@grackle-ai/auth 0.115.0 → 0.115.1

package/dist/channel-token.d.ts

@@ -0,0 +1,38 @@
+/** Claims embedded in a channel-capability token payload. */
+export interface ChannelTokenClaims {
+    /** Channel URI this token grants access to, e.g. `grackle:/sessions/<id>`. */
+    chan: string;
+    /** Verbs permitted on the channel, e.g. `["send_input"]`. */
+    verbs: string[];
+    /** Grant ID (links the token to its persisted, revocable grant row). */
+    jti: string;
+    /** Issued-at time (epoch seconds). */
+    iat: number;
+    /** Expiry time (epoch seconds). */
+    exp: number;
+}
+/**
+ * Create a channel-capability token signed with the provided secret.
+ *
+ * The token grants a specific set of verbs on a single channel URI and is
+ * bound to a grant ID (`jti`) so it can be revoked independently of expiry.
+ *
+ * @param claims - Channel, verbs, and grant ID. `iat`/`exp` are set automatically.
+ * @param signingSecret - Secret used to HMAC-sign the token (the server API key).
+ * @param ttlMs - Token time-to-live in milliseconds (default: 365 days).
+ * @returns The signed opaque token string (`<payload>.<signature>`).
+ */
+export declare function createChannelToken(claims: Pick<ChannelTokenClaims, "chan" | "verbs" | "jti">, signingSecret: string, ttlMs?: number): string;
+/**
+ * Verify a channel token's signature, structure, and expiry.
+ *
+ * Uses constant-time comparison for the HMAC signature. Revocation is NOT
+ * checked here (the in-token `jti` must be checked against the persisted,
+ * revocable grant row by the caller).
+ *
+ * @param token - The token string to verify.
+ * @param signingSecret - The secret used to verify the HMAC signature.
+ * @returns The decoded claims if valid, or `undefined` if verification fails.
+ */
+export declare function verifyChannelToken(token: string, signingSecret: string): ChannelTokenClaims | undefined;
+//# sourceMappingURL=channel-token.d.ts.map

package/dist/channel-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel-token.d.ts","sourceRoot":"","sources":["../src/channel-token.ts"],"names":[],"mappings":"AAWA,6DAA6D;AAC7D,MAAM,WAAW,kBAAkB;IACjC,8EAA8E;IAC9E,IAAI,EAAE,MAAM,CAAC;IACb,6DAA6D;IAC7D,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,wEAAwE;IACxE,GAAG,EAAE,MAAM,CAAC;IACZ,sCAAsC;IACtC,GAAG,EAAE,MAAM,CAAC;IACZ,mCAAmC;IACnC,GAAG,EAAE,MAAM,CAAC;CACb;AAiBD;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,IAAI,CAAC,kBAAkB,EAAE,MAAM,GAAG,OAAO,GAAG,KAAK,CAAC,EAC1D,aAAa,EAAE,MAAM,EACrB,KAAK,GAAE,MAAuB,GAC7B,MAAM,CAYR;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS,CAwDvG"}

package/dist/channel-token.js

@@ -0,0 +1,108 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+/**
+ * Default channel-token time-to-live: 365 days in milliseconds.
+ *
+ * Channel tokens back stable external webhook URLs (e.g. pasted into n8n), so
+ * they are long-lived by default; the real kill switch is grant revocation
+ * (persisted), not expiry.
+ */
+const DEFAULT_TTL_MS = 365 * 24 * 60 * 60 * 1000;
+/** Encode a buffer as base64url (no padding). */
+function toBase64Url(buf) {
+    return buf.toString("base64url");
+}
+/** Decode a base64url string to a Buffer. */
+function fromBase64Url(str) {
+    return Buffer.from(str, "base64url");
+}
+/** Compute HMAC-SHA256 signature over a payload string. */
+function sign(payload, secret) {
+    return createHmac("sha256", secret).update(payload).digest();
+}
+/**
+ * Create a channel-capability token signed with the provided secret.
+ *
+ * The token grants a specific set of verbs on a single channel URI and is
+ * bound to a grant ID (`jti`) so it can be revoked independently of expiry.
+ *
+ * @param claims - Channel, verbs, and grant ID. `iat`/`exp` are set automatically.
+ * @param signingSecret - Secret used to HMAC-sign the token (the server API key).
+ * @param ttlMs - Token time-to-live in milliseconds (default: 365 days).
+ * @returns The signed opaque token string (`<payload>.<signature>`).
+ */
+export function createChannelToken(claims, signingSecret, ttlMs = DEFAULT_TTL_MS) {
+    const now = Math.floor(Date.now() / 1000);
+    const payload = {
+        chan: claims.chan,
+        verbs: [...claims.verbs],
+        jti: claims.jti,
+        iat: now,
+        exp: now + Math.floor(ttlMs / 1000),
+    };
+    const payloadEncoded = toBase64Url(Buffer.from(JSON.stringify(payload), "utf8"));
+    const signature = toBase64Url(sign(payloadEncoded, signingSecret));
+    return `${payloadEncoded}.${signature}`;
+}
+/**
+ * Verify a channel token's signature, structure, and expiry.
+ *
+ * Uses constant-time comparison for the HMAC signature. Revocation is NOT
+ * checked here (the in-token `jti` must be checked against the persisted,
+ * revocable grant row by the caller).
+ *
+ * @param token - The token string to verify.
+ * @param signingSecret - The secret used to verify the HMAC signature.
+ * @returns The decoded claims if valid, or `undefined` if verification fails.
+ */
+export function verifyChannelToken(token, signingSecret) {
+    const dotIndex = token.indexOf(".");
+    if (dotIndex === -1 || dotIndex === 0 || dotIndex === token.length - 1) {
+        return undefined;
+    }
+    // Reject tokens with multiple dots.
+    if (token.indexOf(".", dotIndex + 1) !== -1) {
+        return undefined;
+    }
+    const payloadEncoded = token.slice(0, dotIndex);
+    const signatureEncoded = token.slice(dotIndex + 1);
+    // Verify signature using constant-time comparison.
+    const expectedSignature = sign(payloadEncoded, signingSecret);
+    let actualSignature;
+    try {
+        actualSignature = fromBase64Url(signatureEncoded);
+    }
+    catch {
+        return undefined;
+    }
+    if (expectedSignature.length !== actualSignature.length) {
+        return undefined;
+    }
+    if (!timingSafeEqual(expectedSignature, actualSignature)) {
+        return undefined;
+    }
+    // Decode and parse payload.
+    let claims;
+    try {
+        const payloadStr = fromBase64Url(payloadEncoded).toString("utf8");
+        claims = JSON.parse(payloadStr);
+    }
+    catch {
+        return undefined;
+    }
+    // Validate claim types to prevent bypass via crafted payloads.
+    if (typeof claims.chan !== "string" ||
+        !Array.isArray(claims.verbs) ||
+        !claims.verbs.every((v) => typeof v === "string") ||
+        typeof claims.jti !== "string" ||
+        !Number.isFinite(claims.iat) ||
+        !Number.isFinite(claims.exp)) {
+        return undefined;
+    }
+    // Check expiry (exp must be strictly greater than both iat and now).
+    const now = Math.floor(Date.now() / 1000);
+    if (claims.exp <= now || claims.exp <= claims.iat) {
+        return undefined;
+    }
+    return claims;
+}
+//# sourceMappingURL=channel-token.js.map

package/dist/channel-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel-token.js","sourceRoot":"","sources":["../src/channel-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE1D;;;;;;GAMG;AACH,MAAM,cAAc,GAAW,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAgBzD,iDAAiD;AACjD,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACnC,CAAC;AAED,6CAA6C;AAC7C,SAAS,aAAa,CAAC,GAAW;IAChC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;AACvC,CAAC;AAED,2DAA2D;AAC3D,SAAS,IAAI,CAAC,OAAe,EAAE,MAAc;IAC3C,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;AAC/D,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAA0D,EAC1D,aAAqB,EACrB,QAAgB,cAAc;IAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAuB;QAClC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,KAAK,EAAE,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC;KACpC,CAAC;IACF,MAAM,cAAc,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACjF,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC,CAAC;IACnE,OAAO,GAAG,cAAc,IAAI,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,aAAqB;IACrE,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,QAAQ,KAAK,CAAC,CAAC,IAAI,QAAQ,KAAK,CAAC,IAAI,QAAQ,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvE,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,oCAAoC;IACpC,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QAC5C,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,gBAAgB,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IAEnD,mDAAmD;IACnD,MAAM,iBAAiB,GAAG,IAAI,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;IAC9D,IAAI,eAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,eAAe,GAAG,aAAa,CAAC,gBAAgB,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,iBAAiB,CAAC,MAAM,KAAK,eAAe,CAAC,MAAM,EAAE,CAAC;QACxD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,CAAC,eAAe,CAAC,iBAAiB,EAAE,eAAe,CAAC,EAAE,CAAC;QACzD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,4BAA4B;IAC5B,IAAI,MAA0B,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,aAAa,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAClE,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAuB,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,+DAA+D;IAC/D,IACE,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ;QAC/B,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;QAC5B,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QACjD,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC;QAC5B,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAC5B,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,qEAAqE;IACrE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,MAAM,CAAC,GAAG,IAAI,GAAG,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;QAClD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/index.d.ts

@@ -9,6 +9,8 @@ export type { OAuthTokenClaims } from "./oauth-token.js";
 export { OAUTH_ACCESS_TOKEN_TTL_MS, OAUTH_REFRESH_TOKEN_TTL_MS, createOAuthAccessToken, verifyOAuthAccessToken, } from "./oauth-token.js";
 export type { ScopedTokenClaims } from "./scoped-token.js";
 export { createScopedToken, verifyScopedToken, revokeTask, isRevokedTask, pruneRevocations, clearRevocations, } from "./scoped-token.js";
+export type { ChannelTokenClaims } from "./channel-token.js";
+export { createChannelToken, verifyChannelToken, } from "./channel-token.js";
 export type { AuthContext } from "./auth-context.js";
 export { authenticateMcpRequest } from "./auth-middleware.js";
 export { WEB_CONTENT_SECURITY_POLICY, setSecurityHeaders } from "./security-headers.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGpE,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAGhE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,YAAY,EACZ,aAAa,EACb,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAGtB,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AACnF,OAAO,EACL,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,wBAAwB,EACxB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,eAAe,EACf,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,YAAY,CAAC;AAGpB,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,EACL,yBAAyB,EACzB,0BAA0B,EAC1B,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAG1B,YAAY,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAG3B,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAGrD,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAG9D,OAAO,EAAE,2BAA2B,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGpE,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAGhE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,YAAY,EACZ,aAAa,EACb,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAGtB,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AACnF,OAAO,EACL,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,wBAAwB,EACxB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,eAAe,EACf,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,YAAY,CAAC;AAGpB,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,EACL,yBAAyB,EACzB,0BAA0B,EAC1B,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAG1B,YAAY,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAG3B,YAAY,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EACL,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAG5B,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAGrD,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAG9D,OAAO,EAAE,2BAA2B,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/index.js

@@ -8,6 +8,7 @@ export { generatePairingCode, redeemPairingCode, clearPairing, startPairingClean
 export { registerClient, getClient, createAuthorizationCode, consumeAuthorizationCode, createRefreshToken, consumeRefreshToken, computeCodeChallenge, verifyCodeChallenge, clearOAuthState, startOAuthCleanup, stopOAuthCleanup, } from "./oauth.js";
 export { OAUTH_ACCESS_TOKEN_TTL_MS, OAUTH_REFRESH_TOKEN_TTL_MS, createOAuthAccessToken, verifyOAuthAccessToken, } from "./oauth-token.js";
 export { createScopedToken, verifyScopedToken, revokeTask, isRevokedTask, pruneRevocations, clearRevocations, } from "./scoped-token.js";
+export { createChannelToken, verifyChannelToken, } from "./channel-token.js";
 // ─── Auth Middleware ────────────────────────────────────────
 export { authenticateMcpRequest } from "./auth-middleware.js";
 // ─── Security Headers ──────────────────────────────────────

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEpE,+DAA+D;AAC/D,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAEhE,+DAA+D;AAC/D,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,YAAY,EACZ,aAAa,EACb,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAEtB,+DAA+D;AAC/D,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAItB,OAAO,EACL,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,wBAAwB,EACxB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,eAAe,EACf,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,YAAY,CAAC;AAIpB,OAAO,EACL,yBAAyB,EACzB,0BAA0B,EAC1B,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAK3B,+DAA+D;AAC/D,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAE9D,8DAA8D;AAC9D,OAAO,EAAE,2BAA2B,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEpE,+DAA+D;AAC/D,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAEhE,+DAA+D;AAC/D,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,YAAY,EACZ,aAAa,EACb,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAEtB,+DAA+D;AAC/D,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAItB,OAAO,EACL,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,wBAAwB,EACxB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,eAAe,EACf,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,YAAY,CAAC;AAIpB,OAAO,EACL,yBAAyB,EACzB,0BAA0B,EAC1B,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAI3B,OAAO,EACL,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAK5B,+DAA+D;AAC/D,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAE9D,8DAA8D;AAC9D,OAAO,EAAE,2BAA2B,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@grackle-ai/auth",
-  "version": "0.115.0",
+  "version": "0.115.1",
   "description": "Authentication and authorization primitives for Grackle",
   "license": "MIT",
   "repository": {
@@ -29,7 +29,7 @@
     "dist/"
   ],
   "dependencies": {
-    "@grackle-ai/common": "0.115.0"
+    "@grackle-ai/common": "0.115.1"
   },
   "devDependencies": {
     "@rushstack/heft": "1.2.7",