@dupecom/botcha-cloudflare 0.18.0 → 0.19.0

package/README.md

@@ -13,7 +13,7 @@ Reverse CAPTCHA that verifies AI agents and blocks humans. Running at the edge.
 - **Dashboard** - Per-app metrics with agent-first auth (device code flow)
 - **JWT security** - 5-min access tokens, refresh tokens, audience claims, IP binding, revocation
 - **Multi-tenant** - Per-app isolation, scoped tokens, rate limiting
-- **Server-side SDKs** - @botcha/verify (TS) + botcha-verify (Python)
+- **Server-side SDKs** - @dupecom/botcha-verify (TS) + botcha-verify (Python)
 
 ## Features
 

package/dist/auth.d.ts

@@ -61,15 +61,40 @@ export interface TokenGenerationOptions {
     clientIp?: string;
     app_id?: string;
 }
+/**
+ * ES256 private key in JWK format
+ * { kty: "EC", crv: "P-256", x: "...", y: "...", d: "..." }
+ */
+export interface ES256SigningKeyJWK {
+    kty: string;
+    crv: string;
+    x: string;
+    y: string;
+    d: string;
+    kid?: string;
+}
+/**
+ * Derive the public key JWK from an ES256 private key JWK.
+ * Strips the `d` (private) parameter and sets standard fields.
+ * Used by the JWKS endpoint to publish the signing key.
+ */
+export declare function getSigningPublicKeyJWK(privateKeyJwk: ES256SigningKeyJWK): Omit<ES256SigningKeyJWK, 'd'> & {
+    kid: string;
+    use: string;
+    alg: string;
+};
 /**
  * Generate JWT tokens (access + refresh) after successful challenge verification
  *
  * Access token: 5 minutes, used for API access
  * Refresh token: 1 hour, used to get new access tokens
+ *
+ * When signingKey (ES256 JWK) is provided, tokens are signed with ES256.
+ * Otherwise falls back to HS256 with the shared secret (backward compat).
  */
 export declare function generateToken(challengeId: string, solveTimeMs: number, secret: string, env?: {
     CHALLENGES: KVNamespace;
-}, options?: TokenGenerationOptions): Promise<TokenCreationResult>;
+}, options?: TokenGenerationOptions, signingKey?: ES256SigningKeyJWK): Promise<TokenCreationResult>;
 /**
  * Revoke a token by its JTI
  *
@@ -81,11 +106,20 @@ export declare function revokeToken(jti: string, env: {
 /**
  * Refresh an access token using a valid refresh token
  *
- * Verifies the refresh token, checks revocation, and issues a new access token
+ * Verifies the refresh token, checks revocation, and issues a new access token.
+ * Supports both ES256 (asymmetric) and HS256 (symmetric) refresh tokens.
  */
 export declare function refreshAccessToken(refreshToken: string, env: {
     CHALLENGES: KVNamespace;
-}, secret: string, options?: TokenGenerationOptions): Promise<{
+}, secret: string, options?: TokenGenerationOptions, signingKey?: ES256SigningKeyJWK, publicKey?: {
+    kty: string;
+    crv: string;
+    x: string;
+    y: string;
+    kid?: string;
+    use?: string;
+    alg?: string;
+}): Promise<{
     success: boolean;
     tokens?: Omit<TokenCreationResult, 'refresh_token' | 'refresh_expires_in'> & {
         access_token: string;
@@ -96,6 +130,9 @@ export declare function refreshAccessToken(refreshToken: string, env: {
 /**
  * Verify a JWT token with security checks
  *
+ * Supports both ES256 (asymmetric) and HS256 (symmetric) tokens.
+ * The algorithm is detected from the token's protected header.
+ *
  * Checks:
  * - Token signature and expiry
  * - Revocation status (via JTI)
@@ -107,6 +144,14 @@ export declare function verifyToken(token: string, secret: string, env?: {
 }, options?: {
     requiredAud?: string;
     clientIp?: string;
+}, publicKey?: {
+    kty: string;
+    crv: string;
+    x: string;
+    y: string;
+    kid?: string;
+    use?: string;
+    alg?: string;
 }): Promise<{
     valid: boolean;
     payload?: BotchaTokenPayload;

package/dist/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACzC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrF,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,iBAAiB,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,gBAAgB,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,GAAG,CAAC,EAAE;IAAE,UAAU,EAAE,WAAW,CAAA;CAAE,EACjC,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,mBAAmB,CAAC,CAmF9B;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,EACX,GAAG,EAAE;IAAE,UAAU,EAAE,WAAW,CAAA;CAAE,GAC/B,OAAO,CAAC,IAAI,CAAC,CAUf;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE;IAAE,UAAU,EAAE,WAAW,CAAA;CAAE,EAChC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,IAAI,CAAC,mBAAmB,EAAE,eAAe,GAAG,oBAAoB,CAAC,GAAG;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA0G1K;AAED;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,GAAG,CAAC,EAAE;IAAE,UAAU,EAAE,WAAW,CAAA;CAAE,EACjC,OAAO,CAAC,EAAE;IACR,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,kBAAkB,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6E3E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKrE"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACzC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrF,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,iBAAiB,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,gBAAgB,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,aAAa,EAAE,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,EAAE,GAAG,CAAC,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAQnJ;AAED;;;;;;;;GAQG;AACH,wBAAsB,aAAa,CACjC,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,GAAG,CAAC,EAAE;IAAE,UAAU,EAAE,WAAW,CAAA;CAAE,EACjC,OAAO,CAAC,EAAE,sBAAsB,EAChC,UAAU,CAAC,EAAE,kBAAkB,GAC9B,OAAO,CAAC,mBAAmB,CAAC,CAgG9B;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,EACX,GAAG,EAAE;IAAE,UAAU,EAAE,WAAW,CAAA;CAAE,GAC/B,OAAO,CAAC,IAAI,CAAC,CAUf;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE;IAAE,UAAU,EAAE,WAAW,CAAA;CAAE,EAChC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,sBAAsB,EAChC,UAAU,CAAC,EAAE,kBAAkB,EAC/B,SAAS,CAAC,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,CAAC,EAAE,MAAM,CAAC;IAAC,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GACvG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,IAAI,CAAC,mBAAmB,EAAE,eAAe,GAAG,oBAAoB,CAAC,GAAG;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAiI1K;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,GAAG,CAAC,EAAE;IAAE,UAAU,EAAE,WAAW,CAAA;CAAE,EACjC,OAAO,CAAC,EAAE;IACR,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,EACD,SAAS,CAAC,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,CAAC,EAAE,MAAM,CAAC;IAAC,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GACvG,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,kBAAkB,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAyF3E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKrE"}

package/dist/auth.js

@@ -8,16 +8,44 @@
  * - Short-lived access tokens (5 min) with refresh tokens (1 hour)
  * - Token revocation via KV storage
  */
-import { SignJWT, jwtVerify } from 'jose';
+import { SignJWT, jwtVerify, importJWK, decodeProtectedHeader } from 'jose';
+/**
+ * Derive the public key JWK from an ES256 private key JWK.
+ * Strips the `d` (private) parameter and sets standard fields.
+ * Used by the JWKS endpoint to publish the signing key.
+ */
+export function getSigningPublicKeyJWK(privateKeyJwk) {
+    const { d: _d, ...publicKey } = privateKeyJwk;
+    return {
+        ...publicKey,
+        kid: privateKeyJwk.kid || 'botcha-signing-1',
+        use: 'sig',
+        alg: 'ES256',
+    };
+}
 /**
  * Generate JWT tokens (access + refresh) after successful challenge verification
  *
  * Access token: 5 minutes, used for API access
  * Refresh token: 1 hour, used to get new access tokens
+ *
+ * When signingKey (ES256 JWK) is provided, tokens are signed with ES256.
+ * Otherwise falls back to HS256 with the shared secret (backward compat).
  */
-export async function generateToken(challengeId, solveTimeMs, secret, env, options) {
-    const encoder = new TextEncoder();
-    const secretKey = encoder.encode(secret);
+export async function generateToken(challengeId, solveTimeMs, secret, env, options, signingKey) {
+    // Determine signing algorithm and key
+    let signKey;
+    let protectedHeader;
+    if (signingKey) {
+        // ES256 asymmetric signing
+        signKey = await importJWK(signingKey, 'ES256');
+        protectedHeader = { alg: 'ES256', kid: signingKey.kid || 'botcha-signing-1' };
+    }
+    else {
+        // HS256 symmetric signing (legacy fallback)
+        signKey = new TextEncoder().encode(secret);
+        protectedHeader = { alg: 'HS256' };
+    }
     // Generate unique JTIs for both tokens
     const accessJti = crypto.randomUUID();
     const refreshJti = crypto.randomUUID();
@@ -38,11 +66,12 @@ export async function generateToken(challengeId, solveTimeMs, secret, env, optio
         accessTokenPayload.app_id = options.app_id;
     }
     const accessToken = await new SignJWT(accessTokenPayload)
-        .setProtectedHeader({ alg: 'HS256' })
+        .setProtectedHeader(protectedHeader)
         .setSubject(challengeId)
+        .setIssuer('botcha.ai')
         .setIssuedAt()
         .setExpirationTime('5m') // 5 minutes
-        .sign(secretKey);
+        .sign(signKey);
     // Refresh token: 1 hour
     const refreshTokenPayload = {
         type: 'botcha-refresh',
@@ -54,11 +83,12 @@ export async function generateToken(challengeId, solveTimeMs, secret, env, optio
         refreshTokenPayload.app_id = options.app_id;
     }
     const refreshToken = await new SignJWT(refreshTokenPayload)
-        .setProtectedHeader({ alg: 'HS256' })
+        .setProtectedHeader(protectedHeader)
         .setSubject(challengeId)
+        .setIssuer('botcha.ai')
         .setIssuedAt()
         .setExpirationTime('1h') // 1 hour
-        .sign(secretKey);
+        .sign(signKey);
     // Store refresh token JTI in KV if env provided (for revocation tracking)
     // Also store aud, client_ip, and app_id so they carry over on refresh
     if (env?.CHALLENGES) {
@@ -105,15 +135,26 @@ export async function revokeToken(jti, env) {
 /**
  * Refresh an access token using a valid refresh token
  *
- * Verifies the refresh token, checks revocation, and issues a new access token
+ * Verifies the refresh token, checks revocation, and issues a new access token.
+ * Supports both ES256 (asymmetric) and HS256 (symmetric) refresh tokens.
  */
-export async function refreshAccessToken(refreshToken, env, secret, options) {
+export async function refreshAccessToken(refreshToken, env, secret, options, signingKey, publicKey) {
     try {
-        const encoder = new TextEncoder();
-        const secretKey = encoder.encode(secret);
+        // Detect algorithm from token header and verify accordingly
+        const header = decodeProtectedHeader(refreshToken);
+        let verifyKey;
+        let algorithms;
+        if (header.alg === 'ES256' && publicKey) {
+            verifyKey = await importJWK(publicKey, 'ES256');
+            algorithms = ['ES256'];
+        }
+        else {
+            verifyKey = new TextEncoder().encode(secret);
+            algorithms = ['HS256'];
+        }
         // Verify refresh token
-        const { payload } = await jwtVerify(refreshToken, secretKey, {
-            algorithms: ['HS256'],
+        const { payload } = await jwtVerify(refreshToken, verifyKey, {
+            algorithms,
         });
         // Check token type
         if (payload.type !== 'botcha-refresh') {
@@ -168,6 +209,17 @@ export async function refreshAccessToken(refreshToken, env, secret, options) {
                 console.error('Failed to verify refresh token in KV:', error);
             }
         }
+        // Determine signing algorithm and key for the new access token
+        let signKey;
+        let protectedHeaderObj;
+        if (signingKey) {
+            signKey = await importJWK(signingKey, 'ES256');
+            protectedHeaderObj = { alg: 'ES256', kid: signingKey.kid || 'botcha-signing-1' };
+        }
+        else {
+            signKey = new TextEncoder().encode(secret);
+            protectedHeaderObj = { alg: 'HS256' };
+        }
         // Generate new access token
         const newAccessJti = crypto.randomUUID();
         const accessTokenPayload = {
@@ -189,11 +241,12 @@ export async function refreshAccessToken(refreshToken, env, secret, options) {
             accessTokenPayload.app_id = effectiveAppId;
         }
         const accessToken = await new SignJWT(accessTokenPayload)
-            .setProtectedHeader({ alg: 'HS256' })
+            .setProtectedHeader(protectedHeaderObj)
             .setSubject(payload.sub || '')
+            .setIssuer('botcha.ai')
             .setIssuedAt()
             .setExpirationTime('5m') // 5 minutes
-            .sign(secretKey);
+            .sign(signKey);
         return {
             success: true,
             tokens: {
@@ -212,18 +265,33 @@ export async function refreshAccessToken(refreshToken, env, secret, options) {
 /**
  * Verify a JWT token with security checks
  *
+ * Supports both ES256 (asymmetric) and HS256 (symmetric) tokens.
+ * The algorithm is detected from the token's protected header.
+ *
  * Checks:
  * - Token signature and expiry
  * - Revocation status (via JTI)
  * - Audience claim (if provided)
  * - Client IP binding (if provided)
  */
-export async function verifyToken(token, secret, env, options) {
+export async function verifyToken(token, secret, env, options, publicKey) {
     try {
-        const encoder = new TextEncoder();
-        const secretKey = encoder.encode(secret);
-        const { payload } = await jwtVerify(token, secretKey, {
-            algorithms: ['HS256'],
+        // Detect algorithm from the token header
+        const header = decodeProtectedHeader(token);
+        let verifyKey;
+        let algorithms;
+        if (header.alg === 'ES256' && publicKey) {
+            // ES256 asymmetric verification
+            verifyKey = await importJWK(publicKey, 'ES256');
+            algorithms = ['ES256'];
+        }
+        else {
+            // HS256 symmetric verification (legacy/fallback)
+            verifyKey = new TextEncoder().encode(secret);
+            algorithms = ['HS256'];
+        }
+        const { payload } = await jwtVerify(token, verifyKey, {
+            algorithms,
         });
         // Check token type (must be access token, not refresh token)
         if (payload.type !== 'botcha-verified') {

package/dist/dashboard/docs.d.ts

@@ -0,0 +1,15 @@
+/**
+ * BOTCHA API Documentation Page
+ *
+ * Public API docs at /docs — no authentication required.
+ * Renders all endpoints grouped by category with request/response
+ * examples, install instructions, and quick-start guides.
+ *
+ * Follows the ShowcasePage pattern: self-contained JSX with own
+ * HTML shell, inline CSS, and the shared DASHBOARD_CSS base.
+ */
+import type { FC } from 'hono/jsx';
+export declare const DocsPage: FC<{
+    version: string;
+}>;
+//# sourceMappingURL=docs.d.ts.map

package/dist/dashboard/docs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"docs.d.ts","sourceRoot":"","sources":["../../src/dashboard/docs.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,UAAU,CAAC;AAsbnC,eAAO,MAAM,QAAQ,EAAE,EAAE,CAAC;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,CAqpB5C,CAAC"}