@atribu/node 0.1.0

package/dist/oauth/index.cjs

@@ -0,0 +1,299 @@
+'use strict';
+
+// src/errors.ts
+var AtribuError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = new.target.name;
+  }
+};
+var AtribuConfigError = class extends AtribuError {
+};
+var AtribuTransportError = class extends AtribuError {
+  cause;
+  constructor(message, cause) {
+    super(message);
+    this.cause = cause;
+  }
+};
+var AtribuOauthError = class extends AtribuError {
+  code;
+  status;
+  description;
+  constructor(args) {
+    super(`[oauth/${args.code}] ${args.description ?? args.code}`);
+    this.code = args.code;
+    this.status = args.status;
+    this.description = args.description;
+  }
+};
+
+// src/oauth/authorize-url.ts
+var DEFAULT_BASE_URL = "https://www.atribu.app";
+function buildAuthorizeUrl(input) {
+  for (const key of ["clientId", "redirectUri", "provider", "state", "idTokenHint"]) {
+    if (!input[key]) throw new AtribuConfigError(`buildAuthorizeUrl: ${key} is required`);
+  }
+  if (input.codeChallenge && !input.codeChallengeMethod) {
+    throw new AtribuConfigError("codeChallengeMethod is required when codeChallenge is set");
+  }
+  const baseUrl = (input.baseUrl ?? DEFAULT_BASE_URL).replace(/\/+$/, "");
+  const scope = Array.isArray(input.scope) ? input.scope.join(" ") : input.scope;
+  const url = new URL("/oauth/authorize", baseUrl);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", input.clientId);
+  url.searchParams.set("redirect_uri", input.redirectUri);
+  url.searchParams.set("provider", input.provider);
+  url.searchParams.set("scope", scope);
+  url.searchParams.set("state", input.state);
+  url.searchParams.set("id_token_hint", input.idTokenHint);
+  if (input.codeChallenge && input.codeChallengeMethod) {
+    url.searchParams.set("code_challenge", input.codeChallenge);
+    url.searchParams.set("code_challenge_method", input.codeChallengeMethod);
+  }
+  if (input.extras) {
+    for (const [k, v] of Object.entries(input.extras)) url.searchParams.set(k, v);
+  }
+  return url.toString();
+}
+
+// src/version.ts
+var SDK_VERSION = "0.1.0";
+
+// src/runtime.ts
+function detectRuntime() {
+  if (typeof Deno !== "undefined") return "deno";
+  if (typeof Bun !== "undefined") return "bun";
+  if (typeof EdgeRuntime !== "undefined") return "edge";
+  if (typeof process !== "undefined" && typeof process.versions?.node === "string") {
+    return "node";
+  }
+  if (typeof window !== "undefined" && typeof document !== "undefined") return "browser";
+  return "unknown";
+}
+function runtimeTag() {
+  const rt = detectRuntime();
+  if (rt === "node") {
+    const v = process.versions?.node;
+    return v ? `node/${v}` : "node";
+  }
+  return rt;
+}
+
+// src/oauth/exchange.ts
+var DEFAULT_BASE_URL2 = "https://www.atribu.app";
+async function exchangeCode(input) {
+  for (const key of ["clientId", "clientSecret", "code", "redirectUri"]) {
+    if (!input[key]) throw new AtribuConfigError(`exchangeCode: ${key} is required`);
+  }
+  const fetchImpl = input.fetch ?? globalThis.fetch;
+  if (typeof fetchImpl !== "function") {
+    throw new AtribuConfigError("globalThis.fetch is not available; pass a `fetch` impl");
+  }
+  const baseUrl = (input.baseUrl ?? DEFAULT_BASE_URL2).replace(/\/+$/, "");
+  const url = `${baseUrl}/oauth/token`;
+  const authMethod = input.authMethod ?? "basic";
+  const form = {
+    grant_type: "authorization_code",
+    code: input.code,
+    redirect_uri: input.redirectUri
+  };
+  if (input.codeVerifier) form.code_verifier = input.codeVerifier;
+  const headers = {
+    Accept: "application/json",
+    "Content-Type": "application/x-www-form-urlencoded",
+    "User-Agent": `@atribu/node/${SDK_VERSION} (${runtimeTag()})`
+  };
+  if (authMethod === "basic") {
+    headers.Authorization = `Basic ${base64(`${input.clientId}:${input.clientSecret}`)}`;
+  } else {
+    form.client_id = input.clientId;
+    form.client_secret = input.clientSecret;
+  }
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), input.timeoutMs ?? 3e4);
+  const signal = input.signal ?? controller.signal;
+  let res;
+  try {
+    res = await fetchImpl(url, {
+      method: "POST",
+      headers,
+      body: new URLSearchParams(form).toString(),
+      signal
+    });
+  } catch (err) {
+    clearTimeout(timeout);
+    throw new AtribuTransportError(
+      err instanceof Error ? err.message : "fetch failed",
+      err
+    );
+  }
+  clearTimeout(timeout);
+  const text = await res.text();
+  const parsed = text ? safeJson(text) : null;
+  if (!res.ok) {
+    const body2 = parsed ?? {};
+    throw new AtribuOauthError({
+      code: typeof body2.error === "string" ? body2.error : "server_error",
+      description: typeof body2.error_description === "string" ? body2.error_description : null,
+      status: res.status
+    });
+  }
+  const body = parsed;
+  return {
+    accessToken: body.access_token,
+    tokenType: "bearer",
+    scope: typeof body.scope === "string" ? body.scope.split(/\s+/).filter(Boolean) : [],
+    connectionId: body.connection_id ?? null,
+    profileId: body.profile_id,
+    workspaceId: body.workspace_id
+  };
+}
+function base64(input) {
+  if (typeof btoa === "function") return btoa(input);
+  return Buffer.from(input, "utf8").toString("base64");
+}
+function safeJson(text) {
+  try {
+    return JSON.parse(text);
+  } catch {
+    return text;
+  }
+}
+
+// src/oauth/revoke.ts
+var DEFAULT_BASE_URL3 = "https://www.atribu.app";
+async function revokeToken(input) {
+  for (const key of ["clientId", "clientSecret", "token"]) {
+    if (!input[key]) throw new AtribuConfigError(`revokeToken: ${key} is required`);
+  }
+  const fetchImpl = input.fetch ?? globalThis.fetch;
+  if (typeof fetchImpl !== "function") {
+    throw new AtribuConfigError("globalThis.fetch is not available; pass a `fetch` impl");
+  }
+  const baseUrl = (input.baseUrl ?? DEFAULT_BASE_URL3).replace(/\/+$/, "");
+  const url = `${baseUrl}/oauth/revoke`;
+  const authMethod = input.authMethod ?? "basic";
+  const form = {
+    token: input.token,
+    token_type_hint: "access_token"
+  };
+  const headers = {
+    Accept: "application/json",
+    "Content-Type": "application/x-www-form-urlencoded",
+    "User-Agent": `@atribu/node/${SDK_VERSION} (${runtimeTag()})`
+  };
+  if (authMethod === "basic") {
+    headers.Authorization = `Basic ${base642(`${input.clientId}:${input.clientSecret}`)}`;
+  } else {
+    form.client_id = input.clientId;
+    form.client_secret = input.clientSecret;
+  }
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), input.timeoutMs ?? 3e4);
+  const signal = input.signal ?? controller.signal;
+  let res;
+  try {
+    res = await fetchImpl(url, {
+      method: "POST",
+      headers,
+      body: new URLSearchParams(form).toString(),
+      signal
+    });
+  } catch (err) {
+    clearTimeout(timeout);
+    throw new AtribuTransportError(
+      err instanceof Error ? err.message : "fetch failed",
+      err
+    );
+  }
+  clearTimeout(timeout);
+  if (res.ok) return;
+  const text = await res.text();
+  let body = {};
+  try {
+    body = text ? JSON.parse(text) : {};
+  } catch {
+    body = {};
+  }
+  throw new AtribuOauthError({
+    code: typeof body.error === "string" ? body.error : "server_error",
+    description: typeof body.error_description === "string" ? body.error_description : null,
+    status: res.status
+  });
+}
+function base642(input) {
+  if (typeof btoa === "function") return btoa(input);
+  return Buffer.from(input, "utf8").toString("base64");
+}
+
+// src/oauth/id-token-hint.ts
+var cachedJose = null;
+var joseLoadAttempted = false;
+async function loadJose() {
+  if (cachedJose) return cachedJose;
+  if (joseLoadAttempted && !cachedJose) {
+    throw new AtribuConfigError(
+      "signIdTokenHint requires the `jose` peer dependency. Run `npm install jose`."
+    );
+  }
+  joseLoadAttempted = true;
+  try {
+    const mod = await import('jose');
+    cachedJose = mod;
+    return mod;
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "import failed";
+    throw new AtribuConfigError(
+      `signIdTokenHint requires the \`jose\` peer dependency. Install with \`npm install jose\`. (${message})`
+    );
+  }
+}
+async function signIdTokenHint(input) {
+  if (!input.jwtSigningSecret) {
+    throw new AtribuConfigError("signIdTokenHint: jwtSigningSecret is required");
+  }
+  if (!input.subject) throw new AtribuConfigError("signIdTokenHint: subject is required");
+  if (!input.email) throw new AtribuConfigError("signIdTokenHint: email is required");
+  const jose = await loadJose();
+  const claims = { email: input.email, ...input.extraClaims ?? {} };
+  const jwt = new jose.SignJWT(claims).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setSubject(input.subject).setAudience(input.audience ?? "atribu").setExpirationTime(input.expiresIn ?? "5m");
+  if (input.issuer) jwt.setIssuer(input.issuer);
+  return jwt.sign(new TextEncoder().encode(input.jwtSigningSecret));
+}
+
+// src/oauth/pkce.ts
+var VERIFIER_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+function generateCodeVerifier(length = 64) {
+  if (length < 43 || length > 128) {
+    throw new Error("PKCE verifier length must be 43\u2013128");
+  }
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  let out = "";
+  for (let i = 0; i < length; i++) {
+    out += VERIFIER_CHARS[bytes[i] % VERIFIER_CHARS.length];
+  }
+  return out;
+}
+async function computeCodeChallenge(verifier) {
+  const data = new TextEncoder().encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+function base64UrlEncode(bytes) {
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bytes).toString("base64");
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+exports.AtribuOauthError = AtribuOauthError;
+exports.buildAuthorizeUrl = buildAuthorizeUrl;
+exports.computeCodeChallenge = computeCodeChallenge;
+exports.exchangeCode = exchangeCode;
+exports.generateCodeVerifier = generateCodeVerifier;
+exports.revokeToken = revokeToken;
+exports.signIdTokenHint = signIdTokenHint;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/oauth/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/errors.ts","../../src/oauth/authorize-url.ts","../../src/version.ts","../../src/runtime.ts","../../src/oauth/exchange.ts","../../src/oauth/revoke.ts","../../src/oauth/id-token-hint.ts","../../src/oauth/pkce.ts"],"names":["DEFAULT_BASE_URL","body","base64"],"mappings":";;;AAiCO,IAAM,WAAA,GAAN,cAA0B,KAAA,CAAM;AAAA,EACrC,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,OAAO,GAAA,CAAA,MAAA,CAAW,IAAA;AAAA,EACzB;AACF,CAAA;AAEO,IAAM,iBAAA,GAAN,cAAgC,WAAA,CAAY;AAAC,CAAA;AAE7C,IAAM,oBAAA,GAAN,cAAmC,WAAA,CAAY;AAAA,EAC3C,KAAA;AAAA,EACT,WAAA,CAAY,SAAiB,KAAA,EAAgB;AAC3C,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AAAA,EACf;AACF,CAAA;AAsDO,IAAM,gBAAA,GAAN,cAA+B,WAAA,CAAY;AAAA,EACvC,IAAA;AAAA,EACA,MAAA;AAAA,EACA,WAAA;AAAA,EAET,YAAY,IAAA,EAA4E;AACtF,IAAA,KAAA,CAAM,CAAA,OAAA,EAAU,KAAK,IAAI,CAAA,EAAA,EAAK,KAAK,WAAA,IAAe,IAAA,CAAK,IAAI,CAAA,CAAE,CAAA;AAC7D,IAAA,IAAA,CAAK,OAAO,IAAA,CAAK,IAAA;AACjB,IAAA,IAAA,CAAK,SAAS,IAAA,CAAK,MAAA;AACnB,IAAA,IAAA,CAAK,cAAc,IAAA,CAAK,WAAA;AAAA,EAC1B;AACF;;;AC5FA,IAAM,gBAAA,GAAmB,wBAAA;AAQlB,SAAS,kBAAkB,KAAA,EAAuC;AACvE,EAAA,KAAA,MAAW,OAAO,CAAC,UAAA,EAAY,eAAe,UAAA,EAAY,OAAA,EAAS,aAAa,CAAA,EAAY;AAC1F,IAAA,IAAI,CAAC,MAAM,GAAG,CAAA,QAAS,IAAI,iBAAA,CAAkB,CAAA,mBAAA,EAAsB,GAAG,CAAA,YAAA,CAAc,CAAA;AAAA,EACtF;AACA,EAAA,IAAI,KAAA,CAAM,aAAA,IAAiB,CAAC,KAAA,CAAM,mBAAA,EAAqB;AACrD,IAAA,MAAM,IAAI,kBAAkB,2DAA2D,CAAA;AAAA,EACzF;AACA,EAAA,MAAM,WAAW,KAAA,CAAM,OAAA,IAAW,gBAAA,EAAkB,OAAA,CAAQ,QAAQ,EAAE,CAAA;AACtE,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,KAAA,CAAM,KAAK,CAAA,GAAI,KAAA,CAAM,KAAA,CAAM,IAAA,CAAK,GAAG,CAAA,GAAI,KAAA,CAAM,KAAA;AAEzE,EAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,kBAAA,EAAoB,OAAO,CAAA;AAC/C,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,eAAA,EAAiB,MAAM,CAAA;AAC5C,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,WAAA,EAAa,KAAA,CAAM,QAAQ,CAAA;AAChD,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,cAAA,EAAgB,KAAA,CAAM,WAAW,CAAA;AACtD,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,UAAA,EAAY,KAAA,CAAM,QAAQ,CAAA;AAC/C,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,KAAK,CAAA;AACnC,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,KAAA,CAAM,KAAK,CAAA;AACzC,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,eAAA,EAAiB,KAAA,CAAM,WAAW,CAAA;AACvD,EAAA,IAAI,KAAA,CAAM,aAAA,IAAiB,KAAA,CAAM,mBAAA,EAAqB;AACpD,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,gBAAA,EAAkB,KAAA,CAAM,aAAa,CAAA;AAC1D,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,uBAAA,EAAyB,KAAA,CAAM,mBAAmB,CAAA;AAAA,EACzE;AACA,EAAA,IAAI,MAAM,MAAA,EAAQ;AAChB,IAAA,KAAA,MAAW,CAAC,CAAA,EAAG,CAAC,CAAA,IAAK,MAAA,CAAO,OAAA,CAAQ,KAAA,CAAM,MAAM,CAAA,EAAG,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,EAC9E;AACA,EAAA,OAAO,IAAI,QAAA,EAAS;AACtB;;;ACvDO,IAAM,WAAA,GAAc,OAAA;;;ACMpB,SAAS,aAAA,GAAyB;AACvC,EAAA,IAAI,OAAO,IAAA,KAAS,WAAA,EAAa,OAAO,MAAA;AACxC,EAAA,IAAI,OAAO,GAAA,KAAQ,WAAA,EAAa,OAAO,KAAA;AACvC,EAAA,IAAI,OAAO,WAAA,KAAgB,WAAA,EAAa,OAAO,MAAA;AAC/C,EAAA,IACE,OAAO,OAAA,KAAY,WAAA,IACnB,OAAQ,OAAA,CAA6C,QAAA,EAAU,SAAS,QAAA,EACxE;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,IAAI,OAAO,MAAA,KAAW,WAAA,IAAe,OAAO,QAAA,KAAa,aAAa,OAAO,SAAA;AAC7E,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,UAAA,GAAqB;AACnC,EAAA,MAAM,KAAK,aAAA,EAAc;AACzB,EAAA,IAAI,OAAO,MAAA,EAAQ;AACjB,IAAA,MAAM,CAAA,GAAK,QAA6C,QAAA,EAAU,IAAA;AAClE,IAAA,OAAO,CAAA,GAAI,CAAA,KAAA,EAAQ,CAAC,CAAA,CAAA,GAAK,MAAA;AAAA,EAC3B;AACA,EAAA,OAAO,EAAA;AACT;;;ACYA,IAAMA,iBAAAA,GAAmB,wBAAA;AAEzB,eAAsB,aAAa,KAAA,EAAuD;AACxF,EAAA,KAAA,MAAW,OAAO,CAAC,UAAA,EAAY,cAAA,EAAgB,MAAA,EAAQ,aAAa,CAAA,EAAY;AAC9E,IAAA,IAAI,CAAC,MAAM,GAAG,CAAA,QAAS,IAAI,iBAAA,CAAkB,CAAA,cAAA,EAAiB,GAAG,CAAA,YAAA,CAAc,CAAA;AAAA,EACjF;AACA,EAAA,MAAM,SAAA,GAAY,KAAA,CAAM,KAAA,IAAS,UAAA,CAAW,KAAA;AAC5C,EAAA,IAAI,OAAO,cAAc,UAAA,EAAY;AACnC,IAAA,MAAM,IAAI,kBAAkB,wDAAwD,CAAA;AAAA,EACtF;AACA,EAAA,MAAM,WAAW,KAAA,CAAM,OAAA,IAAWA,iBAAAA,EAAkB,OAAA,CAAQ,QAAQ,EAAE,CAAA;AACtE,EAAA,MAAM,GAAA,GAAM,GAAG,OAAO,CAAA,YAAA,CAAA;AACtB,EAAA,MAAM,UAAA,GAAa,MAAM,UAAA,IAAc,OAAA;AAEvC,EAAA,MAAM,IAAA,GAA+B;AAAA,IACnC,UAAA,EAAY,oBAAA;AAAA,IACZ,MAAM,KAAA,CAAM,IAAA;AAAA,IACZ,cAAc,KAAA,CAAM;AAAA,GACtB;AACA,EAAA,IAAI,KAAA,CAAM,YAAA,EAAc,IAAA,CAAK,aAAA,GAAgB,KAAA,CAAM,YAAA;AAEnD,EAAA,MAAM,OAAA,GAAkC;AAAA,IACtC,MAAA,EAAQ,kBAAA;AAAA,IACR,cAAA,EAAgB,mCAAA;AAAA,IAChB,YAAA,EAAc,CAAA,aAAA,EAAgB,WAAW,CAAA,EAAA,EAAK,YAAY,CAAA,CAAA;AAAA,GAC5D;AAEA,EAAA,IAAI,eAAe,OAAA,EAAS;AAC1B,IAAA,OAAA,CAAQ,aAAA,GAAgB,CAAA,MAAA,EAAS,MAAA,CAAO,CAAA,EAAG,KAAA,CAAM,QAAQ,CAAA,CAAA,EAAI,KAAA,CAAM,YAAY,CAAA,CAAE,CAAC,CAAA,CAAA;AAAA,EACpF,CAAA,MAAO;AACL,IAAA,IAAA,CAAK,YAAY,KAAA,CAAM,QAAA;AACvB,IAAA,IAAA,CAAK,gBAAgB,KAAA,CAAM,YAAA;AAAA,EAC7B;AAEA,EAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,EAAA,MAAM,OAAA,GAAU,WAAW,MAAM,UAAA,CAAW,OAAM,EAAG,KAAA,CAAM,aAAa,GAAM,CAAA;AAC9E,EAAA,MAAM,MAAA,GAAS,KAAA,CAAM,MAAA,IAAU,UAAA,CAAW,MAAA;AAE1C,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI;AACF,IAAA,GAAA,GAAM,MAAM,UAAU,GAAA,EAAK;AAAA,MACzB,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA;AAAA,MACA,IAAA,EAAM,IAAI,eAAA,CAAgB,IAAI,EAAE,QAAA,EAAS;AAAA,MACzC;AAAA,KACD,CAAA;AAAA,EACH,SAAS,GAAA,EAAK;AACZ,IAAA,YAAA,CAAa,OAAO,CAAA;AACpB,IAAA,MAAM,IAAI,oBAAA;AAAA,MACR,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,cAAA;AAAA,MACrC;AAAA,KACF;AAAA,EACF;AACA,EAAA,YAAA,CAAa,OAAO,CAAA;AAEpB,EAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,EAAA,MAAM,MAAA,GAAS,IAAA,GAAO,QAAA,CAAS,IAAI,CAAA,GAAI,IAAA;AAEvC,EAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,IAAA,MAAMC,KAAAA,GAAQ,UAAU,EAAC;AACzB,IAAA,MAAM,IAAI,gBAAA,CAAiB;AAAA,MACzB,MAAM,OAAOA,KAAAA,CAAK,KAAA,KAAU,QAAA,GAAWA,MAAK,KAAA,GAAQ,cAAA;AAAA,MACpD,aAAa,OAAOA,KAAAA,CAAK,iBAAA,KAAsB,QAAA,GAAWA,MAAK,iBAAA,GAAoB,IAAA;AAAA,MACnF,QAAQ,GAAA,CAAI;AAAA,KACb,CAAA;AAAA,EACH;AACA,EAAA,MAAM,IAAA,GAAO,MAAA;AAQb,EAAA,OAAO;AAAA,IACL,aAAa,IAAA,CAAK,YAAA;AAAA,IAClB,SAAA,EAAW,QAAA;AAAA,IACX,KAAA,EAAO,OAAO,IAAA,CAAK,KAAA,KAAU,QAAA,GAAW,IAAA,CAAK,KAAA,CAAM,KAAA,CAAM,KAAK,CAAA,CAAE,MAAA,CAAO,OAAO,IAAI,EAAC;AAAA,IACnF,YAAA,EAAc,KAAK,aAAA,IAAiB,IAAA;AAAA,IACpC,WAAW,IAAA,CAAK,UAAA;AAAA,IAChB,aAAa,IAAA,CAAK;AAAA,GACpB;AACF;AAEA,SAAS,OAAO,KAAA,EAAuB;AACrC,EAAA,IAAI,OAAO,IAAA,KAAS,UAAA,EAAY,OAAO,KAAK,KAAK,CAAA;AACjD,EAAA,OAAO,OAAO,IAAA,CAAK,KAAA,EAAO,MAAM,CAAA,CAAE,SAAS,QAAQ,CAAA;AACrD;AAEA,SAAS,SAAS,IAAA,EAAuB;AACvC,EAAA,IAAI;AACF,IAAA,OAAO,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,EACxB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;;;AC3GA,IAAMD,iBAAAA,GAAmB,wBAAA;AAEzB,eAAsB,YAAY,KAAA,EAAwC;AACxE,EAAA,KAAA,MAAW,GAAA,IAAO,CAAC,UAAA,EAAY,cAAA,EAAgB,OAAO,CAAA,EAAY;AAChE,IAAA,IAAI,CAAC,MAAM,GAAG,CAAA,QAAS,IAAI,iBAAA,CAAkB,CAAA,aAAA,EAAgB,GAAG,CAAA,YAAA,CAAc,CAAA;AAAA,EAChF;AACA,EAAA,MAAM,SAAA,GAAY,KAAA,CAAM,KAAA,IAAS,UAAA,CAAW,KAAA;AAC5C,EAAA,IAAI,OAAO,cAAc,UAAA,EAAY;AACnC,IAAA,MAAM,IAAI,kBAAkB,wDAAwD,CAAA;AAAA,EACtF;AACA,EAAA,MAAM,WAAW,KAAA,CAAM,OAAA,IAAWA,iBAAAA,EAAkB,OAAA,CAAQ,QAAQ,EAAE,CAAA;AACtE,EAAA,MAAM,GAAA,GAAM,GAAG,OAAO,CAAA,aAAA,CAAA;AACtB,EAAA,MAAM,UAAA,GAAa,MAAM,UAAA,IAAc,OAAA;AAEvC,EAAA,MAAM,IAAA,GAA+B;AAAA,IACnC,OAAO,KAAA,CAAM,KAAA;AAAA,IACb,eAAA,EAAiB;AAAA,GACnB;AACA,EAAA,MAAM,OAAA,GAAkC;AAAA,IACtC,MAAA,EAAQ,kBAAA;AAAA,IACR,cAAA,EAAgB,mCAAA;AAAA,IAChB,YAAA,EAAc,CAAA,aAAA,EAAgB,WAAW,CAAA,EAAA,EAAK,YAAY,CAAA,CAAA;AAAA,GAC5D;AACA,EAAA,IAAI,eAAe,OAAA,EAAS;AAC1B,IAAA,OAAA,CAAQ,aAAA,GAAgB,CAAA,MAAA,EAASE,OAAAA,CAAO,CAAA,EAAG,KAAA,CAAM,QAAQ,CAAA,CAAA,EAAI,KAAA,CAAM,YAAY,CAAA,CAAE,CAAC,CAAA,CAAA;AAAA,EACpF,CAAA,MAAO;AACL,IAAA,IAAA,CAAK,YAAY,KAAA,CAAM,QAAA;AACvB,IAAA,IAAA,CAAK,gBAAgB,KAAA,CAAM,YAAA;AAAA,EAC7B;AAEA,EAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,EAAA,MAAM,OAAA,GAAU,WAAW,MAAM,UAAA,CAAW,OAAM,EAAG,KAAA,CAAM,aAAa,GAAM,CAAA;AAC9E,EAAA,MAAM,MAAA,GAAS,KAAA,CAAM,MAAA,IAAU,UAAA,CAAW,MAAA;AAE1C,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI;AACF,IAAA,GAAA,GAAM,MAAM,UAAU,GAAA,EAAK;AAAA,MACzB,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA;AAAA,MACA,IAAA,EAAM,IAAI,eAAA,CAAgB,IAAI,EAAE,QAAA,EAAS;AAAA,MACzC;AAAA,KACD,CAAA;AAAA,EACH,SAAS,GAAA,EAAK;AACZ,IAAA,YAAA,CAAa,OAAO,CAAA;AACpB,IAAA,MAAM,IAAI,oBAAA;AAAA,MACR,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,cAAA;AAAA,MACrC;AAAA,KACF;AAAA,EACF;AACA,EAAA,YAAA,CAAa,OAAO,CAAA;AAEpB,EAAA,IAAI,IAAI,EAAA,EAAI;AACZ,EAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,EAAA,IAAI,OAAyD,EAAC;AAC9D,EAAA,IAAI;AACF,IAAA,IAAA,GAAO,IAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,IAAI,IAAoB,EAAC;AAAA,EACrD,CAAA,CAAA,MAAQ;AACN,IAAA,IAAA,GAAO,EAAC;AAAA,EACV;AACA,EAAA,MAAM,IAAI,gBAAA,CAAiB;AAAA,IACzB,MAAM,OAAO,IAAA,CAAK,KAAA,KAAU,QAAA,GAAW,KAAK,KAAA,GAAQ,cAAA;AAAA,IACpD,aAAa,OAAO,IAAA,CAAK,iBAAA,KAAsB,QAAA,GAAW,KAAK,iBAAA,GAAoB,IAAA;AAAA,IACnF,QAAQ,GAAA,CAAI;AAAA,GACb,CAAA;AACH;AAEA,SAASA,QAAO,KAAA,EAAuB;AACrC,EAAA,IAAI,OAAO,IAAA,KAAS,UAAA,EAAY,OAAO,KAAK,KAAK,CAAA;AACjD,EAAA,OAAO,OAAO,IAAA,CAAK,KAAA,EAAO,MAAM,CAAA,CAAE,SAAS,QAAQ,CAAA;AACrD;;;ACjDA,IAAI,UAAA,GAAgC,IAAA;AACpC,IAAI,iBAAA,GAAoB,KAAA;AAExB,eAAe,QAAA,GAAgC;AAC7C,EAAA,IAAI,YAAY,OAAO,UAAA;AACvB,EAAA,IAAI,iBAAA,IAAqB,CAAC,UAAA,EAAY;AACpC,IAAA,MAAM,IAAI,iBAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACA,EAAA,iBAAA,GAAoB,IAAA;AACpB,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAO,MAAM,OAAO,MAAM,CAAA;AAChC,IAAA,UAAA,GAAa,GAAA;AACb,IAAA,OAAO,GAAA;AAAA,EACT,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,OAAA,GAAU,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,eAAA;AACrD,IAAA,MAAM,IAAI,iBAAA;AAAA,MACR,8FAA8F,OAAO,CAAA,CAAA;AAAA,KACvG;AAAA,EACF;AACF;AAEA,eAAsB,gBAAgB,KAAA,EAA8C;AAClF,EAAA,IAAI,CAAC,MAAM,gBAAA,EAAkB;AAC3B,IAAA,MAAM,IAAI,kBAAkB,+CAA+C,CAAA;AAAA,EAC7E;AACA,EAAA,IAAI,CAAC,KAAA,CAAM,OAAA,EAAS,MAAM,IAAI,kBAAkB,sCAAsC,CAAA;AACtF,EAAA,IAAI,CAAC,KAAA,CAAM,KAAA,EAAO,MAAM,IAAI,kBAAkB,oCAAoC,CAAA;AAElF,EAAA,MAAM,IAAA,GAAO,MAAM,QAAA,EAAS;AAC5B,EAAA,MAAM,MAAA,GAAkC,EAAE,KAAA,EAAO,KAAA,CAAM,OAAO,GAAI,KAAA,CAAM,WAAA,IAAe,EAAC,EAAG;AAE3F,EAAA,MAAM,GAAA,GAAM,IAAI,IAAA,CAAK,OAAA,CAAQ,MAAM,CAAA,CAChC,kBAAA,CAAmB,EAAE,GAAA,EAAK,OAAA,EAAS,GAAA,EAAK,KAAA,EAAO,CAAA,CAC/C,WAAA,EAAY,CACZ,UAAA,CAAW,KAAA,CAAM,OAAO,CAAA,CACxB,WAAA,CAAY,KAAA,CAAM,QAAA,IAAY,QAAQ,CAAA,CACtC,iBAAA,CAAkB,KAAA,CAAM,SAAA,IAAa,IAAI,CAAA;AAC5C,EAAA,IAAI,KAAA,CAAM,MAAA,EAAQ,GAAA,CAAI,SAAA,CAAU,MAAM,MAAM,CAAA;AAE5C,EAAA,OAAO,GAAA,CAAI,KAAK,IAAI,WAAA,GAAc,MAAA,CAAO,KAAA,CAAM,gBAAgB,CAAC,CAAA;AAClE;;;AClFA,IAAM,cAAA,GACJ,oEAAA;AAEK,SAAS,oBAAA,CAAqB,SAAS,EAAA,EAAY;AACxD,EAAA,IAAI,MAAA,GAAS,EAAA,IAAM,MAAA,GAAS,GAAA,EAAK;AAC/B,IAAA,MAAM,IAAI,MAAM,0CAAqC,CAAA;AAAA,EACvD;AACA,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,MAAA,CAAO,gBAAgB,KAAK,CAAA;AAC5B,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,EAAQ,CAAA,EAAA,EAAK;AAC/B,IAAA,GAAA,IAAO,cAAA,CAAe,KAAA,CAAM,CAAC,CAAA,GAAK,eAAe,MAAM,CAAA;AAAA,EACzD;AACA,EAAA,OAAO,GAAA;AACT;AAEA,eAAsB,qBAAqB,QAAA,EAAmC;AAC5E,EAAA,MAAM,IAAA,GAAO,IAAI,WAAA,EAAY,CAAE,OAAO,QAAQ,CAAA;AAC9C,EAAA,MAAM,SAAS,MAAM,MAAA,CAAO,MAAA,CAAO,MAAA,CAAO,WAAW,IAAI,CAAA;AACzD,EAAA,OAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AAC/C;AAEA,SAAS,gBAAgB,KAAA,EAA2B;AAClD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,MAAA,EAAQ,CAAA,EAAA,EAAK,GAAA,IAAO,MAAA,CAAO,YAAA,CAAa,KAAA,CAAM,CAAC,CAAE,CAAA;AAC3E,EAAA,MAAM,GAAA,GACJ,OAAO,IAAA,KAAS,UAAA,GACZ,IAAA,CAAK,GAAG,CAAA,GACR,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,QAAA,CAAS,QAAQ,CAAA;AAC1C,EAAA,OAAO,GAAA,CAAI,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AACtE","file":"index.cjs","sourcesContent":["/**\n * Atribu error class hierarchy.\n *\n * Why typed errors: consumers need to branch on auth-failure vs rate-limit vs\n * server-error vs validation-error to decide whether to retry, refresh\n * credentials, or surface to the user. A single `Error` with a status code\n * forces every consumer to write the same `if (err.status === 401)` ladder.\n *\n * Why no automatic retries: the SDK derives a `retry` hint from status +\n * Retry-After + error code, but consumers' queue/job systems decide whether\n * to act on it. Auto-retry inside the SDK hides backpressure signals and\n * makes error budgets opaque.\n */\n\nimport type { RetryHint } from \"./retry\";\n\nexport type ApiErrorCode =\n  | \"unauthorized\"\n  | \"forbidden\"\n  | \"insufficient_scope\"\n  | \"not_found\"\n  | \"invalid_parameter\"\n  | \"invalid_request\"\n  | \"validation_error\"\n  | \"invalid_content\"\n  | \"invalid_date_range\"\n  | \"rate_limit_exceeded\"\n  | \"connection_not_ready\"\n  | \"provider_error\"\n  | \"service_unavailable\"\n  | \"internal_error\"\n  | string;\n\nexport class AtribuError extends Error {\n  constructor(message: string) {\n    super(message);\n    this.name = new.target.name;\n  }\n}\n\nexport class AtribuConfigError extends AtribuError {}\n\nexport class AtribuTransportError extends AtribuError {\n  readonly cause: unknown;\n  constructor(message: string, cause: unknown) {\n    super(message);\n    this.cause = cause;\n  }\n}\n\nexport interface ApiErrorBody {\n  code: ApiErrorCode;\n  message: string;\n  status: number;\n  request_id?: string;\n}\n\nexport class AtribuApiError extends AtribuError {\n  readonly code: ApiErrorCode;\n  readonly status: number;\n  readonly requestId: string | null;\n  readonly retry: RetryHint;\n  readonly responseBody: unknown;\n\n  constructor(args: {\n    code: ApiErrorCode;\n    message: string;\n    status: number;\n    requestId: string | null;\n    retry: RetryHint;\n    responseBody: unknown;\n  }) {\n    super(`[${args.code}] ${args.message}`);\n    this.code = args.code;\n    this.status = args.status;\n    this.requestId = args.requestId;\n    this.retry = args.retry;\n    this.responseBody = args.responseBody;\n  }\n\n  isRetryable(): boolean {\n    return this.retry.action === \"retry\" || this.retry.action === \"retry_after\";\n  }\n  isAuthFailure(): boolean {\n    return this.status === 401 || this.code === \"unauthorized\";\n  }\n  isRateLimit(): boolean {\n    return this.status === 429 || this.code === \"rate_limit_exceeded\";\n  }\n}\n\nexport type OauthErrorCode =\n  | \"invalid_request\"\n  | \"invalid_client\"\n  | \"invalid_grant\"\n  | \"unauthorized_client\"\n  | \"unsupported_grant_type\"\n  | \"invalid_scope\"\n  | \"server_error\"\n  | \"unsupported_token_type\"\n  | string;\n\nexport class AtribuOauthError extends AtribuError {\n  readonly code: OauthErrorCode;\n  readonly status: number;\n  readonly description: string | null;\n\n  constructor(args: { code: OauthErrorCode; description: string | null; status: number }) {\n    super(`[oauth/${args.code}] ${args.description ?? args.code}`);\n    this.code = args.code;\n    this.status = args.status;\n    this.description = args.description;\n  }\n}\n\nexport type WebhookErrorCode =\n  | \"missing_signature\"\n  | \"malformed_header\"\n  | \"expired_timestamp\"\n  | \"invalid_signature\";\n\nexport class AtribuWebhookError extends AtribuError {\n  readonly code: WebhookErrorCode;\n  constructor(code: WebhookErrorCode, message: string) {\n    super(message);\n    this.code = code;\n  }\n}\n","import { AtribuConfigError } from \"../errors\";\n\nexport type OauthProvider = \"whatsapp\" | \"instagram\";\nexport type OauthScope = \"whatsapp\" | \"instagram\";\n\nexport interface BuildAuthorizeUrlInput {\n  baseUrl?: string;\n  clientId: string;\n  redirectUri: string;\n  provider: OauthProvider;\n  scope: OauthScope | OauthScope[];\n  state: string;\n  /** Pre-signed `id_token_hint` JWT — use `signIdTokenHint` to mint. */\n  idTokenHint: string;\n  /** PKCE challenge (base64url of SHA-256). */\n  codeChallenge?: string;\n  codeChallengeMethod?: \"S256\" | \"plain\";\n  /** Forwards extra query params unchanged. */\n  extras?: Record<string, string>;\n}\n\nconst DEFAULT_BASE_URL = \"https://www.atribu.app\";\n\n/**\n * Build the `/oauth/authorize` URL the user should be redirected to.\n *\n * Pure function — returns a string. No network calls, no crypto. The only\n * runtime check is required-arg validation.\n */\nexport function buildAuthorizeUrl(input: BuildAuthorizeUrlInput): string {\n  for (const key of [\"clientId\", \"redirectUri\", \"provider\", \"state\", \"idTokenHint\"] as const) {\n    if (!input[key]) throw new AtribuConfigError(`buildAuthorizeUrl: ${key} is required`);\n  }\n  if (input.codeChallenge && !input.codeChallengeMethod) {\n    throw new AtribuConfigError(\"codeChallengeMethod is required when codeChallenge is set\");\n  }\n  const baseUrl = (input.baseUrl ?? DEFAULT_BASE_URL).replace(/\\/+$/, \"\");\n  const scope = Array.isArray(input.scope) ? input.scope.join(\" \") : input.scope;\n\n  const url = new URL(\"/oauth/authorize\", baseUrl);\n  url.searchParams.set(\"response_type\", \"code\");\n  url.searchParams.set(\"client_id\", input.clientId);\n  url.searchParams.set(\"redirect_uri\", input.redirectUri);\n  url.searchParams.set(\"provider\", input.provider);\n  url.searchParams.set(\"scope\", scope);\n  url.searchParams.set(\"state\", input.state);\n  url.searchParams.set(\"id_token_hint\", input.idTokenHint);\n  if (input.codeChallenge && input.codeChallengeMethod) {\n    url.searchParams.set(\"code_challenge\", input.codeChallenge);\n    url.searchParams.set(\"code_challenge_method\", input.codeChallengeMethod);\n  }\n  if (input.extras) {\n    for (const [k, v] of Object.entries(input.extras)) url.searchParams.set(k, v);\n  }\n  return url.toString();\n}\n","export const SDK_VERSION = \"0.1.0\";\n","export type Runtime = \"node\" | \"bun\" | \"deno\" | \"edge\" | \"browser\" | \"unknown\";\n\ndeclare const Deno: unknown;\ndeclare const Bun: unknown;\ndeclare const EdgeRuntime: unknown;\n\nexport function detectRuntime(): Runtime {\n  if (typeof Deno !== \"undefined\") return \"deno\";\n  if (typeof Bun !== \"undefined\") return \"bun\";\n  if (typeof EdgeRuntime !== \"undefined\") return \"edge\";\n  if (\n    typeof process !== \"undefined\" &&\n    typeof (process as { versions?: { node?: string } }).versions?.node === \"string\"\n  ) {\n    return \"node\";\n  }\n  if (typeof window !== \"undefined\" && typeof document !== \"undefined\") return \"browser\";\n  return \"unknown\";\n}\n\nexport function runtimeTag(): string {\n  const rt = detectRuntime();\n  if (rt === \"node\") {\n    const v = (process as { versions?: { node?: string } }).versions?.node;\n    return v ? `node/${v}` : \"node\";\n  }\n  return rt;\n}\n","/**\n * Exchange an authorization code for an Atribu access token.\n *\n * Calls `POST /oauth/token` with form-urlencoded body (RFC 6749 default).\n * Tries `client_secret_basic` (Authorization header) by default; consumers\n * can opt into `client_secret_post` via `authMethod: \"body\"`.\n */\n\nimport {\n  AtribuConfigError,\n  AtribuOauthError,\n  AtribuTransportError,\n} from \"../errors\";\nimport { SDK_VERSION } from \"../version\";\nimport { runtimeTag } from \"../runtime\";\n\nexport interface ExchangeCodeInput {\n  baseUrl?: string;\n  clientId: string;\n  clientSecret: string;\n  code: string;\n  redirectUri: string;\n  codeVerifier?: string;\n  /** \"basic\" (default) sends Authorization: Basic; \"body\" puts creds in form body. */\n  authMethod?: \"basic\" | \"body\";\n  fetch?: typeof fetch;\n  timeoutMs?: number;\n  signal?: AbortSignal;\n}\n\nexport interface ExchangeCodeResult {\n  accessToken: string;\n  tokenType: \"bearer\";\n  scope: string[];\n  connectionId: string | null;\n  profileId: string;\n  workspaceId: string;\n}\n\nconst DEFAULT_BASE_URL = \"https://www.atribu.app\";\n\nexport async function exchangeCode(input: ExchangeCodeInput): Promise<ExchangeCodeResult> {\n  for (const key of [\"clientId\", \"clientSecret\", \"code\", \"redirectUri\"] as const) {\n    if (!input[key]) throw new AtribuConfigError(`exchangeCode: ${key} is required`);\n  }\n  const fetchImpl = input.fetch ?? globalThis.fetch;\n  if (typeof fetchImpl !== \"function\") {\n    throw new AtribuConfigError(\"globalThis.fetch is not available; pass a `fetch` impl\");\n  }\n  const baseUrl = (input.baseUrl ?? DEFAULT_BASE_URL).replace(/\\/+$/, \"\");\n  const url = `${baseUrl}/oauth/token`;\n  const authMethod = input.authMethod ?? \"basic\";\n\n  const form: Record<string, string> = {\n    grant_type: \"authorization_code\",\n    code: input.code,\n    redirect_uri: input.redirectUri,\n  };\n  if (input.codeVerifier) form.code_verifier = input.codeVerifier;\n\n  const headers: Record<string, string> = {\n    Accept: \"application/json\",\n    \"Content-Type\": \"application/x-www-form-urlencoded\",\n    \"User-Agent\": `@atribu/node/${SDK_VERSION} (${runtimeTag()})`,\n  };\n\n  if (authMethod === \"basic\") {\n    headers.Authorization = `Basic ${base64(`${input.clientId}:${input.clientSecret}`)}`;\n  } else {\n    form.client_id = input.clientId;\n    form.client_secret = input.clientSecret;\n  }\n\n  const controller = new AbortController();\n  const timeout = setTimeout(() => controller.abort(), input.timeoutMs ?? 30_000);\n  const signal = input.signal ?? controller.signal;\n\n  let res: Response;\n  try {\n    res = await fetchImpl(url, {\n      method: \"POST\",\n      headers,\n      body: new URLSearchParams(form).toString(),\n      signal,\n    });\n  } catch (err) {\n    clearTimeout(timeout);\n    throw new AtribuTransportError(\n      err instanceof Error ? err.message : \"fetch failed\",\n      err,\n    );\n  }\n  clearTimeout(timeout);\n\n  const text = await res.text();\n  const parsed = text ? safeJson(text) : null;\n\n  if (!res.ok) {\n    const body = (parsed ?? {}) as { error?: unknown; error_description?: unknown };\n    throw new AtribuOauthError({\n      code: typeof body.error === \"string\" ? body.error : \"server_error\",\n      description: typeof body.error_description === \"string\" ? body.error_description : null,\n      status: res.status,\n    });\n  }\n  const body = parsed as {\n    access_token: string;\n    token_type: string;\n    scope?: string;\n    connection_id?: string;\n    profile_id: string;\n    workspace_id: string;\n  };\n  return {\n    accessToken: body.access_token,\n    tokenType: \"bearer\",\n    scope: typeof body.scope === \"string\" ? body.scope.split(/\\s+/).filter(Boolean) : [],\n    connectionId: body.connection_id ?? null,\n    profileId: body.profile_id,\n    workspaceId: body.workspace_id,\n  };\n}\n\nfunction base64(input: string): string {\n  if (typeof btoa === \"function\") return btoa(input);\n  return Buffer.from(input, \"utf8\").toString(\"base64\");\n}\n\nfunction safeJson(text: string): unknown {\n  try {\n    return JSON.parse(text);\n  } catch {\n    return text;\n  }\n}\n","/**\n * Revoke an Atribu access token via RFC 7009.\n *\n * Always returns void on success — the server returns 200 regardless of\n * whether the token existed (RFC §2.2; no enumeration). Authentication\n * errors (bad client credentials) still throw AtribuOauthError.\n */\n\nimport {\n  AtribuConfigError,\n  AtribuOauthError,\n  AtribuTransportError,\n} from \"../errors\";\nimport { SDK_VERSION } from \"../version\";\nimport { runtimeTag } from \"../runtime\";\n\nexport interface RevokeTokenInput {\n  baseUrl?: string;\n  clientId: string;\n  clientSecret: string;\n  token: string;\n  authMethod?: \"basic\" | \"body\";\n  fetch?: typeof fetch;\n  timeoutMs?: number;\n  signal?: AbortSignal;\n}\n\nconst DEFAULT_BASE_URL = \"https://www.atribu.app\";\n\nexport async function revokeToken(input: RevokeTokenInput): Promise<void> {\n  for (const key of [\"clientId\", \"clientSecret\", \"token\"] as const) {\n    if (!input[key]) throw new AtribuConfigError(`revokeToken: ${key} is required`);\n  }\n  const fetchImpl = input.fetch ?? globalThis.fetch;\n  if (typeof fetchImpl !== \"function\") {\n    throw new AtribuConfigError(\"globalThis.fetch is not available; pass a `fetch` impl\");\n  }\n  const baseUrl = (input.baseUrl ?? DEFAULT_BASE_URL).replace(/\\/+$/, \"\");\n  const url = `${baseUrl}/oauth/revoke`;\n  const authMethod = input.authMethod ?? \"basic\";\n\n  const form: Record<string, string> = {\n    token: input.token,\n    token_type_hint: \"access_token\",\n  };\n  const headers: Record<string, string> = {\n    Accept: \"application/json\",\n    \"Content-Type\": \"application/x-www-form-urlencoded\",\n    \"User-Agent\": `@atribu/node/${SDK_VERSION} (${runtimeTag()})`,\n  };\n  if (authMethod === \"basic\") {\n    headers.Authorization = `Basic ${base64(`${input.clientId}:${input.clientSecret}`)}`;\n  } else {\n    form.client_id = input.clientId;\n    form.client_secret = input.clientSecret;\n  }\n\n  const controller = new AbortController();\n  const timeout = setTimeout(() => controller.abort(), input.timeoutMs ?? 30_000);\n  const signal = input.signal ?? controller.signal;\n\n  let res: Response;\n  try {\n    res = await fetchImpl(url, {\n      method: \"POST\",\n      headers,\n      body: new URLSearchParams(form).toString(),\n      signal,\n    });\n  } catch (err) {\n    clearTimeout(timeout);\n    throw new AtribuTransportError(\n      err instanceof Error ? err.message : \"fetch failed\",\n      err,\n    );\n  }\n  clearTimeout(timeout);\n\n  if (res.ok) return;\n  const text = await res.text();\n  let body: { error?: unknown; error_description?: unknown } = {};\n  try {\n    body = text ? (JSON.parse(text) as typeof body) : {};\n  } catch {\n    body = {};\n  }\n  throw new AtribuOauthError({\n    code: typeof body.error === \"string\" ? body.error : \"server_error\",\n    description: typeof body.error_description === \"string\" ? body.error_description : null,\n    status: res.status,\n  });\n}\n\nfunction base64(input: string): string {\n  if (typeof btoa === \"function\") return btoa(input);\n  return Buffer.from(input, \"utf8\").toString(\"base64\");\n}\n","/**\n * Sign an `id_token_hint` JWT (HS256) for an Atribu OAuth flow.\n *\n * Uses `jose` (optional peer dep). If `jose` isn't installed, throws a\n * clear runtime error. Vitrina-style consumers almost always already have\n * `jose` for their own auth.\n *\n * Why HS256 not RS256: the shared secret is the OAuth app's\n * `jwt_signing_secret` (rotatable, paired). RS256 would mean Atribu\n * publishes a JWKS endpoint and we manage keypairs — out of scope today.\n */\n\nimport { AtribuConfigError } from \"../errors\";\n\nexport interface IdTokenHintPayload {\n  /** End-user's stable identifier in your system. */\n  subject: string;\n  /** End-user's email. Used by Atribu to silent-provision / find existing profile. */\n  email: string;\n  /** Token audience. Use \"atribu\" unless directed otherwise. */\n  audience?: string;\n  /** Issuer (your app's client_id, by convention). */\n  issuer?: string;\n  /** Expiration relative to now. Default \"5m\". Examples: \"5m\", \"10m\", numeric seconds. */\n  expiresIn?: string | number;\n  /** Atribu's recognized claims plus any custom ones. */\n  extraClaims?: Record<string, unknown>;\n}\n\nexport interface SignIdTokenHintInput extends IdTokenHintPayload {\n  /** The OAuth app's `jwt_signing_secret`. */\n  jwtSigningSecret: string;\n}\n\ninterface JoseModule {\n  SignJWT: new (payload: Record<string, unknown>) => {\n    setProtectedHeader(header: { alg: string; typ?: string }): JoseSignJwt;\n    setIssuedAt(time?: number): JoseSignJwt;\n    setExpirationTime(time: string | number): JoseSignJwt;\n    setIssuer(issuer: string): JoseSignJwt;\n    setSubject(subject: string): JoseSignJwt;\n    setAudience(audience: string | string[]): JoseSignJwt;\n    sign(secret: Uint8Array | CryptoKey): Promise<string>;\n  };\n}\ntype JoseSignJwt = InstanceType<JoseModule[\"SignJWT\"]>;\n\nlet cachedJose: JoseModule | null = null;\nlet joseLoadAttempted = false;\n\nasync function loadJose(): Promise<JoseModule> {\n  if (cachedJose) return cachedJose;\n  if (joseLoadAttempted && !cachedJose) {\n    throw new AtribuConfigError(\n      \"signIdTokenHint requires the `jose` peer dependency. Run `npm install jose`.\",\n    );\n  }\n  joseLoadAttempted = true;\n  try {\n    const mod = (await import(\"jose\")) as unknown as JoseModule;\n    cachedJose = mod;\n    return mod;\n  } catch (err) {\n    const message = err instanceof Error ? err.message : \"import failed\";\n    throw new AtribuConfigError(\n      `signIdTokenHint requires the \\`jose\\` peer dependency. Install with \\`npm install jose\\`. (${message})`,\n    );\n  }\n}\n\nexport async function signIdTokenHint(input: SignIdTokenHintInput): Promise<string> {\n  if (!input.jwtSigningSecret) {\n    throw new AtribuConfigError(\"signIdTokenHint: jwtSigningSecret is required\");\n  }\n  if (!input.subject) throw new AtribuConfigError(\"signIdTokenHint: subject is required\");\n  if (!input.email) throw new AtribuConfigError(\"signIdTokenHint: email is required\");\n\n  const jose = await loadJose();\n  const claims: Record<string, unknown> = { email: input.email, ...(input.extraClaims ?? {}) };\n\n  const jwt = new jose.SignJWT(claims)\n    .setProtectedHeader({ alg: \"HS256\", typ: \"JWT\" })\n    .setIssuedAt()\n    .setSubject(input.subject)\n    .setAudience(input.audience ?? \"atribu\")\n    .setExpirationTime(input.expiresIn ?? \"5m\");\n  if (input.issuer) jwt.setIssuer(input.issuer);\n\n  return jwt.sign(new TextEncoder().encode(input.jwtSigningSecret));\n}\n","/**\n * PKCE helpers (RFC 7636).\n *\n * Generates an unguessable `code_verifier` and the base64url(SHA-256) digest\n * to use as `code_challenge` with `code_challenge_method=S256`.\n */\n\nconst VERIFIER_CHARS =\n  \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~\";\n\nexport function generateCodeVerifier(length = 64): string {\n  if (length < 43 || length > 128) {\n    throw new Error(\"PKCE verifier length must be 43–128\");\n  }\n  const bytes = new Uint8Array(length);\n  crypto.getRandomValues(bytes);\n  let out = \"\";\n  for (let i = 0; i < length; i++) {\n    out += VERIFIER_CHARS[bytes[i]! % VERIFIER_CHARS.length];\n  }\n  return out;\n}\n\nexport async function computeCodeChallenge(verifier: string): Promise<string> {\n  const data = new TextEncoder().encode(verifier);\n  const digest = await crypto.subtle.digest(\"SHA-256\", data);\n  return base64UrlEncode(new Uint8Array(digest));\n}\n\nfunction base64UrlEncode(bytes: Uint8Array): string {\n  let bin = \"\";\n  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]!);\n  const b64 =\n    typeof btoa === \"function\"\n      ? btoa(bin)\n      : Buffer.from(bytes).toString(\"base64\");\n  return b64.replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n"]}

package/dist/oauth/index.d.cts

@@ -0,0 +1,117 @@
+export { e as AtribuOauthError, O as OauthErrorCode } from '../errors-D3ApBz8J.cjs';
+
+type OauthProvider = "whatsapp" | "instagram";
+type OauthScope = "whatsapp" | "instagram";
+interface BuildAuthorizeUrlInput {
+    baseUrl?: string;
+    clientId: string;
+    redirectUri: string;
+    provider: OauthProvider;
+    scope: OauthScope | OauthScope[];
+    state: string;
+    /** Pre-signed `id_token_hint` JWT — use `signIdTokenHint` to mint. */
+    idTokenHint: string;
+    /** PKCE challenge (base64url of SHA-256). */
+    codeChallenge?: string;
+    codeChallengeMethod?: "S256" | "plain";
+    /** Forwards extra query params unchanged. */
+    extras?: Record<string, string>;
+}
+/**
+ * Build the `/oauth/authorize` URL the user should be redirected to.
+ *
+ * Pure function — returns a string. No network calls, no crypto. The only
+ * runtime check is required-arg validation.
+ */
+declare function buildAuthorizeUrl(input: BuildAuthorizeUrlInput): string;
+
+/**
+ * Exchange an authorization code for an Atribu access token.
+ *
+ * Calls `POST /oauth/token` with form-urlencoded body (RFC 6749 default).
+ * Tries `client_secret_basic` (Authorization header) by default; consumers
+ * can opt into `client_secret_post` via `authMethod: "body"`.
+ */
+interface ExchangeCodeInput {
+    baseUrl?: string;
+    clientId: string;
+    clientSecret: string;
+    code: string;
+    redirectUri: string;
+    codeVerifier?: string;
+    /** "basic" (default) sends Authorization: Basic; "body" puts creds in form body. */
+    authMethod?: "basic" | "body";
+    fetch?: typeof fetch;
+    timeoutMs?: number;
+    signal?: AbortSignal;
+}
+interface ExchangeCodeResult {
+    accessToken: string;
+    tokenType: "bearer";
+    scope: string[];
+    connectionId: string | null;
+    profileId: string;
+    workspaceId: string;
+}
+declare function exchangeCode(input: ExchangeCodeInput): Promise<ExchangeCodeResult>;
+
+/**
+ * Revoke an Atribu access token via RFC 7009.
+ *
+ * Always returns void on success — the server returns 200 regardless of
+ * whether the token existed (RFC §2.2; no enumeration). Authentication
+ * errors (bad client credentials) still throw AtribuOauthError.
+ */
+interface RevokeTokenInput {
+    baseUrl?: string;
+    clientId: string;
+    clientSecret: string;
+    token: string;
+    authMethod?: "basic" | "body";
+    fetch?: typeof fetch;
+    timeoutMs?: number;
+    signal?: AbortSignal;
+}
+declare function revokeToken(input: RevokeTokenInput): Promise<void>;
+
+/**
+ * Sign an `id_token_hint` JWT (HS256) for an Atribu OAuth flow.
+ *
+ * Uses `jose` (optional peer dep). If `jose` isn't installed, throws a
+ * clear runtime error. Vitrina-style consumers almost always already have
+ * `jose` for their own auth.
+ *
+ * Why HS256 not RS256: the shared secret is the OAuth app's
+ * `jwt_signing_secret` (rotatable, paired). RS256 would mean Atribu
+ * publishes a JWKS endpoint and we manage keypairs — out of scope today.
+ */
+interface IdTokenHintPayload {
+    /** End-user's stable identifier in your system. */
+    subject: string;
+    /** End-user's email. Used by Atribu to silent-provision / find existing profile. */
+    email: string;
+    /** Token audience. Use "atribu" unless directed otherwise. */
+    audience?: string;
+    /** Issuer (your app's client_id, by convention). */
+    issuer?: string;
+    /** Expiration relative to now. Default "5m". Examples: "5m", "10m", numeric seconds. */
+    expiresIn?: string | number;
+    /** Atribu's recognized claims plus any custom ones. */
+    extraClaims?: Record<string, unknown>;
+}
+interface SignIdTokenHintInput extends IdTokenHintPayload {
+    /** The OAuth app's `jwt_signing_secret`. */
+    jwtSigningSecret: string;
+}
+declare function signIdTokenHint(input: SignIdTokenHintInput): Promise<string>;
+
+/**
+ * PKCE helpers (RFC 7636).
+ *
+ * Generates an unguessable `code_verifier` and the base64url(SHA-256) digest
+ * to use as `code_challenge` with `code_challenge_method=S256`.
+ */
+declare function generateCodeVerifier(length?: number): string;
+declare function computeCodeChallenge(verifier: string): Promise<string>;
+
+export { type BuildAuthorizeUrlInput, type ExchangeCodeInput, type ExchangeCodeResult, type IdTokenHintPayload, type OauthProvider, type OauthScope, type RevokeTokenInput, type SignIdTokenHintInput, buildAuthorizeUrl, computeCodeChallenge, exchangeCode, generateCodeVerifier, revokeToken, signIdTokenHint };

package/dist/oauth/index.d.ts

@@ -0,0 +1,117 @@
+export { e as AtribuOauthError, O as OauthErrorCode } from '../errors-D3ApBz8J.js';
+
+type OauthProvider = "whatsapp" | "instagram";
+type OauthScope = "whatsapp" | "instagram";
+interface BuildAuthorizeUrlInput {
+    baseUrl?: string;
+    clientId: string;
+    redirectUri: string;
+    provider: OauthProvider;
+    scope: OauthScope | OauthScope[];
+    state: string;
+    /** Pre-signed `id_token_hint` JWT — use `signIdTokenHint` to mint. */
+    idTokenHint: string;
+    /** PKCE challenge (base64url of SHA-256). */
+    codeChallenge?: string;
+    codeChallengeMethod?: "S256" | "plain";
+    /** Forwards extra query params unchanged. */
+    extras?: Record<string, string>;
+}
+/**
+ * Build the `/oauth/authorize` URL the user should be redirected to.
+ *
+ * Pure function — returns a string. No network calls, no crypto. The only
+ * runtime check is required-arg validation.
+ */
+declare function buildAuthorizeUrl(input: BuildAuthorizeUrlInput): string;
+
+/**
+ * Exchange an authorization code for an Atribu access token.
+ *
+ * Calls `POST /oauth/token` with form-urlencoded body (RFC 6749 default).
+ * Tries `client_secret_basic` (Authorization header) by default; consumers
+ * can opt into `client_secret_post` via `authMethod: "body"`.
+ */
+interface ExchangeCodeInput {
+    baseUrl?: string;
+    clientId: string;
+    clientSecret: string;
+    code: string;
+    redirectUri: string;
+    codeVerifier?: string;
+    /** "basic" (default) sends Authorization: Basic; "body" puts creds in form body. */
+    authMethod?: "basic" | "body";
+    fetch?: typeof fetch;
+    timeoutMs?: number;
+    signal?: AbortSignal;
+}
+interface ExchangeCodeResult {
+    accessToken: string;
+    tokenType: "bearer";
+    scope: string[];
+    connectionId: string | null;
+    profileId: string;
+    workspaceId: string;
+}
+declare function exchangeCode(input: ExchangeCodeInput): Promise<ExchangeCodeResult>;
+
+/**
+ * Revoke an Atribu access token via RFC 7009.
+ *
+ * Always returns void on success — the server returns 200 regardless of
+ * whether the token existed (RFC §2.2; no enumeration). Authentication
+ * errors (bad client credentials) still throw AtribuOauthError.
+ */
+interface RevokeTokenInput {
+    baseUrl?: string;
+    clientId: string;
+    clientSecret: string;
+    token: string;
+    authMethod?: "basic" | "body";
+    fetch?: typeof fetch;
+    timeoutMs?: number;
+    signal?: AbortSignal;
+}
+declare function revokeToken(input: RevokeTokenInput): Promise<void>;
+
+/**
+ * Sign an `id_token_hint` JWT (HS256) for an Atribu OAuth flow.
+ *
+ * Uses `jose` (optional peer dep). If `jose` isn't installed, throws a
+ * clear runtime error. Vitrina-style consumers almost always already have
+ * `jose` for their own auth.
+ *
+ * Why HS256 not RS256: the shared secret is the OAuth app's
+ * `jwt_signing_secret` (rotatable, paired). RS256 would mean Atribu
+ * publishes a JWKS endpoint and we manage keypairs — out of scope today.
+ */
+interface IdTokenHintPayload {
+    /** End-user's stable identifier in your system. */
+    subject: string;
+    /** End-user's email. Used by Atribu to silent-provision / find existing profile. */
+    email: string;
+    /** Token audience. Use "atribu" unless directed otherwise. */
+    audience?: string;
+    /** Issuer (your app's client_id, by convention). */
+    issuer?: string;
+    /** Expiration relative to now. Default "5m". Examples: "5m", "10m", numeric seconds. */
+    expiresIn?: string | number;
+    /** Atribu's recognized claims plus any custom ones. */
+    extraClaims?: Record<string, unknown>;
+}
+interface SignIdTokenHintInput extends IdTokenHintPayload {
+    /** The OAuth app's `jwt_signing_secret`. */
+    jwtSigningSecret: string;
+}
+declare function signIdTokenHint(input: SignIdTokenHintInput): Promise<string>;
+
+/**
+ * PKCE helpers (RFC 7636).
+ *
+ * Generates an unguessable `code_verifier` and the base64url(SHA-256) digest
+ * to use as `code_challenge` with `code_challenge_method=S256`.
+ */
+declare function generateCodeVerifier(length?: number): string;
+declare function computeCodeChallenge(verifier: string): Promise<string>;
+
+export { type BuildAuthorizeUrlInput, type ExchangeCodeInput, type ExchangeCodeResult, type IdTokenHintPayload, type OauthProvider, type OauthScope, type RevokeTokenInput, type SignIdTokenHintInput, buildAuthorizeUrl, computeCodeChallenge, exchangeCode, generateCodeVerifier, revokeToken, signIdTokenHint };