@betterportal/framework 0.0.1

package/lib/controlPlane/sync.js

@@ -0,0 +1,24 @@
+import { PluginManifestSchema } from "../contracts/manifest.js";
+export async function importBindingManifest(store, bindingId, provider) {
+    const binding = store.getBinding(bindingId);
+    if (!binding) {
+        throw new Error(`Binding ${bindingId} does not exist`);
+    }
+    const manifest = PluginManifestSchema.parse(await provider(binding));
+    const updatedBinding = {
+        ...binding,
+        importedManifestVersion: manifest.version,
+        lastSyncAtIso: new Date().toISOString()
+    };
+    store.upsertBinding(updatedBinding);
+    return store.recordImportedManifest(bindingId, manifest);
+}
+export async function syncAllBindingManifests(store, provider) {
+    const snapshot = store.getSnapshot();
+    const results = [];
+    for (const binding of snapshot.bindings) {
+        results.push(await importBindingManifest(store, binding.bindingId, provider));
+    }
+    return results;
+}
+//# sourceMappingURL=sync.js.map

package/lib/controlPlane/sync.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sync.js","sourceRoot":"","sources":["../../src/controlPlane/sync.ts"],"names":[],"mappings":"AACA,OAAO,EAAkB,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAMhF,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAoC,EACpC,SAAiB,EACjB,QAA0B;IAE1B,MAAM,OAAO,GAAG,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IAC5C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,WAAW,SAAS,iBAAiB,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,QAAQ,GAAG,oBAAoB,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACrE,MAAM,cAAc,GAAkB;QACpC,GAAG,OAAO;QACV,uBAAuB,EAAE,QAAQ,CAAC,OAAO;QACzC,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACxC,CAAC;IAEF,KAAK,CAAC,aAAa,CAAC,cAAc,CAAC,CAAC;IACpC,OAAO,KAAK,CAAC,sBAAsB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,KAAoC,EACpC,QAA0B;IAE1B,MAAM,QAAQ,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,OAAO,GAA6B,EAAE,CAAC;IAE7C,KAAK,MAAM,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACxC,OAAO,CAAC,IAAI,CAAC,MAAM,qBAAqB,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC;IAChF,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/lib/controlPlane/types.d.ts

@@ -0,0 +1,15 @@
+import { App, BindingRecord, ServiceCatalogEntry, Tenant } from "../contracts/binding.js";
+import { PluginManifest } from "../contracts/manifest.js";
+export interface ImportedManifestRecord {
+    bindingId: string;
+    manifest: PluginManifest;
+    importedAtIso: string;
+}
+export interface ControlPlaneSnapshot {
+    catalog: ReadonlyArray<ServiceCatalogEntry>;
+    tenants: ReadonlyArray<Tenant>;
+    apps: ReadonlyArray<App>;
+    bindings: ReadonlyArray<BindingRecord>;
+    importedManifests: ReadonlyArray<ImportedManifestRecord>;
+}
+//# sourceMappingURL=types.d.ts.map

package/lib/controlPlane/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/controlPlane/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,EAAE,MAAM,yBAAyB,CAAC;AAC1F,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE1D,MAAM,WAAW,sBAAsB;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,cAAc,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,aAAa,CAAC,mBAAmB,CAAC,CAAC;IAC5C,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B,IAAI,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC;IACzB,QAAQ,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IACvC,iBAAiB,EAAE,aAAa,CAAC,sBAAsB,CAAC,CAAC;CAC1D"}

package/lib/controlPlane/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/lib/controlPlane/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/controlPlane/types.ts"],"names":[],"mappings":""}

package/lib/index.d.ts

@@ -0,0 +1,40 @@
+export * from "./contracts/auth.js";
+export * from "./contracts/binding.js";
+export * from "./contracts/common.js";
+export * from "./contracts/config.js";
+export * from "./contracts/json.js";
+export * from "./contracts/manifest.js";
+export * from "./contracts/observability.js";
+export * from "./contracts/platformConfig.js";
+export * from "./contracts/registry.js";
+export * from "./contracts/route.js";
+export * from "./contracts/serviceConfig.js";
+export * from "./contracts/streaming.js";
+export * from "./contracts/view.js";
+export * from "./controlPlane/store.js";
+export * from "./controlPlane/sync.js";
+export * from "./controlPlane/types.js";
+export * from "./runtime/configProvider.js";
+export * from "./runtime/h3.js";
+export * from "./runtime/jsonSchema.js";
+export * from "./runtime/http.js";
+export * from "./runtime/manifest.js";
+export * from "./runtime/media.js";
+export * from "./runtime/registry.js";
+export * from "./runtime/serviceConfig.js";
+export * from "./runtime/tenantResolution.js";
+export * from "./runtime/view.js";
+export * from "./runtime/handler.js";
+export * from "./runtime/streamHandler.js";
+export * from "./runtime/configStore.js";
+export * from "./runtime/configTicket.js";
+export * from "./runtime/auth/envelope.js";
+export * from "./runtime/auth/issuer.js";
+export * from "./runtime/auth/jwks.js";
+export * from "./runtime/auth/keypair.js";
+export * from "./runtime/auth/tokens.js";
+export * from "./runtime/auth/verifier.js";
+export * from "./contracts/controlPlane.js";
+export * from "./runtime/uuid.js";
+export * from "./adapters/h3.js";
+//# sourceMappingURL=index.d.ts.map

package/lib/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,qBAAqB,CAAC;AACpC,cAAc,wBAAwB,CAAC;AACvC,cAAc,uBAAuB,CAAC;AACtC,cAAc,uBAAuB,CAAC;AACtC,cAAc,qBAAqB,CAAC;AACpC,cAAc,yBAAyB,CAAC;AACxC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,0BAA0B,CAAC;AACzC,cAAc,qBAAqB,CAAC;AACpC,cAAc,yBAAyB,CAAC;AACxC,cAAc,wBAAwB,CAAC;AACvC,cAAc,yBAAyB,CAAC;AACxC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,mBAAmB,CAAC;AAClC,cAAc,uBAAuB,CAAC;AACtC,cAAc,oBAAoB,CAAC;AACnC,cAAc,uBAAuB,CAAC;AACtC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,0BAA0B,CAAC;AACzC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,0BAA0B,CAAC;AACzC,cAAc,wBAAwB,CAAC;AACvC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,6BAA6B,CAAC;AAC5C,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC"}

package/lib/index.js

@@ -0,0 +1,40 @@
+export * from "./contracts/auth.js";
+export * from "./contracts/binding.js";
+export * from "./contracts/common.js";
+export * from "./contracts/config.js";
+export * from "./contracts/json.js";
+export * from "./contracts/manifest.js";
+export * from "./contracts/observability.js";
+export * from "./contracts/platformConfig.js";
+export * from "./contracts/registry.js";
+export * from "./contracts/route.js";
+export * from "./contracts/serviceConfig.js";
+export * from "./contracts/streaming.js";
+export * from "./contracts/view.js";
+export * from "./controlPlane/store.js";
+export * from "./controlPlane/sync.js";
+export * from "./controlPlane/types.js";
+export * from "./runtime/configProvider.js";
+export * from "./runtime/h3.js";
+export * from "./runtime/jsonSchema.js";
+export * from "./runtime/http.js";
+export * from "./runtime/manifest.js";
+export * from "./runtime/media.js";
+export * from "./runtime/registry.js";
+export * from "./runtime/serviceConfig.js";
+export * from "./runtime/tenantResolution.js";
+export * from "./runtime/view.js";
+export * from "./runtime/handler.js";
+export * from "./runtime/streamHandler.js";
+export * from "./runtime/configStore.js";
+export * from "./runtime/configTicket.js";
+export * from "./runtime/auth/envelope.js";
+export * from "./runtime/auth/issuer.js";
+export * from "./runtime/auth/jwks.js";
+export * from "./runtime/auth/keypair.js";
+export * from "./runtime/auth/tokens.js";
+export * from "./runtime/auth/verifier.js";
+export * from "./contracts/controlPlane.js";
+export * from "./runtime/uuid.js";
+export * from "./adapters/h3.js";
+//# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,qBAAqB,CAAC;AACpC,cAAc,wBAAwB,CAAC;AACvC,cAAc,uBAAuB,CAAC;AACtC,cAAc,uBAAuB,CAAC;AACtC,cAAc,qBAAqB,CAAC;AACpC,cAAc,yBAAyB,CAAC;AACxC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,0BAA0B,CAAC;AACzC,cAAc,qBAAqB,CAAC;AACpC,cAAc,yBAAyB,CAAC;AACxC,cAAc,wBAAwB,CAAC;AACvC,cAAc,yBAAyB,CAAC;AACxC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,mBAAmB,CAAC;AAClC,cAAc,uBAAuB,CAAC;AACtC,cAAc,oBAAoB,CAAC;AACnC,cAAc,uBAAuB,CAAC;AACtC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,0BAA0B,CAAC;AACzC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,0BAA0B,CAAC;AACzC,cAAc,wBAAwB,CAAC;AACvC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,6BAA6B,CAAC;AAC5C,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC"}

package/lib/runtime/auth/envelope.d.ts

@@ -0,0 +1,32 @@
+import { type CpEnvelopeClaims, type SetupTokenClaims } from "../../contracts/auth.js";
+import { type JwksLookupOptions } from "./jwks.js";
+export interface SignCpEnvelopeOptions {
+    privateKeyPem: string;
+    kid: string;
+    claims: Omit<CpEnvelopeClaims, "exp" | "iat" | "jti"> & {
+        expiresInSeconds: number;
+        jti?: string;
+    };
+}
+export interface SignSetupTokenOptions {
+    privateKeyPem: string;
+    kid: string;
+    claims: Omit<SetupTokenClaims, "exp" | "iat" | "jti"> & {
+        expiresInSeconds: number;
+        jti?: string;
+    };
+}
+export interface VerifyEnvelopeOptions {
+    /** JWKS lookup details for the issuer (CP). */
+    jwks?: JwksLookupOptions;
+    /** Or an in-process key resolver (preferred for installer flow). */
+    keyResolver?: (kid: string) => Promise<string>;
+    expectedIssuer: string;
+    expectedAudience?: string;
+    clockToleranceSeconds?: number;
+}
+export declare function signCpEnvelope(options: SignCpEnvelopeOptions): string;
+export declare function signSetupToken(options: SignSetupTokenOptions): string;
+export declare function verifyCpEnvelope(token: string, options: VerifyEnvelopeOptions): Promise<CpEnvelopeClaims>;
+export declare function verifySetupToken(token: string, options: VerifyEnvelopeOptions): Promise<SetupTokenClaims>;
+//# sourceMappingURL=envelope.d.ts.map

package/lib/runtime/auth/envelope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope.d.ts","sourceRoot":"","sources":["../../../src/runtime/auth/envelope.ts"],"names":[],"mappings":"AACA,OAAO,EAGL,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACtB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAuB,KAAK,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAMxE,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,GAAG;QACtD,gBAAgB,EAAE,MAAM,CAAC;QACzB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,GAAG;QACtD,gBAAgB,EAAE,MAAM,CAAC;QACzB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,MAAM,WAAW,qBAAqB;IACpC,+CAA+C;IAC/C,IAAI,CAAC,EAAE,iBAAiB,CAAC;IACzB,oEAAoE;IACpE,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/C,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,qBAAqB,GAAG,MAAM,CAgBrE;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,qBAAqB,GAAG,MAAM,CAgBrE;AAED,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAM/G;AAED,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAM/G"}

package/lib/runtime/auth/envelope.js

@@ -0,0 +1,123 @@
+import jwt from "jsonwebtoken";
+import { CpEnvelopeClaimsSchema, SetupTokenClaimsSchema } from "../../contracts/auth.js";
+import { uuidv7 } from "../uuid.js";
+import { getSigningKeyForKid } from "./jwks.js";
+const ALLOWED_ALGORITHM = "RS256";
+const ALLOWED_TYP = "JWT";
+const KID_PATTERN = /^[A-Za-z0-9_-]+$/;
+export function signCpEnvelope(options) {
+    const now = Math.floor(Date.now() / 1000);
+    const { expiresInSeconds, jti, ...rest } = options.claims;
+    const fullClaims = {
+        ...rest,
+        iat: now,
+        exp: now + expiresInSeconds,
+        jti: jti ?? uuidv7()
+    };
+    const validated = CpEnvelopeClaimsSchema.parse(fullClaims);
+    return jwt.sign(validated, options.privateKeyPem, {
+        algorithm: ALLOWED_ALGORITHM,
+        keyid: options.kid,
+        header: { alg: ALLOWED_ALGORITHM, typ: ALLOWED_TYP, kid: options.kid }
+    });
+}
+export function signSetupToken(options) {
+    const now = Math.floor(Date.now() / 1000);
+    const { expiresInSeconds, jti, ...rest } = options.claims;
+    const fullClaims = {
+        ...rest,
+        iat: now,
+        exp: now + expiresInSeconds,
+        jti: jti ?? uuidv7()
+    };
+    const validated = SetupTokenClaimsSchema.parse(fullClaims);
+    return jwt.sign(validated, options.privateKeyPem, {
+        algorithm: ALLOWED_ALGORITHM,
+        keyid: options.kid,
+        header: { alg: ALLOWED_ALGORITHM, typ: ALLOWED_TYP, kid: options.kid }
+    });
+}
+export async function verifyCpEnvelope(token, options) {
+    const claims = await verifyTypedToken(token, options);
+    if (claims.tokenType !== "cp-envelope") {
+        throw new Error(`Expected cp-envelope token, got ${String(claims.tokenType)}`);
+    }
+    return CpEnvelopeClaimsSchema.parse(claims);
+}
+export async function verifySetupToken(token, options) {
+    const claims = await verifyTypedToken(token, options);
+    if (claims.tokenType !== "setup") {
+        throw new Error(`Expected setup token, got ${String(claims.tokenType)}`);
+    }
+    return SetupTokenClaimsSchema.parse(claims);
+}
+async function verifyTypedToken(token, options) {
+    if (typeof token !== "string" || token.length === 0) {
+        throw new Error("Token is empty");
+    }
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+        throw new Error("Token must have exactly three parts");
+    }
+    const [encodedHeader] = parts;
+    const header = parseHeader(encodedHeader);
+    if (header.alg !== ALLOWED_ALGORITHM) {
+        throw new Error(`Algorithm not allowed: ${String(header.alg)}`);
+    }
+    if (header.typ !== ALLOWED_TYP) {
+        throw new Error(`Token typ not allowed: ${String(header.typ)}`);
+    }
+    if (typeof header.kid !== "string" || !KID_PATTERN.test(header.kid)) {
+        throw new Error("Invalid kid");
+    }
+    if ("jku" in header || "x5u" in header) {
+        throw new Error("Token header contains untrusted reference (jku/x5u)");
+    }
+    const publicKeyPem = options.keyResolver
+        ? await options.keyResolver(header.kid)
+        : await getSigningKeyForKid(requireJwks(options), header.kid);
+    let verified;
+    try {
+        verified = jwt.verify(token, publicKeyPem, {
+            algorithms: [ALLOWED_ALGORITHM],
+            issuer: options.expectedIssuer,
+            audience: options.expectedAudience,
+            clockTolerance: options.clockToleranceSeconds ?? 0,
+            complete: false
+        });
+    }
+    catch (error) {
+        throw new Error(`Envelope verification failed: ${error.message}`);
+    }
+    if (!verified || typeof verified !== "object") {
+        throw new Error("Verifier returned non-object claims");
+    }
+    return verified;
+}
+function parseHeader(encodedHeader) {
+    let json;
+    try {
+        json = Buffer.from(encodedHeader, "base64url").toString("utf8");
+    }
+    catch {
+        throw new Error("Token header is not valid base64url");
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(json);
+    }
+    catch {
+        throw new Error("Token header is not valid JSON");
+    }
+    if (!parsed || typeof parsed !== "object") {
+        throw new Error("Token header is not an object");
+    }
+    return parsed;
+}
+function requireJwks(options) {
+    if (!options.jwks) {
+        throw new Error("verifyEnvelope requires either jwks or keyResolver");
+    }
+    return options.jwks;
+}
+//# sourceMappingURL=envelope.js.map

package/lib/runtime/auth/envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope.js","sourceRoot":"","sources":["../../../src/runtime/auth/envelope.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EAGvB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AACpC,OAAO,EAAE,mBAAmB,EAA0B,MAAM,WAAW,CAAC;AAExE,MAAM,iBAAiB,GAAG,OAAgB,CAAC;AAC3C,MAAM,WAAW,GAAG,KAAc,CAAC;AACnC,MAAM,WAAW,GAAG,kBAAkB,CAAC;AA8BvC,MAAM,UAAU,cAAc,CAAC,OAA8B;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAC1D,MAAM,UAAU,GAAG;QACjB,GAAG,IAAI;QACP,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,gBAAgB;QAC3B,GAAG,EAAE,GAAG,IAAI,MAAM,EAAE;KACrB,CAAC;IAEF,MAAM,SAAS,GAAG,sBAAsB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC3D,OAAO,GAAG,CAAC,IAAI,CAAC,SAAmB,EAAE,OAAO,CAAC,aAAa,EAAE;QAC1D,SAAS,EAAE,iBAAiB;QAC5B,KAAK,EAAE,OAAO,CAAC,GAAG;QAClB,MAAM,EAAE,EAAE,GAAG,EAAE,iBAAiB,EAAE,GAAG,EAAE,WAAW,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;KACvE,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAA8B;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAC1D,MAAM,UAAU,GAAG;QACjB,GAAG,IAAI;QACP,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,gBAAgB;QAC3B,GAAG,EAAE,GAAG,IAAI,MAAM,EAAE;KACrB,CAAC;IAEF,MAAM,SAAS,GAAG,sBAAsB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC3D,OAAO,GAAG,CAAC,IAAI,CAAC,SAAmB,EAAE,OAAO,CAAC,aAAa,EAAE;QAC1D,SAAS,EAAE,iBAAiB;QAC5B,KAAK,EAAE,OAAO,CAAC,GAAG;QAClB,MAAM,EAAE,EAAE,GAAG,EAAE,iBAAiB,EAAE,GAAG,EAAE,WAAW,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;KACvE,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAa,EAAE,OAA8B;IAClF,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACtD,IAAI,MAAM,CAAC,SAAS,KAAK,aAAa,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,mCAAmC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACjF,CAAC;IACD,OAAO,sBAAsB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAa,EAAE,OAA8B;IAClF,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACtD,IAAI,MAAM,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,sBAAsB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC9C,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,KAAa,EAAE,OAA8B;IAC3E,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;IACpC,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC;IAC9B,MAAM,MAAM,GAAG,WAAW,CAAC,aAAa,CAAC,CAAC;IAE1C,IAAI,MAAM,CAAC,GAAG,KAAK,iBAAiB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;IACjC,CAAC;IACD,IAAI,KAAK,IAAI,MAAM,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW;QACtC,CAAC,CAAC,MAAM,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC;QACvC,CAAC,CAAC,MAAM,mBAAmB,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IAEhE,IAAI,QAAiB,CAAC;IACtB,IAAI,CAAC;QACH,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,YAAY,EAAE;YACzC,UAAU,EAAE,CAAC,iBAAiB,CAAC;YAC/B,MAAM,EAAE,OAAO,CAAC,cAAc;YAC9B,QAAQ,EAAE,OAAO,CAAC,gBAAgB;YAClC,cAAc,EAAE,OAAO,CAAC,qBAAqB,IAAI,CAAC;YAClD,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,iCAAkC,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IAC/E,CAAC;IACD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,QAAmC,CAAC;AAC7C,CAAC;AAED,SAAS,WAAW,CAAC,aAAqB;IACxC,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,MAAiC,CAAC;AAC3C,CAAC;AAED,SAAS,WAAW,CAAC,OAA8B;IACjD,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,OAAO,CAAC,IAAI,CAAC;AACtB,CAAC"}

package/lib/runtime/auth/issuer.d.ts

@@ -0,0 +1,44 @@
+import type { JwtClaims, TokenType } from "../../contracts/auth.js";
+import type { JwtVerifier } from "../../contracts/route.js";
+import type { RsaKeyPair } from "./keypair.js";
+export interface BpTokenIssuerOptions {
+    keyPair: RsaKeyPair;
+    issuer: string;
+    audience: string;
+    accessTokenSeconds: number;
+    refreshTokenSeconds?: number;
+}
+export interface BpTokenUser {
+    sub: string;
+    tenantId: string;
+    appId: string;
+    roles?: string[];
+    authProvider?: string;
+    providerSubject?: string;
+    provider?: JwtClaims["provider"];
+    name?: string;
+    email?: string;
+    picture?: string;
+}
+export interface BpIssuedTokenPair {
+    tokenId: string;
+    accessToken: string;
+    accessTokenExpiresInSeconds: number;
+    refreshToken?: string;
+    refreshTokenExpiresInSeconds?: number;
+}
+export interface BpRefreshTokenValidation {
+    refreshToken: string;
+    tenantId: string;
+    appId: string;
+}
+export declare function createBpTokenIssuer(options: BpTokenIssuerOptions): {
+    signAccessToken(input: BpTokenUser): string;
+    issueTokenPair(input: BpTokenUser, pairOptions?: {
+        includeRefreshToken?: boolean;
+    }): BpIssuedTokenPair;
+    verifyRefreshToken(input: BpRefreshTokenValidation): Promise<JwtClaims>;
+    verifier(expectedTokenType?: TokenType): JwtVerifier;
+};
+export type BpTokenIssuer = ReturnType<typeof createBpTokenIssuer>;
+//# sourceMappingURL=issuer.d.ts.map

package/lib/runtime/auth/issuer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"issuer.d.ts","sourceRoot":"","sources":["../../../src/runtime/auth/issuer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAE5D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG/C,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,UAAU,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,EAAE,SAAS,CAAC,UAAU,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,2BAA2B,EAAE,MAAM,CAAC;IACpC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4BAA4B,CAAC,EAAE,MAAM,CAAC;CACvC;AAED,MAAM,WAAW,wBAAwB;IACvC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,oBAAoB;2BA8BtC,WAAW,GAAG,MAAM;0BAIrB,WAAW,gBAAe;QAAE,mBAAmB,CAAC,EAAE,OAAO,CAAA;KAAE,GAAmC,iBAAiB;8BAsBrG,wBAAwB,GAAG,OAAO,CAAC,SAAS,CAAC;iCAajD,SAAS,GAAc,WAAW;EAajE;AAED,MAAM,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC"}

package/lib/runtime/auth/issuer.js

@@ -0,0 +1,82 @@
+import { uuidv7 } from "../uuid.js";
+import { signJwt, verifyJwt } from "./tokens.js";
+export function createBpTokenIssuer(options) {
+    const keyResolver = async (kid) => {
+        if (kid !== options.keyPair.kid)
+            throw new Error("Unknown signing key");
+        return options.keyPair.publicKeyPem;
+    };
+    const signToken = (input, tokenType, expiresInSeconds, tokenId = uuidv7()) => signJwt({
+        privateKeyPem: options.keyPair.privateKeyPem,
+        kid: options.keyPair.kid,
+        claims: {
+            iss: options.issuer,
+            aud: options.audience,
+            sub: input.sub,
+            tenantId: input.tenantId,
+            appId: input.appId,
+            roles: tokenType === "refresh" ? [] : (input.roles ?? []),
+            realm: "runtime",
+            tokenType,
+            authProvider: input.authProvider,
+            providerSubject: input.providerSubject,
+            provider: input.provider,
+            name: input.name,
+            email: input.email,
+            picture: input.picture,
+            expiresInSeconds,
+            jti: tokenId
+        }
+    });
+    return {
+        signAccessToken(input) {
+            return signToken(input, "access", options.accessTokenSeconds);
+        },
+        issueTokenPair(input, pairOptions = { includeRefreshToken: true }) {
+            const tokenId = uuidv7();
+            const accessToken = signToken(input, "access", options.accessTokenSeconds, tokenId);
+            if (!pairOptions.includeRefreshToken) {
+                return {
+                    tokenId,
+                    accessToken,
+                    accessTokenExpiresInSeconds: options.accessTokenSeconds
+                };
+            }
+            if (!options.refreshTokenSeconds) {
+                throw new Error("refreshTokenSeconds is required to issue refresh tokens");
+            }
+            return {
+                tokenId,
+                accessToken,
+                accessTokenExpiresInSeconds: options.accessTokenSeconds,
+                refreshToken: signToken(input, "refresh", options.refreshTokenSeconds, tokenId),
+                refreshTokenExpiresInSeconds: options.refreshTokenSeconds
+            };
+        },
+        async verifyRefreshToken(input) {
+            const claims = await verifyJwt(input.refreshToken, {
+                keyResolver,
+                expectedIssuer: options.issuer,
+                expectedAudience: options.audience,
+                expectedTokenType: "refresh"
+            });
+            if (claims.tenantId !== input.tenantId || claims.appId !== input.appId) {
+                throw new Error("Refresh token bound to a different tenant/app");
+            }
+            return claims;
+        },
+        verifier(expectedTokenType = "access") {
+            return {
+                verify(token) {
+                    return verifyJwt(token, {
+                        keyResolver,
+                        expectedIssuer: options.issuer,
+                        expectedAudience: options.audience,
+                        expectedTokenType
+                    });
+                }
+            };
+        }
+    };
+}
+//# sourceMappingURL=issuer.js.map

package/lib/runtime/auth/issuer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"issuer.js","sourceRoot":"","sources":["../../../src/runtime/auth/issuer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AAEpC,OAAO,EAAE,OAAO,EAAE,SAAS,EAAoB,MAAM,aAAa,CAAC;AAqCnE,MAAM,UAAU,mBAAmB,CAAC,OAA6B;IAC/D,MAAM,WAAW,GAAgB,KAAK,EAAE,GAAG,EAAE,EAAE;QAC7C,IAAI,GAAG,KAAK,OAAO,CAAC,OAAO,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACxE,OAAO,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC;IACtC,CAAC,CAAC;IAEF,MAAM,SAAS,GAAG,CAAC,KAAkB,EAAE,SAAoB,EAAE,gBAAwB,EAAE,OAAO,GAAG,MAAM,EAAE,EAAU,EAAE,CAAC,OAAO,CAAC;QAC5H,aAAa,EAAE,OAAO,CAAC,OAAO,CAAC,aAAa;QAC5C,GAAG,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG;QACxB,MAAM,EAAE;YACN,GAAG,EAAE,OAAO,CAAC,MAAM;YACnB,GAAG,EAAE,OAAO,CAAC,QAAQ;YACrB,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,KAAK,EAAE,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;YACzD,KAAK,EAAE,SAAS;YAChB,SAAS;YACT,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,eAAe,EAAE,KAAK,CAAC,eAAe;YACtC,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,gBAAgB;YAChB,GAAG,EAAE,OAAO;SACb;KACF,CAAC,CAAC;IAEH,OAAO;QACL,eAAe,CAAC,KAAkB;YAChC,OAAO,SAAS,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAChE,CAAC;QAED,cAAc,CAAC,KAAkB,EAAE,cAAiD,EAAE,mBAAmB,EAAE,IAAI,EAAE;YAC/G,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC;YACzB,MAAM,WAAW,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAC;YACpF,IAAI,CAAC,WAAW,CAAC,mBAAmB,EAAE,CAAC;gBACrC,OAAO;oBACL,OAAO;oBACP,WAAW;oBACX,2BAA2B,EAAE,OAAO,CAAC,kBAAkB;iBACxD,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;YAC7E,CAAC;YACD,OAAO;gBACL,OAAO;gBACP,WAAW;gBACX,2BAA2B,EAAE,OAAO,CAAC,kBAAkB;gBACvD,YAAY,EAAE,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,CAAC,mBAAmB,EAAE,OAAO,CAAC;gBAC/E,4BAA4B,EAAE,OAAO,CAAC,mBAAmB;aAC1D,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,kBAAkB,CAAC,KAA+B;YACtD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,YAAY,EAAE;gBACjD,WAAW;gBACX,cAAc,EAAE,OAAO,CAAC,MAAM;gBAC9B,gBAAgB,EAAE,OAAO,CAAC,QAAQ;gBAClC,iBAAiB,EAAE,SAAS;aAC7B,CAAC,CAAC;YACH,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC;gBACvE,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;YACnE,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,QAAQ,CAAC,oBAA+B,QAAQ;YAC9C,OAAO;gBACL,MAAM,CAAC,KAAa;oBAClB,OAAO,SAAS,CAAC,KAAK,EAAE;wBACtB,WAAW;wBACX,cAAc,EAAE,OAAO,CAAC,MAAM;wBAC9B,gBAAgB,EAAE,OAAO,CAAC,QAAQ;wBAClC,iBAAiB;qBAClB,CAAC,CAAC;gBACL,CAAC;aACF,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/lib/runtime/auth/jwks.d.ts

@@ -0,0 +1,7 @@
+export interface JwksLookupOptions {
+    jwksUri: string;
+    issuer: string;
+}
+export declare function getSigningKeyForKid(options: JwksLookupOptions, kid: string): Promise<string>;
+export declare function clearJwksCache(): void;
+//# sourceMappingURL=jwks.d.ts.map

package/lib/runtime/auth/jwks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks.d.ts","sourceRoot":"","sources":["../../../src/runtime/auth/jwks.ts"],"names":[],"mappings":"AAaA,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;CAChB;AAqDD,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,iBAAiB,EAC1B,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,CAAC,CAcjB;AAED,wBAAgB,cAAc,IAAI,IAAI,CAErC"}

package/lib/runtime/auth/jwks.js

@@ -0,0 +1,69 @@
+import { createPublicKey } from "node:crypto";
+const KID_PATTERN = /^[A-Za-z0-9_-]+$/;
+const clientCache = new Map();
+const CACHE_TTL_MS = 30 * 60 * 1000;
+async function getJwksKeys(options) {
+    const cacheKey = `${options.issuer}|${options.jwksUri}`;
+    const now = Date.now();
+    const existing = clientCache.get(cacheKey);
+    if (existing && now - existing.lastUsed < CACHE_TTL_MS) {
+        existing.lastUsed = now;
+        return existing.keys;
+    }
+    const response = await fetch(options.jwksUri, {
+        headers: { accept: "application/json" },
+        signal: AbortSignal.timeout(5000)
+    });
+    const contentType = response.headers.get("content-type") ?? "";
+    const text = await response.text();
+    if (!response.ok) {
+        throw new Error(`JWKS fetch failed: ${options.jwksUri} HTTP ${response.status} ${text.slice(0, 160)}`);
+    }
+    if (!contentType.includes("application/json") && !contentType.includes("application/jwk-set+json")) {
+        throw new Error(`JWKS endpoint returned non-JSON: ${options.jwksUri} content-type=${contentType || "(missing)"} body=${text.slice(0, 160)}`);
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(text);
+    }
+    catch (error) {
+        throw new Error(`JWKS endpoint returned invalid JSON: ${options.jwksUri}: ${error.message}`);
+    }
+    const rawKeys = parsed.keys;
+    if (!Array.isArray(rawKeys)) {
+        throw new Error(`JWKS endpoint missing keys array: ${options.jwksUri}`);
+    }
+    const keys = new Map();
+    for (const rawKey of rawKeys) {
+        const kid = rawKey.kid;
+        if (typeof kid !== "string" || kid.length === 0)
+            continue;
+        try {
+            const pem = createPublicKey({ key: rawKey, format: "jwk" }).export({ type: "spki", format: "pem" });
+            keys.set(kid, pem);
+        }
+        catch {
+            // Skip unusable keys; lookup below reports the missing kid.
+        }
+    }
+    clientCache.set(cacheKey, { keys, jwksUri: options.jwksUri, lastUsed: now });
+    return keys;
+}
+export async function getSigningKeyForKid(options, kid) {
+    if (typeof kid !== "string" || kid.length === 0 || kid.length > 256) {
+        throw new Error("Invalid kid: empty or too long");
+    }
+    if (!KID_PATTERN.test(kid)) {
+        throw new Error(`Invalid kid: must match ${KID_PATTERN.source}`);
+    }
+    const keys = await getJwksKeys(options);
+    const key = keys.get(kid);
+    if (!key) {
+        throw new Error(`JWKS key not found for kid ${kid}: ${options.jwksUri}`);
+    }
+    return key;
+}
+export function clearJwksCache() {
+    clientCache.clear();
+}
+//# sourceMappingURL=jwks.js.map

package/lib/runtime/auth/jwks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks.js","sourceRoot":"","sources":["../../../src/runtime/auth/jwks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,MAAM,WAAW,GAAG,kBAAkB,CAAC;AAQvC,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;AACpD,MAAM,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAOpC,KAAK,UAAU,WAAW,CAAC,OAA0B;IACnD,MAAM,QAAQ,GAAG,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IACxD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC3C,IAAI,QAAQ,IAAI,GAAG,GAAG,QAAQ,CAAC,QAAQ,GAAG,YAAY,EAAE,CAAC;QACvD,QAAQ,CAAC,QAAQ,GAAG,GAAG,CAAC;QACxB,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE;QAC5C,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;QACvC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;KAClC,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IAC/D,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,sBAAsB,OAAO,CAAC,OAAO,SAAS,QAAQ,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACzG,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,0BAA0B,CAAC,EAAE,CAAC;QACnG,MAAM,IAAI,KAAK,CAAC,oCAAoC,OAAO,CAAC,OAAO,iBAAiB,WAAW,IAAI,WAAW,SAAS,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAC/I,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,wCAAwC,OAAO,CAAC,OAAO,KAAM,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1G,CAAC;IAED,MAAM,OAAO,GAAI,MAA6B,CAAC,IAAI,CAAC;IACpD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,qCAAqC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAI,MAA4B,CAAC,GAAG,CAAC;QAC9C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAC1D,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,MAAe,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;YACvH,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,4DAA4D;QAC9D,CAAC;IACH,CAAC;IAED,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;IAC7E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAA0B,EAC1B,GAAW;IAEX,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,2BAA2B,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC1B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,WAAW,CAAC,KAAK,EAAE,CAAC;AACtB,CAAC"}

package/lib/runtime/auth/keypair.d.ts

@@ -0,0 +1,21 @@
+export interface RsaKeyPair {
+    privateKeyPem: string;
+    publicKeyPem: string;
+    kid: string;
+}
+export interface GenerateKeyPairOptions {
+    kid?: string;
+    modulusLength?: 2048 | 3072 | 4096;
+}
+export declare function generateKeyPair(options?: GenerateKeyPairOptions): RsaKeyPair;
+export declare function loadOrGenerateKeyPair(filePath: string, options?: GenerateKeyPairOptions): RsaKeyPair;
+export interface JwkRsaPublic {
+    kty: "RSA";
+    use: "sig";
+    alg: "RS256";
+    kid: string;
+    n: string;
+    e: string;
+}
+export declare function publicKeyToJwk(publicKeyPem: string, kid: string): JwkRsaPublic;
+//# sourceMappingURL=keypair.d.ts.map

package/lib/runtime/auth/keypair.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keypair.d.ts","sourceRoot":"","sources":["../../../src/runtime/auth/keypair.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,UAAU;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,sBAAsB;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;CACpC;AAED,wBAAgB,eAAe,CAAC,OAAO,GAAE,sBAA2B,GAAG,UAAU,CAUhF;AAED,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,GAAE,sBAA2B,GAAG,UAAU,CAcxG;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,KAAK,CAAC;IACX,GAAG,EAAE,KAAK,CAAC;IACX,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;CACX;AAED,wBAAgB,cAAc,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,YAAY,CAc9E"}

package/lib/runtime/auth/keypair.js

@@ -0,0 +1,50 @@
+import { generateKeyPairSync, createPublicKey } from "node:crypto";
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { dirname } from "node:path";
+export function generateKeyPair(options = {}) {
+    const modulusLength = options.modulusLength ?? 2048;
+    const { privateKey, publicKey } = generateKeyPairSync("rsa", {
+        modulusLength,
+        publicKeyEncoding: { type: "spki", format: "pem" },
+        privateKeyEncoding: { type: "pkcs8", format: "pem" }
+    });
+    const kid = options.kid ?? deriveKid(publicKey);
+    return { privateKeyPem: privateKey, publicKeyPem: publicKey, kid };
+}
+export function loadOrGenerateKeyPair(filePath, options = {}) {
+    if (existsSync(filePath)) {
+        const raw = readFileSync(filePath, "utf8");
+        const parsed = JSON.parse(raw);
+        if (typeof parsed.privateKeyPem !== "string" || typeof parsed.publicKeyPem !== "string" || typeof parsed.kid !== "string") {
+            throw new Error(`Keypair file ${filePath} is malformed`);
+        }
+        return parsed;
+    }
+    const pair = generateKeyPair(options);
+    mkdirSync(dirname(filePath), { recursive: true });
+    writeFileSync(filePath, JSON.stringify(pair, null, 2), { mode: 0o600 });
+    return pair;
+}
+export function publicKeyToJwk(publicKeyPem, kid) {
+    const keyObject = createPublicKey(publicKeyPem);
+    const jwk = keyObject.export({ format: "jwk" });
+    if (jwk.kty !== "RSA" || typeof jwk.n !== "string" || typeof jwk.e !== "string") {
+        throw new Error("Public key is not RSA");
+    }
+    return {
+        kty: "RSA",
+        use: "sig",
+        alg: "RS256",
+        kid,
+        n: jwk.n,
+        e: jwk.e
+    };
+}
+function deriveKid(publicKeyPem) {
+    const keyObject = createPublicKey(publicKeyPem);
+    const jwk = keyObject.export({ format: "jwk" });
+    if (!jwk.n)
+        throw new Error("Cannot derive kid from non-RSA key");
+    return jwk.n.replace(/[^A-Za-z0-9_-]/g, "").slice(0, 16) || "default";
+}
+//# sourceMappingURL=keypair.js.map

package/lib/runtime/auth/keypair.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keypair.js","sourceRoot":"","sources":["../../../src/runtime/auth/keypair.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAkB,MAAM,aAAa,CAAC;AACnF,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAapC,MAAM,UAAU,eAAe,CAAC,UAAkC,EAAE;IAClE,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,IAAI,CAAC;IACpD,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;QAC3D,aAAa;QACb,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;QAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,SAAS,CAAC,SAAS,CAAC,CAAC;IAChD,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;AACrE,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAgB,EAAE,UAAkC,EAAE;IAC1F,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAe,CAAC;QAC7C,IAAI,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC1H,MAAM,IAAI,KAAK,CAAC,gBAAgB,QAAQ,eAAe,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,IAAI,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACtC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACxE,OAAO,IAAI,CAAC;AACd,CAAC;AAWD,MAAM,UAAU,cAAc,CAAC,YAAoB,EAAE,GAAW;IAC9D,MAAM,SAAS,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IAChD,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAA0C,CAAC;IACzF,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,OAAO,GAAG,CAAC,CAAC,KAAK,QAAQ,IAAI,OAAO,GAAG,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;QAChF,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO;QACL,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,OAAO;QACZ,GAAG;QACH,CAAC,EAAE,GAAG,CAAC,CAAC;QACR,CAAC,EAAE,GAAG,CAAC,CAAC;KACT,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,YAAoB;IACrC,MAAM,SAAS,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IAChD,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAmB,CAAC;IAClE,IAAI,CAAC,GAAG,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IAClE,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,SAAS,CAAC;AACxE,CAAC"}