@betterportal/framework 0.0.1

package/lib/runtime/configProvider.js

@@ -0,0 +1,232 @@
+import { readFile } from "node:fs/promises";
+import { resolve as resolvePath } from "node:path";
+import { parse } from "yaml";
+import { BetterPortalConfigSchema, BetterPortalOriginPolicySchema } from "../contracts/platformConfig.js";
+import { hostFromHeaderValue, resolveEmbeddedSourceHeader, resolveThemeSourceHeader } from "./http.js";
+const EMPTY_CONFIG = BetterPortalConfigSchema.parse({
+    configManagement: { auth: { mechanism: "none", requiredPermissions: [] } }
+});
+export class FileBackedBetterPortalConfigProvider {
+    configPath;
+    constructor(configPath) {
+        this.configPath = configPath;
+    }
+    async loadConfig() {
+        const resolvedConfigPath = resolvePath(this.configPath);
+        try {
+            const fileContent = await readFile(resolvedConfigPath, "utf8");
+            const parsed = parse(fileContent);
+            return BetterPortalConfigSchema.parse(parsed);
+        }
+        catch (err) {
+            // Pre-bootstrap: file may not exist yet. Return empty config so the caller
+            // can decide how to handle (typically returns 503 or empty UI).
+            if (err.code === "ENOENT") {
+                return EMPTY_CONFIG;
+            }
+            throw err;
+        }
+    }
+}
+export function createBetterPortalConfigProvider(options) {
+    return new FileBackedBetterPortalConfigProvider(options.configPath);
+}
+function hostFromUrlValue(value) {
+    return hostFromHeaderValue(value);
+}
+function hostFromHostHeader(host) {
+    return hostFromHeaderValue(host);
+}
+function findAppByHost(config, requestHost) {
+    if (!requestHost) {
+        return null;
+    }
+    return config.apps.find((app) => app.hostnames.some((appHostname) => {
+        const appHost = hostFromHostHeader(appHostname);
+        if (!appHost) {
+            return false;
+        }
+        if (appHost === requestHost) {
+            return true;
+        }
+        return appHost.split(":")[0] === requestHost.split(":")[0];
+    })) ?? null;
+}
+export function describeEmbeddedContextResolution(config, headers, headerTrust = {}) {
+    const refererHost = hostFromUrlValue(resolveEmbeddedSourceHeader(headers, headerTrust));
+    const originHost = hostFromUrlValue(resolveThemeSourceHeader(headers, headerTrust));
+    const candidates = [...new Set([refererHost, originHost].filter((value) => !!value))];
+    return {
+        candidates,
+        appHosts: config.apps.map((app) => ({
+            appId: app.id,
+            hosts: app.hostnames
+                .map((hostname) => hostFromHostHeader(hostname))
+                .filter((value) => !!value)
+        }))
+    };
+}
+function buildResolvedContext(config, appId) {
+    if (!appId) {
+        return null;
+    }
+    const app = config.apps.find((entry) => entry.id === appId) ?? null;
+    if (!app) {
+        return null;
+    }
+    const tenant = config.tenants.find((entry) => entry.id === app.tenantId) ?? null;
+    if (!tenant || !tenant.active) {
+        return null;
+    }
+    return { tenant, app };
+}
+export function resolveThemeRequestContext(config, headers, requestHost, headerTrust = {}) {
+    const originHostname = hostFromUrlValue(resolveThemeSourceHeader(headers, headerTrust));
+    const refererHostname = hostFromUrlValue(resolveEmbeddedSourceHeader(headers, headerTrust));
+    const hostHostname = hostFromHostHeader(requestHost);
+    const app = findAppByHost(config, hostHostname) ??
+        findAppByHost(config, originHostname) ??
+        findAppByHost(config, refererHostname);
+    return buildResolvedContext(config, app?.id ?? null);
+}
+export function resolveEmbeddedRequestContext(config, headers, headerTrust = {}) {
+    const refererHostname = hostFromUrlValue(resolveEmbeddedSourceHeader(headers, headerTrust));
+    const originHostname = hostFromUrlValue(resolveThemeSourceHeader(headers, headerTrust));
+    const app = findAppByHost(config, refererHostname) ??
+        findAppByHost(config, originHostname);
+    return buildResolvedContext(config, app?.id ?? null);
+}
+export function resolveServiceForTenant(config, serviceId, context) {
+    const tenantService = context.tenant.services.find((s) => s.enabled && (s.id === serviceId || s.serviceId === serviceId));
+    if (tenantService) {
+        return { tenant: context.tenant, app: context.app, service: tenantService };
+    }
+    if (context.tenant.activatedPlatformServices.includes(serviceId)) {
+        const platformService = config.platformServices.find((ps) => ps.enabled && (ps.id === serviceId || ps.serviceId === serviceId));
+        if (platformService) {
+            return {
+                tenant: context.tenant,
+                app: context.app,
+                service: {
+                    id: platformService.id,
+                    hostname: platformService.hostname,
+                    apiKeyHash: platformService.apiKeyHash,
+                    serviceId: platformService.serviceId,
+                    capabilities: platformService.capabilities,
+                    title: platformService.title,
+                    description: platformService.description,
+                    deploymentMode: "bp-hosted",
+                    createdAt: platformService.createdAt,
+                    enabled: true
+                }
+            };
+        }
+    }
+    return null;
+}
+function ensureAllowedOrigins(app) {
+    const generated = app.hostnames.flatMap((hostname) => {
+        if (hostname.startsWith("http://") || hostname.startsWith("https://")) {
+            return [hostname];
+        }
+        return [
+            `https://${hostname}`,
+            `http://${hostname}`
+        ];
+    });
+    return [...new Set([...generated, ...app.originOverrides])];
+}
+export function buildOriginPolicy(context) {
+    return BetterPortalOriginPolicySchema.parse({
+        allowedOrigins: ensureAllowedOrigins(context.app),
+        allowedReferers: [...new Set([
+                ...ensureAllowedOrigins(context.app),
+                ...context.app.refererOverrides
+            ])]
+    });
+}
+export function isAllowedOriginForContext(context, origin) {
+    if (!origin) {
+        return false;
+    }
+    return buildOriginPolicy(context).allowedOrigins.includes(origin);
+}
+export function isAllowedRefererForContext(context, referer) {
+    if (!referer) {
+        return false;
+    }
+    return buildOriginPolicy(context).allowedReferers.includes(referer);
+}
+export function serviceBaseUrl(service) {
+    const url = "hostname" in service ? service.hostname : service.endpointBaseUrl;
+    return url.replace(/\/+$/, "");
+}
+function splitRoutePath(pathname) {
+    return pathname.replace(/^\/+|\/+$/g, "").split("/").filter((segment) => segment.length > 0);
+}
+function routeParamName(segment) {
+    if (segment.startsWith(":") && segment.length > 1) {
+        return segment.slice(1);
+    }
+    const braceMatch = segment.match(/^\{([A-Za-z_][A-Za-z0-9_]*)\}$/);
+    return braceMatch?.[1] ?? null;
+}
+function routePatternMatches(routePath, pathname) {
+    if (routePath === pathname) {
+        return true;
+    }
+    const routeSegments = splitRoutePath(routePath);
+    const pathSegments = splitRoutePath(pathname);
+    if (routeSegments.length !== pathSegments.length) {
+        return false;
+    }
+    return routeSegments.every((segment, index) => routeParamName(segment) !== null || segment === pathSegments[index]);
+}
+export function resolveAppRoute(app, pathname) {
+    const normalizedPath = pathname.trim().length > 0 ? pathname : "/";
+    return app.routes.find((route) => route.enabled && routePatternMatches(route.path, normalizedPath)) ?? null;
+}
+export function inferServicePathFromViewId(viewId) {
+    const normalized = viewId.replace(/\.index$/, "").replace(/\./g, "/");
+    return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+function extractRouteParams(routePath, currentPath) {
+    const routeSegments = splitRoutePath(routePath);
+    const currentSegments = splitRoutePath(currentPath);
+    if (routeSegments.length !== currentSegments.length) {
+        return null;
+    }
+    const params = {};
+    for (let i = 0; i < routeSegments.length; i++) {
+        const paramName = routeParamName(routeSegments[i]);
+        if (paramName) {
+            params[paramName] = currentSegments[i];
+        }
+        else if (routeSegments[i] !== currentSegments[i]) {
+            return null;
+        }
+    }
+    return params;
+}
+function interpolatePath(pathTemplate, params) {
+    const [pathPart, queryPart] = pathTemplate.split("?", 2);
+    const resolvedSegments = splitRoutePath(pathPart).map((segment) => {
+        const paramName = routeParamName(segment);
+        return paramName ? (params[paramName] ?? segment) : segment;
+    });
+    const resolvedPath = resolvedSegments.length === 0 ? "/" : `/${resolvedSegments.join("/")}`;
+    const resolvedQuery = queryPart?.replace(/(?::([A-Za-z_][A-Za-z0-9_]*)|\{([A-Za-z_][A-Za-z0-9_]*)\})/g, (match, colonName, braceName) => params[colonName ?? braceName ?? ""] ?? match);
+    return resolvedQuery ? `${resolvedPath}?${resolvedQuery}` : resolvedPath;
+}
+export function buildServiceViewUrl(binding, route, currentPath) {
+    const baseUrl = serviceBaseUrl(binding);
+    const params = extractRouteParams(route.path, currentPath) ?? {};
+    const servicePath = route.resolvedServicePath ?? route.targetPath;
+    const resolvedPath = servicePath
+        ? interpolatePath(servicePath, params)
+        : Object.keys(params).length > 0
+            ? interpolatePath(route.path, params)
+            : inferServicePathFromViewId(route.viewId);
+    return `${baseUrl}${resolvedPath}`;
+}
+//# sourceMappingURL=configProvider.js.map

package/lib/runtime/configProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"configProvider.js","sourceRoot":"","sources":["../../src/runtime/configProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EAAE,KAAK,EAAE,MAAM,MAAM,CAAC;AAC7B,OAAO,EAGL,wBAAwB,EAExB,8BAA8B,EAI/B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAGL,mBAAmB,EACnB,2BAA2B,EAC3B,wBAAwB,EACzB,MAAM,WAAW,CAAC;AASnB,MAAM,YAAY,GAAuB,wBAAwB,CAAC,KAAK,CAAC;IACtE,gBAAgB,EAAE,EAAE,IAAI,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,mBAAmB,EAAE,EAAE,EAAE,EAAE;CAC3E,CAAC,CAAC;AAEH,MAAM,OAAO,oCAAoC;IAClB;IAA7B,YAA6B,UAAkB;QAAlB,eAAU,GAAV,UAAU,CAAQ;IAAG,CAAC;IAEnD,KAAK,CAAC,UAAU;QACd,MAAM,kBAAkB,GAAG,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxD,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;YAC/D,MAAM,MAAM,GAAG,KAAK,CAAC,WAAW,CAAY,CAAC;YAC7C,OAAO,wBAAwB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,2EAA2E;YAC3E,gEAAgE;YAChE,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACrD,OAAO,YAAY,CAAC;YACtB,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,gCAAgC,CAAC,OAA0C;IACzF,OAAO,IAAI,oCAAoC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,OAAO,mBAAmB,CAAC,KAAK,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAa;IACvC,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,aAAa,CAAC,MAA0B,EAAE,WAA0B;IAC3E,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;QAClE,MAAM,OAAO,GAAG,kBAAkB,CAAC,WAAW,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,OAAO,KAAK,WAAW,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,MAA0B,EAC1B,OAAkB,EAClB,cAA8C,EAAE;IAKhD,MAAM,WAAW,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;IACxF,MAAM,UAAU,GAAG,gBAAgB,CAAC,wBAAwB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;IACpF,MAAM,UAAU,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACvG,OAAO;QACL,UAAU;QACV,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YAClC,KAAK,EAAE,GAAG,CAAC,EAAE;YACb,KAAK,EAAE,GAAG,CAAC,SAAS;iBACjB,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;iBAC/C,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;SAC/C,CAAC,CAAC;KACJ,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAAC,MAA0B,EAAE,KAAoB;IAC5E,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,KAAK,KAAK,CAAC,IAAI,IAAI,CAAC;IACpE,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,KAAK,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;IACjF,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,MAA0B,EAC1B,OAAkB,EAClB,WAAoB,EACpB,cAA8C,EAAE;IAEhD,MAAM,cAAc,GAAG,gBAAgB,CAAC,wBAAwB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;IACxF,MAAM,eAAe,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;IAC5F,MAAM,YAAY,GAAG,kBAAkB,CAAC,WAAW,CAAC,CAAC;IAErD,MAAM,GAAG,GACP,aAAa,CAAC,MAAM,EAAE,YAAY,CAAC;QACnC,aAAa,CAAC,MAAM,EAAE,cAAc,CAAC;QACrC,aAAa,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAEzC,OAAO,oBAAoB,CAAC,MAAM,EAAE,GAAG,EAAE,EAAE,IAAI,IAAI,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,MAA0B,EAC1B,OAAkB,EAClB,cAA8C,EAAE;IAEhD,MAAM,eAAe,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;IAC5F,MAAM,cAAc,GAAG,gBAAgB,CAAC,wBAAwB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;IACxF,MAAM,GAAG,GACP,aAAa,CAAC,MAAM,EAAE,eAAe,CAAC;QACtC,aAAa,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAExC,OAAO,oBAAoB,CAAC,MAAM,EAAE,GAAG,EAAE,EAAE,IAAI,IAAI,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,MAA0B,EAC1B,SAAiB,EACjB,OAA2C;IAE3C,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAChD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CACtE,CAAC;IAEF,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC;IAC9E,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,CAAC,yBAAyB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACjE,MAAM,eAAe,GAAG,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAClD,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,EAAE,KAAK,SAAS,IAAI,EAAE,CAAC,SAAS,KAAK,SAAS,CAAC,CAC1E,CAAC;QACF,IAAI,eAAe,EAAE,CAAC;YACpB,OAAO;gBACL,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,OAAO,EAAE;oBACP,EAAE,EAAE,eAAe,CAAC,EAAE;oBACtB,QAAQ,EAAE,eAAe,CAAC,QAAQ;oBAClC,UAAU,EAAE,eAAe,CAAC,UAAU;oBACtC,SAAS,EAAE,eAAe,CAAC,SAAS;oBACpC,YAAY,EAAE,eAAe,CAAC,YAAY;oBAC1C,KAAK,EAAE,eAAe,CAAC,KAAK;oBAC5B,WAAW,EAAE,eAAe,CAAC,WAAW;oBACxC,cAAc,EAAE,WAAoB;oBACpC,SAAS,EAAE,eAAe,CAAC,SAAS;oBACpC,OAAO,EAAE,IAAI;iBACd;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,oBAAoB,CAAC,GAA8C;IAC1E,MAAM,SAAS,GAAG,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;QACnD,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACtE,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpB,CAAC;QAED,OAAO;YACL,WAAW,QAAQ,EAAE;YACrB,UAAU,QAAQ,EAAE;SACrB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,SAAS,EAAE,GAAG,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAA2C;IAC3E,OAAO,8BAA8B,CAAC,KAAK,CAAC;QAC1C,cAAc,EAAE,oBAAoB,CAAC,OAAO,CAAC,GAAG,CAAC;QACjD,eAAe,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC;gBAC3B,GAAG,oBAAoB,CAAC,OAAO,CAAC,GAAG,CAAC;gBACpC,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB;aAChC,CAAC,CAAC;KACJ,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,OAA2C,EAC3C,MAAqB;IAErB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,OAA2C,EAC3C,OAAsB;IAEtB,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAA2D;IACxF,MAAM,GAAG,GAAG,UAAU,IAAI,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IAC/E,OAAO,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,OAAO,QAAQ,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AAC/F,CAAC;AAED,SAAS,cAAc,CAAC,OAAe;IACrC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IACD,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACnE,OAAO,UAAU,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;AACjC,CAAC;AAED,SAAS,mBAAmB,CAAC,SAAiB,EAAE,QAAgB;IAC9D,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAChD,MAAM,YAAY,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,aAAa,CAAC,MAAM,KAAK,YAAY,CAAC,MAAM,EAAE,CAAC;QACjD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,IAAI,IAAI,OAAO,KAAK,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;AACtH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,GAAoB,EAAE,QAAgB;IACpE,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC;IACnE,OAAO,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,OAAO,IAAI,mBAAmB,CAAC,KAAK,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC,IAAI,IAAI,CAAC;AAC9G,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,MAAc;IACvD,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtE,OAAO,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,UAAU,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,kBAAkB,CAAC,SAAiB,EAAE,WAAmB;IAChE,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAChD,MAAM,eAAe,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAEpD,IAAI,aAAa,CAAC,MAAM,KAAK,eAAe,CAAC,MAAM,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;QACnD,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,CAAC,SAAS,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC;aAAM,IAAI,aAAa,CAAC,CAAC,CAAC,KAAK,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,eAAe,CAAC,YAAoB,EAAE,MAA8B;IAC3E,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IACzD,MAAM,gBAAgB,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QAChE,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,MAAM,YAAY,GAAG,gBAAgB,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IAC5F,MAAM,aAAa,GAAG,SAAS,EAAE,OAAO,CACtC,6DAA6D,EAC7D,CAAC,KAAK,EAAE,SAA6B,EAAE,SAA6B,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS,IAAI,EAAE,CAAC,IAAI,KAAK,CACvH,CAAC;IAEF,OAAO,aAAa,CAAC,CAAC,CAAC,GAAG,YAAY,IAAI,aAAa,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,OAA2D,EAC3D,KAA6B,EAC7B,WAAmB;IAEnB,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC;IACjE,MAAM,WAAW,GAAG,KAAK,CAAC,mBAAmB,IAAI,KAAK,CAAC,UAAU,CAAC;IAClE,MAAM,YAAY,GAAG,WAAW;QAC9B,CAAC,CAAC,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC;QACtC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC;YAC9B,CAAC,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC;YACrC,CAAC,CAAC,0BAA0B,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAE/C,OAAO,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AACrC,CAAC"}

package/lib/runtime/configStore.d.ts

@@ -0,0 +1,34 @@
+import type { ConfigSchemaDescriptor } from "../contracts/config.js";
+import type { ServiceConfigState, ServiceConfigTicketClaims } from "../contracts/serviceConfig.js";
+export interface ServiceConfigStore {
+    read(ticket: ServiceConfigTicketClaims): ServiceConfigState;
+    write(tenantId: string, appId: string | undefined, values: Record<string, unknown>, ticket: ServiceConfigTicketClaims): ServiceConfigState;
+    clearKey?(tenantId: string, appId: string | undefined, key: string, ticket: ServiceConfigTicketClaims): ServiceConfigState;
+}
+export declare class InMemoryServiceConfigStore implements ServiceConfigStore {
+    private state;
+    read(ticket: ServiceConfigTicketClaims): ServiceConfigState;
+    write(tenantId: string, appId: string | undefined, values: Record<string, unknown>, ticket: ServiceConfigTicketClaims): ServiceConfigState;
+    clearKey(tenantId: string, appId: string | undefined, key: string, ticket: ServiceConfigTicketClaims): ServiceConfigState;
+}
+export interface FileBackedServiceConfigStoreOptions {
+    filePath: string;
+    configSchemas: ConfigSchemaDescriptor[];
+    encryptionKey: string;
+}
+export declare class FileBackedServiceConfigStore implements ServiceConfigStore {
+    private state;
+    private readonly key;
+    private readonly secretKeys;
+    private readonly filePath;
+    constructor(options: FileBackedServiceConfigStoreOptions);
+    read(ticket: ServiceConfigTicketClaims): ServiceConfigState;
+    write(tenantId: string, appId: string | undefined, values: Record<string, unknown>, ticket: ServiceConfigTicketClaims): ServiceConfigState;
+    clearKey(tenantId: string, appId: string | undefined, key: string, ticket: ServiceConfigTicketClaims): ServiceConfigState;
+    private readBucket;
+    private ensureTenantBucket;
+    private decryptRecord;
+    private loadFromDisk;
+    private saveToDisk;
+}
+//# sourceMappingURL=configStore.d.ts.map

package/lib/runtime/configStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"configStore.d.ts","sourceRoot":"","sources":["../../src/runtime/configStore.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAErE,OAAO,KAAK,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAyBnG,MAAM,WAAW,kBAAkB;IACjC,IAAI,CAAC,MAAM,EAAE,yBAAyB,GAAG,kBAAkB,CAAC;IAC5D,KAAK,CACH,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,MAAM,EAAE,yBAAyB,GAChC,kBAAkB,CAAC;IACtB,QAAQ,CAAC,CACP,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,yBAAyB,GAChC,kBAAkB,CAAC;CACvB;AAID,qBAAa,0BAA2B,YAAW,kBAAkB;IACnE,OAAO,CAAC,KAAK,CAAgD;IAE7D,IAAI,CAAC,MAAM,EAAE,yBAAyB,GAAG,kBAAkB;IAI3D,KAAK,CACH,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,MAAM,EAAE,yBAAyB,GAChC,kBAAkB;IAmBrB,QAAQ,CACN,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,yBAAyB,GAChC,kBAAkB;CAkBtB;AAyED,MAAM,WAAW,mCAAmC;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,sBAAsB,EAAE,CAAC;IACxC,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,qBAAa,4BAA6B,YAAW,kBAAkB;IACrE,OAAO,CAAC,KAAK,CAA8B;IAC3C,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAC7B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAc;IACzC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,OAAO,EAAE,mCAAmC;IAOxD,IAAI,CAAC,MAAM,EAAE,yBAAyB,GAAG,kBAAkB;IAI3D,KAAK,CACH,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,MAAM,EAAE,yBAAyB,GAChC,kBAAkB;IAsBrB,QAAQ,CACN,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,yBAAyB,GAChC,kBAAkB;IAqBrB,OAAO,CAAC,UAAU;IAUlB,OAAO,CAAC,kBAAkB;IAY1B,OAAO,CAAC,aAAa;IAIrB,OAAO,CAAC,YAAY;IAYpB,OAAO,CAAC,UAAU;CAOnB"}

package/lib/runtime/configStore.js

@@ -0,0 +1,197 @@
+import * as av from "anyvali";
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "node:fs";
+import { dirname } from "node:path";
+const ValuesSchema = av.record(av.any());
+function emptyBucket() {
+    return { tenant: {}, app: {} };
+}
+function cloneBucket(bucket) {
+    return {
+        tenant: { ...(bucket?.tenant ?? {}) },
+        app: Object.fromEntries(Object.entries(bucket?.app ?? {}).map(([appId, values]) => [appId, { ...values }]))
+    };
+}
+// -- In-memory (dev) --------------------------------------------------
+export class InMemoryServiceConfigStore {
+    state = { tenants: {} };
+    read(ticket) {
+        return cloneBucket(this.state.tenants[ticket.tenantId]);
+    }
+    write(tenantId, appId, values, ticket) {
+        const parsed = ValuesSchema.parse(values);
+        if (tenantId !== ticket.tenantId) {
+            return this.read(ticket);
+        }
+        const current = this.state.tenants[tenantId] ?? emptyBucket();
+        if (appId) {
+            this.state.tenants[tenantId] = {
+                tenant: current.tenant,
+                app: { ...current.app, [appId]: { ...(current.app[appId] ?? {}), ...parsed } }
+            };
+        }
+        else {
+            this.state.tenants[tenantId] = { tenant: { ...current.tenant, ...parsed }, app: current.app };
+        }
+        return this.read(ticket);
+    }
+    clearKey(tenantId, appId, key, ticket) {
+        if (tenantId !== ticket.tenantId)
+            return this.read(ticket);
+        const current = this.state.tenants[tenantId] ?? emptyBucket();
+        if (appId) {
+            const appValues = { ...(current.app[appId] ?? {}) };
+            delete appValues[key];
+            this.state.tenants[tenantId] = {
+                tenant: current.tenant,
+                app: { ...current.app, [appId]: appValues }
+            };
+        }
+        else {
+            const tenantValues = { ...current.tenant };
+            delete tenantValues[key];
+            this.state.tenants[tenantId] = { tenant: tenantValues, app: current.app };
+        }
+        return this.read(ticket);
+    }
+}
+// -- Encryption helpers -----------------------------------------------
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 16;
+const AUTH_TAG_LENGTH = 16;
+const ENCRYPTED_PREFIX = "enc:aes256gcm:";
+function deriveKey(secret) {
+    return scryptSync(secret, "bp-config-store", 32);
+}
+function encryptValue(plaintext, key) {
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    const payload = Buffer.concat([iv, authTag, encrypted]).toString("base64");
+    return `${ENCRYPTED_PREFIX}${payload}`;
+}
+function decryptValue(ciphertext, key) {
+    if (!ciphertext.startsWith(ENCRYPTED_PREFIX))
+        return ciphertext;
+    const payload = Buffer.from(ciphertext.slice(ENCRYPTED_PREFIX.length), "base64");
+    const iv = payload.subarray(0, IV_LENGTH);
+    const authTag = payload.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+    const encrypted = payload.subarray(IV_LENGTH + AUTH_TAG_LENGTH);
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString("utf8");
+}
+function resolveSecretKeys(configSchemas) {
+    return new Set(configSchemas.flatMap((schema) => schema.fields
+        .filter((field) => field.visibility === "secret")
+        .map((field) => field.key)));
+}
+function encryptSecrets(values, secretKeys, key) {
+    return Object.fromEntries(Object.entries(values).map(([k, v]) => [
+        k,
+        secretKeys.has(k) && typeof v === "string" ? encryptValue(v, key) : v
+    ]));
+}
+function decryptSecrets(values, secretKeys, key) {
+    return Object.fromEntries(Object.entries(values).map(([k, v]) => [
+        k,
+        secretKeys.has(k) && typeof v === "string" && v.startsWith(ENCRYPTED_PREFIX)
+            ? decryptValue(v, key)
+            : v
+    ]));
+}
+export class FileBackedServiceConfigStore {
+    state;
+    key;
+    secretKeys;
+    filePath;
+    constructor(options) {
+        this.filePath = options.filePath;
+        this.key = deriveKey(options.encryptionKey);
+        this.secretKeys = resolveSecretKeys(options.configSchemas);
+        this.state = this.loadFromDisk();
+    }
+    read(ticket) {
+        return this.readBucket(ticket.tenantId);
+    }
+    write(tenantId, appId, values, ticket) {
+        const parsed = ValuesSchema.parse(values);
+        if (tenantId !== ticket.tenantId) {
+            return this.read(ticket);
+        }
+        const encrypted = encryptSecrets(parsed, this.secretKeys, this.key);
+        const current = this.ensureTenantBucket(tenantId);
+        if (appId) {
+            this.state.tenants[tenantId] = {
+                tenant: current.tenant,
+                app: { ...current.app, [appId]: { ...(current.app[appId] ?? {}), ...encrypted } }
+            };
+        }
+        else {
+            this.state.tenants[tenantId] = { tenant: { ...current.tenant, ...encrypted }, app: current.app };
+        }
+        this.saveToDisk();
+        return this.read(ticket);
+    }
+    clearKey(tenantId, appId, key, ticket) {
+        if (tenantId !== ticket.tenantId)
+            return this.read(ticket);
+        const current = this.ensureTenantBucket(tenantId);
+        if (appId) {
+            const appValues = { ...(current.app[appId] ?? {}) };
+            delete appValues[key];
+            this.state.tenants[tenantId] = {
+                tenant: current.tenant,
+                app: { ...current.app, [appId]: appValues }
+            };
+        }
+        else {
+            const tenantValues = { ...current.tenant };
+            delete tenantValues[key];
+            this.state.tenants[tenantId] = { tenant: tenantValues, app: current.app };
+        }
+        this.saveToDisk();
+        return this.read(ticket);
+    }
+    readBucket(tenantId) {
+        const bucket = this.ensureTenantBucket(tenantId);
+        return {
+            tenant: this.decryptRecord(bucket.tenant),
+            app: Object.fromEntries(Object.entries(bucket.app).map(([id, vals]) => [id, this.decryptRecord(vals)]))
+        };
+    }
+    ensureTenantBucket(tenantId) {
+        if (!this.state.tenants[tenantId] && this.state.legacy) {
+            this.state.tenants[tenantId] = this.state.legacy;
+            delete this.state.legacy;
+            this.saveToDisk();
+        }
+        if (!this.state.tenants[tenantId]) {
+            this.state.tenants[tenantId] = emptyBucket();
+        }
+        return this.state.tenants[tenantId];
+    }
+    decryptRecord(values) {
+        return decryptSecrets(values, this.secretKeys, this.key);
+    }
+    loadFromDisk() {
+        if (!existsSync(this.filePath)) {
+            return { tenants: {} };
+        }
+        const raw = readFileSync(this.filePath, "utf8");
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed === "object" && parsed.tenants && typeof parsed.tenants === "object") {
+            return { tenants: parsed.tenants };
+        }
+        return { tenants: {}, legacy: { tenant: parsed.tenant ?? {}, app: parsed.app ?? {} } };
+    }
+    saveToDisk() {
+        const dir = dirname(this.filePath);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        writeFileSync(this.filePath, JSON.stringify({ tenants: this.state.tenants }, null, 2), "utf8");
+    }
+}
+//# sourceMappingURL=configStore.js.map

package/lib/runtime/configStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"configStore.js","sourceRoot":"","sources":["../../src/runtime/configStore.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACxF,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAKpC,MAAM,YAAY,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;AAQzC,SAAS,WAAW;IAClB,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC;AACjC,CAAC;AAED,SAAS,WAAW,CAAC,MAAsC;IACzD,OAAO;QACL,MAAM,EAAE,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,IAAI,EAAE,CAAC,EAAE;QACrC,GAAG,EAAE,MAAM,CAAC,WAAW,CACrB,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,EAAE,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC,CACnF;KACF,CAAC;AACJ,CAAC;AAoBD,wEAAwE;AAExE,MAAM,OAAO,0BAA0B;IAC7B,KAAK,GAAgC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IAE7D,IAAI,CAAC,MAAiC;QACpC,OAAO,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CACH,QAAgB,EAChB,KAAyB,EACzB,MAA+B,EAC/B,MAAiC;QAEjC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,CAAiB,CAAC;QAC1D,IAAI,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC;QAE9D,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAC7B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,EAAE,GAAG,MAAM,EAAE,EAAE;aAC/E,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QAChG,CAAC;QAED,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3B,CAAC;IAED,QAAQ,CACN,QAAgB,EAChB,KAAyB,EACzB,GAAW,EACX,MAAiC;QAEjC,IAAI,QAAQ,KAAK,MAAM,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC;QAE9D,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,SAAS,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YACpD,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC;YACtB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAC7B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE;aAC5C,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,YAAY,GAAG,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;YAC3C,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;YACzB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QAC5E,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3B,CAAC;CACF;AAED,wEAAwE;AAExE,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;AAE1C,SAAS,SAAS,CAAC,MAAc;IAC/B,OAAO,UAAU,CAAC,MAAM,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,YAAY,CAAC,SAAiB,EAAE,GAAW;IAClD,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACpC,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC3E,OAAO,GAAG,gBAAgB,GAAG,OAAO,EAAE,CAAC;AACzC,CAAC;AAED,SAAS,YAAY,CAAC,UAAkB,EAAE,GAAW;IACnD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,gBAAgB,CAAC;QAAE,OAAO,UAAU,CAAC;IAChE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC;IACjF,MAAM,EAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,SAAS,EAAE,SAAS,GAAG,eAAe,CAAC,CAAC;IACzE,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,SAAS,GAAG,eAAe,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACxF,CAAC;AAED,SAAS,iBAAiB,CAAC,aAAuC;IAChE,OAAO,IAAI,GAAG,CACZ,aAAa,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAC/B,MAAM,CAAC,MAAM;SACV,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,KAAK,QAAQ,CAAC;SAChD,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAC7B,CACF,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CACrB,MAAiC,EACjC,UAAuB,EACvB,GAAW;IAEX,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC;QACrC,CAAC;QACD,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;KACtE,CAAC,CACH,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CACrB,MAAiC,EACjC,UAAuB,EACvB,GAAW;IAEX,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC;QACrC,CAAC;QACD,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,CAAC,gBAAgB,CAAC;YAC1E,CAAC,CAAC,YAAY,CAAC,CAAC,EAAE,GAAG,CAAC;YACtB,CAAC,CAAC,CAAC;KACN,CAAC,CACH,CAAC;AACJ,CAAC;AAUD,MAAM,OAAO,4BAA4B;IAC/B,KAAK,CAA8B;IAC1B,GAAG,CAAS;IACZ,UAAU,CAAc;IACxB,QAAQ,CAAS;IAElC,YAAY,OAA4C;QACtD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAC5C,IAAI,CAAC,UAAU,GAAG,iBAAiB,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAC3D,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;IACnC,CAAC;IAED,IAAI,CAAC,MAAiC;QACpC,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CACH,QAAgB,EAChB,KAAyB,EACzB,MAA+B,EAC/B,MAAiC;QAEjC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,CAAiB,CAAC;QAC1D,IAAI,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC;QAED,MAAM,SAAS,GAAG,cAAc,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAElD,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAC7B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,EAAE,GAAG,SAAS,EAAE,EAAE;aAClF,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,GAAG,SAAS,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACnG,CAAC;QAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3B,CAAC;IAED,QAAQ,CACN,QAAgB,EAChB,KAAyB,EACzB,GAAW,EACX,MAAiC;QAEjC,IAAI,QAAQ,KAAK,MAAM,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAElD,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,SAAS,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YACpD,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC;YACtB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAC7B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE;aAC5C,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,YAAY,GAAG,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;YAC3C,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;YACzB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QAC5E,CAAC;QAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3B,CAAC;IAEO,UAAU,CAAC,QAAgB;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACjD,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC;YACzC,GAAG,EAAE,MAAM,CAAC,WAAW,CACrB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAC/E;SACF,CAAC;IACJ,CAAC;IAEO,kBAAkB,CAAC,QAAgB;QACzC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACvD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;YACjD,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;YACzB,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,WAAW,EAAE,CAAC;QAC/C,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAEO,aAAa,CAAC,MAAiC;QACrD,OAAO,cAAc,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3D,CAAC;IAEO,YAAY;QAClB,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/B,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzB,CAAC;QACD,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,OAAO,IAAI,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACjG,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;QACrC,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,IAAI,EAAE,EAAE,EAAE,CAAC;IACzF,CAAC;IAEO,UAAU;QAChB,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACjG,CAAC;CACF"}

package/lib/runtime/configTicket.d.ts

@@ -0,0 +1,49 @@
+import { type ServiceConfigAction, type ServiceConfigTicketClaims } from "../contracts/serviceConfig.js";
+/** Audience every BetterPortal service-config ticket is minted for. */
+export declare const CONFIG_TICKET_AUDIENCE = "betterportal-service-config";
+export interface SignServiceConfigTicketOptions {
+    /** PEM of the CP signing key (cpState.keyPair.privateKeyPem). */
+    privateKeyPem: string;
+    /** kid published in the CP JWKS. */
+    kid: string;
+    /** CP issuer (cpState.issuer); becomes the `iss` claim and verifier expectation. */
+    issuer: string;
+    tenantId: string;
+    serviceId: string;
+    actions: ServiceConfigAction[];
+    subject?: string;
+    bindingId?: string;
+    expiresInSeconds: number;
+    jti?: string;
+}
+/**
+ * Mint a config ticket as an RS256 JWT signed by the control plane's key.
+ * Replaces the legacy symmetric HMAC ticket - services verify it against the
+ * CP JWKS, so no shared secret is required and only the CP can issue tickets.
+ */
+export declare function signServiceConfigTicket(options: SignServiceConfigTicketOptions): string;
+export interface VerifyServiceConfigTicketOptions {
+    /** JWKS endpoint of the issuing control plane (delivered to the service at redeem). */
+    jwksUri?: string;
+    /** In-process key lookup, used instead of jwksUri when supplied (no network). */
+    keyResolver?: (kid: string) => Promise<string> | string;
+    /** Expected `iss` - the CP URL the service was installed against. */
+    issuer: string;
+    /** This service's id; the ticket's `serviceId` must match. */
+    serviceId: string;
+    clockToleranceSeconds?: number;
+}
+/**
+ * Verify a CP-signed config ticket against the CP JWKS. Throws on any failure.
+ * Pins RS256, rejects jku/x5u key references, and re-checks iss/aud/exp/serviceId
+ * after library verification (defence in depth).
+ */
+export declare function verifyServiceConfigTicket(token: string, options: VerifyServiceConfigTicketOptions): Promise<ServiceConfigTicketClaims>;
+/**
+ * Build a `validateTicket` callback for `registerServiceConfigRoutes` that
+ * verifies CP-signed tickets against the CP JWKS. Returns null (not throw) on
+ * any failure so the route responds 401 rather than 500.
+ */
+export declare function createCpConfigTicketValidator(options: VerifyServiceConfigTicketOptions): (ticketValue: string | null, ...rest: unknown[]) => Promise<ServiceConfigTicketClaims | null>;
+export declare function clearConfigTicketJwksCache(): void;
+//# sourceMappingURL=configTicket.d.ts.map

package/lib/runtime/configTicket.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"configTicket.d.ts","sourceRoot":"","sources":["../../src/runtime/configTicket.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,KAAK,mBAAmB,EACxB,KAAK,yBAAyB,EAC/B,MAAM,+BAA+B,CAAC;AAOvC,uEAAuE;AACvE,eAAO,MAAM,sBAAsB,gCAAgC,CAAC;AAIpE,MAAM,WAAW,8BAA8B;IAC7C,iEAAiE;IACjE,aAAa,EAAE,MAAM,CAAC;IACtB,oCAAoC;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,oFAAoF;IACpF,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,mBAAmB,EAAE,CAAC;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,8BAA8B,GAAG,MAAM,CAqBvF;AAgCD,MAAM,WAAW,gCAAgC;IAC/C,uFAAuF;IACvF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iFAAiF;IACjF,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IACxD,qEAAqE;IACrE,MAAM,EAAE,MAAM,CAAC;IACf,8DAA8D;IAC9D,SAAS,EAAE,MAAM,CAAC;IAClB,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,CAC7C,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,gCAAgC,GACxC,OAAO,CAAC,yBAAyB,CAAC,CAoEpC;AAED;;;;GAIG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,gCAAgC,GACxC,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,yBAAyB,GAAG,IAAI,CAAC,CAS/F;AAED,wBAAgB,0BAA0B,IAAI,IAAI,CAEjD"}