feat(cloud): mint steward agent JWTs

Co-authored-by: wakesync <shadow@shad0w.xyz>

Author: 0xSolace

packages/cloud-api/.well-known/jwks.json/route.ts

@@ -4,17 +4,27 @@
  */
 
 import { Hono } from "hono";
+import {
+  getAgentTokenJWKS,
+  isAgentTokenSigningConfigured,
+} from "@/lib/auth/agent-token";
 import { getJWKS, isJWKSConfigured } from "@/lib/auth/jwks";
 import type { AppEnv } from "@/types/cloud-worker-env";
 
 const app = new Hono<AppEnv>();
 
 app.get("/", async (c) => {
-  if (!isJWKSConfigured()) {
+  const keys = [];
+  if (isJWKSConfigured()) {
+    keys.push(...(await getJWKS()).keys);
+  }
+  if (isAgentTokenSigningConfigured()) {
+    keys.push(...(await getAgentTokenJWKS()).keys);
+  }
+  if (keys.length === 0) {
     return c.json({ error: "JWKS not configured" }, 503);
   }
-  const jwks = await getJWKS();
-  return c.json(jwks, 200, {
+  return c.json({ keys }, 200, {
     "Cache-Control": "public, max-age=300",
     "Content-Type": "application/json",
   });

packages/cloud-api/src/_router.generated.ts

@@ -2,7 +2,7 @@
  * AUTO-GENERATED by src/_generate-router.mjs - do not edit by hand.
  * Re-run `bun run codegen` after adding or removing a route.ts file.
  *
- * 560 routes mounted, 0 skipped (still Next-shaped).
+ * 561 routes mounted, 0 skipped (still Next-shaped).
  */
 
 /* eslint-disable */
@@ -238,6 +238,7 @@ import _route_v1_advertising_campaigns_route from "../v1/advertising/campaigns/r
 import _route_v1_advertising_creatives_p_id_route from "../v1/advertising/creatives/[id]/route";
 import _route_v1_affiliates_link_route from "../v1/affiliates/link/route";
 import _route_v1_affiliates_route from "../v1/affiliates/route";
+import _route_v1_agent_tokens_route from "../v1/agent-tokens/route";
 import _route_v1_agents_by_token_route from "../v1/agents/by-token/route";
 import _route_v1_agents_p_agentId_logs_route from "../v1/agents/[agentId]/logs/route";
 import _route_v1_agents_p_agentId_monetization_route from "../v1/agents/[agentId]/monetization/route";
@@ -1157,6 +1158,7 @@ export function mountRoutes(app: Hono<AppEnv>): void {
   );
   app.route("/api/v1/affiliates/link", _route_v1_affiliates_link_route);
   app.route("/api/v1/affiliates", _route_v1_affiliates_route);
+  app.route("/api/v1/agent-tokens", _route_v1_agent_tokens_route);
   app.route("/api/v1/agents/by-token", _route_v1_agents_by_token_route);
   app.route(
     "/api/v1/agents/:agentId/logs",

packages/cloud-api/src/bootstrap-app.ts

@@ -16,6 +16,7 @@ import { runWithCloudBindingsAsync } from "@/lib/runtime/cloud-bindings";
 import { setRuntimeR2Bucket } from "@/lib/storage/r2-runtime-binding";
 import { logger } from "@/lib/utils/logger";
 import type { AppEnv } from "@/types/cloud-worker-env";
+import jwksRoute from "../.well-known/jwks.json/route";
 import { handleBlueBubblesWebhook } from "../webhooks/bluebubbles/route";
 import { mountRoutes } from "./_router.generated";
 import { authMiddleware } from "./middleware/auth";
@@ -68,6 +69,8 @@ export function createApp(): Hono<AppEnv> {
       },
     );
   });
+  app.route("/.well-known/jwks.json", jwksRoute);
+
   app.use("*", authMiddleware);
 
   app.all("/steward", embeddedStewardHandler);

packages/cloud-api/src/middleware/auth.ts

@@ -49,6 +49,7 @@ const publicPathPrefixes = [
   "/api/v1/models",
   "/api/v1/pricing/summary",
   "/api/v1/agents/by-token",
+  "/api/v1/agent-tokens",
   "/api/v1/credits/topup",
   "/api/v1/topup",
   "/api/v1/x402",

packages/cloud-api/v1/agent-tokens/route.ts

@@ -0,0 +1,97 @@
+/**
+ * POST /api/v1/agent-tokens
+ * Mints a short-lived, RS256 Steward agent JWT for a cloud-provisioned agent.
+ *
+ * Auth: service-account bearer/header token, or an authenticated admin user.
+ * Body: { agentId: string; ttl?: number }
+ * Response: { token, expiresAt }
+ */
+
+import { Hono } from "hono";
+import { mintAgentToken } from "@/lib/auth/agent-token";
+import { getCurrentUser } from "@/lib/auth/workers-hono-auth";
+import { logger } from "@/lib/utils/logger";
+import type { AppContext, AppEnv } from "@/types/cloud-worker-env";
+
+const app = new Hono<AppEnv>();
+
+function bearerToken(c: {
+  req: { header: (name: string) => string | undefined };
+}): string | null {
+  const auth = c.req.header("authorization");
+  return auth?.startsWith("Bearer ") ? auth.slice(7) : null;
+}
+
+function serviceToken(c: AppEnv["Bindings"]): string | null {
+  const candidates = [c.ELIZA_CLOUD_SERVICE_TOKEN, c.AGENT_TOKEN_SERVICE_TOKEN];
+  for (const candidate of candidates) {
+    if (typeof candidate === "string" && candidate.trim())
+      return candidate.trim();
+  }
+  return null;
+}
+
+function hasServiceAccountAuth(c: AppContext): boolean {
+  const expected = serviceToken(c.env);
+  if (!expected) return false;
+  const supplied =
+    bearerToken(c) ??
+    c.req.header("x-eliza-service-token") ??
+    c.req.header("x-service-token");
+  return supplied === expected;
+}
+
+async function hasAdminAuth(c: AppContext): Promise<boolean> {
+  const existing = c.get("user");
+  if (existing?.role === "admin") return true;
+  const user = await getCurrentUser(c).catch(() => null);
+  return user?.role === "admin";
+}
+
+app.post("/", async (c) => {
+  const serviceAccount = hasServiceAccountAuth(c);
+  const admin = serviceAccount ? false : await hasAdminAuth(c);
+  if (!serviceAccount && !admin) {
+    return c.json(
+      {
+        success: false,
+        error: "admin or container service-account auth required",
+      },
+      401,
+    );
+  }
+
+  const body = (await c.req.json().catch(() => ({}))) as {
+    agentId?: unknown;
+    ttl?: unknown;
+  };
+  const agentId = typeof body.agentId === "string" ? body.agentId : "";
+  if (!agentId.trim()) {
+    return c.json({ success: false, error: "agentId is required" }, 400);
+  }
+
+  try {
+    const minted = await mintAgentToken(agentId, body.ttl);
+    logger.info("[agent-token] minted Steward JWT", {
+      agentId: agentId.trim(),
+      expiresAt: minted.expiresAt,
+      actor: serviceAccount ? "service-account" : "admin",
+    });
+    return c.json(minted);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message === "invalid agentId") {
+      return c.json({ success: false, error: message }, 400);
+    }
+    if (message.includes("AGENT_TOKEN_PRIVATE_KEY_PEM")) {
+      return c.json(
+        { success: false, error: "agent-token signing key is not configured" },
+        503,
+      );
+    }
+    logger.error("[agent-token] failed to mint Steward JWT", { error });
+    return c.json({ success: false, error: "failed to mint agent token" }, 500);
+  }
+});
+
+export default app;

packages/cloud-shared/src/lib/auth/agent-token.ts

@@ -0,0 +1,147 @@
+import { calculateJwkThumbprint, exportJWK, importPKCS8, type JWK, SignJWT } from "jose";
+
+import { getCloudAwareEnv } from "../runtime/cloud-bindings";
+
+export type AgentTokenMintResult = {
+  token: string;
+  expiresAt: string;
+};
+
+const DEFAULT_TTL_SECONDS = 15 * 60;
+const MIN_TTL_SECONDS = 60;
+const MAX_TTL_SECONDS = 60 * 60;
+const ISSUER = "eliza-cloud";
+const AUDIENCE = "steward";
+const ALGORITHM = "RS256";
+
+let cachedPrivateKey: CryptoKey | null = null;
+let cachedPrivateKeySource: string | null = null;
+let cachedPublicJwk: JWK | null = null;
+let cachedPublicJwkSource: string | null = null;
+let cachedKeyId: string | null = null;
+let cachedKeyIdSource: string | null = null;
+
+function envString(name: string): string | undefined {
+  const value = getCloudAwareEnv()[name];
+  return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+
+function normalizePem(value: string): string {
+  const trimmed = value.trim().replace(/\\n/g, "\n");
+  if (trimmed.includes("-----BEGIN")) return trimmed;
+  return `-----BEGIN PRIVATE KEY-----\n${trimmed}\n-----END PRIVATE KEY-----`;
+}
+
+function getPrivateKeyPem(): string | undefined {
+  const raw =
+    envString("AGENT_TOKEN_PRIVATE_KEY_PEM") ?? envString("ELIZA_AGENT_TOKEN_PRIVATE_KEY_PEM");
+  return raw ? normalizePem(raw) : undefined;
+}
+
+export function isAgentTokenSigningConfigured(): boolean {
+  return Boolean(getPrivateKeyPem());
+}
+
+export function normalizeAgentTokenTtl(ttl?: unknown): number {
+  const requested =
+    typeof ttl === "number" && Number.isFinite(ttl) ? Math.floor(ttl) : DEFAULT_TTL_SECONDS;
+  return Math.min(Math.max(requested, MIN_TTL_SECONDS), MAX_TTL_SECONDS);
+}
+
+function normalizeAgentId(agentId: string): string {
+  const normalized = agentId.trim();
+  if (!/^[a-zA-Z0-9_.:-]{1,128}$/.test(normalized)) {
+    throw new Error("invalid agentId");
+  }
+  return normalized;
+}
+
+async function getAgentTokenPrivateKey(): Promise<CryptoKey> {
+  const pem = getPrivateKeyPem();
+  if (!pem) {
+    throw new Error("AGENT_TOKEN_PRIVATE_KEY_PEM is not configured");
+  }
+  if (cachedPrivateKey && cachedPrivateKeySource === pem) return cachedPrivateKey;
+  cachedPrivateKey = await importPKCS8(pem, ALGORITHM, { extractable: true });
+  cachedPrivateKeySource = pem;
+  cachedPublicJwk = null;
+  cachedPublicJwkSource = null;
+  cachedKeyId = null;
+  cachedKeyIdSource = null;
+  return cachedPrivateKey;
+}
+
+async function exportedPublicJwkForCurrentKey(): Promise<JWK> {
+  const privateKey = await getAgentTokenPrivateKey();
+  const jwk = await exportJWK(privateKey);
+  // Strip private RSA parameters before exposing the public JWK.
+  delete jwk.d;
+  delete jwk.p;
+  delete jwk.q;
+  delete jwk.dp;
+  delete jwk.dq;
+  delete jwk.qi;
+  delete (jwk as Record<string, unknown>).oth;
+  return jwk;
+}
+
+export async function getAgentTokenKeyId(): Promise<string> {
+  const configured = envString("AGENT_TOKEN_KEY_ID") ?? envString("ELIZA_AGENT_TOKEN_KEY_ID");
+  if (configured) return configured;
+
+  const pem = getPrivateKeyPem();
+  if (!pem) {
+    throw new Error("AGENT_TOKEN_PRIVATE_KEY_PEM is not configured");
+  }
+  if (cachedKeyId && cachedKeyIdSource === pem) return cachedKeyId;
+
+  cachedKeyId = (
+    await calculateJwkThumbprint(await exportedPublicJwkForCurrentKey(), "sha256")
+  ).slice(0, 16);
+  cachedKeyIdSource = pem;
+  return cachedKeyId;
+}
+
+export async function getAgentTokenPublicJwk(): Promise<JWK> {
+  const pem = getPrivateKeyPem();
+  if (!pem) {
+    throw new Error("AGENT_TOKEN_PRIVATE_KEY_PEM is not configured");
+  }
+  if (cachedPublicJwk && cachedPublicJwkSource === pem) return cachedPublicJwk;
+
+  const jwk = await exportedPublicJwkForCurrentKey();
+  jwk.kid = await getAgentTokenKeyId();
+  jwk.alg = ALGORITHM;
+  jwk.use = "sig";
+
+  cachedPublicJwk = jwk;
+  cachedPublicJwkSource = pem;
+  return jwk;
+}
+
+export async function getAgentTokenJWKS(): Promise<{ keys: JWK[] }> {
+  return { keys: [await getAgentTokenPublicJwk()] };
+}
+
+export async function mintAgentToken(
+  agentId: string,
+  ttl?: unknown,
+): Promise<AgentTokenMintResult> {
+  const normalizedAgentId = normalizeAgentId(agentId);
+  const ttlSeconds = normalizeAgentTokenTtl(ttl);
+  const issuedAt = Math.floor(Date.now() / 1000);
+  const expiresAtSeconds = issuedAt + ttlSeconds;
+  const privateKey = await getAgentTokenPrivateKey();
+
+  const token = await new SignJWT({ agent_id: normalizedAgentId })
+    .setProtectedHeader({ alg: ALGORITHM, typ: "JWT", kid: await getAgentTokenKeyId() })
+    .setSubject(`agent:${normalizedAgentId}`)
+    .setIssuer(ISSUER)
+    .setAudience(AUDIENCE)
+    .setIssuedAt(issuedAt)
+    .setNotBefore(issuedAt)
+    .setExpirationTime(expiresAtSeconds)
+    .sign(privateKey);
+
+  return { token, expiresAt: new Date(expiresAtSeconds * 1000).toISOString() };
+}