@datacules/agent-identity 0.9.0 → 0.11.0
- package/README.md +128 -0
- package/dist/cjs/attestation.js +131 -29
- package/dist/cjs/attestation.js.map +1 -1
- package/dist/cjs/identity-providers.js +100 -0
- package/dist/cjs/identity-providers.js.map +1 -0
- package/dist/cjs/index.js +5 -0
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/revocation-listener.js +78 -0
- package/dist/cjs/revocation-listener.js.map +1 -0
- package/dist/cjs/revocation.js +59 -0
- package/dist/cjs/revocation.js.map +1 -0
- package/dist/cjs/rotation.js +6 -1
- package/dist/cjs/rotation.js.map +1 -1
- package/dist/cjs/router.js +27 -5
- package/dist/cjs/router.js.map +1 -1
- package/dist/cjs/schemas.js +26 -2
- package/dist/cjs/schemas.js.map +1 -1
- package/dist/esm/attestation.js +129 -28
- package/dist/esm/attestation.js.map +1 -1
- package/dist/esm/identity-providers.js +97 -0
- package/dist/esm/identity-providers.js.map +1 -0
- package/dist/esm/index.js +5 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/revocation-listener.js +74 -0
- package/dist/esm/revocation-listener.js.map +1 -0
- package/dist/esm/revocation.js +55 -0
- package/dist/esm/revocation.js.map +1 -0
- package/dist/esm/rotation.js +6 -1
- package/dist/esm/rotation.js.map +1 -1
- package/dist/esm/router.js +27 -5
- package/dist/esm/router.js.map +1 -1
- package/dist/esm/schemas.js +25 -1
- package/dist/esm/schemas.js.map +1 -1
- package/dist/types/attestation.d.ts +34 -6
- package/dist/types/attestation.d.ts.map +1 -1
- package/dist/types/identity-providers.d.ts +53 -0
- package/dist/types/identity-providers.d.ts.map +1 -0
- package/dist/types/index.d.ts +3 -0
- package/dist/types/index.d.ts.map +1 -1
- package/dist/types/revocation-listener.d.ts +63 -0
- package/dist/types/revocation-listener.d.ts.map +1 -0
- package/dist/types/revocation.d.ts +52 -0
- package/dist/types/revocation.d.ts.map +1 -0
- package/dist/types/rotation.d.ts.map +1 -1
- package/dist/types/router.d.ts +14 -0
- package/dist/types/router.d.ts.map +1 -1
- package/dist/types/schemas.d.ts +89 -4
- package/dist/types/schemas.d.ts.map +1 -1
- package/dist/types/types.d.ts +82 -1
- package/dist/types/types.d.ts.map +1 -1
- package/package.json +1 -1
package/dist/cjs/rotation.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"rotation.js","sourceRoot":"","sources":["../../src/rotation.ts"],"names":[],"mappings":";;;AA+BA,
|
|
1
|
+
{"version":3,"file":"rotation.js","sourceRoot":"","sources":["../../src/rotation.ts"],"names":[],"mappings":";;;AA+BA,kFAAkF;AAElF,MAAa,2BAA2B;IAItC,YACmB,UAA8B,EAC9B,WAAyB;QADzB,eAAU,GAAV,UAAU,CAAoB;QAC9B,gBAAW,GAAX,WAAW,CAAc;QAL3B,cAAS,GAAG,IAAI,GAAG,EAA4B,CAAC;QACzD,mBAAc,GAA0C,IAAI,CAAC;IAKlE,CAAC;IAEJ,gBAAgB,CAAC,QAA0B;QACzC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,OAAO;QACX,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC;QACvD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,2CAA2C;YAC3C,IAAI,CAAC,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAE7B,oEAAoE;YACpE,8DAA8D;YAC9D,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW;gBAAE,SAAS;YAE1C,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YACzD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;gBACtD,SAAS;YACX,CAAC;YAED,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW;gBACxC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC/C,CAAC,CAAC,IAAI,CAAC;YAET,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,CAAC,IAAI,CAAC,kDAAkD,IAAI,CAAC,EAAE,kBAAkB,IAAI,CAAC,QAAQ,CAAC,WAAW,IAAI,OAAO,GAAG,CAAC,CAAC;gBACjI,SAAS;YACX,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC1D,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC,CAAC;gBAE/E,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;wBACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,OAAO,EAAE,YAAY,IAAI,CAAC,EAAE,EAAE;wBAC9B,MAAM,EAAE,QAAQ;wBAChB,MAAM,EAAE,oBAAoB;wBAC5B,UAAU,EAAE,IAAI,CAAC,EAAE;wBACnB,YAAY,EAAE,QAAQ;wBACtB,QAAQ,EAAE,OAAO;wBACjB,KAAK,EAAE,QAAQ;wBACf,YAAY,EAAE,IAAI,CAAC,EAAE;wBACrB,cAAc,EAAE,IAAI,CAAC,IAAI;wBACzB,WAAW,EAAE,QAAQ;qBACtB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,2CAA2C,IAAI,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;gBAC1E,IAAI,IAAI,CAAC
,WAAW,EAAE,CAAC;oBACrB,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;wBACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,OAAO,EAAE,YAAY,IAAI,CAAC,EAAE,EAAE;wBAC9B,MAAM,EAAE,QAAQ;wBAChB,MAAM,EAAE,4BAA4B;wBACpC,UAAU,EAAE,IAAI,CAAC,EAAE;wBACnB,YAAY,EAAE,QAAQ;wBACtB,QAAQ,EAAE,OAAO;wBACjB,KAAK,EAAE,QAAQ;wBACf,YAAY,EAAE,IAAI,CAAC,EAAE;wBACrB,cAAc,EAAE,IAAI,CAAC,IAAI;wBACzB,WAAW,EAAE,QAAQ;qBACtB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU,GAAG,OAAS;QAC1B,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI;YAAE,OAAO;QACzC,IAAI,CAAC,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE;YACrC,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC,EAAE,UAAU,CAAC,CAAC;IACjB,CAAC;IAED,IAAI;QACF,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;YACjC,aAAa,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACnC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,IAAgB,EAAE,MAAsB,EAAE,GAAS;QACvE,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC7D,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC/C,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,GAAG,QAAU,CAAC;YACvE,IAAI,SAAS,IAAI,MAAM,CAAC,eAAe;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,IAAgB,EAAE,MAAsB,EAAE,GAAS;QAChF,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,OAAO;QAC9B,IAAI,MAAM,CAAC,gBAAgB,KAAK,SAAS,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACtG,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC/C,MAAM,YAAY,GAAG,MAAM,CAAC,eAAe,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,GAAG,QAAU,CAAC;YACnG,IAAI,YAAY,GAAG,CAAC,IAAI,YAAY,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;gBAChE,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;oBACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,OAAO,EAAE,oBAAoB,IAAI,CAAC,EAAE,EAAE;oBACtC,MAAM,EAAE,QAAQ;oBAChB,MAAM,EAAE,yBAAyB;oBACjC,UAAU,EAAE,IAAI,CAAC,EAAE;oBACnB,YAAY,EAAE,QAAQ;oBACtB,QAAQ,EAAE,OAAO;oBACjB,KAAK,EAAE,QAAQ;oBACf,YAAY,EAAE,IAAI,CAAC,EAAE;oBACrB,cAAc,EAAE,IAAI,CAAC,IAAI;oBACzB,WAAW,EAAE,QAAQ;iBACtB,CAAC,CAAC;Y
ACL,CAAC;QACH,CAAC;IACH,CAAC;CACF;AArID,kEAqIC"}
|
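--- a/package/dist/cjs/router.js
+++ b/package/dist/cjs/router.js
@@ -10,6 +10,8 @@
 * - resolveAsync(): full async resolution path for cloud stores
 * - resolvePairAsync(): async migration pair resolution (async counterpart
 * of resolvePair(), enabling budget + attestation on migration workflows)
+* - Unclaimed guard: credentials with status='unclaimed' are never routed
+* until the auth.md claim ceremony completes and status flips to 'active'
 */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CredentialRouter = exports.MemoryCredentialStore = void 0;
@@ -50,6 +52,20 @@ class MemoryCredentialStore {
 if (existing?.migrationId === migrationId)
 this.reservations.delete(ref);
 }
+/**
+* revokeByIdentity — MemoryCredentialStore no-op implementation.
+*
+* MemoryCredentialStore does not track the issuer/subject triple that
+* corresponds to each credential (it only stores the credential object
+* itself). It therefore cannot determine which credentials belong to
+* a given identity triple and always returns 0.
+*
+* Implementers of custom stores should override this to mark matching
+* credentials as status='revoked' based on their own metadata schema.
+*/
+async revokeByIdentity(_issuer, _subject, _audience) {
+return 0;
+}
 }
 exports.MemoryCredentialStore = MemoryCredentialStore;
 class CredentialRouter {
@@ -76,6 +92,9 @@ class CredentialRouter {
 return null;
 if (cred.expiresAt && new Date(cred.expiresAt) < new Date())
 return null;
+// Unclaimed credentials (auth.md pre-claim) must not be resolved
+if (cred.status === 'unclaimed')
+return null;
 if (rule.readOnly && !cred.scope.toLowerCase().includes('read'))
 return null;
 const resolved = {
@@ -115,6 +134,9 @@ class CredentialRouter {
 return null;
 if (cred.expiresAt && new Date(cred.expiresAt) < new Date())
 return null;
+// Unclaimed credentials (auth.md pre-claim) must not be resolved
+if (cred.status === 'unclaimed')
+return null;
 if (rule.readOnly && !cred.scope.toLowerCase().includes('read'))
 return null;
 // Budget check
@@ -154,7 +176,7 @@ class CredentialRouter {
 return null;
 return { source, target, migrationId: ctx.migrationId };
 }
-// ─── Pair resolve for migration (async)
+// ─── Pair resolve for migration (async) ────────────────────────────────
 /**
 * Async counterpart of resolvePair(). Resolves source and target credentials
 * in parallel using resolveAsync(), so both resolutions benefit from:
@@ -200,7 +222,7 @@ class CredentialRouter {
 }
 return { source, target, migrationId: ctx.migrationId, expiresAt };
 }
-// ─── Canary selection
+// ─── Canary selection ───────────────────────────────────────────────────
 selectRef(rule) {
 if (rule.canaryRef && rule.canaryWeight && rule.canaryWeight > 0) {
 const roll = Math.random() * 100;
@@ -209,7 +231,7 @@ class CredentialRouter {
 }
 return rule.credentialRef;
 }
-// ─── Rule matching
+// ─── Rule matching ─────────────────────────────────────────────────────
 ruleMatches(rule, ctx) {
 if (rule.matchResourceKind && rule.matchResourceKind !== ctx.resourceKind)
 return false;
@@ -234,7 +256,7 @@ class CredentialRouter {
 }
 return true;
 }
-// ─── Audit entry builder
+// ─── Audit entry builder ───────────────────────────────────────────────
 buildAuditEntry(ctx, resolved, rule, isCanary) {
 return {
 timestamp: new Date().toISOString(),
@@ -254,7 +276,7 @@ class CredentialRouter {
 }
 }
 exports.CredentialRouter = CredentialRouter;
-// ─── Factory functions
+// ─── Factory functions ───────────────────────────────────────────────────────────
 function createRouter(credentials, rules, logger) {
 return new CredentialRouter({ store: new MemoryCredentialStore(credentials), rules, logger });
 }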
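Review bot: The status guard added on both resolve paths (new lines 95–97 and 137–139), `if (cred.status === 'unclaimed') return null;`, rejects one status value rather than requiring the single routable one, so the router would still hand out a credential whose status is `pending` or `revoked` if the store returns it. The new doc comment on `revokeByIdentity` tells custom-store authors to mark credentials `status='revoked'`, yet nothing in the visible lines makes the router refuse that status; a store's own lookup may filter it, but that code is outside these hunks. I would make the guard fail closed with `if (cred.status !== 'active') return null;` and reword the comment to `// Only 'active' credentials are routable (unclaimed, pending and revoked are refused)`. Both enclosing methods start and end outside their hunks, so this should be confirmed against the lines above the expiry check.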
package/dist/cjs/router.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/router.ts"],"names":[],"mappings":";AAAA
|
|
1
|
+
{"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/router.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAiUH,oCAMC;AAED,sDAMC;AAED,wDAEC;AArUD,+CAAiD;AAQjD,SAAS,aAAa,CAAC,KAAsB;IAC3C,OAAO,OAAQ,KAA0B,CAAC,aAAa,KAAK,UAAU,CAAC;AACzE,CAAC;AAcD,MAAa,qBAAqB;IAIhC,YAAY,WAAyB;QAFpB,iBAAY,GAAG,IAAI,GAAG,EAAsD,CAAC;QAG5F,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC;IAC3B,CAAC;IAED,aAAa,CAAC,GAAW;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,IAAI,IAAI,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,OAAO,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAwB;QACvC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB,EAAE,UAAkB;QAChE,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,QAAQ,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW,IAAI,QAAQ,CAAC,SAAS,GAAG,GAAG;YAAE,OAAO,KAAK,CAAC;QAC/F,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,GAAG,UAAU,GAAG,IAAI,EAAE,CAAC,CAAC;QAChF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,QAAQ,EAAE,WAAW,KAAK,WAAW;YAAE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3E,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,gBAAgB,CACpB,OAAe,EACf,QAAgB,EAChB,SAAiB;QAEjB,OAAO,CAAC,CAAC;IACX,CAAC;CACF;AAvDD,sDAuDC;AAED,MAAa,gBAAgB;IAC3B,YAA6B,MAAoB;QAApB,WAAM,GAAN,MAAM,CAAc;IAAG,CAAC;IAErD,6EAA6E;IAE7E,OAAO,CAAC,GAAwB;QAC9B,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QACrC,MAAM,QAAQ,GAAG,KAAK;aACnB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;aACvC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,C
AAC,QAAQ,CAAC,CAAC;QAE3C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,CAAC,IAAI,CAAC,6FAA6F,CAAC,CAAC;YAC5G,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,KAAK,IAAI,CAAC,SAAS,CAAC;QAExC,MAAM,IAAI,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE;YAAE,OAAO,IAAI,CAAC;QACzE,iEAAiE;QACjE,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QAC7C,IAAI,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAE7E,MAAM,QAAQ,GAAuB;YACnC,YAAY,EAAE,IAAI,CAAC,EAAE;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,WAAW,EAAE,IAAI,CAAC,IAAI,KAAK,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACpE,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ;YACR,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;YAClE,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACtE,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,6EAA6E;IAE7E,KAAK,CAAC,YAAY,CAAC,GAAwB;QACzC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QACzF,MAAM,QAAQ,GAAG,KAAK;aACnB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;aACvC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;QAE3C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,gBAAgB;QAChB,IAAI,IAAI,CAAC,QAAQ,IAAI,eAAe,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;YAC9F,IAAI,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,aAAa;gBAAE,OAAO,IAAI,CAAC;QACrE,CAAC;QAED,MAAM,GA
AG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,KAAK,IAAI,CAAC,SAAS,CAAC;QAExC,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE;YAAE,OAAO,IAAI,CAAC;QACzE,iEAAiE;QACjE,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QAC7C,IAAI,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAE7E,eAAe;QACf,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC;QACnC,CAAC;QAED,MAAM,QAAQ,GAAuB;YACnC,YAAY,EAAE,IAAI,CAAC,EAAE;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,WAAW,EAAE,IAAI,CAAC,IAAI,KAAK,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACpE,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ;YACR,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;QAEF,cAAc;QACd,IAAI,iBAAiB,EAAE,CAAC;YACtB,QAAQ,CAAC,qBAAqB,GAAG,MAAM,IAAA,8BAAgB,EAAC,GAAG,EAAE,QAAQ,EAAE;gBACrE,MAAM,EAAE,iBAAiB;gBACzB,MAAM,EAAE,IAAI,CAAC,EAAE;aAChB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;QACpF,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,4EAA4E;IAE5E,WAAW,CAAC,GAAqB;QAC/B,MAAM,SAAS,GAAwB,EAAE,GAAG,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,gBAAgB,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACpG,MAAM,SAAS,GAAwB,EAAE,GAAG,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,gBAAgB,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAE9H,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEpC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC;IAC1D,CAAC;IAED,0EAA0E;IAE1E;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,gBAAgB,CAAC,GAAqB;QAC1C,MAAM,SAAS,GAAwB;YACrC,GAAG,GAAG;YACN,UAAU,EAAE,GAAG,C
AAC,gBAAgB;YAChC,MAAM,EAAE,MAAM;SACf,CAAC;QACF,MAAM,SAAS,GAAwB;YACrC,GAAG,GAAG;YACN,UAAU,EAAE,GAAG,CAAC,gBAAgB;YAChC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM;SACzC,CAAC;QAEF,6EAA6E;QAC7E,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACzC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC;YAC5B,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC;SAC7B,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEpC,2DAA2D;QAC3D,IAAI,SAA6B,CAAC;QAClC,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACzC,SAAS,GAAG,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC;QACxF,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,CAAC;QACnD,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,SAAS,EAAE,CAAC;IACrE,CAAC;IAED,2EAA2E;IAEnE,SAAS,CAAC,IAAiB;QACjC,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,YAAY,GAAG,CAAC,EAAE,CAAC;YACjE,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC;YACjC,IAAI,IAAI,GAAG,IAAI,CAAC,YAAY;gBAAE,OAAO,IAAI,CAAC,SAAS,CAAC;QACtD,CAAC;QACD,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAED,0EAA0E;IAElE,WAAW,CAAC,IAAiB,EAAE,GAAwB;QAC7D,IAAI,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,iBAAiB,KAAK,GAAG,CAAC,YAAY;YAAE,OAAO,KAAK,CAAC;QACxF,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,KAAK,GAAG,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC5E,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,KAAK,GAAG,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACtE,IAAI,IAAI,CAAC,aAAa,IAAI,GAAG,CAAC,QAAQ,KAAK,IAAI,CAAC,aAAa;YAAE,OAAO,KAAK,CAAC;QAC5E,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACxF,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;QAClD,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,MAAM,GAAG,GAAuB,CAAC;YACvC,IAAI,CAAC,MAAM,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;YAChC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAA
U,CAAC,CAAC;YACpF,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;QACnD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,0EAA0E;IAElE,eAAe,CACrB,GAAwB,EACxB,QAA4B,EAC5B,IAAiB,EACjB,QAAiB;QAEjB,OAAO;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,cAAc,EAAE,QAAQ,CAAC,IAAI;YAC7B,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,QAAQ;YACR,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC;IACJ,CAAC;CACF;AA9ND,4CA8NC;AAED,oFAAoF;AAEpF,SAAgB,YAAY,CAC1B,WAAyB,EACzB,KAAoB,EACpB,MAAoB;IAEpB,OAAO,IAAI,gBAAgB,CAAC,EAAE,KAAK,EAAE,IAAI,qBAAqB,CAAC,WAAW,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;AAChG,CAAC;AAED,SAAgB,qBAAqB,CACnC,KAAsB,EACtB,KAAoB,EACpB,MAAoB;IAEpB,OAAO,IAAI,gBAAgB,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,SAAgB,sBAAsB,CAAC,MAAoB;IACzD,OAAO,IAAI,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC"}
|
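--- a/package/dist/cjs/schemas.js
+++ b/package/dist/cjs/schemas.js
@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.MigrationContextSchema = exports.AgentRequestContextSchema = exports.RoutingRuleSchema = exports.CredentialSchema = exports.ApprovalPolicySchema = exports.ApproverSchema = exports.BudgetPolicySchema = exports.RotationPolicySchema = exports.ApproverKindSchema = exports.MigrationPhaseSchema = exports.CredentialStatusSchema = exports.CredentialKindSchema = exports.ResourceKindSchema = exports.SupportedProviderSchema = void 0;
+exports.TrustedProviderRegistrySchema = exports.TrustedIdentityProviderSchema = exports.MigrationContextSchema = exports.AgentRequestContextSchema = exports.RoutingRuleSchema = exports.CredentialSchema = exports.ApprovalPolicySchema = exports.ApproverSchema = exports.BudgetPolicySchema = exports.RotationPolicySchema = exports.ApproverKindSchema = exports.MigrationPhaseSchema = exports.CredentialStatusSchema = exports.CredentialKindSchema = exports.ResourceKindSchema = exports.SupportedProviderSchema = void 0;
 /**
 * @datacules/agent-identity/schemas
 *
@@ -22,7 +22,11 @@ exports.SupportedProviderSchema = zod_1.z.enum([
 ]);
 exports.ResourceKindSchema = zod_1.z.enum(['shared', 'personal']);
 exports.CredentialKindSchema = zod_1.z.enum(['fixed', 'user-delegated']);
-
+/**
+* 'unclaimed' added for auth.md anonymous-flow credentials that are
+* awaiting claim ceremony completion before becoming fully active.
+*/
+exports.CredentialStatusSchema = zod_1.z.enum(['active', 'pending', 'unclaimed', 'revoked']);
 exports.MigrationPhaseSchema = zod_1.z.enum([
 'dry-run',
 'extract',
@@ -80,6 +84,12 @@ exports.CredentialSchema = zod_1.z.object({
 rotation: exports.RotationPolicySchema.optional(),
 budget: exports.BudgetPolicySchema.optional(),
 tags: zod_1.z.array(zod_1.z.string()).optional(),
+// auth.md claim-ceremony fields
+preClaimScopes: zod_1.z.array(zod_1.z.string()).optional(),
+postClaimScopes: zod_1.z.array(zod_1.z.string()).optional(),
+claimedAt: zod_1.z.string().datetime().optional(),
+// claimToken is intentionally omitted from the schema — it must never
+// be serialised or validated at an API boundary; it is held in memory only.
 });
 // ─── Routing Rule ──────────────────────────────────────────────────────────
 exports.RoutingRuleSchema = zod_1.z.object({
@@ -124,4 +134,18 @@ exports.MigrationContextSchema = exports.AgentRequestContextSchema.extend({
 batchIndex: zod_1.z.number().int().nonnegative().optional(),
 totalBatches: zod_1.z.number().int().positive().optional(),
 });
+// ─── Trusted Identity Providers (auth.md) ──────────────────────────────────
+exports.TrustedIdentityProviderSchema = zod_1.z.object({
+issuerUrl: zod_1.z.string().url(),
+label: zod_1.z.string().min(1),
+jwksUri: zod_1.z.string().url().optional(),
+cimdUri: zod_1.z.string().url().optional(),
+requiredAmr: zod_1.z.array(zod_1.z.string()).optional(),
+enabled: zod_1.z.boolean().optional(),
+});
+exports.TrustedProviderRegistrySchema = zod_1.z.object({
+providers: zod_1.z.array(exports.TrustedIdentityProviderSchema),
+jwksCacheTtlMs: zod_1.z.number().int().positive().optional(),
+jwksCacheFloorMs: zod_1.z.number().int().positive().optional(),
+});
 //# sourceMappingURL=schemas.js.map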
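Review bot: `issuerUrl` and `jwksUri` in `TrustedIdentityProviderSchema` (new lines 139–142) are checked with `z.string().url()` only, which as far as I know accepts any parseable URL including `http://`, so a registry entry can point signing-key discovery at a plaintext endpoint where the key set could be swapped in transit. I would pin the scheme in the schema, for example `issuerUrl: zod_1.z.string().url().startsWith('https://'),` with the same constraint on `jwksUri` and `cimdUri`, made in src/schemas.ts since this file is build output. Whether the fetching code in identity-providers.js already enforces HTTPS is not visible in this section; if it does, the schema check is still worthwhile as defence in depth because it rejects a bad registry at load time.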
package/dist/cjs/schemas.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../src/schemas.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;GASG;AACH,6BAAwB;AAExB,iFAAiF;AAEpE,QAAA,uBAAuB,GAAG,OAAC,CAAC,IAAI,CAAC;IAC5C,QAAQ;IACR,WAAW;IACX,QAAQ;IACR,SAAS;IACT,OAAO;CACR,CAAC,CAAC;AAEU,QAAA,kBAAkB,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;AAEpD,QAAA,oBAAoB,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../src/schemas.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;GASG;AACH,6BAAwB;AAExB,iFAAiF;AAEpE,QAAA,uBAAuB,GAAG,OAAC,CAAC,IAAI,CAAC;IAC5C,QAAQ;IACR,WAAW;IACX,QAAQ;IACR,SAAS;IACT,OAAO;CACR,CAAC,CAAC;AAEU,QAAA,kBAAkB,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;AAEpD,QAAA,oBAAoB,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAExE;;;GAGG;AACU,QAAA,sBAAsB,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC;AAE/E,QAAA,oBAAoB,GAAG,OAAC,CAAC,IAAI,CAAC;IACzC,SAAS;IACT,SAAS;IACT,WAAW;IACX,MAAM;IACN,QAAQ;IACR,UAAU;CACX,CAAC,CAAC;AAEU,QAAA,kBAAkB,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AAExE,gFAAgF;AAEnE,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACvD,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACvD,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IAC7D,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACxD,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAC;AAEH,iFAAiF;AAEpE,QAAA,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IACzC,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC7D,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC7D,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAClD,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC3D,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACrC,CAAC,CAAC;AAEH,gFAAgF;AAEnE,QAAA,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;IACrC,IAAI,EAAE,0BAAkB;IACxB,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC1B,CAAC,CAAC;AAEU,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAC9C,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC,sBAAc,CAAC;IAClC,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG
,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACtD,UAAU,EAAE,OAAC;SACV,MAAM,CAAC;QACN,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,oBAAoB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;KAC7C,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEH,+EAA+E;AAElE,QAAA,gBAAgB,GAAG,OAAC,CAAC,MAAM,CAAC;IACvC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,IAAI,EAAE,4BAAoB;IAC1B,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;IACjB,MAAM,EAAE,8BAAsB;IAC9B,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC3C,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC7C,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtC,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IAC/D,QAAQ,EAAE,4BAAoB,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,0BAAkB,CAAC,QAAQ,EAAE;IACrC,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACpC,gCAAgC;IAChC,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC9C,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC/C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC3C,sEAAsE;IACtE,4EAA4E;CAC7E,CAAC,CAAC;AAEH,8EAA8E;AAEjE,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACxC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE;IACvB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,cAAc,EAAE,4BAAoB;IACpC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC1B,iBAAiB,EAAE,0BAAkB,CAAC,QAAQ,EAAE;IAChD,WAAW,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAClE,aAAa,EAAE,+BAAuB,CAAC,QAAQ,EAAE;IACjD,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,UAAU,EAAE,OAAC;SACV,KAAK,CAAC,CAAC,4BAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,4BAAoB,CAAC,CAAC,CAAC;SAC5D,QAAQ,EAAE;IACb,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE
;IACpC,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IACzD,QAAQ,EAAE,4BAAoB,CAAC,QAAQ,EAAE;CAC1C,CAAC,CAAC;AAEH,4EAA4E;AAE/D,QAAA,yBAAyB,GAAG,OAAC,CAAC,MAAM,CAAC;IAChD,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,YAAY,EAAE,0BAAkB;IAChC,QAAQ,EAAE,+BAAuB;IACjC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC;AAEU,QAAA,sBAAsB,GAAG,iCAAyB,CAAC,MAAM,CAAC;IACrE,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,KAAK,EAAE,4BAAoB;IAC3B,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,MAAM,EAAE,OAAC,CAAC,OAAO,EAAE;IACnB,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IACrD,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CACrD,CAAC,CAAC;AAEH,8EAA8E;AAEjE,QAAA,6BAA6B,GAAG,OAAC,CAAC,MAAM,CAAC;IACpD,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC3B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,WAAW,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC3C,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC;AAEU,QAAA,6BAA6B,GAAG,OAAC,CAAC,MAAM,CAAC;IACpD,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC,qCAA6B,CAAC;IACjD,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACtD,gBAAgB,EAAE,OA
AC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CACzD,CAAC,CAAC"}
|
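--- a/package/dist/esm/attestation.js
+++ b/package/dist/esm/attestation.js
@@ -1,37 +1,69 @@
-// ───
+// ─── Shared base64url helpers (module-level; used by both signers) ──────────
+/** Encode a UTF-8 string to base64url */
+function base64urlEncode(input) {
+if (typeof Buffer !== 'undefined') {
+return Buffer.from(input).toString('base64url');
+}
+return btoa(input).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+/** Encode an ArrayBuffer to base64url */
+function bufToBase64url(buf) {
+if (typeof Buffer !== 'undefined') {
+return Buffer.from(buf).toString('base64url');
+}
+const bytes = new Uint8Array(buf);
+let binary = '';
+for (let i = 0; i < bytes.byteLength; i++)
+binary += String.fromCharCode(bytes[i]);
+return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+/**
+* Decode a base64url string to a Uint8Array<ArrayBuffer>.
+*
+* Returns Uint8Array<ArrayBuffer> (not ArrayBufferLike) so the result is
+* directly usable as BufferSource in crypto.subtle.verify() without an
+* extra cast — required since TypeScript 5.5 made Uint8Array generic.
+*/
+function base64urlToBuffer(s) {
+if (typeof Buffer !== 'undefined') {
+// Buffer.from() returns Uint8Array<ArrayBufferLike>; copy into a fresh
+// Uint8Array<ArrayBuffer> so crypto.subtle accepts it as BufferSource.
+const nodeBuf = Buffer.from(s, 'base64url');
+const out = new Uint8Array(nodeBuf.length);
+out.set(nodeBuf);
+return out;
+}
+const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
+const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
+const binary = atob(padded);
+const bytes = new Uint8Array(binary.length);
+for (let i = 0; i < binary.length; i++)
+bytes[i] = binary.charCodeAt(i);
+return bytes;
+}
+/** Decode a base64url body segment to a UTF-8 string */
+function base64urlDecodeString(s) {
+if (typeof Buffer !== 'undefined') {
+return Buffer.from(s, 'base64url').toString('utf8');
+}
+return atob(s.replace(/-/g, '+').replace(/_/g, '/'));
+}
+// ─── HMAC Signer (built-in, zero deps) ───────────────────────────────────
 export class HmacAttestationSigner {
 constructor(options) {
 this.secret = options.secret;
 this.issuer = options.issuer ?? 'agent-identity';
 this.ttlSeconds = options.ttlSeconds ?? 300;
 }
-base64url(input) {
-// Works in both browser and Node 18+ (Buffer is global in Node)
-if (typeof Buffer !== 'undefined') {
-return Buffer.from(input).toString('base64url');
-}
-// Browser fallback via btoa
-return btoa(input).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-}
-bufToBase64url(buf) {
-if (typeof Buffer !== 'undefined') {
-return Buffer.from(buf).toString('base64url');
-}
-const bytes = new Uint8Array(buf);
-let binary = '';
-for (let i = 0; i < bytes.byteLength; i++)
-binary += String.fromCharCode(bytes[i]);
-return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-}
 async hmacSign(data) {
 const enc = new TextEncoder();
 const key = await crypto.subtle.importKey('raw', enc.encode(this.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
 const sig = await crypto.subtle.sign('HMAC', key, enc.encode(data));
-return
+return bufToBase64url(sig);
 }
 async sign(payload) {
-const header =
-const body =
+const header = base64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+const body = base64urlEncode(JSON.stringify(payload));
 const sig = await this.hmacSign(`${header}.${body}`);
 return `${header}.${body}.${sig}`;
 }
@@ -43,11 +75,80 @@ export class HmacAttestationSigner {
 const expected = await this.hmacSign(`${header}.${body}`);
 if (expected !== sig)
 return null;
-
-
-
-
-
+return JSON.parse(base64urlDecodeString(body));
+}
+catch {
+return null;
+}
+}
+}
+// ─── Asymmetric Signer (RS256 / ES256) ──────────────────────────────────
+/**
+* Asymmetric JWT signer/verifier using Web Crypto (RS256 or ES256).
+* Uses only crypto.subtle — no external dependencies.
+*
+* For signing (e.g. minting your own attestations):
+* const signer = await AsymmetricAttestationSigner.fromKeyPair(privateKey, publicKey, 'RS256');
+*
+* For verification only (e.g. verifying incoming ID-JAGs from JWKS):
+* const verifier = await AsymmetricAttestationSigner.fromPublicJwk(publicJwk, 'RS256');
+*/
+export class AsymmetricAttestationSigner {
+constructor(privateKey, publicKey, algorithm, ttlSeconds) {
+this.privateKey = privateKey;
+this.publicKey = publicKey;
+this.algorithm = algorithm;
+this.ttlSeconds = ttlSeconds;
+}
+// ─── Static factory methods ──────────────────────────────────────────────
+/**
+* Create a signing+verification instance from an already-imported key pair.
+*/
+static async fromKeyPair(privateKey, publicKey, algorithm, options) {
+return new AsymmetricAttestationSigner(privateKey, publicKey, algorithm, options?.ttlSeconds ?? 300);
+}
+/**
+* Create a verification-only instance from a JSON Web Key.
+* Calling sign() on this instance will throw.
+*/
+static async fromPublicJwk(jwk, algorithm) {
+const importAlgo = algorithm === 'RS256'
+? { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }
+: { name: 'ECDSA', namedCurve: 'P-256' };
+const publicKey = await crypto.subtle.importKey('jwk', jwk, importAlgo, true, ['verify']);
+return new AsymmetricAttestationSigner(null, publicKey, algorithm, 300);
+}
+// ─── Sign / Verify ────────────────────────────────────────────────────────────
+async sign(payload) {
+if (!this.privateKey) {
+throw new Error('AsymmetricAttestationSigner: no private key — verification-only instance');
+}
+const header = base64urlEncode(JSON.stringify({ alg: this.algorithm, typ: 'JWT' }));
+const body = base64urlEncode(JSON.stringify(payload));
+const signingInput = `${header}.${body}`;
+const data = new TextEncoder().encode(signingInput);
+const algo = this.algorithm === 'RS256'
+? 'RSASSA-PKCS1-v1_5'
+: { name: 'ECDSA', hash: 'SHA-256' };
+const sigBuf = await crypto.subtle.sign(algo, this.privateKey, data);
+const sig = bufToBase64url(sigBuf);
+return `${header}.${body}.${sig}`;
+}
+async verify(token) {
+try {
+const [header, body, sig] = token.split('.');
+if (!header || !body || !sig)
+return null;
+const signingInput = `${header}.${body}`;
+const data = new TextEncoder().encode(signingInput);
+const sigBytes = base64urlToBuffer(sig);
+const algo = this.algorithm === 'RS256'
+? 'RSASSA-PKCS1-v1_5'
+: { name: 'ECDSA', hash: 'SHA-256' };
+const valid = await crypto.subtle.verify(algo, this.publicKey, sigBytes, data);
+if (!valid)
+return null;
+return JSON.parse(base64urlDecodeString(body));
 }
 catch {
 return null;
@@ -70,7 +171,7 @@ export async function buildAttestation(ctx, resolved, options) {
 };
 return options.signer.sign(payload);
 }
-// ─── Standalone verifyAttestation helper
+// ─── Standalone verifyAttestation helper ──────────────────────────────────
 export async function verifyAttestation(token, signer) {
 const raw = await signer.verify(token);
 if (!raw)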
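Review bot: The HMAC check in the second hunk still compares signatures with `if (expected !== sig)`, an ordinary string comparison whose running time can depend on how many leading characters match; the method it belongs to starts outside the hunk. Since this change adds `base64urlToBuffer`, the check can be handed to Web Crypto instead: import the key with `['sign', 'verify']` and test `await crypto.subtle.verify('HMAC', key, base64urlToBuffer(sig), data)` over the same signing input. In `AsymmetricAttestationSigner`, every `algorithm` value other than `'RS256'` falls through to ECDSA P-256 in `fromPublicJwk`, `sign` and `verify`, so an unsupported or misspelled value is accepted silently and then written into the `alg` header. A guard in both factories, `if (algorithm !== 'RS256' && algorithm !== 'ES256') throw new TypeError('unsupported algorithm');`, would reject it up front.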
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../src/attestation.ts"],"names":[],"mappings":"AAaA,+EAA+E;AAE/E,
|
|
1
|
+
{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../src/attestation.ts"],"names":[],"mappings":"AAaA,+EAA+E;AAE/E,yCAAyC;AACzC,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC/E,CAAC;AAED,yCAAyC;AACzC,SAAS,cAAc,CAAC,GAAgB;IACtC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC,EAAE;QAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACnF,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAChF,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CAAC,CAAS;IAClC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,uEAAuE;QACvE,uEAAuE;QACvE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC3C,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACjB,OAAO,GAAG,CAAC;IACb,CAAC;IACD,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,wDAAwD;AACxD,SAAS,qBAAqB,CAAC,CAAS;IACtC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,IAAI,CAAC,CAAC,CAAC,OAAO,CAA
C,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,4EAA4E;AAE5E,MAAM,OAAO,qBAAqB;IAKhC,YAAY,OAAiE;QAC3E,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,gBAAgB,CAAC;QACjD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC;IAC9C,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,IAAY;QACjC,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EACvB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QACpE,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAgC;QACzC,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC7E,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QACtD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QACrD,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YAC1C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;YAC1D,IAAI,QAAQ,KAAK,GAAG;gBAAE,OAAO,IAAI,CAAC;YAClC,OAAO,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF;AAED,2EAA2E;AAE3E;;;;;;;;;GASG;AACH,MAAM,OAAO,2BAA2B;IACtC,YACmB,UAA4B,EAC5B,SAAoB,EACpB,SAA4B,EAC5B,UAAkB;QAHlB,eAAU,GAAV,UAAU,CAAkB;QAC5B,cAAS,GAAT,SAAS,CAAW;QACpB,cAAS,GAAT,SAAS,CAAmB;QAC5B,eAAU,GAAV,UAAU,CAAQ;IAClC,CAAC;IAEJ,4EAA4E;IAE5E;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,WAAW,CACtB,UAAqB,EACrB,SAAoB,EACpB,SAA4B,EAC5B,OAAiC;QAEjC,OAAO,IAAI,2BAA2B,CACpC,UAAU,EACV,SAAS,EACT,SAAS,EACT,OAAO,EAAE,UAAU,IAAI,GAAG,CAC3B,CAAC;IACJ,CAAC;IAED;;;OAGG;IAC
H,MAAM,CAAC,KAAK,CAAC,aAAa,CACxB,GAAe,EACf,SAA4B;QAE5B,MAAM,UAAU,GACd,SAAS,KAAK,OAAO;YACnB,CAAC,CAAC,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE;YAChD,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC1F,OAAO,IAAI,2BAA2B,CAAC,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;IAC1E,CAAC;IAED,iFAAiF;IAEjF,KAAK,CAAC,IAAI,CAAC,OAAgC;QACzC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CACb,0EAA0E,CAC3E,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,eAAe,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CACpD,CAAC;QACF,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QACtD,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAEpD,MAAM,IAAI,GACR,IAAI,CAAC,SAAS,KAAK,OAAO;YACxB,CAAC,CAAC,mBAAmB;YACrB,CAAC,CAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAkB,CAAC;QAE1D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;QACrE,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QACnC,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YAE1C,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;YACzC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YACpD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;YAExC,MAAM,IAAI,GACR,IAAI,CAAC,SAAS,KAAK,OAAO;gBACxB,CAAC,CAAC,mBAAmB;gBACrB,CAAC,CAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAkB,CAAC;YAE1D,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;YAC/E,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC;YAExB,OAAO,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;
CACF;AAWD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,GAAwB,EACxB,QAA4B,EAC5B,OAA2B;IAE3B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAuB;QAClC,GAAG,EAAE,OAAO,CAAC,MAAM,IAAI,gBAAgB;QACvC,GAAG,EAAE,GAAG,CAAC,MAAM;QACf,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC;KACvC,CAAC;IACF,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,OAA6C,CAAC,CAAC;AAC5E,CAAC;AAED,6EAA6E;AAE7E,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,MAAyB;IAEzB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IAC9D,OAAO,GAAoC,CAAC;AAC9C,CAAC"}
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* ID-JAG verification utilities — validates the claims on a decoded ID-JAG
|
|
3
|
+
* payload against a TrustedProviderRegistry.
|
|
4
|
+
*
|
|
5
|
+
* Signature verification is left to the caller (requires a JWT library or
|
|
6
|
+
* Web Crypto with the provider's JWKS). This module validates claims only.
|
|
7
|
+
*
|
|
8
|
+
* @module identity-providers
|
|
9
|
+
*/
|
|
10
|
+
// ─── validateIdJagClaims ──────────────────────────────────────────────────────
|
|
11
|
+
/**
|
|
12
|
+
* Validate ID-JAG claims (NOT signature — that's the caller's responsibility).
|
|
13
|
+
*
|
|
14
|
+
* Steps:
|
|
15
|
+
* 1. Find provider by payload.iss — return issuer_not_trusted if absent.
|
|
16
|
+
* 2. If provider.enabled === false — return provider_disabled.
|
|
17
|
+
* 3. If token is expired (with clock skew tolerance) — return expired.
|
|
18
|
+
* 4. If audience does not include the expected audience — return audience_mismatch.
|
|
19
|
+
* 5. If neither email_verified nor phone_number_verified — return missing_verified_identity.
|
|
20
|
+
* 6. If provider.requiredAmr is set and none of its values appear in payload.amr
|
|
21
|
+
* — return amr_not_satisfied.
|
|
22
|
+
* 7. Return { valid: true, provider }.
|
|
23
|
+
*
|
|
24
|
+
* @param payload Decoded JWT payload (signature NOT verified here)
|
|
25
|
+
* @param audience Expected aud (this service's authorization server URL)
|
|
26
|
+
* @param registry Configured trusted providers
|
|
27
|
+
* @param nowMs Current time in ms (injectable for testing; defaults to Date.now())
|
|
28
|
+
* @param clockSkewMs Accepted clock skew in ms (default: 120_000 = 2 minutes)
|
|
29
|
+
*/
|
|
30
|
+
export function validateIdJagClaims(payload, audience, registry, nowMs, clockSkewMs) {
|
|
31
|
+
const now = nowMs ?? Date.now();
|
|
32
|
+
const skew = clockSkewMs ?? 120000;
|
|
33
|
+
// 1. Issuer lookup
|
|
34
|
+
const provider = registry.providers.find((p) => p.issuerUrl === payload.iss);
|
|
35
|
+
if (!provider) {
|
|
36
|
+
return {
|
|
37
|
+
valid: false,
|
|
38
|
+
error: 'issuer_not_trusted',
|
|
39
|
+
errorMessage: `Issuer '${payload.iss}' is not in the trusted provider registry`,
|
|
40
|
+
};
|
|
41
|
+
}
|
|
42
|
+
// 2. Provider enabled check (undefined → enabled)
|
|
43
|
+
if (provider.enabled === false) {
|
|
44
|
+
return {
|
|
45
|
+
valid: false,
|
|
46
|
+
provider,
|
|
47
|
+
error: 'provider_disabled',
|
|
48
|
+
errorMessage: `Provider '${provider.label}' is currently disabled`,
|
|
49
|
+
};
|
|
50
|
+
}
|
|
51
|
+
// 3. Expiry check (exp is in seconds; add clock skew tolerance)
|
|
52
|
+
if (payload.exp * 1000 < now - skew) {
|
|
53
|
+
return {
|
|
54
|
+
valid: false,
|
|
55
|
+
provider,
|
|
56
|
+
error: 'expired',
|
|
57
|
+
errorMessage: `Token expired at ${new Date(payload.exp * 1000).toISOString()}`,
|
|
58
|
+
};
|
|
59
|
+
}
|
|
60
|
+
// 4. Audience check
|
|
61
|
+
const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
|
|
62
|
+
if (!audiences.includes(audience)) {
|
|
63
|
+
return {
|
|
64
|
+
valid: false,
|
|
65
|
+
provider,
|
|
66
|
+
error: 'audience_mismatch',
|
|
67
|
+
errorMessage: `Expected audience '${audience}' not found in token aud claim`,
|
|
68
|
+
};
|
|
69
|
+
}
|
|
70
|
+
// 5. Verified identity check — must have at least one verified identity claim
|
|
71
|
+
const hasVerifiedEmail = payload.email_verified === true;
|
|
72
|
+
const hasVerifiedPhone = payload.phone_number_verified === true;
|
|
73
|
+
if (!hasVerifiedEmail && !hasVerifiedPhone) {
|
|
74
|
+
return {
|
|
75
|
+
valid: false,
|
|
76
|
+
provider,
|
|
77
|
+
error: 'missing_verified_identity',
|
|
78
|
+
errorMessage: 'Token must have either email_verified=true or phone_number_verified=true',
|
|
79
|
+
};
|
|
80
|
+
}
|
|
81
|
+
// 6. AMR check
|
|
82
|
+
if (provider.requiredAmr && provider.requiredAmr.length > 0) {
|
|
83
|
+
const tokenAmr = payload.amr ?? [];
|
|
84
|
+
const satisfied = provider.requiredAmr.some((required) => tokenAmr.includes(required));
|
|
85
|
+
if (!satisfied) {
|
|
86
|
+
return {
|
|
87
|
+
valid: false,
|
|
88
|
+
provider,
|
|
89
|
+
error: 'amr_not_satisfied',
|
|
90
|
+
errorMessage: `Required AMR values [${provider.requiredAmr.join(', ')}] not found in token amr: [${tokenAmr.join(', ')}]`,
|
|
91
|
+
};
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
// 7. All checks passed
|
|
95
|
+
return { valid: true, provider };
|
|
96
|
+
}
|
|
97
|
+
//# sourceMappingURL=identity-providers.js.map
|
|
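Review bot: The expiry test in step 3, `if (payload.exp * 1000 < now - skew)`, lets through a token that has no usable `exp`: a missing or non-numeric claim makes the left side `NaN`, the comparison is false, and validation continues as if the token were unexpired. Unless the payload is schema-checked before this call (not visible in this file), the condition should fail closed, for example `if (!Number.isFinite(payload.exp) || payload.exp * 1000 < now - skew)`, and the error message should then avoid `new Date(payload.exp * 1000).toISOString()`, which throws on an invalid date. Step 6 has a similar assumption: `payload.amr ?? []` treats any non-null value as an array, so a string `amr` is matched by substring; `Array.isArray(payload.amr) ? payload.amr : []` keeps the check to exact values.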
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"identity-providers.js","sourceRoot":"","sources":["../../src/identity-providers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAsCH,iFAAiF;AAEjF;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,mBAAmB,CACjC,OAAqB,EACrB,QAAgB,EAChB,QAAiC,EACjC,KAAc,EACd,WAAoB;IAEpB,MAAM,GAAG,GAAG,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IAChC,MAAM,IAAI,GAAG,WAAW,IAAI,MAAO,CAAC;IAEpC,mBAAmB;IACnB,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;IAC7E,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,oBAAoB;YAC3B,YAAY,EAAE,WAAW,OAAO,CAAC,GAAG,2CAA2C;SAChF,CAAC;IACJ,CAAC;IAED,kDAAkD;IAClD,IAAI,QAAQ,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,QAAQ;YACR,KAAK,EAAE,mBAAmB;YAC1B,YAAY,EAAE,aAAa,QAAQ,CAAC,KAAK,yBAAyB;SACnE,CAAC;IACJ,CAAC;IAED,gEAAgE;IAChE,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,GAAG,GAAG,IAAI,EAAE,CAAC;QACpC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,QAAQ;YACR,KAAK,EAAE,SAAS;YAChB,YAAY,EAAE,oBAAoB,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;SAC/E,CAAC;IACJ,CAAC;IAED,oBAAoB;IACpB,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3E,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,QAAQ;YACR,KAAK,EAAE,mBAAmB;YAC1B,YAAY,EAAE,sBAAsB,QAAQ,gCAAgC;SAC7E,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,MAAM,gBAAgB,GAAG,OAAO,CAAC,cAAc,KAAK,IAAI,CAAC;IACzD,MAAM,gBAAgB,GAAG,OAAO,CAAC,qBAAqB,KAAK,IAAI,CAAC;IAChE,IAAI,CAAC,gBAAgB,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC3C,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,QAAQ;YACR,KAAK,EAAE,2BAA2B;YAClC,YAAY,EAAE,0EAA0E;SACzF,CAAC;IACJ,CAAC;IAED,eAAe;IACf,IAAI,QAAQ,CAAC,WAAW,IAAI,QAAQ,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5D,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;QACnC,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QACvF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,Q
AAQ;gBACR,KAAK,EAAE,mBAAmB;gBAC1B,YAAY,EAAE,wBAAwB,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,8BAA8B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;aAC1H,CAAC;QACJ,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AACnC,CAAC"}
|
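--- a/package/dist/esm/index.js
+++ b/package/dist/esm/index.js
@@ -14,6 +14,7 @@
 * ```
 */
 // ─── Runtime modules (classes, functions, const) ─────────────────────────────
+// Core router + built-in stores
 export * from './router';
 export * from './providers';
 export * from './credentials';
@@ -23,4 +24,8 @@ export * from './attestation';
 export * from './approval';
 export * from './budget';
 export * from './federation';
+// auth.md compatibility — identity providers, revocation, and claim lifecycle
+export * from './identity-providers';
+export * from './revocation';
+export * from './revocation-listener';
 //# sourceMappingURL=index.js.map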
package/dist/esm/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAOH,gFAAgF;AAChF,cAAc,UAAU,CAAC;AACzB,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,UAAU,CAAC;AACzB,cAAc,cAAc,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAOH,gFAAgF;AAChF,gCAAgC;AAChC,cAAc,UAAU,CAAC;AACzB,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,UAAU,CAAC;AACzB,cAAc,cAAc,CAAC;AAE7B,8EAA8E;AAC9E,cAAc,sBAAsB,CAAC;AACrC,cAAc,cAAc,CAAC;AAC7B,cAAc,uBAAuB,CAAC"}
|