@qlever-llc/trellis 0.8.3 → 0.9.0-rc.2

package/esm/trellis.js

@@ -9,7 +9,7 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _Trellis_instances, _Trellis_log, _Trellis_tasks, _Trellis_hasExplicitApi, _Trellis_noResponderMaxRetries, _Trellis_noResponderRetryMs, _Trellis_authBypassMethods, _Trellis_onSessionNotFound, _Trellis_operationStore, _Trellis_createStateFacade, _Trellis_unknownApiError, _Trellis_requestBuiltRpcUnknown, _Trellis_requestBuiltRpc, _Trellis_handleSessionNotFound, _Trellis_handleRPC, _Trellis_processRPCMessage, _Trellis_respondWithError, _Trellis_startEphemeralEvent, _Trellis_handleDurableEvent, _Trellis_parseEventMessage, _Trellis_escapeSubjectToken, _Trellis_createProof, _Trellis_requestMessageWithRetry, _Trellis_requestJson, _Trellis_watchJson;
+var _Trellis_instances, _Trellis_log, _Trellis_tasks, _Trellis_hasExplicitApi, _Trellis_noResponderMaxRetries, _Trellis_noResponderRetryMs, _Trellis_onSessionNotFound, _Trellis_operationStore, _Trellis_createStateFacade, _Trellis_unknownApiError, _Trellis_requestBuiltRpcUnknown, _Trellis_requestBuiltRpc, _Trellis_handleBrowserAuthRequired, _Trellis_authenticateFeedRequest, _Trellis_subscribeFeed, _Trellis_handleFeed, _Trellis_processFeedMessage, _Trellis_handleRPC, _Trellis_processRPCMessage, _Trellis_respondWithPayload, _Trellis_respondWithError, _Trellis_startEphemeralEvent, _Trellis_handleDurableEvent, _Trellis_parseEventMessage, _Trellis_escapeSubjectToken, _Trellis_currentIat, _Trellis_createProof, _Trellis_requestMessageWithRetry, _Trellis_requestJson, _Trellis_watchJson;
 import { jetstream, jetstreamManager, } from "@nats-io/jetstream";
 import { createInbox, headers as natsHeaders, } from "@nats-io/nats-core";
 import { CONTRACT_JOBS_METADATA, CONTRACT_KV_METADATA, CONTRACT_STATE_METADATA, } from "./contract_support/mod.js";
@@ -140,16 +140,22 @@ export async function sha256(data) {
     const digest = await crypto.subtle.digest("SHA-256", toArrayBuffer(data));
     return new Uint8Array(digest);
 }
-export function buildProofInput(sessionKey, subject, payloadHash) {
+export function buildProofInput(sessionKey, subject, payloadHash, iat, requestId) {
     const enc = new TextEncoder();
     const sessionKeyBytes = enc.encode(sessionKey);
     const subjectBytes = enc.encode(subject);
+    const iatBytes = enc.encode(String(iat));
+    const requestIdBytes = enc.encode(requestId);
     const buf = new Uint8Array(4 +
         sessionKeyBytes.length +
         4 +
         subjectBytes.length +
         4 +
-        payloadHash.length);
+        payloadHash.length +
+        4 +
+        iatBytes.length +
+        4 +
+        requestIdBytes.length);
     const view = new DataView(buf.buffer);
     let offset = 0;
     view.setUint32(offset, sessionKeyBytes.length);
@@ -163,6 +169,14 @@ export function buildProofInput(sessionKey, subject, payloadHash) {
     view.setUint32(offset, payloadHash.length);
     offset += 4;
     buf.set(payloadHash, offset);
+    offset += payloadHash.length;
+    view.setUint32(offset, iatBytes.length);
+    offset += 4;
+    buf.set(iatBytes, offset);
+    offset += iatBytes.length;
+    view.setUint32(offset, requestIdBytes.length);
+    offset += 4;
+    buf.set(requestIdBytes, offset);
     return buf;
 }
 /**
@@ -176,6 +190,13 @@ export function isOperationDeferred(value) {
 export function isResultLike(value) {
     return value instanceof Result;
 }
+const DurableOperationSignalSchema = Type.Object({
+    operationId: Type.String(),
+    sequence: Type.Number(),
+    signal: Type.String(),
+    input: Type.Optional(Type.Any()),
+    acceptedAt: Type.String(),
+});
 const DurableOperationSnapshotSchema = Type.Object({
     id: Type.String(),
     service: Type.String(),
@@ -206,6 +227,8 @@ const DurableOperationSnapshotSchema = Type.Object({
 export const DurableOperationRecordSchema = Type.Object({
     ownerSessionKey: Type.String(),
     sequence: Type.Number(),
+    signalSequence: Type.Optional(Type.Number()),
+    signals: Type.Optional(Type.Array(DurableOperationSignalSchema)),
     snapshot: DurableOperationSnapshotSchema,
 });
 export function buildRuntimeOperationSnapshot(runtime, state, patch) {
@@ -462,12 +485,44 @@ const DEFAULT_NO_RESPONDER_MAX_RETRIES = 2;
 const DEFAULT_NO_RESPONDER_RETRY_MS = 200;
 const DEFAULT_AUTH_VALIDATE_SESSION_RETRY_ATTEMPTS = 3;
 const DEFAULT_AUTH_VALIDATE_SESSION_RETRY_MS = 25;
+function activeTraceId(span) {
+    const traceId = span.spanContext().traceId;
+    return traceId === "00000000000000000000000000000000" ? undefined : traceId;
+}
+function traceIdFromTraceparent(traceparent) {
+    const [version, traceId, parentId, flags, extra] = traceparent?.split("-") ??
+        [];
+    if (extra !== undefined ||
+        !/^[0-9a-f]{2}$/u.test(version ?? "") ||
+        version === "ff" ||
+        !/^[0-9a-f]{32}$/u.test(traceId ?? "") ||
+        traceId === "00000000000000000000000000000000" ||
+        !/^[0-9a-f]{16}$/u.test(parentId ?? "") ||
+        parentId === "0000000000000000" ||
+        !/^[0-9a-f]{2}$/u.test(flags ?? "")) {
+        return undefined;
+    }
+    return traceId;
+}
 const EMPTY_TRELLIS_API = {
     rpc: {},
     operations: {},
     events: {},
+    feeds: {},
     subjects: {},
 };
+function isBrowserAuthRequiredError(error) {
+    const isAuthRequiredReason = (reason) => reason === "session_not_found" || reason === "reauth_required";
+    if (error instanceof AuthError) {
+        return isAuthRequiredReason(error.reason);
+    }
+    if (error instanceof RemoteError &&
+        error.remoteError.type === "AuthError") {
+        const reason = Reflect.get(error.remoteError, "reason");
+        return isAuthRequiredReason(reason);
+    }
+    return false;
+}
 function isTransientAuthValidateSessionError(error) {
     if (error instanceof AuthError) {
         return error.reason === "session_not_found";
@@ -475,7 +530,7 @@ function isTransientAuthValidateSessionError(error) {
     if (error instanceof RemoteError &&
         error.remoteError.type === "AuthError") {
         const reason = Reflect.get(error.remoteError, "reason");
-        return typeof reason === "string" && reason === "session_not_found";
+        return reason === "session_not_found";
     }
     return false;
 }
@@ -487,6 +542,20 @@ function isRuntimeRpcErrorDesc(value) {
         typeof Reflect.get(value, "type") === "string" &&
         typeof Reflect.get(value, "fromSerializable") === "function";
 }
+const payloadSizeEncoder = new TextEncoder();
+function payloadByteLength(payload) {
+    return typeof payload === "string"
+        ? payloadSizeEncoder.encode(payload).byteLength
+        : payload.byteLength;
+}
+function causeMessage(cause) {
+    return cause instanceof Error ? cause.message : String(cause);
+}
+function causeLogData(cause) {
+    return cause instanceof Error
+        ? { message: cause.message, stack: cause.stack, name: cause.name }
+        : cause;
+}
 function reconstructDeclaredRpcError(errorNames, runtimeErrors, data, json) {
     if (!isDeclaredRpcError(errorNames, data.type)) {
         return null;
@@ -585,7 +654,6 @@ export class Trellis {
         _Trellis_hasExplicitApi.set(this, void 0);
         _Trellis_noResponderMaxRetries.set(this, void 0);
         _Trellis_noResponderRetryMs.set(this, void 0);
-        _Trellis_authBypassMethods.set(this, void 0);
         _Trellis_onSessionNotFound.set(this, void 0);
         _Trellis_operationStore.set(this, void 0);
         const api = opts?.api;
@@ -602,7 +670,6 @@ export class Trellis {
             DEFAULT_NO_RESPONDER_MAX_RETRIES, "f");
         __classPrivateFieldSet(this, _Trellis_noResponderRetryMs, opts?.noResponderRetry?.baseDelayMs ??
             DEFAULT_NO_RESPONDER_RETRY_MS, "f");
-        __classPrivateFieldSet(this, _Trellis_authBypassMethods, new Set(opts?.authBypassMethods ?? []), "f");
         __classPrivateFieldSet(this, _Trellis_onSessionNotFound, opts?.onSessionNotFound, "f");
         this.connection = opts?.connection ??
             new TrellisConnection({ kind: "client" });
@@ -646,6 +713,8 @@ export class Trellis {
         const record = {
             ownerSessionKey: runtime.ownerSessionKey,
             sequence: runtime.sequence,
+            signalSequence: runtime.signalSequence,
+            signals: runtime.signals,
             snapshot: runtime.snapshot,
         };
         await store.put(runtime.id, record);
@@ -661,6 +730,18 @@ export class Trellis {
         }
         return __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_requestBuiltRpcUnknown).call(this, method, input, ctx, opts);
     }
+    feed(feed) {
+        const descriptor = this.api.feeds?.[feed];
+        if (!descriptor) {
+            throw __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_unknownApiError).call(this, "feed", feed.toString());
+        }
+        return {
+            input: (input) => ({
+                subscribe: (opts) => __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_subscribeFeed).call(this, feed.toString(), descriptor, input, opts),
+            }),
+            handle: (handler) => __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_handleFeed).call(this, feed.toString(), descriptor, handler),
+        };
+    }
     operation(operation) {
         const descriptor = this.api["operations"]?.[operation];
         if (!descriptor) {
@@ -716,20 +797,24 @@ export class Trellis {
                     logger.error({ err: subject.error }, "Failed to template event.");
                     return subject;
                 }
+                const header = {
+                    id: ulid(),
+                    time: new Date().toISOString(),
+                };
                 const payload = {
                     ...data,
-                    header: {
-                        id: ulid(),
-                        time: new Date().toISOString(),
-                    },
+                    header,
                 };
                 const msg = encodeSchema(ctx.event, payload).take();
                 if (isErr(msg)) {
                     logger.error({ err: msg.error }, "Failed to encode event.");
                     return err(new UnexpectedError({ cause: msg.error }));
                 }
+                const headers = natsHeaders();
+                headers.set("Nats-Msg-Id", header.id);
+                injectTraceContext(createNatsHeaderCarrier(headers));
                 logger.trace({ subject }, `Publishing ${event.toString()} event.`);
-                await this.js.publish(subject, msg);
+                await this.js.publish(subject, msg, { headers });
                 return ok(undefined);
             }
             catch (cause) {
@@ -825,10 +910,10 @@ export class Trellis {
     }
     requestAuthValidate(input) {
         const request = this.request.bind(this);
-        return request("Auth.ValidateRequest", input);
+        return request("Auth.Requests.Validate", input);
     }
 }
-_Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplicitApi = new WeakMap(), _Trellis_noResponderMaxRetries = new WeakMap(), _Trellis_noResponderRetryMs = new WeakMap(), _Trellis_authBypassMethods = new WeakMap(), _Trellis_onSessionNotFound = new WeakMap(), _Trellis_operationStore = new WeakMap(), _Trellis_instances = new WeakSet(), _Trellis_createStateFacade = function _Trellis_createStateFacade(state) {
+_Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplicitApi = new WeakMap(), _Trellis_noResponderMaxRetries = new WeakMap(), _Trellis_noResponderRetryMs = new WeakMap(), _Trellis_onSessionNotFound = new WeakMap(), _Trellis_operationStore = new WeakMap(), _Trellis_instances = new WeakSet(), _Trellis_createStateFacade = function _Trellis_createStateFacade(state) {
     const stores = (state ?? {});
     const facade = Object.fromEntries(Object.entries(stores).map(([store, descriptor]) => {
         if (descriptor.kind === "value") {
@@ -920,10 +1005,12 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
         }
         const span = startClientSpan(method, subject);
         const attempt = async () => {
-            const proof = await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_createProof).call(this, subject, msg);
+            const authHeaders = await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_createProof).call(this, subject, msg);
             const headers = natsHeaders();
             headers.set("session-key", this.auth.sessionKey);
-            headers.set("proof", proof);
+            headers.set("proof", authHeaders.proof);
+            headers.set("iat", String(authHeaders.iat));
+            headers.set("request-id", authHeaders.requestId);
             injectTraceContext(createNatsHeaderCarrier(headers), span);
             const msgResult = await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_requestMessageWithRetry).call(this, {
                 method,
@@ -968,11 +1055,11 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
                     : undefined;
                 const reconstructed = reconstructDeclaredRpcError(declaredErrorTypes, runtimeErrors, errorData, json);
                 if (reconstructed) {
-                    await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_handleSessionNotFound).call(this, reconstructed);
+                    await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_handleBrowserAuthRequired).call(this, reconstructed);
                     return err(reconstructed);
                 }
                 const remoteError = new RemoteError({ error: errorData });
-                await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_handleSessionNotFound).call(this, remoteError);
+                await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_handleBrowserAuthRequired).call(this, remoteError);
                 return err(remoteError);
             }
             const json = safeJson(response).take();
@@ -1023,11 +1110,284 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
             }
         });
     })());
-}, _Trellis_handleSessionNotFound = async function _Trellis_handleSessionNotFound(error) {
-    if (!__classPrivateFieldGet(this, _Trellis_onSessionNotFound, "f") || !isTransientAuthValidateSessionError(error)) {
+}, _Trellis_handleBrowserAuthRequired = async function _Trellis_handleBrowserAuthRequired(error) {
+    if (!__classPrivateFieldGet(this, _Trellis_onSessionNotFound, "f") || !isBrowserAuthRequiredError(error)) {
         return;
     }
     await __classPrivateFieldGet(this, _Trellis_onSessionNotFound, "f").call(this);
+}, _Trellis_authenticateFeedRequest = async function _Trellis_authenticateFeedRequest(args) {
+    const sessionKey = args.msg.headers?.get("session-key");
+    const proof = args.msg.headers?.get("proof");
+    const iatHeader = args.msg.headers?.get("iat");
+    const requestId = args.msg.headers?.get("request-id");
+    if (!sessionKey) {
+        return err(new AuthError({ reason: "missing_session_key" }));
+    }
+    if (!proof)
+        return err(new AuthError({ reason: "missing_proof" }));
+    const iat = Number(iatHeader);
+    if (!Number.isSafeInteger(iat) || !requestId) {
+        return err(new AuthError({ reason: "invalid_signature" }));
+    }
+    const proofInput = buildProofInput(sessionKey, args.subject, args.payloadHash, iat, requestId);
+    const digest = await sha256(proofInput);
+    const verifyResult = await AsyncResult.try(async () => {
+        const publicKeyRaw = base64urlDecode(sessionKey);
+        const pub = await crypto.subtle.importKey("raw", toArrayBuffer(publicKeyRaw), { name: "Ed25519" }, true, ["verify"]);
+        return crypto.subtle.verify({ name: "Ed25519" }, pub, toArrayBuffer(base64urlDecode(proof)), toArrayBuffer(digest));
+    });
+    if (!verifyResult.isOk() || verifyResult.take() !== true) {
+        return err(new AuthError({ reason: "invalid_signature", context: { sessionKey } }));
+    }
+    const auth = await this.requestAuthValidate({
+        sessionKey,
+        proof,
+        subject: args.subject,
+        payloadHash: base64urlEncode(args.payloadHash),
+        iat,
+        requestId,
+        capabilities: [...args.requiredCapabilities],
+    }).take();
+    if (isErr(auth))
+        return err(auth.error);
+    if (!auth.allowed) {
+        return err(new AuthError({
+            reason: "insufficient_permissions",
+            context: {
+                feed: args.feed,
+                requiredCapabilities: args.requiredCapabilities,
+                userCapabilities: auth.caller.capabilities,
+            },
+        }));
+    }
+    if (typeof args.msg.reply !== "string" ||
+        !args.msg.reply.startsWith(`${auth.inboxPrefix}.`)) {
+        return err(new AuthError({
+            reason: "reply_subject_mismatch",
+            context: { expected: auth.inboxPrefix, actual: args.msg.reply },
+        }));
+    }
+    return ok(auth.caller);
+}, _Trellis_subscribeFeed = function _Trellis_subscribeFeed(feed, descriptor, input, opts) {
+    return AsyncResult.from((async () => {
+        const payload = encodeRuntimeSchema(descriptor.input, input).take();
+        if (isErr(payload))
+            return payload;
+        const subject = this.template(descriptor.subject, input).take();
+        if (isErr(subject))
+            return subject;
+        const authHeaders = await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_createProof).call(this, subject, payload);
+        const headers = natsHeaders();
+        headers.set("session-key", this.auth.sessionKey);
+        headers.set("proof", authHeaders.proof);
+        headers.set("iat", String(authHeaders.iat));
+        headers.set("request-id", authHeaders.requestId);
+        injectTraceContext(createNatsHeaderCarrier(headers));
+        const inbox = createInbox(`_INBOX.${this.auth.sessionKey.slice(0, 16)}`);
+        const sub = this.nats.subscribe(inbox);
+        const iterator = sub[Symbol.asyncIterator]();
+        const abort = () => sub.unsubscribe();
+        opts?.signal?.addEventListener("abort", abort, { once: true });
+        try {
+            this.nats.publish(subject, payload, { headers, reply: inbox });
+            await this.nats.flush();
+        }
+        catch (cause) {
+            opts?.signal?.removeEventListener("abort", abort);
+            sub.unsubscribe();
+            return err(createTransportError({
+                code: "trellis.feed.subscribe_failed",
+                message: "Trellis could not subscribe to the feed.",
+                hint: "Retry the subscription. If it keeps failing, check Trellis runtime health.",
+                cause,
+                context: { feed, subject },
+            }));
+        }
+        let timeoutId;
+        let abortHandler;
+        const handshakePromises = [
+            iterator.next(),
+            new Promise((resolve) => {
+                timeoutId = setTimeout(() => resolve("timeout"), this.timeout);
+            }),
+        ];
+        const signal = opts?.signal;
+        if (signal) {
+            handshakePromises.push(new Promise((resolve) => {
+                abortHandler = () => resolve("aborted");
+                signal.addEventListener("abort", abortHandler, { once: true });
+            }));
+        }
+        const firstFrame = await Promise.race(handshakePromises);
+        if (timeoutId !== undefined)
+            clearTimeout(timeoutId);
+        if (signal && abortHandler) {
+            signal.removeEventListener("abort", abortHandler);
+        }
+        if (firstFrame === "timeout" || firstFrame === "aborted") {
+            opts?.signal?.removeEventListener("abort", abort);
+            sub.unsubscribe();
+            return err(createTransportError({
+                code: firstFrame === "timeout"
+                    ? "trellis.feed.subscribe_timeout"
+                    : "trellis.feed.subscribe_aborted",
+                message: firstFrame === "timeout"
+                    ? "Trellis did not receive a feed acknowledgement."
+                    : "The feed subscription was aborted before Trellis acknowledged it.",
+                hint: firstFrame === "timeout"
+                    ? "Check that the target service is running and has the current deployment digest, then retry."
+                    : "Retry the subscription if the feed is still needed.",
+                context: { feed, subject },
+            }));
+        }
+        if (firstFrame.done) {
+            opts?.signal?.removeEventListener("abort", abort);
+            sub.unsubscribe();
+            return err(createTransportError({
+                code: "trellis.feed.subscribe_closed",
+                message: "Trellis closed the feed before acknowledging it.",
+                hint: "Retry the subscription. If it keeps failing, check Trellis runtime health.",
+                context: { feed, subject },
+            }));
+        }
+        const firstMessage = firstFrame.value;
+        if (firstMessage.headers?.get("status") === "error") {
+            opts?.signal?.removeEventListener("abort", abort);
+            sub.unsubscribe();
+            return err(createTransportError({
+                code: "trellis.feed.failed",
+                message: "Trellis rejected the feed subscription.",
+                hint: "Retry the subscription. If it keeps failing, check Trellis runtime health and permissions.",
+                context: { feed, subject, frame: firstMessage.string() },
+            }));
+        }
+        const firstEvent = firstMessage.headers?.get("feed-status") === "ready"
+            ? undefined
+            : firstMessage;
+        const eventSchema = descriptor.event;
+        return ok((async function* () {
+            try {
+                const parseFeedFrame = (msg) => {
+                    if (msg.headers?.get("status") === "error") {
+                        throw createTransportError({
+                            code: "trellis.feed.failed",
+                            message: "Trellis stopped the feed.",
+                            hint: "Retry the subscription. If it keeps failing, check Trellis runtime health.",
+                            context: { feed, subject, frame: msg.string() },
+                        });
+                    }
+                    const json = safeJson(msg).take();
+                    if (isErr(json))
+                        throw json.error;
+                    const parsed = parseRuntimeSchema(eventSchema, json).take();
+                    if (isErr(parsed))
+                        throw parsed.error;
+                    return parsed;
+                };
+                if (firstEvent)
+                    yield parseFeedFrame(firstEvent);
+                while (true) {
+                    const next = await iterator.next();
+                    if (next.done)
+                        break;
+                    yield parseFeedFrame(next.value);
+                }
+            }
+            finally {
+                opts?.signal?.removeEventListener("abort", abort);
+                sub.unsubscribe();
+            }
+        })());
+    })());
+}, _Trellis_handleFeed = async function _Trellis_handleFeed(feed, descriptor, handler) {
+    const subject = this.template(descriptor.subject, {}, true).take();
+    if (isErr(subject))
+        throw subject.error;
+    let sub;
+    try {
+        sub = this.nats.subscribe(subject);
+        await this.nats.flush();
+    }
+    catch (cause) {
+        throw createTransportError({
+            code: "trellis.feed.listen_failed",
+            message: "Trellis could not listen for feed requests.",
+            hint: "Check the service deployment digest and runtime permissions, then restart the service.",
+            cause,
+            context: { feed, subject },
+        });
+    }
+    const task = AsyncResult.try(async () => {
+        for await (const msg of sub) {
+            void (async () => {
+                try {
+                    const result = await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_processFeedMessage).call(this, feed, descriptor, msg, handler);
+                    const value = result.take();
+                    if (isErr(value)) {
+                        __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_respondWithError).call(this, msg, value.error);
+                    }
+                }
+                catch (cause) {
+                    const error = cause instanceof BaseError
+                        ? cause
+                        : new UnexpectedError({ cause });
+                    __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_respondWithError).call(this, msg, error);
+                }
+            })();
+        }
+    });
+    __classPrivateFieldGet(this, _Trellis_tasks, "f").add(`feed:${feed}`, task);
+}, _Trellis_processFeedMessage = async function _Trellis_processFeedMessage(feed, descriptor, msg, handler) {
+    const json = safeJson(msg).take();
+    if (isErr(json))
+        return json;
+    const parsed = parseRuntimeSchema(descriptor.input, json).take();
+    if (isErr(parsed))
+        return parsed;
+    const caller = await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_authenticateFeedRequest).call(this, {
+        feed,
+        subject: msg.subject,
+        msg,
+        payloadHash: await sha256(msg.data ?? new Uint8Array()),
+        requiredCapabilities: descriptor.subscribeCapabilities,
+    });
+    const callerValue = caller.take();
+    if (isErr(callerValue))
+        return callerValue;
+    if (!msg.reply) {
+        return err(new UnexpectedError({
+            context: { feed, reason: "missing_reply" },
+        }));
+    }
+    const readyHeaders = natsHeaders();
+    readyHeaders.set("feed-status", "ready");
+    this.nats.publish(msg.reply, new Uint8Array(), { headers: readyHeaders });
+    await this.nats.flush();
+    const controller = new AbortController();
+    try {
+        await handler({
+            input: parsed,
+            caller: callerValue,
+            signal: controller.signal,
+            emit: (event) => AsyncResult.from((async () => {
+                const payload = encodeRuntimeSchema(descriptor.event, event).take();
+                if (isErr(payload))
+                    return payload;
+                if (!msg.reply) {
+                    return err(new UnexpectedError({
+                        context: { feed, reason: "missing_reply" },
+                    }));
+                }
+                this.nats.publish(msg.reply, payload);
+                await this.nats.flush();
+                return ok(undefined);
+            })()),
+        });
+        return ok(undefined);
+    }
+    finally {
+        controller.abort();
+    }
 }, _Trellis_handleRPC = function _Trellis_handleRPC(method, fn, subjectData = {}) {
     // Get API details
     const ctx = this.api["rpc"][method];
@@ -1043,10 +1403,31 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
             const resultPromise = await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_processRPCMessage).call(this, method, ctx, msg, fn, handlerTrellis);
             const result = resultPromise.take();
             if (isErr(result)) {
-                __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_respondWithError).call(this, msg, result.error);
+                __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_respondWithError).call(this, msg, result.error, { method: String(method) });
                 continue;
             }
-            msg.respond(result);
+            const sent = __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_respondWithPayload).call(this, msg, result, undefined, {
+                method: String(method),
+                responseKind: "success",
+            });
+            if (sent.isErr()) {
+                const responseBytes = payloadByteLength(result);
+                const message = causeMessage(sent.error.cause);
+                __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_respondWithError).call(this, msg, new TransportError({
+                    code: "trellis.rpc.response_send_failed",
+                    message: message.includes("max_payload")
+                        ? "Trellis RPC response exceeded NATS max_payload."
+                        : "Trellis could not send the RPC response.",
+                    hint: "Reduce the requested page size or use a narrower RPC that does not include large detail payloads.",
+                    cause: sent.error.cause,
+                    context: {
+                        method: String(method),
+                        subject: msg.subject,
+                        responseBytes,
+                        causeMessage: message,
+                    },
+                }), { method: String(method), responseBytes });
+            }
         }
     });
 }, _Trellis_processRPCMessage = async function _Trellis_processRPCMessage(method, ctx, msg, fn, handlerTrellis) {
@@ -1058,6 +1439,7 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
     }));
     // Start a server span for this RPC handler
     const span = startServerSpan(method, msg.subject, parentContext);
+    const incomingTraceId = traceIdFromTraceparent(msg.headers?.get("traceparent"));
     // Execute the handler within the span's context
     return withSpanAsync(span, async () => {
         const execute = async () => {
@@ -1081,7 +1463,7 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
             let caller;
             const callerSessionKey = msg.headers?.get("session-key") ?? "";
             const authRequired = ctx.authRequired ?? true;
-            if (!authRequired || __classPrivateFieldGet(this, _Trellis_authBypassMethods, "f").has(method)) {
+            if (!authRequired) {
                 caller = {
                     type: "service",
                     id: "system",
@@ -1093,6 +1475,8 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
             else {
                 const sessionKey = msg.headers?.get("session-key");
                 const proof = msg.headers?.get("proof");
+                const iatHeader = msg.headers?.get("iat");
+                const requestId = msg.headers?.get("request-id");
                 if (!sessionKey) {
                     __classPrivateFieldGet(this, _Trellis_log, "f").warn({ method }, "Missing session-key header");
                     span.setStatus({
@@ -1109,10 +1493,14 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
                     });
                     return err(new AuthError({ reason: "missing_proof" }));
                 }
+                const iat = Number(iatHeader);
+                if (!Number.isSafeInteger(iat) || !requestId) {
+                    return err(new AuthError({ reason: "invalid_signature" }));
+                }
                 // Verify proof signature locally using the raw request bytes we received.
                 const payloadBytes = msg.data ?? new Uint8Array();
                 const payloadHash = await sha256(payloadBytes);
-                const proofInput = buildProofInput(sessionKey, msg.subject, payloadHash);
+                const proofInput = buildProofInput(sessionKey, msg.subject, payloadHash, iat, requestId);
                 const digest = await sha256(proofInput);
                 const verifyResult = await AsyncResult.try(async () => {
                     const publicKeyRaw = base64urlDecode(sessionKey);
@@ -1138,6 +1526,8 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
                         proof,
                         subject: msg.subject,
                         payloadHash: base64urlEncode(payloadHash),
+                        iat,
+                        requestId,
                         capabilities: [...ctx.callerCapabilities],
                     }).take();
                     if (!isErr(authValue)) {
@@ -1165,10 +1555,10 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
                         remoteError: auth instanceof RemoteError
                             ? auth.toSerializable()
                             : undefined,
-                    }, "Auth.ValidateRequest failed");
+                    }, "Auth.Requests.Validate failed");
                     span.setStatus({
                         code: SpanStatusCode.ERROR,
-                        message: "Auth.ValidateRequest failed",
+                        message: "Auth.Requests.Validate failed",
                     });
                     if (auth instanceof BaseError) {
                         return err(auth);
@@ -1203,11 +1593,13 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
             }
             span.setAttribute("auth.caller.type", caller.type);
             if (caller.type === "user") {
-                span.setAttribute("user.id", caller.id);
-                span.setAttribute("user.origin", caller.origin);
+                span.setAttribute("user.id", caller.userId);
+                span.setAttribute("user.identity.provider", caller.identity.provider);
+                span.setAttribute("user.identity.subject", caller.identity.subject);
             }
             if (caller.type === "service") {
-                span.setAttribute("service.id", caller.id);
+                const { id } = caller;
+                span.setAttribute("service.id", id);
             }
             if (caller.type === "device") {
                 span.setAttribute("device.id", caller.deviceId);
@@ -1272,25 +1664,61 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
             return ok(encoded);
         };
         const result = await execute();
+        if (isErr(result)) {
+            result.error.withTraceId(activeTraceId(span) ?? incomingTraceId);
+        }
         span.end();
         return result;
     });
-}, _Trellis_respondWithError = function _Trellis_respondWithError(msg, error) {
+}, _Trellis_respondWithPayload = function _Trellis_respondWithPayload(msg, payload, options, context) {
+    const responseBytes = payloadByteLength(payload);
+    try {
+        msg.respond(payload, options);
+        return ok(undefined);
+    }
+    catch (cause) {
+        const error = new UnexpectedError({
+            cause,
+            context: {
+                method: context.method,
+                responseKind: context.responseKind,
+                subject: msg.subject,
+                reply: msg.reply,
+                responseBytes,
+                causeMessage: causeMessage(cause),
+            },
+        });
+        __classPrivateFieldGet(this, _Trellis_log, "f").error({
+            method: context.method,
+            responseKind: context.responseKind,
+            subject: msg.subject,
+            reply: msg.reply,
+            responseBytes,
+            cause: causeLogData(cause),
+        }, "Failed to send RPC response");
+        return err(error);
+    }
+}, _Trellis_respondWithError = function _Trellis_respondWithError(msg, error, context = {}) {
     const trellisError = error instanceof BaseError &&
         !(error instanceof RemoteError)
         ? error
         : new UnexpectedError({ cause: error });
-    __classPrivateFieldGet(this, _Trellis_log, "f").error({ error: trellisError.toSerializable() }, "RPC error");
+    __classPrivateFieldGet(this, _Trellis_log, "f").error({
+        method: context.method,
+        subject: msg.subject,
+        responseBytes: context.responseBytes,
+        error: trellisError.toSerializable(),
+    }, "RPC error");
     const errorData = trellisError.toSerializable();
     const hdrs = natsHeaders();
     hdrs.set("status", "error");
     const serialized = Result.try(() => JSON.stringify(errorData));
     if (serialized.isErr()) {
         __classPrivateFieldGet(this, _Trellis_log, "f").error({ error: serialized.error }, "Failed to serialize error response");
-        msg.respond('{"type":"UnexpectedError","message":"Failed to serialize error"}', { headers: hdrs });
+        __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_respondWithPayload).call(this, msg, '{"type":"UnexpectedError","message":"Failed to serialize error"}', { headers: hdrs }, { method: context.method, responseKind: "error" });
         return;
     }
-    msg.respond(serialized.take(), { headers: hdrs });
+    __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_respondWithPayload).call(this, msg, serialized.take(), { headers: hdrs }, { method: context.method, responseKind: "error" });
 }, _Trellis_startEphemeralEvent = function _Trellis_startEphemeralEvent(event, ctx, subject, fn, signal) {
     const sub = this.nats.subscribe(subject);
     if (signal) {
@@ -1358,13 +1786,17 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
         return `_${out}`;
     }
     return out;
+}, _Trellis_currentIat = function _Trellis_currentIat() {
+    return this.auth.currentIat?.() ?? Math.floor(Date.now() / 1000);
 }, _Trellis_createProof = async function _Trellis_createProof(subject, payload) {
     const payloadBytes = new TextEncoder().encode(payload);
     const payloadHash = await sha256(payloadBytes);
-    const input = buildProofInput(this.auth.sessionKey, subject, payloadHash);
+    const iat = __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_currentIat).call(this);
+    const requestId = ulid();
+    const input = buildProofInput(this.auth.sessionKey, subject, payloadHash, iat, requestId);
     const digest = await sha256(input);
     const sigBytes = await this.auth.sign(digest);
-    return base64urlEncode(sigBytes);
+    return { proof: base64urlEncode(sigBytes), iat, requestId };
 }, _Trellis_requestMessageWithRetry = async function _Trellis_requestMessageWithRetry(args) {
     for (let retry = 0; retry <= __classPrivateFieldGet(this, _Trellis_noResponderMaxRetries, "f"); retry++) {
         const result = await AsyncResult.try(() => this.nats.request(args.subject, args.payload, {
@@ -1400,39 +1832,71 @@ _Trellis_log = new WeakMap(), _Trellis_tasks = new WeakMap(), _Trellis_hasExplic
     }));
 }, _Trellis_requestJson = function _Trellis_requestJson(subject, body) {
     return AsyncResult.from((async () => {
-        const payload = JSON.stringify(body);
-        const proof = await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_createProof).call(this, subject, payload);
-        const headers = natsHeaders();
-        headers.set("session-key", this.auth.sessionKey);
-        headers.set("proof", proof);
-        const response = (await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_requestMessageWithRetry).call(this, {
-            subject,
-            payload,
-            headers,
-            timeout: this.timeout,
-        })).take();
-        if (isErr(response)) {
-            return response;
-        }
-        const json = safeJson(response).take();
-        if (isErr(json)) {
-            return err(createTransportError({
-                code: "trellis.request.invalid_response",
-                message: "Trellis returned an invalid response.",
-                hint: "Retry the request. If it keeps happening, reconnect to Trellis and try again.",
-                cause: json.error.cause,
-                context: { subject },
-            }));
-        }
-        return ok(json);
+        const span = startClientSpan(subject, subject);
+        return await withSpanAsync(span, async () => {
+            try {
+                const payload = JSON.stringify(body);
+                const authHeaders = await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_createProof).call(this, subject, payload);
+                const headers = natsHeaders();
+                headers.set("session-key", this.auth.sessionKey);
+                headers.set("proof", authHeaders.proof);
+                headers.set("iat", String(authHeaders.iat));
+                headers.set("request-id", authHeaders.requestId);
+                injectTraceContext(createNatsHeaderCarrier(headers), span);
+                const response = (await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_requestMessageWithRetry).call(this, {
+                    subject,
+                    payload,
+                    headers,
+                    timeout: this.timeout,
+                })).take();
+                if (isErr(response)) {
+                    span.setStatus({
+                        code: SpanStatusCode.ERROR,
+                        message: response.error.message,
+                    });
+                    return response;
+                }
+                const json = safeJson(response).take();
+                if (isErr(json)) {
+                    const error = createTransportError({
+                        code: "trellis.request.invalid_response",
+                        message: "Trellis returned an invalid response.",
+                        hint: "Retry the request. If it keeps happening, reconnect to Trellis and try again.",
+                        cause: json.error.cause,
+                        context: { subject },
+                    });
+                    span.setStatus({
+                        code: SpanStatusCode.ERROR,
+                        message: error.message,
+                    });
+                    return err(error);
+                }
+                span.setStatus({ code: SpanStatusCode.OK });
+                return ok(json);
+            }
+            catch (cause) {
+                const error = new UnexpectedError({ cause });
+                span.setStatus({
+                    code: SpanStatusCode.ERROR,
+                    message: error.message,
+                });
+                span.recordException(error);
+                return err(error);
+            }
+            finally {
+                span.end();
+            }
+        });
     })());
 }, _Trellis_watchJson = function _Trellis_watchJson(subject, body) {
     return AsyncResult.from((async () => {
         const payload = JSON.stringify(body);
-        const proof = await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_createProof).call(this, subject, payload);
+        const authHeaders = await __classPrivateFieldGet(this, _Trellis_instances, "m", _Trellis_createProof).call(this, subject, payload);
         const headers = natsHeaders();
         headers.set("session-key", this.auth.sessionKey);
-        headers.set("proof", proof);
+        headers.set("proof", authHeaders.proof);
+        headers.set("iat", String(authHeaders.iat));
+        headers.set("request-id", authHeaders.requestId);
         const inbox = createInbox(`_INBOX.${this.auth.sessionKey.slice(0, 16)}`);
         const sub = this.nats.subscribe(inbox);
         try {