@astrale-os/sdk 0.1.6 → 0.1.7

package/src/dispatch/self.ts

@@ -2,31 +2,117 @@
  * Self resolution — pipeline step 3.
  *
  * `_self` is a path reference to the node the non-static method runs on.
- * Currently a thin parse: the caller's string becomes a `Path`, and handlers
- * build recursive paths as `${self.path}::method` (the `Path`'s `toString`
- * yields its raw form, so template literals work unchanged).
+ * `resolveSelf` is a thin PARSE: the caller's string becomes a `Path`, and
+ * handlers build recursive paths as `${self.path}::method` (the `Path`'s
+ * `toString` yields its raw form, so template literals work unchanged). It does
+ * NOT touch the graph — the whole dispatch pipeline (resolve → authenticate →
+ * validate → self → execute) reaches the handler without a single `Node::get`.
  *
  * `resolveSelf` receives the bare self target (`@<id>` or a tree path) — the
  * method ref travels in a separate dispatch channel, so `::method` never
  * reaches here. For the `@<id>` form the parsed `Path` is an `IdPath` which
  * already carries the node id; surfacing it on `SelfResult.id` saves every
- * worker handler from either parsing `self.path.raw` by hand or doing a
- * `Node::get` round-trip just to recover the id of the node it's already
- * operating on.
+ * worker handler from parsing `self.path.raw` by hand to recover the id of the
+ * node it is already operating on.
  *
- * Kept as a distinct step so a future implementation can do a real
- * resolution here (e.g. hydrate a node/accessor) without touching callers.
+ * `withNode` enriches the parsed self with the lazy `node()` accessor — the one
+ * place a handler can fetch its own node's full record (`{ id, class, props }`)
+ * without hand-rolling a `::get`. Construction stays split from parsing so
+ * `resolveSelf` remains pure and trivially testable; the dispatcher attaches the
+ * accessor once it holds the request's kernel.
  */
 
+import type { Node } from '@astrale-os/kernel-core/graph'
+
 import { IdPath, Path, type NodeId } from '@astrale-os/kernel-core'
+import { classPathSchema } from '@astrale-os/kernel-core/domain'
+import { absolutePathSchema } from '@astrale-os/kernel-core/tree'
+import { z } from 'zod'
+
+import type { Kernel } from '../method/context'
 
-export type SelfResult = {
+/** The node a non-static method runs on — its full record, id guaranteed. */
+export type ResolvedSelfNode = Node & { id: NodeId }
+
+/** The bare parse of a self target — no kernel, no fetch. */
+export type ParsedSelf = {
   path: Path
   /** Set when `path` is an `IdPath` (i.e. `@<id>::method` calls). */
   id?: NodeId
 }
 
-export function resolveSelf(ref: string): SelfResult {
+export type SelfResult = ParsedSelf & {
+  /**
+   * Lazily read THIS node's full record via one `::get` on the handler's
+   * kernel. Memoized for the dispatch: repeated and concurrent calls share a
+   * single in-flight fetch, and a failure clears the cache so it stays
+   * retryable. Pass `{ reload: true }` to force a fresh read.
+   *
+   * The result is a point-in-time SNAPSHOT, not a live view — for
+   * read-modify-write, treat it as the value as of the read (or `reload`).
+   * `props` is returned structurally validated only, NOT typed against the
+   * node's declared schema: the kernel does not hydrate declared props at
+   * runtime, so a node-typed `self` would be unsound. Read the concrete backend
+   * off `node.class` (a `ClassPath`) — that is the persisted discriminator.
+   */
+  node(opts?: { reload?: boolean }): Promise<ResolvedSelfNode>
+}
+
+export function resolveSelf(ref: string): ParsedSelf {
   const path = Path.parse(ref)
   return path instanceof IdPath ? { path, id: path.id } : { path }
 }
+
+/**
+ * Attach the memoized `node()` accessor, binding it to the handler's kernel.
+ * `kernel` is `null` for methods whose auth policy yields none (`public`, or an
+ * unauthenticated `optional`) — there `node()` rejects with a clear error
+ * rather than reading the graph unauthenticated.
+ */
+export function withNode(parsed: ParsedSelf, kernel: Kernel | null): SelfResult {
+  let cached: Promise<ResolvedSelfNode> | undefined
+  const node = (opts?: { reload?: boolean }): Promise<ResolvedSelfNode> => {
+    if (opts?.reload) cached = undefined
+    if (!cached) {
+      cached = fetchSelfNode(parsed.path, kernel).catch((err: unknown) => {
+        cached = undefined // never cache a rejection — a later call may succeed
+        throw err
+      })
+    }
+    return cached
+  }
+  return { ...parsed, node }
+}
+
+/**
+ * Boundary schema for a node record off the wire. Structurally identical to
+ * kernel-core's `nodeSchema`, re-declared here from its public coercers
+ * (`classPathSchema` from `/domain`, `absolutePathSchema` from `/tree`) on
+ * purpose: importing the schema from `#graph` would pull zod into the graph
+ * barrel and cycle with `AbsolutePath` init (see `kernel/core/graph/index.ts`).
+ * Coercing through the canonical schemas yields a real `ClassPath` / `AbsolutePath`.
+ */
+const nodeRecordSchema = z.object({
+  class: classPathSchema(),
+  path: absolutePathSchema(),
+  props: z.record(z.string(), z.unknown()),
+  id: z.string().optional(),
+  __labels: z.array(z.string()).optional(),
+})
+
+async function fetchSelfNode(path: Path, kernel: Kernel | null): Promise<ResolvedSelfNode> {
+  if (!kernel) {
+    throw new Error(
+      `self.node() needs an authenticated kernel to read "${path.raw}", but this method ran ` +
+        `without one (its auth policy yields no kernel — e.g. 'public'). Read the node from a ` +
+        `method whose auth is 'required', or supply a credential.`,
+    )
+  }
+  const record = nodeRecordSchema.parse(await kernel.call(`${path.raw}::get`, {}))
+  if (record.id === undefined) {
+    throw new Error(`self.node(): "${path.raw}::get" returned a record with no id`)
+  }
+  // Validated at the wire boundary: id is now known-present, props are
+  // structurally checked. Bridge the parse output to the canonical `Node`.
+  return { ...record, id: record.id as NodeId } as ResolvedSelfNode
+}

package/src/domain/define.ts

@@ -12,7 +12,7 @@
  *
  * The domain definition is deployment-agnostic: it carries NO serving url. The
  * url is supplied late by the spec producer (`createRemoteServer({ url })` at
- * runtime, the devkit CLI offline) and stamped onto every `binding.remoteUrl`
+ * runtime, the `astrale-domain` CLI offline) and stamped onto every `binding.remoteUrl`
  * by `materializeRemoteDomain`. There is exactly one notion of `url` in the SDK
  * — the worker serving URL, which is also `iss` and the binding base.
  */
@@ -128,8 +128,8 @@ export function defineRemoteDomain<TDeps>() {
  * Materialize a `RemoteDomain` at its real serving `url`: re-runs `extendCore`
  * so every aux View/Function `binding.remoteUrl` points at the actual host,
  * and returns the binding maps the auxiliary routes mount from. Called by the
- * only two spec producers — `createRemoteServer` (`config.url`) and the devkit
- * CLI. Returns the define-time `compiled` untouched when there is no aux to
+ * only two spec producers — `createRemoteServer` (`config.url`) and the
+ * `astrale-domain` CLI. Returns the define-time `compiled` untouched when there is no aux to
  * stamp. `extendCore`/`compileDomain` are pure, so this is safe to call
  * repeatedly (and is memoized per cold isolate by the callers).
  */

package/src/index.ts

@@ -1,5 +1,7 @@
 // ─── Method authoring ────────────────────────────────────────────────────
 export type {
+  Kernel,
+  KernelForAuth,
   RemoteContext,
   RemoteHandler,
   MethodImpl,
@@ -9,9 +11,28 @@ export type {
 } from './method'
 export { remoteMethod, remoteClassMethods, remoteInterfaceMethods } from './method'
 
-// ─── Domain ──────────────────────────────────────────────────────────────
-export { defineRemoteDomain, buildInstallGraph, buildInstallGraphHash } from './domain'
-export type { RemoteDomain, RemoteDomainConfig } from './domain'
+// ─── Domain configuration (astrale.config.ts) ────────────────────────────
+// The author-facing way to declare a standalone domain + how it deploys. The
+// runtime-domain COMPILER (`defineRemoteDomain`) is internal machinery — reach
+// it via the `@astrale-os/sdk/domain` subpath when hand-rolling a worker, or
+// (preferred) use `domainWorkerEntry` from `@astrale-os/sdk/server`.
+export { defineDomain, deploy, defineAdapter } from './config'
+export type {
+  ClientBinding,
+  DefineDomainConfig,
+  DomainDefinition,
+  DeployConfig,
+  AdapterSpec,
+  DeployCtx,
+  DeployResult,
+  DomainAdapter,
+  DomainInfo,
+  WatchCtx,
+  WatchHandle,
+} from './config'
+
+// ─── Install graph (advanced) ────────────────────────────────────────────
+export { buildInstallGraph, buildInstallGraphHash } from './domain'
 
 // ─── Declarative resource helpers ────────────────────────────────────────
 // Author Views (iframe-mountable) and RemoteFunctions (standalone callables)
@@ -74,4 +95,4 @@ export {
   SdkValidationError,
   SdkResultValidationError,
 } from './dispatch'
-export type { SelfResult, CallRemoteFn } from './dispatch'
+export type { SelfResult, CallRemoteFn, KernelCaller } from './dispatch'

package/src/method/class.ts

@@ -52,9 +52,10 @@ type InterfaceMethodHandler<
     ? MC extends { readonly static: true }
       ? RemoteHandler<ResolveParams<MC>, ResolveReturn<MC>, undefined, TDeps>
       : // Non-static interface methods receive the same `self` the dispatcher
-        // actually delivers — `SelfResult` ({ path, id? }) — exactly as the
-        // class-method path (`MethodImpl`) does. The node's declared props are
-        // NOT hydrated at runtime, so a node-typed self would be unsound.
+        // actually delivers — `SelfResult` ({ path, id?, node() }) — exactly as
+        // the class-method path (`MethodImpl`) does. Declared props are NOT
+        // hydrated onto `self` (a node-typed self would be unsound); a handler
+        // that needs the node's class/props reads them via `self.node()`.
         RemoteHandler<ResolveParams<MC>, ResolveReturn<MC>, SelfResult, TDeps>
     : never
   : never

package/src/method/context.ts

@@ -7,13 +7,43 @@
  * `BoundClientSessionView` to call back into the parent kernel.
  */
 
+import type { AuthPolicy } from '@astrale-os/kernel-api/routed'
 import type { FnMap } from '@astrale-os/kernel-client'
 import type { BoundClientSessionView } from '@astrale-os/kernel-client/session'
 import type { AuthContext } from '@astrale-os/kernel-core'
 
 import type { CallRemoteFn } from '../dispatch/call-remote'
 
-export type RemoteContext<TParams, TSelf, TDeps> = {
+/**
+ * The kernel session a handler holds: a credential-bound view over the parent
+ * kernel — the FULL dispatch surface (`call`/`stream`/`binary`/`signal`,
+ * `withSchema` typed dispatch, `as` to rebind the acting credential), not just
+ * `call`. Name it from `@astrale-os/sdk` instead of reaching into
+ * `@astrale-os/kernel-client`. (For the narrow `{ call }` contract — e.g. a
+ * tiny test double — see {@link KernelCaller}.)
+ */
+export type Kernel = BoundClientSessionView<FnMap>
+
+/**
+ * The `kernel` a handler receives, derived from its declared `auth` policy.
+ * The runtime guarantee (see `auth/resolve.ts`) is exact:
+ *   - `'required'` (the default) — the dispatcher rejects a credentialless call
+ *     before `execute`, so the kernel is ALWAYS present → non-null.
+ *   - `'optional'` — a kernel only when a credential was supplied → `… | null`.
+ *   - `'public'` — never any inbound credential → `null`. (Public handlers that
+ *     must touch the graph use `selfKernel` after verifying their own upstream.)
+ *
+ * Distributes over a `AuthPolicy` union (e.g. when `auth` is typed but not a
+ * literal) to the widened `Kernel | null` — the safe superset, matching the
+ * pre-conditional behaviour.
+ */
+export type KernelForAuth<TAuth extends AuthPolicy> = TAuth extends 'public'
+  ? null
+  : TAuth extends 'optional'
+    ? Kernel | null
+    : Kernel
+
+export type RemoteContext<TParams, TSelf, TDeps, TKernel = Kernel | null> = {
   /** Validated params (Zod-checked against the method's `inputSchema`). */
   params: TParams
   /** Auth context resolved from the inbound delegation credential. `null` for public or unauthenticated optional methods. */
@@ -26,13 +56,14 @@ export type RemoteContext<TParams, TSelf, TDeps> = {
   url: string
   /**
    * `BoundClientSessionView` to the parent kernel, bound to the composed
-   * credential `union(delegation, self)`. `null` when `auth: 'public'`, or
-   * `auth: 'optional'` with no inbound credential. Use for kernel syscalls +
-   * same-domain methods. For ANOTHER worker's remote method use
-   * {@link RemoteContext.callRemote} — `kernel.call` to a remote method fails
-   * the audience check.
+   * credential `union(delegation, self)`. Its nullability is `{@link
+   * KernelForAuth}` of the method's `auth`: non-null for the default
+   * `'required'`, `… | null` for `'optional'`, `null` for `'public'`. Use for
+   * kernel syscalls + same-domain methods. For ANOTHER worker's remote method
+   * use {@link RemoteContext.callRemote} — `kernel.call` to a remote method
+   * fails the audience check.
    */
-  kernel: BoundClientSessionView<FnMap> | null
+  kernel: TKernel
   /**
    * Call another worker's remote method (a Function with `binding.remoteUrl`),
    * re-minting the credential for the target's audience so it isn't rejected at

package/src/method/index.ts

@@ -1,4 +1,4 @@
-export type { RemoteContext } from './context'
+export type { Kernel, KernelForAuth, RemoteContext } from './context'
 export type { RemoteHandler, AnyRemoteHandler, MethodImpl } from './single'
 export { remoteMethod } from './single'
 export type { ClassMethodsImpl, InterfaceMethodsImpl, SchemaMethodsImpl } from './class'

package/src/method/single.ts

@@ -20,7 +20,7 @@ import type {
 import type { Schema } from '@astrale-os/kernel-dsl'
 
 import type { SelfResult } from '../dispatch/self'
-import type { RemoteContext } from './context'
+import type { KernelForAuth, RemoteContext } from './context'
 
 /**
  * Remote function handler — execute with full typed context.
@@ -35,10 +35,10 @@ import type { RemoteContext } from './context'
  * dispatcher throws — that's a programmer error indicating a stub leaked into
  * a code path that was supposed to execute it.
  */
-export type RemoteHandler<TParams, TResult, TSelf, TDeps> = {
+export type RemoteHandler<TParams, TResult, TSelf, TDeps, TAuth extends AuthPolicy = 'required'> = {
   /** The handler body. May be async or an async generator (for `output: 'stream'`). */
   execute?: (
-    ctx: RemoteContext<TParams, TSelf, TDeps>,
+    ctx: RemoteContext<TParams, TSelf, TDeps, KernelForAuth<TAuth>>,
   ) => TResult | Promise<TResult> | AsyncGenerator<TResult>
   /**
    * Optional REST binding — attaches a native HTTP route to this method.
@@ -53,8 +53,13 @@ export type RemoteHandler<TParams, TResult, TSelf, TDeps> = {
   remoteUrl?: string
   /** Optional human-readable description. Appears in generated docs. */
   description?: string
-  /** Authentication policy. Defaults to `'required'` when absent. */
-  auth?: AuthPolicy
+  /**
+   * Authentication policy. Defaults to `'required'` when absent. Captured as a
+   * literal type so it drives {@link KernelForAuth} on the `execute`/`authorize`
+   * context: omit it (or set `'required'`) and `ctx.kernel` is non-null;
+   * `'optional'` widens it to `… | null`; `'public'` makes it `null`.
+   */
+  auth?: TAuth
   /**
    * Optional pre-execute authorization check. Runs after auth resolution and
    * `_self` resolution, before `execute`. Throw any error to deny the call —
@@ -69,11 +74,17 @@ export type RemoteHandler<TParams, TResult, TSelf, TDeps> = {
    * The kernel still enforces `has_perm` independently — `authorize` is
    * additive ergonomic gating on top, not a replacement.
    */
-  authorize?: (ctx: RemoteContext<TParams, TSelf, TDeps>) => void | Promise<void>
+  authorize?: (
+    ctx: RemoteContext<TParams, TSelf, TDeps, KernelForAuth<TAuth>>,
+  ) => void | Promise<void>
 }
 
+// `TAuth = AuthPolicy` (the full union, not the `'required'` default) keeps this
+// maximally permissive: it accepts a handler of ANY declared policy, and its
+// `ctx.kernel` widens to `BoundClientSessionView<FnMap> | null`. Used by the
+// dispatcher/index where the concrete policy is erased.
 // oxlint-disable-next-line no-explicit-any
-export type AnyRemoteHandler = RemoteHandler<any, any, any, any>
+export type AnyRemoteHandler = RemoteHandler<any, any, any, any, AuthPolicy>
 
 /**
  * Fully typed method implementation — resolves params/result/self from the
@@ -84,6 +95,7 @@ export type MethodImpl<
   K extends MethodClassKeys<S> & string,
   M extends string,
   TDeps = unknown,
+  TAuth extends AuthPolicy = 'required',
 > =
   ClassMethodConfig<S, K, M> extends {
     params: infer P
@@ -91,7 +103,7 @@ export type MethodImpl<
     self: unknown
     isStatic: infer St
   }
-    ? RemoteHandler<P, R, St extends true ? undefined : SelfResult, TDeps>
+    ? RemoteHandler<P, R, St extends true ? undefined : SelfResult, TDeps, TAuth>
     : never
 
 type ImplementableMethodName<S extends Schema, K extends MethodClassKeys<S> & string> = (
@@ -113,17 +125,24 @@ export function remoteMethod<TDeps>(): <
   S extends Schema,
   K extends MethodClassKeys<S> & string,
   M extends ImplementableMethodName<S, K>,
+  TAuth extends AuthPolicy = 'required',
 >(
   schema: S,
   className: K,
   methodName: M,
-  impl: MethodImpl<S, K, M, TDeps>,
-) => MethodImpl<S, K, M, TDeps>
+  impl: MethodImpl<S, K, M, TDeps, TAuth>,
+) => MethodImpl<S, K, M, TDeps, TAuth>
 export function remoteMethod<
   S extends Schema,
   K extends MethodClassKeys<S> & string,
   M extends ImplementableMethodName<S, K>,
->(schema: S, className: K, methodName: M, impl: MethodImpl<S, K, M>): MethodImpl<S, K, M>
+  TAuth extends AuthPolicy = 'required',
+>(
+  schema: S,
+  className: K,
+  methodName: M,
+  impl: MethodImpl<S, K, M, unknown, TAuth>,
+): MethodImpl<S, K, M, unknown, TAuth>
 export function remoteMethod(...args: unknown[]) {
   if (args.length === 0) {
     return (...innerArgs: unknown[]) => innerArgs[3]

package/src/server/domain-entry.ts

@@ -0,0 +1,113 @@
+/**
+ * `domainWorkerEntry` — the one-call worker entry for a standalone domain.
+ *
+ * It folds the three steps every hand-rolled worker used to wire by hand —
+ * compile the runtime domain (`defineRemoteDomain`), build the server
+ * (`createRemoteServer`), and wrap it in the shared fetch plumbing
+ * (`createWorkerEntry`) — into a single declaration. The author passes the raw
+ * modules (`schema` / `methods` / `views` / `functions`) plus the identity and
+ * deploy bits; the helper does the rest. This is what the cloudflare adapter's
+ * codegen emits, and the recommended surface for a hand-rolled worker.
+ *
+ * Drop down to `createWorkerEntry` + `defineRemoteDomain` (from
+ * `@astrale-os/sdk/domain`) only when the worker needs something this config
+ * can't express — e.g. a serving-URL-dependent domain build (views stamped with
+ * the live url) or a globally-injected signing key resolved per request.
+ */
+
+import type { Core, Schema } from '@astrale-os/kernel-dsl'
+import type { Hono } from 'hono'
+
+import type { AnyRemoteFunctionDef, ViewDef } from '../define'
+import type { SchemaMethodsImpl } from '../method'
+import type { RemoteServerConfig } from './config'
+import type { WorkerEntry, WorkerEntryConfig } from './worker-entry'
+
+import { defineRemoteDomain } from '../domain'
+import { createWorkerEntry } from './worker-entry'
+
+export interface DomainWorkerEntryConfig<S extends Schema, TEnv, TDeps> {
+  /** The domain schema. */
+  schema: S
+  /** Method implementations, typed against `schema` under `TDeps`. */
+  methods: SchemaMethodsImpl<S, TDeps>
+  /** Optional Core override (extra genesis nodes / wiring). */
+  core?: Core<S>
+  /** Views (iframe-mountable UIs) keyed by slug. */
+  views?: Record<string, ViewDef<TDeps>>
+  /** Standalone Functions (callables not bound to a class) keyed by slug. */
+  functions?: Record<string, AnyRemoteFunctionDef>
+
+  /**
+   * The worker's signing key (its `iss` identity material). A static JWK, or a
+   * resolver from `env` for keys injected as a secret / shared globally.
+   */
+  privateKey: JsonWebKey | ((env: TEnv) => JsonWebKey)
+  /** Cross-domain deps by origin — verified present at install. */
+  requires?: readonly string[]
+  /** Typed colon-path the kernel calls once as __SYSTEM__ after install. */
+  postInstall?: string
+  /** Provenance stamped on `/meta`. */
+  meta?: RemoteServerConfig<TDeps>['meta']
+
+  /**
+   * Map the worker `env` to the handler dependency container. Defaults to
+   * passing `env` straight through (the common case where handlers read
+   * bindings directly).
+   */
+  deps?: (env: TEnv, url: string) => TDeps
+  /** Optional pre-built host Hono app (CORS / logging / extra routes). */
+  app?: (env: TEnv) => Hono
+
+  // ── createWorkerEntry plumbing (passed through verbatim) ──────────────────
+  resolveUrl?: WorkerEntryConfig<TEnv>['resolveUrl']
+  selfBinding?: WorkerEntryConfig<TEnv>['selfBinding']
+  routeSubrequest?: WorkerEntryConfig<TEnv>['routeSubrequest']
+  before?: WorkerEntryConfig<TEnv>['before']
+  rewriteRequest?: WorkerEntryConfig<TEnv>['rewriteRequest']
+}
+
+/**
+ * Curried so `TDeps` can be fixed explicitly (it types `methods`/`views`) while
+ * `S` is inferred from `schema` — mirroring `defineRemoteDomain`. The common
+ * case `domainWorkerEntry<Env>()({ … })` leaves `TDeps = TEnv` (handlers read
+ * the env directly); pass both — `domainWorkerEntry<Env, Deps>()` — when the
+ * handler deps differ from the worker bindings and a `deps` mapper is supplied.
+ */
+export function domainWorkerEntry<TEnv, TDeps = TEnv>() {
+  return function <S extends Schema>(
+    config: DomainWorkerEntryConfig<S, TEnv, TDeps>,
+  ): WorkerEntry<TEnv> {
+    const domain = defineRemoteDomain<TDeps>()({
+      schema: config.schema,
+      methods: config.methods,
+      ...(config.core ? { core: config.core } : {}),
+      ...(config.views ? { views: config.views } : {}),
+      ...(config.functions ? { remoteFunctions: config.functions } : {}),
+    })
+
+    return createWorkerEntry<TEnv>({
+      ...(config.resolveUrl ? { resolveUrl: config.resolveUrl } : {}),
+      ...(config.selfBinding ? { selfBinding: config.selfBinding } : {}),
+      ...(config.routeSubrequest ? { routeSubrequest: config.routeSubrequest } : {}),
+      ...(config.before ? { before: config.before } : {}),
+      ...(config.rewriteRequest ? { rewriteRequest: config.rewriteRequest } : {}),
+      // `createWorkerEntry` conflates the worker env and the handler deps into a
+      // single type param; we keep them distinct in the public config and bridge
+      // here. The runtime deps (and the methods typed against them) are correct;
+      // only this assembly is cast.
+      build: (url, env) =>
+        ({
+          domain,
+          deps: config.deps ? config.deps(env, url) : (env as unknown as TDeps),
+          url,
+          privateKey:
+            typeof config.privateKey === 'function' ? config.privateKey(env) : config.privateKey,
+          ...(config.requires && config.requires.length > 0 ? { requires: config.requires } : {}),
+          ...(config.postInstall ? { postInstall: config.postInstall } : {}),
+          ...(config.meta ? { meta: config.meta } : {}),
+          ...(config.app ? { app: config.app(env) } : {}),
+        }) as unknown as RemoteServerConfig<TEnv>,
+    })
+  }
+}

package/src/server/index.ts

@@ -4,7 +4,9 @@ export type { RemoteServer, RemoteServerHandle } from './handle'
 export { derivePublicJwk } from './jwks'
 export { requireEnv } from './require-env'
 export { canonicalizeServingUrl } from './serving-url'
-export { createWorkerEntry } from './worker-entry'
+export { assets, createWorkerEntry } from './worker-entry'
 export type { WorkerEntry, WorkerEntryConfig } from './worker-entry'
+export { domainWorkerEntry } from './domain-entry'
+export type { DomainWorkerEntryConfig } from './domain-entry'
 export { workerMeta } from './worker-meta'
 export { startNodeServer } from './start'