@llui/agent 0.0.30 → 0.0.31

package/dist/server/cloudflare/durable-object.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Durable Object helper for hosting the agent pairing + LAP surface
+ * on Cloudflare Workers. One DO instance owns one `tid` — its
+ * in-memory `PairingRegistry` survives across Worker isolate
+ * invocations because the DO IS persistent.
+ *
+ * This file exports a class designed to be composed into a real
+ * Durable Object in the user's Worker project. We intentionally
+ * don't subclass `DurableObject` from `@cloudflare/workers-types` —
+ * that dependency belongs to the user's project, not ours. Users
+ * wrap an instance of `AgentPairingDurableObject` in their own DO
+ * class and forward `fetch` to it.
+ *
+ * Usage in a Worker project:
+ *
+ * ```ts
+ * // worker.ts
+ * import { AgentPairingDurableObject } from '@llui/agent/server/cloudflare'
+ *
+ * export class AgentDO {
+ *   private agent: AgentPairingDurableObject
+ *   constructor(_state: DurableObjectState, env: Env) {
+ *     this.agent = new AgentPairingDurableObject({
+ *       signingKey: env.AGENT_SIGNING_KEY,
+ *     })
+ *   }
+ *   fetch(req: Request): Promise<Response> {
+ *     return this.agent.fetch(req)
+ *   }
+ * }
+ *
+ * export default {
+ *   async fetch(req: Request, env: Env): Promise<Response> {
+ *     return routeToAgentDO(req, env.AGENT_DO, env.AGENT_SIGNING_KEY)
+ *   },
+ * }
+ * ```
+ *
+ * See `./worker.ts` for `routeToAgentDO` and the full wiring.
+ */
+import type { CoreOptions, AgentCoreHandle } from '../core.js';
+export type DurableObjectOptions = Omit<CoreOptions, 'registry'>;
+/**
+ * Agent server instance scoped to a single Durable Object. All
+ * pairing state lives in the DO's in-process memory — which is safe
+ * here because the DO is a persistent addressable entity, not a
+ * one-shot Worker isolate.
+ *
+ * Users instantiate one of these inside their DO class's constructor
+ * and delegate `fetch` to `agent.fetch(req)`. LAP HTTP routes and
+ * WebSocket upgrades both flow through this single entry.
+ */
+export declare class AgentPairingDurableObject {
+    readonly agent: AgentCoreHandle;
+    constructor(opts: DurableObjectOptions);
+    fetch(req: Request): Promise<Response>;
+}
+//# sourceMappingURL=durable-object.d.ts.map

package/dist/server/cloudflare/durable-object.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"durable-object.d.ts","sourceRoot":"","sources":["../../../src/server/cloudflare/durable-object.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAI9D,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAA;AAEhE;;;;;;;;;GASG;AACH,qBAAa,yBAAyB;IACpC,QAAQ,CAAC,KAAK,EAAE,eAAe,CAAA;gBAEnB,IAAI,EAAE,oBAAoB;IAIhC,KAAK,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;CAgB7C"}

package/dist/server/cloudflare/durable-object.js

@@ -0,0 +1,33 @@
+import { createLluiAgentCore } from '../core.js';
+import { handleCloudflareUpgrade } from '../web/upgrade.js';
+/**
+ * Agent server instance scoped to a single Durable Object. All
+ * pairing state lives in the DO's in-process memory — which is safe
+ * here because the DO is a persistent addressable entity, not a
+ * one-shot Worker isolate.
+ *
+ * Users instantiate one of these inside their DO class's constructor
+ * and delegate `fetch` to `agent.fetch(req)`. LAP HTTP routes and
+ * WebSocket upgrades both flow through this single entry.
+ */
+export class AgentPairingDurableObject {
+    agent;
+    constructor(opts) {
+        this.agent = createLluiAgentCore(opts);
+    }
+    async fetch(req) {
+        const url = new URL(req.url);
+        // LAP routes (/agent/lap/v1/*, /agent/*). `router` returns null
+        // for non-matching paths so we can fall through to the upgrade.
+        const lapRes = await this.agent.router(req);
+        if (lapRes)
+            return lapRes;
+        // WebSocket upgrade — uses `WebSocketPair`, which only exists in
+        // Cloudflare Workers.
+        if (url.pathname === '/agent/ws') {
+            return handleCloudflareUpgrade(req, this.agent);
+        }
+        return new Response('Not Found', { status: 404 });
+    }
+}
+//# sourceMappingURL=durable-object.js.map

package/dist/server/cloudflare/durable-object.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"durable-object.js","sourceRoot":"","sources":["../../../src/server/cloudflare/durable-object.ts"],"names":[],"mappings":"AAyCA,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAA;AAChD,OAAO,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAA;AAI3D;;;;;;;;;GASG;AACH,MAAM,OAAO,yBAAyB;IAC3B,KAAK,CAAiB;IAE/B,YAAY,IAA0B;QACpC,IAAI,CAAC,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAA;IACxC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAY;QACtB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAE5B,gEAAgE;QAChE,gEAAgE;QAChE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAC3C,IAAI,MAAM;YAAE,OAAO,MAAM,CAAA;QAEzB,iEAAiE;QACjE,sBAAsB;QACtB,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACjC,OAAO,uBAAuB,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;QACjD,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IACnD,CAAC;CACF","sourcesContent":["/**\n * Durable Object helper for hosting the agent pairing + LAP surface\n * on Cloudflare Workers. One DO instance owns one `tid` — its\n * in-memory `PairingRegistry` survives across Worker isolate\n * invocations because the DO IS persistent.\n *\n * This file exports a class designed to be composed into a real\n * Durable Object in the user's Worker project. We intentionally\n * don't subclass `DurableObject` from `@cloudflare/workers-types` —\n * that dependency belongs to the user's project, not ours. Users\n * wrap an instance of `AgentPairingDurableObject` in their own DO\n * class and forward `fetch` to it.\n *\n * Usage in a Worker project:\n *\n * ```ts\n * // worker.ts\n * import { AgentPairingDurableObject } from '@llui/agent/server/cloudflare'\n *\n * export class AgentDO {\n *   private agent: AgentPairingDurableObject\n *   constructor(_state: DurableObjectState, env: Env) {\n *     this.agent = new AgentPairingDurableObject({\n *       signingKey: env.AGENT_SIGNING_KEY,\n *     })\n *   }\n *   fetch(req: Request): Promise<Response> {\n *     return this.agent.fetch(req)\n *   }\n * }\n *\n * export default {\n *   async fetch(req: Request, env: Env): Promise<Response> {\n *     return routeToAgentDO(req, env.AGENT_DO, env.AGENT_SIGNING_KEY)\n *   },\n * }\n * ```\n *\n * See `./worker.ts` for `routeToAgentDO` and the full wiring.\n */\nimport type { CoreOptions, AgentCoreHandle } from '../core.js'\nimport { createLluiAgentCore } from '../core.js'\nimport { handleCloudflareUpgrade } from '../web/upgrade.js'\n\nexport type DurableObjectOptions = Omit<CoreOptions, 'registry'>\n\n/**\n * Agent server instance scoped to a single Durable Object. All\n * pairing state lives in the DO's in-process memory — which is safe\n * here because the DO is a persistent addressable entity, not a\n * one-shot Worker isolate.\n *\n * Users instantiate one of these inside their DO class's constructor\n * and delegate `fetch` to `agent.fetch(req)`. LAP HTTP routes and\n * WebSocket upgrades both flow through this single entry.\n */\nexport class AgentPairingDurableObject {\n  readonly agent: AgentCoreHandle\n\n  constructor(opts: DurableObjectOptions) {\n    this.agent = createLluiAgentCore(opts)\n  }\n\n  async fetch(req: Request): Promise<Response> {\n    const url = new URL(req.url)\n\n    // LAP routes (/agent/lap/v1/*, /agent/*). `router` returns null\n    // for non-matching paths so we can fall through to the upgrade.\n    const lapRes = await this.agent.router(req)\n    if (lapRes) return lapRes\n\n    // WebSocket upgrade — uses `WebSocketPair`, which only exists in\n    // Cloudflare Workers.\n    if (url.pathname === '/agent/ws') {\n      return handleCloudflareUpgrade(req, this.agent)\n    }\n\n    return new Response('Not Found', { status: 404 })\n  }\n}\n"]}

package/dist/server/cloudflare/index.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Cloudflare Workers + Durable Object adapter. Use this sub-path
+ * from a Cloudflare Workers project where the agent pairing state
+ * lives inside a Durable Object.
+ *
+ * See the full deployment recipe at
+ * https://llui.dev/api/agent#cloudflare-deployment — the short
+ * version:
+ *
+ * ```ts
+ * import {
+ *   AgentPairingDurableObject,
+ *   routeToAgentDO,
+ * } from '@llui/agent/server/cloudflare'
+ *
+ * export class AgentDO {
+ *   private agent: AgentPairingDurableObject
+ *   constructor(_state: DurableObjectState, env: Env) {
+ *     this.agent = new AgentPairingDurableObject({
+ *       signingKey: env.AGENT_SIGNING_KEY,
+ *     })
+ *   }
+ *   fetch(req: Request) {
+ *     return this.agent.fetch(req)
+ *   }
+ * }
+ *
+ * export default {
+ *   async fetch(req: Request, env: Env) {
+ *     return routeToAgentDO(req, env.AGENT_DO, env.AGENT_SIGNING_KEY)
+ *   },
+ * }
+ * ```
+ *
+ * `wrangler.toml`:
+ * ```toml
+ * [[durable_objects.bindings]]
+ * name = "AGENT_DO"
+ * class_name = "AgentDO"
+ *
+ * [[migrations]]
+ * tag = "v1"
+ * new_classes = ["AgentDO"]
+ * ```
+ */
+export { AgentPairingDurableObject, type DurableObjectOptions } from './durable-object.js';
+export { routeToAgentDO, type MinimalDurableObjectNamespace, type MinimalDurableObjectId, type MinimalDurableObjectStub, } from './worker.js';
+export { createWHATWGPairingConnection, handleCloudflareUpgrade, extractToken, } from '../web/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/cloudflare/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/cloudflare/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,OAAO,EAAE,yBAAyB,EAAE,KAAK,oBAAoB,EAAE,MAAM,qBAAqB,CAAA;AAC1F,OAAO,EACL,cAAc,EACd,KAAK,6BAA6B,EAClC,KAAK,sBAAsB,EAC3B,KAAK,wBAAwB,GAC9B,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,6BAA6B,EAC7B,uBAAuB,EACvB,YAAY,GACb,MAAM,iBAAiB,CAAA"}

package/dist/server/cloudflare/index.js

@@ -0,0 +1,49 @@
+/**
+ * Cloudflare Workers + Durable Object adapter. Use this sub-path
+ * from a Cloudflare Workers project where the agent pairing state
+ * lives inside a Durable Object.
+ *
+ * See the full deployment recipe at
+ * https://llui.dev/api/agent#cloudflare-deployment — the short
+ * version:
+ *
+ * ```ts
+ * import {
+ *   AgentPairingDurableObject,
+ *   routeToAgentDO,
+ * } from '@llui/agent/server/cloudflare'
+ *
+ * export class AgentDO {
+ *   private agent: AgentPairingDurableObject
+ *   constructor(_state: DurableObjectState, env: Env) {
+ *     this.agent = new AgentPairingDurableObject({
+ *       signingKey: env.AGENT_SIGNING_KEY,
+ *     })
+ *   }
+ *   fetch(req: Request) {
+ *     return this.agent.fetch(req)
+ *   }
+ * }
+ *
+ * export default {
+ *   async fetch(req: Request, env: Env) {
+ *     return routeToAgentDO(req, env.AGENT_DO, env.AGENT_SIGNING_KEY)
+ *   },
+ * }
+ * ```
+ *
+ * `wrangler.toml`:
+ * ```toml
+ * [[durable_objects.bindings]]
+ * name = "AGENT_DO"
+ * class_name = "AgentDO"
+ *
+ * [[migrations]]
+ * tag = "v1"
+ * new_classes = ["AgentDO"]
+ * ```
+ */
+export { AgentPairingDurableObject } from './durable-object.js';
+export { routeToAgentDO, } from './worker.js';
+export { createWHATWGPairingConnection, handleCloudflareUpgrade, extractToken, } from '../web/index.js';
+//# sourceMappingURL=index.js.map

package/dist/server/cloudflare/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/cloudflare/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,OAAO,EAAE,yBAAyB,EAA6B,MAAM,qBAAqB,CAAA;AAC1F,OAAO,EACL,cAAc,GAIf,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,6BAA6B,EAC7B,uBAAuB,EACvB,YAAY,GACb,MAAM,iBAAiB,CAAA","sourcesContent":["/**\n * Cloudflare Workers + Durable Object adapter. Use this sub-path\n * from a Cloudflare Workers project where the agent pairing state\n * lives inside a Durable Object.\n *\n * See the full deployment recipe at\n * https://llui.dev/api/agent#cloudflare-deployment — the short\n * version:\n *\n * ```ts\n * import {\n *   AgentPairingDurableObject,\n *   routeToAgentDO,\n * } from '@llui/agent/server/cloudflare'\n *\n * export class AgentDO {\n *   private agent: AgentPairingDurableObject\n *   constructor(_state: DurableObjectState, env: Env) {\n *     this.agent = new AgentPairingDurableObject({\n *       signingKey: env.AGENT_SIGNING_KEY,\n *     })\n *   }\n *   fetch(req: Request) {\n *     return this.agent.fetch(req)\n *   }\n * }\n *\n * export default {\n *   async fetch(req: Request, env: Env) {\n *     return routeToAgentDO(req, env.AGENT_DO, env.AGENT_SIGNING_KEY)\n *   },\n * }\n * ```\n *\n * `wrangler.toml`:\n * ```toml\n * [[durable_objects.bindings]]\n * name = \"AGENT_DO\"\n * class_name = \"AgentDO\"\n *\n * [[migrations]]\n * tag = \"v1\"\n * new_classes = [\"AgentDO\"]\n * ```\n */\nexport { AgentPairingDurableObject, type DurableObjectOptions } from './durable-object.js'\nexport {\n  routeToAgentDO,\n  type MinimalDurableObjectNamespace,\n  type MinimalDurableObjectId,\n  type MinimalDurableObjectStub,\n} from './worker.js'\nexport {\n  createWHATWGPairingConnection,\n  handleCloudflareUpgrade,\n  extractToken,\n} from '../web/index.js'\n"]}

package/dist/server/cloudflare/worker.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Minimal DurableObjectNamespace surface we need — `idFromName` +
+ * `get` returning a `Stub` with `fetch(req)`. Kept structural so we
+ * don't depend on `@cloudflare/workers-types` (the user's project has
+ * them; we shouldn't duplicate).
+ */
+export interface MinimalDurableObjectNamespace {
+    idFromName(name: string): MinimalDurableObjectId;
+    get(id: MinimalDurableObjectId): MinimalDurableObjectStub;
+}
+export interface MinimalDurableObjectId {
+    readonly name?: string;
+}
+export interface MinimalDurableObjectStub {
+    fetch(req: Request): Promise<Response>;
+}
+/**
+ * Route an incoming Worker `fetch` request to the Durable Object
+ * that owns its `tid`.
+ *
+ * The token travels in three places depending on the route:
+ *   - LAP HTTP calls: `Authorization: Bearer <token>` header
+ *   - Mint / resume HTTP calls: no token (identity resolver runs
+ *     inside the DO via the LAP router; we route by origin or a
+ *     special `/agent/mint` path — see below)
+ *   - WebSocket upgrade: `?token=<token>` in the URL
+ *
+ * Requests that don't carry a tid (mint, resume-list, sessions) are
+ * routed to a "root" DO named `__root`, which handles identity /
+ * token store operations centrally. LAP and WS calls route to the
+ * per-tid DO so the pairing state stays local.
+ *
+ * This is the recommended entry for Cloudflare Workers deployments;
+ * users who need custom routing can write their own and call the
+ * underlying primitives (`verifyToken`, `namespace.get`, etc).
+ */
+export declare function routeToAgentDO(req: Request, namespace: MinimalDurableObjectNamespace, signingKey: string | Uint8Array, opts?: {
+    rootName?: string;
+}): Promise<Response>;
+//# sourceMappingURL=worker.d.ts.map

package/dist/server/cloudflare/worker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"worker.d.ts","sourceRoot":"","sources":["../../../src/server/cloudflare/worker.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,MAAM,WAAW,6BAA6B;IAC5C,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,sBAAsB,CAAA;IAChD,GAAG,CAAC,EAAE,EAAE,sBAAsB,GAAG,wBAAwB,CAAA;CAC1D;AACD,MAAM,WAAW,sBAAsB;IAErC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CACvB;AACD,MAAM,WAAW,wBAAwB;IACvC,KAAK,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;CACvC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,OAAO,EACZ,SAAS,EAAE,6BAA6B,EACxC,UAAU,EAAE,MAAM,GAAG,UAAU,EAC/B,IAAI,GAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAO,GAC/B,OAAO,CAAC,QAAQ,CAAC,CA4BnB"}

package/dist/server/cloudflare/worker.js

@@ -0,0 +1,55 @@
+import { verifyToken } from '../token.js';
+/**
+ * Route an incoming Worker `fetch` request to the Durable Object
+ * that owns its `tid`.
+ *
+ * The token travels in three places depending on the route:
+ *   - LAP HTTP calls: `Authorization: Bearer <token>` header
+ *   - Mint / resume HTTP calls: no token (identity resolver runs
+ *     inside the DO via the LAP router; we route by origin or a
+ *     special `/agent/mint` path — see below)
+ *   - WebSocket upgrade: `?token=<token>` in the URL
+ *
+ * Requests that don't carry a tid (mint, resume-list, sessions) are
+ * routed to a "root" DO named `__root`, which handles identity /
+ * token store operations centrally. LAP and WS calls route to the
+ * per-tid DO so the pairing state stays local.
+ *
+ * This is the recommended entry for Cloudflare Workers deployments;
+ * users who need custom routing can write their own and call the
+ * underlying primitives (`verifyToken`, `namespace.get`, etc).
+ */
+export async function routeToAgentDO(req, namespace, signingKey, opts = {}) {
+    const rootName = opts.rootName ?? '__root';
+    const url = new URL(req.url);
+    const path = url.pathname;
+    // Non-LAP / non-WS management endpoints (mint, resume, sessions,
+    // revoke) — there's no per-tid routing; use the root DO which owns
+    // the shared token store + identity resolver.
+    if (path === '/agent/mint' ||
+        path === '/agent/revoke' ||
+        path === '/agent/resume/list' ||
+        path === '/agent/resume/claim' ||
+        path === '/agent/sessions') {
+        const stub = namespace.get(namespace.idFromName(rootName));
+        return stub.fetch(req);
+    }
+    // Token-bearing routes (LAP + WS upgrade) — route by tid.
+    const token = extractTokenFromRequest(req);
+    if (!token)
+        return new Response('Unauthorized', { status: 401 });
+    const verified = await verifyToken(token, signingKey);
+    if (verified.kind !== 'ok')
+        return new Response('Unauthorized', { status: 401 });
+    const stub = namespace.get(namespace.idFromName(verified.payload.tid));
+    return stub.fetch(req);
+}
+function extractTokenFromRequest(req) {
+    const auth = req.headers.get('authorization');
+    if (auth?.startsWith('Bearer '))
+        return auth.slice('Bearer '.length);
+    const url = new URL(req.url);
+    const q = url.searchParams.get('token');
+    return q;
+}
+//# sourceMappingURL=worker.js.map

package/dist/server/cloudflare/worker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"worker.js","sourceRoot":"","sources":["../../../src/server/cloudflare/worker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAoBzC;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAY,EACZ,SAAwC,EACxC,UAA+B,EAC/B,OAA8B,EAAE;IAEhC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAA;IAC1C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC5B,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAA;IAEzB,iEAAiE;IACjE,mEAAmE;IACnE,8CAA8C;IAC9C,IACE,IAAI,KAAK,aAAa;QACtB,IAAI,KAAK,eAAe;QACxB,IAAI,KAAK,oBAAoB;QAC7B,IAAI,KAAK,qBAAqB;QAC9B,IAAI,KAAK,iBAAiB,EAC1B,CAAC;QACD,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAA;QAC1D,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACxB,CAAC;IAED,0DAA0D;IAC1D,MAAM,KAAK,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAA;IAC1C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,QAAQ,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IAEhE,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,UAAU,CAAC,CAAA;IACrD,IAAI,QAAQ,CAAC,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,QAAQ,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IAEhF,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAA;IACtE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;AACxB,CAAC;AAED,SAAS,uBAAuB,CAAC,GAAY;IAC3C,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;IAC7C,IAAI,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;IACpE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC5B,MAAM,CAAC,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IACvC,OAAO,CAAC,CAAA;AACV,CAAC","sourcesContent":["import { verifyToken } from '../token.js'\n\n/**\n * Minimal DurableObjectNamespace surface we need — `idFromName` +\n * `get` returning a `Stub` with `fetch(req)`. Kept structural so we\n * don't depend on `@cloudflare/workers-types` (the user's project has\n * them; we shouldn't duplicate).\n */\nexport interface MinimalDurableObjectNamespace {\n  idFromName(name: string): MinimalDurableObjectId\n  get(id: MinimalDurableObjectId): MinimalDurableObjectStub\n}\nexport interface MinimalDurableObjectId {\n  // Opaque, but DO ids are passed back into `namespace.get()`.\n  readonly name?: string\n}\nexport interface MinimalDurableObjectStub {\n  fetch(req: Request): Promise<Response>\n}\n\n/**\n * Route an incoming Worker `fetch` request to the Durable Object\n * that owns its `tid`.\n *\n * The token travels in three places depending on the route:\n *   - LAP HTTP calls: `Authorization: Bearer <token>` header\n *   - Mint / resume HTTP calls: no token (identity resolver runs\n *     inside the DO via the LAP router; we route by origin or a\n *     special `/agent/mint` path — see below)\n *   - WebSocket upgrade: `?token=<token>` in the URL\n *\n * Requests that don't carry a tid (mint, resume-list, sessions) are\n * routed to a \"root\" DO named `__root`, which handles identity /\n * token store operations centrally. LAP and WS calls route to the\n * per-tid DO so the pairing state stays local.\n *\n * This is the recommended entry for Cloudflare Workers deployments;\n * users who need custom routing can write their own and call the\n * underlying primitives (`verifyToken`, `namespace.get`, etc).\n */\nexport async function routeToAgentDO(\n  req: Request,\n  namespace: MinimalDurableObjectNamespace,\n  signingKey: string | Uint8Array,\n  opts: { rootName?: string } = {},\n): Promise<Response> {\n  const rootName = opts.rootName ?? '__root'\n  const url = new URL(req.url)\n  const path = url.pathname\n\n  // Non-LAP / non-WS management endpoints (mint, resume, sessions,\n  // revoke) — there's no per-tid routing; use the root DO which owns\n  // the shared token store + identity resolver.\n  if (\n    path === '/agent/mint' ||\n    path === '/agent/revoke' ||\n    path === '/agent/resume/list' ||\n    path === '/agent/resume/claim' ||\n    path === '/agent/sessions'\n  ) {\n    const stub = namespace.get(namespace.idFromName(rootName))\n    return stub.fetch(req)\n  }\n\n  // Token-bearing routes (LAP + WS upgrade) — route by tid.\n  const token = extractTokenFromRequest(req)\n  if (!token) return new Response('Unauthorized', { status: 401 })\n\n  const verified = await verifyToken(token, signingKey)\n  if (verified.kind !== 'ok') return new Response('Unauthorized', { status: 401 })\n\n  const stub = namespace.get(namespace.idFromName(verified.payload.tid))\n  return stub.fetch(req)\n}\n\nfunction extractTokenFromRequest(req: Request): string | null {\n  const auth = req.headers.get('authorization')\n  if (auth?.startsWith('Bearer ')) return auth.slice('Bearer '.length)\n  const url = new URL(req.url)\n  const q = url.searchParams.get('token')\n  return q\n}\n"]}

package/dist/server/core-entry.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Runtime-neutral entry point. Import from `@llui/agent/server/core`
+ * when targeting runtimes without the Node `ws` library (Cloudflare
+ * Workers, Deno, Bun, Deno Deploy). Pair with
+ * `@llui/agent/server/web` for WebSocket upgrade helpers.
+ *
+ * Node/standard server processes should keep using the default
+ * `@llui/agent/server` entry, which includes this plus the `ws`-based
+ * upgrade handler.
+ */
+export { createLluiAgentCore } from './core.js';
+export type { CoreOptions, AgentCoreHandle, AcceptResult } from './core.js';
+export { InMemoryPairingRegistry } from './ws/pairing-registry.js';
+export type { PairingConnection, PairingRegistry, FrameSubscriber } from './ws/pairing-registry.js';
+export { rpc, waitForConfirm, waitForChange } from './ws/rpc.js';
+export type { RpcOptions, RpcError } from './ws/rpc.js';
+export { InMemoryTokenStore } from './token-store.js';
+export type { TokenStore } from './token-store.js';
+export { defaultIdentityResolver, signCookieValue } from './identity.js';
+export type { IdentityResolver } from './identity.js';
+export { consoleAuditSink } from './audit.js';
+export type { AuditSink } from './audit.js';
+export { defaultRateLimiter } from './rate-limit.js';
+export type { RateLimiter } from './rate-limit.js';
+export { signToken, verifyToken } from './token.js';
+export type { TokenPayload, VerifyResult } from './token.js';
+//# sourceMappingURL=core-entry.d.ts.map

package/dist/server/core-entry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"core-entry.d.ts","sourceRoot":"","sources":["../../src/server/core-entry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAA;AAC/C,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,WAAW,CAAA;AAC3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAA;AAClE,YAAY,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAA;AACnG,OAAO,EAAE,GAAG,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAChE,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AACrD,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AACxE,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAC7C,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAC3C,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,YAAY,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AACnD,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA"}

package/dist/server/core-entry.js

@@ -0,0 +1,19 @@
+/**
+ * Runtime-neutral entry point. Import from `@llui/agent/server/core`
+ * when targeting runtimes without the Node `ws` library (Cloudflare
+ * Workers, Deno, Bun, Deno Deploy). Pair with
+ * `@llui/agent/server/web` for WebSocket upgrade helpers.
+ *
+ * Node/standard server processes should keep using the default
+ * `@llui/agent/server` entry, which includes this plus the `ws`-based
+ * upgrade handler.
+ */
+export { createLluiAgentCore } from './core.js';
+export { InMemoryPairingRegistry } from './ws/pairing-registry.js';
+export { rpc, waitForConfirm, waitForChange } from './ws/rpc.js';
+export { InMemoryTokenStore } from './token-store.js';
+export { defaultIdentityResolver, signCookieValue } from './identity.js';
+export { consoleAuditSink } from './audit.js';
+export { defaultRateLimiter } from './rate-limit.js';
+export { signToken, verifyToken } from './token.js';
+//# sourceMappingURL=core-entry.js.map

package/dist/server/core-entry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core-entry.js","sourceRoot":"","sources":["../../src/server/core-entry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAA;AAE/C,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAA;AAElE,OAAO,EAAE,GAAG,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAEhE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AAErD,OAAO,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAExE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAE7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AAEpD,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA","sourcesContent":["/**\n * Runtime-neutral entry point. Import from `@llui/agent/server/core`\n * when targeting runtimes without the Node `ws` library (Cloudflare\n * Workers, Deno, Bun, Deno Deploy). Pair with\n * `@llui/agent/server/web` for WebSocket upgrade helpers.\n *\n * Node/standard server processes should keep using the default\n * `@llui/agent/server` entry, which includes this plus the `ws`-based\n * upgrade handler.\n */\nexport { createLluiAgentCore } from './core.js'\nexport type { CoreOptions, AgentCoreHandle, AcceptResult } from './core.js'\nexport { InMemoryPairingRegistry } from './ws/pairing-registry.js'\nexport type { PairingConnection, PairingRegistry, FrameSubscriber } from './ws/pairing-registry.js'\nexport { rpc, waitForConfirm, waitForChange } from './ws/rpc.js'\nexport type { RpcOptions, RpcError } from './ws/rpc.js'\nexport { InMemoryTokenStore } from './token-store.js'\nexport type { TokenStore } from './token-store.js'\nexport { defaultIdentityResolver, signCookieValue } from './identity.js'\nexport type { IdentityResolver } from './identity.js'\nexport { consoleAuditSink } from './audit.js'\nexport type { AuditSink } from './audit.js'\nexport { defaultRateLimiter } from './rate-limit.js'\nexport type { RateLimiter } from './rate-limit.js'\nexport { signToken, verifyToken } from './token.js'\nexport type { TokenPayload, VerifyResult } from './token.js'\n"]}

package/dist/server/core.d.ts

@@ -0,0 +1,78 @@
+/**
+ * Runtime-neutral core of the LLui agent server. Exports everything
+ * that works on any runtime with `crypto.subtle` + `Request`/`Response`
+ * + long-lived connection primitives — in practice: Node, Bun, Deno,
+ * Deno Deploy, Cloudflare Workers + Durable Objects.
+ *
+ * Intentionally does NOT import the `ws` library or any `node:*`
+ * modules. Node-specific wiring lives in `./factory.ts`
+ * (`createLluiAgentServer`); web runtimes use `./web/` adapters on
+ * top of this core.
+ */
+import type { ServerOptions } from './options.js';
+import type { TokenStore } from './token-store.js';
+import type { IdentityResolver } from './identity.js';
+import type { AuditSink } from './audit.js';
+import type { RateLimiter } from './rate-limit.js';
+import type { PairingConnection, PairingRegistry } from './ws/pairing-registry.js';
+/**
+ * Options accepted by `createLluiAgentCore`. Strict subset of
+ * `ServerOptions` — everything needed to build the router, registry,
+ * and accept-connection primitive. The Node factory adds WebSocket
+ * upgrade wiring on top.
+ */
+export type CoreOptions = {
+    signingKey: ServerOptions['signingKey'];
+    tokenStore?: TokenStore;
+    identityResolver?: IdentityResolver;
+    auditSink?: AuditSink;
+    rateLimiter?: RateLimiter;
+    lapBasePath?: string;
+    /**
+     * Override the default `InMemoryPairingRegistry`. Web runtimes that
+     * need a different pairing implementation (e.g. a Cloudflare
+     * Durable Object that persists across isolates) pass it here.
+     */
+    registry?: PairingRegistry;
+};
+export type AcceptResult = {
+    ok: true;
+    tid: string;
+} | {
+    ok: false;
+    status: number;
+    code: 'auth-failed' | 'revoked';
+};
+/**
+ * Handle returned by `createLluiAgentCore`. Purely runtime-neutral —
+ * `router` is a Fetch-style handler, `acceptConnection` is the
+ * primitive that runtime-specific WebSocket adapters call after
+ * accepting a socket in their native way.
+ */
+export type AgentCoreHandle = {
+    router: (req: Request) => Promise<Response | null>;
+    registry: PairingRegistry;
+    tokenStore: TokenStore;
+    auditSink: AuditSink;
+    /**
+     * Validate an agent token and register a `PairingConnection` with
+     * the registry. Use this after accepting a WebSocket upgrade via
+     * your runtime's native API (e.g. `WebSocketPair` on Cloudflare,
+     * `Deno.upgradeWebSocket` on Deno, `server.upgrade` on Bun).
+     *
+     * On success: marks the token `awaiting-claude`, writes an audit
+     * entry, and returns `{ok: true, tid}`. On failure: returns an
+     * appropriate HTTP status for the caller to encode into the
+     * upgrade response (401 for auth failure, 403 for revoked).
+     */
+    acceptConnection: (token: string, conn: PairingConnection) => Promise<AcceptResult>;
+};
+/**
+ * Compose the runtime-neutral agent server. The returned handle has
+ * everything the LAP HTTP routes and the WebSocket acceptance
+ * plumbing need; runtime adapters wire the native upgrade API on
+ * top (see `@llui/agent/server` for Node, `@llui/agent/server/web`
+ * for WHATWG runtimes).
+ */
+export declare function createLluiAgentCore(opts: CoreOptions): AgentCoreHandle;
+//# sourceMappingURL=core.d.ts.map

package/dist/server/core.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"core.d.ts","sourceRoot":"","sources":["../../src/server/core.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AACjD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AACrD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAC3C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAClD,OAAO,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAA;AAWlF;;;;;GAKG;AACH,MAAM,MAAM,WAAW,GAAG;IACxB,UAAU,EAAE,aAAa,CAAC,YAAY,CAAC,CAAA;IACvC,UAAU,CAAC,EAAE,UAAU,CAAA;IACvB,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IACnC,SAAS,CAAC,EAAE,SAAS,CAAA;IACrB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,eAAe,CAAA;CAC3B,CAAA;AAED,MAAM,MAAM,YAAY,GACpB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GACzB;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,aAAa,GAAG,SAAS,CAAA;CAAE,CAAA;AAElE;;;;;GAKG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,MAAM,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAClD,QAAQ,EAAE,eAAe,CAAA;IACzB,UAAU,EAAE,UAAU,CAAA;IACtB,SAAS,EAAE,SAAS,CAAA;IACpB;;;;;;;;;;OAUG;IACH,gBAAgB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,KAAK,OAAO,CAAC,YAAY,CAAC,CAAA;CACpF,CAAA;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,WAAW,GAAG,eAAe,CA2EtE"}

package/dist/server/core.js

@@ -0,0 +1,84 @@
+import { InMemoryTokenStore } from './token-store.js';
+import { consoleAuditSink } from './audit.js';
+import { defaultRateLimiter } from './rate-limit.js';
+import { createHttpRouter } from './http/router.js';
+import { createLapRouter } from './lap/router.js';
+import { InMemoryPairingRegistry } from './ws/pairing-registry.js';
+import { verifyToken } from './token.js';
+const ANONYMOUS_RESOLVER = async () => null;
+/**
+ * Compose the runtime-neutral agent server. The returned handle has
+ * everything the LAP HTTP routes and the WebSocket acceptance
+ * plumbing need; runtime adapters wire the native upgrade API on
+ * top (see `@llui/agent/server` for Node, `@llui/agent/server/web`
+ * for WHATWG runtimes).
+ */
+export function createLluiAgentCore(opts) {
+    if (!opts.signingKey) {
+        throw new Error('createLluiAgentCore: signingKey is required');
+    }
+    const tokenStore = opts.tokenStore ?? new InMemoryTokenStore();
+    const identityResolver = opts.identityResolver ?? ANONYMOUS_RESOLVER;
+    const auditSink = opts.auditSink ?? consoleAuditSink;
+    const rateLimiter = opts.rateLimiter ?? defaultRateLimiter({ perBucket: '30/minute' });
+    const lapBasePath = opts.lapBasePath ?? '/agent/lap/v1';
+    const registry = opts.registry ??
+        new InMemoryPairingRegistry({
+            onLogAppend: (tid, entry) => {
+                void auditSink.write({
+                    at: entry.at,
+                    tid,
+                    uid: null,
+                    event: 'lap-call',
+                    detail: {
+                        source: 'client-log',
+                        kind: entry.kind,
+                        variant: entry.variant,
+                        intent: entry.intent,
+                    },
+                });
+            },
+        });
+    const httpRouter = createHttpRouter({
+        signingKey: opts.signingKey,
+        tokenStore,
+        identityResolver,
+        auditSink,
+        lapBasePath,
+    });
+    const lapRouter = createLapRouter({
+        signingKey: opts.signingKey,
+        tokenStore,
+        registry,
+        auditSink,
+        rateLimiter,
+    }, lapBasePath);
+    const router = async (req) => {
+        const lapRes = await lapRouter(req);
+        if (lapRes)
+            return lapRes;
+        return httpRouter(req);
+    };
+    const acceptConnection = async (token, conn) => {
+        const verified = await verifyToken(token, opts.signingKey);
+        if (verified.kind !== 'ok')
+            return { ok: false, status: 401, code: 'auth-failed' };
+        const { tid } = verified.payload;
+        const rec = await tokenStore.findByTid(tid);
+        if (!rec || rec.status === 'revoked')
+            return { ok: false, status: 403, code: 'revoked' };
+        registry.register(tid, conn);
+        const nowMs = Date.now();
+        await tokenStore.markAwaitingClaude(tid, nowMs);
+        await auditSink.write({
+            at: nowMs,
+            tid,
+            uid: null,
+            event: 'claim',
+            detail: { transport: 'ws' },
+        });
+        return { ok: true, tid };
+    };
+    return { router, registry, tokenStore, auditSink, acceptConnection };
+}
+//# sourceMappingURL=core.js.map

package/dist/server/core.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core.js","sourceRoot":"","sources":["../../src/server/core.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAA;AAClE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAExC,MAAM,kBAAkB,GAAqB,KAAK,IAAI,EAAE,CAAC,IAAI,CAAA;AAoD7D;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAiB;IACnD,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAA;IAChE,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,IAAI,kBAAkB,EAAE,CAAA;IAC9D,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,IAAI,kBAAkB,CAAA;IACpE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,gBAAgB,CAAA;IACpD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,kBAAkB,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAA;IACtF,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,eAAe,CAAA;IAEvD,MAAM,QAAQ,GACZ,IAAI,CAAC,QAAQ;QACb,IAAI,uBAAuB,CAAC;YAC1B,WAAW,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;gBAC1B,KAAK,SAAS,CAAC,KAAK,CAAC;oBACnB,EAAE,EAAE,KAAK,CAAC,EAAE;oBACZ,GAAG;oBACH,GAAG,EAAE,IAAI;oBACT,KAAK,EAAE,UAAU;oBACjB,MAAM,EAAE;wBACN,MAAM,EAAE,YAAY;wBACpB,IAAI,EAAE,KAAK,CAAC,IAAI;wBAChB,OAAO,EAAE,KAAK,CAAC,OAAO;wBACtB,MAAM,EAAE,KAAK,CAAC,MAAM;qBACrB;iBACF,CAAC,CAAA;YACJ,CAAC;SACF,CAAC,CAAA;IAEJ,MAAM,UAAU,GAAG,gBAAgB,CAAC;QAClC,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,UAAU;QACV,gBAAgB;QAChB,SAAS;QACT,WAAW;KACZ,CAAC,CAAA;IAEF,MAAM,SAAS,GAAG,eAAe,CAC/B;QACE,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,UAAU;QACV,QAAQ;QACR,SAAS;QACT,WAAW;KACZ,EACD,WAAW,CACZ,CAAA;IAED,MAAM,MAAM,GAA8B,KAAK,EAAE,GAAG,EAAE,EAAE;QACtD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAA;QACnC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAA;QACzB,OAAO,UAAU,CAAC,GAAG,CAAC,CAAA;IACxB,CAAC,CAAA;IAED,MAAM,gBAAgB,GAAwC,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAClF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;QAC1D,IAAI,QAAQ,CAAC,IAAI,KAAK,IAAI;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,aAAa,EAAE,CAAA;QAClF,MAAM,EAAE,GAAG,EAAE,GAAG,QAAQ,CAAC,OAAO,CAAA;QAChC,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;QAC3C,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,CAAA;QACxF,QAAQ,CAAC,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACxB,MAAM,UAAU,CAAC,kBAAkB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;QAC/C,MAAM,SAAS,CAAC,KAAK,CAAC;YACpB,EAAE,EAAE,KAAK;YACT,GAAG;YACH,GAAG,EAAE,IAAI;YACT,KAAK,EAAE,OAAO;YACd,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE;SAC5B,CAAC,CAAA;QACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAA;IAC1B,CAAC,CAAA;IAED,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,gBAAgB,EAAE,CAAA;AACtE,CAAC","sourcesContent":["/**\n * Runtime-neutral core of the LLui agent server. Exports everything\n * that works on any runtime with `crypto.subtle` + `Request`/`Response`\n * + long-lived connection primitives — in practice: Node, Bun, Deno,\n * Deno Deploy, Cloudflare Workers + Durable Objects.\n *\n * Intentionally does NOT import the `ws` library or any `node:*`\n * modules. Node-specific wiring lives in `./factory.ts`\n * (`createLluiAgentServer`); web runtimes use `./web/` adapters on\n * top of this core.\n */\nimport type { ServerOptions } from './options.js'\nimport type { TokenStore } from './token-store.js'\nimport type { IdentityResolver } from './identity.js'\nimport type { AuditSink } from './audit.js'\nimport type { RateLimiter } from './rate-limit.js'\nimport type { PairingConnection, PairingRegistry } from './ws/pairing-registry.js'\nimport { InMemoryTokenStore } from './token-store.js'\nimport { consoleAuditSink } from './audit.js'\nimport { defaultRateLimiter } from './rate-limit.js'\nimport { createHttpRouter } from './http/router.js'\nimport { createLapRouter } from './lap/router.js'\nimport { InMemoryPairingRegistry } from './ws/pairing-registry.js'\nimport { verifyToken } from './token.js'\n\nconst ANONYMOUS_RESOLVER: IdentityResolver = async () => null\n\n/**\n * Options accepted by `createLluiAgentCore`. Strict subset of\n * `ServerOptions` — everything needed to build the router, registry,\n * and accept-connection primitive. The Node factory adds WebSocket\n * upgrade wiring on top.\n */\nexport type CoreOptions = {\n  signingKey: ServerOptions['signingKey']\n  tokenStore?: TokenStore\n  identityResolver?: IdentityResolver\n  auditSink?: AuditSink\n  rateLimiter?: RateLimiter\n  lapBasePath?: string\n  /**\n   * Override the default `InMemoryPairingRegistry`. Web runtimes that\n   * need a different pairing implementation (e.g. a Cloudflare\n   * Durable Object that persists across isolates) pass it here.\n   */\n  registry?: PairingRegistry\n}\n\nexport type AcceptResult =\n  | { ok: true; tid: string }\n  | { ok: false; status: number; code: 'auth-failed' | 'revoked' }\n\n/**\n * Handle returned by `createLluiAgentCore`. Purely runtime-neutral —\n * `router` is a Fetch-style handler, `acceptConnection` is the\n * primitive that runtime-specific WebSocket adapters call after\n * accepting a socket in their native way.\n */\nexport type AgentCoreHandle = {\n  router: (req: Request) => Promise<Response | null>\n  registry: PairingRegistry\n  tokenStore: TokenStore\n  auditSink: AuditSink\n  /**\n   * Validate an agent token and register a `PairingConnection` with\n   * the registry. Use this after accepting a WebSocket upgrade via\n   * your runtime's native API (e.g. `WebSocketPair` on Cloudflare,\n   * `Deno.upgradeWebSocket` on Deno, `server.upgrade` on Bun).\n   *\n   * On success: marks the token `awaiting-claude`, writes an audit\n   * entry, and returns `{ok: true, tid}`. On failure: returns an\n   * appropriate HTTP status for the caller to encode into the\n   * upgrade response (401 for auth failure, 403 for revoked).\n   */\n  acceptConnection: (token: string, conn: PairingConnection) => Promise<AcceptResult>\n}\n\n/**\n * Compose the runtime-neutral agent server. The returned handle has\n * everything the LAP HTTP routes and the WebSocket acceptance\n * plumbing need; runtime adapters wire the native upgrade API on\n * top (see `@llui/agent/server` for Node, `@llui/agent/server/web`\n * for WHATWG runtimes).\n */\nexport function createLluiAgentCore(opts: CoreOptions): AgentCoreHandle {\n  if (!opts.signingKey) {\n    throw new Error('createLluiAgentCore: signingKey is required')\n  }\n\n  const tokenStore = opts.tokenStore ?? new InMemoryTokenStore()\n  const identityResolver = opts.identityResolver ?? ANONYMOUS_RESOLVER\n  const auditSink = opts.auditSink ?? consoleAuditSink\n  const rateLimiter = opts.rateLimiter ?? defaultRateLimiter({ perBucket: '30/minute' })\n  const lapBasePath = opts.lapBasePath ?? '/agent/lap/v1'\n\n  const registry: PairingRegistry =\n    opts.registry ??\n    new InMemoryPairingRegistry({\n      onLogAppend: (tid, entry) => {\n        void auditSink.write({\n          at: entry.at,\n          tid,\n          uid: null,\n          event: 'lap-call',\n          detail: {\n            source: 'client-log',\n            kind: entry.kind,\n            variant: entry.variant,\n            intent: entry.intent,\n          },\n        })\n      },\n    })\n\n  const httpRouter = createHttpRouter({\n    signingKey: opts.signingKey,\n    tokenStore,\n    identityResolver,\n    auditSink,\n    lapBasePath,\n  })\n\n  const lapRouter = createLapRouter(\n    {\n      signingKey: opts.signingKey,\n      tokenStore,\n      registry,\n      auditSink,\n      rateLimiter,\n    },\n    lapBasePath,\n  )\n\n  const router: AgentCoreHandle['router'] = async (req) => {\n    const lapRes = await lapRouter(req)\n    if (lapRes) return lapRes\n    return httpRouter(req)\n  }\n\n  const acceptConnection: AgentCoreHandle['acceptConnection'] = async (token, conn) => {\n    const verified = await verifyToken(token, opts.signingKey)\n    if (verified.kind !== 'ok') return { ok: false, status: 401, code: 'auth-failed' }\n    const { tid } = verified.payload\n    const rec = await tokenStore.findByTid(tid)\n    if (!rec || rec.status === 'revoked') return { ok: false, status: 403, code: 'revoked' }\n    registry.register(tid, conn)\n    const nowMs = Date.now()\n    await tokenStore.markAwaitingClaude(tid, nowMs)\n    await auditSink.write({\n      at: nowMs,\n      tid,\n      uid: null,\n      event: 'claim',\n      detail: { transport: 'ws' },\n    })\n    return { ok: true, tid }\n  }\n\n  return { router, registry, tokenStore, auditSink, acceptConnection }\n}\n"]}

package/dist/server/factory.d.ts

@@ -1,8 +1,10 @@
 import type { ServerOptions, AgentServerHandle } from './options.js';
 /**
- * Compose the server from its (defaulted) parts. Returns a handle with a
- * `router` that dispatches `/agent/lap/v1/*` (LAP, checked first) then
- * `/agent/*` (HTTP management), and a `wsUpgrade` for `/agent/ws`.
+ * Node adapter. Wraps the runtime-neutral core with a Node-specific
+ * `wsUpgrade` handler that uses the `ws` library. Imports `ws`
+ * eagerly, so this module only works where `ws` is available — use
+ * `@llui/agent/server/web` for Cloudflare Workers, Deno, or other
+ * WHATWG runtimes.
  *
  * Spec §10.1, §10.4.
  */

package/dist/server/factory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/server/factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AAWpE;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,aAAa,GAAG,iBAAiB,CA6D5E"}
+{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/server/factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AAIpE;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,aAAa,GAAG,iBAAiB,CAkB5E"}