-os/kernel-server": ">=0.4.0 <1.0.0",
     "hono": "^4.6.20",
     "jose": "^6.1.3",

package/src/auth/compose.ts

@@ -18,6 +18,18 @@ import {
   unresolvedUnion,
 } from '@astrale-os/kernel-core'
 
+/**
+ * The composed identity expression: union of the caller's delegated access
+ * (a kernel-signed credential leaf) and the function's own identity (self).
+ *
+ * Used both as the grant on outbound kernel calls AND as the delegation
+ * expression when minting a NEXT-HOP credential — the next worker receives
+ * principal = this function, authority = union(caller's delegated, own).
+ */
+export function buildComposedExpr(delegation: Delegation) {
+  return unresolvedUnion(unresolvedCredential(delegation.credential), unresolvedSelf())
+}
+
 /**
  * Build the grant expression that unions the caller's delegated access
  * with the function's own identity.
@@ -26,6 +38,19 @@ import {
  * @returns The unresolved grant object with version and expression
  */
 export function buildComposedGrant(delegation: Delegation) {
-  const expr = unresolvedUnion(unresolvedCredential(delegation.credential), unresolvedSelf())
-  return { grant: createUnresolvedGrant(expr) }
+  return { grant: createUnresolvedGrant(buildComposedExpr(delegation)) }
+}
+
+/**
+ * The SELF-ONLY expression: the function's own identity, nothing delegated.
+ * Used by `selfKernel` sessions (public/webhook handlers acting on their own
+ * authority) — both as the credential grant and as the next-hop delegation.
+ */
+export function buildSelfExpr() {
+  return unresolvedSelf()
+}
+
+/** Self-only grant for `selfKernel` credentials. */
+export function buildSelfGrant() {
+  return { grant: createUnresolvedGrant(buildSelfExpr()) }
 }

package/src/auth/kernel-client.ts

@@ -16,6 +16,7 @@
  */
 
 import type { Delegation } from '@astrale-os/kernel-core'
+import type { UnresolvedIdentityExpr } from '@astrale-os/kernel-core'
 
 import { KernelClient, SchemaRegistry, type FnMap } from '@astrale-os/kernel-client'
 import { ClientPool } from '@astrale-os/kernel-client/pool'
@@ -23,11 +24,16 @@ import { ClientSession, type BoundClientSessionView } from '@astrale-os/kernel-c
 
 import type { RemoteIdentityConfig } from './identity'
 
-import { buildComposedGrant } from './compose'
+import { buildComposedExpr, buildComposedGrant, buildSelfExpr, buildSelfGrant } from './compose'
 import { signCredential } from './sign'
 
 const DELEGATION_TTL_SECONDS = 3600
 
+// The kernel's whoami — returns the AUTHENTICATED principal's graph node, so
+// the resolved id satisfies the mint syscall's `self.id === auth.principal`
+// invariant by construction (same seam the shell uses to resolve self).
+const WHOAMI_PATH = '/:kernel.astrale.ai:interface.Identity:whoami'
+
 // Shared per kernel URL — the expensive, identity-agnostic state. Sessions are
 // NOT shared (each binds a subject-specific delegation mint), but the pool
 // (connections) and registry (learned schemas) are reused across them.
@@ -65,8 +71,36 @@ export async function bindKernel(
   kernelUrl: string,
   config: RemoteIdentityConfig,
 ): Promise<BoundClientSessionView<FnMap>> {
-  const { grant } = buildComposedGrant(delegation)
-  const composed = await signCredential(
+  return bindSession(kernelUrl, config, buildComposedGrant(delegation).grant, () =>
+    buildComposedExpr(delegation),
+  )
+}
+
+/**
+ * Build a `BoundClientSessionView` authenticated as the FUNCTION'S OWN
+ * identity — no inbound delegation, authority = the function's own grants
+ * only. The seam behind `selfKernel` for public/webhook handlers: an HMAC- or
+ * signature-verified webhook can act on the graph as itself after verifying
+ * the upstream. Next-hop mints delegate self only.
+ */
+export async function bindSelfKernel(
+  kernelUrl: string,
+  config: RemoteIdentityConfig,
+): Promise<BoundClientSessionView<FnMap>> {
+  return bindSession(kernelUrl, config, buildSelfGrant().grant, () => buildSelfExpr())
+}
+
+/**
+ * Shared session construction: sign a credential as this function's identity
+ * carrying `grant`, bind the session to it, and wire the lazy NEXT-HOP mint.
+ */
+async function bindSession(
+  kernelUrl: string,
+  config: RemoteIdentityConfig,
+  grant: unknown,
+  nextHopDelegation: () => UnresolvedIdentityExpr,
+): Promise<BoundClientSessionView<FnMap>> {
+  const credential = await signCredential(
     { grant },
     {
       issuer: config.issuer,
@@ -83,15 +117,21 @@ export async function bindKernel(
     schema: getRegistry(kernelUrl),
     pool: getPool(kernelUrl),
     delegation: {
-      // `@<subject>::mintDelegationCredential` satisfies the syscall's
-      // `self.id === auth.principal` invariant (composed's subject IS the
-      // principal). `skipDelegation` keeps this mint from re-entering itself —
-      // it targets the kernel (same origin), so no delegation is needed.
+      // NEXT-HOP mint: each hop mints AS ITSELF. The anchor is this function's
+      // identity NODE id (resolved via whoami — `@` only accepts node ids, not
+      // paths), so `self.id === auth.principal` holds by construction. The
+      // minted delegation carries the session's authority expression (composed
+      // for delegated sessions, self-only for selfKernel): the next worker
+      // sees WHO called it while inheriting exactly that authority.
+      // `skipDelegation` keeps the whoami + mint from re-entering this
+      // closure — both target the kernel (same origin), so no delegation is
+      // needed.
       mint: async (audience) => {
+        const selfId = await resolveSelfId(session, credential, kernelUrl, config)
         const envelope = await session.call(
-          `@${config.subject}::mintDelegationCredential`,
-          { audience, delegation: { kind: 'identity', self: true }, ttl: DELEGATION_TTL_SECONDS },
-          { credential: composed, skipDelegation: true },
+          `@${selfId}::mintDelegationCredential`,
+          { audience, delegation: nextHopDelegation(), ttl: DELEGATION_TTL_SECONDS },
+          { credential, skipDelegation: true },
         )
         if (typeof envelope !== 'string') {
           throw new Error(
@@ -103,5 +143,57 @@ export async function bindKernel(
       ttl: DELEGATION_TTL_SECONDS,
     },
   })
-  return session.as(composed)
+  return session.as(credential)
+}
+
+/**
+ * Build the `selfKernel` accessor handed to remote-function handlers.
+ * Resolves the kernel URL from the explicit argument or `deps.KERNEL_URL`
+ * (a public request carries no credential, so the parent kernel cannot be
+ * inferred — it must be configured).
+ */
+export function makeSelfKernel(
+  identity: RemoteIdentityConfig,
+  deps: unknown,
+): (kernelUrl?: string) => Promise<BoundClientSessionView<FnMap>> {
+  return async (kernelUrl?: string) => {
+    const url = kernelUrl ?? (deps as { KERNEL_URL?: unknown } | null | undefined)?.KERNEL_URL
+    if (typeof url !== 'string' || url.length === 0) {
+      throw new Error(
+        'selfKernel: no kernel URL — pass one explicitly or set KERNEL_URL in the worker env ' +
+          '(managed deploys set it automatically).',
+      )
+    }
+    return bindSelfKernel(url, identity)
+  }
+}
+
+// Function-identity node ids, cached per (kernel, issuer, subject). Sessions
+// are per-request, but a function's identity node is stable for the worker's
+// lifetime — one whoami per function, not one per redirect.
+const selfIds = new Map<string, string>()
+
+/**
+ * Resolve THIS function's identity node id on the parent kernel via whoami,
+ * authenticated with the composed credential (whose principal IS the function).
+ */
+async function resolveSelfId(
+  session: ClientSession<FnMap>,
+  credential: string,
+  kernelUrl: string,
+  config: RemoteIdentityConfig,
+): Promise<string> {
+  const key = `${kernelUrl}|${config.issuer}|${config.subject}`
+  const cached = selfIds.get(key)
+  if (cached) return cached
+  const me = (await session.call(WHOAMI_PATH, {}, { credential, skipDelegation: true })) as {
+    id?: string
+  } | null
+  if (!me?.id) {
+    throw new Error(
+      `whoami returned no identity node for ${config.subject} — cannot anchor the next-hop delegation mint`,
+    )
+  }
+  selfIds.set(key, me.id)
+  return me.id
 }

package/src/define/remote-function.ts

@@ -48,6 +48,16 @@ export type RemoteFunctionContext<TParams, TDeps = unknown> = {
    * `Identity.mintDelegationCredential` + the target method's grants.
    */
   callRemote: CallRemoteFn
+  /**
+   * Acquire a kernel session authenticated as THIS FUNCTION'S OWN identity —
+   * authority = the function's own grants only, no caller delegation. The
+   * webhook seam: when an `auth: 'public'` upstream can't carry an Astrale
+   * token (HMAC-signature webhooks, Stripe-style), VERIFY THE UPSTREAM'S
+   * SIGNATURE FIRST, then act on the graph as yourself. `kernelUrl` defaults
+   * to `deps.KERNEL_URL` (set automatically on managed deploys); pass it
+   * explicitly for other targets.
+   */
+  selfKernel: (kernelUrl?: string) => Promise<BoundClientSessionView<FnMap>>
 }
 
 export type RemoteFunctionDef<TParams = unknown, TResult = unknown, TDeps = unknown> = {

package/src/server/auxiliary-routes.ts

@@ -39,6 +39,7 @@ import type { ViewDef } from '../define/view'
 import type { CallRemoteFn } from '../dispatch/call-remote'
 import type { AuxIdentityMap } from '../dispatch/identity'
 
+import { makeSelfKernel } from '../auth/kernel-client'
 import { resolveInboundAuth } from '../auth/resolve'
 import { runAuthorize } from '../dispatch/authorize'
 import { makeCallRemote } from '../dispatch/call-remote'
@@ -124,12 +125,13 @@ export function mountAuxiliaryRoutes<TDeps>(config: AuxiliaryRoutesConfig<TDeps>
         identity,
         corsHeaders,
         run: async ({ c, auth, kernel, callRemote }) => {
+          const selfKernel = makeSelfKernel(identity, deps)
           const rawBody: unknown = await c.req.json().catch(() => ({}))
           const validation = validateParams(def.inputSchema, rawBody)
           if (!validation.ok) {
             throw new SdkValidationError(validation.issues as SdkValidationError['issues'])
           }
-          const ctx = { params: validation.data, c, auth, deps, kernel, callRemote }
+          const ctx = { params: validation.data, c, auth, deps, kernel, callRemote, selfKernel }
           if (def.authorize) await runAuthorize(def.authorize, ctx)
           const result = await def.execute(ctx)
           const outValidation = validateResult(def.outputSchema, result)

package/src/server/start.ts

@@ -11,7 +11,11 @@ import type { Hono } from 'hono'
 import type { RemoteServerHandle } from './handle'
 
 export async function startNodeServer(app: Hono, port = 3000): Promise<RemoteServerHandle> {
-  const { serve } = await import('@hono/node-server')
+  // Opaque specifier: the `./server` barrel re-exports this module, so worker
+  // bundles (wrangler/esbuild) traverse it even though they never call it. A
+  // literal import() would make them resolve the optional peer and fail.
+  const nodeServerModule = '@hono/node-server'
+  const { serve } = (await import(nodeServerModule)) as typeof import('@hono/node-server')
   // oxlint-disable-next-line no-explicit-any
   const server = serve({ fetch: app.fetch, port }) as any