@elaraai/e3-api-server 0.0.2-beta.11 → 0.0.2-beta.13

package/dist/src/auth/device.js

@@ -0,0 +1,227 @@
+/**
+ * Copyright (c) 2025 Elara AI Pty Ltd
+ * Licensed under BSL 1.1. See LICENSE for details.
+ */
+/**
+ * OAuth2 Device Authorization Grant (RFC 8628) implementation.
+ */
+import * as crypto from 'node:crypto';
+import { Hono } from 'hono';
+import { signJwt } from './keys.js';
+// In-memory pending authorizations
+const pendingAuths = new Map();
+// Clean up expired authorizations periodically
+// Use unref() so this timer doesn't prevent process exit
+const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [deviceCode, auth] of pendingAuths) {
+        if (auth.expiresAt < now) {
+            pendingAuths.delete(deviceCode);
+        }
+    }
+}, 60000); // Every minute
+cleanupInterval.unref();
+/**
+ * Generate a random device code.
+ */
+function generateDeviceCode() {
+    return crypto.randomBytes(32).toString('hex');
+}
+/**
+ * Generate a user-friendly code (e.g., ABCD-1234).
+ */
+function generateUserCode() {
+    const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // Exclude confusing chars
+    let code = '';
+    for (let i = 0; i < 8; i++) {
+        if (i === 4)
+            code += '-';
+        code += chars[crypto.randomInt(chars.length)];
+    }
+    return code;
+}
+/**
+ * Create device flow routes.
+ */
+export function createDeviceRoutes(config) {
+    const app = new Hono();
+    // POST /oauth2/device_authorization - Start device flow
+    app.post('/oauth2/device_authorization', (c) => {
+        const deviceCode = generateDeviceCode();
+        const userCode = generateUserCode();
+        const expiresIn = 300; // 5 minutes
+        pendingAuths.set(deviceCode, {
+            userCode,
+            approved: config.autoApprove, // Auto-approve in CI mode
+            expiresAt: Date.now() + expiresIn * 1000,
+        });
+        return c.json({
+            device_code: deviceCode,
+            user_code: userCode,
+            verification_uri: `${config.baseUrl}/device`,
+            verification_uri_complete: `${config.baseUrl}/device?user_code=${userCode}`,
+            expires_in: expiresIn,
+            interval: 1, // Poll every 1 second (fast for dev)
+        });
+    });
+    // GET /device - HTML approval page
+    app.get('/device', (c) => {
+        const userCode = c.req.query('user_code') || '';
+        const autoApproveScript = config.autoApprove
+            ? `<script>setTimeout(() => document.forms[0].submit(), 500);</script>`
+            : '';
+        return c.html(`<!DOCTYPE html>
+<html>
+<head>
+  <title>e3 Device Login</title>
+  <style>
+    body { font-family: system-ui, sans-serif; max-width: 400px; margin: 50px auto; padding: 20px; }
+    h1 { color: #333; }
+    .code { font-size: 2em; font-family: monospace; letter-spacing: 0.1em; background: #f0f0f0; padding: 10px 20px; border-radius: 4px; }
+    button { background: #0066cc; color: white; border: none; padding: 12px 24px; font-size: 1em; border-radius: 4px; cursor: pointer; margin-top: 20px; }
+    button:hover { background: #0055aa; }
+    .auto { color: #666; font-style: italic; margin-top: 10px; }
+  </style>
+</head>
+<body>
+  <h1>e3 Device Login</h1>
+  <p>Confirm this code matches what's shown in your terminal:</p>
+  <div class="code">${userCode || '(no code)'}</div>
+  <form method="POST" action="/device/approve">
+    <input type="hidden" name="user_code" value="${userCode}">
+    <button type="submit">Approve</button>
+  </form>
+  ${config.autoApprove ? '<p class="auto">Auto-approving in CI mode...</p>' : ''}
+  ${autoApproveScript}
+</body>
+</html>`);
+    });
+    // POST /device/approve - Approve device code
+    app.post('/device/approve', async (c) => {
+        const body = await c.req.parseBody();
+        const userCode = String(body['user_code'] || '');
+        // Find the pending auth with this user code
+        for (const [_deviceCode, auth] of pendingAuths) {
+            if (auth.userCode === userCode && auth.expiresAt > Date.now()) {
+                auth.approved = true;
+                return c.html(`<!DOCTYPE html>
+<html>
+<head>
+  <title>e3 Device Login</title>
+  <style>
+    body { font-family: system-ui, sans-serif; max-width: 400px; margin: 50px auto; padding: 20px; }
+    h1 { color: #22aa22; }
+  </style>
+</head>
+<body>
+  <h1>✓ Approved</h1>
+  <p>You can close this window and return to your terminal.</p>
+</body>
+</html>`);
+            }
+        }
+        return c.html(`<!DOCTYPE html>
+<html>
+<head>
+  <title>e3 Device Login</title>
+  <style>
+    body { font-family: system-ui, sans-serif; max-width: 400px; margin: 50px auto; padding: 20px; }
+    h1 { color: #cc0000; }
+  </style>
+</head>
+<body>
+  <h1>✗ Invalid or Expired Code</h1>
+  <p>The code may have expired. Please try again.</p>
+</body>
+</html>`, 400);
+    });
+    // POST /oauth2/token - Exchange device code for tokens OR refresh tokens
+    app.post('/oauth2/token', async (c) => {
+        const body = await c.req.parseBody();
+        const grantType = String(body['grant_type'] || '');
+        // Device code grant
+        if (grantType === 'urn:ietf:params:oauth:grant-type:device_code') {
+            const deviceCode = String(body['device_code'] || '');
+            const auth = pendingAuths.get(deviceCode);
+            if (!auth || auth.expiresAt < Date.now()) {
+                return c.json({ error: 'expired_token' }, 400);
+            }
+            if (!auth.approved) {
+                return c.json({ error: 'authorization_pending' }, 400);
+            }
+            // Delete the pending auth
+            pendingAuths.delete(deviceCode);
+            // Generate tokens
+            const now = Math.floor(Date.now() / 1000);
+            const accessPayload = {
+                sub: 'dev-user',
+                iss: config.baseUrl,
+                aud: config.baseUrl,
+                iat: now,
+                nbf: now,
+                exp: now + config.accessTokenExpiry,
+                token_type: 'access',
+            };
+            const refreshPayload = {
+                sub: 'dev-user',
+                iss: config.baseUrl,
+                aud: config.baseUrl,
+                iat: now,
+                nbf: now,
+                exp: now + config.refreshTokenExpiry,
+                token_type: 'refresh',
+            };
+            return c.json({
+                access_token: signJwt(accessPayload, config.keys),
+                refresh_token: signJwt(refreshPayload, config.keys),
+                token_type: 'Bearer',
+                expires_in: config.accessTokenExpiry,
+            });
+        }
+        // Refresh token grant
+        if (grantType === 'refresh_token') {
+            const refreshToken = String(body['refresh_token'] || '');
+            try {
+                // Import verifyJwt dynamically to avoid circular dependency
+                const { verifyJwt } = await import('./keys.js');
+                const payload = verifyJwt(refreshToken, config.keys);
+                if (payload.token_type !== 'refresh') {
+                    return c.json({ error: 'invalid_grant', error_description: 'Not a refresh token' }, 400);
+                }
+                // Generate new access token
+                const now = Math.floor(Date.now() / 1000);
+                const accessPayload = {
+                    sub: payload.sub,
+                    iss: config.baseUrl,
+                    aud: config.baseUrl,
+                    iat: now,
+                    nbf: now,
+                    exp: now + config.accessTokenExpiry,
+                    token_type: 'access',
+                };
+                // Also issue a new refresh token (rotation)
+                const newRefreshPayload = {
+                    sub: payload.sub,
+                    iss: config.baseUrl,
+                    aud: config.baseUrl,
+                    iat: now,
+                    nbf: now,
+                    exp: now + config.refreshTokenExpiry,
+                    token_type: 'refresh',
+                };
+                return c.json({
+                    access_token: signJwt(accessPayload, config.keys),
+                    refresh_token: signJwt(newRefreshPayload, config.keys),
+                    token_type: 'Bearer',
+                    expires_in: config.accessTokenExpiry,
+                });
+            }
+            catch {
+                return c.json({ error: 'invalid_grant', error_description: 'Invalid refresh token' }, 400);
+            }
+        }
+        return c.json({ error: 'unsupported_grant_type' }, 400);
+    });
+    return app;
+}
+//# sourceMappingURL=device.js.map

package/dist/src/auth/device.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device.js","sourceRoot":"","sources":["../../../src/auth/device.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA2BpC,mCAAmC;AACnC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAuB,CAAC;AAEpD,+CAA+C;AAC/C,yDAAyD;AACzD,MAAM,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,YAAY,EAAE,CAAC;QAC9C,IAAI,IAAI,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;YACzB,YAAY,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;AACH,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,eAAe;AAC1B,eAAe,CAAC,KAAK,EAAE,CAAC;AAExB;;GAEG;AACH,SAAS,kBAAkB;IACzB,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,MAAM,KAAK,GAAG,kCAAkC,CAAC,CAAC,0BAA0B;IAC5E,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,IAAI,CAAC,KAAK,CAAC;YAAE,IAAI,IAAI,GAAG,CAAC;QACzB,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAwB;IACzD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,wDAAwD;IACxD,GAAG,CAAC,IAAI,CAAC,8BAA8B,EAAE,CAAC,CAAC,EAAE,EAAE;QAC7C,MAAM,UAAU,GAAG,kBAAkB,EAAE,CAAC;QACxC,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,GAAG,CAAC,CAAC,YAAY;QAEnC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE;YAC3B,QAAQ;YACR,QAAQ,EAAE,MAAM,CAAC,WAAW,EAAE,0BAA0B;YACxD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI;SACzC,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,WAAW,EAAE,UAAU;YACvB,SAAS,EAAE,QAAQ;YACnB,gBAAgB,EAAE,GAAG,MAAM,CAAC,OAAO,SAAS;YAC5C,yBAAyB,EAAE,GAAG,MAAM,CAAC,OAAO,qBAAqB,QAAQ,EAAE;YAC3E,UAAU,EAAE,SAAS;YACrB,QAAQ,EAAE,CAAC,EAAE,qCAAqC;SACnD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,mCAAmC;IACnC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE;QACvB,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;QAChD,MAAM,iBAAiB,GAAG,MAAM,CAAC,WAAW;YAC1C,CAAC,CAAC,qEAAqE;YACvE,CAAC,CAAC,EAAE,CAAC;QAEP,OAAO,CAAC,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;sBAgBI,QAAQ,IAAI,WAAW;;mDAEM,QAAQ;;;IAGvD,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,kDAAkD,CAAC,CAAC,CAAC,EAAE;IAC5E,iBAAiB;;QAEb,CAAC,CAAC;IACR,CAAC,CAAC,CAAC;IAEH,6CAA6C;IAC7C,GAAG,CAAC,IAAI,CAAC,iBAAiB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACtC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC;QAEjD,4CAA4C;QAC5C,KAAK,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,YAAY,EAAE,CAAC;YAC/C,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBAC9D,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;gBACrB,OAAO,CAAC,CAAC,IAAI,CAAC;;;;;;;;;;;;;QAad,CAAC,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,CAAC,CAAC,IAAI,CAAC;;;;;;;;;;;;;QAaV,EAAE,GAAG,CAAC,CAAC;IACb,CAAC,CAAC,CAAC;IAEH,yEAAyE;IACzE,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACpC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC;QAEnD,oBAAoB;QACpB,IAAI,SAAS,KAAK,8CAA8C,EAAE,CAAC;YACjE,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC;YACrD,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAE1C,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACzC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,GAAG,CAAC,CAAC;YACjD,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACnB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,EAAE,GAAG,CAAC,CAAC;YACzD,CAAC;YAED,0BAA0B;YAC1B,YAAY,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAEhC,kBAAkB;YAClB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,aAAa,GAAe;gBAChC,GAAG,EAAE,UAAU;gBACf,GAAG,EAAE,MAAM,CAAC,OAAO;gBACnB,GAAG,EAAE,MAAM,CAAC,OAAO;gBACnB,GAAG,EAAE,GAAG;gBACR,GAAG,EAAE,GAAG;gBACR,GAAG,EAAE,GAAG,GAAG,MAAM,CAAC,iBAAiB;gBACnC,UAAU,EAAE,QAAQ;aACrB,CAAC;YACF,MAAM,cAAc,GAAe;gBACjC,GAAG,EAAE,UAAU;gBACf,GAAG,EAAE,MAAM,CAAC,OAAO;gBACnB,GAAG,EAAE,MAAM,CAAC,OAAO;gBACnB,GAAG,EAAE,GAAG;gBACR,GAAG,EAAE,GAAG;gBACR,GAAG,EAAE,GAAG,GAAG,MAAM,CAAC,kBAAkB;gBACpC,UAAU,EAAE,SAAS;aACtB,CAAC;YAEF,OAAO,CAAC,CAAC,IAAI,CAAC;gBACZ,YAAY,EAAE,OAAO,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC;gBACjD,aAAa,EAAE,OAAO,CAAC,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC;gBACnD,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,MAAM,CAAC,iBAAiB;aACrC,CAAC,CAAC;QACL,CAAC;QAED,sBAAsB;QACtB,IAAI,SAAS,KAAK,eAAe,EAAE,CAAC;YAClC,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,CAAC;YAEzD,IAAI,CAAC;gBACH,4DAA4D;gBAC5D,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;gBAChD,MAAM,OAAO,GAAG,SAAS,CAAC,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;gBAErD,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;oBACrC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,EAAE,GAAG,CAAC,CAAC;gBAC3F,CAAC;gBAED,4BAA4B;gBAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;gBAC1C,MAAM,aAAa,GAAe;oBAChC,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,GAAG,EAAE,MAAM,CAAC,OAAO;oBACnB,GAAG,EAAE,MAAM,CAAC,OAAO;oBACnB,GAAG,EAAE,GAAG;oBACR,GAAG,EAAE,GAAG;oBACR,GAAG,EAAE,GAAG,GAAG,MAAM,CAAC,iBAAiB;oBACnC,UAAU,EAAE,QAAQ;iBACrB,CAAC;gBAEF,4CAA4C;gBAC5C,MAAM,iBAAiB,GAAe;oBACpC,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,GAAG,EAAE,MAAM,CAAC,OAAO;oBACnB,GAAG,EAAE,MAAM,CAAC,OAAO;oBACnB,GAAG,EAAE,GAAG;oBACR,GAAG,EAAE,GAAG;oBACR,GAAG,EAAE,GAAG,GAAG,MAAM,CAAC,kBAAkB;oBACpC,UAAU,EAAE,SAAS;iBACtB,CAAC;gBAEF,OAAO,CAAC,CAAC,IAAI,CAAC;oBACZ,YAAY,EAAE,OAAO,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC;oBACjD,aAAa,EAAE,OAAO,CAAC,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC;oBACtD,UAAU,EAAE,QAAQ;oBACpB,UAAU,EAAE,MAAM,CAAC,iBAAiB;iBACrC,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,EAAE,GAAG,CAAC,CAAC;YAC7F,CAAC;QACH,CAAC;QAED,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,EAAE,GAAG,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/src/auth/discovery.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Copyright (c) 2025 Elara AI Pty Ltd
+ * Licensed under BSL 1.1. See LICENSE for details.
+ */
+/**
+ * OIDC Discovery endpoint (/.well-known/openid-configuration).
+ */
+import { Hono } from 'hono';
+import type { KeyPair } from './keys.js';
+/**
+ * Discovery configuration.
+ */
+export interface DiscoveryConfig {
+    /** Server base URL (e.g., http://localhost:3000) */
+    baseUrl: string;
+    /** RSA keypair for JWKS */
+    keys: KeyPair;
+}
+/**
+ * Create discovery routes.
+ */
+export declare function createDiscoveryRoutes(config: DiscoveryConfig): Hono;
+//# sourceMappingURL=discovery.d.ts.map

package/dist/src/auth/discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../../src/auth/discovery.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGzC;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,oDAAoD;IACpD,OAAO,EAAE,MAAM,CAAC;IAChB,2BAA2B;IAC3B,IAAI,EAAE,OAAO,CAAC;CACf;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,eAAe,GAAG,IAAI,CA6BnE"}

package/dist/src/auth/discovery.js

@@ -0,0 +1,40 @@
+/**
+ * Copyright (c) 2025 Elara AI Pty Ltd
+ * Licensed under BSL 1.1. See LICENSE for details.
+ */
+/**
+ * OIDC Discovery endpoint (/.well-known/openid-configuration).
+ */
+import { Hono } from 'hono';
+import { publicKeyToJwk } from './keys.js';
+/**
+ * Create discovery routes.
+ */
+export function createDiscoveryRoutes(config) {
+    const app = new Hono();
+    // GET /.well-known/openid-configuration - OIDC Discovery
+    app.get('/.well-known/openid-configuration', (c) => {
+        return c.json({
+            issuer: config.baseUrl,
+            device_authorization_endpoint: `${config.baseUrl}/oauth2/device_authorization`,
+            token_endpoint: `${config.baseUrl}/oauth2/token`,
+            jwks_uri: `${config.baseUrl}/.well-known/jwks.json`,
+            response_types_supported: ['token'],
+            grant_types_supported: [
+                'urn:ietf:params:oauth:grant-type:device_code',
+                'refresh_token',
+            ],
+            subject_types_supported: ['public'],
+            id_token_signing_alg_values_supported: ['RS256'],
+            token_endpoint_auth_methods_supported: ['none'],
+        });
+    });
+    // GET /.well-known/jwks.json - JSON Web Key Set
+    app.get('/.well-known/jwks.json', (c) => {
+        return c.json({
+            keys: [publicKeyToJwk(config.keys)],
+        });
+    });
+    return app;
+}
+//# sourceMappingURL=discovery.js.map

package/dist/src/auth/discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../../src/auth/discovery.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAY3C;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAuB;IAC3D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,yDAAyD;IACzD,GAAG,CAAC,GAAG,CAAC,mCAAmC,EAAE,CAAC,CAAC,EAAE,EAAE;QACjD,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM,CAAC,OAAO;YACtB,6BAA6B,EAAE,GAAG,MAAM,CAAC,OAAO,8BAA8B;YAC9E,cAAc,EAAE,GAAG,MAAM,CAAC,OAAO,eAAe;YAChD,QAAQ,EAAE,GAAG,MAAM,CAAC,OAAO,wBAAwB;YACnD,wBAAwB,EAAE,CAAC,OAAO,CAAC;YACnC,qBAAqB,EAAE;gBACrB,8CAA8C;gBAC9C,eAAe;aAChB;YACD,uBAAuB,EAAE,CAAC,QAAQ,CAAC;YACnC,qCAAqC,EAAE,CAAC,OAAO,CAAC;YAChD,qCAAqC,EAAE,CAAC,MAAM,CAAC;SAChD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,gDAAgD;IAChD,GAAG,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC,CAAC,EAAE,EAAE;QACtC,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;SACpC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/src/auth/index.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Copyright (c) 2025 Elara AI Pty Ltd
+ * Licensed under BSL 1.1. See LICENSE for details.
+ */
+/**
+ * OIDC authentication provider for e3-api-server.
+ *
+ * Provides OAuth2 Device Flow (RFC 8628) with JWT tokens,
+ * compatible with AWS Cognito for cloud deployment.
+ */
+import { Hono } from 'hono';
+import { type KeyPair } from './keys.js';
+export { generateKeyPair, verifyJwt, type KeyPair, type JwtPayload } from './keys.js';
+/**
+ * Parse duration string to seconds.
+ * Supports: "5s", "15m", "1h", "24h", "90d"
+ */
+export declare function parseDuration(duration: string): number;
+/**
+ * OIDC provider configuration.
+ */
+export interface OidcConfig {
+    /** Server base URL (e.g., http://localhost:3000) */
+    baseUrl: string;
+    /** Access token expiry duration (default: "1h") */
+    tokenExpiry?: string;
+    /** Refresh token expiry duration (default: "90d") */
+    refreshTokenExpiry?: string;
+    /** Auto-approve device codes (for CI testing) */
+    autoApprove?: boolean;
+}
+/**
+ * OIDC provider instance.
+ */
+export interface OidcProvider {
+    /** Hono app with all auth routes */
+    routes: Hono;
+    /** RSA keypair (for validating tokens) */
+    keys: KeyPair;
+    /** Server base URL */
+    baseUrl: string;
+    /** Access token expiry in seconds */
+    accessTokenExpiry: number;
+}
+/**
+ * Create an OIDC provider for the e3-api-server.
+ *
+ * This provides:
+ * - /.well-known/openid-configuration (discovery)
+ * - /.well-known/jwks.json (public keys)
+ * - /oauth2/device_authorization (start device flow)
+ * - /device (approval page)
+ * - /oauth2/token (exchange codes and refresh tokens)
+ */
+export declare function createOidcProvider(config: OidcConfig): OidcProvider;
+//# sourceMappingURL=index.d.ts.map

package/dist/src/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;;GAKG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAmB,KAAK,OAAO,EAAE,MAAM,WAAW,CAAC;AAI1D,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,KAAK,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,WAAW,CAAC;AAEtF;;;GAGG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAgBtD;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,oDAAoD;IACpD,OAAO,EAAE,MAAM,CAAC;IAChB,mDAAmD;IACnD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,qDAAqD;IACrD,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,MAAM,EAAE,IAAI,CAAC;IACb,0CAA0C;IAC1C,IAAI,EAAE,OAAO,CAAC;IACd,sBAAsB;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,qCAAqC;IACrC,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,UAAU,GAAG,YAAY,CA4BnE"}

package/dist/src/auth/index.js

@@ -0,0 +1,69 @@
+/**
+ * Copyright (c) 2025 Elara AI Pty Ltd
+ * Licensed under BSL 1.1. See LICENSE for details.
+ */
+/**
+ * OIDC authentication provider for e3-api-server.
+ *
+ * Provides OAuth2 Device Flow (RFC 8628) with JWT tokens,
+ * compatible with AWS Cognito for cloud deployment.
+ */
+import { Hono } from 'hono';
+import { generateKeyPair } from './keys.js';
+import { createDeviceRoutes } from './device.js';
+import { createDiscoveryRoutes } from './discovery.js';
+export { generateKeyPair, verifyJwt } from './keys.js';
+/**
+ * Parse duration string to seconds.
+ * Supports: "5s", "15m", "1h", "24h", "90d"
+ */
+export function parseDuration(duration) {
+    const match = duration.match(/^(\d+)(s|m|h|d)$/);
+    if (!match) {
+        throw new Error(`Invalid duration format: ${duration}. Use format like "5s", "15m", "1h", "90d"`);
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    switch (unit) {
+        case 's': return value;
+        case 'm': return value * 60;
+        case 'h': return value * 60 * 60;
+        case 'd': return value * 60 * 60 * 24;
+        default: throw new Error(`Unknown duration unit: ${unit}`);
+    }
+}
+/**
+ * Create an OIDC provider for the e3-api-server.
+ *
+ * This provides:
+ * - /.well-known/openid-configuration (discovery)
+ * - /.well-known/jwks.json (public keys)
+ * - /oauth2/device_authorization (start device flow)
+ * - /device (approval page)
+ * - /oauth2/token (exchange codes and refresh tokens)
+ */
+export function createOidcProvider(config) {
+    const keys = generateKeyPair();
+    const accessTokenExpiry = parseDuration(config.tokenExpiry ?? '1h');
+    const refreshTokenExpiry = parseDuration(config.refreshTokenExpiry ?? '90d');
+    const autoApprove = config.autoApprove ?? process.env.E3_AUTH_AUTO_APPROVE === '1';
+    const deviceConfig = {
+        baseUrl: config.baseUrl,
+        keys,
+        accessTokenExpiry,
+        refreshTokenExpiry,
+        autoApprove,
+    };
+    const app = new Hono();
+    // Mount discovery routes (/.well-known/*)
+    app.route('/', createDiscoveryRoutes({ baseUrl: config.baseUrl, keys }));
+    // Mount device flow routes (/oauth2/*, /device)
+    app.route('/', createDeviceRoutes(deviceConfig));
+    return {
+        routes: app,
+        keys,
+        baseUrl: config.baseUrl,
+        accessTokenExpiry,
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/src/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;;GAKG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,eAAe,EAAgB,MAAM,WAAW,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAyB,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAEvD,OAAO,EAAE,eAAe,EAAE,SAAS,EAAiC,MAAM,WAAW,CAAC;AAEtF;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,4CAA4C,CAAC,CAAC;IACpG,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtB,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,CAAC;QACvB,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,EAAE,CAAC;QAC5B,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,EAAE,GAAG,EAAE,CAAC;QACjC,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;QACtC,OAAO,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,EAAE,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AA8BD;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAkB;IACnD,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC;IAC/B,MAAM,iBAAiB,GAAG,aAAa,CAAC,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,CAAC;IACpE,MAAM,kBAAkB,GAAG,aAAa,CAAC,MAAM,CAAC,kBAAkB,IAAI,KAAK,CAAC,CAAC;IAC7E,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,KAAK,GAAG,CAAC;IAEnF,MAAM,YAAY,GAAqB;QACrC,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,IAAI;QACJ,iBAAiB;QACjB,kBAAkB;QAClB,WAAW;KACZ,CAAC;IAEF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,0CAA0C;IAC1C,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,qBAAqB,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAEzE,gDAAgD;IAChD,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,kBAAkB,CAAC,YAAY,CAAC,CAAC,CAAC;IAEjD,OAAO;QACL,MAAM,EAAE,GAAG;QACX,IAAI;QACJ,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,iBAAiB;KAClB,CAAC;AACJ,CAAC"}

package/dist/src/auth/keys.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Copyright (c) 2025 Elara AI Pty Ltd
+ * Licensed under BSL 1.1. See LICENSE for details.
+ */
+/**
+ * RSA keypair generation and JWT signing for OIDC provider.
+ */
+import * as crypto from 'node:crypto';
+/**
+ * RSA keypair for JWT signing.
+ */
+export interface KeyPair {
+    privateKey: crypto.KeyObject;
+    publicKey: crypto.KeyObject;
+    /** Key ID for JWKS */
+    kid: string;
+}
+/**
+ * JWT payload claims.
+ */
+export interface JwtPayload {
+    /** Subject - user identifier */
+    sub: string;
+    /** Issuer */
+    iss: string;
+    /** Audience */
+    aud: string;
+    /** Expiration time (Unix timestamp) */
+    exp: number;
+    /** Issued at time (Unix timestamp) */
+    iat: number;
+    /** Not before time (Unix timestamp) */
+    nbf: number;
+    /** Token type (access or refresh) */
+    token_type?: 'access' | 'refresh';
+}
+/**
+ * Generate an RSA keypair for JWT signing.
+ * Keys are generated in-memory on server startup.
+ */
+export declare function generateKeyPair(): KeyPair;
+/**
+ * Sign a JWT payload with the private key.
+ */
+export declare function signJwt(payload: JwtPayload, keys: KeyPair): string;
+/**
+ * Verify a JWT and return the payload.
+ * @throws Error if verification fails
+ */
+export declare function verifyJwt(token: string, keys: KeyPair): JwtPayload;
+/**
+ * Export public key in JWK format for JWKS endpoint.
+ */
+export declare function publicKeyToJwk(keys: KeyPair): object;
+//# sourceMappingURL=keys.d.ts.map

package/dist/src/auth/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../../src/auth/keys.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAEtC;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,UAAU,EAAE,MAAM,CAAC,SAAS,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC;IAC5B,sBAAsB;IACtB,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,eAAe;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,sCAAsC;IACtC,GAAG,EAAE,MAAM,CAAC;IACZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,qCAAqC;IACrC,UAAU,CAAC,EAAE,QAAQ,GAAG,SAAS,CAAC;CACnC;AAED;;;GAGG;AACH,wBAAgB,eAAe,IAAI,OAAO,CASzC;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,GAAG,MAAM,CAgBlE;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,UAAU,CA4BlE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,CAQpD"}

package/dist/src/auth/keys.js

@@ -0,0 +1,78 @@
+/**
+ * Copyright (c) 2025 Elara AI Pty Ltd
+ * Licensed under BSL 1.1. See LICENSE for details.
+ */
+/**
+ * RSA keypair generation and JWT signing for OIDC provider.
+ */
+import * as crypto from 'node:crypto';
+/**
+ * Generate an RSA keypair for JWT signing.
+ * Keys are generated in-memory on server startup.
+ */
+export function generateKeyPair() {
+    const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
+        modulusLength: 2048,
+    });
+    // Generate a random key ID
+    const kid = crypto.randomBytes(8).toString('hex');
+    return { privateKey, publicKey, kid };
+}
+/**
+ * Sign a JWT payload with the private key.
+ */
+export function signJwt(payload, keys) {
+    const header = {
+        alg: 'RS256',
+        typ: 'JWT',
+        kid: keys.kid,
+    };
+    const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
+    const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const sign = crypto.createSign('RSA-SHA256');
+    sign.update(`${headerB64}.${payloadB64}`);
+    const signature = sign.sign(keys.privateKey);
+    const signatureB64 = signature.toString('base64url');
+    return `${headerB64}.${payloadB64}.${signatureB64}`;
+}
+/**
+ * Verify a JWT and return the payload.
+ * @throws Error if verification fails
+ */
+export function verifyJwt(token, keys) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        throw new Error('Malformed JWT: expected 3 parts');
+    }
+    const [headerB64, payloadB64, signatureB64] = parts;
+    // Verify signature
+    const verify = crypto.createVerify('RSA-SHA256');
+    verify.update(`${headerB64}.${payloadB64}`);
+    const signature = Buffer.from(signatureB64, 'base64url');
+    if (!verify.verify(keys.publicKey, signature)) {
+        throw new Error('Invalid JWT signature');
+    }
+    // Decode and validate payload
+    const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp !== undefined && payload.exp < now) {
+        throw new Error('Token expired');
+    }
+    if (payload.nbf !== undefined && payload.nbf > now) {
+        throw new Error('Token not yet valid');
+    }
+    return payload;
+}
+/**
+ * Export public key in JWK format for JWKS endpoint.
+ */
+export function publicKeyToJwk(keys) {
+    const publicKeyJwk = keys.publicKey.export({ format: 'jwk' });
+    return {
+        ...publicKeyJwk,
+        kid: keys.kid,
+        use: 'sig',
+        alg: 'RS256',
+    };
+}
+//# sourceMappingURL=keys.js.map

package/dist/src/auth/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../../src/auth/keys.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAgCtC;;;GAGG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC,mBAAmB,CAAC,KAAK,EAAE;QAClE,aAAa,EAAE,IAAI;KACpB,CAAC,CAAC;IAEH,2BAA2B;IAC3B,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAElD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,OAAmB,EAAE,IAAa;IACxD,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,IAAI,CAAC,GAAG;KACd,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC5E,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAE9E,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7C,MAAM,YAAY,GAAG,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAErD,OAAO,GAAG,SAAS,IAAI,UAAU,IAAI,YAAY,EAAE,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa,EAAE,IAAa;IACpD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;IAEpD,mBAAmB;IACnB,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC;IACjD,MAAM,CAAC,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC,CAAC;IAC5C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;IACzD,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,8BAA8B;IAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAe,CAAC;IAE1F,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACzC,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,IAAa;IAC1C,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9D,OAAO;QACL,GAAG,YAAY;QACf,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,OAAO;KACb,CAAC;AACJ,CAAC"}

package/dist/src/beast2.d.ts

@@ -6,15 +6,27 @@ import type { EastType, ValueTypeOf } from '@elaraai/east';
 import type { Context } from 'hono';
 import { type Error } from './types.js';
 /**
- * Decode BEAST2 request body.
+ * Decode BEAST2 request body from Hono context.
  */
 export declare function decodeBody<T extends EastType>(c: Context, type: T): Promise<ValueTypeOf<T>>;
+/**
+ * Decode raw BEAST2 bytes (for handlers that receive body directly).
+ */
+export declare function decodeBeast2<T extends EastType>(data: Uint8Array, type: T): ValueTypeOf<T>;
 /**
  * Send BEAST2 success response.
+ *
+ * Returns a web Response object that can be used by both Hono routes and Lambda handlers.
  */
-export declare function sendSuccess<T extends EastType>(c: Context, type: T, value: ValueTypeOf<T>): Response;
+export declare function sendSuccess<T extends EastType>(type: T, value: ValueTypeOf<T>): Response;
 /**
  * Send BEAST2 error response.
+ *
+ * Returns a web Response object that can be used by both Hono routes and Lambda handlers.
+ */
+export declare function sendError<T extends EastType>(type: T, error: Error): Response;
+/**
+ * Send BEAST2 success response with custom HTTP status.
  */
-export declare function sendError<T extends EastType>(c: Context, type: T, error: Error): Response;
+export declare function sendSuccessWithStatus<T extends EastType>(type: T, value: ValueTypeOf<T>, status: number): Response;
 //# sourceMappingURL=beast2.d.ts.map

package/dist/src/beast2.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"beast2.d.ts","sourceRoot":"","sources":["../../src/beast2.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC3D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACpC,OAAO,EAAgB,KAAK,KAAK,EAAE,MAAM,YAAY,CAAC;AAEtD;;GAEG;AACH,wBAAsB,UAAU,CAAC,CAAC,SAAS,QAAQ,EACjD,CAAC,EAAE,OAAO,EACV,IAAI,EAAE,CAAC,GACN,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CASzB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,QAAQ,EAC5C,CAAC,EAAE,OAAO,EACV,IAAI,EAAE,CAAC,EACP,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC,GACpB,QAAQ,CAWV;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,CAAC,SAAS,QAAQ,EAC1C,CAAC,EAAE,OAAO,EACV,IAAI,EAAE,CAAC,EACP,KAAK,EAAE,KAAK,GACX,QAAQ,CAWV"}
+{"version":3,"file":"beast2.d.ts","sourceRoot":"","sources":["../../src/beast2.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC3D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACpC,OAAO,EAAgB,KAAK,KAAK,EAAE,MAAM,YAAY,CAAC;AAEtD;;GAEG;AACH,wBAAsB,UAAU,CAAC,CAAC,SAAS,QAAQ,EACjD,CAAC,EAAE,OAAO,EACV,IAAI,EAAE,CAAC,GACN,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAUzB;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,CAAC,SAAS,QAAQ,EAC7C,IAAI,EAAE,UAAU,EAChB,IAAI,EAAE,CAAC,GACN,WAAW,CAAC,CAAC,CAAC,CAGhB;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,QAAQ,EAC5C,IAAI,EAAE,CAAC,EACP,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC,GACpB,QAAQ,CAWV;AAED;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,CAAC,SAAS,QAAQ,EAC1C,IAAI,EAAE,CAAC,EACP,KAAK,EAAE,KAAK,GACX,QAAQ,CAWV;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,SAAS,QAAQ,EACtD,IAAI,EAAE,CAAC,EACP,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC,EACrB,MAAM,EAAE,MAAM,GACb,QAAQ,CAWV"}