@voyant-travel/workflows 0.107.10

package/dist/auth/index.js

@@ -0,0 +1,352 @@
+// @voyant-travel/workflows/auth
+//
+// Paired HMAC signer + verifier for the `X-Voyant-Dispatch-Auth`
+// header on `POST /__voyant/workflow-step`. Both sides share a
+// symmetric secret — suitable for local dev and single-region
+// deployments; asymmetric signing (control-plane issuer + tenant
+// public-key) is a later upgrade that keeps the same header shape.
+//
+// Built on Web Crypto (`crypto.subtle`), so it works unchanged in
+// Node 20+, Cloudflare Workers, Deno, Bun, and browsers.
+//
+// Usage on the orchestrator side:
+//
+//   import { createHmacSigner } from "@voyant-travel/workflows/auth";
+//   const sign = await createHmacSigner(process.env.VOYANT_SIGNING_KEY!);
+//   createDispatchStepHandler(script, { dispatcher, sign });
+//
+// Usage on the tenant side:
+//
+//   import { createHmacVerifier } from "@voyant-travel/workflows/auth";
+//   import { createStepHandler } from "@voyant-travel/workflows/handler";
+//   const verify = await createHmacVerifier(env.VOYANT_SIGNING_KEY);
+//   export default { fetch: createStepHandler({ verifyRequest: verify }) };
+export const AUTH_HEADER = "x-voyant-dispatch-auth";
+/**
+ * HMAC header carried on orchestrator → node-step-container dispatches
+ * (`POST /step`). Signed over the raw request body with the shared
+ * `VOYANT_WORKFLOW_STEP_AUTH_SECRET`. See `createCfContainerStepRunner`
+ * (signing side) and `apps/workflows-node-step-container` (verifying side).
+ */
+export const STEP_AUTH_HEADER = "x-voyant-step-auth";
+/**
+ * HMAC header returned by the node-step-container on successful `/step`
+ * responses. Signed over the raw JSON response body with the same
+ * `VOYANT_WORKFLOW_STEP_AUTH_SECRET` so the orchestrator can reject
+ * forged step journal entries before committing run state.
+ */
+export const STEP_RESPONSE_AUTH_HEADER = "x-voyant-step-response-auth";
+/** Parse a comma-separated token/origin list env var into trimmed, non-empty entries. */
+export function parseTokenList(raw) {
+    return (raw ?? "")
+        .split(",")
+        .map((s) => s.trim())
+        .filter((s) => s.length > 0);
+}
+/**
+ * Returns a verifier that accepts `Authorization: Bearer <token>`
+ * where `<token>` matches any of the `validTokens` (case-sensitive,
+ * constant-time compared). Usable as the `verifyRequest` dep on
+ * `handleWorkerRequest` / `createStepHandler` for the public-facing
+ * surface of an orchestrator or tenant Worker.
+ *
+ * Intended for dev + single-tenant deployments. Production should
+ * issue per-tenant, short-lived tokens from a control plane.
+ */
+export function createBearerVerifier(validTokens) {
+    if (validTokens.length === 0) {
+        throw new Error("createBearerVerifier: need at least one valid token");
+    }
+    return (req) => {
+        const header = req.headers.get("authorization");
+        if (!header)
+            throw new Error("missing Authorization header");
+        const match = /^Bearer (.+)$/.exec(header);
+        if (!match) {
+            throw new Error("Authorization header must use the Bearer scheme");
+        }
+        const presented = match[1];
+        for (const valid of validTokens) {
+            if (constantTimeEquals(presented, valid))
+                return;
+        }
+        throw new Error("bearer token does not match any configured value");
+    };
+}
+/**
+ * Constant-time string comparison. Does NOT early-return on length
+ * mismatch: the loop always runs over the longer input (out-of-range
+ * `charCodeAt` is NaN, which coerces to 0 under bitwise ops), and a
+ * length mismatch only sets a diff bit. This avoids leaking how many
+ * leading characters of a secret matched, or whether the length matched.
+ */
+function constantTimeEquals(a, b) {
+    const length = Math.max(a.length, b.length, 1);
+    let diff = a.length === b.length ? 0 : 1;
+    for (let i = 0; i < length; i++) {
+        diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
+    }
+    return diff === 0;
+}
+// ---- Fail-closed bearer auth resolution ----
+/**
+ * Error thrown by verifiers produced in this module. Carries an HTTP
+ * `status` + machine-readable `code` so HTTP surfaces
+ * (`handleWorkerRequest`, the node dashboard server, step handlers)
+ * can map auth failures to the right response instead of a blanket 401.
+ */
+export class RequestAuthError extends Error {
+    status;
+    code;
+    constructor(status, code, message) {
+        super(message);
+        this.name = "RequestAuthError";
+        this.status = status;
+        this.code = code;
+    }
+}
+const UNAUTHENTICATED_WARNING = "[voyant-workflows] AUTH DISABLED: no bearer tokens are configured and " +
+    "VOYANT_WORKFLOWS_ALLOW_UNAUTHENTICATED is set. Every caller can trigger, read, " +
+    "resume, and cancel workflow runs. This mode is for LOCAL DEVELOPMENT ONLY — " +
+    "configure VOYANT_API_TOKENS before deploying.";
+/**
+ * Build a transport-agnostic bearer authorizer from a raw
+ * `Authorization` header value. Fail-closed semantics:
+ *
+ *   - tokens configured     → exact (constant-time) Bearer match or 401
+ *   - no tokens + opt-out   → always allowed (warns loudly once, at creation)
+ *   - no tokens, no opt-out → always 503 `auth_not_configured`
+ */
+export function createBearerAuthorizer(opts) {
+    const tokens = (opts.tokens ?? []).filter((t) => t.length > 0);
+    if (tokens.length === 0) {
+        if (opts.allowUnauthenticated) {
+            ;
+            (opts.warn ?? console.warn)(UNAUTHENTICATED_WARNING);
+            return () => ({ ok: true });
+        }
+        return () => ({
+            ok: false,
+            status: 503,
+            error: "auth_not_configured",
+            message: "no bearer tokens are configured for this workflows API; set VOYANT_API_TOKENS " +
+                "(or pass tokens explicitly), or opt out for local development with " +
+                "VOYANT_WORKFLOWS_ALLOW_UNAUTHENTICATED=1",
+        });
+    }
+    return (header) => {
+        if (!header) {
+            return {
+                ok: false,
+                status: 401,
+                error: "unauthorized",
+                message: "missing Authorization header",
+            };
+        }
+        const match = /^Bearer (.+)$/.exec(header);
+        if (!match) {
+            return {
+                ok: false,
+                status: 401,
+                error: "unauthorized",
+                message: "Authorization header must use the Bearer scheme",
+            };
+        }
+        const presented = match[1];
+        for (const valid of tokens) {
+            if (constantTimeEquals(presented, valid))
+                return { ok: true };
+        }
+        return {
+            ok: false,
+            status: 401,
+            error: "unauthorized",
+            message: "bearer token does not match any configured value",
+        };
+    };
+}
+/**
+ * Resolve a `verifyRequest` hook (the dep consumed by
+ * `handleWorkerRequest` / `createStepHandler`) with fail-closed
+ * defaults — the missing-token case yields a verifier that rejects
+ * every request with a 503 `auth_not_configured` `RequestAuthError`
+ * instead of `undefined` (which would skip auth entirely).
+ *
+ * Returns `undefined` (auth skipped) ONLY when no tokens are
+ * configured AND `allowUnauthenticated` is explicitly set.
+ */
+export function resolveRequestVerifier(opts) {
+    const tokens = (opts.tokens ?? []).filter((t) => t.length > 0);
+    if (tokens.length === 0 && opts.allowUnauthenticated) {
+        ;
+        (opts.warn ?? console.warn)(UNAUTHENTICATED_WARNING);
+        return undefined;
+    }
+    const authorize = createBearerAuthorizer({ ...opts, allowUnauthenticated: false });
+    return (req) => {
+        const decision = authorize(req.headers.get("authorization"));
+        if (!decision.ok) {
+            throw new RequestAuthError(decision.status, decision.error, decision.message);
+        }
+    };
+}
+/** Returns a signer: `(body: string) => Promise<string>` (base64 HMAC-SHA256). */
+export async function createHmacSigner(secret) {
+    const key = await importKey(secret, ["sign"]);
+    return async (body) => {
+        const sig = await crypto.subtle.sign("HMAC", key, encode(body));
+        return toBase64(sig);
+    };
+}
+/**
+ * Returns a verifier: `(req: Request) => Promise<void>`. Throws if:
+ *   - the header is missing,
+ *   - the signature is malformed,
+ *   - the signature does not match the current body.
+ *
+ * The verifier consumes `req.body` via `req.text()`. Callers that
+ * need the body downstream should pre-clone: `req.clone()` before
+ * passing in.
+ */
+export async function createHmacVerifier(secret) {
+    const key = await importKey(secret, ["verify"]);
+    return async (req) => {
+        const header = req.headers.get(AUTH_HEADER);
+        if (!header) {
+            throw new Error(`missing ${AUTH_HEADER} header`);
+        }
+        let sig;
+        try {
+            sig = fromBase64(header);
+        }
+        catch {
+            throw new Error(`malformed ${AUTH_HEADER} header (expected base64)`);
+        }
+        const body = await req.clone().text();
+        const ok = await crypto.subtle.verify("HMAC", key, sig, encode(body));
+        if (!ok) {
+            throw new Error(`${AUTH_HEADER} signature does not match request body`);
+        }
+    };
+}
+/**
+ * Returns a verifier over a raw body string + detached base64 HMAC
+ * signature (the value of `STEP_AUTH_HEADER`). Suitable for servers
+ * that have already buffered the request body (e.g. the node step
+ * container). `crypto.subtle.verify` is constant-time; malformed
+ * base64 or a missing signature simply yields `false`.
+ */
+export async function createHmacBodyVerifier(secret) {
+    const key = await importKey(secret, ["verify"]);
+    return async (body, signatureBase64) => {
+        if (!signatureBase64)
+            return false;
+        let sig;
+        try {
+            sig = fromBase64(signatureBase64);
+        }
+        catch {
+            return false;
+        }
+        return crypto.subtle.verify("HMAC", key, sig, encode(body));
+    };
+}
+/**
+ * Default bundle source: Cloudflare R2's S3 endpoint
+ * (`<account>.r2.cloudflarestorage.com`), which is where deploy
+ * pipelines stage `container.mjs` and the orchestrator mints
+ * short-lived signed URLs. Anything else must be explicitly
+ * allowlisted via `allowedOrigins`.
+ */
+const R2_HOST_SUFFIX = ".r2.cloudflarestorage.com";
+/**
+ * Build an origin allowlist check for caller-supplied `bundle.url`
+ * values (the node step container dynamically `import()`s the fetched
+ * bytes, so an unrestricted URL is remote-code-execution-adjacent —
+ * the SHA-256 hash pin is supplied by the same caller and is not a
+ * security control on its own).
+ *
+ *   - `allowedOrigins` set (e.g. from `VOYANT_BUNDLE_ALLOWED_ORIGINS`):
+ *     the URL's origin must match one of the entries exactly.
+ *     Invalid entries throw at creation time (misconfiguration should
+ *     fail loudly, not silently widen).
+ *   - unset/empty: only HTTPS URLs on `*.r2.cloudflarestorage.com`
+ *     are allowed — the production bundle source.
+ */
+export function createBundleUrlPolicy(opts) {
+    const entries = (opts?.allowedOrigins ?? []).filter((entry) => entry.length > 0);
+    const allowed = new Set();
+    for (const entry of entries) {
+        let parsed;
+        try {
+            parsed = new URL(entry);
+        }
+        catch {
+            throw new Error(`createBundleUrlPolicy: invalid origin in allowlist: "${entry}"`);
+        }
+        allowed.add(parsed.origin);
+    }
+    return (url) => {
+        let parsed;
+        try {
+            parsed = new URL(url);
+        }
+        catch {
+            return { ok: false, message: `bundle url is not a valid URL: "${url}"` };
+        }
+        if (allowed.size > 0) {
+            if (allowed.has(parsed.origin))
+                return { ok: true };
+            return {
+                ok: false,
+                message: `bundle url origin "${parsed.origin}" is not in the configured allowlist ` +
+                    "(VOYANT_BUNDLE_ALLOWED_ORIGINS)",
+            };
+        }
+        if (parsed.protocol === "https:" && parsed.hostname.endsWith(R2_HOST_SUFFIX)) {
+            return { ok: true };
+        }
+        return {
+            ok: false,
+            message: `bundle url origin "${parsed.origin}" rejected: with no VOYANT_BUNDLE_ALLOWED_ORIGINS ` +
+                `configured, only https://*${R2_HOST_SUFFIX} bundle sources are allowed`,
+        };
+    };
+}
+// ---- Internals ----
+async function importKey(secret, usages) {
+    if (secret.length === 0) {
+        throw new Error("HMAC secret must be a non-empty string");
+    }
+    return crypto.subtle.importKey("raw", encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [
+        ...usages,
+    ]);
+}
+/**
+ * Encode to a freshly-allocated ArrayBuffer. TextEncoder's Uint8Array
+ * is typed as `Uint8Array<ArrayBufferLike>` under recent TS lib, which
+ * doesn't satisfy the `BufferSource` param of `subtle.sign/verify`.
+ * Copying into a new ArrayBuffer sidesteps the nominal mismatch.
+ */
+function encode(s) {
+    const view = new TextEncoder().encode(s);
+    const buf = new ArrayBuffer(view.byteLength);
+    new Uint8Array(buf).set(view);
+    return buf;
+}
+function toBase64(buffer) {
+    // btoa is available in every modern runtime (Node 16+, Workers, browsers).
+    const bytes = new Uint8Array(buffer);
+    let bin = "";
+    for (let i = 0; i < bytes.length; i++)
+        bin += String.fromCharCode(bytes[i]);
+    return btoa(bin);
+}
+function fromBase64(s) {
+    const bin = atob(s);
+    const buf = new ArrayBuffer(bin.length);
+    const view = new Uint8Array(buf);
+    for (let i = 0; i < bin.length; i++)
+        view[i] = bin.charCodeAt(i);
+    return buf;
+}

package/dist/bindings.d.ts

@@ -0,0 +1,119 @@
+export interface Env {
+    [key: string]: Binding;
+}
+export type Binding = D1Database | R2Bucket | KVNamespace | Queue<unknown> | string;
+export interface D1Database {
+    prepare(sql: string): D1PreparedStatement;
+    batch(statements: D1PreparedStatement[]): Promise<D1Result[]>;
+    exec(sql: string): Promise<D1ExecResult>;
+}
+export interface D1PreparedStatement {
+    bind(...values: unknown[]): D1PreparedStatement;
+    first<T = unknown>(column?: string): Promise<T | null>;
+    run(): Promise<D1Result>;
+    all<T = unknown>(): Promise<{
+        results: T[];
+        meta: D1Meta;
+    }>;
+    /** Per-step-invocation read cache. */
+    memoize(): D1PreparedStatement;
+}
+export interface D1Result {
+    success: boolean;
+    meta: D1Meta;
+    results?: unknown[];
+}
+export interface D1ExecResult {
+    count: number;
+    duration: number;
+}
+export interface D1Meta {
+    duration: number;
+    rows_read: number;
+    rows_written: number;
+}
+export interface R2Bucket {
+    get(key: string, opts?: R2GetOptions): Promise<R2Object | null>;
+    put(key: string, value: R2PutBody, opts?: R2PutOptions): Promise<R2Object>;
+    delete(keys: string | string[]): Promise<void>;
+    list(opts?: R2ListOptions): Promise<R2Objects>;
+    head(key: string): Promise<R2Object | null>;
+}
+export interface R2GetOptions {
+    range?: {
+        offset?: number;
+        length?: number;
+    };
+    onlyIf?: {
+        etagMatches?: string;
+    };
+}
+export interface R2PutOptions {
+    httpMetadata?: Record<string, string>;
+    customMetadata?: Record<string, string>;
+}
+export type R2PutBody = ReadableStream | ArrayBuffer | string;
+export interface R2Object {
+    key: string;
+    size: number;
+    etag: string;
+    httpMetadata?: Record<string, string>;
+    customMetadata?: Record<string, string>;
+    body?: ReadableStream;
+    arrayBuffer(): Promise<ArrayBuffer>;
+    text(): Promise<string>;
+    json<T = unknown>(): Promise<T>;
+}
+export interface R2ListOptions {
+    prefix?: string;
+    cursor?: string;
+    limit?: number;
+}
+export interface R2Objects {
+    objects: R2Object[];
+    truncated: boolean;
+    cursor?: string;
+}
+export interface KVNamespace {
+    get<T = string>(key: string, opts?: KVGetOptions<T>): Promise<T | null>;
+    put(key: string, value: string | ArrayBuffer, opts?: KVPutOptions): Promise<void>;
+    delete(key: string): Promise<void>;
+    list(opts?: KVListOptions): Promise<KVList>;
+}
+export interface KVGetOptions<T> {
+    type?: T extends string ? "text" : "json" | "arrayBuffer" | "stream";
+}
+export interface KVPutOptions {
+    expiration?: number;
+    expirationTtl?: number;
+    metadata?: Record<string, unknown>;
+}
+export interface KVListOptions {
+    prefix?: string;
+    cursor?: string;
+    limit?: number;
+}
+export interface KVList {
+    keys: {
+        name: string;
+        expiration?: number;
+        metadata?: unknown;
+    }[];
+    list_complete: boolean;
+    cursor?: string;
+}
+export interface Queue<T> {
+    send(message: T, opts?: {
+        delaySeconds?: number;
+    }): Promise<void>;
+    sendBatch(messages: readonly T[]): Promise<void>;
+}
+/**
+ * The environment object tenant code reads bindings from.
+ *
+ * On the edge runtime, this is a pass-through to the tenant worker's
+ * `env` parameter (CF Workers). On the container runtime, the
+ * platform injects HTTP-based clients that mimic the shapes above.
+ */
+export declare const env: Env;
+//# sourceMappingURL=bindings.d.ts.map

package/dist/bindings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bindings.d.ts","sourceRoot":"","sources":["../src/bindings.ts"],"names":[],"mappings":"AAYA,MAAM,WAAW,GAAG;IAClB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB;AAED,MAAM,MAAM,OAAO,GAAG,UAAU,GAAG,QAAQ,GAAG,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,MAAM,CAAA;AAEnF,MAAM,WAAW,UAAU;IACzB,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,mBAAmB,CAAA;IACzC,KAAK,CAAC,UAAU,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAA;IAC7D,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAA;CACzC;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,CAAC,GAAG,MAAM,EAAE,OAAO,EAAE,GAAG,mBAAmB,CAAA;IAC/C,KAAK,CAAC,CAAC,GAAG,OAAO,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;IACtD,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAA;IACxB,GAAG,CAAC,CAAC,GAAG,OAAO,KAAK,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC3D,sCAAsC;IACtC,OAAO,IAAI,mBAAmB,CAAA;CAC/B;AAED,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,CAAC,EAAE,OAAO,EAAE,CAAA;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,MAAM;IACrB,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,YAAY,EAAE,MAAM,CAAA;CACrB;AAED,MAAM,WAAW,QAAQ;IACvB,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,YAAY,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAC/D,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,EAAE,YAAY,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC1E,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC9C,IAAI,CAAC,IAAI,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;IAC9C,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;CAC5C;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;IAC5C,MAAM,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAClC;AACD,MAAM,WAAW,YAAY;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IACrC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACxC;AACD,MAAM,MAAM,SAAS,GAAG,cAAc,GAAG,WAAW,GAAG,MAAM,CAAA;AAC7D,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IACrC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IACvC,IAAI,CAAC,EAAE,cAAc,CAAA;IACrB,WAAW,IAAI,OAAO,CAAC,WAAW,CAAC,CAAA;IACnC,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,CAAA;IACvB,IAAI,CAAC,CAAC,GAAG,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,CAAA;CAChC;AACD,MAAM,WAAW,aAAa;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AACD,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,QAAQ,EAAE,CAAA;IACnB,SAAS,EAAE,OAAO,CAAA;IAClB,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,GAAG,CAAC,CAAC,GAAG,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;IACvE,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,WAAW,EAAE,IAAI,CAAC,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACjF,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAClC,IAAI,CAAC,IAAI,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;CAC5C;AAED,MAAM,WAAW,YAAY,CAAC,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,SAAS,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,aAAa,GAAG,QAAQ,CAAA;CACrE;AACD,MAAM,WAAW,YAAY;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACnC;AACD,MAAM,WAAW,aAAa;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AACD,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;KAAE,EAAE,CAAA;IACjE,aAAa,EAAE,OAAO,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,KAAK,CAAC,CAAC;IACtB,IAAI,CAAC,OAAO,EAAE,CAAC,EAAE,IAAI,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACjE,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACjD;AAED;;;;;;GAMG;AACH,eAAO,MAAM,GAAG,EAAE,GAOhB,CAAA"}

package/dist/bindings.js

@@ -0,0 +1,19 @@
+// @voyant-travel/workflows/bindings
+//
+// Runtime binding shim. Edge runtime passes through to native CF bindings;
+// container runtime makes authenticated HTTPS calls to CF's per-binding APIs.
+//
+// Contract defined in docs/sdk-surface.md §9 and docs/design.md §5.2.
+/**
+ * The environment object tenant code reads bindings from.
+ *
+ * On the edge runtime, this is a pass-through to the tenant worker's
+ * `env` parameter (CF Workers). On the container runtime, the
+ * platform injects HTTP-based clients that mimic the shapes above.
+ */
+export const env = new Proxy({}, {
+    get(_, key) {
+        throw new Error(`@voyant-travel/workflows/bindings: env.${key} was accessed outside a workflow / step body. ` +
+            `Bindings are injected by the runtime — see docs/sdk-surface.md §9.`);
+    },
+});

package/dist/client.d.ts

@@ -0,0 +1,135 @@
+import type { WorkflowDriver } from "./driver.js";
+import type { Duration, EnvironmentName, RunStatus } from "./types.js";
+import type { WorkflowHandle } from "./workflow.js";
+export interface WorkflowsClient {
+    trigger<TIn, TOut>(workflow: WorkflowHandle<TIn, TOut> | string, input: TIn, opts?: TriggerOptions): Promise<Run<TOut>>;
+    signal(runId: string, name: string, payload: unknown, opts?: {
+        nonce?: string;
+    }): Promise<void>;
+    completeToken(tokenId: string, payload: unknown): Promise<void>;
+    cancel(runId: string, opts?: {
+        compensate?: boolean;
+        reason?: string;
+    }): Promise<void>;
+    retry(runId: string, opts: {
+        mode: "re-trigger" | "resume";
+    }): Promise<Run>;
+    replay(runId: string, opts?: {
+        fromStepId?: string;
+        input?: unknown;
+    }): Promise<Run>;
+    get(runId: string): Promise<RunDetail>;
+    list(opts?: ListRunsOptions): Promise<{
+        runs: RunSummary[];
+        nextCursor?: string;
+    }>;
+    mintAccessToken(opts: MintAccessTokenOptions): Promise<PublicAccessToken>;
+}
+export interface TriggerOptions {
+    idempotencyKey?: string;
+    delay?: Duration | Date;
+    debounce?: {
+        key: string;
+        delay: Duration;
+        mode?: "leading" | "trailing";
+    };
+    ttl?: Duration;
+    tags?: string[];
+    priority?: number;
+    concurrencyKey?: string;
+    lockToVersion?: string;
+    environment?: EnvironmentName;
+    issuePublicAccessToken?: boolean;
+}
+export interface Run<TOut = unknown> {
+    id: string;
+    workflowId: string;
+    status: RunStatus;
+    startedAt: number;
+    accessToken?: string;
+    /** Phantom; used only for TypeScript inference. */
+    readonly __output?: TOut;
+}
+export interface RunSummary {
+    id: string;
+    workflowId: string;
+    status: RunStatus;
+    startedAt: number;
+    completedAt?: number;
+    tags: string[];
+    environment: EnvironmentName;
+}
+export interface RunDetail<TOut = unknown> extends RunSummary {
+    version: string;
+    input: unknown;
+    output?: TOut;
+    error?: unknown;
+    durationMs?: number;
+}
+export interface ListRunsOptions {
+    workflowId?: string;
+    status?: RunStatus | RunStatus[];
+    environment?: EnvironmentName;
+    tag?: string;
+    since?: Date | number;
+    until?: Date | number;
+    cursor?: string;
+    limit?: number;
+}
+export interface MintAccessTokenOptions {
+    target: {
+        kind: "run";
+        runId: string;
+    } | {
+        kind: "workflow";
+        workflowId: string;
+    } | {
+        kind: "tag";
+        tag: string;
+    };
+    scope: ("read" | "trigger" | "cancel")[];
+    ttl?: Duration;
+}
+export interface PublicAccessToken {
+    token: string;
+    exp: number;
+}
+export interface CloudWorkflowsClientEnv {
+    VOYANT_CLOUD_WORKFLOWS_URL?: string;
+    VOYANT_CLOUD_WORKFLOW_TRIGGER_TOKEN?: string;
+    VOYANT_CLOUD_APP_SLUG?: string;
+    VOYANT_CLOUD_ENVIRONMENT?: string;
+}
+export interface CloudWorkflowsClientOptions {
+    baseUrl?: string;
+    triggerToken?: string;
+    appSlug?: string;
+    environment?: EnvironmentName;
+    fetch?: typeof fetch;
+    env?: CloudWorkflowsClientEnv;
+}
+export interface CloudWorkflowDriverOptions extends CloudWorkflowsClientOptions {
+    /**
+     * Managed Cloud deployments should leave this disabled. Workflow releases
+     * are created by the deployment/control-plane path, not by the app runtime.
+     * The enabled mode exists only for explicitly wired adapters that own their
+     * release-registration boundary.
+     */
+    manifestRegistration?: "disabled" | "enabled";
+}
+/**
+ * Install the process-local `workflows` client implementation used by the
+ * root `@voyant-travel/workflows` singleton. Apps may call this during boot, or
+ * rely on deployment-injected Voyant Cloud environment variables.
+ */
+export declare function configureWorkflowsClient(client: WorkflowsClient): void;
+export declare function getConfiguredWorkflowsClient(): WorkflowsClient | undefined;
+export declare const workflows: WorkflowsClient;
+export declare function createCloudWorkflowsClient(options?: CloudWorkflowsClientOptions): WorkflowsClient;
+/**
+ * Cloud-mode driver for framework event forwarding. It does not execute runs
+ * locally; it forwards triggers/events/manifests to the hosted runtime using
+ * the same deployment-scoped credentials as the client.
+ */
+export declare function createCloudWorkflowDriver(options?: CloudWorkflowDriverOptions): WorkflowDriver;
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAwC,cAAc,EAAE,MAAM,aAAa,CAAA;AAEvF,OAAO,KAAK,EAAE,QAAQ,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AACtE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AAEnD,MAAM,WAAW,eAAe;IAC9B,OAAO,CAAC,GAAG,EAAE,IAAI,EACf,QAAQ,EAAE,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,MAAM,EAC5C,KAAK,EAAE,GAAG,EACV,IAAI,CAAC,EAAE,cAAc,GACpB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;IAErB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC/F,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE/D,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACtF,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,IAAI,EAAE,YAAY,GAAG,QAAQ,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAA;IAC3E,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAA;IAEpF,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;IACtC,IAAI,CAAC,IAAI,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,UAAU,EAAE,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAElF,eAAe,CAAC,IAAI,EAAE,sBAAsB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAA;CAC1E;AAED,MAAM,WAAW,cAAc;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,KAAK,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAA;IACvB,QAAQ,CAAC,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,QAAQ,CAAC;QAAC,IAAI,CAAC,EAAE,SAAS,GAAG,UAAU,CAAA;KAAE,CAAA;IAC1E,GAAG,CAAC,EAAE,QAAQ,CAAA;IACd,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,WAAW,CAAC,EAAE,eAAe,CAAA;IAC7B,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC;AAED,MAAM,WAAW,GAAG,CAAC,IAAI,GAAG,OAAO;IACjC,EAAE,EAAE,MAAM,CAAA;IACV,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,SAAS,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,mDAAmD;IACnD,QAAQ,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAA;CACzB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAA;IACV,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,SAAS,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,WAAW,EAAE,eAAe,CAAA;CAC7B;AAED,MAAM,WAAW,SAAS,CAAC,IAAI,GAAG,OAAO,CAAE,SAAQ,UAAU;IAC3D,OAAO,EAAE,MAAM,CAAA;IACf,KAAK,EAAE,OAAO,CAAA;IACd,MAAM,CAAC,EAAE,IAAI,CAAA;IACb,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,MAAM,CAAC,EAAE,SAAS,GAAG,SAAS,EAAE,CAAA;IAChC,WAAW,CAAC,EAAE,eAAe,CAAA;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,KAAK,CAAC,EAAE,IAAI,GAAG,MAAM,CAAA;IACrB,KAAK,CAAC,EAAE,IAAI,GAAG,MAAM,CAAA;IACrB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,sBAAsB;IACrC,MAAM,EACF;QAAE,IAAI,EAAE,KAAK,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAC9B;QAAE,IAAI,EAAE,UAAU,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GACxC;QAAE,IAAI,EAAE,KAAK,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAA;IAChC,KAAK,EAAE,CAAC,MAAM,GAAG,SAAS,GAAG,QAAQ,CAAC,EAAE,CAAA;IACxC,GAAG,CAAC,EAAE,QAAQ,CAAA;CACf;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAA;IACb,GAAG,EAAE,MAAM,CAAA;CACZ;AAED,MAAM,WAAW,uBAAuB;IACtC,0BAA0B,CAAC,EAAE,MAAM,CAAA;IACnC,mCAAmC,CAAC,EAAE,MAAM,CAAA;IAC5C,qBAAqB,CAAC,EAAE,MAAM,CAAA;IAC9B,wBAAwB,CAAC,EAAE,MAAM,CAAA;CAClC;AAED,MAAM,WAAW,2BAA2B;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,WAAW,CAAC,EAAE,eAAe,CAAA;IAC7B,KAAK,CAAC,EAAE,OAAO,KAAK,CAAA;IACpB,GAAG,CAAC,EAAE,uBAAuB,CAAA;CAC9B;AAED,MAAM,WAAW,0BAA2B,SAAQ,2BAA2B;IAC7E;;;;;OAKG;IACH,oBAAoB,CAAC,EAAE,UAAU,GAAG,SAAS,CAAA;CAC9C;AAMD;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,IAAI,CAEtE;AAED,wBAAgB,4BAA4B,IAAI,eAAe,GAAG,SAAS,CAE1E;AAED,eAAO,MAAM,SAAS,EAAE,eAmBtB,CAAA;AAEF,wBAAgB,0BAA0B,CACxC,OAAO,GAAE,2BAAgC,GACxC,eAAe,CAsDjB;AAED;;;;GAIG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,GAAE,0BAA+B,GACvC,cAAc,CAwDhB"}