@slashfi/agents-sdk 0.7.0 → 0.9.0

package/dist/integration-interface.js

@@ -0,0 +1,94 @@
+/**
+ * Integration interface — standard tools that integration agents implement.
+ *
+ * Any agent that acts as an integration source should implement these tools.
+ * They are all internal visibility and only callable by @integrations.
+ */
+import { defineTool } from './define.js';
+/**
+ * Create the standard _integration tools for an agent.
+ * Returns an array of ToolDefinitions to include in the agent's tools.
+ */
+export function createIntegrationTools(config) {
+    const { agentPath, store, discover, setup, connect } = config;
+    const discoverTool = defineTool({
+        name: 'discover_integrations',
+        description: `Discover available integrations for ${agentPath}.`,
+        visibility: 'internal',
+        inputSchema: {
+            type: 'object',
+            properties: {},
+        },
+        execute: async () => {
+            const available = await discover();
+            return available;
+        },
+    });
+    const setupTool = defineTool({
+        name: 'setup_integration',
+        description: `Set up a new integration for ${agentPath}.`,
+        visibility: 'internal',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                config: { type: 'object', description: 'Integration configuration' },
+            },
+            required: ['config'],
+        },
+        execute: async (input, ctx) => {
+            const result = await setup(input.config, ctx);
+            if (result.success && !result.oauthUrl) {
+                // Direct setup (no OAuth needed) — create integration row
+                const integration = await store.create({
+                    agentPath,
+                    config: input.config,
+                    installedBy: ctx.callerId,
+                });
+                return { success: true, integrationId: integration.id };
+            }
+            return result;
+        },
+    });
+    const connectTool = defineTool({
+        name: 'connect_integration',
+        description: `Test or authorize a ${agentPath} integration connection.`,
+        visibility: 'internal',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                integration_id: { type: 'string', description: 'Integration ID to connect' },
+            },
+            required: ['integration_id'],
+        },
+        execute: async (input, ctx) => {
+            if (connect) {
+                const result = await connect(input.integration_id, ctx);
+                if (result.success) {
+                    await store.update(input.integration_id, { status: 'active' });
+                }
+                else {
+                    await store.update(input.integration_id, { status: 'error' });
+                }
+                return result;
+            }
+            return { success: true };
+        },
+    });
+    const listTool = defineTool({
+        name: 'list_integrations',
+        description: `List installed integrations for ${agentPath}.`,
+        visibility: 'internal',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                tenant_id: { type: 'string', description: 'Filter by tenant' },
+            },
+        },
+        execute: async (input) => {
+            const integrations = await store.listByAgent(agentPath, input.tenant_id);
+            return integrations;
+        },
+    });
+    return [discoverTool, setupTool, connectTool, listTool];
+}
+//# sourceMappingURL=integration-interface.js.map

package/dist/integration-interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"integration-interface.js","sourceRoot":"","sources":["../src/integration-interface.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAqBzC;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAkC;IACvE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IAE9D,MAAM,YAAY,GAAG,UAAU,CAAC;QAC9B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,uCAAuC,SAAS,GAAG;QAChE,UAAU,EAAE,UAAmB;QAC/B,WAAW,EAAE;YACX,IAAI,EAAE,QAAiB;YACvB,UAAU,EAAE,EAAE;SACf;QACD,OAAO,EAAE,KAAK,IAAI,EAAE;YAClB,MAAM,SAAS,GAAG,MAAM,QAAQ,EAAE,CAAC;YACnC,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,UAAU,CAAC;QAC3B,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,gCAAgC,SAAS,GAAG;QACzD,UAAU,EAAE,UAAmB;QAC/B,WAAW,EAAE;YACX,IAAI,EAAE,QAAiB;YACvB,UAAU,EAAE;gBACV,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,2BAA2B,EAAE;aACrE;YACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;SACrB;QACD,OAAO,EAAE,KAAK,EAAE,KAA0C,EAAE,GAAgB,EAAE,EAAE;YAC9E,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAC9C,IAAI,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACvC,0DAA0D;gBAC1D,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC;oBACrC,SAAS;oBACT,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,WAAW,EAAE,GAAG,CAAC,QAAQ;iBAC1B,CAAC,CAAC;gBACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC;YAC1D,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;KACF,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,UAAU,CAAC;QAC7B,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,uBAAuB,SAAS,0BAA0B;QACvE,UAAU,EAAE,UAAmB;QAC/B,WAAW,EAAE;YACX,IAAI,EAAE,QAAiB;YACvB,UAAU,EAAE;gBACV,cAAc,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,2BAA2B,EAAE;aAC7E;YACD,QAAQ,EAAE,CAAC,gBAAgB,CAAC;SAC7B;QACD,OAAO,EAAE,KAAK,EAAE,KAAiC,EAAE,GAAgB,EAAE,EAAE;YACrE,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;gBACxD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBACnB,MAAM,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACjE,CAAC;qBAAM,CAAC;oBACN,MAAM,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;gBAChE,CAAC;gBACD,OAAO,MAAM,CAAC;YAChB,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;KACF,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,UAAU,CAAC;QAC1B,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,mCAAmC,SAAS,GAAG;QAC5D,UAAU,EAAE,UAAmB;QAC/B,WAAW,EAAE;YACX,IAAI,EAAE,QAAiB;YACvB,UAAU,EAAE;gBACV,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,kBAAkB,EAAE;aAC/D;SACF;QACD,OAAO,EAAE,KAAK,EAAE,KAA6B,EAAE,EAAE;YAC/C,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;YACzE,OAAO,YAAY,CAAC;QACtB,CAAC;KACF,CAAC,CAAC;IAEH,OAAO,CAAC,YAAY,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAkC,CAAC;AAC3F,CAAC"}

package/dist/integrations-store.d.ts

@@ -0,0 +1,33 @@
+/**
+ * IntegrationsStore — persistence interface for installed integrations.
+ *
+ * Each integration is an agent that's been configured and connected.
+ * The store tracks what's installed, its config, and status.
+ */
+export interface Integration {
+    id: string;
+    agentPath: string;
+    tenantId?: string;
+    status: 'active' | 'disabled' | 'error';
+    config: Record<string, unknown>;
+    installedBy?: string;
+    installedAt: number;
+    updatedAt: number;
+}
+export interface CreateIntegrationInput {
+    agentPath: string;
+    tenantId?: string;
+    config: Record<string, unknown>;
+    installedBy?: string;
+}
+export interface IntegrationsStore {
+    create(input: CreateIntegrationInput): Promise<Integration>;
+    get(id: string): Promise<Integration | null>;
+    list(tenantId?: string): Promise<Integration[]>;
+    listByAgent(agentPath: string, tenantId?: string): Promise<Integration[]>;
+    update(id: string, updates: Partial<Pick<Integration, 'status' | 'config' | 'updatedAt'>>): Promise<Integration | null>;
+    delete(id: string): Promise<boolean>;
+}
+/** In-memory implementation for testing / lightweight use */
+export declare function createInMemoryIntegrationsStore(): IntegrationsStore;
+//# sourceMappingURL=integrations-store.d.ts.map

package/dist/integrations-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"integrations-store.d.ts","sourceRoot":"","sources":["../src/integrations-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,QAAQ,GAAG,UAAU,GAAG,OAAO,CAAC;IACxC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,sBAAsB;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,CAAC,KAAK,EAAE,sBAAsB,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAC5D,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAChD,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAC1E,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,GAAG,QAAQ,GAAG,WAAW,CAAC,CAAC,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IACxH,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACtC;AAED,6DAA6D;AAC7D,wBAAgB,+BAA+B,IAAI,iBAAiB,CAgDnE"}

package/dist/integrations-store.js

@@ -0,0 +1,50 @@
+/**
+ * IntegrationsStore — persistence interface for installed integrations.
+ *
+ * Each integration is an agent that's been configured and connected.
+ * The store tracks what's installed, its config, and status.
+ */
+/** In-memory implementation for testing / lightweight use */
+export function createInMemoryIntegrationsStore() {
+    const integrations = new Map();
+    return {
+        async create(input) {
+            const id = `int_${Math.random().toString(36).slice(2, 14)}`;
+            const now = Date.now();
+            const integration = {
+                id,
+                agentPath: input.agentPath,
+                tenantId: input.tenantId,
+                status: 'active',
+                config: input.config,
+                installedBy: input.installedBy,
+                installedAt: now,
+                updatedAt: now,
+            };
+            integrations.set(id, integration);
+            return integration;
+        },
+        async get(id) {
+            return integrations.get(id) ?? null;
+        },
+        async list(tenantId) {
+            const all = Array.from(integrations.values());
+            return tenantId ? all.filter(i => i.tenantId === tenantId) : all;
+        },
+        async listByAgent(agentPath, tenantId) {
+            return Array.from(integrations.values()).filter(i => i.agentPath === agentPath && (!tenantId || i.tenantId === tenantId));
+        },
+        async update(id, updates) {
+            const existing = integrations.get(id);
+            if (!existing)
+                return null;
+            const updated = { ...existing, ...updates, updatedAt: Date.now() };
+            integrations.set(id, updated);
+            return updated;
+        },
+        async delete(id) {
+            return integrations.delete(id);
+        },
+    };
+}
+//# sourceMappingURL=integrations-store.js.map

package/dist/integrations-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"integrations-store.js","sourceRoot":"","sources":["../src/integrations-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA6BH,6DAA6D;AAC7D,MAAM,UAAU,+BAA+B;IAC7C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAuB,CAAC;IAEpD,OAAO;QACL,KAAK,CAAC,MAAM,CAAC,KAAK;YAChB,MAAM,EAAE,GAAG,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;YAC5D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,WAAW,GAAgB;gBAC/B,EAAE;gBACF,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,MAAM,EAAE,QAAQ;gBAChB,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,WAAW,EAAE,GAAG;gBAChB,SAAS,EAAE,GAAG;aACf,CAAC;YACF,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;YAClC,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,EAAE;YACV,OAAO,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;QACtC,CAAC;QAED,KAAK,CAAC,IAAI,CAAC,QAAS;YAClB,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;YAC9C,OAAO,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QACnE,CAAC;QAED,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,QAAS;YACpC,OAAO,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAC7C,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CACzE,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,OAAO;YACtB,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACtC,IAAI,CAAC,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAC3B,MAAM,OAAO,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,OAAO,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACnE,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;YAC9B,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,EAAE;YACb,OAAO,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACjC,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/jwt.d.ts

@@ -1,38 +1,107 @@
 /**
  * JWT utilities for auth tokens.
  *
- * Minimal JWT implementation using Web Crypto API (HMAC-SHA256).
- * No external dependencies.
+ * Supports two modes:
+ * - ES256 (asymmetric) — for production / cross-registry trust
+ * - HS256 (HMAC) — for backward compat / simple single-server setups
+ *
+ * Uses `jose` library for all crypto operations.
  */
+import { type JWK } from "jose";
 /** JWT payload for auth tokens */
-export interface JwtPayload {
-    /** Subject - the client ID */
+export interface AgentJwtPayload {
+    /** Subject - the client ID or user ID */
     sub: string;
-    /** Client name */
+    /** Client/user name */
     name: string;
+    /** Issuer URL */
+    iss?: string;
     /** Tenant ID */
     tenantId?: string;
+    /** User ID (when acting on behalf of a user) */
+    userId?: string;
     /** Scopes */
     scopes: string[];
+    /** Identities (for cross-registry provisioning) */
+    identities?: Array<{
+        provider: string;
+        id: string;
+        [key: string]: unknown;
+    }>;
     /** Issued at (unix seconds) */
     iat: number;
     /** Expires at (unix seconds) */
     exp: number;
 }
+/** A signing key with metadata */
+export interface SigningKey {
+    /** Unique key ID */
+    kid: string;
+    /** Private key (for signing) */
+    privateKey: CryptoKey;
+    /** Public key (for verification + JWKS) */
+    publicKey: CryptoKey;
+    /** Algorithm */
+    alg: string;
+    /** Status */
+    status: "active" | "deprecated" | "revoked";
+    /** When this key was created */
+    createdAt: number;
+}
+/** Exported key pair for storage */
+export interface ExportedKeyPair {
+    kid: string;
+    alg: string;
+    privateKeyJwk: JWK;
+    publicKeyJwk: JWK;
+    status: "active" | "deprecated" | "revoked";
+    createdAt: number;
+}
 /**
- * Sign a JWT with HMAC-SHA256.
- *
- * @param payload - JWT payload (client_id, scopes, etc.)
- * @param secret - Signing secret (the client's secret hash)
- * @returns Signed JWT string
+ * Generate a new ES256 signing key pair.
  */
-export declare function signJwt(payload: JwtPayload, secret: string): Promise<string>;
+export declare function generateSigningKey(kid?: string): Promise<SigningKey>;
 /**
- * Verify and decode a JWT.
- *
- * @param token - JWT string
- * @param secret - Signing secret to verify against
- * @returns Decoded payload, or null if invalid/expired
+ * Export a signing key to JWK format (for storage).
+ */
+export declare function exportSigningKey(key: SigningKey): Promise<ExportedKeyPair>;
+/**
+ * Import a signing key from stored JWK format.
+ */
+export declare function importSigningKey(exported: ExportedKeyPair): Promise<SigningKey>;
+/**
+ * Build a JWKS (JSON Web Key Set) from signing keys.
+ * Only includes public keys.
+ */
+export declare function buildJwks(keys: SigningKey[]): Promise<{
+    keys: JWK[];
+}>;
+/**
+ * Sign a JWT with ES256 using the server's private key.
+ */
+export declare function signJwtES256(payload: Omit<AgentJwtPayload, "iat" | "exp"> & {
+    iat?: number;
+    exp?: number;
+}, privateKey: CryptoKey, kid: string, issuer?: string, expiresIn?: string): Promise<string>;
+/**
+ * Verify a JWT against a local public key.
+ */
+export declare function verifyJwtLocal(token: string, publicKey: CryptoKey): Promise<AgentJwtPayload | null>;
+/**
+ * Verify a JWT against a remote issuer's JWKS.
+ * Fetches and caches the JWKS from the issuer's /.well-known/jwks.json
+ */
+export declare function verifyJwtFromIssuer(token: string, issuerUrl: string): Promise<AgentJwtPayload | null>;
+/** @deprecated Use AgentJwtPayload instead */
+export type JwtPayload = AgentJwtPayload;
+/**
+ * Sign a JWT with HMAC-SHA256 (legacy).
+ * @deprecated Use signJwtES256 for new code.
+ */
+export declare function signJwt(payload: AgentJwtPayload, secret: string): Promise<string>;
+/**
+ * Verify and decode a JWT (HMAC-SHA256, legacy).
+ * @deprecated Use verifyJwtLocal or verifyJwtFromIssuer for new code.
  */
-export declare function verifyJwt(token: string, secret: string): Promise<JwtPayload | null>;
+export declare function verifyJwt(token: string, secret: string): Promise<AgentJwtPayload | null>;
 //# sourceMappingURL=jwt.d.ts.map

package/dist/jwt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA+CH,kCAAkC;AAClC,MAAM,WAAW,UAAU;IACzB,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,gBAAgB;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa;IACb,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,+BAA+B;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;;;;GAMG;AACH,wBAAsB,OAAO,CAC3B,OAAO,EAAE,UAAU,EACnB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAWjB;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAyB5B"}
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EASL,KAAK,GAAG,EACT,MAAM,MAAM,CAAC;AAMd,kCAAkC;AAClC,MAAM,WAAW,eAAe;IAC9B,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IACZ,uBAAuB;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,gBAAgB;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gDAAgD;IAChD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa;IACb,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,mDAAmD;IACnD,UAAU,CAAC,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAC,CAAC;IAC7E,+BAA+B;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;CACb;AAED,kCAAkC;AAClC,MAAM,WAAW,UAAU;IACzB,oBAAoB;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,gCAAgC;IAChC,UAAU,EAAE,SAAS,CAAC;IACtB,2CAA2C;IAC3C,SAAS,EAAE,SAAS,CAAC;IACrB,gBAAgB;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa;IACb,MAAM,EAAE,QAAQ,GAAG,YAAY,GAAG,SAAS,CAAC;IAC5C,gCAAgC;IAChC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,oCAAoC;AACpC,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa,EAAE,GAAG,CAAC;IACnB,YAAY,EAAE,GAAG,CAAC;IAClB,MAAM,EAAE,QAAQ,GAAG,YAAY,GAAG,SAAS,CAAC;IAC5C,SAAS,EAAE,MAAM,CAAC;CACnB;AAMD;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAU1E;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,eAAe,CAAC,CAWhF;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC,CAWrF;AAED;;;GAGG;AACH,wBAAsB,SAAS,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAAE,IAAI,EAAE,GAAG,EAAE,CAAA;CAAE,CAAC,CAW5E;AAMD;;GAEG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,EAC9E,UAAU,EAAE,SAAS,EACrB,GAAG,EAAE,MAAM,EACX,MAAM,CAAC,EAAE,MAAM,EACf,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAgBjB;AAMD;;GAEG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,SAAS,GACnB,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAOjC;AAKD;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAajC;AAoCD,8CAA8C;AAC9C,MAAM,MAAM,UAAU,GAAG,eAAe,CAAC;AAEzC;;;GAGG;AACH,wBAAsB,OAAO,CAC3B,OAAO,EAAE,eAAe,EACxB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAOjB;AAED;;;GAGG;AACH,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAiBjC"}

package/dist/jwt.js

@@ -1,9 +1,141 @@
 /**
  * JWT utilities for auth tokens.
  *
- * Minimal JWT implementation using Web Crypto API (HMAC-SHA256).
- * No external dependencies.
+ * Supports two modes:
+ * - ES256 (asymmetric) — for production / cross-registry trust
+ * - HS256 (HMAC) — for backward compat / simple single-server setups
+ *
+ * Uses `jose` library for all crypto operations.
+ */
+import { SignJWT, jwtVerify, generateKeyPair, exportJWK, importJWK, createRemoteJWKSet, } from "jose";
+// ============================================
+// Key Generation
+// ============================================
+/**
+ * Generate a new ES256 signing key pair.
+ */
+export async function generateSigningKey(kid) {
+    const { privateKey, publicKey } = await generateKeyPair("ES256");
+    return {
+        kid: kid ?? `key-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+        privateKey,
+        publicKey,
+        alg: "ES256",
+        status: "active",
+        createdAt: Date.now(),
+    };
+}
+/**
+ * Export a signing key to JWK format (for storage).
+ */
+export async function exportSigningKey(key) {
+    const privateKeyJwk = await exportJWK(key.privateKey);
+    const publicKeyJwk = await exportJWK(key.publicKey);
+    return {
+        kid: key.kid,
+        alg: key.alg,
+        privateKeyJwk,
+        publicKeyJwk,
+        status: key.status,
+        createdAt: key.createdAt,
+    };
+}
+/**
+ * Import a signing key from stored JWK format.
+ */
+export async function importSigningKey(exported) {
+    const privateKey = await importJWK(exported.privateKeyJwk, exported.alg);
+    const publicKey = await importJWK(exported.publicKeyJwk, exported.alg);
+    return {
+        kid: exported.kid,
+        privateKey,
+        publicKey,
+        alg: exported.alg,
+        status: exported.status,
+        createdAt: exported.createdAt,
+    };
+}
+/**
+ * Build a JWKS (JSON Web Key Set) from signing keys.
+ * Only includes public keys.
+ */
+export async function buildJwks(keys) {
+    const jwks = [];
+    for (const key of keys) {
+        if (key.status === "revoked")
+            continue;
+        const jwk = await exportJWK(key.publicKey);
+        jwk.kid = key.kid;
+        jwk.alg = key.alg;
+        jwk.use = "sig";
+        jwks.push(jwk);
+    }
+    return { keys: jwks };
+}
+// ============================================
+// Signing (ES256)
+// ============================================
+/**
+ * Sign a JWT with ES256 using the server's private key.
+ */
+export async function signJwtES256(payload, privateKey, kid, issuer, expiresIn) {
+    let builder = new SignJWT(payload)
+        .setProtectedHeader({ alg: "ES256", kid })
+        .setIssuedAt();
+    if (issuer)
+        builder = builder.setIssuer(issuer);
+    if (payload.sub)
+        builder = builder.setSubject(payload.sub);
+    if (expiresIn) {
+        builder = builder.setExpirationTime(expiresIn);
+    }
+    else if (payload.exp) {
+        builder = builder.setExpirationTime(payload.exp);
+    }
+    else {
+        builder = builder.setExpirationTime("1h");
+    }
+    return builder.sign(privateKey);
+}
+// ============================================
+// Verification
+// ============================================
+/**
+ * Verify a JWT against a local public key.
  */
+export async function verifyJwtLocal(token, publicKey) {
+    try {
+        const { payload } = await jwtVerify(token, publicKey);
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/** JWKS cache for remote issuers */
+const jwksCache = new Map();
+/**
+ * Verify a JWT against a remote issuer's JWKS.
+ * Fetches and caches the JWKS from the issuer's /.well-known/jwks.json
+ */
+export async function verifyJwtFromIssuer(token, issuerUrl) {
+    try {
+        const jwksUrl = issuerUrl.replace(/\/$/, "") + "/.well-known/jwks.json";
+        let jwks = jwksCache.get(jwksUrl);
+        if (!jwks) {
+            jwks = createRemoteJWKSet(new URL(jwksUrl));
+            jwksCache.set(jwksUrl, jwks);
+        }
+        const { payload } = await jwtVerify(token, jwks);
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+// ============================================
+// Legacy HMAC (backward compat)
+// ============================================
 const encoder = new TextEncoder();
 function base64UrlEncode(data) {
     const str = btoa(String.fromCharCode(...data));
@@ -24,11 +156,8 @@ async function hmacVerify(data, signature, secret) {
     return crypto.subtle.verify("HMAC", key, signature.buffer, encoder.encode(data));
 }
 /**
- * Sign a JWT with HMAC-SHA256.
- *
- * @param payload - JWT payload (client_id, scopes, etc.)
- * @param secret - Signing secret (the client's secret hash)
- * @returns Signed JWT string
+ * Sign a JWT with HMAC-SHA256 (legacy).
+ * @deprecated Use signJwtES256 for new code.
  */
 export async function signJwt(payload, secret) {
     const header = { alg: "HS256", typ: "JWT" };
@@ -36,15 +165,11 @@ export async function signJwt(payload, secret) {
     const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
     const signingInput = `${headerB64}.${payloadB64}`;
     const signature = await hmacSign(signingInput, secret);
-    const signatureB64 = base64UrlEncode(signature);
-    return `${signingInput}.${signatureB64}`;
+    return `${signingInput}.${base64UrlEncode(signature)}`;
 }
 /**
- * Verify and decode a JWT.
- *
- * @param token - JWT string
- * @param secret - Signing secret to verify against
- * @returns Decoded payload, or null if invalid/expired
+ * Verify and decode a JWT (HMAC-SHA256, legacy).
+ * @deprecated Use verifyJwtLocal or verifyJwtFromIssuer for new code.
  */
 export async function verifyJwt(token, secret) {
     const parts = token.split(".");
@@ -58,10 +183,8 @@ export async function verifyJwt(token, secret) {
         if (!valid)
             return null;
         const payload = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadB64)));
-        // Check expiration
-        if (payload.exp && payload.exp < Date.now() / 1000) {
+        if (payload.exp && payload.exp < Date.now() / 1000)
             return null;
-        }
         return payload;
     }
     catch {

package/dist/jwt.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;AAElC,SAAS,eAAe,CAAC,IAAgB;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;IAC/C,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,IAAY,EAAE,MAAc;IAClD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EACtB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IACxE,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,IAAY,EACZ,SAAqB,EACrB,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EACtB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;IACF,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CACzB,MAAM,EACN,GAAG,EACH,SAAS,CAAC,MAAqB,EAC/B,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CACrB,CAAC;AACJ,CAAC;AAkBD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,OAAmB,EACnB,MAAc;IAEd,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IAE5C,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAElD,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAEhD,OAAO,GAAG,YAAY,IAAI,YAAY,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,KAAa,EACb,MAAc;IAEd,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;IACpD,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,YAAY,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAChE,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CACxC,CAAC;QAEhB,mBAAmB;QACnB,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YACnD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,OAAO,EACP,SAAS,EACT,eAAe,EACf,SAAS,EACT,SAAS,EACT,kBAAkB,GAInB,MAAM,MAAM,CAAC;AAsDd,+CAA+C;AAC/C,iBAAiB;AACjB,+CAA+C;AAE/C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAY;IACnD,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,CAAC;IACjE,OAAO;QACL,GAAG,EAAE,GAAG,IAAI,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;QACzE,UAAU;QACV,SAAS;QACT,GAAG,EAAE,OAAO;QACZ,MAAM,EAAE,QAAQ;QAChB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;KACtB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,GAAe;IACpD,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACpD,OAAO;QACL,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,aAAa;QACb,YAAY;QACZ,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,SAAS,EAAE,GAAG,CAAC,SAAS;KACzB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,QAAyB;IAC9D,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE,QAAQ,CAAC,GAAG,CAAc,CAAC;IACtF,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,YAAY,EAAE,QAAQ,CAAC,GAAG,CAAc,CAAC;IACpF,OAAO;QACL,GAAG,EAAE,QAAQ,CAAC,GAAG;QACjB,UAAU;QACV,SAAS;QACT,GAAG,EAAE,QAAQ,CAAC,GAAG;QACjB,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,SAAS,EAAE,QAAQ,CAAC,SAAS;KAC9B,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAkB;IAChD,MAAM,IAAI,GAAU,EAAE,CAAC;IACvB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;YAAE,SAAS;QACvC,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC3C,GAAG,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QAClB,GAAG,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QAClB,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC;QAChB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC;AAED,+CAA+C;AAC/C,kBAAkB;AAClB,+CAA+C;AAE/C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAA8E,EAC9E,UAAqB,EACrB,GAAW,EACX,MAAe,EACf,SAAkB;IAElB,IAAI,OAAO,GAAG,IAAI,OAAO,CAAC,OAAgC,CAAC;SACxD,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;SACzC,WAAW,EAAE,CAAC;IAEjB,IAAI,MAAM;QAAE,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,GAAG;QAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3D,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;SAAM,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnD,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AAClC,CAAC;AAED,+CAA+C;AAC/C,eAAe;AACf,+CAA+C;AAE/C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAa,EACb,SAAoB;IAEpB,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;QACtD,OAAO,OAAqC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,oCAAoC;AACpC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAiD,CAAC;AAE3E;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,KAAa,EACb,SAAiB;IAEjB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,wBAAwB,CAAC;QACxE,IAAI,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;YAC5C,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC/B,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACjD,OAAO,OAAqC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,+CAA+C;AAC/C,gCAAgC;AAChC,+CAA+C;AAE/C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;AAElC,SAAS,eAAe,CAAC,IAAgB;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;IAC/C,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,IAAY,EAAE,MAAc;IAClD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAC7B,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,MAAM,CAAC,CACnD,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IACxE,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,IAAY,EAAE,SAAqB,EAAE,MAAc;IAC3E,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAC7B,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,CACrD,CAAC;IACF,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,SAAS,CAAC,MAAqB,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AAClG,CAAC;AAKD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,OAAwB,EACxB,MAAc;IAEd,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACvD,OAAO,GAAG,YAAY,IAAI,eAAe,CAAC,SAAS,CAAC,EAAE,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,KAAa,EACb,MAAc;IAEd,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;IACpD,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAClD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,YAAY,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAChE,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CACnC,CAAC;QACrB,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI;YAAE,OAAO,IAAI,CAAC;QAChE,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/registry.d.ts

@@ -10,6 +10,8 @@ import type { AgentDefinition, CallAgentRequest, CallAgentResponse, Visibility }
 export interface AgentRegistryOptions {
     /** Default visibility for agents without explicit visibility */
     defaultVisibility?: Visibility;
+    /** Factory to enrich ToolContext with application-specific data */
+    contextFactory?: ContextFactory;
 }
 /**
  * Agent registry interface.
@@ -44,5 +46,10 @@ export interface AgentRegistry {
  * });
  * ```
  */
+/**
+ * Factory function that enriches the base ToolContext with application-specific data.
+ * Called before every tool execution.
+ */
+export type ContextFactory = (baseCtx: import("./types.js").ToolContext) => import("./types.js").ToolContext;
 export declare function createAgentRegistry(options?: AgentRegistryOptions): AgentRegistry;
 //# sourceMappingURL=registry.d.ts.map

package/dist/registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAEV,eAAe,EAMf,gBAAgB,EAChB,iBAAiB,EAIjB,UAAU,EACX,MAAM,YAAY,CAAC;AAapB;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,gEAAgE;IAChE,iBAAiB,CAAC,EAAE,UAAU,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,wBAAwB;IACxB,QAAQ,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI,CAAC;IAEvC,2BAA2B;IAC3B,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAAC;IAE/C,+BAA+B;IAC/B,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;IAE3B,iCAAiC;IACjC,IAAI,IAAI,eAAe,EAAE,CAAC;IAE1B,sCAAsC;IACtC,SAAS,IAAI,MAAM,EAAE,CAAC;IAEtB,qCAAqC;IACrC,IAAI,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;CAC7D;AAMD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,GAAE,oBAAyB,GACjC,aAAa,CA4Tf"}
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAEV,eAAe,EAMf,gBAAgB,EAChB,iBAAiB,EAIjB,UAAU,EACX,MAAM,YAAY,CAAC;AAapB;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,gEAAgE;IAChE,iBAAiB,CAAC,EAAE,UAAU,CAAC;IAC/B,mEAAmE;IACnE,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,wBAAwB;IACxB,QAAQ,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI,CAAC;IAEvC,2BAA2B;IAC3B,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAAC;IAE/C,+BAA+B;IAC/B,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;IAE3B,iCAAiC;IACjC,IAAI,IAAI,eAAe,EAAE,CAAC;IAE1B,sCAAsC;IACtC,SAAS,IAAI,MAAM,EAAE,CAAC;IAEtB,qCAAqC;IACrC,IAAI,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;CAC7D;AAMD;;;;;;;;;;;;;;;GAeG;AACH;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,OAAO,YAAY,EAAE,WAAW,KAAK,OAAO,YAAY,EAAE,WAAW,CAAC;AAE7G,wBAAgB,mBAAmB,CACjC,OAAO,GAAE,oBAAyB,GACjC,aAAa,CAyUf"}

package/dist/registry.js

@@ -9,25 +9,6 @@ const DEFAULT_SUPPORTED_ACTIONS = [
     "describe_tools",
     "load",
 ];
-// ============================================
-// Create Registry
-// ============================================
-/**
- * Create an agent registry.
- *
- * @example
- * ```typescript
- * const registry = createAgentRegistry();
- * registry.register(myAgent);
- *
- * const result = await registry.call({
- *   action: 'execute_tool',
- *   path: '@my-agent',
- *   tool: 'greet',
- *   params: { name: 'World' }
- * });
- * ```
- */
 export function createAgentRegistry(options = {}) {
     const { defaultVisibility = "internal" } = options;
     const agents = new Map();
@@ -87,6 +68,8 @@ export function createAgentRegistry(options = {}) {
                 return true;
             case "internal":
                 return (callerType === "agent" || (callerType != null && callerId != null));
+            case "authenticated":
+                return callerId != null && callerId !== "anonymous";
             case "private":
                 return callerId === agent.path;
             default:
@@ -173,18 +156,28 @@ export function createAgentRegistry(options = {}) {
                     if (!checkToolAccess(agent, request.tool, request.callerId, request.callerType)) {
                         return {
                             success: false,
-                            error: `Access denied to tool: ${request.tool}`,
+                            error: `Access denied to tool: ${request.tool} (visibility=${tool.visibility}, callerId=${request.callerId}, callerType=${request.callerType})`,
                             code: "ACCESS_DENIED",
                         };
                     }
-                    const ctx = {
+                    let ctx = {
                         tenantId: "default",
                         agentPath: agent.path,
                         callerId: request.callerId ?? "unknown",
                         callerType: request.callerType ?? "system",
                         metadata: request.metadata,
                     };
+                    // Apply contextFactory if provided
+                    if (options.contextFactory) {
+                        ctx = options.contextFactory(ctx);
+                    }
                     try {
+                        if (!tool.execute) {
+                            return {
+                                success: false,
+                                error: `Tool ${request.tool} has no execute function`,
+                            };
+                        }
                         const result = await tool.execute(request.params, ctx);
                         return {
                             success: true,