@zauso-ai/capstan-auth 0.2.0 → 0.3.1

package/dist/dpop.d.ts

@@ -0,0 +1,46 @@
+import type { KeyValueStore } from "./store.js";
+/**
+ * Result of a successful DPoP proof validation.
+ */
+export interface DpopValidationResult {
+    /** Base64url-encoded JWK thumbprint (RFC 7638) of the proof key. */
+    thumbprint: string;
+}
+/**
+ * Replace the default in-memory DPoP replay store with a custom implementation.
+ *
+ * Call this at application startup before any DPoP proofs are validated.
+ */
+export declare function setDpopReplayStore(store: KeyValueStore<true>): void;
+/**
+ * Validate a DPoP proof JWT per RFC 9449.
+ *
+ * The proof is a compact-serialized JWT whose header contains the public key
+ * (`jwk`) used to sign the proof.  The function:
+ *
+ * 1. Parses the JOSE header and verifies `typ: "dpop+jwt"` and a supported `alg`.
+ * 2. Extracts the embedded `jwk` and imports it via Web Crypto.
+ * 3. Verifies the JWT signature using the imported key.
+ * 4. Validates required claims:
+ *    - `htm` — must match the provided HTTP method.
+ *    - `htu` — must match the provided HTTP URI (scheme + authority + path).
+ *    - `iat` — must be within the acceptable time window.
+ *    - `jti` — must be unique (checked against an in-memory replay cache).
+ * 5. If an `accessToken` is provided, verifies the `ath` (access token hash)
+ *    claim matches the SHA-256 hash of the token.
+ *
+ * Returns the JWK thumbprint on success, or `null` if validation fails.
+ *
+ * @param proof   - The DPoP proof from the `DPoP` request header.
+ * @param method  - The HTTP method of the request (e.g. "POST").
+ * @param url     - The full request URL.
+ * @param accessToken - Optional access token to verify `ath` binding.
+ */
+export declare function validateDpopProof(proof: string, method: string, url: string, accessToken?: string): Promise<DpopValidationResult | null>;
+/**
+ * Clear the DPoP JTI replay cache.
+ *
+ * Useful for tests so state does not leak between test cases.
+ */
+export declare function clearDpopReplayCache(): Promise<void>;
+//# sourceMappingURL=dpop.d.ts.map

package/dist/dpop.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.d.ts","sourceRoot":"","sources":["../src/dpop.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAOhD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,oEAAoE;IACpE,UAAU,EAAE,MAAM,CAAC;CACpB;AAoBD;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,aAAa,CAAC,IAAI,CAAC,GAAG,IAAI,CAEnE;AAmGD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,EACX,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CA4JtC;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,IAAI,CAAC,CAE1D"}

package/dist/dpop.js

@@ -0,0 +1,259 @@
+import { createHash } from "node:crypto";
+import { MemoryStore } from "./store.js";
+/** Maximum age (in seconds) for a DPoP proof's `iat` claim. */
+const MAX_PROOF_AGE_SECONDS = 300; // 5 minutes
+/** Minimum age (in seconds) — reject proofs from the far future. */
+const MAX_CLOCK_SKEW_SECONDS = 60;
+/** TTL for JTI replay cache entries (proof age + clock skew). */
+const JTI_TTL_MS = (MAX_PROOF_AGE_SECONDS + MAX_CLOCK_SKEW_SECONDS) * 1000;
+/**
+ * Pluggable store for tracking recently seen `jti` values to prevent replay.
+ *
+ * Each entry stores `true` as a sentinel value with a TTL equal to the proof
+ * window.  The `MemoryStore` default lazily expires entries on access; custom
+ * implementations (e.g. Redis) can use native TTL support.
+ */
+let dpopReplayStore = new MemoryStore();
+/**
+ * Replace the default in-memory DPoP replay store with a custom implementation.
+ *
+ * Call this at application startup before any DPoP proofs are validated.
+ */
+export function setDpopReplayStore(store) {
+    dpopReplayStore = store;
+}
+// ---------------------------------------------------------------------------
+// Base64url helpers
+// ---------------------------------------------------------------------------
+function base64urlDecode(str) {
+    // Convert base64url to standard base64.
+    let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+    // Pad with '=' to make length a multiple of 4.
+    while (base64.length % 4 !== 0) {
+        base64 += "=";
+    }
+    return Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
+}
+function base64urlEncode(buffer) {
+    const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+    let binary = "";
+    for (const b of bytes) {
+        binary += String.fromCharCode(b);
+    }
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+// ---------------------------------------------------------------------------
+// JWK Thumbprint (RFC 7638)
+// ---------------------------------------------------------------------------
+/**
+ * Compute the JWK thumbprint per RFC 7638.
+ *
+ * For RSA keys the required members are: e, kty, n
+ * For EC keys: crv, kty, x, y
+ */
+function computeJwkThumbprint(jwk) {
+    let canonicalMembers;
+    if (jwk.kty === "RSA") {
+        canonicalMembers = { e: jwk.e, kty: jwk.kty, n: jwk.n };
+    }
+    else if (jwk.kty === "EC") {
+        canonicalMembers = {
+            crv: jwk.crv,
+            kty: jwk.kty,
+            x: jwk.x,
+            y: jwk.y,
+        };
+    }
+    else {
+        throw new Error(`Unsupported key type: ${jwk.kty}`);
+    }
+    // Lexicographic ordering of keys (JSON Canonicalization is just sorted keys
+    // for the required members).
+    const sortedKeys = Object.keys(canonicalMembers).sort();
+    const json = "{" +
+        sortedKeys
+            .map((k) => `${JSON.stringify(k)}:${JSON.stringify(canonicalMembers[k])}`)
+            .join(",") +
+        "}";
+    const hash = createHash("sha256").update(json).digest();
+    return base64urlEncode(hash);
+}
+function mapAlgorithm(alg) {
+    switch (alg) {
+        case "RS256":
+            return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
+        case "RS384":
+            return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-384" };
+        case "RS512":
+            return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-512" };
+        case "ES256":
+            return { name: "ECDSA", hash: "SHA-256", namedCurve: "P-256" };
+        case "ES384":
+            return { name: "ECDSA", hash: "SHA-384", namedCurve: "P-384" };
+        case "ES512":
+            return { name: "ECDSA", hash: "SHA-512", namedCurve: "P-521" };
+        default:
+            return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Validate a DPoP proof JWT per RFC 9449.
+ *
+ * The proof is a compact-serialized JWT whose header contains the public key
+ * (`jwk`) used to sign the proof.  The function:
+ *
+ * 1. Parses the JOSE header and verifies `typ: "dpop+jwt"` and a supported `alg`.
+ * 2. Extracts the embedded `jwk` and imports it via Web Crypto.
+ * 3. Verifies the JWT signature using the imported key.
+ * 4. Validates required claims:
+ *    - `htm` — must match the provided HTTP method.
+ *    - `htu` — must match the provided HTTP URI (scheme + authority + path).
+ *    - `iat` — must be within the acceptable time window.
+ *    - `jti` — must be unique (checked against an in-memory replay cache).
+ * 5. If an `accessToken` is provided, verifies the `ath` (access token hash)
+ *    claim matches the SHA-256 hash of the token.
+ *
+ * Returns the JWK thumbprint on success, or `null` if validation fails.
+ *
+ * @param proof   - The DPoP proof from the `DPoP` request header.
+ * @param method  - The HTTP method of the request (e.g. "POST").
+ * @param url     - The full request URL.
+ * @param accessToken - Optional access token to verify `ath` binding.
+ */
+export async function validateDpopProof(proof, method, url, accessToken) {
+    // ── 1. Split compact serialization ──────────────────────────────
+    const parts = proof.split(".");
+    if (parts.length !== 3)
+        return null;
+    const [headerB64, payloadB64, signatureB64] = parts;
+    // ── 2. Parse header ─────────────────────────────────────────────
+    let header;
+    try {
+        header = JSON.parse(new TextDecoder().decode(base64urlDecode(headerB64)));
+    }
+    catch {
+        return null;
+    }
+    // Must be typ: dpop+jwt
+    if (header.typ !== "dpop+jwt")
+        return null;
+    // Must have a supported algorithm
+    if (!header.alg)
+        return null;
+    const algMapping = mapAlgorithm(header.alg);
+    if (!algMapping)
+        return null;
+    // Must have an embedded JWK
+    if (!header.jwk || typeof header.jwk !== "object")
+        return null;
+    // The JWK must not contain a private key
+    if ("d" in header.jwk)
+        return null;
+    // ── 3. Import the public key and verify signature ───────────────
+    let importAlg;
+    if (algMapping.name === "RSASSA-PKCS1-v1_5") {
+        importAlg = { name: algMapping.name, hash: algMapping.hash };
+    }
+    else {
+        importAlg = {
+            name: algMapping.name,
+            namedCurve: algMapping.namedCurve,
+        };
+    }
+    let publicKey;
+    try {
+        publicKey = await crypto.subtle.importKey("jwk", header.jwk, importAlg, false, ["verify"]);
+    }
+    catch {
+        return null;
+    }
+    // Verify the signature over header.payload
+    const signingInput = new TextEncoder().encode(`${headerB64}.${payloadB64}`);
+    const signature = base64urlDecode(signatureB64);
+    let verifyAlg;
+    if (algMapping.name === "ECDSA") {
+        verifyAlg = { name: "ECDSA", hash: algMapping.hash };
+    }
+    else {
+        verifyAlg = { name: algMapping.name };
+    }
+    let valid;
+    try {
+        valid = await crypto.subtle.verify(verifyAlg, publicKey, signature.buffer, signingInput);
+    }
+    catch {
+        return null;
+    }
+    if (!valid)
+        return null;
+    // ── 4. Parse and validate payload claims ────────────────────────
+    let payload;
+    try {
+        payload = JSON.parse(new TextDecoder().decode(base64urlDecode(payloadB64)));
+    }
+    catch {
+        return null;
+    }
+    // htm — HTTP method must match
+    if (typeof payload.htm !== "string")
+        return null;
+    if (payload.htm.toUpperCase() !== method.toUpperCase())
+        return null;
+    // htu — HTTP URI must match (scheme + authority + path, no query/fragment)
+    if (typeof payload.htu !== "string")
+        return null;
+    try {
+        const proofUrl = new URL(payload.htu);
+        const requestUrl = new URL(url);
+        // Compare origin + pathname (ignoring query string and fragment).
+        if (proofUrl.origin !== requestUrl.origin ||
+            proofUrl.pathname !== requestUrl.pathname) {
+            return null;
+        }
+    }
+    catch {
+        return null;
+    }
+    // iat — issued at must be recent
+    if (typeof payload.iat !== "number")
+        return null;
+    const nowSeconds = Math.floor(Date.now() / 1000);
+    if (payload.iat > nowSeconds + MAX_CLOCK_SKEW_SECONDS)
+        return null;
+    if (nowSeconds - payload.iat > MAX_PROOF_AGE_SECONDS)
+        return null;
+    // jti — unique identifier, prevent replay
+    if (typeof payload.jti !== "string" || payload.jti.length === 0)
+        return null;
+    if (await dpopReplayStore.has(payload.jti))
+        return null;
+    // Record the jti with a TTL matching the proof window.
+    await dpopReplayStore.set(payload.jti, true, JTI_TTL_MS);
+    // ── 5. Access token hash binding (ath) ──────────────────────────
+    if (accessToken !== undefined) {
+        const expectedAth = base64urlEncode(createHash("sha256").update(accessToken).digest());
+        if (payload.ath !== expectedAth)
+            return null;
+    }
+    // ── 6. Compute JWK thumbprint ───────────────────────────────────
+    let thumbprint;
+    try {
+        thumbprint = computeJwkThumbprint(header.jwk);
+    }
+    catch {
+        return null;
+    }
+    return { thumbprint };
+}
+/**
+ * Clear the DPoP JTI replay cache.
+ *
+ * Useful for tests so state does not leak between test cases.
+ */
+export async function clearDpopReplayCache() {
+    await dpopReplayStore.clear();
+}
+//# sourceMappingURL=dpop.js.map

package/dist/dpop.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.js","sourceRoot":"","sources":["../src/dpop.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAczC,+DAA+D;AAC/D,MAAM,qBAAqB,GAAG,GAAG,CAAC,CAAC,YAAY;AAE/C,oEAAoE;AACpE,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAElC,iEAAiE;AACjE,MAAM,UAAU,GAAG,CAAC,qBAAqB,GAAG,sBAAsB,CAAC,GAAG,IAAI,CAAC;AAE3E;;;;;;GAMG;AACH,IAAI,eAAe,GAAwB,IAAI,WAAW,EAAE,CAAC;AAE7D;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAA0B;IAC3D,eAAe,GAAG,KAAK,CAAC;AAC1B,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,SAAS,eAAe,CAAC,GAAW;IAClC,wCAAwC;IACxC,IAAI,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACvD,+CAA+C;IAC/C,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,CAAC;IAChB,CAAC;IACD,OAAO,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,eAAe,CAAC,MAAgC;IACvD,MAAM,KAAK,GACT,MAAM,YAAY,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACjE,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACjF,CAAC;AAED,8EAA8E;AAC9E,4BAA4B;AAC5B,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAS,oBAAoB,CAAC,GAAe;IAC3C,IAAI,gBAAoD,CAAC;IAEzD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;QACtB,gBAAgB,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;IAC1D,CAAC;SAAM,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5B,gBAAgB,GAAG;YACjB,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,CAAC,EAAE,GAAG,CAAC,CAAC;YACR,CAAC,EAAE,GAAG,CAAC,CAAC;SACT,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,4EAA4E;IAC5E,6BAA6B;IAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,EAAE,CAAC;IACxD,MAAM,IAAI,GACR,GAAG;QACH,UAAU;aACP,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;aACzE,IAAI,CAAC,GAAG,CAAC;QACZ,GAAG,CAAC;IAEN,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;IACxD,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAYD,SAAS,YAAY,CAAC,GAAW;IAC/B,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QACxD,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QACxD,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QACxD,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;QACjE,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;QACjE,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;QACjE;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,MAAc,EACd,GAAW,EACX,WAAoB;IAEpB,mEAAmE;IACnE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAI7C,CAAC;IAEF,mEAAmE;IACnE,IAAI,MAIH,CAAC;IACF,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CACjB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,CACrD,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,wBAAwB;IACxB,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IAE3C,kCAAkC;IAClC,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC7B,MAAM,UAAU,GAAG,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAE7B,4BAA4B;IAC5B,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE/D,yCAAyC;IACzC,IAAI,GAAG,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEnC,mEAAmE;IACnE,IAAI,SAAoD,CAAC;IACzD,IAAI,UAAU,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;QAC5C,SAAS,GAAG,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,CAAC,IAAK,EAAE,CAAC;IAChE,CAAC;SAAM,CAAC;QACN,SAAS,GAAG;YACV,IAAI,EAAE,UAAU,CAAC,IAAI;YACrB,UAAU,EAAE,UAAU,CAAC,UAAW;SACnC,CAAC;IACJ,CAAC;IAED,IAAI,SAAoB,CAAC;IACzB,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,MAAM,CAAC,GAAG,EACV,SAAS,EACT,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,2CAA2C;IAC3C,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAC3C,GAAG,SAAS,IAAI,UAAU,EAAE,CAC7B,CAAC;IACF,MAAM,SAAS,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IAEhD,IAAI,SAA4C,CAAC;IACjD,IAAI,UAAU,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAChC,SAAS,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,CAAC,IAAK,EAAE,CAAC;IACxD,CAAC;SAAM,CAAC;QACN,SAAS,GAAG,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,CAAC;IACxC,CAAC;IAED,IAAI,KAAc,CAAC;IACnB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAChC,SAAS,EACT,SAAS,EACT,SAAS,CAAC,MAAqB,EAC/B,YAAY,CACb,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,mEAAmE;IACnE,IAAI,OAMH,CAAC;IACF,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAClB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CACtD,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+BAA+B;IAC/B,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,WAAW,EAAE;QAAE,OAAO,IAAI,CAAC;IAEpE,2EAA2E;IAC3E,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAChC,kEAAkE;QAClE,IACE,QAAQ,CAAC,MAAM,KAAK,UAAU,CAAC,MAAM;YACrC,QAAQ,CAAC,QAAQ,KAAK,UAAU,CAAC,QAAQ,EACzC,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iCAAiC;IACjC,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACjD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACjD,IAAI,OAAO,CAAC,GAAG,GAAG,UAAU,GAAG,sBAAsB;QAAE,OAAO,IAAI,CAAC;IACnE,IAAI,UAAU,GAAG,OAAO,CAAC,GAAG,GAAG,qBAAqB;QAAE,OAAO,IAAI,CAAC;IAElE,0CAA0C;IAC1C,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7E,IAAI,MAAM,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAExD,uDAAuD;IACvD,MAAM,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;IAEzD,mEAAmE;IACnE,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;QAC9B,MAAM,WAAW,GAAG,eAAe,CACjC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAClD,CAAC;QACF,IAAI,OAAO,CAAC,GAAG,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;IAC/C,CAAC;IAED,mEAAmE;IACnE,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,CAAC;AACxB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB;IACxC,MAAM,eAAe,CAAC,KAAK,EAAE,CAAC;AAChC,CAAC"}

package/dist/execution.d.ts

@@ -0,0 +1,10 @@
+import type { ActorIdentity, DelegationLink, ExecutionIdentity, ExecutionKind } from "./types.js";
+export declare function createExecutionIdentity(kind: ExecutionKind, source: string, options?: {
+    parentId?: string;
+    metadata?: Record<string, unknown>;
+}): ExecutionIdentity;
+export declare function createRequestExecution(request: Request, options?: {
+    parentId?: string;
+}): ExecutionIdentity;
+export declare function createDelegationLink(from: ActorIdentity | ExecutionIdentity, to: ActorIdentity | ExecutionIdentity, reason: string, metadata?: Record<string, unknown>): DelegationLink;
+//# sourceMappingURL=execution.d.ts.map

package/dist/execution.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"execution.d.ts","sourceRoot":"","sources":["../src/execution.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,aAAa,EACb,cAAc,EAEd,iBAAiB,EACjB,aAAa,EACd,MAAM,YAAY,CAAC;AASpB,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,aAAa,EACnB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC,GACA,iBAAiB,CAQnB;AAED,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,iBAAiB,CAoBnB;AASD,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,aAAa,GAAG,iBAAiB,EACvC,EAAE,EAAE,aAAa,GAAG,iBAAiB,EACrC,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjC,cAAc,CAWhB"}

package/dist/execution.js

@@ -0,0 +1,50 @@
+function buildExecutionId(kind, source) {
+    if (kind === "request") {
+        return source;
+    }
+    return `${kind}:${source}`;
+}
+export function createExecutionIdentity(kind, source, options) {
+    const execution = {
+        kind,
+        id: buildExecutionId(kind, source),
+    };
+    if (options?.parentId !== undefined)
+        execution.parentId = options.parentId;
+    if (options?.metadata !== undefined)
+        execution.metadata = options.metadata;
+    return execution;
+}
+export function createRequestExecution(request, options) {
+    const url = new URL(request.url);
+    const createOptions = {
+        metadata: {
+            method: request.method,
+            pathname: url.pathname,
+            origin: url.origin,
+        },
+    };
+    if (options?.parentId !== undefined) {
+        createOptions.parentId = options.parentId;
+    }
+    return createExecutionIdentity("request", `${request.method} ${url.pathname}`, createOptions);
+}
+function toTargetRef(target) {
+    return {
+        kind: target.kind,
+        id: target.id,
+    };
+}
+export function createDelegationLink(from, to, reason, metadata) {
+    const link = {
+        from: toTargetRef(from),
+        to: toTargetRef(to),
+        reason,
+        issuedAt: new Date().toISOString(),
+    };
+    if (metadata !== undefined) {
+        link.metadata = metadata;
+    }
+    return link;
+}
+//# sourceMappingURL=execution.js.map

package/dist/execution.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"execution.js","sourceRoot":"","sources":["../src/execution.ts"],"names":[],"mappings":"AAQA,SAAS,gBAAgB,CAAC,IAAmB,EAAE,MAAc;IAC3D,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,GAAG,IAAI,IAAI,MAAM,EAAE,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,IAAmB,EACnB,MAAc,EACd,OAGC;IAED,MAAM,SAAS,GAAsB;QACnC,IAAI;QACJ,EAAE,EAAE,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC;KACnC,CAAC;IACF,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS;QAAE,SAAS,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC3E,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS;QAAE,SAAS,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC3E,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,OAAgB,EAChB,OAEC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,aAAa,GAGf;QACF,QAAQ,EAAE;YACR,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,MAAM,EAAE,GAAG,CAAC,MAAM;SACnB;KACF,CAAC;IACF,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS,EAAE,CAAC;QACpC,aAAa,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC5C,CAAC;IACD,OAAO,uBAAuB,CAC5B,SAAS,EACT,GAAG,OAAO,CAAC,MAAM,IAAI,GAAG,CAAC,QAAQ,EAAE,EACnC,aAAa,CACd,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,MAAyC;IAC5D,OAAO;QACL,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,EAAE,EAAE,MAAM,CAAC,EAAE;KACd,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,IAAuC,EACvC,EAAqC,EACrC,MAAc,EACd,QAAkC;IAElC,MAAM,IAAI,GAAmB;QAC3B,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC;QACvB,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC;QACnB,MAAM;QACN,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC;IACF,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/harness-authorizer.d.ts

@@ -0,0 +1,10 @@
+import type { RuntimeGrantSupplier } from "./runtime-authorizer.js";
+import { type RuntimeGrantAuthorizationResult, type RuntimeGrantAuthorizerRequest } from "./runtime-authorizer.js";
+export interface HarnessGrantAuthorizationRequest {
+    action: string;
+    runId?: string;
+    detail?: Record<string, unknown>;
+}
+export declare function toRuntimeGrantRequest(request: HarnessGrantAuthorizationRequest): RuntimeGrantAuthorizerRequest;
+export declare function createHarnessGrantAuthorizer(supplier: RuntimeGrantSupplier): (request: HarnessGrantAuthorizationRequest) => Promise<RuntimeGrantAuthorizationResult>;
+//# sourceMappingURL=harness-authorizer.d.ts.map

package/dist/harness-authorizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"harness-authorizer.d.ts","sourceRoot":"","sources":["../src/harness-authorizer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,EAEL,KAAK,+BAA+B,EACpC,KAAK,6BAA6B,EACnC,MAAM,yBAAyB,CAAC;AAEjC,MAAM,WAAW,gCAAgC;IAC/C,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAiGD,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,gCAAgC,GACxC,6BAA6B,CAa/B;AAED,wBAAgB,4BAA4B,CAAC,QAAQ,EAAE,oBAAoB,IAIvE,SAAS,gCAAgC,KACxC,OAAO,CAAC,+BAA+B,CAAC,CAE5C"}

package/dist/harness-authorizer.js

@@ -0,0 +1,90 @@
+import { createRuntimeGrantAuthorizer, } from "./runtime-authorizer.js";
+function readString(source, key) {
+    const value = source?.[key];
+    return typeof value === "string" && value.trim().length > 0 ? value : undefined;
+}
+function readRecord(source, key) {
+    const value = source?.[key];
+    return value != null && typeof value === "object" && !Array.isArray(value)
+        ? value
+        : undefined;
+}
+function deriveMemoryAttributes(detail) {
+    const kind = readString(detail, "kind");
+    if (kind === "session_memory") {
+        return { memoryKind: "session" };
+    }
+    if (kind === "persistent_memory") {
+        return { memoryKind: "persistent" };
+    }
+    const kinds = Array.isArray(detail?.["kinds"])
+        ? detail["kinds"].filter((entry) => typeof entry === "string")
+        : [];
+    if (kinds.length === 1 && kinds[0] === "session_memory") {
+        return { memoryKind: "session" };
+    }
+    if (kinds.length === 1 && kinds[0] === "persistent_memory") {
+        return { memoryKind: "persistent" };
+    }
+    return undefined;
+}
+function deriveApprovalAttributes(detail) {
+    const pendingApproval = readRecord(detail, "pendingApproval");
+    const directKind = readString(detail, "kind");
+    const nestedKind = readString(pendingApproval, "kind");
+    const approvalKind = directKind === "tool" || directKind === "task"
+        ? directKind
+        : nestedKind === "tool" || nestedKind === "task"
+            ? nestedKind
+            : undefined;
+    return approvalKind ? { approvalKind } : undefined;
+}
+function buildScope(request) {
+    if (request.action.endsWith(":list")) {
+        return request.runId ? { runId: request.runId } : undefined;
+    }
+    const detail = request.detail;
+    const pendingApproval = readRecord(detail, "pendingApproval");
+    const pendingToolCall = readRecord(detail, "pendingToolCall");
+    const scope = {};
+    if (request.runId) {
+        scope.runId = request.runId;
+    }
+    const scopedFields = [
+        ["approvalId", readString(detail, "approvalId") ?? readString(pendingApproval, "id")],
+        ["artifactId", readString(detail, "artifactId")],
+        ["memoryId", readString(detail, "memoryId")],
+        ["summaryId", readString(detail, "summaryId")],
+        ["taskId", readString(detail, "taskId")],
+        [
+            "tool",
+            readString(detail, "tool") ??
+                readString(pendingApproval, "tool") ??
+                readString(pendingToolCall, "tool"),
+        ],
+    ];
+    for (const [key, value] of scopedFields) {
+        if (value) {
+            scope[key] = value;
+        }
+    }
+    return Object.keys(scope).length > 0 ? scope : undefined;
+}
+export function toRuntimeGrantRequest(request) {
+    const detail = request.detail;
+    const attributes = {
+        ...(request.action.startsWith("memory:") ? deriveMemoryAttributes(detail) ?? {} : {}),
+        ...(request.action.startsWith("approval:") ? deriveApprovalAttributes(detail) ?? {} : {}),
+    };
+    const scope = buildScope(request);
+    return {
+        action: request.action,
+        ...(scope ? { scope } : {}),
+        ...(Object.keys(attributes).length > 0 ? { attributes } : {}),
+    };
+}
+export function createHarnessGrantAuthorizer(supplier) {
+    const runtimeAuthorizer = createRuntimeGrantAuthorizer(supplier);
+    return async (request) => runtimeAuthorizer(toRuntimeGrantRequest(request));
+}
+//# sourceMappingURL=harness-authorizer.js.map

package/dist/harness-authorizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"harness-authorizer.js","sourceRoot":"","sources":["../src/harness-authorizer.ts"],"names":[],"mappings":"AACA,OAAO,EACL,4BAA4B,GAG7B,MAAM,yBAAyB,CAAC;AAQjC,SAAS,UAAU,CACjB,MAA2C,EAC3C,GAAW;IAEX,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAClF,CAAC;AAED,SAAS,UAAU,CACjB,MAA2C,EAC3C,GAAW;IAEX,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,KAAK,IAAI,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACxE,CAAC,CAAE,KAAiC;QACpC,CAAC,CAAC,SAAS,CAAC;AAChB,CAAC;AAED,SAAS,sBAAsB,CAC7B,MAA2C;IAE3C,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,IAAI,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAC9B,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACjC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;IACtC,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,CAAC;QAC5C,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC;QAC/E,CAAC,CAAC,EAAE,CAAC;IACP,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,gBAAgB,EAAE,CAAC;QACxD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,mBAAmB,EAAE,CAAC;QAC3D,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;IACtC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,wBAAwB,CAC/B,MAA2C;IAE3C,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C,MAAM,UAAU,GAAG,UAAU,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IACvD,MAAM,YAAY,GAChB,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,MAAM;QAC5C,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,MAAM;YAC9C,CAAC,CAAC,UAAU;YACZ,CAAC,CAAC,SAAS,CAAC;IAElB,OAAO,YAAY,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACrD,CAAC;AAED,SAAS,UAAU,CACjB,OAAyC;IAEzC,IAAI,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9D,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC9B,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAC9D,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAC9D,MAAM,KAAK,GAA2B,EAAE,CAAC;IAEzC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,KAAK,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC9B,CAAC;IAED,MAAM,YAAY,GAAwC;QACxD,CAAC,YAAY,EAAE,UAAU,CAAC,MAAM,EAAE,YAAY,CAAC,IAAI,UAAU,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;QACrF,CAAC,YAAY,EAAE,UAAU,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QAChD,CAAC,UAAU,EAAE,UAAU,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAC5C,CAAC,WAAW,EAAE,UAAU,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAC9C,CAAC,QAAQ,EAAE,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACxC;YACE,MAAM;YACN,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC;gBACxB,UAAU,CAAC,eAAe,EAAE,MAAM,CAAC;gBACnC,UAAU,CAAC,eAAe,EAAE,MAAM,CAAC;SACtC;KACF,CAAC;IAEF,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACrB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,OAAyC;IAEzC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC9B,MAAM,UAAU,GAAG;QACjB,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,sBAAsB,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACrF,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,wBAAwB,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1F,CAAC;IACF,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAElC,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC9D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,QAA8B;IACzE,MAAM,iBAAiB,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAC;IAEjE,OAAO,KAAK,EACV,OAAyC,EACC,EAAE,CAC5C,iBAAiB,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,CAAC;AACtD,CAAC"}

package/dist/index.d.ts

@@ -1,6 +1,18 @@
 export { signSession, verifySession } from "./session.js";
 export { generateApiKey, verifyApiKey, extractApiKeyPrefix, } from "./api-key.js";
 export { createAuthMiddleware } from "./middleware.js";
-export { checkPermission, derivePermission } from "./permissions.js";
-export type { AuthConfig, SessionPayload, AgentCredential, AuthContext, AuthResolverDeps, } from "./types.js";
+export { authorizeGrant, checkGrant, checkPermission, derivePermission, normalizePermissionsToGrants, serializeGrantsToPermissions, } from "./permissions.js";
+export { createExecutionIdentity, createRequestExecution, createDelegationLink, } from "./execution.js";
+export { createGrant, grantRunActions, grantRunCollectionActions, grantApprovalActions, grantApprovalCollectionActions, grantEventActions, grantEventCollectionActions, grantArtifactActions, grantCheckpointActions, grantTaskActions, grantSummaryActions, grantSummaryCollectionActions, grantMemoryActions, grantContextActions, grantRuntimePathsActions, } from "./runtime-grants.js";
+export { deriveRuntimeGrantRequirements, authorizeRuntimeAction, createRuntimeGrantAuthorizer, } from "./runtime-authorizer.js";
+export { createHarnessGrantAuthorizer, toRuntimeGrantRequest, } from "./harness-authorizer.js";
+export { validateDpopProof, clearDpopReplayCache, setDpopReplayStore } from "./dpop.js";
+export { extractWorkloadIdentity, isValidSpiffeId } from "./workload.js";
+export { googleProvider, githubProvider, createOAuthHandlers, } from "./oauth.js";
+export type { DpopValidationResult } from "./dpop.js";
+export type { WorkloadIdentity } from "./workload.js";
+export type { OAuthProvider, OAuthConfig, OAuthHandlers } from "./oauth.js";
+export type { ActorIdentity, AuthConfig, SessionPayload, SessionSigningOptions, SessionVerificationOptions, AgentCredential, AuthEnvelope, AuthGrant, AuthGrantRequirement, AuthContext, AuthResolverDeps, CredentialProof, DelegationLink, ExecutionIdentity, } from "./types.js";
+export type { RuntimeGrantAuthorizerRequest, RuntimeGrantAuthorizationResult, RuntimeGrantSupplier, } from "./runtime-authorizer.js";
+export type { HarnessGrantAuthorizationRequest } from "./harness-authorizer.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EACL,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,YAAY,EACV,UAAU,EACV,cAAc,EACd,eAAe,EACf,WAAW,EACX,gBAAgB,GACjB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EACL,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,cAAc,EACd,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,4BAA4B,GAC7B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,WAAW,EACX,eAAe,EACf,yBAAyB,EACzB,oBAAoB,EACpB,8BAA8B,EAC9B,iBAAiB,EACjB,2BAA2B,EAC3B,oBAAoB,EACpB,sBAAsB,EACtB,gBAAgB,EAChB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,EAClB,mBAAmB,EACnB,wBAAwB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,8BAA8B,EAC9B,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,GACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACxF,OAAO,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EACL,cAAc,EACd,cAAc,EACd,mBAAmB,GACpB,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACtD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC5E,YAAY,EACV,aAAa,EACb,UAAU,EACV,cAAc,EACd,qBAAqB,EACrB,0BAA0B,EAC1B,eAAe,EACf,YAAY,EACZ,SAAS,EACT,oBAAoB,EACpB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,6BAA6B,EAC7B,+BAA+B,EAC/B,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,gCAAgC,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/index.js

@@ -1,5 +1,12 @@
 export { signSession, verifySession } from "./session.js";
 export { generateApiKey, verifyApiKey, extractApiKeyPrefix, } from "./api-key.js";
 export { createAuthMiddleware } from "./middleware.js";
-export { checkPermission, derivePermission } from "./permissions.js";
+export { authorizeGrant, checkGrant, checkPermission, derivePermission, normalizePermissionsToGrants, serializeGrantsToPermissions, } from "./permissions.js";
+export { createExecutionIdentity, createRequestExecution, createDelegationLink, } from "./execution.js";
+export { createGrant, grantRunActions, grantRunCollectionActions, grantApprovalActions, grantApprovalCollectionActions, grantEventActions, grantEventCollectionActions, grantArtifactActions, grantCheckpointActions, grantTaskActions, grantSummaryActions, grantSummaryCollectionActions, grantMemoryActions, grantContextActions, grantRuntimePathsActions, } from "./runtime-grants.js";
+export { deriveRuntimeGrantRequirements, authorizeRuntimeAction, createRuntimeGrantAuthorizer, } from "./runtime-authorizer.js";
+export { createHarnessGrantAuthorizer, toRuntimeGrantRequest, } from "./harness-authorizer.js";
+export { validateDpopProof, clearDpopReplayCache, setDpopReplayStore } from "./dpop.js";
+export { extractWorkloadIdentity, isValidSpiffeId } from "./workload.js";
+export { googleProvider, githubProvider, createOAuthHandlers, } from "./oauth.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EACL,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EACL,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,cAAc,EACd,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,4BAA4B,GAC7B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,WAAW,EACX,eAAe,EACf,yBAAyB,EACzB,oBAAoB,EACpB,8BAA8B,EAC9B,iBAAiB,EACjB,2BAA2B,EAC3B,oBAAoB,EACpB,sBAAsB,EACtB,gBAAgB,EAChB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,EAClB,mBAAmB,EACnB,wBAAwB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,8BAA8B,EAC9B,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,GACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACxF,OAAO,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EACL,cAAc,EACd,cAAc,EACd,mBAAmB,GACpB,MAAM,YAAY,CAAC"}

package/dist/middleware.d.ts

@@ -4,11 +4,14 @@ import type { AuthConfig, AuthContext, AuthResolverDeps } from "./types.js";
  * incoming `Request`.
  *
  * Resolution order:
- * 1. Session cookie (`capstan_session`) — verifies JWT, returns human context.
- * 2. `Authorization: Bearer <token>` header — if the token matches the
+ * 1. Client certificate / workload identity (`X-Client-Cert` or
+ *    `X-Forwarded-Client-Cert` header) — extracts SPIFFE ID, validates
+ *    trust domain, returns workload context.
+ * 2. Session cookie (`capstan_session`) — verifies JWT, returns human context.
+ * 3. `Authorization: Bearer <token>` header — if the token matches the
  *    configured API key prefix, looks up the agent credential and verifies
  *    the key hash.
- * 3. Falls back to `{ type: "anonymous", isAuthenticated: false }`.
+ * 4. Falls back to `{ type: "anonymous", isAuthenticated: false }`.
  */
 export declare function createAuthMiddleware(config: AuthConfig, deps: AuthResolverDeps): (request: Request) => Promise<AuthContext>;
 //# sourceMappingURL=middleware.d.ts.map

package/dist/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,UAAU,EACV,WAAW,EACX,gBAAgB,EACjB,MAAM,YAAY,CAAC;AA2BpB;;;;;;;;;;GAUG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE,gBAAgB,GACrB,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,CAAC,CAuD5C"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,UAAU,EACV,WAAW,EAGX,gBAAgB,EAEjB,MAAM,YAAY,CAAC;AA6CpB;;;;;;;;;;;;;GAaG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE,gBAAgB,GACrB,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,CAAC,CAiP5C"}