npm - @auth-craft/backend-sdk - Versions diffs - 0.0.1 - Mend

@auth-craft/backend-sdk 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,184 @@
+# @auth-craft/backend-sdk
+> ⚠️ **Experimental / Internal Use**
+>
+> This package is published for convenience only.
+>
+> - No stability guarantee
+> - Breaking changes may happen at any time
+> - No documentation
+> - No support
+>
+> Use at your own risk.
+---
+Type-safe internal service SDK for Auth-Craft service-to-service calls. Uses Web Crypto API for edge compatibility — zero external dependencies (except `ts-micro-result`).
+## Installation
+```bash
+npm install @auth-craft/backend-sdk
+```
+## Quick Start
+```typescript
+import { createInternalClient } from '@auth-craft/backend-sdk';
+const client = createInternalClient({
+  baseUrl: 'https://auth.example.com',
+  basePath: '/system',
+  jwt: {
+    strategy: 'hmac',
+    secret: process.env.INTERNAL_JWT_SECRET!,
+    issuer: 'tenant-provisioning-service',
+  },
+});
+const result = await client.bootstrapTenantOwner({
+  tenantId: 'tenant-abc',
+  userId: 'user-123',
+});
+if (result.isOkWithData()) {
+  console.log(result.data);
+  // { message: '...', tenantId: 'tenant-abc', userId: 'user-123', role: 'owner' }
+}
+```
+## API
+### `createInternalClient(config)`
+Creates an `InternalClient` instance.
+**Parameters:**
+| Field | Type | Default | Description |
+|---|---|---|---|
+| `baseUrl` | `string` | — | Base URL of the auth service |
+| `basePath` | `string` | `''` | Path prefix before `/internal` (e.g., `'/system'` → `/system/internal/*`) |
+| `jwt` | `JwtConfig` | — | Service JWT signing configuration |
+| `fetchImpl` | `typeof fetch` | `globalThis.fetch` | Custom fetch implementation |
+| `timeout` | `number` | `30000` | Request timeout in milliseconds |
+| `headers` | `Record<string, string>` | `{}` | Custom headers for all requests |
+**Returns:** `InternalClient`
+### JWT Signing Strategies
+The SDK supports four JWT signing strategies via Web Crypto API:
+```typescript
+// HMAC-SHA256 (symmetric)
+jwt: { strategy: 'hmac', secret: '...' }
+// EdDSA / Ed25519 (asymmetric)
+jwt: { strategy: 'eddsa', privateKey: '...' } // hex string or Uint8Array
+// RS256 / RSA-SHA256 (asymmetric)
+jwt: { strategy: 'rs256', privateKey: '...' } // PEM string or JsonWebKey
+// ES256 / ECDSA P-256 (asymmetric)
+jwt: { strategy: 'es256', privateKey: '...' } // PEM string or JsonWebKey
+```
+Common JWT options:
+| Field | Type | Default | Description |
+|---|---|---|---|
+| `issuer` | `string` | — | JWT `iss` claim |
+| `audience` | `string` | — | JWT `aud` claim |
+| `expiresInSeconds` | `number` | `300` | Token TTL in seconds |
+Tokens are auto-cached and refreshed 60 seconds before expiry.
+### SDK Methods
+#### `bootstrapTenantOwner(request)`
+Bootstrap tenant owner — assign owner role to a user for a new tenant. Typically called by tenant-provisioning service after creating a tenant.
+```typescript
+const result = await client.bootstrapTenantOwner({
+  tenantId: 'tenant-abc',
+  userId: 'user-123',
+});
+if (result.isOkWithData()) {
+  console.log(result.data);
+  // { message: string, tenantId: string, userId: string, role: string }
+}
+```
+#### `getTenantProfile(request)`
+Get per-tenant user profile (internal). Allows services to read tenant profiles without user authentication.
+```typescript
+const result = await client.getTenantProfile({
+  tenantId: 'tenant-abc',
+  userId: 'user-123',
+});
+if (result.isOkWithData()) {
+  console.log(result.data);
+  // { userId, tenantId, displayName?, avatarUrl?, title?, bio?, metadata? }
+}
+```
+## Error Handling
+All methods return `Result<T>` from `ts-micro-result`.
+```typescript
+import { sdkErrors } from '@auth-craft/backend-sdk';
+const result = await client.bootstrapTenantOwner({ tenantId, userId });
+if (result.isError()) {
+  const error = result.errors[0];
+  switch (error?.code) {
+    case 'SDK_NETWORK_ERROR':
+      // Network request failed
+      break;
+    case 'SDK_TIMEOUT':
+      // Request timed out
+      break;
+    case 'SDK_INVALID_RESPONSE':
+      // Non-JSON response from auth service
+      break;
+    case 'SDK_JWT_SIGN_FAILED':
+      // Failed to sign service JWT
+      break;
+    default:
+      // Auth service returned an application-level error
+      break;
+  }
+}
+```
+## Types
+```typescript
+export type {
+  InternalClientConfig,
+  JwtConfig,
+  JwtHmacConfig,
+  JwtEddsaConfig,
+  JwtRs256Config,
+  JwtEs256Config,
+  BootstrapTenantOwnerRequest,
+  BootstrapTenantOwnerResponse,
+  GetTenantProfileRequest,
+  TenantProfileResponse,
+} from '@auth-craft/backend-sdk';
+export { InternalClient, sdkErrors } from '@auth-craft/backend-sdk';
+```
+## License
+MIT

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,317 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; } var _class;// src/http-client.ts
+var _tsmicroresult = require('ts-micro-result');
+// src/jwt-signer.ts
+function base64urlEncode(data) {
+  let binary = "";
+  for (let i = 0; i < data.length; i++) {
+    binary += String.fromCharCode(data[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function hexToUint8Array(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  return bytes;
+}
+function parsePemToSpki(pem) {
+  const pemBody = pem.replace(/-----BEGIN PRIVATE KEY-----/g, "").replace(/-----END PRIVATE KEY-----/g, "").replace(/\s/g, "");
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function importHmacSigningKey(secret) {
+  const encoder = new TextEncoder();
+  const keyData = encoder.encode(secret);
+  return crypto.subtle.importKey(
+    "raw",
+    keyData.buffer,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+}
+async function importEdDSAPrivateKey(privateKey) {
+  const keyBytes = typeof privateKey === "string" ? hexToUint8Array(privateKey) : privateKey;
+  return crypto.subtle.importKey(
+    "raw",
+    keyBytes.buffer,
+    { name: "Ed25519" },
+    false,
+    ["sign"]
+  );
+}
+async function importRsaPrivateKey(privateKey) {
+  if (typeof privateKey === "object") {
+    return crypto.subtle.importKey(
+      "jwk",
+      privateKey,
+      { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+      false,
+      ["sign"]
+    );
+  }
+  const pkcs8Bytes = parsePemToSpki(privateKey);
+  return crypto.subtle.importKey(
+    "pkcs8",
+    pkcs8Bytes.buffer,
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+}
+async function importEcdsaPrivateKey(privateKey) {
+  if (typeof privateKey === "object") {
+    return crypto.subtle.importKey(
+      "jwk",
+      privateKey,
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      ["sign"]
+    );
+  }
+  const pkcs8Bytes = parsePemToSpki(privateKey);
+  return crypto.subtle.importKey(
+    "pkcs8",
+    pkcs8Bytes.buffer,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["sign"]
+  );
+}
+async function resolveSignKey(config) {
+  const strategy = config.strategy;
+  switch (strategy) {
+    case "hmac": {
+      const c = config;
+      return {
+        key: await importHmacSigningKey(c.secret),
+        jwtAlgorithm: "HS256",
+        cryptoAlgorithm: "HMAC"
+      };
+    }
+    case "eddsa": {
+      const c = config;
+      return {
+        key: await importEdDSAPrivateKey(c.privateKey),
+        jwtAlgorithm: "EdDSA",
+        cryptoAlgorithm: { name: "Ed25519" }
+      };
+    }
+    case "rs256": {
+      const c = config;
+      return {
+        key: await importRsaPrivateKey(c.privateKey),
+        jwtAlgorithm: "RS256",
+        cryptoAlgorithm: "RSASSA-PKCS1-v1_5"
+      };
+    }
+    case "es256": {
+      const c = config;
+      return {
+        key: await importEcdsaPrivateKey(c.privateKey),
+        jwtAlgorithm: "ES256",
+        cryptoAlgorithm: { name: "ECDSA", hash: "SHA-256" }
+      };
+    }
+  }
+}
+var REFRESH_BUFFER_SECONDS = 60;
+var JwtSigner = (_class = class {
+  constructor(config) {;_class.prototype.__init.call(this);_class.prototype.__init2.call(this);_class.prototype.__init3.call(this);
+    this.config = config;
+  }
+  __init() {this.cachedKeyInfo = null}
+  __init2() {this.cachedToken = null}
+  __init3() {this.cachedExp = 0}
+  /**
+   * Get a valid service JWT token.
+   * Automatically signs a new token when the current one is about to expire.
+   */
+  async getToken() {
+    const nowSeconds = Math.floor(Date.now() / 1e3);
+    if (this.cachedToken && nowSeconds < this.cachedExp - REFRESH_BUFFER_SECONDS) {
+      return this.cachedToken;
+    }
+    return this.signNewToken();
+  }
+  async signNewToken() {
+    const keyInfo = await this.getKeyInfo();
+    const encoder = new TextEncoder();
+    const expiresInSeconds = _nullishCoalesce(this.config.expiresInSeconds, () => ( 300));
+    const nowSeconds = Math.floor(Date.now() / 1e3);
+    const header = base64urlEncode(
+      encoder.encode(JSON.stringify({ alg: keyInfo.jwtAlgorithm, typ: "JWT" }))
+    );
+    const payload = {
+      iat: nowSeconds,
+      exp: nowSeconds + expiresInSeconds
+    };
+    if (this.config.issuer !== void 0) {
+      payload.iss = this.config.issuer;
+    }
+    if (this.config.audience !== void 0) {
+      payload.aud = this.config.audience;
+    }
+    const payloadB64 = base64urlEncode(encoder.encode(JSON.stringify(payload)));
+    const signData = encoder.encode(`${header}.${payloadB64}`);
+    const signatureBytes = new Uint8Array(
+      await crypto.subtle.sign(
+        keyInfo.cryptoAlgorithm,
+        keyInfo.key,
+        signData.buffer
+      )
+    );
+    const signature = base64urlEncode(signatureBytes);
+    const token = `${header}.${payloadB64}.${signature}`;
+    this.cachedToken = token;
+    this.cachedExp = nowSeconds + expiresInSeconds;
+    return token;
+  }
+  async getKeyInfo() {
+    if (!this.cachedKeyInfo) {
+      this.cachedKeyInfo = await resolveSignKey(this.config);
+    }
+    return this.cachedKeyInfo;
+  }
+}, _class);
+// src/errors.ts
+var sdkErrors = {
+  NETWORK_ERROR: _tsmicroresult.defineError.call(void 0, "SDK_NETWORK_ERROR", "Network request failed"),
+  TIMEOUT: _tsmicroresult.defineError.call(void 0, "SDK_TIMEOUT", "Request timed out"),
+  INVALID_RESPONSE: _tsmicroresult.defineError.call(void 0, "SDK_INVALID_RESPONSE", "Invalid response from auth service"),
+  JWT_SIGN_FAILED: _tsmicroresult.defineError.call(void 0, "SDK_JWT_SIGN_FAILED", "Failed to sign service JWT")
+};
+// src/http-client.ts
+var HttpClient = class {
+  constructor(config) {
+    this.signer = new JwtSigner(config.jwt);
+    this.baseUrl = config.baseUrl.replace(/\/$/, "");
+    this.basePath = _nullishCoalesce(config.basePath, () => ( ""));
+    this.fetchFn = _nullishCoalesce(config.fetchImpl, () => ( globalThis.fetch));
+    this.timeout = _nullishCoalesce(config.timeout, () => ( 3e4));
+    this.customHeaders = _nullishCoalesce(config.headers, () => ( {}));
+  }
+  async request(method, path, options) {
+    try {
+      let token;
+      try {
+        token = await this.signer.getToken();
+      } catch (signError) {
+        const message = signError instanceof Error ? signError.message : String(signError);
+        return _tsmicroresult.err.call(void 0, sdkErrors.JWT_SIGN_FAILED({ message }));
+      }
+      const url = this.buildUrl(path, _optionalChain([options, 'optionalAccess', _ => _.query]));
+      const headers = {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${token}`,
+        ...this.customHeaders
+      };
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+      let response;
+      try {
+        response = await this.fetchFn(url, {
+          method,
+          headers,
+          body: _optionalChain([options, 'optionalAccess', _2 => _2.body]) !== void 0 ? JSON.stringify(options.body) : void 0,
+          signal: controller.signal
+        });
+      } finally {
+        clearTimeout(timeoutId);
+      }
+      let envelope;
+      try {
+        envelope = await response.json();
+      } catch (e) {
+        return _tsmicroresult.err.call(void 0,
+          sdkErrors.INVALID_RESPONSE({ message: `HTTP ${response.status}: non-JSON response` }),
+          void 0,
+          response.status
+        );
+      }
+      if (envelope.ok && envelope.data !== void 0) {
+        return _tsmicroresult.ok.call(void 0, envelope.data, envelope.meta);
+      }
+      const errors = _nullishCoalesce(envelope.errors, () => ( [{ code: "UNKNOWN_ERROR", message: `HTTP ${response.status}` }]));
+      return _tsmicroresult.err.call(void 0, errors, envelope.meta, response.status);
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return _tsmicroresult.err.call(void 0, sdkErrors.TIMEOUT({ message: `Request timed out after ${this.timeout}ms` }), void 0, 408);
+      }
+      const message = error instanceof Error ? error.message : String(error);
+      return _tsmicroresult.err.call(void 0, sdkErrors.NETWORK_ERROR({ message }), void 0, 0);
+    }
+  }
+  buildUrl(path, query) {
+    let url = `${this.baseUrl}${this.basePath}/internal${path}`;
+    if (query) {
+      const entries = Object.entries(query).filter(([, v]) => v !== void 0);
+      if (entries.length > 0) {
+        const params = new URLSearchParams(entries);
+        url += `?${params.toString()}`;
+      }
+    }
+    return url;
+  }
+};
+// src/client.ts
+var InternalClient = class {
+  constructor(config) {
+    this.http = new HttpClient(config);
+  }
+  /**
+   * Bootstrap tenant owner (assign owner role to a user for a new tenant).
+   * Typically called by tenant-provisioning service after creating a tenant.
+   */
+  async bootstrapTenantOwner(request) {
+    return this.http.request(
+      "POST",
+      "/tenant/bootstrap-owner",
+      { body: request }
+    );
+  }
+  /**
+   * Get per-tenant user profile (internal).
+   * Allows services to read tenant profiles without user authentication.
+   */
+  async getTenantProfile(request) {
+    return this.http.request(
+      "GET",
+      "/tenant/profile",
+      {
+        query: {
+          tenantId: request.tenantId,
+          userId: request.userId
+        }
+      }
+    );
+  }
+};
+// src/index.ts
+function createInternalClient(config) {
+  return new InternalClient(config);
+}
+exports.InternalClient = InternalClient; exports.createInternalClient = createInternalClient; exports.sdkErrors = sdkErrors;
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["d:\\NodeJS_Projects\\auth-craft\\packages\\backend-sdk\\dist\\index.cjs"],"names":[],"mappings":"AAAA;AACA,gDAAyC;AACzC;AACA;AACA,SAAS,eAAe,CAAC,IAAI,EAAE;AAC/B,EAAE,IAAI,OAAO,EAAE,EAAE;AACjB,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;AACxC,IAAI,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC1C,EAAE;AACF,EAAE,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;AAChF;AACA,SAAS,eAAe,CAAC,GAAG,EAAE;AAC9B,EAAE,MAAM,MAAM,EAAE,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;AAC9C,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,GAAG,CAAC,MAAM,EAAE,EAAE,GAAG,CAAC,EAAE;AAC1C,IAAI,KAAK,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC;AACxD,EAAE;AACF,EAAE,OAAO,KAAK;AACd;AACA,SAAS,cAAc,CAAC,GAAG,EAAE;AAC7B,EAAE,MAAM,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,8BAA8B,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,4BAA4B,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;AAC9H,EAAE,MAAM,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC;AAC9B,EAAE,MAAM,MAAM,EAAE,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC;AAC7C,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;AAC1C,IAAI,KAAK,CAAC,CAAC,EAAE,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;AACnC,EAAE;AACF,EAAE,OAAO,KAAK;AACd;AACA,MAAM,SAAS,oBAAoB,CAAC,MAAM,EAAE;AAC5C,EAAE,MAAM,QAAQ,EAAE,IAAI,WAAW,CAAC,CAAC;AACnC,EAAE,MAAM,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC;AACxC,EAAE,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS;AAChC,IAAI,KAAK;AACT,IAAI,OAAO,CAAC,MAAM;AAClB,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC;AACrC,IAAI,KAAK;AACT,IAAI,CAAC,MAAM;AACX,EAAE,CAAC;AACH;AACA,MAAM,SAAS,qBAAqB,CAAC,UAAU,EAAE;AACjD,EAAE,MAAM,SAAS,EAAE,OAAO,WAAW,IAAI,SAAS,EAAE,eAAe,CAAC,UAAU,EAAE,EAAE,UAAU;AAC5F,EAAE,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS;AAChC,IAAI,KAAK;AACT,IAAI,QAAQ,CAAC,MAAM;AACnB,IAAI,EAAE,IAAI,EAAE,UAAU,CAAC;AACvB,IAAI,KAAK;AACT,IAAI,CAAC,MAAM;AACX,EAAE,CAAC;AACH;AACA,MAAM,SAAS,mBAAmB,CAAC,UAAU,EAAE;AAC/C,EAAE,GAAG,CAAC,OAAO,WAAW,IAAI,QAAQ,EAAE;AACtC,IAAI,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS;AAClC,MAAM,KAAK;AACX,MAAM,UAAU;AAChB,MAAM,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,UAAU,CAAC;AACpD,MAAM,KAAK;AACX,MAAM,CAAC,MAAM;AACb,IAAI,CAAC;AACL,EAAE;AACF,EAAE,MAAM,WAAW,EAAE,cAAc,CAAC,UAAU,CAAC;AAC/C,EAAE,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS;AAChC,IAAI,OAAO;AACX,IAAI,UAAU,CAAC,MAAM;AACrB,IAAI,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,UAAU,CAAC;AAClD,IAAI,KAAK;AACT,IAAI,CAAC,MAAM;AACX,EAAE,CAAC;AACH;AACA,MAAM,SAAS,qBAAqB,CAAC,UAAU,EAAE;AACjD,EAAE,GAAG,CAAC,OAAO,WAAW,IAAI,QAAQ,EAAE;AACtC,IAAI,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS;AAClC,MAAM,KAAK;AACX,MAAM,UAAU;AAChB,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC;AAC5C,MAAM,KAAK;AACX,MAAM,CAAC,MAAM;AACb,IAAI,CAAC;AACL,EAAE;AACF,EAAE,MAAM,WAAW,EAAE,cAAc,CAAC,UAAU,CAAC;AAC/C,EAAE,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS;AAChC,IAAI,OAAO;AACX,IAAI,UAAU,CAAC,MAAM;AACrB,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC;AAC1C,IAAI,KAAK;AACT,IAAI,CAAC,MAAM;AACX,EAAE,CAAC;AACH;AACA,MAAM,SAAS,cAAc,CAAC,MAAM,EAAE;AACtC,EAAE,MAAM,SAAS,EAAE,MAAM,CAAC,QAAQ;AAClC,EAAE,OAAO,CAAC,QAAQ,EAAE;AACpB,IAAI,KAAK,MAAM,EAAE;AACjB,MAAM,MAAM,EAAE,EAAE,MAAM;AACtB,MAAM,OAAO;AACb,QAAQ,GAAG,EAAE,MAAM,oBAAoB,CAAC,CAAC,CAAC,MAAM,CAAC;AACjD,QAAQ,YAAY,EAAE,OAAO;AAC7B,QAAQ,eAAe,EAAE;AACzB,MAAM,CAAC;AACP,IAAI;AACJ,IAAI,KAAK,OAAO,EAAE;AAClB,MAAM,MAAM,EAAE,EAAE,MAAM;AACtB,MAAM,OAAO;AACb,QAAQ,GAAG,EAAE,MAAM,qBAAqB,CAAC,CAAC,CAAC,UAAU,CAAC;AACtD,QAAQ,YAAY,EAAE,OAAO;AAC7B,QAAQ,eAAe,EAAE,EAAE,IAAI,EAAE,UAAU;AAC3C,MAAM,CAAC;AACP,IAAI;AACJ,IAAI,KAAK,OAAO,EAAE;AAClB,MAAM,MAAM,EAAE,EAAE,MAAM;AACtB,MAAM,OAAO;AACb,QAAQ,GAAG,EAAE,MAAM,mBAAmB,CAAC,CAAC,CAAC,UAAU,CAAC;AACpD,QAAQ,YAAY,EAAE,OAAO;AAC7B,QAAQ,eAAe,EAAE;AACzB,MAAM,CAAC;AACP,IAAI;AACJ,IAAI,KAAK,OAAO,EAAE;AAClB,MAAM,MAAM,EAAE,EAAE,MAAM;AACtB,MAAM,OAAO;AACb,QAAQ,GAAG,EAAE,MAAM,qBAAqB,CAAC,CAAC,CAAC,UAAU,CAAC;AACtD,QAAQ,YAAY,EAAE,OAAO;AAC7B,QAAQ,eAAe,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU;AAC1D,MAAM,CAAC;AACP,IAAI;AACJ,EAAE;AACF;AACA,IAAI,uBAAuB,EAAE,EAAE;AAC/B,IAAI,UAAU,YAAE,MAAM;AACtB,EAAE,WAAW,CAAC,MAAM,EAAE;AACtB,IAAI,IAAI,CAAC,OAAO,EAAE,MAAM;AACxB,EAAE;AACF,iBAAE,cAAc,EAAE,KAAI;AACtB,kBAAE,YAAY,EAAE,KAAI;AACpB,kBAAE,UAAU,EAAE,EAAC;AACf;AACA;AACA;AACA;AACA,EAAE,MAAM,QAAQ,CAAC,EAAE;AACnB,IAAI,MAAM,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC;AACnD,IAAI,GAAG,CAAC,IAAI,CAAC,YAAY,GAAG,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,sBAAsB,EAAE;AAClF,MAAM,OAAO,IAAI,CAAC,WAAW;AAC7B,IAAI;AACJ,IAAI,OAAO,IAAI,CAAC,YAAY,CAAC,CAAC;AAC9B,EAAE;AACF,EAAE,MAAM,YAAY,CAAC,EAAE;AACvB,IAAI,MAAM,QAAQ,EAAE,MAAM,IAAI,CAAC,UAAU,CAAC,CAAC;AAC3C,IAAI,MAAM,QAAQ,EAAE,IAAI,WAAW,CAAC,CAAC;AACrC,IAAI,MAAM,iBAAiB,mBAAE,IAAI,CAAC,MAAM,CAAC,gBAAiB,UAAG,KAAG;AAChE,IAAI,MAAM,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC;AACnD,IAAI,MAAM,OAAO,EAAE,eAAe;AAClC,MAAM,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,YAAY,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;AAC9E,IAAI,CAAC;AACL,IAAI,MAAM,QAAQ,EAAE;AACpB,MAAM,GAAG,EAAE,UAAU;AACrB,MAAM,GAAG,EAAE,WAAW,EAAE;AACxB,IAAI,CAAC;AACL,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,KAAK,CAAC,EAAE;AACvC,MAAM,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;AACtC,IAAI;AACJ,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,KAAK,CAAC,EAAE;AACzC,MAAM,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;AACxC,IAAI;AACJ,IAAI,MAAM,WAAW,EAAE,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/E,IAAI,MAAM,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,EAAA;AACA,IAAA;AACA,MAAA;AACA,QAAA;AACA,QAAA;AACA,QAAA;AACA,MAAA;AACA,IAAA;AACA,IAAA;AACA,IAAA;AACA,IAAA;AACA,IAAA;AACA,IAAA;AACA,EAAA;AACA,EAAA;AACA,IAAA;AACA,MAAA;AACA,IAAA;AACA,IAAA;AACA,EAAA;AACA;AACA;AACA;AACA;AACA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACA;AACA;AACA;AACA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACA,IAAA;AACA,IAAA;AACA,IAAA;AACA,IAAA;AACA,IAAA;AACA,IAAA;AACA,EAAA;AACA,EAAA;AACA,IAAA;AACA,MAAA;AACA,MAAA;AACA,QAAA;AACA,MAAA;AACA,QAAA;AACA,QAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACA,QAAA;AACA,QAAA;AACA,QAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACA,QAAA;AACA,UAAA;AACA,UAAA;AACA,UAAA;AACA,UAAA;AACA,QAAA;AACA,MAAA;AACA,QAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACA,QAAA;AACA,MAAA;AACA,QAAA;AACA,UAAA;AACA,UAAA;AACA,UAAA;AACA,QAAA;AACA,MAAA;AACA,MAAA;AACA,QAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACA,IAAA;AACA,MAAA;AACA,QAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACA,IAAA;AACA,EAAA;AACA,EAAA;AACA,IAAA;AACA,IAAA;AACA,MAAA;AACA,MAAA;AACA,QAAA;AACA,QAAA;AACA,MAAA;AACA,IAAA;AACA,IAAA;AACA,EAAA;AACA;AACA;AACA;AACA;AACA,EAAA;AACA,EAAA;AACA,IAAA;AACA,EAAA;AACA;AACA;AACA;AACA;AACA,EAAA;AACA,IAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACA,IAAA;AACA,EAAA;AACA;AACA;AACA;AACA;AACA,EAAA;AACA,IAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACA,QAAA;AACA,UAAA;AACA,UAAA;AACA,QAAA;AACA,MAAA;AACA,IAAA;AACA,EAAA;AACA;AACA;AACA;AACA;AACA,EAAA;AACA;AACA;AACA;AACA;AACA;AACA","file":"D:\\NodeJS_Projects\\auth-craft\\packages\\backend-sdk\\dist\\index.cjs","sourcesContent":[null]}

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,140 @@
+import * as ts_micro_result from 'ts-micro-result';
+import { Result } from 'ts-micro-result';
+/**
+ * Backend SDK Types
+ * Configuration, request, and response types for internal service-to-service calls
+ */
+/** HMAC-SHA256 symmetric signing */
+interface JwtHmacConfig {
+    strategy: 'hmac';
+    /** Shared HMAC secret. MUST be different from user-facing JWT secret. */
+    secret: string;
+}
+/** EdDSA (Ed25519) asymmetric signing */
+interface JwtEddsaConfig {
+    strategy: 'eddsa';
+    /** Ed25519 private key as hex string or raw bytes */
+    privateKey: string | Uint8Array;
+}
+/** RS256 (RSA-SHA256) asymmetric signing */
+interface JwtRs256Config {
+    strategy: 'rs256';
+    /** RSA private key in PEM or JWK format */
+    privateKey: string | JsonWebKey;
+}
+/** ES256 (ECDSA P-256) asymmetric signing */
+interface JwtEs256Config {
+    strategy: 'es256';
+    /** ECDSA P-256 private key in PEM or JWK format */
+    privateKey: string | JsonWebKey;
+}
+type JwtConfig = (JwtHmacConfig | JwtEddsaConfig | JwtRs256Config | JwtEs256Config) & {
+    /** JWT issuer claim (e.g., 'tenant-provisioning-service') */
+    issuer?: string;
+    /** JWT audience claim (e.g., 'auth-service') */
+    audience?: string;
+    /** Token TTL in seconds @default 300 (5 minutes) */
+    expiresInSeconds?: number;
+};
+interface InternalClientConfig {
+    /** Base URL of the auth service (e.g., 'https://auth.example.com') */
+    baseUrl: string;
+    /**
+     * Base path prefix before /internal (e.g., '/system' → /system/internal/*)
+     * @default ''
+     */
+    basePath?: string;
+    /** Service JWT signing configuration */
+    jwt: JwtConfig;
+    /** Custom fetch implementation (for testing or middleware) */
+    fetchImpl?: typeof fetch;
+    /** Request timeout in milliseconds @default 30000 */
+    timeout?: number;
+    /** Custom headers to include in all requests */
+    headers?: Record<string, string>;
+}
+interface BootstrapTenantOwnerRequest {
+    tenantId: string;
+    userId: string;
+}
+interface GetTenantProfileRequest {
+    tenantId: string;
+    userId: string;
+}
+interface BootstrapTenantOwnerResponse {
+    message: string;
+    tenantId: string;
+    userId: string;
+    role: string;
+}
+interface TenantProfileResponse {
+    userId: string;
+    tenantId: string;
+    displayName?: string;
+    avatarUrl?: string;
+    title?: string;
+    bio?: string;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Internal Client
+ * Type-safe client for auth service internal (service-to-service) API.
+ */
+declare class InternalClient {
+    private readonly http;
+    constructor(config: InternalClientConfig);
+    /**
+     * Bootstrap tenant owner (assign owner role to a user for a new tenant).
+     * Typically called by tenant-provisioning service after creating a tenant.
+     */
+    bootstrapTenantOwner(request: BootstrapTenantOwnerRequest): Promise<Result<BootstrapTenantOwnerResponse>>;
+    /**
+     * Get per-tenant user profile (internal).
+     * Allows services to read tenant profiles without user authentication.
+     */
+    getTenantProfile(request: GetTenantProfileRequest): Promise<Result<TenantProfileResponse>>;
+}
+/**
+ * Backend SDK Error Definitions
+ */
+declare const sdkErrors: {
+    readonly NETWORK_ERROR: (params?: ts_micro_result.BaseErrorParams) => ts_micro_result.ErrorDetail;
+    readonly TIMEOUT: (params?: ts_micro_result.BaseErrorParams) => ts_micro_result.ErrorDetail;
+    readonly INVALID_RESPONSE: (params?: ts_micro_result.BaseErrorParams) => ts_micro_result.ErrorDetail;
+    readonly JWT_SIGN_FAILED: (params?: ts_micro_result.BaseErrorParams) => ts_micro_result.ErrorDetail;
+};
+/**
+ * @auth-craft/backend-sdk
+ * Type-safe internal service SDK for Auth-Craft service-to-service calls.
+ *
+ * @example
+ * ```ts
+ * import { createInternalClient } from '@auth-craft/backend-sdk';
+ *
+ * const client = createInternalClient({
+ *   baseUrl: 'https://auth.example.com',
+ *   basePath: '/system',
+ *   jwt: {
+ *     strategy: 'hmac',
+ *     secret: process.env.INTERNAL_JWT_SECRET!,
+ *     issuer: 'tenant-provisioning-service',
+ *   },
+ * });
+ *
+ * const result = await client.bootstrapTenantOwner({ tenantId, userId });
+ * ```
+ */
+/**
+ * Create an internal service client for Auth-Craft.
+ *
+ * The client auto-signs service JWTs and refreshes them before expiry.
+ */
+declare function createInternalClient(config: InternalClientConfig): InternalClient;
+export { type BootstrapTenantOwnerRequest, type BootstrapTenantOwnerResponse, type GetTenantProfileRequest, InternalClient, type InternalClientConfig, type JwtConfig, type JwtEddsaConfig, type JwtEs256Config, type JwtHmacConfig, type JwtRs256Config, type TenantProfileResponse, createInternalClient, sdkErrors };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,140 @@
+import * as ts_micro_result from 'ts-micro-result';
+import { Result } from 'ts-micro-result';
+/**
+ * Backend SDK Types
+ * Configuration, request, and response types for internal service-to-service calls
+ */
+/** HMAC-SHA256 symmetric signing */
+interface JwtHmacConfig {
+    strategy: 'hmac';
+    /** Shared HMAC secret. MUST be different from user-facing JWT secret. */
+    secret: string;
+}
+/** EdDSA (Ed25519) asymmetric signing */
+interface JwtEddsaConfig {
+    strategy: 'eddsa';
+    /** Ed25519 private key as hex string or raw bytes */
+    privateKey: string | Uint8Array;
+}
+/** RS256 (RSA-SHA256) asymmetric signing */
+interface JwtRs256Config {
+    strategy: 'rs256';
+    /** RSA private key in PEM or JWK format */
+    privateKey: string | JsonWebKey;
+}
+/** ES256 (ECDSA P-256) asymmetric signing */
+interface JwtEs256Config {
+    strategy: 'es256';
+    /** ECDSA P-256 private key in PEM or JWK format */
+    privateKey: string | JsonWebKey;
+}
+type JwtConfig = (JwtHmacConfig | JwtEddsaConfig | JwtRs256Config | JwtEs256Config) & {
+    /** JWT issuer claim (e.g., 'tenant-provisioning-service') */
+    issuer?: string;
+    /** JWT audience claim (e.g., 'auth-service') */
+    audience?: string;
+    /** Token TTL in seconds @default 300 (5 minutes) */
+    expiresInSeconds?: number;
+};
+interface InternalClientConfig {
+    /** Base URL of the auth service (e.g., 'https://auth.example.com') */
+    baseUrl: string;
+    /**
+     * Base path prefix before /internal (e.g., '/system' → /system/internal/*)
+     * @default ''
+     */
+    basePath?: string;
+    /** Service JWT signing configuration */
+    jwt: JwtConfig;
+    /** Custom fetch implementation (for testing or middleware) */
+    fetchImpl?: typeof fetch;
+    /** Request timeout in milliseconds @default 30000 */
+    timeout?: number;
+    /** Custom headers to include in all requests */
+    headers?: Record<string, string>;
+}
+interface BootstrapTenantOwnerRequest {
+    tenantId: string;
+    userId: string;
+}
+interface GetTenantProfileRequest {
+    tenantId: string;
+    userId: string;
+}
+interface BootstrapTenantOwnerResponse {
+    message: string;
+    tenantId: string;
+    userId: string;
+    role: string;
+}
+interface TenantProfileResponse {
+    userId: string;
+    tenantId: string;
+    displayName?: string;
+    avatarUrl?: string;
+    title?: string;
+    bio?: string;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Internal Client
+ * Type-safe client for auth service internal (service-to-service) API.
+ */
+declare class InternalClient {
+    private readonly http;
+    constructor(config: InternalClientConfig);
+    /**
+     * Bootstrap tenant owner (assign owner role to a user for a new tenant).
+     * Typically called by tenant-provisioning service after creating a tenant.
+     */
+    bootstrapTenantOwner(request: BootstrapTenantOwnerRequest): Promise<Result<BootstrapTenantOwnerResponse>>;
+    /**
+     * Get per-tenant user profile (internal).
+     * Allows services to read tenant profiles without user authentication.
+     */
+    getTenantProfile(request: GetTenantProfileRequest): Promise<Result<TenantProfileResponse>>;
+}
+/**
+ * Backend SDK Error Definitions
+ */
+declare const sdkErrors: {
+    readonly NETWORK_ERROR: (params?: ts_micro_result.BaseErrorParams) => ts_micro_result.ErrorDetail;
+    readonly TIMEOUT: (params?: ts_micro_result.BaseErrorParams) => ts_micro_result.ErrorDetail;
+    readonly INVALID_RESPONSE: (params?: ts_micro_result.BaseErrorParams) => ts_micro_result.ErrorDetail;
+    readonly JWT_SIGN_FAILED: (params?: ts_micro_result.BaseErrorParams) => ts_micro_result.ErrorDetail;
+};
+/**
+ * @auth-craft/backend-sdk
+ * Type-safe internal service SDK for Auth-Craft service-to-service calls.
+ *
+ * @example
+ * ```ts
+ * import { createInternalClient } from '@auth-craft/backend-sdk';
+ *
+ * const client = createInternalClient({
+ *   baseUrl: 'https://auth.example.com',
+ *   basePath: '/system',
+ *   jwt: {
+ *     strategy: 'hmac',
+ *     secret: process.env.INTERNAL_JWT_SECRET!,
+ *     issuer: 'tenant-provisioning-service',
+ *   },
+ * });
+ *
+ * const result = await client.bootstrapTenantOwner({ tenantId, userId });
+ * ```
+ */
+/**
+ * Create an internal service client for Auth-Craft.
+ *
+ * The client auto-signs service JWTs and refreshes them before expiry.
+ */
+declare function createInternalClient(config: InternalClientConfig): InternalClient;
+export { type BootstrapTenantOwnerRequest, type BootstrapTenantOwnerResponse, type GetTenantProfileRequest, InternalClient, type InternalClientConfig, type JwtConfig, type JwtEddsaConfig, type JwtEs256Config, type JwtHmacConfig, type JwtRs256Config, type TenantProfileResponse, createInternalClient, sdkErrors };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,317 @@
+// src/http-client.ts
+import { ok, err } from "ts-micro-result";
+// src/jwt-signer.ts
+function base64urlEncode(data) {
+  let binary = "";
+  for (let i = 0; i < data.length; i++) {
+    binary += String.fromCharCode(data[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function hexToUint8Array(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  return bytes;
+}
+function parsePemToSpki(pem) {
+  const pemBody = pem.replace(/-----BEGIN PRIVATE KEY-----/g, "").replace(/-----END PRIVATE KEY-----/g, "").replace(/\s/g, "");
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function importHmacSigningKey(secret) {
+  const encoder = new TextEncoder();
+  const keyData = encoder.encode(secret);
+  return crypto.subtle.importKey(
+    "raw",
+    keyData.buffer,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+}
+async function importEdDSAPrivateKey(privateKey) {
+  const keyBytes = typeof privateKey === "string" ? hexToUint8Array(privateKey) : privateKey;
+  return crypto.subtle.importKey(
+    "raw",
+    keyBytes.buffer,
+    { name: "Ed25519" },
+    false,
+    ["sign"]
+  );
+}
+async function importRsaPrivateKey(privateKey) {
+  if (typeof privateKey === "object") {
+    return crypto.subtle.importKey(
+      "jwk",
+      privateKey,
+      { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+      false,
+      ["sign"]
+    );
+  }
+  const pkcs8Bytes = parsePemToSpki(privateKey);
+  return crypto.subtle.importKey(
+    "pkcs8",
+    pkcs8Bytes.buffer,
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+}
+async function importEcdsaPrivateKey(privateKey) {
+  if (typeof privateKey === "object") {
+    return crypto.subtle.importKey(
+      "jwk",
+      privateKey,
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      ["sign"]
+    );
+  }
+  const pkcs8Bytes = parsePemToSpki(privateKey);
+  return crypto.subtle.importKey(
+    "pkcs8",
+    pkcs8Bytes.buffer,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["sign"]
+  );
+}
+async function resolveSignKey(config) {
+  const strategy = config.strategy;
+  switch (strategy) {
+    case "hmac": {
+      const c = config;
+      return {
+        key: await importHmacSigningKey(c.secret),
+        jwtAlgorithm: "HS256",
+        cryptoAlgorithm: "HMAC"
+      };
+    }
+    case "eddsa": {
+      const c = config;
+      return {
+        key: await importEdDSAPrivateKey(c.privateKey),
+        jwtAlgorithm: "EdDSA",
+        cryptoAlgorithm: { name: "Ed25519" }
+      };
+    }
+    case "rs256": {
+      const c = config;
+      return {
+        key: await importRsaPrivateKey(c.privateKey),
+        jwtAlgorithm: "RS256",
+        cryptoAlgorithm: "RSASSA-PKCS1-v1_5"
+      };
+    }
+    case "es256": {
+      const c = config;
+      return {
+        key: await importEcdsaPrivateKey(c.privateKey),
+        jwtAlgorithm: "ES256",
+        cryptoAlgorithm: { name: "ECDSA", hash: "SHA-256" }
+      };
+    }
+  }
+}
+var REFRESH_BUFFER_SECONDS = 60;
+var JwtSigner = class {
+  constructor(config) {
+    this.config = config;
+  }
+  cachedKeyInfo = null;
+  cachedToken = null;
+  cachedExp = 0;
+  /**
+   * Get a valid service JWT token.
+   * Automatically signs a new token when the current one is about to expire.
+   */
+  async getToken() {
+    const nowSeconds = Math.floor(Date.now() / 1e3);
+    if (this.cachedToken && nowSeconds < this.cachedExp - REFRESH_BUFFER_SECONDS) {
+      return this.cachedToken;
+    }
+    return this.signNewToken();
+  }
+  async signNewToken() {
+    const keyInfo = await this.getKeyInfo();
+    const encoder = new TextEncoder();
+    const expiresInSeconds = this.config.expiresInSeconds ?? 300;
+    const nowSeconds = Math.floor(Date.now() / 1e3);
+    const header = base64urlEncode(
+      encoder.encode(JSON.stringify({ alg: keyInfo.jwtAlgorithm, typ: "JWT" }))
+    );
+    const payload = {
+      iat: nowSeconds,
+      exp: nowSeconds + expiresInSeconds
+    };
+    if (this.config.issuer !== void 0) {
+      payload.iss = this.config.issuer;
+    }
+    if (this.config.audience !== void 0) {
+      payload.aud = this.config.audience;
+    }
+    const payloadB64 = base64urlEncode(encoder.encode(JSON.stringify(payload)));
+    const signData = encoder.encode(`${header}.${payloadB64}`);
+    const signatureBytes = new Uint8Array(
+      await crypto.subtle.sign(
+        keyInfo.cryptoAlgorithm,
+        keyInfo.key,
+        signData.buffer
+      )
+    );
+    const signature = base64urlEncode(signatureBytes);
+    const token = `${header}.${payloadB64}.${signature}`;
+    this.cachedToken = token;
+    this.cachedExp = nowSeconds + expiresInSeconds;
+    return token;
+  }
+  async getKeyInfo() {
+    if (!this.cachedKeyInfo) {
+      this.cachedKeyInfo = await resolveSignKey(this.config);
+    }
+    return this.cachedKeyInfo;
+  }
+};
+// src/errors.ts
+import { defineError } from "ts-micro-result";
+var sdkErrors = {
+  NETWORK_ERROR: defineError("SDK_NETWORK_ERROR", "Network request failed"),
+  TIMEOUT: defineError("SDK_TIMEOUT", "Request timed out"),
+  INVALID_RESPONSE: defineError("SDK_INVALID_RESPONSE", "Invalid response from auth service"),
+  JWT_SIGN_FAILED: defineError("SDK_JWT_SIGN_FAILED", "Failed to sign service JWT")
+};
+// src/http-client.ts
+var HttpClient = class {
+  signer;
+  baseUrl;
+  basePath;
+  fetchFn;
+  timeout;
+  customHeaders;
+  constructor(config) {
+    this.signer = new JwtSigner(config.jwt);
+    this.baseUrl = config.baseUrl.replace(/\/$/, "");
+    this.basePath = config.basePath ?? "";
+    this.fetchFn = config.fetchImpl ?? globalThis.fetch;
+    this.timeout = config.timeout ?? 3e4;
+    this.customHeaders = config.headers ?? {};
+  }
+  async request(method, path, options) {
+    try {
+      let token;
+      try {
+        token = await this.signer.getToken();
+      } catch (signError) {
+        const message = signError instanceof Error ? signError.message : String(signError);
+        return err(sdkErrors.JWT_SIGN_FAILED({ message }));
+      }
+      const url = this.buildUrl(path, options?.query);
+      const headers = {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${token}`,
+        ...this.customHeaders
+      };
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+      let response;
+      try {
+        response = await this.fetchFn(url, {
+          method,
+          headers,
+          body: options?.body !== void 0 ? JSON.stringify(options.body) : void 0,
+          signal: controller.signal
+        });
+      } finally {
+        clearTimeout(timeoutId);
+      }
+      let envelope;
+      try {
+        envelope = await response.json();
+      } catch {
+        return err(
+          sdkErrors.INVALID_RESPONSE({ message: `HTTP ${response.status}: non-JSON response` }),
+          void 0,
+          response.status
+        );
+      }
+      if (envelope.ok && envelope.data !== void 0) {
+        return ok(envelope.data, envelope.meta);
+      }
+      const errors = envelope.errors ?? [{ code: "UNKNOWN_ERROR", message: `HTTP ${response.status}` }];
+      return err(errors, envelope.meta, response.status);
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return err(sdkErrors.TIMEOUT({ message: `Request timed out after ${this.timeout}ms` }), void 0, 408);
+      }
+      const message = error instanceof Error ? error.message : String(error);
+      return err(sdkErrors.NETWORK_ERROR({ message }), void 0, 0);
+    }
+  }
+  buildUrl(path, query) {
+    let url = `${this.baseUrl}${this.basePath}/internal${path}`;
+    if (query) {
+      const entries = Object.entries(query).filter(([, v]) => v !== void 0);
+      if (entries.length > 0) {
+        const params = new URLSearchParams(entries);
+        url += `?${params.toString()}`;
+      }
+    }
+    return url;
+  }
+};
+// src/client.ts
+var InternalClient = class {
+  http;
+  constructor(config) {
+    this.http = new HttpClient(config);
+  }
+  /**
+   * Bootstrap tenant owner (assign owner role to a user for a new tenant).
+   * Typically called by tenant-provisioning service after creating a tenant.
+   */
+  async bootstrapTenantOwner(request) {
+    return this.http.request(
+      "POST",
+      "/tenant/bootstrap-owner",
+      { body: request }
+    );
+  }
+  /**
+   * Get per-tenant user profile (internal).
+   * Allows services to read tenant profiles without user authentication.
+   */
+  async getTenantProfile(request) {
+    return this.http.request(
+      "GET",
+      "/tenant/profile",
+      {
+        query: {
+          tenantId: request.tenantId,
+          userId: request.userId
+        }
+      }
+    );
+  }
+};
+// src/index.ts
+function createInternalClient(config) {
+  return new InternalClient(config);
+}
+export {
+  InternalClient,
+  createInternalClient,
+  sdkErrors
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/http-client.ts","../src/jwt-signer.ts","../src/errors.ts","../src/client.ts","../src/index.ts"],"sourcesContent":["/**\r\n * Low-level HTTP Client\r\n * Wraps fetch with JWT auth, timeout, and Result<T> mapping.\r\n */\r\n\r\nimport { ok, err } from 'ts-micro-result';\r\nimport type { Result } from 'ts-micro-result';\r\nimport type { InternalClientConfig, ApiResponseEnvelope } from './types';\r\nimport { JwtSigner } from './jwt-signer';\r\nimport { sdkErrors } from './errors';\r\n\r\ntype HttpMethod = 'GET' | 'POST' | 'PATCH' | 'DELETE';\r\n\r\nexport class HttpClient {\r\n private readonly signer: JwtSigner;\r\n private readonly baseUrl: string;\r\n private readonly basePath: string;\r\n private readonly fetchFn: typeof fetch;\r\n private readonly timeout: number;\r\n private readonly customHeaders: Record<string, string>;\r\n\r\n constructor(config: InternalClientConfig) {\r\n this.signer = new JwtSigner(config.jwt);\r\n this.baseUrl = config.baseUrl.replace(/\\/$/, '');\r\n this.basePath = config.basePath ?? '';\r\n this.fetchFn = config.fetchImpl ?? globalThis.fetch;\r\n this.timeout = config.timeout ?? 30000;\r\n this.customHeaders = config.headers ?? {};\r\n }\r\n\r\n async request<T>(\r\n method: HttpMethod,\r\n path: string,\r\n options?: {\r\n body?: unknown;\r\n query?: Record<string, string>;\r\n }\r\n ): Promise<Result<T>> {\r\n try {\r\n // Get service JWT\r\n let token: string;\r\n try {\r\n token = await this.signer.getToken();\r\n } catch (signError) {\r\n const message = signError instanceof Error ? signError.message : String(signError);\r\n return err(sdkErrors.JWT_SIGN_FAILED({ message }));\r\n }\r\n\r\n // Build URL\r\n const url = this.buildUrl(path, options?.query);\r\n\r\n // Build headers\r\n const headers: Record<string, string> = {\r\n 'Content-Type': 'application/json',\r\n 'Authorization': `Bearer ${token}`,\r\n ...this.customHeaders,\r\n };\r\n\r\n // Timeout\r\n const controller = new AbortController();\r\n const timeoutId = setTimeout(() => controller.abort(), this.timeout);\r\n\r\n // Make request\r\n let response: Response;\r\n try {\r\n response = await this.fetchFn(url, {\r\n method,\r\n headers,\r\n body: options?.body !== undefined ? JSON.stringify(options.body) : undefined,\r\n signal: controller.signal,\r\n });\r\n } finally {\r\n clearTimeout(timeoutId);\r\n }\r\n\r\n // Parse response\r\n let envelope: ApiResponseEnvelope<T>;\r\n try {\r\n envelope = await response.json() as ApiResponseEnvelope<T>;\r\n } catch {\r\n return err(\r\n sdkErrors.INVALID_RESPONSE({ message: `HTTP ${response.status}: non-JSON response` }),\r\n undefined,\r\n response.status\r\n );\r\n }\r\n\r\n // Map to Result\r\n if (envelope.ok && envelope.data !== undefined) {\r\n return ok(envelope.data, envelope.meta);\r\n }\r\n\r\n const errors = envelope.errors ?? [{ code: 'UNKNOWN_ERROR', message: `HTTP ${response.status}` }];\r\n return err(errors, envelope.meta, response.status);\r\n\r\n } catch (error) {\r\n if (error instanceof Error && error.name === 'AbortError') {\r\n return err(sdkErrors.TIMEOUT({ message: `Request timed out after ${this.timeout}ms` }), undefined, 408);\r\n }\r\n\r\n const message = error instanceof Error ? error.message : String(error);\r\n return err(sdkErrors.NETWORK_ERROR({ message }), undefined, 0);\r\n }\r\n }\r\n\r\n private buildUrl(path: string, query?: Record<string, string>): string {\r\n let url = `${this.baseUrl}${this.basePath}/internal${path}`;\r\n\r\n if (query) {\r\n const entries = Object.entries(query).filter(([, v]) => v !== undefined);\r\n if (entries.length > 0) {\r\n const params = new URLSearchParams(entries);\r\n url += `?${params.toString()}`;\r\n }\r\n }\r\n\r\n return url;\r\n }\r\n}\r\n","/**\r\n * Service JWT Signer\r\n * Creates and auto-refreshes JWTs for service-to-service authentication.\r\n * Uses Web Crypto API for edge compatibility — zero dependencies.\r\n *\r\n * Reuses pattern from auth-http-core/middleware/internal-auth.ts\r\n */\r\n\r\nimport type { JwtConfig, JwtHmacConfig, JwtEddsaConfig, JwtRs256Config, JwtEs256Config } from './types';\r\n\r\n// ============================================================\r\n// Base64url helpers\r\n// ============================================================\r\n\r\nfunction base64urlEncode(data: Uint8Array): string {\r\n let binary = '';\r\n for (let i = 0; i < data.length; i++) {\r\n binary += String.fromCharCode(data[i]!);\r\n }\r\n return btoa(binary).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\r\n}\r\n\r\nfunction hexToUint8Array(hex: string): Uint8Array {\r\n const bytes = new Uint8Array(hex.length / 2);\r\n for (let i = 0; i < hex.length; i += 2) {\r\n bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);\r\n }\r\n return bytes;\r\n}\r\n\r\nfunction parsePemToSpki(pem: string): Uint8Array {\r\n const pemBody = pem\r\n .replace(/-----BEGIN PRIVATE KEY-----/g, '')\r\n .replace(/-----END PRIVATE KEY-----/g, '')\r\n .replace(/\\s/g, '');\r\n\r\n const binary = atob(pemBody);\r\n const bytes = new Uint8Array(binary.length);\r\n for (let i = 0; i < binary.length; i++) {\r\n bytes[i] = binary.charCodeAt(i);\r\n }\r\n return bytes;\r\n}\r\n\r\n// ============================================================\r\n// Key import helpers (Web Crypto API)\r\n// ============================================================\r\n\r\nasync function importHmacSigningKey(secret: string): Promise<CryptoKey> {\r\n const encoder = new TextEncoder();\r\n const keyData = encoder.encode(secret);\r\n return crypto.subtle.importKey(\r\n 'raw',\r\n keyData.buffer as ArrayBuffer,\r\n { name: 'HMAC', hash: 'SHA-256' },\r\n false,\r\n ['sign']\r\n );\r\n}\r\n\r\nasync function importEdDSAPrivateKey(privateKey: string | Uint8Array): Promise<CryptoKey> {\r\n const keyBytes = typeof privateKey === 'string'\r\n ? hexToUint8Array(privateKey)\r\n : privateKey;\r\n\r\n return crypto.subtle.importKey(\r\n 'raw',\r\n keyBytes.buffer as ArrayBuffer,\r\n { name: 'Ed25519' } as Algorithm,\r\n false,\r\n ['sign']\r\n );\r\n}\r\n\r\nasync function importRsaPrivateKey(privateKey: string | JsonWebKey): Promise<CryptoKey> {\r\n if (typeof privateKey === 'object') {\r\n return crypto.subtle.importKey(\r\n 'jwk',\r\n privateKey,\r\n { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },\r\n false,\r\n ['sign']\r\n );\r\n }\r\n\r\n const pkcs8Bytes = parsePemToSpki(privateKey);\r\n return crypto.subtle.importKey(\r\n 'pkcs8',\r\n pkcs8Bytes.buffer as ArrayBuffer,\r\n { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },\r\n false,\r\n ['sign']\r\n );\r\n}\r\n\r\nasync function importEcdsaPrivateKey(privateKey: string | JsonWebKey): Promise<CryptoKey> {\r\n if (typeof privateKey === 'object') {\r\n return crypto.subtle.importKey(\r\n 'jwk',\r\n privateKey,\r\n { name: 'ECDSA', namedCurve: 'P-256' },\r\n false,\r\n ['sign']\r\n );\r\n }\r\n\r\n const pkcs8Bytes = parsePemToSpki(privateKey);\r\n return crypto.subtle.importKey(\r\n 'pkcs8',\r\n pkcs8Bytes.buffer as ArrayBuffer,\r\n { name: 'ECDSA', namedCurve: 'P-256' },\r\n false,\r\n ['sign']\r\n );\r\n}\r\n\r\n// ============================================================\r\n// Sign key info\r\n// ============================================================\r\n\r\ninterface SignKeyInfo {\r\n key: CryptoKey;\r\n jwtAlgorithm: string;\r\n cryptoAlgorithm: AlgorithmIdentifier;\r\n}\r\n\r\nasync function resolveSignKey(config: JwtConfig): Promise<SignKeyInfo> {\r\n const strategy = config.strategy;\r\n\r\n switch (strategy) {\r\n case 'hmac': {\r\n const c = config as JwtHmacConfig;\r\n return {\r\n key: await importHmacSigningKey(c.secret),\r\n jwtAlgorithm: 'HS256',\r\n cryptoAlgorithm: 'HMAC',\r\n };\r\n }\r\n case 'eddsa': {\r\n const c = config as JwtEddsaConfig;\r\n return {\r\n key: await importEdDSAPrivateKey(c.privateKey),\r\n jwtAlgorithm: 'EdDSA',\r\n cryptoAlgorithm: { name: 'Ed25519' } as Algorithm,\r\n };\r\n }\r\n case 'rs256': {\r\n const c = config as JwtRs256Config;\r\n return {\r\n key: await importRsaPrivateKey(c.privateKey),\r\n jwtAlgorithm: 'RS256',\r\n cryptoAlgorithm: 'RSASSA-PKCS1-v1_5',\r\n };\r\n }\r\n case 'es256': {\r\n const c = config as JwtEs256Config;\r\n return {\r\n key: await importEcdsaPrivateKey(c.privateKey),\r\n jwtAlgorithm: 'ES256',\r\n cryptoAlgorithm: { name: 'ECDSA', hash: 'SHA-256' } as EcdsaParams,\r\n };\r\n }\r\n }\r\n}\r\n\r\n// ============================================================\r\n// JWT Signer\r\n// ============================================================\r\n\r\n/** Minimum remaining TTL (seconds) before auto-refreshing the token */\r\nconst REFRESH_BUFFER_SECONDS = 60;\r\n\r\nexport class JwtSigner {\r\n private cachedKeyInfo: SignKeyInfo | null = null;\r\n private cachedToken: string | null = null;\r\n private cachedExp: number = 0;\r\n\r\n constructor(private readonly config: JwtConfig) {}\r\n\r\n /**\r\n * Get a valid service JWT token.\r\n * Automatically signs a new token when the current one is about to expire.\r\n */\r\n async getToken(): Promise<string> {\r\n const nowSeconds = Math.floor(Date.now() / 1000);\r\n\r\n // Return cached token if still valid (with buffer)\r\n if (this.cachedToken && nowSeconds < this.cachedExp - REFRESH_BUFFER_SECONDS) {\r\n return this.cachedToken;\r\n }\r\n\r\n // Sign new token\r\n return this.signNewToken();\r\n }\r\n\r\n private async signNewToken(): Promise<string> {\r\n const keyInfo = await this.getKeyInfo();\r\n const encoder = new TextEncoder();\r\n const expiresInSeconds = this.config.expiresInSeconds ?? 300;\r\n const nowSeconds = Math.floor(Date.now() / 1000);\r\n\r\n // Header\r\n const header = base64urlEncode(\r\n encoder.encode(JSON.stringify({ alg: keyInfo.jwtAlgorithm, typ: 'JWT' }))\r\n );\r\n\r\n // Payload\r\n const payload: Record<string, unknown> = {\r\n iat: nowSeconds,\r\n exp: nowSeconds + expiresInSeconds,\r\n };\r\n\r\n if (this.config.issuer !== undefined) {\r\n payload.iss = this.config.issuer;\r\n }\r\n if (this.config.audience !== undefined) {\r\n payload.aud = this.config.audience;\r\n }\r\n\r\n const payloadB64 = base64urlEncode(encoder.encode(JSON.stringify(payload)));\r\n\r\n // Sign\r\n const signData = encoder.encode(`${header}.${payloadB64}`);\r\n const signatureBytes = new Uint8Array(\r\n await crypto.subtle.sign(\r\n keyInfo.cryptoAlgorithm,\r\n keyInfo.key,\r\n signData.buffer as ArrayBuffer\r\n )\r\n );\r\n const signature = base64urlEncode(signatureBytes);\r\n\r\n const token = `${header}.${payloadB64}.${signature}`;\r\n\r\n // Cache\r\n this.cachedToken = token;\r\n this.cachedExp = nowSeconds + expiresInSeconds;\r\n\r\n return token;\r\n }\r\n\r\n private async getKeyInfo(): Promise<SignKeyInfo> {\r\n if (!this.cachedKeyInfo) {\r\n this.cachedKeyInfo = await resolveSignKey(this.config);\r\n }\r\n return this.cachedKeyInfo;\r\n }\r\n}\r\n","/**\r\n * Backend SDK Error Definitions\r\n */\r\n\r\nimport { defineError } from 'ts-micro-result';\r\n\r\nexport const sdkErrors = {\r\n NETWORK_ERROR: defineError('SDK_NETWORK_ERROR', 'Network request failed'),\r\n TIMEOUT: defineError('SDK_TIMEOUT', 'Request timed out'),\r\n INVALID_RESPONSE: defineError('SDK_INVALID_RESPONSE', 'Invalid response from auth service'),\r\n JWT_SIGN_FAILED: defineError('SDK_JWT_SIGN_FAILED', 'Failed to sign service JWT'),\r\n} as const;\r\n","/**\r\n * Internal Client\r\n * Type-safe client for auth service internal (service-to-service) API.\r\n */\r\n\r\nimport type { Result } from 'ts-micro-result';\r\nimport type {\r\n InternalClientConfig,\r\n BootstrapTenantOwnerRequest,\r\n BootstrapTenantOwnerResponse,\r\n GetTenantProfileRequest,\r\n TenantProfileResponse,\r\n} from './types';\r\nimport { HttpClient } from './http-client';\r\n\r\nexport class InternalClient {\r\n private readonly http: HttpClient;\r\n\r\n constructor(config: InternalClientConfig) {\r\n this.http = new HttpClient(config);\r\n }\r\n\r\n /**\r\n * Bootstrap tenant owner (assign owner role to a user for a new tenant).\r\n * Typically called by tenant-provisioning service after creating a tenant.\r\n */\r\n async bootstrapTenantOwner(\r\n request: BootstrapTenantOwnerRequest\r\n ): Promise<Result<BootstrapTenantOwnerResponse>> {\r\n return this.http.request<BootstrapTenantOwnerResponse>(\r\n 'POST',\r\n '/tenant/bootstrap-owner',\r\n { body: request }\r\n );\r\n }\r\n\r\n /**\r\n * Get per-tenant user profile (internal).\r\n * Allows services to read tenant profiles without user authentication.\r\n */\r\n async getTenantProfile(\r\n request: GetTenantProfileRequest\r\n ): Promise<Result<TenantProfileResponse>> {\r\n return this.http.request<TenantProfileResponse>(\r\n 'GET',\r\n '/tenant/profile',\r\n {\r\n query: {\r\n tenantId: request.tenantId,\r\n userId: request.userId,\r\n },\r\n }\r\n );\r\n }\r\n}\r\n","/**\r\n * @auth-craft/backend-sdk\r\n * Type-safe internal service SDK for Auth-Craft service-to-service calls.\r\n *\r\n * @example\r\n * ```ts\r\n * import { createInternalClient } from '@auth-craft/backend-sdk';\r\n *\r\n * const client = createInternalClient({\r\n * baseUrl: 'https://auth.example.com',\r\n * basePath: '/system',\r\n * jwt: {\r\n * strategy: 'hmac',\r\n * secret: process.env.INTERNAL_JWT_SECRET!,\r\n * issuer: 'tenant-provisioning-service',\r\n * },\r\n * });\r\n *\r\n * const result = await client.bootstrapTenantOwner({ tenantId, userId });\r\n * ```\r\n */\r\n\r\nimport { InternalClient } from './client';\r\nimport type { InternalClientConfig } from './types';\r\n\r\n/**\r\n * Create an internal service client for Auth-Craft.\r\n *\r\n * The client auto-signs service JWTs and refreshes them before expiry.\r\n */\r\nexport function createInternalClient(config: InternalClientConfig): InternalClient {\r\n return new InternalClient(config);\r\n}\r\n\r\n// Explicit type exports\r\nexport type {\r\n InternalClientConfig,\r\n JwtConfig,\r\n JwtHmacConfig,\r\n JwtEddsaConfig,\r\n JwtRs256Config,\r\n JwtEs256Config,\r\n BootstrapTenantOwnerRequest,\r\n BootstrapTenantOwnerResponse,\r\n GetTenantProfileRequest,\r\n TenantProfileResponse,\r\n} from './types';\r\n\r\nexport { InternalClient } from './client';\r\nexport { sdkErrors } from './errors';\r\n"],"mappings":";AAKA,SAAS,IAAI,WAAW;;;ACSxB,SAAS,gBAAgB,MAA0B;AACjD,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,cAAU,OAAO,aAAa,KAAK,CAAC,CAAE;AAAA,EACxC;AACA,SAAO,KAAK,MAAM,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AAC/E;AAEA,SAAS,gBAAgB,KAAyB;AAChD,QAAM,QAAQ,IAAI,WAAW,IAAI,SAAS,CAAC;AAC3C,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK,GAAG;AACtC,UAAM,IAAI,CAAC,IAAI,SAAS,IAAI,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE;AAAA,EACrD;AACA,SAAO;AACT;AAEA,SAAS,eAAe,KAAyB;AAC/C,QAAM,UAAU,IACb,QAAQ,gCAAgC,EAAE,EAC1C,QAAQ,8BAA8B,EAAE,EACxC,QAAQ,OAAO,EAAE;AAEpB,QAAM,SAAS,KAAK,OAAO;AAC3B,QAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,UAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,EAChC;AACA,SAAO;AACT;AAMA,eAAe,qBAAqB,QAAoC;AACtE,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,UAAU,QAAQ,OAAO,MAAM;AACrC,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,QAAQ;AAAA,IACR,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACF;AAEA,eAAe,sBAAsB,YAAqD;AACxF,QAAM,WAAW,OAAO,eAAe,WACnC,gBAAgB,UAAU,IAC1B;AAEJ,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,SAAS;AAAA,IACT,EAAE,MAAM,UAAU;AAAA,IAClB;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACF;AAEA,eAAe,oBAAoB,YAAqD;AACtF,MAAI,OAAO,eAAe,UAAU;AAClC,WAAO,OAAO,OAAO;AAAA,MACnB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,qBAAqB,MAAM,UAAU;AAAA,MAC7C;AAAA,MACA,CAAC,MAAM;AAAA,IACT;AAAA,EACF;AAEA,QAAM,aAAa,eAAe,UAAU;AAC5C,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,WAAW;AAAA,IACX,EAAE,MAAM,qBAAqB,MAAM,UAAU;AAAA,IAC7C;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACF;AAEA,eAAe,sBAAsB,YAAqD;AACxF,MAAI,OAAO,eAAe,UAAU;AAClC,WAAO,OAAO,OAAO;AAAA,MACnB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,SAAS,YAAY,QAAQ;AAAA,MACrC;AAAA,MACA,CAAC,MAAM;AAAA,IACT;AAAA,EACF;AAEA,QAAM,aAAa,eAAe,UAAU;AAC5C,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,WAAW;AAAA,IACX,EAAE,MAAM,SAAS,YAAY,QAAQ;AAAA,IACrC;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACF;AAYA,eAAe,eAAe,QAAyC;AACrE,QAAM,WAAW,OAAO;AAExB,UAAQ,UAAU;AAAA,IAChB,KAAK,QAAQ;AACX,YAAM,IAAI;AACV,aAAO;AAAA,QACL,KAAK,MAAM,qBAAqB,EAAE,MAAM;AAAA,QACxC,cAAc;AAAA,QACd,iBAAiB;AAAA,MACnB;AAAA,IACF;AAAA,IACA,KAAK,SAAS;AACZ,YAAM,IAAI;AACV,aAAO;AAAA,QACL,KAAK,MAAM,sBAAsB,EAAE,UAAU;AAAA,QAC7C,cAAc;AAAA,QACd,iBAAiB,EAAE,MAAM,UAAU;AAAA,MACrC;AAAA,IACF;AAAA,IACA,KAAK,SAAS;AACZ,YAAM,IAAI;AACV,aAAO;AAAA,QACL,KAAK,MAAM,oBAAoB,EAAE,UAAU;AAAA,QAC3C,cAAc;AAAA,QACd,iBAAiB;AAAA,MACnB;AAAA,IACF;AAAA,IACA,KAAK,SAAS;AACZ,YAAM,IAAI;AACV,aAAO;AAAA,QACL,KAAK,MAAM,sBAAsB,EAAE,UAAU;AAAA,QAC7C,cAAc;AAAA,QACd,iBAAiB,EAAE,MAAM,SAAS,MAAM,UAAU;AAAA,MACpD;AAAA,IACF;AAAA,EACF;AACF;AAOA,IAAM,yBAAyB;AAExB,IAAM,YAAN,MAAgB;AAAA,EAKrB,YAA6B,QAAmB;AAAnB;AAAA,EAAoB;AAAA,EAJzC,gBAAoC;AAAA,EACpC,cAA6B;AAAA,EAC7B,YAAoB;AAAA;AAAA;AAAA;AAAA;AAAA,EAQ5B,MAAM,WAA4B;AAChC,UAAM,aAAa,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAG/C,QAAI,KAAK,eAAe,aAAa,KAAK,YAAY,wBAAwB;AAC5E,aAAO,KAAK;AAAA,IACd;AAGA,WAAO,KAAK,aAAa;AAAA,EAC3B;AAAA,EAEA,MAAc,eAAgC;AAC5C,UAAM,UAAU,MAAM,KAAK,WAAW;AACtC,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,mBAAmB,KAAK,OAAO,oBAAoB;AACzD,UAAM,aAAa,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAG/C,UAAM,SAAS;AAAA,MACb,QAAQ,OAAO,KAAK,UAAU,EAAE,KAAK,QAAQ,cAAc,KAAK,MAAM,CAAC,CAAC;AAAA,IAC1E;AAGA,UAAM,UAAmC;AAAA,MACvC,KAAK;AAAA,MACL,KAAK,aAAa;AAAA,IACpB;AAEA,QAAI,KAAK,OAAO,WAAW,QAAW;AACpC,cAAQ,MAAM,KAAK,OAAO;AAAA,IAC5B;AACA,QAAI,KAAK,OAAO,aAAa,QAAW;AACtC,cAAQ,MAAM,KAAK,OAAO;AAAA,IAC5B;AAEA,UAAM,aAAa,gBAAgB,QAAQ,OAAO,KAAK,UAAU,OAAO,CAAC,CAAC;AAG1E,UAAM,WAAW,QAAQ,OAAO,GAAG,MAAM,IAAI,UAAU,EAAE;AACzD,UAAM,iBAAiB,IAAI;AAAA,MACzB,MAAM,OAAO,OAAO;AAAA,QAClB,QAAQ;AAAA,QACR,QAAQ;AAAA,QACR,SAAS;AAAA,MACX;AAAA,IACF;AACA,UAAM,YAAY,gBAAgB,cAAc;AAEhD,UAAM,QAAQ,GAAG,MAAM,IAAI,UAAU,IAAI,SAAS;AAGlD,SAAK,cAAc;AACnB,SAAK,YAAY,aAAa;AAE9B,WAAO;AAAA,EACT;AAAA,EAEA,MAAc,aAAmC;AAC/C,QAAI,CAAC,KAAK,eAAe;AACvB,WAAK,gBAAgB,MAAM,eAAe,KAAK,MAAM;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AACF;;;ACnPA,SAAS,mBAAmB;AAErB,IAAM,YAAY;AAAA,EACvB,eAAe,YAAY,qBAAqB,wBAAwB;AAAA,EACxE,SAAS,YAAY,eAAe,mBAAmB;AAAA,EACvD,kBAAkB,YAAY,wBAAwB,oCAAoC;AAAA,EAC1F,iBAAiB,YAAY,uBAAuB,4BAA4B;AAClF;;;AFEO,IAAM,aAAN,MAAiB;AAAA,EACL;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,QAA8B;AACxC,SAAK,SAAS,IAAI,UAAU,OAAO,GAAG;AACtC,SAAK,UAAU,OAAO,QAAQ,QAAQ,OAAO,EAAE;AAC/C,SAAK,WAAW,OAAO,YAAY;AACnC,SAAK,UAAU,OAAO,aAAa,WAAW;AAC9C,SAAK,UAAU,OAAO,WAAW;AACjC,SAAK,gBAAgB,OAAO,WAAW,CAAC;AAAA,EAC1C;AAAA,EAEA,MAAM,QACJ,QACA,MACA,SAIoB;AACpB,QAAI;AAEF,UAAI;AACJ,UAAI;AACF,gBAAQ,MAAM,KAAK,OAAO,SAAS;AAAA,MACrC,SAAS,WAAW;AAClB,cAAM,UAAU,qBAAqB,QAAQ,UAAU,UAAU,OAAO,SAAS;AACjF,eAAO,IAAI,UAAU,gBAAgB,EAAE,QAAQ,CAAC,CAAC;AAAA,MACnD;AAGA,YAAM,MAAM,KAAK,SAAS,MAAM,SAAS,KAAK;AAG9C,YAAM,UAAkC;AAAA,QACtC,gBAAgB;AAAA,QAChB,iBAAiB,UAAU,KAAK;AAAA,QAChC,GAAG,KAAK;AAAA,MACV;AAGA,YAAM,aAAa,IAAI,gBAAgB;AACvC,YAAM,YAAY,WAAW,MAAM,WAAW,MAAM,GAAG,KAAK,OAAO;AAGnE,UAAI;AACJ,UAAI;AACF,mBAAW,MAAM,KAAK,QAAQ,KAAK;AAAA,UACjC;AAAA,UACA;AAAA,UACA,MAAM,SAAS,SAAS,SAAY,KAAK,UAAU,QAAQ,IAAI,IAAI;AAAA,UACnE,QAAQ,WAAW;AAAA,QACrB,CAAC;AAAA,MACH,UAAE;AACA,qBAAa,SAAS;AAAA,MACxB;AAGA,UAAI;AACJ,UAAI;AACF,mBAAW,MAAM,SAAS,KAAK;AAAA,MACjC,QAAQ;AACN,eAAO;AAAA,UACL,UAAU,iBAAiB,EAAE,SAAS,QAAQ,SAAS,MAAM,sBAAsB,CAAC;AAAA,UACpF;AAAA,UACA,SAAS;AAAA,QACX;AAAA,MACF;AAGA,UAAI,SAAS,MAAM,SAAS,SAAS,QAAW;AAC9C,eAAO,GAAG,SAAS,MAAM,SAAS,IAAI;AAAA,MACxC;AAEA,YAAM,SAAS,SAAS,UAAU,CAAC,EAAE,MAAM,iBAAiB,SAAS,QAAQ,SAAS,MAAM,GAAG,CAAC;AAChG,aAAO,IAAI,QAAQ,SAAS,MAAM,SAAS,MAAM;AAAA,IAEnD,SAAS,OAAO;AACd,UAAI,iBAAiB,SAAS,MAAM,SAAS,cAAc;AACzD,eAAO,IAAI,UAAU,QAAQ,EAAE,SAAS,2BAA2B,KAAK,OAAO,KAAK,CAAC,GAAG,QAAW,GAAG;AAAA,MACxG;AAEA,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,aAAO,IAAI,UAAU,cAAc,EAAE,QAAQ,CAAC,GAAG,QAAW,CAAC;AAAA,IAC/D;AAAA,EACF;AAAA,EAEQ,SAAS,MAAc,OAAwC;AACrE,QAAI,MAAM,GAAG,KAAK,OAAO,GAAG,KAAK,QAAQ,YAAY,IAAI;AAEzD,QAAI,OAAO;AACT,YAAM,UAAU,OAAO,QAAQ,KAAK,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC,MAAM,MAAM,MAAS;AACvE,UAAI,QAAQ,SAAS,GAAG;AACtB,cAAM,SAAS,IAAI,gBAAgB,OAAO;AAC1C,eAAO,IAAI,OAAO,SAAS,CAAC;AAAA,MAC9B;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;;;AGvGO,IAAM,iBAAN,MAAqB;AAAA,EACT;AAAA,EAEjB,YAAY,QAA8B;AACxC,SAAK,OAAO,IAAI,WAAW,MAAM;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,qBACJ,SAC+C;AAC/C,WAAO,KAAK,KAAK;AAAA,MACf;AAAA,MACA;AAAA,MACA,EAAE,MAAM,QAAQ;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,iBACJ,SACwC;AACxC,WAAO,KAAK,KAAK;AAAA,MACf;AAAA,MACA;AAAA,MACA;AAAA,QACE,OAAO;AAAA,UACL,UAAU,QAAQ;AAAA,UAClB,QAAQ,QAAQ;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;;;ACxBO,SAAS,qBAAqB,QAA8C;AACjF,SAAO,IAAI,eAAe,MAAM;AAClC;","names":[]}

package/package.json ADDED Viewed

@@ -0,0 +1,32 @@
+{
+  "name": "@auth-craft/backend-sdk",
+  "version": "0.0.1",
+  "description": "Type-safe internal service SDK for Auth-Craft service-to-service calls",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "sideEffects": false,
+  "scripts": {
+    "build": "tsup",
+    "type-check": "tsc --noEmit",
+    "dev": "tsup --watch"
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "ts-micro-result": "^3.3.0"
+  },
+  "devDependencies": {
+    "@auth-craft/tsup-config": "workspace:*",
+    "typescript": "^5.9.3"
+  }
+}