fix: export getAuthKitContext as the public auth context accessor

[nicknisi]

Summary

A customer upgrading 0.8.2 → 0.8.5 reported that authkitMiddleware no longer provides a downstream context type, and that the getAuthKitContext() helper that replaces it isn't publicly exported.

They're right, and it was unintentional: the lazy dynamic-import shell from #85 (shipped in v0.8.3) severed TypeScript's inference of the middleware context. The inline args.next({ context }) call that carried the type moved into middleware-body.ts behind await import(), so the .server() callback's return type — and with it the downstream context type — collapsed to untyped.

Approach

Export the accessor the SDK already uses internally, rather than restoring the inferred type with a cast on the shell. A cast would be unchecked against the body's real context shape (middlewareBody returns any) and fragile against TanStack Start beta type churn — and context.ts already didn't trust the inferred typing (it casts getGlobalStartContext() itself).

• New public AuthKitContext type: auth(), request, redirectUri. The internal AuthKitServerContext extends it with __setPendingHeader, keeping the header-plumbing channel out of the public API.
• getAuthKitContext() and getAuthKitContextOrNull() are exported from the package barrel with the narrowed return type. Deep imports aren't in the exports map, so the barrel is the public boundary.
• Internal __setPendingHeader consumers (storage.ts, server-fn-bodies.ts) move to a new @internal getInternalAuthKitContextOrNull().
• middleware.ts is untouched — no change to the bundle-leak guard surface.

Testing

• pnpm typecheck, pnpm lint (oxlint regression guard intact)
• pnpm test — 222 tests pass; added type-level tests proving __setPendingHeader is absent from the public type, plus export assertions in tests/exports.spec.ts
• pnpm build and cd example && pnpm build — no Node-only module warnings
• pnpm run build:check — no server fingerprints in the example client bundle

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

[greptile-apps]

Greptile Summary

This PR fixes a regression from #85 where the lazy dynamic-import shell for authkitMiddleware broke TypeScript's inference of downstream context types, leaving getAuthKitContext() both untyped and unexported. The fix introduces a new public AuthKitContext interface and exports getAuthKitContext / getAuthKitContextOrNull from the package barrel, while keeping the internal __setPendingHeader channel hidden behind a new getInternalAuthKitContextOrNull() accessor.

• New public surface: AuthKitContext type plus getAuthKitContext() and getAuthKitContextOrNull() are now exported; AuthKitServerContext (with __setPendingHeader) is kept internal.
• Internal callers updated: storage.ts and server-fn-bodies.ts now call getInternalAuthKitContextOrNull() to retain access to the header-plumbing channel.
• Tests added: Type-level assertions confirm __setPendingHeader is absent from the public type, and export smoke tests verify the new barrel entries.

Confidence Score: 5/5

Safe to merge. The change is a well-scoped public API surface addition with no logic mutations in the runtime paths.

The diff is clean and consistent: the new public/internal type split is correctly enforced, all three internal callers (storage.ts, server-fn-bodies.ts, and the now-delegating getAuthKitContextOrNull) have been updated, the barrel export does not accidentally expose the internal accessor, and the new tests cover both runtime identity and type-level guarantees. No logic is changed in auth, cookie, or session handling.

No files require special attention.

Important Files Changed

Filename	Overview
src/server/context.ts	Introduces public AuthKitContext interface (auth, request, redirectUri) and narrows the return types of getAuthKitContext and getAuthKitContextOrNull to it; adds getInternalAuthKitContextOrNull for internal callers that need __setPendingHeader. Logic is correct and the type hierarchy (ServerContext extends Context) is sound.
src/server/index.ts	Adds getAuthKitContext, getAuthKitContextOrNull, and AuthKitContext to the public barrel export. getInternalAuthKitContextOrNull is intentionally omitted, maintaining the internal/public boundary.
src/server/storage.ts	Swaps getAuthKitContextOrNull for getInternalAuthKitContextOrNull; no logic change, correctly retains access to __setPendingHeader.
src/server/server-fn-bodies.ts	Swaps getAuthKitContextOrNull for getInternalAuthKitContextOrNull in forwardAuthorizationCookies; no logic change, guard on __setPendingHeader is preserved.
src/server/context.spec.ts	Adds expectTypeOf type-level tests confirming __setPendingHeader is absent from the public type and present on the internal type; also verifies all three accessors return the same underlying object at runtime.
src/server/storage.spec.ts	Mock key updated from getAuthKitContextOrNull to getInternalAuthKitContextOrNull to match the updated import in storage.ts. Correct and complete.
tests/exports.spec.ts	Adds runtime presence checks for getAuthKitContext and getAuthKitContextOrNull in the public exports smoke test.

_{Reviews (1): Last reviewed commit: "fix: export getAuthKitContext as the pub..." | Re-trigger Greptile}