@executor-js/emulate 0.6.0

package/dist/dist-ZEC77OKZ.js

@@ -0,0 +1,913 @@
+import {
+  SignJWT,
+  exportJWK,
+  generateKeyPair
+} from "./chunk-D6EKRYGP.js";
+
+// ../@emulators/apple/dist/index.js
+import { randomBytes } from "crypto";
+import { randomBytes as randomBytes2 } from "crypto";
+function getAppleStore(store) {
+  return {
+    users: store.collection("apple.users", ["uid", "email"]),
+    oauthClients: store.collection("apple.oauth_clients", ["client_id"])
+  };
+}
+function generateAppleUid() {
+  const prefix = randomBytes(3).toString("hex").toUpperCase();
+  const middle = randomBytes(16).toString("hex");
+  const suffix = randomBytes(2).toString("hex").toUpperCase();
+  return `${prefix}.${middle}.${suffix}`;
+}
+function generatePrivateRelayEmail() {
+  const id = randomBytes(12).toString("hex");
+  return `${id}@privaterelay.appleid.com`;
+}
+function createErrorHandler(documentationUrl) {
+  return async (c, next) => {
+    if (documentationUrl) {
+      c.set("docsUrl", documentationUrl);
+    }
+    await next();
+  };
+}
+var errorHandler = createErrorHandler();
+var isDebug = typeof process !== "undefined" && (process.env.DEBUG === "1" || process.env.DEBUG === "true" || process.env.EMULATE_DEBUG === "1");
+function debug(label, ...args) {
+  if (isDebug) {
+    console.log(`[${label}]`, ...args);
+  }
+}
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function escapeAttr(s) {
+  return escapeHtml(s).replace(/'/g, "&#39;");
+}
+var CSS = `
+@font-face{
+  font-family:'Geist';font-style:normal;font-weight:100 900;font-display:swap;
+  src:url('/_emulate/fonts/geist-sans.woff2') format('woff2');
+}
+@font-face{
+  font-family:'Geist Pixel';font-style:normal;font-weight:400;font-display:swap;
+  src:url('/_emulate/fonts/GeistPixel-Square.woff2') format('woff2');
+}
+*{box-sizing:border-box;margin:0;padding:0}
+body{
+  font-family:'Geist',-apple-system,BlinkMacSystemFont,sans-serif;
+  background:#000;color:#33ff00;min-height:100vh;
+  -webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;
+}
+.emu-bar{
+  border-bottom:1px solid #0a3300;padding:10px 20px;
+  display:flex;align-items:center;gap:10px;font-size:.8125rem;color:#1a8c00;
+}
+.emu-bar-title{font-weight:600;color:#33ff00;font-family:'Geist Pixel',monospace;}
+.emu-bar-links{margin-left:auto;display:flex;gap:16px;}
+.emu-bar-links a{
+  color:#1a8c00;font-size:.75rem;text-decoration:none;transition:color .15s;
+}
+.emu-bar-links a:hover{color:#33ff00;}
+.emu-bar-links a .full{display:inline;}
+.emu-bar-links a .short{display:none;}
+@media(max-width:600px){
+  .emu-bar-links a .full{display:none;}
+  .emu-bar-links a .short{display:inline;}
+}
+
+.content{
+  display:flex;align-items:center;justify-content:center;
+  min-height:calc(100vh - 42px);padding:24px 16px;
+}
+.content-inner{width:100%;max-width:420px;}
+.card-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.125rem;font-weight:600;margin-bottom:4px;color:#33ff00;
+}
+.card-subtitle{color:#1a8c00;font-size:.8125rem;margin-bottom:18px;line-height:1.45;}
+.powered-by{
+  position:fixed;bottom:0;left:0;right:0;
+  text-align:center;padding:12px;font-size:.6875rem;color:#0a3300;
+  font-family:'Geist Pixel',monospace;
+}
+.powered-by a{color:#1a8c00;text-decoration:none;transition:color .15s;}
+.powered-by a:hover{color:#33ff00;}
+
+.error-title{
+  font-family:'Geist Pixel',monospace;
+  color:#ff4444;font-size:1.125rem;font-weight:600;margin-bottom:8px;
+}
+.error-msg{color:#1a8c00;font-size:.875rem;line-height:1.5;}
+.error-card{text-align:center;}
+
+.user-form{margin-bottom:8px;}
+.user-form:last-of-type{margin-bottom:0;}
+.user-btn{
+  width:100%;display:flex;align-items:center;gap:12px;
+  padding:10px 12px;border:1px solid #0a3300;border-radius:8px;
+  background:#000;color:inherit;cursor:pointer;text-align:left;
+  font:inherit;transition:border-color .15s;
+}
+.user-btn:hover{border-color:#33ff00;}
+.avatar{
+  width:36px;height:36px;border-radius:50%;
+  background:#0a3300;color:#33ff00;font-weight:600;font-size:.875rem;
+  display:flex;align-items:center;justify-content:center;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.user-text{min-width:0;}
+.user-login{font-weight:600;font-size:.875rem;display:block;color:#33ff00;}
+.user-meta{color:#1a8c00;font-size:.75rem;margin-top:1px;}
+.user-email{font-size:.6875rem;color:#116600;word-break:break-all;margin-top:1px;}
+
+.settings-layout{
+  max-width:920px;margin:0 auto;padding:28px 20px;
+  display:flex;gap:28px;
+}
+.settings-sidebar{width:200px;flex-shrink:0;}
+.settings-sidebar a{
+  display:block;padding:6px 10px;border-radius:6px;color:#1a8c00;
+  text-decoration:none;font-size:.8125rem;transition:color .15s;
+}
+.settings-sidebar a:hover{color:#33ff00;}
+.settings-sidebar a.active{color:#33ff00;font-weight:600;}
+.settings-main{flex:1;min-width:0;}
+
+.s-card{
+  padding:18px 0;margin-bottom:14px;border-bottom:1px solid #0a3300;
+}
+.s-card:last-child{border-bottom:none;}
+.s-card-header{display:flex;align-items:center;gap:14px;margin-bottom:14px;}
+.s-icon{
+  width:42px;height:42px;border-radius:8px;
+  background:#0a3300;display:flex;align-items:center;justify-content:center;
+  font-size:1.125rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.s-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.25rem;font-weight:600;color:#33ff00;
+}
+.s-subtitle{font-size:.75rem;color:#1a8c00;margin-top:2px;}
+.section-heading{
+  font-size:.9375rem;font-weight:600;margin-bottom:10px;color:#33ff00;
+  display:flex;align-items:center;justify-content:space-between;
+}
+.perm-list{list-style:none;}
+.perm-list li{padding:5px 0;font-size:.8125rem;display:flex;align-items:center;gap:6px;color:#1a8c00;}
+.check{color:#33ff00;}
+.org-row{
+  display:flex;align-items:center;gap:8px;padding:7px 0;
+  border-bottom:1px solid #0a3300;font-size:.8125rem;
+}
+.org-row:last-child{border-bottom:none;}
+.org-icon{
+  width:22px;height:22px;border-radius:4px;background:#0a3300;
+  display:flex;align-items:center;justify-content:center;
+  font-size:.625rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.org-name{font-weight:600;color:#33ff00;}
+.badge{font-size:.6875rem;padding:1px 7px;border-radius:999px;font-weight:500;}
+.badge-granted{background:#0a3300;color:#33ff00;}
+.badge-denied{background:#1a0a0a;color:#ff4444;}
+.badge-requested{background:#0a3300;color:#1a8c00;}
+.btn-revoke{
+  display:inline-block;padding:5px 14px;border-radius:6px;
+  border:1px solid #0a3300;background:transparent;color:#ff4444;
+  font-size:.75rem;font-weight:600;cursor:pointer;transition:border-color .15s;
+}
+.btn-revoke:hover{border-color:#ff4444;}
+.info-text{color:#1a8c00;font-size:.75rem;line-height:1.5;margin-top:10px;}
+.info-text a,.section-heading a{color:#1a8c00;text-decoration:none;transition:color .15s;}
+.info-text a:hover,.section-heading a:hover{color:#33ff00;}
+code{font-family:'Geist Mono','SF Mono',ui-monospace,monospace;font-size:.8125rem;color:#33ff00;word-break:break-all;}
+.code-block{
+  background:#020;border:1px solid #0a3300;border-radius:6px;padding:10px 12px;
+  margin:8px 0 12px;overflow-x:auto;
+}
+.code-block code{white-space:pre;word-break:normal;display:block;line-height:1.5;}
+.app-link{
+  display:flex;align-items:center;gap:12px;padding:12px;
+  border:1px solid #0a3300;border-radius:8px;background:#000;
+  text-decoration:none;color:inherit;margin-bottom:8px;transition:border-color .15s;
+}
+.app-link:hover{border-color:#33ff00;}
+.app-link-name{font-weight:600;font-size:.875rem;color:#33ff00;}
+.app-link-scopes{font-size:.6875rem;color:#1a8c00;margin-top:1px;}
+.empty{color:#1a8c00;text-align:center;padding:28px 0;font-size:.875rem;}
+
+.inspector-layout{max-width:960px;margin:0 auto;padding:28px 20px;}
+.inspector-tabs{display:flex;gap:4px;margin-bottom:20px;}
+.inspector-tabs a{
+  padding:7px 16px;border-radius:6px;text-decoration:none;
+  font-size:.8125rem;color:#1a8c00;border:1px solid transparent;
+  transition:color .15s,border-color .15s;
+}
+.inspector-tabs a:hover{color:#33ff00;}
+.inspector-tabs a.active{color:#33ff00;font-weight:600;border-color:#0a3300;background:#0a3300;}
+.inspector-section{margin-bottom:24px;}
+.inspector-section h2{
+  font-family:'Geist Pixel',monospace;
+  font-size:1rem;font-weight:600;color:#33ff00;margin-bottom:10px;
+}
+.inspector-section h3{
+  font-family:'Geist Pixel',monospace;
+  font-size:.875rem;font-weight:600;color:#1a8c00;margin:16px 0 8px;
+}
+.inspector-table{width:100%;border-collapse:collapse;margin-bottom:12px;}
+.inspector-table th,.inspector-table td{
+  text-align:left;padding:8px 12px;border-bottom:1px solid #0a3300;
+  font-size:.8125rem;
+}
+.inspector-table th{color:#1a8c00;font-weight:600;font-size:.75rem;text-transform:uppercase;letter-spacing:.04em;}
+.inspector-table td{color:#33ff00;}
+.inspector-table tbody tr{transition:background .1s;}
+.inspector-table tbody tr:hover{background:#0a3300;}
+.inspector-empty{color:#1a8c00;text-align:center;padding:20px 0;font-size:.8125rem;}
+
+.checkout-layout{
+  display:flex;min-height:calc(100vh - 42px);
+}
+.checkout-summary{
+  flex:1;background:#020;padding:48px 40px 48px 10%;
+  display:flex;flex-direction:column;justify-content:center;
+  border-right:1px solid #0a3300;
+}
+.checkout-form-side{
+  flex:1;background:#000;padding:48px 10% 48px 40px;
+  display:flex;flex-direction:column;justify-content:center;
+}
+.checkout-merchant{
+  display:flex;align-items:center;gap:10px;margin-bottom:6px;
+}
+.checkout-merchant-name{
+  font-family:'Geist Pixel',monospace;
+  font-size:.9375rem;font-weight:600;color:#33ff00;
+}
+.checkout-test-badge{
+  font-size:.625rem;font-weight:700;letter-spacing:.04em;text-transform:uppercase;
+  background:#0a3300;color:#1a8c00;padding:2px 8px;border-radius:4px;
+}
+.checkout-total{
+  font-family:'Geist Pixel',monospace;
+  font-size:2rem;font-weight:700;color:#33ff00;margin:8px 0 28px;
+}
+.checkout-line-item{
+  display:flex;align-items:center;gap:14px;padding:14px 0;
+  border-bottom:1px solid #0a3300;
+}
+.checkout-line-item:first-child{border-top:1px solid #0a3300;}
+.checkout-item-icon{
+  width:42px;height:42px;border-radius:6px;background:#0a3300;
+  display:flex;align-items:center;justify-content:center;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;font-size:.875rem;font-weight:700;color:#116600;
+}
+.checkout-item-details{flex:1;min-width:0;}
+.checkout-item-name{font-size:.875rem;font-weight:600;color:#33ff00;}
+.checkout-item-qty{font-size:.75rem;color:#1a8c00;margin-top:2px;}
+.checkout-item-price{
+  font-size:.875rem;font-weight:600;color:#33ff00;text-align:right;white-space:nowrap;
+}
+.checkout-item-unit{font-size:.6875rem;color:#1a8c00;text-align:right;margin-top:2px;}
+.checkout-totals{margin-top:20px;}
+.checkout-totals-row{
+  display:flex;justify-content:space-between;padding:6px 0;
+  font-size:.8125rem;color:#1a8c00;
+}
+.checkout-totals-row.total{
+  border-top:1px solid #0a3300;margin-top:8px;padding-top:14px;
+  font-size:.9375rem;font-weight:600;color:#33ff00;
+}
+.checkout-form-section{margin-bottom:24px;}
+.checkout-form-label{
+  font-size:.8125rem;font-weight:600;color:#33ff00;margin-bottom:8px;display:block;
+}
+.checkout-input{
+  width:100%;padding:10px 12px;border:1px solid #0a3300;border-radius:6px;
+  background:#020;color:#33ff00;font:inherit;font-size:.875rem;
+  transition:border-color .15s;outline:none;
+}
+.checkout-input:focus{border-color:#33ff00;}
+.checkout-input::placeholder{color:#116600;}
+.checkout-card-box{
+  border:1px solid #0a3300;border-radius:6px;padding:14px;
+  background:#020;
+}
+.checkout-card-row{
+  display:flex;gap:12px;margin-top:10px;
+}
+.checkout-card-row .checkout-input{flex:1;}
+.checkout-sim-note{
+  font-size:.6875rem;color:#1a8c00;margin-top:10px;text-align:center;
+  font-style:italic;
+}
+.checkout-pay-btn{
+  width:100%;padding:14px;border:none;border-radius:8px;
+  background:#33ff00;color:#000;font:inherit;font-size:.9375rem;font-weight:700;
+  cursor:pointer;transition:background .15s;
+  font-family:'Geist Pixel',monospace;
+}
+.checkout-pay-btn:hover{background:#44ff22;}
+.checkout-cancel{
+  text-align:center;margin-top:14px;
+}
+.checkout-cancel a{
+  color:#1a8c00;text-decoration:none;font-size:.8125rem;
+  transition:color .15s;
+}
+.checkout-cancel a:hover{color:#33ff00;}
+@media(max-width:768px){
+  .checkout-layout{flex-direction:column;}
+  .checkout-summary{padding:32px 20px;border-right:none;border-bottom:1px solid #0a3300;}
+  .checkout-form-side{padding:32px 20px;}
+}
+`;
+var POWERED_BY = `<div class="powered-by">Powered by <a href="https://emulate.dev" target="_blank" rel="noopener">emulate</a></div>`;
+function emuBar(service) {
+  const title = service ? `${escapeHtml(service)} Emulator` : "Emulator";
+  return `<div class="emu-bar">
+  <span class="emu-bar-title">${title}</span>
+  <nav class="emu-bar-links">
+    <a href="https://github.com/vercel-labs/emulate/issues" target="_blank" rel="noopener"><span class="full">Report Issue</span><span class="short">Report</span></a>
+    <a href="https://github.com/vercel-labs/emulate" target="_blank" rel="noopener"><span class="full">Source Code</span><span class="short">Source</span></a>
+    <a href="https://emulate.dev" target="_blank" rel="noopener"><span class="full">Learn More</span><span class="short">Learn</span></a>
+  </nav>
+</div>`;
+}
+function head(title) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta name="viewport" content="width=device-width,initial-scale=1"/>
+<link rel="icon" href="/_emulate/favicon.ico"/>
+<title>${escapeHtml(title)} | emulate</title>
+<style>${CSS}</style>
+</head>`;
+}
+function renderCardPage(title, subtitle, body, service) {
+  return `${head(title)}
+<body>
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner">
+    <div class="card-title">${escapeHtml(title)}</div>
+    <div class="card-subtitle">${subtitle}</div>
+    ${body}
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
+function renderErrorPage(title, message, service) {
+  return `${head(title)}
+<body>
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner error-card">
+    <div class="error-title">${escapeHtml(title)}</div>
+    <div class="error-msg">${escapeHtml(message)}</div>
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
+function renderFormPostPage(action, fields, service) {
+  const hiddens = Object.entries(fields).filter(([, v]) => v != null).map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}"/>`).join("\n");
+  return `${head("Redirecting")}
+<body onload="document.forms[0].submit()">
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner" style="text-align:center">
+    <div class="card-subtitle">Redirecting&hellip;</div>
+    <form method="POST" action="${escapeAttr(action)}">
+${hiddens}
+    <noscript><button type="submit" class="user-btn" style="margin-top:12px;justify-content:center">
+      <span class="user-login">Continue</span>
+    </button></noscript>
+    </form>
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
+function renderUserButton(opts) {
+  const hiddens = Object.entries(opts.hiddenFields).map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}"/>`).join("");
+  const nameLine = opts.name ? `<div class="user-meta">${escapeHtml(opts.name)}</div>` : "";
+  const emailLine = opts.email ? `<div class="user-email">${escapeHtml(opts.email)}</div>` : "";
+  return `<form class="user-form" method="post" action="${escapeAttr(opts.formAction)}">
+${hiddens}
+<button type="submit" class="user-btn">
+  <span class="avatar">${escapeHtml(opts.letter)}</span>
+  <span class="user-text">
+    <span class="user-login">${escapeHtml(opts.login)}</span>
+    ${nameLine}${emailLine}
+  </span>
+</button>
+</form>`;
+}
+function normalizeUri(uri) {
+  try {
+    const u = new URL(uri);
+    return `${u.origin}${u.pathname.replace(/\/+$/, "")}`;
+  } catch {
+    return uri.replace(/\/+$/, "").split("?")[0];
+  }
+}
+function matchesRedirectUri(incoming, registered) {
+  const normalized = normalizeUri(incoming);
+  return registered.some((r) => normalizeUri(r) === normalized);
+}
+function bodyStr(v) {
+  if (typeof v === "string") return v;
+  if (Array.isArray(v) && typeof v[0] === "string") return v[0];
+  return "";
+}
+var keyPairPromise = generateKeyPair("RS256");
+var KID = "emulate-apple-1";
+var PENDING_CODE_TTL_MS = 5 * 60 * 1e3;
+function getPendingCodes(store) {
+  let map = store.getData("apple.oauth.pendingCodes");
+  if (!map) {
+    map = /* @__PURE__ */ new Map();
+    store.setData("apple.oauth.pendingCodes", map);
+  }
+  return map;
+}
+function getRefreshTokens(store) {
+  let map = store.getData("apple.oauth.refreshTokens");
+  if (!map) {
+    map = /* @__PURE__ */ new Map();
+    store.setData("apple.oauth.refreshTokens", map);
+  }
+  return map;
+}
+function getFirstAuthTracker(store) {
+  let set = store.getData("apple.oauth.firstAuthTracker");
+  if (!set) {
+    set = /* @__PURE__ */ new Set();
+    store.setData("apple.oauth.firstAuthTracker", set);
+  }
+  return set;
+}
+function isPendingCodeExpired(p) {
+  return Date.now() - p.created_at > PENDING_CODE_TTL_MS;
+}
+var SERVICE_LABEL = "Apple";
+async function createIdToken(user, clientId, nonce, baseUrl) {
+  const { privateKey } = await keyPairPromise;
+  const email = user.is_private_email && user.private_relay_email ? user.private_relay_email : user.email;
+  const now = Math.floor(Date.now() / 1e3);
+  const builder = new SignJWT({
+    sub: user.uid,
+    email,
+    email_verified: String(user.email_verified),
+    is_private_email: String(user.is_private_email),
+    real_user_status: user.real_user_status,
+    nonce_supported: true,
+    auth_time: now,
+    ...nonce ? { nonce } : {}
+  }).setProtectedHeader({ alg: "RS256", kid: KID, typ: "JWT" }).setIssuer(baseUrl).setAudience(clientId).setIssuedAt(now).setExpirationTime("1h");
+  return builder.sign(privateKey);
+}
+function oauthRoutes({ app, store, baseUrl, tokenMap }) {
+  const as = getAppleStore(store);
+  app.get("/.well-known/openid-configuration", (c) => {
+    return c.json({
+      issuer: baseUrl,
+      authorization_endpoint: `${baseUrl}/auth/authorize`,
+      token_endpoint: `${baseUrl}/auth/token`,
+      revocation_endpoint: `${baseUrl}/auth/revoke`,
+      jwks_uri: `${baseUrl}/auth/keys`,
+      response_types_supported: ["code"],
+      response_modes_supported: ["query", "fragment", "form_post"],
+      subject_types_supported: ["pairwise"],
+      id_token_signing_alg_values_supported: ["RS256"],
+      scopes_supported: ["openid", "email", "name"],
+      token_endpoint_auth_methods_supported: ["client_secret_post"],
+      claims_supported: [
+        "aud",
+        "email",
+        "email_verified",
+        "exp",
+        "iat",
+        "is_private_email",
+        "iss",
+        "nonce",
+        "nonce_supported",
+        "real_user_status",
+        "sub",
+        "transfer_sub"
+      ]
+    });
+  });
+  app.get("/auth/keys", async (c) => {
+    const { publicKey } = await keyPairPromise;
+    const jwk = await exportJWK(publicKey);
+    return c.json({
+      keys: [
+        {
+          ...jwk,
+          kid: KID,
+          use: "sig",
+          alg: "RS256"
+        }
+      ]
+    });
+  });
+  app.get("/auth/authorize", (c) => {
+    const client_id = c.req.query("client_id") ?? "";
+    const redirect_uri = c.req.query("redirect_uri") ?? "";
+    const scope = c.req.query("scope") ?? "";
+    const state = c.req.query("state") ?? "";
+    const nonce = c.req.query("nonce") ?? "";
+    const response_mode = c.req.query("response_mode") ?? "query";
+    const clientsConfigured = as.oauthClients.all().length > 0;
+    let clientName = "";
+    if (clientsConfigured) {
+      const client = as.oauthClients.findOneBy("client_id", client_id);
+      if (!client) {
+        return c.html(
+          renderErrorPage("Application not found", `The client_id '${client_id}' is not registered.`, SERVICE_LABEL),
+          400
+        );
+      }
+      if (redirect_uri && !matchesRedirectUri(redirect_uri, client.redirect_uris)) {
+        return c.html(
+          renderErrorPage(
+            "Redirect URI mismatch",
+            "The redirect_uri is not registered for this application.",
+            SERVICE_LABEL
+          ),
+          400
+        );
+      }
+      clientName = client.name;
+    }
+    const subtitleText = clientName ? `Sign in to <strong>${escapeHtml(clientName)}</strong> with your Apple ID.` : "Choose a seeded user to continue.";
+    const users = as.users.all();
+    const userButtons = users.map((user) => {
+      return renderUserButton({
+        letter: (user.email[0] ?? "?").toUpperCase(),
+        login: user.email,
+        name: user.name,
+        email: user.email,
+        formAction: "/auth/authorize/callback",
+        hiddenFields: {
+          email: user.email,
+          redirect_uri,
+          scope,
+          state,
+          nonce,
+          client_id,
+          response_mode
+        }
+      });
+    }).join("\n");
+    const body = users.length === 0 ? '<p class="empty">No users in the emulator store.</p>' : userButtons;
+    return c.html(renderCardPage("Sign in with Apple", subtitleText, body, SERVICE_LABEL));
+  });
+  app.post("/auth/authorize/callback", async (c) => {
+    const body = await c.req.parseBody();
+    const email = bodyStr(body.email);
+    const redirect_uri = bodyStr(body.redirect_uri);
+    const scope = bodyStr(body.scope);
+    const state = bodyStr(body.state);
+    const client_id = bodyStr(body.client_id);
+    const nonce = bodyStr(body.nonce);
+    const response_mode = bodyStr(body.response_mode) || "query";
+    const code = randomBytes2(20).toString("hex");
+    getPendingCodes(store).set(code, {
+      email,
+      scope,
+      redirectUri: redirect_uri,
+      clientId: client_id,
+      nonce: nonce || null,
+      responseMode: response_mode,
+      created_at: Date.now()
+    });
+    debug("apple.oauth", `[Apple callback] code=${code.slice(0, 8)}... email=${email}`);
+    const tracker = getFirstAuthTracker(store);
+    const pairKey = `${email}:${client_id}`;
+    const isFirstAuth = !tracker.has(pairKey);
+    if (isFirstAuth) {
+      tracker.add(pairKey);
+    }
+    let userJson;
+    if (isFirstAuth) {
+      const user = as.users.findOneBy("email", email);
+      if (user) {
+        userJson = JSON.stringify({
+          name: { firstName: user.given_name, lastName: user.family_name },
+          email: user.email
+        });
+      }
+    }
+    if (response_mode === "form_post") {
+      const fields = { code, state };
+      if (userJson) fields.user = userJson;
+      return c.html(renderFormPostPage(redirect_uri, fields, SERVICE_LABEL));
+    }
+    const url = new URL(redirect_uri);
+    url.searchParams.set("code", code);
+    if (state) url.searchParams.set("state", state);
+    if (userJson) url.searchParams.set("user", userJson);
+    return c.redirect(url.toString(), 302);
+  });
+  app.post("/auth/token", async (c) => {
+    const rawText = await c.req.text();
+    const body = Object.fromEntries(new URLSearchParams(rawText));
+    const grant_type = body.grant_type ?? "";
+    const code = body.code ?? "";
+    const client_id = body.client_id ?? "";
+    const refresh_token = body.refresh_token ?? "";
+    if (grant_type === "authorization_code") {
+      const pendingMap = getPendingCodes(store);
+      const pending = pendingMap.get(code);
+      if (!pending) {
+        return c.json({ error: "invalid_grant", error_description: "The code is incorrect or expired." }, 400);
+      }
+      if (isPendingCodeExpired(pending)) {
+        pendingMap.delete(code);
+        return c.json({ error: "invalid_grant", error_description: "The code is incorrect or expired." }, 400);
+      }
+      pendingMap.delete(code);
+      const user = as.users.findOneBy("email", pending.email);
+      if (!user) {
+        return c.json({ error: "invalid_grant", error_description: "User not found." }, 400);
+      }
+      const accessToken = "apple_" + randomBytes2(20).toString("base64url");
+      const refreshToken = "r_apple_" + randomBytes2(20).toString("base64url");
+      const scopes = pending.scope ? pending.scope.split(/\s+/).filter(Boolean) : [];
+      if (tokenMap) {
+        tokenMap.set(accessToken, { login: user.email, id: user.id, scopes });
+      }
+      getRefreshTokens(store).set(refreshToken, {
+        email: user.email,
+        clientId: pending.clientId,
+        scope: pending.scope,
+        nonce: pending.nonce
+      });
+      const idToken = await createIdToken(user, pending.clientId, pending.nonce, baseUrl);
+      debug("apple.oauth", `[Apple token] issued token for ${user.email}`);
+      return c.json({
+        access_token: accessToken,
+        token_type: "Bearer",
+        expires_in: 3600,
+        refresh_token: refreshToken,
+        id_token: idToken
+      });
+    }
+    if (grant_type === "refresh_token") {
+      const refreshMap = getRefreshTokens(store);
+      const stored = refreshMap.get(refresh_token);
+      if (!stored) {
+        return c.json({ error: "invalid_grant", error_description: "The refresh_token is invalid." }, 400);
+      }
+      const user = as.users.findOneBy("email", stored.email);
+      if (!user) {
+        return c.json({ error: "invalid_grant", error_description: "User not found." }, 400);
+      }
+      const accessToken = "apple_" + randomBytes2(20).toString("base64url");
+      const scopes = stored.scope ? stored.scope.split(/\s+/).filter(Boolean) : [];
+      if (tokenMap) {
+        tokenMap.set(accessToken, { login: user.email, id: user.id, scopes });
+      }
+      const idToken = await createIdToken(user, stored.clientId || client_id, stored.nonce, baseUrl);
+      debug("apple.oauth", `[Apple refresh] issued new token for ${user.email}`);
+      return c.json({
+        access_token: accessToken,
+        token_type: "Bearer",
+        expires_in: 3600,
+        id_token: idToken
+      });
+    }
+    return c.json(
+      {
+        error: "unsupported_grant_type",
+        error_description: "Only authorization_code and refresh_token are supported."
+      },
+      400
+    );
+  });
+  app.post("/auth/revoke", async (c) => {
+    const rawText = await c.req.text();
+    const params = new URLSearchParams(rawText);
+    const token = params.get("token") ?? "";
+    if (token && tokenMap) {
+      tokenMap.delete(token);
+    }
+    if (token) {
+      getRefreshTokens(store).delete(token);
+    }
+    return c.body(null, 200);
+  });
+}
+var manifest = {
+  id: "apple",
+  name: "Apple Sign In / OAuth",
+  description: "Stateful Sign in with Apple emulator for OAuth authorization code and OpenID Connect flows.",
+  docsUrl: "https://docs.emulators.dev/apple",
+  surfaces: [
+    { id: "oauth", kind: "oauth", title: "Sign in with Apple", status: "supported", basePath: "/auth" },
+    { id: "oidc", kind: "oidc", title: "OpenID Connect", status: "supported", basePath: "/.well-known" }
+  ],
+  auth: [
+    { id: "oauth-code", title: "OAuth authorization code", type: "oauth-authorization-code", status: "supported" },
+    { id: "oidc", title: "OIDC identity tokens", type: "oidc", status: "supported" }
+  ],
+  specs: [
+    {
+      kind: "oauth-metadata",
+      title: "Apple OIDC metadata",
+      coverage: "hand-authored",
+      operations: [
+        {
+          operationId: "openid-configuration",
+          method: "GET",
+          path: "/.well-known/openid-configuration",
+          status: "hand-authored",
+          summary: "OIDC discovery document."
+        },
+        {
+          operationId: "jwks",
+          method: "GET",
+          path: "/auth/keys",
+          status: "hand-authored",
+          summary: "JWKS signing keys."
+        },
+        {
+          operationId: "authorize",
+          method: "GET",
+          path: "/auth/authorize",
+          status: "hand-authored",
+          summary: "Sign in with Apple authorization page."
+        },
+        {
+          operationId: "authorize-callback",
+          method: "POST",
+          path: "/auth/authorize/callback",
+          status: "hand-authored",
+          summary: "Issues an authorization code after user selection."
+        },
+        {
+          operationId: "token",
+          method: "POST",
+          path: "/auth/token",
+          status: "hand-authored",
+          summary: "Exchanges authorization codes and refresh tokens for access and id tokens."
+        },
+        {
+          operationId: "revoke",
+          method: "POST",
+          path: "/auth/revoke",
+          status: "hand-authored",
+          summary: "Revokes an access or refresh token."
+        }
+      ]
+    }
+  ],
+  seedSchema: {
+    description: "Seed Apple ID users and registered Sign in with Apple service clients.",
+    fields: [
+      {
+        key: "users",
+        title: "Users",
+        description: "Apple ID accounts addressable by email, optionally using private relay.",
+        example: [{ email: "testuser@icloud.com", name: "Test User", is_private_email: false }]
+      },
+      {
+        key: "oauth_clients",
+        title: "OAuth clients",
+        description: "Registered service IDs with team id and redirect URIs.",
+        example: [
+          {
+            client_id: "com.example.app",
+            team_id: "TEAM001",
+            name: "My Apple App",
+            redirect_uris: ["http://localhost:3000/api/auth/callback/apple"]
+          }
+        ]
+      }
+    ],
+    example: {
+      users: [{ email: "testuser@icloud.com", name: "Test User", is_private_email: false }],
+      oauth_clients: [
+        {
+          client_id: "com.example.app",
+          team_id: "TEAM001",
+          name: "My Apple App",
+          redirect_uris: ["http://localhost:3000/api/auth/callback/apple"]
+        }
+      ]
+    }
+  },
+  stateModel: {
+    description: "Entities mutated by Apple Sign in with Apple flows.",
+    collections: [{ name: "apple.users" }, { name: "apple.oauth_clients" }]
+  },
+  connections: [
+    {
+      id: "openid-client",
+      title: "openid-client (TypeScript)",
+      kind: "sdk",
+      language: "typescript",
+      description: "Discover the emulator issuer and run the authorization code flow.",
+      template: 'import * as client from "openid-client";\n\nconst config = await client.discovery(\n  new URL("{{baseUrl}}"),\n  "{{clientId}}",\n  "{{clientSecret}}",\n);'
+    },
+    {
+      id: "apple-env",
+      title: "Sign in with Apple (env)",
+      kind: "env",
+      language: "bash",
+      description: "Point your auth library at the emulator issuer and endpoints.",
+      template: "APPLE_ISSUER={{baseUrl}}\nAPPLE_AUTHORIZATION_URL={{baseUrl}}/auth/authorize\nAPPLE_TOKEN_URL={{baseUrl}}/auth/token\nAPPLE_JWKS_URL={{baseUrl}}/auth/keys\nAPPLE_CLIENT_ID={{clientId}}\nAPPLE_CLIENT_SECRET={{clientSecret}}"
+    },
+    {
+      id: "curl-discovery",
+      title: "curl OIDC discovery",
+      kind: "curl",
+      language: "bash",
+      description: "Fetch the OpenID Connect discovery document.",
+      template: "curl -s {{baseUrl}}/.well-known/openid-configuration"
+    },
+    {
+      id: "curl-token",
+      title: "curl token exchange",
+      kind: "curl",
+      language: "bash",
+      description: "Exchange an authorization code for tokens.",
+      template: 'curl -s -X POST {{baseUrl}}/auth/token \\\n  -H "content-type: application/x-www-form-urlencoded" \\\n  -d "grant_type=authorization_code&code=<code>&client_id={{clientId}}&client_secret={{clientSecret}}"'
+    }
+  ]
+};
+function seedDefaults(store, _baseUrl) {
+  const as = getAppleStore(store);
+  as.users.insert({
+    uid: generateAppleUid(),
+    email: "testuser@icloud.com",
+    name: "Test User",
+    given_name: "Test",
+    family_name: "User",
+    email_verified: true,
+    is_private_email: false,
+    private_relay_email: null,
+    real_user_status: 2
+  });
+}
+function seedFromConfig(store, _baseUrl, config) {
+  const as = getAppleStore(store);
+  if (config.users) {
+    for (const u of config.users) {
+      const existing = as.users.findOneBy("email", u.email);
+      if (existing) continue;
+      const nameParts = (u.name ?? "").split(/\s+/);
+      const isPrivate = u.is_private_email ?? false;
+      as.users.insert({
+        uid: generateAppleUid(),
+        email: u.email,
+        name: u.name ?? u.email.split("@")[0],
+        given_name: u.given_name ?? nameParts[0] ?? "",
+        family_name: u.family_name ?? nameParts.slice(1).join(" ") ?? "",
+        email_verified: true,
+        is_private_email: isPrivate,
+        private_relay_email: isPrivate ? generatePrivateRelayEmail() : null,
+        real_user_status: 2
+      });
+    }
+  }
+  if (config.oauth_clients) {
+    for (const client of config.oauth_clients) {
+      const existing = as.oauthClients.findOneBy("client_id", client.client_id);
+      if (existing) continue;
+      as.oauthClients.insert({
+        client_id: client.client_id,
+        team_id: client.team_id,
+        key_id: client.key_id ?? "TESTKEY001",
+        name: client.name,
+        redirect_uris: client.redirect_uris
+      });
+    }
+  }
+}
+var applePlugin = {
+  name: "apple",
+  register(app, store, webhooks, baseUrl, tokenMap) {
+    const ctx = { app, store, webhooks, baseUrl, tokenMap };
+    oauthRoutes(ctx);
+  },
+  seed(store, baseUrl) {
+    seedDefaults(store, baseUrl);
+  }
+};
+var index_default = applePlugin;
+export {
+  applePlugin,
+  index_default as default,
+  getAppleStore,
+  manifest,
+  seedFromConfig
+};
+//# sourceMappingURL=dist-ZEC77OKZ.js.map