@botparty/sdk 0.0.57 → 0.0.58
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +2 -2
- package/dist/index.js +2 -2
- package/package.json +1 -1
package/dist/index.cjs
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
"use strict";var oe=Object.defineProperty;var et=Object.getOwnPropertyDescriptor;var tt=Object.getOwnPropertyNames;var rt=Object.prototype.hasOwnProperty;var st=(t,e)=>{for(var r in e)oe(t,r,{get:e[r],enumerable:!0})},nt=(t,e,r,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let n of tt(e))!rt.call(t,n)&&n!==r&&oe(t,n,{get:()=>e[n],enumerable:!(s=et(e,n))||s.enumerable});return t};var it=t=>nt(oe({},"__esModule",{value:!0}),t);var Xt={};st(Xt,{BotPartyClient:()=>ie,BotPartyError:()=>h,InsufficientPermissionError:()=>H,Key:()=>se,KeyManager:()=>ne,LinkRequiredError:()=>M,NamespaceLockedError:()=>te,PaymentRequiredError:()=>re,botpartyFetch:()=>Yt,toProxyUrl:()=>Pe});module.exports=it(Xt);var B=new TextEncoder,v=new TextDecoder,qt=2**32;function ve(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function F(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function j(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function G(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function Y(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:v.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=v.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return G(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function X(t){let e=t;return typeof e=="string"&&(e=B.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):j(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var S=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),K=(t,e)=>t.name===e;function ot(t){return parseInt(t.name.slice(4),10)}function ae(t,e){if(ot(t.hash)!==e)throw S(`SHA-${e}`,"algorithm.hash")}function at(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function ct(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Ke(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!K(t.algorithm,"HMAC"))throw S("HMAC");ae(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!K(t.algorithm,"RSASSA-PKCS1-v1_5"))throw S("RSASSA-PKCS1-v1_5");ae(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!K(t.algorithm,"RSA-PSS"))throw S("RSA-PSS");ae(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!K(t.algorithm,"Ed25519"))throw S("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!K(t.algorithm,e))throw S(e);break}case"ES256":case"ES384":case"ES512":{if(!K(t.algorithm,"ECDSA"))throw S("ECDSA");let s=at(e);if(t.algorithm.namedCurve!==s)throw S(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ct(t,r)}function Re(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var V=(t,...e)=>Re("Key must be ",t,...e),ce=(t,e,...r)=>Re(`Key for the ${t} algorithm must be `,e,...r);var k=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var u=class extends k{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var A=class extends k{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},y=class extends k{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var D=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},O=t=>t?.[Symbol.toStringTag]==="KeyObject",de=t=>D(t)||O(t);var or=Symbol();function pe(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var dt=t=>typeof t=="object"&&t!==null;function U(t){if(!dt(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function Ie(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var N=t=>U(t)&&typeof t.kty=="string",Ce=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),_e=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,ke=t=>t.kty==="oct"&&typeof t.k=="string";function ut(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function lt(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new u(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function ht(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(V(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Ke(e,t,r),e}async function De(t,e,r){let s=await ht(t,e,"sign");ut(t,s);let n=await crypto.subtle.sign(lt(t,s.algorithm),s,r);return new Uint8Array(n)}var q='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function mt(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new u(q)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new u(q)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(q)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(q)}break}default:throw new u('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function Oe(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=mt(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var R="given KeyObject instance cannot be used for this algorithm",I,Ue=async(t,e,r,s=!1)=>{I||=new WeakMap;let n=I.get(t);if(n?.[r])return n[r];let i=await Oe({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:I.set(t,{[r]:i}),i},ft=(t,e)=>{I||=new WeakMap;let r=I.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(R)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(R)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(R);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(R);return r?r[e]=i:I.set(t,{[e]:i}),i};async function Ne(t,e){if(t instanceof Uint8Array||D(t))return t;if(O(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return ft(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return Ue(t,r,e)}if(N(t))return t.k?Y(t.k):Ue(t,t,e,!0);throw new Error("unreachable")}var yt=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
1
|
+
"use strict";var de=Object.defineProperty;var st=Object.getOwnPropertyDescriptor;var nt=Object.getOwnPropertyNames;var it=Object.prototype.hasOwnProperty;var ot=(t,e)=>{for(var r in e)de(t,r,{get:e[r],enumerable:!0})},at=(t,e,r,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let n of nt(e))!it.call(t,n)&&n!==r&&de(t,n,{get:()=>e[n],enumerable:!(s=st(e,n))||s.enumerable});return t};var ct=t=>at(de({},"__esModule",{value:!0}),t);var zt={};ot(zt,{BotPartyClient:()=>ae,BotPartyError:()=>h,InsufficientPermissionError:()=>M,Key:()=>ie,KeyManager:()=>oe,LinkRequiredError:()=>B,NamespaceLockedError:()=>se,PaymentRequiredError:()=>ne,botpartyFetch:()=>qt,toProxyUrl:()=>Te});module.exports=ct(zt);var F=new TextEncoder,v=new TextDecoder,Zt=2**32;function Ie(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function j(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function G(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function Y(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function X(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:v.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=v.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return Y(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function V(t){let e=t;return typeof e=="string"&&(e=F.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):G(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var S=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),R=(t,e)=>t.name===e;function dt(t){return parseInt(t.name.slice(4),10)}function pe(t,e){if(dt(t.hash)!==e)throw S(`SHA-${e}`,"algorithm.hash")}function pt(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function ut(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Ce(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!R(t.algorithm,"HMAC"))throw S("HMAC");pe(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!R(t.algorithm,"RSASSA-PKCS1-v1_5"))throw S("RSASSA-PKCS1-v1_5");pe(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!R(t.algorithm,"RSA-PSS"))throw S("RSA-PSS");pe(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!R(t.algorithm,"Ed25519"))throw S("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!R(t.algorithm,e))throw S(e);break}case"ES256":case"ES384":case"ES512":{if(!R(t.algorithm,"ECDSA"))throw S("ECDSA");let s=pt(e);if(t.algorithm.namedCurve!==s)throw S(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ut(t,r)}function _e(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var q=(t,...e)=>_e("Key must be ",t,...e),ue=(t,e,...r)=>_e(`Key for the ${t} algorithm must be `,e,...r);var D=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var u=class extends D{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var A=class extends D{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},m=class extends D{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var O=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},U=t=>t?.[Symbol.toStringTag]==="KeyObject",le=t=>O(t)||U(t);var dr=Symbol();function he(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var lt=t=>typeof t=="object"&&t!==null;function N(t){if(!lt(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function ke(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var L=t=>N(t)&&typeof t.kty=="string",De=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),Oe=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Ue=t=>t.kty==="oct"&&typeof t.k=="string";function ft(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function mt(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new u(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function yt(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(q(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Ce(e,t,r),e}async function Ne(t,e,r){let s=await yt(t,e,"sign");ft(t,s);let n=await crypto.subtle.sign(mt(t,s.algorithm),s,r);return new Uint8Array(n)}var z='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function gt(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new u(z)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new u(z)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(z)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new u(z)}break}default:throw new u('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function Le(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=gt(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var K="given KeyObject instance cannot be used for this algorithm",I,We=async(t,e,r,s=!1)=>{I||=new WeakMap;let n=I.get(t);if(n?.[r])return n[r];let i=await Le({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:I.set(t,{[r]:i}),i},wt=(t,e)=>{I||=new WeakMap;let r=I.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(K)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(K);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(K);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(K)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(K);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(K);return r?r[e]=i:I.set(t,{[e]:i}),i};async function Je(t,e){if(t instanceof Uint8Array||O(t))return t;if(U(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return wt(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return We(t,r,e)}if(L(t))return t.k?X(t.k):We(t,t,e,!0);throw new Error("unreachable")}var Et=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
2
2
|
`);return`-----BEGIN ${e}-----
|
|
3
3
|
${r}
|
|
4
|
-
-----END ${e}-----`},Le=async(t,e,r)=>{if(O(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!D(r))throw new TypeError(V(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return yt(j(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},We=t=>Le("public","spki",t),Je=t=>Le("private","pkcs8",t),ue=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},gt=t=>({data:t,pos:0}),L=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var W=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},$e=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},wt=t=>{W(t,6,"Expected algorithm OID");let e=L(t);return $e(t,e)};function Et(t){W(t,48,"Invalid PKCS#8 structure"),L(t),W(t,2,"Expected version field");let e=L(t);t.pos+=e,W(t,48,"Expected algorithm identifier");let r=L(t);return{algIdStart:t.pos,algIdLength:r}}var St=t=>{let e=wt(t);if(ue(e,[43,101,110]))return"X25519";if(!ue(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");W(t,6,"Expected curve OID");let r=L(t),s=$e(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ue(s,i))return n;throw new Error("Unsupported named curve")},At=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let d=s.getNamedCurve(e);n=d==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:d}}catch{throw new u("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new u('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},bt=(t,e)=>G(t.replace(e,"")),He=(t,e,r)=>{let s=bt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=gt(i);return Et(o),St(o)}),At("pkcs8",s,e,n)};async function z(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return He(t,e,r)}async function le(t){return We(t)}async function he(t){return Je(t)}function Me(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new u(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var C=t=>t?.[Symbol.toStringTag],me=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},Pt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(N(e)){if(ke(e)&&me(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!de(e))throw new TypeError(ce(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${C(e)} instances for symmetric algorithms must be of type "secret"`)}},xt=(t,e,r)=>{if(N(e))switch(r){case"decrypt":case"sign":if(Ce(e)&&me(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(_e(e)&&me(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!de(e))throw new TypeError(ce(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${C(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${C(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${C(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${C(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${C(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Be(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":Pt(t,e,r);break;default:xt(t,e,r)}}var P=t=>Math.floor(t.getTime()/1e3),Fe=60,je=Fe*60,ye=je*24,Tt=ye*7,vt=ye*365.25,Kt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function fe(t){let e=Kt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*Fe);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*je);break;case"day":case"days":case"d":n=Math.round(r*ye);break;case"week":case"weeks":case"w":n=Math.round(r*Tt);break;default:n=Math.round(r*vt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function x(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var Q=class{#e;constructor(e){if(!U(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return B.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=x("setNotBefore",e):e instanceof Date?this.#e.nbf=x("setNotBefore",P(e)):this.#e.nbf=P(new Date)+fe(e)}set exp(e){typeof e=="number"?this.#e.exp=x("setExpirationTime",e):e instanceof Date?this.#e.exp=x("setExpirationTime",P(e)):this.#e.exp=P(new Date)+fe(e)}set iat(e){e===void 0?this.#e.iat=P(new Date):e instanceof Date?this.#e.iat=x("setIssuedAt",P(e)):typeof e=="string"?this.#e.iat=x("setIssuedAt",P(new Date)+fe(e)):this.#e.iat=x("setIssuedAt",e)}};var T=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return pe(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return pe(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new A("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Ie(this.#t,this.#r))throw new A("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=Me(A,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new A('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new A('JWS "alg" (Algorithm) Header Parameter missing or invalid');Be(o,e,"sign");let a,c;i?(a=X(this.#e),c=F(a)):(c=this.#e,a="");let d,m;this.#t?(d=X(JSON.stringify(this.#t)),m=F(d)):(d="",m=new Uint8Array);let w=ve(m,F("."),c),b=await Ne(e,o),E=await De(o,b,w),f={signature:X(E),payload:a};return this.#r&&(f.header=this.#r),this.#t&&(f.protected=d),f}};var Z=class{#e;constructor(e){this.#e=new T(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var J=class{#e;#t;constructor(e={}){this.#t=new Q(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new Z(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new y("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function ge(t){if(typeof t!="string")throw new y("JWTs must use Compact JWS serialization, JWT must be a string");let{1:e,length:r}=t.split(".");if(r===5)throw new y("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new y("Invalid JWT");if(!e)throw new y("JWTs must contain a payload");let s;try{s=Y(e)}catch{throw new y("Failed to base64url decode the payload")}let n;try{n=JSON.parse(v.decode(s))}catch{throw new y("Failed to parse the decoded payload as JSON")}if(!U(n))throw new y("Invalid JWT Claims Set");return n}function we(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new u("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function Ee(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:we(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:we(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:we(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new u("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new u('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}var p=require("node:fs"),g=require("node:path"),ze=require("node:os"),xe=require("node:crypto"),It="https://id.botparty.club",Ct="EdDSA",_t=15,Ge=6e4,kt=3e4,Dt="5m",Ot=3,Ut=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Nt=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],h=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},te=class extends h{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},re=class extends h{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},H=class extends h{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},M=class extends h{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Ye(t){let e=(0,xe.randomBytes)(4);return t[e.readUInt32BE(0)%t.length]}function Lt(){return`${Ye(Ut)}-${Ye(Nt)}`}function Wt(){let t=Lt(),e=(0,xe.randomBytes)(2).toString("hex");return`${t}-${e}`}function Jt(){return(0,g.join)((0,ze.homedir)(),".botparty")}function Te(t){(0,p.existsSync)(t)||(0,p.mkdirSync)(t,{recursive:!0,mode:448})}function $t(t){let e=(0,g.join)(t,"identity.json");if(!(0,p.existsSync)(e))return null;try{return JSON.parse((0,p.readFileSync)(e,"utf-8"))}catch{return null}}function Ae(t,e){Te(t);let r=(0,g.join)(t,"identity.json"),s=r+".tmp";(0,p.writeFileSync)(s,JSON.stringify(e,null,2),{mode:384}),(0,p.renameSync)(s,r)}function Ht(t){let e=(0,g.join)(t,"private.pem");if(!(0,p.existsSync)(e))return null;try{return(0,p.readFileSync)(e,"utf-8")}catch{return null}}function Qe(t,e){Te(t);let r=(0,g.join)(t,"private.pem"),s=r+".tmp";(0,p.writeFileSync)(s,e,{mode:384}),(0,p.renameSync)(s,r)}function Xe(t){for(let e of["identity.json","private.pem"]){let r=(0,g.join)(t,e);(0,p.existsSync)(r)&&(0,p.unlinkSync)(r)}}function Mt(t){let e=(0,g.join)(t,"rotation.lock");Te(t);for(let r=0;r<2;r++)try{(0,p.writeFileSync)(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=(0,p.statSync)(e);if(Date.now()-n.mtimeMs>kt){(0,p.unlinkSync)(e);continue}}catch{continue}throw s}}function Bt(t){try{(0,p.unlinkSync)((0,g.join)(t,"rotation.lock"))}catch{}}async function Ze(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await Ee(t,e),n=await he(r),i=await le(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Ft(t,e,r){let s=await z(e,r);return(await new T(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function be(t,e,r,s,n,i){let o=s,a=await z(r,o);return new J({...n}).setProtectedHeader({alg:o,kid:e}).setIssuer(t).setSubject(i??t).setIssuedAt().setExpirationTime(Dt).sign(a)}async function l(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function Pe(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function ee(t){try{return await t.clone().json()}catch{return null}}function $(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var se=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},ne=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await l(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new h({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await l(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new h({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await Ze(r.algorithm),o=await be(r.namespace,r.keyId,s,r.algorithm),a=await l(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return Qe(this.client.stateDir,i.privatePem),Ae(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},ie=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||_("BOTPARTY_SERVER_URL")||It).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||_("BOTPARTY_PROXY_URL")||_("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||_("BOTPARTY_STATE_DIR")||Jt(),this.algorithm=e.algorithm||Ct,this.rotationTTL=e.rotationTTL||_t,this.inviteToken=e.inviteToken||_("BOTPARTY_INVITE_TOKEN"),this.keys=new ne(this)}getIdentity(){return $t(this.stateDir)}getPrivateKey(){return Ht(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Ot;){n||(n=Wt());let a=r||n,c=await Ze(this.algorithm),d=await l(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),m=await d.json();if(m.status==="already_registered")throw new h({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(d.status===409&&!e){n=void 0,i++;continue}if(!d.ok)throw new h({code:m.error||"REGISTRATION_FAILED",message:m.message||m.error||"Registration failed",statusCode:d.status});let w=m.challenge,b=await Ft(w,c.privatePem,this.algorithm),E=await l(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:w,signature:b})});if(!E.ok)throw await this._apiError(E);let f=await E.json();return Qe(this.stateDir,c.privatePem),Ae(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:f.keyId,algorithm:this.algorithm,rotatedAt:f.rotatedAt,rotationTTL:f.rotationTTL,label:a,...f.parentNamespace&&{parentNamespace:f.parentNamespace},...f.inheritedScopes&&{inheritedScopes:f.inheritedScopes}}),f}throw new h({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;let r=this.inviteToken,s=!1;if(r)try{s=ge(r).typ==="org_invite"}catch{}if(await this.register(void 0,void 0,{inviteToken:s?void 0:r}),!this.getIdentity())throw new Error("Registration succeeded but identity could not be read");if(s&&r)try{let i=await this.redeemOrgInvite(r);i.orgId&&this.setActAs(i.orgId)}catch{}return this.getIdentity()}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Ge)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){Mt(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Ge)return;await this.keys.rotateCurrent()}finally{Bt(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey(),n=this.getActAs(),i=n??r.namespace,o=n?r.namespace:void 0;return be(i,r.keyId,s,r.algorithm,e,o)}async fetch(e,r={}){let s=await this.generateToken(),n=Pe(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await ee(o);if(a){let{code:c}=$(a);if(c==="KEY_STALE"){await this._lockedRotate();let d=await this.generateToken(),m=new Headers(r.headers);m.set("X-Proxy-Authorization",`Bearer ${d}`),o=await fetch(n,{...r,headers:m})}}}if(o.status===403){let a=await ee(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let w=a.proxyUrl.replace(/\/$/,""),b=Pe(e,w),E=new Headers(r.headers);return E.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(b,{...r,headers:E})}let d=a.approval_url||a.authorizationUrl;if(d){let w=c==="scope_refused",b=a.missing_scopes||a.missingScopes;throw w||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new H({message:a.message||"Missing required credentials",actionUrl:d,missingScopes:b}):new M({message:a.message||"Missing required credentials",actionUrl:d})}let{code:m}=$(a);Ve(m)&&qe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await ee(o);if(a){let{code:c}=$(a);(Ve(c)||o.status===402||o.status===423)&&qe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await l(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await l(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);Xe(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await be(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl,actAs:this.getActAs()}}getActAs(){return _("BOTPARTY_ACT_AS")||this.getIdentity()?.actAs}setActAs(e){let r=this.getIdentity();if(!r)throw new Error("Not registered");e===void 0?delete r.actAs:r.actAs=e,Ae(this.stateDir,r)}async listOrgs(){let e=await this.generateToken(),r=await l(this.serverUrl,"/api/v1/orgs",{token:e});if(!r.ok)throw new Error(`Failed to list orgs: ${r.status}`);return r.json()}async createOrg(e,r=""){let s=await this.generateToken(),n=await l(this.serverUrl,"/api/v1/orgs",{method:"POST",token:s,body:JSON.stringify({name:e,description:r})});if(!n.ok)throw new Error(`Failed to create org: ${n.status}`);return n.json()}async quitOrg(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}/quit`,{method:"POST",token:r});if(!s.ok)throw new Error(`Failed to quit org: ${s.status}`)}async createOrgInvite(e,r){let s=await this.generateToken(),n=await l(this.serverUrl,`/api/v1/orgs/${e}/invites`,{method:"POST",token:s,body:JSON.stringify(r?{expiresIn:r}:{})});if(!n.ok)throw new Error(`Failed to create org invite: ${n.status}`);return n.json()}async redeemOrgInvite(e){let r=await this.generateToken(),s=await l(this.serverUrl,"/api/v1/orgs/invites/redeem",{method:"POST",token:r,body:JSON.stringify({inviteToken:e})});if(!s.ok)throw new Error(`Failed to redeem org invite: ${s.status}`);return s.json()}async listOrgMembers(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}/members`,{token:r});if(!s.ok)throw new Error(`Failed to list org members: ${s.status}`);return s.json()}async removeOrgMember(e,r){let s=await this.generateToken(),n=await l(this.serverUrl,`/api/v1/orgs/${e}/members/${r}`,{method:"DELETE",token:s});if(!n.ok)throw new Error(`Failed to remove org member: ${n.status}`)}async updateMemberRole(e,r,s){let n=await this.generateToken(),i=await l(this.serverUrl,`/api/v1/orgs/${e}/members/${r}/role`,{method:"PATCH",token:n,body:JSON.stringify({role:s})});if(!i.ok)throw new Error(`Failed to update member role: ${i.status}`);return i.json()}async deleteOrg(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}`,{method:"DELETE",token:r});if(!s.ok)throw new Error(`Failed to delete org: ${s.status}`);return s.json()}key(e){return new se(this,e)}reset(){Xe(this.stateDir)}async _apiError(e){let r=await ee(e);if(!r)return new h({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=$(r);return new h({code:s,message:n,statusCode:e.status,actionUrl:i})}},jt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ve(t){return jt.has(t.toUpperCase())}function qe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=$(e),c=r?.namespace||"",d=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new te({message:i||"Namespace is locked",actionUrl:o||`${d}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new re({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new M({message:i,actionUrl:o||`${d}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new H({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new h({code:n,message:i,statusCode:t,actionUrl:o})}var Se=null;function Gt(t){return Se||(Se=new ie(t)),Se}async function Yt(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Gt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function _(t){if(typeof process<"u"&&process.env)return process.env[t]}0&&(module.exports={BotPartyClient,BotPartyError,InsufficientPermissionError,Key,KeyManager,LinkRequiredError,NamespaceLockedError,PaymentRequiredError,botpartyFetch,toProxyUrl});
|
|
4
|
+
-----END ${e}-----`},$e=async(t,e,r)=>{if(U(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!O(r))throw new TypeError(q(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return Et(G(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},He=t=>$e("public","spki",t),Me=t=>$e("private","pkcs8",t),fe=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},St=t=>({data:t,pos:0}),W=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var J=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Be=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},At=t=>{J(t,6,"Expected algorithm OID");let e=W(t);return Be(t,e)};function bt(t){J(t,48,"Invalid PKCS#8 structure"),W(t),J(t,2,"Expected version field");let e=W(t);t.pos+=e,J(t,48,"Expected algorithm identifier");let r=W(t);return{algIdStart:t.pos,algIdLength:r}}var Pt=t=>{let e=At(t);if(fe(e,[43,101,110]))return"X25519";if(!fe(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");J(t,6,"Expected curve OID");let r=W(t),s=Be(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(fe(s,i))return n;throw new Error("Unsupported named curve")},xt=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new u("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new u('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},Tt=(t,e)=>Y(t.replace(e,"")),Fe=(t,e,r)=>{let s=Tt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=St(i);return bt(o),Pt(o)}),xt("pkcs8",s,e,n)};async function Q(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Fe(t,e,r)}async function me(t){return He(t)}async function ye(t){return Me(t)}function je(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new u(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var C=t=>t?.[Symbol.toStringTag],ge=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},vt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(L(e)){if(Ue(e)&&ge(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!le(e))throw new TypeError(ue(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${C(e)} instances for symmetric algorithms must be of type "secret"`)}},Rt=(t,e,r)=>{if(L(e))switch(r){case"decrypt":case"sign":if(De(e)&&ge(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(Oe(e)&&ge(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!le(e))throw new TypeError(ue(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${C(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${C(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${C(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${C(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${C(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Ge(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":vt(t,e,r);break;default:Rt(t,e,r)}}var P=t=>Math.floor(t.getTime()/1e3),Ye=60,Xe=Ye*60,Ee=Xe*24,Kt=Ee*7,It=Ee*365.25,Ct=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function we(t){let e=Ct.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*Ye);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Xe);break;case"day":case"days":case"d":n=Math.round(r*Ee);break;case"week":case"weeks":case"w":n=Math.round(r*Kt);break;default:n=Math.round(r*It);break}return e[1]==="-"||e[4]==="ago"?-n:n}function x(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var Z=class{#e;constructor(e){if(!N(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return F.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=x("setNotBefore",e):e instanceof Date?this.#e.nbf=x("setNotBefore",P(e)):this.#e.nbf=P(new Date)+we(e)}set exp(e){typeof e=="number"?this.#e.exp=x("setExpirationTime",e):e instanceof Date?this.#e.exp=x("setExpirationTime",P(e)):this.#e.exp=P(new Date)+we(e)}set iat(e){e===void 0?this.#e.iat=P(new Date):e instanceof Date?this.#e.iat=x("setIssuedAt",P(e)):typeof e=="string"?this.#e.iat=x("setIssuedAt",P(new Date)+we(e)):this.#e.iat=x("setIssuedAt",e)}};var T=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return he(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return he(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new A("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!ke(this.#t,this.#r))throw new A("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=je(A,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new A('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new A('JWS "alg" (Algorithm) Header Parameter missing or invalid');Ge(o,e,"sign");let a,c;i?(a=V(this.#e),c=j(a)):(c=this.#e,a="");let p,f;this.#t?(p=V(JSON.stringify(this.#t)),f=j(p)):(p="",f=new Uint8Array);let g=Ie(f,j("."),c),y=await Je(e,o),b=await Ne(o,y,g),k={signature:V(b),payload:a};return this.#r&&(k.header=this.#r),this.#t&&(k.protected=p),k}};var ee=class{#e;constructor(e){this.#e=new T(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var $=class{#e;#t;constructor(e={}){this.#t=new Z(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new ee(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new m("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function te(t){if(typeof t!="string")throw new m("JWTs must use Compact JWS serialization, JWT must be a string");let{1:e,length:r}=t.split(".");if(r===5)throw new m("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new m("Invalid JWT");if(!e)throw new m("JWTs must contain a payload");let s;try{s=X(e)}catch{throw new m("Failed to base64url decode the payload")}let n;try{n=JSON.parse(v.decode(s))}catch{throw new m("Failed to parse the decoded payload as JSON")}if(!N(n))throw new m("Invalid JWT Claims Set");return n}function Se(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new u("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function Ae(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:Se(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:Se(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:Se(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new u("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new u('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}var d=require("node:fs"),w=require("node:path"),et=require("node:os"),ve=require("node:crypto"),kt="https://id.botparty.club",Dt="EdDSA",Ot=15,Ve=6e4,Ut=3e4,Nt="5m",Lt=3,Wt=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Jt=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],h=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},se=class extends h{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},ne=class extends h{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},M=class extends h{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},B=class extends h{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function qe(t){let e=(0,ve.randomBytes)(4);return t[e.readUInt32BE(0)%t.length]}function $t(){return`${qe(Wt)}-${qe(Jt)}`}function Ht(){let t=$t(),e=(0,ve.randomBytes)(2).toString("hex");return`${t}-${e}`}function Mt(){return(0,w.join)((0,et.homedir)(),".botparty")}function Re(t){(0,d.existsSync)(t)||(0,d.mkdirSync)(t,{recursive:!0,mode:448})}function Bt(t){let e=(0,w.join)(t,"identity.json");if(!(0,d.existsSync)(e))return null;try{return JSON.parse((0,d.readFileSync)(e,"utf-8"))}catch{return null}}function Pe(t,e){Re(t);let r=(0,w.join)(t,"identity.json"),s=r+".tmp";(0,d.writeFileSync)(s,JSON.stringify(e,null,2),{mode:384}),(0,d.renameSync)(s,r)}function Ft(t){let e=(0,w.join)(t,"private.pem");if(!(0,d.existsSync)(e))return null;try{return(0,d.readFileSync)(e,"utf-8")}catch{return null}}function tt(t,e){Re(t);let r=(0,w.join)(t,"private.pem"),s=r+".tmp";(0,d.writeFileSync)(s,e,{mode:384}),(0,d.renameSync)(s,r)}function ze(t){for(let e of["identity.json","private.pem"]){let r=(0,w.join)(t,e);(0,d.existsSync)(r)&&(0,d.unlinkSync)(r)}}function jt(t){let e=(0,w.join)(t,"rotation.lock");Re(t);for(let r=0;r<2;r++)try{(0,d.writeFileSync)(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=(0,d.statSync)(e);if(Date.now()-n.mtimeMs>Ut){(0,d.unlinkSync)(e);continue}}catch{continue}throw s}}function Gt(t){try{(0,d.unlinkSync)((0,w.join)(t,"rotation.lock"))}catch{}}async function rt(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await Ae(t,e),n=await ye(r),i=await me(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Yt(t,e,r){let s=await Q(e,r);return(await new T(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function xe(t,e,r,s,n,i){let o=s,a=await Q(r,o);return new $({...n}).setProtectedHeader({alg:o,kid:e}).setIssuer(t).setSubject(i??t).setIssuedAt().setExpirationTime(Nt).sign(a)}async function l(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function Te(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function re(t){try{return await t.clone().json()}catch{return null}}function H(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var ie=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},oe=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await l(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new h({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await l(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new h({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await rt(r.algorithm),o=await xe(r.namespace,r.keyId,s,r.algorithm),a=await l(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return tt(this.client.stateDir,i.privatePem),Pe(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await l(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},ae=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||_("BOTPARTY_SERVER_URL")||kt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||_("BOTPARTY_PROXY_URL")||_("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||_("BOTPARTY_STATE_DIR")||Mt(),this.algorithm=e.algorithm||Dt,this.rotationTTL=e.rotationTTL||Ot,this.inviteToken=e.inviteToken||_("BOTPARTY_INVITE_TOKEN"),this.keys=new oe(this)}getIdentity(){return Bt(this.stateDir)}getPrivateKey(){return Ft(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken,a=o,c;if(o)try{te(o).typ==="org_invite"&&(a=void 0,c=o)}catch{}for(;i<Lt;){n||(n=Ht());let p=r||n,f=await rt(this.algorithm),g=await l(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:f.publicPem,rotationTTL:this.rotationTTL,...a&&{inviteToken:a}})}),y=await g.json();if(y.status==="already_registered")throw new h({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(g.status===409&&!e){n=void 0,i++;continue}if(!g.ok)throw new h({code:y.error||"REGISTRATION_FAILED",message:y.message||y.error||"Registration failed",statusCode:g.status});let b=y.challenge,k=await Yt(b,f.privatePem,this.algorithm),ce=await l(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:b,signature:k})});if(!ce.ok)throw await this._apiError(ce);let E=await ce.json();if(tt(this.stateDir,f.privatePem),Pe(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:E.keyId,algorithm:this.algorithm,rotatedAt:E.rotatedAt,rotationTTL:E.rotationTTL,label:p,...E.parentNamespace&&{parentNamespace:E.parentNamespace},...E.inheritedScopes&&{inheritedScopes:E.inheritedScopes}}),c)try{let Ke=await this.redeemOrgInvite(c);Ke.orgId&&this.setActAs(Ke.orgId)}catch{}return E}throw new h({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;let r=this.inviteToken,s=!1;if(r)try{s=te(r).typ==="org_invite"}catch{}if(await this.register(void 0,void 0,{inviteToken:s?void 0:r}),!this.getIdentity())throw new Error("Registration succeeded but identity could not be read");if(s&&r)try{let i=await this.redeemOrgInvite(r);i.orgId&&this.setActAs(i.orgId)}catch{}return this.getIdentity()}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Ve)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){jt(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Ve)return;await this.keys.rotateCurrent()}finally{Gt(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey(),n=this.getActAs(),i=n??r.namespace,o=n?r.namespace:void 0;return xe(i,r.keyId,s,r.algorithm,e,o)}async fetch(e,r={}){let s=await this.generateToken(),n=Te(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await re(o);if(a){let{code:c}=H(a);if(c==="KEY_STALE"){await this._lockedRotate();let p=await this.generateToken(),f=new Headers(r.headers);f.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:f})}}}if(o.status===403){let a=await re(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let g=a.proxyUrl.replace(/\/$/,""),y=Te(e,g),b=new Headers(r.headers);return b.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(y,{...r,headers:b})}let p=a.approval_url||a.authorizationUrl;if(p){let g=c==="scope_refused",y=a.missing_scopes||a.missingScopes;throw g||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new M({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:y}):new B({message:a.message||"Missing required credentials",actionUrl:p})}let{code:f}=H(a);Qe(f)&&Ze(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await re(o);if(a){let{code:c}=H(a);(Qe(c)||o.status===402||o.status===423)&&Ze(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await l(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await l(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);ze(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await xe(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl,actAs:this.getActAs()}}getActAs(){return _("BOTPARTY_ACT_AS")||this.getIdentity()?.actAs}setActAs(e){let r=this.getIdentity();if(!r)throw new Error("Not registered");e===void 0?delete r.actAs:r.actAs=e,Pe(this.stateDir,r)}async listOrgs(){let e=await this.generateToken(),r=await l(this.serverUrl,"/api/v1/orgs",{token:e});if(!r.ok)throw new Error(`Failed to list orgs: ${r.status}`);return r.json()}async createOrg(e,r=""){let s=await this.generateToken(),n=await l(this.serverUrl,"/api/v1/orgs",{method:"POST",token:s,body:JSON.stringify({name:e,description:r})});if(!n.ok)throw new Error(`Failed to create org: ${n.status}`);return n.json()}async quitOrg(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}/quit`,{method:"POST",token:r});if(!s.ok)throw new Error(`Failed to quit org: ${s.status}`)}async createOrgInvite(e,r){let s=await this.generateToken(),n=await l(this.serverUrl,`/api/v1/orgs/${e}/invites`,{method:"POST",token:s,body:JSON.stringify(r?{expiresIn:r}:{})});if(!n.ok)throw new Error(`Failed to create org invite: ${n.status}`);return n.json()}async redeemOrgInvite(e){let r=await this.generateToken(),s=await l(this.serverUrl,"/api/v1/orgs/invites/redeem",{method:"POST",token:r,body:JSON.stringify({inviteToken:e})});if(!s.ok)throw new Error(`Failed to redeem org invite: ${s.status}`);return s.json()}async listOrgMembers(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}/members`,{token:r});if(!s.ok)throw new Error(`Failed to list org members: ${s.status}`);return s.json()}async removeOrgMember(e,r){let s=await this.generateToken(),n=await l(this.serverUrl,`/api/v1/orgs/${e}/members/${r}`,{method:"DELETE",token:s});if(!n.ok)throw new Error(`Failed to remove org member: ${n.status}`)}async updateMemberRole(e,r,s){let n=await this.generateToken(),i=await l(this.serverUrl,`/api/v1/orgs/${e}/members/${r}/role`,{method:"PATCH",token:n,body:JSON.stringify({role:s})});if(!i.ok)throw new Error(`Failed to update member role: ${i.status}`);return i.json()}async deleteOrg(e){let r=await this.generateToken(),s=await l(this.serverUrl,`/api/v1/orgs/${e}`,{method:"DELETE",token:r});if(!s.ok)throw new Error(`Failed to delete org: ${s.status}`);return s.json()}key(e){return new ie(this,e)}reset(){ze(this.stateDir)}async _apiError(e){let r=await re(e);if(!r)return new h({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=H(r);return new h({code:s,message:n,statusCode:e.status,actionUrl:i})}},Xt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Qe(t){return Xt.has(t.toUpperCase())}function Ze(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=H(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new se({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new ne({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new B({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new M({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new h({code:n,message:i,statusCode:t,actionUrl:o})}var be=null;function Vt(t){return be||(be=new ae(t)),be}async function qt(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Vt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function _(t){if(typeof process<"u"&&process.env)return process.env[t]}0&&(module.exports={BotPartyClient,BotPartyError,InsufficientPermissionError,Key,KeyManager,LinkRequiredError,NamespaceLockedError,PaymentRequiredError,botpartyFetch,toProxyUrl});
|
package/dist/index.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
var
|
|
1
|
+
var H=new TextEncoder,T=new TextDecoder,Vt=2**32;function Ke(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function M(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function B(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function F(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function j(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:T.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=T.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return F(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function G(t){let e=t;return typeof e=="string"&&(e=H.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):B(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var w=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),v=(t,e)=>t.name===e;function it(t){return parseInt(t.name.slice(4),10)}function ne(t,e){if(it(t.hash)!==e)throw w(`SHA-${e}`,"algorithm.hash")}function ot(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function at(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Ie(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!v(t.algorithm,"HMAC"))throw w("HMAC");ne(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!v(t.algorithm,"RSASSA-PKCS1-v1_5"))throw w("RSASSA-PKCS1-v1_5");ne(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!v(t.algorithm,"RSA-PSS"))throw w("RSA-PSS");ne(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!v(t.algorithm,"Ed25519"))throw w("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!v(t.algorithm,e))throw w(e);break}case"ES256":case"ES384":case"ES512":{if(!v(t.algorithm,"ECDSA"))throw w("ECDSA");let s=ot(e);if(t.algorithm.namedCurve!==s)throw w(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}at(t,r)}function Ce(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var Y=(t,...e)=>Ce("Key must be ",t,...e),ie=(t,e,...r)=>Ce(`Key for the ${t} algorithm must be `,e,...r);var k=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var p=class extends k{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var E=class extends k{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},f=class extends k{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var D=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},O=t=>t?.[Symbol.toStringTag]==="KeyObject",oe=t=>D(t)||O(t);var ir=Symbol();function ae(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var ct=t=>typeof t=="object"&&t!==null;function U(t){if(!ct(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function _e(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var N=t=>U(t)&&typeof t.kty=="string",ke=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),De=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Oe=t=>t.kty==="oct"&&typeof t.k=="string";function pt(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function ut(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new p(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function lt(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(Y(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Ie(e,t,r),e}async function Ue(t,e,r){let s=await lt(t,e,"sign");pt(t,s);let n=await crypto.subtle.sign(ut(t,s.algorithm),s,r);return new Uint8Array(n)}var X='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function ht(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new p(X)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new p(X)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new p(X)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new p(X)}break}default:throw new p('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function Ne(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=ht(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var R="given KeyObject instance cannot be used for this algorithm",K,Le=async(t,e,r,s=!1)=>{K||=new WeakMap;let n=K.get(t);if(n?.[r])return n[r];let i=await Ne({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:K.set(t,{[r]:i}),i},ft=(t,e)=>{K||=new WeakMap;let r=K.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(R)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(R)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(R);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(R);return r?r[e]=i:K.set(t,{[e]:i}),i};async function We(t,e){if(t instanceof Uint8Array||D(t))return t;if(O(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return ft(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return Le(t,r,e)}if(N(t))return t.k?j(t.k):Le(t,t,e,!0);throw new Error("unreachable")}var mt=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
2
2
|
`);return`-----BEGIN ${e}-----
|
|
3
3
|
${r}
|
|
4
|
-
-----END ${e}-----`},Ne=async(t,e,r)=>{if(D(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!k(r))throw new TypeError(G(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return lt(M(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},Le=t=>Ne("public","spki",t),We=t=>Ne("private","pkcs8",t),ie=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},ht=t=>({data:t,pos:0}),N=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var L=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Je=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},mt=t=>{L(t,6,"Expected algorithm OID");let e=N(t);return Je(t,e)};function ft(t){L(t,48,"Invalid PKCS#8 structure"),N(t),L(t,2,"Expected version field");let e=N(t);t.pos+=e,L(t,48,"Expected algorithm identifier");let r=N(t);return{algIdStart:t.pos,algIdLength:r}}var yt=t=>{let e=mt(t);if(ie(e,[43,101,110]))return"X25519";if(!ie(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");L(t,6,"Expected curve OID");let r=N(t),s=Je(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ie(s,i))return n;throw new Error("Unsupported named curve")},gt=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let d=s.getNamedCurve(e);n=d==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:d}}catch{throw new p("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new p('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},wt=(t,e)=>B(t.replace(e,"")),$e=(t,e,r)=>{let s=wt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=ht(i);return ft(o),yt(o)}),gt("pkcs8",s,e,n)};async function X(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return $e(t,e,r)}async function oe(t){return Le(t)}async function ae(t){return We(t)}function He(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new p(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var I=t=>t?.[Symbol.toStringTag],ce=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},Et=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(U(e)){if(_e(e)&&ce(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!se(e))throw new TypeError(re(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${I(e)} instances for symmetric algorithms must be of type "secret"`)}},St=(t,e,r)=>{if(U(e))switch(r){case"decrypt":case"sign":if(Ie(e)&&ce(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(Ce(e)&&ce(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!se(e))throw new TypeError(re(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${I(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${I(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${I(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${I(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${I(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Me(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":Et(t,e,r);break;default:St(t,e,r)}}var b=t=>Math.floor(t.getTime()/1e3),Be=60,Fe=Be*60,pe=Fe*24,At=pe*7,bt=pe*365.25,Pt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function de(t){let e=Pt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*Be);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Fe);break;case"day":case"days":case"d":n=Math.round(r*pe);break;case"week":case"weeks":case"w":n=Math.round(r*At);break;default:n=Math.round(r*bt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function P(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var V=class{#e;constructor(e){if(!O(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return $.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=P("setNotBefore",e):e instanceof Date?this.#e.nbf=P("setNotBefore",b(e)):this.#e.nbf=b(new Date)+de(e)}set exp(e){typeof e=="number"?this.#e.exp=P("setExpirationTime",e):e instanceof Date?this.#e.exp=P("setExpirationTime",b(e)):this.#e.exp=b(new Date)+de(e)}set iat(e){e===void 0?this.#e.iat=b(new Date):e instanceof Date?this.#e.iat=P("setIssuedAt",b(e)):typeof e=="string"?this.#e.iat=P("setIssuedAt",b(new Date)+de(e)):this.#e.iat=P("setIssuedAt",e)}};var x=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return ne(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return ne(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new E("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Re(this.#t,this.#r))throw new E("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=He(E,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new E('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new E('JWS "alg" (Algorithm) Header Parameter missing or invalid');Me(o,e,"sign");let a,c;i?(a=j(this.#e),c=H(a)):(c=this.#e,a="");let d,l;this.#t?(d=j(JSON.stringify(this.#t)),l=H(d)):(d="",l=new Uint8Array);let y=Te(l,H("."),c),A=await Ue(e,o),g=await ke(o,A,y),m={signature:j(g),payload:a};return this.#r&&(m.header=this.#r),this.#t&&(m.protected=d),m}};var q=class{#e;constructor(e){this.#e=new x(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var W=class{#e;#t;constructor(e={}){this.#t=new V(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new q(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new f("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function ue(t){if(typeof t!="string")throw new f("JWTs must use Compact JWS serialization, JWT must be a string");let{1:e,length:r}=t.split(".");if(r===5)throw new f("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new f("Invalid JWT");if(!e)throw new f("JWTs must contain a payload");let s;try{s=F(e)}catch{throw new f("Failed to base64url decode the payload")}let n;try{n=JSON.parse(T.decode(s))}catch{throw new f("Failed to parse the decoded payload as JSON")}if(!O(n))throw new f("Invalid JWT Claims Set");return n}function le(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new p("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function he(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:le(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:le(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:le(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new p("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new p('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}import{readFileSync as ze,writeFileSync as be,mkdirSync as Tt,existsSync as ee,unlinkSync as Pe,statSync as vt,renameSync as Qe}from"node:fs";import{join as S}from"node:path";import{homedir as Kt}from"node:os";import{randomBytes as Ze}from"node:crypto";var Rt="https://id.botparty.club",It="EdDSA",Ct=15,je=6e4,_t=3e4,kt="5m",Dt=3,Ot=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Ut=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],h=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},fe=class extends h{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},ye=class extends h{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},Q=class extends h{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},Z=class extends h{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Ge(t){let e=Ze(4);return t[e.readUInt32BE(0)%t.length]}function Nt(){return`${Ge(Ot)}-${Ge(Ut)}`}function Lt(){let t=Nt(),e=Ze(2).toString("hex");return`${t}-${e}`}function Wt(){return S(Kt(),".botparty")}function xe(t){ee(t)||Tt(t,{recursive:!0,mode:448})}function Jt(t){let e=S(t,"identity.json");if(!ee(e))return null;try{return JSON.parse(ze(e,"utf-8"))}catch{return null}}function ge(t,e){xe(t);let r=S(t,"identity.json"),s=r+".tmp";be(s,JSON.stringify(e,null,2),{mode:384}),Qe(s,r)}function $t(t){let e=S(t,"private.pem");if(!ee(e))return null;try{return ze(e,"utf-8")}catch{return null}}function et(t,e){xe(t);let r=S(t,"private.pem"),s=r+".tmp";be(s,e,{mode:384}),Qe(s,r)}function Ye(t){for(let e of["identity.json","private.pem"]){let r=S(t,e);ee(r)&&Pe(r)}}function Ht(t){let e=S(t,"rotation.lock");xe(t);for(let r=0;r<2;r++)try{be(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=vt(e);if(Date.now()-n.mtimeMs>_t){Pe(e);continue}}catch{continue}throw s}}function Mt(t){try{Pe(S(t,"rotation.lock"))}catch{}}async function tt(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await he(t,e),n=await ae(r),i=await oe(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Bt(t,e,r){let s=await X(e,r);return(await new x(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function we(t,e,r,s,n,i){let o=s,a=await X(r,o);return new W({...n}).setProtectedHeader({alg:o,kid:e}).setIssuer(t).setSubject(i??t).setIssuedAt().setExpirationTime(kt).sign(a)}async function u(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function Xe(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function z(t){try{return await t.clone().json()}catch{return null}}function J(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var Ee=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},Se=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await u(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new h({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await u(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new h({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await tt(r.algorithm),o=await we(r.namespace,r.keyId,s,r.algorithm),a=await u(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return et(this.client.stateDir,i.privatePem),ge(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},Ae=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||C("BOTPARTY_SERVER_URL")||Rt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||C("BOTPARTY_PROXY_URL")||C("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||C("BOTPARTY_STATE_DIR")||Wt(),this.algorithm=e.algorithm||It,this.rotationTTL=e.rotationTTL||Ct,this.inviteToken=e.inviteToken||C("BOTPARTY_INVITE_TOKEN"),this.keys=new Se(this)}getIdentity(){return Jt(this.stateDir)}getPrivateKey(){return $t(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Dt;){n||(n=Lt());let a=r||n,c=await tt(this.algorithm),d=await u(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),l=await d.json();if(l.status==="already_registered")throw new h({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(d.status===409&&!e){n=void 0,i++;continue}if(!d.ok)throw new h({code:l.error||"REGISTRATION_FAILED",message:l.message||l.error||"Registration failed",statusCode:d.status});let y=l.challenge,A=await Bt(y,c.privatePem,this.algorithm),g=await u(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:y,signature:A})});if(!g.ok)throw await this._apiError(g);let m=await g.json();return et(this.stateDir,c.privatePem),ge(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:m.keyId,algorithm:this.algorithm,rotatedAt:m.rotatedAt,rotationTTL:m.rotationTTL,label:a,...m.parentNamespace&&{parentNamespace:m.parentNamespace},...m.inheritedScopes&&{inheritedScopes:m.inheritedScopes}}),m}throw new h({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;let r=this.inviteToken,s=!1;if(r)try{s=ue(r).typ==="org_invite"}catch{}if(await this.register(void 0,void 0,{inviteToken:s?void 0:r}),!this.getIdentity())throw new Error("Registration succeeded but identity could not be read");if(s&&r)try{let i=await this.redeemOrgInvite(r);i.orgId&&this.setActAs(i.orgId)}catch{}return this.getIdentity()}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-je)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){Ht(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-je)return;await this.keys.rotateCurrent()}finally{Mt(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey(),n=this.getActAs(),i=n??r.namespace,o=n?r.namespace:void 0;return we(i,r.keyId,s,r.algorithm,e,o)}async fetch(e,r={}){let s=await this.generateToken(),n=Xe(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await z(o);if(a){let{code:c}=J(a);if(c==="KEY_STALE"){await this._lockedRotate();let d=await this.generateToken(),l=new Headers(r.headers);l.set("X-Proxy-Authorization",`Bearer ${d}`),o=await fetch(n,{...r,headers:l})}}}if(o.status===403){let a=await z(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let y=a.proxyUrl.replace(/\/$/,""),A=Xe(e,y),g=new Headers(r.headers);return g.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(A,{...r,headers:g})}let d=a.approval_url||a.authorizationUrl;if(d){let y=c==="scope_refused",A=a.missing_scopes||a.missingScopes;throw y||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new Q({message:a.message||"Missing required credentials",actionUrl:d,missingScopes:A}):new Z({message:a.message||"Missing required credentials",actionUrl:d})}let{code:l}=J(a);Ve(l)&&qe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await z(o);if(a){let{code:c}=J(a);(Ve(c)||o.status===402||o.status===423)&&qe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await u(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await u(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);Ye(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await we(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl,actAs:this.getActAs()}}getActAs(){return C("BOTPARTY_ACT_AS")||this.getIdentity()?.actAs}setActAs(e){let r=this.getIdentity();if(!r)throw new Error("Not registered");e===void 0?delete r.actAs:r.actAs=e,ge(this.stateDir,r)}async listOrgs(){let e=await this.generateToken(),r=await u(this.serverUrl,"/api/v1/orgs",{token:e});if(!r.ok)throw new Error(`Failed to list orgs: ${r.status}`);return r.json()}async createOrg(e,r=""){let s=await this.generateToken(),n=await u(this.serverUrl,"/api/v1/orgs",{method:"POST",token:s,body:JSON.stringify({name:e,description:r})});if(!n.ok)throw new Error(`Failed to create org: ${n.status}`);return n.json()}async quitOrg(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}/quit`,{method:"POST",token:r});if(!s.ok)throw new Error(`Failed to quit org: ${s.status}`)}async createOrgInvite(e,r){let s=await this.generateToken(),n=await u(this.serverUrl,`/api/v1/orgs/${e}/invites`,{method:"POST",token:s,body:JSON.stringify(r?{expiresIn:r}:{})});if(!n.ok)throw new Error(`Failed to create org invite: ${n.status}`);return n.json()}async redeemOrgInvite(e){let r=await this.generateToken(),s=await u(this.serverUrl,"/api/v1/orgs/invites/redeem",{method:"POST",token:r,body:JSON.stringify({inviteToken:e})});if(!s.ok)throw new Error(`Failed to redeem org invite: ${s.status}`);return s.json()}async listOrgMembers(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}/members`,{token:r});if(!s.ok)throw new Error(`Failed to list org members: ${s.status}`);return s.json()}async removeOrgMember(e,r){let s=await this.generateToken(),n=await u(this.serverUrl,`/api/v1/orgs/${e}/members/${r}`,{method:"DELETE",token:s});if(!n.ok)throw new Error(`Failed to remove org member: ${n.status}`)}async updateMemberRole(e,r,s){let n=await this.generateToken(),i=await u(this.serverUrl,`/api/v1/orgs/${e}/members/${r}/role`,{method:"PATCH",token:n,body:JSON.stringify({role:s})});if(!i.ok)throw new Error(`Failed to update member role: ${i.status}`);return i.json()}async deleteOrg(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}`,{method:"DELETE",token:r});if(!s.ok)throw new Error(`Failed to delete org: ${s.status}`);return s.json()}key(e){return new Ee(this,e)}reset(){Ye(this.stateDir)}async _apiError(e){let r=await z(e);if(!r)return new h({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=J(r);return new h({code:s,message:n,statusCode:e.status,actionUrl:i})}},Ft=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ve(t){return Ft.has(t.toUpperCase())}function qe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=J(e),c=r?.namespace||"",d=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new fe({message:i||"Namespace is locked",actionUrl:o||`${d}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new ye({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new Z({message:i,actionUrl:o||`${d}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new Q({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new h({code:n,message:i,statusCode:t,actionUrl:o})}var me=null;function jt(t){return me||(me=new Ae(t)),me}async function Es(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return jt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function C(t){if(typeof process<"u"&&process.env)return process.env[t]}export{Ae as BotPartyClient,h as BotPartyError,Q as InsufficientPermissionError,Ee as Key,Se as KeyManager,Z as LinkRequiredError,fe as NamespaceLockedError,ye as PaymentRequiredError,Es as botpartyFetch,Xe as toProxyUrl};
|
|
4
|
+
-----END ${e}-----`},Je=async(t,e,r)=>{if(O(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!D(r))throw new TypeError(Y(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return mt(B(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},$e=t=>Je("public","spki",t),He=t=>Je("private","pkcs8",t),ce=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},yt=t=>({data:t,pos:0}),L=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var W=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Me=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},gt=t=>{W(t,6,"Expected algorithm OID");let e=L(t);return Me(t,e)};function wt(t){W(t,48,"Invalid PKCS#8 structure"),L(t),W(t,2,"Expected version field");let e=L(t);t.pos+=e,W(t,48,"Expected algorithm identifier");let r=L(t);return{algIdStart:t.pos,algIdLength:r}}var Et=t=>{let e=gt(t);if(ce(e,[43,101,110]))return"X25519";if(!ce(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");W(t,6,"Expected curve OID");let r=L(t),s=Me(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ce(s,i))return n;throw new Error("Unsupported named curve")},St=async(t,e,r,s)=>{let n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let d=s.getNamedCurve(e);n=d==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:d}}catch{throw new p("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new p('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},At=(t,e)=>F(t.replace(e,"")),Be=(t,e,r)=>{let s=At(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=yt(i);return wt(o),Et(o)}),St("pkcs8",s,e,n)};async function V(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Be(t,e,r)}async function de(t){return $e(t)}async function pe(t){return He(t)}function Fe(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of s.crit){if(!i.has(o))throw new p(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var I=t=>t?.[Symbol.toStringTag],ue=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},bt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(N(e)){if(Oe(e)&&ue(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!oe(e))throw new TypeError(ie(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${I(e)} instances for symmetric algorithms must be of type "secret"`)}},Pt=(t,e,r)=>{if(N(e))switch(r){case"decrypt":case"sign":if(ke(e)&&ue(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(De(e)&&ue(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!oe(e))throw new TypeError(ie(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${I(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${I(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${I(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${I(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${I(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function je(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":bt(t,e,r);break;default:Pt(t,e,r)}}var b=t=>Math.floor(t.getTime()/1e3),Ge=60,Ye=Ge*60,he=Ye*24,xt=he*7,Tt=he*365.25,vt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function le(t){let e=vt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*Ge);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Ye);break;case"day":case"days":case"d":n=Math.round(r*he);break;case"week":case"weeks":case"w":n=Math.round(r*xt);break;default:n=Math.round(r*Tt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function P(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var q=class{#e;constructor(e){if(!U(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return H.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=P("setNotBefore",e):e instanceof Date?this.#e.nbf=P("setNotBefore",b(e)):this.#e.nbf=b(new Date)+le(e)}set exp(e){typeof e=="number"?this.#e.exp=P("setExpirationTime",e):e instanceof Date?this.#e.exp=P("setExpirationTime",b(e)):this.#e.exp=b(new Date)+le(e)}set iat(e){e===void 0?this.#e.iat=b(new Date):e instanceof Date?this.#e.iat=P("setIssuedAt",b(e)):typeof e=="string"?this.#e.iat=P("setIssuedAt",b(new Date)+le(e)):this.#e.iat=P("setIssuedAt",e)}};var x=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return ae(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return ae(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new E("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!_e(this.#t,this.#r))throw new E("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=Fe(E,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new E('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new E('JWS "alg" (Algorithm) Header Parameter missing or invalid');je(o,e,"sign");let a,c;i?(a=G(this.#e),c=M(a)):(c=this.#e,a="");let d,h;this.#t?(d=G(JSON.stringify(this.#t)),h=M(d)):(d="",h=new Uint8Array);let y=Ke(h,M("."),c),m=await We(e,o),A=await Ue(o,m,y),_={signature:G(A),payload:a};return this.#r&&(_.header=this.#r),this.#t&&(_.protected=d),_}};var z=class{#e;constructor(e){this.#e=new x(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${s.protected}.${s.payload}.${s.signature}`}};var J=class{#e;#t;constructor(e={}){this.#t=new q(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new z(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new f("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function Q(t){if(typeof t!="string")throw new f("JWTs must use Compact JWS serialization, JWT must be a string");let{1:e,length:r}=t.split(".");if(r===5)throw new f("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new f("Invalid JWT");if(!e)throw new f("JWTs must contain a payload");let s;try{s=j(e)}catch{throw new f("Failed to base64url decode the payload")}let n;try{n=JSON.parse(T.decode(s))}catch{throw new f("Failed to parse the decoded payload as JSON")}if(!U(n))throw new f("Invalid JWT Claims Set");return n}function fe(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new p("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function me(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:fe(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:fe(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:fe(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new p("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new p('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}import{readFileSync as et,writeFileSync as xe,mkdirSync as Kt,existsSync as re,unlinkSync as Te,statSync as It,renameSync as tt}from"node:fs";import{join as S}from"node:path";import{homedir as Ct}from"node:os";import{randomBytes as rt}from"node:crypto";var _t="https://id.botparty.club",kt="EdDSA",Dt=15,Xe=6e4,Ot=3e4,Ut="5m",Nt=3,Lt=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Wt=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],l=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},ge=class extends l{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},we=class extends l{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},ee=class extends l{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},te=class extends l{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Ve(t){let e=rt(4);return t[e.readUInt32BE(0)%t.length]}function Jt(){return`${Ve(Lt)}-${Ve(Wt)}`}function $t(){let t=Jt(),e=rt(2).toString("hex");return`${t}-${e}`}function Ht(){return S(Ct(),".botparty")}function ve(t){re(t)||Kt(t,{recursive:!0,mode:448})}function Mt(t){let e=S(t,"identity.json");if(!re(e))return null;try{return JSON.parse(et(e,"utf-8"))}catch{return null}}function Ee(t,e){ve(t);let r=S(t,"identity.json"),s=r+".tmp";xe(s,JSON.stringify(e,null,2),{mode:384}),tt(s,r)}function Bt(t){let e=S(t,"private.pem");if(!re(e))return null;try{return et(e,"utf-8")}catch{return null}}function st(t,e){ve(t);let r=S(t,"private.pem"),s=r+".tmp";xe(s,e,{mode:384}),tt(s,r)}function qe(t){for(let e of["identity.json","private.pem"]){let r=S(t,e);re(r)&&Te(r)}}function Ft(t){let e=S(t,"rotation.lock");ve(t);for(let r=0;r<2;r++)try{xe(e,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(s){if(s.code!=="EEXIST")throw s;try{let n=It(e);if(Date.now()-n.mtimeMs>Ot){Te(e);continue}}catch{continue}throw s}}function jt(t){try{Te(S(t,"rotation.lock"))}catch{}}async function nt(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await me(t,e),n=await pe(r),i=await de(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Gt(t,e,r){let s=await V(e,r);return(await new x(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function Se(t,e,r,s,n,i){let o=s,a=await V(r,o);return new J({...n}).setProtectedHeader({alg:o,kid:e}).setIssuer(t).setSubject(i??t).setIssuedAt().setExpirationTime(Ut).sign(a)}async function u(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function ze(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function Z(t){try{return await t.clone().json()}catch{return null}}function $(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var Ae=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},be=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await u(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new l({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await u(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new l({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await nt(r.algorithm),o=await Se(r.namespace,r.keyId,s,r.algorithm),a=await u(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return st(this.client.stateDir,i.privatePem),Ee(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await u(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},Pe=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||C("BOTPARTY_SERVER_URL")||_t).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||C("BOTPARTY_PROXY_URL")||C("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||C("BOTPARTY_STATE_DIR")||Ht(),this.algorithm=e.algorithm||kt,this.rotationTTL=e.rotationTTL||Dt,this.inviteToken=e.inviteToken||C("BOTPARTY_INVITE_TOKEN"),this.keys=new be(this)}getIdentity(){return Mt(this.stateDir)}getPrivateKey(){return Bt(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken,a=o,c;if(o)try{Q(o).typ==="org_invite"&&(a=void 0,c=o)}catch{}for(;i<Nt;){n||(n=$t());let d=r||n,h=await nt(this.algorithm),y=await u(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:h.publicPem,rotationTTL:this.rotationTTL,...a&&{inviteToken:a}})}),m=await y.json();if(m.status==="already_registered")throw new l({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(y.status===409&&!e){n=void 0,i++;continue}if(!y.ok)throw new l({code:m.error||"REGISTRATION_FAILED",message:m.message||m.error||"Registration failed",statusCode:y.status});let A=m.challenge,_=await Gt(A,h.privatePem,this.algorithm),se=await u(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:A,signature:_})});if(!se.ok)throw await this._apiError(se);let g=await se.json();if(st(this.stateDir,h.privatePem),Ee(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:g.keyId,algorithm:this.algorithm,rotatedAt:g.rotatedAt,rotationTTL:g.rotationTTL,label:d,...g.parentNamespace&&{parentNamespace:g.parentNamespace},...g.inheritedScopes&&{inheritedScopes:g.inheritedScopes}}),c)try{let Re=await this.redeemOrgInvite(c);Re.orgId&&this.setActAs(Re.orgId)}catch{}return g}throw new l({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;let r=this.inviteToken,s=!1;if(r)try{s=Q(r).typ==="org_invite"}catch{}if(await this.register(void 0,void 0,{inviteToken:s?void 0:r}),!this.getIdentity())throw new Error("Registration succeeded but identity could not be read");if(s&&r)try{let i=await this.redeemOrgInvite(r);i.orgId&&this.setActAs(i.orgId)}catch{}return this.getIdentity()}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=s-Xe)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){Ft(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<s-Xe)return;await this.keys.rotateCurrent()}finally{jt(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey(),n=this.getActAs(),i=n??r.namespace,o=n?r.namespace:void 0;return Se(i,r.keyId,s,r.algorithm,e,o)}async fetch(e,r={}){let s=await this.generateToken(),n=ze(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await Z(o);if(a){let{code:c}=$(a);if(c==="KEY_STALE"){await this._lockedRotate();let d=await this.generateToken(),h=new Headers(r.headers);h.set("X-Proxy-Authorization",`Bearer ${d}`),o=await fetch(n,{...r,headers:h})}}}if(o.status===403){let a=await Z(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let y=a.proxyUrl.replace(/\/$/,""),m=ze(e,y),A=new Headers(r.headers);return A.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(m,{...r,headers:A})}let d=a.approval_url||a.authorizationUrl;if(d){let y=c==="scope_refused",m=a.missing_scopes||a.missingScopes;throw y||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new ee({message:a.message||"Missing required credentials",actionUrl:d,missingScopes:m}):new te({message:a.message||"Missing required credentials",actionUrl:d})}let{code:h}=$(a);Qe(h)&&Ze(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await Z(o);if(a){let{code:c}=$(a);(Qe(c)||o.status===402||o.status===423)&&Ze(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await u(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await u(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);qe(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await Se(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl,actAs:this.getActAs()}}getActAs(){return C("BOTPARTY_ACT_AS")||this.getIdentity()?.actAs}setActAs(e){let r=this.getIdentity();if(!r)throw new Error("Not registered");e===void 0?delete r.actAs:r.actAs=e,Ee(this.stateDir,r)}async listOrgs(){let e=await this.generateToken(),r=await u(this.serverUrl,"/api/v1/orgs",{token:e});if(!r.ok)throw new Error(`Failed to list orgs: ${r.status}`);return r.json()}async createOrg(e,r=""){let s=await this.generateToken(),n=await u(this.serverUrl,"/api/v1/orgs",{method:"POST",token:s,body:JSON.stringify({name:e,description:r})});if(!n.ok)throw new Error(`Failed to create org: ${n.status}`);return n.json()}async quitOrg(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}/quit`,{method:"POST",token:r});if(!s.ok)throw new Error(`Failed to quit org: ${s.status}`)}async createOrgInvite(e,r){let s=await this.generateToken(),n=await u(this.serverUrl,`/api/v1/orgs/${e}/invites`,{method:"POST",token:s,body:JSON.stringify(r?{expiresIn:r}:{})});if(!n.ok)throw new Error(`Failed to create org invite: ${n.status}`);return n.json()}async redeemOrgInvite(e){let r=await this.generateToken(),s=await u(this.serverUrl,"/api/v1/orgs/invites/redeem",{method:"POST",token:r,body:JSON.stringify({inviteToken:e})});if(!s.ok)throw new Error(`Failed to redeem org invite: ${s.status}`);return s.json()}async listOrgMembers(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}/members`,{token:r});if(!s.ok)throw new Error(`Failed to list org members: ${s.status}`);return s.json()}async removeOrgMember(e,r){let s=await this.generateToken(),n=await u(this.serverUrl,`/api/v1/orgs/${e}/members/${r}`,{method:"DELETE",token:s});if(!n.ok)throw new Error(`Failed to remove org member: ${n.status}`)}async updateMemberRole(e,r,s){let n=await this.generateToken(),i=await u(this.serverUrl,`/api/v1/orgs/${e}/members/${r}/role`,{method:"PATCH",token:n,body:JSON.stringify({role:s})});if(!i.ok)throw new Error(`Failed to update member role: ${i.status}`);return i.json()}async deleteOrg(e){let r=await this.generateToken(),s=await u(this.serverUrl,`/api/v1/orgs/${e}`,{method:"DELETE",token:r});if(!s.ok)throw new Error(`Failed to delete org: ${s.status}`);return s.json()}key(e){return new Ae(this,e)}reset(){qe(this.stateDir)}async _apiError(e){let r=await Z(e);if(!r)return new l({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=$(r);return new l({code:s,message:n,statusCode:e.status,actionUrl:i})}},Yt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Qe(t){return Yt.has(t.toUpperCase())}function Ze(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=$(e),c=r?.namespace||"",d=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new ge({message:i||"Namespace is locked",actionUrl:o||`${d}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new we({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new te({message:i,actionUrl:o||`${d}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new ee({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new l({code:n,message:i,statusCode:t,actionUrl:o})}var ye=null;function Xt(t){return ye||(ye=new Pe(t)),ye}async function bs(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Xt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function C(t){if(typeof process<"u"&&process.env)return process.env[t]}export{Pe as BotPartyClient,l as BotPartyError,ee as InsufficientPermissionError,Ae as Key,be as KeyManager,te as LinkRequiredError,ge as NamespaceLockedError,we as PaymentRequiredError,bs as botpartyFetch,ze as toProxyUrl};
|