@dwk/webfinger 0.1.0-beta.0

package/LICENSE

@@ -0,0 +1,15 @@
+ISC License
+
+Copyright (c) 2026 David W. Keith
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -0,0 +1,106 @@
+# `@dwk/webfinger`
+
+> WebFinger (RFC 7033) account/resource discovery endpoint. Endpoint package.
+
+Part of the [`@dwk` IndieWeb + Solid cohort](../../README.md). See the
+[package specification](../../spec/packages/webfinger.md) for the full
+requirements.
+
+WebFinger maps a queried `resource` URI (`acct:`, `mailto:`, `https:`) to a
+**JSON Resource Descriptor** (JRD) of links — profile page, avatar, OIDC issuer,
+the `self` ActivityPub actor. It is the foundational discovery step for
+federation: fediverse software resolves `acct:user@domain` against
+`/.well-known/webfinger` before it can follow or address an account.
+
+## Worker vs. static (why this package exists)
+
+WebFinger is **borderline static**. A static site generator can emit a single
+`/.well-known/webfinger` JRD, and for a **single-identity** site that often
+suffices. Spec-correct behaviour, however, needs request logic a static host
+cannot do:
+
+- dispatch on the `resource` query parameter and return **404** for a resource
+  this server does not control (a static file returns `200` for any `resource=`);
+- echo the matched `subject`, which **must equal** the queried `resource` URI
+  (fediverse software rejects a mismatch);
+- filter the returned `links` by the `rel` query parameter(s).
+
+So: ship the package for correct multi-resource / `rel`-filtered behaviour; the
+degenerate single-resource, no-`rel` case may stay a static file.
+
+## Usage
+
+```ts
+import { createWebfinger } from "@dwk/webfinger";
+
+const webfinger = createWebfinger({
+  resources: {
+    "acct:alice@example.com": {
+      aliases: ["https://example.com/users/alice"],
+      links: [
+        {
+          rel: "http://webfinger.net/rel/profile-page",
+          type: "text/html",
+          href: "https://example.com/",
+        },
+        {
+          rel: "self",
+          type: "application/activity+json",
+          href: "https://example.com/users/alice",
+        },
+      ],
+    },
+  },
+});
+
+// In your Worker's fetch handler, mount at the well-known path:
+//   GET /.well-known/webfinger?resource=acct:alice@example.com
+return webfinger(request, env, ctx);
+```
+
+- `resource` absent → **400**; `resource` not controlled → **404**; matched →
+  **200** with `subject` (echoing the queried URI), `aliases`, and `links`.
+- Matching is **case-insensitive on the scheme and host** per RFC 7033 §4.1
+  (`ACCT:alice@EXAMPLE.COM` matches a configured `acct:alice@example.com`); the
+  `acct:` local part stays case-sensitive. The echoed `subject` keeps the
+  client's literal spelling.
+- A `rel` parameter (repeatable) filters `links` to the matching relations;
+  `aliases` and `properties` are unaffected.
+- Every response — success or error — carries `Access-Control-Allow-Origin: *`
+  per RFC 7033 §10.2, because discovery data is public. `OPTIONS` returns a CORS
+  preflight; non-`GET`/`HEAD` methods get **405**.
+- The response media type is `application/jrd+json`.
+
+### Dynamic resolution
+
+For a resource set that is large or derived from stored data, pass a `resolve`
+function instead of (or alongside) the static `resources` map. The static map is
+consulted first; the resolver is the fallback. Returning `undefined` yields a
+`404`.
+
+```ts
+const webfinger = createWebfinger({
+  resolve: async (resource, rels) => {
+    const profile = await lookupProfile(resource); // your data source
+    return profile ? { links: profile.toWebfingerLinks(rels) } : undefined;
+  },
+});
+```
+
+`createWebfinger` **fails loudly** at construction if neither `resources` nor
+`resolve` is supplied — a WebFinger endpoint that controls no resources is always
+a misconfiguration.
+
+## Design
+
+Pure and **stateless**: no Durable Object, no D1, and no required Cloudflare
+bindings — the `resource → JRD` mapping is config-supplied (composition
+contract), never read from the global environment. The discovery logic
+unit-tests under Node without a Workers runtime.
+
+## Observability
+
+Discovery events are emitted through the injected `@dwk/log` `Logger`/`Metrics`
+seams (default no-op): `webfinger.resolved` for a match, `webfinger.rejected`
+for a `400`/`404`/`405`. A queried `resource` is reduced to its **host** in logs
+— the local part of an `acct:` handle is never recorded.

package/dist/config.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Configuration for {@link createWebfinger}: the set of resources this server
+ * controls (a static map, a resolver function, or both) plus the optional
+ * logging/metrics seams. Per the composition contract the package never reads
+ * the global environment — every resource mapping arrives here, so a handler can
+ * be instantiated multiple times and tested in isolation.
+ */
+import { type Logger, type Metrics } from "@dwk/log";
+import type { ResourceRecord } from "./jrd";
+/**
+ * A dynamic resolver from a queried `resource` URI to its {@link ResourceRecord},
+ * or `undefined` when this server does not control the resource (→ `404`). The
+ * `resource` is passed **normalized** (lowercased scheme/host per RFC 7033 §4.1),
+ * so a resolver can compare it directly without re-normalizing. The matched
+ * `rel` filters are passed through so a resolver backed by stored data (e.g. a
+ * profile document via `@dwk/rdf`) can avoid materialising links it is about to
+ * discard, but applying the filter is optional — the handler always re-applies
+ * {@link filterLinksByRel} to whatever is returned.
+ */
+export type ResourceResolver = (resource: string, rels: readonly string[]) => ResourceRecord | undefined | Promise<ResourceRecord | undefined>;
+/** Configuration passed to {@link createWebfinger}. */
+export interface WebfingerConfig {
+    /**
+     * Static map of controlled `resource` URI → its descriptor. Keys are the
+     * exact `resource` values clients query (`acct:user@example.com`,
+     * `https://example.com/`, `mailto:user@example.com`). Consulted before
+     * {@link resolve}.
+     */
+    readonly resources?: Readonly<Record<string, ResourceRecord>>;
+    /**
+     * Dynamic fallback consulted when {@link resources} has no entry for the
+     * queried URI. At least one of {@link resources} or `resolve` MUST be
+     * supplied, or {@link createWebfinger} throws at construction time.
+     */
+    readonly resolve?: ResourceResolver;
+    /**
+     * Logger for discovery events; defaults to a no-op. Wire a real logger (see
+     * `@dwk/log`) to surface unknown-resource probes and method rejections instead
+     * of swallowing them.
+     */
+    readonly logger?: Logger;
+    /**
+     * Metrics sink for discovery counters; defaults to a no-op. Wire an adapter
+     * (e.g. `analyticsEngineMetrics` from `@dwk/log`) to chart the same events the
+     * logger names — "lookups/min", "404 rate", "rel-filtered lookups".
+     */
+    readonly metrics?: Metrics;
+}
+/** Configuration after defaults are filled and a unified resolver is built. */
+export interface ResolvedConfig {
+    /** Look up a resource: static map first, then the dynamic resolver. */
+    readonly resolve: (resource: string, rels: readonly string[]) => Promise<ResourceRecord | undefined>;
+    readonly logger: Logger;
+    readonly metrics: Metrics;
+}
+/**
+ * Validate and normalise a {@link WebfingerConfig}. Fails loudly when neither a
+ * resource map nor a resolver is configured — a WebFinger endpoint that controls
+ * no resources is always a misconfiguration, not a silent "everything is a 404".
+ * Returns a single `resolve` that consults the static map first (an O(1) exact
+ * match) and then the dynamic resolver.
+ */
+export declare function resolveConfig(config: WebfingerConfig): ResolvedConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAA2B,KAAK,MAAM,EAAE,KAAK,OAAO,EAAE,MAAM,UAAU,CAAC;AAE9E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AAG5C;;;;;;;;;GASG;AACH,MAAM,MAAM,gBAAgB,GAAG,CAC7B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,SAAS,MAAM,EAAE,KACpB,cAAc,GAAG,SAAS,GAAG,OAAO,CAAC,cAAc,GAAG,SAAS,CAAC,CAAC;AAEtE,uDAAuD;AACvD,MAAM,WAAW,eAAe;IAC9B;;;;;OAKG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;IAC9D;;;;OAIG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,gBAAgB,CAAC;IACpC;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;;OAIG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED,+EAA+E;AAC/E,MAAM,WAAW,cAAc;IAC7B,uEAAuE;IACvE,QAAQ,CAAC,OAAO,EAAE,CAChB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,SAAS,MAAM,EAAE,KACpB,OAAO,CAAC,cAAc,GAAG,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;CAC3B;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,eAAe,GAAG,cAAc,CA4CrE"}

package/dist/config.js

@@ -0,0 +1,51 @@
+/**
+ * Configuration for {@link createWebfinger}: the set of resources this server
+ * controls (a static map, a resolver function, or both) plus the optional
+ * logging/metrics seams. Per the composition contract the package never reads
+ * the global environment — every resource mapping arrives here, so a handler can
+ * be instantiated multiple times and tested in isolation.
+ */
+import { noopLogger, noopMetrics } from "@dwk/log";
+import { normalizeResource } from "./resource";
+/**
+ * Validate and normalise a {@link WebfingerConfig}. Fails loudly when neither a
+ * resource map nor a resolver is configured — a WebFinger endpoint that controls
+ * no resources is always a misconfiguration, not a silent "everything is a 404".
+ * Returns a single `resolve` that consults the static map first (an O(1) exact
+ * match) and then the dynamic resolver.
+ */
+export function resolveConfig(config) {
+    if (config.resources === undefined && config.resolve === undefined) {
+        throw new Error("@dwk/webfinger: configure `resources` and/or `resolve` — a WebFinger " +
+            "endpoint must control at least one resource source.");
+    }
+    // Key the static map by the normalized resource URI so matching is
+    // case-insensitive on scheme/host (RFC 7033 §4.1). When two configured keys
+    // normalize to the same value, the later entry wins.
+    const normalizedMap = config.resources === undefined
+        ? undefined
+        : new Map(Object.entries(config.resources).map(([key, record]) => [
+            normalizeResource(key),
+            record,
+        ]));
+    const dynamicResolve = config.resolve;
+    const resolve = async (resource, rels) => {
+        const key = normalizeResource(resource);
+        if (normalizedMap !== undefined) {
+            const record = normalizedMap.get(key);
+            if (record !== undefined) {
+                return record;
+            }
+        }
+        if (dynamicResolve !== undefined) {
+            return await dynamicResolve(key, rels);
+        }
+        return undefined;
+    };
+    return {
+        resolve,
+        logger: config.logger ?? noopLogger,
+        metrics: config.metrics ?? noopMetrics,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAA6B,MAAM,UAAU,CAAC;AAG9E,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAyD/C;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,MAAuB;IACnD,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CACb,uEAAuE;YACrE,qDAAqD,CACxD,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,4EAA4E;IAC5E,qDAAqD;IACrD,MAAM,aAAa,GACjB,MAAM,CAAC,SAAS,KAAK,SAAS;QAC5B,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,IAAI,GAAG,CACL,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC;YACtD,iBAAiB,CAAC,GAAG,CAAC;YACtB,MAAM;SACP,CAAC,CACH,CAAC;IACR,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC;IAEtC,MAAM,OAAO,GAAG,KAAK,EACnB,QAAgB,EAChB,IAAuB,EACc,EAAE;QACvC,MAAM,GAAG,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;YAChC,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACtC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QACD,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YACjC,OAAO,MAAM,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;IAEF,OAAO;QACL,OAAO;QACP,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,UAAU;QACnC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,WAAW;KACvC,CAAC;AACJ,CAAC"}

package/dist/handler.d.ts

@@ -0,0 +1,29 @@
+/**
+ * The WebFinger fetch handler (RFC 7033): a stateless `GET` endpoint, mountable
+ * at `/.well-known/webfinger`, that dispatches on the `resource` query parameter,
+ * returns the matching JRD (`rel`-filtered), and otherwise distinguishes a
+ * missing or malformed parameter (`400`) from an uncontrolled resource (`404`).
+ * Discovery data is public, so every response carries permissive CORS (§10.2).
+ */
+import { type WebfingerConfig } from "./config";
+/**
+ * Cloudflare bindings required by the WebFinger handler: **none**. The resource
+ * mapping is config-supplied (composition contract), so this fragment is empty
+ * and contributes nothing to the composed Worker's `Env`.
+ */
+export type WebfingerEnv = Record<never, never>;
+/** A `fetch`-compatible Worker handler. */
+export type WebfingerHandler = (request: Request, env: WebfingerEnv, ctx: ExecutionContext) => Promise<Response>;
+/**
+ * Build the WebFinger handler from configuration.
+ *
+ * The returned handler is mountable at `/.well-known/webfinger`. It accepts
+ * `GET` (and `HEAD`): a request with no `resource` parameter — or a malformed
+ * one (no scheme / unparseable URI, RFC 7033 §4.2) — gets `400`; a `resource`
+ * this server does not control gets `404`; a match gets `200` with an
+ * `application/jrd+json` body whose `subject` echoes the queried URI, filtered by
+ * any `rel` parameters. `OPTIONS` returns a CORS preflight; other methods get
+ * `405`. Fails loudly at construction if no resource source is configured.
+ */
+export declare function createWebfinger(config: WebfingerConfig): WebfingerHandler;
+//# sourceMappingURL=handler.d.ts.map

package/dist/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAGL,KAAK,eAAe,EACrB,MAAM,UAAU,CAAC;AAKlB;;;;GAIG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;AAEhD,2CAA2C;AAC3C,MAAM,MAAM,gBAAgB,GAAG,CAC7B,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,YAAY,EACjB,GAAG,EAAE,gBAAgB,KAClB,OAAO,CAAC,QAAQ,CAAC,CAAC;AAqEvB;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,eAAe,GAAG,gBAAgB,CAuEzE"}

package/dist/handler.js

@@ -0,0 +1,130 @@
+/**
+ * The WebFinger fetch handler (RFC 7033): a stateless `GET` endpoint, mountable
+ * at `/.well-known/webfinger`, that dispatches on the `resource` query parameter,
+ * returns the matching JRD (`rel`-filtered), and otherwise distinguishes a
+ * missing or malformed parameter (`400`) from an uncontrolled resource (`404`).
+ * Discovery data is public, so every response carries permissive CORS (§10.2).
+ */
+import { hostFromUrl } from "@dwk/log";
+import { resolveConfig, } from "./config";
+import { buildJrd } from "./jrd";
+import { WebfingerLogEvent } from "./log";
+import { isWellFormedResource } from "./resource";
+/** Media type for a JSON Resource Descriptor (RFC 7033 §10.2). */
+const JRD_CONTENT_TYPE = "application/jrd+json; charset=utf-8";
+const TEXT_CONTENT_TYPE = "text/plain; charset=utf-8";
+/**
+ * WebFinger serves public discovery data to any origin, so every response —
+ * success or error — advertises permissive CORS per RFC 7033 §10.2.
+ */
+const CORS_HEADERS = {
+    "access-control-allow-origin": "*",
+};
+/**
+ * Reduce a queried `resource` to its host for logging: the domain of an
+ * `acct:`/`mailto:` handle, or the host of an `https:`/`http:` URI. The local
+ * part (the user identifier) is deliberately dropped — only the domain is
+ * recorded (see `log.ts`).
+ */
+function resourceHost(resource) {
+    if (/^(acct|mailto):/i.test(resource)) {
+        const at = resource.lastIndexOf("@");
+        if (at !== -1) {
+            const host = resource.slice(at + 1).toLowerCase();
+            return host.length > 0 ? host : undefined;
+        }
+        return undefined;
+    }
+    return hostFromUrl(resource);
+}
+/**
+ * Emit a structured event on both the logger and the metrics seam, which share
+ * one event vocabulary (see `@dwk/log`): `warn` for rejections, `info` for a
+ * resolved lookup. Callers pass only sanitized hosts, reason codes, and counts.
+ */
+function emit(config, level, event, fields) {
+    config.logger[level](event, fields);
+    config.metrics.count(event, fields);
+}
+function jrdResponse(body, method) {
+    return new Response(method === "HEAD" ? null : body, {
+        status: 200,
+        headers: { "content-type": JRD_CONTENT_TYPE, ...CORS_HEADERS },
+    });
+}
+function errorResponse(status, message, extraHeaders) {
+    return new Response(message, {
+        status,
+        headers: {
+            "content-type": TEXT_CONTENT_TYPE,
+            ...CORS_HEADERS,
+            ...extraHeaders,
+        },
+    });
+}
+/**
+ * Build the WebFinger handler from configuration.
+ *
+ * The returned handler is mountable at `/.well-known/webfinger`. It accepts
+ * `GET` (and `HEAD`): a request with no `resource` parameter — or a malformed
+ * one (no scheme / unparseable URI, RFC 7033 §4.2) — gets `400`; a `resource`
+ * this server does not control gets `404`; a match gets `200` with an
+ * `application/jrd+json` body whose `subject` echoes the queried URI, filtered by
+ * any `rel` parameters. `OPTIONS` returns a CORS preflight; other methods get
+ * `405`. Fails loudly at construction if no resource source is configured.
+ */
+export function createWebfinger(config) {
+    const resolved = resolveConfig(config);
+    return async (request, _env, _ctx) => {
+        const method = request.method;
+        if (method === "OPTIONS") {
+            return new Response(null, {
+                status: 204,
+                headers: {
+                    ...CORS_HEADERS,
+                    "access-control-allow-methods": "GET, HEAD, OPTIONS",
+                    "access-control-allow-headers": "*",
+                },
+            });
+        }
+        if (method !== "GET" && method !== "HEAD") {
+            emit(resolved, "warn", WebfingerLogEvent.Rejected, {
+                reason: "method_not_allowed",
+            });
+            return errorResponse(405, "method_not_allowed: use GET", {
+                allow: "GET, HEAD, OPTIONS",
+            });
+        }
+        const url = new URL(request.url);
+        const resource = url.searchParams.get("resource");
+        if (resource === null || resource.length === 0) {
+            emit(resolved, "warn", WebfingerLogEvent.Rejected, {
+                reason: "missing_resource",
+            });
+            return errorResponse(400, "missing_resource: the `resource` query parameter is required");
+        }
+        if (!isWellFormedResource(resource)) {
+            emit(resolved, "warn", WebfingerLogEvent.Rejected, {
+                reason: "malformed_resource",
+                resourceHost: resourceHost(resource),
+            });
+            return errorResponse(400, "malformed_resource: the `resource` query parameter is not a valid URI");
+        }
+        const rels = url.searchParams.getAll("rel").filter((rel) => rel.length > 0);
+        const record = await resolved.resolve(resource, rels);
+        if (record === undefined) {
+            emit(resolved, "warn", WebfingerLogEvent.Rejected, {
+                reason: "not_found",
+                resourceHost: resourceHost(resource),
+            });
+            return errorResponse(404, "not_found: no descriptor for the requested resource");
+        }
+        const jrd = buildJrd(resource, record, rels);
+        emit(resolved, "info", WebfingerLogEvent.Resolved, {
+            resourceHost: resourceHost(resource),
+            relCount: rels.length,
+        });
+        return jrdResponse(JSON.stringify(jrd), method);
+    };
+}
+//# sourceMappingURL=handler.js.map

package/dist/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAkB,MAAM,UAAU,CAAC;AAEvD,OAAO,EACL,aAAa,GAGd,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAC1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAgBlD,kEAAkE;AAClE,MAAM,gBAAgB,GAAG,qCAAqC,CAAC;AAC/D,MAAM,iBAAiB,GAAG,2BAA2B,CAAC;AAEtD;;;GAGG;AACH,MAAM,YAAY,GAAqC;IACrD,6BAA6B,EAAE,GAAG;CACnC,CAAC;AAEF;;;;;GAKG;AACH,SAAS,YAAY,CAAC,QAAgB;IACpC,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACtC,MAAM,EAAE,GAAG,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;YACd,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QAC5C,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED;;;;GAIG;AACH,SAAS,IAAI,CACX,MAAsB,EACtB,KAAsB,EACtB,KAAa,EACb,MAAkB;IAElB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,WAAW,CAAC,IAAY,EAAE,MAAc;IAC/C,OAAO,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE;QACnD,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,EAAE,cAAc,EAAE,gBAAgB,EAAE,GAAG,YAAY,EAAE;KAC/D,CAAC,CAAC;AACL,CAAC;AAED,SAAS,aAAa,CACpB,MAAc,EACd,OAAe,EACf,YAA+C;IAE/C,OAAO,IAAI,QAAQ,CAAC,OAAO,EAAE;QAC3B,MAAM;QACN,OAAO,EAAE;YACP,cAAc,EAAE,iBAAiB;YACjC,GAAG,YAAY;YACf,GAAG,YAAY;SAChB;KACF,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAAC,MAAuB;IACrD,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QACnC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAE9B,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE;oBACP,GAAG,YAAY;oBACf,8BAA8B,EAAE,oBAAoB;oBACpD,8BAA8B,EAAE,GAAG;iBACpC;aACF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1C,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,iBAAiB,CAAC,QAAQ,EAAE;gBACjD,MAAM,EAAE,oBAAoB;aAC7B,CAAC,CAAC;YACH,OAAO,aAAa,CAAC,GAAG,EAAE,6BAA6B,EAAE;gBACvD,KAAK,EAAE,oBAAoB;aAC5B,CAAC,CAAC;QACL,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAElD,IAAI,QAAQ,KAAK,IAAI,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/C,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,iBAAiB,CAAC,QAAQ,EAAE;gBACjD,MAAM,EAAE,kBAAkB;aAC3B,CAAC,CAAC;YACH,OAAO,aAAa,CAClB,GAAG,EACH,8DAA8D,CAC/D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpC,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,iBAAiB,CAAC,QAAQ,EAAE;gBACjD,MAAM,EAAE,oBAAoB;gBAC5B,YAAY,EAAE,YAAY,CAAC,QAAQ,CAAC;aACrC,CAAC,CAAC;YACH,OAAO,aAAa,CAClB,GAAG,EACH,uEAAuE,CACxE,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAE5E,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACtD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,iBAAiB,CAAC,QAAQ,EAAE;gBACjD,MAAM,EAAE,WAAW;gBACnB,YAAY,EAAE,YAAY,CAAC,QAAQ,CAAC;aACrC,CAAC,CAAC;YACH,OAAO,aAAa,CAClB,GAAG,EACH,qDAAqD,CACtD,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,iBAAiB,CAAC,QAAQ,EAAE;YACjD,YAAY,EAAE,YAAY,CAAC,QAAQ,CAAC;YACpC,QAAQ,EAAE,IAAI,CAAC,MAAM;SACtB,CAAC,CAAC;QACH,OAAO,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;IAClD,CAAC,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,29 @@
+/**
+ * `@dwk/webfinger` — WebFinger (RFC 7033) account/resource discovery endpoint.
+ *
+ * Endpoint package: exports a factory returning a `fetch`-compatible handler,
+ * mountable at `/.well-known/webfinger` so it composes with other `@dwk`
+ * packages in one Worker. It maps a queried `resource` URI (`acct:`, `mailto:`,
+ * `https:`) to a JSON Resource Descriptor (JRD) of links — avatar, profile page,
+ * OIDC issuer, the `self` ActivityPub actor — and is the foundational discovery
+ * step for federation.
+ *
+ * It exists because WebFinger is **borderline static**: a static host can emit a
+ * single JRD, but only request logic can dispatch on `resource` (404 for a URI
+ * this server does not control), echo the matched `subject`, and filter `links`
+ * by `rel`. The package is pure and stateless — the `resource → JRD` mapping is
+ * supplied by config (a static map and/or a resolver), never read from the
+ * global environment — so it ships no Durable Object and needs no bindings, and
+ * the discovery logic unit-tests under Node without a Workers runtime.
+ *
+ * @see spec/packages/webfinger.md
+ * @packageDocumentation
+ */
+export { createWebfinger } from "./handler";
+export type { WebfingerEnv, WebfingerHandler } from "./handler";
+export { resolveConfig, type WebfingerConfig, type ResourceResolver, type ResolvedConfig, } from "./config";
+export { filterLinksByRel, buildJrd, type Jrd, type Link, type ResourceRecord, } from "./jrd";
+export { normalizeResource, isWellFormedResource } from "./resource";
+export { WebfingerLogEvent } from "./log";
+export type { Logger, Metrics } from "@dwk/log";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAEhE,OAAO,EACL,aAAa,EACb,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACrB,KAAK,cAAc,GACpB,MAAM,UAAU,CAAC;AAElB,OAAO,EACL,gBAAgB,EAChB,QAAQ,EACR,KAAK,GAAG,EACR,KAAK,IAAI,EACT,KAAK,cAAc,GACpB,MAAM,OAAO,CAAC;AAEf,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAErE,OAAO,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAC1C,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,27 @@
+/**
+ * `@dwk/webfinger` — WebFinger (RFC 7033) account/resource discovery endpoint.
+ *
+ * Endpoint package: exports a factory returning a `fetch`-compatible handler,
+ * mountable at `/.well-known/webfinger` so it composes with other `@dwk`
+ * packages in one Worker. It maps a queried `resource` URI (`acct:`, `mailto:`,
+ * `https:`) to a JSON Resource Descriptor (JRD) of links — avatar, profile page,
+ * OIDC issuer, the `self` ActivityPub actor — and is the foundational discovery
+ * step for federation.
+ *
+ * It exists because WebFinger is **borderline static**: a static host can emit a
+ * single JRD, but only request logic can dispatch on `resource` (404 for a URI
+ * this server does not control), echo the matched `subject`, and filter `links`
+ * by `rel`. The package is pure and stateless — the `resource → JRD` mapping is
+ * supplied by config (a static map and/or a resolver), never read from the
+ * global environment — so it ships no Durable Object and needs no bindings, and
+ * the discovery logic unit-tests under Node without a Workers runtime.
+ *
+ * @see spec/packages/webfinger.md
+ * @packageDocumentation
+ */
+export { createWebfinger } from "./handler";
+export { resolveConfig, } from "./config";
+export { filterLinksByRel, buildJrd, } from "./jrd";
+export { normalizeResource, isWellFormedResource } from "./resource";
+export { WebfingerLogEvent } from "./log";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAG5C,OAAO,EACL,aAAa,GAId,MAAM,UAAU,CAAC;AAElB,OAAO,EACL,gBAAgB,EAChB,QAAQ,GAIT,MAAM,OAAO,CAAC;AAEf,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAErE,OAAO,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC"}

package/dist/jrd.d.ts

@@ -0,0 +1,73 @@
+/**
+ * JSON Resource Descriptor (JRD) data model and the pure `rel`-filtering rule
+ * from RFC 7033 §4.3. These types are plain data — no Workers runtime, no
+ * Cloudflare bindings — so the discovery logic unit-tests in isolation. The
+ * handler in `handler.ts` turns an HTTP request into a `resource` lookup and
+ * renders the resulting {@link Jrd} as `application/jrd+json`.
+ */
+/**
+ * A single link relation in a JRD (RFC 7033 §4.4.4). `rel` is required; the
+ * remaining members are optional and emitted only when present. Either `href`
+ * (a concrete target) or `template` (a URI template) typically carries the
+ * link's value.
+ */
+export interface Link {
+    /** The link relation type — a registered name or an absolute URI. */
+    readonly rel: string;
+    /** Media type of the target resource, when known. */
+    readonly type?: string;
+    /** The target URI. */
+    readonly href?: string;
+    /** Human-readable titles keyed by language tag (or `"und"`). */
+    readonly titles?: Readonly<Record<string, string>>;
+    /** Additional, scheme-defined properties; a `null` value means "absent". */
+    readonly properties?: Readonly<Record<string, string | null>>;
+    /** A URI template, used in place of `href` for parameterised links. */
+    readonly template?: string;
+}
+/**
+ * What the configured resource map (or {@link ResourceResolver}) yields for a
+ * controlled resource. `subject` is optional here: the handler defaults it to
+ * the queried `resource` URI (which is what Mastodon/fediverse clients require),
+ * so a record normally lists only its `aliases`, `properties`, and `links`.
+ */
+export interface ResourceRecord {
+    /** Overrides the echoed subject; defaults to the queried `resource` URI. */
+    readonly subject?: string;
+    /** Other URIs that identify the same entity (RFC 7033 §4.4.2). */
+    readonly aliases?: readonly string[];
+    /** Subject-level properties; a `null` value means "absent". */
+    readonly properties?: Readonly<Record<string, string | null>>;
+    /** The link relations advertised for this resource. */
+    readonly links?: readonly Link[];
+}
+/**
+ * A fully-rendered JRD as serialised in a `200` response. `subject` and `links`
+ * are always present (`links` may be an empty array after `rel` filtering);
+ * `aliases` and `properties` appear only when the record supplied them.
+ */
+export interface Jrd {
+    /** The subject URI — equals the queried `resource` unless the record overrode it. */
+    readonly subject: string;
+    /** Other URIs identifying the subject. */
+    readonly aliases?: readonly string[];
+    /** Subject-level properties. */
+    readonly properties?: Readonly<Record<string, string | null>>;
+    /** The (possibly `rel`-filtered) link set. */
+    readonly links: readonly Link[];
+}
+/**
+ * Apply the RFC 7033 §4.3 `rel` filter: with no `rel` parameters the full link
+ * set is returned; otherwise only links whose `rel` exactly matches one of the
+ * requested relations survive. `rel` filtering never touches `aliases` or
+ * subject `properties` — it scopes the `links` array only.
+ */
+export declare function filterLinksByRel(links: readonly Link[], rels: readonly string[]): readonly Link[];
+/**
+ * Render the final {@link Jrd} for a matched resource: echo the queried
+ * `resource` as the subject (unless the record overrides it), apply the `rel`
+ * filter to the links, and carry through `aliases`/`properties` only when the
+ * record actually supplied them (so the JSON stays minimal).
+ */
+export declare function buildJrd(resource: string, record: ResourceRecord, rels: readonly string[]): Jrd;
+//# sourceMappingURL=jrd.d.ts.map

package/dist/jrd.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jrd.d.ts","sourceRoot":"","sources":["../src/jrd.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,IAAI;IACnB,qEAAqE;IACrE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,qDAAqD;IACrD,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,sBAAsB;IACtB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,gEAAgE;IAChE,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACnD,4EAA4E;IAC5E,QAAQ,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC;IAC9D,uEAAuE;IACvE,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,4EAA4E;IAC5E,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,kEAAkE;IAClE,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,+DAA+D;IAC/D,QAAQ,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC;IAC9D,uDAAuD;IACvD,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,IAAI,EAAE,CAAC;CAClC;AAED;;;;GAIG;AACH,MAAM,WAAW,GAAG;IAClB,qFAAqF;IACrF,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,0CAA0C;IAC1C,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,gCAAgC;IAChC,QAAQ,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC;IAC9D,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE,SAAS,IAAI,EAAE,CAAC;CACjC;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,SAAS,IAAI,EAAE,EACtB,IAAI,EAAE,SAAS,MAAM,EAAE,GACtB,SAAS,IAAI,EAAE,CAGjB;AAED;;;;;GAKG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,cAAc,EACtB,IAAI,EAAE,SAAS,MAAM,EAAE,GACtB,GAAG,CAiBL"}

package/dist/jrd.js

@@ -0,0 +1,38 @@
+/**
+ * JSON Resource Descriptor (JRD) data model and the pure `rel`-filtering rule
+ * from RFC 7033 §4.3. These types are plain data — no Workers runtime, no
+ * Cloudflare bindings — so the discovery logic unit-tests in isolation. The
+ * handler in `handler.ts` turns an HTTP request into a `resource` lookup and
+ * renders the resulting {@link Jrd} as `application/jrd+json`.
+ */
+/**
+ * Apply the RFC 7033 §4.3 `rel` filter: with no `rel` parameters the full link
+ * set is returned; otherwise only links whose `rel` exactly matches one of the
+ * requested relations survive. `rel` filtering never touches `aliases` or
+ * subject `properties` — it scopes the `links` array only.
+ */
+export function filterLinksByRel(links, rels) {
+    if (rels.length === 0)
+        return links;
+    return links.filter((link) => rels.includes(link.rel));
+}
+/**
+ * Render the final {@link Jrd} for a matched resource: echo the queried
+ * `resource` as the subject (unless the record overrides it), apply the `rel`
+ * filter to the links, and carry through `aliases`/`properties` only when the
+ * record actually supplied them (so the JSON stays minimal).
+ */
+export function buildJrd(resource, record, rels) {
+    const jrd = {
+        subject: record.subject ?? resource,
+        links: filterLinksByRel(record.links ?? [], rels),
+    };
+    if (record.aliases && record.aliases.length > 0) {
+        jrd.aliases = record.aliases;
+    }
+    if (record.properties && Object.keys(record.properties).length > 0) {
+        jrd.properties = record.properties;
+    }
+    return jrd;
+}
+//# sourceMappingURL=jrd.js.map

package/dist/jrd.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jrd.js","sourceRoot":"","sources":["../src/jrd.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAwDH;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAC9B,KAAsB,EACtB,IAAuB;IAEvB,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACpC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAgB,EAChB,MAAsB,EACtB,IAAuB;IAEvB,MAAM,GAAG,GAKL;QACF,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,QAAQ;QACnC,KAAK,EAAE,gBAAgB,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,IAAI,CAAC;KAClD,CAAC;IACF,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAC/B,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnE,GAAG,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;IACrC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/log.d.ts

@@ -0,0 +1,36 @@
+/**
+ * `@dwk/webfinger` — structured observability event taxonomy.
+ *
+ * WebFinger is public discovery data, so the stakes are lower than an auth
+ * endpoint — but a server being scraped for `acct:` handles it does not control,
+ * or a misconfigured resource map that 404s every lookup, is exactly the kind of
+ * thing an operator wants a signal for. Logging and metrics are opt-in via an
+ * injected {@link Logger} and {@link Metrics} (see `@dwk/log`) and **share this
+ * one vocabulary**: the same dotted event name is passed to the logger and the
+ * metrics sink so a log line and its counter line up.
+ *
+ * Fields follow the redaction policy: a `resource` is reduced to its **host**
+ * (the domain of an `acct:`/`mailto:` handle or an `https:` URI) via the
+ * handler's `resourceHost` helper — the local part (the user identifier) is
+ * never logged, only the domain, a machine-readable `reason`, and the count of
+ * `rel` filters. See `spec/observability.md`.
+ *
+ * @packageDocumentation
+ */
+/** Stable event names emitted by `@dwk/webfinger`. */
+export declare const WebfingerLogEvent: {
+    /**
+     * A `resource` was matched and a JRD returned. Fields: `resourceHost`
+     * (sanitized), `relCount` (number of `rel` filters applied).
+     */
+    readonly Resolved: "webfinger.resolved";
+    /**
+     * A request was rejected before a JRD could be returned. Field: `reason`
+     * (`missing_resource`, `malformed_resource`, `not_found`, or
+     * `method_not_allowed`), plus `resourceHost` when a `resource` was supplied.
+     */
+    readonly Rejected: "webfinger.rejected";
+};
+/** Union of the event-name string literals in {@link WebfingerLogEvent}. */
+export type WebfingerLogEvent = (typeof WebfingerLogEvent)[keyof typeof WebfingerLogEvent];
+//# sourceMappingURL=log.d.ts.map

package/dist/log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"log.d.ts","sourceRoot":"","sources":["../src/log.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,sDAAsD;AACtD,eAAO,MAAM,iBAAiB;IAC5B;;;OAGG;;IAEH;;;;OAIG;;CAEK,CAAC;AAEX,4EAA4E;AAC5E,MAAM,MAAM,iBAAiB,GAC3B,CAAC,OAAO,iBAAiB,CAAC,CAAC,MAAM,OAAO,iBAAiB,CAAC,CAAC"}