khotan-data 0.1.1 → 0.2.0

package/README.md

@@ -53,6 +53,11 @@ import { shopifyProductsSnapshotCache } from "@/lib/khotan/caches/shopify-produc
 
 const khotanData = khotan({
   adapter: drizzleAdapter(db),
+  // Gate the management API behind your auth layer (see "Security" below).
+  authorize: async (request) => {
+    const session = await auth.api.getSession({ headers: request.headers });
+    return Boolean(session?.user);
+  },
   resources: [
     { name: "products", mapping: { connectField: "sku" } },
   ],
@@ -79,6 +84,30 @@ await khotanData.flow("products-inflow", { plugName: "shopify" }).start({
 });
 ```
 
+## Security
+
+The management API (`/api/khotan/*`) exposes plug credentials and operational
+controls. It is **public unless you gate it**. Pass an `authorize` hook — it
+receives the raw `Request` and returns `true`/`false`, so it composes directly
+with session libraries like better-auth:
+
+```typescript
+authorize: async (request) => {
+  const session = await auth.api.getSession({ headers: request.headers });
+  return session?.user?.role === "admin";
+},
+```
+
+- `KHOTAN_SECRET` encrypts plug credentials **at rest** (AES-256-GCM). It is not
+  an auth credential — it never gates requests. Set it to a high-entropy value.
+- Inbound webhooks (verified via per-plug `onVerify`), the cron dispatcher
+  (`CRON_SECRET`), and debug routes (`KHOTAN_DEBUG`, non-production only) are
+  exempt from `authorize` automatically.
+- `KHOTAN_DEBUG` is force-disabled when `NODE_ENV=production`. The cron route
+  fails closed in production when `CRON_SECRET` is unset.
+- Protect the Hub dashboard page (e.g. `/config`) with your app's middleware —
+  `authorize` only guards the API.
+
 ## Caches
 
 Use first-class caches when a flow, relay, catch, or pass needs durable state between runs.

package/dist/cli.js

@@ -5,6 +5,7 @@ import path2 from 'path';
 import { fileURLToPath } from 'url';
 import { execSync } from 'child_process';
 import prompts2 from 'prompts';
+import crypto from 'crypto';
 
 // src/cli/config-template.ts
 function configTemplate(outputDir) {
@@ -152,6 +153,11 @@ var COMPONENTS = {
         outputFile: "wires/wire.ts",
         outputBase: "outputDir"
       },
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(__dirname$1, "templates", "wire-panel.tsx"),
         outputFile: "wire.tsx",
@@ -202,6 +208,11 @@ var COMPONENTS = {
       ]
     },
     files: [
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(__dirname$1, "templates", "hub.tsx"),
         outputFile: "hub.tsx",
@@ -227,6 +238,11 @@ var COMPONENTS = {
       shadcnComponents: ["card", "table", "badge", "button"]
     },
     files: [
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(__dirname$1, "templates", "logs.tsx"),
         outputFile: "logs.tsx",
@@ -256,6 +272,11 @@ var COMPONENTS = {
       shadcnComponents: ["card", "table", "button", "input", "label"]
     },
     files: [
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(
           __dirname$1,
@@ -276,6 +297,11 @@ var COMPONENTS = {
       shadcnComponents: ["card", "badge", "button", "input", "label"]
     },
     files: [
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(__dirname$1, "templates", "plug-debugger.tsx"),
         outputFile: "plug-debugger.tsx",
@@ -523,6 +549,11 @@ var BLOCKS = {
       shadcnComponents: ["card", "badge"]
     },
     files: [
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(
           __dirname$1,
@@ -1774,13 +1805,13 @@ function diffSchemas(expected, actual, basePath = "$") {
   }
   return diffObjectSchema(expected, actual, basePath);
 }
-function diffTypedNode(expected, actual, path15) {
+function diffTypedNode(expected, actual, path16) {
   const expectedType = expected["_type"];
   if (expectedType === "array") {
     if (actual.type !== "array") {
       return [
         {
-          path: path15,
+          path: path16,
           issue: "type_mismatch",
           note: `expected array, got ${actual.type}`
         }
@@ -1788,13 +1819,13 @@ function diffTypedNode(expected, actual, path15) {
     }
     const itemSchema = expected["items"];
     if (!itemSchema || !actual.items) return [];
-    return diffSchemas(itemSchema, actual.items, `${path15}[]`);
+    return diffSchemas(itemSchema, actual.items, `${path16}[]`);
   }
   const normalizedExpected = normalizeType(expectedType);
   if (normalizedExpected !== actual.type && actual.type !== "null") {
     return [
       {
-        path: path15,
+        path: path16,
         issue: "type_mismatch",
         note: `expected ${expectedType}, got ${actual.type}`
       }
@@ -1802,11 +1833,11 @@ function diffTypedNode(expected, actual, path15) {
   }
   return [];
 }
-function diffObjectSchema(expected, actual, path15) {
+function diffObjectSchema(expected, actual, path16) {
   if (actual.type !== "object") {
     return [
       {
-        path: path15,
+        path: path16,
         issue: "type_mismatch",
         note: `expected object, got ${actual.type}`
       }
@@ -1815,7 +1846,7 @@ function diffObjectSchema(expected, actual, path15) {
   const mismatches = [];
   const actualProps = actual.properties;
   for (const [key, typeDesc] of Object.entries(expected)) {
-    const childPath = path15 === "$" ? `$.${key}` : `${path15}.${key}`;
+    const childPath = path16 === "$" ? `$.${key}` : `${path16}.${key}`;
     const typeStr = typeof typeDesc === "string" ? typeDesc : null;
     const isOptional = typeStr?.endsWith("?") ?? false;
     if (!(key in actualProps)) {
@@ -1853,7 +1884,7 @@ function diffObjectSchema(expected, actual, path15) {
   }
   for (const key of Object.keys(actualProps)) {
     if (!(key in expected)) {
-      const childPath = path15 === "$" ? `$.${key}` : `${path15}.${key}`;
+      const childPath = path16 === "$" ? `$.${key}` : `${path16}.${key}`;
       mismatches.push({ path: childPath, issue: "extra" });
     }
   }
@@ -1874,6 +1905,48 @@ function normalizeType(typeStr) {
       return lower;
   }
 }
+var CLI_TOKEN_SCHEME = "KhotanCLI";
+function readSecretFromEnvFile(filePath) {
+  try {
+    const content = fs4.readFileSync(filePath, "utf-8");
+    for (const line of content.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) continue;
+      const match = /^KHOTAN_SECRET\s*=\s*["']?(.*?)["']?\s*$/.exec(trimmed);
+      if (match) return match[1] ?? null;
+    }
+  } catch {
+  }
+  return null;
+}
+function resolveKhotanSecret(cwd = process.cwd()) {
+  const fromEnv = process.env["KHOTAN_SECRET"]?.trim();
+  if (fromEnv) return fromEnv;
+  return readSecretFromEnvFile(path2.join(cwd, ".env.local")) ?? readSecretFromEnvFile(path2.join(cwd, ".env")) ?? null;
+}
+function cliAuthHeader() {
+  const secret = resolveKhotanSecret();
+  if (!secret) return null;
+  const timestamp = String(Date.now());
+  const sig = crypto.createHmac("sha256", secret).update(`khotan-cli:${timestamp}`).digest("hex");
+  return `${CLI_TOKEN_SCHEME} ${timestamp}.${sig}`;
+}
+function cliFetch(url, init) {
+  const auth = cliAuthHeader();
+  if (!auth) {
+    return init === void 0 ? fetch(url) : fetch(url, init);
+  }
+  const headers = {
+    ...init?.headers ?? {},
+    Authorization: auth
+  };
+  return fetch(url, { ...init, headers });
+}
+function unauthorizedHint() {
+  return resolveKhotanSecret() ? "Unauthorized. The dev server rejected the CLI token \u2014 confirm KHOTAN_SECRET matches the value the server is running with." : "Unauthorized. Set KHOTAN_SECRET in your environment (or .env.local) so the CLI can authenticate against your authorize() hook.";
+}
+
+// src/cli/commands/plug-vars.ts
 function output(obj) {
   process.stdout.write(JSON.stringify(obj, null, 2) + "\n");
 }
@@ -1911,13 +1984,14 @@ function resolvePort(portFlag) {
 async function checkConnectivity(baseUrl) {
   let res;
   try {
-    res = await fetch(`${baseUrl}/plugs`);
+    res = await cliFetch(`${baseUrl}/plugs`);
   } catch {
     fail(
       "connect_failed",
       `Could not connect to dev server at ${baseUrl.replace("http://", "")}. Is it running?`
     );
   }
+  if (res.status === 401) fail("unauthorized", unauthorizedHint());
   if (!res.ok) {
     fail(
       "api_unavailable",
@@ -1931,11 +2005,11 @@ var varsCommand = new Command("vars").description("View and manage plug variable
     const baseUrl = `http://localhost:${port}${opts.basePath}`;
     await checkConnectivity(baseUrl);
     if (opts.list) {
-      const plugsRes = await fetch(`${baseUrl}/plugs`);
+      const plugsRes = await cliFetch(`${baseUrl}/plugs`);
       const plugs = await plugsRes.json();
       const variables = await Promise.all(
         plugs.map(async (plug) => {
-          const res = await fetch(`${baseUrl}/variables/${plug.name}`);
+          const res = await cliFetch(`${baseUrl}/variables/${plug.name}`);
           if (res.status === 404) {
             return {
               plugName: plug.name,
@@ -1964,7 +2038,7 @@ var varsCommand = new Command("vars").description("View and manage plug variable
     }
     const resolvedAction = action ?? "show";
     if (resolvedAction === "show") {
-      const res = await fetch(`${baseUrl}/variables/${plugName}`);
+      const res = await cliFetch(`${baseUrl}/variables/${plugName}`);
       if (res.status === 404) {
         fail("plug_not_found", `Plug "${plugName}" not found.`);
       }
@@ -1991,7 +2065,7 @@ var varsCommand = new Command("vars").description("View and manage plug variable
       } catch {
         fail("invalid_json", "Could not parse --json as JSON.");
       }
-      const res = await fetch(`${baseUrl}/variables/${plugName}`, {
+      const res = await cliFetch(`${baseUrl}/variables/${plugName}`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(payload)
@@ -2007,7 +2081,7 @@ var varsCommand = new Command("vars").description("View and manage plug variable
       return;
     }
     if (resolvedAction === "clear") {
-      const res = await fetch(`${baseUrl}/variables/${plugName}`, {
+      const res = await cliFetch(`${baseUrl}/variables/${plugName}`, {
         method: "DELETE"
       });
       if (!res.ok && res.status !== 204) {
@@ -2075,7 +2149,7 @@ function tryParseJson(value) {
 async function checkConnectivity2(baseUrl) {
   let res;
   try {
-    res = await fetch(`${baseUrl}/debug`);
+    res = await cliFetch(`${baseUrl}/debug`);
   } catch {
     fail2(
       "connect_failed",
@@ -2098,7 +2172,8 @@ var plugCommand = new Command("plug").alias("probe").description(
     if (opts.list) {
       await checkConnectivity2(baseUrl);
       try {
-        const res = await fetch(`${baseUrl}/plugs`);
+        const res = await cliFetch(`${baseUrl}/plugs`);
+        if (res.status === 401) fail2("unauthorized", unauthorizedHint());
         const data = await res.json();
         const raw = Array.isArray(data) ? data : data.plugs ?? [];
         const plugs = raw.map((p) => ({
@@ -2122,7 +2197,7 @@ var plugCommand = new Command("plug").alias("probe").description(
     await checkConnectivity2(baseUrl);
     if (opts.info) {
       try {
-        const res = await fetch(`${baseUrl}/debug/${plugName}`);
+        const res = await cliFetch(`${baseUrl}/debug/${plugName}`);
         if (res.status === 404) {
           fail2(
             "plug_not_found",
@@ -2141,7 +2216,7 @@ var plugCommand = new Command("plug").alias("probe").description(
     let allEndpoints = null;
     if (opts.endpoint) {
       try {
-        const res = await fetch(`${baseUrl}/debug/${plugName}`);
+        const res = await cliFetch(`${baseUrl}/debug/${plugName}`);
         if (res.status === 404) {
           fail2(
             "plug_not_found",
@@ -2205,7 +2280,7 @@ var plugCommand = new Command("plug").alias("probe").description(
     if (extraHeaders) debugPayload["headers"] = extraHeaders;
     let debugRes;
     try {
-      debugRes = await fetch(`${baseUrl}/debug/${plugName}`, {
+      debugRes = await cliFetch(`${baseUrl}/debug/${plugName}`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(debugPayload)
@@ -2252,7 +2327,7 @@ var plugCommand = new Command("plug").alias("probe").description(
       } else {
         if (!allEndpoints) {
           try {
-            const metaRes = await fetch(`${baseUrl}/debug/${plugName}`);
+            const metaRes = await cliFetch(`${baseUrl}/debug/${plugName}`);
             const metaData = await metaRes.json();
             allEndpoints = metaData.endpoints ?? null;
           } catch {
@@ -2327,13 +2402,14 @@ function resolveWebhookOrigin(originFlag) {
 async function checkConnectivity3(baseUrl) {
   let res;
   try {
-    res = await fetch(`${baseUrl}/plugs`);
+    res = await cliFetch(`${baseUrl}/plugs`);
   } catch {
     fail3(
       "connect_failed",
       `Could not connect to dev server at ${baseUrl.replace("http://", "")}. Is it running?`
     );
   }
+  if (res.status === 401) fail3("unauthorized", unauthorizedHint());
   if (!res.ok) {
     fail3(
       "api_unavailable",
@@ -2355,11 +2431,11 @@ var wireCommand = new Command("wire").description(
     const baseUrl = `http://localhost:${port}${opts.basePath}`;
     await checkConnectivity3(baseUrl);
     if (opts.list) {
-      const plugsRes = await fetch(`${baseUrl}/plugs`);
+      const plugsRes = await cliFetch(`${baseUrl}/plugs`);
       const plugs = await plugsRes.json();
       const wires = await Promise.all(
         plugs.map(async (plug) => {
-          const res = await fetch(`${baseUrl}/wires/${plug.name}`);
+          const res = await cliFetch(`${baseUrl}/wires/${plug.name}`);
           const data = await res.json();
           return {
             plugName: plug.name,
@@ -2380,7 +2456,7 @@ var wireCommand = new Command("wire").description(
     }
     const resolvedAction = opts.info ? "info" : action ?? "info";
     if (resolvedAction === "info") {
-      const res = await fetch(`${baseUrl}/wires/${plugName}`);
+      const res = await cliFetch(`${baseUrl}/wires/${plugName}`);
       if (res.status === 404) {
         fail3("plug_not_found", `Plug "${plugName}" not found.`);
       }
@@ -2395,7 +2471,7 @@ var wireCommand = new Command("wire").description(
     }
     if (resolvedAction === "connect") {
       const callbackUrl = opts.callbackUrl ?? `${resolveWebhookOrigin(opts.webhookOrigin)}/api/khotan/webhook/${plugName}`;
-      const res = await fetch(`${baseUrl}/wires/${plugName}`, {
+      const res = await cliFetch(`${baseUrl}/wires/${plugName}`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ callbackUrl })
@@ -2419,7 +2495,7 @@ var wireCommand = new Command("wire").description(
     if (resolvedAction === "disconnect") {
       let wireId = opts.wireId;
       if (!wireId) {
-        const currentRes = await fetch(`${baseUrl}/wires/${plugName}`);
+        const currentRes = await cliFetch(`${baseUrl}/wires/${plugName}`);
         const current = await currentRes.json();
         wireId = current.wire?.id;
       }
@@ -2429,7 +2505,7 @@ var wireCommand = new Command("wire").description(
           `No active wire found for "${plugName}". Use --wire-id to override.`
         );
       }
-      const res = await fetch(`${baseUrl}/wires/${plugName}`, {
+      const res = await cliFetch(`${baseUrl}/wires/${plugName}`, {
         method: "DELETE",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ wireId })
@@ -2487,9 +2563,10 @@ function resolveBaseUrl(opts) {
   return `http://localhost:${resolvePort4(opts.port)}${opts.basePath}`;
 }
 async function fetchJson(url, init) {
-  const res = await fetch(url, init);
+  const res = await cliFetch(url, init);
   const data = await res.json().catch(() => ({}));
   if (!res.ok) {
+    if (res.status === 401) fail4("unauthorized", unauthorizedHint());
     fail4(
       "request_failed",
       data.error ?? `Request to ${url} failed with status ${res.status}`
@@ -2498,20 +2575,22 @@ async function fetchJson(url, init) {
   return data;
 }
 async function checkConnectivity4(baseUrl) {
+  let res;
   try {
-    const res = await fetch(`${baseUrl}/flows`);
-    if (!res.ok) {
-      fail4(
-        "api_unavailable",
-        `Could not reach Khotan flows API at ${baseUrl}. Check your base path and dev server.`
-      );
-    }
+    res = await cliFetch(`${baseUrl}/flows`);
   } catch {
     fail4(
       "connect_failed",
       `Could not connect to dev server at ${baseUrl.replace("http://", "")}. Is it running?`
     );
   }
+  if (res.status === 401) fail4("unauthorized", unauthorizedHint());
+  if (!res.ok) {
+    fail4(
+      "api_unavailable",
+      `Could not reach Khotan flows API at ${baseUrl}. Check your base path and dev server.`
+    );
+  }
 }
 function parseJsonOption(value, label) {
   if (!value) return void 0;
@@ -2660,9 +2739,10 @@ function resolveBaseUrl2(opts) {
   return `http://localhost:${resolvePort5(opts.port)}${opts.basePath}`;
 }
 async function fetchJson2(url, init) {
-  const res = await fetch(url, init);
+  const res = await cliFetch(url, init);
   const data = await res.json().catch(() => ({}));
   if (!res.ok) {
+    if (res.status === 401) fail5("unauthorized", unauthorizedHint());
     fail5(
       "request_failed",
       data.error ?? `Request to ${url} failed with status ${res.status}`
@@ -2671,20 +2751,22 @@ async function fetchJson2(url, init) {
   return data;
 }
 async function checkConnectivity5(baseUrl) {
+  let res;
   try {
-    const res = await fetch(`${baseUrl}/flows`);
-    if (!res.ok) {
-      fail5(
-        "api_unavailable",
-        `Could not reach Khotan flows API at ${baseUrl}. Check your base path and dev server.`
-      );
-    }
+    res = await cliFetch(`${baseUrl}/flows`);
   } catch {
     fail5(
       "connect_failed",
       `Could not connect to dev server at ${baseUrl.replace("http://", "")}. Is it running?`
     );
   }
+  if (res.status === 401) fail5("unauthorized", unauthorizedHint());
+  if (!res.ok) {
+    fail5(
+      "api_unavailable",
+      `Could not reach Khotan flows API at ${baseUrl}. Check your base path and dev server.`
+    );
+  }
 }
 function parseJsonObjectOption(value, label) {
   if (!value) return void 0;
@@ -2842,10 +2924,14 @@ withApiOptions2(
 ).action(async (mappingId, opts) => {
   const baseUrl = resolveBaseUrl2(opts);
   await checkConnectivity5(baseUrl);
-  const res = await fetch(`${baseUrl}/mappings/${encodeURIComponent(mappingId)}`, {
-    method: "DELETE"
-  });
+  const res = await cliFetch(
+    `${baseUrl}/mappings/${encodeURIComponent(mappingId)}`,
+    {
+      method: "DELETE"
+    }
+  );
   if (!res.ok) {
+    if (res.status === 401) fail5("unauthorized", unauthorizedHint());
     const data = await res.json().catch(() => ({}));
     fail5(
       "request_failed",

package/dist/factory.cjs

@@ -261,6 +261,47 @@ function hexToBytes(hex) {
 function bytesToHex(bytes) {
   return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
+var CLI_TOKEN_SCHEME = "KhotanCLI";
+var CLI_TOKEN_WINDOW_MS = 6e4;
+async function deriveCliToken(secret, timestamp2) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    new TextEncoder().encode(`khotan-cli:${timestamp2}`)
+  );
+  return bytesToHex(new Uint8Array(sig));
+}
+function timingSafeEqualHex(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return diff === 0;
+}
+async function isCliRequestAuthorized(request, secret) {
+  if (process.env["NODE_ENV"] === "production") return false;
+  if (!secret) return false;
+  const header = request.headers.get("authorization");
+  if (!header?.startsWith(`${CLI_TOKEN_SCHEME} `)) return false;
+  const token = header.slice(CLI_TOKEN_SCHEME.length + 1).trim();
+  const dotIdx = token.indexOf(".");
+  if (dotIdx === -1) return false;
+  const timestamp2 = token.slice(0, dotIdx);
+  const provided = token.slice(dotIdx + 1);
+  const ts = Number.parseInt(timestamp2, 10);
+  if (!Number.isFinite(ts)) return false;
+  if (Math.abs(Date.now() - ts) > CLI_TOKEN_WINDOW_MS) return false;
+  const expected = await deriveCliToken(secret, timestamp2);
+  return timingSafeEqualHex(provided, expected);
+}
 function bindPlugWithVars(plug, vars, setVars) {
   const opts = (extra) => ({
     ...extra,
@@ -1106,9 +1147,14 @@ function coerceDate(value) {
 }
 function isCronRequestAuthorized(request) {
   const secret = process.env["CRON_SECRET"]?.trim();
-  if (!secret) return true;
+  if (!secret) {
+    return process.env["NODE_ENV"] !== "production";
+  }
   return request.headers.get("authorization") === `Bearer ${secret}`;
 }
+function isDebugEnabled() {
+  return Boolean(process?.env?.["KHOTAN_DEBUG"]) && process?.env?.["NODE_ENV"] !== "production";
+}
 function isWorkflowCancelledError(error) {
   if (!error || typeof error !== "object") return false;
   const record = error;
@@ -1402,8 +1448,18 @@ function canonicalizeConnectValue(resource, connectValue) {
   );
 }
 function khotan(config) {
-  const { adapter, plugs, resources = [], caches = [] } = config;
+  const { adapter, plugs, resources = [], caches = [], authorize } = config;
   const instanceId = crypto.randomUUID();
+  if (!authorize) {
+    console.warn(
+      "[khotan] No `authorize` hook configured: the management API (/api/khotan/*) is publicly accessible. Pass `authorize` to gate it behind your auth layer (e.g. better-auth). This is required for any deployed environment."
+    );
+  }
+  if (!(config.secret ?? process.env["KHOTAN_SECRET"])) {
+    console.warn(
+      "[khotan] No `secret`/`KHOTAN_SECRET` configured: plug credentials and wire metadata will not be encrypted at rest. Set KHOTAN_SECRET to a high-entropy value."
+    );
+  }
   const plugNames = /* @__PURE__ */ new Set();
   for (const plug of plugs) {
     if (plugNames.has(plug.name)) {
@@ -2230,7 +2286,24 @@ function khotan(config) {
     const webhookEventsIdx = segments.indexOf("webhook-events");
     const variablesIdx = segments.indexOf("variables");
     const cronIdx = segments.indexOf("cron");
+    const webhookIdx = segments.indexOf("webhook");
     const debugIdx = segments.indexOf("debug");
+    const isInboundWebhook = webhookIdx !== -1 && webhookIdx === segments.length - 2;
+    const isCronRoute = cronIdx !== -1 && cronIdx === segments.length - 1;
+    const isDebugRoute = debugIdx !== -1;
+    if (authorize && !isInboundWebhook && !isCronRoute && !isDebugRoute) {
+      let allowed = await isCliRequestAuthorized(request, secret);
+      if (!allowed) {
+        try {
+          allowed = await authorize(request);
+        } catch {
+          allowed = false;
+        }
+      }
+      if (!allowed) {
+        return Response.json({ error: "Unauthorized" }, { status: 401 });
+      }
+    }
     const limit = Math.min(
       Math.max(
         Number.parseInt(url.searchParams.get("limit") ?? "20", 10) || 20,
@@ -2272,15 +2345,13 @@ function khotan(config) {
         return Response.json(result);
       }
       if (debugIdx !== -1 && debugIdx === segments.length - 1) {
-        const debugActive = process?.env?.["KHOTAN_DEBUG"];
-        if (!debugActive) {
+        if (!isDebugEnabled()) {
           return Response.json({ error: "Not found" }, { status: 404 });
         }
         return Response.json({ enabled: true });
       }
       if (debugIdx !== -1 && debugIdx === segments.length - 2) {
-        const debugActive = process?.env?.["KHOTAN_DEBUG"];
-        if (!debugActive) {
+        if (!isDebugEnabled()) {
           return Response.json({ error: "Not found" }, { status: 404 });
         }
         const plugName = segments[debugIdx + 1];
@@ -2582,7 +2653,6 @@ function khotan(config) {
         const result = await dispatchScheduledFlows({ runType });
         return Response.json(result);
       }
-      const webhookIdx = segments.indexOf("webhook");
       if (webhookIdx !== -1 && webhookIdx === segments.length - 2) {
         const plugName = segments[webhookIdx + 1];
         const plugReg = plugs.find((p) => p.name === plugName);
@@ -2799,8 +2869,7 @@ function khotan(config) {
         return Response.json({ received: true }, { status: 202 });
       }
       if (debugIdx !== -1 && debugIdx === segments.length - 2) {
-        const debugActive = process?.env?.["KHOTAN_DEBUG"];
-        if (!debugActive) {
+        if (!isDebugEnabled()) {
           return Response.json({ error: "Not found" }, { status: 404 });
         }
         const plugName = segments[debugIdx + 1];
@@ -3293,6 +3362,7 @@ exports.__setWorkflowGetRunForTests = __setWorkflowGetRunForTests;
 exports.__setWorkflowGetWritableForTests = __setWorkflowGetWritableForTests;
 exports.__setWorkflowStartForTests = __setWorkflowStartForTests;
 exports.bindWorkflowPlug = bindWorkflowPlug;
+exports.deriveCliToken = deriveCliToken;
 exports.drizzleAdapter = drizzleAdapter;
 exports.khotan = khotan;
 exports.khotanCache = khotanCache;