@gnomondigital/nebulas-kit-core 0.3.2 → 0.4.1

package/README.md

@@ -8,6 +8,16 @@ Framework-agnostic A2A chat client, Nebulas client, and server handlers.
 npm install @gnomondigital/nebulas-kit-core
 ```
 
+### Subpath exports
+
+| Import path | Use |
+|-------------|-----|
+| `@gnomondigital/nebulas-kit-core` | Full API (Next.js, Express, proxy handlers). |
+| `@gnomondigital/nebulas-kit-core/client` | Browser-only: `sendMessageStream`, Nebulas client, types. **Use from React/Vite** so `next/server` is never bundled. |
+| `@gnomondigital/nebulas-kit-core/express` | Express router only; no Next.js. |
+
+`@gnomondigital/nebulas-kit-react` imports from `/client` internally.
+
 ## Environment Variables
 
 | Variable | Required | Description |
@@ -19,10 +29,49 @@ npm install @gnomondigital/nebulas-kit-core
 | `AUTH0_CLIENT_ID` | For client_credentials, ROP | Auth0 client ID |
 | `AUTH0_CLIENT_SECRET` | For client_credentials, ROP | Auth0 client secret |
 | `AUTH0_A2A_AUDIENCE` | For Auth0 strategies | API audience |
+| `AUTH0_ROP_USERNAME` | For env ROP (`createA2AProxyHandlerFromEnvROP`) | Service user username (server secret) |
+| `AUTH0_ROP_PASSWORD` | For env ROP | Service user password (server secret) |
 | `NEBULAS_API_URL` | For Nebulas | Conversation API base URL |
 | `NEBULAS_API_KEY` | For Nebulas proxy | x-api-key fallback when no session token |
 | `NEBULAS_PROJECT_ID` | For Nebulas | Project ID |
 
+## A2A proxy auth modes (Next.js)
+
+| Mode | When to use | Exports |
+|------|-------------|---------|
+| **Auth0 session** | User signs in with `@auth0/nextjs-auth0`; access token for `AUTH0_A2A_AUDIENCE` comes from the session. | `createA2AProxyHandler`, `createGetHeadersForAuth0`, `handleA2AAuthNextJsPOST` (body ROP, optional) |
+| **Env ROP** | No browser Auth0; a fixed **service user** in env performs Resource Owner Password; token is cached per process. | `createA2AProxyHandlerFromEnvROP`, `createGetHeadersFromEnvROP`, `getCachedAccessTokenFromEnvROP` |
+
+Env ROP example:
+
+```ts
+// app/api/a2a/route.ts
+import { createA2AProxyHandlerFromEnvROP } from "@gnomondigital/nebulas-kit-core";
+
+export const POST = createA2AProxyHandlerFromEnvROP({
+  apiKey: process.env.A2A_API_KEY,
+});
+```
+
+```ts
+// app/api/a2a/config/route.ts
+import type { NextRequest } from "next/server";
+import {
+  handleA2AConfigNextJsGET,
+  createGetHeadersFromEnvROP,
+} from "@gnomondigital/nebulas-kit-core";
+
+const getHeaders = createGetHeadersFromEnvROP({
+  apiKey: process.env.A2A_API_KEY,
+});
+
+export async function GET(request: NextRequest) {
+  return handleA2AConfigNextJsGET(request, { getHeaders });
+}
+```
+
+See `apps/demo_rop` in the monorepo for a full app using env ROP.
+
 ## Usage
 
 ### Client: sendMessageStream
@@ -92,10 +141,26 @@ export const DELETE = handler;
 
 ```ts
 import express from "express";
-import { createA2AExpressRouter } from "@gnomondigital/nebulas-kit-core";
+import { createA2AExpressRouter } from "@gnomondigital/nebulas-kit-core/express";
 
 const app = express();
 app.use(express.json());
 app.use("/api/a2a", createA2AExpressRouter(express));
 app.listen(3000);
 ```
+
+Use **`@gnomondigital/nebulas-kit-core/express`** so the bundle does not load Next.js adapters (`next/server`).
+
+**Env ROP** (service user in `AUTH0_ROP_USERNAME` / `AUTH0_ROP_PASSWORD`, same as Next.js `createA2AProxyHandlerFromEnvROP`):
+
+```ts
+app.use(
+  "/api/a2a",
+  createA2AExpressRouter(express, {
+    useEnvRop: true,
+    envRopApiKey: process.env.A2A_API_KEY,
+  })
+);
+```
+
+See `apps/demo_express_rop` in the monorepo for a full Express + Vite example.

package/dist/a2a-client.d.ts

@@ -2,10 +2,9 @@
  * A2A JSON-RPC client for AI Chat.
  * Communicates with the A2A agent via proxy (configurable endpoint).
  */
+import type { SendMessageStreamOptions } from "./types.js";
 /**
  * Send a message and stream the response via SSE.
  */
-export declare function sendMessageStream(message: string, onDelta: (chunk: string) => void, signal?: AbortSignal, files?: File[], stream?: boolean, sessionId?: string, options?: {
-    endpoint?: string;
-}): Promise<string>;
+export declare function sendMessageStream(message: string, onDelta: (chunk: string) => void, signal?: AbortSignal, files?: File[], stream?: boolean, sessionId?: string, options?: SendMessageStreamOptions): Promise<string>;
 //# sourceMappingURL=a2a-client.d.ts.map

package/dist/a2a-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"a2a-client.d.ts","sourceRoot":"","sources":["../src/a2a-client.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAYH;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,EAChC,MAAM,CAAC,EAAE,WAAW,EACpB,KAAK,CAAC,EAAE,IAAI,EAAE,EACd,MAAM,UAAO,EACb,SAAS,CAAC,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC7B,GACA,OAAO,CAAC,MAAM,CAAC,CA4HjB"}
+{"version":3,"file":"a2a-client.d.ts","sourceRoot":"","sources":["../src/a2a-client.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAY3D;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,EAChC,MAAM,CAAC,EAAE,WAAW,EACpB,KAAK,CAAC,EAAE,IAAI,EAAE,EACd,MAAM,UAAO,EACb,SAAS,CAAC,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,wBAAwB,GACjC,OAAO,CAAC,MAAM,CAAC,CAoIjB"}

package/dist/a2a-client.js

@@ -32,7 +32,15 @@ export async function sendMessageStream(message, onDelta, signal, files, stream
     }
     const method = stream ? "message/stream" : "message/send";
     const messageId = crypto.randomUUID();
-    const headers = { "Content-Type": "application/json" };
+    let extraHeaders = {};
+    if (options?.getHeaders) {
+        const h = options.getHeaders();
+        extraHeaders = h instanceof Promise ? await h : h;
+    }
+    const headers = {
+        ...extraHeaders,
+        "Content-Type": "application/json",
+    };
     const res = await fetch(endpoint, {
         method: "POST",
         headers,

package/dist/client-api.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Browser / React entry: A2A client, Nebulas client, shared types.
+ * Does not load Next.js, Express adapters, or other server-only modules.
+ *
+ * Use from UI code: `import { sendMessageStream } from "@gnomondigital/nebulas-kit-core/client"`
+ */
+export { sendMessageStream } from "./a2a-client.js";
+export { createNebulasClient, nebulasClient, type NebulasConversation, type NebulasChatMessage, type CreateChatMessageParams, type NebulasClientOptions, } from "./nebulas-client.js";
+export { transformUtcDatesToLocal } from "./utils/date-timezone.js";
+export type { ChatMessage, ChatMessagePayload, SendMessageStreamOptions, } from "./types.js";
+//# sourceMappingURL=client-api.d.ts.map

package/dist/client-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-api.d.ts","sourceRoot":"","sources":["../src/client-api.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,GAC1B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACpE,YAAY,EACV,WAAW,EACX,kBAAkB,EAClB,wBAAwB,GACzB,MAAM,YAAY,CAAC"}

package/dist/client-api.js

@@ -0,0 +1,9 @@
+/**
+ * Browser / React entry: A2A client, Nebulas client, shared types.
+ * Does not load Next.js, Express adapters, or other server-only modules.
+ *
+ * Use from UI code: `import { sendMessageStream } from "@gnomondigital/nebulas-kit-core/client"`
+ */
+export { sendMessageStream } from "./a2a-client.js";
+export { createNebulasClient, nebulasClient, } from "./nebulas-client.js";
+export { transformUtcDatesToLocal } from "./utils/date-timezone.js";

package/dist/express-api.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Express-only entry: avoids pulling Next.js (next/server) from the main package barrel.
+ */
+export { createA2AExpressRouter, type A2AExpressRouterOptions, } from "./server/express.js";
+//# sourceMappingURL=express-api.d.ts.map

package/dist/express-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"express-api.d.ts","sourceRoot":"","sources":["../src/express-api.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EACL,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,qBAAqB,CAAC"}

package/dist/express-api.js

@@ -0,0 +1,4 @@
+/**
+ * Express-only entry: avoids pulling Next.js (next/server) from the main package barrel.
+ */
+export { createA2AExpressRouter, } from "./server/express.js";

package/dist/index.d.ts

@@ -11,6 +11,7 @@ export { getAuthStrategy, getAuthHeaders, type AuthStrategy, } from "./server/au
 export { exchangePasswordForToken, type ROPAuthRequest, type ROPAuthResponse, } from "./server/auth-handler.js";
 export { createConfigResponse, type ConfigResponse, type AgentCard, type AgentCardCapabilities, } from "./server/config-handler.js";
 export { createA2AExpressRouter, type A2AExpressRouterOptions, } from "./server/express.js";
-export { handleA2ANextJsPOST, handleA2AAuthNextJsPOST, handleA2AConfigNextJsGET, createGetHeadersForAuth0, createA2AProxyHandler, createNebulasProxyHandler, type HandleA2AConfigOptions, type Auth0ClientInterface, type CreateA2AProxyHandlerOptions, type CreateNebulasProxyHandlerOptions, } from "./server/nextjs.js";
+export { handleA2ANextJsPOST, handleA2AAuthNextJsPOST, handleA2AConfigNextJsGET, createGetHeadersForAuth0, createGetHeadersFromEnvROP, createA2AProxyHandler, createA2AProxyHandlerFromEnvROP, createNebulasProxyHandler, type HandleA2AConfigOptions, type Auth0ClientInterface, type CreateA2AProxyHandlerOptions, type CreateA2AProxyHandlerFromEnvROPOptions, type CreateGetHeadersFromEnvROPOptions, type CreateNebulasProxyHandlerOptions, } from "./server/nextjs.js";
+export { getCachedAccessTokenFromEnvROP } from "./server/env-rop-token.js";
 export { handleNebulasProxy, isRefreshTokenInvalid, type NebulasProxyRequest, type NebulasProxyResponse, type NebulasProxyHandlerOptions, } from "./server/nebulas-proxy-handler.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,GAC1B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,wBAAwB,GACzB,MAAM,0BAA0B,CAAC;AAElC,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAE5F,OAAO,EACL,cAAc,EACd,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,mBAAmB,GACzB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,eAAe,EACf,cAAc,EACd,KAAK,YAAY,GAClB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,wBAAwB,EACxB,KAAK,cAAc,EACnB,KAAK,eAAe,GACrB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,oBAAoB,EACpB,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,qBAAqB,GAC3B,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,wBAAwB,EACxB,wBAAwB,EACxB,qBAAqB,EACrB,yBAAyB,EACzB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,KAAK,4BAA4B,EACjC,KAAK,gCAAgC,GACtC,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,0BAA0B,GAChC,MAAM,mCAAmC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,GAC1B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,wBAAwB,GACzB,MAAM,0BAA0B,CAAC;AAElC,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAE5F,OAAO,EACL,cAAc,EACd,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,mBAAmB,GACzB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,eAAe,EACf,cAAc,EACd,KAAK,YAAY,GAClB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,wBAAwB,EACxB,KAAK,cAAc,EACnB,KAAK,eAAe,GACrB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,oBAAoB,EACpB,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,qBAAqB,GAC3B,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,wBAAwB,EACxB,wBAAwB,EACxB,0BAA0B,EAC1B,qBAAqB,EACrB,+BAA+B,EAC/B,yBAAyB,EACzB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,KAAK,4BAA4B,EACjC,KAAK,sCAAsC,EAC3C,KAAK,iCAAiC,EACtC,KAAK,gCAAgC,GACtC,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,8BAA8B,EAAE,MAAM,2BAA2B,CAAC;AAE3E,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,0BAA0B,GAChC,MAAM,mCAAmC,CAAC"}

package/dist/index.js

@@ -10,6 +10,7 @@ export { getAuthStrategy, getAuthHeaders, } from "./server/auth-strategies.js";
 export { exchangePasswordForToken, } from "./server/auth-handler.js";
 export { createConfigResponse, } from "./server/config-handler.js";
 export { createA2AExpressRouter, } from "./server/express.js";
-// Usage: import express from "express"; app.use("/api/a2a", createA2AExpressRouter(express));
-export { handleA2ANextJsPOST, handleA2AAuthNextJsPOST, handleA2AConfigNextJsGET, createGetHeadersForAuth0, createA2AProxyHandler, createNebulasProxyHandler, } from "./server/nextjs.js";
+// Express-only apps: import from "@gnomondigital/nebulas-kit-core/express" to avoid loading Next.js.
+export { handleA2ANextJsPOST, handleA2AAuthNextJsPOST, handleA2AConfigNextJsGET, createGetHeadersForAuth0, createGetHeadersFromEnvROP, createA2AProxyHandler, createA2AProxyHandlerFromEnvROP, createNebulasProxyHandler, } from "./server/nextjs.js";
+export { getCachedAccessTokenFromEnvROP } from "./server/env-rop-token.js";
 export { handleNebulasProxy, isRefreshTokenInvalid, } from "./server/nebulas-proxy-handler.js";

package/dist/server/auth-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../../src/server/auth-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA8B1B"}
+{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../../src/server/auth-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA+B1B"}

package/dist/server/auth-handler.js

@@ -13,17 +13,18 @@ export async function exchangePasswordForToken(username, password) {
     if (!domain || !clientId || !clientSecret) {
         throw new Error("AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET required for ROP");
     }
+    const body = new URLSearchParams({
+        grant_type: "password",
+        username,
+        password,
+        client_id: clientId,
+        client_secret: clientSecret,
+        ...(audience && { audience }),
+    });
     const res = await fetch(`https://${domain}/oauth/token`, {
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
-        body: new URLSearchParams({
-            grant_type: "password",
-            username,
-            password,
-            client_id: clientId,
-            client_secret: clientSecret,
-            ...(audience && { audience }),
-        }),
+        body: body.toString(),
     });
     if (!res.ok) {
         const body = await res.json().catch(() => ({}));

package/dist/server/config-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-handler.d.ts","sourceRoot":"","sources":["../../src/server/config-handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,MAAM,WAAW,qBAAqB;IACpC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,qBAAqB,CAAC;IACrC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,SAAS,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC;IAC7B,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,2BAA2B;IAC1C,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,kGAAkG;IAClG,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAyBD,wBAAsB,oBAAoB,CACxC,OAAO,CAAC,EAAE,2BAA2B,GACpC,OAAO,CAAC,cAAc,CAAC,CAmBzB"}
+{"version":3,"file":"config-handler.d.ts","sourceRoot":"","sources":["../../src/server/config-handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,MAAM,WAAW,qBAAqB;IACpC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,qBAAqB,CAAC;IACrC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,SAAS,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC;IAC7B,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,2BAA2B;IAC1C,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,kGAAkG;IAClG,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAyBD,wBAAsB,oBAAoB,CACxC,OAAO,CAAC,EAAE,2BAA2B,GACpC,OAAO,CAAC,cAAc,CAAC,CAmBzB"}

package/dist/server/config-handler.js

@@ -3,7 +3,8 @@
  * Fetches agent card from A2A_URL/.well-known/agent-card.json when A2A_URL is set.
  * Framework-agnostic; returns JSON response body.
  */
-const A2A_URL = process.env.A2A_URL || process.env.NEXT_PUBLIC_A2A_URL || "";
+import { nodeEnv } from "./node-env.js";
+const A2A_URL = nodeEnv("A2A_URL") || nodeEnv("NEXT_PUBLIC_A2A_URL") || "";
 async function fetchAgentCard(headers) {
     const base = A2A_URL.replace(/\/$/, "");
     if (!base)
@@ -28,7 +29,7 @@ async function fetchAgentCard(headers) {
     }
 }
 export async function createConfigResponse(options) {
-    const nebulasProjectId = process.env.NEBULAS_PROJECT_ID ?? null;
+    const nebulasProjectId = nodeEnv("NEBULAS_PROJECT_ID") ?? null;
     const includeAgentCard = options?.includeAgentCard !== false;
     if (!includeAgentCard) {
         return {

package/dist/server/env-rop-token.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Cached Auth0 Resource Owner Password token using credentials from environment.
+ * Single service user (AUTH0_ROP_USERNAME / AUTH0_ROP_PASSWORD); shared across requests per process.
+ */
+/**
+ * Returns a valid access token, refreshing from Auth0 when near expiry.
+ * Concurrent callers share a single in-flight refresh.
+ */
+export declare function getCachedAccessTokenFromEnvROP(): Promise<string>;
+//# sourceMappingURL=env-rop-token.d.ts.map

package/dist/server/env-rop-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-rop-token.d.ts","sourceRoot":"","sources":["../../src/server/env-rop-token.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA8BH;;;GAGG;AACH,wBAAsB,8BAA8B,IAAI,OAAO,CAAC,MAAM,CAAC,CAiBtE"}

package/dist/server/env-rop-token.js

@@ -0,0 +1,37 @@
+/**
+ * Cached Auth0 Resource Owner Password token using credentials from environment.
+ * Single service user (AUTH0_ROP_USERNAME / AUTH0_ROP_PASSWORD); shared across requests per process.
+ */
+import { exchangePasswordForToken } from "./auth-handler.js";
+const EXPIRY_SKEW_MS = 60000;
+let cache = null;
+let refreshPromise = null;
+async function fetchAndCacheToken() {
+    const username = process.env.AUTH0_ROP_USERNAME;
+    const password = process.env.AUTH0_ROP_PASSWORD;
+    if (!username || !password) {
+        throw new Error("AUTH0_ROP_USERNAME and AUTH0_ROP_PASSWORD are required for env ROP token");
+    }
+    const data = await exchangePasswordForToken(username, password);
+    const expiresInSec = data.expires_in ?? 3600;
+    const expiresAtMs = Date.now() + expiresInSec * 1000;
+    cache = { token: data.access_token, expiresAtMs };
+    return data.access_token;
+}
+/**
+ * Returns a valid access token, refreshing from Auth0 when near expiry.
+ * Concurrent callers share a single in-flight refresh.
+ */
+export async function getCachedAccessTokenFromEnvROP() {
+    if (refreshPromise) {
+        return refreshPromise;
+    }
+    if (cache &&
+        Date.now() < cache.expiresAtMs - EXPIRY_SKEW_MS) {
+        return cache.token;
+    }
+    refreshPromise = fetchAndCacheToken().finally(() => {
+        refreshPromise = null;
+    });
+    return refreshPromise;
+}

package/dist/server/express.d.ts

@@ -28,6 +28,13 @@ import { type ProxyHandlerOptions } from "./proxy-handler.js";
 export interface A2AExpressRouterOptions extends ProxyHandlerOptions {
     /** When provided, uses these headers when fetching agent card (same auth as A2A proxy). */
     configGetHeaders?: (req: Request) => Promise<Record<string, string>>;
+    /**
+     * When true, uses AUTH0_ROP_USERNAME / AUTH0_ROP_PASSWORD for the A2A proxy and agent card
+     * (server-side env ROP), matching Next.js `createA2AProxyHandlerFromEnvROP`.
+     */
+    useEnvRop?: boolean;
+    /** Optional x-api-key when useEnvRop is true (e.g. process.env.A2A_API_KEY). */
+    envRopApiKey?: string;
 }
 /**
  * Create Express router for A2A proxy, auth (ROP), and config.

package/dist/server/express.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../../src/server/express.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,UAAU,cAAc;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IACvD,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChC;AAED,UAAU,eAAe;IACvB,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,eAAe,CAAC;IAC1C,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,eAAe,CAAC;IAC5D,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAC/B,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,GAAG,EAAE,MAAM,IAAI,CAAC;IAChB,IAAI,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,CAAC;CAC/B;AAED,UAAU,aAAa;IACrB,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,eAAe,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;IAC3G,GAAG,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,eAAe,KAAK,IAAI,KAAK,IAAI,CAAC;CAC3F;AAED,UAAU,aAAa;IACrB,MAAM,EAAE,MAAM,aAAa,CAAC;CAC7B;AAED,KAAK,OAAO,GAAG,cAAc,CAAC;AAE9B,OAAO,EAAkB,KAAK,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAI9E,MAAM,WAAW,uBAAwB,SAAQ,mBAAmB;IAClE,2FAA2F;IAC3F,gBAAgB,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACtE;AAeD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,aAAa,EACtB,OAAO,CAAC,EAAE,uBAAuB,iBAwElC"}
+{"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../../src/server/express.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,UAAU,cAAc;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IACvD,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChC;AAED,UAAU,eAAe;IACvB,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,eAAe,CAAC;IAC1C,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,eAAe,CAAC;IAC5D,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAC/B,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,GAAG,EAAE,MAAM,IAAI,CAAC;IAChB,IAAI,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,CAAC;CAC/B;AAED,UAAU,aAAa;IACrB,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,eAAe,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;IAC3G,GAAG,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,eAAe,KAAK,IAAI,KAAK,IAAI,CAAC;CAC3F;AAED,UAAU,aAAa;IACrB,MAAM,EAAE,MAAM,aAAa,CAAC;CAC7B;AAED,KAAK,OAAO,GAAG,cAAc,CAAC;AAE9B,OAAO,EAAkB,KAAK,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAK9E,MAAM,WAAW,uBAAwB,SAAQ,mBAAmB;IAClE,2FAA2F;IAC3F,gBAAgB,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACrE;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,gFAAgF;IAChF,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAoCD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,aAAa,EACtB,OAAO,CAAC,EAAE,uBAAuB,iBAiHlC"}

package/dist/server/express.js

@@ -5,6 +5,23 @@
 import { handleA2AProxy } from "./proxy-handler.js";
 import { exchangePasswordForToken } from "./auth-handler.js";
 import { createConfigResponse } from "./config-handler.js";
+import { getCachedAccessTokenFromEnvROP } from "./env-rop-token.js";
+async function buildEnvRopHeaders(apiKey) {
+    const headers = {};
+    if (apiKey) {
+        headers["x-api-key"] = apiKey;
+    }
+    const token = await getCachedAccessTokenFromEnvROP();
+    headers["Authorization"] = `Bearer ${token}`;
+    return headers;
+}
+function expressRouterProxyOptions(options) {
+    if (!options) {
+        return {};
+    }
+    const { configGetHeaders: _c, useEnvRop: _u, envRopApiKey: _a, ...rest } = options;
+    return rest;
+}
 function getHeadersFromRequest(req) {
     const headers = {};
     const h = req.headers;
@@ -37,7 +54,28 @@ export function createA2AExpressRouter(express, options) {
                 headers: getHeadersFromRequest(req),
                 body: body || undefined,
             };
-            const result = await handleA2AProxy(proxyReq, options);
+            let proxyOptions;
+            if (options?.useEnvRop) {
+                try {
+                    const authHeaders = await buildEnvRopHeaders(options.envRopApiKey);
+                    proxyOptions = {
+                        ...expressRouterProxyOptions(options),
+                        headers: authHeaders,
+                    };
+                }
+                catch (err) {
+                    console.error("[Env ROP] Failed to get access token:", err);
+                    res.status(401).json({
+                        error: "Unauthorized",
+                        hint: "Check AUTH0_ROP_USERNAME, AUTH0_ROP_PASSWORD, AUTH0_DOMAIN, client credentials, and Auth0 ROP configuration.",
+                    });
+                    return;
+                }
+            }
+            else {
+                proxyOptions = expressRouterProxyOptions(options);
+            }
+            const result = await handleA2AProxy(proxyReq, proxyOptions);
             res.status(result.status);
             for (const [k, v] of Object.entries(result.headers)) {
                 res.setHeader(k, v);
@@ -84,13 +122,34 @@ export function createA2AExpressRouter(express, options) {
         }
     });
     router.get("/config", async (req, res) => {
-        const includeAgentCard = req.query?.includeAgentCard !== "false";
-        let headers;
-        if (options?.configGetHeaders && includeAgentCard) {
-            headers = await options.configGetHeaders(req);
+        try {
+            const includeAgentCard = req.query?.includeAgentCard !== "false";
+            let headers;
+            if (includeAgentCard) {
+                if (options?.useEnvRop) {
+                    try {
+                        headers = await buildEnvRopHeaders(options.envRopApiKey);
+                    }
+                    catch (err) {
+                        console.error("[Env ROP] Failed to get access token:", err);
+                        res.status(401).json({
+                            error: "Unauthorized",
+                            hint: "Check AUTH0_ROP_USERNAME, AUTH0_ROP_PASSWORD, AUTH0_DOMAIN, client credentials, and Auth0 ROP configuration.",
+                        });
+                        return;
+                    }
+                }
+                else if (options?.configGetHeaders) {
+                    headers = await options.configGetHeaders(req);
+                }
+            }
+            const config = await createConfigResponse({ includeAgentCard, headers });
+            res.json(config);
+        }
+        catch (err) {
+            console.error("[A2A Express] Config error:", err);
+            res.status(500).json({ error: "Internal server error" });
         }
-        const config = await createConfigResponse({ includeAgentCard, headers });
-        res.json(config);
     });
     return router;
 }

package/dist/server/nebulas-proxy-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"nebulas-proxy-handler.d.ts","sourceRoot":"","sources":["../../src/server/nebulas-proxy-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAQH,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,GAAG,cAAc,CAAC,UAAU,CAAC,GAAG,WAAW,CAAC;CAC1D;AAED,MAAM,WAAW,0BAA0B;IACzC;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,mBAAmB,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAC3E;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAS3D;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,mBAAmB,EACxB,OAAO,GAAE,0BAA+B,GACvC,OAAO,CAAC,oBAAoB,CAAC,CAwH/B"}
+{"version":3,"file":"nebulas-proxy-handler.d.ts","sourceRoot":"","sources":["../../src/server/nebulas-proxy-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,GAAG,cAAc,CAAC,UAAU,CAAC,GAAG,WAAW,CAAC;CAC1D;AAED,MAAM,WAAW,0BAA0B;IACzC;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,mBAAmB,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAC3E;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAS3D;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,mBAAmB,EACxB,OAAO,GAAE,0BAA+B,GACvC,OAAO,CAAC,oBAAoB,CAAC,CAwH/B"}

package/dist/server/nebulas-proxy-handler.js

@@ -2,10 +2,11 @@
  * Framework-agnostic Nebulas API proxy handler.
  * Proxies requests to the Nebulas API (conversations, chat_messages).
  */
-const NEBULAS_API_URL = process.env.NEBULAS_API_URL || "http://localhost:8020";
-const A2A_AUDIENCE = process.env.AUTH0_A2A_AUDIENCE;
-const A2A_API_KEY = process.env.A2A_API_KEY;
-const NEBULAS_API_KEY = process.env.NEBULAS_API_KEY;
+import { nodeEnv } from "./node-env.js";
+const NEBULAS_API_URL = nodeEnv("NEBULAS_API_URL") || "http://localhost:8020";
+const A2A_AUDIENCE = nodeEnv("AUTH0_A2A_AUDIENCE");
+const A2A_API_KEY = nodeEnv("A2A_API_KEY");
+const NEBULAS_API_KEY = nodeEnv("NEBULAS_API_KEY");
 /**
  * Check if an error indicates invalid refresh token (for session re-auth).
  */

package/dist/server/nextjs.d.ts

@@ -72,6 +72,24 @@ export interface CreateA2AProxyHandlerOptions {
  *   export const POST = handler;
  */
 export declare function createA2AProxyHandler(options: CreateA2AProxyHandlerOptions): (request: NextRequest) => Promise<Response>;
+export interface CreateGetHeadersFromEnvROPOptions {
+    apiKey?: string;
+}
+/**
+ * Builds Authorization from a cached env-based ROP token (AUTH0_ROP_USERNAME / AUTH0_ROP_PASSWORD).
+ * Optional request parameter reserved for future use (e.g. per-request context).
+ */
+export declare function createGetHeadersFromEnvROP(options?: CreateGetHeadersFromEnvROPOptions): (request?: NextRequest) => Promise<Record<string, string>>;
+export interface CreateA2AProxyHandlerFromEnvROPOptions {
+    apiKey?: string;
+}
+/**
+ * Next.js POST handler for the A2A proxy using env ROP (service user), not Auth0 session.
+ *
+ * Use in app/api/a2a/route.ts:
+ *   export const POST = createA2AProxyHandlerFromEnvROP({ apiKey: process.env.A2A_API_KEY });
+ */
+export declare function createA2AProxyHandlerFromEnvROP(options?: CreateA2AProxyHandlerFromEnvROPOptions): (request: NextRequest) => Promise<Response>;
 /**
  * Options for the Nebulas API proxy handler.
  */

package/dist/server/nextjs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"nextjs.d.ts","sourceRoot":"","sources":["../../src/server/nextjs.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAkB,KAAK,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAiB9E;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,mBAAmB,qBA6B9B;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAAC,OAAO,EAAE,WAAW,qBAyBjE;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACxE;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,sBAAsB,qBAcjC;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,UAAU,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC;QAAE,IAAI,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;IAC7D,cAAc,CACZ,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,OAAO,EACZ,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,GACzB,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC/B;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE;IAChD,KAAK,EAAE,oBAAoB,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GAAG,CACF,OAAO,EAAE,WAAW,EACpB,YAAY,CAAC,EAAE,YAAY,KACxB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAoDnC;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,KAAK,EAAE,oBAAoB,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,4BAA4B,IAO3C,SAAS,WAAW,uBAuDnD;AAED;;GAEG;AACH,MAAM,WAAW,gCAAgC;IAC/C,KAAK,EAAE,oBAAoB,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,gCAAgC,IAE/E,SAAS,WAAW,EACpB,KAAK;IAAE,MAAM,EAAE,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAA;CAAE,oCAkH/C"}
+{"version":3,"file":"nextjs.d.ts","sourceRoot":"","sources":["../../src/server/nextjs.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAkB,KAAK,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAkB9E;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,mBAAmB,qBA6B9B;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAAC,OAAO,EAAE,WAAW,qBAyBjE;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACxE;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,sBAAsB,qBAqBjC;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,UAAU,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC;QAAE,IAAI,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;IAC7D,cAAc,CACZ,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,OAAO,EACZ,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,GACzB,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC/B;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE;IAChD,KAAK,EAAE,oBAAoB,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GAAG,CACF,OAAO,EAAE,WAAW,EACpB,YAAY,CAAC,EAAE,YAAY,KACxB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAoDnC;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,KAAK,EAAE,oBAAoB,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,4BAA4B,IAO3C,SAAS,WAAW,uBAuDnD;AAED,MAAM,WAAW,iCAAiC;IAChD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,CAAC,EAAE,iCAAiC,GAC1C,CAAC,OAAO,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAsB5D;AAED,MAAM,WAAW,sCAAsC;IACrD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,CAC7C,OAAO,CAAC,EAAE,sCAAsC,IAIlB,SAAS,WAAW,uBAiDnD;AAED;;GAEG;AACH,MAAM,WAAW,gCAAgC;IAC/C,KAAK,EAAE,oBAAoB,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,gCAAgC,IAE/E,SAAS,WAAW,EACpB,KAAK;IAAE,MAAM,EAAE,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAA;CAAE,oCAiH/C"}

package/dist/server/nextjs.js

@@ -6,6 +6,7 @@ import { NextResponse } from "next/server";
 import { handleA2AProxy } from "./proxy-handler.js";
 import { handleNebulasProxy, isRefreshTokenInvalid, } from "./nebulas-proxy-handler.js";
 import { exchangePasswordForToken } from "./auth-handler.js";
+import { getCachedAccessTokenFromEnvROP } from "./env-rop-token.js";
 import { createConfigResponse } from "./config-handler.js";
 function headersFromRequest(req) {
     const headers = {};
@@ -76,7 +77,15 @@ export async function handleA2AConfigNextJsGET(request, options) {
     const includeAgentCard = request.nextUrl.searchParams.get("includeAgentCard") !== "false";
     let headers;
     if (options?.getHeaders && includeAgentCard) {
-        headers = await options.getHeaders(request);
+        try {
+            headers = await options.getHeaders(request);
+        }
+        catch (e) {
+            if (e instanceof NextResponse) {
+                return e;
+            }
+            throw e;
+        }
     }
     const config = await createConfigResponse({ includeAgentCard, headers });
     return new Response(JSON.stringify(config), {
@@ -199,6 +208,82 @@ export function createA2AProxyHandler(options) {
         return new Response(null, { status: result.status, headers: responseHeaders });
     };
 }
+/**
+ * Builds Authorization from a cached env-based ROP token (AUTH0_ROP_USERNAME / AUTH0_ROP_PASSWORD).
+ * Optional request parameter reserved for future use (e.g. per-request context).
+ */
+export function createGetHeadersFromEnvROP(options) {
+    return async (_request) => {
+        const headers = {};
+        if (options?.apiKey) {
+            headers["x-api-key"] = options.apiKey;
+        }
+        try {
+            const token = await getCachedAccessTokenFromEnvROP();
+            headers["Authorization"] = `Bearer ${token}`;
+        }
+        catch (err) {
+            console.error("[Env ROP] Failed to get access token:", err);
+            throw new NextResponse(JSON.stringify({
+                error: "Unauthorized",
+                hint: "Check AUTH0_ROP_USERNAME, AUTH0_ROP_PASSWORD, AUTH0_DOMAIN, client credentials, and Auth0 ROP configuration.",
+            }), { status: 401, headers: { "Content-Type": "application/json" } });
+        }
+        return headers;
+    };
+}
+/**
+ * Next.js POST handler for the A2A proxy using env ROP (service user), not Auth0 session.
+ *
+ * Use in app/api/a2a/route.ts:
+ *   export const POST = createA2AProxyHandlerFromEnvROP({ apiKey: process.env.A2A_API_KEY });
+ */
+export function createA2AProxyHandlerFromEnvROP(options) {
+    const getHeaders = createGetHeadersFromEnvROP(options);
+    return async function handler(request) {
+        let authHeaders;
+        try {
+            authHeaders = await getHeaders(request);
+        }
+        catch (err) {
+            if (err instanceof NextResponse) {
+                return err;
+            }
+            throw err;
+        }
+        let body;
+        try {
+            const text = await request.text();
+            body = text.length > 0 ? text : undefined;
+        }
+        catch {
+            return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
+        }
+        const proxyReq = {
+            method: request.method,
+            headers: headersFromRequest(request),
+            body,
+        };
+        const result = await handleA2AProxy(proxyReq, { headers: authHeaders });
+        const responseHeaders = new Headers();
+        for (const [k, v] of Object.entries(result.headers)) {
+            responseHeaders.set(k, v);
+        }
+        if (typeof result.body === "string") {
+            return new Response(result.body, {
+                status: result.status,
+                headers: responseHeaders,
+            });
+        }
+        if (result.body instanceof ReadableStream) {
+            return new Response(result.body, {
+                status: result.status,
+                headers: responseHeaders,
+            });
+        }
+        return new Response(null, { status: result.status, headers: responseHeaders });
+    };
+}
 /**
  * Creates a Next.js App Router handler for the Nebulas API proxy (catch-all [...path]).
  * Proxies requests to NEBULAS_API_URL with Auth0 session token or API key.

package/dist/server/node-env.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Read `process.env` only when `process` exists (Node). Prevents ReferenceError if server
+ * modules are accidentally included in a browser bundle (e.g. incomplete tree-shaking).
+ */
+export declare function nodeEnv(name: string): string | undefined;
+//# sourceMappingURL=node-env.d.ts.map

package/dist/server/node-env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-env.d.ts","sourceRoot":"","sources":["../../src/server/node-env.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAKxD"}

package/dist/server/node-env.js

@@ -0,0 +1,12 @@
+/**
+ * Read `process.env` only when `process` exists (Node). Prevents ReferenceError if server
+ * modules are accidentally included in a browser bundle (e.g. incomplete tree-shaking).
+ */
+export function nodeEnv(name) {
+    if (typeof process === "undefined")
+        return undefined;
+    const env = process.env;
+    if (!env)
+        return undefined;
+    return env[name];
+}

package/dist/server/proxy-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"proxy-handler.d.ts","sourceRoot":"","sources":["../../src/server/proxy-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAUH,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;CAC5C;AAED,MAAM,WAAW,mBAAmB;IAClC,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,YAAY,KAAK,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IACrE;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,YAAY,EACjB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,aAAa,CAAC,CAkFxB"}
+{"version":3,"file":"proxy-handler.d.ts","sourceRoot":"","sources":["../../src/server/proxy-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAYH,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;CAC5C;AAED,MAAM,WAAW,mBAAmB;IAClC,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,YAAY,KAAK,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IACrE;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,YAAY,EACjB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,aAAa,CAAC,CAkFxB"}

package/dist/server/proxy-handler.js

@@ -3,7 +3,8 @@
  * Accepts a minimal request/response interface.
  */
 import { getAuthStrategy, getAuthHeaders, } from "./auth-strategies.js";
-const A2A_URL = process.env.A2A_URL || process.env.NEXT_PUBLIC_A2A_URL || "http://localhost:9999";
+import { nodeEnv } from "./node-env.js";
+const A2A_URL = nodeEnv("A2A_URL") || nodeEnv("NEXT_PUBLIC_A2A_URL") || "http://localhost:9999";
 /**
  * Handle A2A proxy request. Returns response to send.
  */
@@ -26,7 +27,7 @@ export async function handleA2AProxy(req, options = {}) {
         else if (strategy === "session" && options.getSessionToken) {
             bearerToken = await options.getSessionToken(req);
         }
-        if (strategy === "session" && !bearerToken && !process.env.A2A_API_KEY) {
+        if (strategy === "session" && !bearerToken && !nodeEnv("A2A_API_KEY")) {
             return {
                 status: 401,
                 headers: { "Content-Type": "application/json" },

package/dist/types.d.ts

@@ -14,14 +14,13 @@ export interface ChatMessagePayload {
     role: "user" | "assistant";
     content: string;
 }
+/** Options for {@link import("./a2a-client.js").sendMessageStream}. */
 export interface SendMessageStreamOptions {
-    endpoint: string;
-    message: string;
-    onDelta: (chunk: string) => void;
-    signal?: AbortSignal;
-    files?: File[];
-    stream?: boolean;
-    sessionId?: string;
-    getHeaders?: () => Promise<Record<string, string>>;
+    endpoint?: string;
+    /**
+     * Extra headers merged before Content-Type (e.g. Authorization Bearer for ROP).
+     * Sync or async; Content-Type is always set to application/json after merge.
+     */
+    getHeaders?: () => Record<string, string> | Promise<Record<string, string>>;
 }
 //# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,KAAK,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,GAAG,WAAW,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;IACjC,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACpD"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,KAAK,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,GAAG,WAAW,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,uEAAuE;AACvE,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC7E"}

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "@gnomondigital/nebulas-kit-core",
-  "version": "0.3.2",
+  "version": "0.4.1",
   "type": "module",
+  "sideEffects": false,
   "main": "./dist/index.js",
   "module": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -9,6 +10,14 @@
     ".": {
       "import": "./dist/index.js",
       "types": "./dist/index.d.ts"
+    },
+    "./express": {
+      "import": "./dist/express-api.js",
+      "types": "./dist/express-api.d.ts"
+    },
+    "./client": {
+      "import": "./dist/client-api.js",
+      "types": "./dist/client-api.d.ts"
     }
   },
   "files": [