@executor-js/emulate 0.6.0

package/dist/dist-OYYGWKZQ.js

@@ -0,0 +1,1533 @@
+// ../@emulators/x/dist/index.js
+import { createHash, randomBytes } from "crypto";
+import { timingSafeEqual } from "crypto";
+function getXStore(store) {
+  return {
+    users: store.collection("x.users", ["user_id", "username"]),
+    tweets: store.collection("x.tweets", ["tweet_id", "author_id"]),
+    oauthClients: store.collection("x.oauth_clients", ["client_id"]),
+    authCodes: store.collection("x.auth_codes", ["code", "client_id"]),
+    accessTokens: store.collection("x.access_tokens", ["token", "client_id"]),
+    refreshTokens: store.collection("x.refresh_tokens", ["token", "client_id"])
+  };
+}
+function lookupAccessToken(store, token) {
+  const xs = getXStore(store);
+  const row = xs.accessTokens.findOneBy("token", token);
+  if (!row) return void 0;
+  if (row.expires > 0 && Date.now() > row.expires) {
+    xs.accessTokens.delete(row.id);
+    return void 0;
+  }
+  return row;
+}
+function xNumericId() {
+  let s = "";
+  for (let i = 0; i < 19; i++) {
+    s += Math.floor(Math.random() * 10).toString();
+  }
+  return s[0] === "0" ? "1" + s.slice(1) : s;
+}
+function createErrorHandler(documentationUrl) {
+  return async (c, next) => {
+    if (documentationUrl) {
+      c.set("docsUrl", documentationUrl);
+    }
+    await next();
+  };
+}
+var errorHandler = createErrorHandler();
+var isDebug = typeof process !== "undefined" && (process.env.DEBUG === "1" || process.env.DEBUG === "true" || process.env.EMULATE_DEBUG === "1");
+function debug(label, ...args) {
+  if (isDebug) {
+    console.log(`[${label}]`, ...args);
+  }
+}
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function escapeAttr(s) {
+  return escapeHtml(s).replace(/'/g, "&#39;");
+}
+var CSS = `
+@font-face{
+  font-family:'Geist';font-style:normal;font-weight:100 900;font-display:swap;
+  src:url('/_emulate/fonts/geist-sans.woff2') format('woff2');
+}
+@font-face{
+  font-family:'Geist Pixel';font-style:normal;font-weight:400;font-display:swap;
+  src:url('/_emulate/fonts/GeistPixel-Square.woff2') format('woff2');
+}
+*{box-sizing:border-box;margin:0;padding:0}
+body{
+  font-family:'Geist',-apple-system,BlinkMacSystemFont,sans-serif;
+  background:#000;color:#33ff00;min-height:100vh;
+  -webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;
+}
+.emu-bar{
+  border-bottom:1px solid #0a3300;padding:10px 20px;
+  display:flex;align-items:center;gap:10px;font-size:.8125rem;color:#1a8c00;
+}
+.emu-bar-title{font-weight:600;color:#33ff00;font-family:'Geist Pixel',monospace;}
+.emu-bar-links{margin-left:auto;display:flex;gap:16px;}
+.emu-bar-links a{
+  color:#1a8c00;font-size:.75rem;text-decoration:none;transition:color .15s;
+}
+.emu-bar-links a:hover{color:#33ff00;}
+.emu-bar-links a .full{display:inline;}
+.emu-bar-links a .short{display:none;}
+@media(max-width:600px){
+  .emu-bar-links a .full{display:none;}
+  .emu-bar-links a .short{display:inline;}
+}
+
+.content{
+  display:flex;align-items:center;justify-content:center;
+  min-height:calc(100vh - 42px);padding:24px 16px;
+}
+.content-inner{width:100%;max-width:420px;}
+.card-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.125rem;font-weight:600;margin-bottom:4px;color:#33ff00;
+}
+.card-subtitle{color:#1a8c00;font-size:.8125rem;margin-bottom:18px;line-height:1.45;}
+.powered-by{
+  position:fixed;bottom:0;left:0;right:0;
+  text-align:center;padding:12px;font-size:.6875rem;color:#0a3300;
+  font-family:'Geist Pixel',monospace;
+}
+.powered-by a{color:#1a8c00;text-decoration:none;transition:color .15s;}
+.powered-by a:hover{color:#33ff00;}
+
+.error-title{
+  font-family:'Geist Pixel',monospace;
+  color:#ff4444;font-size:1.125rem;font-weight:600;margin-bottom:8px;
+}
+.error-msg{color:#1a8c00;font-size:.875rem;line-height:1.5;}
+.error-card{text-align:center;}
+
+.user-form{margin-bottom:8px;}
+.user-form:last-of-type{margin-bottom:0;}
+.user-btn{
+  width:100%;display:flex;align-items:center;gap:12px;
+  padding:10px 12px;border:1px solid #0a3300;border-radius:8px;
+  background:#000;color:inherit;cursor:pointer;text-align:left;
+  font:inherit;transition:border-color .15s;
+}
+.user-btn:hover{border-color:#33ff00;}
+.avatar{
+  width:36px;height:36px;border-radius:50%;
+  background:#0a3300;color:#33ff00;font-weight:600;font-size:.875rem;
+  display:flex;align-items:center;justify-content:center;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.user-text{min-width:0;}
+.user-login{font-weight:600;font-size:.875rem;display:block;color:#33ff00;}
+.user-meta{color:#1a8c00;font-size:.75rem;margin-top:1px;}
+.user-email{font-size:.6875rem;color:#116600;word-break:break-all;margin-top:1px;}
+
+.settings-layout{
+  max-width:920px;margin:0 auto;padding:28px 20px;
+  display:flex;gap:28px;
+}
+.settings-sidebar{width:200px;flex-shrink:0;}
+.settings-sidebar a{
+  display:block;padding:6px 10px;border-radius:6px;color:#1a8c00;
+  text-decoration:none;font-size:.8125rem;transition:color .15s;
+}
+.settings-sidebar a:hover{color:#33ff00;}
+.settings-sidebar a.active{color:#33ff00;font-weight:600;}
+.settings-main{flex:1;min-width:0;}
+
+.s-card{
+  padding:18px 0;margin-bottom:14px;border-bottom:1px solid #0a3300;
+}
+.s-card:last-child{border-bottom:none;}
+.s-card-header{display:flex;align-items:center;gap:14px;margin-bottom:14px;}
+.s-icon{
+  width:42px;height:42px;border-radius:8px;
+  background:#0a3300;display:flex;align-items:center;justify-content:center;
+  font-size:1.125rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.s-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.25rem;font-weight:600;color:#33ff00;
+}
+.s-subtitle{font-size:.75rem;color:#1a8c00;margin-top:2px;}
+.section-heading{
+  font-size:.9375rem;font-weight:600;margin-bottom:10px;color:#33ff00;
+  display:flex;align-items:center;justify-content:space-between;
+}
+.perm-list{list-style:none;}
+.perm-list li{padding:5px 0;font-size:.8125rem;display:flex;align-items:center;gap:6px;color:#1a8c00;}
+.check{color:#33ff00;}
+.org-row{
+  display:flex;align-items:center;gap:8px;padding:7px 0;
+  border-bottom:1px solid #0a3300;font-size:.8125rem;
+}
+.org-row:last-child{border-bottom:none;}
+.org-icon{
+  width:22px;height:22px;border-radius:4px;background:#0a3300;
+  display:flex;align-items:center;justify-content:center;
+  font-size:.625rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.org-name{font-weight:600;color:#33ff00;}
+.badge{font-size:.6875rem;padding:1px 7px;border-radius:999px;font-weight:500;}
+.badge-granted{background:#0a3300;color:#33ff00;}
+.badge-denied{background:#1a0a0a;color:#ff4444;}
+.badge-requested{background:#0a3300;color:#1a8c00;}
+.btn-revoke{
+  display:inline-block;padding:5px 14px;border-radius:6px;
+  border:1px solid #0a3300;background:transparent;color:#ff4444;
+  font-size:.75rem;font-weight:600;cursor:pointer;transition:border-color .15s;
+}
+.btn-revoke:hover{border-color:#ff4444;}
+.info-text{color:#1a8c00;font-size:.75rem;line-height:1.5;margin-top:10px;}
+.info-text a,.section-heading a{color:#1a8c00;text-decoration:none;transition:color .15s;}
+.info-text a:hover,.section-heading a:hover{color:#33ff00;}
+code{font-family:'Geist Mono','SF Mono',ui-monospace,monospace;font-size:.8125rem;color:#33ff00;word-break:break-all;}
+.code-block{
+  background:#020;border:1px solid #0a3300;border-radius:6px;padding:10px 12px;
+  margin:8px 0 12px;overflow-x:auto;
+}
+.code-block code{white-space:pre;word-break:normal;display:block;line-height:1.5;}
+.app-link{
+  display:flex;align-items:center;gap:12px;padding:12px;
+  border:1px solid #0a3300;border-radius:8px;background:#000;
+  text-decoration:none;color:inherit;margin-bottom:8px;transition:border-color .15s;
+}
+.app-link:hover{border-color:#33ff00;}
+.app-link-name{font-weight:600;font-size:.875rem;color:#33ff00;}
+.app-link-scopes{font-size:.6875rem;color:#1a8c00;margin-top:1px;}
+.empty{color:#1a8c00;text-align:center;padding:28px 0;font-size:.875rem;}
+
+.inspector-layout{max-width:960px;margin:0 auto;padding:28px 20px;}
+.inspector-tabs{display:flex;gap:4px;margin-bottom:20px;}
+.inspector-tabs a{
+  padding:7px 16px;border-radius:6px;text-decoration:none;
+  font-size:.8125rem;color:#1a8c00;border:1px solid transparent;
+  transition:color .15s,border-color .15s;
+}
+.inspector-tabs a:hover{color:#33ff00;}
+.inspector-tabs a.active{color:#33ff00;font-weight:600;border-color:#0a3300;background:#0a3300;}
+.inspector-section{margin-bottom:24px;}
+.inspector-section h2{
+  font-family:'Geist Pixel',monospace;
+  font-size:1rem;font-weight:600;color:#33ff00;margin-bottom:10px;
+}
+.inspector-section h3{
+  font-family:'Geist Pixel',monospace;
+  font-size:.875rem;font-weight:600;color:#1a8c00;margin:16px 0 8px;
+}
+.inspector-table{width:100%;border-collapse:collapse;margin-bottom:12px;}
+.inspector-table th,.inspector-table td{
+  text-align:left;padding:8px 12px;border-bottom:1px solid #0a3300;
+  font-size:.8125rem;
+}
+.inspector-table th{color:#1a8c00;font-weight:600;font-size:.75rem;text-transform:uppercase;letter-spacing:.04em;}
+.inspector-table td{color:#33ff00;}
+.inspector-table tbody tr{transition:background .1s;}
+.inspector-table tbody tr:hover{background:#0a3300;}
+.inspector-empty{color:#1a8c00;text-align:center;padding:20px 0;font-size:.8125rem;}
+
+.checkout-layout{
+  display:flex;min-height:calc(100vh - 42px);
+}
+.checkout-summary{
+  flex:1;background:#020;padding:48px 40px 48px 10%;
+  display:flex;flex-direction:column;justify-content:center;
+  border-right:1px solid #0a3300;
+}
+.checkout-form-side{
+  flex:1;background:#000;padding:48px 10% 48px 40px;
+  display:flex;flex-direction:column;justify-content:center;
+}
+.checkout-merchant{
+  display:flex;align-items:center;gap:10px;margin-bottom:6px;
+}
+.checkout-merchant-name{
+  font-family:'Geist Pixel',monospace;
+  font-size:.9375rem;font-weight:600;color:#33ff00;
+}
+.checkout-test-badge{
+  font-size:.625rem;font-weight:700;letter-spacing:.04em;text-transform:uppercase;
+  background:#0a3300;color:#1a8c00;padding:2px 8px;border-radius:4px;
+}
+.checkout-total{
+  font-family:'Geist Pixel',monospace;
+  font-size:2rem;font-weight:700;color:#33ff00;margin:8px 0 28px;
+}
+.checkout-line-item{
+  display:flex;align-items:center;gap:14px;padding:14px 0;
+  border-bottom:1px solid #0a3300;
+}
+.checkout-line-item:first-child{border-top:1px solid #0a3300;}
+.checkout-item-icon{
+  width:42px;height:42px;border-radius:6px;background:#0a3300;
+  display:flex;align-items:center;justify-content:center;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;font-size:.875rem;font-weight:700;color:#116600;
+}
+.checkout-item-details{flex:1;min-width:0;}
+.checkout-item-name{font-size:.875rem;font-weight:600;color:#33ff00;}
+.checkout-item-qty{font-size:.75rem;color:#1a8c00;margin-top:2px;}
+.checkout-item-price{
+  font-size:.875rem;font-weight:600;color:#33ff00;text-align:right;white-space:nowrap;
+}
+.checkout-item-unit{font-size:.6875rem;color:#1a8c00;text-align:right;margin-top:2px;}
+.checkout-totals{margin-top:20px;}
+.checkout-totals-row{
+  display:flex;justify-content:space-between;padding:6px 0;
+  font-size:.8125rem;color:#1a8c00;
+}
+.checkout-totals-row.total{
+  border-top:1px solid #0a3300;margin-top:8px;padding-top:14px;
+  font-size:.9375rem;font-weight:600;color:#33ff00;
+}
+.checkout-form-section{margin-bottom:24px;}
+.checkout-form-label{
+  font-size:.8125rem;font-weight:600;color:#33ff00;margin-bottom:8px;display:block;
+}
+.checkout-input{
+  width:100%;padding:10px 12px;border:1px solid #0a3300;border-radius:6px;
+  background:#020;color:#33ff00;font:inherit;font-size:.875rem;
+  transition:border-color .15s;outline:none;
+}
+.checkout-input:focus{border-color:#33ff00;}
+.checkout-input::placeholder{color:#116600;}
+.checkout-card-box{
+  border:1px solid #0a3300;border-radius:6px;padding:14px;
+  background:#020;
+}
+.checkout-card-row{
+  display:flex;gap:12px;margin-top:10px;
+}
+.checkout-card-row .checkout-input{flex:1;}
+.checkout-sim-note{
+  font-size:.6875rem;color:#1a8c00;margin-top:10px;text-align:center;
+  font-style:italic;
+}
+.checkout-pay-btn{
+  width:100%;padding:14px;border:none;border-radius:8px;
+  background:#33ff00;color:#000;font:inherit;font-size:.9375rem;font-weight:700;
+  cursor:pointer;transition:background .15s;
+  font-family:'Geist Pixel',monospace;
+}
+.checkout-pay-btn:hover{background:#44ff22;}
+.checkout-cancel{
+  text-align:center;margin-top:14px;
+}
+.checkout-cancel a{
+  color:#1a8c00;text-decoration:none;font-size:.8125rem;
+  transition:color .15s;
+}
+.checkout-cancel a:hover{color:#33ff00;}
+@media(max-width:768px){
+  .checkout-layout{flex-direction:column;}
+  .checkout-summary{padding:32px 20px;border-right:none;border-bottom:1px solid #0a3300;}
+  .checkout-form-side{padding:32px 20px;}
+}
+`;
+var POWERED_BY = `<div class="powered-by">Powered by <a href="https://emulate.dev" target="_blank" rel="noopener">emulate</a></div>`;
+function emuBar(service) {
+  const title = service ? `${escapeHtml(service)} Emulator` : "Emulator";
+  return `<div class="emu-bar">
+  <span class="emu-bar-title">${title}</span>
+  <nav class="emu-bar-links">
+    <a href="https://github.com/vercel-labs/emulate/issues" target="_blank" rel="noopener"><span class="full">Report Issue</span><span class="short">Report</span></a>
+    <a href="https://github.com/vercel-labs/emulate" target="_blank" rel="noopener"><span class="full">Source Code</span><span class="short">Source</span></a>
+    <a href="https://emulate.dev" target="_blank" rel="noopener"><span class="full">Learn More</span><span class="short">Learn</span></a>
+  </nav>
+</div>`;
+}
+function head(title) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta name="viewport" content="width=device-width,initial-scale=1"/>
+<link rel="icon" href="/_emulate/favicon.ico"/>
+<title>${escapeHtml(title)} | emulate</title>
+<style>${CSS}</style>
+</head>`;
+}
+function renderCardPage(title, subtitle, body, service) {
+  return `${head(title)}
+<body>
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner">
+    <div class="card-title">${escapeHtml(title)}</div>
+    <div class="card-subtitle">${subtitle}</div>
+    ${body}
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
+function renderErrorPage(title, message, service) {
+  return `${head(title)}
+<body>
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner error-card">
+    <div class="error-title">${escapeHtml(title)}</div>
+    <div class="error-msg">${escapeHtml(message)}</div>
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
+function renderUserButton(opts) {
+  const hiddens = Object.entries(opts.hiddenFields).map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}"/>`).join("");
+  const nameLine = opts.name ? `<div class="user-meta">${escapeHtml(opts.name)}</div>` : "";
+  const emailLine = opts.email ? `<div class="user-email">${escapeHtml(opts.email)}</div>` : "";
+  return `<form class="user-form" method="post" action="${escapeAttr(opts.formAction)}">
+${hiddens}
+<button type="submit" class="user-btn">
+  <span class="avatar">${escapeHtml(opts.letter)}</span>
+  <span class="user-text">
+    <span class="user-login">${escapeHtml(opts.login)}</span>
+    ${nameLine}${emailLine}
+  </span>
+</button>
+</form>`;
+}
+function normalizeUri(uri) {
+  try {
+    const u = new URL(uri);
+    return `${u.origin}${u.pathname.replace(/\/+$/, "")}`;
+  } catch {
+    return uri.replace(/\/+$/, "").split("?")[0];
+  }
+}
+function matchesRedirectUri(incoming, registered) {
+  const normalized = normalizeUri(incoming);
+  return registered.some((r) => normalizeUri(r) === normalized);
+}
+function constantTimeSecretEqual(a, b) {
+  const bufA = Buffer.from(a, "utf-8");
+  const bufB = Buffer.from(b, "utf-8");
+  if (bufA.length !== bufB.length) return false;
+  return timingSafeEqual(bufA, bufB);
+}
+function bodyStr(v) {
+  if (typeof v === "string") return v;
+  if (Array.isArray(v) && typeof v[0] === "string") return v[0];
+  return "";
+}
+var SERVICE_LABEL = "X";
+var AUTH_CODE_TTL_MS = 10 * 60 * 1e3;
+var ACCESS_TOKEN_TTL_SECONDS = 7200;
+var X_SCOPES = [
+  "tweet.read",
+  "tweet.write",
+  "tweet.moderate.write",
+  "users.read",
+  "follows.read",
+  "follows.write",
+  "offline.access",
+  "space.read",
+  "mute.read",
+  "mute.write",
+  "like.read",
+  "like.write",
+  "list.read",
+  "list.write",
+  "block.read",
+  "block.write",
+  "bookmark.read",
+  "bookmark.write"
+];
+function parseClientCredentials(c, body) {
+  const basic = /^Basic\s+(.+)$/i.exec(c.req.header("Authorization") ?? "");
+  if (basic) {
+    try {
+      const decoded = Buffer.from(basic[1].trim(), "base64").toString("utf-8");
+      const sep = decoded.indexOf(":");
+      if (sep >= 0) {
+        return {
+          clientId: decodeURIComponent(decoded.slice(0, sep)),
+          clientSecret: decodeURIComponent(decoded.slice(sep + 1)),
+          fromBasic: true
+        };
+      }
+    } catch {
+    }
+  }
+  const clientId = typeof body.client_id === "string" ? body.client_id : "";
+  const clientSecret = typeof body.client_secret === "string" ? body.client_secret : null;
+  return { clientId, clientSecret, fromBasic: false };
+}
+function s256(verifier) {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+async function parseTokenBody(c) {
+  const contentType = c.req.header("Content-Type") ?? "";
+  const rawText = await c.req.text();
+  if (contentType.includes("application/json")) {
+    try {
+      return JSON.parse(rawText);
+    } catch {
+      return {};
+    }
+  }
+  return Object.fromEntries(new URLSearchParams(rawText));
+}
+function opaqueToken() {
+  return randomBytes(32).toString("base64url");
+}
+function oauthRoutes({ app, store, baseUrl }) {
+  const xs = getXStore(store);
+  function authenticateClient(creds, _body) {
+    if (!creds.clientId) {
+      return {
+        error: "invalid_request",
+        description: "A client_id is required. Public clients must include client_id in the request body.",
+        status: 400
+      };
+    }
+    const client = xs.oauthClients.findOneBy("client_id", creds.clientId);
+    if (!client) {
+      return { error: "invalid_client", description: "Unknown client_id.", status: 401 };
+    }
+    if (client.client_type === "confidential") {
+      if (!creds.fromBasic) {
+        return {
+          error: "invalid_client",
+          description: "Confidential clients must authenticate with HTTP Basic.",
+          status: 401
+        };
+      }
+      if (!constantTimeSecretEqual(creds.clientSecret ?? "", client.client_secret ?? "")) {
+        return { error: "invalid_client", description: "Invalid client credentials.", status: 401 };
+      }
+    } else {
+      if (creds.fromBasic || creds.clientSecret != null) {
+        return {
+          error: "invalid_client",
+          description: "Public clients have no client_secret and must authenticate with PKCE only.",
+          status: 401
+        };
+      }
+    }
+    return { client };
+  }
+  app.get("/2/oauth2/authorize", (c) => {
+    const client_id = c.req.query("client_id") ?? "";
+    const redirect_uri = c.req.query("redirect_uri") ?? "";
+    const scope = c.req.query("scope") ?? "";
+    const state = c.req.query("state") ?? "";
+    const response_type = c.req.query("response_type") ?? "";
+    const code_challenge = c.req.query("code_challenge") ?? "";
+    const code_challenge_method = c.req.query("code_challenge_method") ?? "";
+    const client = xs.oauthClients.findOneBy("client_id", client_id);
+    if (!client) {
+      return c.html(
+        renderErrorPage(
+          "Application not found",
+          `The client_id '${escapeHtml(client_id)}' is not registered.`,
+          SERVICE_LABEL
+        ),
+        400
+      );
+    }
+    if (redirect_uri && !matchesRedirectUri(redirect_uri, client.redirect_uris)) {
+      return c.html(
+        renderErrorPage(
+          "Redirect URI mismatch",
+          "The redirect_uri is not registered for this application.",
+          SERVICE_LABEL
+        ),
+        400
+      );
+    }
+    if (response_type && response_type !== "code") {
+      return c.html(
+        renderErrorPage("Unsupported response_type", "Only response_type=code is supported.", SERVICE_LABEL),
+        400
+      );
+    }
+    if (!code_challenge) {
+      return c.html(
+        renderErrorPage(
+          "PKCE required",
+          "A code_challenge is required for the authorization code flow.",
+          SERVICE_LABEL
+        ),
+        400
+      );
+    }
+    if (code_challenge_method.toUpperCase() !== "S256") {
+      return c.html(
+        renderErrorPage(
+          "Unsupported PKCE method",
+          "code_challenge_method must be S256 for the X authorization code flow.",
+          SERVICE_LABEL
+        ),
+        400
+      );
+    }
+    const requestedScopes = scope.split(/[\s+]+/).filter(Boolean);
+    const unknownScope = requestedScopes.find((s) => !X_SCOPES.includes(s));
+    if (unknownScope) {
+      return c.html(
+        renderErrorPage("Invalid scope", `The scope '${escapeHtml(unknownScope)}' is not supported.`, SERVICE_LABEL),
+        400
+      );
+    }
+    const users = [...xs.users.all()].sort((a, b) => a.username.localeCompare(b.username));
+    const subtitleText = `Authorize <strong>${escapeHtml(client.name)}</strong> to access your X account.`;
+    const userButtons = users.map(
+      (u) => renderUserButton({
+        letter: (u.name[0] ?? u.username[0] ?? "?").toUpperCase(),
+        login: `@${u.username}`,
+        name: u.name,
+        formAction: `${baseUrl}/2/oauth2/authorize/consent`,
+        hiddenFields: {
+          user_id: u.user_id,
+          redirect_uri,
+          scope,
+          state,
+          client_id,
+          code_challenge,
+          code_challenge_method
+        }
+      })
+    ).join("\n");
+    const body = users.length === 0 ? '<p class="empty">No users in the emulator store.</p>' : userButtons;
+    return c.html(renderCardPage("Sign in to X", subtitleText, body, SERVICE_LABEL));
+  });
+  app.post("/2/oauth2/authorize/consent", async (c) => {
+    const form = await c.req.parseBody();
+    const user_id = bodyStr(form.user_id);
+    const redirect_uri = bodyStr(form.redirect_uri);
+    const scope = bodyStr(form.scope);
+    const state = bodyStr(form.state);
+    const client_id = bodyStr(form.client_id);
+    const code_challenge = bodyStr(form.code_challenge);
+    const code_challenge_method = bodyStr(form.code_challenge_method);
+    const user = xs.users.findOneBy("user_id", user_id);
+    if (!user) {
+      return c.html(renderErrorPage("User not found", "The selected user no longer exists.", SERVICE_LABEL), 400);
+    }
+    const code = randomBytes(24).toString("base64url");
+    xs.authCodes.insert({
+      code,
+      client_id,
+      redirect_uri,
+      code_challenge,
+      code_challenge_method: code_challenge_method || "S256",
+      scopes: scope.split(/[\s+]+/).filter(Boolean),
+      user_id,
+      expires: Date.now() + AUTH_CODE_TTL_MS
+    });
+    debug("x.oauth", `[authorize] minted code for user ${user_id} client ${client_id}`);
+    const url = new URL(redirect_uri);
+    url.searchParams.set("code", code);
+    if (state) url.searchParams.set("state", state);
+    return c.redirect(url.toString(), 302);
+  });
+  app.post("/2/oauth2/token", async (c) => {
+    const body = await parseTokenBody(c);
+    const grant_type = typeof body.grant_type === "string" ? body.grant_type : "";
+    const creds = parseClientCredentials(c, body);
+    if (grant_type === "client_credentials") {
+      const auth = authenticateClient(creds, body);
+      if ("error" in auth) {
+        return c.json({ error: auth.error, error_description: auth.description }, auth.status);
+      }
+      if (auth.client.client_type !== "confidential") {
+        return c.json(
+          {
+            error: "unauthorized_client",
+            error_description: "Only confidential clients may use the client_credentials grant."
+          },
+          400
+        );
+      }
+      const token = opaqueToken();
+      const expires = Date.now() + ACCESS_TOKEN_TTL_SECONDS * 1e3;
+      xs.accessTokens.insert({
+        token,
+        client_id: auth.client.client_id,
+        user_id: null,
+        scopes: [],
+        app_only: true,
+        expires
+      });
+      return c.json({
+        token_type: "bearer",
+        access_token: token,
+        expires_in: ACCESS_TOKEN_TTL_SECONDS
+      });
+    }
+    if (grant_type === "authorization_code") {
+      const auth = authenticateClient(creds, body);
+      if ("error" in auth) {
+        return c.json({ error: auth.error, error_description: auth.description }, auth.status);
+      }
+      const client = auth.client;
+      const code = typeof body.code === "string" ? body.code : "";
+      const redirect_uri = typeof body.redirect_uri === "string" ? body.redirect_uri : "";
+      const code_verifier = typeof body.code_verifier === "string" ? body.code_verifier : "";
+      const codeRow = xs.authCodes.findOneBy("code", code);
+      if (!codeRow || codeRow.expires < Date.now()) {
+        if (codeRow) xs.authCodes.delete(codeRow.id);
+        return c.json(
+          { error: "invalid_grant", error_description: "The authorization code is invalid or expired." },
+          400
+        );
+      }
+      if (codeRow.client_id !== client.client_id) {
+        return c.json(
+          { error: "invalid_grant", error_description: "The authorization code was issued to another client." },
+          400
+        );
+      }
+      if (codeRow.redirect_uri !== redirect_uri) {
+        return c.json(
+          { error: "invalid_grant", error_description: "The redirect_uri does not match the authorization request." },
+          400
+        );
+      }
+      if (!code_verifier) {
+        return c.json({ error: "invalid_request", error_description: "A code_verifier is required (PKCE)." }, 400);
+      }
+      if (s256(code_verifier) !== codeRow.code_challenge) {
+        return c.json({ error: "invalid_grant", error_description: "PKCE verification failed." }, 400);
+      }
+      xs.authCodes.delete(codeRow.id);
+      const scopes = codeRow.scopes;
+      const token = opaqueToken();
+      const expires = Date.now() + ACCESS_TOKEN_TTL_SECONDS * 1e3;
+      xs.accessTokens.insert({
+        token,
+        client_id: client.client_id,
+        user_id: codeRow.user_id,
+        scopes,
+        app_only: false,
+        expires
+      });
+      const response = {
+        token_type: "bearer",
+        access_token: token,
+        scope: scopes.join(" "),
+        expires_in: ACCESS_TOKEN_TTL_SECONDS
+      };
+      if (scopes.includes("offline.access")) {
+        const refreshToken = opaqueToken();
+        xs.refreshTokens.insert({
+          token: refreshToken,
+          client_id: client.client_id,
+          user_id: codeRow.user_id,
+          scopes
+        });
+        response.refresh_token = refreshToken;
+      }
+      debug("x.oauth", `[token] authorization_code \u2192 user ${codeRow.user_id} scopes ${scopes.join(",")}`);
+      return c.json(response);
+    }
+    if (grant_type === "refresh_token") {
+      const auth = authenticateClient(creds, body);
+      if ("error" in auth) {
+        return c.json({ error: auth.error, error_description: auth.description }, auth.status);
+      }
+      const client = auth.client;
+      const refresh_token = typeof body.refresh_token === "string" ? body.refresh_token : "";
+      const row = xs.refreshTokens.findOneBy("token", refresh_token);
+      if (!row || row.client_id !== client.client_id) {
+        return c.json({ error: "invalid_grant", error_description: "The refresh token is invalid." }, 400);
+      }
+      if (!row.scopes.includes("offline.access")) {
+        return c.json(
+          { error: "invalid_grant", error_description: "The refresh token does not have offline.access." },
+          400
+        );
+      }
+      const token = opaqueToken();
+      const expires = Date.now() + ACCESS_TOKEN_TTL_SECONDS * 1e3;
+      xs.accessTokens.insert({
+        token,
+        client_id: client.client_id,
+        user_id: row.user_id,
+        scopes: row.scopes,
+        app_only: false,
+        expires
+      });
+      const newRefresh = opaqueToken();
+      xs.refreshTokens.update(row.id, { token: newRefresh });
+      return c.json({
+        token_type: "bearer",
+        access_token: token,
+        scope: row.scopes.join(" "),
+        expires_in: ACCESS_TOKEN_TTL_SECONDS,
+        refresh_token: newRefresh
+      });
+    }
+    return c.json(
+      {
+        error: "unsupported_grant_type",
+        error_description: "grant_type must be authorization_code, refresh_token, or client_credentials."
+      },
+      400
+    );
+  });
+  app.post("/2/oauth2/revoke", async (c) => {
+    const body = await parseTokenBody(c);
+    const creds = parseClientCredentials(c, body);
+    const auth = authenticateClient(creds, body);
+    if ("error" in auth) {
+      return c.json({ error: auth.error, error_description: auth.description }, auth.status);
+    }
+    const token = typeof body.token === "string" ? body.token : "";
+    if (token) {
+      const access = xs.accessTokens.findOneBy("token", token);
+      if (access && access.client_id === auth.client.client_id) {
+        xs.accessTokens.delete(access.id);
+      }
+      const refresh = xs.refreshTokens.findOneBy("token", token);
+      if (refresh && refresh.client_id === auth.client.client_id) {
+        xs.refreshTokens.delete(refresh.id);
+      }
+    }
+    return c.json({ revoked: true });
+  });
+}
+function resolveToken(store, c) {
+  const m = /^Bearer\s+(.+)$/i.exec(c.req.header("Authorization") ?? "");
+  if (!m) return null;
+  return lookupAccessToken(store, m[1].trim()) ?? null;
+}
+function unauthorized(c) {
+  return c.json(
+    {
+      title: "Unauthorized",
+      type: "about:blank",
+      status: 401,
+      detail: "Unauthorized"
+    },
+    401
+  );
+}
+function forbidden(c, detail) {
+  return c.json(
+    {
+      title: "Forbidden",
+      type: "https://api.twitter.com/2/problems/oauth2-insufficient-scope",
+      status: 403,
+      detail
+    },
+    403
+  );
+}
+function hasUserScope(token, ...required) {
+  if (token.app_only) return false;
+  return required.every((s) => token.scopes.includes(s));
+}
+function formatUser(u) {
+  return {
+    id: u.user_id,
+    name: u.name,
+    username: u.username,
+    created_at: u.created_at_x,
+    description: u.description,
+    location: u.location,
+    url: u.url,
+    protected: u.protected,
+    verified: u.verified,
+    profile_image_url: u.profile_image_url,
+    public_metrics: {
+      followers_count: u.followers_count,
+      following_count: u.following_count,
+      tweet_count: u.tweet_count,
+      listed_count: u.listed_count
+    }
+  };
+}
+function notFound(c, detail) {
+  return c.json(
+    {
+      errors: [
+        {
+          title: "Not Found Error",
+          type: "https://api.twitter.com/2/problems/resource-not-found",
+          detail
+        }
+      ]
+    },
+    404
+  );
+}
+function usersRoutes({ app, store }) {
+  const xs = getXStore(store);
+  app.get("/2/users/me", (c) => {
+    const token = resolveToken(store, c);
+    if (!token) return unauthorized(c);
+    if (token.app_only) {
+      return forbidden(c, "This endpoint requires a user-context OAuth 2.0 token; an app-only token has no user.");
+    }
+    if (!hasUserScope(token, "users.read")) {
+      return forbidden(c, "Your token is missing the users.read scope required by this endpoint.");
+    }
+    const user = token.user_id ? xs.users.findOneBy("user_id", token.user_id) : void 0;
+    if (!user) return unauthorized(c);
+    return c.json({ data: formatUser(user) });
+  });
+  app.get("/2/users/:id", (c) => {
+    const token = resolveToken(store, c);
+    if (!token) return unauthorized(c);
+    if (!token.app_only && !hasUserScope(token, "users.read")) {
+      return forbidden(c, "Your token is missing the users.read scope required by this endpoint.");
+    }
+    const user = xs.users.findOneBy("user_id", c.req.param("id"));
+    if (!user) return notFound(c, `Could not find user with id: [${c.req.param("id")}].`);
+    return c.json({ data: formatUser(user) });
+  });
+  app.get("/2/users/by/username/:username", (c) => {
+    const token = resolveToken(store, c);
+    if (!token) return unauthorized(c);
+    if (!token.app_only && !hasUserScope(token, "users.read")) {
+      return forbidden(c, "Your token is missing the users.read scope required by this endpoint.");
+    }
+    const username = c.req.param("username").toLowerCase();
+    const user = xs.users.findOneBy("username", username);
+    if (!user) return notFound(c, `Could not find user with username: [${c.req.param("username")}].`);
+    return c.json({ data: formatUser(user) });
+  });
+}
+function formatTweet(t) {
+  return {
+    id: t.tweet_id,
+    text: t.text,
+    author_id: t.author_id,
+    created_at: t.created_at_x,
+    conversation_id: t.conversation_id,
+    lang: t.lang,
+    possibly_sensitive: t.possibly_sensitive,
+    in_reply_to_user_id: t.in_reply_to_user_id,
+    edit_history_tweet_ids: [t.tweet_id],
+    public_metrics: {
+      retweet_count: t.retweet_count,
+      reply_count: t.reply_count,
+      like_count: t.like_count,
+      quote_count: t.quote_count,
+      impression_count: t.impression_count
+    }
+  };
+}
+function notFound2(c, detail) {
+  return c.json(
+    {
+      errors: [
+        {
+          title: "Not Found Error",
+          type: "https://api.twitter.com/2/problems/resource-not-found",
+          detail
+        }
+      ]
+    },
+    404
+  );
+}
+function tweetsRoutes({ app, store }) {
+  const xs = getXStore(store);
+  app.get("/2/tweets/:id", (c) => {
+    const token = resolveToken(store, c);
+    if (!token) return unauthorized(c);
+    if (!token.app_only && !hasUserScope(token, "tweet.read")) {
+      return forbidden(c, "Your token is missing the tweet.read scope required by this endpoint.");
+    }
+    const tweet = xs.tweets.findOneBy("tweet_id", c.req.param("id"));
+    if (!tweet) return notFound2(c, `Could not find tweet with id: [${c.req.param("id")}].`);
+    return c.json({ data: formatTweet(tweet) });
+  });
+  app.get("/2/tweets", (c) => {
+    const token = resolveToken(store, c);
+    if (!token) return unauthorized(c);
+    if (!token.app_only && !hasUserScope(token, "tweet.read")) {
+      return forbidden(c, "Your token is missing the tweet.read scope required by this endpoint.");
+    }
+    const idsParam = c.req.query("ids") ?? "";
+    const ids = idsParam.split(",").map((s) => s.trim()).filter(Boolean);
+    if (ids.length === 0) {
+      return c.json(
+        {
+          errors: [
+            {
+              parameters: { ids: [] },
+              message: "The `ids` query parameter is required and must be a comma-separated list of Tweet IDs."
+            }
+          ],
+          title: "Invalid Request",
+          detail: "One or more parameters to your request was invalid.",
+          type: "https://api.twitter.com/2/problems/invalid-request"
+        },
+        400
+      );
+    }
+    const data = [];
+    const errors = [];
+    for (const id of ids) {
+      const tweet = xs.tweets.findOneBy("tweet_id", id);
+      if (tweet) {
+        data.push(formatTweet(tweet));
+      } else {
+        errors.push({
+          value: id,
+          detail: `Could not find tweet with ids: [${id}].`,
+          title: "Not Found Error",
+          resource_type: "tweet",
+          parameter: "ids",
+          resource_id: id,
+          type: "https://api.twitter.com/2/problems/resource-not-found"
+        });
+      }
+    }
+    const out = { data };
+    if (errors.length > 0) out.errors = errors;
+    return c.json(out);
+  });
+  app.get("/2/users/:id/tweets", (c) => {
+    const token = resolveToken(store, c);
+    if (!token) return unauthorized(c);
+    if (!token.app_only && !hasUserScope(token, "tweet.read")) {
+      return forbidden(c, "Your token is missing the tweet.read scope required by this endpoint.");
+    }
+    const authorId = c.req.param("id");
+    const author = xs.users.findOneBy("user_id", authorId);
+    if (!author) return notFound2(c, `Could not find user with id: [${authorId}].`);
+    const tweets = xs.tweets.findBy("author_id", authorId).sort((a, b) => b.created_at_x.localeCompare(a.created_at_x));
+    return c.json({
+      data: tweets.map(formatTweet),
+      meta: {
+        result_count: tweets.length,
+        newest_id: tweets[0]?.tweet_id,
+        oldest_id: tweets[tweets.length - 1]?.tweet_id
+      }
+    });
+  });
+  app.post("/2/tweets", async (c) => {
+    const token = resolveToken(store, c);
+    if (!token) return unauthorized(c);
+    if (token.app_only) {
+      return forbidden(c, "Creating a Tweet requires a user-context OAuth 2.0 token; an app-only token cannot post.");
+    }
+    if (!hasUserScope(token, "tweet.write")) {
+      return forbidden(c, "Your token is missing the tweet.write scope required to create a Tweet.");
+    }
+    const author = token.user_id ? xs.users.findOneBy("user_id", token.user_id) : void 0;
+    if (!author) return unauthorized(c);
+    const body = await c.req.json().catch(() => ({}));
+    const text = typeof body.text === "string" ? body.text : "";
+    if (!text.trim()) {
+      return c.json(
+        {
+          errors: [{ message: "text or media is required", parameters: {} }],
+          title: "Invalid Request",
+          detail: "One or more parameters to your request was invalid.",
+          type: "https://api.twitter.com/2/problems/invalid-request"
+        },
+        400
+      );
+    }
+    const reply = body.reply;
+    const inReplyToTweetId = reply && typeof reply.in_reply_to_tweet_id === "string" ? reply.in_reply_to_tweet_id : null;
+    const parent = inReplyToTweetId ? xs.tweets.findOneBy("tweet_id", inReplyToTweetId) : void 0;
+    const tweetId = xNumericId();
+    const tweet = xs.tweets.insert({
+      tweet_id: tweetId,
+      author_id: author.user_id,
+      text,
+      reply_count: 0,
+      retweet_count: 0,
+      like_count: 0,
+      quote_count: 0,
+      impression_count: 0,
+      in_reply_to_user_id: parent ? parent.author_id : null,
+      conversation_id: parent ? parent.conversation_id : tweetId,
+      lang: "en",
+      possibly_sensitive: false,
+      created_at_x: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    xs.users.update(author.id, { tweet_count: author.tweet_count + 1 });
+    if (parent) xs.tweets.update(parent.id, { reply_count: parent.reply_count + 1 });
+    return c.json({ data: { id: tweet.tweet_id, text: tweet.text } }, 201);
+  });
+  app.delete("/2/tweets/:id", (c) => {
+    const token = resolveToken(store, c);
+    if (!token) return unauthorized(c);
+    if (token.app_only) {
+      return forbidden(c, "Deleting a Tweet requires a user-context OAuth 2.0 token; an app-only token cannot delete.");
+    }
+    if (!hasUserScope(token, "tweet.write")) {
+      return forbidden(c, "Your token is missing the tweet.write scope required to delete a Tweet.");
+    }
+    const tweet = xs.tweets.findOneBy("tweet_id", c.req.param("id"));
+    if (!tweet) return notFound2(c, `Could not find tweet with id: [${c.req.param("id")}].`);
+    if (token.user_id && tweet.author_id !== token.user_id) {
+      return forbidden(c, "You may only delete your own Tweets.");
+    }
+    xs.tweets.delete(tweet.id);
+    return c.json({ data: { deleted: true } });
+  });
+}
+function openapiRoutes({ app, baseUrl }) {
+  const handler = (c) => c.json(buildSpec(baseUrl));
+  app.get("/2/openapi.json", handler);
+  app.get("/openapi.json", handler);
+}
+var ok = (description) => ({
+  description,
+  content: { "application/json": { schema: { type: "object" } } }
+});
+function buildSpec(baseUrl) {
+  const userScopes = Object.fromEntries(X_SCOPES.map((s) => [s, `Scope: ${s}`]));
+  return {
+    openapi: "3.0.3",
+    info: {
+      title: "X API v2 (Emulated)",
+      version: "2.0.0",
+      description: "Emulated subset of the X (formerly Twitter) API v2. Supports app-only Bearer tokens (client_credentials), the OAuth 2.0 Authorization Code flow with PKCE (user context), and a documented-partial legacy OAuth 1.0a user context."
+    },
+    servers: [{ url: baseUrl }],
+    components: {
+      securitySchemes: {
+        // App-only Bearer token, minted via POST /2/oauth2/token grant_type=client_credentials.
+        BearerToken: {
+          type: "http",
+          scheme: "bearer",
+          description: "App-only Bearer token (OAuth 2.0 client_credentials). Minted with client_secret_basic (HTTP Basic) only; client_secret_post is not supported. Read-only public endpoints."
+        },
+        // OAuth 2.0 Authorization Code with PKCE (S256). User context.
+        OAuth2UserToken: {
+          type: "oauth2",
+          description: "OAuth 2.0 Authorization Code with PKCE (S256). User-context access and writes. Confidential clients authenticate with client_secret_basic (HTTP Basic) only; client_secret_post is not supported.",
+          flows: {
+            authorizationCode: {
+              authorizationUrl: `${baseUrl}/2/oauth2/authorize`,
+              tokenUrl: `${baseUrl}/2/oauth2/token`,
+              scopes: userScopes
+            }
+          }
+        },
+        // Legacy OAuth 1.0a user context — declared faithfully but NOT implemented.
+        UserToken: {
+          type: "http",
+          scheme: "OAuth",
+          description: "Legacy OAuth 1.0a user context. Declared for fidelity but emulated as a partial/unsupported surface; the emulator does not validate OAuth 1.0a signatures."
+        }
+      }
+    },
+    security: [{ BearerToken: [] }, { OAuth2UserToken: [...X_SCOPES] }],
+    paths: {
+      "/2/oauth2/token": {
+        post: {
+          operationId: "oauth2Token",
+          summary: "Token endpoint (authorization_code, refresh_token, client_credentials)",
+          responses: { "200": ok("Token response."), "400": ok("OAuth error."), "401": ok("invalid_client.") }
+        }
+      },
+      "/2/oauth2/revoke": {
+        post: { operationId: "oauth2Revoke", summary: "Revoke a token", responses: { "200": ok("Revoked.") } }
+      },
+      "/2/users/me": {
+        get: {
+          operationId: "findMyUser",
+          summary: "Get the authenticated user",
+          security: [{ OAuth2UserToken: ["users.read"] }],
+          responses: { "200": ok("User object."), "401": ok("Unauthorized."), "403": ok("Insufficient scope.") }
+        }
+      },
+      "/2/users/{id}": {
+        get: {
+          operationId: "findUserById",
+          summary: "Get a user by id",
+          parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+          security: [{ BearerToken: [] }, { OAuth2UserToken: ["users.read"] }],
+          responses: { "200": ok("User object."), "404": ok("Not found.") }
+        }
+      },
+      "/2/users/by/username/{username}": {
+        get: {
+          operationId: "findUserByUsername",
+          summary: "Get a user by username",
+          parameters: [{ name: "username", in: "path", required: true, schema: { type: "string" } }],
+          security: [{ BearerToken: [] }, { OAuth2UserToken: ["users.read"] }],
+          responses: { "200": ok("User object."), "404": ok("Not found.") }
+        }
+      },
+      "/2/users/{id}/tweets": {
+        get: {
+          operationId: "usersIdTweets",
+          summary: "Get a user's Tweets timeline",
+          parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+          security: [{ BearerToken: [] }, { OAuth2UserToken: ["tweet.read", "users.read"] }],
+          responses: { "200": ok("Tweet list."), "404": ok("Not found.") }
+        }
+      },
+      "/2/tweets/{id}": {
+        get: {
+          operationId: "findTweetById",
+          summary: "Get a Tweet by id",
+          parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+          security: [{ BearerToken: [] }, { OAuth2UserToken: ["tweet.read"] }],
+          responses: { "200": ok("Tweet object."), "404": ok("Not found.") }
+        },
+        delete: {
+          operationId: "deleteTweetById",
+          summary: "Delete a Tweet",
+          parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+          security: [{ OAuth2UserToken: ["tweet.write"] }],
+          responses: { "200": ok("Deletion result."), "403": ok("Insufficient scope.") }
+        }
+      },
+      "/2/tweets": {
+        get: {
+          operationId: "findTweetsById",
+          summary: "Get Tweets by ids",
+          parameters: [{ name: "ids", in: "query", required: true, schema: { type: "string" } }],
+          security: [{ BearerToken: [] }, { OAuth2UserToken: ["tweet.read"] }],
+          responses: { "200": ok("Tweet list."), "400": ok("Invalid request.") }
+        },
+        post: {
+          operationId: "createTweet",
+          summary: "Create a Tweet",
+          security: [{ OAuth2UserToken: ["tweet.write"] }],
+          requestBody: {
+            required: true,
+            content: {
+              "application/json": {
+                schema: { type: "object", required: ["text"], properties: { text: { type: "string" } } }
+              }
+            }
+          },
+          responses: { "201": ok("Created Tweet."), "403": ok("Insufficient scope.") }
+        }
+      }
+    }
+  };
+}
+var manifest = {
+  id: "x",
+  name: "X",
+  description: "Stateful X (formerly Twitter) API v2 emulator focused on faithful auth: app-only Bearer tokens, OAuth 2.0 Authorization Code with PKCE, and a documented-partial legacy OAuth 1.0a surface.",
+  docsUrl: "https://docs.emulators.dev/x",
+  surfaces: [
+    { id: "rest", kind: "rest", title: "X API v2 (REST)", status: "partial", basePath: "/2" },
+    {
+      id: "oauth2",
+      kind: "oauth",
+      title: "OAuth 2.0 Authorization Code (PKCE)",
+      status: "supported",
+      basePath: "/2/oauth2"
+    },
+    {
+      id: "app-only",
+      kind: "oauth",
+      title: "App-only Bearer token (client credentials)",
+      status: "supported",
+      basePath: "/2/oauth2/token"
+    },
+    {
+      id: "oauth1",
+      kind: "provider-specific",
+      title: "Legacy OAuth 1.0a user context",
+      status: "unsupported",
+      notes: "Declared for fidelity. Signature validation is not implemented."
+    }
+  ],
+  auth: [
+    {
+      id: "bearer-token",
+      title: "App-only Bearer token",
+      type: "bearer-token",
+      status: "supported",
+      notes: "Minted via POST /2/oauth2/token grant_type=client_credentials with HTTP Basic client auth."
+    },
+    {
+      id: "oauth2-user",
+      title: "OAuth 2.0 Authorization Code with PKCE",
+      type: "oauth-authorization-code",
+      status: "supported",
+      notes: "Confidential clients authenticate with client_secret_basic (HTTP Basic header) only; X does not support client_secret_post, so a secret in the request body is rejected. Public clients send client_id in the body and rely on PKCE (S256). offline.access yields a refresh token."
+    },
+    {
+      id: "oauth1-user",
+      title: "Legacy OAuth 1.0a user context",
+      type: "provider-specific",
+      status: "unsupported",
+      notes: "Accepted honestly as a partial surface; OAuth 1.0a request signing is not emulated."
+    }
+  ],
+  specs: [
+    {
+      kind: "openapi",
+      title: "X API v2 subset",
+      coverage: "hand-authored",
+      url: "/2/openapi.json",
+      operations: [
+        {
+          operationId: "oauth2Token",
+          method: "POST",
+          path: "/2/oauth2/token",
+          status: "hand-authored",
+          summary: "authorization_code (PKCE), refresh_token, and client_credentials grants."
+        },
+        { operationId: "oauth2Revoke", method: "POST", path: "/2/oauth2/revoke", status: "hand-authored" },
+        {
+          operationId: "findMyUser",
+          method: "GET",
+          path: "/2/users/me",
+          status: "hand-authored",
+          summary: "User-context token with users.read."
+        },
+        { operationId: "findUserById", method: "GET", path: "/2/users/:id", status: "hand-authored" },
+        {
+          operationId: "findUserByUsername",
+          method: "GET",
+          path: "/2/users/by/username/:username",
+          status: "hand-authored"
+        },
+        { operationId: "usersIdTweets", method: "GET", path: "/2/users/:id/tweets", status: "hand-authored" },
+        { operationId: "findTweetById", method: "GET", path: "/2/tweets/:id", status: "hand-authored" },
+        { operationId: "findTweetsById", method: "GET", path: "/2/tweets", status: "hand-authored" },
+        {
+          operationId: "createTweet",
+          method: "POST",
+          path: "/2/tweets",
+          status: "hand-authored",
+          summary: "User-context token with tweet.write."
+        },
+        { operationId: "deleteTweetById", method: "DELETE", path: "/2/tweets/:id", status: "hand-authored" },
+        {
+          operationId: "tweetsRecentSearch",
+          method: "GET",
+          path: "/2/tweets/search/recent",
+          status: "unsupported"
+        },
+        { operationId: "usersIdFollow", method: "POST", path: "/2/users/:id/following", status: "unsupported" },
+        { operationId: "usersIdLike", method: "POST", path: "/2/users/:id/likes", status: "unsupported" }
+      ]
+    },
+    {
+      kind: "oauth-metadata",
+      title: "OAuth 2.0 client-auth behavior (confidential clients use client_secret_basic only)",
+      coverage: "hand-authored"
+    }
+  ],
+  scenarios: [
+    {
+      id: "default",
+      title: "Single developer account",
+      description: "One verified user with a seeded confidential and public OAuth client."
+    }
+  ],
+  seedSchema: {
+    description: "Seed users, OAuth 2.0 clients (confidential or public), and Tweets.",
+    fields: [
+      {
+        key: "users",
+        title: "Users",
+        description: "X accounts addressable by username (@handle) and numeric id.",
+        example: [{ username: "developer", name: "Developer", verified: true }]
+      },
+      {
+        key: "oauth_clients",
+        title: "OAuth 2.0 clients",
+        description: "Confidential clients have a client_secret and use HTTP Basic auth; public clients omit it and use PKCE only.",
+        example: [
+          {
+            client_id: "x-confidential-client",
+            client_secret: "x-confidential-secret",
+            client_type: "confidential",
+            name: "My X App",
+            redirect_uris: ["http://localhost:3000/api/auth/callback/twitter"]
+          },
+          { client_id: "x-public-client", client_type: "public", name: "My X SPA" }
+        ]
+      },
+      {
+        key: "tweets",
+        title: "Tweets",
+        description: "Tweets authored by a seeded user (referenced by username or id).",
+        example: [{ text: "Hello from X.", author: "developer", like_count: 42 }]
+      }
+    ],
+    example: {
+      users: [{ username: "developer", name: "Developer", verified: true, followers_count: 1200 }],
+      oauth_clients: [
+        {
+          client_id: "x-confidential-client",
+          client_secret: "x-confidential-secret",
+          client_type: "confidential",
+          name: "My X App",
+          redirect_uris: ["http://localhost:3000/api/auth/callback/twitter"]
+        },
+        { client_id: "x-public-client", client_type: "public", name: "My X SPA" }
+      ],
+      tweets: [{ text: "Hello from the X API v2 emulator.", author: "developer", like_count: 42, retweet_count: 7 }]
+    }
+  },
+  stateModel: {
+    description: "Entities seeded and mutated by X provider calls.",
+    collections: [
+      { name: "x.users", title: "Users" },
+      { name: "x.tweets", title: "Tweets" },
+      { name: "x.oauth_clients", title: "OAuth 2.0 clients" },
+      { name: "x.auth_codes", title: "Authorization codes" },
+      { name: "x.access_tokens", title: "Access tokens" },
+      { name: "x.refresh_tokens", title: "Refresh tokens" }
+    ]
+  },
+  connections: [
+    {
+      id: "twitter-api-v2",
+      title: "twitter-api-v2 (TypeScript)",
+      kind: "sdk",
+      language: "typescript",
+      description: "Point the twitter-api-v2 SDK at the emulator for both app-only and user-context auth.",
+      template: 'import { TwitterApi } from "twitter-api-v2";\n\nconst base = "{{baseUrl}}";\n\n// App-only Bearer token (client_credentials).\nconst appClient = new TwitterApi("{{token}}", { baseUrl: base });\nconst user = await appClient.v2.userByUsername("developer");\n\n// OAuth 2.0 user-context client (Authorization Code with PKCE).\nconst oauthClient = new TwitterApi({ clientId: "{{clientId}}", clientSecret: "{{clientSecret}}" });\nconst { url, codeVerifier, state } = oauthClient.generateOAuth2AuthLink(\n  "http://localhost:3000/api/auth/callback/twitter",\n  { scope: ["tweet.read", "tweet.write", "users.read", "offline.access"] },\n);\n// Send the user to `url` (against `${base}/2/oauth2/authorize`), then exchange the code at `${base}/2/oauth2/token`.'
+    },
+    {
+      id: "x-env",
+      title: "X base URL and credentials (env)",
+      kind: "env",
+      language: "bash",
+      description: "Point your app at the emulator instead of api.x.com.",
+      template: "X_API_BASE_URL={{baseUrl}}\nX_CLIENT_ID={{clientId}}\nX_CLIENT_SECRET={{clientSecret}}\nX_BEARER_TOKEN={{token}}"
+    },
+    {
+      id: "curl-app-only",
+      title: "curl (app-only Bearer)",
+      kind: "curl",
+      language: "bash",
+      description: "Mint an app-only Bearer token (confidential client, HTTP Basic auth) and read a user.",
+      template: 'curl -s -X POST {{baseUrl}}/2/oauth2/token \\\n  -u "{{clientId}}:{{clientSecret}}" \\\n  -d grant_type=client_credentials\n\ncurl -s {{baseUrl}}/2/users/by/username/developer \\\n  -H "authorization: Bearer {{token}}"'
+    },
+    {
+      id: "curl-token-exchange",
+      title: "curl (authorization code + PKCE)",
+      kind: "curl",
+      language: "bash",
+      description: "Exchange an authorization code for a user-context token. Confidential clients use -u (Basic); public clients send client_id in the body with no secret.",
+      template: 'curl -s -X POST {{baseUrl}}/2/oauth2/token \\\n  -u "{{clientId}}:{{clientSecret}}" \\\n  -d grant_type=authorization_code \\\n  -d code=$CODE \\\n  -d redirect_uri=http://localhost:3000/api/auth/callback/twitter \\\n  -d code_verifier=$CODE_VERIFIER'
+    }
+  ]
+};
+function resolveAuthor(store, ref) {
+  const xs = getXStore(store);
+  const byId = xs.users.findOneBy("user_id", ref);
+  if (byId) return byId.user_id;
+  const byUsername = xs.users.findOneBy("username", ref.toLowerCase().replace(/^@/, ""));
+  return byUsername ? byUsername.user_id : null;
+}
+function seedFromConfig(store, baseUrl, config) {
+  const xs = getXStore(store);
+  for (const u of config.users ?? []) {
+    const username = u.username.toLowerCase().replace(/^@/, "");
+    if (xs.users.findOneBy("username", username)) continue;
+    const userId = u.user_id ?? xNumericId();
+    xs.users.insert({
+      user_id: userId,
+      username,
+      name: u.name ?? u.username,
+      description: u.description ?? "",
+      verified: u.verified ?? false,
+      protected: u.protected ?? false,
+      location: u.location ?? null,
+      url: u.url ?? null,
+      profile_image_url: u.profile_image_url ?? `${baseUrl}/profile_images/${username}.png`,
+      followers_count: u.followers_count ?? 0,
+      following_count: u.following_count ?? 0,
+      tweet_count: 0,
+      listed_count: u.listed_count ?? 0,
+      created_at_x: u.created_at ?? (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+  for (const cl of config.oauth_clients ?? []) {
+    if (xs.oauthClients.findOneBy("client_id", cl.client_id)) continue;
+    const clientType = cl.client_type ?? (cl.client_secret ? "confidential" : "public");
+    xs.oauthClients.insert({
+      client_id: cl.client_id,
+      client_secret: clientType === "confidential" ? cl.client_secret ?? null : null,
+      client_type: clientType,
+      name: cl.name ?? cl.client_id,
+      redirect_uris: cl.redirect_uris ?? ["http://localhost:3000/callback"]
+    });
+  }
+  for (const t of config.tweets ?? []) {
+    const authorId = resolveAuthor(store, t.author);
+    if (!authorId) continue;
+    const tweetId = t.tweet_id ?? xNumericId();
+    if (xs.tweets.findOneBy("tweet_id", tweetId)) continue;
+    xs.tweets.insert({
+      tweet_id: tweetId,
+      author_id: authorId,
+      text: t.text,
+      reply_count: t.reply_count ?? 0,
+      retweet_count: t.retweet_count ?? 0,
+      like_count: t.like_count ?? 0,
+      quote_count: t.quote_count ?? 0,
+      impression_count: t.impression_count ?? 0,
+      in_reply_to_user_id: null,
+      conversation_id: tweetId,
+      lang: t.lang ?? "en",
+      possibly_sensitive: false,
+      created_at_x: t.created_at ?? (/* @__PURE__ */ new Date()).toISOString()
+    });
+    const author = xs.users.findOneBy("user_id", authorId);
+    if (author) xs.users.update(author.id, { tweet_count: author.tweet_count + 1 });
+  }
+}
+var xPlugin = {
+  name: "x",
+  register(app, store, webhooks, baseUrl, tokenMap) {
+    const ctx = { app, store, webhooks, baseUrl, tokenMap };
+    oauthRoutes(ctx);
+    usersRoutes(ctx);
+    tweetsRoutes(ctx);
+    openapiRoutes(ctx);
+  },
+  seed(store, baseUrl) {
+    seedFromConfig(store, baseUrl, {
+      users: [
+        {
+          username: "developer",
+          name: "Developer",
+          description: "Building with the X API v2 emulator.",
+          verified: true,
+          followers_count: 1200,
+          following_count: 320
+        }
+      ],
+      oauth_clients: [
+        {
+          client_id: "x-confidential-client",
+          client_secret: "x-confidential-secret",
+          client_type: "confidential",
+          name: "My X App (confidential)",
+          redirect_uris: ["http://localhost:3000/api/auth/callback/twitter"]
+        },
+        {
+          client_id: "x-public-client",
+          client_type: "public",
+          name: "My X App (public)",
+          redirect_uris: ["http://localhost:3000/api/auth/callback/twitter"]
+        }
+      ],
+      tweets: [{ text: "Hello from the X API v2 emulator.", author: "developer", like_count: 42, retweet_count: 7 }]
+    });
+  }
+};
+var index_default = xPlugin;
+export {
+  index_default as default,
+  getXStore,
+  lookupAccessToken,
+  manifest,
+  seedFromConfig,
+  xPlugin
+};
+//# sourceMappingURL=dist-OYYGWKZQ.js.map