@arcblock/did-connect-service 4.0.4 → 4.0.6

package/dist/access-key-handler.js

@@ -1,316 +0,0 @@
-/**
- * AccessKeyHandler — HTTP handler for access key management API.
- *
- * API routes (/.well-known/service/api/access-keys):
- *   GET    /                  — List access keys (paginated, searchable)
- *   POST   /                  — Create a new access key
- *   GET    /:id               — Get access key details
- *   PUT    /:id               — Update access key (remark, expireAt)
- *   DELETE /:id               — Delete an access key
- */
-import { generateAccessKey } from "./access/access-key-util.js";
-import { resolveInstanceRole } from "./identity/instance-role.js";
-import { PermissionError, requirePermission } from "./access/rbac.js";
-const API_BASE = "/.well-known/service/api/access-keys";
-const ROLE_RANK = { owner: 3, admin: 2, member: 1, guest: 0 };
-const ADMIN_RANK = 2;
-const MAX_REMARK_LENGTH = 200;
-const MAX_PAGE_SIZE = 100;
-const VALID_ROLES = ["owner", "admin", "member", "guest"];
-export class AccessKeyHandler {
-    store;
-    passkey;
-    apiBase;
-    constructor(options) {
-        this.store = options.store;
-        this.passkey = options.passkey;
-        this.apiBase = options.basePath ?? API_BASE;
-    }
-    /** Main HTTP router. Returns Response or null if path doesn't match. */
-    async fetch(request, instanceDid) {
-        const url = new URL(request.url);
-        const { pathname } = url;
-        if (!pathname.startsWith(this.apiBase))
-            return null;
-        const path = pathname.slice(this.apiBase.length) || "/";
-        return this.handleAPI(request, path, url, instanceDid);
-    }
-    async handleAPI(request, path, url, instanceDid) {
-        const method = request.method;
-        try {
-            const caller = await this.verifyAndCheckApproval(request, instanceDid);
-            // List: GET /
-            if (method === "GET" && path === "/") {
-                return await this.handleList(caller, url, instanceDid);
-            }
-            // Create: POST /
-            if (method === "POST" && path === "/") {
-                return await this.handleCreate(caller, request, instanceDid);
-            }
-            // Detail/Update/Delete: /:id
-            const idMatch = path.match(/^\/([^/]+)$/);
-            if (!idMatch)
-                return this.errorResponse("Not found", 404, "NOT_FOUND");
-            const accessKeyId = decodeURIComponent(idMatch[1]);
-            if (method === "GET") {
-                return await this.handleGet(caller, accessKeyId, instanceDid);
-            }
-            if (method === "PUT") {
-                return await this.handleUpdate(caller, accessKeyId, request, instanceDid);
-            }
-            if (method === "DELETE") {
-                return await this.handleDelete(caller, accessKeyId, instanceDid);
-            }
-            return this.errorResponse("Not found", 404, "NOT_FOUND");
-        }
-        catch (err) {
-            if (err instanceof AccessKeyError) {
-                return this.errorResponse(err.message, err.status, err.code);
-            }
-            if (err instanceof PermissionError) {
-                return this.errorResponse("Insufficient permissions", 403, "FORBIDDEN");
-            }
-            const message = err instanceof Error ? err.message : "Internal error";
-            return this.errorResponse(message, 500, "INTERNAL_ERROR");
-        }
-    }
-    // ─── Auth middleware ─────────────────────────────────────────────────
-    async verifyAndCheckApproval(request, instanceDid) {
-        const caller = await this.passkey.verifyFull(request);
-        if (!caller) {
-            throw new AccessKeyError("Authentication required", 401, "UNAUTHENTICATED");
-        }
-        const user = await this.store.getUserByDid(caller.did);
-        if (!user) {
-            throw new AccessKeyError("User not found", 401, "UNAUTHENTICATED");
-        }
-        if (!user.approved) {
-            throw new AccessKeyError("User is blocked", 403, "BLOCKED");
-        }
-        const ip = request.headers.get("CF-Connecting-IP") ?? undefined;
-        if (instanceDid) {
-            const effectiveRole = await resolveInstanceRole(this.store, caller.did, instanceDid, user.role ?? undefined);
-            if (!effectiveRole) {
-                throw new AccessKeyError("Not a member of this instance", 403, "FORBIDDEN");
-            }
-            return { ...caller, role: effectiveRole, ip };
-        }
-        return {
-            ...caller,
-            role: caller.role ?? user.role ?? "guest",
-            ip,
-        };
-    }
-    // ─── Handlers ────────────────────────────────────────────────────────
-    async handleList(caller, url, instanceDid) {
-        requirePermission(caller.role, "accessKey.list");
-        let page = Number.parseInt(url.searchParams.get("page") ?? "1", 10);
-        let pageSize = Number.parseInt(url.searchParams.get("pageSize") ?? "20", 10);
-        const search = url.searchParams.get("search") ?? undefined;
-        if (page < 1)
-            page = 1;
-        if (pageSize > MAX_PAGE_SIZE)
-            pageSize = MAX_PAGE_SIZE;
-        if (pageSize < 1)
-            pageSize = 20;
-        // Non-admin users only see their own keys
-        const callerRank = ROLE_RANK[caller.role] ?? 0;
-        const createdBy = callerRank >= ADMIN_RANK ? undefined : caller.did;
-        const result = await this.store.getAccessKeys({
-            page,
-            pageSize,
-            search,
-            createdBy,
-            instanceDid,
-        });
-        return this.jsonResponse({ ...result, page, pageSize });
-    }
-    async handleCreate(caller, request, instanceDid) {
-        requirePermission(caller.role, "accessKey.create");
-        const body = await this.parseJSON(request);
-        // Validate role
-        if (!body.role) {
-            throw new AccessKeyError("Missing required field: role", 400, "VALIDATION_ERROR");
-        }
-        if (!VALID_ROLES.includes(body.role)) {
-            throw new AccessKeyError(`Invalid role: ${body.role}. Must be one of: ${VALID_ROLES.join(", ")}`, 400, "VALIDATION_ERROR");
-        }
-        // Role escalation prevention: caller cannot create key with higher role
-        const callerRank = ROLE_RANK[caller.role] ?? 0;
-        const targetRank = ROLE_RANK[body.role] ?? 0;
-        if (targetRank > callerRank) {
-            throw new AccessKeyError("Cannot create key with higher role than your own", 403, "FORBIDDEN");
-        }
-        // Validate expireAt (if provided)
-        if (body.expireAt !== undefined && body.expireAt !== null) {
-            const expireDate = new Date(body.expireAt);
-            if (Number.isNaN(expireDate.getTime())) {
-                throw new AccessKeyError("Invalid expireAt date", 400, "VALIDATION_ERROR");
-            }
-            if (expireDate < new Date()) {
-                throw new AccessKeyError("expireAt must be in the future", 400, "VALIDATION_ERROR");
-            }
-        }
-        // Truncate remark
-        const remark = (body.remark ?? "").slice(0, MAX_REMARK_LENGTH);
-        // Generate access key
-        const key = generateAccessKey();
-        const stored = await this.store.createAccessKey({
-            accessKeyId: key.accessKeyId,
-            accessKeyPublic: key.accessKeyPublic,
-            role: body.role,
-            remark,
-            createdBy: caller.did,
-            expireAt: body.expireAt ?? null,
-            instanceDid,
-        });
-        // Audit log
-        await this.store.createAuditLog({
-            action: "accessKey.create",
-            operatorDid: caller.did,
-            metadata: { accessKeyId: key.accessKeyId, role: body.role, remark },
-            ip: caller.ip,
-            instanceDid,
-        });
-        return this.jsonResponse({
-            ...stored,
-            accessKeySecret: key.accessKeySecret,
-            createdByName: caller.displayName ?? null,
-        }, 201);
-    }
-    async handleGet(caller, accessKeyId, instanceDid) {
-        requirePermission(caller.role, "accessKey.view");
-        const key = await this.store.getAccessKeyById(accessKeyId);
-        if (!key) {
-            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
-        }
-        // Instance ownership check: only instance's own keys are visible
-        if (instanceDid && key.instanceDid !== instanceDid) {
-            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
-        }
-        // Non-admin users can only view their own keys
-        this.requireOwnership(caller, key.createdBy);
-        return this.jsonResponse(key);
-    }
-    async handleUpdate(caller, accessKeyId, request, instanceDid) {
-        requirePermission(caller.role, "accessKey.update");
-        const existing = await this.store.getAccessKeyById(accessKeyId);
-        if (!existing) {
-            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
-        }
-        // Instance ownership check: only instance's own keys are accessible
-        if (instanceDid && existing.instanceDid !== instanceDid) {
-            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
-        }
-        // Non-admin users can only update their own keys
-        this.requireOwnership(caller, existing.createdBy);
-        // Role-rank enforcement (admin+): cannot modify key with higher role
-        const callerRank = ROLE_RANK[caller.role] ?? 0;
-        if (callerRank >= ADMIN_RANK) {
-            const keyRank = ROLE_RANK[existing.role] ?? 0;
-            if (keyRank > callerRank) {
-                throw new AccessKeyError("Cannot modify key with higher role than your own", 403, "FORBIDDEN");
-            }
-        }
-        const body = await this.parseJSON(request);
-        // Validate expireAt
-        if (body.expireAt !== undefined && body.expireAt !== null) {
-            const expireDate = new Date(body.expireAt);
-            if (Number.isNaN(expireDate.getTime())) {
-                throw new AccessKeyError("Invalid expireAt date", 400, "VALIDATION_ERROR");
-            }
-        }
-        // Truncate remark
-        const update = {};
-        if (body.remark !== undefined) {
-            update.remark = body.remark.slice(0, MAX_REMARK_LENGTH);
-        }
-        if ("expireAt" in body) {
-            update.expireAt = body.expireAt;
-        }
-        const updated = await this.store.updateAccessKey(accessKeyId, update);
-        // Audit log
-        await this.store.createAuditLog({
-            action: "accessKey.update",
-            operatorDid: caller.did,
-            targetDid: accessKeyId,
-            metadata: update,
-            ip: caller.ip,
-            instanceDid,
-        });
-        return this.jsonResponse(updated);
-    }
-    async handleDelete(caller, accessKeyId, instanceDid) {
-        requirePermission(caller.role, "accessKey.delete");
-        const existing = await this.store.getAccessKeyById(accessKeyId);
-        if (!existing) {
-            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
-        }
-        // Instance ownership check: only instance's own keys are accessible
-        if (instanceDid && existing.instanceDid !== instanceDid) {
-            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
-        }
-        // Non-admin users can only delete their own keys
-        this.requireOwnership(caller, existing.createdBy);
-        // Role-rank enforcement (admin+): cannot delete key with higher role
-        const callerRank = ROLE_RANK[caller.role] ?? 0;
-        if (callerRank >= ADMIN_RANK) {
-            const keyRank = ROLE_RANK[existing.role] ?? 0;
-            if (keyRank > callerRank) {
-                throw new AccessKeyError("Cannot delete key with higher role than your own", 403, "FORBIDDEN");
-            }
-        }
-        await this.store.deleteAccessKey(accessKeyId);
-        // Audit log
-        await this.store.createAuditLog({
-            action: "accessKey.delete",
-            operatorDid: caller.did,
-            targetDid: accessKeyId,
-            metadata: { role: existing.role },
-            ip: caller.ip,
-            instanceDid,
-        });
-        return new Response(null, { status: 204 });
-    }
-    // ─── Helpers ─────────────────────────────────────────────────────────
-    /** Non-admin callers can only operate on keys they created. Admin+ can operate on any key. */
-    requireOwnership(caller, keyCreatedBy) {
-        const callerRank = ROLE_RANK[caller.role] ?? 0;
-        if (callerRank >= ADMIN_RANK)
-            return; // admin+ can access all keys
-        if (caller.did !== keyCreatedBy) {
-            throw new AccessKeyError("Access key not found", 404, "NOT_FOUND");
-        }
-    }
-    jsonResponse(data, status = 200) {
-        return new Response(JSON.stringify(data), {
-            status,
-            headers: {
-                "Content-Type": "application/json",
-                "Cache-Control": "private, no-store",
-            },
-        });
-    }
-    errorResponse(message, status, code) {
-        return this.jsonResponse({ ok: false, error: message, code }, status);
-    }
-    async parseJSON(request) {
-        try {
-            return (await request.json());
-        }
-        catch {
-            throw new AccessKeyError("Invalid JSON body", 400, "VALIDATION_ERROR");
-        }
-    }
-}
-class AccessKeyError extends Error {
-    status;
-    code;
-    constructor(message, status, code) {
-        super(message);
-        this.status = status;
-        this.code = code;
-        this.name = "AccessKeyError";
-    }
-}
-//# sourceMappingURL=access-key-handler.js.map

package/dist/access-key-handler.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"access-key-handler.js","sourceRoot":"","sources":["../src/access-key-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAEhE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAItE,MAAM,QAAQ,GAAG,sCAAsC,CAAC;AACxD,MAAM,SAAS,GAA2B,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;AACtF,MAAM,UAAU,GAAG,CAAC,CAAC;AACrB,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,aAAa,GAAG,GAAG,CAAC;AAC1B,MAAM,WAAW,GAAW,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;AAOlE,MAAM,OAAO,gBAAgB;IACnB,KAAK,CAAU;IACf,OAAO,CAAO;IACd,OAAO,CAAS;IAExB,YAAY,OAA6D;QACvE,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,QAAQ,IAAI,QAAQ,CAAC;IAC9C,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,KAAK,CAAC,OAAgB,EAAE,WAAoB;QAChD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEzB,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;QACxD,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;IACzD,CAAC;IAEO,KAAK,CAAC,SAAS,CACrB,OAAgB,EAChB,IAAY,EACZ,GAAQ,EACR,WAAoB;QAEpB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAE9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YAEvE,cAAc;YACd,IAAI,MAAM,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBACrC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;YACzD,CAAC;YAED,iBAAiB;YACjB,IAAI,MAAM,KAAK,MAAM,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBACtC,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;YAC/D,CAAC;YAED,6BAA6B;YAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YAC1C,IAAI,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;YAEvE,MAAM,WAAW,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC,CAAC;YAEpD,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACrB,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;YAChE,CAAC;YACD,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACrB,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACxB,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;YACnE,CAAC;YAED,OAAO,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QAC3D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,cAAc,EAAE,CAAC;gBAClC,OAAO,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;YAC/D,CAAC;YACD,IAAI,GAAG,YAAY,eAAe,EAAE,CAAC;gBACnC,OAAO,IAAI,CAAC,aAAa,CAAC,0BAA0B,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;YAC1E,CAAC;YACD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC;YACtE,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,wEAAwE;IAEhE,KAAK,CAAC,sBAAsB,CAClC,OAAgB,EAChB,WAAoB;QAEpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACtD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,cAAc,CAAC,yBAAyB,EAAE,GAAG,EAAE,iBAAiB,CAAC,CAAC;QAC9E,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACvD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,cAAc,CAAC,gBAAgB,EAAE,GAAG,EAAE,iBAAiB,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,cAAc,CAAC,iBAAiB,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;QAC9D,CAAC;QAED,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,SAAS,CAAC;QAEhE,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,aAAa,GAAG,MAAM,mBAAmB,CAC7C,IAAI,CAAC,KAAK,EACV,MAAM,CAAC,GAAG,EACV,WAAW,EACX,IAAI,CAAC,IAAI,IAAI,SAAS,CACvB,CAAC;YACF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,MAAM,IAAI,cAAc,CAAC,+BAA+B,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;YAC9E,CAAC;YACD,OAAO,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QAChD,CAAC;QAED,OAAO;YACL,GAAG,MAAM;YACT,IAAI,EAAG,MAAM,CAAC,IAAa,IAAK,IAAI,CAAC,IAAa,IAAI,OAAO;YAC7D,EAAE;SACH,CAAC;IACJ,CAAC;IAED,wEAAwE;IAEhE,KAAK,CAAC,UAAU,CACtB,MAA2B,EAC3B,GAAQ,EACR,WAAoB;QAEpB,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;QAEjD,IAAI,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;QACpE,IAAI,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC;QAC7E,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC;QAE3D,IAAI,IAAI,GAAG,CAAC;YAAE,IAAI,GAAG,CAAC,CAAC;QACvB,IAAI,QAAQ,GAAG,aAAa;YAAE,QAAQ,GAAG,aAAa,CAAC;QACvD,IAAI,QAAQ,GAAG,CAAC;YAAE,QAAQ,GAAG,EAAE,CAAC;QAEhC,0CAA0C;QAC1C,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,SAAS,GAAG,UAAU,IAAI,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;QAEpE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;YAC5C,IAAI;YACJ,QAAQ;YACR,MAAM;YACN,SAAS;YACT,WAAW;SACZ,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,YAAY,CAAC,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,MAA2B,EAC3B,OAAgB,EAChB,WAAoB;QAEpB,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;QAEnD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAI9B,OAAO,CAAC,CAAC;QAEZ,gBAAgB;QAChB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,MAAM,IAAI,cAAc,CAAC,8BAA8B,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACpF,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAY,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,cAAc,CACtB,iBAAiB,IAAI,CAAC,IAAI,qBAAqB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EACvE,GAAG,EACH,kBAAkB,CACnB,CAAC;QACJ,CAAC;QAED,wEAAwE;QACxE,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,UAAU,GAAG,UAAU,EAAE,CAAC;YAC5B,MAAM,IAAI,cAAc,CACtB,kDAAkD,EAClD,GAAG,EACH,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,kCAAkC;QAClC,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;YAC1D,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC3C,IAAI,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;gBACvC,MAAM,IAAI,cAAc,CAAC,uBAAuB,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;YAC7E,CAAC;YACD,IAAI,UAAU,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBAC5B,MAAM,IAAI,cAAc,CAAC,gCAAgC,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;YACtF,CAAC;QACH,CAAC;QAED,kBAAkB;QAClB,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC;QAE/D,sBAAsB;QACtB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;QAChC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC;YAC9C,WAAW,EAAE,GAAG,CAAC,WAAW;YAC5B,eAAe,EAAE,GAAG,CAAC,eAAe;YACpC,IAAI,EAAE,IAAI,CAAC,IAAY;YACvB,MAAM;YACN,SAAS,EAAE,MAAM,CAAC,GAAG;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;YAC/B,WAAW;SACZ,CAAC,CAAC;QAEH,YAAY;QACZ,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC;YAC9B,MAAM,EAAE,kBAAkB;YAC1B,WAAW,EAAE,MAAM,CAAC,GAAG;YACvB,QAAQ,EAAE,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE;YACnE,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,WAAW;SACZ,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,YAAY,CACtB;YACE,GAAG,MAAM;YACT,eAAe,EAAE,GAAG,CAAC,eAAe;YACpC,aAAa,EAAE,MAAM,CAAC,WAAW,IAAI,IAAI;SAC1C,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,SAAS,CACrB,MAA2B,EAC3B,WAAmB,EACnB,WAAoB;QAEpB,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;QAEjD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAC3D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,iEAAiE;QACjE,IAAI,WAAW,IAAI,GAAG,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;YACnD,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,+CAA+C;QAC/C,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC;QAE7C,OAAO,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,MAA2B,EAC3B,WAAmB,EACnB,OAAgB,EAChB,WAAoB;QAEpB,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;QAEnD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,oEAAoE;QACpE,IAAI,WAAW,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;YACxD,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,iDAAiD;QACjD,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;QAElD,qEAAqE;QACrE,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,UAAU,IAAI,UAAU,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9C,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBACzB,MAAM,IAAI,cAAc,CACtB,kDAAkD,EAClD,GAAG,EACH,WAAW,CACZ,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAG9B,OAAO,CAAC,CAAC;QAEZ,oBAAoB;QACpB,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;YAC1D,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC3C,IAAI,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;gBACvC,MAAM,IAAI,cAAc,CAAC,uBAAuB,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;QAED,kBAAkB;QAClB,MAAM,MAAM,GAAkD,EAAE,CAAC;QACjE,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC;QAC1D,CAAC;QACD,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAEtE,YAAY;QACZ,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC;YAC9B,MAAM,EAAE,kBAAkB;YAC1B,WAAW,EAAE,MAAM,CAAC,GAAG;YACvB,SAAS,EAAE,WAAW;YACtB,QAAQ,EAAE,MAAM;YAChB,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,WAAW;SACZ,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IACpC,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,MAA2B,EAC3B,WAAmB,EACnB,WAAoB;QAEpB,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;QAEnD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,oEAAoE;QACpE,IAAI,WAAW,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;YACxD,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAED,iDAAiD;QACjD,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;QAElD,qEAAqE;QACrE,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,UAAU,IAAI,UAAU,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9C,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBACzB,MAAM,IAAI,cAAc,CACtB,kDAAkD,EAClD,GAAG,EACH,WAAW,CACZ,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAE9C,YAAY;QACZ,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC;YAC9B,MAAM,EAAE,kBAAkB;YAC1B,WAAW,EAAE,MAAM,CAAC,GAAG;YACvB,SAAS,EAAE,WAAW;YACtB,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE;YACjC,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,WAAW;SACZ,CAAC,CAAC;QAEH,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,wEAAwE;IAExE,8FAA8F;IACtF,gBAAgB,CAAC,MAA2B,EAAE,YAAoB;QACxE,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,UAAU,IAAI,UAAU;YAAE,OAAO,CAAC,6BAA6B;QACnE,IAAI,MAAM,CAAC,GAAG,KAAK,YAAY,EAAE,CAAC;YAChC,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAEO,YAAY,CAAC,IAAa,EAAE,MAAM,GAAG,GAAG;QAC9C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;YACxC,MAAM;YACN,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,eAAe,EAAE,mBAAmB;aACrC;SACF,CAAC,CAAC;IACL,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,MAAc,EAAE,IAAY;QACjE,OAAO,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IACxE,CAAC;IAEO,KAAK,CAAC,SAAS,CAAI,OAAgB;QACzC,IAAI,CAAC;YACH,OAAO,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAM,CAAC;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,cAAc,CAAC,mBAAmB,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;CACF;AAED,MAAM,cAAe,SAAQ,KAAK;IAGvB;IACA;IAHT,YACE,OAAe,EACR,MAAc,EACd,IAAY;QAEnB,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,WAAM,GAAN,MAAM,CAAQ;QACd,SAAI,GAAJ,IAAI,CAAQ;QAGnB,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF"}

package/dist/access-key-util.d.ts

@@ -1,19 +0,0 @@
-/**
- * Generate a new access key (keypair-based).
- * Returns accessKeyId (DID), accessKeyPublic (for DB storage), and accessKeySecret (shown once).
- */
-export declare function generateAccessKey(): {
-    accessKeyId: string;
-    accessKeyPublic: string;
-    accessKeySecret: string;
-};
-/**
- * Check if a token string looks like an access key token (blocklet-<base58(publicKey)>).
- */
-export declare function isAccessKeyToken(token: unknown): boolean;
-/**
- * Derive the accessKeyId (DID) from an access key token.
- * Returns null if the token is invalid or cannot be decoded.
- */
-export declare function deriveAccessKeyId(token: string): string | null;
-//# sourceMappingURL=access-key-util.d.ts.map

package/dist/access-key-util.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"access-key-util.d.ts","sourceRoot":"","sources":["../src/access-key-util.ts"],"names":[],"mappings":"AAOA;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;CACzB,CAOA;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAKxD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAS9D"}

package/dist/access-key-util.js

@@ -1,45 +0,0 @@
-import { fromBase58, toBase58 } from "@ocap/util";
-import { fromPublicKey, fromRandom } from "@ocap/wallet";
-const ACCESS_KEY_PREFIX = "blocklet-";
-// Valid base58 format: 'z' multibase prefix + base58btc characters (typically 44 chars for Ed25519 32-byte key)
-const BASE58_RE = /^z[1-9A-HJ-NP-Za-km-z]{30,50}$/;
-/**
- * Generate a new access key (keypair-based).
- * Returns accessKeyId (DID), accessKeyPublic (for DB storage), and accessKeySecret (shown once).
- */
-export function generateAccessKey() {
-    const wallet = fromRandom();
-    return {
-        accessKeyId: wallet.address,
-        accessKeyPublic: wallet.publicKey,
-        accessKeySecret: `${ACCESS_KEY_PREFIX}${toBase58(wallet.publicKey)}`,
-    };
-}
-/**
- * Check if a token string looks like an access key token (blocklet-<base58(publicKey)>).
- */
-export function isAccessKeyToken(token) {
-    if (typeof token !== "string")
-        return false;
-    if (!token.startsWith(ACCESS_KEY_PREFIX))
-        return false;
-    const pk = token.slice(ACCESS_KEY_PREFIX.length);
-    return BASE58_RE.test(pk);
-}
-/**
- * Derive the accessKeyId (DID) from an access key token.
- * Returns null if the token is invalid or cannot be decoded.
- */
-export function deriveAccessKeyId(token) {
-    try {
-        if (!isAccessKeyToken(token))
-            return null;
-        const b58 = token.slice(ACCESS_KEY_PREFIX.length);
-        const wallet = fromPublicKey(fromBase58(b58));
-        return wallet.address;
-    }
-    catch {
-        return null;
-    }
-}
-//# sourceMappingURL=access-key-util.js.map

package/dist/access-key-util.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"access-key-util.js","sourceRoot":"","sources":["../src/access-key-util.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAEzD,MAAM,iBAAiB,GAAG,WAAW,CAAC;AACtC,gHAAgH;AAChH,MAAM,SAAS,GAAG,gCAAgC,CAAC;AAEnD;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAK/B,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,OAAO;QAC3B,eAAe,EAAE,MAAM,CAAC,SAAS;QACjC,eAAe,EAAE,GAAG,iBAAiB,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE;KACrE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAc;IAC7C,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,iBAAiB,CAAC;QAAE,OAAO,KAAK,CAAC;IACvD,MAAM,EAAE,GAAG,KAAK,CAAC,KAAK,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC5B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,CAAC;QACH,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC1C,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAClD,MAAM,MAAM,GAAG,aAAa,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9C,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/access-policy.d.ts

@@ -1,53 +0,0 @@
-/**
- * Access policy enforcement logic — evaluates route-level access control.
- *
- * Pure functions, no I/O. Used by both the team-handler (API) and the
- * Workers portal middleware (enforcement).
- */
-import type { AccessType, Role } from "./types.js";
-export interface RuleWithPolicy {
-    pathPattern: string;
-    priority: number;
-    id?: string;
-    roles: string | null;
-    reverse: number;
-    enabled?: number;
-}
-export interface AccessResult {
-    allowed: boolean;
-    reason?: "unauthenticated" | "unauthorized" | "no_matching_rule";
-    requiredRoles?: string[];
-}
-/**
- * Evaluate access for a request path against sorted rules + policies.
- *
- * @param rules  - Active rules with inlined policy data (from store.getActiveRulesWithPolicies)
- * @param requestPath - The URL pathname being accessed
- * @param caller - Authenticated caller with role, or null if unauthenticated
- */
-export declare function evaluateAccess(rules: RuleWithPolicy[], requestPath: string, caller: {
-    role: Role;
-} | null): AccessResult;
-/**
- * Convert glob pattern to RegExp.
- *   *    → matches one path segment (no slashes)
- *   **   → matches zero or more path segments (including slashes)
- *   :name → matches one path segment (named, for readability)
- */
-export declare function globToRegex(pattern: string): RegExp;
-export declare function matchPattern(pattern: string, path: string): boolean;
-/**
- * Convert API-level accessType + roles to DB-level roles (JSON) + reverse.
- */
-export declare function accessTypeToDb(accessType: AccessType, roles?: string[]): {
-    roles: string | null;
-    reverse: number;
-};
-/**
- * Convert DB-level roles + reverse to API-level accessType + parsed roles.
- */
-export declare function dbToAccessType(rolesJson: string | null, reverse: number): {
-    accessType: AccessType;
-    roles?: string[];
-};
-//# sourceMappingURL=access-policy.d.ts.map

package/dist/access-policy.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"access-policy.d.ts","sourceRoot":"","sources":["../src/access-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAInD,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,iBAAiB,GAAG,cAAc,GAAG,kBAAkB,CAAC;IACjE,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B;AAID;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,cAAc,EAAE,EACvB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE;IAAE,IAAI,EAAE,IAAI,CAAA;CAAE,GAAG,IAAI,GAC5B,YAAY,CAmBd;AA+CD;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAyBnD;AAED,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAEnE;AAID;;GAEG;AACH,wBAAgB,cAAc,CAC5B,UAAU,EAAE,UAAU,EACtB,KAAK,CAAC,EAAE,MAAM,EAAE,GACf;IAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAiB3C;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,OAAO,EAAE,MAAM,GACd;IAAE,UAAU,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,CAwB9C"}

package/dist/access-policy.js

@@ -1,153 +0,0 @@
-/**
- * Access policy enforcement logic — evaluates route-level access control.
- *
- * Pure functions, no I/O. Used by both the team-handler (API) and the
- * Workers portal middleware (enforcement).
- */
-// ─── Evaluation ───────────────────────────────────────────────────────────
-/**
- * Evaluate access for a request path against sorted rules + policies.
- *
- * @param rules  - Active rules with inlined policy data (from store.getActiveRulesWithPolicies)
- * @param requestPath - The URL pathname being accessed
- * @param caller - Authenticated caller with role, or null if unauthenticated
- */
-export function evaluateAccess(rules, requestPath, caller) {
-    // 1. Sort rules by priority ascending, 'default' rule last
-    const sorted = rules
-        .filter((r) => r.enabled !== 0)
-        .sort((a, b) => {
-        if (a.id === "default")
-            return 1;
-        if (b.id === "default")
-            return -1;
-        return a.priority - b.priority;
-    });
-    // 2. Find first matching rule
-    for (const rule of sorted) {
-        if (matchPattern(rule.pathPattern, requestPath)) {
-            return checkPolicy(rule.roles, rule.reverse, caller);
-        }
-    }
-    // 3. No rule matched → deny (should not happen if default rule exists)
-    return { allowed: false, reason: "no_matching_rule" };
-}
-/**
- * Check a single policy against a caller.
- */
-function checkPolicy(rolesJson, reverse, caller) {
-    const roles = rolesJson !== null ? JSON.parse(rolesJson) : null;
-    const isReverse = reverse === 1;
-    // Public: roles is NULL and reverse is false
-    if (roles === null && !isReverse) {
-        return { allowed: true };
-    }
-    // Any non-public policy requires authentication
-    if (!caller) {
-        return { allowed: false, reason: "unauthenticated" };
-    }
-    // Invited-only: empty roles array with reverse=true → any logged-in user
-    if (roles !== null && roles.length === 0 && isReverse) {
-        return { allowed: true };
-    }
-    // Role-based check
-    if (roles !== null && roles.length > 0) {
-        const allowedRoles = isReverse
-            ? ["owner", "admin", "member", "guest"].filter((r) => !roles.includes(r))
-            : roles;
-        if (allowedRoles.includes(caller.role)) {
-            return { allowed: true };
-        }
-        return { allowed: false, reason: "unauthorized", requiredRoles: allowedRoles };
-    }
-    // Fallback: if roles is empty array and reverse is false → no one can access
-    return { allowed: false, reason: "unauthorized" };
-}
-// ─── Pattern Matching ─────────────────────────────────────────────────────
-/**
- * Convert glob pattern to RegExp.
- *   *    → matches one path segment (no slashes)
- *   **   → matches zero or more path segments (including slashes)
- *   :name → matches one path segment (named, for readability)
- */
-export function globToRegex(pattern) {
-    if (pattern === "*")
-        return /^.*$/; // special: match everything
-    let regex = "^";
-    let i = 0;
-    while (i < pattern.length) {
-        if (pattern[i] === "*" && pattern[i + 1] === "*") {
-            regex += ".*";
-            i += 2;
-            if (pattern[i] === "/")
-                i++; // skip trailing slash after **
-        }
-        else if (pattern[i] === "*") {
-            regex += "[^/]+";
-            i++;
-        }
-        else if (pattern[i] === ":") {
-            // Named param: consume until / or end
-            regex += "[^/]+";
-            i++;
-            while (i < pattern.length && pattern[i] !== "/")
-                i++;
-        }
-        else {
-            regex += pattern[i].replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-            i++;
-        }
-    }
-    regex += "$";
-    return new RegExp(regex);
-}
-export function matchPattern(pattern, path) {
-    return globToRegex(pattern).test(path);
-}
-// ─── AccessType ↔ DB conversion ──────────────────────────────────────────
-/**
- * Convert API-level accessType + roles to DB-level roles (JSON) + reverse.
- */
-export function accessTypeToDb(accessType, roles) {
-    switch (accessType) {
-        case "public":
-            return { roles: null, reverse: 0 };
-        case "invited":
-            return { roles: "[]", reverse: 1 };
-        case "owner":
-            return { roles: '["owner"]', reverse: 0 };
-        case "admin":
-            return { roles: '["owner","admin"]', reverse: 0 };
-        case "roles":
-            return { roles: JSON.stringify(roles ?? []), reverse: 0 };
-        case "roles_reverse":
-            return { roles: JSON.stringify(roles ?? []), reverse: 1 };
-        default:
-            return { roles: null, reverse: 0 };
-    }
-}
-/**
- * Convert DB-level roles + reverse to API-level accessType + parsed roles.
- */
-export function dbToAccessType(rolesJson, reverse) {
-    if (rolesJson === null && reverse === 0) {
-        return { accessType: "public" };
-    }
-    const roles = rolesJson !== null ? JSON.parse(rolesJson) : [];
-    if (roles.length === 0 && reverse === 1) {
-        return { accessType: "invited" };
-    }
-    // Check for built-in presets
-    if (reverse === 0 && roles.length === 1 && roles[0] === "owner") {
-        return { accessType: "owner" };
-    }
-    if (reverse === 0 && roles.length === 2 && roles.includes("owner") && roles.includes("admin")) {
-        return { accessType: "admin" };
-    }
-    // Custom roles
-    if (reverse === 1) {
-        return { accessType: "roles_reverse", roles };
-    }
-    return { accessType: "roles", roles };
-}
-//# sourceMappingURL=access-policy.js.map

package/dist/access-policy.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"access-policy.js","sourceRoot":"","sources":["../src/access-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAqBH,6EAA6E;AAE7E;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,KAAuB,EACvB,WAAmB,EACnB,MAA6B;IAE7B,2DAA2D;IAC3D,MAAM,MAAM,GAAG,KAAK;SACjB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC;SAC9B,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACb,IAAI,CAAC,CAAC,EAAE,KAAK,SAAS;YAAE,OAAO,CAAC,CAAC;QACjC,IAAI,CAAC,CAAC,EAAE,KAAK,SAAS;YAAE,OAAO,CAAC,CAAC,CAAC;QAClC,OAAO,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;IACjC,CAAC,CAAC,CAAC;IAEL,8BAA8B;IAC9B,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;QAC1B,IAAI,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;YAChD,OAAO,WAAW,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAClB,SAAwB,EACxB,OAAe,EACf,MAA6B;IAE7B,MAAM,KAAK,GAAoB,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACjF,MAAM,SAAS,GAAG,OAAO,KAAK,CAAC,CAAC;IAEhC,6CAA6C;IAC7C,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,gDAAgD;IAChD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACvD,CAAC;IAED,yEAAyE;IACzE,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;QACtD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,mBAAmB;IACnB,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,YAAY,GAAG,SAAS;YAC5B,CAAC,CAAE,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;YACvF,CAAC,CAAC,KAAK,CAAC;QAEV,IAAI,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC;IACjF,CAAC;IAED,6EAA6E;IAC7E,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;AACpD,CAAC;AAED,6EAA6E;AAE7E;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,MAAM,CAAC,CAAC,4BAA4B;IAEhE,IAAI,KAAK,GAAG,GAAG,CAAC;IAChB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QAC1B,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACjD,KAAK,IAAI,IAAI,CAAC;YACd,CAAC,IAAI,CAAC,CAAC;YACP,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG;gBAAE,CAAC,EAAE,CAAC,CAAC,+BAA+B;QAC9D,CAAC;aAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YAC9B,KAAK,IAAI,OAAO,CAAC;YACjB,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YAC9B,sCAAsC;YACtC,KAAK,IAAI,OAAO,CAAC;YACjB,CAAC,EAAE,CAAC;YACJ,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG;gBAAE,CAAC,EAAE,CAAC;QACvD,CAAC;aAAM,CAAC;YACN,KAAK,IAAI,OAAO,CAAC,CAAC,CAAE,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;YAC5D,CAAC,EAAE,CAAC;QACN,CAAC;IACH,CAAC;IACD,KAAK,IAAI,GAAG,CAAC;IACb,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,OAAe,EAAE,IAAY;IACxD,OAAO,WAAW,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACzC,CAAC;AAED,4EAA4E;AAE5E;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,UAAsB,EACtB,KAAgB;IAEhB,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,QAAQ;YACX,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QACrC,KAAK,SAAS;YACZ,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QACrC,KAAK,OAAO;YACV,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QAC5C,KAAK,OAAO;YACV,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QACpD,KAAK,OAAO;YACV,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QAC5D,KAAK,eAAe;YAClB,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QAC5D;YACE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IACvC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,SAAwB,EACxB,OAAe;IAEf,IAAI,SAAS,KAAK,IAAI,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;QACxC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;IAClC,CAAC;IAED,MAAM,KAAK,GAAa,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAExE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;QACxC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;IACnC,CAAC;IAED,6BAA6B;IAC7B,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,OAAO,EAAE,CAAC;QAChE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;IACjC,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9F,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;IACjC,CAAC;IAED,eAAe;IACf,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;IAChD,CAAC;IACD,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AACxC,CAAC"}

package/dist/auth-client.d.ts

@@ -1,20 +0,0 @@
-/**
- * Consumer-side helper for Auth Worker Service Binding.
- *
- * Usage:
- *   import { createAuthClient, getCookie } from '@arcblock/did-connect-cloudflare/client';
- *   const client = createAuthClient(env.AUTH);
- *   const caller = await client.verify(request);
- */
-import type { AuthRPCInterface, CallerIdentityDTO } from "./auth-rpc-types.js";
-/** Extract a named cookie value from a Request. */
-export declare function getCookie(request: Request, name: string): string | null;
-/** Create a typed client wrapper around an AuthRPC binding. */
-export declare function createAuthClient(binding: AuthRPCInterface): {
-    verify(request: Request): Promise<CallerIdentityDTO | null>;
-    verifyFull(request: Request): Promise<CallerIdentityDTO | null>;
-    resolveIdentity(request: Request, instanceDid?: string): Promise<CallerIdentityDTO | null>;
-    /** Return a redirect-to-login or 401 response for unauthenticated requests. */
-    unauthorized(request: Request): Response;
-};
-//# sourceMappingURL=auth-client.d.ts.map

package/dist/auth-client.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-client.d.ts","sourceRoot":"","sources":["../src/auth-client.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAE/E,mDAAmD;AACnD,wBAAgB,SAAS,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKvE;AAED,+DAA+D;AAC/D,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,gBAAgB;oBAEhC,OAAO,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;wBAKvC,OAAO,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;6BAM1D,OAAO,gBACF,MAAM,GACnB,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAMpC,+EAA+E;0BACzD,OAAO,GAAG,QAAQ;EAO3C"}