@stepflowjs/adapter-shared 0.0.1

package/dist/index.d.ts

@@ -0,0 +1,230 @@
+/**
+ * Route names that can be configured for authorization and enable/disable.
+ */
+type RouteName = "trigger" | "notify" | "runs" | "runsStream" | "health" | "workflowsTrigger" | "workflowsStream" | "eventsNotify";
+/**
+ * Sensitive routes that typically require authorization.
+ */
+type SensitiveRouteName = "trigger" | "notify" | "workflowsTrigger" | "workflowsStream" | "eventsNotify";
+/**
+ * Preset configurations for endpoint visibility.
+ *
+ * - `all` / `public`: All endpoints enabled (default, backward-compatible)
+ * - `none`: All endpoints disabled
+ * - `private`: Disable trigger/notify endpoints (backend-only mode)
+ * - `internal`: Only health endpoint enabled
+ */
+type EndpointPreset = "all" | "none" | "public" | "private" | "internal";
+/**
+ * Fine-grained endpoint configuration.
+ * Each key controls whether that endpoint is enabled.
+ */
+interface EndpointConfig {
+    /** POST /trigger/:workflowId */
+    trigger?: boolean;
+    /** POST /notify/:eventId */
+    notify?: boolean;
+    /** GET /runs/:runId */
+    runs?: boolean;
+    /** GET /runs/:runId/stream */
+    runsStream?: boolean;
+    /** GET /health */
+    health?: boolean;
+    /** POST /workflows/:workflowId/trigger (client SDK alias) */
+    workflowsTrigger?: boolean;
+    /** POST /workflows/:workflowId/stream (client SDK alias) */
+    workflowsStream?: boolean;
+    /** POST /events/:eventId/notify (client SDK alias) */
+    eventsNotify?: boolean;
+}
+/**
+ * Endpoint configuration can be a preset string or fine-grained config.
+ */
+type EndpointOption = EndpointPreset | EndpointConfig;
+/**
+ * Context passed to authorization handlers.
+ * Generic types allow framework-specific request/response objects.
+ */
+interface AuthContext<TRequest = unknown, TExtra = unknown> {
+    /** The route being accessed */
+    route: RouteName;
+    /** Workflow ID (for trigger routes) */
+    workflowId?: string;
+    /** Event ID (for notify routes) */
+    eventId?: string;
+    /** Run ID (for runs routes) */
+    runId?: string;
+    /** The original request object (framework-specific) */
+    request: TRequest;
+    /** Additional framework-specific context (e.g., Hono's Context, Express's Response) */
+    extra?: TExtra;
+}
+/**
+ * Result of an authorization check.
+ */
+type AuthResult = {
+    ok: true;
+} | {
+    ok: false;
+    /** HTTP status code (default: 401 for missing auth, 403 for denied) */
+    status?: number;
+    /** Error message for the response */
+    message?: string;
+    /** Error code for programmatic handling */
+    code?: string;
+};
+/**
+ * Authorization handler function.
+ * Returns AuthResult or void (void = allow).
+ */
+type AuthHandler<TRequest = unknown, TExtra = unknown> = (ctx: AuthContext<TRequest, TExtra>) => Promise<AuthResult | void> | AuthResult | void;
+/**
+ * Per-route authorization configuration.
+ * Global handler applies to all routes; specific handlers override global.
+ */
+interface AuthConfig<TRequest = unknown, TExtra = unknown> {
+    /** Global auth handler applied to all routes (unless overridden) */
+    global?: AuthHandler<TRequest, TExtra>;
+    /** Auth handler for POST /trigger/:workflowId */
+    trigger?: AuthHandler<TRequest, TExtra>;
+    /** Auth handler for POST /notify/:eventId */
+    notify?: AuthHandler<TRequest, TExtra>;
+    /** Auth handler for GET /runs/:runId */
+    runs?: AuthHandler<TRequest, TExtra>;
+    /** Auth handler for GET /runs/:runId/stream */
+    runsStream?: AuthHandler<TRequest, TExtra>;
+    /** Auth handler for GET /health */
+    health?: AuthHandler<TRequest, TExtra>;
+    /** Auth handler for POST /workflows/:workflowId/trigger */
+    workflowsTrigger?: AuthHandler<TRequest, TExtra>;
+    /** Auth handler for POST /workflows/:workflowId/stream */
+    workflowsStream?: AuthHandler<TRequest, TExtra>;
+    /** Auth handler for POST /events/:eventId/notify */
+    eventsNotify?: AuthHandler<TRequest, TExtra>;
+}
+/**
+ * Base options for all Stepflow adapters.
+ * Extended by framework-specific adapter options.
+ */
+interface BaseAdapterOptions<TRequest = unknown, TExtra = unknown> {
+    /** Base path prefix for all routes (e.g., "/api/stepflow") */
+    basePath?: string;
+    /** Custom health check function */
+    healthCheck?: () => Promise<boolean>;
+    /** Endpoint configuration - preset or fine-grained */
+    endpoints?: EndpointOption;
+    /** Authorization configuration */
+    auth?: AuthConfig<TRequest, TExtra>;
+    /**
+     * Callback when authorization fails.
+     * Use for logging, metrics, or custom error responses.
+     */
+    onAuthFailure?: (ctx: AuthContext<TRequest, TExtra>, result: AuthResult & {
+        ok: false;
+    }) => void | Promise<void>;
+}
+/**
+ * Standard error response body format.
+ */
+interface ErrorResponseBody {
+    error: {
+        code: string;
+        message: string;
+    };
+}
+/**
+ * Creates a standard error response body.
+ */
+declare function createErrorBody(code: string, message: string): ErrorResponseBody;
+
+/**
+ * Resolves endpoint option to a full EndpointConfig.
+ * If undefined, defaults to 'all' (backward-compatible).
+ */
+declare function resolveEndpoints(option?: EndpointOption): EndpointConfig;
+/**
+ * Checks if a specific route is enabled.
+ */
+declare function isRouteEnabled(route: RouteName, option?: EndpointOption): boolean;
+/**
+ * Gets all enabled routes.
+ */
+declare function getEnabledRoutes(option?: EndpointOption): RouteName[];
+/**
+ * Gets all disabled routes.
+ */
+declare function getDisabledRoutes(option?: EndpointOption): RouteName[];
+/**
+ * Validates that at least one endpoint is enabled.
+ * Throws if all endpoints are disabled.
+ */
+declare function validateEndpoints(option?: EndpointOption): void;
+
+/**
+ * Normalizes auth handler result.
+ * - void or undefined = allow (returns { ok: true })
+ * - AuthResult = returns as-is
+ */
+declare function normalizeAuthResult(result: AuthResult | void): AuthResult;
+/**
+ * Gets the appropriate auth handler for a route.
+ * Route-specific handler takes precedence over global.
+ */
+declare function getAuthHandler<TRequest, TExtra>(route: RouteName, config?: AuthConfig<TRequest, TExtra>): AuthHandler<TRequest, TExtra> | undefined;
+/**
+ * Runs authorization for a route.
+ * Returns normalized AuthResult.
+ */
+declare function runAuth<TRequest, TExtra>(ctx: AuthContext<TRequest, TExtra>, config?: AuthConfig<TRequest, TExtra>): Promise<AuthResult>;
+/**
+ * Creates default auth failure response data.
+ */
+declare function getAuthFailureResponse(result: AuthResult & {
+    ok: false;
+}): {
+    status: number;
+    code: string;
+    message: string;
+};
+/**
+ * Determines if a route is considered "sensitive" (typically requires auth).
+ * Sensitive routes: trigger, notify, and their aliases.
+ */
+declare function isSensitiveRoute(route: RouteName): boolean;
+/**
+ * Creates an API key auth handler.
+ * Checks for the API key in the specified header.
+ */
+declare function createApiKeyAuth(expectedKey: string, options?: {
+    header?: string;
+    code?: string;
+    message?: string;
+}): AuthHandler<{
+    headers: {
+        get(name: string): string | null;
+    };
+}>;
+/**
+ * Creates a Bearer token auth handler.
+ * Validates the token using the provided validator function.
+ */
+declare function createBearerAuth<TRequest extends {
+    headers: {
+        get(name: string): string | null;
+    };
+}>(validator: (token: string, ctx: AuthContext<TRequest>) => Promise<boolean> | boolean, options?: {
+    code?: string;
+    message?: string;
+}): AuthHandler<TRequest>;
+/**
+ * Combines multiple auth handlers with OR logic.
+ * Returns allow if ANY handler allows, deny if ALL deny.
+ */
+declare function anyOf<TRequest, TExtra>(...handlers: AuthHandler<TRequest, TExtra>[]): AuthHandler<TRequest, TExtra>;
+/**
+ * Combines multiple auth handlers with AND logic.
+ * Returns allow if ALL handlers allow, deny if ANY denies.
+ */
+declare function allOf<TRequest, TExtra>(...handlers: AuthHandler<TRequest, TExtra>[]): AuthHandler<TRequest, TExtra>;
+
+export { type AuthConfig, type AuthContext, type AuthHandler, type AuthResult, type BaseAdapterOptions, type EndpointConfig, type EndpointOption, type EndpointPreset, type ErrorResponseBody, type RouteName, type SensitiveRouteName, allOf, anyOf, createApiKeyAuth, createBearerAuth, createErrorBody, getAuthFailureResponse, getAuthHandler, getDisabledRoutes, getEnabledRoutes, isRouteEnabled, isSensitiveRoute, normalizeAuthResult, resolveEndpoints, runAuth, validateEndpoints };

package/dist/index.js

@@ -0,0 +1,265 @@
+// src/types.ts
+function createErrorBody(code, message) {
+  return {
+    error: {
+      code,
+      message
+    }
+  };
+}
+
+// src/endpoints.ts
+var PRESETS = {
+  /** All endpoints enabled (default) */
+  all: {
+    trigger: true,
+    notify: true,
+    runs: true,
+    runsStream: true,
+    health: true,
+    workflowsTrigger: true,
+    workflowsStream: true,
+    eventsNotify: true
+  },
+  /** Alias for 'all' - all endpoints enabled */
+  public: {
+    trigger: true,
+    notify: true,
+    runs: true,
+    runsStream: true,
+    health: true,
+    workflowsTrigger: true,
+    workflowsStream: true,
+    eventsNotify: true
+  },
+  /** All endpoints disabled */
+  none: {
+    trigger: false,
+    notify: false,
+    runs: false,
+    runsStream: false,
+    health: false,
+    workflowsTrigger: false,
+    workflowsStream: false,
+    eventsNotify: false
+  },
+  /** Backend-only mode: disable trigger/notify endpoints */
+  private: {
+    trigger: false,
+    notify: false,
+    runs: true,
+    runsStream: true,
+    health: true,
+    workflowsTrigger: false,
+    workflowsStream: false,
+    eventsNotify: false
+  },
+  /** Internal mode: only health endpoint enabled */
+  internal: {
+    trigger: false,
+    notify: false,
+    runs: false,
+    runsStream: false,
+    health: true,
+    workflowsTrigger: false,
+    workflowsStream: false,
+    eventsNotify: false
+  }
+};
+function resolveEndpoints(option) {
+  if (option === void 0) {
+    return PRESETS.all;
+  }
+  if (typeof option === "string") {
+    return PRESETS[option] ?? PRESETS.all;
+  }
+  return {
+    ...PRESETS.all,
+    ...option
+  };
+}
+function isRouteEnabled(route, option) {
+  const config = resolveEndpoints(option);
+  return config[route] ?? true;
+}
+function getEnabledRoutes(option) {
+  const config = resolveEndpoints(option);
+  const routes = [];
+  for (const [key, value] of Object.entries(config)) {
+    if (value) {
+      routes.push(key);
+    }
+  }
+  return routes;
+}
+function getDisabledRoutes(option) {
+  const config = resolveEndpoints(option);
+  const routes = [];
+  for (const [key, value] of Object.entries(config)) {
+    if (!value) {
+      routes.push(key);
+    }
+  }
+  return routes;
+}
+function validateEndpoints(option) {
+  const enabled = getEnabledRoutes(option);
+  if (enabled.length === 0) {
+    throw new Error(
+      "All endpoints are disabled. At least one endpoint must be enabled."
+    );
+  }
+}
+
+// src/auth.ts
+function normalizeAuthResult(result) {
+  if (result === void 0 || result === null) {
+    return { ok: true };
+  }
+  return result;
+}
+function getAuthHandler(route, config) {
+  if (!config) return void 0;
+  const routeHandler = config[route];
+  if (routeHandler !== void 0) {
+    return routeHandler;
+  }
+  return config.global;
+}
+async function runAuth(ctx, config) {
+  const handler = getAuthHandler(ctx.route, config);
+  if (!handler) {
+    return { ok: true };
+  }
+  try {
+    const result = await handler(ctx);
+    return normalizeAuthResult(result);
+  } catch (error) {
+    return {
+      ok: false,
+      status: 500,
+      code: "auth_error",
+      message: error instanceof Error ? error.message : "Authorization error"
+    };
+  }
+}
+function getAuthFailureResponse(result) {
+  return {
+    status: result.status ?? 401,
+    code: result.code ?? "unauthorized",
+    message: result.message ?? "Unauthorized"
+  };
+}
+function isSensitiveRoute(route) {
+  const sensitiveRoutes = [
+    "trigger",
+    "notify",
+    "workflowsTrigger",
+    "workflowsStream",
+    "eventsNotify"
+  ];
+  return sensitiveRoutes.includes(route);
+}
+function createApiKeyAuth(expectedKey, options = {}) {
+  const headerName = options.header ?? "x-api-key";
+  return ({ request }) => {
+    const key = request.headers.get(headerName);
+    if (!key) {
+      return {
+        ok: false,
+        status: 401,
+        code: options.code ?? "missing_api_key",
+        message: options.message ?? "API key is required"
+      };
+    }
+    if (key !== expectedKey) {
+      return {
+        ok: false,
+        status: 401,
+        code: options.code ?? "invalid_api_key",
+        message: options.message ?? "Invalid API key"
+      };
+    }
+    return { ok: true };
+  };
+}
+function createBearerAuth(validator, options = {}) {
+  return async (ctx) => {
+    const authHeader = ctx.request.headers.get("authorization");
+    if (!authHeader) {
+      return {
+        ok: false,
+        status: 401,
+        code: options.code ?? "missing_token",
+        message: options.message ?? "Authorization header is required"
+      };
+    }
+    const match = authHeader.match(/^Bearer\s+(.+)$/i);
+    if (!match) {
+      return {
+        ok: false,
+        status: 401,
+        code: options.code ?? "invalid_auth_format",
+        message: options.message ?? "Invalid authorization format. Use: Bearer <token>"
+      };
+    }
+    const token = match[1];
+    const isValid = await validator(token, ctx);
+    if (!isValid) {
+      return {
+        ok: false,
+        status: 401,
+        code: options.code ?? "invalid_token",
+        message: options.message ?? "Invalid or expired token"
+      };
+    }
+    return { ok: true };
+  };
+}
+function anyOf(...handlers) {
+  return async (ctx) => {
+    let lastDeny = {
+      ok: false,
+      status: 401,
+      code: "unauthorized",
+      message: "Unauthorized"
+    };
+    for (const handler of handlers) {
+      const result = normalizeAuthResult(await handler(ctx));
+      if (result.ok) {
+        return result;
+      }
+      lastDeny = result;
+    }
+    return lastDeny;
+  };
+}
+function allOf(...handlers) {
+  return async (ctx) => {
+    for (const handler of handlers) {
+      const result = normalizeAuthResult(await handler(ctx));
+      if (!result.ok) {
+        return result;
+      }
+    }
+    return { ok: true };
+  };
+}
+export {
+  allOf,
+  anyOf,
+  createApiKeyAuth,
+  createBearerAuth,
+  createErrorBody,
+  getAuthFailureResponse,
+  getAuthHandler,
+  getDisabledRoutes,
+  getEnabledRoutes,
+  isRouteEnabled,
+  isSensitiveRoute,
+  normalizeAuthResult,
+  resolveEndpoints,
+  runAuth,
+  validateEndpoints
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/types.ts","../src/endpoints.ts","../src/auth.ts"],"sourcesContent":["// ============================================================================\n// Endpoint Types\n// ============================================================================\n\n/**\n * Route names that can be configured for authorization and enable/disable.\n */\nexport type RouteName =\n  | \"trigger\"\n  | \"notify\"\n  | \"runs\"\n  | \"runsStream\"\n  | \"health\"\n  | \"workflowsTrigger\"\n  | \"workflowsStream\"\n  | \"eventsNotify\";\n\n/**\n * Sensitive routes that typically require authorization.\n */\nexport type SensitiveRouteName =\n  | \"trigger\"\n  | \"notify\"\n  | \"workflowsTrigger\"\n  | \"workflowsStream\"\n  | \"eventsNotify\";\n\n/**\n * Preset configurations for endpoint visibility.\n *\n * - `all` / `public`: All endpoints enabled (default, backward-compatible)\n * - `none`: All endpoints disabled\n * - `private`: Disable trigger/notify endpoints (backend-only mode)\n * - `internal`: Only health endpoint enabled\n */\nexport type EndpointPreset = \"all\" | \"none\" | \"public\" | \"private\" | \"internal\";\n\n/**\n * Fine-grained endpoint configuration.\n * Each key controls whether that endpoint is enabled.\n */\nexport interface EndpointConfig {\n  /** POST /trigger/:workflowId */\n  trigger?: boolean;\n  /** POST /notify/:eventId */\n  notify?: boolean;\n  /** GET /runs/:runId */\n  runs?: boolean;\n  /** GET /runs/:runId/stream */\n  runsStream?: boolean;\n  /** GET /health */\n  health?: boolean;\n  /** POST /workflows/:workflowId/trigger (client SDK alias) */\n  workflowsTrigger?: boolean;\n  /** POST /workflows/:workflowId/stream (client SDK alias) */\n  workflowsStream?: boolean;\n  /** POST /events/:eventId/notify (client SDK alias) */\n  eventsNotify?: boolean;\n}\n\n/**\n * Endpoint configuration can be a preset string or fine-grained config.\n */\nexport type EndpointOption = EndpointPreset | EndpointConfig;\n\n// ============================================================================\n// Authorization Types\n// ============================================================================\n\n/**\n * Context passed to authorization handlers.\n * Generic types allow framework-specific request/response objects.\n */\nexport interface AuthContext<TRequest = unknown, TExtra = unknown> {\n  /** The route being accessed */\n  route: RouteName;\n  /** Workflow ID (for trigger routes) */\n  workflowId?: string;\n  /** Event ID (for notify routes) */\n  eventId?: string;\n  /** Run ID (for runs routes) */\n  runId?: string;\n  /** The original request object (framework-specific) */\n  request: TRequest;\n  /** Additional framework-specific context (e.g., Hono's Context, Express's Response) */\n  extra?: TExtra;\n}\n\n/**\n * Result of an authorization check.\n */\nexport type AuthResult =\n  | { ok: true }\n  | {\n      ok: false;\n      /** HTTP status code (default: 401 for missing auth, 403 for denied) */\n      status?: number;\n      /** Error message for the response */\n      message?: string;\n      /** Error code for programmatic handling */\n      code?: string;\n    };\n\n/**\n * Authorization handler function.\n * Returns AuthResult or void (void = allow).\n */\nexport type AuthHandler<TRequest = unknown, TExtra = unknown> = (\n  ctx: AuthContext<TRequest, TExtra>,\n) => Promise<AuthResult | void> | AuthResult | void;\n\n/**\n * Per-route authorization configuration.\n * Global handler applies to all routes; specific handlers override global.\n */\nexport interface AuthConfig<TRequest = unknown, TExtra = unknown> {\n  /** Global auth handler applied to all routes (unless overridden) */\n  global?: AuthHandler<TRequest, TExtra>;\n  /** Auth handler for POST /trigger/:workflowId */\n  trigger?: AuthHandler<TRequest, TExtra>;\n  /** Auth handler for POST /notify/:eventId */\n  notify?: AuthHandler<TRequest, TExtra>;\n  /** Auth handler for GET /runs/:runId */\n  runs?: AuthHandler<TRequest, TExtra>;\n  /** Auth handler for GET /runs/:runId/stream */\n  runsStream?: AuthHandler<TRequest, TExtra>;\n  /** Auth handler for GET /health */\n  health?: AuthHandler<TRequest, TExtra>;\n  /** Auth handler for POST /workflows/:workflowId/trigger */\n  workflowsTrigger?: AuthHandler<TRequest, TExtra>;\n  /** Auth handler for POST /workflows/:workflowId/stream */\n  workflowsStream?: AuthHandler<TRequest, TExtra>;\n  /** Auth handler for POST /events/:eventId/notify */\n  eventsNotify?: AuthHandler<TRequest, TExtra>;\n}\n\n// ============================================================================\n// Adapter Options Types\n// ============================================================================\n\n/**\n * Base options for all Stepflow adapters.\n * Extended by framework-specific adapter options.\n */\nexport interface BaseAdapterOptions<TRequest = unknown, TExtra = unknown> {\n  /** Base path prefix for all routes (e.g., \"/api/stepflow\") */\n  basePath?: string;\n  /** Custom health check function */\n  healthCheck?: () => Promise<boolean>;\n  /** Endpoint configuration - preset or fine-grained */\n  endpoints?: EndpointOption;\n  /** Authorization configuration */\n  auth?: AuthConfig<TRequest, TExtra>;\n  /**\n   * Callback when authorization fails.\n   * Use for logging, metrics, or custom error responses.\n   */\n  onAuthFailure?: (\n    ctx: AuthContext<TRequest, TExtra>,\n    result: AuthResult & { ok: false },\n  ) => void | Promise<void>;\n}\n\n// ============================================================================\n// Error Response Types\n// ============================================================================\n\n/**\n * Standard error response body format.\n */\nexport interface ErrorResponseBody {\n  error: {\n    code: string;\n    message: string;\n  };\n}\n\n/**\n * Creates a standard error response body.\n */\nexport function createErrorBody(\n  code: string,\n  message: string,\n): ErrorResponseBody {\n  return {\n    error: {\n      code,\n      message,\n    },\n  };\n}\n","import type {\n  EndpointConfig,\n  EndpointOption,\n  EndpointPreset,\n  RouteName,\n} from \"./types.js\";\n\n// ============================================================================\n// Preset Definitions\n// ============================================================================\n\n/**\n * Preset configurations for endpoint visibility.\n */\nconst PRESETS: Record<EndpointPreset, EndpointConfig> = {\n  /** All endpoints enabled (default) */\n  all: {\n    trigger: true,\n    notify: true,\n    runs: true,\n    runsStream: true,\n    health: true,\n    workflowsTrigger: true,\n    workflowsStream: true,\n    eventsNotify: true,\n  },\n  /** Alias for 'all' - all endpoints enabled */\n  public: {\n    trigger: true,\n    notify: true,\n    runs: true,\n    runsStream: true,\n    health: true,\n    workflowsTrigger: true,\n    workflowsStream: true,\n    eventsNotify: true,\n  },\n  /** All endpoints disabled */\n  none: {\n    trigger: false,\n    notify: false,\n    runs: false,\n    runsStream: false,\n    health: false,\n    workflowsTrigger: false,\n    workflowsStream: false,\n    eventsNotify: false,\n  },\n  /** Backend-only mode: disable trigger/notify endpoints */\n  private: {\n    trigger: false,\n    notify: false,\n    runs: true,\n    runsStream: true,\n    health: true,\n    workflowsTrigger: false,\n    workflowsStream: false,\n    eventsNotify: false,\n  },\n  /** Internal mode: only health endpoint enabled */\n  internal: {\n    trigger: false,\n    notify: false,\n    runs: false,\n    runsStream: false,\n    health: true,\n    workflowsTrigger: false,\n    workflowsStream: false,\n    eventsNotify: false,\n  },\n};\n\n// ============================================================================\n// Endpoint Helpers\n// ============================================================================\n\n/**\n * Resolves endpoint option to a full EndpointConfig.\n * If undefined, defaults to 'all' (backward-compatible).\n */\nexport function resolveEndpoints(option?: EndpointOption): EndpointConfig {\n  if (option === undefined) {\n    return PRESETS.all;\n  }\n\n  if (typeof option === \"string\") {\n    return PRESETS[option] ?? PRESETS.all;\n  }\n\n  // Merge with 'all' preset to fill in any missing keys\n  return {\n    ...PRESETS.all,\n    ...option,\n  };\n}\n\n/**\n * Checks if a specific route is enabled.\n */\nexport function isRouteEnabled(\n  route: RouteName,\n  option?: EndpointOption,\n): boolean {\n  const config = resolveEndpoints(option);\n  return config[route] ?? true;\n}\n\n/**\n * Gets all enabled routes.\n */\nexport function getEnabledRoutes(option?: EndpointOption): RouteName[] {\n  const config = resolveEndpoints(option);\n  const routes: RouteName[] = [];\n\n  for (const [key, value] of Object.entries(config)) {\n    if (value) {\n      routes.push(key as RouteName);\n    }\n  }\n\n  return routes;\n}\n\n/**\n * Gets all disabled routes.\n */\nexport function getDisabledRoutes(option?: EndpointOption): RouteName[] {\n  const config = resolveEndpoints(option);\n  const routes: RouteName[] = [];\n\n  for (const [key, value] of Object.entries(config)) {\n    if (!value) {\n      routes.push(key as RouteName);\n    }\n  }\n\n  return routes;\n}\n\n/**\n * Validates that at least one endpoint is enabled.\n * Throws if all endpoints are disabled.\n */\nexport function validateEndpoints(option?: EndpointOption): void {\n  const enabled = getEnabledRoutes(option);\n  if (enabled.length === 0) {\n    throw new Error(\n      \"All endpoints are disabled. At least one endpoint must be enabled.\",\n    );\n  }\n}\n","import type {\n  AuthConfig,\n  AuthContext,\n  AuthHandler,\n  AuthResult,\n  RouteName,\n} from \"./types.js\";\n\n// ============================================================================\n// Auth Helpers\n// ============================================================================\n\n/**\n * Normalizes auth handler result.\n * - void or undefined = allow (returns { ok: true })\n * - AuthResult = returns as-is\n */\nexport function normalizeAuthResult(result: AuthResult | void): AuthResult {\n  if (result === undefined || result === null) {\n    return { ok: true };\n  }\n  return result;\n}\n\n/**\n * Gets the appropriate auth handler for a route.\n * Route-specific handler takes precedence over global.\n */\nexport function getAuthHandler<TRequest, TExtra>(\n  route: RouteName,\n  config?: AuthConfig<TRequest, TExtra>,\n): AuthHandler<TRequest, TExtra> | undefined {\n  if (!config) return undefined;\n\n  // Check for route-specific handler first\n  const routeHandler = config[route] as\n    | AuthHandler<TRequest, TExtra>\n    | undefined;\n  if (routeHandler !== undefined) {\n    return routeHandler;\n  }\n\n  // Fall back to global handler\n  return config.global;\n}\n\n/**\n * Runs authorization for a route.\n * Returns normalized AuthResult.\n */\nexport async function runAuth<TRequest, TExtra>(\n  ctx: AuthContext<TRequest, TExtra>,\n  config?: AuthConfig<TRequest, TExtra>,\n): Promise<AuthResult> {\n  const handler = getAuthHandler(ctx.route, config);\n\n  if (!handler) {\n    // No auth configured = allow\n    return { ok: true };\n  }\n\n  try {\n    const result = await handler(ctx);\n    return normalizeAuthResult(result);\n  } catch (error) {\n    // Auth handler threw an error = deny with 500\n    return {\n      ok: false,\n      status: 500,\n      code: \"auth_error\",\n      message: error instanceof Error ? error.message : \"Authorization error\",\n    };\n  }\n}\n\n/**\n * Creates default auth failure response data.\n */\nexport function getAuthFailureResponse(result: AuthResult & { ok: false }): {\n  status: number;\n  code: string;\n  message: string;\n} {\n  return {\n    status: result.status ?? 401,\n    code: result.code ?? \"unauthorized\",\n    message: result.message ?? \"Unauthorized\",\n  };\n}\n\n/**\n * Determines if a route is considered \"sensitive\" (typically requires auth).\n * Sensitive routes: trigger, notify, and their aliases.\n */\nexport function isSensitiveRoute(route: RouteName): boolean {\n  const sensitiveRoutes: RouteName[] = [\n    \"trigger\",\n    \"notify\",\n    \"workflowsTrigger\",\n    \"workflowsStream\",\n    \"eventsNotify\",\n  ];\n  return sensitiveRoutes.includes(route);\n}\n\n// ============================================================================\n// Common Auth Patterns\n// ============================================================================\n\n/**\n * Creates an API key auth handler.\n * Checks for the API key in the specified header.\n */\nexport function createApiKeyAuth(\n  expectedKey: string,\n  options: {\n    header?: string;\n    code?: string;\n    message?: string;\n  } = {},\n): AuthHandler<{ headers: { get(name: string): string | null } }> {\n  const headerName = options.header ?? \"x-api-key\";\n\n  return ({ request }) => {\n    const key = request.headers.get(headerName);\n\n    if (!key) {\n      return {\n        ok: false,\n        status: 401,\n        code: options.code ?? \"missing_api_key\",\n        message: options.message ?? \"API key is required\",\n      };\n    }\n\n    if (key !== expectedKey) {\n      return {\n        ok: false,\n        status: 401,\n        code: options.code ?? \"invalid_api_key\",\n        message: options.message ?? \"Invalid API key\",\n      };\n    }\n\n    return { ok: true };\n  };\n}\n\n/**\n * Creates a Bearer token auth handler.\n * Validates the token using the provided validator function.\n */\nexport function createBearerAuth<\n  TRequest extends { headers: { get(name: string): string | null } },\n>(\n  validator: (\n    token: string,\n    ctx: AuthContext<TRequest>,\n  ) => Promise<boolean> | boolean,\n  options: {\n    code?: string;\n    message?: string;\n  } = {},\n): AuthHandler<TRequest> {\n  return async (ctx) => {\n    const authHeader = ctx.request.headers.get(\"authorization\");\n\n    if (!authHeader) {\n      return {\n        ok: false,\n        status: 401,\n        code: options.code ?? \"missing_token\",\n        message: options.message ?? \"Authorization header is required\",\n      };\n    }\n\n    const match = authHeader.match(/^Bearer\\s+(.+)$/i);\n    if (!match) {\n      return {\n        ok: false,\n        status: 401,\n        code: options.code ?? \"invalid_auth_format\",\n        message:\n          options.message ??\n          \"Invalid authorization format. Use: Bearer <token>\",\n      };\n    }\n\n    const token = match[1];\n    const isValid = await validator(token, ctx);\n\n    if (!isValid) {\n      return {\n        ok: false,\n        status: 401,\n        code: options.code ?? \"invalid_token\",\n        message: options.message ?? \"Invalid or expired token\",\n      };\n    }\n\n    return { ok: true };\n  };\n}\n\n/**\n * Combines multiple auth handlers with OR logic.\n * Returns allow if ANY handler allows, deny if ALL deny.\n */\nexport function anyOf<TRequest, TExtra>(\n  ...handlers: AuthHandler<TRequest, TExtra>[]\n): AuthHandler<TRequest, TExtra> {\n  return async (ctx) => {\n    let lastDeny: AuthResult & { ok: false } = {\n      ok: false,\n      status: 401,\n      code: \"unauthorized\",\n      message: \"Unauthorized\",\n    };\n\n    for (const handler of handlers) {\n      const result = normalizeAuthResult(await handler(ctx));\n      if (result.ok) {\n        return result;\n      }\n      lastDeny = result;\n    }\n\n    return lastDeny;\n  };\n}\n\n/**\n * Combines multiple auth handlers with AND logic.\n * Returns allow if ALL handlers allow, deny if ANY denies.\n */\nexport function allOf<TRequest, TExtra>(\n  ...handlers: AuthHandler<TRequest, TExtra>[]\n): AuthHandler<TRequest, TExtra> {\n  return async (ctx) => {\n    for (const handler of handlers) {\n      const result = normalizeAuthResult(await handler(ctx));\n      if (!result.ok) {\n        return result;\n      }\n    }\n\n    return { ok: true };\n  };\n}\n"],"mappings":";AAoLO,SAAS,gBACd,MACA,SACmB;AACnB,SAAO;AAAA,IACL,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;;;AChLA,IAAM,UAAkD;AAAA;AAAA,EAEtD,KAAK;AAAA,IACH,SAAS;AAAA,IACT,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,YAAY;AAAA,IACZ,QAAQ;AAAA,IACR,kBAAkB;AAAA,IAClB,iBAAiB;AAAA,IACjB,cAAc;AAAA,EAChB;AAAA;AAAA,EAEA,QAAQ;AAAA,IACN,SAAS;AAAA,IACT,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,YAAY;AAAA,IACZ,QAAQ;AAAA,IACR,kBAAkB;AAAA,IAClB,iBAAiB;AAAA,IACjB,cAAc;AAAA,EAChB;AAAA;AAAA,EAEA,MAAM;AAAA,IACJ,SAAS;AAAA,IACT,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,YAAY;AAAA,IACZ,QAAQ;AAAA,IACR,kBAAkB;AAAA,IAClB,iBAAiB;AAAA,IACjB,cAAc;AAAA,EAChB;AAAA;AAAA,EAEA,SAAS;AAAA,IACP,SAAS;AAAA,IACT,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,YAAY;AAAA,IACZ,QAAQ;AAAA,IACR,kBAAkB;AAAA,IAClB,iBAAiB;AAAA,IACjB,cAAc;AAAA,EAChB;AAAA;AAAA,EAEA,UAAU;AAAA,IACR,SAAS;AAAA,IACT,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,YAAY;AAAA,IACZ,QAAQ;AAAA,IACR,kBAAkB;AAAA,IAClB,iBAAiB;AAAA,IACjB,cAAc;AAAA,EAChB;AACF;AAUO,SAAS,iBAAiB,QAAyC;AACxE,MAAI,WAAW,QAAW;AACxB,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,QAAQ,MAAM,KAAK,QAAQ;AAAA,EACpC;AAGA,SAAO;AAAA,IACL,GAAG,QAAQ;AAAA,IACX,GAAG;AAAA,EACL;AACF;AAKO,SAAS,eACd,OACA,QACS;AACT,QAAM,SAAS,iBAAiB,MAAM;AACtC,SAAO,OAAO,KAAK,KAAK;AAC1B;AAKO,SAAS,iBAAiB,QAAsC;AACrE,QAAM,SAAS,iBAAiB,MAAM;AACtC,QAAM,SAAsB,CAAC;AAE7B,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AACjD,QAAI,OAAO;AACT,aAAO,KAAK,GAAgB;AAAA,IAC9B;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,kBAAkB,QAAsC;AACtE,QAAM,SAAS,iBAAiB,MAAM;AACtC,QAAM,SAAsB,CAAC;AAE7B,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AACjD,QAAI,CAAC,OAAO;AACV,aAAO,KAAK,GAAgB;AAAA,IAC9B;AAAA,EACF;AAEA,SAAO;AACT;AAMO,SAAS,kBAAkB,QAA+B;AAC/D,QAAM,UAAU,iBAAiB,MAAM;AACvC,MAAI,QAAQ,WAAW,GAAG;AACxB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;;;ACrIO,SAAS,oBAAoB,QAAuC;AACzE,MAAI,WAAW,UAAa,WAAW,MAAM;AAC3C,WAAO,EAAE,IAAI,KAAK;AAAA,EACpB;AACA,SAAO;AACT;AAMO,SAAS,eACd,OACA,QAC2C;AAC3C,MAAI,CAAC,OAAQ,QAAO;AAGpB,QAAM,eAAe,OAAO,KAAK;AAGjC,MAAI,iBAAiB,QAAW;AAC9B,WAAO;AAAA,EACT;AAGA,SAAO,OAAO;AAChB;AAMA,eAAsB,QACpB,KACA,QACqB;AACrB,QAAM,UAAU,eAAe,IAAI,OAAO,MAAM;AAEhD,MAAI,CAAC,SAAS;AAEZ,WAAO,EAAE,IAAI,KAAK;AAAA,EACpB;AAEA,MAAI;AACF,UAAM,SAAS,MAAM,QAAQ,GAAG;AAChC,WAAO,oBAAoB,MAAM;AAAA,EACnC,SAAS,OAAO;AAEd,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,SAAS,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IACpD;AAAA,EACF;AACF;AAKO,SAAS,uBAAuB,QAIrC;AACA,SAAO;AAAA,IACL,QAAQ,OAAO,UAAU;AAAA,IACzB,MAAM,OAAO,QAAQ;AAAA,IACrB,SAAS,OAAO,WAAW;AAAA,EAC7B;AACF;AAMO,SAAS,iBAAiB,OAA2B;AAC1D,QAAM,kBAA+B;AAAA,IACnC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,SAAO,gBAAgB,SAAS,KAAK;AACvC;AAUO,SAAS,iBACd,aACA,UAII,CAAC,GAC2D;AAChE,QAAM,aAAa,QAAQ,UAAU;AAErC,SAAO,CAAC,EAAE,QAAQ,MAAM;AACtB,UAAM,MAAM,QAAQ,QAAQ,IAAI,UAAU;AAE1C,QAAI,CAAC,KAAK;AACR,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR,MAAM,QAAQ,QAAQ;AAAA,QACtB,SAAS,QAAQ,WAAW;AAAA,MAC9B;AAAA,IACF;AAEA,QAAI,QAAQ,aAAa;AACvB,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR,MAAM,QAAQ,QAAQ;AAAA,QACtB,SAAS,QAAQ,WAAW;AAAA,MAC9B;AAAA,IACF;AAEA,WAAO,EAAE,IAAI,KAAK;AAAA,EACpB;AACF;AAMO,SAAS,iBAGd,WAIA,UAGI,CAAC,GACkB;AACvB,SAAO,OAAO,QAAQ;AACpB,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI,eAAe;AAE1D,QAAI,CAAC,YAAY;AACf,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR,MAAM,QAAQ,QAAQ;AAAA,QACtB,SAAS,QAAQ,WAAW;AAAA,MAC9B;AAAA,IACF;AAEA,UAAM,QAAQ,WAAW,MAAM,kBAAkB;AACjD,QAAI,CAAC,OAAO;AACV,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR,MAAM,QAAQ,QAAQ;AAAA,QACtB,SACE,QAAQ,WACR;AAAA,MACJ;AAAA,IACF;AAEA,UAAM,QAAQ,MAAM,CAAC;AACrB,UAAM,UAAU,MAAM,UAAU,OAAO,GAAG;AAE1C,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR,MAAM,QAAQ,QAAQ;AAAA,QACtB,SAAS,QAAQ,WAAW;AAAA,MAC9B;AAAA,IACF;AAEA,WAAO,EAAE,IAAI,KAAK;AAAA,EACpB;AACF;AAMO,SAAS,SACX,UAC4B;AAC/B,SAAO,OAAO,QAAQ;AACpB,QAAI,WAAuC;AAAA,MACzC,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,SAAS;AAAA,IACX;AAEA,eAAW,WAAW,UAAU;AAC9B,YAAM,SAAS,oBAAoB,MAAM,QAAQ,GAAG,CAAC;AACrD,UAAI,OAAO,IAAI;AACb,eAAO;AAAA,MACT;AACA,iBAAW;AAAA,IACb;AAEA,WAAO;AAAA,EACT;AACF;AAMO,SAAS,SACX,UAC4B;AAC/B,SAAO,OAAO,QAAQ;AACpB,eAAW,WAAW,UAAU;AAC9B,YAAM,SAAS,oBAAoB,MAAM,QAAQ,GAAG,CAAC;AACrD,UAAI,CAAC,OAAO,IAAI;AACd,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO,EAAE,IAAI,KAAK;AAAA,EACpB;AACF;","names":[]}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@stepflowjs/adapter-shared",
+  "version": "0.0.1",
+  "description": "Shared utilities for Stepflow framework adapters",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "devDependencies": {
+    "tsup": "^8.5.1",
+    "typescript": "^5.8.3",
+    "vitest": "^4.0.17"
+  },
+  "license": "MIT",
+  "author": "Stepflow Contributors",
+  "repository": {
+    "type": "git",
+    "url": "https://stepflow-production.up.railway.app",
+    "directory": "packages/adapters/shared"
+  },
+  "homepage": "https://stepflow-production.up.railway.app",
+  "bugs": {
+    "url": "https://stepflow-production.up.railway.app"
+  },
+  "keywords": [
+    "stepflow",
+    "adapter",
+    "shared",
+    "utilities",
+    "workflow",
+    "orchestration"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest",
+    "clean": "rm -rf dist"
+  }
+}