@authrim/setup 0.1.140 → 0.1.142

package/dist/core/keys.js

@@ -4,13 +4,14 @@
  * Generates RSA key pairs for JWT signing and other cryptographic secrets.
  * Based on the existing setup-keys.sh script functionality.
  *
- * Supports both legacy (.keys/{env}/) and new (.authrim/{env}/keys/) structures.
+ * Supports external (.authrim-keys/{env}/), internal (.authrim/{env}/keys/),
+ * and legacy (.keys/{env}/) key storage structures.
  */
 import { randomBytes, generateKeyPairSync, createPublicKey, createPrivateKey } from 'node:crypto';
-import { writeFile, mkdir, readFile } from 'node:fs/promises';
+import { writeFile, mkdir, readFile, chmod } from 'node:fs/promises';
 import { existsSync } from 'node:fs';
 import { join, resolve } from 'node:path';
-import { getEnvironmentPaths, getLegacyPaths, resolvePaths, } from './paths.js';
+import { getEnvironmentPaths, getExternalKeysDir, getLegacyPaths, findKeysDirectory, resolvePaths, } from './paths.js';
 // =============================================================================
 // Key ID Generation
 // =============================================================================
@@ -120,8 +121,14 @@ function validateKeysDirectory(keysDir) {
     if (/[;&|`$(){}[\]<>!#*?]/.test(keysDir)) {
         throw new Error('Invalid keys directory: shell metacharacters not allowed');
     }
-    // Reject absolute paths to system directories (Unix)
     const absolutePath = resolve(keysDir);
+    const cwd = process.cwd();
+    // Allow paths within the current working directory (project paths are safe)
+    // This allows CI environments like GitHub Actions (/home/runner/work/...)
+    if (absolutePath.startsWith(cwd + '/') || absolutePath === cwd) {
+        return;
+    }
+    // Reject absolute paths to system directories (Unix)
     const dangerousPaths = ['/etc', '/usr', '/bin', '/sbin', '/var', '/tmp', '/root', '/home'];
     for (const dangerous of dangerousPaths) {
         if (absolutePath.startsWith(dangerous + '/') || absolutePath === dangerous) {
@@ -139,7 +146,12 @@ function validateKeysDirectory(keysDir) {
 /**
  * Get environment-specific keys directory path
  *
- * @param baseDir - Base directory (usually cwd)
+ * Search order when keysBaseDir is provided:
+ * 1. External: {keysBaseDir}/.authrim-keys/{env}/
+ * 2. Internal: {baseDir}/.authrim/{env}/keys/
+ * 3. Legacy: {baseDir}/.keys/{env}/
+ *
+ * @param baseDir - Base directory (usually source dir)
  * @param env - Environment name
  * @param options - Options for path resolution
  * @returns Path to the keys directory
@@ -148,6 +160,15 @@ export function getKeysDirectory(baseDir, env, options) {
     if (options?.legacy) {
         return getLegacyPaths(baseDir, env).keys;
     }
+    // If keysBaseDir is provided, use findKeysDirectory for 3-tier fallback
+    if (options?.keysBaseDir) {
+        const found = findKeysDirectory({ env, sourceDir: baseDir, keysBaseDir: options.keysBaseDir });
+        if (found) {
+            return found.path;
+        }
+        // Default to external for new environments
+        return getExternalKeysDir(env, options.keysBaseDir);
+    }
     // Check if existing structure should be used
     const resolved = resolvePaths({ baseDir, env });
     if (resolved.type === 'legacy') {
@@ -170,9 +191,20 @@ export function getLegacyKeysDirectory(baseDir, env) {
 }
 /**
  * Check if keys already exist for an environment
- * Checks both new and legacy structures
+ * Checks external, internal (new), and legacy structures
+ *
+ * @param baseDir - Source directory
+ * @param env - Environment name
+ * @param keysBaseDir - Optional base directory for external keys
  */
-export function keysExistForEnvironment(baseDir, env) {
+export function keysExistForEnvironment(baseDir, env, keysBaseDir) {
+    // Check external structure
+    if (keysBaseDir) {
+        const externalDir = getExternalKeysDir(env, keysBaseDir);
+        if (existsSync(join(externalDir, 'metadata.json'))) {
+            return true;
+        }
+    }
     // Check new structure
     const newPaths = getEnvironmentPaths({ baseDir, env });
     const newMetadataPath = join(newPaths.keys, 'metadata.json');
@@ -202,12 +234,16 @@ export async function saveKeysToDirectory(secrets, options = {}, legacyEnv) {
         targetDir = legacyEnv ? join(options, legacyEnv) : options;
     }
     else {
-        const { baseDir = process.cwd(), env, legacy, targetDir: explicitDir } = options;
+        const { baseDir = process.cwd(), env, legacy, targetDir: explicitDir, keysBaseDir } = options;
         if (explicitDir) {
             targetDir = explicitDir;
         }
         else if (env) {
-            if (legacy) {
+            if (keysBaseDir) {
+                // External keys: {keysBaseDir}/.authrim-keys/{env}/
+                targetDir = getExternalKeysDir(env, keysBaseDir);
+            }
+            else if (legacy) {
                 targetDir = getLegacyPaths(baseDir, env).keys;
             }
             else {
@@ -220,9 +256,9 @@ export async function saveKeysToDirectory(secrets, options = {}, legacyEnv) {
     }
     // Security: Validate directory path to prevent path traversal
     validateKeysDirectory(targetDir);
-    // Ensure directory exists
+    // Ensure directory exists with restrictive permissions (owner-only access)
     if (!existsSync(targetDir)) {
-        await mkdir(targetDir, { recursive: true });
+        await mkdir(targetDir, { recursive: true, mode: 0o700 });
     }
     const paths = {
         privateKey: join(targetDir, 'private.pem'),
@@ -233,16 +269,24 @@ export async function saveKeysToDirectory(secrets, options = {}, legacyEnv) {
         setupToken: join(targetDir, 'setup_token.txt'),
         metadata: join(targetDir, 'metadata.json'),
     };
+    // Sensitive file permission: owner read/write only
+    const SENSITIVE_FILE_MODE = 0o600;
     // Write private key
     await writeFile(paths.privateKey, secrets.keyPair.privateKeyPem, 'utf-8');
+    await chmod(paths.privateKey, SENSITIVE_FILE_MODE);
     // Write public key (JWK)
     await writeFile(paths.publicKey, JSON.stringify(secrets.keyPair.publicKeyJwk, null, 2), 'utf-8');
+    await chmod(paths.publicKey, SENSITIVE_FILE_MODE);
     // Write other secrets
     await writeFile(paths.rpTokenEncryptionKey, secrets.rpTokenEncryptionKey, 'utf-8');
+    await chmod(paths.rpTokenEncryptionKey, SENSITIVE_FILE_MODE);
     await writeFile(paths.adminApiSecret, secrets.adminApiSecret, 'utf-8');
+    await chmod(paths.adminApiSecret, SENSITIVE_FILE_MODE);
     await writeFile(paths.keyManagerSecret, secrets.keyManagerSecret, 'utf-8');
+    await chmod(paths.keyManagerSecret, SENSITIVE_FILE_MODE);
     if (secrets.setupToken) {
         await writeFile(paths.setupToken, secrets.setupToken, 'utf-8');
+        await chmod(paths.setupToken, SENSITIVE_FILE_MODE);
     }
     // Write metadata
     const metadata = {
@@ -257,6 +301,7 @@ export async function saveKeysToDirectory(secrets, options = {}, legacyEnv) {
         },
     };
     await writeFile(paths.metadata, JSON.stringify(metadata, null, 2), 'utf-8');
+    await chmod(paths.metadata, SENSITIVE_FILE_MODE);
 }
 /**
  * Load existing keys from directory
@@ -273,18 +318,31 @@ export async function loadKeysFromDirectory(options = {}, legacyEnv) {
         targetDir = legacyEnv ? join(options, legacyEnv) : options;
     }
     else {
-        const { baseDir = process.cwd(), env, targetDir: explicitDir } = options;
+        const { baseDir = process.cwd(), env, targetDir: explicitDir, keysBaseDir } = options;
         if (explicitDir) {
             targetDir = explicitDir;
         }
         else if (env) {
-            // Auto-detect which structure to use
-            const resolved = resolvePaths({ baseDir, env });
-            if (resolved.type === 'legacy') {
-                targetDir = resolved.paths.keys;
+            // Use findKeysDirectory for 3-tier search when keysBaseDir is provided
+            if (keysBaseDir) {
+                const found = findKeysDirectory({ env, sourceDir: baseDir, keysBaseDir });
+                if (found) {
+                    targetDir = found.path;
+                }
+                else {
+                    // No keys found anywhere
+                    return {};
+                }
             }
             else {
-                targetDir = resolved.paths.keys;
+                // Auto-detect which structure to use
+                const resolved = resolvePaths({ baseDir, env });
+                if (resolved.type === 'legacy') {
+                    targetDir = resolved.paths.keys;
+                }
+                else {
+                    targetDir = resolved.paths.keys;
+                }
             }
         }
         else {
@@ -356,6 +414,8 @@ export function generateWranglerSecretCommands(secrets, keysDir = '.keys', env)
     const commands = [];
     // Private key (multiline secret)
     commands.push(`cat ${join(keysDir, 'private.pem')} | wrangler secret put PRIVATE_KEY_PEM${envFlag}`);
+    // Public JWK
+    commands.push(`cat ${join(keysDir, 'public.jwk.json')} | wrangler secret put PUBLIC_JWK_JSON${envFlag}`);
     // RP Token encryption key
     commands.push(`echo -n "$(cat ${join(keysDir, 'rp_token_encryption_key.txt')})" | wrangler secret put RP_TOKEN_ENCRYPTION_KEY${envFlag}`);
     // Admin API secret

package/dist/core/keys.js.map

@@ -1 +1 @@
-{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/core/keys.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAClG,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,YAAY,GAGb,MAAM,YAAY,CAAC;AA6DpB,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,KAAK;IAClD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACnE,OAAO,GAAG,MAAM,QAAQ,SAAS,IAAI,SAAS,EAAE,CAAC;AACnD,CAAC;AAED,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc,EAAE,UAAkB,IAAI;IACvE,MAAM,GAAG,GAAG,KAAK,IAAI,aAAa,EAAE,CAAC;IAErC,wBAAwB;IACxB,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;QAC3D,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE;YACjB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,KAAK;SACd;QACD,kBAAkB,EAAE;YAClB,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,KAAK;SACd;KACF,CAAC,CAAC;IAEH,mCAAmC;IACnC,MAAM,eAAe,GAAG,eAAe,CAAC;QACtC,GAAG,EAAE,SAAS;QACd,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAQ,CAAC;IAEnE,8BAA8B;IAC9B,MAAM,eAAe,GAAQ;QAC3B,GAAG,SAAS;QACZ,GAAG;QACH,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,OAAO;KACb,CAAC;IAEF,OAAO;QACL,aAAa,EAAE,UAAU;QACzB,YAAY,EAAE,eAAe;QAC7B,KAAK,EAAE,GAAG;QACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE;IAClD,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB,EAAE;IACrD,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAE1C,OAAO;QACL,OAAO;QACP,oBAAoB,EAAE,iBAAiB,CAAC,EAAE,CAAC,EAAE,cAAc;QAC3D,cAAc,EAAE,oBAAoB,CAAC,EAAE,CAAC,EAAE,iBAAiB;QAC3D,gBAAgB,EAAE,oBAAoB,CAAC,EAAE,CAAC,EAAE,iBAAiB;QAC7D,UAAU,EAAE,oBAAoB,CAAC,EAAE,CAAC,EAAE,2CAA2C;KAClF,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF;;;;GAIG;AACH,SAAS,qBAAqB,CAAC,OAAe;IAC5C,iCAAiC;IACjC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,6CAA6C;IAC7C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,8BAA8B;IAC9B,IAAI,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IACD,qDAAqD;IACrD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,cAAc,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAC3F,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;QACvC,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,GAAG,GAAG,CAAC,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC3E,MAAM,IAAI,KAAK,CAAC,sCAAsC,SAAS,iBAAiB,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IACD,oCAAoC;IACpC,MAAM,gBAAgB,GAAG,CAAC,aAAa,EAAE,mBAAmB,EAAE,cAAc,CAAC,CAAC;IAC9E,KAAK,MAAM,SAAS,IAAI,gBAAgB,EAAE,CAAC;QACzC,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;AACH,CAAC;AAOD;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAe,EACf,GAAW,EACX,OAA8B;IAE9B,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;QACpB,OAAO,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED,6CAA6C;IAC7C,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;IAChD,IAAI,QAAQ,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/B,OAAQ,QAAQ,CAAC,KAAqB,CAAC,IAAI,CAAC;IAC9C,CAAC;IAED,OAAQ,QAAQ,CAAC,KAA0B,CAAC,IAAI,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,GAAW;IAC9D,OAAO,mBAAmB,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC;AACpD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe,EAAE,GAAW;IACjE,OAAO,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC;AAC3C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAe,EAAE,GAAW;IAClE,sBAAsB;IACtB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;IACvD,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IAC7D,IAAI,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,yBAAyB;IACzB,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACjD,MAAM,kBAAkB,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IACnE,OAAO,UAAU,CAAC,kBAAkB,CAAC,CAAC;AACxC,CAAC;AAaD;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAyB,EACzB,UAAoC,EAAE,EACtC,SAAkB;IAElB,IAAI,SAAiB,CAAC;IAEtB,gFAAgF;IAChF,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,4DAA4D;QAC5D,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7D,CAAC;SAAM,CAAC;QACN,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;QAEjF,IAAI,WAAW,EAAE,CAAC;YAChB,SAAS,GAAG,WAAW,CAAC;QAC1B,CAAC;aAAM,IAAI,GAAG,EAAE,CAAC;YACf,IAAI,MAAM,EAAE,CAAC;gBACX,SAAS,GAAG,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC;YAChD,CAAC;iBAAM,CAAC;gBACN,SAAS,GAAG,mBAAmB,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC;YACzD,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,qBAAqB,CAAC,SAAS,CAAC,CAAC;IAEjC,0BAA0B;IAC1B,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,MAAM,KAAK,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC;QAC1C,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC;QAC7C,oBAAoB,EAAE,IAAI,CAAC,SAAS,EAAE,6BAA6B,CAAC;QACpE,cAAc,EAAE,IAAI,CAAC,SAAS,EAAE,sBAAsB,CAAC;QACvD,gBAAgB,EAAE,IAAI,CAAC,SAAS,EAAE,wBAAwB,CAAC;QAC3D,UAAU,EAAE,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC;QAC9C,QAAQ,EAAE,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;KAC3C,CAAC;IAEF,oBAAoB;IACpB,MAAM,SAAS,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;IAE1E,yBAAyB;IACzB,MAAM,SAAS,CAAC,KAAK,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAEjG,sBAAsB;IACtB,MAAM,SAAS,CAAC,KAAK,CAAC,oBAAoB,EAAE,OAAO,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAC;IACnF,MAAM,SAAS,CAAC,KAAK,CAAC,cAAc,EAAE,OAAO,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;IACvE,MAAM,SAAS,CAAC,KAAK,CAAC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IAE3E,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,MAAM,SAAS,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACjE,CAAC;IAED,iBAAiB;IACjB,MAAM,QAAQ,GAAgB;QAC5B,GAAG,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK;QAC1B,SAAS,EAAE,OAAO;QAClB,OAAO,EAAE,IAAI;QACb,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS;QACpC,KAAK,EAAE;YACL,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;SACjD;KACF,CAAC;IAEF,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AAC9E,CAAC;AAWD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,UAAoC,EAAE,EACtC,SAAkB;IAKlB,IAAI,SAAiB,CAAC;IAEtB,2EAA2E;IAC3E,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7D,CAAC;SAAM,CAAC;QACN,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;QAEzE,IAAI,WAAW,EAAE,CAAC;YAChB,SAAS,GAAG,WAAW,CAAC;QAC1B,CAAC;aAAM,IAAI,GAAG,EAAE,CAAC;YACf,qCAAqC;YACrC,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;YAChD,IAAI,QAAQ,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC/B,SAAS,GAAI,QAAQ,CAAC,KAAqB,CAAC,IAAI,CAAC;YACnD,CAAC;iBAAM,CAAC;gBACN,SAAS,GAAI,QAAQ,CAAC,KAA0B,CAAC,IAAI,CAAC;YACxD,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAEtD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAgB,CAAC;QAE5D,sBAAsB;QACtB,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;QACzD,IAAI,YAA6B,CAAC;QAElC,IAAI,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9B,MAAM,gBAAgB,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAChE,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAC9C,CAAC;QAED,OAAO;YACL,OAAO,EAAE;gBACP,KAAK,EAAE,QAAQ,CAAC,GAAG;gBACnB,YAAY;gBACZ,SAAS,EAAE,QAAQ,CAAC,SAAS;aAC9B;YACD,QAAQ;SACT,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;GAEG;AACH,SAAS,YAAY,CAAC,IAAY,EAAE,SAAiB;IACnD,uCAAuC;IACvC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,WAAW,SAAS,2BAA2B,CAAC,CAAC;IACnE,CAAC;IACD,8BAA8B;IAC9B,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,WAAW,SAAS,oCAAoC,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;IAC3F,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,8BAA8B,CAC5C,OAAyB,EACzB,UAAkB,OAAO,EACzB,GAAY;IAEZ,+CAA+C;IAC/C,YAAY,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACjC,IAAI,GAAG,EAAE,CAAC;QACR,eAAe,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3C,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,iCAAiC;IACjC,QAAQ,CAAC,IAAI,CACX,OAAO,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,yCAAyC,OAAO,EAAE,CACtF,CAAC;IAEF,0BAA0B;IAC1B,QAAQ,CAAC,IAAI,CACX,kBAAkB,IAAI,CAAC,OAAO,EAAE,6BAA6B,CAAC,mDAAmD,OAAO,EAAE,CAC3H,CAAC;IAEF,mBAAmB;IACnB,QAAQ,CAAC,IAAI,CACX,kBAAkB,IAAI,CAAC,OAAO,EAAE,sBAAsB,CAAC,4CAA4C,OAAO,EAAE,CAC7G,CAAC;IAEF,qBAAqB;IACrB,QAAQ,CAAC,IAAI,CACX,kBAAkB,IAAI,CAAC,OAAO,EAAE,wBAAwB,CAAC,8CAA8C,OAAO,EAAE,CACjH,CAAC;IAEF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,gBAAgB,CAAC;YAC3B,GAAG,EAAE,GAAG;YACR,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;QACH,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,iBAAiB,KAAK,KAAK,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAQ;IAC3C,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAChD,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACnC,IAAI,CAAC,GAAG,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/core/keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAClG,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,EACd,iBAAiB,EACjB,YAAY,GAGb,MAAM,YAAY,CAAC;AA6DpB,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,KAAK;IAClD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACnE,OAAO,GAAG,MAAM,QAAQ,SAAS,IAAI,SAAS,EAAE,CAAC;AACnD,CAAC;AAED,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc,EAAE,UAAkB,IAAI;IACvE,MAAM,GAAG,GAAG,KAAK,IAAI,aAAa,EAAE,CAAC;IAErC,wBAAwB;IACxB,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;QAC3D,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE;YACjB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,KAAK;SACd;QACD,kBAAkB,EAAE;YAClB,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,KAAK;SACd;KACF,CAAC,CAAC;IAEH,mCAAmC;IACnC,MAAM,eAAe,GAAG,eAAe,CAAC;QACtC,GAAG,EAAE,SAAS;QACd,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAQ,CAAC;IAEnE,8BAA8B;IAC9B,MAAM,eAAe,GAAQ;QAC3B,GAAG,SAAS;QACZ,GAAG;QACH,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,OAAO;KACb,CAAC;IAEF,OAAO;QACL,aAAa,EAAE,UAAU;QACzB,YAAY,EAAE,eAAe;QAC7B,KAAK,EAAE,GAAG;QACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE;IAClD,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB,EAAE;IACrD,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAE1C,OAAO;QACL,OAAO;QACP,oBAAoB,EAAE,iBAAiB,CAAC,EAAE,CAAC,EAAE,cAAc;QAC3D,cAAc,EAAE,oBAAoB,CAAC,EAAE,CAAC,EAAE,iBAAiB;QAC3D,gBAAgB,EAAE,oBAAoB,CAAC,EAAE,CAAC,EAAE,iBAAiB;QAC7D,UAAU,EAAE,oBAAoB,CAAC,EAAE,CAAC,EAAE,2CAA2C;KAClF,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF;;;;GAIG;AACH,SAAS,qBAAqB,CAAC,OAAe;IAC5C,iCAAiC;IACjC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,6CAA6C;IAC7C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,8BAA8B;IAC9B,IAAI,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAE1B,4EAA4E;IAC5E,0EAA0E;IAC1E,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC,IAAI,YAAY,KAAK,GAAG,EAAE,CAAC;QAC/D,OAAO;IACT,CAAC;IAED,qDAAqD;IACrD,MAAM,cAAc,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAC3F,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;QACvC,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,GAAG,GAAG,CAAC,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC3E,MAAM,IAAI,KAAK,CAAC,sCAAsC,SAAS,iBAAiB,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IACD,oCAAoC;IACpC,MAAM,gBAAgB,GAAG,CAAC,aAAa,EAAE,mBAAmB,EAAE,cAAc,CAAC,CAAC;IAC9E,KAAK,MAAM,SAAS,IAAI,gBAAgB,EAAE,CAAC;QACzC,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;AACH,CAAC;AASD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAe,EACf,GAAW,EACX,OAA8B;IAE9B,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;QACpB,OAAO,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED,wEAAwE;IACxE,IAAI,OAAO,EAAE,WAAW,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,iBAAiB,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;QAC/F,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,CAAC;QACD,2CAA2C;QAC3C,OAAO,kBAAkB,CAAC,GAAG,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IACtD,CAAC;IAED,6CAA6C;IAC7C,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;IAChD,IAAI,QAAQ,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/B,OAAQ,QAAQ,CAAC,KAAqB,CAAC,IAAI,CAAC;IAC9C,CAAC;IAED,OAAQ,QAAQ,CAAC,KAA0B,CAAC,IAAI,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,GAAW;IAC9D,OAAO,mBAAmB,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC;AACpD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe,EAAE,GAAW;IACjE,OAAO,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC;AAC3C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,uBAAuB,CACrC,OAAe,EACf,GAAW,EACX,WAAoB;IAEpB,2BAA2B;IAC3B,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,WAAW,GAAG,kBAAkB,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;QACzD,IAAI,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC,EAAE,CAAC;YACnD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;IACvD,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IAC7D,IAAI,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,yBAAyB;IACzB,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACjD,MAAM,kBAAkB,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IACnE,OAAO,UAAU,CAAC,kBAAkB,CAAC,CAAC;AACxC,CAAC;AAeD;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAyB,EACzB,UAAoC,EAAE,EACtC,SAAkB;IAElB,IAAI,SAAiB,CAAC;IAEtB,gFAAgF;IAChF,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,4DAA4D;QAC5D,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7D,CAAC;SAAM,CAAC;QACN,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;QAE9F,IAAI,WAAW,EAAE,CAAC;YAChB,SAAS,GAAG,WAAW,CAAC;QAC1B,CAAC;aAAM,IAAI,GAAG,EAAE,CAAC;YACf,IAAI,WAAW,EAAE,CAAC;gBAChB,oDAAoD;gBACpD,SAAS,GAAG,kBAAkB,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;YACnD,CAAC;iBAAM,IAAI,MAAM,EAAE,CAAC;gBAClB,SAAS,GAAG,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC;YAChD,CAAC;iBAAM,CAAC;gBACN,SAAS,GAAG,mBAAmB,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC;YACzD,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,qBAAqB,CAAC,SAAS,CAAC,CAAC;IAEjC,2EAA2E;IAC3E,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,MAAM,KAAK,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC;QAC1C,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC;QAC7C,oBAAoB,EAAE,IAAI,CAAC,SAAS,EAAE,6BAA6B,CAAC;QACpE,cAAc,EAAE,IAAI,CAAC,SAAS,EAAE,sBAAsB,CAAC;QACvD,gBAAgB,EAAE,IAAI,CAAC,SAAS,EAAE,wBAAwB,CAAC;QAC3D,UAAU,EAAE,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC;QAC9C,QAAQ,EAAE,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;KAC3C,CAAC;IAEF,mDAAmD;IACnD,MAAM,mBAAmB,GAAG,KAAK,CAAC;IAElC,oBAAoB;IACpB,MAAM,SAAS,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;IAC1E,MAAM,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAC;IAEnD,yBAAyB;IACzB,MAAM,SAAS,CAAC,KAAK,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACjG,MAAM,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;IAElD,sBAAsB;IACtB,MAAM,SAAS,CAAC,KAAK,CAAC,oBAAoB,EAAE,OAAO,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAC;IACnF,MAAM,KAAK,CAAC,KAAK,CAAC,oBAAoB,EAAE,mBAAmB,CAAC,CAAC;IAC7D,MAAM,SAAS,CAAC,KAAK,CAAC,cAAc,EAAE,OAAO,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;IACvE,MAAM,KAAK,CAAC,KAAK,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC;IACvD,MAAM,SAAS,CAAC,KAAK,CAAC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IAC3E,MAAM,KAAK,CAAC,KAAK,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAC;IAEzD,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,MAAM,SAAS,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAC/D,MAAM,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAC;IACrD,CAAC;IAED,iBAAiB;IACjB,MAAM,QAAQ,GAAgB;QAC5B,GAAG,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK;QAC1B,SAAS,EAAE,OAAO;QAClB,OAAO,EAAE,IAAI;QACb,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS;QACpC,KAAK,EAAE;YACL,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;SACjD;KACF,CAAC;IAEF,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAC5E,MAAM,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,mBAAmB,CAAC,CAAC;AACnD,CAAC;AAaD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,UAAoC,EAAE,EACtC,SAAkB;IAKlB,IAAI,SAAiB,CAAC;IAEtB,2EAA2E;IAC3E,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7D,CAAC;SAAM,CAAC;QACN,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;QAEtF,IAAI,WAAW,EAAE,CAAC;YAChB,SAAS,GAAG,WAAW,CAAC;QAC1B,CAAC;aAAM,IAAI,GAAG,EAAE,CAAC;YACf,uEAAuE;YACvE,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,KAAK,GAAG,iBAAiB,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;gBAC1E,IAAI,KAAK,EAAE,CAAC;oBACV,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC;gBACzB,CAAC;qBAAM,CAAC;oBACN,yBAAyB;oBACzB,OAAO,EAAE,CAAC;gBACZ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,qCAAqC;gBACrC,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;gBAChD,IAAI,QAAQ,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC/B,SAAS,GAAI,QAAQ,CAAC,KAAqB,CAAC,IAAI,CAAC;gBACnD,CAAC;qBAAM,CAAC;oBACN,SAAS,GAAI,QAAQ,CAAC,KAA0B,CAAC,IAAI,CAAC;gBACxD,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAEtD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAgB,CAAC;QAE5D,sBAAsB;QACtB,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;QACzD,IAAI,YAA6B,CAAC;QAElC,IAAI,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9B,MAAM,gBAAgB,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAChE,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAC9C,CAAC;QAED,OAAO;YACL,OAAO,EAAE;gBACP,KAAK,EAAE,QAAQ,CAAC,GAAG;gBACnB,YAAY;gBACZ,SAAS,EAAE,QAAQ,CAAC,SAAS;aAC9B;YACD,QAAQ;SACT,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;GAEG;AACH,SAAS,YAAY,CAAC,IAAY,EAAE,SAAiB;IACnD,uCAAuC;IACvC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,WAAW,SAAS,2BAA2B,CAAC,CAAC;IACnE,CAAC;IACD,8BAA8B;IAC9B,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,WAAW,SAAS,oCAAoC,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;IAC3F,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,8BAA8B,CAC5C,OAAyB,EACzB,UAAkB,OAAO,EACzB,GAAY;IAEZ,+CAA+C;IAC/C,YAAY,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACjC,IAAI,GAAG,EAAE,CAAC;QACR,eAAe,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3C,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,iCAAiC;IACjC,QAAQ,CAAC,IAAI,CACX,OAAO,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,yCAAyC,OAAO,EAAE,CACtF,CAAC;IAEF,aAAa;IACb,QAAQ,CAAC,IAAI,CACX,OAAO,IAAI,CAAC,OAAO,EAAE,iBAAiB,CAAC,yCAAyC,OAAO,EAAE,CAC1F,CAAC;IAEF,0BAA0B;IAC1B,QAAQ,CAAC,IAAI,CACX,kBAAkB,IAAI,CAAC,OAAO,EAAE,6BAA6B,CAAC,mDAAmD,OAAO,EAAE,CAC3H,CAAC;IAEF,mBAAmB;IACnB,QAAQ,CAAC,IAAI,CACX,kBAAkB,IAAI,CAAC,OAAO,EAAE,sBAAsB,CAAC,4CAA4C,OAAO,EAAE,CAC7G,CAAC;IAEF,qBAAqB;IACrB,QAAQ,CAAC,IAAI,CACX,kBAAkB,IAAI,CAAC,OAAO,EAAE,wBAAwB,CAAC,8CAA8C,OAAO,EAAE,CACjH,CAAC;IAEF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,gBAAgB,CAAC;YAC3B,GAAG,EAAE,GAAG;YACR,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;QACH,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,iBAAiB,KAAK,KAAK,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAQ;IAC3C,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAChD,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACnC,IAAI,CAAC,GAAG,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/core/login-ui-client.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Login UI Client Auto-Creation Module
+ *
+ * Creates an OAuth client for the Login UI during deployment.
+ * The Login UI needs its own client_id for SDK integration and
+ * OAuth callback handling.
+ *
+ * Flow:
+ * 1. After workers are deployed, Admin API is available
+ * 2. Read ADMIN_API_SECRET from keys directory
+ * 3. Check if Login UI client already exists
+ * 4. Create client via POST /api/admin/clients with Bearer token
+ * 5. Return client_id for inclusion in ui.env
+ */
+export interface LoginUiClientConfig {
+    /** API base URL (e.g., https://prod-ar-router.workers.dev) */
+    apiBaseUrl: string;
+    /** Login UI URL (e.g., https://prod-ar-login-ui.pages.dev) */
+    loginUiUrl: string;
+    /** Path to admin_api_secret.txt */
+    adminApiSecretPath: string;
+    /** Progress callback */
+    onProgress?: (message: string) => void;
+}
+export interface LoginUiClientResult {
+    /** Whether the operation succeeded */
+    success: boolean;
+    /** The client_id of the Login UI client */
+    clientId?: string;
+    /** Whether the client already existed */
+    alreadyExists?: boolean;
+    /** Error message if failed */
+    error?: string;
+}
+/**
+ * Ensure a Login UI OAuth client exists, creating one if necessary.
+ *
+ * This is idempotent: if a client named "Login UI" with is_trusted=true
+ * already exists, its client_id is returned without creating a new one.
+ */
+export declare function ensureLoginUiClient(config: LoginUiClientConfig): Promise<LoginUiClientResult>;
+//# sourceMappingURL=login-ui-client.d.ts.map

package/dist/core/login-ui-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login-ui-client.d.ts","sourceRoot":"","sources":["../../src/core/login-ui-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AASH,MAAM,WAAW,mBAAmB;IAClC,8DAA8D;IAC9D,UAAU,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,UAAU,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,wBAAwB;IACxB,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CACxC;AAED,MAAM,WAAW,mBAAmB;IAClC,sCAAsC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AA8KD;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,mBAAmB,CAAC,CA8C9B"}

package/dist/core/login-ui-client.js

@@ -0,0 +1,173 @@
+/**
+ * Login UI Client Auto-Creation Module
+ *
+ * Creates an OAuth client for the Login UI during deployment.
+ * The Login UI needs its own client_id for SDK integration and
+ * OAuth callback handling.
+ *
+ * Flow:
+ * 1. After workers are deployed, Admin API is available
+ * 2. Read ADMIN_API_SECRET from keys directory
+ * 3. Check if Login UI client already exists
+ * 4. Create client via POST /api/admin/clients with Bearer token
+ * 5. Return client_id for inclusion in ui.env
+ */
+import { readFile } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+// =============================================================================
+// Constants
+// =============================================================================
+/** Client name used for the Login UI */
+const LOGIN_UI_CLIENT_NAME = 'Login UI';
+// =============================================================================
+// Implementation
+// =============================================================================
+/**
+ * Build the redirect URIs for the Login UI client
+ */
+function buildRedirectUris(loginUiUrl) {
+    // Remove trailing slash
+    const baseUrl = loginUiUrl.replace(/\/$/, '');
+    return [
+        `${baseUrl}/callback`,
+        `${baseUrl}/reauth/callback`,
+        `${baseUrl}/device/callback`,
+        `${baseUrl}/ciba/callback`,
+    ];
+}
+/**
+ * Read the admin API secret from the keys directory
+ */
+async function readAdminApiSecret(secretPath) {
+    if (!existsSync(secretPath)) {
+        throw new Error(`Admin API secret not found: ${secretPath}`);
+    }
+    const secret = await readFile(secretPath, 'utf-8');
+    return secret.trim();
+}
+/**
+ * Check if a Login UI client already exists.
+ * Returns client_id and whether migration to public client is needed.
+ */
+async function findExistingClient(apiBaseUrl, adminSecret) {
+    const response = await fetch(`${apiBaseUrl}/api/admin/clients?search=${encodeURIComponent(LOGIN_UI_CLIENT_NAME)}&limit=10`, {
+        method: 'GET',
+        headers: {
+            Authorization: `Bearer ${adminSecret}`,
+            Accept: 'application/json',
+        },
+    });
+    if (!response.ok) {
+        return null;
+    }
+    const data = (await response.json());
+    const existing = data.clients?.find((c) => c.client_name === LOGIN_UI_CLIENT_NAME && c.is_trusted === true);
+    if (!existing)
+        return null;
+    return {
+        clientId: existing.client_id,
+        needsMigration: existing.token_endpoint_auth_method !== 'none' || existing.require_pkce !== true,
+    };
+}
+/**
+ * Update an existing Login UI client to use public client configuration.
+ * Migrates from client_secret_basic to none + require_pkce.
+ */
+async function updateClientToPublic(apiBaseUrl, adminSecret, clientId) {
+    const response = await fetch(`${apiBaseUrl}/api/admin/clients/${clientId}`, {
+        method: 'PUT',
+        headers: {
+            Authorization: `Bearer ${adminSecret}`,
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+        },
+        body: JSON.stringify({
+            token_endpoint_auth_method: 'none',
+            require_pkce: true,
+        }),
+    });
+    if (!response.ok) {
+        const errorBody = await response.text().catch(() => 'Unknown error');
+        throw new Error(`Failed to update Login UI client to public client (${response.status}): ${errorBody}`);
+    }
+}
+/**
+ * Create a new Login UI client via Admin API
+ */
+async function createClient(apiBaseUrl, adminSecret, loginUiUrl) {
+    const redirectUris = buildRedirectUris(loginUiUrl);
+    const response = await fetch(`${apiBaseUrl}/api/admin/clients`, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${adminSecret}`,
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+        },
+        body: JSON.stringify({
+            client_name: LOGIN_UI_CLIENT_NAME,
+            redirect_uris: redirectUris,
+            grant_types: ['authorization_code'],
+            response_types: ['code'],
+            scope: 'openid profile email',
+            is_trusted: true,
+            skip_consent: true,
+            token_endpoint_auth_method: 'none',
+            require_pkce: true,
+        }),
+    });
+    if (!response.ok) {
+        const errorBody = await response.text().catch(() => 'Unknown error');
+        throw new Error(`Failed to create Login UI client (${response.status}): ${errorBody}`);
+    }
+    const data = (await response.json());
+    return data.client.client_id;
+}
+/**
+ * Ensure a Login UI OAuth client exists, creating one if necessary.
+ *
+ * This is idempotent: if a client named "Login UI" with is_trusted=true
+ * already exists, its client_id is returned without creating a new one.
+ */
+export async function ensureLoginUiClient(config) {
+    const { apiBaseUrl, loginUiUrl, adminApiSecretPath, onProgress } = config;
+    try {
+        // Read admin secret
+        onProgress?.('Reading admin API secret...');
+        const adminSecret = await readAdminApiSecret(adminApiSecretPath);
+        // Check for existing client
+        onProgress?.('Checking for existing Login UI client...');
+        const existingClient = await findExistingClient(apiBaseUrl, adminSecret);
+        if (existingClient) {
+            if (existingClient.needsMigration) {
+                onProgress?.(`Migrating Login UI client to public client: ${existingClient.clientId}`);
+                await updateClientToPublic(apiBaseUrl, adminSecret, existingClient.clientId);
+                onProgress?.('Login UI client migrated to public client (token_endpoint_auth_method=none, require_pkce=true)');
+            }
+            else {
+                onProgress?.(`Login UI client already exists: ${existingClient.clientId}`);
+            }
+            return {
+                success: true,
+                clientId: existingClient.clientId,
+                alreadyExists: true,
+            };
+        }
+        // Create new client
+        onProgress?.('Creating Login UI OAuth client...');
+        const clientId = await createClient(apiBaseUrl, adminSecret, loginUiUrl);
+        onProgress?.(`Login UI client created: ${clientId}`);
+        return {
+            success: true,
+            clientId,
+            alreadyExists: false,
+        };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            success: false,
+            error: message,
+        };
+    }
+}
+//# sourceMappingURL=login-ui-client.js.map

package/dist/core/login-ui-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login-ui-client.js","sourceRoot":"","sources":["../../src/core/login-ui-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAoDrC,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF,wCAAwC;AACxC,MAAM,oBAAoB,GAAG,UAAU,CAAC;AAExC,gFAAgF;AAChF,iBAAiB;AACjB,gFAAgF;AAEhF;;GAEG;AACH,SAAS,iBAAiB,CAAC,UAAkB;IAC3C,wBAAwB;IACxB,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAE9C,OAAO;QACL,GAAG,OAAO,WAAW;QACrB,GAAG,OAAO,kBAAkB;QAC5B,GAAG,OAAO,kBAAkB;QAC5B,GAAG,OAAO,gBAAgB;KAC3B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAAC,UAAkB;IAClD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,+BAA+B,UAAU,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACnD,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;AACvB,CAAC;AAOD;;;GAGG;AACH,KAAK,UAAU,kBAAkB,CAC/B,UAAkB,EAClB,WAAmB;IAEnB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,UAAU,6BAA6B,kBAAkB,CAAC,oBAAoB,CAAC,WAAW,EAC7F;QACE,MAAM,EAAE,KAAK;QACb,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,MAAM,EAAE,kBAAkB;SAC3B;KACF,CACF,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;IAChE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,CACjC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,oBAAoB,IAAI,CAAC,CAAC,UAAU,KAAK,IAAI,CACvE,CAAC;IAEF,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,OAAO;QACL,QAAQ,EAAE,QAAQ,CAAC,SAAS;QAC5B,cAAc,EACZ,QAAQ,CAAC,0BAA0B,KAAK,MAAM,IAAI,QAAQ,CAAC,YAAY,KAAK,IAAI;KACnF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,oBAAoB,CACjC,UAAkB,EAClB,WAAmB,EACnB,QAAgB;IAEhB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,UAAU,sBAAsB,QAAQ,EAAE,EAAE;QAC1E,MAAM,EAAE,KAAK;QACb,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,0BAA0B,EAAE,MAAM;YAClC,YAAY,EAAE,IAAI;SACnB,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;QACrE,MAAM,IAAI,KAAK,CACb,sDAAsD,QAAQ,CAAC,MAAM,MAAM,SAAS,EAAE,CACvF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,YAAY,CACzB,UAAkB,EAClB,WAAmB,EACnB,UAAkB;IAElB,MAAM,YAAY,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAEnD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,UAAU,oBAAoB,EAAE;QAC9D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,WAAW,EAAE,oBAAoB;YACjC,aAAa,EAAE,YAAY;YAC3B,WAAW,EAAE,CAAC,oBAAoB,CAAC;YACnC,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,KAAK,EAAE,sBAAsB;YAC7B,UAAU,EAAE,IAAI;YAChB,YAAY,EAAE,IAAI;YAClB,0BAA0B,EAAE,MAAM;YAClC,YAAY,EAAE,IAAI;SACnB,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;QACrE,MAAM,IAAI,KAAK,CAAC,qCAAqC,QAAQ,CAAC,MAAM,MAAM,SAAS,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;IAClE,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;AAC/B,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAA2B;IAE3B,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,kBAAkB,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC;IAE1E,IAAI,CAAC;QACH,oBAAoB;QACpB,UAAU,EAAE,CAAC,6BAA6B,CAAC,CAAC;QAC5C,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,kBAAkB,CAAC,CAAC;QAEjE,4BAA4B;QAC5B,UAAU,EAAE,CAAC,0CAA0C,CAAC,CAAC;QACzD,MAAM,cAAc,GAAG,MAAM,kBAAkB,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QAEzE,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,cAAc,CAAC,cAAc,EAAE,CAAC;gBAClC,UAAU,EAAE,CAAC,+CAA+C,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAC;gBACvF,MAAM,oBAAoB,CAAC,UAAU,EAAE,WAAW,EAAE,cAAc,CAAC,QAAQ,CAAC,CAAC;gBAC7E,UAAU,EAAE,CACV,gGAAgG,CACjG,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,UAAU,EAAE,CAAC,mCAAmC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7E,CAAC;YACD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,cAAc,CAAC,QAAQ;gBACjC,aAAa,EAAE,IAAI;aACpB,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,UAAU,EAAE,CAAC,mCAAmC,CAAC,CAAC;QAClD,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,UAAU,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;QAEzE,UAAU,EAAE,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;QACrD,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ;YACR,aAAa,EAAE,KAAK;SACrB,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,OAAO;SACf,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/core/migrate.d.ts

@@ -92,4 +92,41 @@ export declare function getMigrationStatus(baseDir?: string): {
     environments: string[];
     legacyFiles: string[];
 };
+export interface MigrateKeysToExternalOptions {
+    /** Source directory containing .authrim/ or .keys/ */
+    sourceDir: string;
+    /** Target base directory for external keys (keys go to {keysBaseDir}/.authrim-keys/{env}/) */
+    keysBaseDir: string;
+    /** Environment name */
+    env: string;
+    /** Dry run - don't actually copy files */
+    dryRun?: boolean;
+    /** Progress callback */
+    onProgress?: (msg: string) => void;
+}
+export interface MigrateKeysToExternalResult {
+    success: boolean;
+    /** Source location where keys were found */
+    sourceLocation?: 'internal' | 'legacy';
+    /** Source path */
+    sourcePath?: string;
+    /** Destination path */
+    destPath?: string;
+    /** Files copied */
+    files: string[];
+    /** Error message if failed */
+    error?: string;
+}
+/**
+ * Migrate keys from internal/legacy location to external .authrim-keys/{env}/ directory
+ *
+ * Copies key files from:
+ * - {sourceDir}/.authrim/{env}/keys/ (internal), or
+ * - {sourceDir}/.keys/{env}/ (legacy)
+ *
+ * To: {keysBaseDir}/.authrim-keys/{env}/
+ *
+ * After copy, updates config.json with new secretsPath and storageType.
+ */
+export declare function migrateKeysToExternal(options: MigrateKeysToExternalOptions): Promise<MigrateKeysToExternalResult>;
 //# sourceMappingURL=migrate.d.ts.map

package/dist/core/migrate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../../src/core/migrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAyCH,MAAM,WAAW,gBAAgB;IAC/B,uCAAuC;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gFAAgF;IAChF,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,qDAAqD;IACrD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,wBAAwB;IACxB,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CACpC;AAED,MAAM,WAAW,eAAe;IAC9B,kCAAkC;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,yBAAyB;IACzB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+BAA+B;IAC/B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,6CAA6C;IAC7C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,YAAY;IAC3B,+BAA+B;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gCAAgC;IAChC,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,gCAAgC;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,mBAAmB;IACnB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAMD;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,GAAE,MAAsB,GAAG,OAAO,CAGvE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,GAAE,MAAsB,GAAG,MAAM,EAAE,CAkClF;AAMD;;GAEG;AACH,wBAAsB,YAAY,CAChC,OAAO,GAAE,MAAsB,EAC/B,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GACjC,OAAO,CAAC,YAAY,CAAC,CAqDvB;AAwDD;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,GAAE,gBAAqB,GAC7B,OAAO,CAAC,eAAe,CAAC,CAkF1B;AAwPD;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAoE/F;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,GAAE,MAAsB,GAAG;IACnE,cAAc,EAAE,OAAO,CAAC;IACxB,gBAAgB,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAC5C,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB,CAuBA"}
+{"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../../src/core/migrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AA2CH,MAAM,WAAW,gBAAgB;IAC/B,uCAAuC;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gFAAgF;IAChF,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,qDAAqD;IACrD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,wBAAwB;IACxB,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CACpC;AAED,MAAM,WAAW,eAAe;IAC9B,kCAAkC;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,yBAAyB;IACzB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+BAA+B;IAC/B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,6CAA6C;IAC7C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,YAAY;IAC3B,+BAA+B;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gCAAgC;IAChC,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,gCAAgC;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,mBAAmB;IACnB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAMD;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,GAAE,MAAsB,GAAG,OAAO,CAGvE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,GAAE,MAAsB,GAAG,MAAM,EAAE,CAkClF;AAMD;;GAEG;AACH,wBAAsB,YAAY,CAChC,OAAO,GAAE,MAAsB,EAC/B,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GACjC,OAAO,CAAC,YAAY,CAAC,CAqDvB;AAwDD;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,GAAE,gBAAqB,GAC7B,OAAO,CAAC,eAAe,CAAC,CAkF1B;AAwPD;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAoE/F;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,GAAE,MAAsB,GAAG;IACnE,cAAc,EAAE,OAAO,CAAC;IACxB,gBAAgB,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAC5C,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB,CAuBA;AAMD,MAAM,WAAW,4BAA4B;IAC3C,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,8FAA8F;IAC9F,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,0CAA0C;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,wBAAwB;IACxB,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CACpC;AAED,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,OAAO,CAAC;IACjB,4CAA4C;IAC5C,cAAc,CAAC,EAAE,UAAU,GAAG,QAAQ,CAAC;IACvC,kBAAkB;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mBAAmB;IACnB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,4BAA4B,GACpC,OAAO,CAAC,2BAA2B,CAAC,CA6FtC"}

package/dist/core/migrate.js

@@ -21,9 +21,9 @@
  */
 import { existsSync } from 'node:fs';
 import { mkdir, copyFile, readFile, writeFile, readdir, rm, chmod } from 'node:fs/promises';
-import { join } from 'node:path';
+import { join, resolve } from 'node:path';
 import { createRequire } from 'node:module';
-import { LEGACY_CONFIG_FILE, LEGACY_LOCK_FILE, LEGACY_KEYS_DIR, getEnvironmentPaths, getLegacyPaths, detectStructure, listEnvironments, validateEnvName, } from './paths.js';
+import { LEGACY_CONFIG_FILE, LEGACY_LOCK_FILE, LEGACY_KEYS_DIR, getEnvironmentPaths, getExternalKeysDir, findKeysDirectory, getLegacyPaths, detectStructure, listEnvironments, validateEnvName, } from './paths.js';
 import { AuthrimConfigSchema } from './config.js';
 import { AuthrimLockSchema } from './lock.js';
 import { saveMasterWranglerConfigs } from './wrangler-sync.js';
@@ -546,4 +546,94 @@ export function getMigrationStatus(baseDir = process.cwd()) {
         legacyFiles,
     };
 }
+/**
+ * Migrate keys from internal/legacy location to external .authrim-keys/{env}/ directory
+ *
+ * Copies key files from:
+ * - {sourceDir}/.authrim/{env}/keys/ (internal), or
+ * - {sourceDir}/.keys/{env}/ (legacy)
+ *
+ * To: {keysBaseDir}/.authrim-keys/{env}/
+ *
+ * After copy, updates config.json with new secretsPath and storageType.
+ */
+export async function migrateKeysToExternal(options) {
+    const { sourceDir, keysBaseDir, env, dryRun = false, onProgress } = options;
+    // Security: Validate environment name
+    if (!validateEnvName(env)) {
+        return {
+            success: false,
+            files: [],
+            error: `Invalid environment name: ${env}`,
+        };
+    }
+    // Security: Validate keysBaseDir to prevent path traversal
+    if (keysBaseDir.includes('\0')) {
+        return {
+            success: false,
+            files: [],
+            error: 'Invalid keysBaseDir: null bytes not allowed',
+        };
+    }
+    // Find existing keys
+    const found = findKeysDirectory({ env, sourceDir });
+    if (!found) {
+        return {
+            success: false,
+            files: [],
+            error: `No keys found for environment "${env}" in ${sourceDir}`,
+        };
+    }
+    const destDir = getExternalKeysDir(env, keysBaseDir);
+    const files = [];
+    onProgress?.(`Migrating keys from ${found.path} to ${destDir}`);
+    if (!dryRun) {
+        // Create destination directory with secure permissions
+        await mkdir(destDir, { recursive: true, mode: DIRECTORY_MODE });
+        // Copy all key files
+        const entries = await readdir(found.path, { withFileTypes: true });
+        for (const entry of entries) {
+            // Skip symbolic links and directories
+            if (entry.isSymbolicLink() || entry.isDirectory()) {
+                continue;
+            }
+            const srcPath = join(found.path, entry.name);
+            const destPath = join(destDir, entry.name);
+            await copyFile(srcPath, destPath);
+            // Set restrictive permissions on sensitive files
+            if (isSensitiveFile(entry.name)) {
+                await chmod(destPath, SENSITIVE_FILE_MODE);
+            }
+            files.push(entry.name);
+        }
+        onProgress?.(`  Copied ${files.length} key files`);
+        // Update config.json if it exists
+        const configPath = getEnvironmentPaths({ baseDir: sourceDir, env }).config;
+        if (existsSync(configPath)) {
+            try {
+                const content = await readFile(configPath, 'utf-8');
+                const config = JSON.parse(content);
+                if (config.keys) {
+                    config.keys.secretsPath = resolve(keysBaseDir, '.authrim-keys', env) + '/';
+                    config.keys.storageType = 'external';
+                }
+                await writeFile(configPath, JSON.stringify(config, null, 2));
+                onProgress?.('  Updated config.json with external keys path');
+            }
+            catch (error) {
+                onProgress?.(`  Warning: Could not update config.json: ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+    }
+    else {
+        onProgress?.(`  Would copy keys from ${found.path} to ${destDir}`);
+    }
+    return {
+        success: true,
+        sourceLocation: found.location === 'legacy' ? 'legacy' : 'internal',
+        sourcePath: found.path,
+        destPath: destDir,
+        files,
+    };
+}
 //# sourceMappingURL=migrate.js.map