@astrale-os/sdk 0.1.2 → 0.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/auth/compose.d.ts +19 -0
- package/dist/auth/compose.d.ts.map +1 -1
- package/dist/auth/compose.js +24 -2
- package/dist/auth/compose.js.map +1 -1
- package/dist/auth/kernel-client.d.ts +15 -0
- package/dist/auth/kernel-client.d.ts.map +1 -1
- package/dist/auth/kernel-client.js +82 -9
- package/dist/auth/kernel-client.js.map +1 -1
- package/dist/define/remote-function.d.ts +10 -0
- package/dist/define/remote-function.d.ts.map +1 -1
- package/dist/define/remote-function.js.map +1 -1
- package/dist/server/auxiliary-routes.d.ts.map +1 -1
- package/dist/server/auxiliary-routes.js +3 -1
- package/dist/server/auxiliary-routes.js.map +1 -1
- package/dist/server/start.d.ts.map +1 -1
- package/dist/server/start.js +5 -1
- package/dist/server/start.js.map +1 -1
- package/package.json +5 -5
- package/src/auth/compose.ts +27 -2
- package/src/auth/kernel-client.ts +114 -11
- package/src/define/remote-function.ts +10 -0
- package/src/server/auxiliary-routes.ts +3 -1
- package/src/server/start.ts +5 -1
package/dist/auth/compose.d.ts
CHANGED
|
@@ -9,6 +9,15 @@
|
|
|
9
9
|
* identity. Union means either identity's permissions work.
|
|
10
10
|
*/
|
|
11
11
|
import type { Delegation } from '@astrale-os/kernel-core';
|
|
12
|
+
/**
|
|
13
|
+
* The composed identity expression: union of the caller's delegated access
|
|
14
|
+
* (a kernel-signed credential leaf) and the function's own identity (self).
|
|
15
|
+
*
|
|
16
|
+
* Used both as the grant on outbound kernel calls AND as the delegation
|
|
17
|
+
* expression when minting a NEXT-HOP credential — the next worker receives
|
|
18
|
+
* principal = this function, authority = union(caller's delegated, own).
|
|
19
|
+
*/
|
|
20
|
+
export declare function buildComposedExpr(delegation: Delegation): import("@astrale-os/kernel-core").UnresolvedIdentityExpr;
|
|
12
21
|
/**
|
|
13
22
|
* Build the grant expression that unions the caller's delegated access
|
|
14
23
|
* with the function's own identity.
|
|
@@ -19,4 +28,14 @@ import type { Delegation } from '@astrale-os/kernel-core';
|
|
|
19
28
|
export declare function buildComposedGrant(delegation: Delegation): {
|
|
20
29
|
grant: import("@astrale-os/kernel-core").UnresolvedGrant;
|
|
21
30
|
};
|
|
31
|
+
/**
|
|
32
|
+
* The SELF-ONLY expression: the function's own identity, nothing delegated.
|
|
33
|
+
* Used by `selfKernel` sessions (public/webhook handlers acting on their own
|
|
34
|
+
* authority) — both as the credential grant and as the next-hop delegation.
|
|
35
|
+
*/
|
|
36
|
+
export declare function buildSelfExpr(): import("@astrale-os/kernel-core").UnresolvedIdentityExpr;
|
|
37
|
+
/** Self-only grant for `selfKernel` credentials. */
|
|
38
|
+
export declare function buildSelfGrant(): {
|
|
39
|
+
grant: import("@astrale-os/kernel-core").UnresolvedGrant;
|
|
40
|
+
};
|
|
22
41
|
//# sourceMappingURL=compose.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../../src/auth/compose.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AASzD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,UAAU;
|
|
1
|
+
{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../../src/auth/compose.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AASzD;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,UAAU,4DAEvD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,UAAU;IAC9C,KAAK;EACf;AAED;;;;GAIG;AACH,wBAAgB,aAAa,6DAE5B;AAED,oDAAoD;AACpD,wBAAgB,cAAc;IACnB,KAAK;EACf"}
|
package/dist/auth/compose.js
CHANGED
|
@@ -9,6 +9,17 @@
|
|
|
9
9
|
* identity. Union means either identity's permissions work.
|
|
10
10
|
*/
|
|
11
11
|
import { createUnresolvedGrant, unresolvedCredential, unresolvedSelf, unresolvedUnion, } from '@astrale-os/kernel-core';
|
|
12
|
+
/**
|
|
13
|
+
* The composed identity expression: union of the caller's delegated access
|
|
14
|
+
* (a kernel-signed credential leaf) and the function's own identity (self).
|
|
15
|
+
*
|
|
16
|
+
* Used both as the grant on outbound kernel calls AND as the delegation
|
|
17
|
+
* expression when minting a NEXT-HOP credential — the next worker receives
|
|
18
|
+
* principal = this function, authority = union(caller's delegated, own).
|
|
19
|
+
*/
|
|
20
|
+
export function buildComposedExpr(delegation) {
|
|
21
|
+
return unresolvedUnion(unresolvedCredential(delegation.credential), unresolvedSelf());
|
|
22
|
+
}
|
|
12
23
|
/**
|
|
13
24
|
* Build the grant expression that unions the caller's delegated access
|
|
14
25
|
* with the function's own identity.
|
|
@@ -17,7 +28,18 @@ import { createUnresolvedGrant, unresolvedCredential, unresolvedSelf, unresolved
|
|
|
17
28
|
* @returns The unresolved grant object with version and expression
|
|
18
29
|
*/
|
|
19
30
|
export function buildComposedGrant(delegation) {
|
|
20
|
-
|
|
21
|
-
|
|
31
|
+
return { grant: createUnresolvedGrant(buildComposedExpr(delegation)) };
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* The SELF-ONLY expression: the function's own identity, nothing delegated.
|
|
35
|
+
* Used by `selfKernel` sessions (public/webhook handlers acting on their own
|
|
36
|
+
* authority) — both as the credential grant and as the next-hop delegation.
|
|
37
|
+
*/
|
|
38
|
+
export function buildSelfExpr() {
|
|
39
|
+
return unresolvedSelf();
|
|
40
|
+
}
|
|
41
|
+
/** Self-only grant for `selfKernel` credentials. */
|
|
42
|
+
export function buildSelfGrant() {
|
|
43
|
+
return { grant: createUnresolvedGrant(buildSelfExpr()) };
|
|
22
44
|
}
|
|
23
45
|
//# sourceMappingURL=compose.js.map
|
package/dist/auth/compose.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"compose.js","sourceRoot":"","sources":["../../src/auth/compose.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,cAAc,EACd,eAAe,GAChB,MAAM,yBAAyB,CAAA;AAEhC;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAsB;IACvD,
|
|
1
|
+
{"version":3,"file":"compose.js","sourceRoot":"","sources":["../../src/auth/compose.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,cAAc,EACd,eAAe,GAChB,MAAM,yBAAyB,CAAA;AAEhC;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,UAAsB;IACtD,OAAO,eAAe,CAAC,oBAAoB,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,cAAc,EAAE,CAAC,CAAA;AACvF,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAsB;IACvD,OAAO,EAAE,KAAK,EAAE,qBAAqB,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC,EAAE,CAAA;AACxE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,cAAc,EAAE,CAAA;AACzB,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,cAAc;IAC5B,OAAO,EAAE,KAAK,EAAE,qBAAqB,CAAC,aAAa,EAAE,CAAC,EAAE,CAAA;AAC1D,CAAC"}
|
|
@@ -25,4 +25,19 @@ import type { RemoteIdentityConfig } from './identity';
|
|
|
25
25
|
* worker-scoped delegation via `@<subject>::mintDelegationCredential`.
|
|
26
26
|
*/
|
|
27
27
|
export declare function bindKernel(delegation: Delegation, kernelUrl: string, config: RemoteIdentityConfig): Promise<BoundClientSessionView<FnMap>>;
|
|
28
|
+
/**
|
|
29
|
+
* Build a `BoundClientSessionView` authenticated as the FUNCTION'S OWN
|
|
30
|
+
* identity — no inbound delegation, authority = the function's own grants
|
|
31
|
+
* only. The seam behind `selfKernel` for public/webhook handlers: an HMAC- or
|
|
32
|
+
* signature-verified webhook can act on the graph as itself after verifying
|
|
33
|
+
* the upstream. Next-hop mints delegate self only.
|
|
34
|
+
*/
|
|
35
|
+
export declare function bindSelfKernel(kernelUrl: string, config: RemoteIdentityConfig): Promise<BoundClientSessionView<FnMap>>;
|
|
36
|
+
/**
|
|
37
|
+
* Build the `selfKernel` accessor handed to remote-function handlers.
|
|
38
|
+
* Resolves the kernel URL from the explicit argument or `deps.KERNEL_URL`
|
|
39
|
+
* (a public request carries no credential, so the parent kernel cannot be
|
|
40
|
+
* inferred — it must be configured).
|
|
41
|
+
*/
|
|
42
|
+
export declare function makeSelfKernel(identity: RemoteIdentityConfig, deps: unknown): (kernelUrl?: string) => Promise<BoundClientSessionView<FnMap>>;
|
|
28
43
|
//# sourceMappingURL=kernel-client.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"kernel-client.d.ts","sourceRoot":"","sources":["../../src/auth/kernel-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;
|
|
1
|
+
{"version":3,"file":"kernel-client.d.ts","sourceRoot":"","sources":["../../src/auth/kernel-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAGzD,OAAO,EAAgC,KAAK,KAAK,EAAE,MAAM,2BAA2B,CAAA;AAEpF,OAAO,EAAiB,KAAK,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAE9F,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAsCtD;;;;;GAKG;AACH,wBAAsB,UAAU,CAC9B,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAIxC;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAExC;AAiED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,oBAAoB,EAC9B,IAAI,EAAE,OAAO,GACZ,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAehE"}
|
|
@@ -17,9 +17,13 @@
|
|
|
17
17
|
import { KernelClient, SchemaRegistry } from '@astrale-os/kernel-client';
|
|
18
18
|
import { ClientPool } from '@astrale-os/kernel-client/pool';
|
|
19
19
|
import { ClientSession } from '@astrale-os/kernel-client/session';
|
|
20
|
-
import { buildComposedGrant } from './compose';
|
|
20
|
+
import { buildComposedExpr, buildComposedGrant, buildSelfExpr, buildSelfGrant } from './compose';
|
|
21
21
|
import { signCredential } from './sign';
|
|
22
22
|
const DELEGATION_TTL_SECONDS = 3600;
|
|
23
|
+
// The kernel's whoami — returns the AUTHENTICATED principal's graph node, so
|
|
24
|
+
// the resolved id satisfies the mint syscall's `self.id === auth.principal`
|
|
25
|
+
// invariant by construction (same seam the shell uses to resolve self).
|
|
26
|
+
const WHOAMI_PATH = '/:kernel.astrale.ai:interface.Identity:whoami';
|
|
23
27
|
// Shared per kernel URL — the expensive, identity-agnostic state. Sessions are
|
|
24
28
|
// NOT shared (each binds a subject-specific delegation mint), but the pool
|
|
25
29
|
// (connections) and registry (learned schemas) are reused across them.
|
|
@@ -51,12 +55,35 @@ function getPool(url) {
|
|
|
51
55
|
* worker-scoped delegation via `@<subject>::mintDelegationCredential`.
|
|
52
56
|
*/
|
|
53
57
|
export async function bindKernel(delegation, kernelUrl, config) {
|
|
54
|
-
|
|
55
|
-
|
|
58
|
+
return bindSession(kernelUrl, config, buildComposedGrant(delegation).grant, () => buildComposedExpr(delegation));
|
|
59
|
+
}
|
|
60
|
+
/**
|
|
61
|
+
* Build a `BoundClientSessionView` authenticated as the FUNCTION'S OWN
|
|
62
|
+
* identity — no inbound delegation, authority = the function's own grants
|
|
63
|
+
* only. The seam behind `selfKernel` for public/webhook handlers: an HMAC- or
|
|
64
|
+
* signature-verified webhook can act on the graph as itself after verifying
|
|
65
|
+
* the upstream. Next-hop mints delegate self only.
|
|
66
|
+
*/
|
|
67
|
+
export async function bindSelfKernel(kernelUrl, config) {
|
|
68
|
+
return bindSession(kernelUrl, config, buildSelfGrant().grant, () => buildSelfExpr());
|
|
69
|
+
}
|
|
70
|
+
/**
|
|
71
|
+
* Shared session construction: sign a credential as this function's identity
|
|
72
|
+
* carrying `grant`, bind the session to it, and wire the lazy NEXT-HOP mint.
|
|
73
|
+
*/
|
|
74
|
+
async function bindSession(kernelUrl, config, grant, nextHopDelegation) {
|
|
75
|
+
const credential = await signCredential({ grant }, {
|
|
56
76
|
issuer: config.issuer,
|
|
57
77
|
subject: config.subject,
|
|
58
78
|
audience: kernelUrl,
|
|
59
79
|
privateKey: config.privateKey,
|
|
80
|
+
// Long-running handlers (a managed INSTALL saga easily runs minutes on a
|
|
81
|
+
// cold box) make kernel callbacks throughout — the default 60s wall left
|
|
82
|
+
// them unable to even write their own failure records (observed live:
|
|
83
|
+
// install wedged at 'installing' forever). The session credential is
|
|
84
|
+
// per-request and aud-bound; delegated AUTHORITY still expires with the
|
|
85
|
+
// inner delegation's own exp.
|
|
86
|
+
ttl: '30m',
|
|
60
87
|
});
|
|
61
88
|
// Self-reference in the mint closure is lazy — it only fires on a delegation
|
|
62
89
|
// cache miss while following a redirect, long after construction.
|
|
@@ -65,12 +92,18 @@ export async function bindKernel(delegation, kernelUrl, config) {
|
|
|
65
92
|
schema: getRegistry(kernelUrl),
|
|
66
93
|
pool: getPool(kernelUrl),
|
|
67
94
|
delegation: {
|
|
68
|
-
//
|
|
69
|
-
//
|
|
70
|
-
//
|
|
71
|
-
//
|
|
95
|
+
// NEXT-HOP mint: each hop mints AS ITSELF. The anchor is this function's
|
|
96
|
+
// identity NODE id (resolved via whoami — `@` only accepts node ids, not
|
|
97
|
+
// paths), so `self.id === auth.principal` holds by construction. The
|
|
98
|
+
// minted delegation carries the session's authority expression (composed
|
|
99
|
+
// for delegated sessions, self-only for selfKernel): the next worker
|
|
100
|
+
// sees WHO called it while inheriting exactly that authority.
|
|
101
|
+
// `skipDelegation` keeps the whoami + mint from re-entering this
|
|
102
|
+
// closure — both target the kernel (same origin), so no delegation is
|
|
103
|
+
// needed.
|
|
72
104
|
mint: async (audience) => {
|
|
73
|
-
const
|
|
105
|
+
const selfId = await resolveSelfId(session, credential, kernelUrl, config);
|
|
106
|
+
const envelope = await session.call(`@${selfId}::mintDelegationCredential`, { audience, delegation: nextHopDelegation(), ttl: DELEGATION_TTL_SECONDS }, { credential, skipDelegation: true });
|
|
74
107
|
if (typeof envelope !== 'string') {
|
|
75
108
|
throw new Error(`mintDelegationCredential returned ${typeof envelope}, expected a credential string`);
|
|
76
109
|
}
|
|
@@ -79,6 +112,46 @@ export async function bindKernel(delegation, kernelUrl, config) {
|
|
|
79
112
|
ttl: DELEGATION_TTL_SECONDS,
|
|
80
113
|
},
|
|
81
114
|
});
|
|
82
|
-
return session.as(
|
|
115
|
+
return session.as(credential);
|
|
116
|
+
}
|
|
117
|
+
/**
|
|
118
|
+
* Build the `selfKernel` accessor handed to remote-function handlers.
|
|
119
|
+
* Resolves the kernel URL from the explicit argument or `deps.KERNEL_URL`
|
|
120
|
+
* (a public request carries no credential, so the parent kernel cannot be
|
|
121
|
+
* inferred — it must be configured).
|
|
122
|
+
*/
|
|
123
|
+
export function makeSelfKernel(identity, deps) {
|
|
124
|
+
return async (kernelUrl) => {
|
|
125
|
+
const env = deps;
|
|
126
|
+
// Prefer the INSTANCE kernel (the graph this domain is installed on);
|
|
127
|
+
// KERNEL_URL on managed services is the HOST kernel (the box) — wrong
|
|
128
|
+
// graph for domain writes, kept only as a last-resort fallback.
|
|
129
|
+
const url = kernelUrl ?? env?.INSTANCE_KERNEL_URL ?? env?.KERNEL_URL;
|
|
130
|
+
if (typeof url !== 'string' || url.length === 0) {
|
|
131
|
+
throw new Error('selfKernel: no kernel URL — pass one explicitly or set INSTANCE_KERNEL_URL in the ' +
|
|
132
|
+
'worker env (managed deploys set it automatically).');
|
|
133
|
+
}
|
|
134
|
+
return bindSelfKernel(url, identity);
|
|
135
|
+
};
|
|
136
|
+
}
|
|
137
|
+
// Function-identity node ids, cached per (kernel, issuer, subject). Sessions
|
|
138
|
+
// are per-request, but a function's identity node is stable for the worker's
|
|
139
|
+
// lifetime — one whoami per function, not one per redirect.
|
|
140
|
+
const selfIds = new Map();
|
|
141
|
+
/**
|
|
142
|
+
* Resolve THIS function's identity node id on the parent kernel via whoami,
|
|
143
|
+
* authenticated with the composed credential (whose principal IS the function).
|
|
144
|
+
*/
|
|
145
|
+
async function resolveSelfId(session, credential, kernelUrl, config) {
|
|
146
|
+
const key = `${kernelUrl}|${config.issuer}|${config.subject}`;
|
|
147
|
+
const cached = selfIds.get(key);
|
|
148
|
+
if (cached)
|
|
149
|
+
return cached;
|
|
150
|
+
const me = (await session.call(WHOAMI_PATH, {}, { credential, skipDelegation: true }));
|
|
151
|
+
if (!me?.id) {
|
|
152
|
+
throw new Error(`whoami returned no identity node for ${config.subject} — cannot anchor the next-hop delegation mint`);
|
|
153
|
+
}
|
|
154
|
+
selfIds.set(key, me.id);
|
|
155
|
+
return me.id;
|
|
83
156
|
}
|
|
84
157
|
//# sourceMappingURL=kernel-client.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"kernel-client.js","sourceRoot":"","sources":["../../src/auth/kernel-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;
|
|
1
|
+
{"version":3,"file":"kernel-client.js","sourceRoot":"","sources":["../../src/auth/kernel-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,EAAE,YAAY,EAAE,cAAc,EAAc,MAAM,2BAA2B,CAAA;AACpF,OAAO,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAA;AAC3D,OAAO,EAAE,aAAa,EAA+B,MAAM,mCAAmC,CAAA;AAI9F,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAChG,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAA;AAEvC,MAAM,sBAAsB,GAAG,IAAI,CAAA;AAEnC,6EAA6E;AAC7E,4EAA4E;AAC5E,wEAAwE;AACxE,MAAM,WAAW,GAAG,+CAA+C,CAAA;AAEnE,+EAA+E;AAC/E,2EAA2E;AAC3E,uEAAuE;AACvE,MAAM,KAAK,GAAG,IAAI,GAAG,EAA6B,CAAA;AAClD,MAAM,UAAU,GAAG,IAAI,GAAG,EAA0B,CAAA;AAEpD,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAA;QAC/B,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IAC/B,CAAC;IACD,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,SAAS,OAAO,CAAC,GAAW;IAC1B,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC7B,IAAI,MAAM;QAAE,OAAO,MAAM,CAAA;IACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,CAAA;IACjC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAQ;QACjC,aAAa,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,YAAY,CAAQ,EAAE,GAAG,EAAE,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;KAC5E,CAAC,CAAA;IACF,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;IACpB,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAAsB,EACtB,SAAiB,EACjB,MAA4B;IAE5B,OAAO,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,kBAAkB,CAAC,UAAU,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,CAC/E,iBAAiB,CAAC,UAAU,CAAC,CAC9B,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,MAA4B;IAE5B,OAAO,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,EAAE,CAAC,CAAA;AACtF,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,WAAW,CACxB,SAAiB,EACjB,MAA4B,EAC5B,KAAc,EACd,iBAA+C;IAE/C,MAAM,UAAU,GAAG,MAAM,cAAc,CACrC,EAAE,KAAK,EAAE,EACT;QACE,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,QAAQ,EAAE,SAAS;QACnB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,yEAAyE;QACzE,yEAAyE;QACzE,sEAAsE;QACtE,qEAAqE;QACrE,wEAAwE;QACxE,8BAA8B;QAC9B,GAAG,EAAE,KAAK;KACX,CACF,CAAA;IAED,6EAA6E;IAC7E,kEAAkE;IAClE,MAAM,OAAO,GAAyB,IAAI,aAAa,CAAQ;QAC7D,OAAO,EAAE,SAAS;QAClB,MAAM,EAAE,WAAW,CAAC,SAAS,CAAC;QAC9B,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC;QACxB,UAAU,EAAE;YACV,yEAAyE;YACzE,yEAAyE;YACzE,qEAAqE;YACrE,yEAAyE;YACzE,qEAAqE;YACrE,8DAA8D;YAC9D,iEAAiE;YACjE,sEAAsE;YACtE,UAAU;YACV,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;gBACvB,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,CAAC,CAAA;gBAC1E,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CACjC,IAAI,MAAM,4BAA4B,EACtC,EAAE,QAAQ,EAAE,UAAU,EAAE,iBAAiB,EAAE,EAAE,GAAG,EAAE,sBAAsB,EAAE,EAC1E,EAAE,UAAU,EAAE,cAAc,EAAE,IAAI,EAAE,CACrC,CAAA;gBACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACjC,MAAM,IAAI,KAAK,CACb,qCAAqC,OAAO,QAAQ,gCAAgC,CACrF,CAAA;gBACH,CAAC;gBACD,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,EAAE,sBAAsB,EAAE,CAAA;YAC9D,CAAC;YACD,GAAG,EAAE,sBAAsB;SAC5B;KACF,CAAC,CAAA;IACF,OAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;AAC/B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,QAA8B,EAC9B,IAAa;IAEb,OAAO,KAAK,EAAE,SAAkB,EAAE,EAAE;QAClC,MAAM,GAAG,GAAG,IAAkF,CAAA;QAC9F,sEAAsE;QACtE,sEAAsE;QACtE,gEAAgE;QAChE,MAAM,GAAG,GAAG,SAAS,IAAI,GAAG,EAAE,mBAAmB,IAAI,GAAG,EAAE,UAAU,CAAA;QACpE,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CACb,oFAAoF;gBAClF,oDAAoD,CACvD,CAAA;QACH,CAAC;QACD,OAAO,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IACtC,CAAC,CAAA;AACH,CAAC;AAED,6EAA6E;AAC7E,6EAA6E;AAC7E,4DAA4D;AAC5D,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAA;AAEzC;;;GAGG;AACH,KAAK,UAAU,aAAa,CAC1B,OAA6B,EAC7B,UAAkB,EAClB,SAAiB,EACjB,MAA4B;IAE5B,MAAM,GAAG,GAAG,GAAG,SAAS,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAA;IAC7D,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC/B,IAAI,MAAM;QAAE,OAAO,MAAM,CAAA;IACzB,MAAM,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAE7E,CAAA;IACR,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,wCAAwC,MAAM,CAAC,OAAO,+CAA+C,CACtG,CAAA;IACH,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,CAAC,CAAA;IACvB,OAAO,EAAE,CAAC,EAAE,CAAA;AACd,CAAC"}
|
|
@@ -45,6 +45,16 @@ export type RemoteFunctionContext<TParams, TDeps = unknown> = {
|
|
|
45
45
|
* `Identity.mintDelegationCredential` + the target method's grants.
|
|
46
46
|
*/
|
|
47
47
|
callRemote: CallRemoteFn;
|
|
48
|
+
/**
|
|
49
|
+
* Acquire a kernel session authenticated as THIS FUNCTION'S OWN identity —
|
|
50
|
+
* authority = the function's own grants only, no caller delegation. The
|
|
51
|
+
* webhook seam: when an `auth: 'public'` upstream can't carry an Astrale
|
|
52
|
+
* token (HMAC-signature webhooks, Stripe-style), VERIFY THE UPSTREAM'S
|
|
53
|
+
* SIGNATURE FIRST, then act on the graph as yourself. `kernelUrl` defaults
|
|
54
|
+
* to `deps.KERNEL_URL` (set automatically on managed deploys); pass it
|
|
55
|
+
* explicitly for other targets.
|
|
56
|
+
*/
|
|
57
|
+
selfKernel: (kernelUrl?: string) => Promise<BoundClientSessionView<FnMap>>;
|
|
48
58
|
};
|
|
49
59
|
export type RemoteFunctionDef<TParams = unknown, TResult = unknown, TDeps = unknown> = {
|
|
50
60
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"remote-function.d.ts","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAChF,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC/E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AACnC,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAE5B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAE3D,MAAM,MAAM,qBAAqB,CAAC,OAAO,EAAE,KAAK,GAAG,OAAO,IAAI;IAC5D,4DAA4D;IAC5D,MAAM,EAAE,OAAO,CAAA;IACf,sEAAsE;IACtE,CAAC,EAAE,OAAO,CAAA;IACV,qEAAqE;IACrE,IAAI,EAAE,WAAW,GAAG,IAAI,CAAA;IACxB,6DAA6D;IAC7D,IAAI,EAAE,KAAK,CAAA;IACX;;;;;OAKG;IACH,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,GAAG,IAAI,CAAA;IAC5C;;;;;OAKG;IACH,UAAU,EAAE,YAAY,CAAA;
|
|
1
|
+
{"version":3,"file":"remote-function.d.ts","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAChF,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC/E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AACnC,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAE5B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAE3D,MAAM,MAAM,qBAAqB,CAAC,OAAO,EAAE,KAAK,GAAG,OAAO,IAAI;IAC5D,4DAA4D;IAC5D,MAAM,EAAE,OAAO,CAAA;IACf,sEAAsE;IACtE,CAAC,EAAE,OAAO,CAAA;IACV,qEAAqE;IACrE,IAAI,EAAE,WAAW,GAAG,IAAI,CAAA;IACxB,6DAA6D;IAC7D,IAAI,EAAE,KAAK,CAAA;IACX;;;;;OAKG;IACH,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,GAAG,IAAI,CAAA;IAC5C;;;;;OAKG;IACH,UAAU,EAAE,YAAY,CAAA;IACxB;;;;;;;;OAQG;IACH,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAAA;CAC3E,CAAA;AAED,MAAM,MAAM,iBAAiB,CAAC,OAAO,GAAG,OAAO,EAAE,OAAO,GAAG,OAAO,EAAE,KAAK,GAAG,OAAO,IAAI;IACrF;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,4CAA4C;IAC5C,WAAW,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC/B,wCAAwC;IACxC,YAAY,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAChC;;;;;;;;;OASG;IACH,OAAO,CAAC,EAAE,eAAe,CAAA;IACzB,uDAAuD;IACvD,IAAI,CAAC,EAAE,UAAU,CAAA;IACjB,yDAAyD;IACzD,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAChF,uCAAuC;IACvC,OAAO,EAAE,CAAC,GAAG,EAAE,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IACnF,2CAA2C;IAC3C,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB,CAAA;AAGD,MAAM,MAAM,oBAAoB,GAAG,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;AAEnE;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,GAAG,OAAO,EACpE,GAAG,EAAE,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,GAC9C,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAE5C"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"remote-function.js","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;
|
|
1
|
+
{"version":3,"file":"remote-function.js","sourceRoot":"","sources":["../../src/define/remote-function.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAiFH;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAA+C;IAE/C,OAAO,GAAG,CAAA;AACZ,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auxiliary-routes.d.ts","sourceRoot":"","sources":["../../src/server/auxiliary-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,OAAO,KAAK,EAAW,IAAI,EAAE,MAAM,MAAM,CAAA;AAQzC,OAAO,EAKL,KAAK,eAAe,EAErB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAoB,KAAK,UAAU,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAA;AACrE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;
|
|
1
|
+
{"version":3,"file":"auxiliary-routes.d.ts","sourceRoot":"","sources":["../../src/server/auxiliary-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,OAAO,KAAK,EAAW,IAAI,EAAE,MAAM,MAAM,CAAA;AAQzC,OAAO,EAKL,KAAK,eAAe,EAErB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAoB,KAAK,UAAU,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAA;AACrE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAS1D,MAAM,MAAM,qBAAqB,CAAC,KAAK,IAAI;IACzC,GAAG,EAAE,IAAI,CAAA;IACT,gFAAgF;IAChF,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAA;IACtC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;IAC9C,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;IACtD,sBAAsB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;IACxD,IAAI,EAAE,KAAK,CAAA;IACX;;;;OAIG;IACH,UAAU,EAAE,cAAc,CAAA;IAC1B;;;;;OAKG;IACH,IAAI,EAAE,UAAU,CAAA;CACjB,CAAA;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,qBAAqB,CAAC,KAAK,CAAC,GAAG,IAAI,CA4EtF"}
|
|
@@ -14,6 +14,7 @@
|
|
|
14
14
|
import { isKernelErrorClassifiable, KERNEL_ERROR_CODES, kernelErrorHttpStatus, } from '@astrale-os/kernel-api';
|
|
15
15
|
import { isSubdomainOf, matchHost, compileHostMatcher, parseUrlTemplate, } from '@astrale-os/kernel-api/routed';
|
|
16
16
|
import { buildCorsHeaders } from '@astrale-os/kernel-server';
|
|
17
|
+
import { makeSelfKernel } from '../auth/kernel-client';
|
|
17
18
|
import { resolveInboundAuth } from '../auth/resolve';
|
|
18
19
|
import { runAuthorize } from '../dispatch/authorize';
|
|
19
20
|
import { makeCallRemote } from '../dispatch/call-remote';
|
|
@@ -64,12 +65,13 @@ export function mountAuxiliaryRoutes(config) {
|
|
|
64
65
|
identity,
|
|
65
66
|
corsHeaders,
|
|
66
67
|
run: async ({ c, auth, kernel, callRemote }) => {
|
|
68
|
+
const selfKernel = makeSelfKernel(identity, deps);
|
|
67
69
|
const rawBody = await c.req.json().catch(() => ({}));
|
|
68
70
|
const validation = validateParams(def.inputSchema, rawBody);
|
|
69
71
|
if (!validation.ok) {
|
|
70
72
|
throw new SdkValidationError(validation.issues);
|
|
71
73
|
}
|
|
72
|
-
const ctx = { params: validation.data, c, auth, deps, kernel, callRemote };
|
|
74
|
+
const ctx = { params: validation.data, c, auth, deps, kernel, callRemote, selfKernel };
|
|
73
75
|
if (def.authorize)
|
|
74
76
|
await runAuthorize(def.authorize, ctx);
|
|
75
77
|
const result = await def.execute(ctx);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auxiliary-routes.js","sourceRoot":"","sources":["../../src/server/auxiliary-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAOH,OAAO,EACL,yBAAyB,EACzB,kBAAkB,EAClB,qBAAqB,GAEtB,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,aAAa,EACb,SAAS,EACT,kBAAkB,EAClB,gBAAgB,GAGjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAmB,MAAM,2BAA2B,CAAA;AAQ7E,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AACxD,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AACjF,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AA0BrE,MAAM,UAAU,oBAAoB,CAAQ,MAAoC;IAC9E,MAAM,EACJ,GAAG,EACH,GAAG,EACH,KAAK,EACL,YAAY,EACZ,eAAe,EACf,sBAAsB,EACtB,IAAI,EACJ,UAAU,EACV,IAAI,GACL,GAAG,MAAM,CAAA;IAEV,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,WAAW,CAAA;IACpD,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAA;IAE1C,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;QAC1B,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;YAClC,IAAI,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM;gBAAE,SAAQ;YACrC,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAA;YACzE,UAAU,CAAC;gBACT,GAAG;gBACH,OAAO;gBACP,UAAU;gBACV,aAAa,EAAE,KAAK;gBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ;gBACR,WAAW;gBACX,sEAAsE;gBACtE,qEAAqE;gBACrE,kEAAkE;gBAClE,0CAA0C;gBAC1C,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;oBACjC,IAAI,GAAG,CAAC,SAAS;wBAAE,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;oBAC/E,OAAO,GAAG,CAAC,MAAO,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;gBAC/C,CAAC;aACF,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IAAI,eAAe,IAAI,sBAAsB,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YAC1D,MAAM,OAAO,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAA;YAC5C,IAAI,CAAC,OAAO;gBAAE,SAAQ;YACtB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,iBAAiB,EAAE,IAAI,EAAE,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAA;YAC9F,UAAU,CAAC;gBACT,GAAG;gBACH,OAAO;gBACP,UAAU;gBACV,aAAa,EAAE,MAAM;gBACrB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ;gBACR,WAAW;gBACX,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;oBAC7C,MAAM,OAAO,GAAY,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;oBAC7D,MAAM,UAAU,GAAG,cAAc,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,CAAA;oBAC3D,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;wBACnB,MAAM,IAAI,kBAAkB,CAAC,UAAU,CAAC,MAAsC,CAAC,CAAA;oBACjF,CAAC;oBACD,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,CAAA;
|
|
1
|
+
{"version":3,"file":"auxiliary-routes.js","sourceRoot":"","sources":["../../src/server/auxiliary-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAOH,OAAO,EACL,yBAAyB,EACzB,kBAAkB,EAClB,qBAAqB,GAEtB,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,aAAa,EACb,SAAS,EACT,kBAAkB,EAClB,gBAAgB,GAGjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAmB,MAAM,2BAA2B,CAAA;AAQ7E,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AACxD,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AACjF,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AA0BrE,MAAM,UAAU,oBAAoB,CAAQ,MAAoC;IAC9E,MAAM,EACJ,GAAG,EACH,GAAG,EACH,KAAK,EACL,YAAY,EACZ,eAAe,EACf,sBAAsB,EACtB,IAAI,EACJ,UAAU,EACV,IAAI,GACL,GAAG,MAAM,CAAA;IAEV,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,WAAW,CAAA;IACpD,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAA;IAE1C,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;QAC1B,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;YAClC,IAAI,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM;gBAAE,SAAQ;YACrC,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAA;YACzE,UAAU,CAAC;gBACT,GAAG;gBACH,OAAO;gBACP,UAAU;gBACV,aAAa,EAAE,KAAK;gBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ;gBACR,WAAW;gBACX,sEAAsE;gBACtE,qEAAqE;gBACrE,kEAAkE;gBAClE,0CAA0C;gBAC1C,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;oBACjC,IAAI,GAAG,CAAC,SAAS;wBAAE,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;oBAC/E,OAAO,GAAG,CAAC,MAAO,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;gBAC/C,CAAC;aACF,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IAAI,eAAe,IAAI,sBAAsB,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YAC1D,MAAM,OAAO,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAA;YAC5C,IAAI,CAAC,OAAO;gBAAE,SAAQ;YACtB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,iBAAiB,EAAE,IAAI,EAAE,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAA;YAC9F,UAAU,CAAC;gBACT,GAAG;gBACH,OAAO;gBACP,UAAU;gBACV,aAAa,EAAE,MAAM;gBACrB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ;gBACR,WAAW;gBACX,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;oBAC7C,MAAM,UAAU,GAAG,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;oBACjD,MAAM,OAAO,GAAY,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;oBAC7D,MAAM,UAAU,GAAG,cAAc,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,CAAA;oBAC3D,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;wBACnB,MAAM,IAAI,kBAAkB,CAAC,UAAU,CAAC,MAAsC,CAAC,CAAA;oBACjF,CAAC;oBACD,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,CAAA;oBACtF,IAAI,GAAG,CAAC,SAAS;wBAAE,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;oBACzD,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBACrC,MAAM,aAAa,GAAG,cAAc,CAAC,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;oBAC9D,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;wBACtB,MAAM,IAAI,wBAAwB,CAChC,aAAa,CAAC,MAA4C,EAC1D,GAAG,CAAC,GAAG,CACR,CAAA;oBACH,CAAC;oBACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,aAAa,CAAC,IAAI,EAAE,CAAC,CAAA;gBAC/C,CAAC;aACF,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,8EAA8E;AAE9E;;;;GAIG;AACH,SAAS,kBAAkB,CACzB,IAAgC,EAChC,IAAY,EACZ,QAA0C;IAE1C,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAA;IAC7B,MAAM,IAAI,KAAK,CACb,oDAAoD,IAAI,KAAK,IAAI,KAAK;QACpE,6CAA6C,IAAI,4BAA4B,CAChF,CAAA;AACH,CAAC;AAqBD,MAAM,cAAc,GAAG,mBAAmB,CAAA;AAE1C,SAAS,UAAU,CAAC,IAAoB;IACtC,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,IAAI,CAAA;IAE1F,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IACnC,IAAI,CAAC,SAAS;QAAE,OAAM;IAEtB,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAA;IAC1C,IAAI,MAAM,CAAC,WAAW,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC;QAAE,OAAM;IAEhF,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC,CAAA;IACrE,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAA;IACrC,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,EAAE,MAAM,IAAI,aAAa,CAAA;IACzD,4EAA4E;IAC5E,2EAA2E;IAC3E,6EAA6E;IAC7E,6CAA6C;IAC7C,IAAI,UAAU,KAAK,KAAK,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CACb,kDAAkD,UAAU,gBAAgB,QAAQ,KAAK;YACvF,kEAAkE,CACrE,CAAA;IACH,CAAC;IACD,0EAA0E;IAC1E,wEAAwE;IACxE,uDAAuD;IACvD,MAAM,WAAW,GACf,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACpF,MAAM,cAAc,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAA;IAExD,MAAM,OAAO,GAAG,KAAK,EAAE,CAAU,EAAqB,EAAE;QACtD,0EAA0E;QAC1E,2EAA2E;QAC3E,2EAA2E;QAC3E,yDAAyD;QACzD,kBAAkB,CAAC,CAAC,EAAE,WAAW,CAAC,CAAA;QAClC,IAAI,CAAC;YACH,IAAI,UAAU,GAA2B,EAAE,CAAA;YAC3C,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;gBAChE,IAAI,CAAC,KAAK;oBAAE,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAA;gBAC/B,UAAU,GAAG,KAAK,CAAA;YACpB,CAAC;YAED,MAAM,UAAU,GAA2B,EAAE,CAAA;YAC7C,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;gBAClC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC/B,IAAI,KAAK,KAAK,SAAS;oBAAE,UAAU,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAA;YACvE,CAAC;YAED,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,MAAM,kBAAkB,CAC7D,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,EACtD,IAAI,EACJ,QAAQ,CACT,CAAA;YAED,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC;gBACzB,CAAC;gBACD,MAAM,EAAE,EAAE,GAAG,UAAU,EAAE,GAAG,UAAU,EAAE;gBACxC,IAAI,EAAE,YAAY;gBAClB,MAAM;gBACN,UAAU,EAAE,cAAc,CAAC,MAAM,CAAC;aACnC,CAAC,CAAA;YACF,OAAO,mBAAmB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;QACnD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,mBAAmB,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,WAAW,CAAC,CAAA;QAC7D,CAAC;IACH,CAAC,CAAA;IAED,IAAI,UAAU,KAAK,KAAK;QAAE,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;SAC/C,IAAI,UAAU,KAAK,MAAM;QAAE,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IAE3D,8DAA8D;IAC9D,0EAA0E;IAC1E,oEAAoE;IACpE,sEAAsE;IACtE,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE;QAC1B,kBAAkB,CAAC,CAAC,EAAE,WAAW,CAAC,CAAA;QAClC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,CAAU,EAAE,OAA+B;IACrE,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;AAC5E,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAkB,EAAE,OAA+B;IAC9E,IAAI,CAAC;QACH,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;YAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QACtF,OAAO,QAAQ,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,4EAA4E;QAC5E,0EAA0E;QAC1E,0EAA0E;QAC1E,MAAM,MAAM,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;QAC5C,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;YAAE,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QAC5E,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE;YACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,OAAO,EAAE,MAAM;SAChB,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAY;IAC3C,OAAO,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC,CAAA;AAC7D,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,aAAa,CAAC,GAAY;IACjC,MAAM,OAAO,GAAuB,yBAAyB,CAAC,GAAG,CAAC;QAChE,CAAC,CAAC,GAAG,CAAC,oBAAoB,EAAE;QAC5B,CAAC,CAAC;YACE,IAAI,EAAE,kBAAkB,CAAC,cAAc;YACvC,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB;SAC/D,CAAA;IACL,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,qBAAqB,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;AAC3F,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS,EAAE,CAAS;IACpC,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAA;IAChB,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAA;IAChB,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IACjD,MAAM,KAAK,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAA;IAC7C,OAAO,GAAG,IAAI,GAAG,KAAK,EAAE,IAAI,GAAG,CAAA;AACjC,CAAC;AAED,oEAAoE;AACpE,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,IAAI;SACR,OAAO,CAAC,cAAc,EAAE,SAAS,CAAC;SAClC,OAAO,CAAC,cAAc,EAAE,SAAS,CAAC;SAClC,OAAO,CAAC,YAAY,EAAE,KAAK,CAAC,CAAA;AACjC,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAa;IACtC,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAA;AAChD,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../src/server/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAElD,wBAAsB,eAAe,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,SAAO,GAAG,OAAO,CAAC,kBAAkB,CAAC,
|
|
1
|
+
{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../src/server/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAElD,wBAAsB,eAAe,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,SAAO,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA4BzF"}
|
package/dist/server/start.js
CHANGED
|
@@ -6,7 +6,11 @@
|
|
|
6
6
|
* Cloudflare, consumers go through `server.app.fetch` directly.
|
|
7
7
|
*/
|
|
8
8
|
export async function startNodeServer(app, port = 3000) {
|
|
9
|
-
|
|
9
|
+
// Opaque specifier: the `./server` barrel re-exports this module, so worker
|
|
10
|
+
// bundles (wrangler/esbuild) traverse it even though they never call it. A
|
|
11
|
+
// literal import() would make them resolve the optional peer and fail.
|
|
12
|
+
const nodeServerModule = '@hono/node-server';
|
|
13
|
+
const { serve } = (await import(nodeServerModule));
|
|
10
14
|
// oxlint-disable-next-line no-explicit-any
|
|
11
15
|
const server = serve({ fetch: app.fetch, port });
|
|
12
16
|
await new Promise((resolve, reject) => {
|
package/dist/server/start.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"start.js","sourceRoot":"","sources":["../../src/server/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAS,EAAE,IAAI,GAAG,IAAI;IAC1D,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,
|
|
1
|
+
{"version":3,"file":"start.js","sourceRoot":"","sources":["../../src/server/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAS,EAAE,IAAI,GAAG,IAAI;IAC1D,4EAA4E;IAC5E,2EAA2E;IAC3E,uEAAuE;IACvE,MAAM,gBAAgB,GAAG,mBAAmB,CAAA;IAC5C,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAuC,CAAA;IACxF,2CAA2C;IAC3C,MAAM,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,CAAQ,CAAA;IAEvD,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,IAAI,MAAM,CAAC,SAAS;YAAE,OAAO,OAAO,EAAE,CAAA;QACtC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAA;QACzC,sEAAsE;QACtE,yEAAyE;QACzE,mCAAmC;QACnC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;IACnD,CAAC,CAAC,CAAA;IAEF,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAA8C,CAAA;IAC5E,MAAM,UAAU,GAAG,OAAO,EAAE,IAAI,IAAI,IAAI,CAAA;IAExC,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACpC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAiB,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;QACtE,CAAC,CAAC;KACL,CAAA;AACH,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@astrale-os/sdk",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.4",
|
|
4
4
|
"description": "Astrale Remote Domain SDK - Define and deploy domains as standalone Hono servers",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"astrale",
|
|
@@ -40,10 +40,10 @@
|
|
|
40
40
|
"registry": "https://npm.pkg.github.com"
|
|
41
41
|
},
|
|
42
42
|
"dependencies": {
|
|
43
|
-
"@astrale-os/kernel-api": ">=0.4.
|
|
44
|
-
"@astrale-os/kernel-client": ">=0.
|
|
45
|
-
"@astrale-os/kernel-core": ">=0.3
|
|
46
|
-
"@astrale-os/kernel-dsl": ">=0.1.
|
|
43
|
+
"@astrale-os/kernel-api": ">=0.4.5 <1.0.0",
|
|
44
|
+
"@astrale-os/kernel-client": ">=0.2.2 <1.0.0",
|
|
45
|
+
"@astrale-os/kernel-core": ">=0.4.3 <1.0.0",
|
|
46
|
+
"@astrale-os/kernel-dsl": ">=0.1.2 <1.0.0",
|
|
47
47
|
"@astrale-os/kernel-server": ">=0.4.0 <1.0.0",
|
|
48
48
|
"hono": "^4.6.20",
|
|
49
49
|
"jose": "^6.1.3",
|
package/src/auth/compose.ts
CHANGED
|
@@ -18,6 +18,18 @@ import {
|
|
|
18
18
|
unresolvedUnion,
|
|
19
19
|
} from '@astrale-os/kernel-core'
|
|
20
20
|
|
|
21
|
+
/**
|
|
22
|
+
* The composed identity expression: union of the caller's delegated access
|
|
23
|
+
* (a kernel-signed credential leaf) and the function's own identity (self).
|
|
24
|
+
*
|
|
25
|
+
* Used both as the grant on outbound kernel calls AND as the delegation
|
|
26
|
+
* expression when minting a NEXT-HOP credential — the next worker receives
|
|
27
|
+
* principal = this function, authority = union(caller's delegated, own).
|
|
28
|
+
*/
|
|
29
|
+
export function buildComposedExpr(delegation: Delegation) {
|
|
30
|
+
return unresolvedUnion(unresolvedCredential(delegation.credential), unresolvedSelf())
|
|
31
|
+
}
|
|
32
|
+
|
|
21
33
|
/**
|
|
22
34
|
* Build the grant expression that unions the caller's delegated access
|
|
23
35
|
* with the function's own identity.
|
|
@@ -26,6 +38,19 @@ import {
|
|
|
26
38
|
* @returns The unresolved grant object with version and expression
|
|
27
39
|
*/
|
|
28
40
|
export function buildComposedGrant(delegation: Delegation) {
|
|
29
|
-
|
|
30
|
-
|
|
41
|
+
return { grant: createUnresolvedGrant(buildComposedExpr(delegation)) }
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
/**
|
|
45
|
+
* The SELF-ONLY expression: the function's own identity, nothing delegated.
|
|
46
|
+
* Used by `selfKernel` sessions (public/webhook handlers acting on their own
|
|
47
|
+
* authority) — both as the credential grant and as the next-hop delegation.
|
|
48
|
+
*/
|
|
49
|
+
export function buildSelfExpr() {
|
|
50
|
+
return unresolvedSelf()
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
/** Self-only grant for `selfKernel` credentials. */
|
|
54
|
+
export function buildSelfGrant() {
|
|
55
|
+
return { grant: createUnresolvedGrant(buildSelfExpr()) }
|
|
31
56
|
}
|
|
@@ -16,6 +16,7 @@
|
|
|
16
16
|
*/
|
|
17
17
|
|
|
18
18
|
import type { Delegation } from '@astrale-os/kernel-core'
|
|
19
|
+
import type { UnresolvedIdentityExpr } from '@astrale-os/kernel-core'
|
|
19
20
|
|
|
20
21
|
import { KernelClient, SchemaRegistry, type FnMap } from '@astrale-os/kernel-client'
|
|
21
22
|
import { ClientPool } from '@astrale-os/kernel-client/pool'
|
|
@@ -23,11 +24,16 @@ import { ClientSession, type BoundClientSessionView } from '@astrale-os/kernel-c
|
|
|
23
24
|
|
|
24
25
|
import type { RemoteIdentityConfig } from './identity'
|
|
25
26
|
|
|
26
|
-
import { buildComposedGrant } from './compose'
|
|
27
|
+
import { buildComposedExpr, buildComposedGrant, buildSelfExpr, buildSelfGrant } from './compose'
|
|
27
28
|
import { signCredential } from './sign'
|
|
28
29
|
|
|
29
30
|
const DELEGATION_TTL_SECONDS = 3600
|
|
30
31
|
|
|
32
|
+
// The kernel's whoami — returns the AUTHENTICATED principal's graph node, so
|
|
33
|
+
// the resolved id satisfies the mint syscall's `self.id === auth.principal`
|
|
34
|
+
// invariant by construction (same seam the shell uses to resolve self).
|
|
35
|
+
const WHOAMI_PATH = '/:kernel.astrale.ai:interface.Identity:whoami'
|
|
36
|
+
|
|
31
37
|
// Shared per kernel URL — the expensive, identity-agnostic state. Sessions are
|
|
32
38
|
// NOT shared (each binds a subject-specific delegation mint), but the pool
|
|
33
39
|
// (connections) and registry (learned schemas) are reused across them.
|
|
@@ -65,14 +71,49 @@ export async function bindKernel(
|
|
|
65
71
|
kernelUrl: string,
|
|
66
72
|
config: RemoteIdentityConfig,
|
|
67
73
|
): Promise<BoundClientSessionView<FnMap>> {
|
|
68
|
-
|
|
69
|
-
|
|
74
|
+
return bindSession(kernelUrl, config, buildComposedGrant(delegation).grant, () =>
|
|
75
|
+
buildComposedExpr(delegation),
|
|
76
|
+
)
|
|
77
|
+
}
|
|
78
|
+
|
|
79
|
+
/**
|
|
80
|
+
* Build a `BoundClientSessionView` authenticated as the FUNCTION'S OWN
|
|
81
|
+
* identity — no inbound delegation, authority = the function's own grants
|
|
82
|
+
* only. The seam behind `selfKernel` for public/webhook handlers: an HMAC- or
|
|
83
|
+
* signature-verified webhook can act on the graph as itself after verifying
|
|
84
|
+
* the upstream. Next-hop mints delegate self only.
|
|
85
|
+
*/
|
|
86
|
+
export async function bindSelfKernel(
|
|
87
|
+
kernelUrl: string,
|
|
88
|
+
config: RemoteIdentityConfig,
|
|
89
|
+
): Promise<BoundClientSessionView<FnMap>> {
|
|
90
|
+
return bindSession(kernelUrl, config, buildSelfGrant().grant, () => buildSelfExpr())
|
|
91
|
+
}
|
|
92
|
+
|
|
93
|
+
/**
|
|
94
|
+
* Shared session construction: sign a credential as this function's identity
|
|
95
|
+
* carrying `grant`, bind the session to it, and wire the lazy NEXT-HOP mint.
|
|
96
|
+
*/
|
|
97
|
+
async function bindSession(
|
|
98
|
+
kernelUrl: string,
|
|
99
|
+
config: RemoteIdentityConfig,
|
|
100
|
+
grant: unknown,
|
|
101
|
+
nextHopDelegation: () => UnresolvedIdentityExpr,
|
|
102
|
+
): Promise<BoundClientSessionView<FnMap>> {
|
|
103
|
+
const credential = await signCredential(
|
|
70
104
|
{ grant },
|
|
71
105
|
{
|
|
72
106
|
issuer: config.issuer,
|
|
73
107
|
subject: config.subject,
|
|
74
108
|
audience: kernelUrl,
|
|
75
109
|
privateKey: config.privateKey,
|
|
110
|
+
// Long-running handlers (a managed INSTALL saga easily runs minutes on a
|
|
111
|
+
// cold box) make kernel callbacks throughout — the default 60s wall left
|
|
112
|
+
// them unable to even write their own failure records (observed live:
|
|
113
|
+
// install wedged at 'installing' forever). The session credential is
|
|
114
|
+
// per-request and aud-bound; delegated AUTHORITY still expires with the
|
|
115
|
+
// inner delegation's own exp.
|
|
116
|
+
ttl: '30m',
|
|
76
117
|
},
|
|
77
118
|
)
|
|
78
119
|
|
|
@@ -83,15 +124,21 @@ export async function bindKernel(
|
|
|
83
124
|
schema: getRegistry(kernelUrl),
|
|
84
125
|
pool: getPool(kernelUrl),
|
|
85
126
|
delegation: {
|
|
86
|
-
//
|
|
87
|
-
//
|
|
88
|
-
//
|
|
89
|
-
//
|
|
127
|
+
// NEXT-HOP mint: each hop mints AS ITSELF. The anchor is this function's
|
|
128
|
+
// identity NODE id (resolved via whoami — `@` only accepts node ids, not
|
|
129
|
+
// paths), so `self.id === auth.principal` holds by construction. The
|
|
130
|
+
// minted delegation carries the session's authority expression (composed
|
|
131
|
+
// for delegated sessions, self-only for selfKernel): the next worker
|
|
132
|
+
// sees WHO called it while inheriting exactly that authority.
|
|
133
|
+
// `skipDelegation` keeps the whoami + mint from re-entering this
|
|
134
|
+
// closure — both target the kernel (same origin), so no delegation is
|
|
135
|
+
// needed.
|
|
90
136
|
mint: async (audience) => {
|
|
137
|
+
const selfId = await resolveSelfId(session, credential, kernelUrl, config)
|
|
91
138
|
const envelope = await session.call(
|
|
92
|
-
`@${
|
|
93
|
-
{ audience, delegation:
|
|
94
|
-
{ credential
|
|
139
|
+
`@${selfId}::mintDelegationCredential`,
|
|
140
|
+
{ audience, delegation: nextHopDelegation(), ttl: DELEGATION_TTL_SECONDS },
|
|
141
|
+
{ credential, skipDelegation: true },
|
|
95
142
|
)
|
|
96
143
|
if (typeof envelope !== 'string') {
|
|
97
144
|
throw new Error(
|
|
@@ -103,5 +150,61 @@ export async function bindKernel(
|
|
|
103
150
|
ttl: DELEGATION_TTL_SECONDS,
|
|
104
151
|
},
|
|
105
152
|
})
|
|
106
|
-
return session.as(
|
|
153
|
+
return session.as(credential)
|
|
154
|
+
}
|
|
155
|
+
|
|
156
|
+
/**
|
|
157
|
+
* Build the `selfKernel` accessor handed to remote-function handlers.
|
|
158
|
+
* Resolves the kernel URL from the explicit argument or `deps.KERNEL_URL`
|
|
159
|
+
* (a public request carries no credential, so the parent kernel cannot be
|
|
160
|
+
* inferred — it must be configured).
|
|
161
|
+
*/
|
|
162
|
+
export function makeSelfKernel(
|
|
163
|
+
identity: RemoteIdentityConfig,
|
|
164
|
+
deps: unknown,
|
|
165
|
+
): (kernelUrl?: string) => Promise<BoundClientSessionView<FnMap>> {
|
|
166
|
+
return async (kernelUrl?: string) => {
|
|
167
|
+
const env = deps as { INSTANCE_KERNEL_URL?: unknown; KERNEL_URL?: unknown } | null | undefined
|
|
168
|
+
// Prefer the INSTANCE kernel (the graph this domain is installed on);
|
|
169
|
+
// KERNEL_URL on managed services is the HOST kernel (the box) — wrong
|
|
170
|
+
// graph for domain writes, kept only as a last-resort fallback.
|
|
171
|
+
const url = kernelUrl ?? env?.INSTANCE_KERNEL_URL ?? env?.KERNEL_URL
|
|
172
|
+
if (typeof url !== 'string' || url.length === 0) {
|
|
173
|
+
throw new Error(
|
|
174
|
+
'selfKernel: no kernel URL — pass one explicitly or set INSTANCE_KERNEL_URL in the ' +
|
|
175
|
+
'worker env (managed deploys set it automatically).',
|
|
176
|
+
)
|
|
177
|
+
}
|
|
178
|
+
return bindSelfKernel(url, identity)
|
|
179
|
+
}
|
|
180
|
+
}
|
|
181
|
+
|
|
182
|
+
// Function-identity node ids, cached per (kernel, issuer, subject). Sessions
|
|
183
|
+
// are per-request, but a function's identity node is stable for the worker's
|
|
184
|
+
// lifetime — one whoami per function, not one per redirect.
|
|
185
|
+
const selfIds = new Map<string, string>()
|
|
186
|
+
|
|
187
|
+
/**
|
|
188
|
+
* Resolve THIS function's identity node id on the parent kernel via whoami,
|
|
189
|
+
* authenticated with the composed credential (whose principal IS the function).
|
|
190
|
+
*/
|
|
191
|
+
async function resolveSelfId(
|
|
192
|
+
session: ClientSession<FnMap>,
|
|
193
|
+
credential: string,
|
|
194
|
+
kernelUrl: string,
|
|
195
|
+
config: RemoteIdentityConfig,
|
|
196
|
+
): Promise<string> {
|
|
197
|
+
const key = `${kernelUrl}|${config.issuer}|${config.subject}`
|
|
198
|
+
const cached = selfIds.get(key)
|
|
199
|
+
if (cached) return cached
|
|
200
|
+
const me = (await session.call(WHOAMI_PATH, {}, { credential, skipDelegation: true })) as {
|
|
201
|
+
id?: string
|
|
202
|
+
} | null
|
|
203
|
+
if (!me?.id) {
|
|
204
|
+
throw new Error(
|
|
205
|
+
`whoami returned no identity node for ${config.subject} — cannot anchor the next-hop delegation mint`,
|
|
206
|
+
)
|
|
207
|
+
}
|
|
208
|
+
selfIds.set(key, me.id)
|
|
209
|
+
return me.id
|
|
107
210
|
}
|
|
@@ -48,6 +48,16 @@ export type RemoteFunctionContext<TParams, TDeps = unknown> = {
|
|
|
48
48
|
* `Identity.mintDelegationCredential` + the target method's grants.
|
|
49
49
|
*/
|
|
50
50
|
callRemote: CallRemoteFn
|
|
51
|
+
/**
|
|
52
|
+
* Acquire a kernel session authenticated as THIS FUNCTION'S OWN identity —
|
|
53
|
+
* authority = the function's own grants only, no caller delegation. The
|
|
54
|
+
* webhook seam: when an `auth: 'public'` upstream can't carry an Astrale
|
|
55
|
+
* token (HMAC-signature webhooks, Stripe-style), VERIFY THE UPSTREAM'S
|
|
56
|
+
* SIGNATURE FIRST, then act on the graph as yourself. `kernelUrl` defaults
|
|
57
|
+
* to `deps.KERNEL_URL` (set automatically on managed deploys); pass it
|
|
58
|
+
* explicitly for other targets.
|
|
59
|
+
*/
|
|
60
|
+
selfKernel: (kernelUrl?: string) => Promise<BoundClientSessionView<FnMap>>
|
|
51
61
|
}
|
|
52
62
|
|
|
53
63
|
export type RemoteFunctionDef<TParams = unknown, TResult = unknown, TDeps = unknown> = {
|
|
@@ -39,6 +39,7 @@ import type { ViewDef } from '../define/view'
|
|
|
39
39
|
import type { CallRemoteFn } from '../dispatch/call-remote'
|
|
40
40
|
import type { AuxIdentityMap } from '../dispatch/identity'
|
|
41
41
|
|
|
42
|
+
import { makeSelfKernel } from '../auth/kernel-client'
|
|
42
43
|
import { resolveInboundAuth } from '../auth/resolve'
|
|
43
44
|
import { runAuthorize } from '../dispatch/authorize'
|
|
44
45
|
import { makeCallRemote } from '../dispatch/call-remote'
|
|
@@ -124,12 +125,13 @@ export function mountAuxiliaryRoutes<TDeps>(config: AuxiliaryRoutesConfig<TDeps>
|
|
|
124
125
|
identity,
|
|
125
126
|
corsHeaders,
|
|
126
127
|
run: async ({ c, auth, kernel, callRemote }) => {
|
|
128
|
+
const selfKernel = makeSelfKernel(identity, deps)
|
|
127
129
|
const rawBody: unknown = await c.req.json().catch(() => ({}))
|
|
128
130
|
const validation = validateParams(def.inputSchema, rawBody)
|
|
129
131
|
if (!validation.ok) {
|
|
130
132
|
throw new SdkValidationError(validation.issues as SdkValidationError['issues'])
|
|
131
133
|
}
|
|
132
|
-
const ctx = { params: validation.data, c, auth, deps, kernel, callRemote }
|
|
134
|
+
const ctx = { params: validation.data, c, auth, deps, kernel, callRemote, selfKernel }
|
|
133
135
|
if (def.authorize) await runAuthorize(def.authorize, ctx)
|
|
134
136
|
const result = await def.execute(ctx)
|
|
135
137
|
const outValidation = validateResult(def.outputSchema, result)
|
package/src/server/start.ts
CHANGED
|
@@ -11,7 +11,11 @@ import type { Hono } from 'hono'
|
|
|
11
11
|
import type { RemoteServerHandle } from './handle'
|
|
12
12
|
|
|
13
13
|
export async function startNodeServer(app: Hono, port = 3000): Promise<RemoteServerHandle> {
|
|
14
|
-
|
|
14
|
+
// Opaque specifier: the `./server` barrel re-exports this module, so worker
|
|
15
|
+
// bundles (wrangler/esbuild) traverse it even though they never call it. A
|
|
16
|
+
// literal import() would make them resolve the optional peer and fail.
|
|
17
|
+
const nodeServerModule = '@hono/node-server'
|
|
18
|
+
const { serve } = (await import(nodeServerModule)) as typeof import('@hono/node-server')
|
|
15
19
|
// oxlint-disable-next-line no-explicit-any
|
|
16
20
|
const server = serve({ fetch: app.fetch, port }) as any
|
|
17
21
|
|