@grackle-ai/auth 0.72.3

package/dist/oauth.js

@@ -0,0 +1,225 @@
+import { randomUUID, randomBytes, createHash } from "node:crypto";
+import { getAuthLogger } from "./auth-logger.js";
+/** Time-to-live for authorization codes: 30 seconds. */
+const AUTH_CODE_TTL_MS = 30 * 1000;
+/** Time-to-live for refresh tokens: 30 days. */
+const REFRESH_TOKEN_TTL_MS = 30 * 24 * 60 * 60 * 1000;
+/** Interval at which expired OAuth state is cleaned up. */
+const CLEANUP_INTERVAL_MS = 60 * 1000;
+/** Byte length of generated tokens (authorization codes, refresh tokens). */
+const TOKEN_BYTE_LENGTH = 32;
+/** Maximum number of registered OAuth clients to prevent unbounded growth. */
+const MAX_CLIENTS = 100;
+/** Time-to-live for client registrations: 7 days. */
+const CLIENT_TTL_MS = 7 * 24 * 60 * 60 * 1000;
+/** Registered OAuth clients keyed by client ID. */
+const clients = new Map();
+/**
+ * Register a new OAuth client with dynamic client registration.
+ *
+ * @param redirectUris - List of allowed redirect URIs for this client.
+ * @param clientName - Human-readable name for the client (optional).
+ * @returns The newly registered client record.
+ */
+export function registerClient(redirectUris, clientName) {
+    // Evict expired clients before checking capacity
+    const now = Date.now();
+    for (const [id, rec] of clients) {
+        if (now - rec.createdAt > CLIENT_TTL_MS) {
+            clients.delete(id);
+        }
+    }
+    if (clients.size >= MAX_CLIENTS) {
+        getAuthLogger().warn({}, "Maximum registered OAuth clients reached (%d)");
+        return undefined;
+    }
+    const clientId = randomUUID();
+    const record = {
+        clientId,
+        redirectUris,
+        clientName: clientName || "Unknown Client",
+        createdAt: now,
+    };
+    clients.set(clientId, record);
+    getAuthLogger().info({ clientId, clientName: record.clientName }, "OAuth client registered");
+    return record;
+}
+/**
+ * Look up a registered client by ID.
+ *
+ * @param clientId - The client ID to look up.
+ * @returns The client record, or undefined if not found.
+ */
+export function getClient(clientId) {
+    return clients.get(clientId);
+}
+/** Active authorization codes keyed by code string. */
+const authCodes = new Map();
+/**
+ * Create a single-use authorization code bound to the given parameters.
+ *
+ * @param clientId - The client that requested authorization.
+ * @param redirectUri - The redirect URI for this authorization.
+ * @param codeChallenge - PKCE S256 code challenge.
+ * @param resource - The resource URL the client wants to access.
+ * @returns The generated authorization code string.
+ */
+export function createAuthorizationCode(clientId, redirectUri, codeChallenge, resource) {
+    const code = randomBytes(TOKEN_BYTE_LENGTH).toString("base64url");
+    const now = Date.now();
+    const record = {
+        code,
+        clientId,
+        redirectUri,
+        codeChallenge,
+        resource,
+        createdAt: now,
+        expiresAt: now + AUTH_CODE_TTL_MS,
+    };
+    authCodes.set(code, record);
+    getAuthLogger().info({ clientId }, "Authorization code created");
+    return code;
+}
+/**
+ * Compute the S256 code challenge from a code verifier.
+ *
+ * @param codeVerifier - The PKCE code verifier string.
+ * @returns The base64url-encoded SHA-256 hash.
+ */
+export function computeCodeChallenge(codeVerifier) {
+    return createHash("sha256").update(codeVerifier).digest("base64url");
+}
+/**
+ * Verify that a code verifier matches a code challenge using S256.
+ *
+ * @param codeVerifier - The PKCE code verifier from the token request.
+ * @param codeChallenge - The code challenge stored at authorization time.
+ * @returns True if the verifier matches the challenge.
+ */
+export function verifyCodeChallenge(codeVerifier, codeChallenge) {
+    const computed = computeCodeChallenge(codeVerifier);
+    return computed === codeChallenge;
+}
+/**
+ * Consume an authorization code, validating all parameters.
+ *
+ * The code is deleted regardless of whether validation succeeds (single-use).
+ *
+ * @param code - The authorization code to consume.
+ * @param clientId - The client ID making the token request.
+ * @param redirectUri - The redirect URI from the token request.
+ * @param codeVerifier - The PKCE code verifier.
+ * @param resource - The resource URL from the token request.
+ * @returns The auth code record if valid, or undefined.
+ */
+export function consumeAuthorizationCode(code, clientId, redirectUri, codeVerifier, resource) {
+    const record = authCodes.get(code);
+    // Always delete to prevent replay — even if validation fails
+    authCodes.delete(code);
+    if (!record) {
+        return undefined;
+    }
+    const now = Date.now();
+    if (now > record.expiresAt) {
+        return undefined;
+    }
+    if (record.clientId !== clientId) {
+        return undefined;
+    }
+    if (record.redirectUri !== redirectUri) {
+        return undefined;
+    }
+    if (record.resource !== resource) {
+        return undefined;
+    }
+    if (!verifyCodeChallenge(codeVerifier, record.codeChallenge)) {
+        return undefined;
+    }
+    return record;
+}
+/** Active refresh tokens keyed by token string. */
+const refreshTokens = new Map();
+/**
+ * Create a new refresh token for the given client and resource.
+ *
+ * @param clientId - The client this refresh token is issued to.
+ * @param resource - The resource URL this refresh token is scoped to.
+ * @returns The generated refresh token string.
+ */
+export function createRefreshToken(clientId, resource) {
+    const token = randomBytes(TOKEN_BYTE_LENGTH).toString("base64url");
+    const now = Date.now();
+    refreshTokens.set(token, {
+        token,
+        clientId,
+        resource,
+        createdAt: now,
+        expiresAt: now + REFRESH_TOKEN_TTL_MS,
+    });
+    return token;
+}
+/**
+ * Consume a refresh token with rotation — the old token is invalidated and
+ * a new one must be issued in its place.
+ *
+ * @param token - The refresh token to consume.
+ * @param clientId - The client ID making the refresh request.
+ * @returns The refresh token record if valid, or undefined.
+ */
+export function consumeRefreshToken(token, clientId) {
+    const record = refreshTokens.get(token);
+    // Always delete to enforce rotation
+    refreshTokens.delete(token);
+    if (!record) {
+        return undefined;
+    }
+    const now = Date.now();
+    if (now > record.expiresAt) {
+        return undefined;
+    }
+    if (record.clientId !== clientId) {
+        return undefined;
+    }
+    return record;
+}
+// ─── Cleanup ──────────────────────────────────────────────────────────
+let cleanupTimer;
+/** Start the periodic OAuth state cleanup timer. Call once on server startup. */
+export function startOAuthCleanup() {
+    if (cleanupTimer) {
+        return;
+    }
+    cleanupTimer = setInterval(() => {
+        const now = Date.now();
+        for (const [id, record] of clients) {
+            if (now - record.createdAt > CLIENT_TTL_MS) {
+                clients.delete(id);
+            }
+        }
+        for (const [code, record] of authCodes) {
+            if (now > record.expiresAt) {
+                authCodes.delete(code);
+            }
+        }
+        for (const [token, record] of refreshTokens) {
+            if (now > record.expiresAt) {
+                refreshTokens.delete(token);
+            }
+        }
+    }, CLEANUP_INTERVAL_MS);
+    cleanupTimer.unref();
+}
+/** Stop the periodic OAuth state cleanup timer. */
+export function stopOAuthCleanup() {
+    if (cleanupTimer) {
+        clearInterval(cleanupTimer);
+        cleanupTimer = undefined;
+    }
+}
+/** Clear all OAuth state. Intended for testing only. */
+export function clearOAuthState() {
+    clients.clear();
+    authCodes.clear();
+    refreshTokens.clear();
+}
+//# sourceMappingURL=oauth.js.map

package/dist/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEjD,wDAAwD;AACxD,MAAM,gBAAgB,GAAW,EAAE,GAAG,IAAI,CAAC;AAE3C,gDAAgD;AAChD,MAAM,oBAAoB,GAAW,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE9D,2DAA2D;AAC3D,MAAM,mBAAmB,GAAW,EAAE,GAAG,IAAI,CAAC;AAE9C,6EAA6E;AAC7E,MAAM,iBAAiB,GAAW,EAAE,CAAC;AAErC,8EAA8E;AAC9E,MAAM,WAAW,GAAW,GAAG,CAAC;AAEhC,qDAAqD;AACrD,MAAM,aAAa,GAAW,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAYtD,mDAAmD;AACnD,MAAM,OAAO,GAA8B,IAAI,GAAG,EAAE,CAAC;AAErD;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,YAAsB,EAAE,UAAmB;IACxE,iDAAiD;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,IAAI,OAAO,EAAE,CAAC;QAChC,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS,GAAG,aAAa,EAAE,CAAC;YACxC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC;QAChC,aAAa,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,+CAA+C,CAAC,CAAC;QAC1E,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,QAAQ,GAAG,UAAU,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAiB;QAC3B,QAAQ;QACR,YAAY;QACZ,UAAU,EAAE,UAAU,IAAI,gBAAgB;QAC1C,SAAS,EAAE,GAAG;KACf,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9B,aAAa,EAAE,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,EAAE,yBAAyB,CAAC,CAAC;IAC7F,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,QAAgB;IACxC,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAeD,uDAAuD;AACvD,MAAM,SAAS,GAAgC,IAAI,GAAG,EAAE,CAAC;AAEzD;;;;;;;;GAQG;AACH,MAAM,UAAU,uBAAuB,CACrC,QAAgB,EAChB,WAAmB,EACnB,aAAqB,EACrB,QAAgB;IAEhB,MAAM,IAAI,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAmB;QAC7B,IAAI;QACJ,QAAQ;QACR,WAAW;QACX,aAAa;QACb,QAAQ;QACR,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG,GAAG,gBAAgB;KAClC,CAAC;IACF,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC5B,aAAa,EAAE,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,4BAA4B,CAAC,CAAC;IACjE,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,YAAoB;IACvD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AACvE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,YAAoB,EAAE,aAAqB;IAC7E,MAAM,QAAQ,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;IACpD,OAAO,QAAQ,KAAK,aAAa,CAAC;AACpC,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,wBAAwB,CACtC,IAAY,EACZ,QAAgB,EAChB,WAAmB,EACnB,YAAoB,EACpB,QAAgB;IAEhB,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACnC,6DAA6D;IAC7D,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAEvB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QAC3B,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,MAAM,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;QACvC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAaD,mDAAmD;AACnD,MAAM,aAAa,GAAoC,IAAI,GAAG,EAAE,CAAC;AAEjE;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAgB,EAAE,QAAgB;IACnE,MAAM,KAAK,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACnE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE;QACvB,KAAK;QACL,QAAQ;QACR,QAAQ;QACR,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG,GAAG,oBAAoB;KACtC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAa,EAAE,QAAgB;IACjE,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACxC,oCAAoC;IACpC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAE5B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QAC3B,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,yEAAyE;AAEzE,IAAI,YAAwD,CAAC;AAE7D,iFAAiF;AACjF,MAAM,UAAU,iBAAiB;IAC/B,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO;IACT,CAAC;IACD,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACnC,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,GAAG,aAAa,EAAE,CAAC;gBAC3C,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;YACvC,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC3B,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;YAC5C,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC3B,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;IACH,CAAC,EAAE,mBAAmB,CAAC,CAAC;IACxB,YAAY,CAAC,KAAK,EAAE,CAAC;AACvB,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,gBAAgB;IAC9B,IAAI,YAAY,EAAE,CAAC;QACjB,aAAa,CAAC,YAAY,CAAC,CAAC;QAC5B,YAAY,GAAG,SAAS,CAAC;IAC3B,CAAC;AACH,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,eAAe;IAC7B,OAAO,CAAC,KAAK,EAAE,CAAC;IAChB,SAAS,CAAC,KAAK,EAAE,CAAC;IAClB,aAAa,CAAC,KAAK,EAAE,CAAC;AACxB,CAAC"}

package/dist/pairing.d.ts

@@ -0,0 +1,22 @@
+/** Start the periodic cleanup timer. Call once on server startup. */
+export declare function startPairingCleanup(): void;
+/** Stop the periodic cleanup timer. */
+export declare function stopPairingCleanup(): void;
+/**
+ * Generate a new pairing code.
+ *
+ * Returns the 6-character uppercase alphanumeric code, or undefined
+ * if the maximum number of active codes has been reached.
+ */
+export declare function generatePairingCode(): string | undefined;
+/**
+ * Attempt to redeem a pairing code. Returns true if the code was valid
+ * and has been consumed (burned). Returns false otherwise.
+ *
+ * @param code - The pairing code to redeem (case-insensitive).
+ * @param remoteIp - The remote IP address for rate limiting.
+ */
+export declare function redeemPairingCode(code: string, remoteIp: string): boolean;
+/** Clear all pairing codes and rate limits (for testing). */
+export declare function clearPairing(): void;
+//# sourceMappingURL=pairing.d.ts.map

package/dist/pairing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pairing.d.ts","sourceRoot":"","sources":["../src/pairing.ts"],"names":[],"mappings":"AA4CA,qEAAqE;AACrE,wBAAgB,mBAAmB,IAAI,IAAI,CAmB1C;AAED,uCAAuC;AACvC,wBAAgB,kBAAkB,IAAI,IAAI,CAKzC;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,GAAG,SAAS,CAgCxD;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAuCzE;AAED,6DAA6D;AAC7D,wBAAgB,YAAY,IAAI,IAAI,CAGnC"}

package/dist/pairing.js

@@ -0,0 +1,136 @@
+import { randomBytes } from "node:crypto";
+import { getAuthLogger } from "./auth-logger.js";
+/** How long a pairing code is valid after generation. */
+const PAIRING_CODE_TTL_MS = 5 * 60 * 1000;
+/** Maximum number of active (unexpired) pairing codes. */
+const MAX_ACTIVE_CODES = 10;
+/** Number of characters in a pairing code. */
+const PAIRING_CODE_LENGTH = 6;
+/** Maximum failed redemption attempts per IP before blocking. */
+const MAX_FAILED_ATTEMPTS = 5;
+/** Duration to block an IP after exceeding failed attempts. */
+const RATE_LIMIT_WINDOW_MS = 60 * 1000;
+/** Duration to block an IP after exceeding the rate limit. */
+const RATE_LIMIT_BLOCK_MS = 5 * 60 * 1000;
+/** Interval at which expired codes and rate-limit entries are cleaned up. */
+const CLEANUP_INTERVAL_MS = 60 * 1000;
+/** Active pairing codes keyed by code string (uppercase). */
+const activeCodes = new Map();
+/** Rate-limit tracking keyed by remote IP. */
+const rateLimits = new Map();
+let cleanupTimer;
+/** Start the periodic cleanup timer. Call once on server startup. */
+export function startPairingCleanup() {
+    if (cleanupTimer) {
+        return;
+    }
+    cleanupTimer = setInterval(() => {
+        const now = Date.now();
+        for (const [code, record] of activeCodes) {
+            if (now > record.expiresAt) {
+                activeCodes.delete(code);
+            }
+        }
+        for (const [ip, record] of rateLimits) {
+            if (now > record.blockedUntil && now - record.firstAttempt > RATE_LIMIT_WINDOW_MS) {
+                rateLimits.delete(ip);
+            }
+        }
+    }, CLEANUP_INTERVAL_MS);
+    // Allow the process to exit even if the timer is still running
+    cleanupTimer.unref();
+}
+/** Stop the periodic cleanup timer. */
+export function stopPairingCleanup() {
+    if (cleanupTimer) {
+        clearInterval(cleanupTimer);
+        cleanupTimer = undefined;
+    }
+}
+/**
+ * Generate a new pairing code.
+ *
+ * Returns the 6-character uppercase alphanumeric code, or undefined
+ * if the maximum number of active codes has been reached.
+ */
+export function generatePairingCode() {
+    // Purge expired codes first
+    const now = Date.now();
+    for (const [code, record] of activeCodes) {
+        if (now > record.expiresAt) {
+            activeCodes.delete(code);
+        }
+    }
+    if (activeCodes.size >= MAX_ACTIVE_CODES) {
+        getAuthLogger().warn({}, "Maximum active pairing codes reached (%d)");
+        return undefined;
+    }
+    // Generate a code that doesn't collide with existing ones
+    let code;
+    do {
+        code = randomBytes(4)
+            .toString("base64url")
+            .replace(/[^A-Za-z0-9]/g, "")
+            .slice(0, PAIRING_CODE_LENGTH)
+            .toUpperCase();
+    } while (code.length < PAIRING_CODE_LENGTH || activeCodes.has(code));
+    const record = {
+        code,
+        createdAt: now,
+        expiresAt: now + PAIRING_CODE_TTL_MS,
+    };
+    activeCodes.set(code, record);
+    getAuthLogger().info({ expiresIn: PAIRING_CODE_TTL_MS / 1000 }, "Generated pairing code");
+    return code;
+}
+/**
+ * Attempt to redeem a pairing code. Returns true if the code was valid
+ * and has been consumed (burned). Returns false otherwise.
+ *
+ * @param code - The pairing code to redeem (case-insensitive).
+ * @param remoteIp - The remote IP address for rate limiting.
+ */
+export function redeemPairingCode(code, remoteIp) {
+    const now = Date.now();
+    const normalised = code.toUpperCase().trim();
+    // Check rate limit
+    const limit = rateLimits.get(remoteIp);
+    if (limit && now < limit.blockedUntil) {
+        getAuthLogger().warn({ remoteIp }, "Pairing attempt blocked by rate limit");
+        return false;
+    }
+    const record = activeCodes.get(normalised);
+    if (!record || now > record.expiresAt) {
+        // Record failed attempt
+        if (limit) {
+            if (now - limit.firstAttempt > RATE_LIMIT_WINDOW_MS) {
+                // Reset window
+                rateLimits.set(remoteIp, { attempts: 1, firstAttempt: now, blockedUntil: 0 });
+            }
+            else {
+                limit.attempts++;
+                if (limit.attempts >= MAX_FAILED_ATTEMPTS) {
+                    limit.blockedUntil = now + RATE_LIMIT_BLOCK_MS;
+                    getAuthLogger().warn({ remoteIp, attempts: limit.attempts }, "Rate limit triggered for pairing attempts");
+                }
+            }
+        }
+        else {
+            rateLimits.set(remoteIp, { attempts: 1, firstAttempt: now, blockedUntil: 0 });
+        }
+        if (record && now > record.expiresAt) {
+            activeCodes.delete(normalised);
+        }
+        return false;
+    }
+    // Burn the code — single use
+    activeCodes.delete(normalised);
+    getAuthLogger().info({}, "Pairing code redeemed");
+    return true;
+}
+/** Clear all pairing codes and rate limits (for testing). */
+export function clearPairing() {
+    activeCodes.clear();
+    rateLimits.clear();
+}
+//# sourceMappingURL=pairing.js.map

package/dist/pairing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pairing.js","sourceRoot":"","sources":["../src/pairing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEjD,yDAAyD;AACzD,MAAM,mBAAmB,GAAW,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAElD,0DAA0D;AAC1D,MAAM,gBAAgB,GAAW,EAAE,CAAC;AAEpC,8CAA8C;AAC9C,MAAM,mBAAmB,GAAW,CAAC,CAAC;AAEtC,iEAAiE;AACjE,MAAM,mBAAmB,GAAW,CAAC,CAAC;AAEtC,+DAA+D;AAC/D,MAAM,oBAAoB,GAAW,EAAE,GAAG,IAAI,CAAC;AAE/C,8DAA8D;AAC9D,MAAM,mBAAmB,GAAW,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAElD,6EAA6E;AAC7E,MAAM,mBAAmB,GAAW,EAAE,GAAG,IAAI,CAAC;AAc9C,6DAA6D;AAC7D,MAAM,WAAW,GAA+B,IAAI,GAAG,EAAyB,CAAC;AAEjF,8CAA8C;AAC9C,MAAM,UAAU,GAAiC,IAAI,GAAG,EAA2B,CAAC;AAEpF,IAAI,YAAwD,CAAC;AAE7D,qEAAqE;AACrE,MAAM,UAAU,mBAAmB;IACjC,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO;IACT,CAAC;IACD,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;YACzC,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC3B,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YACtC,IAAI,GAAG,GAAG,MAAM,CAAC,YAAY,IAAI,GAAG,GAAG,MAAM,CAAC,YAAY,GAAG,oBAAoB,EAAE,CAAC;gBAClF,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC,EAAE,mBAAmB,CAAC,CAAC;IACxB,+DAA+D;IAC/D,YAAY,CAAC,KAAK,EAAE,CAAC;AACvB,CAAC;AAED,uCAAuC;AACvC,MAAM,UAAU,kBAAkB;IAChC,IAAI,YAAY,EAAE,CAAC;QACjB,aAAa,CAAC,YAAY,CAAC,CAAC;QAC5B,YAAY,GAAG,SAAS,CAAC;IAC3B,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB;IACjC,4BAA4B;IAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QACzC,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YAC3B,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,IAAI,WAAW,CAAC,IAAI,IAAI,gBAAgB,EAAE,CAAC;QACzC,aAAa,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,2CAA2C,CAAC,CAAC;QACtE,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,0DAA0D;IAC1D,IAAI,IAAY,CAAC;IACjB,GAAG,CAAC;QACF,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC;aAClB,QAAQ,CAAC,WAAW,CAAC;aACrB,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC;aAC5B,KAAK,CAAC,CAAC,EAAE,mBAAmB,CAAC;aAC7B,WAAW,EAAE,CAAC;IACnB,CAAC,QAAQ,IAAI,CAAC,MAAM,GAAG,mBAAmB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;IAErE,MAAM,MAAM,GAAkB;QAC5B,IAAI;QACJ,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG,GAAG,mBAAmB;KACrC,CAAC;IACF,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC9B,aAAa,EAAE,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,mBAAmB,GAAG,IAAI,EAAE,EAAE,wBAAwB,CAAC,CAAC;IAC1F,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAY,EAAE,QAAgB;IAC9D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IAE7C,mBAAmB;IACnB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,YAAY,EAAE,CAAC;QACtC,aAAa,EAAE,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,uCAAuC,CAAC,CAAC;QAC5E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC3C,IAAI,CAAC,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QACtC,wBAAwB;QACxB,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,GAAG,GAAG,KAAK,CAAC,YAAY,GAAG,oBAAoB,EAAE,CAAC;gBACpD,eAAe;gBACf,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,YAAY,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC,CAAC;YAChF,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACjB,IAAI,KAAK,CAAC,QAAQ,IAAI,mBAAmB,EAAE,CAAC;oBAC1C,KAAK,CAAC,YAAY,GAAG,GAAG,GAAG,mBAAmB,CAAC;oBAC/C,aAAa,EAAE,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,EAAE,2CAA2C,CAAC,CAAC;gBAC5G,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,YAAY,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC,CAAC;QAChF,CAAC;QAED,IAAI,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YACrC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,6BAA6B;IAC7B,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC/B,aAAa,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,uBAAuB,CAAC,CAAC;IAClD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,6DAA6D;AAC7D,MAAM,UAAU,YAAY;IAC1B,WAAW,CAAC,KAAK,EAAE,CAAC;IACpB,UAAU,CAAC,KAAK,EAAE,CAAC;AACrB,CAAC"}

package/dist/scoped-token.d.ts

@@ -0,0 +1,55 @@
+/** Claims embedded in a scoped token payload. */
+export interface ScopedTokenClaims {
+    /** Task ID (subject). */
+    sub: string;
+    /** Workspace ID. */
+    pid: string;
+    /** Persona ID. */
+    per: string;
+    /** Session ID. */
+    sid: string;
+    /** Issued-at time (epoch seconds). */
+    iat: number;
+    /** Expiry time (epoch seconds). */
+    exp: number;
+}
+/**
+ * Create a scoped token with the given claims, signed with the provided secret.
+ *
+ * @param claims - Token claims (sub, pid, per, sid). iat/exp are set automatically.
+ * @param signingSecret - Secret used to HMAC-sign the token (typically the API key).
+ * @param ttlMs - Token time-to-live in milliseconds (default: 24 hours).
+ * @returns The signed opaque token string.
+ */
+export declare function createScopedToken(claims: Pick<ScopedTokenClaims, "sub" | "pid" | "per" | "sid">, signingSecret: string, ttlMs?: number): string;
+/**
+ * Verify a scoped token's signature and expiry.
+ *
+ * Uses constant-time comparison for the HMAC signature.
+ *
+ * @param token - The token string to verify.
+ * @param signingSecret - The secret used to verify the HMAC signature.
+ * @returns The decoded claims if valid, or `undefined` if verification fails.
+ */
+export declare function verifyScopedToken(token: string, signingSecret: string): ScopedTokenClaims | undefined;
+/**
+ * Revoke all tokens for a given task ID.
+ * Revoked tokens are rejected by `authenticateMcpRequest` even if not yet expired.
+ */
+export declare function revokeTask(taskId: string): void;
+/** Check whether a task ID has been revoked. */
+export declare function isRevokedTask(taskId: string): boolean;
+/**
+ * Remove revocation entries older than the given TTL.
+ * Since expired tokens are already rejected by the `exp` check,
+ * revocation entries only need to live as long as the token TTL.
+ *
+ * @param ttlMs - Maximum age of revocation entries in milliseconds (default: 24 hours).
+ */
+export declare function pruneRevocations(ttlMs?: number): void;
+/**
+ * Clear all revocation entries. Intended for testing only.
+ * @internal
+ */
+export declare function clearRevocations(): void;
+//# sourceMappingURL=scoped-token.d.ts.map

package/dist/scoped-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoped-token.d.ts","sourceRoot":"","sources":["../src/scoped-token.ts"],"names":[],"mappings":"AAKA,iDAAiD;AACjD,MAAM,WAAW,iBAAiB;IAChC,yBAAyB;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,oBAAoB;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,kBAAkB;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,kBAAkB;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,sCAAsC;IACtC,GAAG,EAAE,MAAM,CAAC;IACZ,mCAAmC;IACnC,GAAG,EAAE,MAAM,CAAC;CACb;AAoBD;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,IAAI,CAAC,iBAAiB,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,EAC9D,aAAa,EAAE,MAAM,EACrB,KAAK,GAAE,MAAuB,GAC7B,MAAM,CAWR;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,iBAAiB,GAAG,SAAS,CA2DrG;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAE/C;AAED,gDAAgD;AAChD,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAErD;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,GAAE,MAAuB,GAAG,IAAI,CAOrE;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAEvC"}

package/dist/scoped-token.js

@@ -0,0 +1,131 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+/** Default token time-to-live: 24 hours in milliseconds. */
+const DEFAULT_TTL_MS = 24 * 60 * 60 * 1000;
+/** In-memory revocation set: taskId → revocation timestamp (epoch ms). */
+const revokedTasks = new Map();
+/** Encode a buffer as base64url (no padding). */
+function toBase64Url(buf) {
+    return buf.toString("base64url");
+}
+/** Decode a base64url string to a Buffer. */
+function fromBase64Url(str) {
+    return Buffer.from(str, "base64url");
+}
+/** Compute HMAC-SHA256 signature over a payload string. */
+function sign(payload, secret) {
+    return createHmac("sha256", secret).update(payload).digest();
+}
+/**
+ * Create a scoped token with the given claims, signed with the provided secret.
+ *
+ * @param claims - Token claims (sub, pid, per, sid). iat/exp are set automatically.
+ * @param signingSecret - Secret used to HMAC-sign the token (typically the API key).
+ * @param ttlMs - Token time-to-live in milliseconds (default: 24 hours).
+ * @returns The signed opaque token string.
+ */
+export function createScopedToken(claims, signingSecret, ttlMs = DEFAULT_TTL_MS) {
+    const now = Math.floor(Date.now() / 1000);
+    const payload = {
+        ...claims,
+        iat: now,
+        exp: now + Math.floor(ttlMs / 1000),
+    };
+    const payloadStr = JSON.stringify(payload);
+    const payloadEncoded = toBase64Url(Buffer.from(payloadStr, "utf8"));
+    const signature = toBase64Url(sign(payloadEncoded, signingSecret));
+    return `${payloadEncoded}.${signature}`;
+}
+/**
+ * Verify a scoped token's signature and expiry.
+ *
+ * Uses constant-time comparison for the HMAC signature.
+ *
+ * @param token - The token string to verify.
+ * @param signingSecret - The secret used to verify the HMAC signature.
+ * @returns The decoded claims if valid, or `undefined` if verification fails.
+ */
+export function verifyScopedToken(token, signingSecret) {
+    const dotIndex = token.indexOf(".");
+    if (dotIndex === -1 || dotIndex === 0 || dotIndex === token.length - 1) {
+        return undefined;
+    }
+    // Reject tokens with multiple dots
+    if (token.indexOf(".", dotIndex + 1) !== -1) {
+        return undefined;
+    }
+    const payloadEncoded = token.slice(0, dotIndex);
+    const signatureEncoded = token.slice(dotIndex + 1);
+    // Verify signature using constant-time comparison
+    const expectedSignature = sign(payloadEncoded, signingSecret);
+    let actualSignature;
+    try {
+        actualSignature = fromBase64Url(signatureEncoded);
+    }
+    catch {
+        return undefined;
+    }
+    if (expectedSignature.length !== actualSignature.length) {
+        return undefined;
+    }
+    if (!timingSafeEqual(expectedSignature, actualSignature)) {
+        return undefined;
+    }
+    // Decode and parse payload
+    let claims;
+    try {
+        const payloadStr = fromBase64Url(payloadEncoded).toString("utf8");
+        claims = JSON.parse(payloadStr);
+    }
+    catch {
+        return undefined;
+    }
+    // Validate claim types to prevent bypass via crafted payloads
+    if (typeof claims.sub !== "string" ||
+        typeof claims.pid !== "string" ||
+        typeof claims.per !== "string" ||
+        typeof claims.sid !== "string" ||
+        !Number.isFinite(claims.iat) ||
+        !Number.isFinite(claims.exp)) {
+        return undefined;
+    }
+    // Check expiry (exp must be strictly greater than both iat and now)
+    const now = Math.floor(Date.now() / 1000);
+    if (claims.exp <= now || claims.exp <= claims.iat) {
+        return undefined;
+    }
+    return claims;
+}
+/**
+ * Revoke all tokens for a given task ID.
+ * Revoked tokens are rejected by `authenticateMcpRequest` even if not yet expired.
+ */
+export function revokeTask(taskId) {
+    revokedTasks.set(taskId, Date.now());
+}
+/** Check whether a task ID has been revoked. */
+export function isRevokedTask(taskId) {
+    return revokedTasks.has(taskId);
+}
+/**
+ * Remove revocation entries older than the given TTL.
+ * Since expired tokens are already rejected by the `exp` check,
+ * revocation entries only need to live as long as the token TTL.
+ *
+ * @param ttlMs - Maximum age of revocation entries in milliseconds (default: 24 hours).
+ */
+export function pruneRevocations(ttlMs = DEFAULT_TTL_MS) {
+    const cutoff = Date.now() - ttlMs;
+    for (const [taskId, revokedAt] of revokedTasks) {
+        if (revokedAt < cutoff) {
+            revokedTasks.delete(taskId);
+        }
+    }
+}
+/**
+ * Clear all revocation entries. Intended for testing only.
+ * @internal
+ */
+export function clearRevocations() {
+    revokedTasks.clear();
+}
+//# sourceMappingURL=scoped-token.js.map

package/dist/scoped-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoped-token.js","sourceRoot":"","sources":["../src/scoped-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE1D,4DAA4D;AAC5D,MAAM,cAAc,GAAW,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAkBnD,0EAA0E;AAC1E,MAAM,YAAY,GAAwB,IAAI,GAAG,EAAE,CAAC;AAEpD,iDAAiD;AACjD,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACnC,CAAC;AAED,6CAA6C;AAC7C,SAAS,aAAa,CAAC,GAAW;IAChC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;AACvC,CAAC;AAED,2DAA2D;AAC3D,SAAS,IAAI,CAAC,OAAe,EAAE,MAAc;IAC3C,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;AAC/D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAC/B,MAA8D,EAC9D,aAAqB,EACrB,QAAgB,cAAc;IAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAsB;QACjC,GAAG,MAAM;QACT,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC;KACpC,CAAC;IACF,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC3C,MAAM,cAAc,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;IACpE,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC,CAAC;IACnE,OAAO,GAAG,cAAc,IAAI,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa,EAAE,aAAqB;IACpE,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,QAAQ,KAAK,CAAC,CAAC,IAAI,QAAQ,KAAK,CAAC,IAAI,QAAQ,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvE,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,mCAAmC;IACnC,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QAC5C,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,gBAAgB,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IAEnD,kDAAkD;IAClD,MAAM,iBAAiB,GAAG,IAAI,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;IAC9D,IAAI,eAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,eAAe,GAAG,aAAa,CAAC,gBAAgB,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,iBAAiB,CAAC,MAAM,KAAK,eAAe,CAAC,MAAM,EAAE,CAAC;QACxD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,CAAC,eAAe,CAAC,iBAAiB,EAAE,eAAe,CAAC,EAAE,CAAC;QACzD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,2BAA2B;IAC3B,IAAI,MAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,aAAa,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAClE,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAsB,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,8DAA8D;IAC9D,IACE,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC;QAC5B,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAC5B,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,oEAAoE;IACpE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,MAAM,CAAC,GAAG,IAAI,GAAG,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;QAClD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,MAAc;IACvC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;AACvC,CAAC;AAED,gDAAgD;AAChD,MAAM,UAAU,aAAa,CAAC,MAAc;IAC1C,OAAO,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB,cAAc;IAC7D,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;IAClC,KAAK,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,IAAI,YAAY,EAAE,CAAC;QAC/C,IAAI,SAAS,GAAG,MAAM,EAAE,CAAC;YACvB,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,YAAY,CAAC,KAAK,EAAE,CAAC;AACvB,CAAC"}

package/dist/security-headers.d.ts

@@ -0,0 +1,17 @@
+import type { ServerResponse } from "node:http";
+/**
+ * Content Security Policy for the web handler.
+ *
+ * Covers the React SPA (served from 'self') and server-rendered pages
+ * (pairing/authorize) which use inline styles.
+ */
+export declare const WEB_CONTENT_SECURITY_POLICY: string;
+/**
+ * Set defense-in-depth security headers on every web response.
+ *
+ * Called at the top of `createWebHandler`'s returned function so that all
+ * response paths (static files, HTML pages, JSON APIs, redirects) are covered
+ * without modifying each `writeHead` call individually.
+ */
+export declare function setSecurityHeaders(res: ServerResponse): void;
+//# sourceMappingURL=security-headers.d.ts.map

package/dist/security-headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEhD;;;;;GAKG;AACH,eAAO,MAAM,2BAA2B,EAAE,MAW9B,CAAC;AAEb;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,cAAc,GAAG,IAAI,CAI5D"}

package/dist/security-headers.js

@@ -0,0 +1,31 @@
+/**
+ * Content Security Policy for the web handler.
+ *
+ * Covers the React SPA (served from 'self') and server-rendered pages
+ * (pairing/authorize) which use inline styles.
+ */
+export const WEB_CONTENT_SECURITY_POLICY = [
+    "default-src 'self'",
+    "script-src 'self'",
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data:",
+    "font-src 'self'",
+    "connect-src 'self'",
+    "object-src 'none'",
+    "form-action 'self'",
+    "frame-ancestors 'none'",
+    "base-uri 'self'",
+].join("; ");
+/**
+ * Set defense-in-depth security headers on every web response.
+ *
+ * Called at the top of `createWebHandler`'s returned function so that all
+ * response paths (static files, HTML pages, JSON APIs, redirects) are covered
+ * without modifying each `writeHead` call individually.
+ */
+export function setSecurityHeaders(res) {
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "DENY");
+    res.setHeader("Content-Security-Policy", WEB_CONTENT_SECURITY_POLICY);
+}
+//# sourceMappingURL=security-headers.js.map

package/dist/security-headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAW;IACjD,oBAAoB;IACpB,mBAAmB;IACnB,kCAAkC;IAClC,sBAAsB;IACtB,iBAAiB;IACjB,oBAAoB;IACpB,mBAAmB;IACnB,oBAAoB;IACpB,wBAAwB;IACxB,iBAAiB;CAClB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEb;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAmB;IACpD,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC;IACnD,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACzC,GAAG,CAAC,SAAS,CAAC,yBAAyB,EAAE,2BAA2B,CAAC,CAAC;AACxE,CAAC"}