@query-farm/vgi-rpc 0.4.0 → 0.6.1

package/README.md

@@ -15,6 +15,7 @@ Define RPC methods with Arrow-typed schemas, serve them over stdin/stdout, and i
 - **Type-safe streaming state** — generic `<S>` parameter threads state types through init and produce/exchange functions
 - **Runtime introspection** — opt-in `__describe__` method for dynamic service discovery via the CLI
 - **Result validation** — missing required fields in handler results throw descriptive errors at emit time
+- **Authentication** — bearer tokens, JWT, mTLS (PEM-in-header and XFCC), with chainable authenticators
 - **Three client transports** — HTTP, subprocess, and raw pipe, all sharing a unified `RpcClient` interface
 
 ## Installation
@@ -297,6 +298,52 @@ handler: async ({ a, b }) => {
 
 Errors are transmitted as zero-row Arrow batches with `EXCEPTION`-level metadata. The transport remains clean for subsequent requests.
 
+## Authentication
+
+The HTTP handler supports pluggable authentication. Built-in factories cover common strategies:
+
+```typescript
+import {
+  createHttpHandler,
+  chainAuthenticate,
+  mtlsAuthenticateSubject,
+  bearerAuthenticateStatic,
+  jwtAuthenticate,
+  AuthContext,
+} from "@query-farm/vgi-rpc";
+
+// mTLS via proxy-forwarded client certificate
+const mtlsAuth = mtlsAuthenticateSubject({
+  allowedSubjects: new Set(["my-service"]),
+});
+
+// Static API key map
+const apiKeyAuth = bearerAuthenticateStatic({
+  tokens: { "sk-abc123": new AuthContext("apikey", true, "ci-bot") },
+});
+
+// Chain: try mTLS first, fall back to API key
+const auth = chainAuthenticate(mtlsAuth, apiKeyAuth);
+
+const handler = createHttpHandler(protocol, {
+  signingKey: myKey,
+  authenticate: auth,
+});
+```
+
+Available factories:
+
+| Factory | Description |
+|---------|-------------|
+| `bearerAuthenticate` | Custom bearer token validation |
+| `bearerAuthenticateStatic` | Static token map with constant-time comparison |
+| `jwtAuthenticate` | JWT validation via OIDC discovery |
+| `mtlsAuthenticate` | Custom X.509 certificate validation |
+| `mtlsAuthenticateFingerprint` | Certificate fingerprint lookup |
+| `mtlsAuthenticateSubject` | Subject CN extraction with optional allowlist |
+| `mtlsAuthenticateXfcc` | Envoy `x-forwarded-client-cert` header |
+| `chainAuthenticate` | Try multiple strategies in order |
+
 ## Testing with the Python CLI
 
 The [vgi-rpc CLI](https://github.com/Query-farm/vgi-rpc-python) can introspect and call methods on any TypeScript server:

package/dist/client/connect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"connect.d.ts","sourceRoot":"","sources":["../../src/client/connect.ts"],"names":[],"mappings":"AAOA,OAAO,EAAmC,KAAK,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAS3F,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKpE,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;IACxF,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC7E,QAAQ,IAAI,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACxC,KAAK,IAAI,IAAI,CAAC;CACf;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,kBAAkB,GAAG,SAAS,CA+RpF"}
+{"version":3,"file":"connect.d.ts","sourceRoot":"","sources":["../../src/client/connect.ts"],"names":[],"mappings":"AAQA,OAAO,EAAmC,KAAK,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAS3F,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKpE,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;IACxF,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC7E,QAAQ,IAAI,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACxC,KAAK,IAAI,IAAI,CAAC;CACf;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,kBAAkB,GAAG,SAAS,CAsSpF"}

package/dist/client/index.d.ts

@@ -1,7 +1,7 @@
 export { httpConnect, type RpcClient } from "./connect.js";
 export { httpIntrospect, type MethodInfo, parseDescribeResponse, type ServiceDescription } from "./introspect.js";
 export type { OAuthResourceMetadataResponse } from "./oauth.js";
-export { fetchOAuthMetadata, httpOAuthMetadata, parseResourceMetadataUrl } from "./oauth.js";
+export { fetchOAuthMetadata, httpOAuthMetadata, parseClientId, parseClientSecret, parseDeviceCodeClientId, parseDeviceCodeClientSecret, parseResourceMetadataUrl, parseUseIdTokenAsBearer, } from "./oauth.js";
 export { PipeStreamSession, pipeConnect, subprocessConnect } from "./pipe.js";
 export { HttpStreamSession } from "./stream.js";
 export type { HttpConnectOptions, LogMessage, PipeConnectOptions, StreamSession, SubprocessConnectOptions, } from "./types.js";

package/dist/client/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,KAAK,SAAS,EAAE,MAAM,cAAc,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,KAAK,UAAU,EAAE,qBAAqB,EAAE,KAAK,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAClH,YAAY,EAAE,6BAA6B,EAAE,MAAM,YAAY,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAC7F,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9E,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,YAAY,EACV,kBAAkB,EAClB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,wBAAwB,GACzB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,KAAK,SAAS,EAAE,MAAM,cAAc,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,KAAK,UAAU,EAAE,qBAAqB,EAAE,KAAK,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAClH,YAAY,EAAE,6BAA6B,EAAE,MAAM,YAAY,CAAC;AAChE,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,aAAa,EACb,iBAAiB,EACjB,uBAAuB,EACvB,2BAA2B,EAC3B,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9E,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,YAAY,EACV,kBAAkB,EAClB,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,wBAAwB,GACzB,MAAM,YAAY,CAAC"}

package/dist/client/oauth.d.ts

@@ -4,10 +4,21 @@ export interface OAuthResourceMetadataResponse {
     authorizationServers: string[];
     scopesSupported?: string[];
     bearerMethodsSupported?: string[];
+    resourceSigningAlgValuesSupported?: string[];
     resourceName?: string;
     resourceDocumentation?: string;
     resourcePolicyUri?: string;
     resourceTosUri?: string;
+    /** OAuth client_id advertised by the server. */
+    clientId?: string;
+    /** OAuth client_secret advertised by the server. */
+    clientSecret?: string;
+    /** When true, use the OIDC id_token as the Bearer token instead of access_token. */
+    useIdTokenAsBearer?: boolean;
+    /** OAuth client_id for device code flow. */
+    deviceCodeClientId?: string;
+    /** OAuth client_secret for device code flow. */
+    deviceCodeClientSecret?: string;
 }
 /**
  * Discover OAuth Protected Resource Metadata (RFC 9728) from a vgi-rpc server.
@@ -23,4 +34,29 @@ export declare function fetchOAuthMetadata(metadataUrl: string): Promise<OAuthRe
  * Returns `null` if no resource_metadata parameter is found.
  */
 export declare function parseResourceMetadataUrl(wwwAuthenticate: string): string | null;
+/**
+ * Extract the `client_id` from a WWW-Authenticate Bearer challenge.
+ * Returns `null` if no client_id parameter is found.
+ */
+export declare function parseClientId(wwwAuthenticate: string): string | null;
+/**
+ * Extract the `client_secret` from a WWW-Authenticate Bearer challenge.
+ * Returns `null` if no client_secret parameter is found.
+ */
+export declare function parseClientSecret(wwwAuthenticate: string): string | null;
+/**
+ * Extract the `use_id_token_as_bearer` flag from a WWW-Authenticate Bearer challenge.
+ * Returns `true` if the parameter is present and set to "true", `false` otherwise.
+ */
+export declare function parseUseIdTokenAsBearer(wwwAuthenticate: string): boolean;
+/**
+ * Extract the `device_code_client_id` from a WWW-Authenticate Bearer challenge.
+ * Returns `null` if no device_code_client_id parameter is found.
+ */
+export declare function parseDeviceCodeClientId(wwwAuthenticate: string): string | null;
+/**
+ * Extract the `device_code_client_secret` from a WWW-Authenticate Bearer challenge.
+ * Returns `null` if no device_code_client_secret parameter is found.
+ */
+export declare function parseDeviceCodeClientSecret(wwwAuthenticate: string): string | null;
 //# sourceMappingURL=oauth.d.ts.map

package/dist/client/oauth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/client/oauth.ts"],"names":[],"mappings":"AAGA,yEAAyE;AACzE,MAAM,WAAW,6BAA6B;IAC5C,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAgBD;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,6BAA6B,GAAG,IAAI,CAAC,CAS/C;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,6BAA6B,CAAC,CAOpG;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAU/E"}
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/client/oauth.ts"],"names":[],"mappings":"AAGA,yEAAyE;AACzE,MAAM,WAAW,6BAA6B;IAC5C,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,iCAAiC,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oDAAoD;IACpD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oFAAoF;IACpF,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,4CAA4C;IAC5C,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gDAAgD;IAChD,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAuBD;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,6BAA6B,GAAG,IAAI,CAAC,CAS/C;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,6BAA6B,CAAC,CAOpG;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAU/E;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CASpE;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CASxE;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CASxE;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAS9E;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CASlF"}

package/dist/client/pipe.d.ts

@@ -1,4 +1,5 @@
 import { Schema } from "@query-farm/apache-arrow";
+import { type ExternalLocationConfig } from "../external.js";
 import { IpcStreamReader } from "../wire/reader.js";
 import type { RpcClient } from "./connect.js";
 import type { LogMessage, PipeConnectOptions, StreamSession, SubprocessConnectOptions } from "./types.js";
@@ -20,6 +21,7 @@ export declare class PipeStreamSession implements StreamSession {
     private _outputSchema;
     private _releaseBusy;
     private _setDrainPromise;
+    private _externalConfig?;
     constructor(opts: {
         reader: IpcStreamReader;
         writeFn: WriteFn;
@@ -28,6 +30,7 @@ export declare class PipeStreamSession implements StreamSession {
         outputSchema: Schema;
         releaseBusy: () => void;
         setDrainPromise: (p: Promise<void>) => void;
+        externalConfig?: ExternalLocationConfig;
     });
     get header(): Record<string, any> | null;
     /**

package/dist/client/pipe.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pipe.d.ts","sourceRoot":"","sources":["../../src/client/pipe.ts"],"names":[],"mappings":"AAGA,OAAO,EAKL,MAAM,EAGP,MAAM,0BAA0B,CAAC;AAIlC,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAG9C,OAAO,KAAK,EAAE,UAAU,EAAE,kBAAkB,EAAE,aAAa,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAM1G,UAAU,YAAY;IACpB,KAAK,CAAC,IAAI,EAAE,UAAU,GAAG,IAAI,CAAC;IAC9B,KAAK,CAAC,IAAI,IAAI,CAAC;IACf,GAAG,IAAI,IAAI,CAAC;CACb;AAED,KAAK,OAAO,GAAG,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;AA6C3C,qBAAa,iBAAkB,YAAW,aAAa;IACrD,OAAO,CAAC,OAAO,CAAkB;IACjC,OAAO,CAAC,QAAQ,CAAU;IAC1B,OAAO,CAAC,MAAM,CAAC,CAA4B;IAC3C,OAAO,CAAC,OAAO,CAA6B;IAC5C,OAAO,CAAC,YAAY,CAAsC;IAC1D,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,mBAAmB,CAAS;IACpC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,YAAY,CAAa;IACjC,OAAO,CAAC,gBAAgB,CAA6B;gBAEzC,IAAI,EAAE;QAChB,MAAM,EAAE,eAAe,CAAC;QACxB,OAAO,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;QAClC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;QACnC,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,EAAE,MAAM,IAAI,CAAC;QACxB,eAAe,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;KAC7C;IAUD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAEvC;IAED;;;;OAIG;YACW,gBAAgB;IAiB9B;;;;;OAKG;YACW,mBAAmB;IASjC;;OAEG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;IAsG5E;;OAEG;YACW,QAAQ;IAiBtB;;OAEG;IACI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;IAqD7E,KAAK,IAAI,IAAI;CAoCd;AAMD,wBAAgB,WAAW,CACzB,QAAQ,EAAE,cAAc,CAAC,UAAU,CAAC,EACpC,QAAQ,EAAE,YAAY,EACtB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,SAAS,CA4NX;AAMD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,OAAO,CAAC,EAAE,wBAAwB,GAAG,SAAS,CAuC9F"}
+{"version":3,"file":"pipe.d.ts","sourceRoot":"","sources":["../../src/client/pipe.ts"],"names":[],"mappings":"AAGA,OAAO,EAKL,MAAM,EAGP,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,KAAK,sBAAsB,EAAoD,MAAM,gBAAgB,CAAC;AAE/G,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAG9C,OAAO,KAAK,EAAE,UAAU,EAAE,kBAAkB,EAAE,aAAa,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAM1G,UAAU,YAAY;IACpB,KAAK,CAAC,IAAI,EAAE,UAAU,GAAG,IAAI,CAAC;IAC9B,KAAK,CAAC,IAAI,IAAI,CAAC;IACf,GAAG,IAAI,IAAI,CAAC;CACb;AAED,KAAK,OAAO,GAAG,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;AA6C3C,qBAAa,iBAAkB,YAAW,aAAa;IACrD,OAAO,CAAC,OAAO,CAAkB;IACjC,OAAO,CAAC,QAAQ,CAAU;IAC1B,OAAO,CAAC,MAAM,CAAC,CAA4B;IAC3C,OAAO,CAAC,OAAO,CAA6B;IAC5C,OAAO,CAAC,YAAY,CAAsC;IAC1D,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,mBAAmB,CAAS;IACpC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,YAAY,CAAa;IACjC,OAAO,CAAC,gBAAgB,CAA6B;IACrD,OAAO,CAAC,eAAe,CAAC,CAAyB;gBAErC,IAAI,EAAE;QAChB,MAAM,EAAE,eAAe,CAAC;QACxB,OAAO,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;QAClC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;QACnC,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,EAAE,MAAM,IAAI,CAAC;QACxB,eAAe,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;QAC5C,cAAc,CAAC,EAAE,sBAAsB,CAAC;KACzC;IAWD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAEvC;IAED;;;;OAIG;YACW,gBAAgB;IAqB9B;;;;;OAKG;YACW,mBAAmB;IASjC;;OAEG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;IAsG5E;;OAEG;YACW,QAAQ;IAiBtB;;OAEG;IACI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;IAqD7E,KAAK,IAAI,IAAI;CAoCd;AAMD,wBAAgB,WAAW,CACzB,QAAQ,EAAE,cAAc,CAAC,UAAU,CAAC,EACpC,QAAQ,EAAE,YAAY,EACtB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,SAAS,CAkOX;AAMD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,OAAO,CAAC,EAAE,wBAAwB,GAAG,SAAS,CAwC9F"}

package/dist/client/stream.d.ts

@@ -1,4 +1,5 @@
 import { RecordBatch, Schema } from "@query-farm/apache-arrow";
+import { type ExternalLocationConfig } from "../external.js";
 import type { LogMessage, StreamSession } from "./types.js";
 type CompressFn = (data: Uint8Array, level: number) => Uint8Array;
 type DecompressFn = (data: Uint8Array) => Uint8Array;
@@ -17,6 +18,7 @@ export declare class HttpStreamSession implements StreamSession {
     private _compressFn?;
     private _decompressFn?;
     private _authorization?;
+    private _externalConfig?;
     constructor(opts: {
         baseUrl: string;
         prefix: string;
@@ -32,6 +34,7 @@ export declare class HttpStreamSession implements StreamSession {
         compressFn?: CompressFn;
         decompressFn?: DecompressFn;
         authorization?: string;
+        externalConfig?: ExternalLocationConfig;
     });
     get header(): Record<string, any> | null;
     private _buildHeaders;

package/dist/client/stream.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"stream.d.ts","sourceRoot":"","sources":["../../src/client/stream.ts"],"names":[],"mappings":"AAGA,OAAO,EAAmB,WAAW,EAAE,MAAM,EAA2B,MAAM,0BAA0B,CAAC;AAKzG,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE5D,KAAK,UAAU,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,KAAK,UAAU,CAAC;AAClE,KAAK,YAAY,GAAG,CAAC,IAAI,EAAE,UAAU,KAAK,UAAU,CAAC;AAErD,qBAAa,iBAAkB,YAAW,aAAa;IACrD,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,WAAW,CAAgB;IACnC,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,YAAY,CAAC,CAAS;IAC9B,OAAO,CAAC,MAAM,CAAC,CAA4B;IAC3C,OAAO,CAAC,eAAe,CAAgB;IACvC,OAAO,CAAC,SAAS,CAAU;IAC3B,OAAO,CAAC,OAAO,CAA6B;IAC5C,OAAO,CAAC,iBAAiB,CAAC,CAAS;IACnC,OAAO,CAAC,WAAW,CAAC,CAAa;IACjC,OAAO,CAAC,aAAa,CAAC,CAAe;IACrC,OAAO,CAAC,cAAc,CAAC,CAAS;gBAEpB,IAAI,EAAE;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;QAClC,cAAc,EAAE,WAAW,EAAE,CAAC;QAC9B,QAAQ,EAAE,OAAO,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;QACnC,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,UAAU,CAAC,EAAE,UAAU,CAAC;QACxB,YAAY,CAAC,EAAE,YAAY,CAAC;QAC5B,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB;IAiBD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAEvC;IAED,OAAO,CAAC,aAAa;IAcrB,OAAO,CAAC,YAAY;YAON,aAAa;IAQ3B;;OAEG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YA0D9D,WAAW;IAuCzB,OAAO,CAAC,gBAAgB;IAcxB;;OAEG;IACI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YAyC/D,iBAAiB;IA2B/B,KAAK,IAAI,IAAI;CAGd"}
+{"version":3,"file":"stream.d.ts","sourceRoot":"","sources":["../../src/client/stream.ts"],"names":[],"mappings":"AAGA,OAAO,EAAmB,WAAW,EAAE,MAAM,EAA2B,MAAM,0BAA0B,CAAC;AAGzG,OAAO,EAAE,KAAK,sBAAsB,EAAoD,MAAM,gBAAgB,CAAC;AAG/G,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE5D,KAAK,UAAU,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,KAAK,UAAU,CAAC;AAClE,KAAK,YAAY,GAAG,CAAC,IAAI,EAAE,UAAU,KAAK,UAAU,CAAC;AAErD,qBAAa,iBAAkB,YAAW,aAAa;IACrD,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,WAAW,CAAgB;IACnC,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,YAAY,CAAC,CAAS;IAC9B,OAAO,CAAC,MAAM,CAAC,CAA4B;IAC3C,OAAO,CAAC,eAAe,CAAgB;IACvC,OAAO,CAAC,SAAS,CAAU;IAC3B,OAAO,CAAC,OAAO,CAA6B;IAC5C,OAAO,CAAC,iBAAiB,CAAC,CAAS;IACnC,OAAO,CAAC,WAAW,CAAC,CAAa;IACjC,OAAO,CAAC,aAAa,CAAC,CAAe;IACrC,OAAO,CAAC,cAAc,CAAC,CAAS;IAChC,OAAO,CAAC,eAAe,CAAC,CAAyB;gBAErC,IAAI,EAAE;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;QAClC,cAAc,EAAE,WAAW,EAAE,CAAC;QAC9B,QAAQ,EAAE,OAAO,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;QACnC,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,UAAU,CAAC,EAAE,UAAU,CAAC;QACxB,YAAY,CAAC,EAAE,YAAY,CAAC;QAC5B,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,cAAc,CAAC,EAAE,sBAAsB,CAAC;KACzC;IAkBD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAEvC;IAED,OAAO,CAAC,aAAa;IAcrB,OAAO,CAAC,YAAY;YAON,aAAa;IAQ3B;;OAEG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YA0D9D,WAAW;IAuCzB,OAAO,CAAC,gBAAgB;IAcxB;;OAEG;IACI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YAkD/D,iBAAiB;IA2B/B,KAAK,IAAI,IAAI;CAGd"}

package/dist/client/types.d.ts

@@ -4,6 +4,8 @@ export interface HttpConnectOptions {
     compressionLevel?: number;
     /** Authorization header value (e.g. "Bearer <token>"). Sent with every request. */
     authorization?: string;
+    /** External storage config for resolving externalized batches. */
+    externalLocation?: import("../external.js").ExternalLocationConfig;
 }
 export interface LogMessage {
     level: string;
@@ -18,6 +20,8 @@ export interface StreamSession {
 }
 export interface PipeConnectOptions {
     onLog?: (msg: LogMessage) => void;
+    /** External storage config for resolving externalized batches. */
+    externalLocation?: import("../external.js").ExternalLocationConfig;
 }
 export interface SubprocessConnectOptions extends PipeConnectOptions {
     cwd?: string;

package/dist/client/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/client/types.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;IAClC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mFAAmF;IACnF,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;IAC5C,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACvE,KAAK,IAAI,IAAI,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;CACnC;AAED,MAAM,WAAW,wBAAyB,SAAQ,kBAAkB;IAClE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,QAAQ,CAAC;CACxC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/client/types.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;IAClC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mFAAmF;IACnF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,kEAAkE;IAClE,gBAAgB,CAAC,EAAE,OAAO,gBAAgB,EAAE,sBAAsB,CAAC;CACpE;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;IAC5C,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACvE,KAAK,IAAI,IAAI,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,IAAI,CAAC;IAClC,kEAAkE;IAClE,gBAAgB,CAAC,EAAE,OAAO,gBAAgB,EAAE,sBAAsB,CAAC;CACpE;AAED,MAAM,WAAW,wBAAyB,SAAQ,kBAAkB;IAClE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,QAAQ,CAAC;CACxC"}

package/dist/constants.d.ts

@@ -9,7 +9,9 @@ export declare const SERVER_ID_KEY = "vgi_rpc.server_id";
 export declare const REQUEST_ID_KEY = "vgi_rpc.request_id";
 export declare const PROTOCOL_NAME_KEY = "vgi_rpc.protocol_name";
 export declare const DESCRIBE_VERSION_KEY = "vgi_rpc.describe_version";
-export declare const DESCRIBE_VERSION = "2";
+export declare const DESCRIBE_VERSION = "3";
 export declare const DESCRIBE_METHOD_NAME = "__describe__";
 export declare const STATE_KEY = "vgi_rpc.stream_state#b64";
+export declare const LOCATION_KEY = "vgi_rpc.location";
+export declare const LOCATION_SHA256_KEY = "vgi_rpc.location.sha256";
 //# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAGA,6DAA6D;AAE7D,eAAO,MAAM,cAAc,mBAAmB,CAAC;AAC/C,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,eAAe,wBAAwB,CAAC;AACrD,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,mBAAmB,4BAA4B,CAAC;AAC7D,eAAO,MAAM,eAAe,MAAM,CAAC;AAEnC,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,cAAc,uBAAuB,CAAC;AAEnD,eAAO,MAAM,iBAAiB,0BAA0B,CAAC;AACzD,eAAO,MAAM,oBAAoB,6BAA6B,CAAC;AAC/D,eAAO,MAAM,gBAAgB,MAAM,CAAC;AAEpC,eAAO,MAAM,oBAAoB,iBAAiB,CAAC;AAEnD,eAAO,MAAM,SAAS,6BAA6B,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAGA,6DAA6D;AAE7D,eAAO,MAAM,cAAc,mBAAmB,CAAC;AAC/C,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,eAAe,wBAAwB,CAAC;AACrD,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,mBAAmB,4BAA4B,CAAC;AAC7D,eAAO,MAAM,eAAe,MAAM,CAAC;AAEnC,eAAO,MAAM,aAAa,sBAAsB,CAAC;AACjD,eAAO,MAAM,cAAc,uBAAuB,CAAC;AAEnD,eAAO,MAAM,iBAAiB,0BAA0B,CAAC;AACzD,eAAO,MAAM,oBAAoB,6BAA6B,CAAC;AAC/D,eAAO,MAAM,gBAAgB,MAAM,CAAC;AAEpC,eAAO,MAAM,oBAAoB,iBAAiB,CAAC;AAEnD,eAAO,MAAM,SAAS,6BAA6B,CAAC;AAEpD,eAAO,MAAM,YAAY,qBAAqB,CAAC;AAC/C,eAAO,MAAM,mBAAmB,4BAA4B,CAAC"}

package/dist/dispatch/describe.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"describe.d.ts","sourceRoot":"","sources":["../../src/dispatch/describe.ts"],"names":[],"mappings":"AAGA,OAAO,EAKL,WAAW,EACX,MAAM,EAIP,MAAM,0BAA0B,CAAC;AASlC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD;;GAEG;AACH,eAAO,MAAM,eAAe,aAW1B,CAAC;AAEH;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,EACtC,QAAQ,EAAE,MAAM,GACf;IAAE,KAAK,EAAE,WAAW,CAAC;IAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,CA8FvD"}
+{"version":3,"file":"describe.d.ts","sourceRoot":"","sources":["../../src/dispatch/describe.ts"],"names":[],"mappings":"AAGA,OAAO,EAKL,WAAW,EACX,MAAM,EAIP,MAAM,0BAA0B,CAAC;AASlC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD;;GAEG;AACH,eAAO,MAAM,eAAe,aAa1B,CAAC;AAEH;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,EACtC,QAAQ,EAAE,MAAM,GACf;IAAE,KAAK,EAAE,WAAW,CAAC;IAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,CAgHvD"}

package/dist/dispatch/stream.d.ts

@@ -1,3 +1,4 @@
+import { type ExternalLocationConfig } from "../external.js";
 import type { MethodDefinition } from "../types.js";
 import type { IpcStreamReader } from "../wire/reader.js";
 import type { IpcStreamWriter } from "../wire/writer.js";
@@ -16,5 +17,5 @@ import type { IpcStreamWriter } from "../wire/writer.js";
  * - Server writes output batch(es) for each input
  * - Stream ends when client closes input (EOS)
  */
-export declare function dispatchStream(method: MethodDefinition, params: Record<string, any>, writer: IpcStreamWriter, reader: IpcStreamReader, serverId: string, requestId: string | null): Promise<void>;
+export declare function dispatchStream(method: MethodDefinition, params: Record<string, any>, writer: IpcStreamWriter, reader: IpcStreamReader, serverId: string, requestId: string | null, externalConfig?: ExternalLocationConfig): Promise<void>;
 //# sourceMappingURL=stream.d.ts.map

package/dist/dispatch/stream.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"stream.d.ts","sourceRoot":"","sources":["../../src/dispatch/stream.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAIzD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,eAAe,EACvB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAAG,IAAI,GACvB,OAAO,CAAC,IAAI,CAAC,CA0Hf"}
+{"version":3,"file":"stream.d.ts","sourceRoot":"","sources":["../../src/dispatch/stream.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,KAAK,sBAAsB,EAAyB,MAAM,gBAAgB,CAAC;AACpF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAIzD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,eAAe,EACvB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,cAAc,CAAC,EAAE,sBAAsB,GACtC,OAAO,CAAC,IAAI,CAAC,CA8Hf"}

package/dist/dispatch/unary.d.ts

@@ -1,3 +1,4 @@
+import { type ExternalLocationConfig } from "../external.js";
 import type { MethodDefinition } from "../types.js";
 import type { IpcStreamWriter } from "../wire/writer.js";
 /**
@@ -5,5 +6,5 @@ import type { IpcStreamWriter } from "../wire/writer.js";
  * Calls the handler with parsed params, writes result or error batch.
  * Supports client-directed logging via ctx.clientLog().
  */
-export declare function dispatchUnary(method: MethodDefinition, params: Record<string, any>, writer: IpcStreamWriter, serverId: string, requestId: string | null): Promise<void>;
+export declare function dispatchUnary(method: MethodDefinition, params: Record<string, any>, writer: IpcStreamWriter, serverId: string, requestId: string | null, externalConfig?: ExternalLocationConfig): Promise<void>;
 //# sourceMappingURL=unary.d.ts.map

package/dist/dispatch/unary.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"unary.d.ts","sourceRoot":"","sources":["../../src/dispatch/unary.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD;;;;GAIG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,MAAM,EAAE,eAAe,EACvB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAAG,IAAI,GACvB,OAAO,CAAC,IAAI,CAAC,CAcf"}
+{"version":3,"file":"unary.d.ts","sourceRoot":"","sources":["../../src/dispatch/unary.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,KAAK,sBAAsB,EAAyB,MAAM,gBAAgB,CAAC;AACpF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD;;;;GAIG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,MAAM,EAAE,eAAe,EACvB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,cAAc,CAAC,EAAE,sBAAsB,GACtC,OAAO,CAAC,IAAI,CAAC,CAiBf"}

package/dist/external.d.ts

@@ -0,0 +1,45 @@
+/**
+ * External storage support for large Arrow IPC batches.
+ *
+ * When a batch exceeds a configurable threshold, it is serialized to IPC,
+ * optionally compressed with zstd, and uploaded to pluggable storage.
+ * The batch is replaced with a zero-row "pointer batch" containing the
+ * download URL and SHA-256 checksum in metadata.
+ */
+import { type RecordBatch, type Schema } from "@query-farm/apache-arrow";
+/** Pluggable storage backend for uploading large batches. */
+export interface ExternalStorage {
+    /** Upload IPC data and return a URL for retrieval. */
+    upload(data: Uint8Array, contentEncoding: string): Promise<string>;
+}
+/** Configuration for external storage of large batches. */
+export interface ExternalLocationConfig {
+    /** Storage backend for uploading. */
+    storage: ExternalStorage;
+    /** Minimum batch byte size to trigger externalization. Default: 1MB. */
+    externalizeThresholdBytes?: number;
+    /** Optional zstd compression for uploaded data. */
+    compression?: {
+        algorithm: "zstd";
+        level?: number;
+    };
+    /** URL validator called before fetching. Throw to reject. Default: HTTPS-only. */
+    urlValidator?: ((url: string) => void) | null;
+}
+/** Default validator that rejects non-HTTPS URLs. */
+export declare function httpsOnlyValidator(url: string): void;
+/** Returns true if the batch is a zero-row pointer to external data. */
+export declare function isExternalLocationBatch(batch: RecordBatch): boolean;
+/** Create a zero-row pointer batch with location URL and optional SHA-256. */
+export declare function makeExternalLocationBatch(schema: Schema, url: string, sha256?: string): RecordBatch;
+/**
+ * Maybe externalize a batch if it exceeds the threshold.
+ * Returns the original batch unchanged if below threshold or no config.
+ */
+export declare function maybeExternalizeBatch(batch: RecordBatch, config?: ExternalLocationConfig | null): Promise<RecordBatch>;
+/**
+ * Resolve an external pointer batch by fetching the data from the URL.
+ * Returns the original batch unchanged if not a pointer or no config.
+ */
+export declare function resolveExternalLocation(batch: RecordBatch, config?: ExternalLocationConfig | null): Promise<RecordBatch>;
+//# sourceMappingURL=external.d.ts.map

package/dist/external.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"external.d.ts","sourceRoot":"","sources":["../src/external.ts"],"names":[],"mappings":"AAGA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,WAAW,EAA8C,KAAK,MAAM,EAAE,MAAM,0BAA0B,CAAC;AASrH,6DAA6D;AAC7D,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACpE;AAED,2DAA2D;AAC3D,MAAM,WAAW,sBAAsB;IACrC,qCAAqC;IACrC,OAAO,EAAE,eAAe,CAAC;IACzB,wEAAwE;IACxE,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,mDAAmD;IACnD,WAAW,CAAC,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACpD,kFAAkF;IAClF,YAAY,CAAC,EAAE,CAAC,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;CAC/C;AAQD,qDAAqD;AACrD,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAKpD;AAoBD,wEAAwE;AACxE,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAKnE;AAMD,8EAA8E;AAC9E,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,WAAW,CAOnG;AA4BD;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,WAAW,EAClB,MAAM,CAAC,EAAE,sBAAsB,GAAG,IAAI,GACrC,OAAO,CAAC,WAAW,CAAC,CAyBtB;AAMD;;;GAGG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,WAAW,EAClB,MAAM,CAAC,EAAE,sBAAsB,GAAG,IAAI,GACrC,OAAO,CAAC,WAAW,CAAC,CA4CtB"}

package/dist/gcs.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Google Cloud Storage backend for external storage of large Arrow IPC batches.
+ *
+ * Requires `@google-cloud/storage` as a peer dependency.
+ *
+ * @example
+ * ```typescript
+ * import { createGCSStorage } from "@query-farm/vgi-rpc/gcs";
+ *
+ * const storage = createGCSStorage({
+ *   bucket: "my-bucket",
+ *   prefix: "vgi-rpc/",
+ * });
+ * const handler = createHttpHandler(protocol, {
+ *   externalLocation: { storage, externalizeThresholdBytes: 1_048_576 },
+ * });
+ * ```
+ */
+import type { ExternalStorage } from "./external.js";
+/** Configuration for the GCS storage backend. */
+export interface GCSStorageConfig {
+    /** GCS bucket name. */
+    bucket: string;
+    /** Key prefix for uploaded objects. Default: "vgi-rpc/". */
+    prefix?: string;
+    /** Lifetime of signed GET URLs in seconds. Default: 3600 (1 hour). */
+    presignExpirySeconds?: number;
+    /** GCS project ID. If omitted, uses Application Default Credentials. */
+    projectId?: string;
+}
+/**
+ * Create a GCS-backed ExternalStorage.
+ *
+ * Lazily imports `@google-cloud/storage` on first upload to avoid
+ * loading the SDK unless needed.
+ */
+export declare function createGCSStorage(config: GCSStorageConfig): ExternalStorage;
+//# sourceMappingURL=gcs.d.ts.map

package/dist/gcs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcs.d.ts","sourceRoot":"","sources":["../src/gcs.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAErD,iDAAiD;AACjD,MAAM,WAAW,gBAAgB;IAC/B,uBAAuB;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,4DAA4D;IAC5D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,sEAAsE;IACtE,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,wEAAwE;IACxE,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB,GAAG,eAAe,CA2C1E"}

package/dist/http/auth.d.ts

@@ -7,15 +7,26 @@ export interface OAuthResourceMetadata {
     authorizationServers: string[];
     scopesSupported?: string[];
     bearerMethodsSupported?: string[];
+    resourceSigningAlgValuesSupported?: string[];
     resourceName?: string;
     resourceDocumentation?: string;
     resourcePolicyUri?: string;
     resourceTosUri?: string;
+    /** OAuth client_id that clients should use with the authorization server. */
+    clientId?: string;
+    /** OAuth client_secret that clients should use with the authorization server. */
+    clientSecret?: string;
+    /** OAuth client_id for device code flow. */
+    deviceCodeClientId?: string;
+    /** OAuth client_secret for device code flow. */
+    deviceCodeClientSecret?: string;
+    /** When true, clients should use the OIDC id_token as the Bearer token instead of access_token. */
+    useIdTokenAsBearer?: boolean;
 }
 /** Convert OAuthResourceMetadata to RFC 9728 snake_case JSON object. */
 export declare function oauthResourceMetadataToJson(metadata: OAuthResourceMetadata): Record<string, any>;
 /** Compute the well-known path for OAuth Protected Resource Metadata. */
 export declare function wellKnownPath(prefix: string): string;
-/** Build a WWW-Authenticate header value with optional resource_metadata URL. */
-export declare function buildWwwAuthenticateHeader(metadataUrl?: string): string;
+/** Build a WWW-Authenticate header value with optional resource_metadata URL, client_id, client_secret, device_code_client_id, device_code_client_secret, and use_id_token_as_bearer. */
+export declare function buildWwwAuthenticateHeader(metadataUrl?: string, clientId?: string, clientSecret?: string, useIdTokenAsBearer?: boolean, deviceCodeClientId?: string, deviceCodeClientSecret?: string): string;
 //# sourceMappingURL=auth.d.ts.map

package/dist/http/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/http/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,kEAAkE;AAClE,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;AAEtF,kDAAkD;AAClD,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,wEAAwE;AACxE,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,qBAAqB,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAYhG;AAED,yEAAyE;AACzE,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEpD;AAED,iFAAiF;AACjF,wBAAgB,0BAA0B,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAKvE"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/http/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,kEAAkE;AAClE,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;AAEtF,kDAAkD;AAClD,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,iCAAiC,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iFAAiF;IACjF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4CAA4C;IAC5C,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gDAAgD;IAChD,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mGAAmG;IACnG,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,wEAAwE;AACxE,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,qBAAqB,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAyChG;AAED,yEAAyE;AACzE,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEpD;AAED,yLAAyL;AACzL,wBAAgB,0BAA0B,CACxC,WAAW,CAAC,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,MAAM,EACjB,YAAY,CAAC,EAAE,MAAM,EACrB,kBAAkB,CAAC,EAAE,OAAO,EAC5B,kBAAkB,CAAC,EAAE,MAAM,EAC3B,sBAAsB,CAAC,EAAE,MAAM,GAC9B,MAAM,CAqBR"}

package/dist/http/bearer.d.ts

@@ -0,0 +1,34 @@
+import type { AuthContext } from "../auth.js";
+import type { AuthenticateFn } from "./auth.js";
+/** Receives the raw bearer token string, returns an AuthContext on success. Must throw on failure. */
+export type BearerValidateFn = (token: string) => AuthContext | Promise<AuthContext>;
+/**
+ * Create a bearer-token authenticate callback.
+ *
+ * Extracts the `Authorization: Bearer <token>` header and delegates
+ * validation to the user-supplied `validate` callback.
+ */
+export declare function bearerAuthenticate(options: {
+    validate: BearerValidateFn;
+}): AuthenticateFn;
+/**
+ * Create a bearer-token authenticate callback from a static token map.
+ *
+ * Convenience wrapper around `bearerAuthenticate` that looks up the
+ * token in a pre-built mapping using constant-time comparison.
+ */
+export declare function bearerAuthenticateStatic(options: {
+    tokens: ReadonlyMap<string, AuthContext> | Record<string, AuthContext>;
+}): AuthenticateFn;
+/**
+ * Chain multiple authenticate callbacks, trying each in order.
+ *
+ * Each authenticator is called in sequence. Plain `Error` (credential
+ * rejection) causes the next authenticator to be tried. Error subclasses
+ * (`TypeError`, `RangeError`, etc.), `PermissionError`-named errors, and
+ * non-Error throws propagate immediately.
+ *
+ * @throws Error if no authenticators are provided.
+ */
+export declare function chainAuthenticate(...authenticators: AuthenticateFn[]): AuthenticateFn;
+//# sourceMappingURL=bearer.d.ts.map

package/dist/http/bearer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bearer.d.ts","sourceRoot":"","sources":["../../src/http/bearer.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEhD,sGAAsG;AACtG,MAAM,MAAM,gBAAgB,GAAG,CAAC,KAAK,EAAE,MAAM,KAAK,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;AAErF;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE;IAAE,QAAQ,EAAE,gBAAgB,CAAA;CAAE,GAAG,cAAc,CAW1F;AAWD;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE;IAChD,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;CACxE,GAAG,cAAc,CAYjB;AAgBD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,cAAc,EAAE,cAAc,EAAE,GAAG,cAAc,CAsBrF"}

package/dist/http/dispatch.d.ts

@@ -1,4 +1,5 @@
 import type { AuthContext } from "../auth.js";
+import { type ExternalLocationConfig } from "../external.js";
 import type { MethodDefinition } from "../types.js";
 import type { StateSerializer } from "./types.js";
 export interface DispatchContext {
@@ -8,6 +9,7 @@ export interface DispatchContext {
     maxStreamResponseBytes?: number;
     stateSerializer: StateSerializer;
     authContext?: AuthContext;
+    externalLocation?: ExternalLocationConfig;
 }
 /** Dispatch a __describe__ request. */
 export declare function httpDispatchDescribe(protocolName: string, methods: Map<string, MethodDefinition>, serverId: string): Response;

package/dist/http/dispatch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dispatch.d.ts","sourceRoot":"","sources":["../../src/http/dispatch.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAG9C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAQpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAUlD,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,UAAU,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,EAAE,eAAe,CAAC;IACjC,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B;AAED,uCAAuC;AACvC,wBAAgB,oBAAoB,CAClC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,EACtC,QAAQ,EAAE,MAAM,GACf,QAAQ,CAIV;AAED,qCAAqC;AACrC,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CAoBnB;AAED,kEAAkE;AAClE,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CAuEnB;AAED,yFAAyF;AACzF,wBAAsB,0BAA0B,CAC9C,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CAmHnB"}
+{"version":3,"file":"dispatch.d.ts","sourceRoot":"","sources":["../../src/http/dispatch.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAG9C,OAAO,EAAE,KAAK,sBAAsB,EAAyB,MAAM,gBAAgB,CAAC;AACpF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAQpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAUlD,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,UAAU,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,EAAE,eAAe,CAAC;IACjC,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AAED,uCAAuC;AACvC,wBAAgB,oBAAoB,CAClC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,EACtC,QAAQ,EAAE,MAAM,GACf,QAAQ,CAIV;AAED,qCAAqC;AACrC,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CA0BnB;AAED,kEAAkE;AAClE,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CA2EnB;AAED,yFAAyF;AACzF,wBAAsB,0BAA0B,CAC9C,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,CAqHnB"}

package/dist/http/handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../src/http/handler.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAY/C,OAAO,EAAE,KAAK,kBAAkB,EAAuB,MAAM,YAAY,CAAC;AAI1E;;;;;;;;;;;GAWG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAqNpD"}
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../src/http/handler.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAa/C,OAAO,EAAE,KAAK,kBAAkB,EAAuB,MAAM,YAAY,CAAC;AAI1E;;;;;;;;;;;GAWG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAiSpD"}

package/dist/http/index.d.ts

@@ -1,9 +1,13 @@
 export type { AuthenticateFn, OAuthResourceMetadata } from "./auth.js";
 export { oauthResourceMetadataToJson } from "./auth.js";
+export type { BearerValidateFn } from "./bearer.js";
+export { bearerAuthenticate, bearerAuthenticateStatic, chainAuthenticate } from "./bearer.js";
 export { ARROW_CONTENT_TYPE } from "./common.js";
 export { createHttpHandler } from "./handler.js";
 export type { JwtAuthenticateOptions } from "./jwt.js";
 export { jwtAuthenticate } from "./jwt.js";
+export type { CertValidateFn, XfccElement, XfccValidateFn } from "./mtls.js";
+export { mtlsAuthenticate, mtlsAuthenticateFingerprint, mtlsAuthenticateSubject, mtlsAuthenticateXfcc, parseXfcc, } from "./mtls.js";
 export { type UnpackedToken, unpackStateToken } from "./token.js";
 export type { HttpHandlerOptions, StateSerializer } from "./types.js";
 export { jsonStateSerializer } from "./types.js";

package/dist/http/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/http/index.ts"],"names":[],"mappings":"AAGA,YAAY,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AACvE,OAAO,EAAE,2BAA2B,EAAE,MAAM,WAAW,CAAC;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,YAAY,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,KAAK,aAAa,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAClE,YAAY,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/http/index.ts"],"names":[],"mappings":"AAGA,YAAY,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AACvE,OAAO,EAAE,2BAA2B,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,wBAAwB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAC9F,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,YAAY,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC7E,OAAO,EACL,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,oBAAoB,EACpB,SAAS,GACV,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,KAAK,aAAa,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAClE,YAAY,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC"}

package/dist/http/jwt.d.ts

@@ -2,8 +2,8 @@ import type { AuthenticateFn } from "./auth.js";
 export interface JwtAuthenticateOptions {
     /** The expected `iss` claim (also used to discover AS metadata). */
     issuer: string;
-    /** The expected `aud` claim. */
-    audience: string;
+    /** The expected `aud` claim. If an array, tries each audience in order. */
+    audience: string | string[];
     /** Explicit JWKS URI. If omitted, discovered from issuer metadata. */
     jwksUri?: string;
     /** JWT claim to use as the principal. Default: "sub". */

package/dist/http/jwt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/http/jwt.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEhD,MAAM,WAAW,sBAAsB;IACrC,oEAAoE;IACpE,MAAM,EAAE,MAAM,CAAC;IACf,gCAAgC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,sBAAsB,GAAG,cAAc,CAuC/E"}
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/http/jwt.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEhD,MAAM,WAAW,sBAAsB;IACrC,oEAAoE;IACpE,MAAM,EAAE,MAAM,CAAC;IACf,2EAA2E;IAC3E,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC5B,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,sBAAsB,GAAG,cAAc,CAqD/E"}

package/dist/http/mtls.d.ts

@@ -0,0 +1,78 @@
+import { X509Certificate } from "node:crypto";
+import { AuthContext } from "../auth.js";
+import type { AuthenticateFn } from "./auth.js";
+/** A single element from an `x-forwarded-client-cert` header. */
+export interface XfccElement {
+    hash: string | null;
+    cert: string | null;
+    subject: string | null;
+    uri: string | null;
+    dns: readonly string[];
+    by: string | null;
+}
+/** Receives a parsed XFCC element, returns an AuthContext on success. Must throw on failure. */
+export type XfccValidateFn = (element: XfccElement) => AuthContext | Promise<AuthContext>;
+/** Receives a parsed X509Certificate, returns an AuthContext on success. Must throw on failure. */
+export type CertValidateFn = (cert: X509Certificate) => AuthContext | Promise<AuthContext>;
+/**
+ * Parse an `x-forwarded-client-cert` header value.
+ *
+ * Handles comma-separated elements (respecting quoted values),
+ * semicolon-separated key=value pairs within each element, and
+ * URL-encoded Cert/URI/By fields.
+ */
+export declare function parseXfcc(headerValue: string): XfccElement[];
+/**
+ * Create an authenticate callback from Envoy `x-forwarded-client-cert`.
+ *
+ * Parses the `x-forwarded-client-cert` header and extracts client identity.
+ * Does not require any crypto dependencies.
+ *
+ * **Warning:** The reverse proxy MUST strip client-supplied
+ * `x-forwarded-client-cert` headers before forwarding.
+ */
+export declare function mtlsAuthenticateXfcc(options?: {
+    validate?: XfccValidateFn;
+    domain?: string;
+    selectElement?: "first" | "last";
+}): AuthenticateFn;
+/**
+ * Create an mTLS authenticate callback with custom certificate validation.
+ *
+ * Generic factory that parses the client certificate from a proxy header
+ * and delegates identity extraction to a user-supplied `validate` callback.
+ *
+ * **Warning:** The reverse proxy MUST strip client-supplied certificate
+ * headers before forwarding.
+ */
+export declare function mtlsAuthenticate(options: {
+    validate: CertValidateFn;
+    header?: string;
+    checkExpiry?: boolean;
+}): AuthenticateFn;
+/**
+ * Create an mTLS authenticate callback using certificate fingerprint lookup.
+ *
+ * Computes the certificate fingerprint and looks it up in the provided
+ * mapping. Fingerprints must be lowercase hex without colons.
+ */
+export declare function mtlsAuthenticateFingerprint(options: {
+    fingerprints: ReadonlyMap<string, AuthContext> | Record<string, AuthContext>;
+    header?: string;
+    algorithm?: string;
+    domain?: string;
+    checkExpiry?: boolean;
+}): AuthenticateFn;
+/**
+ * Create an mTLS authenticate callback using certificate subject CN.
+ *
+ * Extracts the Subject Common Name as `principal` and populates
+ * `claims` with the full DN, serial number (hex), and `not_valid_after`.
+ */
+export declare function mtlsAuthenticateSubject(options?: {
+    header?: string;
+    domain?: string;
+    allowedSubjects?: ReadonlySet<string> | null;
+    checkExpiry?: boolean;
+}): AuthenticateFn;
+//# sourceMappingURL=mtls.d.ts.map