@query-farm/vgi-rpc 0.3.4 → 0.6.0

package/README.md

@@ -15,6 +15,7 @@ Define RPC methods with Arrow-typed schemas, serve them over stdin/stdout, and i
 - **Type-safe streaming state** — generic `<S>` parameter threads state types through init and produce/exchange functions
 - **Runtime introspection** — opt-in `__describe__` method for dynamic service discovery via the CLI
 - **Result validation** — missing required fields in handler results throw descriptive errors at emit time
+- **Authentication** — bearer tokens, JWT, mTLS (PEM-in-header and XFCC), with chainable authenticators
 - **Three client transports** — HTTP, subprocess, and raw pipe, all sharing a unified `RpcClient` interface
 
 ## Installation
@@ -297,6 +298,52 @@ handler: async ({ a, b }) => {
 
 Errors are transmitted as zero-row Arrow batches with `EXCEPTION`-level metadata. The transport remains clean for subsequent requests.
 
+## Authentication
+
+The HTTP handler supports pluggable authentication. Built-in factories cover common strategies:
+
+```typescript
+import {
+  createHttpHandler,
+  chainAuthenticate,
+  mtlsAuthenticateSubject,
+  bearerAuthenticateStatic,
+  jwtAuthenticate,
+  AuthContext,
+} from "@query-farm/vgi-rpc";
+
+// mTLS via proxy-forwarded client certificate
+const mtlsAuth = mtlsAuthenticateSubject({
+  allowedSubjects: new Set(["my-service"]),
+});
+
+// Static API key map
+const apiKeyAuth = bearerAuthenticateStatic({
+  tokens: { "sk-abc123": new AuthContext("apikey", true, "ci-bot") },
+});
+
+// Chain: try mTLS first, fall back to API key
+const auth = chainAuthenticate(mtlsAuth, apiKeyAuth);
+
+const handler = createHttpHandler(protocol, {
+  signingKey: myKey,
+  authenticate: auth,
+});
+```
+
+Available factories:
+
+| Factory | Description |
+|---------|-------------|
+| `bearerAuthenticate` | Custom bearer token validation |
+| `bearerAuthenticateStatic` | Static token map with constant-time comparison |
+| `jwtAuthenticate` | JWT validation via OIDC discovery |
+| `mtlsAuthenticate` | Custom X.509 certificate validation |
+| `mtlsAuthenticateFingerprint` | Certificate fingerprint lookup |
+| `mtlsAuthenticateSubject` | Subject CN extraction with optional allowlist |
+| `mtlsAuthenticateXfcc` | Envoy `x-forwarded-client-cert` header |
+| `chainAuthenticate` | Try multiple strategies in order |
+
 ## Testing with the Python CLI
 
 The [vgi-rpc CLI](https://github.com/Query-farm/vgi-rpc-python) can introspect and call methods on any TypeScript server:

package/dist/auth.d.ts

@@ -0,0 +1,13 @@
+/** Authentication context available to RPC handlers. */
+export declare class AuthContext {
+    readonly domain: string;
+    readonly authenticated: boolean;
+    readonly principal: string | null;
+    readonly claims: Record<string, any>;
+    constructor(domain: string, authenticated: boolean, principal: string | null, claims?: Record<string, any>);
+    /** Create an unauthenticated (anonymous) context. */
+    static anonymous(): AuthContext;
+    /** Throw an RpcError if this context is not authenticated. */
+    requireAuthenticated(): void;
+}
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAKA,wDAAwD;AACxD,qBAAa,WAAW;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;gBAEzB,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,GAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAM;IAO9G,qDAAqD;IACrD,MAAM,CAAC,SAAS,IAAI,WAAW;IAI/B,8DAA8D;IAC9D,oBAAoB,IAAI,IAAI;CAK7B"}

package/dist/client/connect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"connect.d.ts","sourceRoot":"","sources":["../../src/client/connect.ts"],"names":[],"mappings":"AAMA,OAAO,EAAmC,KAAK,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAS3F,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKpE,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;IACxF,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC7E,QAAQ,IAAI,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACxC,KAAK,IAAI,IAAI,CAAC;CACf;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,kBAAkB,GAAG,SAAS,CAkRpF"}
+{"version":3,"file":"connect.d.ts","sourceRoot":"","sources":["../../src/client/connect.ts"],"names":[],"mappings":"AAQA,OAAO,EAAmC,KAAK,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAS3F,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKpE,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;IACxF,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC7E,QAAQ,IAAI,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACxC,KAAK,IAAI,IAAI,CAAC;CACf;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,kBAAkB,GAAG,SAAS,CAsSpF"}

package/dist/client/index.d.ts

@@ -1,5 +1,7 @@
 export { httpConnect, type RpcClient } from "./connect.js";
 export { httpIntrospect, type MethodInfo, parseDescribeResponse, type ServiceDescription } from "./introspect.js";
+export type { OAuthResourceMetadataResponse } from "./oauth.js";
+export { fetchOAuthMetadata, httpOAuthMetadata, parseClientId, parseClientSecret, parseDeviceCodeClientId, parseDeviceCodeClientSecret, parseResourceMetadataUrl, parseUseIdTokenAsBearer, } from "./oauth.js";
 export { PipeStreamSession, pipeConnect, subprocessConnect } from "./pipe.js";
 export { HttpStreamSession } from "./stream.js";
 export type { HttpConnectOptions, LogMessage, PipeConnectOptions, StreamSession, SubprocessConnectOptions, } from "./types.js";

package/dist/client/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,KAAK,SAAS,EAAE,MAAM,cAAc,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,KAAK,UAAU,EAAE,qBAAqB,EAAE,KAAK,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAClH,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9E,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,YAAY,EACV,kBAAkB,EAClB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,wBAAwB,GACzB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,KAAK,SAAS,EAAE,MAAM,cAAc,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,KAAK,UAAU,EAAE,qBAAqB,EAAE,KAAK,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAClH,YAAY,EAAE,6BAA6B,EAAE,MAAM,YAAY,CAAC;AAChE,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,aAAa,EACb,iBAAiB,EACjB,uBAAuB,EACvB,2BAA2B,EAC3B,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9E,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,YAAY,EACV,kBAAkB,EAClB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,wBAAwB,GACzB,MAAM,YAAY,CAAC"}

package/dist/client/introspect.d.ts

@@ -26,5 +26,6 @@ export declare function parseDescribeResponse(batches: RecordBatch[], onLog?: (m
  */
 export declare function httpIntrospect(baseUrl: string, options?: {
     prefix?: string;
+    authorization?: string;
 }): Promise<ServiceDescription>;
 //# sourceMappingURL=introspect.d.ts.map

package/dist/client/introspect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"introspect.d.ts","sourceRoot":"","sources":["../../src/client/introspect.ts"],"names":[],"mappings":"AAGA,OAAO,EAAyB,KAAK,WAAW,EAAqB,KAAK,MAAM,EAAE,MAAM,0BAA0B,CAAC;AAInH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAChC;AAED,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,UAAU,EAAE,CAAC;CACvB;AASD;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,WAAW,EAAE,EACtB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,GAChC,OAAO,CAAC,kBAAkB,CAAC,CAwE7B;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAehH"}
+{"version":3,"file":"introspect.d.ts","sourceRoot":"","sources":["../../src/client/introspect.ts"],"names":[],"mappings":"AAGA,OAAO,EAAyB,KAAK,WAAW,EAAqB,KAAK,MAAM,EAAE,MAAM,0BAA0B,CAAC;AAKnH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAChC;AAED,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,UAAU,EAAE,CAAC;CACvB;AASD;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,WAAW,EAAE,EACtB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,GAChC,OAAO,CAAC,kBAAkB,CAAC,CAwE7B;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,GACpD,OAAO,CAAC,kBAAkB,CAAC,CAuB7B"}

package/dist/client/oauth.d.ts

@@ -0,0 +1,62 @@
+/** RFC 9728 OAuth Protected Resource Metadata (client-side response). */
+export interface OAuthResourceMetadataResponse {
+    resource: string;
+    authorizationServers: string[];
+    scopesSupported?: string[];
+    bearerMethodsSupported?: string[];
+    resourceSigningAlgValuesSupported?: string[];
+    resourceName?: string;
+    resourceDocumentation?: string;
+    resourcePolicyUri?: string;
+    resourceTosUri?: string;
+    /** OAuth client_id advertised by the server. */
+    clientId?: string;
+    /** OAuth client_secret advertised by the server. */
+    clientSecret?: string;
+    /** When true, use the OIDC id_token as the Bearer token instead of access_token. */
+    useIdTokenAsBearer?: boolean;
+    /** OAuth client_id for device code flow. */
+    deviceCodeClientId?: string;
+    /** OAuth client_secret for device code flow. */
+    deviceCodeClientSecret?: string;
+}
+/**
+ * Discover OAuth Protected Resource Metadata (RFC 9728) from a vgi-rpc server.
+ * Returns `null` if the server does not serve the well-known endpoint.
+ */
+export declare function httpOAuthMetadata(baseUrl: string, prefix?: string): Promise<OAuthResourceMetadataResponse | null>;
+/**
+ * Fetch OAuth Protected Resource Metadata from an explicit metadata URL.
+ */
+export declare function fetchOAuthMetadata(metadataUrl: string): Promise<OAuthResourceMetadataResponse>;
+/**
+ * Extract the `resource_metadata` URL from a WWW-Authenticate Bearer challenge.
+ * Returns `null` if no resource_metadata parameter is found.
+ */
+export declare function parseResourceMetadataUrl(wwwAuthenticate: string): string | null;
+/**
+ * Extract the `client_id` from a WWW-Authenticate Bearer challenge.
+ * Returns `null` if no client_id parameter is found.
+ */
+export declare function parseClientId(wwwAuthenticate: string): string | null;
+/**
+ * Extract the `client_secret` from a WWW-Authenticate Bearer challenge.
+ * Returns `null` if no client_secret parameter is found.
+ */
+export declare function parseClientSecret(wwwAuthenticate: string): string | null;
+/**
+ * Extract the `use_id_token_as_bearer` flag from a WWW-Authenticate Bearer challenge.
+ * Returns `true` if the parameter is present and set to "true", `false` otherwise.
+ */
+export declare function parseUseIdTokenAsBearer(wwwAuthenticate: string): boolean;
+/**
+ * Extract the `device_code_client_id` from a WWW-Authenticate Bearer challenge.
+ * Returns `null` if no device_code_client_id parameter is found.
+ */
+export declare function parseDeviceCodeClientId(wwwAuthenticate: string): string | null;
+/**
+ * Extract the `device_code_client_secret` from a WWW-Authenticate Bearer challenge.
+ * Returns `null` if no device_code_client_secret parameter is found.
+ */
+export declare function parseDeviceCodeClientSecret(wwwAuthenticate: string): string | null;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/client/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/client/oauth.ts"],"names":[],"mappings":"AAGA,yEAAyE;AACzE,MAAM,WAAW,6BAA6B;IAC5C,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,iCAAiC,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oDAAoD;IACpD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oFAAoF;IACpF,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,4CAA4C;IAC5C,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gDAAgD;IAChD,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAuBD;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,6BAA6B,GAAG,IAAI,CAAC,CAS/C;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,6BAA6B,CAAC,CAOpG;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAU/E;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CASpE;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CASxE;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CASxE;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAS9E;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CASlF"}

package/dist/client/pipe.d.ts

@@ -1,4 +1,5 @@
 import { Schema } from "@query-farm/apache-arrow";
+import { type ExternalLocationConfig } from "../external.js";
 import { IpcStreamReader } from "../wire/reader.js";
 import type { RpcClient } from "./connect.js";
 import type { LogMessage, PipeConnectOptions, StreamSession, SubprocessConnectOptions } from "./types.js";
@@ -20,6 +21,7 @@ export declare class PipeStreamSession implements StreamSession {
     private _outputSchema;
     private _releaseBusy;
     private _setDrainPromise;
+    private _externalConfig?;
     constructor(opts: {
         reader: IpcStreamReader;
         writeFn: WriteFn;
@@ -28,6 +30,7 @@ export declare class PipeStreamSession implements StreamSession {
         outputSchema: Schema;
         releaseBusy: () => void;
         setDrainPromise: (p: Promise<void>) => void;
+        externalConfig?: ExternalLocationConfig;
     });
     get header(): Record<string, any> | null;
     /**

package/dist/client/pipe.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pipe.d.ts","sourceRoot":"","sources":["../../src/client/pipe.ts"],"names":[],"mappings":"AAGA,OAAO,EAKL,MAAM,EAGP,MAAM,0BAA0B,CAAC;AAIlC,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAG9C,OAAO,KAAK,EAAE,UAAU,EAAE,kBAAkB,EAAE,aAAa,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAM1G,UAAU,YAAY;IACpB,KAAK,CAAC,IAAI,EAAE,UAAU,GAAG,IAAI,CAAC;IAC9B,KAAK,CAAC,IAAI,IAAI,CAAC;IACf,GAAG,IAAI,IAAI,CAAC;CACb;AAED,KAAK,OAAO,GAAG,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;AA6C3C,qBAAa,iBAAkB,YAAW,aAAa;IACrD,OAAO,CAAC,OAAO,CAAkB;IACjC,OAAO,CAAC,QAAQ,CAAU;IAC1B,OAAO,CAAC,MAAM,CAAC,CAA4B;IAC3C,OAAO,CAAC,OAAO,CAA6B;IAC5C,OAAO,CAAC,YAAY,CAAsC;IAC1D,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,mBAAmB,CAAS;IACpC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,YAAY,CAAa;IACjC,OAAO,CAAC,gBAAgB,CAA6B;gBAEzC,IAAI,EAAE;QAChB,MAAM,EAAE,eAAe,CAAC;QACxB,OAAO,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;QAClC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;QACnC,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,EAAE,MAAM,IAAI,CAAC;QACxB,eAAe,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;KAC7C;IAUD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAEvC;IAED;;;;OAIG;YACW,gBAAgB;IAiB9B;;;;;OAKG;YACW,mBAAmB;IASjC;;OAEG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;IAsG5E;;OAEG;YACW,QAAQ;IAiBtB;;OAEG;IACI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;IAqD7E,KAAK,IAAI,IAAI;CAoCd;AAMD,wBAAgB,WAAW,CACzB,QAAQ,EAAE,cAAc,CAAC,UAAU,CAAC,EACpC,QAAQ,EAAE,YAAY,EACtB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,SAAS,CA4NX;AAMD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,OAAO,CAAC,EAAE,wBAAwB,GAAG,SAAS,CAuC9F"}
+{"version":3,"file":"pipe.d.ts","sourceRoot":"","sources":["../../src/client/pipe.ts"],"names":[],"mappings":"AAGA,OAAO,EAKL,MAAM,EAGP,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,KAAK,sBAAsB,EAAoD,MAAM,gBAAgB,CAAC;AAE/G,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAG9C,OAAO,KAAK,EAAE,UAAU,EAAE,kBAAkB,EAAE,aAAa,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAM1G,UAAU,YAAY;IACpB,KAAK,CAAC,IAAI,EAAE,UAAU,GAAG,IAAI,CAAC;IAC9B,KAAK,CAAC,IAAI,IAAI,CAAC;IACf,GAAG,IAAI,IAAI,CAAC;CACb;AAED,KAAK,OAAO,GAAG,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;AA6C3C,qBAAa,iBAAkB,YAAW,aAAa;IACrD,OAAO,CAAC,OAAO,CAAkB;IACjC,OAAO,CAAC,QAAQ,CAAU;IAC1B,OAAO,CAAC,MAAM,CAAC,CAA4B;IAC3C,OAAO,CAAC,OAAO,CAA6B;IAC5C,OAAO,CAAC,YAAY,CAAsC;IAC1D,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,mBAAmB,CAAS;IACpC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,YAAY,CAAa;IACjC,OAAO,CAAC,gBAAgB,CAA6B;IACrD,OAAO,CAAC,eAAe,CAAC,CAAyB;gBAErC,IAAI,EAAE;QAChB,MAAM,EAAE,eAAe,CAAC;QACxB,OAAO,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;QAClC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;QACnC,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,EAAE,MAAM,IAAI,CAAC;QACxB,eAAe,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;QAC5C,cAAc,CAAC,EAAE,sBAAsB,CAAC;KACzC;IAWD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAEvC;IAED;;;;OAIG;YACW,gBAAgB;IAqB9B;;;;;OAKG;YACW,mBAAmB;IASjC;;OAEG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;IAsG5E;;OAEG;YACW,QAAQ;IAiBtB;;OAEG;IACI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;IAqD7E,KAAK,IAAI,IAAI;CAoCd;AAMD,wBAAgB,WAAW,CACzB,QAAQ,EAAE,cAAc,CAAC,UAAU,CAAC,EACpC,QAAQ,EAAE,YAAY,EACtB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,SAAS,CAkOX;AAMD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,OAAO,CAAC,EAAE,wBAAwB,GAAG,SAAS,CAwC9F"}

package/dist/client/stream.d.ts

@@ -1,4 +1,5 @@
 import { RecordBatch, Schema } from "@query-farm/apache-arrow";
+import { type ExternalLocationConfig } from "../external.js";
 import type { LogMessage, StreamSession } from "./types.js";
 type CompressFn = (data: Uint8Array, level: number) => Uint8Array;
 type DecompressFn = (data: Uint8Array) => Uint8Array;
@@ -16,6 +17,8 @@ export declare class HttpStreamSession implements StreamSession {
     private _compressionLevel?;
     private _compressFn?;
     private _decompressFn?;
+    private _authorization?;
+    private _externalConfig?;
     constructor(opts: {
         baseUrl: string;
         prefix: string;
@@ -30,6 +33,8 @@ export declare class HttpStreamSession implements StreamSession {
         compressionLevel?: number;
         compressFn?: CompressFn;
         decompressFn?: DecompressFn;
+        authorization?: string;
+        externalConfig?: ExternalLocationConfig;
     });
     get header(): Record<string, any> | null;
     private _buildHeaders;

package/dist/client/stream.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"stream.d.ts","sourceRoot":"","sources":["../../src/client/stream.ts"],"names":[],"mappings":"AAGA,OAAO,EAAmB,WAAW,EAAE,MAAM,EAA2B,MAAM,0BAA0B,CAAC;AAKzG,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE5D,KAAK,UAAU,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,KAAK,UAAU,CAAC;AAClE,KAAK,YAAY,GAAG,CAAC,IAAI,EAAE,UAAU,KAAK,UAAU,CAAC;AAErD,qBAAa,iBAAkB,YAAW,aAAa;IACrD,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,WAAW,CAAgB;IACnC,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,YAAY,CAAC,CAAS;IAC9B,OAAO,CAAC,MAAM,CAAC,CAA4B;IAC3C,OAAO,CAAC,eAAe,CAAgB;IACvC,OAAO,CAAC,SAAS,CAAU;IAC3B,OAAO,CAAC,OAAO,CAA6B;IAC5C,OAAO,CAAC,iBAAiB,CAAC,CAAS;IACnC,OAAO,CAAC,WAAW,CAAC,CAAa;IACjC,OAAO,CAAC,aAAa,CAAC,CAAe;gBAEzB,IAAI,EAAE;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;QAClC,cAAc,EAAE,WAAW,EAAE,CAAC;QAC9B,QAAQ,EAAE,OAAO,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;QACnC,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,UAAU,CAAC,EAAE,UAAU,CAAC;QACxB,YAAY,CAAC,EAAE,YAAY,CAAC;KAC7B;IAgBD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAEvC;IAED,OAAO,CAAC,aAAa;IAWrB,OAAO,CAAC,YAAY;YAON,aAAa;IAQ3B;;OAEG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YA0D9D,WAAW;IAoCzB,OAAO,CAAC,gBAAgB;IAcxB;;OAEG;IACI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YAyC/D,iBAAiB;IAwB/B,KAAK,IAAI,IAAI;CAGd"}
+{"version":3,"file":"stream.d.ts","sourceRoot":"","sources":["../../src/client/stream.ts"],"names":[],"mappings":"AAGA,OAAO,EAAmB,WAAW,EAAE,MAAM,EAA2B,MAAM,0BAA0B,CAAC;AAGzG,OAAO,EAAE,KAAK,sBAAsB,EAAoD,MAAM,gBAAgB,CAAC;AAG/G,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE5D,KAAK,UAAU,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,KAAK,UAAU,CAAC;AAClE,KAAK,YAAY,GAAG,CAAC,IAAI,EAAE,UAAU,KAAK,UAAU,CAAC;AAErD,qBAAa,iBAAkB,YAAW,aAAa;IACrD,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,WAAW,CAAgB;IACnC,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,YAAY,CAAC,CAAS;IAC9B,OAAO,CAAC,MAAM,CAAC,CAA4B;IAC3C,OAAO,CAAC,eAAe,CAAgB;IACvC,OAAO,CAAC,SAAS,CAAU;IAC3B,OAAO,CAAC,OAAO,CAA6B;IAC5C,OAAO,CAAC,iBAAiB,CAAC,CAAS;IACnC,OAAO,CAAC,WAAW,CAAC,CAAa;IACjC,OAAO,CAAC,aAAa,CAAC,CAAe;IACrC,OAAO,CAAC,cAAc,CAAC,CAAS;IAChC,OAAO,CAAC,eAAe,CAAC,CAAyB;gBAErC,IAAI,EAAE;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;QAClC,cAAc,EAAE,WAAW,EAAE,CAAC;QAC9B,QAAQ,EAAE,OAAO,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;QACnC,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,UAAU,CAAC,EAAE,UAAU,CAAC;QACxB,YAAY,CAAC,EAAE,YAAY,CAAC;QAC5B,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,cAAc,CAAC,EAAE,sBAAsB,CAAC;KACzC;IAkBD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAEvC;IAED,OAAO,CAAC,aAAa;IAcrB,OAAO,CAAC,YAAY;YAON,aAAa;IAQ3B;;OAEG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YA0D9D,WAAW;IAuCzB,OAAO,CAAC,gBAAgB;IAcxB;;OAEG;IACI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YAkD/D,iBAAiB;IA2B/B,KAAK,IAAI,IAAI;CAGd"}

package/dist/client/types.d.ts

@@ -2,6 +2,10 @@ export interface HttpConnectOptions {
     prefix?: string;
     onLog?: (msg: LogMessage) => void;
     compressionLevel?: number;
+    /** Authorization header value (e.g. "Bearer <token>"). Sent with every request. */
+    authorization?: string;
+    /** External storage config for resolving externalized batches. */
+    externalLocation?: import("../external.js").ExternalLocationConfig;
 }
 export interface LogMessage {
     level: string;
@@ -16,6 +20,8 @@ export interface StreamSession {
 }
 export interface PipeConnectOptions {
     onLog?: (msg: LogMessage) => void;
+    /** External storage config for resolving externalized batches. */
+    externalLocation?: import("../external.js").ExternalLocationConfig;
 }
 export interface SubprocessConnectOptions extends PipeConnectOptions {
     cwd?: string;

package/dist/client/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/client/types.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;IAClC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;IAC5C,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACvE,KAAK,IAAI,IAAI,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;CACnC;AAED,MAAM,WAAW,wBAAyB,SAAQ,kBAAkB;IAClE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,QAAQ,CAAC;CACxC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/client/types.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;IAClC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mFAAmF;IACnF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,kEAAkE;IAClE,gBAAgB,CAAC,EAAE,OAAO,gBAAgB,EAAE,sBAAsB,CAAC;CACpE;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;IAC5C,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACvE,KAAK,IAAI,IAAI,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;IAClC,kEAAkE;IAClE,gBAAgB,CAAC,EAAE,OAAO,gBAAgB,EAAE,sBAAsB,CAAC;CACpE;AAED,MAAM,WAAW,wBAAyB,SAAQ,kBAAkB;IAClE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,QAAQ,CAAC;CACxC"}

package/dist/constants.d.ts

@@ -9,7 +9,9 @@ export declare const SERVER_ID_KEY = "vgi_rpc.server_id";
 export declare const REQUEST_ID_KEY = "vgi_rpc.request_id";
 export declare const PROTOCOL_NAME_KEY = "vgi_rpc.protocol_name";
 export declare const DESCRIBE_VERSION_KEY = "vgi_rpc.describe_version";
-export declare const DESCRIBE_VERSION = "2";
+export declare const DESCRIBE_VERSION = "3";
 export declare const DESCRIBE_METHOD_NAME = "__describe__";
 export declare const STATE_KEY = "vgi_rpc.stream_state#b64";
+export declare const LOCATION_KEY = "vgi_rpc.location";
+export declare const LOCATION_SHA256_KEY = "vgi_rpc.location.sha256";
 //# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAGA,6DAA6D;AAE7D,eAAO,MAAM,cAAc,mBAAmB,CAAC;AAC/C,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,eAAe,wBAAwB,CAAC;AACrD,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,mBAAmB,4BAA4B,CAAC;AAC7D,eAAO,MAAM,eAAe,MAAM,CAAC;AAEnC,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,cAAc,uBAAuB,CAAC;AAEnD,eAAO,MAAM,iBAAiB,0BAA0B,CAAC;AACzD,eAAO,MAAM,oBAAoB,6BAA6B,CAAC;AAC/D,eAAO,MAAM,gBAAgB,MAAM,CAAC;AAEpC,eAAO,MAAM,oBAAoB,iBAAiB,CAAC;AAEnD,eAAO,MAAM,SAAS,6BAA6B,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAGA,6DAA6D;AAE7D,eAAO,MAAM,cAAc,mBAAmB,CAAC;AAC/C,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,eAAe,wBAAwB,CAAC;AACrD,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,mBAAmB,4BAA4B,CAAC;AAC7D,eAAO,MAAM,eAAe,MAAM,CAAC;AAEnC,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,cAAc,uBAAuB,CAAC;AAEnD,eAAO,MAAM,iBAAiB,0BAA0B,CAAC;AACzD,eAAO,MAAM,oBAAoB,6BAA6B,CAAC;AAC/D,eAAO,MAAM,gBAAgB,MAAM,CAAC;AAEpC,eAAO,MAAM,oBAAoB,iBAAiB,CAAC;AAEnD,eAAO,MAAM,SAAS,6BAA6B,CAAC;AAEpD,eAAO,MAAM,YAAY,qBAAqB,CAAC;AAC/C,eAAO,MAAM,mBAAmB,4BAA4B,CAAC"}

package/dist/dispatch/describe.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"describe.d.ts","sourceRoot":"","sources":["../../src/dispatch/describe.ts"],"names":[],"mappings":"AAGA,OAAO,EAKL,WAAW,EACX,MAAM,EAIP,MAAM,0BAA0B,CAAC;AASlC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD;;GAEG;AACH,eAAO,MAAM,eAAe,aAW1B,CAAC;AAEH;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,EACtC,QAAQ,EAAE,MAAM,GACf;IAAE,KAAK,EAAE,WAAW,CAAC;IAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,CA8FvD"}
+{"version":3,"file":"describe.d.ts","sourceRoot":"","sources":["../../src/dispatch/describe.ts"],"names":[],"mappings":"AAGA,OAAO,EAKL,WAAW,EACX,MAAM,EAIP,MAAM,0BAA0B,CAAC;AASlC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD;;GAEG;AACH,eAAO,MAAM,eAAe,aAa1B,CAAC;AAEH;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,EACtC,QAAQ,EAAE,MAAM,GACf;IAAE,KAAK,EAAE,WAAW,CAAC;IAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,CAgHvD"}

package/dist/dispatch/stream.d.ts

@@ -1,3 +1,4 @@
+import { type ExternalLocationConfig } from "../external.js";
 import type { MethodDefinition } from "../types.js";
 import type { IpcStreamReader } from "../wire/reader.js";
 import type { IpcStreamWriter } from "../wire/writer.js";
@@ -16,5 +17,5 @@ import type { IpcStreamWriter } from "../wire/writer.js";
  * - Server writes output batch(es) for each input
  * - Stream ends when client closes input (EOS)
  */
-export declare function dispatchStream(method: MethodDefinition, params: Record<string, any>, writer: IpcStreamWriter, reader: IpcStreamReader, serverId: string, requestId: string | null): Promise<void>;
+export declare function dispatchStream(method: MethodDefinition, params: Record<string, any>, writer: IpcStreamWriter, reader: IpcStreamReader, serverId: string, requestId: string | null, externalConfig?: ExternalLocationConfig): Promise<void>;
 //# sourceMappingURL=stream.d.ts.map

package/dist/dispatch/stream.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"stream.d.ts","sourceRoot":"","sources":["../../src/dispatch/stream.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAIzD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,eAAe,EACvB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAAG,IAAI,GACvB,OAAO,CAAC,IAAI,CAAC,CAkHf"}
+{"version":3,"file":"stream.d.ts","sourceRoot":"","sources":["../../src/dispatch/stream.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,KAAK,sBAAsB,EAAyB,MAAM,gBAAgB,CAAC;AACpF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAIzD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,eAAe,EACvB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,cAAc,CAAC,EAAE,sBAAsB,GACtC,OAAO,CAAC,IAAI,CAAC,CA8Hf"}

package/dist/dispatch/unary.d.ts

@@ -1,3 +1,4 @@
+import { type ExternalLocationConfig } from "../external.js";
 import type { MethodDefinition } from "../types.js";
 import type { IpcStreamWriter } from "../wire/writer.js";
 /**
@@ -5,5 +6,5 @@ import type { IpcStreamWriter } from "../wire/writer.js";
  * Calls the handler with parsed params, writes result or error batch.
  * Supports client-directed logging via ctx.clientLog().
  */
-export declare function dispatchUnary(method: MethodDefinition, params: Record<string, any>, writer: IpcStreamWriter, serverId: string, requestId: string | null): Promise<void>;
+export declare function dispatchUnary(method: MethodDefinition, params: Record<string, any>, writer: IpcStreamWriter, serverId: string, requestId: string | null, externalConfig?: ExternalLocationConfig): Promise<void>;
 //# sourceMappingURL=unary.d.ts.map

package/dist/dispatch/unary.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"unary.d.ts","sourceRoot":"","sources":["../../src/dispatch/unary.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD;;;;GAIG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,MAAM,EAAE,eAAe,EACvB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAAG,IAAI,GACvB,OAAO,CAAC,IAAI,CAAC,CAcf"}
+{"version":3,"file":"unary.d.ts","sourceRoot":"","sources":["../../src/dispatch/unary.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,KAAK,sBAAsB,EAAyB,MAAM,gBAAgB,CAAC;AACpF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD;;;;GAIG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,MAAM,EAAE,eAAe,EACvB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,cAAc,CAAC,EAAE,sBAAsB,GACtC,OAAO,CAAC,IAAI,CAAC,CAiBf"}

package/dist/external.d.ts

@@ -0,0 +1,45 @@
+/**
+ * External storage support for large Arrow IPC batches.
+ *
+ * When a batch exceeds a configurable threshold, it is serialized to IPC,
+ * optionally compressed with zstd, and uploaded to pluggable storage.
+ * The batch is replaced with a zero-row "pointer batch" containing the
+ * download URL and SHA-256 checksum in metadata.
+ */
+import { type RecordBatch, type Schema } from "@query-farm/apache-arrow";
+/** Pluggable storage backend for uploading large batches. */
+export interface ExternalStorage {
+    /** Upload IPC data and return a URL for retrieval. */
+    upload(data: Uint8Array, contentEncoding: string): Promise<string>;
+}
+/** Configuration for external storage of large batches. */
+export interface ExternalLocationConfig {
+    /** Storage backend for uploading. */
+    storage: ExternalStorage;
+    /** Minimum batch byte size to trigger externalization. Default: 1MB. */
+    externalizeThresholdBytes?: number;
+    /** Optional zstd compression for uploaded data. */
+    compression?: {
+        algorithm: "zstd";
+        level?: number;
+    };
+    /** URL validator called before fetching. Throw to reject. Default: HTTPS-only. */
+    urlValidator?: ((url: string) => void) | null;
+}
+/** Default validator that rejects non-HTTPS URLs. */
+export declare function httpsOnlyValidator(url: string): void;
+/** Returns true if the batch is a zero-row pointer to external data. */
+export declare function isExternalLocationBatch(batch: RecordBatch): boolean;
+/** Create a zero-row pointer batch with location URL and optional SHA-256. */
+export declare function makeExternalLocationBatch(schema: Schema, url: string, sha256?: string): RecordBatch;
+/**
+ * Maybe externalize a batch if it exceeds the threshold.
+ * Returns the original batch unchanged if below threshold or no config.
+ */
+export declare function maybeExternalizeBatch(batch: RecordBatch, config?: ExternalLocationConfig | null): Promise<RecordBatch>;
+/**
+ * Resolve an external pointer batch by fetching the data from the URL.
+ * Returns the original batch unchanged if not a pointer or no config.
+ */
+export declare function resolveExternalLocation(batch: RecordBatch, config?: ExternalLocationConfig | null): Promise<RecordBatch>;
+//# sourceMappingURL=external.d.ts.map

package/dist/external.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"external.d.ts","sourceRoot":"","sources":["../src/external.ts"],"names":[],"mappings":"AAGA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,WAAW,EAA8C,KAAK,MAAM,EAAE,MAAM,0BAA0B,CAAC;AASrH,6DAA6D;AAC7D,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACpE;AAED,2DAA2D;AAC3D,MAAM,WAAW,sBAAsB;IACrC,qCAAqC;IACrC,OAAO,EAAE,eAAe,CAAC;IACzB,wEAAwE;IACxE,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,mDAAmD;IACnD,WAAW,CAAC,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACpD,kFAAkF;IAClF,YAAY,CAAC,EAAE,CAAC,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;CAC/C;AAQD,qDAAqD;AACrD,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAKpD;AAoBD,wEAAwE;AACxE,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAKnE;AAMD,8EAA8E;AAC9E,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,WAAW,CAOnG;AA4BD;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,WAAW,EAClB,MAAM,CAAC,EAAE,sBAAsB,GAAG,IAAI,GACrC,OAAO,CAAC,WAAW,CAAC,CAyBtB;AAMD;;;GAGG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,WAAW,EAClB,MAAM,CAAC,EAAE,sBAAsB,GAAG,IAAI,GACrC,OAAO,CAAC,WAAW,CAAC,CA4CtB"}

package/dist/gcs.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Google Cloud Storage backend for external storage of large Arrow IPC batches.
+ *
+ * Requires `@google-cloud/storage` as a peer dependency.
+ *
+ * @example
+ * ```typescript
+ * import { createGCSStorage } from "@query-farm/vgi-rpc/gcs";
+ *
+ * const storage = createGCSStorage({
+ *   bucket: "my-bucket",
+ *   prefix: "vgi-rpc/",
+ * });
+ * const handler = createHttpHandler(protocol, {
+ *   externalLocation: { storage, externalizeThresholdBytes: 1_048_576 },
+ * });
+ * ```
+ */
+import type { ExternalStorage } from "./external.js";
+/** Configuration for the GCS storage backend. */
+export interface GCSStorageConfig {
+    /** GCS bucket name. */
+    bucket: string;
+    /** Key prefix for uploaded objects. Default: "vgi-rpc/". */
+    prefix?: string;
+    /** Lifetime of signed GET URLs in seconds. Default: 3600 (1 hour). */
+    presignExpirySeconds?: number;
+    /** GCS project ID. If omitted, uses Application Default Credentials. */
+    projectId?: string;
+}
+/**
+ * Create a GCS-backed ExternalStorage.
+ *
+ * Lazily imports `@google-cloud/storage` on first upload to avoid
+ * loading the SDK unless needed.
+ */
+export declare function createGCSStorage(config: GCSStorageConfig): ExternalStorage;
+//# sourceMappingURL=gcs.d.ts.map

package/dist/gcs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcs.d.ts","sourceRoot":"","sources":["../src/gcs.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAErD,iDAAiD;AACjD,MAAM,WAAW,gBAAgB;IAC/B,uBAAuB;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,4DAA4D;IAC5D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,sEAAsE;IACtE,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,wEAAwE;IACxE,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB,GAAG,eAAe,CA2C1E"}

package/dist/http/auth.d.ts

@@ -0,0 +1,32 @@
+import type { AuthContext } from "../auth.js";
+/** Async function that authenticates an incoming HTTP request. */
+export type AuthenticateFn = (request: Request) => AuthContext | Promise<AuthContext>;
+/** RFC 9728 OAuth Protected Resource Metadata. */
+export interface OAuthResourceMetadata {
+    resource: string;
+    authorizationServers: string[];
+    scopesSupported?: string[];
+    bearerMethodsSupported?: string[];
+    resourceSigningAlgValuesSupported?: string[];
+    resourceName?: string;
+    resourceDocumentation?: string;
+    resourcePolicyUri?: string;
+    resourceTosUri?: string;
+    /** OAuth client_id that clients should use with the authorization server. */
+    clientId?: string;
+    /** OAuth client_secret that clients should use with the authorization server. */
+    clientSecret?: string;
+    /** OAuth client_id for device code flow. */
+    deviceCodeClientId?: string;
+    /** OAuth client_secret for device code flow. */
+    deviceCodeClientSecret?: string;
+    /** When true, clients should use the OIDC id_token as the Bearer token instead of access_token. */
+    useIdTokenAsBearer?: boolean;
+}
+/** Convert OAuthResourceMetadata to RFC 9728 snake_case JSON object. */
+export declare function oauthResourceMetadataToJson(metadata: OAuthResourceMetadata): Record<string, any>;
+/** Compute the well-known path for OAuth Protected Resource Metadata. */
+export declare function wellKnownPath(prefix: string): string;
+/** Build a WWW-Authenticate header value with optional resource_metadata URL, client_id, client_secret, device_code_client_id, device_code_client_secret, and use_id_token_as_bearer. */
+export declare function buildWwwAuthenticateHeader(metadataUrl?: string, clientId?: string, clientSecret?: string, useIdTokenAsBearer?: boolean, deviceCodeClientId?: string, deviceCodeClientSecret?: string): string;
+//# sourceMappingURL=auth.d.ts.map

package/dist/http/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/http/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,kEAAkE;AAClE,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;AAEtF,kDAAkD;AAClD,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,iCAAiC,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iFAAiF;IACjF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4CAA4C;IAC5C,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gDAAgD;IAChD,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mGAAmG;IACnG,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,wEAAwE;AACxE,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,qBAAqB,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAyChG;AAED,yEAAyE;AACzE,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEpD;AAED,yLAAyL;AACzL,wBAAgB,0BAA0B,CACxC,WAAW,CAAC,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,MAAM,EACjB,YAAY,CAAC,EAAE,MAAM,EACrB,kBAAkB,CAAC,EAAE,OAAO,EAC5B,kBAAkB,CAAC,EAAE,MAAM,EAC3B,sBAAsB,CAAC,EAAE,MAAM,GAC9B,MAAM,CAqBR"}

package/dist/http/bearer.d.ts

@@ -0,0 +1,34 @@
+import type { AuthContext } from "../auth.js";
+import type { AuthenticateFn } from "./auth.js";
+/** Receives the raw bearer token string, returns an AuthContext on success. Must throw on failure. */
+export type BearerValidateFn = (token: string) => AuthContext | Promise<AuthContext>;
+/**
+ * Create a bearer-token authenticate callback.
+ *
+ * Extracts the `Authorization: Bearer <token>` header and delegates
+ * validation to the user-supplied `validate` callback.
+ */
+export declare function bearerAuthenticate(options: {
+    validate: BearerValidateFn;
+}): AuthenticateFn;
+/**
+ * Create a bearer-token authenticate callback from a static token map.
+ *
+ * Convenience wrapper around `bearerAuthenticate` that looks up the
+ * token in a pre-built mapping using constant-time comparison.
+ */
+export declare function bearerAuthenticateStatic(options: {
+    tokens: ReadonlyMap<string, AuthContext> | Record<string, AuthContext>;
+}): AuthenticateFn;
+/**
+ * Chain multiple authenticate callbacks, trying each in order.
+ *
+ * Each authenticator is called in sequence. Plain `Error` (credential
+ * rejection) causes the next authenticator to be tried. Error subclasses
+ * (`TypeError`, `RangeError`, etc.), `PermissionError`-named errors, and
+ * non-Error throws propagate immediately.
+ *
+ * @throws Error if no authenticators are provided.
+ */
+export declare function chainAuthenticate(...authenticators: AuthenticateFn[]): AuthenticateFn;
+//# sourceMappingURL=bearer.d.ts.map

package/dist/http/bearer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bearer.d.ts","sourceRoot":"","sources":["../../src/http/bearer.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEhD,sGAAsG;AACtG,MAAM,MAAM,gBAAgB,GAAG,CAAC,KAAK,EAAE,MAAM,KAAK,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;AAErF;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE;IAAE,QAAQ,EAAE,gBAAgB,CAAA;CAAE,GAAG,cAAc,CAW1F;AAWD;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE;IAChD,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;CACxE,GAAG,cAAc,CAYjB;AAgBD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,cAAc,EAAE,cAAc,EAAE,GAAG,cAAc,CAsBrF"}

package/dist/http/dispatch.d.ts

@@ -1,3 +1,5 @@
+import type { AuthContext } from "../auth.js";
+import { type ExternalLocationConfig } from "../external.js";
 import type { MethodDefinition } from "../types.js";
 import type { StateSerializer } from "./types.js";
 export interface DispatchContext {
@@ -6,6 +8,8 @@ export interface DispatchContext {
     serverId: string;
     maxStreamResponseBytes?: number;
     stateSerializer: StateSerializer;
+    authContext?: AuthContext;
+    externalLocation?: ExternalLocationConfig;
 }
 /** Dispatch a __describe__ request. */
 export declare function httpDispatchDescribe(protocolName: string, methods: Map<string, MethodDefinition>, serverId: string): Response;

package/dist/http/dispatch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dispatch.d.ts","sourceRoot":"","sources":["../../src/http/dispatch.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAQpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAUlD,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,UAAU,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,EAAE,eAAe,CAAC;CAClC;AAED,uCAAuC;AACvC,wBAAgB,oBAAoB,CAClC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,EACtC,QAAQ,EAAE,MAAM,GACf,QAAQ,CAIV;AAED,qCAAqC;AACrC,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CAoBnB;AAED,kEAAkE;AAClE,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CAuEnB;AAED,yFAAyF;AACzF,wBAAsB,0BAA0B,CAC9C,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CAmHnB"}
+{"version":3,"file":"dispatch.d.ts","sourceRoot":"","sources":["../../src/http/dispatch.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAG9C,OAAO,EAAE,KAAK,sBAAsB,EAAyB,MAAM,gBAAgB,CAAC;AACpF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAQpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAUlD,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,UAAU,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,EAAE,eAAe,CAAC;IACjC,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AAED,uCAAuC;AACvC,wBAAgB,oBAAoB,CAClC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,EACtC,QAAQ,EAAE,MAAM,GACf,QAAQ,CAIV;AAED,qCAAqC;AACrC,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CA0BnB;AAED,kEAAkE;AAClE,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CA2EnB;AAED,yFAAyF;AACzF,wBAAsB,0BAA0B,CAC9C,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CAqHnB"}

package/dist/http/handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../src/http/handler.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAW/C,OAAO,EAAE,KAAK,kBAAkB,EAAuB,MAAM,YAAY,CAAC;AAI1E;;;;;;;;;;;GAWG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CA+KpD"}
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../src/http/handler.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAa/C,OAAO,EAAE,KAAK,kBAAkB,EAAuB,MAAM,YAAY,CAAC;AAI1E;;;;;;;;;;;GAWG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAiSpD"}

package/dist/http/index.d.ts

@@ -1,5 +1,13 @@
+export type { AuthenticateFn, OAuthResourceMetadata } from "./auth.js";
+export { oauthResourceMetadataToJson } from "./auth.js";
+export type { BearerValidateFn } from "./bearer.js";
+export { bearerAuthenticate, bearerAuthenticateStatic, chainAuthenticate } from "./bearer.js";
 export { ARROW_CONTENT_TYPE } from "./common.js";
 export { createHttpHandler } from "./handler.js";
+export type { JwtAuthenticateOptions } from "./jwt.js";
+export { jwtAuthenticate } from "./jwt.js";
+export type { CertValidateFn, XfccElement, XfccValidateFn } from "./mtls.js";
+export { mtlsAuthenticate, mtlsAuthenticateFingerprint, mtlsAuthenticateSubject, mtlsAuthenticateXfcc, parseXfcc, } from "./mtls.js";
 export { type UnpackedToken, unpackStateToken } from "./token.js";
 export type { HttpHandlerOptions, StateSerializer } from "./types.js";
 export { jsonStateSerializer } from "./types.js";

package/dist/http/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/http/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EAAE,KAAK,aAAa,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAClE,YAAY,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/http/index.ts"],"names":[],"mappings":"AAGA,YAAY,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AACvE,OAAO,EAAE,2BAA2B,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,wBAAwB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAC9F,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,YAAY,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC7E,OAAO,EACL,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,oBAAoB,EACpB,SAAS,GACV,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,KAAK,aAAa,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAClE,YAAY,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC"}

package/dist/http/jwt.d.ts

@@ -0,0 +1,21 @@
+import type { AuthenticateFn } from "./auth.js";
+export interface JwtAuthenticateOptions {
+    /** The expected `iss` claim (also used to discover AS metadata). */
+    issuer: string;
+    /** The expected `aud` claim. If an array, tries each audience in order. */
+    audience: string | string[];
+    /** Explicit JWKS URI. If omitted, discovered from issuer metadata. */
+    jwksUri?: string;
+    /** JWT claim to use as the principal. Default: "sub". */
+    principalClaim?: string;
+    /** AuthContext domain. Default: "jwt". */
+    domain?: string;
+}
+/**
+ * Create an AuthenticateFn that validates JWT Bearer tokens using oauth4webapi.
+ *
+ * On first call, discovers the Authorization Server metadata from the issuer
+ * to obtain the JWKS URI (unless `jwksUri` is provided directly).
+ */
+export declare function jwtAuthenticate(options: JwtAuthenticateOptions): AuthenticateFn;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/http/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/http/jwt.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEhD,MAAM,WAAW,sBAAsB;IACrC,oEAAoE;IACpE,MAAM,EAAE,MAAM,CAAC;IACf,2EAA2E;IAC3E,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC5B,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,sBAAsB,GAAG,cAAc,CAqD/E"}