npm - @economic/agents - Versions diffs - 1.2.1 → 1.3.0 - Mend

@economic/agents 1.2.1 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { Agent as Agent$1, AgentOptions, Connection, ConnectionContext } from "agents";
 import { AIChatAgent, OnChatMessageOptions } from "@cloudflare/ai-chat";
 import { LanguageModel, StreamTextOnFinishCallback, ToolSet, UIMessage, generateText, streamText } from "ai";
+import { JWTPayload } from "jose";
 //#region src/server/types.d.ts
 /**
@@ -14,8 +15,9 @@ import { LanguageModel, StreamTextOnFinishCallback, ToolSet, UIMessage, generate
  * type MyContext = AgentToolContext<MyBody>;
  * ```
  */
-type AgentToolContext<TBody = Record<string, unknown>> = TBody & {
+type AgentToolContext<TBody = Record<string, unknown>, TSession = Record<string, unknown> | undefined> = TBody & {
   logEvent: (message: string, payload?: Record<string, unknown>) => void | Promise<void>;
+  session?: TSession;
 };
 interface AgentEnv {
   AGENT_DB: D1Database;
@@ -100,6 +102,21 @@ declare abstract class Agent<Env extends Cloudflare.Env = Cloudflare.Env> extend
   }): Promise<LLMParams>;
 }
 //#endregion
+//#region src/server/features/auth/index.d.ts
+interface JwtAuthConfig<TClaims extends Record<string, unknown> = Record<string, unknown>> {
+  /** Issuers whose tokens are accepted (exact string or RegExp). */
+  allowedIssuers: readonly (string | RegExp)[];
+  /** Expected `aud` claim. */
+  audience: string;
+  /** Required OAuth scopes; token `scope` must include all (empty = no scope check). */
+  requiredScopes?: readonly string[];
+  /**
+   * Extract the claims you need from the verified JWT payload.
+   * These will be stored and made available in the agent's tool context.
+   */
+  getClaims: (payload: JWTPayload) => TClaims;
+}
+//#endregion
 //#region src/server/agents/ChatAgent.d.ts
 /**
  * Chat agent for Cloudflare Agents SDK: lazy skill loading, audit logging,
@@ -148,6 +165,19 @@ declare abstract class ChatAgent<Env extends Cloudflare.Env = Cloudflare.Env> ex
    * Default is 15.
    */
   protected maxMessagesBeforeCompaction?: number | undefined;
+  /**
+   * Verified session claims from JWT authentication.
+   * Set in `onConnect` when `getJwtAuthConfig` is implemented.
+   */
+  private session?;
+  /**
+   * Override to enable JWT authentication on WebSocket connections.
+   * Return the auth config based on the incoming request, or undefined to skip auth.
+   *
+   * @param request - The WebSocket upgrade request
+   * @returns JWT auth config or undefined to skip authentication
+   */
+  protected getJwtAuthConfig?(request: Request): JwtAuthConfig<Record<string, unknown>> | undefined;
   /**
    * Returns the user ID from the durable object name.
    */

package/dist/index.mjs CHANGED Viewed

@@ -1,6 +1,7 @@
 import { Agent as Agent$1, callable, routeAgentRequest as routeAgentRequest$1 } from "agents";
 import { AIChatAgent } from "@cloudflare/ai-chat";
 import { Output, convertToModelMessages, generateText, jsonSchema, stepCountIs, streamText, tool } from "ai";
+import { createRemoteJWKSet, decodeJwt, errors, jwtVerify } from "jose";
 //#region src/server/features/skills/index.ts
 const TOOL_NAME_ACTIVATE_SKILL = "activate_skill";
 const TOOL_NAME_LIST_CAPABILITIES = "list_capabilities";
@@ -652,6 +653,106 @@ function getDeleteConversationScheduleIds(schedules) {
 	return schedules.filter((schedule) => schedule.callback === DELETE_CONVERSATION_CALLBACK).map((schedule) => schedule.id);
 }
 //#endregion
+//#region src/server/features/auth/index.ts
+const jwksByIssuer = /* @__PURE__ */ new Map();
+function getJwksForIssuer(issuer) {
+	const normalized = issuer.replace(/\/$/, "");
+	let jwks = jwksByIssuer.get(normalized);
+	if (!jwks) {
+		jwks = createRemoteJWKSet(new URL(`${normalized}/.well-known/openid-configuration/jwks`));
+		jwksByIssuer.set(normalized, jwks);
+	}
+	return jwks;
+}
+function isIssuerAllowed(iss, allowed) {
+	return allowed.some((rule) => typeof rule === "string" ? rule === iss : rule.test(iss));
+}
+function extractTokenFromRequest(request) {
+	const authorization = request.headers.get("Authorization");
+	if (authorization) {
+		const match = authorization.match(/^Bearer\s+(.+)$/i);
+		if (match?.[1]) return match[1].trim();
+	}
+	const wsProtocol = request.headers.get("Sec-WebSocket-Protocol");
+	if (wsProtocol) {
+		const parts = wsProtocol.split(",").map((p) => p.trim());
+		const idx = parts.indexOf("bearer");
+		if (idx !== -1 && parts[idx + 1]) return parts[idx + 1];
+	}
+	return null;
+}
+function hasRequiredScopes(tokenScope, required) {
+	if (required.length === 0) return true;
+	if (tokenScope === void 0) return false;
+	const tokens = Array.isArray(tokenScope) ? tokenScope : tokenScope.split(" ").map((s) => s.trim()).filter(Boolean);
+	const granted = new Set(tokens);
+	return required.every((scope) => granted.has(scope));
+}
+/**
+* Verify a JWT from a request and extract claims.
+*
+* Extracts the token from `Authorization: Bearer` header first,
+* then falls back to `Sec-WebSocket-Protocol: bearer, <token>` for WebSocket connections.
+*
+* Expected auth failures (missing/expired token, insufficient scope) return a failure result.
+* Unexpected errors (network issues, malformed requests, untrusted issuers) throw and should
+* be caught and logged by the caller.
+*
+* @param request - The incoming request (from ConnectionContext)
+* @param config - JWT verification configuration
+* @returns Result object with either verified claims or expected auth failure
+* @throws Error for unexpected failures that should be logged
+*/
+async function verifyJwt(request, config) {
+	const token = extractTokenFromRequest(request);
+	if (!token) return {
+		success: false,
+		status: 401,
+		message: "Unauthorized: Missing authentication token"
+	};
+	let unverifiedPayload;
+	try {
+		unverifiedPayload = decodeJwt(token);
+	} catch {
+		throw new Error("Invalid token format");
+	}
+	const iss = typeof unverifiedPayload.iss === "string" ? unverifiedPayload.iss : void 0;
+	if (!iss) throw new Error("Missing issuer claim in token");
+	if (!isIssuerAllowed(iss, config.allowedIssuers)) throw new Error(`Untrusted issuer: ${iss}`);
+	const jwks = getJwksForIssuer(iss);
+	let payload;
+	try {
+		payload = (await jwtVerify(token, jwks, {
+			issuer: iss,
+			audience: config.audience
+		})).payload;
+	} catch (error) {
+		if (error instanceof errors.JWTExpired) return {
+			success: false,
+			status: 401,
+			message: "Unauthorized: Token expired"
+		};
+		if (error instanceof errors.JWTClaimValidationFailed) return {
+			success: false,
+			status: 401,
+			message: "Unauthorized: Token claim validation failed"
+		};
+		if (error instanceof errors.JWSSignatureVerificationFailed || error instanceof errors.JWKSNoMatchingKey) throw new Error("Invalid token signature");
+		throw error;
+	}
+	const requiredScopes = config.requiredScopes ?? [];
+	const scopeClaim = payload.scope;
+	if (!hasRequiredScopes(scopeClaim, requiredScopes)) return {
+		success: false,
+		status: 403,
+		message: "Forbidden: Insufficient scope"
+	};
+	return {
+		success: true,
+		claims: config.getClaims(payload)
+	};
+}
+//#endregion
 //#region src/server/agents/ChatAgent.ts
 /**
 * Chat agent for Cloudflare Agents SDK: lazy skill loading, audit logging,
@@ -680,6 +781,11 @@ var ChatAgent = class extends AIChatAgent {
 	*/
 	maxMessagesBeforeCompaction = 15;
 	/**
+	* Verified session claims from JWT authentication.
+	* Set in `onConnect` when `getJwtAuthConfig` is implemented.
+	*/
+	session;
+	/**
 	* Returns the user ID from the durable object name.
 	*/
 	getUserId() {
@@ -696,6 +802,24 @@ var ChatAgent = class extends AIChatAgent {
 			connection.close(3e3, "Could not connect to agent, name is not in correct format");
 			return;
 		}
+		if (this.getJwtAuthConfig) {
+			const config = this.getJwtAuthConfig(ctx.request);
+			if (config) {
+				let result;
+				try {
+					result = await verifyJwt(ctx.request, config);
+				} catch (error) {
+					console.error("[ChatAgent] JWT verification error", error);
+					connection.close(4001, "Unauthorized");
+					return;
+				}
+				if (!result.success) {
+					connection.close(result.status === 401 ? 4001 : 4003, result.message);
+					return;
+				}
+				this.session = result.claims;
+			}
+		}
 		return super.onConnect(connection, ctx);
 	}
 	/**
@@ -727,7 +851,9 @@ var ChatAgent = class extends AIChatAgent {
 	async buildLLMParams(config) {
 		const activeSkills = await getStoredSkills(this.sql.bind(this));
 		const experimental_context = {
+			...config.experimental_context,
 			...config.options?.body,
+			session: this.session,
 			logEvent: this.logEvent.bind(this)
 		};
 		const messages = await convertToModelMessages(this.messages);
@@ -872,7 +998,7 @@ var ChatAgentHarness = class extends ChatAgent {
 async function routeAgentRequest(request, env, options) {
 	const response = await routeAgentRequest$1(request, env, options);
 	if (!response) return null;
-	const protocol = request.headers.get("sec-websocket-protocol");
+	const protocol = request.headers.get("Sec-WebSocket-Protocol");
 	if (response.status === 101 && protocol) {
 		const newResponse = new Response(null, response);
 		newResponse.headers.set("Sec-WebSocket-Protocol", protocol.split(",")[0].trim());

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@economic/agents",
-  "version": "1.2.1",
+  "version": "1.3.0",
   "description": "A starter for creating a TypeScript package.",
   "license": "MIT",
   "bin": {
@@ -16,7 +16,6 @@
   "exports": {
     ".": "./dist/index.mjs",
     "./cli": "./dist/cli.mjs",
-    "./hono": "./dist/hono.mjs",
     "./package.json": "./package.json"
   },
   "scripts": {
@@ -35,7 +34,6 @@
     "@types/node": "^25.6.0",
     "@typescript/native-preview": "7.0.0-dev.20260412.1",
     "ai": "^6.0.158",
-    "hono": "^4.12.12",
     "jose": "^6.2.2",
     "tsdown": "^0.21.7",
     "typescript": "^6.0.2",
@@ -45,13 +43,9 @@
     "@cloudflare/ai-chat": ">=0.1.0 <1.0.0",
     "agents": "^0.10.2",
     "ai": "^6.0.0",
-    "hono": "^4.0.0",
     "jose": "^6.0.0"
   },
   "peerDependenciesMeta": {
-    "hono": {
-      "optional": true
-    },
     "jose": {
       "optional": true
     }

package/dist/hono.d.mts DELETED Viewed

@@ -1,28 +0,0 @@
-import { Context, MiddlewareHandler } from "hono";
-//#region src/hono/jwt-auth.d.ts
-interface JwtAuthConfig {
-  /** Issuers whose tokens are accepted (exact string or RegExp). */
-  allowedIssuers: readonly (string | RegExp)[];
-  /** Expected `aud` claim. */
-  audience: string;
-  /** Required OAuth scopes; token `scope` must include all (empty = no scope check). */
-  requiredScopes?: readonly string[];
-  /**
-   * Custom token extraction function.
-   * If provided, replaces the default extraction entirely.
-   * Default checks Authorization header, then Sec-WebSocket-Protocol.
-   */
-  getToken?: (c: Context) => string | null | Promise<string | null>;
-}
-/**
- * Hono middleware: verify JWT via JWKS derived from the token `iss` claim,
- * after `iss` passes `allowedIssuers`.
- *
- * By default, reads the token from `Authorization: Bearer` header first,
- * then falls back to `Sec-WebSocket-Protocol: bearer, <token>` for WebSocket connections.
- * Provide a custom `getToken` function to replace this behavior entirely.
- */
-declare function jwtAuth(config: JwtAuthConfig): MiddlewareHandler;
-//#endregion
-export { type JwtAuthConfig, jwtAuth };

package/dist/hono.mjs DELETED Viewed

@@ -1,86 +0,0 @@
-import { createRemoteJWKSet, decodeJwt, errors, jwtVerify } from "jose";
-//#region src/hono/jwt-auth.ts
-const jwksByIssuer = /* @__PURE__ */ new Map();
-function getJwksForIssuer(issuer) {
-	const normalized = issuer.replace(/\/$/, "");
-	let jwks = jwksByIssuer.get(normalized);
-	if (!jwks) {
-		const jwksUrl = new URL(`${normalized}/.well-known/openid-configuration/jwks`);
-		console.log("jwksUrl", jwksUrl);
-		jwks = createRemoteJWKSet(jwksUrl);
-		jwksByIssuer.set(normalized, jwks);
-	}
-	return jwks;
-}
-function isIssuerAllowed(iss, allowed) {
-	return allowed.some((rule) => typeof rule === "string" ? rule === iss : rule.test(iss));
-}
-function bearerTokenFromAuthorizationHeader(authorization) {
-	if (!authorization) return null;
-	return authorization.match(/^Bearer\s+(.+)$/i)?.[1]?.trim() ?? null;
-}
-function tokenFromWebSocketProtocol(header) {
-	if (!header) return null;
-	const parts = header.split(",").map((p) => p.trim());
-	const idx = parts.indexOf("bearer");
-	return idx !== -1 && parts[idx + 1] ? parts[idx + 1] : null;
-}
-function defaultGetToken(c) {
-	const authToken = bearerTokenFromAuthorizationHeader(c.req.header("Authorization"));
-	if (authToken) return authToken;
-	return tokenFromWebSocketProtocol(c.req.header("Sec-WebSocket-Protocol"));
-}
-function hasRequiredScopes(tokenScope, required) {
-	if (required.length === 0) return true;
-	if (tokenScope === void 0) return false;
-	const tokens = Array.isArray(tokenScope) ? tokenScope : tokenScope.split(" ").map((s) => s.trim()).filter(Boolean);
-	const granted = new Set(tokens);
-	return required.every((scope) => granted.has(scope));
-}
-function authErrorResponse(status, message) {
-	return new Response(message, { status });
-}
-/**
-* Hono middleware: verify JWT via JWKS derived from the token `iss` claim,
-* after `iss` passes `allowedIssuers`.
-*
-* By default, reads the token from `Authorization: Bearer` header first,
-* then falls back to `Sec-WebSocket-Protocol: bearer, <token>` for WebSocket connections.
-* Provide a custom `getToken` function to replace this behavior entirely.
-*/
-function jwtAuth(config) {
-	const requiredScopes = config.requiredScopes ?? [];
-	const getToken = config.getToken ?? defaultGetToken;
-	return async (c, next) => {
-		const token = await getToken(c);
-		if (!token) return authErrorResponse(401, "Unauthorized: Missing authentication token");
-		let unverifiedPayload;
-		try {
-			unverifiedPayload = decodeJwt(token);
-		} catch {
-			return authErrorResponse(401, "Unauthorized: Invalid token");
-		}
-		const iss = typeof unverifiedPayload.iss === "string" ? unverifiedPayload.iss : void 0;
-		if (!iss) return authErrorResponse(401, "Unauthorized: Missing issuer claim");
-		if (!isIssuerAllowed(iss, config.allowedIssuers)) return authErrorResponse(401, "Unauthorized: Untrusted issuer");
-		const jwks = getJwksForIssuer(iss);
-		let payload;
-		try {
-			payload = (await jwtVerify(token, jwks, {
-				issuer: iss,
-				audience: config.audience
-			})).payload;
-		} catch (error) {
-			console.error("Authentication failed", error);
-			if (error instanceof errors.JWTExpired) return authErrorResponse(401, "Unauthorized: Token expired");
-			if (error instanceof errors.JWTClaimValidationFailed) return authErrorResponse(401, "Unauthorized: Token claim validation failed");
-			if (error instanceof errors.JWSSignatureVerificationFailed || error instanceof errors.JWKSNoMatchingKey) return authErrorResponse(401, "Unauthorized: Invalid token signature");
-			return authErrorResponse(401, "Authentication failed");
-		}
-		const scopeClaim = payload.scope;
-		if (!hasRequiredScopes(scopeClaim, requiredScopes)) return authErrorResponse(403, "Forbidden: Insufficient scope");
-		await next();
-	};
-}
-//#endregion
-export { jwtAuth };