@authsec/sdk 4.0.0

package/dist/spiffe/index.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WorkloadSVID = exports.QuickStartSVID = exports.WorkloadAPIClient = void 0;
+var workload_api_client_js_1 = require("./workload-api-client.js");
+Object.defineProperty(exports, "WorkloadAPIClient", { enumerable: true, get: function () { return workload_api_client_js_1.WorkloadAPIClient; } });
+var quick_start_svid_js_1 = require("./quick-start-svid.js");
+Object.defineProperty(exports, "QuickStartSVID", { enumerable: true, get: function () { return quick_start_svid_js_1.QuickStartSVID; } });
+var workload_svid_js_1 = require("./workload-svid.js");
+Object.defineProperty(exports, "WorkloadSVID", { enumerable: true, get: function () { return workload_svid_js_1.WorkloadSVID; } });
+//# sourceMappingURL=index.js.map

package/dist/spiffe/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/spiffe/index.ts"],"names":[],"mappings":";;;AAAA,mEAA6D;AAApD,2HAAA,iBAAiB,OAAA;AAC1B,6DAAuD;AAA9C,qHAAA,cAAc,OAAA;AACvB,uDAAkD;AAAzC,gHAAA,YAAY,OAAA"}

package/dist/spiffe/proto/workload.proto

@@ -0,0 +1,126 @@
+// SPIFFE Workload API
+// Based on: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md
+
+syntax = "proto3";
+
+package spiffe.workload;
+
+option go_package = "github.com/spiffe/go-spiffe/v2/proto/spiffe/workload;workload";
+
+// SpiffeWorkloadAPI provides methods for workloads to retrieve their SPIFFE identities
+service SpiffeWorkloadAPI {
+    // Fetch X.509-SVID - Workloads subscribe to this RPC to receive X.509 SVIDs
+    // SVIDs are streamed to the workload and automatically updated before expiry
+    rpc FetchX509SVID(X509SVIDRequest) returns (stream X509SVIDResponse);
+
+    // Fetch X.509 bundles - Returns trust bundles for federated trust domains
+    rpc FetchX509Bundles(X509BundlesRequest) returns (stream X509BundlesResponse);
+
+    // Validate JWT-SVID - Validates a JWT-SVID token
+    rpc ValidateJWTSVID(ValidateJWTSVIDRequest) returns (ValidateJWTSVIDResponse);
+
+    // Fetch JWT-SVID - Fetches a JWT-SVID with specified audience
+    rpc FetchJWTSVID(JWTSVIDRequest) returns (JWTSVIDResponse);
+
+    // Fetch JWT bundles
+    rpc FetchJWTBundles(JWTBundlesRequest) returns (stream JWTBundlesResponse);
+}
+
+// X.509-SVID Request
+message X509SVIDRequest {
+    // Empty - workload is identified by Unix socket peer credentials
+}
+
+// X.509-SVID Response
+message X509SVIDResponse {
+    // List of X.509 SVIDs
+    repeated X509SVID svids = 1;
+
+    // X.509 certificate bundles (trust bundles)
+    // Key is trust domain name (e.g., "example.org")
+    map<string, bytes> crl = 2;
+
+    // Federated bundles (trust bundles for federated trust domains)
+    map<string, bytes> federated_bundles = 3;
+}
+
+// X.509 SVID
+message X509SVID {
+    // SPIFFE ID
+    string spiffe_id = 1;
+
+    // X.509 certificate (PEM encoded)
+    bytes x509_svid = 2;
+
+    // Private key (PEM encoded)
+    bytes x509_svid_key = 3;
+
+    // Certificate bundle (PEM encoded)
+    bytes bundle = 4;
+}
+
+// X.509 Bundles Request
+message X509BundlesRequest {
+    // Empty
+}
+
+// X.509 Bundles Response
+message X509BundlesResponse {
+    // X.509 certificate bundles
+    // Key is trust domain name
+    map<string, bytes> bundles = 1;
+}
+
+// JWT-SVID Request
+message JWTSVIDRequest {
+    // Audience for JWT
+    repeated string audience = 1;
+
+    // SPIFFE ID (optional - defaults to workload's default identity)
+    string spiffe_id = 2;
+}
+
+// JWT-SVID Response
+message JWTSVIDResponse {
+    // List of JWT SVIDs
+    repeated JWTSVID svids = 1;
+}
+
+// JWT SVID
+message JWTSVID {
+    // SPIFFE ID
+    string spiffe_id = 1;
+
+    // JWT token
+    string svid = 2;
+}
+
+// JWT Bundles Request
+message JWTBundlesRequest {
+    // Empty
+}
+
+// JWT Bundles Response
+message JWTBundlesResponse {
+    // JWT bundles (JWKS)
+    // Key is trust domain name
+    map<string, bytes> bundles = 1;
+}
+
+// Validate JWT-SVID Request
+message ValidateJWTSVIDRequest {
+    // JWT token to validate
+    string svid = 1;
+
+    // Expected audience
+    string audience = 2;
+}
+
+// Validate JWT-SVID Response
+message ValidateJWTSVIDResponse {
+    // SPIFFE ID extracted from validated token
+    string spiffe_id = 1;
+
+    // Claims from validated token
+    map<string, string> claims = 2;
+}

package/dist/spiffe/quick-start-svid.d.ts

@@ -0,0 +1,74 @@
+/**
+ * QuickStartSVID - Simplified SPIRE SVID integration (singleton)
+ * Mirrors Python QuickStartSVID from spire_sdk.py
+ *
+ * Connects directly to SPIRE agent via gRPC and fetches X.509-SVIDs.
+ * Provides automatic certificate renewal every 30 minutes.
+ */
+import * as tls from 'node:tls';
+export declare class QuickStartSVID {
+    private static instance;
+    private static initPromise;
+    private svid;
+    private grpcClient;
+    private renewalTimer;
+    private running;
+    private constructor();
+    /**
+     * Initialize SPIRE workload identity (singleton pattern).
+     *
+     * This method:
+     * 1. Connects to SPIRE agent via gRPC
+     * 2. Fetches X.509-SVID from agent
+     * 3. Writes certificates to disk
+     * 4. Starts automatic renewal (every 30 minutes)
+     *
+     * @param socketPath Path to SPIRE agent socket
+     * @param certDir Directory to store certificates (default: /tmp/spiffe-certs)
+     * @returns QuickStartSVID instance with SVID ready for mTLS
+     */
+    static initialize(socketPath?: string, certDir?: string): Promise<QuickStartSVID>;
+    /**
+     * Get the singleton instance (must call initialize() first).
+     */
+    static get(): Promise<QuickStartSVID>;
+    private fetch;
+    private renewSvid;
+    /** Get SPIFFE ID */
+    get spiffeId(): string;
+    /** Get certificate PEM */
+    get certificate(): string;
+    /** Get private key PEM */
+    get privateKey(): string;
+    /** Get trust bundle PEM */
+    get trustBundle(): string;
+    /** Get certificate file path */
+    get certFilePath(): string | null;
+    /** Get private key file path */
+    get keyFilePath(): string | null;
+    /** Get CA bundle file path */
+    get caFilePath(): string | null;
+    /**
+     * Create TLS options for server.
+     * Returns options suitable for `https.createServer(options, app)`.
+     */
+    createTlsOptionsForServer(): tls.SecureContextOptions & {
+        requestCert: boolean;
+        rejectUnauthorized: boolean;
+    };
+    /**
+     * Create TLS options for client.
+     * Returns options suitable for `https.Agent(options)`.
+     */
+    createTlsOptionsForClient(): tls.SecureContextOptions & {
+        rejectUnauthorized: boolean;
+    };
+    /** Get certificate data as dict for easy passing to HTTP clients */
+    getCertificateDict(): {
+        cert: string;
+        key: string;
+    };
+    /** Shutdown SVID renewal and gRPC client */
+    shutdown(): Promise<void>;
+}
+//# sourceMappingURL=quick-start-svid.d.ts.map

package/dist/spiffe/quick-start-svid.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"quick-start-svid.d.ts","sourceRoot":"","sources":["../../src/spiffe/quick-start-svid.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAIhC,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAA+B;IACtD,OAAO,CAAC,MAAM,CAAC,WAAW,CAAwC;IAElE,OAAO,CAAC,IAAI,CAA6B;IACzC,OAAO,CAAC,UAAU,CAAkC;IACpD,OAAO,CAAC,YAAY,CAA+C;IACnE,OAAO,CAAC,OAAO,CAAS;IAExB,OAAO;IAEP;;;;;;;;;;;;OAYG;WACU,UAAU,CACrB,UAAU,GAAE,MAAwC,EACpD,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,cAAc,CAAC;IAwB1B;;OAEG;WACU,GAAG,IAAI,OAAO,CAAC,cAAc,CAAC;YAO7B,KAAK;YAsCL,SAAS;IAmBvB,oBAAoB;IACpB,IAAI,QAAQ,IAAI,MAAM,CAGrB;IAED,0BAA0B;IAC1B,IAAI,WAAW,IAAI,MAAM,CAGxB;IAED,0BAA0B;IAC1B,IAAI,UAAU,IAAI,MAAM,CAGvB;IAED,2BAA2B;IAC3B,IAAI,WAAW,IAAI,MAAM,CAGxB;IAED,gCAAgC;IAChC,IAAI,YAAY,IAAI,MAAM,GAAG,IAAI,CAGhC;IAED,gCAAgC;IAChC,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAG/B;IAED,8BAA8B;IAC9B,IAAI,UAAU,IAAI,MAAM,GAAG,IAAI,CAG9B;IAED;;;OAGG;IACH,yBAAyB,IAAI,GAAG,CAAC,oBAAoB,GAAG;QAAE,WAAW,EAAE,OAAO,CAAC;QAAC,kBAAkB,EAAE,OAAO,CAAA;KAAE;IAK7G;;;OAGG;IACH,yBAAyB,IAAI,GAAG,CAAC,oBAAoB,GAAG;QAAE,kBAAkB,EAAE,OAAO,CAAA;KAAE;IAKvF,oEAAoE;IACpE,kBAAkB,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE;IAQnD,4CAA4C;IACtC,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAehC"}

package/dist/spiffe/quick-start-svid.js

@@ -0,0 +1,191 @@
+"use strict";
+/**
+ * QuickStartSVID - Simplified SPIRE SVID integration (singleton)
+ * Mirrors Python QuickStartSVID from spire_sdk.py
+ *
+ * Connects directly to SPIRE agent via gRPC and fetches X.509-SVIDs.
+ * Provides automatic certificate renewal every 30 minutes.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.QuickStartSVID = void 0;
+const workload_api_client_js_1 = require("./workload-api-client.js");
+const workload_svid_js_1 = require("./workload-svid.js");
+class QuickStartSVID {
+    static instance = null;
+    static initPromise = null;
+    svid = null;
+    grpcClient = null;
+    renewalTimer = null;
+    running = false;
+    constructor() { }
+    /**
+     * Initialize SPIRE workload identity (singleton pattern).
+     *
+     * This method:
+     * 1. Connects to SPIRE agent via gRPC
+     * 2. Fetches X.509-SVID from agent
+     * 3. Writes certificates to disk
+     * 4. Starts automatic renewal (every 30 minutes)
+     *
+     * @param socketPath Path to SPIRE agent socket
+     * @param certDir Directory to store certificates (default: /tmp/spiffe-certs)
+     * @returns QuickStartSVID instance with SVID ready for mTLS
+     */
+    static async initialize(socketPath = '/run/spire/sockets/agent.sock', certDir) {
+        if (QuickStartSVID.instance) {
+            return QuickStartSVID.instance;
+        }
+        // Prevent concurrent initialization
+        if (QuickStartSVID.initPromise) {
+            return QuickStartSVID.initPromise;
+        }
+        QuickStartSVID.initPromise = (async () => {
+            const instance = new QuickStartSVID();
+            await instance.fetch(socketPath, certDir);
+            QuickStartSVID.instance = instance;
+            return instance;
+        })();
+        try {
+            return await QuickStartSVID.initPromise;
+        }
+        finally {
+            QuickStartSVID.initPromise = null;
+        }
+    }
+    /**
+     * Get the singleton instance (must call initialize() first).
+     */
+    static async get() {
+        if (!QuickStartSVID.instance) {
+            throw new Error('Call QuickStartSVID.initialize() first');
+        }
+        return QuickStartSVID.instance;
+    }
+    async fetch(socketPath, certDir) {
+        console.log('Fetching SPIFFE SVID via gRPC...');
+        try {
+            this.grpcClient = new workload_api_client_js_1.WorkloadAPIClient({ socketPath });
+            await this.grpcClient.connect();
+            const success = await this.grpcClient.fetchX509SvidOnce();
+            if (!success) {
+                throw new Error('Failed to fetch SVID from agent');
+            }
+            this.svid = new workload_svid_js_1.WorkloadSVID({
+                spiffeId: this.grpcClient.spiffeId,
+                certificate: this.grpcClient.certificate,
+                privateKey: this.grpcClient.privateKey,
+                trustBundle: this.grpcClient.trustBundle,
+                certDir,
+            });
+            console.log(`SVID initialized: ${this.svid.spiffeId}`);
+            console.log('Certificates ready for mTLS');
+            // Start automatic renewal (every 30 minutes)
+            this.running = true;
+            this.renewalTimer = setInterval(() => {
+                this.renewSvid().catch((e) => {
+                    console.error(`SVID renewal failed: ${e.message ?? e}`);
+                });
+            }, 30 * 60 * 1000);
+            console.log('Automatic SVID renewal enabled (30 min interval)');
+        }
+        catch (e) {
+            console.error(`SVID initialization failed: ${e.message ?? e}`);
+            throw new Error(`Failed to initialize SVID: ${e.message ?? e}`);
+        }
+    }
+    async renewSvid() {
+        if (!this.grpcClient) {
+            throw new Error('gRPC client not available');
+        }
+        const success = await this.grpcClient.fetchX509SvidOnce();
+        if (!success) {
+            throw new Error('Failed to renew SVID from agent');
+        }
+        this.svid.refresh(this.grpcClient.certificate, this.grpcClient.privateKey, this.grpcClient.trustBundle);
+        console.log('SVID renewed successfully');
+    }
+    /** Get SPIFFE ID */
+    get spiffeId() {
+        if (!this.svid)
+            throw new Error('SVID not initialized');
+        return this.svid.spiffeId;
+    }
+    /** Get certificate PEM */
+    get certificate() {
+        if (!this.svid)
+            throw new Error('SVID not initialized');
+        return this.svid.certificate;
+    }
+    /** Get private key PEM */
+    get privateKey() {
+        if (!this.svid)
+            throw new Error('SVID not initialized');
+        return this.svid.privateKey;
+    }
+    /** Get trust bundle PEM */
+    get trustBundle() {
+        if (!this.svid)
+            throw new Error('SVID not initialized');
+        return this.svid.trustBundle;
+    }
+    /** Get certificate file path */
+    get certFilePath() {
+        if (!this.svid)
+            throw new Error('SVID not initialized');
+        return this.svid.certFilePath;
+    }
+    /** Get private key file path */
+    get keyFilePath() {
+        if (!this.svid)
+            throw new Error('SVID not initialized');
+        return this.svid.keyFilePath;
+    }
+    /** Get CA bundle file path */
+    get caFilePath() {
+        if (!this.svid)
+            throw new Error('SVID not initialized');
+        return this.svid.caFilePath;
+    }
+    /**
+     * Create TLS options for server.
+     * Returns options suitable for `https.createServer(options, app)`.
+     */
+    createTlsOptionsForServer() {
+        if (!this.svid)
+            throw new Error('SVID not initialized');
+        return this.svid.createTlsOptionsForServer();
+    }
+    /**
+     * Create TLS options for client.
+     * Returns options suitable for `https.Agent(options)`.
+     */
+    createTlsOptionsForClient() {
+        if (!this.svid)
+            throw new Error('SVID not initialized');
+        return this.svid.createTlsOptionsForClient();
+    }
+    /** Get certificate data as dict for easy passing to HTTP clients */
+    getCertificateDict() {
+        if (!this.svid)
+            throw new Error('SVID not initialized');
+        return {
+            cert: this.svid.certificate,
+            key: this.svid.privateKey,
+        };
+    }
+    /** Shutdown SVID renewal and gRPC client */
+    async shutdown() {
+        this.running = false;
+        if (this.renewalTimer) {
+            clearInterval(this.renewalTimer);
+            this.renewalTimer = null;
+        }
+        if (this.grpcClient) {
+            await this.grpcClient.disconnect();
+            this.grpcClient = null;
+        }
+        console.log('SVID renewal stopped');
+    }
+}
+exports.QuickStartSVID = QuickStartSVID;
+//# sourceMappingURL=quick-start-svid.js.map

package/dist/spiffe/quick-start-svid.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"quick-start-svid.js","sourceRoot":"","sources":["../../src/spiffe/quick-start-svid.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAGH,qEAA6D;AAC7D,yDAAkD;AAElD,MAAa,cAAc;IACjB,MAAM,CAAC,QAAQ,GAA0B,IAAI,CAAC;IAC9C,MAAM,CAAC,WAAW,GAAmC,IAAI,CAAC;IAE1D,IAAI,GAAwB,IAAI,CAAC;IACjC,UAAU,GAA6B,IAAI,CAAC;IAC5C,YAAY,GAA0C,IAAI,CAAC;IAC3D,OAAO,GAAG,KAAK,CAAC;IAExB,gBAAuB,CAAC;IAExB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,KAAK,CAAC,UAAU,CACrB,aAAqB,+BAA+B,EACpD,OAAgB;QAEhB,IAAI,cAAc,CAAC,QAAQ,EAAE,CAAC;YAC5B,OAAO,cAAc,CAAC,QAAQ,CAAC;QACjC,CAAC;QAED,oCAAoC;QACpC,IAAI,cAAc,CAAC,WAAW,EAAE,CAAC;YAC/B,OAAO,cAAc,CAAC,WAAW,CAAC;QACpC,CAAC;QAED,cAAc,CAAC,WAAW,GAAG,CAAC,KAAK,IAAI,EAAE;YACvC,MAAM,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAC;YACtC,MAAM,QAAQ,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC1C,cAAc,CAAC,QAAQ,GAAG,QAAQ,CAAC;YACnC,OAAO,QAAQ,CAAC;QAClB,CAAC,CAAC,EAAE,CAAC;QAEL,IAAI,CAAC;YACH,OAAO,MAAM,cAAc,CAAC,WAAW,CAAC;QAC1C,CAAC;gBAAS,CAAC;YACT,cAAc,CAAC,WAAW,GAAG,IAAI,CAAC;QACpC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,GAAG;QACd,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QACD,OAAO,cAAc,CAAC,QAAQ,CAAC;IACjC,CAAC;IAEO,KAAK,CAAC,KAAK,CAAC,UAAkB,EAAE,OAAgB;QACtD,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;QAEhD,IAAI,CAAC;YACH,IAAI,CAAC,UAAU,GAAG,IAAI,0CAAiB,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;YACxD,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YAEhC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,iBAAiB,EAAE,CAAC;YAC1D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACrD,CAAC;YAED,IAAI,CAAC,IAAI,GAAG,IAAI,+BAAY,CAAC;gBAC3B,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,QAAS;gBACnC,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,WAAY;gBACzC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,UAAW;gBACvC,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,WAAY;gBACzC,OAAO;aACR,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;YAE3C,6CAA6C;YAC7C,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;YACpB,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE;gBACnC,IAAI,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;oBAC3B,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC1D,CAAC,CAAC,CAAC;YACL,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAEnB,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;QAClE,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;YAC/D,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,SAAS;QACrB,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,iBAAiB,EAAE,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,IAAI,CAAC,IAAK,CAAC,OAAO,CAChB,IAAI,CAAC,UAAU,CAAC,WAAY,EAC5B,IAAI,CAAC,UAAU,CAAC,UAAW,EAC3B,IAAI,CAAC,UAAU,CAAC,WAAY,CAC7B,CAAC;QAEF,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IAC3C,CAAC;IAED,oBAAoB;IACpB,IAAI,QAAQ;QACV,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC;IAC5B,CAAC;IAED,0BAA0B;IAC1B,IAAI,WAAW;QACb,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC;IAC/B,CAAC;IAED,0BAA0B;IAC1B,IAAI,UAAU;QACZ,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC;IAC9B,CAAC;IAED,2BAA2B;IAC3B,IAAI,WAAW;QACb,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC;IAC/B,CAAC;IAED,gCAAgC;IAChC,IAAI,YAAY;QACd,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC;IAChC,CAAC;IAED,gCAAgC;IAChC,IAAI,WAAW;QACb,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC;IAC/B,CAAC;IAED,8BAA8B;IAC9B,IAAI,UAAU;QACZ,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACH,yBAAyB;QACvB,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,yBAAyB,EAAE,CAAC;IAC/C,CAAC;IAED;;;OAGG;IACH,yBAAyB;QACvB,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,yBAAyB,EAAE,CAAC;IAC/C,CAAC;IAED,oEAAoE;IACpE,kBAAkB;QAChB,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;YAC3B,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU;SAC1B,CAAC;IACJ,CAAC;IAED,4CAA4C;IAC5C,KAAK,CAAC,QAAQ;QACZ,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QAErB,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACjC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC3B,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC;YACnC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACzB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACtC,CAAC;;AA1MH,wCA2MC"}

package/dist/spiffe/workload-api-client.d.ts

@@ -0,0 +1,71 @@
+/**
+ * SPIFFE Workload API - gRPC Client
+ * Mirrors Python WorkloadAPIClient
+ *
+ * Client library for workloads to fetch SVIDs from the gRPC Workload API.
+ * Supports streaming X.509-SVIDs with automatic rotation.
+ */
+export declare class WorkloadAPIClient {
+    private socketPath;
+    private logger;
+    spiffeId: string | null;
+    certificate: string | null;
+    privateKey: string | null;
+    trustBundle: string | null;
+    private client;
+    private streamCall;
+    private running;
+    constructor(options?: {
+        socketPath?: string;
+        logger?: {
+            info: Function;
+            error: Function;
+            debug: Function;
+        };
+    });
+    /** Connect to the Workload API */
+    connect(): Promise<void>;
+    /** Disconnect from Workload API */
+    disconnect(): Promise<void>;
+    /** Build gRPC metadata from environment variables */
+    private buildMetadata;
+    /**
+     * Fetch X.509-SVID once (single request/response).
+     * @returns true if successful, false otherwise
+     */
+    fetchX509SvidOnce(): Promise<boolean>;
+    /**
+     * Start streaming X.509-SVID updates.
+     * @param onUpdate Optional callback called when SVID is updated
+     */
+    startStreaming(onUpdate?: (client: WorkloadAPIClient) => Promise<void>): Promise<void>;
+    /**
+     * Fetch JWT-SVID.
+     * @param audience List of audiences for the JWT
+     * @param spiffeId Optional SPIFFE ID (defaults to workload's identity)
+     * @returns JWT token or null
+     */
+    fetchJwtSvid(audience: string[], spiffeId?: string): Promise<string | null>;
+    /**
+     * Validate JWT-SVID.
+     * @param token JWT token to validate
+     * @param audience Expected audience
+     * @returns Validation result with spiffe_id and claims, or null if invalid
+     */
+    validateJwtSvid(token: string, audience: string): Promise<{
+        spiffeId: string;
+        claims: Record<string, string>;
+    } | null>;
+    /**
+     * Get mTLS configuration for HTTP clients.
+     * @returns Object with cert, key, and caBundle, or null if not available
+     */
+    getMtlsConfig(): {
+        cert: string;
+        key: string;
+        caBundle: string;
+    } | null;
+    /** Check if SVID is available */
+    hasSvid(): boolean;
+}
+//# sourceMappingURL=workload-api-client.d.ts.map

package/dist/spiffe/workload-api-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workload-api-client.d.ts","sourceRoot":"","sources":["../../src/spiffe/workload-api-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAwBH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,MAAM,CAAuD;IAGrE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAQ;IAC/B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAQ;IAClC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAQ;IACjC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAQ;IAGlC,OAAO,CAAC,MAAM,CAAa;IAC3B,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,OAAO,CAAS;gBAEZ,OAAO,CAAC,EAAE;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE;YAAE,IAAI,EAAE,QAAQ,CAAC;YAAC,KAAK,EAAE,QAAQ,CAAC;YAAC,KAAK,EAAE,QAAQ,CAAA;SAAE,CAAC;KAC/D;IAUD,kCAAkC;IAC5B,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IA6B9B,mCAAmC;IAC7B,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAgBjC,qDAAqD;IACrD,OAAO,CAAC,aAAa;IAqDrB;;;OAGG;IACG,iBAAiB,IAAI,OAAO,CAAC,OAAO,CAAC;IAyD3C;;;OAGG;IACG,cAAc,CAClB,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,iBAAiB,KAAK,OAAO,CAAC,IAAI,CAAC,GACtD,OAAO,CAAC,IAAI,CAAC;IAuDhB;;;;;OAKG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAAE,EAClB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAqCzB;;;;;OAKG;IACG,eAAe,CACnB,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;IAkCvE;;;OAGG;IACH,aAAa,IAAI;QACf,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;QACZ,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,IAAI;IAYR,iCAAiC;IACjC,OAAO,IAAI,OAAO;CAGnB"}