@dwk/solid-pod 0.1.0-beta.0

package/LICENSE

@@ -0,0 +1,15 @@
+ISC License
+
+Copyright (c) 2026 David W. Keith
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -0,0 +1,108 @@
+# `@dwk/solid-pod`
+
+> Edge-native Solid Pod: LDP verbs, content negotiation, N3 Patch, WAC, notifications. Ships the per-pod Durable Object.
+
+Part of the [`@dwk` IndieWeb + Solid cohort](../../README.md). See the
+[package specification](../../spec/packages/solid-pod.md) for the full requirements.
+
+An edge-native [Solid](https://solidproject.org/TR/protocol) Pod: a stateless
+Worker front door over a per-pod **Durable Object** that is the consistency,
+authorization, and notification authority, with **R2** for blob bodies. This is
+the only `@dwk` package that ships a Durable Object. It composes the reusable
+libraries [`@dwk/dpop`](../dpop) (edge DPoP validation), [`@dwk/rdf`](../rdf)
+(Turtle/JSON-LD), [`@dwk/wac`](../wac) (access control), and
+[`@dwk/store`](../store) (DO-SQLite quads + R2 copy-on-write blobs).
+
+## What it does
+
+- **LDP** — `GET / HEAD / OPTIONS / PUT / POST / PATCH / DELETE` with resource
+  and basic-container semantics (`ldp:contains`).
+- **Content negotiation** — Turtle and JSON-LD (plus the other Turtle-family
+  types) on read, via `@dwk/rdf`.
+- **N3 Patch / `application/sparql-update`** — `solid:where` is matched against
+  the current graph with minimal (non-SPARQL) semantics: no exact single
+  binding ⇒ **409**; `deletes` then `inserts` apply in one SQLite transaction.
+- **Web Access Control** — walks to the nearest effective `.acl`
+  (`acl:accessTo` / `acl:default`), evaluating `Read`/`Write`/`Append`/`Control`,
+  agents, groups, `acl:agentClass foaf:Agent`, and `acl:origin` via `@dwk/wac`.
+  `Append` authorizes insert-only patches; any delete requires `Write`. The pod
+  `owner` always has full access (bootstraps `.acl` management).
+- **Auth (Resource Server)** — DPoP-bound bearer tokens validated at the edge
+  (issuer JWKS pinned by `kid`, header `typ: at+jwt`, `aud`/`exp`/`nbf`/`webid`,
+  proof `htu`/`htm`/`ath`/`cnf.jkt`). Strict
+  single-use `jti` replay is enforced in the DO for **writes**, pruned by expiry;
+  reads do not consume a `jti` (a documented tradeoff).
+- **Concurrency** — all writes funnel through the single-threaded DO; the
+  `If-Match` / `If-None-Match` (create-only) check and the write are
+  TOCTOU-free, evaluated inside the store's write transaction. Deleting a
+  non-empty container is likewise rejected inside that transaction.
+- **Oversized / binary bodies** — content-addressed R2 copy-on-write with an
+  atomic DO pointer flip; orphaned keys are reclaimed by an out-of-band GC cron
+  (`createSolidPodGc`), never by waking a DO.
+- **Notifications** — Solid Notifications over WebSocket channels on the DO's
+  hibernatable WebSockets (v1 channels carry the changed resource IRI only).
+
+v1 is a **Resource Server only** (no OIDC OP) and runs **one Durable Object per
+pod** (no sharding).
+
+## Usage
+
+```ts
+import { createSolidPod, createSolidPodGc, SolidPodObject } from "@dwk/solid-pod";
+
+const pod = createSolidPod({
+  baseUrl: "https://pod.example",
+  issuer: "https://issuer.example",
+  jwksUri: "https://issuer.example/jwks",
+  owner: "https://pod.example/profile/card#me",
+});
+
+const gc = createSolidPodGc({
+  baseUrl: "https://pod.example",
+  gcSafetyWindowMs: 300_000,
+});
+
+export default {
+  fetch: pod,
+  scheduled: gc,
+};
+
+// Bind the per-pod Durable Object class in your Worker.
+export { SolidPodObject };
+```
+
+### Required bindings & `wrangler.toml`
+
+```toml
+compatibility_date = "2025-01-01"
+# N3.js (via @dwk/rdf) uses Node's stream/buffer; the pod runs the parser in the DO.
+compatibility_flags = ["nodejs_compat"]
+
+[[durable_objects.bindings]]
+name = "POD"
+class_name = "SolidPodObject"
+
+[[migrations]]
+tag = "v1"
+new_sqlite_classes = ["SolidPodObject"]
+
+[[r2_buckets]]
+binding = "BLOBS"
+bucket_name = "solid-pod-blobs"
+
+# Optional: shared D1 table for out-of-band R2 garbage collection.
+[[d1_databases]]
+binding = "GC_DB"
+database_name = "solid-pod-gc"
+
+[triggers]
+crons = ["*/5 * * * *"]
+```
+
+The `POD` (Durable Object) and `BLOBS` (R2) bindings are required; the handler
+**fails loudly** at startup if either is missing. `GC_DB` (D1) is optional — when
+bound, the DO forwards orphaned blob keys to it for the GC cron to reclaim.
+
+## License
+
+[ISC](../../LICENSE)

package/dist/auth.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Edge authentication for the Resource Server: validate a DPoP-bound bearer
+ * token and its proof at the Worker front door, before any request reaches the
+ * per-pod Durable Object.
+ *
+ * A request with no credentials is allowed through unauthenticated — WAC then
+ * decides whether the resource is public. A request that *presents* credentials
+ * must pass fully or it is rejected `401`: the token signature (issuer JWKS),
+ * the `iss` / `aud` / `exp` / `webid` claims, and the RFC 9449 DPoP proof
+ * binding (`htu` / `htm` / `ath` / `cnf.jkt`) via `@dwk/dpop`.
+ */
+import type { AuthContext, ResolvedConfig } from "./config";
+/** A stable reason an authentication attempt failed (for `WWW-Authenticate`). */
+export type AuthFailureReason = "no_jwks" | "token_malformed" | "token_type_invalid" | "signature_invalid" | "issuer_mismatch" | "audience_mismatch" | "token_expired" | "token_not_yet_valid" | "webid_missing" | "cnf_missing" | "dpop_missing" | "dpop_invalid";
+/** Outcome of {@link authenticate}: a context, an explicit failure, or "no creds". */
+export type AuthResult = {
+    readonly kind: "authenticated";
+    readonly context: AuthContext;
+} | {
+    readonly kind: "anonymous";
+} | {
+    readonly kind: "rejected";
+    readonly reason: AuthFailureReason;
+};
+/**
+ * Authenticate a request at the edge.
+ *
+ * Returns `anonymous` when no credentials are presented, `authenticated` with
+ * the verified {@link AuthContext} on success, and `rejected` with a stable
+ * reason on any failure of a *presented* credential.
+ */
+export declare function authenticate(request: Request, config: ResolvedConfig): Promise<AuthResult>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAG5D,iFAAiF;AACjF,MAAM,MAAM,iBAAiB,GACzB,SAAS,GACT,iBAAiB,GACjB,oBAAoB,GACpB,mBAAmB,GACnB,iBAAiB,GACjB,mBAAmB,GACnB,eAAe,GACf,qBAAqB,GACrB,eAAe,GACf,aAAa,GACb,cAAc,GACd,cAAc,CAAC;AAEnB,sFAAsF;AACtF,MAAM,MAAM,UAAU,GAClB;IAAE,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAA;CAAE,GACjE;IAAE,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GAC9B;IAAE,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,iBAAiB,CAAA;CAAE,CAAC;AAuEtE;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,UAAU,CAAC,CAqFrB"}

package/dist/auth.js

@@ -0,0 +1,160 @@
+/**
+ * Edge authentication for the Resource Server: validate a DPoP-bound bearer
+ * token and its proof at the Worker front door, before any request reaches the
+ * per-pod Durable Object.
+ *
+ * A request with no credentials is allowed through unauthenticated — WAC then
+ * decides whether the resource is public. A request that *presents* credentials
+ * must pass fully or it is rejected `401`: the token signature (issuer JWKS),
+ * the `iss` / `aud` / `exp` / `webid` claims, and the RFC 9449 DPoP proof
+ * binding (`htu` / `htm` / `ath` / `cnf.jkt`) via `@dwk/dpop`.
+ */
+import { verifyDpopProof } from "@dwk/dpop";
+import { decodeJwt, verifyJwtSignature } from "./jwt";
+const JWKS_TTL_MS = 5 * 60 * 1000;
+const jwksCache = new Map();
+/** Resolve the issuer verification keys: static config first, then cached fetch. */
+async function resolveJwks(config) {
+    if (config.jwks && config.jwks.length > 0)
+        return config.jwks;
+    if (!config.jwksUri)
+        return null;
+    const now = config.now();
+    const cached = jwksCache.get(config.jwksUri);
+    if (cached && now - cached.fetchedAt < JWKS_TTL_MS)
+        return cached.keys;
+    try {
+        const response = await config.fetch(config.jwksUri);
+        if (!response.ok)
+            return cached?.keys ?? null;
+        const body = (await response.json());
+        // Only cache a well-formed JWKS; caching an empty/garbled body would poison
+        // verification for the whole TTL and discard the last good keys.
+        if (!Array.isArray(body.keys))
+            return cached?.keys ?? null;
+        jwksCache.set(config.jwksUri, { keys: body.keys, fetchedAt: now });
+        return body.keys;
+    }
+    catch {
+        // A transient fetch failure falls back to the last good keys if we have
+        // them, rather than failing closed on every request mid-outage.
+        return cached?.keys ?? null;
+    }
+}
+/** Extract the `DPoP <token>` (or `Bearer <token>`) value, if present. */
+function bearerToken(request) {
+    const header = request.headers.get("authorization");
+    if (!header)
+        return null;
+    const match = /^(DPoP|Bearer)\s+(.+)$/i.exec(header.trim());
+    return match ? match[2] : null;
+}
+/**
+ * Whether the token header's `typ` is the required access-token type. Compared
+ * case-insensitively and tolerant of the `application/at+jwt` media-type form,
+ * since RFC 9068 permits either the full media type or its `at+jwt` short form.
+ */
+function tokenTypeMatches(typ, required) {
+    if (typeof typ !== "string")
+        return false;
+    const normalize = (value) => {
+        const lower = value.toLowerCase();
+        return lower.startsWith("application/")
+            ? lower.slice("application/".length)
+            : lower;
+    };
+    return normalize(typ) === normalize(required);
+}
+/** Whether the token's `aud` claim intersects the accepted audience set. */
+function audienceMatches(aud, accepted) {
+    const values = Array.isArray(aud)
+        ? aud.filter((a) => typeof a === "string")
+        : typeof aud === "string"
+            ? [aud]
+            : [];
+    return values.some((a) => accepted.includes(a));
+}
+/**
+ * Authenticate a request at the edge.
+ *
+ * Returns `anonymous` when no credentials are presented, `authenticated` with
+ * the verified {@link AuthContext} on success, and `rejected` with a stable
+ * reason on any failure of a *presented* credential.
+ */
+export async function authenticate(request, config) {
+    // A deployer-supplied hook fully replaces the built-in verifier.
+    if (config.authenticate) {
+        const context = await config.authenticate(request);
+        return context ? { kind: "authenticated", context } : { kind: "anonymous" };
+    }
+    const token = bearerToken(request);
+    if (!token)
+        return { kind: "anonymous" };
+    const decoded = decodeJwt(token);
+    if (!decoded)
+        return { kind: "rejected", reason: "token_malformed" };
+    const jwks = await resolveJwks(config);
+    if (!jwks || jwks.length === 0)
+        return { kind: "rejected", reason: "no_jwks" };
+    if (!(await verifyJwtSignature(decoded, jwks))) {
+        return { kind: "rejected", reason: "signature_invalid" };
+    }
+    // Enforce the access-token `typ` (`at+jwt`) so an ID token or other
+    // issuer-signed JWT sharing this `iss`/`aud`/`webid` cannot be replayed as an
+    // access token. Skipped when the deployer opts out via `accessTokenType: null`.
+    if (config.accessTokenType !== null &&
+        !tokenTypeMatches(decoded.header.typ, config.accessTokenType)) {
+        return { kind: "rejected", reason: "token_type_invalid" };
+    }
+    const { iss, aud, exp, nbf, webid, sub, cnf } = decoded.payload;
+    if (config.issuer !== undefined && iss !== config.issuer) {
+        return { kind: "rejected", reason: "issuer_mismatch" };
+    }
+    if (!audienceMatches(aud, config.audience)) {
+        return { kind: "rejected", reason: "audience_mismatch" };
+    }
+    const now = Math.floor(config.now() / 1000);
+    if (typeof exp !== "number" || now >= exp) {
+        return { kind: "rejected", reason: "token_expired" };
+    }
+    // Honor `nbf` when present: a token is not valid before its not-before time.
+    // Per RFC 7519 §4.1.5 `nbf` MUST be a number; a present-but-malformed value is
+    // rejected rather than silently bypassed (mirrors the `exp` handling above).
+    if (nbf !== undefined && (typeof nbf !== "number" || now < nbf)) {
+        return { kind: "rejected", reason: "token_not_yet_valid" };
+    }
+    // Solid-OIDC carries the agent identity in `webid`; fall back to `sub`.
+    const agent = typeof webid === "string"
+        ? webid
+        : typeof sub === "string"
+            ? sub
+            : undefined;
+    if (agent === undefined)
+        return { kind: "rejected", reason: "webid_missing" };
+    const jkt = typeof cnf === "object" &&
+        cnf !== null &&
+        typeof cnf.jkt === "string"
+        ? cnf.jkt
+        : undefined;
+    if (jkt === undefined)
+        return { kind: "rejected", reason: "cnf_missing" };
+    const proof = request.headers.get("dpop");
+    if (!proof)
+        return { kind: "rejected", reason: "dpop_missing" };
+    const dpop = await verifyDpopProof({
+        proof,
+        htm: request.method,
+        htu: request.url,
+        accessToken: token,
+        expectedJkt: jkt,
+        now,
+    });
+    if (!dpop.valid || !dpop.jti || !dpop.jkt) {
+        return { kind: "rejected", reason: "dpop_invalid" };
+    }
+    return {
+        kind: "authenticated",
+        context: { webid: agent, jti: dpop.jti, jkt: dpop.jkt },
+    };
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAG5C,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AA4BtD,MAAM,WAAW,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAClC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAsB,CAAC;AAEhD,oFAAoF;AACpF,KAAK,UAAU,WAAW,CACxB,MAAsB;IAEtB,IAAI,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC;IAC9D,IAAI,CAAC,MAAM,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAEjC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,GAAG,WAAW;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC;IAEvE,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACpD,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,MAAM,EAAE,IAAI,IAAI,IAAI,CAAC;QAC9C,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;QAChE,4EAA4E;QAC5E,iEAAiE;QACjE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,MAAM,EAAE,IAAI,IAAI,IAAI,CAAC;QAC3D,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,wEAAwE;QACxE,gEAAgE;QAChE,OAAO,MAAM,EAAE,IAAI,IAAI,IAAI,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,0EAA0E;AAC1E,SAAS,WAAW,CAAC,OAAgB;IACnC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACpD,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,KAAK,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5D,OAAO,KAAK,CAAC,CAAC,CAAE,KAAK,CAAC,CAAC,CAAY,CAAC,CAAC,CAAC,IAAI,CAAC;AAC7C,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,GAAY,EAAE,QAAgB;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,SAAS,GAAG,CAAC,KAAa,EAAU,EAAE;QAC1C,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAClC,OAAO,KAAK,CAAC,UAAU,CAAC,cAAc,CAAC;YACrC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,CAAC;YACpC,CAAC,CAAC,KAAK,CAAC;IACZ,CAAC,CAAC;IACF,OAAO,SAAS,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,QAAQ,CAAC,CAAC;AAChD,CAAC;AAED,4EAA4E;AAC5E,SAAS,eAAe,CAAC,GAAY,EAAE,QAA2B;IAChE,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAC/B,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QACvD,CAAC,CAAC,OAAO,GAAG,KAAK,QAAQ;YACvB,CAAC,CAAC,CAAC,GAAG,CAAC;YACP,CAAC,CAAC,EAAE,CAAC;IACT,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAgB,EAChB,MAAsB;IAEtB,iEAAiE;IACjE,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACnD,OAAO,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;IAC9E,CAAC;IAED,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACnC,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;IAEzC,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAErE,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAC5B,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAEjD,IAAI,CAAC,CAAC,MAAM,kBAAkB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC;QAC/C,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IAC3D,CAAC;IAED,oEAAoE;IACpE,8EAA8E;IAC9E,gFAAgF;IAChF,IACE,MAAM,CAAC,eAAe,KAAK,IAAI;QAC/B,CAAC,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,eAAe,CAAC,EAC7D,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAChE,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,IAAI,GAAG,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;QACzD,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACzD,CAAC;IACD,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3C,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IAC3D,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC5C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,IAAI,GAAG,EAAE,CAAC;QAC1C,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACvD,CAAC;IACD,6EAA6E;IAC7E,+EAA+E;IAC/E,6EAA6E;IAC7E,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,GAAG,GAAG,CAAC,EAAE,CAAC;QAChE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IAC7D,CAAC;IAED,wEAAwE;IACxE,MAAM,KAAK,GACT,OAAO,KAAK,KAAK,QAAQ;QACvB,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,OAAO,GAAG,KAAK,QAAQ;YACvB,CAAC,CAAC,GAAG;YACL,CAAC,CAAC,SAAS,CAAC;IAClB,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAE9E,MAAM,GAAG,GACP,OAAO,GAAG,KAAK,QAAQ;QACvB,GAAG,KAAK,IAAI;QACZ,OAAQ,GAA+B,CAAC,GAAG,KAAK,QAAQ;QACtD,CAAC,CAAG,GAA+B,CAAC,GAAc;QAClD,CAAC,CAAC,SAAS,CAAC;IAChB,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IAE1E,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAEhE,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC;QACjC,KAAK;QACL,GAAG,EAAE,OAAO,CAAC,MAAM;QACnB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,GAAG;QAChB,GAAG;KACJ,CAAC,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;QAC1C,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IACtD,CAAC;IAED,OAAO;QACL,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE;KACxD,CAAC;AACJ,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,181 @@
+/**
+ * Configuration, the declared Cloudflare `Env` fragment, and config resolution
+ * for `@dwk/solid-pod`.
+ *
+ * Per the composition contract, the package never reads the global environment
+ * directly: all tunables (base URL, token issuer/JWKS, accepted audience,
+ * offload threshold, replay/GC windows) are passed into {@link createSolidPod}
+ * and {@link createSolidPodGc}, so a pod can be instantiated multiple times and
+ * unit-tested in isolation. The Cloudflare bindings — the per-pod Durable
+ * Object namespace and the R2 blob bucket — are the only runtime coupling, and
+ * a missing one fails loudly at startup.
+ */
+import { type Logger, type Metrics } from "@dwk/log";
+import type { SolidPodObject } from "./pod";
+/** Cloudflare bindings required by the Solid Pod handler and Durable Object. */
+export interface SolidPodEnv {
+    /** Durable Object namespace for the per-pod class ({@link SolidPodObject}). */
+    readonly POD: DurableObjectNamespace<SolidPodObject>;
+    /** R2 bucket holding blob bodies. */
+    readonly BLOBS: R2Bucket;
+    /**
+     * Shared D1 database tracking orphaned blob keys for the out-of-band GC cron.
+     * Optional: when bound, the DO opportunistically forwards its transactional
+     * orphan outbox here after writes so {@link createSolidPodGc} can reclaim them
+     * without ever waking a Durable Object.
+     */
+    readonly GC_DB?: D1Database;
+}
+/** Cloudflare bindings required by the out-of-band R2 garbage-collection cron. */
+export interface SolidPodGcEnv {
+    /** R2 bucket holding blob bodies. */
+    readonly BLOBS: R2Bucket;
+    /** Shared D1 database tracking orphaned blob keys (see `@dwk/store`). */
+    readonly GC_DB: D1Database;
+}
+/**
+ * A verification key set used to validate issuer-signed access tokens. Supply
+ * either static {@link SolidPodConfig.jwks} (hermetic, no network) or a
+ * {@link SolidPodConfig.jwksUri} the handler fetches and caches.
+ */
+export type Jwks = readonly JsonWebKey[];
+/** Configuration passed to {@link createSolidPod}. */
+export interface SolidPodConfig {
+    /**
+     * The pod's identity root / base URL, e.g. `https://pod.example`. Used as the
+     * origin for absolute resource IRIs in WAC and content negotiation, and as
+     * the default token audience. No trailing slash.
+     */
+    readonly baseUrl: string;
+    /**
+     * The pod owner's WebID(s). An owner is always granted full access
+     * (`Read`/`Write`/`Append`/`Control`) regardless of ACLs, which bootstraps
+     * ACL management — without it, no one could create the first `.acl`.
+     */
+    readonly owner?: string | readonly string[];
+    /**
+     * Accepted access-token issuer (`iss`). When set, a token whose `iss` differs
+     * is rejected. Required unless a custom {@link SolidPodConfig.authenticate}
+     * hook is supplied.
+     */
+    readonly issuer?: string;
+    /**
+     * Accepted token audience(s) (`aud`). A token is accepted when its `aud`
+     * intersects this set. Defaults to `["solid", baseUrl]`.
+     */
+    readonly audience?: string | readonly string[];
+    /**
+     * Required access-token header `typ`. Solid-OIDC / RFC 9068 access tokens
+     * carry `typ: at+jwt`; enforcing it stops an ID token or other issuer-signed
+     * JWT sharing the same `iss`/`aud`/`webid` from being replayed as an access
+     * token (token-type confusion). Compared case-insensitively, tolerating the
+     * `application/at+jwt` media-type form. Set to `null` to skip the check for
+     * issuers that omit `typ`. Defaults to `"at+jwt"`.
+     */
+    readonly accessTokenType?: string | null;
+    /** Static JWK verification keys for the issuer (hermetic alternative to {@link jwksUri}). */
+    readonly jwks?: Jwks;
+    /** Issuer JWKS endpoint; fetched and cached when {@link jwks} is not given. */
+    readonly jwksUri?: string;
+    /**
+     * Bodies larger than this (bytes) are offloaded to R2 as opaque blobs instead
+     * of the DO SQLite quad store. Defaults to the ~2 MB DO-cell ceiling.
+     */
+    readonly maxInlineBytes?: number;
+    /**
+     * The documented read-replay tradeoff: reads MAY reuse a DPoP proof within
+     * this many seconds (edge-cached window) rather than enforcing strict
+     * single-use `jti`. Writes are always strict. Defaults to `0` (strict reads).
+     */
+    readonly readReplayWindowSeconds?: number;
+    /**
+     * Allow **unauthenticated** writes (`PUT`/`POST`/`PATCH`/`DELETE`) when WAC
+     * grants the public agent class (`acl:agentClass foaf:Agent`) the needed
+     * mode. Such requests carry no DPoP proof, so they get **no `jti` replay /
+     * anti-abuse protection** — the "DPoP everywhere" guarantee does not hold for
+     * them. Defaults to `false`: a tokenless write is refused `401` even where a
+     * public-write ACL would otherwise permit it. Set `true` to opt into
+     * public write as an explicit, documented tradeoff.
+     */
+    readonly allowAnonymousWrites?: boolean;
+    /**
+     * GC safety window (ms) advertised to the cron handler; an orphaned R2 object
+     * is only reclaimed once it is older than this. MUST be ≥ the maximum write
+     * duration. Defaults to five minutes.
+     */
+    readonly gcSafetyWindowMs?: number;
+    /** Injectable clock (epoch ms) for deterministic tests. Defaults to `Date.now`. */
+    readonly now?: () => number;
+    /** `fetch` implementation used to resolve {@link jwksUri}; defaults to global `fetch`. */
+    readonly fetch?: typeof fetch;
+    /**
+     * Override the edge authentication step entirely. When provided, the handler
+     * calls this instead of the built-in JWKS + DPoP validation — useful for
+     * tests and for issuers the default verifier does not cover. Returning
+     * `null` means "no/invalid credentials" and the request proceeds
+     * unauthenticated (WAC then decides public access).
+     */
+    readonly authenticate?: (request: Request) => Promise<AuthContext | null> | AuthContext | null;
+    /**
+     * Logger for auth/authz events; defaults to a no-op. Wired once here at the
+     * composition boundary (see `@dwk/log`) to surface edge-authentication
+     * rejections and the Durable Object's WAC denials, anonymous-write refusals,
+     * and DPoP replay rejections instead of swallowing them.
+     */
+    readonly logger?: Logger;
+    /**
+     * Metrics sink for the same events; defaults to a no-op. Wire an adapter (e.g.
+     * `analyticsEngineMetrics` from `@dwk/log`) to chart what the logger names —
+     * auth rejections by reason, WAC denials/min, replay rejections.
+     */
+    readonly metrics?: Metrics;
+}
+/** The authenticated facts the front door hands to the Durable Object. */
+export interface AuthContext {
+    /** The authenticated agent's WebID. */
+    readonly webid: string;
+    /** The verified DPoP proof's `jti`, for write replay enforcement in the DO. */
+    readonly jti: string;
+    /** The DPoP key thumbprint the token is bound to (`cnf.jkt`). */
+    readonly jkt: string;
+}
+/** Fully-resolved configuration with defaults applied. */
+export interface ResolvedConfig {
+    readonly baseUrl: string;
+    readonly origin: string;
+    readonly owners: readonly string[];
+    readonly issuer?: string;
+    readonly audience: readonly string[];
+    readonly accessTokenType: string | null;
+    readonly jwks?: Jwks;
+    readonly jwksUri?: string;
+    readonly maxInlineBytes?: number;
+    readonly readReplayWindowSeconds: number;
+    readonly allowAnonymousWrites: boolean;
+    readonly gcSafetyWindowMs: number;
+    readonly now: () => number;
+    readonly fetch: typeof fetch;
+    readonly authenticate?: SolidPodConfig["authenticate"];
+    readonly logger: Logger;
+    readonly metrics: Metrics;
+}
+/** Internal headers the trusted front door uses to hand auth facts to the DO. */
+export declare const INTERNAL_HEADERS: {
+    /** Authenticated agent WebID (absent ⇒ unauthenticated request). */
+    readonly webid: "x-solid-webid";
+    /** Verified DPoP `jti` (present on authenticated writes for replay control). */
+    readonly jti: "x-solid-jti";
+    /** Verified DPoP key thumbprint (`cnf.jkt`). */
+    readonly jkt: "x-solid-jkt";
+    /** JSON-encoded subset of config the DO needs (offload threshold, etc.). */
+    readonly config: "x-solid-config";
+    /**
+     * DO→front-door: a machine-readable authorization outcome (see `PodOutcome`)
+     * the composition boundary logs via the injected seams, then strips before the
+     * response reaches the client.
+     */
+    readonly outcome: "x-solid-outcome";
+};
+/** Apply defaults and derived values to raw {@link SolidPodConfig}. */
+export declare function resolveConfig(config: SolidPodConfig): ResolvedConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAA2B,KAAK,MAAM,EAAE,KAAK,OAAO,EAAE,MAAM,UAAU,CAAC;AAE9E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AAE5C,gFAAgF;AAChF,MAAM,WAAW,WAAW;IAC1B,+EAA+E;IAC/E,QAAQ,CAAC,GAAG,EAAE,sBAAsB,CAAC,cAAc,CAAC,CAAC;IACrD,qCAAqC;IACrC,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC;IACzB;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,UAAU,CAAC;CAC7B;AAED,kFAAkF;AAClF,MAAM,WAAW,aAAa;IAC5B,qCAAqC;IACrC,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC;IACzB,yEAAyE;IACzE,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC;CAC5B;AAED;;;;GAIG;AACH,MAAM,MAAM,IAAI,GAAG,SAAS,UAAU,EAAE,CAAC;AAEzC,sDAAsD;AACtD,MAAM,WAAW,cAAc;IAC7B;;;;OAIG;IACH,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IAEzB;;;;OAIG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAE5C;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IAEzB;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAE/C;;;;;;;OAOG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAEzC,6FAA6F;IAC7F,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC;IAErB,+EAA+E;IAC/E,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAE1B;;;OAGG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IAEjC;;;;OAIG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,MAAM,CAAC;IAE1C;;;;;;;;OAQG;IACH,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAExC;;;;OAIG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAEnC,mFAAmF;IACnF,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IAE5B,0FAA0F;IAC1F,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IAE9B;;;;;;OAMG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,CACtB,OAAO,EAAE,OAAO,KACb,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,WAAW,GAAG,IAAI,CAAC;IAEtD;;;;;OAKG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;;OAIG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED,0EAA0E;AAC1E,MAAM,WAAW,WAAW;IAC1B,uCAAuC;IACvC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,+EAA+E;IAC/E,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,iEAAiE;IACjE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED,0DAA0D;AAC1D,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IACxC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC;IACrB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,uBAAuB,EAAE,MAAM,CAAC;IACzC,QAAQ,CAAC,oBAAoB,EAAE,OAAO,CAAC;IACvC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,GAAG,EAAE,MAAM,MAAM,CAAC;IAC3B,QAAQ,CAAC,KAAK,EAAE,OAAO,KAAK,CAAC;IAC7B,QAAQ,CAAC,YAAY,CAAC,EAAE,cAAc,CAAC,cAAc,CAAC,CAAC;IACvD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;CAC3B;AAKD,iFAAiF;AACjF,eAAO,MAAM,gBAAgB;IAC3B,oEAAoE;;IAEpE,gFAAgF;;IAEhF,gDAAgD;;IAEhD,4EAA4E;;IAE5E;;;;OAIG;;CAEK,CAAC;AAOX,uEAAuE;AACvE,wBAAgB,aAAa,CAAC,MAAM,EAAE,cAAc,GAAG,cAAc,CAwCpE"}

package/dist/config.js

@@ -0,0 +1,74 @@
+/**
+ * Configuration, the declared Cloudflare `Env` fragment, and config resolution
+ * for `@dwk/solid-pod`.
+ *
+ * Per the composition contract, the package never reads the global environment
+ * directly: all tunables (base URL, token issuer/JWKS, accepted audience,
+ * offload threshold, replay/GC windows) are passed into {@link createSolidPod}
+ * and {@link createSolidPodGc}, so a pod can be instantiated multiple times and
+ * unit-tested in isolation. The Cloudflare bindings — the per-pod Durable
+ * Object namespace and the R2 blob bucket — are the only runtime coupling, and
+ * a missing one fails loudly at startup.
+ */
+import { noopLogger, noopMetrics } from "@dwk/log";
+/** Default GC safety window: five minutes, comfortably above any write. */
+const DEFAULT_GC_SAFETY_WINDOW_MS = 5 * 60 * 1000;
+/** Internal headers the trusted front door uses to hand auth facts to the DO. */
+export const INTERNAL_HEADERS = {
+    /** Authenticated agent WebID (absent ⇒ unauthenticated request). */
+    webid: "x-solid-webid",
+    /** Verified DPoP `jti` (present on authenticated writes for replay control). */
+    jti: "x-solid-jti",
+    /** Verified DPoP key thumbprint (`cnf.jkt`). */
+    jkt: "x-solid-jkt",
+    /** JSON-encoded subset of config the DO needs (offload threshold, etc.). */
+    config: "x-solid-config",
+    /**
+     * DO→front-door: a machine-readable authorization outcome (see `PodOutcome`)
+     * the composition boundary logs via the injected seams, then strips before the
+     * response reaches the client.
+     */
+    outcome: "x-solid-outcome",
+};
+/** Strip the trailing slash from a base URL so path joins are unambiguous. */
+function normalizeBaseUrl(baseUrl) {
+    return baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;
+}
+/** Apply defaults and derived values to raw {@link SolidPodConfig}. */
+export function resolveConfig(config) {
+    if (!config.baseUrl) {
+        throw new Error("@dwk/solid-pod: `baseUrl` is required");
+    }
+    const baseUrl = normalizeBaseUrl(config.baseUrl);
+    const origin = new URL(baseUrl).origin;
+    const audience = config.audience === undefined
+        ? ["solid", baseUrl]
+        : typeof config.audience === "string"
+            ? [config.audience]
+            : [...config.audience];
+    const owners = config.owner === undefined
+        ? []
+        : typeof config.owner === "string"
+            ? [config.owner]
+            : [...config.owner];
+    return {
+        baseUrl,
+        origin,
+        owners,
+        issuer: config.issuer,
+        audience,
+        accessTokenType: config.accessTokenType === undefined ? "at+jwt" : config.accessTokenType,
+        jwks: config.jwks,
+        jwksUri: config.jwksUri,
+        maxInlineBytes: config.maxInlineBytes,
+        readReplayWindowSeconds: config.readReplayWindowSeconds ?? 0,
+        allowAnonymousWrites: config.allowAnonymousWrites ?? false,
+        gcSafetyWindowMs: config.gcSafetyWindowMs ?? DEFAULT_GC_SAFETY_WINDOW_MS,
+        now: config.now ?? (() => Date.now()),
+        fetch: config.fetch ?? fetch,
+        authenticate: config.authenticate,
+        logger: config.logger ?? noopLogger,
+        metrics: config.metrics ?? noopMetrics,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAA6B,MAAM,UAAU,CAAC;AA6K9E,2EAA2E;AAC3E,MAAM,2BAA2B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAElD,iFAAiF;AACjF,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,oEAAoE;IACpE,KAAK,EAAE,eAAe;IACtB,gFAAgF;IAChF,GAAG,EAAE,aAAa;IAClB,gDAAgD;IAChD,GAAG,EAAE,aAAa;IAClB,4EAA4E;IAC5E,MAAM,EAAE,gBAAgB;IACxB;;;;OAIG;IACH,OAAO,EAAE,iBAAiB;CAClB,CAAC;AAEX,8EAA8E;AAC9E,SAAS,gBAAgB,CAAC,OAAe;IACvC,OAAO,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;AAChE,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,aAAa,CAAC,MAAsB;IAClD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IACvC,MAAM,QAAQ,GACZ,MAAM,CAAC,QAAQ,KAAK,SAAS;QAC3B,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC;QACpB,CAAC,CAAC,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC;YACnB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE7B,MAAM,MAAM,GACV,MAAM,CAAC,KAAK,KAAK,SAAS;QACxB,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ;YAChC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;YAChB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAE1B,OAAO;QACL,OAAO;QACP,MAAM;QACN,MAAM;QACN,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ;QACR,eAAe,EACb,MAAM,CAAC,eAAe,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,eAAe;QAC1E,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,uBAAuB,EAAE,MAAM,CAAC,uBAAuB,IAAI,CAAC;QAC5D,oBAAoB,EAAE,MAAM,CAAC,oBAAoB,IAAI,KAAK;QAC1D,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,2BAA2B;QACxE,GAAG,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;QACrC,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,KAAK;QAC5B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,UAAU;QACnC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,WAAW;KACvC,CAAC;AACJ,CAAC"}

package/dist/encoding.d.ts

@@ -0,0 +1,13 @@
+/**
+ * base64url + UTF-8 helpers for the edge auth path (JWT/JWKS, DPoP hashing).
+ *
+ * Dependency-free and runtime-agnostic (Web Crypto / `atob` / `btoa` only) so
+ * the surrounding modules unit-test without a Workers runtime.
+ */
+/** Encode bytes as unpadded base64url (RFC 4648 §5). */
+export declare function bytesToBase64url(bytes: Uint8Array): string;
+/** Decode unpadded (or padded) base64url to bytes. */
+export declare function base64urlToBytes(segment: string): Uint8Array;
+/** Decode unpadded base64url to a UTF-8 string. */
+export declare function base64urlToText(segment: string): string;
+//# sourceMappingURL=encoding.d.ts.map

package/dist/encoding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.d.ts","sourceRoot":"","sources":["../src/encoding.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,wDAAwD;AACxD,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAO1D;AAED,sDAAsD;AACtD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,CAQ5D;AAED,mDAAmD;AACnD,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEvD"}

package/dist/encoding.js

@@ -0,0 +1,31 @@
+/**
+ * base64url + UTF-8 helpers for the edge auth path (JWT/JWKS, DPoP hashing).
+ *
+ * Dependency-free and runtime-agnostic (Web Crypto / `atob` / `btoa` only) so
+ * the surrounding modules unit-test without a Workers runtime.
+ */
+/** Encode bytes as unpadded base64url (RFC 4648 §5). */
+export function bytesToBase64url(bytes) {
+    let binary = "";
+    for (const byte of bytes)
+        binary += String.fromCharCode(byte);
+    return btoa(binary)
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+/** Decode unpadded (or padded) base64url to bytes. */
+export function base64urlToBytes(segment) {
+    const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = b64.length % 4 === 0 ? b64 : b64 + "=".repeat(4 - (b64.length % 4));
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++)
+        bytes[i] = binary.charCodeAt(i);
+    return bytes;
+}
+/** Decode unpadded base64url to a UTF-8 string. */
+export function base64urlToText(segment) {
+    return new TextDecoder().decode(base64urlToBytes(segment));
+}
+//# sourceMappingURL=encoding.js.map

package/dist/encoding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.js","sourceRoot":"","sources":["../src/encoding.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,wDAAwD;AACxD,MAAM,UAAU,gBAAgB,CAAC,KAAiB;IAChD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK;QAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IAC9D,OAAO,IAAI,CAAC,MAAM,CAAC;SAChB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,sDAAsD;AACtD,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1D,MAAM,MAAM,GACV,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IACtE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC;AAC7D,CAAC"}