@authrim/setup 0.1.0

package/dist/core/keys.js

@@ -0,0 +1,287 @@
+/**
+ * Authrim Key Generation Module
+ *
+ * Generates RSA key pairs for JWT signing and other cryptographic secrets.
+ * Based on the existing setup-keys.sh script functionality.
+ */
+import { randomBytes, generateKeyPairSync, createPublicKey, createPrivateKey } from 'node:crypto';
+import { writeFile, mkdir, readFile } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+// =============================================================================
+// Key ID Generation
+// =============================================================================
+/**
+ * Generate a unique key ID (kid)
+ *
+ * Format: {prefix}-key-{timestamp}-{random}
+ */
+export function generateKeyId(prefix = 'dev') {
+    const timestamp = Math.floor(Date.now() / 1000);
+    const randomStr = randomBytes(4).toString('base64url').slice(0, 6);
+    return `${prefix}-key-${timestamp}-${randomStr}`;
+}
+// =============================================================================
+// RSA Key Pair Generation
+// =============================================================================
+/**
+ * Generate an RSA key pair for JWT signing
+ *
+ * @param keyId - Custom key ID or auto-generated
+ * @param keySize - RSA key size in bits (default: 2048)
+ */
+export function generateRsaKeyPair(keyId, keySize = 2048) {
+    const kid = keyId || generateKeyId();
+    // Generate RSA key pair
+    const { privateKey, publicKey } = generateKeyPairSync('rsa', {
+        modulusLength: keySize,
+        publicKeyEncoding: {
+            type: 'spki',
+            format: 'pem',
+        },
+        privateKeyEncoding: {
+            type: 'pkcs8',
+            format: 'pem',
+        },
+    });
+    // Convert public key to JWK format
+    const publicKeyObject = createPublicKey({
+        key: publicKey,
+        format: 'pem',
+    });
+    const publicJwk = publicKeyObject.export({ format: 'jwk' });
+    // Add standard JWK properties
+    const jwkWithMetadata = {
+        ...publicJwk,
+        kid,
+        use: 'sig',
+        alg: 'RS256',
+    };
+    return {
+        privateKeyPem: privateKey,
+        publicKeyJwk: jwkWithMetadata,
+        keyId: kid,
+        createdAt: new Date().toISOString(),
+    };
+}
+// =============================================================================
+// Secret Generation
+// =============================================================================
+/**
+ * Generate a random hex-encoded secret
+ *
+ * @param bytes - Number of random bytes (default: 32 = 256 bits)
+ */
+export function generateHexSecret(bytes = 32) {
+    return randomBytes(bytes).toString('hex');
+}
+/**
+ * Generate a random base64url-encoded secret
+ *
+ * @param bytes - Number of random bytes (default: 32 = 256 bits)
+ */
+export function generateBase64Secret(bytes = 32) {
+    return randomBytes(bytes).toString('base64url');
+}
+/**
+ * Generate all required secrets for Authrim
+ */
+export function generateAllSecrets(keyId) {
+    const keyPair = generateRsaKeyPair(keyId);
+    return {
+        keyPair,
+        rpTokenEncryptionKey: generateHexSecret(32), // 256-bit key
+        adminApiSecret: generateBase64Secret(32), // 256-bit secret
+        keyManagerSecret: generateBase64Secret(32), // 256-bit secret
+        setupToken: generateHexSecret(32), // 256-bit token for initial setup
+    };
+}
+// =============================================================================
+// File Operations
+// =============================================================================
+/**
+ * Validate that a directory path is safe for writing keys
+ * - Must not contain path traversal patterns
+ * - Must be within the current working directory or an absolute path that's safe
+ */
+function validateKeysDirectory(keysDir) {
+    // Reject path traversal patterns
+    if (keysDir.includes('..')) {
+        throw new Error('Invalid keys directory: path traversal (..) not allowed');
+    }
+    // Reject null bytes (path truncation attack)
+    if (keysDir.includes('\0')) {
+        throw new Error('Invalid keys directory: null bytes not allowed');
+    }
+    // Reject shell metacharacters
+    if (/[;&|`$(){}[\]<>!#*?]/.test(keysDir)) {
+        throw new Error('Invalid keys directory: shell metacharacters not allowed');
+    }
+    // Reject absolute paths to system directories (Unix)
+    const absolutePath = resolve(keysDir);
+    const dangerousPaths = ['/etc', '/usr', '/bin', '/sbin', '/var', '/tmp', '/root', '/home'];
+    for (const dangerous of dangerousPaths) {
+        if (absolutePath.startsWith(dangerous + '/') || absolutePath === dangerous) {
+            throw new Error(`Invalid keys directory: writing to ${dangerous} is not allowed`);
+        }
+    }
+    // Reject Windows system directories
+    const windowsDangerous = ['C:\\Windows', 'C:\\Program Files', 'C:\\System32'];
+    for (const dangerous of windowsDangerous) {
+        if (absolutePath.toLowerCase().startsWith(dangerous.toLowerCase())) {
+            throw new Error(`Invalid keys directory: writing to system directories is not allowed`);
+        }
+    }
+}
+/**
+ * Save keys and secrets to the .keys directory
+ */
+export async function saveKeysToDirectory(secrets, keysDir = '.keys') {
+    // Security: Validate directory path to prevent path traversal
+    validateKeysDirectory(keysDir);
+    // Ensure directory exists
+    if (!existsSync(keysDir)) {
+        await mkdir(keysDir, { recursive: true });
+    }
+    const paths = {
+        privateKey: join(keysDir, 'private.pem'),
+        publicKey: join(keysDir, 'public.jwk.json'),
+        rpTokenEncryptionKey: join(keysDir, 'rp_token_encryption_key.txt'),
+        adminApiSecret: join(keysDir, 'admin_api_secret.txt'),
+        keyManagerSecret: join(keysDir, 'key_manager_secret.txt'),
+        setupToken: join(keysDir, 'setup_token.txt'),
+        metadata: join(keysDir, 'metadata.json'),
+    };
+    // Write private key
+    await writeFile(paths.privateKey, secrets.keyPair.privateKeyPem, 'utf-8');
+    // Write public key (JWK)
+    await writeFile(paths.publicKey, JSON.stringify(secrets.keyPair.publicKeyJwk, null, 2), 'utf-8');
+    // Write other secrets
+    await writeFile(paths.rpTokenEncryptionKey, secrets.rpTokenEncryptionKey, 'utf-8');
+    await writeFile(paths.adminApiSecret, secrets.adminApiSecret, 'utf-8');
+    await writeFile(paths.keyManagerSecret, secrets.keyManagerSecret, 'utf-8');
+    if (secrets.setupToken) {
+        await writeFile(paths.setupToken, secrets.setupToken, 'utf-8');
+    }
+    // Write metadata
+    const metadata = {
+        kid: secrets.keyPair.keyId,
+        algorithm: 'RS256',
+        keySize: 2048,
+        createdAt: secrets.keyPair.createdAt,
+        files: {
+            privateKey: paths.privateKey,
+            publicKey: paths.publicKey,
+            rpTokenEncryptionKey: paths.rpTokenEncryptionKey,
+        },
+    };
+    await writeFile(paths.metadata, JSON.stringify(metadata, null, 2), 'utf-8');
+}
+/**
+ * Load existing keys from directory
+ */
+export async function loadKeysFromDirectory(keysDir = '.keys') {
+    const metadataPath = join(keysDir, 'metadata.json');
+    if (!existsSync(metadataPath)) {
+        return {};
+    }
+    try {
+        const metadataContent = await readFile(metadataPath, 'utf-8');
+        const metadata = JSON.parse(metadataContent);
+        // Load public key JWK
+        const publicKeyPath = join(keysDir, 'public.jwk.json');
+        let publicKeyJwk;
+        if (existsSync(publicKeyPath)) {
+            const publicKeyContent = await readFile(publicKeyPath, 'utf-8');
+            publicKeyJwk = JSON.parse(publicKeyContent);
+        }
+        return {
+            keyPair: {
+                keyId: metadata.kid,
+                publicKeyJwk,
+                createdAt: metadata.createdAt,
+            },
+            metadata,
+        };
+    }
+    catch {
+        return {};
+    }
+}
+// =============================================================================
+// Wrangler Secret Commands
+// =============================================================================
+/**
+ * Validate a path parameter to prevent path traversal attacks
+ */
+function validatePath(path, paramName) {
+    // Reject paths with traversal patterns
+    if (path.includes('..') || path.includes('\0')) {
+        throw new Error(`Invalid ${paramName}: path traversal detected`);
+    }
+    // Reject shell metacharacters
+    if (/[;&|`$(){}[\]<>!#*?]/.test(path)) {
+        throw new Error(`Invalid ${paramName}: shell metacharacters not allowed`);
+    }
+}
+/**
+ * Validate environment name
+ */
+function validateEnvName(env) {
+    if (!/^[a-z][a-z0-9-]*$/.test(env)) {
+        throw new Error(`Invalid environment name: must be lowercase alphanumeric with hyphens`);
+    }
+}
+/**
+ * Generate wrangler commands for uploading secrets
+ * @deprecated Use uploadSecrets from deploy.ts instead for programmatic upload
+ */
+export function generateWranglerSecretCommands(secrets, keysDir = '.keys', env) {
+    // Validate inputs to prevent command injection
+    validatePath(keysDir, 'keysDir');
+    if (env) {
+        validateEnvName(env);
+    }
+    const envFlag = env ? ` --env ${env}` : '';
+    const commands = [];
+    // Private key (multiline secret)
+    commands.push(`cat ${join(keysDir, 'private.pem')} | wrangler secret put PRIVATE_KEY_PEM${envFlag}`);
+    // RP Token encryption key
+    commands.push(`echo -n "$(cat ${join(keysDir, 'rp_token_encryption_key.txt')})" | wrangler secret put RP_TOKEN_ENCRYPTION_KEY${envFlag}`);
+    // Admin API secret
+    commands.push(`echo -n "$(cat ${join(keysDir, 'admin_api_secret.txt')})" | wrangler secret put ADMIN_API_SECRET${envFlag}`);
+    // Key Manager secret
+    commands.push(`echo -n "$(cat ${join(keysDir, 'key_manager_secret.txt')})" | wrangler secret put KEY_MANAGER_SECRET${envFlag}`);
+    return commands;
+}
+// =============================================================================
+// Validation
+// =============================================================================
+/**
+ * Validate that a private key PEM is valid RSA
+ */
+export function validatePrivateKey(pem) {
+    try {
+        const key = createPrivateKey({
+            key: pem,
+            format: 'pem',
+        });
+        return key.type === 'private' && key.asymmetricKeyType === 'rsa';
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Validate that a public key JWK has required properties
+ */
+export function validatePublicKeyJwk(jwk) {
+    if (!jwk.kty || jwk.kty !== 'RSA')
+        return false;
+    if (!jwk.n || !jwk.e)
+        return false;
+    if (!jwk.kid)
+        return false;
+    return true;
+}
+//# sourceMappingURL=keys.js.map

package/dist/core/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/core/keys.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAClG,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA6D1C,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,KAAK;IAClD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACnE,OAAO,GAAG,MAAM,QAAQ,SAAS,IAAI,SAAS,EAAE,CAAC;AACnD,CAAC;AAED,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc,EAAE,UAAkB,IAAI;IACvE,MAAM,GAAG,GAAG,KAAK,IAAI,aAAa,EAAE,CAAC;IAErC,wBAAwB;IACxB,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;QAC3D,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE;YACjB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,KAAK;SACd;QACD,kBAAkB,EAAE;YAClB,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,KAAK;SACd;KACF,CAAC,CAAC;IAEH,mCAAmC;IACnC,MAAM,eAAe,GAAG,eAAe,CAAC;QACtC,GAAG,EAAE,SAAS;QACd,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAQ,CAAC;IAEnE,8BAA8B;IAC9B,MAAM,eAAe,GAAQ;QAC3B,GAAG,SAAS;QACZ,GAAG;QACH,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,OAAO;KACb,CAAC;IAEF,OAAO;QACL,aAAa,EAAE,UAAU;QACzB,YAAY,EAAE,eAAe;QAC7B,KAAK,EAAE,GAAG;QACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE;IAClD,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB,EAAE;IACrD,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAE1C,OAAO;QACL,OAAO;QACP,oBAAoB,EAAE,iBAAiB,CAAC,EAAE,CAAC,EAAE,cAAc;QAC3D,cAAc,EAAE,oBAAoB,CAAC,EAAE,CAAC,EAAE,iBAAiB;QAC3D,gBAAgB,EAAE,oBAAoB,CAAC,EAAE,CAAC,EAAE,iBAAiB;QAC7D,UAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC,EAAE,kCAAkC;KACtE,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF;;;;GAIG;AACH,SAAS,qBAAqB,CAAC,OAAe;IAC5C,iCAAiC;IACjC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,6CAA6C;IAC7C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,8BAA8B;IAC9B,IAAI,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IACD,qDAAqD;IACrD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,cAAc,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAC3F,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;QACvC,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,GAAG,GAAG,CAAC,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC3E,MAAM,IAAI,KAAK,CAAC,sCAAsC,SAAS,iBAAiB,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IACD,oCAAoC;IACpC,MAAM,gBAAgB,GAAG,CAAC,aAAa,EAAE,mBAAmB,EAAE,cAAc,CAAC,CAAC;IAC9E,KAAK,MAAM,SAAS,IAAI,gBAAgB,EAAE,CAAC;QACzC,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAyB,EACzB,UAAkB,OAAO;IAEzB,8DAA8D;IAC9D,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAE/B,0BAA0B;IAC1B,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,MAAM,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC;QACxC,SAAS,EAAE,IAAI,CAAC,OAAO,EAAE,iBAAiB,CAAC;QAC3C,oBAAoB,EAAE,IAAI,CAAC,OAAO,EAAE,6BAA6B,CAAC;QAClE,cAAc,EAAE,IAAI,CAAC,OAAO,EAAE,sBAAsB,CAAC;QACrD,gBAAgB,EAAE,IAAI,CAAC,OAAO,EAAE,wBAAwB,CAAC;QACzD,UAAU,EAAE,IAAI,CAAC,OAAO,EAAE,iBAAiB,CAAC;QAC5C,QAAQ,EAAE,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC;KACzC,CAAC;IAEF,oBAAoB;IACpB,MAAM,SAAS,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;IAE1E,yBAAyB;IACzB,MAAM,SAAS,CAAC,KAAK,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAEjG,sBAAsB;IACtB,MAAM,SAAS,CAAC,KAAK,CAAC,oBAAoB,EAAE,OAAO,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAC;IACnF,MAAM,SAAS,CAAC,KAAK,CAAC,cAAc,EAAE,OAAO,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;IACvE,MAAM,SAAS,CAAC,KAAK,CAAC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IAE3E,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,MAAM,SAAS,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACjE,CAAC;IAED,iBAAiB;IACjB,MAAM,QAAQ,GAAgB;QAC5B,GAAG,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK;QAC1B,SAAS,EAAE,OAAO;QAClB,OAAO,EAAE,IAAI;QACb,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS;QACpC,KAAK,EAAE;YACL,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;SACjD;KACF,CAAC;IAEF,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AAC9E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,UAAkB,OAAO;IAInE,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IAEpD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAgB,CAAC;QAE5D,sBAAsB;QACtB,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;QACvD,IAAI,YAA6B,CAAC;QAElC,IAAI,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9B,MAAM,gBAAgB,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAChE,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAC9C,CAAC;QAED,OAAO;YACL,OAAO,EAAE;gBACP,KAAK,EAAE,QAAQ,CAAC,GAAG;gBACnB,YAAY;gBACZ,SAAS,EAAE,QAAQ,CAAC,SAAS;aAC9B;YACD,QAAQ;SACT,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;GAEG;AACH,SAAS,YAAY,CAAC,IAAY,EAAE,SAAiB;IACnD,uCAAuC;IACvC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,WAAW,SAAS,2BAA2B,CAAC,CAAC;IACnE,CAAC;IACD,8BAA8B;IAC9B,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,WAAW,SAAS,oCAAoC,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;IAC3F,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,8BAA8B,CAC5C,OAAyB,EACzB,UAAkB,OAAO,EACzB,GAAY;IAEZ,+CAA+C;IAC/C,YAAY,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACjC,IAAI,GAAG,EAAE,CAAC;QACR,eAAe,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3C,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,iCAAiC;IACjC,QAAQ,CAAC,IAAI,CACX,OAAO,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,yCAAyC,OAAO,EAAE,CACtF,CAAC;IAEF,0BAA0B;IAC1B,QAAQ,CAAC,IAAI,CACX,kBAAkB,IAAI,CAAC,OAAO,EAAE,6BAA6B,CAAC,mDAAmD,OAAO,EAAE,CAC3H,CAAC;IAEF,mBAAmB;IACnB,QAAQ,CAAC,IAAI,CACX,kBAAkB,IAAI,CAAC,OAAO,EAAE,sBAAsB,CAAC,4CAA4C,OAAO,EAAE,CAC7G,CAAC;IAEF,qBAAqB;IACrB,QAAQ,CAAC,IAAI,CACX,kBAAkB,IAAI,CAAC,OAAO,EAAE,wBAAwB,CAAC,8CAA8C,OAAO,EAAE,CACjH,CAAC;IAEF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,gBAAgB,CAAC;YAC3B,GAAG,EAAE,GAAG;YACR,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;QACH,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,iBAAiB,KAAK,KAAK,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAQ;IAC3C,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAChD,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACnC,IAAI,CAAC,GAAG,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/core/lock.d.ts

@@ -0,0 +1,220 @@
+/**
+ * Authrim Lock File Module
+ *
+ * Manages authrim-lock.json which records created resource IDs.
+ * This file allows re-deployment and resource management.
+ */
+import { z } from 'zod';
+import type { ProvisionedResources } from './cloudflare.js';
+declare const ResourceEntrySchema: z.ZodObject<{
+    name: z.ZodString;
+    id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    name: string;
+    id: string;
+}, {
+    name: string;
+    id: string;
+}>;
+declare const KVResourceEntrySchema: z.ZodObject<{
+    name: z.ZodString;
+    id: z.ZodString;
+} & {
+    previewId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    name: string;
+    id: string;
+    previewId?: string | undefined;
+}, {
+    name: string;
+    id: string;
+    previewId?: string | undefined;
+}>;
+declare const WorkerEntrySchema: z.ZodObject<{
+    name: z.ZodString;
+    deployedAt: z.ZodOptional<z.ZodString>;
+    version: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    name: string;
+    version?: string | undefined;
+    deployedAt?: string | undefined;
+}, {
+    name: string;
+    version?: string | undefined;
+    deployedAt?: string | undefined;
+}>;
+export declare const AuthrimLockSchema: z.ZodObject<{
+    version: z.ZodDefault<z.ZodString>;
+    createdAt: z.ZodString;
+    updatedAt: z.ZodOptional<z.ZodString>;
+    env: z.ZodString;
+    d1: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
+        name: z.ZodString;
+        id: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        id: string;
+    }, {
+        name: string;
+        id: string;
+    }>>>;
+    kv: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
+        name: z.ZodString;
+        id: z.ZodString;
+    } & {
+        previewId: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        id: string;
+        previewId?: string | undefined;
+    }, {
+        name: string;
+        id: string;
+        previewId?: string | undefined;
+    }>>>;
+    queues: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        name: z.ZodString;
+        id: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        id: string;
+    }, {
+        name: string;
+        id: string;
+    }>>>;
+    r2: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        name: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+    }, {
+        name: string;
+    }>>>;
+    workers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        name: z.ZodString;
+        deployedAt: z.ZodOptional<z.ZodString>;
+        version: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        version?: string | undefined;
+        deployedAt?: string | undefined;
+    }, {
+        name: string;
+        version?: string | undefined;
+        deployedAt?: string | undefined;
+    }>>>;
+}, "strip", z.ZodTypeAny, {
+    version: string;
+    createdAt: string;
+    env: string;
+    d1: Record<string, {
+        name: string;
+        id: string;
+    }>;
+    kv: Record<string, {
+        name: string;
+        id: string;
+        previewId?: string | undefined;
+    }>;
+    r2?: Record<string, {
+        name: string;
+    }> | undefined;
+    updatedAt?: string | undefined;
+    queues?: Record<string, {
+        name: string;
+        id: string;
+    }> | undefined;
+    workers?: Record<string, {
+        name: string;
+        version?: string | undefined;
+        deployedAt?: string | undefined;
+    }> | undefined;
+}, {
+    createdAt: string;
+    env: string;
+    r2?: Record<string, {
+        name: string;
+    }> | undefined;
+    version?: string | undefined;
+    updatedAt?: string | undefined;
+    d1?: Record<string, {
+        name: string;
+        id: string;
+    }> | undefined;
+    kv?: Record<string, {
+        name: string;
+        id: string;
+        previewId?: string | undefined;
+    }> | undefined;
+    queues?: Record<string, {
+        name: string;
+        id: string;
+    }> | undefined;
+    workers?: Record<string, {
+        name: string;
+        version?: string | undefined;
+        deployedAt?: string | undefined;
+    }> | undefined;
+}>;
+export type AuthrimLock = z.infer<typeof AuthrimLockSchema>;
+export type ResourceEntry = z.infer<typeof ResourceEntrySchema>;
+export type KVResourceEntry = z.infer<typeof KVResourceEntrySchema>;
+export type WorkerEntry = z.infer<typeof WorkerEntrySchema>;
+/**
+ * Create a new lock file from provisioned resources
+ */
+export declare function createLockFile(env: string, resources: ProvisionedResources): AuthrimLock;
+/**
+ * Save lock file to disk
+ */
+export declare function saveLockFile(lock: AuthrimLock, path?: string): Promise<void>;
+/** Error class for lock file operations */
+export declare class LockFileError extends Error {
+    readonly cause?: Error | undefined;
+    constructor(message: string, cause?: Error | undefined);
+}
+/**
+ * Load lock file from disk
+ * @throws LockFileError if file exists but cannot be parsed
+ */
+export declare function loadLockFile(path?: string): Promise<AuthrimLock | null>;
+/**
+ * Update worker deployment info in lock file
+ */
+export declare function updateWorkerDeployment(lock: AuthrimLock, workerName: string, deploymentName: string, version?: string): AuthrimLock;
+/**
+ * Convert lock file to ResourceIds format for wrangler.ts
+ */
+export declare function lockToResourceIds(lock: AuthrimLock): {
+    d1: Record<string, {
+        id: string;
+        name: string;
+    }>;
+    kv: Record<string, {
+        id: string;
+        name: string;
+    }>;
+    queues?: Record<string, {
+        id: string;
+        name: string;
+    }>;
+    r2?: Record<string, {
+        name: string;
+    }>;
+};
+/**
+ * Merge two lock files (for updating existing)
+ */
+export declare function mergeLockFiles(existing: AuthrimLock, newData: Partial<AuthrimLock>): AuthrimLock;
+/**
+ * Validate that all required resources exist in lock file
+ */
+export declare function validateLockFile(lock: AuthrimLock): {
+    valid: boolean;
+    missing: string[];
+};
+/**
+ * Generate summary of resources in lock file
+ */
+export declare function getLockFileSummary(lock: AuthrimLock): string;
+export {};
+//# sourceMappingURL=lock.d.ts.map

package/dist/core/lock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lock.d.ts","sourceRoot":"","sources":["../../src/core/lock.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAM5D,QAAA,MAAM,mBAAmB;;;;;;;;;EAGvB,CAAC;AAEH,QAAA,MAAM,qBAAqB;;;;;;;;;;;;;EAEzB,CAAC;AAEH,QAAA,MAAM,iBAAiB;;;;;;;;;;;;EAIrB,CAAC;AAEH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAW5B,CAAC;AAEH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAC5D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACpE,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAM5D;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,oBAAoB,GAAG,WAAW,CAmDxF;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,IAAI,EAAE,WAAW,EACjB,IAAI,GAAE,MAA4B,GACjC,OAAO,CAAC,IAAI,CAAC,CAGf;AAED,2CAA2C;AAC3C,qBAAa,aAAc,SAAQ,KAAK;aAGpB,KAAK,CAAC,EAAE,KAAK;gBAD7B,OAAO,EAAE,MAAM,EACC,KAAK,CAAC,EAAE,KAAK,YAAA;CAKhC;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAChC,IAAI,GAAE,MAA4B,GACjC,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAsB7B;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,WAAW,EACjB,UAAU,EAAE,MAAM,EAClB,cAAc,EAAE,MAAM,EACtB,OAAO,CAAC,EAAE,MAAM,GACf,WAAW,CAYb;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,WAAW,GAAG;IACpD,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACjD,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACjD,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtD,EAAE,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACvC,CASA;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,WAAW,CAWhG;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,WAAW,GAAG;IACnD,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CAuBA;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,WAAW,GAAG,MAAM,CAwC5D"}