@astrale-os/sdk 0.1.5 → 0.1.7

package/dist/auth/verify.d.ts

@@ -17,6 +17,8 @@ export type VerifiedInbound = {
     /** Delegation — scoped caller permissions as kernel-signed credential */
     delegation: Delegation;
 };
+/** Clear cached JWKS resolvers. Used in tests when keys rotate between fixtures. */
+export declare function clearJwksCache(): void;
 /**
  * Verify an inbound delegation credential using kernel-core's verification.
  *

package/dist/auth/verify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/auth/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,eAAe,EACf,UAAU,EAEV,kBAAkB,EACnB,MAAM,yBAAyB,CAAA;AAUhC,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAKtD,MAAM,MAAM,eAAe,GAAG;IAC5B,2DAA2D;IAC3D,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,2DAA2D;IAC3D,WAAW,EAAE,WAAW,CAAA;IACxB,yEAAyE;IACzE,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AA4DD;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,UAAU,EAAE,eAAe,EAC3B,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,eAAe,CAAC,CA+B1B"}
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/auth/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,eAAe,EACf,UAAU,EAEV,kBAAkB,EACnB,MAAM,yBAAyB,CAAA;AAYhC,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAKtD,MAAM,MAAM,eAAe,GAAG;IAC5B,2DAA2D;IAC3D,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,2DAA2D;IAC3D,WAAW,EAAE,WAAW,CAAA;IACxB,yEAAyE;IACzE,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAkBD,oFAAoF;AACpF,wBAAgB,cAAc,IAAI,IAAI,CAGrC;AAiFD;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,UAAU,EAAE,eAAe,EAC3B,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,eAAe,CAAC,CA+C1B"}

package/dist/auth/verify.js

@@ -5,19 +5,68 @@
  * (CredentialMethodResolver, MethodRegistry) instead of manual JWT handling.
  * Not tied to JWT — supports any credential method kernel-core provides.
  */
-import { CredentialMethodResolver, MethodRegistry, verifyAudience, verifyCredential, } from '@astrale-os/kernel-core';
+import { CredentialMethodResolver, MethodRegistry, SignatureVerificationError, SigningKeyNotFoundError, verifyAudience, verifyCredential, } from '@astrale-os/kernel-core';
 import { createLocalJWKSet, createRemoteJWKSet } from 'jose';
 import { derivePublicJwk } from '../server/jwks';
 import { canonicalizeServingUrl } from '../server/serving-url';
 const methodResolver = new CredentialMethodResolver(new MethodRegistry());
+// JWKS resolvers cached per JWKS URL (module-level, like the pools/selfIds
+// Maps in kernel-client.ts). jose handles freshness WITHIN a resolver: 10min
+// max-age, 30s fetch cooldown, and auto-refetch on kid-miss when not cooling
+// down. The one gap — issuer restarts with new keys while the cooldown pins
+// the old set (the incident that got a prior indefinite cache removed) — is
+// covered by evict-and-retry-once in `verifyInboundCredential`, so indefinite
+// Map residency is safe and the per-call JWKS fetch is gone.
+const remoteResolvers = new Map();
+// Self-issued credentials verify against the worker's own in-memory key;
+// cache the local JWKS per canonical self-issuer (one key per worker) so the
+// public-JWK derivation isn't redone on every request.
+const localResolvers = new Map();
+/** Clear cached JWKS resolvers. Used in tests when keys rotate between fixtures. */
+export function clearJwksCache() {
+    remoteResolvers.clear();
+    localResolvers.clear();
+}
+/**
+ * M-28 fix: a bare-slug iss (`mails.localhost`) makes
+ * `new URL('mails.localhost/.well-known/jwks.json')` throw "Invalid URL
+ * string". The dispatcher's identity map normalizes the iss it signs with,
+ * but inbound creds from older clients may still carry the slug form. Coerce
+ * to a URL with a default `https://` scheme (matches kernel.astrale.ai
+ * canonical form). If the actual receiver is on http://localhost the
+ * receiver-side resolver still works because both endpoints are on localhost
+ * — but for prod targets requiring TLS this is the right default.
+ */
+function jwksUrlFor(issuer) {
+    const normalized = /^https?:\/\//.test(issuer) ? issuer : `https://${issuer}`;
+    return `${normalized}/.well-known/jwks.json`;
+}
+function getRemoteResolver(jwksUrl) {
+    let resolver = remoteResolvers.get(jwksUrl);
+    if (!resolver) {
+        resolver = createRemoteJWKSet(new URL(jwksUrl));
+        remoteResolvers.set(jwksUrl, resolver);
+    }
+    return resolver;
+}
+function getLocalResolver(selfIssuer, privateKey) {
+    let resolver = localResolvers.get(selfIssuer);
+    if (!resolver) {
+        resolver = createLocalJWKSet({ keys: [derivePublicJwk(privateKey)] });
+        localResolvers.set(selfIssuer, resolver);
+    }
+    return resolver;
+}
 /**
  * Build the key resolver for one verifying server. Captures `config` so it can
  * short-circuit the server's OWN issuer (`config.issuer`): a self-issued
  * credential is verified against the in-memory public key, never fetched — a
  * Worker can't fetch its own hostname, and it already holds the key. Every other
- * issuer is resolved live via JWKS (`createRemoteJWKSet`).
+ * issuer is resolved via the cached per-URL JWKS resolvers above; every JWKS
+ * URL touched is recorded in `resolvedJwksUrls` so the caller can evict
+ * exactly those resolvers if verification fails on an unknown signing key.
  */
-function makeResolveKeys(config) {
+function makeResolveKeys(config, resolvedJwksUrls) {
     // The worker's own canonical iss. STRICT: `config.issuer` is the serving URL
     // by contract (both producers — buildIdentityMap / buildAuxIdentityMap — feed
     // it `canonicalizeServingUrl(config.url)`), so a value that doesn't parse is
@@ -26,13 +75,6 @@ function makeResolveKeys(config) {
     // worker's own hostname — which Cloudflare forbids — turning a config bug
     // into an opaque per-call failure.
     const selfIssuer = canonicalizeServingUrl(config.issuer);
-    // TODO(cache): Re-add JWKS caching with a short TTL or kid-miss retry.
-    // A prior implementation cached `createRemoteJWKSet` per issuer URL
-    // indefinitely. jose's internal cache (30s cooldown, 10min max-age) caused
-    // stale keys when the issuer restarted — the resolver served old keys and
-    // jose refused to refetch within the cooldown window. On CF Workers the
-    // module-level Map persisted across requests, making it worse. For now we
-    // create a fresh resolver per call (jose deduplicates concurrent fetches).
     return async (issuer, _method, _kid) => {
         const url = issuer;
         // Self-issued credential (iss == this worker's own serving URL): resolve
@@ -47,20 +89,12 @@ function makeResolveKeys(config) {
                 canonical = undefined;
             }
             if (canonical === selfIssuer) {
-                return createLocalJWKSet({ keys: [derivePublicJwk(config.privateKey)] });
+                return getLocalResolver(selfIssuer, config.privateKey);
             }
         }
-        // M-28 fix: a bare-slug iss (`mails.localhost`) makes
-        // `new URL('mails.localhost/.well-known/jwks.json')` throw "Invalid
-        // URL string". The dispatcher's identity map normalizes the iss it
-        // signs with, but inbound creds from older clients may still carry
-        // the slug form. Coerce to a URL with a default `https://` scheme
-        // (matches kernel.astrale.ai canonical form). If the actual receiver
-        // is on http://localhost the receiver-side resolver still works
-        // because both endpoints are on localhost — but for prod targets
-        // requiring TLS this is the right default.
-        const normalized = /^https?:\/\//.test(url) ? url : `https://${url}`;
-        return createRemoteJWKSet(new URL(`${normalized}/.well-known/jwks.json`));
+        const jwksUrl = jwksUrlFor(url);
+        resolvedJwksUrls.add(jwksUrl);
+        return getRemoteResolver(jwksUrl);
     };
 }
 /**
@@ -70,10 +104,31 @@ function makeResolveKeys(config) {
  */
 export async function verifyInboundCredential(credential, config) {
     // Verify using kernel-core's credential verification pipeline
-    const verified = await verifyCredential({
-        methodResolver,
-        resolveKeys: makeResolveKeys(config),
-    }, credential);
+    const resolvedJwksUrls = new Set();
+    const deps = { methodResolver, resolveKeys: makeResolveKeys(config, resolvedJwksUrls) };
+    let verified;
+    try {
+        verified = await verifyCredential(deps, credential);
+    }
+    catch (error) {
+        // A cached resolver can hold a stale key set after the issuer rotates:
+        //  - new kid → jose kid-misses but its 30s fetch cooldown blocks the
+        //    refetch (SigningKeyNotFoundError) — the incident that got a prior
+        //    indefinite cache removed;
+        //  - SAME kid, new key material (kernel kids derive from the subject, so
+        //    a re-keyed issuer reuses its kid) → the signature check fails
+        //    (SignatureVerificationError).
+        // Both: evict the resolver(s) this verification touched and retry ONCE
+        // with fresh ones. Forged-token spam thus costs at most one JWKS fetch
+        // per bad credential — equal to the uncached per-call baseline, never
+        // worse. An empty set means self-issued — refetching can't help, rethrow.
+        const staleKeySuspect = error instanceof SigningKeyNotFoundError || error instanceof SignatureVerificationError;
+        if (!staleKeySuspect || resolvedJwksUrls.size === 0)
+            throw error;
+        for (const url of resolvedJwksUrls)
+            remoteResolvers.delete(url);
+        verified = await verifyCredential(deps, credential);
+    }
     // Validate audience matches this function's issuer (its serving URL).
     // kernel-core's verifyAudience compares canonically.
     verifyAudience(verified, config.issuer);

package/dist/auth/verify.js.map

@@ -1 +1 @@
-{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/auth/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAUH,OAAO,EACL,wBAAwB,EACxB,cAAc,EACd,cAAc,EACd,gBAAgB,GACjB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAY,MAAM,MAAM,CAAA;AAItE,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAChD,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAA;AAa9D,MAAM,cAAc,GAAG,IAAI,wBAAwB,CAAC,IAAI,cAAc,EAAE,CAAC,CAAA;AAEzE;;;;;;GAMG;AACH,SAAS,eAAe,CAAC,MAA4B;IACnD,6EAA6E;IAC7E,8EAA8E;IAC9E,6EAA6E;IAC7E,yEAAyE;IACzE,6EAA6E;IAC7E,0EAA0E;IAC1E,mCAAmC;IACnC,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAExD,uEAAuE;IACvE,oEAAoE;IACpE,2EAA2E;IAC3E,0EAA0E;IAC1E,wEAAwE;IACxE,0EAA0E;IAC1E,2EAA2E;IAC3E,OAAO,KAAK,EAAE,MAAgB,EAAE,OAAe,EAAE,IAAa,EAAE,EAAE;QAChE,MAAM,GAAG,GAAG,MAAgB,CAAA;QAE5B,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,SAA6B,CAAA;YACjC,IAAI,CAAC;gBACH,SAAS,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAA;YACzC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,GAAG,SAAS,CAAA;YACvB,CAAC;YACD,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;gBAC7B,OAAO,iBAAiB,CAAC,EAAE,IAAI,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,UAAU,CAAQ,CAAC,EAAE,CAAC,CAAA;YACjF,CAAC;QACH,CAAC;QAED,sDAAsD;QACtD,oEAAoE;QACpE,mEAAmE;QACnE,mEAAmE;QACnE,kEAAkE;QAClE,qEAAqE;QACrE,gEAAgE;QAChE,iEAAiE;QACjE,2CAA2C;QAC3C,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,GAAG,EAAE,CAAA;QACpE,OAAO,kBAAkB,CAAC,IAAI,GAAG,CAAC,GAAG,UAAU,wBAAwB,CAAC,CAAC,CAAA;IAC3E,CAAC,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,UAA2B,EAC3B,MAA4B;IAE5B,8DAA8D;IAC9D,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CACrC;QACE,cAAc;QACd,WAAW,EAAE,eAAe,CAAC,MAAM,CAAC;KACrC,EACD,UAAU,CACX,CAAA;IAED,sEAAsE;IACtE,qDAAqD;IACrD,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAkB,CAAC,CAAA;IAEnD,iDAAiD;IACjD,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,WAAsC,CAAA;IAC1E,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAoC,CAAA;IACvE,IAAI,CAAC,UAAU,EAAE,UAAU,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAA;IAClD,CAAC;IAED,OAAO;QACL,QAAQ;QACR,MAAM,EAAE,QAAQ,CAAC,GAAa;QAC9B,WAAW;QACX,UAAU;KACX,CAAA;AACH,CAAC"}
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/auth/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAUH,OAAO,EACL,wBAAwB,EACxB,cAAc,EACd,0BAA0B,EAC1B,uBAAuB,EACvB,cAAc,EACd,gBAAgB,GACjB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAY,MAAM,MAAM,CAAA;AAItE,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAChD,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAA;AAa9D,MAAM,cAAc,GAAG,IAAI,wBAAwB,CAAC,IAAI,cAAc,EAAE,CAAC,CAAA;AAEzE,2EAA2E;AAC3E,6EAA6E;AAC7E,6EAA6E;AAC7E,4EAA4E;AAC5E,4EAA4E;AAC5E,8EAA8E;AAC9E,6DAA6D;AAC7D,MAAM,eAAe,GAAG,IAAI,GAAG,EAAiD,CAAA;AAEhF,yEAAyE;AACzE,6EAA6E;AAC7E,uDAAuD;AACvD,MAAM,cAAc,GAAG,IAAI,GAAG,EAAgD,CAAA;AAE9E,oFAAoF;AACpF,MAAM,UAAU,cAAc;IAC5B,eAAe,CAAC,KAAK,EAAE,CAAA;IACvB,cAAc,CAAC,KAAK,EAAE,CAAA;AACxB,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,UAAU,CAAC,MAAc;IAChC,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,MAAM,EAAE,CAAA;IAC7E,OAAO,GAAG,UAAU,wBAAwB,CAAA;AAC9C,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe;IACxC,IAAI,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IAC3C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAA;QAC/C,eAAe,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;IACxC,CAAC;IACD,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,SAAS,gBAAgB,CACvB,UAAkB,EAClB,UAA8C;IAE9C,IAAI,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,iBAAiB,CAAC,EAAE,IAAI,EAAE,CAAC,eAAe,CAAC,UAAU,CAAQ,CAAC,EAAE,CAAC,CAAA;QAC5E,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;IAC1C,CAAC;IACD,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,eAAe,CAAC,MAA4B,EAAE,gBAA6B;IAClF,6EAA6E;IAC7E,8EAA8E;IAC9E,6EAA6E;IAC7E,yEAAyE;IACzE,6EAA6E;IAC7E,0EAA0E;IAC1E,mCAAmC;IACnC,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAExD,OAAO,KAAK,EAAE,MAAgB,EAAE,OAAe,EAAE,IAAa,EAAE,EAAE;QAChE,MAAM,GAAG,GAAG,MAAgB,CAAA;QAE5B,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,SAA6B,CAAA;YACjC,IAAI,CAAC;gBACH,SAAS,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAA;YACzC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,GAAG,SAAS,CAAA;YACvB,CAAC;YACD,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;gBAC7B,OAAO,gBAAgB,CAAC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,CAAA;YACxD,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAA;QAC/B,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QAC7B,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAA;IACnC,CAAC,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,UAA2B,EAC3B,MAA4B;IAE5B,8DAA8D;IAC9D,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAA;IAC1C,MAAM,IAAI,GAAG,EAAE,cAAc,EAAE,WAAW,EAAE,eAAe,CAAC,MAAM,EAAE,gBAAgB,CAAC,EAAE,CAAA;IACvF,IAAI,QAA4B,CAAA;IAChC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;IACrD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,uEAAuE;QACvE,qEAAqE;QACrE,uEAAuE;QACvE,+BAA+B;QAC/B,yEAAyE;QACzE,mEAAmE;QACnE,mCAAmC;QACnC,uEAAuE;QACvE,uEAAuE;QACvE,sEAAsE;QACtE,0EAA0E;QAC1E,MAAM,eAAe,GACnB,KAAK,YAAY,uBAAuB,IAAI,KAAK,YAAY,0BAA0B,CAAA;QACzF,IAAI,CAAC,eAAe,IAAI,gBAAgB,CAAC,IAAI,KAAK,CAAC;YAAE,MAAM,KAAK,CAAA;QAChE,KAAK,MAAM,GAAG,IAAI,gBAAgB;YAAE,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAC/D,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;IACrD,CAAC;IAED,sEAAsE;IACtE,qDAAqD;IACrD,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAkB,CAAC,CAAA;IAEnD,iDAAiD;IACjD,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,WAAsC,CAAA;IAC1E,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAoC,CAAA;IACvE,IAAI,CAAC,UAAU,EAAE,UAAU,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAA;IAClD,CAAC;IAED,OAAO;QACL,QAAQ;QACR,MAAM,EAAE,QAAQ,CAAC,GAAa;QAC9B,WAAW;QACX,UAAU;KACX,CAAA;AACH,CAAC"}

package/dist/cli/bin.d.ts

@@ -0,0 +1,7 @@
+#!/usr/bin/env bun
+/**
+ * `astrale-domain` bin entry. Runs under bun (native TS) so it can import the
+ * project's `astrale.config.ts` directly — matching the `astrale` CLI.
+ */
+export {};
+//# sourceMappingURL=bin.d.ts.map

package/dist/cli/bin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bin.d.ts","sourceRoot":"","sources":["../../src/cli/bin.ts"],"names":[],"mappings":";AACA;;;GAGG"}

package/dist/cli/bin.js

@@ -0,0 +1,15 @@
+#!/usr/bin/env bun
+/**
+ * `astrale-domain` bin entry. Runs under bun (native TS) so it can import the
+ * project's `astrale.config.ts` directly — matching the `astrale` CLI.
+ */
+import { run } from './run';
+run(process.argv.slice(2))
+    .then((code) => process.exit(code))
+    .catch((err) => {
+    process.stderr.write(`\x1b[31m✗\x1b[0m ${err.message ?? String(err)}\n`);
+    if (process.env.DEBUG)
+        process.stderr.write(`${err.stack ?? ''}\n`);
+    process.exit(1);
+});
+//# sourceMappingURL=bin.js.map

package/dist/cli/bin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bin.js","sourceRoot":"","sources":["../../src/cli/bin.ts"],"names":[],"mappings":";AACA;;;GAGG;AAEH,OAAO,EAAE,GAAG,EAAE,MAAM,OAAO,CAAA;AAE3B,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;KACvB,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KAClC,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;IACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAqB,GAAa,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IACnF,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;QAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAI,GAAa,CAAC,KAAK,IAAI,EAAE,IAAI,CAAC,CAAA;IAC9E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}

package/dist/cli/dotenv.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Minimal dotenv parser — the secrets-file boundary.
+ *
+ * `secrets: '.env.<env>'` in an adapter's params points a gitignored file whose
+ * entire contents are secrets. `loadDotenvFile` reads it into a flat
+ * `Record<string,string>` the CLI hands the adapter (injected into the local
+ * runtime in dev, pushed to a secret store in prod). No `process.env` mutation,
+ * no interpolation magic beyond `${VAR}` against earlier keys in the same file.
+ */
+export declare function parseDotenv(contents: string): Record<string, string>;
+/** Read + parse a dotenv file. Returns `{}` if the file is absent (CI-safe). */
+export declare function loadDotenvFile(path: string): Record<string, string>;
+//# sourceMappingURL=dotenv.d.ts.map

package/dist/cli/dotenv.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dotenv.d.ts","sourceRoot":"","sources":["../../src/cli/dotenv.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAqBpE;AAED,gFAAgF;AAChF,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQnE"}

package/dist/cli/dotenv.js

@@ -0,0 +1,46 @@
+/**
+ * Minimal dotenv parser — the secrets-file boundary.
+ *
+ * `secrets: '.env.<env>'` in an adapter's params points a gitignored file whose
+ * entire contents are secrets. `loadDotenvFile` reads it into a flat
+ * `Record<string,string>` the CLI hands the adapter (injected into the local
+ * runtime in dev, pushed to a secret store in prod). No `process.env` mutation,
+ * no interpolation magic beyond `${VAR}` against earlier keys in the same file.
+ */
+import { readFileSync } from 'node:fs';
+export function parseDotenv(contents) {
+    const out = {};
+    for (const raw of contents.split('\n')) {
+        const line = raw.trim();
+        if (!line || line.startsWith('#'))
+            continue;
+        const match = /^(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$/.exec(line);
+        if (!match)
+            continue;
+        const [, key, rawValue] = match;
+        let value = rawValue.trim();
+        // Single quotes mean a LITERAL value (standard dotenv): no `${VAR}`
+        // interpolation, so a secret that legitimately contains a literal `${...}`
+        // (e.g. a password) survives intact instead of being silently blanked.
+        const singleQuoted = value.length >= 2 && value.startsWith("'") && value.endsWith("'");
+        if ((value.length >= 2 && value.startsWith('"') && value.endsWith('"')) || singleQuoted) {
+            value = value.slice(1, -1);
+        }
+        out[key] = singleQuoted
+            ? value
+            : value.replace(/\$\{(\w+)\}/g, (_, name) => out[name] ?? '');
+    }
+    return out;
+}
+/** Read + parse a dotenv file. Returns `{}` if the file is absent (CI-safe). */
+export function loadDotenvFile(path) {
+    let contents;
+    try {
+        contents = readFileSync(path, 'utf-8');
+    }
+    catch {
+        return {};
+    }
+    return parseDotenv(contents);
+}
+//# sourceMappingURL=dotenv.js.map

package/dist/cli/dotenv.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dotenv.js","sourceRoot":"","sources":["../../src/cli/dotenv.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAEtC,MAAM,UAAU,WAAW,CAAC,QAAgB;IAC1C,MAAM,GAAG,GAA2B,EAAE,CAAA;IACtC,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,EAAE,CAAA;QACvB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAQ;QAC3C,MAAM,KAAK,GAAG,2CAA2C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACpE,IAAI,CAAC,KAAK;YAAE,SAAQ;QACpB,MAAM,CAAC,EAAE,GAAG,EAAE,QAAQ,CAAC,GAAG,KAAK,CAAA;QAC/B,IAAI,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAA;QAC3B,oEAAoE;QACpE,2EAA2E;QAC3E,uEAAuE;QACvE,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;QACtF,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,YAAY,EAAE,CAAC;YACxF,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;QAC5B,CAAC;QACD,GAAG,CAAC,GAAG,CAAC,GAAG,YAAY;YACrB,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,EAAE,IAAY,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAA;IACzE,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,IAAI,QAAgB,CAAA;IACpB,IAAI,CAAC;QACH,QAAQ,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAA;IACX,CAAC;IACD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAA;AAC9B,CAAC"}

package/dist/cli/index.d.ts

@@ -0,0 +1,15 @@
+/**
+ * `@astrale-os/sdk/cli` — the `astrale-domain` CLI (dev | build | deploy) and
+ * the dotenv secrets-file boundary, folded in from the former
+ * `@astrale-os/devkit` package.
+ *
+ * Node-only: the CLI imports `node:fs`/`node:module`/`node:url` and runs under
+ * Bun (it imports the project's `astrale.config.ts` directly). This subpath is
+ * deliberately NOT re-exported from the package barrel — pulling it into the
+ * isomorphic `.` entry would poison browser/worker bundlers that traverse every
+ * re-export (the same rule that keeps `./server` and `./deploy` off the barrel).
+ * The bin lives at `./bin`.
+ */
+export { run, parseArgs } from './run';
+export { parseDotenv, loadDotenvFile } from './dotenv';
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,OAAO,CAAA;AACtC,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA"}

package/dist/cli/index.js

@@ -0,0 +1,15 @@
+/**
+ * `@astrale-os/sdk/cli` — the `astrale-domain` CLI (dev | build | deploy) and
+ * the dotenv secrets-file boundary, folded in from the former
+ * `@astrale-os/devkit` package.
+ *
+ * Node-only: the CLI imports `node:fs`/`node:module`/`node:url` and runs under
+ * Bun (it imports the project's `astrale.config.ts` directly). This subpath is
+ * deliberately NOT re-exported from the package barrel — pulling it into the
+ * isomorphic `.` entry would poison browser/worker bundlers that traverse every
+ * re-export (the same rule that keeps `./server` and `./deploy` off the barrel).
+ * The bin lives at `./bin`.
+ */
+export { run, parseArgs } from './run';
+export { parseDotenv, loadDotenvFile } from './dotenv';
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,OAAO,CAAA;AACtC,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA"}

package/dist/cli/run.d.ts

@@ -0,0 +1,79 @@
+/**
+ * The `astrale-domain` CLI — dev | build | deploy.
+ *
+ * Thin by design: it reads `astrale.config.ts`, resolves `envs[<env>] → params`
+ * via the adapter, loads the env's secrets file, then drives `adapter.watch`
+ * (dev) or `adapter.deploy` (build+ship). It prints the resulting URL and the
+ * exact `astrale domain install <url> --direct` line. It boots no kernel and knows
+ * nothing provider-specific — that all lives in the adapter.
+ *
+ * The diagnostic spec (`.astrale/spec.json`) is written AFTER watch/deploy
+ * returns, at the live URL: the install graph (and therefore `schemaHash`)
+ * embeds `binding.remoteUrl`s derived from the serving URL, so a spec built at
+ * a guessed URL would carry a hash that never matches the worker's `/meta`.
+ * Only `astrale-domain build` (no URL exists yet) uses an explicit placeholder
+ * and says so.
+ *
+ *   astrale-domain dev               # = deploy dev --watch
+ *   astrale-domain prod              # = deploy prod
+ *   astrale-domain deploy <env>      # any env key
+ *   astrale-domain build             # rebuild spec only (placeholder URL)
+ *   astrale-domain publish [env]     # = deploy [prod] then register the URL
+ *
+ * `publish` (and the `--publish` tail-flag on deploy) deploys, then registers
+ * the resulting URL in the admin catalog by SHELLING OUT to the operator CLI
+ * (`astrale domain publish --origin --name --public-url`). Auth lives entirely
+ * in that CLI — this build tool never touches credentials; it just hands off the
+ * fresh URL it alone knows. Requires `astrale` on PATH (the same CLI the deploy
+ * footer already points you at for `domain install`).
+ */
+import type { DeployConfig } from '../config/deploy';
+type ParsedArgs = {
+    command: 'dev' | 'build' | 'deploy';
+    env: string;
+    watch: boolean;
+    /** `--port <n>` (dev only) — overrides the env's local dev port. */
+    port?: number;
+    /** `--host <url>` (dev only) — public URL of a tunnel/proxy front: binds 0.0.0.0 + pins WORKER_URL. */
+    host?: string;
+    /** Register the deployed URL in the admin catalog (the `publish` command / `--publish` flag). */
+    publish?: boolean;
+    /** `--name <slug>` — registry name to publish under (default: package.json `name`). */
+    name?: string;
+    /** `--install-by-default` — mark the published domain for install on every new instance. */
+    installByDefault?: boolean;
+};
+export declare function run(argv: readonly string[]): Promise<number>;
+/**
+ * Watch `astrale.config.ts` while `dev` runs: on change, re-import the config
+ * (cache-busted), re-resolve env params + secrets, and re-run the adapter's
+ * codegen via `adapter.regenerate` — the running dev server (e.g. `wrangler
+ * dev`, which watches its generated config + entry) reloads them itself, so a
+ * config edit lands without restarting the CLI.
+ *
+ * Watches the config's DIRECTORY, not the file: editors save via atomic
+ * rename, which silently kills an inode-bound watch.
+ *
+ * Deliberate limits, surfaced to the user instead of half-applied:
+ *  • origin / adapter changes re-key the worker's identity → restart;
+ *  • a mid-edit broken config (syntax error, bad env) warns and keeps the
+ *    previous generation running;
+ *  • modules the config IMPORTS (e.g. the schema) stay module-cached — only
+ *    the config file itself is re-evaluated, which covers everything
+ *    `defineDomain` owns (vars, requires, postInstall, wrangler overlay…).
+ */
+export declare function watchConfigForRegen(args: {
+    configPath: string;
+    initial: DeployConfig;
+    env: string;
+    /** CLI flag overrides (dev --port / --host) — re-applied on every regen. */
+    paramOverrides: Record<string, unknown>;
+    projectDir: string;
+    specPath: string;
+    clientDir?: string;
+    url: string;
+    onReload: () => void;
+}): () => void;
+export declare function parseArgs(argv: readonly string[]): ParsedArgs;
+export {};
+//# sourceMappingURL=run.d.ts.map

package/dist/cli/run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/cli/run.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAUH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAOpD,KAAK,UAAU,GAAG;IAChB,OAAO,EAAE,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAA;IACnC,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,OAAO,CAAA;IACd,oEAAoE;IACpE,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,uGAAuG;IACvG,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,iGAAiG;IACjG,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,uFAAuF;IACvF,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,4FAA4F;IAC5F,gBAAgB,CAAC,EAAE,OAAO,CAAA;CAC3B,CAAA;AAED,wBAAsB,GAAG,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAyIlE;AAqHD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE;IACxC,UAAU,EAAE,MAAM,CAAA;IAClB,OAAO,EAAE,YAAY,CAAA;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,4EAA4E;IAC5E,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACvC,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,GAAG,EAAE,MAAM,CAAA;IACX,QAAQ,EAAE,MAAM,IAAI,CAAA;CACrB,GAAG,MAAM,IAAI,CAiFb;AAwGD,wBAAgB,SAAS,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,UAAU,CA6E7D"}