@concavejs/cli 0.0.1-alpha.12 → 0.0.1-alpha.13

package/dist/cli.js

@@ -4817,6 +4817,113 @@ var init_base64url = __esm(() => {
   init_buffer_utils();
 });
 
+// ../../node_modules/jose/dist/webapi/lib/crypto_key.js
+function getHashLength(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function checkHashLength(algorithm, expected) {
+  const actual = getHashLength(algorithm.hash);
+  if (actual !== expected)
+    throw unusable(`SHA-${expected}`, "algorithm.hash");
+}
+function getNamedCurve(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage(key, usage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm(key.algorithm, "HMAC"))
+        throw unusable("HMAC");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable("RSASSA-PKCS1-v1_5");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
+        throw unusable("RSA-PSS");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm(key.algorithm, "Ed25519"))
+        throw unusable("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm(key.algorithm, alg))
+        throw unusable(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm(key.algorithm, "ECDSA"))
+        throw unusable("ECDSA");
+      const expected = getNamedCurve(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage(key, usage);
+}
+var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm = (algorithm, name) => algorithm.name === name;
+
+// ../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
+function message(msg, actual, ...types) {
+  types = types.filter(Boolean);
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `one of type ${types.join(", ")}, or ${last}.`;
+  } else if (types.length === 2) {
+    msg += `one of type ${types[0]} or ${types[1]}.`;
+  } else {
+    msg += `of type ${types[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if (actual.constructor?.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types), withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
+
 // ../../node_modules/jose/dist/webapi/util/errors.js
 var exports_errors = {};
 __export(exports_errors, {
@@ -4841,8 +4948,8 @@ var init_errors2 = __esm(() => {
   JOSEError = class JOSEError extends Error {
     static code = "ERR_JOSE_GENERIC";
     code = "ERR_JOSE_GENERIC";
-    constructor(message, options) {
-      super(message, options);
+    constructor(message2, options) {
+      super(message2, options);
       this.name = this.constructor.name;
       Error.captureStackTrace?.(this, this.constructor);
     }
@@ -4853,8 +4960,8 @@ var init_errors2 = __esm(() => {
     claim;
     reason;
     payload;
-    constructor(message, payload, claim = "unspecified", reason = "unspecified") {
-      super(message, { cause: { claim, reason, payload } });
+    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+      super(message2, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -4866,8 +4973,8 @@ var init_errors2 = __esm(() => {
     claim;
     reason;
     payload;
-    constructor(message, payload, claim = "unspecified", reason = "unspecified") {
-      super(message, { cause: { claim, reason, payload } });
+    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+      super(message2, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -4884,8 +4991,8 @@ var init_errors2 = __esm(() => {
   JWEDecryptionFailed = class JWEDecryptionFailed extends JOSEError {
     static code = "ERR_JWE_DECRYPTION_FAILED";
     code = "ERR_JWE_DECRYPTION_FAILED";
-    constructor(message = "decryption operation failed", options) {
-      super(message, options);
+    constructor(message2 = "decryption operation failed", options) {
+      super(message2, options);
     }
   };
   JWEInvalid = class JWEInvalid extends JOSEError {
@@ -4911,145 +5018,34 @@ var init_errors2 = __esm(() => {
   JWKSNoMatchingKey = class JWKSNoMatchingKey extends JOSEError {
     static code = "ERR_JWKS_NO_MATCHING_KEY";
     code = "ERR_JWKS_NO_MATCHING_KEY";
-    constructor(message = "no applicable key found in the JSON Web Key Set", options) {
-      super(message, options);
+    constructor(message2 = "no applicable key found in the JSON Web Key Set", options) {
+      super(message2, options);
     }
   };
   JWKSMultipleMatchingKeys = class JWKSMultipleMatchingKeys extends JOSEError {
     [Symbol.asyncIterator];
     static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
     code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-    constructor(message = "multiple matching keys found in the JSON Web Key Set", options) {
-      super(message, options);
+    constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
+      super(message2, options);
     }
   };
   JWKSTimeout = class JWKSTimeout extends JOSEError {
     static code = "ERR_JWKS_TIMEOUT";
     code = "ERR_JWKS_TIMEOUT";
-    constructor(message = "request timed out", options) {
-      super(message, options);
+    constructor(message2 = "request timed out", options) {
+      super(message2, options);
     }
   };
   JWSSignatureVerificationFailed = class JWSSignatureVerificationFailed extends JOSEError {
     static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
     code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-    constructor(message = "signature verification failed", options) {
-      super(message, options);
+    constructor(message2 = "signature verification failed", options) {
+      super(message2, options);
     }
   };
 });
 
-// ../../node_modules/jose/dist/webapi/lib/crypto_key.js
-function getHashLength(hash) {
-  return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve(alg) {
-  switch (alg) {
-    case "ES256":
-      return "P-256";
-    case "ES384":
-      return "P-384";
-    case "ES512":
-      return "P-521";
-    default:
-      throw new Error("unreachable");
-  }
-}
-function checkUsage(key, usage) {
-  if (usage && !key.usages.includes(usage)) {
-    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
-  }
-}
-function checkSigCryptoKey(key, alg, usage) {
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512": {
-      if (!isAlgorithm(key.algorithm, "HMAC"))
-        throw unusable("HMAC");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "RS256":
-    case "RS384":
-    case "RS512": {
-      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw unusable("RSASSA-PKCS1-v1_5");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "PS256":
-    case "PS384":
-    case "PS512": {
-      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
-        throw unusable("RSA-PSS");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "Ed25519":
-    case "EdDSA": {
-      if (!isAlgorithm(key.algorithm, "Ed25519"))
-        throw unusable("Ed25519");
-      break;
-    }
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87": {
-      if (!isAlgorithm(key.algorithm, alg))
-        throw unusable(alg);
-      break;
-    }
-    case "ES256":
-    case "ES384":
-    case "ES512": {
-      if (!isAlgorithm(key.algorithm, "ECDSA"))
-        throw unusable("ECDSA");
-      const expected = getNamedCurve(alg);
-      const actual = key.algorithm.namedCurve;
-      if (actual !== expected)
-        throw unusable(expected, "algorithm.namedCurve");
-      break;
-    }
-    default:
-      throw new TypeError("CryptoKey does not support this operation");
-  }
-  checkUsage(key, usage);
-}
-var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm = (algorithm, name) => algorithm.name === name;
-
-// ../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
-function message(msg, actual, ...types) {
-  types = types.filter(Boolean);
-  if (types.length > 2) {
-    const last = types.pop();
-    msg += `one of type ${types.join(", ")}, or ${last}.`;
-  } else if (types.length === 2) {
-    msg += `one of type ${types[0]} or ${types[1]}.`;
-  } else {
-    msg += `of type ${types[0]}.`;
-  }
-  if (actual == null) {
-    msg += ` Received ${actual}`;
-  } else if (typeof actual === "function" && actual.name) {
-    msg += ` Received function ${actual.name}`;
-  } else if (typeof actual === "object" && actual != null) {
-    if (actual.constructor?.name) {
-      msg += ` Received an instance of ${actual.constructor.name}`;
-    }
-  }
-  return msg;
-}
-var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types), withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
-
 // ../../node_modules/jose/dist/webapi/lib/is_key_like.js
 var isCryptoKey = (key) => {
   if (key?.[Symbol.toStringTag] === "CryptoKey")
@@ -5061,7 +5057,34 @@ var isCryptoKey = (key) => {
   }
 }, isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject", isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
 
-// ../../node_modules/jose/dist/webapi/lib/is_disjoint.js
+// ../../node_modules/jose/dist/webapi/lib/helpers.js
+function decodeBase64url(value, label, ErrorClass) {
+  try {
+    return decode(value);
+  } catch {
+    throw new ErrorClass(`Failed to base64url decode the ${label}`);
+  }
+}
+var unprotected;
+var init_helpers = __esm(() => {
+  init_base64url();
+  unprotected = Symbol();
+});
+
+// ../../node_modules/jose/dist/webapi/lib/type_checks.js
+function isObject(input) {
+  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
 function isDisjoint(...headers) {
   const sources = headers.filter(Boolean);
   if (sources.length === 0 || sources.length === 1) {
@@ -5083,24 +5106,9 @@ function isDisjoint(...headers) {
   }
   return true;
 }
+var isObjectLike = (value) => typeof value === "object" && value !== null, isJWK = (key) => isObject(key) && typeof key.kty === "string", isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
 
-// ../../node_modules/jose/dist/webapi/lib/is_object.js
-function isObject(input) {
-  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-}
-var isObjectLike = (value) => typeof value === "object" && value !== null;
-
-// ../../node_modules/jose/dist/webapi/lib/check_key_length.js
+// ../../node_modules/jose/dist/webapi/lib/signing.js
 function checkKeyLength(alg, key) {
   if (alg.startsWith("RS") || alg.startsWith("PS")) {
     const { modulusLength } = key.algorithm;
@@ -5109,6 +5117,59 @@ function checkKeyLength(alg, key) {
     }
   }
 }
+function subtleAlgorithm(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function getSigKey(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey(key, alg, usage);
+  return key;
+}
+async function verify(alg, key, signature, data) {
+  const cryptoKey = await getSigKey(alg, key, "verify");
+  checkKeyLength(alg, cryptoKey);
+  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
+var init_signing = __esm(() => {
+  init_errors2();
+});
 
 // ../../node_modules/jose/dist/webapi/lib/jwk_to_key.js
 function subtleMapping(jwk) {
@@ -5124,7 +5185,7 @@ function subtleMapping(jwk) {
           keyUsages = jwk.priv ? ["sign"] : ["verify"];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
@@ -5153,22 +5214,19 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
     case "EC": {
       switch (jwk.alg) {
         case "ES256":
-          algorithm = { name: "ECDSA", namedCurve: "P-256" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES384":
-          algorithm = { name: "ECDSA", namedCurve: "P-384" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES512":
-          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          algorithm = {
+            name: "ECDSA",
+            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
+          };
           keyUsages = jwk.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
@@ -5177,142 +5235,53 @@ function subtleMapping(jwk) {
         case "ECDH-ES+A256KW":
           algorithm = { name: "ECDH", namedCurve: jwk.crv };
           keyUsages = jwk.d ? ["deriveBits"] : [];
-          break;
-        default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-      }
-      break;
-    }
-    case "OKP": {
-      switch (jwk.alg) {
-        case "Ed25519":
-        case "EdDSA":
-          algorithm = { name: "Ed25519" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "ECDH-ES":
-        case "ECDH-ES+A128KW":
-        case "ECDH-ES+A192KW":
-        case "ECDH-ES+A256KW":
-          algorithm = { name: jwk.crv };
-          keyUsages = jwk.d ? ["deriveBits"] : [];
-          break;
-        default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-      }
-      break;
-    }
-    default:
-      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
-  }
-  return { algorithm, keyUsages };
-}
-async function jwkToKey(jwk) {
-  if (!jwk.alg) {
-    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-  }
-  const { algorithm, keyUsages } = subtleMapping(jwk);
-  const keyData = { ...jwk };
-  if (keyData.kty !== "AKP") {
-    delete keyData.alg;
-  }
-  delete keyData.use;
-  return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
-}
-var init_jwk_to_key = __esm(() => {
-  init_errors2();
-});
-
-// ../../node_modules/jose/dist/webapi/key/import.js
-async function importJWK(jwk, alg, options) {
-  if (!isObject(jwk)) {
-    throw new TypeError("JWK must be an object");
-  }
-  let ext;
-  alg ??= jwk.alg;
-  ext ??= options?.extractable ?? jwk.ext;
-  switch (jwk.kty) {
-    case "oct":
-      if (typeof jwk.k !== "string" || !jwk.k) {
-        throw new TypeError('missing "k" (Key Value) Parameter value');
-      }
-      return decode(jwk.k);
-    case "RSA":
-      if ("oth" in jwk && jwk.oth !== undefined) {
-        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
-      }
-      return jwkToKey({ ...jwk, alg, ext });
-    case "AKP": {
-      if (typeof jwk.alg !== "string" || !jwk.alg) {
-        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+          break;
+        default:
+          throw new JOSENotSupported(unsupportedAlg);
       }
-      if (alg !== undefined && alg !== jwk.alg) {
-        throw new TypeError("JWK alg and alg option value mismatch");
+      break;
+    }
+    case "OKP": {
+      switch (jwk.alg) {
+        case "Ed25519":
+        case "EdDSA":
+          algorithm = { name: "Ed25519" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported(unsupportedAlg);
       }
-      return jwkToKey({ ...jwk, ext });
+      break;
     }
-    case "EC":
-    case "OKP":
-      return jwkToKey({ ...jwk, alg, ext });
     default:
-      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
   }
+  return { algorithm, keyUsages };
 }
-var init_import = __esm(() => {
-  init_base64url();
-  init_jwk_to_key();
-  init_errors2();
-});
-
-// ../../node_modules/jose/dist/webapi/lib/validate_crit.js
-function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-  }
-  if (!protectedHeader || protectedHeader.crit === undefined) {
-    return new Set;
-  }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  }
-  let recognized;
-  if (recognizedOption !== undefined) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
+async function jwkToKey(jwk) {
+  if (!jwk.alg) {
+    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
   }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-    }
+  const { algorithm, keyUsages } = subtleMapping(jwk);
+  const keyData = { ...jwk };
+  if (keyData.kty !== "AKP") {
+    delete keyData.alg;
   }
-  return new Set(protectedHeader.crit);
+  delete keyData.use;
+  return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
 }
-var init_validate_crit = __esm(() => {
+var unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
+var init_jwk_to_key = __esm(() => {
   init_errors2();
 });
 
-// ../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
-function validateAlgorithms(option, algorithms) {
-  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
-    throw new TypeError(`"${option}" option must be an array of strings`);
-  }
-  if (!algorithms) {
-    return;
-  }
-  return new Set(algorithms);
-}
-
-// ../../node_modules/jose/dist/webapi/lib/is_jwk.js
-var isJWK = (key) => isObject(key) && typeof key.kty === "string", isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
-var init_is_jwk = () => {};
-
 // ../../node_modules/jose/dist/webapi/lib/normalize_key.js
 async function normalizeKey(key, alg) {
   if (key instanceof Uint8Array) {
@@ -5345,7 +5314,7 @@ async function normalizeKey(key, alg) {
   }
   throw new Error("unreachable");
 }
-var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
+var unusableForAlg = "given KeyObject instance cannot be used for this algorithm", cache, handleJWK = async (key, jwk, alg, freeze = false) => {
   cache ||= new WeakMap;
   let cached = cache.get(key);
   if (cached?.[alg]) {
@@ -5377,13 +5346,13 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
       case "ECDH-ES+A256KW":
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
   }
   if (keyObject.asymmetricKeyType === "ed25519") {
     if (alg !== "EdDSA" && alg !== "Ed25519") {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      throw new TypeError(unusableForAlg);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
       isPublic ? "verify" : "sign"
@@ -5394,7 +5363,7 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
     case "ml-dsa-65":
     case "ml-dsa-87": {
       if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
       }
       cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
         isPublic ? "verify" : "sign"
@@ -5423,7 +5392,7 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
         hash = "SHA-512";
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
     }
     if (alg.startsWith("RSA-OAEP")) {
       return keyObject.toCryptoKey({
@@ -5444,21 +5413,10 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
     ]);
     const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
     if (!namedCurve) {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    }
-    if (alg === "ES256" && namedCurve === "P-256") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg === "ES384" && namedCurve === "P-384") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
+      throw new TypeError(unusableForAlg);
     }
-    if (alg === "ES512" && namedCurve === "P-521") {
+    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
       cryptoKey = keyObject.toCryptoKey({
         name: "ECDSA",
         namedCurve
@@ -5472,7 +5430,7 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
     }
   }
   if (!cryptoKey) {
-    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    throw new TypeError(unusableForAlg);
   }
   if (!cached) {
     cache.set(keyObject, { [alg]: cryptoKey });
@@ -5482,11 +5440,96 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
   return cryptoKey;
 };
 var init_normalize_key = __esm(() => {
-  init_is_jwk();
   init_base64url();
   init_jwk_to_key();
 });
 
+// ../../node_modules/jose/dist/webapi/key/import.js
+async function importJWK(jwk, alg, options) {
+  if (!isObject(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ??= jwk.alg;
+  ext ??= options?.extractable ?? jwk.ext;
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== undefined) {
+        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return jwkToKey({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== undefined && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return jwkToKey({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return jwkToKey({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+var init_import = __esm(() => {
+  init_base64url();
+  init_jwk_to_key();
+  init_errors2();
+});
+
+// ../../node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === undefined) {
+    return new Set;
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== undefined) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+var init_validate_crit = __esm(() => {
+  init_errors2();
+});
+
+// ../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
+function validateAlgorithms(option, algorithms) {
+  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return;
+  }
+  return new Set(algorithms);
+}
+
 // ../../node_modules/jose/dist/webapi/lib/check_key_type.js
 function checkKeyType(alg, key, usage) {
   switch (alg.substring(0, 2)) {
@@ -5603,73 +5646,7 @@ var tag = (key) => key?.[Symbol.toStringTag], jwkMatchesOp = (alg, key, usage) =
     }
   }
 };
-var init_check_key_type = __esm(() => {
-  init_is_jwk();
-});
-
-// ../../node_modules/jose/dist/webapi/lib/subtle_dsa.js
-function subtleAlgorithm(alg, algorithm) {
-  const hash = `SHA-${alg.slice(-3)}`;
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-    case "Ed25519":
-    case "EdDSA":
-      return { name: "Ed25519" };
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return { name: alg };
-    default:
-      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-var init_subtle_dsa = __esm(() => {
-  init_errors2();
-});
-
-// ../../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js
-async function getSigKey(alg, key, usage) {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
-  }
-  checkSigCryptoKey(key, alg, usage);
-  return key;
-}
-var init_get_sign_verify_key = () => {};
-
-// ../../node_modules/jose/dist/webapi/lib/verify.js
-async function verify(alg, key, signature, data) {
-  const cryptoKey = await getSigKey(alg, key, "verify");
-  checkKeyLength(alg, cryptoKey);
-  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
-  try {
-    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-  } catch {
-    return false;
-  }
-}
-var init_verify = __esm(() => {
-  init_subtle_dsa();
-  init_get_sign_verify_key();
-});
+var init_check_key_type = () => {};
 
 // ../../node_modules/jose/dist/webapi/jws/flattened/verify.js
 async function flattenedVerify(jws, key, options) {
@@ -5737,12 +5714,7 @@ async function flattenedVerify(jws, key, options) {
   }
   checkKeyType(alg, key, "verify");
   const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array, encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
-  let signature;
-  try {
-    signature = decode(jws.signature);
-  } catch {
-    throw new JWSInvalid("Failed to base64url decode the signature");
-  }
+  const signature = decodeBase64url(jws.signature, "signature", JWSInvalid);
   const k = await normalizeKey(key, alg);
   const verified = await verify(alg, k, signature, data);
   if (!verified) {
@@ -5750,11 +5722,7 @@ async function flattenedVerify(jws, key, options) {
   }
   let payload;
   if (b64) {
-    try {
-      payload = decode(jws.payload);
-    } catch {
-      throw new JWSInvalid("Failed to base64url decode the payload");
-    }
+    payload = decodeBase64url(jws.payload, "payload", JWSInvalid);
   } else if (typeof jws.payload === "string") {
     payload = encoder.encode(jws.payload);
   } else {
@@ -5772,11 +5740,12 @@ async function flattenedVerify(jws, key, options) {
   }
   return result;
 }
-var init_verify2 = __esm(() => {
+var init_verify = __esm(() => {
   init_base64url();
-  init_verify();
+  init_signing();
   init_errors2();
   init_buffer_utils();
+  init_helpers();
   init_check_key_type();
   init_validate_crit();
   init_normalize_key();
@@ -5801,8 +5770,8 @@ async function compactVerify(jws, key, options) {
   }
   return result;
 }
-var init_verify3 = __esm(() => {
-  init_verify2();
+var init_verify2 = __esm(() => {
+  init_verify();
   init_errors2();
   init_buffer_utils();
 });
@@ -6046,8 +6015,8 @@ async function jwtVerify(jwt, key, options) {
   }
   return result;
 }
-var init_verify4 = __esm(() => {
-  init_verify3();
+var init_verify3 = __esm(() => {
+  init_verify2();
   init_jwt_claims_set();
   init_errors2();
 });
@@ -6332,7 +6301,7 @@ var init_remote = __esm(() => {
   init_local();
   if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
     const NAME = "jose";
-    const VERSION = "v6.1.3";
+    const VERSION = "v6.2.1";
     USER_AGENT = `${NAME}/${VERSION}`;
   }
   customFetch = Symbol();
@@ -6341,7 +6310,7 @@ var init_remote = __esm(() => {
 
 // ../../node_modules/jose/dist/webapi/index.js
 var init_webapi = __esm(() => {
-  init_verify4();
+  init_verify3();
   init_local();
   init_remote();
   init_errors2();
@@ -22565,7 +22534,7 @@ var WATCH_IGNORE_PATTERNS = [
   /(^|[/\\])_generated([/\\]|$)/
 ];
 // package.json
-var version2 = "0.0.1-alpha.12";
+var version2 = "0.0.1-alpha.13";
 
 // src/cli/cli.ts
 var DEFAULT_CONVEX_VERSION_RANGE = "^1.27.3";