@haneullabs/signers 0.1.0 → 1.0.2

package/dist/aws/aws-client.mjs

@@ -0,0 +1,46 @@
+import { publicKeyFromDER } from "../utils/utils.mjs";
+import { AwsClient } from "./aws4fetch.mjs";
+import { fromBase64 } from "@haneullabs/haneul/utils";
+import { Secp256k1PublicKey } from "@haneullabs/haneul/keypairs/secp256k1";
+import { Secp256r1PublicKey } from "@haneullabs/haneul/keypairs/secp256r1";
+
+//#region src/aws/aws-client.ts
+var AwsKmsClient = class extends AwsClient {
+	constructor(options = {}) {
+		if (!options.accessKeyId || !options.secretAccessKey) throw new Error("AWS Access Key ID and Secret Access Key are required");
+		if (!options.region) throw new Error("Region is required");
+		super({
+			region: options.region,
+			accessKeyId: options.accessKeyId,
+			secretAccessKey: options.secretAccessKey,
+			service: "kms",
+			...options
+		});
+	}
+	async getPublicKey(keyId) {
+		const publicKeyResponse = await this.runCommand("GetPublicKey", { KeyId: keyId });
+		if (!publicKeyResponse.PublicKey) throw new Error("Public Key not found for the supplied `keyId`");
+		const compressedKey = publicKeyFromDER(fromBase64(publicKeyResponse.PublicKey));
+		switch (publicKeyResponse.KeySpec) {
+			case "ECC_NIST_P256": return new Secp256r1PublicKey(compressedKey);
+			case "ECC_SECG_P256K1": return new Secp256k1PublicKey(compressedKey);
+			default: throw new Error("Unsupported key spec: " + publicKeyResponse.KeySpec);
+		}
+	}
+	async runCommand(command, body, { region = this.region } = {}) {
+		if (!region) throw new Error("Region is required");
+		const res = await this.fetch(`https://kms.${region}.amazonaws.com/`, {
+			headers: {
+				"Content-Type": "application/x-amz-json-1.1",
+				"X-Amz-Target": `TrentService.${command}`
+			},
+			body: JSON.stringify(body)
+		});
+		if (!res.ok) throw new Error(await res.text());
+		return res.json();
+	}
+};
+
+//#endregion
+export { AwsKmsClient };
+//# sourceMappingURL=aws-client.mjs.map

package/dist/aws/aws-client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-client.mjs","names":[],"sources":["../../src/aws/aws-client.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Secp256k1PublicKey } from '@haneullabs/haneul/keypairs/secp256k1';\nimport { Secp256r1PublicKey } from '@haneullabs/haneul/keypairs/secp256r1';\nimport { fromBase64 } from '@haneullabs/haneul/utils';\n\nimport { publicKeyFromDER } from '../utils/utils.js';\nimport { AwsClient } from './aws4fetch.js';\n\ninterface KmsCommands {\n\tSign: {\n\t\trequest: {\n\t\t\tKeyId: string;\n\t\t\tMessage: string;\n\t\t\tMessageType: 'RAW' | 'DIGEST';\n\t\t\tSigningAlgorithm: 'ECDSA_SHA_256';\n\t\t};\n\t\tresponse: {\n\t\t\tKeyId: string;\n\t\t\tKeyOrigin: string;\n\t\t\tSignature: string;\n\t\t\tSigningAlgorithm: string;\n\t\t};\n\t};\n\tGetPublicKey: {\n\t\trequest: { KeyId: string };\n\t\tresponse: {\n\t\t\tCustomerMasterKeySpec: string;\n\t\t\tKeyId: string;\n\t\t\tKeyOrigin: string;\n\t\t\tKeySpec: string;\n\t\t\tKeyUsage: string;\n\t\t\tPublicKey: string;\n\t\t\tSigningAlgorithms: string[];\n\t\t};\n\t};\n}\n\nexport interface AwsClientOptions extends Partial<ConstructorParameters<typeof AwsClient>[0]> {}\n\nexport class AwsKmsClient extends AwsClient {\n\tconstructor(options: AwsClientOptions = {}) {\n\t\tif (!options.accessKeyId || !options.secretAccessKey) {\n\t\t\tthrow new Error('AWS Access Key ID and Secret Access Key are required');\n\t\t}\n\n\t\tif (!options.region) {\n\t\t\tthrow new Error('Region is required');\n\t\t}\n\n\t\tsuper({\n\t\t\tregion: options.region,\n\t\t\taccessKeyId: options.accessKeyId,\n\t\t\tsecretAccessKey: options.secretAccessKey,\n\t\t\tservice: 'kms',\n\t\t\t...options,\n\t\t});\n\t}\n\n\tasync getPublicKey(keyId: string) {\n\t\tconst publicKeyResponse = await this.runCommand('GetPublicKey', { KeyId: keyId });\n\n\t\tif (!publicKeyResponse.PublicKey) {\n\t\t\tthrow new Error('Public Key not found for the supplied `keyId`');\n\t\t}\n\n\t\tconst compressedKey = publicKeyFromDER(fromBase64(publicKeyResponse.PublicKey));\n\n\t\tswitch (publicKeyResponse.KeySpec) {\n\t\t\tcase 'ECC_NIST_P256':\n\t\t\t\treturn new Secp256r1PublicKey(compressedKey);\n\t\t\tcase 'ECC_SECG_P256K1':\n\t\t\t\treturn new Secp256k1PublicKey(compressedKey);\n\t\t\tdefault:\n\t\t\t\tthrow new Error('Unsupported key spec: ' + publicKeyResponse.KeySpec);\n\t\t}\n\t}\n\n\tasync runCommand<T extends keyof KmsCommands>(\n\t\tcommand: T,\n\t\tbody: KmsCommands[T]['request'],\n\t\t{\n\t\t\tregion = this.region!,\n\t\t}: {\n\t\t\tregion?: string;\n\t\t} = {},\n\t): Promise<KmsCommands[T]['response']> {\n\t\tif (!region) {\n\t\t\tthrow new Error('Region is required');\n\t\t}\n\n\t\tconst res = await this.fetch(`https://kms.${region}.amazonaws.com/`, {\n\t\t\theaders: {\n\t\t\t\t'Content-Type': 'application/x-amz-json-1.1',\n\t\t\t\t'X-Amz-Target': `TrentService.${command}`,\n\t\t\t},\n\t\t\tbody: JSON.stringify(body),\n\t\t});\n\n\t\tif (!res.ok) {\n\t\t\tthrow new Error(await res.text());\n\t\t}\n\n\t\treturn res.json();\n\t}\n}\n"],"mappings":";;;;;;;AAyCA,IAAa,eAAb,cAAkC,UAAU;CAC3C,YAAY,UAA4B,EAAE,EAAE;AAC3C,MAAI,CAAC,QAAQ,eAAe,CAAC,QAAQ,gBACpC,OAAM,IAAI,MAAM,uDAAuD;AAGxE,MAAI,CAAC,QAAQ,OACZ,OAAM,IAAI,MAAM,qBAAqB;AAGtC,QAAM;GACL,QAAQ,QAAQ;GAChB,aAAa,QAAQ;GACrB,iBAAiB,QAAQ;GACzB,SAAS;GACT,GAAG;GACH,CAAC;;CAGH,MAAM,aAAa,OAAe;EACjC,MAAM,oBAAoB,MAAM,KAAK,WAAW,gBAAgB,EAAE,OAAO,OAAO,CAAC;AAEjF,MAAI,CAAC,kBAAkB,UACtB,OAAM,IAAI,MAAM,gDAAgD;EAGjE,MAAM,gBAAgB,iBAAiB,WAAW,kBAAkB,UAAU,CAAC;AAE/E,UAAQ,kBAAkB,SAA1B;GACC,KAAK,gBACJ,QAAO,IAAI,mBAAmB,cAAc;GAC7C,KAAK,kBACJ,QAAO,IAAI,mBAAmB,cAAc;GAC7C,QACC,OAAM,IAAI,MAAM,2BAA2B,kBAAkB,QAAQ;;;CAIxE,MAAM,WACL,SACA,MACA,EACC,SAAS,KAAK,WAGX,EAAE,EACgC;AACtC,MAAI,CAAC,OACJ,OAAM,IAAI,MAAM,qBAAqB;EAGtC,MAAM,MAAM,MAAM,KAAK,MAAM,eAAe,OAAO,kBAAkB;GACpE,SAAS;IACR,gBAAgB;IAChB,gBAAgB,gBAAgB;IAChC;GACD,MAAM,KAAK,UAAU,KAAK;GAC1B,CAAC;AAEF,MAAI,CAAC,IAAI,GACR,OAAM,IAAI,MAAM,MAAM,IAAI,MAAM,CAAC;AAGlC,SAAO,IAAI,MAAM"}

package/dist/aws/aws-kms-signer.d.mts

@@ -0,0 +1,62 @@
+import { AwsClientOptions, AwsKmsClient } from "./aws-client.mjs";
+import { PublicKey, Signer } from "@haneullabs/haneul/cryptography";
+
+//#region src/aws/aws-kms-signer.d.ts
+/**
+ * Configuration options for initializing the AwsKmsSigner.
+ */
+interface AwsKmsSignerOptions {
+  /** AWS KMS Key ID used for signing */
+  kmsKeyId: string;
+  /** Options for setting up the AWS KMS client */
+  client: AwsKmsClient;
+  /** Public key */
+  publicKey: PublicKey;
+}
+/**
+ * Aws KMS Signer integrates AWS Key Management Service (KMS) with the Haneul blockchain
+ * to provide signing capabilities using AWS-managed cryptographic keys.
+ */
+declare class AwsKmsSigner extends Signer {
+  #private;
+  /**
+   * Creates an instance of AwsKmsSigner. It's expected to call the static `fromKeyId` method to create an instance.
+   * For example:
+   * ```
+   * const signer = await AwsKmsSigner.fromKeyId(keyId, options);
+   * ```
+   * @throws Will throw an error if required AWS credentials or region are not provided.
+   */
+  constructor({
+    kmsKeyId,
+    client,
+    publicKey
+  }: AwsKmsSignerOptions);
+  /**
+   * Retrieves the key scheme used by this signer.
+   * @returns AWS supports only Secp256k1 and Secp256r1 schemes.
+   */
+  getKeyScheme(): "ED25519" | "Secp256r1" | "Secp256k1" | "MultiSig" | "ZkLogin" | "Passkey";
+  /**
+   * Retrieves the public key associated with this signer.
+   * @returns The Secp256k1PublicKey instance.
+   * @throws Will throw an error if the public key has not been initialized.
+   */
+  getPublicKey(): PublicKey;
+  /**
+   * Signs the given data using AWS KMS.
+   * @param bytes - The data to be signed as a Uint8Array.
+   * @returns A promise that resolves to the signature as a Uint8Array.
+   * @throws Will throw an error if the public key is not initialized or if signing fails.
+   */
+  sign(bytes: Uint8Array): Promise<Uint8Array<ArrayBuffer>>;
+  /**
+   * Prepares the signer by fetching and setting the public key from AWS KMS.
+   * It is recommended to initialize an `AwsKmsSigner` instance using this function.
+   * @returns A promise that resolves once a `AwsKmsSigner` instance is prepared (public key is set).
+   */
+  static fromKeyId(keyId: string, options: AwsClientOptions): Promise<AwsKmsSigner>;
+}
+//#endregion
+export { AwsKmsSigner, AwsKmsSignerOptions };
+//# sourceMappingURL=aws-kms-signer.d.mts.map

package/dist/aws/aws-kms-signer.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-kms-signer.d.mts","names":[],"sources":["../../src/aws/aws-kms-signer.ts"],"mappings":";;;;AAaA;;;AAAA,UAAiB,mBAAA;EAEhB;EAAA,QAAA;EAEQ;EAAR,MAAA,EAAQ,YAAA;EAEG;EAAX,SAAA,EAAW,SAAA;AAAA;AAOZ;;;;AAAA,cAAa,YAAA,SAAqB,MAAA;EAAA;EAeY;;;;;;;;;IAA/B,QAAA;IAAU,MAAA;IAAQ;EAAA,GAAa,mBAAA;EAfZ;;;;EA4BjC,YAAA,CAAA;;;;;;EASA,YAAA,CAAA,GAAY,SAAA;EAtBoB;;;;;;EAgC1B,IAAA,CAAK,KAAA,EAAO,UAAA,GAAa,OAAA,CAAQ,UAAA,CAAW,WAAA;EAAvC;;;;;EAAA,OAiBE,SAAA,CAAU,KAAA,UAAe,OAAA,EAAS,gBAAA,GAAgB,OAAA,CAAA,YAAA;AAAA"}

package/dist/aws/aws-kms-signer.mjs

@@ -0,0 +1,78 @@
+import { getConcatenatedSignature } from "../utils/utils.mjs";
+import { AwsKmsClient } from "./aws-client.mjs";
+import { SIGNATURE_FLAG_TO_SCHEME, Signer } from "@haneullabs/haneul/cryptography";
+import { fromBase64, toBase64 } from "@haneullabs/haneul/utils";
+
+//#region src/aws/aws-kms-signer.ts
+/**
+* Aws KMS Signer integrates AWS Key Management Service (KMS) with the Haneul blockchain
+* to provide signing capabilities using AWS-managed cryptographic keys.
+*/
+var AwsKmsSigner = class AwsKmsSigner extends Signer {
+	#publicKey;
+	/** AWS KMS client instance */
+	#client;
+	/** AWS KMS Key ID used for signing */
+	#kmsKeyId;
+	/**
+	* Creates an instance of AwsKmsSigner. It's expected to call the static `fromKeyId` method to create an instance.
+	* For example:
+	* ```
+	* const signer = await AwsKmsSigner.fromKeyId(keyId, options);
+	* ```
+	* @throws Will throw an error if required AWS credentials or region are not provided.
+	*/
+	constructor({ kmsKeyId, client, publicKey }) {
+		super();
+		if (!kmsKeyId) throw new Error("KMS Key ID is required");
+		this.#client = client;
+		this.#kmsKeyId = kmsKeyId;
+		this.#publicKey = publicKey;
+	}
+	/**
+	* Retrieves the key scheme used by this signer.
+	* @returns AWS supports only Secp256k1 and Secp256r1 schemes.
+	*/
+	getKeyScheme() {
+		return SIGNATURE_FLAG_TO_SCHEME[this.#publicKey.flag()];
+	}
+	/**
+	* Retrieves the public key associated with this signer.
+	* @returns The Secp256k1PublicKey instance.
+	* @throws Will throw an error if the public key has not been initialized.
+	*/
+	getPublicKey() {
+		return this.#publicKey;
+	}
+	/**
+	* Signs the given data using AWS KMS.
+	* @param bytes - The data to be signed as a Uint8Array.
+	* @returns A promise that resolves to the signature as a Uint8Array.
+	* @throws Will throw an error if the public key is not initialized or if signing fails.
+	*/
+	async sign(bytes) {
+		return getConcatenatedSignature(fromBase64((await this.#client.runCommand("Sign", {
+			KeyId: this.#kmsKeyId,
+			Message: toBase64(bytes),
+			MessageType: "RAW",
+			SigningAlgorithm: "ECDSA_SHA_256"
+		})).Signature), this.getKeyScheme());
+	}
+	/**
+	* Prepares the signer by fetching and setting the public key from AWS KMS.
+	* It is recommended to initialize an `AwsKmsSigner` instance using this function.
+	* @returns A promise that resolves once a `AwsKmsSigner` instance is prepared (public key is set).
+	*/
+	static async fromKeyId(keyId, options) {
+		const client = new AwsKmsClient(options);
+		return new AwsKmsSigner({
+			kmsKeyId: keyId,
+			client,
+			publicKey: await client.getPublicKey(keyId)
+		});
+	}
+};
+
+//#endregion
+export { AwsKmsSigner };
+//# sourceMappingURL=aws-kms-signer.mjs.map

package/dist/aws/aws-kms-signer.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-kms-signer.mjs","names":["#client","#kmsKeyId","#publicKey"],"sources":["../../src/aws/aws-kms-signer.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport type { PublicKey, SignatureFlag } from '@haneullabs/haneul/cryptography';\nimport { SIGNATURE_FLAG_TO_SCHEME, Signer } from '@haneullabs/haneul/cryptography';\nimport { fromBase64, toBase64 } from '@haneullabs/haneul/utils';\n\nimport { getConcatenatedSignature } from '../utils/utils.js';\nimport type { AwsClientOptions } from './aws-client.js';\nimport { AwsKmsClient } from './aws-client.js';\n\n/**\n * Configuration options for initializing the AwsKmsSigner.\n */\nexport interface AwsKmsSignerOptions {\n\t/** AWS KMS Key ID used for signing */\n\tkmsKeyId: string;\n\t/** Options for setting up the AWS KMS client */\n\tclient: AwsKmsClient;\n\t/** Public key */\n\tpublicKey: PublicKey;\n}\n\n/**\n * Aws KMS Signer integrates AWS Key Management Service (KMS) with the Haneul blockchain\n * to provide signing capabilities using AWS-managed cryptographic keys.\n */\nexport class AwsKmsSigner extends Signer {\n\t#publicKey: PublicKey;\n\t/** AWS KMS client instance */\n\t#client: AwsKmsClient;\n\t/** AWS KMS Key ID used for signing */\n\t#kmsKeyId: string;\n\n\t/**\n\t * Creates an instance of AwsKmsSigner. It's expected to call the static `fromKeyId` method to create an instance.\n\t * For example:\n\t * ```\n\t * const signer = await AwsKmsSigner.fromKeyId(keyId, options);\n\t * ```\n\t * @throws Will throw an error if required AWS credentials or region are not provided.\n\t */\n\tconstructor({ kmsKeyId, client, publicKey }: AwsKmsSignerOptions) {\n\t\tsuper();\n\t\tif (!kmsKeyId) throw new Error('KMS Key ID is required');\n\n\t\tthis.#client = client;\n\t\tthis.#kmsKeyId = kmsKeyId;\n\t\tthis.#publicKey = publicKey;\n\t}\n\n\t/**\n\t * Retrieves the key scheme used by this signer.\n\t * @returns AWS supports only Secp256k1 and Secp256r1 schemes.\n\t */\n\tgetKeyScheme() {\n\t\treturn SIGNATURE_FLAG_TO_SCHEME[this.#publicKey.flag() as SignatureFlag];\n\t}\n\n\t/**\n\t * Retrieves the public key associated with this signer.\n\t * @returns The Secp256k1PublicKey instance.\n\t * @throws Will throw an error if the public key has not been initialized.\n\t */\n\tgetPublicKey() {\n\t\treturn this.#publicKey;\n\t}\n\n\t/**\n\t * Signs the given data using AWS KMS.\n\t * @param bytes - The data to be signed as a Uint8Array.\n\t * @returns A promise that resolves to the signature as a Uint8Array.\n\t * @throws Will throw an error if the public key is not initialized or if signing fails.\n\t */\n\tasync sign(bytes: Uint8Array): Promise<Uint8Array<ArrayBuffer>> {\n\t\tconst signResponse = await this.#client.runCommand('Sign', {\n\t\t\tKeyId: this.#kmsKeyId,\n\t\t\tMessage: toBase64(bytes),\n\t\t\tMessageType: 'RAW',\n\t\t\tSigningAlgorithm: 'ECDSA_SHA_256',\n\t\t});\n\n\t\t// Concatenate the signature components into a compact form\n\t\treturn getConcatenatedSignature(fromBase64(signResponse.Signature), this.getKeyScheme());\n\t}\n\n\t/**\n\t * Prepares the signer by fetching and setting the public key from AWS KMS.\n\t * It is recommended to initialize an `AwsKmsSigner` instance using this function.\n\t * @returns A promise that resolves once a `AwsKmsSigner` instance is prepared (public key is set).\n\t */\n\tstatic async fromKeyId(keyId: string, options: AwsClientOptions) {\n\t\tconst client = new AwsKmsClient(options);\n\n\t\tconst pubKey = await client.getPublicKey(keyId);\n\n\t\treturn new AwsKmsSigner({\n\t\t\tkmsKeyId: keyId,\n\t\t\tclient,\n\t\t\tpublicKey: pubKey,\n\t\t});\n\t}\n}\n"],"mappings":";;;;;;;;;;AA0BA,IAAa,eAAb,MAAa,qBAAqB,OAAO;CACxC;;CAEA;;CAEA;;;;;;;;;CAUA,YAAY,EAAE,UAAU,QAAQ,aAAkC;AACjE,SAAO;AACP,MAAI,CAAC,SAAU,OAAM,IAAI,MAAM,yBAAyB;AAExD,QAAKA,SAAU;AACf,QAAKC,WAAY;AACjB,QAAKC,YAAa;;;;;;CAOnB,eAAe;AACd,SAAO,yBAAyB,MAAKA,UAAW,MAAM;;;;;;;CAQvD,eAAe;AACd,SAAO,MAAKA;;;;;;;;CASb,MAAM,KAAK,OAAqD;AAS/D,SAAO,yBAAyB,YARX,MAAM,MAAKF,OAAQ,WAAW,QAAQ;GAC1D,OAAO,MAAKC;GACZ,SAAS,SAAS,MAAM;GACxB,aAAa;GACb,kBAAkB;GAClB,CAAC,EAGsD,UAAU,EAAE,KAAK,cAAc,CAAC;;;;;;;CAQzF,aAAa,UAAU,OAAe,SAA2B;EAChE,MAAM,SAAS,IAAI,aAAa,QAAQ;AAIxC,SAAO,IAAI,aAAa;GACvB,UAAU;GACV;GACA,WALc,MAAM,OAAO,aAAa,MAAM;GAM9C,CAAC"}

package/dist/aws/aws4fetch.d.mts

@@ -0,0 +1,62 @@
+//#region src/aws/aws4fetch.d.ts
+type AwsRequestInit = RequestInit & {
+  aws?: {
+    accessKeyId?: string;
+    secretAccessKey?: string;
+    sessionToken?: string;
+    service?: string;
+    region?: string;
+    cache?: Map<string, ArrayBuffer>;
+    datetime?: string;
+    signQuery?: boolean;
+    appendSessionToken?: boolean;
+    allHeaders?: boolean;
+    singleEncode?: boolean;
+  };
+};
+declare class AwsClient {
+  accessKeyId: string;
+  secretAccessKey: string;
+  sessionToken: string | undefined;
+  service: string | undefined;
+  region: string | undefined;
+  cache: Map<any, any>;
+  retries: number;
+  initRetryMs: number;
+  /**
+   * @param {} options
+   */
+  constructor({
+    accessKeyId,
+    secretAccessKey,
+    sessionToken,
+    service,
+    region,
+    cache,
+    retries,
+    initRetryMs
+  }: {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken?: string;
+    service?: string;
+    region?: string;
+    cache?: Map<string, ArrayBuffer>;
+    retries?: number;
+    initRetryMs?: number;
+  });
+  sign(input: Request | {
+    toString: () => string;
+  }, init: AwsRequestInit): Promise<Request>;
+  /**
+   * @param {Request | { toString: () => string }} input
+   * @param {?AwsRequestInit} [init]
+   * @returns {Promise<Response>}
+   */
+  fetch(input: Request | {
+    toString: () => string;
+  }, init: AwsRequestInit): Promise<Response>;
+}
+//#endregion
+export { AwsClient };
+//# sourceMappingURL=aws4fetch.d.mts.map

package/dist/aws/aws4fetch.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws4fetch.d.mts","names":[],"sources":["../../src/aws/aws4fetch.ts"],"mappings":";KAsCK,cAAA,GAAiB,WAAA;EACrB,GAAA;IACC,WAAA;IACA,eAAA;IACA,YAAA;IACA,OAAA;IACA,MAAA;IACA,KAAA,GAAQ,GAAA,SAAY,WAAA;IACpB,QAAA;IACA,SAAA;IACA,kBAAA;IACA,UAAA;IACA,YAAA;EAAA;AAAA;AAAA,cAIW,SAAA;EACZ,WAAA;EACA,eAAA;EACA,YAAA;EACA,OAAA;EACA,MAAA;EACA,KAAA,EAAO,GAAA;EACP,OAAA;EACA,WAAA;EAZa;;AAId;;IAaE,WAAA;IACA,eAAA;IACA,YAAA;IACA,OAAA;IACA,MAAA;IACA,KAAA;IACA,OAAA;IACA;EAAA;IAEA,WAAA;IACA,eAAA;IACA,YAAA;IACA,OAAA;IACA,MAAA;IACA,KAAA,GAAQ,GAAA,SAAY,WAAA;IACpB,OAAA;IACA,WAAA;EAAA;EAeK,IAAA,CAAK,KAAA,EAAO,OAAA;IAAY,QAAA;EAAA,GAA0B,IAAA,EAAM,cAAA,GAAiB,OAAA,CAAQ,OAAA;EAArE;;;;;EAiCZ,KAAA,CAAM,KAAA,EAAO,OAAA;IAAY,QAAA;EAAA,GAA0B,IAAA,EAAM,cAAA,GAAc,OAAA,CAAA,QAAA;AAAA"}

package/dist/aws/aws4fetch.mjs

@@ -0,0 +1,313 @@
+//#region src/aws/aws4fetch.ts
+/**
+* Original implementation https://github.com/mhart/aws4fetch, inlined to reduce external dependencies
+* @license MIT <https://opensource.org/licenses/MIT>
+* @copyright Michael Hart 2024
+*/
+const encoder = new TextEncoder();
+/** @type {Record<string, string>} */
+const HOST_SERVICES = {
+	appstream2: "appstream",
+	cloudhsmv2: "cloudhsm",
+	email: "ses",
+	marketplace: "aws-marketplace",
+	mobile: "AWSMobileHubService",
+	pinpoint: "mobiletargeting",
+	queue: "sqs",
+	"git-codecommit": "codecommit",
+	"mturk-requester-sandbox": "mturk-requester",
+	"personalize-runtime": "personalize"
+};
+const UNSIGNABLE_HEADERS = new Set([
+	"authorization",
+	"content-type",
+	"content-length",
+	"user-agent",
+	"presigned-expires",
+	"expect",
+	"x-amzn-trace-id",
+	"range",
+	"connection"
+]);
+var AwsClient = class {
+	/**
+	* @param {} options
+	*/
+	constructor({ accessKeyId, secretAccessKey, sessionToken, service, region, cache, retries, initRetryMs }) {
+		if (accessKeyId == null) throw new TypeError("accessKeyId is a required option");
+		if (secretAccessKey == null) throw new TypeError("secretAccessKey is a required option");
+		this.accessKeyId = accessKeyId;
+		this.secretAccessKey = secretAccessKey;
+		this.sessionToken = sessionToken;
+		this.service = service;
+		this.region = region;
+		/** @type {Map<string, ArrayBuffer>} */
+		this.cache = cache || /* @__PURE__ */ new Map();
+		this.retries = retries != null ? retries : 10;
+		this.initRetryMs = initRetryMs || 50;
+	}
+	async sign(input, init) {
+		if (input instanceof Request) {
+			const { method, url, headers, body } = input;
+			init = Object.assign({
+				method,
+				url,
+				headers
+			}, init);
+			if (init.body == null && headers.has("Content-Type")) init.body = body != null && headers.has("X-Amz-Content-Sha256") ? body : await input.clone().arrayBuffer();
+			input = url;
+		}
+		const signer = new AwsV4Signer(Object.assign({ url: input.toString() }, init, this, init && init.aws));
+		const signed = Object.assign({}, init, await signer.sign());
+		delete signed.aws;
+		try {
+			return new Request(signed.url.toString(), signed);
+		} catch (e) {
+			if (e instanceof TypeError) return new Request(signed.url.toString(), Object.assign({ duplex: "half" }, signed));
+			throw e;
+		}
+	}
+	/**
+	* @param {Request | { toString: () => string }} input
+	* @param {?AwsRequestInit} [init]
+	* @returns {Promise<Response>}
+	*/
+	async fetch(input, init) {
+		for (let i = 0; i <= this.retries; i++) {
+			const fetched = fetch(await this.sign(input, init));
+			if (i === this.retries) return fetched;
+			const res = await fetched;
+			if (res.status < 500 && res.status !== 429) return res;
+			await new Promise((resolve) => setTimeout(resolve, Math.random() * this.initRetryMs * Math.pow(2, i)));
+		}
+		throw new Error("An unknown error occurred, ensure retries is not negative");
+	}
+};
+var AwsV4Signer = class {
+	/**
+	* @param {} options
+	*/
+	constructor({ method, url, headers, body, accessKeyId, secretAccessKey, sessionToken, service, region, cache, datetime, signQuery, appendSessionToken, allHeaders, singleEncode }) {
+		if (url == null) throw new TypeError("url is a required option");
+		if (accessKeyId == null) throw new TypeError("accessKeyId is a required option");
+		if (secretAccessKey == null) throw new TypeError("secretAccessKey is a required option");
+		this.method = method || (body ? "POST" : "GET");
+		this.url = new URL(url);
+		this.headers = new Headers(headers || {});
+		this.body = body;
+		this.accessKeyId = accessKeyId;
+		this.secretAccessKey = secretAccessKey;
+		this.sessionToken = sessionToken;
+		let guessedService, guessedRegion;
+		if (!service || !region) [guessedService, guessedRegion] = guessServiceRegion(this.url, this.headers);
+		this.service = service || guessedService || "";
+		this.region = region || guessedRegion || "us-east-1";
+		/** @type {Map<string, ArrayBuffer>} */
+		this.cache = cache || /* @__PURE__ */ new Map();
+		this.datetime = datetime || (/* @__PURE__ */ new Date()).toISOString().replace(/[:-]|\.\d{3}/g, "");
+		this.signQuery = signQuery;
+		this.appendSessionToken = appendSessionToken || this.service === "iotdevicegateway";
+		this.headers.delete("Host");
+		if (this.service === "s3" && !this.signQuery && !this.headers.has("X-Amz-Content-Sha256")) this.headers.set("X-Amz-Content-Sha256", "UNSIGNED-PAYLOAD");
+		const params = this.signQuery ? this.url.searchParams : this.headers;
+		params.set("X-Amz-Date", this.datetime);
+		if (this.sessionToken && !this.appendSessionToken) params.set("X-Amz-Security-Token", this.sessionToken);
+		this.signableHeaders = ["host", ...this.headers.keys()].filter((header) => allHeaders || !UNSIGNABLE_HEADERS.has(header)).sort();
+		this.signedHeaders = this.signableHeaders.join(";");
+		this.canonicalHeaders = this.signableHeaders.map((header) => header + ":" + (header === "host" ? this.url.host : (this.headers.get(header) || "").replace(/\s+/g, " "))).join("\n");
+		this.credentialString = [
+			this.datetime.slice(0, 8),
+			this.region,
+			this.service,
+			"aws4_request"
+		].join("/");
+		if (this.signQuery) {
+			if (this.service === "s3" && !params.has("X-Amz-Expires")) params.set("X-Amz-Expires", "86400");
+			params.set("X-Amz-Algorithm", "AWS4-HMAC-SHA256");
+			params.set("X-Amz-Credential", this.accessKeyId + "/" + this.credentialString);
+			params.set("X-Amz-SignedHeaders", this.signedHeaders);
+		}
+		if (this.service === "s3") try {
+			this.encodedPath = decodeURIComponent(this.url.pathname.replace(/\+/g, " "));
+		} catch {
+			this.encodedPath = this.url.pathname;
+		}
+		else this.encodedPath = this.url.pathname.replace(/\/+/g, "/");
+		if (!singleEncode) this.encodedPath = encodeURIComponent(this.encodedPath).replace(/%2F/g, "/");
+		this.encodedPath = encodeRfc3986(this.encodedPath);
+		const seenKeys = /* @__PURE__ */ new Set();
+		this.encodedSearch = [...this.url.searchParams].filter(([k]) => {
+			if (!k) return false;
+			if (this.service === "s3") {
+				if (seenKeys.has(k)) return false;
+				seenKeys.add(k);
+			}
+			return true;
+		}).map((pair) => pair.map((p) => encodeRfc3986(encodeURIComponent(p)))).sort(([k1, v1], [k2, v2]) => k1 < k2 ? -1 : k1 > k2 ? 1 : v1 < v2 ? -1 : v1 > v2 ? 1 : 0).map((pair) => pair.join("=")).join("&");
+	}
+	/**
+	* @returns {Promise<{
+	*   method: string
+	*   url: URL
+	*   headers: Headers
+	*   body?: BodyInit | null
+	* }>}
+	*/
+	async sign() {
+		if (this.signQuery) {
+			this.url.searchParams.set("X-Amz-Signature", await this.signature());
+			if (this.sessionToken && this.appendSessionToken) this.url.searchParams.set("X-Amz-Security-Token", this.sessionToken);
+		} else this.headers.set("Authorization", await this.authHeader());
+		return {
+			method: this.method,
+			url: this.url,
+			headers: this.headers,
+			body: this.body
+		};
+	}
+	/**
+	* @returns {Promise<string>}
+	*/
+	async authHeader() {
+		return [
+			"AWS4-HMAC-SHA256 Credential=" + this.accessKeyId + "/" + this.credentialString,
+			"SignedHeaders=" + this.signedHeaders,
+			"Signature=" + await this.signature()
+		].join(", ");
+	}
+	/**
+	* @returns {Promise<string>}
+	*/
+	async signature() {
+		const date = this.datetime.slice(0, 8);
+		const cacheKey = [
+			this.secretAccessKey,
+			date,
+			this.region,
+			this.service
+		].join();
+		let kCredentials = this.cache.get(cacheKey);
+		if (!kCredentials) {
+			kCredentials = await hmac(await hmac(await hmac(await hmac("AWS4" + this.secretAccessKey, date), this.region), this.service), "aws4_request");
+			this.cache.set(cacheKey, kCredentials);
+		}
+		return buf2hex(await hmac(kCredentials, await this.stringToSign()));
+	}
+	/**
+	* @returns {Promise<string>}
+	*/
+	async stringToSign() {
+		return [
+			"AWS4-HMAC-SHA256",
+			this.datetime,
+			this.credentialString,
+			buf2hex(await hash(await this.canonicalString()))
+		].join("\n");
+	}
+	/**
+	* @returns {Promise<string>}
+	*/
+	async canonicalString() {
+		return [
+			this.method.toUpperCase(),
+			this.encodedPath,
+			this.encodedSearch,
+			this.canonicalHeaders + "\n",
+			this.signedHeaders,
+			await this.hexBodyHash()
+		].join("\n");
+	}
+	/**
+	* @returns {Promise<string>}
+	*/
+	async hexBodyHash() {
+		let hashHeader = this.headers.get("X-Amz-Content-Sha256") || (this.service === "s3" && this.signQuery ? "UNSIGNED-PAYLOAD" : null);
+		if (hashHeader == null) {
+			if (this.body && typeof this.body !== "string" && !("byteLength" in this.body)) throw new Error("body must be a string, ArrayBuffer or ArrayBufferView, unless you include the X-Amz-Content-Sha256 header");
+			hashHeader = buf2hex(await hash(this.body || ""));
+		}
+		return hashHeader;
+	}
+};
+/**
+* @param {string | BufferSource} key
+* @param {string} string
+* @returns {Promise<ArrayBuffer>}
+*/
+async function hmac(key, string) {
+	const cryptoKey = await crypto.subtle.importKey("raw", typeof key === "string" ? encoder.encode(key) : key, {
+		name: "HMAC",
+		hash: { name: "SHA-256" }
+	}, false, ["sign"]);
+	return crypto.subtle.sign("HMAC", cryptoKey, encoder.encode(string));
+}
+async function hash(content) {
+	return crypto.subtle.digest("SHA-256", typeof content === "string" ? encoder.encode(content) : content);
+}
+const HEX_CHARS = [
+	"0",
+	"1",
+	"2",
+	"3",
+	"4",
+	"5",
+	"6",
+	"7",
+	"8",
+	"9",
+	"a",
+	"b",
+	"c",
+	"d",
+	"e",
+	"f"
+];
+function buf2hex(arrayBuffer) {
+	const buffer = new Uint8Array(arrayBuffer);
+	let out = "";
+	for (let idx = 0; idx < buffer.length; idx++) {
+		const n = buffer[idx];
+		out += HEX_CHARS[n >>> 4 & 15];
+		out += HEX_CHARS[n & 15];
+	}
+	return out;
+}
+function encodeRfc3986(urlEncodedStr) {
+	return urlEncodedStr.replace(/[!'()*]/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
+}
+function guessServiceRegion(url, headers) {
+	const { hostname, pathname } = url;
+	if (hostname.endsWith(".on.aws")) {
+		const match$1 = hostname.match(/^[^.]{1,63}\.lambda-url\.([^.]{1,63})\.on\.aws$/);
+		return match$1 != null ? ["lambda", match$1[1] || ""] : ["", ""];
+	}
+	if (hostname.endsWith(".r2.cloudflarestorage.com")) return ["s3", "auto"];
+	if (hostname.endsWith(".backblazeb2.com")) {
+		const match$1 = hostname.match(/^(?:[^.]{1,63}\.)?s3\.([^.]{1,63})\.backblazeb2\.com$/);
+		return match$1 != null ? ["s3", match$1[1] || ""] : ["", ""];
+	}
+	const match = hostname.replace("dualstack.", "").match(/([^.]{1,63})\.(?:([^.]{0,63})\.)?amazonaws\.com(?:\.cn)?$/);
+	let service = match && match[1] || "";
+	let region = match && match[2];
+	if (region === "us-gov") region = "us-gov-west-1";
+	else if (region === "s3" || region === "s3-accelerate") {
+		region = "us-east-1";
+		service = "s3";
+	} else if (service === "iot") if (hostname.startsWith("iot.")) service = "execute-api";
+	else if (hostname.startsWith("data.jobs.iot.")) service = "iot-jobs-data";
+	else service = pathname === "/mqtt" ? "iotdevicegateway" : "iotdata";
+	else if (service === "autoscaling") {
+		const targetPrefix = (headers.get("X-Amz-Target") || "").split(".")[0];
+		if (targetPrefix === "AnyScaleFrontendService") service = "application-autoscaling";
+		else if (targetPrefix === "AnyScaleScalingPlannerFrontendService") service = "autoscaling-plans";
+	} else if (region == null && service.startsWith("s3-")) {
+		region = service.slice(3).replace(/^fips-|^external-1/, "");
+		service = "s3";
+	} else if (service.endsWith("-fips")) service = service.slice(0, -5);
+	else if (region && /-\d$/.test(service) && !/-\d$/.test(region)) [service, region] = [region, service];
+	return [HOST_SERVICES[service] || service, region || ""];
+}
+
+//#endregion
+export { AwsClient };
+//# sourceMappingURL=aws4fetch.mjs.map

package/dist/aws/aws4fetch.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws4fetch.mjs","names":["match"],"sources":["../../src/aws/aws4fetch.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n/**\n * Original implementation https://github.com/mhart/aws4fetch, inlined to reduce external dependencies\n * @license MIT <https://opensource.org/licenses/MIT>\n * @copyright Michael Hart 2024\n */\n\nconst encoder = new TextEncoder();\n\n/** @type {Record<string, string>} */\nconst HOST_SERVICES: Record<string, string> = {\n\tappstream2: 'appstream',\n\tcloudhsmv2: 'cloudhsm',\n\temail: 'ses',\n\tmarketplace: 'aws-marketplace',\n\tmobile: 'AWSMobileHubService',\n\tpinpoint: 'mobiletargeting',\n\tqueue: 'sqs',\n\t'git-codecommit': 'codecommit',\n\t'mturk-requester-sandbox': 'mturk-requester',\n\t'personalize-runtime': 'personalize',\n};\n\n// https://github.com/aws/aws-sdk-js/blob/cc29728c1c4178969ebabe3bbe6b6f3159436394/lib/signers/v4.js#L190-L198\nconst UNSIGNABLE_HEADERS = new Set([\n\t'authorization',\n\t'content-type',\n\t'content-length',\n\t'user-agent',\n\t'presigned-expires',\n\t'expect',\n\t'x-amzn-trace-id',\n\t'range',\n\t'connection',\n]);\n\ntype AwsRequestInit = RequestInit & {\n\taws?: {\n\t\taccessKeyId?: string;\n\t\tsecretAccessKey?: string;\n\t\tsessionToken?: string;\n\t\tservice?: string;\n\t\tregion?: string;\n\t\tcache?: Map<string, ArrayBuffer>;\n\t\tdatetime?: string;\n\t\tsignQuery?: boolean;\n\t\tappendSessionToken?: boolean;\n\t\tallHeaders?: boolean;\n\t\tsingleEncode?: boolean;\n\t};\n};\n\nexport class AwsClient {\n\taccessKeyId: string;\n\tsecretAccessKey: string;\n\tsessionToken: string | undefined;\n\tservice: string | undefined;\n\tregion: string | undefined;\n\tcache: Map<any, any>;\n\tretries: number;\n\tinitRetryMs: number;\n\t/**\n\t * @param {} options\n\t */\n\tconstructor({\n\t\taccessKeyId,\n\t\tsecretAccessKey,\n\t\tsessionToken,\n\t\tservice,\n\t\tregion,\n\t\tcache,\n\t\tretries,\n\t\tinitRetryMs,\n\t}: {\n\t\taccessKeyId: string;\n\t\tsecretAccessKey: string;\n\t\tsessionToken?: string;\n\t\tservice?: string;\n\t\tregion?: string;\n\t\tcache?: Map<string, ArrayBuffer>;\n\t\tretries?: number;\n\t\tinitRetryMs?: number;\n\t}) {\n\t\tif (accessKeyId == null) throw new TypeError('accessKeyId is a required option');\n\t\tif (secretAccessKey == null) throw new TypeError('secretAccessKey is a required option');\n\t\tthis.accessKeyId = accessKeyId;\n\t\tthis.secretAccessKey = secretAccessKey;\n\t\tthis.sessionToken = sessionToken;\n\t\tthis.service = service;\n\t\tthis.region = region;\n\t\t/** @type {Map<string, ArrayBuffer>} */\n\t\tthis.cache = cache || new Map();\n\t\tthis.retries = retries != null ? retries : 10; // Up to 25.6 secs\n\t\tthis.initRetryMs = initRetryMs || 50;\n\t}\n\n\tasync sign(input: Request | { toString: () => string }, init: AwsRequestInit): Promise<Request> {\n\t\tif (input instanceof Request) {\n\t\t\tconst { method, url, headers, body } = input;\n\t\t\tinit = Object.assign({ method, url, headers }, init);\n\t\t\tif (init.body == null && headers.has('Content-Type')) {\n\t\t\t\tinit.body =\n\t\t\t\t\tbody != null && headers.has('X-Amz-Content-Sha256')\n\t\t\t\t\t\t? body\n\t\t\t\t\t\t: await input.clone().arrayBuffer();\n\t\t\t}\n\t\t\tinput = url;\n\t\t}\n\t\tconst signer = new AwsV4Signer(\n\t\t\tObject.assign({ url: input.toString() }, init, this, init && init.aws),\n\t\t);\n\t\tconst signed = Object.assign({}, init, await signer.sign());\n\t\tdelete signed.aws;\n\t\ttry {\n\t\t\treturn new Request(signed.url.toString(), signed);\n\t\t} catch (e) {\n\t\t\tif (e instanceof TypeError) {\n\t\t\t\t// https://bugs.chromium.org/p/chromium/issues/detail?id=1360943\n\t\t\t\treturn new Request(signed.url.toString(), Object.assign({ duplex: 'half' }, signed));\n\t\t\t}\n\t\t\tthrow e;\n\t\t}\n\t}\n\n\t/**\n\t * @param {Request | { toString: () => string }} input\n\t * @param {?AwsRequestInit} [init]\n\t * @returns {Promise<Response>}\n\t */\n\tasync fetch(input: Request | { toString: () => string }, init: AwsRequestInit) {\n\t\tfor (let i = 0; i <= this.retries; i++) {\n\t\t\tconst fetched = fetch(await this.sign(input, init));\n\t\t\tif (i === this.retries) {\n\t\t\t\treturn fetched; // No need to await if we're returning anyway\n\t\t\t}\n\t\t\tconst res = await fetched;\n\t\t\tif (res.status < 500 && res.status !== 429) {\n\t\t\t\treturn res;\n\t\t\t}\n\t\t\tawait new Promise((resolve) =>\n\t\t\t\tsetTimeout(resolve, Math.random() * this.initRetryMs * Math.pow(2, i)),\n\t\t\t);\n\t\t}\n\t\tthrow new Error('An unknown error occurred, ensure retries is not negative');\n\t}\n}\n\nexport class AwsV4Signer {\n\tmethod: any;\n\turl: URL;\n\theaders: Headers;\n\tbody: any;\n\taccessKeyId: any;\n\tsecretAccessKey: any;\n\tsessionToken: any;\n\tservice: any;\n\tregion: any;\n\tcache: any;\n\tdatetime: any;\n\tsignQuery: any;\n\tappendSessionToken: any;\n\tsignableHeaders: any[];\n\tsignedHeaders: any;\n\tcanonicalHeaders: any;\n\tcredentialString: string;\n\tencodedPath: string;\n\tencodedSearch: string;\n\t/**\n\t * @param {} options\n\t */\n\tconstructor({\n\t\tmethod,\n\t\turl,\n\t\theaders,\n\t\tbody,\n\t\taccessKeyId,\n\t\tsecretAccessKey,\n\t\tsessionToken,\n\t\tservice,\n\t\tregion,\n\t\tcache,\n\t\tdatetime,\n\t\tsignQuery,\n\t\tappendSessionToken,\n\t\tallHeaders,\n\t\tsingleEncode,\n\t}: {\n\t\tmethod?: string;\n\t\turl: string;\n\t\theaders?: HeadersInit;\n\t\tbody?: BodyInit | null;\n\t\taccessKeyId: string;\n\t\tsecretAccessKey: string;\n\t\tsessionToken?: string;\n\t\tservice?: string;\n\t\tregion?: string;\n\t\tcache?: Map<string, ArrayBuffer>;\n\t\tdatetime?: string;\n\t\tsignQuery?: boolean;\n\t\tappendSessionToken?: boolean;\n\t\tallHeaders?: boolean;\n\t\tsingleEncode?: boolean;\n\t}) {\n\t\tif (url == null) throw new TypeError('url is a required option');\n\t\tif (accessKeyId == null) throw new TypeError('accessKeyId is a required option');\n\t\tif (secretAccessKey == null) throw new TypeError('secretAccessKey is a required option');\n\n\t\tthis.method = method || (body ? 'POST' : 'GET');\n\t\tthis.url = new URL(url);\n\t\tthis.headers = new Headers(headers || {});\n\t\tthis.body = body;\n\n\t\tthis.accessKeyId = accessKeyId;\n\t\tthis.secretAccessKey = secretAccessKey;\n\t\tthis.sessionToken = sessionToken;\n\n\t\tlet guessedService, guessedRegion;\n\t\tif (!service || !region) {\n\t\t\t[guessedService, guessedRegion] = guessServiceRegion(this.url, this.headers);\n\t\t}\n\t\tthis.service = service || guessedService || '';\n\t\tthis.region = region || guessedRegion || 'us-east-1';\n\n\t\t/** @type {Map<string, ArrayBuffer>} */\n\t\tthis.cache = cache || new Map();\n\t\tthis.datetime = datetime || new Date().toISOString().replace(/[:-]|\\.\\d{3}/g, '');\n\t\tthis.signQuery = signQuery;\n\t\tthis.appendSessionToken = appendSessionToken || this.service === 'iotdevicegateway';\n\n\t\tthis.headers.delete('Host'); // Can't be set in insecure env anyway\n\n\t\tif (this.service === 's3' && !this.signQuery && !this.headers.has('X-Amz-Content-Sha256')) {\n\t\t\tthis.headers.set('X-Amz-Content-Sha256', 'UNSIGNED-PAYLOAD');\n\t\t}\n\n\t\tconst params = this.signQuery ? this.url.searchParams : this.headers;\n\n\t\tparams.set('X-Amz-Date', this.datetime);\n\t\tif (this.sessionToken && !this.appendSessionToken) {\n\t\t\tparams.set('X-Amz-Security-Token', this.sessionToken);\n\t\t}\n\n\t\t// headers are always lowercase in keys()\n\n\t\tthis.signableHeaders = ['host', ...((this.headers as any).keys() as string[])]\n\t\t\t.filter((header) => allHeaders || !UNSIGNABLE_HEADERS.has(header))\n\t\t\t.sort();\n\n\t\tthis.signedHeaders = this.signableHeaders.join(';');\n\n\t\t// headers are always trimmed:\n\t\t// https://fetch.spec.whatwg.org/#concept-header-value-normalize\n\t\tthis.canonicalHeaders = this.signableHeaders\n\t\t\t.map(\n\t\t\t\t(header) =>\n\t\t\t\t\theader +\n\t\t\t\t\t':' +\n\t\t\t\t\t(header === 'host'\n\t\t\t\t\t\t? this.url.host\n\t\t\t\t\t\t: (this.headers.get(header) || '').replace(/\\s+/g, ' ')),\n\t\t\t)\n\t\t\t.join('\\n');\n\n\t\tthis.credentialString = [\n\t\t\tthis.datetime.slice(0, 8),\n\t\t\tthis.region,\n\t\t\tthis.service,\n\t\t\t'aws4_request',\n\t\t].join('/');\n\n\t\tif (this.signQuery) {\n\t\t\tif (this.service === 's3' && !params.has('X-Amz-Expires')) {\n\t\t\t\tparams.set('X-Amz-Expires', '86400'); // 24 hours\n\t\t\t}\n\t\t\tparams.set('X-Amz-Algorithm', 'AWS4-HMAC-SHA256');\n\t\t\tparams.set('X-Amz-Credential', this.accessKeyId + '/' + this.credentialString);\n\t\t\tparams.set('X-Amz-SignedHeaders', this.signedHeaders);\n\t\t}\n\n\t\tif (this.service === 's3') {\n\t\t\ttry {\n\t\t\t\tthis.encodedPath = decodeURIComponent(this.url.pathname.replace(/\\+/g, ' '));\n\t\t\t} catch {\n\t\t\t\tthis.encodedPath = this.url.pathname;\n\t\t\t}\n\t\t} else {\n\t\t\tthis.encodedPath = this.url.pathname.replace(/\\/+/g, '/');\n\t\t}\n\t\tif (!singleEncode) {\n\t\t\tthis.encodedPath = encodeURIComponent(this.encodedPath).replace(/%2F/g, '/');\n\t\t}\n\t\tthis.encodedPath = encodeRfc3986(this.encodedPath);\n\n\t\tconst seenKeys = new Set();\n\t\tthis.encodedSearch = [...this.url.searchParams]\n\t\t\t.filter(([k]) => {\n\t\t\t\tif (!k) return false; // no empty keys\n\t\t\t\tif (this.service === 's3') {\n\t\t\t\t\tif (seenKeys.has(k)) return false; // first val only for S3\n\t\t\t\t\tseenKeys.add(k);\n\t\t\t\t}\n\t\t\t\treturn true;\n\t\t\t})\n\t\t\t.map((pair) => pair.map((p) => encodeRfc3986(encodeURIComponent(p))))\n\t\t\t.sort(([k1, v1], [k2, v2]) => (k1 < k2 ? -1 : k1 > k2 ? 1 : v1 < v2 ? -1 : v1 > v2 ? 1 : 0))\n\t\t\t.map((pair) => pair.join('='))\n\t\t\t.join('&');\n\t}\n\n\t/**\n\t * @returns {Promise<{\n\t *   method: string\n\t *   url: URL\n\t *   headers: Headers\n\t *   body?: BodyInit | null\n\t * }>}\n\t */\n\tasync sign() {\n\t\tif (this.signQuery) {\n\t\t\tthis.url.searchParams.set('X-Amz-Signature', await this.signature());\n\t\t\tif (this.sessionToken && this.appendSessionToken) {\n\t\t\t\tthis.url.searchParams.set('X-Amz-Security-Token', this.sessionToken);\n\t\t\t}\n\t\t} else {\n\t\t\tthis.headers.set('Authorization', await this.authHeader());\n\t\t}\n\n\t\treturn {\n\t\t\tmethod: this.method,\n\t\t\turl: this.url,\n\t\t\theaders: this.headers,\n\t\t\tbody: this.body,\n\t\t};\n\t}\n\n\t/**\n\t * @returns {Promise<string>}\n\t */\n\tasync authHeader() {\n\t\treturn [\n\t\t\t'AWS4-HMAC-SHA256 Credential=' + this.accessKeyId + '/' + this.credentialString,\n\t\t\t'SignedHeaders=' + this.signedHeaders,\n\t\t\t'Signature=' + (await this.signature()),\n\t\t].join(', ');\n\t}\n\n\t/**\n\t * @returns {Promise<string>}\n\t */\n\tasync signature() {\n\t\tconst date = this.datetime.slice(0, 8);\n\t\tconst cacheKey = [this.secretAccessKey, date, this.region, this.service].join();\n\t\tlet kCredentials = this.cache.get(cacheKey);\n\t\tif (!kCredentials) {\n\t\t\tconst kDate = await hmac('AWS4' + this.secretAccessKey, date);\n\t\t\tconst kRegion = await hmac(kDate, this.region);\n\t\t\tconst kService = await hmac(kRegion, this.service);\n\t\t\tkCredentials = await hmac(kService, 'aws4_request');\n\t\t\tthis.cache.set(cacheKey, kCredentials);\n\t\t}\n\t\treturn buf2hex(await hmac(kCredentials, await this.stringToSign()));\n\t}\n\n\t/**\n\t * @returns {Promise<string>}\n\t */\n\tasync stringToSign() {\n\t\treturn [\n\t\t\t'AWS4-HMAC-SHA256',\n\t\t\tthis.datetime,\n\t\t\tthis.credentialString,\n\t\t\tbuf2hex(await hash(await this.canonicalString())),\n\t\t].join('\\n');\n\t}\n\n\t/**\n\t * @returns {Promise<string>}\n\t */\n\tasync canonicalString() {\n\t\treturn [\n\t\t\tthis.method.toUpperCase(),\n\t\t\tthis.encodedPath,\n\t\t\tthis.encodedSearch,\n\t\t\tthis.canonicalHeaders + '\\n',\n\t\t\tthis.signedHeaders,\n\t\t\tawait this.hexBodyHash(),\n\t\t].join('\\n');\n\t}\n\n\t/**\n\t * @returns {Promise<string>}\n\t */\n\tasync hexBodyHash() {\n\t\tlet hashHeader =\n\t\t\tthis.headers.get('X-Amz-Content-Sha256') ||\n\t\t\t(this.service === 's3' && this.signQuery ? 'UNSIGNED-PAYLOAD' : null);\n\t\tif (hashHeader == null) {\n\t\t\tif (this.body && typeof this.body !== 'string' && !('byteLength' in this.body)) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t'body must be a string, ArrayBuffer or ArrayBufferView, unless you include the X-Amz-Content-Sha256 header',\n\t\t\t\t);\n\t\t\t}\n\t\t\thashHeader = buf2hex(await hash(this.body || ''));\n\t\t}\n\t\treturn hashHeader;\n\t}\n}\n\n/**\n * @param {string | BufferSource} key\n * @param {string} string\n * @returns {Promise<ArrayBuffer>}\n */\nasync function hmac(key: string | BufferSource, string: string): Promise<ArrayBuffer> {\n\tconst cryptoKey = await crypto.subtle.importKey(\n\t\t'raw',\n\t\ttypeof key === 'string' ? encoder.encode(key) : key,\n\t\t{ name: 'HMAC', hash: { name: 'SHA-256' } },\n\t\tfalse,\n\t\t['sign'],\n\t);\n\treturn crypto.subtle.sign('HMAC', cryptoKey, encoder.encode(string));\n}\n\nasync function hash(content: string | ArrayBufferLike): Promise<ArrayBuffer> {\n\treturn crypto.subtle.digest(\n\t\t'SHA-256',\n\t\t(typeof content === 'string' ? encoder.encode(content) : content) as ArrayBuffer,\n\t);\n}\n\nconst HEX_CHARS = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'];\n\nfunction buf2hex(arrayBuffer: ArrayBufferLike): string {\n\tconst buffer = new Uint8Array(arrayBuffer);\n\tlet out = '';\n\tfor (let idx = 0; idx < buffer.length; idx++) {\n\t\tconst n = buffer[idx];\n\n\t\tout += HEX_CHARS[(n >>> 4) & 0xf];\n\t\tout += HEX_CHARS[n & 0xf];\n\t}\n\treturn out;\n}\n\nfunction encodeRfc3986(urlEncodedStr: string): string {\n\treturn urlEncodedStr.replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());\n}\n\nfunction guessServiceRegion(url: URL, headers: Headers): [string, string] {\n\tconst { hostname, pathname } = url;\n\n\tif (hostname.endsWith('.on.aws')) {\n\t\tconst match = hostname.match(/^[^.]{1,63}\\.lambda-url\\.([^.]{1,63})\\.on\\.aws$/);\n\t\treturn match != null ? ['lambda', match[1] || ''] : ['', ''];\n\t}\n\tif (hostname.endsWith('.r2.cloudflarestorage.com')) {\n\t\treturn ['s3', 'auto'];\n\t}\n\tif (hostname.endsWith('.backblazeb2.com')) {\n\t\tconst match = hostname.match(/^(?:[^.]{1,63}\\.)?s3\\.([^.]{1,63})\\.backblazeb2\\.com$/);\n\t\treturn match != null ? ['s3', match[1] || ''] : ['', ''];\n\t}\n\tconst match = hostname\n\t\t.replace('dualstack.', '')\n\t\t.match(/([^.]{1,63})\\.(?:([^.]{0,63})\\.)?amazonaws\\.com(?:\\.cn)?$/);\n\tlet service = (match && match[1]) || '';\n\tlet region = match && match[2];\n\n\tif (region === 'us-gov') {\n\t\tregion = 'us-gov-west-1';\n\t} else if (region === 's3' || region === 's3-accelerate') {\n\t\tregion = 'us-east-1';\n\t\tservice = 's3';\n\t} else if (service === 'iot') {\n\t\tif (hostname.startsWith('iot.')) {\n\t\t\tservice = 'execute-api';\n\t\t} else if (hostname.startsWith('data.jobs.iot.')) {\n\t\t\tservice = 'iot-jobs-data';\n\t\t} else {\n\t\t\tservice = pathname === '/mqtt' ? 'iotdevicegateway' : 'iotdata';\n\t\t}\n\t} else if (service === 'autoscaling') {\n\t\tconst targetPrefix = (headers.get('X-Amz-Target') || '').split('.')[0];\n\t\tif (targetPrefix === 'AnyScaleFrontendService') {\n\t\t\tservice = 'application-autoscaling';\n\t\t} else if (targetPrefix === 'AnyScaleScalingPlannerFrontendService') {\n\t\t\tservice = 'autoscaling-plans';\n\t\t}\n\t} else if (region == null && service.startsWith('s3-')) {\n\t\tregion = service.slice(3).replace(/^fips-|^external-1/, '');\n\t\tservice = 's3';\n\t} else if (service.endsWith('-fips')) {\n\t\tservice = service.slice(0, -5);\n\t} else if (region && /-\\d$/.test(service) && !/-\\d$/.test(region)) {\n\t\t[service, region] = [region, service];\n\t}\n\n\treturn [HOST_SERVICES[service] || service, region || ''];\n}\n"],"mappings":";;;;;;AASA,MAAM,UAAU,IAAI,aAAa;;AAGjC,MAAM,gBAAwC;CAC7C,YAAY;CACZ,YAAY;CACZ,OAAO;CACP,aAAa;CACb,QAAQ;CACR,UAAU;CACV,OAAO;CACP,kBAAkB;CAClB,2BAA2B;CAC3B,uBAAuB;CACvB;AAGD,MAAM,qBAAqB,IAAI,IAAI;CAClC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA,CAAC;AAkBF,IAAa,YAAb,MAAuB;;;;CAYtB,YAAY,EACX,aACA,iBACA,cACA,SACA,QACA,OACA,SACA,eAUE;AACF,MAAI,eAAe,KAAM,OAAM,IAAI,UAAU,mCAAmC;AAChF,MAAI,mBAAmB,KAAM,OAAM,IAAI,UAAU,uCAAuC;AACxF,OAAK,cAAc;AACnB,OAAK,kBAAkB;AACvB,OAAK,eAAe;AACpB,OAAK,UAAU;AACf,OAAK,SAAS;;AAEd,OAAK,QAAQ,yBAAS,IAAI,KAAK;AAC/B,OAAK,UAAU,WAAW,OAAO,UAAU;AAC3C,OAAK,cAAc,eAAe;;CAGnC,MAAM,KAAK,OAA6C,MAAwC;AAC/F,MAAI,iBAAiB,SAAS;GAC7B,MAAM,EAAE,QAAQ,KAAK,SAAS,SAAS;AACvC,UAAO,OAAO,OAAO;IAAE;IAAQ;IAAK;IAAS,EAAE,KAAK;AACpD,OAAI,KAAK,QAAQ,QAAQ,QAAQ,IAAI,eAAe,CACnD,MAAK,OACJ,QAAQ,QAAQ,QAAQ,IAAI,uBAAuB,GAChD,OACA,MAAM,MAAM,OAAO,CAAC,aAAa;AAEtC,WAAQ;;EAET,MAAM,SAAS,IAAI,YAClB,OAAO,OAAO,EAAE,KAAK,MAAM,UAAU,EAAE,EAAE,MAAM,MAAM,QAAQ,KAAK,IAAI,CACtE;EACD,MAAM,SAAS,OAAO,OAAO,EAAE,EAAE,MAAM,MAAM,OAAO,MAAM,CAAC;AAC3D,SAAO,OAAO;AACd,MAAI;AACH,UAAO,IAAI,QAAQ,OAAO,IAAI,UAAU,EAAE,OAAO;WACzC,GAAG;AACX,OAAI,aAAa,UAEhB,QAAO,IAAI,QAAQ,OAAO,IAAI,UAAU,EAAE,OAAO,OAAO,EAAE,QAAQ,QAAQ,EAAE,OAAO,CAAC;AAErF,SAAM;;;;;;;;CASR,MAAM,MAAM,OAA6C,MAAsB;AAC9E,OAAK,IAAI,IAAI,GAAG,KAAK,KAAK,SAAS,KAAK;GACvC,MAAM,UAAU,MAAM,MAAM,KAAK,KAAK,OAAO,KAAK,CAAC;AACnD,OAAI,MAAM,KAAK,QACd,QAAO;GAER,MAAM,MAAM,MAAM;AAClB,OAAI,IAAI,SAAS,OAAO,IAAI,WAAW,IACtC,QAAO;AAER,SAAM,IAAI,SAAS,YAClB,WAAW,SAAS,KAAK,QAAQ,GAAG,KAAK,cAAc,KAAK,IAAI,GAAG,EAAE,CAAC,CACtE;;AAEF,QAAM,IAAI,MAAM,4DAA4D;;;AAI9E,IAAa,cAAb,MAAyB;;;;CAuBxB,YAAY,EACX,QACA,KACA,SACA,MACA,aACA,iBACA,cACA,SACA,QACA,OACA,UACA,WACA,oBACA,YACA,gBAiBE;AACF,MAAI,OAAO,KAAM,OAAM,IAAI,UAAU,2BAA2B;AAChE,MAAI,eAAe,KAAM,OAAM,IAAI,UAAU,mCAAmC;AAChF,MAAI,mBAAmB,KAAM,OAAM,IAAI,UAAU,uCAAuC;AAExF,OAAK,SAAS,WAAW,OAAO,SAAS;AACzC,OAAK,MAAM,IAAI,IAAI,IAAI;AACvB,OAAK,UAAU,IAAI,QAAQ,WAAW,EAAE,CAAC;AACzC,OAAK,OAAO;AAEZ,OAAK,cAAc;AACnB,OAAK,kBAAkB;AACvB,OAAK,eAAe;EAEpB,IAAI,gBAAgB;AACpB,MAAI,CAAC,WAAW,CAAC,OAChB,EAAC,gBAAgB,iBAAiB,mBAAmB,KAAK,KAAK,KAAK,QAAQ;AAE7E,OAAK,UAAU,WAAW,kBAAkB;AAC5C,OAAK,SAAS,UAAU,iBAAiB;;AAGzC,OAAK,QAAQ,yBAAS,IAAI,KAAK;AAC/B,OAAK,WAAW,6BAAY,IAAI,MAAM,EAAC,aAAa,CAAC,QAAQ,iBAAiB,GAAG;AACjF,OAAK,YAAY;AACjB,OAAK,qBAAqB,sBAAsB,KAAK,YAAY;AAEjE,OAAK,QAAQ,OAAO,OAAO;AAE3B,MAAI,KAAK,YAAY,QAAQ,CAAC,KAAK,aAAa,CAAC,KAAK,QAAQ,IAAI,uBAAuB,CACxF,MAAK,QAAQ,IAAI,wBAAwB,mBAAmB;EAG7D,MAAM,SAAS,KAAK,YAAY,KAAK,IAAI,eAAe,KAAK;AAE7D,SAAO,IAAI,cAAc,KAAK,SAAS;AACvC,MAAI,KAAK,gBAAgB,CAAC,KAAK,mBAC9B,QAAO,IAAI,wBAAwB,KAAK,aAAa;AAKtD,OAAK,kBAAkB,CAAC,QAAQ,GAAK,KAAK,QAAgB,MAAM,CAAc,CAC5E,QAAQ,WAAW,cAAc,CAAC,mBAAmB,IAAI,OAAO,CAAC,CACjE,MAAM;AAER,OAAK,gBAAgB,KAAK,gBAAgB,KAAK,IAAI;AAInD,OAAK,mBAAmB,KAAK,gBAC3B,KACC,WACA,SACA,OACC,WAAW,SACT,KAAK,IAAI,QACR,KAAK,QAAQ,IAAI,OAAO,IAAI,IAAI,QAAQ,QAAQ,IAAI,EACzD,CACA,KAAK,KAAK;AAEZ,OAAK,mBAAmB;GACvB,KAAK,SAAS,MAAM,GAAG,EAAE;GACzB,KAAK;GACL,KAAK;GACL;GACA,CAAC,KAAK,IAAI;AAEX,MAAI,KAAK,WAAW;AACnB,OAAI,KAAK,YAAY,QAAQ,CAAC,OAAO,IAAI,gBAAgB,CACxD,QAAO,IAAI,iBAAiB,QAAQ;AAErC,UAAO,IAAI,mBAAmB,mBAAmB;AACjD,UAAO,IAAI,oBAAoB,KAAK,cAAc,MAAM,KAAK,iBAAiB;AAC9E,UAAO,IAAI,uBAAuB,KAAK,cAAc;;AAGtD,MAAI,KAAK,YAAY,KACpB,KAAI;AACH,QAAK,cAAc,mBAAmB,KAAK,IAAI,SAAS,QAAQ,OAAO,IAAI,CAAC;UACrE;AACP,QAAK,cAAc,KAAK,IAAI;;MAG7B,MAAK,cAAc,KAAK,IAAI,SAAS,QAAQ,QAAQ,IAAI;AAE1D,MAAI,CAAC,aACJ,MAAK,cAAc,mBAAmB,KAAK,YAAY,CAAC,QAAQ,QAAQ,IAAI;AAE7E,OAAK,cAAc,cAAc,KAAK,YAAY;EAElD,MAAM,2BAAW,IAAI,KAAK;AAC1B,OAAK,gBAAgB,CAAC,GAAG,KAAK,IAAI,aAAa,CAC7C,QAAQ,CAAC,OAAO;AAChB,OAAI,CAAC,EAAG,QAAO;AACf,OAAI,KAAK,YAAY,MAAM;AAC1B,QAAI,SAAS,IAAI,EAAE,CAAE,QAAO;AAC5B,aAAS,IAAI,EAAE;;AAEhB,UAAO;IACN,CACD,KAAK,SAAS,KAAK,KAAK,MAAM,cAAc,mBAAmB,EAAE,CAAC,CAAC,CAAC,CACpE,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,QAAS,KAAK,KAAK,KAAK,KAAK,KAAK,IAAI,KAAK,KAAK,KAAK,KAAK,KAAK,IAAI,EAAG,CAC3F,KAAK,SAAS,KAAK,KAAK,IAAI,CAAC,CAC7B,KAAK,IAAI;;;;;;;;;;CAWZ,MAAM,OAAO;AACZ,MAAI,KAAK,WAAW;AACnB,QAAK,IAAI,aAAa,IAAI,mBAAmB,MAAM,KAAK,WAAW,CAAC;AACpE,OAAI,KAAK,gBAAgB,KAAK,mBAC7B,MAAK,IAAI,aAAa,IAAI,wBAAwB,KAAK,aAAa;QAGrE,MAAK,QAAQ,IAAI,iBAAiB,MAAM,KAAK,YAAY,CAAC;AAG3D,SAAO;GACN,QAAQ,KAAK;GACb,KAAK,KAAK;GACV,SAAS,KAAK;GACd,MAAM,KAAK;GACX;;;;;CAMF,MAAM,aAAa;AAClB,SAAO;GACN,iCAAiC,KAAK,cAAc,MAAM,KAAK;GAC/D,mBAAmB,KAAK;GACxB,eAAgB,MAAM,KAAK,WAAW;GACtC,CAAC,KAAK,KAAK;;;;;CAMb,MAAM,YAAY;EACjB,MAAM,OAAO,KAAK,SAAS,MAAM,GAAG,EAAE;EACtC,MAAM,WAAW;GAAC,KAAK;GAAiB;GAAM,KAAK;GAAQ,KAAK;GAAQ,CAAC,MAAM;EAC/E,IAAI,eAAe,KAAK,MAAM,IAAI,SAAS;AAC3C,MAAI,CAAC,cAAc;AAIlB,kBAAe,MAAM,KADJ,MAAM,KADP,MAAM,KADR,MAAM,KAAK,SAAS,KAAK,iBAAiB,KAAK,EAC3B,KAAK,OAAO,EACT,KAAK,QAAQ,EACd,eAAe;AACnD,QAAK,MAAM,IAAI,UAAU,aAAa;;AAEvC,SAAO,QAAQ,MAAM,KAAK,cAAc,MAAM,KAAK,cAAc,CAAC,CAAC;;;;;CAMpE,MAAM,eAAe;AACpB,SAAO;GACN;GACA,KAAK;GACL,KAAK;GACL,QAAQ,MAAM,KAAK,MAAM,KAAK,iBAAiB,CAAC,CAAC;GACjD,CAAC,KAAK,KAAK;;;;;CAMb,MAAM,kBAAkB;AACvB,SAAO;GACN,KAAK,OAAO,aAAa;GACzB,KAAK;GACL,KAAK;GACL,KAAK,mBAAmB;GACxB,KAAK;GACL,MAAM,KAAK,aAAa;GACxB,CAAC,KAAK,KAAK;;;;;CAMb,MAAM,cAAc;EACnB,IAAI,aACH,KAAK,QAAQ,IAAI,uBAAuB,KACvC,KAAK,YAAY,QAAQ,KAAK,YAAY,qBAAqB;AACjE,MAAI,cAAc,MAAM;AACvB,OAAI,KAAK,QAAQ,OAAO,KAAK,SAAS,YAAY,EAAE,gBAAgB,KAAK,MACxE,OAAM,IAAI,MACT,4GACA;AAEF,gBAAa,QAAQ,MAAM,KAAK,KAAK,QAAQ,GAAG,CAAC;;AAElD,SAAO;;;;;;;;AAST,eAAe,KAAK,KAA4B,QAAsC;CACrF,MAAM,YAAY,MAAM,OAAO,OAAO,UACrC,OACA,OAAO,QAAQ,WAAW,QAAQ,OAAO,IAAI,GAAG,KAChD;EAAE,MAAM;EAAQ,MAAM,EAAE,MAAM,WAAW;EAAE,EAC3C,OACA,CAAC,OAAO,CACR;AACD,QAAO,OAAO,OAAO,KAAK,QAAQ,WAAW,QAAQ,OAAO,OAAO,CAAC;;AAGrE,eAAe,KAAK,SAAyD;AAC5E,QAAO,OAAO,OAAO,OACpB,WACC,OAAO,YAAY,WAAW,QAAQ,OAAO,QAAQ,GAAG,QACzD;;AAGF,MAAM,YAAY;CAAC;CAAK;CAAK;CAAK;CAAK;CAAK;CAAK;CAAK;CAAK;CAAK;CAAK;CAAK;CAAK;CAAK;CAAK;CAAK;CAAI;AAElG,SAAS,QAAQ,aAAsC;CACtD,MAAM,SAAS,IAAI,WAAW,YAAY;CAC1C,IAAI,MAAM;AACV,MAAK,IAAI,MAAM,GAAG,MAAM,OAAO,QAAQ,OAAO;EAC7C,MAAM,IAAI,OAAO;AAEjB,SAAO,UAAW,MAAM,IAAK;AAC7B,SAAO,UAAU,IAAI;;AAEtB,QAAO;;AAGR,SAAS,cAAc,eAA+B;AACrD,QAAO,cAAc,QAAQ,aAAa,MAAM,MAAM,EAAE,WAAW,EAAE,CAAC,SAAS,GAAG,CAAC,aAAa,CAAC;;AAGlG,SAAS,mBAAmB,KAAU,SAAoC;CACzE,MAAM,EAAE,UAAU,aAAa;AAE/B,KAAI,SAAS,SAAS,UAAU,EAAE;EACjC,MAAMA,UAAQ,SAAS,MAAM,kDAAkD;AAC/E,SAAOA,WAAS,OAAO,CAAC,UAAUA,QAAM,MAAM,GAAG,GAAG,CAAC,IAAI,GAAG;;AAE7D,KAAI,SAAS,SAAS,4BAA4B,CACjD,QAAO,CAAC,MAAM,OAAO;AAEtB,KAAI,SAAS,SAAS,mBAAmB,EAAE;EAC1C,MAAMA,UAAQ,SAAS,MAAM,wDAAwD;AACrF,SAAOA,WAAS,OAAO,CAAC,MAAMA,QAAM,MAAM,GAAG,GAAG,CAAC,IAAI,GAAG;;CAEzD,MAAM,QAAQ,SACZ,QAAQ,cAAc,GAAG,CACzB,MAAM,4DAA4D;CACpE,IAAI,UAAW,SAAS,MAAM,MAAO;CACrC,IAAI,SAAS,SAAS,MAAM;AAE5B,KAAI,WAAW,SACd,UAAS;UACC,WAAW,QAAQ,WAAW,iBAAiB;AACzD,WAAS;AACT,YAAU;YACA,YAAY,MACtB,KAAI,SAAS,WAAW,OAAO,CAC9B,WAAU;UACA,SAAS,WAAW,iBAAiB,CAC/C,WAAU;KAEV,WAAU,aAAa,UAAU,qBAAqB;UAE7C,YAAY,eAAe;EACrC,MAAM,gBAAgB,QAAQ,IAAI,eAAe,IAAI,IAAI,MAAM,IAAI,CAAC;AACpE,MAAI,iBAAiB,0BACpB,WAAU;WACA,iBAAiB,wCAC3B,WAAU;YAED,UAAU,QAAQ,QAAQ,WAAW,MAAM,EAAE;AACvD,WAAS,QAAQ,MAAM,EAAE,CAAC,QAAQ,sBAAsB,GAAG;AAC3D,YAAU;YACA,QAAQ,SAAS,QAAQ,CACnC,WAAU,QAAQ,MAAM,GAAG,GAAG;UACpB,UAAU,OAAO,KAAK,QAAQ,IAAI,CAAC,OAAO,KAAK,OAAO,CAChE,EAAC,SAAS,UAAU,CAAC,QAAQ,QAAQ;AAGtC,QAAO,CAAC,cAAc,YAAY,SAAS,UAAU,GAAG"}

package/dist/aws/index.d.mts

@@ -0,0 +1,3 @@
+import { AwsClientOptions } from "./aws-client.mjs";
+import { AwsKmsSigner, AwsKmsSignerOptions } from "./aws-kms-signer.mjs";
+export { type AwsClientOptions, AwsKmsSigner, type AwsKmsSignerOptions };

package/dist/aws/index.mjs

@@ -0,0 +1,3 @@
+import { AwsKmsSigner } from "./aws-kms-signer.mjs";
+
+export { AwsKmsSigner };