@arcblock/did-connect-service 4.0.4 → 4.0.6

package/dist/auth-rpc.d.ts

@@ -1,80 +0,0 @@
-/**
- * AuthRPCImpl — Core RPC logic for Auth Worker Service Binding.
- *
- * This class implements all RPC methods using raw values (JWT strings,
- * header strings) instead of Request objects, making it testable without
- * Cloudflare runtime. The actual WorkerEntrypoint subclass (in auth-worker.ts)
- * delegates to this class.
- */
-import type { AuditLogDTO, CallerIdentityDTO, CreateAuditLogInput, MemberWithUserInfoDTO, RegisterAppConfig, RuleWithPolicyDTO, StoredMembershipDTO, StoredUserDTO } from "./auth-rpc-types.js";
-export declare class AuthRPCImpl {
-    private readonly db;
-    private readonly jwtSecret;
-    private _store?;
-    constructor(db: D1Database, jwtSecret: string);
-    private store;
-    /** Lightweight verify: JWT signature check only, no D1. */
-    verify(jwt: string): Promise<CallerIdentityDTO | null>;
-    /** Full verify: JWT + DB user existence + approval status. */
-    verifyFull(jwt: string): Promise<CallerIdentityDTO | null>;
-    /** Resolve identity: Access Key (Bearer) first, then JWT fallback. */
-    resolveIdentity(jwt: string | null, authorizationHeader: string | null, instanceDid?: string): Promise<CallerIdentityDTO | null>;
-    /** Access policy evaluation — returns serialized decision. */
-    enforceAccess(jwt: string | null, authorizationHeader: string | null, pathname: string, instanceDid?: string): Promise<{
-        allowed: true;
-        caller: CallerIdentityDTO | null;
-    } | {
-        allowed: false;
-        status: 401 | 403;
-    }>;
-    getMembership(userDid: string, instanceDid: string): Promise<StoredMembershipDTO | null>;
-    listMemberships(instanceDid: string): Promise<StoredMembershipDTO[]>;
-    listMembershipsWithUserInfo(instanceDid: string): Promise<MemberWithUserInfoDTO[]>;
-    createMembership(userDid: string, instanceDid: string, role: string, invitedBy?: string): Promise<void>;
-    updateMembershipRole(userDid: string, instanceDid: string, role: string): Promise<void>;
-    deleteMembership(userDid: string, instanceDid: string): Promise<void>;
-    deleteMembershipsByInstance(instanceDid: string): Promise<void>;
-    getSetting(instanceDid: string, key: string): Promise<string | null>;
-    setSetting(instanceDid: string, key: string, value: string): Promise<void>;
-    listSettings(instanceDid: string): Promise<{
-        key: string;
-        value: string | null;
-        updated_at: string;
-    }[]>;
-    deleteSetting(instanceDid: string, key: string): Promise<void>;
-    getAuditLogsForInstance(instanceDid: string, opts: {
-        page: number;
-        pageSize: number;
-        action?: string;
-    }): Promise<{
-        logs: AuditLogDTO[];
-        total: number;
-    }>;
-    getAuditLogById(id: number, instanceDid: string): Promise<AuditLogDTO | null>;
-    createAuditLog(input: CreateAuditLogInput): Promise<void>;
-    getActiveRulesForInstance(instanceDid: string): Promise<RuleWithPolicyDTO[]>;
-    seedInstanceDefaults(instanceDid: string): Promise<void>;
-    getUserByDid(did: string): Promise<StoredUserDTO | null>;
-    createUser(params: {
-        did: string;
-        pk: string;
-        fullName?: string;
-        email?: string;
-        avatar?: string;
-        sourceProvider: string;
-        ip?: string;
-        domain?: string;
-    }): Promise<void>;
-    updateLastLogin(did: string, ip?: string, domain?: string): Promise<void>;
-    saveChallenge(id: string, challenge: string, invitationId?: string): Promise<void>;
-    getChallenge(id: string): Promise<{
-        challenge: string;
-        invitationId: string | null;
-    } | null>;
-    deleteChallenge(id: string): Promise<void>;
-    registerApp(config: RegisterAppConfig): Promise<{
-        instanceDid: string;
-    }>;
-    private resolveAccessKey;
-}
-//# sourceMappingURL=auth-rpc.d.ts.map

package/dist/auth-rpc.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-rpc.d.ts","sourceRoot":"","sources":["../src/auth-rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAOH,OAAO,KAAK,EACV,WAAW,EACX,iBAAiB,EACjB,mBAAmB,EACnB,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,aAAa,EACd,MAAM,qBAAqB,CAAC;AAM7B,qBAAa,WAAW;IAIpB,OAAO,CAAC,QAAQ,CAAC,EAAE;IACnB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAJ5B,OAAO,CAAC,MAAM,CAAC,CAAU;gBAGN,EAAE,EAAE,UAAU,EACd,SAAS,EAAE,MAAM;IAGpC,OAAO,CAAC,KAAK;IAOb,2DAA2D;IACrD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAU5D,8DAA8D;IACxD,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAehE,sEAAsE;IAChE,eAAe,CACnB,GAAG,EAAE,MAAM,GAAG,IAAI,EAClB,mBAAmB,EAAE,MAAM,GAAG,IAAI,EAClC,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAyBpC,8DAA8D;IACxD,aAAa,CACjB,GAAG,EAAE,MAAM,GAAG,IAAI,EAClB,mBAAmB,EAAE,MAAM,GAAG,IAAI,EAClC,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CACN;QAAE,OAAO,EAAE,IAAI,CAAC;QAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAAA;KAAE,GACnD;QAAE,OAAO,EAAE,KAAK,CAAC;QAAC,MAAM,EAAE,GAAG,GAAG,GAAG,CAAA;KAAE,CACxC;IAyDK,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAIxF,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,EAAE,CAAC;IAIpE,2BAA2B,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAIlF,gBAAgB,CACpB,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,MAAM,EACZ,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC;IAIV,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvF,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrE,2BAA2B,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/D,UAAU,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAIpE,UAAU,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI1E,YAAY,CAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAIjE,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI9D,uBAAuB,CAC3B,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GACxD,OAAO,CAAC;QAAE,IAAI,EAAE,WAAW,EAAE,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAO5C,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAI7E,cAAc,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzD,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAI5E,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMxD,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAcxD,UAAU,CAAC,MAAM,EAAE;QACvB,GAAG,EAAE,MAAM,CAAC;QACZ,EAAE,EAAE,MAAM,CAAC;QACX,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,cAAc,EAAE,MAAM,CAAC;QACvB,EAAE,CAAC,EAAE,MAAM,CAAC;QACZ,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,OAAO,CAAC,IAAI,CAAC;IAIX,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzE,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIlF,YAAY,CAChB,EAAE,EAAE,MAAM,GACT,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,GAAG,IAAI,CAAC;IAI/D,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI1C,WAAW,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC;YAoBhE,gBAAgB;CAoC/B"}

package/dist/auth-rpc.js

@@ -1,257 +0,0 @@
-/**
- * AuthRPCImpl — Core RPC logic for Auth Worker Service Binding.
- *
- * This class implements all RPC methods using raw values (JWT strings,
- * header strings) instead of Request objects, making it testable without
- * Cloudflare runtime. The actual WorkerEntrypoint subclass (in auth-worker.ts)
- * delegates to this class.
- */
-import { deriveAccessKeyId, isAccessKeyToken, } from "./access/access-key-util.js";
-import { evaluateAccess } from "./access/access-policy.js";
-import { invalidateConfigCache } from "./auth-worker.js";
-import { verifyJWT } from "./identity/jwt.js";
-import { D1Store } from "./store/d1-store.js";
-export class AuthRPCImpl {
-    db;
-    jwtSecret;
-    _store;
-    constructor(db, jwtSecret) {
-        this.db = db;
-        this.jwtSecret = jwtSecret;
-    }
-    store() {
-        this._store ??= new D1Store(this.db);
-        return this._store;
-    }
-    // ── Layer 1: Auth Core ─────────────────────────────────────────────
-    /** Lightweight verify: JWT signature check only, no D1. */
-    async verify(jwt) {
-        const payload = await verifyJWT(jwt, this.jwtSecret);
-        if (!payload?.did || !payload.pk)
-            return null;
-        return {
-            did: payload.did,
-            pk: payload.pk,
-            displayName: payload.displayName,
-        };
-    }
-    /** Full verify: JWT + DB user existence + approval status. */
-    async verifyFull(jwt) {
-        const caller = await this.verify(jwt);
-        if (!caller)
-            return null;
-        const user = await this.store().getUserByDid(caller.did);
-        if (!user?.approved)
-            return null;
-        return {
-            ...caller,
-            displayName: user.fullName ?? caller.displayName,
-            role: user.role ?? "guest",
-            avatar: `/.well-known/service/avatar/${caller.did}`,
-        };
-    }
-    /** Resolve identity: Access Key (Bearer) first, then JWT fallback. */
-    async resolveIdentity(jwt, authorizationHeader, instanceDid) {
-        // 1. Try access key auth
-        if (authorizationHeader) {
-            const akCaller = await this.resolveAccessKey(authorizationHeader, instanceDid);
-            if (akCaller)
-                return akCaller;
-        }
-        // 2. Fall back to JWT
-        if (!jwt)
-            return null;
-        const jwtCaller = await this.verify(jwt);
-        if (!jwtCaller)
-            return null;
-        const user = await this.store().getUserByDid(jwtCaller.did);
-        if (user) {
-            return {
-                ...jwtCaller,
-                role: user.role ?? "guest",
-                avatar: `/.well-known/service/avatar/${jwtCaller.did}`,
-                authMethod: "passkey",
-                approved: !!user.approved,
-            };
-        }
-        return { ...jwtCaller, authMethod: "passkey" };
-    }
-    /** Access policy evaluation — returns serialized decision. */
-    async enforceAccess(jwt, authorizationHeader, pathname, instanceDid) {
-        // 1. Resolve caller identity
-        let callerIdentity = null;
-        let role = null;
-        let blocked = false;
-        if (authorizationHeader) {
-            const akCaller = await this.resolveAccessKey(authorizationHeader, instanceDid);
-            if (akCaller) {
-                callerIdentity = akCaller;
-                role = akCaller.role ?? null;
-                blocked = akCaller.approved === false;
-            }
-        }
-        if (!callerIdentity && jwt) {
-            const jwtCaller = await this.verify(jwt);
-            if (jwtCaller) {
-                callerIdentity = jwtCaller;
-                const user = await this.store().getUserByDid(jwtCaller.did);
-                if (user) {
-                    role = user.role ?? "guest";
-                    blocked = !user.approved;
-                    callerIdentity = { ...jwtCaller, role: role };
-                }
-            }
-        }
-        // 2. Load rules and evaluate
-        const rules = instanceDid
-            ? await this.store().getActiveRulesForInstance(instanceDid)
-            : await this.store().getActiveRulesWithPolicies();
-        const result = evaluateAccess(rules, pathname, role ? { role } : null);
-        // 3. Public routes: allow everyone, even blocked users
-        if (result.allowed) {
-            if (blocked) {
-                const publicCheck = evaluateAccess(rules, pathname, null);
-                if (!publicCheck.allowed) {
-                    return { allowed: false, status: 403 };
-                }
-            }
-            const caller = callerIdentity && !blocked
-                ? { ...callerIdentity, role: (role ?? undefined) }
-                : null;
-            return { allowed: true, caller };
-        }
-        // 4. Access denied
-        if (result.reason === "unauthenticated") {
-            return { allowed: false, status: 401 };
-        }
-        return { allowed: false, status: 403 };
-    }
-    // ── Layer 2: Data RPC ──────────────────────────────────────────────
-    async getMembership(userDid, instanceDid) {
-        return this.store().getMembership(userDid, instanceDid);
-    }
-    async listMemberships(instanceDid) {
-        return this.store().listMemberships(instanceDid);
-    }
-    async listMembershipsWithUserInfo(instanceDid) {
-        return this.store().listMembershipsWithUserInfo(instanceDid);
-    }
-    async createMembership(userDid, instanceDid, role, invitedBy) {
-        await this.store().createMembership(userDid, instanceDid, role, invitedBy);
-    }
-    async updateMembershipRole(userDid, instanceDid, role) {
-        await this.store().updateMembershipRole(userDid, instanceDid, role);
-    }
-    async deleteMembership(userDid, instanceDid) {
-        await this.store().deleteMembership(userDid, instanceDid);
-    }
-    async deleteMembershipsByInstance(instanceDid) {
-        await this.store().deleteMembershipsByInstance(instanceDid);
-    }
-    async getSetting(instanceDid, key) {
-        return this.store().getSetting(instanceDid, key);
-    }
-    async setSetting(instanceDid, key, value) {
-        await this.store().setSetting(instanceDid, key, value);
-    }
-    async listSettings(instanceDid) {
-        return this.store().listSettings(instanceDid);
-    }
-    async deleteSetting(instanceDid, key) {
-        await this.store().deleteSetting(instanceDid, key);
-    }
-    async getAuditLogsForInstance(instanceDid, opts) {
-        return this.store().getAuditLogsForInstance(instanceDid, opts);
-    }
-    async getAuditLogById(id, instanceDid) {
-        return this.store().getAuditLogById(id, instanceDid);
-    }
-    async createAuditLog(input) {
-        await this.store().createAuditLog(input);
-    }
-    async getActiveRulesForInstance(instanceDid) {
-        return this.store().getActiveRulesForInstance(instanceDid);
-    }
-    async seedInstanceDefaults(instanceDid) {
-        await this.store().seedInstanceDefaults(instanceDid);
-    }
-    // ── Layer 3: Lifecycle RPC ─────────────────────────────────────────
-    async getUserByDid(did) {
-        const user = await this.store().getUserByDid(did);
-        if (!user)
-            return null;
-        return {
-            did: user.did,
-            pk: user.pk,
-            fullName: user.fullName ?? undefined,
-            email: user.email ?? undefined,
-            avatar: user.avatar ?? undefined,
-            role: user.role ?? undefined,
-            approved: user.approved,
-        };
-    }
-    async createUser(params) {
-        await this.store().createUser(params);
-    }
-    async updateLastLogin(did, ip, domain) {
-        await this.store().updateLastLogin(did, ip, domain);
-    }
-    async saveChallenge(id, challenge, invitationId) {
-        await this.store().saveChallenge(id, challenge, invitationId);
-    }
-    async getChallenge(id) {
-        return this.store().getChallenge(id);
-    }
-    async deleteChallenge(id) {
-        await this.store().deleteChallenge(id);
-    }
-    async registerApp(config) {
-        const { instanceDid, appSk, appPsk, appName } = config;
-        const s = this.store();
-        // Use store.setSetting for each key — consistent with D1 schema constraints
-        await s.setSetting(instanceDid, "app:sk", appSk);
-        if (appPsk)
-            await s.setSetting(instanceDid, "app:psk", appPsk);
-        if (appName)
-            await s.setSetting(instanceDid, "app:name", appName);
-        // Invalidate config cache so next request picks up the new keys
-        invalidateConfigCache(instanceDid);
-        // Seed instance defaults (idempotent)
-        await s.seedInstanceDefaults(instanceDid);
-        return { instanceDid };
-    }
-    // ── Internal helpers ───────────────────────────────────────────────
-    async resolveAccessKey(authorizationHeader, instanceDid) {
-        const token = authorizationHeader.replace(/^Bearer\s+/i, "").trim();
-        if (!isAccessKeyToken(token))
-            return null;
-        const accessKeyId = deriveAccessKeyId(token);
-        if (!accessKeyId)
-            return null;
-        const key = await this.store().getAccessKeyById(accessKeyId);
-        if (!key)
-            return null;
-        // Check expiration
-        if (key.expireAt && new Date(key.expireAt) < new Date())
-            return null;
-        // Instance ownership check
-        if (instanceDid && key.instanceDid && key.instanceDid !== instanceDid)
-            return null;
-        // Check creator
-        const creator = await this.store().getUserByDid(key.createdBy);
-        if (!creator)
-            return null;
-        // Fire-and-forget: update lastUsedAt
-        this.store().refreshAccessKeyLastUsed(accessKeyId).catch(() => { });
-        return {
-            did: creator.did,
-            pk: creator.pk,
-            displayName: creator.fullName ?? undefined,
-            role: key.role,
-            authMethod: "access-key",
-            accessKeyId,
-            approved: !!creator.approved,
-        };
-    }
-}
-//# sourceMappingURL=auth-rpc.js.map

package/dist/auth-rpc.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-rpc.js","sourceRoot":"","sources":["../src/auth-rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,cAAc,EAAuB,MAAM,2BAA2B,CAAC;AAWhF,OAAO,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAG9C,MAAM,OAAO,WAAW;IAIH;IACA;IAJX,MAAM,CAAW;IAEzB,YACmB,EAAc,EACd,SAAiB;QADjB,OAAE,GAAF,EAAE,CAAY;QACd,cAAS,GAAT,SAAS,CAAQ;IACjC,CAAC;IAEI,KAAK;QACX,IAAI,CAAC,MAAM,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,sEAAsE;IAEtE,2DAA2D;IAC3D,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAC9C,OAAO;YACL,GAAG,EAAE,OAAO,CAAC,GAAa;YAC1B,EAAE,EAAE,OAAO,CAAC,EAAY;YACxB,WAAW,EAAE,OAAO,CAAC,WAAiC;SACvD,CAAC;IACJ,CAAC;IAED,8DAA8D;IAC9D,KAAK,CAAC,UAAU,CAAC,GAAW;QAC1B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACzD,IAAI,CAAC,IAAI,EAAE,QAAQ;YAAE,OAAO,IAAI,CAAC;QAEjC,OAAO;YACL,GAAG,MAAM;YACT,WAAW,EAAE,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,WAAW;YAChD,IAAI,EAAG,IAAI,CAAC,IAAkC,IAAI,OAAO;YACzD,MAAM,EAAE,+BAA+B,MAAM,CAAC,GAAG,EAAE;SACpD,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,KAAK,CAAC,eAAe,CACnB,GAAkB,EAClB,mBAAkC,EAClC,WAAoB;QAEpB,yBAAyB;QACzB,IAAI,mBAAmB,EAAE,CAAC;YACxB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,EAAE,WAAW,CAAC,CAAC;YAC/E,IAAI,QAAQ;gBAAE,OAAO,QAAQ,CAAC;QAChC,CAAC;QAED,sBAAsB;QACtB,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAE5B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAC5D,IAAI,IAAI,EAAE,CAAC;YACT,OAAO;gBACL,GAAG,SAAS;gBACZ,IAAI,EAAG,IAAI,CAAC,IAAkC,IAAI,OAAO;gBACzD,MAAM,EAAE,+BAA+B,SAAS,CAAC,GAAG,EAAE;gBACtD,UAAU,EAAE,SAAS;gBACrB,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ;aAC1B,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,GAAG,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;IACjD,CAAC;IAED,8DAA8D;IAC9D,KAAK,CAAC,aAAa,CACjB,GAAkB,EAClB,mBAAkC,EAClC,QAAgB,EAChB,WAAoB;QAKpB,6BAA6B;QAC7B,IAAI,cAAc,GAA6B,IAAI,CAAC;QACpD,IAAI,IAAI,GAAgB,IAAI,CAAC;QAC7B,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,IAAI,mBAAmB,EAAE,CAAC;YACxB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,EAAE,WAAW,CAAC,CAAC;YAC/E,IAAI,QAAQ,EAAE,CAAC;gBACb,cAAc,GAAG,QAAQ,CAAC;gBAC1B,IAAI,GAAI,QAAQ,CAAC,IAAa,IAAI,IAAI,CAAC;gBACvC,OAAO,GAAG,QAAQ,CAAC,QAAQ,KAAK,KAAK,CAAC;YACxC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,cAAc,IAAI,GAAG,EAAE,CAAC;YAC3B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACzC,IAAI,SAAS,EAAE,CAAC;gBACd,cAAc,GAAG,SAAS,CAAC;gBAC3B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBAC5D,IAAI,IAAI,EAAE,CAAC;oBACT,IAAI,GAAI,IAAI,CAAC,IAAa,IAAI,OAAO,CAAC;oBACtC,OAAO,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;oBACzB,cAAc,GAAG,EAAE,GAAG,SAAS,EAAE,IAAI,EAAE,IAAiC,EAAE,CAAC;gBAC7E,CAAC;YACH,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,MAAM,KAAK,GAAG,WAAW;YACvB,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,yBAAyB,CAAC,WAAW,CAAC;YAC3D,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,0BAA0B,EAAE,CAAC;QACpD,MAAM,MAAM,GAAG,cAAc,CAAC,KAAyB,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAE3F,uDAAuD;QACvD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,WAAW,GAAG,cAAc,CAAC,KAAyB,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;gBAC9E,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;oBACzB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;gBACzC,CAAC;YACH,CAAC;YACD,MAAM,MAAM,GAAG,cAAc,IAAI,CAAC,OAAO;gBACvC,CAAC,CAAC,EAAE,GAAG,cAAc,EAAE,IAAI,EAAE,CAAC,IAAI,IAAI,SAAS,CAA8B,EAAE;gBAC/E,CAAC,CAAC,IAAI,CAAC;YACT,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACnC,CAAC;QAED,mBAAmB;QACnB,IAAI,MAAM,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;YACxC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACzC,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACzC,CAAC;IAED,sEAAsE;IAEtE,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,WAAmB;QACtD,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,WAAmB;QACvC,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,2BAA2B,CAAC,WAAmB;QACnD,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,2BAA2B,CAAC,WAAW,CAAqC,CAAC;IACnG,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,OAAe,EACf,WAAmB,EACnB,IAAY,EACZ,SAAkB;QAElB,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,gBAAgB,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,OAAe,EAAE,WAAmB,EAAE,IAAY;QAC3E,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,oBAAoB,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;IACtE,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,OAAe,EAAE,WAAmB;QACzD,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,gBAAgB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,2BAA2B,CAAC,WAAmB;QACnD,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,2BAA2B,CAAC,WAAW,CAAC,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,WAAmB,EAAE,GAAW;QAC/C,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,UAAU,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,WAAmB,EAAE,GAAW,EAAE,KAAa;QAC9D,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,UAAU,CAAC,WAAW,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,WAAmB;QAEnB,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,WAAmB,EAAE,GAAW;QAClD,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,uBAAuB,CAC3B,WAAmB,EACnB,IAAyD;QAEzD,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,uBAAuB,CAAC,WAAW,EAAE,IAAI,CAG3D,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,EAAU,EAAE,WAAmB;QACnD,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,WAAW,CAAgC,CAAC;IACtF,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,KAA0B;QAC7C,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,WAAmB;QACjD,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,yBAAyB,CAAC,WAAW,CAAiC,CAAC;IAC7F,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,WAAmB;QAC5C,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,oBAAoB,CAAC,WAAW,CAAC,CAAC;IACvD,CAAC;IAED,sEAAsE;IAEtE,KAAK,CAAC,YAAY,CAAC,GAAW;QAC5B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QAClD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,OAAO;YACL,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS;YACpC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS;YAC9B,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,SAAS;YAChC,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,SAAS;YAC5B,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,MAShB;QACC,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,GAAW,EAAE,EAAW,EAAE,MAAe;QAC7D,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,eAAe,CAAC,GAAG,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;IACtD,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,EAAU,EAAE,SAAiB,EAAE,YAAqB;QACtE,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,EAAU;QAEV,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,EAAU;QAC9B,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAAyB;QACzC,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;QACvD,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAEvB,4EAA4E;QAC5E,MAAM,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QACjD,IAAI,MAAM;YAAE,MAAM,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAC/D,IAAI,OAAO;YAAE,MAAM,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QAElE,gEAAgE;QAChE,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAEnC,sCAAsC;QACtC,MAAM,CAAC,CAAC,oBAAoB,CAAC,WAAW,CAAC,CAAC;QAE1C,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;IAED,sEAAsE;IAE9D,KAAK,CAAC,gBAAgB,CAC5B,mBAA2B,EAC3B,WAAoB;QAEpB,MAAM,KAAK,GAAG,mBAAmB,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACpE,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAE1C,MAAM,WAAW,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAC7D,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,mBAAmB;QACnB,IAAI,GAAG,CAAC,QAAQ,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,IAAI,IAAI,EAAE;YAAE,OAAO,IAAI,CAAC;QAErE,2BAA2B;QAC3B,IAAI,WAAW,IAAI,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,WAAW,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QAEnF,gBAAgB;QAChB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/D,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE1B,qCAAqC;QACrC,IAAI,CAAC,KAAK,EAAE,CAAC,wBAAwB,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAEnE,OAAO;YACL,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,WAAW,EAAE,OAAO,CAAC,QAAQ,IAAI,SAAS;YAC1C,IAAI,EAAE,GAAG,CAAC,IAAiC;YAC3C,UAAU,EAAE,YAAY;YACxB,WAAW;YACX,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ;SAC7B,CAAC;IACJ,CAAC;CACF"}

package/dist/auth-worker.d.ts

@@ -1,42 +0,0 @@
-/**
- * Auth Worker — Independent Worker entry point for Service Binding mode.
- *
- * Exposes two integration surfaces:
- *   1. `fetch()` — Consumer forwards /.well-known/service/* requests here
- *   2. `AuthRPC` — Consumer calls RPC methods (verify, enforceAccess, etc.)
- *
- * Supports two modes:
- *   - Single-tenant: env.APP_SK set → used directly (playground/dev)
- *   - Multi-tenant: X-Instance-Did header → load appSk/appPsk from D1 settings
- */
-import { type AuthHandler } from "./handlers/auth-handler.js";
-export interface AuthWorkerEnv {
-    BLOCKLET_SERVICE_DB: D1Database;
-    JWT_SECRET: string;
-    /** Optional R2 binding for avatar/logo storage. */
-    AVATAR_BUCKET?: R2Bucket;
-    /** Single-tenant mode: app secret key from env. */
-    APP_SK?: string;
-    /** Single-tenant mode: permanent secret key from env. */
-    APP_PSK?: string;
-    /** Relying Party name for WebAuthn. */
-    RP_NAME?: string;
-    /** Optional email login configuration. */
-    RESEND_API_KEY?: string;
-    EMAIL_FROM?: string;
-}
-/** Clear cached config for an instance (called after registerApp). */
-export declare function invalidateConfigCache(instanceDid: string): void;
-/** Reset all caches — for testing only. */
-export declare function _resetConfigCacheForTesting(): void;
-/**
- * Build an AuthHandler for the given mode:
- *   - Single-tenant: env.APP_SK → use directly
- *   - Multi-tenant: instanceDid → load from D1 settings
- */
-export declare function buildHandler(instanceDid: string | undefined, env: AuthWorkerEnv): Promise<AuthHandler>;
-declare const _default: {
-    fetch(request: Request, env: AuthWorkerEnv): Promise<Response>;
-};
-export default _default;
-//# sourceMappingURL=auth-worker.d.ts.map

package/dist/auth-worker.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-worker.d.ts","sourceRoot":"","sources":["../src/auth-worker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,KAAK,WAAW,EAAqB,MAAM,4BAA4B,CAAC;AAKjF,MAAM,WAAW,aAAa;IAC5B,mBAAmB,EAAE,UAAU,CAAC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,mDAAmD;IACnD,aAAa,CAAC,EAAE,QAAQ,CAAC;IACzB,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yDAAyD;IACzD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uCAAuC;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAyBD,sEAAsE;AACtE,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAE/D;AAED,2CAA2C;AAC3C,wBAAgB,2BAA2B,IAAI,IAAI,CAElD;AAID;;;;GAIG;AACH,wBAAsB,YAAY,CAChC,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,GAAG,EAAE,aAAa,GACjB,OAAO,CAAC,WAAW,CAAC,CA8BtB;;mBAmCsB,OAAO,OAAO,aAAa,GAAG,OAAO,CAAC,QAAQ,CAAC;;AADtE,wBAiBE"}

package/dist/auth-worker.js

@@ -1,120 +0,0 @@
-/**
- * Auth Worker — Independent Worker entry point for Service Binding mode.
- *
- * Exposes two integration surfaces:
- *   1. `fetch()` — Consumer forwards /.well-known/service/* requests here
- *   2. `AuthRPC` — Consumer calls RPC methods (verify, enforceAccess, etc.)
- *
- * Supports two modes:
- *   - Single-tenant: env.APP_SK set → used directly (playground/dev)
- *   - Multi-tenant: X-Instance-Did header → load appSk/appPsk from D1 settings
- */
-import { createAuthHandler } from "./handlers/auth-handler.js";
-import { D1Store } from "./store/d1-store.js";
-const _configCache = new Map();
-const CONFIG_TTL = 5 * 60 * 1000; // 5 minutes
-async function resolveConfig(instanceDid, store) {
-    const cached = _configCache.get(instanceDid);
-    if (cached && Date.now() - cached.at < CONFIG_TTL)
-        return cached.config;
-    const appSk = await store.getSetting(instanceDid, "app:sk");
-    if (!appSk)
-        throw new Error(`No appSk configured for instance: ${instanceDid}`);
-    const appPsk = (await store.getSetting(instanceDid, "app:psk")) ?? undefined;
-    const config = { appSk, appPsk };
-    _configCache.set(instanceDid, { config, at: Date.now() });
-    return config;
-}
-/** Clear cached config for an instance (called after registerApp). */
-export function invalidateConfigCache(instanceDid) {
-    _configCache.delete(instanceDid);
-}
-/** Reset all caches — for testing only. */
-export function _resetConfigCacheForTesting() {
-    _configCache.clear();
-}
-// ─── buildHandler ──────────────────────────────────────────────────────
-/**
- * Build an AuthHandler for the given mode:
- *   - Single-tenant: env.APP_SK → use directly
- *   - Multi-tenant: instanceDid → load from D1 settings
- */
-export async function buildHandler(instanceDid, env) {
-    const store = new D1Store(env.BLOCKLET_SERVICE_DB);
-    // Single-tenant fast path: APP_SK in env
-    if (env.APP_SK) {
-        return createAuthHandler({
-            db: env.BLOCKLET_SERVICE_DB,
-            jwtSecret: env.JWT_SECRET,
-            rpName: env.RP_NAME ?? "DID Connect",
-            appSk: env.APP_SK,
-            appPsk: env.APP_PSK,
-            r2: env.AVATAR_BUCKET,
-            resendApiKey: env.RESEND_API_KEY,
-            emailFrom: env.EMAIL_FROM,
-        });
-    }
-    // Multi-tenant: instanceDid required
-    if (!instanceDid)
-        throw new Error("Missing X-Instance-Did header (multi-tenant mode)");
-    const { appSk, appPsk } = await resolveConfig(instanceDid, store);
-    return createAuthHandler({
-        db: env.BLOCKLET_SERVICE_DB,
-        jwtSecret: env.JWT_SECRET,
-        rpName: env.RP_NAME ?? "DID Connect",
-        appSk,
-        appPsk,
-        r2: env.AVATAR_BUCKET,
-    });
-}
-// ─── AuthRPC (WorkerEntrypoint wrapper) ────────────────────────────────
-//
-// For real Cloudflare deployment, create a thin wrapper:
-//
-//   import { WorkerEntrypoint } from 'cloudflare:workers';
-//   import { AuthRPCImpl } from './auth-rpc.js';
-//
-//   export class AuthRPC extends WorkerEntrypoint<AuthWorkerEnv> {
-//     private _impl?: AuthRPCImpl;
-//     private impl() {
-//       this._impl ??= new AuthRPCImpl(this.env.BLOCKLET_SERVICE_DB, this.env.JWT_SECRET);
-//       return this._impl;
-//     }
-//     verify(jwt: string) { return this.impl().verify(jwt); }
-//     verifyFull(jwt: string) { return this.impl().verifyFull(jwt); }
-//     resolveIdentity(...args: Parameters<AuthRPCImpl['resolveIdentity']>) {
-//       return this.impl().resolveIdentity(...args);
-//     }
-//     enforceAccess(...args: Parameters<AuthRPCImpl['enforceAccess']>) {
-//       return this.impl().enforceAccess(...args);
-//     }
-//     // Delegate all other AuthRPCInterface methods to this.impl()
-//   }
-//
-// Consumer wrangler.toml:
-//   [[services]]
-//   binding = "AUTH"
-//   service = "did-connect-auth"
-//   entrypoint = "AuthRPC"
-// ─── Default fetch handler ─────────────────────────────────────────────
-export default {
-    async fetch(request, env) {
-        try {
-            const instanceDid = request.headers.get("X-Instance-Did") ?? undefined;
-            const auth = await buildHandler(instanceDid, env);
-            const r = await auth.route(request, { instanceDid });
-            if (r)
-                return r;
-            return new Response("Not Found", { status: 404 });
-        }
-        catch (err) {
-            const msg = err instanceof Error ? err.message : "Internal error";
-            const status = msg.includes("Missing X-Instance-Did") ? 400 : 500;
-            return new Response(JSON.stringify({ error: msg }), {
-                status,
-                headers: { "Content-Type": "application/json" },
-            });
-        }
-    },
-};
-//# sourceMappingURL=auth-worker.js.map

package/dist/auth-worker.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-worker.js","sourceRoot":"","sources":["../src/auth-worker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAoB,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AACjF,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AA2B9C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkD,CAAC;AAC/E,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAE9C,KAAK,UAAU,aAAa,CAAC,WAAmB,EAAE,KAAc;IAC9D,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC7C,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,EAAE,GAAG,UAAU;QAAE,OAAO,MAAM,CAAC,MAAM,CAAC;IAExE,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC5D,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,WAAW,EAAE,CAAC,CAAC;IAChF,MAAM,MAAM,GAAG,CAAC,MAAM,KAAK,CAAC,UAAU,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,IAAI,SAAS,CAAC;IAE7E,MAAM,MAAM,GAAmB,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IACjD,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC1D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,qBAAqB,CAAC,WAAmB;IACvD,YAAY,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AACnC,CAAC;AAED,2CAA2C;AAC3C,MAAM,UAAU,2BAA2B;IACzC,YAAY,CAAC,KAAK,EAAE,CAAC;AACvB,CAAC;AAED,0EAA0E;AAE1E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,WAA+B,EAC/B,GAAkB;IAElB,MAAM,KAAK,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAEnD,yCAAyC;IACzC,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QACf,OAAO,iBAAiB,CAAC;YACvB,EAAE,EAAE,GAAG,CAAC,mBAAmB;YAC3B,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,MAAM,EAAE,GAAG,CAAC,OAAO,IAAI,aAAa;YACpC,KAAK,EAAE,GAAG,CAAC,MAAM;YACjB,MAAM,EAAE,GAAG,CAAC,OAAO;YACnB,EAAE,EAAE,GAAG,CAAC,aAAa;YACrB,YAAY,EAAE,GAAG,CAAC,cAAc;YAChC,SAAS,EAAE,GAAG,CAAC,UAAU;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,qCAAqC;IACrC,IAAI,CAAC,WAAW;QAAE,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IAEvF,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IAElE,OAAO,iBAAiB,CAAC;QACvB,EAAE,EAAE,GAAG,CAAC,mBAAmB;QAC3B,SAAS,EAAE,GAAG,CAAC,UAAU;QACzB,MAAM,EAAE,GAAG,CAAC,OAAO,IAAI,aAAa;QACpC,KAAK;QACL,MAAM;QACN,EAAE,EAAE,GAAG,CAAC,aAAa;KACtB,CAAC,CAAC;AACL,CAAC;AAED,0EAA0E;AAC1E,EAAE;AACF,yDAAyD;AACzD,EAAE;AACF,2DAA2D;AAC3D,iDAAiD;AACjD,EAAE;AACF,mEAAmE;AACnE,mCAAmC;AACnC,uBAAuB;AACvB,2FAA2F;AAC3F,2BAA2B;AAC3B,QAAQ;AACR,8DAA8D;AAC9D,sEAAsE;AACtE,6EAA6E;AAC7E,qDAAqD;AACrD,QAAQ;AACR,yEAAyE;AACzE,mDAAmD;AACnD,QAAQ;AACR,oEAAoE;AACpE,MAAM;AACN,EAAE;AACF,0BAA0B;AAC1B,iBAAiB;AACjB,qBAAqB;AACrB,iCAAiC;AACjC,2BAA2B;AAE3B,0EAA0E;AAE1E,eAAe;IACb,KAAK,CAAC,KAAK,CAAC,OAAgB,EAAE,GAAkB;QAC9C,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,SAAS,CAAC;YACvE,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;YAClD,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC;YACrD,IAAI,CAAC;gBAAE,OAAO,CAAC,CAAC;YAChB,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACpD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC;YAClE,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YAClE,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,EAAE;gBAClD,MAAM;gBACN,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/blocklet-js-handler.d.ts

@@ -1,22 +0,0 @@
-import type { D1Store } from "./store/d1-store.js";
-export interface BlockletJsOptions {
-    store: D1Store;
-    appSk: string;
-    /** Explicit app DID — otherwise derived from appSk */
-    appDid?: string;
-    /** Permanent secret key (PSK) — for correct appPid when SK has been rotated */
-    appPsk?: string;
-    /** Instance DID for settings scope (defaults to '_global_') */
-    instanceDid?: string;
-    serverVersion?: string;
-}
-export declare class BlockletJsHandler {
-    private options;
-    private appDid;
-    private appPid;
-    private appPk;
-    constructor(options: BlockletJsOptions);
-    fetch(request: Request): Promise<Response | null>;
-    private buildBlockletData;
-}
-//# sourceMappingURL=blocklet-js-handler.d.ts.map

package/dist/blocklet-js-handler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"blocklet-js-handler.d.ts","sourceRoot":"","sources":["../src/blocklet-js-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAInD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,sDAAsD;IACtD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+EAA+E;IAC/E,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+DAA+D;IAC/D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,qBAAa,iBAAiB;IAKhB,OAAO,CAAC,OAAO;IAJ3B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,KAAK,CAAS;gBAEF,OAAO,EAAE,iBAAiB;IAOxC,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;YA4BzC,iBAAiB;CAkLhC"}