@radaros/transport 0.3.46 → 0.3.49

package/dist/index.cjs

@@ -28,6 +28,9 @@ __export(index_exports, {
   createAgentRouter: () => createAgentRouter,
   createBrowserGateway: () => createBrowserGateway,
   createFileUploadMiddleware: () => createFileUploadMiddleware,
+  createGatewayRouter: () => createGatewayRouter,
+  createJwtMiddleware: () => createJwtMiddleware,
+  createRbacMiddleware: () => createRbacMiddleware,
   createVisionGateway: () => createVisionGateway,
   createVoiceGateway: () => createVoiceGateway,
   errorHandler: () => errorHandler,
@@ -722,6 +725,165 @@ function buildMultiModalInput(body, files) {
   return parts;
 }
 
+// src/express/gateway.ts
+var import_node_module4 = require("module");
+var _require4 = (0, import_node_module4.createRequire)(importMetaUrl);
+function createGatewayRouter(config) {
+  let express;
+  try {
+    express = _require4("express");
+  } catch {
+    throw new Error("express is required for gateway router. Install it: npm install express");
+  }
+  const router = express.Router();
+  const remoteHealth = /* @__PURE__ */ new Map();
+  async function checkHealth(remote) {
+    try {
+      const path = remote.healthPath ?? "/agents";
+      const res = await fetch(`${remote.baseUrl}${path}`, {
+        headers: remote.headers ?? {},
+        signal: AbortSignal.timeout(5e3)
+      });
+      return res.ok;
+    } catch {
+      return false;
+    }
+  }
+  if (config.healthCheckIntervalMs) {
+    const interval = setInterval(async () => {
+      for (const remote of config.remotes) {
+        const healthy = await checkHealth(remote);
+        remoteHealth.set(remote.baseUrl, healthy);
+      }
+    }, config.healthCheckIntervalMs);
+    interval.unref?.();
+  }
+  async function proxyRequest(baseUrl, path, req, res, headers) {
+    try {
+      const proxyRes = await fetch(`${baseUrl}${path}`, {
+        method: req.method,
+        headers: {
+          "Content-Type": "application/json",
+          ...headers ?? {},
+          ...Object.fromEntries(
+            Object.entries(req.headers).filter(([k]) => k.startsWith("x-") || k === "authorization")
+          )
+        },
+        body: req.method !== "GET" ? JSON.stringify(req.body) : void 0,
+        signal: AbortSignal.timeout(12e4)
+      });
+      const contentType = proxyRes.headers.get("content-type") ?? "";
+      if (contentType.includes("text/event-stream")) {
+        res.writeHead(200, {
+          "Content-Type": "text/event-stream",
+          "Cache-Control": "no-cache",
+          Connection: "keep-alive"
+        });
+        const reader = proxyRes.body?.getReader();
+        if (reader) {
+          const decoder = new TextDecoder();
+          while (true) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            res.write(decoder.decode(value, { stream: true }));
+          }
+        }
+        res.end();
+      } else {
+        const data = await proxyRes.json();
+        res.status(proxyRes.status).json(data);
+      }
+    } catch (err) {
+      res.status(502).json({ error: `Gateway proxy error: ${err.message}` });
+    }
+  }
+  for (const remote of config.remotes) {
+    if (remote.agents) {
+      for (const agentName of remote.agents) {
+        router.post(
+          `/agents/${agentName}/run`,
+          (req, res) => proxyRequest(remote.baseUrl, `/agents/${agentName}/run`, req, res, remote.headers)
+        );
+        router.post(
+          `/agents/${agentName}/stream`,
+          (req, res) => proxyRequest(remote.baseUrl, `/agents/${agentName}/stream`, req, res, remote.headers)
+        );
+      }
+    }
+    if (remote.teams) {
+      for (const teamName of remote.teams) {
+        router.post(
+          `/teams/${teamName}/run`,
+          (req, res) => proxyRequest(remote.baseUrl, `/teams/${teamName}/run`, req, res, remote.headers)
+        );
+        router.post(
+          `/teams/${teamName}/stream`,
+          (req, res) => proxyRequest(remote.baseUrl, `/teams/${teamName}/stream`, req, res, remote.headers)
+        );
+      }
+    }
+    if (remote.workflows) {
+      for (const wfName of remote.workflows) {
+        router.post(
+          `/workflows/${wfName}/run`,
+          (req, res) => proxyRequest(remote.baseUrl, `/workflows/${wfName}/run`, req, res, remote.headers)
+        );
+      }
+    }
+  }
+  router.get("/gateway/health", async (_req, res) => {
+    const status = {};
+    for (const remote of config.remotes) {
+      const cached = remoteHealth.get(remote.baseUrl);
+      status[remote.baseUrl] = cached ?? await checkHealth(remote);
+    }
+    res.json({ remotes: status });
+  });
+  return router;
+}
+
+// src/express/jwt-middleware.ts
+var import_node_module5 = require("module");
+var _require5 = (0, import_node_module5.createRequire)(importMetaUrl);
+function createJwtMiddleware(config) {
+  let jwt;
+  try {
+    jwt = _require5("jsonwebtoken");
+  } catch {
+    throw new Error("jsonwebtoken is required for JWT middleware. Install it: npm install jsonwebtoken");
+  }
+  const extractFrom = config.extractFrom ?? "header";
+  const cookieName = config.cookieName ?? "token";
+  return (req, res, next) => {
+    let token;
+    if (extractFrom === "header") {
+      const auth = req.headers.authorization;
+      if (auth?.startsWith("Bearer ")) {
+        token = auth.slice(7);
+      }
+    } else if (extractFrom === "cookie") {
+      token = req.cookies?.[cookieName];
+    }
+    if (!token) {
+      return res.status(401).json({ error: "Authentication required" });
+    }
+    try {
+      const verifyOpts = {};
+      if (config.algorithm) verifyOpts.algorithms = [config.algorithm];
+      if (config.issuer) verifyOpts.issuer = config.issuer;
+      if (config.audience) verifyOpts.audience = config.audience;
+      const decoded = jwt.verify(token, config.secret, verifyOpts);
+      req.user = decoded;
+      next();
+    } catch (err) {
+      if (err.name === "TokenExpiredError") {
+        return res.status(401).json({ error: "Token expired" });
+      }
+      return res.status(401).json({ error: "Invalid token" });
+    }
+  };
+}
+
 // src/express/middleware.ts
 function errorHandler(options) {
   const log = options?.logger ?? console;
@@ -743,16 +905,81 @@ function requestLogger(options) {
   };
 }
 
+// src/express/rbac-middleware.ts
+var DEFAULT_SCOPE_MAP = {
+  "POST /agents/:name/run": ["agents:run"],
+  "POST /agents/:name/stream": ["agents:run"],
+  "GET /agents": ["agents:read"],
+  "POST /teams/:name/run": ["teams:run"],
+  "POST /teams/:name/stream": ["teams:run"],
+  "GET /teams": ["teams:read"],
+  "POST /workflows/:name/run": ["workflows:run"],
+  "GET /workflows": ["workflows:read"],
+  "GET /admin": ["admin:*"],
+  "POST /admin": ["admin:*"],
+  "DELETE /admin": ["admin:*"]
+};
+function normalizeRoute(method, path) {
+  const normalized = path.replace(/\/[a-zA-Z0-9_-]+(?=\/(?:run|stream|card|checkpoints))/g, "/:name");
+  return `${method} ${normalized}`;
+}
+function createRbacMiddleware(config = {}) {
+  const scopeField = config.scopeField ?? "scopes";
+  const scopeMap = { ...DEFAULT_SCOPE_MAP, ...config.defaultScopes ?? {} };
+  return (req, res, next) => {
+    const user = req.user;
+    if (!user) {
+      return res.status(401).json({ error: "Authentication required" });
+    }
+    const userScopes = user[scopeField] ?? user.scope?.split(" ") ?? [];
+    if (userScopes.includes("admin:*") || userScopes.includes("*")) {
+      return next();
+    }
+    const routeKey = normalizeRoute(req.method, req.path);
+    let requiredScopes = [];
+    for (const [pattern, scopes] of Object.entries(scopeMap)) {
+      if (routeKey === pattern || routeMatches(routeKey, pattern)) {
+        requiredScopes = scopes;
+        break;
+      }
+    }
+    if (config.agentScopes && req.params?.name) {
+      const agentSpecific = config.agentScopes[req.params.name];
+      if (agentSpecific) {
+        requiredScopes = [...requiredScopes, ...agentSpecific];
+      }
+    }
+    if (requiredScopes.length === 0) {
+      return next();
+    }
+    const hasRequired = requiredScopes.every((scope) => userScopes.includes(scope));
+    if (!hasRequired) {
+      return res.status(403).json({
+        error: "Insufficient permissions",
+        required: requiredScopes,
+        provided: userScopes
+      });
+    }
+    next();
+  };
+}
+function routeMatches(actual, pattern) {
+  const actualParts = actual.split(/[\s/]+/).filter(Boolean);
+  const patternParts = pattern.split(/[\s/]+/).filter(Boolean);
+  if (actualParts.length !== patternParts.length) return false;
+  return patternParts.every((part, i) => part.startsWith(":") || part === actualParts[i]);
+}
+
 // src/express/router-factory.ts
-var import_node_module5 = require("module");
+var import_node_module7 = require("module");
 var import_core3 = require("@radaros/core");
 
 // src/express/swagger.ts
-var import_node_module4 = require("module");
-var _require4 = (0, import_node_module4.createRequire)(importMetaUrl);
+var import_node_module6 = require("module");
+var _require6 = (0, import_node_module6.createRequire)(importMetaUrl);
 function zodSchemaToJsonSchema(schema) {
   try {
-    const zodToJsonSchema = _require4("zod-to-json-schema").default ?? _require4("zod-to-json-schema");
+    const zodToJsonSchema = _require6("zod-to-json-schema").default ?? _require6("zod-to-json-schema");
     const result = zodToJsonSchema(schema, { target: "openApi3" });
     const { $schema, ...rest } = result;
     return rest;
@@ -1188,7 +1415,7 @@ ${agentDesc}`,
 function serveSwaggerUI(spec) {
   let swaggerUiExpress;
   try {
-    swaggerUiExpress = _require4("swagger-ui-express");
+    swaggerUiExpress = _require6("swagger-ui-express");
   } catch {
     throw new Error("swagger-ui-express is required for Swagger UI. Install it: npm install swagger-ui-express");
   }
@@ -1202,7 +1429,7 @@ function serveSwaggerUI(spec) {
 }
 
 // src/express/router-factory.ts
-var _require5 = (0, import_node_module5.createRequire)(importMetaUrl);
+var _require7 = (0, import_node_module7.createRequire)(importMetaUrl);
 function corsMiddleware(origins) {
   return (req, res, next) => {
     const origin = req.headers.origin;
@@ -1302,7 +1529,7 @@ function createAgentRouter(opts) {
   const reg = opts.registry === false ? null : opts.registry ?? import_core3.registry;
   let express;
   try {
-    express = _require5("express");
+    express = _require7("express");
   } catch {
     throw new Error("express is required for createAgentRouter. Install it: npm install express");
   }
@@ -1314,6 +1541,12 @@ function createAgentRouter(opts) {
     const config = opts.rateLimit === true ? {} : opts.rateLimit;
     router.use(rateLimitMiddleware(config));
   }
+  if (opts.jwt) {
+    router.use(createJwtMiddleware(opts.jwt));
+  }
+  if (opts.rbac) {
+    router.use(createRbacMiddleware(opts.rbac));
+  }
   if (opts.middleware) {
     for (const mw of opts.middleware) {
       router.use(mw);
@@ -2344,6 +2577,9 @@ function createVoiceGateway(opts) {
   createAgentRouter,
   createBrowserGateway,
   createFileUploadMiddleware,
+  createGatewayRouter,
+  createJwtMiddleware,
+  createRbacMiddleware,
   createVisionGateway,
   createVoiceGateway,
   errorHandler,

package/dist/index.d.cts

@@ -127,12 +127,22 @@ interface FileUploadOptions {
 declare function createFileUploadMiddleware(opts?: FileUploadOptions): any;
 declare function buildMultiModalInput(body: any, files?: any[]): string | any[];
 
-declare function errorHandler(options?: {
-    logger?: Pick<Console, "error">;
-}): (err: any, _req: any, res: any, _next: any) => void;
-declare function requestLogger(options?: {
-    logger?: Pick<Console, "log">;
-}): (req: any, _res: any, next: any) => void;
+interface RbacConfig {
+    scopeField?: string;
+    defaultScopes?: Record<string, string[]>;
+    agentScopes?: Record<string, string[]>;
+}
+declare function createRbacMiddleware(config?: RbacConfig): (req: any, res: any, next: any) => any;
+
+interface JwtConfig {
+    secret: string;
+    algorithm?: string;
+    issuer?: string;
+    audience?: string;
+    extractFrom?: "header" | "cookie";
+    cookieName?: string;
+}
+declare function createJwtMiddleware(config: JwtConfig): (req: any, res: any, next: any) => any;
 
 interface SwaggerOptions {
     /** Enable Swagger UI at /docs. Default: false */
@@ -210,7 +220,39 @@ interface RouterOptions {
      * MetricsExporter instance from `@radaros/observability` for `/metrics` endpoints.
      */
     metricsExporter?: any;
+    /**
+     * JWT authentication middleware. Verifies tokens and attaches decoded payload to `req.user`.
+     * Requires `jsonwebtoken` package.
+     */
+    jwt?: JwtConfig;
+    /**
+     * Role-based access control. Checks `req.user.scopes` against required scopes per route.
+     * Requires `jwt` to be configured first.
+     */
+    rbac?: RbacConfig;
+}
+
+interface RemoteEndpoint {
+    baseUrl: string;
+    agents?: string[];
+    teams?: string[];
+    workflows?: string[];
+    headers?: Record<string, string>;
+    healthPath?: string;
 }
+interface GatewayConfig {
+    locals?: RouterOptions;
+    remotes: RemoteEndpoint[];
+    healthCheckIntervalMs?: number;
+}
+declare function createGatewayRouter(config: GatewayConfig): any;
+
+declare function errorHandler(options?: {
+    logger?: Pick<Console, "error">;
+}): (err: any, _req: any, res: any, _next: any) => void;
+declare function requestLogger(options?: {
+    logger?: Pick<Console, "log">;
+}): (req: any, _res: any, next: any) => void;
 
 declare function createAgentRouter(opts: RouterOptions): any;
 
@@ -348,4 +390,4 @@ interface VoiceGatewayOptions {
 }
 declare function createVoiceGateway(opts: VoiceGatewayOptions): void;
 
-export { type A2AServerOptions, type AdminRouterOptions, type BrowserGatewayOptions, type FileUploadOptions, type GatewayOptions, MCPManager, type MCPServerEntry, type MCPServerSummary, type RouterOptions, type SwaggerOptions, type VisionGatewayOptions, type VoiceGatewayOptions, buildMultiModalInput, createA2AServer, createAdminRouter, createAgentGateway, createAgentRouter, createBrowserGateway, createFileUploadMiddleware, createVisionGateway, createVoiceGateway, errorHandler, generateAgentCard, generateMultiAgentCard, generateOpenAPISpec, requestLogger };
+export { type A2AServerOptions, type AdminRouterOptions, type BrowserGatewayOptions, type FileUploadOptions, type GatewayConfig, type GatewayOptions, type JwtConfig, MCPManager, type MCPServerEntry, type MCPServerSummary, type RbacConfig, type RemoteEndpoint, type RouterOptions, type SwaggerOptions, type VisionGatewayOptions, type VoiceGatewayOptions, buildMultiModalInput, createA2AServer, createAdminRouter, createAgentGateway, createAgentRouter, createBrowserGateway, createFileUploadMiddleware, createGatewayRouter, createJwtMiddleware, createRbacMiddleware, createVisionGateway, createVoiceGateway, errorHandler, generateAgentCard, generateMultiAgentCard, generateOpenAPISpec, requestLogger };

package/dist/index.d.ts

@@ -127,12 +127,22 @@ interface FileUploadOptions {
 declare function createFileUploadMiddleware(opts?: FileUploadOptions): any;
 declare function buildMultiModalInput(body: any, files?: any[]): string | any[];
 
-declare function errorHandler(options?: {
-    logger?: Pick<Console, "error">;
-}): (err: any, _req: any, res: any, _next: any) => void;
-declare function requestLogger(options?: {
-    logger?: Pick<Console, "log">;
-}): (req: any, _res: any, next: any) => void;
+interface RbacConfig {
+    scopeField?: string;
+    defaultScopes?: Record<string, string[]>;
+    agentScopes?: Record<string, string[]>;
+}
+declare function createRbacMiddleware(config?: RbacConfig): (req: any, res: any, next: any) => any;
+
+interface JwtConfig {
+    secret: string;
+    algorithm?: string;
+    issuer?: string;
+    audience?: string;
+    extractFrom?: "header" | "cookie";
+    cookieName?: string;
+}
+declare function createJwtMiddleware(config: JwtConfig): (req: any, res: any, next: any) => any;
 
 interface SwaggerOptions {
     /** Enable Swagger UI at /docs. Default: false */
@@ -210,7 +220,39 @@ interface RouterOptions {
      * MetricsExporter instance from `@radaros/observability` for `/metrics` endpoints.
      */
     metricsExporter?: any;
+    /**
+     * JWT authentication middleware. Verifies tokens and attaches decoded payload to `req.user`.
+     * Requires `jsonwebtoken` package.
+     */
+    jwt?: JwtConfig;
+    /**
+     * Role-based access control. Checks `req.user.scopes` against required scopes per route.
+     * Requires `jwt` to be configured first.
+     */
+    rbac?: RbacConfig;
+}
+
+interface RemoteEndpoint {
+    baseUrl: string;
+    agents?: string[];
+    teams?: string[];
+    workflows?: string[];
+    headers?: Record<string, string>;
+    healthPath?: string;
 }
+interface GatewayConfig {
+    locals?: RouterOptions;
+    remotes: RemoteEndpoint[];
+    healthCheckIntervalMs?: number;
+}
+declare function createGatewayRouter(config: GatewayConfig): any;
+
+declare function errorHandler(options?: {
+    logger?: Pick<Console, "error">;
+}): (err: any, _req: any, res: any, _next: any) => void;
+declare function requestLogger(options?: {
+    logger?: Pick<Console, "log">;
+}): (req: any, _res: any, next: any) => void;
 
 declare function createAgentRouter(opts: RouterOptions): any;
 
@@ -348,4 +390,4 @@ interface VoiceGatewayOptions {
 }
 declare function createVoiceGateway(opts: VoiceGatewayOptions): void;
 
-export { type A2AServerOptions, type AdminRouterOptions, type BrowserGatewayOptions, type FileUploadOptions, type GatewayOptions, MCPManager, type MCPServerEntry, type MCPServerSummary, type RouterOptions, type SwaggerOptions, type VisionGatewayOptions, type VoiceGatewayOptions, buildMultiModalInput, createA2AServer, createAdminRouter, createAgentGateway, createAgentRouter, createBrowserGateway, createFileUploadMiddleware, createVisionGateway, createVoiceGateway, errorHandler, generateAgentCard, generateMultiAgentCard, generateOpenAPISpec, requestLogger };
+export { type A2AServerOptions, type AdminRouterOptions, type BrowserGatewayOptions, type FileUploadOptions, type GatewayConfig, type GatewayOptions, type JwtConfig, MCPManager, type MCPServerEntry, type MCPServerSummary, type RbacConfig, type RemoteEndpoint, type RouterOptions, type SwaggerOptions, type VisionGatewayOptions, type VoiceGatewayOptions, buildMultiModalInput, createA2AServer, createAdminRouter, createAgentGateway, createAgentRouter, createBrowserGateway, createFileUploadMiddleware, createGatewayRouter, createJwtMiddleware, createRbacMiddleware, createVisionGateway, createVoiceGateway, errorHandler, generateAgentCard, generateMultiAgentCard, generateOpenAPISpec, requestLogger };

package/dist/index.js

@@ -678,6 +678,165 @@ function buildMultiModalInput(body, files) {
   return parts;
 }
 
+// src/express/gateway.ts
+import { createRequire as createRequire4 } from "module";
+var _require4 = createRequire4(import.meta.url);
+function createGatewayRouter(config) {
+  let express;
+  try {
+    express = _require4("express");
+  } catch {
+    throw new Error("express is required for gateway router. Install it: npm install express");
+  }
+  const router = express.Router();
+  const remoteHealth = /* @__PURE__ */ new Map();
+  async function checkHealth(remote) {
+    try {
+      const path = remote.healthPath ?? "/agents";
+      const res = await fetch(`${remote.baseUrl}${path}`, {
+        headers: remote.headers ?? {},
+        signal: AbortSignal.timeout(5e3)
+      });
+      return res.ok;
+    } catch {
+      return false;
+    }
+  }
+  if (config.healthCheckIntervalMs) {
+    const interval = setInterval(async () => {
+      for (const remote of config.remotes) {
+        const healthy = await checkHealth(remote);
+        remoteHealth.set(remote.baseUrl, healthy);
+      }
+    }, config.healthCheckIntervalMs);
+    interval.unref?.();
+  }
+  async function proxyRequest(baseUrl, path, req, res, headers) {
+    try {
+      const proxyRes = await fetch(`${baseUrl}${path}`, {
+        method: req.method,
+        headers: {
+          "Content-Type": "application/json",
+          ...headers ?? {},
+          ...Object.fromEntries(
+            Object.entries(req.headers).filter(([k]) => k.startsWith("x-") || k === "authorization")
+          )
+        },
+        body: req.method !== "GET" ? JSON.stringify(req.body) : void 0,
+        signal: AbortSignal.timeout(12e4)
+      });
+      const contentType = proxyRes.headers.get("content-type") ?? "";
+      if (contentType.includes("text/event-stream")) {
+        res.writeHead(200, {
+          "Content-Type": "text/event-stream",
+          "Cache-Control": "no-cache",
+          Connection: "keep-alive"
+        });
+        const reader = proxyRes.body?.getReader();
+        if (reader) {
+          const decoder = new TextDecoder();
+          while (true) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            res.write(decoder.decode(value, { stream: true }));
+          }
+        }
+        res.end();
+      } else {
+        const data = await proxyRes.json();
+        res.status(proxyRes.status).json(data);
+      }
+    } catch (err) {
+      res.status(502).json({ error: `Gateway proxy error: ${err.message}` });
+    }
+  }
+  for (const remote of config.remotes) {
+    if (remote.agents) {
+      for (const agentName of remote.agents) {
+        router.post(
+          `/agents/${agentName}/run`,
+          (req, res) => proxyRequest(remote.baseUrl, `/agents/${agentName}/run`, req, res, remote.headers)
+        );
+        router.post(
+          `/agents/${agentName}/stream`,
+          (req, res) => proxyRequest(remote.baseUrl, `/agents/${agentName}/stream`, req, res, remote.headers)
+        );
+      }
+    }
+    if (remote.teams) {
+      for (const teamName of remote.teams) {
+        router.post(
+          `/teams/${teamName}/run`,
+          (req, res) => proxyRequest(remote.baseUrl, `/teams/${teamName}/run`, req, res, remote.headers)
+        );
+        router.post(
+          `/teams/${teamName}/stream`,
+          (req, res) => proxyRequest(remote.baseUrl, `/teams/${teamName}/stream`, req, res, remote.headers)
+        );
+      }
+    }
+    if (remote.workflows) {
+      for (const wfName of remote.workflows) {
+        router.post(
+          `/workflows/${wfName}/run`,
+          (req, res) => proxyRequest(remote.baseUrl, `/workflows/${wfName}/run`, req, res, remote.headers)
+        );
+      }
+    }
+  }
+  router.get("/gateway/health", async (_req, res) => {
+    const status = {};
+    for (const remote of config.remotes) {
+      const cached = remoteHealth.get(remote.baseUrl);
+      status[remote.baseUrl] = cached ?? await checkHealth(remote);
+    }
+    res.json({ remotes: status });
+  });
+  return router;
+}
+
+// src/express/jwt-middleware.ts
+import { createRequire as createRequire5 } from "module";
+var _require5 = createRequire5(import.meta.url);
+function createJwtMiddleware(config) {
+  let jwt;
+  try {
+    jwt = _require5("jsonwebtoken");
+  } catch {
+    throw new Error("jsonwebtoken is required for JWT middleware. Install it: npm install jsonwebtoken");
+  }
+  const extractFrom = config.extractFrom ?? "header";
+  const cookieName = config.cookieName ?? "token";
+  return (req, res, next) => {
+    let token;
+    if (extractFrom === "header") {
+      const auth = req.headers.authorization;
+      if (auth?.startsWith("Bearer ")) {
+        token = auth.slice(7);
+      }
+    } else if (extractFrom === "cookie") {
+      token = req.cookies?.[cookieName];
+    }
+    if (!token) {
+      return res.status(401).json({ error: "Authentication required" });
+    }
+    try {
+      const verifyOpts = {};
+      if (config.algorithm) verifyOpts.algorithms = [config.algorithm];
+      if (config.issuer) verifyOpts.issuer = config.issuer;
+      if (config.audience) verifyOpts.audience = config.audience;
+      const decoded = jwt.verify(token, config.secret, verifyOpts);
+      req.user = decoded;
+      next();
+    } catch (err) {
+      if (err.name === "TokenExpiredError") {
+        return res.status(401).json({ error: "Token expired" });
+      }
+      return res.status(401).json({ error: "Invalid token" });
+    }
+  };
+}
+
 // src/express/middleware.ts
 function errorHandler(options) {
   const log = options?.logger ?? console;
@@ -699,16 +858,81 @@ function requestLogger(options) {
   };
 }
 
+// src/express/rbac-middleware.ts
+var DEFAULT_SCOPE_MAP = {
+  "POST /agents/:name/run": ["agents:run"],
+  "POST /agents/:name/stream": ["agents:run"],
+  "GET /agents": ["agents:read"],
+  "POST /teams/:name/run": ["teams:run"],
+  "POST /teams/:name/stream": ["teams:run"],
+  "GET /teams": ["teams:read"],
+  "POST /workflows/:name/run": ["workflows:run"],
+  "GET /workflows": ["workflows:read"],
+  "GET /admin": ["admin:*"],
+  "POST /admin": ["admin:*"],
+  "DELETE /admin": ["admin:*"]
+};
+function normalizeRoute(method, path) {
+  const normalized = path.replace(/\/[a-zA-Z0-9_-]+(?=\/(?:run|stream|card|checkpoints))/g, "/:name");
+  return `${method} ${normalized}`;
+}
+function createRbacMiddleware(config = {}) {
+  const scopeField = config.scopeField ?? "scopes";
+  const scopeMap = { ...DEFAULT_SCOPE_MAP, ...config.defaultScopes ?? {} };
+  return (req, res, next) => {
+    const user = req.user;
+    if (!user) {
+      return res.status(401).json({ error: "Authentication required" });
+    }
+    const userScopes = user[scopeField] ?? user.scope?.split(" ") ?? [];
+    if (userScopes.includes("admin:*") || userScopes.includes("*")) {
+      return next();
+    }
+    const routeKey = normalizeRoute(req.method, req.path);
+    let requiredScopes = [];
+    for (const [pattern, scopes] of Object.entries(scopeMap)) {
+      if (routeKey === pattern || routeMatches(routeKey, pattern)) {
+        requiredScopes = scopes;
+        break;
+      }
+    }
+    if (config.agentScopes && req.params?.name) {
+      const agentSpecific = config.agentScopes[req.params.name];
+      if (agentSpecific) {
+        requiredScopes = [...requiredScopes, ...agentSpecific];
+      }
+    }
+    if (requiredScopes.length === 0) {
+      return next();
+    }
+    const hasRequired = requiredScopes.every((scope) => userScopes.includes(scope));
+    if (!hasRequired) {
+      return res.status(403).json({
+        error: "Insufficient permissions",
+        required: requiredScopes,
+        provided: userScopes
+      });
+    }
+    next();
+  };
+}
+function routeMatches(actual, pattern) {
+  const actualParts = actual.split(/[\s/]+/).filter(Boolean);
+  const patternParts = pattern.split(/[\s/]+/).filter(Boolean);
+  if (actualParts.length !== patternParts.length) return false;
+  return patternParts.every((part, i) => part.startsWith(":") || part === actualParts[i]);
+}
+
 // src/express/router-factory.ts
-import { createRequire as createRequire5 } from "module";
+import { createRequire as createRequire7 } from "module";
 import { classifyServables, collectToolkitTools, describeToolLibrary, registry as globalRegistry } from "@radaros/core";
 
 // src/express/swagger.ts
-import { createRequire as createRequire4 } from "module";
-var _require4 = createRequire4(import.meta.url);
+import { createRequire as createRequire6 } from "module";
+var _require6 = createRequire6(import.meta.url);
 function zodSchemaToJsonSchema(schema) {
   try {
-    const zodToJsonSchema = _require4("zod-to-json-schema").default ?? _require4("zod-to-json-schema");
+    const zodToJsonSchema = _require6("zod-to-json-schema").default ?? _require6("zod-to-json-schema");
     const result = zodToJsonSchema(schema, { target: "openApi3" });
     const { $schema, ...rest } = result;
     return rest;
@@ -1144,7 +1368,7 @@ ${agentDesc}`,
 function serveSwaggerUI(spec) {
   let swaggerUiExpress;
   try {
-    swaggerUiExpress = _require4("swagger-ui-express");
+    swaggerUiExpress = _require6("swagger-ui-express");
   } catch {
     throw new Error("swagger-ui-express is required for Swagger UI. Install it: npm install swagger-ui-express");
   }
@@ -1158,7 +1382,7 @@ function serveSwaggerUI(spec) {
 }
 
 // src/express/router-factory.ts
-var _require5 = createRequire5(import.meta.url);
+var _require7 = createRequire7(import.meta.url);
 function corsMiddleware(origins) {
   return (req, res, next) => {
     const origin = req.headers.origin;
@@ -1258,7 +1482,7 @@ function createAgentRouter(opts) {
   const reg = opts.registry === false ? null : opts.registry ?? globalRegistry;
   let express;
   try {
-    express = _require5("express");
+    express = _require7("express");
   } catch {
     throw new Error("express is required for createAgentRouter. Install it: npm install express");
   }
@@ -1270,6 +1494,12 @@ function createAgentRouter(opts) {
     const config = opts.rateLimit === true ? {} : opts.rateLimit;
     router.use(rateLimitMiddleware(config));
   }
+  if (opts.jwt) {
+    router.use(createJwtMiddleware(opts.jwt));
+  }
+  if (opts.rbac) {
+    router.use(createRbacMiddleware(opts.rbac));
+  }
   if (opts.middleware) {
     for (const mw of opts.middleware) {
       router.use(mw);
@@ -2299,6 +2529,9 @@ export {
   createAgentRouter,
   createBrowserGateway,
   createFileUploadMiddleware,
+  createGatewayRouter,
+  createJwtMiddleware,
+  createRbacMiddleware,
   createVisionGateway,
   createVoiceGateway,
   errorHandler,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@radaros/transport",
-  "version": "0.3.46",
+  "version": "0.3.49",
   "description": "HTTP and WebSocket transport layer for RadarOS agents",
   "license": "MIT",
   "repository": {
@@ -42,7 +42,7 @@
     "typescript": "^5.6.0"
   },
   "peerDependencies": {
-    "@radaros/core": "^0.3.46",
+    "@radaros/core": "^0.3.49",
     "@types/express": "^4.0.0 || ^5.0.0",
     "express": "^4.0.0 || ^5.0.0",
     "multer": ">=2.0.0",