@betterportal/framework 0.0.1

package/lib/runtime/auth/tokens.d.ts

@@ -0,0 +1,25 @@
+import { type JwtClaims, type TokenType } from "../../contracts/auth.js";
+import { type JwksLookupOptions } from "./jwks.js";
+export interface SignJwtOptions {
+    privateKeyPem: string;
+    kid: string;
+    claims: Omit<JwtClaims, "iss" | "aud" | "exp" | "iat" | "jti"> & {
+        iss: string;
+        aud: string | string[];
+        expiresInSeconds: number;
+        jti?: string;
+    };
+}
+export type KeyResolver = (kid: string) => Promise<string>;
+export interface VerifyJwtOptions {
+    jwks?: JwksLookupOptions;
+    keyResolver?: KeyResolver;
+    expectedIssuer: string;
+    expectedAudience: string;
+    expectedTokenType?: TokenType;
+    clockToleranceSeconds?: number;
+}
+export declare function signJwt(options: SignJwtOptions): string;
+export declare function verifyJwt(token: string, options: VerifyJwtOptions): Promise<JwtClaims>;
+export declare function unsafeDecodeJwtPayload(token: string): unknown;
+//# sourceMappingURL=tokens.d.ts.map

package/lib/runtime/auth/tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../../../src/runtime/auth/tokens.ts"],"names":[],"mappings":"AACA,OAAO,EAAmB,KAAK,SAAS,EAAE,KAAK,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAE1F,OAAO,EAAuB,KAAK,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAMxE,MAAM,WAAW,cAAc;IAC7B,aAAa,EAAE,MAAM,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,IAAI,CAAC,SAAS,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,GAAG;QAC/D,GAAG,EAAE,MAAM,CAAC;QACZ,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACvB,gBAAgB,EAAE,MAAM,CAAC;QACzB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,MAAM,MAAM,WAAW,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,IAAI,CAAC,EAAE,iBAAiB,CAAC;IACzB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,CAAC,EAAE,SAAS,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED,wBAAgB,OAAO,CAAC,OAAO,EAAE,cAAc,GAAG,MAAM,CAmBvD;AAED,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,SAAS,CAAC,CAmF5F;AAgCD,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAI7D"}

package/lib/runtime/auth/tokens.js

@@ -0,0 +1,137 @@
+import jwt from "jsonwebtoken";
+import { JwtClaimsSchema } from "../../contracts/auth.js";
+import { uuidv7 } from "../uuid.js";
+import { getSigningKeyForKid } from "./jwks.js";
+const ALLOWED_ALGORITHM = "RS256";
+const ALLOWED_TYP = "JWT";
+const KID_PATTERN = /^[A-Za-z0-9_-]+$/;
+export function signJwt(options) {
+    const now = Math.floor(Date.now() / 1000);
+    const { expiresInSeconds, jti, ...rest } = options.claims;
+    const fullClaims = {
+        ...rest,
+        iat: now,
+        exp: now + expiresInSeconds,
+        jti: jti ?? generateJti()
+    };
+    const validated = JwtClaimsSchema.parse(fullClaims);
+    const signOptions = {
+        algorithm: ALLOWED_ALGORITHM,
+        keyid: options.kid,
+        header: { alg: ALLOWED_ALGORITHM, typ: ALLOWED_TYP, kid: options.kid }
+    };
+    return jwt.sign(validated, options.privateKeyPem, signOptions);
+}
+export async function verifyJwt(token, options) {
+    if (typeof token !== "string" || token.length === 0) {
+        throw new Error("Token is empty");
+    }
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+        throw new Error("Token must have exactly three parts");
+    }
+    const [encodedHeader] = parts;
+    const header = parseHeader(encodedHeader);
+    if (header.alg !== ALLOWED_ALGORITHM) {
+        throw new Error(`Algorithm not allowed: ${String(header.alg)}`);
+    }
+    if (header.typ !== ALLOWED_TYP) {
+        throw new Error(`Token typ not allowed: ${String(header.typ)}`);
+    }
+    if (typeof header.kid !== "string") {
+        throw new Error("Token header missing kid");
+    }
+    if ("jku" in header || "x5u" in header) {
+        throw new Error("Token header contains untrusted reference (jku/x5u)");
+    }
+    if (!KID_PATTERN.test(header.kid) || header.kid.length > 256) {
+        throw new Error(`Invalid kid: must match ${KID_PATTERN.source}`);
+    }
+    const publicKeyPem = options.keyResolver
+        ? await options.keyResolver(header.kid)
+        : await getSigningKeyForKid(requireJwks(options), header.kid);
+    let libVerified;
+    try {
+        libVerified = jwt.verify(token, publicKeyPem, {
+            algorithms: [ALLOWED_ALGORITHM],
+            issuer: options.expectedIssuer,
+            audience: options.expectedAudience,
+            clockTolerance: options.clockToleranceSeconds ?? 0,
+            complete: false
+        });
+    }
+    catch (error) {
+        throw new Error(`Library verification failed: ${error.message}`);
+    }
+    if (!libVerified || typeof libVerified !== "object") {
+        throw new Error("Library returned non-object claims");
+    }
+    const claims = JwtClaimsSchema.parse(libVerified);
+    const now = Math.floor(Date.now() / 1000);
+    const tolerance = options.clockToleranceSeconds ?? 0;
+    if (claims.exp <= now - tolerance) {
+        throw new Error("Token is expired (manual re-check)");
+    }
+    if (typeof claims.nbf === "number" && claims.nbf > now + tolerance) {
+        throw new Error("Token is not yet valid (manual re-check)");
+    }
+    if (claims.iss !== options.expectedIssuer) {
+        throw new Error(`EIssuer mismatch (manual re-check) (${claims.iss} != ${options.expectedIssuer}`);
+    }
+    const auds = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
+    if (!auds.includes(options.expectedAudience)) {
+        throw new Error(`Audience mismatch (manual re-check) (${options.expectedAudience} != ${auds.join(',')})`);
+    }
+    if (typeof claims.tenantId !== "string" || claims.tenantId.length === 0) {
+        throw new Error("tenantId missing or empty");
+    }
+    if (typeof claims.appId !== "string" || claims.appId.length === 0) {
+        throw new Error("appId missing or empty");
+    }
+    if (!Array.isArray(claims.roles)) {
+        throw new Error("roles missing");
+    }
+    if (claims.roles.some((role) => typeof role !== "string" || role.length === 0)) {
+        throw new Error("roles entries invalid");
+    }
+    if (options.expectedTokenType && claims.tokenType !== options.expectedTokenType) {
+        throw new Error(`Token type mismatch: expected ${options.expectedTokenType}, got ${claims.tokenType}`);
+    }
+    return claims;
+}
+function parseHeader(encodedHeader) {
+    let json;
+    try {
+        json = Buffer.from(encodedHeader, "base64url").toString("utf8");
+    }
+    catch {
+        throw new Error("Token header is not valid base64url");
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(json);
+    }
+    catch {
+        throw new Error("Token header is not valid JSON");
+    }
+    if (!parsed || typeof parsed !== "object") {
+        throw new Error("Token header is not an object");
+    }
+    return parsed;
+}
+function generateJti() {
+    return uuidv7();
+}
+function requireJwks(options) {
+    if (!options.jwks) {
+        throw new Error("verifyJwt requires either jwks or keyResolver");
+    }
+    return options.jwks;
+}
+export function unsafeDecodeJwtPayload(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        throw new Error("Token must have exactly three parts");
+    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
+}
+//# sourceMappingURL=tokens.js.map

package/lib/runtime/auth/tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.js","sourceRoot":"","sources":["../../../src/runtime/auth/tokens.ts"],"names":[],"mappings":"AAAA,OAAO,GAAyC,MAAM,cAAc,CAAC;AACrE,OAAO,EAAE,eAAe,EAAkC,MAAM,yBAAyB,CAAC;AAC1F,OAAO,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AACpC,OAAO,EAAE,mBAAmB,EAA0B,MAAM,WAAW,CAAC;AAExE,MAAM,iBAAiB,GAAG,OAAgB,CAAC;AAC3C,MAAM,WAAW,GAAG,KAAc,CAAC;AACnC,MAAM,WAAW,GAAG,kBAAkB,CAAC;AAwBvC,MAAM,UAAU,OAAO,CAAC,OAAuB;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAC1D,MAAM,UAAU,GAAG;QACjB,GAAG,IAAI;QACP,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,gBAAgB;QAC3B,GAAG,EAAE,GAAG,IAAI,WAAW,EAAE;KAC1B,CAAC;IAEF,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAEpD,MAAM,WAAW,GAAgB;QAC/B,SAAS,EAAE,iBAAiB;QAC5B,KAAK,EAAE,OAAO,CAAC,GAAG;QAClB,MAAM,EAAE,EAAE,GAAG,EAAE,iBAAiB,EAAE,GAAG,EAAE,WAAW,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;KACvE,CAAC;IAEF,OAAO,GAAG,CAAC,IAAI,CAAC,SAAmB,EAAE,OAAO,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;AAC3E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAAa,EAAE,OAAyB;IACtE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;IACpC,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC;IAC9B,MAAM,MAAM,GAAG,WAAW,CAAC,aAAa,CAAC,CAAC;IAE1C,IAAI,MAAM,CAAC,GAAG,KAAK,iBAAiB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,KAAK,IAAI,MAAM,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,2BAA2B,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW;QACtC,CAAC,CAAC,MAAM,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC;QACvC,CAAC,CAAC,MAAM,mBAAmB,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IAEhE,IAAI,WAAoB,CAAC;IACzB,IAAI,CAAC;QACH,WAAW,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,YAAY,EAAE;YAC5C,UAAU,EAAE,CAAC,iBAAiB,CAAC;YAC/B,MAAM,EAAE,OAAO,CAAC,cAAc;YAC9B,QAAQ,EAAE,OAAO,CAAC,gBAAgB;YAClC,cAAc,EAAE,OAAO,CAAC,qBAAqB,IAAI,CAAC;YAClD,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,gCAAiC,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,CAAC,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAElD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,OAAO,CAAC,qBAAqB,IAAI,CAAC,CAAC;IACrD,IAAI,MAAM,CAAC,GAAG,IAAI,GAAG,GAAG,SAAS,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,SAAS,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,CAAC,cAAc,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,uCAAuC,MAAM,CAAC,GAAG,OAAO,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;IACpG,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACnE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,wCAAwC,OAAO,CAAC,gBAAgB,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5G,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAC/E,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,OAAO,CAAC,iBAAiB,IAAI,MAAM,CAAC,SAAS,KAAK,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAChF,MAAM,IAAI,KAAK,CAAC,iCAAiC,OAAO,CAAC,iBAAiB,SAAS,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IACzG,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,WAAW,CAAC,aAAqB;IACxC,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,MAAkE,CAAC;AAC5E,CAAC;AAED,SAAS,WAAW;IAClB,OAAO,MAAM,EAAE,CAAC;AAClB,CAAC;AAED,SAAS,WAAW,CAAC,OAAyB;IAC5C,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,OAAO,CAAC,IAAI,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,KAAa;IAClD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IAC/E,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACzE,CAAC"}

package/lib/runtime/auth/verifier.d.ts

@@ -0,0 +1,45 @@
+import type { TokenType } from "../../contracts/auth.js";
+import type { JwtVerifier } from "../../contracts/route.js";
+import { type KeyResolver } from "./tokens.js";
+export interface CreateJwksVerifierOptions {
+    jwksUri: string;
+    expectedIssuer: string;
+    expectedAudience: string;
+    expectedTokenType?: TokenType;
+    clockToleranceSeconds?: number;
+}
+/**
+ * Build a JwtVerifier that fetches signing keys from a remote JWKS endpoint.
+ * Use when verifying tokens issued by a separate auth service.
+ */
+export declare function createJwksVerifier(options: CreateJwksVerifierOptions): JwtVerifier;
+export interface CreateLocalVerifierOptions {
+    keyResolver: KeyResolver;
+    expectedIssuer: string;
+    expectedAudience: string;
+    expectedTokenType?: TokenType;
+    clockToleranceSeconds?: number;
+}
+export interface CreateStaticJwksVerifierOptions {
+    /** JWKS document - keys pushed by the auth service at /install. */
+    jwks: {
+        keys: ReadonlyArray<Record<string, unknown>>;
+    };
+    expectedIssuer: string;
+    expectedAudience: string;
+    expectedTokenType?: TokenType;
+    clockToleranceSeconds?: number;
+}
+/**
+ * Build a JwtVerifier that resolves signing keys from an in-memory JWKS doc.
+ * Use when the CP cannot reach the issuer for live JWKS fetches - keys are
+ * pushed by the auth service at /install (and on rotation) and cached in
+ * app.auth.publicKeys.
+ */
+export declare function createStaticJwksVerifier(options: CreateStaticJwksVerifierOptions): JwtVerifier;
+/**
+ * Build a JwtVerifier that uses an in-process key resolver.
+ * Use when the verifying service is the same as the issuer (auth provider verifying its own refresh tokens).
+ */
+export declare function createLocalVerifier(options: CreateLocalVerifierOptions): JwtVerifier;
+//# sourceMappingURL=verifier.d.ts.map

package/lib/runtime/auth/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/runtime/auth/verifier.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAa,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAa,KAAK,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1D,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,CAAC,EAAE,SAAS,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,yBAAyB,GAAG,WAAW,CAYlF;AAED,MAAM,WAAW,0BAA0B;IACzC,WAAW,EAAE,WAAW,CAAC;IACzB,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,CAAC,EAAE,SAAS,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,+BAA+B;IAC9C,mEAAmE;IACnE,IAAI,EAAE;QAAE,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;KAAE,CAAC;IACvD,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,CAAC,EAAE,SAAS,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,+BAA+B,GAAG,WAAW,CA6B9F;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,0BAA0B,GAAG,WAAW,CAYpF"}

package/lib/runtime/auth/verifier.js

@@ -0,0 +1,76 @@
+import { createPublicKey } from "node:crypto";
+import { verifyJwt } from "./tokens.js";
+/**
+ * Build a JwtVerifier that fetches signing keys from a remote JWKS endpoint.
+ * Use when verifying tokens issued by a separate auth service.
+ */
+export function createJwksVerifier(options) {
+    return {
+        verify(token) {
+            return verifyJwt(token, {
+                jwks: { jwksUri: options.jwksUri, issuer: options.expectedIssuer },
+                expectedIssuer: options.expectedIssuer,
+                expectedAudience: options.expectedAudience,
+                expectedTokenType: options.expectedTokenType,
+                clockToleranceSeconds: options.clockToleranceSeconds
+            });
+        }
+    };
+}
+/**
+ * Build a JwtVerifier that resolves signing keys from an in-memory JWKS doc.
+ * Use when the CP cannot reach the issuer for live JWKS fetches - keys are
+ * pushed by the auth service at /install (and on rotation) and cached in
+ * app.auth.publicKeys.
+ */
+export function createStaticJwksVerifier(options) {
+    const byKid = new Map();
+    for (const jwk of options.jwks.keys) {
+        const kid = jwk.kid;
+        if (typeof kid !== "string" || kid.length === 0)
+            continue;
+        try {
+            const pem = createPublicKey({ key: jwk, format: "jwk" })
+                .export({ type: "spki", format: "pem" });
+            byKid.set(kid, pem);
+        }
+        catch {
+            // Skip unparseable key; verifier will reject tokens that need it.
+        }
+    }
+    const keyResolver = async (kid) => {
+        const pem = byKid.get(kid);
+        if (!pem)
+            throw new Error(`No public key for kid ${kid}`);
+        return pem;
+    };
+    return {
+        verify(token) {
+            return verifyJwt(token, {
+                keyResolver,
+                expectedIssuer: options.expectedIssuer,
+                expectedAudience: options.expectedAudience,
+                expectedTokenType: options.expectedTokenType,
+                clockToleranceSeconds: options.clockToleranceSeconds
+            });
+        }
+    };
+}
+/**
+ * Build a JwtVerifier that uses an in-process key resolver.
+ * Use when the verifying service is the same as the issuer (auth provider verifying its own refresh tokens).
+ */
+export function createLocalVerifier(options) {
+    return {
+        verify(token) {
+            return verifyJwt(token, {
+                keyResolver: options.keyResolver,
+                expectedIssuer: options.expectedIssuer,
+                expectedAudience: options.expectedAudience,
+                expectedTokenType: options.expectedTokenType,
+                clockToleranceSeconds: options.clockToleranceSeconds
+            });
+        }
+    };
+}
+//# sourceMappingURL=verifier.js.map

package/lib/runtime/auth/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/runtime/auth/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9C,OAAO,EAAE,SAAS,EAAoB,MAAM,aAAa,CAAC;AAU1D;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAkC;IACnE,OAAO;QACL,MAAM,CAAC,KAAa;YAClB,OAAO,SAAS,CAAC,KAAK,EAAE;gBACtB,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,cAAc,EAAE;gBAClE,cAAc,EAAE,OAAO,CAAC,cAAc;gBACtC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;gBAC1C,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;gBAC5C,qBAAqB,EAAE,OAAO,CAAC,qBAAqB;aACrD,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAmBD;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAAwC;IAC/E,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACpC,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACpB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAC1D,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,GAAY,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;iBAC9D,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;YACrD,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;QACpE,CAAC;IACH,CAAC;IACD,MAAM,WAAW,GAAgB,KAAK,EAAE,GAAW,EAAE,EAAE;QACrD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC3B,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,EAAE,CAAC,CAAC;QAC1D,OAAO,GAAG,CAAC;IACb,CAAC,CAAC;IACF,OAAO;QACL,MAAM,CAAC,KAAa;YAClB,OAAO,SAAS,CAAC,KAAK,EAAE;gBACtB,WAAW;gBACX,cAAc,EAAE,OAAO,CAAC,cAAc;gBACtC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;gBAC1C,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;gBAC5C,qBAAqB,EAAE,OAAO,CAAC,qBAAqB;aACrD,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAmC;IACrE,OAAO;QACL,MAAM,CAAC,KAAa;YAClB,OAAO,SAAS,CAAC,KAAK,EAAE;gBACtB,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,cAAc,EAAE,OAAO,CAAC,cAAc;gBACtC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;gBAC1C,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;gBAC5C,qBAAqB,EAAE,OAAO,CAAC,qBAAqB;aACrD,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC"}

package/lib/runtime/bpHeaders.d.ts

@@ -0,0 +1,10 @@
+import type { BpHeadersApi } from "../contracts/route.js";
+export interface BpHeadersCollector extends BpHeadersApi {
+    /** Render directives as a list of HTTP response headers. */
+    emit(): {
+        setHeaders: string[];
+        removeHeaders: string[];
+    };
+}
+export declare function createBpHeadersCollector(): BpHeadersCollector;
+//# sourceMappingURL=bpHeaders.d.ts.map

package/lib/runtime/bpHeaders.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bpHeaders.d.ts","sourceRoot":"","sources":["../../src/runtime/bpHeaders.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAsB,MAAM,uBAAuB,CAAC;AAa9E,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,4DAA4D;IAC5D,IAAI,IAAI;QAAE,UAAU,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CAC3D;AAED,wBAAgB,wBAAwB,IAAI,kBAAkB,CA2C7D"}

package/lib/runtime/bpHeaders.js

@@ -0,0 +1,53 @@
+const BP_HEADER_PREFIX_PATTERN = /^[A-Za-z0-9_-]+$/;
+export function createBpHeadersCollector() {
+    const pending = new Map();
+    const removed = new Set();
+    return {
+        set(name, value, options = {}) {
+            validateHeaderName(name);
+            pending.set(name, {
+                value,
+                locked: options.locked ?? false,
+                scoped: options.scopeToOwner ?? Boolean(options.scopeServiceId),
+                expires: options.expiresInSeconds
+                    ? Math.floor(Date.now() / 1000) + options.expiresInSeconds
+                    : undefined,
+                refreshPath: options.refreshPath,
+                refreshBeforeSeconds: options.refreshBeforeSeconds
+            });
+            removed.delete(name);
+        },
+        remove(name) {
+            validateHeaderName(name);
+            pending.delete(name);
+            removed.add(name);
+        },
+        emit() {
+            const setHeaders = [];
+            for (const [name, entry] of pending.entries()) {
+                const parts = [`${name}=${entry.value}`];
+                if (entry.locked)
+                    parts.push("locked=true");
+                if (entry.scoped)
+                    parts.push("scope=true");
+                if (entry.expires)
+                    parts.push(`expires=${entry.expires}`);
+                if (entry.refreshPath)
+                    parts.push(`refresh=${entry.refreshPath}`);
+                if (entry.refreshBeforeSeconds)
+                    parts.push(`refreshBefore=${entry.refreshBeforeSeconds}`);
+                setHeaders.push(parts.join("; "));
+            }
+            return {
+                setHeaders,
+                removeHeaders: Array.from(removed)
+            };
+        }
+    };
+}
+function validateHeaderName(name) {
+    if (!BP_HEADER_PREFIX_PATTERN.test(name) || name.length === 0 || name.length > 128) {
+        throw new Error(`Invalid BP header name: ${name}`);
+    }
+}
+//# sourceMappingURL=bpHeaders.js.map

package/lib/runtime/bpHeaders.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bpHeaders.js","sourceRoot":"","sources":["../../src/runtime/bpHeaders.ts"],"names":[],"mappings":"AAEA,MAAM,wBAAwB,GAAG,kBAAkB,CAAC;AAgBpD,MAAM,UAAU,wBAAwB;IACtC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAyB,CAAC;IACjD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAElC,OAAO;QACL,GAAG,CAAC,IAAY,EAAE,KAAa,EAAE,UAA8B,EAAE;YAC/D,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE;gBAChB,KAAK;gBACL,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;gBAC/B,MAAM,EAAE,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC;gBAC/D,OAAO,EAAE,OAAO,CAAC,gBAAgB;oBAC/B,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,OAAO,CAAC,gBAAgB;oBAC1D,CAAC,CAAC,SAAS;gBACb,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;aACnD,CAAC,CAAC;YACH,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC;QAED,MAAM,CAAC,IAAY;YACjB,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACzB,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;QAED,IAAI;YACF,MAAM,UAAU,GAAa,EAAE,CAAC;YAChC,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC9C,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;gBACzC,IAAI,KAAK,CAAC,MAAM;oBAAE,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBAC5C,IAAI,KAAK,CAAC,MAAM;oBAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;gBAC3C,IAAI,KAAK,CAAC,OAAO;oBAAE,KAAK,CAAC,IAAI,CAAC,WAAW,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC1D,IAAI,KAAK,CAAC,WAAW;oBAAE,KAAK,CAAC,IAAI,CAAC,WAAW,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;gBAClE,IAAI,KAAK,CAAC,oBAAoB;oBAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,KAAK,CAAC,oBAAoB,EAAE,CAAC,CAAC;gBAC1F,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACpC,CAAC;YACD,OAAO;gBACL,UAAU;gBACV,aAAa,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC;aACnC,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAY;IACtC,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACnF,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,EAAE,CAAC,CAAC;IACrD,CAAC;AACH,CAAC"}

package/lib/runtime/configProvider.d.ts

@@ -0,0 +1,41 @@
+import { BetterPortalApp, BetterPortalConfig, BetterPortalOriginPolicy, BetterPortalResolvedRequestContext, BetterPortalResolvedServiceBinding, BetterPortalRouteMount } from "../contracts/platformConfig.js";
+import { type BetterPortalHeaderTrustOptions, HeaderMap } from "./http.js";
+export interface BetterPortalConfigProvider {
+    loadConfig(): Promise<BetterPortalConfig>;
+}
+export type BetterPortalConfigProviderOptions = {
+    readonly backend?: "file";
+    readonly configPath: string;
+};
+export declare class FileBackedBetterPortalConfigProvider implements BetterPortalConfigProvider {
+    private readonly configPath;
+    constructor(configPath: string);
+    loadConfig(): Promise<BetterPortalConfig>;
+}
+export declare function createBetterPortalConfigProvider(options: BetterPortalConfigProviderOptions): BetterPortalConfigProvider;
+export declare function describeEmbeddedContextResolution(config: BetterPortalConfig, headers: HeaderMap, headerTrust?: BetterPortalHeaderTrustOptions): {
+    candidates: string[];
+    appHosts: Array<{
+        appId: string;
+        hosts: string[];
+    }>;
+};
+export declare function resolveThemeRequestContext(config: BetterPortalConfig, headers: HeaderMap, requestHost?: string, headerTrust?: BetterPortalHeaderTrustOptions): BetterPortalResolvedRequestContext | null;
+export declare function resolveEmbeddedRequestContext(config: BetterPortalConfig, headers: HeaderMap, headerTrust?: BetterPortalHeaderTrustOptions): BetterPortalResolvedRequestContext | null;
+export declare function resolveServiceForTenant(config: BetterPortalConfig, serviceId: string, context: BetterPortalResolvedRequestContext): BetterPortalResolvedServiceBinding | null;
+export declare function buildOriginPolicy(context: BetterPortalResolvedRequestContext): BetterPortalOriginPolicy;
+export declare function isAllowedOriginForContext(context: BetterPortalResolvedRequestContext, origin: string | null): boolean;
+export declare function isAllowedRefererForContext(context: BetterPortalResolvedRequestContext, referer: string | null): boolean;
+export declare function serviceBaseUrl(service: {
+    hostname: string;
+} | {
+    endpointBaseUrl: string;
+}): string;
+export declare function resolveAppRoute(app: BetterPortalApp, pathname: string): BetterPortalRouteMount | null;
+export declare function inferServicePathFromViewId(viewId: string): string;
+export declare function buildServiceViewUrl(binding: {
+    hostname: string;
+} | {
+    endpointBaseUrl: string;
+}, route: BetterPortalRouteMount, currentPath: string): string;
+//# sourceMappingURL=configProvider.d.ts.map

package/lib/runtime/configProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"configProvider.d.ts","sourceRoot":"","sources":["../../src/runtime/configProvider.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,eAAe,EACf,kBAAkB,EAElB,wBAAwB,EAExB,kCAAkC,EAClC,kCAAkC,EAClC,sBAAsB,EACvB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,KAAK,8BAA8B,EACnC,SAAS,EAIV,MAAM,WAAW,CAAC;AAEnB,MAAM,WAAW,0BAA0B;IACzC,UAAU,IAAI,OAAO,CAAC,kBAAkB,CAAC,CAAC;CAC3C;AAED,MAAM,MAAM,iCAAiC,GACzC;IAAE,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC;AAM/D,qBAAa,oCAAqC,YAAW,0BAA0B;IACzE,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAAV,UAAU,EAAE,MAAM;IAEzC,UAAU,IAAI,OAAO,CAAC,kBAAkB,CAAC;CAehD;AAED,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,iCAAiC,GAAG,0BAA0B,CAEvH;AA6BD,wBAAgB,iCAAiC,CAC/C,MAAM,EAAE,kBAAkB,EAC1B,OAAO,EAAE,SAAS,EAClB,WAAW,GAAE,8BAAmC,GAC/C;IACD,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CACrD,CAaA;AAoBD,wBAAgB,0BAA0B,CACxC,MAAM,EAAE,kBAAkB,EAC1B,OAAO,EAAE,SAAS,EAClB,WAAW,CAAC,EAAE,MAAM,EACpB,WAAW,GAAE,8BAAmC,GAC/C,kCAAkC,GAAG,IAAI,CAW3C;AAED,wBAAgB,6BAA6B,CAC3C,MAAM,EAAE,kBAAkB,EAC1B,OAAO,EAAE,SAAS,EAClB,WAAW,GAAE,8BAAmC,GAC/C,kCAAkC,GAAG,IAAI,CAQ3C;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,kBAAkB,EAC1B,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,kCAAkC,GAC1C,kCAAkC,GAAG,IAAI,CAkC3C;AAiBD,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,kCAAkC,GAAG,wBAAwB,CAQvG;AAED,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,kCAAkC,EAC3C,MAAM,EAAE,MAAM,GAAG,IAAI,GACpB,OAAO,CAMT;AAED,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,kCAAkC,EAC3C,OAAO,EAAE,MAAM,GAAG,IAAI,GACrB,OAAO,CAMT;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,eAAe,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAGlG;AA4BD,wBAAgB,eAAe,CAAC,GAAG,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,GAAG,IAAI,CAGrG;AAED,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAGjE;AAsCD,wBAAgB,mBAAmB,CACjC,OAAO,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,eAAe,EAAE,MAAM,CAAA;CAAE,EAC3D,KAAK,EAAE,sBAAsB,EAC7B,WAAW,EAAE,MAAM,GAClB,MAAM,CAWR"}