@frontmcp/utils 0.12.2 → 1.0.0-beta.10

package/async-context/browser-async-context.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Browser polyfill for AsyncLocalStorage.
+ *
+ * Uses a simple stack-based approach, which is safe in single-threaded
+ * browser environments. Does not support `enterWith()` or `disable()`
+ * (neither is used in the FrontMCP codebase).
+ */
+export declare class AsyncLocalStorage<T> {
+    private stack;
+    run<R>(store: T, callback: (...args: unknown[]) => R, ...args: unknown[]): R;
+    getStore(): T | undefined;
+}

package/async-context/browser-async-context.js

@@ -0,0 +1,49 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// libs/utils/src/async-context/browser-async-context.ts
+var browser_async_context_exports = {};
+__export(browser_async_context_exports, {
+  AsyncLocalStorage: () => AsyncLocalStorage
+});
+module.exports = __toCommonJS(browser_async_context_exports);
+var AsyncLocalStorage = class {
+  stack = [];
+  run(store, callback, ...args) {
+    this.stack.push(store);
+    try {
+      const result = callback(...args);
+      if (result instanceof Promise) {
+        return result.finally(() => this.stack.pop());
+      }
+      this.stack.pop();
+      return result;
+    } catch (err) {
+      this.stack.pop();
+      throw err;
+    }
+  }
+  getStore() {
+    return this.stack.length > 0 ? this.stack[this.stack.length - 1] : void 0;
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AsyncLocalStorage
+});

package/async-context/index.d.ts

@@ -0,0 +1 @@
+export { AsyncLocalStorage } from '#async-context';

package/async-context/node-async-context.d.ts

@@ -0,0 +1 @@
+export { AsyncLocalStorage } from 'node:async_hooks';

package/async-context/node-async-context.js

@@ -0,0 +1,30 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// libs/utils/src/async-context/node-async-context.ts
+var node_async_context_exports = {};
+__export(node_async_context_exports, {
+  AsyncLocalStorage: () => import_node_async_hooks.AsyncLocalStorage
+});
+module.exports = __toCommonJS(node_async_context_exports);
+var import_node_async_hooks = require("node:async_hooks");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AsyncLocalStorage
+});

package/crypto/browser.d.ts

@@ -9,3 +9,19 @@ import type { CryptoProvider } from './types';
  * Browser-compatible crypto provider using @noble libraries.
  */
 export declare const browserCrypto: CryptoProvider;
+/** Alias for conditional import resolution via `#crypto-provider`. */
+export { browserCrypto as cryptoProvider };
+export { isRsaPssAlg, jwtAlgToWebCryptoAlg } from './jwt-alg';
+/**
+ * Verify an RSA signature using WebCrypto.
+ *
+ * Supports RS256/RS384/RS512 (RSASSA-PKCS1-v1_5) and PS256/PS384/PS512 (RSA-PSS).
+ * Works in both browsers and Node.js environments that provide `crypto.subtle`.
+ *
+ * @param jwtAlg - JWT algorithm identifier (e.g. 'RS256', 'PS256')
+ * @param data - The signed data (e.g. `headerB64.payloadB64`)
+ * @param publicJwk - Public key in JWK format
+ * @param signature - The signature bytes
+ * @returns true if the signature is valid
+ */
+export declare function rsaVerifyBrowser(jwtAlg: string, data: Uint8Array, publicJwk: JsonWebKey, signature: Uint8Array): Promise<boolean>;

package/crypto/browser.js

@@ -0,0 +1,160 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// libs/utils/src/crypto/browser.ts
+var browser_exports = {};
+__export(browser_exports, {
+  browserCrypto: () => browserCrypto,
+  cryptoProvider: () => browserCrypto,
+  isRsaPssAlg: () => isRsaPssAlg,
+  jwtAlgToWebCryptoAlg: () => jwtAlgToWebCryptoAlg,
+  rsaVerifyBrowser: () => rsaVerifyBrowser
+});
+module.exports = __toCommonJS(browser_exports);
+var import_sha2 = require("@noble/hashes/sha2.js");
+var import_hmac = require("@noble/hashes/hmac.js");
+var import_hkdf = require("@noble/hashes/hkdf.js");
+var import_utils = require("@noble/hashes/utils.js");
+var import_aes = require("@noble/ciphers/aes.js");
+
+// libs/utils/src/crypto/jwt-alg.ts
+function isRsaPssAlg(jwtAlg) {
+  return jwtAlg.startsWith("PS");
+}
+var JWT_ALG_TO_WEB_CRYPTO = {
+  RS256: "SHA-256",
+  RS384: "SHA-384",
+  RS512: "SHA-512",
+  PS256: "SHA-256",
+  PS384: "SHA-384",
+  PS512: "SHA-512"
+};
+function jwtAlgToWebCryptoAlg(jwtAlg) {
+  const webAlg = JWT_ALG_TO_WEB_CRYPTO[jwtAlg];
+  if (!webAlg) {
+    throw new Error(`Unsupported JWT algorithm for WebCrypto: ${jwtAlg}`);
+  }
+  return webAlg;
+}
+
+// libs/utils/src/crypto/browser.ts
+function toBytes(data) {
+  if (typeof data === "string") {
+    return new TextEncoder().encode(data);
+  }
+  return data;
+}
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function generateUUID() {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  const bytes = (0, import_utils.randomBytes)(16);
+  bytes[6] = bytes[6] & 15 | 64;
+  bytes[8] = bytes[8] & 63 | 128;
+  const hex = toHex(bytes);
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a[i] ^ b[i];
+  }
+  return result === 0;
+}
+var browserCrypto = {
+  randomUUID() {
+    return generateUUID();
+  },
+  randomBytes(length) {
+    return (0, import_utils.randomBytes)(length);
+  },
+  sha256(data) {
+    return (0, import_sha2.sha256)(toBytes(data));
+  },
+  sha256Hex(data) {
+    return toHex((0, import_sha2.sha256)(toBytes(data)));
+  },
+  hmacSha256(key, data) {
+    return (0, import_hmac.hmac)(import_sha2.sha256, key, data);
+  },
+  hkdfSha256(ikm, salt, info, length) {
+    const effectiveSalt = salt.length > 0 ? salt : new Uint8Array(32);
+    return (0, import_hkdf.hkdf)(import_sha2.sha256, ikm, effectiveSalt, info, length);
+  },
+  encryptAesGcm(key, plaintext, iv) {
+    const cipher = (0, import_aes.gcm)(key, iv);
+    const sealed = cipher.encrypt(plaintext);
+    const ciphertext = sealed.slice(0, -16);
+    const tag = sealed.slice(-16);
+    return { ciphertext, tag };
+  },
+  decryptAesGcm(key, ciphertext, iv, tag) {
+    const cipher = (0, import_aes.gcm)(key, iv);
+    const sealed = new Uint8Array(ciphertext.length + tag.length);
+    sealed.set(ciphertext);
+    sealed.set(tag, ciphertext.length);
+    return cipher.decrypt(sealed);
+  },
+  timingSafeEqual(a, b) {
+    return constantTimeEqual(a, b);
+  }
+};
+async function rsaVerifyBrowser(jwtAlg, data, publicJwk, signature) {
+  if (typeof globalThis.crypto?.subtle === "undefined") {
+    throw new Error("WebCrypto API (crypto.subtle) is not available in this environment");
+  }
+  const webAlg = jwtAlgToWebCryptoAlg(jwtAlg);
+  const isPss = isRsaPssAlg(jwtAlg);
+  const algorithm = {
+    name: isPss ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+    hash: { name: webAlg }
+  };
+  const key = await globalThis.crypto.subtle.importKey("jwk", publicJwk, algorithm, false, ["verify"]);
+  const verifyAlgorithm = isPss ? { name: "RSA-PSS", saltLength: getSaltLength(jwtAlg) } : { name: "RSASSA-PKCS1-v1_5" };
+  const sigBuf = new Uint8Array(signature).buffer;
+  const dataBuf = new Uint8Array(data).buffer;
+  return globalThis.crypto.subtle.verify(verifyAlgorithm, key, sigBuf, dataBuf);
+}
+function getSaltLength(jwtAlg) {
+  switch (jwtAlg) {
+    case "PS256":
+      return 32;
+    // SHA-256 digest length
+    case "PS384":
+      return 48;
+    // SHA-384 digest length
+    case "PS512":
+      return 64;
+    // SHA-512 digest length
+    default:
+      return 32;
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  browserCrypto,
+  cryptoProvider,
+  isRsaPssAlg,
+  jwtAlgToWebCryptoAlg,
+  rsaVerifyBrowser
+});

package/crypto/index.d.ts

@@ -5,16 +5,25 @@
  * Uses native crypto in Node.js and @noble/hashes + @noble/ciphers in browsers.
  */
 import type { CryptoProvider, EncBlob } from './types';
-export { isRsaPssAlg, jwtAlgToNodeAlg } from './jwt-alg';
+export { isRsaPssAlg, jwtAlgToNodeAlg, jwtAlgToWebCryptoAlg } from './jwt-alg';
 /**
  * Get the crypto provider for the current runtime environment.
- * Lazily initializes the provider.
- *
- * Note: this module intentionally avoids importing any Node-only crypto modules
- * at module-load time so it can be used in browser builds without pulling them in.
+ * Resolved at build time via the `#crypto-provider` conditional import.
  */
 export declare function getCrypto(): CryptoProvider;
-export declare function rsaVerify(jwtAlg: string, data: Buffer, publicJwk: JsonWebKey, signature: Buffer): boolean;
+/**
+ * Verify an RSA signature.
+ *
+ * Cross-platform: uses Node.js `crypto` module in Node environments,
+ * and WebCrypto `crypto.subtle.verify()` in browsers.
+ *
+ * @param jwtAlg - JWT algorithm identifier (e.g. 'RS256', 'PS256')
+ * @param data - The signed data bytes
+ * @param publicJwk - Public key in JWK format
+ * @param signature - The signature bytes
+ * @returns Promise resolving to true if the signature is valid
+ */
+export declare function rsaVerify(jwtAlg: string, data: Buffer | Uint8Array, publicJwk: JsonWebKey, signature: Buffer | Uint8Array): Promise<boolean>;
 /**
  * Generate a UUID v4 string.
  */

package/crypto/jwt-alg.d.ts

@@ -6,3 +6,8 @@
  */
 export declare function jwtAlgToNodeAlg(jwtAlg: string): string;
 export declare function isRsaPssAlg(jwtAlg: string): boolean;
+/**
+ * Map a JWT algorithm to a WebCrypto hash algorithm name.
+ * Used for `crypto.subtle.importKey()` and `crypto.subtle.verify()`.
+ */
+export declare function jwtAlgToWebCryptoAlg(jwtAlg: string): string;

package/crypto/key-persistence/factory.d.ts

@@ -13,7 +13,8 @@ import type { CreateKeyPersistenceOptions } from './types';
  * Create a KeyPersistence instance with auto-detected storage.
  *
  * In Node.js: Uses filesystem storage at `.frontmcp/keys/` by default
- * In browser: Uses memory storage (keys lost on refresh)
+ * In browser: Uses IndexedDB (persistent) with localStorage fallback
+ * Fallback: Memory storage (keys lost on restart)
  *
  * @param options - Configuration options
  * @returns KeyPersistence instance (storage already connected)
@@ -26,6 +27,12 @@ import type { CreateKeyPersistenceOptions } from './types';
  * // Force memory storage
  * const memKeys = await createKeyPersistence({ type: 'memory' });
  *
+ * // Force IndexedDB (browser)
+ * const idbKeys = await createKeyPersistence({ type: 'indexeddb' });
+ *
+ * // Force localStorage (browser)
+ * const lsKeys = await createKeyPersistence({ type: 'localstorage' });
+ *
  * // Custom directory for filesystem
  * const fsKeys = await createKeyPersistence({
  *   type: 'filesystem',

package/crypto/key-persistence/types.d.ts

@@ -75,12 +75,14 @@ export interface KeyPersistenceOptions {
 export interface CreateKeyPersistenceOptions {
     /**
      * Storage type.
-     * - 'auto': Auto-detect based on environment (filesystem in Node.js, memory in browser)
+     * - 'auto': Auto-detect based on environment (filesystem in Node.js, indexeddb in browser)
      * - 'memory': Always use memory (keys lost on restart)
      * - 'filesystem': Always use filesystem (Node.js only)
+     * - 'indexeddb': Use IndexedDB (browser only, persistent)
+     * - 'localstorage': Use localStorage (browser only, persistent, ~5MB limit)
      * @default 'auto'
      */
-    type?: 'auto' | 'memory' | 'filesystem';
+    type?: 'auto' | 'memory' | 'filesystem' | 'indexeddb' | 'localstorage';
     /**
      * Base directory for filesystem storage.
      * Only used when type is 'filesystem' or 'auto' in Node.js.
@@ -97,6 +99,12 @@ export interface CreateKeyPersistenceOptions {
      * @default true
      */
     enableCache?: boolean;
+    /**
+     * Optional 32-byte AES-256-GCM key for encrypting values at rest in localStorage.
+     * Only used when type is 'localstorage' or 'auto' with localStorage fallback.
+     * If not provided, HKDF-SHA256 derives a key from a fixed IKM using the page origin.
+     */
+    encryptionKey?: Uint8Array;
 }
 /**
  * Options for creating a secret key.

package/crypto/node.d.ts

@@ -10,6 +10,8 @@ export { isRsaPssAlg, jwtAlgToNodeAlg } from './jwt-alg';
  * Node.js crypto provider implementation.
  */
 export declare const nodeCrypto: CryptoProvider;
+/** Alias for conditional import resolution via `#crypto-provider`. */
+export { nodeCrypto as cryptoProvider };
 /**
  * RSA JWK structure for public keys
  */

package/crypto/node.js

@@ -0,0 +1,185 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// libs/utils/src/crypto/node.ts
+var node_exports = {};
+__export(node_exports, {
+  createSignedJwt: () => createSignedJwt,
+  cryptoProvider: () => nodeCrypto,
+  generateRsaKeyPair: () => generateRsaKeyPair,
+  isRsaPssAlg: () => isRsaPssAlg,
+  jwtAlgToNodeAlg: () => jwtAlgToNodeAlg,
+  nodeCrypto: () => nodeCrypto,
+  rsaSign: () => rsaSign,
+  rsaVerify: () => rsaVerify
+});
+module.exports = __toCommonJS(node_exports);
+var import_node_crypto = __toESM(require("node:crypto"));
+
+// libs/utils/src/crypto/jwt-alg.ts
+var JWT_ALG_TO_NODE_DIGEST = {
+  RS256: "RSA-SHA256",
+  RS384: "RSA-SHA384",
+  RS512: "RSA-SHA512",
+  // For RSA-PSS, Node's crypto.sign/verify uses the digest algorithm + explicit PSS padding options.
+  PS256: "RSA-SHA256",
+  PS384: "RSA-SHA384",
+  PS512: "RSA-SHA512"
+};
+function jwtAlgToNodeAlg(jwtAlg) {
+  const nodeAlg = JWT_ALG_TO_NODE_DIGEST[jwtAlg];
+  if (!nodeAlg) {
+    throw new Error(`Unsupported JWT algorithm: ${jwtAlg}`);
+  }
+  return nodeAlg;
+}
+function isRsaPssAlg(jwtAlg) {
+  return jwtAlg.startsWith("PS");
+}
+
+// libs/utils/src/crypto/node.ts
+function toUint8Array(buf) {
+  return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
+}
+function toBuffer(data) {
+  if (typeof data === "string") {
+    return Buffer.from(data, "utf8");
+  }
+  return Buffer.from(data);
+}
+var nodeCrypto = {
+  randomUUID() {
+    return import_node_crypto.default.randomUUID();
+  },
+  randomBytes(length) {
+    return toUint8Array(import_node_crypto.default.randomBytes(length));
+  },
+  sha256(data) {
+    const hash = import_node_crypto.default.createHash("sha256").update(toBuffer(data)).digest();
+    return toUint8Array(hash);
+  },
+  sha256Hex(data) {
+    return import_node_crypto.default.createHash("sha256").update(toBuffer(data)).digest("hex");
+  },
+  hmacSha256(key, data) {
+    const hmac = import_node_crypto.default.createHmac("sha256", Buffer.from(key)).update(Buffer.from(data)).digest();
+    return toUint8Array(hmac);
+  },
+  hkdfSha256(ikm, salt, info, length) {
+    const ikmBuf = Buffer.from(ikm);
+    const saltBuf = salt.length > 0 ? Buffer.from(salt) : Buffer.alloc(32);
+    const prk = import_node_crypto.default.createHmac("sha256", saltBuf).update(ikmBuf).digest();
+    const hashLen = 32;
+    const n = Math.ceil(length / hashLen);
+    const chunks = [];
+    let prev = Buffer.alloc(0);
+    for (let i = 1; i <= n; i++) {
+      prev = import_node_crypto.default.createHmac("sha256", prk).update(Buffer.concat([prev, Buffer.from(info), Buffer.from([i])])).digest();
+      chunks.push(prev);
+    }
+    return toUint8Array(Buffer.concat(chunks).subarray(0, length));
+  },
+  encryptAesGcm(key, plaintext, iv) {
+    const cipher = import_node_crypto.default.createCipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+    const encrypted = Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return {
+      ciphertext: toUint8Array(encrypted),
+      tag: toUint8Array(tag)
+    };
+  },
+  decryptAesGcm(key, ciphertext, iv, tag) {
+    const decipher = import_node_crypto.default.createDecipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+    decipher.setAuthTag(Buffer.from(tag));
+    const decrypted = Buffer.concat([decipher.update(Buffer.from(ciphertext)), decipher.final()]);
+    return toUint8Array(decrypted);
+  },
+  timingSafeEqual(a, b) {
+    if (a.length !== b.length) return false;
+    return import_node_crypto.default.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+  }
+};
+function generateRsaKeyPair(modulusLength = 2048, alg = "RS256") {
+  const kid = `rsa-key-${Date.now()}-${import_node_crypto.default.randomBytes(8).toString("hex")}`;
+  const { privateKey, publicKey } = import_node_crypto.default.generateKeyPairSync("rsa", {
+    modulusLength
+  });
+  const exported = publicKey.export({ format: "jwk" });
+  const publicJwk = {
+    ...exported,
+    kid,
+    alg,
+    use: "sig",
+    kty: "RSA"
+  };
+  return { privateKey, publicKey, publicJwk };
+}
+function rsaSign(algorithm, data, privateKey, options) {
+  const signingKey = options ? { key: privateKey, ...options } : privateKey;
+  return import_node_crypto.default.sign(algorithm, data, signingKey);
+}
+function rsaVerify(jwtAlg, data, publicJwk, signature) {
+  const publicKey = import_node_crypto.default.createPublicKey({ key: publicJwk, format: "jwk" });
+  const nodeAlgorithm = jwtAlgToNodeAlg(jwtAlg);
+  const verifyKey = isRsaPssAlg(jwtAlg) ? {
+    key: publicKey,
+    padding: import_node_crypto.default.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: import_node_crypto.default.constants.RSA_PSS_SALTLEN_DIGEST
+  } : publicKey;
+  return import_node_crypto.default.verify(nodeAlgorithm, data, verifyKey, signature);
+}
+function createSignedJwt(payload, privateKey, kid, alg = "RS256") {
+  const header = { alg, typ: "JWT", kid };
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  const signatureInput = `${headerB64}.${payloadB64}`;
+  const nodeAlgorithm = jwtAlgToNodeAlg(alg);
+  const signature = rsaSign(
+    nodeAlgorithm,
+    Buffer.from(signatureInput),
+    privateKey,
+    isRsaPssAlg(alg) ? {
+      padding: import_node_crypto.default.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: import_node_crypto.default.constants.RSA_PSS_SALTLEN_DIGEST
+    } : void 0
+  );
+  const signatureB64 = signature.toString("base64url");
+  return `${headerB64}.${payloadB64}.${signatureB64}`;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createSignedJwt,
+  cryptoProvider,
+  generateRsaKeyPair,
+  isRsaPssAlg,
+  jwtAlgToNodeAlg,
+  nodeCrypto,
+  rsaSign,
+  rsaVerify
+});

package/env/browser-env.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Browser environment stubs.
+ *
+ * Returns safe defaults when running in a browser context
+ * where `process` is not available.
+ */
+export declare function getEnv(_key: string): string | undefined;
+export declare function getEnv(_key: string, defaultValue: string): string;
+export declare function getCwd(): string;
+export declare function isProduction(): boolean;
+export declare function isDevelopment(): boolean;
+export declare function getEnvFlag(_key: string): boolean;
+export declare function isDebug(): boolean;
+export declare function setEnv(_key: string, _value: string): void;
+export declare function isEdgeRuntime(): boolean;
+export declare function isServerless(): boolean;
+export declare function supportsAnsi(): boolean;

package/env/browser-env.js

@@ -0,0 +1,78 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// libs/utils/src/env/browser-env.ts
+var browser_env_exports = {};
+__export(browser_env_exports, {
+  getCwd: () => getCwd,
+  getEnv: () => getEnv,
+  getEnvFlag: () => getEnvFlag,
+  isDebug: () => isDebug,
+  isDevelopment: () => isDevelopment,
+  isEdgeRuntime: () => isEdgeRuntime,
+  isProduction: () => isProduction,
+  isServerless: () => isServerless,
+  setEnv: () => setEnv,
+  supportsAnsi: () => supportsAnsi
+});
+module.exports = __toCommonJS(browser_env_exports);
+function getEnv(_key, defaultValue) {
+  return defaultValue;
+}
+function getCwd() {
+  return "/";
+}
+function isProduction() {
+  return false;
+}
+function isDevelopment() {
+  return false;
+}
+function getEnvFlag(_key) {
+  return false;
+}
+function isDebug() {
+  return false;
+}
+function setEnv(_key, _value) {
+}
+function isEdgeRuntime() {
+  if (typeof globalThis !== "undefined" && "EdgeRuntime" in globalThis) return true;
+  if (typeof globalThis !== "undefined" && "caches" in globalThis && !("window" in globalThis)) return true;
+  return false;
+}
+function isServerless() {
+  return false;
+}
+function supportsAnsi() {
+  return false;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  getCwd,
+  getEnv,
+  getEnvFlag,
+  isDebug,
+  isDevelopment,
+  isEdgeRuntime,
+  isProduction,
+  isServerless,
+  setEnv,
+  supportsAnsi
+});

package/env/index.d.ts

@@ -0,0 +1 @@
+export { getEnv, getCwd, isProduction, isDevelopment, getEnvFlag, isDebug, setEnv, isEdgeRuntime, isServerless, supportsAnsi, } from '#env';