@diskd-ai/sdk 5.1.2

package/dist/auth/createAuth.js

@@ -0,0 +1,128 @@
+import { extractWorkspaceId } from './jwtClaims.js';
+import { readKeyfileFromPath } from './keyfile.js';
+import { fetchOidcDiscovery } from './oidcDiscovery.js';
+import { createPkceChallenge, createPkceState, createPkceVerifier } from './pkce.js';
+import { getSessionStorage } from './sessionStorage.js';
+import { requestAuthorizationCodeToken, requestClientCredentialsToken } from './tokenRequests.js';
+import { getLocation, replaceUrlWithoutSearchParams } from './urlRuntime.js';
+const hasKeyfilePath = (params) => 'keyfilePath' in params;
+const storageKeys = {
+    verifier: 'diskd_pkce_verifier',
+    state: 'diskd_pkce_state',
+};
+export const createAuth = async (params) => {
+    let token = null;
+    let discovery = null;
+    const ensureDiscovery = async (issuer) => {
+        if (discovery)
+            return discovery;
+        const loaded = await fetchOidcDiscovery(issuer);
+        discovery = {
+            authorization_endpoint: loaded.authorization_endpoint,
+            token_endpoint: loaded.token_endpoint,
+        };
+        return discovery;
+    };
+    const signOut = () => {
+        token = null;
+    };
+    if (hasKeyfilePath(params)) {
+        const keyfile = await readKeyfileFromPath(params.keyfilePath);
+        // Set APIS_BASE_URL from credentials if not already set
+        if (keyfile.apisUrl && !process.env.APIS_BASE_URL) {
+            process.env.APIS_BASE_URL = keyfile.apisUrl;
+        }
+        const getAccessToken = async () => {
+            if (token)
+                return token.accessToken;
+            const disc = await ensureDiscovery(keyfile.issuer);
+            const accessToken = await requestClientCredentialsToken({
+                tokenEndpoint: disc.token_endpoint,
+                clientId: keyfile.clientId,
+                clientSecret: keyfile.clientSecret,
+                audience: keyfile.audience,
+                scopes: params.scopes,
+            });
+            token = { accessToken };
+            return accessToken;
+        };
+        return {
+            signIn: async () => {
+                await getAccessToken();
+            },
+            signOut,
+            handleRedirectCallback: async () => { },
+            getAccessToken,
+            getToken: () => token,
+            getWorkspaceId: async () => extractWorkspaceId(await getAccessToken()),
+        };
+    }
+    const pkce = params;
+    const signIn = async () => {
+        const disc = await ensureDiscovery(pkce.issuer);
+        const verifier = createPkceVerifier();
+        const challenge = await createPkceChallenge(verifier);
+        const state = createPkceState();
+        const storage = getSessionStorage();
+        storage.setItem(storageKeys.verifier, verifier);
+        storage.setItem(storageKeys.state, state);
+        const qs = new URLSearchParams({
+            client_id: pkce.clientId,
+            response_type: 'code',
+            scope: pkce.scopes.join(' '),
+            audience: pkce.audience,
+            redirect_uri: pkce.redirectUri,
+            code_challenge: challenge,
+            code_challenge_method: 'S256',
+            state,
+        });
+        const locationObj = getLocation();
+        locationObj.href = `${disc.authorization_endpoint}?${qs.toString()}`;
+    };
+    const handleRedirectCallback = async () => {
+        const locationObj = getLocation();
+        const current = new URL(locationObj.href);
+        const code = current.searchParams.get('code');
+        const state = current.searchParams.get('state');
+        const error = current.searchParams.get('error');
+        if (error) {
+            replaceUrlWithoutSearchParams();
+            throw new Error(error);
+        }
+        if (!code || !state)
+            return;
+        const disc = await ensureDiscovery(pkce.issuer);
+        const storage = getSessionStorage();
+        const expectedState = storage.getItem(storageKeys.state) ?? '';
+        const verifier = storage.getItem(storageKeys.verifier) ?? '';
+        if (!verifier || !expectedState || state !== expectedState) {
+            throw new Error('Invalid PKCE state');
+        }
+        storage.removeItem(storageKeys.state);
+        storage.removeItem(storageKeys.verifier);
+        const accessToken = await requestAuthorizationCodeToken({
+            tokenEndpoint: disc.token_endpoint,
+            clientId: pkce.clientId,
+            redirectUri: pkce.redirectUri,
+            code,
+            verifier,
+        });
+        token = { accessToken };
+        replaceUrlWithoutSearchParams();
+    };
+    const getAccessToken = async () => {
+        if (!token) {
+            throw new Error('No access token available. Call signIn() and handleRedirectCallback() first.');
+        }
+        return token.accessToken;
+    };
+    return {
+        signIn,
+        signOut,
+        handleRedirectCallback,
+        getAccessToken,
+        getToken: () => token,
+        getWorkspaceId: async () => extractWorkspaceId(await getAccessToken()),
+    };
+};
+//# sourceMappingURL=createAuth.js.map

package/dist/auth/createAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createAuth.js","sourceRoot":"","sources":["../../src/auth/createAuth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACrF,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,6BAA6B,EAAE,6BAA6B,EAAE,MAAM,oBAAoB,CAAC;AAElG,OAAO,EAAE,WAAW,EAAE,6BAA6B,EAAE,MAAM,iBAAiB,CAAC;AAE7E,MAAM,cAAc,GAAG,CACrB,MAAuB,EACsC,EAAE,CAAC,aAAa,IAAI,MAAM,CAAC;AAE1F,MAAM,WAAW,GAAG;IAClB,QAAQ,EAAE,qBAAqB;IAC/B,KAAK,EAAE,kBAAkB;CACjB,CAAC;AAEX,MAAM,CAAC,MAAM,UAAU,GAAG,KAAK,EAAE,MAAuB,EAAuB,EAAE;IAC/E,IAAI,KAAK,GAAqB,IAAI,CAAC;IACnC,IAAI,SAAS,GAGF,IAAI,CAAC;IAEhB,MAAM,eAAe,GAAG,KAAK,EAAE,MAAc,EAAE,EAAE;QAC/C,IAAI,SAAS;YAAE,OAAO,SAAS,CAAC;QAChC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAChD,SAAS,GAAG;YACV,sBAAsB,EAAE,MAAM,CAAC,sBAAsB;YACrD,cAAc,EAAE,MAAM,CAAC,cAAc;SACtC,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;IAEF,MAAM,OAAO,GAAG,GAAG,EAAE;QACnB,KAAK,GAAG,IAAI,CAAC;IACf,CAAC,CAAC;IAEF,IAAI,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAE9D,wDAAwD;QACxD,IAAI,OAAO,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC;QAC9C,CAAC;QAED,MAAM,cAAc,GAAG,KAAK,IAAqB,EAAE;YACjD,IAAI,KAAK;gBAAE,OAAO,KAAK,CAAC,WAAW,CAAC;YACpC,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACnD,MAAM,WAAW,GAAG,MAAM,6BAA6B,CAAC;gBACtD,aAAa,EAAE,IAAI,CAAC,cAAc;gBAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC,CAAC;YACH,KAAK,GAAG,EAAE,WAAW,EAAE,CAAC;YACxB,OAAO,WAAW,CAAC;QACrB,CAAC,CAAC;QAEF,OAAO;YACL,MAAM,EAAE,KAAK,IAAI,EAAE;gBACjB,MAAM,cAAc,EAAE,CAAC;YACzB,CAAC;YACD,OAAO;YACP,sBAAsB,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;YACtC,cAAc;YACd,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK;YACrB,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,kBAAkB,CAAC,MAAM,cAAc,EAAE,CAAC;SACvE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC;IAEpB,MAAM,MAAM,GAAG,KAAK,IAAmB,EAAE;QACvC,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,kBAAkB,EAAE,CAAC;QACtC,MAAM,SAAS,GAAG,MAAM,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QACtD,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAEhC,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAChD,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAE1C,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC;YAC7B,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,aAAa,EAAE,MAAM;YACrB,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YAC5B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,YAAY,EAAE,IAAI,CAAC,WAAW;YAC9B,cAAc,EAAE,SAAS;YACzB,qBAAqB,EAAE,MAAM;YAC7B,KAAK;SACN,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,WAAW,EAAE,CAAC;QAClC,WAAW,CAAC,IAAI,GAAG,GAAG,IAAI,CAAC,sBAAsB,IAAI,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC;IACvE,CAAC,CAAC;IAEF,MAAM,sBAAsB,GAAG,KAAK,IAAmB,EAAE;QACvD,MAAM,WAAW,GAAG,WAAW,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEhD,IAAI,KAAK,EAAE,CAAC;YACV,6BAA6B,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC;QACzB,CAAC;QAED,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO;QAE5B,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAC/D,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAE7D,IAAI,CAAC,QAAQ,IAAI,CAAC,aAAa,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACtC,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAEzC,MAAM,WAAW,GAAG,MAAM,6BAA6B,CAAC;YACtD,aAAa,EAAE,IAAI,CAAC,cAAc;YAClC,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,IAAI;YACJ,QAAQ;SACT,CAAC,CAAC;QACH,KAAK,GAAG,EAAE,WAAW,EAAE,CAAC;QACxB,6BAA6B,EAAE,CAAC;IAClC,CAAC,CAAC;IAEF,MAAM,cAAc,GAAG,KAAK,IAAqB,EAAE;QACjD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CACb,8EAA8E,CAC/E,CAAC;QACJ,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,CAAC;IAC3B,CAAC,CAAC;IAEF,OAAO;QACL,MAAM;QACN,OAAO;QACP,sBAAsB;QACtB,cAAc;QACd,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK;QACrB,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,kBAAkB,CAAC,MAAM,cAAc,EAAE,CAAC;KACvE,CAAC;AACJ,CAAC,CAAC"}

package/dist/auth/createAuthBrowser.d.ts

@@ -0,0 +1,3 @@
+import type { AuthModule, SdkCreateParams } from './types.js';
+export declare const createAuth: (params: SdkCreateParams) => Promise<AuthModule>;
+//# sourceMappingURL=createAuthBrowser.d.ts.map

package/dist/auth/createAuthBrowser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"createAuthBrowser.d.ts","sourceRoot":"","sources":["../../src/auth/createAuthBrowser.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAa,eAAe,EAAE,MAAM,YAAY,CAAC;AAYzE,eAAO,MAAM,UAAU,GAAU,QAAQ,eAAe,KAAG,OAAO,CAAC,UAAU,CA8G5E,CAAC"}

package/dist/auth/createAuthBrowser.js

@@ -0,0 +1,104 @@
+import { fetchOidcDiscovery } from './oidcDiscovery.js';
+import { createPkceChallenge, createPkceState, createPkceVerifier } from './pkce.js';
+import { getSessionStorage } from './sessionStorage.js';
+import { requestAuthorizationCodeToken } from './tokenRequests.js';
+import { getLocation, replaceUrlWithoutSearchParams } from './urlRuntime.js';
+const hasKeyfilePath = (params) => 'keyfilePath' in params;
+const storageKeys = {
+    verifier: 'diskd_pkce_verifier',
+    state: 'diskd_pkce_state',
+};
+export const createAuth = async (params) => {
+    if (hasKeyfilePath(params)) {
+        throw new Error('keyfilePath auth is not supported in browser builds');
+    }
+    const pkce = params;
+    let token = null;
+    let discovery = null;
+    const ensureDiscovery = async () => {
+        if (discovery)
+            return discovery;
+        const loaded = await fetchOidcDiscovery(pkce.issuer);
+        discovery = {
+            authorization_endpoint: loaded.authorization_endpoint,
+            token_endpoint: loaded.token_endpoint,
+        };
+        return discovery;
+    };
+    const signIn = async () => {
+        const disc = await ensureDiscovery();
+        const verifier = createPkceVerifier();
+        const challenge = await createPkceChallenge(verifier);
+        const state = createPkceState();
+        const storage = getSessionStorage();
+        storage.setItem(storageKeys.verifier, verifier);
+        storage.setItem(storageKeys.state, state);
+        const qs = new URLSearchParams({
+            client_id: pkce.clientId,
+            response_type: 'code',
+            scope: pkce.scopes.join(' '),
+            audience: pkce.audience,
+            redirect_uri: pkce.redirectUri,
+            code_challenge: challenge,
+            code_challenge_method: 'S256',
+            state,
+        });
+        const locationObj = getLocation();
+        locationObj.href = `${disc.authorization_endpoint}?${qs.toString()}`;
+    };
+    const handleRedirectCallback = async () => {
+        const locationObj = getLocation();
+        const current = new URL(locationObj.href);
+        const code = current.searchParams.get('code');
+        const state = current.searchParams.get('state');
+        const error = current.searchParams.get('error');
+        if (error) {
+            replaceUrlWithoutSearchParams();
+            throw new Error(error);
+        }
+        if (!code || !state)
+            return;
+        const disc = await ensureDiscovery();
+        const storage = getSessionStorage();
+        const expectedState = storage.getItem(storageKeys.state) ?? '';
+        const verifier = storage.getItem(storageKeys.verifier) ?? '';
+        if (!verifier || !expectedState || state !== expectedState) {
+            throw new Error('Invalid PKCE state');
+        }
+        storage.removeItem(storageKeys.state);
+        storage.removeItem(storageKeys.verifier);
+        const accessToken = await requestAuthorizationCodeToken({
+            tokenEndpoint: disc.token_endpoint,
+            clientId: pkce.clientId,
+            redirectUri: pkce.redirectUri,
+            code,
+            verifier,
+        });
+        token = { accessToken };
+        replaceUrlWithoutSearchParams();
+    };
+    const getAccessToken = async () => {
+        if (!token) {
+            throw new Error('No access token available. Call signIn() and handleRedirectCallback() first.');
+        }
+        return token.accessToken;
+    };
+    return {
+        signIn,
+        signOut: () => {
+            token = null;
+        },
+        handleRedirectCallback,
+        getAccessToken,
+        getToken: () => token,
+        getWorkspaceId: async () => {
+            const t = await getAccessToken();
+            const parts = t.split('.');
+            if (parts.length !== 3)
+                throw new Error('Invalid JWT');
+            const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
+            return payload?.ext?.workspace_id ?? payload?.workspace_id ?? payload?.sub ?? '';
+        },
+    };
+};
+//# sourceMappingURL=createAuthBrowser.js.map

package/dist/auth/createAuthBrowser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createAuthBrowser.js","sourceRoot":"","sources":["../../src/auth/createAuthBrowser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACrF,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,6BAA6B,EAAE,MAAM,oBAAoB,CAAC;AAEnE,OAAO,EAAE,WAAW,EAAE,6BAA6B,EAAE,MAAM,iBAAiB,CAAC;AAE7E,MAAM,cAAc,GAAG,CACrB,MAAuB,EACsC,EAAE,CAAC,aAAa,IAAI,MAAM,CAAC;AAE1F,MAAM,WAAW,GAAG;IAClB,QAAQ,EAAE,qBAAqB;IAC/B,KAAK,EAAE,kBAAkB;CACjB,CAAC;AAEX,MAAM,CAAC,MAAM,UAAU,GAAG,KAAK,EAAE,MAAuB,EAAuB,EAAE;IAC/E,IAAI,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC;IAEpB,IAAI,KAAK,GAAqB,IAAI,CAAC;IACnC,IAAI,SAAS,GAGF,IAAI,CAAC;IAEhB,MAAM,eAAe,GAAG,KAAK,IAAI,EAAE;QACjC,IAAI,SAAS;YAAE,OAAO,SAAS,CAAC;QAChC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrD,SAAS,GAAG;YACV,sBAAsB,EAAE,MAAM,CAAC,sBAAsB;YACrD,cAAc,EAAE,MAAM,CAAC,cAAc;SACtC,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;IAEF,MAAM,MAAM,GAAG,KAAK,IAAmB,EAAE;QACvC,MAAM,IAAI,GAAG,MAAM,eAAe,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,kBAAkB,EAAE,CAAC;QACtC,MAAM,SAAS,GAAG,MAAM,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QACtD,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAEhC,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAChD,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAE1C,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC;YAC7B,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,aAAa,EAAE,MAAM;YACrB,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YAC5B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,YAAY,EAAE,IAAI,CAAC,WAAW;YAC9B,cAAc,EAAE,SAAS;YACzB,qBAAqB,EAAE,MAAM;YAC7B,KAAK;SACN,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,WAAW,EAAE,CAAC;QAClC,WAAW,CAAC,IAAI,GAAG,GAAG,IAAI,CAAC,sBAAsB,IAAI,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC;IACvE,CAAC,CAAC;IAEF,MAAM,sBAAsB,GAAG,KAAK,IAAmB,EAAE;QACvD,MAAM,WAAW,GAAG,WAAW,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEhD,IAAI,KAAK,EAAE,CAAC;YACV,6BAA6B,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC;QACzB,CAAC;QAED,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO;QAE5B,MAAM,IAAI,GAAG,MAAM,eAAe,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAC/D,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAE7D,IAAI,CAAC,QAAQ,IAAI,CAAC,aAAa,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACtC,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAEzC,MAAM,WAAW,GAAG,MAAM,6BAA6B,CAAC;YACtD,aAAa,EAAE,IAAI,CAAC,cAAc;YAClC,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,IAAI;YACJ,QAAQ;SACT,CAAC,CAAC;QACH,KAAK,GAAG,EAAE,WAAW,EAAE,CAAC;QACxB,6BAA6B,EAAE,CAAC;IAClC,CAAC,CAAC;IAEF,MAAM,cAAc,GAAG,KAAK,IAAqB,EAAE;QACjD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CACb,8EAA8E,CAC/E,CAAC;QACJ,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,CAAC;IAC3B,CAAC,CAAC;IAEF,OAAO;QACL,MAAM;QACN,OAAO,EAAE,GAAG,EAAE;YACZ,KAAK,GAAG,IAAI,CAAC;QACf,CAAC;QACD,sBAAsB;QACtB,cAAc;QACd,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK;QACrB,cAAc,EAAE,KAAK,IAAI,EAAE;YACzB,MAAM,CAAC,GAAG,MAAM,cAAc,EAAE,CAAC;YACjC,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC3B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;YACvD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;YACjF,OAAO,OAAO,EAAE,GAAG,EAAE,YAAY,IAAI,OAAO,EAAE,YAAY,IAAI,OAAO,EAAE,GAAG,IAAI,EAAE,CAAC;QACnF,CAAC;KACF,CAAC;AACJ,CAAC,CAAC"}

package/dist/auth/jwtClaims.d.ts

@@ -0,0 +1,3 @@
+/** Decode JWT payload without signature verification (claims extraction only). */
+export declare const extractWorkspaceId: (accessToken: string) => string;
+//# sourceMappingURL=jwtClaims.d.ts.map

package/dist/auth/jwtClaims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwtClaims.d.ts","sourceRoot":"","sources":["../../src/auth/jwtClaims.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,GAAI,aAAa,MAAM,KAAG,MAwBxD,CAAC"}

package/dist/auth/jwtClaims.js

@@ -0,0 +1,23 @@
+/** Decode JWT payload without signature verification (claims extraction only). */
+export const extractWorkspaceId = (accessToken) => {
+    const parts = accessToken.split('.');
+    if (parts.length !== 3) {
+        throw new Error('Invalid JWT: expected 3 parts');
+    }
+    const payload = parts[1];
+    const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4);
+    const decoded = Buffer.from(padded, 'base64url').toString('utf-8');
+    const claims = JSON.parse(decoded);
+    // ext.workspace_id (Hydra token hook) > workspace_id (top-level) > sub (client_id = workspace_id)
+    const ext = typeof claims.ext === 'object' && claims.ext !== null
+        ? claims.ext
+        : {};
+    const workspaceId = (typeof ext.workspace_id === 'string' && ext.workspace_id) ||
+        (typeof claims.workspace_id === 'string' && claims.workspace_id) ||
+        (typeof claims.sub === 'string' && claims.sub);
+    if (!workspaceId) {
+        throw new Error('JWT has no workspace_id claim');
+    }
+    return workspaceId;
+};
+//# sourceMappingURL=jwtClaims.js.map

package/dist/auth/jwtClaims.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwtClaims.js","sourceRoot":"","sources":["../../src/auth/jwtClaims.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,WAAmB,EAAU,EAAE;IAChE,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACzB,MAAM,MAAM,GAAG,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACpE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnE,MAAM,MAAM,GAA4B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAE5D,kGAAkG;IAClG,MAAM,GAAG,GACP,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,KAAK,IAAI;QACnD,CAAC,CAAE,MAAM,CAAC,GAA+B;QACzC,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,WAAW,GACf,CAAC,OAAO,GAAG,CAAC,YAAY,KAAK,QAAQ,IAAI,GAAG,CAAC,YAAY,CAAC;QAC1D,CAAC,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,IAAI,MAAM,CAAC,YAAY,CAAC;QAChE,CAAC,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC;IAEjD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC,CAAC"}

package/dist/auth/keyfile.d.ts

@@ -0,0 +1,10 @@
+type KeyfileJson = {
+    readonly issuer: string;
+    readonly clientId: string;
+    readonly clientSecret: string;
+    readonly audience: string;
+    readonly apisUrl?: string;
+};
+export declare const readKeyfileFromPath: (keyfilePath: string) => Promise<KeyfileJson>;
+export {};
+//# sourceMappingURL=keyfile.d.ts.map

package/dist/auth/keyfile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyfile.d.ts","sourceRoot":"","sources":["../../src/auth/keyfile.ts"],"names":[],"mappings":"AAAA,KAAK,WAAW,GAAG;IACjB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAqBF,eAAO,MAAM,mBAAmB,GAAU,aAAa,MAAM,KAAG,OAAO,CAAC,WAAW,CAclF,CAAC"}

package/dist/auth/keyfile.js

@@ -0,0 +1,28 @@
+const isObject = (value) => typeof value === 'object' && value !== null;
+const readRequiredString = (obj, key) => {
+    const value = obj[key];
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new Error(`Invalid credentials.json: '${key}' must be a non-empty string`);
+    }
+    return value;
+};
+const readOptionalString = (obj, key) => {
+    const value = obj[key];
+    return typeof value === 'string' && value.length > 0 ? value : undefined;
+};
+export const readKeyfileFromPath = async (keyfilePath) => {
+    const fs = await import('node:fs/promises');
+    const rawText = await fs.readFile(keyfilePath, 'utf-8');
+    const data = JSON.parse(rawText);
+    if (!isObject(data)) {
+        throw new Error('Invalid credentials.json: expected object');
+    }
+    return {
+        issuer: readRequiredString(data, 'issuer'),
+        clientId: readRequiredString(data, 'clientId'),
+        clientSecret: readRequiredString(data, 'clientSecret'),
+        audience: readRequiredString(data, 'audience'),
+        apisUrl: readOptionalString(data, 'apisUrl'),
+    };
+};
+//# sourceMappingURL=keyfile.js.map

package/dist/auth/keyfile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyfile.js","sourceRoot":"","sources":["../../src/auth/keyfile.ts"],"names":[],"mappings":"AAQA,MAAM,QAAQ,GAAG,CAAC,KAAc,EAAgD,EAAE,CAChF,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,CAAC;AAE9C,MAAM,kBAAkB,GAAG,CAAC,GAAwC,EAAE,GAAW,EAAU,EAAE;IAC3F,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,8BAA8B,CAAC,CAAC;IACnF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF,MAAM,kBAAkB,GAAG,CACzB,GAAwC,EACxC,GAAW,EACS,EAAE;IACtB,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3E,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,mBAAmB,GAAG,KAAK,EAAE,WAAmB,EAAwB,EAAE;IACrF,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IACxD,MAAM,IAAI,GAAY,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IACD,OAAO;QACL,MAAM,EAAE,kBAAkB,CAAC,IAAI,EAAE,QAAQ,CAAC;QAC1C,QAAQ,EAAE,kBAAkB,CAAC,IAAI,EAAE,UAAU,CAAC;QAC9C,YAAY,EAAE,kBAAkB,CAAC,IAAI,EAAE,cAAc,CAAC;QACtD,QAAQ,EAAE,kBAAkB,CAAC,IAAI,EAAE,UAAU,CAAC;QAC9C,OAAO,EAAE,kBAAkB,CAAC,IAAI,EAAE,SAAS,CAAC;KAC7C,CAAC;AACJ,CAAC,CAAC"}

package/dist/auth/oidcDiscovery.d.ts

@@ -0,0 +1,9 @@
+type OidcDiscoveryDocument = {
+    readonly issuer: string;
+    readonly authorization_endpoint: string;
+    readonly token_endpoint: string;
+    readonly userinfo_endpoint?: string;
+};
+export declare const fetchOidcDiscovery: (issuer: string) => Promise<OidcDiscoveryDocument>;
+export {};
+//# sourceMappingURL=oidcDiscovery.d.ts.map

package/dist/auth/oidcDiscovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidcDiscovery.d.ts","sourceRoot":"","sources":["../../src/auth/oidcDiscovery.ts"],"names":[],"mappings":"AAAA,KAAK,qBAAqB,GAAG;IAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,sBAAsB,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;CACrC,CAAC;AAqBF,eAAO,MAAM,kBAAkB,GAAU,QAAQ,MAAM,KAAG,OAAO,CAAC,qBAAqB,CAatF,CAAC"}

package/dist/auth/oidcDiscovery.js

@@ -0,0 +1,27 @@
+const isObject = (value) => typeof value === 'object' && value !== null;
+const readRequiredString = (obj, key) => {
+    const value = obj[key];
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new Error(`Invalid discovery document: '${key}' must be a non-empty string`);
+    }
+    return value;
+};
+const readOptionalString = (obj, key) => {
+    const value = obj[key];
+    return typeof value === 'string' && value.length > 0 ? value : undefined;
+};
+export const fetchOidcDiscovery = async (issuer) => {
+    const url = `${issuer.replace(/\/+$/, '')}/.well-known/openid-configuration`;
+    const response = await fetch(url);
+    const data = await response.json();
+    if (!isObject(data)) {
+        throw new Error('Invalid discovery document: expected object');
+    }
+    return {
+        issuer: readRequiredString(data, 'issuer'),
+        authorization_endpoint: readRequiredString(data, 'authorization_endpoint'),
+        token_endpoint: readRequiredString(data, 'token_endpoint'),
+        userinfo_endpoint: readOptionalString(data, 'userinfo_endpoint'),
+    };
+};
+//# sourceMappingURL=oidcDiscovery.js.map

package/dist/auth/oidcDiscovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidcDiscovery.js","sourceRoot":"","sources":["../../src/auth/oidcDiscovery.ts"],"names":[],"mappings":"AAOA,MAAM,QAAQ,GAAG,CAAC,KAAc,EAAgD,EAAE,CAChF,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,CAAC;AAE9C,MAAM,kBAAkB,GAAG,CAAC,GAAwC,EAAE,GAAW,EAAU,EAAE;IAC3F,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,8BAA8B,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF,MAAM,kBAAkB,GAAG,CACzB,GAAwC,EACxC,GAAW,EACS,EAAE;IACtB,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3E,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,kBAAkB,GAAG,KAAK,EAAE,MAAc,EAAkC,EAAE;IACzF,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,mCAAmC,CAAC;IAC7E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,MAAM,IAAI,GAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC5C,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IACD,OAAO;QACL,MAAM,EAAE,kBAAkB,CAAC,IAAI,EAAE,QAAQ,CAAC;QAC1C,sBAAsB,EAAE,kBAAkB,CAAC,IAAI,EAAE,wBAAwB,CAAC;QAC1E,cAAc,EAAE,kBAAkB,CAAC,IAAI,EAAE,gBAAgB,CAAC;QAC1D,iBAAiB,EAAE,kBAAkB,CAAC,IAAI,EAAE,mBAAmB,CAAC;KACjE,CAAC;AACJ,CAAC,CAAC"}

package/dist/auth/pkce.d.ts

@@ -0,0 +1,4 @@
+export declare const createPkceVerifier: () => string;
+export declare const createPkceState: () => string;
+export declare const createPkceChallenge: (verifier: string) => Promise<string>;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/auth/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAsCA,eAAO,MAAM,kBAAkB,QAAO,MAKrC,CAAC;AAEF,eAAO,MAAM,eAAe,QAAO,MAKlC,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAAU,UAAU,MAAM,KAAG,OAAO,CAAC,MAAM,CAI1E,CAAC"}

package/dist/auth/pkce.js

@@ -0,0 +1,43 @@
+const getCrypto = () => {
+    const cryptoObj = globalThis.crypto;
+    if (!cryptoObj || typeof cryptoObj !== 'object') {
+        throw new Error('Web Crypto is unavailable');
+    }
+    const cryptoLike = cryptoObj;
+    if (typeof cryptoLike.getRandomValues !== 'function' || !cryptoLike.subtle) {
+        throw new Error('Web Crypto is unavailable');
+    }
+    return cryptoLike;
+};
+const toBase64Url = (bytes) => {
+    const base64 = (() => {
+        if (typeof Buffer !== 'undefined') {
+            return Buffer.from(bytes).toString('base64');
+        }
+        const btoaFn = globalThis.btoa;
+        if (!btoaFn) {
+            throw new Error('btoa is unavailable');
+        }
+        return btoaFn(String.fromCharCode(...bytes));
+    })();
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+};
+const utf8Encode = (value) => new TextEncoder().encode(value);
+export const createPkceVerifier = () => {
+    const cryptoLike = getCrypto();
+    const bytes = new Uint8Array(32);
+    cryptoLike.getRandomValues(bytes);
+    return toBase64Url(bytes);
+};
+export const createPkceState = () => {
+    const cryptoLike = getCrypto();
+    const bytes = new Uint8Array(16);
+    cryptoLike.getRandomValues(bytes);
+    return toBase64Url(bytes);
+};
+export const createPkceChallenge = async (verifier) => {
+    const cryptoLike = getCrypto();
+    const digest = await cryptoLike.subtle.digest('SHA-256', utf8Encode(verifier));
+    return toBase64Url(new Uint8Array(digest));
+};
+//# sourceMappingURL=pkce.js.map

package/dist/auth/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAUA,MAAM,SAAS,GAAG,GAAkB,EAAE;IACpC,MAAM,SAAS,GAAI,UAAmC,CAAC,MAAM,CAAC;IAC9D,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IACD,MAAM,UAAU,GAAG,SAAmC,CAAC;IACvD,IAAI,OAAO,UAAU,CAAC,eAAe,KAAK,UAAU,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;QAC3E,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,UAA2B,CAAC;AACrC,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,CAAC,KAAiB,EAAU,EAAE;IAChD,MAAM,MAAM,GAAG,CAAC,GAAG,EAAE;QACnB,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,MAAM,GAAI,UAAkD,CAAC,IAAI,CAAC;QACxE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC;IAC/C,CAAC,CAAC,EAAE,CAAC;IACL,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC5E,CAAC,CAAC;AAEF,MAAM,UAAU,GAAG,CAAC,KAAa,EAAc,EAAE,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAElF,MAAM,CAAC,MAAM,kBAAkB,GAAG,GAAW,EAAE;IAC7C,MAAM,UAAU,GAAG,SAAS,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,UAAU,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAClC,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;AAC5B,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,GAAW,EAAE;IAC1C,MAAM,UAAU,GAAG,SAAS,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,UAAU,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAClC,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;AAC5B,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,mBAAmB,GAAG,KAAK,EAAE,QAAgB,EAAmB,EAAE;IAC7E,MAAM,UAAU,GAAG,SAAS,EAAE,CAAC;IAC/B,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/E,OAAO,WAAW,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AAC7C,CAAC,CAAC"}

package/dist/auth/sessionStorage.d.ts

@@ -0,0 +1,8 @@
+type SessionStorageLike = {
+    readonly getItem: (key: string) => string | null;
+    readonly setItem: (key: string, value: string) => void;
+    readonly removeItem: (key: string) => void;
+};
+export declare const getSessionStorage: () => SessionStorageLike;
+export {};
+//# sourceMappingURL=sessionStorage.d.ts.map

package/dist/auth/sessionStorage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessionStorage.d.ts","sourceRoot":"","sources":["../../src/auth/sessionStorage.ts"],"names":[],"mappings":"AAAA,KAAK,kBAAkB,GAAG;IACxB,QAAQ,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;IACjD,QAAQ,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;IACvD,QAAQ,CAAC,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC5C,CAAC;AAEF,eAAO,MAAM,iBAAiB,QAAO,kBAMpC,CAAC"}

package/dist/auth/sessionStorage.js

@@ -0,0 +1,8 @@
+export const getSessionStorage = () => {
+    const storage = globalThis.sessionStorage;
+    if (!storage) {
+        throw new Error('sessionStorage is unavailable');
+    }
+    return storage;
+};
+//# sourceMappingURL=sessionStorage.js.map

package/dist/auth/sessionStorage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessionStorage.js","sourceRoot":"","sources":["../../src/auth/sessionStorage.ts"],"names":[],"mappings":"AAMA,MAAM,CAAC,MAAM,iBAAiB,GAAG,GAAuB,EAAE;IACxD,MAAM,OAAO,GAAI,UAAsD,CAAC,cAAc,CAAC;IACvF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}

package/dist/auth/tokenRequests.d.ts

@@ -0,0 +1,15 @@
+export declare const requestClientCredentialsToken: (params: {
+    readonly tokenEndpoint: string;
+    readonly clientId: string;
+    readonly clientSecret: string;
+    readonly audience: string;
+    readonly scopes: readonly string[];
+}) => Promise<string>;
+export declare const requestAuthorizationCodeToken: (params: {
+    readonly tokenEndpoint: string;
+    readonly clientId: string;
+    readonly redirectUri: string;
+    readonly code: string;
+    readonly verifier: string;
+}) => Promise<string>;
+//# sourceMappingURL=tokenRequests.d.ts.map

package/dist/auth/tokenRequests.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenRequests.d.ts","sourceRoot":"","sources":["../../src/auth/tokenRequests.ts"],"names":[],"mappings":"AAmDA,eAAO,MAAM,6BAA6B,GAAU,QAAQ;IAC1D,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;CACpC,KAAG,OAAO,CAAC,MAAM,CAwBjB,CAAC;AAEF,eAAO,MAAM,6BAA6B,GAAU,QAAQ;IAC1D,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B,KAAG,OAAO,CAAC,MAAM,CAqBjB,CAAC"}

package/dist/auth/tokenRequests.js

@@ -0,0 +1,89 @@
+const isObject = (value) => typeof value === 'object' && value !== null;
+const readOptionalString = (obj, key) => {
+    const value = obj[key];
+    return typeof value === 'string' && value.length > 0 ? value : undefined;
+};
+const readJsonResponse = async (response) => {
+    const text = await response.text();
+    if (text.length === 0)
+        return null;
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return text;
+    }
+};
+const describeOAuthError = (data) => {
+    if (!isObject(data))
+        return undefined;
+    const error = readOptionalString(data, 'error');
+    if (!error)
+        return undefined;
+    const description = readOptionalString(data, 'error_description');
+    return description ? `${error}: ${description}` : error;
+};
+const encodeBase64 = (raw) => {
+    if (typeof Buffer !== 'undefined') {
+        return Buffer.from(raw).toString('base64');
+    }
+    const btoaFn = globalThis.btoa;
+    if (!btoaFn) {
+        throw new Error('btoa is unavailable');
+    }
+    return btoaFn(raw);
+};
+const readAccessToken = (raw) => {
+    if (!isObject(raw)) {
+        throw new Error('Invalid token response: expected object');
+    }
+    const token = readOptionalString(raw, 'access_token');
+    if (!token) {
+        throw new Error('Invalid token response: access_token is required');
+    }
+    return token;
+};
+export const requestClientCredentialsToken = async (params) => {
+    const body = new URLSearchParams({
+        grant_type: 'client_credentials',
+        client_id: params.clientId,
+        scope: params.scopes.join(' '),
+        audience: params.audience,
+    });
+    const basic = encodeBase64(`${params.clientId}:${params.clientSecret}`);
+    const response = await fetch(params.tokenEndpoint, {
+        method: 'POST',
+        headers: {
+            Authorization: `Basic ${basic}`,
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body,
+    });
+    const data = await readJsonResponse(response);
+    if (!response.ok) {
+        const detail = describeOAuthError(data);
+        throw new Error(`Token request failed: HTTP ${response.status}${detail ? ` (${detail})` : ''}`);
+    }
+    return readAccessToken(data);
+};
+export const requestAuthorizationCodeToken = async (params) => {
+    const body = new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: params.clientId,
+        redirect_uri: params.redirectUri,
+        code: params.code,
+        code_verifier: params.verifier,
+    });
+    const response = await fetch(params.tokenEndpoint, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body,
+    });
+    const data = await readJsonResponse(response);
+    if (!response.ok) {
+        const detail = describeOAuthError(data);
+        throw new Error(`Token request failed: HTTP ${response.status}${detail ? ` (${detail})` : ''}`);
+    }
+    return readAccessToken(data);
+};
+//# sourceMappingURL=tokenRequests.js.map

package/dist/auth/tokenRequests.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenRequests.js","sourceRoot":"","sources":["../../src/auth/tokenRequests.ts"],"names":[],"mappings":"AAAA,MAAM,QAAQ,GAAG,CAAC,KAAc,EAAgD,EAAE,CAChF,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,CAAC;AAE9C,MAAM,kBAAkB,GAAG,CACzB,GAAwC,EACxC,GAAW,EACS,EAAE;IACtB,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3E,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAAG,KAAK,EAAE,QAAkB,EAAoB,EAAE;IACtE,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAY,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,kBAAkB,GAAG,CAAC,IAAa,EAAsB,EAAE;IAC/D,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IACtC,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAChD,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,WAAW,GAAG,kBAAkB,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IAClE,OAAO,WAAW,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,WAAW,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;AAC1D,CAAC,CAAC;AAEF,MAAM,YAAY,GAAG,CAAC,GAAW,EAAU,EAAE;IAC3C,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,MAAM,GAAI,UAAkD,CAAC,IAAI,CAAC;IACxE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,CAAC,GAAY,EAAU,EAAE;IAC/C,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IACtD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,6BAA6B,GAAG,KAAK,EAAE,MAMnD,EAAmB,EAAE;IACpB,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QAC9B,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC;IACxE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,aAAa,EAAE;QACjD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,SAAS,KAAK,EAAE;YAC/B,cAAc,EAAE,mCAAmC;SACpD;QACD,IAAI;KACL,CAAC,CAAC;IAEH,MAAM,IAAI,GAAY,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IACvD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,8BAA8B,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,6BAA6B,GAAG,KAAK,EAAE,MAMnD,EAAmB,EAAE;IACpB,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,aAAa,EAAE,MAAM,CAAC,QAAQ;KAC/B,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,aAAa,EAAE;QACjD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACL,CAAC,CAAC;IAEH,MAAM,IAAI,GAAY,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IACvD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,8BAA8B,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC,CAAC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,35 @@
+export type SdkCreateParams = {
+    readonly issuer: string;
+    readonly clientId: string;
+    readonly redirectUri: string;
+    readonly scopes: readonly string[];
+    readonly audience: string;
+} | {
+    readonly scopes: readonly string[];
+    readonly keyfilePath: string;
+};
+export type ApiKeyAuthParams = {
+    readonly workspaceId: string;
+    readonly orgId?: string;
+    readonly userId?: string;
+};
+export type AuthToken = {
+    readonly accessToken: string;
+};
+export type AuthModule = {
+    readonly signIn: () => Promise<void>;
+    readonly signOut: () => void;
+    readonly handleRedirectCallback: () => Promise<void>;
+    readonly getAccessToken: () => Promise<string>;
+    readonly getToken: () => AuthToken | null;
+    /** Returns the workspace ID from the auth context.
+     *  OAuth: decoded from the JWT `ext.workspace_id` or `sub` claim.
+     *  API key: from the `workspaceId` constructor param. */
+    readonly getWorkspaceId: () => Promise<string>;
+    /** Returns all auth-related headers for RPC calls.
+     *  OAuth: { Authorization: 'Bearer ...' }
+     *  API key: { 'X-Api-Key': APIS_API_KEY, 'X-Workspace-Id': '...', ... }
+     *  When absent, falls back to Bearer token from getAccessToken(). */
+    readonly getRequestHeaders?: () => Promise<Readonly<Record<string, string>>>;
+};
+//# sourceMappingURL=types.d.ts.map