npm - @undefineds.co/xpod - Versions diffs - 0.3.31 → 0.3.33 - Mend

@undefineds.co/xpod 0.3.31 → 0.3.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (218) hide show

package/dist/api/auth/AuthContext.d.ts CHANGED Viewed

@@ -3,7 +3,8 @@
  *
  * Authenticated caller context.
  * - Solid Token: user provides Bearer or DPoP token
- * - API Key: third-party provides client_id, API Server exchanges for token
+ * - CSS client credentials: third-party provides client_id/client_secret,
+ *   API Server exchanges them for a Solid token
  * - Node Token: edge node provides node API key
  */
 export interface SolidAuthContext {
@@ -16,7 +17,7 @@ export interface SolidAuthContext {
     accessToken?: string;
     tokenType?: 'Bearer' | 'DPoP';
     dpopProof?: string;
-    /** Whether this was authenticated via API Key (client credentials) */
+    /** Whether this was authenticated via the sk-* client credentials wrapper */
     viaApiKey?: boolean;
 }
 export interface NodeAuthContext {

package/dist/api/auth/AuthContext.js CHANGED Viewed

@@ -4,7 +4,8 @@
  *
  * Authenticated caller context.
  * - Solid Token: user provides Bearer or DPoP token
- * - API Key: third-party provides client_id, API Server exchanges for token
+ * - CSS client credentials: third-party provides client_id/client_secret,
+ *   API Server exchanges them for a Solid token
  * - Node Token: edge node provides node API key
  */
 Object.defineProperty(exports, "__esModule", { value: true });

package/dist/api/auth/AuthContext.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"AuthContext.js","sourceRoot":"","sources":["../../../src/api/auth/AuthContext.ts"],"names":[],"mappings":";AAAA~~;;;;;;;GAOG~~;;AA+BH,kCAEC;AAED,gCAEC;AAKD,4BAEC;AAKD,wCAEC;AAKD,oCAQC;AAED,8BAEC;AAED,sCAEC;AAKD,4BAEC;AAhDD,SAAgB,WAAW,CAAC,GAAgB;IAC1C,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC;AAC9B,CAAC;AAED,SAAgB,UAAU,CAAC,GAAgB;IACzC,OAAO,GAAG,CAAC,IAAI,KAAK,MAAM,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,SAAgB,QAAQ,CAAC,GAAgB;IACvC,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AACtD,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,GAAgB;IAC7C,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,GAAgB;IAC3C,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,GAAG,CAAC,SAAS,CAAC;IACvB,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACxB,OAAO,GAAG,CAAC,SAAS,CAAC;IACvB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAgB,SAAS,CAAC,GAAgB;IACxC,OAAO,GAAG,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;AACtD,CAAC;AAED,SAAgB,aAAa,CAAC,GAAgB;IAC5C,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,SAAgB,QAAQ,CAAC,GAAgB,EAAE,KAAa;IACtD,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC9D,CAAC","sourcesContent":["/*\n Authentication context representing the authenticated caller\n * \n * Authenticated caller context.\n * - Solid Token: user provides Bearer or DPoP token\n * - ~~API~~ ~~Key~~: third-party provides client_id, API Server exchanges for token\n * - Node Token: edge node provides node API key\n /\n\nexport interface SolidAuthContext {\n type: 'solid';\n webId: string;\n accountId?: string;\n clientId?: string;\n clientSecret?: string; // For client credentials auth\n displayName?: string;\n accessToken?: string;\n tokenType?: 'Bearer' \| 'DPoP';\n dpopProof?: string;\n /* Whether this was authenticated via ~~API~~ ~~Key~~ (client credentials) /\n viaApiKey?: boolean;\n}\n\nexport interface NodeAuthContext {\n type: 'node';\n nodeId: string;\n accountId?: string;\n}\n\nexport interface ServiceAuthContext {\n type: 'service';\n serviceType: 'local' \| 'business' \| 'cloud' \| 'compute';\n serviceId: string;\n scopes: string[];\n}\n\nexport type AuthContext = SolidAuthContext \| NodeAuthContext \| ServiceAuthContext;\n\nexport function isSolidAuth(ctx: AuthContext): ctx is SolidAuthContext {\n return ctx.type === 'solid';\n}\n\nexport function isNodeAuth(ctx: AuthContext): ctx is NodeAuthContext {\n return ctx.type === 'node';\n}\n\n/\n Get webId from auth context\n /\nexport function getWebId(ctx: AuthContext): string \| undefined {\n return ctx.type === 'solid' ? ctx.webId : undefined;\n}\n\n/\n Get display name from auth context\n /\nexport function getDisplayName(ctx: AuthContext): string \| undefined {\n return ctx.type === 'solid' ? ctx.displayName : undefined;\n}\n\n/\n Get accountId from auth context (if available)\n /\nexport function getAccountId(ctx: AuthContext): string \| undefined {\n if (ctx.type === 'solid') {\n return ctx.accountId;\n }\n if (ctx.type === 'node') {\n return ctx.accountId;\n }\n return undefined;\n}\n\nexport function getNodeId(ctx: AuthContext): string \| undefined {\n return ctx.type === 'node' ? ctx.nodeId : undefined;\n}\n\nexport function isServiceAuth(ctx: AuthContext): ctx is ServiceAuthContext {\n return ctx.type === 'service';\n}\n\n/\n Check if a service auth context has the required scope\n */\nexport function hasScope(ctx: AuthContext, scope: string): boolean {\n return ctx.type === 'service' && ctx.scopes.includes(scope);\n}\n"]}
1	+ {"version":3,"file":"AuthContext.js","sourceRoot":"","sources":["../../../src/api/auth/AuthContext.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AA+BH,kCAEC;AAED,gCAEC;AAKD,4BAEC;AAKD,wCAEC;AAKD,oCAQC;AAED,8BAEC;AAED,sCAEC;AAKD,4BAEC;AAhDD,SAAgB,WAAW,CAAC,GAAgB;IAC1C,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC;AAC9B,CAAC;AAED,SAAgB,UAAU,CAAC,GAAgB;IACzC,OAAO,GAAG,CAAC,IAAI,KAAK,MAAM,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,SAAgB,QAAQ,CAAC,GAAgB;IACvC,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AACtD,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,GAAgB;IAC7C,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,GAAgB;IAC3C,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,GAAG,CAAC,SAAS,CAAC;IACvB,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACxB,OAAO,GAAG,CAAC,SAAS,CAAC;IACvB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAgB,SAAS,CAAC,GAAgB;IACxC,OAAO,GAAG,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;AACtD,CAAC;AAED,SAAgB,aAAa,CAAC,GAAgB;IAC5C,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,SAAgB,QAAQ,CAAC,GAAgB,EAAE,KAAa;IACtD,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC9D,CAAC","sourcesContent":["/*\n Authentication context representing the authenticated caller\n * \n * Authenticated caller context.\n * - Solid Token: user provides Bearer or DPoP token\n * - CSS client credentials: third-party provides client_id/client_secret,\n * API Server exchanges them for a Solid token\n * - Node Token: edge node provides node API key\n /\n\nexport interface SolidAuthContext {\n type: 'solid';\n webId: string;\n accountId?: string;\n clientId?: string;\n clientSecret?: string; // For client credentials auth\n displayName?: string;\n accessToken?: string;\n tokenType?: 'Bearer' \| 'DPoP';\n dpopProof?: string;\n /* Whether this was authenticated via the sk-* client credentials wrapper /\n viaApiKey?: boolean;\n}\n\nexport interface NodeAuthContext {\n type: 'node';\n nodeId: string;\n accountId?: string;\n}\n\nexport interface ServiceAuthContext {\n type: 'service';\n serviceType: 'local' \| 'business' \| 'cloud' \| 'compute';\n serviceId: string;\n scopes: string[];\n}\n\nexport type AuthContext = SolidAuthContext \| NodeAuthContext \| ServiceAuthContext;\n\nexport function isSolidAuth(ctx: AuthContext): ctx is SolidAuthContext {\n return ctx.type === 'solid';\n}\n\nexport function isNodeAuth(ctx: AuthContext): ctx is NodeAuthContext {\n return ctx.type === 'node';\n}\n\n/\n Get webId from auth context\n /\nexport function getWebId(ctx: AuthContext): string \| undefined {\n return ctx.type === 'solid' ? ctx.webId : undefined;\n}\n\n/\n Get display name from auth context\n /\nexport function getDisplayName(ctx: AuthContext): string \| undefined {\n return ctx.type === 'solid' ? ctx.displayName : undefined;\n}\n\n/\n Get accountId from auth context (if available)\n /\nexport function getAccountId(ctx: AuthContext): string \| undefined {\n if (ctx.type === 'solid') {\n return ctx.accountId;\n }\n if (ctx.type === 'node') {\n return ctx.accountId;\n }\n return undefined;\n}\n\nexport function getNodeId(ctx: AuthContext): string \| undefined {\n return ctx.type === 'node' ? ctx.nodeId : undefined;\n}\n\nexport function isServiceAuth(ctx: AuthContext): ctx is ServiceAuthContext {\n return ctx.type === 'service';\n}\n\n/\n Check if a service auth context has the required scope\n */\nexport function hasScope(ctx: AuthContext, scope: string): boolean {\n return ctx.type === 'service' && ctx.scopes.includes(scope);\n}\n"]}

package/dist/api/auth/ClientCredentialsAuthenticator.d.ts CHANGED Viewed

@@ -20,12 +20,12 @@ export interface ClientCredentialsAuthenticatorOptions {
     tokenEndpoint: string;
 }
 /**
- * Authenticator for API Keys in sk-xxx format.
+ * Authenticator for CSS client credentials in sk-xxx transport format.
  *
  * Format: sk-base64(client_id:client_secret)
  *
  * This authenticator:
- * 1. Decodes the API Key to get client_id and client_secret
+ * 1. Decodes the transport token to get client_id and client_secret
  * 2. Exchanges them for a Solid Token via CSS token endpoint
  * 3. Extracts webId from the token response
  * 4. Returns a SolidAuthContext
@@ -44,13 +44,3 @@ export declare class ClientCredentialsAuthenticator implements Authenticator {
     private extractWebIdFromJwt;
     private isJwt;
 }
-export interface ClientCredentialsRecord {
-    clientId: string;
-    webId: string;
-    accountId: string;
-    displayName?: string;
-    createdAt: Date;
-}
-export interface ClientCredentialsStore {
-    findByClientId(clientId: string): Promise<ClientCredentialsRecord | undefined>;
-}

package/dist/api/auth/ClientCredentialsAuthenticator.js CHANGED Viewed

@@ -3,12 +3,12 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.ClientCredentialsAuthenticator = void 0;
 const global_logger_factory_1 = require("global-logger-factory");
 /**
- * Authenticator for API Keys in sk-xxx format.
+ * Authenticator for CSS client credentials in sk-xxx transport format.
  *
  * Format: sk-base64(client_id:client_secret)
  *
  * This authenticator:
- * 1. Decodes the API Key to get client_id and client_secret
+ * 1. Decodes the transport token to get client_id and client_secret
  * 2. Exchanges them for a Solid Token via CSS token endpoint
  * 3. Extracts webId from the token response
  * 4. Returns a SolidAuthContext
@@ -24,7 +24,7 @@ class ClientCredentialsAuthenticator {
         if (!auth?.startsWith('Bearer ')) {
             return false;
         }
-        // If there's a DPoP header, it's a Solid Token, not an API Key
+        // If there's a DPoP header, it's a Solid Token, not a client credentials wrapper
         if (request.headers.dpop) {
             return false;
         }
@@ -67,7 +67,7 @@ class ClientCredentialsAuthenticator {
                 }
             }
             else {
-                // Non sk- format not supported without database lookup
+                // Non sk- format is intentionally unsupported; Xpod does not keep an API key mirror table.
                 return { success: false, error: 'Invalid API Key format: must start with sk-' };
             }
             // Check cache first

package/dist/api/auth/ClientCredentialsAuthenticator.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ClientCredentialsAuthenticator.js","sourceRoot":"","sources":["../../../src/api/auth/ClientCredentialsAuthenticator.ts"],"names":[],"mappings":";;;AACA,iEAAqD;AA+BrD;;;;;;;;;;GAUG;AACH,MAAa,8BAA8B;IAKzC,YAAmB,OAA8C;QAJhD,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAK3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;IAC7C,CAAC;IAEM,eAAe,CAAC,OAAwB;QAC7C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QAC3C,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,+DAA+D;QAC/D,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,KAAK,CAAC;QACf,CAAC;QACD,8CAA8C;QAC9C,OAAO,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACvD,CAAC;IAEM,KAAK,CAAC,YAAY,CAAC,OAAwB;QAChD,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACpD,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;QAC3D,CAAC;QAED,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QACpD,CAAC;QAED,IAAI,CAAC;YACH,IAAI,QAAgB,CAAC;YACrB,IAAI,YAAoB,CAAC;YAEzB,+DAA+D;YAC/D,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5B,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC9B,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAChE,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;oBACxC,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;wBACtB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,iDAAiD,EAAE,CAAC;oBACtF,CAAC;oBACD,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;oBACxC,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC;oBAE7C,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;wBAC/B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,0DAA0D,EAAE,CAAC;oBAC/F,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC;gBAC/D,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,uDAAuD;gBACvD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,6CAA6C,EAAE,CAAC;YAClF,CAAC;YAED,oBAAoB;YACpB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACnD,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;oBAC5C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;oBACvE,OAAO;wBACL,OAAO,EAAE,IAAI;wBACb,OAAO,EAAE;4BACP,IAAI,EAAE,OAAO;4BACb,KAAK,EAAE,MAAM,CAAC,KAAK;4BACnB,SAAS,EAAE,MAAM,CAAC,KAAK;4BACvB,QAAQ;4BACR,YAAY;4BACZ,WAAW,EAAE,MAAM,CAAC,KAAK;4BACzB,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,QAAQ;4BACvC,SAAS,EAAE,IAAI;yBAChB;qBACF,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,qCAAqC;YACrC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;YAC5E,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YACxE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,WAAW,CAAC,OAAO,WAAW,WAAW,CAAC,KAAK,WAAW,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC;YAEnI,IAAI,CAAC,WAAW,CAAC,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;gBACrE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,IAAI,uBAAuB,EAAE,CAAC;YACjF,CAAC;YAED,kBAAkB;YAClB,IAAI,IAAI,CAAC,UAAU,IAAI,WAAW,CAAC,SAAS,EAAE,CAAC;gBAC7C,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CACvB,QAAQ,EACR,WAAW,CAAC,KAAM,EAClB,WAAW,CAAC,KAAK,EACjB,WAAW,CAAC,SAAS,EACrB,WAAW,CAAC,SAAS,CACtB,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAqB;gBAChC,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,WAAW,CAAC,KAAK;gBACxB,SAAS,EAAE,WAAW,CAAC,KAAK;gBAC5B,QAAQ;gBACR,YAAY;gBACZ,WAAW,EAAE,WAAW,CAAC,KAAK;gBAC9B,SAAS,EAAE,WAAW,CAAC,SAAS,IAAI,QAAQ;gBAC5C,SAAS,EAAE,IAAI;aAChB,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC;YAC3E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,KAAK,EAAE,CAAC,CAAC;YAC5D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;QAC5D,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,QAAgB,EAAE,YAAoB;QAQnE,6BAA6B;QAC7B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;YAC3C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qCAAqC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACjF,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,aAAa,QAAQ,EAAE;gBAC9B,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;aAC1C,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE;gBAC/C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,oBAAoB;oBAChC,SAAS,EAAE,QAAQ;oBACnB,aAAa,EAAE,YAAY;iBAC5B,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACpC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0BAA0B,QAAQ,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC,CAAC;gBACvE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;YAChF,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAK/B,CAAC;YAEF,uDAAuD;YACvD,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YACvB,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBAChC,KAAK,GAAG,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACtD,CAAC;YAED,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,+CAA+C,EAAE,CAAC;YACpF,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU;gBAC/B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,GAAG,KAAK,CAAC,CAAC,eAAe;gBACvE,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,iBAAiB;YAErD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,IAAI,CAAC,YAAY;gBACxB,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;gBACxE,KAAK;gBACL,SAAS;aACV,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,KAAK,EAAE,CAAC,CAAC;YACpD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;QAC5D,CAAC;IACH,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,GAAW;QACrC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAC9E,OAAO,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,KAAa;QACzB,OAAO,kDAAkD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxE,CAAC;CACF;AAvND,wEAuNC","sourcesContent":["import type { IncomingMessage } from 'node:http';\nimport { getLoggerFor } from 'global-logger-factory';\nimport type { Authenticator, AuthResult } from './Authenticator';\nimport type { SolidAuthContext } from './AuthContext';\n\n/*\n Interface for token cache\n /\nexport interface TokenCache {\n get(clientId: string): Promise<{\n token: string;\n tokenType?: 'Bearer' \| 'DPoP';\n webId: string;\n expiresAt: Date;\n } \| undefined>;\n set(\n clientId: string,\n token: string,\n webId: string,\n expiresAt: Date,\n tokenType?: 'Bearer' \| 'DPoP',\n ): Promise<void>;\n}\n\nexport interface ClientCredentialsAuthenticatorOptions {\n tokenCache?: TokenCache;\n /\n CSS token endpoint URL\n /\n tokenEndpoint: string;\n}\n\n/\n Authenticator for API Keys in sk-xxx format.\n * \n * Format: sk-base64(client_id:client_secret)\n * \n * This authenticator:\n * 1. Decodes the API Key to get client_id and client_secret\n * 2. Exchanges them for a Solid Token via CSS token endpoint\n * 3. Extracts webId from the token response\n * 4. Returns a SolidAuthContext\n /\nexport class ClientCredentialsAuthenticator implements Authenticator {\n private readonly logger = getLoggerFor(this);\n private readonly tokenCache?: TokenCache;\n private readonly tokenEndpoint: string;\n\n public constructor(options: ClientCredentialsAuthenticatorOptions) {\n this.tokenCache = options.tokenCache;\n this.tokenEndpoint = options.tokenEndpoint;\n }\n\n public canAuthenticate(request: IncomingMessage): boolean {\n const auth = request.headers.authorization;\n if (!auth?.startsWith('Bearer ')) {\n return false;\n }\n // If there's a DPoP header, it's a Solid Token, not an API Key\n if (request.headers.dpop) {\n return false;\n }\n const token = auth.slice(7).trim();\n if (!token) {\n return false;\n }\n // Only handle sk-xxx format or non-JWT tokens\n return token.startsWith('sk-') \|\| !this.isJwt(token);\n }\n\n public async authenticate(request: IncomingMessage): Promise<AuthResult> {\n const authorization = request.headers.authorization;\n if (!authorization?.startsWith('Bearer ')) {\n return { success: false, error: 'Missing Bearer token' };\n }\n\n const token = authorization.slice(7).trim();\n if (!token) {\n return { success: false, error: 'Empty API Key' };\n }\n\n try {\n let clientId: string;\n let clientSecret: string;\n\n // Parse sk-xxx format (base64 encoded client_id:client_secret)\n if (token.startsWith('sk-')) {\n const base64 = token.slice(3);\n try {\n const decoded = Buffer.from(base64, 'base64').toString('utf-8');\n const colonIndex = decoded.indexOf(':');\n if (colonIndex === -1) {\n return { success: false, error: 'Invalid API Key format: missing colon separator' };\n }\n clientId = decoded.slice(0, colonIndex);\n clientSecret = decoded.slice(colonIndex + 1);\n \n if (!clientId \|\| !clientSecret) {\n return { success: false, error: 'Invalid API Key format: empty client_id or client_secret' };\n }\n } catch {\n return { success: false, error: 'Invalid API Key encoding' };\n }\n } else {\n // Non sk- format not supported without database lookup\n return { success: false, error: 'Invalid API Key format: must start with sk-' };\n }\n\n // Check cache first\n if (this.tokenCache) {\n const cached = await this.tokenCache.get(clientId);\n if (cached && cached.expiresAt > new Date()) {\n this.logger.debug(`Using cached token for ${clientId.slice(0, 8)}...`);\n return {\n success: true,\n context: {\n type: 'solid',\n webId: cached.webId,\n accountId: cached.webId,\n clientId,\n clientSecret,\n accessToken: cached.token,\n tokenType: cached.tokenType ?? 'Bearer',\n viaApiKey: true,\n },\n };\n }\n }\n\n // Exchange for token at CSS endpoint\n this.logger.debug(`Exchanging client credentials at ${this.tokenEndpoint}`);\n const tokenResult = await this.exchangeForToken(clientId, clientSecret);\n this.logger.debug(`Token exchange result: success=${tokenResult.success}, webId=${tokenResult.webId}, error=${tokenResult.error}`);\n \n if (!tokenResult.success \|\| !tokenResult.webId \|\| !tokenResult.token) {\n return { success: false, error: tokenResult.error \|\| 'Token exchange failed' };\n }\n\n // Cache the token\n if (this.tokenCache && tokenResult.expiresAt) {\n await this.tokenCache.set(\n clientId,\n tokenResult.token!,\n tokenResult.webId,\n tokenResult.expiresAt,\n tokenResult.tokenType,\n );\n }\n\n const context: SolidAuthContext = {\n type: 'solid',\n webId: tokenResult.webId,\n accountId: tokenResult.webId,\n clientId,\n clientSecret,\n accessToken: tokenResult.token,\n tokenType: tokenResult.tokenType ?? 'Bearer',\n viaApiKey: true,\n };\n\n this.logger.debug(`Authenticated API Key for webId: ${tokenResult.webId}`);\n return { success: true, context };\n } catch (error) {\n this.logger.error(`API Key authentication error: ${error}`);\n return { success: false, error: 'Authentication failed' };\n }\n }\n\n private async exchangeForToken(clientId: string, clientSecret: string): Promise<{\n success: boolean;\n token?: string;\n tokenType?: 'Bearer' \| 'DPoP';\n webId?: string;\n expiresAt?: Date;\n error?: string;\n }> {\n // 开发模式：跳过 CSS token exchange\n if (process.env.NODE_ENV === 'development') {\n this.logger.warn(`[DEV] Skipping token exchange for ${clientId.slice(0, 8)}...`);\n return {\n success: true,\n token: `dev-token-${clientId}`,\n expiresAt: new Date(Date.now() + 3600000),\n };\n }\n\n try {\n const response = await fetch(this.tokenEndpoint, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n },\n body: new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: clientId,\n client_secret: clientSecret,\n }),\n });\n\n if (!response.ok) {\n const error = await response.text();\n this.logger.warn(`Token exchange failed: ${response.status} ${error}`);\n return { success: false, error: `Token exchange failed: ${response.status}` };\n }\n\n const data = await response.json() as {\n access_token: string;\n expires_in?: number;\n token_type: string;\n webid?: string; // CSS returns webid in response\n };\n\n // Extract webId from token response or decode from JWT\n let webId = data.webid;\n if (!webId && data.access_token) {\n webId = this.extractWebIdFromJwt(data.access_token);\n }\n\n if (!webId) {\n return { success: false, error: 'Could not determine webId from token response' };\n }\n\n const expiresAt = data.expires_in\n ? new Date(Date.now() + data.expires_in 1000 - 60000) // 1 min buffer\n : new Date(Date.now() + 3600000); // Default 1 hour\n\n return {\n success: true,\n token: data.access_token,\n tokenType: data.token_type?.toUpperCase() === 'DPOP' ? 'DPoP' : 'Bearer',\n webId,\n expiresAt,\n };\n } catch (error) {\n this.logger.error(`Token exchange error: ${error}`);\n return { success: false, error: 'Token exchange failed' };\n }\n }\n\n /*\n Extract webId from JWT access token\n */\n private extractWebIdFromJwt(jwt: string): string \| undefined {\n try {\n const parts = jwt.split('.');\n if (parts.length !== 3) {\n return undefined;\n }\n const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf-8'));\n return payload.webid \|\| payload.webId \|\| payload.sub;\n } catch {\n return undefined;\n }\n }\n\n private isJwt(token: string): boolean {\n return /^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$/.test(token);\n }\n}\n\n// Re-export for backwards compatibility (these are no longer needed but keep for other code)\nexport interface ClientCredentialsRecord {\n clientId: string;\n webId: string;\n accountId: string;\n displayName?: string;\n createdAt: Date;\n}\n\nexport interface ClientCredentialsStore {\n findByClientId(clientId: string): Promise<ClientCredentialsRecord \| undefined>;\n}\n"]}
1	+ {"version":3,"file":"ClientCredentialsAuthenticator.js","sourceRoot":"","sources":["../../../src/api/auth/ClientCredentialsAuthenticator.ts"],"names":[],"mappings":";;;AACA,iEAAqD;AA+BrD;;;;;;;;;;GAUG;AACH,MAAa,8BAA8B;IAKzC,YAAmB,OAA8C;QAJhD,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAK3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;IAC7C,CAAC;IAEM,eAAe,CAAC,OAAwB;QAC7C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QAC3C,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,iFAAiF;QACjF,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,KAAK,CAAC;QACf,CAAC;QACD,8CAA8C;QAC9C,OAAO,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACvD,CAAC;IAEM,KAAK,CAAC,YAAY,CAAC,OAAwB;QAChD,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACpD,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;QAC3D,CAAC;QAED,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QACpD,CAAC;QAED,IAAI,CAAC;YACH,IAAI,QAAgB,CAAC;YACrB,IAAI,YAAoB,CAAC;YAEzB,+DAA+D;YAC/D,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5B,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC9B,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAChE,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;oBACxC,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;wBACtB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,iDAAiD,EAAE,CAAC;oBACtF,CAAC;oBACD,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;oBACxC,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC;oBAE7C,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;wBAC/B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,0DAA0D,EAAE,CAAC;oBAC/F,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC;gBAC/D,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,2FAA2F;gBAC3F,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,6CAA6C,EAAE,CAAC;YAClF,CAAC;YAED,oBAAoB;YACpB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACnD,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;oBAC5C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;oBACvE,OAAO;wBACL,OAAO,EAAE,IAAI;wBACb,OAAO,EAAE;4BACP,IAAI,EAAE,OAAO;4BACb,KAAK,EAAE,MAAM,CAAC,KAAK;4BACnB,SAAS,EAAE,MAAM,CAAC,KAAK;4BACvB,QAAQ;4BACR,YAAY;4BACZ,WAAW,EAAE,MAAM,CAAC,KAAK;4BACzB,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,QAAQ;4BACvC,SAAS,EAAE,IAAI;yBAChB;qBACF,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,qCAAqC;YACrC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;YAC5E,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YACxE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,WAAW,CAAC,OAAO,WAAW,WAAW,CAAC,KAAK,WAAW,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC;YAEnI,IAAI,CAAC,WAAW,CAAC,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;gBACrE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,IAAI,uBAAuB,EAAE,CAAC;YACjF,CAAC;YAED,kBAAkB;YAClB,IAAI,IAAI,CAAC,UAAU,IAAI,WAAW,CAAC,SAAS,EAAE,CAAC;gBAC7C,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CACvB,QAAQ,EACR,WAAW,CAAC,KAAM,EAClB,WAAW,CAAC,KAAK,EACjB,WAAW,CAAC,SAAS,EACrB,WAAW,CAAC,SAAS,CACtB,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAqB;gBAChC,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,WAAW,CAAC,KAAK;gBACxB,SAAS,EAAE,WAAW,CAAC,KAAK;gBAC5B,QAAQ;gBACR,YAAY;gBACZ,WAAW,EAAE,WAAW,CAAC,KAAK;gBAC9B,SAAS,EAAE,WAAW,CAAC,SAAS,IAAI,QAAQ;gBAC5C,SAAS,EAAE,IAAI;aAChB,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC;YAC3E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,KAAK,EAAE,CAAC,CAAC;YAC5D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;QAC5D,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,QAAgB,EAAE,YAAoB;QAQnE,6BAA6B;QAC7B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;YAC3C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qCAAqC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACjF,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,aAAa,QAAQ,EAAE;gBAC9B,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;aAC1C,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE;gBAC/C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,oBAAoB;oBAChC,SAAS,EAAE,QAAQ;oBACnB,aAAa,EAAE,YAAY;iBAC5B,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACpC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0BAA0B,QAAQ,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC,CAAC;gBACvE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;YAChF,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAK/B,CAAC;YAEF,uDAAuD;YACvD,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YACvB,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBAChC,KAAK,GAAG,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACtD,CAAC;YAED,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,+CAA+C,EAAE,CAAC;YACpF,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU;gBAC/B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,GAAG,KAAK,CAAC,CAAC,eAAe;gBACvE,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,iBAAiB;YAErD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,IAAI,CAAC,YAAY;gBACxB,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;gBACxE,KAAK;gBACL,SAAS;aACV,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,KAAK,EAAE,CAAC,CAAC;YACpD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;QAC5D,CAAC;IACH,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,GAAW;QACrC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAC9E,OAAO,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,KAAa;QACzB,OAAO,kDAAkD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxE,CAAC;CACF;AAvND,wEAuNC","sourcesContent":["import type { IncomingMessage } from 'node:http';\nimport { getLoggerFor } from 'global-logger-factory';\nimport type { Authenticator, AuthResult } from './Authenticator';\nimport type { SolidAuthContext } from './AuthContext';\n\n/*\n Interface for token cache\n /\nexport interface TokenCache {\n get(clientId: string): Promise<{\n token: string;\n tokenType?: 'Bearer' \| 'DPoP';\n webId: string;\n expiresAt: Date;\n } \| undefined>;\n set(\n clientId: string,\n token: string,\n webId: string,\n expiresAt: Date,\n tokenType?: 'Bearer' \| 'DPoP',\n ): Promise<void>;\n}\n\nexport interface ClientCredentialsAuthenticatorOptions {\n tokenCache?: TokenCache;\n /\n CSS token endpoint URL\n /\n tokenEndpoint: string;\n}\n\n/\n Authenticator for CSS client credentials in sk-xxx transport format.\n * \n * Format: sk-base64(client_id:client_secret)\n * \n * This authenticator:\n * 1. Decodes the transport token to get client_id and client_secret\n * 2. Exchanges them for a Solid Token via CSS token endpoint\n * 3. Extracts webId from the token response\n * 4. Returns a SolidAuthContext\n /\nexport class ClientCredentialsAuthenticator implements Authenticator {\n private readonly logger = getLoggerFor(this);\n private readonly tokenCache?: TokenCache;\n private readonly tokenEndpoint: string;\n\n public constructor(options: ClientCredentialsAuthenticatorOptions) {\n this.tokenCache = options.tokenCache;\n this.tokenEndpoint = options.tokenEndpoint;\n }\n\n public canAuthenticate(request: IncomingMessage): boolean {\n const auth = request.headers.authorization;\n if (!auth?.startsWith('Bearer ')) {\n return false;\n }\n // If there's a DPoP header, it's a Solid Token, not a client credentials wrapper\n if (request.headers.dpop) {\n return false;\n }\n const token = auth.slice(7).trim();\n if (!token) {\n return false;\n }\n // Only handle sk-xxx format or non-JWT tokens\n return token.startsWith('sk-') \|\| !this.isJwt(token);\n }\n\n public async authenticate(request: IncomingMessage): Promise<AuthResult> {\n const authorization = request.headers.authorization;\n if (!authorization?.startsWith('Bearer ')) {\n return { success: false, error: 'Missing Bearer token' };\n }\n\n const token = authorization.slice(7).trim();\n if (!token) {\n return { success: false, error: 'Empty API Key' };\n }\n\n try {\n let clientId: string;\n let clientSecret: string;\n\n // Parse sk-xxx format (base64 encoded client_id:client_secret)\n if (token.startsWith('sk-')) {\n const base64 = token.slice(3);\n try {\n const decoded = Buffer.from(base64, 'base64').toString('utf-8');\n const colonIndex = decoded.indexOf(':');\n if (colonIndex === -1) {\n return { success: false, error: 'Invalid API Key format: missing colon separator' };\n }\n clientId = decoded.slice(0, colonIndex);\n clientSecret = decoded.slice(colonIndex + 1);\n \n if (!clientId \|\| !clientSecret) {\n return { success: false, error: 'Invalid API Key format: empty client_id or client_secret' };\n }\n } catch {\n return { success: false, error: 'Invalid API Key encoding' };\n }\n } else {\n // Non sk- format is intentionally unsupported; Xpod does not keep an API key mirror table.\n return { success: false, error: 'Invalid API Key format: must start with sk-' };\n }\n\n // Check cache first\n if (this.tokenCache) {\n const cached = await this.tokenCache.get(clientId);\n if (cached && cached.expiresAt > new Date()) {\n this.logger.debug(`Using cached token for ${clientId.slice(0, 8)}...`);\n return {\n success: true,\n context: {\n type: 'solid',\n webId: cached.webId,\n accountId: cached.webId,\n clientId,\n clientSecret,\n accessToken: cached.token,\n tokenType: cached.tokenType ?? 'Bearer',\n viaApiKey: true,\n },\n };\n }\n }\n\n // Exchange for token at CSS endpoint\n this.logger.debug(`Exchanging client credentials at ${this.tokenEndpoint}`);\n const tokenResult = await this.exchangeForToken(clientId, clientSecret);\n this.logger.debug(`Token exchange result: success=${tokenResult.success}, webId=${tokenResult.webId}, error=${tokenResult.error}`);\n \n if (!tokenResult.success \|\| !tokenResult.webId \|\| !tokenResult.token) {\n return { success: false, error: tokenResult.error \|\| 'Token exchange failed' };\n }\n\n // Cache the token\n if (this.tokenCache && tokenResult.expiresAt) {\n await this.tokenCache.set(\n clientId,\n tokenResult.token!,\n tokenResult.webId,\n tokenResult.expiresAt,\n tokenResult.tokenType,\n );\n }\n\n const context: SolidAuthContext = {\n type: 'solid',\n webId: tokenResult.webId,\n accountId: tokenResult.webId,\n clientId,\n clientSecret,\n accessToken: tokenResult.token,\n tokenType: tokenResult.tokenType ?? 'Bearer',\n viaApiKey: true,\n };\n\n this.logger.debug(`Authenticated API Key for webId: ${tokenResult.webId}`);\n return { success: true, context };\n } catch (error) {\n this.logger.error(`API Key authentication error: ${error}`);\n return { success: false, error: 'Authentication failed' };\n }\n }\n\n private async exchangeForToken(clientId: string, clientSecret: string): Promise<{\n success: boolean;\n token?: string;\n tokenType?: 'Bearer' \| 'DPoP';\n webId?: string;\n expiresAt?: Date;\n error?: string;\n }> {\n // 开发模式：跳过 CSS token exchange\n if (process.env.NODE_ENV === 'development') {\n this.logger.warn(`[DEV] Skipping token exchange for ${clientId.slice(0, 8)}...`);\n return {\n success: true,\n token: `dev-token-${clientId}`,\n expiresAt: new Date(Date.now() + 3600000),\n };\n }\n\n try {\n const response = await fetch(this.tokenEndpoint, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n },\n body: new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: clientId,\n client_secret: clientSecret,\n }),\n });\n\n if (!response.ok) {\n const error = await response.text();\n this.logger.warn(`Token exchange failed: ${response.status} ${error}`);\n return { success: false, error: `Token exchange failed: ${response.status}` };\n }\n\n const data = await response.json() as {\n access_token: string;\n expires_in?: number;\n token_type: string;\n webid?: string; // CSS returns webid in response\n };\n\n // Extract webId from token response or decode from JWT\n let webId = data.webid;\n if (!webId && data.access_token) {\n webId = this.extractWebIdFromJwt(data.access_token);\n }\n\n if (!webId) {\n return { success: false, error: 'Could not determine webId from token response' };\n }\n\n const expiresAt = data.expires_in\n ? new Date(Date.now() + data.expires_in 1000 - 60000) // 1 min buffer\n : new Date(Date.now() + 3600000); // Default 1 hour\n\n return {\n success: true,\n token: data.access_token,\n tokenType: data.token_type?.toUpperCase() === 'DPOP' ? 'DPoP' : 'Bearer',\n webId,\n expiresAt,\n };\n } catch (error) {\n this.logger.error(`Token exchange error: ${error}`);\n return { success: false, error: 'Token exchange failed' };\n }\n }\n\n /*\n Extract webId from JWT access token\n */\n private extractWebIdFromJwt(jwt: string): string \| undefined {\n try {\n const parts = jwt.split('.');\n if (parts.length !== 3) {\n return undefined;\n }\n const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf-8'));\n return payload.webid \|\| payload.webId \|\| payload.sub;\n } catch {\n return undefined;\n }\n }\n\n private isJwt(token: string): boolean {\n return /^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$/.test(token);\n }\n}\n"]}

package/dist/api/auth/ServiceTokenAuthenticator.d.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 import type { IncomingMessage } from 'node:http';
 import type { Authenticator, AuthResult } from './Authenticator';
-import type { ServiceTokenRepository } from '../../identity/drizzle/ServiceTokenRepository';
+import type { ServiceTokenRepositoryPort } from '../../identity/drizzle/ServiceTokenRepository';
 export interface ServiceTokenAuthenticatorOptions {
-    repository: ServiceTokenRepository;
+    repository: ServiceTokenRepositoryPort;
 }
 /**
  * Authenticator for service tokens (Business, Local SP, Cloud, Compute).

package/dist/api/auth/ServiceTokenAuthenticator.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ServiceTokenAuthenticator.js","sourceRoot":"","sources":["../../../src/api/auth/ServiceTokenAuthenticator.ts"],"names":[],"mappings":";;;AACA,iEAAqD;AAQrD;;;;GAIG;AACH,MAAa,yBAAyB;IAIpC,YAAmB,OAAyC;QAH3C,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAI3C,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,UAAU,CAAC;IACjC,CAAC;IAEM,eAAe,CAAC,OAAwB;QAC7C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QAC3C,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACnC,mCAAmC;QACnC,OAAO,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAEM,KAAK,CAAC,YAAY,CAAC,OAAwB;QAChD,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,aAAc,CAAC;QAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAEnC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;YAC5D,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;YAEtF,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;oBAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;iBACtB;aACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,KAAK,EAAE,CAAC,CAAC;YACnE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC;QACpE,CAAC;IACH,CAAC;CACF;AA5CD,8DA4CC","sourcesContent":["import type { IncomingMessage } from 'node:http';\nimport { getLoggerFor } from 'global-logger-factory';\nimport type { Authenticator, AuthResult } from './Authenticator';\nimport type { ~~ServiceTokenRepository~~ } from '../../identity/drizzle/ServiceTokenRepository';\n\nexport interface ServiceTokenAuthenticatorOptions {\n repository: ~~ServiceTokenRepository~~;\n}\n\n/*\n Authenticator for service tokens (Business, Local SP, Cloud, Compute).\n \n Format: Bearer svc-xxx\n */\nexport class ServiceTokenAuthenticator implements Authenticator {\n private readonly logger = getLoggerFor(this);\n private readonly repo: ~~ServiceTokenRepository~~;\n\n public constructor(options: ServiceTokenAuthenticatorOptions) {\n this.repo = options.repository;\n }\n\n public canAuthenticate(request: IncomingMessage): boolean {\n const auth = request.headers.authorization;\n if (!auth?.startsWith('Bearer ')) {\n return false;\n }\n const token = auth.slice(7).trim();\n // Service tokens start with 'svc-'\n return token.startsWith('svc-');\n }\n\n public async authenticate(request: IncomingMessage): Promise<AuthResult> {\n const auth = request.headers.authorization!;\n const token = auth.slice(7).trim();\n\n try {\n const record = await this.repo.verifyToken(token);\n if (!record) {\n return { success: false, error: 'Invalid service token' };\n }\n\n this.logger.debug(`Authenticated service: ${record.serviceType}:${record.serviceId}`);\n\n return {\n success: true,\n context: {\n type: 'service',\n serviceType: record.serviceType,\n serviceId: record.serviceId,\n scopes: record.scopes,\n },\n };\n } catch (error) {\n this.logger.error(`Service token authentication failed: ${error}`);\n return { success: false, error: 'Internal authentication error' };\n }\n }\n}\n"]}
1	+ {"version":3,"file":"ServiceTokenAuthenticator.js","sourceRoot":"","sources":["../../../src/api/auth/ServiceTokenAuthenticator.ts"],"names":[],"mappings":";;;AACA,iEAAqD;AAQrD;;;;GAIG;AACH,MAAa,yBAAyB;IAIpC,YAAmB,OAAyC;QAH3C,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAI3C,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,UAAU,CAAC;IACjC,CAAC;IAEM,eAAe,CAAC,OAAwB;QAC7C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QAC3C,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACnC,mCAAmC;QACnC,OAAO,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAEM,KAAK,CAAC,YAAY,CAAC,OAAwB;QAChD,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,aAAc,CAAC;QAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAEnC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;YAC5D,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;YAEtF,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;oBAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;iBACtB;aACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,KAAK,EAAE,CAAC,CAAC;YACnE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC;QACpE,CAAC;IACH,CAAC;CACF;AA5CD,8DA4CC","sourcesContent":["import type { IncomingMessage } from 'node:http';\nimport { getLoggerFor } from 'global-logger-factory';\nimport type { Authenticator, AuthResult } from './Authenticator';\nimport type { ServiceTokenRepositoryPort } from '../../identity/drizzle/ServiceTokenRepository';\n\nexport interface ServiceTokenAuthenticatorOptions {\n repository: ServiceTokenRepositoryPort;\n}\n\n/*\n Authenticator for service tokens (Business, Local SP, Cloud, Compute).\n \n Format: Bearer svc-xxx\n */\nexport class ServiceTokenAuthenticator implements Authenticator {\n private readonly logger = getLoggerFor(this);\n private readonly repo: ServiceTokenRepositoryPort;\n\n public constructor(options: ServiceTokenAuthenticatorOptions) {\n this.repo = options.repository;\n }\n\n public canAuthenticate(request: IncomingMessage): boolean {\n const auth = request.headers.authorization;\n if (!auth?.startsWith('Bearer ')) {\n return false;\n }\n const token = auth.slice(7).trim();\n // Service tokens start with 'svc-'\n return token.startsWith('svc-');\n }\n\n public async authenticate(request: IncomingMessage): Promise<AuthResult> {\n const auth = request.headers.authorization!;\n const token = auth.slice(7).trim();\n\n try {\n const record = await this.repo.verifyToken(token);\n if (!record) {\n return { success: false, error: 'Invalid service token' };\n }\n\n this.logger.debug(`Authenticated service: ${record.serviceType}:${record.serviceId}`);\n\n return {\n success: true,\n context: {\n type: 'service',\n serviceType: record.serviceType,\n serviceId: record.serviceId,\n scopes: record.scopes,\n },\n };\n } catch (error) {\n this.logger.error(`Service token authentication failed: ${error}`);\n return { success: false, error: 'Internal authentication error' };\n }\n }\n}\n"]}

package/dist/api/chatkit/pod-store.d.ts CHANGED Viewed

@@ -61,6 +61,9 @@ export declare class PodChatKitStore implements ChatKitStore<StoreContext>, RunS
     private isoToTimestamp;
     private parseJsonObject;
     private jsonObjectOrNull;
+    private getXpodMetadata;
+    private withXpodMetadata;
+    private withoutXpodMetadata;
     private withTaskAuthBindingMetadata;
     private parseTaskAuthBinding;
     private isBaseRelativeDataResourceId;

package/dist/api/chatkit/pod-store.js CHANGED Viewed

@@ -316,9 +316,12 @@ class PodChatKitStore {
      * ChatKit 边界继续暴露 metadata.chat_id；内部同一值叫 surface_id。
      */
     threadRecordToMetadata(record, chatResourceMap) {
-        const commandKind = record.commandKind === 'task' ? 'task' : 'chat';
-        const surfaceId = record.surfaceId || this.resolveChatSurfaceFromResource(record.chat, chatResourceMap, PodChatKitStore.DEFAULT_CHAT_ID);
         const extra = this.parseJsonObject(record.metadata);
+        const commandKind = record.commandKind === 'task' || extra?.commandKind === 'task' ? 'task' : 'chat';
+        const surfaceId = record.surfaceId
+            || (typeof extra?.surface_id === 'string' ? extra.surface_id : undefined)
+            || (typeof extra?.chat_id === 'string' ? extra.chat_id : undefined)
+            || this.resolveChatSurfaceFromResource(record.chat, chatResourceMap, PodChatKitStore.DEFAULT_CHAT_ID);
         return {
             id: record.id,
             title: record.title || undefined,
@@ -368,6 +371,29 @@ class PodChatKitStore {
     jsonObjectOrNull(value) {
         return value && Object.keys(value).length > 0 ? value : null;
     }
+    getXpodMetadata(metadata) {
+        const value = metadata?.xpod;
+        return value && typeof value === 'object' && !Array.isArray(value)
+            ? value
+            : undefined;
+    }
+    withXpodMetadata(metadata, xpod) {
+        return {
+            ...(metadata ?? {}),
+            xpod: {
+                ...(this.getXpodMetadata(metadata) ?? {}),
+                ...xpod,
+            },
+        };
+    }
+    withoutXpodMetadata(metadata) {
+        if (!metadata) {
+            return undefined;
+        }
+        const result = { ...metadata };
+        delete result.xpod;
+        return Object.keys(result).length > 0 ? result : undefined;
+    }
     withTaskAuthBindingMetadata(metadata, authBinding) {
         if (!authBinding) {
             return metadata;
@@ -487,13 +513,15 @@ class PodChatKitStore {
         return resource;
     }
     runRecordToData(record) {
+        const metadata = this.parseJsonObject(record.metadata);
+        const xpod = this.getXpodMetadata(metadata);
         return {
             id: record.id || '',
-            surfaceId: record.surfaceId || 'default',
+            surfaceId: record.surfaceId || (typeof xpod?.surfaceId === 'string' ? xpod.surfaceId : 'default'),
             task: record.task || undefined,
             thread: record.thread || '',
             workspace: record.workspace || '',
-            commandKind: record.commandKind === 'task' ? 'task' : 'chat',
+            commandKind: record.commandKind === 'task' || xpod?.commandKind === 'task' ? 'task' : 'chat',
             status: (record.status || 'queued'),
             runner: record.runner || '',
             prompt: record.prompt || undefined,
@@ -503,7 +531,7 @@ class PodChatKitStore {
             heartbeatAt: this.isoToTimestamp(record.heartbeatAt),
             cancelRequestedAt: this.isoToTimestamp(record.cancelRequestedAt),
             error: record.error || undefined,
-            metadata: this.parseJsonObject(record.metadata),
+            metadata,
             createdAt: this.isoToTimestamp(record.createdAt) ?? (0, types_1.nowTimestamp)(),
             startedAt: this.isoToTimestamp(record.startedAt),
             completedAt: this.isoToTimestamp(record.completedAt),
@@ -511,36 +539,42 @@ class PodChatKitStore {
         };
     }
     runStepRecordToData(record) {
+        const payload = this.parseJsonObject(record.payload) ?? this.parseJsonObject(record.data);
+        const xpod = this.getXpodMetadata(payload);
         return {
             id: record.id || '',
-            commandKind: record.commandKind === 'task' ? 'task' : 'chat',
-            surfaceId: record.surfaceId || 'default',
-            runId: record.runId || '',
+            commandKind: record.commandKind === 'task' || xpod?.commandKind === 'task' ? 'task' : 'chat',
+            surfaceId: record.surfaceId || (typeof xpod?.surfaceId === 'string' ? xpod.surfaceId : 'default'),
+            runId: record.runId || (typeof xpod?.runId === 'string' ? xpod.runId : ''),
             run: record.run || '',
-            type: record.type || 'runtime.event',
+            type: record.type || record.stepType || 'runtime.event',
             message: record.message || undefined,
-            data: this.parseJsonObject(record.data),
+            data: this.withoutXpodMetadata(payload),
             createdAt: this.isoToTimestamp(record.createdAt) ?? (0, types_1.nowTimestamp)(),
         };
     }
     taskRecordToData(record) {
+        const metadata = this.parseJsonObject(record.metadata);
+        const xpod = this.getXpodMetadata(metadata);
         return {
             id: record.id || '',
-            surfaceId: record.surfaceId || 'default',
+            surfaceId: record.surfaceId || (typeof xpod?.surfaceId === 'string' ? xpod.surfaceId : 'default'),
             title: record.title || undefined,
             prompt: record.prompt || '',
             thread: record.thread || '',
             workspace: record.workspace || '',
-            runner: record.runner || '',
+            runner: record.runner || (typeof xpod?.runner === 'string' ? xpod.runner : ''),
             status: (record.status || 'active'),
-            triggerKind: (record.triggerKind || 'once'),
-            cron: record.cron || undefined,
-            intervalSeconds: typeof record.intervalSeconds === 'number' ? record.intervalSeconds : undefined,
-            eventName: record.eventName || undefined,
-            nextRunAt: this.isoToTimestamp(record.nextRunAt),
-            lastRunAt: this.isoToTimestamp(record.lastRunAt),
-            authBinding: this.parseTaskAuthBinding(this.parseJsonObject(record.metadata)?.authBinding),
-            metadata: this.parseJsonObject(record.metadata),
+            triggerKind: (record.triggerKind || xpod?.triggerKind || 'once'),
+            cron: record.cron || (typeof xpod?.cron === 'string' ? xpod.cron : undefined),
+            intervalSeconds: typeof record.intervalSeconds === 'number'
+                ? record.intervalSeconds
+                : (typeof xpod?.intervalSeconds === 'number' ? xpod.intervalSeconds : undefined),
+            eventName: record.eventName || (typeof xpod?.eventName === 'string' ? xpod.eventName : undefined),
+            nextRunAt: this.isoToTimestamp(record.nextRunAt) ?? (typeof xpod?.nextRunAt === 'number' ? xpod.nextRunAt : undefined),
+            lastRunAt: this.isoToTimestamp(record.lastRunAt) ?? (typeof xpod?.lastRunAt === 'number' ? xpod.lastRunAt : undefined),
+            authBinding: this.parseTaskAuthBinding(metadata?.authBinding),
+            metadata,
             createdAt: this.isoToTimestamp(record.createdAt) ?? (0, types_1.nowTimestamp)(),
             updatedAt: this.isoToTimestamp(record.updatedAt) ?? (0, types_1.nowTimestamp)(),
         };
@@ -876,12 +910,7 @@ class PodChatKitStore {
             surface_id: surfaceId,
             chat_id: surfaceId,
         };
-        // Persist extended metadata except fields that are derived from first-class columns.
-        const metadataToPersist = { ...(thread.metadata ?? {}) };
-        delete metadataToPersist.chat_id;
-        delete metadataToPersist.commandKind;
-        delete metadataToPersist.surface_id;
-        const metadataObject = this.jsonObjectOrNull(metadataToPersist);
+        const metadataObject = this.jsonObjectOrNull(thread.metadata);
         if (commandKind === 'chat') {
             await this.ensureChat(surfaceId, context);
         }
@@ -898,9 +927,8 @@ class PodChatKitStore {
         if (existing) {
             // Update
             await db.updateByIri(schema_1.Thread, threadResource, {
-                commandKind,
-                surfaceId,
                 chat: commandKind === 'chat' ? this.buildChatResourceId(surfaceId) : null,
+                task: commandKind === 'task' ? (0, store_2.buildTaskResourceId)(`index.ttl#${surfaceId}`) : null,
                 title: thread.title || null,
                 status: this.statusToString(thread.status),
                 workspace: thread.workspace || null,
@@ -912,9 +940,8 @@ class PodChatKitStore {
             // Insert
             await db.insert(schema_1.Thread).values({
                 id: threadResourceId,
-                commandKind,
-                surfaceId,
                 chat: commandKind === 'chat' ? this.buildChatResourceId(surfaceId) : null,
+                task: commandKind === 'task' ? (0, store_2.buildTaskResourceId)(`index.ttl#${surfaceId}`) : null,
                 title: thread.title || null,
                 status: this.statusToString(thread.status),
                 workspace: thread.workspace || null,
@@ -1094,8 +1121,6 @@ class PodChatKitStore {
         }
         const messageRecord = {
             id: itemResourceId,
-            commandKind: resolvedThread.commandKind,
-            surfaceId: resolvedThread.surfaceId,
             chat: resolvedThread.commandKind === 'chat' ? this.buildChatResourceId(resolvedThread.surfaceId) : null,
             thread: resolvedThread.thread,
             maker: role === schema_1.MessageRole.USER ? webId : null,
@@ -1104,7 +1129,12 @@ class PodChatKitStore {
             status,
             toolName,
             toolCallId,
-            metadata: this.jsonObjectOrNull(metadata ?? undefined),
+            metadata: this.jsonObjectOrNull({
+                ...(metadata ?? {}),
+                commandKind: resolvedThread.commandKind,
+                surface_id: resolvedThread.surfaceId,
+                chat_id: resolvedThread.surfaceId,
+            }),
             createdAt: new Date(item.created_at * 1000).toISOString(),
         };
         await db.insert(schema_1.Message).values(messageRecord);
@@ -1302,12 +1332,14 @@ WHERE { ${deletePatterns.join(' ')} }
         }
         run.id = (0, store_1.buildRunResourceId)(run);
         const existing = await db.findById(schema_2.Run, run.id);
-        const values = {
+        const metadata = this.withXpodMetadata(run.metadata, {
+            commandKind: run.commandKind,
             surfaceId: run.surfaceId,
+        });
+        const values = {
             task: run.task || null,
             thread: run.thread,
             workspace: run.workspace,
-            commandKind: run.commandKind,
             status: run.status,
             runner: run.runner || null,
             prompt: run.prompt || null,
@@ -1317,7 +1349,7 @@ WHERE { ${deletePatterns.join(' ')} }
             heartbeatAt: this.timestampToIso(run.heartbeatAt),
             cancelRequestedAt: this.timestampToIso(run.cancelRequestedAt),
             error: run.error || null,
-            metadata: this.jsonObjectOrNull(run.metadata),
+            metadata: this.jsonObjectOrNull(metadata),
             createdAt: this.timestampToIso(run.createdAt) ?? new Date().toISOString(),
             startedAt: this.timestampToIso(run.startedAt),
             completedAt: this.timestampToIso(run.completedAt),
@@ -1358,9 +1390,6 @@ WHERE { ${deletePatterns.join(' ')} }
         if (options.workspace) {
             conditions.push((0, drizzle_solid_1.eq)(schema_2.Run.workspace, options.workspace));
         }
-        if (options.commandKind) {
-            conditions.push((0, drizzle_solid_1.eq)(schema_2.Run.commandKind, options.commandKind));
-        }
         if (options.status) {
             conditions.push((0, drizzle_solid_1.eq)(schema_2.Run.status, options.status));
         }
@@ -1368,10 +1397,13 @@ WHERE { ${deletePatterns.join(' ')} }
         const records = conditions.length > 0
             ? await query.where((0, drizzle_solid_1.and)(...conditions))
             : await query;
-        return records
-            .map((record) => this.runRecordToData(record))
+        let runs = records.map((record) => this.runRecordToData(record));
+        if (options.commandKind) {
+            runs = runs.filter((run) => run.commandKind === options.commandKind);
+        }
+        return runs
             .sort((a, b) => b.createdAt - a.createdAt || b.id.localeCompare(a.id))
-            .slice(0, options.limit ?? records.length);
+            .slice(0, options.limit ?? runs.length);
     }
     async appendRunStep(event, context) {
         const db = await this.getDb(context);
@@ -1384,13 +1416,14 @@ WHERE { ${deletePatterns.join(' ')} }
         event.id = (0, store_1.buildRunStepResourceId)(event);
         await db.insert(schema_2.RunStep).values({
             id: event.id,
-            commandKind: event.commandKind,
-            surfaceId: event.surfaceId,
-            runId: event.runId,
             run: event.run,
-            type: event.type,
+            stepType: event.type,
             message: event.message || null,
-            data: this.jsonObjectOrNull(event.data),
+            payload: this.jsonObjectOrNull(this.withXpodMetadata(event.data, {
+                commandKind: event.commandKind,
+                surfaceId: event.surfaceId,
+                runId: event.runId,
+            })),
             createdAt: this.timestampToIso(event.createdAt) ?? new Date().toISOString(),
         });
     }
@@ -1402,8 +1435,7 @@ WHERE { ${deletePatterns.join(' ')} }
         if (!(0, store_1.isRunResourceId)(runId)) {
             throw new Error(`loadRunSteps requires a base-relative Run id: ${runId}`);
         }
-        // runId is a local query field; RunStep.run remains the semantic RDF relation.
-        const records = await db.select().from(schema_2.RunStep).where((0, drizzle_solid_1.eq)(schema_2.RunStep.runId, runId));
+        const records = await db.select().from(schema_2.RunStep).where((0, drizzle_solid_1.eq)(schema_2.RunStep.run, this.resolveDataResource(runId, context)));
         return records
             .map((record) => this.runStepRecordToData(record))
             .sort((a, b) => a.createdAt - b.createdAt || a.id.localeCompare(b.id));
@@ -1431,21 +1463,23 @@ WHERE { ${deletePatterns.join(' ')} }
         }
         task.id = (0, store_2.buildTaskResourceId)(task.id);
         const existing = await db.findById(schema_3.Task, task.id);
-        const values = {
+        const metadata = this.withXpodMetadata(this.withTaskAuthBindingMetadata(task.metadata, task.authBinding), {
             surfaceId: task.surfaceId,
+            runner: task.runner,
+            triggerKind: task.triggerKind,
+            cron: task.cron ?? null,
+            intervalSeconds: task.intervalSeconds ?? null,
+            eventName: task.eventName ?? null,
+            nextRunAt: task.nextRunAt ?? null,
+            lastRunAt: task.lastRunAt ?? null,
+        });
+        const values = {
             title: task.title || null,
+            instruction: task.prompt,
             prompt: task.prompt,
-            thread: task.thread,
             workspace: task.workspace,
-            runner: task.runner,
             status: task.status,
-            triggerKind: task.triggerKind,
-            cron: task.cron || null,
-            intervalSeconds: task.intervalSeconds ?? null,
-            eventName: task.eventName || null,
-            nextRunAt: this.timestampToIso(task.nextRunAt),
-            lastRunAt: this.timestampToIso(task.lastRunAt),
-            metadata: this.jsonObjectOrNull(this.withTaskAuthBindingMetadata(task.metadata, task.authBinding)),
+            metadata: this.jsonObjectOrNull(metadata),
             createdAt: this.timestampToIso(task.createdAt) ?? new Date().toISOString(),
             updatedAt: this.timestampToIso(task.updatedAt) ?? new Date().toISOString(),
         };