@llui/agent 0.0.29

package/dist/server/http/resume.js

@@ -0,0 +1,89 @@
+import { signToken } from '../token.js';
+export async function handleResumeList(req, deps) {
+    if (req.method !== 'POST')
+        return methodNotAllowed();
+    const body = (await req.json().catch(() => null));
+    if (!body || !Array.isArray(body.tids))
+        return badRequest();
+    const uid = await deps.identityResolver(req);
+    const nowMs = (deps.now ?? (() => Date.now()))();
+    const out = [];
+    for (const tid of body.tids) {
+        const rec = await deps.tokenStore.findByTid(tid);
+        if (!rec)
+            continue;
+        if (rec.uid !== uid)
+            continue;
+        if (rec.status !== 'pending-resume')
+            continue;
+        if (rec.pendingResumeUntil === null || rec.pendingResumeUntil < nowMs)
+            continue;
+        out.push({
+            tid: rec.tid,
+            label: rec.label ?? '(unknown)',
+            status: 'pending-resume',
+            createdAt: rec.createdAt,
+            lastSeenAt: rec.lastSeenAt,
+        });
+    }
+    const payload = { sessions: out };
+    return jsonResponse(payload, 200);
+}
+export async function handleResumeClaim(req, deps) {
+    if (req.method !== 'POST')
+        return methodNotAllowed();
+    if (!deps.signingKey)
+        return new Response(null, { status: 500 });
+    const body = (await req.json().catch(() => null));
+    if (!body || typeof body.tid !== 'string')
+        return badRequest();
+    const uid = await deps.identityResolver(req);
+    const rec = await deps.tokenStore.findByTid(body.tid);
+    if (!rec)
+        return forbidden();
+    if (rec.uid !== uid)
+        return forbidden();
+    if (rec.status !== 'pending-resume')
+        return forbidden();
+    const origin = new URL(req.url).origin;
+    if (rec.origin !== origin)
+        return forbidden();
+    const nowMs = (deps.now ?? (() => Date.now()))();
+    const hardExpiryMs = deps.hardExpiryMs ?? 24 * 60 * 60 * 1000;
+    const iat = Math.floor(nowMs / 1000);
+    const exp = Math.floor((nowMs + hardExpiryMs) / 1000);
+    const payload = { tid: rec.tid, iat, exp, scope: 'agent' };
+    const token = signToken(payload, deps.signingKey);
+    await deps.tokenStore.markActive(rec.tid, rec.label ?? '(resumed)', nowMs);
+    await deps.auditSink.write({
+        at: nowMs,
+        tid: rec.tid,
+        uid: rec.uid,
+        event: 'claim',
+        detail: { origin },
+    });
+    const wsUrl = toWsUrl(origin) + '/agent/ws';
+    const out = { token, wsUrl };
+    return jsonResponse(out, 200);
+}
+function jsonResponse(body, status) {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: { 'content-type': 'application/json' },
+    });
+}
+function methodNotAllowed() {
+    return jsonResponse({ error: { code: 'method-not-allowed' } }, 405);
+}
+function badRequest() {
+    return jsonResponse({ error: { code: 'invalid' } }, 400);
+}
+function forbidden() {
+    return jsonResponse({ error: { code: 'revoked' } }, 403);
+}
+function toWsUrl(httpOrigin) {
+    return httpOrigin.startsWith('https://')
+        ? 'wss://' + httpOrigin.slice('https://'.length)
+        : 'ws://' + httpOrigin.slice('http://'.length);
+}
+//# sourceMappingURL=resume.js.map

package/dist/server/http/resume.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resume.js","sourceRoot":"","sources":["../../../src/server/http/resume.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAmBvC,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,GAAY,EAAE,IAAgB;IACnE,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM;QAAE,OAAO,gBAAgB,EAAE,CAAA;IACpD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAA6B,CAAA;IAC7E,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,UAAU,EAAE,CAAA;IAE3D,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;IAC5C,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAA;IAChD,MAAM,GAAG,GAAmB,EAAE,CAAA;IAC9B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;QAChD,IAAI,CAAC,GAAG;YAAE,SAAQ;QAClB,IAAI,GAAG,CAAC,GAAG,KAAK,GAAG;YAAE,SAAQ;QAC7B,IAAI,GAAG,CAAC,MAAM,KAAK,gBAAgB;YAAE,SAAQ;QAC7C,IAAI,GAAG,CAAC,kBAAkB,KAAK,IAAI,IAAI,GAAG,CAAC,kBAAkB,GAAG,KAAK;YAAE,SAAQ;QAC/E,GAAG,CAAC,IAAI,CAAC;YACP,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,WAAW;YAC/B,MAAM,EAAE,gBAAgB;YACxB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,UAAU,EAAE,GAAG,CAAC,UAAU;SAC3B,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,OAAO,GAAuB,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAA;IACrD,OAAO,YAAY,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACnC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,GAAY,EAAE,IAAgB;IACpE,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM;QAAE,OAAO,gBAAgB,EAAE,CAAA;IACpD,IAAI,CAAC,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IAEhE,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAA8B,CAAA;IAC9E,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ;QAAE,OAAO,UAAU,EAAE,CAAA;IAE9D,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;IAC5C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACrD,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,EAAE,CAAA;IAC5B,IAAI,GAAG,CAAC,GAAG,KAAK,GAAG;QAAE,OAAO,SAAS,EAAE,CAAA;IACvC,IAAI,GAAG,CAAC,MAAM,KAAK,gBAAgB;QAAE,OAAO,SAAS,EAAE,CAAA;IAEvD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAA;IACtC,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM;QAAE,OAAO,SAAS,EAAE,CAAA;IAE7C,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAA;IAChD,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;IAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC,CAAA;IACpC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,GAAG,YAAY,CAAC,GAAG,IAAI,CAAC,CAAA;IACrD,MAAM,OAAO,GAAiB,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,CAAA;IACxE,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IAEjD,MAAM,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,KAAK,IAAI,WAAW,EAAE,KAAK,CAAC,CAAA;IAE1E,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;QACzB,EAAE,EAAE,KAAK;QACT,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,KAAK,EAAE,OAAO;QACd,MAAM,EAAE,EAAE,MAAM,EAAE;KACnB,CAAC,CAAA;IAEF,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,WAAW,CAAA;IAC3C,MAAM,GAAG,GAAwB,EAAE,KAAK,EAAE,KAAK,EAAE,CAAA;IACjD,OAAO,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC/B,CAAC;AAED,SAAS,YAAY,CAAC,IAAa,EAAE,MAAc;IACjD,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;QACxC,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,gBAAgB;IACvB,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;AACrE,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;AAC1D,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;AAC1D,CAAC;AAED,SAAS,OAAO,CAAC,UAAkB;IACjC,OAAO,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC;QACtC,CAAC,CAAC,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAChD,CAAC,CAAC,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;AAClD,CAAC","sourcesContent":["import type { TokenStore } from '../token-store.js'\nimport type { IdentityResolver } from '../identity.js'\nimport type { AuditSink } from '../audit.js'\nimport { signToken } from '../token.js'\nimport type {\n  ResumeListRequest,\n  ResumeListResponse,\n  ResumeClaimRequest,\n  ResumeClaimResponse,\n  TokenPayload,\n  AgentSession,\n} from '../../protocol.js'\n\nexport type ResumeDeps = {\n  tokenStore: TokenStore\n  identityResolver: IdentityResolver\n  auditSink: AuditSink\n  signingKey?: string | Uint8Array\n  now?: () => number\n  hardExpiryMs?: number\n}\n\nexport async function handleResumeList(req: Request, deps: ResumeDeps): Promise<Response> {\n  if (req.method !== 'POST') return methodNotAllowed()\n  const body = (await req.json().catch(() => null)) as ResumeListRequest | null\n  if (!body || !Array.isArray(body.tids)) return badRequest()\n\n  const uid = await deps.identityResolver(req)\n  const nowMs = (deps.now ?? (() => Date.now()))()\n  const out: AgentSession[] = []\n  for (const tid of body.tids) {\n    const rec = await deps.tokenStore.findByTid(tid)\n    if (!rec) continue\n    if (rec.uid !== uid) continue\n    if (rec.status !== 'pending-resume') continue\n    if (rec.pendingResumeUntil === null || rec.pendingResumeUntil < nowMs) continue\n    out.push({\n      tid: rec.tid,\n      label: rec.label ?? '(unknown)',\n      status: 'pending-resume',\n      createdAt: rec.createdAt,\n      lastSeenAt: rec.lastSeenAt,\n    })\n  }\n\n  const payload: ResumeListResponse = { sessions: out }\n  return jsonResponse(payload, 200)\n}\n\nexport async function handleResumeClaim(req: Request, deps: ResumeDeps): Promise<Response> {\n  if (req.method !== 'POST') return methodNotAllowed()\n  if (!deps.signingKey) return new Response(null, { status: 500 })\n\n  const body = (await req.json().catch(() => null)) as ResumeClaimRequest | null\n  if (!body || typeof body.tid !== 'string') return badRequest()\n\n  const uid = await deps.identityResolver(req)\n  const rec = await deps.tokenStore.findByTid(body.tid)\n  if (!rec) return forbidden()\n  if (rec.uid !== uid) return forbidden()\n  if (rec.status !== 'pending-resume') return forbidden()\n\n  const origin = new URL(req.url).origin\n  if (rec.origin !== origin) return forbidden()\n\n  const nowMs = (deps.now ?? (() => Date.now()))()\n  const hardExpiryMs = deps.hardExpiryMs ?? 24 * 60 * 60 * 1000\n  const iat = Math.floor(nowMs / 1000)\n  const exp = Math.floor((nowMs + hardExpiryMs) / 1000)\n  const payload: TokenPayload = { tid: rec.tid, iat, exp, scope: 'agent' }\n  const token = signToken(payload, deps.signingKey)\n\n  await deps.tokenStore.markActive(rec.tid, rec.label ?? '(resumed)', nowMs)\n\n  await deps.auditSink.write({\n    at: nowMs,\n    tid: rec.tid,\n    uid: rec.uid,\n    event: 'claim',\n    detail: { origin },\n  })\n\n  const wsUrl = toWsUrl(origin) + '/agent/ws'\n  const out: ResumeClaimResponse = { token, wsUrl }\n  return jsonResponse(out, 200)\n}\n\nfunction jsonResponse(body: unknown, status: number): Response {\n  return new Response(JSON.stringify(body), {\n    status,\n    headers: { 'content-type': 'application/json' },\n  })\n}\n\nfunction methodNotAllowed(): Response {\n  return jsonResponse({ error: { code: 'method-not-allowed' } }, 405)\n}\n\nfunction badRequest(): Response {\n  return jsonResponse({ error: { code: 'invalid' } }, 400)\n}\n\nfunction forbidden(): Response {\n  return jsonResponse({ error: { code: 'revoked' } }, 403)\n}\n\nfunction toWsUrl(httpOrigin: string): string {\n  return httpOrigin.startsWith('https://')\n    ? 'wss://' + httpOrigin.slice('https://'.length)\n    : 'ws://' + httpOrigin.slice('http://'.length)\n}\n"]}

package/dist/server/http/revoke.d.ts

@@ -0,0 +1,11 @@
+import type { TokenStore } from '../token-store.js';
+import type { IdentityResolver } from '../identity.js';
+import type { AuditSink } from '../audit.js';
+export type RevokeDeps = {
+    tokenStore: TokenStore;
+    identityResolver: IdentityResolver;
+    auditSink: AuditSink;
+    now?: () => number;
+};
+export declare function handleRevoke(req: Request, deps: RevokeDeps): Promise<Response>;
+//# sourceMappingURL=revoke.d.ts.map

package/dist/server/http/revoke.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.d.ts","sourceRoot":"","sources":["../../../src/server/http/revoke.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAG5C,MAAM,MAAM,UAAU,GAAG;IACvB,UAAU,EAAE,UAAU,CAAA;IACtB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,SAAS,EAAE,SAAS,CAAA;IACpB,GAAG,CAAC,EAAE,MAAM,MAAM,CAAA;CACnB,CAAA;AAED,wBAAsB,YAAY,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC,CAiBpF"}

package/dist/server/http/revoke.js

@@ -0,0 +1,24 @@
+export async function handleRevoke(req, deps) {
+    if (req.method !== 'POST') {
+        return json({ error: { code: 'method-not-allowed' } }, 405);
+    }
+    const body = (await req.json().catch(() => null));
+    if (!body || typeof body.tid !== 'string')
+        return json({ error: { code: 'invalid' } }, 400);
+    const uid = await deps.identityResolver(req);
+    const rec = await deps.tokenStore.findByTid(body.tid);
+    if (!rec || rec.uid !== uid)
+        return json({ error: { code: 'revoked' } }, 403);
+    const nowMs = (deps.now ?? (() => Date.now()))();
+    await deps.tokenStore.revoke(body.tid);
+    await deps.auditSink.write({ at: nowMs, tid: body.tid, uid, event: 'revoke', detail: {} });
+    const out = { status: 'revoked' };
+    return json(out, 200);
+}
+function json(b, s) {
+    return new Response(JSON.stringify(b), {
+        status: s,
+        headers: { 'content-type': 'application/json' },
+    });
+}
+//# sourceMappingURL=revoke.js.map

package/dist/server/http/revoke.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../../../src/server/http/revoke.ts"],"names":[],"mappings":"AAYA,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAY,EAAE,IAAgB;IAC/D,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAC7D,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAyB,CAAA;IACzE,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAE3F,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;IAC5C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACrD,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAE7E,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAA;IAChD,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACtC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAA;IAE1F,MAAM,GAAG,GAAmB,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;IACjD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACvB,CAAC;AAED,SAAS,IAAI,CAAC,CAAU,EAAE,CAAS;IACjC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;QACrC,MAAM,EAAE,CAAC;QACT,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAA;AACJ,CAAC","sourcesContent":["import type { TokenStore } from '../token-store.js'\nimport type { IdentityResolver } from '../identity.js'\nimport type { AuditSink } from '../audit.js'\nimport type { RevokeRequest, RevokeResponse } from '../../protocol.js'\n\nexport type RevokeDeps = {\n  tokenStore: TokenStore\n  identityResolver: IdentityResolver\n  auditSink: AuditSink\n  now?: () => number\n}\n\nexport async function handleRevoke(req: Request, deps: RevokeDeps): Promise<Response> {\n  if (req.method !== 'POST') {\n    return json({ error: { code: 'method-not-allowed' } }, 405)\n  }\n  const body = (await req.json().catch(() => null)) as RevokeRequest | null\n  if (!body || typeof body.tid !== 'string') return json({ error: { code: 'invalid' } }, 400)\n\n  const uid = await deps.identityResolver(req)\n  const rec = await deps.tokenStore.findByTid(body.tid)\n  if (!rec || rec.uid !== uid) return json({ error: { code: 'revoked' } }, 403)\n\n  const nowMs = (deps.now ?? (() => Date.now()))()\n  await deps.tokenStore.revoke(body.tid)\n  await deps.auditSink.write({ at: nowMs, tid: body.tid, uid, event: 'revoke', detail: {} })\n\n  const out: RevokeResponse = { status: 'revoked' }\n  return json(out, 200)\n}\n\nfunction json(b: unknown, s: number): Response {\n  return new Response(JSON.stringify(b), {\n    status: s,\n    headers: { 'content-type': 'application/json' },\n  })\n}\n"]}

package/dist/server/http/router.d.ts

@@ -0,0 +1,13 @@
+import { type MintDeps } from './mint.js';
+import { type ResumeDeps } from './resume.js';
+import { type RevokeDeps } from './revoke.js';
+import { type SessionsDeps } from './sessions.js';
+export type RouterDeps = MintDeps & ResumeDeps & RevokeDeps & SessionsDeps;
+/**
+ * Matches any /agent/* request and returns the appropriate Response.
+ * Returns `null` when the request doesn't match any known path — caller
+ * can fall through to their framework's 404 handling. LAP and WS paths
+ * are NOT handled here (they land in Plan 5 + factory composition).
+ */
+export declare function createHttpRouter(deps: RouterDeps): (req: Request) => Promise<Response | null>;
+//# sourceMappingURL=router.d.ts.map

package/dist/server/http/router.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../../src/server/http/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,QAAQ,EAAE,MAAM,WAAW,CAAA;AACrD,OAAO,EAAuC,KAAK,UAAU,EAAE,MAAM,aAAa,CAAA;AAClF,OAAO,EAAgB,KAAK,UAAU,EAAE,MAAM,aAAa,CAAA;AAC3D,OAAO,EAAkB,KAAK,YAAY,EAAE,MAAM,eAAe,CAAA;AAEjE,MAAM,MAAM,UAAU,GAAG,QAAQ,GAAG,UAAU,GAAG,UAAU,GAAG,YAAY,CAAA;AAE1E;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,UAAU,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAa7F"}

package/dist/server/http/router.js

@@ -0,0 +1,28 @@
+import { handleMint } from './mint.js';
+import { handleResumeList, handleResumeClaim } from './resume.js';
+import { handleRevoke } from './revoke.js';
+import { handleSessions } from './sessions.js';
+/**
+ * Matches any /agent/* request and returns the appropriate Response.
+ * Returns `null` when the request doesn't match any known path — caller
+ * can fall through to their framework's 404 handling. LAP and WS paths
+ * are NOT handled here (they land in Plan 5 + factory composition).
+ */
+export function createHttpRouter(deps) {
+    return async (req) => {
+        const url = new URL(req.url);
+        const path = url.pathname;
+        if (path === '/agent/mint')
+            return handleMint(req, deps);
+        if (path === '/agent/resume/list')
+            return handleResumeList(req, deps);
+        if (path === '/agent/resume/claim')
+            return handleResumeClaim(req, deps);
+        if (path === '/agent/revoke')
+            return handleRevoke(req, deps);
+        if (path === '/agent/sessions')
+            return handleSessions(req, deps);
+        return null;
+    };
+}
+//# sourceMappingURL=router.js.map

package/dist/server/http/router.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.js","sourceRoot":"","sources":["../../../src/server/http/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAiB,MAAM,WAAW,CAAA;AACrD,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAmB,MAAM,aAAa,CAAA;AAClF,OAAO,EAAE,YAAY,EAAmB,MAAM,aAAa,CAAA;AAC3D,OAAO,EAAE,cAAc,EAAqB,MAAM,eAAe,CAAA;AAIjE;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAgB;IAC/C,OAAO,KAAK,EAAE,GAAG,EAAE,EAAE;QACnB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC5B,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAA;QAEzB,IAAI,IAAI,KAAK,aAAa;YAAE,OAAO,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QACxD,IAAI,IAAI,KAAK,oBAAoB;YAAE,OAAO,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QACrE,IAAI,IAAI,KAAK,qBAAqB;YAAE,OAAO,iBAAiB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QACvE,IAAI,IAAI,KAAK,eAAe;YAAE,OAAO,YAAY,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QAC5D,IAAI,IAAI,KAAK,iBAAiB;YAAE,OAAO,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QAEhE,OAAO,IAAI,CAAA;IACb,CAAC,CAAA;AACH,CAAC","sourcesContent":["import { handleMint, type MintDeps } from './mint.js'\nimport { handleResumeList, handleResumeClaim, type ResumeDeps } from './resume.js'\nimport { handleRevoke, type RevokeDeps } from './revoke.js'\nimport { handleSessions, type SessionsDeps } from './sessions.js'\n\nexport type RouterDeps = MintDeps & ResumeDeps & RevokeDeps & SessionsDeps\n\n/**\n * Matches any /agent/* request and returns the appropriate Response.\n * Returns `null` when the request doesn't match any known path — caller\n * can fall through to their framework's 404 handling. LAP and WS paths\n * are NOT handled here (they land in Plan 5 + factory composition).\n */\nexport function createHttpRouter(deps: RouterDeps): (req: Request) => Promise<Response | null> {\n  return async (req) => {\n    const url = new URL(req.url)\n    const path = url.pathname\n\n    if (path === '/agent/mint') return handleMint(req, deps)\n    if (path === '/agent/resume/list') return handleResumeList(req, deps)\n    if (path === '/agent/resume/claim') return handleResumeClaim(req, deps)\n    if (path === '/agent/revoke') return handleRevoke(req, deps)\n    if (path === '/agent/sessions') return handleSessions(req, deps)\n\n    return null\n  }\n}\n"]}

package/dist/server/http/sessions.d.ts

@@ -0,0 +1,8 @@
+import type { TokenStore } from '../token-store.js';
+import type { IdentityResolver } from '../identity.js';
+export type SessionsDeps = {
+    tokenStore: TokenStore;
+    identityResolver: IdentityResolver;
+};
+export declare function handleSessions(req: Request, deps: SessionsDeps): Promise<Response>;
+//# sourceMappingURL=sessions.d.ts.map

package/dist/server/http/sessions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.d.ts","sourceRoot":"","sources":["../../../src/server/http/sessions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAGtD,MAAM,MAAM,YAAY,GAAG;IACzB,UAAU,EAAE,UAAU,CAAA;IACtB,gBAAgB,EAAE,gBAAgB,CAAA;CACnC,CAAA;AAED,wBAAsB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,QAAQ,CAAC,CAmBxF"}

package/dist/server/http/sessions.js

@@ -0,0 +1,27 @@
+export async function handleSessions(req, deps) {
+    if (req.method !== 'GET') {
+        return json({ error: { code: 'method-not-allowed' } }, 405);
+    }
+    const uid = await deps.identityResolver(req);
+    if (uid === null) {
+        return json({ sessions: [] }, 200);
+    }
+    const records = await deps.tokenStore.listByIdentity(uid);
+    const sessions = records
+        .filter((r) => r.status === 'active' || r.status === 'pending-resume')
+        .map((r) => ({
+        tid: r.tid,
+        label: r.label ?? '(unknown)',
+        status: r.status,
+        createdAt: r.createdAt,
+        lastSeenAt: r.lastSeenAt,
+    }));
+    return json({ sessions }, 200);
+}
+function json(b, s) {
+    return new Response(JSON.stringify(b), {
+        status: s,
+        headers: { 'content-type': 'application/json' },
+    });
+}
+//# sourceMappingURL=sessions.js.map

package/dist/server/http/sessions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.js","sourceRoot":"","sources":["../../../src/server/http/sessions.ts"],"names":[],"mappings":"AASA,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAY,EAAE,IAAkB;IACnE,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAC7D,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;IAC5C,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QACjB,OAAO,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,EAA6B,EAAE,GAAG,CAAC,CAAA;IAC/D,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,GAAG,CAAC,CAAA;IACzD,MAAM,QAAQ,GAAmB,OAAO;SACrC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,KAAK,gBAAgB,CAAC;SACrE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACX,GAAG,EAAE,CAAC,CAAC,GAAG;QACV,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,WAAW;QAC7B,MAAM,EAAE,CAAC,CAAC,MAAqC;QAC/C,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,UAAU,EAAE,CAAC,CAAC,UAAU;KACzB,CAAC,CAAC,CAAA;IACL,OAAO,IAAI,CAAC,EAAE,QAAQ,EAA6B,EAAE,GAAG,CAAC,CAAA;AAC3D,CAAC;AAED,SAAS,IAAI,CAAC,CAAU,EAAE,CAAS;IACjC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;QACrC,MAAM,EAAE,CAAC;QACT,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAA;AACJ,CAAC","sourcesContent":["import type { TokenStore } from '../token-store.js'\nimport type { IdentityResolver } from '../identity.js'\nimport type { AgentSession, SessionsResponse } from '../../protocol.js'\n\nexport type SessionsDeps = {\n  tokenStore: TokenStore\n  identityResolver: IdentityResolver\n}\n\nexport async function handleSessions(req: Request, deps: SessionsDeps): Promise<Response> {\n  if (req.method !== 'GET') {\n    return json({ error: { code: 'method-not-allowed' } }, 405)\n  }\n  const uid = await deps.identityResolver(req)\n  if (uid === null) {\n    return json({ sessions: [] } satisfies SessionsResponse, 200)\n  }\n  const records = await deps.tokenStore.listByIdentity(uid)\n  const sessions: AgentSession[] = records\n    .filter((r) => r.status === 'active' || r.status === 'pending-resume')\n    .map((r) => ({\n      tid: r.tid,\n      label: r.label ?? '(unknown)',\n      status: r.status as 'active' | 'pending-resume',\n      createdAt: r.createdAt,\n      lastSeenAt: r.lastSeenAt,\n    }))\n  return json({ sessions } satisfies SessionsResponse, 200)\n}\n\nfunction json(b: unknown, s: number): Response {\n  return new Response(JSON.stringify(b), {\n    status: s,\n    headers: { 'content-type': 'application/json' },\n  })\n}\n"]}

package/dist/server/identity.d.ts

@@ -0,0 +1,8 @@
+export type IdentityResolver = (req: Request) => Promise<string | null>;
+export type IdentityCookieConfig = {
+    name: string;
+    signingKey: string | Uint8Array;
+};
+export declare function defaultIdentityResolver(cfg: IdentityCookieConfig): IdentityResolver;
+export declare function signCookieValue(value: string, signingKey: string | Uint8Array): string;
+//# sourceMappingURL=identity.d.ts.map

package/dist/server/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/server/identity.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,gBAAgB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;AAEvE,MAAM,MAAM,oBAAoB,GAAG;IACjC,IAAI,EAAE,MAAM,CAAA;IACZ,UAAU,EAAE,MAAM,GAAG,UAAU,CAAA;CAChC,CAAA;AAED,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,oBAAoB,GAAG,gBAAgB,CA8BnF;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,UAAU,GAAG,MAAM,CAKtF"}

package/dist/server/identity.js

@@ -0,0 +1,41 @@
+import { createHmac, timingSafeEqual } from 'node:crypto';
+export function defaultIdentityResolver(cfg) {
+    if (!cfg.signingKey || (typeof cfg.signingKey === 'string' && cfg.signingKey.length < 32)) {
+        throw new Error('IdentityCookie signingKey must be at least 32 bytes');
+    }
+    const keyBuf = typeof cfg.signingKey === 'string'
+        ? Buffer.from(cfg.signingKey, 'utf8')
+        : Buffer.from(cfg.signingKey);
+    return async (req) => {
+        const cookie = req.headers.get('cookie');
+        if (!cookie)
+            return null;
+        const pairs = cookie.split(';').map((s) => s.trim());
+        for (const pair of pairs) {
+            const eq = pair.indexOf('=');
+            if (eq < 0)
+                continue;
+            const name = pair.slice(0, eq);
+            const value = pair.slice(eq + 1);
+            if (name !== cfg.name)
+                continue;
+            const dot = value.indexOf('.');
+            if (dot < 0)
+                return null;
+            const rawValue = value.slice(0, dot);
+            const sigPart = value.slice(dot + 1);
+            const sigBuf = Buffer.from(sigPart, 'base64url');
+            const expected = createHmac('sha256', keyBuf).update(rawValue).digest();
+            if (expected.length !== sigBuf.length || !timingSafeEqual(expected, sigBuf))
+                return null;
+            return rawValue;
+        }
+        return null;
+    };
+}
+export function signCookieValue(value, signingKey) {
+    const keyBuf = typeof signingKey === 'string' ? Buffer.from(signingKey, 'utf8') : Buffer.from(signingKey);
+    const mac = createHmac('sha256', keyBuf).update(value).digest('base64url');
+    return `${value}.${mac}`;
+}
+//# sourceMappingURL=identity.js.map

package/dist/server/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/server/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AASzD,MAAM,UAAU,uBAAuB,CAAC,GAAyB;IAC/D,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAA;IACxE,CAAC;IACD,MAAM,MAAM,GACV,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ;QAChC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC;QACrC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAEjC,OAAO,KAAK,EAAE,GAAG,EAAE,EAAE;QACnB,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACxC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAA;QACxB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;QACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YAC5B,IAAI,EAAE,GAAG,CAAC;gBAAE,SAAQ;YACpB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;YAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAA;YAChC,IAAI,IAAI,KAAK,GAAG,CAAC,IAAI;gBAAE,SAAQ;YAC/B,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YAC9B,IAAI,GAAG,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAA;YACxB,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;YACpC,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;YACpC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;YAChD,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAA;YACvE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC;gBAAE,OAAO,IAAI,CAAA;YACxF,OAAO,QAAQ,CAAA;QACjB,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAa,EAAE,UAA+B;IAC5E,MAAM,MAAM,GACV,OAAO,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC5F,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;IAC1E,OAAO,GAAG,KAAK,IAAI,GAAG,EAAE,CAAA;AAC1B,CAAC","sourcesContent":["import { createHmac, timingSafeEqual } from 'node:crypto'\n\nexport type IdentityResolver = (req: Request) => Promise<string | null>\n\nexport type IdentityCookieConfig = {\n  name: string\n  signingKey: string | Uint8Array\n}\n\nexport function defaultIdentityResolver(cfg: IdentityCookieConfig): IdentityResolver {\n  if (!cfg.signingKey || (typeof cfg.signingKey === 'string' && cfg.signingKey.length < 32)) {\n    throw new Error('IdentityCookie signingKey must be at least 32 bytes')\n  }\n  const keyBuf =\n    typeof cfg.signingKey === 'string'\n      ? Buffer.from(cfg.signingKey, 'utf8')\n      : Buffer.from(cfg.signingKey)\n\n  return async (req) => {\n    const cookie = req.headers.get('cookie')\n    if (!cookie) return null\n    const pairs = cookie.split(';').map((s) => s.trim())\n    for (const pair of pairs) {\n      const eq = pair.indexOf('=')\n      if (eq < 0) continue\n      const name = pair.slice(0, eq)\n      const value = pair.slice(eq + 1)\n      if (name !== cfg.name) continue\n      const dot = value.indexOf('.')\n      if (dot < 0) return null\n      const rawValue = value.slice(0, dot)\n      const sigPart = value.slice(dot + 1)\n      const sigBuf = Buffer.from(sigPart, 'base64url')\n      const expected = createHmac('sha256', keyBuf).update(rawValue).digest()\n      if (expected.length !== sigBuf.length || !timingSafeEqual(expected, sigBuf)) return null\n      return rawValue\n    }\n    return null\n  }\n}\n\nexport function signCookieValue(value: string, signingKey: string | Uint8Array): string {\n  const keyBuf =\n    typeof signingKey === 'string' ? Buffer.from(signingKey, 'utf8') : Buffer.from(signingKey)\n  const mac = createHmac('sha256', keyBuf).update(value).digest('base64url')\n  return `${value}.${mac}`\n}\n"]}

package/dist/server/index.d.ts

@@ -0,0 +1,11 @@
+export { createLluiAgentServer } from './factory.js';
+export type { ServerOptions, AgentServerHandle } from './options.js';
+export { InMemoryTokenStore } from './token-store.js';
+export type { TokenStore } from './token-store.js';
+export { defaultIdentityResolver } from './identity.js';
+export type { IdentityResolver } from './identity.js';
+export { consoleAuditSink } from './audit.js';
+export type { AuditSink } from './audit.js';
+export { defaultRateLimiter } from './rate-limit.js';
+export type { RateLimiter } from './rate-limit.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAA;AACpD,YAAY,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AACrD,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAA;AACvD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAC7C,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAC3C,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,YAAY,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA"}

package/dist/server/index.js

@@ -0,0 +1,6 @@
+export { createLluiAgentServer } from './factory.js';
+export { InMemoryTokenStore } from './token-store.js';
+export { defaultIdentityResolver } from './identity.js';
+export { consoleAuditSink } from './audit.js';
+export { defaultRateLimiter } from './rate-limit.js';
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAA;AAEpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AAErD,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAA;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAE7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA","sourcesContent":["export { createLluiAgentServer } from './factory.js'\nexport type { ServerOptions, AgentServerHandle } from './options.js'\nexport { InMemoryTokenStore } from './token-store.js'\nexport type { TokenStore } from './token-store.js'\nexport { defaultIdentityResolver } from './identity.js'\nexport type { IdentityResolver } from './identity.js'\nexport { consoleAuditSink } from './audit.js'\nexport type { AuditSink } from './audit.js'\nexport { defaultRateLimiter } from './rate-limit.js'\nexport type { RateLimiter } from './rate-limit.js'\n"]}

package/dist/server/lap/confirm-result.d.ts

@@ -0,0 +1,14 @@
+import type { TokenStore } from '../token-store.js';
+import type { WsPairingRegistry } from '../ws/pairing-registry.js';
+import type { AuditSink } from '../audit.js';
+import type { RateLimiter } from '../rate-limit.js';
+export type LapConfirmResultDeps = {
+    signingKey: string | Uint8Array;
+    tokenStore: TokenStore;
+    registry: WsPairingRegistry;
+    auditSink: AuditSink;
+    rateLimiter: RateLimiter;
+    now?: () => number;
+};
+export declare function handleLapConfirmResult(req: Request, deps: LapConfirmResultDeps): Promise<Response>;
+//# sourceMappingURL=confirm-result.d.ts.map

package/dist/server/lap/confirm-result.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"confirm-result.d.ts","sourceRoot":"","sources":["../../../src/server/lap/confirm-result.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAA;AAClE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAC5C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAA;AAInD,MAAM,MAAM,oBAAoB,GAAG;IACjC,UAAU,EAAE,MAAM,GAAG,UAAU,CAAA;IAC/B,UAAU,EAAE,UAAU,CAAA;IACtB,QAAQ,EAAE,iBAAiB,CAAA;IAC3B,SAAS,EAAE,SAAS,CAAA;IACpB,WAAW,EAAE,WAAW,CAAA;IACxB,GAAG,CAAC,EAAE,MAAM,MAAM,CAAA;CACnB,CAAA;AAED,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,OAAO,EACZ,IAAI,EAAE,oBAAoB,GACzB,OAAO,CAAC,QAAQ,CAAC,CA0DnB"}

package/dist/server/lap/confirm-result.js

@@ -0,0 +1,60 @@
+import { verifyAndReadTid } from './describe.js';
+export async function handleLapConfirmResult(req, deps) {
+    const auth = verifyAndReadTid(req, deps.signingKey);
+    if (!auth.ok)
+        return json({ error: { code: auth.code } }, auth.status);
+    const rec = await deps.tokenStore.findByTid(auth.tid);
+    if (!rec || rec.status === 'revoked')
+        return json({ error: { code: 'revoked' } }, 403);
+    if (!deps.registry.isPaired(auth.tid))
+        return json({ error: { code: 'paused' } }, 503);
+    const rlCheck = await deps.rateLimiter.check(auth.tid, 'token');
+    if (!rlCheck.allowed) {
+        return json({ error: { code: 'rate-limited', retryAfterMs: rlCheck.retryAfterMs } }, 429);
+    }
+    const body = (await req.json().catch(() => null));
+    if (!body || typeof body.confirmId !== 'string')
+        return json({ error: { code: 'invalid' } }, 400);
+    const timeoutMs = body.timeoutMs ?? 5_000;
+    // Spec: if the confirm was already resolved during the earlier long-poll on
+    // /message, there's no second resolution to wait for. In the current design
+    // /confirm-result is ONLY used when /message bailed out early with
+    // pending-confirmation. So we call waitForConfirm with the given timeoutMs.
+    // If no resolution arrives in time, we surface 'still-pending'.
+    const result = await deps.registry.waitForConfirm(auth.tid, body.confirmId, timeoutMs);
+    const nowMs = (deps.now ?? (() => Date.now()))();
+    if (result.outcome === 'confirmed') {
+        await deps.auditSink.write({
+            at: nowMs,
+            tid: auth.tid,
+            uid: rec.uid,
+            event: 'confirm-approved',
+            detail: { confirmId: body.confirmId },
+        });
+        return json({ status: 'confirmed', stateAfter: result.stateAfter }, 200);
+    }
+    // user-cancelled OR timeout. WsPairingRegistry returns user-cancelled on timeout too;
+    // we distinguish by checking whether the confirm is still in registry.pendingConfirm —
+    // but pendingConfirm cleanup happens inside waitForConfirm's timer, so we can't peek.
+    // For v1: treat user-cancelled as user-cancelled; treat explicit timeout as timeout by
+    // comparing elapsed vs. timeoutMs. Simpler: just return 'still-pending' on the timeout
+    // branch to let Claude poll again. Registry returns {outcome: 'user-cancelled'} on
+    // both timer and actual cancel — so we can't distinguish. Punt: return 'user-cancelled'
+    // (matches registry semantics). Spec §8.2 get_confirm_result allows 'user-cancelled' |
+    // 'timeout' | 'still-pending' — a refinement to distinguish is follow-up work.
+    await deps.auditSink.write({
+        at: nowMs,
+        tid: auth.tid,
+        uid: rec.uid,
+        event: 'confirm-rejected',
+        detail: { confirmId: body.confirmId },
+    });
+    return json({ status: 'rejected', reason: 'user-cancelled' }, 200);
+}
+function json(b, s) {
+    return new Response(JSON.stringify(b), {
+        status: s,
+        headers: { 'content-type': 'application/json' },
+    });
+}
+//# sourceMappingURL=confirm-result.js.map

package/dist/server/lap/confirm-result.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"confirm-result.js","sourceRoot":"","sources":["../../../src/server/lap/confirm-result.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AAYhD,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,GAAY,EACZ,IAA0B;IAE1B,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IACnD,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;IAEtE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACrD,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IACtF,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAEtF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;IAC/D,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAC3F,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAmC,CAAA;IACnF,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IACjG,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAA;IAEzC,4EAA4E;IAC5E,4EAA4E;IAC5E,mEAAmE;IACnE,4EAA4E;IAC5E,gEAAgE;IAChE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAA;IAEtF,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAA;IAChD,IAAI,MAAM,CAAC,OAAO,KAAK,WAAW,EAAE,CAAC;QACnC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;YACzB,EAAE,EAAE,KAAK;YACT,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,KAAK,EAAE,kBAAkB;YACzB,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE;SACtC,CAAC,CAAA;QACF,OAAO,IAAI,CACT,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAqC,EACzF,GAAG,CACJ,CAAA;IACH,CAAC;IACD,sFAAsF;IACtF,uFAAuF;IACvF,sFAAsF;IACtF,uFAAuF;IACvF,uFAAuF;IACvF,mFAAmF;IACnF,wFAAwF;IACxF,uFAAuF;IACvF,+EAA+E;IAC/E,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;QACzB,EAAE,EAAE,KAAK;QACT,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,KAAK,EAAE,kBAAkB;QACzB,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE;KACtC,CAAC,CAAA;IACF,OAAO,IAAI,CACT,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,gBAAgB,EAAqC,EACnF,GAAG,CACJ,CAAA;AACH,CAAC;AAED,SAAS,IAAI,CAAC,CAAU,EAAE,CAAS;IACjC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;QACrC,MAAM,EAAE,CAAC;QACT,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAA;AACJ,CAAC","sourcesContent":["import type { TokenStore } from '../token-store.js'\nimport type { WsPairingRegistry } from '../ws/pairing-registry.js'\nimport type { AuditSink } from '../audit.js'\nimport type { RateLimiter } from '../rate-limit.js'\nimport { verifyAndReadTid } from './describe.js'\nimport type { LapConfirmResultRequest, LapConfirmResultResponse } from '../../protocol.js'\n\nexport type LapConfirmResultDeps = {\n  signingKey: string | Uint8Array\n  tokenStore: TokenStore\n  registry: WsPairingRegistry\n  auditSink: AuditSink\n  rateLimiter: RateLimiter\n  now?: () => number\n}\n\nexport async function handleLapConfirmResult(\n  req: Request,\n  deps: LapConfirmResultDeps,\n): Promise<Response> {\n  const auth = verifyAndReadTid(req, deps.signingKey)\n  if (!auth.ok) return json({ error: { code: auth.code } }, auth.status)\n\n  const rec = await deps.tokenStore.findByTid(auth.tid)\n  if (!rec || rec.status === 'revoked') return json({ error: { code: 'revoked' } }, 403)\n  if (!deps.registry.isPaired(auth.tid)) return json({ error: { code: 'paused' } }, 503)\n\n  const rlCheck = await deps.rateLimiter.check(auth.tid, 'token')\n  if (!rlCheck.allowed) {\n    return json({ error: { code: 'rate-limited', retryAfterMs: rlCheck.retryAfterMs } }, 429)\n  }\n\n  const body = (await req.json().catch(() => null)) as LapConfirmResultRequest | null\n  if (!body || typeof body.confirmId !== 'string') return json({ error: { code: 'invalid' } }, 400)\n  const timeoutMs = body.timeoutMs ?? 5_000\n\n  // Spec: if the confirm was already resolved during the earlier long-poll on\n  // /message, there's no second resolution to wait for. In the current design\n  // /confirm-result is ONLY used when /message bailed out early with\n  // pending-confirmation. So we call waitForConfirm with the given timeoutMs.\n  // If no resolution arrives in time, we surface 'still-pending'.\n  const result = await deps.registry.waitForConfirm(auth.tid, body.confirmId, timeoutMs)\n\n  const nowMs = (deps.now ?? (() => Date.now()))()\n  if (result.outcome === 'confirmed') {\n    await deps.auditSink.write({\n      at: nowMs,\n      tid: auth.tid,\n      uid: rec.uid,\n      event: 'confirm-approved',\n      detail: { confirmId: body.confirmId },\n    })\n    return json(\n      { status: 'confirmed', stateAfter: result.stateAfter } satisfies LapConfirmResultResponse,\n      200,\n    )\n  }\n  // user-cancelled OR timeout. WsPairingRegistry returns user-cancelled on timeout too;\n  // we distinguish by checking whether the confirm is still in registry.pendingConfirm —\n  // but pendingConfirm cleanup happens inside waitForConfirm's timer, so we can't peek.\n  // For v1: treat user-cancelled as user-cancelled; treat explicit timeout as timeout by\n  // comparing elapsed vs. timeoutMs. Simpler: just return 'still-pending' on the timeout\n  // branch to let Claude poll again. Registry returns {outcome: 'user-cancelled'} on\n  // both timer and actual cancel — so we can't distinguish. Punt: return 'user-cancelled'\n  // (matches registry semantics). Spec §8.2 get_confirm_result allows 'user-cancelled' |\n  // 'timeout' | 'still-pending' — a refinement to distinguish is follow-up work.\n  await deps.auditSink.write({\n    at: nowMs,\n    tid: auth.tid,\n    uid: rec.uid,\n    event: 'confirm-rejected',\n    detail: { confirmId: body.confirmId },\n  })\n  return json(\n    { status: 'rejected', reason: 'user-cancelled' } satisfies LapConfirmResultResponse,\n    200,\n  )\n}\n\nfunction json(b: unknown, s: number): Response {\n  return new Response(JSON.stringify(b), {\n    status: s,\n    headers: { 'content-type': 'application/json' },\n  })\n}\n"]}

package/dist/server/lap/describe.d.ts

@@ -0,0 +1,22 @@
+import type { TokenStore } from '../token-store.js';
+import type { WsPairingRegistry } from '../ws/pairing-registry.js';
+import type { AuditSink } from '../audit.js';
+import type { RateLimiter } from '../rate-limit.js';
+export type LapDescribeDeps = {
+    signingKey: string | Uint8Array;
+    tokenStore: TokenStore;
+    registry: WsPairingRegistry;
+    auditSink: AuditSink;
+    rateLimiter: RateLimiter;
+    now?: () => number;
+};
+export declare function handleLapDescribe(req: Request, deps: LapDescribeDeps): Promise<Response>;
+export declare function verifyAndReadTid(req: Request, key: string | Uint8Array): {
+    ok: true;
+    tid: string;
+} | {
+    ok: false;
+    status: number;
+    code: string;
+};
+//# sourceMappingURL=describe.d.ts.map

package/dist/server/lap/describe.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"describe.d.ts","sourceRoot":"","sources":["../../../src/server/lap/describe.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAA;AAClE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAC5C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAA;AAGnD,MAAM,MAAM,eAAe,GAAG;IAC5B,UAAU,EAAE,MAAM,GAAG,UAAU,CAAA;IAC/B,UAAU,EAAE,UAAU,CAAA;IACtB,QAAQ,EAAE,iBAAiB,CAAA;IAC3B,SAAS,EAAE,SAAS,CAAA;IACpB,WAAW,EAAE,WAAW,CAAA;IACxB,GAAG,CAAC,EAAE,MAAM,MAAM,CAAA;CACnB,CAAA;AAED,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC,CAoD9F;AAED,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,MAAM,GAAG,UAAU,GACvB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAOzE"}

package/dist/server/lap/describe.js

@@ -0,0 +1,67 @@
+import { verifyToken } from '../token.js';
+export async function handleLapDescribe(req, deps) {
+    const auth = verifyAndReadTid(req, deps.signingKey);
+    if (!auth.ok)
+        return json({ error: { code: auth.code } }, auth.status);
+    const rec = await deps.tokenStore.findByTid(auth.tid);
+    if (!rec || rec.status === 'revoked')
+        return json({ error: { code: 'revoked' } }, 403);
+    if (!deps.registry.isPaired(auth.tid))
+        return json({ error: { code: 'paused' } }, 503);
+    const rlCheck = await deps.rateLimiter.check(auth.tid, 'token');
+    if (!rlCheck.allowed) {
+        return json({ error: { code: 'rate-limited', retryAfterMs: rlCheck.retryAfterMs } }, 429);
+    }
+    const hello = deps.registry.getHello(auth.tid);
+    if (!hello)
+        return json({ error: { code: 'paused' } }, 503);
+    const messages = hello.msgSchema;
+    const out = {
+        name: hello.appName,
+        version: hello.appVersion,
+        stateSchema: hello.stateSchema,
+        messages,
+        docs: hello.docs,
+        conventions: {
+            dispatchModel: 'TEA',
+            confirmationModel: 'runtime-mediated',
+            readSurfaces: ['state', 'query_dom', 'describe_visible_content', 'describe_context'],
+        },
+        schemaHash: hello.schemaHash,
+    };
+    const nowMs = (deps.now ?? (() => Date.now()))();
+    // Transition to active: Claude has made its first LAP call to /describe,
+    // confirming both the browser WS and Claude are live.
+    const wasAwaitingClaude = rec.status === 'awaiting-claude';
+    const label = rec.uid ?? 'Claude';
+    await deps.tokenStore.markActive(auth.tid, label, nowMs);
+    // Fire the active signal to the browser only on the first transition.
+    if (wasAwaitingClaude) {
+        deps.registry.notify(auth.tid, { t: 'active' });
+    }
+    await deps.auditSink.write({
+        at: nowMs,
+        tid: auth.tid,
+        uid: rec.uid,
+        event: 'lap-call',
+        detail: { path: '/lap/v1/describe' },
+    });
+    return json(out, 200);
+}
+export function verifyAndReadTid(req, key) {
+    const auth = req.headers.get('authorization');
+    if (!auth || !auth.startsWith('Bearer '))
+        return { ok: false, status: 401, code: 'auth-failed' };
+    const token = auth.slice('Bearer '.length);
+    const v = verifyToken(token, key);
+    if (v.kind !== 'ok')
+        return { ok: false, status: 401, code: 'auth-failed' };
+    return { ok: true, tid: v.payload.tid };
+}
+function json(b, s) {
+    return new Response(JSON.stringify(b), {
+        status: s,
+        headers: { 'content-type': 'application/json' },
+    });
+}
+//# sourceMappingURL=describe.js.map

package/dist/server/lap/describe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"describe.js","sourceRoot":"","sources":["../../../src/server/lap/describe.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAgBzC,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,GAAY,EAAE,IAAqB;IACzE,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IACnD,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;IAEtE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACrD,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IACtF,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAEtF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;IAC/D,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAC3F,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC9C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAE3D,MAAM,QAAQ,GAAuC,KAAK,CAAC,SAG1D,CAAA;IACD,MAAM,GAAG,GAAwB;QAC/B,IAAI,EAAE,KAAK,CAAC,OAAO;QACnB,OAAO,EAAE,KAAK,CAAC,UAAU;QACzB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,QAAQ;QACR,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,WAAW,EAAE;YACX,aAAa,EAAE,KAAK;YACpB,iBAAiB,EAAE,kBAAkB;YACrC,YAAY,EAAE,CAAC,OAAO,EAAE,WAAW,EAAE,0BAA0B,EAAE,kBAAkB,CAAC;SACrF;QACD,UAAU,EAAE,KAAK,CAAC,UAAU;KAC7B,CAAA;IAED,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAA;IAChD,yEAAyE;IACzE,sDAAsD;IACtD,MAAM,iBAAiB,GAAG,GAAG,CAAC,MAAM,KAAK,iBAAiB,CAAA;IAC1D,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,IAAI,QAAQ,CAAA;IACjC,MAAM,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,CAAC,CAAA;IACxD,sEAAsE;IACtE,IAAI,iBAAiB,EAAE,CAAC;QACtB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAA;IACjD,CAAC;IACD,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;QACzB,EAAE,EAAE,KAAK;QACT,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,KAAK,EAAE,UAAU;QACjB,MAAM,EAAE,EAAE,IAAI,EAAE,kBAAkB,EAAE;KACrC,CAAC,CAAA;IACF,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACvB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,GAAY,EACZ,GAAwB;IAExB,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;IAC7C,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,aAAa,EAAE,CAAA;IAChG,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;IAC1C,MAAM,CAAC,GAAG,WAAW,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IACjC,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,aAAa,EAAE,CAAA;IAC3E,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAA;AACzC,CAAC;AAED,SAAS,IAAI,CAAC,CAAU,EAAE,CAAS;IACjC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;QACrC,MAAM,EAAE,CAAC;QACT,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAA;AACJ,CAAC","sourcesContent":["import { verifyToken } from '../token.js'\nimport type { TokenStore } from '../token-store.js'\nimport type { WsPairingRegistry } from '../ws/pairing-registry.js'\nimport type { AuditSink } from '../audit.js'\nimport type { RateLimiter } from '../rate-limit.js'\nimport type { LapDescribeResponse, MessageSchemaEntry } from '../../protocol.js'\n\nexport type LapDescribeDeps = {\n  signingKey: string | Uint8Array\n  tokenStore: TokenStore\n  registry: WsPairingRegistry\n  auditSink: AuditSink\n  rateLimiter: RateLimiter\n  now?: () => number\n}\n\nexport async function handleLapDescribe(req: Request, deps: LapDescribeDeps): Promise<Response> {\n  const auth = verifyAndReadTid(req, deps.signingKey)\n  if (!auth.ok) return json({ error: { code: auth.code } }, auth.status)\n\n  const rec = await deps.tokenStore.findByTid(auth.tid)\n  if (!rec || rec.status === 'revoked') return json({ error: { code: 'revoked' } }, 403)\n  if (!deps.registry.isPaired(auth.tid)) return json({ error: { code: 'paused' } }, 503)\n\n  const rlCheck = await deps.rateLimiter.check(auth.tid, 'token')\n  if (!rlCheck.allowed) {\n    return json({ error: { code: 'rate-limited', retryAfterMs: rlCheck.retryAfterMs } }, 429)\n  }\n\n  const hello = deps.registry.getHello(auth.tid)\n  if (!hello) return json({ error: { code: 'paused' } }, 503)\n\n  const messages: Record<string, MessageSchemaEntry> = hello.msgSchema as Record<\n    string,\n    MessageSchemaEntry\n  >\n  const out: LapDescribeResponse = {\n    name: hello.appName,\n    version: hello.appVersion,\n    stateSchema: hello.stateSchema,\n    messages,\n    docs: hello.docs,\n    conventions: {\n      dispatchModel: 'TEA',\n      confirmationModel: 'runtime-mediated',\n      readSurfaces: ['state', 'query_dom', 'describe_visible_content', 'describe_context'],\n    },\n    schemaHash: hello.schemaHash,\n  }\n\n  const nowMs = (deps.now ?? (() => Date.now()))()\n  // Transition to active: Claude has made its first LAP call to /describe,\n  // confirming both the browser WS and Claude are live.\n  const wasAwaitingClaude = rec.status === 'awaiting-claude'\n  const label = rec.uid ?? 'Claude'\n  await deps.tokenStore.markActive(auth.tid, label, nowMs)\n  // Fire the active signal to the browser only on the first transition.\n  if (wasAwaitingClaude) {\n    deps.registry.notify(auth.tid, { t: 'active' })\n  }\n  await deps.auditSink.write({\n    at: nowMs,\n    tid: auth.tid,\n    uid: rec.uid,\n    event: 'lap-call',\n    detail: { path: '/lap/v1/describe' },\n  })\n  return json(out, 200)\n}\n\nexport function verifyAndReadTid(\n  req: Request,\n  key: string | Uint8Array,\n): { ok: true; tid: string } | { ok: false; status: number; code: string } {\n  const auth = req.headers.get('authorization')\n  if (!auth || !auth.startsWith('Bearer ')) return { ok: false, status: 401, code: 'auth-failed' }\n  const token = auth.slice('Bearer '.length)\n  const v = verifyToken(token, key)\n  if (v.kind !== 'ok') return { ok: false, status: 401, code: 'auth-failed' }\n  return { ok: true, tid: v.payload.tid }\n}\n\nfunction json(b: unknown, s: number): Response {\n  return new Response(JSON.stringify(b), {\n    status: s,\n    headers: { 'content-type': 'application/json' },\n  })\n}\n"]}

package/dist/server/lap/forward.d.ts

@@ -0,0 +1,24 @@
+import type { TokenStore } from '../token-store.js';
+import type { WsPairingRegistry } from '../ws/pairing-registry.js';
+import type { AuditSink } from '../audit.js';
+import type { RateLimiter } from '../rate-limit.js';
+export type ForwardDeps = {
+    signingKey: string | Uint8Array;
+    tokenStore: TokenStore;
+    registry: WsPairingRegistry;
+    auditSink: AuditSink;
+    rateLimiter: RateLimiter;
+    now?: () => number;
+};
+/**
+ * Generic LAP handler. `parseArgs` is called with the parsed body (may be
+ * null for empty bodies); it returns the args object to forward or null
+ * to reject as invalid. `tool` is the browser-side tool name.
+ */
+export declare function makeForwardHandler(tool: string, parseArgs: (body: unknown) => object | null, auditDetail?: (tid: string, args: object) => Record<string, unknown>): (req: Request, deps: ForwardDeps) => Promise<Response>;
+export declare const handleLapState: (req: Request, deps: ForwardDeps) => Promise<Response>;
+export declare const handleLapActions: (req: Request, deps: ForwardDeps) => Promise<Response>;
+export declare const handleLapQueryDom: (req: Request, deps: ForwardDeps) => Promise<Response>;
+export declare const handleLapDescribeVisible: (req: Request, deps: ForwardDeps) => Promise<Response>;
+export declare const handleLapContext: (req: Request, deps: ForwardDeps) => Promise<Response>;
+//# sourceMappingURL=forward.d.ts.map

package/dist/server/lap/forward.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"forward.d.ts","sourceRoot":"","sources":["../../../src/server/lap/forward.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAA;AAClE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAC5C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAA;AAGnD,MAAM,MAAM,WAAW,GAAG;IACxB,UAAU,EAAE,MAAM,GAAG,UAAU,CAAA;IAC/B,UAAU,EAAE,UAAU,CAAA;IACtB,QAAQ,EAAE,iBAAiB,CAAA;IAC3B,SAAS,EAAE,SAAS,CAAA;IACpB,WAAW,EAAE,WAAW,CAAA;IACxB,GAAG,CAAC,EAAE,MAAM,MAAM,CAAA;CACnB,CAAA;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,MAAM,GAAG,IAAI,EAC3C,WAAW,GAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,EAAE,OAAO,CAAc,IAElE,KAAK,OAAO,EAAE,MAAM,WAAW,KAAG,OAAO,CAAC,QAAQ,CAAC,CAoClE;AAUD,eAAO,MAAM,cAAc,QA9CN,OAAO,QAAQ,WAAW,KAAG,OAAO,CAAC,QAAQ,CAkDhE,CAAA;AAEF,eAAO,MAAM,gBAAgB,QApDR,OAAO,QAAQ,WAAW,KAAG,OAAO,CAAC,QAAQ,CAoDY,CAAA;AAE9E,eAAO,MAAM,iBAAiB,QAtDT,OAAO,QAAQ,WAAW,KAAG,OAAO,CAAC,QAAQ,CA0DhE,CAAA;AAEF,eAAO,MAAM,wBAAwB,QA5DhB,OAAO,QAAQ,WAAW,KAAG,OAAO,CAAC,QAAQ,CA4DgC,CAAA;AAElG,eAAO,MAAM,gBAAgB,QA9DR,OAAO,QAAQ,WAAW,KAAG,OAAO,CAAC,QAAQ,CA8DgB,CAAA"}