@generazioneai/authz 0.0.1

package/dist/define-resource.js

@@ -0,0 +1,26 @@
+"use strict";
+// Step 1 — Resource Manifest DSL
+// Reference: plan riprendiamo-il-plan-di-delegated-petal.md sezione "DSL `defineResource()`"
+//
+// Ogni microservizio possessore (skillAuth, skillID, skillCertet) dichiara i suoi
+// resource manifest in `*.resource.ts` co-locati con il modulo Prisma corrispondente.
+// skillID importa il registry aggregato a build-time per buildare gli snapshot CASL.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defineResource = defineResource;
+/**
+ * Identity function generica. Type inference vincola scope templates a essere
+ * strutturalmente compatibili con `Prisma.<Model>WhereInput`.
+ *
+ * Esempio:
+ *   export const CourseResource = defineResource<Prisma.CourseWhereInput, 'Course'>({
+ *     subject: 'Course',
+ *     prismaModel: 'course',
+ *     service: 'skillID',
+ *     tenancy: { kind: 'single', field: 'juridicalId' },
+ *     // ...
+ *   });
+ */
+function defineResource(manifest) {
+    return manifest;
+}
+//# sourceMappingURL=define-resource.js.map

package/dist/define-resource.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"define-resource.js","sourceRoot":"","sources":["../src/define-resource.ts"],"names":[],"mappings":";AAAA,iCAAiC;AACjC,6FAA6F;AAC7F,EAAE;AACF,kFAAkF;AAClF,sFAAsF;AACtF,qFAAqF;;AAgKrF,wCAMC;AAnBD;;;;;;;;;;;;GAYG;AACH,SAAgB,cAAc,CAI5B,QAAoC;IACpC,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export * from './define-resource';
+export * from './resource-registry';
+export * from './resource-registry.module';
+export * from './scope-substitute';
+export * from './context/als';
+export * from './context/authz-context';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,qBAAqB,CAAC;AACpC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,oBAAoB,CAAC;AACnC,cAAc,eAAe,CAAC;AAC9B,cAAc,yBAAyB,CAAC"}

package/dist/index.js

@@ -0,0 +1,23 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./define-resource"), exports);
+__exportStar(require("./resource-registry"), exports);
+__exportStar(require("./resource-registry.module"), exports);
+__exportStar(require("./scope-substitute"), exports);
+__exportStar(require("./context/als"), exports);
+__exportStar(require("./context/authz-context"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,oDAAkC;AAClC,sDAAoC;AACpC,6DAA2C;AAC3C,qDAAmC;AACnC,gDAA8B;AAC9B,0DAAwC"}

package/dist/nats/canonical-hash.d.ts

@@ -0,0 +1,5 @@
+/** Deterministic string form of a value (recursively key-sorted). */
+export declare function canonicalize(value: unknown): string;
+/** sha256 hex of the canonical form. 64 hex chars. */
+export declare function bodyHash(value: unknown): string;
+//# sourceMappingURL=canonical-hash.d.ts.map

package/dist/nats/canonical-hash.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical-hash.d.ts","sourceRoot":"","sources":["../../src/nats/canonical-hash.ts"],"names":[],"mappings":"AAUA,qEAAqE;AACrE,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAEnD;AAED,sDAAsD;AACtD,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAE/C"}

package/dist/nats/canonical-hash.js

@@ -0,0 +1,24 @@
+"use strict";
+// Step 2 DEC-S2.8/19 — canonical body hashing for the internal NATS JWT `req` claim.
+//
+// The gateway hashes the outbound NATS payload (minus the injected token field) and
+// puts the hash in the JWT; the downstream verifier re-hashes and compares. Plain
+// JSON.stringify is insufficient (Node only guarantees insertion order), so we
+// canonicalize with json-stable-stringify (deterministic, recursive key sort).
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.canonicalize = canonicalize;
+exports.bodyHash = bodyHash;
+const node_crypto_1 = require("node:crypto");
+const json_stable_stringify_1 = __importDefault(require("json-stable-stringify"));
+/** Deterministic string form of a value (recursively key-sorted). */
+function canonicalize(value) {
+    return (0, json_stable_stringify_1.default)(value) ?? 'null';
+}
+/** sha256 hex of the canonical form. 64 hex chars. */
+function bodyHash(value) {
+    return (0, node_crypto_1.createHash)('sha256').update(canonicalize(value)).digest('hex');
+}
+//# sourceMappingURL=canonical-hash.js.map

package/dist/nats/canonical-hash.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical-hash.js","sourceRoot":"","sources":["../../src/nats/canonical-hash.ts"],"names":[],"mappings":";AAAA,qFAAqF;AACrF,EAAE;AACF,oFAAoF;AACpF,kFAAkF;AAClF,+EAA+E;AAC/E,+EAA+E;;;;;AAM/E,oCAEC;AAGD,4BAEC;AAXD,6CAAyC;AACzC,kFAAoD;AAEpD,qEAAqE;AACrE,SAAgB,YAAY,CAAC,KAAc;IACzC,OAAO,IAAA,+BAAe,EAAC,KAAK,CAAC,IAAI,MAAM,CAAC;AAC1C,CAAC;AAED,sDAAsD;AACtD,SAAgB,QAAQ,CAAC,KAAc;IACrC,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxE,CAAC"}

package/dist/nats/index.d.ts

@@ -0,0 +1,7 @@
+export * from './canonical-hash';
+export * from './internal-token';
+export * from './internal-token.signer';
+export * from './key-loader';
+export * from './jwks-client';
+export * from './replay-cache';
+//# sourceMappingURL=index.d.ts.map

package/dist/nats/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nats/index.ts"],"names":[],"mappings":"AAIA,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,yBAAyB,CAAC;AACxC,cAAc,cAAc,CAAC;AAC7B,cAAc,eAAe,CAAC;AAC9B,cAAc,gBAAgB,CAAC"}

package/dist/nats/index.js

@@ -0,0 +1,27 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// @generazioneai/authz/nats — Step 2 internal NATS JWT surface.
+// Crypto core (no NestJS runtime dep). The NestJS proxy/interceptor that wrap these
+// (NatsScopedClientProxy, InternalAuthInterceptor) are added once @nestjs/microservices
+// is wired in the consuming services.
+__exportStar(require("./canonical-hash"), exports);
+__exportStar(require("./internal-token"), exports);
+__exportStar(require("./internal-token.signer"), exports);
+__exportStar(require("./key-loader"), exports);
+__exportStar(require("./jwks-client"), exports);
+__exportStar(require("./replay-cache"), exports);
+//# sourceMappingURL=index.js.map

package/dist/nats/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nats/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,gEAAgE;AAChE,oFAAoF;AACpF,wFAAwF;AACxF,sCAAsC;AACtC,mDAAiC;AACjC,mDAAiC;AACjC,0DAAwC;AACxC,+CAA6B;AAC7B,gDAA8B;AAC9B,iDAA+B"}

package/dist/nats/internal-token.d.ts

@@ -0,0 +1,56 @@
+import { SignJWT, jwtVerify } from 'jose';
+/** Top-level payload field carrying the token (DEC-S2.18). */
+export declare const INTERNAL_JWT_FIELD = "_internalJwt";
+export declare const INTERNAL_ISSUER = "skillera-gateway";
+export declare const INTERNAL_ALG = "EdDSA";
+export declare const INTERNAL_JWT_TTL_SEC = 30;
+export declare const INTERNAL_JWT_CLOCK_TOLERANCE = "5s";
+/** Signing key material jose accepts for EdDSA (CryptoKey/KeyObject/Uint8Array). */
+export type SigningKey = Parameters<SignJWT['sign']>[0];
+/** Verification key material: a static key OR a remote JWKS getter function. */
+export type VerificationKey = SigningKey | Parameters<typeof jwtVerify>[1];
+export interface InternalTokenInput {
+    audience: string;
+    subject: string;
+    cmd: string;
+    reqHash: string;
+    juridicalIndividualId?: string;
+    tenantId?: string;
+    snapId?: string;
+    permHash?: string;
+    jti?: string;
+    nowSec?: number;
+}
+export interface InternalClaims {
+    iss: string;
+    aud: string;
+    sub: string;
+    ji?: string;
+    tnt?: string;
+    snap?: string;
+    ph?: string;
+    cmd: string;
+    req: string;
+    jti: string;
+    iat: number;
+    exp: number;
+}
+/** DEC-S2.7: sign the canonical claim set. Header carries `kid` for rotation. */
+export declare function signInternalToken(key: SigningKey, kid: string, input: InternalTokenInput): Promise<string>;
+/** Reason labels for verify failures (DEC-S2.30 metrics + Step 7 audit). */
+export type InternalAuthReason = 'missing' | 'sig' | 'exp' | 'aud' | 'jwks' | 'hash' | 'cmd' | 'replay' | 'backend';
+export declare class InternalAuthError extends Error {
+    readonly reason: InternalAuthReason;
+    constructor(reason: InternalAuthReason, message?: string);
+}
+/**
+ * DEC-S2.23 step 2: verify signature + iss + aud + exp via jose. Maps jose errors to
+ * an InternalAuthError with a precise reason label. Does NOT check body-hash/cmd/replay
+ * (the caller does, after re-extracting the payload) — see assert* helpers below.
+ */
+export declare function verifyInternalToken(jwt: string, key: VerificationKey, audience: string): Promise<InternalClaims>;
+/** DEC-S2.23 step 3: re-hash the payload (token field already removed) and compare. */
+export declare function assertBodyHash(claims: InternalClaims, payloadWithoutToken: unknown): void;
+/** DEC-S2.23 step 4: the token's cmd must match the actual NATS pattern. */
+export declare function assertCmd(claims: InternalClaims, cmd: string): void;
+//# sourceMappingURL=internal-token.d.ts.map

package/dist/nats/internal-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-token.d.ts","sourceRoot":"","sources":["../../src/nats/internal-token.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAI1C,8DAA8D;AAC9D,eAAO,MAAM,kBAAkB,iBAAiB,CAAC;AACjD,eAAO,MAAM,eAAe,qBAAqB,CAAC;AAClD,eAAO,MAAM,YAAY,UAAU,CAAC;AACpC,eAAO,MAAM,oBAAoB,KAAK,CAAC;AACvC,eAAO,MAAM,4BAA4B,OAAO,CAAC;AAEjD,oFAAoF;AACpF,MAAM,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACxD,gFAAgF;AAChF,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE3E,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,iFAAiF;AACjF,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,UAAU,EACf,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,kBAAkB,GACxB,OAAO,CAAC,MAAM,CAAC,CAoBjB;AAED,4EAA4E;AAC5E,MAAM,MAAM,kBAAkB,GAC1B,SAAS,GACT,KAAK,GACL,KAAK,GACL,KAAK,GACL,MAAM,GACN,MAAM,GACN,KAAK,GACL,QAAQ,GACR,SAAS,CAAC;AAEd,qBAAa,iBAAkB,SAAQ,KAAK;aACd,MAAM,EAAE,kBAAkB;gBAA1B,MAAM,EAAE,kBAAkB,EAAE,OAAO,CAAC,EAAE,MAAM;CAIzE;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,eAAe,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,cAAc,CAAC,CAkBzB;AAED,uFAAuF;AACvF,wBAAgB,cAAc,CAAC,MAAM,EAAE,cAAc,EAAE,mBAAmB,EAAE,OAAO,GAAG,IAAI,CAIzF;AAED,4EAA4E;AAC5E,wBAAgB,SAAS,CAAC,MAAM,EAAE,cAAc,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAInE"}

package/dist/nats/internal-token.js

@@ -0,0 +1,93 @@
+"use strict";
+// Step 2 DEC-S2.1/7/11/23 — internal NATS JWT sign + verify (EdDSA / Ed25519).
+//
+// Pure crypto core (no NestJS): the gateway signs a short-lived token per NATS call;
+// the downstream verifier checks signature/issuer/audience/expiry via jose, then the
+// caller asserts body-hash + cmd (this module's assert* helpers) and replay (Redis).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InternalAuthError = exports.INTERNAL_JWT_CLOCK_TOLERANCE = exports.INTERNAL_JWT_TTL_SEC = exports.INTERNAL_ALG = exports.INTERNAL_ISSUER = exports.INTERNAL_JWT_FIELD = void 0;
+exports.signInternalToken = signInternalToken;
+exports.verifyInternalToken = verifyInternalToken;
+exports.assertBodyHash = assertBodyHash;
+exports.assertCmd = assertCmd;
+const jose_1 = require("jose");
+const node_crypto_1 = require("node:crypto");
+const canonical_hash_1 = require("./canonical-hash");
+/** Top-level payload field carrying the token (DEC-S2.18). */
+exports.INTERNAL_JWT_FIELD = '_internalJwt';
+exports.INTERNAL_ISSUER = 'skillera-gateway';
+exports.INTERNAL_ALG = 'EdDSA';
+exports.INTERNAL_JWT_TTL_SEC = 30; // DEC-S2.11
+exports.INTERNAL_JWT_CLOCK_TOLERANCE = '5s'; // DEC-S2.11
+/** DEC-S2.7: sign the canonical claim set. Header carries `kid` for rotation. */
+async function signInternalToken(key, kid, input) {
+    const now = input.nowSec ?? Math.floor(Date.now() / 1000);
+    const claims = {
+        cmd: input.cmd,
+        req: input.reqHash,
+        jti: input.jti ?? (0, node_crypto_1.randomUUID)(),
+    };
+    if (input.juridicalIndividualId !== undefined)
+        claims.ji = input.juridicalIndividualId;
+    if (input.tenantId !== undefined)
+        claims.tnt = input.tenantId;
+    if (input.snapId !== undefined)
+        claims.snap = input.snapId;
+    if (input.permHash !== undefined)
+        claims.ph = input.permHash;
+    return new jose_1.SignJWT(claims)
+        .setProtectedHeader({ alg: exports.INTERNAL_ALG, kid, typ: 'JWT' })
+        .setIssuer(exports.INTERNAL_ISSUER)
+        .setAudience(input.audience)
+        .setSubject(input.subject)
+        .setIssuedAt(now)
+        .setExpirationTime(now + exports.INTERNAL_JWT_TTL_SEC)
+        .sign(key);
+}
+class InternalAuthError extends Error {
+    constructor(reason, message) {
+        super(message ?? `internal-auth: ${reason}`);
+        this.reason = reason;
+        this.name = 'InternalAuthError';
+    }
+}
+exports.InternalAuthError = InternalAuthError;
+/**
+ * DEC-S2.23 step 2: verify signature + iss + aud + exp via jose. Maps jose errors to
+ * an InternalAuthError with a precise reason label. Does NOT check body-hash/cmd/replay
+ * (the caller does, after re-extracting the payload) — see assert* helpers below.
+ */
+async function verifyInternalToken(jwt, key, audience) {
+    try {
+        const { payload } = await (0, jose_1.jwtVerify)(jwt, key, {
+            issuer: exports.INTERNAL_ISSUER,
+            audience,
+            algorithms: [exports.INTERNAL_ALG],
+            clockTolerance: exports.INTERNAL_JWT_CLOCK_TOLERANCE,
+        });
+        return payload;
+    }
+    catch (e) {
+        const code = e.code ?? '';
+        if (code === 'ERR_JWT_EXPIRED')
+            throw new InternalAuthError('exp', e.message);
+        if (code === 'ERR_JWT_CLAIM_VALIDATION_FAILED')
+            throw new InternalAuthError('aud', e.message);
+        if (code === 'ERR_JWKS_NO_MATCHING_KEY' || code === 'ERR_JWKS_MULTIPLE_MATCHING_KEYS')
+            throw new InternalAuthError('jwks', e.message);
+        throw new InternalAuthError('sig', e.message);
+    }
+}
+/** DEC-S2.23 step 3: re-hash the payload (token field already removed) and compare. */
+function assertBodyHash(claims, payloadWithoutToken) {
+    if (claims.req !== (0, canonical_hash_1.bodyHash)(payloadWithoutToken)) {
+        throw new InternalAuthError('hash', 'request body hash mismatch (payload tampered)');
+    }
+}
+/** DEC-S2.23 step 4: the token's cmd must match the actual NATS pattern. */
+function assertCmd(claims, cmd) {
+    if (claims.cmd !== cmd) {
+        throw new InternalAuthError('cmd', `cmd mismatch: token='${claims.cmd}' actual='${cmd}'`);
+    }
+}
+//# sourceMappingURL=internal-token.js.map

package/dist/nats/internal-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-token.js","sourceRoot":"","sources":["../../src/nats/internal-token.ts"],"names":[],"mappings":";AAAA,+EAA+E;AAC/E,EAAE;AACF,qFAAqF;AACrF,qFAAqF;AACrF,qFAAqF;;;AA+CrF,8CAwBC;AA0BD,kDAsBC;AAGD,wCAIC;AAGD,8BAIC;AAnID,+BAA0C;AAC1C,6CAAyC;AACzC,qDAA4C;AAE5C,8DAA8D;AACjD,QAAA,kBAAkB,GAAG,cAAc,CAAC;AACpC,QAAA,eAAe,GAAG,kBAAkB,CAAC;AACrC,QAAA,YAAY,GAAG,OAAO,CAAC;AACvB,QAAA,oBAAoB,GAAG,EAAE,CAAC,CAAC,YAAY;AACvC,QAAA,4BAA4B,GAAG,IAAI,CAAC,CAAC,YAAY;AAmC9D,iFAAiF;AAC1E,KAAK,UAAU,iBAAiB,CACrC,GAAe,EACf,GAAW,EACX,KAAyB;IAEzB,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1D,MAAM,MAAM,GAA4B;QACtC,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,GAAG,EAAE,KAAK,CAAC,OAAO;QAClB,GAAG,EAAE,KAAK,CAAC,GAAG,IAAI,IAAA,wBAAU,GAAE;KAC/B,CAAC;IACF,IAAI,KAAK,CAAC,qBAAqB,KAAK,SAAS;QAAE,MAAM,CAAC,EAAE,GAAG,KAAK,CAAC,qBAAqB,CAAC;IACvF,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS;QAAE,MAAM,CAAC,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC;IAC9D,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS;QAAE,MAAM,CAAC,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC;IAC3D,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS;QAAE,MAAM,CAAC,EAAE,GAAG,KAAK,CAAC,QAAQ,CAAC;IAE7D,OAAO,IAAI,cAAO,CAAC,MAAM,CAAC;SACvB,kBAAkB,CAAC,EAAE,GAAG,EAAE,oBAAY,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;SAC1D,SAAS,CAAC,uBAAe,CAAC;SAC1B,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC;SAC3B,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC;SACzB,WAAW,CAAC,GAAG,CAAC;SAChB,iBAAiB,CAAC,GAAG,GAAG,4BAAoB,CAAC;SAC7C,IAAI,CAAC,GAAqC,CAAC,CAAC;AACjD,CAAC;AAcD,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YAA4B,MAA0B,EAAE,OAAgB;QACtE,KAAK,CAAC,OAAO,IAAI,kBAAkB,MAAM,EAAE,CAAC,CAAC;QADnB,WAAM,GAAN,MAAM,CAAoB;QAEpD,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AALD,8CAKC;AAED;;;;GAIG;AACI,KAAK,UAAU,mBAAmB,CACvC,GAAW,EACX,GAAoB,EACpB,QAAgB;IAEhB,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,GAAG,EAAE,GAAU,EAAE;YACnD,MAAM,EAAE,uBAAe;YACvB,QAAQ;YACR,UAAU,EAAE,CAAC,oBAAY,CAAC;YAC1B,cAAc,EAAE,oCAA4B;SAC7C,CAAC,CAAC;QACH,OAAO,OAAoC,CAAC;IAC9C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,GAAI,CAAuB,CAAC,IAAI,IAAI,EAAE,CAAC;QACjD,IAAI,IAAI,KAAK,iBAAiB;YAAE,MAAM,IAAI,iBAAiB,CAAC,KAAK,EAAG,CAAW,CAAC,OAAO,CAAC,CAAC;QACzF,IAAI,IAAI,KAAK,iCAAiC;YAC5C,MAAM,IAAI,iBAAiB,CAAC,KAAK,EAAG,CAAW,CAAC,OAAO,CAAC,CAAC;QAC3D,IAAI,IAAI,KAAK,0BAA0B,IAAI,IAAI,KAAK,iCAAiC;YACnF,MAAM,IAAI,iBAAiB,CAAC,MAAM,EAAG,CAAW,CAAC,OAAO,CAAC,CAAC;QAC5D,MAAM,IAAI,iBAAiB,CAAC,KAAK,EAAG,CAAW,CAAC,OAAO,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED,uFAAuF;AACvF,SAAgB,cAAc,CAAC,MAAsB,EAAE,mBAA4B;IACjF,IAAI,MAAM,CAAC,GAAG,KAAK,IAAA,yBAAQ,EAAC,mBAAmB,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,iBAAiB,CAAC,MAAM,EAAE,+CAA+C,CAAC,CAAC;IACvF,CAAC;AACH,CAAC;AAED,4EAA4E;AAC5E,SAAgB,SAAS,CAAC,MAAsB,EAAE,GAAW;IAC3D,IAAI,MAAM,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;QACvB,MAAM,IAAI,iBAAiB,CAAC,KAAK,EAAE,wBAAwB,MAAM,CAAC,GAAG,aAAa,GAAG,GAAG,CAAC,CAAC;IAC5F,CAAC;AACH,CAAC"}

package/dist/nats/internal-token.signer.d.ts

@@ -0,0 +1,21 @@
+import type { AuthzContext } from '../context/authz-context';
+import { type SigningKey } from './internal-token';
+export interface SignerConfig {
+    key: SigningKey;
+    kid: string;
+    /** Subject used when there is no user in context (system/cron calls). */
+    systemSubject?: string;
+}
+export declare class InternalTokenSigner {
+    private readonly cfg;
+    constructor(cfg: SignerConfig);
+    /**
+     * Returns a shallow clone of `payload` with `_internalJwt` attached. The `req`
+     * body-hash is computed over the payload BEFORE the token is added (DEC-S2.19),
+     * so the downstream verifier reproduces it after stripping the field.
+     */
+    sign(cmd: string, audience: string, payload: Record<string, unknown>, ctx?: AuthzContext): Promise<Record<string, unknown>>;
+}
+/** `{cmd:'x'}` → 'x'; anything else → stable JSON (EDGE-S2.36). */
+export declare function patternToCmd(pattern: unknown): string;
+//# sourceMappingURL=internal-token.signer.d.ts.map

package/dist/nats/internal-token.signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-token.signer.d.ts","sourceRoot":"","sources":["../../src/nats/internal-token.signer.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAE7D,OAAO,EAAyC,KAAK,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE1F,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,UAAU,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,yEAAyE;IACzE,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,qBAAa,mBAAmB;IAClB,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAAH,GAAG,EAAE,YAAY;IAE9C;;;;OAIG;IACG,IAAI,CACR,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,GAAG,CAAC,EAAE,YAAY,GACjB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAmBpC;AAED,mEAAmE;AACnE,wBAAgB,YAAY,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAKrD"}

package/dist/nats/internal-token.signer.js

@@ -0,0 +1,48 @@
+"use strict";
+// Step 2 DEC-S2.16/19 — signer logic (transport-agnostic, testable).
+// The NatsScopedClientProxy (src/nest) calls this to build the outbound payload:
+// hash the payload WITHOUT the token field, sign, then attach `_internalJwt`.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InternalTokenSigner = void 0;
+exports.patternToCmd = patternToCmd;
+const als_1 = require("../context/als");
+const canonical_hash_1 = require("./canonical-hash");
+const internal_token_1 = require("./internal-token");
+class InternalTokenSigner {
+    constructor(cfg) {
+        this.cfg = cfg;
+    }
+    /**
+     * Returns a shallow clone of `payload` with `_internalJwt` attached. The `req`
+     * body-hash is computed over the payload BEFORE the token is added (DEC-S2.19),
+     * so the downstream verifier reproduces it after stripping the field.
+     */
+    async sign(cmd, audience, payload, ctx) {
+        const c = ctx ?? als_1.authzAls.getStore();
+        const subject = c?.userId ?? this.cfg.systemSubject;
+        if (!subject) {
+            throw new Error(`[authz] cannot sign internal token for '${cmd}': no userId in context`);
+        }
+        const reqHash = (0, canonical_hash_1.bodyHash)(payload ?? {});
+        const jwt = await (0, internal_token_1.signInternalToken)(this.cfg.key, this.cfg.kid, {
+            audience,
+            subject,
+            cmd,
+            reqHash,
+            juridicalIndividualId: c?.juridicalIndividualId,
+            tenantId: c?.tenantId,
+            snapId: c?.snapId,
+            permHash: c?.permHash,
+        });
+        return { ...(payload ?? {}), [internal_token_1.INTERNAL_JWT_FIELD]: jwt };
+    }
+}
+exports.InternalTokenSigner = InternalTokenSigner;
+/** `{cmd:'x'}` → 'x'; anything else → stable JSON (EDGE-S2.36). */
+function patternToCmd(pattern) {
+    if (pattern && typeof pattern === 'object' && typeof pattern.cmd === 'string') {
+        return pattern.cmd;
+    }
+    return JSON.stringify(pattern);
+}
+//# sourceMappingURL=internal-token.signer.js.map

package/dist/nats/internal-token.signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-token.signer.js","sourceRoot":"","sources":["../../src/nats/internal-token.signer.ts"],"names":[],"mappings":";AAAA,qEAAqE;AACrE,iFAAiF;AACjF,8EAA8E;;;AAiD9E,oCAKC;AApDD,wCAA0C;AAE1C,qDAA4C;AAC5C,qDAA0F;AAS1F,MAAa,mBAAmB;IAC9B,YAA6B,GAAiB;QAAjB,QAAG,GAAH,GAAG,CAAc;IAAG,CAAC;IAElD;;;;OAIG;IACH,KAAK,CAAC,IAAI,CACR,GAAW,EACX,QAAgB,EAChB,OAAgC,EAChC,GAAkB;QAElB,MAAM,CAAC,GAAG,GAAG,IAAI,cAAQ,CAAC,QAAQ,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,CAAC,EAAE,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC;QACpD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,2CAA2C,GAAG,yBAAyB,CAAC,CAAC;QAC3F,CAAC;QACD,MAAM,OAAO,GAAG,IAAA,yBAAQ,EAAC,OAAO,IAAI,EAAE,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,IAAA,kCAAiB,EAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE;YAC9D,QAAQ;YACR,OAAO;YACP,GAAG;YACH,OAAO;YACP,qBAAqB,EAAE,CAAC,EAAE,qBAAqB;YAC/C,QAAQ,EAAE,CAAC,EAAE,QAAQ;YACrB,MAAM,EAAE,CAAC,EAAE,MAAM;YACjB,QAAQ,EAAE,CAAC,EAAE,QAAQ;SACtB,CAAC,CAAC;QACH,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,CAAC,mCAAkB,CAAC,EAAE,GAAG,EAAE,CAAC;IAC3D,CAAC;CACF;AAhCD,kDAgCC;AAED,mEAAmE;AACnE,SAAgB,YAAY,CAAC,OAAgB;IAC3C,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAQ,OAA6B,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACrG,OAAQ,OAA2B,CAAC,GAAG,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC"}

package/dist/nats/jwks-client.d.ts

@@ -0,0 +1,10 @@
+import { createRemoteJWKSet } from 'jose';
+export interface JwksClientOptions {
+    /** e.g. http://backend-skillera-auth-svc:3000/internal/jwks */
+    url: string;
+    cacheMaxAgeMs?: number;
+    cooldownMs?: number;
+}
+export type JwksKeyGetter = ReturnType<typeof createRemoteJWKSet>;
+export declare function createInternalJwks(opts: JwksClientOptions): JwksKeyGetter;
+//# sourceMappingURL=jwks-client.d.ts.map

package/dist/nats/jwks-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks-client.d.ts","sourceRoot":"","sources":["../../src/nats/jwks-client.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,kBAAkB,EAAE,MAAM,MAAM,CAAC;AAE1C,MAAM,WAAW,iBAAiB;IAChC,+DAA+D;IAC/D,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAElE,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,iBAAiB,GAAG,aAAa,CAKzE"}

package/dist/nats/jwks-client.js

@@ -0,0 +1,14 @@
+"use strict";
+// Step 2 DEC-S2.14 — remote JWKS verification key set (skillAuth /internal/jwks).
+// Singleton per process: caches keys 1h, 10min cooldown between refetch attempts,
+// keeps the last-known set in memory across fetch failures (DEC-S2.15 fail-soft).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createInternalJwks = createInternalJwks;
+const jose_1 = require("jose");
+function createInternalJwks(opts) {
+    return (0, jose_1.createRemoteJWKSet)(new URL(opts.url), {
+        cacheMaxAge: opts.cacheMaxAgeMs ?? 3_600_000,
+        cooldownDuration: opts.cooldownMs ?? 600_000,
+    });
+}
+//# sourceMappingURL=jwks-client.js.map

package/dist/nats/jwks-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks-client.js","sourceRoot":"","sources":["../../src/nats/jwks-client.ts"],"names":[],"mappings":";AAAA,kFAAkF;AAClF,kFAAkF;AAClF,kFAAkF;;AAalF,gDAKC;AAhBD,+BAA0C;AAW1C,SAAgB,kBAAkB,CAAC,IAAuB;IACxD,OAAO,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;QAC3C,WAAW,EAAE,IAAI,CAAC,aAAa,IAAI,SAAS;QAC5C,gBAAgB,EAAE,IAAI,CAAC,UAAU,IAAI,OAAO;KAC7C,CAAC,CAAC;AACL,CAAC"}

package/dist/nats/key-loader.d.ts

@@ -0,0 +1,24 @@
+import { importJWK, type JWK } from 'jose';
+type ImportedKey = Awaited<ReturnType<typeof importJWK>>;
+export declare const DEFAULT_SIGNING_KEY_PATH = "/etc/skillera/authz/signing-key.jwk.json";
+export declare const SIGNING_KEY_ENV = "AUTHZ_SIGNING_KEY_JWK";
+export declare const SIGNING_KEY_PATH_ENV = "AUTHZ_SIGNING_KEY_PATH";
+export interface LoadedSigningKey {
+    key: ImportedKey;
+    kid: string;
+}
+/** Load the private signing key. Throws (fail-closed) if absent/corrupt. */
+export declare function loadSigningKey(opts?: {
+    path?: string;
+    envVar?: string;
+}): Promise<LoadedSigningKey>;
+/**
+ * Generate an Ed25519 keypair as JWKs (DEC-S2.2). Used by the rotation script
+ * (packages/authz/scripts/rotate.ts) and tests. `kid` convention: timestamped.
+ */
+export declare function generateSigningKeyPair(kid: string): Promise<{
+    privateJwk: JWK;
+    publicJwk: JWK;
+}>;
+export {};
+//# sourceMappingURL=key-loader.d.ts.map

package/dist/nats/key-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-loader.d.ts","sourceRoot":"","sources":["../../src/nats/key-loader.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,SAAS,EAA8B,KAAK,GAAG,EAAE,MAAM,MAAM,CAAC;AAGvE,KAAK,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC;AAEzD,eAAO,MAAM,wBAAwB,6CAA6C,CAAC;AACnF,eAAO,MAAM,eAAe,0BAA0B,CAAC;AACvD,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAE7D,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,WAAW,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;CACb;AA8BD,4EAA4E;AAC5E,wBAAsB,cAAc,CAClC,IAAI,GAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAO,GAC5C,OAAO,CAAC,gBAAgB,CAAC,CAI3B;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,MAAM,GACV,OAAO,CAAC;IAAE,UAAU,EAAE,GAAG,CAAC;IAAC,SAAS,EAAE,GAAG,CAAA;CAAE,CAAC,CAU9C"}

package/dist/nats/key-loader.js

@@ -0,0 +1,65 @@
+"use strict";
+// Step 2 DEC-S2.3 / EDGE-S2.21 — load the gateway Ed25519 signing key (fail-closed).
+//
+// Primary: K8s Secret mounted as a JWK file (/etc/skillera/authz/signing-key.jwk.json).
+// Fallback (dev): base64-encoded JWK in env AUTHZ_SIGNING_KEY_JWK.
+// A missing/corrupt key throws — the gateway must refuse to boot (fail-closed).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SIGNING_KEY_PATH_ENV = exports.SIGNING_KEY_ENV = exports.DEFAULT_SIGNING_KEY_PATH = void 0;
+exports.loadSigningKey = loadSigningKey;
+exports.generateSigningKeyPair = generateSigningKeyPair;
+const node_fs_1 = require("node:fs");
+const jose_1 = require("jose");
+const internal_token_1 = require("./internal-token");
+exports.DEFAULT_SIGNING_KEY_PATH = '/etc/skillera/authz/signing-key.jwk.json';
+exports.SIGNING_KEY_ENV = 'AUTHZ_SIGNING_KEY_JWK';
+exports.SIGNING_KEY_PATH_ENV = 'AUTHZ_SIGNING_KEY_PATH';
+function readKeyJwk(opts) {
+    const path = opts.path ?? process.env[exports.SIGNING_KEY_PATH_ENV] ?? exports.DEFAULT_SIGNING_KEY_PATH;
+    const envVar = opts.envVar ?? exports.SIGNING_KEY_ENV;
+    let raw;
+    if ((0, node_fs_1.existsSync)(path)) {
+        raw = (0, node_fs_1.readFileSync)(path, 'utf8');
+    }
+    else if (process.env[envVar]) {
+        raw = Buffer.from(process.env[envVar], 'base64').toString('utf8');
+    }
+    if (!raw) {
+        throw new Error(`[authz] signing key not found — neither file '${path}' nor env '${envVar}' present`);
+    }
+    let jwk;
+    try {
+        jwk = JSON.parse(raw);
+    }
+    catch (e) {
+        throw new Error(`[authz] signing key JWK is not valid JSON: ${e.message}`);
+    }
+    if (!jwk.kid)
+        throw new Error('[authz] signing key JWK is missing the required "kid"');
+    if (jwk.crv && jwk.crv !== 'Ed25519') {
+        throw new Error(`[authz] signing key must be Ed25519 (got crv='${jwk.crv}')`);
+    }
+    return jwk;
+}
+/** Load the private signing key. Throws (fail-closed) if absent/corrupt. */
+async function loadSigningKey(opts = {}) {
+    const jwk = readKeyJwk(opts);
+    const key = await (0, jose_1.importJWK)(jwk, internal_token_1.INTERNAL_ALG);
+    return { key, kid: jwk.kid };
+}
+/**
+ * Generate an Ed25519 keypair as JWKs (DEC-S2.2). Used by the rotation script
+ * (packages/authz/scripts/rotate.ts) and tests. `kid` convention: timestamped.
+ */
+async function generateSigningKeyPair(kid) {
+    const { privateKey, publicKey } = await (0, jose_1.generateKeyPair)(internal_token_1.INTERNAL_ALG, {
+        crv: 'Ed25519',
+        extractable: true,
+    });
+    const base = { kid, alg: internal_token_1.INTERNAL_ALG, use: 'sig' };
+    return {
+        privateJwk: { ...(await (0, jose_1.exportJWK)(privateKey)), ...base },
+        publicJwk: { ...(await (0, jose_1.exportJWK)(publicKey)), ...base },
+    };
+}
+//# sourceMappingURL=key-loader.js.map

package/dist/nats/key-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-loader.js","sourceRoot":"","sources":["../../src/nats/key-loader.ts"],"names":[],"mappings":";AAAA,qFAAqF;AACrF,EAAE;AACF,wFAAwF;AACxF,mEAAmE;AACnE,gFAAgF;;;AA8ChF,wCAMC;AAMD,wDAYC;AApED,qCAAmD;AACnD,+BAAuE;AACvE,qDAAgD;AAInC,QAAA,wBAAwB,GAAG,0CAA0C,CAAC;AACtE,QAAA,eAAe,GAAG,uBAAuB,CAAC;AAC1C,QAAA,oBAAoB,GAAG,wBAAwB,CAAC;AAO7D,SAAS,UAAU,CAAC,IAAwC;IAC1D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,4BAAoB,CAAC,IAAI,gCAAwB,CAAC;IACxF,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,uBAAe,CAAC;IAE9C,IAAI,GAAuB,CAAC;IAC5B,IAAI,IAAA,oBAAU,EAAC,IAAI,CAAC,EAAE,CAAC;QACrB,GAAG,GAAG,IAAA,sBAAY,EAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;SAAM,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAW,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CACb,iDAAiD,IAAI,cAAc,MAAM,WAAW,CACrF,CAAC;IACJ,CAAC;IACD,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAQ,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,8CAA+C,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IACvF,IAAI,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,iDAAiD,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;IAChF,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4EAA4E;AACrE,KAAK,UAAU,cAAc,CAClC,OAA2C,EAAE;IAE7C,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,GAAG,GAAG,MAAM,IAAA,gBAAS,EAAC,GAAG,EAAE,6BAAY,CAAC,CAAC;IAC/C,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAa,EAAE,CAAC;AACzC,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,sBAAsB,CAC1C,GAAW;IAEX,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,IAAA,sBAAe,EAAC,6BAAY,EAAE;QACpE,GAAG,EAAE,SAAS;QACd,WAAW,EAAE,IAAI;KAClB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,6BAAY,EAAE,GAAG,EAAE,KAAc,EAAE,CAAC;IAC7D,OAAO;QACL,UAAU,EAAE,EAAE,GAAG,CAAC,MAAM,IAAA,gBAAS,EAAC,UAAU,CAAC,CAAC,EAAE,GAAG,IAAI,EAAE;QACzD,SAAS,EAAE,EAAE,GAAG,CAAC,MAAM,IAAA,gBAAS,EAAC,SAAS,CAAC,CAAC,EAAE,GAAG,IAAI,EAAE;KACxD,CAAC;AACJ,CAAC"}

package/dist/nats/replay-cache.d.ts

@@ -0,0 +1,14 @@
+import type Redis from 'ioredis';
+export interface ReplayCache {
+    /** Returns true if the jti is first-seen (allowed), false if already seen (replay). */
+    firstSeen(jti: string, ttlSec?: number): Promise<boolean>;
+}
+export declare const DEFAULT_JTI_PREFIX = "authz:jti:";
+export declare const DEFAULT_JTI_TTL_SEC = 60;
+export declare class RedisReplayCache implements ReplayCache {
+    private readonly redis;
+    private readonly prefix;
+    constructor(redis: Redis, prefix?: string);
+    firstSeen(jti: string, ttlSec?: number): Promise<boolean>;
+}
+//# sourceMappingURL=replay-cache.d.ts.map

package/dist/nats/replay-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"replay-cache.d.ts","sourceRoot":"","sources":["../../src/nats/replay-cache.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,KAAK,MAAM,SAAS,CAAC;AAEjC,MAAM,WAAW,WAAW;IAC1B,uFAAuF;IACvF,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC3D;AAED,eAAO,MAAM,kBAAkB,eAAe,CAAC;AAC/C,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC,qBAAa,gBAAiB,YAAW,WAAW;IAEhD,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBADN,KAAK,EAAE,KAAK,EACZ,MAAM,GAAE,MAA2B;IAGhD,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,GAAE,MAA4B,GAAG,OAAO,CAAC,OAAO,CAAC;CAKrF"}

package/dist/nats/replay-cache.js

@@ -0,0 +1,23 @@
+"use strict";
+// Step 2 DEC-S2.25 — JWT replay protection via Redis (SET NX EX).
+//
+// Key `authz:jti:<jti>` with TTL 60s (2× the 30s JWT TTL → covers clock skew + retry).
+// First-seen → SET succeeds → allowed. Already present → replay → rejected.
+// Redis unreachable → throw → the verifier fails CLOSED (INTERNAL_AUTH_BACKEND).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RedisReplayCache = exports.DEFAULT_JTI_TTL_SEC = exports.DEFAULT_JTI_PREFIX = void 0;
+exports.DEFAULT_JTI_PREFIX = 'authz:jti:';
+exports.DEFAULT_JTI_TTL_SEC = 60;
+class RedisReplayCache {
+    constructor(redis, prefix = exports.DEFAULT_JTI_PREFIX) {
+        this.redis = redis;
+        this.prefix = prefix;
+    }
+    async firstSeen(jti, ttlSec = exports.DEFAULT_JTI_TTL_SEC) {
+        // SET key 1 EX <ttl> NX → 'OK' when newly set, null when the key already exists.
+        const res = await this.redis.set(this.prefix + jti, '1', 'EX', ttlSec, 'NX');
+        return res === 'OK';
+    }
+}
+exports.RedisReplayCache = RedisReplayCache;
+//# sourceMappingURL=replay-cache.js.map

package/dist/nats/replay-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"replay-cache.js","sourceRoot":"","sources":["../../src/nats/replay-cache.ts"],"names":[],"mappings":";AAAA,kEAAkE;AAClE,EAAE;AACF,uFAAuF;AACvF,4EAA4E;AAC5E,iFAAiF;;;AASpE,QAAA,kBAAkB,GAAG,YAAY,CAAC;AAClC,QAAA,mBAAmB,GAAG,EAAE,CAAC;AAEtC,MAAa,gBAAgB;IAC3B,YACmB,KAAY,EACZ,SAAiB,0BAAkB;QADnC,UAAK,GAAL,KAAK,CAAO;QACZ,WAAM,GAAN,MAAM,CAA6B;IACnD,CAAC;IAEJ,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,SAAiB,2BAAmB;QAC/D,iFAAiF;QACjF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;QAC7E,OAAO,GAAG,KAAK,IAAI,CAAC;IACtB,CAAC;CACF;AAXD,4CAWC"}

package/dist/nest/authz-context.interceptor.d.ts

@@ -0,0 +1,6 @@
+import { type CallHandler, type ExecutionContext, type NestInterceptor } from '@nestjs/common';
+import { Observable } from 'rxjs';
+export declare class AuthzContextInterceptor implements NestInterceptor {
+    intercept(context: ExecutionContext, next: CallHandler): Observable<unknown>;
+}
+//# sourceMappingURL=authz-context.interceptor.d.ts.map

package/dist/nest/authz-context.interceptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz-context.interceptor.d.ts","sourceRoot":"","sources":["../../src/nest/authz-context.interceptor.ts"],"names":[],"mappings":"AAMA,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAKlC,qBACa,uBAAwB,YAAW,eAAe;IAC7D,SAAS,CAAC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC;CAyB7E"}