@treeseed/core 0.4.9 → 0.4.10

package/README.md

@@ -51,7 +51,6 @@ That means the fixture may reference package surfaces owned by `sdk`, `core`, an
 npm run dev
 npm run dev:web
 npm run dev:api
-npm run dev:manager
 npm run dev:worker
 npm run dev:workday-start
 npm run dev:workday-report
@@ -68,7 +67,7 @@ What they do:
 - `dev`: starts the integrated Astro UI and Hono API local runtime from `core`
 - `dev:web`: starts only the Astro UI dev surface through the `core` runtime
 - `dev:api`: starts only the Hono API dev surface through the `core` runtime
-- `dev:manager`, `dev:worker`, `dev:workday-start`, `dev:workday-report`: start the worker-service entrypoints from `core`
+- `dev:worker`, `dev:workday-start`, `dev:workday-report`: start the worker-service entrypoints from `core`
 - `fixtures:check`: verifies that the pinned shared fixture is initialized and usable
 - `build:dist`: builds the publishable `dist/` package output
 - `test:unit`: runs package unit tests with Vitest

package/dist/agent.d.ts

@@ -2,7 +2,6 @@ export { AgentKernel } from './agents/kernel/agent-kernel.ts';
 export { listTreeseedAgentCommands, renderTreeseedAgentHelp, runTreeseedAgentCli } from './agents/cli.ts';
 export { resolveAgentHandler, listRegisteredAgentHandlers } from './agents/registry.ts';
 export { resolveAgentRuntimeProviders } from './agent-runtime.ts';
-export { createManagerApp } from './services/manager.ts';
 export { runWorkerCycle, startWorkerLoop } from './services/worker.ts';
 export { runWorkdayStart } from './services/workday-start.ts';
 export { runWorkdayReport } from './services/workday-report.ts';

package/dist/agent.js

@@ -2,7 +2,6 @@ import { AgentKernel } from "./agents/kernel/agent-kernel.js";
 import { listTreeseedAgentCommands, renderTreeseedAgentHelp, runTreeseedAgentCli } from "./agents/cli.js";
 import { resolveAgentHandler, listRegisteredAgentHandlers } from "./agents/registry.js";
 import { resolveAgentRuntimeProviders } from "./agent-runtime.js";
-import { createManagerApp } from "./services/manager.js";
 import { runWorkerCycle, startWorkerLoop } from "./services/worker.js";
 import { runWorkdayStart } from "./services/workday-start.js";
 import { runWorkdayReport } from "./services/workday-report.js";
@@ -10,7 +9,6 @@ import { parseAgentMessagePayload, AGENT_MESSAGE_TYPES } from "./agents/contract
 export {
   AGENT_MESSAGE_TYPES,
   AgentKernel,
-  createManagerApp,
   listRegisteredAgentHandlers,
   listTreeseedAgentCommands,
   parseAgentMessagePayload,

package/dist/agents/spec-types.d.ts

@@ -1,4 +1,4 @@
-import type { AgentCliOptions, AgentExecutionConfig, AgentHandlerKind, AgentOutputContract, AgentPermissionConfig, AgentRuntimeSpec, AgentTriggerConfig } from '@treeseed/sdk/types/agents';
+import type { AgentCliOptions, AgentExecutionConfig, AgentHandlerKind, AgentOutputContract, AgentPermissionConfig, AgentTriggerConfig } from '@treeseed/sdk/types/agents';
 export type AgentSpecDiagnosticSeverity = 'error' | 'warning';
 export interface AgentSpecDiagnostic {
     severity: AgentSpecDiagnosticSeverity;
@@ -6,15 +6,6 @@ export interface AgentSpecDiagnostic {
     field: string;
     message: string;
 }
-export interface NormalizedAgentRuntimeSpec extends AgentRuntimeSpec {
-    name?: string;
-    description?: string;
-    summary?: string;
-    operator?: string;
-    runtimeStatus?: string;
-    capabilities?: string[];
-    tags?: string[];
-}
 export interface AgentSpecValidationContext {
     registeredHandlers: readonly AgentHandlerKind[];
     messageTypes: readonly string[];
@@ -62,3 +53,12 @@ export interface AgentSpecParts {
     execution: AgentExecutionConfig;
     outputs: AgentOutputContract;
 }
+export type NormalizedAgentRuntimeSpec = AgentSpecParts & {
+    name?: string;
+    description?: string;
+    summary?: string;
+    operator?: string;
+    runtimeStatus?: string;
+    capabilities?: string[];
+    tags?: string[];
+};

package/dist/api/agent-routes.d.ts

@@ -1,13 +1,13 @@
 import type { Hono } from 'hono';
 import type { AgentSdk } from '@treeseed/sdk';
-import type { GatewayQueueProducer } from './types.ts';
+import type { ApiContext } from './http.ts';
 interface RegisterAgentRoutesOptions {
     sdk: AgentSdk;
     prefix?: string;
     scope?: string | null;
     projectId?: string;
-    queueProducer?: GatewayQueueProducer;
     defaultActor?: string;
+    authorize?: (c: ApiContext) => Response | null;
 }
 export declare function registerAgentRoutes(app: Hono<any>, options: RegisterAgentRoutesOptions): void;
 export {};

package/dist/api/agent-routes.js

@@ -1,58 +1,24 @@
-import crypto from "node:crypto";
 import { listRegisteredAgentHandlers as listCoreRegisteredAgentHandlers } from "../agents/registry.js";
+import { buildTaskContext, enqueueTaskFromSdk } from "../services/common.js";
 import { jsonError, requireScope } from "./http.js";
 async function listRegisteredHandlers() {
   return listCoreRegisteredAgentHandlers();
 }
-function queueEnvelopeForTask(task) {
-  return {
-    messageId: crypto.randomUUID(),
-    taskId: String(task.id ?? ""),
-    workDayId: String(task.workDayId ?? task.work_day_id ?? ""),
-    agentId: String(task.agentId ?? task.agent_id ?? ""),
-    taskType: String(task.type ?? ""),
-    idempotencyKey: String(task.idempotencyKey ?? task.idempotency_key ?? ""),
-    attempt: Number(task.attemptCount ?? task.attempt_count ?? 0) + 1,
-    payloadRef: `d1:tasks/${String(task.id ?? "")}`,
-    graphVersion: task.graphVersion !== void 0 && task.graphVersion !== null ? String(task.graphVersion) : task.graph_version !== void 0 && task.graph_version !== null ? String(task.graph_version) : null,
-    budgetHint: 1
-  };
-}
 function withPrefix(prefix, path) {
   return `${prefix}${path}`.replace(/\/{2,}/g, "/");
 }
 function actor(body, fallback) {
   return String(body.actor ?? fallback);
 }
-async function enqueueTask(options, request) {
-  if (!options.queueProducer) {
-    throw new Error("Queue producer not configured.");
+function authorizeRequest(c, options) {
+  const routeUnauthorized = options.authorize?.(c);
+  if (routeUnauthorized) {
+    return routeUnauthorized;
   }
-  const task = await options.sdk.get({ model: "task", id: request.taskId });
-  if (!task.payload) {
-    throw new Error("Unknown task.");
+  if (options.scope) {
+    return requireScope(c, options.scope);
   }
-  await options.queueProducer.enqueue({
-    queueName: request.queueName,
-    message: queueEnvelopeForTask(task.payload),
-    delaySeconds: request.deliveryDelaySeconds ?? 0
-  });
-  await options.sdk.recordTaskProgress({
-    id: request.taskId,
-    state: "queued",
-    appendEvent: { kind: "queued", data: { queueName: request.queueName ?? null } },
-    actor: request.actor
-  });
-  return { ok: true, taskId: request.taskId, queued: true };
-}
-async function buildTaskContext(sdk, taskId) {
-  const context = await sdk.getManagerContext(taskId);
-  const task = context.payload.task;
-  const agent = task ? (await sdk.get({ model: "agent", slug: String(task.agentId) })).payload : null;
-  return {
-    ...context.payload,
-    agent
-  };
+  return null;
 }
 function registerAgentRoutes(app, options) {
   const prefix = options.prefix ?? "/agent";
@@ -63,10 +29,8 @@ function registerAgentRoutes(app, options) {
     handlerCount: (await listRegisteredHandlers()).length
   }));
   app.get(withPrefix(prefix, "/specs"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const payload = await options.sdk.listAgentSpecs({ enabled: true });
     return c.json({
       ok: true,
@@ -75,10 +39,8 @@ function registerAgentRoutes(app, options) {
     });
   });
   app.post(withPrefix(prefix, "/workdays/start"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const graphRefresh = await options.sdk.refreshGraph();
     const result = await options.sdk.startWorkDay({
@@ -92,10 +54,8 @@ function registerAgentRoutes(app, options) {
     return c.json(result);
   });
   app.post(withPrefix(prefix, "/workdays/:id/close"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const result = await options.sdk.closeWorkDay({
       id: c.req.param("id"),
@@ -106,10 +66,8 @@ function registerAgentRoutes(app, options) {
     return result.payload ? c.json(result) : jsonError(c, 404, "Unknown work day.");
   });
   app.post(withPrefix(prefix, "/tasks"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const result = await options.sdk.createTask({
       id: typeof body.id === "string" ? body.id : void 0,
@@ -130,10 +88,8 @@ function registerAgentRoutes(app, options) {
     return c.json(result);
   });
   app.post(withPrefix(prefix, "/tasks/search"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const result = await options.sdk.searchTasks({
       workDayId: typeof body.workDayId === "string" ? body.workDayId : void 0,
@@ -144,10 +100,8 @@ function registerAgentRoutes(app, options) {
     return c.json(result);
   });
   app.post(withPrefix(prefix, "/tasks/:id/claim"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const result = await options.sdk.claimTask({
       id: c.req.param("id"),
@@ -158,10 +112,8 @@ function registerAgentRoutes(app, options) {
     return result.payload ? c.json(result) : jsonError(c, 404, "Unknown task.");
   });
   app.post(withPrefix(prefix, "/tasks/:id/progress"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const result = await options.sdk.recordTaskProgress({
       id: c.req.param("id"),
@@ -174,10 +126,8 @@ function registerAgentRoutes(app, options) {
     return result.payload ? c.json(result) : jsonError(c, 404, "Unknown task.");
   });
   app.post(withPrefix(prefix, "/tasks/:id/complete"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const result = await options.sdk.completeTask({
       id: c.req.param("id"),
@@ -189,10 +139,8 @@ function registerAgentRoutes(app, options) {
     return result.payload ? c.json(result) : jsonError(c, 404, "Unknown task.");
   });
   app.post(withPrefix(prefix, "/tasks/:id/fail"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const result = await options.sdk.failTask({
       id: c.req.param("id"),
@@ -205,13 +153,11 @@ function registerAgentRoutes(app, options) {
     return result.payload ? c.json(result) : jsonError(c, 404, "Unknown task.");
   });
   app.post(withPrefix(prefix, "/tasks/:id/requeue"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     try {
-      return c.json(await enqueueTask(options, {
+      return c.json(await enqueueTaskFromSdk(options.sdk, {
         taskId: c.req.param("id"),
         queueName: typeof body.queueName === "string" ? body.queueName : void 0,
         deliveryDelaySeconds: body.delaySeconds === void 0 ? void 0 : Number(body.delaySeconds),
@@ -223,10 +169,8 @@ function registerAgentRoutes(app, options) {
     }
   });
   app.post(withPrefix(prefix, "/tasks/:id/followups"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const current = await options.sdk.get({ model: "task", id: c.req.param("id") });
     if (!current.payload) {
@@ -251,13 +195,11 @@ function registerAgentRoutes(app, options) {
     return c.json({ ok: true, payload: created.map((entry) => entry.payload) });
   });
   app.post(withPrefix(prefix, "/queue/enqueue"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     try {
-      return c.json(await enqueueTask(options, {
+      return c.json(await enqueueTaskFromSdk(options.sdk, {
         taskId: String(body.taskId ?? ""),
         queueName: typeof body.queueName === "string" ? body.queueName : void 0,
         deliveryDelaySeconds: body.deliveryDelaySeconds === void 0 ? void 0 : Number(body.deliveryDelaySeconds),
@@ -265,14 +207,12 @@ function registerAgentRoutes(app, options) {
       }));
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
-      return jsonError(c, /Unknown task/.test(message) ? 404 : /Queue producer/.test(message) ? 501 : 500, message);
+      return jsonError(c, /Unknown task/.test(message) ? 404 : /Queue push client/.test(message) ? 501 : 500, message);
     }
   });
   app.post(withPrefix(prefix, "/reports"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const result = await options.sdk.createReport({
       id: typeof body.id === "string" ? body.id : void 0,
@@ -286,10 +226,8 @@ function registerAgentRoutes(app, options) {
     return c.json(result);
   });
   app.post(withPrefix(prefix, "/context/resolve-task"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     return c.json({
       ok: true,
@@ -297,10 +235,8 @@ function registerAgentRoutes(app, options) {
     });
   });
   app.post(withPrefix(prefix, "/graph/search"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const query = String(body.query ?? "");
     const scope = String(body.scope ?? "sections");
@@ -308,10 +244,8 @@ function registerAgentRoutes(app, options) {
     return c.json({ ok: true, payload });
   });
   app.post(withPrefix(prefix, "/graph/subgraph"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const payload = await options.sdk.getSubgraph(
       Array.isArray(body.seedIds) ? body.seedIds.map(String) : [],
@@ -320,10 +254,8 @@ function registerAgentRoutes(app, options) {
     return c.json({ ok: true, payload });
   });
   app.post(withPrefix(prefix, "/graph/query"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const payload = await options.sdk.queryGraph(body);
     if (typeof body.workDayId === "string" && body.workDayId) {
@@ -344,10 +276,8 @@ function registerAgentRoutes(app, options) {
     return c.json({ ok: true, payload });
   });
   app.post(withPrefix(prefix, "/graph/context-pack"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const payload = await options.sdk.buildContextPack(body);
     if (typeof body.workDayId === "string" && body.workDayId) {
@@ -372,19 +302,15 @@ function registerAgentRoutes(app, options) {
     return c.json({ ok: true, payload });
   });
   app.post(withPrefix(prefix, "/graph/parse-dsl"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const body = await c.req.json().catch(() => ({}));
     const payload = await options.sdk.parseGraphDsl(String(body.source ?? body.query ?? ""));
     return c.json({ ok: true, payload });
   });
   app.get(withPrefix(prefix, "/graph/node/:id"), async (c) => {
-    if (options.scope) {
-      const unauthorized = requireScope(c, options.scope);
-      if (unauthorized) return unauthorized;
-    }
+    const unauthorized = authorizeRequest(c, options);
+    if (unauthorized) return unauthorized;
     const payload = await options.sdk.getGraphNode(c.req.param("id"));
     return payload ? c.json({ ok: true, payload }) : jsonError(c, 404, "Unknown graph node.");
   });

package/dist/api/app.js

@@ -3,7 +3,7 @@ import { AgentSdk, TREESEED_REMOTE_CONTRACT_HEADER, TREESEED_REMOTE_CONTRACT_VER
 import { Hono } from "hono";
 import { registerAgentRoutes } from "./agent-routes.js";
 import { resolveApiConfig } from "./config.js";
-import { bearerTokenFromRequest, jsonError, requireAuthentication, requirePermission, requireScope } from "./http.js";
+import { bearerTokenFromRequest, jsonError, requirePermission, requireScope } from "./http.js";
 import { registerOperationRoutes } from "./operations-routes.js";
 import { resolveApiRuntimeProviders } from "./providers.js";
 import { registerSdkRoutes } from "./sdk-routes.js";
@@ -40,11 +40,42 @@ function mergeApiOptions(options) {
     }
   };
 }
+function normalizePrefix(prefix) {
+  if (!prefix?.trim()) return "";
+  const normalized = prefix.trim().replace(/\/+$/u, "");
+  return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+function principalScopes(permissions) {
+  const scopes = /* @__PURE__ */ new Set(["auth:me"]);
+  if (permissions.includes("*:*:*") || permissions.includes("sdk:execute:global")) scopes.add("sdk");
+  if (permissions.includes("*:*:*") || permissions.includes("agent:execute:global")) scopes.add("agent");
+  if (permissions.includes("*:*:*") || permissions.includes("operations:execute:global")) scopes.add("operations");
+  return [...scopes];
+}
+function buildProjectApiPrincipal(config) {
+  return {
+    id: `project:${config.projectId}`,
+    displayName: config.projectApiLabel,
+    roles: ["project_api"],
+    permissions: [...config.projectApiPermissions],
+    scopes: principalScopes(config.projectApiPermissions),
+    metadata: {
+      projectId: config.projectId
+    }
+  };
+}
+function matchesProjectApiKey(token, projectApiKey) {
+  if (!projectApiKey) return false;
+  const left = Buffer.from(token);
+  const right = Buffer.from(projectApiKey);
+  return left.length === right.length && crypto.timingSafeEqual(left, right);
+}
 function createTreeseedApiApp(options = {}) {
   const resolved = mergeApiOptions(options);
   const runtimeProviders = resolveApiRuntimeProviders(resolved.config, options.runtimeProviders);
   const sharedSdk = options.sdk ?? new AgentSdk({ repoRoot: resolved.config.repoRoot });
   const app = new Hono();
+  const internalPrefix = normalizePrefix(options.internalPrefix);
   app.use("*", async (c, next) => {
     c.set("requestId", crypto.randomUUID());
     c.set("config", resolved.config);
@@ -74,6 +105,19 @@ function createTreeseedApiApp(options = {}) {
   app.use("*", async (c, next) => {
     const token = bearerTokenFromRequest(c.req.raw);
     if (token) {
+      if (matchesProjectApiKey(token, resolved.config.projectApiKey)) {
+        const principal = buildProjectApiPrincipal(resolved.config);
+        c.set("principal", principal);
+        c.set("credential", {
+          type: "project_api_key",
+          id: resolved.config.projectId,
+          label: resolved.config.projectApiLabel
+        });
+        c.set("actorType", "project");
+        c.set("permissionGrants", principal.permissions);
+        await next();
+        return;
+      }
       const result = await runtimeProviders.auth.authenticateBearerToken(token);
       if (result) {
         c.set("principal", result.principal);
@@ -244,24 +288,32 @@ function createTreeseedApiApp(options = {}) {
     registerSdkRoutes(app, {
       config: resolved.config,
       sharedSdk,
-      scope: resolved.scopes.sdk
+      scope: resolved.scopes.sdk,
+      prefix: internalPrefix
     });
   }
   if (resolved.surfaces.agent) {
     registerAgentRoutes(app, {
       sdk: sharedSdk,
-      prefix: "/agent",
+      prefix: `${internalPrefix}/agent`,
       scope: resolved.scopes.agent,
-      projectId: "treeseed-market",
+      projectId: resolved.config.projectId,
       defaultActor: "api"
     });
   }
   if (resolved.surfaces.operations) {
     registerOperationRoutes(app, {
       scope: resolved.scopes.operations,
+      prefix: internalPrefix,
       executeOperation: options.workflowExecutor
     });
   }
+  options.extendApp?.(app, {
+    resolved,
+    runtimeProviders,
+    sharedSdk,
+    internalPrefix
+  });
   app.notFound((c) => jsonError(c, 404, "Not found."));
   return app;
 }

package/dist/api/auth/d1-store.d.ts

@@ -27,6 +27,7 @@ export declare class D1AuthStore {
     private loadIdentityByProvider;
     private rolesForUser;
     private permissionsForUser;
+    private permissionsForRoles;
     private scopesForPrincipal;
     private principalForUser;
     private assignRole;

package/dist/api/auth/d1-store.js

@@ -119,6 +119,21 @@ class D1AuthStore {
     );
     return rows.map((row) => row.key);
   }
+  async permissionsForRoles(roleKeys) {
+    if (roleKeys.length === 0) {
+      return [];
+    }
+    const placeholders = roleKeys.map(() => "?").join(", ");
+    const rows = await this.all(
+      `SELECT DISTINCT permissions.key AS key
+			 FROM roles
+			 INNER JOIN role_permissions ON role_permissions.role_id = roles.id
+			 INNER JOIN permissions ON permissions.id = role_permissions.permission_id
+			 WHERE roles.key IN (${placeholders})`,
+      roleKeys
+    );
+    return rows.map((row) => row.key);
+  }
   scopesForPrincipal(permissions) {
     const scopes = /* @__PURE__ */ new Set(["auth:me"]);
     if (permissions.includes("*:*:*") || permissions.includes("sdk:execute:global")) scopes.add("sdk");
@@ -573,7 +588,12 @@ class D1AuthStore {
     if (!equalHash(row.secret_hash, incomingHash)) return null;
     await this.run(`UPDATE service_credentials SET last_used_at = ?, updated_at = ? WHERE id = ?`, [isoNow(), isoNow(), row.id]);
     const roles = parseJson(row.roles_json, []);
-    const permissions = parseJson(row.permissions_json, []);
+    const permissions = [
+      .../* @__PURE__ */ new Set([
+        ...await this.permissionsForRoles(roles),
+        ...parseJson(row.permissions_json, [])
+      ])
+    ];
     return {
       principal: {
         id: serviceId,

package/dist/api/config.js

@@ -32,7 +32,11 @@ function resolveApiConfig(env = process.env) {
     baseUrl,
     issuer,
     repoRoot,
+    projectId: env.TREESEED_PROJECT_ID?.trim() || "treeseed-project",
     authSecret: env.TREESEED_API_AUTH_SECRET?.trim() || "treeseed-api-dev-secret",
+    projectApiKey: env.TREESEED_API_PROJECT_KEY?.trim() || void 0,
+    projectApiLabel: env.TREESEED_API_PROJECT_LABEL?.trim() || "Project API Key",
+    projectApiPermissions: parseCsv(env.TREESEED_API_PROJECT_KEY_PERMISSIONS).length > 0 ? parseCsv(env.TREESEED_API_PROJECT_KEY_PERMISSIONS) : ["sdk:execute:global", "agent:execute:global", "operations:execute:global"],
     cloudflareAccountId: env.CLOUDFLARE_ACCOUNT_ID?.trim() || void 0,
     cloudflareApiToken: env.CLOUDFLARE_API_TOKEN?.trim() || void 0,
     d1DatabaseId: env.TREESEED_API_D1_DATABASE_ID?.trim() || void 0,

package/dist/api/http.d.ts

@@ -18,6 +18,10 @@ export declare function requireAuthentication(c: ApiContext): Response & import(
     ok: false;
     error: string;
 }, never, "json">;
+export declare function requireActorType(c: ApiContext, actorType: 'anonymous' | 'user' | 'service' | 'project', message?: string): Response & import("hono").TypedResponse<{
+    ok: false;
+    error: string;
+}, never, "json">;
 export declare function requirePermission(c: ApiContext, permission: string): Response & import("hono").TypedResponse<{
     ok: false;
     error: string;

package/dist/api/http.js

@@ -27,6 +27,12 @@ function requireAuthentication(c) {
   }
   return null;
 }
+function requireActorType(c, actorType, message = "Trusted service authentication required.") {
+  if (c.get("actorType") !== actorType) {
+    return jsonError(c, 401, message);
+  }
+  return null;
+}
 function requirePermission(c, permission) {
   const principal = c.get("principal");
   if (!principal || !permissionGranted(c.get("permissionGrants"), permission)) {
@@ -38,6 +44,7 @@ export {
   bearerTokenFromRequest,
   hasScope,
   jsonError,
+  requireActorType,
   requireAuthentication,
   requirePermission,
   requireScope

package/dist/api/index.d.ts

@@ -1,8 +1,8 @@
 export { createTreeseedApiApp } from './app.ts';
-export { createTreeseedGatewayApp } from './gateway.ts';
 export { resolveApiConfig } from './config.ts';
 export { createRailwayTreeseedApiServer } from './railway.ts';
 export { resolveApiRuntimeProviders } from './providers.ts';
+export { resolveApiD1Database } from './auth/d1-database.ts';
 export { loadTemplateCatalog } from './templates.ts';
 export { MemoryDeviceCodeAuthProvider } from './auth/memory-provider.ts';
 export { D1AuthProvider } from './auth/d1-provider.ts';

package/dist/api/index.js

@@ -1,8 +1,8 @@
 import { createTreeseedApiApp } from "./app.js";
-import { createTreeseedGatewayApp } from "./gateway.js";
 import { resolveApiConfig } from "./config.js";
 import { createRailwayTreeseedApiServer } from "./railway.js";
 import { resolveApiRuntimeProviders } from "./providers.js";
+import { resolveApiD1Database } from "./auth/d1-database.js";
 import { loadTemplateCatalog } from "./templates.js";
 import { MemoryDeviceCodeAuthProvider } from "./auth/memory-provider.js";
 import { D1AuthProvider } from "./auth/d1-provider.js";
@@ -11,8 +11,8 @@ export {
   MemoryDeviceCodeAuthProvider,
   createRailwayTreeseedApiServer,
   createTreeseedApiApp,
-  createTreeseedGatewayApp,
   loadTemplateCatalog,
   resolveApiConfig,
+  resolveApiD1Database,
   resolveApiRuntimeProviders
 };