npm - @treeseed/agent - Versions diffs - 0.8.5 - Mend

@treeseed/agent 0.8.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

package/Dockerfile +7 -0
package/README.md +198 -0
package/dist/agent-runtime.d.ts +17 -0
package/dist/agent-runtime.js +117 -0
package/dist/agents/adapters/execution.d.ts +41 -0
package/dist/agents/adapters/execution.js +73 -0
package/dist/agents/adapters/mutations.d.ts +22 -0
package/dist/agents/adapters/mutations.js +30 -0
package/dist/agents/adapters/notification.d.ts +26 -0
package/dist/agents/adapters/notification.js +46 -0
package/dist/agents/adapters/repository.d.ts +28 -0
package/dist/agents/adapters/repository.js +61 -0
package/dist/agents/adapters/research.d.ts +26 -0
package/dist/agents/adapters/research.js +59 -0
package/dist/agents/adapters/verification.d.ts +36 -0
package/dist/agents/adapters/verification.js +62 -0
package/dist/agents/cli-tools.d.ts +1 -0
package/dist/agents/cli-tools.js +5 -0
package/dist/agents/cli.d.ts +15 -0
package/dist/agents/cli.js +109 -0
package/dist/agents/contracts/messages.d.ts +88 -0
package/dist/agents/contracts/messages.js +138 -0
package/dist/agents/contracts/run.d.ts +21 -0
package/dist/agents/contracts/run.js +0 -0
package/dist/agents/index.d.ts +1 -0
package/dist/agents/index.js +5 -0
package/dist/agents/kernel/agent-kernel.d.ts +63 -0
package/dist/agents/kernel/agent-kernel.js +291 -0
package/dist/agents/kernel/trigger-resolver.d.ts +19 -0
package/dist/agents/kernel/trigger-resolver.js +157 -0
package/dist/agents/registry-helper.d.ts +4 -0
package/dist/agents/registry-helper.js +14 -0
package/dist/agents/registry.d.ts +6 -0
package/dist/agents/registry.js +98 -0
package/dist/agents/runtime-types.d.ts +118 -0
package/dist/agents/runtime-types.js +0 -0
package/dist/agents/spec-loader.d.ts +18 -0
package/dist/agents/spec-loader.js +54 -0
package/dist/agents/spec-normalizer.d.ts +2 -0
package/dist/agents/spec-normalizer.js +327 -0
package/dist/agents/spec-types.d.ts +64 -0
package/dist/agents/spec-types.js +0 -0
package/dist/agents/testing/agents-smoke.d.ts +1 -0
package/dist/agents/testing/agents-smoke.js +32 -0
package/dist/agents/testing/e2e-harness.d.ts +44 -0
package/dist/agents/testing/e2e-harness.js +503 -0
package/dist/api/agent-routes.d.ts +13 -0
package/dist/api/agent-routes.js +327 -0
package/dist/api/app.d.ts +8 -0
package/dist/api/app.js +444 -0
package/dist/api/auth/d1-database.d.ts +3 -0
package/dist/api/auth/d1-database.js +20 -0
package/dist/api/auth/d1-provider.d.ts +79 -0
package/dist/api/auth/d1-provider.js +92 -0
package/dist/api/auth/d1-store.d.ts +114 -0
package/dist/api/auth/d1-store.js +895 -0
package/dist/api/auth/memory-provider.d.ts +77 -0
package/dist/api/auth/memory-provider.js +249 -0
package/dist/api/auth/rbac.d.ts +22 -0
package/dist/api/auth/rbac.js +162 -0
package/dist/api/auth/tokens.d.ts +18 -0
package/dist/api/auth/tokens.js +56 -0
package/dist/api/capabilities.d.ts +9 -0
package/dist/api/capabilities.js +33 -0
package/dist/api/config.d.ts +2 -0
package/dist/api/config.js +77 -0
package/dist/api/http.d.ts +28 -0
package/dist/api/http.js +51 -0
package/dist/api/index.d.ts +9 -0
package/dist/api/index.js +20 -0
package/dist/api/operations-routes.d.ts +11 -0
package/dist/api/operations-routes.js +87 -0
package/dist/api/operations.d.ts +3 -0
package/dist/api/operations.js +26 -0
package/dist/api/project-routes.d.ts +8 -0
package/dist/api/project-routes.js +585 -0
package/dist/api/providers.d.ts +2 -0
package/dist/api/providers.js +62 -0
package/dist/api/railway.d.ts +51 -0
package/dist/api/railway.js +71 -0
package/dist/api/sdk-dispatch.d.ts +5 -0
package/dist/api/sdk-dispatch.js +13 -0
package/dist/api/sdk-routes.d.ts +11 -0
package/dist/api/sdk-routes.js +29 -0
package/dist/api/server.d.ts +2 -0
package/dist/api/server.js +10 -0
package/dist/api/templates.d.ts +3 -0
package/dist/api/templates.js +31 -0
package/dist/api/types.d.ts +237 -0
package/dist/api/types.js +0 -0
package/dist/env.yaml +957 -0
package/dist/index.d.ts +14 -0
package/dist/index.js +41 -0
package/dist/scripts/assert-release-tag-version.d.ts +1 -0
package/dist/scripts/assert-release-tag-version.js +20 -0
package/dist/scripts/build-dist.d.ts +1 -0
package/dist/scripts/build-dist.js +106 -0
package/dist/scripts/package-tools.d.ts +1 -0
package/dist/scripts/package-tools.js +7 -0
package/dist/scripts/publish-package.d.ts +1 -0
package/dist/scripts/publish-package.js +24 -0
package/dist/scripts/release-verify.d.ts +1 -0
package/dist/scripts/release-verify.js +152 -0
package/dist/scripts/test-smoke.d.ts +1 -0
package/dist/scripts/test-smoke.js +23 -0
package/dist/scripts/treeseed-agent-api.d.ts +2 -0
package/dist/scripts/treeseed-agent-api.js +25 -0
package/dist/scripts/treeseed-agent-service.d.ts +2 -0
package/dist/scripts/treeseed-agent-service.js +36 -0
package/dist/scripts/treeseed-agents.d.ts +2 -0
package/dist/scripts/treeseed-agents.js +13 -0
package/dist/services/agents.d.ts +17 -0
package/dist/services/agents.js +48 -0
package/dist/services/common.d.ts +66 -0
package/dist/services/common.js +212 -0
package/dist/services/index.d.ts +6 -0
package/dist/services/index.js +19 -0
package/dist/services/manager.d.ts +333 -0
package/dist/services/manager.js +1368 -0
package/dist/services/remote-runner.d.ts +30 -0
package/dist/services/remote-runner.js +230 -0
package/dist/services/workday-content.d.ts +53 -0
package/dist/services/workday-content.js +190 -0
package/dist/services/workday-manager.d.ts +391 -0
package/dist/services/workday-manager.js +163 -0
package/dist/services/workday-report.d.ts +238 -0
package/dist/services/workday-report.js +17 -0
package/dist/services/workday-start.d.ts +238 -0
package/dist/services/workday-start.js +17 -0
package/dist/services/worker-capacity.d.ts +58 -0
package/dist/services/worker-capacity.js +208 -0
package/dist/services/worker-pool-scaler.d.ts +27 -0
package/dist/services/worker-pool-scaler.js +127 -0
package/dist/services/worker.d.ts +19 -0
package/dist/services/worker.js +436 -0
package/dist/templates/github/deploy-processing.workflow.yml +119 -0
package/package.json +136 -0
package/templates/github/deploy-processing.workflow.yml +119 -0

package/dist/api/auth/memory-provider.d.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import type { ApiAuthProvider, ApiConfig, ApiPrincipal, DeviceCodeApproveRequest, DeviceCodePollRequest, DeviceCodePollResponse, DeviceCodeStartRequest, DeviceCodeStartResponse, TokenRefreshRequest, TokenRefreshResponse, TrustedUserAssertionClaims, UserIdentityProfileInput } from '../types.ts';
+export declare class MemoryDeviceCodeAuthProvider implements ApiAuthProvider {
+    private readonly config;
+    readonly id = "memory";
+    private readonly devices;
+    private readonly refreshSessions;
+    constructor(config: ApiConfig);
+    startDeviceFlow(request: DeviceCodeStartRequest): Promise<DeviceCodeStartResponse>;
+    approveDeviceFlow(request: DeviceCodeApproveRequest): Promise<{
+        ok: true;
+    }>;
+    pollDeviceFlow(request: DeviceCodePollRequest): Promise<DeviceCodePollResponse>;
+    refreshAccessToken(request: TokenRefreshRequest): Promise<TokenRefreshResponse>;
+    authenticateBearerToken(token: string): Promise<{
+        principal: ApiPrincipal;
+        credential: {
+            type: "access_token";
+            id: string;
+            label: "service" | "access";
+        };
+    } | null>;
+    authenticateServiceCredential(_serviceId: string, _secret: string): Promise<null>;
+    createPersonalAccessToken(_userId: string, _input: {
+        name: string;
+        scopes?: string[];
+        expiresAt?: string | null;
+    }): Promise<{
+        id: string;
+        token: string;
+        prefix: string;
+        name: string;
+        expiresAt: string | null;
+    }>;
+    listPersonalAccessTokens(): Promise<never[]>;
+    revokePersonalAccessToken(): Promise<void>;
+    syncUserIdentity(identity: UserIdentityProfileInput): Promise<{
+        userId: string;
+        identityId: string;
+        principal: {
+            id: string;
+            displayName: string | undefined;
+            scopes: string[];
+            roles: string[];
+            permissions: string[];
+            metadata: {
+                username: string | undefined;
+                firstName: string | undefined;
+                lastName: string | undefined;
+            };
+        };
+    }>;
+    createServiceToken(_input: {
+        serviceId: string;
+        name: string;
+        roles?: string[];
+        permissions?: string[];
+    }): Promise<{
+        id: string;
+        serviceId: string;
+        secret: string;
+    }>;
+    rotateServiceToken(_serviceId: string): Promise<{
+        id: string;
+        serviceId: string;
+        secret: string;
+    }>;
+    createTrustedUserAssertion(claims: TrustedUserAssertionClaims): string;
+    verifyTrustedUserAssertion(assertion: string): TrustedUserAssertionClaims | null;
+    exchangeTrustedUserAssertion(claims: TrustedUserAssertionClaims): Promise<{
+        ok: true;
+        accessToken: string;
+        tokenType: "Bearer";
+        expiresAt: string;
+        expiresInSeconds: number;
+        principal: ApiPrincipal;
+    }>;
+}

package/dist/api/auth/memory-provider.js ADDED Viewed

@@ -0,0 +1,249 @@
+import { randomUUID } from "node:crypto";
+import {
+  createAccessToken,
+  nextOpaqueToken,
+  principalFromAccessTokenPayload,
+  verifyAccessToken
+} from "./tokens.js";
+function nowSeconds() {
+  return Math.floor(Date.now() / 1e3);
+}
+function formatExpiry(epochSeconds) {
+  return new Date(epochSeconds * 1e3).toISOString();
+}
+function nextUserCode() {
+  return Math.random().toString(36).slice(2, 6).toUpperCase() + "-" + Math.random().toString(36).slice(2, 6).toUpperCase();
+}
+class MemoryDeviceCodeAuthProvider {
+  constructor(config) {
+    this.config = config;
+  }
+  config;
+  id = "memory";
+  devices = /* @__PURE__ */ new Map();
+  refreshSessions = /* @__PURE__ */ new Map();
+  async startDeviceFlow(request) {
+    const expiresAt = nowSeconds() + this.config.deviceCodeTtlSeconds;
+    const deviceCode = nextOpaqueToken("device");
+    const userCode = nextUserCode();
+    this.devices.set(deviceCode, {
+      deviceCode,
+      userCode,
+      requestedScopes: request.scopes?.length ? [...request.scopes] : ["templates:read", "auth:me", "sdk", "operations"],
+      expiresAt,
+      intervalSeconds: this.config.deviceCodePollIntervalSeconds,
+      status: "pending",
+      principal: null
+    });
+    return {
+      ok: true,
+      deviceCode,
+      userCode,
+      verificationUri: `${this.config.baseUrl}/auth/device/approve`,
+      verificationUriComplete: `${this.config.baseUrl}/auth/device/approve?user_code=${encodeURIComponent(userCode)}`,
+      intervalSeconds: this.config.deviceCodePollIntervalSeconds,
+      expiresAt: formatExpiry(expiresAt),
+      expiresInSeconds: this.config.deviceCodeTtlSeconds
+    };
+  }
+  async approveDeviceFlow(request) {
+    const record = [...this.devices.values()].find((entry) => entry.userCode === request.userCode);
+    if (!record || record.expiresAt <= nowSeconds()) {
+      throw new Error("Device code approval failed because the user code is unknown or expired.");
+    }
+    record.status = "approved";
+    record.principal = {
+      id: request.principalId,
+      displayName: request.displayName,
+      scopes: request.scopes?.length ? [...request.scopes] : [...record.requestedScopes],
+      roles: ["member"],
+      permissions: ["auth:read:self"],
+      metadata: request.metadata
+    };
+    return { ok: true };
+  }
+  async pollDeviceFlow(request) {
+    const record = this.devices.get(request.deviceCode);
+    if (!record) {
+      return { ok: false, status: "invalid", error: "Unknown device code." };
+    }
+    if (record.expiresAt <= nowSeconds()) {
+      this.devices.delete(request.deviceCode);
+      return { ok: false, status: "expired", error: "Device code expired." };
+    }
+    if (record.status === "pending" || !record.principal) {
+      return {
+        ok: true,
+        status: "pending",
+        intervalSeconds: record.intervalSeconds
+      };
+    }
+    if (record.status === "used") {
+      return { ok: false, status: "already_used", error: "Device code already used." };
+    }
+    record.status = "used";
+    const refreshToken = nextOpaqueToken("refresh");
+    const expiresAt = nowSeconds() + this.config.accessTokenTtlSeconds;
+    const accessToken = createAccessToken({
+      sub: record.principal.id,
+      displayName: record.principal.displayName,
+      scopes: record.principal.scopes,
+      roles: record.principal.roles,
+      permissions: record.principal.permissions,
+      metadata: record.principal.metadata,
+      iat: nowSeconds(),
+      exp: expiresAt,
+      iss: this.config.issuer,
+      jti: randomUUID(),
+      tokenType: "access"
+    }, this.config.authSecret);
+    this.refreshSessions.set(refreshToken, {
+      principal: record.principal,
+      expiresAt: nowSeconds() + this.config.refreshTokenTtlSeconds
+    });
+    return {
+      ok: true,
+      status: "approved",
+      accessToken,
+      refreshToken,
+      tokenType: "Bearer",
+      expiresAt: formatExpiry(expiresAt),
+      expiresInSeconds: this.config.accessTokenTtlSeconds,
+      principal: record.principal
+    };
+  }
+  async refreshAccessToken(request) {
+    const session = this.refreshSessions.get(request.refreshToken);
+    if (!session || session.expiresAt <= nowSeconds()) {
+      throw new Error("Refresh token is invalid or expired.");
+    }
+    const nextRefreshToken = nextOpaqueToken("refresh");
+    this.refreshSessions.delete(request.refreshToken);
+    this.refreshSessions.set(nextRefreshToken, {
+      principal: session.principal,
+      expiresAt: nowSeconds() + this.config.refreshTokenTtlSeconds
+    });
+    const expiresAt = nowSeconds() + this.config.accessTokenTtlSeconds;
+    const accessToken = createAccessToken({
+      sub: session.principal.id,
+      displayName: session.principal.displayName,
+      scopes: session.principal.scopes,
+      roles: session.principal.roles,
+      permissions: session.principal.permissions,
+      metadata: session.principal.metadata,
+      iat: nowSeconds(),
+      exp: expiresAt,
+      iss: this.config.issuer,
+      jti: randomUUID(),
+      tokenType: "access"
+    }, this.config.authSecret);
+    return {
+      ok: true,
+      accessToken,
+      refreshToken: nextRefreshToken,
+      tokenType: "Bearer",
+      expiresAt: formatExpiry(expiresAt),
+      expiresInSeconds: this.config.accessTokenTtlSeconds,
+      principal: session.principal
+    };
+  }
+  async authenticateBearerToken(token) {
+    const payload = verifyAccessToken(token, this.config.authSecret);
+    return payload ? {
+      principal: principalFromAccessTokenPayload(payload),
+      credential: {
+        type: "access_token",
+        id: payload.jti,
+        label: payload.tokenType
+      }
+    } : null;
+  }
+  async authenticateServiceCredential(_serviceId, _secret) {
+    return null;
+  }
+  async createPersonalAccessToken(_userId, _input) {
+    throw new Error("Personal access tokens are unavailable in the memory auth provider.");
+  }
+  async listPersonalAccessTokens() {
+    return [];
+  }
+  async revokePersonalAccessToken() {
+  }
+  async syncUserIdentity(identity) {
+    return {
+      userId: identity.providerSubject,
+      identityId: identity.providerSubject,
+      principal: {
+        id: identity.providerSubject,
+        displayName: identity.displayName ?? void 0,
+        scopes: ["auth:me"],
+        roles: ["member"],
+        permissions: ["auth:read:self"],
+        metadata: {
+          ...identity.profile ?? {},
+          username: identity.username ?? void 0,
+          firstName: typeof identity.profile?.firstName === "string" ? identity.profile.firstName : void 0,
+          lastName: typeof identity.profile?.lastName === "string" ? identity.profile.lastName : void 0
+        }
+      }
+    };
+  }
+  async createServiceToken(_input) {
+    throw new Error("Service credentials are unavailable in the memory auth provider.");
+  }
+  async rotateServiceToken(_serviceId) {
+    throw new Error("Service credentials are unavailable in the memory auth provider.");
+  }
+  createTrustedUserAssertion(claims) {
+    return Buffer.from(JSON.stringify(claims)).toString("base64url");
+  }
+  verifyTrustedUserAssertion(assertion) {
+    try {
+      return JSON.parse(Buffer.from(assertion, "base64url").toString("utf8"));
+    } catch {
+      return null;
+    }
+  }
+  async exchangeTrustedUserAssertion(claims) {
+    const principal = {
+      id: claims.userId,
+      displayName: claims.userId,
+      scopes: ["auth:me"],
+      roles: ["member"],
+      permissions: ["auth:read:self"],
+      metadata: {
+        sessionId: claims.sessionId,
+        identityId: claims.identityId,
+        teamId: claims.teamId ?? null,
+        projectId: claims.projectId ?? null,
+        membershipId: claims.membershipId ?? null,
+        teamRoles: claims.teamRoles ?? [],
+        teamCapabilities: claims.teamCapabilities ?? []
+      }
+    };
+    const expiresAt = nowSeconds() + this.config.accessTokenTtlSeconds;
+    return {
+      ok: true,
+      accessToken: createAccessToken({
+        sub: principal.id,
+        displayName: principal.displayName,
+        scopes: principal.scopes,
+        roles: principal.roles,
+        permissions: principal.permissions,
+        metadata: principal.metadata,
+        iat: nowSeconds(),
+        exp: expiresAt,
+        iss: this.config.issuer,
+        jti: randomUUID(),
+        tokenType: "access"
+      }, this.config.authSecret),
+      tokenType: "Bearer",
+      expiresAt: formatExpiry(expiresAt),
+      expiresInSeconds: this.config.accessTokenTtlSeconds,
+      principal
+    };
+  }
+}
+export {
+  MemoryDeviceCodeAuthProvider
+};

package/dist/api/auth/rbac.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+export declare const CONTENT_RESOURCES: readonly ["pages", "notes", "questions", "objectives", "proposals", "decisions", "people", "agents", "books", "templates", "knowledge_packs", "workdays"];
+export declare const PLATFORM_RESOURCES: readonly ["users", "roles", "api_tokens", "services", "jobs", "audit", "auth", "sdk", "agent", "operations"];
+export declare const ALL_PERMISSION_RESOURCES: readonly ["pages", "notes", "questions", "objectives", "proposals", "decisions", "people", "agents", "books", "templates", "knowledge_packs", "workdays", "users", "roles", "api_tokens", "services", "jobs", "audit", "auth", "sdk", "agent", "operations"];
+export type PermissionResource = (typeof ALL_PERMISSION_RESOURCES)[number];
+export type PermissionAction = 'read' | 'create' | 'update' | 'delete' | 'manage' | 'execute' | 'impersonate';
+export type PermissionScope = 'self' | 'global';
+export interface PermissionDefinition {
+    key: string;
+    resource: PermissionResource | '*';
+    action: PermissionAction | '*';
+    scope: PermissionScope | '*';
+    description: string;
+}
+export interface RoleDefinition {
+    key: string;
+    description: string;
+    permissions: string[];
+}
+export declare function permissionKey(resource: PermissionDefinition['resource'], action: PermissionDefinition['action'], scope: PermissionDefinition['scope']): string;
+export declare const DEFAULT_PERMISSIONS: PermissionDefinition[];
+export declare const DEFAULT_ROLES: RoleDefinition[];
+export declare function permissionGranted(granted: string[], required: string): boolean;

package/dist/api/auth/rbac.js ADDED Viewed

@@ -0,0 +1,162 @@
+const CONTENT_RESOURCES = [
+  "pages",
+  "notes",
+  "questions",
+  "objectives",
+  "proposals",
+  "decisions",
+  "people",
+  "agents",
+  "books",
+  "templates",
+  "knowledge_packs",
+  "workdays"
+];
+const PLATFORM_RESOURCES = [
+  "users",
+  "roles",
+  "api_tokens",
+  "services",
+  "jobs",
+  "audit",
+  "auth",
+  "sdk",
+  "agent",
+  "operations"
+];
+const ALL_PERMISSION_RESOURCES = [...CONTENT_RESOURCES, ...PLATFORM_RESOURCES];
+function permissionKey(resource, action, scope) {
+  return `${resource}:${action}:${scope}`;
+}
+function contentPermission(resource, action, scope, description) {
+  return {
+    key: permissionKey(resource, action, scope),
+    resource,
+    action,
+    scope,
+    description
+  };
+}
+const permissionDefinitions = [
+  {
+    key: permissionKey("*", "*", "*"),
+    resource: "*",
+    action: "*",
+    scope: "*",
+    description: "Full platform access."
+  },
+  contentPermission("auth", "read", "self", "Read the authenticated principal."),
+  contentPermission("api_tokens", "read", "self", "List personal API tokens."),
+  contentPermission("api_tokens", "create", "self", "Create personal API tokens."),
+  contentPermission("api_tokens", "delete", "self", "Revoke personal API tokens."),
+  contentPermission("services", "impersonate", "global", "Allow trusted web and service impersonation flows."),
+  contentPermission("services", "manage", "global", "Manage service credentials and internal service auth."),
+  contentPermission("users", "read", "global", "Read user records."),
+  contentPermission("users", "manage", "global", "Manage user records."),
+  contentPermission("roles", "manage", "global", "Manage role assignments."),
+  contentPermission("audit", "read", "global", "Read audit events."),
+  contentPermission("jobs", "manage", "global", "Manage internal job and worker control surfaces."),
+  contentPermission("sdk", "execute", "global", "Execute SDK routes."),
+  contentPermission("agent", "execute", "global", "Execute agent routes."),
+  contentPermission("operations", "execute", "global", "Execute workflow operation routes.")
+];
+for (const resource of CONTENT_RESOURCES) {
+  permissionDefinitions.push(
+    contentPermission(resource, "read", "global", `Read ${resource}.`),
+    contentPermission(resource, "create", "global", `Create ${resource}.`),
+    contentPermission(resource, "update", "global", `Update ${resource}.`),
+    contentPermission(resource, "delete", "global", `Delete ${resource}.`)
+  );
+}
+const DEFAULT_PERMISSIONS = permissionDefinitions;
+const DEFAULT_ROLES = [
+  {
+    key: "platform_admin",
+    description: "Full platform administration.",
+    permissions: [permissionKey("*", "*", "*")]
+  },
+  {
+    key: "market_admin",
+    description: "Manage market content and core operational surfaces.",
+    permissions: [
+      permissionKey("auth", "read", "self"),
+      permissionKey("api_tokens", "read", "self"),
+      permissionKey("api_tokens", "create", "self"),
+      permissionKey("api_tokens", "delete", "self"),
+      permissionKey("sdk", "execute", "global"),
+      permissionKey("agent", "execute", "global"),
+      permissionKey("operations", "execute", "global"),
+      permissionKey("users", "read", "global"),
+      permissionKey("audit", "read", "global"),
+      permissionKey("jobs", "manage", "global")
+    ]
+  },
+  {
+    key: "content_admin",
+    description: "Manage all content resources.",
+    permissions: [
+      permissionKey("auth", "read", "self"),
+      permissionKey("api_tokens", "read", "self"),
+      permissionKey("api_tokens", "create", "self"),
+      permissionKey("api_tokens", "delete", "self")
+    ]
+  },
+  {
+    key: "content_editor",
+    description: "Edit marketplace content.",
+    permissions: [
+      permissionKey("auth", "read", "self"),
+      permissionKey("api_tokens", "read", "self"),
+      permissionKey("api_tokens", "create", "self"),
+      permissionKey("api_tokens", "delete", "self")
+    ]
+  },
+  {
+    key: "member",
+    description: "Authenticated member with personal API tokens.",
+    permissions: [
+      permissionKey("auth", "read", "self"),
+      permissionKey("api_tokens", "read", "self"),
+      permissionKey("api_tokens", "create", "self"),
+      permissionKey("api_tokens", "delete", "self")
+    ]
+  },
+  {
+    key: "viewer",
+    description: "Read-only marketplace viewer.",
+    permissions: [permissionKey("auth", "read", "self")]
+  }
+];
+for (const role of DEFAULT_ROLES) {
+  if (role.key === "content_admin") {
+    for (const resource of CONTENT_RESOURCES) {
+      role.permissions.push(
+        permissionKey(resource, "read", "global"),
+        permissionKey(resource, "create", "global"),
+        permissionKey(resource, "update", "global"),
+        permissionKey(resource, "delete", "global")
+      );
+    }
+  }
+  if (role.key === "content_editor") {
+    for (const resource of CONTENT_RESOURCES) {
+      role.permissions.push(
+        permissionKey(resource, "read", "global"),
+        permissionKey(resource, "create", "global"),
+        permissionKey(resource, "update", "global")
+      );
+    }
+  }
+}
+function permissionGranted(granted, required) {
+  return granted.includes(permissionKey("*", "*", "*")) || granted.includes(required);
+}
+export {
+  ALL_PERMISSION_RESOURCES,
+  CONTENT_RESOURCES,
+  DEFAULT_PERMISSIONS,
+  DEFAULT_ROLES,
+  PLATFORM_RESOURCES,
+  permissionGranted,
+  permissionKey
+};

package/dist/api/auth/tokens.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import type { ApiPrincipal } from '../types.ts';
+export interface AccessTokenPayload {
+    sub: string;
+    displayName?: string;
+    scopes: string[];
+    roles: string[];
+    permissions: string[];
+    iat: number;
+    exp: number;
+    iss: string;
+    jti: string;
+    tokenType: 'access' | 'service';
+    metadata?: Record<string, unknown>;
+}
+export declare function nextOpaqueToken(prefix: string): string;
+export declare function createAccessToken(payload: AccessTokenPayload, secret: string): string;
+export declare function verifyAccessToken(token: string, secret: string): AccessTokenPayload | null;
+export declare function principalFromAccessTokenPayload(payload: AccessTokenPayload): ApiPrincipal;

package/dist/api/auth/tokens.js ADDED Viewed

@@ -0,0 +1,56 @@
+import { createHmac, randomBytes } from "node:crypto";
+function encodeBase64Url(value) {
+  return Buffer.from(value).toString("base64url");
+}
+function decodeBase64Url(value) {
+  return Buffer.from(value, "base64url").toString("utf8");
+}
+function sign(input, secret) {
+  return createHmac("sha256", secret).update(input).digest("base64url");
+}
+function nextOpaqueToken(prefix) {
+  return `${prefix}_${randomBytes(24).toString("base64url")}`;
+}
+function createAccessToken(payload, secret) {
+  const encodedPayload = encodeBase64Url(JSON.stringify(payload));
+  const encodedSignature = sign(encodedPayload, secret);
+  return `${encodedPayload}.${encodedSignature}`;
+}
+function verifyAccessToken(token, secret) {
+  const [encodedPayload, encodedSignature] = token.split(".");
+  if (!encodedPayload || !encodedSignature) {
+    return null;
+  }
+  const expected = sign(encodedPayload, secret);
+  if (expected !== encodedSignature) {
+    return null;
+  }
+  try {
+    const payload = JSON.parse(decodeBase64Url(encodedPayload));
+    if (!payload.sub || !Array.isArray(payload.scopes) || !payload.exp) {
+      return null;
+    }
+    if (payload.exp <= Math.floor(Date.now() / 1e3)) {
+      return null;
+    }
+    return payload;
+  } catch {
+    return null;
+  }
+}
+function principalFromAccessTokenPayload(payload) {
+  return {
+    id: payload.sub,
+    displayName: payload.displayName,
+    scopes: [...payload.scopes],
+    roles: [...payload.roles],
+    permissions: [...payload.permissions],
+    metadata: payload.metadata
+  };
+}
+export {
+  createAccessToken,
+  nextOpaqueToken,
+  principalFromAccessTokenPayload,
+  verifyAccessToken
+};

package/dist/api/capabilities.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { ApiPrincipal } from '@treeseed/sdk/remote';
+import { type ApiContext } from './http.ts';
+export declare function principalTeamCapabilities(principal: ApiPrincipal | null): string[];
+export declare function principalTeamRoles(principal: ApiPrincipal | null): string[];
+export declare function hasTeamCapability(principal: ApiPrincipal | null, capability: string): boolean;
+export declare function requireTeamCapability(c: ApiContext, capability: string): (Response & import("hono").TypedResponse<{
+    ok: false;
+    error: string;
+}, never, "json">) | null;

package/dist/api/capabilities.js ADDED Viewed

@@ -0,0 +1,33 @@
+import { jsonError } from "./http.js";
+function stringArray(value) {
+  return Array.isArray(value) ? [...new Set(value.filter((entry) => typeof entry === "string" && entry.trim().length > 0))] : [];
+}
+function principalTeamCapabilities(principal) {
+  return stringArray(principal?.metadata?.teamCapabilities);
+}
+function principalTeamRoles(principal) {
+  return stringArray(principal?.metadata?.teamRoles);
+}
+function hasTeamCapability(principal, capability) {
+  if (!principal) return false;
+  if (principal.permissions.includes("*:*:*") || principal.roles.includes("project_api") || principal.roles.includes("platform_admin")) {
+    return true;
+  }
+  const capabilities = principalTeamCapabilities(principal);
+  if (capabilities.includes(capability)) {
+    return true;
+  }
+  return principalTeamRoles(principal).includes("team_owner");
+}
+function requireTeamCapability(c, capability) {
+  if (!hasTeamCapability(c.get("principal"), capability)) {
+    return jsonError(c, 403, "Permission denied.", { capability });
+  }
+  return null;
+}
+export {
+  hasTeamCapability,
+  principalTeamCapabilities,
+  principalTeamRoles,
+  requireTeamCapability
+};

package/dist/api/config.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { ApiConfig } from './types.ts';
2	+ export declare function resolveApiConfig(env?: NodeJS.ProcessEnv): ApiConfig;