@arcblock/did-connect-service 4.0.5 → 4.0.7

package/dist/identity/csrf.js

@@ -1,56 +0,0 @@
-/**
- * CSRF token — byte-for-byte compatible with blocklet-server's
- * `@blocklet/sdk/lib/util/csrf` so tokens we issue verify under the same scheme:
- *
- *   md5    = HMAC-MD5(secret, loginToken)      → base64url
- *   signed = HMAC-SHA256(secret, md5)          → base64url   (input is the md5 string)
- *   csrf   = `${md5}.${signed}`
- *
- * `secret` mirrors `getCsrfSecret()` (APP_ASK || APP_SK) → our `appSk`,
- * falling back to `jwtSecret` when no app wallet is configured.
- *
- * WebCrypto has no MD5, so HMAC-MD5 is built on the pure-JS MD5 in gravatar.ts;
- * HMAC-SHA256 uses crypto.subtle.
- */
-import { md5Bytes } from "./gravatar.js";
-const BLOCK_SIZE = 64; // both MD5 and SHA-256 use a 64-byte block
-const enc = new TextEncoder();
-function concat(a, b) {
-    const out = new Uint8Array(a.length + b.length);
-    out.set(a);
-    out.set(b, a.length);
-    return out;
-}
-function base64url(bytes) {
-    let bin = "";
-    for (const b of bytes)
-        bin += String.fromCharCode(b);
-    return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function hmacMd5(keyBytes, msg) {
-    let key = keyBytes;
-    if (key.length > BLOCK_SIZE)
-        key = md5Bytes(key);
-    const ipad = new Uint8Array(BLOCK_SIZE);
-    const opad = new Uint8Array(BLOCK_SIZE);
-    for (let i = 0; i < BLOCK_SIZE; i++) {
-        const k = key[i] ?? 0;
-        ipad[i] = k ^ 0x36;
-        opad[i] = k ^ 0x5c;
-    }
-    const inner = md5Bytes(concat(ipad, msg));
-    return md5Bytes(concat(opad, inner));
-}
-async function hmacSha256(keyBytes, msg) {
-    const key = await crypto.subtle.importKey("raw", keyBytes, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
-    const sig = await crypto.subtle.sign("HMAC", key, msg);
-    return new Uint8Array(sig);
-}
-/** CSRF token compatible with `@blocklet/sdk` csrf.sign(secret, loginToken). */
-export async function signCsrf(secret, loginToken) {
-    const keyBytes = enc.encode(secret);
-    const md5Part = base64url(hmacMd5(keyBytes, enc.encode(loginToken)));
-    const signedPart = base64url(await hmacSha256(keyBytes, enc.encode(md5Part)));
-    return `${md5Part}.${signedPart}`;
-}
-//# sourceMappingURL=csrf.js.map

package/dist/identity/csrf.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/identity/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAEzC,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,2CAA2C;AAClE,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAE9B,SAAS,MAAM,CAAC,CAAa,EAAE,CAAa;IAC1C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;IAChD,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACX,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IACrB,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,SAAS,CAAC,KAAiB;IAClC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACrD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,OAAO,CAAC,QAAoB,EAAE,GAAe;IACpD,IAAI,GAAG,GAAG,QAAQ,CAAC;IACnB,IAAI,GAAG,CAAC,MAAM,GAAG,UAAU;QAAE,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;QACnB,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;IACrB,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;IAC1C,OAAO,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,QAAoB,EAAE,GAAe;IAC7D,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,QAAwB,EACxB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAmB,CAAC,CAAC;IACvE,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,gFAAgF;AAChF,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,MAAc,EAAE,UAAkB;IAC/D,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACrE,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAC9E,OAAO,GAAG,OAAO,IAAI,UAAU,EAAE,CAAC;AACpC,CAAC"}

package/dist/identity/invitation-util.d.ts

@@ -1,7 +0,0 @@
-import type { D1Store } from "../store/d1-store.js";
-import type { Role } from "../types.js";
-export declare function processPendingInvitation(store: D1Store, userDid: string, invitationId: string | undefined, currentInstanceDid: string | undefined, ip?: string): Promise<{
-    role?: Role;
-    inviterDid?: string;
-} | undefined>;
-//# sourceMappingURL=invitation-util.d.ts.map

package/dist/identity/invitation-util.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"invitation-util.d.ts","sourceRoot":"","sources":["../../src/identity/invitation-util.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAExC,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,OAAO,EACd,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,kBAAkB,EAAE,MAAM,GAAG,SAAS,EACtC,EAAE,CAAC,EAAE,MAAM,GACV,OAAO,CAAC;IAAE,IAAI,CAAC,EAAE,IAAI,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAAC,CAiE3D"}

package/dist/identity/invitation-util.js

@@ -1,66 +0,0 @@
-export async function processPendingInvitation(store, userDid, invitationId, currentInstanceDid, ip) {
-    if (!invitationId)
-        return undefined;
-    // 1. Validate invitation
-    const invitation = await store.getInvitation(invitationId);
-    if (!invitation || invitation.status !== "active" || invitation.useCount >= invitation.maxUses || new Date(invitation.expireAt) < new Date()) {
-        return undefined;
-    }
-    // 2. Prevent cross-tenant privilege escalation
-    if (invitation.instance_did && currentInstanceDid && invitation.instance_did !== currentInstanceDid) {
-        return undefined;
-    }
-    // 3. Atomically consume the invitation
-    const consumed = await store.consumeInvitationAtomically(invitationId);
-    if (!consumed)
-        return undefined;
-    // 4. Apply roles
-    const ROLE_LEVEL = { owner: 3, admin: 2, member: 1, guest: 0 };
-    const invitedLevel = ROLE_LEVEL[invitation.role] ?? 0;
-    let finalRole = invitation.role;
-    if (invitation.instance_did) {
-        // Instance-scoped invitation
-        const existing = await store.getMembership(userDid, invitation.instance_did);
-        if (existing) {
-            if (invitedLevel > (ROLE_LEVEL[existing.role] ?? 0)) {
-                await store.updateMembershipRole(userDid, invitation.instance_did, invitation.role);
-            }
-            else {
-                finalRole = existing.role; // Keep higher existing role
-            }
-        }
-        else {
-            await store.createMembership(userDid, invitation.instance_did, invitation.role, invitation.inviterDid);
-        }
-        await store.createAuditLog({
-            action: "user.accept_invitation",
-            operatorDid: userDid,
-            metadata: { invitationId, role: invitation.role },
-            ip,
-            instanceDid: invitation.instance_did,
-        });
-    }
-    else {
-        // System-level global invitation
-        const user = await store.getUserByDid(userDid);
-        const currentLevel = ROLE_LEVEL[user?.role ?? ""] ?? 0;
-        if (invitedLevel > currentLevel) {
-            await store.updateUserRole(userDid, invitation.role);
-        }
-        else {
-            finalRole = user?.role ?? invitation.role;
-        }
-        await store.createAuditLog({
-            action: "user.accept_invitation",
-            operatorDid: userDid,
-            metadata: { invitationId, role: invitation.role },
-            ip,
-        });
-    }
-    // 5. Link inviter
-    if (invitation.inviterDid) {
-        await store.setUserInviter(userDid, invitation.inviterDid);
-    }
-    return { role: finalRole, inviterDid: invitation.inviterDid };
-}
-//# sourceMappingURL=invitation-util.js.map

package/dist/identity/invitation-util.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"invitation-util.js","sourceRoot":"","sources":["../../src/identity/invitation-util.ts"],"names":[],"mappings":"AAGA,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAAc,EACd,OAAe,EACf,YAAgC,EAChC,kBAAsC,EACtC,EAAW;IAEX,IAAI,CAAC,YAAY;QAAE,OAAO,SAAS,CAAC;IAEpC,yBAAyB;IACzB,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;IAC3D,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,QAAQ,IAAI,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,OAAO,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QAC7I,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,+CAA+C;IAC/C,IAAI,UAAU,CAAC,YAAY,IAAI,kBAAkB,IAAI,UAAU,CAAC,YAAY,KAAK,kBAAkB,EAAE,CAAC;QACpG,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,uCAAuC;IACvC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,2BAA2B,CAAC,YAAY,CAAC,CAAC;IACvE,IAAI,CAAC,QAAQ;QAAE,OAAO,SAAS,CAAC;IAEhC,iBAAiB;IACjB,MAAM,UAAU,GAA2B,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IACvF,MAAM,YAAY,GAAG,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtD,IAAI,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC;IAEhC,IAAI,UAAU,CAAC,YAAY,EAAE,CAAC;QAC5B,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,CAAC,OAAO,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;QAC7E,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,YAAY,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;gBACpD,MAAM,KAAK,CAAC,oBAAoB,CAAC,OAAO,EAAE,UAAU,CAAC,YAAY,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;YACtF,CAAC;iBAAM,CAAC;gBACN,SAAS,GAAG,QAAQ,CAAC,IAAY,CAAC,CAAC,4BAA4B;YACjE,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,KAAK,CAAC,gBAAgB,CAAC,OAAO,EAAE,UAAU,CAAC,YAAY,EAAE,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;QACzG,CAAC;QACD,MAAM,KAAK,CAAC,cAAc,CAAC;YACzB,MAAM,EAAE,wBAAwB;YAChC,WAAW,EAAE,OAAO;YACpB,QAAQ,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE;YACjD,EAAE;YACF,WAAW,EAAE,UAAU,CAAC,YAAY;SACrC,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,iCAAiC;QACjC,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,YAAY,GAAG,UAAU,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC;QACvD,IAAI,YAAY,GAAG,YAAY,EAAE,CAAC;YAChC,MAAM,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;QACvD,CAAC;aAAM,CAAC;YACN,SAAS,GAAI,IAAI,EAAE,IAAa,IAAK,UAAU,CAAC,IAAa,CAAC;QAChE,CAAC;QACD,MAAM,KAAK,CAAC,cAAc,CAAC;YACzB,MAAM,EAAE,wBAAwB;YAChC,WAAW,EAAE,OAAO;YACpB,QAAQ,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE;YACjD,EAAE;SACH,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,MAAM,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,SAAiB,EAAE,UAAU,EAAE,UAAU,CAAC,UAAU,EAAE,CAAC;AACxE,CAAC"}

package/dist/instance-role.d.ts

@@ -1,10 +0,0 @@
-import type { D1Store } from "./store/d1-store.js";
-import type { Role } from "./types.js";
-/**
- * Resolve the effective role for a caller in an instance context.
- *
- * Priority: membership role > system admin punch-through > reject.
- * Returns null if caller has no access to this instance.
- */
-export declare function resolveInstanceRole(store: D1Store, callerDid: string, instanceDid: string, systemRole: string | undefined): Promise<Role | null>;
-//# sourceMappingURL=instance-role.d.ts.map

package/dist/instance-role.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"instance-role.d.ts","sourceRoot":"","sources":["../src/instance-role.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAEvC;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,OAAO,EACd,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,MAAM,GAAG,SAAS,GAC7B,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAWtB"}

package/dist/instance-role.js

@@ -1,20 +0,0 @@
-/**
- * Resolve the effective role for a caller in an instance context.
- *
- * Priority: membership role > system admin punch-through > reject.
- * Returns null if caller has no access to this instance.
- */
-export async function resolveInstanceRole(store, callerDid, instanceDid, systemRole) {
-    // 1. Check membership first
-    const membership = await store.getMembership(callerDid, instanceDid);
-    if (membership)
-        return membership.role;
-    // 2. System owner/admin punch-through (D11)
-    if (systemRole === "owner")
-        return "owner";
-    if (systemRole === "admin")
-        return "admin";
-    // 3. No access
-    return null;
-}
-//# sourceMappingURL=instance-role.js.map

package/dist/instance-role.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"instance-role.js","sourceRoot":"","sources":["../src/instance-role.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,KAAc,EACd,SAAiB,EACjB,WAAmB,EACnB,UAA8B;IAE9B,4BAA4B;IAC5B,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,aAAa,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IACrE,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC,IAAY,CAAC;IAE/C,4CAA4C;IAC5C,IAAI,UAAU,KAAK,OAAO;QAAE,OAAO,OAAO,CAAC;IAC3C,IAAI,UAAU,KAAK,OAAO;QAAE,OAAO,OAAO,CAAC;IAE3C,eAAe;IACf,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/jwt.d.ts

@@ -1,7 +0,0 @@
-/**
- * Minimal JWT implementation using Web Crypto API (HMAC-SHA256).
- * Works in Cloudflare Workers, Deno, Node, and all modern browsers.
- */
-export declare function signJWT(payload: Record<string, unknown>, secret: string, expiresIn?: number): Promise<string>;
-export declare function verifyJWT(token: string, secret: string): Promise<Record<string, unknown> | null>;
-//# sourceMappingURL=jwt.d.ts.map

package/dist/jwt.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA8CH,wBAAsB,OAAO,CAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,MAAM,EAAE,MAAM,EACd,SAAS,GAAE,MAA2B,GACrC,OAAO,CAAC,MAAM,CAAC,CAcjB;AAED,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CA6BzC"}

package/dist/jwt.js

@@ -1,72 +0,0 @@
-/**
- * Minimal JWT implementation using Web Crypto API (HMAC-SHA256).
- * Works in Cloudflare Workers, Deno, Node, and all modern browsers.
- */
-const ALGORITHM = { name: "HMAC", hash: "SHA-256" };
-const DEFAULT_EXPIRES_IN = 7 * 24 * 60 * 60; // 7 days in seconds
-function base64urlEncode(data) {
-    let binary = "";
-    for (let i = 0; i < data.length; i++) {
-        binary += String.fromCharCode(data[i]);
-    }
-    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function base64urlDecode(str) {
-    const padded = str.replace(/-/g, "+").replace(/_/g, "/");
-    const binary = atob(padded);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
-    }
-    return bytes;
-}
-function textEncode(str) {
-    return new TextEncoder().encode(str);
-}
-// Module-level CryptoKey cache — avoids repeated importKey for the same secret.
-// In a Worker isolate the JWT secret never changes, so this is always a hit after first call.
-const _keyCache = new Map();
-async function importKey(secret) {
-    let key = _keyCache.get(secret);
-    if (!key) {
-        key = await crypto.subtle.importKey("raw", textEncode(secret), ALGORITHM, false, ["sign", "verify"]);
-        _keyCache.set(secret, key);
-    }
-    return key;
-}
-export async function signJWT(payload, secret, expiresIn = DEFAULT_EXPIRES_IN) {
-    const header = { alg: "HS256", typ: "JWT" };
-    const now = Math.floor(Date.now() / 1000);
-    const fullPayload = { ...payload, iat: now, exp: now + expiresIn };
-    const headerB64 = base64urlEncode(textEncode(JSON.stringify(header)));
-    const payloadB64 = base64urlEncode(textEncode(JSON.stringify(fullPayload)));
-    const signingInput = `${headerB64}.${payloadB64}`;
-    const key = await importKey(secret);
-    const sig = await crypto.subtle.sign("HMAC", key, textEncode(signingInput));
-    const signature = new Uint8Array(sig);
-    return `${signingInput}.${base64urlEncode(signature)}`;
-}
-export async function verifyJWT(token, secret) {
-    const parts = token.split(".");
-    if (parts.length !== 3)
-        return null;
-    const [headerB64, payloadB64, signatureB64] = parts;
-    const signingInput = `${headerB64}.${payloadB64}`;
-    try {
-        const key = await importKey(secret);
-        const signature = base64urlDecode(signatureB64);
-        const valid = await crypto.subtle.verify("HMAC", key, signature, textEncode(signingInput));
-        if (!valid)
-            return null;
-        const payload = JSON.parse(new TextDecoder().decode(base64urlDecode(payloadB64)));
-        // Check expiration
-        if (typeof payload.exp === "number" && payload.exp < Math.floor(Date.now() / 1000)) {
-            return null;
-        }
-        return payload;
-    }
-    catch {
-        return null;
-    }
-}
-//# sourceMappingURL=jwt.js.map

package/dist/jwt.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,SAAS,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAW,CAAC;AAC7D,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,oBAAoB;AAEjE,SAAS,eAAe,CAAC,IAAgB;IACvC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACjF,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,GAAW;IAC7B,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;AACvC,CAAC;AAED,gFAAgF;AAChF,8FAA8F;AAC9F,MAAM,SAAS,GAAG,IAAI,GAAG,EAAqB,CAAC;AAE/C,KAAK,UAAU,SAAS,CAAC,MAAc;IACrC,IAAI,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACjC,KAAK,EACL,UAAU,CAAC,MAAM,CAAiB,EAClC,SAAS,EACT,KAAK,EACL,CAAC,MAAM,EAAE,QAAQ,CAAC,CACnB,CAAC;QACF,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,OAAgC,EAChC,MAAc,EACd,YAAoB,kBAAkB;IAEtC,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,WAAW,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,EAAE,CAAC;IAEnE,MAAM,SAAS,GAAG,eAAe,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACtE,MAAM,UAAU,GAAG,eAAe,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAElD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,UAAU,CAAC,YAAY,CAAiB,CAAC,CAAC;IAC5F,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;IAEtC,OAAO,GAAG,YAAY,IAAI,eAAe,CAAC,SAAS,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,KAAa,EACb,MAAc;IAEd,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAiC,CAAC;IAChF,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;QACpC,MAAM,SAAS,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACtC,MAAM,EACN,GAAG,EACH,SAAyB,EACzB,UAAU,CAAC,YAAY,CAAiB,CACzC,CAAC;QACF,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAElF,mBAAmB;QACnB,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YACnF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/login-entry.d.ts

@@ -1,9 +0,0 @@
-/**
- * IIFE bundle entry — re-exports core/ui classes for browser inline script.
- *
- * Built by build-login.mjs → globalName: __LoginBundle
- * Used by page.ts and invite-page.ts via the generated string constant.
- */
-export { LoginPage, runPasskeyAuth } from '@arcblock/did-connect-core/ui';
-export { FetchHttpAdapter } from '@arcblock/did-connect-core';
-//# sourceMappingURL=login-entry.d.ts.map

package/dist/login-entry.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"login-entry.d.ts","sourceRoot":"","sources":["../src/login-entry.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC1E,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC"}

package/dist/login-entry.js

@@ -1,9 +0,0 @@
-/**
- * IIFE bundle entry — re-exports core/ui classes for browser inline script.
- *
- * Built by build-login.mjs → globalName: __LoginBundle
- * Used by page.ts and invite-page.ts via the generated string constant.
- */
-export { LoginPage, runPasskeyAuth } from '@arcblock/did-connect-core/ui';
-export { FetchHttpAdapter } from '@arcblock/did-connect-core';
-//# sourceMappingURL=login-entry.js.map

package/dist/login-entry.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"login-entry.js","sourceRoot":"","sources":["../src/login-entry.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC1E,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC"}

package/dist/membership-handler.d.ts

@@ -1,27 +0,0 @@
-/**
- * MembershipHandler — per-instance membership management.
- *
- * Routes: /.well-known/service/api/instances/:instanceDid/members/*
- *   GET    /              → list members
- *   POST   /              → create (invite)
- *   PUT    /:did/role     → update role
- *   DELETE /:did          → remove
- *
- * instanceDid is extracted from URL path (D10).
- */
-import type { D1Store } from "./store/d1-store.js";
-import type { CallerIdentity } from "./types.js";
-export declare class MembershipHandler {
-    private store;
-    constructor(store: D1Store);
-    /**
-     * Handle membership routes.
-     * instanceDid is extracted from the URL path by the caller.
-     */
-    fetch(request: Request, caller: CallerIdentity, instanceDid: string): Promise<Response | null>;
-    private handleList;
-    private handleCreate;
-    private handleUpdateRole;
-    private handleRemove;
-}
-//# sourceMappingURL=membership-handler.d.ts.map

package/dist/membership-handler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"membership-handler.d.ts","sourceRoot":"","sources":["../src/membership-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,qBAAa,iBAAiB;IAChB,OAAO,CAAC,KAAK;gBAAL,KAAK,EAAE,OAAO;IAElC;;;OAGG;IACG,KAAK,CACT,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,cAAc,EACtB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;YAiCb,UAAU;YAKV,YAAY;YA8BZ,gBAAgB;YAqChB,YAAY;CAsB3B"}

package/dist/membership-handler.js

@@ -1,111 +0,0 @@
-/**
- * MembershipHandler — per-instance membership management.
- *
- * Routes: /.well-known/service/api/instances/:instanceDid/members/*
- *   GET    /              → list members
- *   POST   /              → create (invite)
- *   PUT    /:did/role     → update role
- *   DELETE /:did          → remove
- *
- * instanceDid is extracted from URL path (D10).
- */
-export class MembershipHandler {
-    store;
-    constructor(store) {
-        this.store = store;
-    }
-    /**
-     * Handle membership routes.
-     * instanceDid is extracted from the URL path by the caller.
-     */
-    async fetch(request, caller, instanceDid) {
-        const url = new URL(request.url);
-        const prefix = `/.well-known/service/api/instances/${instanceDid}/members`;
-        if (!url.pathname.startsWith(prefix))
-            return null;
-        const rest = url.pathname.slice(prefix.length);
-        // GET / → list
-        if (request.method === "GET" && (rest === "" || rest === "/")) {
-            return this.handleList(instanceDid);
-        }
-        // POST / → create (invite)
-        if (request.method === "POST" && (rest === "" || rest === "/")) {
-            return this.handleCreate(request, caller, instanceDid);
-        }
-        // PUT /:userDid/role → update role
-        const roleMatch = rest.match(/^\/([^/]+)\/role$/);
-        if (request.method === "PUT" && roleMatch) {
-            return this.handleUpdateRole(request, caller, instanceDid, roleMatch[1]);
-        }
-        // DELETE /:userDid → remove
-        const deleteMatch = rest.match(/^\/([^/]+)$/);
-        if (request.method === "DELETE" && deleteMatch) {
-            return this.handleRemove(caller, instanceDid, deleteMatch[1]);
-        }
-        return null;
-    }
-    async handleList(instanceDid) {
-        const members = await this.store.listMemberships(instanceDid);
-        return Response.json({ ok: true, members });
-    }
-    async handleCreate(request, caller, instanceDid) {
-        const body = (await request.json());
-        if (!body.userDid) {
-            return Response.json({ ok: false, error: "Required: userDid" }, { status: 400 });
-        }
-        const role = body.role ?? "member";
-        // Check if already exists
-        const existing = await this.store.getMembership(body.userDid, instanceDid);
-        if (existing) {
-            return Response.json({ ok: false, error: "Membership already exists" }, { status: 409 });
-        }
-        await this.store.createMembership(body.userDid, instanceDid, role, caller.did);
-        await this.store.createAuditLog({
-            action: "membership.create",
-            operatorDid: caller.did,
-            targetDid: body.userDid,
-            metadata: { instanceDid, role },
-        });
-        return Response.json({ ok: true }, { status: 201 });
-    }
-    async handleUpdateRole(request, caller, instanceDid, targetDid) {
-        const body = (await request.json());
-        if (!body.role) {
-            return Response.json({ ok: false, error: "Required: role" }, { status: 400 });
-        }
-        // Check caller's own membership role
-        const callerMembership = await this.store.getMembership(caller.did, instanceDid);
-        if (!callerMembership ||
-            (callerMembership.role !== "owner" && callerMembership.role !== "admin")) {
-            return Response.json({ ok: false, error: "Insufficient permissions" }, { status: 403 });
-        }
-        // Cannot downgrade self
-        if (targetDid === caller.did) {
-            return Response.json({ ok: false, error: "Cannot change own role" }, { status: 400 });
-        }
-        await this.store.updateMembershipRole(targetDid, instanceDid, body.role);
-        await this.store.createAuditLog({
-            action: "membership.update_role",
-            operatorDid: caller.did,
-            targetDid,
-            metadata: { instanceDid, role: body.role },
-        });
-        return Response.json({ ok: true });
-    }
-    async handleRemove(caller, instanceDid, targetDid) {
-        // Cannot remove owner
-        const target = await this.store.getMembership(targetDid, instanceDid);
-        if (target?.role === "owner") {
-            return Response.json({ ok: false, error: "Cannot remove owner" }, { status: 400 });
-        }
-        await this.store.deleteMembership(targetDid, instanceDid);
-        await this.store.createAuditLog({
-            action: "membership.remove",
-            operatorDid: caller.did,
-            targetDid,
-            metadata: { instanceDid },
-        });
-        return Response.json({ ok: true });
-    }
-}
-//# sourceMappingURL=membership-handler.js.map

package/dist/membership-handler.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"membership-handler.js","sourceRoot":"","sources":["../src/membership-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,MAAM,OAAO,iBAAiB;IACR;IAApB,YAAoB,KAAc;QAAd,UAAK,GAAL,KAAK,CAAS;IAAG,CAAC;IAEtC;;;OAGG;IACH,KAAK,CAAC,KAAK,CACT,OAAgB,EAChB,MAAsB,EACtB,WAAmB;QAEnB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,MAAM,GAAG,sCAAsC,WAAW,UAAU,CAAC;QAE3E,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAElD,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAE/C,eAAe;QACf,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,IAAI,CAAC,IAAI,KAAK,EAAE,IAAI,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QACtC,CAAC;QAED,2BAA2B;QAC3B,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,KAAK,EAAE,IAAI,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;QACzD,CAAC;QAED,mCAAmC;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAClD,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,IAAI,SAAS,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC,CAAE,CAAC,CAAC;QAC5E,CAAC;QAED,4BAA4B;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAC9C,IAAI,OAAO,CAAC,MAAM,KAAK,QAAQ,IAAI,WAAW,EAAE,CAAC;YAC/C,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC,CAAE,CAAC,CAAC;QACjE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,WAAmB;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAC9D,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAC9C,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,OAAgB,EAChB,MAAsB,EACtB,WAAmB;QAEnB,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAwC,CAAC;QAC3E,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACnF,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,QAAQ,CAAC;QAEnC,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC3E,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC3F,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAE/E,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC;YAC9B,MAAM,EAAE,mBAAmB;YAC3B,WAAW,EAAE,MAAM,CAAC,GAAG;YACvB,SAAS,EAAE,IAAI,CAAC,OAAO;YACvB,QAAQ,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE;SAChC,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACtD,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAC5B,OAAgB,EAChB,MAAsB,EACtB,WAAmB,EACnB,SAAiB;QAEjB,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAsB,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAChF,CAAC;QAED,qCAAqC;QACrC,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;QACjF,IACE,CAAC,gBAAgB;YACjB,CAAC,gBAAgB,CAAC,IAAI,KAAK,OAAO,IAAI,gBAAgB,CAAC,IAAI,KAAK,OAAO,CAAC,EACxE,CAAC;YACD,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC1F,CAAC;QAED,wBAAwB;QACxB,IAAI,SAAS,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC;YAC7B,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,SAAS,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QAEzE,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC;YAC9B,MAAM,EAAE,wBAAwB;YAChC,WAAW,EAAE,MAAM,CAAC,GAAG;YACvB,SAAS;YACT,QAAQ,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;SAC3C,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACrC,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,MAAsB,EACtB,WAAmB,EACnB,SAAiB;QAEjB,sBAAsB;QACtB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QACtE,IAAI,MAAM,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;YAC7B,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACrF,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAE1D,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC;YAC9B,MAAM,EAAE,mBAAmB;YAC3B,WAAW,EAAE,MAAM,CAAC,GAAG;YACvB,SAAS;YACT,QAAQ,EAAE,EAAE,WAAW,EAAE;SAC1B,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACrC,CAAC;CACF"}

package/dist/oauth-callback-page.d.ts

@@ -1,9 +0,0 @@
-/**
- * OAuth callback page — postMessage bridge for popup OAuth flow.
- *
- * When OAuth completes, the provider redirects here. This page sends
- * the authorization response back to the opener window via postMessage,
- * then closes itself.
- */
-export declare function renderOAuthCallbackPage(origin: string): string;
-//# sourceMappingURL=oauth-callback-page.d.ts.map

package/dist/oauth-callback-page.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-callback-page.d.ts","sourceRoot":"","sources":["../src/oauth-callback-page.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAsB9D"}

package/dist/oauth-callback-page.js

@@ -1,31 +0,0 @@
-/**
- * OAuth callback page — postMessage bridge for popup OAuth flow.
- *
- * When OAuth completes, the provider redirects here. This page sends
- * the authorization response back to the opener window via postMessage,
- * then closes itself.
- */
-export function renderOAuthCallbackPage(origin) {
-    return `<!DOCTYPE html>
-<html><head><style>
-  body{margin:0;min-height:100vh;display:flex;align-items:center;justify-content:center;background:#0a0a0b;color:#9394a1;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;font-size:14px}
-  .wrap{text-align:center}
-  @keyframes spin{to{transform:rotate(360deg)}}
-  .spinner{display:inline-block;width:20px;height:20px;border:2px solid rgba(255,255,255,0.15);border-top-color:#9280ff;border-radius:50%;animation:spin .6s linear infinite;margin-bottom:12px}
-</style></head><body>
-  <div class="wrap"><div class="spinner"></div><div>Completing sign in...</div></div>
-  <script>
-    var params = new URLSearchParams(location.search);
-    if (window.opener) {
-      window.opener.postMessage({
-        type: 'authorization_response',
-        response: { code: params.get('code'), state: params.get('state') }
-      }, '${origin}');
-      setTimeout(function() { window.close(); }, 300);
-    } else {
-      document.querySelector('.wrap div:last-child').textContent = 'You may close this window.';
-    }
-  </script>
-</body></html>`;
-}
-//# sourceMappingURL=oauth-callback-page.js.map

package/dist/oauth-callback-page.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-callback-page.js","sourceRoot":"","sources":["../src/oauth-callback-page.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,UAAU,uBAAuB,CAAC,MAAc;IACpD,OAAO;;;;;;;;;;;;;;YAcG,MAAM;;;;;;eAMH,CAAC;AAChB,CAAC"}

package/dist/oauth-handler.d.ts

@@ -1,72 +0,0 @@
-/**
- * OAuthHandler — OAuth login/bind/unbind for Cloudflare Workers.
- *
- * Supports pluggable adapters (Google, GitHub, Apple, etc.).
- * OAuth configs are stored in D1 settings table as `oauth:{provider}` JSON.
- *
- * Routes (under /.well-known/service):
- *   GET  /api/oauth/configs                — list configured providers
- *   GET  /api/oauth/:provider/login         — redirect to OAuth provider
- *   GET  /oauth/callback/:provider         — handle OAuth callback
- *   POST /oauth/callback/:provider         — handle Apple POST callback
- *   POST /api/oauth/login                  — API-based code exchange + login
- *   POST /api/oauth/bind                   — bind OAuth to existing account
- *   POST /api/oauth/unbind                 — unbind OAuth from account
- */
-import type { AuthEntrypointInterface } from "./identity/auth-entrypoint.js";
-import type { OAuthAdapter } from "./oauth-adapters/types.js";
-import type { D1Store } from "./store/d1-store.js";
-export interface OAuthHandlerOptions {
-    store: D1Store;
-    appSk: string;
-    jwtSecret: string;
-    jwtExpiresIn: number;
-    cookieName: string;
-    rpID?: string | ((request: Request) => string);
-    /** KV namespace for JWKS caching and OAuth state CSRF. */
-    kv?: KVNamespace;
-    /** Service Binding to master Worker (federated mode). */
-    authMaster?: AuthEntrypointInterface;
-    /** Master site OAuth callback origin (federated mode). */
-    masterOAuthOrigin?: string;
-    /** Instance DID for settings isolation. Falls back to "_global_" if not set. */
-    instanceDid?: string;
-}
-export declare class OAuthHandler {
-    private options;
-    constructor(options: OAuthHandlerOptions);
-    /** Register additional adapters (for Phase 2e providers). */
-    static registerAdapter(adapter: OAuthAdapter): void;
-    /**
-     * Handle an incoming request. Returns Response if matched, null otherwise.
-     */
-    fetch(request: Request): Promise<Response | null>;
-    /** GET /api/oauth/configs — list enabled providers (public, no secrets). */
-    private handleGetConfigs;
-    /** GET /api/oauth/:provider/login — redirect to OAuth authorization URL. */
-    private handleLogin;
-    /** GET/POST /oauth/callback/:provider — handle OAuth callback. */
-    private handleCallback;
-    /** POST /api/oauth/login — exchange code for JWT cookie. */
-    private handleApiLogin;
-    /** POST /api/oauth/bind — bind OAuth provider to current user. */
-    private handleBind;
-    /** POST /api/oauth/unbind — unbind OAuth provider from current user. */
-    private handleUnbind;
-    /**
-     * Parse request body, resolve provider config/adapter, and exchange OAuth code.
-     * Returns a Response on validation/exchange error, or the resolved result.
-     */
-    private exchangeOAuthCode;
-    /** Resolve the instance DID to use for settings lookup. */
-    private get instanceDid();
-    /** Load all OAuth configs from D1 settings. */
-    private loadAllConfigs;
-    /** Load a single provider's config from D1 settings. */
-    private loadProviderConfig;
-    /** Build the callback URL for a provider. In federated mode, uses master origin. */
-    private getCallbackUrl;
-    /** Verify JWT from cookie — returns caller identity or null. */
-    private verifyCaller;
-}
-//# sourceMappingURL=oauth-handler.d.ts.map

package/dist/oauth-handler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-handler.d.ts","sourceRoot":"","sources":["../src/oauth-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,+BAA+B,CAAC;AAU7E,OAAO,KAAK,EAAE,YAAY,EAAqC,MAAM,2BAA2B,CAAC;AAEjG,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAEnD,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,OAAO,EAAE,OAAO,KAAK,MAAM,CAAC,CAAC;IAC/C,0DAA0D;IAC1D,EAAE,CAAC,EAAE,WAAW,CAAC;IACjB,yDAAyD;IACzD,UAAU,CAAC,EAAE,uBAAuB,CAAC;IACrC,0DAA0D;IAC1D,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,gFAAgF;IAChF,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAaD,qBAAa,YAAY;IACvB,OAAO,CAAC,OAAO,CAAsB;gBAEzB,OAAO,EAAE,mBAAmB;IAIxC,6DAA6D;IAC7D,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,YAAY,GAAG,IAAI;IAInD;;OAEG;IACG,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IA4CvD,4EAA4E;YAC9D,gBAAgB;IAkB9B,4EAA4E;YAC9D,WAAW;IAgDzB,kEAAkE;YACpD,cAAc;IA+C5B,4DAA4D;YAC9C,cAAc;IAwE5B,kEAAkE;YACpD,UAAU;IA+BxB,wEAAwE;YAC1D,YAAY;IAuC1B;;;OAGG;YACW,iBAAiB;IA2C/B,2DAA2D;IAC3D,OAAO,KAAK,WAAW,GAEtB;IAED,+CAA+C;YACjC,cAAc;IAgB5B,wDAAwD;YAC1C,kBAAkB;IAUhC,oFAAoF;IACpF,OAAO,CAAC,cAAc;IAKtB,gEAAgE;YAClD,YAAY;CAS3B"}