@botparty/sdk 0.0.56 → 0.0.57

package/dist/index.cjs CHANGED
@@ -1,4 +1,4 @@
1
- "use strict";var ne=Object.defineProperty;var Ze=Object.getOwnPropertyDescriptor;var et=Object.getOwnPropertyNames;var tt=Object.prototype.hasOwnProperty;var rt=(t,e)=>{for(var r in e)ne(t,r,{get:e[r],enumerable:!0})},st=(t,e,r,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let n of et(e))!tt.call(t,n)&&n!==r&&ne(t,n,{get:()=>e[n],enumerable:!(s=Ze(e,n))||s.enumerable});return t};var nt=t=>st(ne({},"__esModule",{value:!0}),t);var Yt={};rt(Yt,{BotPartyClient:()=>se,BotPartyError:()=>l,InsufficientPermissionError:()=>W,Key:()=>te,KeyManager:()=>re,LinkRequiredError:()=>J,NamespaceLockedError:()=>Z,PaymentRequiredError:()=>ee,botpartyFetch:()=>jt,toProxyUrl:()=>we});module.exports=nt(Yt);var H=new TextEncoder,$=new TextDecoder,Vt=2**32;function xe(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function M(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function B(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function F(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function Pe(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:$.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=$.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return F(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function G(t){let e=t;return typeof e=="string"&&(e=H.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):B(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var S=(t,e="algorithm.name")=>new TypeError(`CryptoKey 
does not support this operation, its ${e} must be ${t}`),K=(t,e)=>t.name===e;function it(t){return parseInt(t.name.slice(4),10)}function ie(t,e){if(it(t.hash)!==e)throw S(`SHA-${e}`,"algorithm.hash")}function ot(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function at(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Ke(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!K(t.algorithm,"HMAC"))throw S("HMAC");ie(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!K(t.algorithm,"RSASSA-PKCS1-v1_5"))throw S("RSASSA-PKCS1-v1_5");ie(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!K(t.algorithm,"RSA-PSS"))throw S("RSA-PSS");ie(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!K(t.algorithm,"Ed25519"))throw S("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!K(t.algorithm,e))throw S(e);break}case"ES256":case"ES384":case"ES512":{if(!K(t.algorithm,"ECDSA"))throw S("ECDSA");let s=ot(e);if(t.algorithm.namedCurve!==s)throw S(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}at(t,r)}function Re(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var j=(t,...e)=>Re("Key must be ",t,...e),oe=(t,e,...r)=>Re(`Key for the ${t} algorithm must be `,e,...r);var I=class extends Error{static 
code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var u=class extends I{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var w=class extends I{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},Y=class extends I{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var C=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},_=t=>t?.[Symbol.toStringTag]==="KeyObject",ae=t=>C(t)||_(t);var ir=Symbol();function ce(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var ct=t=>typeof t=="object"&&t!==null;function pe(t){if(!ct(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function Te(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var D=t=>pe(t)&&typeof t.kty=="string",ve=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),Ie=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Ce=t=>t.kty==="oct"&&typeof t.k=="string";function dt(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function ut(t,e){let 
r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new u(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function lt(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(j(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Ke(e,t,r),e}async function _e(t,e,r){let s=await lt(t,e,"sign");dt(t,s);let n=await crypto.subtle.sign(ut(t,s.algorithm),s,r);return new Uint8Array(n)}var X='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function ft(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new u(X)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new 
u(X)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(X)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(X)}break}default:throw new u('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function De(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=ft(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var R="given KeyObject instance cannot be used for this algorithm",T,Ue=async(t,e,r,s=!1)=>{T||=new WeakMap;let n=T.get(t);if(n?.[r])return n[r];let i=await De({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:T.set(t,{[r]:i}),i},ht=(t,e)=>{T||=new WeakMap;let r=T.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(R)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let 
o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(R)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(R);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(R);return r?r[e]=i:T.set(t,{[e]:i}),i};async function ke(t,e){if(t instanceof Uint8Array||C(t))return t;if(_(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return ht(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return Ue(t,r,e)}if(D(t))return t.k?Pe(t.k):Ue(t,t,e,!0);throw new Error("unreachable")}var mt=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
1
+ "use strict";var oe=Object.defineProperty;var et=Object.getOwnPropertyDescriptor;var tt=Object.getOwnPropertyNames;var rt=Object.prototype.hasOwnProperty;var st=(t,e)=>{for(var r in e)oe(t,r,{get:e[r],enumerable:!0})},nt=(t,e,r,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let n of tt(e))!rt.call(t,n)&&n!==r&&oe(t,n,{get:()=>e[n],enumerable:!(s=et(e,n))||s.enumerable});return t};var it=t=>nt(oe({},"__esModule",{value:!0}),t);var Xt={};st(Xt,{BotPartyClient:()=>ie,BotPartyError:()=>h,InsufficientPermissionError:()=>H,Key:()=>se,KeyManager:()=>ne,LinkRequiredError:()=>M,NamespaceLockedError:()=>te,PaymentRequiredError:()=>re,botpartyFetch:()=>Yt,toProxyUrl:()=>Pe});module.exports=it(Xt);var B=new TextEncoder,v=new TextDecoder,qt=2**32;function ve(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function F(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function j(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function G(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function Y(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:v.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=v.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return G(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function X(t){let e=t;return typeof e=="string"&&(e=B.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):j(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var S=(t,e="algorithm.name")=>new TypeError(`CryptoKey 
does not support this operation, its ${e} must be ${t}`),K=(t,e)=>t.name===e;function ot(t){return parseInt(t.name.slice(4),10)}function ae(t,e){if(ot(t.hash)!==e)throw S(`SHA-${e}`,"algorithm.hash")}function at(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function ct(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Ke(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!K(t.algorithm,"HMAC"))throw S("HMAC");ae(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!K(t.algorithm,"RSASSA-PKCS1-v1_5"))throw S("RSASSA-PKCS1-v1_5");ae(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!K(t.algorithm,"RSA-PSS"))throw S("RSA-PSS");ae(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!K(t.algorithm,"Ed25519"))throw S("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!K(t.algorithm,e))throw S(e);break}case"ES256":case"ES384":case"ES512":{if(!K(t.algorithm,"ECDSA"))throw S("ECDSA");let s=at(e);if(t.algorithm.namedCurve!==s)throw S(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ct(t,r)}function Re(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var V=(t,...e)=>Re("Key must be ",t,...e),ce=(t,e,...r)=>Re(`Key for the ${t} algorithm must be `,e,...r);var k=class extends Error{static 
code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var u=class extends k{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var A=class extends k{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},y=class extends k{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var D=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},O=t=>t?.[Symbol.toStringTag]==="KeyObject",de=t=>D(t)||O(t);var or=Symbol();function pe(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var dt=t=>typeof t=="object"&&t!==null;function U(t){if(!dt(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function Ie(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var N=t=>U(t)&&typeof t.kty=="string",Ce=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),_e=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,ke=t=>t.kty==="oct"&&typeof t.k=="string";function ut(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function lt(t,e){let 
r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new u(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function ht(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(V(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Ke(e,t,r),e}async function De(t,e,r){let s=await ht(t,e,"sign");ut(t,s);let n=await crypto.subtle.sign(lt(t,s.algorithm),s,r);return new Uint8Array(n)}var q='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function mt(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new u(q)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new 
u(q)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(q)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(q)}break}default:throw new u('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function Oe(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=mt(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var R="given KeyObject instance cannot be used for this algorithm",I,Ue=async(t,e,r,s=!1)=>{I||=new WeakMap;let n=I.get(t);if(n?.[r])return n[r];let i=await Oe({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:I.set(t,{[r]:i}),i},ft=(t,e)=>{I||=new WeakMap;let r=I.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(R)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let 
o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(R)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(R);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(R);return r?r[e]=i:I.set(t,{[e]:i}),i};async function Ne(t,e){if(t instanceof Uint8Array||D(t))return t;if(O(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return ft(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return Ue(t,r,e)}if(N(t))return t.k?Y(t.k):Ue(t,t,e,!0);throw new Error("unreachable")}var yt=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
2
2
  `);return`-----BEGIN ${e}-----
3
3
  ${r}
4
- -----END ${e}-----`},Oe=async(t,e,r)=>{if(_(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!C(r))throw new TypeError(j(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return mt(B(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},Ne=t=>Oe("public","spki",t),Le=t=>Oe("private","pkcs8",t),de=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},yt=t=>({data:t,pos:0}),U=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var k=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},We=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},gt=t=>{k(t,6,"Expected algorithm OID");let e=U(t);return We(t,e)};function Et(t){k(t,48,"Invalid PKCS#8 structure"),U(t),k(t,2,"Expected version field");let e=U(t);t.pos+=e,k(t,48,"Expected algorithm identifier");let r=U(t);return{algIdStart:t.pos,algIdLength:r}}var St=t=>{let e=gt(t);if(de(e,[43,101,110]))return"X25519";if(!de(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");k(t,6,"Expected curve OID");let r=U(t),s=We(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(de(s,i))return n;throw new Error("Unsupported named curve")},wt=async(t,e,r,s)=>{let 
n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new u("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new u('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},At=(t,e)=>F(t.replace(e,"")),Je=(t,e,r)=>{let s=At(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=yt(i);return Et(o),St(o)}),wt("pkcs8",s,e,n)};async function V(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Je(t,e,r)}async function ue(t){return Ne(t)}async function le(t){return Le(t)}function He(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of 
s.crit){if(!i.has(o))throw new u(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var v=t=>t?.[Symbol.toStringTag],fe=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},bt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(D(e)){if(Ce(e)&&fe(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!ae(e))throw new TypeError(oe(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${v(e)} instances for symmetric algorithms must be of type "secret"`)}},xt=(t,e,r)=>{if(D(e))switch(r){case"decrypt":case"sign":if(ve(e)&&fe(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(Ie(e)&&fe(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!ae(e))throw new 
TypeError(oe(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${v(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${v(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${v(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${v(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${v(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function $e(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":bt(t,e,r);break;default:xt(t,e,r)}}var b=t=>Math.floor(t.getTime()/1e3),Me=60,Be=Me*60,me=Be*24,Pt=me*7,Kt=me*365.25,Rt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function he(t){let e=Rt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*Me);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Be);break;case"day":case"days":case"d":n=Math.round(r*me);break;case"week":case"weeks":case"w":n=Math.round(r*Pt);break;default:n=Math.round(r*Kt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function x(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var q=class{#e;constructor(e){if(!pe(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return H.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return 
this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=x("setNotBefore",e):e instanceof Date?this.#e.nbf=x("setNotBefore",b(e)):this.#e.nbf=b(new Date)+he(e)}set exp(e){typeof e=="number"?this.#e.exp=x("setExpirationTime",e):e instanceof Date?this.#e.exp=x("setExpirationTime",b(e)):this.#e.exp=b(new Date)+he(e)}set iat(e){e===void 0?this.#e.iat=b(new Date):e instanceof Date?this.#e.iat=x("setIssuedAt",b(e)):typeof e=="string"?this.#e.iat=x("setIssuedAt",b(new Date)+he(e)):this.#e.iat=x("setIssuedAt",e)}};var P=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return ce(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return ce(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new w("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Te(this.#t,this.#r))throw new w("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=He(w,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new w('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new w('JWS "alg" (Algorithm) Header Parameter missing or invalid');$e(o,e,"sign");let a,c;i?(a=G(this.#e),c=M(a)):(c=this.#e,a="");let p,f;this.#t?(p=G(JSON.stringify(this.#t)),f=M(p)):(p="",f=new Uint8Array);let g=xe(f,M("."),c),A=await ke(e,o),E=await _e(o,A,g),h={signature:G(E),payload:a};return this.#r&&(h.header=this.#r),this.#t&&(h.protected=p),h}};var z=class{#e;constructor(e){this.#e=new P(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: 
false");return`${s.protected}.${s.payload}.${s.signature}`}};var O=class{#e;#t;constructor(e={}){this.#t=new q(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new z(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new Y("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function ye(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new u("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function ge(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let 
n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new u("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new u('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}var d=require("node:fs"),y=require("node:path"),Ve=require("node:os"),Ae=require("node:crypto"),vt="https://id.botparty.club",It="EdDSA",Ct=15,Fe=6e4,_t=3e4,Dt="5m",Ut=3,kt=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Ot=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],l=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},Z=class extends l{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},ee=class extends l{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},W=class extends 
l{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},J=class extends l{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Ge(t){let e=(0,Ae.randomBytes)(4);return t[e.readUInt32BE(0)%t.length]}function Nt(){return`${Ge(kt)}-${Ge(Ot)}`}function Lt(){let t=Nt(),e=(0,Ae.randomBytes)(2).toString("hex");return`${t}-${e}`}function Wt(){return(0,y.join)((0,Ve.homedir)(),".botparty")}function be(t){(0,d.existsSync)(t)||(0,d.mkdirSync)(t,{recursive:!0,mode:448})}function Jt(t){let e=(0,y.join)(t,"identity.json");if(!(0,d.existsSync)(e))return null;try{return JSON.parse((0,d.readFileSync)(e,"utf-8"))}catch{return null}}function qe(t,e){be(t);let r=(0,y.join)(t,"identity.json"),s=r+".tmp";(0,d.writeFileSync)(s,JSON.stringify(e,null,2),{mode:384}),(0,d.renameSync)(s,r)}function Ht(t){let e=(0,y.join)(t,"private.pem");if(!(0,d.existsSync)(e))return null;try{return(0,d.readFileSync)(e,"utf-8")}catch{return null}}function ze(t,e){be(t);let r=(0,y.join)(t,"private.pem"),s=r+".tmp";(0,d.writeFileSync)(s,e,{mode:384}),(0,d.renameSync)(s,r)}function je(t){for(let e of["identity.json","private.pem"]){let r=(0,y.join)(t,e);(0,d.existsSync)(r)&&(0,d.unlinkSync)(r)}}function $t(t){let e=(0,y.join)(t,"rotation.lock");be(t);for(let r=0;r<2;r++)try{(0,d.writeFileSync)(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=(0,d.statSync)(e);if(Date.now()-n.mtimeMs>_t){(0,d.unlinkSync)(e);continue}}catch{continue}throw s}}function Mt(t){try{(0,d.unlinkSync)((0,y.join)(t,"rotation.lock"))}catch{}}async function Qe(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await ge(t,e),n=await le(r),i=await ue(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async 
function Bt(t,e,r){let s=await V(e,r);return(await new P(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function Se(t,e,r,s,n){let i=s,o=await V(r,i);return new O({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(Dt).sign(o)}async function m(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function we(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function Q(t){try{return await t.clone().json()}catch{return null}}function L(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var te=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},re=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await m(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new l({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await 
m(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new l({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await Qe(r.algorithm),o=await Se(r.namespace,r.keyId,s,r.algorithm),a=await m(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return ze(this.client.stateDir,i.privatePem),qe(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await 
this.client._apiError(n)}},se=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||N("BOTPARTY_SERVER_URL")||vt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||N("BOTPARTY_PROXY_URL")||N("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||N("BOTPARTY_STATE_DIR")||Wt(),this.algorithm=e.algorithm||It,this.rotationTTL=e.rotationTTL||Ct,this.inviteToken=e.inviteToken||N("BOTPARTY_INVITE_TOKEN"),this.keys=new re(this)}getIdentity(){return Jt(this.stateDir)}getPrivateKey(){return Ht(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Ut;){n||(n=Lt());let a=r||n,c=await Qe(this.algorithm),p=await m(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),f=await p.json();if(f.status==="already_registered")throw new l({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new l({code:f.error||"REGISTRATION_FAILED",message:f.message||f.error||"Registration failed",statusCode:p.status});let g=f.challenge,A=await Bt(g,c.privatePem,this.algorithm),E=await m(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:g,signature:A})});if(!E.ok)throw await this._apiError(E);let h=await E.json();return ze(this.stateDir,c.privatePem),qe(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:h.keyId,algorithm:this.algorithm,rotatedAt:h.rotatedAt,rotationTTL:h.rotationTTL,label:a,...h.parentNamespace&&{parentNamespace:h.parentNamespace},...h.inheritedScopes&&{inheritedScopes:h.inheritedScopes}}),h}throw new l({code:"REGISTRATION_FAILED",message:"Failed to find available namespace 
after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Fe)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){$t(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Fe)return;await this.keys.rotateCurrent()}finally{Mt(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return Se(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=we(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await Q(o);if(a){let{code:c}=L(a);if(c==="KEY_STALE"){await this._lockedRotate();let p=await this.generateToken(),f=new Headers(r.headers);f.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:f})}}}if(o.status===403){let a=await Q(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let g=a.proxyUrl.replace(/\/$/,""),A=we(e,g),E=new Headers(r.headers);return E.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(A,{...r,headers:E})}let p=a.approval_url||a.authorizationUrl;if(p){let g=c==="scope_refused",A=a.missing_scopes||a.missingScopes;throw g||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new 
W({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:A}):new J({message:a.message||"Missing required credentials",actionUrl:p})}let{code:f}=L(a);Ye(f)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await Q(o);if(a){let{code:c}=L(a);(Ye(c)||o.status===402||o.status===423)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await m(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await m(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);je(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await Se(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new te(this,e)}reset(){je(this.stateDir)}async _apiError(e){let r=await Q(e);if(!r)return new l({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=L(r);return new l({code:s,message:n,statusCode:e.status,actionUrl:i})}},Ft=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ye(t){return Ft.has(t.toUpperCase())}function 
Xe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=L(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new Z({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new ee({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new J({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new W({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new l({code:n,message:i,statusCode:t,actionUrl:o})}var Ee=null;function Gt(t){return Ee||(Ee=new se(t)),Ee}async function jt(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Gt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function N(t){if(typeof process<"u"&&process.env)return process.env[t]}0&&(module.exports={BotPartyClient,BotPartyError,InsufficientPermissionError,Key,KeyManager,LinkRequiredError,NamespaceLockedError,PaymentRequiredError,botpartyFetch,toProxyUrl});
4
+ -----END ${e}-----`},Le=async(t,e,r)=>{if(O(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!D(r))throw new TypeError(V(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return yt(j(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},We=t=>Le("public","spki",t),Je=t=>Le("private","pkcs8",t),ue=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},gt=t=>({data:t,pos:0}),L=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var W=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},$e=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},wt=t=>{W(t,6,"Expected algorithm OID");let e=L(t);return $e(t,e)};function Et(t){W(t,48,"Invalid PKCS#8 structure"),L(t),W(t,2,"Expected version field");let e=L(t);t.pos+=e,W(t,48,"Expected algorithm identifier");let r=L(t);return{algIdStart:t.pos,algIdLength:r}}var St=t=>{let e=wt(t);if(ue(e,[43,101,110]))return"X25519";if(!ue(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");W(t,6,"Expected curve OID");let r=L(t),s=$e(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ue(s,i))return n;throw new Error("Unsupported named curve")},At=async(t,e,r,s)=>{let 
n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let d=s.getNamedCurve(e);n=d==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:d}}catch{throw new u("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new u('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},bt=(t,e)=>G(t.replace(e,"")),He=(t,e,r)=>{let s=bt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=gt(i);return Et(o),St(o)}),At("pkcs8",s,e,n)};async function z(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return He(t,e,r)}async function le(t){return We(t)}async function he(t){return Je(t)}function Me(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of 
s.crit){if(!i.has(o))throw new u(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var C=t=>t?.[Symbol.toStringTag],me=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},Pt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(N(e)){if(ke(e)&&me(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!de(e))throw new TypeError(ce(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${C(e)} instances for symmetric algorithms must be of type "secret"`)}},xt=(t,e,r)=>{if(N(e))switch(r){case"decrypt":case"sign":if(Ce(e)&&me(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(_e(e)&&me(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!de(e))throw new 
TypeError(ce(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${C(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${C(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${C(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${C(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${C(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Be(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":Pt(t,e,r);break;default:xt(t,e,r)}}var P=t=>Math.floor(t.getTime()/1e3),Fe=60,je=Fe*60,ye=je*24,Tt=ye*7,vt=ye*365.25,Kt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function fe(t){let e=Kt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*Fe);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*je);break;case"day":case"days":case"d":n=Math.round(r*ye);break;case"week":case"weeks":case"w":n=Math.round(r*Tt);break;default:n=Math.round(r*vt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function x(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var Q=class{#e;constructor(e){if(!U(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return B.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return 
this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=x("setNotBefore",e):e instanceof Date?this.#e.nbf=x("setNotBefore",P(e)):this.#e.nbf=P(new Date)+fe(e)}set exp(e){typeof e=="number"?this.#e.exp=x("setExpirationTime",e):e instanceof Date?this.#e.exp=x("setExpirationTime",P(e)):this.#e.exp=P(new Date)+fe(e)}set iat(e){e===void 0?this.#e.iat=P(new Date):e instanceof Date?this.#e.iat=x("setIssuedAt",P(e)):typeof e=="string"?this.#e.iat=x("setIssuedAt",P(new Date)+fe(e)):this.#e.iat=x("setIssuedAt",e)}};var T=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return pe(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return pe(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new A("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Ie(this.#t,this.#r))throw new A("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=Me(A,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new A('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new A('JWS "alg" (Algorithm) Header Parameter missing or invalid');Be(o,e,"sign");let a,c;i?(a=X(this.#e),c=F(a)):(c=this.#e,a="");let d,m;this.#t?(d=X(JSON.stringify(this.#t)),m=F(d)):(d="",m=new Uint8Array);let w=ve(m,F("."),c),b=await Ne(e,o),E=await De(o,b,w),f={signature:X(E),payload:a};return this.#r&&(f.header=this.#r),this.#t&&(f.protected=d),f}};var Z=class{#e;constructor(e){this.#e=new T(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: 
false");return`${s.protected}.${s.payload}.${s.signature}`}};var J=class{#e;#t;constructor(e={}){this.#t=new Q(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new Z(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new y("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function ge(t){if(typeof t!="string")throw new y("JWTs must use Compact JWS serialization, JWT must be a string");let{1:e,length:r}=t.split(".");if(r===5)throw new y("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new y("Invalid JWT");if(!e)throw new y("JWTs must contain a payload");let s;try{s=Y(e)}catch{throw new y("Failed to base64url decode the payload")}let n;try{n=JSON.parse(v.decode(s))}catch{throw new y("Failed to parse the decoded payload as JSON")}if(!U(n))throw new y("Invalid JWT Claims Set");return n}function we(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new u("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function Ee(t,e){let 
r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:we(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:we(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:we(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new u("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new u('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}var 
p=require("node:fs"),g=require("node:path"),ze=require("node:os"),xe=require("node:crypto"),It="https://id.botparty.club",Ct="EdDSA",_t=15,Ge=6e4,kt=3e4,Dt="5m",Ot=3,Ut=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Nt=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],h=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},te=class extends h{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},re=class extends h{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},H=class extends h{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},M=class extends h{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Ye(t){let e=(0,xe.randomBytes)(4);return t[e.readUInt32BE(0)%t.length]}function Lt(){return`${Ye(Ut)}-${Ye(Nt)}`}function Wt(){let t=Lt(),e=(0,xe.randomBytes)(2).toString("hex");return`${t}-${e}`}function 
Jt(){return(0,g.join)((0,ze.homedir)(),".botparty")}function Te(t){(0,p.existsSync)(t)||(0,p.mkdirSync)(t,{recursive:!0,mode:448})}function $t(t){let e=(0,g.join)(t,"identity.json");if(!(0,p.existsSync)(e))return null;try{return JSON.parse((0,p.readFileSync)(e,"utf-8"))}catch{return null}}function Ae(t,e){Te(t);let r=(0,g.join)(t,"identity.json"),s=r+".tmp";(0,p.writeFileSync)(s,JSON.stringify(e,null,2),{mode:384}),(0,p.renameSync)(s,r)}function Ht(t){let e=(0,g.join)(t,"private.pem");if(!(0,p.existsSync)(e))return null;try{return(0,p.readFileSync)(e,"utf-8")}catch{return null}}function Qe(t,e){Te(t);let r=(0,g.join)(t,"private.pem"),s=r+".tmp";(0,p.writeFileSync)(s,e,{mode:384}),(0,p.renameSync)(s,r)}function Xe(t){for(let e of["identity.json","private.pem"]){let r=(0,g.join)(t,e);(0,p.existsSync)(r)&&(0,p.unlinkSync)(r)}}function Mt(t){let e=(0,g.join)(t,"rotation.lock");Te(t);for(let r=0;r<2;r++)try{(0,p.writeFileSync)(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=(0,p.statSync)(e);if(Date.now()-n.mtimeMs>kt){(0,p.unlinkSync)(e);continue}}catch{continue}throw s}}function Bt(t){try{(0,p.unlinkSync)((0,g.join)(t,"rotation.lock"))}catch{}}async function Ze(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await Ee(t,e),n=await he(r),i=await le(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Ft(t,e,r){let s=await z(e,r);return(await new T(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function be(t,e,r,s,n,i){let o=s,a=await z(r,o);return new J({...n}).setProtectedHeader({alg:o,kid:e}).setIssuer(t).setSubject(i??t).setIssuedAt().setExpirationTime(Dt).sign(a)}async function l(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function Pe(t,e){try{let r=new URL(t),s=new 
URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function ee(t){try{return await t.clone().json()}catch{return null}}function $(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var se=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},ne=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await l(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new h({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await l(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await 
l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new h({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await Ze(r.algorithm),o=await be(r.namespace,r.keyId,s,r.algorithm),a=await l(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return Qe(this.client.stateDir,i.privatePem),Ae(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},ie=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||_("BOTPARTY_SERVER_URL")||It).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||_("BOTPARTY_PROXY_URL")||_("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||_("BOTPARTY_STATE_DIR")||Jt(),this.algorithm=e.algorithm||Ct,this.rotationTTL=e.rotationTTL||_t,this.inviteToken=e.inviteToken||_("BOTPARTY_INVITE_TOKEN"),this.keys=new ne(this)}getIdentity(){return $t(this.stateDir)}getPrivateKey(){return Ht(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Ot;){n||(n=Wt());let a=r||n,c=await Ze(this.algorithm),d=await 
l(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),m=await d.json();if(m.status==="already_registered")throw new h({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(d.status===409&&!e){n=void 0,i++;continue}if(!d.ok)throw new h({code:m.error||"REGISTRATION_FAILED",message:m.message||m.error||"Registration failed",statusCode:d.status});let w=m.challenge,b=await Ft(w,c.privatePem,this.algorithm),E=await l(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:w,signature:b})});if(!E.ok)throw await this._apiError(E);let f=await E.json();return Qe(this.stateDir,c.privatePem),Ae(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:f.keyId,algorithm:this.algorithm,rotatedAt:f.rotatedAt,rotationTTL:f.rotationTTL,label:a,...f.parentNamespace&&{parentNamespace:f.parentNamespace},...f.inheritedScopes&&{inheritedScopes:f.inheritedScopes}}),f}throw new h({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;let r=this.inviteToken,s=!1;if(r)try{s=ge(r).typ==="org_invite"}catch{}if(await this.register(void 0,void 0,{inviteToken:s?void 0:r}),!this.getIdentity())throw new Error("Registration succeeded but identity could not be read");if(s&&r)try{let i=await this.redeemOrgInvite(r);i.orgId&&this.setActAs(i.orgId)}catch{}return this.getIdentity()}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Ge)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){Mt(this.stateDir);try{let 
e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Ge)return;await this.keys.rotateCurrent()}finally{Bt(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey(),n=this.getActAs(),i=n??r.namespace,o=n?r.namespace:void 0;return be(i,r.keyId,s,r.algorithm,e,o)}async fetch(e,r={}){let s=await this.generateToken(),n=Pe(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await ee(o);if(a){let{code:c}=$(a);if(c==="KEY_STALE"){await this._lockedRotate();let d=await this.generateToken(),m=new Headers(r.headers);m.set("X-Proxy-Authorization",`Bearer ${d}`),o=await fetch(n,{...r,headers:m})}}}if(o.status===403){let a=await ee(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let w=a.proxyUrl.replace(/\/$/,""),b=Pe(e,w),E=new Headers(r.headers);return E.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(b,{...r,headers:E})}let d=a.approval_url||a.authorizationUrl;if(d){let w=c==="scope_refused",b=a.missing_scopes||a.missingScopes;throw w||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new H({message:a.message||"Missing required credentials",actionUrl:d,missingScopes:b}):new M({message:a.message||"Missing required credentials",actionUrl:d})}let{code:m}=$(a);Ve(m)&&qe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await ee(o);if(a){let{code:c}=$(a);(Ve(c)||o.status===402||o.status===423)&&qe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await l(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await 
this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await l(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);Xe(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await be(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl,actAs:this.getActAs()}}getActAs(){return _("BOTPARTY_ACT_AS")||this.getIdentity()?.actAs}setActAs(e){let r=this.getIdentity();if(!r)throw new Error("Not registered");e===void 0?delete r.actAs:r.actAs=e,Ae(this.stateDir,r)}async listOrgs(){let e=await this.generateToken(),r=await l(this.serverUrl,"/api/v1/orgs",{token:e});if(!r.ok)throw new Error(`Failed to list orgs: ${r.status}`);return r.json()}async createOrg(e,r=""){let s=await this.generateToken(),n=await l(this.serverUrl,"/api/v1/orgs",{method:"POST",token:s,body:JSON.stringify({name:e,description:r})});if(!n.ok)throw new Error(`Failed to create org: ${n.status}`);return n.json()}async quitOrg(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}/quit`,{method:"POST",token:r});if(!s.ok)throw new Error(`Failed to quit org: ${s.status}`)}async createOrgInvite(e,r){let s=await this.generateToken(),n=await l(this.serverUrl,`/api/v1/orgs/${e}/invites`,{method:"POST",token:s,body:JSON.stringify(r?{expiresIn:r}:{})});if(!n.ok)throw new Error(`Failed to create org invite: ${n.status}`);return n.json()}async redeemOrgInvite(e){let r=await this.generateToken(),s=await 
l(this.serverUrl,"/api/v1/orgs/invites/redeem",{method:"POST",token:r,body:JSON.stringify({inviteToken:e})});if(!s.ok)throw new Error(`Failed to redeem org invite: ${s.status}`);return s.json()}async listOrgMembers(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}/members`,{token:r});if(!s.ok)throw new Error(`Failed to list org members: ${s.status}`);return s.json()}async removeOrgMember(e,r){let s=await this.generateToken(),n=await l(this.serverUrl,`/api/v1/orgs/${e}/members/${r}`,{method:"DELETE",token:s});if(!n.ok)throw new Error(`Failed to remove org member: ${n.status}`)}async updateMemberRole(e,r,s){let n=await this.generateToken(),i=await l(this.serverUrl,`/api/v1/orgs/${e}/members/${r}/role`,{method:"PATCH",token:n,body:JSON.stringify({role:s})});if(!i.ok)throw new Error(`Failed to update member role: ${i.status}`);return i.json()}async deleteOrg(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}`,{method:"DELETE",token:r});if(!s.ok)throw new Error(`Failed to delete org: ${s.status}`);return s.json()}key(e){return new se(this,e)}reset(){Xe(this.stateDir)}async _apiError(e){let r=await ee(e);if(!r)return new h({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=$(r);return new h({code:s,message:n,statusCode:e.status,actionUrl:i})}},jt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ve(t){return jt.has(t.toUpperCase())}function qe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=$(e),c=r?.namespace||"",d=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new te({message:i||"Namespace is locked",actionUrl:o||`${d}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new 
re({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new M({message:i,actionUrl:o||`${d}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new H({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new h({code:n,message:i,statusCode:t,actionUrl:o})}var Se=null;function Gt(t){return Se||(Se=new ie(t)),Se}async function Yt(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Gt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function _(t){if(typeof process<"u"&&process.env)return process.env[t]}0&&(module.exports={BotPartyClient,BotPartyError,InsufficientPermissionError,Key,KeyManager,LinkRequiredError,NamespaceLockedError,PaymentRequiredError,botpartyFetch,toProxyUrl});
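--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -29,6 +29,7 @@ export interface Identity {
  label?: string;
  parentNamespace?: string;
  inheritedScopes?: string[];
+ actAs?: string;
  }
  export interface RegistrationResult {
  namespace: string;
@@ -231,7 +232,50 @@ export declare class BotPartyClient {
  staleAt: string;
  label?: string;
  serverUrl: string;
+ actAs?: string;
  } | null;
+ getActAs(): string | undefined;
+ setActAs(orgId: string | undefined): void;
+ listOrgs(): Promise<{
+ organizations: Array<{
+ id: string;
+ name: string;
+ description: string;
+ role: string;
+ }>;
+ }>;
+ createOrg(name: string, description?: string): Promise<{
+ organization: {
+ id: string;
+ name: string;
+ description: string;
+ };
+ }>;
+ quitOrg(orgId: string): Promise<void>;
+ createOrgInvite(orgId: string, expiresIn?: string): Promise<{
+ inviteToken: string;
+ tokenId: string;
+ }>;
+ redeemOrgInvite(inviteToken: string): Promise<{
+ orgId: string;
+ }>;
+ listOrgMembers(orgId: string): Promise<{
+ members: Array<{
+ namespace: string;
+ role: string;
+ joinedAt: string;
+ }>;
+ }>;
+ removeOrgMember(orgId: string, namespace: string): Promise<void>;
+ updateMemberRole(orgId: string, namespace: string, role: 'admin' | 'member'): Promise<{
+ ok: boolean;
+ role: string;
+ changed: boolean;
+ }>;
+ deleteOrg(orgId: string): Promise<{
+ ok: boolean;
+ dissolved: boolean;
+ }>;
  /**
  * Get a fluent Key object for a specific key ID.
  *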
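Review bot: The new `getActAs()` and `setActAs()` declarations in the second hunk have no doc comment, although they decide which identity every later token is issued under. In the bundled implementation on this page, `generateToken()` uses the act-as org ID as the JWT issuer and the namespace as the subject, and `getActAs()` returns the `BOTPARTY_ACT_AS` environment variable before the value stored in identity.json, so an inherited environment variable overrides whatever `setActAs()` persisted, including a cleared value. I would add a JSDoc block above both, for example `/** Org ID used as token issuer; BOTPARTY_ACT_AS takes precedence over the stored value. */`, and state that `setActAs(undefined)` only removes the stored value. The same applies to the identical hunk in package/dist/index.d.ts; the class body continues outside the hunk.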
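--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -29,6 +29,7 @@ export interface Identity {
  label?: string;
  parentNamespace?: string;
  inheritedScopes?: string[];
+ actAs?: string;
  }
  export interface RegistrationResult {
  namespace: string;
@@ -231,7 +232,50 @@ export declare class BotPartyClient {
  staleAt: string;
  label?: string;
  serverUrl: string;
+ actAs?: string;
  } | null;
+ getActAs(): string | undefined;
+ setActAs(orgId: string | undefined): void;
+ listOrgs(): Promise<{
+ organizations: Array<{
+ id: string;
+ name: string;
+ description: string;
+ role: string;
+ }>;
+ }>;
+ createOrg(name: string, description?: string): Promise<{
+ organization: {
+ id: string;
+ name: string;
+ description: string;
+ };
+ }>;
+ quitOrg(orgId: string): Promise<void>;
+ createOrgInvite(orgId: string, expiresIn?: string): Promise<{
+ inviteToken: string;
+ tokenId: string;
+ }>;
+ redeemOrgInvite(inviteToken: string): Promise<{
+ orgId: string;
+ }>;
+ listOrgMembers(orgId: string): Promise<{
+ members: Array<{
+ namespace: string;
+ role: string;
+ joinedAt: string;
+ }>;
+ }>;
+ removeOrgMember(orgId: string, namespace: string): Promise<void>;
+ updateMemberRole(orgId: string, namespace: string, role: 'admin' | 'member'): Promise<{
+ ok: boolean;
+ role: string;
+ changed: boolean;
+ }>;
+ deleteOrg(orgId: string): Promise<{
+ ok: boolean;
+ dissolved: boolean;
+ }>;
  /**
  * Get a fluent Key object for a specific key ID.
  *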
package/dist/index.js CHANGED
@@ -1,4 +1,4 @@
1
- var L=new TextEncoder,W=new TextDecoder,Gt=2**32;function be(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function J(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function H(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function $(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function xe(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:W.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=W.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return $(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function M(t){let e=t;return typeof e=="string"&&(e=L.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):H(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var g=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),P=(t,e)=>t.name===e;function tt(t){return parseInt(t.name.slice(4),10)}function Z(t,e){if(tt(t.hash)!==e)throw g(`SHA-${e}`,"algorithm.hash")}function rt(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function st(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Pe(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!P(t.algorithm,"HMAC"))throw 
g("HMAC");Z(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!P(t.algorithm,"RSASSA-PKCS1-v1_5"))throw g("RSASSA-PKCS1-v1_5");Z(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!P(t.algorithm,"RSA-PSS"))throw g("RSA-PSS");Z(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!P(t.algorithm,"Ed25519"))throw g("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!P(t.algorithm,e))throw g(e);break}case"ES256":case"ES384":case"ES512":{if(!P(t.algorithm,"ECDSA"))throw g("ECDSA");let s=rt(e);if(t.algorithm.namedCurve!==s)throw g(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}st(t,r)}function Ke(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var B=(t,...e)=>Ke("Key must be ",t,...e),ee=(t,e,...r)=>Ke(`Key for the ${t} algorithm must be `,e,...r);var v=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var d=class extends v{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var E=class extends v{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},F=class extends v{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var I=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},C=t=>t?.[Symbol.toStringTag]==="KeyObject",te=t=>I(t)||C(t);var tr=Symbol();function re(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var nt=t=>typeof t=="object"&&t!==null;function 
se(t){if(!nt(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function Re(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var _=t=>se(t)&&typeof t.kty=="string",Te=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),ve=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Ie=t=>t.kty==="oct"&&typeof t.k=="string";function ot(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function at(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new d(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function ct(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(B(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Pe(e,t,r),e}async function Ce(t,e,r){let s=await ct(t,e,"sign");ot(t,s);let n=await crypto.subtle.sign(at(t,s.algorithm),s,r);return new Uint8Array(n)}var G='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function pt(t){let 
e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new d(G)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new d(G)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(G)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(G)}break}default:throw new d('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function _e(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=pt(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var K="given KeyObject instance cannot be used for this algorithm",R,De=async(t,e,r,s=!1)=>{R||=new WeakMap;let n=R.get(t);if(n?.[r])return n[r];let i=await _e({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:R.set(t,{[r]:i}),i},dt=(t,e)=>{R||=new WeakMap;let r=R.get(t);if(r?.[e])return r[e];let 
s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(K)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(K);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(K);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(K)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(K);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(K);return r?r[e]=i:R.set(t,{[e]:i}),i};async function Ue(t,e){if(t instanceof Uint8Array||I(t))return t;if(C(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return dt(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return De(t,r,e)}if(_(t))return t.k?xe(t.k):De(t,t,e,!0);throw new Error("unreachable")}var ut=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
1
+ var $=new TextEncoder,T=new TextDecoder,Gt=2**32;function Te(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function H(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function M(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function B(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function F(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:T.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=T.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return B(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function j(t){let e=t;return typeof e=="string"&&(e=$.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):M(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var w=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),v=(t,e)=>t.name===e;function rt(t){return parseInt(t.name.slice(4),10)}function te(t,e){if(rt(t.hash)!==e)throw w(`SHA-${e}`,"algorithm.hash")}function st(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function nt(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function ve(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!v(t.algorithm,"HMAC"))throw 
w("HMAC");te(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!v(t.algorithm,"RSASSA-PKCS1-v1_5"))throw w("RSASSA-PKCS1-v1_5");te(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!v(t.algorithm,"RSA-PSS"))throw w("RSA-PSS");te(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!v(t.algorithm,"Ed25519"))throw w("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!v(t.algorithm,e))throw w(e);break}case"ES256":case"ES384":case"ES512":{if(!v(t.algorithm,"ECDSA"))throw w("ECDSA");let s=st(e);if(t.algorithm.namedCurve!==s)throw w(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}nt(t,r)}function Ke(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var G=(t,...e)=>Ke("Key must be ",t,...e),re=(t,e,...r)=>Ke(`Key for the ${t} algorithm must be `,e,...r);var _=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var p=class extends _{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var E=class extends _{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},f=class extends _{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var k=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},D=t=>t?.[Symbol.toStringTag]==="KeyObject",se=t=>k(t)||D(t);var rr=Symbol();function ne(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var it=t=>typeof t=="object"&&t!==null;function 
O(t){if(!it(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function Re(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var U=t=>O(t)&&typeof t.kty=="string",Ie=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),Ce=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,_e=t=>t.kty==="oct"&&typeof t.k=="string";function at(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function ct(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new p(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function dt(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(G(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return ve(e,t,r),e}async function ke(t,e,r){let s=await dt(t,e,"sign");at(t,s);let n=await crypto.subtle.sign(ct(t,s.algorithm),s,r);return new Uint8Array(n)}var Y='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function pt(t){let 
e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new p(Y)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new p(Y)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new p(Y)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new p(Y)}break}default:throw new p('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function De(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=pt(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var K="given KeyObject instance cannot be used for this algorithm",R,Oe=async(t,e,r,s=!1)=>{R||=new WeakMap;let n=R.get(t);if(n?.[r])return n[r];let i=await De({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:R.set(t,{[r]:i}),i},ut=(t,e)=>{R||=new WeakMap;let r=R.get(t);if(r?.[e])return r[e];let 
s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(K)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(K);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(K);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(K)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(K);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(K);return r?r[e]=i:R.set(t,{[e]:i}),i};async function Ue(t,e){if(t instanceof Uint8Array||k(t))return t;if(D(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return ut(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return Oe(t,r,e)}if(U(t))return t.k?F(t.k):Oe(t,t,e,!0);throw new Error("unreachable")}var lt=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
2
2
  `);return`-----BEGIN ${e}-----
3
3
  ${r}
4
- -----END ${e}-----`},ke=async(t,e,r)=>{if(C(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!I(r))throw new TypeError(B(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return ut(H(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},Oe=t=>ke("public","spki",t),Ne=t=>ke("private","pkcs8",t),ne=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},lt=t=>({data:t,pos:0}),D=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var U=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Le=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},ft=t=>{U(t,6,"Expected algorithm OID");let e=D(t);return Le(t,e)};function ht(t){U(t,48,"Invalid PKCS#8 structure"),D(t),U(t,2,"Expected version field");let e=D(t);t.pos+=e,U(t,48,"Expected algorithm identifier");let r=D(t);return{algIdStart:t.pos,algIdLength:r}}var mt=t=>{let e=ft(t);if(ne(e,[43,101,110]))return"X25519";if(!ne(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");U(t,6,"Expected curve OID");let r=D(t),s=Le(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ne(s,i))return n;throw new Error("Unsupported named curve")},yt=async(t,e,r,s)=>{let 
n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new d("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new d('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},gt=(t,e)=>$(t.replace(e,"")),We=(t,e,r)=>{let s=gt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=lt(i);return ht(o),mt(o)}),yt("pkcs8",s,e,n)};async function j(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return We(t,e,r)}async function ie(t){return Oe(t)}async function oe(t){return Ne(t)}function Je(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of 
s.crit){if(!i.has(o))throw new d(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var T=t=>t?.[Symbol.toStringTag],ae=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},Et=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(_(e)){if(Ie(e)&&ae(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!te(e))throw new TypeError(ee(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${T(e)} instances for symmetric algorithms must be of type "secret"`)}},St=(t,e,r)=>{if(_(e))switch(r){case"decrypt":case"sign":if(Te(e)&&ae(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(ve(e)&&ae(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!te(e))throw new 
TypeError(ee(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${T(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${T(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${T(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${T(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${T(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function He(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":Et(t,e,r);break;default:St(t,e,r)}}var A=t=>Math.floor(t.getTime()/1e3),$e=60,Me=$e*60,pe=Me*24,wt=pe*7,At=pe*365.25,bt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function ce(t){let e=bt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*$e);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Me);break;case"day":case"days":case"d":n=Math.round(r*pe);break;case"week":case"weeks":case"w":n=Math.round(r*wt);break;default:n=Math.round(r*At);break}return e[1]==="-"||e[4]==="ago"?-n:n}function b(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var Y=class{#e;constructor(e){if(!se(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return L.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return 
this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=b("setNotBefore",e):e instanceof Date?this.#e.nbf=b("setNotBefore",A(e)):this.#e.nbf=A(new Date)+ce(e)}set exp(e){typeof e=="number"?this.#e.exp=b("setExpirationTime",e):e instanceof Date?this.#e.exp=b("setExpirationTime",A(e)):this.#e.exp=A(new Date)+ce(e)}set iat(e){e===void 0?this.#e.iat=A(new Date):e instanceof Date?this.#e.iat=b("setIssuedAt",A(e)):typeof e=="string"?this.#e.iat=b("setIssuedAt",A(new Date)+ce(e)):this.#e.iat=b("setIssuedAt",e)}};var x=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return re(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return re(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new E("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Re(this.#t,this.#r))throw new E("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=Je(E,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new E('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new E('JWS "alg" (Algorithm) Header Parameter missing or invalid');He(o,e,"sign");let a,c;i?(a=M(this.#e),c=J(a)):(c=this.#e,a="");let p,u;this.#t?(p=M(JSON.stringify(this.#t)),u=J(p)):(p="",u=new Uint8Array);let m=be(u,J("."),c),w=await Ue(e,o),y=await Ce(o,w,m),f={signature:M(y),payload:a};return this.#r&&(f.header=this.#r),this.#t&&(f.protected=p),f}};var X=class{#e;constructor(e){this.#e=new x(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: 
false");return`${s.protected}.${s.payload}.${s.signature}`}};var k=class{#e;#t;constructor(e={}){this.#t=new Y(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new X(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new F("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function de(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new d("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function ue(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let 
n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new d("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new d('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}import{readFileSync as Ve,writeFileSync as Se,mkdirSync as Pt,existsSync as Q,unlinkSync as we,statSync as Kt,renameSync as qe}from"node:fs";import{join as S}from"node:path";import{homedir as Rt}from"node:os";import{randomBytes as ze}from"node:crypto";var Tt="https://id.botparty.club",vt="EdDSA",It=15,Be=6e4,Ct=3e4,_t="5m",Dt=3,Ut=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],kt=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],l=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},fe=class extends l{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},he=class extends l{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},q=class extends 
l{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},z=class extends l{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Fe(t){let e=ze(4);return t[e.readUInt32BE(0)%t.length]}function Ot(){return`${Fe(Ut)}-${Fe(kt)}`}function Nt(){let t=Ot(),e=ze(2).toString("hex");return`${t}-${e}`}function Lt(){return S(Rt(),".botparty")}function Ae(t){Q(t)||Pt(t,{recursive:!0,mode:448})}function Wt(t){let e=S(t,"identity.json");if(!Q(e))return null;try{return JSON.parse(Ve(e,"utf-8"))}catch{return null}}function Qe(t,e){Ae(t);let r=S(t,"identity.json"),s=r+".tmp";Se(s,JSON.stringify(e,null,2),{mode:384}),qe(s,r)}function Jt(t){let e=S(t,"private.pem");if(!Q(e))return null;try{return Ve(e,"utf-8")}catch{return null}}function Ze(t,e){Ae(t);let r=S(t,"private.pem"),s=r+".tmp";Se(s,e,{mode:384}),qe(s,r)}function Ge(t){for(let e of["identity.json","private.pem"]){let r=S(t,e);Q(r)&&we(r)}}function Ht(t){let e=S(t,"rotation.lock");Ae(t);for(let r=0;r<2;r++)try{Se(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=Kt(e);if(Date.now()-n.mtimeMs>Ct){we(e);continue}}catch{continue}throw s}}function $t(t){try{we(S(t,"rotation.lock"))}catch{}}async function et(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await ue(t,e),n=await oe(r),i=await ie(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Mt(t,e,r){let s=await j(e,r);return(await new x(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function me(t,e,r,s,n){let i=s,o=await j(r,i);return new k({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(_t).sign(o)}async function 
h(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function je(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function V(t){try{return await t.clone().json()}catch{return null}}function N(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var ye=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},ge=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new l({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await 
h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new l({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await et(r.algorithm),o=await me(r.namespace,r.keyId,s,r.algorithm),a=await h(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return Ze(this.client.stateDir,i.privatePem),Qe(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},Ee=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||O("BOTPARTY_SERVER_URL")||Tt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||O("BOTPARTY_PROXY_URL")||O("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||O("BOTPARTY_STATE_DIR")||Lt(),this.algorithm=e.algorithm||vt,this.rotationTTL=e.rotationTTL||It,this.inviteToken=e.inviteToken||O("BOTPARTY_INVITE_TOKEN"),this.keys=new ge(this)}getIdentity(){return Wt(this.stateDir)}getPrivateKey(){return 
Jt(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Dt;){n||(n=Nt());let a=r||n,c=await et(this.algorithm),p=await h(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),u=await p.json();if(u.status==="already_registered")throw new l({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new l({code:u.error||"REGISTRATION_FAILED",message:u.message||u.error||"Registration failed",statusCode:p.status});let m=u.challenge,w=await Mt(m,c.privatePem,this.algorithm),y=await h(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:m,signature:w})});if(!y.ok)throw await this._apiError(y);let f=await y.json();return Ze(this.stateDir,c.privatePem),Qe(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:f.keyId,algorithm:this.algorithm,rotatedAt:f.rotatedAt,rotationTTL:f.rotationTTL,label:a,...f.parentNamespace&&{parentNamespace:f.parentNamespace},...f.inheritedScopes&&{inheritedScopes:f.inheritedScopes}}),f}throw new l({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Be)return 
this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){Ht(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Be)return;await this.keys.rotateCurrent()}finally{$t(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return me(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=je(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await V(o);if(a){let{code:c}=N(a);if(c==="KEY_STALE"){await this._lockedRotate();let p=await this.generateToken(),u=new Headers(r.headers);u.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:u})}}}if(o.status===403){let a=await V(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let m=a.proxyUrl.replace(/\/$/,""),w=je(e,m),y=new Headers(r.headers);return y.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(w,{...r,headers:y})}let p=a.approval_url||a.authorizationUrl;if(p){let m=c==="scope_refused",w=a.missing_scopes||a.missingScopes;throw m||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new q({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:w}):new z({message:a.message||"Missing required credentials",actionUrl:p})}let{code:u}=N(a);Ye(u)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await V(o);if(a){let{code:c}=N(a);(Ye(c)||o.status===402||o.status===423)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace 
provided");let s=await h(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await h(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);Ge(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await me(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new ye(this,e)}reset(){Ge(this.stateDir)}async _apiError(e){let r=await V(e);if(!r)return new l({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=N(r);return new l({code:s,message:n,statusCode:e.status,actionUrl:i})}},Bt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ye(t){return Bt.has(t.toUpperCase())}function Xe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=N(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new fe({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new he({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new z({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new 
q({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new l({code:n,message:i,statusCode:t,actionUrl:o})}var le=null;function Ft(t){return le||(le=new Ee(t)),le}async function ls(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Ft({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function O(t){if(typeof process<"u"&&process.env)return process.env[t]}export{Ee as BotPartyClient,l as BotPartyError,q as InsufficientPermissionError,ye as Key,ge as KeyManager,z as LinkRequiredError,fe as NamespaceLockedError,he as PaymentRequiredError,ls as botpartyFetch,je as toProxyUrl};
4
+ -----END ${e}-----`},Ne=async(t,e,r)=>{if(D(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!k(r))throw new TypeError(G(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return lt(M(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},Le=t=>Ne("public","spki",t),We=t=>Ne("private","pkcs8",t),ie=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},ht=t=>({data:t,pos:0}),N=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var L=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Je=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},mt=t=>{L(t,6,"Expected algorithm OID");let e=N(t);return Je(t,e)};function ft(t){L(t,48,"Invalid PKCS#8 structure"),N(t),L(t,2,"Expected version field");let e=N(t);t.pos+=e,L(t,48,"Expected algorithm identifier");let r=N(t);return{algIdStart:t.pos,algIdLength:r}}var yt=t=>{let e=mt(t);if(ie(e,[43,101,110]))return"X25519";if(!ie(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");L(t,6,"Expected curve OID");let r=N(t),s=Je(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ie(s,i))return n;throw new Error("Unsupported named curve")},gt=async(t,e,r,s)=>{let 
n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let d=s.getNamedCurve(e);n=d==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:d}}catch{throw new p("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new p('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},wt=(t,e)=>B(t.replace(e,"")),$e=(t,e,r)=>{let s=wt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=ht(i);return ft(o),yt(o)}),gt("pkcs8",s,e,n)};async function X(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return $e(t,e,r)}async function oe(t){return Le(t)}async function ae(t){return We(t)}function He(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of 
s.crit){if(!i.has(o))throw new p(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var I=t=>t?.[Symbol.toStringTag],ce=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},Et=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(U(e)){if(_e(e)&&ce(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!se(e))throw new TypeError(re(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${I(e)} instances for symmetric algorithms must be of type "secret"`)}},St=(t,e,r)=>{if(U(e))switch(r){case"decrypt":case"sign":if(Ie(e)&&ce(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(Ce(e)&&ce(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!se(e))throw new 
TypeError(re(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${I(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${I(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${I(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${I(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${I(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Me(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":Et(t,e,r);break;default:St(t,e,r)}}var b=t=>Math.floor(t.getTime()/1e3),Be=60,Fe=Be*60,pe=Fe*24,At=pe*7,bt=pe*365.25,Pt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function de(t){let e=Pt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*Be);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Fe);break;case"day":case"days":case"d":n=Math.round(r*pe);break;case"week":case"weeks":case"w":n=Math.round(r*At);break;default:n=Math.round(r*bt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function P(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var V=class{#e;constructor(e){if(!O(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return $.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return 
this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=P("setNotBefore",e):e instanceof Date?this.#e.nbf=P("setNotBefore",b(e)):this.#e.nbf=b(new Date)+de(e)}set exp(e){typeof e=="number"?this.#e.exp=P("setExpirationTime",e):e instanceof Date?this.#e.exp=P("setExpirationTime",b(e)):this.#e.exp=b(new Date)+de(e)}set iat(e){e===void 0?this.#e.iat=b(new Date):e instanceof Date?this.#e.iat=P("setIssuedAt",b(e)):typeof e=="string"?this.#e.iat=P("setIssuedAt",b(new Date)+de(e)):this.#e.iat=P("setIssuedAt",e)}};var x=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return ne(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return ne(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new E("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Re(this.#t,this.#r))throw new E("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=He(E,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new E('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new E('JWS "alg" (Algorithm) Header Parameter missing or invalid');Me(o,e,"sign");let a,c;i?(a=j(this.#e),c=H(a)):(c=this.#e,a="");let d,l;this.#t?(d=j(JSON.stringify(this.#t)),l=H(d)):(d="",l=new Uint8Array);let y=Te(l,H("."),c),A=await Ue(e,o),g=await ke(o,A,y),m={signature:j(g),payload:a};return this.#r&&(m.header=this.#r),this.#t&&(m.protected=d),m}};var q=class{#e;constructor(e){this.#e=new x(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: 
false");return`${s.protected}.${s.payload}.${s.signature}`}};var W=class{#e;#t;constructor(e={}){this.#t=new V(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new q(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new f("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function ue(t){if(typeof t!="string")throw new f("JWTs must use Compact JWS serialization, JWT must be a string");let{1:e,length:r}=t.split(".");if(r===5)throw new f("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new f("Invalid JWT");if(!e)throw new f("JWTs must contain a payload");let s;try{s=F(e)}catch{throw new f("Failed to base64url decode the payload")}let n;try{n=JSON.parse(T.decode(s))}catch{throw new f("Failed to parse the decoded payload as JSON")}if(!O(n))throw new f("Invalid JWT Claims Set");return n}function le(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new p("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function he(t,e){let 
r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:le(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:le(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:le(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new p("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new p('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}import{readFileSync as ze,writeFileSync as be,mkdirSync as Tt,existsSync as ee,unlinkSync as Pe,statSync as vt,renameSync as Qe}from"node:fs";import{join as S}from"node:path";import{homedir as Kt}from"node:os";import{randomBytes as Ze}from"node:crypto";var 
Rt="https://id.botparty.club",It="EdDSA",Ct=15,je=6e4,_t=3e4,kt="5m",Dt=3,Ot=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Ut=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],h=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},fe=class extends h{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},ye=class extends h{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},Q=class extends h{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},Z=class extends h{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Ge(t){let e=Ze(4);return t[e.readUInt32BE(0)%t.length]}function Nt(){return`${Ge(Ot)}-${Ge(Ut)}`}function Lt(){let t=Nt(),e=Ze(2).toString("hex");return`${t}-${e}`}function Wt(){return S(Kt(),".botparty")}function xe(t){ee(t)||Tt(t,{recursive:!0,mode:448})}function Jt(t){let 
e=S(t,"identity.json");if(!ee(e))return null;try{return JSON.parse(ze(e,"utf-8"))}catch{return null}}function ge(t,e){xe(t);let r=S(t,"identity.json"),s=r+".tmp";be(s,JSON.stringify(e,null,2),{mode:384}),Qe(s,r)}function $t(t){let e=S(t,"private.pem");if(!ee(e))return null;try{return ze(e,"utf-8")}catch{return null}}function et(t,e){xe(t);let r=S(t,"private.pem"),s=r+".tmp";be(s,e,{mode:384}),Qe(s,r)}function Ye(t){for(let e of["identity.json","private.pem"]){let r=S(t,e);ee(r)&&Pe(r)}}function Ht(t){let e=S(t,"rotation.lock");xe(t);for(let r=0;r<2;r++)try{be(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=vt(e);if(Date.now()-n.mtimeMs>_t){Pe(e);continue}}catch{continue}throw s}}function Mt(t){try{Pe(S(t,"rotation.lock"))}catch{}}async function tt(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await he(t,e),n=await ae(r),i=await oe(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Bt(t,e,r){let s=await X(e,r);return(await new x(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function we(t,e,r,s,n,i){let o=s,a=await X(r,o);return new W({...n}).setProtectedHeader({alg:o,kid:e}).setIssuer(t).setSubject(i??t).setIssuedAt().setExpirationTime(kt).sign(a)}async function u(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function Xe(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function z(t){try{return await t.clone().json()}catch{return null}}function J(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof 
e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var Ee=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},Se=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await u(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new h({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await u(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new h({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. 
Use the server API directly for other keys.",statusCode:400});let i=await tt(r.algorithm),o=await we(r.namespace,r.keyId,s,r.algorithm),a=await u(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return et(this.client.stateDir,i.privatePem),ge(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},Ae=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||C("BOTPARTY_SERVER_URL")||Rt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||C("BOTPARTY_PROXY_URL")||C("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||C("BOTPARTY_STATE_DIR")||Wt(),this.algorithm=e.algorithm||It,this.rotationTTL=e.rotationTTL||Ct,this.inviteToken=e.inviteToken||C("BOTPARTY_INVITE_TOKEN"),this.keys=new Se(this)}getIdentity(){return Jt(this.stateDir)}getPrivateKey(){return $t(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Dt;){n||(n=Lt());let a=r||n,c=await tt(this.algorithm),d=await u(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),l=await d.json();if(l.status==="already_registered")throw new h({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(d.status===409&&!e){n=void 0,i++;continue}if(!d.ok)throw new 
h({code:l.error||"REGISTRATION_FAILED",message:l.message||l.error||"Registration failed",statusCode:d.status});let y=l.challenge,A=await Bt(y,c.privatePem,this.algorithm),g=await u(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:y,signature:A})});if(!g.ok)throw await this._apiError(g);let m=await g.json();return et(this.stateDir,c.privatePem),ge(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:m.keyId,algorithm:this.algorithm,rotatedAt:m.rotatedAt,rotationTTL:m.rotationTTL,label:a,...m.parentNamespace&&{parentNamespace:m.parentNamespace},...m.inheritedScopes&&{inheritedScopes:m.inheritedScopes}}),m}throw new h({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;let r=this.inviteToken,s=!1;if(r)try{s=ue(r).typ==="org_invite"}catch{}if(await this.register(void 0,void 0,{inviteToken:s?void 0:r}),!this.getIdentity())throw new Error("Registration succeeded but identity could not be read");if(s&&r)try{let i=await this.redeemOrgInvite(r);i.orgId&&this.setActAs(i.orgId)}catch{}return this.getIdentity()}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-je)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){Ht(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-je)return;await this.keys.rotateCurrent()}finally{Mt(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey(),n=this.getActAs(),i=n??r.namespace,o=n?r.namespace:void 0;return 
we(i,r.keyId,s,r.algorithm,e,o)}async fetch(e,r={}){let s=await this.generateToken(),n=Xe(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await z(o);if(a){let{code:c}=J(a);if(c==="KEY_STALE"){await this._lockedRotate();let d=await this.generateToken(),l=new Headers(r.headers);l.set("X-Proxy-Authorization",`Bearer ${d}`),o=await fetch(n,{...r,headers:l})}}}if(o.status===403){let a=await z(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let y=a.proxyUrl.replace(/\/$/,""),A=Xe(e,y),g=new Headers(r.headers);return g.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(A,{...r,headers:g})}let d=a.approval_url||a.authorizationUrl;if(d){let y=c==="scope_refused",A=a.missing_scopes||a.missingScopes;throw y||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new Q({message:a.message||"Missing required credentials",actionUrl:d,missingScopes:A}):new Z({message:a.message||"Missing required credentials",actionUrl:d})}let{code:l}=J(a);Ve(l)&&qe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await z(o);if(a){let{code:c}=J(a);(Ve(c)||o.status===402||o.status===423)&&qe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await u(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await u(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);Ye(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await 
we(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl,actAs:this.getActAs()}}getActAs(){return C("BOTPARTY_ACT_AS")||this.getIdentity()?.actAs}setActAs(e){let r=this.getIdentity();if(!r)throw new Error("Not registered");e===void 0?delete r.actAs:r.actAs=e,ge(this.stateDir,r)}async listOrgs(){let e=await this.generateToken(),r=await u(this.serverUrl,"/api/v1/orgs",{token:e});if(!r.ok)throw new Error(`Failed to list orgs: ${r.status}`);return r.json()}async createOrg(e,r=""){let s=await this.generateToken(),n=await u(this.serverUrl,"/api/v1/orgs",{method:"POST",token:s,body:JSON.stringify({name:e,description:r})});if(!n.ok)throw new Error(`Failed to create org: ${n.status}`);return n.json()}async quitOrg(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}/quit`,{method:"POST",token:r});if(!s.ok)throw new Error(`Failed to quit org: ${s.status}`)}async createOrgInvite(e,r){let s=await this.generateToken(),n=await u(this.serverUrl,`/api/v1/orgs/${e}/invites`,{method:"POST",token:s,body:JSON.stringify(r?{expiresIn:r}:{})});if(!n.ok)throw new Error(`Failed to create org invite: ${n.status}`);return n.json()}async redeemOrgInvite(e){let r=await this.generateToken(),s=await u(this.serverUrl,"/api/v1/orgs/invites/redeem",{method:"POST",token:r,body:JSON.stringify({inviteToken:e})});if(!s.ok)throw new Error(`Failed to redeem org invite: ${s.status}`);return s.json()}async listOrgMembers(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}/members`,{token:r});if(!s.ok)throw new Error(`Failed to list org members: ${s.status}`);return s.json()}async removeOrgMember(e,r){let 
s=await this.generateToken(),n=await u(this.serverUrl,`/api/v1/orgs/${e}/members/${r}`,{method:"DELETE",token:s});if(!n.ok)throw new Error(`Failed to remove org member: ${n.status}`)}async updateMemberRole(e,r,s){let n=await this.generateToken(),i=await u(this.serverUrl,`/api/v1/orgs/${e}/members/${r}/role`,{method:"PATCH",token:n,body:JSON.stringify({role:s})});if(!i.ok)throw new Error(`Failed to update member role: ${i.status}`);return i.json()}async deleteOrg(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}`,{method:"DELETE",token:r});if(!s.ok)throw new Error(`Failed to delete org: ${s.status}`);return s.json()}key(e){return new Ee(this,e)}reset(){Ye(this.stateDir)}async _apiError(e){let r=await z(e);if(!r)return new h({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=J(r);return new h({code:s,message:n,statusCode:e.status,actionUrl:i})}},Ft=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ve(t){return Ft.has(t.toUpperCase())}function qe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=J(e),c=r?.namespace||"",d=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new fe({message:i||"Namespace is locked",actionUrl:o||`${d}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new ye({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new Z({message:i,actionUrl:o||`${d}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new Q({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new h({code:n,message:i,statusCode:t,actionUrl:o})}var me=null;function jt(t){return me||(me=new Ae(t)),me}async function Es(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return 
jt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function C(t){if(typeof process<"u"&&process.env)return process.env[t]}export{Ae as BotPartyClient,h as BotPartyError,Q as InsufficientPermissionError,Ee as Key,Se as KeyManager,Z as LinkRequiredError,fe as NamespaceLockedError,ye as PaymentRequiredError,Es as botpartyFetch,Xe as toProxyUrl};
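--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@botparty/sdk",
- "version": "0.0.56",
+ "version": "0.0.57",
  "description": "Client SDK for BotParty — federated bot identity, authentication, and payments",
  "type": "module",
  "main": "dist/index.cjs",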