@deque/axe-auth 1.1.0-next.b1986c00 → 1.1.0-next.b7ba541c

package/dist/oauth/retry.js

@@ -0,0 +1,50 @@
+"use strict";
+// undici's `RetryAgent` cannot retry POSTs through `fetch()` — its retry
+// handler aborts once the fetch ReadableStream body is consumed. Re-invoking
+// `fetch()` per attempt with a string body sidesteps that. POST replay is
+// safe for our OAuth endpoints by spec: single-use codes (RFC 6749 §4.1.2),
+// refresh requests that never reached the server (§6), no-op revocation
+// (RFC 7009 §2.2).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchWithRetry = fetchWithRetry;
+const promises_1 = require("node:timers/promises");
+const MAX_RETRIES = 3;
+const CONNECTION_ERROR_CODES = new Set([
+    "ECONNRESET",
+    "ECONNREFUSED",
+    "ENOTFOUND",
+    "ENETDOWN",
+    "ENETUNREACH",
+    "EHOSTDOWN",
+    "UND_ERR_SOCKET",
+]);
+function isConnectionError(err) {
+    const seen = new Set();
+    let current = err;
+    while (current && typeof current === "object" && !seen.has(current)) {
+        seen.add(current);
+        const e = current;
+        if (typeof e.code === "string" && CONNECTION_ERROR_CODES.has(e.code)) {
+            return true;
+        }
+        current = e.cause;
+    }
+    return false;
+}
+/** Wraps `fetch` with bounded retries on transient connection errors. */
+async function fetchWithRetry(input, init) {
+    for (let attempt = 0;; attempt++) {
+        try {
+            return await fetch(input, init);
+        }
+        catch (err) {
+            if (attempt >= MAX_RETRIES || !isConnectionError(err)) {
+                throw err;
+            }
+            // Exponential backoff: 500ms, 1s, 2s, capped at 30s.
+            // `sleep` honors `init.signal` so an aborted request interrupts the wait.
+            const delay = Math.min(500 * Math.pow(2, attempt), 30_000);
+            await (0, promises_1.setTimeout)(delay, undefined, { signal: init?.signal ?? undefined });
+        }
+    }
+}

package/dist/oauth/revokeToken.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.revokeRefreshToken = revokeRefreshToken;
+const retry_1 = require("./retry");
 const userAgent_1 = require("../userAgent");
 /**
  * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
@@ -23,10 +24,10 @@ async function revokeRefreshToken(options) {
         token: options.refreshToken,
         token_type_hint: "refresh_token",
         client_id: options.clientId,
-    });
+    }).toString();
     let response;
     try {
-        response = await fetch(options.revocationEndpoint, {
+        response = await (0, retry_1.fetchWithRetry)(options.revocationEndpoint, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",

package/dist/oauth/tokenExchange.d.ts

@@ -10,7 +10,7 @@ export interface ExchangeCodeForTokensOptions {
     /** PKCE verifier paired with the `code_challenge` sent at auth time. */
     codeVerifier: string;
     /** Redirect URI originally sent to the authorization endpoint. */
-    redirectUri: string;
+    redirectURI: string;
     /** Source of `now`. Injected for test determinism; defaults to `Date.now`. */
     now?: () => number;
     /** Aborts the underlying fetch when fired. */

package/dist/oauth/tokenExchange.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.exchangeCodeForTokens = exchangeCodeForTokens;
 const errors_1 = require("./errors");
+const retry_1 = require("./retry");
 const tokenResponse_1 = require("./tokenResponse");
 const userAgent_1 = require("../userAgent");
 /**
@@ -18,12 +19,12 @@ async function exchangeCodeForTokens(options) {
         client_id: options.clientId,
         code: options.code,
         code_verifier: options.codeVerifier,
-        redirect_uri: options.redirectUri,
-    });
+        redirect_uri: options.redirectURI,
+    }).toString();
     const issuedAt = now();
     let response;
     try {
-        response = await fetch(options.tokenEndpoint, {
+        response = await (0, retry_1.fetchWithRetry)(options.tokenEndpoint, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",

package/dist/oauth/tokenResponse.d.ts

@@ -1,18 +1,4 @@
-/**
- * Tokens returned by a successful token-endpoint call (authorization
- * code exchange, refresh-token grant, etc.).
- *
- * `refreshToken` is optional because not all flows return one. On
- * authorization-code exchange it's absent if the caller did not
- * request `offline_access` (or the provider equivalent); on refresh
- * some providers rotate tokens (return a new one) while others don't
- * (the caller should keep the existing refresh token).
- *
- * `grantedScope` reflects the authorization server's `scope` response
- * field when present. RFC 6749 §5.1 says `scope` is required in the
- * response when the granted set differs from the requested set; many
- * servers send it unconditionally.
- */
+/** Tokens returned by a successful token-endpoint call. */
 export interface TokenSet {
     /** Access token for authenticated API calls. */
     accessToken: string;
@@ -24,31 +10,13 @@ export interface TokenSet {
     grantedScope?: string;
 }
 /**
- * Reads a non-2xx response body and throws
- * `OAuthFlowError("TOKEN_EXCHANGE_FAILED", …)` with the OAuth
- * `error` / `error_description` surfaced in both message and details
- * when present. Shared by both the authorization-code exchange and
- * refresh-token paths since the error contract is identical.
- *
- * @param context Short human-readable description of which call
- *   failed ("Token exchange", "Token refresh", etc.). Appears in the
- *   error message.
+ * Reads a non-2xx response body and throws `TOKEN_EXCHANGE_FAILED`
+ * with the OAuth `error` / `error_description` surfaced when present.
  */
 export declare function throwTokenEndpointError(response: Response, context: string): Promise<never>;
 /**
- * Parses a 2xx response body from an RFC 6749 §5.1 token endpoint
- * (authorization-code exchange, refresh-token grant, etc.) into a
- * `TokenSet`. Validates the required shape (`access_token`,
- * `expires_in`, Bearer `token_type`) and converts the relative
- * `expires_in` into an absolute `expiresAt` using `issuedAt`.
- *
- * @param response The HTTP response (must be 2xx; caller handles
- *   error statuses via `throwTokenEndpointError`).
- * @param issuedAt The timestamp captured just before the network
- *   call. Slightly conservative — the token actually expires
- *   `expires_in` seconds from when the server issued it, so the
- *   effective usable window is `expires_in - RTT`, which errs toward
- *   "expires sooner" rather than "expires later."
- * @param endpointURL URL used for error messages.
+ * Parses a 2xx response from an RFC 6749 §5.1 token endpoint into a
+ * `TokenSet`. `issuedAt` is the timestamp captured just before the
+ * network call; the resulting `expiresAt` is conservative by ~RTT.
  */
 export declare function parseTokenResponse(response: Response, issuedAt: number, endpointURL: string): Promise<TokenSet>;

package/dist/oauth/tokenResponse.js

@@ -4,10 +4,8 @@ exports.throwTokenEndpointError = throwTokenEndpointError;
 exports.parseTokenResponse = parseTokenResponse;
 const errors_1 = require("./errors");
 const predicates_1 = require("./predicates");
-// RFC 6749 §5.1 describes `expires_in` as "the lifetime in seconds"
-// without pinning the JSON type, and some providers historically send
-// numeric strings. Accept both; reject anything non-positive or
-// non-finite.
+// RFC 6749 §5.1 doesn't pin the JSON type and some providers send
+// numeric strings; accept both, reject non-positive or non-finite.
 function parseExpiresIn(v) {
     if (typeof v === "number" && Number.isFinite(v) && v > 0)
         return v;
@@ -37,15 +35,8 @@ function parseErrorBody(body) {
     };
 }
 /**
- * Reads a non-2xx response body and throws
- * `OAuthFlowError("TOKEN_EXCHANGE_FAILED", …)` with the OAuth
- * `error` / `error_description` surfaced in both message and details
- * when present. Shared by both the authorization-code exchange and
- * refresh-token paths since the error contract is identical.
- *
- * @param context Short human-readable description of which call
- *   failed ("Token exchange", "Token refresh", etc.). Appears in the
- *   error message.
+ * Reads a non-2xx response body and throws `TOKEN_EXCHANGE_FAILED`
+ * with the OAuth `error` / `error_description` surfaced when present.
  */
 async function throwTokenEndpointError(response, context) {
     const body = await response.text().catch(() => "");
@@ -63,20 +54,9 @@ async function throwTokenEndpointError(response, context) {
     throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `${context} failed with HTTP ${response.status}${suffix}`, Object.keys(details).length > 0 ? { details } : undefined);
 }
 /**
- * Parses a 2xx response body from an RFC 6749 §5.1 token endpoint
- * (authorization-code exchange, refresh-token grant, etc.) into a
- * `TokenSet`. Validates the required shape (`access_token`,
- * `expires_in`, Bearer `token_type`) and converts the relative
- * `expires_in` into an absolute `expiresAt` using `issuedAt`.
- *
- * @param response The HTTP response (must be 2xx; caller handles
- *   error statuses via `throwTokenEndpointError`).
- * @param issuedAt The timestamp captured just before the network
- *   call. Slightly conservative — the token actually expires
- *   `expires_in` seconds from when the server issued it, so the
- *   effective usable window is `expires_in - RTT`, which errs toward
- *   "expires sooner" rather than "expires later."
- * @param endpointURL URL used for error messages.
+ * Parses a 2xx response from an RFC 6749 §5.1 token endpoint into a
+ * `TokenSet`. `issuedAt` is the timestamp captured just before the
+ * network call; the resulting `expiresAt` is conservative by ~RTT.
  */
 async function parseTokenResponse(response, issuedAt, endpointURL) {
     let parsed;

package/dist/oauth/tokenStore.d.ts

@@ -2,8 +2,11 @@ import { type KeyringEntryFactory } from "./keyringBinding";
 import type { TokenSet } from "./tokenResponse";
 /**
  * Whether `KeyringTokenStore` should split the stored blob across
- * multiple keychain entries on this platform. Windows-only because of
- * Credential Manager's 2560 UTF-16 character per-entry cap. Exported
+ * multiple keychain entries on this platform. Windows-only: Credential
+ * Manager has a 2560-byte per-entry cap that large OAuth tokens
+ * routinely exceed. macOS Keychain and Linux libsecret have no
+ * comparable limit, and on macOS each entry is independently lockable
+ * (chunking there would multiply per-entry ACL prompts). Exported
  * (parameterized for tests) so the chunking path can be exercised
  * deterministically.
  */
@@ -109,28 +112,13 @@ export type BlobChainResult = {
  */
 export declare function parseAndMigrateBlob(raw: string | null, expectedVersion?: number, migrators?: ReadonlyMap<number, (old: unknown) => unknown | null>): BlobChainResult;
 /**
- * Builds the user-facing keychain error message. Platform is a
- * parameter (defaulting to `process.platform`) so tests can drive each
- * branch without mocking the runtime; mirrors the pattern in
+ * Builds the user-facing keychain error message: the underlying
+ * cause's text plus a per-platform hint. Platform is a parameter
+ * (defaulting to `process.platform`) so tests can drive each branch
+ * without mocking the runtime; mirrors the pattern in
  * `platformKeyringHint`.
- *
- * The Windows-specific size-limit message is only used when the
- * underlying error matches the binding's "longer than the platform
- * limit" wording AND the runtime is win32 — that combination is the
- * only way the size cap actually manifests in practice. On other
- * platforms (or for any other binding error) we fall back to the
- * generic per-platform hint.
  */
 export declare function keyringErrorMessage(op: string, cause: unknown, platform?: NodeJS.Platform): string;
-/**
- * Detects the `@napi-rs/keyring` error string for "value too large".
- * In practice only Windows Credential Manager triggers this — its
- * stored values are capped at 2560 UTF-16 chars; macOS Keychain and
- * Linux libsecret have no comparable limit. Exported (but not
- * re-exported from the package index) so tests can exercise the
- * detector independently of the wrap path.
- */
-export declare function isKeyringSizeError(cause: unknown): boolean;
 /**
  * Returns a per-platform hint appended to keychain error messages so
  * users see actionable guidance for their OS instead of generic or
@@ -145,8 +133,8 @@ export declare function platformKeyringHint(platform?: NodeJS.Platform): string;
  * Secret Service). On macOS and Linux the blob lives in a single entry
  * keyed by the fixed `credentials` account name. On Windows the blob
  * is split across `credentials.0`, `credentials.1`, … entries to fit
- * under Credential Manager's 2560 UTF-16 character per-entry cap; see
- * `shouldChunkForKeyring`.
+ * under Credential Manager's 2560-byte (1280 UTF-16 char) per-entry
+ * cap; see `shouldChunkForKeyring`.
  *
  * The blob carries its own issuer/client coordinates so verbs can
  * recover full config without per-issuer keying.

package/dist/oauth/tokenStore.js

@@ -4,49 +4,41 @@ exports.KeyringTokenStore = exports.STORED_BLOB_VERSION = void 0;
 exports.shouldChunkForKeyring = shouldChunkForKeyring;
 exports.parseAndMigrateBlob = parseAndMigrateBlob;
 exports.keyringErrorMessage = keyringErrorMessage;
-exports.isKeyringSizeError = isKeyringSizeError;
 exports.platformKeyringHint = platformKeyringHint;
 exports.chunkBlobForKeyring = chunkBlobForKeyring;
 const errors_1 = require("./errors");
 const keyringBinding_1 = require("./keyringBinding");
-// On macOS: Keychain generic password item with the service name below.
-// On Windows: Credential Manager entry. On Linux: Secret Service / libsecret.
-// Exposed as a human-readable string because these all surface the service
-// name in OS UIs (Keychain Access, credmgr.exe, seahorse).
 const SERVICE_NAME = "axe-auth";
-// Single keychain entry per machine on macOS / Linux. (Windows splits
-// across `credentials.0`, `credentials.1`, … — see `CHUNK_LIMIT`
-// below.) The blob it holds is fully self-describing (issuerURL,
-// clientId, allowInsecureIssuer, plus the tokens), so verbs that
-// don't pass `--server` / `--realm` / `--client-id` can resolve their
-// config from the entry.
-//
-// Account name is human-readable so users investigating the entry in
-// macOS Keychain Access (or `secret-tool` on Linux, credmgr on
-// Windows) can tell what it is. Not versioned: the schema version
-// lives inside the blob and migrators handle the upgrade path. Note:
-// Windows entries hold base64-encoded JSON rather than the raw JSON
-// macOS / Linux store, so a Windows user inspecting their Credential
-// Manager will see opaque base64; that's a side effect of chunking.
+/**
+ * Keychain account identifier. On macOS/Linux the entire blob lives at
+ * this single account. On Windows the blob is base64-encoded and split
+ * across `credentials.0`, `credentials.1`, … entries (see `CHUNK_LIMIT`),
+ * so a Windows dev inspecting Credential Manager will see opaque base64.
+ */
 const ACCOUNT_NAME = "credentials";
-// Windows Credential Manager caps stored values at 2560 UTF-16 code
-// units, which large OAuth access-token JWTs (many groups/roles
-// claims) routinely exceed. On Windows we work around this by
-// splitting the JSON blob across multiple entries with account names
-// `credentials.0`, `credentials.1`, … . `CHUNK_LIMIT` leaves margin
-// under the platform cap; `MAX_CHUNKS` is a safety bound — we should
-// never get close in practice, even with maximally-claimed tokens.
-//
-// macOS Keychain and Linux libsecret have no comparable limit, so
-// chunking there would just multiply per-entry ACL prompts (each
-// keychain entry is independently lockable on macOS) for no gain.
-// Chunking is therefore Windows-only, gated by `shouldChunkForKeyring`.
-const CHUNK_LIMIT = 2500;
+/**
+ * Max JS string length per chunk. The limit applies to the full chunk
+ * including chunk 0's `<N>\n` count header, so chunk 0's data slice is
+ * `CHUNK_LIMIT - headerLen`. Windows Credential Manager's per-entry
+ * cap is `CRED_MAX_CREDENTIAL_BLOB_SIZE = 2560` bytes, and the
+ * `@napi-rs/keyring` Windows backend stores strings as UTF-16 (2 bytes
+ * per char), so 1250 chars = 2500 bytes stays safely under the cap.
+ */
+const CHUNK_LIMIT = 1250;
+/**
+ * Cap on chunks per stored blob. A request that would exceed this
+ * raises `TOKEN_TOO_LARGE` so an IDP issuing tokens with extraordinary
+ * claim counts fails with a clear error instead of silently consuming
+ * dozens of keychain entries.
+ */
 const MAX_CHUNKS = 32;
 /**
  * Whether `KeyringTokenStore` should split the stored blob across
- * multiple keychain entries on this platform. Windows-only because of
- * Credential Manager's 2560 UTF-16 character per-entry cap. Exported
+ * multiple keychain entries on this platform. Windows-only: Credential
+ * Manager has a 2560-byte per-entry cap that large OAuth tokens
+ * routinely exceed. macOS Keychain and Linux libsecret have no
+ * comparable limit, and on macOS each entry is independently lockable
+ * (chunking there would multiply per-entry ACL prompts). Exported
  * (parameterized for tests) so the chunking path can be exercised
  * deterministically.
  */
@@ -160,10 +152,6 @@ function parseAndMigrateBlob(raw, expectedVersion = exports.STORED_BLOB_VERSION,
     const storedVersion = getStoredVersion(parsed);
     if (storedVersion === null)
         return { ok: false, reason: "corrupt" };
-    // Walk the migrator chain until we reach the expected version. A
-    // missing or null-returning migrator means the old blob cannot be
-    // upgraded; surface that so callers can prompt re-auth with a
-    // clear signal instead of silently returning `empty`.
     let current = parsed;
     let currentVersion = storedVersion;
     while (currentVersion !== expectedVersion) {
@@ -177,8 +165,6 @@ function parseAndMigrateBlob(raw, expectedVersion = exports.STORED_BLOB_VERSION,
         }
         const nextVersion = getStoredVersion(next);
         if (nextVersion === null || nextVersion <= currentVersion) {
-            // Migrator output is malformed or didn't advance. Treat the
-            // stored blob as un-migratable rather than loop forever.
             return { ok: false, reason: "version-mismatch", storedVersion };
         }
         current = next;
@@ -201,38 +187,16 @@ function wrapKeyringError(op, cause) {
     });
 }
 /**
- * Builds the user-facing keychain error message. Platform is a
- * parameter (defaulting to `process.platform`) so tests can drive each
- * branch without mocking the runtime; mirrors the pattern in
+ * Builds the user-facing keychain error message: the underlying
+ * cause's text plus a per-platform hint. Platform is a parameter
+ * (defaulting to `process.platform`) so tests can drive each branch
+ * without mocking the runtime; mirrors the pattern in
  * `platformKeyringHint`.
- *
- * The Windows-specific size-limit message is only used when the
- * underlying error matches the binding's "longer than the platform
- * limit" wording AND the runtime is win32 — that combination is the
- * only way the size cap actually manifests in practice. On other
- * platforms (or for any other binding error) we fall back to the
- * generic per-platform hint.
  */
 function keyringErrorMessage(op, cause, platform = process.platform) {
-    if (platform === "win32" && isKeyringSizeError(cause)) {
-        return `System keychain ${op} failed: Windows Credential Manager limits stored values to 2560 UTF-16 characters. Large OAuth access-token JWTs (many groups/roles claims) commonly exceed this.`;
-    }
     const causeMessage = cause instanceof Error ? cause.message : String(cause);
     return `System keychain ${op} failed: ${causeMessage}. ${platformKeyringHint(platform)}`;
 }
-/**
- * Detects the `@napi-rs/keyring` error string for "value too large".
- * In practice only Windows Credential Manager triggers this — its
- * stored values are capped at 2560 UTF-16 chars; macOS Keychain and
- * Linux libsecret have no comparable limit. Exported (but not
- * re-exported from the package index) so tests can exercise the
- * detector independently of the wrap path.
- */
-function isKeyringSizeError(cause) {
-    if (!(cause instanceof Error))
-        return false;
-    return /longer than the platform limit/.test(cause.message);
-}
 /**
  * Returns a per-platform hint appended to keychain error messages so
  * users see actionable guidance for their OS instead of generic or
@@ -280,8 +244,8 @@ function parseChunkHeader(first) {
  * Secret Service). On macOS and Linux the blob lives in a single entry
  * keyed by the fixed `credentials` account name. On Windows the blob
  * is split across `credentials.0`, `credentials.1`, … entries to fit
- * under Credential Manager's 2560 UTF-16 character per-entry cap; see
- * `shouldChunkForKeyring`.
+ * under Credential Manager's 2560-byte (1280 UTF-16 char) per-entry
+ * cap; see `shouldChunkForKeyring`.
  *
  * The blob carries its own issuer/client coordinates so verbs can
  * recover full config without per-issuer keying.
@@ -424,10 +388,6 @@ class KeyringTokenStore {
      * could trip it.
      */
     #saveChunked(parts) {
-        // Read previous N before any writes so the cleanup sweep is
-        // bounded. If the previous chunk 0 is missing or its header is
-        // unparseable we have no upper bound, so fall back to the full
-        // safety range as a one-time defensive recovery.
         const previousN = this.#previousChunkN();
         for (let i = parts.length - 1; i >= 1; i--) {
             this.#entry(`${ACCOUNT_NAME}.${i}`).setPassword(parts[i]);

package/docs/callback-page.md

@@ -1,6 +1,6 @@
 # Callback response page
 
-The HTML the browser renders after Keycloak redirects to the loopback URL, produced by `src/oauth/renderHtml.ts`.
+The HTML the browser renders after Keycloak redirects to the loopback URL, produced by `src/oauth/renderHTML.ts`.
 
 ## Approach
 
@@ -17,7 +17,7 @@ Content-Security-Policy: default-src 'none'; img-src data:; style-src 'sha256-<d
 X-Content-Type-Options: nosniff
 ```
 
-`default-src 'none'` blocks everything by default. `img-src data:` allows only the inlined logo. `style-src 'sha256-...'` allows only a `<style>` block whose contents match a digest computed at module load — stricter than `'unsafe-inline'`, and any drift between the rendered CSS and the committed hash causes the browser to refuse the stylesheet. Inline `style=""` attributes are avoided entirely (they require separate `style-src-attr` / `'unsafe-hashes'` machinery). The `renderHtml` test suite asserts the hash matches the rendered `<style>` contents to prevent silent drift.
+`default-src 'none'` blocks everything by default. `img-src data:` allows only the inlined logo. `style-src 'sha256-...'` allows only a `<style>` block whose contents match a digest computed at module load — stricter than `'unsafe-inline'`, and any drift between the rendered CSS and the committed hash causes the browser to refuse the stylesheet. Inline `style=""` attributes are avoided entirely (they require separate `style-src-attr` / `'unsafe-hashes'` machinery). The `renderHTML` test suite asserts the hash matches the rendered `<style>` contents to prevent silent drift.
 
 **Auth code not echoed.** The success page deliberately does not render the received `code` in the HTML (RFC 8252 §8.1 interception mitigation).
 

package/docs/callback-server.md

@@ -4,7 +4,7 @@ The loopback HTTP listener that receives the OAuth authorization code redirect,
 
 ## Loopback bind
 
-RFC 8252 §7.3 says clients SHOULD NOT assume a particular IP version is available and RECOMMENDS trying both. Implementation: bind `127.0.0.1` on an ephemeral port; on `EAFNOSUPPORT` / `EADDRNOTAVAIL` (no IPv4 loopback configured on this host) fall back to `[::1]` on a fresh ephemeral port. The returned `redirectUri` uses whichever literal actually got bound, so the browser connects to exactly what the authorization server redirects it to — no reliance on `localhost` DNS resolution.
+RFC 8252 §7.3 says clients SHOULD NOT assume a particular IP version is available and RECOMMENDS trying both. Implementation: bind `127.0.0.1` on an ephemeral port; on `EAFNOSUPPORT` / `EADDRNOTAVAIL` (no IPv4 loopback configured on this host) fall back to `[::1]` on a fresh ephemeral port. The returned `redirectURI` uses whichever literal actually got bound, so the browser connects to exactly what the authorization server redirects it to — no reliance on `localhost` DNS resolution.
 
 Request handling additionally rejects non-loopback `remoteAddress` values with `403` as defense in depth against DNS-rebinding-style pivots — the listener only binds to a loopback interface, but enforcing it at the handler costs nothing.
 

package/package.json

@@ -1,8 +1,15 @@
 {
   "name": "@deque/axe-auth",
-  "version": "1.1.0-next.b1986c00",
+  "version": "1.1.0-next.b7ba541c",
   "description": "CLI authentication utility for Deque services",
   "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/dequelabs/axe-mcp-server-public.git"
+  },
+  "bugs": {
+    "url": "https://github.com/dequelabs/axe-mcp-server-public/issues"
+  },
   "type": "commonjs",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -20,7 +27,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "engines": {
-    "node": ">=22.13.0"
+    "node": ">=24.11.0"
   },
   "dependencies": {
     "@napi-rs/keyring": "^1.2.0",
@@ -30,15 +37,16 @@
   },
   "devDependencies": {
     "@hono/node-server": "^1.19.14",
-    "@types/node": "^22.13.10",
+    "@types/node": "^24.0.0",
     "c8": "^10.1.3",
     "hono": "^4.12.16",
     "tsx": "^4.20.6",
-    "typescript": "^5.9.3"
+    "typescript": "^6.0.3"
   },
   "scripts": {
     "build": "tsc",
-    "test": "tsx --test 'src/**/*.test.ts'",
+    "typecheck:scripts": "tsc -p tsconfig.scripts.json",
+    "test": "tsx --test \"src/**/*.test.ts\"",
     "coverage": "c8 pnpm test",
     "register-dev-client": "tsx scripts/registerDevClient.ts",
     "smoke-authorize": "tsx scripts/smokeAuthorize.ts",

package/dist/oauth/renderHtml.d.ts

@@ -1,9 +0,0 @@
-export type HtmlInput = {
-    kind: "success";
-} | {
-    kind: "error";
-    reason: string;
-    description?: string;
-};
-export declare const CSP_HEADER: string;
-export declare const renderHtml: (input: HtmlInput) => string;