@run402/functions 2.5.1 → 2.6.0

package/dist/index.d.ts

@@ -9,4 +9,9 @@ export { assets } from "./assets.js";
 export type { AssetPutOptions, AssetPutSource, AssetPutSourceInput, AssetRef, AssetVisibility, AssetVariant, AssetListRow, AssetsListFilter, AssetsListOptions, AssetsListResult, AssetsListSort, ImageInfo, } from "./assets.js";
 export { bytes, isRequest, json, routedHttp, text } from "./routed-http.js";
 export type { RoutedHttpHeaderList, RoutedHttpRequestV1, RoutedHttpResponseInit, RoutedHttpResponseV1, } from "./routed-http.js";
+export { cache } from "./cache.js";
+export type { Cache, CacheInvalidateResult, InvalidatePrefixOptions, InvalidateAllOptions, } from "./cache.js";
+export { CacheInvalidationHostRequiredError, CacheInvalidationHostForbiddenError, } from "./cache.js";
+export { als, getCurrentContext, runWithContext, requireActiveContext, taintCacheBypass, withPaymentTaint, PAYMENT_PRIMITIVES, Run402OutsideRequestContextError, } from "./runtime-context.js";
+export type { RunRequestContext } from "./runtime-context.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC3G,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,GACf,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,YAAY,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,QAAQ,EACR,eAAe,EACf,YAAY,EAEZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC3G,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,GACf,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,YAAY,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,QAAQ,EACR,eAAe,EACf,YAAY,EAEZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EACV,KAAK,EACL,qBAAqB,EACrB,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AAKpB,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/index.js

@@ -4,4 +4,14 @@ export { email } from "./email.js";
 export { ai } from "./ai.js";
 export { assets } from "./assets.js";
 export { bytes, isRequest, json, routedHttp, text } from "./routed-http.js";
+// Capability `astro-ssr-runtime` (v1.52).
+// `cache.*` — sub-second admin-edit visibility via origin-side ISR
+// cache invalidation. Server-side (function-context) only.
+export { cache } from "./cache.js";
+export { CacheInvalidationHostRequiredError, CacheInvalidationHostForbiddenError, } from "./cache.js";
+// Runtime context primitives — used internally by SDK functions to read
+// the current SSR request from AsyncLocalStorage. The SSR Lambda runtime
+// (in @run402/astro) uses `runWithContext` to establish the store; user
+// code typically does not import these directly.
+export { als, getCurrentContext, runWithContext, requireActiveContext, taintCacheBypass, withPaymentTaint, PAYMENT_PRIMITIVES, Run402OutsideRequestContextError, } from "./runtime-context.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAExD,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAEnC,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAS7B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAgBrC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAExD,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAEnC,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAS7B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAgBrC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAO5E,0CAA0C;AAC1C,mEAAmE;AACnE,2DAA2D;AAC3D,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAOnC,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AACpB,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AACxE,iDAAiD;AACjD,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC"}

package/dist/lib/jwt.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Minimal HS256/HS512 JWT sign + verify built directly on `node:crypto`.
+ *
+ * Used internally by `@run402/functions` to verify project JWTs in
+ * `getUser`. Replaces a runtime dependency on the `jsonwebtoken` package
+ * (and its transitive tree `jws` / `jwa` / `ecdsa-sig-formatter` /
+ * `lodash.*` / `ms` / `semver` / `safe-buffer`), so this published SDK
+ * has zero crypto deps beyond `node:crypto`. The companion file in
+ * the private gateway package (`packages/gateway/src/lib/jwt.ts`) is
+ * intentionally a verbatim duplicate — the published SDK cannot pull
+ * from the workspace-private `@run402/shared`.
+ */
+export interface JwtPayload {
+    [key: string]: unknown;
+    iat?: number;
+    exp?: number;
+    nbf?: number;
+    iss?: string;
+    aud?: string | string[];
+    sub?: string;
+    jti?: string;
+}
+export type SupportedAlgorithm = "HS256" | "HS512";
+export interface SignOptions {
+    algorithm?: SupportedAlgorithm;
+    expiresIn?: string | number;
+    noTimestamp?: boolean;
+}
+export interface VerifyOptions {
+    algorithms?: ReadonlyArray<SupportedAlgorithm>;
+    issuer?: string;
+    audience?: string | string[];
+    clockTolerance?: number;
+}
+export declare class JsonWebTokenError extends Error {
+    constructor(message: string);
+}
+export declare class TokenExpiredError extends JsonWebTokenError {
+    expiredAt: Date;
+    constructor(message: string, expiredAt: Date);
+}
+export declare class NotBeforeError extends JsonWebTokenError {
+    date: Date;
+    constructor(message: string, date: Date);
+}
+export declare function sign(payload: object, secret: string, options?: SignOptions): string;
+export declare function verify<T = JwtPayload>(token: string, secret: string, options?: VerifyOptions): T;
+export declare function decode<T = JwtPayload>(token: string): T | null;
+declare const jwt: {
+    sign: typeof sign;
+    verify: typeof verify;
+    decode: typeof decode;
+};
+export default jwt;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/lib/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/lib/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,WAAW,UAAU;IACzB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IACvB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,MAAM,kBAAkB,GAAG,OAAO,GAAG,OAAO,CAAC;AAEnD,MAAM,WAAW,WAAW;IAC1B,SAAS,CAAC,EAAE,kBAAkB,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;IAC/C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,iBAAkB,SAAQ,KAAK;gBAC9B,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,iBAAkB,SAAQ,iBAAiB;IACtD,SAAS,EAAE,IAAI,CAAC;gBACJ,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI;CAK7C;AAED,qBAAa,cAAe,SAAQ,iBAAiB;IACnD,IAAI,EAAE,IAAI,CAAC;gBACC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI;CAKxC;AAqCD,wBAAgB,IAAI,CAClB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,WAAW,GACpB,MAAM,CAmCR;AAED,wBAAgB,MAAM,CAAC,CAAC,GAAG,UAAU,EACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,aAAa,GACtB,CAAC,CA4EH;AAED,wBAAgB,MAAM,CAAC,CAAC,GAAG,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,GAAG,IAAI,CAW9D;AAED,QAAA,MAAM,GAAG;;;;CAA2B,CAAC;AACrC,eAAe,GAAG,CAAC"}

package/dist/lib/jwt.js

@@ -0,0 +1,196 @@
+/**
+ * Minimal HS256/HS512 JWT sign + verify built directly on `node:crypto`.
+ *
+ * Used internally by `@run402/functions` to verify project JWTs in
+ * `getUser`. Replaces a runtime dependency on the `jsonwebtoken` package
+ * (and its transitive tree `jws` / `jwa` / `ecdsa-sig-formatter` /
+ * `lodash.*` / `ms` / `semver` / `safe-buffer`), so this published SDK
+ * has zero crypto deps beyond `node:crypto`. The companion file in
+ * the private gateway package (`packages/gateway/src/lib/jwt.ts`) is
+ * intentionally a verbatim duplicate — the published SDK cannot pull
+ * from the workspace-private `@run402/shared`.
+ */
+import { createHmac, timingSafeEqual } from "node:crypto";
+export class JsonWebTokenError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "JsonWebTokenError";
+    }
+}
+export class TokenExpiredError extends JsonWebTokenError {
+    expiredAt;
+    constructor(message, expiredAt) {
+        super(message);
+        this.name = "TokenExpiredError";
+        this.expiredAt = expiredAt;
+    }
+}
+export class NotBeforeError extends JsonWebTokenError {
+    date;
+    constructor(message, date) {
+        super(message);
+        this.name = "NotBeforeError";
+        this.date = date;
+    }
+}
+function b64urlEncode(input) {
+    const buf = typeof input === "string" ? Buffer.from(input, "utf8") : input;
+    return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function b64urlDecodeToBuffer(input) {
+    if (!/^[A-Za-z0-9_-]*$/.test(input))
+        throw new JsonWebTokenError("invalid token");
+    const norm = input.replace(/-/g, "+").replace(/_/g, "/");
+    const pad = norm.length % 4 === 0 ? "" : "=".repeat(4 - (norm.length % 4));
+    return Buffer.from(norm + pad, "base64");
+}
+const DURATION_RE = /^(-?\d+(?:\.\d+)?)\s*(s|sec|secs|seconds?|m|min|mins|minutes?|h|hr|hrs|hours?|d|days?|w|weeks?|y|years?)?$/i;
+function parseDurationSeconds(input) {
+    if (typeof input === "number") {
+        if (!Number.isFinite(input))
+            throw new TypeError(`Invalid expiresIn: ${input}`);
+        return Math.floor(input);
+    }
+    const m = DURATION_RE.exec(input.trim());
+    if (!m)
+        throw new TypeError(`Invalid expiresIn duration: ${input}`);
+    const n = parseFloat(m[1]);
+    const unit = (m[2] ?? "s").toLowerCase();
+    if (unit.startsWith("y"))
+        return Math.floor(n * 31_557_600);
+    if (unit.startsWith("w"))
+        return Math.floor(n * 604_800);
+    if (unit.startsWith("d"))
+        return Math.floor(n * 86_400);
+    if (unit.startsWith("h"))
+        return Math.floor(n * 3_600);
+    if (unit === "m" || unit.startsWith("min"))
+        return Math.floor(n * 60);
+    return Math.floor(n);
+}
+function hmacForAlg(alg) {
+    return alg === "HS256" ? "sha256" : "sha512";
+}
+export function sign(payload, secret, options) {
+    const alg = options?.algorithm ?? "HS256";
+    if (alg !== "HS256" && alg !== "HS512") {
+        throw new JsonWebTokenError(`Unsupported algorithm: ${alg}`);
+    }
+    if (typeof secret !== "string" || secret.length === 0) {
+        throw new JsonWebTokenError("secretOrPrivateKey must be provided");
+    }
+    if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
+        throw new JsonWebTokenError("payload must be a plain object");
+    }
+    const claims = { ...payload };
+    const noTimestamp = options?.noTimestamp ?? false;
+    if (!noTimestamp && claims.iat === undefined) {
+        claims.iat = Math.floor(Date.now() / 1000);
+    }
+    if (options?.expiresIn !== undefined) {
+        if (claims.exp !== undefined) {
+            throw new JsonWebTokenError("Bad options.expiresIn option the payload already has an exp property");
+        }
+        const offset = parseDurationSeconds(options.expiresIn);
+        const iatRef = typeof claims.iat === "number" ? claims.iat : Math.floor(Date.now() / 1000);
+        claims.exp = iatRef + offset;
+    }
+    const header = { alg, typ: "JWT" };
+    const headerB64 = b64urlEncode(JSON.stringify(header));
+    const payloadB64 = b64urlEncode(JSON.stringify(claims));
+    const sig = createHmac(hmacForAlg(alg), secret)
+        .update(`${headerB64}.${payloadB64}`)
+        .digest();
+    return `${headerB64}.${payloadB64}.${b64urlEncode(sig)}`;
+}
+export function verify(token, secret, options) {
+    if (typeof token !== "string" || token.length === 0) {
+        throw new JsonWebTokenError("jwt must be provided");
+    }
+    if (typeof secret !== "string" || secret.length === 0) {
+        throw new JsonWebTokenError("secret must be provided");
+    }
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        throw new JsonWebTokenError("jwt malformed");
+    const [headerB64, payloadB64, sigB64] = parts;
+    let header;
+    try {
+        header = JSON.parse(b64urlDecodeToBuffer(headerB64).toString("utf8"));
+    }
+    catch {
+        throw new JsonWebTokenError("invalid token");
+    }
+    const allowed = (options?.algorithms ?? ["HS256"]);
+    if (typeof header.alg !== "string" || !allowed.includes(header.alg)) {
+        throw new JsonWebTokenError("invalid algorithm");
+    }
+    if (header.alg !== "HS256" && header.alg !== "HS512") {
+        throw new JsonWebTokenError("invalid algorithm");
+    }
+    const expected = createHmac(hmacForAlg(header.alg), secret)
+        .update(`${headerB64}.${payloadB64}`)
+        .digest();
+    let got;
+    try {
+        got = b64urlDecodeToBuffer(sigB64);
+    }
+    catch {
+        throw new JsonWebTokenError("invalid signature");
+    }
+    if (got.length !== expected.length || !timingSafeEqual(got, expected)) {
+        throw new JsonWebTokenError("invalid signature");
+    }
+    let payload;
+    try {
+        payload = JSON.parse(b64urlDecodeToBuffer(payloadB64).toString("utf8"));
+    }
+    catch {
+        throw new JsonWebTokenError("invalid token");
+    }
+    if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
+        throw new JsonWebTokenError("invalid token");
+    }
+    const clockTolerance = options?.clockTolerance ?? 0;
+    const now = Math.floor(Date.now() / 1000);
+    if (typeof payload.exp === "number" && payload.exp + clockTolerance < now) {
+        throw new TokenExpiredError("jwt expired", new Date(payload.exp * 1000));
+    }
+    if (typeof payload.nbf === "number" && payload.nbf - clockTolerance > now) {
+        throw new NotBeforeError("jwt not active", new Date(payload.nbf * 1000));
+    }
+    if (options?.issuer !== undefined && payload.iss !== options.issuer) {
+        throw new JsonWebTokenError(`jwt issuer invalid. expected: ${options.issuer}`);
+    }
+    if (options?.audience !== undefined) {
+        const wantArr = Array.isArray(options.audience) ? options.audience : [options.audience];
+        const haveArr = Array.isArray(payload.aud)
+            ? payload.aud
+            : payload.aud !== undefined
+                ? [payload.aud]
+                : [];
+        if (!wantArr.some((w) => haveArr.includes(w))) {
+            throw new JsonWebTokenError("jwt audience invalid");
+        }
+    }
+    return payload;
+}
+export function decode(token) {
+    if (typeof token !== "string")
+        return null;
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        return null;
+    try {
+        const decoded = JSON.parse(b64urlDecodeToBuffer(parts[1]).toString("utf8"));
+        if (decoded === null || typeof decoded !== "object" || Array.isArray(decoded))
+            return null;
+        return decoded;
+    }
+    catch {
+        return null;
+    }
+}
+const jwt = { sign, verify, decode };
+export default jwt;
+//# sourceMappingURL=jwt.js.map

package/dist/lib/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../src/lib/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AA4B1D,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,iBAAiB;IACtD,SAAS,CAAO;IAChB,YAAY,OAAe,EAAE,SAAe;QAC1C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,iBAAiB;IACnD,IAAI,CAAO;IACX,YAAY,OAAe,EAAE,IAAU;QACrC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;QAC7B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,SAAS,YAAY,CAAC,KAAsB;IAC1C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IAC3E,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC3F,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAa;IACzC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAClF,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IAC3E,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,EAAE,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,WAAW,GAAG,6GAA6G,CAAC;AAElI,SAAS,oBAAoB,CAAC,KAAsB;IAClD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,MAAM,IAAI,SAAS,CAAC,sBAAsB,KAAK,EAAE,CAAC,CAAC;QAChF,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IACD,MAAM,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC;QAAE,MAAM,IAAI,SAAS,CAAC,+BAA+B,KAAK,EAAE,CAAC,CAAC;IACpE,MAAM,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IACzC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,UAAU,CAAC,CAAC;IAC5D,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC;IACzD,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC;IACxD,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;IACvD,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACtE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,UAAU,CAAC,GAAuB;IACzC,OAAO,GAAG,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,IAAI,CAClB,OAAe,EACf,MAAc,EACd,OAAqB;IAErB,MAAM,GAAG,GAAuB,OAAO,EAAE,SAAS,IAAI,OAAO,CAAC;IAC9D,IAAI,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;QACvC,MAAM,IAAI,iBAAiB,CAAC,0BAA0B,GAAG,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,iBAAiB,CAAC,qCAAqC,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9E,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;IAChE,CAAC;IAED,MAAM,MAAM,GAA4B,EAAE,GAAI,OAAmC,EAAE,CAAC;IACpF,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,KAAK,CAAC;IAClD,IAAI,CAAC,WAAW,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC7C,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,CAAC;IACD,IAAI,OAAO,EAAE,SAAS,KAAK,SAAS,EAAE,CAAC;QACrC,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,iBAAiB,CACzB,sEAAsE,CACvE,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,oBAAoB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC3F,MAAM,CAAC,GAAG,GAAG,MAAM,GAAG,MAAM,CAAC;IAC/B,CAAC;IAED,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IACnC,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACvD,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;SAC5C,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;SACpC,MAAM,EAAE,CAAC;IACZ,OAAO,GAAG,SAAS,IAAI,UAAU,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,MAAM,CACpB,KAAa,EACb,MAAc,EACd,OAAuB;IAEvB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,iBAAiB,CAAC,sBAAsB,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,iBAAiB,CAAC,yBAAyB,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IACrE,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC;IAE9C,IAAI,MAAwC,CAAC;IAC7C,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAGnE,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,OAAO,EAAE,UAAU,IAAI,CAAC,OAAO,CAAC,CAA0B,CAAC;IAC5E,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QACpE,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QACrD,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,QAAQ,GAAG,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;SACxD,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;SACpC,MAAM,EAAE,CAAC;IACZ,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,OAAmB,CAAC;IACxB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAe,CAAC;IACxF,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9E,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,cAAc,GAAG,OAAO,EAAE,cAAc,IAAI,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,cAAc,GAAG,GAAG,EAAE,CAAC;QAC1E,MAAM,IAAI,iBAAiB,CAAC,aAAa,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,cAAc,GAAG,GAAG,EAAE,CAAC;QAC1E,MAAM,IAAI,cAAc,CAAC,gBAAgB,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,OAAO,EAAE,MAAM,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;QACpE,MAAM,IAAI,iBAAiB,CAAC,iCAAiC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACxF,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;YACxC,CAAC,CAAC,OAAO,CAAC,GAAG;YACb,CAAC,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS;gBACzB,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;gBACf,CAAC,CAAC,EAAE,CAAC;QACT,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9C,MAAM,IAAI,iBAAiB,CAAC,sBAAsB,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,OAAO,OAAY,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,MAAM,CAAiB,KAAa;IAClD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAY,CAAC;QACvF,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;QAC3F,OAAO,OAAY,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AACrC,eAAe,GAAG,CAAC"}

package/dist/runtime-context.d.ts

@@ -0,0 +1,152 @@
+/**
+ * SSR request context primitive — capability `functions-sdk-auth-model`.
+ *
+ * The SSR Lambda runtime establishes this context via `als.run(...)`
+ * BEFORE importing or executing the Astro server bundle (or any other
+ * user-supplied code). SDK functions that need request-scoped state
+ * (`db()`, `getUser()`, `cache.*`, `assets.*`, `email.*`, `ai.*`) read
+ * from `getCurrentContext()` rather than requiring explicit context
+ * parameters at the call site.
+ *
+ * The `active` flag exists because Node's AsyncLocalStorage propagates
+ * into timers, microtasks, and unawaited promises created inside
+ * `als.run()`. Without an explicit flag, a `setTimeout(() => db()..., 60_000)`
+ * scheduled inside a handler would, when the timer fires later, still
+ * observe an `als.getStore()` pointing at the (now-completed) request —
+ * leading to stale or incorrect SDK behavior. The SSR runtime sets
+ * `active.value = false` IMMEDIATELY after the response body is fully
+ * materialized; SDK functions check the flag and throw
+ * `R402_SDK_OUTSIDE_REQUEST_CONTEXT` when it's false.
+ *
+ * Likewise `cacheBypassTainted.value` is set to `true` by `getUser()`
+ * and payment-primitive SDK calls during render; the SSR runtime returns
+ * its final value to the gateway in the Lambda response metadata envelope
+ * (NOT via in-process ALS — the gateway runs in a different process).
+ *
+ * @see openspec/changes/astro-ssr-runtime/specs/functions-sdk-auth-model/spec.md
+ * @see openspec/changes/astro-ssr-runtime/specs/routed-http-functions/spec.md
+ */
+import { AsyncLocalStorage } from "node:async_hooks";
+/** The shape stored in AsyncLocalStorage. See the spec referenced above
+ *  for the canonical definition. */
+export interface RunRequestContext {
+    /** Unique per-request id; matches `x-run402-request-id`. */
+    requestId: string;
+    projectId: string;
+    releaseId: string;
+    /** v1.49-negotiated locale string. `null` when the active release has
+     *  no i18n slice. */
+    locale: string | null;
+    /** Echoed verbatim from the active release's `i18n.defaultLocale`,
+     *  `null` when the release has no i18n slice. */
+    defaultLocale: string | null;
+    /** Validated host from the routed-function envelope — NOT the raw
+     *  `Host` header. Cache-key host comes from here. */
+    host: string;
+    /** Request information SDK functions need (cookies for `getUser()`,
+     *  url for invalidate path-form, etc.). Body is intentionally absent
+     *  — user code reads body via the standard Web Request API passed to
+     *  the handler. */
+    request: {
+        method: string;
+        url: string;
+        headers: Record<string, string | string[] | undefined>;
+    };
+    /** Mutable ref: SDK functions that read request-scoped auth or invoke
+     *  payment primitives set `value = true`. The SSR Lambda runtime
+     *  returns the final value to the gateway in the response metadata
+     *  envelope. */
+    cacheBypassTainted: {
+        value: boolean;
+    };
+    /** Mutable ref: SSR runtime sets `value = false` after the response
+     *  body has been fully materialized. SDK functions check this AND
+     *  the store presence; either being false produces
+     *  `R402_SDK_OUTSIDE_REQUEST_CONTEXT`. */
+    active: {
+        value: boolean;
+    };
+}
+/** The shared ALS instance. Modules in @run402/functions read from
+ *  this; the SSR Lambda runtime (in @run402/astro) writes to it. */
+export declare const als: AsyncLocalStorage<RunRequestContext>;
+/**
+ * Read the current request context, or `undefined` if no SSR request
+ * is in flight. SDK functions check both this AND `active.value` to
+ * decide whether to honor the call.
+ */
+export declare function getCurrentContext(): RunRequestContext | undefined;
+/**
+ * Establish a request context and run a callback inside it. The SSR
+ * Lambda runtime calls this exactly once per invocation, wrapping the
+ * full `App.render(request)` + body-materialization sequence.
+ *
+ * The `active` flag is set to `true` initially; the caller (the SSR
+ * runtime) flips it to `false` after the response body is materialized.
+ * Don't call this from user code — it's the runtime's primitive.
+ */
+export declare function runWithContext<T>(context: Omit<RunRequestContext, "cacheBypassTainted" | "active"> & Partial<Pick<RunRequestContext, "cacheBypassTainted" | "active">>, callback: () => Promise<T> | T): Promise<T> | T;
+/**
+ * Throw a structured `R402_SDK_OUTSIDE_REQUEST_CONTEXT` error. Used by
+ * SDK functions when they're invoked with no ALS store OR while the
+ * context has been marked inactive.
+ *
+ * Per the api-error-envelope spec, the thrown error carries:
+ *   - `code: 'R402_SDK_OUTSIDE_REQUEST_CONTEXT'`
+ *   - `message`: names the SDK function and the cause
+ *   - `suggestedFix`: recommends moving the call inside a handler OR
+ *     not scheduling background work that outlives the response
+ *   - `docs`: `https://docs.run402.com/sdk/errors#outside-request-context`
+ */
+export declare class Run402OutsideRequestContextError extends Error {
+    readonly code = "R402_SDK_OUTSIDE_REQUEST_CONTEXT";
+    readonly docs = "https://docs.run402.com/sdk/errors#outside-request-context";
+    readonly suggestedFix: string;
+    readonly sdkFunction: string;
+    readonly cause: "no_context" | "context_inactive";
+    constructor(sdkFunction: string, cause: "no_context" | "context_inactive");
+}
+/**
+ * Assert that a request context is active. Returns the context on
+ * success; throws `Run402OutsideRequestContextError` on failure.
+ *
+ * SDK functions call this as the first line, e.g.:
+ *
+ *   const ctx = requireActiveContext("db");
+ *   // use ctx.projectId, ctx.request.headers, etc.
+ */
+export declare function requireActiveContext(sdkFunction: string): RunRequestContext;
+/**
+ * Flip the cache-bypass taint flag on the current context. Called by
+ * `getUser()` and payment-primitive SDK calls to signal that the
+ * rendered response depends on request-scoped auth state and therefore
+ * MUST NOT be cached publicly.
+ *
+ * No-op if there is no active context (rather than throwing — the taint
+ * is moot when there's no cache layer to inform).
+ */
+export declare function taintCacheBypass(): void;
+/**
+ * Canonical registry of SDK functions that are "payment primitives" for
+ * cache-taint purposes. Calling any of these inside an active request
+ * context MUST flip `cacheBypassTainted.value = true`. The set is
+ * defined here so the spec, runtime, and docs share one source of truth.
+ *
+ * To add a new payment primitive: append to this set AND ensure the
+ * function's implementation calls `taintCacheBypass()` on every entry.
+ *
+ * @see openspec/changes/astro-ssr-runtime/specs/functions-sdk-auth-model/spec.md
+ */
+export declare const PAYMENT_PRIMITIVES: ReadonlySet<string>;
+/**
+ * Helper for payment-primitive implementations. Wraps the body in a
+ * taint-on-entry call so the registry contract is enforced at the
+ * SDK layer rather than relying on each implementation to remember.
+ *
+ * Example:
+ *   export const requirePayment = withPaymentTaint("payments.require", async (opts) => {
+ *     // ... actual implementation
+ *   });
+ */
+export declare function withPaymentTaint<TArgs extends unknown[], TReturn>(name: string, impl: (...args: TArgs) => TReturn): (...args: TArgs) => TReturn;
+//# sourceMappingURL=runtime-context.d.ts.map

package/dist/runtime-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-context.d.ts","sourceRoot":"","sources":["../src/runtime-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAErD;oCACoC;AACpC,MAAM,WAAW,iBAAiB;IAChC,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB;yBACqB;IACrB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB;qDACiD;IACjD,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;yDACqD;IACrD,IAAI,EAAE,MAAM,CAAC;IACb;;;uBAGmB;IACnB,OAAO,EAAE;QACP,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;QACZ,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;KACxD,CAAC;IACF;;;oBAGgB;IAChB,kBAAkB,EAAE;QAAE,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;IACvC;;;8CAG0C;IAC1C,MAAM,EAAE;QAAE,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;CAC5B;AAED;oEACoE;AACpE,eAAO,MAAM,GAAG,sCAA6C,CAAC;AAE9D;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,iBAAiB,GAAG,SAAS,CAEjE;AAED;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAC9B,OAAO,EAAE,IAAI,CAAC,iBAAiB,EAAE,oBAAoB,GAAG,QAAQ,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,iBAAiB,EAAE,oBAAoB,GAAG,QAAQ,CAAC,CAAC,EACrI,QAAQ,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,GAC7B,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAOhB;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,gCAAiC,SAAQ,KAAK;IACzD,QAAQ,CAAC,IAAI,sCAAsC;IACnD,QAAQ,CAAC,IAAI,gEAAgE;IAC7E,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,EAAE,YAAY,GAAG,kBAAkB,CAAC;gBAEtC,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,GAAG,kBAAkB;CAc1E;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,iBAAiB,CAS3E;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAKvC;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kBAAkB,EAAE,WAAW,CAAC,MAAM,CAUjD,CAAC;AAEH;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,SAAS,OAAO,EAAE,EAAE,OAAO,EAC/D,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,KAAK,KAAK,OAAO,GAChC,CAAC,GAAG,IAAI,EAAE,KAAK,KAAK,OAAO,CAe7B"}

package/dist/runtime-context.js

@@ -0,0 +1,170 @@
+/**
+ * SSR request context primitive — capability `functions-sdk-auth-model`.
+ *
+ * The SSR Lambda runtime establishes this context via `als.run(...)`
+ * BEFORE importing or executing the Astro server bundle (or any other
+ * user-supplied code). SDK functions that need request-scoped state
+ * (`db()`, `getUser()`, `cache.*`, `assets.*`, `email.*`, `ai.*`) read
+ * from `getCurrentContext()` rather than requiring explicit context
+ * parameters at the call site.
+ *
+ * The `active` flag exists because Node's AsyncLocalStorage propagates
+ * into timers, microtasks, and unawaited promises created inside
+ * `als.run()`. Without an explicit flag, a `setTimeout(() => db()..., 60_000)`
+ * scheduled inside a handler would, when the timer fires later, still
+ * observe an `als.getStore()` pointing at the (now-completed) request —
+ * leading to stale or incorrect SDK behavior. The SSR runtime sets
+ * `active.value = false` IMMEDIATELY after the response body is fully
+ * materialized; SDK functions check the flag and throw
+ * `R402_SDK_OUTSIDE_REQUEST_CONTEXT` when it's false.
+ *
+ * Likewise `cacheBypassTainted.value` is set to `true` by `getUser()`
+ * and payment-primitive SDK calls during render; the SSR runtime returns
+ * its final value to the gateway in the Lambda response metadata envelope
+ * (NOT via in-process ALS — the gateway runs in a different process).
+ *
+ * @see openspec/changes/astro-ssr-runtime/specs/functions-sdk-auth-model/spec.md
+ * @see openspec/changes/astro-ssr-runtime/specs/routed-http-functions/spec.md
+ */
+import { AsyncLocalStorage } from "node:async_hooks";
+/** The shared ALS instance. Modules in @run402/functions read from
+ *  this; the SSR Lambda runtime (in @run402/astro) writes to it. */
+export const als = new AsyncLocalStorage();
+/**
+ * Read the current request context, or `undefined` if no SSR request
+ * is in flight. SDK functions check both this AND `active.value` to
+ * decide whether to honor the call.
+ */
+export function getCurrentContext() {
+    return als.getStore();
+}
+/**
+ * Establish a request context and run a callback inside it. The SSR
+ * Lambda runtime calls this exactly once per invocation, wrapping the
+ * full `App.render(request)` + body-materialization sequence.
+ *
+ * The `active` flag is set to `true` initially; the caller (the SSR
+ * runtime) flips it to `false` after the response body is materialized.
+ * Don't call this from user code — it's the runtime's primitive.
+ */
+export function runWithContext(context, callback) {
+    const full = {
+        ...context,
+        cacheBypassTainted: context.cacheBypassTainted ?? { value: false },
+        active: context.active ?? { value: true },
+    };
+    return als.run(full, callback);
+}
+/**
+ * Throw a structured `R402_SDK_OUTSIDE_REQUEST_CONTEXT` error. Used by
+ * SDK functions when they're invoked with no ALS store OR while the
+ * context has been marked inactive.
+ *
+ * Per the api-error-envelope spec, the thrown error carries:
+ *   - `code: 'R402_SDK_OUTSIDE_REQUEST_CONTEXT'`
+ *   - `message`: names the SDK function and the cause
+ *   - `suggestedFix`: recommends moving the call inside a handler OR
+ *     not scheduling background work that outlives the response
+ *   - `docs`: `https://docs.run402.com/sdk/errors#outside-request-context`
+ */
+export class Run402OutsideRequestContextError extends Error {
+    code = "R402_SDK_OUTSIDE_REQUEST_CONTEXT";
+    docs = "https://docs.run402.com/sdk/errors#outside-request-context";
+    suggestedFix;
+    sdkFunction;
+    cause;
+    constructor(sdkFunction, cause) {
+        const causeMsg = cause === "no_context"
+            ? "no active request context (called from module scope or outside a handler)"
+            : "request context marked inactive (called from a timer or unawaited promise after response completion)";
+        super(`${sdkFunction}: ${causeMsg}`);
+        this.name = "Run402OutsideRequestContextError";
+        this.sdkFunction = sdkFunction;
+        this.cause = cause;
+        this.suggestedFix =
+            cause === "no_context"
+                ? `Move the ${sdkFunction} call inside an HTTP request handler or Astro frontmatter. SDK functions cannot resolve project context outside an active request.`
+                : `The request that called ${sdkFunction} has already returned. Don't schedule SDK calls in setTimeout / setInterval / unawaited promises that outlive the handler.`;
+    }
+}
+/**
+ * Assert that a request context is active. Returns the context on
+ * success; throws `Run402OutsideRequestContextError` on failure.
+ *
+ * SDK functions call this as the first line, e.g.:
+ *
+ *   const ctx = requireActiveContext("db");
+ *   // use ctx.projectId, ctx.request.headers, etc.
+ */
+export function requireActiveContext(sdkFunction) {
+    const ctx = als.getStore();
+    if (ctx === undefined) {
+        throw new Run402OutsideRequestContextError(sdkFunction, "no_context");
+    }
+    if (!ctx.active.value) {
+        throw new Run402OutsideRequestContextError(sdkFunction, "context_inactive");
+    }
+    return ctx;
+}
+/**
+ * Flip the cache-bypass taint flag on the current context. Called by
+ * `getUser()` and payment-primitive SDK calls to signal that the
+ * rendered response depends on request-scoped auth state and therefore
+ * MUST NOT be cached publicly.
+ *
+ * No-op if there is no active context (rather than throwing — the taint
+ * is moot when there's no cache layer to inform).
+ */
+export function taintCacheBypass() {
+    const ctx = als.getStore();
+    if (ctx !== undefined) {
+        ctx.cacheBypassTainted.value = true;
+    }
+}
+/**
+ * Canonical registry of SDK functions that are "payment primitives" for
+ * cache-taint purposes. Calling any of these inside an active request
+ * context MUST flip `cacheBypassTainted.value = true`. The set is
+ * defined here so the spec, runtime, and docs share one source of truth.
+ *
+ * To add a new payment primitive: append to this set AND ensure the
+ * function's implementation calls `taintCacheBypass()` on every entry.
+ *
+ * @see openspec/changes/astro-ssr-runtime/specs/functions-sdk-auth-model/spec.md
+ */
+export const PAYMENT_PRIMITIVES = new Set([
+// None implemented yet — the registry exists so the contract is
+// explicit and discoverable. Payment-primitive SDK functions added
+// in future changes (per Run402 x402/MPP roadmap) will register here
+// as they land.
+// Example future entries (commented to keep the set actually empty
+// until the helpers ship):
+//   "payments.require",
+//   "payments.gate",
+//   "payments.fulfill",
+]);
+/**
+ * Helper for payment-primitive implementations. Wraps the body in a
+ * taint-on-entry call so the registry contract is enforced at the
+ * SDK layer rather than relying on each implementation to remember.
+ *
+ * Example:
+ *   export const requirePayment = withPaymentTaint("payments.require", async (opts) => {
+ *     // ... actual implementation
+ *   });
+ */
+export function withPaymentTaint(name, impl) {
+    if (!PAYMENT_PRIMITIVES.has(name)) {
+        // Doesn't throw — adding a new primitive is a code change and the
+        // dev sees this on first invocation. Throwing would block legitimate
+        // experimentation. But emit a warning so the registry stays correct.
+        // eslint-disable-next-line no-console
+        console.warn(`[run402] withPaymentTaint("${name}") called but "${name}" is not in PAYMENT_PRIMITIVES. ` +
+            `Add it to packages/functions/src/runtime-context.ts to keep the cache-taint registry consistent.`);
+    }
+    return (...args) => {
+        taintCacheBypass();
+        return impl(...args);
+    };
+}
+//# sourceMappingURL=runtime-context.js.map

package/dist/runtime-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-context.js","sourceRoot":"","sources":["../src/runtime-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAuCrD;oEACoE;AACpE,MAAM,CAAC,MAAM,GAAG,GAAG,IAAI,iBAAiB,EAAqB,CAAC;AAE9D;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAC5B,OAAqI,EACrI,QAA8B;IAE9B,MAAM,IAAI,GAAsB;QAC9B,GAAG,OAAO;QACV,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE;QAClE,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;KAC1C,CAAC;IACF,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AACjC,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,gCAAiC,SAAQ,KAAK;IAChD,IAAI,GAAG,kCAAkC,CAAC;IAC1C,IAAI,GAAG,4DAA4D,CAAC;IACpE,YAAY,CAAS;IACrB,WAAW,CAAS;IACpB,KAAK,CAAoC;IAElD,YAAY,WAAmB,EAAE,KAAwC;QACvE,MAAM,QAAQ,GACZ,KAAK,KAAK,YAAY;YACpB,CAAC,CAAC,2EAA2E;YAC7E,CAAC,CAAC,sGAAsG,CAAC;QAC7G,KAAK,CAAC,GAAG,WAAW,KAAK,QAAQ,EAAE,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,GAAG,kCAAkC,CAAC;QAC/C,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,YAAY;YACf,KAAK,KAAK,YAAY;gBACpB,CAAC,CAAC,YAAY,WAAW,oIAAoI;gBAC7J,CAAC,CAAC,2BAA2B,WAAW,4HAA4H,CAAC;IAC3K,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAAC,WAAmB;IACtD,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC3B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,MAAM,IAAI,gCAAgC,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QACtB,MAAM,IAAI,gCAAgC,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC3B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,GAAG,CAAC,kBAAkB,CAAC,KAAK,GAAG,IAAI,CAAC;IACtC,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;AAC7D,gEAAgE;AAChE,mEAAmE;AACnE,qEAAqE;AACrE,gBAAgB;AAChB,mEAAmE;AACnE,2BAA2B;AAC3B,wBAAwB;AACxB,qBAAqB;AACrB,wBAAwB;CACzB,CAAC,CAAC;AAEH;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAC9B,IAAY,EACZ,IAAiC;IAEjC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAClC,kEAAkE;QAClE,qEAAqE;QACrE,qEAAqE;QACrE,sCAAsC;QACtC,OAAO,CAAC,IAAI,CACV,8BAA8B,IAAI,kBAAkB,IAAI,kCAAkC;YACxF,kGAAkG,CACrG,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,GAAG,IAAW,EAAW,EAAE;QACjC,gBAAgB,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;IACvB,CAAC,CAAC;AACJ,CAAC"}