@botparty/sdk 0.0.38 → 0.0.40
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +2 -2
- package/dist/index.d.cts +5 -0
- package/dist/index.d.ts +5 -0
- package/dist/index.js +2 -2
- package/package.json +1 -1
package/dist/index.cjs
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
"use strict";var ne=Object.defineProperty;var Qe=Object.getOwnPropertyDescriptor;var Ze=Object.getOwnPropertyNames;var et=Object.prototype.hasOwnProperty;var tt=(t,e)=>{for(var r in e)ne(t,r,{get:e[r],enumerable:!0})},rt=(t,e,r,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let n of Ze(e))!et.call(t,n)&&n!==r&&ne(t,n,{get:()=>e[n],enumerable:!(s=Qe(e,n))||s.enumerable});return t};var st=t=>rt(ne({},"__esModule",{value:!0}),t);var Ft={};tt(Ft,{BotPartyClient:()=>se,BotPartyError:()=>u,InsufficientPermissionError:()=>W,Key:()=>te,KeyManager:()=>re,LinkRequiredError:()=>H,NamespaceLockedError:()=>Z,PaymentRequiredError:()=>ee,botpartyFetch:()=>Bt,toProxyUrl:()=>we});module.exports=st(Ft);var J=new TextEncoder,$=new TextDecoder,jt=2**32;function be(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function M(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function B(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function F(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function xe(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:$.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=$.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return F(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function G(t){let e=t;return typeof e=="string"&&(e=J.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):B(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var E=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),K=(t,e)=>t.name===e;function nt(t){return parseInt(t.name.slice(4),10)}function ie(t,e){if(nt(t.hash)!==e)throw E(`SHA-${e}`,"algorithm.hash")}function it(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function ot(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Pe(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!K(t.algorithm,"HMAC"))throw E("HMAC");ie(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!K(t.algorithm,"RSASSA-PKCS1-v1_5"))throw E("RSASSA-PKCS1-v1_5");ie(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!K(t.algorithm,"RSA-PSS"))throw E("RSA-PSS");ie(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!K(t.algorithm,"Ed25519"))throw E("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!K(t.algorithm,e))throw E(e);break}case"ES256":case"ES384":case"ES512":{if(!K(t.algorithm,"ECDSA"))throw E("ECDSA");let s=it(e);if(t.algorithm.namedCurve!==s)throw E(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ot(t,r)}function Ke(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var j=(t,...e)=>Ke("Key must be ",t,...e),oe=(t,e,...r)=>Ke(`Key for the ${t} algorithm must be `,e,...r);var I=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var d=class extends I{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var S=class extends I{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},Y=class extends I{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var C=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},_=t=>t?.[Symbol.toStringTag]==="KeyObject",ae=t=>C(t)||_(t);var rr=Symbol();function ce(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var at=t=>typeof t=="object"&&t!==null;function pe(t){if(!at(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function Re(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var D=t=>pe(t)&&typeof t.kty=="string",Te=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),ve=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Ie=t=>t.kty==="oct"&&typeof t.k=="string";function pt(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function dt(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new d(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function ut(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(j(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Pe(e,t,r),e}async function Ce(t,e,r){let s=await ut(t,e,"sign");pt(t,s);let n=await crypto.subtle.sign(dt(t,s.algorithm),s,r);return new Uint8Array(n)}var X='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function lt(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new d(X)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new d(X)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(X)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(X)}break}default:throw new d('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function _e(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=lt(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var R="given KeyObject instance cannot be used for this algorithm",T,De=async(t,e,r,s=!1)=>{T||=new WeakMap;let n=T.get(t);if(n?.[r])return n[r];let i=await _e({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:T.set(t,{[r]:i}),i},ft=(t,e)=>{T||=new WeakMap;let r=T.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(R)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(R)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(R);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(R);return r?r[e]=i:T.set(t,{[e]:i}),i};async function Ue(t,e){if(t instanceof Uint8Array||C(t))return t;if(_(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return ft(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return De(t,r,e)}if(D(t))return t.k?xe(t.k):De(t,t,e,!0);throw new Error("unreachable")}var ht=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
1
|
+
"use strict";var ne=Object.defineProperty;var Ze=Object.getOwnPropertyDescriptor;var et=Object.getOwnPropertyNames;var tt=Object.prototype.hasOwnProperty;var rt=(t,e)=>{for(var r in e)ne(t,r,{get:e[r],enumerable:!0})},st=(t,e,r,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let n of et(e))!tt.call(t,n)&&n!==r&&ne(t,n,{get:()=>e[n],enumerable:!(s=Ze(e,n))||s.enumerable});return t};var nt=t=>st(ne({},"__esModule",{value:!0}),t);var Yt={};rt(Yt,{BotPartyClient:()=>se,BotPartyError:()=>l,InsufficientPermissionError:()=>W,Key:()=>te,KeyManager:()=>re,LinkRequiredError:()=>J,NamespaceLockedError:()=>Z,PaymentRequiredError:()=>ee,botpartyFetch:()=>jt,toProxyUrl:()=>we});module.exports=nt(Yt);var H=new TextEncoder,$=new TextDecoder,Vt=2**32;function xe(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function M(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function B(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function F(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function Pe(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:$.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=$.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return F(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function G(t){let e=t;return typeof e=="string"&&(e=H.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):B(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var S=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),K=(t,e)=>t.name===e;function it(t){return parseInt(t.name.slice(4),10)}function ie(t,e){if(it(t.hash)!==e)throw S(`SHA-${e}`,"algorithm.hash")}function ot(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function at(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Ke(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!K(t.algorithm,"HMAC"))throw S("HMAC");ie(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!K(t.algorithm,"RSASSA-PKCS1-v1_5"))throw S("RSASSA-PKCS1-v1_5");ie(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!K(t.algorithm,"RSA-PSS"))throw S("RSA-PSS");ie(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!K(t.algorithm,"Ed25519"))throw S("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!K(t.algorithm,e))throw S(e);break}case"ES256":case"ES384":case"ES512":{if(!K(t.algorithm,"ECDSA"))throw S("ECDSA");let s=ot(e);if(t.algorithm.namedCurve!==s)throw S(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}at(t,r)}function Re(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var j=(t,...e)=>Re("Key must be ",t,...e),oe=(t,e,...r)=>Re(`Key for the ${t} algorithm must be `,e,...r);var I=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var u=class extends I{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var w=class extends I{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},Y=class extends I{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var C=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},_=t=>t?.[Symbol.toStringTag]==="KeyObject",ae=t=>C(t)||_(t);var ir=Symbol();function ce(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var ct=t=>typeof t=="object"&&t!==null;function pe(t){if(!ct(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function Te(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var D=t=>pe(t)&&typeof t.kty=="string",ve=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),Ie=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Ce=t=>t.kty==="oct"&&typeof t.k=="string";function dt(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function ut(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new u(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function lt(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(j(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Ke(e,t,r),e}async function _e(t,e,r){let s=await lt(t,e,"sign");dt(t,s);let n=await crypto.subtle.sign(ut(t,s.algorithm),s,r);return new Uint8Array(n)}var X='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function ft(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new u(X)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new u(X)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(X)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(X)}break}default:throw new u('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function De(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=ft(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var R="given KeyObject instance cannot be used for this algorithm",T,Ue=async(t,e,r,s=!1)=>{T||=new WeakMap;let n=T.get(t);if(n?.[r])return n[r];let i=await De({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:T.set(t,{[r]:i}),i},ht=(t,e)=>{T||=new WeakMap;let r=T.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(R)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(R)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(R);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(R);return r?r[e]=i:T.set(t,{[e]:i}),i};async function ke(t,e){if(t instanceof Uint8Array||C(t))return t;if(_(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return ht(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return Ue(t,r,e)}if(D(t))return t.k?Pe(t.k):Ue(t,t,e,!0);throw new Error("unreachable")}var mt=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
2
2
|
`);return`-----BEGIN ${e}-----
|
|
3
3
|
${r}
|
|
4
|
-
-----END ${e}-----`},Oe=async(t,e,r)=>{if(_(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!C(r))throw new TypeError(j(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return ht(B(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},ke=t=>Oe("public","spki",t),Ne=t=>Oe("private","pkcs8",t),de=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},mt=t=>({data:t,pos:0}),U=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var O=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Le=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},yt=t=>{O(t,6,"Expected algorithm OID");let e=U(t);return Le(t,e)};function gt(t){O(t,48,"Invalid PKCS#8 structure"),U(t),O(t,2,"Expected version field");let e=U(t);t.pos+=e,O(t,48,"Expected algorithm identifier");let r=U(t);return{algIdStart:t.pos,algIdLength:r}}var Et=t=>{let e=yt(t);if(de(e,[43,101,110]))return"X25519";if(!de(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");O(t,6,"Expected curve OID");let r=U(t),s=Le(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(de(s,i))return n;throw new Error("Unsupported named curve")},St=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new d("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new d('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},wt=(t,e)=>F(t.replace(e,"")),We=(t,e,r)=>{let s=wt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=mt(i);return gt(o),Et(o)}),St("pkcs8",s,e,n)};async function V(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return We(t,e,r)}async function ue(t){return ke(t)}async function le(t){return Ne(t)}function He(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new d(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var v=t=>t?.[Symbol.toStringTag],fe=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},At=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(D(e)){if(Ie(e)&&fe(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!ae(e))throw new TypeError(oe(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${v(e)} instances for symmetric algorithms must be of type "secret"`)}},bt=(t,e,r)=>{if(D(e))switch(r){case"decrypt":case"sign":if(Te(e)&&fe(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(ve(e)&&fe(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!ae(e))throw new TypeError(oe(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${v(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${v(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${v(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${v(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${v(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Je(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":At(t,e,r);break;default:bt(t,e,r)}}var A=t=>Math.floor(t.getTime()/1e3),$e=60,Me=$e*60,me=Me*24,xt=me*7,Pt=me*365.25,Kt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function he(t){let e=Kt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*$e);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Me);break;case"day":case"days":case"d":n=Math.round(r*me);break;case"week":case"weeks":case"w":n=Math.round(r*xt);break;default:n=Math.round(r*Pt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function b(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var q=class{#e;constructor(e){if(!pe(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return J.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=b("setNotBefore",e):e instanceof Date?this.#e.nbf=b("setNotBefore",A(e)):this.#e.nbf=A(new Date)+he(e)}set exp(e){typeof e=="number"?this.#e.exp=b("setExpirationTime",e):e instanceof Date?this.#e.exp=b("setExpirationTime",A(e)):this.#e.exp=A(new Date)+he(e)}set iat(e){e===void 0?this.#e.iat=A(new Date):e instanceof Date?this.#e.iat=b("setIssuedAt",A(e)):typeof e=="string"?this.#e.iat=b("setIssuedAt",A(new Date)+he(e)):this.#e.iat=b("setIssuedAt",e)}};var x=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return ce(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return ce(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new S("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Re(this.#t,this.#r))throw new S("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=He(S,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new S('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new S('JWS "alg" (Algorithm) Header Parameter missing or invalid');Je(o,e,"sign");let a,c;i?(a=G(this.#e),c=M(a)):(c=this.#e,a="");let p,f;this.#t?(p=G(JSON.stringify(this.#t)),f=M(p)):(p="",f=new Uint8Array);let y=be(f,M("."),c),w=await Ue(e,o),g=await Ce(o,w,y),h={signature:G(g),payload:a};return this.#r&&(h.header=this.#r),this.#t&&(h.protected=p),h}};var z=class{#e;constructor(e){this.#e=new x(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var k=class{#e;#t;constructor(e={}){this.#t=new q(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new z(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new Y("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function ye(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new d("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function ge(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new d("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new d('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}var l=require("node:fs"),P=require("node:path"),Ye=require("node:os"),Ae=require("node:crypto"),Tt="https://id.botparty.club",vt="EdDSA",It=15,Ct=6e4,_t="5m",Dt=3,Ut=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Ot=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],u=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},Z=class extends u{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},ee=class extends u{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},W=class extends u{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},H=class extends u{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Be(t){let e=(0,Ae.randomBytes)(4);return t[e.readUInt32BE(0)%t.length]}function kt(){return`${Be(Ut)}-${Be(Ot)}`}function Nt(){let t=kt(),e=(0,Ae.randomBytes)(2).toString("hex");return`${t}-${e}`}function Lt(){return(0,P.join)((0,Ye.homedir)(),".botparty")}function Xe(t){(0,l.existsSync)(t)||(0,l.mkdirSync)(t,{recursive:!0,mode:448})}function Wt(t){let e=(0,P.join)(t,"identity.json");if(!(0,l.existsSync)(e))return null;try{return JSON.parse((0,l.readFileSync)(e,"utf-8"))}catch{return null}}function Ve(t,e){Xe(t);let r=(0,P.join)(t,"identity.json");(0,l.writeFileSync)(r,JSON.stringify(e,null,2),{mode:384})}function Ht(t){let e=(0,P.join)(t,"private.pem");if(!(0,l.existsSync)(e))return null;try{return(0,l.readFileSync)(e,"utf-8")}catch{return null}}function qe(t,e){Xe(t);let r=(0,P.join)(t,"private.pem");(0,l.writeFileSync)(r,e,{mode:384})}function Fe(t){for(let e of["identity.json","private.pem"]){let r=(0,P.join)(t,e);(0,l.existsSync)(r)&&(0,l.unlinkSync)(r)}}async function ze(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await ge(t,e),n=await le(r),i=await ue(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Jt(t,e,r){let s=await V(e,r);return(await new x(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function Se(t,e,r,s,n){let i=s,o=await V(r,i);return new k({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(_t).sign(o)}async function m(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function we(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function Q(t){try{return await t.clone().json()}catch{return null}}function L(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var te=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},re=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await m(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new u({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await m(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new u({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await ze(r.algorithm),o=await Se(r.namespace,r.keyId,s,r.algorithm),a=await m(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return qe(this.client.stateDir,i.privatePem),Ve(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},se=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;constructor(e={}){this.serverUrl=(e.serverUrl||N("BOTPARTY_SERVER_URL")||Tt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||N("BOTPARTY_PROXY_URL")||N("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||N("BOTPARTY_STATE_DIR")||Lt(),this.algorithm=e.algorithm||vt,this.rotationTTL=e.rotationTTL||It,this.inviteToken=e.inviteToken||N("BOTPARTY_INVITE_TOKEN"),this.keys=new re(this)}getIdentity(){return Wt(this.stateDir)}getPrivateKey(){return Ht(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Dt;){n||(n=Nt());let a=r||n,c=await ze(this.algorithm),p=await m(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),f=await p.json();if(f.status==="already_registered")throw new u({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new u({code:f.error||"REGISTRATION_FAILED",message:f.message||f.error||"Registration failed",statusCode:p.status});let y=f.challenge,w=await Jt(y,c.privatePem,this.algorithm),g=await m(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:y,signature:w})});if(!g.ok)throw await this._apiError(g);let h=await g.json();return qe(this.stateDir,c.privatePem),Ve(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:h.keyId,algorithm:this.algorithm,rotatedAt:h.rotatedAt,rotationTTL:h.rotationTTL,label:a,...h.parentNamespace&&{parentNamespace:h.parentNamespace},...h.inheritedScopes&&{inheritedScopes:h.inheritedScopes}}),h}throw new u({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;Date.now()>=s-Ct&&await this.keys.rotateCurrent()}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return Se(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=we(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await Q(o);if(a){let{code:c}=L(a);if(c==="KEY_STALE"){await this.keys.rotateCurrent();let p=await this.generateToken(),f=new Headers(r.headers);f.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:f})}}}if(o.status===403){let a=await Q(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let y=a.proxyUrl.replace(/\/$/,""),w=we(e,y),g=new Headers(r.headers);return g.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(w,{...r,headers:g})}let p=a.approval_url||a.authorizationUrl;if(p){let y=c==="scope_refused",w=a.missing_scopes||a.missingScopes;throw y||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new W({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:w}):new H({message:a.message||"Missing required credentials",actionUrl:p})}let{code:f}=L(a);Ge(f)&&je(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await Q(o);if(a){let{code:c}=L(a);(Ge(c)||o.status===402||o.status===423)&&je(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await m(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await m(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);Fe(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await Se(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new te(this,e)}reset(){Fe(this.stateDir)}async _apiError(e){let r=await Q(e);if(!r)return new u({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=L(r);return new u({code:s,message:n,statusCode:e.status,actionUrl:i})}},$t=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ge(t){return $t.has(t.toUpperCase())}function je(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=L(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new Z({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new ee({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new H({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new W({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new u({code:n,message:i,statusCode:t,actionUrl:o})}var Ee=null;function Mt(t){return Ee||(Ee=new se(t)),Ee}async function Bt(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Mt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function N(t){if(typeof process<"u"&&process.env)return process.env[t]}0&&(module.exports={BotPartyClient,BotPartyError,InsufficientPermissionError,Key,KeyManager,LinkRequiredError,NamespaceLockedError,PaymentRequiredError,botpartyFetch,toProxyUrl});
|
|
4
|
+
-----END ${e}-----`},Oe=async(t,e,r)=>{if(_(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!C(r))throw new TypeError(j(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return mt(B(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},Ne=t=>Oe("public","spki",t),Le=t=>Oe("private","pkcs8",t),de=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},yt=t=>({data:t,pos:0}),U=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var k=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},We=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},gt=t=>{k(t,6,"Expected algorithm OID");let e=U(t);return We(t,e)};function Et(t){k(t,48,"Invalid PKCS#8 structure"),U(t),k(t,2,"Expected version field");let e=U(t);t.pos+=e,k(t,48,"Expected algorithm identifier");let r=U(t);return{algIdStart:t.pos,algIdLength:r}}var St=t=>{let e=gt(t);if(de(e,[43,101,110]))return"X25519";if(!de(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");k(t,6,"Expected curve OID");let r=U(t),s=We(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(de(s,i))return n;throw new Error("Unsupported named curve")},wt=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new u("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new u('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},At=(t,e)=>F(t.replace(e,"")),Je=(t,e,r)=>{let s=At(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=yt(i);return Et(o),St(o)}),wt("pkcs8",s,e,n)};async function V(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Je(t,e,r)}async function ue(t){return Ne(t)}async function le(t){return Le(t)}function He(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new u(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var v=t=>t?.[Symbol.toStringTag],fe=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},bt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(D(e)){if(Ce(e)&&fe(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!ae(e))throw new TypeError(oe(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${v(e)} instances for symmetric algorithms must be of type "secret"`)}},xt=(t,e,r)=>{if(D(e))switch(r){case"decrypt":case"sign":if(ve(e)&&fe(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(Ie(e)&&fe(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!ae(e))throw new TypeError(oe(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${v(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${v(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${v(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${v(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${v(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function $e(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":bt(t,e,r);break;default:xt(t,e,r)}}var b=t=>Math.floor(t.getTime()/1e3),Me=60,Be=Me*60,me=Be*24,Pt=me*7,Kt=me*365.25,Rt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function he(t){let e=Rt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*Me);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Be);break;case"day":case"days":case"d":n=Math.round(r*me);break;case"week":case"weeks":case"w":n=Math.round(r*Pt);break;default:n=Math.round(r*Kt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function x(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var q=class{#e;constructor(e){if(!pe(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return H.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=x("setNotBefore",e):e instanceof Date?this.#e.nbf=x("setNotBefore",b(e)):this.#e.nbf=b(new Date)+he(e)}set exp(e){typeof e=="number"?this.#e.exp=x("setExpirationTime",e):e instanceof Date?this.#e.exp=x("setExpirationTime",b(e)):this.#e.exp=b(new Date)+he(e)}set iat(e){e===void 0?this.#e.iat=b(new Date):e instanceof Date?this.#e.iat=x("setIssuedAt",b(e)):typeof e=="string"?this.#e.iat=x("setIssuedAt",b(new Date)+he(e)):this.#e.iat=x("setIssuedAt",e)}};var P=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return ce(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return ce(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new w("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Te(this.#t,this.#r))throw new w("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=He(w,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new w('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new w('JWS "alg" (Algorithm) Header Parameter missing or invalid');$e(o,e,"sign");let a,c;i?(a=G(this.#e),c=M(a)):(c=this.#e,a="");let p,f;this.#t?(p=G(JSON.stringify(this.#t)),f=M(p)):(p="",f=new Uint8Array);let g=xe(f,M("."),c),A=await ke(e,o),E=await _e(o,A,g),h={signature:G(E),payload:a};return this.#r&&(h.header=this.#r),this.#t&&(h.protected=p),h}};var z=class{#e;constructor(e){this.#e=new P(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var O=class{#e;#t;constructor(e={}){this.#t=new q(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new z(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new Y("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function ye(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new u("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function ge(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new u("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new u('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}var d=require("node:fs"),y=require("node:path"),Ve=require("node:os"),Ae=require("node:crypto"),vt="https://id.botparty.club",It="EdDSA",Ct=15,Fe=6e4,_t=3e4,Dt="5m",Ut=3,kt=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Ot=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],l=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},Z=class extends l{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},ee=class extends l{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},W=class extends l{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},J=class extends l{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Ge(t){let e=(0,Ae.randomBytes)(4);return t[e.readUInt32BE(0)%t.length]}function Nt(){return`${Ge(kt)}-${Ge(Ot)}`}function Lt(){let t=Nt(),e=(0,Ae.randomBytes)(2).toString("hex");return`${t}-${e}`}function Wt(){return(0,y.join)((0,Ve.homedir)(),".botparty")}function be(t){(0,d.existsSync)(t)||(0,d.mkdirSync)(t,{recursive:!0,mode:448})}function Jt(t){let e=(0,y.join)(t,"identity.json");if(!(0,d.existsSync)(e))return null;try{return JSON.parse((0,d.readFileSync)(e,"utf-8"))}catch{return null}}function qe(t,e){be(t);let r=(0,y.join)(t,"identity.json"),s=r+".tmp";(0,d.writeFileSync)(s,JSON.stringify(e,null,2),{mode:384}),(0,d.renameSync)(s,r)}function Ht(t){let e=(0,y.join)(t,"private.pem");if(!(0,d.existsSync)(e))return null;try{return(0,d.readFileSync)(e,"utf-8")}catch{return null}}function ze(t,e){be(t);let r=(0,y.join)(t,"private.pem"),s=r+".tmp";(0,d.writeFileSync)(s,e,{mode:384}),(0,d.renameSync)(s,r)}function je(t){for(let e of["identity.json","private.pem"]){let r=(0,y.join)(t,e);(0,d.existsSync)(r)&&(0,d.unlinkSync)(r)}}function $t(t){let e=(0,y.join)(t,"rotation.lock");be(t);for(let r=0;r<2;r++)try{(0,d.writeFileSync)(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=(0,d.statSync)(e);if(Date.now()-n.mtimeMs>_t){(0,d.unlinkSync)(e);continue}}catch{continue}throw s}}function Mt(t){try{(0,d.unlinkSync)((0,y.join)(t,"rotation.lock"))}catch{}}async function Qe(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await ge(t,e),n=await le(r),i=await ue(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Bt(t,e,r){let s=await V(e,r);return(await new P(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function Se(t,e,r,s,n){let i=s,o=await V(r,i);return new O({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(Dt).sign(o)}async function m(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function we(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function Q(t){try{return await t.clone().json()}catch{return null}}function L(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var te=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},re=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await m(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new l({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await m(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new l({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await Qe(r.algorithm),o=await Se(r.namespace,r.keyId,s,r.algorithm),a=await m(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return ze(this.client.stateDir,i.privatePem),qe(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},se=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||N("BOTPARTY_SERVER_URL")||vt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||N("BOTPARTY_PROXY_URL")||N("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||N("BOTPARTY_STATE_DIR")||Wt(),this.algorithm=e.algorithm||It,this.rotationTTL=e.rotationTTL||Ct,this.inviteToken=e.inviteToken||N("BOTPARTY_INVITE_TOKEN"),this.keys=new re(this)}getIdentity(){return Jt(this.stateDir)}getPrivateKey(){return Ht(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Ut;){n||(n=Lt());let a=r||n,c=await Qe(this.algorithm),p=await m(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),f=await p.json();if(f.status==="already_registered")throw new l({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new l({code:f.error||"REGISTRATION_FAILED",message:f.message||f.error||"Registration failed",statusCode:p.status});let g=f.challenge,A=await Bt(g,c.privatePem,this.algorithm),E=await m(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:g,signature:A})});if(!E.ok)throw await this._apiError(E);let h=await E.json();return ze(this.stateDir,c.privatePem),qe(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:h.keyId,algorithm:this.algorithm,rotatedAt:h.rotatedAt,rotationTTL:h.rotationTTL,label:a,...h.parentNamespace&&{parentNamespace:h.parentNamespace},...h.inheritedScopes&&{inheritedScopes:h.inheritedScopes}}),h}throw new l({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Fe)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){$t(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Fe)return;await this.keys.rotateCurrent()}finally{Mt(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return Se(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=we(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await Q(o);if(a){let{code:c}=L(a);if(c==="KEY_STALE"){await this._lockedRotate();let p=await this.generateToken(),f=new Headers(r.headers);f.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:f})}}}if(o.status===403){let a=await Q(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let g=a.proxyUrl.replace(/\/$/,""),A=we(e,g),E=new Headers(r.headers);return E.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(A,{...r,headers:E})}let p=a.approval_url||a.authorizationUrl;if(p){let g=c==="scope_refused",A=a.missing_scopes||a.missingScopes;throw g||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new W({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:A}):new J({message:a.message||"Missing required credentials",actionUrl:p})}let{code:f}=L(a);Ye(f)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await Q(o);if(a){let{code:c}=L(a);(Ye(c)||o.status===402||o.status===423)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await m(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await m(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);je(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await Se(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new te(this,e)}reset(){je(this.stateDir)}async _apiError(e){let r=await Q(e);if(!r)return new l({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=L(r);return new l({code:s,message:n,statusCode:e.status,actionUrl:i})}},Ft=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ye(t){return Ft.has(t.toUpperCase())}function Xe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=L(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new Z({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new ee({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new J({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new W({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new l({code:n,message:i,statusCode:t,actionUrl:o})}var Ee=null;function Gt(t){return Ee||(Ee=new se(t)),Ee}async function jt(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Gt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function N(t){if(typeof process<"u"&&process.env)return process.env[t]}0&&(module.exports={BotPartyClient,BotPartyError,InsufficientPermissionError,Key,KeyManager,LinkRequiredError,NamespaceLockedError,PaymentRequiredError,botpartyFetch,toProxyUrl});
|
package/dist/index.d.cts
CHANGED
|
@@ -170,6 +170,7 @@ export declare class BotPartyClient {
|
|
|
170
170
|
private algorithm;
|
|
171
171
|
private rotationTTL;
|
|
172
172
|
private inviteToken?;
|
|
173
|
+
private _rotationPromise;
|
|
173
174
|
constructor(options?: BotPartyOptions);
|
|
174
175
|
getIdentity(): Identity | null;
|
|
175
176
|
getPrivateKey(): string | null;
|
|
@@ -189,8 +190,12 @@ export declare class BotPartyClient {
|
|
|
189
190
|
ensureRegistered(): Promise<Identity>;
|
|
190
191
|
/**
|
|
191
192
|
* Rotate the key if it's about to go stale.
|
|
193
|
+
* Uses an in-memory promise to deduplicate concurrent callers within the same
|
|
194
|
+
* process, and a file lock in stateDir to serialize across processes.
|
|
192
195
|
*/
|
|
193
196
|
ensureFreshKey(): Promise<void>;
|
|
197
|
+
/** @internal — acquire file lock, re-check staleness, rotate, release. */
|
|
198
|
+
private _lockedRotate;
|
|
194
199
|
/**
|
|
195
200
|
* Generate a JWT token. Ensures registration and fresh key first.
|
|
196
201
|
*
|
package/dist/index.d.ts
CHANGED
|
@@ -170,6 +170,7 @@ export declare class BotPartyClient {
|
|
|
170
170
|
private algorithm;
|
|
171
171
|
private rotationTTL;
|
|
172
172
|
private inviteToken?;
|
|
173
|
+
private _rotationPromise;
|
|
173
174
|
constructor(options?: BotPartyOptions);
|
|
174
175
|
getIdentity(): Identity | null;
|
|
175
176
|
getPrivateKey(): string | null;
|
|
@@ -189,8 +190,12 @@ export declare class BotPartyClient {
|
|
|
189
190
|
ensureRegistered(): Promise<Identity>;
|
|
190
191
|
/**
|
|
191
192
|
* Rotate the key if it's about to go stale.
|
|
193
|
+
* Uses an in-memory promise to deduplicate concurrent callers within the same
|
|
194
|
+
* process, and a file lock in stateDir to serialize across processes.
|
|
192
195
|
*/
|
|
193
196
|
ensureFreshKey(): Promise<void>;
|
|
197
|
+
/** @internal — acquire file lock, re-check staleness, rotate, release. */
|
|
198
|
+
private _lockedRotate;
|
|
194
199
|
/**
|
|
195
200
|
* Generate a JWT token. Ensures registration and fresh key first.
|
|
196
201
|
*
|
package/dist/index.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
var L=new TextEncoder,W=new TextDecoder,
|
|
1
|
+
var L=new TextEncoder,W=new TextDecoder,Gt=2**32;function be(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function J(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function H(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function $(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function xe(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:W.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=W.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return $(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function M(t){let e=t;return typeof e=="string"&&(e=L.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):H(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var g=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),P=(t,e)=>t.name===e;function tt(t){return parseInt(t.name.slice(4),10)}function Z(t,e){if(tt(t.hash)!==e)throw g(`SHA-${e}`,"algorithm.hash")}function rt(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function st(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Pe(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!P(t.algorithm,"HMAC"))throw g("HMAC");Z(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!P(t.algorithm,"RSASSA-PKCS1-v1_5"))throw g("RSASSA-PKCS1-v1_5");Z(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!P(t.algorithm,"RSA-PSS"))throw g("RSA-PSS");Z(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!P(t.algorithm,"Ed25519"))throw g("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!P(t.algorithm,e))throw g(e);break}case"ES256":case"ES384":case"ES512":{if(!P(t.algorithm,"ECDSA"))throw g("ECDSA");let s=rt(e);if(t.algorithm.namedCurve!==s)throw g(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}st(t,r)}function Ke(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var B=(t,...e)=>Ke("Key must be ",t,...e),ee=(t,e,...r)=>Ke(`Key for the ${t} algorithm must be `,e,...r);var v=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var d=class extends v{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var E=class extends v{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},F=class extends v{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var I=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},C=t=>t?.[Symbol.toStringTag]==="KeyObject",te=t=>I(t)||C(t);var tr=Symbol();function re(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var nt=t=>typeof t=="object"&&t!==null;function se(t){if(!nt(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function Re(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var _=t=>se(t)&&typeof t.kty=="string",Te=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),ve=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Ie=t=>t.kty==="oct"&&typeof t.k=="string";function ot(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function at(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new d(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function ct(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(B(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Pe(e,t,r),e}async function Ce(t,e,r){let s=await ct(t,e,"sign");ot(t,s);let n=await crypto.subtle.sign(at(t,s.algorithm),s,r);return new Uint8Array(n)}var G='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function pt(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new d(G)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new d(G)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(G)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(G)}break}default:throw new d('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function _e(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=pt(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var K="given KeyObject instance cannot be used for this algorithm",R,De=async(t,e,r,s=!1)=>{R||=new WeakMap;let n=R.get(t);if(n?.[r])return n[r];let i=await _e({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:R.set(t,{[r]:i}),i},dt=(t,e)=>{R||=new WeakMap;let r=R.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(K)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(K);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(K);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(K)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(K);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(K);return r?r[e]=i:R.set(t,{[e]:i}),i};async function Ue(t,e){if(t instanceof Uint8Array||I(t))return t;if(C(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return dt(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return De(t,r,e)}if(_(t))return t.k?xe(t.k):De(t,t,e,!0);throw new Error("unreachable")}var ut=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
2
2
|
`);return`-----BEGIN ${e}-----
|
|
3
3
|
${r}
|
|
4
|
-
-----END ${e}-----`},_e=async(t,e,r)=>{if(C(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!I(r))throw new TypeError(B(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return ct(J(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},De=t=>_e("public","spki",t),Ue=t=>_e("private","pkcs8",t),ne=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},pt=t=>({data:t,pos:0}),D=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var U=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Oe=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},dt=t=>{U(t,6,"Expected algorithm OID");let e=D(t);return Oe(t,e)};function ut(t){U(t,48,"Invalid PKCS#8 structure"),D(t),U(t,2,"Expected version field");let e=D(t);t.pos+=e,U(t,48,"Expected algorithm identifier");let r=D(t);return{algIdStart:t.pos,algIdLength:r}}var lt=t=>{let e=dt(t);if(ne(e,[43,101,110]))return"X25519";if(!ne(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");U(t,6,"Expected curve OID");let r=D(t),s=Oe(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ne(s,i))return n;throw new Error("Unsupported named curve")},ft=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new d("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new d('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},ht=(t,e)=>$(t.replace(e,"")),ke=(t,e,r)=>{let s=ht(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=pt(i);return ut(o),lt(o)}),ft("pkcs8",s,e,n)};async function j(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return ke(t,e,r)}async function ie(t){return De(t)}async function oe(t){return Ue(t)}function Ne(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new d(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var R=t=>t?.[Symbol.toStringTag],ae=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},mt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(_(e)){if(Re(e)&&ae(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!te(e))throw new TypeError(ee(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${R(e)} instances for symmetric algorithms must be of type "secret"`)}},yt=(t,e,r)=>{if(_(e))switch(r){case"decrypt":case"sign":if(Pe(e)&&ae(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(Ke(e)&&ae(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!te(e))throw new TypeError(ee(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${R(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${R(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${R(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${R(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${R(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Le(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":mt(t,e,r);break;default:yt(t,e,r)}}var w=t=>Math.floor(t.getTime()/1e3),We=60,He=We*60,pe=He*24,gt=pe*7,Et=pe*365.25,St=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function ce(t){let e=St.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*We);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*He);break;case"day":case"days":case"d":n=Math.round(r*pe);break;case"week":case"weeks":case"w":n=Math.round(r*gt);break;default:n=Math.round(r*Et);break}return e[1]==="-"||e[4]==="ago"?-n:n}function A(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var Y=class{#e;constructor(e){if(!se(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return L.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=A("setNotBefore",e):e instanceof Date?this.#e.nbf=A("setNotBefore",w(e)):this.#e.nbf=w(new Date)+ce(e)}set exp(e){typeof e=="number"?this.#e.exp=A("setExpirationTime",e):e instanceof Date?this.#e.exp=A("setExpirationTime",w(e)):this.#e.exp=w(new Date)+ce(e)}set iat(e){e===void 0?this.#e.iat=w(new Date):e instanceof Date?this.#e.iat=A("setIssuedAt",w(e)):typeof e=="string"?this.#e.iat=A("setIssuedAt",w(new Date)+ce(e)):this.#e.iat=A("setIssuedAt",e)}};var b=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return re(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return re(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new E("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!xe(this.#t,this.#r))throw new E("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=Ne(E,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new E('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new E('JWS "alg" (Algorithm) Header Parameter missing or invalid');Le(o,e,"sign");let a,c;i?(a=M(this.#e),c=H(a)):(c=this.#e,a="");let p,u;this.#t?(p=M(JSON.stringify(this.#t)),u=H(p)):(p="",u=new Uint8Array);let m=Se(u,H("."),c),S=await Ce(e,o),y=await Te(o,S,m),f={signature:M(y),payload:a};return this.#r&&(f.header=this.#r),this.#t&&(f.protected=p),f}};var X=class{#e;constructor(e){this.#e=new b(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var O=class{#e;#t;constructor(e={}){this.#t=new Y(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new X(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new F("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function de(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new d("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function ue(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new d("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new d('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}import{readFileSync as Ge,writeFileSync as je,mkdirSync as At,existsSync as Q,unlinkSync as bt}from"node:fs";import{join as T}from"node:path";import{homedir as xt}from"node:os";import{randomBytes as Ye}from"node:crypto";var Pt="https://id.botparty.club",Kt="EdDSA",Rt=15,Tt=6e4,vt="5m",It=3,Ct=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],_t=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],l=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},fe=class extends l{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},he=class extends l{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},q=class extends l{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},z=class extends l{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Je(t){let e=Ye(4);return t[e.readUInt32BE(0)%t.length]}function Dt(){return`${Je(Ct)}-${Je(_t)}`}function Ut(){let t=Dt(),e=Ye(2).toString("hex");return`${t}-${e}`}function Ot(){return T(xt(),".botparty")}function Xe(t){Q(t)||At(t,{recursive:!0,mode:448})}function kt(t){let e=T(t,"identity.json");if(!Q(e))return null;try{return JSON.parse(Ge(e,"utf-8"))}catch{return null}}function Ve(t,e){Xe(t);let r=T(t,"identity.json");je(r,JSON.stringify(e,null,2),{mode:384})}function Nt(t){let e=T(t,"private.pem");if(!Q(e))return null;try{return Ge(e,"utf-8")}catch{return null}}function qe(t,e){Xe(t);let r=T(t,"private.pem");je(r,e,{mode:384})}function $e(t){for(let e of["identity.json","private.pem"]){let r=T(t,e);Q(r)&&bt(r)}}async function ze(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await ue(t,e),n=await oe(r),i=await ie(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Lt(t,e,r){let s=await j(e,r);return(await new b(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function me(t,e,r,s,n){let i=s,o=await j(r,i);return new O({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(vt).sign(o)}async function h(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function Me(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function V(t){try{return await t.clone().json()}catch{return null}}function N(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var ye=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},ge=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new l({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new l({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await ze(r.algorithm),o=await me(r.namespace,r.keyId,s,r.algorithm),a=await h(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return qe(this.client.stateDir,i.privatePem),Ve(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},Ee=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;constructor(e={}){this.serverUrl=(e.serverUrl||k("BOTPARTY_SERVER_URL")||Pt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||k("BOTPARTY_PROXY_URL")||k("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||k("BOTPARTY_STATE_DIR")||Ot(),this.algorithm=e.algorithm||Kt,this.rotationTTL=e.rotationTTL||Rt,this.inviteToken=e.inviteToken||k("BOTPARTY_INVITE_TOKEN"),this.keys=new ge(this)}getIdentity(){return kt(this.stateDir)}getPrivateKey(){return Nt(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<It;){n||(n=Ut());let a=r||n,c=await ze(this.algorithm),p=await h(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),u=await p.json();if(u.status==="already_registered")throw new l({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new l({code:u.error||"REGISTRATION_FAILED",message:u.message||u.error||"Registration failed",statusCode:p.status});let m=u.challenge,S=await Lt(m,c.privatePem,this.algorithm),y=await h(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:m,signature:S})});if(!y.ok)throw await this._apiError(y);let f=await y.json();return qe(this.stateDir,c.privatePem),Ve(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:f.keyId,algorithm:this.algorithm,rotatedAt:f.rotatedAt,rotationTTL:f.rotationTTL,label:a,...f.parentNamespace&&{parentNamespace:f.parentNamespace},...f.inheritedScopes&&{inheritedScopes:f.inheritedScopes}}),f}throw new l({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;Date.now()>=s-Tt&&await this.keys.rotateCurrent()}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return me(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=Me(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await V(o);if(a){let{code:c}=N(a);if(c==="KEY_STALE"){await this.keys.rotateCurrent();let p=await this.generateToken(),u=new Headers(r.headers);u.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:u})}}}if(o.status===403){let a=await V(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let m=a.proxyUrl.replace(/\/$/,""),S=Me(e,m),y=new Headers(r.headers);return y.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(S,{...r,headers:y})}let p=a.approval_url||a.authorizationUrl;if(p){let m=c==="scope_refused",S=a.missing_scopes||a.missingScopes;throw m||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new q({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:S}):new z({message:a.message||"Missing required credentials",actionUrl:p})}let{code:u}=N(a);Be(u)&&Fe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await V(o);if(a){let{code:c}=N(a);(Be(c)||o.status===402||o.status===423)&&Fe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await h(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await h(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);$e(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await me(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new ye(this,e)}reset(){$e(this.stateDir)}async _apiError(e){let r=await V(e);if(!r)return new l({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=N(r);return new l({code:s,message:n,statusCode:e.status,actionUrl:i})}},Wt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Be(t){return Wt.has(t.toUpperCase())}function Fe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=N(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new fe({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new he({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new z({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new q({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new l({code:n,message:i,statusCode:t,actionUrl:o})}var le=null;function Ht(t){return le||(le=new Ee(t)),le}async function as(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Ht({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function k(t){if(typeof process<"u"&&process.env)return process.env[t]}export{Ee as BotPartyClient,l as BotPartyError,q as InsufficientPermissionError,ye as Key,ge as KeyManager,z as LinkRequiredError,fe as NamespaceLockedError,he as PaymentRequiredError,as as botpartyFetch,Me as toProxyUrl};
|
|
4
|
+
-----END ${e}-----`},ke=async(t,e,r)=>{if(C(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!I(r))throw new TypeError(B(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return ut(H(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},Oe=t=>ke("public","spki",t),Ne=t=>ke("private","pkcs8",t),ne=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},lt=t=>({data:t,pos:0}),D=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var U=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Le=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},ft=t=>{U(t,6,"Expected algorithm OID");let e=D(t);return Le(t,e)};function ht(t){U(t,48,"Invalid PKCS#8 structure"),D(t),U(t,2,"Expected version field");let e=D(t);t.pos+=e,U(t,48,"Expected algorithm identifier");let r=D(t);return{algIdStart:t.pos,algIdLength:r}}var mt=t=>{let e=ft(t);if(ne(e,[43,101,110]))return"X25519";if(!ne(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");U(t,6,"Expected curve OID");let r=D(t),s=Le(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ne(s,i))return n;throw new Error("Unsupported named curve")},yt=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new d("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new d('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},gt=(t,e)=>$(t.replace(e,"")),We=(t,e,r)=>{let s=gt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=lt(i);return ht(o),mt(o)}),yt("pkcs8",s,e,n)};async function j(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return We(t,e,r)}async function ie(t){return Oe(t)}async function oe(t){return Ne(t)}function Je(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new d(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var T=t=>t?.[Symbol.toStringTag],ae=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},Et=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(_(e)){if(Ie(e)&&ae(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!te(e))throw new TypeError(ee(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${T(e)} instances for symmetric algorithms must be of type "secret"`)}},St=(t,e,r)=>{if(_(e))switch(r){case"decrypt":case"sign":if(Te(e)&&ae(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(ve(e)&&ae(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!te(e))throw new TypeError(ee(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${T(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${T(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${T(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${T(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${T(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function He(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":Et(t,e,r);break;default:St(t,e,r)}}var A=t=>Math.floor(t.getTime()/1e3),$e=60,Me=$e*60,pe=Me*24,wt=pe*7,At=pe*365.25,bt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function ce(t){let e=bt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*$e);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Me);break;case"day":case"days":case"d":n=Math.round(r*pe);break;case"week":case"weeks":case"w":n=Math.round(r*wt);break;default:n=Math.round(r*At);break}return e[1]==="-"||e[4]==="ago"?-n:n}function b(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var Y=class{#e;constructor(e){if(!se(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return L.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=b("setNotBefore",e):e instanceof Date?this.#e.nbf=b("setNotBefore",A(e)):this.#e.nbf=A(new Date)+ce(e)}set exp(e){typeof e=="number"?this.#e.exp=b("setExpirationTime",e):e instanceof Date?this.#e.exp=b("setExpirationTime",A(e)):this.#e.exp=A(new Date)+ce(e)}set iat(e){e===void 0?this.#e.iat=A(new Date):e instanceof Date?this.#e.iat=b("setIssuedAt",A(e)):typeof e=="string"?this.#e.iat=b("setIssuedAt",A(new Date)+ce(e)):this.#e.iat=b("setIssuedAt",e)}};var x=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return re(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return re(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new E("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Re(this.#t,this.#r))throw new E("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=Je(E,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new E('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new E('JWS "alg" (Algorithm) Header Parameter missing or invalid');He(o,e,"sign");let a,c;i?(a=M(this.#e),c=J(a)):(c=this.#e,a="");let p,u;this.#t?(p=M(JSON.stringify(this.#t)),u=J(p)):(p="",u=new Uint8Array);let m=be(u,J("."),c),w=await Ue(e,o),y=await Ce(o,w,m),f={signature:M(y),payload:a};return this.#r&&(f.header=this.#r),this.#t&&(f.protected=p),f}};var X=class{#e;constructor(e){this.#e=new x(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var k=class{#e;#t;constructor(e={}){this.#t=new Y(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new X(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new F("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function de(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new d("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function ue(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new d("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new d('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}import{readFileSync as Ve,writeFileSync as Se,mkdirSync as Pt,existsSync as Q,unlinkSync as we,statSync as Kt,renameSync as qe}from"node:fs";import{join as S}from"node:path";import{homedir as Rt}from"node:os";import{randomBytes as ze}from"node:crypto";var Tt="https://id.botparty.club",vt="EdDSA",It=15,Be=6e4,Ct=3e4,_t="5m",Dt=3,Ut=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],kt=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],l=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},fe=class extends l{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},he=class extends l{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},q=class extends l{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},z=class extends l{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Fe(t){let e=ze(4);return t[e.readUInt32BE(0)%t.length]}function Ot(){return`${Fe(Ut)}-${Fe(kt)}`}function Nt(){let t=Ot(),e=ze(2).toString("hex");return`${t}-${e}`}function Lt(){return S(Rt(),".botparty")}function Ae(t){Q(t)||Pt(t,{recursive:!0,mode:448})}function Wt(t){let e=S(t,"identity.json");if(!Q(e))return null;try{return JSON.parse(Ve(e,"utf-8"))}catch{return null}}function Qe(t,e){Ae(t);let r=S(t,"identity.json"),s=r+".tmp";Se(s,JSON.stringify(e,null,2),{mode:384}),qe(s,r)}function Jt(t){let e=S(t,"private.pem");if(!Q(e))return null;try{return Ve(e,"utf-8")}catch{return null}}function Ze(t,e){Ae(t);let r=S(t,"private.pem"),s=r+".tmp";Se(s,e,{mode:384}),qe(s,r)}function Ge(t){for(let e of["identity.json","private.pem"]){let r=S(t,e);Q(r)&&we(r)}}function Ht(t){let e=S(t,"rotation.lock");Ae(t);for(let r=0;r<2;r++)try{Se(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=Kt(e);if(Date.now()-n.mtimeMs>Ct){we(e);continue}}catch{continue}throw s}}function $t(t){try{we(S(t,"rotation.lock"))}catch{}}async function et(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await ue(t,e),n=await oe(r),i=await ie(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Mt(t,e,r){let s=await j(e,r);return(await new x(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function me(t,e,r,s,n){let i=s,o=await j(r,i);return new k({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(_t).sign(o)}async function h(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function je(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function V(t){try{return await t.clone().json()}catch{return null}}function N(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var ye=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},ge=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new l({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new l({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await et(r.algorithm),o=await me(r.namespace,r.keyId,s,r.algorithm),a=await h(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return Ze(this.client.stateDir,i.privatePem),Qe(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},Ee=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||O("BOTPARTY_SERVER_URL")||Tt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||O("BOTPARTY_PROXY_URL")||O("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||O("BOTPARTY_STATE_DIR")||Lt(),this.algorithm=e.algorithm||vt,this.rotationTTL=e.rotationTTL||It,this.inviteToken=e.inviteToken||O("BOTPARTY_INVITE_TOKEN"),this.keys=new ge(this)}getIdentity(){return Wt(this.stateDir)}getPrivateKey(){return Jt(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Dt;){n||(n=Nt());let a=r||n,c=await et(this.algorithm),p=await h(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),u=await p.json();if(u.status==="already_registered")throw new l({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new l({code:u.error||"REGISTRATION_FAILED",message:u.message||u.error||"Registration failed",statusCode:p.status});let m=u.challenge,w=await Mt(m,c.privatePem,this.algorithm),y=await h(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:m,signature:w})});if(!y.ok)throw await this._apiError(y);let f=await y.json();return Ze(this.stateDir,c.privatePem),Qe(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:f.keyId,algorithm:this.algorithm,rotatedAt:f.rotatedAt,rotationTTL:f.rotationTTL,label:a,...f.parentNamespace&&{parentNamespace:f.parentNamespace},...f.inheritedScopes&&{inheritedScopes:f.inheritedScopes}}),f}throw new l({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Be)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){Ht(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Be)return;await this.keys.rotateCurrent()}finally{$t(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return me(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=je(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await V(o);if(a){let{code:c}=N(a);if(c==="KEY_STALE"){await this._lockedRotate();let p=await this.generateToken(),u=new Headers(r.headers);u.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:u})}}}if(o.status===403){let a=await V(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let m=a.proxyUrl.replace(/\/$/,""),w=je(e,m),y=new Headers(r.headers);return y.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(w,{...r,headers:y})}let p=a.approval_url||a.authorizationUrl;if(p){let m=c==="scope_refused",w=a.missing_scopes||a.missingScopes;throw m||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new q({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:w}):new z({message:a.message||"Missing required credentials",actionUrl:p})}let{code:u}=N(a);Ye(u)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await V(o);if(a){let{code:c}=N(a);(Ye(c)||o.status===402||o.status===423)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await h(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await h(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);Ge(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await me(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new ye(this,e)}reset(){Ge(this.stateDir)}async _apiError(e){let r=await V(e);if(!r)return new l({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=N(r);return new l({code:s,message:n,statusCode:e.status,actionUrl:i})}},Bt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ye(t){return Bt.has(t.toUpperCase())}function Xe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=N(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new fe({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new he({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new z({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new q({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new l({code:n,message:i,statusCode:t,actionUrl:o})}var le=null;function Ft(t){return le||(le=new Ee(t)),le}async function ls(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Ft({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function O(t){if(typeof process<"u"&&process.env)return process.env[t]}export{Ee as BotPartyClient,l as BotPartyError,q as InsufficientPermissionError,ye as Key,ge as KeyManager,z as LinkRequiredError,fe as NamespaceLockedError,he as PaymentRequiredError,ls as botpartyFetch,je as toProxyUrl};
|