import type { RuntimeSessionAuthAttributes, RuntimeSessionAuthContext, RuntimeSessionAuthenticator, RuntimeSessionPrincipalType } from "#runtime/sessions/auth.js"; /** * Shared serializable token-claim projection used by auth verifiers. */ export type RouteAuthAttributes = RuntimeSessionAuthAttributes; /** * One authenticated caller normalized into eve-owned runtime metadata. */ export interface AuthenticatedCallerPrincipal { readonly attributes: RouteAuthAttributes; readonly authenticator: RuntimeSessionAuthenticator; readonly claims: RouteAuthAttributes; readonly issuer?: string; readonly principalId: string; readonly principalType: RuntimeSessionPrincipalType; readonly subject?: string; } /** * Shared resolved token claim matchers. */ export interface ResolvedTokenClaimMatchers { readonly claims?: Readonly>; readonly subjects?: readonly string[]; } /** * Resolved HTTP Basic auth strategy. */ export interface ResolvedHttpBasicAuthStrategy { readonly kind: "http-basic"; readonly password: string; readonly username: string; } /** * Resolved HMAC JWT auth strategy. */ export interface ResolvedJwtHmacAuthStrategy extends ResolvedTokenClaimMatchers { readonly algorithm: "HS256" | "HS384" | "HS512"; readonly audiences: readonly string[]; readonly clockSkewSeconds: number; readonly issuer: string; readonly kind: "jwt-hmac"; readonly secret: string; } /** * Resolved ECDSA JWT auth strategy. */ export interface ResolvedJwtEcdsaAuthStrategy extends ResolvedTokenClaimMatchers { readonly algorithm: "ES256" | "ES384" | "ES512"; readonly audiences: readonly string[]; readonly clockSkewSeconds: number; readonly issuer: string; readonly kind: "jwt-ecdsa"; readonly publicKey: string; } /** * Resolved OIDC auth strategy. */ export interface ResolvedOidcAuthStrategy extends ResolvedTokenClaimMatchers { /** * Vercel-platform extension. When `true` and the token's issuer is * a Vercel OIDC issuer, tokens minted for the current * `VERCEL_PROJECT_ID` are accepted unconditionally — in addition to * the author-supplied `subjects`/`claims` matchers — so the * deployment's own runtime callers (subagent, internal fetches) * always authenticate. Tokens that additionally match the current * `VERCEL_TARGET_ENV` / `VERCEL_ENV` are tagged * `principalType: "runtime"`; other current-project tokens are * tagged `"service"`. * * Vercel OIDC tokens with an `external_sub` claim are user tokens. * They must satisfy the current project/environment constraints when * those environment variables are configured, and then authenticate as * `principalType: "user"` with `external_sub` as their subject and * `external_iss` / `connector_id` as their issuer when present. * * Set exclusively by `verifyVercelOidc`. The generic public * `verifyOidc` always passes `false`. */ readonly acceptCurrentVercelProject: boolean; readonly audiences: readonly string[]; readonly clockSkewSeconds: number; readonly discoveryUrl: string; readonly issuer: string; readonly kind: "oidc"; } /** * Internal strategy verification outcomes used by the route-auth orchestrator. */ export type RouteStrategyAuthenticationResult = { readonly kind: "authenticated"; readonly principal: AuthenticatedCallerPrincipal; } | { readonly kind: "caller-not-allowed"; } | { readonly kind: "misconfigured"; readonly message: string; } | { readonly kind: "not-authenticated"; }; /** * Creates the session-auth projection persisted on runtime state and exposed to * authored code via `ctx.session.auth`. */ export declare function createRuntimeSessionAuthContext(principal: AuthenticatedCallerPrincipal): RuntimeSessionAuthContext;