graviton.protocol.http

Bearer-token authentication middleware.

Extracts Authorization: Bearer <jwt> from the request, delegates to the configured JwtVerifier, and installs the resulting CallerContext on the fiber for the lifetime of the handler. Every downstream resource check, DB read, and audit event sees the same identity.

The middleware is a plain handler combinator — no dependency on HttpAppMiddleware — so it can be composed into both the HttpApi.routes pipeline and the legacy internal pipeline without bringing in the full middleware stack from zio-http.

Routes that should stay open (e.g. /api/health) should not be wrapped.

Development-only token mint endpoint. Active only when a dev shared secret has been configured via GRAVITON_SECURITY_DEV_SHARED_SECRET.

Never mount this endpoint in production. It exists so an operator or a developer can mint an HS256 JWT locally — no external IdP required — and immediately curl the protected HTTP routes. For production, configure an OIDC issuer and an RS256 verifier instead.

Internal-only HTTP surface.

Rules:

• Runs on a separate listener/port.
• Guarded by an explicit internal token (or mTLS in production).
• Default off in deployment wiring.

Minimal "internal-only" guardrail:

• not meant for public clients
• token check is explicit and easy to wire behind a separate listener

Prefer mTLS in real deployments; this is the v1 minimum for avoiding accidental exposure.

High level HTTP client for talking to upload nodes.

The client wraps the multipart lifecycle exposed by the node and provides helpers for single-shot uploads backed by streamed request bodies. All methods are effectful and express failures as UploadNodeHttpClient.Error to keep transport concerns separate from application failures.