@electric-ax/agents-server 0.4.5 → 0.4.6

package/dist/index.cjs

@@ -600,7 +600,7 @@ var PostgresRegistry = class {
 		const heartbeatAt = input.heartbeatAt ?? new Date();
 		await this.db.update(consumerClaims).set({
 			lastHeartbeatAt: heartbeatAt,
-			leaseExpiresAt: input.leaseExpiresAt ?? null,
+			...input.leaseExpiresAt !== void 0 ? { leaseExpiresAt: input.leaseExpiresAt } : {},
 			updatedAt: heartbeatAt
 		}).where((0, drizzle_orm.and)((0, drizzle_orm.eq)(consumerClaims.tenantId, this.tenantId), (0, drizzle_orm.eq)(consumerClaims.consumerId, input.consumerId), (0, drizzle_orm.eq)(consumerClaims.epoch, input.epoch)));
 	}
@@ -613,17 +613,24 @@ var PostgresRegistry = class {
 			updatedAt: releasedAt
 		}).where((0, drizzle_orm.and)((0, drizzle_orm.eq)(consumerClaims.tenantId, this.tenantId), (0, drizzle_orm.eq)(consumerClaims.consumerId, input.consumerId), (0, drizzle_orm.eq)(consumerClaims.epoch, input.epoch))).returning();
 		const claim = rows[0] ? this.rowToConsumerClaim(rows[0]) : null;
-		if (claim) await this.db.update(entityDispatchState).set({
-			activeConsumerId: null,
-			activeRunnerId: null,
-			activeEpoch: null,
-			activeClaimedAt: null,
-			activeLeaseExpiresAt: null,
-			lastReleasedAt: releasedAt,
-			lastCompletedAt: releasedAt,
-			updatedAt: releasedAt
-		}).where((0, drizzle_orm.and)((0, drizzle_orm.eq)(entityDispatchState.tenantId, this.tenantId), (0, drizzle_orm.eq)(entityDispatchState.entityUrl, claim.entity_url), (0, drizzle_orm.eq)(entityDispatchState.activeConsumerId, input.consumerId), (0, drizzle_orm.eq)(entityDispatchState.activeEpoch, input.epoch)));
-		return claim;
+		let entityCleared = false;
+		if (claim) {
+			const cleared = await this.db.update(entityDispatchState).set({
+				activeConsumerId: null,
+				activeRunnerId: null,
+				activeEpoch: null,
+				activeClaimedAt: null,
+				activeLeaseExpiresAt: null,
+				lastReleasedAt: releasedAt,
+				lastCompletedAt: releasedAt,
+				updatedAt: releasedAt
+			}).where((0, drizzle_orm.and)((0, drizzle_orm.eq)(entityDispatchState.tenantId, this.tenantId), (0, drizzle_orm.eq)(entityDispatchState.entityUrl, claim.entity_url), (0, drizzle_orm.eq)(entityDispatchState.activeConsumerId, input.consumerId), (0, drizzle_orm.eq)(entityDispatchState.activeEpoch, input.epoch))).returning({ entityUrl: entityDispatchState.entityUrl });
+			entityCleared = cleared.length > 0;
+		}
+		return {
+			claim,
+			entityCleared
+		};
 	}
 	async getActiveClaimsForRunner(runnerId) {
 		const rows = await this.db.select().from(consumerClaims).where((0, drizzle_orm.and)((0, drizzle_orm.eq)(consumerClaims.tenantId, this.tenantId), (0, drizzle_orm.eq)(consumerClaims.runnerId, runnerId), (0, drizzle_orm.eq)(consumerClaims.status, `active`)));
@@ -6144,6 +6151,87 @@ function sqlStringLiteral(value) {
 	return `'${value.replace(/'/g, `''`)}'`;
 }
 
+//#endregion
+//#region src/webhook-signing.ts
+const encoder = new TextEncoder();
+const defaultWebhookSigner = createEd25519WebhookSigner();
+function createEd25519WebhookSigner(options = {}) {
+	const privateKey = options.privateKey ? importPrivateKey(options.privateKey) : (0, node_crypto.generateKeyPairSync)(`ed25519`).privateKey;
+	if (privateKey.asymmetricKeyType !== `ed25519`) throw new Error(`Webhook signing key must be an Ed25519 private key`);
+	const publicJwk = buildPublicJwk(privateKey, options.kid);
+	return {
+		sign: (body) => signWebhookBody(privateKey, publicJwk.kid, body),
+		jwks: () => ({ keys: [{ ...publicJwk }] })
+	};
+}
+function getDefaultWebhookSigner() {
+	return defaultWebhookSigner;
+}
+async function webhookSigningMetadata(signer, streamRootUrl) {
+	const jwks = await signer.jwks();
+	const key = jwks.keys[0];
+	if (!key) throw new Error(`Webhook signer did not provide any public keys`);
+	return {
+		alg: `ed25519`,
+		kid: key.kid,
+		jwks_url: (0, __electric_ax_agents_runtime.appendPathToUrl)(streamRootUrl, `/__ds/jwks.json`)
+	};
+}
+function signWebhookBody(privateKey, kid, body) {
+	const timestamp$1 = Math.floor(Date.now() / 1e3);
+	const payload = bytesWithTimestamp(timestamp$1, body);
+	const signature = (0, node_crypto.sign)(null, payload, privateKey).toString(`base64url`);
+	return `t=${timestamp$1},kid=${kid},ed25519=${signature}`;
+}
+function bytesWithTimestamp(timestamp$1, body) {
+	const prefix = encoder.encode(`${timestamp$1}.`);
+	const bodyBytes = typeof body === `string` ? encoder.encode(body) : body;
+	return Buffer.concat([Buffer.from(prefix), Buffer.from(bodyBytes)]);
+}
+function importPrivateKey(input) {
+	if (isKeyObject(input)) return input;
+	if (typeof input === `string`) {
+		const trimmed = input.trim();
+		if (trimmed.startsWith(`{`)) return (0, node_crypto.createPrivateKey)({
+			key: JSON.parse(trimmed),
+			format: `jwk`
+		});
+		return (0, node_crypto.createPrivateKey)(trimmed.replace(/\\n/g, `\n`));
+	}
+	if (Buffer.isBuffer(input)) return (0, node_crypto.createPrivateKey)(input);
+	return (0, node_crypto.createPrivateKey)({
+		key: input,
+		format: `jwk`
+	});
+}
+function isKeyObject(input) {
+	return typeof input === `object` && `type` in input && input.type === `private`;
+}
+function buildPublicJwk(privateKey, kid) {
+	const exported = (0, node_crypto.createPublicKey)(privateKey).export({ format: `jwk` });
+	if (exported.kty !== `OKP` || exported.crv !== `Ed25519` || !exported.x) throw new Error(`Failed to export Ed25519 webhook signing key`);
+	return {
+		kty: `OKP`,
+		crv: `Ed25519`,
+		x: exported.x,
+		kid: kid ?? deriveKeyId({
+			kty: exported.kty,
+			crv: exported.crv,
+			x: exported.x
+		}),
+		use: `sig`,
+		alg: `EdDSA`
+	};
+}
+function deriveKeyId(jwk) {
+	const thumbprintInput = JSON.stringify({
+		crv: jwk.crv,
+		kty: jwk.kty,
+		x: jwk.x
+	});
+	return `ds_${(0, node_crypto.createHash)(`sha256`).update(thumbprintInput).digest(`base64url`)}`;
+}
+
 //#endregion
 //#region src/routing/durable-streams-router.ts
 const subscriptionProxyBodySchema = __sinclair_typebox.Type.Object({ webhook: __sinclair_typebox.Type.Optional(__sinclair_typebox.Type.Object({ url: __sinclair_typebox.Type.String() }, { additionalProperties: true })) }, { additionalProperties: true });
@@ -6160,6 +6248,7 @@ durableStreamsRouter.delete(`/__ds/subscriptions/:subscriptionId`, deleteSubscri
 durableStreamsRouter.post(`/__ds/subscriptions/:subscriptionId/streams`, postSubscriptionStreams);
 durableStreamsRouter.delete(`/__ds/subscriptions/:subscriptionId/streams/:streamPath+`, deleteSubscriptionStream);
 for (const action of subscriptionControlActions) durableStreamsRouter.post(`/__ds/subscriptions/:subscriptionId/${action}`, subscriptionAction(action));
+durableStreamsRouter.get(`/__ds/jwks.json`, webhookJwks);
 durableStreamsRouter.all(`/__ds`, controlPassThrough);
 durableStreamsRouter.all(`/__ds/*`, controlPassThrough);
 durableStreamsRouter.post(`*`, streamAppend);
@@ -6168,12 +6257,16 @@ function bodyFromBytes$1(body) {
 	return body.buffer.slice(body.byteOffset, body.byteOffset + body.byteLength);
 }
 function responseFromUpstream$1(response, body) {
-	return new Response(body ? bodyFromBytes$1(body) : response.body, {
+	const responseBody = forbidsResponseBody$1(response.status) ? null : body !== void 0 ? bodyFromBytes$1(body) : response.body;
+	return new Response(responseBody, {
 		status: response.status,
 		statusText: response.statusText,
 		headers: responseHeaders(response)
 	});
 }
+function forbidsResponseBody$1(status$4) {
+	return status$4 === 204 || status$4 === 205 || status$4 === 304;
+}
 async function forwardToDurableStreams(ctx, request, body, route = `stream`, urlOverride, durableStreamsBearerMode = `overwrite`) {
 	const headers = new Headers(request.headers);
 	headers.delete(`host`);
@@ -6207,28 +6300,32 @@ function rewriteSubscriptionBodyForBackend(payload, service, routingAdapter) {
 		return next;
 	});
 }
-function rewriteSubscriptionResponseForClient(bytes, response, service, routingAdapter) {
+async function rewriteSubscriptionResponseForClient(bytes, response, ctx, routingAdapter) {
 	if (!response.headers.get(`content-type`)?.includes(`application/json`)) return bytes;
 	const payload = decodeJson(bytes);
 	if (!payload) return bytes;
-	if (typeof payload.pattern === `string`) payload.pattern = routingAdapter.toRuntimeStreamPath(service, payload.pattern);
+	if (typeof payload.pattern === `string`) payload.pattern = routingAdapter.toRuntimeStreamPath(ctx.service, payload.pattern);
 	if (Array.isArray(payload.streams)) payload.streams = payload.streams.map((stream) => {
-		if (typeof stream === `string`) return routingAdapter.toRuntimeStreamPath(service, stream);
+		if (typeof stream === `string`) return routingAdapter.toRuntimeStreamPath(ctx.service, stream);
 		if (stream && typeof stream === `object` && typeof stream.path === `string`) return {
 			...stream,
-			path: routingAdapter.toRuntimeStreamPath(service, stream.path)
+			path: routingAdapter.toRuntimeStreamPath(ctx.service, stream.path)
 		};
 		return stream;
 	});
-	if (typeof payload.wake_stream === `string`) payload.wake_stream = routingAdapter.toRuntimeStreamPath(service, payload.wake_stream);
-	if (typeof payload.stream === `string`) payload.stream = routingAdapter.toRuntimeStreamPath(service, payload.stream);
+	if (typeof payload.wake_stream === `string`) payload.wake_stream = routingAdapter.toRuntimeStreamPath(ctx.service, payload.wake_stream);
+	if (typeof payload.stream === `string`) payload.stream = routingAdapter.toRuntimeStreamPath(ctx.service, payload.stream);
 	if (Array.isArray(payload.acks)) payload.acks = payload.acks.map((ack) => {
 		if (!ack || typeof ack !== `object`) return ack;
 		const next = { ...ack };
-		if (typeof next.stream === `string`) next.stream = routingAdapter.toRuntimeStreamPath(service, next.stream);
-		if (typeof next.path === `string`) next.path = routingAdapter.toRuntimeStreamPath(service, next.path);
+		if (typeof next.stream === `string`) next.stream = routingAdapter.toRuntimeStreamPath(ctx.service, next.stream);
+		if (typeof next.path === `string`) next.path = routingAdapter.toRuntimeStreamPath(ctx.service, next.path);
 		return next;
 	});
+	if (payload.webhook && typeof payload.webhook === `object` && !Array.isArray(payload.webhook)) {
+		const webhook = payload.webhook;
+		webhook.signing = await webhookSigningMetadata(resolveWebhookSigner$1(ctx), ctx.publicUrl);
+	}
 	return new TextEncoder().encode(JSON.stringify(payload));
 }
 function decodeJson(bytes) {
@@ -6247,6 +6344,9 @@ function routeParam$2(request, name) {
 function subscriptionRoutingAdapter(ctx) {
 	return resolveDurableStreamsRoutingAdapter(ctx.durableStreamsRouting, ctx.durableStreamsUrl);
 }
+function resolveWebhookSigner$1(ctx) {
+	return ctx.webhookSigner ?? getDefaultWebhookSigner();
+}
 async function rewriteSubscriptionRequestBody(request, ctx, subscriptionId, routingAdapter) {
 	const body = await readRequestBody(request);
 	if (body.length === 0) return {
@@ -6275,7 +6375,7 @@ async function rewriteSubscriptionRequestBody(request, ctx, subscriptionId, rout
 async function forwardSubscriptionRequest(request, ctx, routingAdapter, opts = {}) {
 	const upstream = await forwardToDurableStreams(ctx, request, opts.body, `control`, opts.requestUrl, opts.bearerMode ?? `overwrite`);
 	let responseBytes = upstream.body ? new Uint8Array(await upstream.arrayBuffer()) : new Uint8Array();
-	responseBytes = rewriteSubscriptionResponseForClient(responseBytes, upstream, ctx.service, routingAdapter);
+	responseBytes = await rewriteSubscriptionResponseForClient(responseBytes, upstream, ctx, routingAdapter);
 	return {
 		upstream,
 		response: responseFromUpstream$1(upstream, responseBytes)
@@ -6348,6 +6448,15 @@ async function controlPassThrough(request, ctx) {
 	const upstream = await forwardToDurableStreams(ctx, request, void 0, `control`);
 	return responseFromUpstream$1(upstream);
 }
+async function webhookJwks(_request, ctx) {
+	return new Response(JSON.stringify(await resolveWebhookSigner$1(ctx).jwks()), {
+		status: 200,
+		headers: {
+			"content-type": `application/jwk-set+json`,
+			"cache-control": `public, max-age=300`
+		}
+	});
+}
 async function streamAppend(request, ctx) {
 	return await electricAgentsStreamAppendRouter.fetch(createStreamAppendRouteRequest(request), ctx.runtime, (req, body) => forwardFetchRequest({
 		request: {
@@ -7338,12 +7447,16 @@ function bodyFromBytes(body) {
 	return body.buffer.slice(body.byteOffset, body.byteOffset + body.byteLength);
 }
 function responseFromUpstream(response, body) {
-	return new Response(body ? bodyFromBytes(body) : response.body, {
+	const responseBody = forbidsResponseBody(response.status) ? null : body !== void 0 ? bodyFromBytes(body) : response.body;
+	return new Response(responseBody, {
 		status: response.status,
 		statusText: response.statusText,
 		headers: responseHeaders(response)
 	});
 }
+function forbidsResponseBody(status$4) {
+	return status$4 === 204 || status$4 === 205 || status$4 === 304;
+}
 function forwardHeadersFromRequest(request) {
 	const headers = new Headers(request.headers);
 	headers.delete(`host`);
@@ -7352,6 +7465,45 @@ function forwardHeadersFromRequest(request) {
 function durableStreamsSubscriptionCallback(value) {
 	return value.startsWith(DS_SUBSCRIPTION_CALLBACK_PREFIX) ? value.slice(DS_SUBSCRIPTION_CALLBACK_PREFIX.length) : null;
 }
+function resolveWebhookSigner(ctx) {
+	return ctx.webhookSigner ?? getDefaultWebhookSigner();
+}
+function durableStreamsWebhookJwksUrl(ctx) {
+	if (!ctx.durableStreamsRouting) return (0, __electric_ax_agents_runtime.appendPathToUrl)(ctx.durableStreamsUrl, `/__ds/jwks.json`);
+	return resolveDurableStreamsRoutingAdapter(ctx.durableStreamsRouting, ctx.durableStreamsUrl).controlUrl({
+		durableStreamsUrl: ctx.durableStreamsUrl,
+		serviceId: ctx.service,
+		requestUrl: (0, __electric_ax_agents_runtime.appendPathToUrl)(ctx.publicUrl, `/__ds/jwks.json`)
+	}).toString();
+}
+function durableStreamsJwksFetchClient(ctx) {
+	return async (input, init) => {
+		const headers = new Headers(init?.headers);
+		await applyDurableStreamsBearer(headers, ctx.durableStreamsBearer, { overwrite: false });
+		const nextInit = {
+			...init ?? {},
+			headers
+		};
+		if (ctx.durableStreamsDispatcher) nextInit.dispatcher = ctx.durableStreamsDispatcher;
+		return await fetch(input, nextInit);
+	};
+}
+function resolveDurableStreamsWebhookSignature(ctx) {
+	if (ctx.durableStreamsWebhookSignature === false) return false;
+	return {
+		jwksUrl: ctx.durableStreamsWebhookSignature?.jwksUrl ?? durableStreamsWebhookJwksUrl(ctx),
+		toleranceSeconds: ctx.durableStreamsWebhookSignature?.toleranceSeconds,
+		cacheTtlMs: ctx.durableStreamsWebhookSignature?.cacheTtlMs,
+		fetchClient: ctx.durableStreamsWebhookSignature?.fetchClient ?? durableStreamsJwksFetchClient(ctx)
+	};
+}
+async function verifyDurableStreamsWebhook(request, ctx, body) {
+	const config = resolveDurableStreamsWebhookSignature(ctx);
+	if (config === false) return null;
+	const verification = await (0, __electric_ax_agents_runtime.verifyWebhookSignature)(body, request.headers.get(`webhook-signature`), config);
+	if (verification.ok) return null;
+	return apiError(verification.status, verification.status === 401 ? ErrCodeUnauthorized : `WEBHOOK_SIGNATURE_UNAVAILABLE`, verification.error);
+}
 function claimTokenFromRequest(request) {
 	const electricClaimToken = request.headers.get(`electric-claim-token`)?.trim();
 	if (electricClaimToken) return electricClaimToken;
@@ -7385,7 +7537,10 @@ async function webhookForward(request, ctx) {
 	const rootSpan = getRequestSpan(request);
 	rootSpan?.updateName(`webhook-forward`);
 	rootSpan?.setAttribute(`electric_agents.webhook.subscription_id`, subscriptionId);
-	const lookupPromise = tracer.startActiveSpan(`db.lookupSubscription`, async (span) => {
+	const body = await readRequestBody(request);
+	const signatureError = await verifyDurableStreamsWebhook(request, ctx, body);
+	if (signatureError) return signatureError;
+	const targetWebhookUrl = await tracer.startActiveSpan(`db.lookupSubscription`, async (span) => {
 		try {
 			const rows = await ctx.pgDb.select().from(subscriptionWebhooks).where((0, drizzle_orm.and)((0, drizzle_orm.eq)(subscriptionWebhooks.tenantId, ctx.service), (0, drizzle_orm.eq)(subscriptionWebhooks.subscriptionId, subscriptionId))).limit(1);
 			return rows[0]?.webhookUrl ?? null;
@@ -7393,7 +7548,6 @@ async function webhookForward(request, ctx) {
 			span.end();
 		}
 	});
-	const [targetWebhookUrl, body] = await Promise.all([lookupPromise, readRequestBody(request)]);
 	if (!targetWebhookUrl) return apiError(404, ErrCodeSubscriptionNotFound, `Unknown webhook subscription`);
 	const parsedBodyResult = validateOptionalJsonBody(webhookForwardBodySchema, body, request.headers.get(`content-type`));
 	if (!parsedBodyResult.ok) return parsedBodyResult.response;
@@ -7482,6 +7636,7 @@ async function webhookForward(request, ctx) {
 	const headers = forwardHeadersFromRequest(request);
 	headers.set(`content-type`, `application/json`);
 	headers.delete(`content-length`);
+	headers.set(`webhook-signature`, await resolveWebhookSigner(ctx).sign(forwardBody));
 	let upstream;
 	try {
 		upstream = await tracer.startActiveSpan(`fetch.agent-handler`, async (span) => {
@@ -7569,8 +7724,9 @@ async function callbackForward(request, ctx) {
 			serverLog.info(`[callback-forward] done received for stream=${target.primaryStream} consumer=${consumerId}`);
 			const stillOwnsClaim = ctx.runtime.claimWriteTokens.owns(ctx.service, target.primaryStream, consumerId);
 			const entity = await ctx.entityManager.registry.getEntityByStream(target.primaryStream);
-			if (entity && stillOwnsClaim) {
-				if (epoch !== void 0) await ctx.entityManager.registry.materializeReleasedClaim?.({
+			let entityCleared = false;
+			if (epoch !== void 0) {
+				const result = await ctx.entityManager.registry.materializeReleasedClaim?.({
 					consumerId,
 					epoch,
 					ackedStreams: Array.isArray(requestBody?.acks) ? requestBody.acks.flatMap((ack) => {
@@ -7582,13 +7738,15 @@ async function callbackForward(request, ctx) {
 						}] : [];
 					}) : void 0
 				});
+				entityCleared = result?.entityCleared ?? false;
+			}
+			if (entity && (entityCleared || stillOwnsClaim)) {
 				await ctx.entityManager.registry.updateStatus(entity.url, `idle`);
-				ctx.runtime.claimWriteTokens.clearStream(ctx.service, target.primaryStream);
 				await ctx.entityBridgeManager.onEntityChanged(entity.url);
 				serverLog.info(`[callback-forward] status updated to idle for ${entity.url}`);
-			} else if (stillOwnsClaim) ctx.runtime.claimWriteTokens.clearStream(ctx.service, target.primaryStream);
-			else if (entity) serverLog.info(`[callback-forward] done ignored for stale claim stream=${target.primaryStream} consumer=${consumerId}`);
-			else serverLog.warn(`[callback-forward] done received but no entity found for stream=${target.primaryStream}`);
+			} else if (!entity) serverLog.warn(`[callback-forward] done received but no entity found for stream=${target.primaryStream}`);
+			if (stillOwnsClaim) ctx.runtime.claimWriteTokens.clearStream(ctx.service, target.primaryStream);
+			else if (entity) serverLog.info(`[callback-forward] done arrived after in-memory token evicted (stream=${target.primaryStream} consumer=${consumerId})`);
 		} else if (requestBody?.done === true) serverLog.warn(`[callback-forward] done received but skipped: upstream.ok=${upstream.ok} primaryStream=${target.primaryStream ?? `null`} consumer=${consumerId}`);
 	} catch (err) {
 		serverLog.error(`[callback-forward] error processing done for consumer=${consumerId}: ${err instanceof Error ? err.message : String(err)}`);
@@ -7646,9 +7804,12 @@ exports.DEFAULT_TENANT_ID = DEFAULT_TENANT_ID
 exports.StreamClient = StreamClient
 exports.UnregisteredTenantError = UnregisteredTenantError
 exports.createDb = createDb
+exports.createEd25519WebhookSigner = createEd25519WebhookSigner
+exports.getDefaultWebhookSigner = getDefaultWebhookSigner
 exports.globalRouter = globalRouter
 exports.isUnregisteredTenantError = isUnregisteredTenantError
 exports.pathPrefixedSingleTenantDurableStreamsRoutingAdapter = pathPrefixedSingleTenantDurableStreamsRoutingAdapter
 exports.runMigrations = runMigrations
 exports.streamRootDurableStreamsRoutingAdapter = streamRootDurableStreamsRoutingAdapter
-exports.tenantRootDurableStreamsRoutingAdapter = tenantRootDurableStreamsRoutingAdapter
+exports.tenantRootDurableStreamsRoutingAdapter = tenantRootDurableStreamsRoutingAdapter
+exports.webhookSigningMetadata = webhookSigningMetadata

package/dist/index.d.cts

@@ -187,11 +187,12 @@ import * as drizzle_orm_pg_core238 from "drizzle-orm/pg-core";
 import * as drizzle_orm_pg_core239 from "drizzle-orm/pg-core";
 import * as drizzle_orm73 from "drizzle-orm";
 import * as drizzle_orm74 from "drizzle-orm";
-import { EntityTags, WebhookNotification } from "@electric-ax/agents-runtime";
+import { EntityTags, WebhookNotification, WebhookSignatureVerifierConfig } from "@electric-ax/agents-runtime";
 import "@sinclair/typebox";
 import { MaybePromise } from "@durable-streams/client";
 import { AutoRouterType, IRequest } from "itty-router";
 import { Agent } from "undici";
+import { JsonWebKey, KeyObject } from "node:crypto";
 
 //#region rolldown:runtime
 declare namespace schema_d_exports {
@@ -3523,7 +3524,10 @@ declare class PostgresRegistry {
   setRunnerAdminStatus(runnerId: string, adminStatus: RunnerAdminStatus): Promise<ElectricAgentsRunner | null>;
   materializeActiveClaim(input: MaterializeActiveClaimInput): Promise<void>;
   materializeHeartbeatClaim(input: MaterializeHeartbeatClaimInput): Promise<void>;
-  materializeReleasedClaim(input: MaterializeReleasedClaimInput): Promise<ConsumerClaim | null>;
+  materializeReleasedClaim(input: MaterializeReleasedClaimInput): Promise<{
+    claim: ConsumerClaim | null;
+    entityCleared: boolean;
+  }>;
   getActiveClaimsForRunner(runnerId: string): Promise<Array<ConsumerClaim>>;
   getDispatchStatsForRunner(runnerId: string): Promise<{
     entities_with_active_claim: number;
@@ -3631,11 +3635,15 @@ interface SubscriptionResponse {
   streams?: Array<string | SubscriptionStreamInfo>;
   webhook?: {
     url?: string;
+    signing?: {
+      alg?: string;
+      kid?: string;
+      jwks_url?: string;
+    };
   };
   wake_stream?: string;
   callback_url?: string;
   callback_token?: string;
-  webhook_secret?: string;
 }
 interface SubscriptionCreateInput {
   type: `webhook` | `pull-wake`;
@@ -3691,10 +3699,7 @@ declare class StreamClient {
     contentType: string;
   }): Promise<void>;
   exists(path: string): Promise<boolean>;
-  createSubscription(pattern: string, subscriptionId: string, webhookUrl: string, description?: string): Promise<{
-    subscription_id: string;
-    webhook_secret?: string;
-  }>;
+  createSubscription(pattern: string, subscriptionId: string, webhookUrl: string, description?: string): Promise<SubscriptionResponse>;
   putSubscription(subscriptionId: string, input: SubscriptionCreateInput): Promise<SubscriptionResponse>;
   getSubscription(subscriptionId: string): Promise<SubscriptionResponse | null>;
   deleteSubscription(subscriptionId: string): Promise<void>;
@@ -4368,6 +4373,37 @@ declare const streamRootDurableStreamsRoutingAdapter: DurableStreamsRoutingAdapt
 declare const pathPrefixedSingleTenantDurableStreamsRoutingAdapter: DurableStreamsRoutingAdapter;
 declare const tenantRootDurableStreamsRoutingAdapter: DurableStreamsRoutingAdapter;
 
+//#endregion
+//#region src/webhook-signing.d.ts
+interface WebhookPublicJwk {
+  kty: `OKP`;
+  crv: `Ed25519`;
+  x: string;
+  kid: string;
+  use: `sig`;
+  alg: `EdDSA`;
+}
+interface WebhookJwks {
+  keys: Array<WebhookPublicJwk>;
+}
+interface WebhookSigningMetadata {
+  alg: `ed25519`;
+  kid: string;
+  jwks_url: string;
+}
+interface WebhookSigner {
+  sign: (body: Uint8Array | string) => string | Promise<string>;
+  jwks: () => WebhookJwks | Promise<WebhookJwks>;
+}
+type WebhookSigningKeyInput = string | Buffer | JsonWebKey | KeyObject;
+interface Ed25519WebhookSignerOptions {
+  privateKey?: WebhookSigningKeyInput;
+  kid?: string;
+}
+declare function createEd25519WebhookSigner(options?: Ed25519WebhookSignerOptions): WebhookSigner;
+declare function getDefaultWebhookSigner(): WebhookSigner;
+declare function webhookSigningMetadata(signer: WebhookSigner, streamRootUrl: string): Promise<WebhookSigningMetadata>;
+
 //#endregion
 //#region src/routing/context.d.ts
 /**
@@ -4386,6 +4422,8 @@ interface TenantContext {
   durableStreamsBearer?: DurableStreamsBearerProvider;
   durableStreamsRouting?: DurableStreamsRoutingAdapter;
   durableStreamsDispatcher: Agent;
+  durableStreamsWebhookSignature?: false | Partial<WebhookSignatureVerifierConfig>;
+  webhookSigner?: WebhookSigner;
   electricUrl?: string;
   electricSecret?: string;
   ownAgentHandlerPaths?: ReadonlyArray<string>;
@@ -4413,4 +4451,4 @@ declare class UnregisteredTenantError extends Error {
 declare function isUnregisteredTenantError(error: unknown): error is UnregisteredTenantError;
 
 //#endregion
-export { AgentsHost, AgentsHostOptions, AgentsHostTenantConfig, AgentsHostTenantRuntime, AuthenticateRequest, ConsumerClaim, DEFAULT_TENANT_ID, DispatchPolicy, DispatchTarget, DrizzleDB, DurableStreamsBearerProvider, DurableStreamsRoutingAdapter, DurableStreamsRoutingInput, ElectricAgentsRunner, ElectricAgentsUser, EntityBridgeCoordinator, EntityDispatchState, GlobalRoutes, PgClient, Principal, PrincipalKind, PublicWakeNotification, RegisterRunnerRequest, RequestPrincipal, RunnerAdminStatus, RunnerHeartbeatRequest, RunnerKind, RunnerLiveness, SourceStreamOffset, StreamClient, StreamClientOptions, SubscriptionClaimResponse, SubscriptionCreateInput, SubscriptionResponse, SubscriptionStreamInfo, TenantContext, UnregisteredTenantError, WakeNotificationRow, createDb, globalRouter, isUnregisteredTenantError, pathPrefixedSingleTenantDurableStreamsRoutingAdapter, runMigrations, streamRootDurableStreamsRoutingAdapter, tenantRootDurableStreamsRoutingAdapter };
+export { AgentsHost, AgentsHostOptions, AgentsHostTenantConfig, AgentsHostTenantRuntime, AuthenticateRequest, ConsumerClaim, DEFAULT_TENANT_ID, DispatchPolicy, DispatchTarget, DrizzleDB, DurableStreamsBearerProvider, DurableStreamsRoutingAdapter, DurableStreamsRoutingInput, Ed25519WebhookSignerOptions, ElectricAgentsRunner, ElectricAgentsUser, EntityBridgeCoordinator, EntityDispatchState, GlobalRoutes, PgClient, Principal, PrincipalKind, PublicWakeNotification, RegisterRunnerRequest, RequestPrincipal, RunnerAdminStatus, RunnerHeartbeatRequest, RunnerKind, RunnerLiveness, SourceStreamOffset, StreamClient, StreamClientOptions, SubscriptionClaimResponse, SubscriptionCreateInput, SubscriptionResponse, SubscriptionStreamInfo, TenantContext, UnregisteredTenantError, WakeNotificationRow, WebhookJwks, WebhookPublicJwk, WebhookSigner, WebhookSigningKeyInput, WebhookSigningMetadata, createDb, createEd25519WebhookSigner, getDefaultWebhookSigner, globalRouter, isUnregisteredTenantError, pathPrefixedSingleTenantDurableStreamsRoutingAdapter, runMigrations, streamRootDurableStreamsRoutingAdapter, tenantRootDurableStreamsRoutingAdapter, webhookSigningMetadata };

package/dist/index.d.ts

@@ -188,7 +188,8 @@ import * as drizzle_orm_pg_core236 from "drizzle-orm/pg-core";
 import * as drizzle_orm_pg_core237 from "drizzle-orm/pg-core";
 import * as drizzle_orm_pg_core238 from "drizzle-orm/pg-core";
 import * as drizzle_orm_pg_core239 from "drizzle-orm/pg-core";
-import { EntityTags, WebhookNotification } from "@electric-ax/agents-runtime";
+import { JsonWebKey, KeyObject } from "node:crypto";
+import { EntityTags, WebhookNotification, WebhookSignatureVerifierConfig } from "@electric-ax/agents-runtime";
 import { MaybePromise } from "@durable-streams/client";
 import "@sinclair/typebox";
 import { AutoRouterType, IRequest } from "itty-router";
@@ -3524,7 +3525,10 @@ declare class PostgresRegistry {
   setRunnerAdminStatus(runnerId: string, adminStatus: RunnerAdminStatus): Promise<ElectricAgentsRunner | null>;
   materializeActiveClaim(input: MaterializeActiveClaimInput): Promise<void>;
   materializeHeartbeatClaim(input: MaterializeHeartbeatClaimInput): Promise<void>;
-  materializeReleasedClaim(input: MaterializeReleasedClaimInput): Promise<ConsumerClaim | null>;
+  materializeReleasedClaim(input: MaterializeReleasedClaimInput): Promise<{
+    claim: ConsumerClaim | null;
+    entityCleared: boolean;
+  }>;
   getActiveClaimsForRunner(runnerId: string): Promise<Array<ConsumerClaim>>;
   getDispatchStatsForRunner(runnerId: string): Promise<{
     entities_with_active_claim: number;
@@ -3632,11 +3636,15 @@ interface SubscriptionResponse {
   streams?: Array<string | SubscriptionStreamInfo>;
   webhook?: {
     url?: string;
+    signing?: {
+      alg?: string;
+      kid?: string;
+      jwks_url?: string;
+    };
   };
   wake_stream?: string;
   callback_url?: string;
   callback_token?: string;
-  webhook_secret?: string;
 }
 interface SubscriptionCreateInput {
   type: `webhook` | `pull-wake`;
@@ -3692,10 +3700,7 @@ declare class StreamClient {
     contentType: string;
   }): Promise<void>;
   exists(path: string): Promise<boolean>;
-  createSubscription(pattern: string, subscriptionId: string, webhookUrl: string, description?: string): Promise<{
-    subscription_id: string;
-    webhook_secret?: string;
-  }>;
+  createSubscription(pattern: string, subscriptionId: string, webhookUrl: string, description?: string): Promise<SubscriptionResponse>;
   putSubscription(subscriptionId: string, input: SubscriptionCreateInput): Promise<SubscriptionResponse>;
   getSubscription(subscriptionId: string): Promise<SubscriptionResponse | null>;
   deleteSubscription(subscriptionId: string): Promise<void>;
@@ -4369,6 +4374,37 @@ declare const streamRootDurableStreamsRoutingAdapter: DurableStreamsRoutingAdapt
 declare const pathPrefixedSingleTenantDurableStreamsRoutingAdapter: DurableStreamsRoutingAdapter;
 declare const tenantRootDurableStreamsRoutingAdapter: DurableStreamsRoutingAdapter;
 
+//#endregion
+//#region src/webhook-signing.d.ts
+interface WebhookPublicJwk {
+  kty: `OKP`;
+  crv: `Ed25519`;
+  x: string;
+  kid: string;
+  use: `sig`;
+  alg: `EdDSA`;
+}
+interface WebhookJwks {
+  keys: Array<WebhookPublicJwk>;
+}
+interface WebhookSigningMetadata {
+  alg: `ed25519`;
+  kid: string;
+  jwks_url: string;
+}
+interface WebhookSigner {
+  sign: (body: Uint8Array | string) => string | Promise<string>;
+  jwks: () => WebhookJwks | Promise<WebhookJwks>;
+}
+type WebhookSigningKeyInput = string | Buffer | JsonWebKey | KeyObject;
+interface Ed25519WebhookSignerOptions {
+  privateKey?: WebhookSigningKeyInput;
+  kid?: string;
+}
+declare function createEd25519WebhookSigner(options?: Ed25519WebhookSignerOptions): WebhookSigner;
+declare function getDefaultWebhookSigner(): WebhookSigner;
+declare function webhookSigningMetadata(signer: WebhookSigner, streamRootUrl: string): Promise<WebhookSigningMetadata>;
+
 //#endregion
 //#region src/routing/context.d.ts
 /**
@@ -4387,6 +4423,8 @@ interface TenantContext {
   durableStreamsBearer?: DurableStreamsBearerProvider;
   durableStreamsRouting?: DurableStreamsRoutingAdapter;
   durableStreamsDispatcher: Agent;
+  durableStreamsWebhookSignature?: false | Partial<WebhookSignatureVerifierConfig>;
+  webhookSigner?: WebhookSigner;
   electricUrl?: string;
   electricSecret?: string;
   ownAgentHandlerPaths?: ReadonlyArray<string>;
@@ -4414,4 +4452,4 @@ declare class UnregisteredTenantError extends Error {
 declare function isUnregisteredTenantError(error: unknown): error is UnregisteredTenantError;
 
 //#endregion
-export { AgentsHost, AgentsHostOptions, AgentsHostTenantConfig, AgentsHostTenantRuntime, AuthenticateRequest, ConsumerClaim, DEFAULT_TENANT_ID, DispatchPolicy, DispatchTarget, DrizzleDB, DurableStreamsBearerProvider, DurableStreamsRoutingAdapter, DurableStreamsRoutingInput, ElectricAgentsRunner, ElectricAgentsUser, EntityBridgeCoordinator, EntityDispatchState, GlobalRoutes, PgClient, Principal, PrincipalKind, PublicWakeNotification, RegisterRunnerRequest, RequestPrincipal, RunnerAdminStatus, RunnerHeartbeatRequest, RunnerKind, RunnerLiveness, SourceStreamOffset, StreamClient, StreamClientOptions, SubscriptionClaimResponse, SubscriptionCreateInput, SubscriptionResponse, SubscriptionStreamInfo, TenantContext, UnregisteredTenantError, WakeNotificationRow, createDb, globalRouter, isUnregisteredTenantError, pathPrefixedSingleTenantDurableStreamsRoutingAdapter, runMigrations, streamRootDurableStreamsRoutingAdapter, tenantRootDurableStreamsRoutingAdapter };
+export { AgentsHost, AgentsHostOptions, AgentsHostTenantConfig, AgentsHostTenantRuntime, AuthenticateRequest, ConsumerClaim, DEFAULT_TENANT_ID, DispatchPolicy, DispatchTarget, DrizzleDB, DurableStreamsBearerProvider, DurableStreamsRoutingAdapter, DurableStreamsRoutingInput, Ed25519WebhookSignerOptions, ElectricAgentsRunner, ElectricAgentsUser, EntityBridgeCoordinator, EntityDispatchState, GlobalRoutes, PgClient, Principal, PrincipalKind, PublicWakeNotification, RegisterRunnerRequest, RequestPrincipal, RunnerAdminStatus, RunnerHeartbeatRequest, RunnerKind, RunnerLiveness, SourceStreamOffset, StreamClient, StreamClientOptions, SubscriptionClaimResponse, SubscriptionCreateInput, SubscriptionResponse, SubscriptionStreamInfo, TenantContext, UnregisteredTenantError, WakeNotificationRow, WebhookJwks, WebhookPublicJwk, WebhookSigner, WebhookSigningKeyInput, WebhookSigningMetadata, createDb, createEd25519WebhookSigner, getDefaultWebhookSigner, globalRouter, isUnregisteredTenantError, pathPrefixedSingleTenantDurableStreamsRoutingAdapter, runMigrations, streamRootDurableStreamsRoutingAdapter, tenantRootDurableStreamsRoutingAdapter, webhookSigningMetadata };