@lumenflow/control-plane-sdk 4.24.0 → 5.0.0

package/dist/agent-host-registry.d.ts

@@ -0,0 +1,61 @@
+export declare const AGENT_HOST_REACHABILITY_CLASSES: {
+    readonly REVERSE_TUNNEL: "reverse-tunnel";
+    readonly PUBLIC: "public";
+    readonly LAN: "lan";
+    readonly UNREACHABLE: "unreachable";
+};
+export declare const AGENT_HOST_REACHABILITY_CLASS_VALUES: readonly ["reverse-tunnel", "public", "lan", "unreachable"];
+export type AgentHostReachabilityClass = (typeof AGENT_HOST_REACHABILITY_CLASS_VALUES)[number];
+export interface AgentHostEnrollmentInput {
+    workspace_id: string;
+    session_id: string;
+    agent_id: string;
+    host_id?: string;
+    client_type?: string;
+    agent_version?: string;
+    lane?: string;
+    wu_id?: string;
+    enrolled_at?: string;
+    last_seen_at?: string;
+    reachable_http_url: string | null;
+    reachability_class: AgentHostReachabilityClass;
+    health_endpoint: string | null;
+    tls_fingerprint: string | null;
+}
+export interface AgentHostRecord extends AgentHostEnrollmentInput {
+    last_seen_at: string;
+}
+export interface ListAgentHostsInput {
+    workspace_id: string;
+}
+export interface ListAgentHostsResult {
+    hosts: AgentHostRecord[];
+}
+export interface QueuedAgentToolCommand {
+    command_id: string;
+    tool_name: string;
+    input?: unknown;
+    context: Record<string, unknown>;
+    enqueued_at?: string;
+}
+export interface AgentHostHeartbeatEnvelope {
+    queued_commands?: QueuedAgentToolCommand[];
+}
+export interface HttpAgentHostRegistryClientOptions {
+    fetchFn?: typeof fetch;
+}
+export declare function normalizeReachabilityClass(value: unknown): AgentHostReachabilityClass | null;
+export declare function inferAgentHostReachabilityClass(reachableHttpUrl: string | null | undefined, explicitReachabilityClass?: AgentHostReachabilityClass | null): AgentHostReachabilityClass;
+export declare function normalizeAgentHostEnrollment(input: AgentHostEnrollmentInput): AgentHostEnrollmentInput;
+export declare function normalizeAgentHostRecord(input: AgentHostEnrollmentInput): AgentHostRecord;
+export declare function buildAgentHostRegistryPath(workspaceId: string): string;
+export declare function buildAgentHostRegistryUrl(endpoint: string, workspaceId: string): string;
+export declare class HttpAgentHostRegistryClient {
+    private readonly endpoint;
+    private readonly token;
+    private readonly fetchFn;
+    constructor(endpoint: string, token: string, options?: HttpAgentHostRegistryClientOptions);
+    registerHost(input: AgentHostEnrollmentInput): Promise<AgentHostRecord>;
+    listHosts(input: ListAgentHostsInput): Promise<ListAgentHostsResult>;
+}
+//# sourceMappingURL=agent-host-registry.d.ts.map

package/dist/agent-host-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-host-registry.d.ts","sourceRoot":"","sources":["../src/agent-host-registry.ts"],"names":[],"mappings":"AAmCA,eAAO,MAAM,+BAA+B;;;;;CAKlC,CAAC;AAEX,eAAO,MAAM,oCAAoC,6DAKvC,CAAC;AAEX,MAAM,MAAM,0BAA0B,GAAG,CAAC,OAAO,oCAAoC,CAAC,CAAC,MAAM,CAAC,CAAC;AAE/F,MAAM,WAAW,wBAAwB;IACvC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,kBAAkB,EAAE,0BAA0B,CAAC;IAC/C,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC;AAED,MAAM,WAAW,eAAgB,SAAQ,wBAAwB;IAC/D,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,eAAe,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,sBAAsB;IACrC,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,0BAA0B;IACzC,eAAe,CAAC,EAAE,sBAAsB,EAAE,CAAC;CAC5C;AAED,MAAM,WAAW,kCAAkC;IACjD,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;CACxB;AAwED,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,0BAA0B,GAAG,IAAI,CAO5F;AAED,wBAAgB,+BAA+B,CAC7C,gBAAgB,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC3C,yBAAyB,CAAC,EAAE,0BAA0B,GAAG,IAAI,GAC5D,0BAA0B,CAmB5B;AAED,wBAAgB,4BAA4B,CAC1C,KAAK,EAAE,wBAAwB,GAC9B,wBAAwB,CAoB1B;AAED,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,wBAAwB,GAAG,eAAe,CAMzF;AAED,wBAAgB,0BAA0B,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAItE;AAED,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,CAEvF;AAaD,qBAAa,2BAA2B;IAIpC,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,KAAK;IAJxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAe;gBAGpB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EAC9B,OAAO,GAAE,kCAAuC;IAKrC,YAAY,CAAC,KAAK,EAAE,wBAAwB,GAAG,OAAO,CAAC,eAAe,CAAC;IAsBvE,SAAS,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,oBAAoB,CAAC;CAsBlF"}

package/dist/agent-host-registry.js

@@ -0,0 +1,196 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: Apache-2.0
+import { isIP } from 'node:net';
+const HTTP_METHOD = {
+    GET: 'GET',
+    POST: 'POST',
+};
+const HTTP_HEADER = {
+    AUTHORIZATION: 'authorization',
+    CONTENT_TYPE: 'content-type',
+};
+const CONTENT_TYPE_JSON = 'application/json';
+const AGENT_HOST_REGISTRY_ROUTE_PREFIX = '/api/v1/workspaces';
+const AGENT_HOST_REGISTRY_ROUTE_SUFFIX = 'agent-hosts';
+const PRIVATE_HOSTNAME_SUFFIXES = ['.local', '.internal', '.lan'];
+const PRIVATE_IPV4_PREFIXES = ['10.', '127.', '169.254.', '192.168.'];
+const PRIVATE_IPV4_SECOND_OCTET_172_MIN = 16;
+const PRIVATE_IPV4_SECOND_OCTET_172_MAX = 31;
+const PRIVATE_IPV6_PREFIXES = ['::1', 'fc', 'fd', 'fe80'];
+const REVERSE_TUNNEL_HOST_SUFFIXES = [
+    '.gradio.live',
+    '.loca.lt',
+    '.ngrok-free.app',
+    '.ngrok.app',
+    '.ngrok.io',
+    '.trycloudflare.com',
+    '.tunnelmole.net',
+];
+export const AGENT_HOST_REACHABILITY_CLASSES = {
+    REVERSE_TUNNEL: 'reverse-tunnel',
+    PUBLIC: 'public',
+    LAN: 'lan',
+    UNREACHABLE: 'unreachable',
+};
+export const AGENT_HOST_REACHABILITY_CLASS_VALUES = [
+    AGENT_HOST_REACHABILITY_CLASSES.REVERSE_TUNNEL,
+    AGENT_HOST_REACHABILITY_CLASSES.PUBLIC,
+    AGENT_HOST_REACHABILITY_CLASSES.LAN,
+    AGENT_HOST_REACHABILITY_CLASSES.UNREACHABLE,
+];
+function asNonEmptyString(value) {
+    return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
+}
+function normalizeEndpoint(endpoint) {
+    return endpoint.endsWith('/') ? endpoint.slice(0, endpoint.length - 1) : endpoint;
+}
+function normalizeOptionalUrl(value) {
+    const normalizedValue = asNonEmptyString(value);
+    if (!normalizedValue) {
+        return null;
+    }
+    try {
+        return new URL(normalizedValue).toString().replace(/\/$/, '');
+    }
+    catch {
+        return null;
+    }
+}
+function isPrivateIpv4Address(hostname) {
+    if (PRIVATE_IPV4_PREFIXES.some((prefix) => hostname.startsWith(prefix))) {
+        return true;
+    }
+    const octets = hostname.split('.');
+    if (octets.length !== 4 || octets[0] !== '172') {
+        return false;
+    }
+    const secondOctet = Number.parseInt(octets[1] ?? '', 10);
+    return (Number.isFinite(secondOctet) &&
+        secondOctet >= PRIVATE_IPV4_SECOND_OCTET_172_MIN &&
+        secondOctet <= PRIVATE_IPV4_SECOND_OCTET_172_MAX);
+}
+function isPrivateIpv6Address(hostname) {
+    const lowerHostname = hostname.toLowerCase();
+    return PRIVATE_IPV6_PREFIXES.some((prefix) => lowerHostname.startsWith(prefix));
+}
+function isLanHostname(hostname) {
+    const normalizedHostname = hostname.trim().toLowerCase();
+    if (normalizedHostname.length === 0 || normalizedHostname === 'localhost') {
+        return true;
+    }
+    if (PRIVATE_HOSTNAME_SUFFIXES.some((suffix) => normalizedHostname.endsWith(suffix))) {
+        return true;
+    }
+    const ipKind = isIP(normalizedHostname);
+    if (ipKind === 4) {
+        return isPrivateIpv4Address(normalizedHostname);
+    }
+    if (ipKind === 6) {
+        return isPrivateIpv6Address(normalizedHostname);
+    }
+    return false;
+}
+function isReverseTunnelHostname(hostname) {
+    const normalizedHostname = hostname.trim().toLowerCase();
+    return REVERSE_TUNNEL_HOST_SUFFIXES.some((suffix) => normalizedHostname.endsWith(suffix));
+}
+export function normalizeReachabilityClass(value) {
+    if (typeof value !== 'string') {
+        return null;
+    }
+    const normalized = value.trim().toLowerCase();
+    return AGENT_HOST_REACHABILITY_CLASS_VALUES.find((entry) => entry === normalized) ?? null;
+}
+export function inferAgentHostReachabilityClass(reachableHttpUrl, explicitReachabilityClass) {
+    if (explicitReachabilityClass) {
+        return explicitReachabilityClass;
+    }
+    const normalizedUrl = normalizeOptionalUrl(reachableHttpUrl);
+    if (!normalizedUrl) {
+        return AGENT_HOST_REACHABILITY_CLASSES.UNREACHABLE;
+    }
+    const hostname = new URL(normalizedUrl).hostname;
+    if (isReverseTunnelHostname(hostname)) {
+        return AGENT_HOST_REACHABILITY_CLASSES.REVERSE_TUNNEL;
+    }
+    if (isLanHostname(hostname)) {
+        return AGENT_HOST_REACHABILITY_CLASSES.LAN;
+    }
+    return AGENT_HOST_REACHABILITY_CLASSES.PUBLIC;
+}
+export function normalizeAgentHostEnrollment(input) {
+    const reachableHttpUrl = normalizeOptionalUrl(input.reachable_http_url);
+    const healthEndpoint = normalizeOptionalUrl(input.health_endpoint);
+    const explicitReachabilityClass = normalizeReachabilityClass(input.reachability_class);
+    const reachabilityClass = inferAgentHostReachabilityClass(reachableHttpUrl, explicitReachabilityClass);
+    const now = new Date().toISOString();
+    return {
+        ...input,
+        reachable_http_url: reachableHttpUrl,
+        reachability_class: reachabilityClass,
+        health_endpoint: reachabilityClass === AGENT_HOST_REACHABILITY_CLASSES.UNREACHABLE ? null : healthEndpoint,
+        tls_fingerprint: asNonEmptyString(input.tls_fingerprint),
+        enrolled_at: asNonEmptyString(input.enrolled_at) ?? now,
+        last_seen_at: asNonEmptyString(input.last_seen_at) ?? now,
+    };
+}
+export function normalizeAgentHostRecord(input) {
+    const normalized = normalizeAgentHostEnrollment(input);
+    return {
+        ...normalized,
+        last_seen_at: normalized.last_seen_at ?? normalized.enrolled_at ?? new Date().toISOString(),
+    };
+}
+export function buildAgentHostRegistryPath(workspaceId) {
+    return `${AGENT_HOST_REGISTRY_ROUTE_PREFIX}/${encodeURIComponent(workspaceId)}/${AGENT_HOST_REGISTRY_ROUTE_SUFFIX}`;
+}
+export function buildAgentHostRegistryUrl(endpoint, workspaceId) {
+    return `${normalizeEndpoint(endpoint)}${buildAgentHostRegistryPath(workspaceId)}`;
+}
+function buildRequestHeaders(token) {
+    return {
+        [HTTP_HEADER.AUTHORIZATION]: `Bearer ${token}`,
+        [HTTP_HEADER.CONTENT_TYPE]: CONTENT_TYPE_JSON,
+    };
+}
+async function readJsonResponse(response) {
+    return (await response.json().catch(() => ({})));
+}
+export class HttpAgentHostRegistryClient {
+    endpoint;
+    token;
+    fetchFn;
+    constructor(endpoint, token, options = {}) {
+        this.endpoint = endpoint;
+        this.token = token;
+        this.fetchFn = options.fetchFn ?? fetch;
+    }
+    async registerHost(input) {
+        const normalizedInput = normalizeAgentHostEnrollment(input);
+        const response = await this.fetchFn(buildAgentHostRegistryUrl(this.endpoint, normalizedInput.workspace_id), {
+            method: HTTP_METHOD.POST,
+            headers: buildRequestHeaders(this.token),
+            body: JSON.stringify(normalizedInput),
+        });
+        if (!response.ok) {
+            throw new Error(`Failed to register agent host for workspace ${normalizedInput.workspace_id}: HTTP ${response.status}.`);
+        }
+        return normalizeAgentHostRecord((await readJsonResponse(response)) ?? normalizedInput);
+    }
+    async listHosts(input) {
+        const response = await this.fetchFn(buildAgentHostRegistryUrl(this.endpoint, input.workspace_id), {
+            method: HTTP_METHOD.GET,
+            headers: buildRequestHeaders(this.token),
+        });
+        if (!response.ok) {
+            throw new Error(`Failed to list agent hosts for workspace ${input.workspace_id}: HTTP ${response.status}.`);
+        }
+        const payload = await readJsonResponse(response);
+        return {
+            hosts: Array.isArray(payload.hosts)
+                ? payload.hosts.map((entry) => normalizeAgentHostRecord(entry))
+                : [],
+        };
+    }
+}
+//# sourceMappingURL=agent-host-registry.js.map

package/dist/agent-host-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-host-registry.js","sourceRoot":"","sources":["../src/agent-host-registry.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,sCAAsC;AAEtC,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAEhC,MAAM,WAAW,GAAG;IAClB,GAAG,EAAE,KAAK;IACV,IAAI,EAAE,MAAM;CACJ,CAAC;AAEX,MAAM,WAAW,GAAG;IAClB,aAAa,EAAE,eAAe;IAC9B,YAAY,EAAE,cAAc;CACpB,CAAC;AAEX,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C,MAAM,gCAAgC,GAAG,oBAAoB,CAAC;AAC9D,MAAM,gCAAgC,GAAG,aAAa,CAAC;AAEvD,MAAM,yBAAyB,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAU,CAAC;AAC3E,MAAM,qBAAqB,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,CAAU,CAAC;AAC/E,MAAM,iCAAiC,GAAG,EAAE,CAAC;AAC7C,MAAM,iCAAiC,GAAG,EAAE,CAAC;AAC7C,MAAM,qBAAqB,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,CAAU,CAAC;AACnE,MAAM,4BAA4B,GAAG;IACnC,cAAc;IACd,UAAU;IACV,iBAAiB;IACjB,YAAY;IACZ,WAAW;IACX,oBAAoB;IACpB,iBAAiB;CACT,CAAC;AAEX,MAAM,CAAC,MAAM,+BAA+B,GAAG;IAC7C,cAAc,EAAE,gBAAgB;IAChC,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;IACV,WAAW,EAAE,aAAa;CAClB,CAAC;AAEX,MAAM,CAAC,MAAM,oCAAoC,GAAG;IAClD,+BAA+B,CAAC,cAAc;IAC9C,+BAA+B,CAAC,MAAM;IACtC,+BAA+B,CAAC,GAAG;IACnC,+BAA+B,CAAC,WAAW;CACnC,CAAC;AAiDX,SAAS,gBAAgB,CAAC,KAAc;IACtC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACpF,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB;IACzC,OAAO,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;AACpF,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAgC;IAC5D,MAAM,eAAe,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAChD,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,eAAe,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAgB;IAC5C,IAAI,qBAAqB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;QAC/C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IACzD,OAAO,CACL,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC5B,WAAW,IAAI,iCAAiC;QAChD,WAAW,IAAI,iCAAiC,CACjD,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAgB;IAC5C,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC7C,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB;IACrC,MAAM,kBAAkB,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACzD,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,IAAI,kBAAkB,KAAK,WAAW,EAAE,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,yBAAyB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,kBAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;QACpF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACxC,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,OAAO,oBAAoB,CAAC,kBAAkB,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,OAAO,oBAAoB,CAAC,kBAAkB,CAAC,CAAC;IAClD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAgB;IAC/C,MAAM,kBAAkB,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACzD,OAAO,4BAA4B,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,kBAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AAC5F,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,KAAc;IACvD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,OAAO,oCAAoC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,UAAU,CAAC,IAAI,IAAI,CAAC;AAC5F,CAAC;AAED,MAAM,UAAU,+BAA+B,CAC7C,gBAA2C,EAC3C,yBAA6D;IAE7D,IAAI,yBAAyB,EAAE,CAAC;QAC9B,OAAO,yBAAyB,CAAC;IACnC,CAAC;IAED,MAAM,aAAa,GAAG,oBAAoB,CAAC,gBAAgB,CAAC,CAAC;IAC7D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,+BAA+B,CAAC,WAAW,CAAC;IACrD,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC;IACjD,IAAI,uBAAuB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACtC,OAAO,+BAA+B,CAAC,cAAc,CAAC;IACxD,CAAC;IACD,IAAI,aAAa,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,OAAO,+BAA+B,CAAC,GAAG,CAAC;IAC7C,CAAC;IAED,OAAO,+BAA+B,CAAC,MAAM,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,KAA+B;IAE/B,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACxE,MAAM,cAAc,GAAG,oBAAoB,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IACnE,MAAM,yBAAyB,GAAG,0BAA0B,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACvF,MAAM,iBAAiB,GAAG,+BAA+B,CACvD,gBAAgB,EAChB,yBAAyB,CAC1B,CAAC;IACF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,OAAO;QACL,GAAG,KAAK;QACR,kBAAkB,EAAE,gBAAgB;QACpC,kBAAkB,EAAE,iBAAiB;QACrC,eAAe,EACb,iBAAiB,KAAK,+BAA+B,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc;QAC3F,eAAe,EAAE,gBAAgB,CAAC,KAAK,CAAC,eAAe,CAAC;QACxD,WAAW,EAAE,gBAAgB,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,GAAG;QACvD,YAAY,EAAE,gBAAgB,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,GAAG;KAC1D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,KAA+B;IACtE,MAAM,UAAU,GAAG,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACvD,OAAO;QACL,GAAG,UAAU;QACb,YAAY,EAAE,UAAU,CAAC,YAAY,IAAI,UAAU,CAAC,WAAW,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KAC5F,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,WAAmB;IAC5D,OAAO,GAAG,gCAAgC,IAAI,kBAAkB,CAC9D,WAAW,CACZ,IAAI,gCAAgC,EAAE,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,QAAgB,EAAE,WAAmB;IAC7E,OAAO,GAAG,iBAAiB,CAAC,QAAQ,CAAC,GAAG,0BAA0B,CAAC,WAAW,CAAC,EAAE,CAAC;AACpF,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,OAAO;QACL,CAAC,WAAW,CAAC,aAAa,CAAC,EAAE,UAAU,KAAK,EAAE;QAC9C,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE,iBAAiB;KAC9C,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAI,QAAkB;IACnD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAM,CAAC;AACxD,CAAC;AAED,MAAM,OAAO,2BAA2B;IAInB;IACA;IAJF,OAAO,CAAe;IAEvC,YACmB,QAAgB,EAChB,KAAa,EAC9B,UAA8C,EAAE;QAF/B,aAAQ,GAAR,QAAQ,CAAQ;QAChB,UAAK,GAAL,KAAK,CAAQ;QAG9B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC;IAC1C,CAAC;IAEM,KAAK,CAAC,YAAY,CAAC,KAA+B;QACvD,MAAM,eAAe,GAAG,4BAA4B,CAAC,KAAK,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CACjC,yBAAyB,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,YAAY,CAAC,EACtE;YACE,MAAM,EAAE,WAAW,CAAC,IAAI;YACxB,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC;YACxC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC;SACtC,CACF,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,+CAA+C,eAAe,CAAC,YAAY,UAAU,QAAQ,CAAC,MAAM,GAAG,CACxG,CAAC;QACJ,CAAC;QAED,OAAO,wBAAwB,CAC7B,CAAC,MAAM,gBAAgB,CAA2B,QAAQ,CAAC,CAAC,IAAI,eAAe,CAChF,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,SAAS,CAAC,KAA0B;QAC/C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CACjC,yBAAyB,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,EAC5D;YACE,MAAM,EAAE,WAAW,CAAC,GAAG;YACvB,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC;SACzC,CACF,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,4CAA4C,KAAK,CAAC,YAAY,UAAU,QAAQ,CAAC,MAAM,GAAG,CAC3F,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAyC,QAAQ,CAAC,CAAC;QACzF,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC;gBACjC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAC;gBAC/D,CAAC,CAAC,EAAE;SACP,CAAC;IACJ,CAAC;CACF"}

package/dist/authenticate.d.ts

@@ -0,0 +1,59 @@
+import type { AuthenticateInput, ControlPlaneIdentity } from './sync-port.js';
+export interface ControlPlaneAuthProfileConfig {
+    scopes: string[];
+    ttl_seconds?: number;
+}
+export interface ScopedControlPlaneIdentity extends ControlPlaneIdentity {
+    scopes: string[];
+    expires_at: string;
+    profile?: string;
+    /**
+     * Authoritative identity claim embedded in the enrollment token.
+     *
+     * Workspace enrollment tokens (WU-2641) may omit this field, in which case
+     * the workspace_id is the authoritative subject. Phone-device enrollment
+     * tokens (WU-2731, ADR-013 §5) set this to `{workspace_id}:phone:{device_id}`
+     * so inbound POSTs can resolve per-device attribution without trusting the
+     * request body.
+     */
+    subject?: string;
+}
+export interface ScopedControlPlaneTokenPayload {
+    version: 1;
+    workspace_id: string;
+    org_id: string;
+    agent_id: string;
+    scopes: string[];
+    expires_at: string;
+    profile?: string;
+    /** See ScopedControlPlaneIdentity.subject. */
+    subject?: string;
+}
+export interface IssueControlPlaneIdentityOptions {
+    scopes?: string[];
+    profile?: string;
+    profiles?: Record<string, ControlPlaneAuthProfileConfig>;
+    ttl_seconds?: number;
+    now?: Date | string;
+    /**
+     * Authoritative identity string written into the token payload. When
+     * omitted the token has no subject claim (workspace identity is derived
+     * from workspace_id).
+     */
+    subject?: string;
+}
+declare module './sync-port.js' {
+    interface AuthenticateInput {
+        profile?: string;
+        requested_scopes?: string[];
+        ttl_seconds?: number;
+    }
+    interface ControlPlaneIdentity {
+        scopes?: string[];
+        expires_at?: string;
+        profile?: string;
+    }
+}
+export declare function issueControlPlaneIdentity(input: AuthenticateInput, options?: IssueControlPlaneIdentityOptions): ScopedControlPlaneIdentity;
+export declare function parseControlPlaneToken(token: string): ScopedControlPlaneTokenPayload | null;
+//# sourceMappingURL=authenticate.d.ts.map

package/dist/authenticate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authenticate.d.ts","sourceRoot":"","sources":["../src/authenticate.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAM9E,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,0BAA2B,SAAQ,oBAAoB;IACtE,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;OAQG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,8BAA8B;IAC7C,OAAO,EAAE,CAAC,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,gCAAgC;IAC/C,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,6BAA6B,CAAC,CAAC;IACzD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC;IACpB;;;;OAIG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,OAAO,QAAQ,gBAAgB,CAAC;IAC9B,UAAU,iBAAiB;QACzB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB;IAED,UAAU,oBAAoB;QAC5B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB;CACF;AAuGD,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,iBAAiB,EACxB,OAAO,GAAE,gCAAqC,GAC7C,0BAA0B,CA8B5B;AAED,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,8BAA8B,GAAG,IAAI,CAY3F"}

package/dist/authenticate.js

@@ -0,0 +1,113 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: Apache-2.0
+import { normalizeToolScopes } from './scope-grammar.js';
+const DEFAULT_TTL_SECONDS = 60 * 60;
+const TOKEN_PREFIX = 'lfcp1.';
+function resolveNow(input) {
+    if (input instanceof Date) {
+        return new Date(input.getTime());
+    }
+    if (typeof input === 'string') {
+        return new Date(input);
+    }
+    return new Date();
+}
+function asPositiveInteger(value) {
+    return typeof value === 'number' && Number.isInteger(value) && value > 0 ? value : undefined;
+}
+function resolveProfileConfig(profile, profiles) {
+    if (!profile || !profiles) {
+        return undefined;
+    }
+    return profiles[profile];
+}
+function resolveScopes(input, options) {
+    const configuredProfile = resolveProfileConfig(options.profile ?? input.profile, options.profiles);
+    const explicitScopes = options.scopes ?? input.requested_scopes;
+    if (explicitScopes && explicitScopes.length > 0) {
+        return normalizeToolScopes(explicitScopes);
+    }
+    if (configuredProfile?.scopes?.length) {
+        return normalizeToolScopes(configuredProfile.scopes);
+    }
+    return [];
+}
+function resolveTtlSeconds(input, options) {
+    const configuredProfile = resolveProfileConfig(options.profile ?? input.profile, options.profiles);
+    return (asPositiveInteger(options.ttl_seconds) ??
+        asPositiveInteger(input.ttl_seconds) ??
+        asPositiveInteger(configuredProfile?.ttl_seconds) ??
+        DEFAULT_TTL_SECONDS);
+}
+function encodeTokenPayload(payload) {
+    return `${TOKEN_PREFIX}${Buffer.from(JSON.stringify(payload), 'utf8').toString('base64url')}`;
+}
+function parseScopedTokenPayload(value) {
+    if (typeof value !== 'object' || value === null || Array.isArray(value)) {
+        return null;
+    }
+    const record = value;
+    if (record.version !== 1 ||
+        typeof record.workspace_id !== 'string' ||
+        typeof record.org_id !== 'string' ||
+        typeof record.agent_id !== 'string' ||
+        typeof record.expires_at !== 'string' ||
+        !Array.isArray(record.scopes)) {
+        return null;
+    }
+    const scopes = record.scopes.filter((scope) => typeof scope === 'string');
+    if (scopes.length !== record.scopes.length) {
+        return null;
+    }
+    return {
+        version: 1,
+        workspace_id: record.workspace_id,
+        org_id: record.org_id,
+        agent_id: record.agent_id,
+        expires_at: record.expires_at,
+        scopes: normalizeToolScopes(scopes),
+        ...(typeof record.profile === 'string' ? { profile: record.profile } : {}),
+        ...(typeof record.subject === 'string' ? { subject: record.subject } : {}),
+    };
+}
+export function issueControlPlaneIdentity(input, options = {}) {
+    const scopes = resolveScopes(input, options);
+    const now = resolveNow(options.now);
+    const expiresAt = new Date(now.getTime() + resolveTtlSeconds(input, options) * 1000).toISOString();
+    const profile = options.profile ?? input.profile;
+    const subject = options.subject;
+    const tokenPayload = {
+        version: 1,
+        workspace_id: input.workspace_id,
+        org_id: input.org_id,
+        agent_id: input.agent_id,
+        scopes,
+        expires_at: expiresAt,
+        ...(profile ? { profile } : {}),
+        ...(subject ? { subject } : {}),
+    };
+    return {
+        workspace_id: input.workspace_id,
+        org_id: input.org_id,
+        agent_id: input.agent_id,
+        token: encodeTokenPayload(tokenPayload),
+        scopes,
+        expires_at: expiresAt,
+        ...(profile ? { profile } : {}),
+        ...(subject ? { subject } : {}),
+    };
+}
+export function parseControlPlaneToken(token) {
+    if (!token.startsWith(TOKEN_PREFIX)) {
+        return null;
+    }
+    try {
+        const encodedPayload = token.slice(TOKEN_PREFIX.length);
+        const decoded = Buffer.from(encodedPayload, 'base64url').toString('utf8');
+        return parseScopedTokenPayload(JSON.parse(decoded));
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=authenticate.js.map

package/dist/authenticate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authenticate.js","sourceRoot":"","sources":["../src/authenticate.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,sCAAsC;AAGtC,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAEzD,MAAM,mBAAmB,GAAG,EAAE,GAAG,EAAE,CAAC;AACpC,MAAM,YAAY,GAAG,QAAQ,CAAC;AA+D9B,SAAS,UAAU,CAAC,KAAgC;IAClD,IAAI,KAAK,YAAY,IAAI,EAAE,CAAC;QAC1B,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,IAAI,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC/F,CAAC;AAED,SAAS,oBAAoB,CAC3B,OAA2B,EAC3B,QAAmE;IAEnE,IAAI,CAAC,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC1B,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,aAAa,CACpB,KAAwB,EACxB,OAAyC;IAEzC,MAAM,iBAAiB,GAAG,oBAAoB,CAC5C,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,EAChC,OAAO,CAAC,QAAQ,CACjB,CAAC;IACF,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC;IAEhE,IAAI,cAAc,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,OAAO,mBAAmB,CAAC,cAAc,CAAC,CAAC;IAC7C,CAAC;IAED,IAAI,iBAAiB,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACtC,OAAO,mBAAmB,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,iBAAiB,CACxB,KAAwB,EACxB,OAAyC;IAEzC,MAAM,iBAAiB,GAAG,oBAAoB,CAC5C,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,EAChC,OAAO,CAAC,QAAQ,CACjB,CAAC;IAEF,OAAO,CACL,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC;QACtC,iBAAiB,CAAC,KAAK,CAAC,WAAW,CAAC;QACpC,iBAAiB,CAAC,iBAAiB,EAAE,WAAW,CAAC;QACjD,mBAAmB,CACpB,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAuC;IACjE,OAAO,GAAG,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;AAChG,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAc;IAC7C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,KAAgC,CAAC;IAChD,IACE,MAAM,CAAC,OAAO,KAAK,CAAC;QACpB,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ;QACvC,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ;QACjC,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ;QACnC,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ;QACrC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAC7B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC;IAC3F,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO;QACL,OAAO,EAAE,CAAC;QACV,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,MAAM,EAAE,mBAAmB,CAAC,MAAM,CAAC;QACnC,GAAG,CAAC,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,GAAG,CAAC,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC3E,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,KAAwB,EACxB,UAA4C,EAAE;IAE9C,MAAM,MAAM,GAAG,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,IAAI,IAAI,CACxB,GAAG,CAAC,OAAO,EAAE,GAAG,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,IAAI,CACzD,CAAC,WAAW,EAAE,CAAC;IAChB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC;IACjD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAEhC,MAAM,YAAY,GAAmC;QACnD,OAAO,EAAE,CAAC;QACV,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,MAAM;QACN,UAAU,EAAE,SAAS;QACrB,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/B,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAChC,CAAC;IAEF,OAAO;QACL,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,KAAK,EAAE,kBAAkB,CAAC,YAAY,CAAC;QACvC,MAAM;QACN,UAAU,EAAE,SAAS;QACrB,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/B,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAChC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,KAAa;IAClD,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QACxD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC1E,OAAO,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/delegation-registry.d.ts

@@ -0,0 +1,107 @@
+/**
+ * Apache-2.0 delegation registry schema for lumenflow-cloud (WU-2637, ADR-011 §1).
+ *
+ * Mirrors the delegation lifecycle shape that @lumenflow/core tracks for local
+ * LumenFlow agents, but lives on the Apache-2.0 boundary so that cloud can
+ * validate delegation records without linking the AGPL-3.0-only core package.
+ *
+ * The wrapper document carries an explicit `schema_version`. The parser accepts
+ * the current version as-is and migrates one prior snake_case shape to the
+ * current camelCase shape (the shape used by agents before the schema was
+ * promoted to the public SDK contract).
+ */
+import { z } from 'zod';
+/**
+ * Current (camelCase) registry schema version. Increment when the record shape
+ * changes; add a migration branch to `parseDelegationRegistry` when bumping.
+ */
+export declare const DELEGATION_REGISTRY_SCHEMA_VERSION: 2;
+/**
+ * Legacy snake_case registry schema version. `parseDelegationRegistry` accepts
+ * this version and migrates records forward to the current shape.
+ */
+export declare const DELEGATION_REGISTRY_LEGACY_SCHEMA_VERSION: 1;
+export declare const DELEGATION_STATUSES: readonly ["pending", "completed", "timeout", "crashed", "escalated"];
+export type DelegationStatus = (typeof DELEGATION_STATUSES)[number];
+export declare const DELEGATION_INTENTS: readonly ["delegation", "legacy-spawn"];
+export type DelegationIntent = (typeof DELEGATION_INTENTS)[number];
+export declare const DelegationAttestationSchema: z.ZodObject<{
+    algorithm: z.ZodLiteral<"sha256">;
+    promptHash: z.ZodString;
+    promptLength: z.ZodNumber;
+    generatedAt: z.ZodString;
+    clientName: z.ZodString;
+}, z.core.$strip>;
+export type DelegationAttestation = z.infer<typeof DelegationAttestationSchema>;
+export declare const DelegationRecordSchema: z.ZodObject<{
+    id: z.ZodString;
+    parentWuId: z.ZodString;
+    targetWuId: z.ZodString;
+    lane: z.ZodString;
+    intent: z.ZodOptional<z.ZodEnum<{
+        delegation: "delegation";
+        "legacy-spawn": "legacy-spawn";
+    }>>;
+    delegatedAt: z.ZodString;
+    status: z.ZodEnum<{
+        pending: "pending";
+        completed: "completed";
+        timeout: "timeout";
+        crashed: "crashed";
+        escalated: "escalated";
+    }>;
+    completedAt: z.ZodNullable<z.ZodString>;
+    pickedUpAt: z.ZodOptional<z.ZodString>;
+    pickedUpBy: z.ZodOptional<z.ZodString>;
+    briefAttestation: z.ZodOptional<z.ZodObject<{
+        algorithm: z.ZodLiteral<"sha256">;
+        promptHash: z.ZodString;
+        promptLength: z.ZodNumber;
+        generatedAt: z.ZodString;
+        clientName: z.ZodString;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type DelegationRecord = z.infer<typeof DelegationRecordSchema>;
+declare const DelegationRegistryDocumentSchema: z.ZodObject<{
+    schema_version: z.ZodLiteral<2>;
+    records: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        parentWuId: z.ZodString;
+        targetWuId: z.ZodString;
+        lane: z.ZodString;
+        intent: z.ZodOptional<z.ZodEnum<{
+            delegation: "delegation";
+            "legacy-spawn": "legacy-spawn";
+        }>>;
+        delegatedAt: z.ZodString;
+        status: z.ZodEnum<{
+            pending: "pending";
+            completed: "completed";
+            timeout: "timeout";
+            crashed: "crashed";
+            escalated: "escalated";
+        }>;
+        completedAt: z.ZodNullable<z.ZodString>;
+        pickedUpAt: z.ZodOptional<z.ZodString>;
+        pickedUpBy: z.ZodOptional<z.ZodString>;
+        briefAttestation: z.ZodOptional<z.ZodObject<{
+            algorithm: z.ZodLiteral<"sha256">;
+            promptHash: z.ZodString;
+            promptLength: z.ZodNumber;
+            generatedAt: z.ZodString;
+            clientName: z.ZodString;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type DelegationRegistryDocument = z.infer<typeof DelegationRegistryDocumentSchema>;
+/**
+ * Parses a delegation registry document. Accepts the current schema version
+ * verbatim and migrates the legacy snake_case version forward.
+ *
+ * @throws Error with a `schema_version`-prefixed message when the input carries
+ *         an unknown schema version, and a zod ZodError when records fail
+ *         validation.
+ */
+export declare function parseDelegationRegistry(input: unknown): DelegationRegistryDocument;
+export {};
+//# sourceMappingURL=delegation-registry.d.ts.map

package/dist/delegation-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"delegation-registry.d.ts","sourceRoot":"","sources":["../src/delegation-registry.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;GAGG;AACH,eAAO,MAAM,kCAAkC,EAAG,CAAU,CAAC;AAE7D;;;GAGG;AACH,eAAO,MAAM,yCAAyC,EAAG,CAAU,CAAC;AAMpE,eAAO,MAAM,mBAAmB,sEAMtB,CAAC;AAEX,MAAM,MAAM,gBAAgB,GAAG,CAAC,OAAO,mBAAmB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEpE,eAAO,MAAM,kBAAkB,yCAA0C,CAAC;AAE1E,MAAM,MAAM,gBAAgB,GAAG,CAAC,OAAO,kBAAkB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEnE,eAAO,MAAM,2BAA2B;;;;;;iBAQtC,CAAC;AAEH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEhF,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAkBjC,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE,QAAA,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAGpC,CAAC;AAEH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gCAAgC,CAAC,CAAC;AAiE1F;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,OAAO,GAAG,0BAA0B,CAqClF"}