@arcblock/did-connect-service 4.0.0-beta.8

package/dist/handlers/access-key-connect-handler.js

@@ -0,0 +1,153 @@
+/**
+ * AccessKeyConnectHandler — Browser-auth flow for external services to obtain access keys.
+ *
+ * Flow: caller creates session → opens browser → user logs in & authorizes → caller polls for encrypted key.
+ *
+ * Routes:
+ *   GET  /.well-known/service/gen-access-key             — Browser authorization page
+ *   POST /.well-known/service/api/access-key/session      — Create authorization session
+ *   GET  /.well-known/service/api/access-key/session?sid= — Poll session status
+ *   POST /.well-known/service/api/access-key/authorize    — User authorizes (requires login)
+ *   DELETE /.well-known/service/api/access-key/session?sid= — Delete session
+ */
+import { encryptAES } from "../crypto/aes-gcm.js";
+import { buildGenAccessKeyPageHTML } from "../pages/gen-access-key-page.js";
+const SESSION_TTL_MS = 5 * 60 * 1000; // 5 minutes
+export class AccessKeyConnectHandler {
+    store;
+    auth;
+    accessKeyHandler;
+    pageOptions;
+    constructor(options) {
+        this.store = options.store;
+        this.auth = options.auth;
+        this.accessKeyHandler = options.accessKeyHandler;
+        this.pageOptions = options.pageOptions;
+    }
+    async fetch(request, instanceDid) {
+        const url = new URL(request.url);
+        const { pathname } = url;
+        // Browser authorization page
+        if (pathname === "/.well-known/service/gen-access-key" &&
+            request.method === "GET") {
+            return new Response(buildGenAccessKeyPageHTML(this.pageOptions), {
+                headers: {
+                    "Content-Type": "text/html; charset=utf-8",
+                    "Cache-Control": "no-store",
+                },
+            });
+        }
+        // Session API
+        if (pathname === "/.well-known/service/api/access-key/session") {
+            if (request.method === "POST")
+                return this.createSession(request);
+            if (request.method === "GET")
+                return this.getSession(request);
+            if (request.method === "DELETE")
+                return this.deleteSession(request);
+            return null;
+        }
+        // User authorization
+        if (pathname === "/.well-known/service/api/access-key/authorize" &&
+            request.method === "POST") {
+            return this.authorize(request, instanceDid);
+        }
+        return null;
+    }
+    /** POST /api/access-key/session — create a temporary authorization session */
+    async createSession(_request) {
+        let source = "";
+        try {
+            const body = (await _request.json());
+            source = body.source || "";
+        }
+        catch {
+            // empty body is ok
+        }
+        const id = crypto.randomUUID();
+        const challenge = Array.from(crypto.getRandomValues(new Uint8Array(24)))
+            .map((b) => b.toString(16).padStart(2, "0"))
+            .join("");
+        const expiresAt = new Date(Date.now() + SESSION_TTL_MS).toISOString();
+        // Opportunistic cleanup of expired sessions
+        await this.store.purgeExpiredAccessKeySessions();
+        await this.store.createAccessKeySession({ id, challenge, source, expiresAt });
+        return jsonResponse({ id, challenge });
+    }
+    /** GET /api/access-key/session?sid= — caller polls for completion */
+    async getSession(request) {
+        const sid = new URL(request.url).searchParams.get("sid");
+        if (!sid)
+            return jsonResponse({ error: "Missing sid" }, 400);
+        const session = await this.store.getAccessKeySession(sid);
+        if (!session) {
+            return jsonResponse({ error: "Session not found or expired" }, 404);
+        }
+        // Never expose challenge in poll response
+        return jsonResponse({
+            status: session.status,
+            accessKeyId: session.access_key_id || null,
+            accessKeySecret: session.access_key_secret_encrypted || null,
+        });
+    }
+    /** DELETE /api/access-key/session?sid= — cleanup */
+    async deleteSession(request) {
+        const sid = new URL(request.url).searchParams.get("sid");
+        if (sid)
+            await this.store.deleteAccessKeySession(sid);
+        return jsonResponse({ ok: true });
+    }
+    /** POST /api/access-key/authorize — user confirms authorization in browser */
+    async authorize(request, instanceDid) {
+        const caller = await this.auth.verifyFull(request);
+        if (!caller) {
+            return jsonResponse({ error: "Authentication required" }, 401);
+        }
+        let body;
+        try {
+            body = (await request.json());
+        }
+        catch {
+            return jsonResponse({ error: "Invalid JSON body" }, 400);
+        }
+        const { sid } = body;
+        if (!sid)
+            return jsonResponse({ error: "Missing sid" }, 400);
+        const session = await this.store.getAccessKeySession(sid);
+        if (!session) {
+            return jsonResponse({ error: "Session not found or expired" }, 404);
+        }
+        if (session.status === "completed") {
+            return jsonResponse({ error: "This session has already been authorized" }, 409);
+        }
+        if (session.status !== "pending") {
+            return jsonResponse({ error: "Invalid session state" }, 400);
+        }
+        // Create access key via AccessKeyHandler.createKeyInternal (preserves audit log)
+        const accessKey = await this.accessKeyHandler.createKeyInternal({
+            role: caller.role || "guest",
+            remark: `Authorized: ${session.source || "external"}`,
+            createdBy: caller.did,
+            authType: "simple",
+            instanceDid,
+        });
+        // AES-GCM encrypt secret using session challenge
+        const encrypted = await encryptAES(accessKey.accessKeySecret, session.challenge);
+        await this.store.updateAccessKeySession(sid, {
+            status: "completed",
+            accessKeyId: accessKey.accessKeyId,
+            accessKeySecretEncrypted: encrypted,
+        });
+        return jsonResponse({ ok: true, accessKeyId: accessKey.accessKeyId });
+    }
+}
+function jsonResponse(data, status = 200) {
+    return new Response(JSON.stringify(data), {
+        status,
+        headers: {
+            "Content-Type": "application/json",
+            "Cache-Control": "private, no-store",
+        },
+    });
+}
+//# sourceMappingURL=access-key-connect-handler.js.map

package/dist/handlers/access-key-connect-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-key-connect-handler.js","sourceRoot":"","sources":["../../src/handlers/access-key-connect-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAClD,OAAO,EAAE,yBAAyB,EAAgC,MAAM,iCAAiC,CAAC;AAK1G,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAUlD,MAAM,OAAO,uBAAuB;IAC1B,KAAK,CAAU;IACf,IAAI,CAAO;IACX,gBAAgB,CAAmB;IACnC,WAAW,CAA2B;IAE9C,YAAY,OAAgC;QAC1C,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QACzB,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACjD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,OAAgB,EAAE,WAAoB;QAChD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEzB,6BAA6B;QAC7B,IACE,QAAQ,KAAK,qCAAqC;YAClD,OAAO,CAAC,MAAM,KAAK,KAAK,EACxB,CAAC;YACD,OAAO,IAAI,QAAQ,CAAC,yBAAyB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE;gBAC/D,OAAO,EAAE;oBACP,cAAc,EAAE,0BAA0B;oBAC1C,eAAe,EAAE,UAAU;iBAC5B;aACF,CAAC,CAAC;QACL,CAAC;QAED,cAAc;QACd,IAAI,QAAQ,KAAK,6CAA6C,EAAE,CAAC;YAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM;gBAAE,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;YAClE,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK;gBAAE,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YAC9D,IAAI,OAAO,CAAC,MAAM,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,qBAAqB;QACrB,IACE,QAAQ,KAAK,+CAA+C;YAC5D,OAAO,CAAC,MAAM,KAAK,MAAM,EACzB,CAAC;YACD,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC9C,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8EAA8E;IACtE,KAAK,CAAC,aAAa,CAAC,QAAiB;QAC3C,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;YAC5D,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,mBAAmB;QACrB,CAAC;QAED,MAAM,EAAE,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;aACrE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;aAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC;QAEtE,4CAA4C;QAC5C,MAAM,IAAI,CAAC,KAAK,CAAC,6BAA6B,EAAE,CAAC;QACjD,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;QAE9E,OAAO,YAAY,CAAC,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,qEAAqE;IAC7D,KAAK,CAAC,UAAU,CAAC,OAAgB;QACvC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACzD,IAAI,CAAC,GAAG;YAAE,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,GAAG,CAAC,CAAC;QAE7D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,EAAE,GAAG,CAAC,CAAC;QACtE,CAAC;QAED,0CAA0C;QAC1C,OAAO,YAAY,CAAC;YAClB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,WAAW,EAAE,OAAO,CAAC,aAAa,IAAI,IAAI;YAC1C,eAAe,EAAE,OAAO,CAAC,2BAA2B,IAAI,IAAI;SAC7D,CAAC,CAAC;IACL,CAAC;IAED,oDAAoD;IAC5C,KAAK,CAAC,aAAa,CAAC,OAAgB;QAC1C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACzD,IAAI,GAAG;YAAE,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACtD,OAAO,YAAY,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,CAAC;IAED,8EAA8E;IACtE,KAAK,CAAC,SAAS,CAAC,OAAgB,EAAE,WAAoB;QAC5D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,GAAG,CAAC,CAAC;QACjE,CAAC;QAED,IAAI,IAAuC,CAAC;QAC5C,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAsC,CAAC;QACrE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,GAAG,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACrB,IAAI,CAAC,GAAG;YAAE,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,GAAG,CAAC,CAAC;QAE7D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,EAAE,GAAG,CAAC,CAAC;QACtE,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YACnC,OAAO,YAAY,CACjB,EAAE,KAAK,EAAE,0CAA0C,EAAE,EACrD,GAAG,CACJ,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACjC,OAAO,YAAY,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC;QAED,iFAAiF;QACjF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,iBAAiB,CAAC;YAC9D,IAAI,EAAG,MAAM,CAAC,IAA+C,IAAI,OAAO;YACxE,MAAM,EAAE,eAAe,OAAO,CAAC,MAAM,IAAI,UAAU,EAAE;YACrD,SAAS,EAAE,MAAM,CAAC,GAAG;YACrB,QAAQ,EAAE,QAAQ;YAClB,WAAW;SACZ,CAAC,CAAC;QAEH,iDAAiD;QACjD,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,SAAS,CAAC,eAAe,EACzB,OAAO,CAAC,SAAS,CAClB,CAAC;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,GAAG,EAAE;YAC3C,MAAM,EAAE,WAAW;YACnB,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,wBAAwB,EAAE,SAAS;SACpC,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC;IACxE,CAAC;CACF;AAED,SAAS,YAAY,CAAC,IAAa,EAAE,MAAM,GAAG,GAAG;IAC/C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;QACxC,MAAM;QACN,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,eAAe,EAAE,mBAAmB;SACrC;KACF,CAAC,CAAC;AACL,CAAC"}

package/dist/handlers/access-key-handler.d.ts

@@ -0,0 +1,54 @@
+/**
+ * AccessKeyHandler — HTTP handler for access key management API.
+ *
+ * API routes (/.well-known/service/api/access-keys):
+ *   GET    /                  — List access keys (paginated, searchable)
+ *   POST   /                  — Create a new access key
+ *   GET    /:id               — Get access key details
+ *   PUT    /:id               — Update access key (remark, expireAt)
+ *   DELETE /:id               — Delete an access key
+ */
+import type { D1Store } from "../store/d1-store.js";
+import type { Role } from "../types.js";
+import type { Auth } from "./passkey-handler.js";
+export declare class AccessKeyHandler {
+    private store;
+    private passkey;
+    private apiBase;
+    constructor(options: {
+        store: D1Store;
+        passkey: Auth;
+        basePath?: string;
+    });
+    /**
+     * Create an access key programmatically (internal use — caller must handle auth).
+     * Used by AccessKeyConnectHandler for browser-auth flow.
+     */
+    createKeyInternal(params: {
+        role: Role;
+        remark: string;
+        createdBy: string;
+        authType?: "simple";
+        instanceDid?: string;
+        expireAt?: string | null;
+        ip?: string;
+    }): Promise<{
+        accessKeyId: string;
+        accessKeySecret: string;
+    }>;
+    /** Main HTTP router. Returns Response or null if path doesn't match. */
+    fetch(request: Request, instanceDid?: string): Promise<Response | null>;
+    private handleAPI;
+    private verifyAndCheckApproval;
+    private handleList;
+    private handleCreate;
+    private handleGet;
+    private handleUpdate;
+    private handleDelete;
+    /** Non-admin callers can only operate on keys they created. Admin+ can operate on any key. */
+    private requireOwnership;
+    private jsonResponse;
+    private errorResponse;
+    private parseJSON;
+}
+//# sourceMappingURL=access-key-handler.d.ts.map

package/dist/handlers/access-key-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-key-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/access-key-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,EAAkB,IAAI,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAcjD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAAU;IACvB,OAAO,CAAC,OAAO,CAAO;IACtB,OAAO,CAAC,OAAO,CAAS;gBAEZ,OAAO,EAAE;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE;IAMzE;;;OAGG;IACG,iBAAiB,CAAC,MAAM,EAAE;QAC9B,IAAI,EAAE,IAAI,CAAC;QACX,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,QAAQ,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACzB,EAAE,CAAC,EAAE,MAAM,CAAC;KACb,GAAG,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,CAAA;KAAE,CAAC;IA6B7D,wEAAwE;IAClE,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;YAU/D,SAAS;YAoDT,sBAAsB;YAyCtB,UAAU;YA6BV,YAAY;YAuEZ,SAAS;YAuBT,YAAY;YAuEZ,YAAY;IAkD1B,8FAA8F;IAC9F,OAAO,CAAC,gBAAgB;IAQxB,OAAO,CAAC,YAAY;IAUpB,OAAO,CAAC,aAAa;YAIP,SAAS;CAOxB"}

package/dist/handlers/access-key-handler.js

@@ -0,0 +1,336 @@
+/**
+ * AccessKeyHandler — HTTP handler for access key management API.
+ *
+ * API routes (/.well-known/service/api/access-keys):
+ *   GET    /                  — List access keys (paginated, searchable)
+ *   POST   /                  — Create a new access key
+ *   GET    /:id               — Get access key details
+ *   PUT    /:id               — Update access key (remark, expireAt)
+ *   DELETE /:id               — Delete an access key
+ */
+import { generateAccessKey } from "../access/access-key-util.js";
+import { PermissionError, requirePermission } from "../access/rbac.js";
+import { resolveInstanceRole } from "../identity/instance-role.js";
+const API_BASE = "/.well-known/service/api/access-keys";
+const ROLE_RANK = { owner: 3, admin: 2, member: 1, guest: 0 };
+const ADMIN_RANK = 2;
+const MAX_REMARK_LENGTH = 200;
+const MAX_PAGE_SIZE = 100;
+const VALID_ROLES = ["owner", "admin", "member", "guest"];
+export class AccessKeyHandler {
+    store;
+    passkey;
+    apiBase;
+    constructor(options) {
+        this.store = options.store;
+        this.passkey = options.passkey;
+        this.apiBase = options.basePath ?? API_BASE;
+    }
+    /**
+     * Create an access key programmatically (internal use — caller must handle auth).
+     * Used by AccessKeyConnectHandler for browser-auth flow.
+     */
+    async createKeyInternal(params) {
+        const key = generateAccessKey();
+        await this.store.createAccessKey({
+            accessKeyId: key.accessKeyId,
+            accessKeyPublic: key.accessKeyPublic,
+            role: params.role,
+            remark: params.remark,
+            createdBy: params.createdBy,
+            expireAt: params.expireAt ?? null,
+            instanceDid: params.instanceDid,
+        });
+        // Audit log
+        await this.store.createAuditLog({
+            action: "accessKey.create",
+            operatorDid: params.createdBy,
+            metadata: {
+                accessKeyId: key.accessKeyId,
+                role: params.role,
+                remark: params.remark,
+                source: params.authType === "simple" ? "access-key-connect" : "api",
+            },
+            ip: params.ip,
+            instanceDid: params.instanceDid,
+        });
+        return { accessKeyId: key.accessKeyId, accessKeySecret: key.accessKeySecret };
+    }
+    /** Main HTTP router. Returns Response or null if path doesn't match. */
+    async fetch(request, instanceDid) {
+        const url = new URL(request.url);
+        const { pathname } = url;
+        if (!pathname.startsWith(this.apiBase))
+            return null;
+        const path = pathname.slice(this.apiBase.length) || "/";
+        return this.handleAPI(request, path, url, instanceDid);
+    }
+    async handleAPI(request, path, url, instanceDid) {
+        const method = request.method;
+        try {
+            const caller = await this.verifyAndCheckApproval(request, instanceDid);
+            // List: GET /
+            if (method === "GET" && path === "/") {
+                return await this.handleList(caller, url, instanceDid);
+            }
+            // Create: POST /
+            if (method === "POST" && path === "/") {
+                return await this.handleCreate(caller, request, instanceDid);
+            }
+            // Detail/Update/Delete: /:id
+            const idMatch = path.match(/^\/([^/]+)$/);
+            if (!idMatch)
+                return this.errorResponse("Not found", 404, "NOT_FOUND");
+            const accessKeyId = decodeURIComponent(idMatch[1]);
+            if (method === "GET") {
+                return await this.handleGet(caller, accessKeyId, instanceDid);
+            }
+            if (method === "PUT") {
+                return await this.handleUpdate(caller, accessKeyId, request, instanceDid);
+            }
+            if (method === "DELETE") {
+                return await this.handleDelete(caller, accessKeyId, instanceDid);
+            }
+            return this.errorResponse("Not found", 404, "NOT_FOUND");
+        }
+        catch (err) {
+            if (err instanceof AccessKeyError) {
+                return this.errorResponse(err.message, err.status, err.code);
+            }
+            if (err instanceof PermissionError) {
+                return this.errorResponse("Insufficient permissions", 403, "FORBIDDEN");
+            }
+            const message = err instanceof Error ? err.message : "Internal error";
+            return this.errorResponse(message, 500, "INTERNAL_ERROR");
+        }
+    }
+    // ─── Auth middleware ─────────────────────────────────────────────────
+    async verifyAndCheckApproval(request, instanceDid) {
+        const caller = await this.passkey.verifyFull(request);
+        if (!caller) {
+            throw new AccessKeyError("Authentication required", 401, "UNAUTHENTICATED");
+        }
+        const user = await this.store.getUserByDid(caller.did);
+        if (!user) {
+            throw new AccessKeyError("User not found", 401, "UNAUTHENTICATED");
+        }
+        if (!user.approved) {
+            throw new AccessKeyError("User is blocked", 403, "BLOCKED");
+        }
+        const ip = request.headers.get("CF-Connecting-IP") ?? undefined;
+        if (instanceDid) {
+            const effectiveRole = await resolveInstanceRole(this.store, caller.did, instanceDid, user.role ?? undefined);
+            if (!effectiveRole) {
+                throw new AccessKeyError("Not a member of this instance", 403, "FORBIDDEN");
+            }
+            return { ...caller, role: effectiveRole, ip };
+        }
+        return {
+            ...caller,
+            role: caller.role ?? user.role ?? "guest",
+            ip,
+        };
+    }
+    // ─── Handlers ────────────────────────────────────────────────────────
+    async handleList(caller, url, instanceDid) {
+        requirePermission(caller.role, "accessKey.list");
+        let page = Number.parseInt(url.searchParams.get("page") ?? "1", 10);
+        let pageSize = Number.parseInt(url.searchParams.get("pageSize") ?? "20", 10);
+        const search = url.searchParams.get("search") ?? undefined;
+        if (page < 1)
+            page = 1;
+        if (pageSize > MAX_PAGE_SIZE)
+            pageSize = MAX_PAGE_SIZE;
+        if (pageSize < 1)
+            pageSize = 20;
+        // Non-admin users only see their own keys
+        const callerRank = ROLE_RANK[caller.role] ?? 0;
+        const createdBy = callerRank >= ADMIN_RANK ? undefined : caller.did;
+        const result = await this.store.getAccessKeys({
+            page,
+            pageSize,
+            search,
+            createdBy,
+            instanceDid,
+        });
+        return this.jsonResponse({ ...result, page, pageSize });
+    }
+    async handleCreate(caller, request, instanceDid) {
+        requirePermission(caller.role, "accessKey.create");
+        const body = await this.parseJSON(request);
+        // Validate role
+        if (!body.role) {
+            throw new AccessKeyError("Missing required field: role", 400, "VALIDATION_ERROR");
+        }
+        if (!VALID_ROLES.includes(body.role)) {
+            throw new AccessKeyError(`Invalid role: ${body.role}. Must be one of: ${VALID_ROLES.join(", ")}`, 400, "VALIDATION_ERROR");
+        }
+        // Role escalation prevention: caller cannot create key with higher role
+        const callerRank = ROLE_RANK[caller.role] ?? 0;
+        const targetRank = ROLE_RANK[body.role] ?? 0;
+        if (targetRank > callerRank) {
+            throw new AccessKeyError("Cannot create key with higher role than your own", 403, "FORBIDDEN");
+        }
+        // Validate expireAt (if provided)
+        if (body.expireAt !== undefined && body.expireAt !== null) {
+            const expireDate = new Date(body.expireAt);
+            if (Number.isNaN(expireDate.getTime())) {
+                throw new AccessKeyError("Invalid expireAt date", 400, "VALIDATION_ERROR");
+            }
+            if (expireDate < new Date()) {
+                throw new AccessKeyError("expireAt must be in the future", 400, "VALIDATION_ERROR");
+            }
+        }
+        // Truncate remark
+        const remark = (body.remark ?? "").slice(0, MAX_REMARK_LENGTH);
+        const result = await this.createKeyInternal({
+            role: body.role,
+            remark,
+            createdBy: caller.did,
+            expireAt: body.expireAt ?? null,
+            instanceDid,
+            ip: caller.ip,
+        });
+        const stored = await this.store.getAccessKeyById(result.accessKeyId);
+        return this.jsonResponse({
+            ...stored,
+            accessKeySecret: result.accessKeySecret,
+            createdByName: caller.displayName ?? null,
+        }, 201);
+    }
+    async handleGet(caller, accessKeyId, instanceDid) {
+        requirePermission(caller.role, "accessKey.view");
+        const key = await this.store.getAccessKeyById(accessKeyId);
+        if (!key) {
+            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
+        }
+        // Instance ownership check: only instance's own keys are visible
+        if (instanceDid && key.instanceDid !== instanceDid) {
+            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
+        }
+        // Non-admin users can only view their own keys
+        this.requireOwnership(caller, key.createdBy);
+        return this.jsonResponse(key);
+    }
+    async handleUpdate(caller, accessKeyId, request, instanceDid) {
+        requirePermission(caller.role, "accessKey.update");
+        const existing = await this.store.getAccessKeyById(accessKeyId);
+        if (!existing) {
+            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
+        }
+        // Instance ownership check: only instance's own keys are accessible
+        if (instanceDid && existing.instanceDid !== instanceDid) {
+            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
+        }
+        // Non-admin users can only update their own keys
+        this.requireOwnership(caller, existing.createdBy);
+        // Role-rank enforcement (admin+): cannot modify key with higher role
+        const callerRank = ROLE_RANK[caller.role] ?? 0;
+        if (callerRank >= ADMIN_RANK) {
+            const keyRank = ROLE_RANK[existing.role] ?? 0;
+            if (keyRank > callerRank) {
+                throw new AccessKeyError("Cannot modify key with higher role than your own", 403, "FORBIDDEN");
+            }
+        }
+        const body = await this.parseJSON(request);
+        // Validate expireAt
+        if (body.expireAt !== undefined && body.expireAt !== null) {
+            const expireDate = new Date(body.expireAt);
+            if (Number.isNaN(expireDate.getTime())) {
+                throw new AccessKeyError("Invalid expireAt date", 400, "VALIDATION_ERROR");
+            }
+        }
+        // Truncate remark
+        const update = {};
+        if (body.remark !== undefined) {
+            update.remark = body.remark.slice(0, MAX_REMARK_LENGTH);
+        }
+        if ("expireAt" in body) {
+            update.expireAt = body.expireAt;
+        }
+        const updated = await this.store.updateAccessKey(accessKeyId, update);
+        // Audit log
+        await this.store.createAuditLog({
+            action: "accessKey.update",
+            operatorDid: caller.did,
+            targetDid: accessKeyId,
+            metadata: update,
+            ip: caller.ip,
+            instanceDid,
+        });
+        return this.jsonResponse(updated);
+    }
+    async handleDelete(caller, accessKeyId, instanceDid) {
+        requirePermission(caller.role, "accessKey.delete");
+        const existing = await this.store.getAccessKeyById(accessKeyId);
+        if (!existing) {
+            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
+        }
+        // Instance ownership check: only instance's own keys are accessible
+        if (instanceDid && existing.instanceDid !== instanceDid) {
+            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
+        }
+        // Non-admin users can only delete their own keys
+        this.requireOwnership(caller, existing.createdBy);
+        // Role-rank enforcement (admin+): cannot delete key with higher role
+        const callerRank = ROLE_RANK[caller.role] ?? 0;
+        if (callerRank >= ADMIN_RANK) {
+            const keyRank = ROLE_RANK[existing.role] ?? 0;
+            if (keyRank > callerRank) {
+                throw new AccessKeyError("Cannot delete key with higher role than your own", 403, "FORBIDDEN");
+            }
+        }
+        await this.store.deleteAccessKey(accessKeyId);
+        // Audit log
+        await this.store.createAuditLog({
+            action: "accessKey.delete",
+            operatorDid: caller.did,
+            targetDid: accessKeyId,
+            metadata: { role: existing.role },
+            ip: caller.ip,
+            instanceDid,
+        });
+        return new Response(null, { status: 204 });
+    }
+    // ─── Helpers ─────────────────────────────────────────────────────────
+    /** Non-admin callers can only operate on keys they created. Admin+ can operate on any key. */
+    requireOwnership(caller, keyCreatedBy) {
+        const callerRank = ROLE_RANK[caller.role] ?? 0;
+        if (callerRank >= ADMIN_RANK)
+            return; // admin+ can access all keys
+        if (caller.did !== keyCreatedBy) {
+            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
+        }
+    }
+    jsonResponse(data, status = 200) {
+        return new Response(JSON.stringify(data), {
+            status,
+            headers: {
+                "Content-Type": "application/json",
+                "Cache-Control": "private, no-store",
+            },
+        });
+    }
+    errorResponse(message, status, code) {
+        return this.jsonResponse({ ok: false, error: message, code }, status);
+    }
+    async parseJSON(request) {
+        try {
+            return (await request.json());
+        }
+        catch {
+            throw new AccessKeyError("Invalid JSON body", 400, "VALIDATION_ERROR");
+        }
+    }
+}
+class AccessKeyError extends Error {
+    status;
+    code;
+    constructor(message, status, code) {
+        super(message);
+        this.status = status;
+        this.code = code;
+        this.name = "AccessKeyError";
+    }
+}
+//# sourceMappingURL=access-key-handler.js.map

package/dist/handlers/access-key-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-key-handler.js","sourceRoot":"","sources":["../../src/handlers/access-key-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAKnE,MAAM,QAAQ,GAAG,sCAAsC,CAAC;AACxD,MAAM,SAAS,GAA2B,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;AACtF,MAAM,UAAU,GAAG,CAAC,CAAC;AACrB,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,aAAa,GAAG,GAAG,CAAC;AAC1B,MAAM,WAAW,GAAW,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;AAOlE,MAAM,OAAO,gBAAgB;IACnB,KAAK,CAAU;IACf,OAAO,CAAO;IACd,OAAO,CAAS;IAExB,YAAY,OAA6D;QACvE,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,QAAQ,IAAI,QAAQ,CAAC;IAC9C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB,CAAC,MAQvB;QACC,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC;YAC/B,WAAW,EAAE,GAAG,CAAC,WAAW;YAC5B,eAAe,EAAE,GAAG,CAAC,eAAe;YACpC,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,IAAI;YACjC,WAAW,EAAE,MAAM,CAAC,WAAW;SAChC,CAAC,CAAC;QAEH,YAAY;QACZ,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC;YAC9B,MAAM,EAAE,kBAAkB;YAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;YAC7B,QAAQ,EAAE;gBACR,WAAW,EAAE,GAAG,CAAC,WAAW;gBAC5B,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,MAAM,EAAE,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,KAAK;aACpE;YACD,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,WAAW,EAAE,MAAM,CAAC,WAAW;SAChC,CAAC,CAAC;QAEH,OAAO,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,eAAe,EAAE,GAAG,CAAC,eAAe,EAAE,CAAC;IAChF,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,KAAK,CAAC,OAAgB,EAAE,WAAoB;QAChD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEzB,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;QACxD,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;IACzD,CAAC;IAEO,KAAK,CAAC,SAAS,CACrB,OAAgB,EAChB,IAAY,EACZ,GAAQ,EACR,WAAoB;QAEpB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAE9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YAEvE,cAAc;YACd,IAAI,MAAM,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBACrC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;YACzD,CAAC;YAED,iBAAiB;YACjB,IAAI,MAAM,KAAK,MAAM,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBACtC,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;YAC/D,CAAC;YAED,6BAA6B;YAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YAC1C,IAAI,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;YAEvE,MAAM,WAAW,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC,CAAC;YAEpD,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACrB,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;YAChE,CAAC;YACD,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACrB,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACxB,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;YACnE,CAAC;YAED,OAAO,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QAC3D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,cAAc,EAAE,CAAC;gBAClC,OAAO,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;YAC/D,CAAC;YACD,IAAI,GAAG,YAAY,eAAe,EAAE,CAAC;gBACnC,OAAO,IAAI,CAAC,aAAa,CAAC,0BAA0B,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;YAC1E,CAAC;YACD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC;YACtE,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,wEAAwE;IAEhE,KAAK,CAAC,sBAAsB,CAClC,OAAgB,EAChB,WAAoB;QAEpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACtD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,cAAc,CAAC,yBAAyB,EAAE,GAAG,EAAE,iBAAiB,CAAC,CAAC;QAC9E,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACvD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,cAAc,CAAC,gBAAgB,EAAE,GAAG,EAAE,iBAAiB,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,cAAc,CAAC,iBAAiB,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;QAC9D,CAAC;QAED,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,SAAS,CAAC;QAEhE,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,aAAa,GAAG,MAAM,mBAAmB,CAC7C,IAAI,CAAC,KAAK,EACV,MAAM,CAAC,GAAG,EACV,WAAW,EACX,IAAI,CAAC,IAAI,IAAI,SAAS,CACvB,CAAC;YACF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,MAAM,IAAI,cAAc,CAAC,+BAA+B,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;YAC9E,CAAC;YACD,OAAO,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QAChD,CAAC;QAED,OAAO;YACL,GAAG,MAAM;YACT,IAAI,EAAG,MAAM,CAAC,IAAa,IAAK,IAAI,CAAC,IAAa,IAAI,OAAO;YAC7D,EAAE;SACH,CAAC;IACJ,CAAC;IAED,wEAAwE;IAEhE,KAAK,CAAC,UAAU,CACtB,MAA2B,EAC3B,GAAQ,EACR,WAAoB;QAEpB,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;QAEjD,IAAI,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;QACpE,IAAI,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC;QAC7E,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC;QAE3D,IAAI,IAAI,GAAG,CAAC;YAAE,IAAI,GAAG,CAAC,CAAC;QACvB,IAAI,QAAQ,GAAG,aAAa;YAAE,QAAQ,GAAG,aAAa,CAAC;QACvD,IAAI,QAAQ,GAAG,CAAC;YAAE,QAAQ,GAAG,EAAE,CAAC;QAEhC,0CAA0C;QAC1C,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,SAAS,GAAG,UAAU,IAAI,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;QAEpE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;YAC5C,IAAI;YACJ,QAAQ;YACR,MAAM;YACN,SAAS;YACT,WAAW;SACZ,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,YAAY,CAAC,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,MAA2B,EAC3B,OAAgB,EAChB,WAAoB;QAEpB,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;QAEnD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAI9B,OAAO,CAAC,CAAC;QAEZ,gBAAgB;QAChB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,MAAM,IAAI,cAAc,CAAC,8BAA8B,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACpF,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAY,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,cAAc,CACtB,iBAAiB,IAAI,CAAC,IAAI,qBAAqB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EACvE,GAAG,EACH,kBAAkB,CACnB,CAAC;QACJ,CAAC;QAED,wEAAwE;QACxE,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,UAAU,GAAG,UAAU,EAAE,CAAC;YAC5B,MAAM,IAAI,cAAc,CACtB,kDAAkD,EAClD,GAAG,EACH,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,kCAAkC;QAClC,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;YAC1D,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC3C,IAAI,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;gBACvC,MAAM,IAAI,cAAc,CAAC,uBAAuB,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;YAC7E,CAAC;YACD,IAAI,UAAU,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBAC5B,MAAM,IAAI,cAAc,CAAC,gCAAgC,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;YACtF,CAAC;QACH,CAAC;QAED,kBAAkB;QAClB,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC;QAE/D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC;YAC1C,IAAI,EAAE,IAAI,CAAC,IAAY;YACvB,MAAM;YACN,SAAS,EAAE,MAAM,CAAC,GAAG;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;YAC/B,WAAW;YACX,EAAE,EAAE,MAAM,CAAC,EAAE;SACd,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAErE,OAAO,IAAI,CAAC,YAAY,CACtB;YACE,GAAG,MAAM;YACT,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,aAAa,EAAE,MAAM,CAAC,WAAW,IAAI,IAAI;SAC1C,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,SAAS,CACrB,MAA2B,EAC3B,WAAmB,EACnB,WAAoB;QAEpB,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;QAEjD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAC3D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,iEAAiE;QACjE,IAAI,WAAW,IAAI,GAAG,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;YACnD,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,+CAA+C;QAC/C,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC;QAE7C,OAAO,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,MAA2B,EAC3B,WAAmB,EACnB,OAAgB,EAChB,WAAoB;QAEpB,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;QAEnD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,oEAAoE;QACpE,IAAI,WAAW,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;YACxD,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,iDAAiD;QACjD,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;QAElD,qEAAqE;QACrE,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,UAAU,IAAI,UAAU,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9C,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBACzB,MAAM,IAAI,cAAc,CACtB,kDAAkD,EAClD,GAAG,EACH,WAAW,CACZ,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAG9B,OAAO,CAAC,CAAC;QAEZ,oBAAoB;QACpB,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;YAC1D,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC3C,IAAI,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;gBACvC,MAAM,IAAI,cAAc,CAAC,uBAAuB,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;QAED,kBAAkB;QAClB,MAAM,MAAM,GAAkD,EAAE,CAAC;QACjE,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC;QAC1D,CAAC;QACD,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAEtE,YAAY;QACZ,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC;YAC9B,MAAM,EAAE,kBAAkB;YAC1B,WAAW,EAAE,MAAM,CAAC,GAAG;YACvB,SAAS,EAAE,WAAW;YACtB,QAAQ,EAAE,MAAM;YAChB,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,WAAW;SACZ,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IACpC,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,MAA2B,EAC3B,WAAmB,EACnB,WAAoB;QAEpB,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;QAEnD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,oEAAoE;QACpE,IAAI,WAAW,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;YACxD,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,iDAAiD;QACjD,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;QAElD,qEAAqE;QACrE,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,UAAU,IAAI,UAAU,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9C,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBACzB,MAAM,IAAI,cAAc,CACtB,kDAAkD,EAClD,GAAG,EACH,WAAW,CACZ,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAE9C,YAAY;QACZ,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC;YAC9B,MAAM,EAAE,kBAAkB;YAC1B,WAAW,EAAE,MAAM,CAAC,GAAG;YACvB,SAAS,EAAE,WAAW;YACtB,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE;YACjC,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,WAAW;SACZ,CAAC,CAAC;QAEH,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,wEAAwE;IAExE,8FAA8F;IACtF,gBAAgB,CAAC,MAA2B,EAAE,YAAoB;QACxE,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,UAAU,IAAI,UAAU;YAAE,OAAO,CAAC,6BAA6B;QACnE,IAAI,MAAM,CAAC,GAAG,KAAK,YAAY,EAAE,CAAC;YAChC,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAEO,YAAY,CAAC,IAAa,EAAE,MAAM,GAAG,GAAG;QAC9C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;YACxC,MAAM;YACN,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,eAAe,EAAE,mBAAmB;aACrC;SACF,CAAC,CAAC;IACL,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,MAAc,EAAE,IAAY;QACjE,OAAO,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IACxE,CAAC;IAEO,KAAK,CAAC,SAAS,CAAI,OAAgB;QACzC,IAAI,CAAC;YACH,OAAO,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAM,CAAC;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,cAAc,CAAC,mBAAmB,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;CACF;AAED,MAAM,cAAe,SAAQ,KAAK;IAGvB;IACA;IAHT,YACE,OAAe,EACR,MAAc,EACd,IAAY;QAEnB,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,WAAM,GAAN,MAAM,CAAQ;QACd,SAAI,GAAJ,IAAI,CAAQ;QAGnB,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF"}

package/dist/handlers/admin-instance-handler.d.ts

@@ -0,0 +1,29 @@
+/**
+ * AdminInstanceHandler — Admin-only CRUD for instance registration.
+ *
+ * Routes:
+ *   POST   /.well-known/service/api/admin/instances          — register instance
+ *   GET    /.well-known/service/api/admin/instances           — list instances
+ *   DELETE /.well-known/service/api/admin/instances/:did      — remove instance
+ *   GET    /.well-known/service/admin/instances               — admin UI page
+ */
+import type { D1Store } from "../store/d1-store.js";
+import type { Auth } from "./passkey-handler.js";
+export interface AdminInstanceHandlerOptions {
+    store: D1Store;
+    auth: Auth;
+}
+export declare class AdminInstanceHandler {
+    private options;
+    constructor(options: AdminInstanceHandlerOptions);
+    fetch(request: Request, instanceDid?: string): Promise<Response | null>;
+    /** POST /api/admin/instances — register instance */
+    private register;
+    /** GET /api/admin/instances — list registered instances */
+    private list;
+    /** DELETE /api/admin/instances/:did — remove instance registration (best-effort cleanup) */
+    private remove;
+    /** Render admin UI page */
+    private renderPage;
+}
+//# sourceMappingURL=admin-instance-handler.d.ts.map

package/dist/handlers/admin-instance-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-instance-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/admin-instance-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,MAAM,WAAW,2BAA2B;IAC1C,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,EAAE,IAAI,CAAC;CACZ;AASD,qBAAa,oBAAoB;IACnB,OAAO,CAAC,OAAO;gBAAP,OAAO,EAAE,2BAA2B;IAElD,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAuC7E,oDAAoD;YACtC,QAAQ;IAgFtB,2DAA2D;YAC7C,IAAI;IAKlB,4FAA4F;YAC9E,MAAM;IAkBpB,2BAA2B;YACb,UAAU;CASzB"}