npm - @datacules/agent-identity-express - Versions diffs - 0.11.0 → 0.11.1 - Mend

@datacules/agent-identity-express 0.11.0 → 0.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,109 @@
+Datacules Agent Identity License — Version 1.0
+Copyright (c) 2026 Datacules LLC. All rights reserved.
+─────────────────────────────────────────────────────────────────────────────
+PREAMBLE
+─────────────────────────────────────────────────────────────────────────────
+This software — Agent Identity & Auth Patterns — is developed and owned by
+Datacules LLC. It is made available to the public as open-source software
+under the permissive terms below.
+Datacules LLC retains ownership and authorship of this software while
+granting broad, royalty-free rights for anyone to use, copy, modify, and
+distribute it — in commercial or non-commercial contexts — without requiring
+that derivative works also become open source.
+─────────────────────────────────────────────────────────────────────────────
+TERMS AND CONDITIONS
+─────────────────────────────────────────────────────────────────────────────
+1. PERMISSION TO USE
+   Permission is hereby granted, free of charge, to any person or
+   organization obtaining a copy of this software and associated
+   documentation files (the "Software"), to use, copy, modify, merge,
+   publish, distribute, sublicense, and/or sell copies of the Software,
+   and to permit persons to whom the Software is furnished to do so,
+   subject to the conditions below.
+2. ATTRIBUTION
+   a. Redistributions of source code must retain this copyright notice,
+      this list of conditions, and the disclaimer below.
+   b. Redistributions in binary form or as a product must reproduce this
+      copyright notice, this list of conditions, and the disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   c. Neither the name "Datacules LLC" nor the names of its contributors
+      may be used to endorse or promote products derived from this Software
+      without prior written permission from Datacules LLC.
+3. COMMERCIAL USE
+   Use of this Software in commercial products, SaaS platforms, internal
+   enterprise tools, or any revenue-generating context is explicitly
+   permitted without royalty, fee, or additional licensing agreement,
+   provided that the conditions in Section 2 (Attribution) are met.
+4. NO COPYLEFT / NO VIRAL REQUIREMENT
+   This license does NOT require that derivative works, modifications,
+   or software that uses or embeds this Software be made open source.
+   You may incorporate this Software into proprietary or closed-source
+   products under your own license terms.
+5. MODIFICATIONS
+   Modified versions of the Software may be distributed under the same
+   terms as this license or under any other permissive open-source
+   license (e.g. MIT, Apache 2.0, BSD), provided that:
+   a. The original copyright notice of Datacules LLC is preserved.
+   b. Modifications are clearly documented and distinguished from the
+      original work.
+6. COMPATIBILITY
+   This license is compatible with other permissive open-source licenses
+   such as MIT, BSD 2-Clause, BSD 3-Clause, and Apache License 2.0. It
+   is also GPL-compatible — this Software may coexist with GPL-licensed
+   code, though this Software itself is not distributed under the GPL.
+─────────────────────────────────────────────────────────────────────────────
+DISCLAIMER
+─────────────────────────────────────────────────────────────────────────────
+THIS SOFTWARE IS PROVIDED BY DATACULES LLC AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
+AND NON-INFRINGEMENT ARE DISCLAIMED.
+IN NO EVENT SHALL DATACULES LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+─────────────────────────────────────────────────────────────────────────────
+SUMMARY (non-binding)
+─────────────────────────────────────────────────────────────────────────────
+  ✔  Use freely — commercial, proprietary, or open-source projects
+  ✔  Modify and distribute with or without changes
+  ✔  Sell products built on this Software
+  ✔  No royalties or fees
+  ✔  No requirement to open-source your own code
+  ✔  Attribution to Datacules LLC required in source and binary distributions
+  ✗  Do not use "Datacules LLC" to endorse derived products without permission
+─────────────────────────────────────────────────────────────────────────────
+CONTACT
+─────────────────────────────────────────────────────────────────────────────
+Datacules LLC
+For licensing enquiries: legal@datacules.com
+Product: https://github.com/hvrcharon1/agent-identity

package/dist/cjs/index.js ADDED Viewed

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.agentIdentityMiddleware = agentIdentityMiddleware;
+/**
+ * Express middleware for @datacules/agent-identity.
+ *
+ * Resolves credentials before any downstream route handler runs.
+ * The resolved credential is attached to req.resolvedCredential.
+ *
+ * Usage:
+ *   import express from 'express';
+ *   import { agentIdentityMiddleware } from '@datacules/agent-identity-express';
+ *
+ *   const app = express();
+ *   app.use(express.json());
+ *   app.use(agentIdentityMiddleware({ credentials, rules, logger }));
+ *
+ *   app.post('/ai/complete', (req, res) => {
+ *     const cred = req.resolvedCredential; // already resolved
+ *   });
+ */
+const agent_identity_1 = require("@datacules/agent-identity");
+function agentIdentityMiddleware(options) {
+    const { credentials, rules, logger, contextKey = 'agentContext', passThrough = true, } = options;
+    const router = (0, agent_identity_1.createRouter)(credentials, rules, logger);
+    return (req, res, next) => {
+        const ctx = req.body?.[contextKey];
+        if (!ctx) {
+            if (passThrough)
+                return next();
+            res.status(400).json({ error: `Missing required field: ${contextKey}` });
+            return;
+        }
+        const resolved = router.resolve(ctx);
+        if (!resolved) {
+            res.status(403).json({ error: 'No credential resolved for this context' });
+            return;
+        }
+        req.resolvedCredential = resolved;
+        next();
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;AAuDA,0DA6BC;AApFD;;;;;;;;;;;;;;;;;GAiBG;AACH,8DAAyD;AAqCzD,SAAgB,uBAAuB,CAAC,OAAuC;IAC7E,MAAM,EACJ,WAAW,EACX,KAAK,EACL,MAAM,EACN,UAAU,GAAG,cAAc,EAC3B,WAAW,GAAG,IAAI,GACnB,GAAG,OAAO,CAAC;IAEZ,MAAM,MAAM,GAAG,IAAA,6BAAY,EAAC,WAAW,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAExD,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,UAAU,CAAoC,CAAC;QAEtE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,IAAI,WAAW;gBAAE,OAAO,IAAI,EAAE,CAAC;YAC/B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,UAAU,EAAE,EAAE,CAAC,CAAC;YACzE,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;YAC3E,OAAO;QACT,CAAC;QAED,GAAG,CAAC,kBAAkB,GAAG,QAAQ,CAAC;QAClC,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/esm/index.js ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * Express middleware for @datacules/agent-identity.
+ *
+ * Resolves credentials before any downstream route handler runs.
+ * The resolved credential is attached to req.resolvedCredential.
+ *
+ * Usage:
+ *   import express from 'express';
+ *   import { agentIdentityMiddleware } from '@datacules/agent-identity-express';
+ *
+ *   const app = express();
+ *   app.use(express.json());
+ *   app.use(agentIdentityMiddleware({ credentials, rules, logger }));
+ *
+ *   app.post('/ai/complete', (req, res) => {
+ *     const cred = req.resolvedCredential; // already resolved
+ *   });
+ */
+import { createRouter } from '@datacules/agent-identity';
+export function agentIdentityMiddleware(options) {
+    const { credentials, rules, logger, contextKey = 'agentContext', passThrough = true, } = options;
+    const router = createRouter(credentials, rules, logger);
+    return (req, res, next) => {
+        const ctx = req.body?.[contextKey];
+        if (!ctx) {
+            if (passThrough)
+                return next();
+            res.status(400).json({ error: `Missing required field: ${contextKey}` });
+            return;
+        }
+        const resolved = router.resolve(ctx);
+        if (!resolved) {
+            res.status(403).json({ error: 'No credential resolved for this context' });
+            return;
+        }
+        req.resolvedCredential = resolved;
+        next();
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAqCzD,MAAM,UAAU,uBAAuB,CAAC,OAAuC;IAC7E,MAAM,EACJ,WAAW,EACX,KAAK,EACL,MAAM,EACN,UAAU,GAAG,cAAc,EAC3B,WAAW,GAAG,IAAI,GACnB,GAAG,OAAO,CAAC;IAEZ,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAExD,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,UAAU,CAAoC,CAAC;QAEtE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,IAAI,WAAW;gBAAE,OAAO,IAAI,EAAE,CAAC;YAC/B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,UAAU,EAAE,EAAE,CAAC,CAAC;YACzE,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;YAC3E,OAAO;QACT,CAAC;QAED,GAAG,CAAC,kBAAkB,GAAG,QAAQ,CAAC;QAClC,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/types/index.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { AuditLogger, Credential, ResolvedCredential, RoutingRule } from '@datacules/agent-identity';
+import type { Request, Response, NextFunction } from 'express';
+declare global {
+    namespace Express {
+        interface Request {
+            resolvedCredential?: ResolvedCredential;
+        }
+    }
+}
+export interface AgentIdentityMiddlewareOptions {
+    credentials: Credential[];
+    rules: RoutingRule[];
+    logger?: AuditLogger;
+    /**
+     * Key in req.body that holds the AgentRequestContext.
+     * Default: 'agentContext'
+     */
+    contextKey?: string;
+    /**
+     * If true, the middleware passes through when no agentContext is found
+     * rather than returning 400. Use when the middleware is global and only
+     * some routes are agent-identity-aware.
+     * Default: true
+     */
+    passThrough?: boolean;
+}
+export declare function agentIdentityMiddleware(options: AgentIdentityMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => void;
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAEV,WAAW,EACX,UAAU,EACV,kBAAkB,EAClB,WAAW,EACZ,MAAM,2BAA2B,CAAC;AACnC,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG/D,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;SACzC;KACF;CACF;AAED,MAAM,WAAW,8BAA8B;IAC7C,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;;OAKG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,8BAA8B,IAWrE,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAkB/D"}

package/package.json CHANGED Viewed

@@ -1,17 +1,44 @@
 {
   "name": "@datacules/agent-identity-express",
-  "version": "0.11.0",
+  "version": "0.11.1",
   "private": false,
   "description": "Express middleware for @datacules/agent-identity",
+  "author": "Datacules LLC",
+  "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hvrcharon1/agent-identity.git",
+    "directory": "packages/integrations/express"
+  },
+  "keywords": [
+    "agent-identity",
+    "express",
+    "middleware",
+    "credential-routing",
+    "ai-agents",
+    "datacules"
+  ],
   "main": "./dist/cjs/index.js",
   "module": "./dist/esm/index.js",
   "types": "./dist/types/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/esm/index.js",
+      "require": "./dist/cjs/index.js",
+      "types": "./dist/types/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
   "scripts": {
-    "build": "tsc -p tsconfig.build.json",
+    "build": "tsc -p tsconfig.build.json && tsc -p tsconfig.cjs.json",
     "type-check": "tsc --noEmit"
   },
   "peerDependencies": {
-    "@datacules/agent-identity": "^0.8.0",
+    "@datacules/agent-identity": "^0.11.1",
     "express": ">=4.0.0"
   },
   "devDependencies": {

package/src/express.test.ts DELETED Viewed

@@ -1,340 +0,0 @@
-/**
- * express.test.ts
- *
- * Vitest test suite for agentIdentityMiddleware from
- * @datacules/agent-identity-express.
- *
- * Express uses `import type` for Request/Response/NextFunction — those imports
- * are erased at runtime, so no express runtime dependency is needed here.
- * req, res, and next are created as plain typed mock objects.
- *
- * 13 test cases:
- *   passThrough behavior (4): absent context + passThrough=true/false variants
- *   credential resolution (7): attach, next, resolvedFor, 403, expired, logger
- *   custom contextKey (2): reads correct field, 400 names custom key
- */
-import { describe, it, expect, vi } from 'vitest';
-import { agentIdentityMiddleware } from './index';
-import type { Credential, RoutingRule } from '@datacules/agent-identity';
-// ─── Fixtures ────────────────────────────────────────────────────────────────
-const FIXED_CREDENTIAL: Credential = {
-  id: 'cred-openai-fixed',
-  kind: 'fixed',
-  name: 'OpenAI Prod Key',
-  scope: 'read write',
-  status: 'active',
-  provider: 'openai',
-  ref: 'openai-prod-key',
-};
-const USER_DELEGATED_CREDENTIAL: Credential = {
-  id: 'cred-anthropic-user',
-  kind: 'user-delegated',
-  name: 'Anthropic User Token',
-  scope: 'read',
-  status: 'active',
-  provider: 'anthropic',
-  ref: 'anthropic-user-token',
-};
-const EXPIRED_CREDENTIAL: Credential = {
-  id: 'cred-expired',
-  kind: 'fixed',
-  name: 'Expired Key',
-  scope: 'read write',
-  status: 'active',
-  provider: 'openai',
-  ref: 'expired-key',
-  expiresAt: new Date(Date.now() - 1_000).toISOString(), // 1 second in the past
-};
-const RULES: RoutingRule[] = [
-  {
-    id: 'rule-openai-shared',
-    credentialRef: 'openai-prod-key',
-    priority: 10,
-    matchProvider: 'openai',
-    matchResourceKind: 'shared',
-  },
-  {
-    id: 'rule-anthropic-personal',
-    credentialRef: 'anthropic-user-token',
-    priority: 20,
-    matchProvider: 'anthropic',
-    matchResourceKind: 'personal',
-  },
-];
-const EXPIRED_RULES: RoutingRule[] = [
-  {
-    id: 'rule-expired',
-    credentialRef: 'expired-key',
-    priority: 5,
-    matchProvider: 'openai',
-    matchResourceKind: 'shared',
-  },
-];
-const BASE_CONTEXT = {
-  userId: 'user-123',
-  resourceId: 'res-abc',
-  resourceKind: 'shared' as const,
-  provider: 'openai' as const,
-  model: 'gpt-4',
-  action: 'complete',
-  traceId: 'trace-001',
-  requestedAt: new Date().toISOString(),
-};
-// ─── Mock helpers ─────────────────────────────────────────────────────────────
-// req.body can be undefined (before express.json() middleware runs)
-function makeReq(body?: Record<string, unknown>) {
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  return { body } as any;
-}
-// res.status(N).json(obj) — status() returns a plain object whose json property
-// is the same vi.fn() exposed as res.json, so assertions on res.json capture
-// all json() calls made through either the chained or direct path.
-function makeRes() {
-  const json = vi.fn();
-  const status = vi.fn(() => ({ json }));
-  return { status, json };
-}
-function makeNext() {
-  return vi.fn();
-}
-// ─── Tests ────────────────────────────────────────────────────────────────────
-describe('agentIdentityMiddleware', () => {
-  // ─── passThrough behavior ──────────────────────────────────────────────────
-  describe('passThrough behavior', () => {
-    it('calls next() when agentContext is absent and passThrough=true (default)', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL],
-        rules: RULES,
-      });
-      const req = makeReq({ otherField: 'value' });
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      expect(next).toHaveBeenCalledOnce();
-      expect(res.status).not.toHaveBeenCalled();
-    });
-    it('calls next() when req.body is undefined and passThrough=true', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL],
-        rules: RULES,
-      });
-      const req = makeReq(undefined);
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      expect(next).toHaveBeenCalledOnce();
-      expect(res.status).not.toHaveBeenCalled();
-    });
-    it('sends 400 when agentContext is absent and passThrough=false', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL],
-        rules: RULES,
-        passThrough: false,
-      });
-      const req = makeReq({});
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      expect(res.status).toHaveBeenCalledWith(400);
-      expect(next).not.toHaveBeenCalled();
-    });
-    it('400 error message names the missing contextKey', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL],
-        rules: RULES,
-        passThrough: false,
-      });
-      const req = makeReq({});
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      // res.status() returns { json: same-vi-fn }, so res.json captures the call
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('agentContext') })
-      );
-    });
-  });
-  // ─── Credential resolution ─────────────────────────────────────────────────
-  describe('credential resolution', () => {
-    it('attaches resolvedCredential to req on successful resolution', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL],
-        rules: RULES,
-      });
-      const req = makeReq({ agentContext: BASE_CONTEXT });
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      expect(req.resolvedCredential).toBeDefined();
-      expect(req.resolvedCredential?.credentialId).toBe('cred-openai-fixed');
-    });
-    it('calls next() and sends no response on successful resolution', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL],
-        rules: RULES,
-      });
-      const req = makeReq({ agentContext: BASE_CONTEXT });
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      expect(next).toHaveBeenCalledOnce();
-      expect(res.status).not.toHaveBeenCalled();
-    });
-    it('sets resolvedFor to "service" for fixed credentials', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL],
-        rules: RULES,
-      });
-      const req = makeReq({ agentContext: BASE_CONTEXT });
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      expect(req.resolvedCredential?.kind).toBe('fixed');
-      expect(req.resolvedCredential?.resolvedFor).toBe('service');
-    });
-    it('sets resolvedFor to ctx.userId for user-delegated credentials', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL, USER_DELEGATED_CREDENTIAL],
-        rules: RULES,
-      });
-      const anthropicCtx = {
-        ...BASE_CONTEXT,
-        provider: 'anthropic' as const,
-        resourceKind: 'personal' as const,
-      };
-      const req = makeReq({ agentContext: anthropicCtx });
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      expect(req.resolvedCredential?.kind).toBe('user-delegated');
-      expect(req.resolvedCredential?.resolvedFor).toBe('user-123');
-    });
-    it('sends 403 when no routing rule matches the context', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL],
-        rules: RULES,
-      });
-      // gemini matches no configured rule
-      const ctx = { ...BASE_CONTEXT, provider: 'gemini' as const };
-      const req = makeReq({ agentContext: ctx });
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      expect(res.status).toHaveBeenCalledWith(403);
-      expect(next).not.toHaveBeenCalled();
-    });
-    it('sends 403 when the matched credential is expired', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [EXPIRED_CREDENTIAL],
-        rules: EXPIRED_RULES,
-      });
-      const req = makeReq({ agentContext: BASE_CONTEXT });
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      expect(res.status).toHaveBeenCalledWith(403);
-      expect(next).not.toHaveBeenCalled();
-    });
-    it('invokes the audit logger when a credential resolves successfully', () => {
-      const logger = { log: vi.fn() };
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL],
-        rules: RULES,
-        logger,
-      });
-      const req = makeReq({ agentContext: BASE_CONTEXT });
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      // logger.log() is called synchronously inside Promise.resolve(logger.log(entry))
-      expect(logger.log).toHaveBeenCalledOnce();
-    });
-  });
-  // ─── Custom contextKey ─────────────────────────────────────────────────────
-  describe('custom contextKey', () => {
-    it('reads the agent context from the custom contextKey field', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL],
-        rules: RULES,
-        contextKey: 'identity',
-      });
-      const req = makeReq({ identity: BASE_CONTEXT });
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      expect(req.resolvedCredential).toBeDefined();
-      expect(next).toHaveBeenCalledOnce();
-    });
-    it('400 error message names the custom contextKey when passThrough=false', () => {
-      const mw = agentIdentityMiddleware({
-        credentials: [FIXED_CREDENTIAL],
-        rules: RULES,
-        contextKey: 'identity',
-        passThrough: false,
-      });
-      const req = makeReq({});
-      const res = makeRes();
-      const next = makeNext();
-      mw(req, res as any, next); // eslint-disable-line @typescript-eslint/no-explicit-any
-      expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('identity') })
-      );
-    });
-  });
-});

package/src/index.ts DELETED Viewed

@@ -1,85 +0,0 @@
-/**
- * Express middleware for @datacules/agent-identity.
- *
- * Resolves credentials before any downstream route handler runs.
- * The resolved credential is attached to req.resolvedCredential.
- *
- * Usage:
- *   import express from 'express';
- *   import { agentIdentityMiddleware } from '@datacules/agent-identity-express';
- *
- *   const app = express();
- *   app.use(express.json());
- *   app.use(agentIdentityMiddleware({ credentials, rules, logger }));
- *
- *   app.post('/ai/complete', (req, res) => {
- *     const cred = req.resolvedCredential; // already resolved
- *   });
- */
-import { createRouter } from '@datacules/agent-identity';
-import type {
-  AgentRequestContext,
-  AuditLogger,
-  Credential,
-  ResolvedCredential,
-  RoutingRule,
-} from '@datacules/agent-identity';
-import type { Request, Response, NextFunction } from 'express';
-// Extend Express Request type
-declare global {
-  namespace Express {
-    interface Request {
-      resolvedCredential?: ResolvedCredential;
-    }
-  }
-}
-export interface AgentIdentityMiddlewareOptions {
-  credentials: Credential[];
-  rules: RoutingRule[];
-  logger?: AuditLogger;
-  /**
-   * Key in req.body that holds the AgentRequestContext.
-   * Default: 'agentContext'
-   */
-  contextKey?: string;
-  /**
-   * If true, the middleware passes through when no agentContext is found
-   * rather than returning 400. Use when the middleware is global and only
-   * some routes are agent-identity-aware.
-   * Default: true
-   */
-  passThrough?: boolean;
-}
-export function agentIdentityMiddleware(options: AgentIdentityMiddlewareOptions) {
-  const {
-    credentials,
-    rules,
-    logger,
-    contextKey = 'agentContext',
-    passThrough = true,
-  } = options;
-  const router = createRouter(credentials, rules, logger);
-  return (req: Request, res: Response, next: NextFunction): void => {
-    const ctx = req.body?.[contextKey] as AgentRequestContext | undefined;
-    if (!ctx) {
-      if (passThrough) return next();
-      res.status(400).json({ error: `Missing required field: ${contextKey}` });
-      return;
-    }
-    const resolved = router.resolve(ctx);
-    if (!resolved) {
-      res.status(403).json({ error: 'No credential resolved for this context' });
-      return;
-    }
-    req.resolvedCredential = resolved;
-    next();
-  };
-}