@blakearoberts/visage 0.0.1-rc.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Blake Roberts
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,128 @@
+# Visage
+
+Visage (`/vit·ɛdʒ/`) is a Vite plugin for local development with HMR and OIDC session cookie lifecycle semantics.
+
+## Getting Started
+
+Install Visage from npm:
+
+```console
+npm install @blakearoberts/visage@next
+```
+
+Add the plugin to `vite.config.ts`:
+
+```ts
+import { defineConfig } from 'vite';
+import visage from '@blakearoberts/visage';
+
+export default defineConfig({
+  plugins: [visage()],
+});
+```
+
+Then start Vite normally:
+
+```console
+vite
+```
+
+## Configuration
+
+Visage is configured through `visage(options?)` in `vite.config.ts`.
+
+The top-level `host` and `port` configure the local Visage origin that the browser visits:
+
+```ts
+visage({
+  host: 'localhost',
+  port: 9001,
+});
+```
+
+Services are Docker Compose services managed by the Vite dev-server lifecycle. Upstreams are proxy targets that Visage routes to, whether they are managed services or external systems.
+
+```ts
+visage({
+  services: {
+    whoami: { image: 'traefik/whoami' },
+  },
+  upstreams: {
+    whoami: {
+      host: 'whoami',
+      port: 80,
+      locations: { '/whoami/': {} },
+    },
+  },
+});
+```
+
+See `VisageOptions` for the full option surface.
+
+## Expected Local URLs
+
+The browser-facing Visage origin is `https://{host}:{port}`.
+
+With the default configuration, open:
+
+```text
+https://localhost:9001/
+```
+
+When using the managed Dex flow, OAuth2 Proxy serves auth endpoints under `/oauth2/` and Dex serves OIDC endpoints under `/dex/`.
+
+## System Block Diagram
+
+```mermaid
+flowchart LR
+  Browser
+  NGINX
+  Oauth2-Proxy
+  Vite
+  IDP["IdP (Dex)"]
+  ServicesUpstreams["Services / Upstreams"]
+
+  Browser --> NGINX
+  NGINX --> Oauth2-Proxy
+  Oauth2-Proxy --> IDP
+  NGINX --> Vite
+  NGINX --> ServicesUpstreams
+```
+
+## Required Tools
+
+- [Docker](https://docs.docker.com/get-started/get-docker/) with Compose v2 support through `docker compose`.
+
+## Managed Tools
+
+### mkcert
+
+Visage downloads [`mkcert`](https://github.com/FiloSottile/mkcert) from `dl.filippo.io` when the Vite dev server starts. Visage uses it to install a local certificate authority and generate HTTPS certificates for the local proxy.
+
+### Docker Images
+
+Visage pulls these as needed based on configuration:
+
+- [NGINX](https://nginx.org/): [`nginx:1.30.0-alpine`](https://hub.docker.com/_/nginx).
+- [OAuth2 Proxy](https://oauth2-proxy.github.io/oauth2-proxy/): [`quay.io/oauth2-proxy/oauth2-proxy:v7.15.2`](https://quay.io/repository/oauth2-proxy/oauth2-proxy).
+- [Dex](https://dexidp.io/): [`ghcr.io/dexidp/dex:v2.45.1`](https://github.com/dexidp/dex/pkgs/container/dex).
+
+## Security Notes
+
+Visage is local-development tooling. It starts local auth infrastructure, terminates local HTTPS, and forwards authenticated identity or token material to configured upstreams.
+
+Do not treat the managed Dex and OAuth2 Proxy defaults as production auth infrastructure.
+
+## Troubleshooting
+
+- If startup fails immediately, confirm Docker is running and `docker compose` works.
+- If NGINX cannot start, check whether the configured `port` is already in use.
+- If the hostname cannot be resolved, Visage may need permission to update `/etc/hosts`.
+- If the browser rejects the certificate, allow the local certificate authority prompt from `mkcert`.
+
+## TO-DO
+
+- [ ] Promote a stable release.
+- [ ] Support configuring [Dex connectors](https://dexidp.io/docs/connectors/).
+- [ ] Support configuring Dex on a distinct subdomain, such as `auth.local.vite.app`.
+- [ ] Support optional [HTTP mode without local TLS](docs/tls-http-mode.md).

package/dist/certs.d.ts

@@ -0,0 +1,8 @@
+type Options = {
+    bin: string;
+    certs: string;
+    hostname: string;
+};
+export declare function ensureCerts({ bin, certs, hostname, }: Options): Promise<void>;
+export {};
+//# sourceMappingURL=certs.d.ts.map

package/dist/certs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"certs.d.ts","sourceRoot":"","sources":["../src/certs.ts"],"names":[],"mappings":"AAMA,KAAK,OAAO,GAAG;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,wBAAsB,WAAW,CAAC,EAChC,GAAG,EACH,KAAK,EACL,QAAQ,GACT,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAiCzB"}

package/dist/compose.d.ts

@@ -0,0 +1,4 @@
+type StopCompose = () => void;
+export declare function startCompose(file: string): StopCompose;
+export {};
+//# sourceMappingURL=compose.d.ts.map

package/dist/compose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../src/compose.ts"],"names":[],"mappings":"AAGA,KAAK,WAAW,GAAG,MAAM,IAAI,CAAC;AAI9B,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,CAoBtD"}

package/dist/config.d.ts

@@ -0,0 +1,76 @@
+import type { ResolvedConfig } from 'vite';
+import type { VisageDexExpiry, VisageDexUser, VisageOptions, VisageService, VisageUpstream } from './types';
+type Volume = readonly [from: string, to: string];
+type ResolvedCookiePolicy = {
+    readonly cookie_name: string;
+    readonly cookie_expire: string;
+    readonly cookie_refresh: string;
+    readonly cookie_domains?: readonly string[];
+    readonly cookie_path: string;
+};
+type ResolvedDexConfig = {
+    readonly expiry?: VisageDexExpiry;
+    readonly users: readonly Required<VisageDexUser>[];
+};
+type ResolvedIdpOption = {
+    readonly path: string;
+    readonly upstream: string;
+    readonly issuer?: string;
+    readonly authorizationEndpoint?: string;
+    readonly tokenEndpoint?: string;
+    readonly jwksEndpoint?: string;
+} & ({
+    readonly kind: 'dex';
+    readonly dex: ResolvedDexConfig;
+} | {
+    readonly kind: 'external';
+});
+type ResolvedIdp = {
+    readonly issuer: string;
+    readonly authorizationEndpoint: string;
+    readonly tokenEndpoint: string;
+    readonly jwksEndpoint: string;
+    readonly upstream: string;
+} & ({
+    readonly kind: 'dex';
+    readonly dex: ResolvedDexConfig;
+} | {
+    readonly kind: 'external';
+});
+type ResolvedOAuth2Client = {
+    readonly id: string;
+    readonly secret?: string;
+    readonly scopes: readonly string[];
+    readonly public: boolean;
+};
+type ResolvedVisageOptions = {
+    readonly host: string;
+    readonly port: number;
+    readonly cookie: ResolvedCookiePolicy;
+    readonly idp: ResolvedIdpOption;
+    readonly oauth2: ResolvedOAuth2Client;
+    readonly services?: Record<string, VisageService>;
+    readonly upstreams?: Record<string, VisageUpstream>;
+};
+export type VisageConfig = {
+    readonly host: string;
+    readonly port: number;
+    readonly cookie: ResolvedCookiePolicy;
+    readonly idp: ResolvedIdp;
+    readonly oauth2: ResolvedOAuth2Client;
+    readonly cache: string;
+    readonly files: {
+        readonly certs: Volume;
+        readonly compose: string;
+        readonly dex: Volume;
+        readonly nginx: Volume;
+        readonly oauth2Proxy: Volume;
+        readonly oauth2ProxyClientSecret: Volume;
+    };
+    readonly services: Readonly<Record<string, VisageService>>;
+    readonly upstreams: Readonly<Record<string, VisageUpstream>>;
+};
+export declare function resolveOptions(options: VisageOptions): ResolvedVisageOptions;
+export declare function resolveConfig(options: ResolvedVisageOptions, config: ResolvedConfig, vitePort: number): VisageConfig;
+export {};
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,MAAM,CAAC;AAE3C,OAAO,KAAK,EACV,eAAe,EAEf,aAAa,EAEb,aAAa,EAEb,aAAa,EACb,cAAc,EACf,MAAM,SAAS,CAAC;AAEjB,KAAK,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;AAElD,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B,CAAC;AAEF,KAAK,iBAAiB,GAAG;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,eAAe,CAAC;IAClC,QAAQ,CAAC,KAAK,EAAE,SAAS,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;CACpD,CAAC;AAEF,KAAK,iBAAiB,GAAG;IACvB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC,GAAG,CACA;IACE,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;CACjC,GACD;IAAE,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;CAAE,CAChC,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,qBAAqB,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B,GAAG,CACA;IACE,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;CACjC,GACD;IAAE,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;CAAE,CAChC,CAAC;AAEF,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF,KAAK,qBAAqB,GAAG;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;IAChC,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAClD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CACrD,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,GAAG,EAAE,WAAW,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IAEtC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE;QACd,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QACzB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;QAC7B,QAAQ,CAAC,uBAAuB,EAAE,MAAM,CAAC;KAC1C,CAAC;IAEF,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC;IAC3D,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;CAC9D,CAAC;AA6GF,wBAAgB,cAAc,CAAC,OAAO,EAAE,aAAa,GAAG,qBAAqB,CAqC5E;AA6BD,wBAAgB,aAAa,CAC3B,OAAO,EAAE,qBAAqB,EAC9B,MAAM,EAAE,cAAc,EACtB,QAAQ,EAAE,MAAM,GACf,YAAY,CAiEd"}

package/dist/hosts.d.ts

@@ -0,0 +1,2 @@
+export declare function ensureHostEntry(hostname: string): void;
+//# sourceMappingURL=hosts.d.ts.map

package/dist/hosts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hosts.d.ts","sourceRoot":"","sources":["../src/hosts.ts"],"names":[],"mappings":"AAKA,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAyDtD"}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+import type { Plugin } from 'vite';
+import type { VisageOptions } from './types';
+export type { VisageCookiePolicy, VisageDexExpiry, VisageDexOptions, VisageDexUser, VisageIdpOptions, VisageOAuth2Client, VisageOptions, VisageProxyPolicy, VisageService, VisageUpstream, } from './types';
+export declare function visage(options?: VisageOptions): Plugin;
+export default visage;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAOnC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C,YAAY,EACV,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,gBAAgB,EAChB,kBAAkB,EAClB,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,cAAc,GACf,MAAM,SAAS,CAAC;AAEjB,wBAAgB,MAAM,CAAC,OAAO,GAAE,aAAkB,GAAG,MAAM,CAmD1D;AAED,eAAe,MAAM,CAAC"}

package/dist/index.js

@@ -0,0 +1,621 @@
+import { dirname, join } from 'node:path';
+import { spawnSync } from 'node:child_process';
+import { existsSync, mkdirSync, createWriteStream, chmodSync, readFileSync, appendFileSync, writeFileSync } from 'node:fs';
+import { Readable } from 'node:stream';
+import { pipeline } from 'node:stream/promises';
+import { stringify } from 'yaml';
+import { hashSync } from 'bcryptjs';
+import { Eta } from 'eta';
+import { createHash } from 'node:crypto';
+
+let stopCompose;
+function startCompose(file) {
+    stopCompose?.();
+    stopCompose = undefined;
+    const stop = () => {
+        if (stopCompose !== stop)
+            return;
+        stopCompose = undefined;
+        process.off('SIGINT', onSigInt);
+        process.off('SIGTERM', onSigTerm);
+        run(file, ['down'], 'Failed to stop Docker Compose');
+    };
+    run(file, ['up', '-d'], 'Failed to start Docker Compose');
+    stopCompose = stop;
+    process.off('SIGINT', onSigInt);
+    process.off('SIGTERM', onSigTerm);
+    process.once('SIGINT', onSigInt);
+    process.once('SIGTERM', onSigTerm);
+    return stop;
+}
+function run(file, args, message) {
+    const result = spawnSync('docker', ['compose', '-f', file, ...args], {
+        cwd: dirname(file),
+        stdio: 'inherit',
+    });
+    if (result.error)
+        throw result.error;
+    if (result.status !== 0)
+        throw new Error(message);
+}
+function onSigInt() {
+    try {
+        stopCompose?.();
+    }
+    finally {
+        process.exit(130);
+    }
+}
+function onSigTerm() {
+    try {
+        stopCompose?.();
+    }
+    finally {
+        process.exit(143);
+    }
+}
+
+async function ensureCerts({ bin, certs, hostname, }) {
+    const cert = join(certs, 'tls.crt');
+    const key = join(certs, 'tls.key');
+    if (existsSync(cert) && existsSync(key))
+        return;
+    const mkcert = await ensureMkCert(bin);
+    const env = {
+        ...process.env,
+        CAROOT: join(bin, 'ca'),
+        TRUST_STORES: process.env.TRUST_STORES ?? 'system',
+    };
+    // install CA
+    {
+        const result = spawnSync(mkcert, ['-install'], {
+            env,
+            stdio: [process.stdin.isTTY ? 'inherit' : 'ignore', 'inherit', 'inherit'],
+        });
+        if (result.error)
+            throw result.error;
+        if (result.status !== 0) {
+            throw new Error('Failed to install CA');
+        }
+    }
+    // generate certs
+    mkdirSync(certs, { recursive: true });
+    const names = [...new Set([hostname, 'localhost', '127.0.0.1', '::1'])];
+    const args = ['-cert-file', cert, '-key-file', key, ...names];
+    const result = spawnSync(mkcert, args, { env, stdio: 'inherit' });
+    if (result.error)
+        throw result.error;
+    if (result.status !== 0) {
+        throw new Error('Failed to generate TLS certificates');
+    }
+}
+async function ensureMkCert(bin) {
+    const file = join(bin, 'mkcert');
+    if (existsSync(file))
+        return file;
+    mkdirSync(bin, { recursive: true });
+    const base = 'https://dl.filippo.io/mkcert/latest';
+    const arch = process.arch === 'x64' ? 'amd64' : process.arch;
+    const params = `?for=${process.platform}/${arch}`;
+    const url = new URL(params, base);
+    const response = await fetch(url);
+    if (!response.ok || !response.body) {
+        throw new Error('Failed to download mkcert');
+    }
+    await pipeline(Readable.fromWeb(response.body), createWriteStream(file));
+    chmodSync(file, 0o755);
+    return file;
+}
+
+const HOSTS_FILE = '/etc/hosts';
+function ensureHostEntry(hostname) {
+    if (!hostname ||
+        hostname.trim() !== hostname ||
+        hostname.includes('/') ||
+        hostname.includes(':')) {
+        throw new Error('Invalid hostname');
+    }
+    const contents = readFileSync(HOSTS_FILE, 'utf8');
+    for (const line of contents.split(/\r?\n/)) {
+        const uncommented = line.replace(/\s+#.*$/, '').trim();
+        if (!uncommented || uncommented.startsWith('#')) {
+            continue;
+        }
+        const [address, ...names] = uncommented.split(/\s+/);
+        if (!names.includes(hostname)) {
+            continue;
+        }
+        if (address === '127.0.0.1' || address === '::1') {
+            // Already configured to loopback, nothing to do.
+            return;
+        }
+        throw new Error('Hosts file contains a conflicting entry');
+    }
+    const prefix = contents.endsWith('\n') ? '' : '\n';
+    const entry = `${prefix}127.0.0.1\t${hostname} # visage\n`;
+    try {
+        appendFileSync(HOSTS_FILE, entry);
+        return;
+    }
+    catch {
+        // Fall through to sudo tee.
+    }
+    const result = spawnSync('sudo', [...(process.stdin.isTTY ? [] : ['-n']), 'tee', '-a', HOSTS_FILE], {
+        input: entry,
+        stdio: ['pipe', 'ignore', 'inherit'],
+    });
+    if (result.error) {
+        throw result.error;
+    }
+    if (result.status !== 0) {
+        throw new Error('Failed to add hosts entry');
+    }
+}
+
+function writeComposeConfig(config) {
+    const file = join(config.cache, config.files.compose);
+    const render = renderComposeConfig(config);
+    writeFileSync(file, render, 'utf-8');
+}
+function renderComposeConfig(config) {
+    const { dex, nginx, oauth2_proxy, ...services } = config.services;
+    return stringify({
+        services: {
+            ...(config.idp.kind === 'dex'
+                ? {
+                    dex: {
+                        ...config.services.dex,
+                        volumes: [`${config.files.dex[0]}:${config.files.dex[1]}:ro`],
+                    },
+                }
+                : {}),
+            nginx: {
+                ...config.services.nginx,
+                ports: [`${config.port}:${config.port}`],
+                volumes: [config.files.certs, config.files.nginx].map(([from, to]) => `${from}:${to}:ro`),
+            },
+            oauth2_proxy: {
+                ...config.services.oauth2_proxy,
+                volumes: [
+                    `${config.files.oauth2Proxy[0]}:${config.files.oauth2Proxy[1]}:ro`,
+                    ...(config.oauth2.public
+                        ? [
+                            `${config.files.oauth2ProxyClientSecret[0]}:${config.files.oauth2ProxyClientSecret[1]}:ro`,
+                        ]
+                        : []),
+                ],
+            },
+            ...services,
+        },
+    });
+}
+
+function writeDexConfig(config) {
+    const file = join(config.cache, config.files.dex[0]);
+    const render = renderDexConfig(config);
+    writeFileSync(file, render, 'utf-8');
+}
+function renderDexConfig(config) {
+    if (config.idp.kind !== 'dex') {
+        throw new Error('Dex config is required to render Dex');
+    }
+    const origin = `https://${config.host}:${config.port}`;
+    const redirect = `${origin}/oauth2/callback`;
+    const upstream = config.upstreams[config.idp.upstream];
+    return stringify({
+        issuer: config.idp.issuer,
+        storage: { type: 'memory' },
+        web: { http: `0.0.0.0:${upstream.port}` },
+        oauth2: { skipApprovalScreen: true },
+        staticClients: [
+            {
+                id: config.oauth2.id,
+                name: 'Visage',
+                ...(config.oauth2.secret === undefined
+                    ? { public: true }
+                    : { secret: config.oauth2.secret }),
+                redirectURIs: [redirect],
+            },
+        ],
+        enablePasswordDB: true,
+        ...(config.idp.dex.expiry === undefined
+            ? {}
+            : { expiry: config.idp.dex.expiry }),
+        staticPasswords: config.idp.dex.users.map(({ password, ...user }) => ({
+            ...user,
+            hash: hashSync(password, 10),
+        })),
+    });
+}
+
+const template = `
+events {}
+
+http {
+    # Allow WebSockets (Vite HMR).
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+
+    <%_ for (const [name, upstream] of Object.entries(it.upstreams)) { %>
+    upstream <%~ name %> {
+        server <%~ upstream.host %>:<%~ upstream.port %>;
+    }
+
+    <%_ } %>
+    server {
+        listen <%~ it.port %> ssl;
+        server_name <%~ it.host %>;
+
+        ssl_certificate     <%~ it.ssl.cert %>;
+        ssl_certificate_key <%~ it.ssl.key %>;
+
+        <%_ for (const [name, upstream] of Object.entries(it.upstreams)) { %>
+            <%_ for (const [path, location] of Object.entries(upstream.locations ?? {})) { %>
+        location <%~ path %> {
+            <%_ if (location.auth?.enabled) { %>
+            auth_request      /oauth2/auth;
+            auth_request_set  $access_token $upstream_http_x_auth_request_access_token;
+
+            <%_ if (location.auth.redirect) { %>
+            error_page 401 =302 /oauth2/start?rd=$scheme://$http_host$request_uri;
+            <%_ } %>
+            <%_ } %>
+            <%_ for (const [header, value] of Object.entries(location.headers ?? {})) { %>
+            proxy_set_header <%~ header %> <%~ value %>;
+            <%_ } %>
+            <%_ if (location.auth?.enabled && location.auth.forward) { %>
+            proxy_set_header Authorization "Bearer $access_token";
+            <%_ } %>
+            proxy_pass http://<%~ name %>;
+        }
+            <%_ } %>
+
+        <%_ } %>
+    }
+}
+`;
+function writeNginxConfig(config) {
+    const file = join(config.cache, config.files.nginx[0]);
+    const render = renderNginxConfig(config);
+    writeFileSync(file, render, 'utf-8');
+}
+function renderNginxConfig(config) {
+    const data = {
+        host: config.host,
+        port: config.port,
+        ssl: {
+            cert: join(config.files.certs[1], 'tls.crt'),
+            key: join(config.files.certs[1], 'tls.key'),
+        },
+        upstreams: config.upstreams,
+    };
+    return new Eta({ autoTrim: false }).renderString(template, data);
+}
+
+function writeOauth2ProxyConfig(config) {
+    const file = join(config.cache, config.files.oauth2Proxy[0]);
+    const render = renderOauth2ProxyConfig(config);
+    writeFileSync(file, render, 'utf-8');
+    if (config.oauth2.public) {
+        writeFileSync(join(config.cache, config.files.oauth2ProxyClientSecret[0]), '');
+    }
+}
+function renderOauth2ProxyConfig(config) {
+    const data = {
+        http_address: `0.0.0.0:${config.upstreams.oauth2_proxy.port}`,
+        provider: 'oidc',
+        oidc_issuer_url: config.idp.issuer,
+        skip_oidc_discovery: true,
+        login_url: config.idp.authorizationEndpoint,
+        redeem_url: config.idp.tokenEndpoint,
+        oidc_jwks_url: config.idp.jwksEndpoint,
+        redirect_url: `https://${config.host}:${config.port}/oauth2/callback`,
+        client_id: config.oauth2.id,
+        ...(config.oauth2.secret === undefined
+            ? {
+                client_secret_file: config.files.oauth2ProxyClientSecret[1],
+                code_challenge_method: 'S256',
+            }
+            : { client_secret: config.oauth2.secret }),
+        cookie_secret: createHash('sha256')
+            .update('visage:cookie-secret\0')
+            .update(config.cache)
+            .digest('base64url'),
+        ...config.cookie,
+        cookie_httponly: true,
+        cookie_secure: true,
+        cookie_samesite: 'lax',
+        email_domains: ['*'],
+        scope: config.oauth2.scopes.join(' '),
+        upstreams: ['static://202'],
+        reverse_proxy: true,
+        set_xauthrequest: true,
+        pass_access_token: true,
+        pass_authorization_header: true,
+        skip_provider_button: true,
+    };
+    return `${Object.entries(data)
+        .map(([key, value]) => {
+        if (Array.isArray(value)) {
+            const values = value.map((item) => JSON.stringify(item)).join(', ');
+            return `${key} = [${values}]`;
+        }
+        if (typeof value === 'string') {
+            return `${key} = ${JSON.stringify(value)}`;
+        }
+        return `${key} = ${String(value)}`;
+    })
+        .join('\n')}\n`;
+}
+
+function render(config) {
+    writeComposeConfig(config);
+    if (config.idp.kind === 'dex') {
+        writeDexConfig(config);
+    }
+    writeNginxConfig(config);
+    writeOauth2ProxyConfig(config);
+}
+
+const BaseFiles = {
+    certs: ['./certs', '/etc/nginx/certs'],
+    compose: './compose.yaml',
+    dex: ['./dex.yml', '/etc/dex/dex.yml'],
+    nginx: ['./nginx.conf', '/etc/nginx/nginx.conf'],
+    oauth2ProxyClientSecret: [
+        './oauth2-client-secret',
+        '/etc/oauth2-proxy/client-secret',
+    ],
+    oauth2Proxy: ['./oauth2-proxy.yml', '/etc/oauth2-proxy/config.yml'],
+};
+const BaseServices = {
+    dex: {
+        image: 'ghcr.io/dexidp/dex:v2.45.1',
+        command: ['dex', 'serve', '/etc/dex/dex.yml'],
+    },
+    nginx: {
+        image: 'nginx:1.30.0-alpine',
+        depends_on: ['oauth2_proxy', 'dex'],
+        extra_hosts: ['host.docker.internal:host-gateway'],
+    },
+    oauth2_proxy: {
+        image: 'quay.io/oauth2-proxy/oauth2-proxy:v7.15.2',
+        command: ['--config', '/etc/oauth2-proxy/config.yml'],
+        depends_on: ['dex'],
+        extra_hosts: ['host.docker.internal:host-gateway'],
+    },
+};
+const BaseDexUpstream = {
+    host: 'dex',
+    port: 5556,
+    locations: { '/dex/': { auth: { enabled: false } } },
+};
+const BaseOauth2ProxyUpstream = {
+    host: 'oauth2_proxy',
+    port: 4180,
+    locations: {
+        '/oauth2/': {
+            auth: { enabled: false },
+            headers: {
+                Cookie: '$http_cookie',
+                Host: '$host',
+                'X-Real-IP': '$remote_addr',
+                'X-Forwarded-For': '$proxy_add_x_forwarded_for',
+                'X-Forwarded-Proto': '$scheme',
+                'X-Auth-Request-Redirect': '$request_uri',
+            },
+        },
+    },
+};
+const BaseViteUpstream = {
+    host: 'host.docker.internal',
+    locations: {
+        '/': {
+            auth: { forward: false, redirect: true },
+            headers: {
+                Upgrade: '$http_upgrade',
+                Connection: '$connection_upgrade',
+            },
+        },
+    },
+};
+const DefaultCookiePolicy = {
+    cookie_expire: '8h',
+    cookie_refresh: '15m',
+    cookie_path: '/',
+};
+const DefaultDexUsers = [
+    {
+        email: 'user@example.com',
+        password: 'pass',
+    },
+];
+const DefaultIdpConfig = {
+    kind: 'dex',
+    path: '/dex',
+    upstream: 'dex',
+};
+const DefaultOAuth2Client = {
+    id: 'visage',
+    secret: 'visage-secret',
+    scopes: ['openid', 'email', 'profile']};
+const DefaultProxyPolicy = {
+    auth: { enabled: true, forward: true, redirect: false },
+    headers: {
+        Cookie: '""', // Don't forward session cookie.
+        Host: '$host',
+        'X-Real-IP': '$remote_addr',
+        'X-Forwarded-For': '$proxy_add_x_forwarded_for',
+        'X-Forwarded-Proto': '$scheme',
+    },
+};
+function resolveOptions(options) {
+    const cookie = options.cookie ?? {};
+    const cookieName = cookie.name ?? 'session';
+    const oauth2 = options.oauth2 ?? {};
+    const publicClient = oauth2.clientSecret === null;
+    return {
+        ...options,
+        host: options.host ?? 'local.vite.app',
+        port: options.port ?? 9001,
+        cookie: {
+            ...DefaultCookiePolicy,
+            cookie_name: cookie.domains === undefined
+                ? cookieName.startsWith('__HOST-')
+                    ? cookieName
+                    : `__HOST-${cookieName}`
+                : cookieName,
+            ...(cookie.expire === undefined ? {} : { cookie_expire: cookie.expire }),
+            ...(cookie.refresh === undefined
+                ? {}
+                : { cookie_refresh: cookie.refresh }),
+            ...(cookie.domains === undefined
+                ? {}
+                : { cookie_domains: cookie.domains }),
+            ...(cookie.path === undefined ? {} : { cookie_path: cookie.path }),
+        },
+        idp: resolveIdpOption(options.idp),
+        oauth2: {
+            id: oauth2.clientId ?? DefaultOAuth2Client.id,
+            ...(publicClient
+                ? {}
+                : { secret: oauth2.clientSecret ?? DefaultOAuth2Client.secret }),
+            scopes: oauth2.scopes ?? DefaultOAuth2Client.scopes,
+            public: publicClient,
+        },
+    };
+}
+function resolveIdpOption(idp) {
+    function normalizePath(path) {
+        const pathWithLeadingSlash = path.startsWith('/') ? path : `/${path}`;
+        return pathWithLeadingSlash.endsWith('/')
+            ? pathWithLeadingSlash.slice(0, -1)
+            : pathWithLeadingSlash;
+    }
+    if (idp?.kind === 'external') {
+        const { path = DefaultIdpConfig.path, ...external } = idp;
+        return { ...external, path: normalizePath(path) };
+    }
+    return {
+        ...DefaultIdpConfig,
+        dex: {
+            ...(idp?.expiry ? { expiry: idp.expiry } : {}),
+            users: (idp?.users ?? DefaultDexUsers).map((user) => ({
+                email: user.email,
+                password: user.password,
+                username: user.username ?? user.email.split('@', 1)[0],
+                userID: user.userID ?? user.email,
+            })),
+        },
+    };
+}
+function resolveConfig(options, config, vitePort) {
+    const upstreams = {
+        oauth2_proxy: BaseOauth2ProxyUpstream,
+        vite: { ...BaseViteUpstream, port: vitePort },
+        ...(options.idp.kind === 'dex' ? { dex: BaseDexUpstream } : {}),
+        ...options.upstreams,
+    };
+    const { host: idpHost, port: idpPort } = upstreams[options.idp.upstream];
+    const origin = `https://${options.host}:${options.port}`;
+    const idpOrigin = `http://${idpHost}:${idpPort}`;
+    const idpBase = {
+        upstream: options.idp.upstream,
+        issuer: options.idp.issuer ?? `${origin}${options.idp.path}`,
+        authorizationEndpoint: options.idp.authorizationEndpoint ?? `${origin}${options.idp.path}/auth`,
+        tokenEndpoint: options.idp.tokenEndpoint ?? `${idpOrigin}${options.idp.path}/token`,
+        jwksEndpoint: options.idp.jwksEndpoint ?? `${idpOrigin}${options.idp.path}/keys`,
+    };
+    return {
+        host: options.host,
+        port: options.port,
+        cookie: options.cookie,
+        idp: options.idp.kind === 'dex'
+            ? { ...idpBase, kind: 'dex', dex: options.idp.dex }
+            : { ...idpBase, kind: 'external' },
+        oauth2: options.oauth2,
+        cache: join(config.cacheDir, 'visage'),
+        files: { ...BaseFiles },
+        services: {
+            ...(options.idp.kind === 'dex'
+                ? BaseServices
+                : {
+                    nginx: {
+                        ...BaseServices.nginx,
+                        depends_on: ['oauth2_proxy'],
+                    },
+                    oauth2_proxy: {
+                        command: BaseServices.oauth2_proxy.command,
+                        extra_hosts: BaseServices.oauth2_proxy.extra_hosts,
+                        image: BaseServices.oauth2_proxy.image,
+                    },
+                }),
+            ...options.services,
+        },
+        upstreams: Object.fromEntries(Object.entries(upstreams).map(([name, upstream]) => [
+            name,
+            {
+                ...upstream,
+                locations: Object.fromEntries(Object.entries(upstream.locations ?? {}).map(([path, policy]) => [
+                    path,
+                    {
+                        auth: { ...DefaultProxyPolicy.auth, ...policy.auth },
+                        headers: { ...DefaultProxyPolicy.headers, ...policy.headers },
+                    },
+                ])),
+            },
+        ])),
+    };
+}
+
+function visage(options = {}) {
+    const resolvedOptions = resolveOptions(options);
+    let stop;
+    return {
+        name: 'visage',
+        apply: 'serve',
+        config() {
+            return {
+                server: {
+                    hmr: {
+                        protocol: 'wss',
+                        host: resolvedOptions.host,
+                        clientPort: resolvedOptions.port,
+                    },
+                    host: '0.0.0.0',
+                },
+            };
+        },
+        configureServer(server) {
+            async function startVisage(port) {
+                const config = resolveConfig(resolvedOptions, server.config, port);
+                await ensureCerts({
+                    bin: join(config.cache, 'bin'),
+                    certs: join(config.cache, config.files.certs[0]),
+                    hostname: config.host,
+                });
+                ensureHostEntry(config.host);
+                render(config);
+                return startCompose(join(config.cache, config.files.compose));
+            }
+            const listen = server.listen.bind(server);
+            server.listen = async (port, isRestart) => {
+                const result = await listen(port, isRestart);
+                const address = server.httpServer?.address();
+                if (!address || typeof address === 'string') {
+                    throw new Error('Failed to resolve port for Visage');
+                }
+                stop = await startVisage(address.port);
+                return result;
+            };
+        },
+        closeBundle() {
+            stop?.();
+            stop = undefined;
+        },
+    };
+}
+
+export { visage as default, visage };

package/dist/render/compose.d.ts

@@ -0,0 +1,3 @@
+import type { VisageConfig } from '../config';
+export declare function writeComposeConfig(config: VisageConfig): void;
+//# sourceMappingURL=compose.d.ts.map

package/dist/render/compose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../../src/render/compose.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAE9C,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAI7D"}

package/dist/render/dex.d.ts

@@ -0,0 +1,3 @@
+import type { VisageConfig } from '../config';
+export declare function writeDexConfig(config: VisageConfig): void;
+//# sourceMappingURL=dex.d.ts.map

package/dist/render/dex.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dex.d.ts","sourceRoot":"","sources":["../../src/render/dex.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAE9C,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAIzD"}

package/dist/render/index.d.ts

@@ -0,0 +1,3 @@
+import type { VisageConfig } from '../config';
+export declare function render(config: VisageConfig): void;
+//# sourceMappingURL=index.d.ts.map

package/dist/render/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/render/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAM9C,wBAAgB,MAAM,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAOjD"}

package/dist/render/nginx.d.ts

@@ -0,0 +1,3 @@
+import type { VisageConfig } from '../config';
+export declare function writeNginxConfig(config: VisageConfig): void;
+//# sourceMappingURL=nginx.d.ts.map

package/dist/render/nginx.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nginx.d.ts","sourceRoot":"","sources":["../../src/render/nginx.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAmD9C,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAI3D"}

package/dist/render/oauth2-proxy.d.ts

@@ -0,0 +1,3 @@
+import type { VisageConfig } from '../config';
+export declare function writeOauth2ProxyConfig(config: VisageConfig): void;
+//# sourceMappingURL=oauth2-proxy.d.ts.map

package/dist/render/oauth2-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth2-proxy.d.ts","sourceRoot":"","sources":["../../src/render/oauth2-proxy.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAE9C,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAQjE"}

package/dist/types.d.ts

@@ -0,0 +1,85 @@
+export type VisageOptions = {
+    readonly host?: string;
+    readonly port?: number;
+    readonly cookie?: VisageCookiePolicy;
+    readonly idp?: VisageDexOptions | VisageIdpOptions;
+    readonly oauth2?: VisageOAuth2Client;
+    readonly services?: Record<string, VisageService>;
+    readonly upstreams?: Record<string, VisageUpstream>;
+};
+export type VisageCookiePolicy = {
+    readonly name?: string;
+    readonly expire?: string;
+    readonly refresh?: string;
+    readonly domains?: readonly string[];
+    readonly path?: string;
+};
+export type VisageDexOptions = {
+    readonly kind?: 'dex';
+    readonly expiry?: VisageDexExpiry;
+    readonly users?: readonly VisageDexUser[];
+};
+/**
+ * Dex token expiration and rotation settings.
+ *
+ * @see {@link https://dexidp.io/docs/configuration/tokens/#expiration-and-rotation-settings}
+ */
+export type VisageDexExpiry = {
+    readonly idTokens?: string;
+    readonly authRequests?: string;
+    readonly deviceRequests?: string;
+    readonly signingKeys?: string;
+    readonly refreshTokens?: {
+        readonly validIfNotUsedFor?: string;
+        readonly absoluteLifetime?: string;
+        readonly disableRotation?: boolean;
+        readonly reuseInterval?: string;
+    };
+};
+export type VisageDexUser = {
+    readonly email: string;
+    readonly password: string;
+    readonly username?: string;
+    readonly userID?: string;
+};
+export type VisageIdpOptions = {
+    readonly kind: 'external';
+    readonly upstream: string;
+    readonly path?: string;
+    readonly issuer?: string;
+    readonly authorizationEndpoint?: string;
+    readonly tokenEndpoint?: string;
+    readonly jwksEndpoint?: string;
+};
+export type VisageOAuth2Client = {
+    readonly clientId?: string;
+    /**
+     * Set to `null` to render a public Dex client and enable OAuth2 Proxy PKCE.
+     */
+    readonly clientSecret?: string | null;
+    readonly scopes?: readonly string[];
+};
+export type VisageService = {
+    readonly image: string;
+    readonly command?: readonly string[];
+    readonly depends_on?: readonly string[];
+    readonly extra_hosts?: readonly string[];
+};
+export type VisageUpstream = {
+    readonly host: string;
+    readonly port: number;
+    readonly locations?: {
+        readonly [path: string]: VisageProxyPolicy;
+    };
+};
+export type VisageProxyPolicy = {
+    readonly auth?: {
+        readonly enabled?: boolean;
+        readonly redirect?: boolean;
+        readonly forward?: boolean;
+    };
+    readonly headers?: {
+        readonly [key: string]: string;
+    };
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GAAG;IAC1B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,kBAAkB,CAAC;IACrC,QAAQ,CAAC,GAAG,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,CAAC;IACnD,QAAQ,CAAC,MAAM,CAAC,EAAE,kBAAkB,CAAC;IACrC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAClD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CACrD,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,eAAe,CAAC;IAClC,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,aAAa,EAAE,CAAC;CAC3C,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,aAAa,CAAC,EAAE;QACvB,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;QACpC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;QACnC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;QACnC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;KACjC,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACrC,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACxC,QAAQ,CAAC,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC1C,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,SAAS,CAAC,EAAE;QAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,GAAG,iBAAiB,CAAA;KAAE,CAAC;CACrE,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE;QACd,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;QAC3B,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;QAC5B,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;KAC5B,CAAC;IACF,QAAQ,CAAC,OAAO,CAAC,EAAE;QAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC;CACvD,CAAC"}

package/package.json

@@ -0,0 +1,65 @@
+{
+  "name": "@blakearoberts/visage",
+  "version": "0.0.1-rc.0",
+  "description": "Vite plugin for local development with HMR and OIDC session cookie lifecycle semantics.",
+  "type": "module",
+  "author": "Blake Roberts",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/blakearoberts/visage.git"
+  },
+  "bugs": {
+    "url": "https://github.com/blakearoberts/visage/issues"
+  },
+  "homepage": "https://github.com/blakearoberts/visage#readme",
+  "keywords": [
+    "vite",
+    "plugin",
+    "oidc",
+    "hmr",
+    "session",
+    "cookie",
+    "lifecycle",
+    "development"
+  ],
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org"
+  },
+  "scripts": {
+    "build": "npm run clean && rollup -c",
+    "clean": "node -e \"require('node:fs').rmSync('dist', { recursive: true, force: true })\"",
+    "test": "npm run test:unit",
+    "test:e2e": "playwright test test/e2e",
+    "test:unit": "node --experimental-strip-types --test test/unit/*.test.ts"
+  },
+  "devDependencies": {
+    "@playwright/test": "^1.59.1",
+    "@rollup/plugin-typescript": "^12.3.0",
+    "@types/node": "^25.6.2",
+    "rollup": "^4.60.3",
+    "tslib": "^2.8.1",
+    "typescript": "^5.9.3",
+    "vite": "^6.3.5"
+  },
+  "dependencies": {
+    "bcryptjs": "^3.0.3",
+    "eta": "^4.6.0",
+    "yaml": "^2.8.4"
+  }
+}