@blakearoberts/visage 0.0.1-rc.3 → 0.0.1-rc.30

package/README.md

@@ -1,6 +1,7 @@
 # Visage
 
-Visage (`/vit·ɛdʒ/`) is a Vite plugin for local development with HMR and OIDC session cookie lifecycle semantics.
+Visage (`/vit·ɛdʒ/`) is a Vite plugin for local development with HMR and OIDC
+session cookie lifecycle semantics.
 
 ## Getting Started
 
@@ -21,55 +22,115 @@ export default defineConfig({
 });
 ```
 
-Then start Vite normally:
+Start Vite normally:
 
 ```console
 vite
 ```
 
+By default, you can reach the app at `https://localhost:9001`. You will be
+redirected to Dex to sign in. The default username and password is
+`user@example.com` and `pass`.
+
+## Why Visage
+
+Visage is a local development harness for web apps that run behind an
+auth-protected edge, where browser sessions are represented by secure cookies
+backed by OIDC tokens.
+
+Visage narrows the gap between local development, automated tests, and
+production by bringing production-like session lifecycle semantics to local Vite
+development without giving up HMR. That makes it practical to iterate on SSR
+identity injection, session timeout recovery, lock screens, and authenticated
+API calls.
+
+Visage can also use a hosted IdP, so local frontend code can call hosted backend
+APIs with real credentials. That avoids frontend-only auth mocks or backend-only
+local bypasses: code can be written for production and still work locally.
+
 ## Configuration
 
 Visage is configured through `visage(options?)` in `vite.config.ts`.
 
-The top-level `host` and `port` configure the local Visage origin that the browser visits:
+The top-level `host` and `port` configure the local Visage origin that the
+browser visits:
+
+```ts
+visage({ host: 'localhost', port: 9001 });
+```
+
+### Services
+
+Services are Docker Compose services managed by the Vite dev-server lifecycle.
+Additional services automatically get a matching managed upstream with the same
+name, host, and default `/{name}/` location.
 
 ```ts
 visage({
-  host: 'localhost',
-  port: 9001,
+  services: { whoami: { image: 'traefik/whoami' } },
 });
 ```
 
-Services are Docker Compose services managed by the Vite dev-server lifecycle. Upstreams are proxy targets that Visage routes to, whether they are managed services or external systems.
+### Upstreams
+
+Upstreams are proxy targets that Visage routes to. A top-level upstream with no
+matching service entry is treated as an external upstream.
 
 ```ts
 visage({
-  services: {
-    whoami: { image: 'traefik/whoami' },
+  upstreams: {
+    api: { host: 'api.local.test', locations: { '/api/': {} } },
   },
+});
+```
+
+Authenticated upstream locations do not forward bearer tokens by default. Set
+`auth.forward` to `true` to forward the default bearer token for the upstream
+kind: external upstreams receive the OAuth access token, while local service
+upstreams receive the OIDC ID token.
+
+Hosted backend APIs that validate bearer auth should generally receive the
+access token, provided the token is issued for that API's issuer, audience, and
+scopes. Use `'access'` or `'id'` when you need to force a specific token kind.
+
+```ts
+visage({
   upstreams: {
-    whoami: {
-      host: 'whoami',
-      port: 80,
-      locations: { '/whoami/': {} },
+    api: {
+      locations: {
+        '/api/': { auth: { forward: true } },
+      },
     },
   },
 });
 ```
 
-See `VisageOptions` for the full option surface.
+OAuth2 Proxy identity values can also be mapped explicitly through headers such
+as `$auth_user`, `$auth_email`, `$auth_groups`, and `$auth_preferred_username`.
 
-## Expected Local URLs
+Authenticated locations also get Fetch Metadata CSRF checks by default. The
+built-in Vite root location uses `csrf: 'app'`, which allows same-origin
+requests and top-level `GET` document navigations. Other authenticated upstream
+locations use `csrf: 'api'`, which blocks same-site and cross-site browser
+requests when modern Fetch Metadata headers are present. Set `csrf: 'app'` for
+an upstream that serves browser pages, or `csrf: false` when the upstream
+intentionally handles cross-site browser requests itself.
 
-The browser-facing Visage origin is `https://{host}:{port}`.
+### External IdPs
 
-With the default configuration, open:
+External OIDC providers use issuer discovery by default:
 
-```text
-https://localhost:9001/
+```ts
+visage({
+  idp: { issuer: 'https://idp.example.test/oauth2/default' },
+});
 ```
 
-When using the managed Dex flow, OAuth2 Proxy serves auth endpoints under `/oauth2/` and Dex serves OIDC endpoints under `/dex/`.
+Configure `authorization`, `token`, or `jwks` only when the provider endpoints
+must be rendered explicitly instead of discovered from the issuer. Configure
+`end_session_endpoint` when the provider supports OIDC end-session redirects.
+
+See [`VisageOptions`](src/types.ts) for the full option surface.
 
 ## System Block Diagram
 
@@ -91,37 +152,53 @@ flowchart LR
 
 ## Required Tools
 
-- [Docker](https://docs.docker.com/get-started/get-docker/) with Compose v2 support through `docker compose`.
-
-## Managed Tools
-
-### mkcert
+- [Docker](https://docs.docker.com/get-started/get-docker/) with Compose v2
+  support through `docker compose`.
+- [`mkcert`](https://github.com/FiloSottile/mkcert#installation) installed on
+  `PATH`, or configured with `VISAGE_MKCERT=/path/to/mkcert`.
 
-Visage downloads [`mkcert`](https://github.com/FiloSottile/mkcert) from `dl.filippo.io` when the Vite dev server starts. Visage uses it to install a local certificate authority and generate HTTPS certificates for the local proxy.
-
-### Docker Images
+## Managed Docker Images
 
 Visage pulls these as needed based on configuration:
 
-- [NGINX](https://nginx.org/): [`nginx:1.30.0-alpine`](https://hub.docker.com/_/nginx).
-- [OAuth2 Proxy](https://oauth2-proxy.github.io/oauth2-proxy/): [`quay.io/oauth2-proxy/oauth2-proxy:v7.15.2`](https://quay.io/repository/oauth2-proxy/oauth2-proxy).
-- [Dex](https://dexidp.io/): [`ghcr.io/dexidp/dex:v2.45.1`](https://github.com/dexidp/dex/pkgs/container/dex).
+| Service                                                      | Image                                                                                       | Pin                                   |
+| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------- | ------------------------------------- |
+| [NGINX](https://nginx.org/)                                  | [`nginx`](https://hub.docker.com/_/nginx)                                                   | [manifest](docker-compose.images.yml) |
+| [OAuth2 Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) | [`quay.io/oauth2-proxy/oauth2-proxy`](https://quay.io/repository/oauth2-proxy/oauth2-proxy) | [manifest](docker-compose.images.yml) |
+| [Dex](https://dexidp.io/)                                    | [`ghcr.io/dexidp/dex`](https://github.com/dexidp/dex/pkgs/container/dex)                    | [manifest](docker-compose.images.yml) |
 
 ## Security Notes
 
-Visage is local-development tooling. It starts local auth infrastructure, terminates local HTTPS, and forwards authenticated identity or token material to configured upstreams.
+Visage is local-development tooling. It starts local auth infrastructure,
+terminates local HTTPS, and forwards authenticated identity or token material to
+configured upstreams.
+
+Please report suspected vulnerabilities through GitHub private vulnerability
+reporting as described in [Security Policy](SECURITY.md).
+
+Do not treat the managed Dex and OAuth2 Proxy defaults as production auth
+infrastructure.
 
-Do not treat the managed Dex and OAuth2 Proxy defaults as production auth infrastructure.
+Visage's CSRF policy is an edge request-isolation guard for cookie-backed
+locations. It is not a replacement for application-owned CSRF tokens where an
+application accepts form posts or other browser-submitted mutations. CSP,
+`frame-ancestors`, and other click-jacking controls remain application policy.
 
 ## Troubleshooting
 
-- If startup fails immediately, confirm Docker is running and `docker compose` works.
+- If startup fails immediately, confirm Docker is running and `docker compose`
+  works.
 - If NGINX cannot start, check whether the configured `port` is already in use.
-- If the hostname cannot be resolved, Visage may need permission to update `/etc/hosts`.
-- If the browser rejects the certificate, allow the local certificate authority prompt from `mkcert`.
+- If the hostname cannot be resolved, Visage may need permission to update
+  `/etc/hosts`.
+- If the browser rejects the certificate, allow the local certificate authority
+  prompt from `mkcert`; CI test runners should be configured to ignore local
+  HTTPS errors.
 
 ## TO-DO
 
+- [ ] Harden the default security posture by addressing the
+      [security hardening backlog](docs/security-hardening.md).
 - [ ] Support configuring [Dex connectors](https://dexidp.io/docs/connectors/).
-- [ ] Support configuring Dex on a distinct subdomain, such as `auth.local.vite.app`.
+- [ ] Support configuring Dex on a distinct subdomain, such as `auth.localhost`.
 - [ ] Support optional [HTTP mode without local TLS](docs/tls-http-mode.md).

package/dist/certs.d.ts

@@ -1,8 +1,3 @@
-type Options = {
-    bin: string;
-    certs: string;
-    hostname: string;
-};
-export declare function ensureCerts({ bin, certs, hostname, }: Options): Promise<void>;
-export {};
+import type { VisageConfig } from './config';
+export declare function ensureCerts(config: VisageConfig): Promise<void>;
 //# sourceMappingURL=certs.d.ts.map

package/dist/certs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"certs.d.ts","sourceRoot":"","sources":["../src/certs.ts"],"names":[],"mappings":"AAOA,KAAK,OAAO,GAAG;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,wBAAsB,WAAW,CAAC,EAChC,GAAG,EACH,KAAK,EACL,QAAQ,GACT,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAsCzB"}
+{"version":3,"file":"certs.d.ts","sourceRoot":"","sources":["../src/certs.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAI7C,wBAAsB,WAAW,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAwCrE"}

package/dist/compose.d.ts

@@ -1,4 +1,5 @@
+import type { VisageConfig } from './config';
 type StopCompose = () => void;
-export declare function startCompose(file: string): StopCompose;
+export declare function startCompose(config: VisageConfig): StopCompose;
 export {};
 //# sourceMappingURL=compose.d.ts.map

package/dist/compose.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../src/compose.ts"],"names":[],"mappings":"AAGA,KAAK,WAAW,GAAG,MAAM,IAAI,CAAC;AAI9B,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,CAoBtD"}
+{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../src/compose.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAE7C,KAAK,WAAW,GAAG,MAAM,IAAI,CAAC;AAI9B,wBAAgB,YAAY,CAAC,MAAM,EAAE,YAAY,GAAG,WAAW,CA0C9D"}

package/dist/config.d.ts

@@ -1,5 +1,4 @@
-import type { ResolvedConfig } from 'vite';
-import type { VisageDexExpiry, VisageDexUser, VisageOptions, VisageService, VisageUpstream } from './types';
+import type { VisageDexExpiry, VisageDexOptions, VisageDexUser, VisageExternalIdpOptions, VisageOptions, VisageService } from './types';
 type Volume = readonly [from: string, to: string];
 type ResolvedCookiePolicy = {
     readonly cookie_name: string;
@@ -8,55 +7,81 @@ type ResolvedCookiePolicy = {
     readonly cookie_domains?: readonly string[];
     readonly cookie_path: string;
 };
-type ResolvedDexConfig = {
-    readonly expiry?: VisageDexExpiry;
-    readonly users: readonly Required<VisageDexUser>[];
-};
 type ResolvedIdpOption = {
-    readonly path: string;
-    readonly upstream: string;
-    readonly issuer?: string;
-    readonly authorizationEndpoint?: string;
-    readonly tokenEndpoint?: string;
-    readonly jwksEndpoint?: string;
-} & ({
-    readonly kind: 'dex';
-    readonly dex: ResolvedDexConfig;
-} | {
-    readonly kind: 'external';
-});
-type ResolvedIdp = {
-    readonly issuer: string;
-    readonly authorizationEndpoint: string;
-    readonly tokenEndpoint: string;
-    readonly jwksEndpoint: string;
-    readonly upstream: string;
-} & ({
-    readonly kind: 'dex';
-    readonly dex: ResolvedDexConfig;
-} | {
-    readonly kind: 'external';
-});
+    readonly dex: VisageDexOptions;
+} | VisageExternalIdpOptions;
 type ResolvedOAuth2Client = {
     readonly id: string;
     readonly secret?: string;
     readonly scopes: readonly string[];
+    readonly emailDomains: readonly string[];
     readonly public: boolean;
 };
+type ResolvedProxyPolicy = {
+    readonly auth: {
+        readonly enabled: boolean;
+        readonly forward: false | 'id' | 'access';
+        readonly redirect: boolean;
+    };
+    readonly csrf: false | 'app' | 'api';
+    readonly headers: Readonly<Record<string, string>>;
+    readonly directives: Readonly<Record<string, readonly string[]>>;
+};
+type ResolvedUpstream = {
+    readonly scheme: 'http' | 'https';
+    readonly host: string;
+    readonly port: number;
+    readonly locations: Readonly<Record<string, ResolvedProxyPolicy>>;
+};
 type ResolvedVisageOptions = {
     readonly host: string;
     readonly port: number;
     readonly cookie: ResolvedCookiePolicy;
     readonly idp: ResolvedIdpOption;
     readonly oauth2: ResolvedOAuth2Client;
-    readonly services?: Record<string, VisageService>;
-    readonly upstreams?: Record<string, VisageUpstream>;
+    readonly services: Readonly<Record<string, VisageService>>;
+    readonly upstreams: Record<string, ResolvedUpstream>;
+};
+type OIDCEndpointConfig = {
+    readonly issuer: string;
+    readonly authorization?: string;
+    readonly token?: string;
+    readonly jwks?: string;
+    readonly end_session_endpoint?: string;
+};
+type ManualOIDCEndpointConfig = OIDCEndpointConfig & {
+    readonly authorization: string;
+    readonly token: string;
+    readonly jwks: string;
+};
+type ResolvedDexIdpConfig = {
+    readonly dex: {
+        readonly expiry?: VisageDexExpiry;
+        readonly users: readonly VisageDexUser[];
+    };
+    readonly oidc: ManualOIDCEndpointConfig;
+    readonly upstream: {
+        readonly dex: ResolvedUpstream;
+    };
+};
+type ResolvedExternalIdpConfig = {
+    readonly oidc: OIDCEndpointConfig;
+    readonly upstream: {
+        readonly idp: ResolvedUpstream;
+    };
+};
+type ResolvedIdpConfig = ResolvedDexIdpConfig | ResolvedExternalIdpConfig;
+type ResolvedService = Omit<VisageService, 'upstream'> & {
+    readonly restart: NonNullable<VisageService['restart']>;
+};
+type ResolvedConfigUpstream = ResolvedUpstream & {
+    readonly external: boolean;
 };
 export type VisageConfig = {
     readonly host: string;
     readonly port: number;
     readonly cookie: ResolvedCookiePolicy;
-    readonly idp: ResolvedIdp;
+    readonly idp: ResolvedIdpConfig;
     readonly oauth2: ResolvedOAuth2Client;
     readonly cache: string;
     readonly files: {
@@ -65,12 +90,20 @@ export type VisageConfig = {
         readonly dex: Volume;
         readonly nginx: Volume;
         readonly oauth2Proxy: Volume;
-        readonly oauth2ProxyClientSecret: Volume;
     };
-    readonly services: Readonly<Record<string, VisageService>>;
-    readonly upstreams: Readonly<Record<string, VisageUpstream>>;
+    readonly secrets: {
+        readonly cookieSecret: string;
+        readonly clientSecret: string;
+    };
+    readonly network: {
+        readonly name: string;
+        readonly trustedProxyIps: readonly string[];
+    };
+    readonly services: Readonly<Record<string, ResolvedService>>;
+    readonly upstreams: Readonly<Record<string, ResolvedConfigUpstream>>;
 };
+export declare const VisageEdgeKeyHeader = "X-Visage-Edge-Key";
 export declare function resolveOptions(options: VisageOptions): ResolvedVisageOptions;
-export declare function resolveConfig(options: ResolvedVisageOptions, config: ResolvedConfig, vitePort: number): VisageConfig;
+export declare function resolveConfig(options: ResolvedVisageOptions, cache: string, edgeKey?: string): VisageConfig;
 export {};
 //# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,MAAM,CAAC;AAE3C,OAAO,KAAK,EACV,eAAe,EAEf,aAAa,EAEb,aAAa,EAEb,aAAa,EACb,cAAc,EACf,MAAM,SAAS,CAAC;AAEjB,KAAK,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;AAElD,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B,CAAC;AAEF,KAAK,iBAAiB,GAAG;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,eAAe,CAAC;IAClC,QAAQ,CAAC,KAAK,EAAE,SAAS,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;CACpD,CAAC;AAEF,KAAK,iBAAiB,GAAG;IACvB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC,GAAG,CACA;IACE,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;CACjC,GACD;IAAE,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;CAAE,CAChC,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,qBAAqB,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B,GAAG,CACA;IACE,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;CACjC,GACD;IAAE,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;CAAE,CAChC,CAAC;AAEF,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF,KAAK,qBAAqB,GAAG;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;IAChC,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAClD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CACrD,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,GAAG,EAAE,WAAW,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IAEtC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE;QACd,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QACzB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;QAC7B,QAAQ,CAAC,uBAAuB,EAAE,MAAM,CAAC;KAC1C,CAAC;IAEF,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC;IAC3D,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;CAC9D,CAAC;AA6GF,wBAAgB,cAAc,CAAC,OAAO,EAAE,aAAa,GAAG,qBAAqB,CAqC5E;AA6BD,wBAAgB,aAAa,CAC3B,OAAO,EAAE,qBAAqB,EAC9B,MAAM,EAAE,cAAc,EACtB,QAAQ,EAAE,MAAM,GACf,YAAY,CAiEd"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EACV,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,wBAAwB,EACxB,aAAa,EAEb,aAAa,EAEd,MAAM,SAAS,CAAC;AAEjB,KAAK,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;AAElD,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B,CAAC;AAEF,KAAK,iBAAiB,GAClB;IAAE,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAA;CAAE,GAClC,wBAAwB,CAAC;AAE7B,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,YAAY,EAAE,SAAS,MAAM,EAAE,CAAC;IACzC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF,KAAK,mBAAmB,GAAG;IACzB,QAAQ,CAAC,IAAI,EAAE;QACb,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;QAC1B,QAAQ,CAAC,OAAO,EAAE,KAAK,GAAG,IAAI,GAAG,QAAQ,CAAC;QAC1C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;KAC5B,CAAC;IACF,QAAQ,CAAC,IAAI,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC;IACrC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACnD,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,KAAK,gBAAgB,GAAG;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,CAAC;CACnE,CAAC;AAEF,KAAK,qBAAqB,GAAG;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;IAChC,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC;IAC3D,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;CACtD,CAAC;AAEF,KAAK,kBAAkB,GAAG;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;CACxC,CAAC;AAEF,KAAK,wBAAwB,GAAG,kBAAkB,GAAG;IACnD,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,GAAG,EAAE;QACZ,QAAQ,CAAC,MAAM,CAAC,EAAE,eAAe,CAAC;QAClC,QAAQ,CAAC,KAAK,EAAE,SAAS,aAAa,EAAE,CAAC;KAC1C,CAAC;IACF,QAAQ,CAAC,IAAI,EAAE,wBAAwB,CAAC;IACxC,QAAQ,CAAC,QAAQ,EAAE;QAAE,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAA;KAAE,CAAC;CACvD,CAAC;AACF,KAAK,yBAAyB,GAAG;IAC/B,QAAQ,CAAC,IAAI,EAAE,kBAAkB,CAAC;IAClC,QAAQ,CAAC,QAAQ,EAAE;QAAE,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAA;KAAE,CAAC;CACvD,CAAC;AACF,KAAK,iBAAiB,GAAG,oBAAoB,GAAG,yBAAyB,CAAC;AAE1E,KAAK,eAAe,GAAG,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,GAAG;IACvD,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;CACzD,CAAC;AAEF,KAAK,sBAAsB,GAAG,gBAAgB,GAAG;IAC/C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;IAChC,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IAEtC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE;QACd,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QACzB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;KAC9B,CAAC;IACF,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;QAC9B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;KAC/B,CAAC;IACF,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,eAAe,EAAE,SAAS,MAAM,EAAE,CAAC;KAC7C,CAAC;IAEF,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC;IAC7D,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC,CAAC;CACtE,CAAC;AAEF,eAAO,MAAM,mBAAmB,sBAAsB,CAAC;AAmGvD,wBAAgB,cAAc,CAAC,OAAO,EAAE,aAAa,GAAG,qBAAqB,CAyD5E;AAsLD,wBAAgB,aAAa,CAC3B,OAAO,EAAE,qBAAqB,EAC9B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,MAAM,GACf,YAAY,CAsFd"}

package/dist/hosts.d.ts

@@ -1,2 +1,3 @@
-export declare function ensureHostEntry(hostname: string): void;
+import type { VisageConfig } from './config';
+export declare function ensureHostEntry({ host }: VisageConfig): void;
 //# sourceMappingURL=hosts.d.ts.map

package/dist/hosts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hosts.d.ts","sourceRoot":"","sources":["../src/hosts.ts"],"names":[],"mappings":"AAKA,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAyDtD"}
+{"version":3,"file":"hosts.d.ts","sourceRoot":"","sources":["../src/hosts.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAI7C,wBAAgB,eAAe,CAAC,EAAE,IAAI,EAAE,EAAE,YAAY,GAAG,IAAI,CAyD5D"}

package/dist/index.d.ts

@@ -1,6 +1,4 @@
-import type { Plugin } from 'vite';
-import type { VisageOptions } from './types';
-export type { VisageCookiePolicy, VisageDexExpiry, VisageDexOptions, VisageDexUser, VisageIdpOptions, VisageOAuth2Client, VisageOptions, VisageProxyPolicy, VisageService, VisageUpstream, } from './types';
-export declare function visage(options?: VisageOptions): Plugin;
-export default visage;
+export type { VisageCookiePolicy, VisageDexExpiry, VisageDexOptions, VisageDexUser, VisageExternalIdpOptions, VisageOAuth2Client, VisageOptions, VisageProxyPolicy, VisageService, VisageUpstream, } from './types';
+export { default, visage } from './plugin';
+export { createVisageServer, type VisageServer } from './server';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAOnC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C,YAAY,EACV,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,gBAAgB,EAChB,kBAAkB,EAClB,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,cAAc,GACf,MAAM,SAAS,CAAC;AAEjB,wBAAgB,MAAM,CAAC,OAAO,GAAE,aAAkB,GAAG,MAAM,CAmD1D;AAED,eAAe,MAAM,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,wBAAwB,EACxB,kBAAkB,EAClB,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,cAAc,GACf,MAAM,SAAS,CAAC;AAEjB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,KAAK,YAAY,EAAE,MAAM,UAAU,CAAC"}