satgate 1.5.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 TheCryptoDonkey
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,207 @@
+# satgate
+
+[![MIT licence](https://img.shields.io/badge/licence-MIT-blue.svg)](./LICENSE)
+[![Nostr](https://img.shields.io/badge/Nostr-Zap%20me-purple)](https://primal.net/p/npub1mgvlrnf5hm9yf0n5mf9nqmvarhvxkc6remu5ec3vf8r0txqkuk7su0e7q2)
+[![TypeScript](https://img.shields.io/badge/TypeScript-5.8-blue)](https://www.typescriptlang.org/)
+[![Node](https://img.shields.io/badge/Node-%3E%3D22-green)](https://nodejs.org/)
+
+**Your GPU is burning money. Make it earn money.**
+
+satgate sits in front of Ollama, vLLM, llama.cpp — any OpenAI-compatible backend — and turns it into a pay-per-token API. No accounts. No API keys. No Stripe. Clients pay per token, you earn sats before the response finishes streaming.
+
+![satgate demo](demo/satgate-demo.gif)
+
+## Quick start
+
+```bash
+npx satgate --upstream http://localhost:11434
+```
+
+That's it. satgate auto-detects your models, starts accepting payments, and proxies inference requests. Clients pay per token, you earn sats.
+
+---
+
+## Try it live
+
+A public instance is running at [satgate.trotters.dev](https://satgate.trotters.dev). Open it in a browser for the chat playground, or use curl:
+
+```bash
+# 250 sats of free usage per day per IP — after that you'll get a 402 + invoice
+curl -s -w '\n%{http_code}\n' https://satgate.trotters.dev/v1/chat/completions \
+  -H "Content-Type: application/json" \
+  -d '{"model":"qwen3:0.6b","messages":[{"role":"user","content":"What is Bitcoin?"}]}'
+
+# Check pricing
+curl -s https://satgate.trotters.dev/.well-known/l402 | jq .
+
+# Machine-readable description
+curl -s https://satgate.trotters.dev/llms.txt
+```
+
+---
+
+## The old way vs satgate
+
+| | The old way | With satgate |
+|---|---|---|
+| **Sell GPU time** | Sign up for a marketplace (OpenRouter, Together). They set the price, take a cut, own the customer. | `npx satgate --upstream http://localhost:11434`. You set the price. You keep 100%. |
+| **Handle billing** | Stripe account, KYC, usage tracking, invoices, chargebacks | Payments settle before the response finishes streaming. No accounts, no disputes. |
+| **Serve AI agents** | OAuth flows, API key management, billing portals — none of which machines can use | Agents discover your endpoint, pay per token from their own wallet, no human in the loop. |
+| **Price fairly** | Flat rate per request, regardless of whether it's 10 tokens or 10,000 | Actual tokens counted from the response. Overpayments credited back. |
+
+---
+
+## Built for machines
+
+satgate doesn't just serve humans with `curl`. It's designed for AI agents that pay for their own resources.
+
+Every satgate instance exposes three discovery endpoints — no auth required:
+
+| Endpoint | Who reads it |
+|---|---|
+| `/.well-known/l402` | Machines — pricing, models, payment methods as structured JSON |
+| `/llms.txt` | AI agents — plain-text description of what you're selling |
+| `/openapi.json` | Code generators — full OpenAPI spec |
+
+Pair with [l402-mcp](https://github.com/TheCryptoDonkey/l402-mcp) and an AI agent can autonomously discover your endpoint, check your prices, pay from its own wallet, and start prompting — no human involved.
+
+```mermaid
+sequenceDiagram
+    participant A as AI Agent
+    participant M as l402-mcp
+    participant T as satgate
+    participant G as Your GPU
+
+    A->>M: "Use this inference endpoint"
+    M->>T: GET /.well-known/l402
+    T-->>M: Pricing, models, payment methods
+    M->>T: POST /v1/chat/completions
+    T-->>M: 402 + Lightning invoice
+    M->>M: Pay invoice from wallet
+    M->>T: Retry with L402 credential
+    T->>G: Proxy request
+    G-->>T: Stream response
+    T-->>M: Stream completion
+    M-->>A: Response
+```
+
+---
+
+## The secret
+
+Everything you just saw — the payment gating, the multi-rail support, the credit system, the free tier, the macaroon credentials — that's not satgate. That's [toll-booth](https://github.com/TheCryptoDonkey/toll-booth).
+
+satgate is ~400 lines of glue on top of toll-booth. It adds the AI-specific bits: token counting, model pricing, streaming reconciliation, capacity management. Everything else comes from the middleware.
+
+**You could build your own satgate for your domain in an afternoon.**
+
+Monetise a routing API. Gate a translation service. Sell weather data per request. toll-booth handles the payments — you just write the product logic.
+
+→ [**See toll-booth**](https://github.com/TheCryptoDonkey/toll-booth)
+
+```mermaid
+graph TB
+    subgraph "satgate (~400 lines)"
+        TC[Token counting]
+        MP[Model pricing]
+        SR[Streaming reconciliation]
+        CM[Capacity management]
+        AD[Agent discovery]
+    end
+    subgraph "toll-booth"
+        L402[L402 protocol]
+        CR[Credit system]
+        FT[Free tier]
+        PR[Payment rails]
+        MA[Macaroon auth]
+    end
+    TC --> L402
+    MP --> CR
+    SR --> CR
+    CM --> L402
+    AD --> L402
+```
+
+---
+
+## What satgate adds
+
+- **Pay-per-token** — actual token count from the response, not estimated. Streaming and buffered.
+- **Model-specific pricing** — 1 sat/1k for Llama, 5 sats/1k for DeepSeek. You set the rates.
+- **Streaming reconciliation** — estimated charge upfront, reconciled to actual usage after. Overpayments credited back.
+- **Capacity management** — limit concurrent inference requests to protect your GPU.
+- **Auto-detect models** — queries your upstream on startup. No manual model list.
+- **Four payment rails** — Lightning, Cashu ecash, NWC, and x402 stablecoins. Operator picks what to accept.
+- **Privacy by design** — no personal data collected or stored. No accounts, no cookies, no IP logging. GDPR-safe out of the box.
+- **Instant public URL** — auto-spawns a Cloudflare tunnel. Your GPU is reachable from the internet in seconds.
+
+---
+
+## How it works
+
+```mermaid
+sequenceDiagram
+    participant C as Client
+    participant T as satgate
+    participant G as Your GPU
+
+    C->>T: POST /v1/chat/completions
+    T-->>C: 402 + Lightning invoice (estimated cost)
+    C->>C: Pay invoice
+    C->>T: Retry with L402 credential
+    T->>G: Proxy request
+    G-->>T: Stream response
+    T->>T: Count actual tokens
+    T-->>C: Stream completion
+    T->>T: Reconcile: credit back overpayment
+```
+
+Charges are estimated upfront based on model pricing, then reconciled to actual token usage after the response completes. Operators are never short-changed — costs round up. Overpayments are credited to the client's balance for the next request.
+
+---
+
+## Configuration
+
+Zero config works (just `--upstream`). For production, create `satgate.yaml`:
+
+```yaml
+upstream: http://localhost:11434
+port: 3000
+pricing:
+  default: 1          # 1 sat per 1k tokens
+  models:
+    llama3: 1
+    deepseek-r1: 5
+freeTier:
+  creditsPerDay: 250
+capacity:
+  maxConcurrent: 4
+```
+
+CLI flags > environment variables > config file > defaults.
+
+---
+
+## Get started
+
+```bash
+# Monetise your local Ollama
+npx satgate --upstream http://localhost:11434
+
+# Or point at any OpenAI-compatible backend
+npx satgate --upstream http://your-vllm-server:8000
+```
+
+→ [**toll-booth**](https://github.com/TheCryptoDonkey/toll-booth) — the middleware that powers all of this. Build your own.
+→ [**l402-mcp**](https://github.com/TheCryptoDonkey/l402-mcp) — give AI agents a wallet. Let them pay for your GPU.
+
+---
+
+Built by [@TheCryptoDonkey](https://github.com/TheCryptoDonkey).
+
+- Lightning tips: `thedonkey@strike.me`
+- Nostr: `npub1mgvlrnf5hm9yf0n5mf9nqmvarhvxkc6remu5ec3vf8r0txqkuk7su0e7q2`
+
+---
+
+[MIT](./LICENSE)

package/dist/bin/satgate.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=satgate.d.ts.map

package/dist/bin/satgate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"satgate.d.ts","sourceRoot":"","sources":["../../bin/satgate.ts"],"names":[],"mappings":""}

package/dist/bin/satgate.js

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import { main } from '../src/cli.js';
+main().catch((err) => {
+    console.error('[satgate] Fatal:', err.message);
+    process.exit(1);
+});
+//# sourceMappingURL=satgate.js.map

package/dist/bin/satgate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"satgate.js","sourceRoot":"","sources":["../../bin/satgate.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAA;AACpC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,kBAAkB,EAAE,GAAG,CAAC,OAAO,CAAC,CAAA;IAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}

package/dist/src/auth/allowlist.d.ts

@@ -0,0 +1,24 @@
+export interface AllowlistResult {
+    allowed: boolean;
+    identity?: string;
+}
+export interface RequestContext {
+    url: string;
+    method: string;
+}
+/**
+ * Checks whether the Authorization header matches an entry in the allowlist.
+ *
+ * Identity types:
+ * - Bearer <secret> — matched against non-pubkey entries (strings that are
+ *   NOT 64-char hex and NOT npub1-prefixed)
+ * - Nostr <base64-event> — NIP-98 verification against pubkey entries
+ *
+ * Security: hex pubkeys and npub entries are NEVER treated as Bearer secrets.
+ * Only entries that don't look like pubkeys are valid Bearer secrets.
+ */
+/**
+ * @param now - Optional Unix timestamp (seconds) for testing. Defaults to current time.
+ */
+export declare function checkAllowlist(authHeader: string | undefined, allowlist: string[], request: RequestContext, now?: number): AllowlistResult;
+//# sourceMappingURL=allowlist.d.ts.map

package/dist/src/auth/allowlist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowlist.d.ts","sourceRoot":"","sources":["../../../src/auth/allowlist.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAA;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;CACf;AA2DD;;;;;;;;;;GAUG;AACH;;GAEG;AACH,wBAAgB,cAAc,CAC5B,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,SAAS,EAAE,MAAM,EAAE,EACnB,OAAO,EAAE,cAAc,EACvB,GAAG,CAAC,EAAE,MAAM,GACX,eAAe,CA4BjB"}

package/dist/src/auth/allowlist.js

@@ -0,0 +1,130 @@
+import { schnorr } from '@noble/curves/secp256k1.js';
+import { hexToBytes } from '@noble/curves/utils.js';
+import { bech32 } from '@scure/base';
+import { createHash, timingSafeEqual } from 'node:crypto';
+const HEX_PUBKEY_RE = /^[0-9a-f]{64}$/;
+/**
+ * Decode an npub (bech32-encoded) to a hex pubkey.
+ */
+function npubToHex(npub) {
+    try {
+        const { prefix, words } = bech32.decode(npub);
+        if (prefix !== 'npub')
+            return null;
+        const bytes = bech32.fromWords(words);
+        return Buffer.from(bytes).toString('hex');
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Normalise allowlist entries to hex pubkeys.
+ * Returns only the pubkey entries (npub or hex), not shared secrets.
+ */
+function extractPubkeys(allowlist) {
+    const pubkeys = [];
+    for (const entry of allowlist) {
+        if (entry.startsWith('npub1')) {
+            const hex = npubToHex(entry);
+            if (hex)
+                pubkeys.push(hex);
+        }
+        else if (HEX_PUBKEY_RE.test(entry)) {
+            pubkeys.push(entry);
+        }
+    }
+    return pubkeys;
+}
+/**
+ * Constant-time string comparison to prevent timing attacks on Bearer tokens.
+ */
+function constantTimeEqual(a, b) {
+    const bufA = Buffer.from(a);
+    const bufB = Buffer.from(b);
+    if (bufA.length !== bufB.length) {
+        // Compare against self to keep constant time even on length mismatch
+        timingSafeEqual(bufA, bufA);
+        return false;
+    }
+    return timingSafeEqual(bufA, bufB);
+}
+/**
+ * Checks whether the Authorization header matches an entry in the allowlist.
+ *
+ * Identity types:
+ * - Bearer <secret> — matched against non-pubkey entries (strings that are
+ *   NOT 64-char hex and NOT npub1-prefixed)
+ * - Nostr <base64-event> — NIP-98 verification against pubkey entries
+ *
+ * Security: hex pubkeys and npub entries are NEVER treated as Bearer secrets.
+ * Only entries that don't look like pubkeys are valid Bearer secrets.
+ */
+/**
+ * @param now - Optional Unix timestamp (seconds) for testing. Defaults to current time.
+ */
+export function checkAllowlist(authHeader, allowlist, request, now) {
+    if (!authHeader || allowlist.length === 0) {
+        return { allowed: false };
+    }
+    const spaceIdx = authHeader.indexOf(' ');
+    if (spaceIdx === -1)
+        return { allowed: false };
+    const scheme = authHeader.slice(0, spaceIdx);
+    const credential = authHeader.slice(spaceIdx + 1);
+    if (scheme === 'Bearer') {
+        // Only match entries that are NOT pubkeys (hex or npub)
+        const secrets = allowlist.filter(entry => !entry.startsWith('npub1') && !HEX_PUBKEY_RE.test(entry));
+        const match = secrets.find(s => constantTimeEqual(s, credential));
+        if (match) {
+            return { allowed: true, identity: credential.slice(0, 8) + '...' };
+        }
+        return { allowed: false };
+    }
+    if (scheme === 'Nostr') {
+        return verifyNip98(credential, allowlist, request, now);
+    }
+    return { allowed: false };
+}
+/**
+ * Verify a NIP-98 HTTP Auth event against the allowlist of pubkeys.
+ */
+function verifyNip98(base64Event, allowlist, request, nowOverride) {
+    try {
+        const json = Buffer.from(base64Event, 'base64').toString('utf-8');
+        const event = JSON.parse(json);
+        // Must be kind 27235 (NIP-98 HTTP Auth)
+        if (event.kind !== 27235)
+            return { allowed: false };
+        // Check created_at is within 60 seconds (injectable for testing)
+        const now = nowOverride ?? Math.floor(Date.now() / 1000);
+        if (Math.abs(now - event.created_at) > 60)
+            return { allowed: false };
+        // Validate URL and method tags match the actual request
+        const urlTag = event.tags.find(t => t[0] === 'u')?.[1];
+        const methodTag = event.tags.find(t => t[0] === 'method')?.[1];
+        if (urlTag !== request.url)
+            return { allowed: false };
+        if (methodTag?.toUpperCase() !== request.method.toUpperCase())
+            return { allowed: false };
+        // Verify event ID
+        const serialised = JSON.stringify([0, event.pubkey, event.created_at, event.kind, event.tags, event.content]);
+        const expectedId = createHash('sha256').update(serialised).digest('hex');
+        if (event.id !== expectedId)
+            return { allowed: false };
+        // Verify schnorr signature
+        const valid = schnorr.verify(hexToBytes(event.sig), hexToBytes(event.id), hexToBytes(event.pubkey));
+        if (!valid)
+            return { allowed: false };
+        // Check pubkey against allowlist (normalise npub → hex)
+        const allowedPubkeys = extractPubkeys(allowlist);
+        if (allowedPubkeys.includes(event.pubkey)) {
+            return { allowed: true, identity: event.pubkey.slice(0, 8) + '...' };
+        }
+        return { allowed: false };
+    }
+    catch {
+        return { allowed: false };
+    }
+}
+//# sourceMappingURL=allowlist.js.map

package/dist/src/auth/allowlist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowlist.js","sourceRoot":"","sources":["../../../src/auth/allowlist.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,4BAA4B,CAAA;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAA;AACnD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAYzD,MAAM,aAAa,GAAG,gBAAgB,CAAA;AAYtC;;GAEG;AACH,SAAS,SAAS,CAAC,IAAY;IAC7B,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,IAA6B,CAAC,CAAA;QACtE,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,CAAA;QAClC,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QACrC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,SAAmB;IACzC,MAAM,OAAO,GAAa,EAAE,CAAA;IAC5B,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,CAAA;YAC5B,IAAI,GAAG;gBAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC5B,CAAC;aAAM,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACrC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACrB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,CAAS,EAAE,CAAS;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IAC3B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IAC3B,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QAChC,qEAAqE;QACrE,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;QAC3B,OAAO,KAAK,CAAA;IACd,CAAC;IACD,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;AACpC,CAAC;AAED;;;;;;;;;;GAUG;AACH;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,UAA8B,EAC9B,SAAmB,EACnB,OAAuB,EACvB,GAAY;IAEZ,IAAI,CAAC,UAAU,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;IAC3B,CAAC;IAED,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACxC,IAAI,QAAQ,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;IAE9C,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAA;IAC5C,MAAM,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;IAEjD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,wDAAwD;QACxD,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAC9B,KAAK,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAClE,CAAA;QACD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,iBAAiB,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAA;QACjE,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,EAAE,CAAA;QACpE,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;IAC3B,CAAC;IAED,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,WAAW,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,GAAG,CAAC,CAAA;IACzD,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;AAC3B,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAClB,WAAmB,EACnB,SAAmB,EACnB,OAAuB,EACvB,WAAoB;IAEpB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;QACjE,MAAM,KAAK,GAAe,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAE1C,wCAAwC;QACxC,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;QAEnD,iEAAiE;QACjE,MAAM,GAAG,GAAG,WAAW,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;QACxD,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;QAEpE,wDAAwD;QACxD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;QACtD,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;QAC9D,IAAI,MAAM,KAAK,OAAO,CAAC,GAAG;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;QACrD,IAAI,SAAS,EAAE,WAAW,EAAE,KAAK,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;QAExF,kBAAkB;QAClB,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QAC7G,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QACxE,IAAI,KAAK,CAAC,EAAE,KAAK,UAAU;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;QAEtD,2BAA2B;QAC3B,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;QACnG,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;QAErC,wDAAwD;QACxD,MAAM,cAAc,GAAG,cAAc,CAAC,SAAS,CAAC,CAAA;QAChD,IAAI,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,EAAE,CAAA;QACtE,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;IAC3B,CAAC;AACH,CAAC"}

package/dist/src/auth/middleware.d.ts

@@ -0,0 +1,15 @@
+import type { MiddlewareHandler } from 'hono';
+export interface AuthMiddlewareConfig {
+    authMode: 'open' | 'lightning' | 'allowlist';
+    allowlist: string[];
+}
+/**
+ * Creates Hono middleware that handles auth based on the configured mode.
+ *
+ * - open: pass through (no checks)
+ * - allowlist: check Authorization header against allowlist
+ * - lightning: pass through — toll-booth's authMiddleware is mounted separately
+ *   in server.ts for the lightning path
+ */
+export declare function createAuthMiddleware(config: AuthMiddlewareConfig): MiddlewareHandler;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/src/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAG7C,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,WAAW,CAAA;IAC5C,SAAS,EAAE,MAAM,EAAE,CAAA;CACpB;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,oBAAoB,GAAG,iBAAiB,CAmBpF"}

package/dist/src/auth/middleware.js

@@ -0,0 +1,29 @@
+import { checkAllowlist } from './allowlist.js';
+/**
+ * Creates Hono middleware that handles auth based on the configured mode.
+ *
+ * - open: pass through (no checks)
+ * - allowlist: check Authorization header against allowlist
+ * - lightning: pass through — toll-booth's authMiddleware is mounted separately
+ *   in server.ts for the lightning path
+ */
+export function createAuthMiddleware(config) {
+    if (config.authMode === 'allowlist') {
+        return async (c, next) => {
+            const authHeader = c.req.header('Authorization');
+            const requestUrl = c.req.url;
+            const requestMethod = c.req.method;
+            const result = checkAllowlist(authHeader, config.allowlist, {
+                url: requestUrl,
+                method: requestMethod,
+            });
+            if (!result.allowed) {
+                return c.json({ error: 'Forbidden' }, 403);
+            }
+            await next();
+        };
+    }
+    // open mode and lightning mode: pass through
+    return async (_c, next) => { await next(); };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/src/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/auth/middleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAA;AAO/C;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAA4B;IAC/D,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACpC,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;YACvB,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;YAChD,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAA;YAC5B,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAA;YAClC,MAAM,MAAM,GAAG,cAAc,CAAC,UAAU,EAAE,MAAM,CAAC,SAAS,EAAE;gBAC1D,GAAG,EAAE,UAAU;gBACf,MAAM,EAAE,aAAa;aACtB,CAAC,CAAA;YACF,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,GAAG,CAAC,CAAA;YAC5C,CAAC;YACD,MAAM,IAAI,EAAE,CAAA;QACd,CAAC,CAAA;IACH,CAAC;IAED,6CAA6C;IAC7C,OAAO,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,GAAG,MAAM,IAAI,EAAE,CAAA,CAAC,CAAC,CAAA;AAC7C,CAAC"}

package/dist/src/cli.d.ts

@@ -0,0 +1,2 @@
+export declare function main(argv?: string[]): Promise<void>;
+//# sourceMappingURL=cli.d.ts.map

package/dist/src/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":"AAqHA,wBAAsB,IAAI,CAAC,IAAI,GAAE,MAAM,EAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAqHvE"}