@electric-ax/agents-server 0.4.0 → 0.4.1

package/src/entrypoint-lib.ts

@@ -1,8 +1,4 @@
 import { DurableStreamTestServer } from '@durable-streams/server'
-import {
-  createDevAssertedAuthenticateRequest,
-  devAssertedAuthOptionsFromEnv,
-} from './dev-asserted-auth.js'
 import { ElectricAgentsServer } from './server.js'
 import type { ElectricAgentsServerOptions } from './server.js'
 
@@ -144,12 +140,7 @@ export function resolveElectricAgentsEntrypointOptions(
   ])
   const electricSecret = readEnv(env, [`ELECTRIC_AGENTS_ELECTRIC_SECRET`])
   const baseUrl = readEnv(env, [`ELECTRIC_AGENTS_BASE_URL`, `BASE_URL`])
-  const authenticateRequest = createDevAssertedAuthenticateRequest(
-    devAssertedAuthOptionsFromEnv(env)
-  )
-
   return {
-    ...(authenticateRequest ? { authenticateRequest } : {}),
     service: readEnv(env, [`ELECTRIC_AGENTS_SERVICE`, `SERVICE`]),
     tenantId: readEnv(env, [`ELECTRIC_AGENTS_TENANT_ID`, `TENANT_ID`]),
     baseUrl: baseUrl ? validateUrl(`base URL`, baseUrl) : undefined,

package/src/host.ts

@@ -271,6 +271,8 @@ export class AgentsHost {
   private async startTenantRuntime(
     runtime: AgentsHostTenantRuntime
   ): Promise<void> {
+    await runtime.manager.ensurePrincipalEntityType()
+
     if (this.rehydrateTenantOnStart) {
       await runtime.rehydrateCronSchedules()
     }
@@ -303,6 +305,8 @@ export class AgentsHost {
       entityBridgeManager: this.entityProjector.forTenant(serviceId, registry),
     })
 
+    await runtime.manager.ensurePrincipalEntityType()
+
     return runtime
   }
 

package/src/index.ts

@@ -16,7 +16,6 @@ export type {
   SubscriptionStreamInfo,
 } from './stream-client.js'
 export type {
-  AuthenticatedRequestUser,
   AuthenticateRequest,
   ConsumerClaim,
   DispatchPolicy,
@@ -26,6 +25,7 @@ export type {
   EntityDispatchState,
   PublicWakeNotification,
   RegisterRunnerRequest,
+  RequestPrincipal,
   RunnerAdminStatus,
   RunnerHeartbeatRequest,
   RunnerKind,
@@ -33,6 +33,7 @@ export type {
   SourceStreamOffset,
   WakeNotificationRow,
 } from './electric-agents-types.js'
+export type { Principal, PrincipalKind } from './principal.js'
 export { globalRouter } from './routing/global-router.js'
 export type { GlobalRoutes } from './routing/global-router.js'
 export type { TenantContext } from './routing/context.js'

package/src/principal.ts

@@ -0,0 +1,124 @@
+import { Type } from '@sinclair/typebox'
+
+export type PrincipalKind = `user` | `agent` | `service` | `system`
+
+export interface Principal {
+  kind: PrincipalKind
+  id: string
+  key: string
+  url: string
+}
+
+export const ELECTRIC_PRINCIPAL_HEADER = `electric-principal`
+
+const PRINCIPAL_KINDS = new Set<PrincipalKind>([
+  `user`,
+  `agent`,
+  `service`,
+  `system`,
+])
+
+export function parsePrincipalKey(input: string): Principal {
+  const colon = input.indexOf(`:`)
+  if (colon <= 0) throw new Error(`Invalid principal key`)
+  const kind = input.slice(0, colon) as PrincipalKind
+  const id = input.slice(colon + 1)
+  if (!PRINCIPAL_KINDS.has(kind)) throw new Error(`Invalid principal kind`)
+  if (!id || id.includes(`/`)) throw new Error(`Invalid principal id`)
+  const key = `${kind}:${id}`
+  return { kind, id, key, url: `/principal/${encodeURIComponent(key)}` }
+}
+
+export function principalUrl(key: string): string {
+  return parsePrincipalKey(key).url
+}
+
+export function principalKeyFromUrl(url: string): string | null {
+  if (!url.startsWith(`/principal/`)) return null
+  const segment = url.slice(`/principal/`.length)
+  if (!segment || segment.includes(`/`)) return null
+  try {
+    const key = decodeURIComponent(segment)
+    // Principal URLs produced by parsePrincipalKey/principalUrl are canonical
+    // encoded single path segments, but accept legacy unencoded single-segment
+    // URLs here so callers can canonicalize them via parsePrincipalKey(key).url.
+    return parsePrincipalKey(key).key
+  } catch {
+    return null
+  }
+}
+
+export function getPrincipalFromRequest(request: Request): Principal | null {
+  const value = request.headers.get(ELECTRIC_PRINCIPAL_HEADER)
+  return value ? parsePrincipalKey(value) : null
+}
+
+export function getDevPrincipal(): Principal {
+  return parsePrincipalKey(`system:dev-local`)
+}
+
+const BUILT_IN_SYSTEM_PRINCIPAL_IDS = new Set([
+  `framework`,
+  `auth-sync`,
+  `dev-local`,
+])
+
+export function isBuiltInSystemPrincipalUrl(url: string | undefined): boolean {
+  if (!url?.startsWith(`/principal/`)) return false
+  try {
+    const key = principalKeyFromUrl(url)
+    if (!key) return false
+    const principal = parsePrincipalKey(key)
+    return (
+      principal.kind === `system` &&
+      BUILT_IN_SYSTEM_PRINCIPAL_IDS.has(principal.id)
+    )
+  } catch {
+    return false
+  }
+}
+
+export function principalFromCreatedBy(
+  createdBy: string | undefined
+):
+  | { url: string; key?: string | null; kind?: string; id?: string }
+  | undefined {
+  if (!createdBy) return undefined
+  const key = principalKeyFromUrl(createdBy)
+  if (!key) return { url: createdBy, key: null }
+  const principal = parsePrincipalKey(key)
+  return {
+    url: principal.url,
+    key: principal.key,
+    kind: principal.kind,
+    id: principal.id,
+  }
+}
+
+export const principalIdentityStateSchema = Type.Object(
+  {
+    kind: Type.Union([
+      Type.Literal(`user`),
+      Type.Literal(`agent`),
+      Type.Literal(`service`),
+      Type.Literal(`system`),
+    ]),
+    id: Type.String(),
+    key: Type.String(),
+    url: Type.String(),
+    updated_at: Type.String(),
+    display_name: Type.Optional(Type.String()),
+    email: Type.Optional(Type.String()),
+    avatar_url: Type.Optional(Type.String()),
+    auth_provider: Type.Optional(Type.String()),
+    auth_subject: Type.Optional(Type.String()),
+    claims: Type.Optional(Type.Record(Type.String(), Type.Unknown())),
+    created_at: Type.Optional(Type.String()),
+  },
+  { additionalProperties: false }
+)
+
+export const principalUpdateIdentityMessageSchema = Type.Object(
+  { identity: principalIdentityStateSchema },
+  { additionalProperties: false }
+)

package/src/routing/context.ts

@@ -5,7 +5,7 @@ import type { EntityManager } from '../entity-manager.js'
 import type { ElectricAgentsTenantRuntime } from '../runtime.js'
 import type { StreamClient } from '../stream-client.js'
 import type { DurableStreamsRoutingAdapter } from './durable-streams-routing-adapter.js'
-import type { AuthenticatedRequestUser } from '../electric-agents-types.js'
+import type { Principal } from '../principal.js'
 import type { DurableStreamsBearerProvider } from '../stream-client.js'
 
 /**
@@ -16,7 +16,7 @@ import type { DurableStreamsBearerProvider } from '../stream-client.js'
  */
 export interface TenantContext {
   service: string
-  authenticatedUser?: AuthenticatedRequestUser
+  principal: Principal
   publicUrl: string
   localUrl?: string
   durableStreamsUrl: string

package/src/routing/dispatch-policy.ts

@@ -9,6 +9,7 @@ import {
 } from '../electric-agents-types.js'
 import { runnerWakeStream } from '../entity-registry.js'
 import { rewriteLoopbackWebhookUrl } from '../utils/webhook-url.js'
+import { serverLog } from '../utils/log.js'
 import type {
   DispatchPolicy,
   DispatchTarget,
@@ -81,7 +82,7 @@ export async function backfillEntityDispatchPolicy(
   )
 }
 
-function applyTypeDefaultSubscriptionScope(
+export function applyTypeDefaultSubscriptionScope(
   policy: DispatchPolicy,
   typeDefault: DispatchPolicy | undefined
 ): DispatchPolicy {
@@ -123,14 +124,7 @@ export async function assertDispatchPolicyAllowed(
       404
     )
   }
-  if (!ctx.authenticatedUser) {
-    throw new ElectricAgentsError(
-      ErrCodeUnauthorized,
-      `Authentication is required for runner-targeted dispatch`,
-      401
-    )
-  }
-  if (runner.owner_user_id !== ctx.authenticatedUser.userId) {
+  if (ctx.principal && runner.owner_user_id !== ctx.principal.key) {
     throw new ElectricAgentsError(
       ErrCodeUnauthorized,
       `Runner dispatch requires the authenticated owner`,
@@ -168,7 +162,13 @@ export async function unlinkEntityDispatchSubscription(
   )
   await ctx.streamClient
     .removeSubscriptionStream(subscriptionId, entity.streams.main)
-    .catch(() => {})
+    .catch((err) => {
+      serverLog.warn(
+        `[dispatch-policy] failed to remove stream from subscription`,
+        { subscriptionId, stream: entity.streams.main },
+        err
+      )
+    })
 }
 
 async function linkStreamToTargetSubscription(

package/src/routing/entities-router.ts

@@ -5,10 +5,12 @@
 import { Type, type Static } from '@sinclair/typebox'
 import { Router, json, status } from 'itty-router'
 import { apiError } from '../electric-agents-http.js'
+import { parsePrincipalKey, principalUrl } from '../principal.js'
 import { dispatchPolicySchema } from '../dispatch-policy-schema.js'
 import {
   ErrCodeNotFound,
   ErrCodeUnknownEntityType,
+  ErrCodeInvalidRequest,
   toPublicEntity,
 } from '../electric-agents-types.js'
 import {
@@ -86,11 +88,40 @@ const spawnBodySchema = Type.Object({
 })
 
 const sendBodySchema = Type.Object({
-  from: Type.Optional(Type.String()),
   payload: Type.Optional(Type.Unknown()),
   key: Type.Optional(Type.String()),
   type: Type.Optional(Type.String()),
+  mode: Type.Optional(
+    Type.Union([
+      Type.Literal(`immediate`),
+      Type.Literal(`queued`),
+      Type.Literal(`paused`),
+      Type.Literal(`steer`),
+    ])
+  ),
+  position: Type.Optional(Type.String()),
   afterMs: Type.Optional(Type.Number()),
+  from: Type.Optional(Type.String()),
+})
+
+const inboxMessageBodySchema = Type.Object({
+  payload: Type.Optional(Type.Unknown()),
+  position: Type.Optional(Type.String()),
+  mode: Type.Optional(
+    Type.Union([
+      Type.Literal(`immediate`),
+      Type.Literal(`queued`),
+      Type.Literal(`paused`),
+      Type.Literal(`steer`),
+    ])
+  ),
+  status: Type.Optional(
+    Type.Union([
+      Type.Literal(`pending`),
+      Type.Literal(`processed`),
+      Type.Literal(`cancelled`),
+    ])
+  ),
 })
 
 const forkBodySchema = Type.Object({
@@ -116,8 +147,8 @@ const scheduleBodySchema = Type.Union([
     payload: Type.Unknown(),
     targetUrl: Type.Optional(Type.String()),
     fireAt: Type.String(),
-    from: Type.Optional(Type.String()),
     messageType: Type.Optional(Type.String()),
+    from: Type.Optional(Type.String()),
   }),
 ])
 
@@ -127,6 +158,7 @@ const entitiesRegisterBodySchema = Type.Object({
 
 type SpawnBody = Static<typeof spawnBodySchema>
 type SendBody = Static<typeof sendBodySchema>
+type InboxMessageBody = Static<typeof inboxMessageBodySchema>
 type ForkBody = Static<typeof forkBodySchema>
 type SetTagBody = Static<typeof setTagBodySchema>
 type ScheduleBody = Static<typeof scheduleBodySchema>
@@ -161,6 +193,17 @@ entitiesRouter.post(
   withSchema(sendBodySchema),
   sendEntity
 )
+entitiesRouter.patch(
+  `/:type/:instanceId/inbox/:messageKey`,
+  withExistingEntity,
+  withSchema(inboxMessageBodySchema),
+  updateInboxMessage
+)
+entitiesRouter.delete(
+  `/:type/:instanceId/inbox/:messageKey`,
+  withExistingEntity,
+  deleteInboxMessage
+)
 entitiesRouter.post(
   `/:type/:instanceId/fork`,
   withExistingEntity,
@@ -198,6 +241,13 @@ function entityUrlFromSegments(
   if (type.startsWith(`_`) || type.includes(`*`) || instanceId.includes(`*`)) {
     return null
   }
+  if (type === `principal`) {
+    try {
+      return principalUrl(decodeURIComponent(instanceId))
+    } catch {
+      return null
+    }
+  }
   return `/${type}/${instanceId}`
 }
 
@@ -216,6 +266,20 @@ function requireExistingEntityRoute(
   return request.entityRoute
 }
 
+function rejectPrincipalEntityMutation(
+  request: AgentsRouteRequest,
+  action: string
+): Response | undefined {
+  const { entity } = requireExistingEntityRoute(request)
+  if (entity.type !== `principal`) return undefined
+
+  return apiError(
+    400,
+    ErrCodeInvalidRequest,
+    `Principal entities are built in and cannot be ${action}`
+  )
+}
+
 async function withExistingEntity(
   request: AgentsRouteRequest,
   ctx: TenantContext
@@ -231,6 +295,21 @@ async function withExistingEntity(
     const entityType = await ctx.entityManager.registry.getEntityType(
       request.params.type
     )
+    if (request.params.type === `principal`) {
+      try {
+        const materialized = await ctx.entityManager.ensurePrincipal(
+          parsePrincipalKey(decodeURIComponent(request.params.instanceId))
+        )
+        request.entityRoute = { entityUrl, entity: materialized }
+        return undefined
+      } catch (error) {
+        return apiError(
+          400,
+          ErrCodeInvalidRequest,
+          error instanceof Error ? error.message : `Invalid principal`
+        )
+      }
+    }
     if (entityType) {
       return apiError(404, ErrCodeNotFound, `Entity not found at ${entityUrl}`)
     }
@@ -253,6 +332,14 @@ async function withSpawnableEntityType(
     return undefined
   }
 
+  if (request.params.type === `principal`) {
+    return apiError(
+      400,
+      ErrCodeInvalidRequest,
+      `Principal entities are built in and cannot be spawned directly`
+    )
+  }
+
   const entityType = await ctx.entityManager.registry.getEntityType(
     request.params.type
   )
@@ -275,6 +362,7 @@ async function listEntities(
     type: firstQueryValue(query.type),
     status: firstQueryValue(query.status),
     parent: firstQueryValue(query.parent),
+    created_by: firstQueryValue(query.created_by),
   })
   return json(entities.map((entity) => toPublicEntity(entity)))
 }
@@ -294,6 +382,12 @@ async function upsertSchedule(
   request: AgentsRouteRequest,
   ctx: TenantContext
 ): Promise<Response> {
+  const principalMutationError = rejectPrincipalEntityMutation(
+    request,
+    `scheduled`
+  )
+  if (principalMutationError) return principalMutationError
+
   const parsed = routeBody<ScheduleBody>(request)
   const { entityUrl } = requireExistingEntityRoute(request)
   const scheduleId = decodeURIComponent(request.params.scheduleId)
@@ -311,12 +405,19 @@ async function upsertSchedule(
   }
 
   if (parsed.scheduleType === `future_send`) {
+    if (parsed.from !== undefined && parsed.from !== ctx.principal.url) {
+      return apiError(
+        400,
+        ErrCodeInvalidRequest,
+        `Request from must match Electric-Principal`
+      )
+    }
     const result = await ctx.entityManager.upsertFutureSendSchedule(entityUrl, {
       id: scheduleId,
       payload: parsed.payload,
       targetUrl: parsed.targetUrl,
       fireAt: parsed.fireAt,
-      from: parsed.from,
+      senderUrl: ctx.principal.url,
       messageType: parsed.messageType,
     })
     return json(result)
@@ -329,6 +430,12 @@ async function deleteSchedule(
   request: AgentsRouteRequest,
   ctx: TenantContext
 ): Promise<Response> {
+  const principalMutationError = rejectPrincipalEntityMutation(
+    request,
+    `unscheduled`
+  )
+  if (principalMutationError) return principalMutationError
+
   const { entityUrl } = requireExistingEntityRoute(request)
   const result = await ctx.entityManager.deleteSchedule(entityUrl, {
     id: decodeURIComponent(request.params.scheduleId),
@@ -340,6 +447,12 @@ async function setTag(
   request: AgentsRouteRequest,
   ctx: TenantContext
 ): Promise<Response> {
+  const principalMutationError = rejectPrincipalEntityMutation(
+    request,
+    `tagged`
+  )
+  if (principalMutationError) return principalMutationError
+
   const parsed = routeBody<SetTagBody>(request)
   const { entityUrl } = requireExistingEntityRoute(request)
   const token = writeTokenFromRequest(request)
@@ -356,6 +469,12 @@ async function removeTag(
   request: AgentsRouteRequest,
   ctx: TenantContext
 ): Promise<Response> {
+  const principalMutationError = rejectPrincipalEntityMutation(
+    request,
+    `untagged`
+  )
+  if (principalMutationError) return principalMutationError
+
   const { entityUrl } = requireExistingEntityRoute(request)
   const token = writeTokenFromRequest(request)
   const updated = await ctx.entityManager.removeTag(
@@ -370,6 +489,12 @@ async function forkEntity(
   request: AgentsRouteRequest,
   ctx: TenantContext
 ): Promise<Response> {
+  const principalMutationError = rejectPrincipalEntityMutation(
+    request,
+    `forked`
+  )
+  if (principalMutationError) return principalMutationError
+
   const parsed = routeBody<ForkBody>(request)
   const { entityUrl, entity } = requireExistingEntityRoute(request)
   await assertDispatchPolicyAllowed(ctx, entity.dispatch_policy)
@@ -394,6 +519,15 @@ async function sendEntity(
   ctx: TenantContext
 ): Promise<Response> {
   const parsed = routeBody<SendBody>(request)
+  const principal = ctx.principal
+  if (parsed.from !== undefined && parsed.from !== principal.url) {
+    return apiError(
+      400,
+      ErrCodeInvalidRequest,
+      `Request from must match Electric-Principal`
+    )
+  }
+  await ctx.entityManager.ensurePrincipal(principal)
   const { entityUrl, entity } = requireExistingEntityRoute(request)
 
   if (!entity.dispatch_policy) {
@@ -405,30 +539,62 @@ async function sendEntity(
     await ctx.entityManager.enqueueDelayedSend(
       entityUrl,
       {
-        from: parsed.from,
+        from: principal.url,
         payload: parsed.payload,
         key: parsed.key,
         type: parsed.type,
+        mode: parsed.mode,
+        position: parsed.position,
       },
       new Date(Date.now() + parsed.afterMs)
     )
   } else {
     await ctx.entityManager.send(entityUrl, {
-      from: parsed.from,
+      from: principal.url,
       payload: parsed.payload,
       key: parsed.key,
       type: parsed.type,
+      mode: parsed.mode,
+      position: parsed.position,
     })
   }
 
   return status(204)
 }
 
+async function updateInboxMessage(
+  request: AgentsRouteRequest,
+  ctx: TenantContext
+): Promise<Response> {
+  const parsed = routeBody<InboxMessageBody>(request)
+  const { entityUrl } = requireExistingEntityRoute(request)
+  await ctx.entityManager.updateInboxMessage(
+    entityUrl,
+    decodeURIComponent(request.params.messageKey),
+    parsed
+  )
+  return status(204)
+}
+
+async function deleteInboxMessage(
+  request: AgentsRouteRequest,
+  ctx: TenantContext
+): Promise<Response> {
+  const { entityUrl } = requireExistingEntityRoute(request)
+  await ctx.entityManager.deleteInboxMessage(
+    entityUrl,
+    decodeURIComponent(request.params.messageKey)
+  )
+  return status(204)
+}
+
 async function spawnEntity(
   request: AgentsRouteRequest,
   ctx: TenantContext
 ): Promise<Response> {
   const parsed = routeBody<SpawnBody>(request)
+  const principal = ctx.principal
+  await ctx.entityManager.ensurePrincipal(principal)
   const dispatchPolicy = await resolveEffectiveDispatchPolicyForSpawn(
     ctx,
     request.params.type,
@@ -446,11 +612,12 @@ async function spawnEntity(
     dispatch_policy: dispatchPolicy,
     initialMessage: undefined,
     wake: parsed.wake,
+    created_by: principal.url,
   })
   await linkEntityDispatchSubscription(ctx, entity)
   if (parsed.initialMessage !== undefined) {
     await ctx.entityManager.send(entity.url, {
-      from: parsed.parent ?? `spawn`,
+      from: principal.url,
       payload: parsed.initialMessage,
     })
   }
@@ -476,6 +643,12 @@ async function killEntity(
   request: AgentsRouteRequest,
   ctx: TenantContext
 ): Promise<Response> {
+  const principalMutationError = rejectPrincipalEntityMutation(
+    request,
+    `killed`
+  )
+  if (principalMutationError) return principalMutationError
+
   const { entityUrl, entity } = requireExistingEntityRoute(request)
   await unlinkEntityDispatchSubscription(ctx, entity)
   const result = await ctx.entityManager.kill(entityUrl)

package/src/routing/hooks.ts

@@ -80,7 +80,7 @@ export function applyCors(
   )
   headers.set(
     `access-control-allow-headers`,
-    `content-type, authorization, electric-claim-token, x-electric-asserted-email, x-electric-asserted-name, ngrok-skip-browser-warning`
+    `content-type, authorization, electric-claim-token, ngrok-skip-browser-warning`
   )
   headers.set(`access-control-expose-headers`, `*`)
   return new Response(response.body, {

package/src/routing/runners-router.ts

@@ -13,6 +13,7 @@ import {
 import { routeBody, withSchema } from './schema.js'
 import { subscriptionIdForDispatchTarget } from './dispatch-policy.js'
 import { withLeadingSlash } from './tenant-stream-paths.js'
+import { principalFromCreatedBy } from '../principal.js'
 import type { JsonRouteRequest } from './schema.js'
 import type { RouterType } from 'itty-router'
 import type { TenantContext } from './context.js'
@@ -104,7 +105,7 @@ async function registerRunner(
   ctx: TenantContext
 ): Promise<Response> {
   const parsed = routeBody<RegisterRunnerBody>(request)
-  const ownerUserId = parsed.owner_user_id ?? ctx.authenticatedUser?.userId
+  const ownerUserId = parsed.owner_user_id ?? ctx.principal?.key
   if (!ownerUserId) {
     throw new ElectricAgentsError(
       ErrCodeInvalidRequest,
@@ -112,7 +113,7 @@ async function registerRunner(
       400
     )
   }
-  if (ctx.authenticatedUser && ownerUserId !== ctx.authenticatedUser.userId) {
+  if (ctx.principal && ownerUserId !== ctx.principal.key) {
     throw new ElectricAgentsError(
       ErrCodeUnauthorized,
       `owner_user_id must match the authenticated user`,
@@ -139,11 +140,7 @@ async function listRunners(
   ctx: TenantContext
 ): Promise<Response> {
   const requestedOwner = firstQueryValue(request.query.owner_user_id)
-  if (
-    ctx.authenticatedUser &&
-    requestedOwner &&
-    requestedOwner !== ctx.authenticatedUser.userId
-  ) {
+  if (ctx.principal && requestedOwner && requestedOwner !== ctx.principal.key) {
     throw new ElectricAgentsError(
       ErrCodeUnauthorized,
       `owner_user_id must match the authenticated user`,
@@ -151,7 +148,7 @@ async function listRunners(
     )
   }
   const runners = await ctx.entityManager.registry.listRunners({
-    ownerUserId: ctx.authenticatedUser?.userId ?? requestedOwner,
+    ownerUserId: ctx.principal?.key ?? requestedOwner,
   })
   return json(runners)
 }
@@ -224,15 +221,8 @@ async function claimWake(
   ctx: TenantContext
 ): Promise<Response> {
   const runnerId = routeParam(request, `id`)
-  if (!ctx.authenticatedUser) {
-    throw new ElectricAgentsError(
-      ErrCodeUnauthorized,
-      `Authentication is required to claim runner work`,
-      401
-    )
-  }
   const runner = await requireRunner(ctx, runnerId)
-  if (runner.owner_user_id !== ctx.authenticatedUser.userId) {
+  if (ctx.principal && runner.owner_user_id !== ctx.principal.key) {
     throw new ElectricAgentsError(
       ErrCodeUnauthorized,
       `Runner claim requires the authenticated owner`,
@@ -308,8 +298,8 @@ function assertRunnerOwnerIfAuthenticated(
   ctx: TenantContext,
   ownerUserId: string
 ): void {
-  if (!ctx.authenticatedUser) return
-  if (ownerUserId === ctx.authenticatedUser.userId) return
+  if (!ctx.principal) return
+  if (ownerUserId === ctx.principal.key) return
   throw new ElectricAgentsError(
     ErrCodeUnauthorized,
     `Runner access requires the authenticated owner`,
@@ -411,6 +401,8 @@ async function notificationFromClaim(
       streams: entity.streams,
       tags: entity.tags,
       spawnArgs: entity.spawn_args,
+      createdBy: entity.created_by,
     },
+    principal: principalFromCreatedBy(entity.created_by),
   }
 }