npm - @treeseed/agent - Versions diffs - 0.8.5 - Mend

@treeseed/agent 0.8.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

package/Dockerfile +7 -0
package/README.md +198 -0
package/dist/agent-runtime.d.ts +17 -0
package/dist/agent-runtime.js +117 -0
package/dist/agents/adapters/execution.d.ts +41 -0
package/dist/agents/adapters/execution.js +73 -0
package/dist/agents/adapters/mutations.d.ts +22 -0
package/dist/agents/adapters/mutations.js +30 -0
package/dist/agents/adapters/notification.d.ts +26 -0
package/dist/agents/adapters/notification.js +46 -0
package/dist/agents/adapters/repository.d.ts +28 -0
package/dist/agents/adapters/repository.js +61 -0
package/dist/agents/adapters/research.d.ts +26 -0
package/dist/agents/adapters/research.js +59 -0
package/dist/agents/adapters/verification.d.ts +36 -0
package/dist/agents/adapters/verification.js +62 -0
package/dist/agents/cli-tools.d.ts +1 -0
package/dist/agents/cli-tools.js +5 -0
package/dist/agents/cli.d.ts +15 -0
package/dist/agents/cli.js +109 -0
package/dist/agents/contracts/messages.d.ts +88 -0
package/dist/agents/contracts/messages.js +138 -0
package/dist/agents/contracts/run.d.ts +21 -0
package/dist/agents/contracts/run.js +0 -0
package/dist/agents/index.d.ts +1 -0
package/dist/agents/index.js +5 -0
package/dist/agents/kernel/agent-kernel.d.ts +63 -0
package/dist/agents/kernel/agent-kernel.js +291 -0
package/dist/agents/kernel/trigger-resolver.d.ts +19 -0
package/dist/agents/kernel/trigger-resolver.js +157 -0
package/dist/agents/registry-helper.d.ts +4 -0
package/dist/agents/registry-helper.js +14 -0
package/dist/agents/registry.d.ts +6 -0
package/dist/agents/registry.js +98 -0
package/dist/agents/runtime-types.d.ts +118 -0
package/dist/agents/runtime-types.js +0 -0
package/dist/agents/spec-loader.d.ts +18 -0
package/dist/agents/spec-loader.js +54 -0
package/dist/agents/spec-normalizer.d.ts +2 -0
package/dist/agents/spec-normalizer.js +327 -0
package/dist/agents/spec-types.d.ts +64 -0
package/dist/agents/spec-types.js +0 -0
package/dist/agents/testing/agents-smoke.d.ts +1 -0
package/dist/agents/testing/agents-smoke.js +32 -0
package/dist/agents/testing/e2e-harness.d.ts +44 -0
package/dist/agents/testing/e2e-harness.js +503 -0
package/dist/api/agent-routes.d.ts +13 -0
package/dist/api/agent-routes.js +327 -0
package/dist/api/app.d.ts +8 -0
package/dist/api/app.js +444 -0
package/dist/api/auth/d1-database.d.ts +3 -0
package/dist/api/auth/d1-database.js +20 -0
package/dist/api/auth/d1-provider.d.ts +79 -0
package/dist/api/auth/d1-provider.js +92 -0
package/dist/api/auth/d1-store.d.ts +114 -0
package/dist/api/auth/d1-store.js +895 -0
package/dist/api/auth/memory-provider.d.ts +77 -0
package/dist/api/auth/memory-provider.js +249 -0
package/dist/api/auth/rbac.d.ts +22 -0
package/dist/api/auth/rbac.js +162 -0
package/dist/api/auth/tokens.d.ts +18 -0
package/dist/api/auth/tokens.js +56 -0
package/dist/api/capabilities.d.ts +9 -0
package/dist/api/capabilities.js +33 -0
package/dist/api/config.d.ts +2 -0
package/dist/api/config.js +77 -0
package/dist/api/http.d.ts +28 -0
package/dist/api/http.js +51 -0
package/dist/api/index.d.ts +9 -0
package/dist/api/index.js +20 -0
package/dist/api/operations-routes.d.ts +11 -0
package/dist/api/operations-routes.js +87 -0
package/dist/api/operations.d.ts +3 -0
package/dist/api/operations.js +26 -0
package/dist/api/project-routes.d.ts +8 -0
package/dist/api/project-routes.js +585 -0
package/dist/api/providers.d.ts +2 -0
package/dist/api/providers.js +62 -0
package/dist/api/railway.d.ts +51 -0
package/dist/api/railway.js +71 -0
package/dist/api/sdk-dispatch.d.ts +5 -0
package/dist/api/sdk-dispatch.js +13 -0
package/dist/api/sdk-routes.d.ts +11 -0
package/dist/api/sdk-routes.js +29 -0
package/dist/api/server.d.ts +2 -0
package/dist/api/server.js +10 -0
package/dist/api/templates.d.ts +3 -0
package/dist/api/templates.js +31 -0
package/dist/api/types.d.ts +237 -0
package/dist/api/types.js +0 -0
package/dist/env.yaml +957 -0
package/dist/index.d.ts +14 -0
package/dist/index.js +41 -0
package/dist/scripts/assert-release-tag-version.d.ts +1 -0
package/dist/scripts/assert-release-tag-version.js +20 -0
package/dist/scripts/build-dist.d.ts +1 -0
package/dist/scripts/build-dist.js +106 -0
package/dist/scripts/package-tools.d.ts +1 -0
package/dist/scripts/package-tools.js +7 -0
package/dist/scripts/publish-package.d.ts +1 -0
package/dist/scripts/publish-package.js +24 -0
package/dist/scripts/release-verify.d.ts +1 -0
package/dist/scripts/release-verify.js +152 -0
package/dist/scripts/test-smoke.d.ts +1 -0
package/dist/scripts/test-smoke.js +23 -0
package/dist/scripts/treeseed-agent-api.d.ts +2 -0
package/dist/scripts/treeseed-agent-api.js +25 -0
package/dist/scripts/treeseed-agent-service.d.ts +2 -0
package/dist/scripts/treeseed-agent-service.js +36 -0
package/dist/scripts/treeseed-agents.d.ts +2 -0
package/dist/scripts/treeseed-agents.js +13 -0
package/dist/services/agents.d.ts +17 -0
package/dist/services/agents.js +48 -0
package/dist/services/common.d.ts +66 -0
package/dist/services/common.js +212 -0
package/dist/services/index.d.ts +6 -0
package/dist/services/index.js +19 -0
package/dist/services/manager.d.ts +333 -0
package/dist/services/manager.js +1368 -0
package/dist/services/remote-runner.d.ts +30 -0
package/dist/services/remote-runner.js +230 -0
package/dist/services/workday-content.d.ts +53 -0
package/dist/services/workday-content.js +190 -0
package/dist/services/workday-manager.d.ts +391 -0
package/dist/services/workday-manager.js +163 -0
package/dist/services/workday-report.d.ts +238 -0
package/dist/services/workday-report.js +17 -0
package/dist/services/workday-start.d.ts +238 -0
package/dist/services/workday-start.js +17 -0
package/dist/services/worker-capacity.d.ts +58 -0
package/dist/services/worker-capacity.js +208 -0
package/dist/services/worker-pool-scaler.d.ts +27 -0
package/dist/services/worker-pool-scaler.js +127 -0
package/dist/services/worker.d.ts +19 -0
package/dist/services/worker.js +436 -0
package/dist/templates/github/deploy-processing.workflow.yml +119 -0
package/package.json +136 -0
package/templates/github/deploy-processing.workflow.yml +119 -0

package/dist/api/app.js ADDED Viewed

@@ -0,0 +1,444 @@
+import crypto from "node:crypto";
+import { AgentSdk, TREESEED_REMOTE_CONTRACT_HEADER, TREESEED_REMOTE_CONTRACT_VERSION } from "@treeseed/sdk";
+import { Hono } from "hono";
+import { registerAgentRoutes } from "./agent-routes.js";
+import { resolveApiConfig } from "./config.js";
+import { bearerTokenFromRequest, jsonError, requirePermission, requireScope } from "./http.js";
+import { registerOperationRoutes } from "./operations-routes.js";
+import { resolveApiRuntimeProviders } from "./providers.js";
+import { registerProjectRoutes } from "./project-routes.js";
+import { registerSdkRoutes } from "./sdk-routes.js";
+import { loadTemplateCatalog } from "./templates.js";
+function mergeApiOptions(options) {
+  const baseConfig = resolveApiConfig();
+  return {
+    config: {
+      ...baseConfig,
+      ...options.config ?? {},
+      providers: {
+        ...baseConfig.providers,
+        ...options.config?.providers ?? {},
+        agents: {
+          ...baseConfig.providers.agents,
+          ...options.config?.providers?.agents ?? {}
+        }
+      }
+    },
+    surfaces: {
+      auth: true,
+      templates: true,
+      sdk: true,
+      agent: true,
+      operations: true,
+      project: true,
+      ...options.surfaces ?? {}
+    },
+    scopes: {
+      authMe: "auth:me",
+      sdk: "sdk",
+      agent: "agent",
+      operations: "operations",
+      ...options.scopes ?? {}
+    }
+  };
+}
+function normalizePrefix(prefix) {
+  if (!prefix?.trim()) return "";
+  const normalized = prefix.trim().replace(/\/+$/u, "");
+  return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+function principalScopes(permissions) {
+  const scopes = /* @__PURE__ */ new Set(["auth:me"]);
+  if (permissions.includes("*:*:*") || permissions.includes("sdk:execute:global")) scopes.add("sdk");
+  if (permissions.includes("*:*:*") || permissions.includes("agent:execute:global")) scopes.add("agent");
+  if (permissions.includes("*:*:*") || permissions.includes("operations:execute:global")) scopes.add("operations");
+  return [...scopes];
+}
+function buildProjectApiPrincipal(config) {
+  return {
+    id: `project:${config.projectId}`,
+    displayName: config.projectApiLabel,
+    roles: ["project_api"],
+    permissions: [...config.projectApiPermissions],
+    scopes: principalScopes(config.projectApiPermissions),
+    metadata: {
+      projectId: config.projectId
+    }
+  };
+}
+function matchesProjectApiKey(token, projectApiKey) {
+  if (!projectApiKey) return false;
+  const left = Buffer.from(token);
+  const right = Buffer.from(projectApiKey);
+  return left.length === right.length && crypto.timingSafeEqual(left, right);
+}
+function createTreeseedApiRouter(options = {}) {
+  const resolved = mergeApiOptions(options);
+  const runtimeProviders = resolveApiRuntimeProviders(resolved.config, options.runtimeProviders);
+  const sharedSdk = options.sdk ?? new AgentSdk({ repoRoot: resolved.config.repoRoot });
+  const app = new Hono();
+  const internalPrefix = normalizePrefix(options.internalPrefix);
+  const runtime = {
+    resolved,
+    runtimeProviders,
+    sharedSdk,
+    internalPrefix
+  };
+  const extensionMounts = [];
+  app.use("*", async (c, next) => {
+    c.set("requestId", crypto.randomUUID());
+    c.set("config", resolved.config);
+    c.set("principal", null);
+    c.set("actingUser", null);
+    c.set("credential", null);
+    c.set("actorType", "anonymous");
+    c.set("permissionGrants", []);
+    c.header(TREESEED_REMOTE_CONTRACT_HEADER, String(TREESEED_REMOTE_CONTRACT_VERSION));
+    await next();
+  });
+  app.use("*", async (c, next) => {
+    const serviceId = c.req.header("x-treeseed-service-id");
+    const serviceSecret = c.req.header("x-treeseed-service-secret");
+    if (serviceId && serviceSecret) {
+      const result = await runtimeProviders.auth.authenticateServiceCredential(serviceId, serviceSecret);
+      if (!result) {
+        return jsonError(c, 401, "Invalid internal service credential.");
+      }
+      c.set("principal", result.principal);
+      c.set("credential", result.credential);
+      c.set("actorType", "service");
+      c.set("permissionGrants", result.principal.permissions);
+    }
+    await next();
+  });
+  app.use("*", async (c, next) => {
+    const token = bearerTokenFromRequest(c.req.raw);
+    if (token) {
+      if (matchesProjectApiKey(token, resolved.config.projectApiKey)) {
+        const principal = buildProjectApiPrincipal(resolved.config);
+        c.set("principal", principal);
+        c.set("credential", {
+          type: "project_api_key",
+          id: resolved.config.projectId,
+          label: resolved.config.projectApiLabel
+        });
+        c.set("actorType", "project");
+        c.set("permissionGrants", principal.permissions);
+        await next();
+        return;
+      }
+      const result = await runtimeProviders.auth.authenticateBearerToken(token);
+      if (result) {
+        c.set("principal", result.principal);
+        c.set("credential", result.credential);
+        c.set("actorType", result.credential.type === "service_token" ? "service" : "user");
+        c.set("permissionGrants", result.principal.permissions);
+      }
+    }
+    await next();
+  });
+  app.use("*", async (c, next) => {
+    const assertion = c.req.header("x-treeseed-user-assertion");
+    if (c.get("actorType") === "service" && assertion) {
+      const claims = runtimeProviders.auth.verifyTrustedUserAssertion(assertion);
+      if (!claims) {
+        return jsonError(c, 401, "Invalid trusted user assertion.");
+      }
+      const exchange = await runtimeProviders.auth.exchangeTrustedUserAssertion(claims);
+      c.set("actingUser", exchange.principal);
+      c.set("principal", exchange.principal);
+      c.set("actorType", "user");
+      c.set("permissionGrants", exchange.principal.permissions);
+    }
+    await next();
+  });
+  app.get("/healthz", (c) => c.json({
+    ok: true,
+    service: resolved.config.name,
+    status: "ok",
+    requestId: c.get("requestId")
+  }));
+  app.get("/readyz", (c) => c.json({
+    ok: true,
+    ready: true,
+    providers: runtimeProviders.selections,
+    surfaces: resolved.surfaces
+  }));
+  app.get("/internal/capabilities", (c) => c.json({
+    ok: true,
+    payload: {
+      service: resolved.config.name,
+      capabilities: [
+        "graph.refresh",
+        "workday.manage",
+        "task.execute",
+        "report.publish",
+        "capacity-provider.heartbeat"
+      ]
+    }
+  }));
+  app.get("/internal/capacity-provider/health", (c) => c.json({
+    ok: true,
+    payload: {
+      ok: true,
+      status: process.env.TREESEED_PROCESSING_DRAIN === "1" ? "degraded" : "active",
+      capabilities: [
+        "graph.refresh",
+        "workday.manage",
+        "task.execute",
+        "report.publish"
+      ],
+      queueDepth: 0,
+      activeWorkers: Number(process.env.TREESEED_ACTIVE_WORKERS ?? 0),
+      draining: process.env.TREESEED_PROCESSING_DRAIN === "1",
+      checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  }));
+  app.post("/internal/capacity-provider/register", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    return c.json({
+      ok: true,
+      payload: {
+        id: String(body.id ?? process.env.TREESEED_CAPACITY_PROVIDER_ID ?? resolved.config.projectId),
+        teamId: String(body.teamId ?? process.env.TREESEED_CAPACITY_PROVIDER_TEAM_ID ?? resolved.config.projectId),
+        providerKind: "processing-host",
+        serviceBaseUrl: String(body.serviceBaseUrl ?? resolved.config.baseUrl),
+        environments: Array.isArray(body.environments) ? body.environments : ["local"],
+        capabilities: Array.isArray(body.capabilities) ? body.capabilities : ["graph.refresh", "workday.manage", "task.execute", "report.publish"],
+        status: "active",
+        heartbeatAt: (/* @__PURE__ */ new Date()).toISOString(),
+        limits: {
+          maxWorkers: Number(process.env.TREESEED_AGENT_POOL_MAX_WORKERS ?? 1),
+          dailyTaskCreditBudget: Number(process.env.TREESEED_WORKDAY_TASK_CREDIT_BUDGET ?? 100),
+          maxQueuedTasks: Number(process.env.TREESEED_MANAGER_MAX_QUEUED_TASKS ?? 100)
+        }
+      }
+    });
+  });
+  app.post("/internal/capacity-provider/heartbeat", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    return c.json({
+      ok: true,
+      payload: {
+        providerId: String(body.providerId ?? process.env.TREESEED_CAPACITY_PROVIDER_ID ?? resolved.config.projectId),
+        status: process.env.TREESEED_PROCESSING_DRAIN === "1" ? "degraded" : "active",
+        heartbeatAt: (/* @__PURE__ */ new Date()).toISOString(),
+        queueDepth: Number(body.queueDepth ?? 0),
+        activeWorkers: Number(body.activeWorkers ?? process.env.TREESEED_ACTIVE_WORKERS ?? 0),
+        draining: process.env.TREESEED_PROCESSING_DRAIN === "1"
+      }
+    });
+  });
+  if (resolved.surfaces.templates) {
+    app.get("/templates", (c) => c.json(loadTemplateCatalog(resolved.config)));
+    app.get("/search/templates", (c) => c.json(loadTemplateCatalog(resolved.config)));
+    app.get("/templates/:id", (c) => {
+      const catalog = loadTemplateCatalog(resolved.config);
+      const item = catalog.items.find((entry) => entry.id === c.req.param("id"));
+      return item ? c.json({ ok: true, payload: item }) : jsonError(c, 404, `Unknown template "${c.req.param("id")}".`);
+    });
+  }
+  if (resolved.surfaces.auth) {
+    app.post("/auth/device/start", async (c) => {
+      const body = await c.req.json().catch(() => ({}));
+      return c.json(await runtimeProviders.auth.startDeviceFlow(body));
+    });
+    app.post("/auth/device/poll", async (c) => {
+      const body = await c.req.json().catch(() => ({}));
+      const response = await runtimeProviders.auth.pollDeviceFlow(body);
+      return c.json(response, { status: response.ok ? 200 : response.status === "expired" ? 410 : 400 });
+    });
+    app.post("/auth/device/approve", async (c) => {
+      const body = await c.req.json().catch(() => ({}));
+      try {
+        return c.json(await runtimeProviders.auth.approveDeviceFlow(body));
+      } catch (error) {
+        return jsonError(c, 400, error instanceof Error ? error.message : String(error));
+      }
+    });
+    app.post("/auth/token/refresh", async (c) => {
+      const body = await c.req.json().catch(() => ({}));
+      try {
+        return c.json(await runtimeProviders.auth.refreshAccessToken(body));
+      } catch (error) {
+        return jsonError(c, 401, error instanceof Error ? error.message : String(error));
+      }
+    });
+    app.get("/auth/me", (c) => {
+      const unauthorized = requireScope(c, resolved.scopes.authMe);
+      if (unauthorized) return unauthorized;
+      return c.json({
+        ok: true,
+        payload: c.get("principal")
+      });
+    });
+    app.post("/auth/pat", async (c) => {
+      const unauthorized = requirePermission(c, "api_tokens:create:self");
+      if (unauthorized) return unauthorized;
+      const principal = c.get("principal");
+      const body = await c.req.json().catch(() => ({}));
+      if (!body.name?.trim() || !principal) {
+        return jsonError(c, 400, "Token name is required.");
+      }
+      return c.json({
+        ok: true,
+        payload: await runtimeProviders.auth.createPersonalAccessToken(principal.id, {
+          name: body.name.trim(),
+          scopes: body.scopes,
+          expiresAt: body.expiresAt ?? null
+        })
+      });
+    });
+    app.get("/auth/pat", async (c) => {
+      const unauthorized = requirePermission(c, "api_tokens:read:self");
+      if (unauthorized) return unauthorized;
+      const principal = c.get("principal");
+      if (!principal) return jsonError(c, 401, "Authentication required.");
+      return c.json({
+        ok: true,
+        payload: await runtimeProviders.auth.listPersonalAccessTokens(principal.id)
+      });
+    });
+    app.delete("/auth/pat/:id", async (c) => {
+      const unauthorized = requirePermission(c, "api_tokens:delete:self");
+      if (unauthorized) return unauthorized;
+      const principal = c.get("principal");
+      if (!principal) return jsonError(c, 401, "Authentication required.");
+      await runtimeProviders.auth.revokePersonalAccessToken(principal.id, c.req.param("id"));
+      return c.json({ ok: true });
+    });
+    app.post("/auth/admin/users", async (c) => {
+      const unauthorized = requirePermission(c, "users:manage:global");
+      if (unauthorized) return unauthorized;
+      if (!runtimeProviders.auth.createUser) {
+        return jsonError(c, 501, "User management is unavailable for this auth provider.");
+      }
+      const body = await c.req.json().catch(() => ({}));
+      return c.json({
+        ok: true,
+        payload: await runtimeProviders.auth.createUser({
+          email: body.email ?? null,
+          displayName: body.displayName ?? null,
+          metadata: typeof body.metadata === "object" && body.metadata ? body.metadata : {}
+        })
+      });
+    });
+    app.post("/auth/admin/users/:userId/roles", async (c) => {
+      const unauthorized = requirePermission(c, "roles:manage:global");
+      if (unauthorized) return unauthorized;
+      if (!runtimeProviders.auth.setUserRoles) {
+        return jsonError(c, 501, "Role management is unavailable for this auth provider.");
+      }
+      const body = await c.req.json().catch(() => ({}));
+      const roles = Array.isArray(body.roles) ? body.roles.map(String) : [];
+      return c.json({
+        ok: true,
+        payload: await runtimeProviders.auth.setUserRoles(c.req.param("userId"), roles)
+      });
+    });
+  }
+  app.post("/internal/auth/web/sync-user", async (c) => {
+    if (c.get("actorType") !== "service") {
+      return jsonError(c, 401, "Trusted service authentication required.");
+    }
+    const unauthorized = requirePermission(c, "services:impersonate:global");
+    if (unauthorized) return unauthorized;
+    const body = await c.req.json().catch(() => ({}));
+    return c.json({
+      ok: true,
+      payload: await runtimeProviders.auth.syncUserIdentity(body)
+    });
+  });
+  app.post("/internal/auth/web/exchange", async (c) => {
+    if (c.get("actorType") !== "service") {
+      return jsonError(c, 401, "Trusted service authentication required.");
+    }
+    const unauthorized = requirePermission(c, "services:impersonate:global");
+    if (unauthorized) return unauthorized;
+    const body = await c.req.json().catch(() => ({}));
+    return c.json(await runtimeProviders.auth.exchangeTrustedUserAssertion(body));
+  });
+  app.post("/internal/auth/service/token", async (c) => {
+    const unauthorized = requirePermission(c, "services:manage:global");
+    if (unauthorized) return unauthorized;
+    const body = await c.req.json().catch(() => ({}));
+    if (!body.serviceId?.trim() || !body.name?.trim()) {
+      return jsonError(c, 400, "serviceId and name are required.");
+    }
+    return c.json({
+      ok: true,
+      payload: await runtimeProviders.auth.createServiceToken({
+        serviceId: body.serviceId.trim(),
+        name: body.name.trim(),
+        roles: body.roles,
+        permissions: body.permissions
+      })
+    });
+  });
+  app.post("/internal/auth/service/rotate", async (c) => {
+    const unauthorized = requirePermission(c, "services:manage:global");
+    if (unauthorized) return unauthorized;
+    const body = await c.req.json().catch(() => ({}));
+    if (!body.serviceId?.trim()) {
+      return jsonError(c, 400, "serviceId is required.");
+    }
+    return c.json({
+      ok: true,
+      payload: await runtimeProviders.auth.rotateServiceToken(body.serviceId.trim())
+    });
+  });
+  if (resolved.surfaces.sdk) {
+    registerSdkRoutes(app, {
+      config: resolved.config,
+      sharedSdk,
+      scope: resolved.scopes.sdk,
+      prefix: internalPrefix
+    });
+  }
+  if (resolved.surfaces.agent) {
+    registerAgentRoutes(app, {
+      sdk: sharedSdk,
+      prefix: `${internalPrefix}/agent`,
+      scope: resolved.scopes.agent,
+      projectId: resolved.config.projectId,
+      defaultActor: "api"
+    });
+  }
+  if (resolved.surfaces.operations) {
+    registerOperationRoutes(app, {
+      config: resolved.config,
+      scope: resolved.scopes.operations,
+      prefix: internalPrefix,
+      sdk: sharedSdk,
+      executeOperation: options.workflowExecutor
+    });
+  }
+  if (resolved.surfaces.project) {
+    registerProjectRoutes(app, {
+      config: resolved.config,
+      sharedSdk
+    });
+  }
+  for (const extension of options.extensions ?? []) {
+    const mounted = extension.mount(app, runtime);
+    if (mounted && typeof mounted.then === "function") {
+      extensionMounts.push(mounted);
+    }
+  }
+  options.extendApp?.(app, runtime);
+  if (extensionMounts.length > 0) {
+    app.use("*", async (_c, next) => {
+      await Promise.all(extensionMounts);
+      await next();
+    });
+  }
+  app.notFound((c) => jsonError(c, 404, "Not found."));
+  return app;
+}
+function createTreeseedApiApp(options = {}) {
+  return createTreeseedApiRouter(options);
+}
+export {
+  createTreeseedApiApp,
+  createTreeseedApiRouter
+};

package/dist/api/auth/d1-database.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { D1DatabaseLike } from '@treeseed/sdk/types/cloudflare';
+import type { ApiConfig } from '../types.ts';
+export declare function resolveApiD1Database(config: ApiConfig): D1DatabaseLike;

package/dist/api/auth/d1-database.js ADDED Viewed

@@ -0,0 +1,20 @@
+import { CloudflareHttpD1Database } from "@treeseed/sdk";
+import { NodeSqliteD1Database } from "@treeseed/sdk/db/node-sqlite";
+function resolveApiD1Database(config) {
+  if (config.cloudflareAccountId && config.cloudflareApiToken && config.d1DatabaseId) {
+    return new CloudflareHttpD1Database({
+      accountId: config.cloudflareAccountId,
+      apiToken: config.cloudflareApiToken,
+      databaseId: config.d1DatabaseId
+    });
+  }
+  if (config.d1LocalPersistTo || config.d1DatabaseName) {
+    return new NodeSqliteD1Database(config.d1LocalPersistTo);
+  }
+  throw new Error(
+    "Treeseed API auth requires either CLOUDFLARE_ACCOUNT_ID + CLOUDFLARE_API_TOKEN + TREESEED_API_D1_DATABASE_ID for remote D1 access, or TREESEED_API_D1_LOCAL_PERSIST_TO for local SQLite-backed D1-compatible access."
+  );
+}
+export {
+  resolveApiD1Database
+};

package/dist/api/auth/d1-provider.d.ts ADDED Viewed

@@ -0,0 +1,79 @@
+import type { D1DatabaseLike } from '@treeseed/sdk/types/cloudflare';
+import type { ApiAuthProvider, ApiConfig, ApiCredential, ApiPrincipal, DeviceCodeApproveRequest, DeviceCodePollRequest, DeviceCodePollResponse, DeviceCodeStartRequest, DeviceCodeStartResponse, TokenRefreshRequest, TokenRefreshResponse, TrustedUserAssertionClaims, UserIdentityProfileInput } from '../types.ts';
+export declare class D1AuthProvider implements ApiAuthProvider {
+    private readonly config;
+    readonly id = "d1";
+    private readonly store;
+    constructor(config: ApiConfig, options?: {
+        db?: D1DatabaseLike;
+    });
+    startDeviceFlow(request: DeviceCodeStartRequest): Promise<DeviceCodeStartResponse>;
+    pollDeviceFlow(request: DeviceCodePollRequest): Promise<DeviceCodePollResponse>;
+    refreshAccessToken(request: TokenRefreshRequest): Promise<TokenRefreshResponse>;
+    approveDeviceFlow(request: DeviceCodeApproveRequest): Promise<{
+        ok: true;
+    }>;
+    authenticateBearerToken(token: string): Promise<{
+        principal: ApiPrincipal;
+        credential: ApiCredential;
+    } | null>;
+    authenticateServiceCredential(serviceId: string, secret: string): Promise<{
+        principal: ApiPrincipal;
+        credential: ApiCredential;
+    } | null>;
+    createPersonalAccessToken(userId: string, input: {
+        name: string;
+        scopes?: string[];
+        expiresAt?: string | null;
+    }): Promise<{
+        id: `${string}-${string}-${string}-${string}-${string}`;
+        token: string;
+        prefix: string;
+        name: string;
+        expiresAt: string | null;
+    }>;
+    listPersonalAccessTokens(userId: string): Promise<{
+        id: string;
+        name: string;
+        token_prefix: string;
+        expires_at: string | null;
+        last_used_at: string | null;
+        revoked_at: string | null;
+        created_at: string;
+    }[]>;
+    revokePersonalAccessToken(userId: string, tokenId: string): Promise<void>;
+    syncUserIdentity(identity: UserIdentityProfileInput): Promise<{
+        identityId: string | null;
+        principal: ApiPrincipal;
+        userId: string;
+    }>;
+    createUser(input: {
+        email?: string | null;
+        displayName?: string | null;
+        metadata?: Record<string, unknown>;
+    }): Promise<{
+        principal: ApiPrincipal;
+        userId: string;
+    }>;
+    setUserRoles(userId: string, roles: string[]): Promise<{
+        principal: ApiPrincipal;
+        userId: string;
+    }>;
+    createServiceToken(input: {
+        serviceId: string;
+        name: string;
+        roles?: string[];
+        permissions?: string[];
+    }): Promise<import("./d1-store.ts").ServiceCredentialResult>;
+    rotateServiceToken(serviceId: string): Promise<import("./d1-store.ts").ServiceCredentialResult>;
+    createTrustedUserAssertion(claims: TrustedUserAssertionClaims): string;
+    verifyTrustedUserAssertion(assertion: string): TrustedUserAssertionClaims | null;
+    exchangeTrustedUserAssertion(claims: TrustedUserAssertionClaims): Promise<{
+        ok: true;
+        accessToken: string;
+        tokenType: "Bearer";
+        expiresAt: string;
+        expiresInSeconds: number;
+        principal: ApiPrincipal;
+    }>;
+}

package/dist/api/auth/d1-provider.js ADDED Viewed

@@ -0,0 +1,92 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+import { D1AuthStore } from "./d1-store.js";
+function encodePayload(payload) {
+  return Buffer.from(JSON.stringify(payload)).toString("base64url");
+}
+function decodePayload(value) {
+  return JSON.parse(Buffer.from(value, "base64url").toString("utf8"));
+}
+function signPayload(payload, secret) {
+  return createHmac("sha256", secret).update(payload).digest("base64url");
+}
+function safeEqual(left, right) {
+  const leftBuffer = Buffer.from(left);
+  const rightBuffer = Buffer.from(right);
+  return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
+class D1AuthProvider {
+  constructor(config, options = {}) {
+    this.config = config;
+    if (!options.db) {
+      throw new Error("D1AuthProvider requires an explicit database binding or adapter.");
+    }
+    this.store = new D1AuthStore(config, options.db);
+  }
+  config;
+  id = "d1";
+  store;
+  startDeviceFlow(request) {
+    return this.store.startDeviceFlow(request);
+  }
+  pollDeviceFlow(request) {
+    return this.store.pollDeviceFlow(request);
+  }
+  refreshAccessToken(request) {
+    return this.store.refreshAccessToken(request);
+  }
+  approveDeviceFlow(request) {
+    return this.store.approveDeviceFlow(request);
+  }
+  authenticateBearerToken(token) {
+    return this.store.authenticateBearerToken(token);
+  }
+  authenticateServiceCredential(serviceId, secret) {
+    return this.store.authenticateService(serviceId, secret);
+  }
+  createPersonalAccessToken(userId, input) {
+    return this.store.createPersonalAccessToken(userId, input);
+  }
+  listPersonalAccessTokens(userId) {
+    return this.store.listPersonalAccessTokens(userId);
+  }
+  revokePersonalAccessToken(userId, tokenId) {
+    return this.store.revokePersonalAccessToken(userId, tokenId);
+  }
+  syncUserIdentity(identity) {
+    return this.store.syncUser(identity);
+  }
+  createUser(input) {
+    return this.store.createUser(input);
+  }
+  setUserRoles(userId, roles) {
+    return this.store.setUserRoles(userId, roles);
+  }
+  createServiceToken(input) {
+    return this.store.createServiceCredential(input);
+  }
+  rotateServiceToken(serviceId) {
+    return this.store.rotateServiceCredential(serviceId);
+  }
+  createTrustedUserAssertion(claims) {
+    const payload = encodePayload(claims);
+    const signature = signPayload(payload, this.config.webAssertionSecret);
+    return `${payload}.${signature}`;
+  }
+  verifyTrustedUserAssertion(assertion) {
+    const [payload, signature] = assertion.split(".");
+    if (!payload || !signature) return null;
+    const expectedSignature = signPayload(payload, this.config.webAssertionSecret);
+    if (!safeEqual(signature, expectedSignature)) return null;
+    const claims = decodePayload(payload);
+    if (!claims.expiresAt || new Date(claims.expiresAt).getTime() <= Date.now()) {
+      return null;
+    }
+    return claims;
+  }
+  exchangeTrustedUserAssertion(claims) {
+    return this.store.exchangeTrustedUserAssertion(claims);
+  }
+}
+export {
+  D1AuthProvider
+};