a2a-mesh 1.0.0

package/dist/middleware/index.cjs

@@ -0,0 +1,9 @@
+'use strict';
+
+const middleware_index = require('../shared/a2a-mesh.B8CFEj_l.cjs');
+
+
+
+exports.InMemoryRateLimitStore = middleware_index.InMemoryRateLimitStore;
+exports.RedisRateLimitStore = middleware_index.RedisRateLimitStore;
+exports.createRateLimiter = middleware_index.createRateLimiter;

package/dist/middleware/index.d.cts

@@ -0,0 +1,46 @@
+import { Request, Response, NextFunction } from 'express';
+
+/**
+ * @file rateLimiter.ts
+ * Express middleware for per-client request throttling.
+ */
+
+interface RateLimitConfig {
+    windowMs: number;
+    maxRequests: number;
+    keyGenerator?: (req: Request) => string;
+}
+interface RateLimitState {
+    count: number;
+    resetTime: number;
+}
+interface RateLimitStore {
+    increment(key: string, windowMs: number): Promise<RateLimitState>;
+}
+declare class InMemoryRateLimitStore implements RateLimitStore {
+    private readonly state;
+    increment(key: string, windowMs: number): Promise<RateLimitState>;
+}
+interface RedisRateLimitClient {
+    get(key: string): Promise<string | null>;
+    incr(key: string): Promise<number>;
+    pexpire(key: string, ttl: number): Promise<number>;
+    pttl(key: string): Promise<number>;
+}
+declare class RedisRateLimitStore implements RateLimitStore {
+    private readonly client;
+    constructor(client: RedisRateLimitClient);
+    increment(key: string, windowMs: number): Promise<RateLimitState>;
+}
+/**
+ * Create an Express middleware that enforces per-client request limits and emits JSON-RPC errors.
+ *
+ * @param config Partial limiter configuration.
+ * @param store Optional backing store implementation.
+ * @returns Express-compatible async middleware.
+ * @since 1.0.0
+ */
+declare function createRateLimiter(config?: Partial<RateLimitConfig>, store?: RateLimitStore): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+export { InMemoryRateLimitStore, RedisRateLimitStore, createRateLimiter };
+export type { RateLimitConfig, RateLimitState, RateLimitStore, RedisRateLimitClient };

package/dist/middleware/index.d.mts

@@ -0,0 +1,46 @@
+import { Request, Response, NextFunction } from 'express';
+
+/**
+ * @file rateLimiter.ts
+ * Express middleware for per-client request throttling.
+ */
+
+interface RateLimitConfig {
+    windowMs: number;
+    maxRequests: number;
+    keyGenerator?: (req: Request) => string;
+}
+interface RateLimitState {
+    count: number;
+    resetTime: number;
+}
+interface RateLimitStore {
+    increment(key: string, windowMs: number): Promise<RateLimitState>;
+}
+declare class InMemoryRateLimitStore implements RateLimitStore {
+    private readonly state;
+    increment(key: string, windowMs: number): Promise<RateLimitState>;
+}
+interface RedisRateLimitClient {
+    get(key: string): Promise<string | null>;
+    incr(key: string): Promise<number>;
+    pexpire(key: string, ttl: number): Promise<number>;
+    pttl(key: string): Promise<number>;
+}
+declare class RedisRateLimitStore implements RateLimitStore {
+    private readonly client;
+    constructor(client: RedisRateLimitClient);
+    increment(key: string, windowMs: number): Promise<RateLimitState>;
+}
+/**
+ * Create an Express middleware that enforces per-client request limits and emits JSON-RPC errors.
+ *
+ * @param config Partial limiter configuration.
+ * @param store Optional backing store implementation.
+ * @returns Express-compatible async middleware.
+ * @since 1.0.0
+ */
+declare function createRateLimiter(config?: Partial<RateLimitConfig>, store?: RateLimitStore): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+export { InMemoryRateLimitStore, RedisRateLimitStore, createRateLimiter };
+export type { RateLimitConfig, RateLimitState, RateLimitStore, RedisRateLimitClient };

package/dist/middleware/index.d.ts

@@ -0,0 +1,46 @@
+import { Request, Response, NextFunction } from 'express';
+
+/**
+ * @file rateLimiter.ts
+ * Express middleware for per-client request throttling.
+ */
+
+interface RateLimitConfig {
+    windowMs: number;
+    maxRequests: number;
+    keyGenerator?: (req: Request) => string;
+}
+interface RateLimitState {
+    count: number;
+    resetTime: number;
+}
+interface RateLimitStore {
+    increment(key: string, windowMs: number): Promise<RateLimitState>;
+}
+declare class InMemoryRateLimitStore implements RateLimitStore {
+    private readonly state;
+    increment(key: string, windowMs: number): Promise<RateLimitState>;
+}
+interface RedisRateLimitClient {
+    get(key: string): Promise<string | null>;
+    incr(key: string): Promise<number>;
+    pexpire(key: string, ttl: number): Promise<number>;
+    pttl(key: string): Promise<number>;
+}
+declare class RedisRateLimitStore implements RateLimitStore {
+    private readonly client;
+    constructor(client: RedisRateLimitClient);
+    increment(key: string, windowMs: number): Promise<RateLimitState>;
+}
+/**
+ * Create an Express middleware that enforces per-client request limits and emits JSON-RPC errors.
+ *
+ * @param config Partial limiter configuration.
+ * @param store Optional backing store implementation.
+ * @returns Express-compatible async middleware.
+ * @since 1.0.0
+ */
+declare function createRateLimiter(config?: Partial<RateLimitConfig>, store?: RateLimitStore): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+export { InMemoryRateLimitStore, RedisRateLimitStore, createRateLimiter };
+export type { RateLimitConfig, RateLimitState, RateLimitStore, RedisRateLimitClient };

package/dist/middleware/index.mjs

@@ -0,0 +1 @@
+export { I as InMemoryRateLimitStore, R as RedisRateLimitStore, c as createRateLimiter } from '../shared/a2a-mesh.CpP0sKxA.mjs';

package/dist/shared/a2a-mesh.B8CFEj_l.cjs

@@ -0,0 +1,101 @@
+'use strict';
+
+const ErrorCodes = {
+  ParseError: -32700,
+  InvalidRequest: -32600,
+  MethodNotFound: -32601,
+  InvalidParams: -32602,
+  InternalError: -32603,
+  TaskNotFound: -32004,
+  PushNotificationNotSupported: -32010,
+  UnsupportedOperation: -32011,
+  RateLimitExceeded: -32029,
+  Unauthorized: -32040,
+  ExtensionRequired: -32041
+};
+class JsonRpcError extends Error {
+  code;
+  data;
+  constructor(code, message, data) {
+    super(message);
+    this.code = code;
+    this.data = data;
+  }
+}
+
+class InMemoryRateLimitStore {
+  state = /* @__PURE__ */ new Map();
+  async increment(key, windowMs) {
+    const now = Date.now();
+    const current = this.state.get(key);
+    if (!current || current.resetTime <= now) {
+      const nextState2 = { count: 1, resetTime: now + windowMs };
+      this.state.set(key, nextState2);
+      return nextState2;
+    }
+    const nextState = { ...current, count: current.count + 1 };
+    this.state.set(key, nextState);
+    return nextState;
+  }
+}
+class RedisRateLimitStore {
+  constructor(client) {
+    this.client = client;
+  }
+  async increment(key, windowMs) {
+    const current = await this.client.get(key);
+    if (current === null) {
+      await this.client.incr(key);
+      await this.client.pexpire(key, windowMs);
+      return {
+        count: 1,
+        resetTime: Date.now() + windowMs
+      };
+    }
+    const count = await this.client.incr(key);
+    const ttl = await this.client.pttl(key);
+    return {
+      count,
+      resetTime: Date.now() + Math.max(ttl, 0)
+    };
+  }
+}
+function getClientIp(req) {
+  const forwarded = req.headers["x-forwarded-for"];
+  if (typeof forwarded === "string" && forwarded.length > 0) {
+    return forwarded.split(",")[0]?.trim() ?? "unknown";
+  }
+  return req.ip || req.socket.remoteAddress || "unknown";
+}
+function createRateLimiter(config = {}, store = new InMemoryRateLimitStore()) {
+  const windowMs = config.windowMs ?? 6e4;
+  const maxRequests = config.maxRequests ?? 100;
+  const keyGenerator = config.keyGenerator ?? getClientIp;
+  return async (req, res, next) => {
+    const key = keyGenerator(req);
+    const state = await store.increment(key, windowMs);
+    const remaining = Math.max(maxRequests - state.count, 0);
+    res.setHeader("X-RateLimit-Limit", String(maxRequests));
+    res.setHeader("X-RateLimit-Remaining", String(remaining));
+    res.setHeader("X-RateLimit-Reset", String(Math.floor(state.resetTime / 1e3)));
+    if (state.count > maxRequests) {
+      res.status(429).json({
+        jsonrpc: "2.0",
+        error: {
+          code: ErrorCodes.RateLimitExceeded,
+          message: "Too Many Requests",
+          data: { retryAfterMs: Math.max(state.resetTime - Date.now(), 0) }
+        },
+        id: req.body && typeof req.body === "object" && "id" in req.body ? req.body.id : null
+      });
+      return;
+    }
+    next();
+  };
+}
+
+exports.ErrorCodes = ErrorCodes;
+exports.InMemoryRateLimitStore = InMemoryRateLimitStore;
+exports.JsonRpcError = JsonRpcError;
+exports.RedisRateLimitStore = RedisRateLimitStore;
+exports.createRateLimiter = createRateLimiter;

package/dist/shared/a2a-mesh.CDuHtAfx.d.cts

@@ -0,0 +1,70 @@
+import { Request, Response, NextFunction } from 'express';
+
+/**
+ * @file auth.ts
+ * Authentication and authorization related types.
+ */
+interface BaseAuthScheme {
+    id: string;
+    description?: string;
+}
+interface ApiKeyAuthScheme extends BaseAuthScheme {
+    type: 'apiKey';
+    in: 'header' | 'query';
+    name: string;
+}
+interface HttpAuthScheme extends BaseAuthScheme {
+    type: 'http';
+    scheme: 'bearer';
+    bearerFormat?: string;
+}
+interface OpenIdConnectAuthScheme extends BaseAuthScheme {
+    type: 'openIdConnect';
+    openIdConnectUrl: string;
+    audience?: string | string[];
+    issuer?: string;
+    jwksUri?: string;
+    algorithms?: string[];
+}
+type AuthScheme = ApiKeyAuthScheme | HttpAuthScheme | OpenIdConnectAuthScheme;
+interface ApiKeyCredentialSource {
+    [schemeId: string]: string | string[];
+}
+interface AuthValidationResult {
+    schemeId: string;
+    subject?: string;
+    claims?: Record<string, unknown>;
+}
+
+/**
+ * @file JwtAuthMiddleware.ts
+ * Authentication middleware backed by OIDC discovery, JWKS and API keys.
+ */
+
+interface JwtAuthMiddlewareOptions {
+    securitySchemes: AuthScheme[];
+    security?: Record<string, string[]>[];
+    apiKeys?: ApiKeyCredentialSource;
+}
+/**
+ * Authentication middleware that evaluates A2A security schemes against incoming requests.
+ *
+ * Supports API keys, HTTP bearer tokens, and OIDC discovery with JWKS validation.
+ *
+ * @since 1.0.0
+ */
+declare class JwtAuthMiddleware {
+    private readonly options;
+    private readonly remoteSets;
+    constructor(options: JwtAuthMiddlewareOptions);
+    authenticateRequest(req: Request): Promise<AuthValidationResult>;
+    middleware(): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+    private validateApiKey;
+    private validateOidcToken;
+    private validateBearerToken;
+    private readBearerToken;
+    private decodeJwtWithoutValidation;
+}
+
+export { JwtAuthMiddleware as J };
+export type { AuthScheme as A, BaseAuthScheme as B, HttpAuthScheme as H, OpenIdConnectAuthScheme as O, JwtAuthMiddlewareOptions as a, ApiKeyAuthScheme as b, ApiKeyCredentialSource as c, AuthValidationResult as d };

package/dist/shared/a2a-mesh.CDuHtAfx.d.mts

@@ -0,0 +1,70 @@
+import { Request, Response, NextFunction } from 'express';
+
+/**
+ * @file auth.ts
+ * Authentication and authorization related types.
+ */
+interface BaseAuthScheme {
+    id: string;
+    description?: string;
+}
+interface ApiKeyAuthScheme extends BaseAuthScheme {
+    type: 'apiKey';
+    in: 'header' | 'query';
+    name: string;
+}
+interface HttpAuthScheme extends BaseAuthScheme {
+    type: 'http';
+    scheme: 'bearer';
+    bearerFormat?: string;
+}
+interface OpenIdConnectAuthScheme extends BaseAuthScheme {
+    type: 'openIdConnect';
+    openIdConnectUrl: string;
+    audience?: string | string[];
+    issuer?: string;
+    jwksUri?: string;
+    algorithms?: string[];
+}
+type AuthScheme = ApiKeyAuthScheme | HttpAuthScheme | OpenIdConnectAuthScheme;
+interface ApiKeyCredentialSource {
+    [schemeId: string]: string | string[];
+}
+interface AuthValidationResult {
+    schemeId: string;
+    subject?: string;
+    claims?: Record<string, unknown>;
+}
+
+/**
+ * @file JwtAuthMiddleware.ts
+ * Authentication middleware backed by OIDC discovery, JWKS and API keys.
+ */
+
+interface JwtAuthMiddlewareOptions {
+    securitySchemes: AuthScheme[];
+    security?: Record<string, string[]>[];
+    apiKeys?: ApiKeyCredentialSource;
+}
+/**
+ * Authentication middleware that evaluates A2A security schemes against incoming requests.
+ *
+ * Supports API keys, HTTP bearer tokens, and OIDC discovery with JWKS validation.
+ *
+ * @since 1.0.0
+ */
+declare class JwtAuthMiddleware {
+    private readonly options;
+    private readonly remoteSets;
+    constructor(options: JwtAuthMiddlewareOptions);
+    authenticateRequest(req: Request): Promise<AuthValidationResult>;
+    middleware(): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+    private validateApiKey;
+    private validateOidcToken;
+    private validateBearerToken;
+    private readBearerToken;
+    private decodeJwtWithoutValidation;
+}
+
+export { JwtAuthMiddleware as J };
+export type { AuthScheme as A, BaseAuthScheme as B, HttpAuthScheme as H, OpenIdConnectAuthScheme as O, JwtAuthMiddlewareOptions as a, ApiKeyAuthScheme as b, ApiKeyCredentialSource as c, AuthValidationResult as d };

package/dist/shared/a2a-mesh.CDuHtAfx.d.ts

@@ -0,0 +1,70 @@
+import { Request, Response, NextFunction } from 'express';
+
+/**
+ * @file auth.ts
+ * Authentication and authorization related types.
+ */
+interface BaseAuthScheme {
+    id: string;
+    description?: string;
+}
+interface ApiKeyAuthScheme extends BaseAuthScheme {
+    type: 'apiKey';
+    in: 'header' | 'query';
+    name: string;
+}
+interface HttpAuthScheme extends BaseAuthScheme {
+    type: 'http';
+    scheme: 'bearer';
+    bearerFormat?: string;
+}
+interface OpenIdConnectAuthScheme extends BaseAuthScheme {
+    type: 'openIdConnect';
+    openIdConnectUrl: string;
+    audience?: string | string[];
+    issuer?: string;
+    jwksUri?: string;
+    algorithms?: string[];
+}
+type AuthScheme = ApiKeyAuthScheme | HttpAuthScheme | OpenIdConnectAuthScheme;
+interface ApiKeyCredentialSource {
+    [schemeId: string]: string | string[];
+}
+interface AuthValidationResult {
+    schemeId: string;
+    subject?: string;
+    claims?: Record<string, unknown>;
+}
+
+/**
+ * @file JwtAuthMiddleware.ts
+ * Authentication middleware backed by OIDC discovery, JWKS and API keys.
+ */
+
+interface JwtAuthMiddlewareOptions {
+    securitySchemes: AuthScheme[];
+    security?: Record<string, string[]>[];
+    apiKeys?: ApiKeyCredentialSource;
+}
+/**
+ * Authentication middleware that evaluates A2A security schemes against incoming requests.
+ *
+ * Supports API keys, HTTP bearer tokens, and OIDC discovery with JWKS validation.
+ *
+ * @since 1.0.0
+ */
+declare class JwtAuthMiddleware {
+    private readonly options;
+    private readonly remoteSets;
+    constructor(options: JwtAuthMiddlewareOptions);
+    authenticateRequest(req: Request): Promise<AuthValidationResult>;
+    middleware(): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+    private validateApiKey;
+    private validateOidcToken;
+    private validateBearerToken;
+    private readBearerToken;
+    private decodeJwtWithoutValidation;
+}
+
+export { JwtAuthMiddleware as J };
+export type { AuthScheme as A, BaseAuthScheme as B, HttpAuthScheme as H, OpenIdConnectAuthScheme as O, JwtAuthMiddlewareOptions as a, ApiKeyAuthScheme as b, ApiKeyCredentialSource as c, AuthValidationResult as d };

package/dist/shared/a2a-mesh.CpP0sKxA.mjs

@@ -0,0 +1,95 @@
+const ErrorCodes = {
+  ParseError: -32700,
+  InvalidRequest: -32600,
+  MethodNotFound: -32601,
+  InvalidParams: -32602,
+  InternalError: -32603,
+  TaskNotFound: -32004,
+  PushNotificationNotSupported: -32010,
+  UnsupportedOperation: -32011,
+  RateLimitExceeded: -32029,
+  Unauthorized: -32040,
+  ExtensionRequired: -32041
+};
+class JsonRpcError extends Error {
+  code;
+  data;
+  constructor(code, message, data) {
+    super(message);
+    this.code = code;
+    this.data = data;
+  }
+}
+
+class InMemoryRateLimitStore {
+  state = /* @__PURE__ */ new Map();
+  async increment(key, windowMs) {
+    const now = Date.now();
+    const current = this.state.get(key);
+    if (!current || current.resetTime <= now) {
+      const nextState2 = { count: 1, resetTime: now + windowMs };
+      this.state.set(key, nextState2);
+      return nextState2;
+    }
+    const nextState = { ...current, count: current.count + 1 };
+    this.state.set(key, nextState);
+    return nextState;
+  }
+}
+class RedisRateLimitStore {
+  constructor(client) {
+    this.client = client;
+  }
+  async increment(key, windowMs) {
+    const current = await this.client.get(key);
+    if (current === null) {
+      await this.client.incr(key);
+      await this.client.pexpire(key, windowMs);
+      return {
+        count: 1,
+        resetTime: Date.now() + windowMs
+      };
+    }
+    const count = await this.client.incr(key);
+    const ttl = await this.client.pttl(key);
+    return {
+      count,
+      resetTime: Date.now() + Math.max(ttl, 0)
+    };
+  }
+}
+function getClientIp(req) {
+  const forwarded = req.headers["x-forwarded-for"];
+  if (typeof forwarded === "string" && forwarded.length > 0) {
+    return forwarded.split(",")[0]?.trim() ?? "unknown";
+  }
+  return req.ip || req.socket.remoteAddress || "unknown";
+}
+function createRateLimiter(config = {}, store = new InMemoryRateLimitStore()) {
+  const windowMs = config.windowMs ?? 6e4;
+  const maxRequests = config.maxRequests ?? 100;
+  const keyGenerator = config.keyGenerator ?? getClientIp;
+  return async (req, res, next) => {
+    const key = keyGenerator(req);
+    const state = await store.increment(key, windowMs);
+    const remaining = Math.max(maxRequests - state.count, 0);
+    res.setHeader("X-RateLimit-Limit", String(maxRequests));
+    res.setHeader("X-RateLimit-Remaining", String(remaining));
+    res.setHeader("X-RateLimit-Reset", String(Math.floor(state.resetTime / 1e3)));
+    if (state.count > maxRequests) {
+      res.status(429).json({
+        jsonrpc: "2.0",
+        error: {
+          code: ErrorCodes.RateLimitExceeded,
+          message: "Too Many Requests",
+          data: { retryAfterMs: Math.max(state.resetTime - Date.now(), 0) }
+        },
+        id: req.body && typeof req.body === "object" && "id" in req.body ? req.body.id : null
+      });
+      return;
+    }
+    next();
+  };
+}
+
+export { ErrorCodes as E, InMemoryRateLimitStore as I, JsonRpcError as J, RedisRateLimitStore as R, createRateLimiter as c };

package/dist/shared/a2a-mesh.DMPwsFk8.cjs

@@ -0,0 +1,121 @@
+'use strict';
+
+const jose = require('jose');
+
+class JwtAuthMiddleware {
+  constructor(options) {
+    this.options = options;
+  }
+  remoteSets = /* @__PURE__ */ new Map();
+  async authenticateRequest(req) {
+    const securityRequirements = this.options.security && this.options.security.length > 0 ? this.options.security : [Object.fromEntries(this.options.securitySchemes.map((scheme) => [scheme.id, []]))];
+    let lastError;
+    for (const requirement of securityRequirements) {
+      try {
+        for (const schemeId of Object.keys(requirement)) {
+          const scheme = this.options.securitySchemes.find((item) => item.id === schemeId);
+          if (!scheme) {
+            throw new Error(`Unknown security scheme: ${schemeId}`);
+          }
+          if (scheme.type === "apiKey") {
+            return this.validateApiKey(req, scheme);
+          }
+          if (scheme.type === "http") {
+            return this.validateBearerToken(req);
+          }
+          if (scheme.type === "openIdConnect") {
+            return this.validateOidcToken(req, scheme);
+          }
+        }
+      } catch (error) {
+        lastError = error instanceof Error ? error : new Error(String(error));
+      }
+    }
+    throw lastError ?? new Error("Authentication failed");
+  }
+  middleware() {
+    return async (req, res, next) => {
+      try {
+        const authResult = await this.authenticateRequest(req);
+        Object.assign(req, { auth: authResult });
+        next();
+      } catch (error) {
+        res.status(401).json({
+          jsonrpc: "2.0",
+          error: {
+            code: -32040,
+            message: "Unauthorized",
+            data: { reason: String(error) }
+          },
+          id: req.body && typeof req.body === "object" && "id" in req.body ? req.body.id : null
+        });
+      }
+    };
+  }
+  validateApiKey(req, scheme) {
+    const expected = this.options.apiKeys?.[scheme.id];
+    const validValues = Array.isArray(expected) ? expected : expected ? [expected] : [];
+    if (validValues.length === 0) {
+      throw new Error(`No API key configured for scheme ${scheme.id}`);
+    }
+    const incoming = scheme.in === "header" ? req.header(scheme.name) : typeof req.query[scheme.name] === "string" ? req.query[scheme.name] : void 0;
+    if (typeof incoming !== "string" || !validValues.includes(incoming)) {
+      throw new Error("Invalid API key");
+    }
+    return { schemeId: scheme.id };
+  }
+  async validateOidcToken(req, scheme) {
+    const token = this.readBearerToken(req);
+    const discoveryResponse = await fetch(scheme.openIdConnectUrl);
+    if (!discoveryResponse.ok) {
+      throw new Error(`Failed to fetch OIDC configuration: ${discoveryResponse.status}`);
+    }
+    const discovery = await discoveryResponse.json();
+    const jwksUri = scheme.jwksUri ?? discovery.jwks_uri;
+    if (!jwksUri) {
+      throw new Error("OIDC configuration is missing jwks_uri");
+    }
+    let remoteSet = this.remoteSets.get(jwksUri);
+    if (!remoteSet) {
+      remoteSet = jose.createRemoteJWKSet(new URL(jwksUri));
+      this.remoteSets.set(jwksUri, remoteSet);
+    }
+    const verifyOptions = {
+      ...scheme.audience ? { audience: scheme.audience } : {},
+      ...scheme.issuer ?? discovery.issuer ? { issuer: scheme.issuer ?? discovery.issuer } : {},
+      algorithms: scheme.algorithms ?? ["RS256", "ES256"]
+    };
+    const { payload } = await jose.jwtVerify(token, remoteSet, verifyOptions);
+    return {
+      schemeId: scheme.id,
+      ...payload.sub ? { subject: payload.sub } : {},
+      claims: payload
+    };
+  }
+  async validateBearerToken(req) {
+    const token = this.readBearerToken(req);
+    const payload = this.decodeJwtWithoutValidation(token);
+    return {
+      schemeId: "bearer",
+      ...payload.sub ? { subject: payload.sub } : {},
+      claims: payload
+    };
+  }
+  readBearerToken(req) {
+    const header = req.header("authorization");
+    if (!header || !header.toLowerCase().startsWith("bearer ")) {
+      throw new Error("Missing bearer token");
+    }
+    return header.slice("bearer ".length).trim();
+  }
+  decodeJwtWithoutValidation(token) {
+    const parts = token.split(".");
+    if (parts.length < 2) {
+      throw new Error("Invalid JWT");
+    }
+    const payloadJson = Buffer.from(parts[1] ?? "", "base64url").toString("utf8");
+    return JSON.parse(payloadJson);
+  }
+}
+
+exports.JwtAuthMiddleware = JwtAuthMiddleware;