@a5c-ai/adapters-gateway 5.1.1-staging.52898ebfc24f

package/README.md

@@ -0,0 +1,20 @@
+# @a5c-ai/adapters-gateway
+
+`@a5c-ai/adapters-gateway` is the package scaffold for remote and browser-facing
+adapters surfaces.
+
+Current scope:
+
+- `GatewayConfig` and default configuration helpers
+- `createGateway(config)` returning a start/stop gateway handle
+- token auth, HTTP/WS server, run manager, fanout replay, and runtime hook brokering
+- optional static webui hosting from `@a5c-ai/genty-webui/dist`
+
+Service templates:
+
+- `examples/systemd/adapters-gateway.service`
+- `examples/launchd/ai.a5c.adapters.gateway.plist`
+
+If the web UI package is not installed, `/` returns a helpful 404. Install
+`@a5c-ai/genty-webui` alongside this package or start the CLI with
+`adapters gateway serve --webui /path/to/dist`.

package/dist/auth/bootstrap.d.ts

@@ -0,0 +1,89 @@
+import type { TokenIssueResult, TokenStore } from './tokens.js';
+export type BootstrapAuthMode = 'manual' | 'local-dev' | 'bootstrap-admin';
+export interface BootstrapAuthConfig {
+    mode: BootstrapAuthMode;
+    adminUsername: string | null;
+    adminPassword: string | null;
+    tokenSeed: string | null;
+    bootstrapTokenName: string;
+}
+export interface BootstrapAuthState {
+    mode: BootstrapAuthMode;
+    adminUsername: string;
+    passwordHash: string;
+    bootstrapTokenName: string;
+    bootstrapTokenId: string | null;
+    createdAt: number;
+    updatedAt: number;
+    lastLoginAt: number | null;
+}
+export interface BootstrapAuthStore {
+    get(): Promise<BootstrapAuthState | null>;
+    save(input: {
+        mode: BootstrapAuthMode;
+        adminUsername: string;
+        passwordHash: string;
+        bootstrapTokenName: string;
+        bootstrapTokenId?: string | null;
+    }): Promise<BootstrapAuthState>;
+    touchLogin(): Promise<void>;
+    updateBootstrapToken(tokenId: string | null): Promise<void>;
+    close?(): void;
+}
+export declare class MemoryBootstrapAuthStore implements BootstrapAuthStore {
+    private state;
+    get(): Promise<BootstrapAuthState | null>;
+    save(input: {
+        mode: BootstrapAuthMode;
+        adminUsername: string;
+        passwordHash: string;
+        bootstrapTokenName: string;
+        bootstrapTokenId?: string | null;
+    }): Promise<BootstrapAuthState>;
+    touchLogin(): Promise<void>;
+    updateBootstrapToken(tokenId: string | null): Promise<void>;
+    close(): void;
+}
+export declare class SqliteBootstrapAuthStore implements BootstrapAuthStore {
+    private readonly db;
+    constructor(dbPath: string);
+    get(): Promise<BootstrapAuthState | null>;
+    save(input: {
+        mode: BootstrapAuthMode;
+        adminUsername: string;
+        passwordHash: string;
+        bootstrapTokenName: string;
+        bootstrapTokenId?: string | null;
+    }): Promise<BootstrapAuthState>;
+    touchLogin(): Promise<void>;
+    updateBootstrapToken(tokenId: string | null): Promise<void>;
+    close(): void;
+    private rowToState;
+}
+export interface BootstrapAuthInitResult {
+    enabled: boolean;
+    mode: BootstrapAuthMode;
+    adminUsername: string | null;
+    bootstrapTokenIssued: boolean;
+    bootstrapTokenId: string | null;
+}
+export interface BootstrapLoginInput {
+    username: string;
+    password: string;
+    clientName?: string | null;
+    ttlMs?: number | null;
+}
+export declare class BootstrapAuthService {
+    private readonly config;
+    private readonly store;
+    private readonly tokenStore;
+    constructor(config: BootstrapAuthConfig, store: BootstrapAuthStore, tokenStore: TokenStore);
+    initialize(): Promise<BootstrapAuthInitResult>;
+    login(input: BootstrapLoginInput): Promise<TokenIssueResult | null>;
+    describe(): Promise<{
+        enabled: boolean;
+        mode: BootstrapAuthMode;
+        adminUsername: string | null;
+        bootstrapTokenId: string | null;
+    }>;
+}

package/dist/auth/bootstrap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../../src/auth/bootstrap.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAKhE,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,WAAW,GAAG,iBAAiB,CAAC;AAE3E,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,iBAAiB,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,iBAAiB,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,IAAI,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,CAAC,KAAK,EAAE;QACV,IAAI,EAAE,iBAAiB,CAAC;QACxB,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;KAClC,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAChC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5B,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5D,KAAK,CAAC,IAAI,IAAI,CAAC;CAChB;AAcD,qBAAa,wBAAyB,YAAW,kBAAkB;IACjE,OAAO,CAAC,KAAK,CAAmC;IAE1C,GAAG,IAAI,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAIzC,IAAI,CAAC,KAAK,EAAE;QAChB,IAAI,EAAE,iBAAiB,CAAC;QACxB,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;KAClC,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAgBzB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAS3B,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAQjE,KAAK,IAAI,IAAI;CACd;AAED,qBAAa,wBAAyB,YAAW,kBAAkB;IACjE,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAM;gBAEb,MAAM,EAAE,MAAM;IAiBpB,GAAG,IAAI,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IASzC,IAAI,CAAC,KAAK,EAAE;QAChB,IAAI,EAAE,iBAAiB,CAAC;QACxB,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;KAClC,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAwCzB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAS3B,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAQjE,KAAK,IAAI,IAAI;IAIb,OAAO,CAAC,UAAU;CAYnB;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,iBAAiB,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;CACjC;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,qBAAa,oBAAoB;IAE7B,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAFV,MAAM,EAAE,mBAAmB,EAC3B,KAAK,EAAE,kBAAkB,EACzB,UAAU,EAAE,UAAU;IAGnC,UAAU,IAAI,OAAO,CAAC,uBAAuB,CAAC;IAiD9C,KAAK,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAqBnE,QAAQ;;;;;;CASf"}

package/dist/auth/bootstrap.js

@@ -0,0 +1,222 @@
+import { createRequire } from 'node:module';
+import { hashSecret, verifySecretHash } from './hashing.js';
+const require = createRequire(import.meta.url);
+const { DatabaseSync } = require('node:sqlite');
+function now() {
+    return Date.now();
+}
+function normalizeString(value) {
+    if (typeof value !== 'string') {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+export class MemoryBootstrapAuthStore {
+    state = null;
+    async get() {
+        return this.state ? { ...this.state } : null;
+    }
+    async save(input) {
+        const timestamp = now();
+        const existing = this.state;
+        this.state = {
+            mode: input.mode,
+            adminUsername: input.adminUsername,
+            passwordHash: input.passwordHash,
+            bootstrapTokenName: input.bootstrapTokenName,
+            bootstrapTokenId: input.bootstrapTokenId ?? existing?.bootstrapTokenId ?? null,
+            createdAt: existing?.createdAt ?? timestamp,
+            updatedAt: timestamp,
+            lastLoginAt: existing?.lastLoginAt ?? null,
+        };
+        return { ...this.state };
+    }
+    async touchLogin() {
+        if (!this.state) {
+            return;
+        }
+        const timestamp = now();
+        this.state.lastLoginAt = timestamp;
+        this.state.updatedAt = timestamp;
+    }
+    async updateBootstrapToken(tokenId) {
+        if (!this.state) {
+            return;
+        }
+        this.state.bootstrapTokenId = tokenId;
+        this.state.updatedAt = now();
+    }
+    close() { }
+}
+export class SqliteBootstrapAuthStore {
+    db;
+    constructor(dbPath) {
+        this.db = new DatabaseSync(dbPath);
+        this.db.exec(`
+      CREATE TABLE IF NOT EXISTS gateway_bootstrap_auth (
+        singleton_key TEXT PRIMARY KEY,
+        mode TEXT NOT NULL,
+        admin_username TEXT NOT NULL,
+        password_hash TEXT NOT NULL,
+        bootstrap_token_name TEXT NOT NULL,
+        bootstrap_token_id TEXT,
+        created_at INTEGER NOT NULL,
+        updated_at INTEGER NOT NULL,
+        last_login_at INTEGER
+      );
+    `);
+    }
+    async get() {
+        const row = this.db.prepare(`
+      SELECT mode, admin_username, password_hash, bootstrap_token_name, bootstrap_token_id, created_at, updated_at, last_login_at
+      FROM gateway_bootstrap_auth
+      WHERE singleton_key = 'bootstrap'
+    `).get();
+        return row ? this.rowToState(row) : null;
+    }
+    async save(input) {
+        const existing = await this.get();
+        const timestamp = now();
+        this.db.prepare(`
+      INSERT INTO gateway_bootstrap_auth (
+        singleton_key,
+        mode,
+        admin_username,
+        password_hash,
+        bootstrap_token_name,
+        bootstrap_token_id,
+        created_at,
+        updated_at,
+        last_login_at
+      )
+      VALUES ('bootstrap', ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(singleton_key) DO UPDATE SET
+        mode = excluded.mode,
+        admin_username = excluded.admin_username,
+        password_hash = excluded.password_hash,
+        bootstrap_token_name = excluded.bootstrap_token_name,
+        bootstrap_token_id = excluded.bootstrap_token_id,
+        updated_at = excluded.updated_at
+    `).run(input.mode, input.adminUsername, input.passwordHash, input.bootstrapTokenName, input.bootstrapTokenId ?? existing?.bootstrapTokenId ?? null, existing?.createdAt ?? timestamp, timestamp, existing?.lastLoginAt ?? null);
+        const state = await this.get();
+        if (!state) {
+            throw new Error('bootstrap_auth_state_missing');
+        }
+        return state;
+    }
+    async touchLogin() {
+        const timestamp = now();
+        this.db.prepare(`
+      UPDATE gateway_bootstrap_auth
+      SET last_login_at = ?, updated_at = ?
+      WHERE singleton_key = 'bootstrap'
+    `).run(timestamp, timestamp);
+    }
+    async updateBootstrapToken(tokenId) {
+        this.db.prepare(`
+      UPDATE gateway_bootstrap_auth
+      SET bootstrap_token_id = ?, updated_at = ?
+      WHERE singleton_key = 'bootstrap'
+    `).run(tokenId, now());
+    }
+    close() {
+        this.db.close();
+    }
+    rowToState(row) {
+        return {
+            mode: (row['mode'] === 'bootstrap-admin' || row['mode'] === 'local-dev') ? row['mode'] : 'manual',
+            adminUsername: String(row['admin_username']),
+            passwordHash: String(row['password_hash']),
+            bootstrapTokenName: String(row['bootstrap_token_name']),
+            bootstrapTokenId: row['bootstrap_token_id'] == null ? null : String(row['bootstrap_token_id']),
+            createdAt: Number(row['created_at']),
+            updatedAt: Number(row['updated_at']),
+            lastLoginAt: row['last_login_at'] == null ? null : Number(row['last_login_at']),
+        };
+    }
+}
+export class BootstrapAuthService {
+    config;
+    store;
+    tokenStore;
+    constructor(config, store, tokenStore) {
+        this.config = config;
+        this.store = store;
+        this.tokenStore = tokenStore;
+    }
+    async initialize() {
+        const mode = this.config.mode;
+        const adminUsername = normalizeString(this.config.adminUsername);
+        const adminPassword = normalizeString(this.config.adminPassword);
+        if (mode === 'manual' || !adminUsername || !adminPassword) {
+            return {
+                enabled: false,
+                mode,
+                adminUsername,
+                bootstrapTokenIssued: false,
+                bootstrapTokenId: null,
+            };
+        }
+        const passwordHash = await hashSecret(adminPassword);
+        let state = await this.store.save({
+            mode,
+            adminUsername,
+            passwordHash,
+            bootstrapTokenName: this.config.bootstrapTokenName,
+        });
+        let bootstrapTokenIssued = false;
+        const tokenSeed = normalizeString(this.config.tokenSeed);
+        if (tokenSeed) {
+            const existingToken = await this.tokenStore.verify(tokenSeed);
+            if (existingToken) {
+                await this.store.updateBootstrapToken(existingToken.id);
+                state = (await this.store.get()) ?? state;
+            }
+            else {
+                const issued = await this.tokenStore.create({
+                    name: this.config.bootstrapTokenName,
+                    plaintext: tokenSeed,
+                });
+                bootstrapTokenIssued = true;
+                await this.store.updateBootstrapToken(issued.id);
+                state = (await this.store.get()) ?? state;
+            }
+        }
+        return {
+            enabled: true,
+            mode: state.mode,
+            adminUsername: state.adminUsername,
+            bootstrapTokenIssued,
+            bootstrapTokenId: state.bootstrapTokenId,
+        };
+    }
+    async login(input) {
+        const state = await this.store.get();
+        if (!state) {
+            return null;
+        }
+        const username = normalizeString(input.username);
+        if (!username || username !== state.adminUsername) {
+            return null;
+        }
+        if (!(await verifySecretHash(state.passwordHash, input.password))) {
+            return null;
+        }
+        await this.store.touchLogin();
+        return await this.tokenStore.create({
+            name: normalizeString(input.clientName) ?? `${state.adminUsername}-session`,
+            ttlMs: typeof input.ttlMs === 'number' ? input.ttlMs : null,
+        });
+    }
+    async describe() {
+        const state = await this.store.get();
+        return {
+            enabled: state !== null,
+            mode: state?.mode ?? this.config.mode,
+            adminUsername: state?.adminUsername ?? normalizeString(this.config.adminUsername),
+            bootstrapTokenId: state?.bootstrapTokenId ?? null,
+        };
+    }
+}
+//# sourceMappingURL=bootstrap.js.map

package/dist/auth/bootstrap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/auth/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAG5D,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,aAAa,CAAgD,CAAC;AAqC/F,SAAS,GAAG;IACV,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;AACpB,CAAC;AAED,SAAS,eAAe,CAAC,KAAgC;IACvD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;AAC7C,CAAC;AAED,MAAM,OAAO,wBAAwB;IAC3B,KAAK,GAA8B,IAAI,CAAC;IAEhD,KAAK,CAAC,GAAG;QACP,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAMV;QACC,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC;QAC5B,IAAI,CAAC,KAAK,GAAG;YACX,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,aAAa,EAAE,KAAK,CAAC,aAAa;YAClC,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;YAC5C,gBAAgB,EAAE,KAAK,CAAC,gBAAgB,IAAI,QAAQ,EAAE,gBAAgB,IAAI,IAAI;YAC9E,SAAS,EAAE,QAAQ,EAAE,SAAS,IAAI,SAAS;YAC3C,SAAS,EAAE,SAAS;YACpB,WAAW,EAAE,QAAQ,EAAE,WAAW,IAAI,IAAI;SAC3C,CAAC;QACF,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO;QACT,CAAC;QACD,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,SAAS,CAAC;QACnC,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,SAAS,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,OAAsB;QAC/C,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO;QACT,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,gBAAgB,GAAG,OAAO,CAAC;QACtC,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;IAC/B,CAAC;IAED,KAAK,KAAU,CAAC;CACjB;AAED,MAAM,OAAO,wBAAwB;IAClB,EAAE,CAAM;IAEzB,YAAY,MAAc;QACxB,IAAI,CAAC,EAAE,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC;;;;;;;;;;;;KAYZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG;QACP,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;KAI3B,CAAC,CAAC,GAAG,EAAyC,CAAC;QAChD,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAMV;QACC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;QACxB,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;;;;;;;;;;;;;KAoBf,CAAC,CAAC,GAAG,CACJ,KAAK,CAAC,IAAI,EACV,KAAK,CAAC,aAAa,EACnB,KAAK,CAAC,YAAY,EAClB,KAAK,CAAC,kBAAkB,EACxB,KAAK,CAAC,gBAAgB,IAAI,QAAQ,EAAE,gBAAgB,IAAI,IAAI,EAC5D,QAAQ,EAAE,SAAS,IAAI,SAAS,EAChC,SAAS,EACT,QAAQ,EAAE,WAAW,IAAI,IAAI,CAC9B,CAAC;QACF,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,EAAE,CAAC;QAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,UAAU;QACd,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;QACxB,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;KAIf,CAAC,CAAC,GAAG,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,OAAsB;QAC/C,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;KAIf,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;IACzB,CAAC;IAED,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;IAEO,UAAU,CAAC,GAA4B;QAC7C,OAAO;YACL,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,iBAAiB,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ;YACjG,aAAa,EAAE,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAC5C,YAAY,EAAE,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YAC1C,kBAAkB,EAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;YACvD,gBAAgB,EAAE,GAAG,CAAC,oBAAoB,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YAC9F,SAAS,EAAE,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACpC,SAAS,EAAE,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACpC,WAAW,EAAE,GAAG,CAAC,eAAe,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;SAChF,CAAC;IACJ,CAAC;CACF;AAiBD,MAAM,OAAO,oBAAoB;IAEZ;IACA;IACA;IAHnB,YACmB,MAA2B,EAC3B,KAAyB,EACzB,UAAsB;QAFtB,WAAM,GAAN,MAAM,CAAqB;QAC3B,UAAK,GAAL,KAAK,CAAoB;QACzB,eAAU,GAAV,UAAU,CAAY;IACtC,CAAC;IAEJ,KAAK,CAAC,UAAU;QACd,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QAC9B,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACjE,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACjE,IAAI,IAAI,KAAK,QAAQ,IAAI,CAAC,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,IAAI;gBACJ,aAAa;gBACb,oBAAoB,EAAE,KAAK;gBAC3B,gBAAgB,EAAE,IAAI;aACvB,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,aAAa,CAAC,CAAC;QACrD,IAAI,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YAChC,IAAI;YACJ,aAAa;YACb,YAAY;YACZ,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB;SACnD,CAAC,CAAC;QACH,IAAI,oBAAoB,GAAG,KAAK,CAAC;QAEjC,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACzD,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC9D,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;gBACxD,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,KAAK,CAAC;YAC5C,CAAC;iBAAM,CAAC;gBACN,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;oBAC1C,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB;oBACpC,SAAS,EAAE,SAAS;iBACrB,CAAC,CAAC;gBACH,oBAAoB,GAAG,IAAI,CAAC;gBAC5B,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBACjD,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,KAAK,CAAC;YAC5C,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,aAAa,EAAE,KAAK,CAAC,aAAa;YAClC,oBAAoB;YACpB,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;SACzC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAA0B;QACpC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QACrC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,IAAI,QAAQ,KAAK,KAAK,CAAC,aAAa,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,gBAAgB,CAAC,KAAK,CAAC,YAAY,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YAClE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;QAC9B,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YAClC,IAAI,EAAE,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,GAAG,KAAK,CAAC,aAAa,UAAU;YAC3E,KAAK,EAAE,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI;SAC5D,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QACrC,OAAO;YACL,OAAO,EAAE,KAAK,KAAK,IAAI;YACvB,IAAI,EAAE,KAAK,EAAE,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI;YACrC,aAAa,EAAE,KAAK,EAAE,aAAa,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;YACjF,gBAAgB,EAAE,KAAK,EAAE,gBAAgB,IAAI,IAAI;SAClD,CAAC;IACJ,CAAC;CACF"}

package/dist/auth/hashing.d.ts

@@ -0,0 +1,4 @@
+export declare function hashToken(plaintext: string): Promise<string>;
+export declare function verifyTokenHash(hash: string, plaintext: string): Promise<boolean>;
+export declare const hashSecret: typeof hashToken;
+export declare const verifySecretHash: typeof verifyTokenHash;

package/dist/auth/hashing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hashing.d.ts","sourceRoot":"","sources":["../../src/auth/hashing.ts"],"names":[],"mappings":"AAaA,wBAAsB,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKlE;AAED,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAMvF;AAED,eAAO,MAAM,UAAU,kBAAY,CAAC;AACpC,eAAO,MAAM,gBAAgB,wBAAkB,CAAC"}

package/dist/auth/hashing.js

@@ -0,0 +1,27 @@
+import { randomBytes } from 'node:crypto';
+import argon2 from 'argon2';
+const ARGON2_OPTIONS = Object.freeze({
+    type: argon2.argon2id,
+    saltLength: 16,
+    hashLength: 32,
+    parallelism: 1,
+    memoryCost: 64 * 1024,
+    timeCost: 3,
+});
+export async function hashToken(plaintext) {
+    return await argon2.hash(plaintext, {
+        ...ARGON2_OPTIONS,
+        salt: randomBytes(ARGON2_OPTIONS.saltLength),
+    });
+}
+export async function verifyTokenHash(hash, plaintext) {
+    try {
+        return await argon2.verify(hash, plaintext);
+    }
+    catch {
+        return false;
+    }
+}
+export const hashSecret = hashToken;
+export const verifySecretHash = verifyTokenHash;
+//# sourceMappingURL=hashing.js.map

package/dist/auth/hashing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hashing.js","sourceRoot":"","sources":["../../src/auth/hashing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC;IACnC,IAAI,EAAE,MAAM,CAAC,QAAQ;IACrB,UAAU,EAAE,EAAE;IACd,UAAU,EAAE,EAAE;IACd,WAAW,EAAE,CAAC;IACd,UAAU,EAAE,EAAE,GAAG,IAAI;IACrB,QAAQ,EAAE,CAAC;CACZ,CAAC,CAAC;AAEH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,SAAiB;IAC/C,OAAO,MAAM,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE;QAClC,GAAG,cAAc;QACjB,IAAI,EAAE,WAAW,CAAC,cAAc,CAAC,UAAU,CAAC;KAC7C,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAY,EAAE,SAAiB;IACnE,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,UAAU,GAAG,SAAS,CAAC;AACpC,MAAM,CAAC,MAAM,gBAAgB,GAAG,eAAe,CAAC"}

package/dist/auth/middleware.d.ts

@@ -0,0 +1,3 @@
+import type { TokenStore, TokenRecord } from './tokens.js';
+export declare function parseBearerToken(headerValue: string | null | undefined): string | null;
+export declare function authenticateBearerToken(tokenStore: TokenStore, headerValue: string | null | undefined): Promise<TokenRecord | null>;

package/dist/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE3D,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAItF;AAED,wBAAsB,uBAAuB,CAC3C,UAAU,EAAE,UAAU,EACtB,WAAW,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GACrC,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAO7B"}

package/dist/auth/middleware.js

@@ -0,0 +1,17 @@
+export function parseBearerToken(headerValue) {
+    if (!headerValue)
+        return null;
+    const match = headerValue.match(/^Bearer\s+(.+)$/i);
+    return match?.[1]?.trim() ?? null;
+}
+export async function authenticateBearerToken(tokenStore, headerValue) {
+    const token = parseBearerToken(headerValue);
+    if (!token)
+        return null;
+    const record = await tokenStore.verify(token);
+    if (!record)
+        return null;
+    await tokenStore.touch(record.id);
+    return record;
+}
+//# sourceMappingURL=middleware.js.map

package/dist/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,gBAAgB,CAAC,WAAsC;IACrE,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACpD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,UAAsB,EACtB,WAAsC;IAEtC,MAAM,KAAK,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAClC,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/auth/tokens.d.ts

@@ -0,0 +1,45 @@
+export interface TokenRecord {
+    id: string;
+    name: string;
+    createdAt: number;
+    updatedAt: number;
+    lastUsedAt: number | null;
+    expiresAt: number | null;
+    revokedAt: number | null;
+}
+export interface TokenIssueResult {
+    id: string;
+    plaintext: string;
+    record: TokenRecord;
+}
+export interface TokenCreateInput {
+    name: string;
+    ttlMs?: number | null;
+    plaintext?: string | null;
+}
+export interface TokenStore {
+    create(input: TokenCreateInput): Promise<TokenIssueResult>;
+    verify(plaintext: string): Promise<TokenRecord | null>;
+    revoke(id: string): Promise<boolean>;
+    list(): Promise<TokenRecord[]>;
+    touch(id: string): Promise<boolean>;
+}
+export declare class MemoryTokenStore implements TokenStore {
+    private readonly records;
+    create(input: TokenCreateInput): Promise<TokenIssueResult>;
+    verify(plaintext: string): Promise<TokenRecord | null>;
+    revoke(id: string): Promise<boolean>;
+    list(): Promise<TokenRecord[]>;
+    touch(id: string): Promise<boolean>;
+}
+export declare class SqliteTokenStore implements TokenStore {
+    private readonly db;
+    constructor(dbPath?: string);
+    create(input: TokenCreateInput): Promise<TokenIssueResult>;
+    verify(plaintext: string): Promise<TokenRecord | null>;
+    revoke(id: string): Promise<boolean>;
+    list(): Promise<TokenRecord[]>;
+    touch(id: string): Promise<boolean>;
+    close(): void;
+    private rowToRecord;
+}

package/dist/auth/tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../../src/auth/tokens.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,WAAW,CAAC;CACrB;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,MAAM,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC3D,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IACvD,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAC/B,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACrC;AA6BD,qBAAa,gBAAiB,YAAW,UAAU;IACjD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAwC;IAE1D,MAAM,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAuB1D,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAWtD,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQpC,IAAI,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;IAI9B,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAO1C;AAED,qBAAa,gBAAiB,YAAW,UAAU;IACjD,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAM;gBAEb,MAAM,GAAE,MAA4B;IAiB1C,MAAM,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAmC1D,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAiBtD,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUpC,IAAI,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;IAS9B,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUzC,KAAK,IAAI,IAAI;IAIb,OAAO,CAAC,WAAW;CAYpB"}

package/dist/auth/tokens.js

@@ -0,0 +1,186 @@
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { randomBytes, randomUUID } from 'node:crypto';
+import { mkdirSync } from 'node:fs';
+import { createRequire } from 'node:module';
+import { hashToken, verifyTokenHash } from './hashing.js';
+const require = createRequire(import.meta.url);
+const { DatabaseSync } = require('node:sqlite');
+function defaultSqlitePath() {
+    return path.join(os.homedir(), '.adapters', 'gateway', 'tokens.db');
+}
+function now() {
+    return Date.now();
+}
+function issuePlaintextToken() {
+    return randomBytes(32).toString('base64url');
+}
+function toPublicRecord(record) {
+    const { hash: _hash, ...publicRecord } = record;
+    return publicRecord;
+}
+function isUsable(record, currentTime) {
+    if (record.revokedAt !== null)
+        return false;
+    if (record.expiresAt !== null && record.expiresAt <= currentTime)
+        return false;
+    return true;
+}
+export class MemoryTokenStore {
+    records = new Map();
+    async create(input) {
+        const plaintext = input.plaintext && input.plaintext.trim().length > 0
+            ? input.plaintext
+            : issuePlaintextToken();
+        const createdAt = now();
+        const record = {
+            id: randomUUID(),
+            name: input.name,
+            hash: await hashToken(plaintext),
+            createdAt,
+            updatedAt: createdAt,
+            lastUsedAt: null,
+            expiresAt: input.ttlMs ? createdAt + input.ttlMs : null,
+            revokedAt: null,
+        };
+        this.records.set(record.id, record);
+        return {
+            id: record.id,
+            plaintext,
+            record: toPublicRecord(record),
+        };
+    }
+    async verify(plaintext) {
+        const currentTime = now();
+        for (const record of this.records.values()) {
+            if (!isUsable(record, currentTime))
+                continue;
+            if (await verifyTokenHash(record.hash, plaintext)) {
+                return toPublicRecord(record);
+            }
+        }
+        return null;
+    }
+    async revoke(id) {
+        const record = this.records.get(id);
+        if (!record || record.revokedAt !== null)
+            return false;
+        record.revokedAt = now();
+        record.updatedAt = record.revokedAt;
+        return true;
+    }
+    async list() {
+        return Array.from(this.records.values()).map(toPublicRecord);
+    }
+    async touch(id) {
+        const record = this.records.get(id);
+        if (!record)
+            return false;
+        record.lastUsedAt = now();
+        record.updatedAt = record.lastUsedAt;
+        return true;
+    }
+}
+export class SqliteTokenStore {
+    db;
+    constructor(dbPath = defaultSqlitePath()) {
+        mkdirSync(path.dirname(dbPath), { recursive: true });
+        this.db = new DatabaseSync(dbPath);
+        this.db.exec(`
+      CREATE TABLE IF NOT EXISTS gateway_tokens (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL,
+        hash TEXT NOT NULL,
+        created_at INTEGER NOT NULL,
+        updated_at INTEGER NOT NULL,
+        last_used_at INTEGER,
+        expires_at INTEGER,
+        revoked_at INTEGER
+      );
+    `);
+    }
+    async create(input) {
+        const plaintext = input.plaintext && input.plaintext.trim().length > 0
+            ? input.plaintext
+            : issuePlaintextToken();
+        const createdAt = now();
+        const record = {
+            id: randomUUID(),
+            name: input.name,
+            hash: await hashToken(plaintext),
+            createdAt,
+            updatedAt: createdAt,
+            lastUsedAt: null,
+            expiresAt: input.ttlMs ? createdAt + input.ttlMs : null,
+            revokedAt: null,
+        };
+        this.db.prepare(`
+      INSERT INTO gateway_tokens (id, name, hash, created_at, updated_at, last_used_at, expires_at, revoked_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(record.id, record.name, record.hash, record.createdAt, record.updatedAt, record.lastUsedAt, record.expiresAt, record.revokedAt);
+        return {
+            id: record.id,
+            plaintext,
+            record: toPublicRecord(record),
+        };
+    }
+    async verify(plaintext) {
+        const rows = this.db.prepare(`
+      SELECT id, name, hash, created_at, updated_at, last_used_at, expires_at, revoked_at
+      FROM gateway_tokens
+      ORDER BY created_at DESC
+    `).all();
+        const currentTime = now();
+        for (const row of rows) {
+            const record = this.rowToRecord(row);
+            if (!isUsable(record, currentTime))
+                continue;
+            if (await verifyTokenHash(record.hash, plaintext)) {
+                return toPublicRecord(record);
+            }
+        }
+        return null;
+    }
+    async revoke(id) {
+        const updatedAt = now();
+        const result = this.db.prepare(`
+      UPDATE gateway_tokens
+      SET revoked_at = ?, updated_at = ?
+      WHERE id = ? AND revoked_at IS NULL
+    `).run(updatedAt, updatedAt, id);
+        return result.changes > 0;
+    }
+    async list() {
+        const rows = this.db.prepare(`
+      SELECT id, name, hash, created_at, updated_at, last_used_at, expires_at, revoked_at
+      FROM gateway_tokens
+      ORDER BY created_at DESC
+    `).all();
+        return rows.map((row) => toPublicRecord(this.rowToRecord(row)));
+    }
+    async touch(id) {
+        const updatedAt = now();
+        const result = this.db.prepare(`
+      UPDATE gateway_tokens
+      SET last_used_at = ?, updated_at = ?
+      WHERE id = ?
+    `).run(updatedAt, updatedAt, id);
+        return result.changes > 0;
+    }
+    close() {
+        this.db.close();
+    }
+    rowToRecord(row) {
+        return {
+            id: String(row['id']),
+            name: String(row['name']),
+            hash: String(row['hash']),
+            createdAt: Number(row['created_at']),
+            updatedAt: Number(row['updated_at']),
+            lastUsedAt: row['last_used_at'] == null ? null : Number(row['last_used_at']),
+            expiresAt: row['expires_at'] == null ? null : Number(row['expires_at']),
+            revokedAt: row['revoked_at'] == null ? null : Number(row['revoked_at']),
+        };
+    }
+}
+//# sourceMappingURL=tokens.js.map