@enterprisestandard/esv 0.0.5-beta.20260114.2 → 0.0.5-beta.20260115.1

package/dist/runner.js

@@ -4971,7 +4971,7 @@ async function getScimUserValidator() {
         const { zodValidators: zodValidators2 } = await Promise.resolve().then(() => (init_dist3(), exports_dist3));
         cachedScimUserValidator = zodValidators2.scimUser();
         return cachedScimUserValidator;
-      } catch (error) {
+      } catch (_error) {
         throw new Error("IAM validation requires either @enterprisestandard/react-validators-valibot or @enterprisestandard/react-validators-zod to be installed. Please install one of these packages.");
       }
     }
@@ -4984,7 +4984,7 @@ function getScimGroupValidator() {
       validate: (value) => {
         if (typeof value !== "object" || value === null) {
           return {
-            issues: [{ message: "Expected object, got " + typeof value }]
+            issues: [{ message: `Expected object, got ${typeof value}` }]
           };
         }
         const group = value;
@@ -5855,7 +5855,7 @@ function getWorkloadTokenResponseValidator() {
       validate: (value) => {
         if (typeof value !== "object" || value === null) {
           return {
-            issues: [{ message: "Expected object, got " + typeof value }]
+            issues: [{ message: `Expected object, got ${typeof value}` }]
           };
         }
         const token = value;
@@ -5886,7 +5886,7 @@ function getJwksKeyValidator() {
       validate: (value) => {
         if (typeof value !== "object" || value === null) {
           return {
-            issues: [{ message: "Expected object, got " + typeof value }]
+            issues: [{ message: `Expected object, got ${typeof value}` }]
           };
         }
         const key = value;
@@ -5911,7 +5911,7 @@ function getTokenValidationResultValidator() {
       validate: (value) => {
         if (typeof value !== "object" || value === null) {
           return {
-            issues: [{ message: "Expected object, got " + typeof value }]
+            issues: [{ message: `Expected object, got ${typeof value}` }]
           };
         }
         const result = value;
@@ -6226,7 +6226,7 @@ async function getTenantResponseValidator() {
         const { zodValidators: zodValidators2 } = await Promise.resolve().then(() => (init_dist3(), exports_dist3));
         cachedValidator = zodValidators2.createTenantResponse();
         return cachedValidator;
-      } catch (error) {
+      } catch (_error) {
         throw new Error("Tenant validation requires either @enterprisestandard/react-validators-valibot or @enterprisestandard/react-validators-zod to be installed. Please install one of these packages.");
       }
     }
@@ -9515,7 +9515,7 @@ function sso(config) {
     const str = atob(val);
     return JSON.parse(str);
   }
-  async function handler(request, handlerConfig) {
+  async function handler(request, es) {
     const {
       loginUrl,
       userUrl,
@@ -9527,7 +9527,7 @@ function sso(config) {
       logoutBackChannelUrl,
       jwksUrl,
       validation
-    } = { ...handlerDefaults, ...handlerConfig };
+    } = { ...handlerDefaults, ...es?.sso };
     if (!configWithDefaults) {
       throw new Error("Enterprise Standard SSO Manager not initialized");
     }
@@ -9870,39 +9870,47 @@ function validateWorkloadConfig(config) {
   }
 }
 function workload(config) {
-  validateWorkloadConfig(config);
   let configWithDefaults;
-  if (isJwtBearerConfig(config)) {
-    configWithDefaults = {
-      ...config,
-      token_url: must(config.token_url, "Missing 'token_url' from Workload Config"),
-      workload_id: must(config.workload_id, "Missing 'workload_id' from Workload Config"),
-      audience: must(config.audience, "Missing 'audience' from Workload Config"),
-      scope: config.scope ?? "",
-      algorithm: config.algorithm ?? "RS256",
-      token_lifetime: config.token_lifetime ?? 300,
-      refresh_threshold: config.refresh_threshold ?? 60,
-      auto_refresh: config.auto_refresh !== undefined ? config.auto_refresh : true,
-      token_store: config.token_store ?? new InMemoryWorkloadTokenStore
-    };
-  } else if (isClientCredentialsConfig(config)) {
-    configWithDefaults = {
-      ...config,
-      token_url: must(config.token_url, "Missing 'token_url' from Workload Config"),
-      client_id: must(config.client_id, "Missing 'client_id' from Workload Config"),
-      client_secret: must(config.client_secret, "Missing 'client_secret' from Workload Config"),
-      scope: config.scope ?? "",
-      token_lifetime: config.token_lifetime ?? 300,
-      refresh_threshold: config.refresh_threshold ?? 60,
-      auto_refresh: config.auto_refresh !== undefined ? config.auto_refresh : true,
-      token_store: config.token_store ?? new InMemoryWorkloadTokenStore
-    };
+  if (!config) {
+    configWithDefaults = undefined;
   } else {
-    configWithDefaults = config;
+    try {
+      validateWorkloadConfig(config);
+      if (isJwtBearerConfig(config)) {
+        configWithDefaults = {
+          ...config,
+          token_url: must(config.token_url, "Missing 'token_url' from Workload Config"),
+          workload_id: must(config.workload_id, "Missing 'workload_id' from Workload Config"),
+          audience: must(config.audience, "Missing 'audience' from Workload Config"),
+          scope: config.scope ?? "",
+          algorithm: config.algorithm ?? "RS256",
+          token_lifetime: config.token_lifetime ?? 300,
+          refresh_threshold: config.refresh_threshold ?? 60,
+          auto_refresh: config.auto_refresh !== undefined ? config.auto_refresh : true,
+          token_store: config.token_store ?? new InMemoryWorkloadTokenStore
+        };
+      } else if (isClientCredentialsConfig(config)) {
+        configWithDefaults = {
+          ...config,
+          token_url: must(config.token_url, "Missing 'token_url' from Workload Config"),
+          client_id: must(config.client_id, "Missing 'client_id' from Workload Config"),
+          client_secret: must(config.client_secret, "Missing 'client_secret' from Workload Config"),
+          scope: config.scope ?? "",
+          token_lifetime: config.token_lifetime ?? 300,
+          refresh_threshold: config.refresh_threshold ?? 60,
+          auto_refresh: config.auto_refresh !== undefined ? config.auto_refresh : true,
+          token_store: config.token_store ?? new InMemoryWorkloadTokenStore
+        };
+      } else {
+        configWithDefaults = config;
+      }
+    } catch {
+      configWithDefaults = undefined;
+    }
   }
   const initialized = true;
-  function ensureInitialized() {
-    if (!initialized) {
+  function _ensureInitialized() {
+    if (!initialized || !configWithDefaults) {
       throw new Error("Enterprise Standard Workload Manager not initialized");
     }
   }
@@ -9972,8 +9980,10 @@ function workload(config) {
     throw lastError;
   }
   async function generateJWTAssertion(scope) {
-    ensureInitialized();
-    if (!isJwtBearerConfig(config)) {
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
+    if (!isJwtBearerConfig(configWithDefaults)) {
       throw new Error("generateJWTAssertion is only available in JWT Bearer Grant mode");
     }
     const cfg = configWithDefaults;
@@ -9999,6 +10009,9 @@ function workload(config) {
     return `${signatureInput}.${signature}`;
   }
   async function acquireTokenJwtBearer(scope, validation) {
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
     const cfg = configWithDefaults;
     return retryWithBackoff(async () => {
       const tokenUrl = cfg.token_url;
@@ -10044,6 +10057,9 @@ function workload(config) {
     });
   }
   async function acquireTokenClientCredentials(scope, validation) {
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
     const cfg = configWithDefaults;
     return retryWithBackoff(async () => {
       const tokenUrl = cfg.token_url;
@@ -10089,8 +10105,10 @@ function workload(config) {
     });
   }
   async function getToken(scope) {
-    ensureInitialized();
-    if (isServerOnlyConfig(config)) {
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
+    if (isServerOnlyConfig(configWithDefaults)) {
       throw new Error("Cannot acquire tokens: Workload is configured in server-only mode (validation only). " + "To acquire tokens, configure client_id + client_secret for OAuth2 Client Credentials, " + "or workload_id + private_key for JWT Bearer Grant.");
     }
     if (!configWithDefaults.token_url) {
@@ -10126,7 +10144,7 @@ function workload(config) {
         }
         if (cfg.auto_refresh) {
           try {
-            const newToken = isJwtBearerConfig(config) ? await acquireTokenJwtBearer(requestedScope) : await acquireTokenClientCredentials(requestedScope);
+            const newToken = isJwtBearerConfig(configWithDefaults) ? await acquireTokenJwtBearer(requestedScope) : await acquireTokenClientCredentials(requestedScope);
             return newToken.access_token;
           } catch (error) {
             if (now < expiresAt) {
@@ -10138,35 +10156,39 @@ function workload(config) {
         }
       }
     }
-    const tokenResponse = isJwtBearerConfig(config) ? await acquireTokenJwtBearer(requestedScope) : await acquireTokenClientCredentials(requestedScope);
+    const tokenResponse = isJwtBearerConfig(configWithDefaults) ? await acquireTokenJwtBearer(requestedScope) : await acquireTokenClientCredentials(requestedScope);
     return tokenResponse.access_token;
   }
   async function refreshToken() {
-    ensureInitialized();
-    if (isServerOnlyConfig(config)) {
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
+    if (isServerOnlyConfig(configWithDefaults)) {
       throw new Error("Cannot refresh tokens: Workload is configured in server-only mode (validation only).");
     }
     const cfg = configWithDefaults;
     return isJwtBearerConfig(cfg) ? await acquireTokenJwtBearer(cfg.scope) : await acquireTokenClientCredentials(cfg.scope);
   }
   async function revokeToken(token) {
-    ensureInitialized();
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
     try {
-      if (!config.revocation_endpoint) {
+      if (!configWithDefaults.revocation_endpoint) {
         return;
       }
       const body = new URLSearchParams;
       body.append("token", token);
       body.append("token_type_hint", "access_token");
-      if (isJwtBearerConfig(config)) {
+      if (isJwtBearerConfig(configWithDefaults)) {
         const cfg = configWithDefaults;
         body.append("client_id", cfg.workload_id);
-      } else if (isClientCredentialsConfig(config)) {
+      } else if (isClientCredentialsConfig(configWithDefaults)) {
         const cfg = configWithDefaults;
         body.append("client_id", cfg.client_id);
         body.append("client_secret", cfg.client_secret);
       }
-      const response = await fetch(config.revocation_endpoint, {
+      const response = await fetch(configWithDefaults.revocation_endpoint, {
         method: "POST",
         headers: {
           "Content-Type": "application/x-www-form-urlencoded"
@@ -10178,24 +10200,26 @@ function workload(config) {
       } else {
         console.log("Token revoked successfully");
       }
-      if (config.token_store) {
+      if (configWithDefaults.token_store) {
         let cacheKey;
-        if (isJwtBearerConfig(config)) {
+        if (isJwtBearerConfig(configWithDefaults)) {
           cacheKey = configWithDefaults.workload_id;
-        } else if (isClientCredentialsConfig(config)) {
+        } else if (isClientCredentialsConfig(configWithDefaults)) {
           cacheKey = configWithDefaults.client_id;
         } else {
           return;
         }
-        await config.token_store.delete(cacheKey);
+        await configWithDefaults.token_store.delete(cacheKey);
       }
     } catch (error) {
       console.warn("Error revoking token:", error);
     }
   }
   async function fetchJwks() {
-    ensureInitialized();
-    const url2 = config.jwks_uri;
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
+    const url2 = configWithDefaults.jwks_uri;
     if (!url2) {
       throw new Error("Cannot validate tokens: Missing jwks_uri in WorkloadConfig. " + "Server role requires jwks_uri to be configured in vault to fetch public keys for token validation.");
     }
@@ -10212,16 +10236,21 @@ function workload(config) {
     });
   }
   async function getPublicKey(kid) {
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
     const jwks = await fetchJwks();
     const key = jwks.keys.find((k) => k.kid === kid);
     if (!key)
       throw new Error("Public key not found");
-    const defaultAlg = isJwtBearerConfig(config) ? configWithDefaults.algorithm : "RS256";
+    const defaultAlg = isJwtBearerConfig(configWithDefaults) ? configWithDefaults.algorithm : "RS256";
     const algorithmParams = getAlgorithmParams(key.alg || defaultAlg);
     return crypto.subtle.importKey("jwk", key, algorithmParams, false, ["verify"]);
   }
   async function parseJWT(token, validation) {
-    ensureInitialized();
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
     try {
       const parts = token.split(".");
       if (parts.length !== 3)
@@ -10250,26 +10279,28 @@ function workload(config) {
     }
   }
   async function validateToken(token, validation) {
-    ensureInitialized();
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
     try {
       const claims = await parseJWT(token, validation);
       const now = Math.floor(Date.now() / 1000);
       if (claims.exp && claims.exp < now) {
         return { valid: false, error: "Token expired" };
       }
-      if (isJwtBearerConfig(config)) {
-        if (config.audience && claims.aud !== config.audience) {
+      if (isJwtBearerConfig(configWithDefaults)) {
+        if (configWithDefaults.audience && claims.aud !== configWithDefaults.audience) {
           return { valid: false, error: "Invalid audience" };
         }
-      } else if (isClientCredentialsConfig(config)) {
-        if (config.issuer && claims.iss !== config.issuer) {
+      } else if (isClientCredentialsConfig(configWithDefaults)) {
+        if (configWithDefaults.issuer && claims.iss !== configWithDefaults.issuer) {
           return { valid: false, error: "Invalid issuer" };
         }
-        if (config.audience && claims.aud !== config.audience) {
+        if (configWithDefaults.audience && claims.aud !== configWithDefaults.audience) {
           return { valid: false, error: "Invalid audience" };
         }
       } else {
-        const serverConfig = config;
+        const serverConfig = configWithDefaults;
         if (serverConfig.issuer && claims.iss !== serverConfig.issuer) {
           return { valid: false, error: "Invalid issuer" };
         }
@@ -10287,8 +10318,10 @@ function workload(config) {
     }
   }
   async function getWorkload(request) {
-    ensureInitialized();
-    if (!config.jwks_uri) {
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
+    if (!configWithDefaults.jwks_uri) {
       throw new Error("Cannot validate tokens: Missing jwks_uri in WorkloadConfig. " + "Server role requires jwks_uri to be configured in vault to fetch public keys for token validation.");
     }
     const authHeader = request.headers.get("Authorization");
@@ -10308,7 +10341,9 @@ function workload(config) {
     };
   }
   async function handler(request) {
-    ensureInitialized();
+    if (!configWithDefaults) {
+      throw new Error("Enterprise Standard Workload Manager not initialized");
+    }
     const tokenUrl = configWithDefaults.tokenUrl;
     const validateUrl = configWithDefaults.validateUrl;
     const jwksUrl = configWithDefaults.jwksUrl;
@@ -10353,7 +10388,7 @@ function workload(config) {
     return new Response("Not Found", { status: 404 });
   }
   return {
-    ...configWithDefaults,
+    ...configWithDefaults ?? {},
     getToken,
     refreshToken,
     generateJWTAssertion,
@@ -10608,10 +10643,19 @@ async function enterpriseStandard(appId, initConfig) {
       token: vaultToken
     };
   } else if (!vaultUrl || !vaultToken || !vaultPath) {
-    console.log("NODE_ENV", "development");
-    const cmd = `${process.versions.bun ? "bun" : "npm"} ionite login --app ${appId}`;
-    throw new Error(`@enterprisestandard configuration missing.
- For development, login with the ionite CLI using "${cmd}" or visit ${ioniteUrl}/api/applications/apiKeys/create?appId=${appId}. If this is a non-development environment, ensure that you are deployed with the correct tenant pattern.`);
+    const msg = "@enterprisestandard configuration missing.";
+    if (true) {
+      const cmd = `${process.versions.bun ? "bun" : "npm"} ionite login --app ${appId}`;
+      console.warn(`${msg} For development, login with the ionite CLI using "${cmd}" or visit ${ioniteUrl}/api/applications/apiKeys/create?appId=${appId}.`);
+      const wl = workload(undefined);
+      return {
+        defaultInstance: false,
+        vault: vault(""),
+        sso: sso(undefined),
+        iam: iam({}, wl),
+        workload: wl
+      };
+    } else {}
   }
   const defaultInstance2 = getDefaultInstance();
   const vaultClient = vault(vaultUrl);
@@ -10907,4 +10951,4 @@ if (__require.main == __require.module) {
   main();
 }
 
-//# debugId=5A71D57095EC595164756E2164756E21
+//# debugId=0F8680DE7ED1E84064756E2164756E21