@frontmcp/sdk 0.6.0 → 0.6.2

package/src/auth/session/session.service.js

@@ -1,105 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SessionService = void 0;
-// auth/session/session.service.ts
-const session_stateless_1 = require("./record/session.stateless");
-const session_stateful_1 = require("./record/session.stateful");
-const session_transparent_1 = require("./record/session.transparent");
-const store_1 = require("../../store");
-class SessionService {
-    store = new store_1.ScopedInMemoryStore();
-    /**
-     * Create and persist a new Session from verified auth data.
-     * The returned Session exposes async token helpers, scoped view, and transport JWT helpers.
-     */
-    async createSession(scope, args) {
-        if (scope.orchestrated) {
-            return this.createOrchestratedSession(scope, args);
-        }
-        else {
-            return this.createTransparentSession(scope, args);
-        }
-    }
-    createOrchestratedSession(scope, args) {
-        const stateless = scope.metadata.transport?.sessionMode === 'stateless';
-        if (stateless) {
-            return new session_stateless_1.StatelessSession(args);
-        }
-        else {
-            return new session_stateful_1.StatefulSession(args);
-        }
-    }
-    createTransparentSession(scope, args) {
-        const primary = scope.auth;
-        const apps = scope.apps.getApps();
-        const appIds = apps.map((app) => app.id);
-        // Prefer precomputed projections when provided
-        let authorizedApps = args.authorizedApps ?? {};
-        if (!args.authorizedApps) {
-            authorizedApps = {};
-            for (const app of apps) {
-                try {
-                    const toolNames = app.tools.getTools().map((t) => String(t.metadata.name));
-                    authorizedApps[app.id] = { id: app.id, toolIds: toolNames };
-                }
-                catch {
-                    authorizedApps[app.id] = { id: app.id, toolIds: [] };
-                }
-            }
-        }
-        // TODO: the authorized resources should be computed from the oauth-protected-resource flow
-        // let authorizedResources: string[] = args.authorizedResources ?? [];
-        // if (!args.authorizedResources) {
-        //   authorizedResources = [];
-        // }
-        // Providers snapshot
-        let authorizedProviders = args.authorizedProviders;
-        let authorizedProviderIds = args.authorizedProviderIds;
-        if (!authorizedProviders || !authorizedProviderIds) {
-            const expClaim = args.claims && typeof args.claims['exp'] === 'number'
-                ? Number(args.claims['exp'])
-                : undefined;
-            const providerSnapshot = {
-                id: primary.id,
-                exp: expClaim,
-                payload: args.claims ?? {},
-                apps: appIds.map((id) => ({ id, toolIds: authorizedApps[id]?.toolIds ?? [] })),
-                embedMode: 'plain',
-            };
-            authorizedProviders = { [primary.id]: providerSnapshot };
-            authorizedProviderIds = [primary.id];
-        }
-        // resolve granted scopes from token claims (scope or scp)
-        let scopes = args.scopes ?? [];
-        if (!args.scopes) {
-            const rawScope = (args.claims && (args.claims['scope'] ?? args.claims['scp']));
-            scopes = Array.isArray(rawScope)
-                ? rawScope.map(String)
-                : typeof rawScope === 'string'
-                    ? rawScope.split(/[\s,]+/).filter(Boolean)
-                    : [];
-        }
-        return new session_transparent_1.TransparentSession({
-            apps: appIds,
-            id: args.token,
-            sessionId: args.sessionId,
-            scope,
-            user: args.user,
-            issuer: primary.issuer,
-            token: args.token,
-            claims: args.claims,
-            authorizedProviders: authorizedProviders,
-            authorizedProviderIds: authorizedProviderIds,
-            authorizedApps,
-            authorizedAppIds: appIds,
-            authorizedResources: [], // TODO: fix
-            scopes,
-            authorizedTools: args.authorizedTools,
-            authorizedToolIds: args.authorizedToolIds,
-            authorizedPrompts: args.authorizedPrompts,
-            authorizedPromptIds: args.authorizedPromptIds,
-        });
-    }
-}
-exports.SessionService = SessionService;
-//# sourceMappingURL=session.service.js.map

package/src/auth/session/session.service.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.service.js","sourceRoot":"","sources":["../../../../src/auth/session/session.service.ts"],"names":[],"mappings":";;;AAAA,kCAAkC;AAClC,kEAA8D;AAC9D,gEAA4D;AAG5D,sEAAkE;AAClE,uCAAkD;AAElD,MAAa,cAAc;IACjB,KAAK,GAAG,IAAI,2BAAmB,EAAE,CAAC;IAE1C;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,KAAY,EAAE,IAAuB;QACvD,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACrD,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,wBAAwB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAEO,yBAAyB,CAAC,KAAY,EAAE,IAAuB;QACrE,MAAM,SAAS,GAAG,KAAK,CAAC,QAAQ,CAAC,SAAS,EAAE,WAAW,KAAK,WAAW,CAAC;QACxE,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,IAAI,oCAAgB,CAAC,IAAW,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,kCAAe,CAAC,IAAW,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,wBAAwB,CAAC,KAAY,EAAE,IAAuB;QACpE,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC;QAE3B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEzC,+CAA+C;QAC/C,IAAI,cAAc,GAAsD,IAAI,CAAC,cAAc,IAAI,EAAE,CAAC;QAClG,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,cAAc,GAAG,EAAE,CAAC;YACpB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,IAAI,CAAC;oBACH,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;oBAC3E,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;gBAC9D,CAAC;gBAAC,MAAM,CAAC;oBACP,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;gBACvD,CAAC;YACH,CAAC;QACH,CAAC;QAED,2FAA2F;QAC3F,sEAAsE;QACtE,mCAAmC;QACnC,8BAA8B;QAC9B,IAAI;QAEJ,qBAAqB;QACrB,IAAI,mBAAmB,GAAG,IAAI,CAAC,mBAAmB,CAAC;QACnD,IAAI,qBAAqB,GAAG,IAAI,CAAC,qBAAqB,CAAC;QACvD,IAAI,CAAC,mBAAmB,IAAI,CAAC,qBAAqB,EAAE,CAAC;YACnD,MAAM,QAAQ,GACZ,IAAI,CAAC,MAAM,IAAI,OAAQ,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,KAAK,QAAQ;gBAC5D,CAAC,CAAC,MAAM,CAAE,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC;gBACrC,CAAC,CAAC,SAAS,CAAC;YAChB,MAAM,gBAAgB,GAAG;gBACvB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,QAAQ;gBACb,OAAO,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE;gBAC1B,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,cAAc,CAAC,EAAE,CAAC,EAAE,OAAO,IAAI,EAAE,EAAE,CAAC,CAAC;gBAC9E,SAAS,EAAE,OAAgB;aAC5B,CAAC;YACF,mBAAmB,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,gBAAgB,EAAS,CAAC;YAChE,qBAAqB,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACvC,CAAC;QAED,0DAA0D;QAC1D,IAAI,MAAM,GAAa,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,CAAE,IAAI,CAAC,MAAc,CAAC,OAAO,CAAC,IAAK,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC,CAAY,CAAC;YAC5G,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAC9B,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;gBACtB,CAAC,CAAC,OAAO,QAAQ,KAAK,QAAQ;oBAC9B,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;oBAC1C,CAAC,CAAC,EAAE,CAAC;QACT,CAAC;QAED,OAAO,IAAI,wCAAkB,CAAC;YAC5B,IAAI,EAAE,MAAM;YACZ,EAAE,EAAE,IAAI,CAAC,KAAK;YACd,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,mBAAmB,EAAE,mBAA0B;YAC/C,qBAAqB,EAAE,qBAA4B;YACnD,cAAc;YACd,gBAAgB,EAAE,MAAM;YACxB,mBAAmB,EAAE,EAAE,EAAE,YAAY;YACrC,MAAM;YACN,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;SACvC,CAAC,CAAC;IACZ,CAAC;CACF;AArGD,wCAqGC","sourcesContent":["// auth/session/session.service.ts\nimport { StatelessSession } from './record/session.stateless';\nimport { StatefulSession } from './record/session.stateful';\nimport { Scope } from '../../scope';\nimport { CreateSessionArgs } from './session.types';\nimport { TransparentSession } from './record/session.transparent';\nimport { ScopedInMemoryStore } from '../../store';\n\nexport class SessionService {\n  private store = new ScopedInMemoryStore();\n\n  /**\n   * Create and persist a new Session from verified auth data.\n   * The returned Session exposes async token helpers, scoped view, and transport JWT helpers.\n   */\n  async createSession(scope: Scope, args: CreateSessionArgs) {\n    if (scope.orchestrated) {\n      return this.createOrchestratedSession(scope, args);\n    } else {\n      return this.createTransparentSession(scope, args);\n    }\n  }\n\n  private createOrchestratedSession(scope: Scope, args: CreateSessionArgs) {\n    const stateless = scope.metadata.transport?.sessionMode === 'stateless';\n    if (stateless) {\n      return new StatelessSession(args as any);\n    } else {\n      return new StatefulSession(args as any);\n    }\n  }\n\n  private createTransparentSession(scope: Scope, args: CreateSessionArgs) {\n    const primary = scope.auth;\n\n    const apps = scope.apps.getApps();\n    const appIds = apps.map((app) => app.id);\n\n    // Prefer precomputed projections when provided\n    let authorizedApps: Record<string, { id: string; toolIds: string[] }> = args.authorizedApps ?? {};\n    if (!args.authorizedApps) {\n      authorizedApps = {};\n      for (const app of apps) {\n        try {\n          const toolNames = app.tools.getTools().map((t) => String(t.metadata.name));\n          authorizedApps[app.id] = { id: app.id, toolIds: toolNames };\n        } catch {\n          authorizedApps[app.id] = { id: app.id, toolIds: [] };\n        }\n      }\n    }\n\n    // TODO: the authorized resources should be computed from the oauth-protected-resource flow\n    // let authorizedResources: string[] = args.authorizedResources ?? [];\n    // if (!args.authorizedResources) {\n    //   authorizedResources = [];\n    // }\n\n    // Providers snapshot\n    let authorizedProviders = args.authorizedProviders;\n    let authorizedProviderIds = args.authorizedProviderIds;\n    if (!authorizedProviders || !authorizedProviderIds) {\n      const expClaim =\n        args.claims && typeof (args.claims as any)['exp'] === 'number'\n          ? Number((args.claims as any)['exp'])\n          : undefined;\n      const providerSnapshot = {\n        id: primary.id,\n        exp: expClaim,\n        payload: args.claims ?? {},\n        apps: appIds.map((id) => ({ id, toolIds: authorizedApps[id]?.toolIds ?? [] })),\n        embedMode: 'plain' as const,\n      };\n      authorizedProviders = { [primary.id]: providerSnapshot } as any;\n      authorizedProviderIds = [primary.id];\n    }\n\n    // resolve granted scopes from token claims (scope or scp)\n    let scopes: string[] = args.scopes ?? [];\n    if (!args.scopes) {\n      const rawScope = (args.claims && ((args.claims as any)['scope'] ?? (args.claims as any)['scp'])) as unknown;\n      scopes = Array.isArray(rawScope)\n        ? rawScope.map(String)\n        : typeof rawScope === 'string'\n        ? rawScope.split(/[\\s,]+/).filter(Boolean)\n        : [];\n    }\n\n    return new TransparentSession({\n      apps: appIds,\n      id: args.token,\n      sessionId: args.sessionId,\n      scope,\n      user: args.user,\n      issuer: primary.issuer,\n      token: args.token,\n      claims: args.claims,\n      authorizedProviders: authorizedProviders as any,\n      authorizedProviderIds: authorizedProviderIds as any,\n      authorizedApps,\n      authorizedAppIds: appIds,\n      authorizedResources: [], // TODO: fix\n      scopes,\n      authorizedTools: args.authorizedTools,\n      authorizedToolIds: args.authorizedToolIds,\n      authorizedPrompts: args.authorizedPrompts,\n      authorizedPromptIds: args.authorizedPromptIds,\n    } as any);\n  }\n}\n"]}

package/src/auth/session/session.transport.js

@@ -1,20 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.TransportIdGenerator = void 0;
-// auth/session/session.transport.ts
-const node_crypto_1 = require("node:crypto");
-class TransportIdGenerator {
-    static createId(mode) {
-        switch (mode) {
-            case 'uuid':
-                return (0, node_crypto_1.randomUUID)();
-            case 'jwt':
-                // TODO: generate a JWT with a random UUID as the jti,
-                return (0, node_crypto_1.randomUUID)().replace(/-/g, '');
-            default:
-                throw new Error(`Unknown transport id mode: ${mode}`);
-        }
-    }
-}
-exports.TransportIdGenerator = TransportIdGenerator;
-//# sourceMappingURL=session.transport.js.map

package/src/auth/session/session.transport.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.transport.js","sourceRoot":"","sources":["../../../../src/auth/session/session.transport.ts"],"names":[],"mappings":";;;AAAA,oCAAoC;AACpC,6CAAyC;AAGzC,MAAa,oBAAoB;IAC/B,MAAM,CAAC,QAAQ,CAAC,IAAqB;QACnC,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,MAAM;gBACT,OAAO,IAAA,wBAAU,GAAE,CAAC;YACtB,KAAK,KAAK;gBACR,sDAAsD;gBACtD,OAAO,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACxC;gBACE,MAAM,IAAI,KAAK,CAAC,8BAA8B,IAAI,EAAE,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;CACF;AAZD,oDAYC","sourcesContent":["// auth/session/session.transport.ts\nimport { randomUUID } from 'node:crypto';\nimport { TransportIdMode } from '../../common';\n\nexport class TransportIdGenerator {\n  static createId(mode: TransportIdMode): string {\n    switch (mode) {\n      case 'uuid':\n        return randomUUID();\n      case 'jwt':\n        // TODO: generate a JWT with a random UUID as the jti,\n        return randomUUID().replace(/-/g, '');\n      default:\n        throw new Error(`Unknown transport id mode: ${mode}`);\n    }\n  }\n}\n"]}

package/src/auth/session/session.types.js

@@ -1,4 +0,0 @@
-"use strict";
-// auth/session/session.types.ts
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=session.types.js.map

package/src/auth/session/session.types.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.types.js","sourceRoot":"","sources":["../../../../src/auth/session/session.types.ts"],"names":[],"mappings":";AAAA,gCAAgC","sourcesContent":["// auth/session/session.types.ts\n\nimport { SessionUser } from './record/session.base';\n\n/** How provider tokens are managed in a session. */\nexport type SessionMode = 'transparent' | 'stateful' | 'stateless';\n\n/**\n * How a single provider’s access token is represented inside the session payload.\n */\nexport type ProviderEmbedMode =\n  | 'store-only' // stateful, encrypted in memory store\n  | 'encrypted' // stateless, encrypted in JWT/session-secret\n  | 'plain' // stateless, plaintext (in-memory only)\n  | 'ref'; // NEW: external vault/store by reference\n\n/** AES-256-GCM encrypted blob, base64url fields. */\nexport type EncBlob = { alg: 'A256GCM'; iv: string; tag: string; data: string };\n\nexport type ProviderSnapshot = {\n  id: string;\n  exp?: number;\n  payload?: Record<string, unknown>;\n  apps?: Array<{ id: string; toolIds?: string[] }>;\n  embedMode: ProviderEmbedMode;\n\n  // legacy fields (keep for back-compat)\n  token?: string; // in-memory only, for 'plain'\n  tokenEnc?: { alg: 'A256GCM'; iv: string; tag: string; data: string }; // for 'encrypted' or 'store-only'\n  refreshTokenEnc?: { alg: 'A256GCM'; iv: string; tag: string; data: string };\n\n  // NEW: externalized refs\n  secretRefId?: string; // access token reference\n  refreshRefId?: string; // refresh token reference\n};\n\n/** Arguments required to create a session from verified auth data. */\nexport type CreateSessionArgs = {\n  token: string;\n  sessionId?: string;\n  claims: Record<string, any>;\n  user: SessionUser;\n  // Optional precomputed authorization projections (preferred when provided)\n  authorizedProviders?: Record<string, import('./session.types').ProviderSnapshot>;\n  authorizedProviderIds?: string[];\n  authorizedApps?: Record<string, { id: string; toolIds: string[] }>;\n  authorizedAppIds?: string[];\n  authorizedResources?: string[];\n  scopes?: string[];\n  // Scoped tool/prompt projections for fast lookup\n  authorizedTools?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  authorizedToolIds?: string[];\n  authorizedPrompts?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  authorizedPromptIds?: string[];\n};\n\n"]}

package/src/auth/session/token.refresh.js

@@ -1,63 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.toEpochSeconds = toEpochSeconds;
-exports.isSoonExpiring = isSoonExpiring;
-exports.isSoonExpiringProvider = isSoonExpiringProvider;
-exports.tryJwtExp = tryJwtExp;
-// -----------------------------------------------------------------------------
-// Expiry helpers
-// -----------------------------------------------------------------------------
-/** Convert seconds/ms epoch or Date to epoch seconds. */
-function toEpochSeconds(exp) {
-    if (exp == null)
-        return undefined;
-    if (exp instanceof Date)
-        return Math.floor(exp.getTime() / 1000);
-    // Heuristic: treat large numbers as ms
-    return exp > 1e12 ? Math.floor(exp / 1000) : Math.floor(exp);
-}
-/** Returns true if `exp` will occur within `skewSec` from now (or already past). */
-function isSoonExpiring(exp, skewSec = 60) {
-    const expSec = toEpochSeconds(exp);
-    if (expSec == null)
-        return false;
-    const now = Math.floor(Date.now() / 1000);
-    return expSec <= now + Math.max(0, skewSec);
-}
-/**
- * Synchronous check against a provider snapshot’s `exp` field.
- * Note: In `ref` mode the exact expiry may live in the store; this helper
- * intentionally remains synchronous and only uses the snapshot’s `exp`.
- */
-function isSoonExpiringProvider(sessionLike, providerId, skewSec = 60) {
-    const snap = sessionLike.authorizedProviders[providerId];
-    if (!snap)
-        return false;
-    return isSoonExpiring(snap.exp, skewSec);
-}
-// -----------------------------------------------------------------------------
-// Optional utility: derive exp from JWT (unsigned decode)
-// -----------------------------------------------------------------------------
-/** Best-effort extraction of `exp` from a JWT without verification. */
-function tryJwtExp(token) {
-    if (!token)
-        return undefined;
-    const parts = token.split('.');
-    if (parts.length < 2)
-        return undefined;
-    try {
-        const json = JSON.parse(base64urlDecode(parts[1]));
-        const e = json?.exp;
-        return typeof e === 'number' ? toEpochSeconds(e) : undefined;
-    }
-    catch {
-        return undefined;
-    }
-}
-function base64urlDecode(input) {
-    // pad
-    const pad = input.length % 4 === 2 ? '==' : input.length % 4 === 3 ? '=' : '';
-    const s = input.replace(/-/g, '+').replace(/_/g, '/') + pad;
-    return Buffer.from(s, 'base64').toString('utf8');
-}
-//# sourceMappingURL=token.refresh.js.map

package/src/auth/session/token.refresh.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"token.refresh.js","sourceRoot":"","sources":["../../../../src/auth/session/token.refresh.ts"],"names":[],"mappings":";;AA8DA,wCAKC;AAGD,wCAKC;AAOD,wDAQC;AAOD,8BAWC;AAnDD,gFAAgF;AAChF,iBAAiB;AACjB,gFAAgF;AAEhF,yDAAyD;AACzD,SAAgB,cAAc,CAAC,GAAmB;IAChD,IAAI,GAAG,IAAI,IAAI;QAAE,OAAO,SAAS,CAAC;IAClC,IAAI,GAAG,YAAY,IAAI;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACjE,uCAAuC;IACvC,OAAO,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AAC/D,CAAC;AAED,oFAAoF;AACpF,SAAgB,cAAc,CAAC,GAAmB,EAAE,OAAO,GAAG,EAAE;IAC9D,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,MAAM,IAAI,IAAI;QAAE,OAAO,KAAK,CAAC;IACjC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,OAAO,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AAC9C,CAAC;AAED;;;;GAIG;AACH,SAAgB,sBAAsB,CACpC,WAAsE,EACtE,UAAkB,EAClB,OAAO,GAAG,EAAE;IAEZ,MAAM,IAAI,GAAG,WAAW,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;IACzD,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,OAAO,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC3C,CAAC;AAED,gFAAgF;AAChF,0DAA0D;AAC1D,gFAAgF;AAEhF,uEAAuE;AACvE,SAAgB,SAAS,CAAC,KAAc;IACtC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IACvC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC;QACpB,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM;IACN,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9E,MAAM,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,GAAG,CAAC;IAC5D,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACnD,CAAC","sourcesContent":["// auth/session/token.refresh.ts\nimport type { ProviderSnapshot } from './session.types';\nimport type { TokenStore } from './token.store';\nimport type { TokenVault } from './token.vault';\n\n// -----------------------------------------------------------------------------\n// Types\n// -----------------------------------------------------------------------------\n\nexport type TokenRefreshCtx = {\n  /** The provider we’re refreshing for. */\n  providerId: string;\n\n  /** Caller-provided session facade (only what a refresher may need). */\n  session: {\n    id: string;\n    scopeId: string;\n    /** Current snapshot (mutable by the session after refresh). */\n    authorizedProviders: Record<string, ProviderSnapshot>;\n    /** Optional helper if the refresher wants to call other providers. */\n    getToken?: (pid: string, opts?: { refreshSkewSec?: number; forceRefresh?: boolean }) => Promise<string | undefined>;\n  };\n\n  /** Current access token (if known); may be undefined/expired. */\n  accessToken?: string;\n\n  /**\n   * Refresh token (if accessible by the embedding mode).\n   * For `ref` mode this is usually `undefined`; the refresher should use `store`/`vault`.\n   */\n  refreshToken?: string;\n\n  /** The snapshot we’re refreshing (same as authorizedProviders[providerId]). */\n  snapshot: ProviderSnapshot;\n\n  /**\n   * External storage interfaces, present for `ref` mode to avoid revealing plaintext tokens.\n   * - `store` holds opaque encrypted blobs\n   * - `vault` handles AEAD encryption/decryption of secrets\n   */\n  store?: TokenStore;\n  vault?: TokenVault;\n};\n\nexport type TokenRefreshResult = {\n  /** New access token (if rotated). */\n  accessToken?: string;\n  /** New refresh token (optional). */\n  refreshToken?: string;\n  /** New absolute expiry (seconds since epoch preferred; ms also accepted). */\n  exp: number;\n  /** Optional opaque payload returned by the AS (id_token claims, etc.). */\n  payload?: Record<string, unknown>;\n};\n\nexport type TokenRefresher = (ctx: TokenRefreshCtx) => Promise<TokenRefreshResult>;\n\n// -----------------------------------------------------------------------------\n// Expiry helpers\n// -----------------------------------------------------------------------------\n\n/** Convert seconds/ms epoch or Date to epoch seconds. */\nexport function toEpochSeconds(exp?: number | Date): number | undefined {\n  if (exp == null) return undefined;\n  if (exp instanceof Date) return Math.floor(exp.getTime() / 1000);\n  // Heuristic: treat large numbers as ms\n  return exp > 1e12 ? Math.floor(exp / 1000) : Math.floor(exp);\n}\n\n/** Returns true if `exp` will occur within `skewSec` from now (or already past). */\nexport function isSoonExpiring(exp?: number | Date, skewSec = 60): boolean {\n  const expSec = toEpochSeconds(exp);\n  if (expSec == null) return false;\n  const now = Math.floor(Date.now() / 1000);\n  return expSec <= now + Math.max(0, skewSec);\n}\n\n/**\n * Synchronous check against a provider snapshot’s `exp` field.\n * Note: In `ref` mode the exact expiry may live in the store; this helper\n * intentionally remains synchronous and only uses the snapshot’s `exp`.\n */\nexport function isSoonExpiringProvider(\n  sessionLike: { authorizedProviders: Record<string, ProviderSnapshot> },\n  providerId: string,\n  skewSec = 60,\n): boolean {\n  const snap = sessionLike.authorizedProviders[providerId];\n  if (!snap) return false;\n  return isSoonExpiring(snap.exp, skewSec);\n}\n\n// -----------------------------------------------------------------------------\n// Optional utility: derive exp from JWT (unsigned decode)\n// -----------------------------------------------------------------------------\n\n/** Best-effort extraction of `exp` from a JWT without verification. */\nexport function tryJwtExp(token?: string): number | undefined {\n  if (!token) return undefined;\n  const parts = token.split('.');\n  if (parts.length < 2) return undefined;\n  try {\n    const json = JSON.parse(base64urlDecode(parts[1]));\n    const e = json?.exp;\n    return typeof e === 'number' ? toEpochSeconds(e) : undefined;\n  } catch {\n    return undefined;\n  }\n}\n\nfunction base64urlDecode(input: string): string {\n  // pad\n  const pad = input.length % 4 === 2 ? '==' : input.length % 4 === 3 ? '=' : '';\n  const s = input.replace(/-/g, '+').replace(/_/g, '/') + pad;\n  return Buffer.from(s, 'base64').toString('utf8');\n}\n"]}

package/src/auth/session/token.store.js

@@ -1,53 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.RedisTokenStore = exports.MemoryTokenStore = void 0;
-// auth/session/token.store.ts
-const node_crypto_1 = require("node:crypto");
-/** In-memory reference store (dev/test). */
-class MemoryTokenStore {
-    m = new Map();
-    allocId() {
-        return (0, node_crypto_1.randomUUID)();
-    }
-    async put(id, blob) {
-        this.m.set(id, { id, blob, updatedAt: Date.now() });
-    }
-    async get(id) {
-        return this.m.get(id);
-    }
-    async del(id) {
-        this.m.delete(id);
-    }
-}
-exports.MemoryTokenStore = MemoryTokenStore;
-/** Redis (sketch) — replace `any` with your redis client type. */
-class RedisTokenStore {
-    redis;
-    ns;
-    constructor(redis, ns = 'tok:') {
-        this.redis = redis;
-        this.ns = ns;
-    }
-    allocId() {
-        return (0, node_crypto_1.randomUUID)();
-    }
-    key(id) {
-        return `${this.ns}${id}`;
-    }
-    async put(id, blob) {
-        const rec = JSON.stringify({ id, blob, updatedAt: Date.now() });
-        // Optional: set EX by blob.exp if you want Redis eviction at token expiry
-        await this.redis.set(this.key(id), rec);
-    }
-    async get(id) {
-        const raw = await this.redis.get(this.key(id));
-        if (!raw)
-            return undefined;
-        return JSON.parse(raw);
-    }
-    async del(id) {
-        await this.redis.del(this.key(id));
-    }
-}
-exports.RedisTokenStore = RedisTokenStore;
-//# sourceMappingURL=token.store.js.map

package/src/auth/session/token.store.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"token.store.js","sourceRoot":"","sources":["../../../../src/auth/session/token.store.ts"],"names":[],"mappings":";;;AAAA,8BAA8B;AAC9B,6CAAyC;AAoBzC,4CAA4C;AAC5C,MAAa,gBAAgB;IACnB,CAAC,GAAG,IAAI,GAAG,EAAwB,CAAC;IAC5C,OAAO;QACL,OAAO,IAAA,wBAAU,GAAE,CAAC;IACtB,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,EAAU,EAAE,IAAa;QACjC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,OAAO,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACxB,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACpB,CAAC;CACF;AAdD,4CAcC;AAED,kEAAkE;AAClE,MAAa,eAAe;IACG;IAA6B;IAA1D,YAA6B,KAAU,EAAmB,KAAK,MAAM;QAAxC,UAAK,GAAL,KAAK,CAAK;QAAmB,OAAE,GAAF,EAAE,CAAS;IAAG,CAAC;IACzE,OAAO;QACL,OAAO,IAAA,wBAAU,GAAE,CAAC;IACtB,CAAC;IACD,GAAG,CAAC,EAAU;QACZ,OAAO,GAAG,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU,EAAE,IAAa;QACjC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAChE,0EAA0E;QAC1E,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAC/C,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3B,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IACrC,CAAC;CACF;AAxBD,0CAwBC","sourcesContent":["// auth/session/token.store.ts\nimport { randomUUID } from 'node:crypto';\nimport type { EncBlob } from './token.vault';\n\nexport type SecretRecord = {\n  id: string; // opaque reference id\n  blob: EncBlob; // encrypted token\n  updatedAt: number; // ms\n};\n\nexport interface TokenStore {\n  /** Create or overwrite a blob under a stable id. */\n  put(id: string, blob: EncBlob): Promise<void>;\n  /** Fetch encrypted blob by id. */\n  get(id: string): Promise<SecretRecord | undefined>;\n  /** Delete a reference. */\n  del(id: string): Promise<void>;\n  /** Allocate a new id (opaque). */\n  allocId(): string;\n}\n\n/** In-memory reference store (dev/test). */\nexport class MemoryTokenStore implements TokenStore {\n  private m = new Map<string, SecretRecord>();\n  allocId() {\n    return randomUUID();\n  }\n  async put(id: string, blob: EncBlob) {\n    this.m.set(id, { id, blob, updatedAt: Date.now() });\n  }\n  async get(id: string) {\n    return this.m.get(id);\n  }\n  async del(id: string) {\n    this.m.delete(id);\n  }\n}\n\n/** Redis (sketch) — replace `any` with your redis client type. */\nexport class RedisTokenStore implements TokenStore {\n  constructor(private readonly redis: any, private readonly ns = 'tok:') {}\n  allocId() {\n    return randomUUID();\n  }\n  key(id: string) {\n    return `${this.ns}${id}`;\n  }\n\n  async put(id: string, blob: EncBlob) {\n    const rec = JSON.stringify({ id, blob, updatedAt: Date.now() });\n    // Optional: set EX by blob.exp if you want Redis eviction at token expiry\n    await this.redis.set(this.key(id), rec);\n  }\n\n  async get(id: string) {\n    const raw = await this.redis.get(this.key(id));\n    if (!raw) return undefined;\n    return JSON.parse(raw) as SecretRecord;\n  }\n\n  async del(id: string) {\n    await this.redis.del(this.key(id));\n  }\n}\n"]}

package/src/auth/session/token.vault.js

@@ -1,54 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.TokenVault = void 0;
-const tslib_1 = require("tslib");
-// auth/session/token.vault.ts
-const node_crypto_1 = tslib_1.__importDefault(require("node:crypto"));
-class TokenVault {
-    /** Active key used for new encryptions */
-    active;
-    /** All known keys by kid for decryption (includes active) */
-    keys = new Map();
-    constructor(keys) {
-        if (!Array.isArray(keys) || keys.length === 0) {
-            throw new Error('TokenVault requires at least one key');
-        }
-        // first is active by convention
-        this.active = keys[0];
-        for (const k of keys)
-            this.keys.set(k.kid, k.key);
-    }
-    rotateTo(k) {
-        this.active = k;
-        this.keys.set(k.kid, k.key);
-    }
-    encrypt(plaintext, opts) {
-        const iv = node_crypto_1.default.randomBytes(12);
-        const cipher = node_crypto_1.default.createCipheriv('aes-256-gcm', this.active.key, iv);
-        const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
-        const tag = cipher.getAuthTag();
-        return {
-            alg: 'A256GCM',
-            kid: this.active.kid,
-            iv: iv.toString('base64url'),
-            tag: tag.toString('base64url'),
-            data: data.toString('base64url'),
-            exp: opts?.exp,
-            meta: opts?.meta,
-        };
-    }
-    decrypt(blob) {
-        const key = this.keys.get(blob.kid);
-        if (!key)
-            throw new Error(`vault_unknown_kid:${blob.kid}`);
-        const iv = Buffer.from(blob.iv, 'base64url');
-        const tag = Buffer.from(blob.tag, 'base64url');
-        const data = Buffer.from(blob.data, 'base64url');
-        const decipher = node_crypto_1.default.createDecipheriv('aes-256-gcm', key, iv);
-        decipher.setAuthTag(tag);
-        const out = Buffer.concat([decipher.update(data), decipher.final()]);
-        return out.toString('utf8');
-    }
-}
-exports.TokenVault = TokenVault;
-//# sourceMappingURL=token.vault.js.map

package/src/auth/session/token.vault.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"token.vault.js","sourceRoot":"","sources":["../../../../src/auth/session/token.vault.ts"],"names":[],"mappings":";;;;AAAA,8BAA8B;AAC9B,sEAAiC;AAcjC,MAAa,UAAU;IACrB,0CAA0C;IAClC,MAAM,CAAW;IACzB,6DAA6D;IACrD,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEzC,YAAY,IAAgB;QAC1B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QACD,gCAAgC;QAChC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACtB,KAAK,MAAM,CAAC,IAAI,IAAI;YAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC;IACpD,CAAC;IAED,QAAQ,CAAC,CAAW;QAClB,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;QAChB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,CAAC,SAAiB,EAAE,IAAuD;QAChF,MAAM,EAAE,GAAG,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,qBAAM,CAAC,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACzE,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAChC,OAAO;YACL,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACpB,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC5B,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9B,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;YAChC,GAAG,EAAE,IAAI,EAAE,GAAG;YACd,IAAI,EAAE,IAAI,EAAE,IAAI;SACjB,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,IAAa;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3D,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;QAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACjD,MAAM,QAAQ,GAAG,qBAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACjE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACrE,OAAO,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;CACF;AA/CD,gCA+CC","sourcesContent":["// auth/session/token.vault.ts\nimport crypto from 'node:crypto';\n\nexport type EncBlob = {\n  alg: 'A256GCM';\n  kid: string; // master key id\n  iv: string; // base64url\n  tag: string; // base64url\n  data: string; // base64url\n  exp?: number; // optional epoch seconds\n  meta?: Record<string, unknown>;\n};\n\nexport type VaultKey = { kid: string; key: Buffer };\n\nexport class TokenVault {\n  /** Active key used for new encryptions */\n  private active: VaultKey;\n  /** All known keys by kid for decryption (includes active) */\n  private keys = new Map<string, Buffer>();\n\n  constructor(keys: VaultKey[]) {\n    if (!Array.isArray(keys) || keys.length === 0) {\n      throw new Error('TokenVault requires at least one key');\n    }\n    // first is active by convention\n    this.active = keys[0];\n    for (const k of keys) this.keys.set(k.kid, k.key);\n  }\n\n  rotateTo(k: VaultKey) {\n    this.active = k;\n    this.keys.set(k.kid, k.key);\n  }\n\n  encrypt(plaintext: string, opts?: { exp?: number; meta?: Record<string, unknown> }): EncBlob {\n    const iv = crypto.randomBytes(12);\n    const cipher = crypto.createCipheriv('aes-256-gcm', this.active.key, iv);\n    const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);\n    const tag = cipher.getAuthTag();\n    return {\n      alg: 'A256GCM',\n      kid: this.active.kid,\n      iv: iv.toString('base64url'),\n      tag: tag.toString('base64url'),\n      data: data.toString('base64url'),\n      exp: opts?.exp,\n      meta: opts?.meta,\n    };\n  }\n\n  decrypt(blob: EncBlob): string {\n    const key = this.keys.get(blob.kid);\n    if (!key) throw new Error(`vault_unknown_kid:${blob.kid}`);\n    const iv = Buffer.from(blob.iv, 'base64url');\n    const tag = Buffer.from(blob.tag, 'base64url');\n    const data = Buffer.from(blob.data, 'base64url');\n    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);\n    decipher.setAuthTag(tag);\n    const out = Buffer.concat([decipher.update(data), decipher.final()]);\n    return out.toString('utf8');\n  }\n}\n"]}