@astrale-os/sdk 0.1.7 → 0.1.9

package/dist/server/worker-entry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"worker-entry.d.ts","sourceRoot":"","sources":["../../src/server/worker-entry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAMlD,KAAK,OAAO,GAAG;IAAE,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;CAAE,CAAA;AAGxE,MAAM,WAAW,iBAAiB,CAAC,KAAK;IACtC;;;;OAIG;IACH,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,KAAK,kBAAkB,CAAC,KAAK,CAAC,CAAA;IAC7D;;;;;;;;;OASG;IACH,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,KAAK,MAAM,CAAA;IAC1D,gFAAgF;IAChF,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,OAAO,GAAG,IAAI,GAAG,SAAS,CAAA;IACxD;;;;;;;;;OASG;IACH,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,KAAK,OAAO,GAAG,IAAI,GAAG,SAAS,CAAA;IACtE;;;;;OAKG;IACH,MAAM,CAAC,EAAE,CACP,GAAG,EAAE,KAAK,EACV,GAAG,EAAE,GAAG,EACR,OAAO,EAAE,OAAO,KACb,QAAQ,GAAG,SAAS,GAAG,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC,CAAA;IACzD;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,KAAK,OAAO,CAAA;CAC3D;AAED,MAAM,WAAW,WAAW,CAAC,KAAK;IAChC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;CAClE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,GAAG,MAAM,CAM/D;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE;IAClC,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,OAAO,GAAG,IAAI,GAAG,SAAS,CAAA;IACnD,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,MAAM,GAAG,IAAI,GAAG,SAAS,CAAA;CACrD,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,SAAS,CAiBvF;AAED,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,iBAAiB,CAAC,KAAK,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CA0E7F"}
+{"version":3,"file":"worker-entry.d.ts","sourceRoot":"","sources":["../../src/server/worker-entry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAMlD,KAAK,OAAO,GAAG;IAAE,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;CAAE,CAAA;AACxE,KAAK,GAAG,GAAG;IAAE,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;CAAE,CAAA;AAEpE;yCACyC;AACzC,KAAK,SAAS,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,CAAA;AAE7C;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAC1C,CAAC,EAAE,GAAG,EACN,GAAG,EAAE;IACH,IAAI,EAAE,OAAO,GAAG,IAAI,CAAA;IACpB,IAAI,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAA;IACzB,QAAQ,EAAE,KAAK,GAAG,IAAI,CAAA;IACtB,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,KAAK,OAAO,GAAG,IAAI,GAAG,SAAS,CAAA;CACvE,GACA;IAAE,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;CAAE,GAAG,IAAI,CAWlE;AAED,MAAM,WAAW,iBAAiB,CAAC,KAAK;IACtC;;;;OAIG;IACH,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,KAAK,kBAAkB,CAAC,KAAK,CAAC,CAAA;IAC7D;;;;;;;;;OASG;IACH,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,KAAK,MAAM,CAAA;IAC1D,gFAAgF;IAChF,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,OAAO,GAAG,IAAI,GAAG,SAAS,CAAA;IACxD;;;;;;;;;OASG;IACH,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,KAAK,OAAO,GAAG,IAAI,GAAG,SAAS,CAAA;IACtE;;;;;OAKG;IACH,MAAM,CAAC,EAAE,CACP,GAAG,EAAE,KAAK,EACV,GAAG,EAAE,GAAG,EACR,OAAO,EAAE,OAAO,KACb,QAAQ,GAAG,SAAS,GAAG,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC,CAAA;IACzD;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,KAAK,OAAO,CAAA;CAC3D;AAED,MAAM,WAAW,WAAW,CAAC,KAAK;IAChC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;CAClE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,GAAG,MAAM,CAM/D;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE;IAClC,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,OAAO,GAAG,IAAI,GAAG,SAAS,CAAA;IACnD,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,MAAM,GAAG,IAAI,GAAG,SAAS,CAAA;CACrD,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,SAAS,CAiBvF;AAED,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,iBAAiB,CAAC,KAAK,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAsE7F"}

package/dist/server/worker-entry.js

@@ -24,6 +24,43 @@
 import { createRemoteServer } from './create';
 import { requireEnv } from './require-env';
 import { canonicalizeServingUrl } from './serving-url';
+/**
+ * Choose where an OUTBOUND subrequest to `u` is routed — or `null` to let the
+ * real `fetch` handle it. Order matters and same-origin wins FIRST: a call to
+ * this worker's OWN serving origin is a self-dispatch, not an edge fetch — and
+ * the caller's `routeSubrequest` policy may itself match our own host (e.g. an
+ * `isInstanceHost` predicate matches every `*.svc.astrale.ai`, ours included),
+ * so it must never get first look at a same-origin call.
+ *
+ *   • same-origin + SELF binding present → the SELF fetcher: a fresh same-script
+ *     invocation. The normal Cloudflare path — a Worker can't fetch its own
+ *     hostname over the edge, so it re-enters itself through the binding.
+ *   • same-origin + NO SELF binding → the cached app, dispatched IN-PROCESS. A
+ *     Workers-for-Platforms dispatch-namespace tenant can't service-bind to
+ *     itself (its script name is platform-renamed), so it has no SELF binding; an
+ *     in-process dispatch reaches the same script with no edge hop and no binding.
+ *     `App` and the SELF `Fetcher` share the `{ fetch(request) }` shape, so the
+ *     caller drives both identically.
+ *   • else, the caller's `routeSubrequest` policy matched → its fetcher.
+ *   • else → `null`: passthrough to the real network fetch.
+ *
+ * Pure (no closure over instance state) so the routing decision is unit-testable
+ * without standing up a real app.
+ */
+export function selectSubrequestTarget(u, ctx) {
+    // Same-origin self-subrequest → the same script (SELF binding, else in-process).
+    for (const cached of ctx.apps) {
+        if (cached.origin === u.origin)
+            return ctx.self ?? cached.app;
+    }
+    // Caller policy (e.g. a platform router on the same zone) → its fetcher.
+    if (ctx.routeSubrequest && ctx.routeEnv) {
+        const via = ctx.routeSubrequest(u, ctx.routeEnv);
+        if (via)
+            return via;
+    }
+    return null;
+}
 /**
  * The request origin as the CLIENT reached it — i.e. the origin a fallback
  * serving URL (and therefore the `iss`) may be derived from. Behind a
@@ -104,31 +141,26 @@ export function createWorkerEntry(config) {
         apps.set(url, { origin: new URL(url).origin, app });
         return app;
     }
-    // A Worker can't fetch its own hostname (SELF), nor — on Cloudflare — a
+    // A Worker can't fetch its own hostname over the edge, nor — on Cloudflare — a
     // same-zone hostname routed to another Worker (the `routeSubrequest` case).
     // When either is configured, override `globalThis.fetch` to redirect those
-    // subrequests through the caller's fetcher. Workers with neither get no global
-    // mutation. (A self-issued credential's JWKS is resolved in-memory by the
-    // verifier, not fetched — see `auth/verify.ts` — so no self-JWKS shim is needed.)
+    // subrequests through the right target (see `selectSubrequestTarget`). Workers
+    // with neither selfBinding nor routeSubrequest get no global mutation. (A
+    // self-issued credential's JWKS is resolved in-memory by the verifier, not
+    // fetched — see `auth/verify.ts` — so no self-JWKS shim is needed.)
     if (config.selfBinding || config.routeSubrequest) {
         const originalFetch = globalThis.fetch;
         globalThis.fetch = (async (input, init) => {
             const href = typeof input === 'string' ? input : input instanceof URL ? input.href : input.url;
             try {
-                const u = new URL(href);
-                // same-origin → SELF (a Worker can't fetch its own hostname)
-                if (self && apps.size > 0) {
-                    for (const cached of apps.values()) {
-                        if (cached.origin === u.origin)
-                            return self.fetch(new Request(input, init));
-                    }
-                }
-                // caller policy → its fetcher (e.g. a platform router on the same zone)
-                if (config.routeSubrequest && routeEnv) {
-                    const via = config.routeSubrequest(u, routeEnv);
-                    if (via)
-                        return via.fetch(new Request(input, init));
-                }
+                const target = selectSubrequestTarget(new URL(href), {
+                    self,
+                    apps: apps.values(),
+                    routeEnv,
+                    routeSubrequest: config.routeSubrequest,
+                });
+                if (target)
+                    return target.fetch(new Request(input, init));
             }
             catch {
                 // non-absolute URL — fall through to the original fetch

package/dist/server/worker-entry.js.map

@@ -1 +1 @@
-{"version":3,"file":"worker-entry.js","sourceRoot":"","sources":["../../src/server/worker-entry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAIH,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAC1C,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAA;AA2DtD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,YAAY,CAAC,GAAQ,EAAE,OAAgB;IACrD,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO;QAAE,OAAO,GAAG,CAAC,MAAM,CAAA;IAC/C,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAA;IAC1D,mFAAmF;IACnF,MAAM,MAAM,GAAG,SAAS,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAC7D,OAAO,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,WAAW,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAA;AAChE,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,MAAM,CAAQ,IAI7B;IACC,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IACrD,MAAM,MAAM,GAAG,GAAG,IAAI,GAAG,CAAA;IACzB,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QACjC,IAAI,CAAC,OAAO;YAAE,OAAO,SAAS,CAAA;QAC9B,IAAI,GAAG,CAAC,QAAQ,KAAK,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,SAAS,CAAA;QAC/E,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAA;QACnC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;YAC1C,OAAO,KAAK,CAAC,IAAI,OAAO,CAAC,GAAG,OAAO,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,EAAE,OAAO,CAAC,CAAC,CAAA;QAC9E,CAAC;QACD,oEAAoE;QACpE,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,GAAG,CAAA;QACvD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5D,OAAO,OAAO,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAA;IACvD,CAAC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAQ,MAAgC;IACvE,6EAA6E;IAC7E,yEAAyE;IACzE,wEAAwE;IACxE,0EAA0E;IAC1E,qEAAqE;IACrE,uDAAuD;IACvD,MAAM,eAAe,GAAG,CAAC,CAAA;IACzB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAwC,CAAA;IAC5D,IAAI,IAAI,GAAmB,IAAI,CAAA;IAC/B,IAAI,QAAQ,GAAiB,IAAI,CAAA;IAEjC,SAAS,MAAM,CAAC,GAAW,EAAE,GAAU;QACrC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC5B,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC,GAAG,CAAA;QAC7B,MAAM,EAAE,GAAG,EAAE,GAAG,kBAAkB,CAAQ,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAA;QACjE,IAAI,IAAI,CAAC,IAAI,IAAI,eAAe,EAAE,CAAC;YACjC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAA;YACvC,IAAI,MAAM,KAAK,SAAS;gBAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC/C,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACnD,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,wEAAwE;IACxE,4EAA4E;IAC5E,2EAA2E;IAC3E,+EAA+E;IAC/E,0EAA0E;IAC1E,kFAAkF;IAClF,IAAI,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;QACjD,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAA;QACtC,UAAU,CAAC,KAAK,GAAG,CAAC,KAAK,EAAE,KAAwB,EAAE,IAAkB,EAAE,EAAE;YACzE,MAAM,IAAI,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,YAAY,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAA;YAC9F,IAAI,CAAC;gBACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAA;gBACvB,6DAA6D;gBAC7D,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;oBAC1B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;wBACnC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;4BAAE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAA;oBAC7E,CAAC;gBACH,CAAC;gBACD,wEAAwE;gBACxE,IAAI,MAAM,CAAC,eAAe,IAAI,QAAQ,EAAE,CAAC;oBACvC,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAA;oBAC/C,IAAI,GAAG;wBAAE,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAA;gBACrD,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,wDAAwD;YAC1D,CAAC;YACD,OAAO,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QACnC,CAAC,CAAiB,CAAA;IACpB,CAAC;IAED,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,OAAgB,EAAE,GAAU;YACtC,IAAI,MAAM,CAAC,WAAW;gBAAE,IAAI,KAAK,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,IAAI,CAAA;YAChE,IAAI,MAAM,CAAC,eAAe;gBAAE,QAAQ,GAAG,GAAG,CAAA;YAC1C,4DAA4D;YAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;YACnF,IAAI,MAAM,CAAC,MAAM,IAAI,UAAU,EAAE,CAAC;gBAChC,wEAAwE;gBACxE,2EAA2E;gBAC3E,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,CAAC,CAAA;gBAC7D,IAAI,OAAO,KAAK,SAAS;oBAAE,OAAO,OAAO,CAAA;YAC3C,CAAC;YACD,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU;gBAC3B,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,YAAY,CAAC,UAAW,EAAE,OAAO,CAAC,CAAC;gBAC5D,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,YAAY,EAAE,oDAAoD,CAAC,CAAA;YACvF,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAA;YACvC,MAAM,UAAU,GAAG,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAA;YACxF,OAAO,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;QAC3C,CAAC;KACF,CAAA;AACH,CAAC"}
+{"version":3,"file":"worker-entry.js","sourceRoot":"","sources":["../../src/server/worker-entry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAIH,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAC1C,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAA;AAStD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,sBAAsB,CACpC,CAAM,EACN,GAKC;IAED,iFAAiF;IACjF,KAAK,MAAM,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;YAAE,OAAO,GAAG,CAAC,IAAI,IAAI,MAAM,CAAC,GAAG,CAAA;IAC/D,CAAC;IACD,yEAAyE;IACzE,IAAI,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,GAAG,CAAC,eAAe,CAAC,CAAC,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAA;QAChD,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAwDD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,YAAY,CAAC,GAAQ,EAAE,OAAgB;IACrD,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO;QAAE,OAAO,GAAG,CAAC,MAAM,CAAA;IAC/C,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAA;IAC1D,mFAAmF;IACnF,MAAM,MAAM,GAAG,SAAS,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAC7D,OAAO,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,WAAW,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAA;AAChE,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,MAAM,CAAQ,IAI7B;IACC,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IACrD,MAAM,MAAM,GAAG,GAAG,IAAI,GAAG,CAAA;IACzB,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QACjC,IAAI,CAAC,OAAO;YAAE,OAAO,SAAS,CAAA;QAC9B,IAAI,GAAG,CAAC,QAAQ,KAAK,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,SAAS,CAAA;QAC/E,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAA;QACnC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;YAC1C,OAAO,KAAK,CAAC,IAAI,OAAO,CAAC,GAAG,OAAO,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,EAAE,OAAO,CAAC,CAAC,CAAA;QAC9E,CAAC;QACD,oEAAoE;QACpE,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,GAAG,CAAA;QACvD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5D,OAAO,OAAO,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAA;IACvD,CAAC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAQ,MAAgC;IACvE,6EAA6E;IAC7E,yEAAyE;IACzE,wEAAwE;IACxE,0EAA0E;IAC1E,qEAAqE;IACrE,uDAAuD;IACvD,MAAM,eAAe,GAAG,CAAC,CAAA;IACzB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAqB,CAAA;IACzC,IAAI,IAAI,GAAmB,IAAI,CAAA;IAC/B,IAAI,QAAQ,GAAiB,IAAI,CAAA;IAEjC,SAAS,MAAM,CAAC,GAAW,EAAE,GAAU;QACrC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC5B,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC,GAAG,CAAA;QAC7B,MAAM,EAAE,GAAG,EAAE,GAAG,kBAAkB,CAAQ,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAA;QACjE,IAAI,IAAI,CAAC,IAAI,IAAI,eAAe,EAAE,CAAC;YACjC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAA;YACvC,IAAI,MAAM,KAAK,SAAS;gBAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC/C,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACnD,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,+EAA+E;IAC/E,4EAA4E;IAC5E,2EAA2E;IAC3E,+EAA+E;IAC/E,0EAA0E;IAC1E,2EAA2E;IAC3E,oEAAoE;IACpE,IAAI,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;QACjD,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAA;QACtC,UAAU,CAAC,KAAK,GAAG,CAAC,KAAK,EAAE,KAAwB,EAAE,IAAkB,EAAE,EAAE;YACzE,MAAM,IAAI,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,YAAY,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAA;YAC9F,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,sBAAsB,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,EAAE;oBACnD,IAAI;oBACJ,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE;oBACnB,QAAQ;oBACR,eAAe,EAAE,MAAM,CAAC,eAAe;iBACxC,CAAC,CAAA;gBACF,IAAI,MAAM;oBAAE,OAAO,MAAM,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAA;YAC3D,CAAC;YAAC,MAAM,CAAC;gBACP,wDAAwD;YAC1D,CAAC;YACD,OAAO,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QACnC,CAAC,CAAiB,CAAA;IACpB,CAAC;IAED,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,OAAgB,EAAE,GAAU;YACtC,IAAI,MAAM,CAAC,WAAW;gBAAE,IAAI,KAAK,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,IAAI,CAAA;YAChE,IAAI,MAAM,CAAC,eAAe;gBAAE,QAAQ,GAAG,GAAG,CAAA;YAC1C,4DAA4D;YAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;YACnF,IAAI,MAAM,CAAC,MAAM,IAAI,UAAU,EAAE,CAAC;gBAChC,wEAAwE;gBACxE,2EAA2E;gBAC3E,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,CAAC,CAAA;gBAC7D,IAAI,OAAO,KAAK,SAAS;oBAAE,OAAO,OAAO,CAAA;YAC3C,CAAC;YACD,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU;gBAC3B,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,YAAY,CAAC,UAAW,EAAE,OAAO,CAAC,CAAC;gBAC5D,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,YAAY,EAAE,oDAAoD,CAAC,CAAA;YACvF,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAA;YACvC,MAAM,UAAU,GAAG,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAA;YACxF,OAAO,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;QAC3C,CAAC;KACF,CAAA;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@astrale-os/sdk",
-  "version": "0.1.7",
+  "version": "0.1.9",
   "description": "Astrale Remote Domain SDK - Define and deploy domains as standalone Hono servers",
   "keywords": [
     "astrale",

package/src/cli/run.ts

@@ -1,5 +1,5 @@
 /**
- * The `astrale-domain` CLI — dev | build | deploy.
+ * The `astrale-domain` CLI — dev | build | deploy | publish.
  *
  * Thin by design: it reads `astrale.config.ts`, resolves `envs[<env>] → params`
  * via the adapter, loads the env's secrets file, then drives `adapter.watch`
@@ -18,14 +18,17 @@
  *   astrale-domain prod              # = deploy prod
  *   astrale-domain deploy <env>      # any env key
  *   astrale-domain build             # rebuild spec only (placeholder URL)
- *   astrale-domain publish [env]     # = deploy [prod] then register the URL
+ *   astrale-domain publish [env]     # register the deployed URL in the admin catalog (NO deploy)
  *
- * `publish` (and the `--publish` tail-flag on deploy) deploys, then registers
- * the resulting URL in the admin catalog by SHELLING OUT to the operator CLI
- * (`astrale domain publish --origin --name --public-url`). Auth lives entirely
- * in that CLI — this build tool never touches credentials; it just hands off the
- * fresh URL it alone knows. Requires `astrale` on PATH (the same CLI the deploy
- * footer already points you at for `domain install`).
+ * `publish` registers a domain's ALREADY-deployed URL in the admin catalog by
+ * SHELLING OUT to the operator CLI (`astrale domain publish --origin --name
+ * --public-url`); it does NOT deploy — run `prod` / `deploy <env>` first, or use
+ * `deploy --publish` to deploy AND register in one step. Standalone publish
+ * defaults the registered address to `https://<origin>` (what every fleet domain
+ * serves at); pass `--public-url` for workers.dev / split-host deploys. Auth
+ * lives entirely in the operator CLI — this build tool never touches
+ * credentials. Requires `astrale` on PATH (the same CLI the deploy footer
+ * already points you at for `domain install`).
  */
 
 import { spawn } from 'node:child_process'
@@ -44,19 +47,21 @@ import { buildProjectSpec } from './spec'
 const CONFIG_NAMES = ['astrale.config.ts', 'astrale.config.js', 'astrale.config.mjs']
 
 type ParsedArgs = {
-  command: 'dev' | 'build' | 'deploy'
+  command: 'dev' | 'build' | 'deploy' | 'publish'
   env: string
   watch: boolean
   /** `--port <n>` (dev only) — overrides the env's local dev port. */
   port?: number
   /** `--host <url>` (dev only) — public URL of a tunnel/proxy front: binds 0.0.0.0 + pins WORKER_URL. */
   host?: string
-  /** Register the deployed URL in the admin catalog (the `publish` command / `--publish` flag). */
+  /** `--publish` tail-flag on deploy/prod: ALSO register the freshly-deployed URL (deploy + register). */
   publish?: boolean
-  /** `--name <slug>` — registry name to publish under (default: package.json `name`). */
+  /** `--name <slug>` — registry name to publish under (default: the origin's first label, e.g. `ai-gateway`). */
   name?: string
   /** `--install-by-default` — mark the published domain for install on every new instance. */
   installByDefault?: boolean
+  /** `--public-url <url>` — (publish only) the address the catalog points at (default: `https://<origin>`). */
+  publicUrl?: string
 }
 
 export async function run(argv: readonly string[]): Promise<number> {
@@ -131,6 +136,25 @@ export async function run(argv: readonly string[]): Promise<number> {
     return 0
   }
 
+  if (parsed.command === 'publish') {
+    // Register the already-deployed URL in the admin catalog — NO deploy. The
+    // public address defaults to `https://<origin>` (the canonical custom-domain
+    // prod URL — what every fleet domain serves at); `--public-url` overrides it
+    // for workers.dev / split-host deploys. No adapter, secrets, or params: this
+    // only points the registry at an address the author already deployed.
+    const pkg = readPackageMeta(projectDir)
+    const name = parsed.name ?? def.origin.split('.')[0] ?? def.origin
+    const url = parsed.publicUrl ?? `https://${def.origin}`
+    info(`registering ${def.origin} → ${url} in the admin catalog (no deploy)`)
+    return await publishToAdmin({
+      origin: def.origin,
+      name,
+      url,
+      ...(pkg.description ? { description: pkg.description } : {}),
+      ...(parsed.installByDefault ? { installByDefault: true } : {}),
+    })
+  }
+
   const adapter = def.adapter as DomainAdapter<unknown>
   // CLI param overrides — applied over the env's params here AND re-applied by
   // the config hot-regen path, which re-resolves `adapter.params` from the
@@ -184,9 +208,10 @@ export async function run(argv: readonly string[]): Promise<number> {
   if (parsed.publish) {
     const pkg = readPackageMeta(projectDir)
     // The registry `name` is a short catalog slug, distinct from the FQDN-like
-    // `origin`. It isn't in the domain definition, so default to the project's
-    // package.json `name`, then the origin's first label; `--name` overrides.
-    const name = parsed.name ?? pkg.name ?? def.origin.split('.')[0] ?? def.origin
+    // `origin` AND from the npm package name (`@scope/…` for a published domain —
+    // illegal as a catalog slug). Default to the origin's first label (the fleet
+    // convention, e.g. `ai-gateway`); `--name` overrides.
+    const name = parsed.name ?? def.origin.split('.')[0] ?? def.origin
     return await publishToAdmin({
       origin: def.origin,
       name,
@@ -539,6 +564,7 @@ export function parseArgs(argv: readonly string[]): ParsedArgs {
   let port: number | undefined
   let host: string | undefined
   let name: string | undefined
+  let publicUrl: string | undefined
   const cleaned: string[] = []
   for (let i = 0; i < rest.length; i++) {
     const a = rest[i]!
@@ -560,6 +586,12 @@ export function parseArgs(argv: readonly string[]): ParsedArgs {
       if (!name) throw new Error('--name needs a value (the registry slug to publish under)')
     } else if (a.startsWith('--name=')) {
       name = a.slice('--name='.length)
+    } else if (a === '--public-url') {
+      publicUrl = rest[++i]
+      if (!publicUrl)
+        throw new Error('--public-url needs a value (the address the catalog points at)')
+    } else if (a.startsWith('--public-url=')) {
+      publicUrl = a.slice('--public-url='.length)
     } else {
       cleaned.push(a)
     }
@@ -590,13 +622,15 @@ export function parseArgs(argv: readonly string[]): ParsedArgs {
       return { command: 'deploy', env, watch, ...(publish ? { publish } : {}), ...pub }
     }
     case 'publish':
-      // Sugar for `deploy [prod] --publish`: deploy, then register the URL.
+      // Register the ALREADY-deployed URL in the admin catalog — NO deploy.
+      // (Use `deploy [env] --publish` to deploy AND register in one step.) The
+      // public address defaults to `https://<origin>`; `--public-url` overrides.
       return {
-        command: 'deploy',
+        command: 'publish',
         env: positionals[0] ?? 'prod',
         watch: false,
-        publish: true,
         ...pub,
+        ...(publicUrl !== undefined ? { publicUrl } : {}),
       }
     case 'build':
       // Spec-only — no env resolution happens on this path.
@@ -664,11 +698,12 @@ function printUsage(msg?: string): void {
       `  astrale-domain dev               # deploy dev --watch (hot-reload, prints URL)\n` +
       `  astrale-domain prod              # deploy prod\n` +
       `  astrale-domain deploy <env>      # deploy any env key (--watch optional)\n` +
-      `  astrale-domain publish [env]     # deploy [prod], then register the URL in the admin catalog\n` +
+      `  astrale-domain publish [env]     # register the already-deployed URL in the admin catalog (NO deploy)\n` +
       `  astrale-domain build             # rebuild the diagnostic spec only\n` +
       `\nFlags:\n` +
-      `  --publish                        # on deploy/prod: register the deployed URL (= the publish command)\n` +
-      `  --name <slug>                    # registry name to publish under (default: package.json name)\n` +
+      `  --publish                        # on deploy/prod: ALSO register the deployed URL (deploy + register)\n` +
+      `  --name <slug>                    # registry name to publish under (default: the origin's first label)\n` +
+      `  --public-url <url>               # (publish) address the catalog points at (default: https://<origin>)\n` +
       `  --install-by-default             # mark the published domain for install on every new instance\n` +
       `\n  publish shells out to \`astrale domain publish\` (needs \`astrale\` on PATH).\n\n`,
   )

package/src/define/remote-function.ts

@@ -19,24 +19,28 @@
 import type { AuthPolicy, FunctionBinding } from '@astrale-os/kernel-api/routed'
 import type { FnMap } from '@astrale-os/kernel-client'
 import type { BoundClientSessionView } from '@astrale-os/kernel-client/session'
-import type { AuthContext } from '@astrale-os/kernel-core'
 import type { Context } from 'hono'
 import type { z } from 'zod'
 
 import type { CallRemoteFn } from '../dispatch/call-remote'
-import type { KernelForAuth } from '../method/context'
+import type { AuthForPolicy, KernelForAuth } from '../method/context'
 
 export type RemoteFunctionContext<
   TParams,
   TDeps = unknown,
   TKernel = BoundClientSessionView<FnMap> | null,
+  TAuth extends AuthPolicy = AuthPolicy,
 > = {
   /** Validated params (Zod-checked against `inputSchema`). */
   params: TParams
   /** Hono request context — escape hatch for headers, raw body, etc. */
   c: Context
-  /** Resolved auth context. `null` when `auth: 'public'` or absent. */
-  auth: AuthContext | null
+  /**
+   * Resolved auth context. Its nullability follows the function's `auth`
+   * policy: non-null for the default `'required'`, `... | null` for
+   * `'optional'`, and `null` for `'public'`.
+   */
+  auth: AuthForPolicy<TAuth>
   /** Typed dependency container injected at server startup. */
   deps: TDeps
   /**
@@ -96,18 +100,19 @@ export type RemoteFunctionDef<
   binding?: FunctionBinding
   /**
    * Authentication policy. Defaults to `'required'`. Captured as a literal type
-   * so it drives {@link KernelForAuth} on the `execute`/`authorize` context:
-   * omit it (or `'required'`) → `ctx.kernel` non-null; `'optional'` → `… | null`;
-   * `'public'` → `null` (webhooks reach the graph via `ctx.selfKernel`).
+   * so it drives `ctx.auth` and {@link KernelForAuth} on the
+   * `execute`/`authorize` context: omit it (or `'required'`) makes both
+   * non-null; `'optional'` widens them to `... | null`; `'public'` makes them
+   * `null` (webhooks reach the graph via `ctx.selfKernel`).
    */
   auth?: TAuth
   /** Optional pre-execute authorization. Throw to deny. */
   authorize?: (
-    ctx: RemoteFunctionContext<TParams, TDeps, KernelForAuth<TAuth>>,
+    ctx: RemoteFunctionContext<TParams, TDeps, KernelForAuth<TAuth>, TAuth>,
   ) => void | Promise<void>
   /** The function body. May be async. */
   execute: (
-    ctx: RemoteFunctionContext<TParams, TDeps, KernelForAuth<TAuth>>,
+    ctx: RemoteFunctionContext<TParams, TDeps, KernelForAuth<TAuth>, TAuth>,
   ) => TResult | Promise<TResult>
   /** Optional human-readable description. */
   description?: string

package/src/define/view.ts

@@ -21,11 +21,12 @@
 import type { AuthPolicy, FunctionBinding } from '@astrale-os/kernel-api/routed'
 import type { FnMap } from '@astrale-os/kernel-client'
 import type { BoundClientSessionView } from '@astrale-os/kernel-client/session'
-import type { AuthContext } from '@astrale-os/kernel-core'
 import type { EdgeEndpoint } from '@astrale-os/kernel-dsl'
 import type { Context } from 'hono'
 
-export type ViewRenderContext<TDeps = unknown> = {
+import type { AuthForPolicy } from '../method/context'
+
+export type ViewRenderContext<TDeps = unknown, TAuth extends AuthPolicy = AuthPolicy> = {
   /** Hono request context — read params, headers, query, etc. */
   c: Context
   /**
@@ -34,8 +35,12 @@ export type ViewRenderContext<TDeps = unknown> = {
    * the binding has no placeholders.
    */
   params: Record<string, string>
-  /** Resolved auth context. `null` when `auth: 'public'` or absent. */
-  auth: AuthContext | null
+  /**
+   * Resolved auth context. Its nullability follows the View's `auth` policy:
+   * non-null for `'required'`, `... | null` for `'optional'`, and `null` for
+   * `'public'`.
+   */
+  auth: AuthForPolicy<TAuth>
   /** Typed dependency container injected at server startup. */
   deps: TDeps
   /**
@@ -48,7 +53,7 @@ export type ViewRenderContext<TDeps = unknown> = {
   selfKernel: (kernelUrl?: string) => Promise<BoundClientSessionView<FnMap>>
 }
 
-export type ViewDef<TDeps = unknown> = {
+export type ViewDef<TDeps = unknown, TAuth extends AuthPolicy = AuthPolicy> = {
   /**
    * Override the binding (URL + route shape). When absent, SDK defaults to
    * `{ remoteUrl: ${url}/<viewsFolder>/<slug> }`. The HTTP verb (GET for
@@ -68,18 +73,18 @@ export type ViewDef<TDeps = unknown> = {
    */
   mount?: string
   /** Authentication policy. Defaults to `'required'`. */
-  auth?: AuthPolicy
+  auth?: TAuth
   /**
    * Optional pre-render authorization. Runs after auth resolution; throw to
    * deny. SDK wraps as 403.
    */
-  authorize?: (ctx: ViewRenderContext<TDeps>) => void | Promise<void>
+  authorize?: (ctx: ViewRenderContext<TDeps, TAuth>) => void | Promise<void>
   /**
    * Render the iframe response. May return a redirect, a proxy, or inline
    * HTML. When omitted, no worker route is mounted — the binding URL
    * points elsewhere (CDN, external service).
    */
-  render?: (ctx: ViewRenderContext<TDeps>) => Response | Promise<Response>
+  render?: (ctx: ViewRenderContext<TDeps, TAuth>) => Response | Promise<Response>
   /**
    * Optional target(s) the View attaches to via `view_for` edge(s). Typically
    * `selfOf(SomeClass)` to bind to a class meta-node, or a `CorePath`
@@ -96,6 +101,8 @@ export type ViewDef<TDeps = unknown> = {
  * `defineRemoteDomain` consumes the typed shape and the author retains
  * full type inference on `render` / `authorize`.
  */
-export function defineView<TDeps = unknown>(def: ViewDef<TDeps>): ViewDef<TDeps> {
+export function defineView<TDeps = unknown, TAuth extends AuthPolicy = 'required'>(
+  def: ViewDef<TDeps, TAuth>,
+): ViewDef<TDeps, TAuth> {
   return def
 }

package/src/index.ts

@@ -1,5 +1,6 @@
 // ─── Method authoring ────────────────────────────────────────────────────
 export type {
+  AuthForPolicy,
   Kernel,
   KernelForAuth,
   RemoteContext,

package/src/method/context.ts

@@ -43,11 +43,32 @@ export type KernelForAuth<TAuth extends AuthPolicy> = TAuth extends 'public'
     ? Kernel | null
     : Kernel
 
-export type RemoteContext<TParams, TSelf, TDeps, TKernel = Kernel | null> = {
+/**
+ * The resolved auth context a handler receives, derived from its declared
+ * `auth` policy. Mirrors {@link KernelForAuth}: required methods have a
+ * verified auth context, optional/public methods encode the nullable cases.
+ */
+export type AuthForPolicy<TAuth extends AuthPolicy> = TAuth extends 'public'
+  ? null
+  : TAuth extends 'optional'
+    ? AuthContext | null
+    : AuthContext
+
+export type RemoteContext<
+  TParams,
+  TSelf,
+  TDeps,
+  TKernel = Kernel | null,
+  TAuth extends AuthPolicy = AuthPolicy,
+> = {
   /** Validated params (Zod-checked against the method's `inputSchema`). */
   params: TParams
-  /** Auth context resolved from the inbound delegation credential. `null` for public or unauthenticated optional methods. */
-  auth: AuthContext | null
+  /**
+   * Auth context resolved from the inbound delegation credential. Its
+   * nullability follows the method's `auth` policy: non-null for the default
+   * `'required'`, `... | null` for `'optional'`, and `null` for `'public'`.
+   */
+  auth: AuthForPolicy<TAuth>
   /** Bound node instance — `undefined` for static methods. */
   self: TSelf
   /** Typed dependency container injected at server startup. */

package/src/method/index.ts

@@ -1,4 +1,4 @@
-export type { Kernel, KernelForAuth, RemoteContext } from './context'
+export type { AuthForPolicy, Kernel, KernelForAuth, RemoteContext } from './context'
 export type { RemoteHandler, AnyRemoteHandler, MethodImpl } from './single'
 export { remoteMethod } from './single'
 export type { ClassMethodsImpl, InterfaceMethodsImpl, SchemaMethodsImpl } from './class'

package/src/method/single.ts

@@ -38,7 +38,7 @@ import type { KernelForAuth, RemoteContext } from './context'
 export type RemoteHandler<TParams, TResult, TSelf, TDeps, TAuth extends AuthPolicy = 'required'> = {
   /** The handler body. May be async or an async generator (for `output: 'stream'`). */
   execute?: (
-    ctx: RemoteContext<TParams, TSelf, TDeps, KernelForAuth<TAuth>>,
+    ctx: RemoteContext<TParams, TSelf, TDeps, KernelForAuth<TAuth>, TAuth>,
   ) => TResult | Promise<TResult> | AsyncGenerator<TResult>
   /**
    * Optional REST binding — attaches a native HTTP route to this method.
@@ -55,9 +55,10 @@ export type RemoteHandler<TParams, TResult, TSelf, TDeps, TAuth extends AuthPoli
   description?: string
   /**
    * Authentication policy. Defaults to `'required'` when absent. Captured as a
-   * literal type so it drives {@link KernelForAuth} on the `execute`/`authorize`
-   * context: omit it (or set `'required'`) and `ctx.kernel` is non-null;
-   * `'optional'` widens it to `… | null`; `'public'` makes it `null`.
+   * literal type so it drives `ctx.auth` and {@link KernelForAuth} on the
+   * `execute`/`authorize` context: omit it (or set `'required'`) and both
+   * `ctx.auth` and `ctx.kernel` are non-null; `'optional'` widens them to
+   * `... | null`; `'public'` makes both `null`.
    */
   auth?: TAuth
   /**
@@ -75,7 +76,7 @@ export type RemoteHandler<TParams, TResult, TSelf, TDeps, TAuth extends AuthPoli
    * additive ergonomic gating on top, not a replacement.
    */
   authorize?: (
-    ctx: RemoteContext<TParams, TSelf, TDeps, KernelForAuth<TAuth>>,
+    ctx: RemoteContext<TParams, TSelf, TDeps, KernelForAuth<TAuth>, TAuth>,
   ) => void | Promise<void>
 }
 

package/src/server/worker-entry.ts

@@ -31,6 +31,54 @@ import { canonicalizeServingUrl } from './serving-url'
 type Fetcher = { fetch(request: Request): Response | Promise<Response> }
 type App = { fetch(request: Request): Response | Promise<Response> }
 
+/** A built app cached by its serving URL: `origin` for same-origin matching,
+ * `app` for in-process self-dispatch. */
+type CachedApp = { origin: string; app: App }
+
+/**
+ * Choose where an OUTBOUND subrequest to `u` is routed — or `null` to let the
+ * real `fetch` handle it. Order matters and same-origin wins FIRST: a call to
+ * this worker's OWN serving origin is a self-dispatch, not an edge fetch — and
+ * the caller's `routeSubrequest` policy may itself match our own host (e.g. an
+ * `isInstanceHost` predicate matches every `*.svc.astrale.ai`, ours included),
+ * so it must never get first look at a same-origin call.
+ *
+ *   • same-origin + SELF binding present → the SELF fetcher: a fresh same-script
+ *     invocation. The normal Cloudflare path — a Worker can't fetch its own
+ *     hostname over the edge, so it re-enters itself through the binding.
+ *   • same-origin + NO SELF binding → the cached app, dispatched IN-PROCESS. A
+ *     Workers-for-Platforms dispatch-namespace tenant can't service-bind to
+ *     itself (its script name is platform-renamed), so it has no SELF binding; an
+ *     in-process dispatch reaches the same script with no edge hop and no binding.
+ *     `App` and the SELF `Fetcher` share the `{ fetch(request) }` shape, so the
+ *     caller drives both identically.
+ *   • else, the caller's `routeSubrequest` policy matched → its fetcher.
+ *   • else → `null`: passthrough to the real network fetch.
+ *
+ * Pure (no closure over instance state) so the routing decision is unit-testable
+ * without standing up a real app.
+ */
+export function selectSubrequestTarget<TDeps>(
+  u: URL,
+  ctx: {
+    self: Fetcher | null
+    apps: Iterable<CachedApp>
+    routeEnv: TDeps | null
+    routeSubrequest?: (url: URL, env: TDeps) => Fetcher | null | undefined
+  },
+): { fetch(request: Request): Response | Promise<Response> } | null {
+  // Same-origin self-subrequest → the same script (SELF binding, else in-process).
+  for (const cached of ctx.apps) {
+    if (cached.origin === u.origin) return ctx.self ?? cached.app
+  }
+  // Caller policy (e.g. a platform router on the same zone) → its fetcher.
+  if (ctx.routeSubrequest && ctx.routeEnv) {
+    const via = ctx.routeSubrequest(u, ctx.routeEnv)
+    if (via) return via
+  }
+  return null
+}
+
 export interface WorkerEntryConfig<TDeps> {
   /**
    * Build the `createRemoteServer` config for the resolved serving `url`. Called
@@ -152,7 +200,7 @@ export function createWorkerEntry<TDeps>(config: WorkerEntryConfig<TDeps>): Work
   // every alternation. The bound caps abuse via attacker-minted Host /
   // X-Forwarded-Proto values on that same fallback path.
   const MAX_CACHED_APPS = 4
-  const apps = new Map<string, { origin: string; app: App }>()
+  const apps = new Map<string, CachedApp>()
   let self: Fetcher | null = null
   let routeEnv: TDeps | null = null
 
@@ -168,29 +216,25 @@ export function createWorkerEntry<TDeps>(config: WorkerEntryConfig<TDeps>): Work
     return app
   }
 
-  // A Worker can't fetch its own hostname (SELF), nor — on Cloudflare — a
+  // A Worker can't fetch its own hostname over the edge, nor — on Cloudflare — a
   // same-zone hostname routed to another Worker (the `routeSubrequest` case).
   // When either is configured, override `globalThis.fetch` to redirect those
-  // subrequests through the caller's fetcher. Workers with neither get no global
-  // mutation. (A self-issued credential's JWKS is resolved in-memory by the
-  // verifier, not fetched — see `auth/verify.ts` — so no self-JWKS shim is needed.)
+  // subrequests through the right target (see `selectSubrequestTarget`). Workers
+  // with neither selfBinding nor routeSubrequest get no global mutation. (A
+  // self-issued credential's JWKS is resolved in-memory by the verifier, not
+  // fetched — see `auth/verify.ts` — so no self-JWKS shim is needed.)
   if (config.selfBinding || config.routeSubrequest) {
     const originalFetch = globalThis.fetch
     globalThis.fetch = (async (input: RequestInfo | URL, init?: RequestInit) => {
       const href = typeof input === 'string' ? input : input instanceof URL ? input.href : input.url
       try {
-        const u = new URL(href)
-        // same-origin → SELF (a Worker can't fetch its own hostname)
-        if (self && apps.size > 0) {
-          for (const cached of apps.values()) {
-            if (cached.origin === u.origin) return self.fetch(new Request(input, init))
-          }
-        }
-        // caller policy → its fetcher (e.g. a platform router on the same zone)
-        if (config.routeSubrequest && routeEnv) {
-          const via = config.routeSubrequest(u, routeEnv)
-          if (via) return via.fetch(new Request(input, init))
-        }
+        const target = selectSubrequestTarget(new URL(href), {
+          self,
+          apps: apps.values(),
+          routeEnv,
+          routeSubrequest: config.routeSubrequest,
+        })
+        if (target) return target.fetch(new Request(input, init))
       } catch {
         // non-absolute URL — fall through to the original fetch
       }