@emulators/apple 0.3.0

package/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by the Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding any notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. Please also get an informed
+      understanding of your current status in the "Work made for hire"
+      or other employer IP clauses in your jurisdiction and contracts
+      before applying.
+
+   Copyright 2025 Chris Tate
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/dist/index.d.ts

@@ -0,0 +1,47 @@
+import { Entity, Collection, Store, ServicePlugin } from '@emulators/core';
+
+interface AppleUser extends Entity {
+    uid: string;
+    email: string;
+    name: string;
+    given_name: string;
+    family_name: string;
+    email_verified: boolean;
+    is_private_email: boolean;
+    private_relay_email: string | null;
+    real_user_status: number;
+}
+interface AppleOAuthClient extends Entity {
+    client_id: string;
+    team_id: string;
+    key_id: string;
+    name: string;
+    redirect_uris: string[];
+}
+
+interface AppleStore {
+    users: Collection<AppleUser>;
+    oauthClients: Collection<AppleOAuthClient>;
+}
+declare function getAppleStore(store: Store): AppleStore;
+
+interface AppleSeedConfig {
+    users?: Array<{
+        email: string;
+        name?: string;
+        given_name?: string;
+        family_name?: string;
+        is_private_email?: boolean;
+    }>;
+    oauth_clients?: Array<{
+        client_id: string;
+        team_id: string;
+        key_id?: string;
+        name: string;
+        redirect_uris: string[];
+    }>;
+}
+declare function seedFromConfig(store: Store, _baseUrl: string, config: AppleSeedConfig): void;
+declare const applePlugin: ServicePlugin;
+
+export { type AppleOAuthClient, type AppleSeedConfig, type AppleStore, type AppleUser, applePlugin, applePlugin as default, getAppleStore, seedFromConfig };

package/dist/index.js

@@ -0,0 +1,633 @@
+// src/store.ts
+function getAppleStore(store) {
+  return {
+    users: store.collection("apple.users", ["uid", "email"]),
+    oauthClients: store.collection("apple.oauth_clients", ["client_id"])
+  };
+}
+
+// src/helpers.ts
+import { randomBytes } from "crypto";
+function generateAppleUid() {
+  const prefix = randomBytes(3).toString("hex").toUpperCase();
+  const middle = randomBytes(16).toString("hex");
+  const suffix = randomBytes(2).toString("hex").toUpperCase();
+  return `${prefix}.${middle}.${suffix}`;
+}
+function generatePrivateRelayEmail() {
+  const id = randomBytes(12).toString("hex");
+  return `${id}@privaterelay.appleid.com`;
+}
+
+// src/routes/oauth.ts
+import { randomBytes as randomBytes2 } from "crypto";
+import { SignJWT, exportJWK, generateKeyPair } from "jose";
+
+// ../core/dist/index.js
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+import { jwtVerify, importPKCS8 } from "jose";
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, join } from "path";
+function createErrorHandler(documentationUrl) {
+  return async (c, next) => {
+    if (documentationUrl) {
+      c.set("docsUrl", documentationUrl);
+    }
+    await next();
+  };
+}
+var errorHandler = createErrorHandler();
+var isDebug = typeof process !== "undefined" && (process.env.DEBUG === "1" || process.env.DEBUG === "true" || process.env.EMULATE_DEBUG === "1");
+function debug(label, ...args) {
+  if (isDebug) {
+    console.log(`[${label}]`, ...args);
+  }
+}
+var __dirname = dirname(fileURLToPath(import.meta.url));
+var FONTS = {
+  "geist-sans.woff2": readFileSync(join(__dirname, "fonts", "geist-sans.woff2")),
+  "GeistPixel-Square.woff2": readFileSync(join(__dirname, "fonts", "GeistPixel-Square.woff2"))
+};
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function escapeAttr(s) {
+  return escapeHtml(s).replace(/'/g, "&#39;");
+}
+var CSS = `
+@font-face{
+  font-family:'Geist';font-style:normal;font-weight:100 900;font-display:swap;
+  src:url('/_emulate/fonts/geist-sans.woff2') format('woff2');
+}
+@font-face{
+  font-family:'Geist Pixel';font-style:normal;font-weight:400;font-display:swap;
+  src:url('/_emulate/fonts/GeistPixel-Square.woff2') format('woff2');
+}
+*{box-sizing:border-box;margin:0;padding:0}
+body{
+  font-family:'Geist',-apple-system,BlinkMacSystemFont,sans-serif;
+  background:#000;color:#33ff00;min-height:100vh;
+  -webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;
+}
+.emu-bar{
+  border-bottom:1px solid #0a3300;padding:10px 20px;
+  display:flex;align-items:center;gap:10px;font-size:.8125rem;color:#1a8c00;
+}
+.emu-bar-title{font-weight:600;color:#33ff00;font-family:'Geist Pixel',monospace;}
+.emu-bar-links{margin-left:auto;display:flex;gap:16px;}
+.emu-bar-links a{
+  color:#1a8c00;font-size:.75rem;text-decoration:none;transition:color .15s;
+}
+.emu-bar-links a:hover{color:#33ff00;}
+.emu-bar-links a .full{display:inline;}
+.emu-bar-links a .short{display:none;}
+@media(max-width:600px){
+  .emu-bar-links a .full{display:none;}
+  .emu-bar-links a .short{display:inline;}
+}
+
+.content{
+  display:flex;align-items:center;justify-content:center;
+  min-height:calc(100vh - 42px);padding:24px 16px;
+}
+.content-inner{width:100%;max-width:420px;}
+.card-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.125rem;font-weight:600;margin-bottom:4px;color:#33ff00;
+}
+.card-subtitle{color:#1a8c00;font-size:.8125rem;margin-bottom:18px;line-height:1.45;}
+.powered-by{
+  position:fixed;bottom:0;left:0;right:0;
+  text-align:center;padding:12px;font-size:.6875rem;color:#0a3300;
+  font-family:'Geist Pixel',monospace;
+}
+.powered-by a{color:#1a8c00;text-decoration:none;transition:color .15s;}
+.powered-by a:hover{color:#33ff00;}
+
+.error-title{
+  font-family:'Geist Pixel',monospace;
+  color:#ff4444;font-size:1.125rem;font-weight:600;margin-bottom:8px;
+}
+.error-msg{color:#1a8c00;font-size:.875rem;line-height:1.5;}
+.error-card{text-align:center;}
+
+.user-form{margin-bottom:8px;}
+.user-form:last-of-type{margin-bottom:0;}
+.user-btn{
+  width:100%;display:flex;align-items:center;gap:12px;
+  padding:10px 12px;border:1px solid #0a3300;border-radius:8px;
+  background:#000;color:inherit;cursor:pointer;text-align:left;
+  font:inherit;transition:border-color .15s;
+}
+.user-btn:hover{border-color:#33ff00;}
+.avatar{
+  width:36px;height:36px;border-radius:50%;
+  background:#0a3300;color:#33ff00;font-weight:600;font-size:.875rem;
+  display:flex;align-items:center;justify-content:center;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.user-text{min-width:0;}
+.user-login{font-weight:600;font-size:.875rem;display:block;color:#33ff00;}
+.user-meta{color:#1a8c00;font-size:.75rem;margin-top:1px;}
+.user-email{font-size:.6875rem;color:#116600;word-break:break-all;margin-top:1px;}
+
+.settings-layout{
+  max-width:920px;margin:0 auto;padding:28px 20px;
+  display:flex;gap:28px;
+}
+.settings-sidebar{width:200px;flex-shrink:0;}
+.settings-sidebar a{
+  display:block;padding:6px 10px;border-radius:6px;color:#1a8c00;
+  text-decoration:none;font-size:.8125rem;transition:color .15s;
+}
+.settings-sidebar a:hover{color:#33ff00;}
+.settings-sidebar a.active{color:#33ff00;font-weight:600;}
+.settings-main{flex:1;min-width:0;}
+
+.s-card{
+  padding:18px 0;margin-bottom:14px;border-bottom:1px solid #0a3300;
+}
+.s-card:last-child{border-bottom:none;}
+.s-card-header{display:flex;align-items:center;gap:14px;margin-bottom:14px;}
+.s-icon{
+  width:42px;height:42px;border-radius:8px;
+  background:#0a3300;display:flex;align-items:center;justify-content:center;
+  font-size:1.125rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.s-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.25rem;font-weight:600;color:#33ff00;
+}
+.s-subtitle{font-size:.75rem;color:#1a8c00;margin-top:2px;}
+.section-heading{
+  font-size:.9375rem;font-weight:600;margin-bottom:10px;color:#33ff00;
+  display:flex;align-items:center;justify-content:space-between;
+}
+.perm-list{list-style:none;}
+.perm-list li{padding:5px 0;font-size:.8125rem;display:flex;align-items:center;gap:6px;color:#1a8c00;}
+.check{color:#33ff00;}
+.org-row{
+  display:flex;align-items:center;gap:8px;padding:7px 0;
+  border-bottom:1px solid #0a3300;font-size:.8125rem;
+}
+.org-row:last-child{border-bottom:none;}
+.org-icon{
+  width:22px;height:22px;border-radius:4px;background:#0a3300;
+  display:flex;align-items:center;justify-content:center;
+  font-size:.625rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.org-name{font-weight:600;color:#33ff00;}
+.badge{font-size:.6875rem;padding:1px 7px;border-radius:999px;font-weight:500;}
+.badge-granted{background:#0a3300;color:#33ff00;}
+.badge-denied{background:#1a0a0a;color:#ff4444;}
+.badge-requested{background:#0a3300;color:#1a8c00;}
+.btn-revoke{
+  display:inline-block;padding:5px 14px;border-radius:6px;
+  border:1px solid #0a3300;background:transparent;color:#ff4444;
+  font-size:.75rem;font-weight:600;cursor:pointer;transition:border-color .15s;
+}
+.btn-revoke:hover{border-color:#ff4444;}
+.info-text{color:#1a8c00;font-size:.75rem;line-height:1.5;margin-top:10px;}
+.app-link{
+  display:flex;align-items:center;gap:12px;padding:12px;
+  border:1px solid #0a3300;border-radius:8px;background:#000;
+  text-decoration:none;color:inherit;margin-bottom:8px;transition:border-color .15s;
+}
+.app-link:hover{border-color:#33ff00;}
+.app-link-name{font-weight:600;font-size:.875rem;color:#33ff00;}
+.app-link-scopes{font-size:.6875rem;color:#1a8c00;margin-top:1px;}
+.empty{color:#1a8c00;text-align:center;padding:28px 0;font-size:.875rem;}
+`;
+var POWERED_BY = `<div class="powered-by">Powered by <a href="https://emulate.dev" target="_blank" rel="noopener">emulate</a></div>`;
+function emuBar(service) {
+  const title = service ? `${escapeHtml(service)} Emulator` : "Emulator";
+  return `<div class="emu-bar">
+  <span class="emu-bar-title">${title}</span>
+  <nav class="emu-bar-links">
+    <a href="https://github.com/vercel-labs/emulate/issues" target="_blank" rel="noopener"><span class="full">Report Issue</span><span class="short">Report</span></a>
+    <a href="https://github.com/vercel-labs/emulate" target="_blank" rel="noopener"><span class="full">Source Code</span><span class="short">Source</span></a>
+    <a href="https://emulate.dev" target="_blank" rel="noopener"><span class="full">Learn More</span><span class="short">Learn</span></a>
+  </nav>
+</div>`;
+}
+function head(title) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta name="viewport" content="width=device-width,initial-scale=1"/>
+<title>${escapeHtml(title)} | emulate</title>
+<style>${CSS}</style>
+</head>`;
+}
+function renderCardPage(title, subtitle, body, service) {
+  return `${head(title)}
+<body>
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner">
+    <div class="card-title">${escapeHtml(title)}</div>
+    <div class="card-subtitle">${subtitle}</div>
+    ${body}
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
+function renderErrorPage(title, message, service) {
+  return `${head(title)}
+<body>
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner error-card">
+    <div class="error-title">${escapeHtml(title)}</div>
+    <div class="error-msg">${escapeHtml(message)}</div>
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
+function renderUserButton(opts) {
+  const hiddens = Object.entries(opts.hiddenFields).map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}"/>`).join("");
+  const nameLine = opts.name ? `<div class="user-meta">${escapeHtml(opts.name)}</div>` : "";
+  const emailLine = opts.email ? `<div class="user-email">${escapeHtml(opts.email)}</div>` : "";
+  return `<form class="user-form" method="post" action="${escapeAttr(opts.formAction)}">
+${hiddens}
+<button type="submit" class="user-btn">
+  <span class="avatar">${escapeHtml(opts.letter)}</span>
+  <span class="user-text">
+    <span class="user-login">${escapeHtml(opts.login)}</span>
+    ${nameLine}${emailLine}
+  </span>
+</button>
+</form>`;
+}
+function normalizeUri(uri) {
+  try {
+    const u = new URL(uri);
+    return `${u.origin}${u.pathname.replace(/\/+$/, "")}`;
+  } catch {
+    return uri.replace(/\/+$/, "").split("?")[0];
+  }
+}
+function matchesRedirectUri(incoming, registered) {
+  const normalized = normalizeUri(incoming);
+  return registered.some((r) => normalizeUri(r) === normalized);
+}
+function bodyStr(v) {
+  if (typeof v === "string") return v;
+  if (Array.isArray(v) && typeof v[0] === "string") return v[0];
+  return "";
+}
+
+// src/routes/oauth.ts
+var keyPairPromise = generateKeyPair("RS256");
+var KID = "emulate-apple-1";
+var PENDING_CODE_TTL_MS = 5 * 60 * 1e3;
+function getPendingCodes(store) {
+  let map = store.getData("apple.oauth.pendingCodes");
+  if (!map) {
+    map = /* @__PURE__ */ new Map();
+    store.setData("apple.oauth.pendingCodes", map);
+  }
+  return map;
+}
+function getRefreshTokens(store) {
+  let map = store.getData("apple.oauth.refreshTokens");
+  if (!map) {
+    map = /* @__PURE__ */ new Map();
+    store.setData("apple.oauth.refreshTokens", map);
+  }
+  return map;
+}
+function getFirstAuthTracker(store) {
+  let set = store.getData("apple.oauth.firstAuthTracker");
+  if (!set) {
+    set = /* @__PURE__ */ new Set();
+    store.setData("apple.oauth.firstAuthTracker", set);
+  }
+  return set;
+}
+function isPendingCodeExpired(p) {
+  return Date.now() - p.created_at > PENDING_CODE_TTL_MS;
+}
+var SERVICE_LABEL = "Apple";
+async function createIdToken(user, clientId, nonce, baseUrl) {
+  const { privateKey } = await keyPairPromise;
+  const email = user.is_private_email && user.private_relay_email ? user.private_relay_email : user.email;
+  const now = Math.floor(Date.now() / 1e3);
+  const builder = new SignJWT({
+    sub: user.uid,
+    email,
+    email_verified: String(user.email_verified),
+    is_private_email: String(user.is_private_email),
+    real_user_status: user.real_user_status,
+    nonce_supported: true,
+    auth_time: now,
+    ...nonce ? { nonce } : {}
+  }).setProtectedHeader({ alg: "RS256", kid: KID, typ: "JWT" }).setIssuer(baseUrl).setAudience(clientId).setIssuedAt(now).setExpirationTime("1h");
+  return builder.sign(privateKey);
+}
+function oauthRoutes({ app, store, baseUrl, tokenMap }) {
+  const as = getAppleStore(store);
+  app.get("/.well-known/openid-configuration", (c) => {
+    return c.json({
+      issuer: baseUrl,
+      authorization_endpoint: `${baseUrl}/auth/authorize`,
+      token_endpoint: `${baseUrl}/auth/token`,
+      revocation_endpoint: `${baseUrl}/auth/revoke`,
+      jwks_uri: `${baseUrl}/auth/keys`,
+      response_types_supported: ["code"],
+      response_modes_supported: ["query", "fragment", "form_post"],
+      subject_types_supported: ["pairwise"],
+      id_token_signing_alg_values_supported: ["RS256"],
+      scopes_supported: ["openid", "email", "name"],
+      token_endpoint_auth_methods_supported: ["client_secret_post"],
+      claims_supported: [
+        "aud",
+        "email",
+        "email_verified",
+        "exp",
+        "iat",
+        "is_private_email",
+        "iss",
+        "nonce",
+        "nonce_supported",
+        "real_user_status",
+        "sub",
+        "transfer_sub"
+      ]
+    });
+  });
+  app.get("/auth/keys", async (c) => {
+    const { publicKey } = await keyPairPromise;
+    const jwk = await exportJWK(publicKey);
+    return c.json({
+      keys: [{
+        ...jwk,
+        kid: KID,
+        use: "sig",
+        alg: "RS256"
+      }]
+    });
+  });
+  app.get("/auth/authorize", (c) => {
+    const client_id = c.req.query("client_id") ?? "";
+    const redirect_uri = c.req.query("redirect_uri") ?? "";
+    const scope = c.req.query("scope") ?? "";
+    const state = c.req.query("state") ?? "";
+    const nonce = c.req.query("nonce") ?? "";
+    const response_mode = c.req.query("response_mode") ?? "query";
+    const clientsConfigured = as.oauthClients.all().length > 0;
+    let clientName = "";
+    if (clientsConfigured) {
+      const client = as.oauthClients.findOneBy("client_id", client_id);
+      if (!client) {
+        return c.html(
+          renderErrorPage("Application not found", `The client_id '${client_id}' is not registered.`, SERVICE_LABEL),
+          400
+        );
+      }
+      if (redirect_uri && !matchesRedirectUri(redirect_uri, client.redirect_uris)) {
+        return c.html(
+          renderErrorPage("Redirect URI mismatch", "The redirect_uri is not registered for this application.", SERVICE_LABEL),
+          400
+        );
+      }
+      clientName = client.name;
+    }
+    const subtitleText = clientName ? `Sign in to <strong>${escapeHtml(clientName)}</strong> with your Apple ID.` : "Choose a seeded user to continue.";
+    const users = as.users.all();
+    const userButtons = users.map((user) => {
+      return renderUserButton({
+        letter: (user.email[0] ?? "?").toUpperCase(),
+        login: user.email,
+        name: user.name,
+        email: user.email,
+        formAction: "/auth/authorize/callback",
+        hiddenFields: {
+          email: user.email,
+          redirect_uri,
+          scope,
+          state,
+          nonce,
+          client_id,
+          response_mode
+        }
+      });
+    }).join("\n");
+    const body = users.length === 0 ? '<p class="empty">No users in the emulator store.</p>' : userButtons;
+    return c.html(renderCardPage("Sign in with Apple", subtitleText, body, SERVICE_LABEL));
+  });
+  app.post("/auth/authorize/callback", async (c) => {
+    const body = await c.req.parseBody();
+    const email = bodyStr(body.email);
+    const redirect_uri = bodyStr(body.redirect_uri);
+    const scope = bodyStr(body.scope);
+    const state = bodyStr(body.state);
+    const client_id = bodyStr(body.client_id);
+    const nonce = bodyStr(body.nonce);
+    const response_mode = bodyStr(body.response_mode) || "query";
+    const code = randomBytes2(20).toString("hex");
+    getPendingCodes(store).set(code, {
+      email,
+      scope,
+      redirectUri: redirect_uri,
+      clientId: client_id,
+      nonce: nonce || null,
+      responseMode: response_mode,
+      created_at: Date.now()
+    });
+    debug("apple.oauth", `[Apple callback] code=${code.slice(0, 8)}... email=${email}`);
+    const tracker = getFirstAuthTracker(store);
+    const pairKey = `${email}:${client_id}`;
+    const isFirstAuth = !tracker.has(pairKey);
+    if (isFirstAuth) {
+      tracker.add(pairKey);
+    }
+    let userJson;
+    if (isFirstAuth) {
+      const user = as.users.findOneBy("email", email);
+      if (user) {
+        userJson = JSON.stringify({
+          name: { firstName: user.given_name, lastName: user.family_name },
+          email: user.email
+        });
+      }
+    }
+    if (response_mode === "form_post") {
+      const html = `<!DOCTYPE html>
+<html>
+<head><title>Submit</title></head>
+<body onload="document.forms[0].submit()">
+<form method="POST" action="${escapeAttr(redirect_uri)}">
+<input type="hidden" name="code" value="${escapeAttr(code)}" />
+<input type="hidden" name="state" value="${escapeAttr(state)}" />${userJson ? `
+<input type="hidden" name="user" value="${escapeAttr(userJson)}" />` : ""}
+</form>
+</body>
+</html>`;
+      return c.html(html);
+    }
+    const url = new URL(redirect_uri);
+    url.searchParams.set("code", code);
+    if (state) url.searchParams.set("state", state);
+    if (userJson) url.searchParams.set("user", userJson);
+    return c.redirect(url.toString(), 302);
+  });
+  app.post("/auth/token", async (c) => {
+    const rawText = await c.req.text();
+    const body = Object.fromEntries(new URLSearchParams(rawText));
+    const grant_type = body.grant_type ?? "";
+    const code = body.code ?? "";
+    const client_id = body.client_id ?? "";
+    const refresh_token = body.refresh_token ?? "";
+    if (grant_type === "authorization_code") {
+      const pendingMap = getPendingCodes(store);
+      const pending = pendingMap.get(code);
+      if (!pending) {
+        return c.json({ error: "invalid_grant", error_description: "The code is incorrect or expired." }, 400);
+      }
+      if (isPendingCodeExpired(pending)) {
+        pendingMap.delete(code);
+        return c.json({ error: "invalid_grant", error_description: "The code is incorrect or expired." }, 400);
+      }
+      pendingMap.delete(code);
+      const user = as.users.findOneBy("email", pending.email);
+      if (!user) {
+        return c.json({ error: "invalid_grant", error_description: "User not found." }, 400);
+      }
+      const accessToken = "apple_" + randomBytes2(20).toString("base64url");
+      const refreshToken = "r_apple_" + randomBytes2(20).toString("base64url");
+      const scopes = pending.scope ? pending.scope.split(/\s+/).filter(Boolean) : [];
+      if (tokenMap) {
+        tokenMap.set(accessToken, { login: user.email, id: user.id, scopes });
+      }
+      getRefreshTokens(store).set(refreshToken, {
+        email: user.email,
+        clientId: pending.clientId,
+        scope: pending.scope,
+        nonce: pending.nonce
+      });
+      const idToken = await createIdToken(user, pending.clientId, pending.nonce, baseUrl);
+      debug("apple.oauth", `[Apple token] issued token for ${user.email}`);
+      return c.json({
+        access_token: accessToken,
+        token_type: "Bearer",
+        expires_in: 3600,
+        refresh_token: refreshToken,
+        id_token: idToken
+      });
+    }
+    if (grant_type === "refresh_token") {
+      const refreshMap = getRefreshTokens(store);
+      const stored = refreshMap.get(refresh_token);
+      if (!stored) {
+        return c.json({ error: "invalid_grant", error_description: "The refresh_token is invalid." }, 400);
+      }
+      const user = as.users.findOneBy("email", stored.email);
+      if (!user) {
+        return c.json({ error: "invalid_grant", error_description: "User not found." }, 400);
+      }
+      const accessToken = "apple_" + randomBytes2(20).toString("base64url");
+      const scopes = stored.scope ? stored.scope.split(/\s+/).filter(Boolean) : [];
+      if (tokenMap) {
+        tokenMap.set(accessToken, { login: user.email, id: user.id, scopes });
+      }
+      const idToken = await createIdToken(user, stored.clientId || client_id, stored.nonce, baseUrl);
+      debug("apple.oauth", `[Apple refresh] issued new token for ${user.email}`);
+      return c.json({
+        access_token: accessToken,
+        token_type: "Bearer",
+        expires_in: 3600,
+        id_token: idToken
+      });
+    }
+    return c.json({ error: "unsupported_grant_type", error_description: "Only authorization_code and refresh_token are supported." }, 400);
+  });
+  app.post("/auth/revoke", async (c) => {
+    const rawText = await c.req.text();
+    const params = new URLSearchParams(rawText);
+    const token = params.get("token") ?? "";
+    if (token && tokenMap) {
+      tokenMap.delete(token);
+    }
+    if (token) {
+      getRefreshTokens(store).delete(token);
+    }
+    return c.body(null, 200);
+  });
+}
+
+// src/index.ts
+function seedDefaults(store, _baseUrl) {
+  const as = getAppleStore(store);
+  as.users.insert({
+    uid: generateAppleUid(),
+    email: "testuser@icloud.com",
+    name: "Test User",
+    given_name: "Test",
+    family_name: "User",
+    email_verified: true,
+    is_private_email: false,
+    private_relay_email: null,
+    real_user_status: 2
+  });
+}
+function seedFromConfig(store, _baseUrl, config) {
+  const as = getAppleStore(store);
+  if (config.users) {
+    for (const u of config.users) {
+      const existing = as.users.findOneBy("email", u.email);
+      if (existing) continue;
+      const nameParts = (u.name ?? "").split(/\s+/);
+      const isPrivate = u.is_private_email ?? false;
+      as.users.insert({
+        uid: generateAppleUid(),
+        email: u.email,
+        name: u.name ?? u.email.split("@")[0],
+        given_name: u.given_name ?? nameParts[0] ?? "",
+        family_name: u.family_name ?? nameParts.slice(1).join(" ") ?? "",
+        email_verified: true,
+        is_private_email: isPrivate,
+        private_relay_email: isPrivate ? generatePrivateRelayEmail() : null,
+        real_user_status: 2
+      });
+    }
+  }
+  if (config.oauth_clients) {
+    for (const client of config.oauth_clients) {
+      const existing = as.oauthClients.findOneBy("client_id", client.client_id);
+      if (existing) continue;
+      as.oauthClients.insert({
+        client_id: client.client_id,
+        team_id: client.team_id,
+        key_id: client.key_id ?? "TESTKEY001",
+        name: client.name,
+        redirect_uris: client.redirect_uris
+      });
+    }
+  }
+}
+var applePlugin = {
+  name: "apple",
+  register(app, store, webhooks, baseUrl, tokenMap) {
+    const ctx = { app, store, webhooks, baseUrl, tokenMap };
+    oauthRoutes(ctx);
+  },
+  seed(store, baseUrl) {
+    seedDefaults(store, baseUrl);
+  }
+};
+var index_default = applePlugin;
+export {
+  applePlugin,
+  index_default as default,
+  getAppleStore,
+  seedFromConfig
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/store.ts","../src/helpers.ts","../src/routes/oauth.ts","../../core/src/store.ts","../../core/src/server.ts","../../core/src/webhooks.ts","../../core/src/middleware/error-handler.ts","../../core/src/middleware/auth.ts","../../core/src/debug.ts","../../core/src/fonts.ts","../../core/src/middleware/pagination.ts","../../core/src/ui.ts","../../core/src/oauth-helpers.ts","../src/index.ts"],"sourcesContent":["import { Store, type Collection } from \"@emulators/core\";\nimport type { AppleUser, AppleOAuthClient } from \"./entities.js\";\n\nexport interface AppleStore {\n  users: Collection<AppleUser>;\n  oauthClients: Collection<AppleOAuthClient>;\n}\n\nexport function getAppleStore(store: Store): AppleStore {\n  return {\n    users: store.collection<AppleUser>(\"apple.users\", [\"uid\", \"email\"]),\n    oauthClients: store.collection<AppleOAuthClient>(\"apple.oauth_clients\", [\"client_id\"]),\n  };\n}\n","import { randomBytes } from \"crypto\";\n\n/**\n * Generate a pairwise subject ID in Apple's format: \"XXXXXX.hex32.XXXX\"\n */\nexport function generateAppleUid(): string {\n  const prefix = randomBytes(3).toString(\"hex\").toUpperCase();\n  const middle = randomBytes(16).toString(\"hex\");\n  const suffix = randomBytes(2).toString(\"hex\").toUpperCase();\n  return `${prefix}.${middle}.${suffix}`;\n}\n\n/**\n * Generate a private relay email address.\n */\nexport function generatePrivateRelayEmail(): string {\n  const id = randomBytes(12).toString(\"hex\");\n  return `${id}@privaterelay.appleid.com`;\n}\n","import { randomBytes } from \"crypto\";\nimport { SignJWT, exportJWK, generateKeyPair } from \"jose\";\nimport type { RouteContext } from \"@emulators/core\";\nimport {\n  escapeHtml,\n  escapeAttr,\n  renderCardPage,\n  renderErrorPage,\n  renderUserButton,\n  matchesRedirectUri,\n  bodyStr,\n  debug,\n} from \"@emulators/core\";\nimport { getAppleStore } from \"../store.js\";\nimport type { AppleUser } from \"../entities.js\";\nimport type { Store } from \"@emulators/core\";\n\n// RSA key pair generated at module load for signing id_tokens\nconst keyPairPromise = generateKeyPair(\"RS256\");\nconst KID = \"emulate-apple-1\";\n\ntype PendingCode = {\n  email: string;\n  scope: string;\n  redirectUri: string;\n  clientId: string;\n  nonce: string | null;\n  responseMode: string;\n  created_at: number;\n};\n\ntype StoredRefreshToken = {\n  email: string;\n  clientId: string;\n  scope: string;\n  nonce: string | null;\n};\n\nconst PENDING_CODE_TTL_MS = 5 * 60 * 1000;\n\nfunction getPendingCodes(store: Store): Map<string, PendingCode> {\n  let map = store.getData<Map<string, PendingCode>>(\"apple.oauth.pendingCodes\");\n  if (!map) {\n    map = new Map();\n    store.setData(\"apple.oauth.pendingCodes\", map);\n  }\n  return map;\n}\n\nfunction getRefreshTokens(store: Store): Map<string, StoredRefreshToken> {\n  let map = store.getData<Map<string, StoredRefreshToken>>(\"apple.oauth.refreshTokens\");\n  if (!map) {\n    map = new Map();\n    store.setData(\"apple.oauth.refreshTokens\", map);\n  }\n  return map;\n}\n\nfunction getFirstAuthTracker(store: Store): Set<string> {\n  let set = store.getData<Set<string>>(\"apple.oauth.firstAuthTracker\");\n  if (!set) {\n    set = new Set();\n    store.setData(\"apple.oauth.firstAuthTracker\", set);\n  }\n  return set;\n}\n\nfunction isPendingCodeExpired(p: PendingCode): boolean {\n  return Date.now() - p.created_at > PENDING_CODE_TTL_MS;\n}\n\nconst SERVICE_LABEL = \"Apple\";\n\nasync function createIdToken(\n  user: AppleUser,\n  clientId: string,\n  nonce: string | null,\n  baseUrl: string,\n): Promise<string> {\n  const { privateKey } = await keyPairPromise;\n\n  const email = user.is_private_email && user.private_relay_email\n    ? user.private_relay_email\n    : user.email;\n\n  const now = Math.floor(Date.now() / 1000);\n\n  const builder = new SignJWT({\n    sub: user.uid,\n    email,\n    email_verified: String(user.email_verified),\n    is_private_email: String(user.is_private_email),\n    real_user_status: user.real_user_status,\n    nonce_supported: true,\n    auth_time: now,\n    ...(nonce ? { nonce } : {}),\n  })\n    .setProtectedHeader({ alg: \"RS256\", kid: KID, typ: \"JWT\" })\n    .setIssuer(baseUrl)\n    .setAudience(clientId)\n    .setIssuedAt(now)\n    .setExpirationTime(\"1h\");\n\n  return builder.sign(privateKey);\n}\n\nexport function oauthRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n  const as = getAppleStore(store);\n\n  // ---------- OIDC Discovery ----------\n\n  app.get(\"/.well-known/openid-configuration\", (c) => {\n    return c.json({\n      issuer: baseUrl,\n      authorization_endpoint: `${baseUrl}/auth/authorize`,\n      token_endpoint: `${baseUrl}/auth/token`,\n      revocation_endpoint: `${baseUrl}/auth/revoke`,\n      jwks_uri: `${baseUrl}/auth/keys`,\n      response_types_supported: [\"code\"],\n      response_modes_supported: [\"query\", \"fragment\", \"form_post\"],\n      subject_types_supported: [\"pairwise\"],\n      id_token_signing_alg_values_supported: [\"RS256\"],\n      scopes_supported: [\"openid\", \"email\", \"name\"],\n      token_endpoint_auth_methods_supported: [\"client_secret_post\"],\n      claims_supported: [\n        \"aud\", \"email\", \"email_verified\", \"exp\", \"iat\",\n        \"is_private_email\", \"iss\", \"nonce\", \"nonce_supported\",\n        \"real_user_status\", \"sub\", \"transfer_sub\",\n      ],\n    });\n  });\n\n  // ---------- JWKS ----------\n\n  app.get(\"/auth/keys\", async (c) => {\n    const { publicKey } = await keyPairPromise;\n    const jwk = await exportJWK(publicKey);\n    return c.json({\n      keys: [{\n        ...jwk,\n        kid: KID,\n        use: \"sig\",\n        alg: \"RS256\",\n      }],\n    });\n  });\n\n  // ---------- Authorization page ----------\n\n  app.get(\"/auth/authorize\", (c) => {\n    const client_id = c.req.query(\"client_id\") ?? \"\";\n    const redirect_uri = c.req.query(\"redirect_uri\") ?? \"\";\n    const scope = c.req.query(\"scope\") ?? \"\";\n    const state = c.req.query(\"state\") ?? \"\";\n    const nonce = c.req.query(\"nonce\") ?? \"\";\n    const response_mode = c.req.query(\"response_mode\") ?? \"query\";\n\n    const clientsConfigured = as.oauthClients.all().length > 0;\n    let clientName = \"\";\n    if (clientsConfigured) {\n      const client = as.oauthClients.findOneBy(\"client_id\", client_id);\n      if (!client) {\n        return c.html(\n          renderErrorPage(\"Application not found\", `The client_id '${client_id}' is not registered.`, SERVICE_LABEL),\n          400,\n        );\n      }\n      if (redirect_uri && !matchesRedirectUri(redirect_uri, client.redirect_uris)) {\n        return c.html(\n          renderErrorPage(\"Redirect URI mismatch\", \"The redirect_uri is not registered for this application.\", SERVICE_LABEL),\n          400,\n        );\n      }\n      clientName = client.name;\n    }\n\n    const subtitleText = clientName\n      ? `Sign in to <strong>${escapeHtml(clientName)}</strong> with your Apple ID.`\n      : \"Choose a seeded user to continue.\";\n\n    const users = as.users.all();\n    const userButtons = users\n      .map((user) => {\n        return renderUserButton({\n          letter: (user.email[0] ?? \"?\").toUpperCase(),\n          login: user.email,\n          name: user.name,\n          email: user.email,\n          formAction: \"/auth/authorize/callback\",\n          hiddenFields: {\n            email: user.email,\n            redirect_uri,\n            scope,\n            state,\n            nonce,\n            client_id,\n            response_mode,\n          },\n        });\n      })\n      .join(\"\\n\");\n\n    const body = users.length === 0\n      ? '<p class=\"empty\">No users in the emulator store.</p>'\n      : userButtons;\n\n    return c.html(renderCardPage(\"Sign in with Apple\", subtitleText, body, SERVICE_LABEL));\n  });\n\n  // ---------- Authorization callback ----------\n\n  app.post(\"/auth/authorize/callback\", async (c) => {\n    const body = await c.req.parseBody();\n    const email = bodyStr(body.email);\n    const redirect_uri = bodyStr(body.redirect_uri);\n    const scope = bodyStr(body.scope);\n    const state = bodyStr(body.state);\n    const client_id = bodyStr(body.client_id);\n    const nonce = bodyStr(body.nonce);\n    const response_mode = bodyStr(body.response_mode) || \"query\";\n\n    const code = randomBytes(20).toString(\"hex\");\n\n    getPendingCodes(store).set(code, {\n      email,\n      scope,\n      redirectUri: redirect_uri,\n      clientId: client_id,\n      nonce: nonce || null,\n      responseMode: response_mode,\n      created_at: Date.now(),\n    });\n\n    debug(\"apple.oauth\", `[Apple callback] code=${code.slice(0, 8)}... email=${email}`);\n\n    // Track first authorization per user+client pair\n    const tracker = getFirstAuthTracker(store);\n    const pairKey = `${email}:${client_id}`;\n    const isFirstAuth = !tracker.has(pairKey);\n    if (isFirstAuth) {\n      tracker.add(pairKey);\n    }\n\n    // Build user JSON blob (only on first auth)\n    let userJson: string | undefined;\n    if (isFirstAuth) {\n      const user = as.users.findOneBy(\"email\", email as AppleUser[\"email\"]);\n      if (user) {\n        userJson = JSON.stringify({\n          name: { firstName: user.given_name, lastName: user.family_name },\n          email: user.email,\n        });\n      }\n    }\n\n    if (response_mode === \"form_post\") {\n      // Return auto-submit form that POSTs to redirect_uri\n      const html = `<!DOCTYPE html>\n<html>\n<head><title>Submit</title></head>\n<body onload=\"document.forms[0].submit()\">\n<form method=\"POST\" action=\"${escapeAttr(redirect_uri)}\">\n<input type=\"hidden\" name=\"code\" value=\"${escapeAttr(code)}\" />\n<input type=\"hidden\" name=\"state\" value=\"${escapeAttr(state)}\" />${userJson ? `\\n<input type=\"hidden\" name=\"user\" value=\"${escapeAttr(userJson)}\" />` : \"\"}\n</form>\n</body>\n</html>`;\n      return c.html(html);\n    }\n\n    // Default: query mode redirect\n    const url = new URL(redirect_uri);\n    url.searchParams.set(\"code\", code);\n    if (state) url.searchParams.set(\"state\", state);\n    if (userJson) url.searchParams.set(\"user\", userJson);\n\n    return c.redirect(url.toString(), 302);\n  });\n\n  // ---------- Token exchange ----------\n\n  app.post(\"/auth/token\", async (c) => {\n    const rawText = await c.req.text();\n    const body = Object.fromEntries(new URLSearchParams(rawText));\n\n    const grant_type = body.grant_type ?? \"\";\n    const code = body.code ?? \"\";\n    const client_id = body.client_id ?? \"\";\n    const refresh_token = body.refresh_token ?? \"\";\n\n    if (grant_type === \"authorization_code\") {\n      const pendingMap = getPendingCodes(store);\n      const pending = pendingMap.get(code);\n      if (!pending) {\n        return c.json({ error: \"invalid_grant\", error_description: \"The code is incorrect or expired.\" }, 400);\n      }\n      if (isPendingCodeExpired(pending)) {\n        pendingMap.delete(code);\n        return c.json({ error: \"invalid_grant\", error_description: \"The code is incorrect or expired.\" }, 400);\n      }\n\n      // Single-use: delete immediately\n      pendingMap.delete(code);\n\n      const user = as.users.findOneBy(\"email\", pending.email as AppleUser[\"email\"]);\n      if (!user) {\n        return c.json({ error: \"invalid_grant\", error_description: \"User not found.\" }, 400);\n      }\n\n      const accessToken = \"apple_\" + randomBytes(20).toString(\"base64url\");\n      const refreshToken = \"r_apple_\" + randomBytes(20).toString(\"base64url\");\n      const scopes = pending.scope ? pending.scope.split(/\\s+/).filter(Boolean) : [];\n\n      if (tokenMap) {\n        tokenMap.set(accessToken, { login: user.email, id: user.id, scopes });\n      }\n\n      // Store refresh token\n      getRefreshTokens(store).set(refreshToken, {\n        email: user.email,\n        clientId: pending.clientId,\n        scope: pending.scope,\n        nonce: pending.nonce,\n      });\n\n      const idToken = await createIdToken(user, pending.clientId, pending.nonce, baseUrl);\n\n      debug(\"apple.oauth\", `[Apple token] issued token for ${user.email}`);\n\n      return c.json({\n        access_token: accessToken,\n        token_type: \"Bearer\",\n        expires_in: 3600,\n        refresh_token: refreshToken,\n        id_token: idToken,\n      });\n    }\n\n    if (grant_type === \"refresh_token\") {\n      const refreshMap = getRefreshTokens(store);\n      const stored = refreshMap.get(refresh_token);\n      if (!stored) {\n        return c.json({ error: \"invalid_grant\", error_description: \"The refresh_token is invalid.\" }, 400);\n      }\n\n      const user = as.users.findOneBy(\"email\", stored.email as AppleUser[\"email\"]);\n      if (!user) {\n        return c.json({ error: \"invalid_grant\", error_description: \"User not found.\" }, 400);\n      }\n\n      const accessToken = \"apple_\" + randomBytes(20).toString(\"base64url\");\n      const scopes = stored.scope ? stored.scope.split(/\\s+/).filter(Boolean) : [];\n\n      if (tokenMap) {\n        tokenMap.set(accessToken, { login: user.email, id: user.id, scopes });\n      }\n\n      const idToken = await createIdToken(user, stored.clientId || client_id, stored.nonce, baseUrl);\n\n      debug(\"apple.oauth\", `[Apple refresh] issued new token for ${user.email}`);\n\n      // No new refresh_token for refresh grant\n      return c.json({\n        access_token: accessToken,\n        token_type: \"Bearer\",\n        expires_in: 3600,\n        id_token: idToken,\n      });\n    }\n\n    return c.json({ error: \"unsupported_grant_type\", error_description: \"Only authorization_code and refresh_token are supported.\" }, 400);\n  });\n\n  // ---------- Token revocation ----------\n\n  app.post(\"/auth/revoke\", async (c) => {\n    const rawText = await c.req.text();\n    const params = new URLSearchParams(rawText);\n    const token = params.get(\"token\") ?? \"\";\n\n    if (token && tokenMap) {\n      tokenMap.delete(token);\n    }\n\n    // Also check refresh tokens\n    if (token) {\n      getRefreshTokens(store).delete(token);\n    }\n\n    return c.body(null, 200);\n  });\n}\n","export interface Entity {\n  id: number;\n  created_at: string;\n  updated_at: string;\n}\n\nexport type InsertInput<T extends Entity> = Omit<T, \"id\" | \"created_at\" | \"updated_at\"> & { id?: number };\n\nexport type FilterFn<T> = (item: T) => boolean;\nexport type SortFn<T> = (a: T, b: T) => number;\n\nexport interface QueryOptions<T> {\n  filter?: FilterFn<T>;\n  sort?: SortFn<T>;\n  page?: number;\n  per_page?: number;\n}\n\nexport interface PaginatedResult<T> {\n  items: T[];\n  total_count: number;\n  page: number;\n  per_page: number;\n  has_next: boolean;\n  has_prev: boolean;\n}\n\nexport class Collection<T extends Entity> {\n  private items = new Map<number, T>();\n  private indexes = new Map<string, Map<string | number, Set<number>>>();\n  private autoId = 1;\n  readonly fieldNames: string[];\n\n  constructor(private indexFields: (keyof T)[] = []) {\n    this.fieldNames = indexFields.map(String).sort();\n    for (const field of indexFields) {\n      this.indexes.set(String(field), new Map());\n    }\n  }\n\n  private addToIndex(item: T): void {\n    for (const field of this.indexFields) {\n      const value = item[field];\n      if (value === undefined || value === null) continue;\n      const indexMap = this.indexes.get(String(field))!;\n      const key = String(value);\n      if (!indexMap.has(key)) {\n        indexMap.set(key, new Set());\n      }\n      indexMap.get(key)!.add(item.id);\n    }\n  }\n\n  private removeFromIndex(item: T): void {\n    for (const field of this.indexFields) {\n      const value = item[field];\n      if (value === undefined || value === null) continue;\n      const indexMap = this.indexes.get(String(field))!;\n      const key = String(value);\n      indexMap.get(key)?.delete(item.id);\n    }\n  }\n\n  insert(data: InsertInput<T>): T {\n    const now = new Date().toISOString();\n    const explicitId = data.id != null && data.id > 0 ? data.id : undefined;\n    const id = explicitId ?? this.autoId++;\n    if (id >= this.autoId) {\n      this.autoId = id + 1;\n    }\n    const item = {\n      ...data,\n      id,\n      created_at: now,\n      updated_at: now,\n    } as unknown as T;\n    this.items.set(id, item);\n    this.addToIndex(item);\n    return item;\n  }\n\n  get(id: number): T | undefined {\n    return this.items.get(id);\n  }\n\n  findBy(field: keyof T, value: T[keyof T] | string | number): T[] {\n    if (this.indexes.has(String(field))) {\n      const ids = this.indexes.get(String(field))!.get(String(value));\n      if (!ids) return [];\n      return Array.from(ids).map((id) => this.items.get(id)!).filter(Boolean);\n    }\n    return this.all().filter((item) => item[field] === value);\n  }\n\n  findOneBy(field: keyof T, value: T[keyof T] | string | number): T | undefined {\n    return this.findBy(field, value)[0];\n  }\n\n  update(id: number, data: Partial<T>): T | undefined {\n    const existing = this.items.get(id);\n    if (!existing) return undefined;\n    this.removeFromIndex(existing);\n    const updated = {\n      ...existing,\n      ...data,\n      id,\n      updated_at: new Date().toISOString(),\n    } as T;\n    this.items.set(id, updated);\n    this.addToIndex(updated);\n    return updated;\n  }\n\n  delete(id: number): boolean {\n    const existing = this.items.get(id);\n    if (!existing) return false;\n    this.removeFromIndex(existing);\n    return this.items.delete(id);\n  }\n\n  all(): T[] {\n    return Array.from(this.items.values());\n  }\n\n  query(options: QueryOptions<T> = {}): PaginatedResult<T> {\n    let results = this.all();\n\n    if (options.filter) {\n      results = results.filter(options.filter);\n    }\n\n    const total_count = results.length;\n\n    if (options.sort) {\n      results.sort(options.sort);\n    }\n\n    const page = options.page ?? 1;\n    const per_page = Math.min(options.per_page ?? 30, 100);\n    const start = (page - 1) * per_page;\n    const paged = results.slice(start, start + per_page);\n\n    return {\n      items: paged,\n      total_count,\n      page,\n      per_page,\n      has_next: start + per_page < total_count,\n      has_prev: page > 1,\n    };\n  }\n\n  count(filter?: FilterFn<T>): number {\n    if (!filter) return this.items.size;\n    return this.all().filter(filter).length;\n  }\n\n  clear(): void {\n    this.items.clear();\n    for (const indexMap of this.indexes.values()) {\n      indexMap.clear();\n    }\n    this.autoId = 1;\n  }\n}\n\nexport class Store {\n  private collections = new Map<string, Collection<any>>();\n  private _data = new Map<string, unknown>();\n\n  collection<T extends Entity>(name: string, indexFields: (keyof T)[] = []): Collection<T> {\n    const existing = this.collections.get(name);\n    if (existing) {\n      if (indexFields.length > 0) {\n        const requested = indexFields.map(String).sort();\n        if (existing.fieldNames.length !== requested.length || existing.fieldNames.some((f, i) => f !== requested[i])) {\n          throw new Error(\n            `Collection \"${name}\" already exists with indexes [${existing.fieldNames}] but was requested with [${requested}]`\n          );\n        }\n      }\n      return existing as Collection<T>;\n    }\n    const col = new Collection<T>(indexFields);\n    this.collections.set(name, col);\n    return col;\n  }\n\n  getData<V>(key: string): V | undefined {\n    return this._data.get(key) as V | undefined;\n  }\n\n  setData<V>(key: string, value: V): void {\n    this._data.set(key, value);\n  }\n\n  reset(): void {\n    for (const collection of this.collections.values()) {\n      collection.clear();\n    }\n    this._data.clear();\n  }\n}\n","import { Hono } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport { Store } from \"./store.js\";\nimport { WebhookDispatcher } from \"./webhooks.js\";\nimport { createApiErrorHandler, createErrorHandler } from \"./middleware/error-handler.js\";\nimport { authMiddleware, type AuthFallback, type TokenMap, type AppKeyResolver, type AppEnv } from \"./middleware/auth.js\";\nimport type { ServicePlugin } from \"./plugin.js\";\nimport { registerFontRoutes } from \"./fonts.js\";\n\nexport interface ServerOptions {\n  port?: number;\n  baseUrl?: string;\n  docsUrl?: string;\n  tokens?: Record<string, { login: string; id: number; scopes?: string[] }>;\n  appKeyResolver?: AppKeyResolver;\n  fallbackUser?: AuthFallback;\n}\n\nexport function createServer(plugin: ServicePlugin, options: ServerOptions = {}) {\n  const port = options.port ?? 4000;\n  const baseUrl = options.baseUrl ?? `http://localhost:${port}`;\n\n  const app = new Hono<AppEnv>();\n  const store = new Store();\n  const webhooks = new WebhookDispatcher();\n\n  const tokenMap: TokenMap = new Map();\n  if (options.tokens) {\n    for (const [token, user] of Object.entries(options.tokens)) {\n      tokenMap.set(token, {\n        login: user.login,\n        id: user.id,\n        scopes: user.scopes ?? [\"repo\", \"user\", \"admin:org\", \"admin:repo_hook\"],\n      });\n    }\n  }\n\n  const docsUrl = options.docsUrl ?? `https://emulate.dev/${plugin.name}`;\n\n  registerFontRoutes(app);\n\n  app.onError(createApiErrorHandler(docsUrl));\n  app.use(\"*\", cors());\n  app.use(\"*\", createErrorHandler(docsUrl));\n  app.use(\"*\", authMiddleware(tokenMap, options.appKeyResolver, options.fallbackUser));\n\n  const rateLimitCounters = new Map<string, { remaining: number; resetAt: number }>();\n  let lastPruneAt = Math.floor(Date.now() / 1000);\n\n  app.use(\"*\", async (c, next) => {\n    const token = c.get(\"authToken\") ?? \"__anonymous__\";\n    const now = Math.floor(Date.now() / 1000);\n\n    if (now - lastPruneAt > 3600) {\n      for (const [key, val] of rateLimitCounters) {\n        if (val.resetAt <= now) rateLimitCounters.delete(key);\n      }\n      lastPruneAt = now;\n    }\n\n    let counter = rateLimitCounters.get(token);\n    if (!counter || counter.resetAt <= now) {\n      counter = { remaining: 5000, resetAt: now + 3600 };\n      rateLimitCounters.set(token, counter);\n    }\n\n    counter.remaining = Math.max(0, counter.remaining - 1);\n\n    c.header(\"X-RateLimit-Limit\", \"5000\");\n    c.header(\"X-RateLimit-Remaining\", String(counter.remaining));\n    c.header(\"X-RateLimit-Reset\", String(counter.resetAt));\n    c.header(\"X-RateLimit-Resource\", \"core\");\n\n    if (counter.remaining === 0) {\n      return c.json(\n        {\n          message: \"API rate limit exceeded\",\n          documentation_url: docsUrl,\n        },\n        403\n      );\n    }\n\n    await next();\n  });\n\n  plugin.register(app, store, webhooks, baseUrl, tokenMap);\n\n  app.notFound((c) =>\n    c.json(\n      {\n        message: \"Not Found\",\n        documentation_url: docsUrl,\n      },\n      404\n    )\n  );\n\n  return { app, store, webhooks, port, baseUrl, tokenMap };\n}\n","import { createHmac } from \"crypto\";\n\nexport interface WebhookSubscription {\n  id: number;\n  url: string;\n  events: string[];\n  active: boolean;\n  secret?: string;\n  owner: string;\n  repo?: string;\n}\n\nexport interface WebhookDelivery {\n  id: number;\n  hook_id: number;\n  event: string;\n  action?: string;\n  payload: unknown;\n  status_code: number | null;\n  delivered_at: string;\n  duration: number | null;\n  success: boolean;\n}\n\nconst MAX_DELIVERIES = 1000;\n\nexport class WebhookDispatcher {\n  private subscriptions: WebhookSubscription[] = [];\n  private deliveries: WebhookDelivery[] = [];\n  private subscriptionIdCounter = 1;\n  private deliveryIdCounter = 1;\n\n  register(sub: Omit<WebhookSubscription, \"id\"> & { id?: number }): WebhookSubscription {\n    const { id: explicitId, ...rest } = sub;\n    const id = explicitId !== undefined ? explicitId : this.subscriptionIdCounter++;\n    if (id >= this.subscriptionIdCounter) {\n      this.subscriptionIdCounter = id + 1;\n    }\n    const subscription: WebhookSubscription = { ...rest, id };\n    this.subscriptions.push(subscription);\n    return subscription;\n  }\n\n  unregister(id: number): boolean {\n    const idx = this.subscriptions.findIndex((s) => s.id === id);\n    if (idx === -1) return false;\n    this.subscriptions.splice(idx, 1);\n    return true;\n  }\n\n  getSubscription(id: number): WebhookSubscription | undefined {\n    return this.subscriptions.find((s) => s.id === id);\n  }\n\n  getSubscriptions(owner?: string, repo?: string): WebhookSubscription[] {\n    return this.subscriptions.filter((s) => {\n      if (owner && s.owner !== owner) return false;\n      if (repo !== undefined && s.repo !== repo) return false;\n      return true;\n    });\n  }\n\n  updateSubscription(\n    id: number,\n    data: Partial<Pick<WebhookSubscription, \"url\" | \"events\" | \"active\" | \"secret\">>\n  ): WebhookSubscription | undefined {\n    const sub = this.subscriptions.find((s) => s.id === id);\n    if (!sub) return undefined;\n    Object.assign(sub, data);\n    return sub;\n  }\n\n  async dispatch(event: string, action: string | undefined, payload: unknown, owner: string, repo?: string): Promise<void> {\n    const matchingSubs = this.subscriptions.filter((s) => {\n      if (!s.active) return false;\n      if (s.owner !== owner) return false;\n      if (repo !== undefined) {\n        if (s.repo !== repo) return false;\n      } else if (s.repo !== undefined) {\n        return false;\n      }\n      return (\n        event === \"ping\" ||\n        s.events.includes(\"*\") ||\n        s.events.includes(event)\n      );\n    });\n\n    for (const sub of matchingSubs) {\n      const delivery: WebhookDelivery = {\n        id: this.deliveryIdCounter++,\n        hook_id: sub.id,\n        event,\n        action,\n        payload,\n        status_code: null,\n        delivered_at: new Date().toISOString(),\n        duration: null,\n        success: false,\n      };\n\n      const body = JSON.stringify(payload);\n\n      const signatureHeaders: Record<string, string> = {};\n      if (sub.secret) {\n        const hmac = createHmac(\"sha256\", sub.secret).update(body).digest(\"hex\");\n        signatureHeaders[\"X-Hub-Signature-256\"] = `sha256=${hmac}`;\n      }\n\n      try {\n        const start = Date.now();\n        const response = await fetch(sub.url, {\n          method: \"POST\",\n          headers: {\n            \"Content-Type\": \"application/json\",\n            \"X-GitHub-Event\": event,\n            \"X-GitHub-Delivery\": String(delivery.id),\n            ...signatureHeaders,\n          },\n          body,\n          signal: AbortSignal.timeout(10000),\n        });\n        delivery.duration = Date.now() - start;\n        delivery.status_code = response.status;\n        delivery.success = response.ok;\n      } catch {\n        delivery.duration = 0;\n        delivery.success = false;\n      }\n\n      this.deliveries.push(delivery);\n      if (this.deliveries.length > MAX_DELIVERIES) {\n        this.deliveries.splice(0, this.deliveries.length - MAX_DELIVERIES);\n      }\n    }\n  }\n\n  getDeliveries(hookId?: number): WebhookDelivery[] {\n    if (hookId !== undefined) {\n      return this.deliveries.filter((d) => d.hook_id === hookId);\n    }\n    return [...this.deliveries];\n  }\n\n  clear(): void {\n    this.subscriptions.length = 0;\n    this.deliveries.length = 0;\n    this.subscriptionIdCounter = 1;\n    this.deliveryIdCounter = 1;\n  }\n}\n","import type { Context, ErrorHandler, MiddlewareHandler } from \"hono\";\nimport type { ContentfulStatusCode } from \"hono/utils/http-status\";\n\nconst DEFAULT_DOCS_URL = \"https://emulate.dev\";\n\nfunction getDocsUrl(c: Context): string {\n  return (c.get(\"docsUrl\") as string | undefined) ?? DEFAULT_DOCS_URL;\n}\n\nfunction errorStatus(err: unknown): number {\n  if (err && typeof err === \"object\" && \"status\" in err) {\n    const s = (err as { status: unknown }).status;\n    if (typeof s === \"number\" && Number.isFinite(s)) return s;\n  }\n  return 500;\n}\n\n/**\n * Use with `app.onError(...)`. Hono routes handler throws to the app error handler, not to outer middleware try/catch.\n */\nexport function createApiErrorHandler(documentationUrl?: string): ErrorHandler {\n  return (err, c) => {\n    if (documentationUrl) {\n      c.set(\"docsUrl\", documentationUrl);\n    }\n    const status = errorStatus(err);\n    const message = err instanceof Error ? err.message : \"Internal Server Error\";\n    return c.json(\n      {\n        message,\n        documentation_url: getDocsUrl(c),\n      },\n      status as ContentfulStatusCode\n    );\n  };\n}\n\n/** Sets `docsUrl` on the context for successful responses; register `createApiErrorHandler` for thrown `ApiError`s. */\nexport function createErrorHandler(documentationUrl?: string): MiddlewareHandler {\n  return async (c, next) => {\n    if (documentationUrl) {\n      c.set(\"docsUrl\", documentationUrl);\n    }\n    await next();\n  };\n}\n\nexport const errorHandler: MiddlewareHandler = createErrorHandler();\n\nexport class ApiError extends Error {\n  constructor(\n    public status: number,\n    message: string,\n    public errors?: Array<{ resource: string; field: string; code: string }>\n  ) {\n    super(message);\n    this.name = \"ApiError\";\n  }\n}\n\nexport function notFound(resource?: string): ApiError {\n  return new ApiError(404, resource ? `${resource} not found` : \"Not Found\");\n}\n\nexport function validationError(message: string, errors?: ApiError[\"errors\"]): ApiError {\n  return new ApiError(422, message, errors);\n}\n\nexport function unauthorized(): ApiError {\n  return new ApiError(401, \"Requires authentication\");\n}\n\nexport function forbidden(): ApiError {\n  return new ApiError(403, \"Forbidden\");\n}\n\nexport async function parseJsonBody(c: Context): Promise<Record<string, unknown>> {\n  try {\n    const body = await c.req.json();\n    if (body && typeof body === \"object\" && !Array.isArray(body)) {\n      return body as Record<string, unknown>;\n    }\n    return {};\n  } catch {\n    throw new ApiError(400, \"Problems parsing JSON\");\n  }\n}\n","import type { Context, Next } from \"hono\";\nimport { jwtVerify, importPKCS8 } from \"jose\";\nimport { debug } from \"../debug.js\";\n\nexport interface AuthUser {\n  login: string;\n  id: number;\n  scopes: string[];\n}\n\nexport interface AuthApp {\n  appId: number;\n  slug: string;\n  name: string;\n}\n\nexport interface AuthInstallation {\n  installationId: number;\n  appId: number;\n  permissions: Record<string, string>;\n  repositoryIds: number[];\n  repositorySelection: \"all\" | \"selected\";\n}\n\nexport type TokenMap = Map<string, AuthUser>;\n\nexport type AppEnv = {\n  Variables: {\n    authUser?: AuthUser;\n    authApp?: AuthApp;\n    authToken?: string;\n    authScopes?: string[];\n    docsUrl?: string;\n  };\n};\n\nexport interface AppKeyResolver {\n  (appId: number): { privateKey: string; slug: string; name: string } | null;\n}\n\nexport interface AuthFallback {\n  login: string;\n  id: number;\n  scopes: string[];\n}\n\nexport function authMiddleware(tokens: TokenMap, appKeyResolver?: AppKeyResolver, fallbackUser?: AuthFallback) {\n  return async (c: Context, next: Next) => {\n    const authHeader = c.req.header(\"Authorization\");\n    if (authHeader) {\n      const token = authHeader.replace(/^(Bearer|token)\\s+/i, \"\").trim();\n\n      if (token.startsWith(\"eyJ\") && appKeyResolver) {\n        try {\n          const [, payloadB64] = token.split(\".\");\n          const payload = JSON.parse(\n            Buffer.from(payloadB64, \"base64url\").toString()\n          );\n          const appId = typeof payload.iss === \"string\" ? parseInt(payload.iss, 10) : payload.iss;\n\n          if (typeof appId === \"number\" && !isNaN(appId)) {\n            const appInfo = appKeyResolver(appId);\n            if (appInfo) {\n              const key = await importPKCS8(appInfo.privateKey, \"RS256\");\n              await jwtVerify(token, key, { algorithms: [\"RS256\"] });\n              c.set(\"authApp\", {\n                appId,\n                slug: appInfo.slug,\n                name: appInfo.name,\n              } satisfies AuthApp);\n            }\n          }\n        } catch {\n          // JWT verification failed\n        }\n      } else {\n        let user = tokens.get(token);\n        if (!user && fallbackUser && token.length > 0) {\n          debug(\"auth\", \"fallback user for unknown token\", { login: fallbackUser.login, id: fallbackUser.id });\n          user = { login: fallbackUser.login, id: fallbackUser.id, scopes: fallbackUser.scopes };\n        }\n        if (user) {\n          c.set(\"authUser\", user);\n          c.set(\"authToken\", token);\n          c.set(\"authScopes\", user.scopes);\n        }\n      }\n    }\n    await next();\n  };\n}\n\nexport function requireAuth() {\n  return async (c: Context, next: Next) => {\n    if (!c.get(\"authUser\")) {\n      const docsUrl = (c.get(\"docsUrl\") as string | undefined) ?? \"https://emulate.dev\";\n      return c.json(\n        {\n          message: \"Requires authentication\",\n          documentation_url: docsUrl,\n        },\n        401\n      );\n    }\n    await next();\n  };\n}\n\nexport function requireAppAuth() {\n  return async (c: Context, next: Next) => {\n    if (!c.get(\"authApp\")) {\n      const docsUrl = (c.get(\"docsUrl\") as string | undefined) ?? \"https://emulate.dev\";\n      return c.json(\n        {\n          message: \"A JSON web token could not be decoded\",\n          documentation_url: docsUrl,\n        },\n        401\n      );\n    }\n    await next();\n  };\n}\n","const isDebug = typeof process !== \"undefined\" && (process.env.DEBUG === \"1\" || process.env.DEBUG === \"true\" || process.env.EMULATE_DEBUG === \"1\");\n\nexport function debug(label: string, ...args: unknown[]): void {\n  if (isDebug) {\n    console.log(`[${label}]`, ...args);\n  }\n}\n","import { readFileSync } from \"node:fs\";\nimport { fileURLToPath } from \"node:url\";\nimport { dirname, join } from \"node:path\";\nimport type { Hono } from \"hono\";\nimport type { AppEnv } from \"./middleware/auth.js\";\n\nconst __dirname = dirname(fileURLToPath(import.meta.url));\n\nconst FONTS: Record<string, Buffer> = {\n  \"geist-sans.woff2\": readFileSync(join(__dirname, \"fonts\", \"geist-sans.woff2\")),\n  \"GeistPixel-Square.woff2\": readFileSync(join(__dirname, \"fonts\", \"GeistPixel-Square.woff2\")),\n};\n\nexport function registerFontRoutes(app: Hono<AppEnv>): void {\n  app.get(\"/_emulate/fonts/:name\", (c) => {\n    const name = c.req.param(\"name\");\n    const buf = FONTS[name];\n    if (!buf) return c.notFound();\n    return new Response(buf, {\n      headers: {\n        \"Content-Type\": \"font/woff2\",\n        \"Cache-Control\": \"public, max-age=31536000, immutable\",\n        \"Access-Control-Allow-Origin\": \"*\",\n      },\n    });\n  });\n}\n","import type { Context } from \"hono\";\n\nexport interface PaginationParams {\n  page: number;\n  per_page: number;\n}\n\nexport function parsePagination(c: Context): PaginationParams {\n  const page = Math.max(1, parseInt(c.req.query(\"page\") ?? \"1\", 10) || 1);\n  const per_page = Math.min(100, Math.max(1, parseInt(c.req.query(\"per_page\") ?? \"30\", 10) || 30));\n  return { page, per_page };\n}\n\nexport function setLinkHeader(\n  c: Context,\n  totalCount: number,\n  page: number,\n  perPage: number\n): void {\n  const lastPage = Math.max(1, Math.ceil(totalCount / perPage));\n  const baseUrl = new URL(c.req.url);\n  const links: string[] = [];\n\n  const makeLink = (p: number, rel: string) => {\n    baseUrl.searchParams.set(\"page\", String(p));\n    baseUrl.searchParams.set(\"per_page\", String(perPage));\n    return `<${baseUrl.toString()}>; rel=\"${rel}\"`;\n  };\n\n  if (page < lastPage) {\n    links.push(makeLink(page + 1, \"next\"));\n    links.push(makeLink(lastPage, \"last\"));\n  }\n  if (page > 1) {\n    links.push(makeLink(1, \"first\"));\n    links.push(makeLink(page - 1, \"prev\"));\n  }\n\n  if (links.length > 0) {\n    c.header(\"Link\", links.join(\", \"));\n  }\n}\n","export function escapeHtml(s: string): string {\n  return s\n    .replace(/&/g, \"&amp;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\")\n    .replace(/\"/g, \"&quot;\");\n}\n\nexport function escapeAttr(s: string): string {\n  return escapeHtml(s).replace(/'/g, \"&#39;\");\n}\n\nconst CSS = `\n@font-face{\n  font-family:'Geist';font-style:normal;font-weight:100 900;font-display:swap;\n  src:url('/_emulate/fonts/geist-sans.woff2') format('woff2');\n}\n@font-face{\n  font-family:'Geist Pixel';font-style:normal;font-weight:400;font-display:swap;\n  src:url('/_emulate/fonts/GeistPixel-Square.woff2') format('woff2');\n}\n*{box-sizing:border-box;margin:0;padding:0}\nbody{\n  font-family:'Geist',-apple-system,BlinkMacSystemFont,sans-serif;\n  background:#000;color:#33ff00;min-height:100vh;\n  -webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;\n}\n.emu-bar{\n  border-bottom:1px solid #0a3300;padding:10px 20px;\n  display:flex;align-items:center;gap:10px;font-size:.8125rem;color:#1a8c00;\n}\n.emu-bar-title{font-weight:600;color:#33ff00;font-family:'Geist Pixel',monospace;}\n.emu-bar-links{margin-left:auto;display:flex;gap:16px;}\n.emu-bar-links a{\n  color:#1a8c00;font-size:.75rem;text-decoration:none;transition:color .15s;\n}\n.emu-bar-links a:hover{color:#33ff00;}\n.emu-bar-links a .full{display:inline;}\n.emu-bar-links a .short{display:none;}\n@media(max-width:600px){\n  .emu-bar-links a .full{display:none;}\n  .emu-bar-links a .short{display:inline;}\n}\n\n.content{\n  display:flex;align-items:center;justify-content:center;\n  min-height:calc(100vh - 42px);padding:24px 16px;\n}\n.content-inner{width:100%;max-width:420px;}\n.card-title{\n  font-family:'Geist Pixel',monospace;\n  font-size:1.125rem;font-weight:600;margin-bottom:4px;color:#33ff00;\n}\n.card-subtitle{color:#1a8c00;font-size:.8125rem;margin-bottom:18px;line-height:1.45;}\n.powered-by{\n  position:fixed;bottom:0;left:0;right:0;\n  text-align:center;padding:12px;font-size:.6875rem;color:#0a3300;\n  font-family:'Geist Pixel',monospace;\n}\n.powered-by a{color:#1a8c00;text-decoration:none;transition:color .15s;}\n.powered-by a:hover{color:#33ff00;}\n\n.error-title{\n  font-family:'Geist Pixel',monospace;\n  color:#ff4444;font-size:1.125rem;font-weight:600;margin-bottom:8px;\n}\n.error-msg{color:#1a8c00;font-size:.875rem;line-height:1.5;}\n.error-card{text-align:center;}\n\n.user-form{margin-bottom:8px;}\n.user-form:last-of-type{margin-bottom:0;}\n.user-btn{\n  width:100%;display:flex;align-items:center;gap:12px;\n  padding:10px 12px;border:1px solid #0a3300;border-radius:8px;\n  background:#000;color:inherit;cursor:pointer;text-align:left;\n  font:inherit;transition:border-color .15s;\n}\n.user-btn:hover{border-color:#33ff00;}\n.avatar{\n  width:36px;height:36px;border-radius:50%;\n  background:#0a3300;color:#33ff00;font-weight:600;font-size:.875rem;\n  display:flex;align-items:center;justify-content:center;flex-shrink:0;\n  font-family:'Geist Pixel',monospace;\n}\n.user-text{min-width:0;}\n.user-login{font-weight:600;font-size:.875rem;display:block;color:#33ff00;}\n.user-meta{color:#1a8c00;font-size:.75rem;margin-top:1px;}\n.user-email{font-size:.6875rem;color:#116600;word-break:break-all;margin-top:1px;}\n\n.settings-layout{\n  max-width:920px;margin:0 auto;padding:28px 20px;\n  display:flex;gap:28px;\n}\n.settings-sidebar{width:200px;flex-shrink:0;}\n.settings-sidebar a{\n  display:block;padding:6px 10px;border-radius:6px;color:#1a8c00;\n  text-decoration:none;font-size:.8125rem;transition:color .15s;\n}\n.settings-sidebar a:hover{color:#33ff00;}\n.settings-sidebar a.active{color:#33ff00;font-weight:600;}\n.settings-main{flex:1;min-width:0;}\n\n.s-card{\n  padding:18px 0;margin-bottom:14px;border-bottom:1px solid #0a3300;\n}\n.s-card:last-child{border-bottom:none;}\n.s-card-header{display:flex;align-items:center;gap:14px;margin-bottom:14px;}\n.s-icon{\n  width:42px;height:42px;border-radius:8px;\n  background:#0a3300;display:flex;align-items:center;justify-content:center;\n  font-size:1.125rem;font-weight:700;color:#116600;flex-shrink:0;\n  font-family:'Geist Pixel',monospace;\n}\n.s-title{\n  font-family:'Geist Pixel',monospace;\n  font-size:1.25rem;font-weight:600;color:#33ff00;\n}\n.s-subtitle{font-size:.75rem;color:#1a8c00;margin-top:2px;}\n.section-heading{\n  font-size:.9375rem;font-weight:600;margin-bottom:10px;color:#33ff00;\n  display:flex;align-items:center;justify-content:space-between;\n}\n.perm-list{list-style:none;}\n.perm-list li{padding:5px 0;font-size:.8125rem;display:flex;align-items:center;gap:6px;color:#1a8c00;}\n.check{color:#33ff00;}\n.org-row{\n  display:flex;align-items:center;gap:8px;padding:7px 0;\n  border-bottom:1px solid #0a3300;font-size:.8125rem;\n}\n.org-row:last-child{border-bottom:none;}\n.org-icon{\n  width:22px;height:22px;border-radius:4px;background:#0a3300;\n  display:flex;align-items:center;justify-content:center;\n  font-size:.625rem;font-weight:700;color:#116600;flex-shrink:0;\n  font-family:'Geist Pixel',monospace;\n}\n.org-name{font-weight:600;color:#33ff00;}\n.badge{font-size:.6875rem;padding:1px 7px;border-radius:999px;font-weight:500;}\n.badge-granted{background:#0a3300;color:#33ff00;}\n.badge-denied{background:#1a0a0a;color:#ff4444;}\n.badge-requested{background:#0a3300;color:#1a8c00;}\n.btn-revoke{\n  display:inline-block;padding:5px 14px;border-radius:6px;\n  border:1px solid #0a3300;background:transparent;color:#ff4444;\n  font-size:.75rem;font-weight:600;cursor:pointer;transition:border-color .15s;\n}\n.btn-revoke:hover{border-color:#ff4444;}\n.info-text{color:#1a8c00;font-size:.75rem;line-height:1.5;margin-top:10px;}\n.app-link{\n  display:flex;align-items:center;gap:12px;padding:12px;\n  border:1px solid #0a3300;border-radius:8px;background:#000;\n  text-decoration:none;color:inherit;margin-bottom:8px;transition:border-color .15s;\n}\n.app-link:hover{border-color:#33ff00;}\n.app-link-name{font-weight:600;font-size:.875rem;color:#33ff00;}\n.app-link-scopes{font-size:.6875rem;color:#1a8c00;margin-top:1px;}\n.empty{color:#1a8c00;text-align:center;padding:28px 0;font-size:.875rem;}\n`;\n\nconst POWERED_BY = `<div class=\"powered-by\">Powered by <a href=\"https://emulate.dev\" target=\"_blank\" rel=\"noopener\">emulate</a></div>`;\n\nfunction emuBar(service?: string): string {\n  const title = service ? `${escapeHtml(service)} Emulator` : \"Emulator\";\n  return `<div class=\"emu-bar\">\n  <span class=\"emu-bar-title\">${title}</span>\n  <nav class=\"emu-bar-links\">\n    <a href=\"https://github.com/vercel-labs/emulate/issues\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Report Issue</span><span class=\"short\">Report</span></a>\n    <a href=\"https://github.com/vercel-labs/emulate\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Source Code</span><span class=\"short\">Source</span></a>\n    <a href=\"https://emulate.dev\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Learn More</span><span class=\"short\">Learn</span></a>\n  </nav>\n</div>`;\n}\n\nfunction head(title: string): string {\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\"/>\n<meta name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n<title>${escapeHtml(title)} | emulate</title>\n<style>${CSS}</style>\n</head>`;\n}\n\nexport function renderCardPage(\n  title: string,\n  subtitle: string,\n  body: string,\n  service?: string\n): string {\n  return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"content\">\n  <div class=\"content-inner\">\n    <div class=\"card-title\">${escapeHtml(title)}</div>\n    <div class=\"card-subtitle\">${subtitle}</div>\n    ${body}\n  </div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport function renderErrorPage(title: string, message: string, service?: string): string {\n  return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"content\">\n  <div class=\"content-inner error-card\">\n    <div class=\"error-title\">${escapeHtml(title)}</div>\n    <div class=\"error-msg\">${escapeHtml(message)}</div>\n  </div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport function renderSettingsPage(\n  title: string,\n  sidebarHtml: string,\n  bodyHtml: string,\n  service?: string\n): string {\n  return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"settings-layout\">\n  <nav class=\"settings-sidebar\">${sidebarHtml}</nav>\n  <div class=\"settings-main\">${bodyHtml}</div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport interface UserButtonOptions {\n  letter: string;\n  login: string;\n  name?: string;\n  email?: string;\n  formAction: string;\n  hiddenFields: Record<string, string>;\n}\n\nexport function renderUserButton(opts: UserButtonOptions): string {\n  const hiddens = Object.entries(opts.hiddenFields)\n    .map(([k, v]) => `<input type=\"hidden\" name=\"${escapeAttr(k)}\" value=\"${escapeAttr(v)}\"/>`)\n    .join(\"\");\n\n  const nameLine = opts.name\n    ? `<div class=\"user-meta\">${escapeHtml(opts.name)}</div>`\n    : \"\";\n  const emailLine = opts.email\n    ? `<div class=\"user-email\">${escapeHtml(opts.email)}</div>`\n    : \"\";\n\n  return `<form class=\"user-form\" method=\"post\" action=\"${escapeAttr(opts.formAction)}\">\n${hiddens}\n<button type=\"submit\" class=\"user-btn\">\n  <span class=\"avatar\">${escapeHtml(opts.letter)}</span>\n  <span class=\"user-text\">\n    <span class=\"user-login\">${escapeHtml(opts.login)}</span>\n    ${nameLine}${emailLine}\n  </span>\n</button>\n</form>`;\n}\n","import { timingSafeEqual } from \"crypto\";\n\nexport function normalizeUri(uri: string): string {\n  try {\n    const u = new URL(uri);\n    return `${u.origin}${u.pathname.replace(/\\/+$/, \"\")}`;\n  } catch {\n    return uri.replace(/\\/+$/, \"\").split(\"?\")[0];\n  }\n}\n\nexport function matchesRedirectUri(incoming: string, registered: string[]): boolean {\n  const normalized = normalizeUri(incoming);\n  return registered.some((r) => normalizeUri(r) === normalized);\n}\n\nexport function constantTimeSecretEqual(a: string, b: string): boolean {\n  const bufA = Buffer.from(a, \"utf-8\");\n  const bufB = Buffer.from(b, \"utf-8\");\n  if (bufA.length !== bufB.length) return false;\n  return timingSafeEqual(bufA, bufB);\n}\n\nexport function bodyStr(v: unknown): string {\n  if (typeof v === \"string\") return v;\n  if (Array.isArray(v) && typeof v[0] === \"string\") return v[0];\n  return \"\";\n}\n\nexport function parseCookies(header: string): Record<string, string> {\n  const cookies: Record<string, string> = {};\n  for (const part of header.split(\";\")) {\n    const [k, ...v] = part.split(\"=\");\n    if (k) cookies[k.trim()] = v.join(\"=\").trim();\n  }\n  return cookies;\n}\n","import type { Hono } from \"hono\";\nimport type { ServicePlugin, Store, WebhookDispatcher, TokenMap, AppEnv, RouteContext } from \"@emulators/core\";\nimport { getAppleStore } from \"./store.js\";\nimport { generateAppleUid, generatePrivateRelayEmail } from \"./helpers.js\";\nimport { oauthRoutes } from \"./routes/oauth.js\";\n\nexport { getAppleStore, type AppleStore } from \"./store.js\";\nexport * from \"./entities.js\";\n\nexport interface AppleSeedConfig {\n  users?: Array<{\n    email: string;\n    name?: string;\n    given_name?: string;\n    family_name?: string;\n    is_private_email?: boolean;\n  }>;\n  oauth_clients?: Array<{\n    client_id: string;\n    team_id: string;\n    key_id?: string;\n    name: string;\n    redirect_uris: string[];\n  }>;\n}\n\nfunction seedDefaults(store: Store, _baseUrl: string): void {\n  const as = getAppleStore(store);\n\n  as.users.insert({\n    uid: generateAppleUid(),\n    email: \"testuser@icloud.com\",\n    name: \"Test User\",\n    given_name: \"Test\",\n    family_name: \"User\",\n    email_verified: true,\n    is_private_email: false,\n    private_relay_email: null,\n    real_user_status: 2,\n  });\n}\n\nexport function seedFromConfig(store: Store, _baseUrl: string, config: AppleSeedConfig): void {\n  const as = getAppleStore(store);\n\n  if (config.users) {\n    for (const u of config.users) {\n      const existing = as.users.findOneBy(\"email\", u.email);\n      if (existing) continue;\n\n      const nameParts = (u.name ?? \"\").split(/\\s+/);\n      const isPrivate = u.is_private_email ?? false;\n\n      as.users.insert({\n        uid: generateAppleUid(),\n        email: u.email,\n        name: u.name ?? u.email.split(\"@\")[0],\n        given_name: u.given_name ?? nameParts[0] ?? \"\",\n        family_name: u.family_name ?? nameParts.slice(1).join(\" \") ?? \"\",\n        email_verified: true,\n        is_private_email: isPrivate,\n        private_relay_email: isPrivate ? generatePrivateRelayEmail() : null,\n        real_user_status: 2,\n      });\n    }\n  }\n\n  if (config.oauth_clients) {\n    for (const client of config.oauth_clients) {\n      const existing = as.oauthClients.findOneBy(\"client_id\", client.client_id);\n      if (existing) continue;\n      as.oauthClients.insert({\n        client_id: client.client_id,\n        team_id: client.team_id,\n        key_id: client.key_id ?? \"TESTKEY001\",\n        name: client.name,\n        redirect_uris: client.redirect_uris,\n      });\n    }\n  }\n}\n\nexport const applePlugin: ServicePlugin = {\n  name: \"apple\",\n  register(app: Hono<AppEnv>, store: Store, webhooks: WebhookDispatcher, baseUrl: string, tokenMap?: TokenMap): void {\n    const ctx: RouteContext = { app, store, webhooks, baseUrl, tokenMap };\n    oauthRoutes(ctx);\n  },\n  seed(store: Store, baseUrl: string): void {\n    seedDefaults(store, baseUrl);\n  },\n};\n\nexport default applePlugin;\n"],"mappings":";AAQO,SAAS,cAAc,OAA0B;AACtD,SAAO;AAAA,IACL,OAAO,MAAM,WAAsB,eAAe,CAAC,OAAO,OAAO,CAAC;AAAA,IAClE,cAAc,MAAM,WAA6B,uBAAuB,CAAC,WAAW,CAAC;AAAA,EACvF;AACF;;;ACbA,SAAS,mBAAmB;AAKrB,SAAS,mBAA2B;AACzC,QAAM,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK,EAAE,YAAY;AAC1D,QAAM,SAAS,YAAY,EAAE,EAAE,SAAS,KAAK;AAC7C,QAAM,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK,EAAE,YAAY;AAC1D,SAAO,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM;AACtC;AAKO,SAAS,4BAAoC;AAClD,QAAM,KAAK,YAAY,EAAE,EAAE,SAAS,KAAK;AACzC,SAAO,GAAG,EAAE;AACd;;;AClBA,SAAS,eAAAA,oBAAmB;AAC5B,SAAS,SAAS,WAAW,uBAAuB;;;AEDpD,SAAS,YAAY;AACrB,SAAS,YAAY;AGArB,SAAS,WAAW,mBAAmB;AEDvC,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB;AAC9B,SAAS,SAAS,YAAY;AHoCvB,SAAS,mBAAmB,kBAA8C;AAC/E,SAAO,OAAO,GAAG,SAAS;AACxB,QAAI,kBAAkB;AACpB,QAAE,IAAI,WAAW,gBAAgB;IACnC;AACA,UAAM,KAAK;EACb;AACF;AAEO,IAAM,eAAkC,mBAAmB;AE/ClE,IAAM,UAAU,OAAO,YAAY,gBAAgB,QAAQ,IAAI,UAAU,OAAO,QAAQ,IAAI,UAAU,UAAU,QAAQ,IAAI,kBAAkB;AAEvI,SAAS,MAAM,UAAkB,MAAuB;AAC7D,MAAI,SAAS;AACX,YAAQ,IAAI,IAAI,KAAK,KAAK,GAAG,IAAI;EACnC;AACF;ACAA,IAAM,YAAY,QAAQ,cAAc,YAAY,GAAG,CAAC;AAExD,IAAM,QAAgC;EACpC,oBAAoB,aAAa,KAAK,WAAW,SAAS,kBAAkB,CAAC;EAC7E,2BAA2B,aAAa,KAAK,WAAW,SAAS,yBAAyB,CAAC;AAC7F;AEXO,SAAS,WAAW,GAAmB;AAC5C,SAAO,EACJ,QAAQ,MAAM,OAAO,EACrB,QAAQ,MAAM,MAAM,EACpB,QAAQ,MAAM,MAAM,EACpB,QAAQ,MAAM,QAAQ;AAC3B;AAEO,SAAS,WAAW,GAAmB;AAC5C,SAAO,WAAW,CAAC,EAAE,QAAQ,MAAM,OAAO;AAC5C;AAEA,IAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmJZ,IAAM,aAAa;AAEnB,SAAS,OAAO,SAA0B;AACxC,QAAM,QAAQ,UAAU,GAAG,WAAW,OAAO,CAAC,cAAc;AAC5D,SAAO;gCACuB,KAAK;;;;;;;AAOrC;AAEA,SAAS,KAAK,OAAuB;AACnC,SAAO;;;;;SAKA,WAAW,KAAK,CAAC;SACjB,GAAG;;AAEZ;AAEO,SAAS,eACd,OACA,UACA,MACA,SACQ;AACR,SAAO,GAAG,KAAK,KAAK,CAAC;;EAErB,OAAO,OAAO,CAAC;;;8BAGa,WAAW,KAAK,CAAC;iCACd,QAAQ;MACnC,IAAI;;;EAGR,UAAU;;AAEZ;AAEO,SAAS,gBAAgB,OAAe,SAAiB,SAA0B;AACxF,SAAO,GAAG,KAAK,KAAK,CAAC;;EAErB,OAAO,OAAO,CAAC;;;+BAGc,WAAW,KAAK,CAAC;6BACnB,WAAW,OAAO,CAAC;;;EAG9C,UAAU;;AAEZ;AA4BO,SAAS,iBAAiB,MAAiC;AAChE,QAAM,UAAU,OAAO,QAAQ,KAAK,YAAY,EAC7C,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,8BAA8B,WAAW,CAAC,CAAC,YAAY,WAAW,CAAC,CAAC,KAAK,EACzF,KAAK,EAAE;AAEV,QAAM,WAAW,KAAK,OAClB,0BAA0B,WAAW,KAAK,IAAI,CAAC,WAC/C;AACJ,QAAM,YAAY,KAAK,QACnB,2BAA2B,WAAW,KAAK,KAAK,CAAC,WACjD;AAEJ,SAAO,iDAAiD,WAAW,KAAK,UAAU,CAAC;EACnF,OAAO;;yBAEgB,WAAW,KAAK,MAAM,CAAC;;+BAEjB,WAAW,KAAK,KAAK,CAAC;MAC/C,QAAQ,GAAG,SAAS;;;;AAI1B;ACxQO,SAAS,aAAa,KAAqB;AAChD,MAAI;AACF,UAAM,IAAI,IAAI,IAAI,GAAG;AACrB,WAAO,GAAG,EAAE,MAAM,GAAG,EAAE,SAAS,QAAQ,QAAQ,EAAE,CAAC;EACrD,QAAQ;AACN,WAAO,IAAI,QAAQ,QAAQ,EAAE,EAAE,MAAM,GAAG,EAAE,CAAC;EAC7C;AACF;AAEO,SAAS,mBAAmB,UAAkB,YAA+B;AAClF,QAAM,aAAa,aAAa,QAAQ;AACxC,SAAO,WAAW,KAAK,CAAC,MAAM,aAAa,CAAC,MAAM,UAAU;AAC9D;AASO,SAAS,QAAQ,GAAoB;AAC1C,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,MAAI,MAAM,QAAQ,CAAC,KAAK,OAAO,EAAE,CAAC,MAAM,SAAU,QAAO,EAAE,CAAC;AAC5D,SAAO;AACT;;;AVTA,IAAM,iBAAiB,gBAAgB,OAAO;AAC9C,IAAM,MAAM;AAmBZ,IAAM,sBAAsB,IAAI,KAAK;AAErC,SAAS,gBAAgB,OAAwC;AAC/D,MAAI,MAAM,MAAM,QAAkC,0BAA0B;AAC5E,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,UAAM,QAAQ,4BAA4B,GAAG;AAAA,EAC/C;AACA,SAAO;AACT;AAEA,SAAS,iBAAiB,OAA+C;AACvE,MAAI,MAAM,MAAM,QAAyC,2BAA2B;AACpF,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,UAAM,QAAQ,6BAA6B,GAAG;AAAA,EAChD;AACA,SAAO;AACT;AAEA,SAAS,oBAAoB,OAA2B;AACtD,MAAI,MAAM,MAAM,QAAqB,8BAA8B;AACnE,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,UAAM,QAAQ,gCAAgC,GAAG;AAAA,EACnD;AACA,SAAO;AACT;AAEA,SAAS,qBAAqB,GAAyB;AACrD,SAAO,KAAK,IAAI,IAAI,EAAE,aAAa;AACrC;AAEA,IAAM,gBAAgB;AAEtB,eAAe,cACb,MACA,UACA,OACA,SACiB;AACjB,QAAM,EAAE,WAAW,IAAI,MAAM;AAE7B,QAAM,QAAQ,KAAK,oBAAoB,KAAK,sBACxC,KAAK,sBACL,KAAK;AAET,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAExC,QAAM,UAAU,IAAI,QAAQ;AAAA,IAC1B,KAAK,KAAK;AAAA,IACV;AAAA,IACA,gBAAgB,OAAO,KAAK,cAAc;AAAA,IAC1C,kBAAkB,OAAO,KAAK,gBAAgB;AAAA,IAC9C,kBAAkB,KAAK;AAAA,IACvB,iBAAiB;AAAA,IACjB,WAAW;AAAA,IACX,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,EAC3B,CAAC,EACE,mBAAmB,EAAE,KAAK,SAAS,KAAK,KAAK,KAAK,MAAM,CAAC,EACzD,UAAU,OAAO,EACjB,YAAY,QAAQ,EACpB,YAAY,GAAG,EACf,kBAAkB,IAAI;AAEzB,SAAO,QAAQ,KAAK,UAAU;AAChC;AAEO,SAAS,YAAY,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AACjF,QAAM,KAAK,cAAc,KAAK;AAI9B,MAAI,IAAI,qCAAqC,CAAC,MAAM;AAClD,WAAO,EAAE,KAAK;AAAA,MACZ,QAAQ;AAAA,MACR,wBAAwB,GAAG,OAAO;AAAA,MAClC,gBAAgB,GAAG,OAAO;AAAA,MAC1B,qBAAqB,GAAG,OAAO;AAAA,MAC/B,UAAU,GAAG,OAAO;AAAA,MACpB,0BAA0B,CAAC,MAAM;AAAA,MACjC,0BAA0B,CAAC,SAAS,YAAY,WAAW;AAAA,MAC3D,yBAAyB,CAAC,UAAU;AAAA,MACpC,uCAAuC,CAAC,OAAO;AAAA,MAC/C,kBAAkB,CAAC,UAAU,SAAS,MAAM;AAAA,MAC5C,uCAAuC,CAAC,oBAAoB;AAAA,MAC5D,kBAAkB;AAAA,QAChB;AAAA,QAAO;AAAA,QAAS;AAAA,QAAkB;AAAA,QAAO;AAAA,QACzC;AAAA,QAAoB;AAAA,QAAO;AAAA,QAAS;AAAA,QACpC;AAAA,QAAoB;AAAA,QAAO;AAAA,MAC7B;AAAA,IACF,CAAC;AAAA,EACH,CAAC;AAID,MAAI,IAAI,cAAc,OAAO,MAAM;AACjC,UAAM,EAAE,UAAU,IAAI,MAAM;AAC5B,UAAM,MAAM,MAAM,UAAU,SAAS;AACrC,WAAO,EAAE,KAAK;AAAA,MACZ,MAAM,CAAC;AAAA,QACL,GAAG;AAAA,QACH,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AAAA,MACP,CAAC;AAAA,IACH,CAAC;AAAA,EACH,CAAC;AAID,MAAI,IAAI,mBAAmB,CAAC,MAAM;AAChC,UAAM,YAAY,EAAE,IAAI,MAAM,WAAW,KAAK;AAC9C,UAAM,eAAe,EAAE,IAAI,MAAM,cAAc,KAAK;AACpD,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,gBAAgB,EAAE,IAAI,MAAM,eAAe,KAAK;AAEtD,UAAM,oBAAoB,GAAG,aAAa,IAAI,EAAE,SAAS;AACzD,QAAI,aAAa;AACjB,QAAI,mBAAmB;AACrB,YAAM,SAAS,GAAG,aAAa,UAAU,aAAa,SAAS;AAC/D,UAAI,CAAC,QAAQ;AACX,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,kBAAkB,SAAS,wBAAwB,aAAa;AAAA,UACzG;AAAA,QACF;AAAA,MACF;AACA,UAAI,gBAAgB,CAAC,mBAAmB,cAAc,OAAO,aAAa,GAAG;AAC3E,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,4DAA4D,aAAa;AAAA,UAClH;AAAA,QACF;AAAA,MACF;AACA,mBAAa,OAAO;AAAA,IACtB;AAEA,UAAM,eAAe,aACjB,sBAAsB,WAAW,UAAU,CAAC,kCAC5C;AAEJ,UAAM,QAAQ,GAAG,MAAM,IAAI;AAC3B,UAAM,cAAc,MACjB,IAAI,CAAC,SAAS;AACb,aAAO,iBAAiB;AAAA,QACtB,SAAS,KAAK,MAAM,CAAC,KAAK,KAAK,YAAY;AAAA,QAC3C,OAAO,KAAK;AAAA,QACZ,MAAM,KAAK;AAAA,QACX,OAAO,KAAK;AAAA,QACZ,YAAY;AAAA,QACZ,cAAc;AAAA,UACZ,OAAO,KAAK;AAAA,UACZ;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH,CAAC,EACA,KAAK,IAAI;AAEZ,UAAM,OAAO,MAAM,WAAW,IAC1B,yDACA;AAEJ,WAAO,EAAE,KAAK,eAAe,sBAAsB,cAAc,MAAM,aAAa,CAAC;AAAA,EACvF,CAAC;AAID,MAAI,KAAK,4BAA4B,OAAO,MAAM;AAChD,UAAM,OAAO,MAAM,EAAE,IAAI,UAAU;AACnC,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,eAAe,QAAQ,KAAK,YAAY;AAC9C,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,YAAY,QAAQ,KAAK,SAAS;AACxC,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,gBAAgB,QAAQ,KAAK,aAAa,KAAK;AAErD,UAAM,OAAOC,aAAY,EAAE,EAAE,SAAS,KAAK;AAE3C,oBAAgB,KAAK,EAAE,IAAI,MAAM;AAAA,MAC/B;AAAA,MACA;AAAA,MACA,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,SAAS;AAAA,MAChB,cAAc;AAAA,MACd,YAAY,KAAK,IAAI;AAAA,IACvB,CAAC;AAED,UAAM,eAAe,yBAAyB,KAAK,MAAM,GAAG,CAAC,CAAC,aAAa,KAAK,EAAE;AAGlF,UAAM,UAAU,oBAAoB,KAAK;AACzC,UAAM,UAAU,GAAG,KAAK,IAAI,SAAS;AACrC,UAAM,cAAc,CAAC,QAAQ,IAAI,OAAO;AACxC,QAAI,aAAa;AACf,cAAQ,IAAI,OAAO;AAAA,IACrB;AAGA,QAAI;AACJ,QAAI,aAAa;AACf,YAAM,OAAO,GAAG,MAAM,UAAU,SAAS,KAA2B;AACpE,UAAI,MAAM;AACR,mBAAW,KAAK,UAAU;AAAA,UACxB,MAAM,EAAE,WAAW,KAAK,YAAY,UAAU,KAAK,YAAY;AAAA,UAC/D,OAAO,KAAK;AAAA,QACd,CAAC;AAAA,MACH;AAAA,IACF;AAEA,QAAI,kBAAkB,aAAa;AAEjC,YAAM,OAAO;AAAA;AAAA;AAAA;AAAA,8BAIW,WAAW,YAAY,CAAC;AAAA,0CACZ,WAAW,IAAI,CAAC;AAAA,2CACf,WAAW,KAAK,CAAC,OAAO,WAAW;AAAA,0CAA6C,WAAW,QAAQ,CAAC,SAAS,EAAE;AAAA;AAAA;AAAA;AAIpJ,aAAO,EAAE,KAAK,IAAI;AAAA,IACpB;AAGA,UAAM,MAAM,IAAI,IAAI,YAAY;AAChC,QAAI,aAAa,IAAI,QAAQ,IAAI;AACjC,QAAI,MAAO,KAAI,aAAa,IAAI,SAAS,KAAK;AAC9C,QAAI,SAAU,KAAI,aAAa,IAAI,QAAQ,QAAQ;AAEnD,WAAO,EAAE,SAAS,IAAI,SAAS,GAAG,GAAG;AAAA,EACvC,CAAC;AAID,MAAI,KAAK,eAAe,OAAO,MAAM;AACnC,UAAM,UAAU,MAAM,EAAE,IAAI,KAAK;AACjC,UAAM,OAAO,OAAO,YAAY,IAAI,gBAAgB,OAAO,CAAC;AAE5D,UAAM,aAAa,KAAK,cAAc;AACtC,UAAM,OAAO,KAAK,QAAQ;AAC1B,UAAM,YAAY,KAAK,aAAa;AACpC,UAAM,gBAAgB,KAAK,iBAAiB;AAE5C,QAAI,eAAe,sBAAsB;AACvC,YAAM,aAAa,gBAAgB,KAAK;AACxC,YAAM,UAAU,WAAW,IAAI,IAAI;AACnC,UAAI,CAAC,SAAS;AACZ,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,oCAAoC,GAAG,GAAG;AAAA,MACvG;AACA,UAAI,qBAAqB,OAAO,GAAG;AACjC,mBAAW,OAAO,IAAI;AACtB,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,oCAAoC,GAAG,GAAG;AAAA,MACvG;AAGA,iBAAW,OAAO,IAAI;AAEtB,YAAM,OAAO,GAAG,MAAM,UAAU,SAAS,QAAQ,KAA2B;AAC5E,UAAI,CAAC,MAAM;AACT,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,kBAAkB,GAAG,GAAG;AAAA,MACrF;AAEA,YAAM,cAAc,WAAWA,aAAY,EAAE,EAAE,SAAS,WAAW;AACnE,YAAM,eAAe,aAAaA,aAAY,EAAE,EAAE,SAAS,WAAW;AACtE,YAAM,SAAS,QAAQ,QAAQ,QAAQ,MAAM,MAAM,KAAK,EAAE,OAAO,OAAO,IAAI,CAAC;AAE7E,UAAI,UAAU;AACZ,iBAAS,IAAI,aAAa,EAAE,OAAO,KAAK,OAAO,IAAI,KAAK,IAAI,OAAO,CAAC;AAAA,MACtE;AAGA,uBAAiB,KAAK,EAAE,IAAI,cAAc;AAAA,QACxC,OAAO,KAAK;AAAA,QACZ,UAAU,QAAQ;AAAA,QAClB,OAAO,QAAQ;AAAA,QACf,OAAO,QAAQ;AAAA,MACjB,CAAC;AAED,YAAM,UAAU,MAAM,cAAc,MAAM,QAAQ,UAAU,QAAQ,OAAO,OAAO;AAElF,YAAM,eAAe,kCAAkC,KAAK,KAAK,EAAE;AAEnE,aAAO,EAAE,KAAK;AAAA,QACZ,cAAc;AAAA,QACd,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,eAAe;AAAA,QACf,UAAU;AAAA,MACZ,CAAC;AAAA,IACH;AAEA,QAAI,eAAe,iBAAiB;AAClC,YAAM,aAAa,iBAAiB,KAAK;AACzC,YAAM,SAAS,WAAW,IAAI,aAAa;AAC3C,UAAI,CAAC,QAAQ;AACX,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,gCAAgC,GAAG,GAAG;AAAA,MACnG;AAEA,YAAM,OAAO,GAAG,MAAM,UAAU,SAAS,OAAO,KAA2B;AAC3E,UAAI,CAAC,MAAM;AACT,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,kBAAkB,GAAG,GAAG;AAAA,MACrF;AAEA,YAAM,cAAc,WAAWA,aAAY,EAAE,EAAE,SAAS,WAAW;AACnE,YAAM,SAAS,OAAO,QAAQ,OAAO,MAAM,MAAM,KAAK,EAAE,OAAO,OAAO,IAAI,CAAC;AAE3E,UAAI,UAAU;AACZ,iBAAS,IAAI,aAAa,EAAE,OAAO,KAAK,OAAO,IAAI,KAAK,IAAI,OAAO,CAAC;AAAA,MACtE;AAEA,YAAM,UAAU,MAAM,cAAc,MAAM,OAAO,YAAY,WAAW,OAAO,OAAO,OAAO;AAE7F,YAAM,eAAe,wCAAwC,KAAK,KAAK,EAAE;AAGzE,aAAO,EAAE,KAAK;AAAA,QACZ,cAAc;AAAA,QACd,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,UAAU;AAAA,MACZ,CAAC;AAAA,IACH;AAEA,WAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,mBAAmB,2DAA2D,GAAG,GAAG;AAAA,EACvI,CAAC;AAID,MAAI,KAAK,gBAAgB,OAAO,MAAM;AACpC,UAAM,UAAU,MAAM,EAAE,IAAI,KAAK;AACjC,UAAM,SAAS,IAAI,gBAAgB,OAAO;AAC1C,UAAM,QAAQ,OAAO,IAAI,OAAO,KAAK;AAErC,QAAI,SAAS,UAAU;AACrB,eAAS,OAAO,KAAK;AAAA,IACvB;AAGA,QAAI,OAAO;AACT,uBAAiB,KAAK,EAAE,OAAO,KAAK;AAAA,IACtC;AAEA,WAAO,EAAE,KAAK,MAAM,GAAG;AAAA,EACzB,CAAC;AACH;;;AW7WA,SAAS,aAAa,OAAc,UAAwB;AAC1D,QAAM,KAAK,cAAc,KAAK;AAE9B,KAAG,MAAM,OAAO;AAAA,IACd,KAAK,iBAAiB;AAAA,IACtB,OAAO;AAAA,IACP,MAAM;AAAA,IACN,YAAY;AAAA,IACZ,aAAa;AAAA,IACb,gBAAgB;AAAA,IAChB,kBAAkB;AAAA,IAClB,qBAAqB;AAAA,IACrB,kBAAkB;AAAA,EACpB,CAAC;AACH;AAEO,SAAS,eAAe,OAAc,UAAkB,QAA+B;AAC5F,QAAM,KAAK,cAAc,KAAK;AAE9B,MAAI,OAAO,OAAO;AAChB,eAAW,KAAK,OAAO,OAAO;AAC5B,YAAM,WAAW,GAAG,MAAM,UAAU,SAAS,EAAE,KAAK;AACpD,UAAI,SAAU;AAEd,YAAM,aAAa,EAAE,QAAQ,IAAI,MAAM,KAAK;AAC5C,YAAM,YAAY,EAAE,oBAAoB;AAExC,SAAG,MAAM,OAAO;AAAA,QACd,KAAK,iBAAiB;AAAA,QACtB,OAAO,EAAE;AAAA,QACT,MAAM,EAAE,QAAQ,EAAE,MAAM,MAAM,GAAG,EAAE,CAAC;AAAA,QACpC,YAAY,EAAE,cAAc,UAAU,CAAC,KAAK;AAAA,QAC5C,aAAa,EAAE,eAAe,UAAU,MAAM,CAAC,EAAE,KAAK,GAAG,KAAK;AAAA,QAC9D,gBAAgB;AAAA,QAChB,kBAAkB;AAAA,QAClB,qBAAqB,YAAY,0BAA0B,IAAI;AAAA,QAC/D,kBAAkB;AAAA,MACpB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,eAAe;AACxB,eAAW,UAAU,OAAO,eAAe;AACzC,YAAM,WAAW,GAAG,aAAa,UAAU,aAAa,OAAO,SAAS;AACxE,UAAI,SAAU;AACd,SAAG,aAAa,OAAO;AAAA,QACrB,WAAW,OAAO;AAAA,QAClB,SAAS,OAAO;AAAA,QAChB,QAAQ,OAAO,UAAU;AAAA,QACzB,MAAM,OAAO;AAAA,QACb,eAAe,OAAO;AAAA,MACxB,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAEO,IAAM,cAA6B;AAAA,EACxC,MAAM;AAAA,EACN,SAAS,KAAmB,OAAc,UAA6B,SAAiB,UAA2B;AACjH,UAAM,MAAoB,EAAE,KAAK,OAAO,UAAU,SAAS,SAAS;AACpE,gBAAY,GAAG;AAAA,EACjB;AAAA,EACA,KAAK,OAAc,SAAuB;AACxC,iBAAa,OAAO,OAAO;AAAA,EAC7B;AACF;AAEA,IAAO,gBAAQ;","names":["randomBytes","randomBytes"]}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@emulators/apple",
+  "version": "0.3.0",
+  "license": "Apache-2.0",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "homepage": "https://emulate.dev",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/vercel-labs/emulate.git",
+    "directory": "packages/@emulators/apple"
+  },
+  "bugs": {
+    "url": "https://github.com/vercel-labs/emulate/issues"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "hono": "^4",
+    "jose": "^6",
+    "@emulators/core": "0.3.0"
+  },
+  "devDependencies": {
+    "tsup": "^8",
+    "typescript": "^5.7",
+    "vitest": "^4.1.0"
+  },
+  "scripts": {
+    "build": "tsup --clean",
+    "dev": "tsup --watch",
+    "test": "vitest run",
+    "clean": "rm -rf dist .turbo"
+  }
+}