@geostack/arc 0.1.0

package/dist/index.js

@@ -0,0 +1,1514 @@
+import { createHash, randomUUID } from "node:crypto";
+import { decodeProtectedHeader, importJWK, compactVerify } from "jose";
+const defaultMaxTimestampSkewMs = 5 * 60 * 1000;
+const defaultNonceStore = createMemoryNonceStore();
+const actionKeyPattern = /^[a-z][a-z0-9_.:-]{0,79}$/;
+const slugPattern = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
+const defaultBaseUrl = "http://127.0.0.1:4000";
+const riskLevels = new Set(["low", "medium", "high", "critical"]);
+const defaultDecisions = new Set(["allow", "ask", "block"]);
+export class ArcError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = "ArcError";
+    }
+}
+export class ArcValidationError extends ArcError {
+    constructor(code, message) {
+        super(code, message);
+        this.name = "ArcValidationError";
+    }
+}
+export class ArcActionError extends ArcError {
+    statusCode;
+    constructor(statusCode, code, message) {
+        super(code, message);
+        this.statusCode = statusCode;
+        this.name = "ArcActionError";
+    }
+}
+export class ArcHttpError extends ArcError {
+    status;
+    responseBody;
+    constructor(status, code, message, responseBody) {
+        super(code, message);
+        this.status = status;
+        this.responseBody = responseBody;
+        this.name = "ArcHttpError";
+    }
+}
+export class ArcRequestVerificationError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = "ArcRequestVerificationError";
+    }
+}
+export function defineActions(actions) {
+    validateActionDefinitions(actions);
+    return actions;
+}
+export function createActionSyncPayload(actions) {
+    validateActionDefinitions(actions);
+    return {
+        actions: Object.entries(actions)
+            .sort(([left], [right]) => left.localeCompare(right))
+            .map(([key, action]) => ({
+            cost_currency: (action.cost?.currency ?? "USD").toUpperCase(),
+            cost_field: action.cost?.mode === "field" ? action.cost.field : null,
+            cost_fixed_minor: action.cost?.mode === "fixed" ? action.cost.fixedMinor : null,
+            cost_mode: action.cost?.mode ?? "none",
+            default_decision: action.defaultDecision,
+            description: action.description ?? null,
+            enabled: action.enabled ?? true,
+            input_schema: action.input,
+            key,
+            name: action.name,
+            output_schema: action.output ?? null,
+            risk_level: action.risk,
+            tags: action.tags ?? []
+        }))
+    };
+}
+export async function syncActions(actions, options = {}) {
+    const payload = createActionSyncPayload(actions);
+    if (options.dryRun) {
+        return payload;
+    }
+    if (!options.appId) {
+        throw new ArcValidationError("missing_app_id", "syncActions requires appId unless dryRun is true.");
+    }
+    const client = options.client ??
+        new ArcDeveloperClient({
+            baseUrl: options.baseUrl,
+            sessionCookie: options.sessionCookie
+        });
+    return client.syncActions(options.appId, payload.actions);
+}
+export function handleAction(actions, handlers, options = {}) {
+    validateActionDefinitions(actions);
+    const executor = createArcExecutor(options);
+    return executor.handleAction(actions, handlers);
+}
+export function createArcExecutor(options = {}) {
+    let jwksCache = options.jwks ?? null;
+    async function resolveVerifyOptions(localOptions = {}) {
+        const jwks = localOptions.jwks ?? jwksCache ?? (await fetchJwks(localOptions));
+        jwksCache = jwks;
+        return {
+            jwks,
+            maxTimestampSkewMs: localOptions.maxTimestampSkewMs ?? options.maxTimestampSkewMs,
+            nonceStore: localOptions.nonceStore ?? options.nonceStore,
+            now: localOptions.now ?? options.now,
+            unsafeAllowInMemoryNonceStore: localOptions.unsafeAllowInMemoryNonceStore ?? options.unsafeAllowInMemoryNonceStore
+        };
+    }
+    async function fetchJwks(localOptions) {
+        const jwksUrl = localOptions.jwksUrl ??
+            options.jwksUrl ??
+            `${trimTrailingSlash(localOptions.apiUrl ?? options.apiUrl ?? defaultBaseUrl)}/.well-known/jwks.json`;
+        const response = await fetch(jwksUrl);
+        if (!response.ok) {
+            throw new ArcRequestVerificationError("jwks_unavailable", "Arc JWKS could not be loaded.");
+        }
+        const value = await response.json();
+        if (!isJwks(value)) {
+            throw new ArcRequestVerificationError("jwks_invalid", "Arc JWKS response is invalid.");
+        }
+        return value;
+    }
+    return {
+        handleAction: (actions, handlers, localOptions = {}) => {
+            validateActionDefinitions(actions);
+            return async (request, response) => {
+                let verified;
+                try {
+                    const normalized = await normalizeActionRequest(request);
+                    verified = await verifyArcRequest({
+                        body: normalized.body,
+                        headers: normalized.headers
+                    }, await resolveVerifyOptions(localOptions));
+                }
+                catch (error) {
+                    if (error instanceof ArcRequestVerificationError) {
+                        return sendActionResponse(request, response, 401, {
+                            error: {
+                                code: error.code,
+                                message: error.message
+                            }
+                        });
+                    }
+                    if (error instanceof ArcValidationError) {
+                        return sendActionResponse(request, response, 400, {
+                            error: {
+                                code: error.code,
+                                message: error.message
+                            }
+                        });
+                    }
+                    throw error;
+                }
+                const actionKey = verified.payload.action_key;
+                const isKnownAction = Object.prototype.hasOwnProperty.call(actions, actionKey);
+                const handler = isKnownAction ? handlers[actionKey] : undefined;
+                if (!isKnownAction || !handler) {
+                    return sendActionResponse(request, response, 404, {
+                        error: {
+                            code: "unknown_action",
+                            message: "Arc action handler is not registered."
+                        }
+                    });
+                }
+                try {
+                    const result = await handler({
+                        actionKey,
+                        agent: verified.payload.agent,
+                        appUserId: verified.payload.app_user_id,
+                        input: verified.payload.input,
+                        invocationId: verified.payload.invocation_id,
+                        payload: verified.payload,
+                        user: verified.payload.user
+                    });
+                    return sendActionResponse(request, response, 200, {
+                        data: {
+                            invocation_id: verified.payload.invocation_id,
+                            result: result ?? null
+                        }
+                    });
+                }
+                catch (error) {
+                    if (error instanceof ArcActionError) {
+                        return sendActionResponse(request, response, error.statusCode, {
+                            error: {
+                                code: error.code,
+                                message: error.message
+                            }
+                        });
+                    }
+                    return sendActionResponse(request, response, 500, {
+                        error: {
+                            code: "handler_failed",
+                            message: "Arc action handler failed."
+                        }
+                    });
+                }
+            };
+        },
+        verify: async (request, localOptions = {}) => {
+            const normalized = await normalizeActionRequest(request);
+            return verifyArcRequest({
+                body: normalized.body,
+                headers: normalized.headers
+            }, await resolveVerifyOptions(localOptions));
+        }
+    };
+}
+export async function verifyArcRequest(request, options) {
+    const signature = readSignature(request.headers);
+    const protectedHeader = parseProtectedHeader(signature);
+    if (protectedHeader.alg !== "ES256" ||
+        typeof protectedHeader.kid !== "string" ||
+        protectedHeader.kid.trim().length === 0) {
+        throw new ArcRequestVerificationError("invalid_signature", "Arc signature header is invalid.");
+    }
+    const key = await importVerificationKey(options.jwks, protectedHeader.kid);
+    let verification;
+    try {
+        verification = await compactVerify(signature, key);
+    }
+    catch {
+        throw new ArcRequestVerificationError("invalid_signature", "Arc signature verification failed.");
+    }
+    const claims = parseClaims(new TextDecoder().decode(verification.payload));
+    const bodyJson = bodyToJson(request.body);
+    const body = parseBody(bodyJson);
+    const bodyHash = `sha256:${sha256Hex(bodyJson)}`;
+    if (bodyHash !== claims.body_hash) {
+        throw new ArcRequestVerificationError("body_hash_mismatch", "Arc request body hash mismatch.");
+    }
+    if (body.app_id !== claims.app_id || body.action_key !== claims.action_key) {
+        throw new ArcRequestVerificationError("body_claim_mismatch", "Arc request body does not match signature claims.");
+    }
+    if (body.invocation_id !== claims.invocation_id || body.nonce !== claims.nonce) {
+        throw new ArcRequestVerificationError("body_claim_mismatch", "Arc request body does not match signature claims.");
+    }
+    if (body.timestamp !== claims.timestamp || body.input_hash !== claims.input_hash) {
+        throw new ArcRequestVerificationError("body_claim_mismatch", "Arc request body does not match signature claims.");
+    }
+    if (body.org_id !== claims.org_id || body.workspace_id !== claims.workspace_id) {
+        throw new ArcRequestVerificationError("body_claim_mismatch", "Arc request body does not match signature claims.");
+    }
+    verifyTimestamp(claims.timestamp, options);
+    await verifyNonce(claims.nonce, claims.timestamp, options);
+    return {
+        claims,
+        payload: body,
+        valid: true
+    };
+}
+export async function verifyArcSignature(request, options) {
+    return verifyArcRequest(request, options);
+}
+export async function verifyArcExecution(request, options) {
+    const verified = await verifyArcRequest(request, options);
+    verifyArcDelegation(verified.payload, options);
+    await validateArcInvocation(verified.payload, options);
+    return verified;
+}
+export async function verifyArcAuthorityToken(token, options) {
+    const protectedHeader = parseProtectedHeader(token);
+    if (protectedHeader.alg !== "ES256" ||
+        typeof protectedHeader.kid !== "string" ||
+        protectedHeader.kid.trim().length === 0) {
+        throw new ArcRequestVerificationError("invalid_signature", "Arc authority token header is invalid.");
+    }
+    const key = await importVerificationKey(options.jwks, protectedHeader.kid);
+    let verification;
+    try {
+        verification = await compactVerify(token, key);
+    }
+    catch {
+        throw new ArcRequestVerificationError("invalid_signature", "Arc authority token signature failed.");
+    }
+    const claims = parseAuthorityClaims(new TextDecoder().decode(verification.payload));
+    const nowMs = options.now?.getTime() ?? Date.now();
+    const skewMs = options.maxClockSkewMs ?? 30_000;
+    if (claims.exp * 1000 <= nowMs - skewMs) {
+        throw new ArcRequestVerificationError("token_expired", "Arc authority token is expired.");
+    }
+    if (claims.iat * 1000 > nowMs + skewMs) {
+        throw new ArcRequestVerificationError("token_not_yet_valid", "Arc authority token is not valid yet.");
+    }
+    if (options.expectedIssuer && claims.iss !== options.expectedIssuer) {
+        throw new ArcRequestVerificationError("unexpected_issuer", "Arc authority token issuer does not match.");
+    }
+    const expectedAudience = options.expectedAudience ?? options.expectedAppId;
+    if (expectedAudience && claims.aud !== expectedAudience) {
+        throw new ArcRequestVerificationError("unexpected_audience", "Arc authority token audience does not match.");
+    }
+    if (options.expectedAppId && claims.app_id !== options.expectedAppId) {
+        throw new ArcRequestVerificationError("unexpected_app", "Arc authority token app does not match.");
+    }
+    if (options.expectedActionKey && claims.action_key !== options.expectedActionKey) {
+        throw new ArcRequestVerificationError("unexpected_action", "Arc authority token action does not match.");
+    }
+    if (options.expectedDelegationId && claims.delegation_id !== options.expectedDelegationId) {
+        throw new ArcRequestVerificationError("unexpected_delegation", "Arc authority token delegation does not match.");
+    }
+    if (options.expectedOrgId && claims.org_id !== options.expectedOrgId) {
+        throw new ArcRequestVerificationError("unexpected_org", "Arc authority token organization does not match.");
+    }
+    if (options.expectedWorkspaceId && claims.workspace_id !== options.expectedWorkspaceId) {
+        throw new ArcRequestVerificationError("unexpected_workspace", "Arc authority token workspace does not match.");
+    }
+    if (options.expectedDecision && claims.decision !== options.expectedDecision) {
+        throw new ArcRequestVerificationError("unexpected_decision", "Arc authority token decision does not match.");
+    }
+    if (options.nonceStore) {
+        const accepted = await options.nonceStore.useNonce(claims.nonce, new Date(claims.exp * 1000));
+        if (!accepted) {
+            throw new ArcRequestVerificationError("nonce_replayed", "Arc authority token nonce has already been used.");
+        }
+    }
+    return {
+        claims,
+        expiresAt: new Date(claims.exp * 1000),
+        valid: true
+    };
+}
+export async function requireArcAuthority(token, options) {
+    const verified = await verifyArcAuthorityToken(token, options);
+    return verified.claims;
+}
+export function createArcAuthorityMiddleware(options) {
+    return async (request, response, next) => {
+        try {
+            const token = options.tokenResolver?.(request) ?? readAuthorityTokenFromRequest(request);
+            const expectedActionKey = options.actionResolver?.(request) ?? options.expectedActionKey;
+            if (!token) {
+                throw new ArcRequestVerificationError("missing_authority", "Arc authority token is required.");
+            }
+            const verified = await verifyArcAuthorityToken(token, {
+                ...options,
+                expectedActionKey
+            });
+            attachArcAuthority(request, verified.claims);
+            if (typeof next === "function") {
+                next();
+                return undefined;
+            }
+            return verified.claims;
+        }
+        catch (error) {
+            if (typeof next === "function") {
+                next(error);
+                return undefined;
+            }
+            if (response && typeof response === "object" && "status" in response) {
+                const status = response.status;
+                if (typeof status === "function") {
+                    const statusResult = status.call(response, 401);
+                    const json = isPlainObject(statusResult) ? statusResult.json : undefined;
+                    if (typeof json === "function") {
+                        return json.call(statusResult, {
+                            error: {
+                                code: error instanceof ArcRequestVerificationError ? error.code : "authority_rejected",
+                                message: "Arc authority was rejected."
+                            }
+                        });
+                    }
+                }
+            }
+            throw error;
+        }
+    };
+}
+export async function introspectArcAuthority(input) {
+    const fetchImpl = input.fetch ?? fetch;
+    const response = await requestJson({
+        baseUrl: input.apiUrl,
+        body: {
+            invocation_id: input.invocationId,
+            signed_execution_id: input.signedExecutionId,
+            token: input.token
+        },
+        fetchImpl,
+        headers: {
+            authorization: `Bearer ${input.appApiKey}`
+        },
+        method: "POST",
+        path: "/v1/authority/introspect",
+        retrySafeGet: false
+    });
+    return response.value.data.introspection;
+}
+export function verifyArcDelegation(payload, options = {}) {
+    const requireActiveDelegation = options.requireActiveDelegation ?? true;
+    const requireApprovedAsk = options.requireApprovedAsk ?? true;
+    const authorization = payload.authorization;
+    if (!authorization) {
+        if (options.expectedDelegationId) {
+            throw new ArcRequestVerificationError("unexpected_delegation", "Arc invocation delegation does not match.");
+        }
+        if (requireActiveDelegation) {
+            throw new ArcRequestVerificationError("missing_delegation_context", "Arc delegation context is required.");
+        }
+        return true;
+    }
+    if (authorization.issued_by !== "arc" || authorization.decision !== payload.decision) {
+        throw new ArcRequestVerificationError("invalid_delegation_context", "Arc delegation context is invalid.");
+    }
+    if (requireActiveDelegation &&
+        (!authorization.delegation_id || authorization.delegation_status !== "active")) {
+        throw new ArcRequestVerificationError("delegation_not_active", "Arc delegation is not active.");
+    }
+    if (options.expectedDelegationId && authorization.delegation_id !== options.expectedDelegationId) {
+        throw new ArcRequestVerificationError("unexpected_delegation", "Arc invocation delegation does not match.");
+    }
+    if (requireApprovedAsk && payload.decision === "ask" && authorization.approval_status !== "approved") {
+        throw new ArcRequestVerificationError("approval_not_valid", "Arc approval state is not valid for this action.");
+    }
+    return true;
+}
+export async function validateArcInvocation(payload, options = {}) {
+    if (options.expectedAppId && payload.app_id !== options.expectedAppId) {
+        throw new ArcRequestVerificationError("unexpected_app", "Arc invocation was signed for a different app.");
+    }
+    if (options.expectedActionKey && payload.action_key !== options.expectedActionKey) {
+        throw new ArcRequestVerificationError("unexpected_action", "Arc invocation was signed for a different action.");
+    }
+    if (options.expectedDecision && payload.decision !== options.expectedDecision) {
+        throw new ArcRequestVerificationError("unexpected_decision", "Arc invocation decision does not match.");
+    }
+    if (options.expectedRiskLevel && payload.risk_level !== options.expectedRiskLevel) {
+        throw new ArcRequestVerificationError("unexpected_risk", "Arc invocation risk level does not match.");
+    }
+    if (options.expectedOrgId && payload.org_id !== options.expectedOrgId) {
+        throw new ArcRequestVerificationError("unexpected_org", "Arc invocation organization does not match.");
+    }
+    if (options.expectedWorkspaceId && payload.workspace_id !== options.expectedWorkspaceId) {
+        throw new ArcRequestVerificationError("unexpected_workspace", "Arc invocation workspace does not match.");
+    }
+    if (options.inputSchema) {
+        validateInputAgainstSchema(payload.input, options.inputSchema);
+    }
+    if (options.invocationStore) {
+        const accepted = await options.invocationStore.useInvocation(payload.invocation_id);
+        if (!accepted) {
+            throw new ArcRequestVerificationError("invocation_replayed", "Arc invocation id has already been processed.");
+        }
+    }
+    return true;
+}
+export function createMemoryNonceStore() {
+    const seen = new Map();
+    return {
+        useNonce: (nonce, expiresAt) => {
+            const now = Date.now();
+            for (const [key, expires] of seen.entries()) {
+                if (expires <= now) {
+                    seen.delete(key);
+                }
+            }
+            if (seen.has(nonce)) {
+                return false;
+            }
+            seen.set(nonce, expiresAt.getTime());
+            return true;
+        }
+    };
+}
+export class ArcDeveloperClient {
+    options;
+    fetchImpl;
+    sessionCookie;
+    constructor(options = {}) {
+        this.options = options;
+        this.fetchImpl = options.fetch ?? fetch;
+        this.sessionCookie = options.sessionCookie ?? null;
+    }
+    get cookie() {
+        return this.sessionCookie;
+    }
+    setCookie(cookie) {
+        this.sessionCookie = cookie;
+    }
+    async devLogin(input) {
+        return this.request("POST", "/v1/auth/dev-login", {
+            email: input.email,
+            name: input.name ?? undefined
+        });
+    }
+    async logout() {
+        const response = await this.request("POST", "/v1/auth/logout", {});
+        this.sessionCookie = null;
+        return response;
+    }
+    async me() {
+        return this.request("GET", "/v1/me");
+    }
+    async listOrgs() {
+        return this.request("GET", "/v1/orgs");
+    }
+    async getCurrentOrg() {
+        return this.request("GET", "/v1/orgs/current");
+    }
+    async listOrgMembers() {
+        return this.request("GET", "/v1/orgs/members");
+    }
+    async inviteOrgMember(input) {
+        return this.request("POST", "/v1/users/invite", input);
+    }
+    async createApp(input) {
+        return this.request("POST", "/v1/apps", input);
+    }
+    async createAppFromManifest(input) {
+        return this.request("POST", "/v1/apps/manifest", input);
+    }
+    async listApps() {
+        return this.request("GET", "/v1/apps");
+    }
+    async getApp(appId) {
+        return this.request("GET", `/v1/apps/${encodeURIComponent(appId)}`);
+    }
+    async createAppApiKey(appId, input = {}) {
+        return this.request("POST", `/v1/apps/${encodeURIComponent(appId)}/api-keys`, input);
+    }
+    async listAppApiKeys(appId) {
+        return this.request("GET", `/v1/apps/${encodeURIComponent(appId)}/api-keys`);
+    }
+    async revokeAppApiKey(appId, keyId) {
+        return this.request("POST", `/v1/apps/${encodeURIComponent(appId)}/api-keys/${encodeURIComponent(keyId)}/revoke`, {});
+    }
+    async rotateAppApiKey(appId, keyId, input = {}) {
+        return this.request("POST", `/v1/apps/${encodeURIComponent(appId)}/api-keys/${encodeURIComponent(keyId)}/rotate`, input);
+    }
+    async syncActions(appId, actions) {
+        const payload = Array.isArray(actions) ? { actions } : createActionSyncPayload(actions);
+        return this.request("PUT", `/v1/apps/${encodeURIComponent(appId)}/actions`, payload);
+    }
+    async createAppConnection(input) {
+        return this.request("POST", "/v1/app-connections", input);
+    }
+    async createDevAgentToken(input) {
+        return this.request("POST", "/v1/agents/dev-token", {
+            agent_type: input.agent_type,
+            display_name: input.display_name ?? undefined
+        });
+    }
+    async registerAgent(input) {
+        return this.request("POST", "/v1/agents/register", input);
+    }
+    async listAgents() {
+        return this.request("GET", "/v1/agents");
+    }
+    async getAgent(agentId) {
+        return this.request("GET", `/v1/agents/${encodeURIComponent(agentId)}`);
+    }
+    async updateAgent(agentId, input) {
+        return this.request("PATCH", `/v1/agents/${encodeURIComponent(agentId)}`, input);
+    }
+    async revokeAgent(agentId) {
+        return this.request("POST", `/v1/agents/${encodeURIComponent(agentId)}/revoke`, {});
+    }
+    async regenerateAgentToken(agentId, input = {}) {
+        return this.request("POST", `/v1/agents/${encodeURIComponent(agentId)}/regenerate-token`, input);
+    }
+    async listAgentGrants(agentId) {
+        return this.request("GET", `/v1/agents/${encodeURIComponent(agentId)}/grants`);
+    }
+    async putAgentGrant(agentId, appId, actions) {
+        return this.request("PUT", `/v1/agents/${encodeURIComponent(agentId)}/grants/${encodeURIComponent(appId)}`, { actions });
+    }
+    async listDelegations() {
+        return this.request("GET", "/v1/delegations");
+    }
+    async getDelegation(delegationId) {
+        return this.request("GET", `/v1/delegations/${encodeURIComponent(delegationId)}`);
+    }
+    async createDelegation(input) {
+        return this.request("POST", "/v1/delegations", input);
+    }
+    async updateDelegationPermissions(delegationId, input) {
+        return this.request("PATCH", `/v1/delegations/${encodeURIComponent(delegationId)}`, input);
+    }
+    async revokeDelegation(delegationId, input = {}) {
+        return this.request("POST", `/v1/delegations/${encodeURIComponent(delegationId)}/revoke`, input);
+    }
+    async listDelegationAudit(delegationId) {
+        return this.request("GET", `/v1/delegations/${encodeURIComponent(delegationId)}/audit`);
+    }
+    async listRegistryApps() {
+        return this.request("GET", "/v1/registry/apps");
+    }
+    async getRegistryApp(appId) {
+        return this.request("GET", `/v1/registry/apps/${encodeURIComponent(appId)}`);
+    }
+    async listRegistryAppActions(appId) {
+        return this.request("GET", `/v1/registry/apps/${encodeURIComponent(appId)}/actions`);
+    }
+    async getRegistryAppManifest(appId) {
+        return this.request("GET", `/v1/registry/apps/${encodeURIComponent(appId)}/manifest`);
+    }
+    async listApprovals() {
+        return this.request("GET", "/v1/approvals");
+    }
+    async getApproval(approvalId) {
+        return this.request("GET", `/v1/approvals/${encodeURIComponent(approvalId)}`);
+    }
+    async approveApproval(approvalId) {
+        return this.request("POST", `/v1/approvals/${encodeURIComponent(approvalId)}/approve`, {});
+    }
+    async denyApproval(approvalId) {
+        return this.request("POST", `/v1/approvals/${encodeURIComponent(approvalId)}/deny`, {});
+    }
+    async tailAudit(input = {}) {
+        const limit = input.limit ?? 20;
+        return this.request("GET", `/v1/audit?limit=${encodeURIComponent(String(limit))}`);
+    }
+    async exportAudit(input = {}) {
+        return this.request("GET", `/v1/audit/export${auditQueryString(input)}`);
+    }
+    async createAuditExport(input = {}) {
+        return this.request("POST", "/v1/audit/export", input);
+    }
+    async getAuditExport(exportId) {
+        return this.request("GET", `/v1/audit/export/${encodeURIComponent(exportId)}`);
+    }
+    async verifyAudit(input = {}) {
+        return this.request("GET", `/v1/audit/verify${auditQueryString(input)}`);
+    }
+    async getAuditTimeline(input = {}) {
+        return this.request("GET", `/v1/audit/timeline${auditQueryString(input)}`);
+    }
+    async getJwks() {
+        return this.request("GET", "/.well-known/jwks.json");
+    }
+    async getAuthorityMetadata() {
+        return this.request("GET", "/.well-known/arc-configuration");
+    }
+    async introspectAuthority(input) {
+        return this.request("POST", "/v1/authority/introspect", input);
+    }
+    async request(method, path, body, options = {}) {
+        const response = await requestJson({
+            baseUrl: this.options.baseUrl,
+            body,
+            fetchImpl: this.fetchImpl,
+            headers: {
+                ...this.authHeaders(),
+                ...options.headers
+            },
+            method,
+            path,
+            retrySafeGet: options.retrySafeGet ?? method.toUpperCase() === "GET"
+        });
+        const setCookie = response.setCookie;
+        if (setCookie) {
+            this.sessionCookie = setCookie;
+        }
+        return response.value;
+    }
+    authHeaders() {
+        const headers = {};
+        if (this.sessionCookie) {
+            headers.cookie = this.sessionCookie;
+        }
+        if (this.options.apiKey) {
+            headers.authorization = `Bearer ${this.options.apiKey}`;
+        }
+        if (this.options.orgId) {
+            headers["x-arc-org-id"] = this.options.orgId;
+        }
+        return headers;
+    }
+}
+export class ArcAgentRuntimeClient {
+    options;
+    fetchImpl;
+    constructor(options = {}) {
+        this.options = options;
+        this.fetchImpl = options.fetch ?? fetch;
+    }
+    async me() {
+        const response = await this.request("GET", "/v1/agent/me");
+        return response.data.agent;
+    }
+    async listApps() {
+        const response = await this.request("GET", "/v1/agent/apps");
+        return response.data.apps;
+    }
+    async listActions(appId) {
+        const response = await this.request("GET", `/v1/agent/apps/${encodeURIComponent(appId)}/actions`);
+        return response.data.actions;
+    }
+    async getAvailableActions() {
+        const response = await this.request("GET", "/v1/agent/actions");
+        return response.data.actions;
+    }
+    async createActionRequest(input) {
+        return this.request("POST", "/v1/action-requests", input);
+    }
+    async pollActionRequest(actionRequestId) {
+        return this.request("GET", `/v1/action-requests/${encodeURIComponent(actionRequestId)}`);
+    }
+    async listGrants() {
+        const response = await this.request("GET", "/v1/agent/grants");
+        return response.data.grants;
+    }
+    async invoke(appId, actionKey, input = {}, options = {}) {
+        const idempotencyKey = options.idempotencyKey ?? randomUUID();
+        try {
+            const response = await this.request("POST", "/v1/agent/invocations", {
+                action_key: actionKey,
+                app_id: appId,
+                idempotency_key: idempotencyKey,
+                input
+            });
+            return parseRuntimeInvocationResult(response, idempotencyKey);
+        }
+        catch (error) {
+            if (error instanceof ArcHttpError) {
+                return runtimeErrorResult({
+                    code: error.code,
+                    idempotencyKey,
+                    message: error.message,
+                    raw: error.responseBody,
+                    status: error.status
+                });
+            }
+            if (error instanceof Error) {
+                return runtimeErrorResult({
+                    code: "request_failed",
+                    idempotencyKey,
+                    message: error.message,
+                    raw: null
+                });
+            }
+            return runtimeErrorResult({
+                code: "request_failed",
+                idempotencyKey,
+                message: "Arc request failed.",
+                raw: null
+            });
+        }
+    }
+    async request(method, path, body) {
+        const agentToken = this.options.agentToken;
+        if (!agentToken) {
+            throw new ArcValidationError("missing_agent_token", "Arc agent token is required.");
+        }
+        const response = await requestJson({
+            baseUrl: this.options.apiUrl,
+            body,
+            fetchImpl: this.fetchImpl,
+            headers: {
+                authorization: `Bearer ${agentToken}`
+            },
+            method,
+            path,
+            retrySafeGet: method.toUpperCase() === "GET"
+        });
+        return response.value;
+    }
+}
+export function createArcAgentRuntime(options) {
+    return new ArcAgentRuntimeClient(options);
+}
+export class ArcAgentClient {
+    options;
+    fetchImpl;
+    constructor(options = {}) {
+        this.options = options;
+        this.fetchImpl = options.fetch ?? fetch;
+    }
+    async invoke(input) {
+        const idempotencyKey = input.idempotency_key ?? randomUUID();
+        return this.request("POST", "/v1/agent/invocations", {
+            action_key: input.action_key,
+            app_id: input.app_id,
+            app_slug: input.app_slug,
+            idempotency_key: idempotencyKey,
+            input: input.input ?? {}
+        });
+    }
+    async listActions(input) {
+        const params = new URLSearchParams();
+        if (input.app_id) {
+            params.set("app_id", input.app_id);
+        }
+        if (input.app_slug) {
+            params.set("app_slug", input.app_slug);
+        }
+        return this.request("GET", `/v1/agent/actions?${params.toString()}`);
+    }
+    async createActionRequest(input) {
+        return this.request("POST", "/v1/action-requests", input);
+    }
+    async pollActionRequest(actionRequestId) {
+        return this.request("GET", `/v1/action-requests/${encodeURIComponent(actionRequestId)}`);
+    }
+    async getInvocation(invocationId) {
+        return this.request("GET", `/v1/agent/invocations/${encodeURIComponent(invocationId)}`);
+    }
+    async me() {
+        return createArcAgentRuntime({
+            agentToken: this.options.agentToken,
+            apiUrl: this.options.baseUrl,
+            fetch: this.options.fetch
+        }).me();
+    }
+    async listApps() {
+        return createArcAgentRuntime({
+            agentToken: this.options.agentToken,
+            apiUrl: this.options.baseUrl,
+            fetch: this.options.fetch
+        }).listApps();
+    }
+    async listGrants() {
+        return createArcAgentRuntime({
+            agentToken: this.options.agentToken,
+            apiUrl: this.options.baseUrl,
+            fetch: this.options.fetch
+        }).listGrants();
+    }
+    async request(method, path, body) {
+        const agentToken = this.options.agentToken;
+        if (!agentToken) {
+            throw new ArcValidationError("missing_agent_token", "Arc agent token is required.");
+        }
+        const response = await requestJson({
+            baseUrl: this.options.baseUrl,
+            body,
+            fetchImpl: this.fetchImpl,
+            headers: {
+                authorization: `Bearer ${agentToken}`
+            },
+            method,
+            path,
+            retrySafeGet: method.toUpperCase() === "GET"
+        });
+        return response.value;
+    }
+}
+export const arc = {
+    ArcAgentClient,
+    ArcAgentRuntimeClient,
+    ArcDeveloperClient,
+    createActionSyncPayload,
+    createArcAuthorityMiddleware,
+    createArcExecutor,
+    createArcAgentRuntime,
+    createMemoryNonceStore,
+    defineActions,
+    handleAction,
+    introspectArcAuthority,
+    requireArcAuthority,
+    syncActions,
+    validateArcInvocation,
+    verifyArcDelegation,
+    verifyArcExecution,
+    verifyArcSignature,
+    verifyArcAuthorityToken,
+    verifyArcRequest
+};
+function parseRuntimeInvocationResult(response, idempotencyKey) {
+    const envelope = isPlainObject(response) ? response : {};
+    const data = isPlainObject(envelope.data) ? envelope.data : {};
+    const invocation = isPlainObject(data.invocation) ? data.invocation : {};
+    const approval = isPlainObject(data.approval) ? data.approval : {};
+    const decisionRecord = isPlainObject(data.decision) ? data.decision : {};
+    const decision = typeof decisionRecord.decision === "string"
+        ? decisionRecord.decision
+        : typeof invocation.decision === "string"
+            ? invocation.decision
+            : null;
+    const status = typeof data.status === "string"
+        ? data.status
+        : typeof invocation.status === "string"
+            ? invocation.status
+            : null;
+    const invocationId = typeof invocation.id === "string" ? invocation.id : null;
+    const approvalId = typeof approval.id === "string" ? approval.id : null;
+    if (decision === "ask") {
+        return {
+            approval_id: approvalId,
+            decision,
+            idempotency_key: idempotencyKey,
+            invocation_id: invocationId,
+            raw: response,
+            result: null,
+            status: "pending_approval"
+        };
+    }
+    if (decision === "block") {
+        return {
+            approval_id: null,
+            decision,
+            idempotency_key: idempotencyKey,
+            invocation_id: invocationId,
+            raw: response,
+            result: null,
+            status: "blocked"
+        };
+    }
+    if (decision === "allow" && status === "queued_for_execution") {
+        return {
+            approval_id: null,
+            decision,
+            idempotency_key: idempotencyKey,
+            invocation_id: invocationId,
+            raw: response,
+            result: null,
+            status: "queued"
+        };
+    }
+    if (decision === "allow" && status === "execution_succeeded") {
+        return {
+            approval_id: null,
+            decision,
+            idempotency_key: idempotencyKey,
+            invocation_id: invocationId,
+            raw: response,
+            result: invocation.result_redacted ?? null,
+            status: "executed"
+        };
+    }
+    return runtimeErrorResult({
+        code: "invalid_arc_response",
+        idempotencyKey,
+        message: "Arc returned an unknown invocation decision or status.",
+        raw: response,
+        decision,
+        invocationId
+    });
+}
+function runtimeErrorResult(input) {
+    return {
+        approval_id: null,
+        decision: input.decision ?? null,
+        error: {
+            code: input.code,
+            message: input.message,
+            ...(input.status === undefined ? {} : { status: input.status })
+        },
+        idempotency_key: input.idempotencyKey,
+        invocation_id: input.invocationId ?? null,
+        raw: input.raw,
+        result: null,
+        status: "error"
+    };
+}
+function auditQueryString(input) {
+    const params = new URLSearchParams();
+    const filters = input.filters ?? input;
+    const entries = [
+        ["action_id", filters.action_id],
+        ["action_key", filters.action_key],
+        ["actor_id", filters.actor_id],
+        ["agent_id", filters.agent_id],
+        ["app_id", filters.app_id],
+        ["approval_id", filters.approval_id],
+        ["decision", filters.decision],
+        ["delegation_id", filters.delegation_id],
+        ["event_type", filters.event_type],
+        ["from", filters.from],
+        ["invocation_id", filters.invocation_id],
+        ["status", filters.status],
+        ["to", filters.to],
+        ["user_id", filters.user_id],
+        ["format", input.format],
+        ["limit", input.limit],
+        ["offset", input.offset]
+    ];
+    for (const [key, value] of entries) {
+        if (value !== undefined && value !== null && value !== "") {
+            params.set(key, String(value));
+        }
+    }
+    const queryString = params.toString();
+    return queryString ? `?${queryString}` : "";
+}
+async function requestJson(input) {
+    const maxAttempts = input.retrySafeGet ? 2 : 1;
+    let lastError = null;
+    for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
+        try {
+            const response = await input.fetchImpl(buildUrl(input.baseUrl, input.path), {
+                body: input.body === undefined ? undefined : JSON.stringify(input.body),
+                headers: {
+                    accept: "application/json",
+                    ...(input.body === undefined ? {} : { "content-type": "application/json" }),
+                    ...input.headers
+                },
+                method: input.method
+            });
+            if (response.status >= 500 && attempt < maxAttempts) {
+                continue;
+            }
+            const text = await response.text();
+            const value = text ? parseJsonResponse(text) : null;
+            const setCookie = parseSetCookie(response.headers);
+            if (!response.ok) {
+                const serverError = asServerError(value);
+                throw new ArcHttpError(response.status, serverError.code, serverError.message, value);
+            }
+            return {
+                setCookie,
+                value: value
+            };
+        }
+        catch (error) {
+            lastError = error;
+            if (error instanceof ArcHttpError || attempt >= maxAttempts) {
+                throw error;
+            }
+        }
+    }
+    throw lastError instanceof Error
+        ? lastError
+        : new ArcError("request_failed", "Arc request failed.");
+}
+function validateActionDefinitions(actions) {
+    if (!isPlainObject(actions)) {
+        throw new ArcValidationError("invalid_actions", "Arc actions must be an object.");
+    }
+    for (const [key, action] of Object.entries(actions)) {
+        if (!actionKeyPattern.test(key)) {
+            throw new ArcValidationError("invalid_action_key", `Arc action key is invalid: ${key}`);
+        }
+        if (!isPlainObject(action)) {
+            throw new ArcValidationError("invalid_action", `Arc action ${key} must be an object.`);
+        }
+        if (typeof action.name !== "string" || action.name.trim().length === 0) {
+            throw new ArcValidationError("invalid_action", `Arc action ${key} requires a name.`);
+        }
+        if (!riskLevels.has(action.risk)) {
+            throw new ArcValidationError("invalid_risk", `Arc action ${key} has an invalid risk.`);
+        }
+        if (!defaultDecisions.has(action.defaultDecision)) {
+            throw new ArcValidationError("invalid_default_decision", `Arc action ${key} has an invalid defaultDecision.`);
+        }
+        if (!isPlainObject(action.input)) {
+            throw new ArcValidationError("invalid_input_schema", `Arc action ${key} requires an input schema object.`);
+        }
+        if (action.output !== undefined && !isPlainObject(action.output)) {
+            throw new ArcValidationError("invalid_output_schema", `Arc action ${key} output must be a schema object.`);
+        }
+        if (action.tags !== undefined &&
+            (!Array.isArray(action.tags) || !action.tags.every((tag) => typeof tag === "string" && tag.trim().length > 0))) {
+            throw new ArcValidationError("invalid_tags", `Arc action ${key} tags must be non-empty strings.`);
+        }
+        if (action.description !== undefined && typeof action.description !== "string") {
+            throw new ArcValidationError("invalid_action", `Arc action ${key} description must be a string.`);
+        }
+        if (action.enabled !== undefined && typeof action.enabled !== "boolean") {
+            throw new ArcValidationError("invalid_action", `Arc action ${key} enabled must be a boolean.`);
+        }
+        if (action.cost !== undefined) {
+            validateActionCost(key, action.cost);
+        }
+    }
+}
+function validateActionCost(key, cost) {
+    if (!isPlainObject(cost)) {
+        throw new ArcValidationError("invalid_cost", `Arc action ${key} cost must be an object.`);
+    }
+    if (cost.mode !== "fixed" && cost.mode !== "field") {
+        throw new ArcValidationError("invalid_cost", `Arc action ${key} cost.mode must be "fixed" or "field".`);
+    }
+    if (cost.currency !== undefined && (typeof cost.currency !== "string" || !/^[A-Za-z]{3}$/.test(cost.currency))) {
+        throw new ArcValidationError("invalid_cost", `Arc action ${key} cost.currency must be a 3-letter ISO code.`);
+    }
+    if (cost.mode === "fixed") {
+        if (!Number.isInteger(cost.fixedMinor) || cost.fixedMinor < 0) {
+            throw new ArcValidationError("invalid_cost", `Arc action ${key} cost.fixedMinor must be a non-negative integer (minor units, e.g. cents).`);
+        }
+    }
+    else if (typeof cost.field !== "string" || cost.field.trim().length === 0) {
+        throw new ArcValidationError("invalid_cost", `Arc action ${key} cost.field must be a non-empty input field name.`);
+    }
+}
+function validateInputAgainstSchema(input, schema) {
+    if (schema.type !== undefined && typeof schema.type === "string" && !matchesJsonSchemaType(input, schema.type)) {
+        throw new ArcRequestVerificationError("invalid_input", "Arc invocation input does not match action schema.");
+    }
+    const required = schema.required;
+    if (Array.isArray(required)) {
+        if (!isPlainObject(input)) {
+            throw new ArcRequestVerificationError("invalid_input", "Arc invocation input must be an object.");
+        }
+        for (const field of required) {
+            if (typeof field === "string" && !(field in input)) {
+                throw new ArcRequestVerificationError("invalid_input", "Arc invocation input is missing a required field.");
+            }
+        }
+    }
+    const properties = schema.properties;
+    if (isPlainObject(properties) && isPlainObject(input)) {
+        for (const [field, propertySchema] of Object.entries(properties)) {
+            if (!(field in input) || !isPlainObject(propertySchema) || typeof propertySchema.type !== "string") {
+                continue;
+            }
+            if (!matchesJsonSchemaType(input[field], propertySchema.type)) {
+                throw new ArcRequestVerificationError("invalid_input", "Arc invocation input field does not match action schema.");
+            }
+        }
+    }
+}
+function matchesJsonSchemaType(value, type) {
+    switch (type) {
+        case "array":
+            return Array.isArray(value);
+        case "boolean":
+            return typeof value === "boolean";
+        case "integer":
+            return Number.isInteger(value);
+        case "null":
+            return value === null;
+        case "number":
+            return typeof value === "number" && Number.isFinite(value);
+        case "object":
+            return isPlainObject(value);
+        case "string":
+            return typeof value === "string";
+        default:
+            return true;
+    }
+}
+function buildUrl(baseUrl, path) {
+    if (/^https?:\/\//u.test(path)) {
+        return path;
+    }
+    return `${trimTrailingSlash(baseUrl ?? defaultBaseUrl)}${path.startsWith("/") ? path : `/${path}`}`;
+}
+function normalizeSlug(value) {
+    return value
+        .trim()
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .slice(0, 63);
+}
+export function createSlug(value) {
+    const slug = normalizeSlug(value);
+    if (slug.length >= 3 && slugPattern.test(slug)) {
+        return slug;
+    }
+    return `app-${randomUUID().slice(0, 8)}`;
+}
+function parseProtectedHeader(signature) {
+    try {
+        return decodeProtectedHeader(signature);
+    }
+    catch {
+        throw new ArcRequestVerificationError("invalid_signature", "Arc signature header is invalid.");
+    }
+}
+async function importVerificationKey(jwks, kid) {
+    const keys = Array.isArray(jwks)
+        ? jwks
+        : jwks && typeof jwks === "object" && Array.isArray(jwks.keys)
+            ? jwks.keys
+            : null;
+    if (!keys) {
+        throw new ArcRequestVerificationError("jwks_invalid", "Arc JWKS response is invalid.");
+    }
+    const jwk = keys.find((item) => item && typeof item === "object" && item.kid === kid);
+    if (!jwk) {
+        throw new ArcRequestVerificationError("unknown_key", "Arc signing key is unknown.");
+    }
+    try {
+        return await importJWK(jwk, "ES256");
+    }
+    catch {
+        throw new ArcRequestVerificationError("invalid_signature", "Arc signing key is invalid.");
+    }
+}
+function readSignature(headers) {
+    const authorization = readHeader(headers, "authorization");
+    const match = /^Arc-Signature\s+(.+)$/i.exec(authorization ?? "");
+    if (!match?.[1]) {
+        throw new ArcRequestVerificationError("missing_signature", "Arc-Signature authorization header is required.");
+    }
+    return match[1].trim();
+}
+function readHeader(headers, name) {
+    if (headers instanceof Headers) {
+        return headers.get(name);
+    }
+    const pair = Object.entries(headers).find(([key]) => key.toLowerCase() === name.toLowerCase());
+    const value = pair?.[1];
+    if (Array.isArray(value)) {
+        return value[0] ?? null;
+    }
+    return value ?? null;
+}
+function bodyToJson(body) {
+    if (typeof body === "string") {
+        return body;
+    }
+    if (body instanceof Uint8Array) {
+        return new TextDecoder().decode(body);
+    }
+    return canonicalJson(body);
+}
+function parseBody(bodyJson) {
+    let parsed;
+    try {
+        parsed = JSON.parse(bodyJson);
+    }
+    catch {
+        throw new ArcRequestVerificationError("invalid_body", "Arc request body is invalid.");
+    }
+    if (!isPlainObject(parsed)) {
+        throw new ArcRequestVerificationError("invalid_body", "Arc request body is invalid.");
+    }
+    const body = parsed;
+    if (typeof body.invocation_id !== "string" ||
+        typeof body.app_id !== "string" ||
+        typeof body.action_key !== "string" ||
+        typeof body.app_user_id !== "string" ||
+        typeof body.org_id !== "string" ||
+        typeof body.workspace_id !== "string" ||
+        (body.decision !== "allow" && body.decision !== "ask") ||
+        !riskLevels.has(body.risk_level) ||
+        typeof body.input_hash !== "string" ||
+        typeof body.timestamp !== "string" ||
+        typeof body.nonce !== "string" ||
+        !body.agent ||
+        !body.user) {
+        throw new ArcRequestVerificationError("invalid_body", "Arc request body is invalid.");
+    }
+    if (body.authorization !== undefined &&
+        (!isPlainObject(body.authorization) ||
+            body.authorization.issued_by !== "arc" ||
+            (body.authorization.decision !== "allow" && body.authorization.decision !== "ask") ||
+            (body.authorization.delegation_id !== null && typeof body.authorization.delegation_id !== "string") ||
+            (body.authorization.delegation_status !== null && typeof body.authorization.delegation_status !== "string") ||
+            (body.authorization.approval_status !== null && typeof body.authorization.approval_status !== "string"))) {
+        throw new ArcRequestVerificationError("invalid_body", "Arc request authorization context is invalid.");
+    }
+    return body;
+}
+function parseClaims(value) {
+    let parsed;
+    try {
+        parsed = JSON.parse(value);
+    }
+    catch {
+        throw new ArcRequestVerificationError("invalid_signature", "Arc signature claims are invalid.");
+    }
+    if (!isPlainObject(parsed)) {
+        throw new ArcRequestVerificationError("invalid_signature", "Arc signature claims are invalid.");
+    }
+    const claims = parsed;
+    if (typeof claims.invocation_id !== "string" ||
+        typeof claims.app_id !== "string" ||
+        typeof claims.action_key !== "string" ||
+        typeof claims.body_hash !== "string" ||
+        typeof claims.input_hash !== "string" ||
+        typeof claims.timestamp !== "string" ||
+        typeof claims.org_id !== "string" ||
+        typeof claims.workspace_id !== "string" ||
+        typeof claims.nonce !== "string") {
+        throw new ArcRequestVerificationError("invalid_signature", "Arc signature claims are invalid.");
+    }
+    return claims;
+}
+function parseAuthorityClaims(value) {
+    let parsed;
+    try {
+        parsed = JSON.parse(value);
+    }
+    catch {
+        throw new ArcRequestVerificationError("invalid_authority_token", "Arc authority token claims are invalid.");
+    }
+    if (!isPlainObject(parsed)) {
+        throw new ArcRequestVerificationError("invalid_authority_token", "Arc authority token claims are invalid.");
+    }
+    const claims = parsed;
+    if (claims.token_use !== "arc_authority" ||
+        typeof claims.iss !== "string" ||
+        typeof claims.sub !== "string" ||
+        typeof claims.aud !== "string" ||
+        typeof claims.scope !== "string" ||
+        typeof claims.human_user_id !== "string" ||
+        typeof claims.agent_id !== "string" ||
+        typeof claims.org_id !== "string" ||
+        typeof claims.workspace_id !== "string" ||
+        typeof claims.invocation_id !== "string" ||
+        typeof claims.app_id !== "string" ||
+        typeof claims.action_key !== "string" ||
+        typeof claims.body_hash !== "string" ||
+        typeof claims.input_hash !== "string" ||
+        typeof claims.timestamp !== "string" ||
+        typeof claims.nonce !== "string" ||
+        typeof claims.jti !== "string" ||
+        typeof claims.iat !== "number" ||
+        typeof claims.exp !== "number" ||
+        (claims.decision !== "allow" && claims.decision !== "ask") ||
+        (claims.delegation_id !== null && typeof claims.delegation_id !== "string") ||
+        (claims.approval_id !== null && typeof claims.approval_id !== "string") ||
+        !riskLevels.has(claims.risk_level) ||
+        !["pending", "unverified", "verified", "official", "internal"].includes(String(claims.app_verification_status)) ||
+        claims.aud !== claims.app_id ||
+        claims.jti !== claims.invocation_id) {
+        throw new ArcRequestVerificationError("invalid_authority_token", "Arc authority token claims are invalid.");
+    }
+    return claims;
+}
+function readAuthorityTokenFromRequest(request) {
+    const headers = readRequestHeaders(request);
+    const explicit = readHeader(headers, "x-arc-authority-token");
+    if (explicit) {
+        return explicit;
+    }
+    const authorization = readHeader(headers, "authorization");
+    const arcSignature = /^Arc-Signature\s+(.+)$/i.exec(authorization ?? "");
+    if (arcSignature?.[1]) {
+        return arcSignature[1].trim();
+    }
+    const bearer = /^Bearer\s+(.+)$/i.exec(authorization ?? "");
+    return bearer?.[1]?.trim() ?? null;
+}
+function readRequestHeaders(request) {
+    if (request instanceof Request) {
+        return request.headers;
+    }
+    if (isPlainObject(request) && request.headers !== undefined) {
+        return request.headers;
+    }
+    return {};
+}
+function attachArcAuthority(request, claims) {
+    if (request && typeof request === "object") {
+        request.arcAuthority = claims;
+    }
+}
+function verifyTimestamp(timestamp, options) {
+    const parsed = Date.parse(timestamp);
+    if (!Number.isFinite(parsed)) {
+        throw new ArcRequestVerificationError("stale_timestamp", "Arc timestamp is invalid.");
+    }
+    const now = options.now?.getTime() ?? Date.now();
+    const skewMs = options.maxTimestampSkewMs ?? defaultMaxTimestampSkewMs;
+    if (Math.abs(now - parsed) > skewMs) {
+        throw new ArcRequestVerificationError("stale_timestamp", "Arc timestamp is outside the freshness window.");
+    }
+}
+async function verifyNonce(nonce, timestamp, options) {
+    const skewMs = options.maxTimestampSkewMs ?? defaultMaxTimestampSkewMs;
+    const expiresAt = new Date(Date.parse(timestamp) + skewMs);
+    const store = options.nonceStore ?? (options.unsafeAllowInMemoryNonceStore ? defaultNonceStore : null);
+    if (!store) {
+        throw new ArcRequestVerificationError("nonce_store_required", "Arc request verification requires a nonceStore backed by persistent shared storage.");
+    }
+    const accepted = await store.useNonce(nonce, expiresAt);
+    if (!accepted) {
+        throw new ArcRequestVerificationError("nonce_replayed", "Arc nonce has already been used.");
+    }
+}
+async function normalizeActionRequest(request) {
+    if (isFetchRequest(request)) {
+        return {
+            body: await request.text(),
+            headers: request.headers
+        };
+    }
+    if (isObjectWithHeaders(request)) {
+        const body = "body" in request && request.body !== undefined
+            ? request.body
+            : await readRequestStream(request);
+        return {
+            body: normalizeRequestBody(body),
+            headers: normalizeRequestHeaders(request.headers)
+        };
+    }
+    throw new ArcValidationError("invalid_request", "Arc action handler received an unsupported request.");
+}
+function normalizeRequestBody(body) {
+    if (typeof body === "string" || body instanceof Uint8Array || isArcExecutionRequestBody(body)) {
+        return body;
+    }
+    if (Buffer.isBuffer(body)) {
+        return new Uint8Array(body);
+    }
+    if (isPlainObject(body)) {
+        return body;
+    }
+    throw new ArcValidationError("invalid_request", "Arc request body is unsupported.");
+}
+function normalizeRequestHeaders(headers) {
+    if (headers instanceof Headers) {
+        return headers;
+    }
+    if (!isPlainObject(headers)) {
+        return {};
+    }
+    const normalized = {};
+    for (const [key, value] of Object.entries(headers)) {
+        if (typeof value === "string" || Array.isArray(value)) {
+            normalized[key] = value;
+        }
+    }
+    return normalized;
+}
+async function readRequestStream(request) {
+    if (!isAsyncIterable(request)) {
+        return "";
+    }
+    const chunks = [];
+    for await (const chunk of request) {
+        if (typeof chunk === "string") {
+            chunks.push(Buffer.from(chunk));
+        }
+        else if (chunk instanceof Uint8Array) {
+            chunks.push(chunk);
+        }
+    }
+    return Buffer.concat(chunks).toString("utf8");
+}
+function sendActionResponse(request, response, statusCode, body) {
+    if (isExpressResponse(response)) {
+        return response.status(statusCode).json(body);
+    }
+    if (isFastifyReply(response)) {
+        return response.code(statusCode).send(body);
+    }
+    if (isFetchRequest(request) && typeof Response !== "undefined") {
+        return Response.json(body, { status: statusCode });
+    }
+    return body;
+}
+function isFetchRequest(value) {
+    return typeof Request !== "undefined" && value instanceof Request;
+}
+function isObjectWithHeaders(value) {
+    return Boolean(value && typeof value === "object" && "headers" in value);
+}
+function isAsyncIterable(value) {
+    return Boolean(value && typeof value === "object" && Symbol.asyncIterator in value);
+}
+function isExpressResponse(value) {
+    return Boolean(value &&
+        typeof value === "object" &&
+        "status" in value &&
+        typeof value.status === "function");
+}
+function isFastifyReply(value) {
+    return Boolean(value &&
+        typeof value === "object" &&
+        "code" in value &&
+        typeof value.code === "function");
+}
+function isArcExecutionRequestBody(value) {
+    return Boolean(value &&
+        typeof value === "object" &&
+        "invocation_id" in value &&
+        "action_key" in value &&
+        "app_id" in value);
+}
+function isJwks(value) {
+    return Boolean(value &&
+        typeof value === "object" &&
+        Array.isArray(value.keys));
+}
+function parseJsonResponse(text) {
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        throw new ArcError("invalid_json", "Arc response was not valid JSON.");
+    }
+}
+function parseSetCookie(headers) {
+    const setCookie = headers.get("set-cookie");
+    if (!setCookie) {
+        return null;
+    }
+    const [cookie] = setCookie.split(";");
+    return cookie?.trim() || null;
+}
+function asServerError(value) {
+    if (isPlainObject(value) &&
+        isPlainObject(value.error) &&
+        typeof value.error.code === "string" &&
+        typeof value.error.message === "string") {
+        return {
+            code: value.error.code,
+            message: value.error.message
+        };
+    }
+    return {
+        code: "request_failed",
+        message: "Arc request failed."
+    };
+}
+function sha256Hex(value) {
+    return createHash("sha256").update(value, "utf8").digest("hex");
+}
+function canonicalJson(value) {
+    return JSON.stringify(sortJson(value));
+}
+function sortJson(value) {
+    if (Array.isArray(value)) {
+        return value.map(sortJson);
+    }
+    if (value && typeof value === "object") {
+        return Object.fromEntries(Object.entries(value)
+            .sort(([left], [right]) => left.localeCompare(right))
+            .map(([key, item]) => [key, sortJson(item)]));
+    }
+    return value;
+}
+function isPlainObject(value) {
+    return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function trimTrailingSlash(value) {
+    return value.replace(/\/+$/u, "");
+}
+//# sourceMappingURL=index.js.map