@enterprisestandard/core 0.0.7-beta.20260123.5 → 0.0.7-beta.20260124.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +1 -1
- package/package.json +3 -3
package/dist/index.js
CHANGED
@@ -6,4 +6,4 @@ import{createRequire as k$}from"node:module";var y$=Object.create;var{getPrototy
|
|
|
6
6
|
Check the <a href="https://EnterpriseStandard.com/sso#logout">Enterprise Standard Packages</a> for more information.
|
|
7
7
|
</div>
|
|
8
8
|
</body></html>
|
|
9
|
-
`,{status:200,headers:[["Content-Type","text/html"],...M]})}async function v(K){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");if(!Y.sessionStore)throw Error("Back-Channel Logout requires sessionStore configuration");try{let W=K.headers.get("content-type");if(!W||!W.includes("application/x-www-form-urlencoded"))return new Response("Invalid Content-Type, expected application/x-www-form-urlencoded",{status:400});let M=await K.text(),A=new URLSearchParams(M).get("logout_token");if(!A)return new Response("Missing logout_token parameter",{status:400});let B=(await f(A)).sid;if(!B)return console.warn("Back-Channel Logout: logout_token missing sid claim"),new Response("Invalid logout_token: missing sid claim",{status:400});return await Y.sessionStore.delete(B),console.log(`Back-Channel Logout: successfully deleted session ${B}`),new Response("OK",{status:200})}catch(W){return console.error("Error during back-channel logout:",W),new Response("Internal Server Error",{status:500})}}async function t(K){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");let W=new URL(K.url),M=new URLSearchParams(W.search),G=Object.fromEntries(M.entries()),A=await $.callbackParams["~standard"].validate(G);if(A.issues)return _$(A.issues,"OIDC callback parameters validation failed");let{code:H,state:B}=A.value;try{let J=I("state",K,!0),{codeVerifier:z,state:x,landingUrl:j}=J??{};if(c(z,'OIDC "codeVerifier" was not present in cookies, ensure that the SSO login was initiated correctly'),c(x,'OIDC "stateVerifier" was not present in cookies, ensure that the SSO login was initiated correctly'),c(j,'OIDC "landingUrl" was not present in cookies'),B!==x)throw Error('SSO State Verifier failed, the "state" request parameter does not equal the "state" in the SSO cookie');let k=await w(H,z,K.url),m=await E(k);if(Y.sessionStore)try{let P=m.sso.profile.sid,p=m.id;if(P&&p){let o={sid:P,sub:p,createdAt:new Date,lastActivityAt:new Date};await Y.sessionStore.create(o)}else 
console.warn("Session creation skipped: missing sid or sub in ID token claims")}catch(P){console.warn("Failed to create session:",P)}if(Y.userStore)try{let P=m.id;if(P){let p=new Date,o=await Y.userStore.get(P);if(o||Y.enableJitUserProvisioning){let G$={...o??{},...m,id:P,createdAt:o?.createdAt??p,updatedAt:p};await Y.userStore.upsert(G$)}else console.warn("JIT user provisioning disabled: user not found in store and will not be created")}else console.warn("User storage skipped: missing sub in ID token claims")}catch(P){console.warn("Failed to store user:",P)}return new Response("Authentication successful, redirecting",{status:302,headers:[["Location",j],["Set-Cookie",S("state")],...R(k,m.sso.expires)]})}catch(J){console.error("Error during sign-in callback:",J);try{let z=I("state",K,!0),{errorUrl:x}=z??{};if(x)return new Response("Redirecting to error url",{status:302,headers:[["Location",x]]})}catch(z){console.warn("Error parsing the errorUrl from the OIDC cookie")}return console.warn("No error page was found in the cookies. 
The user will be shown a default error page."),new Response("An error occurred during authentication, please return to the application homepage and try again.",{status:500})}}async function E(K){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");let W=await f(K.id_token),M=Number(K.refresh_expires_in??K.expires_in??3600),G=K.expires?new Date(K.expires):new Date(Date.now()+M*1000);return{id:W.sub,userName:W.preferred_username||"",name:W.name||"",email:W.email||"",emails:[{value:W.email||"",primary:!0}],avatarUrl:W.picture,sso:{profile:{...W,iss:W.iss||Y.authority,aud:W.aud||Y.clientId},tenant:{id:W.idp||W.iss||Y.authority||"",name:W.iss||Y.authority||""},scope:K.scope,tokenType:K.token_type,sessionState:K.session_state,expires:G}}}async function w(K,W,M){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");N();let{tokenUrl:G,redirectUri:A}=Y;try{new URL(A)}catch{if(M)try{let B=new URL(M),J=A.startsWith("//")?A.slice(1):A.startsWith("/")?A:`/${A}`;A=new URL(J,B.origin).toString()}catch{try{let B=new URL(G),J=A.startsWith("//")?A.slice(1):A.startsWith("/")?A:`/${A}`;A=new URL(J,B.origin).toString()}catch{throw Error(`Invalid redirectUri: "${Y.redirectUri}". 
It must be a valid absolute URL.`)}}}let H=new URLSearchParams;if(H.append("grant_type","authorization_code"),H.append("code",K),H.append("redirect_uri",A),H.append("client_id",Y.clientId),Y.clientSecret)H.append("client_secret",Y.clientSecret);H.append("code_verifier",W);try{let B=await fetch(G,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:H.toString()}),J=await B.json();if(!B.ok){console.error("Token exchange error:",J);let x=J;throw Error(`Token exchange failed: ${x.error||B.statusText} - ${x.error_description||""}`.trim())}let z=await $.tokenResponse["~standard"].validate(J);if(z.issues)throw console.error("Token response validation failed:",z.issues),Error(`Token response validation failed: ${z.issues}`);return z.value}catch(B){throw console.error("Error during token exchange:",B),B}}async function b(K){return g(async()=>{if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");N();let W=Y.tokenUrl,M=new URLSearchParams;M.append("grant_type","refresh_token"),M.append("refresh_token",K),M.append("client_id",Y.clientId);let G=await fetch(W,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:M.toString()}),A=await G.json();if(!G.ok){console.error("Token refresh error:",A);let H=A;throw Error(`Token refresh failed: ${H.error||G.statusText} - ${H.error_description||""}`.trim())}return A})}async function C(K){try{if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");if(!Y.revocationEndpoint)return;let W=new URLSearchParams;W.append("token",K),W.append("token_type_hint","refresh_token"),W.append("client_id",Y.clientId);let M=await fetch(Y.revocationEndpoint,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:W.toString()});if(!M.ok)console.warn("Token revocation failed:",M.status,M.statusText);else console.log("Token revoked successfully")}catch(W){console.warn("Error revoking token:",W)}}async 
function h(){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");if(!Y.jwksUri&&!Y.authority)throw Error("Missing 'jwksUri' or 'authority' from SSO Config. OIDC configuration is required for this operation.");let K=Y.jwksUri||`${Y.authority}/protocol/openid-connect/certs`,W=z$.get(K);if(W)return W;return g(async()=>{if(!Y)throw Error("SSO Manager not initialized");let M=await fetch(K);if(!M.ok)throw Error("Failed to fetch JWKS");let G=await M.json();return z$.set(K,G),G})}async function g(K,W=3,M=1000,G=30000){let A=Error("Placeholder Error");for(let H=0;H<=W;H++)try{return await K()}catch(B){if(A=B instanceof Error?B:Error(String(B)),B instanceof Error&&B.message.includes("400"))throw B;if(H===W)throw A;let J=Math.min(M*2**H,G),z=Math.random()*0.1*J;await new Promise((x)=>setTimeout(x,J+z)),console.warn(`Retry attempt ${H+1} after ${J+z}ms delay`)}throw A}async function f(K){try{let W=K.split(".");if(W.length!==3)throw Error("Invalid JWT");let M=JSON.parse(atob(W[0].replace(/-/g,"+").replace(/_/g,"/"))),G=JSON.parse(atob(W[1].replace(/-/g,"+").replace(/_/g,"/"))),A=W[2].replace(/-/g,"+").replace(/_/g,"/"),H=await u(M.kid),J=new TextEncoder().encode(`${W[0]}.${W[1]}`);if(!await crypto.subtle.verify("RSASSA-PKCS1-v1_5",H,Uint8Array.from(atob(A),(j)=>j.charCodeAt(0)),J))throw Error("Invalid JWT signature");let x=await $.idTokenClaims["~standard"].validate(G);if(x.issues)throw console.error("ID token claims validation failed:",x.issues),Error(`ID token claims validation failed: ${x.issues}`);return x.value}catch(W){throw console.error("Error verifying JWT:",W),W}}function l(K=32){let W=new Uint8Array(K);return crypto.getRandomValues(W),Array.from(W,(M)=>M.toString(16).padStart(2,"0")).join("").substring(0,K)}async function i(K){let M=new TextEncoder().encode(K),G=await crypto.subtle.digest("SHA-256",M),A=Array.from(new Uint8Array(G));return btoa(String.fromCharCode(...A)).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}async function u(K){let 
M=(await h()).keys.find((A)=>A.kid===K);if(!M)throw Error("Public key not found");return await crypto.subtle.importKey("jwk",{kty:M.kty,n:M.n,e:M.e},{name:"RSASSA-PKCS1-v1_5",hash:"SHA-256"},!1,["verify"])}function R(K,W){let M={expires_in:K.expires_in,refresh_expires_in:K.refresh_expires_in,scope:K.scope,session_state:K.session_state,token_type:K.token_type,expires:W.toISOString()};return[["Set-Cookie",T("access",K.access_token,W)],["Set-Cookie",T("id",K.id_token,W)],["Set-Cookie",T("refresh",K.refresh_token??"",W)],["Set-Cookie",T("control",M,W)]]}async function q(K){let W=I("access",K),M=I("id",K),G=I("refresh",K),A=I("control",K,!0);if(!W||!M||!G||!A)return{tokens:void 0,refreshHeaders:[]};let H={access_token:W,id_token:M,refresh_token:G,...A};if(A.expires&&G&&Date.now()>new Date(A.expires).getTime()){H=await b(G);let B=await E(H),J=R(H,B.sso.expires);return{tokens:H,refreshHeaders:J}}return{tokens:H,refreshHeaders:[]}}async function D(K){let{tokens:W}=await q(K);if(!W)return;return W.access_token}function T(K,W,M){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");if(K=`${Y.cookiesPrefix}.${K}`,typeof W!=="string")W=btoa(JSON.stringify(W));let G;if(M instanceof Date)G=`Expires=${M.toUTCString()}`;else if(typeof M==="number")G=`Max-Age=${M}`;else throw Error("Invalid expires type",M);if(W.length>4000)throw Error(`Error setting cookie: ${K}. Cookie length is: ${W.length}`);return`${K}=${W}; ${G}; Path=${Y.cookiesPath}; HttpOnly;${Y.cookiesSecure?" Secure;":""} SameSite=${Y.cookiesSameSite};`}function S(K){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");return`${Y.cookiesPrefix}.${K}=; Max-Age=0; Path=${Y.cookiesPath}; HttpOnly;${Y.cookiesSecure?" 
Secure;":""} SameSite=${Y.cookiesSameSite};`}function I(K,W,M=!1){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");let G=W.headers.get("cookie");if(!G)return null;let A=G.split(";").find((J)=>J.trim().startsWith(`${Y.cookiesPrefix}.${K}=`));if(!A)return null;let H=A.split("=")[1].trim();if(!M)return H;let B=atob(H);return JSON.parse(B)}async function O(K,W){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");let{loginUrl:M,userUrl:G,errorUrl:A,landingUrl:H,tokenUrl:B,refreshUrl:J,logoutUrl:z,logoutBackChannelUrl:x,jwksUrl:j,redirectUri:k}={...Y,...W},m=new URL(K.url).pathname;if(k){let P;try{P=new URL(k).pathname}catch{try{let p=new URL(K.url),o=k.startsWith("//")?k.slice(1):k;P=new URL(o,p.origin).pathname}catch{P=k.startsWith("/")?k:`/${k}`}}if(P===m)return t(K)}if(M===m)return y({landingUrl:H||"/",errorUrl:A},K.url);if(G===m){let{tokens:P,refreshHeaders:p}=await q(K);if(!P)return new Response("User not logged in",{status:401});let o=await E(P);return new Response(JSON.stringify(o),{headers:[["Content-Type","application/json"],...p]})}if(B===m){let{tokens:P,refreshHeaders:p}=await q(K);if(!P)return new Response("User not logged in",{status:401});return new Response(JSON.stringify({token:P.access_token,expires:P.expires}),{headers:[["Content-Type","application/json"],...p]})}if(J===m){let P=I("refresh",K);if(!P)return new Response("User not logged in",{status:401});let p=await b(P),o=await E(p),G$=R(p,o.sso.expires);return new Response("Refresh Complete",{status:200,headers:G$})}if(z===m)return n(K,{landingUrl:H||"/"});if(x===m)return v(K);if(j===m){let P=await h();return new Response(JSON.stringify(P),{headers:[["Content-Type","application/json"]]})}return new Response("Not Found",{status:404})}return{config:Y,getUser:_,getRequiredUser:F,getJwt:D,initiateLogin:y,logout:n,callbackHandler:t,handler:O}}function K$($,L,X){if(!L&&!X)return;let Q={...L,...X};async function Z(Y){if(Y.method!=="POST")throw Error("Only POST method is 
supported");let N;try{N=await Y.json()}catch(y){throw Error("Invalid JSON in request body")}if(typeof N!=="object"||N===null)throw Error("Request body must be an object");let _=await $.createTenantRequest["~standard"].validate(N);if(_.issues)return _;let F=_.value.tenantUrl;try{new URL(F)}catch{try{let y=new URL(Y.url),n=F.startsWith("//")?F.slice(1):F.startsWith("/")?F:`/${F}`;_.value.tenantUrl=new URL(n,y.origin).toString()}catch{throw Error(`Invalid tenantUrl: "${_.value.tenantUrl}". It must be a valid absolute URL or relative path.`)}}return _}return{config:Q,parseTenantRequest:Z,sendTenantWebhook:v$}}async function v$($,L){try{let X=await fetch($,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(L)});if(!X.ok)console.error(`Failed to send webhook update: ${X.status} ${X.statusText}`)}catch(X){console.error("Failed to send webhook update:",X)}}class x${tenants=new Map;companyIdIndex=new Map;async get($){return this.tenants.get($)??null}async getByCompanyId($){let L=this.companyIdIndex.get($);if(!L||L.size===0)return[];let X=[];for(let Q of L){let Z=this.tenants.get(Q);if(Z)X.push(Z)}return X}async list(){return Array.from(this.tenants.values())}async upsert($){let L=this.tenants.get($.appId);if(L&&L.companyId!==$.companyId){let Q=this.companyIdIndex.get(L.companyId);if(Q){if(Q.delete($.appId),Q.size===0)this.companyIdIndex.delete(L.companyId)}}this.tenants.set($.appId,$);let X=this.companyIdIndex.get($.companyId);if(!X)X=new Set,this.companyIdIndex.set($.companyId,X);return X.add($.appId),$}async delete($){let L=this.tenants.get($);if(L){let X=this.companyIdIndex.get(L.companyId);if(X){if(X.delete($),X.size===0)this.companyIdIndex.delete(L.companyId)}}this.tenants.delete($)}}function I$($){async function L(X){throw Error("Error retrieving secret",{cause:Error("Not implemented")})}return{type:$.type,getFullSecret:L,getSecret:async(X)=>{return(await L(X)).data}}}function E$($){let 
L=$.url||process.env.ES_VAULT_URL,X=$.token||process.env.ES_VAULT_TOKEN;if(!L||!X)throw Error("ES_VAULT_URL and ES_VAULT_TOKEN must be set");async function Q(Z){let Y=await fetch(`${L}/${Z}`,{headers:{"X-Vault-Token":X}});if(Y.status!==200)throw Error(`Vault returned invalid status, ${Y.status}: '${Y.statusText}' from URL: ${L}/${Z}`);try{return(await Y.json()).data}catch(N){throw Error("Error retrieving secret",{cause:N})}}return{type:"openbao",getFullSecret:Q,getSecret:async(Z)=>{return(await Q(Z)).data}}}function X$($){if(!$?.type){let L=process.env.ES_VAULT_TYPE;if(!L)console.warn('process.env.ES_VAULT_TYPE is not set, using a "dev" vault'),$={type:"dev"};else if(!L)throw Error("process.env.ES_VAULT_TYPE is not set");else $={type:L}}if($.type==="lfv")return I$($);else if($.type==="azure")throw Error("Azure vault is not supported");else if($.type==="aws")throw Error("AWS vault is not supported");else if($.type==="gcp")throw Error("GCP vault is not supported");else if($.type==="openbao")return E$($);else if($.type==="dev")throw Error("Dev vault is not supported");throw Error(`Invalid vault config: ${$}`)}class Q${tokens=new Map;async set($){this.tokens.set($.workload_id,$)}async get($){let L=this.tokens.get($);if(!L)return null;if(Date.now()>L.expires_at.getTime())return this.tokens.delete($),null;return L}async delete($){this.tokens.delete($)}async isValid($){return await this.get($)!==null}async cleanup(){let $=Date.now();for(let[L,X]of this.tokens.entries())if($>X.expires_at.getTime())this.tokens.delete(L)}}var O$=new Map;function d($){if($===void 0||$===null)return!1;let L=$;return L.workloadId!==void 0&&L.workloadId!==null||L.privateKey!==void 0&&L.privateKey!==null}function r($){if($===void 0||$===null)return!1;let L=$,X=L.clientId!==void 0&&L.clientId!==null,Q=L.clientSecret!==void 0&&L.clientSecret!==null,Z=L.workloadId!==void 0&&L.workloadId!==null,Y=L.privateKey!==void 0&&L.privateKey!==null;return(X||Q)&&!Z&&!Y}function T$($){if($===void 
0||$===null)return!1;let L=$,X=L.jwksUri!==void 0&&L.jwksUri!==null,Q=L.workloadId!==void 0&&L.workloadId!==null,Z=L.clientId!==void 0&&L.clientId!==null,Y=L.clientSecret!==void 0&&L.clientSecret!==null,N=L.privateKey!==void 0&&L.privateKey!==null;return X&&!Q&&!N&&!Z&&!Y}function A$($,L,X){if(!L&&!X)return;let Q=L?.tokenUrl,Z=X?.tokenUrl,Y=Q&&(Q.startsWith("http://")||Q.startsWith("https://"))?Q:Z&&(Z.startsWith("http://")||Z.startsWith("https://"))?Z:void 0,N=Z?.startsWith("/")?Z:void 0,_={...L,...X,tokenUrl:Y||N||Q||Z};_._handlerTokenUrl=N,_._oauth2TokenUrl=Y;let F,y=_,n=d(_),v=r(_),t=T$(_);if(!n&&!v&&!t&&Object.keys(_).length>0)console.error("WorkloadConfig validation failed. Config:",{keys:Object.keys(_),clientId:y.clientId,clientSecret:y.clientSecret?"[REDACTED]":void 0,workloadId:y.workloadId,privateKey:y.privateKey?"[REDACTED]":void 0,jwksUri:y.jwksUri,tokenUrl:y.tokenUrl,fromVaultKeys:L?Object.keys(L):[],fromCodeKeys:X?Object.keys(X):[]});if(n)F={..._,tokenUrl:c(_.tokenUrl,"Missing 'tokenUrl' from Workload Config"),workloadId:c(_.workloadId,"Missing 'workloadId' from Workload Config"),privateKey:c(_.privateKey,"Missing 'privateKey' from Workload Config"),audience:c(_.audience,"Missing 'audience' from Workload Config"),scope:_.scope??"",algorithm:_.algorithm??"RS256",tokenLifetime:_.tokenLifetime??300,refreshThreshold:_.refreshThreshold??60,autoRefresh:_.autoRefresh!==void 0?_.autoRefresh:!0,tokenStore:_.tokenStore??new Q$};else if(r(_))F={..._,tokenUrl:c(_.tokenUrl,"Missing 'tokenUrl' from Workload Config"),clientId:c(_.clientId,"Missing 'clientId' from Workload Config"),clientSecret:c(_.clientSecret,"Missing 'clientSecret' from Workload Config"),scope:_.scope??"",tokenLifetime:_.tokenLifetime??300,refreshThreshold:_.refreshThreshold??60,autoRefresh:_.autoRefresh!==void 0?_.autoRefresh:!0,tokenStore:_.tokenStore??new Q$};else if(T$(_))F=_;else throw Error("Invalid WorkloadConfig: must provide the correct config for one of the following modes: JWT Bearer 
Grant, OAuth2 Client Credentials, or Server-Only");function E(){let M=new Uint8Array(16);return crypto.getRandomValues(M),Array.from(M,(G)=>G.toString(16).padStart(2,"0")).join("")}function w(M){let G;if(typeof M==="string")G=btoa(M);else G=btoa(String.fromCharCode(...M));return G.replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}function b(M){let G=M.replace(/-/g,"+").replace(/_/g,"/");while(G.length%4)G+="=";return atob(G)}function C(M){if(M.startsWith("RS"))return{name:"RSASSA-PKCS1-v1_5",hash:M==="RS256"?"SHA-256":M==="RS384"?"SHA-384":"SHA-512"};else if(M.startsWith("ES"))return{name:"ECDSA",namedCurve:M==="ES256"?"P-256":M==="ES384"?"P-384":"P-521",hash:M==="ES256"?"SHA-256":M==="ES384"?"SHA-384":"SHA-512"};throw Error(`Unsupported algorithm: ${M}`)}async function h(M,G){let A=M.replace(/-----BEGIN PRIVATE KEY-----/,"").replace(/-----END PRIVATE KEY-----/,"").replace(/\s/g,""),H=Uint8Array.from(atob(A),(J)=>J.charCodeAt(0)),B=C(G);return crypto.subtle.importKey("pkcs8",H,B,!1,["sign"])}async function g(M,G,A){let H=await h(G,A),J=new TextEncoder().encode(M),z=C(A),x=await crypto.subtle.sign(z,H,J);return w(new Uint8Array(x))}async function f(M,G=3,A=1000,H=30000){let B=Error("Placeholder Error");for(let J=0;J<=G;J++)try{return await M()}catch(z){if(B=z instanceof Error?z:Error(String(z)),B.message.includes("400")||B.message.includes("401")||B.message.includes("403")||B.message.includes("404"))throw B;if(J<G){let x=Math.min(A*2**J,H),j=Math.random()*x*0.1;await new Promise((k)=>setTimeout(k,x+j))}}throw B}async function l(M){if(!d(F))throw Error("generateJWTAssertion is only available in JWT Bearer Grant mode");let G=F,A=Math.floor(Date.now()/1000),H={iss:G.workloadId,sub:G.workloadId,aud:G.audience??"",exp:A+G.tokenLifetime,iat:A,jti:E(),scope:M??G.scope},B={alg:G.algorithm,typ:"JWT",kid:G.keyId},J=w(JSON.stringify(B)),z=w(JSON.stringify(H)),x=`${J}.${z}`,j=await g(x,G.privateKey,G.algorithm);return`${x}.${j}`}async function i(M){if(!d(F))throw 
Error("generateJWTAssertion is only available in JWT Bearer Grant mode");let G=F;return f(async()=>{let A=G.tokenUrl,H=await l(M),B=new URLSearchParams;if(B.append("grant_type","urn:ietf:params:oauth:grant-type:jwt-bearer"),B.append("assertion",H),M)B.append("scope",M);let J=await fetch(A,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:B.toString()}),z=await J.json();if(!J.ok)throw console.error("Token acquisition error:",z),Error(`Token acquisition failed: ${z.error||J.statusText} - ${z.error_description||""}`.trim());let x=await $.tokenResponse["~standard"].validate(z);if(x.issues)throw console.error("Token response validation failed:",x.issues),Error(`Token response validation failed: ${x.issues.map((j)=>j.message).join("; ")}`);if(G.tokenStore){let j=new Date(Date.now()+(x.value.expires_in??300)*1000),k={workload_id:G.workloadId,access_token:x.value.access_token,token_type:x.value.token_type,scope:x.value.scope,expires_at:j,created_at:new Date,refresh_token:x.value.refresh_token};await G.tokenStore.set(k)}return x.value})}async function u(M){if(!r(F))throw Error("acquireTokenClientCredentials is only available in OAuth2 Client Credentials mode");let G=F;return f(async()=>{let A=G.tokenUrl,H=new URLSearchParams;if(H.append("grant_type","client_credentials"),H.append("client_id",G.clientId),H.append("client_secret",G.clientSecret),M)H.append("scope",M);let B=await fetch(A,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:H.toString()}),J=await B.json();if(!B.ok)throw console.error("Token acquisition error:",J),Error(`Token acquisition failed: ${J.error||B.statusText} - ${J.error_description||""}`.trim());let z=await $.tokenResponse["~standard"].validate(J);if(z.issues)throw console.error("Token response validation failed:",z.issues),Error(`Token response validation failed: ${z.issues.map((x)=>x.message).join("; ")}`);if(G.tokenStore){let x=new 
Date(Date.now()+(z.value.expires_in??300)*1000),j={workload_id:G.clientId,access_token:z.value.access_token,token_type:z.value.token_type,scope:z.value.scope,expires_at:x,created_at:new Date,refresh_token:z.value.refresh_token};await G.tokenStore.set(j)}return z.value})}async function R(M){if(!d(F)&&!r(F)){let B=F;throw Error(`Acquiring tokens is only available in JWT Bearer Grant or OAuth2 Client Credentials mode. Current config: hasClientId=${!!B.clientId}, hasClientSecret=${!!B.clientSecret}, hasWorkloadId=${!!B.workloadId}, hasPrivateKey=${!!B.privateKey}, hasJwksUri=${!!B.jwksUri}`)}let G=F;M=M??G.scope;let A=d(F)?F.workloadId:F.clientId;if(G.tokenStore){let B=await G.tokenStore.get(A);if(B){let J=Date.now(),z=B.expires_at.getTime(),x=G.refreshThreshold*1000;if(J+x<z)return B.access_token;if(G.autoRefresh)try{return(d(F)?await i(M):await u(M)).access_token}catch(j){if(J<z)return console.warn("Token refresh failed, using cached token:",j),B.access_token;throw j}}}return(d(F)?await i(M):await u(M)).access_token}async function q(M){if(!d(F)&&!r(F))throw Error("Refreshing tokens is only available in JWT Bearer Grant or OAuth2 Client Credentials mode");let G=F;return M=M??G.scope,d(G)?await i(M):await u(M)}async function D(M){if(!d(F)&&!r(F))throw Error("Revoking tokens is only available in JWT Bearer Grant or OAuth2 Client Credentials mode");let G=F;try{if(!F.revocationEndpoint)return;let A=new URLSearchParams;if(A.append("token",M),A.append("token_type_hint","access_token"),d(F)){let B=F;A.append("client_id",B.workloadId)}else if(r(F)){let B=F;A.append("client_id",B.clientId),A.append("client_secret",B.clientSecret)}let H=await fetch(F.revocationEndpoint,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:A.toString()});if(!H.ok)console.warn("Token revocation failed:",H.status,H.statusText);else console.log("Token revoked successfully");if(F.tokenStore){let B;if(d(F))B=F.workloadId;else if(r(F))B=F.clientId;else return;await 
F.tokenStore.delete(B)}}catch(A){console.warn("Error revoking token:",A)}}async function T(){if(!F?.jwksUri)throw Error("No JWKS URI configured in Workload Config");let M=F.jwksUri,G=O$.get(M);if(G)return G;return f(async()=>{let A=await fetch(M);if(!A.ok)throw Error("Failed to fetch JWKS");let H=await A.json();return O$.set(M,H),H})}async function S(M){let A=(await T()).keys.find((J)=>J.kid===M);if(!A)throw Error("Public key not found");let H=d(F)?F.algorithm:"RS256",B=C(A.alg||H);return crypto.subtle.importKey("jwk",A,B,!1,["verify"])}async function I(M){try{let G=M.split(".");if(G.length!==3)throw Error("Invalid JWT");let A=JSON.parse(b(G[0])),H=JSON.parse(b(G[1])),B=await S(A.kid),J=G[2],x=new TextEncoder().encode(`${G[0]}.${G[1]}`),j=Uint8Array.from(b(J),(p)=>p.charCodeAt(0)),k=C(A.alg);if(!await crypto.subtle.verify(k,B,j,x))throw Error("Invalid JWT signature");let P=await $.jwtAssertionClaims["~standard"].validate(H);if(P.issues)throw console.error("JWT claims validation failed:",P.issues),Error(`JWT claims validation failed: ${P.issues.map((p)=>p.message).join("; ")}`);return P.value}catch(G){throw console.error("Error verifying JWT:",G),G}}async function O(M){if(!d(F)&&!r(F))throw Error("Validating tokens is only available in JWT Bearer Grant or OAuth2 Client Credentials mode");try{let G=await I(M),A=Math.floor(Date.now()/1000);if(G.exp&&G.exp<A)return{valid:!1,error:"Token expired"};if(d(F)){if(F.audience&&G.aud!==F.audience)return{valid:!1,error:"Invalid audience"}}else if(r(F)){if(F.issuer&&G.iss!==F.issuer)return{valid:!1,error:"Invalid issuer"};if(F.audience&&G.aud!==F.audience)return{valid:!1,error:"Invalid audience"}}else{let H=F;if(H.issuer&&G.iss!==H.issuer)return{valid:!1,error:"Invalid issuer"}}return{valid:!0,claims:G,expiresAt:G.exp?new Date(G.exp*1000):void 0}}catch(G){return{valid:!1,error:G instanceof Error?G.message:String(G)}}}async function K(M){let G=M.headers.get("Authorization");if(!G||!G.startsWith("Bearer "))return;let 
A=G.substring(7),H=await O(A);if(!H.valid||!H.claims)return;return{workloadId:H.claims.sub,clientId:typeof H.claims.client_id==="string"?H.claims.client_id:void 0,scope:H.claims.scope,claims:H.claims}}async function W(M){if(!F)throw Error("Enterprise Standard Workload Manager not initialized");let G=new URL(M.url).pathname,A=(j)=>{if(!j)return;try{return new URL(j).pathname}catch{return j.startsWith("/")?j:`/${j}`}},H=F._handlerTokenUrl;if(A(H||F.tokenUrl)===G&&M.method==="GET")try{let k=new URL(M.url).searchParams.get("scope")||void 0,m=await R(k);return new Response(JSON.stringify({access_token:m,token_type:"Bearer"}),{headers:[["Content-Type","application/json"]]})}catch(j){return console.error("Error in token endpoint:",j),new Response(JSON.stringify({error:j instanceof Error?j.message:"Internal server error"}),{status:500,headers:[["Content-Type","application/json"]]})}if(A(F.validateUrl)===G&&M.method==="POST"){let j=M.headers.get("Authorization");if(!j||!j.startsWith("Bearer "))return new Response(JSON.stringify({valid:!1,error:"Missing Authorization header"}),{status:401,headers:[["Content-Type","application/json"]]});let k=j.substring(7),m=await O(k);return new Response(JSON.stringify(m),{status:m.valid?200:401,headers:[["Content-Type","application/json"]]})}if(A(F.jwksUrl)===G&&M.method==="GET"){let j=await T();return new Response(JSON.stringify(j),{headers:[["Content-Type","application/json"]]})}if(A(F.refreshUrl)===G&&M.method==="POST")try{let j=await q();return new Response(JSON.stringify(j),{headers:[["Content-Type","application/json"]]})}catch(j){return console.error("Error in refresh endpoint:",j),new Response(JSON.stringify({error:j instanceof Error?j.message:"Internal server error"}),{status:500,headers:[["Content-Type","application/json"]]})}return new Response("Not Found",{status:404})}return{config:F,getToken:R,refreshToken:q,generateJWTAssertion:l,revokeToken:D,validateToken:O,getWorkloadIdentity:K,parseJWT:I,handler:W}}class w${groups=new 
Map;externalIdIndex=new Map;displayNameIndex=new Map;async get($){return this.groups.get($)??null}async getByExternalId($){let L=this.externalIdIndex.get($);if(!L)return null;return this.groups.get(L)??null}async getByDisplayName($){let L=this.displayNameIndex.get($.toLowerCase());if(!L)return null;return this.groups.get(L)??null}async list(){return Array.from(this.groups.values())}async upsert($){let L=this.groups.get($.id);if(L){if(L.externalId&&L.externalId!==$.externalId)this.externalIdIndex.delete(L.externalId);if(L.displayName.toLowerCase()!==$.displayName.toLowerCase())this.displayNameIndex.delete(L.displayName.toLowerCase())}if(this.groups.set($.id,$),$.externalId)this.externalIdIndex.set($.externalId,$.id);this.displayNameIndex.set($.displayName.toLowerCase(),$.id)}async delete($){let L=this.groups.get($);if(L){if(L.externalId)this.externalIdIndex.delete(L.externalId);this.displayNameIndex.delete(L.displayName.toLowerCase())}this.groups.delete($)}async addMember($,L){let X=this.groups.get($);if(!X)throw Error(`Group ${$} not found`);let Q=X.members??[];if(!Q.some((Z)=>Z.value===L.value))Q.push(L),X.members=Q,X.updatedAt=new Date}async removeMember($,L){let X=this.groups.get($);if(!X)throw Error(`Group ${$} not found`);if(X.members)X.members=X.members.filter((Q)=>Q.value!==L),X.updatedAt=new Date}}class S${sessions=new Map;async create($){if(this.sessions.has($.sid))throw Error(`Session with sid ${$.sid} already exists`);this.sessions.set($.sid,$)}async get($){return this.sessions.get($)??null}async update($,L){let X=this.sessions.get($);if(!X)throw Error(`Session with sid ${$} not found`);let Q={...X,...L};this.sessions.set($,Q)}async delete($){this.sessions.delete($)}}function R$($){return $=$??"SSO Unavailable",new Response(JSON.stringify({error:$}),{status:503,statusText:$,headers:{"Content-Type":"application/json"}})}async function z0($,L){return a(L)?.sso?.getUser($)}async function x0($,L){let X=a(L)?.sso;if(!X)throw Error("SSO has not been 
initialized");return X.getRequiredUser($)}async function I0($,L){let X=a(L)?.sso;if(!X)return R$();return X.initiateLogin($)}async function E0($,L){let X=a(L)?.sso;if(!X)return R$();return X.callbackHandler($)}async function h$($){let L=M$();if(!L?.tenants)throw Error("Tenant service not available. Ensure EnterpriseStandard is initialized with tenant configuration.");return L.tenants.parseTenantRequest($)}async function m$($,L){let X=M$();if(!X?.tenants)throw Error("Tenant service not available. Ensure EnterpriseStandard is initialized with tenant configuration.");return X.tenants.sendTenantWebhook($,L)}class P$ extends Error{constructor($){super($);this.name="TenantRequestError"}}function f$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={};if("code"in X)if(typeof X.code==="string")Z.code=X.code;else Q.push({message:"code must be a string",path:["code"]});else if(!("error"in X))Q.push({message:"code is required",path:["code"]});if("state"in X)if(typeof X.state==="string"||X.state===void 0)Z.state=X.state;else Q.push({message:"state must be a string",path:["state"]});if("session_state"in X)if(typeof X.session_state==="string"||X.session_state===void 0)Z.session_state=X.session_state;else Q.push({message:"session_state must be a string",path:["session_state"]});if("error"in X){if(typeof X.error==="string")Z.error=X.error;else Q.push({message:"error must be a string",path:["error"]});if("error_description"in X)if(typeof X.error_description==="string"||X.error_description===void 0)Z.error_description=X.error_description;else Q.push({message:"error_description must be a string",path:["error_description"]});if("error_uri"in X)if(typeof X.error_uri==="string"||X.error_uri===void 0)Z.error_uri=X.error_uri;else Q.push({message:"error_uri must be a string",path:["error_uri"]})}if("iss"in X)if(typeof X.iss==="string"||X.iss===void 0)Z.iss=X.iss;else Q.push({message:"iss 
must be a string",path:["iss"]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}function p$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={};if("access_token"in X)if(typeof X.access_token==="string")Z.access_token=X.access_token;else Q.push({message:"access_token must be a string",path:["access_token"]});else Q.push({message:"access_token is required",path:["access_token"]});if("id_token"in X)if(typeof X.id_token==="string")Z.id_token=X.id_token;else Q.push({message:"id_token must be a string",path:["id_token"]});else Q.push({message:"id_token is required",path:["id_token"]});if("token_type"in X)if(typeof X.token_type==="string")Z.token_type=X.token_type;else Q.push({message:"token_type must be a string",path:["token_type"]});else Q.push({message:"token_type is required",path:["token_type"]});if("refresh_token"in X)if(typeof X.refresh_token==="string"||X.refresh_token===void 0)Z.refresh_token=X.refresh_token;else Q.push({message:"refresh_token must be a string",path:["refresh_token"]});if("scope"in X)if(typeof X.scope==="string"||X.scope===void 0)Z.scope=X.scope;else Q.push({message:"scope must be a string",path:["scope"]});if("session_state"in X)if(typeof X.session_state==="string"||X.session_state===void 0)Z.session_state=X.session_state;else Q.push({message:"session_state must be a string",path:["session_state"]});if("expires"in X)if(typeof X.expires==="string"||X.expires===void 0)Z.expires=X.expires;else Q.push({message:"expires must be a string",path:["expires"]});if("expires_in"in X)if(typeof X.expires_in==="number"||X.expires_in===void 0)Z.expires_in=X.expires_in;else Q.push({message:"expires_in must be a number",path:["expires_in"]});if("refresh_expires_in"in X)if(typeof X.refresh_expires_in==="number"||X.refresh_expires_in===void 0)Z.refresh_expires_in=X.refresh_expires_in;else Q.push({message:"refresh_expires_in must be a 
number",path:["refresh_expires_in"]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}function c$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={...X},Y=["iss","aud","sub","sid","name","email","preferred_username","picture"];for(let _ of Y)if(_ in X&&X[_]!==void 0){if(typeof X[_]!=="string")Q.push({message:`${_} must be a string`,path:[_]})}let N=["exp","iat"];for(let _ of N)if(_ in X&&X[_]!==void 0){if(typeof X[_]!=="number")Q.push({message:`${_} must be a number`,path:[_]})}if(Q.length>0)return{issues:Q};return{value:Z}}}}}function V($,L,X,Q,Z){if($===void 0||$===null){if(X)Q.push({message:`${L} is required`,path:Z});return}if(typeof $!=="string"){Q.push({message:`${L} must be a string`,path:Z});return}return $}function Y$($,L,X,Q){if($===void 0||$===null)return;if(typeof $!=="boolean"){X.push({message:`${L} must be a boolean`,path:Q});return}return $}function g$($,L,X){if($===void 0||$===null)return;if(typeof $!=="object"||$===null){L.push({message:"name must be an object",path:X});return}let Q=$,Z={};return Z.formatted=V(Q.formatted,"formatted",!1,L,[...X,"formatted"]),Z.familyName=V(Q.familyName,"familyName",!1,L,[...X,"familyName"]),Z.givenName=V(Q.givenName,"givenName",!1,L,[...X,"givenName"]),Z.middleName=V(Q.middleName,"middleName",!1,L,[...X,"middleName"]),Z.honorificPrefix=V(Q.honorificPrefix,"honorificPrefix",!1,L,[...X,"honorificPrefix"]),Z.honorificSuffix=V(Q.honorificSuffix,"honorificSuffix",!1,L,[...X,"honorificSuffix"]),Z}function d$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"emails must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"email must be an object",path:N});continue}let 
_=Y,F=V(_.value,"value",!0,L,[...N,"value"]);if(F)Q.push({value:F,display:V(_.display,"display",!1,L,[...N,"display"]),type:V(_.type,"type",!1,L,[...N,"type"]),primary:Y$(_.primary,"primary",L,[...N,"primary"])})}return Q.length>0?Q:void 0}function l$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"phoneNumbers must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"phoneNumber must be an object",path:N});continue}let _=Y,F=V(_.value,"value",!0,L,[...N,"value"]);if(F)Q.push({value:F,display:V(_.display,"display",!1,L,[...N,"display"]),type:V(_.type,"type",!1,L,[...N,"type"]),primary:Y$(_.primary,"primary",L,[...N,"primary"])})}return Q.length>0?Q:void 0}function u$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"addresses must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"address must be an object",path:N});continue}let _=Y;Q.push({formatted:V(_.formatted,"formatted",!1,L,[...N,"formatted"]),streetAddress:V(_.streetAddress,"streetAddress",!1,L,[...N,"streetAddress"]),locality:V(_.locality,"locality",!1,L,[...N,"locality"]),region:V(_.region,"region",!1,L,[...N,"region"]),postalCode:V(_.postalCode,"postalCode",!1,L,[...N,"postalCode"]),country:V(_.country,"country",!1,L,[...N,"country"]),type:V(_.type,"type",!1,L,[...N,"type"]),primary:Y$(_.primary,"primary",L,[...N,"primary"])})}return Q.length>0?Q:void 0}function n$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"groups must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"group must be an object",path:N});continue}let 
_=Y,F=V(_.value,"value",!0,L,[...N,"value"]);if(F)Q.push({value:F,$ref:V(_.$ref,"$ref",!1,L,[...N,"$ref"]),display:V(_.display,"display",!1,L,[...N,"display"]),type:V(_.type,"type",!1,L,[...N,"type"])})}return Q.length>0?Q:void 0}function t$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"roles must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"role must be an object",path:N});continue}let _=Y,F=V(_.value,"value",!0,L,[...N,"value"]);if(F)Q.push({value:F,display:V(_.display,"display",!1,L,[...N,"display"]),type:V(_.type,"type",!1,L,[...N,"type"]),primary:Y$(_.primary,"primary",L,[...N,"primary"])})}return Q.length>0?Q:void 0}function i$($,L,X){if($===void 0||$===null)return;if(typeof $!=="object"||$===null){L.push({message:"Enterprise User extension must be an object",path:X});return}let Q=$,Z={};if(Z.employeeNumber=V(Q.employeeNumber,"employeeNumber",!1,L,[...X,"employeeNumber"]),Z.costCenter=V(Q.costCenter,"costCenter",!1,L,[...X,"costCenter"]),Z.organization=V(Q.organization,"organization",!1,L,[...X,"organization"]),Z.division=V(Q.division,"division",!1,L,[...X,"division"]),Z.department=V(Q.department,"department",!1,L,[...X,"department"]),Q.manager!==void 0&&Q.manager!==null)if(typeof Q.manager!=="object"||Q.manager===null)L.push({message:"manager must be an object",path:[...X,"manager"]});else{let Y=Q.manager;Z.manager={value:V(Y.value,"value",!1,L,[...X,"manager","value"]),$ref:V(Y.$ref,"$ref",!1,L,[...X,"manager","$ref"]),displayName:V(Y.displayName,"displayName",!1,L,[...X,"manager","displayName"])}}return Z}function o$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let 
X=L,Q=[],Z={},Y=V(X.userName,"userName",!0,Q,["userName"]);if(!Y)return{issues:Q};Z.userName=Y,Z.id=V(X.id,"id",!1,Q,["id"]),Z.externalId=V(X.externalId,"externalId",!1,Q,["externalId"]),Z.displayName=V(X.displayName,"displayName",!1,Q,["displayName"]),Z.nickName=V(X.nickName,"nickName",!1,Q,["nickName"]),Z.profileUrl=V(X.profileUrl,"profileUrl",!1,Q,["profileUrl"]),Z.title=V(X.title,"title",!1,Q,["title"]),Z.userType=V(X.userType,"userType",!1,Q,["userType"]),Z.preferredLanguage=V(X.preferredLanguage,"preferredLanguage",!1,Q,["preferredLanguage"]),Z.locale=V(X.locale,"locale",!1,Q,["locale"]),Z.timezone=V(X.timezone,"timezone",!1,Q,["timezone"]),Z.password=V(X.password,"password",!1,Q,["password"]),Z.active=Y$(X.active,"active",Q,["active"]),Z.name=g$(X.name,Q,["name"]),Z.emails=d$(X.emails,Q,["emails"]),Z.phoneNumbers=l$(X.phoneNumbers,Q,["phoneNumbers"]),Z.addresses=u$(X.addresses,Q,["addresses"]),Z.groups=n$(X.groups,Q,["groups"]),Z.roles=t$(X.roles,Q,["roles"]);let N="urn:ietf:params:scim:schemas:extension:enterprise:2.0:User";if(X[N]!==void 0)Z[N]=i$(X[N],Q,[N]);if(X.schemas!==void 0)if(Array.isArray(X.schemas))Z.schemas=X.schemas.filter((_)=>typeof _==="string");else Q.push({message:"schemas must be an array",path:["schemas"]});if(X.meta!==void 0)if(typeof X.meta==="object"&&X.meta!==null){let _=X.meta;Z.meta={resourceType:typeof _.resourceType==="string"?_.resourceType:void 0,created:typeof _.created==="string"?_.created:void 0,lastModified:typeof _.lastModified==="string"?_.lastModified:void 0,location:typeof _.location==="string"?_.location:void 0,version:typeof _.version==="string"?_.version:void 0}}else Q.push({message:"meta must be an object",path:["meta"]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}function a$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"members must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"member 
must be an object",path:N});continue}let _=Y,F=V(_.value,"value",!0,L,[...N,"value"]);if(F){let y=V(_.type,"type",!1,L,[...N,"type"]);Q.push({value:F,$ref:V(_.$ref,"$ref",!1,L,[...N,"$ref"]),display:V(_.display,"display",!1,L,[...N,"display"]),type:y==="User"||y==="Group"?y:void 0})}}return Q.length>0?Q:void 0}function r$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={},Y=V(X.displayName,"displayName",!0,Q,["displayName"]);if(!Y)return{issues:Q};if(Z.displayName=Y,Z.id=V(X.id,"id",!1,Q,["id"]),Z.externalId=V(X.externalId,"externalId",!1,Q,["externalId"]),Z.members=a$(X.members,Q,["members"]),X.schemas!==void 0)if(Array.isArray(X.schemas))Z.schemas=X.schemas.filter((N)=>typeof N==="string");else Q.push({message:"schemas must be an array",path:["schemas"]});if(X.meta!==void 0)if(typeof X.meta==="object"&&X.meta!==null){let N=X.meta;Z.meta={resourceType:typeof N.resourceType==="string"?N.resourceType:void 0,created:typeof N.created==="string"?N.created:void 0,lastModified:typeof N.lastModified==="string"?N.lastModified:void 0,location:typeof N.location==="string"?N.location:void 0,version:typeof N.version==="string"?N.version:void 0}}else Q.push({message:"meta must be an object",path:["meta"]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}function s$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={...X},Y=["iss","sub"];for(let F of Y)if(F in X){if(typeof X[F]!=="string")Q.push({message:`${F} must be a string`,path:[F]})}else Q.push({message:`${F} is required`,path:[F]});if("aud"in X&&X.aud!==void 0){let F=X.aud;if(typeof F!=="string"&&!Array.isArray(F))Q.push({message:"aud must be a string or array of strings",path:["aud"]});else if(Array.isArray(F)&&!F.every((y)=>typeof y==="string"))Q.push({message:"aud array must contain only 
strings",path:["aud"]})}let N=["jti","scope"];for(let F of N)if(F in X&&X[F]!==void 0){if(typeof X[F]!=="string")Q.push({message:`${F} must be a string`,path:[F]})}let _=["exp","iat"];for(let F of _)if(F in X){if(typeof X[F]!=="number")Q.push({message:`${F} must be a number`,path:[F]})}else Q.push({message:`${F} is required`,path:[F]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}function e$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={};if("access_token"in X)if(typeof X.access_token==="string")Z.access_token=X.access_token;else Q.push({message:"access_token must be a string",path:["access_token"]});else Q.push({message:"access_token is required",path:["access_token"]});if("token_type"in X)if(typeof X.token_type==="string")Z.token_type=X.token_type;else Q.push({message:"token_type must be a string",path:["token_type"]});else Q.push({message:"token_type is required",path:["token_type"]});if("scope"in X)if(typeof X.scope==="string"||X.scope===void 0)Z.scope=X.scope;else Q.push({message:"scope must be a string",path:["scope"]});if("refresh_token"in X)if(typeof X.refresh_token==="string"||X.refresh_token===void 0)Z.refresh_token=X.refresh_token;else Q.push({message:"refresh_token must be a string",path:["refresh_token"]});if("expires"in X)if(typeof X.expires==="string"||X.expires===void 0)Z.expires=X.expires;else Q.push({message:"expires must be a string",path:["expires"]});if("expires_in"in X)if(typeof X.expires_in==="number"||X.expires_in===void 0)Z.expires_in=X.expires_in;else Q.push({message:"expires_in must be a number",path:["expires_in"]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}class q${users=new Map;emailIndex=new Map;userNameIndex=new Map;async get($){return this.users.get($)??null}async getByEmail($){let L=this.emailIndex.get($.toLowerCase());if(!L)return null;return this.users.get(L)??null}async getByUserName($){let 
L=this.userNameIndex.get($.toLowerCase());if(!L)return null;return this.users.get(L)??null}async upsert($){let L=this.users.get($.id);if(L){if(L.email&&L.email.toLowerCase()!==$.email?.toLowerCase())this.emailIndex.delete(L.email.toLowerCase());if(L.userName&&L.userName.toLowerCase()!==$.userName?.toLowerCase())this.userNameIndex.delete(L.userName.toLowerCase())}if(this.users.set($.id,$),$.email)this.emailIndex.set($.email.toLowerCase(),$.id);if($.userName)this.userNameIndex.set($.userName.toLowerCase(),$.id)}async delete($){let L=this.users.get($);if(L){if(L.email)this.emailIndex.delete(L.email.toLowerCase());if(L.userName)this.userNameIndex.delete(L.userName.toLowerCase())}this.users.delete($)}}function N$($){$=$??"Workload authentication unavailable",new Response(JSON.stringify({error:$}),{status:503,statusText:$,headers:{"Content-Type":"application/json"}})}async function C0($,L){let X=a(L)?.workload;if(!X)return;return X.getWorkload($)}async function b0($,L){let X=a(L)?.workload;if(!X)throw N$();return X.getToken($)}async function k0($,L){let X=a(L)?.workload;if(!X)return{valid:!1,error:"Workload authentication unavailable"};let Q=$.headers.get("Authorization");if(!Q||!Q.startsWith("Bearer "))return{valid:!1,error:"Missing or invalid Authorization header"};let Z=Q.substring(7);return X.validateToken(Z)}async function v0($,L){let X=a(L)?.workload;if(!X)throw N$();return X.revokeToken($)}async function h0($,L){let X=a(L)?.workload;if(!X)throw N$();return X.handler($)}async function u0($,L){let X;if(process.env.ES_VAULT_TYPE)X=X$();else if($.startsWith("IONITE_PUBLIC_DEMO_"))X=X$({type:"openbao",url:"https://vault-ionite.ionite.dev/v1/secret/data",token:"hvs.VGhD2hmXDH9PmZjTacZx0G5K"}),L=L??{},L.vaultPath=`public/${$}`;else X=X$();let Q=L?.vaultPath||process.env.ES_VAULT_PATH||`enterprisestandard/${$}`,Z=await X.getSecret(Q),Y=await $0(L),N={defaultInstance:L?.defaultInstance===!0,handler:async()=>{return new Response("Not Found",{status:404})}};return 
N.workload=A$(Y.workload,Z?.workload,L?.workload),N.sso=F$(Y.sso,Z?.sso,L?.sso),N.iam=W$(Y.iam,N.workload,Z?.iam,L?.iam),N.tenants=K$(Y.tenant,Z?.tenant,L?.tenant),N.handler=async(_)=>{let y=new URL(_.url).pathname,n=(E)=>{if(!E)return;try{return new URL(E).pathname}catch{return E.startsWith("/")?E:`/${E}`}},v=(E)=>{if(!E)return!1;return n(E)===y},t=(E)=>{if(!E)return!1;let w=n(E);if(!w)return!1;return y===w||y.startsWith(`${w}/`)};if(N.sso){let E=N.sso.config;if(v(E.loginUrl)||v(E.userUrl)||v(E.logoutUrl)||v(E.logoutBackChannelUrl)||v(E.tokenUrl)||v(E.refreshUrl)||v(E.jwksUrl)||v(E.redirectUri))return N.sso.handler(_)}if(N.iam){let E=N.iam;if(t(E.usersUrl)||t(E.groupsUrl))return N.iam.handler(_)}if(N.workload){let E=N.workload.config,b=E._handlerTokenUrl||(E.tokenUrl?.startsWith("/")?E.tokenUrl:void 0)||(E.tokenUrl&&!E.tokenUrl.startsWith("http")?E.tokenUrl:void 0),C="validateUrl"in E?E.validateUrl:void 0,h="jwksUrl"in E?E.jwksUrl:void 0,g="refreshUrl"in E?E.refreshUrl:void 0;if(v(b)||v(C)||v(h)||v(g))return N.workload.handler(_)}return new Response("Not Found",{status:404})},j$(N),N}async function $0($){if($?.validators)return $.validators;try{let{createValidators:L}=await import("@enterprisestandard/react-validators-zod");if(L&&typeof L==="function")return L()}catch{}try{let{createValidators:L}=await import("@enterprisestandard/react-validators-valibot");if(L&&typeof L==="function")return L()}catch{}throw Error("No validators found. Install the appropriate validator package such as zod or valibot. 
For example: bun i @enterprisestandard/react-validators-zod")}export{e$ as workloadTokenResponseSchema,h0 as workloadHandler,A$ as workload,X$ as vault,_$ as validationFailureResponse,k0 as validateWorkloadToken,o$ as userSchema,p$ as tokenResponseSchema,K$ as tenantManagement,F$ as sso,$$ as serializeESConfig,m$ as sendTenantWebhook,v0 as revokeWorkloadToken,h$ as parseTenantRequest,f$ as oidcCallbackSchema,s$ as jwtAssertionClaimsSchema,I0 as initiateLogin,c$ as idTokenClaimsSchema,W$ as iam,r$ as groupResourceSchema,b0 as getWorkloadToken,C0 as getWorkload,z0 as getUser,x0 as getRequiredUser,M$ as getDefaultInstance,u0 as enterpriseStandard,E0 as callback,P$ as TenantRequestError,Q$ as InMemoryWorkloadTokenStore,q$ as InMemoryUserStore,x$ as InMemoryTenantStore,S$ as InMemorySessionStore,w$ as InMemoryGroupStore};
|
|
9
|
+
`,{status:200,headers:[["Content-Type","text/html"],...M]})}async function v(K){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");if(!Y.sessionStore)throw Error("Back-Channel Logout requires sessionStore configuration");try{let W=K.headers.get("content-type");if(!W||!W.includes("application/x-www-form-urlencoded"))return new Response("Invalid Content-Type, expected application/x-www-form-urlencoded",{status:400});let M=await K.text(),A=new URLSearchParams(M).get("logout_token");if(!A)return new Response("Missing logout_token parameter",{status:400});let B=(await f(A)).sid;if(!B)return console.warn("Back-Channel Logout: logout_token missing sid claim"),new Response("Invalid logout_token: missing sid claim",{status:400});return await Y.sessionStore.delete(B),console.log(`Back-Channel Logout: successfully deleted session ${B}`),new Response("OK",{status:200})}catch(W){return console.error("Error during back-channel logout:",W),new Response("Internal Server Error",{status:500})}}async function t(K){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");let W=new URL(K.url),M=new URLSearchParams(W.search),G=Object.fromEntries(M.entries()),A=await $.callbackParams["~standard"].validate(G);if(A.issues)return _$(A.issues,"OIDC callback parameters validation failed");let{code:H,state:B}=A.value;try{let J=I("state",K,!0),{codeVerifier:z,state:x,landingUrl:j}=J??{};if(c(z,'OIDC "codeVerifier" was not present in cookies, ensure that the SSO login was initiated correctly'),c(x,'OIDC "stateVerifier" was not present in cookies, ensure that the SSO login was initiated correctly'),c(j,'OIDC "landingUrl" was not present in cookies'),B!==x)throw Error('SSO State Verifier failed, the "state" request parameter does not equal the "state" in the SSO cookie');let k=await w(H,z,K.url),m=await E(k);if(Y.sessionStore)try{let P=m.sso.profile.sid,p=m.id;if(P&&p){let o={sid:P,sub:p,createdAt:new Date,lastActivityAt:new Date};await Y.sessionStore.create(o)}else 
console.warn("Session creation skipped: missing sid or sub in ID token claims")}catch(P){console.warn("Failed to create session:",P)}if(Y.userStore)try{let P=m.id;if(P){let p=new Date,o=await Y.userStore.get(P);if(o||Y.enableJitUserProvisioning){let G$={...o??{},...m,id:P,createdAt:o?.createdAt??p,updatedAt:p};await Y.userStore.upsert(G$)}else console.warn("JIT user provisioning disabled: user not found in store and will not be created")}else console.warn("User storage skipped: missing sub in ID token claims")}catch(P){console.warn("Failed to store user:",P)}return new Response("Authentication successful, redirecting",{status:302,headers:[["Location",j],["Set-Cookie",S("state")],...R(k,m.sso.expires)]})}catch(J){console.error("Error during sign-in callback:",J);try{let z=I("state",K,!0),{errorUrl:x}=z??{};if(x)return new Response("Redirecting to error url",{status:302,headers:[["Location",x]]})}catch(z){console.warn("Error parsing the errorUrl from the OIDC cookie")}return console.warn("No error page was found in the cookies. 
The user will be shown a default error page."),new Response("An error occurred during authentication, please return to the application homepage and try again.",{status:500})}}async function E(K){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");let W=await f(K.id_token),M=Number(K.refresh_expires_in??K.expires_in??3600),G=K.expires?new Date(K.expires):new Date(Date.now()+M*1000);return{id:W.sub,userName:W.preferred_username||"",name:W.name||"",email:W.email||"",emails:[{value:W.email||"",primary:!0}],avatarUrl:W.picture,sso:{profile:{...W,iss:W.iss||Y.authority,aud:W.aud||Y.clientId},tenant:{id:W.idp||W.iss||Y.authority||"",name:W.iss||Y.authority||""},scope:K.scope,tokenType:K.token_type,sessionState:K.session_state,expires:G}}}async function w(K,W,M){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");N();let{tokenUrl:G,redirectUri:A}=Y;try{new URL(A)}catch{if(M)try{let B=new URL(M),J=A.startsWith("//")?A.slice(1):A.startsWith("/")?A:`/${A}`;A=new URL(J,B.origin).toString()}catch{try{let B=new URL(G),J=A.startsWith("//")?A.slice(1):A.startsWith("/")?A:`/${A}`;A=new URL(J,B.origin).toString()}catch{throw Error(`Invalid redirectUri: "${Y.redirectUri}". 
It must be a valid absolute URL.`)}}}let H=new URLSearchParams;if(H.append("grant_type","authorization_code"),H.append("code",K),H.append("redirect_uri",A),H.append("client_id",Y.clientId),Y.clientSecret)H.append("client_secret",Y.clientSecret);H.append("code_verifier",W);try{let B=await fetch(G,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:H.toString()}),J=await B.json();if(!B.ok){console.error("Token exchange error:",J);let x=J;throw Error(`Token exchange failed: ${x.error||B.statusText} - ${x.error_description||""}`.trim())}let z=await $.tokenResponse["~standard"].validate(J);if(z.issues)throw console.error("Token response validation failed:",z.issues),Error(`Token response validation failed: ${z.issues}`);return z.value}catch(B){throw console.error("Error during token exchange:",B),B}}async function b(K){return g(async()=>{if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");N();let W=Y.tokenUrl,M=new URLSearchParams;M.append("grant_type","refresh_token"),M.append("refresh_token",K),M.append("client_id",Y.clientId);let G=await fetch(W,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:M.toString()}),A=await G.json();if(!G.ok){console.error("Token refresh error:",A);let H=A;throw Error(`Token refresh failed: ${H.error||G.statusText} - ${H.error_description||""}`.trim())}return A})}async function C(K){try{if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");if(!Y.revocationEndpoint)return;let W=new URLSearchParams;W.append("token",K),W.append("token_type_hint","refresh_token"),W.append("client_id",Y.clientId);let M=await fetch(Y.revocationEndpoint,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:W.toString()});if(!M.ok)console.warn("Token revocation failed:",M.status,M.statusText);else console.log("Token revoked successfully")}catch(W){console.warn("Error revoking token:",W)}}async 
function h(){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");if(!Y.jwksUri&&!Y.authority)throw Error("Missing 'jwksUri' or 'authority' from SSO Config. OIDC configuration is required for this operation.");let K=Y.jwksUri||`${Y.authority}/protocol/openid-connect/certs`,W=z$.get(K);if(W)return W;return g(async()=>{if(!Y)throw Error("SSO Manager not initialized");let M=await fetch(K);if(!M.ok)throw Error("Failed to fetch JWKS");let G=await M.json();return z$.set(K,G),G})}async function g(K,W=3,M=1000,G=30000){let A=Error("Placeholder Error");for(let H=0;H<=W;H++)try{return await K()}catch(B){if(A=B instanceof Error?B:Error(String(B)),B instanceof Error&&B.message.includes("400"))throw B;if(H===W)throw A;let J=Math.min(M*2**H,G),z=Math.random()*0.1*J;await new Promise((x)=>setTimeout(x,J+z)),console.warn(`Retry attempt ${H+1} after ${J+z}ms delay`)}throw A}async function f(K){try{let W=K.split(".");if(W.length!==3)throw Error("Invalid JWT");let M=JSON.parse(atob(W[0].replace(/-/g,"+").replace(/_/g,"/"))),G=JSON.parse(atob(W[1].replace(/-/g,"+").replace(/_/g,"/"))),A=W[2].replace(/-/g,"+").replace(/_/g,"/"),H=await u(M.kid),J=new TextEncoder().encode(`${W[0]}.${W[1]}`);if(!await crypto.subtle.verify("RSASSA-PKCS1-v1_5",H,Uint8Array.from(atob(A),(j)=>j.charCodeAt(0)),J))throw Error("Invalid JWT signature");let x=await $.idTokenClaims["~standard"].validate(G);if(x.issues)throw console.error("ID token claims validation failed:",x.issues),Error(`ID token claims validation failed: ${x.issues}`);return x.value}catch(W){throw console.error("Error verifying JWT:",W),W}}function l(K=32){let W=new Uint8Array(K);return crypto.getRandomValues(W),Array.from(W,(M)=>M.toString(16).padStart(2,"0")).join("").substring(0,K)}async function i(K){let M=new TextEncoder().encode(K),G=await crypto.subtle.digest("SHA-256",M),A=Array.from(new Uint8Array(G));return btoa(String.fromCharCode(...A)).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}async function u(K){let 
M=(await h()).keys.find((A)=>A.kid===K);if(!M)throw Error("Public key not found");return await crypto.subtle.importKey("jwk",{kty:M.kty,n:M.n,e:M.e},{name:"RSASSA-PKCS1-v1_5",hash:"SHA-256"},!1,["verify"])}function R(K,W){let M={expires_in:K.expires_in,refresh_expires_in:K.refresh_expires_in,scope:K.scope,session_state:K.session_state,token_type:K.token_type,expires:W.toISOString()};return[["Set-Cookie",T("access",K.access_token,W)],["Set-Cookie",T("id",K.id_token,W)],["Set-Cookie",T("refresh",K.refresh_token??"",W)],["Set-Cookie",T("control",M,W)]]}async function q(K){let W=I("access",K),M=I("id",K),G=I("refresh",K),A=I("control",K,!0);if(!W||!M||!G||!A)return{tokens:void 0,refreshHeaders:[]};let H={access_token:W,id_token:M,refresh_token:G,...A};if(A.expires&&G&&Date.now()>new Date(A.expires).getTime()){H=await b(G);let B=await E(H),J=R(H,B.sso.expires);return{tokens:H,refreshHeaders:J}}return{tokens:H,refreshHeaders:[]}}async function D(K){let{tokens:W}=await q(K);if(!W)return;return W.access_token}function T(K,W,M){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");if(K=`${Y.cookiesPrefix}.${K}`,typeof W!=="string")W=btoa(JSON.stringify(W));let G;if(M instanceof Date)G=`Expires=${M.toUTCString()}`;else if(typeof M==="number")G=`Max-Age=${M}`;else throw Error("Invalid expires type",M);if(W.length>4000)throw Error(`Error setting cookie: ${K}. Cookie length is: ${W.length}`);return`${K}=${W}; ${G}; Path=${Y.cookiesPath}; HttpOnly;${Y.cookiesSecure?" Secure;":""} SameSite=${Y.cookiesSameSite};`}function S(K){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");return`${Y.cookiesPrefix}.${K}=; Max-Age=0; Path=${Y.cookiesPath}; HttpOnly;${Y.cookiesSecure?" 
Secure;":""} SameSite=${Y.cookiesSameSite};`}function I(K,W,M=!1){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");let G=W.headers.get("cookie");if(!G)return null;let A=G.split(";").find((J)=>J.trim().startsWith(`${Y.cookiesPrefix}.${K}=`));if(!A)return null;let H=A.split("=")[1].trim();if(!M)return H;let B=atob(H);return JSON.parse(B)}async function O(K,W){if(!Y)throw Error("Enterprise Standard SSO Manager not initialized");let{loginUrl:M,userUrl:G,errorUrl:A,landingUrl:H,tokenUrl:B,refreshUrl:J,logoutUrl:z,logoutBackChannelUrl:x,jwksUrl:j,redirectUri:k}={...Y,...W},m=new URL(K.url).pathname;if(k){let P;try{P=new URL(k).pathname}catch{try{let p=new URL(K.url),o=k.startsWith("//")?k.slice(1):k;P=new URL(o,p.origin).pathname}catch{P=k.startsWith("/")?k:`/${k}`}}if(P===m)return t(K)}if(M===m)return y({landingUrl:H||"/",errorUrl:A},K.url);if(G===m){let{tokens:P,refreshHeaders:p}=await q(K);if(!P)return new Response("User not logged in",{status:401});let o=await E(P);return new Response(JSON.stringify(o),{headers:[["Content-Type","application/json"],...p]})}if(B===m){let{tokens:P,refreshHeaders:p}=await q(K);if(!P)return new Response("User not logged in",{status:401});return new Response(JSON.stringify({token:P.access_token,expires:P.expires}),{headers:[["Content-Type","application/json"],...p]})}if(J===m){let P=I("refresh",K);if(!P)return new Response("User not logged in",{status:401});let p=await b(P),o=await E(p),G$=R(p,o.sso.expires);return new Response("Refresh Complete",{status:200,headers:G$})}if(z===m)return n(K,{landingUrl:H||"/"});if(x===m)return v(K);if(j===m){let P=await h();return new Response(JSON.stringify(P),{headers:[["Content-Type","application/json"]]})}return new Response("Not Found",{status:404})}return{config:Y,getUser:_,getRequiredUser:F,getJwt:D,initiateLogin:y,logout:n,callbackHandler:t,handler:O}}function K$($,L,X){if(!L&&!X)return;let Q={...L,...X};async function Z(Y){if(Y.method!=="POST")throw Error("Only POST method is 
supported");let N;try{N=await Y.json()}catch(y){throw Error("Invalid JSON in request body")}if(typeof N!=="object"||N===null)throw Error("Request body must be an object");let _=await $.createTenantRequest["~standard"].validate(N);if(_.issues)return _;let F=_.value.tenantUrl;try{new URL(F)}catch{try{let y=new URL(Y.url),n=F.startsWith("//")?F.slice(1):F.startsWith("/")?F:`/${F}`;_.value.tenantUrl=new URL(n,y.origin).toString()}catch{throw Error(`Invalid tenantUrl: "${_.value.tenantUrl}". It must be a valid absolute URL or relative path.`)}}return _}return{config:Q,parseTenantRequest:Z,sendTenantWebhook:v$}}async function v$($,L){try{let X=await fetch($,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(L)});if(!X.ok)console.error(`Failed to send webhook update: ${X.status} ${X.statusText}`)}catch(X){console.error("Failed to send webhook update:",X)}}class x${tenants=new Map;companyIdIndex=new Map;async get($){return this.tenants.get($)??null}async getByCompanyId($){let L=this.companyIdIndex.get($);if(!L||L.size===0)return[];let X=[];for(let Q of L){let Z=this.tenants.get(Q);if(Z)X.push(Z)}return X}async list(){return Array.from(this.tenants.values())}async upsert($){let L=this.tenants.get($.appId);if(L&&L.companyId!==$.companyId){let Q=this.companyIdIndex.get(L.companyId);if(Q){if(Q.delete($.appId),Q.size===0)this.companyIdIndex.delete(L.companyId)}}this.tenants.set($.appId,$);let X=this.companyIdIndex.get($.companyId);if(!X)X=new Set,this.companyIdIndex.set($.companyId,X);return X.add($.appId),$}async delete($){let L=this.tenants.get($);if(L){let X=this.companyIdIndex.get(L.companyId);if(X){if(X.delete($),X.size===0)this.companyIdIndex.delete(L.companyId)}}this.tenants.delete($)}}function I$($){async function L(X){throw Error("Error retrieving secret",{cause:Error("Not implemented")})}return{type:$.type,getFullSecret:L,getSecret:async(X)=>{return(await L(X)).data}}}function E$($){let 
L=$.url||process.env.ES_VAULT_URL,X=$.token||process.env.ES_VAULT_TOKEN;if(!L||!X)throw Error("ES_VAULT_URL and ES_VAULT_TOKEN must be set");async function Q(Z){let Y=await fetch(`${L}/${Z}`,{headers:{"X-Vault-Token":X}});if(Y.status!==200)throw Error(`Vault returned invalid status, ${Y.status}: '${Y.statusText}' from URL: ${L}/${Z}`);try{return(await Y.json()).data}catch(N){throw Error("Error retrieving secret",{cause:N})}}return{type:"openbao",getFullSecret:Q,getSecret:async(Z)=>{return(await Q(Z)).data}}}function X$($){if(!$?.type){let L=process.env.ES_VAULT_TYPE;if(!L)throw Error("process.env.ES_VAULT_TYPE is not set");else $={type:L}}if($.type==="lfv")return I$($);else if($.type==="azure")throw Error("Azure vault is not supported");else if($.type==="aws")throw Error("AWS vault is not supported");else if($.type==="gcp")throw Error("GCP vault is not supported");else if($.type==="openbao")return E$($);else if($.type==="dev")throw Error("Dev vault is not supported");throw Error(`Invalid vault config: ${$}`)}class Q${tokens=new Map;async set($){this.tokens.set($.workload_id,$)}async get($){let L=this.tokens.get($);if(!L)return null;if(Date.now()>L.expires_at.getTime())return this.tokens.delete($),null;return L}async delete($){this.tokens.delete($)}async isValid($){return await this.get($)!==null}async cleanup(){let $=Date.now();for(let[L,X]of this.tokens.entries())if($>X.expires_at.getTime())this.tokens.delete(L)}}var O$=new Map;function d($){if($===void 0||$===null)return!1;let L=$;return L.workloadId!==void 0&&L.workloadId!==null||L.privateKey!==void 0&&L.privateKey!==null}function r($){if($===void 0||$===null)return!1;let L=$,X=L.clientId!==void 0&&L.clientId!==null,Q=L.clientSecret!==void 0&&L.clientSecret!==null,Z=L.workloadId!==void 0&&L.workloadId!==null,Y=L.privateKey!==void 0&&L.privateKey!==null;return(X||Q)&&!Z&&!Y}function T$($){if($===void 0||$===null)return!1;let L=$,X=L.jwksUri!==void 0&&L.jwksUri!==null,Q=L.workloadId!==void 
0&&L.workloadId!==null,Z=L.clientId!==void 0&&L.clientId!==null,Y=L.clientSecret!==void 0&&L.clientSecret!==null,N=L.privateKey!==void 0&&L.privateKey!==null;return X&&!Q&&!N&&!Z&&!Y}function A$($,L,X){if(!L&&!X)return;let Q=L?.tokenUrl,Z=X?.tokenUrl,Y=Q&&(Q.startsWith("http://")||Q.startsWith("https://"))?Q:Z&&(Z.startsWith("http://")||Z.startsWith("https://"))?Z:void 0,N=Z?.startsWith("/")?Z:void 0,_={...L,...X,tokenUrl:Y||N||Q||Z};_._handlerTokenUrl=N,_._oauth2TokenUrl=Y;let F,y=_,n=d(_),v=r(_),t=T$(_);if(!n&&!v&&!t&&Object.keys(_).length>0)console.error("WorkloadConfig validation failed. Config:",{keys:Object.keys(_),clientId:y.clientId,clientSecret:y.clientSecret?"[REDACTED]":void 0,workloadId:y.workloadId,privateKey:y.privateKey?"[REDACTED]":void 0,jwksUri:y.jwksUri,tokenUrl:y.tokenUrl,fromVaultKeys:L?Object.keys(L):[],fromCodeKeys:X?Object.keys(X):[]});if(n)F={..._,tokenUrl:c(_.tokenUrl,"Missing 'tokenUrl' from Workload Config"),workloadId:c(_.workloadId,"Missing 'workloadId' from Workload Config"),privateKey:c(_.privateKey,"Missing 'privateKey' from Workload Config"),audience:c(_.audience,"Missing 'audience' from Workload Config"),scope:_.scope??"",algorithm:_.algorithm??"RS256",tokenLifetime:_.tokenLifetime??300,refreshThreshold:_.refreshThreshold??60,autoRefresh:_.autoRefresh!==void 0?_.autoRefresh:!0,tokenStore:_.tokenStore??new Q$};else if(r(_))F={..._,tokenUrl:c(_.tokenUrl,"Missing 'tokenUrl' from Workload Config"),clientId:c(_.clientId,"Missing 'clientId' from Workload Config"),clientSecret:c(_.clientSecret,"Missing 'clientSecret' from Workload Config"),scope:_.scope??"",tokenLifetime:_.tokenLifetime??300,refreshThreshold:_.refreshThreshold??60,autoRefresh:_.autoRefresh!==void 0?_.autoRefresh:!0,tokenStore:_.tokenStore??new Q$};else if(T$(_))F=_;else throw Error("Invalid WorkloadConfig: must provide the correct config for one of the following modes: JWT Bearer Grant, OAuth2 Client Credentials, or Server-Only");function E(){let M=new 
Uint8Array(16);return crypto.getRandomValues(M),Array.from(M,(G)=>G.toString(16).padStart(2,"0")).join("")}function w(M){let G;if(typeof M==="string")G=btoa(M);else G=btoa(String.fromCharCode(...M));return G.replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}function b(M){let G=M.replace(/-/g,"+").replace(/_/g,"/");while(G.length%4)G+="=";return atob(G)}function C(M){if(M.startsWith("RS"))return{name:"RSASSA-PKCS1-v1_5",hash:M==="RS256"?"SHA-256":M==="RS384"?"SHA-384":"SHA-512"};else if(M.startsWith("ES"))return{name:"ECDSA",namedCurve:M==="ES256"?"P-256":M==="ES384"?"P-384":"P-521",hash:M==="ES256"?"SHA-256":M==="ES384"?"SHA-384":"SHA-512"};throw Error(`Unsupported algorithm: ${M}`)}async function h(M,G){let A=M.replace(/-----BEGIN PRIVATE KEY-----/,"").replace(/-----END PRIVATE KEY-----/,"").replace(/\s/g,""),H=Uint8Array.from(atob(A),(J)=>J.charCodeAt(0)),B=C(G);return crypto.subtle.importKey("pkcs8",H,B,!1,["sign"])}async function g(M,G,A){let H=await h(G,A),J=new TextEncoder().encode(M),z=C(A),x=await crypto.subtle.sign(z,H,J);return w(new Uint8Array(x))}async function f(M,G=3,A=1000,H=30000){let B=Error("Placeholder Error");for(let J=0;J<=G;J++)try{return await M()}catch(z){if(B=z instanceof Error?z:Error(String(z)),B.message.includes("400")||B.message.includes("401")||B.message.includes("403")||B.message.includes("404"))throw B;if(J<G){let x=Math.min(A*2**J,H),j=Math.random()*x*0.1;await new Promise((k)=>setTimeout(k,x+j))}}throw B}async function l(M){if(!d(F))throw Error("generateJWTAssertion is only available in JWT Bearer Grant mode");let G=F,A=Math.floor(Date.now()/1000),H={iss:G.workloadId,sub:G.workloadId,aud:G.audience??"",exp:A+G.tokenLifetime,iat:A,jti:E(),scope:M??G.scope},B={alg:G.algorithm,typ:"JWT",kid:G.keyId},J=w(JSON.stringify(B)),z=w(JSON.stringify(H)),x=`${J}.${z}`,j=await g(x,G.privateKey,G.algorithm);return`${x}.${j}`}async function i(M){if(!d(F))throw Error("generateJWTAssertion is only available in JWT Bearer Grant mode");let 
G=F;return f(async()=>{let A=G.tokenUrl,H=await l(M),B=new URLSearchParams;if(B.append("grant_type","urn:ietf:params:oauth:grant-type:jwt-bearer"),B.append("assertion",H),M)B.append("scope",M);let J=await fetch(A,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:B.toString()}),z=await J.json();if(!J.ok)throw console.error("Token acquisition error:",z),Error(`Token acquisition failed: ${z.error||J.statusText} - ${z.error_description||""}`.trim());let x=await $.tokenResponse["~standard"].validate(z);if(x.issues)throw console.error("Token response validation failed:",x.issues),Error(`Token response validation failed: ${x.issues.map((j)=>j.message).join("; ")}`);if(G.tokenStore){let j=new Date(Date.now()+(x.value.expires_in??300)*1000),k={workload_id:G.workloadId,access_token:x.value.access_token,token_type:x.value.token_type,scope:x.value.scope,expires_at:j,created_at:new Date,refresh_token:x.value.refresh_token};await G.tokenStore.set(k)}return x.value})}async function u(M){if(!r(F))throw Error("acquireTokenClientCredentials is only available in OAuth2 Client Credentials mode");let G=F;return f(async()=>{let A=G.tokenUrl,H=new URLSearchParams;if(H.append("grant_type","client_credentials"),H.append("client_id",G.clientId),H.append("client_secret",G.clientSecret),M)H.append("scope",M);let B=await fetch(A,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:H.toString()}),J=await B.json();if(!B.ok)throw console.error("Token acquisition error:",J),Error(`Token acquisition failed: ${J.error||B.statusText} - ${J.error_description||""}`.trim());let z=await $.tokenResponse["~standard"].validate(J);if(z.issues)throw console.error("Token response validation failed:",z.issues),Error(`Token response validation failed: ${z.issues.map((x)=>x.message).join("; ")}`);if(G.tokenStore){let x=new 
Date(Date.now()+(z.value.expires_in??300)*1000),j={workload_id:G.clientId,access_token:z.value.access_token,token_type:z.value.token_type,scope:z.value.scope,expires_at:x,created_at:new Date,refresh_token:z.value.refresh_token};await G.tokenStore.set(j)}return z.value})}async function R(M){if(!d(F)&&!r(F)){let B=F;throw Error(`Acquiring tokens is only available in JWT Bearer Grant or OAuth2 Client Credentials mode. Current config: hasClientId=${!!B.clientId}, hasClientSecret=${!!B.clientSecret}, hasWorkloadId=${!!B.workloadId}, hasPrivateKey=${!!B.privateKey}, hasJwksUri=${!!B.jwksUri}`)}let G=F;M=M??G.scope;let A=d(F)?F.workloadId:F.clientId;if(G.tokenStore){let B=await G.tokenStore.get(A);if(B){let J=Date.now(),z=B.expires_at.getTime(),x=G.refreshThreshold*1000;if(J+x<z)return B.access_token;if(G.autoRefresh)try{return(d(F)?await i(M):await u(M)).access_token}catch(j){if(J<z)return console.warn("Token refresh failed, using cached token:",j),B.access_token;throw j}}}return(d(F)?await i(M):await u(M)).access_token}async function q(M){if(!d(F)&&!r(F))throw Error("Refreshing tokens is only available in JWT Bearer Grant or OAuth2 Client Credentials mode");let G=F;return M=M??G.scope,d(G)?await i(M):await u(M)}async function D(M){if(!d(F)&&!r(F))throw Error("Revoking tokens is only available in JWT Bearer Grant or OAuth2 Client Credentials mode");let G=F;try{if(!F.revocationEndpoint)return;let A=new URLSearchParams;if(A.append("token",M),A.append("token_type_hint","access_token"),d(F)){let B=F;A.append("client_id",B.workloadId)}else if(r(F)){let B=F;A.append("client_id",B.clientId),A.append("client_secret",B.clientSecret)}let H=await fetch(F.revocationEndpoint,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:A.toString()});if(!H.ok)console.warn("Token revocation failed:",H.status,H.statusText);else console.log("Token revoked successfully");if(F.tokenStore){let B;if(d(F))B=F.workloadId;else if(r(F))B=F.clientId;else return;await 
F.tokenStore.delete(B)}}catch(A){console.warn("Error revoking token:",A)}}async function T(){if(!F?.jwksUri)throw Error("No JWKS URI configured in Workload Config");let M=F.jwksUri,G=O$.get(M);if(G)return G;return f(async()=>{let A=await fetch(M);if(!A.ok)throw Error("Failed to fetch JWKS");let H=await A.json();return O$.set(M,H),H})}async function S(M){let A=(await T()).keys.find((J)=>J.kid===M);if(!A)throw Error("Public key not found");let H=d(F)?F.algorithm:"RS256",B=C(A.alg||H);return crypto.subtle.importKey("jwk",A,B,!1,["verify"])}async function I(M){try{let G=M.split(".");if(G.length!==3)throw Error("Invalid JWT");let A=JSON.parse(b(G[0])),H=JSON.parse(b(G[1])),B=await S(A.kid),J=G[2],x=new TextEncoder().encode(`${G[0]}.${G[1]}`),j=Uint8Array.from(b(J),(p)=>p.charCodeAt(0)),k=C(A.alg);if(!await crypto.subtle.verify(k,B,j,x))throw Error("Invalid JWT signature");let P=await $.jwtAssertionClaims["~standard"].validate(H);if(P.issues)throw console.error("JWT claims validation failed:",P.issues),Error(`JWT claims validation failed: ${P.issues.map((p)=>p.message).join("; ")}`);return P.value}catch(G){throw console.error("Error verifying JWT:",G),G}}async function O(M){if(!d(F)&&!r(F))throw Error("Validating tokens is only available in JWT Bearer Grant or OAuth2 Client Credentials mode");try{let G=await I(M),A=Math.floor(Date.now()/1000);if(G.exp&&G.exp<A)return{valid:!1,error:"Token expired"};if(d(F)){if(F.audience&&G.aud!==F.audience)return{valid:!1,error:"Invalid audience"}}else if(r(F)){if(F.issuer&&G.iss!==F.issuer)return{valid:!1,error:"Invalid issuer"};if(F.audience&&G.aud!==F.audience)return{valid:!1,error:"Invalid audience"}}else{let H=F;if(H.issuer&&G.iss!==H.issuer)return{valid:!1,error:"Invalid issuer"}}return{valid:!0,claims:G,expiresAt:G.exp?new Date(G.exp*1000):void 0}}catch(G){return{valid:!1,error:G instanceof Error?G.message:String(G)}}}async function K(M){let G=M.headers.get("Authorization");if(!G||!G.startsWith("Bearer "))return;let 
A=G.substring(7),H=await O(A);if(!H.valid||!H.claims)return;return{workloadId:H.claims.sub,clientId:typeof H.claims.client_id==="string"?H.claims.client_id:void 0,scope:H.claims.scope,claims:H.claims}}async function W(M){if(!F)throw Error("Enterprise Standard Workload Manager not initialized");let G=new URL(M.url).pathname,A=(j)=>{if(!j)return;try{return new URL(j).pathname}catch{return j.startsWith("/")?j:`/${j}`}},H=F._handlerTokenUrl;if(A(H||F.tokenUrl)===G&&M.method==="GET")try{let k=new URL(M.url).searchParams.get("scope")||void 0,m=await R(k);return new Response(JSON.stringify({access_token:m,token_type:"Bearer"}),{headers:[["Content-Type","application/json"]]})}catch(j){return console.error("Error in token endpoint:",j),new Response(JSON.stringify({error:j instanceof Error?j.message:"Internal server error"}),{status:500,headers:[["Content-Type","application/json"]]})}if(A(F.validateUrl)===G&&M.method==="POST"){let j=M.headers.get("Authorization");if(!j||!j.startsWith("Bearer "))return new Response(JSON.stringify({valid:!1,error:"Missing Authorization header"}),{status:401,headers:[["Content-Type","application/json"]]});let k=j.substring(7),m=await O(k);return new Response(JSON.stringify(m),{status:m.valid?200:401,headers:[["Content-Type","application/json"]]})}if(A(F.jwksUrl)===G&&M.method==="GET"){let j=await T();return new Response(JSON.stringify(j),{headers:[["Content-Type","application/json"]]})}if(A(F.refreshUrl)===G&&M.method==="POST")try{let j=await q();return new Response(JSON.stringify(j),{headers:[["Content-Type","application/json"]]})}catch(j){return console.error("Error in refresh endpoint:",j),new Response(JSON.stringify({error:j instanceof Error?j.message:"Internal server error"}),{status:500,headers:[["Content-Type","application/json"]]})}return new Response("Not Found",{status:404})}return{config:F,getToken:R,refreshToken:q,generateJWTAssertion:l,revokeToken:D,validateToken:O,getWorkloadIdentity:K,parseJWT:I,handler:W}}class w${groups=new 
Map;externalIdIndex=new Map;displayNameIndex=new Map;async get($){return this.groups.get($)??null}async getByExternalId($){let L=this.externalIdIndex.get($);if(!L)return null;return this.groups.get(L)??null}async getByDisplayName($){let L=this.displayNameIndex.get($.toLowerCase());if(!L)return null;return this.groups.get(L)??null}async list(){return Array.from(this.groups.values())}async upsert($){let L=this.groups.get($.id);if(L){if(L.externalId&&L.externalId!==$.externalId)this.externalIdIndex.delete(L.externalId);if(L.displayName.toLowerCase()!==$.displayName.toLowerCase())this.displayNameIndex.delete(L.displayName.toLowerCase())}if(this.groups.set($.id,$),$.externalId)this.externalIdIndex.set($.externalId,$.id);this.displayNameIndex.set($.displayName.toLowerCase(),$.id)}async delete($){let L=this.groups.get($);if(L){if(L.externalId)this.externalIdIndex.delete(L.externalId);this.displayNameIndex.delete(L.displayName.toLowerCase())}this.groups.delete($)}async addMember($,L){let X=this.groups.get($);if(!X)throw Error(`Group ${$} not found`);let Q=X.members??[];if(!Q.some((Z)=>Z.value===L.value))Q.push(L),X.members=Q,X.updatedAt=new Date}async removeMember($,L){let X=this.groups.get($);if(!X)throw Error(`Group ${$} not found`);if(X.members)X.members=X.members.filter((Q)=>Q.value!==L),X.updatedAt=new Date}}class S${sessions=new Map;async create($){if(this.sessions.has($.sid))throw Error(`Session with sid ${$.sid} already exists`);this.sessions.set($.sid,$)}async get($){return this.sessions.get($)??null}async update($,L){let X=this.sessions.get($);if(!X)throw Error(`Session with sid ${$} not found`);let Q={...X,...L};this.sessions.set($,Q)}async delete($){this.sessions.delete($)}}function R$($){return $=$??"SSO Unavailable",new Response(JSON.stringify({error:$}),{status:503,statusText:$,headers:{"Content-Type":"application/json"}})}async function z0($,L){return a(L)?.sso?.getUser($)}async function x0($,L){let X=a(L)?.sso;if(!X)throw Error("SSO has not been 
initialized");return X.getRequiredUser($)}async function I0($,L){let X=a(L)?.sso;if(!X)return R$();return X.initiateLogin($)}async function E0($,L){let X=a(L)?.sso;if(!X)return R$();return X.callbackHandler($)}async function h$($){let L=M$();if(!L?.tenants)throw Error("Tenant service not available. Ensure EnterpriseStandard is initialized with tenant configuration.");return L.tenants.parseTenantRequest($)}async function m$($,L){let X=M$();if(!X?.tenants)throw Error("Tenant service not available. Ensure EnterpriseStandard is initialized with tenant configuration.");return X.tenants.sendTenantWebhook($,L)}class P$ extends Error{constructor($){super($);this.name="TenantRequestError"}}function f$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={};if("code"in X)if(typeof X.code==="string")Z.code=X.code;else Q.push({message:"code must be a string",path:["code"]});else if(!("error"in X))Q.push({message:"code is required",path:["code"]});if("state"in X)if(typeof X.state==="string"||X.state===void 0)Z.state=X.state;else Q.push({message:"state must be a string",path:["state"]});if("session_state"in X)if(typeof X.session_state==="string"||X.session_state===void 0)Z.session_state=X.session_state;else Q.push({message:"session_state must be a string",path:["session_state"]});if("error"in X){if(typeof X.error==="string")Z.error=X.error;else Q.push({message:"error must be a string",path:["error"]});if("error_description"in X)if(typeof X.error_description==="string"||X.error_description===void 0)Z.error_description=X.error_description;else Q.push({message:"error_description must be a string",path:["error_description"]});if("error_uri"in X)if(typeof X.error_uri==="string"||X.error_uri===void 0)Z.error_uri=X.error_uri;else Q.push({message:"error_uri must be a string",path:["error_uri"]})}if("iss"in X)if(typeof X.iss==="string"||X.iss===void 0)Z.iss=X.iss;else Q.push({message:"iss 
must be a string",path:["iss"]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}function p$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={};if("access_token"in X)if(typeof X.access_token==="string")Z.access_token=X.access_token;else Q.push({message:"access_token must be a string",path:["access_token"]});else Q.push({message:"access_token is required",path:["access_token"]});if("id_token"in X)if(typeof X.id_token==="string")Z.id_token=X.id_token;else Q.push({message:"id_token must be a string",path:["id_token"]});else Q.push({message:"id_token is required",path:["id_token"]});if("token_type"in X)if(typeof X.token_type==="string")Z.token_type=X.token_type;else Q.push({message:"token_type must be a string",path:["token_type"]});else Q.push({message:"token_type is required",path:["token_type"]});if("refresh_token"in X)if(typeof X.refresh_token==="string"||X.refresh_token===void 0)Z.refresh_token=X.refresh_token;else Q.push({message:"refresh_token must be a string",path:["refresh_token"]});if("scope"in X)if(typeof X.scope==="string"||X.scope===void 0)Z.scope=X.scope;else Q.push({message:"scope must be a string",path:["scope"]});if("session_state"in X)if(typeof X.session_state==="string"||X.session_state===void 0)Z.session_state=X.session_state;else Q.push({message:"session_state must be a string",path:["session_state"]});if("expires"in X)if(typeof X.expires==="string"||X.expires===void 0)Z.expires=X.expires;else Q.push({message:"expires must be a string",path:["expires"]});if("expires_in"in X)if(typeof X.expires_in==="number"||X.expires_in===void 0)Z.expires_in=X.expires_in;else Q.push({message:"expires_in must be a number",path:["expires_in"]});if("refresh_expires_in"in X)if(typeof X.refresh_expires_in==="number"||X.refresh_expires_in===void 0)Z.refresh_expires_in=X.refresh_expires_in;else Q.push({message:"refresh_expires_in must be a 
number",path:["refresh_expires_in"]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}function c$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={...X},Y=["iss","aud","sub","sid","name","email","preferred_username","picture"];for(let _ of Y)if(_ in X&&X[_]!==void 0){if(typeof X[_]!=="string")Q.push({message:`${_} must be a string`,path:[_]})}let N=["exp","iat"];for(let _ of N)if(_ in X&&X[_]!==void 0){if(typeof X[_]!=="number")Q.push({message:`${_} must be a number`,path:[_]})}if(Q.length>0)return{issues:Q};return{value:Z}}}}}function V($,L,X,Q,Z){if($===void 0||$===null){if(X)Q.push({message:`${L} is required`,path:Z});return}if(typeof $!=="string"){Q.push({message:`${L} must be a string`,path:Z});return}return $}function Y$($,L,X,Q){if($===void 0||$===null)return;if(typeof $!=="boolean"){X.push({message:`${L} must be a boolean`,path:Q});return}return $}function g$($,L,X){if($===void 0||$===null)return;if(typeof $!=="object"||$===null){L.push({message:"name must be an object",path:X});return}let Q=$,Z={};return Z.formatted=V(Q.formatted,"formatted",!1,L,[...X,"formatted"]),Z.familyName=V(Q.familyName,"familyName",!1,L,[...X,"familyName"]),Z.givenName=V(Q.givenName,"givenName",!1,L,[...X,"givenName"]),Z.middleName=V(Q.middleName,"middleName",!1,L,[...X,"middleName"]),Z.honorificPrefix=V(Q.honorificPrefix,"honorificPrefix",!1,L,[...X,"honorificPrefix"]),Z.honorificSuffix=V(Q.honorificSuffix,"honorificSuffix",!1,L,[...X,"honorificSuffix"]),Z}function d$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"emails must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"email must be an object",path:N});continue}let 
_=Y,F=V(_.value,"value",!0,L,[...N,"value"]);if(F)Q.push({value:F,display:V(_.display,"display",!1,L,[...N,"display"]),type:V(_.type,"type",!1,L,[...N,"type"]),primary:Y$(_.primary,"primary",L,[...N,"primary"])})}return Q.length>0?Q:void 0}function l$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"phoneNumbers must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"phoneNumber must be an object",path:N});continue}let _=Y,F=V(_.value,"value",!0,L,[...N,"value"]);if(F)Q.push({value:F,display:V(_.display,"display",!1,L,[...N,"display"]),type:V(_.type,"type",!1,L,[...N,"type"]),primary:Y$(_.primary,"primary",L,[...N,"primary"])})}return Q.length>0?Q:void 0}function u$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"addresses must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"address must be an object",path:N});continue}let _=Y;Q.push({formatted:V(_.formatted,"formatted",!1,L,[...N,"formatted"]),streetAddress:V(_.streetAddress,"streetAddress",!1,L,[...N,"streetAddress"]),locality:V(_.locality,"locality",!1,L,[...N,"locality"]),region:V(_.region,"region",!1,L,[...N,"region"]),postalCode:V(_.postalCode,"postalCode",!1,L,[...N,"postalCode"]),country:V(_.country,"country",!1,L,[...N,"country"]),type:V(_.type,"type",!1,L,[...N,"type"]),primary:Y$(_.primary,"primary",L,[...N,"primary"])})}return Q.length>0?Q:void 0}function n$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"groups must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"group must be an object",path:N});continue}let 
_=Y,F=V(_.value,"value",!0,L,[...N,"value"]);if(F)Q.push({value:F,$ref:V(_.$ref,"$ref",!1,L,[...N,"$ref"]),display:V(_.display,"display",!1,L,[...N,"display"]),type:V(_.type,"type",!1,L,[...N,"type"])})}return Q.length>0?Q:void 0}function t$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"roles must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"role must be an object",path:N});continue}let _=Y,F=V(_.value,"value",!0,L,[...N,"value"]);if(F)Q.push({value:F,display:V(_.display,"display",!1,L,[...N,"display"]),type:V(_.type,"type",!1,L,[...N,"type"]),primary:Y$(_.primary,"primary",L,[...N,"primary"])})}return Q.length>0?Q:void 0}function i$($,L,X){if($===void 0||$===null)return;if(typeof $!=="object"||$===null){L.push({message:"Enterprise User extension must be an object",path:X});return}let Q=$,Z={};if(Z.employeeNumber=V(Q.employeeNumber,"employeeNumber",!1,L,[...X,"employeeNumber"]),Z.costCenter=V(Q.costCenter,"costCenter",!1,L,[...X,"costCenter"]),Z.organization=V(Q.organization,"organization",!1,L,[...X,"organization"]),Z.division=V(Q.division,"division",!1,L,[...X,"division"]),Z.department=V(Q.department,"department",!1,L,[...X,"department"]),Q.manager!==void 0&&Q.manager!==null)if(typeof Q.manager!=="object"||Q.manager===null)L.push({message:"manager must be an object",path:[...X,"manager"]});else{let Y=Q.manager;Z.manager={value:V(Y.value,"value",!1,L,[...X,"manager","value"]),$ref:V(Y.$ref,"$ref",!1,L,[...X,"manager","$ref"]),displayName:V(Y.displayName,"displayName",!1,L,[...X,"manager","displayName"])}}return Z}function o$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let 
X=L,Q=[],Z={},Y=V(X.userName,"userName",!0,Q,["userName"]);if(!Y)return{issues:Q};Z.userName=Y,Z.id=V(X.id,"id",!1,Q,["id"]),Z.externalId=V(X.externalId,"externalId",!1,Q,["externalId"]),Z.displayName=V(X.displayName,"displayName",!1,Q,["displayName"]),Z.nickName=V(X.nickName,"nickName",!1,Q,["nickName"]),Z.profileUrl=V(X.profileUrl,"profileUrl",!1,Q,["profileUrl"]),Z.title=V(X.title,"title",!1,Q,["title"]),Z.userType=V(X.userType,"userType",!1,Q,["userType"]),Z.preferredLanguage=V(X.preferredLanguage,"preferredLanguage",!1,Q,["preferredLanguage"]),Z.locale=V(X.locale,"locale",!1,Q,["locale"]),Z.timezone=V(X.timezone,"timezone",!1,Q,["timezone"]),Z.password=V(X.password,"password",!1,Q,["password"]),Z.active=Y$(X.active,"active",Q,["active"]),Z.name=g$(X.name,Q,["name"]),Z.emails=d$(X.emails,Q,["emails"]),Z.phoneNumbers=l$(X.phoneNumbers,Q,["phoneNumbers"]),Z.addresses=u$(X.addresses,Q,["addresses"]),Z.groups=n$(X.groups,Q,["groups"]),Z.roles=t$(X.roles,Q,["roles"]);let N="urn:ietf:params:scim:schemas:extension:enterprise:2.0:User";if(X[N]!==void 0)Z[N]=i$(X[N],Q,[N]);if(X.schemas!==void 0)if(Array.isArray(X.schemas))Z.schemas=X.schemas.filter((_)=>typeof _==="string");else Q.push({message:"schemas must be an array",path:["schemas"]});if(X.meta!==void 0)if(typeof X.meta==="object"&&X.meta!==null){let _=X.meta;Z.meta={resourceType:typeof _.resourceType==="string"?_.resourceType:void 0,created:typeof _.created==="string"?_.created:void 0,lastModified:typeof _.lastModified==="string"?_.lastModified:void 0,location:typeof _.location==="string"?_.location:void 0,version:typeof _.version==="string"?_.version:void 0}}else Q.push({message:"meta must be an object",path:["meta"]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}function a$($,L,X){if($===void 0||$===null)return;if(!Array.isArray($)){L.push({message:"members must be an array",path:X});return}let Q=[];for(let Z=0;Z<$.length;Z++){let Y=$[Z],N=[...X,Z];if(typeof Y!=="object"||Y===null){L.push({message:"member 
must be an object",path:N});continue}let _=Y,F=V(_.value,"value",!0,L,[...N,"value"]);if(F){let y=V(_.type,"type",!1,L,[...N,"type"]);Q.push({value:F,$ref:V(_.$ref,"$ref",!1,L,[...N,"$ref"]),display:V(_.display,"display",!1,L,[...N,"display"]),type:y==="User"||y==="Group"?y:void 0})}}return Q.length>0?Q:void 0}function r$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={},Y=V(X.displayName,"displayName",!0,Q,["displayName"]);if(!Y)return{issues:Q};if(Z.displayName=Y,Z.id=V(X.id,"id",!1,Q,["id"]),Z.externalId=V(X.externalId,"externalId",!1,Q,["externalId"]),Z.members=a$(X.members,Q,["members"]),X.schemas!==void 0)if(Array.isArray(X.schemas))Z.schemas=X.schemas.filter((N)=>typeof N==="string");else Q.push({message:"schemas must be an array",path:["schemas"]});if(X.meta!==void 0)if(typeof X.meta==="object"&&X.meta!==null){let N=X.meta;Z.meta={resourceType:typeof N.resourceType==="string"?N.resourceType:void 0,created:typeof N.created==="string"?N.created:void 0,lastModified:typeof N.lastModified==="string"?N.lastModified:void 0,location:typeof N.location==="string"?N.location:void 0,version:typeof N.version==="string"?N.version:void 0}}else Q.push({message:"meta must be an object",path:["meta"]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}function s$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={...X},Y=["iss","sub"];for(let F of Y)if(F in X){if(typeof X[F]!=="string")Q.push({message:`${F} must be a string`,path:[F]})}else Q.push({message:`${F} is required`,path:[F]});if("aud"in X&&X.aud!==void 0){let F=X.aud;if(typeof F!=="string"&&!Array.isArray(F))Q.push({message:"aud must be a string or array of strings",path:["aud"]});else if(Array.isArray(F)&&!F.every((y)=>typeof y==="string"))Q.push({message:"aud array must contain only 
strings",path:["aud"]})}let N=["jti","scope"];for(let F of N)if(F in X&&X[F]!==void 0){if(typeof X[F]!=="string")Q.push({message:`${F} must be a string`,path:[F]})}let _=["exp","iat"];for(let F of _)if(F in X){if(typeof X[F]!=="number")Q.push({message:`${F} must be a number`,path:[F]})}else Q.push({message:`${F} is required`,path:[F]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}function e$($){return{"~standard":{version:1,vendor:$,validate:(L)=>{if(typeof L!=="object"||L===null)return{issues:[{message:"Expected an object"}]};let X=L,Q=[],Z={};if("access_token"in X)if(typeof X.access_token==="string")Z.access_token=X.access_token;else Q.push({message:"access_token must be a string",path:["access_token"]});else Q.push({message:"access_token is required",path:["access_token"]});if("token_type"in X)if(typeof X.token_type==="string")Z.token_type=X.token_type;else Q.push({message:"token_type must be a string",path:["token_type"]});else Q.push({message:"token_type is required",path:["token_type"]});if("scope"in X)if(typeof X.scope==="string"||X.scope===void 0)Z.scope=X.scope;else Q.push({message:"scope must be a string",path:["scope"]});if("refresh_token"in X)if(typeof X.refresh_token==="string"||X.refresh_token===void 0)Z.refresh_token=X.refresh_token;else Q.push({message:"refresh_token must be a string",path:["refresh_token"]});if("expires"in X)if(typeof X.expires==="string"||X.expires===void 0)Z.expires=X.expires;else Q.push({message:"expires must be a string",path:["expires"]});if("expires_in"in X)if(typeof X.expires_in==="number"||X.expires_in===void 0)Z.expires_in=X.expires_in;else Q.push({message:"expires_in must be a number",path:["expires_in"]});if(Q.length>0)return{issues:Q};return{value:Z}}}}}class q${users=new Map;emailIndex=new Map;userNameIndex=new Map;async get($){return this.users.get($)??null}async getByEmail($){let L=this.emailIndex.get($.toLowerCase());if(!L)return null;return this.users.get(L)??null}async getByUserName($){let 
L=this.userNameIndex.get($.toLowerCase());if(!L)return null;return this.users.get(L)??null}async upsert($){let L=this.users.get($.id);if(L){if(L.email&&L.email.toLowerCase()!==$.email?.toLowerCase())this.emailIndex.delete(L.email.toLowerCase());if(L.userName&&L.userName.toLowerCase()!==$.userName?.toLowerCase())this.userNameIndex.delete(L.userName.toLowerCase())}if(this.users.set($.id,$),$.email)this.emailIndex.set($.email.toLowerCase(),$.id);if($.userName)this.userNameIndex.set($.userName.toLowerCase(),$.id)}async delete($){let L=this.users.get($);if(L){if(L.email)this.emailIndex.delete(L.email.toLowerCase());if(L.userName)this.userNameIndex.delete(L.userName.toLowerCase())}this.users.delete($)}}function N$($){$=$??"Workload authentication unavailable",new Response(JSON.stringify({error:$}),{status:503,statusText:$,headers:{"Content-Type":"application/json"}})}async function C0($,L){let X=a(L)?.workload;if(!X)return;return X.getWorkload($)}async function b0($,L){let X=a(L)?.workload;if(!X)throw N$();return X.getToken($)}async function k0($,L){let X=a(L)?.workload;if(!X)return{valid:!1,error:"Workload authentication unavailable"};let Q=$.headers.get("Authorization");if(!Q||!Q.startsWith("Bearer "))return{valid:!1,error:"Missing or invalid Authorization header"};let Z=Q.substring(7);return X.validateToken(Z)}async function v0($,L){let X=a(L)?.workload;if(!X)throw N$();return X.revokeToken($)}async function h0($,L){let X=a(L)?.workload;if(!X)throw N$();return X.handler($)}async function u0($,L){let X;if(process.env.ES_VAULT_TYPE)X=X$();else if($.startsWith("IONITE_PUBLIC_DEMO_"))X=X$({type:"openbao",url:"https://vault-ionite.ionite.dev/v1/secret/data",token:"hvs.VGhD2hmXDH9PmZjTacZx0G5K"}),L=L??{},L.vaultPath=`public/${$}`;else X=X$();let Q=L?.vaultPath||process.env.ES_VAULT_PATH||`es/${$}`,Z=await X.getSecret(Q),Y=await $0(L),N={defaultInstance:L?.defaultInstance===!0,handler:async()=>{return new Response("Not Found",{status:404})}};return 
N.workload=A$(Y.workload,Z?.workload,L?.workload),N.sso=F$(Y.sso,Z?.sso,L?.sso),N.iam=W$(Y.iam,N.workload,Z?.iam,L?.iam),N.tenants=K$(Y.tenant,Z?.tenant,L?.tenant),N.handler=async(_)=>{let y=new URL(_.url).pathname,n=(E)=>{if(!E)return;try{return new URL(E).pathname}catch{return E.startsWith("/")?E:`/${E}`}},v=(E)=>{if(!E)return!1;return n(E)===y},t=(E)=>{if(!E)return!1;let w=n(E);if(!w)return!1;return y===w||y.startsWith(`${w}/`)};if(N.sso){let E=N.sso.config;if(v(E.loginUrl)||v(E.userUrl)||v(E.logoutUrl)||v(E.logoutBackChannelUrl)||v(E.tokenUrl)||v(E.refreshUrl)||v(E.jwksUrl)||v(E.redirectUri))return N.sso.handler(_)}if(N.iam){let E=N.iam;if(t(E.usersUrl)||t(E.groupsUrl))return N.iam.handler(_)}if(N.workload){let E=N.workload.config,b=E._handlerTokenUrl||(E.tokenUrl?.startsWith("/")?E.tokenUrl:void 0)||(E.tokenUrl&&!E.tokenUrl.startsWith("http")?E.tokenUrl:void 0),C="validateUrl"in E?E.validateUrl:void 0,h="jwksUrl"in E?E.jwksUrl:void 0,g="refreshUrl"in E?E.refreshUrl:void 0;if(v(b)||v(C)||v(h)||v(g))return N.workload.handler(_)}return new Response("Not Found",{status:404})},j$(N),N}async function $0($){if($?.validators)return $.validators;try{let{createValidators:L}=await import("@enterprisestandard/react-validators-zod");if(L&&typeof L==="function")return L()}catch{}try{let{createValidators:L}=await import("@enterprisestandard/react-validators-valibot");if(L&&typeof L==="function")return L()}catch{}throw Error("No validators found. Install the appropriate validator package such as zod or valibot. 
For example: bun i @enterprisestandard/react-validators-zod")}export{e$ as workloadTokenResponseSchema,h0 as workloadHandler,A$ as workload,X$ as vault,_$ as validationFailureResponse,k0 as validateWorkloadToken,o$ as userSchema,p$ as tokenResponseSchema,K$ as tenantManagement,F$ as sso,$$ as serializeESConfig,m$ as sendTenantWebhook,v0 as revokeWorkloadToken,h$ as parseTenantRequest,f$ as oidcCallbackSchema,s$ as jwtAssertionClaimsSchema,I0 as initiateLogin,c$ as idTokenClaimsSchema,W$ as iam,r$ as groupResourceSchema,b0 as getWorkloadToken,C0 as getWorkload,z0 as getUser,x0 as getRequiredUser,M$ as getDefaultInstance,u0 as enterpriseStandard,E0 as callback,P$ as TenantRequestError,Q$ as InMemoryWorkloadTokenStore,q$ as InMemoryUserStore,x$ as InMemoryTenantStore,S$ as InMemorySessionStore,w$ as InMemoryGroupStore};
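--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@enterprisestandard/core",
-"version": "0.0.7-beta.
+"version": "0.0.7-beta.20260124.1",
 "description": "Enterprise Standard Core (Server-only)",
 "private": false,
 "author": "enterprisestandard",
@@ -21,7 +21,7 @@
 "./package.json": "./package.json"
 },
 "peerDependencies": {
-"@enterprisestandard/react-validators-zod": "0.0.7-beta.
-"@enterprisestandard/react-validators-valibot": "0.0.7-beta.
+"@enterprisestandard/react-validators-zod": "0.0.7-beta.20260124.1",
+"@enterprisestandard/react-validators-valibot": "0.0.7-beta.20260124.1"
 }
 }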