@botparty/sdk 0.0.56 → 0.0.58
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +2 -2
- package/dist/index.d.cts +44 -0
- package/dist/index.d.ts +44 -0
- package/dist/index.js +2 -2
- package/package.json +1 -1
package/dist/index.cjs
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
"use strict";var ne=Object.defineProperty;var Ze=Object.getOwnPropertyDescriptor;var et=Object.getOwnPropertyNames;var tt=Object.prototype.hasOwnProperty;var rt=(t,e)=>{for(var r in e)ne(t,r,{get:e[r],enumerable:!0})},st=(t,e,r,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let n of et(e))!tt.call(t,n)&&n!==r&&ne(t,n,{get:()=>e[n],enumerable:!(s=Ze(e,n))||s.enumerable});return t};var nt=t=>st(ne({},"__esModule",{value:!0}),t);var Yt={};rt(Yt,{BotPartyClient:()=>se,BotPartyError:()=>l,InsufficientPermissionError:()=>W,Key:()=>te,KeyManager:()=>re,LinkRequiredError:()=>J,NamespaceLockedError:()=>Z,PaymentRequiredError:()=>ee,botpartyFetch:()=>jt,toProxyUrl:()=>we});module.exports=nt(Yt);var H=new TextEncoder,$=new TextDecoder,Vt=2**32;function xe(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function M(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function B(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function F(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function Pe(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:$.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=$.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return F(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function G(t){let e=t;return typeof e=="string"&&(e=H.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):B(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var S=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),K=(t,e)=>t.name===e;function it(t){return parseInt(t.name.slice(4),10)}function ie(t,e){if(it(t.hash)!==e)throw S(`SHA-${e}`,"algorithm.hash")}function ot(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function at(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Ke(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!K(t.algorithm,"HMAC"))throw S("HMAC");ie(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!K(t.algorithm,"RSASSA-PKCS1-v1_5"))throw S("RSASSA-PKCS1-v1_5");ie(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!K(t.algorithm,"RSA-PSS"))throw S("RSA-PSS");ie(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!K(t.algorithm,"Ed25519"))throw S("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!K(t.algorithm,e))throw S(e);break}case"ES256":case"ES384":case"ES512":{if(!K(t.algorithm,"ECDSA"))throw S("ECDSA");let s=ot(e);if(t.algorithm.namedCurve!==s)throw S(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}at(t,r)}function Re(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var j=(t,...e)=>Re("Key must be ",t,...e),oe=(t,e,...r)=>Re(`Key for the ${t} algorithm must be `,e,...r);var I=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var u=class extends I{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var w=class extends I{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},Y=class extends I{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var C=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},_=t=>t?.[Symbol.toStringTag]==="KeyObject",ae=t=>C(t)||_(t);var ir=Symbol();function ce(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var ct=t=>typeof t=="object"&&t!==null;function pe(t){if(!ct(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function Te(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var D=t=>pe(t)&&typeof t.kty=="string",ve=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),Ie=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Ce=t=>t.kty==="oct"&&typeof t.k=="string";function dt(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function ut(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new u(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function lt(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(j(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Ke(e,t,r),e}async function _e(t,e,r){let s=await lt(t,e,"sign");dt(t,s);let n=await crypto.subtle.sign(ut(t,s.algorithm),s,r);return new Uint8Array(n)}var X='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function ft(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new u(X)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new u(X)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(X)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(X)}break}default:throw new u('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function De(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=ft(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var R="given KeyObject instance cannot be used for this algorithm",T,Ue=async(t,e,r,s=!1)=>{T||=new WeakMap;let n=T.get(t);if(n?.[r])return n[r];let i=await De({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:T.set(t,{[r]:i}),i},ht=(t,e)=>{T||=new WeakMap;let r=T.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(R)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(R)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(R);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(R);return r?r[e]=i:T.set(t,{[e]:i}),i};async function ke(t,e){if(t instanceof Uint8Array||C(t))return t;if(_(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return ht(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return Ue(t,r,e)}if(D(t))return t.k?Pe(t.k):Ue(t,t,e,!0);throw new Error("unreachable")}var mt=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
1
|
+
"use strict";var de=Object.defineProperty;var st=Object.getOwnPropertyDescriptor;var nt=Object.getOwnPropertyNames;var it=Object.prototype.hasOwnProperty;var ot=(t,e)=>{for(var r in e)de(t,r,{get:e[r],enumerable:!0})},at=(t,e,r,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let n of nt(e))!it.call(t,n)&&n!==r&&de(t,n,{get:()=>e[n],enumerable:!(s=st(e,n))||s.enumerable});return t};var ct=t=>at(de({},"__esModule",{value:!0}),t);var zt={};ot(zt,{BotPartyClient:()=>ae,BotPartyError:()=>h,InsufficientPermissionError:()=>M,Key:()=>ie,KeyManager:()=>oe,LinkRequiredError:()=>B,NamespaceLockedError:()=>se,PaymentRequiredError:()=>ne,botpartyFetch:()=>qt,toProxyUrl:()=>Te});module.exports=ct(zt);var F=new TextEncoder,v=new TextDecoder,Zt=2**32;function Ie(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function j(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function G(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function Y(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function X(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:v.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=v.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return Y(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function V(t){let e=t;return typeof e=="string"&&(e=F.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):G(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var S=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),R=(t,e)=>t.name===e;function dt(t){return parseInt(t.name.slice(4),10)}function pe(t,e){if(dt(t.hash)!==e)throw S(`SHA-${e}`,"algorithm.hash")}function pt(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function ut(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Ce(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!R(t.algorithm,"HMAC"))throw S("HMAC");pe(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!R(t.algorithm,"RSASSA-PKCS1-v1_5"))throw S("RSASSA-PKCS1-v1_5");pe(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!R(t.algorithm,"RSA-PSS"))throw S("RSA-PSS");pe(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!R(t.algorithm,"Ed25519"))throw S("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!R(t.algorithm,e))throw S(e);break}case"ES256":case"ES384":case"ES512":{if(!R(t.algorithm,"ECDSA"))throw S("ECDSA");let s=pt(e);if(t.algorithm.namedCurve!==s)throw S(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ut(t,r)}function _e(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var q=(t,...e)=>_e("Key must be ",t,...e),ue=(t,e,...r)=>_e(`Key for the ${t} algorithm must be `,e,...r);var D=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var u=class extends D{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var A=class extends D{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},m=class extends D{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var O=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},U=t=>t?.[Symbol.toStringTag]==="KeyObject",le=t=>O(t)||U(t);var dr=Symbol();function he(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var lt=t=>typeof t=="object"&&t!==null;function N(t){if(!lt(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function ke(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var L=t=>N(t)&&typeof t.kty=="string",De=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),Oe=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Ue=t=>t.kty==="oct"&&typeof t.k=="string";function ft(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function mt(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new u(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function yt(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(q(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Ce(e,t,r),e}async function Ne(t,e,r){let s=await yt(t,e,"sign");ft(t,s);let n=await crypto.subtle.sign(mt(t,s.algorithm),s,r);return new Uint8Array(n)}var z='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function gt(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new u(z)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new u(z)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(z)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(z)}break}default:throw new u('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function Le(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=gt(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var K="given KeyObject instance cannot be used for this algorithm",I,We=async(t,e,r,s=!1)=>{I||=new WeakMap;let n=I.get(t);if(n?.[r])return n[r];let i=await Le({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:I.set(t,{[r]:i}),i},wt=(t,e)=>{I||=new WeakMap;let r=I.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(K)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(K);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(K);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(K)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(K);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(K);return r?r[e]=i:I.set(t,{[e]:i}),i};async function Je(t,e){if(t instanceof Uint8Array||O(t))return t;if(U(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return wt(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return We(t,r,e)}if(L(t))return t.k?X(t.k):We(t,t,e,!0);throw new Error("unreachable")}var Et=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
2
2
|
`);return`-----BEGIN ${e}-----
|
|
3
3
|
${r}
|
|
4
|
-
-----END ${e}-----`},Oe=async(t,e,r)=>{if(_(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!C(r))throw new TypeError(j(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return mt(B(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},Ne=t=>Oe("public","spki",t),Le=t=>Oe("private","pkcs8",t),de=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},yt=t=>({data:t,pos:0}),U=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var k=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},We=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},gt=t=>{k(t,6,"Expected algorithm OID");let e=U(t);return We(t,e)};function Et(t){k(t,48,"Invalid PKCS#8 structure"),U(t),k(t,2,"Expected version field");let e=U(t);t.pos+=e,k(t,48,"Expected algorithm identifier");let r=U(t);return{algIdStart:t.pos,algIdLength:r}}var St=t=>{let e=gt(t);if(de(e,[43,101,110]))return"X25519";if(!de(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");k(t,6,"Expected curve OID");let r=U(t),s=We(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(de(s,i))return n;throw new Error("Unsupported named curve")},wt=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new u("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new u('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},At=(t,e)=>F(t.replace(e,"")),Je=(t,e,r)=>{let s=At(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=yt(i);return Et(o),St(o)}),wt("pkcs8",s,e,n)};async function V(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Je(t,e,r)}async function ue(t){return Ne(t)}async function le(t){return Le(t)}function He(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new u(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var v=t=>t?.[Symbol.toStringTag],fe=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},bt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(D(e)){if(Ce(e)&&fe(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!ae(e))throw new TypeError(oe(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${v(e)} instances for symmetric algorithms must be of type "secret"`)}},xt=(t,e,r)=>{if(D(e))switch(r){case"decrypt":case"sign":if(ve(e)&&fe(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(Ie(e)&&fe(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!ae(e))throw new TypeError(oe(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${v(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${v(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${v(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${v(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${v(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function $e(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":bt(t,e,r);break;default:xt(t,e,r)}}var b=t=>Math.floor(t.getTime()/1e3),Me=60,Be=Me*60,me=Be*24,Pt=me*7,Kt=me*365.25,Rt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function he(t){let e=Rt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*Me);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Be);break;case"day":case"days":case"d":n=Math.round(r*me);break;case"week":case"weeks":case"w":n=Math.round(r*Pt);break;default:n=Math.round(r*Kt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function x(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var q=class{#e;constructor(e){if(!pe(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return H.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=x("setNotBefore",e):e instanceof Date?this.#e.nbf=x("setNotBefore",b(e)):this.#e.nbf=b(new Date)+he(e)}set exp(e){typeof e=="number"?this.#e.exp=x("setExpirationTime",e):e instanceof Date?this.#e.exp=x("setExpirationTime",b(e)):this.#e.exp=b(new Date)+he(e)}set iat(e){e===void 0?this.#e.iat=b(new Date):e instanceof Date?this.#e.iat=x("setIssuedAt",b(e)):typeof e=="string"?this.#e.iat=x("setIssuedAt",b(new Date)+he(e)):this.#e.iat=x("setIssuedAt",e)}};var P=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return ce(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return ce(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new w("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Te(this.#t,this.#r))throw new w("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=He(w,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new w('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new w('JWS "alg" (Algorithm) Header Parameter missing or invalid');$e(o,e,"sign");let a,c;i?(a=G(this.#e),c=M(a)):(c=this.#e,a="");let p,f;this.#t?(p=G(JSON.stringify(this.#t)),f=M(p)):(p="",f=new Uint8Array);let g=xe(f,M("."),c),A=await ke(e,o),E=await _e(o,A,g),h={signature:G(E),payload:a};return this.#r&&(h.header=this.#r),this.#t&&(h.protected=p),h}};var z=class{#e;constructor(e){this.#e=new P(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var O=class{#e;#t;constructor(e={}){this.#t=new q(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new z(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new Y("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function ye(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new u("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function ge(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new u("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new u('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}var d=require("node:fs"),y=require("node:path"),Ve=require("node:os"),Ae=require("node:crypto"),vt="https://id.botparty.club",It="EdDSA",Ct=15,Fe=6e4,_t=3e4,Dt="5m",Ut=3,kt=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Ot=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],l=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},Z=class extends l{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},ee=class extends l{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},W=class extends l{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},J=class extends l{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Ge(t){let e=(0,Ae.randomBytes)(4);return t[e.readUInt32BE(0)%t.length]}function Nt(){return`${Ge(kt)}-${Ge(Ot)}`}function Lt(){let t=Nt(),e=(0,Ae.randomBytes)(2).toString("hex");return`${t}-${e}`}function Wt(){return(0,y.join)((0,Ve.homedir)(),".botparty")}function be(t){(0,d.existsSync)(t)||(0,d.mkdirSync)(t,{recursive:!0,mode:448})}function Jt(t){let e=(0,y.join)(t,"identity.json");if(!(0,d.existsSync)(e))return null;try{return JSON.parse((0,d.readFileSync)(e,"utf-8"))}catch{return null}}function qe(t,e){be(t);let r=(0,y.join)(t,"identity.json"),s=r+".tmp";(0,d.writeFileSync)(s,JSON.stringify(e,null,2),{mode:384}),(0,d.renameSync)(s,r)}function Ht(t){let e=(0,y.join)(t,"private.pem");if(!(0,d.existsSync)(e))return null;try{return(0,d.readFileSync)(e,"utf-8")}catch{return null}}function ze(t,e){be(t);let r=(0,y.join)(t,"private.pem"),s=r+".tmp";(0,d.writeFileSync)(s,e,{mode:384}),(0,d.renameSync)(s,r)}function je(t){for(let e of["identity.json","private.pem"]){let r=(0,y.join)(t,e);(0,d.existsSync)(r)&&(0,d.unlinkSync)(r)}}function $t(t){let e=(0,y.join)(t,"rotation.lock");be(t);for(let r=0;r<2;r++)try{(0,d.writeFileSync)(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=(0,d.statSync)(e);if(Date.now()-n.mtimeMs>_t){(0,d.unlinkSync)(e);continue}}catch{continue}throw s}}function Mt(t){try{(0,d.unlinkSync)((0,y.join)(t,"rotation.lock"))}catch{}}async function Qe(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await ge(t,e),n=await le(r),i=await ue(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Bt(t,e,r){let s=await V(e,r);return(await new P(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function Se(t,e,r,s,n){let i=s,o=await V(r,i);return new O({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(Dt).sign(o)}async function m(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function we(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function Q(t){try{return await t.clone().json()}catch{return null}}function L(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var te=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},re=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await m(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new l({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await m(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new l({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await Qe(r.algorithm),o=await Se(r.namespace,r.keyId,s,r.algorithm),a=await m(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return ze(this.client.stateDir,i.privatePem),qe(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},se=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||N("BOTPARTY_SERVER_URL")||vt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||N("BOTPARTY_PROXY_URL")||N("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||N("BOTPARTY_STATE_DIR")||Wt(),this.algorithm=e.algorithm||It,this.rotationTTL=e.rotationTTL||Ct,this.inviteToken=e.inviteToken||N("BOTPARTY_INVITE_TOKEN"),this.keys=new re(this)}getIdentity(){return Jt(this.stateDir)}getPrivateKey(){return Ht(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Ut;){n||(n=Lt());let a=r||n,c=await Qe(this.algorithm),p=await m(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),f=await p.json();if(f.status==="already_registered")throw new l({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new l({code:f.error||"REGISTRATION_FAILED",message:f.message||f.error||"Registration failed",statusCode:p.status});let g=f.challenge,A=await Bt(g,c.privatePem,this.algorithm),E=await m(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:g,signature:A})});if(!E.ok)throw await this._apiError(E);let h=await E.json();return ze(this.stateDir,c.privatePem),qe(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:h.keyId,algorithm:this.algorithm,rotatedAt:h.rotatedAt,rotationTTL:h.rotationTTL,label:a,...h.parentNamespace&&{parentNamespace:h.parentNamespace},...h.inheritedScopes&&{inheritedScopes:h.inheritedScopes}}),h}throw new l({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Fe)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){$t(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Fe)return;await this.keys.rotateCurrent()}finally{Mt(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return Se(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=we(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await Q(o);if(a){let{code:c}=L(a);if(c==="KEY_STALE"){await this._lockedRotate();let p=await this.generateToken(),f=new Headers(r.headers);f.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:f})}}}if(o.status===403){let a=await Q(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let g=a.proxyUrl.replace(/\/$/,""),A=we(e,g),E=new Headers(r.headers);return E.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(A,{...r,headers:E})}let p=a.approval_url||a.authorizationUrl;if(p){let g=c==="scope_refused",A=a.missing_scopes||a.missingScopes;throw g||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new W({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:A}):new J({message:a.message||"Missing required credentials",actionUrl:p})}let{code:f}=L(a);Ye(f)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await Q(o);if(a){let{code:c}=L(a);(Ye(c)||o.status===402||o.status===423)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await m(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await m(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);je(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await Se(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new te(this,e)}reset(){je(this.stateDir)}async _apiError(e){let r=await Q(e);if(!r)return new l({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=L(r);return new l({code:s,message:n,statusCode:e.status,actionUrl:i})}},Ft=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ye(t){return Ft.has(t.toUpperCase())}function Xe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=L(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new Z({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new ee({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new J({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new W({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new l({code:n,message:i,statusCode:t,actionUrl:o})}var Ee=null;function Gt(t){return Ee||(Ee=new se(t)),Ee}async function jt(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Gt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function N(t){if(typeof process<"u"&&process.env)return process.env[t]}0&&(module.exports={BotPartyClient,BotPartyError,InsufficientPermissionError,Key,KeyManager,LinkRequiredError,NamespaceLockedError,PaymentRequiredError,botpartyFetch,toProxyUrl});
|
|
4
|
+
-----END ${e}-----`},$e=async(t,e,r)=>{if(U(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!O(r))throw new TypeError(q(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return Et(G(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},He=t=>$e("public","spki",t),Me=t=>$e("private","pkcs8",t),fe=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},St=t=>({data:t,pos:0}),W=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var J=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Be=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},At=t=>{J(t,6,"Expected algorithm OID");let e=W(t);return Be(t,e)};function bt(t){J(t,48,"Invalid PKCS#8 structure"),W(t),J(t,2,"Expected version field");let e=W(t);t.pos+=e,J(t,48,"Expected algorithm identifier");let r=W(t);return{algIdStart:t.pos,algIdLength:r}}var Pt=t=>{let e=At(t);if(fe(e,[43,101,110]))return"X25519";if(!fe(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");J(t,6,"Expected curve OID");let r=W(t),s=Be(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(fe(s,i))return n;throw new Error("Unsupported named curve")},xt=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new u("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new u('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},Tt=(t,e)=>Y(t.replace(e,"")),Fe=(t,e,r)=>{let s=Tt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=St(i);return bt(o),Pt(o)}),xt("pkcs8",s,e,n)};async function Q(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Fe(t,e,r)}async function me(t){return He(t)}async function ye(t){return Me(t)}function je(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new u(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var C=t=>t?.[Symbol.toStringTag],ge=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},vt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(L(e)){if(Ue(e)&&ge(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!le(e))throw new TypeError(ue(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${C(e)} instances for symmetric algorithms must be of type "secret"`)}},Rt=(t,e,r)=>{if(L(e))switch(r){case"decrypt":case"sign":if(De(e)&&ge(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(Oe(e)&&ge(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!le(e))throw new TypeError(ue(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${C(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${C(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${C(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${C(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${C(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Ge(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":vt(t,e,r);break;default:Rt(t,e,r)}}var P=t=>Math.floor(t.getTime()/1e3),Ye=60,Xe=Ye*60,Ee=Xe*24,Kt=Ee*7,It=Ee*365.25,Ct=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function we(t){let e=Ct.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*Ye);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Xe);break;case"day":case"days":case"d":n=Math.round(r*Ee);break;case"week":case"weeks":case"w":n=Math.round(r*Kt);break;default:n=Math.round(r*It);break}return e[1]==="-"||e[4]==="ago"?-n:n}function x(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var Z=class{#e;constructor(e){if(!N(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return F.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=x("setNotBefore",e):e instanceof Date?this.#e.nbf=x("setNotBefore",P(e)):this.#e.nbf=P(new Date)+we(e)}set exp(e){typeof e=="number"?this.#e.exp=x("setExpirationTime",e):e instanceof Date?this.#e.exp=x("setExpirationTime",P(e)):this.#e.exp=P(new Date)+we(e)}set iat(e){e===void 0?this.#e.iat=P(new Date):e instanceof Date?this.#e.iat=x("setIssuedAt",P(e)):typeof e=="string"?this.#e.iat=x("setIssuedAt",P(new Date)+we(e)):this.#e.iat=x("setIssuedAt",e)}};var T=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return he(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return he(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new A("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!ke(this.#t,this.#r))throw new A("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=je(A,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new A('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new A('JWS "alg" (Algorithm) Header Parameter missing or invalid');Ge(o,e,"sign");let a,c;i?(a=V(this.#e),c=j(a)):(c=this.#e,a="");let p,f;this.#t?(p=V(JSON.stringify(this.#t)),f=j(p)):(p="",f=new Uint8Array);let g=Ie(f,j("."),c),y=await Je(e,o),b=await Ne(o,y,g),k={signature:V(b),payload:a};return this.#r&&(k.header=this.#r),this.#t&&(k.protected=p),k}};var ee=class{#e;constructor(e){this.#e=new T(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var $=class{#e;#t;constructor(e={}){this.#t=new Z(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new ee(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new m("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function te(t){if(typeof t!="string")throw new m("JWTs must use Compact JWS serialization, JWT must be a string");let{1:e,length:r}=t.split(".");if(r===5)throw new m("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new m("Invalid JWT");if(!e)throw new m("JWTs must contain a payload");let s;try{s=X(e)}catch{throw new m("Failed to base64url decode the payload")}let n;try{n=JSON.parse(v.decode(s))}catch{throw new m("Failed to parse the decoded payload as JSON")}if(!N(n))throw new m("Invalid JWT Claims Set");return n}function Se(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new u("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function Ae(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:Se(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:Se(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:Se(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new u("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new u('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}var d=require("node:fs"),w=require("node:path"),et=require("node:os"),ve=require("node:crypto"),kt="https://id.botparty.club",Dt="EdDSA",Ot=15,Ve=6e4,Ut=3e4,Nt="5m",Lt=3,Wt=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Jt=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],h=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},se=class extends h{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},ne=class extends h{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},M=class extends h{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},B=class extends h{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function qe(t){let e=(0,ve.randomBytes)(4);return t[e.readUInt32BE(0)%t.length]}function $t(){return`${qe(Wt)}-${qe(Jt)}`}function Ht(){let t=$t(),e=(0,ve.randomBytes)(2).toString("hex");return`${t}-${e}`}function Mt(){return(0,w.join)((0,et.homedir)(),".botparty")}function Re(t){(0,d.existsSync)(t)||(0,d.mkdirSync)(t,{recursive:!0,mode:448})}function Bt(t){let e=(0,w.join)(t,"identity.json");if(!(0,d.existsSync)(e))return null;try{return JSON.parse((0,d.readFileSync)(e,"utf-8"))}catch{return null}}function Pe(t,e){Re(t);let r=(0,w.join)(t,"identity.json"),s=r+".tmp";(0,d.writeFileSync)(s,JSON.stringify(e,null,2),{mode:384}),(0,d.renameSync)(s,r)}function Ft(t){let e=(0,w.join)(t,"private.pem");if(!(0,d.existsSync)(e))return null;try{return(0,d.readFileSync)(e,"utf-8")}catch{return null}}function tt(t,e){Re(t);let r=(0,w.join)(t,"private.pem"),s=r+".tmp";(0,d.writeFileSync)(s,e,{mode:384}),(0,d.renameSync)(s,r)}function ze(t){for(let e of["identity.json","private.pem"]){let r=(0,w.join)(t,e);(0,d.existsSync)(r)&&(0,d.unlinkSync)(r)}}function jt(t){let e=(0,w.join)(t,"rotation.lock");Re(t);for(let r=0;r<2;r++)try{(0,d.writeFileSync)(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=(0,d.statSync)(e);if(Date.now()-n.mtimeMs>Ut){(0,d.unlinkSync)(e);continue}}catch{continue}throw s}}function Gt(t){try{(0,d.unlinkSync)((0,w.join)(t,"rotation.lock"))}catch{}}async function rt(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await Ae(t,e),n=await ye(r),i=await me(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Yt(t,e,r){let s=await Q(e,r);return(await new T(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function xe(t,e,r,s,n,i){let o=s,a=await Q(r,o);return new $({...n}).setProtectedHeader({alg:o,kid:e}).setIssuer(t).setSubject(i??t).setIssuedAt().setExpirationTime(Nt).sign(a)}async function l(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function Te(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function re(t){try{return await t.clone().json()}catch{return null}}function H(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var ie=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},oe=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await l(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new h({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await l(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new h({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await rt(r.algorithm),o=await xe(r.namespace,r.keyId,s,r.algorithm),a=await l(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return tt(this.client.stateDir,i.privatePem),Pe(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},ae=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||_("BOTPARTY_SERVER_URL")||kt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||_("BOTPARTY_PROXY_URL")||_("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||_("BOTPARTY_STATE_DIR")||Mt(),this.algorithm=e.algorithm||Dt,this.rotationTTL=e.rotationTTL||Ot,this.inviteToken=e.inviteToken||_("BOTPARTY_INVITE_TOKEN"),this.keys=new oe(this)}getIdentity(){return Bt(this.stateDir)}getPrivateKey(){return Ft(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken,a=o,c;if(o)try{te(o).typ==="org_invite"&&(a=void 0,c=o)}catch{}for(;i<Lt;){n||(n=Ht());let p=r||n,f=await rt(this.algorithm),g=await l(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:f.publicPem,rotationTTL:this.rotationTTL,...a&&{inviteToken:a}})}),y=await g.json();if(y.status==="already_registered")throw new h({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(g.status===409&&!e){n=void 0,i++;continue}if(!g.ok)throw new h({code:y.error||"REGISTRATION_FAILED",message:y.message||y.error||"Registration failed",statusCode:g.status});let b=y.challenge,k=await Yt(b,f.privatePem,this.algorithm),ce=await l(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:b,signature:k})});if(!ce.ok)throw await this._apiError(ce);let E=await ce.json();if(tt(this.stateDir,f.privatePem),Pe(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:E.keyId,algorithm:this.algorithm,rotatedAt:E.rotatedAt,rotationTTL:E.rotationTTL,label:p,...E.parentNamespace&&{parentNamespace:E.parentNamespace},...E.inheritedScopes&&{inheritedScopes:E.inheritedScopes}}),c)try{let Ke=await this.redeemOrgInvite(c);Ke.orgId&&this.setActAs(Ke.orgId)}catch{}return E}throw new h({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;let r=this.inviteToken,s=!1;if(r)try{s=te(r).typ==="org_invite"}catch{}if(await this.register(void 0,void 0,{inviteToken:s?void 0:r}),!this.getIdentity())throw new Error("Registration succeeded but identity could not be read");if(s&&r)try{let i=await this.redeemOrgInvite(r);i.orgId&&this.setActAs(i.orgId)}catch{}return this.getIdentity()}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Ve)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){jt(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Ve)return;await this.keys.rotateCurrent()}finally{Gt(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey(),n=this.getActAs(),i=n??r.namespace,o=n?r.namespace:void 0;return xe(i,r.keyId,s,r.algorithm,e,o)}async fetch(e,r={}){let s=await this.generateToken(),n=Te(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await re(o);if(a){let{code:c}=H(a);if(c==="KEY_STALE"){await this._lockedRotate();let p=await this.generateToken(),f=new Headers(r.headers);f.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:f})}}}if(o.status===403){let a=await re(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let g=a.proxyUrl.replace(/\/$/,""),y=Te(e,g),b=new Headers(r.headers);return b.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(y,{...r,headers:b})}let p=a.approval_url||a.authorizationUrl;if(p){let g=c==="scope_refused",y=a.missing_scopes||a.missingScopes;throw g||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new M({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:y}):new B({message:a.message||"Missing required credentials",actionUrl:p})}let{code:f}=H(a);Qe(f)&&Ze(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await re(o);if(a){let{code:c}=H(a);(Qe(c)||o.status===402||o.status===423)&&Ze(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await l(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await l(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);ze(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await xe(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl,actAs:this.getActAs()}}getActAs(){return _("BOTPARTY_ACT_AS")||this.getIdentity()?.actAs}setActAs(e){let r=this.getIdentity();if(!r)throw new Error("Not registered");e===void 0?delete r.actAs:r.actAs=e,Pe(this.stateDir,r)}async listOrgs(){let e=await this.generateToken(),r=await l(this.serverUrl,"/api/v1/orgs",{token:e});if(!r.ok)throw new Error(`Failed to list orgs: ${r.status}`);return r.json()}async createOrg(e,r=""){let s=await this.generateToken(),n=await l(this.serverUrl,"/api/v1/orgs",{method:"POST",token:s,body:JSON.stringify({name:e,description:r})});if(!n.ok)throw new Error(`Failed to create org: ${n.status}`);return n.json()}async quitOrg(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}/quit`,{method:"POST",token:r});if(!s.ok)throw new Error(`Failed to quit org: ${s.status}`)}async createOrgInvite(e,r){let s=await this.generateToken(),n=await l(this.serverUrl,`/api/v1/orgs/${e}/invites`,{method:"POST",token:s,body:JSON.stringify(r?{expiresIn:r}:{})});if(!n.ok)throw new Error(`Failed to create org invite: ${n.status}`);return n.json()}async redeemOrgInvite(e){let r=await this.generateToken(),s=await l(this.serverUrl,"/api/v1/orgs/invites/redeem",{method:"POST",token:r,body:JSON.stringify({inviteToken:e})});if(!s.ok)throw new Error(`Failed to redeem org invite: ${s.status}`);return s.json()}async listOrgMembers(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}/members`,{token:r});if(!s.ok)throw new Error(`Failed to list org members: ${s.status}`);return s.json()}async removeOrgMember(e,r){let s=await this.generateToken(),n=await l(this.serverUrl,`/api/v1/orgs/${e}/members/${r}`,{method:"DELETE",token:s});if(!n.ok)throw new Error(`Failed to remove org member: ${n.status}`)}async updateMemberRole(e,r,s){let n=await this.generateToken(),i=await l(this.serverUrl,`/api/v1/orgs/${e}/members/${r}/role`,{method:"PATCH",token:n,body:JSON.stringify({role:s})});if(!i.ok)throw new Error(`Failed to update member role: ${i.status}`);return i.json()}async deleteOrg(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}`,{method:"DELETE",token:r});if(!s.ok)throw new Error(`Failed to delete org: ${s.status}`);return s.json()}key(e){return new ie(this,e)}reset(){ze(this.stateDir)}async _apiError(e){let r=await re(e);if(!r)return new h({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=H(r);return new h({code:s,message:n,statusCode:e.status,actionUrl:i})}},Xt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Qe(t){return Xt.has(t.toUpperCase())}function Ze(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=H(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new se({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new ne({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new B({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new M({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new h({code:n,message:i,statusCode:t,actionUrl:o})}var be=null;function Vt(t){return be||(be=new ae(t)),be}async function qt(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Vt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function _(t){if(typeof process<"u"&&process.env)return process.env[t]}0&&(module.exports={BotPartyClient,BotPartyError,InsufficientPermissionError,Key,KeyManager,LinkRequiredError,NamespaceLockedError,PaymentRequiredError,botpartyFetch,toProxyUrl});
|
package/dist/index.d.cts
CHANGED
|
@@ -29,6 +29,7 @@ export interface Identity {
|
|
|
29
29
|
label?: string;
|
|
30
30
|
parentNamespace?: string;
|
|
31
31
|
inheritedScopes?: string[];
|
|
32
|
+
actAs?: string;
|
|
32
33
|
}
|
|
33
34
|
export interface RegistrationResult {
|
|
34
35
|
namespace: string;
|
|
@@ -231,7 +232,50 @@ export declare class BotPartyClient {
|
|
|
231
232
|
staleAt: string;
|
|
232
233
|
label?: string;
|
|
233
234
|
serverUrl: string;
|
|
235
|
+
actAs?: string;
|
|
234
236
|
} | null;
|
|
237
|
+
getActAs(): string | undefined;
|
|
238
|
+
setActAs(orgId: string | undefined): void;
|
|
239
|
+
listOrgs(): Promise<{
|
|
240
|
+
organizations: Array<{
|
|
241
|
+
id: string;
|
|
242
|
+
name: string;
|
|
243
|
+
description: string;
|
|
244
|
+
role: string;
|
|
245
|
+
}>;
|
|
246
|
+
}>;
|
|
247
|
+
createOrg(name: string, description?: string): Promise<{
|
|
248
|
+
organization: {
|
|
249
|
+
id: string;
|
|
250
|
+
name: string;
|
|
251
|
+
description: string;
|
|
252
|
+
};
|
|
253
|
+
}>;
|
|
254
|
+
quitOrg(orgId: string): Promise<void>;
|
|
255
|
+
createOrgInvite(orgId: string, expiresIn?: string): Promise<{
|
|
256
|
+
inviteToken: string;
|
|
257
|
+
tokenId: string;
|
|
258
|
+
}>;
|
|
259
|
+
redeemOrgInvite(inviteToken: string): Promise<{
|
|
260
|
+
orgId: string;
|
|
261
|
+
}>;
|
|
262
|
+
listOrgMembers(orgId: string): Promise<{
|
|
263
|
+
members: Array<{
|
|
264
|
+
namespace: string;
|
|
265
|
+
role: string;
|
|
266
|
+
joinedAt: string;
|
|
267
|
+
}>;
|
|
268
|
+
}>;
|
|
269
|
+
removeOrgMember(orgId: string, namespace: string): Promise<void>;
|
|
270
|
+
updateMemberRole(orgId: string, namespace: string, role: 'admin' | 'member'): Promise<{
|
|
271
|
+
ok: boolean;
|
|
272
|
+
role: string;
|
|
273
|
+
changed: boolean;
|
|
274
|
+
}>;
|
|
275
|
+
deleteOrg(orgId: string): Promise<{
|
|
276
|
+
ok: boolean;
|
|
277
|
+
dissolved: boolean;
|
|
278
|
+
}>;
|
|
235
279
|
/**
|
|
236
280
|
* Get a fluent Key object for a specific key ID.
|
|
237
281
|
*
|
package/dist/index.d.ts
CHANGED
|
@@ -29,6 +29,7 @@ export interface Identity {
|
|
|
29
29
|
label?: string;
|
|
30
30
|
parentNamespace?: string;
|
|
31
31
|
inheritedScopes?: string[];
|
|
32
|
+
actAs?: string;
|
|
32
33
|
}
|
|
33
34
|
export interface RegistrationResult {
|
|
34
35
|
namespace: string;
|
|
@@ -231,7 +232,50 @@ export declare class BotPartyClient {
|
|
|
231
232
|
staleAt: string;
|
|
232
233
|
label?: string;
|
|
233
234
|
serverUrl: string;
|
|
235
|
+
actAs?: string;
|
|
234
236
|
} | null;
|
|
237
|
+
getActAs(): string | undefined;
|
|
238
|
+
setActAs(orgId: string | undefined): void;
|
|
239
|
+
listOrgs(): Promise<{
|
|
240
|
+
organizations: Array<{
|
|
241
|
+
id: string;
|
|
242
|
+
name: string;
|
|
243
|
+
description: string;
|
|
244
|
+
role: string;
|
|
245
|
+
}>;
|
|
246
|
+
}>;
|
|
247
|
+
createOrg(name: string, description?: string): Promise<{
|
|
248
|
+
organization: {
|
|
249
|
+
id: string;
|
|
250
|
+
name: string;
|
|
251
|
+
description: string;
|
|
252
|
+
};
|
|
253
|
+
}>;
|
|
254
|
+
quitOrg(orgId: string): Promise<void>;
|
|
255
|
+
createOrgInvite(orgId: string, expiresIn?: string): Promise<{
|
|
256
|
+
inviteToken: string;
|
|
257
|
+
tokenId: string;
|
|
258
|
+
}>;
|
|
259
|
+
redeemOrgInvite(inviteToken: string): Promise<{
|
|
260
|
+
orgId: string;
|
|
261
|
+
}>;
|
|
262
|
+
listOrgMembers(orgId: string): Promise<{
|
|
263
|
+
members: Array<{
|
|
264
|
+
namespace: string;
|
|
265
|
+
role: string;
|
|
266
|
+
joinedAt: string;
|
|
267
|
+
}>;
|
|
268
|
+
}>;
|
|
269
|
+
removeOrgMember(orgId: string, namespace: string): Promise<void>;
|
|
270
|
+
updateMemberRole(orgId: string, namespace: string, role: 'admin' | 'member'): Promise<{
|
|
271
|
+
ok: boolean;
|
|
272
|
+
role: string;
|
|
273
|
+
changed: boolean;
|
|
274
|
+
}>;
|
|
275
|
+
deleteOrg(orgId: string): Promise<{
|
|
276
|
+
ok: boolean;
|
|
277
|
+
dissolved: boolean;
|
|
278
|
+
}>;
|
|
235
279
|
/**
|
|
236
280
|
* Get a fluent Key object for a specific key ID.
|
|
237
281
|
*
|
package/dist/index.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
var
|
|
1
|
+
var H=new TextEncoder,T=new TextDecoder,Vt=2**32;function Ke(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function M(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function B(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function F(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function j(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:T.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=T.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return F(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function G(t){let e=t;return typeof e=="string"&&(e=H.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):B(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var w=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),v=(t,e)=>t.name===e;function it(t){return parseInt(t.name.slice(4),10)}function ne(t,e){if(it(t.hash)!==e)throw w(`SHA-${e}`,"algorithm.hash")}function ot(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function at(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Ie(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!v(t.algorithm,"HMAC"))throw w("HMAC");ne(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!v(t.algorithm,"RSASSA-PKCS1-v1_5"))throw w("RSASSA-PKCS1-v1_5");ne(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!v(t.algorithm,"RSA-PSS"))throw w("RSA-PSS");ne(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!v(t.algorithm,"Ed25519"))throw w("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!v(t.algorithm,e))throw w(e);break}case"ES256":case"ES384":case"ES512":{if(!v(t.algorithm,"ECDSA"))throw w("ECDSA");let s=ot(e);if(t.algorithm.namedCurve!==s)throw w(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}at(t,r)}function Ce(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var Y=(t,...e)=>Ce("Key must be ",t,...e),ie=(t,e,...r)=>Ce(`Key for the ${t} algorithm must be `,e,...r);var k=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var p=class extends k{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var E=class extends k{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},f=class extends k{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var D=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},O=t=>t?.[Symbol.toStringTag]==="KeyObject",oe=t=>D(t)||O(t);var ir=Symbol();function ae(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var ct=t=>typeof t=="object"&&t!==null;function U(t){if(!ct(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function _e(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var N=t=>U(t)&&typeof t.kty=="string",ke=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),De=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Oe=t=>t.kty==="oct"&&typeof t.k=="string";function pt(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function ut(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new p(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function lt(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(Y(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Ie(e,t,r),e}async function Ue(t,e,r){let s=await lt(t,e,"sign");pt(t,s);let n=await crypto.subtle.sign(ut(t,s.algorithm),s,r);return new Uint8Array(n)}var X='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function ht(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new p(X)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new p(X)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new p(X)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new p(X)}break}default:throw new p('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function Ne(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=ht(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var R="given KeyObject instance cannot be used for this algorithm",K,Le=async(t,e,r,s=!1)=>{K||=new WeakMap;let n=K.get(t);if(n?.[r])return n[r];let i=await Ne({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:K.set(t,{[r]:i}),i},ft=(t,e)=>{K||=new WeakMap;let r=K.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(R)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(R)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(R);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(R);return r?r[e]=i:K.set(t,{[e]:i}),i};async function We(t,e){if(t instanceof Uint8Array||D(t))return t;if(O(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return ft(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return Le(t,r,e)}if(N(t))return t.k?j(t.k):Le(t,t,e,!0);throw new Error("unreachable")}var mt=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
2
2
|
`);return`-----BEGIN ${e}-----
|
|
3
3
|
${r}
|
|
4
|
-
-----END ${e}-----`},ke=async(t,e,r)=>{if(C(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!I(r))throw new TypeError(B(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return ut(H(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},Oe=t=>ke("public","spki",t),Ne=t=>ke("private","pkcs8",t),ne=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},lt=t=>({data:t,pos:0}),D=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var U=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Le=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},ft=t=>{U(t,6,"Expected algorithm OID");let e=D(t);return Le(t,e)};function ht(t){U(t,48,"Invalid PKCS#8 structure"),D(t),U(t,2,"Expected version field");let e=D(t);t.pos+=e,U(t,48,"Expected algorithm identifier");let r=D(t);return{algIdStart:t.pos,algIdLength:r}}var mt=t=>{let e=ft(t);if(ne(e,[43,101,110]))return"X25519";if(!ne(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");U(t,6,"Expected curve OID");let r=D(t),s=Le(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ne(s,i))return n;throw new Error("Unsupported named curve")},yt=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new d("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new d('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},gt=(t,e)=>$(t.replace(e,"")),We=(t,e,r)=>{let s=gt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=lt(i);return ht(o),mt(o)}),yt("pkcs8",s,e,n)};async function j(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return We(t,e,r)}async function ie(t){return Oe(t)}async function oe(t){return Ne(t)}function Je(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new d(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var T=t=>t?.[Symbol.toStringTag],ae=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},Et=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(_(e)){if(Ie(e)&&ae(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!te(e))throw new TypeError(ee(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${T(e)} instances for symmetric algorithms must be of type "secret"`)}},St=(t,e,r)=>{if(_(e))switch(r){case"decrypt":case"sign":if(Te(e)&&ae(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(ve(e)&&ae(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!te(e))throw new TypeError(ee(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${T(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${T(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${T(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${T(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${T(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function He(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":Et(t,e,r);break;default:St(t,e,r)}}var A=t=>Math.floor(t.getTime()/1e3),$e=60,Me=$e*60,pe=Me*24,wt=pe*7,At=pe*365.25,bt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function ce(t){let e=bt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*$e);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Me);break;case"day":case"days":case"d":n=Math.round(r*pe);break;case"week":case"weeks":case"w":n=Math.round(r*wt);break;default:n=Math.round(r*At);break}return e[1]==="-"||e[4]==="ago"?-n:n}function b(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var Y=class{#e;constructor(e){if(!se(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return L.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=b("setNotBefore",e):e instanceof Date?this.#e.nbf=b("setNotBefore",A(e)):this.#e.nbf=A(new Date)+ce(e)}set exp(e){typeof e=="number"?this.#e.exp=b("setExpirationTime",e):e instanceof Date?this.#e.exp=b("setExpirationTime",A(e)):this.#e.exp=A(new Date)+ce(e)}set iat(e){e===void 0?this.#e.iat=A(new Date):e instanceof Date?this.#e.iat=b("setIssuedAt",A(e)):typeof e=="string"?this.#e.iat=b("setIssuedAt",A(new Date)+ce(e)):this.#e.iat=b("setIssuedAt",e)}};var x=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return re(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return re(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new E("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Re(this.#t,this.#r))throw new E("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=Je(E,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new E('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new E('JWS "alg" (Algorithm) Header Parameter missing or invalid');He(o,e,"sign");let a,c;i?(a=M(this.#e),c=J(a)):(c=this.#e,a="");let p,u;this.#t?(p=M(JSON.stringify(this.#t)),u=J(p)):(p="",u=new Uint8Array);let m=be(u,J("."),c),w=await Ue(e,o),y=await Ce(o,w,m),f={signature:M(y),payload:a};return this.#r&&(f.header=this.#r),this.#t&&(f.protected=p),f}};var X=class{#e;constructor(e){this.#e=new x(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var k=class{#e;#t;constructor(e={}){this.#t=new Y(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new X(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new F("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function de(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new d("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function ue(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new d("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new d('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}import{readFileSync as Ve,writeFileSync as Se,mkdirSync as Pt,existsSync as Q,unlinkSync as we,statSync as Kt,renameSync as qe}from"node:fs";import{join as S}from"node:path";import{homedir as Rt}from"node:os";import{randomBytes as ze}from"node:crypto";var Tt="https://id.botparty.club",vt="EdDSA",It=15,Be=6e4,Ct=3e4,_t="5m",Dt=3,Ut=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],kt=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],l=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},fe=class extends l{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},he=class extends l{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},q=class extends l{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},z=class extends l{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Fe(t){let e=ze(4);return t[e.readUInt32BE(0)%t.length]}function Ot(){return`${Fe(Ut)}-${Fe(kt)}`}function Nt(){let t=Ot(),e=ze(2).toString("hex");return`${t}-${e}`}function Lt(){return S(Rt(),".botparty")}function Ae(t){Q(t)||Pt(t,{recursive:!0,mode:448})}function Wt(t){let e=S(t,"identity.json");if(!Q(e))return null;try{return JSON.parse(Ve(e,"utf-8"))}catch{return null}}function Qe(t,e){Ae(t);let r=S(t,"identity.json"),s=r+".tmp";Se(s,JSON.stringify(e,null,2),{mode:384}),qe(s,r)}function Jt(t){let e=S(t,"private.pem");if(!Q(e))return null;try{return Ve(e,"utf-8")}catch{return null}}function Ze(t,e){Ae(t);let r=S(t,"private.pem"),s=r+".tmp";Se(s,e,{mode:384}),qe(s,r)}function Ge(t){for(let e of["identity.json","private.pem"]){let r=S(t,e);Q(r)&&we(r)}}function Ht(t){let e=S(t,"rotation.lock");Ae(t);for(let r=0;r<2;r++)try{Se(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=Kt(e);if(Date.now()-n.mtimeMs>Ct){we(e);continue}}catch{continue}throw s}}function $t(t){try{we(S(t,"rotation.lock"))}catch{}}async function et(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await ue(t,e),n=await oe(r),i=await ie(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Mt(t,e,r){let s=await j(e,r);return(await new x(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function me(t,e,r,s,n){let i=s,o=await j(r,i);return new k({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(_t).sign(o)}async function h(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function je(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function V(t){try{return await t.clone().json()}catch{return null}}function N(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var ye=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},ge=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new l({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new l({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await et(r.algorithm),o=await me(r.namespace,r.keyId,s,r.algorithm),a=await h(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return Ze(this.client.stateDir,i.privatePem),Qe(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},Ee=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||O("BOTPARTY_SERVER_URL")||Tt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||O("BOTPARTY_PROXY_URL")||O("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||O("BOTPARTY_STATE_DIR")||Lt(),this.algorithm=e.algorithm||vt,this.rotationTTL=e.rotationTTL||It,this.inviteToken=e.inviteToken||O("BOTPARTY_INVITE_TOKEN"),this.keys=new ge(this)}getIdentity(){return Wt(this.stateDir)}getPrivateKey(){return Jt(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Dt;){n||(n=Nt());let a=r||n,c=await et(this.algorithm),p=await h(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),u=await p.json();if(u.status==="already_registered")throw new l({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new l({code:u.error||"REGISTRATION_FAILED",message:u.message||u.error||"Registration failed",statusCode:p.status});let m=u.challenge,w=await Mt(m,c.privatePem,this.algorithm),y=await h(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:m,signature:w})});if(!y.ok)throw await this._apiError(y);let f=await y.json();return Ze(this.stateDir,c.privatePem),Qe(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:f.keyId,algorithm:this.algorithm,rotatedAt:f.rotatedAt,rotationTTL:f.rotationTTL,label:a,...f.parentNamespace&&{parentNamespace:f.parentNamespace},...f.inheritedScopes&&{inheritedScopes:f.inheritedScopes}}),f}throw new l({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Be)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){Ht(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Be)return;await this.keys.rotateCurrent()}finally{$t(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return me(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=je(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await V(o);if(a){let{code:c}=N(a);if(c==="KEY_STALE"){await this._lockedRotate();let p=await this.generateToken(),u=new Headers(r.headers);u.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:u})}}}if(o.status===403){let a=await V(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let m=a.proxyUrl.replace(/\/$/,""),w=je(e,m),y=new Headers(r.headers);return y.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(w,{...r,headers:y})}let p=a.approval_url||a.authorizationUrl;if(p){let m=c==="scope_refused",w=a.missing_scopes||a.missingScopes;throw m||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new q({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:w}):new z({message:a.message||"Missing required credentials",actionUrl:p})}let{code:u}=N(a);Ye(u)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await V(o);if(a){let{code:c}=N(a);(Ye(c)||o.status===402||o.status===423)&&Xe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await h(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await h(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);Ge(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await me(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new ye(this,e)}reset(){Ge(this.stateDir)}async _apiError(e){let r=await V(e);if(!r)return new l({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=N(r);return new l({code:s,message:n,statusCode:e.status,actionUrl:i})}},Bt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ye(t){return Bt.has(t.toUpperCase())}function Xe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=N(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new fe({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new he({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new z({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new q({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new l({code:n,message:i,statusCode:t,actionUrl:o})}var le=null;function Ft(t){return le||(le=new Ee(t)),le}async function ls(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Ft({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function O(t){if(typeof process<"u"&&process.env)return process.env[t]}export{Ee as BotPartyClient,l as BotPartyError,q as InsufficientPermissionError,ye as Key,ge as KeyManager,z as LinkRequiredError,fe as NamespaceLockedError,he as PaymentRequiredError,ls as botpartyFetch,je as toProxyUrl};
|
|
4
|
+
-----END ${e}-----`},Je=async(t,e,r)=>{if(O(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!D(r))throw new TypeError(Y(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return mt(B(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},$e=t=>Je("public","spki",t),He=t=>Je("private","pkcs8",t),ce=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},yt=t=>({data:t,pos:0}),L=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var W=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Me=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},gt=t=>{W(t,6,"Expected algorithm OID");let e=L(t);return Me(t,e)};function wt(t){W(t,48,"Invalid PKCS#8 structure"),L(t),W(t,2,"Expected version field");let e=L(t);t.pos+=e,W(t,48,"Expected algorithm identifier");let r=L(t);return{algIdStart:t.pos,algIdLength:r}}var Et=t=>{let e=gt(t);if(ce(e,[43,101,110]))return"X25519";if(!ce(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");W(t,6,"Expected curve OID");let r=L(t),s=Me(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ce(s,i))return n;throw new Error("Unsupported named curve")},St=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let d=s.getNamedCurve(e);n=d==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:d}}catch{throw new p("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new p('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},At=(t,e)=>F(t.replace(e,"")),Be=(t,e,r)=>{let s=At(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=yt(i);return wt(o),Et(o)}),St("pkcs8",s,e,n)};async function V(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Be(t,e,r)}async function de(t){return $e(t)}async function pe(t){return He(t)}function Fe(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new p(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var I=t=>t?.[Symbol.toStringTag],ue=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},bt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(N(e)){if(Oe(e)&&ue(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!oe(e))throw new TypeError(ie(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${I(e)} instances for symmetric algorithms must be of type "secret"`)}},Pt=(t,e,r)=>{if(N(e))switch(r){case"decrypt":case"sign":if(ke(e)&&ue(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(De(e)&&ue(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!oe(e))throw new TypeError(ie(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${I(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${I(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${I(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${I(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${I(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function je(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":bt(t,e,r);break;default:Pt(t,e,r)}}var b=t=>Math.floor(t.getTime()/1e3),Ge=60,Ye=Ge*60,he=Ye*24,xt=he*7,Tt=he*365.25,vt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function le(t){let e=vt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*Ge);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Ye);break;case"day":case"days":case"d":n=Math.round(r*he);break;case"week":case"weeks":case"w":n=Math.round(r*xt);break;default:n=Math.round(r*Tt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function P(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var q=class{#e;constructor(e){if(!U(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return H.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=P("setNotBefore",e):e instanceof Date?this.#e.nbf=P("setNotBefore",b(e)):this.#e.nbf=b(new Date)+le(e)}set exp(e){typeof e=="number"?this.#e.exp=P("setExpirationTime",e):e instanceof Date?this.#e.exp=P("setExpirationTime",b(e)):this.#e.exp=b(new Date)+le(e)}set iat(e){e===void 0?this.#e.iat=b(new Date):e instanceof Date?this.#e.iat=P("setIssuedAt",b(e)):typeof e=="string"?this.#e.iat=P("setIssuedAt",b(new Date)+le(e)):this.#e.iat=P("setIssuedAt",e)}};var x=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return ae(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return ae(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new E("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!_e(this.#t,this.#r))throw new E("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=Fe(E,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new E('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new E('JWS "alg" (Algorithm) Header Parameter missing or invalid');je(o,e,"sign");let a,c;i?(a=G(this.#e),c=M(a)):(c=this.#e,a="");let d,h;this.#t?(d=G(JSON.stringify(this.#t)),h=M(d)):(d="",h=new Uint8Array);let y=Ke(h,M("."),c),m=await We(e,o),A=await Ue(o,m,y),_={signature:G(A),payload:a};return this.#r&&(_.header=this.#r),this.#t&&(_.protected=d),_}};var z=class{#e;constructor(e){this.#e=new x(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var J=class{#e;#t;constructor(e={}){this.#t=new q(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new z(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new f("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function Q(t){if(typeof t!="string")throw new f("JWTs must use Compact JWS serialization, JWT must be a string");let{1:e,length:r}=t.split(".");if(r===5)throw new f("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new f("Invalid JWT");if(!e)throw new f("JWTs must contain a payload");let s;try{s=j(e)}catch{throw new f("Failed to base64url decode the payload")}let n;try{n=JSON.parse(T.decode(s))}catch{throw new f("Failed to parse the decoded payload as JSON")}if(!U(n))throw new f("Invalid JWT Claims Set");return n}function fe(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new p("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function me(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:fe(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:fe(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:fe(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new p("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new p('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}import{readFileSync as et,writeFileSync as xe,mkdirSync as Kt,existsSync as re,unlinkSync as Te,statSync as It,renameSync as tt}from"node:fs";import{join as S}from"node:path";import{homedir as Ct}from"node:os";import{randomBytes as rt}from"node:crypto";var _t="https://id.botparty.club",kt="EdDSA",Dt=15,Xe=6e4,Ot=3e4,Ut="5m",Nt=3,Lt=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Wt=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],l=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},ge=class extends l{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},we=class extends l{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},ee=class extends l{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},te=class extends l{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Ve(t){let e=rt(4);return t[e.readUInt32BE(0)%t.length]}function Jt(){return`${Ve(Lt)}-${Ve(Wt)}`}function $t(){let t=Jt(),e=rt(2).toString("hex");return`${t}-${e}`}function Ht(){return S(Ct(),".botparty")}function ve(t){re(t)||Kt(t,{recursive:!0,mode:448})}function Mt(t){let e=S(t,"identity.json");if(!re(e))return null;try{return JSON.parse(et(e,"utf-8"))}catch{return null}}function Ee(t,e){ve(t);let r=S(t,"identity.json"),s=r+".tmp";xe(s,JSON.stringify(e,null,2),{mode:384}),tt(s,r)}function Bt(t){let e=S(t,"private.pem");if(!re(e))return null;try{return et(e,"utf-8")}catch{return null}}function st(t,e){ve(t);let r=S(t,"private.pem"),s=r+".tmp";xe(s,e,{mode:384}),tt(s,r)}function qe(t){for(let e of["identity.json","private.pem"]){let r=S(t,e);re(r)&&Te(r)}}function Ft(t){let e=S(t,"rotation.lock");ve(t);for(let r=0;r<2;r++)try{xe(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=It(e);if(Date.now()-n.mtimeMs>Ot){Te(e);continue}}catch{continue}throw s}}function jt(t){try{Te(S(t,"rotation.lock"))}catch{}}async function nt(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await me(t,e),n=await pe(r),i=await de(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Gt(t,e,r){let s=await V(e,r);return(await new x(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function Se(t,e,r,s,n,i){let o=s,a=await V(r,o);return new J({...n}).setProtectedHeader({alg:o,kid:e}).setIssuer(t).setSubject(i??t).setIssuedAt().setExpirationTime(Ut).sign(a)}async function u(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function ze(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function Z(t){try{return await t.clone().json()}catch{return null}}function $(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var Ae=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},be=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await u(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new l({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await u(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new l({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await nt(r.algorithm),o=await Se(r.namespace,r.keyId,s,r.algorithm),a=await u(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return st(this.client.stateDir,i.privatePem),Ee(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},Pe=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||C("BOTPARTY_SERVER_URL")||_t).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||C("BOTPARTY_PROXY_URL")||C("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||C("BOTPARTY_STATE_DIR")||Ht(),this.algorithm=e.algorithm||kt,this.rotationTTL=e.rotationTTL||Dt,this.inviteToken=e.inviteToken||C("BOTPARTY_INVITE_TOKEN"),this.keys=new be(this)}getIdentity(){return Mt(this.stateDir)}getPrivateKey(){return Bt(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken,a=o,c;if(o)try{Q(o).typ==="org_invite"&&(a=void 0,c=o)}catch{}for(;i<Nt;){n||(n=$t());let d=r||n,h=await nt(this.algorithm),y=await u(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:h.publicPem,rotationTTL:this.rotationTTL,...a&&{inviteToken:a}})}),m=await y.json();if(m.status==="already_registered")throw new l({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(y.status===409&&!e){n=void 0,i++;continue}if(!y.ok)throw new l({code:m.error||"REGISTRATION_FAILED",message:m.message||m.error||"Registration failed",statusCode:y.status});let A=m.challenge,_=await Gt(A,h.privatePem,this.algorithm),se=await u(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:A,signature:_})});if(!se.ok)throw await this._apiError(se);let g=await se.json();if(st(this.stateDir,h.privatePem),Ee(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:g.keyId,algorithm:this.algorithm,rotatedAt:g.rotatedAt,rotationTTL:g.rotationTTL,label:d,...g.parentNamespace&&{parentNamespace:g.parentNamespace},...g.inheritedScopes&&{inheritedScopes:g.inheritedScopes}}),c)try{let Re=await this.redeemOrgInvite(c);Re.orgId&&this.setActAs(Re.orgId)}catch{}return g}throw new l({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;let r=this.inviteToken,s=!1;if(r)try{s=Q(r).typ==="org_invite"}catch{}if(await this.register(void 0,void 0,{inviteToken:s?void 0:r}),!this.getIdentity())throw new Error("Registration succeeded but identity could not be read");if(s&&r)try{let i=await this.redeemOrgInvite(r);i.orgId&&this.setActAs(i.orgId)}catch{}return this.getIdentity()}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Xe)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){Ft(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Xe)return;await this.keys.rotateCurrent()}finally{jt(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey(),n=this.getActAs(),i=n??r.namespace,o=n?r.namespace:void 0;return Se(i,r.keyId,s,r.algorithm,e,o)}async fetch(e,r={}){let s=await this.generateToken(),n=ze(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await Z(o);if(a){let{code:c}=$(a);if(c==="KEY_STALE"){await this._lockedRotate();let d=await this.generateToken(),h=new Headers(r.headers);h.set("X-Proxy-Authorization",`Bearer ${d}`),o=await fetch(n,{...r,headers:h})}}}if(o.status===403){let a=await Z(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let y=a.proxyUrl.replace(/\/$/,""),m=ze(e,y),A=new Headers(r.headers);return A.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(m,{...r,headers:A})}let d=a.approval_url||a.authorizationUrl;if(d){let y=c==="scope_refused",m=a.missing_scopes||a.missingScopes;throw y||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new ee({message:a.message||"Missing required credentials",actionUrl:d,missingScopes:m}):new te({message:a.message||"Missing required credentials",actionUrl:d})}let{code:h}=$(a);Qe(h)&&Ze(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await Z(o);if(a){let{code:c}=$(a);(Qe(c)||o.status===402||o.status===423)&&Ze(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await u(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await u(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);qe(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await Se(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl,actAs:this.getActAs()}}getActAs(){return C("BOTPARTY_ACT_AS")||this.getIdentity()?.actAs}setActAs(e){let r=this.getIdentity();if(!r)throw new Error("Not registered");e===void 0?delete r.actAs:r.actAs=e,Ee(this.stateDir,r)}async listOrgs(){let e=await this.generateToken(),r=await u(this.serverUrl,"/api/v1/orgs",{token:e});if(!r.ok)throw new Error(`Failed to list orgs: ${r.status}`);return r.json()}async createOrg(e,r=""){let s=await this.generateToken(),n=await u(this.serverUrl,"/api/v1/orgs",{method:"POST",token:s,body:JSON.stringify({name:e,description:r})});if(!n.ok)throw new Error(`Failed to create org: ${n.status}`);return n.json()}async quitOrg(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}/quit`,{method:"POST",token:r});if(!s.ok)throw new Error(`Failed to quit org: ${s.status}`)}async createOrgInvite(e,r){let s=await this.generateToken(),n=await u(this.serverUrl,`/api/v1/orgs/${e}/invites`,{method:"POST",token:s,body:JSON.stringify(r?{expiresIn:r}:{})});if(!n.ok)throw new Error(`Failed to create org invite: ${n.status}`);return n.json()}async redeemOrgInvite(e){let r=await this.generateToken(),s=await u(this.serverUrl,"/api/v1/orgs/invites/redeem",{method:"POST",token:r,body:JSON.stringify({inviteToken:e})});if(!s.ok)throw new Error(`Failed to redeem org invite: ${s.status}`);return s.json()}async listOrgMembers(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}/members`,{token:r});if(!s.ok)throw new Error(`Failed to list org members: ${s.status}`);return s.json()}async removeOrgMember(e,r){let s=await this.generateToken(),n=await u(this.serverUrl,`/api/v1/orgs/${e}/members/${r}`,{method:"DELETE",token:s});if(!n.ok)throw new Error(`Failed to remove org member: ${n.status}`)}async updateMemberRole(e,r,s){let n=await this.generateToken(),i=await u(this.serverUrl,`/api/v1/orgs/${e}/members/${r}/role`,{method:"PATCH",token:n,body:JSON.stringify({role:s})});if(!i.ok)throw new Error(`Failed to update member role: ${i.status}`);return i.json()}async deleteOrg(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}`,{method:"DELETE",token:r});if(!s.ok)throw new Error(`Failed to delete org: ${s.status}`);return s.json()}key(e){return new Ae(this,e)}reset(){qe(this.stateDir)}async _apiError(e){let r=await Z(e);if(!r)return new l({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=$(r);return new l({code:s,message:n,statusCode:e.status,actionUrl:i})}},Yt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Qe(t){return Yt.has(t.toUpperCase())}function Ze(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=$(e),c=r?.namespace||"",d=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new ge({message:i||"Namespace is locked",actionUrl:o||`${d}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new we({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new te({message:i,actionUrl:o||`${d}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new ee({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new l({code:n,message:i,statusCode:t,actionUrl:o})}var ye=null;function Xt(t){return ye||(ye=new Pe(t)),ye}async function bs(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Xt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function C(t){if(typeof process<"u"&&process.env)return process.env[t]}export{Pe as BotPartyClient,l as BotPartyError,ee as InsufficientPermissionError,Ae as Key,be as KeyManager,te as LinkRequiredError,ge as NamespaceLockedError,we as PaymentRequiredError,bs as botpartyFetch,ze as toProxyUrl};
|