@dirxai/core 0.3.0

package/dist/chunk-5BEMU43U.js

@@ -0,0 +1,34 @@
+// src/auth/context.ts
+var AgentContext = class {
+  sub;
+  svc;
+  roles;
+  orgId;
+  teamId;
+  raw;
+  constructor(payload) {
+    this.sub = payload.sub;
+    this.svc = payload.svc ?? "unknown";
+    this.roles = Object.freeze(payload.roles ?? []);
+    this.orgId = payload.org_id;
+    this.teamId = payload.team_id;
+    this.raw = payload;
+  }
+  hasRole(role) {
+    return this.roles.includes(role);
+  }
+  isAgent() {
+    return this.hasRole("agent");
+  }
+  isAdmin() {
+    return this.hasRole("admin");
+  }
+  /** Token expiry as Date, or null if no exp claim. */
+  get expiresAt() {
+    return this.raw.exp ? new Date(this.raw.exp * 1e3) : null;
+  }
+};
+
+export {
+  AgentContext
+};

package/dist/context-C7RRNS5U.d.cts

@@ -0,0 +1,59 @@
+import { JWTPayload } from 'jose';
+
+/**
+ * JWKS client — fetches and caches the DirX gateway's public key set.
+ *
+ * Uses the `jose` library for JWK parsing and JWT verification.
+ * Keys are cached in memory with a configurable TTL (default 5 min).
+ */
+
+interface JwksClientOptions {
+    /** JWKS endpoint URL. Default: https://api.dirx.ai/.well-known/jwks.json */
+    jwksUrl?: string;
+    /** Expected JWT issuer. Default: https://api.dirx.ai */
+    issuer?: string;
+    /** Expected JWT audience. Default: dirx */
+    audience?: string;
+}
+interface DirxTokenPayload extends JWTPayload {
+    sub: string;
+    svc?: string;
+    roles?: string[];
+    org_id?: string;
+    team_id?: string;
+}
+declare class JwksClient {
+    private readonly jwks;
+    private readonly issuer;
+    private readonly audience;
+    constructor(options?: JwksClientOptions);
+    /**
+     * Verify a JWT token against the JWKS endpoint.
+     * Returns the decoded payload on success, throws DirxError on failure.
+     */
+    verify(token: string): Promise<DirxTokenPayload>;
+}
+
+/**
+ * AgentContext — request-scoped context extracted from a verified JWT.
+ *
+ * Provides typed access to the agent identity, roles, and org/team scope.
+ * Created by the Guard middleware and attached to the request.
+ */
+
+declare class AgentContext {
+    readonly sub: string;
+    readonly svc: string;
+    readonly roles: readonly string[];
+    readonly orgId: string | undefined;
+    readonly teamId: string | undefined;
+    readonly raw: DirxTokenPayload;
+    constructor(payload: DirxTokenPayload);
+    hasRole(role: string): boolean;
+    isAgent(): boolean;
+    isAdmin(): boolean;
+    /** Token expiry as Date, or null if no exp claim. */
+    get expiresAt(): Date | null;
+}
+
+export { AgentContext as A, type DirxTokenPayload as D, type JwksClientOptions as J, JwksClient as a };

package/dist/context-C7RRNS5U.d.ts

@@ -0,0 +1,59 @@
+import { JWTPayload } from 'jose';
+
+/**
+ * JWKS client — fetches and caches the DirX gateway's public key set.
+ *
+ * Uses the `jose` library for JWK parsing and JWT verification.
+ * Keys are cached in memory with a configurable TTL (default 5 min).
+ */
+
+interface JwksClientOptions {
+    /** JWKS endpoint URL. Default: https://api.dirx.ai/.well-known/jwks.json */
+    jwksUrl?: string;
+    /** Expected JWT issuer. Default: https://api.dirx.ai */
+    issuer?: string;
+    /** Expected JWT audience. Default: dirx */
+    audience?: string;
+}
+interface DirxTokenPayload extends JWTPayload {
+    sub: string;
+    svc?: string;
+    roles?: string[];
+    org_id?: string;
+    team_id?: string;
+}
+declare class JwksClient {
+    private readonly jwks;
+    private readonly issuer;
+    private readonly audience;
+    constructor(options?: JwksClientOptions);
+    /**
+     * Verify a JWT token against the JWKS endpoint.
+     * Returns the decoded payload on success, throws DirxError on failure.
+     */
+    verify(token: string): Promise<DirxTokenPayload>;
+}
+
+/**
+ * AgentContext — request-scoped context extracted from a verified JWT.
+ *
+ * Provides typed access to the agent identity, roles, and org/team scope.
+ * Created by the Guard middleware and attached to the request.
+ */
+
+declare class AgentContext {
+    readonly sub: string;
+    readonly svc: string;
+    readonly roles: readonly string[];
+    readonly orgId: string | undefined;
+    readonly teamId: string | undefined;
+    readonly raw: DirxTokenPayload;
+    constructor(payload: DirxTokenPayload);
+    hasRole(role: string): boolean;
+    isAgent(): boolean;
+    isAdmin(): boolean;
+    /** Token expiry as Date, or null if no exp claim. */
+    get expiresAt(): Date | null;
+}
+
+export { AgentContext as A, type DirxTokenPayload as D, type JwksClientOptions as J, JwksClient as a };

package/dist/index.cjs

@@ -0,0 +1,228 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AgentContext: () => AgentContext,
+  DirxError: () => DirxError,
+  DirxErrorCode: () => DirxErrorCode,
+  Guard: () => Guard,
+  JwksClient: () => JwksClient,
+  createGuard: () => createGuard
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/auth/jwks.ts
+var import_jose = require("jose");
+
+// src/errors.ts
+var DirxErrorCode = {
+  UNAUTHORIZED: "UNAUTHORIZED",
+  FORBIDDEN: "FORBIDDEN",
+  NOT_FOUND: "NOT_FOUND",
+  BAD_REQUEST: "BAD_REQUEST",
+  RATE_LIMITED: "RATE_LIMITED",
+  UPSTREAM_ERROR: "UPSTREAM_ERROR",
+  INTERNAL: "INTERNAL",
+  TOKEN_EXPIRED: "TOKEN_EXPIRED",
+  TOKEN_INVALID: "TOKEN_INVALID",
+  JWKS_FETCH_FAILED: "JWKS_FETCH_FAILED"
+};
+var HTTP_STATUS = {
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403,
+  NOT_FOUND: 404,
+  BAD_REQUEST: 400,
+  RATE_LIMITED: 429,
+  UPSTREAM_ERROR: 502,
+  INTERNAL: 500,
+  TOKEN_EXPIRED: 401,
+  TOKEN_INVALID: 401,
+  JWKS_FETCH_FAILED: 502
+};
+var DirxError = class extends Error {
+  code;
+  statusCode;
+  constructor(code, message) {
+    super(message);
+    this.name = "DirxError";
+    this.code = code;
+    this.statusCode = HTTP_STATUS[code];
+  }
+  toJSON() {
+    return {
+      code: this.code,
+      message: this.message,
+      statusCode: this.statusCode
+    };
+  }
+};
+
+// src/auth/jwks.ts
+var JwksClient = class {
+  jwks;
+  issuer;
+  audience;
+  constructor(options) {
+    const jwksUrl = options?.jwksUrl ?? "https://api.dirx.ai/.well-known/jwks.json";
+    this.issuer = options?.issuer ?? "https://api.dirx.ai";
+    this.audience = options?.audience ?? "dirx";
+    this.jwks = (0, import_jose.createRemoteJWKSet)(new URL(jwksUrl));
+  }
+  /**
+   * Verify a JWT token against the JWKS endpoint.
+   * Returns the decoded payload on success, throws DirxError on failure.
+   */
+  async verify(token) {
+    try {
+      const { payload } = await (0, import_jose.jwtVerify)(token, this.jwks, {
+        issuer: this.issuer,
+        audience: this.audience
+      });
+      return payload;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      if (message.includes("expired")) {
+        throw new DirxError(
+          DirxErrorCode.TOKEN_EXPIRED,
+          "Token has expired"
+        );
+      }
+      throw new DirxError(
+        DirxErrorCode.TOKEN_INVALID,
+        `Token verification failed: ${message}`
+      );
+    }
+  }
+};
+
+// src/auth/context.ts
+var AgentContext = class {
+  sub;
+  svc;
+  roles;
+  orgId;
+  teamId;
+  raw;
+  constructor(payload) {
+    this.sub = payload.sub;
+    this.svc = payload.svc ?? "unknown";
+    this.roles = Object.freeze(payload.roles ?? []);
+    this.orgId = payload.org_id;
+    this.teamId = payload.team_id;
+    this.raw = payload;
+  }
+  hasRole(role) {
+    return this.roles.includes(role);
+  }
+  isAgent() {
+    return this.hasRole("agent");
+  }
+  isAdmin() {
+    return this.hasRole("admin");
+  }
+  /** Token expiry as Date, or null if no exp claim. */
+  get expiresAt() {
+    return this.raw.exp ? new Date(this.raw.exp * 1e3) : null;
+  }
+};
+
+// src/middleware/guard.ts
+var Guard = class {
+  client;
+  required;
+  constructor(options) {
+    this.client = new JwksClient(options);
+    this.required = options?.required !== false;
+  }
+  /**
+   * Authenticate a raw Bearer token string.
+   * Returns AgentContext on success.
+   */
+  async authenticate(token) {
+    const payload = await this.client.verify(token);
+    return new AgentContext(payload);
+  }
+  /**
+   * Extract Bearer token from an Authorization header value.
+   * Returns null if not present or malformed.
+   */
+  extractToken(authHeader) {
+    if (!authHeader) return null;
+    const parts = authHeader.split(" ");
+    if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
+      return null;
+    }
+    return parts[1];
+  }
+  /**
+   * Full flow: extract token from header → verify → return AgentContext.
+   * Throws DirxError if required and no/invalid token.
+   */
+  async fromHeader(authHeader) {
+    const token = this.extractToken(authHeader);
+    if (!token) {
+      if (this.required) {
+        throw new DirxError(
+          DirxErrorCode.UNAUTHORIZED,
+          "Missing or malformed Authorization header"
+        );
+      }
+      return null;
+    }
+    return this.authenticate(token);
+  }
+  /**
+   * Express/Connect-style middleware factory.
+   * Attaches `req.agent` (AgentContext) on success.
+   */
+  express() {
+    return async (req, res, next) => {
+      try {
+        const ctx = await this.fromHeader(req.headers.authorization);
+        if (ctx) {
+          req.agent = ctx;
+        }
+        next();
+      } catch (err) {
+        if (err instanceof DirxError) {
+          res.status(err.statusCode).json({
+            ok: false,
+            error: { code: err.code, message: err.message }
+          });
+          return;
+        }
+        next(err);
+      }
+    };
+  }
+};
+function createGuard(options) {
+  return new Guard(options);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AgentContext,
+  DirxError,
+  DirxErrorCode,
+  Guard,
+  JwksClient,
+  createGuard
+});

package/dist/index.d.cts

@@ -0,0 +1,90 @@
+import { J as JwksClientOptions, A as AgentContext } from './context-C7RRNS5U.cjs';
+export { D as DirxTokenPayload, a as JwksClient } from './context-C7RRNS5U.cjs';
+import 'jose';
+
+/**
+ * Guard middleware — extracts and verifies Bearer tokens from incoming requests.
+ *
+ * Framework-agnostic: works with any Node.js HTTP framework that provides
+ * standard Request/Response objects (Express, Hono, Fastify, etc.).
+ *
+ * Usage:
+ *   import { createGuard } from "@dirxai/core";
+ *   const guard = createGuard({ jwksUrl: "..." });
+ *
+ *   // Express
+ *   app.use(guard.express());
+ *
+ *   // Generic (any framework)
+ *   const ctx = await guard.authenticate(bearerToken);
+ */
+
+interface GuardOptions extends JwksClientOptions {
+    /** If true, requests without a token are rejected. Default: true */
+    required?: boolean;
+}
+declare class Guard {
+    private readonly client;
+    private readonly required;
+    constructor(options?: GuardOptions);
+    /**
+     * Authenticate a raw Bearer token string.
+     * Returns AgentContext on success.
+     */
+    authenticate(token: string): Promise<AgentContext>;
+    /**
+     * Extract Bearer token from an Authorization header value.
+     * Returns null if not present or malformed.
+     */
+    extractToken(authHeader: string | null | undefined): string | null;
+    /**
+     * Full flow: extract token from header → verify → return AgentContext.
+     * Throws DirxError if required and no/invalid token.
+     */
+    fromHeader(authHeader: string | null | undefined): Promise<AgentContext | null>;
+    /**
+     * Express/Connect-style middleware factory.
+     * Attaches `req.agent` (AgentContext) on success.
+     */
+    express(): (req: {
+        headers: Record<string, string | undefined>;
+        agent?: AgentContext;
+    }, res: {
+        status: (code: number) => {
+            json: (body: unknown) => void;
+        };
+    }, next: (err?: unknown) => void) => Promise<void>;
+}
+declare function createGuard(options?: GuardOptions): Guard;
+
+/**
+ * DirX error codes and typed error class.
+ *
+ * Mirrors the server-side DirxEnvelope error model so SDK consumers
+ * can handle errors uniformly across CLI, SDK, and server.
+ */
+declare const DirxErrorCode: {
+    readonly UNAUTHORIZED: "UNAUTHORIZED";
+    readonly FORBIDDEN: "FORBIDDEN";
+    readonly NOT_FOUND: "NOT_FOUND";
+    readonly BAD_REQUEST: "BAD_REQUEST";
+    readonly RATE_LIMITED: "RATE_LIMITED";
+    readonly UPSTREAM_ERROR: "UPSTREAM_ERROR";
+    readonly INTERNAL: "INTERNAL";
+    readonly TOKEN_EXPIRED: "TOKEN_EXPIRED";
+    readonly TOKEN_INVALID: "TOKEN_INVALID";
+    readonly JWKS_FETCH_FAILED: "JWKS_FETCH_FAILED";
+};
+type DirxErrorCode = (typeof DirxErrorCode)[keyof typeof DirxErrorCode];
+declare class DirxError extends Error {
+    readonly code: DirxErrorCode;
+    readonly statusCode: number;
+    constructor(code: DirxErrorCode, message: string);
+    toJSON(): {
+        code: DirxErrorCode;
+        message: string;
+        statusCode: number;
+    };
+}
+
+export { AgentContext, DirxError, DirxErrorCode, Guard, type GuardOptions, JwksClientOptions, createGuard };

package/dist/index.d.ts

@@ -0,0 +1,90 @@
+import { J as JwksClientOptions, A as AgentContext } from './context-C7RRNS5U.js';
+export { D as DirxTokenPayload, a as JwksClient } from './context-C7RRNS5U.js';
+import 'jose';
+
+/**
+ * Guard middleware — extracts and verifies Bearer tokens from incoming requests.
+ *
+ * Framework-agnostic: works with any Node.js HTTP framework that provides
+ * standard Request/Response objects (Express, Hono, Fastify, etc.).
+ *
+ * Usage:
+ *   import { createGuard } from "@dirxai/core";
+ *   const guard = createGuard({ jwksUrl: "..." });
+ *
+ *   // Express
+ *   app.use(guard.express());
+ *
+ *   // Generic (any framework)
+ *   const ctx = await guard.authenticate(bearerToken);
+ */
+
+interface GuardOptions extends JwksClientOptions {
+    /** If true, requests without a token are rejected. Default: true */
+    required?: boolean;
+}
+declare class Guard {
+    private readonly client;
+    private readonly required;
+    constructor(options?: GuardOptions);
+    /**
+     * Authenticate a raw Bearer token string.
+     * Returns AgentContext on success.
+     */
+    authenticate(token: string): Promise<AgentContext>;
+    /**
+     * Extract Bearer token from an Authorization header value.
+     * Returns null if not present or malformed.
+     */
+    extractToken(authHeader: string | null | undefined): string | null;
+    /**
+     * Full flow: extract token from header → verify → return AgentContext.
+     * Throws DirxError if required and no/invalid token.
+     */
+    fromHeader(authHeader: string | null | undefined): Promise<AgentContext | null>;
+    /**
+     * Express/Connect-style middleware factory.
+     * Attaches `req.agent` (AgentContext) on success.
+     */
+    express(): (req: {
+        headers: Record<string, string | undefined>;
+        agent?: AgentContext;
+    }, res: {
+        status: (code: number) => {
+            json: (body: unknown) => void;
+        };
+    }, next: (err?: unknown) => void) => Promise<void>;
+}
+declare function createGuard(options?: GuardOptions): Guard;
+
+/**
+ * DirX error codes and typed error class.
+ *
+ * Mirrors the server-side DirxEnvelope error model so SDK consumers
+ * can handle errors uniformly across CLI, SDK, and server.
+ */
+declare const DirxErrorCode: {
+    readonly UNAUTHORIZED: "UNAUTHORIZED";
+    readonly FORBIDDEN: "FORBIDDEN";
+    readonly NOT_FOUND: "NOT_FOUND";
+    readonly BAD_REQUEST: "BAD_REQUEST";
+    readonly RATE_LIMITED: "RATE_LIMITED";
+    readonly UPSTREAM_ERROR: "UPSTREAM_ERROR";
+    readonly INTERNAL: "INTERNAL";
+    readonly TOKEN_EXPIRED: "TOKEN_EXPIRED";
+    readonly TOKEN_INVALID: "TOKEN_INVALID";
+    readonly JWKS_FETCH_FAILED: "JWKS_FETCH_FAILED";
+};
+type DirxErrorCode = (typeof DirxErrorCode)[keyof typeof DirxErrorCode];
+declare class DirxError extends Error {
+    readonly code: DirxErrorCode;
+    readonly statusCode: number;
+    constructor(code: DirxErrorCode, message: string);
+    toJSON(): {
+        code: DirxErrorCode;
+        message: string;
+        statusCode: number;
+    };
+}
+
+export { AgentContext, DirxError, DirxErrorCode, Guard, type GuardOptions, JwksClientOptions, createGuard };

package/dist/index.js

@@ -0,0 +1,169 @@
+import {
+  AgentContext
+} from "./chunk-5BEMU43U.js";
+
+// src/auth/jwks.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+
+// src/errors.ts
+var DirxErrorCode = {
+  UNAUTHORIZED: "UNAUTHORIZED",
+  FORBIDDEN: "FORBIDDEN",
+  NOT_FOUND: "NOT_FOUND",
+  BAD_REQUEST: "BAD_REQUEST",
+  RATE_LIMITED: "RATE_LIMITED",
+  UPSTREAM_ERROR: "UPSTREAM_ERROR",
+  INTERNAL: "INTERNAL",
+  TOKEN_EXPIRED: "TOKEN_EXPIRED",
+  TOKEN_INVALID: "TOKEN_INVALID",
+  JWKS_FETCH_FAILED: "JWKS_FETCH_FAILED"
+};
+var HTTP_STATUS = {
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403,
+  NOT_FOUND: 404,
+  BAD_REQUEST: 400,
+  RATE_LIMITED: 429,
+  UPSTREAM_ERROR: 502,
+  INTERNAL: 500,
+  TOKEN_EXPIRED: 401,
+  TOKEN_INVALID: 401,
+  JWKS_FETCH_FAILED: 502
+};
+var DirxError = class extends Error {
+  code;
+  statusCode;
+  constructor(code, message) {
+    super(message);
+    this.name = "DirxError";
+    this.code = code;
+    this.statusCode = HTTP_STATUS[code];
+  }
+  toJSON() {
+    return {
+      code: this.code,
+      message: this.message,
+      statusCode: this.statusCode
+    };
+  }
+};
+
+// src/auth/jwks.ts
+var JwksClient = class {
+  jwks;
+  issuer;
+  audience;
+  constructor(options) {
+    const jwksUrl = options?.jwksUrl ?? "https://api.dirx.ai/.well-known/jwks.json";
+    this.issuer = options?.issuer ?? "https://api.dirx.ai";
+    this.audience = options?.audience ?? "dirx";
+    this.jwks = createRemoteJWKSet(new URL(jwksUrl));
+  }
+  /**
+   * Verify a JWT token against the JWKS endpoint.
+   * Returns the decoded payload on success, throws DirxError on failure.
+   */
+  async verify(token) {
+    try {
+      const { payload } = await jwtVerify(token, this.jwks, {
+        issuer: this.issuer,
+        audience: this.audience
+      });
+      return payload;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      if (message.includes("expired")) {
+        throw new DirxError(
+          DirxErrorCode.TOKEN_EXPIRED,
+          "Token has expired"
+        );
+      }
+      throw new DirxError(
+        DirxErrorCode.TOKEN_INVALID,
+        `Token verification failed: ${message}`
+      );
+    }
+  }
+};
+
+// src/middleware/guard.ts
+var Guard = class {
+  client;
+  required;
+  constructor(options) {
+    this.client = new JwksClient(options);
+    this.required = options?.required !== false;
+  }
+  /**
+   * Authenticate a raw Bearer token string.
+   * Returns AgentContext on success.
+   */
+  async authenticate(token) {
+    const payload = await this.client.verify(token);
+    return new AgentContext(payload);
+  }
+  /**
+   * Extract Bearer token from an Authorization header value.
+   * Returns null if not present or malformed.
+   */
+  extractToken(authHeader) {
+    if (!authHeader) return null;
+    const parts = authHeader.split(" ");
+    if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
+      return null;
+    }
+    return parts[1];
+  }
+  /**
+   * Full flow: extract token from header → verify → return AgentContext.
+   * Throws DirxError if required and no/invalid token.
+   */
+  async fromHeader(authHeader) {
+    const token = this.extractToken(authHeader);
+    if (!token) {
+      if (this.required) {
+        throw new DirxError(
+          DirxErrorCode.UNAUTHORIZED,
+          "Missing or malformed Authorization header"
+        );
+      }
+      return null;
+    }
+    return this.authenticate(token);
+  }
+  /**
+   * Express/Connect-style middleware factory.
+   * Attaches `req.agent` (AgentContext) on success.
+   */
+  express() {
+    return async (req, res, next) => {
+      try {
+        const ctx = await this.fromHeader(req.headers.authorization);
+        if (ctx) {
+          req.agent = ctx;
+        }
+        next();
+      } catch (err) {
+        if (err instanceof DirxError) {
+          res.status(err.statusCode).json({
+            ok: false,
+            error: { code: err.code, message: err.message }
+          });
+          return;
+        }
+        next(err);
+      }
+    };
+  }
+};
+function createGuard(options) {
+  return new Guard(options);
+}
+export {
+  AgentContext,
+  DirxError,
+  DirxErrorCode,
+  Guard,
+  JwksClient,
+  createGuard
+};

package/dist/testing.cjs

@@ -0,0 +1,79 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/testing.ts
+var testing_exports = {};
+__export(testing_exports, {
+  AgentContext: () => AgentContext,
+  createMockAgent: () => createMockAgent
+});
+module.exports = __toCommonJS(testing_exports);
+
+// src/auth/context.ts
+var AgentContext = class {
+  sub;
+  svc;
+  roles;
+  orgId;
+  teamId;
+  raw;
+  constructor(payload) {
+    this.sub = payload.sub;
+    this.svc = payload.svc ?? "unknown";
+    this.roles = Object.freeze(payload.roles ?? []);
+    this.orgId = payload.org_id;
+    this.teamId = payload.team_id;
+    this.raw = payload;
+  }
+  hasRole(role) {
+    return this.roles.includes(role);
+  }
+  isAgent() {
+    return this.hasRole("agent");
+  }
+  isAdmin() {
+    return this.hasRole("admin");
+  }
+  /** Token expiry as Date, or null if no exp claim. */
+  get expiresAt() {
+    return this.raw.exp ? new Date(this.raw.exp * 1e3) : null;
+  }
+};
+
+// src/testing.ts
+function createMockAgent(options) {
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    sub: options?.sub ?? "test-agent",
+    svc: options?.svc ?? "test",
+    roles: options?.roles ?? ["agent"],
+    org_id: options?.orgId,
+    team_id: options?.teamId,
+    iat: now,
+    exp: now + (options?.expiresInSeconds ?? 3600),
+    iss: "https://api.dirx.ai",
+    aud: "dirx"
+  };
+  return new AgentContext(payload);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AgentContext,
+  createMockAgent
+});

package/dist/testing.d.cts

@@ -0,0 +1,26 @@
+import { A as AgentContext } from './context-C7RRNS5U.cjs';
+export { D as DirxTokenPayload } from './context-C7RRNS5U.cjs';
+import 'jose';
+
+/**
+ * @dirxai/core/testing — Test utilities for DirX SDK consumers.
+ *
+ * Provides helpers to create mock AgentContext and tokens for unit tests
+ * without requiring a real JWKS endpoint.
+ */
+
+interface MockAgentOptions {
+    sub?: string;
+    svc?: string;
+    roles?: string[];
+    orgId?: string;
+    teamId?: string;
+    expiresInSeconds?: number;
+}
+/**
+ * Create a mock AgentContext for testing.
+ * No real JWT or JWKS involved — purely in-memory.
+ */
+declare function createMockAgent(options?: MockAgentOptions): AgentContext;
+
+export { AgentContext, type MockAgentOptions, createMockAgent };

package/dist/testing.d.ts

@@ -0,0 +1,26 @@
+import { A as AgentContext } from './context-C7RRNS5U.js';
+export { D as DirxTokenPayload } from './context-C7RRNS5U.js';
+import 'jose';
+
+/**
+ * @dirxai/core/testing — Test utilities for DirX SDK consumers.
+ *
+ * Provides helpers to create mock AgentContext and tokens for unit tests
+ * without requiring a real JWKS endpoint.
+ */
+
+interface MockAgentOptions {
+    sub?: string;
+    svc?: string;
+    roles?: string[];
+    orgId?: string;
+    teamId?: string;
+    expiresInSeconds?: number;
+}
+/**
+ * Create a mock AgentContext for testing.
+ * No real JWT or JWKS involved — purely in-memory.
+ */
+declare function createMockAgent(options?: MockAgentOptions): AgentContext;
+
+export { AgentContext, type MockAgentOptions, createMockAgent };

package/dist/testing.js

@@ -0,0 +1,24 @@
+import {
+  AgentContext
+} from "./chunk-5BEMU43U.js";
+
+// src/testing.ts
+function createMockAgent(options) {
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    sub: options?.sub ?? "test-agent",
+    svc: options?.svc ?? "test",
+    roles: options?.roles ?? ["agent"],
+    org_id: options?.orgId,
+    team_id: options?.teamId,
+    iat: now,
+    exp: now + (options?.expiresInSeconds ?? 3600),
+    iss: "https://api.dirx.ai",
+    aud: "dirx"
+  };
+  return new AgentContext(payload);
+}
+export {
+  AgentContext,
+  createMockAgent
+};

package/package.json

@@ -0,0 +1,53 @@
+{
+    "name": "@dirxai/core",
+    "version": "0.3.0",
+    "description": "DirX server-side SDK — Guard middleware, JWKS auth, AgentContext, error codes",
+    "license": "MIT",
+    "type": "module",
+    "main": "./dist/index.cjs",
+    "module": "./dist/index.js",
+    "types": "./dist/index.d.ts",
+    "exports": {
+        ".": {
+            "types": "./dist/index.d.ts",
+            "import": "./dist/index.js",
+            "require": "./dist/index.cjs"
+        },
+        "./testing": {
+            "types": "./dist/testing.d.ts",
+            "import": "./dist/testing.js",
+            "require": "./dist/testing.cjs"
+        }
+    },
+    "scripts": {
+        "build": "tsup",
+        "dev": "tsup --watch"
+    },
+    "dependencies": {
+        "jose": "^6.1.3"
+    },
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/dirxai/dirx.git",
+        "directory": "packages/core"
+    },
+    "homepage": "https://dirx.ai",
+    "keywords": [
+        "dirx",
+        "agent",
+        "sdk",
+        "gateway",
+        "guard",
+        "jwks",
+        "jwt"
+    ],
+    "publishConfig": {
+        "access": "public"
+    },
+    "files": [
+        "dist"
+    ],
+    "engines": {
+        "node": ">=18"
+    }
+}