auth/daemon_token_middleware.ts

Create middleware that authenticates via daemon token.

Checks the X-Daemon-Token header. Behavior: - No header: pass through (don't touch existing context). - Header present + Zod-invalid: return 401 (fail-closed). - Header present + invalid value: return 401 (fail-closed, no downgrade). - Header present + valid + keeper_account_id null: return 503. - Header present + valid + ok: set `c.var.auth_account_id = state.keeper_account_id, CREDENTIAL_TYPE_KEY = 'daemon_token'` (overrides any existing session / bearer identity).

Acting-actor resolution + RequestContext construction are deferred to the dispatcher's authorization phase. Multi-actor keeper accounts surface actor_required from there if a daemon caller doesn't pass an explicit acting value.

Result of starting daemon token rotation.

Options for daemon token rotation.

Deps for writing the daemon token to disk.

Default rotation interval in milliseconds (30 seconds).

Get the daemon token file path (~/.{name}/run/daemon_token).

Resolve the keeper account ID by querying for the account with an active keeper role_grant.

There is exactly one keeper account (the bootstrap account). Runs once at server startup — the result is cached in DaemonTokenState.keeper_account_id. The acting actor is resolved per-request by the dispatcher's authorization phase (which runs resolve_acting_actor against this account id), so multi-actor keeper accounts surface actor_required if a daemon caller doesn't pass an explicit acting.

Start daemon token rotation.

Generates an initial token, writes it to disk, resolves the keeper account, and sets up periodic rotation. Returns the mutable state object and a stop function.

Write the current token to disk atomically.

Uses write_file_atomic (temp file + rename) and optionally sets mode 0600.