@dbsc-toolkit/core 0.1.0

package/LICENSE

@@ -0,0 +1,132 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction,
+and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by
+the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all
+other entities that control, are controlled by, or are under common
+control with that entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity
+exercising permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications,
+including but not limited to software source code, documentation
+source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical
+transformation or translation of a Source form, including but
+not limited to compiled object code, generated documentation,
+and conversions to other media types.
+
+"Work" shall mean the work of authorship made available under
+the License, as indicated by a copyright notice that is included in
+or attached to the work.
+
+"Derivative Works" shall mean any work, whether in Source or Object
+form, that is based on (or derived from) the Work and for which the
+editorial revisions, annotations, elaborations, or other transformations
+represent, as a whole, an original work of authorship.
+
+"Contribution" shall mean any work of authorship, including
+the original version of the Work and any modifications or additions
+to that Work or Derivative Works of the Work, that is intentionally
+submitted to the Licensor for inclusion in the Work by the copyright owner
+or by an individual or Legal Entity authorized to submit on behalf of
+the copyright owner.
+
+"Contributor" shall mean Licensor and any Legal Entity
+on behalf of whom a Contribution has been received by the Licensor and
+subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the
+Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except as stated in this section) patent license to make, have made,
+use, offer to sell, sell, import, and otherwise transfer the Work,
+where such license applies only to those patent claims licensable
+by such Contributor that are necessarily infringed by their
+Contribution(s) alone or by the combined work of their Contribution(s)
+with the Work to which such Contribution(s) was submitted.
+
+4. Redistribution. You may reproduce and distribute copies of the
+Work or Derivative Works thereof in any medium, with or without
+modifications, and in Source or Object form, provided that You
+meet the following conditions:
+
+(a) You must give any other recipients of the Work or Derivative Works
+a copy of this License; and
+
+(b) You must cause any modified files to carry prominent notices
+stating that You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works
+that You distribute, all copyright, patent, trademark, and
+attribution notices from the Source form of the Work; and
+
+(d) If the Work includes a "NOTICE" text file, you must include a
+readable copy of the attribution notices contained within such NOTICE
+file, in at least one of the following places: within a NOTICE text
+file distributed as part of the Derivative Works; or, within the
+Source form or documentation, if provided along with the Derivative
+Works; or, on a display generated by the Derivative Works.
+
+The "NOTICE" file referenced above refers to a text file that may
+accompany the source form of the Work.
+
+You may add Your own attribution notices within Derivative Works
+that You distribute, alongside or as an addendum to the NOTICE text
+from the Work, provided that such additional attribution notices
+cannot be construed as modifying the License.
+
+You may add Your own license statement for Your modifications and
+may provide additional grant of rights to use, reproduce, or
+distribute Derivative Works, subject to the terms and conditions
+for the Work itself.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+any Contribution intentionally submitted for inclusion in the Work
+by You to the Licensor shall be under the terms and conditions of
+this License, without any additional terms or conditions.
+
+6. Trademarks. This License does not grant permission to use the trade
+names, trademarks, service marks, or product names of the Licensor.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+agreed to in writing, Licensor provides the Work (and each Contributor
+provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES
+OR CONDITIONS OF ANY KIND, either express or implied, including,
+without limitation, any warranties or conditions of TITLE,
+NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
+
+8. Limitation of Liability. In no event and under no legal theory,
+whether in tort (including negligence), contract, or otherwise,
+unless required by applicable law (such as deliberate and grossly
+negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special,
+incidental, or exemplary damages of any character arising as a
+result of this License or out of the use or inability to use the
+Work.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+the Work or Derivative Works thereof, You may choose to offer, and
+charge a fee for, acceptance of support, warranty, indemnity,
+or other liability obligations and/or rights consistent with this License.
+
+END OF TERMS AND CONDITIONS

package/README.md

@@ -0,0 +1,59 @@
+# @dbsc-toolkit/core
+
+Framework-agnostic core for the DBSC Toolkit. Pure protocol logic, crypto primitives, type definitions, and a pluggable storage interface. No Express, no Fastify, no HTTP framework dependency.
+
+Use this package directly if you are wiring DBSC into Koa, Hapi, AdonisJS, raw `http`, Bun, Deno, or any framework without a shipped adapter. Otherwise use one of the framework adapters built on top of this:
+
+- `@dbsc-toolkit/server-express`
+- `@dbsc-toolkit/server-nextjs`
+- `@dbsc-toolkit/server-fastify`
+- `@dbsc-toolkit/server-hono`
+
+## Install
+
+```sh
+pnpm add @dbsc-toolkit/core
+```
+
+## What it exports
+
+- `handleRegistration`, `handleRefresh` — verify the JWS proof Chrome posts to your registration / refresh endpoints
+- `issueChallenge`, `generateJti` — issue single-use challenges
+- `buildRegistrationHeader`, `buildChallengeHeader`, `readSessionResponseHeader` — wire-format helpers
+- `REGISTRATION_HEADER`, `RESPONSE_HEADER`, `CHALLENGE_HEADER` plus `LEGACY_*` aliases — current and legacy header names
+- `MemoryStorage`-compatible `StorageAdapter` interface, `RateLimiter` interface, telemetry event types
+- `DbscProtocolError`, `DbscVerificationError`, `ErrorCodes`
+
+## Direct use without an adapter
+
+```ts
+import {
+  handleRefresh,
+  issueChallenge,
+  readSessionResponseHeader,
+  buildChallengeHeader,
+} from "@dbsc-toolkit/core";
+
+// inside any framework's POST /dbsc/refresh handler
+const sessionId = getCookie("__Host-dbsc-session");
+const expectedJti = getCookie("__Host-dbsc-challenge");
+const responseHeader = readSessionResponseHeader(req.headers);
+
+if (!responseHeader) {
+  const challenge = await issueChallenge(sessionId, storage);
+  setHeader("Secure-Session-Challenge", buildChallengeHeader(challenge.jti));
+  setHeader("Sec-Session-Challenge", buildChallengeHeader(challenge.jti));
+  setCookie("__Host-dbsc-challenge", challenge.jti, { maxAge: 5 * 60 * 1000, ... });
+  return reply.status(403);
+}
+
+await handleRefresh({ sessionId, secSessionResponseHeader: responseHeader, expectedJti }, storage);
+setCookie("__Host-dbsc-session", sessionId, { maxAge: 10 * 60 * 1000, ... });
+return reply.status(204);
+```
+
+See the [main README](https://github.com/SulimanAbdulrazzaq/DBSC#readme) for the full picture.
+
+## License
+
+Apache-2.0

package/dist/crypto/jwk.d.ts

@@ -0,0 +1,3 @@
+export declare function validateJwk(jwk: JsonWebKey): void;
+export declare function detectAlgorithm(jwk: JsonWebKey): "ES256" | "RS256";
+//# sourceMappingURL=jwk.d.ts.map

package/dist/crypto/jwk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwk.d.ts","sourceRoot":"","sources":["../../src/crypto/jwk.ts"],"names":[],"mappings":"AAKA,wBAAgB,WAAW,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI,CAsCjD;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,GAAG,OAAO,CAOlE"}

package/dist/crypto/jwk.js

@@ -0,0 +1,36 @@
+import { DbscVerificationError, ErrorCodes } from "../errors.js";
+const SUPPORTED_CURVES = new Set(["P-256"]);
+const MIN_RSA_BITS = 2048;
+export function validateJwk(jwk) {
+    if (jwk.kty === "EC") {
+        if (!SUPPORTED_CURVES.has(jwk.crv ?? "")) {
+            throw new DbscVerificationError(ErrorCodes.INVALID_JWK, `unsupported curve: ${jwk.crv}`);
+        }
+        if (!jwk.x || !jwk.y) {
+            throw new DbscVerificationError(ErrorCodes.INVALID_JWK, "EC key missing x or y coordinate");
+        }
+        return;
+    }
+    if (jwk.kty === "RSA") {
+        if (!jwk.n) {
+            throw new DbscVerificationError(ErrorCodes.INVALID_JWK, "RSA key missing modulus");
+        }
+        const bits = base64urlBits(jwk.n);
+        if (bits < MIN_RSA_BITS) {
+            throw new DbscVerificationError(ErrorCodes.INVALID_JWK, `RSA key too short: ${bits} bits, minimum ${MIN_RSA_BITS}`);
+        }
+        return;
+    }
+    throw new DbscVerificationError(ErrorCodes.INVALID_JWK, `unsupported key type: ${jwk.kty}`);
+}
+export function detectAlgorithm(jwk) {
+    if (jwk.kty === "EC" && jwk.crv === "P-256")
+        return "ES256";
+    if (jwk.kty === "RSA")
+        return "RS256";
+    throw new DbscVerificationError(ErrorCodes.UNKNOWN_ALGORITHM, `cannot determine algorithm for kty=${jwk.kty} crv=${jwk.crv}`);
+}
+function base64urlBits(b64) {
+    return (b64.length * 6) / 8 * 8;
+}
+//# sourceMappingURL=jwk.js.map

package/dist/crypto/jwk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwk.js","sourceRoot":"","sources":["../../src/crypto/jwk.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAEjE,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;AAC5C,MAAM,YAAY,GAAG,IAAI,CAAC;AAE1B,MAAM,UAAU,WAAW,CAAC,GAAe;IACzC,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACrB,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,WAAW,EACtB,sBAAsB,GAAG,CAAC,GAAG,EAAE,CAChC,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,WAAW,EACtB,kCAAkC,CACnC,CAAC;QACJ,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YACX,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,WAAW,EACtB,yBAAyB,CAC1B,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,IAAI,GAAG,YAAY,EAAE,CAAC;YACxB,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,WAAW,EACtB,sBAAsB,IAAI,kBAAkB,YAAY,EAAE,CAC3D,CAAC;QACJ,CAAC;QACD,OAAO;IACT,CAAC;IAED,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,WAAW,EACtB,yBAAyB,GAAG,CAAC,GAAG,EAAE,CACnC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,GAAe;IAC7C,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5D,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK;QAAE,OAAO,OAAO,CAAC;IACtC,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,iBAAiB,EAC5B,sCAAsC,GAAG,CAAC,GAAG,QAAQ,GAAG,CAAC,GAAG,EAAE,CAC/D,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,GAAW;IAChC,OAAO,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAClC,CAAC"}

package/dist/crypto/jws.d.ts

@@ -0,0 +1,15 @@
+import { type JWTPayload } from "jose";
+export interface DbscJwsClaims extends JWTPayload {
+    jti: string;
+}
+export interface ParsedDbscJws {
+    claims: DbscJwsClaims;
+    jwk?: JsonWebKey;
+}
+export declare function verifyDbscJws(token: string, storedJwk: JsonWebKey, expectedJti: string): Promise<DbscJwsClaims>;
+export declare function parseRegistrationJws(token: string): Promise<{
+    claims: JWTPayload;
+    jwk: JsonWebKey;
+    algorithm: "ES256" | "RS256";
+}>;
+//# sourceMappingURL=jws.d.ts.map

package/dist/crypto/jws.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jws.d.ts","sourceRoot":"","sources":["../../src/crypto/jws.ts"],"names":[],"mappings":"AAAA,OAAO,EAA+C,KAAK,UAAU,EAAY,MAAM,MAAM,CAAC;AAO9F,MAAM,WAAW,aAAc,SAAQ,UAAU;IAC/C,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,aAAa,CAAC;IACtB,GAAG,CAAC,EAAE,UAAU,CAAC;CAClB;AAED,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,UAAU,EACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,aAAa,CAAC,CAoDxB;AAED,wBAAsB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IACjE,MAAM,EAAE,UAAU,CAAC;IACnB,GAAG,EAAE,UAAU,CAAC;IAChB,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC;CAC9B,CAAC,CAiDD"}

package/dist/crypto/jws.js

@@ -0,0 +1,89 @@
+import { importJWK, jwtVerify, decodeProtectedHeader } from "jose";
+import { DbscVerificationError, ErrorCodes } from "../errors.js";
+import { validateJwk } from "./jwk.js";
+const DBSC_TYPE = "dbsc+jwt";
+const SUPPORTED_ALGS = ["ES256", "RS256"];
+export async function verifyDbscJws(token, storedJwk, expectedJti) {
+    let header;
+    try {
+        header = decodeProtectedHeader(token);
+    }
+    catch {
+        throw new DbscVerificationError(ErrorCodes.MALFORMED_JWS, "failed to decode JWS header");
+    }
+    if (header["typ"] !== DBSC_TYPE) {
+        throw new DbscVerificationError(ErrorCodes.MALFORMED_JWS, `expected typ=${DBSC_TYPE}, got ${header["typ"]}`);
+    }
+    const alg = header["alg"];
+    if (!SUPPORTED_ALGS.includes(alg)) {
+        throw new DbscVerificationError(ErrorCodes.UNKNOWN_ALGORITHM, `unsupported algorithm: ${alg}`);
+    }
+    let key;
+    try {
+        key = await importJWK(storedJwk, alg);
+    }
+    catch {
+        throw new DbscVerificationError(ErrorCodes.INVALID_JWK, "failed to import stored JWK");
+    }
+    let payload;
+    try {
+        const result = await jwtVerify(token, key, {
+            algorithms: [...SUPPORTED_ALGS],
+        });
+        payload = result.payload;
+    }
+    catch {
+        throw new DbscVerificationError(ErrorCodes.SIGNATURE_INVALID, "JWS signature verification failed");
+    }
+    if (typeof payload.jti !== "string") {
+        throw new DbscVerificationError(ErrorCodes.MALFORMED_JWS, "missing jti claim");
+    }
+    if (payload.jti !== expectedJti) {
+        throw new DbscVerificationError(ErrorCodes.JTI_MISMATCH, "jti does not match issued challenge");
+    }
+    return payload;
+}
+export async function parseRegistrationJws(token) {
+    let header;
+    try {
+        header = decodeProtectedHeader(token);
+    }
+    catch {
+        throw new DbscVerificationError(ErrorCodes.MALFORMED_JWS, "failed to decode registration JWS header");
+    }
+    if (header["typ"] !== DBSC_TYPE) {
+        throw new DbscVerificationError(ErrorCodes.MALFORMED_JWS, `expected typ=${DBSC_TYPE}, got ${header["typ"]}`);
+    }
+    const alg = header["alg"];
+    if (!SUPPORTED_ALGS.includes(alg)) {
+        throw new DbscVerificationError(ErrorCodes.UNKNOWN_ALGORITHM, `unsupported algorithm: ${alg}`);
+    }
+    const jwk = header["jwk"];
+    if (!jwk) {
+        throw new DbscVerificationError(ErrorCodes.MALFORMED_JWS, "registration JWS missing jwk in header");
+    }
+    validateJwk(jwk);
+    let key;
+    try {
+        key = await importJWK(jwk, alg);
+    }
+    catch {
+        throw new DbscVerificationError(ErrorCodes.INVALID_JWK, "failed to import registration JWK");
+    }
+    let payload;
+    try {
+        const result = await jwtVerify(token, key, {
+            algorithms: [...SUPPORTED_ALGS],
+        });
+        payload = result.payload;
+    }
+    catch {
+        throw new DbscVerificationError(ErrorCodes.SIGNATURE_INVALID, "registration JWS self-signature invalid");
+    }
+    return {
+        claims: payload,
+        jwk,
+        algorithm: alg,
+    };
+}
+//# sourceMappingURL=jws.js.map

package/dist/crypto/jws.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jws.js","sourceRoot":"","sources":["../../src/crypto/jws.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,qBAAqB,EAA6B,MAAM,MAAM,CAAC;AAC9F,OAAO,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAEvC,MAAM,SAAS,GAAG,UAAU,CAAC;AAC7B,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,OAAO,CAAU,CAAC;AAWnD,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,SAAqB,EACrB,WAAmB;IAEnB,IAAI,MAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAA4B,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,aAAa,EAAE,6BAA6B,CAAC,CAAC;IAC3F,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,aAAa,EACxB,gBAAgB,SAAS,SAAS,MAAM,CAAC,KAAK,CAAC,EAAE,CAClD,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAsC,CAAC,EAAE,CAAC;QACrE,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,iBAAiB,EAC5B,0BAA0B,GAAG,EAAE,CAChC,CAAC;IACJ,CAAC;IAED,IAAI,GAA0C,CAAC;IAC/C,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,SAAS,CAAC,SAAgB,EAAE,GAAa,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,WAAW,EAAE,6BAA6B,CAAC,CAAC;IACzF,CAAC;IAED,IAAI,OAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE;YACzC,UAAU,EAAE,CAAC,GAAG,cAAc,CAAC;SAChC,CAAC,CAAC;QACH,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,mCAAmC,CAAC,CAAC;IACrG,CAAC;IAED,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC;IACjF,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QAChC,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,YAAY,EACvB,qCAAqC,CACtC,CAAC;IACJ,CAAC;IAED,OAAO,OAAwB,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,KAAa;IAKtD,IAAI,MAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAA4B,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,aAAa,EAAE,0CAA0C,CAAC,CAAC;IACxG,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,aAAa,EACxB,gBAAgB,SAAS,SAAS,MAAM,CAAC,KAAK,CAAC,EAAE,CAClD,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAW,CAAC;IACpC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAsC,CAAC,EAAE,CAAC;QACrE,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,0BAA0B,GAAG,EAAE,CAAC,CAAC;IACjG,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAA2B,CAAC;IACpD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,aAAa,EAAE,wCAAwC,CAAC,CAAC;IACtG,CAAC;IAED,WAAW,CAAC,GAAG,CAAC,CAAC;IAEjB,IAAI,GAA0C,CAAC;IAC/C,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,SAAS,CAAC,GAAU,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,WAAW,EAAE,mCAAmC,CAAC,CAAC;IAC/F,CAAC;IAED,IAAI,OAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE;YACzC,UAAU,EAAE,CAAC,GAAG,cAAc,CAAC;SAChC,CAAC,CAAC;QACH,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,yCAAyC,CAAC,CAAC;IAC3G,CAAC;IAED,OAAO;QACL,MAAM,EAAE,OAAO;QACf,GAAG;QACH,SAAS,EAAE,GAAwB;KACpC,CAAC;AACJ,CAAC"}

package/dist/errors.d.ts

@@ -0,0 +1,27 @@
+export declare class DbscProtocolError extends Error {
+    readonly code: string;
+    constructor(code: string, message: string);
+}
+export declare class DbscVerificationError extends Error {
+    readonly code: string;
+    constructor(code: string, message: string);
+}
+export declare class DbscStorageError extends Error {
+    readonly code: string;
+    constructor(code: string, message: string);
+}
+export declare const ErrorCodes: {
+    readonly MISSING_RESPONSE_HEADER: "MISSING_RESPONSE_HEADER";
+    readonly MALFORMED_JWS: "MALFORMED_JWS";
+    readonly INVALID_JWK: "INVALID_JWK";
+    readonly UNKNOWN_ALGORITHM: "UNKNOWN_ALGORITHM";
+    readonly CHALLENGE_NOT_FOUND: "CHALLENGE_NOT_FOUND";
+    readonly CHALLENGE_EXPIRED: "CHALLENGE_EXPIRED";
+    readonly CHALLENGE_CONSUMED: "CHALLENGE_CONSUMED";
+    readonly JTI_MISMATCH: "JTI_MISMATCH";
+    readonly SIGNATURE_INVALID: "SIGNATURE_INVALID";
+    readonly KEY_NOT_FOUND: "KEY_NOT_FOUND";
+    readonly SESSION_NOT_FOUND: "SESSION_NOT_FOUND";
+    readonly RATE_LIMITED: "RATE_LIMITED";
+};
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAEV,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAK1C;AAED,qBAAa,qBAAsB,SAAQ,KAAK;IAC9C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAEV,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAK1C;AAED,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAEV,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAK1C;AAED,eAAO,MAAM,UAAU;;;;;;;;;;;;;CAab,CAAC"}

package/dist/errors.js

@@ -0,0 +1,39 @@
+export class DbscProtocolError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = "DbscProtocolError";
+        this.code = code;
+    }
+}
+export class DbscVerificationError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = "DbscVerificationError";
+        this.code = code;
+    }
+}
+export class DbscStorageError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = "DbscStorageError";
+        this.code = code;
+    }
+}
+export const ErrorCodes = {
+    MISSING_RESPONSE_HEADER: "MISSING_RESPONSE_HEADER",
+    MALFORMED_JWS: "MALFORMED_JWS",
+    INVALID_JWK: "INVALID_JWK",
+    UNKNOWN_ALGORITHM: "UNKNOWN_ALGORITHM",
+    CHALLENGE_NOT_FOUND: "CHALLENGE_NOT_FOUND",
+    CHALLENGE_EXPIRED: "CHALLENGE_EXPIRED",
+    CHALLENGE_CONSUMED: "CHALLENGE_CONSUMED",
+    JTI_MISMATCH: "JTI_MISMATCH",
+    SIGNATURE_INVALID: "SIGNATURE_INVALID",
+    KEY_NOT_FOUND: "KEY_NOT_FOUND",
+    SESSION_NOT_FOUND: "SESSION_NOT_FOUND",
+    RATE_LIMITED: "RATE_LIMITED",
+};
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,IAAI,CAAS;IAEtB,YAAY,IAAY,EAAE,OAAe;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IACrC,IAAI,CAAS;IAEtB,YAAY,IAAY,EAAE,OAAe;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;QACpC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAChC,IAAI,CAAS;IAEtB,YAAY,IAAY,EAAE,OAAe;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,uBAAuB,EAAE,yBAAyB;IAClD,aAAa,EAAE,eAAe;IAC9B,WAAW,EAAE,aAAa;IAC1B,iBAAiB,EAAE,mBAAmB;IACtC,mBAAmB,EAAE,qBAAqB;IAC1C,iBAAiB,EAAE,mBAAmB;IACtC,kBAAkB,EAAE,oBAAoB;IACxC,YAAY,EAAE,cAAc;IAC5B,iBAAiB,EAAE,mBAAmB;IACtC,aAAa,EAAE,eAAe;IAC9B,iBAAiB,EAAE,mBAAmB;IACtC,YAAY,EAAE,cAAc;CACpB,CAAC"}

package/dist/fallback/hmac.d.ts

@@ -0,0 +1,9 @@
+export interface HmacSignalBundle {
+    userAgent: string;
+    acceptLanguage: string;
+    secureContext: boolean;
+}
+export declare function collectSignals(headers: Record<string, string | string[] | undefined>): HmacSignalBundle;
+export declare function generateHmacToken(signals: HmacSignalBundle, secret: Buffer): string;
+export declare function verifyHmacToken(token: string, signals: HmacSignalBundle, secret: Buffer): boolean;
+//# sourceMappingURL=hmac.d.ts.map

package/dist/fallback/hmac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hmac.d.ts","sourceRoot":"","sources":["../../src/fallback/hmac.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GAAG,gBAAgB,CAMvG;AAQD,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAKnF;AAED,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,gBAAgB,EACzB,MAAM,EAAE,MAAM,GACb,OAAO,CAeT"}

package/dist/fallback/hmac.js

@@ -0,0 +1,37 @@
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+// This tier binds a cookie to a set of browser signals via HMAC.
+// It does NOT provide hardware-level binding. Use only when DBSC and WebAuthn
+// are both unavailable. Document this limitation to end users.
+const SIGNAL_SEPARATOR = "|";
+export function collectSignals(headers) {
+    return {
+        userAgent: headers["user-agent"] ?? "",
+        acceptLanguage: headers["accept-language"] ?? "",
+        secureContext: headers["x-forwarded-proto"] === "https",
+    };
+}
+function serializeSignals(bundle) {
+    return [bundle.userAgent, bundle.acceptLanguage, String(bundle.secureContext)].join(SIGNAL_SEPARATOR);
+}
+export function generateHmacToken(signals, secret) {
+    const nonce = randomBytes(16).toString("base64url");
+    const data = `${nonce}${SIGNAL_SEPARATOR}${serializeSignals(signals)}`;
+    const mac = createHmac("sha256", secret).update(data).digest("base64url");
+    return `${nonce}.${mac}`;
+}
+export function verifyHmacToken(token, signals, secret) {
+    const dot = token.indexOf(".");
+    if (dot === -1)
+        return false;
+    const nonce = token.slice(0, dot);
+    const providedMac = token.slice(dot + 1);
+    const data = `${nonce}${SIGNAL_SEPARATOR}${serializeSignals(signals)}`;
+    const expectedMac = createHmac("sha256", secret).update(data).digest("base64url");
+    try {
+        return timingSafeEqual(Buffer.from(providedMac), Buffer.from(expectedMac));
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=hmac.js.map

package/dist/fallback/hmac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hmac.js","sourceRoot":"","sources":["../../src/fallback/hmac.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,iEAAiE;AACjE,8EAA8E;AAC9E,+DAA+D;AAE/D,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAQ7B,MAAM,UAAU,cAAc,CAAC,OAAsD;IACnF,OAAO;QACL,SAAS,EAAG,OAAO,CAAC,YAAY,CAAY,IAAI,EAAE;QAClD,cAAc,EAAG,OAAO,CAAC,iBAAiB,CAAY,IAAI,EAAE;QAC5D,aAAa,EAAG,OAAO,CAAC,mBAAmB,CAAY,KAAK,OAAO;KACpE,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAwB;IAChD,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CACjF,gBAAgB,CACjB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAAyB,EAAE,MAAc;IACzE,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,IAAI,GAAG,GAAG,KAAK,GAAG,gBAAgB,GAAG,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;IACvE,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC1E,OAAO,GAAG,KAAK,IAAI,GAAG,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,KAAa,EACb,OAAyB,EACzB,MAAc;IAEd,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,GAAG,KAAK,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAE7B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAClC,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IAEzC,MAAM,IAAI,GAAG,GAAG,KAAK,GAAG,gBAAgB,GAAG,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;IACvE,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAElF,IAAI,CAAC;QACH,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/fallback/negotiate.d.ts

@@ -0,0 +1,9 @@
+import type { ProtectionTier } from "../types.js";
+export interface NegotiationContext {
+    acceptsDbsc: boolean;
+    supportsWebAuthn: boolean;
+    hmacAllowed: boolean;
+}
+export declare function negotiateTier(ctx: NegotiationContext): ProtectionTier;
+export declare function detectDbscSupport(headers: Record<string, string | string[] | undefined>): boolean;
+//# sourceMappingURL=negotiate.d.ts.map

package/dist/fallback/negotiate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"negotiate.d.ts","sourceRoot":"","sources":["../../src/fallback/negotiate.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,OAAO,CAAC;IACrB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,WAAW,EAAE,OAAO,CAAC;CACtB;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,kBAAkB,GAAG,cAAc,CAKrE;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GAAG,OAAO,CAWjG"}

package/dist/fallback/negotiate.js

@@ -0,0 +1,22 @@
+export function negotiateTier(ctx) {
+    if (ctx.acceptsDbsc)
+        return "dbsc";
+    if (ctx.supportsWebAuthn)
+        return "webauthn";
+    if (ctx.hmacAllowed)
+        return "hmac";
+    return "none";
+}
+export function detectDbscSupport(headers) {
+    const secFetch = headers["sec-fetch-site"];
+    const ua = (headers["user-agent"] ?? "");
+    // Chrome 146+ on Windows carries DBSC support
+    // The definitive signal is whether the browser responds to Secure-Session-Registration
+    // This header is set by the server; we detect support by checking Chrome version
+    const chromeMatch = /Chrome\/(\d+)/.exec(ua);
+    if (!chromeMatch)
+        return false;
+    const version = parseInt(chromeMatch[1] ?? "0", 10);
+    return version >= 146 && !!secFetch;
+}
+//# sourceMappingURL=negotiate.js.map

package/dist/fallback/negotiate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"negotiate.js","sourceRoot":"","sources":["../../src/fallback/negotiate.ts"],"names":[],"mappings":"AAQA,MAAM,UAAU,aAAa,CAAC,GAAuB;IACnD,IAAI,GAAG,CAAC,WAAW;QAAE,OAAO,MAAM,CAAC;IACnC,IAAI,GAAG,CAAC,gBAAgB;QAAE,OAAO,UAAU,CAAC;IAC5C,IAAI,GAAG,CAAC,WAAW;QAAE,OAAO,MAAM,CAAC;IACnC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAAsD;IACtF,MAAM,QAAQ,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,CAAW,CAAC;IAEnD,8CAA8C;IAC9C,uFAAuF;IACvF,iFAAiF;IACjF,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7C,IAAI,CAAC,WAAW;QAAE,OAAO,KAAK,CAAC;IAC/B,MAAM,OAAO,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;IACpD,OAAO,OAAO,IAAI,GAAG,IAAI,CAAC,CAAC,QAAQ,CAAC;AACtC,CAAC"}

package/dist/fallback/webauthn.d.ts

@@ -0,0 +1,10 @@
+import { generateRegistrationOptions, verifyRegistrationResponse, generateAuthenticationOptions, verifyAuthenticationResponse, type VerifiedRegistrationResponse, type VerifyAuthenticationResponseOpts } from "@simplewebauthn/server";
+export interface WebAuthnRegistrationChallenge {
+    options: Awaited<ReturnType<typeof generateRegistrationOptions>>;
+    challenge: string;
+}
+export declare function generateWebAuthnRegistration(rpName: string, rpId: string, userId: string, userName: string): Promise<WebAuthnRegistrationChallenge>;
+export declare function verifyWebAuthnRegistration(response: Parameters<typeof verifyRegistrationResponse>[0]["response"], expectedChallenge: string, expectedOrigin: string, rpId: string): Promise<VerifiedRegistrationResponse>;
+export declare function generateWebAuthnAuthentication(rpId: string, allowedCredentialIds: string[]): Promise<Awaited<ReturnType<typeof generateAuthenticationOptions>>>;
+export declare function verifyWebAuthnAuthentication(opts: VerifyAuthenticationResponseOpts): Promise<Awaited<ReturnType<typeof verifyAuthenticationResponse>>>;
+//# sourceMappingURL=webauthn.d.ts.map

package/dist/fallback/webauthn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webauthn.d.ts","sourceRoot":"","sources":["../../src/fallback/webauthn.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,EAE5B,KAAK,4BAA4B,EACjC,KAAK,gCAAgC,EACtC,MAAM,wBAAwB,CAAC;AAEhC,MAAM,WAAW,6BAA6B;IAC5C,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,2BAA2B,CAAC,CAAC,CAAC;IACjE,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAsB,4BAA4B,CAChD,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,6BAA6B,CAAC,CAkBxC;AAED,wBAAsB,0BAA0B,CAC9C,QAAQ,EAAE,UAAU,CAAC,OAAO,0BAA0B,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,EACtE,iBAAiB,EAAE,MAAM,EACzB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,4BAA4B,CAAC,CAOvC;AAED,wBAAsB,8BAA8B,CAClD,IAAI,EAAE,MAAM,EACZ,oBAAoB,EAAE,MAAM,EAAE,GAC7B,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,6BAA6B,CAAC,CAAC,CAAC,CASpE;AAED,wBAAsB,4BAA4B,CAChD,IAAI,EAAE,gCAAgC,GACrC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,4BAA4B,CAAC,CAAC,CAAC,CAEnE"}

package/dist/fallback/webauthn.js

@@ -0,0 +1,41 @@
+import { generateRegistrationOptions, verifyRegistrationResponse, generateAuthenticationOptions, verifyAuthenticationResponse, } from "@simplewebauthn/server";
+export async function generateWebAuthnRegistration(rpName, rpId, userId, userName) {
+    const opts = {
+        rpName,
+        rpID: rpId,
+        userID: new TextEncoder().encode(userId),
+        userName,
+        authenticatorSelection: {
+            residentKey: "required",
+            userVerification: "preferred",
+        },
+        attestationType: "none",
+    };
+    const options = await generateRegistrationOptions(opts);
+    return {
+        options,
+        challenge: options.challenge,
+    };
+}
+export async function verifyWebAuthnRegistration(response, expectedChallenge, expectedOrigin, rpId) {
+    return verifyRegistrationResponse({
+        response,
+        expectedChallenge,
+        expectedOrigin,
+        expectedRPID: rpId,
+    });
+}
+export async function generateWebAuthnAuthentication(rpId, allowedCredentialIds) {
+    return generateAuthenticationOptions({
+        rpID: rpId,
+        allowCredentials: allowedCredentialIds.map((id) => ({
+            id,
+            transports: ["internal"],
+        })),
+        userVerification: "preferred",
+    });
+}
+export async function verifyWebAuthnAuthentication(opts) {
+    return verifyAuthenticationResponse(opts);
+}
+//# sourceMappingURL=webauthn.js.map

package/dist/fallback/webauthn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webauthn.js","sourceRoot":"","sources":["../../src/fallback/webauthn.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,GAI7B,MAAM,wBAAwB,CAAC;AAOhC,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,MAAc,EACd,IAAY,EACZ,MAAc,EACd,QAAgB;IAEhB,MAAM,IAAI,GAAoC;QAC5C,MAAM;QACN,IAAI,EAAE,IAAI;QACV,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC;QACxC,QAAQ;QACR,sBAAsB,EAAE;YACtB,WAAW,EAAE,UAAU;YACvB,gBAAgB,EAAE,WAAW;SAC9B;QACD,eAAe,EAAE,MAAM;KACxB,CAAC;IAEF,MAAM,OAAO,GAAG,MAAM,2BAA2B,CAAC,IAAI,CAAC,CAAC;IACxD,OAAO;QACL,OAAO;QACP,SAAS,EAAE,OAAO,CAAC,SAAS;KAC7B,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,QAAsE,EACtE,iBAAyB,EACzB,cAAsB,EACtB,IAAY;IAEZ,OAAO,0BAA0B,CAAC;QAChC,QAAQ;QACR,iBAAiB;QACjB,cAAc;QACd,YAAY,EAAE,IAAI;KACnB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,IAAY,EACZ,oBAA8B;IAE9B,OAAO,6BAA6B,CAAC;QACnC,IAAI,EAAE,IAAI;QACV,gBAAgB,EAAE,oBAAoB,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;YAClD,EAAE;YACF,UAAU,EAAE,CAAC,UAAU,CAAC;SACzB,CAAC,CAAC;QACH,gBAAgB,EAAE,WAAW;KAC9B,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,IAAsC;IAEtC,OAAO,4BAA4B,CAAC,IAAI,CAAC,CAAC;AAC5C,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,14 @@
+export type { ProtectionTier, BoundKey, Session, Challenge, RegistrationProof, RefreshProof, StorageAdapter, RateLimiter, DbscOptions, AnyTelemetryEvent, TelemetryEvent, RegistrationEvent, RefreshEvent, VerificationFailureEvent, SessionStolenEvent, FallbackTierEvent, } from "./types.js";
+export { DbscProtocolError, DbscVerificationError, DbscStorageError, ErrorCodes } from "./errors.js";
+export { validateJwk, detectAlgorithm } from "./crypto/jwk.js";
+export { verifyDbscJws, parseRegistrationJws } from "./crypto/jws.js";
+export { generateJti, issueChallenge } from "./protocol/challenge.js";
+export { buildRegistrationHeader, buildChallengeHeader, parseSessionResponseHeader, buildSessionIdCookie, readSessionResponseHeader, REGISTRATION_HEADER, RESPONSE_HEADER, CHALLENGE_HEADER, LEGACY_REGISTRATION_HEADER, LEGACY_RESPONSE_HEADER, LEGACY_CHALLENGE_HEADER, } from "./protocol/headers.js";
+export { handleRegistration } from "./protocol/registration.js";
+export { handleRefresh } from "./protocol/refresh.js";
+export { negotiateTier, detectDbscSupport } from "./fallback/negotiate.js";
+export { generateWebAuthnRegistration, verifyWebAuthnRegistration, generateWebAuthnAuthentication, verifyWebAuthnAuthentication, } from "./fallback/webauthn.js";
+export { collectSignals, generateHmacToken, verifyHmacToken } from "./fallback/hmac.js";
+export { NoopRateLimiter } from "./ratelimit/interface.js";
+export { emit } from "./telemetry/hooks.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,cAAc,EACd,QAAQ,EACR,OAAO,EACP,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,cAAc,EACd,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,cAAc,EACd,iBAAiB,EACjB,YAAY,EACZ,wBAAwB,EACxB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAErG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEtE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACtE,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,0BAA0B,EAC1B,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,0BAA0B,EAC1B,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC3E,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,EAC1B,8BAA8B,EAC9B,4BAA4B,GAC7B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAExF,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/index.js

@@ -0,0 +1,13 @@
+export { DbscProtocolError, DbscVerificationError, DbscStorageError, ErrorCodes } from "./errors.js";
+export { validateJwk, detectAlgorithm } from "./crypto/jwk.js";
+export { verifyDbscJws, parseRegistrationJws } from "./crypto/jws.js";
+export { generateJti, issueChallenge } from "./protocol/challenge.js";
+export { buildRegistrationHeader, buildChallengeHeader, parseSessionResponseHeader, buildSessionIdCookie, readSessionResponseHeader, REGISTRATION_HEADER, RESPONSE_HEADER, CHALLENGE_HEADER, LEGACY_REGISTRATION_HEADER, LEGACY_RESPONSE_HEADER, LEGACY_CHALLENGE_HEADER, } from "./protocol/headers.js";
+export { handleRegistration } from "./protocol/registration.js";
+export { handleRefresh } from "./protocol/refresh.js";
+export { negotiateTier, detectDbscSupport } from "./fallback/negotiate.js";
+export { generateWebAuthnRegistration, verifyWebAuthnRegistration, generateWebAuthnAuthentication, verifyWebAuthnAuthentication, } from "./fallback/webauthn.js";
+export { collectSignals, generateHmacToken, verifyHmacToken } from "./fallback/hmac.js";
+export { NoopRateLimiter } from "./ratelimit/interface.js";
+export { emit } from "./telemetry/hooks.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAmBA,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAErG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEtE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACtE,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,0BAA0B,EAC1B,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,0BAA0B,EAC1B,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC3E,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,EAC1B,8BAA8B,EAC9B,4BAA4B,GAC7B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAExF,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/protocol/challenge.d.ts

@@ -0,0 +1,4 @@
+import type { Challenge, StorageAdapter } from "../types.js";
+export declare function generateJti(): string;
+export declare function issueChallenge(sessionId: string, storage: StorageAdapter, ttlMs?: number): Promise<Challenge>;
+//# sourceMappingURL=challenge.d.ts.map

package/dist/protocol/challenge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge.d.ts","sourceRoot":"","sources":["../../src/protocol/challenge.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAI7D,wBAAgB,WAAW,IAAI,MAAM,CAEpC;AAED,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,cAAc,EACvB,KAAK,GAAE,MAAuB,GAC7B,OAAO,CAAC,SAAS,CAAC,CAWpB"}

package/dist/protocol/challenge.js

@@ -0,0 +1,18 @@
+import { randomBytes } from "node:crypto";
+const DEFAULT_TTL_MS = 5 * 60 * 1000;
+export function generateJti() {
+    return randomBytes(32).toString("base64url");
+}
+export async function issueChallenge(sessionId, storage, ttlMs = DEFAULT_TTL_MS) {
+    const now = Date.now();
+    const challenge = {
+        jti: generateJti(),
+        sessionId,
+        createdAt: now,
+        expiresAt: now + ttlMs,
+        consumed: false,
+    };
+    await storage.setChallenge(challenge);
+    return challenge;
+}
+//# sourceMappingURL=challenge.js.map

package/dist/protocol/challenge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge.js","sourceRoot":"","sources":["../../src/protocol/challenge.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG1C,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAErC,MAAM,UAAU,WAAW;IACzB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,OAAuB,EACvB,QAAgB,cAAc;IAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,SAAS,GAAc;QAC3B,GAAG,EAAE,WAAW,EAAE;QAClB,SAAS;QACT,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG,GAAG,KAAK;QACtB,QAAQ,EAAE,KAAK;KAChB,CAAC;IACF,MAAM,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;IACtC,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/protocol/headers.d.ts

@@ -0,0 +1,20 @@
+export interface RegistrationHeaderOptions {
+    algorithm?: "ES256" | "RS256";
+    refreshPath: string;
+    challenge: string;
+}
+export declare function buildRegistrationHeader(opts: RegistrationHeaderOptions): string;
+export declare function buildChallengeHeader(jti: string): string;
+export declare function parseSessionResponseHeader(raw: string): string;
+export declare function buildSessionIdCookie(sessionId: string, opts: {
+    secure: boolean;
+    sameSite: string;
+}): string;
+export declare const REGISTRATION_HEADER = "Secure-Session-Registration";
+export declare const RESPONSE_HEADER = "Secure-Session-Response";
+export declare const CHALLENGE_HEADER = "Secure-Session-Challenge";
+export declare const LEGACY_REGISTRATION_HEADER = "Sec-Session-Registration";
+export declare const LEGACY_RESPONSE_HEADER = "Sec-Session-Response";
+export declare const LEGACY_CHALLENGE_HEADER = "Sec-Session-Challenge";
+export declare function readSessionResponseHeader(headers: Record<string, string | string[] | undefined>): string | undefined;
+//# sourceMappingURL=headers.d.ts.map

package/dist/protocol/headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/protocol/headers.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,yBAAyB;IACxC,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,yBAAyB,GAAG,MAAM,CAG/E;AAED,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAExD;AAED,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC1C,MAAM,CAKR;AAED,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,eAAe,4BAA4B,CAAC;AACzD,eAAO,MAAM,gBAAgB,6BAA6B,CAAC;AAE3D,eAAO,MAAM,0BAA0B,6BAA6B,CAAC;AACrE,eAAO,MAAM,sBAAsB,yBAAyB,CAAC;AAC7D,eAAO,MAAM,uBAAuB,0BAA0B,CAAC;AAE/D,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GACrD,MAAM,GAAG,SAAS,CAIpB"}

package/dist/protocol/headers.js

@@ -0,0 +1,30 @@
+export function buildRegistrationHeader(opts) {
+    const alg = opts.algorithm ?? "ES256";
+    return `(${alg});path="${opts.refreshPath}";challenge="${opts.challenge}"`;
+}
+export function buildChallengeHeader(jti) {
+    return `"${jti}"`;
+}
+export function parseSessionResponseHeader(raw) {
+    return raw.trim();
+}
+export function buildSessionIdCookie(sessionId, opts) {
+    const parts = [`__Secure-Session-Id=${sessionId}`, "HttpOnly", "Path=/"];
+    if (opts.secure)
+        parts.push("Secure");
+    parts.push(`SameSite=${opts.sameSite}`);
+    return parts.join("; ");
+}
+export const REGISTRATION_HEADER = "Secure-Session-Registration";
+export const RESPONSE_HEADER = "Secure-Session-Response";
+export const CHALLENGE_HEADER = "Secure-Session-Challenge";
+export const LEGACY_REGISTRATION_HEADER = "Sec-Session-Registration";
+export const LEGACY_RESPONSE_HEADER = "Sec-Session-Response";
+export const LEGACY_CHALLENGE_HEADER = "Sec-Session-Challenge";
+export function readSessionResponseHeader(headers) {
+    const v = headers["secure-session-response"] ?? headers["sec-session-response"];
+    if (Array.isArray(v))
+        return v[0];
+    return v;
+}
+//# sourceMappingURL=headers.js.map

package/dist/protocol/headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.js","sourceRoot":"","sources":["../../src/protocol/headers.ts"],"names":[],"mappings":"AAMA,MAAM,UAAU,uBAAuB,CAAC,IAA+B;IACrE,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC;IACtC,OAAO,IAAI,GAAG,WAAW,IAAI,CAAC,WAAW,gBAAgB,IAAI,CAAC,SAAS,GAAG,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,OAAO,IAAI,GAAG,GAAG,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,GAAW;IACpD,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,SAAiB,EACjB,IAA2C;IAE3C,MAAM,KAAK,GAAG,CAAC,uBAAuB,SAAS,EAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IACzE,IAAI,IAAI,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtC,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IACxC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAG,6BAA6B,CAAC;AACjE,MAAM,CAAC,MAAM,eAAe,GAAG,yBAAyB,CAAC;AACzD,MAAM,CAAC,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAE3D,MAAM,CAAC,MAAM,0BAA0B,GAAG,0BAA0B,CAAC;AACrE,MAAM,CAAC,MAAM,sBAAsB,GAAG,sBAAsB,CAAC;AAC7D,MAAM,CAAC,MAAM,uBAAuB,GAAG,uBAAuB,CAAC;AAE/D,MAAM,UAAU,yBAAyB,CACvC,OAAsD;IAEtD,MAAM,CAAC,GAAG,OAAO,CAAC,yBAAyB,CAAC,IAAI,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAChF,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IAClC,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/protocol/refresh.d.ts

@@ -0,0 +1,8 @@
+import type { RefreshProof, StorageAdapter } from "../types.js";
+export interface RefreshRequest {
+    sessionId: string;
+    secSessionResponseHeader: string | undefined;
+    expectedJti: string;
+}
+export declare function handleRefresh(req: RefreshRequest, storage: StorageAdapter): Promise<RefreshProof>;
+//# sourceMappingURL=refresh.d.ts.map

package/dist/protocol/refresh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../src/protocol/refresh.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAEhE,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,wBAAwB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,aAAa,CACjC,GAAG,EAAE,cAAc,EACnB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAwCvB"}

package/dist/protocol/refresh.js

@@ -0,0 +1,33 @@
+import { verifyDbscJws } from "../crypto/jws.js";
+import { DbscProtocolError, DbscVerificationError, ErrorCodes } from "../errors.js";
+export async function handleRefresh(req, storage) {
+    if (!req.secSessionResponseHeader) {
+        throw new DbscProtocolError(ErrorCodes.MISSING_RESPONSE_HEADER, "Secure-Session-Response header is required for refresh");
+    }
+    const key = await storage.getBoundKey(req.sessionId);
+    if (!key) {
+        throw new DbscVerificationError(ErrorCodes.KEY_NOT_FOUND, "no bound key for session");
+    }
+    const challenge = await storage.getChallenge(req.expectedJti);
+    if (!challenge) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_NOT_FOUND, "challenge not found");
+    }
+    if (challenge.consumed) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_CONSUMED, "challenge already consumed");
+    }
+    if (Date.now() > challenge.expiresAt) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_EXPIRED, "challenge expired");
+    }
+    const token = req.secSessionResponseHeader.trim();
+    await verifyDbscJws(token, key.jwk, req.expectedJti);
+    const consumed = await storage.consumeChallenge(req.expectedJti);
+    if (!consumed) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_CONSUMED, "challenge already consumed");
+    }
+    return {
+        sessionId: req.sessionId,
+        jti: req.expectedJti,
+        verified: true,
+    };
+}
+//# sourceMappingURL=refresh.js.map

package/dist/protocol/refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../src/protocol/refresh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AASpF,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAmB,EACnB,OAAuB;IAEvB,IAAI,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAClC,MAAM,IAAI,iBAAiB,CACzB,UAAU,CAAC,uBAAuB,EAClC,wDAAwD,CACzD,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,aAAa,EACxB,0BAA0B,CAC3B,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IACzF,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,wBAAwB,CAAC,IAAI,EAAE,CAAC;IAClD,MAAM,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;IAErD,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACjE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IAED,OAAO;QACL,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,GAAG,EAAE,GAAG,CAAC,WAAW;QACpB,QAAQ,EAAE,IAAI;KACf,CAAC;AACJ,CAAC"}

package/dist/protocol/registration.d.ts

@@ -0,0 +1,11 @@
+import type { BoundKey, StorageAdapter } from "../types.js";
+export interface RegistrationRequest {
+    sessionId: string;
+    secSessionResponseHeader: string | undefined;
+    expectedJti: string;
+}
+export interface RegistrationResult {
+    boundKey: BoundKey;
+}
+export declare function handleRegistration(req: RegistrationRequest, storage: StorageAdapter): Promise<RegistrationResult>;
+//# sourceMappingURL=registration.d.ts.map

package/dist/protocol/registration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registration.d.ts","sourceRoot":"","sources":["../../src/protocol/registration.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE5D,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,wBAAwB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,mBAAmB,EACxB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,kBAAkB,CAAC,CAwC7B"}

package/dist/protocol/registration.js

@@ -0,0 +1,35 @@
+import { parseRegistrationJws } from "../crypto/jws.js";
+import { DbscProtocolError, DbscVerificationError, ErrorCodes } from "../errors.js";
+export async function handleRegistration(req, storage) {
+    if (!req.secSessionResponseHeader) {
+        throw new DbscProtocolError(ErrorCodes.MISSING_RESPONSE_HEADER, "Secure-Session-Response header is required");
+    }
+    const token = req.secSessionResponseHeader.trim();
+    const { jwk, algorithm, claims } = await parseRegistrationJws(token);
+    const challenge = await storage.getChallenge(req.expectedJti);
+    if (!challenge) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_NOT_FOUND, "challenge not found");
+    }
+    if (challenge.consumed) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_CONSUMED, "challenge already consumed");
+    }
+    if (Date.now() > challenge.expiresAt) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_EXPIRED, "challenge expired");
+    }
+    if (claims.jti !== req.expectedJti) {
+        throw new DbscVerificationError(ErrorCodes.JTI_MISMATCH, "jti does not match challenge");
+    }
+    const consumed = await storage.consumeChallenge(req.expectedJti);
+    if (!consumed) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_CONSUMED, "challenge already consumed");
+    }
+    const boundKey = {
+        sessionId: req.sessionId,
+        jwk,
+        createdAt: Date.now(),
+        algorithm,
+    };
+    await storage.setBoundKey(boundKey);
+    return { boundKey };
+}
+//# sourceMappingURL=registration.js.map

package/dist/protocol/registration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registration.js","sourceRoot":"","sources":["../../src/protocol/registration.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAapF,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,GAAwB,EACxB,OAAuB;IAEvB,IAAI,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAClC,MAAM,IAAI,iBAAiB,CACzB,UAAU,CAAC,uBAAuB,EAClC,4CAA4C,CAC7C,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,wBAAwB,CAAC,IAAI,EAAE,CAAC;IAClD,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,MAAM,oBAAoB,CAAC,KAAK,CAAC,CAAC;IAErE,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IACzF,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IACrF,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,GAAG,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,YAAY,EAAE,8BAA8B,CAAC,CAAC;IAC3F,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACjE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,QAAQ,GAAa;QACzB,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,GAAG;QACH,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,SAAS;KACV,CAAC;IAEF,MAAM,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAEpC,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC"}

package/dist/ratelimit/interface.d.ts

@@ -0,0 +1,7 @@
+import type { RateLimiter } from "../types.js";
+export declare class NoopRateLimiter implements RateLimiter {
+    checkRegistration(_ip: string): Promise<boolean>;
+    checkRefresh(_ip: string, _sessionId: string): Promise<boolean>;
+    recordFailure(_ip: string, _sessionId?: string): Promise<void>;
+}
+//# sourceMappingURL=interface.d.ts.map

package/dist/ratelimit/interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface.d.ts","sourceRoot":"","sources":["../../src/ratelimit/interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG/C,qBAAa,eAAgB,YAAW,WAAW;IAC3C,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIhD,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI/D,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CACrE"}

package/dist/ratelimit/interface.js

@@ -0,0 +1,11 @@
+// Default no-op limiter. Replace with a real implementation in production.
+export class NoopRateLimiter {
+    async checkRegistration(_ip) {
+        return true;
+    }
+    async checkRefresh(_ip, _sessionId) {
+        return true;
+    }
+    async recordFailure(_ip, _sessionId) { }
+}
+//# sourceMappingURL=interface.js.map

package/dist/ratelimit/interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface.js","sourceRoot":"","sources":["../../src/ratelimit/interface.ts"],"names":[],"mappings":"AAEA,2EAA2E;AAC3E,MAAM,OAAO,eAAe;IAC1B,KAAK,CAAC,iBAAiB,CAAC,GAAW;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAW,EAAE,UAAkB;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAW,EAAE,UAAmB,IAAkB,CAAC;CACxE"}

package/dist/telemetry/hooks.d.ts

@@ -0,0 +1,4 @@
+import type { AnyTelemetryEvent } from "../types.js";
+export type EventHandler = (event: AnyTelemetryEvent) => void;
+export declare function emit(handler: EventHandler | undefined, event: AnyTelemetryEvent): void;
+//# sourceMappingURL=hooks.d.ts.map

package/dist/telemetry/hooks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hooks.d.ts","sourceRoot":"","sources":["../../src/telemetry/hooks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,MAAM,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;AAE9D,wBAAgB,IAAI,CAAC,OAAO,EAAE,YAAY,GAAG,SAAS,EAAE,KAAK,EAAE,iBAAiB,GAAG,IAAI,CAOtF"}

package/dist/telemetry/hooks.js

@@ -0,0 +1,11 @@
+export function emit(handler, event) {
+    if (!handler)
+        return;
+    try {
+        handler(event);
+    }
+    catch {
+        // telemetry failures must never crash the auth path
+    }
+}
+//# sourceMappingURL=hooks.js.map

package/dist/telemetry/hooks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hooks.js","sourceRoot":"","sources":["../../src/telemetry/hooks.ts"],"names":[],"mappings":"AAIA,MAAM,UAAU,IAAI,CAAC,OAAiC,EAAE,KAAwB;IAC9E,IAAI,CAAC,OAAO;QAAE,OAAO;IACrB,IAAI,CAAC;QACH,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,oDAAoD;IACtD,CAAC;AACH,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,91 @@
+export type ProtectionTier = "dbsc" | "webauthn" | "hmac" | "none";
+export interface BoundKey {
+    sessionId: string;
+    jwk: JsonWebKey;
+    createdAt: number;
+    algorithm: "ES256" | "RS256";
+}
+export interface Session {
+    id: string;
+    userId: string;
+    tier: ProtectionTier;
+    createdAt: number;
+    expiresAt: number;
+}
+export interface Challenge {
+    jti: string;
+    sessionId: string;
+    createdAt: number;
+    expiresAt: number;
+    consumed: boolean;
+}
+export interface RegistrationProof {
+    sessionId: string;
+    jwk: JsonWebKey;
+    algorithm: "ES256" | "RS256";
+    jti: string;
+}
+export interface RefreshProof {
+    sessionId: string;
+    jti: string;
+    verified: boolean;
+}
+export interface StorageAdapter {
+    getSession(id: string): Promise<Session | null>;
+    setSession(session: Session): Promise<void>;
+    deleteSession(id: string): Promise<void>;
+    getBoundKey(sessionId: string): Promise<BoundKey | null>;
+    setBoundKey(key: BoundKey): Promise<void>;
+    deleteBoundKey(sessionId: string): Promise<void>;
+    getChallenge(jti: string): Promise<Challenge | null>;
+    setChallenge(challenge: Challenge): Promise<void>;
+    consumeChallenge(jti: string): Promise<boolean>;
+    revokeSession(sessionId: string): Promise<void>;
+    revokeAllForUser(userId: string): Promise<void>;
+}
+export interface RateLimiter {
+    checkRegistration(ip: string): Promise<boolean>;
+    checkRefresh(ip: string, sessionId: string): Promise<boolean>;
+    recordFailure(ip: string, sessionId?: string): Promise<void>;
+}
+export interface TelemetryEvent {
+    sessionId: string;
+    tier: ProtectionTier;
+    timestamp: number;
+}
+export interface RegistrationEvent extends TelemetryEvent {
+    type: "registration";
+    algorithm: string;
+    ip: string;
+}
+export interface RefreshEvent extends TelemetryEvent {
+    type: "refresh";
+    ip: string;
+}
+export interface VerificationFailureEvent extends TelemetryEvent {
+    type: "verification_failure";
+    reason: string;
+    ip: string;
+}
+export interface SessionStolenEvent extends TelemetryEvent {
+    type: "session_stolen";
+    ip: string;
+}
+export interface FallbackTierEvent extends TelemetryEvent {
+    type: "fallback_tier";
+    from: ProtectionTier;
+    to: ProtectionTier;
+    reason: string;
+}
+export type AnyTelemetryEvent = RegistrationEvent | RefreshEvent | VerificationFailureEvent | SessionStolenEvent | FallbackTierEvent;
+export interface DbscOptions {
+    storage: StorageAdapter;
+    fallback?: "webauthn" | "hmac" | "none";
+    registrationPath?: string;
+    refreshPath?: string;
+    boundCookieTtl?: number;
+    registrationCookieTtl?: number;
+    rateLimiter?: RateLimiter;
+    onEvent?: (event: AnyTelemetryEvent) => void;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,UAAU,GAAG,MAAM,GAAG,MAAM,CAAC;AAEnE,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,UAAU,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC;CAC9B;AAED,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,UAAU,CAAC;IAChB,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC;IAC7B,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAChD,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IACzD,WAAW,CAAC,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1C,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjD,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IACrD,YAAY,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhD,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,WAAW;IAC1B,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChD,YAAY,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9D,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9D;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAkB,SAAQ,cAAc;IACvD,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,YAAa,SAAQ,cAAc;IAClD,IAAI,EAAE,SAAS,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,wBAAyB,SAAQ,cAAc;IAC9D,IAAI,EAAE,sBAAsB,CAAC;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,kBAAmB,SAAQ,cAAc;IACxD,IAAI,EAAE,gBAAgB,CAAC;IACvB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,iBAAkB,SAAQ,cAAc;IACvD,IAAI,EAAE,eAAe,CAAC;IACtB,IAAI,EAAE,cAAc,CAAC;IACrB,EAAE,EAAE,cAAc,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,MAAM,iBAAiB,GACzB,iBAAiB,GACjB,YAAY,GACZ,wBAAwB,GACxB,kBAAkB,GAClB,iBAAiB,CAAC;AAEtB,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,QAAQ,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,MAAM,CAAC;IACxC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;CAC9C"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,56 @@
+{
+  "name": "@dbsc-toolkit/core",
+  "version": "0.1.0",
+  "description": "Framework-agnostic DBSC protocol implementation for Node.js",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "dependencies": {
+    "@simplewebauthn/server": "^10.0.0",
+    "jose": "^5.3.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typescript": "^5.4.0",
+    "vitest": "^1.6.0"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "license": "Apache-2.0",
+  "homepage": "https://github.com/SulimanAbdulrazzaq/dbsc-toolkit#readme",
+  "bugs": {
+    "url": "https://github.com/SulimanAbdulrazzaq/dbsc-toolkit/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/SulimanAbdulrazzaq/dbsc-toolkit.git",
+    "directory": "packages/core"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "keywords": [
+    "dbsc",
+    "device-bound-session-credentials",
+    "session",
+    "security",
+    "tpm",
+    "auth",
+    "cookies",
+    "webauthn"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "vitest run",
+    "lint": "eslint src",
+    "clean": "rm -rf dist"
+  }
+}