@treeseed/core 0.4.2 → 0.4.5

package/dist/api/auth/memory-provider.js

@@ -0,0 +1,239 @@
+import { randomUUID } from "node:crypto";
+import {
+  createAccessToken,
+  nextOpaqueToken,
+  principalFromAccessTokenPayload,
+  verifyAccessToken
+} from "./tokens.js";
+function nowSeconds() {
+  return Math.floor(Date.now() / 1e3);
+}
+function formatExpiry(epochSeconds) {
+  return new Date(epochSeconds * 1e3).toISOString();
+}
+function nextUserCode() {
+  return Math.random().toString(36).slice(2, 6).toUpperCase() + "-" + Math.random().toString(36).slice(2, 6).toUpperCase();
+}
+class MemoryDeviceCodeAuthProvider {
+  constructor(config) {
+    this.config = config;
+  }
+  config;
+  id = "memory";
+  devices = /* @__PURE__ */ new Map();
+  refreshSessions = /* @__PURE__ */ new Map();
+  async startDeviceFlow(request) {
+    const expiresAt = nowSeconds() + this.config.deviceCodeTtlSeconds;
+    const deviceCode = nextOpaqueToken("device");
+    const userCode = nextUserCode();
+    this.devices.set(deviceCode, {
+      deviceCode,
+      userCode,
+      requestedScopes: request.scopes?.length ? [...request.scopes] : ["templates:read", "auth:me", "sdk", "operations"],
+      expiresAt,
+      intervalSeconds: this.config.deviceCodePollIntervalSeconds,
+      status: "pending",
+      principal: null
+    });
+    return {
+      ok: true,
+      deviceCode,
+      userCode,
+      verificationUri: `${this.config.baseUrl}/auth/device/approve`,
+      verificationUriComplete: `${this.config.baseUrl}/auth/device/approve?user_code=${encodeURIComponent(userCode)}`,
+      intervalSeconds: this.config.deviceCodePollIntervalSeconds,
+      expiresAt: formatExpiry(expiresAt),
+      expiresInSeconds: this.config.deviceCodeTtlSeconds
+    };
+  }
+  async approveDeviceFlow(request) {
+    const record = [...this.devices.values()].find((entry) => entry.userCode === request.userCode);
+    if (!record || record.expiresAt <= nowSeconds()) {
+      throw new Error("Device code approval failed because the user code is unknown or expired.");
+    }
+    record.status = "approved";
+    record.principal = {
+      id: request.principalId,
+      displayName: request.displayName,
+      scopes: request.scopes?.length ? [...request.scopes] : [...record.requestedScopes],
+      roles: ["member"],
+      permissions: ["auth:read:self"],
+      metadata: request.metadata
+    };
+    return { ok: true };
+  }
+  async pollDeviceFlow(request) {
+    const record = this.devices.get(request.deviceCode);
+    if (!record) {
+      return { ok: false, status: "invalid", error: "Unknown device code." };
+    }
+    if (record.expiresAt <= nowSeconds()) {
+      this.devices.delete(request.deviceCode);
+      return { ok: false, status: "expired", error: "Device code expired." };
+    }
+    if (record.status === "pending" || !record.principal) {
+      return {
+        ok: true,
+        status: "pending",
+        intervalSeconds: record.intervalSeconds
+      };
+    }
+    if (record.status === "used") {
+      return { ok: false, status: "already_used", error: "Device code already used." };
+    }
+    record.status = "used";
+    const refreshToken = nextOpaqueToken("refresh");
+    const expiresAt = nowSeconds() + this.config.accessTokenTtlSeconds;
+    const accessToken = createAccessToken({
+      sub: record.principal.id,
+      displayName: record.principal.displayName,
+      scopes: record.principal.scopes,
+      roles: record.principal.roles,
+      permissions: record.principal.permissions,
+      metadata: record.principal.metadata,
+      iat: nowSeconds(),
+      exp: expiresAt,
+      iss: this.config.issuer,
+      jti: randomUUID(),
+      tokenType: "access"
+    }, this.config.authSecret);
+    this.refreshSessions.set(refreshToken, {
+      principal: record.principal,
+      expiresAt: nowSeconds() + this.config.refreshTokenTtlSeconds
+    });
+    return {
+      ok: true,
+      status: "approved",
+      accessToken,
+      refreshToken,
+      tokenType: "Bearer",
+      expiresAt: formatExpiry(expiresAt),
+      expiresInSeconds: this.config.accessTokenTtlSeconds,
+      principal: record.principal
+    };
+  }
+  async refreshAccessToken(request) {
+    const session = this.refreshSessions.get(request.refreshToken);
+    if (!session || session.expiresAt <= nowSeconds()) {
+      throw new Error("Refresh token is invalid or expired.");
+    }
+    const nextRefreshToken = nextOpaqueToken("refresh");
+    this.refreshSessions.delete(request.refreshToken);
+    this.refreshSessions.set(nextRefreshToken, {
+      principal: session.principal,
+      expiresAt: nowSeconds() + this.config.refreshTokenTtlSeconds
+    });
+    const expiresAt = nowSeconds() + this.config.accessTokenTtlSeconds;
+    const accessToken = createAccessToken({
+      sub: session.principal.id,
+      displayName: session.principal.displayName,
+      scopes: session.principal.scopes,
+      roles: session.principal.roles,
+      permissions: session.principal.permissions,
+      metadata: session.principal.metadata,
+      iat: nowSeconds(),
+      exp: expiresAt,
+      iss: this.config.issuer,
+      jti: randomUUID(),
+      tokenType: "access"
+    }, this.config.authSecret);
+    return {
+      ok: true,
+      accessToken,
+      refreshToken: nextRefreshToken,
+      tokenType: "Bearer",
+      expiresAt: formatExpiry(expiresAt),
+      expiresInSeconds: this.config.accessTokenTtlSeconds,
+      principal: session.principal
+    };
+  }
+  async authenticateBearerToken(token) {
+    const payload = verifyAccessToken(token, this.config.authSecret);
+    return payload ? {
+      principal: principalFromAccessTokenPayload(payload),
+      credential: {
+        type: "access_token",
+        id: payload.jti,
+        label: payload.tokenType
+      }
+    } : null;
+  }
+  async authenticateServiceCredential(_serviceId, _secret) {
+    return null;
+  }
+  async createPersonalAccessToken(_userId, _input) {
+    throw new Error("Personal access tokens are unavailable in the memory auth provider.");
+  }
+  async listPersonalAccessTokens() {
+    return [];
+  }
+  async revokePersonalAccessToken() {
+  }
+  async syncUserIdentity(identity) {
+    return {
+      userId: identity.providerSubject,
+      identityId: identity.providerSubject,
+      principal: {
+        id: identity.providerSubject,
+        displayName: identity.displayName ?? void 0,
+        scopes: ["auth:me"],
+        roles: ["member"],
+        permissions: ["auth:read:self"],
+        metadata: identity.profile
+      }
+    };
+  }
+  async createServiceToken(_input) {
+    throw new Error("Service credentials are unavailable in the memory auth provider.");
+  }
+  async rotateServiceToken(_serviceId) {
+    throw new Error("Service credentials are unavailable in the memory auth provider.");
+  }
+  createTrustedUserAssertion(claims) {
+    return Buffer.from(JSON.stringify(claims)).toString("base64url");
+  }
+  verifyTrustedUserAssertion(assertion) {
+    try {
+      return JSON.parse(Buffer.from(assertion, "base64url").toString("utf8"));
+    } catch {
+      return null;
+    }
+  }
+  async exchangeTrustedUserAssertion(claims) {
+    const principal = {
+      id: claims.userId,
+      displayName: claims.userId,
+      scopes: ["auth:me"],
+      roles: ["member"],
+      permissions: ["auth:read:self"],
+      metadata: {
+        sessionId: claims.sessionId,
+        identityId: claims.identityId
+      }
+    };
+    const expiresAt = nowSeconds() + this.config.accessTokenTtlSeconds;
+    return {
+      ok: true,
+      accessToken: createAccessToken({
+        sub: principal.id,
+        displayName: principal.displayName,
+        scopes: principal.scopes,
+        roles: principal.roles,
+        permissions: principal.permissions,
+        metadata: principal.metadata,
+        iat: nowSeconds(),
+        exp: expiresAt,
+        iss: this.config.issuer,
+        jti: randomUUID(),
+        tokenType: "access"
+      }, this.config.authSecret),
+      tokenType: "Bearer",
+      expiresAt: formatExpiry(expiresAt),
+      expiresInSeconds: this.config.accessTokenTtlSeconds,
+      principal
+    };
+  }
+}
+export {
+  MemoryDeviceCodeAuthProvider
+};

package/dist/api/auth/rbac.d.ts

@@ -0,0 +1,22 @@
+export declare const CONTENT_RESOURCES: readonly ["pages", "notes", "questions", "objectives", "people", "agents", "books", "templates", "knowledge_downloads"];
+export declare const PLATFORM_RESOURCES: readonly ["users", "roles", "api_tokens", "services", "jobs", "audit", "auth", "sdk", "agent", "operations"];
+export declare const ALL_PERMISSION_RESOURCES: readonly ["pages", "notes", "questions", "objectives", "people", "agents", "books", "templates", "knowledge_downloads", "users", "roles", "api_tokens", "services", "jobs", "audit", "auth", "sdk", "agent", "operations"];
+export type PermissionResource = (typeof ALL_PERMISSION_RESOURCES)[number];
+export type PermissionAction = 'read' | 'create' | 'update' | 'delete' | 'manage' | 'execute' | 'impersonate';
+export type PermissionScope = 'self' | 'global';
+export interface PermissionDefinition {
+    key: string;
+    resource: PermissionResource | '*';
+    action: PermissionAction | '*';
+    scope: PermissionScope | '*';
+    description: string;
+}
+export interface RoleDefinition {
+    key: string;
+    description: string;
+    permissions: string[];
+}
+export declare function permissionKey(resource: PermissionDefinition['resource'], action: PermissionDefinition['action'], scope: PermissionDefinition['scope']): string;
+export declare const DEFAULT_PERMISSIONS: PermissionDefinition[];
+export declare const DEFAULT_ROLES: RoleDefinition[];
+export declare function permissionGranted(granted: string[], required: string): boolean;

package/dist/api/auth/rbac.js

@@ -0,0 +1,158 @@
+const CONTENT_RESOURCES = [
+  "pages",
+  "notes",
+  "questions",
+  "objectives",
+  "people",
+  "agents",
+  "books",
+  "templates",
+  "knowledge_downloads"
+];
+const PLATFORM_RESOURCES = [
+  "users",
+  "roles",
+  "api_tokens",
+  "services",
+  "jobs",
+  "audit",
+  "auth",
+  "sdk",
+  "agent",
+  "operations"
+];
+const ALL_PERMISSION_RESOURCES = [...CONTENT_RESOURCES, ...PLATFORM_RESOURCES];
+function permissionKey(resource, action, scope) {
+  return `${resource}:${action}:${scope}`;
+}
+function contentPermission(resource, action, scope, description) {
+  return {
+    key: permissionKey(resource, action, scope),
+    resource,
+    action,
+    scope,
+    description
+  };
+}
+const permissionDefinitions = [
+  {
+    key: permissionKey("*", "*", "*"),
+    resource: "*",
+    action: "*",
+    scope: "*",
+    description: "Full platform access."
+  },
+  contentPermission("auth", "read", "self", "Read the authenticated principal."),
+  contentPermission("api_tokens", "read", "self", "List personal API tokens."),
+  contentPermission("api_tokens", "create", "self", "Create personal API tokens."),
+  contentPermission("api_tokens", "delete", "self", "Revoke personal API tokens."),
+  contentPermission("services", "impersonate", "global", "Allow trusted web and service impersonation flows."),
+  contentPermission("services", "manage", "global", "Manage service credentials and internal service auth."),
+  contentPermission("users", "read", "global", "Read user records."),
+  contentPermission("roles", "manage", "global", "Manage role assignments."),
+  contentPermission("audit", "read", "global", "Read audit events."),
+  contentPermission("jobs", "manage", "global", "Manage internal job and worker control surfaces."),
+  contentPermission("sdk", "execute", "global", "Execute SDK routes."),
+  contentPermission("agent", "execute", "global", "Execute agent routes."),
+  contentPermission("operations", "execute", "global", "Execute workflow operation routes.")
+];
+for (const resource of CONTENT_RESOURCES) {
+  permissionDefinitions.push(
+    contentPermission(resource, "read", "global", `Read ${resource}.`),
+    contentPermission(resource, "create", "global", `Create ${resource}.`),
+    contentPermission(resource, "update", "global", `Update ${resource}.`),
+    contentPermission(resource, "delete", "global", `Delete ${resource}.`)
+  );
+}
+const DEFAULT_PERMISSIONS = permissionDefinitions;
+const DEFAULT_ROLES = [
+  {
+    key: "platform_admin",
+    description: "Full platform administration.",
+    permissions: [permissionKey("*", "*", "*")]
+  },
+  {
+    key: "market_admin",
+    description: "Manage market content and core operational surfaces.",
+    permissions: [
+      permissionKey("auth", "read", "self"),
+      permissionKey("api_tokens", "read", "self"),
+      permissionKey("api_tokens", "create", "self"),
+      permissionKey("api_tokens", "delete", "self"),
+      permissionKey("sdk", "execute", "global"),
+      permissionKey("agent", "execute", "global"),
+      permissionKey("operations", "execute", "global"),
+      permissionKey("users", "read", "global"),
+      permissionKey("audit", "read", "global"),
+      permissionKey("jobs", "manage", "global")
+    ]
+  },
+  {
+    key: "content_admin",
+    description: "Manage all content resources.",
+    permissions: [
+      permissionKey("auth", "read", "self"),
+      permissionKey("api_tokens", "read", "self"),
+      permissionKey("api_tokens", "create", "self"),
+      permissionKey("api_tokens", "delete", "self")
+    ]
+  },
+  {
+    key: "content_editor",
+    description: "Edit marketplace content.",
+    permissions: [
+      permissionKey("auth", "read", "self"),
+      permissionKey("api_tokens", "read", "self"),
+      permissionKey("api_tokens", "create", "self"),
+      permissionKey("api_tokens", "delete", "self")
+    ]
+  },
+  {
+    key: "member",
+    description: "Authenticated member with personal API tokens.",
+    permissions: [
+      permissionKey("auth", "read", "self"),
+      permissionKey("api_tokens", "read", "self"),
+      permissionKey("api_tokens", "create", "self"),
+      permissionKey("api_tokens", "delete", "self")
+    ]
+  },
+  {
+    key: "viewer",
+    description: "Read-only marketplace viewer.",
+    permissions: [permissionKey("auth", "read", "self")]
+  }
+];
+for (const role of DEFAULT_ROLES) {
+  if (role.key === "content_admin") {
+    for (const resource of CONTENT_RESOURCES) {
+      role.permissions.push(
+        permissionKey(resource, "read", "global"),
+        permissionKey(resource, "create", "global"),
+        permissionKey(resource, "update", "global"),
+        permissionKey(resource, "delete", "global")
+      );
+    }
+  }
+  if (role.key === "content_editor") {
+    for (const resource of CONTENT_RESOURCES) {
+      role.permissions.push(
+        permissionKey(resource, "read", "global"),
+        permissionKey(resource, "create", "global"),
+        permissionKey(resource, "update", "global")
+      );
+    }
+  }
+}
+function permissionGranted(granted, required) {
+  return granted.includes(permissionKey("*", "*", "*")) || granted.includes(required);
+}
+export {
+  ALL_PERMISSION_RESOURCES,
+  CONTENT_RESOURCES,
+  DEFAULT_PERMISSIONS,
+  DEFAULT_ROLES,
+  PLATFORM_RESOURCES,
+  permissionGranted,
+  permissionKey
+};

package/dist/api/auth/tokens.d.ts

@@ -0,0 +1,18 @@
+import type { ApiPrincipal } from '../types.ts';
+export interface AccessTokenPayload {
+    sub: string;
+    displayName?: string;
+    scopes: string[];
+    roles: string[];
+    permissions: string[];
+    iat: number;
+    exp: number;
+    iss: string;
+    jti: string;
+    tokenType: 'access' | 'service';
+    metadata?: Record<string, unknown>;
+}
+export declare function nextOpaqueToken(prefix: string): string;
+export declare function createAccessToken(payload: AccessTokenPayload, secret: string): string;
+export declare function verifyAccessToken(token: string, secret: string): AccessTokenPayload | null;
+export declare function principalFromAccessTokenPayload(payload: AccessTokenPayload): ApiPrincipal;

package/dist/api/auth/tokens.js

@@ -0,0 +1,56 @@
+import { createHmac, randomBytes } from "node:crypto";
+function encodeBase64Url(value) {
+  return Buffer.from(value).toString("base64url");
+}
+function decodeBase64Url(value) {
+  return Buffer.from(value, "base64url").toString("utf8");
+}
+function sign(input, secret) {
+  return createHmac("sha256", secret).update(input).digest("base64url");
+}
+function nextOpaqueToken(prefix) {
+  return `${prefix}_${randomBytes(24).toString("base64url")}`;
+}
+function createAccessToken(payload, secret) {
+  const encodedPayload = encodeBase64Url(JSON.stringify(payload));
+  const encodedSignature = sign(encodedPayload, secret);
+  return `${encodedPayload}.${encodedSignature}`;
+}
+function verifyAccessToken(token, secret) {
+  const [encodedPayload, encodedSignature] = token.split(".");
+  if (!encodedPayload || !encodedSignature) {
+    return null;
+  }
+  const expected = sign(encodedPayload, secret);
+  if (expected !== encodedSignature) {
+    return null;
+  }
+  try {
+    const payload = JSON.parse(decodeBase64Url(encodedPayload));
+    if (!payload.sub || !Array.isArray(payload.scopes) || !payload.exp) {
+      return null;
+    }
+    if (payload.exp <= Math.floor(Date.now() / 1e3)) {
+      return null;
+    }
+    return payload;
+  } catch {
+    return null;
+  }
+}
+function principalFromAccessTokenPayload(payload) {
+  return {
+    id: payload.sub,
+    displayName: payload.displayName,
+    scopes: [...payload.scopes],
+    roles: [...payload.roles],
+    permissions: [...payload.permissions],
+    metadata: payload.metadata
+  };
+}
+export {
+  createAccessToken,
+  nextOpaqueToken,
+  principalFromAccessTokenPayload,
+  verifyAccessToken
+};

package/dist/api/config.d.ts

@@ -0,0 +1,2 @@
+import type { ApiConfig } from './types.ts';
+export declare function resolveApiConfig(env?: NodeJS.ProcessEnv): ApiConfig;

package/dist/api/config.js

@@ -0,0 +1,65 @@
+import { resolve } from "node:path";
+function parseInteger(value, fallback) {
+  if (!value) return fallback;
+  const parsed = Number.parseInt(value, 10);
+  return Number.isFinite(parsed) ? parsed : fallback;
+}
+function normalizeUrl(value) {
+  return value.endsWith("/") ? value.slice(0, -1) : value;
+}
+function parseCsv(value) {
+  return (value ?? "").split(",").map((entry) => entry.trim().toLowerCase()).filter(Boolean);
+}
+function resolveBaseUrl(env, host, port) {
+  if (env.TREESEED_API_BASE_URL?.trim()) {
+    return normalizeUrl(env.TREESEED_API_BASE_URL.trim());
+  }
+  if (env.RAILWAY_PUBLIC_DOMAIN?.trim()) {
+    return normalizeUrl(`https://${env.RAILWAY_PUBLIC_DOMAIN.trim()}`);
+  }
+  return normalizeUrl(`http://${host}:${port}`);
+}
+function resolveApiConfig(env = process.env) {
+  const host = env.HOST?.trim() || "0.0.0.0";
+  const port = parseInteger(env.PORT, 3e3);
+  const baseUrl = resolveBaseUrl(env, host === "0.0.0.0" ? "127.0.0.1" : host, port);
+  const issuer = normalizeUrl(env.TREESEED_API_ISSUER?.trim() || baseUrl);
+  const repoRoot = resolve(env.TREESEED_API_REPO_ROOT?.trim() || process.cwd());
+  return {
+    name: env.TREESEED_API_NAME?.trim() || "@treeseed/core/api",
+    host,
+    port,
+    baseUrl,
+    issuer,
+    repoRoot,
+    authSecret: env.TREESEED_API_AUTH_SECRET?.trim() || "treeseed-api-dev-secret",
+    cloudflareAccountId: env.CLOUDFLARE_ACCOUNT_ID?.trim() || void 0,
+    cloudflareApiToken: env.CLOUDFLARE_API_TOKEN?.trim() || void 0,
+    d1DatabaseId: env.TREESEED_API_D1_DATABASE_ID?.trim() || void 0,
+    d1DatabaseName: env.TREESEED_API_D1_DATABASE_NAME?.trim() || env.SITE_DATA_DB?.trim() || void 0,
+    d1LocalPersistTo: env.TREESEED_API_D1_LOCAL_PERSIST_TO?.trim() || resolve(repoRoot, ".wrangler/state/v3/d1"),
+    webServiceId: env.TREESEED_API_WEB_SERVICE_ID?.trim() || "web",
+    webServiceSecret: env.TREESEED_API_WEB_SERVICE_SECRET?.trim() || "treeseed-web-service-dev-secret",
+    webAssertionSecret: env.TREESEED_API_WEB_ASSERTION_SECRET?.trim() || env.TREESEED_API_AUTH_SECRET?.trim() || "treeseed-web-assertion-dev-secret",
+    webExchangeTtlSeconds: parseInteger(env.TREESEED_API_WEB_EXCHANGE_TTL, 300),
+    bootstrapAdminAllowlist: parseCsv(env.TREESEED_API_BOOTSTRAP_ADMIN_ALLOWLIST),
+    accessTokenTtlSeconds: parseInteger(env.TREESEED_API_ACCESS_TOKEN_TTL, 900),
+    refreshTokenTtlSeconds: parseInteger(env.TREESEED_API_REFRESH_TOKEN_TTL, 7 * 24 * 60 * 60),
+    deviceCodeTtlSeconds: parseInteger(env.TREESEED_API_DEVICE_CODE_TTL, 10 * 60),
+    deviceCodePollIntervalSeconds: parseInteger(env.TREESEED_API_DEVICE_CODE_POLL_INTERVAL, 5),
+    templateCatalogPath: env.TREESEED_API_TEMPLATE_CATALOG_PATH?.trim() || void 0,
+    providers: {
+      auth: env.TREESEED_API_PROVIDER_AUTH?.trim() || "d1",
+      agents: {
+        execution: env.TREESEED_API_PROVIDER_AGENT_EXECUTION?.trim() || "stub",
+        queue: env.TREESEED_API_PROVIDER_AGENT_QUEUE?.trim() || "memory",
+        notification: env.TREESEED_API_PROVIDER_AGENT_NOTIFICATION?.trim() || "stub",
+        repository: env.TREESEED_API_PROVIDER_AGENT_REPOSITORY?.trim() || "stub",
+        verification: env.TREESEED_API_PROVIDER_AGENT_VERIFICATION?.trim() || "stub"
+      }
+    }
+  };
+}
+export {
+  resolveApiConfig
+};

package/dist/api/gateway.d.ts

@@ -0,0 +1,5 @@
+import { Hono } from 'hono';
+import type { AppVariables, GatewayServerOptions } from './types.ts';
+export declare function createTreeseedGatewayApp(options: GatewayServerOptions): Hono<{
+    Variables: AppVariables;
+}, import("hono/types").BlankSchema, "/">;

package/dist/api/gateway.js

@@ -0,0 +1,35 @@
+import { Hono } from "hono";
+import { AgentSdk } from "@treeseed/sdk";
+import { registerAgentRoutes } from "./agent-routes.js";
+import { bearerTokenFromRequest, jsonError } from "./http.js";
+function createTreeseedGatewayApp(options) {
+  const sdk = options.sdk instanceof AgentSdk ? options.sdk : new AgentSdk();
+  const app = new Hono();
+  app.use("*", async (c, next) => {
+    const token = bearerTokenFromRequest(c.req.raw);
+    if (token !== options.bearerToken) {
+      return jsonError(c, 401, "Unauthorized gateway request.");
+    }
+    c.set("requestId", "gateway");
+    c.set("config", null);
+    c.set("principal", null);
+    c.set("actingUser", null);
+    c.set("credential", null);
+    c.set("actorType", "service");
+    c.set("permissionGrants", []);
+    await next();
+  });
+  app.get("/healthz", (c) => c.json({ ok: true, service: "treeseed-agent-gateway" }));
+  registerAgentRoutes(app, {
+    sdk,
+    prefix: "",
+    scope: null,
+    projectId: options.projectId,
+    queueProducer: options.queueProducer,
+    defaultActor: "gateway"
+  });
+  return app;
+}
+export {
+  createTreeseedGatewayApp
+};

package/dist/api/http.d.ts

@@ -0,0 +1,24 @@
+import type { Context } from 'hono';
+import type { ApiPrincipal, ApiScope } from '@treeseed/sdk/remote';
+import type { AppVariables } from './types.ts';
+export type ApiContext = Context<{
+    Variables: AppVariables;
+}>;
+export declare function jsonError(c: Context, status: number, error: string, details?: Record<string, unknown>): Response & import("hono").TypedResponse<{
+    ok: false;
+    error: string;
+}, never, "json">;
+export declare function bearerTokenFromRequest(request: Request): string;
+export declare function hasScope(principal: ApiPrincipal | null, requiredScope: ApiScope): boolean;
+export declare function requireScope(c: ApiContext, requiredScope: ApiScope): Response & import("hono").TypedResponse<{
+    ok: false;
+    error: string;
+}, never, "json">;
+export declare function requireAuthentication(c: ApiContext): Response & import("hono").TypedResponse<{
+    ok: false;
+    error: string;
+}, never, "json">;
+export declare function requirePermission(c: ApiContext, permission: string): Response & import("hono").TypedResponse<{
+    ok: false;
+    error: string;
+}, never, "json">;

package/dist/api/http.js

@@ -0,0 +1,44 @@
+import { permissionGranted } from "./auth/rbac.js";
+function jsonError(c, status, error, details) {
+  return c.json({
+    ok: false,
+    error,
+    ...details ?? {}
+  }, { status });
+}
+function bearerTokenFromRequest(request) {
+  const header = request.headers.get("authorization");
+  if (!header) return null;
+  const match = header.match(/^Bearer\s+(.+)$/i);
+  return match?.[1] ?? null;
+}
+function hasScope(principal, requiredScope) {
+  return Boolean(principal && (principal.scopes.includes(requiredScope) || principal.scopes.includes("*")));
+}
+function requireScope(c, requiredScope) {
+  if (!hasScope(c.get("principal"), requiredScope)) {
+    return jsonError(c, 401, "Authentication required.", { requiredScope });
+  }
+  return null;
+}
+function requireAuthentication(c) {
+  if (!c.get("principal")) {
+    return jsonError(c, 401, "Authentication required.");
+  }
+  return null;
+}
+function requirePermission(c, permission) {
+  const principal = c.get("principal");
+  if (!principal || !permissionGranted(c.get("permissionGrants"), permission)) {
+    return jsonError(c, 403, "Permission denied.", { permission });
+  }
+  return null;
+}
+export {
+  bearerTokenFromRequest,
+  hasScope,
+  jsonError,
+  requireAuthentication,
+  requirePermission,
+  requireScope
+};