From 118bf911a309eeb11d8ecbde69828359ac4f842e Mon Sep 17 00:00:00 2001
From: Thomas Bouldin <inlined@google.com>
Date: Thu, 6 Feb 2025 00:49:46 -0800
Subject: [PATCH] Fix esm stuff; update docs

---
 docs/auth.md                              | 136 ++++++++-------
 docs/cloud-run.md                         |   1 +
 docs/deploy-node.md                       |   2 +
 js/core/src/context.ts                    |  40 ++++-
 js/core/src/error.ts                      |   4 +-
 js/core/src/index.ts                      |   3 +
 js/genkit/src/index.ts                    |   6 +
 js/plugins/api-key/.npmignore             |   1 -
 js/plugins/api-key/LICENSE                | 203 ----------------------
 js/plugins/api-key/jest.config.ts         |  46 -----
 js/plugins/api-key/package.json           |  55 ------
 js/plugins/api-key/src/index.ts           |  51 ------
 js/plugins/api-key/tests/index_test.ts    |  66 -------
 js/plugins/api-key/tsup.config.ts         |  22 ---
 js/plugins/firebase/package.json          |   2 -
 js/plugins/firebase/src/context.ts        |   2 +-
 js/plugins/firebase/tests/context_test.ts |   2 +-
 js/plugins/next/package.json              |   3 -
 js/plugins/next/src/client.ts             |   8 +-
 js/plugins/next/src/index.ts              |  37 ++--
 js/pnpm-lock.yaml                         |  49 +-----
 js/testapps/esm/package.json              |   2 +-
 js/testapps/esm/src/index.ts              |   6 +-
 js/testapps/express/src/index.ts          |  82 ++++-----
 24 files changed, 207 insertions(+), 622 deletions(-)
 delete mode 100644 js/plugins/api-key/.npmignore
 delete mode 100644 js/plugins/api-key/LICENSE
 delete mode 100644 js/plugins/api-key/jest.config.ts
 delete mode 100644 js/plugins/api-key/package.json
 delete mode 100644 js/plugins/api-key/src/index.ts
 delete mode 100644 js/plugins/api-key/tests/index_test.ts
 delete mode 100644 js/plugins/api-key/tsup.config.ts

diff --git a/docs/auth.md b/docs/auth.md
index 336269f02..88f150be4 100644
--- a/docs/auth.md
+++ b/docs/auth.md
@@ -15,7 +15,7 @@ Alternatively, Firebase also provides auth context into the flow where it can
 do its own  checks. For non-Functions flows, auth can be managed and set
 through middleware.
 
-## Basic flow authorization
+## Authorizing within a Flow
 
 Flows can check authorization in two ways: either the request binding
 (e.g. `onCallGenkit` for Cloud Functions for Firebase or `express`) can enforce
@@ -24,7 +24,7 @@ where the flow has access to the information for auth managed within the
 flow.
 
 ```ts
-import { genkit, z } from 'genkit';
+import { genkit, z, UserFacingError } from 'genkit';
 
 const ai = genkit({ ... });
 
@@ -34,10 +34,10 @@ export const selfSummaryFlow = ai.defineFlow( {
   outputSchema: z.string(),
 }, async (input, { context }) => {
   if (!context.auth) {
-    throw new Error('Authorization required.');
+    throw new UserFacingErrorError('UNAUTHENTICATED', 'Unauthenticated');
   }
   if (input.uid !== context.auth.uid) {
-    throw new Error('You may only summarize your own profile data.');
+    throw new UserFacingError('PERMISSION_DENIED', 'You may only summarize your own profile data.');
   }
   // Flow logic here...
 });
@@ -112,14 +112,13 @@ object in the UI, or on the command line with the `--context` flag:
 genkit flow:run selfSummaryFlow '{"uid": "abc-def"}' --context '{"auth": {"email_verified": true}}'
 ```
 
-## Cloud Functions for Firebase integration
+## Authorizing with Cloud Functions for Firebase
 
 The Cloud Functions for Firebase SDKs support Genkit including
 integration with Firebase Auth / Google Cloud Identity Platform, as well as
 built-in Firebase App Check support.
 
-### Authorization
-
+### User authentication
 The `onCallGenkit()` wrapper provided by the Firebase Functions library works
 natively with the Cloud Functions for Firebase
 [client SDKs](https://firebase.google.com/docs/functions/callable?gen=2nd#call_the_function).
@@ -192,7 +191,7 @@ export const selfSummary = onCallGenkit({
 }, selfSummaryFlow);
 ```
 
-### Client integrity
+#### Client integrity
 
 Authentication on its own goes a long way to protect your app. But it's also
 important to ensure that only your client apps are calling your functions. The
@@ -228,53 +227,74 @@ export const selfSummary = onCallGenkit({
 
 When deploying flows to a server context outside of Cloud Functions for
 Firebase, you'll want to have a way to set up your own authorization checks
-alongside the native flows. You have two options:
-
-1.  Use whatever server framework you like, and pass the auth context through
-    using the flow call as noted earlier.
-
-1.  Use `startFlowsServer()`, which the `@genkit-ai/express` plugin
-    exposes, and provide Express auth middleware in the flow server config:
-
-    ```ts
-    import { genkit, z } from 'genkit';
-    import { startFlowServer, withAuth } from '@genkit-ai/express';
-
-    const ai = genkit({ ... });;
-
-    export const selfSummaryFlow = ai.defineFlow(
-      {
-        name: 'selfSummaryFlow',
-        inputSchema: z.object({ uid: z.string() }),
-        outputSchema: z.string(),
-      },
-      async (input) => {
-        // Flow logic here...
-      }
-    );
-
-    const authProvider = (req, res, next) => {
-      const token = req.headers['authorization'];
-      const user = yourVerificationLibrary(token);
-
-      // Pass auth information to the flow
-      req.auth = user;
-      next();
-    };
-
-    startFlowServer({
-      flows: [
-        withAuth(selfSummaryFlow, authProvider, ({ auth, action, input, request }) => {
-          if (!auth) {
-            throw new Error('Authorization required.');
-          }
-          if (input.uid !== auth.uid) {
-            throw new Error('You may only summarize your own profile data.');
-          }
-        })
-      ],
-    });  // Registers the auth provider middleware and policy
-    ```
-
-    For more information about using Express, see the
-    [Cloud Run](/genkit/cloud-run) instructions.
+alongside the native flows.
+
+Use a `ContextProvider`, which both populates context values such as `auth` as well
+as allowing you to provide a declarative policy or a policy callback. The genkit
+SDK provides `ContextProvider` such as `apiKey`, and plugins may expose them as well,
+such as `@genkit-ai/firebase/context` which can be used to build Firebase apps with
+backends that are not Cloud Functions for Firebase.
+
+Given the snippet common to all kinds of applications:
+
+```ts
+// Express app with a simple API key
+import { genkit, z } from 'genkit';
+
+const ai = genkit({ ... });;
+
+export const selfSummaryFlow = ai.defineFlow(
+  {
+    name: 'selfSummaryFlow',
+    inputSchema: z.object({ uid: z.string() }),
+    outputSchema: z.string(),
+  },
+  async (input) => {
+    // Flow logic here...
+  }
+);
+```
+
+You could secure a simple "flow server" express app with:
+
+```ts
+import { apiKey } from "genkit";
+import { startFlowServer, withContext } from "@genkit-ai/express";
+
+startFlowServer({
+  flows: [
+    withContext(selfSummaryFlow, apiKey(process.env.REQUIRED_API_KEY))
+  ],
+});
+```
+
+Or you can build a custom express application using the same tools:
+
+```ts
+import { apiKey } from "genkit";
+import * as express from "express";
+import { expressHandler } from "@genkit-ai/express;
+
+const app = express();
+// Capture but don't validate the API key (or its absence)
+app.post('/summary', expressHandler(selfSummaryFlow, { context: apiKey()}))
+
+app.listen(process.env.PORT, () => {
+  console.log(`Listening on port ${process.env.PORT}`);
+})
+```
+
+`ContextProvider`s are intended to be abstract of any web framework, so these
+tools work in other frameworks like Next.js as well. Here is an example of a
+Firebase app built on Next.js.
+
+```ts
+import { appRoute } from "@genkit-ai/express";
+import { firebaseContext } from "@genkit-ai/firebase";
+
+export const POST = appRoute(selfSummaryFlow, { context: firebaseContext })
+```
+
+<!-- NOTE: Should we provide more docs? E.g. docs into various web frameworks and hosting services? -->
+For more information about using Express, see the
+[Cloud Run](/genkit/cloud-run) instructions.
diff --git a/docs/cloud-run.md b/docs/cloud-run.md
index 5551019a1..fe56abd07 100644
--- a/docs/cloud-run.md
+++ b/docs/cloud-run.md
@@ -54,6 +54,7 @@ endpoints.
 
 When you make the call, specify the flows you want to serve:
 
+There is also 
 ```ts
 import { startFlowServer } from '@genkit-ai/express';
 
diff --git a/docs/deploy-node.md b/docs/deploy-node.md
index fd489345c..29aad5cc0 100644
--- a/docs/deploy-node.md
+++ b/docs/deploy-node.md
@@ -1,3 +1,5 @@
+<!-- TODO: Add Next docs too. Maybe we need a web-hosting page that deploy-node
+     and cloud-run links to, which links to express, next, and maybe cloud functions>
 # Deploy flows to any Node.js platform
 
 Firebase Genkit has built-in integrations that help you deploy your flows to
diff --git a/js/core/src/context.ts b/js/core/src/context.ts
index 92ad59f4f..b9e107ae6 100644
--- a/js/core/src/context.ts
+++ b/js/core/src/context.ts
@@ -15,6 +15,7 @@
  */
 
 import { runInActionRuntimeContext } from './action.js';
+import { UserFacingError } from './error.js';
 import { HasRegistry, Registry } from './registry.js';
 
 const contextAlsKey = 'core.auth.context';
@@ -61,7 +62,7 @@ export function getContext(
 
 /**
  * A universal type that request handling extensions (e.g. express, next) can map their request to.
- * This allows middleware to build consistent interfacese on any web framework.
+ * This allows ContextProviders to build consistent interfacese on any web framework.
  * Headers must be lowercase to ensure portability.
  */
 export interface RequestData<T = any> {
@@ -85,3 +86,40 @@ export type ContextProvider<
   C extends ActionContext = ActionContext,
   T = any,
 > = (request: RequestData<T>) => C | Promise<C>;
+
+export interface ApiKeyContext extends ActionContext {
+  auth: {
+    apiKey: string | undefined;
+  };
+}
+
+export function apiKey(
+  policy: (context: ApiKeyContext) => void | Promise<void>
+): ContextProvider<ApiKeyContext>;
+export function apiKey(value?: string): ContextProvider<ApiKeyContext>;
+export function apiKey(
+  valueOrPolicy?: ((context: ApiKeyContext) => void | Promise<void>) | string
+): ContextProvider<ApiKeyContext> {
+  return async function (request: RequestData): Promise<ApiKeyContext> {
+    const context: ApiKeyContext = {
+      auth: { apiKey: request.headers['authorization'] },
+    };
+    if (typeof valueOrPolicy === 'string') {
+      if (!context.auth?.apiKey) {
+        console.error('THROWING UNAUTHENTICATED');
+        throw new UserFacingError('UNAUTHENTICATED', 'Unauthenticated');
+      }
+      if (context.auth?.apiKey != valueOrPolicy) {
+        console.error('Throwing PERMISSION_DENIED');
+        throw new UserFacingError('PERMISSION_DENIED', 'Permission Denied');
+      }
+    } else if (typeof valueOrPolicy === 'function') {
+      await valueOrPolicy(context);
+    } else if (typeof valueOrPolicy !== 'undefined') {
+      throw new Error(
+        `Invalid type ${typeof valueOrPolicy} passed to apiKey()`
+      );
+    }
+    return context;
+  };
+}
diff --git a/js/core/src/error.ts b/js/core/src/error.ts
index 0ff580578..bda27d595 100644
--- a/js/core/src/error.ts
+++ b/js/core/src/error.ts
@@ -17,7 +17,9 @@
 import { Registry } from './registry.js';
 import { httpStatusCode, StatusName } from './statusTypes.js';
 
-interface HttpErrorWireFormat {
+export { StatusName };
+
+export interface HttpErrorWireFormat {
   details?: unknown;
   message: string;
   status: StatusName;
diff --git a/js/core/src/index.ts b/js/core/src/index.ts
index 78a01a7ce..3933ddb53 100644
--- a/js/core/src/index.ts
+++ b/js/core/src/index.ts
@@ -30,9 +30,11 @@ export const GENKIT_REFLECTION_API_SPEC_VERSION = 1;
 export { z } from 'zod';
 export * from './action.js';
 export {
+  apiKey,
   getContext,
   runWithContext,
   type ActionContext,
+  type ApiKeyContext,
   type ContextProvider,
   type RequestData,
 } from './context.js';
@@ -43,6 +45,7 @@ export {
   assertUnstable,
   getCallableJSON,
   getHttpStatus,
+  type StatusName,
 } from './error.js';
 export {
   defineFlow,
diff --git a/js/genkit/src/index.ts b/js/genkit/src/index.ts
index 7f1564fd9..1438cdb97 100644
--- a/js/genkit/src/index.ts
+++ b/js/genkit/src/index.ts
@@ -121,9 +121,12 @@ export {
   StatusCodes,
   StatusSchema,
   UserFacingError,
+  apiKey,
   defineJsonSchema,
   defineSchema,
+  getCallableJSON,
   getCurrentEnv,
+  getHttpStatus,
   getStreamingCallback,
   isDevEnv,
   runWithStreamingCallback,
@@ -131,6 +134,7 @@ export {
   type Action,
   type ActionContext,
   type ActionMetadata,
+  type ApiKeyContext,
   type ContextProvider,
   type Flow,
   type FlowConfig,
@@ -140,8 +144,10 @@ export {
   type JSONSchema7,
   type Middleware,
   type ReflectionServerOptions,
+  type RequestData,
   type RunActionResponse,
   type Status,
+  type StatusName,
   type StreamingCallback,
   type StreamingResponse,
   type TelemetryConfig,
diff --git a/js/plugins/api-key/.npmignore b/js/plugins/api-key/.npmignore
deleted file mode 100644
index b512c09d4..000000000
--- a/js/plugins/api-key/.npmignore
+++ /dev/null
@@ -1 +0,0 @@
-node_modules
\ No newline at end of file
diff --git a/js/plugins/api-key/LICENSE b/js/plugins/api-key/LICENSE
deleted file mode 100644
index 26a870243..000000000
--- a/js/plugins/api-key/LICENSE
+++ /dev/null
@@ -1,203 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-  Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-   
\ No newline at end of file
diff --git a/js/plugins/api-key/jest.config.ts b/js/plugins/api-key/jest.config.ts
deleted file mode 100644
index ec7188b86..000000000
--- a/js/plugins/api-key/jest.config.ts
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * For a detailed explanation regarding each configuration property, visit:
- * https://jestjs.io/docs/configuration
- */
-
-import type { Config } from 'jest';
-
-const config: Config = {
-  // Automatically clear mock calls, instances, contexts and results before every test
-  clearMocks: true,
-
-  // A preset that is used as a base for Jest's configuration
-  preset: 'ts-jest',
-
-  // The glob patterns Jest uses to detect test files
-  testMatch: ['**/tests/**/*_test.ts'],
-
-  // An array of regexp pattern strings that are matched against all test paths, matched tests are skipped
-  testPathIgnorePatterns: ['/node_modules/'],
-
-  // A map from regular expressions to paths to transformers
-  transform: {
-    '^.+\\.ts$': 'ts-jest',
-  },
-
-  // An array of regexp pattern strings that are matched against all source file paths, matched files will skip transformation
-  transformIgnorePatterns: ['/node_modules/'],
-};
-
-export default config;
diff --git a/js/plugins/api-key/package.json b/js/plugins/api-key/package.json
deleted file mode 100644
index 8b6146420..000000000
--- a/js/plugins/api-key/package.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
-  "name": "@genkit-ai/api-key",
-  "description": "Genkit ContextProvider for requests using API key authorization",
-  "keywords": [
-    "genkit",
-    "genkit-plugin",
-    "google cloud",
-    "google ai",
-    "ai",
-    "genai",
-    "generative-ai",
-    "api key",
-    "middleware",
-    "auth policy"
-  ],
-  "version": "1.0.0-rc.16",
-  "type": "commonjs",
-  "scripts": {
-    "check": "tsc",
-    "compile": "tsup-node",
-    "build:clean": "rimraf ./lib",
-    "build": "npm-run-all build:clean check compile",
-    "build:watch": "tsup-node --watch",
-    "test": "jest --verbose"
-  },
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/firebase/genkit.git",
-    "directory": "js/plugins/api-key"
-  },
-  "author": "genkit",
-  "license": "Apache-2.0",
-  "peerDependencies": {
-    "@genkit-ai/core": "workspace:*"
-  },
-  "devDependencies": {
-    "npm-run-all": "^4.1.5",
-    "rimraf": "^6.0.1",
-    "tsup": "^8.0.2",
-    "tsx": "^4.7.0",
-    "typescript": "^4.9.0",
-    "jest": "^29.7.0",
-    "ts-jest": "^29.1.2",
-    "@jest/globals": "^29.7.0"
-  },
-  "types": "./lib/index.d.ts",
-  "exports": {
-    ".": {
-      "require": "./lib/index.js",
-      "import": "./lib/index.mjs",
-      "types": "./lib/index.d.ts",
-      "default": "./lib/index.js"
-    }
-  }
-}
diff --git a/js/plugins/api-key/src/index.ts b/js/plugins/api-key/src/index.ts
deleted file mode 100644
index 9ba664d01..000000000
--- a/js/plugins/api-key/src/index.ts
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import { ContextProvider, RequestData, UserFacingError } from '@genkit-ai/core';
-
-export interface ApiKeyContext {
-  auth: {
-    apiKey: string | undefined;
-  };
-}
-
-export function apiKey(
-  policy: (context: ApiKeyContext) => void | Promise<void>
-): ContextProvider<ApiKeyContext>;
-export function apiKey(value?: string): ContextProvider<ApiKeyContext>;
-export function apiKey(
-  valueOrPolicy?: ((context: ApiKeyContext) => void | Promise<void>) | string
-): ContextProvider<ApiKeyContext> {
-  return async function (request: RequestData): Promise<ApiKeyContext> {
-    const context: ApiKeyContext = { auth: { apiKey: undefined } };
-    context.auth = { apiKey: request.headers['authorization'] };
-    if (typeof valueOrPolicy === 'string') {
-      if (!context.auth) {
-        throw new UserFacingError('UNAUTHENTICATED', 'Unauthenticated');
-      }
-      if (context.auth?.apiKey != valueOrPolicy) {
-        throw new UserFacingError('PERMISSION_DENIED', 'Permission Denied');
-      }
-    } else if (typeof valueOrPolicy === 'function') {
-      await valueOrPolicy(context);
-    } else if (typeof valueOrPolicy !== 'undefined') {
-      throw new Error(
-        `Invalid type ${typeof valueOrPolicy} passed to apiKey()`
-      );
-    }
-    return context;
-  };
-}
diff --git a/js/plugins/api-key/tests/index_test.ts b/js/plugins/api-key/tests/index_test.ts
deleted file mode 100644
index 76cfe4d5f..000000000
--- a/js/plugins/api-key/tests/index_test.ts
+++ /dev/null
@@ -1,66 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import { RequestData } from '@genkit-ai/core';
-import { describe, expect, it } from '@jest/globals';
-import { ApiKeyContext, apiKey } from '../src';
-
-function request(key?: string): RequestData {
-  let headers: Record<string, string> = {};
-
-  if (key) {
-    headers = { authorization: key };
-  }
-  return {
-    method: 'POST',
-    headers,
-    input: undefined,
-  };
-}
-
-describe('apiKey', () => {
-  it('can merely save api keys', async () => {
-    expect(await apiKey()(request())).toEqual({});
-    expect(await apiKey()(request('key'))).toEqual({
-      auth: {
-        apiKey: 'key',
-      },
-    });
-  });
-
-  it('can expect specific keys', async () => {
-    expect(await apiKey('key')(request('key'))).toEqual({
-      auth: {
-        apiKey: 'key',
-      },
-    });
-    expect(() => apiKey('key')(request('wrong-key'))).rejects.toThrow();
-    expect(() => apiKey('key')(request())).rejects.toThrow();
-  });
-
-  it('can use a policy function', async () => {
-    await apiKey((context: ApiKeyContext) => {
-      expect(context).toEqual({
-        auth: {
-          apiKey: 'key',
-        },
-      });
-    })(request('key'));
-    await apiKey((context: ApiKeyContext) => {
-      expect(context).toEqual({});
-    })(request());
-  });
-});
diff --git a/js/plugins/api-key/tsup.config.ts b/js/plugins/api-key/tsup.config.ts
deleted file mode 100644
index 01dce0a6b..000000000
--- a/js/plugins/api-key/tsup.config.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import { defineConfig, Options } from 'tsup';
-import { defaultOptions } from '../../tsup.common';
-
-export default defineConfig({
-  ...(defaultOptions as Options),
-});
diff --git a/js/plugins/firebase/package.json b/js/plugins/firebase/package.json
index 51a996959..e0095fd33 100644
--- a/js/plugins/firebase/package.json
+++ b/js/plugins/firebase/package.json
@@ -34,14 +34,12 @@
     "@genkit-ai/google-cloud": "workspace:^"
   },
   "peerDependencies": {
-    "@genkit-ai/core": "workspace:*",
     "@google-cloud/firestore": "^7.6.0",
     "firebase-admin": ">=12.2",
     "genkit": "workspace:^"
   },
   "devDependencies": {
     "genkit": "workspace:*",
-    "@genkit-ai/api-key": "workspace:*",
     "@jest/globals": "^29.7.0",
     "@types/jest": "^29.5.12",
     "@types/node": "^20.11.16",
diff --git a/js/plugins/firebase/src/context.ts b/js/plugins/firebase/src/context.ts
index cb88c4434..7fbdf7e22 100644
--- a/js/plugins/firebase/src/context.ts
+++ b/js/plugins/firebase/src/context.ts
@@ -14,9 +14,9 @@
  * limitations under the License.
  */
 
-import { ContextProvider, RequestData, UserFacingError } from '@genkit-ai/core';
 import { DecodedAppCheckToken, getAppCheck } from 'firebase-admin/app-check';
 import { DecodedIdToken, getAuth } from 'firebase-admin/auth';
+import { ContextProvider, RequestData, UserFacingError } from 'genkit';
 import { initializeAppIfNecessary } from './helpers.js';
 
 /**
diff --git a/js/plugins/firebase/tests/context_test.ts b/js/plugins/firebase/tests/context_test.ts
index dc7f87b47..2686072b7 100644
--- a/js/plugins/firebase/tests/context_test.ts
+++ b/js/plugins/firebase/tests/context_test.ts
@@ -14,8 +14,8 @@
  * limitations under the License.
  */
 
-import { RequestData } from '@genkit-ai/core';
 import { describe, expect, it } from '@jest/globals';
+import { RequestData } from 'genkit';
 import {
   FirebaseContext,
   fakeToken,
diff --git a/js/plugins/next/package.json b/js/plugins/next/package.json
index 34f5d8228..41cf26573 100644
--- a/js/plugins/next/package.json
+++ b/js/plugins/next/package.json
@@ -33,14 +33,11 @@
   "author": "genkit",
   "license": "Apache-2.0",
   "peerDependencies": {
-    "@genkit-ai/core": "workspace:*",
     "genkit": "workspace:*",
     "next": "^15.0.0",
     "zod": "^3.24.1"
   },
   "devDependencies": {
-    "@genkit-ai/core": "workspace:*",
-    "@genkit-ai/api-key": "workspace:*",
     "genkit": "workspace:*",
     "@types/node": "^20.11.16",
     "@types/react": "^19",
diff --git a/js/plugins/next/src/client.ts b/js/plugins/next/src/client.ts
index 6692d0031..b88953199 100644
--- a/js/plugins/next/src/client.ts
+++ b/js/plugins/next/src/client.ts
@@ -14,18 +14,18 @@
  * limitations under the License.
  */
 
-import { Action } from '@genkit-ai/core';
+import { Action, z } from 'genkit';
 import {
   runFlow as baseRunFlow,
   streamFlow as baseStreamFlow,
 } from 'genkit/beta/client';
 
 type Input<A extends Action> =
-  A extends Action<infer I, any, any> ? I['_output'] : never;
+  A extends Action<infer I extends z.ZodAny, any, any> ? z.infer<I> : never;
 type Output<A extends Action> =
-  A extends Action<any, infer O, any> ? O['_output'] : never;
+  A extends Action<any, infer O extends z.ZodAny, any> ? z.infer<O> : never;
 type Stream<A extends Action> =
-  A extends Action<any, any, infer S> ? S['_output'] : never;
+  A extends Action<any, any, infer S extends z.ZodAny> ? z.infer<S> : never;
 
 export interface RequestData<T> {
   url: string;
diff --git a/js/plugins/next/src/index.ts b/js/plugins/next/src/index.ts
index 91080d35f..b937f10dd 100644
--- a/js/plugins/next/src/index.ts
+++ b/js/plugins/next/src/index.ts
@@ -15,15 +15,16 @@
  */
 
 import {
-  Action,
-  ActionContext,
-  ContextProvider,
   RequestData,
   getCallableJSON,
   getHttpStatus,
   z,
-} from '@genkit-ai/core';
-import { NextRequest, NextResponse } from 'next/server';
+  type Action,
+  type ActionContext,
+  type ContextProvider,
+} from 'genkit';
+import { NextRequest, NextResponse } from 'next/server.js';
+export { NextRequest, NextResponse, z, type Action, type ActionContext };
 
 const delimiter = '\n\n';
 async function getContext<C extends ActionContext, T>(
@@ -49,19 +50,18 @@ async function getContext<C extends ActionContext, T>(
   return await provider(r);
 }
 
-const appRoute =
-  <
-    C extends ActionContext = ActionContext,
-    I extends z.ZodTypeAny = z.ZodTypeAny,
-    O extends z.ZodTypeAny = z.ZodTypeAny,
-    S extends z.ZodTypeAny = z.ZodTypeAny,
-  >(
-    action: Action<I, O, S>,
-    opts?: {
-      context?: ContextProvider<C, I>;
-    }
-  ) =>
-  async (req: NextRequest): Promise<NextResponse> => {
+function appRoute<
+  C extends ActionContext = ActionContext,
+  I extends z.ZodTypeAny = z.ZodTypeAny,
+  O extends z.ZodTypeAny = z.ZodTypeAny,
+  S extends z.ZodTypeAny = z.ZodTypeAny,
+>(
+  action: Action<I, O, S>,
+  opts?: {
+    context?: ContextProvider<C, I>;
+  }
+) {
+  return async (req: NextRequest): Promise<NextResponse> => {
     let context: C = {} as C;
     const { data: input } = await req.json();
     if (req.headers.get('accept') !== 'text/event-stream') {
@@ -143,6 +143,7 @@ const appRoute =
       },
     });
   };
+}
 
 export default appRoute;
 export { appRoute };
diff --git a/js/pnpm-lock.yaml b/js/pnpm-lock.yaml
index 15330a7d6..28f362300 100644
--- a/js/pnpm-lock.yaml
+++ b/js/pnpm-lock.yaml
@@ -238,37 +238,6 @@ importers:
         specifier: ^4.9.0
         version: 4.9.5
 
-  plugins/api-key:
-    dependencies:
-      '@genkit-ai/core':
-        specifier: workspace:*
-        version: link:../../core
-    devDependencies:
-      '@jest/globals':
-        specifier: ^29.7.0
-        version: 29.7.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.16.9)(ts-node@10.9.2(@types/node@20.16.9)(typescript@4.9.5))
-      npm-run-all:
-        specifier: ^4.1.5
-        version: 4.1.5
-      rimraf:
-        specifier: ^6.0.1
-        version: 6.0.1
-      ts-jest:
-        specifier: ^29.1.2
-        version: 29.2.5(@babel/core@7.25.7)(@jest/transform@29.7.0)(@jest/types@29.6.3)(babel-jest@29.7.0(@babel/core@7.25.7))(jest@29.7.0(@types/node@20.16.9)(ts-node@10.9.2(@types/node@20.16.9)(typescript@4.9.5)))(typescript@4.9.5)
-      tsup:
-        specifier: ^8.0.2
-        version: 8.3.5(postcss@8.4.47)(tsx@4.19.2)(typescript@4.9.5)(yaml@2.7.0)
-      tsx:
-        specifier: ^4.7.0
-        version: 4.19.2
-      typescript:
-        specifier: ^4.9.0
-        version: 4.9.5
-
   plugins/checks:
     dependencies:
       '@genkit-ai/ai':
@@ -453,9 +422,6 @@ importers:
 
   plugins/firebase:
     dependencies:
-      '@genkit-ai/core':
-        specifier: workspace:*
-        version: link:../../core
       '@genkit-ai/google-cloud':
         specifier: workspace:^
         version: link:../google-cloud
@@ -466,9 +432,6 @@ importers:
         specifier: '>=12.2'
         version: 12.3.1(encoding@0.1.13)
     devDependencies:
-      '@genkit-ai/api-key':
-        specifier: workspace:*
-        version: link:../api-key
       '@jest/globals':
         specifier: ^29.7.0
         version: 29.7.0
@@ -701,12 +664,6 @@ importers:
 
   plugins/next:
     devDependencies:
-      '@genkit-ai/api-key':
-        specifier: workspace:*
-        version: link:../api-key
-      '@genkit-ai/core':
-        specifier: workspace:*
-        version: link:../../core
       '@jest/globals':
         specifier: ^29.7.0
         version: 29.7.0
@@ -1075,9 +1032,6 @@ importers:
 
   testapps/esm:
     dependencies:
-      '@genkit-ai/api-key':
-        specifier: workspace:*
-        version: link:../../plugins/api-key
       '@genkit-ai/checks':
         specifier: workspace:*
         version: link:../../plugins/checks
@@ -1099,6 +1053,9 @@ importers:
       '@genkit-ai/googleai':
         specifier: workspace:*
         version: link:../../plugins/googleai
+      '@genkit-ai/next':
+        specifier: workspace:^
+        version: link:../../plugins/next
       '@genkit-ai/vertexai':
         specifier: workspace:*
         version: link:../../plugins/vertexai
diff --git a/js/testapps/esm/package.json b/js/testapps/esm/package.json
index 1a3a2f7ce..f1b91375c 100644
--- a/js/testapps/esm/package.json
+++ b/js/testapps/esm/package.json
@@ -18,7 +18,6 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "@genkit-ai/api-key": "workspace:*",
     "@genkit-ai/checks": "workspace:*",
     "@genkit-ai/dev-local-vectorstore": "workspace:*",
     "@genkit-ai/evaluator": "workspace:*",
@@ -26,6 +25,7 @@
     "@genkit-ai/firebase": "workspace:*",
     "@genkit-ai/google-cloud": "workspace:*",
     "@genkit-ai/googleai": "workspace:*",
+    "@genkit-ai/next": "workspace:^",
     "@genkit-ai/vertexai": "workspace:*",
     "firebase-admin": ">=12.2",
     "genkit": "workspace:*",
diff --git a/js/testapps/esm/src/index.ts b/js/testapps/esm/src/index.ts
index 23720c324..fbf61e20d 100644
--- a/js/testapps/esm/src/index.ts
+++ b/js/testapps/esm/src/index.ts
@@ -14,7 +14,6 @@
  * limitations under the License.
  */
 
-import { apiKey } from '@genkit-ai/api-key';
 import { checks } from '@genkit-ai/checks';
 import { devLocalVectorstore } from '@genkit-ai/dev-local-vectorstore';
 import { genkitEval } from '@genkit-ai/evaluator';
@@ -23,6 +22,7 @@ import { enableFirebaseTelemetry } from '@genkit-ai/firebase';
 import { firebaseContext } from '@genkit-ai/firebase/context';
 import { enableGoogleCloudTelemetry } from '@genkit-ai/google-cloud';
 import { googleAI } from '@genkit-ai/googleai';
+import { appRoute } from '@genkit-ai/next';
 import { vertexAI } from '@genkit-ai/vertexai';
 import { vertexAIEvaluation } from '@genkit-ai/vertexai/evaluation';
 import { vertexAIModelGarden } from '@genkit-ai/vertexai/modelgarden';
@@ -32,7 +32,6 @@ import { chroma } from 'genkitx-chromadb';
 import { ollama } from 'genkitx-ollama';
 import { pinecone } from 'genkitx-pinecone';
 
-apiKey();
 firebaseContext();
 enableFirebaseTelemetry;
 enableGoogleCloudTelemetry;
@@ -50,4 +49,5 @@ genkitEval;
 
 export const ai = genkit({});
 const hello = ai.defineFlow('hello', () => 'hello');
-expressHandler(hello, { context: apiKey() });
+expressHandler(hello);
+appRoute(hello);
diff --git a/js/testapps/express/src/index.ts b/js/testapps/express/src/index.ts
index 4c4ae6ed1..4717bebca 100644
--- a/js/testapps/express/src/index.ts
+++ b/js/testapps/express/src/index.ts
@@ -14,20 +14,17 @@
  * limitations under the License.
  */
 
-import {
-  AuthPolicy,
-  RequestWithAuth,
-  expressHandler,
-} from '@genkit-ai/express';
+import { expressHandler } from '@genkit-ai/express';
 import { gemini15Flash, googleAI } from '@genkit-ai/googleai';
 import { vertexAI } from '@genkit-ai/vertexai';
-import express, {
-  ErrorRequestHandler,
-  Handler,
-  Request,
-  Response,
-} from 'express';
-import { genkit, z } from 'genkit';
+import express, { Request, Response } from 'express';
+import {
+  ContextProvider,
+  RequestData,
+  UserFacingError,
+  genkit,
+  z,
+} from 'genkit';
 import { logger } from 'genkit/logging';
 import { ollama } from 'genkitx-ollama';
 
@@ -49,7 +46,10 @@ const ai = genkit({
 
 export const jokeFlow = ai.defineFlow(
   { name: 'jokeFlow', inputSchema: z.string(), outputSchema: z.string() },
-  async (subject, { sendChunk }) => {
+  async (subject, { context, sendChunk }) => {
+    if (context!.auth!.username != 'Ali Baba') {
+      throw new UserFacingError('PERMISSION_DENIED', context!.auth!.username!);
+    }
     return await ai.run('call-llm', async () => {
       const llmResponse = await ai.generate({
         prompt: `tell me long joke about ${subject}`,
@@ -65,33 +65,45 @@ export const jokeFlow = ai.defineFlow(
   }
 );
 
-const auth: Handler = (req, resp, next) => {
-  const token = req.header('authorization');
-  // pretend we check auth token
-  (req as RequestWithAuth).auth = {
-    username: token === 'open sesame' ? 'Ali Baba' : '40 thieves',
+interface AuthContext {
+  auth: {
+    username: string;
   };
-  next();
-};
+}
+
+// ContextProviders often follow this pattern, where a factory function
+// creates a ContextProvider that also validates the Context.
+// This is often done either declaratively or with a callback.
+// This type, once defined, can be used in other web frameworks such
+// as Next.js as well.
+function auth(requiredUser?: string): ContextProvider<AuthContext> {
+  return (req: RequestData): AuthContext => {
+    // Parsing:
+    const token = req.headers['authorization'];
+    const context: AuthContext = {
+      auth: {
+        // pretend we check auth token
+        username: token === 'open sesame' ? 'Ali Baba' : '40 thieves',
+      },
+    };
+    // validating
+    if (requiredUser && context.auth.username != requiredUser) {
+      throw new UserFacingError('PERMISSION_DENIED', context.auth.username);
+    }
+    return context;
+  };
+}
 
 const app = express();
 app.use(express.json());
 
-const authPolicies: Record<string, AuthPolicy> = {
-  jokeFlow: ({ auth }) => {
-    if (auth?.username != 'Ali Baba') {
-      throw new Error('unauthorized: ' + JSON.stringify(auth));
-    }
-  },
+const acls: Record<string, string> = {
+  jokeFlow: 'Ali Baba',
 };
 
 // curl http://localhost:5000/jokeFlow?stream=true -d '{"data": "banana"}' -H "content-type: application/json" -H "authorization: open sesame"
 ai.flows.forEach((f) => {
-  app.post(
-    `/${f.name}`,
-    auth,
-    expressHandler(f, { authPolicy: authPolicies[f.name] })
-  );
+  app.post(`/${f.name}`, expressHandler(f, { context: auth(acls[f.name]) }));
 });
 
 // curl http://localhost:5000/jokeHandler?stream=true -d '{"data": "banana"}' -H "content-type: application/json"
@@ -133,14 +145,6 @@ app.get('/jokeStream', async (req: Request, res: Response) => {
   res.end();
 });
 
-const errorHandler: ErrorRequestHandler = (error, request, response, next) => {
-  if (error instanceof Error) {
-    console.log(error.stack);
-  }
-  return response.status(500).send(error);
-};
-app.use(errorHandler);
-
 const port = process.env.PORT || 5000;
 app.listen(port, () => {
   console.log(`Example app listening on port ${port}`);