@de-otio/trellis 0.7.1 → 0.10.0

Files changed (1252)
  1. package/LICENSE +661 -0
  2. package/dist/db.js +10 -18
  3. package/dist/db.js.map +1 -1
  4. package/dist/env.d.ts +66 -6
  5. package/dist/env.d.ts.map +1 -1
  6. package/dist/env.js +89 -70
  7. package/dist/env.js.map +1 -1
  8. package/dist/extensions.js +3 -8
  9. package/dist/extensions.js.map +1 -1
  10. package/dist/index.d.ts +2 -2
  11. package/dist/index.d.ts.map +1 -1
  12. package/dist/index.js +2 -9
  13. package/dist/index.js.map +1 -1
  14. package/dist/lambda/cleanup-cron.d.ts.map +1 -1
  15. package/dist/lambda/cleanup-cron.js +20 -24
  16. package/dist/lambda/cleanup-cron.js.map +1 -1
  17. package/dist/lambda/create-auth-challenge.d.ts.map +1 -1
  18. package/dist/lambda/create-auth-challenge.js +17 -19
  19. package/dist/lambda/create-auth-challenge.js.map +1 -1
  20. package/dist/lambda/custom-message.js +1 -5
  21. package/dist/lambda/custom-message.js.map +1 -1
  22. package/dist/lambda/define-auth-challenge.js +1 -5
  23. package/dist/lambda/define-auth-challenge.js.map +1 -1
  24. package/dist/lambda/delete-account-worker.d.ts.map +1 -1
  25. package/dist/lambda/delete-account-worker.js +25 -58
  26. package/dist/lambda/delete-account-worker.js.map +1 -1
  27. package/dist/lambda/diagnostics-proxy.d.ts.map +1 -1
  28. package/dist/lambda/diagnostics-proxy.js +14 -49
  29. package/dist/lambda/diagnostics-proxy.js.map +1 -1
  30. package/dist/lambda/e2e-sweeper.d.ts.map +1 -1
  31. package/dist/lambda/e2e-sweeper.js +30 -38
  32. package/dist/lambda/e2e-sweeper.js.map +1 -1
  33. package/dist/lambda/federation-outbox-worker.d.ts.map +1 -1
  34. package/dist/lambda/federation-outbox-worker.js +4 -6
  35. package/dist/lambda/federation-outbox-worker.js.map +1 -1
  36. package/dist/lambda/followers-events-worker.d.ts.map +1 -1
  37. package/dist/lambda/followers-events-worker.js +4 -6
  38. package/dist/lambda/followers-events-worker.js.map +1 -1
  39. package/dist/lambda/hourly-cron.d.ts.map +1 -1
  40. package/dist/lambda/hourly-cron.js +100 -32
  41. package/dist/lambda/hourly-cron.js.map +1 -1
  42. package/dist/lambda/link-check-worker.d.ts.map +1 -1
  43. package/dist/lambda/link-check-worker.js +4 -6
  44. package/dist/lambda/link-check-worker.js.map +1 -1
  45. package/dist/lambda/maintenance-cron.d.ts.map +1 -1
  46. package/dist/lambda/maintenance-cron.js +30 -63
  47. package/dist/lambda/maintenance-cron.js.map +1 -1
  48. package/dist/lambda/media-processing-worker.d.ts.map +1 -1
  49. package/dist/lambda/media-processing-worker.js +11 -46
  50. package/dist/lambda/media-processing-worker.js.map +1 -1
  51. package/dist/lambda/media-reconciliation-worker.d.ts.map +1 -1
  52. package/dist/lambda/media-reconciliation-worker.js +4 -6
  53. package/dist/lambda/media-reconciliation-worker.js.map +1 -1
  54. package/dist/lambda/nightly-cron.d.ts.map +1 -1
  55. package/dist/lambda/nightly-cron.js +67 -112
  56. package/dist/lambda/nightly-cron.js.map +1 -1
  57. package/dist/lambda/post-confirmation.d.ts.map +1 -1
  58. package/dist/lambda/post-confirmation.js +203 -47
  59. package/dist/lambda/post-confirmation.js.map +1 -1
  60. package/dist/lambda/pre-signup.js +7 -11
  61. package/dist/lambda/pre-signup.js.map +1 -1
  62. package/dist/lambda/pre-token-generation.d.ts.map +1 -1
  63. package/dist/lambda/pre-token-generation.js +27 -35
  64. package/dist/lambda/pre-token-generation.js.map +1 -1
  65. package/dist/lambda/tools/check-health.js +1 -5
  66. package/dist/lambda/tools/check-health.js.map +1 -1
  67. package/dist/lambda/tools/describe-services.js +4 -8
  68. package/dist/lambda/tools/describe-services.js.map +1 -1
  69. package/dist/lambda/tools/get-cost-report.js +4 -8
  70. package/dist/lambda/tools/get-cost-report.js.map +1 -1
  71. package/dist/lambda/tools/get-errors.js +5 -9
  72. package/dist/lambda/tools/get-errors.js.map +1 -1
  73. package/dist/lambda/tools/get-feature-flags.js +4 -8
  74. package/dist/lambda/tools/get-feature-flags.js.map +1 -1
  75. package/dist/lambda/tools/get-queue-status.js +5 -9
  76. package/dist/lambda/tools/get-queue-status.js.map +1 -1
  77. package/dist/lambda/tools/search-logs.js +5 -9
  78. package/dist/lambda/tools/search-logs.js.map +1 -1
  79. package/dist/lambda/tools/send-alert.js +4 -8
  80. package/dist/lambda/tools/send-alert.js.map +1 -1
  81. package/dist/lambda/verify-auth-challenge.d.ts.map +1 -1
  82. package/dist/lambda/verify-auth-challenge.js +10 -12
  83. package/dist/lambda/verify-auth-challenge.js.map +1 -1
  84. package/dist/lib/abuse-metrics.d.ts.map +1 -1
  85. package/dist/lib/abuse-metrics.js +10 -13
  86. package/dist/lib/abuse-metrics.js.map +1 -1
  87. package/dist/lib/activitypub/activity-processor.d.ts +1 -1
  88. package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
  89. package/dist/lib/activitypub/activity-processor.js +9 -43
  90. package/dist/lib/activitypub/activity-processor.js.map +1 -1
  91. package/dist/lib/activitypub/activity-service.js +1 -5
  92. package/dist/lib/activitypub/activity-service.js.map +1 -1
  93. package/dist/lib/activitypub/actor.d.ts +1 -1
  94. package/dist/lib/activitypub/actor.d.ts.map +1 -1
  95. package/dist/lib/activitypub/actor.js +1 -5
  96. package/dist/lib/activitypub/actor.js.map +1 -1
  97. package/dist/lib/activitypub/audience-service.d.ts +2 -2
  98. package/dist/lib/activitypub/audience-service.d.ts.map +1 -1
  99. package/dist/lib/activitypub/audience-service.js +8 -12
  100. package/dist/lib/activitypub/audience-service.js.map +1 -1
  101. package/dist/lib/activitypub/crypto.d.ts +1 -1
  102. package/dist/lib/activitypub/crypto.d.ts.map +1 -1
  103. package/dist/lib/activitypub/crypto.js +3 -41
  104. package/dist/lib/activitypub/crypto.js.map +1 -1
  105. package/dist/lib/activitypub/delivery-service.d.ts +5 -5
  106. package/dist/lib/activitypub/delivery-service.d.ts.map +1 -1
  107. package/dist/lib/activitypub/delivery-service.js +10 -47
  108. package/dist/lib/activitypub/delivery-service.js.map +1 -1
  109. package/dist/lib/activitypub/dispatchers/entity-actor.d.ts +3 -2
  110. package/dist/lib/activitypub/dispatchers/entity-actor.d.ts.map +1 -1
  111. package/dist/lib/activitypub/dispatchers/entity-actor.js +19 -23
  112. package/dist/lib/activitypub/dispatchers/entity-actor.js.map +1 -1
  113. package/dist/lib/activitypub/dispatchers/group-actor.d.ts +3 -2
  114. package/dist/lib/activitypub/dispatchers/group-actor.d.ts.map +1 -1
  115. package/dist/lib/activitypub/dispatchers/group-actor.js +19 -23
  116. package/dist/lib/activitypub/dispatchers/group-actor.js.map +1 -1
  117. package/dist/lib/activitypub/dispatchers/user-actor.d.ts +3 -2
  118. package/dist/lib/activitypub/dispatchers/user-actor.d.ts.map +1 -1
  119. package/dist/lib/activitypub/dispatchers/user-actor.js +16 -20
  120. package/dist/lib/activitypub/dispatchers/user-actor.js.map +1 -1
  121. package/dist/lib/activitypub/dm-service.js +1 -5
  122. package/dist/lib/activitypub/dm-service.js.map +1 -1
  123. package/dist/lib/activitypub/entity-profile-service.d.ts +1 -1
  124. package/dist/lib/activitypub/entity-profile-service.d.ts.map +1 -1
  125. package/dist/lib/activitypub/entity-profile-service.js +6 -10
  126. package/dist/lib/activitypub/entity-profile-service.js.map +1 -1
  127. package/dist/lib/activitypub/fedify/config.d.ts +3 -3
  128. package/dist/lib/activitypub/fedify/config.d.ts.map +1 -1
  129. package/dist/lib/activitypub/fedify/config.js +5 -8
  130. package/dist/lib/activitypub/fedify/config.js.map +1 -1
  131. package/dist/lib/activitypub/fedify/context.d.ts +1 -1
  132. package/dist/lib/activitypub/fedify/context.d.ts.map +1 -1
  133. package/dist/lib/activitypub/fedify/context.js +8 -12
  134. package/dist/lib/activitypub/fedify/context.js.map +1 -1
  135. package/dist/lib/activitypub/fedify/runtime.d.ts +1 -1
  136. package/dist/lib/activitypub/fedify/runtime.d.ts.map +1 -1
  137. package/dist/lib/activitypub/fedify/runtime.js +3 -6
  138. package/dist/lib/activitypub/fedify/runtime.js.map +1 -1
  139. package/dist/lib/activitypub/friendship-service.js +1 -5
  140. package/dist/lib/activitypub/friendship-service.js.map +1 -1
  141. package/dist/lib/activitypub/group-service.d.ts +1 -1
  142. package/dist/lib/activitypub/group-service.d.ts.map +1 -1
  143. package/dist/lib/activitypub/group-service.js +9 -46
  144. package/dist/lib/activitypub/group-service.js.map +1 -1
  145. package/dist/lib/activitypub/http-signatures.js +8 -45
  146. package/dist/lib/activitypub/http-signatures.js.map +1 -1
  147. package/dist/lib/activitypub/jsonld.d.ts +1 -1
  148. package/dist/lib/activitypub/jsonld.d.ts.map +1 -1
  149. package/dist/lib/activitypub/jsonld.js +1 -5
  150. package/dist/lib/activitypub/jsonld.js.map +1 -1
  151. package/dist/lib/activitypub/listeners/friends-collection.d.ts +1 -1
  152. package/dist/lib/activitypub/listeners/friends-collection.d.ts.map +1 -1
  153. package/dist/lib/activitypub/listeners/friends-collection.js +17 -20
  154. package/dist/lib/activitypub/listeners/friends-collection.js.map +1 -1
  155. package/dist/lib/activitypub/listeners/http-signatures.d.ts +1 -1
  156. package/dist/lib/activitypub/listeners/http-signatures.d.ts.map +1 -1
  157. package/dist/lib/activitypub/listeners/http-signatures.js +9 -46
  158. package/dist/lib/activitypub/listeners/http-signatures.js.map +1 -1
  159. package/dist/lib/activitypub/listeners/inbox.d.ts +2 -2
  160. package/dist/lib/activitypub/listeners/inbox.d.ts.map +1 -1
  161. package/dist/lib/activitypub/listeners/inbox.js +31 -35
  162. package/dist/lib/activitypub/listeners/inbox.js.map +1 -1
  163. package/dist/lib/activitypub/listeners/outbox.d.ts +1 -1
  164. package/dist/lib/activitypub/listeners/outbox.d.ts.map +1 -1
  165. package/dist/lib/activitypub/listeners/outbox.js +17 -20
  166. package/dist/lib/activitypub/listeners/outbox.js.map +1 -1
  167. package/dist/lib/activitypub/remote-fetch-service.d.ts +6 -6
  168. package/dist/lib/activitypub/remote-fetch-service.d.ts.map +1 -1
  169. package/dist/lib/activitypub/remote-fetch-service.js +6 -10
  170. package/dist/lib/activitypub/remote-fetch-service.js.map +1 -1
  171. package/dist/lib/activitypub/services/abuse-prevention.d.ts +1 -1
  172. package/dist/lib/activitypub/services/abuse-prevention.d.ts.map +1 -1
  173. package/dist/lib/activitypub/services/abuse-prevention.js +11 -17
  174. package/dist/lib/activitypub/services/abuse-prevention.js.map +1 -1
  175. package/dist/lib/activitypub/services/dm-service-fedify.d.ts +4 -4
  176. package/dist/lib/activitypub/services/dm-service-fedify.d.ts.map +1 -1
  177. package/dist/lib/activitypub/services/dm-service-fedify.js +24 -59
  178. package/dist/lib/activitypub/services/dm-service-fedify.js.map +1 -1
  179. package/dist/lib/activitypub/services/fedify-converters.d.ts +2 -2
  180. package/dist/lib/activitypub/services/fedify-converters.d.ts.map +1 -1
  181. package/dist/lib/activitypub/services/fedify-converters.js +3 -8
  182. package/dist/lib/activitypub/services/fedify-converters.js.map +1 -1
  183. package/dist/lib/activitypub/services/fedify-delivery.d.ts +2 -2
  184. package/dist/lib/activitypub/services/fedify-delivery.d.ts.map +1 -1
  185. package/dist/lib/activitypub/services/fedify-delivery.js +19 -56
  186. package/dist/lib/activitypub/services/fedify-delivery.js.map +1 -1
  187. package/dist/lib/activitypub/services/follow-activity-service.d.ts +2 -2
  188. package/dist/lib/activitypub/services/follow-activity-service.d.ts.map +1 -1
  189. package/dist/lib/activitypub/services/follow-activity-service.js +8 -12
  190. package/dist/lib/activitypub/services/follow-activity-service.js.map +1 -1
  191. package/dist/lib/activitypub/services/post-service-fedify.d.ts +2 -2
  192. package/dist/lib/activitypub/services/post-service-fedify.d.ts.map +1 -1
  193. package/dist/lib/activitypub/services/post-service-fedify.js +33 -65
  194. package/dist/lib/activitypub/services/post-service-fedify.js.map +1 -1
  195. package/dist/lib/activitypub/services/remote-activity-handler.d.ts +2 -2
  196. package/dist/lib/activitypub/services/remote-activity-handler.d.ts.map +1 -1
  197. package/dist/lib/activitypub/services/remote-activity-handler.js +25 -28
  198. package/dist/lib/activitypub/services/remote-activity-handler.js.map +1 -1
  199. package/dist/lib/activitypub/standalone-mode.d.ts +1 -1
  200. package/dist/lib/activitypub/standalone-mode.d.ts.map +1 -1
  201. package/dist/lib/activitypub/standalone-mode.js +13 -50
  202. package/dist/lib/activitypub/standalone-mode.js.map +1 -1
  203. package/dist/lib/activitypub/webfinger/server.d.ts +1 -1
  204. package/dist/lib/activitypub/webfinger/server.d.ts.map +1 -1
  205. package/dist/lib/activitypub/webfinger/server.js +18 -54
  206. package/dist/lib/activitypub/webfinger/server.js.map +1 -1
  207. package/dist/lib/age-gate-middleware.d.ts +4 -4
  208. package/dist/lib/age-gate-middleware.d.ts.map +1 -1
  209. package/dist/lib/age-gate-middleware.js +3 -6
  210. package/dist/lib/age-gate-middleware.js.map +1 -1
  211. package/dist/lib/age-gate.js +3 -8
  212. package/dist/lib/age-gate.js.map +1 -1
  213. package/dist/lib/age-tier-transition.d.ts +1 -1
  214. package/dist/lib/age-tier-transition.d.ts.map +1 -1
  215. package/dist/lib/age-tier-transition.js +7 -44
  216. package/dist/lib/age-tier-transition.js.map +1 -1
  217. package/dist/lib/app.d.ts +76 -0
  218. package/dist/lib/app.d.ts.map +1 -0
  219. package/dist/lib/app.js +400 -0
  220. package/dist/lib/app.js.map +1 -0
  221. package/dist/lib/audit/csv-export.js +6 -13
  222. package/dist/lib/audit/csv-export.js.map +1 -1
  223. package/dist/lib/audit/pii-filter.d.ts +9 -0
  224. package/dist/lib/audit/pii-filter.d.ts.map +1 -1
  225. package/dist/lib/audit/pii-filter.js +57 -7
  226. package/dist/lib/audit/pii-filter.js.map +1 -1
  227. package/dist/lib/audit-actions.d.ts +94 -0
  228. package/dist/lib/audit-actions.d.ts.map +1 -0
  229. package/dist/lib/audit-actions.js +107 -0
  230. package/dist/lib/audit-actions.js.map +1 -0
  231. package/dist/lib/audit-composer.d.ts +174 -0
  232. package/dist/lib/audit-composer.d.ts.map +1 -0
  233. package/dist/lib/audit-composer.js +421 -0
  234. package/dist/lib/audit-composer.js.map +1 -0
  235. package/dist/lib/auth/auth-context.d.ts +1 -1
  236. package/dist/lib/auth/auth-context.js +1 -2
  237. package/dist/lib/auth/auth-context.js.map +1 -1
  238. package/dist/lib/auth/auth-middleware.d.ts +16 -2
  239. package/dist/lib/auth/auth-middleware.d.ts.map +1 -1
  240. package/dist/lib/auth/auth-middleware.js +36 -45
  241. package/dist/lib/auth/auth-middleware.js.map +1 -1
  242. package/dist/lib/auth/capabilities.js +2 -5
  243. package/dist/lib/auth/capabilities.js.map +1 -1
  244. package/dist/lib/auth/claims-cache.d.ts +2 -2
  245. package/dist/lib/auth/claims-cache.js +19 -24
  246. package/dist/lib/auth/claims-cache.js.map +1 -1
  247. package/dist/lib/auth/cognito-jwt.d.ts +20 -2
  248. package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
  249. package/dist/lib/auth/cognito-jwt.js +83 -23
  250. package/dist/lib/auth/cognito-jwt.js.map +1 -1
  251. package/dist/lib/auth/idp-redirect-builder.d.ts +1 -1
  252. package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -1
  253. package/dist/lib/auth/idp-redirect-builder.js +4 -10
  254. package/dist/lib/auth/idp-redirect-builder.js.map +1 -1
  255. package/dist/lib/auth/require.d.ts +4 -4
  256. package/dist/lib/auth/require.d.ts.map +1 -1
  257. package/dist/lib/auth/require.js +11 -18
  258. package/dist/lib/auth/require.js.map +1 -1
  259. package/dist/lib/auth/role-grants.d.ts +1 -1
  260. package/dist/lib/auth/role-grants.d.ts.map +1 -1
  261. package/dist/lib/auth/role-grants.js +28 -31
  262. package/dist/lib/auth/role-grants.js.map +1 -1
  263. package/dist/lib/auth-context-manager.js +1 -5
  264. package/dist/lib/auth-context-manager.js.map +1 -1
  265. package/dist/lib/auth-handler.d.ts +5 -5
  266. package/dist/lib/auth-handler.d.ts.map +1 -1
  267. package/dist/lib/auth-handler.js +5 -9
  268. package/dist/lib/auth-handler.js.map +1 -1
  269. package/dist/lib/badge-handler.d.ts +1 -1
  270. package/dist/lib/badge-handler.d.ts.map +1 -1
  271. package/dist/lib/badge-handler.js +14 -52
  272. package/dist/lib/badge-handler.js.map +1 -1
  273. package/dist/lib/circle-handler.d.ts +10 -10
  274. package/dist/lib/circle-handler.d.ts.map +1 -1
  275. package/dist/lib/circle-handler.js +10 -47
  276. package/dist/lib/circle-handler.js.map +1 -1
  277. package/dist/lib/cognito/idp-sdk.js +11 -18
  278. package/dist/lib/cognito/idp-sdk.js.map +1 -1
  279. package/dist/lib/cognito/issuer-probe.js +9 -14
  280. package/dist/lib/cognito/issuer-probe.js.map +1 -1
  281. package/dist/lib/comment-handler.d.ts +10 -10
  282. package/dist/lib/comment-handler.d.ts.map +1 -1
  283. package/dist/lib/comment-handler.js +61 -97
  284. package/dist/lib/comment-handler.js.map +1 -1
  285. package/dist/lib/compliance/baseline.d.ts +2 -2
  286. package/dist/lib/compliance/baseline.d.ts.map +1 -1
  287. package/dist/lib/compliance/baseline.js +15 -18
  288. package/dist/lib/compliance/baseline.js.map +1 -1
  289. package/dist/lib/compliance/tenant-merge.d.ts +1 -1
  290. package/dist/lib/compliance/tenant-merge.d.ts.map +1 -1
  291. package/dist/lib/compliance/tenant-merge.js +1 -4
  292. package/dist/lib/compliance/tenant-merge.js.map +1 -1
  293. package/dist/lib/compliance/types.d.ts +1 -1
  294. package/dist/lib/compliance/types.js +2 -3
  295. package/dist/lib/compliance/types.js.map +1 -1
  296. package/dist/lib/connection-code-handler.d.ts +7 -7
  297. package/dist/lib/connection-code-handler.d.ts.map +1 -1
  298. package/dist/lib/connection-code-handler.js +13 -50
  299. package/dist/lib/connection-code-handler.js.map +1 -1
  300. package/dist/lib/content-discovery.d.ts +1 -1
  301. package/dist/lib/content-discovery.d.ts.map +1 -1
  302. package/dist/lib/content-discovery.js +15 -52
  303. package/dist/lib/content-discovery.js.map +1 -1
  304. package/dist/lib/context-aware-data-access.d.ts +1 -1
  305. package/dist/lib/context-aware-data-access.d.ts.map +1 -1
  306. package/dist/lib/context-aware-data-access.js +1 -5
  307. package/dist/lib/context-aware-data-access.js.map +1 -1
  308. package/dist/lib/cors-handler.d.ts +1 -1
  309. package/dist/lib/cors-handler.d.ts.map +1 -1
  310. package/dist/lib/cors-handler.js +13 -17
  311. package/dist/lib/cors-handler.js.map +1 -1
  312. package/dist/lib/cost-accumulator.d.ts.map +1 -1
  313. package/dist/lib/cost-accumulator.js +7 -11
  314. package/dist/lib/cost-accumulator.js.map +1 -1
  315. package/dist/lib/crypto/voting/elgamal-encryption.js +1 -5
  316. package/dist/lib/crypto/voting/elgamal-encryption.js.map +1 -1
  317. package/dist/lib/crypto/voting/encryption-scheme.js +1 -2
  318. package/dist/lib/crypto/voting/encryption-scheme.js.map +1 -1
  319. package/dist/lib/crypto/voting/hash-utils.js +6 -12
  320. package/dist/lib/crypto/voting/hash-utils.js.map +1 -1
  321. package/dist/lib/crypto/voting/hybrid-encryption.js +5 -9
  322. package/dist/lib/crypto/voting/hybrid-encryption.js.map +1 -1
  323. package/dist/lib/crypto/voting/index.js +4 -14
  324. package/dist/lib/crypto/voting/index.js.map +1 -1
  325. package/dist/lib/crypto/voting/post-quantum-encryption.js +1 -5
  326. package/dist/lib/crypto/voting/post-quantum-encryption.js.map +1 -1
  327. package/dist/lib/csrf.d.ts +2 -2
  328. package/dist/lib/csrf.d.ts.map +1 -1
  329. package/dist/lib/csrf.js +1 -5
  330. package/dist/lib/csrf.js.map +1 -1
  331. package/dist/lib/data-router.d.ts +5 -4
  332. package/dist/lib/data-router.d.ts.map +1 -1
  333. package/dist/lib/data-router.js +67 -90
  334. package/dist/lib/data-router.js.map +1 -1
  335. package/dist/lib/database-circuit-breaker.d.ts +61 -34
  336. package/dist/lib/database-circuit-breaker.d.ts.map +1 -1
  337. package/dist/lib/database-circuit-breaker.js +102 -109
  338. package/dist/lib/database-circuit-breaker.js.map +1 -1
  339. package/dist/lib/database-config.js +1 -4
  340. package/dist/lib/database-config.js.map +1 -1
  341. package/dist/lib/database-connection-manager.d.ts +42 -2
  342. package/dist/lib/database-connection-manager.d.ts.map +1 -1
  343. package/dist/lib/database-connection-manager.js +178 -74
  344. package/dist/lib/database-connection-manager.js.map +1 -1
  345. package/dist/lib/database-monitor.d.ts +1 -1
  346. package/dist/lib/database-monitor.d.ts.map +1 -1
  347. package/dist/lib/database-monitor.js +5 -9
  348. package/dist/lib/database-monitor.js.map +1 -1
  349. package/dist/lib/database-rate-limiter.d.ts +1 -1
  350. package/dist/lib/database-rate-limiter.d.ts.map +1 -1
  351. package/dist/lib/database-rate-limiter.js +3 -7
  352. package/dist/lib/database-rate-limiter.js.map +1 -1
  353. package/dist/lib/database-wrapper-helper.d.ts +2 -2
  354. package/dist/lib/database-wrapper-helper.d.ts.map +1 -1
  355. package/dist/lib/database-wrapper-helper.js +7 -11
  356. package/dist/lib/database-wrapper-helper.js.map +1 -1
  357. package/dist/lib/database-wrapper.d.ts +1 -1
  358. package/dist/lib/database-wrapper.d.ts.map +1 -1
  359. package/dist/lib/database-wrapper.js +5 -9
  360. package/dist/lib/database-wrapper.js.map +1 -1
  361. package/dist/lib/db-query-helper.d.ts +3 -3
  362. package/dist/lib/db-query-helper.d.ts.map +1 -1
  363. package/dist/lib/db-query-helper.js +4 -9
  364. package/dist/lib/db-query-helper.js.map +1 -1
  365. package/dist/lib/discovery-exposure.d.ts +42 -0
  366. package/dist/lib/discovery-exposure.d.ts.map +1 -0
  367. package/dist/lib/discovery-exposure.js +89 -0
  368. package/dist/lib/discovery-exposure.js.map +1 -0
  369. package/dist/lib/discovery-handler.d.ts +6 -6
  370. package/dist/lib/discovery-handler.d.ts.map +1 -1
  371. package/dist/lib/discovery-handler.js +10 -43
  372. package/dist/lib/discovery-handler.js.map +1 -1
  373. package/dist/lib/domain-reputation-service.d.ts +1 -1
  374. package/dist/lib/domain-reputation-service.d.ts.map +1 -1
  375. package/dist/lib/domain-reputation-service.js +12 -15
  376. package/dist/lib/domain-reputation-service.js.map +1 -1
  377. package/dist/lib/email-privacy.js +4 -8
  378. package/dist/lib/email-privacy.js.map +1 -1
  379. package/dist/lib/email-provider.d.ts +2 -2
  380. package/dist/lib/email-provider.d.ts.map +1 -1
  381. package/dist/lib/email-provider.js +8 -16
  382. package/dist/lib/email-provider.js.map +1 -1
  383. package/dist/lib/entity-handler.d.ts +5 -6
  384. package/dist/lib/entity-handler.d.ts.map +1 -1
  385. package/dist/lib/entity-handler.js +52 -81
  386. package/dist/lib/entity-handler.js.map +1 -1
  387. package/dist/lib/entity-relationship-handler.d.ts +9 -9
  388. package/dist/lib/entity-relationship-handler.d.ts.map +1 -1
  389. package/dist/lib/entity-relationship-handler.js +14 -51
  390. package/dist/lib/entity-relationship-handler.js.map +1 -1
  391. package/dist/lib/entity-tagging-errors.js +4 -11
  392. package/dist/lib/entity-tagging-errors.js.map +1 -1
  393. package/dist/lib/entity-tagging-validator.d.ts +3 -3
  394. package/dist/lib/entity-tagging-validator.d.ts.map +1 -1
  395. package/dist/lib/entity-tagging-validator.js +6 -11
  396. package/dist/lib/entity-tagging-validator.js.map +1 -1
  397. package/dist/lib/exif-stripper.js +1 -4
  398. package/dist/lib/exif-stripper.js.map +1 -1
  399. package/dist/lib/extension-context.d.ts +2 -2
  400. package/dist/lib/extension-context.d.ts.map +1 -1
  401. package/dist/lib/extension-context.js +1 -4
  402. package/dist/lib/extension-context.js.map +1 -1
  403. package/dist/lib/extension-route-wrapper.d.ts +1 -1
  404. package/dist/lib/extension-route-wrapper.d.ts.map +1 -1
  405. package/dist/lib/extension-route-wrapper.js +17 -55
  406. package/dist/lib/extension-route-wrapper.js.map +1 -1
  407. package/dist/lib/extension-validator.js +3 -6
  408. package/dist/lib/extension-validator.js.map +1 -1
  409. package/dist/lib/feature-flags.d.ts +5 -2
  410. package/dist/lib/feature-flags.d.ts.map +1 -1
  411. package/dist/lib/feature-flags.js +15 -48
  412. package/dist/lib/feature-flags.js.map +1 -1
  413. package/dist/lib/feature-toggle-global-client.d.ts +6 -0
  414. package/dist/lib/feature-toggle-global-client.d.ts.map +1 -0
  415. package/dist/lib/feature-toggle-global-client.js +73 -0
  416. package/dist/lib/feature-toggle-global-client.js.map +1 -0
  417. package/dist/lib/feature-toggle-service.d.ts +137 -27
  418. package/dist/lib/feature-toggle-service.d.ts.map +1 -1
  419. package/dist/lib/feature-toggle-service.js +302 -119
  420. package/dist/lib/feature-toggle-service.js.map +1 -1
  421. package/dist/lib/feed-handler.d.ts +8 -8
  422. package/dist/lib/feed-handler.d.ts.map +1 -1
  423. package/dist/lib/feed-handler.js +33 -62
  424. package/dist/lib/feed-handler.js.map +1 -1
  425. package/dist/lib/feed-pagination.d.ts +26 -0
  426. package/dist/lib/feed-pagination.d.ts.map +1 -1
  427. package/dist/lib/feed-pagination.js +31 -11
  428. package/dist/lib/feed-pagination.js.map +1 -1
  429. package/dist/lib/feed-personalization.d.ts +1 -1
  430. package/dist/lib/feed-personalization.d.ts.map +1 -1
  431. package/dist/lib/feed-personalization.js +6 -43
  432. package/dist/lib/feed-personalization.js.map +1 -1
  433. package/dist/lib/followers-events.js +8 -13
  434. package/dist/lib/followers-events.js.map +1 -1
  435. package/dist/lib/friends-handler.d.ts +2 -2
  436. package/dist/lib/friends-handler.d.ts.map +1 -1
  437. package/dist/lib/friends-handler.js +9 -46
  438. package/dist/lib/friends-handler.js.map +1 -1
  439. package/dist/lib/geo/entity-geo-repository.d.ts +67 -0
  440. package/dist/lib/geo/entity-geo-repository.d.ts.map +1 -0
  441. package/dist/lib/geo/entity-geo-repository.js +91 -0
  442. package/dist/lib/geo/entity-geo-repository.js.map +1 -0
  443. package/dist/lib/graph/errors.d.ts.map +1 -1
  444. package/dist/lib/graph/errors.js +13 -18
  445. package/dist/lib/graph/errors.js.map +1 -1
  446. package/dist/lib/graph/graph-factory.d.ts +12 -53
  447. package/dist/lib/graph/graph-factory.d.ts.map +1 -1
  448. package/dist/lib/graph/graph-factory.js +67 -162
  449. package/dist/lib/graph/graph-factory.js.map +1 -1
  450. package/dist/lib/graph/graph-service.d.ts +1 -1
  451. package/dist/lib/graph/graph-service.d.ts.map +1 -1
  452. package/dist/lib/graph/graph-service.js +1 -2
  453. package/dist/lib/graph/graph-service.js.map +1 -1
  454. package/dist/lib/graph/index.d.ts +10 -14
  455. package/dist/lib/graph/index.d.ts.map +1 -1
  456. package/dist/lib/graph/index.js +12 -46
  457. package/dist/lib/graph/index.js.map +1 -1
  458. package/dist/lib/graph/postgres/_shared.d.ts +18 -0
  459. package/dist/lib/graph/postgres/_shared.d.ts.map +1 -0
  460. package/dist/lib/graph/postgres/_shared.js +24 -0
  461. package/dist/lib/graph/postgres/_shared.js.map +1 -0
  462. package/dist/lib/graph/postgres/circles.d.ts +66 -0
  463. package/dist/lib/graph/postgres/circles.d.ts.map +1 -0
  464. package/dist/lib/graph/postgres/circles.js +513 -0
  465. package/dist/lib/graph/postgres/circles.js.map +1 -0
  466. package/dist/lib/graph/postgres/discovery.d.ts +165 -0
  467. package/dist/lib/graph/postgres/discovery.d.ts.map +1 -0
  468. package/dist/lib/graph/postgres/discovery.js +579 -0
  469. package/dist/lib/graph/postgres/discovery.js.map +1 -0
  470. package/dist/lib/graph/postgres/entity-relationships.d.ts +53 -0
  471. package/dist/lib/graph/postgres/entity-relationships.d.ts.map +1 -0
  472. package/dist/lib/graph/postgres/entity-relationships.js +304 -0
  473. package/dist/lib/graph/postgres/entity-relationships.js.map +1 -0
  474. package/dist/lib/graph/postgres/interaction-events.d.ts +106 -0
  475. package/dist/lib/graph/postgres/interaction-events.d.ts.map +1 -0
  476. package/dist/lib/graph/postgres/interaction-events.js +162 -0
  477. package/dist/lib/graph/postgres/interaction-events.js.map +1 -0
  478. package/dist/lib/graph/postgres/postgres-graph-service.d.ts +74 -0
  479. package/dist/lib/graph/postgres/postgres-graph-service.d.ts.map +1 -0
  480. package/dist/lib/graph/postgres/postgres-graph-service.js +167 -0
  481. package/dist/lib/graph/postgres/postgres-graph-service.js.map +1 -0
  482. package/dist/lib/graph/postgres/relationships.d.ts +58 -0
  483. package/dist/lib/graph/postgres/relationships.d.ts.map +1 -0
  484. package/dist/lib/graph/postgres/relationships.js +314 -0
  485. package/dist/lib/graph/postgres/relationships.js.map +1 -0
  486. package/dist/lib/graph/postgres/scoring.d.ts +74 -0
  487. package/dist/lib/graph/postgres/scoring.d.ts.map +1 -0
  488. package/dist/lib/graph/postgres/scoring.js +297 -0
  489. package/dist/lib/graph/postgres/scoring.js.map +1 -0
  490. package/dist/lib/graph/postgres/sync.d.ts +149 -0
  491. package/dist/lib/graph/postgres/sync.d.ts.map +1 -0
  492. package/dist/lib/graph/postgres/sync.js +269 -0
  493. package/dist/lib/graph/postgres/sync.js.map +1 -0
  494. package/dist/lib/graph/scoring-engine.d.ts +7 -1
  495. package/dist/lib/graph/scoring-engine.d.ts.map +1 -1
  496. package/dist/lib/graph/scoring-engine.js +29 -35
  497. package/dist/lib/graph/scoring-engine.js.map +1 -1
  498. package/dist/lib/graph/types.d.ts +18 -1
  499. package/dist/lib/graph/types.d.ts.map +1 -1
  500. package/dist/lib/graph/types.js +1 -2
  501. package/dist/lib/graph/types.js.map +1 -1
  502. package/dist/lib/hook-dispatcher.d.ts +1 -1
  503. package/dist/lib/hook-dispatcher.d.ts.map +1 -1
  504. package/dist/lib/hook-dispatcher.js +8 -12
  505. package/dist/lib/hook-dispatcher.js.map +1 -1
  506. package/dist/lib/input-sanitizer.js +1 -5
  507. package/dist/lib/input-sanitizer.js.map +1 -1
  508. package/dist/lib/internal-docs-handler.d.ts +2 -2
  509. package/dist/lib/internal-docs-handler.d.ts.map +1 -1
  510. package/dist/lib/internal-docs-handler.js +20 -28
  511. package/dist/lib/internal-docs-handler.js.map +1 -1
  512. package/dist/lib/internal-docs-navigation.js +2 -6
  513. package/dist/lib/internal-docs-navigation.js.map +1 -1
  514. package/dist/lib/invitation-handler.d.ts +2 -2
  515. package/dist/lib/invitation-handler.d.ts.map +1 -1
  516. package/dist/lib/invitation-handler.js +41 -82
  517. package/dist/lib/invitation-handler.js.map +1 -1
  518. package/dist/lib/ip-scrubber.js +3 -8
  519. package/dist/lib/ip-scrubber.js.map +1 -1
  520. package/dist/lib/link-security-handler.d.ts +3 -2
  521. package/dist/lib/link-security-handler.d.ts.map +1 -1
  522. package/dist/lib/link-security-handler.js +8 -44
  523. package/dist/lib/link-security-handler.js.map +1 -1
  524. package/dist/lib/logger.d.ts +31 -82
  525. package/dist/lib/logger.d.ts.map +1 -1
  526. package/dist/lib/logger.js +43 -185
  527. package/dist/lib/logger.js.map +1 -1
  528. package/dist/lib/media-cleanup-handler.d.ts +2 -2
  529. package/dist/lib/media-cleanup-handler.d.ts.map +1 -1
  530. package/dist/lib/media-cleanup-handler.js +7 -11
  531. package/dist/lib/media-cleanup-handler.js.map +1 -1
  532. package/dist/lib/media-handler.d.ts +1 -1
  533. package/dist/lib/media-handler.d.ts.map +1 -1
  534. package/dist/lib/media-handler.js +36 -73
  535. package/dist/lib/media-handler.js.map +1 -1
  536. package/dist/lib/media-metadata-extractor.d.ts +1 -1
  537. package/dist/lib/media-metadata-extractor.d.ts.map +1 -1
  538. package/dist/lib/media-metadata-extractor.js +3 -7
  539. package/dist/lib/media-metadata-extractor.js.map +1 -1
  540. package/dist/lib/media-metrics.d.ts +2 -2
  541. package/dist/lib/media-metrics.d.ts.map +1 -1
  542. package/dist/lib/media-metrics.js +3 -7
  543. package/dist/lib/media-metrics.js.map +1 -1
  544. package/dist/lib/metadata/index.d.ts +5 -5
  545. package/dist/lib/metadata/index.d.ts.map +1 -1
  546. package/dist/lib/metadata/index.js +5 -21
  547. package/dist/lib/metadata/index.js.map +1 -1
  548. package/dist/lib/metadata/metadata-config.js +2 -5
  549. package/dist/lib/metadata/metadata-config.js.map +1 -1
  550. package/dist/lib/metadata/metadata-errors.js +2 -7
  551. package/dist/lib/metadata/metadata-errors.js.map +1 -1
  552. package/dist/lib/metadata/metadata-extractor.d.ts +1 -1
  553. package/dist/lib/metadata/metadata-extractor.d.ts.map +1 -1
  554. package/dist/lib/metadata/metadata-extractor.js +42 -82
  555. package/dist/lib/metadata/metadata-extractor.js.map +1 -1
  556. package/dist/lib/metadata/metadata-sanitizer.js +17 -24
  557. package/dist/lib/metadata/metadata-sanitizer.js.map +1 -1
  558. package/dist/lib/metadata/metadata-schemas.d.ts +16 -100
  559. package/dist/lib/metadata/metadata-schemas.d.ts.map +1 -1
  560. package/dist/lib/metadata/metadata-schemas.js +31 -34
  561. package/dist/lib/metadata/metadata-schemas.js.map +1 -1
  562. package/dist/lib/mfa/mfa-handler.d.ts +1 -1
  563. package/dist/lib/mfa/mfa-handler.d.ts.map +1 -1
  564. package/dist/lib/mfa/mfa-handler.js +13 -17
  565. package/dist/lib/mfa/mfa-handler.js.map +1 -1
  566. package/dist/lib/mfa/totp-service.js +8 -18
  567. package/dist/lib/mfa/totp-service.js.map +1 -1
  568. package/dist/lib/middleware/comment-rate-limit.d.ts +1 -1
  569. package/dist/lib/middleware/comment-rate-limit.d.ts.map +1 -1
  570. package/dist/lib/middleware/comment-rate-limit.js +7 -10
  571. package/dist/lib/middleware/comment-rate-limit.js.map +1 -1
  572. package/dist/lib/middleware/feature-toggle-rate-limit.d.ts +1 -1
  573. package/dist/lib/middleware/feature-toggle-rate-limit.d.ts.map +1 -1
  574. package/dist/lib/middleware/feature-toggle-rate-limit.js +8 -13
  575. package/dist/lib/middleware/feature-toggle-rate-limit.js.map +1 -1
  576. package/dist/lib/middleware/idempotency-store.js +20 -26
  577. package/dist/lib/middleware/idempotency-store.js.map +1 -1
  578. package/dist/lib/middleware/idempotency.d.ts +2 -2
  579. package/dist/lib/middleware/idempotency.d.ts.map +1 -1
  580. package/dist/lib/middleware/idempotency.js +12 -50
  581. package/dist/lib/middleware/idempotency.js.map +1 -1
  582. package/dist/lib/middleware.d.ts +22 -9
  583. package/dist/lib/middleware.d.ts.map +1 -1
  584. package/dist/lib/middleware.js +72 -153
  585. package/dist/lib/middleware.js.map +1 -1
  586. package/dist/lib/moderation-handler.d.ts +1 -1
  587. package/dist/lib/moderation-handler.d.ts.map +1 -1
  588. package/dist/lib/moderation-handler.js +15 -54
  589. package/dist/lib/moderation-handler.js.map +1 -1
  590. package/dist/lib/net/trusted-client-ip.d.ts +8 -30
  591. package/dist/lib/net/trusted-client-ip.d.ts.map +1 -1
  592. package/dist/lib/net/trusted-client-ip.js +13 -94
  593. package/dist/lib/net/trusted-client-ip.js.map +1 -1
  594. package/dist/lib/notification-handler.d.ts +1 -1
  595. package/dist/lib/notification-handler.d.ts.map +1 -1
  596. package/dist/lib/notification-handler.js +10 -15
  597. package/dist/lib/notification-handler.js.map +1 -1
  598. package/dist/lib/notification-preferences-handler.d.ts +1 -1
  599. package/dist/lib/notification-preferences-handler.d.ts.map +1 -1
  600. package/dist/lib/notification-preferences-handler.js +7 -11
  601. package/dist/lib/notification-preferences-handler.js.map +1 -1
  602. package/dist/lib/oauth/cognito-issuer.d.ts +1 -1
  603. package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -1
  604. package/dist/lib/oauth/cognito-issuer.js +5 -10
  605. package/dist/lib/oauth/cognito-issuer.js.map +1 -1
  606. package/dist/lib/oauth/device-authorization.d.ts +1 -1
  607. package/dist/lib/oauth/device-authorization.d.ts.map +1 -1
  608. package/dist/lib/oauth/device-authorization.js +62 -77
  609. package/dist/lib/oauth/device-authorization.js.map +1 -1
  610. package/dist/lib/oauth/envelope-crypto.d.ts +2 -2
  611. package/dist/lib/oauth/envelope-crypto.js +22 -34
  612. package/dist/lib/oauth/envelope-crypto.js.map +1 -1
  613. package/dist/lib/oauth/refresh-detection.js +42 -52
  614. package/dist/lib/oauth/refresh-detection.js.map +1 -1
  615. package/dist/lib/openai-budget.d.ts.map +1 -1
  616. package/dist/lib/openai-budget.js +7 -44
  617. package/dist/lib/openai-budget.js.map +1 -1
  618. package/dist/lib/openapi/generator.d.ts +1 -1
  619. package/dist/lib/openapi/generator.d.ts.map +1 -1
  620. package/dist/lib/openapi/generator.js +2 -6
  621. package/dist/lib/openapi/generator.js.map +1 -1
  622. package/dist/lib/orphaned-media-handler.d.ts +1 -1
  623. package/dist/lib/orphaned-media-handler.d.ts.map +1 -1
  624. package/dist/lib/orphaned-media-handler.js +9 -46
  625. package/dist/lib/orphaned-media-handler.js.map +1 -1
  626. package/dist/lib/parental-control-handler.d.ts +2 -2
  627. package/dist/lib/parental-control-handler.d.ts.map +1 -1
  628. package/dist/lib/parental-control-handler.js +18 -55
  629. package/dist/lib/parental-control-handler.js.map +1 -1
  630. package/dist/lib/parental-link-handler.d.ts +8 -8
  631. package/dist/lib/parental-link-handler.d.ts.map +1 -1
  632. package/dist/lib/parental-link-handler.js +10 -14
  633. package/dist/lib/parental-link-handler.js.map +1 -1
  634. package/dist/lib/performance-metrics.d.ts +1 -1
  635. package/dist/lib/performance-metrics.d.ts.map +1 -1
  636. package/dist/lib/performance-metrics.js +3 -6
  637. package/dist/lib/performance-metrics.js.map +1 -1
  638. package/dist/lib/post-handler.d.ts +9 -9
  639. package/dist/lib/post-handler.d.ts.map +1 -1
  640. package/dist/lib/post-handler.js +67 -101
  641. package/dist/lib/post-handler.js.map +1 -1
  642. package/dist/lib/privacy-defaults.js +3 -8
  643. package/dist/lib/privacy-defaults.js.map +1 -1
  644. package/dist/lib/privacy-handler.d.ts +2 -2
  645. package/dist/lib/privacy-handler.d.ts.map +1 -1
  646. package/dist/lib/privacy-handler.js +6 -10
  647. package/dist/lib/privacy-handler.js.map +1 -1
  648. package/dist/lib/pseudonym.d.ts +56 -0
  649. package/dist/lib/pseudonym.d.ts.map +1 -0
  650. package/dist/lib/pseudonym.js +85 -0
  651. package/dist/lib/pseudonym.js.map +1 -0
  652. package/dist/lib/queue-consumers/media-reconciliation-consumer.d.ts +2 -2
  653. package/dist/lib/queue-consumers/media-reconciliation-consumer.d.ts.map +1 -1
  654. package/dist/lib/queue-consumers/media-reconciliation-consumer.js +5 -8
  655. package/dist/lib/queue-consumers/media-reconciliation-consumer.js.map +1 -1
  656. package/dist/lib/quiet-hours.js +2 -6
  657. package/dist/lib/quiet-hours.js.map +1 -1
  658. package/dist/lib/rate-limit.d.ts +58 -47
  659. package/dist/lib/rate-limit.d.ts.map +1 -1
  660. package/dist/lib/rate-limit.js +168 -157
  661. package/dist/lib/rate-limit.js.map +1 -1
  662. package/dist/lib/reaction-handler.d.ts +10 -10
  663. package/dist/lib/reaction-handler.d.ts.map +1 -1
  664. package/dist/lib/reaction-handler.js +44 -80
  665. package/dist/lib/reaction-handler.js.map +1 -1
  666. package/dist/lib/recaptcha.js +6 -9
  667. package/dist/lib/recaptcha.js.map +1 -1
  668. package/dist/lib/redirect-resolver.d.ts +2 -2
  669. package/dist/lib/redirect-resolver.d.ts.map +1 -1
  670. package/dist/lib/redirect-resolver.js +5 -9
  671. package/dist/lib/redirect-resolver.js.map +1 -1
  672. package/dist/lib/region-config.d.ts +3 -3
  673. package/dist/lib/region-config.d.ts.map +1 -1
  674. package/dist/lib/region-config.js +15 -58
  675. package/dist/lib/region-config.js.map +1 -1
  676. package/dist/lib/region-detection.d.ts +55 -24
  677. package/dist/lib/region-detection.d.ts.map +1 -1
  678. package/dist/lib/region-detection.js +140 -199
  679. package/dist/lib/region-detection.js.map +1 -1
  680. package/dist/lib/region-registry.d.ts +49 -0
  681. package/dist/lib/region-registry.d.ts.map +1 -0
  682. package/dist/lib/region-registry.js +112 -0
  683. package/dist/lib/region-registry.js.map +1 -0
  684. package/dist/lib/relationship-handler.d.ts +9 -9
  685. package/dist/lib/relationship-handler.d.ts.map +1 -1
  686. package/dist/lib/relationship-handler.js +12 -49
  687. package/dist/lib/relationship-handler.js.map +1 -1
  688. package/dist/lib/request-context.d.ts +16 -16
  689. package/dist/lib/request-context.d.ts.map +1 -1
  690. package/dist/lib/request-context.js +14 -22
  691. package/dist/lib/request-context.js.map +1 -1
  692. package/dist/lib/route-helpers.d.ts +3 -4
  693. package/dist/lib/route-helpers.d.ts.map +1 -1
  694. package/dist/lib/route-helpers.js +20 -75
  695. package/dist/lib/route-helpers.js.map +1 -1
  696. package/dist/lib/routes/activitypub/actor.d.ts +1 -1
  697. package/dist/lib/routes/activitypub/actor.d.ts.map +1 -1
  698. package/dist/lib/routes/activitypub/actor.js +20 -23
  699. package/dist/lib/routes/activitypub/actor.js.map +1 -1
  700. package/dist/lib/routes/activitypub/audiences.d.ts +1 -1
  701. package/dist/lib/routes/activitypub/audiences.d.ts.map +1 -1
  702. package/dist/lib/routes/activitypub/audiences.js +76 -80
  703. package/dist/lib/routes/activitypub/audiences.js.map +1 -1
  704. package/dist/lib/routes/activitypub/collections.d.ts +1 -1
  705. package/dist/lib/routes/activitypub/collections.d.ts.map +1 -1
  706. package/dist/lib/routes/activitypub/collections.js +24 -26
  707. package/dist/lib/routes/activitypub/collections.js.map +1 -1
  708. package/dist/lib/routes/activitypub/entity-profile.d.ts +1 -1
  709. package/dist/lib/routes/activitypub/entity-profile.d.ts.map +1 -1
  710. package/dist/lib/routes/activitypub/entity-profile.js +36 -39
  711. package/dist/lib/routes/activitypub/entity-profile.js.map +1 -1
  712. package/dist/lib/routes/activitypub/friends.d.ts +1 -1
  713. package/dist/lib/routes/activitypub/friends.d.ts.map +1 -1
  714. package/dist/lib/routes/activitypub/friends.js +9 -12
  715. package/dist/lib/routes/activitypub/friends.js.map +1 -1
  716. package/dist/lib/routes/activitypub/group.d.ts +1 -1
  717. package/dist/lib/routes/activitypub/group.d.ts.map +1 -1
  718. package/dist/lib/routes/activitypub/group.js +91 -94
  719. package/dist/lib/routes/activitypub/group.js.map +1 -1
  720. package/dist/lib/routes/activitypub/inbox.d.ts +1 -1
  721. package/dist/lib/routes/activitypub/inbox.d.ts.map +1 -1
  722. package/dist/lib/routes/activitypub/inbox.js +30 -33
  723. package/dist/lib/routes/activitypub/inbox.js.map +1 -1
  724. package/dist/lib/routes/activitypub/messages.d.ts +1 -1
  725. package/dist/lib/routes/activitypub/messages.d.ts.map +1 -1
  726. package/dist/lib/routes/activitypub/messages.js +79 -83
  727. package/dist/lib/routes/activitypub/messages.js.map +1 -1
  728. package/dist/lib/routes/activitypub/outbox.d.ts +1 -1
  729. package/dist/lib/routes/activitypub/outbox.d.ts.map +1 -1
  730. package/dist/lib/routes/activitypub/outbox.js +9 -12
  731. package/dist/lib/routes/activitypub/outbox.js.map +1 -1
  732. package/dist/lib/routes/activitypub/post.d.ts +1 -1
  733. package/dist/lib/routes/activitypub/post.d.ts.map +1 -1
  734. package/dist/lib/routes/activitypub/post.js +32 -35
  735. package/dist/lib/routes/activitypub/post.js.map +1 -1
  736. package/dist/lib/routes/activitypub/webfinger.d.ts +1 -1
  737. package/dist/lib/routes/activitypub/webfinger.d.ts.map +1 -1
  738. package/dist/lib/routes/activitypub/webfinger.js +5 -8
  739. package/dist/lib/routes/activitypub/webfinger.js.map +1 -1
  740. package/dist/lib/routes/admin-costs.d.ts +1 -1
  741. package/dist/lib/routes/admin-costs.d.ts.map +1 -1
  742. package/dist/lib/routes/admin-costs.js +22 -26
  743. package/dist/lib/routes/admin-costs.js.map +1 -1
  744. package/dist/lib/routes/admin.d.ts +1 -1
  745. package/dist/lib/routes/admin.d.ts.map +1 -1
  746. package/dist/lib/routes/admin.js +290 -269
  747. package/dist/lib/routes/admin.js.map +1 -1
  748. package/dist/lib/routes/agent-authorize.d.ts +5 -5
  749. package/dist/lib/routes/agent-authorize.d.ts.map +1 -1
  750. package/dist/lib/routes/agent-authorize.js +68 -74
  751. package/dist/lib/routes/agent-authorize.js.map +1 -1
  752. package/dist/lib/routes/agent-sessions.d.ts +4 -4
  753. package/dist/lib/routes/agent-sessions.d.ts.map +1 -1
  754. package/dist/lib/routes/agent-sessions.js +30 -35
  755. package/dist/lib/routes/agent-sessions.js.map +1 -1
  756. package/dist/lib/routes/agent-surface.d.ts +2 -2
  757. package/dist/lib/routes/agent-surface.d.ts.map +1 -1
  758. package/dist/lib/routes/agent-surface.js +20 -24
  759. package/dist/lib/routes/agent-surface.js.map +1 -1
  760. package/dist/lib/routes/auth-discover.d.ts +1 -1
  761. package/dist/lib/routes/auth-discover.d.ts.map +1 -1
  762. package/dist/lib/routes/auth-discover.js +20 -56
  763. package/dist/lib/routes/auth-discover.js.map +1 -1
  764. package/dist/lib/routes/auth.d.ts +1 -1
  765. package/dist/lib/routes/auth.d.ts.map +1 -1
  766. package/dist/lib/routes/auth.js +13 -16
  767. package/dist/lib/routes/auth.js.map +1 -1
  768. package/dist/lib/routes/badges.d.ts +1 -1
  769. package/dist/lib/routes/badges.d.ts.map +1 -1
  770. package/dist/lib/routes/badges.js +20 -23
  771. package/dist/lib/routes/badges.js.map +1 -1
  772. package/dist/lib/routes/circles.d.ts +1 -1
  773. package/dist/lib/routes/circles.d.ts.map +1 -1
  774. package/dist/lib/routes/circles.js +40 -44
  775. package/dist/lib/routes/circles.js.map +1 -1
  776. package/dist/lib/routes/comments.d.ts +1 -1
  777. package/dist/lib/routes/comments.d.ts.map +1 -1
  778. package/dist/lib/routes/comments.js +67 -71
  779. package/dist/lib/routes/comments.js.map +1 -1
  780. package/dist/lib/routes/connection-codes.d.ts +1 -1
  781. package/dist/lib/routes/connection-codes.d.ts.map +1 -1
  782. package/dist/lib/routes/connection-codes.js +30 -34
  783. package/dist/lib/routes/connection-codes.js.map +1 -1
  784. package/dist/lib/routes/content-discovery.d.ts +1 -1
  785. package/dist/lib/routes/content-discovery.d.ts.map +1 -1
  786. package/dist/lib/routes/content-discovery.js +31 -34
  787. package/dist/lib/routes/content-discovery.js.map +1 -1
  788. package/dist/lib/routes/dashboard.d.ts +1 -1
  789. package/dist/lib/routes/dashboard.d.ts.map +1 -1
  790. package/dist/lib/routes/dashboard.js +251 -288
  791. package/dist/lib/routes/dashboard.js.map +1 -1
  792. package/dist/lib/routes/deletion.d.ts +1 -1
  793. package/dist/lib/routes/deletion.d.ts.map +1 -1
  794. package/dist/lib/routes/deletion.js +37 -74
  795. package/dist/lib/routes/deletion.js.map +1 -1
  796. package/dist/lib/routes/discovery.d.ts +1 -1
  797. package/dist/lib/routes/discovery.d.ts.map +1 -1
  798. package/dist/lib/routes/discovery.js +20 -24
  799. package/dist/lib/routes/discovery.js.map +1 -1
  800. package/dist/lib/routes/employees.d.ts +1 -1
  801. package/dist/lib/routes/employees.d.ts.map +1 -1
  802. package/dist/lib/routes/employees.js +15 -52
  803. package/dist/lib/routes/employees.js.map +1 -1
  804. package/dist/lib/routes/entities.d.ts +1 -1
  805. package/dist/lib/routes/entities.d.ts.map +1 -1
  806. package/dist/lib/routes/entities.js +133 -137
  807. package/dist/lib/routes/entities.js.map +1 -1
  808. package/dist/lib/routes/entity-relationships.d.ts +1 -1
  809. package/dist/lib/routes/entity-relationships.d.ts.map +1 -1
  810. package/dist/lib/routes/entity-relationships.js +35 -39
  811. package/dist/lib/routes/entity-relationships.js.map +1 -1
  812. package/dist/lib/routes/errors.d.ts +1 -1
  813. package/dist/lib/routes/errors.d.ts.map +1 -1
  814. package/dist/lib/routes/errors.js +4 -10
  815. package/dist/lib/routes/errors.js.map +1 -1
  816. package/dist/lib/routes/export.d.ts +1 -1
  817. package/dist/lib/routes/export.d.ts.map +1 -1
  818. package/dist/lib/routes/export.js +31 -35
  819. package/dist/lib/routes/export.js.map +1 -1
  820. package/dist/lib/routes/feature-flags.d.ts +1 -1
  821. package/dist/lib/routes/feature-flags.d.ts.map +1 -1
  822. package/dist/lib/routes/feature-flags.js +20 -23
  823. package/dist/lib/routes/feature-flags.js.map +1 -1
  824. package/dist/lib/routes/feeds.d.ts +1 -1
  825. package/dist/lib/routes/feeds.d.ts.map +1 -1
  826. package/dist/lib/routes/feeds.js +42 -46
  827. package/dist/lib/routes/feeds.js.map +1 -1
  828. package/dist/lib/routes/friends.d.ts +1 -1
  829. package/dist/lib/routes/friends.d.ts.map +1 -1
  830. package/dist/lib/routes/friends.js +35 -39
  831. package/dist/lib/routes/friends.js.map +1 -1
  832. package/dist/lib/routes/health.d.ts +1 -1
  833. package/dist/lib/routes/health.d.ts.map +1 -1
  834. package/dist/lib/routes/health.js +23 -27
  835. package/dist/lib/routes/health.js.map +1 -1
  836. package/dist/lib/routes/index.d.ts +2 -7
  837. package/dist/lib/routes/index.d.ts.map +1 -1
  838. package/dist/lib/routes/index.js +137 -158
  839. package/dist/lib/routes/index.js.map +1 -1
  840. package/dist/lib/routes/internal-docs.d.ts +1 -1
  841. package/dist/lib/routes/internal-docs.d.ts.map +1 -1
  842. package/dist/lib/routes/internal-docs.js +13 -16
  843. package/dist/lib/routes/internal-docs.js.map +1 -1
  844. package/dist/lib/routes/invitations.d.ts +1 -1
  845. package/dist/lib/routes/invitations.d.ts.map +1 -1
  846. package/dist/lib/routes/invitations.js +19 -22
  847. package/dist/lib/routes/invitations.js.map +1 -1
  848. package/dist/lib/routes/link-reports.d.ts +2 -2
  849. package/dist/lib/routes/link-reports.d.ts.map +1 -1
  850. package/dist/lib/routes/link-reports.js +86 -48
  851. package/dist/lib/routes/link-reports.js.map +1 -1
  852. package/dist/lib/routes/map.d.ts +1 -1
  853. package/dist/lib/routes/map.d.ts.map +1 -1
  854. package/dist/lib/routes/map.js +5 -8
  855. package/dist/lib/routes/map.js.map +1 -1
  856. package/dist/lib/routes/media-metadata-visibility.d.ts +1 -1
  857. package/dist/lib/routes/media-metadata-visibility.d.ts.map +1 -1
  858. package/dist/lib/routes/media-metadata-visibility.js +30 -67
  859. package/dist/lib/routes/media-metadata-visibility.js.map +1 -1
  860. package/dist/lib/routes/media.d.ts +1 -1
  861. package/dist/lib/routes/media.d.ts.map +1 -1
  862. package/dist/lib/routes/media.js +156 -193
  863. package/dist/lib/routes/media.js.map +1 -1
  864. package/dist/lib/routes/mfa.d.ts +1 -1
  865. package/dist/lib/routes/mfa.d.ts.map +1 -1
  866. package/dist/lib/routes/mfa.js +60 -64
  867. package/dist/lib/routes/mfa.js.map +1 -1
  868. package/dist/lib/routes/notifications.d.ts +1 -1
  869. package/dist/lib/routes/notifications.d.ts.map +1 -1
  870. package/dist/lib/routes/notifications.js +68 -72
  871. package/dist/lib/routes/notifications.js.map +1 -1
  872. package/dist/lib/routes/oauth.d.ts +1 -1
  873. package/dist/lib/routes/oauth.d.ts.map +1 -1
  874. package/dist/lib/routes/oauth.js +20 -23
  875. package/dist/lib/routes/oauth.js.map +1 -1
  876. package/dist/lib/routes/orphaned-media-health.d.ts +1 -1
  877. package/dist/lib/routes/orphaned-media-health.d.ts.map +1 -1
  878. package/dist/lib/routes/orphaned-media-health.js +10 -13
  879. package/dist/lib/routes/orphaned-media-health.js.map +1 -1
  880. package/dist/lib/routes/orphaned-media.d.ts +1 -1
  881. package/dist/lib/routes/orphaned-media.d.ts.map +1 -1
  882. package/dist/lib/routes/orphaned-media.js +20 -57
  883. package/dist/lib/routes/orphaned-media.js.map +1 -1
  884. package/dist/lib/routes/out.d.ts +1 -1
  885. package/dist/lib/routes/out.d.ts.map +1 -1
  886. package/dist/lib/routes/out.js +21 -24
  887. package/dist/lib/routes/out.js.map +1 -1
  888. package/dist/lib/routes/parental-controls.d.ts +1 -1
  889. package/dist/lib/routes/parental-controls.d.ts.map +1 -1
  890. package/dist/lib/routes/parental-controls.js +91 -95
  891. package/dist/lib/routes/parental-controls.js.map +1 -1
  892. package/dist/lib/routes/posts.d.ts +1 -1
  893. package/dist/lib/routes/posts.d.ts.map +1 -1
  894. package/dist/lib/routes/posts.js +101 -105
  895. package/dist/lib/routes/posts.js.map +1 -1
  896. package/dist/lib/routes/privacy.d.ts +1 -1
  897. package/dist/lib/routes/privacy.d.ts.map +1 -1
  898. package/dist/lib/routes/privacy.js +21 -25
  899. package/dist/lib/routes/privacy.js.map +1 -1
  900. package/dist/lib/routes/products.d.ts +1 -1
  901. package/dist/lib/routes/products.d.ts.map +1 -1
  902. package/dist/lib/routes/products.js +44 -48
  903. package/dist/lib/routes/products.js.map +1 -1
  904. package/dist/lib/routes/relationships.d.ts +1 -1
  905. package/dist/lib/routes/relationships.d.ts.map +1 -1
  906. package/dist/lib/routes/relationships.js +35 -39
  907. package/dist/lib/routes/relationships.js.map +1 -1
  908. package/dist/lib/routes/sentiments.d.ts +1 -1
  909. package/dist/lib/routes/sentiments.d.ts.map +1 -1
  910. package/dist/lib/routes/sentiments.js +71 -75
  911. package/dist/lib/routes/sentiments.js.map +1 -1
  912. package/dist/lib/routes/setup-status.d.ts +1 -1
  913. package/dist/lib/routes/setup-status.d.ts.map +1 -1
  914. package/dist/lib/routes/setup-status.js +17 -20
  915. package/dist/lib/routes/setup-status.js.map +1 -1
  916. package/dist/lib/routes/taxonomy-analytics.d.ts +1 -1
  917. package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
  918. package/dist/lib/routes/taxonomy-analytics.js +29 -33
  919. package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
  920. package/dist/lib/routes/taxonomy.d.ts +1 -1
  921. package/dist/lib/routes/taxonomy.d.ts.map +1 -1
  922. package/dist/lib/routes/taxonomy.js +48 -51
  923. package/dist/lib/routes/taxonomy.js.map +1 -1
  924. package/dist/lib/routes/tenant-audit.d.ts +1 -1
  925. package/dist/lib/routes/tenant-audit.d.ts.map +1 -1
  926. package/dist/lib/routes/tenant-audit.js +35 -92
  927. package/dist/lib/routes/tenant-audit.js.map +1 -1
  928. package/dist/lib/routes/tenant-compliance.d.ts +1 -1
  929. package/dist/lib/routes/tenant-compliance.d.ts.map +1 -1
  930. package/dist/lib/routes/tenant-compliance.js +16 -52
  931. package/dist/lib/routes/tenant-compliance.js.map +1 -1
  932. package/dist/lib/routes/tenant-domains.d.ts +1 -1
  933. package/dist/lib/routes/tenant-domains.d.ts.map +1 -1
  934. package/dist/lib/routes/tenant-domains.js +27 -30
  935. package/dist/lib/routes/tenant-domains.js.map +1 -1
  936. package/dist/lib/routes/tenant-idp.d.ts +1 -1
  937. package/dist/lib/routes/tenant-idp.d.ts.map +1 -1
  938. package/dist/lib/routes/tenant-idp.js +27 -30
  939. package/dist/lib/routes/tenant-idp.js.map +1 -1
  940. package/dist/lib/routes/tenant-members.d.ts +1 -1
  941. package/dist/lib/routes/tenant-members.d.ts.map +1 -1
  942. package/dist/lib/routes/tenant-members.js +21 -24
  943. package/dist/lib/routes/tenant-members.js.map +1 -1
  944. package/dist/lib/routes/tenant-role-mappings.d.ts +1 -1
  945. package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -1
  946. package/dist/lib/routes/tenant-role-mappings.js +27 -30
  947. package/dist/lib/routes/tenant-role-mappings.js.map +1 -1
  948. package/dist/lib/routes/tenants.d.ts +1 -1
  949. package/dist/lib/routes/tenants.d.ts.map +1 -1
  950. package/dist/lib/routes/tenants.js +37 -40
  951. package/dist/lib/routes/tenants.js.map +1 -1
  952. package/dist/lib/routes/types.d.ts +10 -5
  953. package/dist/lib/routes/types.d.ts.map +1 -1
  954. package/dist/lib/routes/types.js +1 -2
  955. package/dist/lib/routes/types.js.map +1 -1
  956. package/dist/lib/routes/upload-sessions.d.ts +1 -1
  957. package/dist/lib/routes/upload-sessions.d.ts.map +1 -1
  958. package/dist/lib/routes/upload-sessions.js +57 -94
  959. package/dist/lib/routes/upload-sessions.js.map +1 -1
  960. package/dist/lib/routes/user.d.ts +1 -1
  961. package/dist/lib/routes/user.d.ts.map +1 -1
  962. package/dist/lib/routes/user.js +137 -85
  963. package/dist/lib/routes/user.js.map +1 -1
  964. package/dist/lib/routes.d.ts +2 -2
  965. package/dist/lib/routes.d.ts.map +1 -1
  966. package/dist/lib/routes.js +2 -7
  967. package/dist/lib/routes.js.map +1 -1
  968. package/dist/lib/scaling-health.d.ts.map +1 -1
  969. package/dist/lib/scaling-health.js +6 -9
  970. package/dist/lib/scaling-health.js.map +1 -1
  971. package/dist/lib/scheduled/media-stale-cleanup.js +5 -8
  972. package/dist/lib/scheduled/media-stale-cleanup.js.map +1 -1
  973. package/dist/lib/scheduled/orphaned-media-monitor.d.ts +1 -1
  974. package/dist/lib/scheduled/orphaned-media-monitor.d.ts.map +1 -1
  975. package/dist/lib/scheduled/orphaned-media-monitor.js +5 -42
  976. package/dist/lib/scheduled/orphaned-media-monitor.js.map +1 -1
  977. package/dist/lib/schemas.d.ts +85 -204
  978. package/dist/lib/schemas.d.ts.map +1 -1
  979. package/dist/lib/schemas.js +71 -74
  980. package/dist/lib/schemas.js.map +1 -1
  981. package/dist/lib/secrets/idp-secrets.d.ts +1 -1
  982. package/dist/lib/secrets/idp-secrets.js +13 -19
  983. package/dist/lib/secrets/idp-secrets.js.map +1 -1
  984. package/dist/lib/security-event-cleaner.js +1 -5
  985. package/dist/lib/security-event-cleaner.js.map +1 -1
  986. package/dist/lib/security-headers.js +1 -5
  987. package/dist/lib/security-headers.js.map +1 -1
  988. package/dist/lib/security-monitor.d.ts +4 -2
  989. package/dist/lib/security-monitor.d.ts.map +1 -1
  990. package/dist/lib/security-monitor.js +16 -18
  991. package/dist/lib/security-monitor.js.map +1 -1
  992. package/dist/lib/sentiment-digest.d.ts +1 -1
  993. package/dist/lib/sentiment-digest.d.ts.map +1 -1
  994. package/dist/lib/sentiment-digest.js +5 -8
  995. package/dist/lib/sentiment-digest.js.map +1 -1
  996. package/dist/lib/sentiment-display.js +3 -7
  997. package/dist/lib/sentiment-display.js.map +1 -1
  998. package/dist/lib/services/image-normalizer.js +1 -5
  999. package/dist/lib/services/image-normalizer.js.map +1 -1
  1000. package/dist/lib/services/media-reconciliation-service.d.ts +1 -1
  1001. package/dist/lib/services/media-reconciliation-service.d.ts.map +1 -1
  1002. package/dist/lib/services/media-reconciliation-service.js +7 -11
  1003. package/dist/lib/services/media-reconciliation-service.js.map +1 -1
  1004. package/dist/lib/services/media-upload-service.d.ts +1 -1
  1005. package/dist/lib/services/media-upload-service.d.ts.map +1 -1
  1006. package/dist/lib/services/media-upload-service.js +4 -8
  1007. package/dist/lib/services/media-upload-service.js.map +1 -1
  1008. package/dist/lib/services/user-data-deletion.d.ts +45 -2
  1009. package/dist/lib/services/user-data-deletion.d.ts.map +1 -1
  1010. package/dist/lib/services/user-data-deletion.js +87 -9
  1011. package/dist/lib/services/user-data-deletion.js.map +1 -1
  1012. package/dist/lib/session-awareness.js +2 -6
  1013. package/dist/lib/session-awareness.js.map +1 -1
  1014. package/dist/lib/session-config.js +8 -17
  1015. package/dist/lib/session-config.js.map +1 -1
  1016. package/dist/lib/{session-manager.d.ts → session-cookie.d.ts} +58 -15
  1017. package/dist/lib/session-cookie.d.ts.map +1 -0
  1018. package/dist/lib/session-cookie.js +0 -0
  1019. package/dist/lib/session-cookie.js.map +1 -0
  1020. package/dist/lib/signup-metadata.d.ts +129 -0
  1021. package/dist/lib/signup-metadata.d.ts.map +1 -0
  1022. package/dist/lib/signup-metadata.js +127 -0
  1023. package/dist/lib/signup-metadata.js.map +1 -0
  1024. package/dist/lib/sso-auth-handler.js +1 -5
  1025. package/dist/lib/sso-auth-handler.js.map +1 -1
  1026. package/dist/lib/tag-suggestions-handler.d.ts +1 -1
  1027. package/dist/lib/tag-suggestions-handler.d.ts.map +1 -1
  1028. package/dist/lib/tag-suggestions-handler.js +1 -5
  1029. package/dist/lib/tag-suggestions-handler.js.map +1 -1
  1030. package/dist/lib/taxonomy-handler-factory.d.ts +2 -2
  1031. package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
  1032. package/dist/lib/taxonomy-handler-factory.js +7 -10
  1033. package/dist/lib/taxonomy-handler-factory.js.map +1 -1
  1034. package/dist/lib/taxonomy-handler.d.ts +2 -2
  1035. package/dist/lib/taxonomy-handler.d.ts.map +1 -1
  1036. package/dist/lib/taxonomy-handler.js +8 -8
  1037. package/dist/lib/taxonomy-handler.js.map +1 -1
  1038. package/dist/lib/taxonomy-metrics.js +5 -9
  1039. package/dist/lib/taxonomy-metrics.js.map +1 -1
  1040. package/dist/lib/taxonomy-search-metrics.d.ts +2 -2
  1041. package/dist/lib/taxonomy-search-metrics.d.ts.map +1 -1
  1042. package/dist/lib/taxonomy-search-metrics.js +3 -7
  1043. package/dist/lib/taxonomy-search-metrics.js.map +1 -1
  1044. package/dist/lib/tenant/audit-emit.d.ts +18 -8
  1045. package/dist/lib/tenant/audit-emit.d.ts.map +1 -1
  1046. package/dist/lib/tenant/audit-emit.js +50 -11
  1047. package/dist/lib/tenant/audit-emit.js.map +1 -1
  1048. package/dist/lib/tenant/derive-domain.js +1 -4
  1049. package/dist/lib/tenant/derive-domain.js.map +1 -1
  1050. package/dist/lib/tenant/domain-handler.d.ts +2 -2
  1051. package/dist/lib/tenant/domain-handler.d.ts.map +1 -1
  1052. package/dist/lib/tenant/domain-handler.js +50 -62
  1053. package/dist/lib/tenant/domain-handler.js.map +1 -1
  1054. package/dist/lib/tenant/domain-validator.d.ts +1 -1
  1055. package/dist/lib/tenant/domain-validator.js +10 -13
  1056. package/dist/lib/tenant/domain-validator.js.map +1 -1
  1057. package/dist/lib/tenant/domain-verifier.d.ts +3 -3
  1058. package/dist/lib/tenant/domain-verifier.js +8 -11
  1059. package/dist/lib/tenant/domain-verifier.js.map +1 -1
  1060. package/dist/lib/tenant/idp-handler.d.ts +4 -4
  1061. package/dist/lib/tenant/idp-handler.d.ts.map +1 -1
  1062. package/dist/lib/tenant/idp-handler.js +45 -82
  1063. package/dist/lib/tenant/idp-handler.js.map +1 -1
  1064. package/dist/lib/tenant/idp-name.js +1 -4
  1065. package/dist/lib/tenant/idp-name.js.map +1 -1
  1066. package/dist/lib/tenant/member-handler.d.ts +2 -2
  1067. package/dist/lib/tenant/member-handler.d.ts.map +1 -1
  1068. package/dist/lib/tenant/member-handler.js +30 -67
  1069. package/dist/lib/tenant/member-handler.js.map +1 -1
  1070. package/dist/lib/tenant/reserved-slugs.d.ts +1 -1
  1071. package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -1
  1072. package/dist/lib/tenant/reserved-slugs.js +8 -14
  1073. package/dist/lib/tenant/reserved-slugs.js.map +1 -1
  1074. package/dist/lib/tenant/resolve-role.js +1 -4
  1075. package/dist/lib/tenant/resolve-role.js.map +1 -1
  1076. package/dist/lib/tenant/role-mapping-handler.d.ts +2 -2
  1077. package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -1
  1078. package/dist/lib/tenant/role-mapping-handler.js +24 -61
  1079. package/dist/lib/tenant/role-mapping-handler.js.map +1 -1
  1080. package/dist/lib/tenant/setup-status.d.ts +1 -1
  1081. package/dist/lib/tenant/setup-status.d.ts.map +1 -1
  1082. package/dist/lib/tenant/setup-status.js +3 -40
  1083. package/dist/lib/tenant/setup-status.js.map +1 -1
  1084. package/dist/lib/tenant/slug-validator.js +3 -6
  1085. package/dist/lib/tenant/slug-validator.js.map +1 -1
  1086. package/dist/lib/tenant/tenant-handler.d.ts +2 -2
  1087. package/dist/lib/tenant/tenant-handler.d.ts.map +1 -1
  1088. package/dist/lib/tenant/tenant-handler.js +31 -68
  1089. package/dist/lib/tenant/tenant-handler.js.map +1 -1
  1090. package/dist/lib/tenant/transfer-ownership.js +2 -6
  1091. package/dist/lib/tenant/transfer-ownership.js.map +1 -1
  1092. package/dist/lib/tenant-scope.d.ts +97 -0
  1093. package/dist/lib/tenant-scope.d.ts.map +1 -0
  1094. package/dist/lib/tenant-scope.js +270 -0
  1095. package/dist/lib/tenant-scope.js.map +1 -0
  1096. package/dist/lib/terminology.d.ts.map +1 -1
  1097. package/dist/lib/terminology.js +7 -9
  1098. package/dist/lib/terminology.js.map +1 -1
  1099. package/dist/lib/theme.js +2 -6
  1100. package/dist/lib/theme.js.map +1 -1
  1101. package/dist/lib/threat-intel-service.d.ts +2 -2
  1102. package/dist/lib/threat-intel-service.d.ts.map +1 -1
  1103. package/dist/lib/threat-intel-service.js +3 -7
  1104. package/dist/lib/threat-intel-service.js.map +1 -1
  1105. package/dist/lib/types/media-reconciliation.js +1 -2
  1106. package/dist/lib/types/media-reconciliation.js.map +1 -1
  1107. package/dist/lib/upload-session-handler.d.ts +1 -1
  1108. package/dist/lib/upload-session-handler.d.ts.map +1 -1
  1109. package/dist/lib/upload-session-handler.js +13 -50
  1110. package/dist/lib/upload-session-handler.js.map +1 -1
  1111. package/dist/lib/user/derive-handle.d.ts +22 -0
  1112. package/dist/lib/user/derive-handle.d.ts.map +1 -1
  1113. package/dist/lib/user/derive-handle.js +18 -6
  1114. package/dist/lib/user/derive-handle.js.map +1 -1
  1115. package/dist/lib/user-badge.js +6 -14
  1116. package/dist/lib/user-badge.js.map +1 -1
  1117. package/dist/lib/user-deletion-handler-enhanced.d.ts +2 -2
  1118. package/dist/lib/user-deletion-handler-enhanced.d.ts.map +1 -1
  1119. package/dist/lib/user-deletion-handler-enhanced.js +16 -53
  1120. package/dist/lib/user-deletion-handler-enhanced.js.map +1 -1
  1121. package/dist/lib/user-deprovisioning.d.ts +1 -1
  1122. package/dist/lib/user-deprovisioning.d.ts.map +1 -1
  1123. package/dist/lib/user-deprovisioning.js +16 -20
  1124. package/dist/lib/user-deprovisioning.js.map +1 -1
  1125. package/dist/lib/user-export-handler.d.ts +4 -4
  1126. package/dist/lib/user-export-handler.d.ts.map +1 -1
  1127. package/dist/lib/user-export-handler.js +11 -15
  1128. package/dist/lib/user-export-handler.js.map +1 -1
  1129. package/dist/lib/validate-request.js +8 -13
  1130. package/dist/lib/validate-request.js.map +1 -1
  1131. package/dist/lib/validation/feature-toggle-schemas.d.ts +130 -249
  1132. package/dist/lib/validation/feature-toggle-schemas.d.ts.map +1 -1
  1133. package/dist/lib/validation/feature-toggle-schemas.js +50 -59
  1134. package/dist/lib/validation/feature-toggle-schemas.js.map +1 -1
  1135. package/dist/lib/validation/validate-request.d.ts.map +1 -1
  1136. package/dist/lib/validation/validate-request.js +12 -23
  1137. package/dist/lib/validation/validate-request.js.map +1 -1
  1138. package/dist/lib/validation.js +1 -5
  1139. package/dist/lib/validation.js.map +1 -1
  1140. package/dist/lib/version.js +3 -8
  1141. package/dist/lib/version.js.map +1 -1
  1142. package/dist/server.d.ts +1 -1
  1143. package/dist/server.d.ts.map +1 -1
  1144. package/dist/server.js +29 -69
  1145. package/dist/server.js.map +1 -1
  1146. package/dist/types/cloudflare-compat.d.ts +3 -93
  1147. package/dist/types/cloudflare-compat.d.ts.map +1 -1
  1148. package/dist/types/cloudflare-compat.js +1 -2
  1149. package/dist/types/cloudflare-compat.js.map +1 -1
  1150. package/dist/worker.d.ts +6 -6
  1151. package/dist/worker.d.ts.map +1 -1
  1152. package/dist/worker.js +6 -13
  1153. package/dist/worker.js.map +1 -1
  1154. package/package.json +28 -15
  1155. package/prisma/migrations/20260602054730_add_entity_geo_and_pending_schema/migration.sql +113 -0
  1156. package/prisma/migrations/20260602162901_research_foundations/migration.sql +65 -0
  1157. package/prisma/migrations/20260604130000_surveillance_phase0_enablers/migration.sql +107 -0
  1158. package/prisma/migrations/20260604140000_fold_link_reports_into_reports/migration.sql +23 -0
  1159. package/prisma/migrations/20260604140000_fold_link_reports_into_reports/rollback.reference.sql +31 -0
  1160. package/prisma/migrations/20260606000000_handle_canonical_identity/migration.sql +18 -0
  1161. package/prisma/schema.prisma +426 -68
  1162. package/src/lambda/cleanup-cron.ts +10 -7
  1163. package/src/lambda/create-auth-challenge.ts +6 -3
  1164. package/src/lambda/delete-account-worker.ts +17 -12
  1165. package/src/lambda/diagnostics-proxy.ts +9 -6
  1166. package/src/lambda/e2e-sweeper.ts +17 -23
  1167. package/src/lambda/federation-outbox-worker.ts +4 -1
  1168. package/src/lambda/followers-events-worker.ts +4 -1
  1169. package/src/lambda/hourly-cron.ts +112 -20
  1170. package/src/lambda/link-check-worker.ts +4 -1
  1171. package/src/lambda/maintenance-cron.ts +24 -13
  1172. package/src/lambda/media-processing-worker.ts +5 -2
  1173. package/src/lambda/media-reconciliation-worker.ts +4 -1
  1174. package/src/lambda/nightly-cron.ts +53 -54
  1175. package/src/lambda/post-confirmation.ts +262 -76
  1176. package/src/lambda/pre-token-generation.ts +39 -44
  1177. package/src/lambda/verify-auth-challenge.ts +4 -1
  1178. package/dist/lib/audit/emit.d.ts +0 -56
  1179. package/dist/lib/audit/emit.d.ts.map +0 -1
  1180. package/dist/lib/audit/emit.js +0 -124
  1181. package/dist/lib/audit/emit.js.map +0 -1
  1182. package/dist/lib/audit/event-types.d.ts +0 -36
  1183. package/dist/lib/audit/event-types.d.ts.map +0 -1
  1184. package/dist/lib/audit/event-types.js +0 -69
  1185. package/dist/lib/audit/event-types.js.map +0 -1
  1186. package/dist/lib/audit-logger.d.ts +0 -142
  1187. package/dist/lib/audit-logger.d.ts.map +0 -1
  1188. package/dist/lib/audit-logger.js +0 -326
  1189. package/dist/lib/audit-logger.js.map +0 -1
  1190. package/dist/lib/circuit-breaker.d.ts +0 -27
  1191. package/dist/lib/circuit-breaker.d.ts.map +0 -1
  1192. package/dist/lib/circuit-breaker.js +0 -63
  1193. package/dist/lib/circuit-breaker.js.map +0 -1
  1194. package/dist/lib/graph/dual-write-service.d.ts +0 -116
  1195. package/dist/lib/graph/dual-write-service.d.ts.map +0 -1
  1196. package/dist/lib/graph/dual-write-service.js +0 -332
  1197. package/dist/lib/graph/dual-write-service.js.map +0 -1
  1198. package/dist/lib/graph/dual-write.d.ts +0 -396
  1199. package/dist/lib/graph/dual-write.d.ts.map +0 -1
  1200. package/dist/lib/graph/dual-write.js +0 -53
  1201. package/dist/lib/graph/dual-write.js.map +0 -1
  1202. package/dist/lib/graph/graph-schema-init.d.ts +0 -31
  1203. package/dist/lib/graph/graph-schema-init.d.ts.map +0 -1
  1204. package/dist/lib/graph/graph-schema-init.js +0 -105
  1205. package/dist/lib/graph/graph-schema-init.js.map +0 -1
  1206. package/dist/lib/graph/neo4j-graph-service.d.ts +0 -186
  1207. package/dist/lib/graph/neo4j-graph-service.d.ts.map +0 -1
  1208. package/dist/lib/graph/neo4j-graph-service.js +0 -1625
  1209. package/dist/lib/graph/neo4j-graph-service.js.map +0 -1
  1210. package/dist/lib/graph/reconciliation-service.d.ts +0 -113
  1211. package/dist/lib/graph/reconciliation-service.d.ts.map +0 -1
  1212. package/dist/lib/graph/reconciliation-service.js +0 -533
  1213. package/dist/lib/graph/reconciliation-service.js.map +0 -1
  1214. package/dist/lib/id-generator.d.ts +0 -29
  1215. package/dist/lib/id-generator.d.ts.map +0 -1
  1216. package/dist/lib/id-generator.js +0 -51
  1217. package/dist/lib/id-generator.js.map +0 -1
  1218. package/dist/lib/kv/dynamodb-kv.d.ts +0 -39
  1219. package/dist/lib/kv/dynamodb-kv.d.ts.map +0 -1
  1220. package/dist/lib/kv/dynamodb-kv.js +0 -239
  1221. package/dist/lib/kv/dynamodb-kv.js.map +0 -1
  1222. package/dist/lib/queue/sqs-queue.d.ts +0 -16
  1223. package/dist/lib/queue/sqs-queue.d.ts.map +0 -1
  1224. package/dist/lib/queue/sqs-queue.js +0 -39
  1225. package/dist/lib/queue/sqs-queue.js.map +0 -1
  1226. package/dist/lib/route-matcher.d.ts +0 -24
  1227. package/dist/lib/route-matcher.d.ts.map +0 -1
  1228. package/dist/lib/route-matcher.js +0 -96
  1229. package/dist/lib/route-matcher.js.map +0 -1
  1230. package/dist/lib/router.d.ts +0 -26
  1231. package/dist/lib/router.d.ts.map +0 -1
  1232. package/dist/lib/router.js +0 -90
  1233. package/dist/lib/router.js.map +0 -1
  1234. package/dist/lib/routes-all.d.ts +0 -9
  1235. package/dist/lib/routes-all.d.ts.map +0 -1
  1236. package/dist/lib/routes-all.js +0 -170
  1237. package/dist/lib/routes-all.js.map +0 -1
  1238. package/dist/lib/secret-resolver.d.ts +0 -88
  1239. package/dist/lib/secret-resolver.d.ts.map +0 -1
  1240. package/dist/lib/secret-resolver.js +0 -183
  1241. package/dist/lib/secret-resolver.js.map +0 -1
  1242. package/dist/lib/session-manager.d.ts.map +0 -1
  1243. package/dist/lib/session-manager.js +0 -492
  1244. package/dist/lib/session-manager.js.map +0 -1
  1245. package/dist/lib/storage/s3-storage.d.ts +0 -29
  1246. package/dist/lib/storage/s3-storage.d.ts.map +0 -1
  1247. package/dist/lib/storage/s3-storage.js +0 -135
  1248. package/dist/lib/storage/s3-storage.js.map +0 -1
  1249. package/dist/lib/tenant-context.d.ts +0 -35
  1250. package/dist/lib/tenant-context.d.ts.map +0 -1
  1251. package/dist/lib/tenant-context.js +0 -54
  1252. package/dist/lib/tenant-context.js.map +0 -1
@@ -1,4 +1,3 @@
1
- "use strict";
2
1
  /**
3
2
  * Capability catalog — every action a tenant member can be authorized to do.
4
3
  *
@@ -7,9 +6,7 @@
7
6
  *
8
7
  * Source of truth: doc/02-technical/identity-federation/05-roles-and-permissions.md.
9
8
  */
10
- Object.defineProperty(exports, "__esModule", { value: true });
11
- exports.ALL_CAPABILITIES = exports.Capability = void 0;
12
- exports.Capability = {
9
+ export const Capability = {
13
10
  TenantUpdate: "tenant.update",
14
11
  TenantDelete: "tenant.delete",
15
12
  TenantSuspend: "tenant.suspend",
@@ -40,5 +37,5 @@ exports.Capability = {
40
37
  ManageAgentSessions: "manage:agent_sessions",
41
38
  };
42
39
  /** All capabilities, used by tests + reflection helpers. */
43
- exports.ALL_CAPABILITIES = Object.values(exports.Capability);
40
+ export const ALL_CAPABILITIES = Object.values(Capability);
44
41
  //# sourceMappingURL=capabilities.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"capabilities.js","sourceRoot":"","sources":["../../../src/lib/auth/capabilities.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAEU,QAAA,UAAU,GAAG;IACxB,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,aAAa,EAAE,gBAAgB;IAE/B,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,gBAAgB,EAAE,oBAAoB;IACtC,aAAa,EAAE,gBAAgB;IAC/B,UAAU,EAAE,aAAa;IAEzB,YAAY,EAAE,eAAe;IAC7B,OAAO,EAAE,UAAU;IACnB,eAAe,EAAE,mBAAmB;IAEpC,SAAS,EAAE,YAAY;IACvB,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,UAAU,EAAE,aAAa;IAEzB,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,UAAU,EAAE,aAAa;IAEzB,UAAU,EAAE,aAAa;IACzB,UAAU,EAAE,aAAa;IACzB,UAAU,EAAE,aAAa;IACzB,YAAY,EAAE,eAAe;IAC7B,QAAQ,EAAE,WAAW;IAErB,SAAS,EAAE,YAAY;IAEvB,uEAAuE;IACvE,4DAA4D;IAC5D,mBAAmB,EAAE,uBAAuB;CACpC,CAAC;AAIX,4DAA4D;AAC/C,QAAA,gBAAgB,GAC3B,MAAM,CAAC,MAAM,CAAC,kBAAU,CAAmC,CAAC"}
1
+ {"version":3,"file":"capabilities.js","sourceRoot":"","sources":["../../../src/lib/auth/capabilities.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,aAAa,EAAE,gBAAgB;IAE/B,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,gBAAgB,EAAE,oBAAoB;IACtC,aAAa,EAAE,gBAAgB;IAC/B,UAAU,EAAE,aAAa;IAEzB,YAAY,EAAE,eAAe;IAC7B,OAAO,EAAE,UAAU;IACnB,eAAe,EAAE,mBAAmB;IAEpC,SAAS,EAAE,YAAY;IACvB,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,UAAU,EAAE,aAAa;IAEzB,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,UAAU,EAAE,aAAa;IAEzB,UAAU,EAAE,aAAa;IACzB,UAAU,EAAE,aAAa;IACzB,UAAU,EAAE,aAAa;IACzB,YAAY,EAAE,eAAe;IAC7B,QAAQ,EAAE,WAAW;IAErB,SAAS,EAAE,YAAY;IAEvB,uEAAuE;IACvE,4DAA4D;IAC5D,mBAAmB,EAAE,uBAAuB;CACpC,CAAC;AAIX,4DAA4D;AAC5D,MAAM,CAAC,MAAM,gBAAgB,GAC3B,MAAM,CAAC,MAAM,CAAC,UAAU,CAAmC,CAAC"}
@@ -2,7 +2,7 @@
2
2
  * DynamoDB-backed claims cache for the pre-token-generation Lambda
3
3
  * (T2 — JIT provisioning).
4
4
  *
5
- * Storage layout (single-table on the existing `{stage}-skybber` table):
5
+ * Storage layout (single-table on the existing `{stage}-trellis` table):
6
6
  * pk = `claims:{cognitoSub}`
7
7
  * sk = `meta`
8
8
  * ttl = epoch seconds; DynamoDB-managed expiry plus a manual check on read
@@ -16,7 +16,7 @@
16
16
  */
17
17
  import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
18
18
  export interface CachedClaims {
19
- /** Skybber `User.id` (cuid). May be empty string for drift sentinel. */
19
+ /** Trellis `User.id` (cuid). May be empty string for drift sentinel. */
20
20
  userId: string;
21
21
  /** Global `UserRole` enum value. May be empty string for drift sentinel. */
22
22
  globalRole: string;
@@ -1,9 +1,8 @@
1
- "use strict";
2
1
  /**
3
2
  * DynamoDB-backed claims cache for the pre-token-generation Lambda
4
3
  * (T2 — JIT provisioning).
5
4
  *
6
- * Storage layout (single-table on the existing `{stage}-skybber` table):
5
+ * Storage layout (single-table on the existing `{stage}-trellis` table):
7
6
  * pk = `claims:{cognitoSub}`
8
7
  * sk = `meta`
9
8
  * ttl = epoch seconds; DynamoDB-managed expiry plus a manual check on read
@@ -15,19 +14,16 @@
15
14
  * pre-token-gen invocations for the same user (rare, but possible during a
16
15
  * burst of token refreshes) cannot stale-overwrite a fresh entry.
17
16
  */
18
- Object.defineProperty(exports, "__esModule", { value: true });
19
- exports.ClaimsCache = exports.DEFAULT_CACHE_TTL_SECONDS = void 0;
20
- exports.createClaimsCacheFromEnv = createClaimsCacheFromEnv;
21
- const client_dynamodb_1 = require("@aws-sdk/client-dynamodb");
22
- const util_dynamodb_1 = require("@aws-sdk/util-dynamodb");
23
- exports.DEFAULT_CACHE_TTL_SECONDS = 3600;
17
+ import { DynamoDBClient, GetItemCommand, PutItemCommand, DeleteItemCommand, } from "@aws-sdk/client-dynamodb";
18
+ import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
19
+ export const DEFAULT_CACHE_TTL_SECONDS = 3600;
24
20
  function pkFor(cognitoSub) {
25
21
  return `claims:${cognitoSub}`;
26
22
  }
27
23
  function nowSeconds() {
28
24
  return Math.floor(Date.now() / 1000);
29
25
  }
30
- class ClaimsCache {
26
+ export class ClaimsCache {
31
27
  client;
32
28
  tableName;
33
29
  constructor(client, tableName) {
@@ -40,13 +36,13 @@ class ClaimsCache {
40
36
  * eventually delete them.
41
37
  */
42
38
  async get(cognitoSub) {
43
- const result = await this.client.send(new client_dynamodb_1.GetItemCommand({
39
+ const result = await this.client.send(new GetItemCommand({
44
40
  TableName: this.tableName,
45
- Key: (0, util_dynamodb_1.marshall)({ pk: pkFor(cognitoSub), sk: "meta" }),
41
+ Key: marshall({ pk: pkFor(cognitoSub), sk: "meta" }),
46
42
  }));
47
43
  if (!result.Item)
48
44
  return null;
49
- const item = (0, util_dynamodb_1.unmarshall)(result.Item);
45
+ const item = unmarshall(result.Item);
50
46
  const ttl = typeof item.ttl === "number" ? item.ttl : 0;
51
47
  if (!ttl || ttl <= nowSeconds())
52
48
  return null;
@@ -66,13 +62,13 @@ class ClaimsCache {
66
62
  * first-org-tenant heuristic.
67
63
  */
68
64
  async getActiveTenantPreference(cognitoSub) {
69
- const result = await this.client.send(new client_dynamodb_1.GetItemCommand({
65
+ const result = await this.client.send(new GetItemCommand({
70
66
  TableName: this.tableName,
71
- Key: (0, util_dynamodb_1.marshall)({ pk: pkFor(cognitoSub), sk: "meta" }),
67
+ Key: marshall({ pk: pkFor(cognitoSub), sk: "meta" }),
72
68
  }));
73
69
  if (!result.Item)
74
70
  return null;
75
- const item = (0, util_dynamodb_1.unmarshall)(result.Item);
71
+ const item = unmarshall(result.Item);
76
72
  const activeTenantId = item.activeTenantId ?? "";
77
73
  return activeTenantId || null;
78
74
  }
@@ -82,12 +78,12 @@ class ClaimsCache {
82
78
  * overwrite a fresher row. On collision we silently swallow the
83
79
  * conditional-check failure — the cache still holds an acceptable value.
84
80
  */
85
- async put(cognitoSub, claims, ttlSeconds = exports.DEFAULT_CACHE_TTL_SECONDS) {
81
+ async put(cognitoSub, claims, ttlSeconds = DEFAULT_CACHE_TTL_SECONDS) {
86
82
  const expiresAt = nowSeconds() + ttlSeconds;
87
83
  try {
88
- await this.client.send(new client_dynamodb_1.PutItemCommand({
84
+ await this.client.send(new PutItemCommand({
89
85
  TableName: this.tableName,
90
- Item: (0, util_dynamodb_1.marshall)({
86
+ Item: marshall({
91
87
  pk: pkFor(cognitoSub),
92
88
  sk: "meta",
93
89
  userId: claims.userId,
@@ -100,7 +96,7 @@ class ClaimsCache {
100
96
  }),
101
97
  ConditionExpression: "attribute_not_exists(#ttl) OR #ttl < :incomingTtl",
102
98
  ExpressionAttributeNames: { "#ttl": "ttl" },
103
- ExpressionAttributeValues: (0, util_dynamodb_1.marshall)({ ":incomingTtl": expiresAt }),
99
+ ExpressionAttributeValues: marshall({ ":incomingTtl": expiresAt }),
104
100
  }));
105
101
  }
106
102
  catch (err) {
@@ -116,24 +112,23 @@ class ClaimsCache {
116
112
  * RDS rather than serving a stale role.
117
113
  */
118
114
  async invalidate(cognitoSub) {
119
- await this.client.send(new client_dynamodb_1.DeleteItemCommand({
115
+ await this.client.send(new DeleteItemCommand({
120
116
  TableName: this.tableName,
121
- Key: (0, util_dynamodb_1.marshall)({ pk: pkFor(cognitoSub), sk: "meta" }),
117
+ Key: marshall({ pk: pkFor(cognitoSub), sk: "meta" }),
122
118
  }));
123
119
  }
124
120
  }
125
- exports.ClaimsCache = ClaimsCache;
126
121
  /**
127
122
  * Convenience constructor used by the Lambda handler. Reads the table name
128
123
  * from `DYNAMODB_TABLE` and the region from `AWS_REGION`. Tests construct
129
124
  * a `ClaimsCache` directly with a mock client.
130
125
  */
131
- function createClaimsCacheFromEnv() {
126
+ export function createClaimsCacheFromEnv() {
132
127
  const tableName = process.env.DYNAMODB_TABLE;
133
128
  if (!tableName) {
134
129
  throw new Error("DYNAMODB_TABLE env var is required for ClaimsCache");
135
130
  }
136
- const client = new client_dynamodb_1.DynamoDBClient({ region: process.env.AWS_REGION });
131
+ const client = new DynamoDBClient({ region: process.env.AWS_REGION });
137
132
  return new ClaimsCache(client, tableName);
138
133
  }
139
134
  //# sourceMappingURL=claims-cache.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"claims-cache.js","sourceRoot":"","sources":["../../../src/lib/auth/claims-cache.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AAiJH,4DAOC;AAtJD,8DAKkC;AAClC,0DAA8D;AAiBjD,QAAA,yBAAyB,GAAG,IAAI,CAAC;AAE9C,SAAS,KAAK,CAAC,UAAkB;IAC/B,OAAO,UAAU,UAAU,EAAE,CAAC;AAChC,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,MAAa,WAAW;IAEH;IACA;IAFnB,YACmB,MAAsB,EACtB,SAAiB;QADjB,WAAM,GAAN,MAAM,CAAgB;QACtB,cAAS,GAAT,SAAS,CAAQ;IACjC,CAAC;IAEJ;;;;OAIG;IACH,KAAK,CAAC,GAAG,CAAC,UAAkB;QAC1B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACnC,IAAI,gCAAc,CAAC;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,GAAG,EAAE,IAAA,wBAAQ,EAAC,EAAE,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;SACrD,CAAC,CACH,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAC9B,MAAM,IAAI,GAAG,IAAA,0BAAU,EAAC,MAAM,CAAC,IAAI,CAA4B,CAAC;QAChE,MAAM,GAAG,GAAG,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACxD,IAAI,CAAC,GAAG,IAAI,GAAG,IAAI,UAAU,EAAE;YAAE,OAAO,IAAI,CAAC;QAC7C,OAAO;YACL,MAAM,EAAG,IAAI,CAAC,MAA6B,IAAI,EAAE;YACjD,UAAU,EAAG,IAAI,CAAC,UAAiC,IAAI,EAAE;YACzD,cAAc,EAAG,IAAI,CAAC,cAAqC,IAAI,EAAE;YACjE,UAAU,EAAG,IAAI,CAAC,UAAiC,IAAI,EAAE;YACzD,UAAU,EAAG,IAAI,CAAC,UAAiC,IAAI,EAAE;YACzD,MAAM,EAAG,IAAI,CAAC,MAA6B,IAAI,EAAE;SAClD,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,yBAAyB,CAAC,UAAkB;QAChD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACnC,IAAI,gCAAc,CAAC;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,GAAG,EAAE,IAAA,wBAAQ,EAAC,EAAE,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;SACrD,CAAC,CACH,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAC9B,MAAM,IAAI,GAAG,IAAA,0BAAU,EAAC,MAAM,CAAC,IAAI,CAA4B,CAAC;QAChE,MAAM,cAAc,GAAI,IAAI,CAAC,cAAqC,IAAI,EAAE,CAAC;QACzE,OAAO,cAAc,IAAI,IAAI,CAAC;IAChC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAG,CACP,UAAkB,EAClB,MAAoB,EACpB,aAAqB,iCAAyB;QAE9C,MAAM,SAAS,GAAG,UAAU,EAAE,GAAG,UAAU,CAAC;QAC5C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CA
CpB,IAAI,gCAAc,CAAC;gBACjB,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,IAAI,EAAE,IAAA,wBAAQ,EAAC;oBACb,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC;oBACrB,EAAE,EAAE,MAAM;oBACV,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,cAAc,EAAE,MAAM,CAAC,cAAc;oBACrC,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,GAAG,EAAE,SAAS;iBACf,CAAC;gBACF,mBAAmB,EAAE,mDAAmD;gBACxE,wBAAwB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;gBAC3C,yBAAyB,EAAE,IAAA,wBAAQ,EAAC,EAAE,cAAc,EAAE,SAAS,EAAE,CAAC;aACnE,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,GAAI,GAAyB,CAAC,IAAI,CAAC;YAC7C,IAAI,IAAI,KAAK,iCAAiC;gBAAE,OAAO;YACvD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,UAAU,CAAC,UAAkB;QACjC,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,mCAAiB,CAAC;YACpB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,GAAG,EAAE,IAAA,wBAAQ,EAAC,EAAE,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;SACrD,CAAC,CACH,CAAC;IACJ,CAAC;CACF;AAvGD,kCAuGC;AAED;;;;GAIG;AACH,SAAgB,wBAAwB;IACtC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAC7C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,gCAAc,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;IACtE,OAAO,IAAI,WAAW,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;AAC5C,CAAC"}
1
+ {"version":3,"file":"claims-cache.js","sourceRoot":"","sources":["../../../src/lib/auth/claims-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EACL,cAAc,EACd,cAAc,EACd,cAAc,EACd,iBAAiB,GAClB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAiB9D,MAAM,CAAC,MAAM,yBAAyB,GAAG,IAAI,CAAC;AAE9C,SAAS,KAAK,CAAC,UAAkB;IAC/B,OAAO,UAAU,UAAU,EAAE,CAAC;AAChC,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,OAAO,WAAW;IAEH;IACA;IAFnB,YACmB,MAAsB,EACtB,SAAiB;QADjB,WAAM,GAAN,MAAM,CAAgB;QACtB,cAAS,GAAT,SAAS,CAAQ;IACjC,CAAC;IAEJ;;;;OAIG;IACH,KAAK,CAAC,GAAG,CAAC,UAAkB;QAC1B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACnC,IAAI,cAAc,CAAC;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,GAAG,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;SACrD,CAAC,CACH,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAC9B,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,IAAI,CAA4B,CAAC;QAChE,MAAM,GAAG,GAAG,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACxD,IAAI,CAAC,GAAG,IAAI,GAAG,IAAI,UAAU,EAAE;YAAE,OAAO,IAAI,CAAC;QAC7C,OAAO;YACL,MAAM,EAAG,IAAI,CAAC,MAA6B,IAAI,EAAE;YACjD,UAAU,EAAG,IAAI,CAAC,UAAiC,IAAI,EAAE;YACzD,cAAc,EAAG,IAAI,CAAC,cAAqC,IAAI,EAAE;YACjE,UAAU,EAAG,IAAI,CAAC,UAAiC,IAAI,EAAE;YACzD,UAAU,EAAG,IAAI,CAAC,UAAiC,IAAI,EAAE;YACzD,MAAM,EAAG,IAAI,CAAC,MAA6B,IAAI,EAAE;SAClD,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,yBAAyB,CAAC,UAAkB;QAChD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACnC,IAAI,cAAc,CAAC;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,GAAG,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;SACrD,CAAC,CACH,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAC9B,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,IAAI,CAA4B,CAAC;QAChE,MAAM,cAAc,GAAI,IAAI,CAAC,cAAqC,IAAI,EAAE,CAAC;QACzE,OAAO,cAAc,IAAI,IAAI,CAAC;IAChC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAG,CACP,UAAkB,EAClB,MAAoB,EACpB,aAAqB,yBAAyB;QAE9C,MAAM,SAAS,GAAG,UA
AU,EAAE,GAAG,UAAU,CAAC;QAC5C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,cAAc,CAAC;gBACjB,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,IAAI,EAAE,QAAQ,CAAC;oBACb,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC;oBACrB,EAAE,EAAE,MAAM;oBACV,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,cAAc,EAAE,MAAM,CAAC,cAAc;oBACrC,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,GAAG,EAAE,SAAS;iBACf,CAAC;gBACF,mBAAmB,EAAE,mDAAmD;gBACxE,wBAAwB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;gBAC3C,yBAAyB,EAAE,QAAQ,CAAC,EAAE,cAAc,EAAE,SAAS,EAAE,CAAC;aACnE,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,GAAI,GAAyB,CAAC,IAAI,CAAC;YAC7C,IAAI,IAAI,KAAK,iCAAiC;gBAAE,OAAO;YACvD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,UAAU,CAAC,UAAkB;QACjC,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,iBAAiB,CAAC;YACpB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,GAAG,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;SACrD,CAAC,CACH,CAAC;IACJ,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB;IACtC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAC7C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;IACtE,OAAO,IAAI,WAAW,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;AAC5C,CAAC"}
@@ -1,8 +1,14 @@
1
1
  /**
2
2
  * Cognito JWT Verification
3
3
  *
4
- * Validates Cognito-issued JWTs using the aws-jwt-verify library.
5
- * Caches the JWKS locally to avoid network calls per request.
4
+ * Validates Cognito-issued JWTs via `@de-otio/vestibulum`'s
5
+ * `createMultiPoolVerifier`. Trellis is single-pool, so the verifier is
6
+ * configured with a one-element pool array — the idiomatic single-pool
7
+ * shape. The underlying `aws-jwt-verify` JWKS cache lives inside the
8
+ * vestibulum verifier (transitive dependency).
9
+ *
10
+ * The verifier is lazily constructed and recreated if older than 24
11
+ * hours to refresh the pinned JWKS.
6
12
  */
7
13
  /** Reset the verifier to force JWKS refresh on next call */
8
14
  export declare function resetVerifier(): void;
@@ -21,6 +27,18 @@ export interface CognitoJwtClaims {
21
27
  "custom:handle"?: string;
22
28
  "custom:dataRegion"?: string;
23
29
  }
30
+ /**
31
+ * Verify a Cognito JWT and return its narrowed claims.
32
+ *
33
+ * Throws on any verification failure (expired, bad signature, wrong
34
+ * client/issuer/token_use, malformed). This preserves the previous
35
+ * throw-on-invalid contract that callers rely on (auth-middleware and
36
+ * the session manager both treat a throw as "not authenticated").
37
+ *
38
+ * On a `MultiPoolVerifierError` (which can include JWKS-key-not-found
39
+ * surfaced as invalid_signature), we reset the verifier to refresh the
40
+ * JWKS and retry once — mirroring the previous S1.5 behaviour.
41
+ */
24
42
  export declare function verifyCognitoJwt(token: string): Promise<CognitoJwtClaims>;
25
43
  export declare function extractBearerToken(authHeader: string | null): string | null;
26
44
  //# sourceMappingURL=cognito-jwt.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"cognito-jwt.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/cognito-jwt.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA2BH,4DAA4D;AAC5D,wBAAgB,aAAa,SAG5B;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gDAAgD;IAChD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iCAAiC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAU/E;AAED,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAG3E"}
1
+ {"version":3,"file":"cognito-jwt.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/cognito-jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAwCH,4DAA4D;AAC5D,wBAAgB,aAAa,SAG5B;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gDAAgD;IAChD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iCAAiC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AA2CD;;;;;;;;;;;GAWG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAa/E;AAED,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAG3E"}
@@ -1,54 +1,114 @@
1
- "use strict";
2
1
  /**
3
2
  * Cognito JWT Verification
4
3
  *
5
- * Validates Cognito-issued JWTs using the aws-jwt-verify library.
6
- * Caches the JWKS locally to avoid network calls per request.
4
+ * Validates Cognito-issued JWTs via `@de-otio/vestibulum`'s
5
+ * `createMultiPoolVerifier`. Trellis is single-pool, so the verifier is
6
+ * configured with a one-element pool array — the idiomatic single-pool
7
+ * shape. The underlying `aws-jwt-verify` JWKS cache lives inside the
8
+ * vestibulum verifier (transitive dependency).
9
+ *
10
+ * The verifier is lazily constructed and recreated if older than 24
11
+ * hours to refresh the pinned JWKS.
7
12
  */
8
- Object.defineProperty(exports, "__esModule", { value: true });
9
- exports.resetVerifier = resetVerifier;
10
- exports.verifyCognitoJwt = verifyCognitoJwt;
11
- exports.extractBearerToken = extractBearerToken;
12
- const aws_jwt_verify_1 = require("aws-jwt-verify");
13
+ import { createMultiPoolVerifier, MultiPoolVerifierError, } from "@de-otio/vestibulum";
13
14
  let verifier = null;
14
15
  let lastCreated = 0;
15
16
  const VERIFIER_MAX_AGE_MS = 24 * 60 * 60 * 1000; // 24 hours
16
17
  function getVerifier() {
17
18
  const now = Date.now();
18
19
  // S1.5 — Recreate verifier if older than 24 hours to refresh JWKS
19
- if (!verifier || (now - lastCreated > VERIFIER_MAX_AGE_MS)) {
20
+ if (!verifier || now - lastCreated > VERIFIER_MAX_AGE_MS) {
20
21
  const userPoolId = process.env.COGNITO_USER_POOL_ID;
21
22
  const clientId = process.env.COGNITO_APP_CLIENT_ID;
22
23
  if (!userPoolId || !clientId) {
23
24
  throw new Error("COGNITO_USER_POOL_ID and COGNITO_APP_CLIENT_ID must be set");
24
25
  }
25
- verifier = aws_jwt_verify_1.CognitoJwtVerifier.create({
26
- userPoolId,
27
- tokenUse: "id",
28
- clientId,
29
- });
26
+ const region = process.env.COGNITO_REGION ?? process.env.AWS_REGION ?? "us-east-1";
27
+ // Single-pool config: one PoolConfig is the correct, idiomatic shape
28
+ // for a single-pool consumer. tokenUse "id" preserves the previous
29
+ // CognitoJwtVerifier.create({ tokenUse: "id" }) contract.
30
+ verifier = createMultiPoolVerifier([
31
+ {
32
+ poolKey: "default",
33
+ userPoolId,
34
+ clientId,
35
+ region,
36
+ tokenUse: "id",
37
+ },
38
+ ]);
30
39
  lastCreated = now;
31
40
  }
32
41
  return verifier;
33
42
  }
34
43
  /** Reset the verifier to force JWKS refresh on next call */
35
- function resetVerifier() {
44
+ export function resetVerifier() {
36
45
  verifier = null;
37
46
  lastCreated = 0;
38
47
  }
39
- async function verifyCognitoJwt(token) {
48
+ /**
49
+ * Narrow vestibulum's `Record<string, unknown>` claims onto the trellis
50
+ * `CognitoJwtClaims` shape. The known fields (sub, username, email,
51
+ * custom:*) are read explicitly; everything else is dropped.
52
+ *
53
+ * `sub` is always present on a verified Cognito token; `username` is
54
+ * the Cognito `cognito:username` claim on ID tokens. We coerce missing
55
+ * string claims to "" defensively rather than throwing — callers that
56
+ * require a field already guard for it (e.g. auth-middleware checks
57
+ * custom:userId / custom:activeTenantId).
58
+ */
59
+ function narrowClaims(claims) {
60
+ const asString = (v) => typeof v === "string" ? v : undefined;
61
+ const result = {
62
+ sub: asString(claims.sub) ?? "",
63
+ username: asString(claims["cognito:username"]) ?? asString(claims.username) ?? "",
64
+ };
65
+ const optional = [
66
+ "email",
67
+ "custom:userId",
68
+ "custom:role",
69
+ "custom:globalRole",
70
+ "custom:activeTenantId",
71
+ "custom:tenantSlug",
72
+ "custom:tenantRole",
73
+ "custom:handle",
74
+ "custom:dataRegion",
75
+ ];
76
+ for (const key of optional) {
77
+ const value = asString(claims[key]);
78
+ if (value !== undefined) {
79
+ result[key] = value;
80
+ }
81
+ }
82
+ return result;
83
+ }
84
+ /**
85
+ * Verify a Cognito JWT and return its narrowed claims.
86
+ *
87
+ * Throws on any verification failure (expired, bad signature, wrong
88
+ * client/issuer/token_use, malformed). This preserves the previous
89
+ * throw-on-invalid contract that callers rely on (auth-middleware and
90
+ * the session manager both treat a throw as "not authenticated").
91
+ *
92
+ * On a `MultiPoolVerifierError` (which can include JWKS-key-not-found
93
+ * surfaced as invalid_signature), we reset the verifier to refresh the
94
+ * JWKS and retry once — mirroring the previous S1.5 behaviour.
95
+ */
96
+ export async function verifyCognitoJwt(token) {
40
97
  try {
41
- const payload = await getVerifier().verify(token);
42
- return payload;
98
+ const verified = await getVerifier().verify(token);
99
+ return narrowClaims(verified.claims);
43
100
  }
44
101
  catch (err) {
45
- // S1.5 — On verification failure, reset verifier to refresh JWKS and retry once
46
- resetVerifier();
47
- const payload = await getVerifier().verify(token);
48
- return payload;
102
+ // S1.5 — On verification failure, reset verifier to refresh JWKS and retry once.
103
+ if (err instanceof MultiPoolVerifierError) {
104
+ resetVerifier();
105
+ const verified = await getVerifier().verify(token);
106
+ return narrowClaims(verified.claims);
107
+ }
108
+ throw err;
49
109
  }
50
110
  }
51
- function extractBearerToken(authHeader) {
111
+ export function extractBearerToken(authHeader) {
52
112
  if (!authHeader?.startsWith("Bearer "))
53
113
  return null;
54
114
  return authHeader.slice(7);
@@ -1 +1 @@
1
- {"version":3,"file":"cognito-jwt.js","sourceRoot":"","sources":["../../../src/lib/auth/cognito-jwt.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AA4BH,sCAGC;AAkBD,4CAUC;AAED,gDAGC;AA9DD,mDAAoD;AAEpD,IAAI,QAAQ,GAAwD,IAAI,CAAC;AACzE,IAAI,WAAW,GAAG,CAAC,CAAC;AACpB,MAAM,mBAAmB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;AAE5D,SAAS,WAAW;IAClB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,kEAAkE;IAClE,IAAI,CAAC,QAAQ,IAAI,CAAC,GAAG,GAAG,WAAW,GAAG,mBAAmB,CAAC,EAAE,CAAC;QAC3D,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;QACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;QACnD,IAAI,CAAC,UAAU,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,QAAQ,GAAG,mCAAkB,CAAC,MAAM,CAAC;YACnC,UAAU;YACV,QAAQ,EAAE,IAAI;YACd,QAAQ;SACT,CAAC,CAAC;QACH,WAAW,GAAG,GAAG,CAAC;IACpB,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,4DAA4D;AAC5D,SAAgB,aAAa;IAC3B,QAAQ,GAAG,IAAI,CAAC;IAChB,WAAW,GAAG,CAAC,CAAC;AAClB,CAAC;AAkBM,KAAK,UAAU,gBAAgB,CAAC,KAAa;IAClD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAClD,OAAO,OAAsC,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,gFAAgF;QAChF,aAAa,EAAE,CAAC;QAChB,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAClD,OAAO,OAAsC,CAAC;IAChD,CAAC;AACH,CAAC;AAED,SAAgB,kBAAkB,CAAC,UAAyB;IAC1D,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAC7B,CAAC"}
1
+ {"version":3,"file":"cognito-jwt.js","sourceRoot":"","sources":["../../../src/lib/auth/cognito-jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EACL,uBAAuB,EACvB,sBAAsB,GAEvB,MAAM,qBAAqB,CAAC;AAE7B,IAAI,QAAQ,GAA6B,IAAI,CAAC;AAC9C,IAAI,WAAW,GAAG,CAAC,CAAC;AACpB,MAAM,mBAAmB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;AAE5D,SAAS,WAAW;IAClB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,kEAAkE;IAClE,IAAI,CAAC,QAAQ,IAAI,GAAG,GAAG,WAAW,GAAG,mBAAmB,EAAE,CAAC;QACzD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;QACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;QACnD,IAAI,CAAC,UAAU,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,MAAM,MAAM,GACV,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,WAAW,CAAC;QACtE,qEAAqE;QACrE,mEAAmE;QACnE,0DAA0D;QAC1D,QAAQ,GAAG,uBAAuB,CAAC;YACjC;gBACE,OAAO,EAAE,SAAS;gBAClB,UAAU;gBACV,QAAQ;gBACR,MAAM;gBACN,QAAQ,EAAE,IAAI;aACf;SACF,CAAC,CAAC;QACH,WAAW,GAAG,GAAG,CAAC;IACpB,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,4DAA4D;AAC5D,MAAM,UAAU,aAAa;IAC3B,QAAQ,GAAG,IAAI,CAAC;IAChB,WAAW,GAAG,CAAC,CAAC;AAClB,CAAC;AAkBD;;;;;;;;;;GAUG;AACH,SAAS,YAAY,CAAC,MAAyC;IAC7D,MAAM,QAAQ,GAAG,CAAC,CAAU,EAAsB,EAAE,CAClD,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAExC,MAAM,MAAM,GAAqB;QAC/B,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE;QAC/B,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,IAAI,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE;KAClF,CAAC;IAEF,MAAM,QAAQ,GAA+B;QAC3C,OAAO;QACP,eAAe;QACf,aAAa;QACb,mBAAmB;QACnB,uBAAuB;QACvB,mBAAmB;QACnB,mBAAmB;QACnB,eAAe;QACf,mBAAmB;KACpB,CAAC;IACF,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAa;IAClD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnD,OAAO,YAAY,CAAC,QAAQ,CAAC,MAAM
,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,iFAAiF;QACjF,IAAI,GAAG,YAAY,sBAAsB,EAAE,CAAC;YAC1C,aAAa,EAAE,CAAC;YAChB,MAAM,QAAQ,GAAG,MAAM,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnD,OAAO,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,UAAyB;IAC1D,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAC7B,CAAC"}
@@ -9,7 +9,7 @@
9
9
  * All URL parameters are server-derived; callers supply only the Prisma-loaded
10
10
  * cognitoIdpName — no arbitrary IdP names accepted from request input.
11
11
  */
12
- export { cognitoIdpName } from "../tenant/idp-name";
12
+ export { cognitoIdpName } from "../tenant/idp-name.js";
13
13
  export interface IdpRedirectConfig {
14
14
  hostedUiDomain: string;
15
15
  clientId: string;
@@ -1 +1 @@
1
- {"version":3,"file":"idp-redirect-builder.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/idp-redirect-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEpD,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,iBAAiB,GACxB,MAAM,CAUR;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE;IACxC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B,GAAG,iBAAiB,CAMpB"}
1
+ {"version":3,"file":"idp-redirect-builder.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/idp-redirect-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAEvD,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,iBAAiB,GACxB,MAAM,CAUR;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE;IACxC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B,GAAG,iBAAiB,CAMpB"}
@@ -1,4 +1,3 @@
1
- "use strict";
2
1
  /**
3
2
  * Builds the Cognito Hosted UI OAuth2 authorization URL for federated sign-in.
4
3
  *
@@ -10,19 +9,14 @@
10
9
  * All URL parameters are server-derived; callers supply only the Prisma-loaded
11
10
  * cognitoIdpName — no arbitrary IdP names accepted from request input.
12
11
  */
13
- Object.defineProperty(exports, "__esModule", { value: true });
14
- exports.cognitoIdpName = void 0;
15
- exports.buildIdpRedirectUrl = buildIdpRedirectUrl;
16
- exports.getIdpRedirectConfig = getIdpRedirectConfig;
17
- var idp_name_1 = require("../tenant/idp-name");
18
- Object.defineProperty(exports, "cognitoIdpName", { enumerable: true, get: function () { return idp_name_1.cognitoIdpName; } });
12
+ export { cognitoIdpName } from "../tenant/idp-name.js";
19
13
  /**
20
14
  * Builds the Cognito Hosted UI authorization URL.
21
15
  *
22
16
  * Scope is always `openid email profile` — no caller-supplied scope to prevent
23
17
  * privilege escalation via scope injection.
24
18
  */
25
- function buildIdpRedirectUrl(config, params) {
19
+ export function buildIdpRedirectUrl(config, params) {
26
20
  const base = `https://${config.hostedUiDomain}/oauth2/authorize`;
27
21
  const qs = new URLSearchParams({
28
22
  identity_provider: params.cognitoIdpName,
@@ -38,9 +32,9 @@ function buildIdpRedirectUrl(config, params) {
38
32
  * Env vars read here are defined in src/env.ts and must come from there —
39
33
  * no direct process.env access outside buildEnv().
40
34
  */
41
- function getIdpRedirectConfig(env) {
35
+ export function getIdpRedirectConfig(env) {
42
36
  return {
43
- hostedUiDomain: env.COGNITO_HOSTED_UI_DOMAIN ?? "auth.skybber.com",
37
+ hostedUiDomain: env.COGNITO_HOSTED_UI_DOMAIN ?? "auth.example.com",
44
38
  clientId: env.COGNITO_APP_CLIENT_ID ?? "",
45
39
  redirectUri: env.COGNITO_REDIRECT_URI ?? "",
46
40
  };
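Review bot: `getIdpRedirectConfig` still fails open on missing configuration: when `COGNITO_HOSTED_UI_DOMAIN` is unset it now returns the placeholder `"auth.example.com"`, and `clientId` / `redirectUri` fall back to `""`. `buildIdpRedirectUrl` in this same file interpolates `config.hostedUiDomain` straight into `https://${config.hostedUiDomain}/oauth2/authorize`, so a misconfigured deployment would redirect sign-in traffic to a host the operator does not control rather than stopping. I would reject incomplete configuration up front, for example `if (!env.COGNITO_HOSTED_UI_DOMAIN || !env.COGNITO_APP_CLIENT_ID || !env.COGNITO_REDIRECT_URI) throw new Error("Cognito Hosted UI configuration is incomplete");`, and drop the three `??` defaults. This file is compiled output, so the change belongs in `src/lib/auth/idp-redirect-builder.ts`; the closing brace of the function lies outside the hunk.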
@@ -1 +1 @@
1
- {"version":3,"file":"idp-redirect-builder.js","sourceRoot":"","sources":["../../../src/lib/auth/idp-redirect-builder.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AA0BH,kDAaC;AAOD,oDAUC;AAtDD,+CAAoD;AAA3C,0GAAA,cAAc,OAAA;AAkBvB;;;;;GAKG;AACH,SAAgB,mBAAmB,CACjC,MAAyB,EACzB,MAAyB;IAEzB,MAAM,IAAI,GAAG,WAAW,MAAM,CAAC,cAAc,mBAAmB,CAAC;IACjE,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC;QAC7B,iBAAiB,EAAE,MAAM,CAAC,cAAc;QACxC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,sBAAsB;KAC9B,CAAC,CAAC;IACH,OAAO,GAAG,IAAI,IAAI,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC;AACpC,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,GAIpC;IACC,OAAO;QACL,cAAc,EAAE,GAAG,CAAC,wBAAwB,IAAI,kBAAkB;QAClE,QAAQ,EAAE,GAAG,CAAC,qBAAqB,IAAI,EAAE;QACzC,WAAW,EAAE,GAAG,CAAC,oBAAoB,IAAI,EAAE;KAC5C,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"idp-redirect-builder.js","sourceRoot":"","sources":["../../../src/lib/auth/idp-redirect-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAkBvD;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAAyB,EACzB,MAAyB;IAEzB,MAAM,IAAI,GAAG,WAAW,MAAM,CAAC,cAAc,mBAAmB,CAAC;IACjE,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC;QAC7B,iBAAiB,EAAE,MAAM,CAAC,cAAc;QACxC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,sBAAsB;KAC9B,CAAC,CAAC;IACH,OAAO,GAAG,IAAI,IAAI,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC;AACpC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAIpC;IACC,OAAO;QACL,cAAc,EAAE,GAAG,CAAC,wBAAwB,IAAI,kBAAkB;QAClE,QAAQ,EAAE,GAAG,CAAC,qBAAqB,IAAI,EAAE;QACzC,WAAW,EAAE,GAAG,CAAC,oBAAoB,IAAI,EAAE;KAC5C,CAAC;AACJ,CAAC"}
@@ -8,10 +8,10 @@
8
8
  * SUPER_ADMIN bypasses every check (platform-wide override).
9
9
  */
10
10
  import type { TenantRole } from "@prisma/client";
11
- import type { AuthContext } from "./auth-context";
12
- import { type CapabilityValue } from "./capabilities";
13
- export { Capability, type CapabilityValue } from "./capabilities";
14
- export { RoleGrants } from "./role-grants";
11
+ import type { AuthContext } from "./auth-context.js";
12
+ import { type CapabilityValue } from "./capabilities.js";
13
+ export { Capability, type CapabilityValue } from "./capabilities.js";
14
+ export { RoleGrants } from "./role-grants.js";
15
15
  /**
16
16
  * Returns a 403 Response if the caller's tenant role is below `minRole`,
17
17
  * or null if the check passes. SUPER_ADMIN bypasses.
@@ -1 +1 @@
1
- {"version":3,"file":"require.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/require.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAY,MAAM,gBAAgB,CAAC;AAC3D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAc,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGlE,OAAO,EAAE,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAoB3C;;;GAGG;AACH,wBAAgB,WAAW,CACzB,IAAI,EAAE,WAAW,EACjB,OAAO,EAAE,UAAU,GAClB,QAAQ,GAAG,IAAI,CAIjB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,wBAAwB;IACvC,mEAAmE;IACnE,QAAQ,CAAC,EAAE,kBAAkB,CAAC;CAC/B;AA6BD;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,eAAe,EACpB,OAAO,GAAE,wBAA6B,GACrC,QAAQ,GAAG,IAAI,CAcjB"}
1
+ {"version":3,"file":"require.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/require.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAY,MAAM,gBAAgB,CAAC;AAC3D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAc,KAAK,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGrE,OAAO,EAAE,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAoB9C;;;GAGG;AACH,wBAAgB,WAAW,CACzB,IAAI,EAAE,WAAW,EACjB,OAAO,EAAE,UAAU,GAClB,QAAQ,GAAG,IAAI,CAIjB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,wBAAwB;IACvC,mEAAmE;IACnE,QAAQ,CAAC,EAAE,kBAAkB,CAAC;CAC/B;AA6BD;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,eAAe,EACpB,OAAO,GAAE,wBAA6B,GACrC,QAAQ,GAAG,IAAI,CAcjB"}
@@ -1,4 +1,3 @@
1
- "use strict";
2
1
  /**
3
2
  * Authorization helpers — role and capability gating.
4
3
  *
@@ -8,16 +7,10 @@
8
7
  *
9
8
  * SUPER_ADMIN bypasses every check (platform-wide override).
10
9
  */
11
- Object.defineProperty(exports, "__esModule", { value: true });
12
- exports.RoleGrants = exports.Capability = void 0;
13
- exports.requireRole = requireRole;
14
- exports.requireCapability = requireCapability;
15
- const capabilities_1 = require("./capabilities");
16
- const role_grants_1 = require("./role-grants");
17
- var capabilities_2 = require("./capabilities");
18
- Object.defineProperty(exports, "Capability", { enumerable: true, get: function () { return capabilities_2.Capability; } });
19
- var role_grants_2 = require("./role-grants");
20
- Object.defineProperty(exports, "RoleGrants", { enumerable: true, get: function () { return role_grants_2.RoleGrants; } });
10
+ import { Capability } from "./capabilities.js";
11
+ import { RoleGrants } from "./role-grants.js";
12
+ export { Capability } from "./capabilities.js";
13
+ export { RoleGrants } from "./role-grants.js";
21
14
  const ROLE_RANK = {
22
15
  OWNER: 4,
23
16
  ADMIN: 3,
@@ -34,7 +27,7 @@ function forbidden(message) {
34
27
  * Returns a 403 Response if the caller's tenant role is below `minRole`,
35
28
  * or null if the check passes. SUPER_ADMIN bypasses.
36
29
  */
37
- function requireRole(auth, minRole) {
30
+ export function requireRole(auth, minRole) {
38
31
  if (isSuperAdmin(auth))
39
32
  return null;
40
33
  if (ROLE_RANK[auth.tenantRole] >= ROLE_RANK[minRole])
@@ -52,10 +45,10 @@ function requireRole(auth, minRole) {
52
45
  * (cross-user takedown). MEMBER must own the entity.
53
46
  */
54
47
  const OWN_ONLY_FALLBACK = {
55
- [capabilities_1.Capability.PostUpdate]: capabilities_1.Capability.PostModerate,
56
- [capabilities_1.Capability.PostDelete]: capabilities_1.Capability.PostModerate,
57
- [capabilities_1.Capability.EntityUpdate]: capabilities_1.Capability.PostModerate,
58
- [capabilities_1.Capability.EntityDelete]: capabilities_1.Capability.PostModerate,
48
+ [Capability.PostUpdate]: Capability.PostModerate,
49
+ [Capability.PostDelete]: Capability.PostModerate,
50
+ [Capability.EntityUpdate]: Capability.PostModerate,
51
+ [Capability.EntityDelete]: Capability.PostModerate,
59
52
  };
60
53
  function isOwnedBy(resource, userId) {
61
54
  if (!resource)
@@ -79,10 +72,10 @@ function isOwnedBy(resource, userId) {
79
72
  * If `options.resource` is omitted for an own-only capability, the check is
80
73
  * lenient (caps-only) — callers that load the resource must pass it through.
81
74
  */
82
- function requireCapability(auth, cap, options = {}) {
75
+ export function requireCapability(auth, cap, options = {}) {
83
76
  if (isSuperAdmin(auth))
84
77
  return null;
85
- const grants = role_grants_1.RoleGrants[auth.tenantRole];
78
+ const grants = RoleGrants[auth.tenantRole];
86
79
  if (!grants.has(cap))
87
80
  return forbidden(`Requires capability ${cap}`);
88
81
  const moderationCap = OWN_ONLY_FALLBACK[cap];
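Review bot: The ownership check in `requireCapability` is documented as fail-open: the comment above the function says an omitted `options.resource` makes an own-only capability check "lenient (caps-only)". A route that forgets to pass the loaded entity would presumably let a role holding `PostUpdate` but not `PostModerate` through with no ownership comparison. I would make the lenient path an explicit opt-in, or return `forbidden(...)` when a capability listed in `OWN_ONLY_FALLBACK` arrives without a resource, so that a missing argument denies rather than allows. Separately, `RoleGrants[auth.tenantRole]` is used unguarded, so a `tenantRole` that is not a key of `RoleGrants` makes `grants.has(cap)` throw instead of producing a 403; `if (!grants) return forbidden("Unknown tenant role");` before that line keeps the denial explicit. The body of `requireCapability` continues past the end of this hunk, so the ownership branch itself is not visible here.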
@@ -1 +1 @@
1
- {"version":3,"file":"require.js","sourceRoot":"","sources":["../../../src/lib/auth/require.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAgCH,kCAOC;AA6DD,8CAkBC;AAlHD,iDAAkE;AAClE,+CAA2C;AAE3C,+CAAkE;AAAzD,0GAAA,UAAU,OAAA;AACnB,6CAA2C;AAAlC,yGAAA,UAAU,OAAA;AAEnB,MAAM,SAAS,GAA+B;IAC5C,KAAK,EAAE,CAAC;IACR,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,CAAC;IACT,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,SAAS,YAAY,CAAC,IAAiB;IACrC,OAAO,IAAI,CAAC,UAAU,KAAM,aAA0B,CAAC;AACzD,CAAC;AAED,SAAS,SAAS,CAAC,OAAe;IAChC,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,EAC/C,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,WAAW,CACzB,IAAiB,EACjB,OAAmB;IAEnB,IAAI,YAAY,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,OAAO,SAAS,CAAC,wBAAwB,OAAO,YAAY,CAAC,CAAC;AAChE,CAAC;AAqBD;;;;;;;;;GASG;AACH,MAAM,iBAAiB,GAAsD;IAC3E,CAAC,yBAAU,CAAC,UAAU,CAAC,EAAE,yBAAU,CAAC,YAAY;IAChD,CAAC,yBAAU,CAAC,UAAU,CAAC,EAAE,yBAAU,CAAC,YAAY;IAChD,CAAC,yBAAU,CAAC,YAAY,CAAC,EAAE,yBAAU,CAAC,YAAY;IAClD,CAAC,yBAAU,CAAC,YAAY,CAAC,EAAE,yBAAU,CAAC,YAAY;CACnD,CAAC;AAEF,SAAS,SAAS,CAChB,QAAwC,EACxC,MAAc;IAEd,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,IAAI,QAAQ,CAAC,WAAW,IAAI,QAAQ,CAAC,WAAW,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACzE,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAgB,iBAAiB,CAC/B,IAAiB,EACjB,GAAoB,EACpB,UAAoC,EAAE;IAEtC,IAAI,YAAY,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,MAAM,GAAG,wBAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC3C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC,uBAAuB,GAAG,EAAE,CAAC,CAAC;IAErE,MAAM,aAAa,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAC;IAEhC,IAAI,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,OAAO,CAAC,QAAQ,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAA
C;IAE1D,OAAO,SAAS,CAAC,yBAAyB,aAAa,EAAE,CAAC,CAAC;AAC7D,CAAC"}
1
+ {"version":3,"file":"require.js","sourceRoot":"","sources":["../../../src/lib/auth/require.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,EAAE,UAAU,EAAwB,MAAM,mBAAmB,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,UAAU,EAAwB,MAAM,mBAAmB,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,MAAM,SAAS,GAA+B;IAC5C,KAAK,EAAE,CAAC;IACR,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,CAAC;IACT,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,SAAS,YAAY,CAAC,IAAiB;IACrC,OAAO,IAAI,CAAC,UAAU,KAAM,aAA0B,CAAC;AACzD,CAAC;AAED,SAAS,SAAS,CAAC,OAAe;IAChC,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,EAC/C,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CACzB,IAAiB,EACjB,OAAmB;IAEnB,IAAI,YAAY,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,OAAO,SAAS,CAAC,wBAAwB,OAAO,YAAY,CAAC,CAAC;AAChE,CAAC;AAqBD;;;;;;;;;GASG;AACH,MAAM,iBAAiB,GAAsD;IAC3E,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,UAAU,CAAC,YAAY;IAChD,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,UAAU,CAAC,YAAY;IAChD,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,UAAU,CAAC,YAAY;IAClD,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,UAAU,CAAC,YAAY;CACnD,CAAC;AAEF,SAAS,SAAS,CAChB,QAAwC,EACxC,MAAc;IAEd,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,IAAI,QAAQ,CAAC,WAAW,IAAI,QAAQ,CAAC,WAAW,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACzE,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,iBAAiB,CAC/B,IAAiB,EACjB,GAAoB,EACpB,UAAoC,EAAE;IAEtC,IAAI,YAAY,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC3C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC,uBAAuB,GAAG,EAAE,CAAC,CAAC;IAErE,MAAM,aAAa,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAC;IAEhC,IAAI,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,OAAO,CAAC,QAAQ,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,SAAS,CAAC,OAAO,CAAC,
QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1D,OAAO,SAAS,CAAC,yBAAyB,aAAa,EAAE,CAAC,CAAC;AAC7D,CAAC"}
@@ -13,6 +13,6 @@
13
13
  * GUEST ⊂ MEMBER ⊂ ADMIN ⊂ OWNER.
14
14
  */
15
15
  import type { TenantRole } from "@prisma/client";
16
- import { type CapabilityValue } from "./capabilities";
16
+ import { type CapabilityValue } from "./capabilities.js";
17
17
  export declare const RoleGrants: Record<TenantRole, ReadonlySet<CapabilityValue>>;
18
18
  //# sourceMappingURL=role-grants.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"role-grants.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/role-grants.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAc,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC;AA2ClE,eAAO,MAAM,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,WAAW,CAAC,eAAe,CAAC,CAKvE,CAAC"}
1
+ {"version":3,"file":"role-grants.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/role-grants.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAc,KAAK,eAAe,EAAE,MAAM,mBAAmB,CAAC;AA2CrE,eAAO,MAAM,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,WAAW,CAAC,eAAe,CAAC,CAKvE,CAAC"}