@keelapi/sdk 0.1.0

package/dist/src/errors.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeelError = void 0;
+class KeelError extends Error {
+    constructor(status, message, details, code, field) {
+        super(message);
+        this.name = "KeelError";
+        this.status = status;
+        this.code = code;
+        this.field = field;
+        this.details = details;
+    }
+}
+exports.KeelError = KeelError;

package/dist/src/http.d.ts

@@ -0,0 +1,48 @@
+export type RequestIdProvider = () => string | null | undefined;
+export interface RequestFreshnessOptions {
+    enabled: boolean;
+    nonceFn?: () => string;
+    timestampFn?: () => number;
+}
+export interface HttpTransportOptions {
+    baseUrl: string;
+    apiKey: string;
+    timeoutMs?: number;
+    requestId?: string;
+    requestIdProvider?: RequestIdProvider;
+    requestFreshness?: RequestFreshnessOptions;
+}
+export declare class HttpTransport {
+    private readonly baseUrl;
+    private readonly apiKey;
+    private readonly timeoutMs;
+    private readonly fetchImpl;
+    private readonly requestId?;
+    private readonly requestIdProvider?;
+    private readonly requestFreshness?;
+    constructor(options: HttpTransportOptions);
+    post<T>(path: string, body?: unknown): Promise<T>;
+    postWithMeta<T>(path: string, body?: unknown): Promise<{
+        payload: T;
+        request_id?: string;
+    }>;
+    get<T>(path: string, query?: Record<string, string>): Promise<T>;
+    getWithMeta<T>(path: string, query?: Record<string, string>): Promise<{
+        payload: T;
+        request_id?: string;
+    }>;
+    delete(path: string): Promise<void>;
+    postStream(path: string, body?: unknown): Promise<Response>;
+    getRaw(path: string, query?: Record<string, string>): Promise<Response>;
+    private requestJson;
+    private buildHeaders;
+    private attachFreshnessHeaders;
+    private resolveRequestId;
+    private parseJson;
+    private extractRequestId;
+    extractErrorInfo(payload: unknown, fallback: string): {
+        message: string;
+        code?: string;
+        field?: string;
+    };
+}

package/dist/src/http.js

@@ -0,0 +1,303 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HttpTransport = void 0;
+const undici_1 = require("undici");
+const crypto_1 = require("crypto");
+const errors_1 = require("./errors");
+const DEFAULT_TIMEOUT_MS = 10000;
+function resolveFetch() {
+    if (typeof globalThis.fetch === "function") {
+        return globalThis.fetch.bind(globalThis);
+    }
+    return undici_1.fetch;
+}
+class HttpTransport {
+    constructor(options) {
+        const { baseUrl, apiKey, timeoutMs, requestId, requestIdProvider, requestFreshness, } = options;
+        if (!baseUrl || !baseUrl.trim()) {
+            throw new Error("baseUrl is required");
+        }
+        if (!apiKey || !apiKey.trim()) {
+            throw new Error("apiKey is required");
+        }
+        this.baseUrl = baseUrl.replace(/\/+$/, "");
+        this.apiKey = apiKey;
+        this.timeoutMs = timeoutMs ?? DEFAULT_TIMEOUT_MS;
+        this.fetchImpl = resolveFetch();
+        this.requestId = isNonEmptyString(requestId) ? requestId : undefined;
+        this.requestIdProvider = requestIdProvider;
+        this.requestFreshness = resolveRequestFreshness(requestFreshness);
+    }
+    async post(path, body) {
+        const { payload } = await this.requestJson({
+            method: "POST",
+            path,
+            body,
+        });
+        return payload;
+    }
+    async postWithMeta(path, body) {
+        const { payload, requestId } = await this.requestJson({
+            method: "POST",
+            path,
+            body,
+        });
+        return { payload, request_id: requestId };
+    }
+    async get(path, query) {
+        let url = path;
+        if (query) {
+            const filtered = Object.entries(query).filter(([, v]) => v !== undefined && v !== null && v !== "");
+            if (filtered.length > 0) {
+                url += "?" + new URLSearchParams(filtered).toString();
+            }
+        }
+        const { payload } = await this.requestJson({ method: "GET", path: url });
+        return payload;
+    }
+    async getWithMeta(path, query) {
+        let url = path;
+        if (query) {
+            const filtered = Object.entries(query).filter(([, v]) => v !== undefined && v !== null && v !== "");
+            if (filtered.length > 0) {
+                url += "?" + new URLSearchParams(filtered).toString();
+            }
+        }
+        const { payload, requestId } = await this.requestJson({
+            method: "GET",
+            path: url,
+        });
+        return { payload, request_id: requestId };
+    }
+    async delete(path) {
+        await this.requestJson({
+            method: "DELETE",
+            path,
+        });
+    }
+    async postStream(path, body) {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), this.timeoutMs * 6);
+        try {
+            const response = await this.fetchImpl(`${this.baseUrl}${path}`, {
+                method: "POST",
+                headers: this.buildHeaders(true, body !== undefined),
+                body: body === undefined ? undefined : JSON.stringify(body),
+                signal: controller.signal,
+            });
+            if (!response.ok) {
+                const payload = await this.parseJson(response);
+                const { message, code, field } = this.extractErrorInfo(payload, response.statusText);
+                throw new errors_1.KeelError(response.status, message, payload, code, field);
+            }
+            return response;
+        }
+        catch (error) {
+            clearTimeout(timeout);
+            if (error instanceof errors_1.KeelError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === "AbortError") {
+                throw new errors_1.KeelError(408, `Stream timed out`);
+            }
+            throw new errors_1.KeelError(0, "Network error", error);
+        }
+    }
+    async getRaw(path, query) {
+        let url = path;
+        if (query) {
+            const filtered = Object.entries(query).filter(([, v]) => v !== undefined && v !== null && v !== "");
+            if (filtered.length > 0) {
+                url += "?" + new URLSearchParams(filtered).toString();
+            }
+        }
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+        try {
+            const response = await this.fetchImpl(`${this.baseUrl}${url}`, {
+                method: "GET",
+                headers: this.buildHeaders(true, false),
+                signal: controller.signal,
+            });
+            if (!response.ok) {
+                const payload = await this.parseJson(response);
+                const { message, code, field } = this.extractErrorInfo(payload, response.statusText);
+                throw new errors_1.KeelError(response.status, message, payload, code, field);
+            }
+            return response;
+        }
+        catch (error) {
+            if (error instanceof errors_1.KeelError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === "AbortError") {
+                throw new errors_1.KeelError(408, `Request timed out after ${this.timeoutMs}ms`);
+            }
+            throw new errors_1.KeelError(0, "Network error", error);
+        }
+        finally {
+            clearTimeout(timeout);
+        }
+    }
+    async requestJson({ method, path, body, includeAuth = true, }) {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+        try {
+            const response = await this.fetchImpl(`${this.baseUrl}${path}`, {
+                method,
+                headers: this.buildHeaders(includeAuth, body !== undefined),
+                body: body === undefined ? undefined : JSON.stringify(body),
+                signal: controller.signal,
+            });
+            const payload = await this.parseJson(response);
+            if (!response.ok) {
+                const { message, code, field } = this.extractErrorInfo(payload, response.statusText);
+                throw new errors_1.KeelError(response.status, message, payload, code, field);
+            }
+            return {
+                payload: payload,
+                requestId: this.extractRequestId(response, payload),
+            };
+        }
+        catch (error) {
+            if (error instanceof errors_1.KeelError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === "AbortError") {
+                throw new errors_1.KeelError(408, `Request timed out after ${this.timeoutMs}ms`);
+            }
+            throw new errors_1.KeelError(0, "Network error", error);
+        }
+        finally {
+            clearTimeout(timeout);
+        }
+    }
+    buildHeaders(includeAuth, includeContentType) {
+        const headers = new Headers();
+        if (includeContentType) {
+            headers.set("Content-Type", "application/json");
+        }
+        if (includeAuth) {
+            headers.set("Authorization", `Bearer ${this.apiKey}`);
+            this.attachFreshnessHeaders(headers);
+        }
+        const requestId = this.resolveRequestId();
+        if (requestId) {
+            headers.set("X-Request-Id", requestId);
+        }
+        return headers;
+    }
+    attachFreshnessHeaders(headers) {
+        if (!this.requestFreshness) {
+            return;
+        }
+        const timestamp = resolveFreshnessTimestamp(this.requestFreshness.timestampFn);
+        const nonce = resolveFreshnessNonce(this.requestFreshness.nonceFn);
+        headers.set("X-Keel-Timestamp", String(timestamp));
+        headers.set("X-Keel-Nonce", nonce);
+    }
+    resolveRequestId() {
+        if (this.requestIdProvider) {
+            const requestIdFromProvider = this.requestIdProvider();
+            if (isNonEmptyString(requestIdFromProvider)) {
+                return requestIdFromProvider;
+            }
+        }
+        if (isNonEmptyString(this.requestId)) {
+            return this.requestId;
+        }
+        return undefined;
+    }
+    async parseJson(response) {
+        const text = await response.text();
+        if (!text) {
+            return {};
+        }
+        try {
+            return JSON.parse(text);
+        }
+        catch {
+            throw new errors_1.KeelError(response.status, "Invalid JSON response", text);
+        }
+    }
+    extractRequestId(response, payload) {
+        const requestIdFromHeader = response.headers.get("x-request-id");
+        if (isNonEmptyString(requestIdFromHeader)) {
+            return requestIdFromHeader;
+        }
+        if (payload && typeof payload === "object") {
+            const requestIdFromPayload = payload
+                .request_id;
+            if (isNonEmptyString(requestIdFromPayload)) {
+                return requestIdFromPayload;
+            }
+        }
+        return undefined;
+    }
+    extractErrorInfo(payload, fallback) {
+        if (payload && typeof payload === "object") {
+            const maybeError = payload.error;
+            if (maybeError && typeof maybeError === "object") {
+                const err = maybeError;
+                const message = typeof err.message === "string" && err.message.trim()
+                    ? err.message
+                    : undefined;
+                const code = typeof err.code === "string" && err.code.trim()
+                    ? err.code
+                    : undefined;
+                const field = typeof err.field === "string" && err.field.trim()
+                    ? err.field
+                    : undefined;
+                if (message) {
+                    return { message, code, field };
+                }
+            }
+            const maybeMessage = payload.message;
+            if (typeof maybeMessage === "string" && maybeMessage.trim()) {
+                return { message: maybeMessage };
+            }
+        }
+        return { message: fallback || "Request failed" };
+    }
+}
+exports.HttpTransport = HttpTransport;
+function isNonEmptyString(value) {
+    return typeof value === "string" && value.trim().length > 0;
+}
+function resolveRequestFreshness(requestFreshness) {
+    if (!requestFreshness?.enabled) {
+        return undefined;
+    }
+    return {
+        nonceFn: requestFreshness.nonceFn ?? defaultNonce,
+        timestampFn: requestFreshness.timestampFn ?? defaultTimestamp,
+    };
+}
+function resolveFreshnessTimestamp(timestampFn) {
+    const timestamp = timestampFn();
+    if (Number.isFinite(timestamp) && timestamp > 0) {
+        return Math.floor(timestamp);
+    }
+    return defaultTimestamp();
+}
+function resolveFreshnessNonce(nonceFn) {
+    const nonce = nonceFn();
+    if (isNonEmptyString(nonce) && nonce.trim().length >= 16) {
+        return nonce.trim();
+    }
+    return fallbackNonce();
+}
+function defaultTimestamp() {
+    return Math.floor(Date.now() / 1000);
+}
+function defaultNonce() {
+    try {
+        return (0, crypto_1.randomUUID)().replace(/-/g, "");
+    }
+    catch {
+        return fallbackNonce();
+    }
+}
+function fallbackNonce() {
+    return (0, crypto_1.randomBytes)(16).toString("hex");
+}

package/dist/src/index.d.ts

@@ -0,0 +1,15 @@
+export { KeelClient } from "./client";
+export type { KeelClientOptions, RequestFreshnessOptions, RequestIdProvider, } from "./client";
+export { KeelError } from "./errors";
+export { PermitsClient } from "./clients/permits";
+export { ExecutionsClient } from "./clients/executions";
+export { ExecuteClient } from "./clients/execute";
+export { ProxyClient } from "./clients/proxy";
+export { JobsClient } from "./clients/jobs";
+export { RequestsClient } from "./clients/requests";
+export { parseSSEStream } from "./streaming";
+export { keelExpress } from "./middleware/express";
+export type { KeelExpressOptions } from "./middleware/express";
+export { withKeel } from "./middleware/next";
+export type { KeelNextOptions, NextApiHandler, NextApiRequestLike, NextApiResponseLike, } from "./middleware/next";
+export type { Action, ActionMessage, ApiKey, AuthedHealthResponse, ConditionEvaluation, ConditionMatch, ConditionOutcome, CreateApiKeyResponse, Decision, DecisionDetails, ExecuteRequest, ExecutionAssetInput, ExecutionAssetSource, ExecutionCompletedEvent, ExecutionContentDelta, ExecutionCreateRequest, ExecutionDeniedEvent, ExecutionDoneEvent, ExecutionErrorEvent, ExecutionErrorPayload, ExecutionGovernance, ExecutionInputPart, ExecutionInputType, ExecutionMessage, ExecutionMode, ExecutionOperation, ExecutionOutput, ExecutionOutputAsset, ExecutionOutputContentPart, ExecutionParametersInput, ExecutionProviderOptions, ExecutionRawEvent, ExecutionResolved, ExecutionResponse, ExecutionRole, ExecutionRoutingInput, ExecutionRoutingResult, ExecutionRoutingTarget, ExecutionStartedEvent, ExecutionStreamEvent, ExecutionStreamEventName, ExecutionTimelineExecution, ExecutionTimelinePermit, ExecutionTimelineQueue, ExecutionTimelineResponse, ExecutionTimelineRouting, ExecutionTimelineUsage, ExecutionTiming, ExecutionUsage, HealthResponse, InputDescriptor, JobCreateResponse, JobStatus, JobStatusResponse, JobSubmitRequest, ListApiKeysResponse, Metadata, PermitAttestationRequest, PermitAttestResponse, PermitAttestationOut, PermitAuditBundle, PermitAuditItem, PermitAuditListResponse, PermitConditionRule, PermitConditions, PermitDryRunReplayOutcome, PermitDryRunResponse, PermitEvidenceCreateRequest, PermitEvidenceListResponse, PermitEvidenceOut, PermitExportFormat, PermitLineageNode, PermitLineageNodeSummary, PermitLineageResponse, PermitListParams, PermitRequest, PermitResponse, PermitUsageReportRequest, PermitUsageReportResponse, PermitWithMetaResponse, RequestTimelineEvent, RequestTimelineEventSource, RequestTimelinePhase, RequestTimelineResponse, Resource, ResourceAttributes, RevokeApiKeyResponse, RoutingDecision, RoutingPriority, RoutingProvider, RoutingReasonCode, RoutingTarget, Subject, BudgetEnvelopeSummary, } from "./types";

package/dist/src/index.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withKeel = exports.keelExpress = exports.parseSSEStream = exports.RequestsClient = exports.JobsClient = exports.ProxyClient = exports.ExecuteClient = exports.ExecutionsClient = exports.PermitsClient = exports.KeelError = exports.KeelClient = void 0;
+var client_1 = require("./client");
+Object.defineProperty(exports, "KeelClient", { enumerable: true, get: function () { return client_1.KeelClient; } });
+var errors_1 = require("./errors");
+Object.defineProperty(exports, "KeelError", { enumerable: true, get: function () { return errors_1.KeelError; } });
+var permits_1 = require("./clients/permits");
+Object.defineProperty(exports, "PermitsClient", { enumerable: true, get: function () { return permits_1.PermitsClient; } });
+var executions_1 = require("./clients/executions");
+Object.defineProperty(exports, "ExecutionsClient", { enumerable: true, get: function () { return executions_1.ExecutionsClient; } });
+var execute_1 = require("./clients/execute");
+Object.defineProperty(exports, "ExecuteClient", { enumerable: true, get: function () { return execute_1.ExecuteClient; } });
+var proxy_1 = require("./clients/proxy");
+Object.defineProperty(exports, "ProxyClient", { enumerable: true, get: function () { return proxy_1.ProxyClient; } });
+var jobs_1 = require("./clients/jobs");
+Object.defineProperty(exports, "JobsClient", { enumerable: true, get: function () { return jobs_1.JobsClient; } });
+var requests_1 = require("./clients/requests");
+Object.defineProperty(exports, "RequestsClient", { enumerable: true, get: function () { return requests_1.RequestsClient; } });
+var streaming_1 = require("./streaming");
+Object.defineProperty(exports, "parseSSEStream", { enumerable: true, get: function () { return streaming_1.parseSSEStream; } });
+var express_1 = require("./middleware/express");
+Object.defineProperty(exports, "keelExpress", { enumerable: true, get: function () { return express_1.keelExpress; } });
+var next_1 = require("./middleware/next");
+Object.defineProperty(exports, "withKeel", { enumerable: true, get: function () { return next_1.withKeel; } });

package/dist/src/middleware/express.d.ts

@@ -0,0 +1,4 @@
+import type express from "express";
+import { type KeelMiddlewareOptions } from "./shared";
+export type KeelExpressOptions = KeelMiddlewareOptions<express.Request, express.Response>;
+export declare function keelExpress(opts: KeelExpressOptions): express.RequestHandler;

package/dist/src/middleware/express.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.keelExpress = keelExpress;
+const shared_1 = require("./shared");
+function keelExpress(opts) {
+    const client = (0, shared_1.createKeelClientForMiddleware)({
+        baseUrl: opts.baseUrl,
+        apiKey: opts.apiKey,
+        requestFreshness: opts.requestFreshness,
+    });
+    return async (req, res, next) => {
+        try {
+            const permitRequest = (0, shared_1.buildPermitRequest)(req, opts);
+            const permitResult = await client.createPermitWithMeta(permitRequest);
+            const outcome = (0, shared_1.enforceDecision)(req, res, permitResult.permit, opts, permitResult.request_id);
+            if (outcome === "allow") {
+                next();
+            }
+            return;
+        }
+        catch (error) {
+            const failure = (0, shared_1.toMiddlewareFailure)(error);
+            res.status(failure.httpStatus).json(failure.body);
+        }
+    };
+}

package/dist/src/middleware/next.d.ts

@@ -0,0 +1,10 @@
+import { type KeelMiddlewareOptions, type MethodUrlLike, type MiddlewareResponseLike } from "./shared";
+export interface NextApiRequestLike extends MethodUrlLike {
+    [key: string]: unknown;
+}
+export interface NextApiResponseLike extends MiddlewareResponseLike {
+    [key: string]: unknown;
+}
+export type NextApiHandler<TReq extends NextApiRequestLike = NextApiRequestLike, TRes extends NextApiResponseLike = NextApiResponseLike> = (req: TReq, res: TRes) => unknown | Promise<unknown>;
+export type KeelNextOptions<TReq extends NextApiRequestLike = NextApiRequestLike, TRes extends NextApiResponseLike = NextApiResponseLike> = KeelMiddlewareOptions<TReq, TRes>;
+export declare function withKeel<TReq extends NextApiRequestLike, TRes extends NextApiResponseLike>(handler: NextApiHandler<TReq, TRes>, opts: KeelNextOptions<TReq, TRes>): NextApiHandler<TReq, TRes>;

package/dist/src/middleware/next.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withKeel = withKeel;
+const shared_1 = require("./shared");
+function withKeel(handler, opts) {
+    const client = (0, shared_1.createKeelClientForMiddleware)({
+        baseUrl: opts.baseUrl,
+        apiKey: opts.apiKey,
+        requestFreshness: opts.requestFreshness,
+    });
+    return async (req, res) => {
+        try {
+            const permitRequest = (0, shared_1.buildPermitRequest)(req, opts);
+            const permitResult = await client.createPermitWithMeta(permitRequest);
+            const outcome = (0, shared_1.enforceDecision)(req, res, permitResult.permit, opts, permitResult.request_id);
+            if (outcome === "allow") {
+                return handler(req, res);
+            }
+            return;
+        }
+        catch (error) {
+            const failure = (0, shared_1.toMiddlewareFailure)(error);
+            return res.status(failure.httpStatus).json(failure.body);
+        }
+    };
+}

package/dist/src/middleware/shared.d.ts

@@ -0,0 +1,40 @@
+import { KeelClient, type RequestFreshnessOptions } from "../client";
+import type { Action, PermitRequest, PermitResponse, Resource, Subject } from "../types";
+export interface MiddlewareResponseLike {
+    status(code: number): MiddlewareResponseLike;
+    json(payload: unknown): unknown;
+}
+export interface KeelMiddlewareOptions<TReq extends MethodUrlLike, TRes extends MiddlewareResponseLike> {
+    baseUrl?: string;
+    apiKey?: string;
+    requestFreshness?: RequestFreshnessOptions;
+    projectId: string;
+    getSubject(req: TReq): Subject;
+    getAction?(req: TReq): Action;
+    getResource(req: TReq): Resource;
+    getContext?(req: TReq): Record<string, any> | null;
+    idempotencyKey?(req: TReq): string;
+    onDeny?(req: TReq, res: TRes, permit: PermitResponse): void;
+    onChallenge?(req: TReq, res: TRes, permit: PermitResponse): void;
+}
+export interface MethodUrlLike {
+    method?: string;
+    originalUrl?: string;
+    url?: string;
+}
+export interface MiddlewareFailure {
+    httpStatus: number;
+    body: {
+        error: "keel_error";
+        message: string;
+        status: number;
+    };
+}
+export declare function createKeelClientForMiddleware(options: {
+    baseUrl?: string;
+    apiKey?: string;
+    requestFreshness?: RequestFreshnessOptions;
+}): KeelClient;
+export declare function buildPermitRequest<TReq extends MethodUrlLike, TRes extends MiddlewareResponseLike>(req: TReq, options: KeelMiddlewareOptions<TReq, TRes>): PermitRequest;
+export declare function enforceDecision<TReq extends MethodUrlLike, TRes extends MiddlewareResponseLike>(req: TReq, res: TRes, permit: PermitResponse, options: Pick<KeelMiddlewareOptions<TReq, TRes>, "onDeny" | "onChallenge">, responseRequestId?: string): "allow" | "handled";
+export declare function toMiddlewareFailure(error: unknown): MiddlewareFailure;

package/dist/src/middleware/shared.js

@@ -0,0 +1,122 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createKeelClientForMiddleware = createKeelClientForMiddleware;
+exports.buildPermitRequest = buildPermitRequest;
+exports.enforceDecision = enforceDecision;
+exports.toMiddlewareFailure = toMiddlewareFailure;
+const client_1 = require("../client");
+const errors_1 = require("../errors");
+function createKeelClientForMiddleware(options) {
+    const baseUrl = options.baseUrl ?? process.env.KEEL_BASE_URL;
+    const apiKey = options.apiKey ?? process.env.KEEL_API_KEY;
+    if (!baseUrl || !baseUrl.trim()) {
+        throw new Error("Keel middleware requires baseUrl or KEEL_BASE_URL.");
+    }
+    if (!apiKey || !apiKey.trim()) {
+        throw new Error("Keel middleware requires apiKey or KEEL_API_KEY.");
+    }
+    return new client_1.KeelClient({
+        baseUrl,
+        apiKey,
+        requestFreshness: options.requestFreshness,
+    });
+}
+function buildPermitRequest(req, options) {
+    const subject = options.getSubject(req);
+    const action = options.getAction?.(req) ?? {
+        name: "request",
+        attributes: {},
+    };
+    const resource = options.getResource(req);
+    const context = options.getContext?.(req) ?? null;
+    const idempotencyKey = options.idempotencyKey?.(req) ?? defaultIdempotencyKey(req, subject);
+    return {
+        project_id: options.projectId,
+        idempotency_key: idempotencyKey,
+        subject,
+        action,
+        resource,
+        context,
+    };
+}
+function enforceDecision(req, res, permit, options, responseRequestId) {
+    if (permit.decision === "allow") {
+        return "allow";
+    }
+    const requestId = resolveRequestId(permit, responseRequestId);
+    if (permit.decision === "deny") {
+        if (options.onDeny) {
+            options.onDeny(req, res, permit);
+            return "handled";
+        }
+        res.status(403).json({
+            error: "deny",
+            reason: permit.reason,
+            permit,
+            ...(requestId ? { request_id: requestId } : {}),
+        });
+        return "handled";
+    }
+    if (options.onChallenge) {
+        options.onChallenge(req, res, permit);
+        return "handled";
+    }
+    res.status(401).json({
+        error: "challenge",
+        reason: permit.reason,
+        permit,
+        ...(requestId ? { request_id: requestId } : {}),
+    });
+    return "handled";
+}
+function toMiddlewareFailure(error) {
+    if (error instanceof errors_1.KeelError) {
+        const sourceStatus = Number.isFinite(error.status) && error.status > 0 ? error.status : 502;
+        if (sourceStatus >= 400 && sourceStatus < 500) {
+            return {
+                httpStatus: sourceStatus,
+                body: {
+                    error: "keel_error",
+                    message: error.message,
+                    status: sourceStatus,
+                },
+            };
+        }
+        return {
+            httpStatus: 502,
+            body: {
+                error: "keel_error",
+                message: error.message,
+                status: sourceStatus,
+            },
+        };
+    }
+    const message = error instanceof Error ? error.message : "Unknown error";
+    return {
+        httpStatus: 502,
+        body: {
+            error: "keel_error",
+            message,
+            status: 502,
+        },
+    };
+}
+function defaultIdempotencyKey(req, subject) {
+    const method = (req.method || "GET").toUpperCase();
+    const url = req.originalUrl || req.url || "";
+    return `${method}:${url}:${subject.type}:${subject.id}`;
+}
+function resolveRequestId(permit, responseRequestId) {
+    if (isNonEmptyString(responseRequestId)) {
+        return responseRequestId;
+    }
+    const requestIdFromPermit = permit
+        .request_id;
+    if (isNonEmptyString(requestIdFromPermit)) {
+        return requestIdFromPermit;
+    }
+    return undefined;
+}
+function isNonEmptyString(value) {
+    return typeof value === "string" && value.trim().length > 0;
+}

package/dist/src/streaming.d.ts

@@ -0,0 +1,2 @@
+import type { ExecutionStreamEvent } from "./types";
+export declare function parseSSEStream(response: Response): AsyncGenerator<ExecutionStreamEvent>;