@emulators/microsoft 0.3.0

package/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by the Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding any notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. Please also get an informed
+      understanding of your current status in the "Work made for hire"
+      or other employer IP clauses in your jurisdiction and contracts
+      before applying.
+
+   Copyright 2025 Chris Tate
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/dist/index.d.ts

@@ -0,0 +1,50 @@
+import { Entity, Collection, Store, ServicePlugin } from '@emulators/core';
+
+interface MicrosoftUser extends Entity {
+    /** Object ID (oid) — unique per-tenant user identifier */
+    oid: string;
+    email: string;
+    name: string;
+    given_name: string;
+    family_name: string;
+    email_verified: boolean;
+    /** Microsoft tenant ID */
+    tenant_id: string;
+    /** User principal name (usually email) */
+    preferred_username: string;
+}
+interface MicrosoftOAuthClient extends Entity {
+    client_id: string;
+    client_secret: string;
+    name: string;
+    redirect_uris: string[];
+    /** Tenant ID this app is registered in */
+    tenant_id: string;
+}
+
+interface MicrosoftStore {
+    users: Collection<MicrosoftUser>;
+    oauthClients: Collection<MicrosoftOAuthClient>;
+}
+declare function getMicrosoftStore(store: Store): MicrosoftStore;
+
+interface MicrosoftSeedConfig {
+    users?: Array<{
+        email: string;
+        name?: string;
+        given_name?: string;
+        family_name?: string;
+        tenant_id?: string;
+    }>;
+    oauth_clients?: Array<{
+        client_id: string;
+        client_secret: string;
+        name: string;
+        redirect_uris: string[];
+        tenant_id?: string;
+    }>;
+}
+declare function seedFromConfig(store: Store, _baseUrl: string, config: MicrosoftSeedConfig): void;
+declare const microsoftPlugin: ServicePlugin;
+
+export { type MicrosoftOAuthClient, type MicrosoftSeedConfig, type MicrosoftStore, type MicrosoftUser, microsoftPlugin as default, getMicrosoftStore, microsoftPlugin, seedFromConfig };

package/dist/index.js

@@ -0,0 +1,795 @@
+// src/store.ts
+function getMicrosoftStore(store) {
+  return {
+    users: store.collection("microsoft.users", ["oid", "email"]),
+    oauthClients: store.collection("microsoft.oauth_clients", ["client_id"])
+  };
+}
+
+// src/helpers.ts
+import { randomUUID } from "crypto";
+var DEFAULT_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
+function generateOid() {
+  return randomUUID();
+}
+
+// src/routes/oauth.ts
+import { createHash, randomBytes } from "crypto";
+import { SignJWT, exportJWK, generateKeyPair } from "jose";
+
+// ../core/dist/index.js
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+import { jwtVerify, importPKCS8 } from "jose";
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, join } from "path";
+import { timingSafeEqual } from "crypto";
+function createErrorHandler(documentationUrl) {
+  return async (c, next) => {
+    if (documentationUrl) {
+      c.set("docsUrl", documentationUrl);
+    }
+    await next();
+  };
+}
+var errorHandler = createErrorHandler();
+var isDebug = typeof process !== "undefined" && (process.env.DEBUG === "1" || process.env.DEBUG === "true" || process.env.EMULATE_DEBUG === "1");
+function debug(label, ...args) {
+  if (isDebug) {
+    console.log(`[${label}]`, ...args);
+  }
+}
+var __dirname = dirname(fileURLToPath(import.meta.url));
+var FONTS = {
+  "geist-sans.woff2": readFileSync(join(__dirname, "fonts", "geist-sans.woff2")),
+  "GeistPixel-Square.woff2": readFileSync(join(__dirname, "fonts", "GeistPixel-Square.woff2"))
+};
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function escapeAttr(s) {
+  return escapeHtml(s).replace(/'/g, "&#39;");
+}
+var CSS = `
+@font-face{
+  font-family:'Geist';font-style:normal;font-weight:100 900;font-display:swap;
+  src:url('/_emulate/fonts/geist-sans.woff2') format('woff2');
+}
+@font-face{
+  font-family:'Geist Pixel';font-style:normal;font-weight:400;font-display:swap;
+  src:url('/_emulate/fonts/GeistPixel-Square.woff2') format('woff2');
+}
+*{box-sizing:border-box;margin:0;padding:0}
+body{
+  font-family:'Geist',-apple-system,BlinkMacSystemFont,sans-serif;
+  background:#000;color:#33ff00;min-height:100vh;
+  -webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;
+}
+.emu-bar{
+  border-bottom:1px solid #0a3300;padding:10px 20px;
+  display:flex;align-items:center;gap:10px;font-size:.8125rem;color:#1a8c00;
+}
+.emu-bar-title{font-weight:600;color:#33ff00;font-family:'Geist Pixel',monospace;}
+.emu-bar-links{margin-left:auto;display:flex;gap:16px;}
+.emu-bar-links a{
+  color:#1a8c00;font-size:.75rem;text-decoration:none;transition:color .15s;
+}
+.emu-bar-links a:hover{color:#33ff00;}
+.emu-bar-links a .full{display:inline;}
+.emu-bar-links a .short{display:none;}
+@media(max-width:600px){
+  .emu-bar-links a .full{display:none;}
+  .emu-bar-links a .short{display:inline;}
+}
+
+.content{
+  display:flex;align-items:center;justify-content:center;
+  min-height:calc(100vh - 42px);padding:24px 16px;
+}
+.content-inner{width:100%;max-width:420px;}
+.card-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.125rem;font-weight:600;margin-bottom:4px;color:#33ff00;
+}
+.card-subtitle{color:#1a8c00;font-size:.8125rem;margin-bottom:18px;line-height:1.45;}
+.powered-by{
+  position:fixed;bottom:0;left:0;right:0;
+  text-align:center;padding:12px;font-size:.6875rem;color:#0a3300;
+  font-family:'Geist Pixel',monospace;
+}
+.powered-by a{color:#1a8c00;text-decoration:none;transition:color .15s;}
+.powered-by a:hover{color:#33ff00;}
+
+.error-title{
+  font-family:'Geist Pixel',monospace;
+  color:#ff4444;font-size:1.125rem;font-weight:600;margin-bottom:8px;
+}
+.error-msg{color:#1a8c00;font-size:.875rem;line-height:1.5;}
+.error-card{text-align:center;}
+
+.user-form{margin-bottom:8px;}
+.user-form:last-of-type{margin-bottom:0;}
+.user-btn{
+  width:100%;display:flex;align-items:center;gap:12px;
+  padding:10px 12px;border:1px solid #0a3300;border-radius:8px;
+  background:#000;color:inherit;cursor:pointer;text-align:left;
+  font:inherit;transition:border-color .15s;
+}
+.user-btn:hover{border-color:#33ff00;}
+.avatar{
+  width:36px;height:36px;border-radius:50%;
+  background:#0a3300;color:#33ff00;font-weight:600;font-size:.875rem;
+  display:flex;align-items:center;justify-content:center;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.user-text{min-width:0;}
+.user-login{font-weight:600;font-size:.875rem;display:block;color:#33ff00;}
+.user-meta{color:#1a8c00;font-size:.75rem;margin-top:1px;}
+.user-email{font-size:.6875rem;color:#116600;word-break:break-all;margin-top:1px;}
+
+.settings-layout{
+  max-width:920px;margin:0 auto;padding:28px 20px;
+  display:flex;gap:28px;
+}
+.settings-sidebar{width:200px;flex-shrink:0;}
+.settings-sidebar a{
+  display:block;padding:6px 10px;border-radius:6px;color:#1a8c00;
+  text-decoration:none;font-size:.8125rem;transition:color .15s;
+}
+.settings-sidebar a:hover{color:#33ff00;}
+.settings-sidebar a.active{color:#33ff00;font-weight:600;}
+.settings-main{flex:1;min-width:0;}
+
+.s-card{
+  padding:18px 0;margin-bottom:14px;border-bottom:1px solid #0a3300;
+}
+.s-card:last-child{border-bottom:none;}
+.s-card-header{display:flex;align-items:center;gap:14px;margin-bottom:14px;}
+.s-icon{
+  width:42px;height:42px;border-radius:8px;
+  background:#0a3300;display:flex;align-items:center;justify-content:center;
+  font-size:1.125rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.s-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.25rem;font-weight:600;color:#33ff00;
+}
+.s-subtitle{font-size:.75rem;color:#1a8c00;margin-top:2px;}
+.section-heading{
+  font-size:.9375rem;font-weight:600;margin-bottom:10px;color:#33ff00;
+  display:flex;align-items:center;justify-content:space-between;
+}
+.perm-list{list-style:none;}
+.perm-list li{padding:5px 0;font-size:.8125rem;display:flex;align-items:center;gap:6px;color:#1a8c00;}
+.check{color:#33ff00;}
+.org-row{
+  display:flex;align-items:center;gap:8px;padding:7px 0;
+  border-bottom:1px solid #0a3300;font-size:.8125rem;
+}
+.org-row:last-child{border-bottom:none;}
+.org-icon{
+  width:22px;height:22px;border-radius:4px;background:#0a3300;
+  display:flex;align-items:center;justify-content:center;
+  font-size:.625rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.org-name{font-weight:600;color:#33ff00;}
+.badge{font-size:.6875rem;padding:1px 7px;border-radius:999px;font-weight:500;}
+.badge-granted{background:#0a3300;color:#33ff00;}
+.badge-denied{background:#1a0a0a;color:#ff4444;}
+.badge-requested{background:#0a3300;color:#1a8c00;}
+.btn-revoke{
+  display:inline-block;padding:5px 14px;border-radius:6px;
+  border:1px solid #0a3300;background:transparent;color:#ff4444;
+  font-size:.75rem;font-weight:600;cursor:pointer;transition:border-color .15s;
+}
+.btn-revoke:hover{border-color:#ff4444;}
+.info-text{color:#1a8c00;font-size:.75rem;line-height:1.5;margin-top:10px;}
+.app-link{
+  display:flex;align-items:center;gap:12px;padding:12px;
+  border:1px solid #0a3300;border-radius:8px;background:#000;
+  text-decoration:none;color:inherit;margin-bottom:8px;transition:border-color .15s;
+}
+.app-link:hover{border-color:#33ff00;}
+.app-link-name{font-weight:600;font-size:.875rem;color:#33ff00;}
+.app-link-scopes{font-size:.6875rem;color:#1a8c00;margin-top:1px;}
+.empty{color:#1a8c00;text-align:center;padding:28px 0;font-size:.875rem;}
+`;
+var POWERED_BY = `<div class="powered-by">Powered by <a href="https://emulate.dev" target="_blank" rel="noopener">emulate</a></div>`;
+function emuBar(service) {
+  const title = service ? `${escapeHtml(service)} Emulator` : "Emulator";
+  return `<div class="emu-bar">
+  <span class="emu-bar-title">${title}</span>
+  <nav class="emu-bar-links">
+    <a href="https://github.com/vercel-labs/emulate/issues" target="_blank" rel="noopener"><span class="full">Report Issue</span><span class="short">Report</span></a>
+    <a href="https://github.com/vercel-labs/emulate" target="_blank" rel="noopener"><span class="full">Source Code</span><span class="short">Source</span></a>
+    <a href="https://emulate.dev" target="_blank" rel="noopener"><span class="full">Learn More</span><span class="short">Learn</span></a>
+  </nav>
+</div>`;
+}
+function head(title) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta name="viewport" content="width=device-width,initial-scale=1"/>
+<title>${escapeHtml(title)} | emulate</title>
+<style>${CSS}</style>
+</head>`;
+}
+function renderCardPage(title, subtitle, body, service) {
+  return `${head(title)}
+<body>
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner">
+    <div class="card-title">${escapeHtml(title)}</div>
+    <div class="card-subtitle">${subtitle}</div>
+    ${body}
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
+function renderErrorPage(title, message, service) {
+  return `${head(title)}
+<body>
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner error-card">
+    <div class="error-title">${escapeHtml(title)}</div>
+    <div class="error-msg">${escapeHtml(message)}</div>
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
+function renderUserButton(opts) {
+  const hiddens = Object.entries(opts.hiddenFields).map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}"/>`).join("");
+  const nameLine = opts.name ? `<div class="user-meta">${escapeHtml(opts.name)}</div>` : "";
+  const emailLine = opts.email ? `<div class="user-email">${escapeHtml(opts.email)}</div>` : "";
+  return `<form class="user-form" method="post" action="${escapeAttr(opts.formAction)}">
+${hiddens}
+<button type="submit" class="user-btn">
+  <span class="avatar">${escapeHtml(opts.letter)}</span>
+  <span class="user-text">
+    <span class="user-login">${escapeHtml(opts.login)}</span>
+    ${nameLine}${emailLine}
+  </span>
+</button>
+</form>`;
+}
+function normalizeUri(uri) {
+  try {
+    const u = new URL(uri);
+    return `${u.origin}${u.pathname.replace(/\/+$/, "")}`;
+  } catch {
+    return uri.replace(/\/+$/, "").split("?")[0];
+  }
+}
+function matchesRedirectUri(incoming, registered) {
+  const normalized = normalizeUri(incoming);
+  return registered.some((r) => normalizeUri(r) === normalized);
+}
+function constantTimeSecretEqual(a, b) {
+  const bufA = Buffer.from(a, "utf-8");
+  const bufB = Buffer.from(b, "utf-8");
+  if (bufA.length !== bufB.length) return false;
+  return timingSafeEqual(bufA, bufB);
+}
+function bodyStr(v) {
+  if (typeof v === "string") return v;
+  if (Array.isArray(v) && typeof v[0] === "string") return v[0];
+  return "";
+}
+
+// src/routes/oauth.ts
+var keyPairPromise = generateKeyPair("RS256");
+var KID = "emulate-microsoft-1";
+var PENDING_CODE_TTL_MS = 10 * 60 * 1e3;
+function getPendingCodes(store) {
+  let map = store.getData("microsoft.oauth.pendingCodes");
+  if (!map) {
+    map = /* @__PURE__ */ new Map();
+    store.setData("microsoft.oauth.pendingCodes", map);
+  }
+  return map;
+}
+function getRefreshTokens(store) {
+  let map = store.getData("microsoft.oauth.refreshTokens");
+  if (!map) {
+    map = /* @__PURE__ */ new Map();
+    store.setData("microsoft.oauth.refreshTokens", map);
+  }
+  return map;
+}
+function isPendingCodeExpired(p) {
+  return Date.now() - p.created_at > PENDING_CODE_TTL_MS;
+}
+var SERVICE_LABEL = "Microsoft";
+async function createIdToken(user, clientId, nonce, baseUrl) {
+  const { privateKey } = await keyPairPromise;
+  const now = Math.floor(Date.now() / 1e3);
+  const builder = new SignJWT({
+    sub: user.oid,
+    email: user.email,
+    name: user.name,
+    given_name: user.given_name,
+    family_name: user.family_name,
+    preferred_username: user.preferred_username,
+    oid: user.oid,
+    tid: user.tenant_id,
+    ver: "2.0",
+    ...nonce ? { nonce } : {}
+  }).setProtectedHeader({ alg: "RS256", kid: KID, typ: "JWT" }).setIssuer(`${baseUrl}/${user.tenant_id}/v2.0`).setAudience(clientId).setIssuedAt(now).setExpirationTime("1h");
+  return builder.sign(privateKey);
+}
+function oauthRoutes({ app, store, baseUrl, tokenMap }) {
+  const ms = getMicrosoftStore(store);
+  const oidcConfig = (tenantId) => ({
+    issuer: `${baseUrl}/${tenantId}/v2.0`,
+    authorization_endpoint: `${baseUrl}/oauth2/v2.0/authorize`,
+    token_endpoint: `${baseUrl}/oauth2/v2.0/token`,
+    userinfo_endpoint: `${baseUrl}/oidc/userinfo`,
+    end_session_endpoint: `${baseUrl}/oauth2/v2.0/logout`,
+    jwks_uri: `${baseUrl}/discovery/v2.0/keys`,
+    response_types_supported: ["code"],
+    response_modes_supported: ["query", "fragment", "form_post"],
+    subject_types_supported: ["pairwise"],
+    id_token_signing_alg_values_supported: ["RS256"],
+    scopes_supported: ["openid", "email", "profile", "offline_access", "User.Read", ".default"],
+    grant_types_supported: ["authorization_code", "refresh_token", "client_credentials"],
+    token_endpoint_auth_methods_supported: ["client_secret_post", "client_secret_basic"],
+    claims_supported: [
+      "sub",
+      "iss",
+      "aud",
+      "exp",
+      "iat",
+      "nonce",
+      "name",
+      "email",
+      "given_name",
+      "family_name",
+      "preferred_username",
+      "oid",
+      "tid",
+      "ver"
+    ],
+    code_challenge_methods_supported: ["plain", "S256"]
+  });
+  app.get("/.well-known/openid-configuration", (c) => {
+    return c.json(oidcConfig(DEFAULT_TENANT_ID));
+  });
+  app.get("/:tenant/v2.0/.well-known/openid-configuration", (c) => {
+    const tenant = c.req.param("tenant");
+    return c.json(oidcConfig(tenant === "common" || tenant === "organizations" || tenant === "consumers" ? DEFAULT_TENANT_ID : tenant));
+  });
+  app.get("/discovery/v2.0/keys", async (c) => {
+    const { publicKey } = await keyPairPromise;
+    const jwk = await exportJWK(publicKey);
+    return c.json({
+      keys: [{
+        ...jwk,
+        kid: KID,
+        use: "sig",
+        alg: "RS256"
+      }]
+    });
+  });
+  app.get("/oauth2/v2.0/authorize", (c) => {
+    const client_id = c.req.query("client_id") ?? "";
+    const redirect_uri = c.req.query("redirect_uri") ?? "";
+    const scope = c.req.query("scope") ?? "";
+    const state = c.req.query("state") ?? "";
+    const nonce = c.req.query("nonce") ?? "";
+    const response_mode = c.req.query("response_mode") ?? "query";
+    const code_challenge = c.req.query("code_challenge") ?? "";
+    const code_challenge_method = c.req.query("code_challenge_method") ?? "";
+    const clientsConfigured = ms.oauthClients.all().length > 0;
+    let clientName = "";
+    if (clientsConfigured) {
+      const client = ms.oauthClients.findOneBy("client_id", client_id);
+      if (!client) {
+        return c.html(
+          renderErrorPage("Application not found", `The client_id '${client_id}' is not registered.`, SERVICE_LABEL),
+          400
+        );
+      }
+      if (redirect_uri && !matchesRedirectUri(redirect_uri, client.redirect_uris)) {
+        return c.html(
+          renderErrorPage("Redirect URI mismatch", "The redirect_uri is not registered for this application.", SERVICE_LABEL),
+          400
+        );
+      }
+      clientName = client.name;
+    }
+    const subtitleText = clientName ? `Sign in to <strong>${escapeHtml(clientName)}</strong> with your Microsoft account.` : "Choose a seeded user to continue.";
+    const users = ms.users.all();
+    const userButtons = users.map((user) => {
+      return renderUserButton({
+        letter: (user.email[0] ?? "?").toUpperCase(),
+        login: user.email,
+        name: user.name,
+        email: user.email,
+        formAction: "/oauth2/v2.0/authorize/callback",
+        hiddenFields: {
+          email: user.email,
+          redirect_uri,
+          scope,
+          state,
+          nonce,
+          client_id,
+          response_mode,
+          code_challenge,
+          code_challenge_method
+        }
+      });
+    }).join("\n");
+    const body = users.length === 0 ? '<p class="empty">No users in the emulator store.</p>' : userButtons;
+    return c.html(renderCardPage("Sign in with Microsoft", subtitleText, body, SERVICE_LABEL));
+  });
+  app.post("/oauth2/v2.0/authorize/callback", async (c) => {
+    const body = await c.req.parseBody();
+    const email = bodyStr(body.email);
+    const redirect_uri = bodyStr(body.redirect_uri);
+    const scope = bodyStr(body.scope);
+    const state = bodyStr(body.state);
+    const client_id = bodyStr(body.client_id);
+    const nonce = bodyStr(body.nonce);
+    const response_mode = bodyStr(body.response_mode) || "query";
+    const code_challenge = bodyStr(body.code_challenge);
+    const code_challenge_method = bodyStr(body.code_challenge_method);
+    const clientsConfigured = ms.oauthClients.all().length > 0;
+    if (clientsConfigured) {
+      const client = ms.oauthClients.findOneBy("client_id", client_id);
+      if (!client) {
+        return c.html(
+          renderErrorPage("Application not found", `The client_id '${client_id}' is not registered.`, SERVICE_LABEL),
+          400
+        );
+      }
+      if (redirect_uri && !matchesRedirectUri(redirect_uri, client.redirect_uris)) {
+        return c.html(
+          renderErrorPage("Redirect URI mismatch", "The redirect_uri is not registered for this application.", SERVICE_LABEL),
+          400
+        );
+      }
+    }
+    const code = randomBytes(20).toString("hex");
+    getPendingCodes(store).set(code, {
+      email,
+      scope,
+      redirectUri: redirect_uri,
+      clientId: client_id,
+      nonce: nonce || null,
+      codeChallenge: code_challenge || null,
+      codeChallengeMethod: code_challenge_method || null,
+      created_at: Date.now()
+    });
+    debug("microsoft.oauth", `[Microsoft callback] code=${code.slice(0, 8)}... email=${email}`);
+    if (response_mode === "form_post") {
+      const html = `<!DOCTYPE html>
+<html>
+<head><title>Submit</title></head>
+<body onload="document.forms[0].submit()">
+<form method="POST" action="${escapeAttr(redirect_uri)}">
+<input type="hidden" name="code" value="${escapeAttr(code)}" />
+<input type="hidden" name="state" value="${escapeAttr(state)}" />
+</form>
+</body>
+</html>`;
+      return c.html(html);
+    }
+    const url = new URL(redirect_uri);
+    url.searchParams.set("code", code);
+    if (state) url.searchParams.set("state", state);
+    return c.redirect(url.toString(), 302);
+  });
+  app.post("/oauth2/v2.0/token", async (c) => {
+    const contentType = c.req.header("Content-Type") ?? "";
+    const rawText = await c.req.text();
+    let body;
+    if (contentType.includes("application/json")) {
+      try {
+        body = JSON.parse(rawText);
+      } catch {
+        body = {};
+      }
+    } else {
+      body = Object.fromEntries(new URLSearchParams(rawText));
+    }
+    const grant_type = typeof body.grant_type === "string" ? body.grant_type : "";
+    const code = typeof body.code === "string" ? body.code : "";
+    let client_id = typeof body.client_id === "string" ? body.client_id : "";
+    let client_secret = typeof body.client_secret === "string" ? body.client_secret : "";
+    const refresh_token = typeof body.refresh_token === "string" ? body.refresh_token : "";
+    const redirect_uri = typeof body.redirect_uri === "string" ? body.redirect_uri : "";
+    const code_verifier = typeof body.code_verifier === "string" ? body.code_verifier : void 0;
+    const scope = typeof body.scope === "string" ? body.scope : "";
+    const authHeader = c.req.header("Authorization") ?? "";
+    if (authHeader.startsWith("Basic ")) {
+      const decoded = Buffer.from(authHeader.slice(6), "base64").toString();
+      const sep = decoded.indexOf(":");
+      if (sep !== -1) {
+        const headerId = decodeURIComponent(decoded.slice(0, sep));
+        const headerSecret = decodeURIComponent(decoded.slice(sep + 1));
+        if (!client_id) client_id = headerId;
+        if (!client_secret) client_secret = headerSecret;
+      }
+    }
+    if (grant_type === "authorization_code") {
+      const clientsConfigured = ms.oauthClients.all().length > 0;
+      if (clientsConfigured) {
+        const client = ms.oauthClients.findOneBy("client_id", client_id);
+        if (!client) {
+          return c.json({ error: "invalid_client", error_description: "The client_id is incorrect." }, 401);
+        }
+        if (!constantTimeSecretEqual(client_secret, client.client_secret)) {
+          return c.json({ error: "invalid_client", error_description: "The client_secret is incorrect." }, 401);
+        }
+      }
+      const pendingMap = getPendingCodes(store);
+      const pending = pendingMap.get(code);
+      if (!pending) {
+        return c.json({ error: "invalid_grant", error_description: "The code is incorrect or expired." }, 400);
+      }
+      if (isPendingCodeExpired(pending)) {
+        pendingMap.delete(code);
+        return c.json({ error: "invalid_grant", error_description: "The code is incorrect or expired." }, 400);
+      }
+      if (pending.redirectUri && redirect_uri && pending.redirectUri !== redirect_uri) {
+        pendingMap.delete(code);
+        return c.json({ error: "invalid_grant", error_description: "The redirect_uri does not match the one used in the authorization request." }, 400);
+      }
+      if (pending.codeChallenge !== null) {
+        if (code_verifier === void 0) {
+          return c.json({ error: "invalid_grant", error_description: "PKCE verification failed." }, 400);
+        }
+        const method = (pending.codeChallengeMethod ?? "plain").toLowerCase();
+        if (method === "s256") {
+          const expected = createHash("sha256").update(code_verifier).digest("base64url");
+          if (expected !== pending.codeChallenge) {
+            return c.json({ error: "invalid_grant", error_description: "PKCE verification failed." }, 400);
+          }
+        } else if (method === "plain") {
+          if (code_verifier !== pending.codeChallenge) {
+            return c.json({ error: "invalid_grant", error_description: "PKCE verification failed." }, 400);
+          }
+        } else {
+          return c.json({ error: "invalid_grant", error_description: "PKCE verification failed." }, 400);
+        }
+      }
+      pendingMap.delete(code);
+      const user = ms.users.findOneBy("email", pending.email);
+      if (!user) {
+        return c.json({ error: "invalid_grant", error_description: "User not found." }, 400);
+      }
+      const accessToken = "microsoft_" + randomBytes(20).toString("base64url");
+      const refreshToken = "r_microsoft_" + randomBytes(20).toString("base64url");
+      const scopes = pending.scope ? pending.scope.split(/\s+/).filter(Boolean) : [];
+      if (tokenMap) {
+        tokenMap.set(accessToken, { login: user.email, id: user.id, scopes });
+      }
+      getRefreshTokens(store).set(refreshToken, {
+        email: user.email,
+        clientId: pending.clientId,
+        scope: pending.scope,
+        nonce: pending.nonce
+      });
+      const idToken = await createIdToken(user, pending.clientId, pending.nonce, baseUrl);
+      debug("microsoft.oauth", `[Microsoft token] issued token for ${user.email}`);
+      return c.json({
+        access_token: accessToken,
+        token_type: "Bearer",
+        expires_in: 3600,
+        scope: pending.scope || "openid email profile",
+        refresh_token: refreshToken,
+        id_token: idToken
+      });
+    }
+    if (grant_type === "refresh_token") {
+      const refreshMap = getRefreshTokens(store);
+      const stored = refreshMap.get(refresh_token);
+      if (!stored) {
+        return c.json({ error: "invalid_grant", error_description: "The refresh_token is invalid." }, 400);
+      }
+      const user = ms.users.findOneBy("email", stored.email);
+      if (!user) {
+        return c.json({ error: "invalid_grant", error_description: "User not found." }, 400);
+      }
+      const accessToken = "microsoft_" + randomBytes(20).toString("base64url");
+      const newRefreshToken = "r_microsoft_" + randomBytes(20).toString("base64url");
+      const scopes = stored.scope ? stored.scope.split(/\s+/).filter(Boolean) : [];
+      if (tokenMap) {
+        tokenMap.set(accessToken, { login: user.email, id: user.id, scopes });
+      }
+      refreshMap.delete(refresh_token);
+      refreshMap.set(newRefreshToken, {
+        email: stored.email,
+        clientId: stored.clientId,
+        scope: stored.scope,
+        nonce: stored.nonce
+      });
+      const idToken = await createIdToken(user, stored.clientId || client_id, stored.nonce, baseUrl);
+      debug("microsoft.oauth", `[Microsoft refresh] issued new token for ${user.email}`);
+      return c.json({
+        access_token: accessToken,
+        token_type: "Bearer",
+        expires_in: 3600,
+        scope: stored.scope || "openid email profile",
+        refresh_token: newRefreshToken,
+        id_token: idToken
+      });
+    }
+    if (grant_type === "client_credentials") {
+      const clientsConfigured = ms.oauthClients.all().length > 0;
+      if (clientsConfigured) {
+        const client = ms.oauthClients.findOneBy("client_id", client_id);
+        if (!client) {
+          return c.json({ error: "invalid_client", error_description: "The client_id is incorrect." }, 401);
+        }
+        if (!constantTimeSecretEqual(client_secret, client.client_secret)) {
+          return c.json({ error: "invalid_client", error_description: "The client_secret is incorrect." }, 401);
+        }
+      }
+      const accessToken = "microsoft_" + randomBytes(20).toString("base64url");
+      const scopes = scope ? scope.split(/\s+/).filter(Boolean) : [".default"];
+      if (tokenMap) {
+        tokenMap.set(accessToken, { login: client_id, id: 0, scopes });
+      }
+      debug("microsoft.oauth", `[Microsoft client_credentials] issued token for ${client_id}`);
+      return c.json({
+        access_token: accessToken,
+        token_type: "Bearer",
+        expires_in: 3600,
+        scope: scope || ".default"
+      });
+    }
+    return c.json({ error: "unsupported_grant_type", error_description: "Only authorization_code, refresh_token, and client_credentials are supported." }, 400);
+  });
+  app.get("/oidc/userinfo", (c) => {
+    const authUser = c.get("authUser");
+    if (!authUser) {
+      return c.json({ error: "invalid_token", error_description: "Authentication required." }, 401);
+    }
+    const user = ms.users.findOneBy("email", authUser.login);
+    if (!user) {
+      return c.json({ error: "invalid_token", error_description: "User not found." }, 401);
+    }
+    return c.json({
+      sub: user.oid,
+      email: user.email,
+      name: user.name,
+      given_name: user.given_name,
+      family_name: user.family_name,
+      preferred_username: user.preferred_username
+    });
+  });
+  app.get("/v1.0/me", (c) => {
+    const authUser = c.get("authUser");
+    if (!authUser) {
+      return c.json({ error: { code: "InvalidAuthenticationToken", message: "Authentication required." } }, 401);
+    }
+    const user = ms.users.findOneBy("email", authUser.login);
+    if (!user) {
+      return c.json({ error: { code: "Request_ResourceNotFound", message: "User not found." } }, 404);
+    }
+    return c.json({
+      "@odata.context": `${baseUrl}/v1.0/$metadata#users/$entity`,
+      id: user.oid,
+      displayName: user.name,
+      givenName: user.given_name,
+      surname: user.family_name,
+      mail: user.email,
+      userPrincipalName: user.preferred_username
+    });
+  });
+  app.get("/oauth2/v2.0/logout", (c) => {
+    const post_logout_redirect_uri = c.req.query("post_logout_redirect_uri");
+    if (post_logout_redirect_uri) {
+      const allClients = ms.oauthClients.all();
+      if (allClients.length > 0) {
+        const allowed = allClients.some(
+          (client) => matchesRedirectUri(post_logout_redirect_uri, client.redirect_uris)
+        );
+        if (!allowed) {
+          return c.text("Invalid post_logout_redirect_uri", 400);
+        }
+      }
+      return c.redirect(post_logout_redirect_uri, 302);
+    }
+    return c.text("Logged out", 200);
+  });
+  app.post("/oauth2/v2.0/revoke", async (c) => {
+    const contentType = c.req.header("Content-Type") ?? "";
+    const rawText = await c.req.text();
+    let token;
+    if (contentType.includes("application/json")) {
+      try {
+        const parsed = JSON.parse(rawText);
+        token = typeof parsed.token === "string" ? parsed.token : "";
+      } catch {
+        token = "";
+      }
+    } else {
+      const params = new URLSearchParams(rawText);
+      token = params.get("token") ?? "";
+    }
+    if (token && tokenMap) {
+      tokenMap.delete(token);
+    }
+    if (token) {
+      getRefreshTokens(store).delete(token);
+    }
+    return c.body(null, 200);
+  });
+}
+
+// src/index.ts
+function seedDefaults(store, _baseUrl) {
+  const ms = getMicrosoftStore(store);
+  ms.users.insert({
+    oid: generateOid(),
+    email: "testuser@outlook.com",
+    name: "Test User",
+    given_name: "Test",
+    family_name: "User",
+    email_verified: true,
+    tenant_id: DEFAULT_TENANT_ID,
+    preferred_username: "testuser@outlook.com"
+  });
+}
+function seedFromConfig(store, _baseUrl, config) {
+  const ms = getMicrosoftStore(store);
+  if (config.users) {
+    for (const u of config.users) {
+      const existing = ms.users.findOneBy("email", u.email);
+      if (existing) continue;
+      const nameParts = (u.name ?? "").split(/\s+/);
+      ms.users.insert({
+        oid: generateOid(),
+        email: u.email,
+        name: u.name ?? u.email.split("@")[0],
+        given_name: u.given_name ?? nameParts[0] ?? "",
+        family_name: u.family_name ?? nameParts.slice(1).join(" ") ?? "",
+        email_verified: true,
+        tenant_id: u.tenant_id ?? DEFAULT_TENANT_ID,
+        preferred_username: u.email
+      });
+    }
+  }
+  if (config.oauth_clients) {
+    for (const client of config.oauth_clients) {
+      const existing = ms.oauthClients.findOneBy("client_id", client.client_id);
+      if (existing) continue;
+      ms.oauthClients.insert({
+        client_id: client.client_id,
+        client_secret: client.client_secret,
+        name: client.name,
+        redirect_uris: client.redirect_uris,
+        tenant_id: client.tenant_id ?? DEFAULT_TENANT_ID
+      });
+    }
+  }
+}
+var microsoftPlugin = {
+  name: "microsoft",
+  register(app, store, webhooks, baseUrl, tokenMap) {
+    const ctx = { app, store, webhooks, baseUrl, tokenMap };
+    oauthRoutes(ctx);
+  },
+  seed(store, baseUrl) {
+    seedDefaults(store, baseUrl);
+  }
+};
+var index_default = microsoftPlugin;
+export {
+  index_default as default,
+  getMicrosoftStore,
+  microsoftPlugin,
+  seedFromConfig
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/store.ts","../src/helpers.ts","../src/routes/oauth.ts","../../core/src/store.ts","../../core/src/server.ts","../../core/src/webhooks.ts","../../core/src/middleware/error-handler.ts","../../core/src/middleware/auth.ts","../../core/src/debug.ts","../../core/src/fonts.ts","../../core/src/middleware/pagination.ts","../../core/src/ui.ts","../../core/src/oauth-helpers.ts","../src/index.ts"],"sourcesContent":["import { Store, type Collection } from \"@emulators/core\";\nimport type { MicrosoftUser, MicrosoftOAuthClient } from \"./entities.js\";\n\nexport interface MicrosoftStore {\n  users: Collection<MicrosoftUser>;\n  oauthClients: Collection<MicrosoftOAuthClient>;\n}\n\nexport function getMicrosoftStore(store: Store): MicrosoftStore {\n  return {\n    users: store.collection<MicrosoftUser>(\"microsoft.users\", [\"oid\", \"email\"]),\n    oauthClients: store.collection<MicrosoftOAuthClient>(\"microsoft.oauth_clients\", [\"client_id\"]),\n  };\n}\n","import { randomUUID } from \"crypto\";\n\n/** Default tenant ID used when none is configured */\nexport const DEFAULT_TENANT_ID = \"9188040d-6c67-4c5b-b112-36a304b66dad\";\n\n/**\n * Generate a Microsoft-style object ID (UUID v4 format).\n */\nexport function generateOid(): string {\n  return randomUUID();\n}\n","import { createHash, randomBytes } from \"crypto\";\nimport { SignJWT, exportJWK, generateKeyPair } from \"jose\";\nimport type { RouteContext } from \"@emulators/core\";\nimport {\n  escapeHtml,\n  escapeAttr,\n  renderCardPage,\n  renderErrorPage,\n  renderUserButton,\n  matchesRedirectUri,\n  constantTimeSecretEqual,\n  bodyStr,\n  debug,\n} from \"@emulators/core\";\nimport { getMicrosoftStore } from \"../store.js\";\nimport { DEFAULT_TENANT_ID } from \"../helpers.js\";\nimport type { MicrosoftUser } from \"../entities.js\";\nimport type { Store } from \"@emulators/core\";\n\n// RSA key pair generated at module load for signing id_tokens\nconst keyPairPromise = generateKeyPair(\"RS256\");\nconst KID = \"emulate-microsoft-1\";\n\ntype PendingCode = {\n  email: string;\n  scope: string;\n  redirectUri: string;\n  clientId: string;\n  nonce: string | null;\n  codeChallenge: string | null;\n  codeChallengeMethod: string | null;\n  created_at: number;\n};\n\ntype StoredRefreshToken = {\n  email: string;\n  clientId: string;\n  scope: string;\n  nonce: string | null;\n};\n\nconst PENDING_CODE_TTL_MS = 10 * 60 * 1000;\n\nfunction getPendingCodes(store: Store): Map<string, PendingCode> {\n  let map = store.getData<Map<string, PendingCode>>(\"microsoft.oauth.pendingCodes\");\n  if (!map) {\n    map = new Map();\n    store.setData(\"microsoft.oauth.pendingCodes\", map);\n  }\n  return map;\n}\n\nfunction getRefreshTokens(store: Store): Map<string, StoredRefreshToken> {\n  let map = store.getData<Map<string, StoredRefreshToken>>(\"microsoft.oauth.refreshTokens\");\n  if (!map) {\n    map = new Map();\n    store.setData(\"microsoft.oauth.refreshTokens\", map);\n  }\n  return map;\n}\n\nfunction isPendingCodeExpired(p: PendingCode): boolean {\n  return Date.now() - p.created_at > PENDING_CODE_TTL_MS;\n}\n\nconst SERVICE_LABEL = \"Microsoft\";\n\nasync function createIdToken(\n  user: MicrosoftUser,\n  clientId: string,\n  nonce: string | null,\n  baseUrl: string,\n): Promise<string> {\n  const { privateKey } = await keyPairPromise;\n  const now = Math.floor(Date.now() / 1000);\n\n  const builder = new SignJWT({\n    sub: user.oid,\n    email: user.email,\n    name: user.name,\n    given_name: user.given_name,\n    family_name: user.family_name,\n    preferred_username: user.preferred_username,\n    oid: user.oid,\n    tid: user.tenant_id,\n    ver: \"2.0\",\n    ...(nonce ? { nonce } : {}),\n  })\n    .setProtectedHeader({ alg: \"RS256\", kid: KID, typ: \"JWT\" })\n    .setIssuer(`${baseUrl}/${user.tenant_id}/v2.0`)\n    .setAudience(clientId)\n    .setIssuedAt(now)\n    .setExpirationTime(\"1h\");\n\n  return builder.sign(privateKey);\n}\n\nexport function oauthRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n  const ms = getMicrosoftStore(store);\n\n  // ---------- OpenID Configuration ----------\n  // Microsoft uses /{tenant}/v2.0/.well-known/openid-configuration\n  // We also serve at /.well-known/openid-configuration for convenience.\n\n  const oidcConfig = (tenantId: string) => ({\n    issuer: `${baseUrl}/${tenantId}/v2.0`,\n    authorization_endpoint: `${baseUrl}/oauth2/v2.0/authorize`,\n    token_endpoint: `${baseUrl}/oauth2/v2.0/token`,\n    userinfo_endpoint: `${baseUrl}/oidc/userinfo`,\n    end_session_endpoint: `${baseUrl}/oauth2/v2.0/logout`,\n    jwks_uri: `${baseUrl}/discovery/v2.0/keys`,\n    response_types_supported: [\"code\"],\n    response_modes_supported: [\"query\", \"fragment\", \"form_post\"],\n    subject_types_supported: [\"pairwise\"],\n    id_token_signing_alg_values_supported: [\"RS256\"],\n    scopes_supported: [\"openid\", \"email\", \"profile\", \"offline_access\", \"User.Read\", \".default\"],\n    grant_types_supported: [\"authorization_code\", \"refresh_token\", \"client_credentials\"],\n    token_endpoint_auth_methods_supported: [\"client_secret_post\", \"client_secret_basic\"],\n    claims_supported: [\n      \"sub\", \"iss\", \"aud\", \"exp\", \"iat\", \"nonce\",\n      \"name\", \"email\", \"given_name\", \"family_name\",\n      \"preferred_username\", \"oid\", \"tid\", \"ver\",\n    ],\n    code_challenge_methods_supported: [\"plain\", \"S256\"],\n  });\n\n  app.get(\"/.well-known/openid-configuration\", (c) => {\n    return c.json(oidcConfig(DEFAULT_TENANT_ID));\n  });\n\n  app.get(\"/:tenant/v2.0/.well-known/openid-configuration\", (c) => {\n    const tenant = c.req.param(\"tenant\");\n    return c.json(oidcConfig(tenant === \"common\" || tenant === \"organizations\" || tenant === \"consumers\" ? DEFAULT_TENANT_ID : tenant));\n  });\n\n  // ---------- JWKS ----------\n\n  app.get(\"/discovery/v2.0/keys\", async (c) => {\n    const { publicKey } = await keyPairPromise;\n    const jwk = await exportJWK(publicKey);\n    return c.json({\n      keys: [{\n        ...jwk,\n        kid: KID,\n        use: \"sig\",\n        alg: \"RS256\",\n      }],\n    });\n  });\n\n  // ---------- Authorization page ----------\n\n  app.get(\"/oauth2/v2.0/authorize\", (c) => {\n    const client_id = c.req.query(\"client_id\") ?? \"\";\n    const redirect_uri = c.req.query(\"redirect_uri\") ?? \"\";\n    const scope = c.req.query(\"scope\") ?? \"\";\n    const state = c.req.query(\"state\") ?? \"\";\n    const nonce = c.req.query(\"nonce\") ?? \"\";\n    const response_mode = c.req.query(\"response_mode\") ?? \"query\";\n    const code_challenge = c.req.query(\"code_challenge\") ?? \"\";\n    const code_challenge_method = c.req.query(\"code_challenge_method\") ?? \"\";\n\n    const clientsConfigured = ms.oauthClients.all().length > 0;\n    let clientName = \"\";\n    if (clientsConfigured) {\n      const client = ms.oauthClients.findOneBy(\"client_id\", client_id);\n      if (!client) {\n        return c.html(\n          renderErrorPage(\"Application not found\", `The client_id '${client_id}' is not registered.`, SERVICE_LABEL),\n          400,\n        );\n      }\n      if (redirect_uri && !matchesRedirectUri(redirect_uri, client.redirect_uris)) {\n        return c.html(\n          renderErrorPage(\"Redirect URI mismatch\", \"The redirect_uri is not registered for this application.\", SERVICE_LABEL),\n          400,\n        );\n      }\n      clientName = client.name;\n    }\n\n    const subtitleText = clientName\n      ? `Sign in to <strong>${escapeHtml(clientName)}</strong> with your Microsoft account.`\n      : \"Choose a seeded user to continue.\";\n\n    const users = ms.users.all();\n    const userButtons = users\n      .map((user) => {\n        return renderUserButton({\n          letter: (user.email[0] ?? \"?\").toUpperCase(),\n          login: user.email,\n          name: user.name,\n          email: user.email,\n          formAction: \"/oauth2/v2.0/authorize/callback\",\n          hiddenFields: {\n            email: user.email,\n            redirect_uri,\n            scope,\n            state,\n            nonce,\n            client_id,\n            response_mode,\n            code_challenge,\n            code_challenge_method,\n          },\n        });\n      })\n      .join(\"\\n\");\n\n    const body = users.length === 0\n      ? '<p class=\"empty\">No users in the emulator store.</p>'\n      : userButtons;\n\n    return c.html(renderCardPage(\"Sign in with Microsoft\", subtitleText, body, SERVICE_LABEL));\n  });\n\n  // ---------- Authorization callback ----------\n\n  app.post(\"/oauth2/v2.0/authorize/callback\", async (c) => {\n    const body = await c.req.parseBody();\n    const email = bodyStr(body.email);\n    const redirect_uri = bodyStr(body.redirect_uri);\n    const scope = bodyStr(body.scope);\n    const state = bodyStr(body.state);\n    const client_id = bodyStr(body.client_id);\n    const nonce = bodyStr(body.nonce);\n    const response_mode = bodyStr(body.response_mode) || \"query\";\n    const code_challenge = bodyStr(body.code_challenge);\n    const code_challenge_method = bodyStr(body.code_challenge_method);\n\n    // Validate redirect_uri against registered client\n    const clientsConfigured = ms.oauthClients.all().length > 0;\n    if (clientsConfigured) {\n      const client = ms.oauthClients.findOneBy(\"client_id\", client_id);\n      if (!client) {\n        return c.html(\n          renderErrorPage(\"Application not found\", `The client_id '${client_id}' is not registered.`, SERVICE_LABEL),\n          400,\n        );\n      }\n      if (redirect_uri && !matchesRedirectUri(redirect_uri, client.redirect_uris)) {\n        return c.html(\n          renderErrorPage(\"Redirect URI mismatch\", \"The redirect_uri is not registered for this application.\", SERVICE_LABEL),\n          400,\n        );\n      }\n    }\n\n    const code = randomBytes(20).toString(\"hex\");\n\n    getPendingCodes(store).set(code, {\n      email,\n      scope,\n      redirectUri: redirect_uri,\n      clientId: client_id,\n      nonce: nonce || null,\n      codeChallenge: code_challenge || null,\n      codeChallengeMethod: code_challenge_method || null,\n      created_at: Date.now(),\n    });\n\n    debug(\"microsoft.oauth\", `[Microsoft callback] code=${code.slice(0, 8)}... email=${email}`);\n\n    if (response_mode === \"form_post\") {\n      const html = `<!DOCTYPE html>\n<html>\n<head><title>Submit</title></head>\n<body onload=\"document.forms[0].submit()\">\n<form method=\"POST\" action=\"${escapeAttr(redirect_uri)}\">\n<input type=\"hidden\" name=\"code\" value=\"${escapeAttr(code)}\" />\n<input type=\"hidden\" name=\"state\" value=\"${escapeAttr(state)}\" />\n</form>\n</body>\n</html>`;\n      return c.html(html);\n    }\n\n    // Default: query mode redirect\n    const url = new URL(redirect_uri);\n    url.searchParams.set(\"code\", code);\n    if (state) url.searchParams.set(\"state\", state);\n\n    return c.redirect(url.toString(), 302);\n  });\n\n  // ---------- Token exchange ----------\n\n  app.post(\"/oauth2/v2.0/token\", async (c) => {\n    const contentType = c.req.header(\"Content-Type\") ?? \"\";\n    const rawText = await c.req.text();\n\n    let body: Record<string, unknown>;\n    if (contentType.includes(\"application/json\")) {\n      try { body = JSON.parse(rawText); } catch { body = {}; }\n    } else {\n      body = Object.fromEntries(new URLSearchParams(rawText));\n    }\n\n    const grant_type = typeof body.grant_type === \"string\" ? body.grant_type : \"\";\n    const code = typeof body.code === \"string\" ? body.code : \"\";\n    let client_id = typeof body.client_id === \"string\" ? body.client_id : \"\";\n    let client_secret = typeof body.client_secret === \"string\" ? body.client_secret : \"\";\n    const refresh_token = typeof body.refresh_token === \"string\" ? body.refresh_token : \"\";\n    const redirect_uri = typeof body.redirect_uri === \"string\" ? body.redirect_uri : \"\";\n    const code_verifier = typeof body.code_verifier === \"string\" ? body.code_verifier : undefined;\n    const scope = typeof body.scope === \"string\" ? body.scope : \"\";\n\n    // Support client_secret_basic: credentials in Authorization header\n    const authHeader = c.req.header(\"Authorization\") ?? \"\";\n    if (authHeader.startsWith(\"Basic \")) {\n      const decoded = Buffer.from(authHeader.slice(6), \"base64\").toString();\n      const sep = decoded.indexOf(\":\");\n      if (sep !== -1) {\n        const headerId = decodeURIComponent(decoded.slice(0, sep));\n        const headerSecret = decodeURIComponent(decoded.slice(sep + 1));\n        if (!client_id) client_id = headerId;\n        if (!client_secret) client_secret = headerSecret;\n      }\n    }\n\n    if (grant_type === \"authorization_code\") {\n      const clientsConfigured = ms.oauthClients.all().length > 0;\n      if (clientsConfigured) {\n        const client = ms.oauthClients.findOneBy(\"client_id\", client_id);\n        if (!client) {\n          return c.json({ error: \"invalid_client\", error_description: \"The client_id is incorrect.\" }, 401);\n        }\n        if (!constantTimeSecretEqual(client_secret, client.client_secret)) {\n          return c.json({ error: \"invalid_client\", error_description: \"The client_secret is incorrect.\" }, 401);\n        }\n      }\n\n      const pendingMap = getPendingCodes(store);\n      const pending = pendingMap.get(code);\n      if (!pending) {\n        return c.json({ error: \"invalid_grant\", error_description: \"The code is incorrect or expired.\" }, 400);\n      }\n      if (isPendingCodeExpired(pending)) {\n        pendingMap.delete(code);\n        return c.json({ error: \"invalid_grant\", error_description: \"The code is incorrect or expired.\" }, 400);\n      }\n\n      // Verify redirect_uri matches the one used in the authorization request (RFC 6749 §4.1.3)\n      if (pending.redirectUri && redirect_uri && pending.redirectUri !== redirect_uri) {\n        pendingMap.delete(code);\n        return c.json({ error: \"invalid_grant\", error_description: \"The redirect_uri does not match the one used in the authorization request.\" }, 400);\n      }\n\n      // PKCE verification\n      if (pending.codeChallenge !== null) {\n        if (code_verifier === undefined) {\n          return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n        }\n        const method = (pending.codeChallengeMethod ?? \"plain\").toLowerCase();\n        if (method === \"s256\") {\n          const expected = createHash(\"sha256\").update(code_verifier).digest(\"base64url\");\n          if (expected !== pending.codeChallenge) {\n            return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n          }\n        } else if (method === \"plain\") {\n          if (code_verifier !== pending.codeChallenge) {\n            return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n          }\n        } else {\n          return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n        }\n      }\n\n      // Single-use: delete immediately\n      pendingMap.delete(code);\n\n      const user = ms.users.findOneBy(\"email\", pending.email as MicrosoftUser[\"email\"]);\n      if (!user) {\n        return c.json({ error: \"invalid_grant\", error_description: \"User not found.\" }, 400);\n      }\n\n      const accessToken = \"microsoft_\" + randomBytes(20).toString(\"base64url\");\n      const refreshToken = \"r_microsoft_\" + randomBytes(20).toString(\"base64url\");\n      const scopes = pending.scope ? pending.scope.split(/\\s+/).filter(Boolean) : [];\n\n      if (tokenMap) {\n        tokenMap.set(accessToken, { login: user.email, id: user.id, scopes });\n      }\n\n      // Store refresh token\n      getRefreshTokens(store).set(refreshToken, {\n        email: user.email,\n        clientId: pending.clientId,\n        scope: pending.scope,\n        nonce: pending.nonce,\n      });\n\n      const idToken = await createIdToken(user, pending.clientId, pending.nonce, baseUrl);\n\n      debug(\"microsoft.oauth\", `[Microsoft token] issued token for ${user.email}`);\n\n      return c.json({\n        access_token: accessToken,\n        token_type: \"Bearer\",\n        expires_in: 3600,\n        scope: pending.scope || \"openid email profile\",\n        refresh_token: refreshToken,\n        id_token: idToken,\n      });\n    }\n\n    if (grant_type === \"refresh_token\") {\n      const refreshMap = getRefreshTokens(store);\n      const stored = refreshMap.get(refresh_token);\n      if (!stored) {\n        return c.json({ error: \"invalid_grant\", error_description: \"The refresh_token is invalid.\" }, 400);\n      }\n\n      const user = ms.users.findOneBy(\"email\", stored.email as MicrosoftUser[\"email\"]);\n      if (!user) {\n        return c.json({ error: \"invalid_grant\", error_description: \"User not found.\" }, 400);\n      }\n\n      const accessToken = \"microsoft_\" + randomBytes(20).toString(\"base64url\");\n      const newRefreshToken = \"r_microsoft_\" + randomBytes(20).toString(\"base64url\");\n      const scopes = stored.scope ? stored.scope.split(/\\s+/).filter(Boolean) : [];\n\n      if (tokenMap) {\n        tokenMap.set(accessToken, { login: user.email, id: user.id, scopes });\n      }\n\n      // Rotate refresh token\n      refreshMap.delete(refresh_token);\n      refreshMap.set(newRefreshToken, {\n        email: stored.email,\n        clientId: stored.clientId,\n        scope: stored.scope,\n        nonce: stored.nonce,\n      });\n\n      const idToken = await createIdToken(user, stored.clientId || client_id, stored.nonce, baseUrl);\n\n      debug(\"microsoft.oauth\", `[Microsoft refresh] issued new token for ${user.email}`);\n\n      return c.json({\n        access_token: accessToken,\n        token_type: \"Bearer\",\n        expires_in: 3600,\n        scope: stored.scope || \"openid email profile\",\n        refresh_token: newRefreshToken,\n        id_token: idToken,\n      });\n    }\n\n    if (grant_type === \"client_credentials\") {\n      const clientsConfigured = ms.oauthClients.all().length > 0;\n      if (clientsConfigured) {\n        const client = ms.oauthClients.findOneBy(\"client_id\", client_id);\n        if (!client) {\n          return c.json({ error: \"invalid_client\", error_description: \"The client_id is incorrect.\" }, 401);\n        }\n        if (!constantTimeSecretEqual(client_secret, client.client_secret)) {\n          return c.json({ error: \"invalid_client\", error_description: \"The client_secret is incorrect.\" }, 401);\n        }\n      }\n\n      const accessToken = \"microsoft_\" + randomBytes(20).toString(\"base64url\");\n      const scopes = scope ? scope.split(/\\s+/).filter(Boolean) : [\".default\"];\n\n      if (tokenMap) {\n        tokenMap.set(accessToken, { login: client_id, id: 0, scopes });\n      }\n\n      debug(\"microsoft.oauth\", `[Microsoft client_credentials] issued token for ${client_id}`);\n\n      return c.json({\n        access_token: accessToken,\n        token_type: \"Bearer\",\n        expires_in: 3600,\n        scope: scope || \".default\",\n      });\n    }\n\n    return c.json({ error: \"unsupported_grant_type\", error_description: \"Only authorization_code, refresh_token, and client_credentials are supported.\" }, 400);\n  });\n\n  // ---------- UserInfo (Microsoft Graph /oidc/userinfo) ----------\n\n  app.get(\"/oidc/userinfo\", (c) => {\n    const authUser = c.get(\"authUser\");\n    if (!authUser) {\n      return c.json({ error: \"invalid_token\", error_description: \"Authentication required.\" }, 401);\n    }\n\n    const user = ms.users.findOneBy(\"email\", authUser.login as MicrosoftUser[\"email\"]);\n    if (!user) {\n      return c.json({ error: \"invalid_token\", error_description: \"User not found.\" }, 401);\n    }\n\n    return c.json({\n      sub: user.oid,\n      email: user.email,\n      name: user.name,\n      given_name: user.given_name,\n      family_name: user.family_name,\n      preferred_username: user.preferred_username,\n    });\n  });\n\n  // ---------- Microsoft Graph /me endpoint ----------\n\n  app.get(\"/v1.0/me\", (c) => {\n    const authUser = c.get(\"authUser\");\n    if (!authUser) {\n      return c.json({ error: { code: \"InvalidAuthenticationToken\", message: \"Authentication required.\" } }, 401);\n    }\n\n    const user = ms.users.findOneBy(\"email\", authUser.login as MicrosoftUser[\"email\"]);\n    if (!user) {\n      return c.json({ error: { code: \"Request_ResourceNotFound\", message: \"User not found.\" } }, 404);\n    }\n\n    return c.json({\n      \"@odata.context\": `${baseUrl}/v1.0/$metadata#users/$entity`,\n      id: user.oid,\n      displayName: user.name,\n      givenName: user.given_name,\n      surname: user.family_name,\n      mail: user.email,\n      userPrincipalName: user.preferred_username,\n    });\n  });\n\n  // ---------- Logout ----------\n\n  app.get(\"/oauth2/v2.0/logout\", (c) => {\n    const post_logout_redirect_uri = c.req.query(\"post_logout_redirect_uri\");\n    if (post_logout_redirect_uri) {\n      // Validate against registered client redirect URIs\n      const allClients = ms.oauthClients.all();\n      if (allClients.length > 0) {\n        const allowed = allClients.some((client) =>\n          matchesRedirectUri(post_logout_redirect_uri, client.redirect_uris),\n        );\n        if (!allowed) {\n          return c.text(\"Invalid post_logout_redirect_uri\", 400);\n        }\n      }\n      return c.redirect(post_logout_redirect_uri, 302);\n    }\n    return c.text(\"Logged out\", 200);\n  });\n\n  // ---------- Token revocation ----------\n\n  app.post(\"/oauth2/v2.0/revoke\", async (c) => {\n    const contentType = c.req.header(\"Content-Type\") ?? \"\";\n    const rawText = await c.req.text();\n\n    let token: string;\n    if (contentType.includes(\"application/json\")) {\n      try {\n        const parsed = JSON.parse(rawText);\n        token = typeof parsed.token === \"string\" ? parsed.token : \"\";\n      } catch {\n        token = \"\";\n      }\n    } else {\n      const params = new URLSearchParams(rawText);\n      token = params.get(\"token\") ?? \"\";\n    }\n\n    if (token && tokenMap) {\n      tokenMap.delete(token);\n    }\n\n    // Also check refresh tokens\n    if (token) {\n      getRefreshTokens(store).delete(token);\n    }\n\n    return c.body(null, 200);\n  });\n}\n","export interface Entity {\n  id: number;\n  created_at: string;\n  updated_at: string;\n}\n\nexport type InsertInput<T extends Entity> = Omit<T, \"id\" | \"created_at\" | \"updated_at\"> & { id?: number };\n\nexport type FilterFn<T> = (item: T) => boolean;\nexport type SortFn<T> = (a: T, b: T) => number;\n\nexport interface QueryOptions<T> {\n  filter?: FilterFn<T>;\n  sort?: SortFn<T>;\n  page?: number;\n  per_page?: number;\n}\n\nexport interface PaginatedResult<T> {\n  items: T[];\n  total_count: number;\n  page: number;\n  per_page: number;\n  has_next: boolean;\n  has_prev: boolean;\n}\n\nexport class Collection<T extends Entity> {\n  private items = new Map<number, T>();\n  private indexes = new Map<string, Map<string | number, Set<number>>>();\n  private autoId = 1;\n  readonly fieldNames: string[];\n\n  constructor(private indexFields: (keyof T)[] = []) {\n    this.fieldNames = indexFields.map(String).sort();\n    for (const field of indexFields) {\n      this.indexes.set(String(field), new Map());\n    }\n  }\n\n  private addToIndex(item: T): void {\n    for (const field of this.indexFields) {\n      const value = item[field];\n      if (value === undefined || value === null) continue;\n      const indexMap = this.indexes.get(String(field))!;\n      const key = String(value);\n      if (!indexMap.has(key)) {\n        indexMap.set(key, new Set());\n      }\n      indexMap.get(key)!.add(item.id);\n    }\n  }\n\n  private removeFromIndex(item: T): void {\n    for (const field of this.indexFields) {\n      const value = item[field];\n      if (value === undefined || value === null) continue;\n      const indexMap = this.indexes.get(String(field))!;\n      const key = String(value);\n      indexMap.get(key)?.delete(item.id);\n    }\n  }\n\n  insert(data: InsertInput<T>): T {\n    const now = new Date().toISOString();\n    const explicitId = data.id != null && data.id > 0 ? data.id : undefined;\n    const id = explicitId ?? this.autoId++;\n    if (id >= this.autoId) {\n      this.autoId = id + 1;\n    }\n    const item = {\n      ...data,\n      id,\n      created_at: now,\n      updated_at: now,\n    } as unknown as T;\n    this.items.set(id, item);\n    this.addToIndex(item);\n    return item;\n  }\n\n  get(id: number): T | undefined {\n    return this.items.get(id);\n  }\n\n  findBy(field: keyof T, value: T[keyof T] | string | number): T[] {\n    if (this.indexes.has(String(field))) {\n      const ids = this.indexes.get(String(field))!.get(String(value));\n      if (!ids) return [];\n      return Array.from(ids).map((id) => this.items.get(id)!).filter(Boolean);\n    }\n    return this.all().filter((item) => item[field] === value);\n  }\n\n  findOneBy(field: keyof T, value: T[keyof T] | string | number): T | undefined {\n    return this.findBy(field, value)[0];\n  }\n\n  update(id: number, data: Partial<T>): T | undefined {\n    const existing = this.items.get(id);\n    if (!existing) return undefined;\n    this.removeFromIndex(existing);\n    const updated = {\n      ...existing,\n      ...data,\n      id,\n      updated_at: new Date().toISOString(),\n    } as T;\n    this.items.set(id, updated);\n    this.addToIndex(updated);\n    return updated;\n  }\n\n  delete(id: number): boolean {\n    const existing = this.items.get(id);\n    if (!existing) return false;\n    this.removeFromIndex(existing);\n    return this.items.delete(id);\n  }\n\n  all(): T[] {\n    return Array.from(this.items.values());\n  }\n\n  query(options: QueryOptions<T> = {}): PaginatedResult<T> {\n    let results = this.all();\n\n    if (options.filter) {\n      results = results.filter(options.filter);\n    }\n\n    const total_count = results.length;\n\n    if (options.sort) {\n      results.sort(options.sort);\n    }\n\n    const page = options.page ?? 1;\n    const per_page = Math.min(options.per_page ?? 30, 100);\n    const start = (page - 1) * per_page;\n    const paged = results.slice(start, start + per_page);\n\n    return {\n      items: paged,\n      total_count,\n      page,\n      per_page,\n      has_next: start + per_page < total_count,\n      has_prev: page > 1,\n    };\n  }\n\n  count(filter?: FilterFn<T>): number {\n    if (!filter) return this.items.size;\n    return this.all().filter(filter).length;\n  }\n\n  clear(): void {\n    this.items.clear();\n    for (const indexMap of this.indexes.values()) {\n      indexMap.clear();\n    }\n    this.autoId = 1;\n  }\n}\n\nexport class Store {\n  private collections = new Map<string, Collection<any>>();\n  private _data = new Map<string, unknown>();\n\n  collection<T extends Entity>(name: string, indexFields: (keyof T)[] = []): Collection<T> {\n    const existing = this.collections.get(name);\n    if (existing) {\n      if (indexFields.length > 0) {\n        const requested = indexFields.map(String).sort();\n        if (existing.fieldNames.length !== requested.length || existing.fieldNames.some((f, i) => f !== requested[i])) {\n          throw new Error(\n            `Collection \"${name}\" already exists with indexes [${existing.fieldNames}] but was requested with [${requested}]`\n          );\n        }\n      }\n      return existing as Collection<T>;\n    }\n    const col = new Collection<T>(indexFields);\n    this.collections.set(name, col);\n    return col;\n  }\n\n  getData<V>(key: string): V | undefined {\n    return this._data.get(key) as V | undefined;\n  }\n\n  setData<V>(key: string, value: V): void {\n    this._data.set(key, value);\n  }\n\n  reset(): void {\n    for (const collection of this.collections.values()) {\n      collection.clear();\n    }\n    this._data.clear();\n  }\n}\n","import { Hono } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport { Store } from \"./store.js\";\nimport { WebhookDispatcher } from \"./webhooks.js\";\nimport { createApiErrorHandler, createErrorHandler } from \"./middleware/error-handler.js\";\nimport { authMiddleware, type AuthFallback, type TokenMap, type AppKeyResolver, type AppEnv } from \"./middleware/auth.js\";\nimport type { ServicePlugin } from \"./plugin.js\";\nimport { registerFontRoutes } from \"./fonts.js\";\n\nexport interface ServerOptions {\n  port?: number;\n  baseUrl?: string;\n  docsUrl?: string;\n  tokens?: Record<string, { login: string; id: number; scopes?: string[] }>;\n  appKeyResolver?: AppKeyResolver;\n  fallbackUser?: AuthFallback;\n}\n\nexport function createServer(plugin: ServicePlugin, options: ServerOptions = {}) {\n  const port = options.port ?? 4000;\n  const baseUrl = options.baseUrl ?? `http://localhost:${port}`;\n\n  const app = new Hono<AppEnv>();\n  const store = new Store();\n  const webhooks = new WebhookDispatcher();\n\n  const tokenMap: TokenMap = new Map();\n  if (options.tokens) {\n    for (const [token, user] of Object.entries(options.tokens)) {\n      tokenMap.set(token, {\n        login: user.login,\n        id: user.id,\n        scopes: user.scopes ?? [\"repo\", \"user\", \"admin:org\", \"admin:repo_hook\"],\n      });\n    }\n  }\n\n  const docsUrl = options.docsUrl ?? `https://emulate.dev/${plugin.name}`;\n\n  registerFontRoutes(app);\n\n  app.onError(createApiErrorHandler(docsUrl));\n  app.use(\"*\", cors());\n  app.use(\"*\", createErrorHandler(docsUrl));\n  app.use(\"*\", authMiddleware(tokenMap, options.appKeyResolver, options.fallbackUser));\n\n  const rateLimitCounters = new Map<string, { remaining: number; resetAt: number }>();\n  let lastPruneAt = Math.floor(Date.now() / 1000);\n\n  app.use(\"*\", async (c, next) => {\n    const token = c.get(\"authToken\") ?? \"__anonymous__\";\n    const now = Math.floor(Date.now() / 1000);\n\n    if (now - lastPruneAt > 3600) {\n      for (const [key, val] of rateLimitCounters) {\n        if (val.resetAt <= now) rateLimitCounters.delete(key);\n      }\n      lastPruneAt = now;\n    }\n\n    let counter = rateLimitCounters.get(token);\n    if (!counter || counter.resetAt <= now) {\n      counter = { remaining: 5000, resetAt: now + 3600 };\n      rateLimitCounters.set(token, counter);\n    }\n\n    counter.remaining = Math.max(0, counter.remaining - 1);\n\n    c.header(\"X-RateLimit-Limit\", \"5000\");\n    c.header(\"X-RateLimit-Remaining\", String(counter.remaining));\n    c.header(\"X-RateLimit-Reset\", String(counter.resetAt));\n    c.header(\"X-RateLimit-Resource\", \"core\");\n\n    if (counter.remaining === 0) {\n      return c.json(\n        {\n          message: \"API rate limit exceeded\",\n          documentation_url: docsUrl,\n        },\n        403\n      );\n    }\n\n    await next();\n  });\n\n  plugin.register(app, store, webhooks, baseUrl, tokenMap);\n\n  app.notFound((c) =>\n    c.json(\n      {\n        message: \"Not Found\",\n        documentation_url: docsUrl,\n      },\n      404\n    )\n  );\n\n  return { app, store, webhooks, port, baseUrl, tokenMap };\n}\n","import { createHmac } from \"crypto\";\n\nexport interface WebhookSubscription {\n  id: number;\n  url: string;\n  events: string[];\n  active: boolean;\n  secret?: string;\n  owner: string;\n  repo?: string;\n}\n\nexport interface WebhookDelivery {\n  id: number;\n  hook_id: number;\n  event: string;\n  action?: string;\n  payload: unknown;\n  status_code: number | null;\n  delivered_at: string;\n  duration: number | null;\n  success: boolean;\n}\n\nconst MAX_DELIVERIES = 1000;\n\nexport class WebhookDispatcher {\n  private subscriptions: WebhookSubscription[] = [];\n  private deliveries: WebhookDelivery[] = [];\n  private subscriptionIdCounter = 1;\n  private deliveryIdCounter = 1;\n\n  register(sub: Omit<WebhookSubscription, \"id\"> & { id?: number }): WebhookSubscription {\n    const { id: explicitId, ...rest } = sub;\n    const id = explicitId !== undefined ? explicitId : this.subscriptionIdCounter++;\n    if (id >= this.subscriptionIdCounter) {\n      this.subscriptionIdCounter = id + 1;\n    }\n    const subscription: WebhookSubscription = { ...rest, id };\n    this.subscriptions.push(subscription);\n    return subscription;\n  }\n\n  unregister(id: number): boolean {\n    const idx = this.subscriptions.findIndex((s) => s.id === id);\n    if (idx === -1) return false;\n    this.subscriptions.splice(idx, 1);\n    return true;\n  }\n\n  getSubscription(id: number): WebhookSubscription | undefined {\n    return this.subscriptions.find((s) => s.id === id);\n  }\n\n  getSubscriptions(owner?: string, repo?: string): WebhookSubscription[] {\n    return this.subscriptions.filter((s) => {\n      if (owner && s.owner !== owner) return false;\n      if (repo !== undefined && s.repo !== repo) return false;\n      return true;\n    });\n  }\n\n  updateSubscription(\n    id: number,\n    data: Partial<Pick<WebhookSubscription, \"url\" | \"events\" | \"active\" | \"secret\">>\n  ): WebhookSubscription | undefined {\n    const sub = this.subscriptions.find((s) => s.id === id);\n    if (!sub) return undefined;\n    Object.assign(sub, data);\n    return sub;\n  }\n\n  async dispatch(event: string, action: string | undefined, payload: unknown, owner: string, repo?: string): Promise<void> {\n    const matchingSubs = this.subscriptions.filter((s) => {\n      if (!s.active) return false;\n      if (s.owner !== owner) return false;\n      if (repo !== undefined) {\n        if (s.repo !== repo) return false;\n      } else if (s.repo !== undefined) {\n        return false;\n      }\n      return (\n        event === \"ping\" ||\n        s.events.includes(\"*\") ||\n        s.events.includes(event)\n      );\n    });\n\n    for (const sub of matchingSubs) {\n      const delivery: WebhookDelivery = {\n        id: this.deliveryIdCounter++,\n        hook_id: sub.id,\n        event,\n        action,\n        payload,\n        status_code: null,\n        delivered_at: new Date().toISOString(),\n        duration: null,\n        success: false,\n      };\n\n      const body = JSON.stringify(payload);\n\n      const signatureHeaders: Record<string, string> = {};\n      if (sub.secret) {\n        const hmac = createHmac(\"sha256\", sub.secret).update(body).digest(\"hex\");\n        signatureHeaders[\"X-Hub-Signature-256\"] = `sha256=${hmac}`;\n      }\n\n      try {\n        const start = Date.now();\n        const response = await fetch(sub.url, {\n          method: \"POST\",\n          headers: {\n            \"Content-Type\": \"application/json\",\n            \"X-GitHub-Event\": event,\n            \"X-GitHub-Delivery\": String(delivery.id),\n            ...signatureHeaders,\n          },\n          body,\n          signal: AbortSignal.timeout(10000),\n        });\n        delivery.duration = Date.now() - start;\n        delivery.status_code = response.status;\n        delivery.success = response.ok;\n      } catch {\n        delivery.duration = 0;\n        delivery.success = false;\n      }\n\n      this.deliveries.push(delivery);\n      if (this.deliveries.length > MAX_DELIVERIES) {\n        this.deliveries.splice(0, this.deliveries.length - MAX_DELIVERIES);\n      }\n    }\n  }\n\n  getDeliveries(hookId?: number): WebhookDelivery[] {\n    if (hookId !== undefined) {\n      return this.deliveries.filter((d) => d.hook_id === hookId);\n    }\n    return [...this.deliveries];\n  }\n\n  clear(): void {\n    this.subscriptions.length = 0;\n    this.deliveries.length = 0;\n    this.subscriptionIdCounter = 1;\n    this.deliveryIdCounter = 1;\n  }\n}\n","import type { Context, ErrorHandler, MiddlewareHandler } from \"hono\";\nimport type { ContentfulStatusCode } from \"hono/utils/http-status\";\n\nconst DEFAULT_DOCS_URL = \"https://emulate.dev\";\n\nfunction getDocsUrl(c: Context): string {\n  return (c.get(\"docsUrl\") as string | undefined) ?? DEFAULT_DOCS_URL;\n}\n\nfunction errorStatus(err: unknown): number {\n  if (err && typeof err === \"object\" && \"status\" in err) {\n    const s = (err as { status: unknown }).status;\n    if (typeof s === \"number\" && Number.isFinite(s)) return s;\n  }\n  return 500;\n}\n\n/**\n * Use with `app.onError(...)`. Hono routes handler throws to the app error handler, not to outer middleware try/catch.\n */\nexport function createApiErrorHandler(documentationUrl?: string): ErrorHandler {\n  return (err, c) => {\n    if (documentationUrl) {\n      c.set(\"docsUrl\", documentationUrl);\n    }\n    const status = errorStatus(err);\n    const message = err instanceof Error ? err.message : \"Internal Server Error\";\n    return c.json(\n      {\n        message,\n        documentation_url: getDocsUrl(c),\n      },\n      status as ContentfulStatusCode\n    );\n  };\n}\n\n/** Sets `docsUrl` on the context for successful responses; register `createApiErrorHandler` for thrown `ApiError`s. */\nexport function createErrorHandler(documentationUrl?: string): MiddlewareHandler {\n  return async (c, next) => {\n    if (documentationUrl) {\n      c.set(\"docsUrl\", documentationUrl);\n    }\n    await next();\n  };\n}\n\nexport const errorHandler: MiddlewareHandler = createErrorHandler();\n\nexport class ApiError extends Error {\n  constructor(\n    public status: number,\n    message: string,\n    public errors?: Array<{ resource: string; field: string; code: string }>\n  ) {\n    super(message);\n    this.name = \"ApiError\";\n  }\n}\n\nexport function notFound(resource?: string): ApiError {\n  return new ApiError(404, resource ? `${resource} not found` : \"Not Found\");\n}\n\nexport function validationError(message: string, errors?: ApiError[\"errors\"]): ApiError {\n  return new ApiError(422, message, errors);\n}\n\nexport function unauthorized(): ApiError {\n  return new ApiError(401, \"Requires authentication\");\n}\n\nexport function forbidden(): ApiError {\n  return new ApiError(403, \"Forbidden\");\n}\n\nexport async function parseJsonBody(c: Context): Promise<Record<string, unknown>> {\n  try {\n    const body = await c.req.json();\n    if (body && typeof body === \"object\" && !Array.isArray(body)) {\n      return body as Record<string, unknown>;\n    }\n    return {};\n  } catch {\n    throw new ApiError(400, \"Problems parsing JSON\");\n  }\n}\n","import type { Context, Next } from \"hono\";\nimport { jwtVerify, importPKCS8 } from \"jose\";\nimport { debug } from \"../debug.js\";\n\nexport interface AuthUser {\n  login: string;\n  id: number;\n  scopes: string[];\n}\n\nexport interface AuthApp {\n  appId: number;\n  slug: string;\n  name: string;\n}\n\nexport interface AuthInstallation {\n  installationId: number;\n  appId: number;\n  permissions: Record<string, string>;\n  repositoryIds: number[];\n  repositorySelection: \"all\" | \"selected\";\n}\n\nexport type TokenMap = Map<string, AuthUser>;\n\nexport type AppEnv = {\n  Variables: {\n    authUser?: AuthUser;\n    authApp?: AuthApp;\n    authToken?: string;\n    authScopes?: string[];\n    docsUrl?: string;\n  };\n};\n\nexport interface AppKeyResolver {\n  (appId: number): { privateKey: string; slug: string; name: string } | null;\n}\n\nexport interface AuthFallback {\n  login: string;\n  id: number;\n  scopes: string[];\n}\n\nexport function authMiddleware(tokens: TokenMap, appKeyResolver?: AppKeyResolver, fallbackUser?: AuthFallback) {\n  return async (c: Context, next: Next) => {\n    const authHeader = c.req.header(\"Authorization\");\n    if (authHeader) {\n      const token = authHeader.replace(/^(Bearer|token)\\s+/i, \"\").trim();\n\n      if (token.startsWith(\"eyJ\") && appKeyResolver) {\n        try {\n          const [, payloadB64] = token.split(\".\");\n          const payload = JSON.parse(\n            Buffer.from(payloadB64, \"base64url\").toString()\n          );\n          const appId = typeof payload.iss === \"string\" ? parseInt(payload.iss, 10) : payload.iss;\n\n          if (typeof appId === \"number\" && !isNaN(appId)) {\n            const appInfo = appKeyResolver(appId);\n            if (appInfo) {\n              const key = await importPKCS8(appInfo.privateKey, \"RS256\");\n              await jwtVerify(token, key, { algorithms: [\"RS256\"] });\n              c.set(\"authApp\", {\n                appId,\n                slug: appInfo.slug,\n                name: appInfo.name,\n              } satisfies AuthApp);\n            }\n          }\n        } catch {\n          // JWT verification failed\n        }\n      } else {\n        let user = tokens.get(token);\n        if (!user && fallbackUser && token.length > 0) {\n          debug(\"auth\", \"fallback user for unknown token\", { login: fallbackUser.login, id: fallbackUser.id });\n          user = { login: fallbackUser.login, id: fallbackUser.id, scopes: fallbackUser.scopes };\n        }\n        if (user) {\n          c.set(\"authUser\", user);\n          c.set(\"authToken\", token);\n          c.set(\"authScopes\", user.scopes);\n        }\n      }\n    }\n    await next();\n  };\n}\n\nexport function requireAuth() {\n  return async (c: Context, next: Next) => {\n    if (!c.get(\"authUser\")) {\n      const docsUrl = (c.get(\"docsUrl\") as string | undefined) ?? \"https://emulate.dev\";\n      return c.json(\n        {\n          message: \"Requires authentication\",\n          documentation_url: docsUrl,\n        },\n        401\n      );\n    }\n    await next();\n  };\n}\n\nexport function requireAppAuth() {\n  return async (c: Context, next: Next) => {\n    if (!c.get(\"authApp\")) {\n      const docsUrl = (c.get(\"docsUrl\") as string | undefined) ?? \"https://emulate.dev\";\n      return c.json(\n        {\n          message: \"A JSON web token could not be decoded\",\n          documentation_url: docsUrl,\n        },\n        401\n      );\n    }\n    await next();\n  };\n}\n","const isDebug = typeof process !== \"undefined\" && (process.env.DEBUG === \"1\" || process.env.DEBUG === \"true\" || process.env.EMULATE_DEBUG === \"1\");\n\nexport function debug(label: string, ...args: unknown[]): void {\n  if (isDebug) {\n    console.log(`[${label}]`, ...args);\n  }\n}\n","import { readFileSync } from \"node:fs\";\nimport { fileURLToPath } from \"node:url\";\nimport { dirname, join } from \"node:path\";\nimport type { Hono } from \"hono\";\nimport type { AppEnv } from \"./middleware/auth.js\";\n\nconst __dirname = dirname(fileURLToPath(import.meta.url));\n\nconst FONTS: Record<string, Buffer> = {\n  \"geist-sans.woff2\": readFileSync(join(__dirname, \"fonts\", \"geist-sans.woff2\")),\n  \"GeistPixel-Square.woff2\": readFileSync(join(__dirname, \"fonts\", \"GeistPixel-Square.woff2\")),\n};\n\nexport function registerFontRoutes(app: Hono<AppEnv>): void {\n  app.get(\"/_emulate/fonts/:name\", (c) => {\n    const name = c.req.param(\"name\");\n    const buf = FONTS[name];\n    if (!buf) return c.notFound();\n    return new Response(buf, {\n      headers: {\n        \"Content-Type\": \"font/woff2\",\n        \"Cache-Control\": \"public, max-age=31536000, immutable\",\n        \"Access-Control-Allow-Origin\": \"*\",\n      },\n    });\n  });\n}\n","import type { Context } from \"hono\";\n\nexport interface PaginationParams {\n  page: number;\n  per_page: number;\n}\n\nexport function parsePagination(c: Context): PaginationParams {\n  const page = Math.max(1, parseInt(c.req.query(\"page\") ?? \"1\", 10) || 1);\n  const per_page = Math.min(100, Math.max(1, parseInt(c.req.query(\"per_page\") ?? \"30\", 10) || 30));\n  return { page, per_page };\n}\n\nexport function setLinkHeader(\n  c: Context,\n  totalCount: number,\n  page: number,\n  perPage: number\n): void {\n  const lastPage = Math.max(1, Math.ceil(totalCount / perPage));\n  const baseUrl = new URL(c.req.url);\n  const links: string[] = [];\n\n  const makeLink = (p: number, rel: string) => {\n    baseUrl.searchParams.set(\"page\", String(p));\n    baseUrl.searchParams.set(\"per_page\", String(perPage));\n    return `<${baseUrl.toString()}>; rel=\"${rel}\"`;\n  };\n\n  if (page < lastPage) {\n    links.push(makeLink(page + 1, \"next\"));\n    links.push(makeLink(lastPage, \"last\"));\n  }\n  if (page > 1) {\n    links.push(makeLink(1, \"first\"));\n    links.push(makeLink(page - 1, \"prev\"));\n  }\n\n  if (links.length > 0) {\n    c.header(\"Link\", links.join(\", \"));\n  }\n}\n","export function escapeHtml(s: string): string {\n  return s\n    .replace(/&/g, \"&amp;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\")\n    .replace(/\"/g, \"&quot;\");\n}\n\nexport function escapeAttr(s: string): string {\n  return escapeHtml(s).replace(/'/g, \"&#39;\");\n}\n\nconst CSS = `\n@font-face{\n  font-family:'Geist';font-style:normal;font-weight:100 900;font-display:swap;\n  src:url('/_emulate/fonts/geist-sans.woff2') format('woff2');\n}\n@font-face{\n  font-family:'Geist Pixel';font-style:normal;font-weight:400;font-display:swap;\n  src:url('/_emulate/fonts/GeistPixel-Square.woff2') format('woff2');\n}\n*{box-sizing:border-box;margin:0;padding:0}\nbody{\n  font-family:'Geist',-apple-system,BlinkMacSystemFont,sans-serif;\n  background:#000;color:#33ff00;min-height:100vh;\n  -webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;\n}\n.emu-bar{\n  border-bottom:1px solid #0a3300;padding:10px 20px;\n  display:flex;align-items:center;gap:10px;font-size:.8125rem;color:#1a8c00;\n}\n.emu-bar-title{font-weight:600;color:#33ff00;font-family:'Geist Pixel',monospace;}\n.emu-bar-links{margin-left:auto;display:flex;gap:16px;}\n.emu-bar-links a{\n  color:#1a8c00;font-size:.75rem;text-decoration:none;transition:color .15s;\n}\n.emu-bar-links a:hover{color:#33ff00;}\n.emu-bar-links a .full{display:inline;}\n.emu-bar-links a .short{display:none;}\n@media(max-width:600px){\n  .emu-bar-links a .full{display:none;}\n  .emu-bar-links a .short{display:inline;}\n}\n\n.content{\n  display:flex;align-items:center;justify-content:center;\n  min-height:calc(100vh - 42px);padding:24px 16px;\n}\n.content-inner{width:100%;max-width:420px;}\n.card-title{\n  font-family:'Geist Pixel',monospace;\n  font-size:1.125rem;font-weight:600;margin-bottom:4px;color:#33ff00;\n}\n.card-subtitle{color:#1a8c00;font-size:.8125rem;margin-bottom:18px;line-height:1.45;}\n.powered-by{\n  position:fixed;bottom:0;left:0;right:0;\n  text-align:center;padding:12px;font-size:.6875rem;color:#0a3300;\n  font-family:'Geist Pixel',monospace;\n}\n.powered-by a{color:#1a8c00;text-decoration:none;transition:color .15s;}\n.powered-by a:hover{color:#33ff00;}\n\n.error-title{\n  font-family:'Geist Pixel',monospace;\n  color:#ff4444;font-size:1.125rem;font-weight:600;margin-bottom:8px;\n}\n.error-msg{color:#1a8c00;font-size:.875rem;line-height:1.5;}\n.error-card{text-align:center;}\n\n.user-form{margin-bottom:8px;}\n.user-form:last-of-type{margin-bottom:0;}\n.user-btn{\n  width:100%;display:flex;align-items:center;gap:12px;\n  padding:10px 12px;border:1px solid #0a3300;border-radius:8px;\n  background:#000;color:inherit;cursor:pointer;text-align:left;\n  font:inherit;transition:border-color .15s;\n}\n.user-btn:hover{border-color:#33ff00;}\n.avatar{\n  width:36px;height:36px;border-radius:50%;\n  background:#0a3300;color:#33ff00;font-weight:600;font-size:.875rem;\n  display:flex;align-items:center;justify-content:center;flex-shrink:0;\n  font-family:'Geist Pixel',monospace;\n}\n.user-text{min-width:0;}\n.user-login{font-weight:600;font-size:.875rem;display:block;color:#33ff00;}\n.user-meta{color:#1a8c00;font-size:.75rem;margin-top:1px;}\n.user-email{font-size:.6875rem;color:#116600;word-break:break-all;margin-top:1px;}\n\n.settings-layout{\n  max-width:920px;margin:0 auto;padding:28px 20px;\n  display:flex;gap:28px;\n}\n.settings-sidebar{width:200px;flex-shrink:0;}\n.settings-sidebar a{\n  display:block;padding:6px 10px;border-radius:6px;color:#1a8c00;\n  text-decoration:none;font-size:.8125rem;transition:color .15s;\n}\n.settings-sidebar a:hover{color:#33ff00;}\n.settings-sidebar a.active{color:#33ff00;font-weight:600;}\n.settings-main{flex:1;min-width:0;}\n\n.s-card{\n  padding:18px 0;margin-bottom:14px;border-bottom:1px solid #0a3300;\n}\n.s-card:last-child{border-bottom:none;}\n.s-card-header{display:flex;align-items:center;gap:14px;margin-bottom:14px;}\n.s-icon{\n  width:42px;height:42px;border-radius:8px;\n  background:#0a3300;display:flex;align-items:center;justify-content:center;\n  font-size:1.125rem;font-weight:700;color:#116600;flex-shrink:0;\n  font-family:'Geist Pixel',monospace;\n}\n.s-title{\n  font-family:'Geist Pixel',monospace;\n  font-size:1.25rem;font-weight:600;color:#33ff00;\n}\n.s-subtitle{font-size:.75rem;color:#1a8c00;margin-top:2px;}\n.section-heading{\n  font-size:.9375rem;font-weight:600;margin-bottom:10px;color:#33ff00;\n  display:flex;align-items:center;justify-content:space-between;\n}\n.perm-list{list-style:none;}\n.perm-list li{padding:5px 0;font-size:.8125rem;display:flex;align-items:center;gap:6px;color:#1a8c00;}\n.check{color:#33ff00;}\n.org-row{\n  display:flex;align-items:center;gap:8px;padding:7px 0;\n  border-bottom:1px solid #0a3300;font-size:.8125rem;\n}\n.org-row:last-child{border-bottom:none;}\n.org-icon{\n  width:22px;height:22px;border-radius:4px;background:#0a3300;\n  display:flex;align-items:center;justify-content:center;\n  font-size:.625rem;font-weight:700;color:#116600;flex-shrink:0;\n  font-family:'Geist Pixel',monospace;\n}\n.org-name{font-weight:600;color:#33ff00;}\n.badge{font-size:.6875rem;padding:1px 7px;border-radius:999px;font-weight:500;}\n.badge-granted{background:#0a3300;color:#33ff00;}\n.badge-denied{background:#1a0a0a;color:#ff4444;}\n.badge-requested{background:#0a3300;color:#1a8c00;}\n.btn-revoke{\n  display:inline-block;padding:5px 14px;border-radius:6px;\n  border:1px solid #0a3300;background:transparent;color:#ff4444;\n  font-size:.75rem;font-weight:600;cursor:pointer;transition:border-color .15s;\n}\n.btn-revoke:hover{border-color:#ff4444;}\n.info-text{color:#1a8c00;font-size:.75rem;line-height:1.5;margin-top:10px;}\n.app-link{\n  display:flex;align-items:center;gap:12px;padding:12px;\n  border:1px solid #0a3300;border-radius:8px;background:#000;\n  text-decoration:none;color:inherit;margin-bottom:8px;transition:border-color .15s;\n}\n.app-link:hover{border-color:#33ff00;}\n.app-link-name{font-weight:600;font-size:.875rem;color:#33ff00;}\n.app-link-scopes{font-size:.6875rem;color:#1a8c00;margin-top:1px;}\n.empty{color:#1a8c00;text-align:center;padding:28px 0;font-size:.875rem;}\n`;\n\nconst POWERED_BY = `<div class=\"powered-by\">Powered by <a href=\"https://emulate.dev\" target=\"_blank\" rel=\"noopener\">emulate</a></div>`;\n\nfunction emuBar(service?: string): string {\n  const title = service ? `${escapeHtml(service)} Emulator` : \"Emulator\";\n  return `<div class=\"emu-bar\">\n  <span class=\"emu-bar-title\">${title}</span>\n  <nav class=\"emu-bar-links\">\n    <a href=\"https://github.com/vercel-labs/emulate/issues\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Report Issue</span><span class=\"short\">Report</span></a>\n    <a href=\"https://github.com/vercel-labs/emulate\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Source Code</span><span class=\"short\">Source</span></a>\n    <a href=\"https://emulate.dev\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Learn More</span><span class=\"short\">Learn</span></a>\n  </nav>\n</div>`;\n}\n\nfunction head(title: string): string {\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\"/>\n<meta name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n<title>${escapeHtml(title)} | emulate</title>\n<style>${CSS}</style>\n</head>`;\n}\n\nexport function renderCardPage(\n  title: string,\n  subtitle: string,\n  body: string,\n  service?: string\n): string {\n  return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"content\">\n  <div class=\"content-inner\">\n    <div class=\"card-title\">${escapeHtml(title)}</div>\n    <div class=\"card-subtitle\">${subtitle}</div>\n    ${body}\n  </div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport function renderErrorPage(title: string, message: string, service?: string): string {\n  return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"content\">\n  <div class=\"content-inner error-card\">\n    <div class=\"error-title\">${escapeHtml(title)}</div>\n    <div class=\"error-msg\">${escapeHtml(message)}</div>\n  </div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport function renderSettingsPage(\n  title: string,\n  sidebarHtml: string,\n  bodyHtml: string,\n  service?: string\n): string {\n  return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"settings-layout\">\n  <nav class=\"settings-sidebar\">${sidebarHtml}</nav>\n  <div class=\"settings-main\">${bodyHtml}</div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport interface UserButtonOptions {\n  letter: string;\n  login: string;\n  name?: string;\n  email?: string;\n  formAction: string;\n  hiddenFields: Record<string, string>;\n}\n\nexport function renderUserButton(opts: UserButtonOptions): string {\n  const hiddens = Object.entries(opts.hiddenFields)\n    .map(([k, v]) => `<input type=\"hidden\" name=\"${escapeAttr(k)}\" value=\"${escapeAttr(v)}\"/>`)\n    .join(\"\");\n\n  const nameLine = opts.name\n    ? `<div class=\"user-meta\">${escapeHtml(opts.name)}</div>`\n    : \"\";\n  const emailLine = opts.email\n    ? `<div class=\"user-email\">${escapeHtml(opts.email)}</div>`\n    : \"\";\n\n  return `<form class=\"user-form\" method=\"post\" action=\"${escapeAttr(opts.formAction)}\">\n${hiddens}\n<button type=\"submit\" class=\"user-btn\">\n  <span class=\"avatar\">${escapeHtml(opts.letter)}</span>\n  <span class=\"user-text\">\n    <span class=\"user-login\">${escapeHtml(opts.login)}</span>\n    ${nameLine}${emailLine}\n  </span>\n</button>\n</form>`;\n}\n","import { timingSafeEqual } from \"crypto\";\n\nexport function normalizeUri(uri: string): string {\n  try {\n    const u = new URL(uri);\n    return `${u.origin}${u.pathname.replace(/\\/+$/, \"\")}`;\n  } catch {\n    return uri.replace(/\\/+$/, \"\").split(\"?\")[0];\n  }\n}\n\nexport function matchesRedirectUri(incoming: string, registered: string[]): boolean {\n  const normalized = normalizeUri(incoming);\n  return registered.some((r) => normalizeUri(r) === normalized);\n}\n\nexport function constantTimeSecretEqual(a: string, b: string): boolean {\n  const bufA = Buffer.from(a, \"utf-8\");\n  const bufB = Buffer.from(b, \"utf-8\");\n  if (bufA.length !== bufB.length) return false;\n  return timingSafeEqual(bufA, bufB);\n}\n\nexport function bodyStr(v: unknown): string {\n  if (typeof v === \"string\") return v;\n  if (Array.isArray(v) && typeof v[0] === \"string\") return v[0];\n  return \"\";\n}\n\nexport function parseCookies(header: string): Record<string, string> {\n  const cookies: Record<string, string> = {};\n  for (const part of header.split(\";\")) {\n    const [k, ...v] = part.split(\"=\");\n    if (k) cookies[k.trim()] = v.join(\"=\").trim();\n  }\n  return cookies;\n}\n","import type { Hono } from \"hono\";\nimport type { ServicePlugin, Store, WebhookDispatcher, TokenMap, AppEnv, RouteContext } from \"@emulators/core\";\nimport { getMicrosoftStore } from \"./store.js\";\nimport { generateOid, DEFAULT_TENANT_ID } from \"./helpers.js\";\nimport { oauthRoutes } from \"./routes/oauth.js\";\n\nexport { getMicrosoftStore, type MicrosoftStore } from \"./store.js\";\nexport * from \"./entities.js\";\n\n\nexport interface MicrosoftSeedConfig {\n  users?: Array<{\n    email: string;\n    name?: string;\n    given_name?: string;\n    family_name?: string;\n    tenant_id?: string;\n  }>;\n  oauth_clients?: Array<{\n    client_id: string;\n    client_secret: string;\n    name: string;\n    redirect_uris: string[];\n    tenant_id?: string;\n  }>;\n}\n\nfunction seedDefaults(store: Store, _baseUrl: string): void {\n  const ms = getMicrosoftStore(store);\n\n  ms.users.insert({\n    oid: generateOid(),\n    email: \"testuser@outlook.com\",\n    name: \"Test User\",\n    given_name: \"Test\",\n    family_name: \"User\",\n    email_verified: true,\n    tenant_id: DEFAULT_TENANT_ID,\n    preferred_username: \"testuser@outlook.com\",\n  });\n}\n\nexport function seedFromConfig(store: Store, _baseUrl: string, config: MicrosoftSeedConfig): void {\n  const ms = getMicrosoftStore(store);\n\n  if (config.users) {\n    for (const u of config.users) {\n      const existing = ms.users.findOneBy(\"email\", u.email);\n      if (existing) continue;\n\n      const nameParts = (u.name ?? \"\").split(/\\s+/);\n      ms.users.insert({\n        oid: generateOid(),\n        email: u.email,\n        name: u.name ?? u.email.split(\"@\")[0],\n        given_name: u.given_name ?? nameParts[0] ?? \"\",\n        family_name: u.family_name ?? nameParts.slice(1).join(\" \") ?? \"\",\n        email_verified: true,\n        tenant_id: u.tenant_id ?? DEFAULT_TENANT_ID,\n        preferred_username: u.email,\n      });\n    }\n  }\n\n  if (config.oauth_clients) {\n    for (const client of config.oauth_clients) {\n      const existing = ms.oauthClients.findOneBy(\"client_id\", client.client_id);\n      if (existing) continue;\n      ms.oauthClients.insert({\n        client_id: client.client_id,\n        client_secret: client.client_secret,\n        name: client.name,\n        redirect_uris: client.redirect_uris,\n        tenant_id: client.tenant_id ?? DEFAULT_TENANT_ID,\n      });\n    }\n  }\n}\n\nexport const microsoftPlugin: ServicePlugin = {\n  name: \"microsoft\",\n  register(app: Hono<AppEnv>, store: Store, webhooks: WebhookDispatcher, baseUrl: string, tokenMap?: TokenMap): void {\n    const ctx: RouteContext = { app, store, webhooks, baseUrl, tokenMap };\n    oauthRoutes(ctx);\n  },\n  seed(store: Store, baseUrl: string): void {\n    seedDefaults(store, baseUrl);\n  },\n};\n\nexport default microsoftPlugin;\n"],"mappings":";AAQO,SAAS,kBAAkB,OAA8B;AAC9D,SAAO;AAAA,IACL,OAAO,MAAM,WAA0B,mBAAmB,CAAC,OAAO,OAAO,CAAC;AAAA,IAC1E,cAAc,MAAM,WAAiC,2BAA2B,CAAC,WAAW,CAAC;AAAA,EAC/F;AACF;;;ACbA,SAAS,kBAAkB;AAGpB,IAAM,oBAAoB;AAK1B,SAAS,cAAsB;AACpC,SAAO,WAAW;AACpB;;;ACVA,SAAS,YAAY,mBAAmB;AACxC,SAAS,SAAS,WAAW,uBAAuB;;;AEDpD,SAAS,YAAY;AACrB,SAAS,YAAY;AGArB,SAAS,WAAW,mBAAmB;AEDvC,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB;AAC9B,SAAS,SAAS,YAAY;AGF9B,SAAS,uBAAuB;ANsCzB,SAAS,mBAAmB,kBAA8C;AAC/E,SAAO,OAAO,GAAG,SAAS;AACxB,QAAI,kBAAkB;AACpB,QAAE,IAAI,WAAW,gBAAgB;IACnC;AACA,UAAM,KAAK;EACb;AACF;AAEO,IAAM,eAAkC,mBAAmB;AE/ClE,IAAM,UAAU,OAAO,YAAY,gBAAgB,QAAQ,IAAI,UAAU,OAAO,QAAQ,IAAI,UAAU,UAAU,QAAQ,IAAI,kBAAkB;AAEvI,SAAS,MAAM,UAAkB,MAAuB;AAC7D,MAAI,SAAS;AACX,YAAQ,IAAI,IAAI,KAAK,KAAK,GAAG,IAAI;EACnC;AACF;ACAA,IAAM,YAAY,QAAQ,cAAc,YAAY,GAAG,CAAC;AAExD,IAAM,QAAgC;EACpC,oBAAoB,aAAa,KAAK,WAAW,SAAS,kBAAkB,CAAC;EAC7E,2BAA2B,aAAa,KAAK,WAAW,SAAS,yBAAyB,CAAC;AAC7F;AEXO,SAAS,WAAW,GAAmB;AAC5C,SAAO,EACJ,QAAQ,MAAM,OAAO,EACrB,QAAQ,MAAM,MAAM,EACpB,QAAQ,MAAM,MAAM,EACpB,QAAQ,MAAM,QAAQ;AAC3B;AAEO,SAAS,WAAW,GAAmB;AAC5C,SAAO,WAAW,CAAC,EAAE,QAAQ,MAAM,OAAO;AAC5C;AAEA,IAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmJZ,IAAM,aAAa;AAEnB,SAAS,OAAO,SAA0B;AACxC,QAAM,QAAQ,UAAU,GAAG,WAAW,OAAO,CAAC,cAAc;AAC5D,SAAO;gCACuB,KAAK;;;;;;;AAOrC;AAEA,SAAS,KAAK,OAAuB;AACnC,SAAO;;;;;SAKA,WAAW,KAAK,CAAC;SACjB,GAAG;;AAEZ;AAEO,SAAS,eACd,OACA,UACA,MACA,SACQ;AACR,SAAO,GAAG,KAAK,KAAK,CAAC;;EAErB,OAAO,OAAO,CAAC;;;8BAGa,WAAW,KAAK,CAAC;iCACd,QAAQ;MACnC,IAAI;;;EAGR,UAAU;;AAEZ;AAEO,SAAS,gBAAgB,OAAe,SAAiB,SAA0B;AACxF,SAAO,GAAG,KAAK,KAAK,CAAC;;EAErB,OAAO,OAAO,CAAC;;;+BAGc,WAAW,KAAK,CAAC;6BACnB,WAAW,OAAO,CAAC;;;EAG9C,UAAU;;AAEZ;AA4BO,SAAS,iBAAiB,MAAiC;AAChE,QAAM,UAAU,OAAO,QAAQ,KAAK,YAAY,EAC7C,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,8BAA8B,WAAW,CAAC,CAAC,YAAY,WAAW,CAAC,CAAC,KAAK,EACzF,KAAK,EAAE;AAEV,QAAM,WAAW,KAAK,OAClB,0BAA0B,WAAW,KAAK,IAAI,CAAC,WAC/C;AACJ,QAAM,YAAY,KAAK,QACnB,2BAA2B,WAAW,KAAK,KAAK,CAAC,WACjD;AAEJ,SAAO,iDAAiD,WAAW,KAAK,UAAU,CAAC;EACnF,OAAO;;yBAEgB,WAAW,KAAK,MAAM,CAAC;;+BAEjB,WAAW,KAAK,KAAK,CAAC;MAC/C,QAAQ,GAAG,SAAS;;;;AAI1B;ACxQO,SAAS,aAAa,KAAqB;AAChD,MAAI;AACF,UAAM,IAAI,IAAI,IAAI,GAAG;AACrB,WAAO,GAAG,EAAE,MAAM,GAAG,EAAE,SAAS,QAAQ,QAAQ,EAAE,CAAC;EACrD,QAAQ;AACN,WAAO,IAAI,QAAQ,QAAQ,EAAE,EAAE,MAAM,GAAG,EAAE,CAAC;EAC7C;AACF;AAEO,SAAS,mBAAmB,UAAkB,YAA+B;AAClF,QAAM,aAAa,aAAa,QAAQ;AACxC,SAAO,WAAW,KAAK,CAAC,MAAM,aAAa,CAAC,MAAM,UAAU;AAC9D;AAEO,SAAS,wBAAwB,GAAW,GAAoB;AACrE,QAAM,OAAO,OAAO,KAAK,GAAG,OAAO;AACnC,QAAM,OAAO,OAAO,KAAK,GAAG,OAAO;AACnC,MAAI,KAAK,WAAW,KAAK,OAAQ,QAAO;AACxC,SAAO,gBAAgB,MAAM,IAAI;AACnC;AAEO,SAAS,QAAQ,GAAoB;AAC1C,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,MAAI,MAAM,QAAQ,CAAC,KAAK,OAAO,EAAE,CAAC,MAAM,SAAU,QAAO,EAAE,CAAC;AAC5D,SAAO;AACT;;;AVPA,IAAM,iBAAiB,gBAAgB,OAAO;AAC9C,IAAM,MAAM;AAoBZ,IAAM,sBAAsB,KAAK,KAAK;AAEtC,SAAS,gBAAgB,OAAwC;AAC/D,MAAI,MAAM,MAAM,QAAkC,8BAA8B;AAChF,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,UAAM,QAAQ,gCAAgC,GAAG;AAAA,EACnD;AACA,SAAO;AACT;AAEA,SAAS,iBAAiB,OAA+C;AACvE,MAAI,MAAM,MAAM,QAAyC,+BAA+B;AACxF,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,UAAM,QAAQ,iCAAiC,GAAG;AAAA,EACpD;AACA,SAAO;AACT;AAEA,SAAS,qBAAqB,GAAyB;AACrD,SAAO,KAAK,IAAI,IAAI,EAAE,aAAa;AACrC;AAEA,IAAM,gBAAgB;AAEtB,eAAe,cACb,MACA,UACA,OACA,SACiB;AACjB,QAAM,EAAE,WAAW,IAAI,MAAM;AAC7B,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAExC,QAAM,UAAU,IAAI,QAAQ;AAAA,IAC1B,KAAK,KAAK;AAAA,IACV,OAAO,KAAK;AAAA,IACZ,MAAM,KAAK;AAAA,IACX,YAAY,KAAK;AAAA,IACjB,aAAa,KAAK;AAAA,IAClB,oBAAoB,KAAK;AAAA,IACzB,KAAK,KAAK;AAAA,IACV,KAAK,KAAK;AAAA,IACV,KAAK;AAAA,IACL,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,EAC3B,CAAC,EACE,mBAAmB,EAAE,KAAK,SAAS,KAAK,KAAK,KAAK,MAAM,CAAC,EACzD,UAAU,GAAG,OAAO,IAAI,KAAK,SAAS,OAAO,EAC7C,YAAY,QAAQ,EACpB,YAAY,GAAG,EACf,kBAAkB,IAAI;AAEzB,SAAO,QAAQ,KAAK,UAAU;AAChC;AAEO,SAAS,YAAY,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AACjF,QAAM,KAAK,kBAAkB,KAAK;AAMlC,QAAM,aAAa,CAAC,cAAsB;AAAA,IACxC,QAAQ,GAAG,OAAO,IAAI,QAAQ;AAAA,IAC9B,wBAAwB,GAAG,OAAO;AAAA,IAClC,gBAAgB,GAAG,OAAO;AAAA,IAC1B,mBAAmB,GAAG,OAAO;AAAA,IAC7B,sBAAsB,GAAG,OAAO;AAAA,IAChC,UAAU,GAAG,OAAO;AAAA,IACpB,0BAA0B,CAAC,MAAM;AAAA,IACjC,0BAA0B,CAAC,SAAS,YAAY,WAAW;AAAA,IAC3D,yBAAyB,CAAC,UAAU;AAAA,IACpC,uCAAuC,CAAC,OAAO;AAAA,IAC/C,kBAAkB,CAAC,UAAU,SAAS,WAAW,kBAAkB,aAAa,UAAU;AAAA,IAC1F,uBAAuB,CAAC,sBAAsB,iBAAiB,oBAAoB;AAAA,IACnF,uCAAuC,CAAC,sBAAsB,qBAAqB;AAAA,IACnF,kBAAkB;AAAA,MAChB;AAAA,MAAO;AAAA,MAAO;AAAA,MAAO;AAAA,MAAO;AAAA,MAAO;AAAA,MACnC;AAAA,MAAQ;AAAA,MAAS;AAAA,MAAc;AAAA,MAC/B;AAAA,MAAsB;AAAA,MAAO;AAAA,MAAO;AAAA,IACtC;AAAA,IACA,kCAAkC,CAAC,SAAS,MAAM;AAAA,EACpD;AAEA,MAAI,IAAI,qCAAqC,CAAC,MAAM;AAClD,WAAO,EAAE,KAAK,WAAW,iBAAiB,CAAC;AAAA,EAC7C,CAAC;AAED,MAAI,IAAI,kDAAkD,CAAC,MAAM;AAC/D,UAAM,SAAS,EAAE,IAAI,MAAM,QAAQ;AACnC,WAAO,EAAE,KAAK,WAAW,WAAW,YAAY,WAAW,mBAAmB,WAAW,cAAc,oBAAoB,MAAM,CAAC;AAAA,EACpI,CAAC;AAID,MAAI,IAAI,wBAAwB,OAAO,MAAM;AAC3C,UAAM,EAAE,UAAU,IAAI,MAAM;AAC5B,UAAM,MAAM,MAAM,UAAU,SAAS;AACrC,WAAO,EAAE,KAAK;AAAA,MACZ,MAAM,CAAC;AAAA,QACL,GAAG;AAAA,QACH,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AAAA,MACP,CAAC;AAAA,IACH,CAAC;AAAA,EACH,CAAC;AAID,MAAI,IAAI,0BAA0B,CAAC,MAAM;AACvC,UAAM,YAAY,EAAE,IAAI,MAAM,WAAW,KAAK;AAC9C,UAAM,eAAe,EAAE,IAAI,MAAM,cAAc,KAAK;AACpD,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,gBAAgB,EAAE,IAAI,MAAM,eAAe,KAAK;AACtD,UAAM,iBAAiB,EAAE,IAAI,MAAM,gBAAgB,KAAK;AACxD,UAAM,wBAAwB,EAAE,IAAI,MAAM,uBAAuB,KAAK;AAEtE,UAAM,oBAAoB,GAAG,aAAa,IAAI,EAAE,SAAS;AACzD,QAAI,aAAa;AACjB,QAAI,mBAAmB;AACrB,YAAM,SAAS,GAAG,aAAa,UAAU,aAAa,SAAS;AAC/D,UAAI,CAAC,QAAQ;AACX,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,kBAAkB,SAAS,wBAAwB,aAAa;AAAA,UACzG;AAAA,QACF;AAAA,MACF;AACA,UAAI,gBAAgB,CAAC,mBAAmB,cAAc,OAAO,aAAa,GAAG;AAC3E,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,4DAA4D,aAAa;AAAA,UAClH;AAAA,QACF;AAAA,MACF;AACA,mBAAa,OAAO;AAAA,IACtB;AAEA,UAAM,eAAe,aACjB,sBAAsB,WAAW,UAAU,CAAC,2CAC5C;AAEJ,UAAM,QAAQ,GAAG,MAAM,IAAI;AAC3B,UAAM,cAAc,MACjB,IAAI,CAAC,SAAS;AACb,aAAO,iBAAiB;AAAA,QACtB,SAAS,KAAK,MAAM,CAAC,KAAK,KAAK,YAAY;AAAA,QAC3C,OAAO,KAAK;AAAA,QACZ,MAAM,KAAK;AAAA,QACX,OAAO,KAAK;AAAA,QACZ,YAAY;AAAA,QACZ,cAAc;AAAA,UACZ,OAAO,KAAK;AAAA,UACZ;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH,CAAC,EACA,KAAK,IAAI;AAEZ,UAAM,OAAO,MAAM,WAAW,IAC1B,yDACA;AAEJ,WAAO,EAAE,KAAK,eAAe,0BAA0B,cAAc,MAAM,aAAa,CAAC;AAAA,EAC3F,CAAC;AAID,MAAI,KAAK,mCAAmC,OAAO,MAAM;AACvD,UAAM,OAAO,MAAM,EAAE,IAAI,UAAU;AACnC,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,eAAe,QAAQ,KAAK,YAAY;AAC9C,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,YAAY,QAAQ,KAAK,SAAS;AACxC,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,gBAAgB,QAAQ,KAAK,aAAa,KAAK;AACrD,UAAM,iBAAiB,QAAQ,KAAK,cAAc;AAClD,UAAM,wBAAwB,QAAQ,KAAK,qBAAqB;AAGhE,UAAM,oBAAoB,GAAG,aAAa,IAAI,EAAE,SAAS;AACzD,QAAI,mBAAmB;AACrB,YAAM,SAAS,GAAG,aAAa,UAAU,aAAa,SAAS;AAC/D,UAAI,CAAC,QAAQ;AACX,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,kBAAkB,SAAS,wBAAwB,aAAa;AAAA,UACzG;AAAA,QACF;AAAA,MACF;AACA,UAAI,gBAAgB,CAAC,mBAAmB,cAAc,OAAO,aAAa,GAAG;AAC3E,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,4DAA4D,aAAa;AAAA,UAClH;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAE3C,oBAAgB,KAAK,EAAE,IAAI,MAAM;AAAA,MAC/B;AAAA,MACA;AAAA,MACA,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,SAAS;AAAA,MAChB,eAAe,kBAAkB;AAAA,MACjC,qBAAqB,yBAAyB;AAAA,MAC9C,YAAY,KAAK,IAAI;AAAA,IACvB,CAAC;AAED,UAAM,mBAAmB,6BAA6B,KAAK,MAAM,GAAG,CAAC,CAAC,aAAa,KAAK,EAAE;AAE1F,QAAI,kBAAkB,aAAa;AACjC,YAAM,OAAO;AAAA;AAAA;AAAA;AAAA,8BAIW,WAAW,YAAY,CAAC;AAAA,0CACZ,WAAW,IAAI,CAAC;AAAA,2CACf,WAAW,KAAK,CAAC;AAAA;AAAA;AAAA;AAItD,aAAO,EAAE,KAAK,IAAI;AAAA,IACpB;AAGA,UAAM,MAAM,IAAI,IAAI,YAAY;AAChC,QAAI,aAAa,IAAI,QAAQ,IAAI;AACjC,QAAI,MAAO,KAAI,aAAa,IAAI,SAAS,KAAK;AAE9C,WAAO,EAAE,SAAS,IAAI,SAAS,GAAG,GAAG;AAAA,EACvC,CAAC;AAID,MAAI,KAAK,sBAAsB,OAAO,MAAM;AAC1C,UAAM,cAAc,EAAE,IAAI,OAAO,cAAc,KAAK;AACpD,UAAM,UAAU,MAAM,EAAE,IAAI,KAAK;AAEjC,QAAI;AACJ,QAAI,YAAY,SAAS,kBAAkB,GAAG;AAC5C,UAAI;AAAE,eAAO,KAAK,MAAM,OAAO;AAAA,MAAG,QAAQ;AAAE,eAAO,CAAC;AAAA,MAAG;AAAA,IACzD,OAAO;AACL,aAAO,OAAO,YAAY,IAAI,gBAAgB,OAAO,CAAC;AAAA,IACxD;AAEA,UAAM,aAAa,OAAO,KAAK,eAAe,WAAW,KAAK,aAAa;AAC3E,UAAM,OAAO,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO;AACzD,QAAI,YAAY,OAAO,KAAK,cAAc,WAAW,KAAK,YAAY;AACtE,QAAI,gBAAgB,OAAO,KAAK,kBAAkB,WAAW,KAAK,gBAAgB;AAClF,UAAM,gBAAgB,OAAO,KAAK,kBAAkB,WAAW,KAAK,gBAAgB;AACpF,UAAM,eAAe,OAAO,KAAK,iBAAiB,WAAW,KAAK,eAAe;AACjF,UAAM,gBAAgB,OAAO,KAAK,kBAAkB,WAAW,KAAK,gBAAgB;AACpF,UAAM,QAAQ,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ;AAG5D,UAAM,aAAa,EAAE,IAAI,OAAO,eAAe,KAAK;AACpD,QAAI,WAAW,WAAW,QAAQ,GAAG;AACnC,YAAM,UAAU,OAAO,KAAK,WAAW,MAAM,CAAC,GAAG,QAAQ,EAAE,SAAS;AACpE,YAAM,MAAM,QAAQ,QAAQ,GAAG;AAC/B,UAAI,QAAQ,IAAI;AACd,cAAM,WAAW,mBAAmB,QAAQ,MAAM,GAAG,GAAG,CAAC;AACzD,cAAM,eAAe,mBAAmB,QAAQ,MAAM,MAAM,CAAC,CAAC;AAC9D,YAAI,CAAC,UAAW,aAAY;AAC5B,YAAI,CAAC,cAAe,iBAAgB;AAAA,MACtC;AAAA,IACF;AAEA,QAAI,eAAe,sBAAsB;AACvC,YAAM,oBAAoB,GAAG,aAAa,IAAI,EAAE,SAAS;AACzD,UAAI,mBAAmB;AACrB,cAAM,SAAS,GAAG,aAAa,UAAU,aAAa,SAAS;AAC/D,YAAI,CAAC,QAAQ;AACX,iBAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,mBAAmB,8BAA8B,GAAG,GAAG;AAAA,QAClG;AACA,YAAI,CAAC,wBAAwB,eAAe,OAAO,aAAa,GAAG;AACjE,iBAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,mBAAmB,kCAAkC,GAAG,GAAG;AAAA,QACtG;AAAA,MACF;AAEA,YAAM,aAAa,gBAAgB,KAAK;AACxC,YAAM,UAAU,WAAW,IAAI,IAAI;AACnC,UAAI,CAAC,SAAS;AACZ,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,oCAAoC,GAAG,GAAG;AAAA,MACvG;AACA,UAAI,qBAAqB,OAAO,GAAG;AACjC,mBAAW,OAAO,IAAI;AACtB,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,oCAAoC,GAAG,GAAG;AAAA,MACvG;AAGA,UAAI,QAAQ,eAAe,gBAAgB,QAAQ,gBAAgB,cAAc;AAC/E,mBAAW,OAAO,IAAI;AACtB,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,6EAA6E,GAAG,GAAG;AAAA,MAChJ;AAGA,UAAI,QAAQ,kBAAkB,MAAM;AAClC,YAAI,kBAAkB,QAAW;AAC/B,iBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,QAC/F;AACA,cAAM,UAAU,QAAQ,uBAAuB,SAAS,YAAY;AACpE,YAAI,WAAW,QAAQ;AACrB,gBAAM,WAAW,WAAW,QAAQ,EAAE,OAAO,aAAa,EAAE,OAAO,WAAW;AAC9E,cAAI,aAAa,QAAQ,eAAe;AACtC,mBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,UAC/F;AAAA,QACF,WAAW,WAAW,SAAS;AAC7B,cAAI,kBAAkB,QAAQ,eAAe;AAC3C,mBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,UAC/F;AAAA,QACF,OAAO;AACL,iBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,QAC/F;AAAA,MACF;AAGA,iBAAW,OAAO,IAAI;AAEtB,YAAM,OAAO,GAAG,MAAM,UAAU,SAAS,QAAQ,KAA+B;AAChF,UAAI,CAAC,MAAM;AACT,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,kBAAkB,GAAG,GAAG;AAAA,MACrF;AAEA,YAAM,cAAc,eAAe,YAAY,EAAE,EAAE,SAAS,WAAW;AACvE,YAAM,eAAe,iBAAiB,YAAY,EAAE,EAAE,SAAS,WAAW;AAC1E,YAAM,SAAS,QAAQ,QAAQ,QAAQ,MAAM,MAAM,KAAK,EAAE,OAAO,OAAO,IAAI,CAAC;AAE7E,UAAI,UAAU;AACZ,iBAAS,IAAI,aAAa,EAAE,OAAO,KAAK,OAAO,IAAI,KAAK,IAAI,OAAO,CAAC;AAAA,MACtE;AAGA,uBAAiB,KAAK,EAAE,IAAI,cAAc;AAAA,QACxC,OAAO,KAAK;AAAA,QACZ,UAAU,QAAQ;AAAA,QAClB,OAAO,QAAQ;AAAA,QACf,OAAO,QAAQ;AAAA,MACjB,CAAC;AAED,YAAM,UAAU,MAAM,cAAc,MAAM,QAAQ,UAAU,QAAQ,OAAO,OAAO;AAElF,YAAM,mBAAmB,sCAAsC,KAAK,KAAK,EAAE;AAE3E,aAAO,EAAE,KAAK;AAAA,QACZ,cAAc;AAAA,QACd,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,OAAO,QAAQ,SAAS;AAAA,QACxB,eAAe;AAAA,QACf,UAAU;AAAA,MACZ,CAAC;AAAA,IACH;AAEA,QAAI,eAAe,iBAAiB;AAClC,YAAM,aAAa,iBAAiB,KAAK;AACzC,YAAM,SAAS,WAAW,IAAI,aAAa;AAC3C,UAAI,CAAC,QAAQ;AACX,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,gCAAgC,GAAG,GAAG;AAAA,MACnG;AAEA,YAAM,OAAO,GAAG,MAAM,UAAU,SAAS,OAAO,KAA+B;AAC/E,UAAI,CAAC,MAAM;AACT,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,kBAAkB,GAAG,GAAG;AAAA,MACrF;AAEA,YAAM,cAAc,eAAe,YAAY,EAAE,EAAE,SAAS,WAAW;AACvE,YAAM,kBAAkB,iBAAiB,YAAY,EAAE,EAAE,SAAS,WAAW;AAC7E,YAAM,SAAS,OAAO,QAAQ,OAAO,MAAM,MAAM,KAAK,EAAE,OAAO,OAAO,IAAI,CAAC;AAE3E,UAAI,UAAU;AACZ,iBAAS,IAAI,aAAa,EAAE,OAAO,KAAK,OAAO,IAAI,KAAK,IAAI,OAAO,CAAC;AAAA,MACtE;AAGA,iBAAW,OAAO,aAAa;AAC/B,iBAAW,IAAI,iBAAiB;AAAA,QAC9B,OAAO,OAAO;AAAA,QACd,UAAU,OAAO;AAAA,QACjB,OAAO,OAAO;AAAA,QACd,OAAO,OAAO;AAAA,MAChB,CAAC;AAED,YAAM,UAAU,MAAM,cAAc,MAAM,OAAO,YAAY,WAAW,OAAO,OAAO,OAAO;AAE7F,YAAM,mBAAmB,4CAA4C,KAAK,KAAK,EAAE;AAEjF,aAAO,EAAE,KAAK;AAAA,QACZ,cAAc;AAAA,QACd,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,OAAO,OAAO,SAAS;AAAA,QACvB,eAAe;AAAA,QACf,UAAU;AAAA,MACZ,CAAC;AAAA,IACH;AAEA,QAAI,eAAe,sBAAsB;AACvC,YAAM,oBAAoB,GAAG,aAAa,IAAI,EAAE,SAAS;AACzD,UAAI,mBAAmB;AACrB,cAAM,SAAS,GAAG,aAAa,UAAU,aAAa,SAAS;AAC/D,YAAI,CAAC,QAAQ;AACX,iBAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,mBAAmB,8BAA8B,GAAG,GAAG;AAAA,QAClG;AACA,YAAI,CAAC,wBAAwB,eAAe,OAAO,aAAa,GAAG;AACjE,iBAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,mBAAmB,kCAAkC,GAAG,GAAG;AAAA,QACtG;AAAA,MACF;AAEA,YAAM,cAAc,eAAe,YAAY,EAAE,EAAE,SAAS,WAAW;AACvE,YAAM,SAAS,QAAQ,MAAM,MAAM,KAAK,EAAE,OAAO,OAAO,IAAI,CAAC,UAAU;AAEvE,UAAI,UAAU;AACZ,iBAAS,IAAI,aAAa,EAAE,OAAO,WAAW,IAAI,GAAG,OAAO,CAAC;AAAA,MAC/D;AAEA,YAAM,mBAAmB,mDAAmD,SAAS,EAAE;AAEvF,aAAO,EAAE,KAAK;AAAA,QACZ,cAAc;AAAA,QACd,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,OAAO,SAAS;AAAA,MAClB,CAAC;AAAA,IACH;AAEA,WAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,mBAAmB,gFAAgF,GAAG,GAAG;AAAA,EAC5J,CAAC;AAID,MAAI,IAAI,kBAAkB,CAAC,MAAM;AAC/B,UAAM,WAAW,EAAE,IAAI,UAAU;AACjC,QAAI,CAAC,UAAU;AACb,aAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,2BAA2B,GAAG,GAAG;AAAA,IAC9F;AAEA,UAAM,OAAO,GAAG,MAAM,UAAU,SAAS,SAAS,KAA+B;AACjF,QAAI,CAAC,MAAM;AACT,aAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,kBAAkB,GAAG,GAAG;AAAA,IACrF;AAEA,WAAO,EAAE,KAAK;AAAA,MACZ,KAAK,KAAK;AAAA,MACV,OAAO,KAAK;AAAA,MACZ,MAAM,KAAK;AAAA,MACX,YAAY,KAAK;AAAA,MACjB,aAAa,KAAK;AAAA,MAClB,oBAAoB,KAAK;AAAA,IAC3B,CAAC;AAAA,EACH,CAAC;AAID,MAAI,IAAI,YAAY,CAAC,MAAM;AACzB,UAAM,WAAW,EAAE,IAAI,UAAU;AACjC,QAAI,CAAC,UAAU;AACb,aAAO,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,8BAA8B,SAAS,2BAA2B,EAAE,GAAG,GAAG;AAAA,IAC3G;AAEA,UAAM,OAAO,GAAG,MAAM,UAAU,SAAS,SAAS,KAA+B;AACjF,QAAI,CAAC,MAAM;AACT,aAAO,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,4BAA4B,SAAS,kBAAkB,EAAE,GAAG,GAAG;AAAA,IAChG;AAEA,WAAO,EAAE,KAAK;AAAA,MACZ,kBAAkB,GAAG,OAAO;AAAA,MAC5B,IAAI,KAAK;AAAA,MACT,aAAa,KAAK;AAAA,MAClB,WAAW,KAAK;AAAA,MAChB,SAAS,KAAK;AAAA,MACd,MAAM,KAAK;AAAA,MACX,mBAAmB,KAAK;AAAA,IAC1B,CAAC;AAAA,EACH,CAAC;AAID,MAAI,IAAI,uBAAuB,CAAC,MAAM;AACpC,UAAM,2BAA2B,EAAE,IAAI,MAAM,0BAA0B;AACvE,QAAI,0BAA0B;AAE5B,YAAM,aAAa,GAAG,aAAa,IAAI;AACvC,UAAI,WAAW,SAAS,GAAG;AACzB,cAAM,UAAU,WAAW;AAAA,UAAK,CAAC,WAC/B,mBAAmB,0BAA0B,OAAO,aAAa;AAAA,QACnE;AACA,YAAI,CAAC,SAAS;AACZ,iBAAO,EAAE,KAAK,oCAAoC,GAAG;AAAA,QACvD;AAAA,MACF;AACA,aAAO,EAAE,SAAS,0BAA0B,GAAG;AAAA,IACjD;AACA,WAAO,EAAE,KAAK,cAAc,GAAG;AAAA,EACjC,CAAC;AAID,MAAI,KAAK,uBAAuB,OAAO,MAAM;AAC3C,UAAM,cAAc,EAAE,IAAI,OAAO,cAAc,KAAK;AACpD,UAAM,UAAU,MAAM,EAAE,IAAI,KAAK;AAEjC,QAAI;AACJ,QAAI,YAAY,SAAS,kBAAkB,GAAG;AAC5C,UAAI;AACF,cAAM,SAAS,KAAK,MAAM,OAAO;AACjC,gBAAQ,OAAO,OAAO,UAAU,WAAW,OAAO,QAAQ;AAAA,MAC5D,QAAQ;AACN,gBAAQ;AAAA,MACV;AAAA,IACF,OAAO;AACL,YAAM,SAAS,IAAI,gBAAgB,OAAO;AAC1C,cAAQ,OAAO,IAAI,OAAO,KAAK;AAAA,IACjC;AAEA,QAAI,SAAS,UAAU;AACrB,eAAS,OAAO,KAAK;AAAA,IACvB;AAGA,QAAI,OAAO;AACT,uBAAiB,KAAK,EAAE,OAAO,KAAK;AAAA,IACtC;AAEA,WAAO,EAAE,KAAK,MAAM,GAAG;AAAA,EACzB,CAAC;AACH;;;AWviBA,SAAS,aAAa,OAAc,UAAwB;AAC1D,QAAM,KAAK,kBAAkB,KAAK;AAElC,KAAG,MAAM,OAAO;AAAA,IACd,KAAK,YAAY;AAAA,IACjB,OAAO;AAAA,IACP,MAAM;AAAA,IACN,YAAY;AAAA,IACZ,aAAa;AAAA,IACb,gBAAgB;AAAA,IAChB,WAAW;AAAA,IACX,oBAAoB;AAAA,EACtB,CAAC;AACH;AAEO,SAAS,eAAe,OAAc,UAAkB,QAAmC;AAChG,QAAM,KAAK,kBAAkB,KAAK;AAElC,MAAI,OAAO,OAAO;AAChB,eAAW,KAAK,OAAO,OAAO;AAC5B,YAAM,WAAW,GAAG,MAAM,UAAU,SAAS,EAAE,KAAK;AACpD,UAAI,SAAU;AAEd,YAAM,aAAa,EAAE,QAAQ,IAAI,MAAM,KAAK;AAC5C,SAAG,MAAM,OAAO;AAAA,QACd,KAAK,YAAY;AAAA,QACjB,OAAO,EAAE;AAAA,QACT,MAAM,EAAE,QAAQ,EAAE,MAAM,MAAM,GAAG,EAAE,CAAC;AAAA,QACpC,YAAY,EAAE,cAAc,UAAU,CAAC,KAAK;AAAA,QAC5C,aAAa,EAAE,eAAe,UAAU,MAAM,CAAC,EAAE,KAAK,GAAG,KAAK;AAAA,QAC9D,gBAAgB;AAAA,QAChB,WAAW,EAAE,aAAa;AAAA,QAC1B,oBAAoB,EAAE;AAAA,MACxB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,eAAe;AACxB,eAAW,UAAU,OAAO,eAAe;AACzC,YAAM,WAAW,GAAG,aAAa,UAAU,aAAa,OAAO,SAAS;AACxE,UAAI,SAAU;AACd,SAAG,aAAa,OAAO;AAAA,QACrB,WAAW,OAAO;AAAA,QAClB,eAAe,OAAO;AAAA,QACtB,MAAM,OAAO;AAAA,QACb,eAAe,OAAO;AAAA,QACtB,WAAW,OAAO,aAAa;AAAA,MACjC,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAEO,IAAM,kBAAiC;AAAA,EAC5C,MAAM;AAAA,EACN,SAAS,KAAmB,OAAc,UAA6B,SAAiB,UAA2B;AACjH,UAAM,MAAoB,EAAE,KAAK,OAAO,UAAU,SAAS,SAAS;AACpE,gBAAY,GAAG;AAAA,EACjB;AAAA,EACA,KAAK,OAAc,SAAuB;AACxC,iBAAa,OAAO,OAAO;AAAA,EAC7B;AACF;AAEA,IAAO,gBAAQ;","names":[]}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@emulators/microsoft",
+  "version": "0.3.0",
+  "license": "Apache-2.0",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "homepage": "https://emulate.dev",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/vercel-labs/emulate.git",
+    "directory": "packages/@emulators/microsoft"
+  },
+  "bugs": {
+    "url": "https://github.com/vercel-labs/emulate/issues"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "hono": "^4",
+    "jose": "^6",
+    "@emulators/core": "0.3.0"
+  },
+  "devDependencies": {
+    "tsup": "^8",
+    "typescript": "^5.7",
+    "vitest": "^4.1.0"
+  },
+  "scripts": {
+    "build": "tsup --clean",
+    "dev": "tsup --watch",
+    "test": "vitest run",
+    "clean": "rm -rf dist .turbo"
+  }
+}