veryfront 0.1.321 → 0.1.322

package/esm/src/embedding/veryfront-cloud/provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../../src/src/embedding/veryfront-cloud/provider.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAQhE,wBAAgB,kCAAkC,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,CA2BpF"}
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../../src/src/embedding/veryfront-cloud/provider.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAShE,wBAAgB,kCAAkC,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,CA6BpF"}

package/esm/src/embedding/veryfront-cloud/provider.js

@@ -1,6 +1,7 @@
 import { createError, toError } from "../../errors/veryfront-error.js";
 import { createGoogleEmbeddingRuntime } from "../../provider/runtime-loader.js";
 import { createVeryfrontCloudFetch, getVeryfrontCloudGatewayBaseUrl, parseVeryfrontCloudModelId, requireVeryfrontCloudBootstrap, } from "../../provider/veryfront-cloud/shared.js";
+import { createVeryfrontCloudOpenAIEmbeddingModel } from "../../provider/veryfront-cloud/openai.js";
 export function createVeryfrontCloudEmbeddingModel(modelId) {
     const { provider, modelId: upstreamModelId } = parseVeryfrontCloudModelId(modelId, "embedding");
     const { apiBaseUrl, apiToken } = requireVeryfrontCloudBootstrap();
@@ -8,7 +9,11 @@ export function createVeryfrontCloudEmbeddingModel(modelId) {
     const fetch = createVeryfrontCloudFetch(apiToken);
     switch (provider) {
         case "openai":
-            throw new Error("OpenAI provider not installed. Add @veryfront/ext-openai to use openai embedding models via veryfront-cloud.");
+            return createVeryfrontCloudOpenAIEmbeddingModel(upstreamModelId, {
+                apiToken,
+                baseURL,
+                fetch,
+            });
         case "google":
             return createGoogleEmbeddingRuntime({
                 apiKey: apiToken,

package/esm/src/provider/shared/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Shared plumbing consumed by the `@veryfront/ext-*` provider extensions.
+ *
+ * This barrel is the stable public surface: implementations currently live
+ * in `runtime-loader.ts` and `runtime-loader/` subdirectory. Future PRs
+ * (post ext-anthropic / ext-google extraction) may move the implementations
+ * into this directory; extensions keep importing from here unchanged.
+ *
+ * @module provider/shared
+ */
+export { getAnthropicMessagesUrl, getGoogleEmbeddingUrl, getGoogleGenerateContentUrl, getGoogleStreamGenerateContentUrl, getOpenAIChatCompletionsUrl, getOpenAIEmbeddingUrl, getOpenAIResponsesUrl, } from "../runtime-loader/provider-endpoints.js";
+export { createAnthropicRequestInit, createGoogleRequestInit, createOpenAIRequestInit, } from "../runtime-loader/provider-request-init.js";
+export { TOOL_INPUT_PENDING_THRESHOLD_MS, withToolInputStatusTransitions, } from "../runtime-loader/tool-input-status.js";
+export { buildProviderError, createWarningCollector, isNumberArray, mergeUsage, parseRetryAfterMs, ProviderError, ProviderOverloadedError, ProviderQuotaError, ProviderRateLimitError, ProviderRequestError, readProviderOptions, readRecord, readTextParts, requestJson, requestStream, stringifyJsonValue, toOpenAICompatibleMessages, toOpenAICompatibleTools, } from "../runtime-loader.js";
+export type { OpenAICompatibleChatMessage, OpenAICompatibleChatRequest, RuntimePromptMessage, } from "../runtime-loader.js";
+//# sourceMappingURL=index.d.ts.map

package/esm/src/provider/shared/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/src/provider/shared/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,2BAA2B,EAC3B,iCAAiC,EACjC,2BAA2B,EAC3B,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,yCAAyC,CAAC;AAGjD,OAAO,EACL,0BAA0B,EAC1B,uBAAuB,EACvB,uBAAuB,GACxB,MAAM,4CAA4C,CAAC;AAGpD,OAAO,EACL,+BAA+B,EAC/B,8BAA8B,GAC/B,MAAM,wCAAwC,CAAC;AAGhD,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,aAAa,EACb,UAAU,EACV,iBAAiB,EACjB,aAAa,EACb,uBAAuB,EACvB,kBAAkB,EAClB,sBAAsB,EACtB,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,aAAa,EACb,WAAW,EACX,aAAa,EACb,kBAAkB,EAClB,0BAA0B,EAC1B,uBAAuB,GACxB,MAAM,sBAAsB,CAAC;AAE9B,YAAY,EACV,2BAA2B,EAC3B,2BAA2B,EAC3B,oBAAoB,GACrB,MAAM,sBAAsB,CAAC"}

package/esm/src/provider/shared/index.js

@@ -0,0 +1,18 @@
+/**
+ * Shared plumbing consumed by the `@veryfront/ext-*` provider extensions.
+ *
+ * This barrel is the stable public surface: implementations currently live
+ * in `runtime-loader.ts` and `runtime-loader/` subdirectory. Future PRs
+ * (post ext-anthropic / ext-google extraction) may move the implementations
+ * into this directory; extensions keep importing from here unchanged.
+ *
+ * @module provider/shared
+ */
+// URL builders
+export { getAnthropicMessagesUrl, getGoogleEmbeddingUrl, getGoogleGenerateContentUrl, getGoogleStreamGenerateContentUrl, getOpenAIChatCompletionsUrl, getOpenAIEmbeddingUrl, getOpenAIResponsesUrl, } from "../runtime-loader/provider-endpoints.js";
+// Request init builders
+export { createAnthropicRequestInit, createGoogleRequestInit, createOpenAIRequestInit, } from "../runtime-loader/provider-request-init.js";
+// Tool-input status transitions
+export { TOOL_INPUT_PENDING_THRESHOLD_MS, withToolInputStatusTransitions, } from "../runtime-loader/tool-input-status.js";
+// Retry / error / HTTP plumbing (currently in runtime-loader.ts).
+export { buildProviderError, createWarningCollector, isNumberArray, mergeUsage, parseRetryAfterMs, ProviderError, ProviderOverloadedError, ProviderQuotaError, ProviderRateLimitError, ProviderRequestError, readProviderOptions, readRecord, readTextParts, requestJson, requestStream, stringifyJsonValue, toOpenAICompatibleMessages, toOpenAICompatibleTools, } from "../runtime-loader.js";

package/esm/src/provider/veryfront-cloud/openai.d.ts

@@ -0,0 +1,10 @@
+import type { EmbeddingRuntime, ModelRuntime } from "../types.js";
+interface VeryfrontCloudOpenAIConfig {
+    apiToken: string;
+    baseURL: string;
+    fetch: typeof globalThis.fetch;
+}
+export declare function createVeryfrontCloudOpenAIModel(modelId: string, config: VeryfrontCloudOpenAIConfig): ModelRuntime;
+export declare function createVeryfrontCloudOpenAIEmbeddingModel(modelId: string, config: VeryfrontCloudOpenAIConfig): EmbeddingRuntime;
+export {};
+//# sourceMappingURL=openai.d.ts.map

package/esm/src/provider/veryfront-cloud/openai.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai.d.ts","sourceRoot":"","sources":["../../../../src/src/provider/veryfront-cloud/openai.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAKlE,UAAU,0BAA0B;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CAChC;AAED,wBAAgB,+BAA+B,CAC7C,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,0BAA0B,GACjC,YAAY,CAOd;AAED,wBAAgB,wCAAwC,CACtD,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,0BAA0B,GACjC,gBAAgB,CAOlB"}

package/esm/src/provider/veryfront-cloud/openai.js

@@ -0,0 +1,18 @@
+import { OpenAIProvider } from "../../../extensions/ext-openai/src/openai-provider.js";
+const openAIProvider = new OpenAIProvider();
+export function createVeryfrontCloudOpenAIModel(modelId, config) {
+    return openAIProvider.createModel(modelId, {
+        credential: config.apiToken,
+        baseURL: config.baseURL,
+        name: "veryfront-cloud",
+        fetch: config.fetch,
+    });
+}
+export function createVeryfrontCloudOpenAIEmbeddingModel(modelId, config) {
+    return openAIProvider.createEmbedding(modelId, {
+        credential: config.apiToken,
+        baseURL: config.baseURL,
+        name: "veryfront-cloud",
+        fetch: config.fetch,
+    });
+}

package/esm/src/provider/veryfront-cloud/provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../../src/src/provider/veryfront-cloud/provider.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQhD,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY,CAiEvE"}
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../../src/src/provider/veryfront-cloud/provider.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAShD,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY,CAmEvE"}

package/esm/src/provider/veryfront-cloud/provider.js

@@ -3,6 +3,7 @@ import { createAnthropicModelRuntime, createGoogleModelRuntime } from "../runtim
 import { tryResolve } from "../../extensions/contracts.js";
 import { AIProviderRegistryName } from "../../extensions/interfaces/index.js";
 import { createVeryfrontCloudFetch, getVeryfrontCloudGatewayBaseUrl, parseVeryfrontCloudModelId, requireVeryfrontCloudBootstrap, } from "./shared.js";
+import { createVeryfrontCloudOpenAIModel } from "./openai.js";
 export function createVeryfrontCloudModel(modelId) {
     const { provider, modelId: upstreamModelId } = parseVeryfrontCloudModelId(modelId, "language");
     const { apiBaseUrl, apiToken, projectSlug } = requireVeryfrontCloudBootstrap();
@@ -50,7 +51,11 @@ export function createVeryfrontCloudModel(modelId) {
                     fetch,
                 });
             }
-            throw new Error("OpenAI provider not installed. Add @veryfront/ext-openai to use openai/moonshotai models via veryfront-cloud.");
+            return createVeryfrontCloudOpenAIModel(upstreamModelId, {
+                apiToken,
+                baseURL,
+                fetch,
+            });
         }
         default: {
             const _exhaustive = provider;

package/esm/src/proxy/main.js

@@ -23,6 +23,8 @@ import * as dntShim from "../../_dnt.shims.js";
 import { createProxyHandler, INTERNAL_PROXY_HEADERS } from "./handler.js";
 import { createCacheFromEnv } from "./cache/index.js";
 import { isRetryableConnectionError } from "./retry.js";
+import { register } from "../extensions/contracts.js";
+import { createAuthProvider } from "../../extensions/ext-jwt/src/index.js";
 import { endSpan, extractContext, initializeOTLPWithApis, injectContext, ProxySpanNames, shutdownOTLP, startServerSpan, withContext, withSpan, } from "./tracing.js";
 import { proxyLogger, runWithProxyRequestContext } from "./logger.js";
 import { getProxyFailureLogLevel } from "./log-noise.js";
@@ -80,6 +82,7 @@ const DEFAULT_SERVER_RETRY_COUNT = 1;
 const DEFAULT_SERVER_RETRY_DELAY_MS = 100;
 const VERYFRONT_SERVER_RETRY_COUNT = parseInt(getEnv("VERYFRONT_SERVER_RETRY_COUNT") || String(DEFAULT_SERVER_RETRY_COUNT));
 const VERYFRONT_SERVER_RETRY_DELAY_MS = parseInt(getEnv("VERYFRONT_SERVER_RETRY_DELAY_MS") || String(DEFAULT_SERVER_RETRY_DELAY_MS));
+register("AuthProvider", createAuthProvider({}));
 // Initialize cache and proxy handler
 const cache = await createCacheFromEnv();
 const proxyHandler = createProxyHandler({

package/esm/src/utils/version-constant.d.ts

@@ -1,2 +1,2 @@
-export declare const VERSION = "0.1.321";
+export declare const VERSION = "0.1.322";
 //# sourceMappingURL=version-constant.d.ts.map

package/esm/src/utils/version-constant.js

@@ -1,3 +1,3 @@
 // Keep in sync with deno.json version.
 // scripts/release.ts updates this constant during releases.
-export const VERSION = "0.1.321";
+export const VERSION = "0.1.322";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "veryfront",
-  "version": "0.1.321",
+  "version": "0.1.322",
   "description": "The simplest way to build AI-powered apps",
   "keywords": [
     "react",
@@ -225,6 +225,7 @@
     "esbuild": "0.27.4",
     "github-slugger": "2.0.0",
     "gray-matter": "4.0.3",
+    "jose": "5.9.6",
     "mdast-util-to-string": "4.0.0",
     "react": "19.2.4",
     "react-dom": "19.2.4",

package/src/deno.js

@@ -1,6 +1,6 @@
 export default {
   "name": "veryfront",
-  "version": "0.1.321",
+  "version": "0.1.322",
   "license": "Apache-2.0",
   "nodeModulesDir": "auto",
   "workspace": [

package/src/extensions/ext-jwt/src/index.ts

@@ -0,0 +1,173 @@
+/**
+ * ext-jwt — AuthProvider implementation backed by `jose`.
+ *
+ * Provides the `AuthProvider` contract: sign / verify (HS256 by default),
+ * verify-with-remote-JWKS, and decode-header.
+ *
+ * @module extensions/ext-jwt
+ */
+import * as dntShim from "../../../_dnt.shims.js";
+
+
+import {
+  createRemoteJWKSet,
+  decodeProtectedHeader,
+  type JWTPayload,
+  jwtVerify,
+  type KeyLike,
+  SignJWT,
+} from "jose";
+
+import type { ExtensionFactory } from "../../../src/extensions/index.js";
+import type {
+  AuthProvider,
+  SignOptions,
+  TokenHeader,
+  TokenPayload,
+  VerifyOptions,
+} from "../../../src/extensions/interfaces/index.js";
+
+/**
+ * Signature used by jose's verify step to resolve a key for a given header.
+ *
+ * Matches the shape returned by `createRemoteJWKSet` / `createLocalJWKSet`
+ * and lets tests inject an in-memory key set without reaching the network.
+ */
+export type JwksResolver = Parameters<typeof jwtVerify>[1] & object;
+
+/**
+ * Factory for building a JWKS resolver from a URL.
+ *
+ * The default uses `createRemoteJWKSet`; tests can inject a stub that returns
+ * a local resolver bound to an in-memory key set.
+ */
+export type JwksResolverFactory = (jwksUrl: string) => JwksResolver;
+
+/**
+ * Optional configuration for the ext-jwt factory.
+ *
+ * - `secret`: HMAC secret for `sign`/`verify`. Falls back to the `JWT_SECRET`
+ *   environment variable. Without one, `sign`/`verify` throw.
+ * - `jwksResolverFactory`: test seam that overrides JWKS resolution.
+ */
+export interface ExtJwtConfig {
+  secret?: string | Uint8Array;
+  jwksResolverFactory?: JwksResolverFactory;
+}
+
+function defaultJwksResolverFactory(jwksUrl: string): JwksResolver {
+  return createRemoteJWKSet(new URL(jwksUrl)) as unknown as JwksResolver;
+}
+
+function toUint8Array(secret: string | Uint8Array): Uint8Array {
+  return typeof secret === "string" ? new TextEncoder().encode(secret) : secret;
+}
+
+function getSecret(configSecret?: string | Uint8Array): Uint8Array {
+  if (configSecret !== undefined) return toUint8Array(configSecret);
+  const env = typeof dntShim.Deno !== "undefined" ? dntShim.Deno.env.get("JWT_SECRET") : undefined;
+  if (!env) {
+    throw new Error(
+      "ext-jwt: no HMAC secret configured. Pass `secret` to the extension " +
+        "factory or set the JWT_SECRET environment variable.",
+    );
+  }
+  return new TextEncoder().encode(env);
+}
+
+function createAuthProvider(config: ExtJwtConfig): AuthProvider {
+  const jwksResolverFactory = config.jwksResolverFactory ??
+    defaultJwksResolverFactory;
+
+  // Cache one resolver per JWKS URL; `createRemoteJWKSet` maintains its own
+  // internal key cache with cooldown/rotation semantics, so reusing the
+  // same resolver is required for the cache to be effective.
+  const jwksResolvers = new Map<string, JwksResolver>();
+
+  function getJwksResolver(jwksUrl: string): JwksResolver {
+    const existing = jwksResolvers.get(jwksUrl);
+    if (existing) return existing;
+    const created = jwksResolverFactory(jwksUrl);
+    jwksResolvers.set(jwksUrl, created);
+    return created;
+  }
+
+  return {
+    async sign(payload: TokenPayload, options?: SignOptions): Promise<string> {
+      const secret = getSecret(config.secret);
+      const algorithm = options?.algorithm ?? "HS256";
+      const { sub, ...rest } = payload;
+      const builder = new SignJWT(rest as JWTPayload)
+        .setProtectedHeader({ alg: algorithm })
+        .setSubject(sub);
+      if (options?.expiresIn !== undefined) {
+        // jose's setExpirationTime accepts `string | number | Date`.
+        builder.setExpirationTime(
+          options.expiresIn as string | number,
+        );
+      }
+      return await builder.sign(secret);
+    },
+
+    async verify(
+      token: string,
+      options?: VerifyOptions,
+    ): Promise<TokenPayload> {
+      const secret = getSecret(config.secret);
+      const algorithms = options?.algorithms ?? ["HS256"];
+      const { payload } = await jwtVerify(token, secret, { algorithms });
+      return payload as TokenPayload;
+    },
+
+    async verifyWithJwks(
+      token: string,
+      jwksUrl: string,
+      options?: VerifyOptions,
+    ): Promise<TokenPayload> {
+      const resolver = getJwksResolver(jwksUrl);
+      const { algorithms, ...rest } = options ?? {};
+      const verifyOpts: Record<string, unknown> = { ...rest };
+      if (algorithms) verifyOpts.algorithms = algorithms;
+      const { payload } = await jwtVerify(
+        token,
+        resolver as unknown as KeyLike,
+        verifyOpts,
+      );
+      return payload as TokenPayload;
+    },
+
+    decode(token: string): TokenHeader | undefined {
+      try {
+        return decodeProtectedHeader(token) as TokenHeader;
+      } catch {
+        return undefined;
+      }
+    },
+  };
+}
+
+/**
+ * Default export — the ext-jwt extension factory.
+ *
+ * Produces an extension that registers an `AuthProvider` contract
+ * implementation backed by `jose`.
+ */
+const extJwt: ExtensionFactory = (config?: unknown) => {
+  const cfg = (config ?? {}) as ExtJwtConfig;
+  const provider = createAuthProvider(cfg);
+
+  return {
+    name: "ext-jwt",
+    version: "0.1.0",
+    capabilities: [
+      { type: "contract", name: "AuthProvider" },
+      { type: "network", host: "*" },
+    ],
+    provides: {
+      AuthProvider: provider,
+    },
+  };
+};
+
+export default extJwt;
+export { createAuthProvider };