@enterprisestandard/esv 0.0.5-beta.20260115.1 → 0.0.5-beta.20260115.2

package/dist/server/index.js

@@ -1,1380 +1,34 @@
-import { createRequire } from "node:module";
-var __create = Object.create;
-var __getProtoOf = Object.getPrototypeOf;
-var __defProp = Object.defineProperty;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __toESM = (mod, isNodeMode, target) => {
-  target = mod != null ? __create(__getProtoOf(mod)) : {};
-  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
-  for (let key of __getOwnPropNames(mod))
-    if (!__hasOwnProp.call(to, key))
-      __defProp(to, key, {
-        get: () => mod[key],
-        enumerable: true
-      });
-  return to;
-};
-var __moduleCache = /* @__PURE__ */ new WeakMap;
-var __toCommonJS = (from) => {
-  var entry = __moduleCache.get(from), desc;
-  if (entry)
-    return entry;
-  entry = __defProp({}, "__esModule", { value: true });
-  if (from && typeof from === "object" || typeof from === "function")
-    __getOwnPropNames(from).map((key) => !__hasOwnProp.call(entry, key) && __defProp(entry, key, {
-      get: () => from[key],
-      enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
-    }));
-  __moduleCache.set(from, entry);
-  return entry;
-};
-var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, {
-      get: all[name],
-      enumerable: true,
-      configurable: true,
-      set: (newValue) => all[name] = () => newValue
-    });
-};
-var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
-
-// packages/esv/src/server/crypto.ts
-import * as crypto from "node:crypto";
-var privateKey;
-var publicKey;
-var keyId;
-function initializeKeys() {
-  const { publicKey: pubKey, privateKey: privKey } = crypto.generateKeyPairSync("rsa", {
-    modulusLength: 2048
-  });
-  privateKey = privKey;
-  publicKey = pubKey;
-  keyId = crypto.randomBytes(8).toString("hex");
-}
-function getKeyId() {
-  return keyId;
-}
-function base64UrlEncode(data) {
-  const buffer = typeof data === "string" ? Buffer.from(data) : data;
-  return buffer.toString("base64url");
-}
-function base64UrlDecode(data) {
-  return Buffer.from(data, "base64url");
-}
-function signJwt(payload, expiresInSeconds = 3600) {
-  const now = Math.floor(Date.now() / 1000);
-  const header = {
-    alg: "RS256",
-    typ: "JWT",
-    kid: keyId
-  };
-  const claims = {
-    ...payload,
-    iat: now,
-    exp: now + expiresInSeconds
-  };
-  const encodedHeader = base64UrlEncode(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode(JSON.stringify(claims));
-  const signatureInput = `${encodedHeader}.${encodedPayload}`;
-  const sign = crypto.createSign("RSA-SHA256");
-  sign.update(signatureInput);
-  const signature = sign.sign(privateKey);
-  return `${signatureInput}.${base64UrlEncode(signature)}`;
-}
-function verifyJwt(token) {
-  try {
-    const parts = token.split(".");
-    if (parts.length !== 3) {
-      return { valid: false, error: "Invalid JWT format" };
-    }
-    const [encodedHeader, encodedPayload, encodedSignature] = parts;
-    const signatureInput = `${encodedHeader}.${encodedPayload}`;
-    const signature = base64UrlDecode(encodedSignature);
-    const verify = crypto.createVerify("RSA-SHA256");
-    verify.update(signatureInput);
-    const isValid = verify.verify(publicKey, signature);
-    if (!isValid) {
-      return { valid: false, error: "Invalid signature" };
-    }
-    const payload = JSON.parse(base64UrlDecode(encodedPayload).toString("utf-8"));
-    const now = Math.floor(Date.now() / 1000);
-    if (payload.exp && payload.exp < now) {
-      return { valid: false, error: "Token expired" };
-    }
-    return { valid: true, payload };
-  } catch (error) {
-    return { valid: false, error: error instanceof Error ? error.message : "Unknown error" };
-  }
-}
-function getJwks() {
-  const jwk = publicKey.export({ format: "jwk" });
-  return {
-    keys: [
-      {
-        kty: jwk.kty,
-        n: jwk.n,
-        e: jwk.e,
-        kid: keyId,
-        use: "sig",
-        alg: "RS256"
-      }
-    ]
-  };
-}
-function generateRandomString(length = 32) {
-  return crypto.randomBytes(length).toString("hex").substring(0, length);
-}
-function generateUUID() {
-  return crypto.randomUUID();
-}
-function verifyCodeChallenge(codeVerifier, codeChallenge) {
-  const hash = crypto.createHash("sha256").update(codeVerifier).digest();
-  const computed = base64UrlEncode(hash);
-  return computed === codeChallenge;
-}
-// packages/esv/src/server/server.ts
-import { createServer } from "node:http";
-
-// packages/esv/src/server/state.ts
-var users = new Map;
-var groups = new Map;
-var authCodes = new Map;
-var refreshTokens = new Map;
-var sessions = new Map;
-var defaultTestUser = {
-  id: "test-user-001",
-  userName: "testuser@example.com",
-  email: "testuser@example.com",
-  name: "Test User",
-  givenName: "Test",
-  familyName: "User"
-};
-function getUsers() {
-  return Array.from(users.values());
-}
-function getUser(id) {
-  return users.get(id);
-}
-function createUser(user) {
-  const now = new Date().toISOString();
-  user.meta = {
-    resourceType: "User",
-    created: now,
-    lastModified: now,
-    location: `/Users/${user.id}`
-  };
-  users.set(user.id, user);
-  return user;
-}
-function updateUser(id, updates) {
-  const user = users.get(id);
-  if (!user)
-    return;
-  const updated = { ...user, ...updates };
-  if (updated.meta) {
-    updated.meta.lastModified = new Date().toISOString();
-  }
-  users.set(id, updated);
-  return updated;
-}
-function deleteUser(id) {
-  return users.delete(id);
-}
-function getGroups() {
-  return Array.from(groups.values());
-}
-function getGroup(id) {
-  return groups.get(id);
-}
-function createGroup(group) {
-  const now = new Date().toISOString();
-  group.meta = {
-    resourceType: "Group",
-    created: now,
-    lastModified: now,
-    location: `/Groups/${group.id}`
-  };
-  groups.set(group.id, group);
-  return group;
-}
-function updateGroup(id, updates) {
-  const group = groups.get(id);
-  if (!group)
-    return;
-  const updated = { ...group, ...updates };
-  if (updated.meta) {
-    updated.meta.lastModified = new Date().toISOString();
-  }
-  groups.set(id, updated);
-  return updated;
-}
-function deleteGroup(id) {
-  return groups.delete(id);
-}
-function storeAuthCode(authCode) {
-  authCodes.set(authCode.code, authCode);
-}
-function getAuthCode(code) {
-  return authCodes.get(code);
-}
-function deleteAuthCode(code) {
-  return authCodes.delete(code);
-}
-function storeRefreshToken(refreshToken) {
-  refreshTokens.set(refreshToken.token, refreshToken);
-}
-function getRefreshToken(token) {
-  return refreshTokens.get(token);
-}
-function deleteRefreshToken(token) {
-  return refreshTokens.delete(token);
-}
-function deleteRefreshTokensBySession(sessionId) {
-  for (const [token, data] of refreshTokens.entries()) {
-    if (data.sessionId === sessionId) {
-      refreshTokens.delete(token);
-    }
-  }
-}
-function createSession(session) {
-  sessions.set(session.id, session);
-}
-function deleteSession(id) {
-  deleteRefreshTokensBySession(id);
-  return sessions.delete(id);
-}
-function getTestUser() {
-  return defaultTestUser;
-}
-function setTestUser(user) {
-  defaultTestUser = user;
-}
-function resetState() {
-  users.clear();
-  groups.clear();
-  authCodes.clear();
-  refreshTokens.clear();
-  sessions.clear();
-  defaultTestUser = {
-    id: "test-user-001",
-    userName: "testuser@example.com",
-    email: "testuser@example.com",
-    name: "Test User",
-    givenName: "Test",
-    familyName: "User"
-  };
-}
-
-// packages/esv/src/server/iam.ts
-var SCIM_CONTENT_TYPE = "application/scim+json";
-async function parseJsonBody(req) {
-  return new Promise((resolve, reject) => {
-    let body = "";
-    req.on("data", (chunk) => {
-      body += chunk.toString();
-    });
-    req.on("end", () => {
-      try {
-        resolve(body ? JSON.parse(body) : {});
-      } catch (error) {
-        reject(error);
-      }
-    });
-    req.on("error", reject);
-  });
-}
-function validateAuth(req, res) {
-  const auth = req.headers.authorization;
-  if (!auth || !auth.startsWith("Bearer ")) {
-    res.writeHead(401, { "Content-Type": SCIM_CONTENT_TYPE });
-    res.end(JSON.stringify({
-      schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
-      status: "401",
-      detail: "Authorization required"
-    }));
-    return false;
-  }
-  return true;
-}
-function sendScimError(res, status, detail, scimType) {
-  res.writeHead(status, { "Content-Type": SCIM_CONTENT_TYPE });
-  res.end(JSON.stringify({
-    schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
-    status: String(status),
-    scimType,
-    detail
-  }));
-}
-function sendListResponse(res, resources, totalResults) {
-  res.writeHead(200, { "Content-Type": SCIM_CONTENT_TYPE });
-  res.end(JSON.stringify({
-    schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-    totalResults: totalResults ?? resources.length,
-    startIndex: 1,
-    itemsPerPage: resources.length,
-    Resources: resources
-  }));
-}
-async function handleIamRequest(req, res, pathname) {
-  const iamPath = pathname.replace(/^\/iam/, "");
-  if (!validateAuth(req, res)) {
-    return;
-  }
-  const usersMatch = iamPath.match(/^\/Users(?:\/([^/]+))?$/);
-  const groupsMatch = iamPath.match(/^\/Groups(?:\/([^/]+))?$/);
-  if (usersMatch) {
-    const userId = usersMatch[1];
-    await handleUsersRequest(req, res, userId);
-    return;
-  }
-  if (groupsMatch) {
-    const groupId = groupsMatch[1];
-    await handleGroupsRequest(req, res, groupId);
-    return;
-  }
-  sendScimError(res, 404, "Resource not found");
-}
-async function handleUsersRequest(req, res, userId) {
-  if (userId) {
-    switch (req.method) {
-      case "GET":
-        handleGetUser(res, userId);
-        break;
-      case "PUT":
-        await handleReplaceUser(req, res, userId);
-        break;
-      case "PATCH":
-        await handlePatchUser(req, res, userId);
-        break;
-      case "DELETE":
-        handleDeleteUser(res, userId);
-        break;
-      default:
-        sendScimError(res, 405, "Method not allowed");
-    }
-  } else {
-    switch (req.method) {
-      case "GET":
-        handleListUsers(res);
-        break;
-      case "POST":
-        await handleCreateUser(req, res);
-        break;
-      default:
-        sendScimError(res, 405, "Method not allowed");
-    }
-  }
-}
-async function handleGroupsRequest(req, res, groupId) {
-  if (groupId) {
-    switch (req.method) {
-      case "GET":
-        handleGetGroup(res, groupId);
-        break;
-      case "PUT":
-        await handleReplaceGroup(req, res, groupId);
-        break;
-      case "PATCH":
-        await handlePatchGroup(req, res, groupId);
-        break;
-      case "DELETE":
-        handleDeleteGroup(res, groupId);
-        break;
-      default:
-        sendScimError(res, 405, "Method not allowed");
-    }
-  } else {
-    switch (req.method) {
-      case "GET":
-        handleListGroups(res);
-        break;
-      case "POST":
-        await handleCreateGroup(req, res);
-        break;
-      default:
-        sendScimError(res, 405, "Method not allowed");
-    }
-  }
-}
-function handleListUsers(res) {
-  const users2 = getUsers();
-  sendListResponse(res, users2);
-}
-function handleGetUser(res, id) {
-  const user = getUser(id);
-  if (!user) {
-    sendScimError(res, 404, `User ${id} not found`, "invalidValue");
-    return;
-  }
-  res.writeHead(200, { "Content-Type": SCIM_CONTENT_TYPE });
-  res.end(JSON.stringify(user));
-}
-async function handleCreateUser(req, res) {
-  try {
-    const body = await parseJsonBody(req);
-    if (!body.userName) {
-      sendScimError(res, 400, "userName is required", "invalidValue");
-      return;
-    }
-    const user = {
-      id: generateUUID(),
-      schemas: body.schemas || [
-        "urn:ietf:params:scim:schemas:core:2.0:User",
-        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
-      ],
-      userName: body.userName,
-      displayName: body.displayName,
-      name: body.name,
-      emails: body.emails,
-      active: body.active ?? true,
-      externalId: body.externalId,
-      groups: [],
-      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": body["urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"]
-    };
-    const created = createUser(user);
-    res.writeHead(201, { "Content-Type": SCIM_CONTENT_TYPE });
-    res.end(JSON.stringify(created));
-  } catch (_error) {
-    sendScimError(res, 400, "Invalid request body");
-  }
-}
-async function handleReplaceUser(req, res, id) {
-  const existing = getUser(id);
-  if (!existing) {
-    sendScimError(res, 404, `User ${id} not found`, "invalidValue");
-    return;
-  }
-  try {
-    const body = await parseJsonBody(req);
-    const updated = updateUser(id, { ...body, id });
-    if (updated) {
-      res.writeHead(200, { "Content-Type": SCIM_CONTENT_TYPE });
-      res.end(JSON.stringify(updated));
-    } else {
-      sendScimError(res, 404, `User ${id} not found`);
-    }
-  } catch (_error) {
-    sendScimError(res, 400, "Invalid request body");
-  }
-}
-async function handlePatchUser(req, res, id) {
-  const existing = getUser(id);
-  if (!existing) {
-    sendScimError(res, 404, `User ${id} not found`, "invalidValue");
-    return;
-  }
-  try {
-    const body = await parseJsonBody(req);
-    const operations = body.Operations || [];
-    const updated = { ...existing };
-    for (const op of operations) {
-      if (op.op === "replace" && op.path && op.value !== undefined) {
-        if (op.path === "displayName") {
-          updated.displayName = op.value;
-        } else if (op.path === "active") {
-          updated.active = op.value;
-        } else if (op.path.startsWith("name.")) {
-          const namePart = op.path.split(".")[1];
-          updated.name = { ...updated.name, [namePart]: op.value };
-        }
-      } else if (op.op === "add" && op.path && op.value !== undefined) {
-        if (op.path === "emails") {
-          updated.emails = [...updated.emails || [], ...op.value || []];
-        }
-      } else if (op.op === "remove" && op.path) {
-        if (op.path === "displayName") {
-          updated.displayName = undefined;
-        }
-      }
-    }
-    const result = updateUser(id, updated);
-    if (result) {
-      res.writeHead(200, { "Content-Type": SCIM_CONTENT_TYPE });
-      res.end(JSON.stringify(result));
-    } else {
-      sendScimError(res, 404, `User ${id} not found`);
-    }
-  } catch (_error) {
-    sendScimError(res, 400, "Invalid request body");
-  }
-}
-function handleDeleteUser(res, id) {
-  const deleted = deleteUser(id);
-  if (!deleted) {
-    sendScimError(res, 404, `User ${id} not found`, "invalidValue");
-    return;
-  }
-  res.writeHead(204);
-  res.end();
-}
-function handleListGroups(res) {
-  const groups2 = getGroups();
-  sendListResponse(res, groups2);
-}
-function handleGetGroup(res, id) {
-  const group = getGroup(id);
-  if (!group) {
-    sendScimError(res, 404, `Group ${id} not found`, "invalidValue");
-    return;
-  }
-  res.writeHead(200, { "Content-Type": SCIM_CONTENT_TYPE });
-  res.end(JSON.stringify(group));
-}
-async function handleCreateGroup(req, res) {
-  try {
-    const body = await parseJsonBody(req);
-    if (!body.displayName) {
-      sendScimError(res, 400, "displayName is required", "invalidValue");
-      return;
-    }
-    const group = {
-      id: generateUUID(),
-      schemas: body.schemas || ["urn:ietf:params:scim:schemas:core:2.0:Group"],
-      displayName: body.displayName,
-      externalId: body.externalId,
-      members: body.members || []
-    };
-    const created = createGroup(group);
-    res.writeHead(201, { "Content-Type": SCIM_CONTENT_TYPE });
-    res.end(JSON.stringify(created));
-  } catch (_error) {
-    sendScimError(res, 400, "Invalid request body");
-  }
-}
-async function handleReplaceGroup(req, res, id) {
-  const existing = getGroup(id);
-  if (!existing) {
-    sendScimError(res, 404, `Group ${id} not found`, "invalidValue");
-    return;
-  }
-  try {
-    const body = await parseJsonBody(req);
-    const updated = updateGroup(id, { ...body, id });
-    if (updated) {
-      res.writeHead(200, { "Content-Type": SCIM_CONTENT_TYPE });
-      res.end(JSON.stringify(updated));
-    } else {
-      sendScimError(res, 404, `Group ${id} not found`);
-    }
-  } catch (_error) {
-    sendScimError(res, 400, "Invalid request body");
-  }
-}
-async function handlePatchGroup(req, res, id) {
-  const existing = getGroup(id);
-  if (!existing) {
-    sendScimError(res, 404, `Group ${id} not found`, "invalidValue");
-    return;
-  }
-  try {
-    const body = await parseJsonBody(req);
-    const operations = body.Operations || [];
-    const updated = { ...existing };
-    for (const op of operations) {
-      if (op.op === "replace" && op.path && op.value !== undefined) {
-        if (op.path === "displayName") {
-          updated.displayName = op.value;
-        }
-      } else if (op.op === "add" && op.path && op.value !== undefined) {
-        if (op.path === "members") {
-          updated.members = [...updated.members || [], ...op.value || []];
-        }
-      } else if (op.op === "remove" && op.path) {
-        if (op.path.startsWith("members[")) {
-          const match = op.path.match(/members\[value eq "([^"]+)"\]/);
-          if (match) {
-            updated.members = (updated.members || []).filter((m) => m.value !== match[1]);
-          }
-        }
-      }
-    }
-    const result = updateGroup(id, updated);
-    if (result) {
-      res.writeHead(200, { "Content-Type": SCIM_CONTENT_TYPE });
-      res.end(JSON.stringify(result));
-    } else {
-      sendScimError(res, 404, `Group ${id} not found`);
-    }
-  } catch (_error) {
-    sendScimError(res, 400, "Invalid request body");
-  }
-}
-function handleDeleteGroup(res, id) {
-  const deleted = deleteGroup(id);
-  if (!deleted) {
-    sendScimError(res, 404, `Group ${id} not found`, "invalidValue");
-    return;
-  }
-  res.writeHead(204);
-  res.end();
-}
-
-// packages/esv/src/server/sso.ts
-var ISSUER = "http://localhost:3555/sso";
-var TOKEN_EXPIRY = 3600;
-var REFRESH_EXPIRY = 86400;
-var CODE_EXPIRY = 300;
-async function parseFormBody(req) {
-  return new Promise((resolve, reject) => {
-    let body = "";
-    req.on("data", (chunk) => {
-      body += chunk.toString();
-    });
-    req.on("end", () => {
-      resolve(new URLSearchParams(body));
-    });
-    req.on("error", reject);
-  });
-}
-async function handleSsoRequest(req, res, pathname) {
-  const ssoPath = pathname.replace(/^\/sso/, "");
-  if (req.method === "GET" && ssoPath === "/authorize") {
-    await handleAuthorize(req, res);
-    return;
-  }
-  if (req.method === "POST" && ssoPath === "/token") {
-    await handleToken(req, res);
-    return;
-  }
-  if (req.method === "GET" && ssoPath === "/certs") {
-    handleCerts(res);
-    return;
-  }
-  if (req.method === "POST" && ssoPath === "/revoke") {
-    await handleRevoke(req, res);
-    return;
-  }
-  if (req.method === "GET" && ssoPath === "/userinfo") {
-    handleUserInfo(req, res);
-    return;
-  }
-  if (req.method === "GET" && ssoPath === "/logout") {
-    handleLogout(req, res);
-    return;
-  }
-  if (req.method === "POST" && ssoPath === "/logout/backchannel") {
-    await handleBackChannelLogout(req, res);
-    return;
-  }
-  if (req.method === "GET" && ssoPath === "/.well-known/openid-configuration") {
-    handleOpenIDConfig(res);
-    return;
-  }
-  res.writeHead(404, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({ error: "not_found" }));
-}
-async function handleAuthorize(req, res) {
-  const url = new URL(req.url || "", `http://${req.headers.host}`);
-  const params = url.searchParams;
-  const clientId = params.get("client_id");
-  const redirectUri = params.get("redirect_uri");
-  const responseType = params.get("response_type");
-  const scope = params.get("scope") || "openid";
-  const state = params.get("state");
-  const codeChallenge = params.get("code_challenge");
-  const codeChallengeMethod = params.get("code_challenge_method");
-  if (!clientId || !redirectUri || !responseType) {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "invalid_request",
-      error_description: "Missing required parameters"
-    }));
-    return;
-  }
-  if (responseType !== "code") {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "unsupported_response_type",
-      error_description: "Only code response type is supported"
-    }));
-    return;
-  }
-  const testUser = getTestUser();
-  const code = generateRandomString(32);
-  const authCode = {
-    code,
-    userId: testUser.id,
-    clientId,
-    redirectUri,
-    scope,
-    codeChallenge: codeChallenge || undefined,
-    codeChallengeMethod: codeChallengeMethod || undefined,
-    state: state || undefined,
-    createdAt: new Date,
-    expiresAt: new Date(Date.now() + CODE_EXPIRY * 1000)
-  };
-  storeAuthCode(authCode);
-  const redirectUrl = new URL(redirectUri);
-  redirectUrl.searchParams.set("code", code);
-  if (state) {
-    redirectUrl.searchParams.set("state", state);
-  }
-  res.writeHead(302, { Location: redirectUrl.toString() });
-  res.end();
-}
-async function handleToken(req, res) {
-  const body = await parseFormBody(req);
-  const grantType = body.get("grant_type");
-  if (grantType === "authorization_code") {
-    await handleAuthorizationCodeGrant(body, res);
-  } else if (grantType === "refresh_token") {
-    await handleRefreshTokenGrant(body, res);
-  } else {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "unsupported_grant_type",
-      error_description: "Only authorization_code and refresh_token are supported"
-    }));
-  }
-}
-async function handleAuthorizationCodeGrant(body, res) {
-  const code = body.get("code");
-  const redirectUri = body.get("redirect_uri");
-  const codeVerifier = body.get("code_verifier");
-  if (!code || !redirectUri) {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "invalid_request",
-      error_description: "Missing code or redirect_uri"
-    }));
-    return;
-  }
-  const authCode = getAuthCode(code);
-  if (!authCode) {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "invalid_grant",
-      error_description: "Invalid or expired authorization code"
-    }));
-    return;
-  }
-  if (authCode.redirectUri !== redirectUri) {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "invalid_grant",
-      error_description: "Redirect URI mismatch"
-    }));
-    return;
-  }
-  if (authCode.codeChallenge && authCode.codeChallengeMethod === "S256") {
-    if (!codeVerifier || !verifyCodeChallenge(codeVerifier, authCode.codeChallenge)) {
-      res.writeHead(400, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({
-        error: "invalid_grant",
-        error_description: "Invalid code verifier"
-      }));
-      return;
-    }
-  }
-  deleteAuthCode(code);
-  const sessionId = generateUUID();
-  createSession({
-    id: sessionId,
-    userId: authCode.userId,
-    createdAt: new Date,
-    lastActivityAt: new Date
-  });
-  const testUser = getTestUser();
-  const tokens = generateTokens(testUser, authCode.clientId, authCode.scope, sessionId);
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify(tokens));
-}
-async function handleRefreshTokenGrant(body, res) {
-  const refreshToken = body.get("refresh_token");
-  if (!refreshToken) {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "invalid_request",
-      error_description: "Missing refresh_token"
-    }));
-    return;
-  }
-  const tokenData = getRefreshToken(refreshToken);
-  if (!tokenData || tokenData.expiresAt < new Date) {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "invalid_grant",
-      error_description: "Invalid or expired refresh token"
-    }));
-    return;
-  }
-  deleteRefreshToken(refreshToken);
-  const testUser = getTestUser();
-  const tokens = generateTokens(testUser, tokenData.clientId, tokenData.scope, tokenData.sessionId);
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify(tokens));
-}
-function generateTokens(user, clientId, scope, sessionId) {
-  const now = Math.floor(Date.now() / 1000);
-  const idTokenClaims = {
-    iss: ISSUER,
-    sub: user.id,
-    aud: clientId,
-    nonce: generateRandomString(16),
-    sid: sessionId,
-    auth_time: now,
-    email: user.email,
-    email_verified: true,
-    name: user.name,
-    given_name: user.givenName,
-    family_name: user.familyName,
-    preferred_username: user.userName,
-    picture: user.picture
-  };
-  const accessTokenClaims = {
-    iss: ISSUER,
-    sub: user.id,
-    aud: clientId,
-    scope,
-    sid: sessionId
-  };
-  const idToken = signJwt(idTokenClaims, TOKEN_EXPIRY);
-  const accessToken = signJwt(accessTokenClaims, TOKEN_EXPIRY);
-  const refreshTokenValue = generateRandomString(64);
-  const refreshToken = {
-    token: refreshTokenValue,
-    userId: user.id,
-    clientId,
-    scope,
-    sessionId,
-    createdAt: new Date,
-    expiresAt: new Date(Date.now() + REFRESH_EXPIRY * 1000)
-  };
-  storeRefreshToken(refreshToken);
-  return {
-    access_token: accessToken,
-    token_type: "Bearer",
-    expires_in: TOKEN_EXPIRY,
-    refresh_token: refreshTokenValue,
-    refresh_expires_in: REFRESH_EXPIRY,
-    id_token: idToken,
-    scope,
-    session_state: sessionId
-  };
-}
-function handleCerts(res) {
-  const jwks = getJwks();
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify(jwks));
-}
-async function handleRevoke(req, res) {
-  const body = await parseFormBody(req);
-  const token = body.get("token");
-  const tokenTypeHint = body.get("token_type_hint");
-  if (token) {
-    if (tokenTypeHint === "refresh_token" || !tokenTypeHint) {
-      deleteRefreshToken(token);
-    }
-  }
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({ success: true }));
-}
-function handleUserInfo(req, res) {
-  const authHeader = req.headers.authorization;
-  if (!authHeader?.startsWith("Bearer ")) {
-    res.writeHead(401, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: "invalid_token" }));
-    return;
-  }
-  const user = getTestUser();
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({
-    sub: user.id,
-    email: user.email,
-    email_verified: true,
-    name: user.name,
-    given_name: user.givenName,
-    family_name: user.familyName,
-    preferred_username: user.userName,
-    picture: user.picture
-  }));
-}
-function handleLogout(req, res) {
-  const url = new URL(req.url || "", `http://${req.headers.host}`);
-  const postLogoutRedirectUri = url.searchParams.get("post_logout_redirect_uri");
-  if (postLogoutRedirectUri) {
-    res.writeHead(302, { Location: postLogoutRedirectUri });
-    res.end();
-  } else {
-    res.writeHead(200, { "Content-Type": "text/html" });
-    res.end("<html><body><h1>Logged out</h1></body></html>");
-  }
-}
-async function handleBackChannelLogout(req, res) {
-  const body = await parseFormBody(req);
-  const logoutToken = body.get("logout_token");
-  if (!logoutToken) {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: "invalid_request", error_description: "Missing logout_token" }));
-    return;
-  }
-  try {
-    const parts = logoutToken.split(".");
-    if (parts.length >= 2) {
-      const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8"));
-      if (payload.sid) {
-        deleteSession(payload.sid);
-      }
-    }
-  } catch {}
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({ success: true }));
-}
-function handleOpenIDConfig(res) {
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({
-    issuer: ISSUER,
-    authorization_endpoint: `${ISSUER}/authorize`,
-    token_endpoint: `${ISSUER}/token`,
-    userinfo_endpoint: `${ISSUER}/userinfo`,
-    jwks_uri: `${ISSUER}/certs`,
-    end_session_endpoint: `${ISSUER}/logout`,
-    revocation_endpoint: `${ISSUER}/revoke`,
-    response_types_supported: ["code"],
-    subject_types_supported: ["public"],
-    id_token_signing_alg_values_supported: ["RS256"],
-    scopes_supported: ["openid", "profile", "email"],
-    token_endpoint_auth_methods_supported: ["client_secret_post", "client_secret_basic"],
-    claims_supported: [
-      "sub",
-      "iss",
-      "aud",
-      "exp",
-      "iat",
-      "nonce",
-      "email",
-      "email_verified",
-      "name",
-      "given_name",
-      "family_name",
-      "preferred_username",
-      "picture",
-      "sid"
-    ],
-    code_challenge_methods_supported: ["S256"],
-    backchannel_logout_supported: true,
-    backchannel_logout_session_supported: true
-  }));
-}
-
-// packages/esv/src/server/vault.ts
-function getEsvConfig(baseUrl = "http://localhost:3555") {
-  return {
-    sso: {
-      authority: `${baseUrl}/sso`,
-      token_url: `${baseUrl}/sso/token`,
-      authorization_url: `${baseUrl}/sso/authorize`,
-      jwks_uri: `${baseUrl}/sso/certs`,
-      client_id: "local-test-client",
-      client_secret: "local-test-secret",
-      redirect_uri: "http://localhost:3000/api/auth/callback",
-      scope: "openid profile email",
-      revocation_endpoint: `${baseUrl}/sso/revoke`,
-      end_session_endpoint: `${baseUrl}/sso/logout`
-    },
-    iam: {
-      url: `${baseUrl}/iam`
-    },
-    workload: {
-      token_url: `${baseUrl}/workload/token`,
-      jwks_uri: `${baseUrl}/workload/certs`,
-      client_id: "local-workload-client",
-      client_secret: "local-workload-secret",
-      issuer: `${baseUrl}/workload`,
-      audience: `${baseUrl}/workload`
-    }
-  };
-}
-function handleVaultRequest(req, res, pathname) {
-  const vaultPath = pathname.replace(/^\/vault/, "");
-  if (req.method === "GET" && vaultPath === "/v1/secret/data/esv/config") {
-    const token = req.headers["x-vault-token"];
-    if (token !== "local-esv-token") {
-      res.writeHead(403, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ errors: ["permission denied"] }));
-      return;
-    }
-    const config = getEsvConfig();
-    res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      request_id: "local-esv-request",
-      lease_id: "",
-      renewable: false,
-      lease_duration: 0,
-      data: {
-        data: config,
-        metadata: {
-          created_time: new Date().toISOString(),
-          deletion_time: "",
-          destroyed: false,
-          version: 1
-        }
-      },
-      wrap_info: null,
-      warnings: null,
-      auth: null
-    }));
-    return;
-  }
-  if (req.method === "GET" && vaultPath.startsWith("/v1/secret/data/")) {
-    const token = req.headers["x-vault-token"];
-    if (token !== "local-esv-token") {
-      res.writeHead(403, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ errors: ["permission denied"] }));
-      return;
-    }
-    res.writeHead(404, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ errors: ["secret not found"] }));
-    return;
-  }
-  res.writeHead(404, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({ errors: ["path not found"] }));
-}
-
-// packages/esv/src/server/workload.ts
-var ISSUER2 = "http://localhost:3555/workload";
-var TOKEN_EXPIRY2 = 3600;
-var VALID_CLIENTS = {
-  "local-workload-client": "local-workload-secret"
-};
-async function parseFormBody2(req) {
-  return new Promise((resolve, reject) => {
-    let body = "";
-    req.on("data", (chunk) => {
-      body += chunk.toString();
-    });
-    req.on("end", () => {
-      resolve(new URLSearchParams(body));
-    });
-    req.on("error", reject);
-  });
-}
-async function handleWorkloadRequest(req, res, pathname) {
-  const workloadPath = pathname.replace(/^\/workload/, "");
-  if (req.method === "POST" && workloadPath === "/token") {
-    await handleToken2(req, res);
-    return;
-  }
-  if (req.method === "GET" && workloadPath === "/certs") {
-    handleCerts2(res);
-    return;
-  }
-  if (req.method === "POST" && workloadPath === "/validate") {
-    handleValidate(req, res);
-    return;
-  }
-  res.writeHead(404, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({ error: "not_found" }));
-}
-async function handleToken2(req, res) {
-  const body = await parseFormBody2(req);
-  const grantType = body.get("grant_type");
-  if (grantType === "client_credentials") {
-    handleClientCredentials(body, res);
-  } else if (grantType === "urn:ietf:params:oauth:grant-type:jwt-bearer") {
-    handleJwtBearer(body, res);
-  } else {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "unsupported_grant_type",
-      error_description: "Only client_credentials and jwt-bearer are supported"
-    }));
-  }
-}
-function handleClientCredentials(body, res) {
-  const clientId = body.get("client_id");
-  const clientSecret = body.get("client_secret");
-  const scope = body.get("scope") || "";
-  if (!clientId || !clientSecret) {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "invalid_request",
-      error_description: "Missing client_id or client_secret"
-    }));
-    return;
-  }
-  const expectedSecret = VALID_CLIENTS[clientId];
-  if (!expectedSecret || expectedSecret !== clientSecret) {
-    res.writeHead(401, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "invalid_client",
-      error_description: "Invalid client credentials"
-    }));
-    return;
-  }
-  const accessTokenClaims = {
-    iss: ISSUER2,
-    sub: clientId,
-    aud: ISSUER2,
-    client_id: clientId,
-    scope
-  };
-  const accessToken = signJwt(accessTokenClaims, TOKEN_EXPIRY2);
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({
-    access_token: accessToken,
-    token_type: "Bearer",
-    expires_in: TOKEN_EXPIRY2,
-    scope
-  }));
-}
-function handleJwtBearer(body, res) {
-  const assertion = body.get("assertion");
-  const scope = body.get("scope") || "";
-  if (!assertion) {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "invalid_request",
-      error_description: "Missing assertion"
-    }));
-    return;
-  }
-  const result = verifyJwt(assertion);
-  if (!result.valid) {
-    res.writeHead(400, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      error: "invalid_grant",
-      error_description: result.error || "Invalid JWT assertion"
-    }));
-    return;
-  }
-  const workloadId = result.payload?.sub;
-  const accessTokenClaims = {
-    iss: ISSUER2,
-    sub: workloadId,
-    aud: ISSUER2,
-    workload_id: workloadId,
-    scope: scope || result.payload?.scope || ""
-  };
-  const accessToken = signJwt(accessTokenClaims, TOKEN_EXPIRY2);
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({
-    access_token: accessToken,
-    token_type: "Bearer",
-    expires_in: TOKEN_EXPIRY2,
-    scope: accessTokenClaims.scope
-  }));
-}
-function handleCerts2(res) {
-  const jwks = getJwks();
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify(jwks));
-}
-function handleValidate(req, res) {
-  const authHeader = req.headers.authorization;
-  if (!authHeader || !authHeader.startsWith("Bearer ")) {
-    res.writeHead(401, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      valid: false,
-      error: "Missing Authorization header"
-    }));
-    return;
-  }
-  const token = authHeader.substring(7);
-  const result = verifyJwt(token);
-  if (!result.valid) {
-    res.writeHead(401, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({
-      valid: false,
-      error: result.error
-    }));
-    return;
-  }
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({
-    valid: true,
-    claims: result.payload,
-    expiresAt: result.payload?.exp ? new Date(result.payload.exp * 1000).toISOString() : undefined
-  }));
-}
-function handleWhoamiRequest(req, res) {
-  const authHeader = req.headers.authorization;
-  if (!authHeader || !authHeader.startsWith("Bearer ")) {
-    res.writeHead(401, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: "Unauthorized" }));
-    return;
-  }
-  const token = authHeader.substring(7);
-  const result = verifyJwt(token);
-  if (!result.valid) {
-    res.writeHead(401, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: "Invalid token", details: result.error }));
-    return;
-  }
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({
-    user: null,
-    workload: {
-      workload_id: result.payload?.sub,
-      client_id: result.payload?.client_id,
-      scope: result.payload?.scope
-    }
-  }));
-}
-
-// packages/esv/src/server/server.ts
-async function handleWebhook(req, res) {
-  if (req.method !== "POST") {
-    res.writeHead(405, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: "Method not allowed" }));
-    return;
-  }
-  let body = "";
-  req.on("data", (chunk) => {
-    body += chunk.toString();
-  });
-  req.on("end", () => {
-    try {
-      const payload = JSON.parse(body);
-      res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ received: true, payload }));
-    } catch (_error) {
-      res.writeHead(400, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Invalid JSON" }));
-    }
-  });
-}
-var DEFAULT_PORT = 3555;
-var DEFAULT_HOST = "localhost";
-var server = null;
-var isStarted = false;
-async function handleRequest(req, res, verbose) {
-  const url = new URL(req.url || "/", `http://${req.headers.host}`);
-  const pathname = url.pathname;
-  if (verbose) {
-    console.log(`[ESV Server] ${req.method} ${pathname}`);
-  }
-  res.setHeader("Access-Control-Allow-Origin", "*");
-  res.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS");
-  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Vault-Token");
-  if (req.method === "OPTIONS") {
-    res.writeHead(204);
-    res.end();
-    return;
-  }
-  try {
-    if (pathname.startsWith("/vault")) {
-      handleVaultRequest(req, res, pathname);
-    } else if (pathname.startsWith("/sso")) {
-      await handleSsoRequest(req, res, pathname);
-    } else if (pathname.startsWith("/iam")) {
-      await handleIamRequest(req, res, pathname);
-    } else if (pathname.startsWith("/workload")) {
-      await handleWorkloadRequest(req, res, pathname);
-    } else if (pathname === "/api/whoami") {
-      handleWhoamiRequest(req, res);
-    } else if (pathname === "/webhook") {
-      handleWebhook(req, res);
-    } else if (pathname === "/health" || pathname === "/") {
-      res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ status: "ok", service: "esv-mock-server" }));
-    } else {
-      res.writeHead(404, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Not found" }));
-    }
-  } catch (error) {
-    console.error("[ESV Server] Error handling request:", error);
-    res.writeHead(500, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: "Internal server error" }));
-  }
-}
-function startServer(options = {}) {
-  const { port = DEFAULT_PORT, host = DEFAULT_HOST, verbose = false } = options;
-  if (isStarted && server) {
-    if (verbose) {
-      console.log("[ESV Server] Server already running");
-    }
-    return Promise.resolve();
-  }
-  return new Promise((resolve, reject) => {
-    try {
-      initializeKeys();
-      resetState();
-      server = createServer((req, res) => {
-        handleRequest(req, res, verbose).catch((error) => {
-          console.error("[ESV Server] Unhandled error:", error);
-          if (!res.headersSent) {
-            res.writeHead(500, { "Content-Type": "application/json" });
-            res.end(JSON.stringify({ error: "Internal server error" }));
-          }
-        });
-      });
-      server.on("error", (error) => {
-        if (error.code === "EADDRINUSE") {
-          if (verbose) {
-            console.log(`[ESV Server] Port ${port} already in use, assuming server is running`);
-          }
-          isStarted = true;
-          resolve();
-        } else {
-          reject(error);
-        }
-      });
-      server.listen(port, host, () => {
-        isStarted = true;
-        console.log(`[ESV Server] Running at http://${host}:${port}/`);
-        console.log("[ESV Server] Endpoints:");
-        console.log(`  - Vault:    http://${host}:${port}/vault/v1/secret/data/esv/config`);
-        console.log(`  - SSO:      http://${host}:${port}/sso/*`);
-        console.log(`  - IAM:      http://${host}:${port}/iam/*`);
-        console.log(`  - Workload: http://${host}:${port}/workload/*`);
-        console.log(`  - Whoami:   http://${host}:${port}/api/whoami`);
-        console.log(`  - Webhook:  http://${host}:${port}/webhook`);
-        resolve();
-      });
-    } catch (error) {
-      reject(error);
-    }
-  });
-}
-function stopServer() {
-  return new Promise((resolve, reject) => {
-    if (!server) {
-      isStarted = false;
-      resolve();
-      return;
-    }
-    server.close((error) => {
-      if (error) {
-        if (error.code === "ERR_SERVER_NOT_RUNNING") {
-          server = null;
-          isStarted = false;
-          resolve();
-          return;
-        }
-        reject(error);
-        return;
-      }
-      server = null;
-      isStarted = false;
-      console.log("[ESV Server] Stopped");
-      resolve();
-    });
-  });
-}
-function isServerRunning() {
-  return isStarted;
-}
-function getServerUrl(options = {}) {
-  const { port = DEFAULT_PORT, host = DEFAULT_HOST } = options;
-  return `http://${host}:${port}`;
-}
-export {
-  verifyJwt,
-  stopServer,
-  startServer,
-  signJwt,
-  setTestUser,
-  resetState,
-  isServerRunning,
-  getServerUrl,
-  getKeyId,
-  getJwks
-};
-
-//# debugId=26AB5076DF5FC52A64756E2164756E21
+/**
+ * ESV Mock Server
+ *
+ * A zero-dependency mock server for testing Enterprise Standard integrations locally.
+ *
+ * @example
+ * ```typescript
+ * import { startServer, stopServer } from '@enterprisestandard/esv/server';
+ * import { enterpriseStandard } from '@enterprisestandard/react';
+ *
+ * // In your test setup
+ * beforeAll(async () => {
+ *   await startServer();
+ * });
+ *
+ * afterAll(async () => {
+ *   await stopServer();
+ * });
+ *
+ * // Initialize with ES_VAULT_URL, ES_VAULT_TOKEN, and ES_VAULT_PATH set
+ * const es = await enterpriseStandard(undefined, {
+ *   vaultUrl: process.env.ES_VAULT_URL,
+ *   vaultToken: process.env.ES_VAULT_TOKEN,
+ *   vaultPath: process.env.ES_VAULT_PATH,
+ * });
+ * ```
+ */
+// Crypto utilities (for advanced testing scenarios)
+export { getJwks, getKeyId, signJwt, verifyJwt } from './crypto.js';
+// Main server functions
+export { getServerUrl, isServerRunning, startServer, stopServer } from './server.js';
+// State management (useful for test setup)
+export { resetState, setTestUser } from './state.js';
+//# sourceMappingURL=index.js.map