@hanzo/iam 0.8.0 → 0.9.1

package/dist/auth.cjs

@@ -0,0 +1,111 @@
+'use strict';
+
+var jose = require('jose');
+
+// src/auth.ts
+var jwksSets = /* @__PURE__ */ new Map();
+function getJwksKeySet(jwksUri) {
+  let keySet = jwksSets.get(jwksUri);
+  if (!keySet) {
+    keySet = jose.createRemoteJWKSet(new URL(jwksUri));
+    jwksSets.set(jwksUri, keySet);
+  }
+  return keySet;
+}
+function clearJwksCache() {
+  jwksSets.clear();
+}
+var discoveryCache = /* @__PURE__ */ new Map();
+var DISCOVERY_TTL_MS = 5 * 60 * 1e3;
+async function resolveJwksUri(serverUrl) {
+  const baseUrl = serverUrl.replace(/\/+$/, "");
+  const cached = discoveryCache.get(baseUrl);
+  if (cached && Date.now() - cached.fetchedAt < DISCOVERY_TTL_MS) {
+    return { jwksUri: cached.jwksUri, issuer: cached.issuer };
+  }
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), 8e3);
+  try {
+    const res = await fetch(`${baseUrl}/.well-known/openid-configuration`, {
+      signal: controller.signal,
+      headers: { Accept: "application/json" }
+    });
+    if (!res.ok) {
+      throw new Error(`OIDC discovery failed: ${res.status}`);
+    }
+    const body = await res.json();
+    const jwksUri = body.jwks_uri;
+    const issuer = body.issuer ?? baseUrl;
+    if (!jwksUri) {
+      throw new Error("OIDC discovery response missing jwks_uri");
+    }
+    discoveryCache.set(baseUrl, { jwksUri, issuer, fetchedAt: Date.now() });
+    return { jwksUri, issuer };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function validateToken(token, config) {
+  if (!token || typeof token !== "string") {
+    return { ok: false, reason: "iam_token_missing" };
+  }
+  let jwksUri;
+  let issuer;
+  try {
+    const discovery = await resolveJwksUri(config.serverUrl);
+    jwksUri = discovery.jwksUri;
+    issuer = discovery.issuer;
+  } catch {
+    return { ok: false, reason: "iam_discovery_failed" };
+  }
+  const keySet = getJwksKeySet(jwksUri);
+  let payload;
+  try {
+    const result = await jose.jwtVerify(token, keySet, {
+      issuer,
+      audience: config.clientId,
+      clockTolerance: 30
+      // 30s clock skew
+    });
+    payload = result.payload;
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    if (message.includes("expired")) {
+      return { ok: false, reason: "iam_token_expired" };
+    }
+    if (message.includes("audience")) {
+      try {
+        const result = await jose.jwtVerify(token, keySet, {
+          issuer,
+          clockTolerance: 30
+        });
+        payload = result.payload;
+      } catch {
+        return { ok: false, reason: "iam_signature_invalid" };
+      }
+    } else {
+      return { ok: false, reason: "iam_signature_invalid" };
+    }
+  }
+  const claims = payload;
+  const sub = claims.sub || (typeof claims.owner === "string" && typeof claims.name === "string" ? `${claims.owner}/${claims.name}` : void 0);
+  if (!sub) {
+    return { ok: false, reason: "iam_subject_missing" };
+  }
+  const parts = sub.split("/");
+  const owner = parts.length > 1 ? parts[0] : config.orgName ?? "unknown";
+  return {
+    ok: true,
+    userId: sub,
+    email: typeof claims.email === "string" ? claims.email : void 0,
+    name: typeof claims.name === "string" ? claims.name : typeof claims.preferred_username === "string" ? claims.preferred_username : void 0,
+    avatar: typeof claims.picture === "string" ? claims.picture : void 0,
+    owner,
+    claims
+  };
+}
+
+exports.clearJwksCache = clearJwksCache;
+exports.validateToken = validateToken;
+//# sourceMappingURL=auth.cjs.map
+//# sourceMappingURL=auth.cjs.map

package/dist/auth.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth.ts"],"names":["createRemoteJWKSet","jwtVerify"],"mappings":";;;;;AAaA,IAAM,QAAA,uBAAe,GAAA,EAAmD;AAExE,SAAS,cAAc,OAAA,EAAwD;AAC7E,EAAA,IAAI,MAAA,GAAS,QAAA,CAAS,GAAA,CAAI,OAAO,CAAA;AACjC,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAA,GAASA,uBAAA,CAAmB,IAAI,GAAA,CAAI,OAAO,CAAC,CAAA;AAC5C,IAAA,QAAA,CAAS,GAAA,CAAI,SAAS,MAAM,CAAA;AAAA,EAC9B;AACA,EAAA,OAAO,MAAA;AACT;AAGO,SAAS,cAAA,GAAuB;AACrC,EAAA,QAAA,CAAS,KAAA,EAAM;AACjB;AAOA,IAAM,cAAA,uBAAqB,GAAA,EAA6B;AACxD,IAAM,gBAAA,GAAmB,IAAI,EAAA,GAAK,GAAA;AAElC,eAAe,eAAe,SAAA,EAAiE;AAC7F,EAAA,MAAM,OAAA,GAAU,SAAA,CAAU,OAAA,CAAQ,MAAA,EAAQ,EAAE,CAAA;AAC5C,EAAA,MAAM,MAAA,GAAS,cAAA,CAAe,GAAA,CAAI,OAAO,CAAA;AACzC,EAAA,IAAI,UAAU,IAAA,CAAK,GAAA,EAAI,GAAI,MAAA,CAAO,YAAY,gBAAA,EAAkB;AAC9D,IAAA,OAAO,EAAE,OAAA,EAAS,MAAA,CAAO,OAAA,EAAS,MAAA,EAAQ,OAAO,MAAA,EAAO;AAAA,EAC1D;AAEA,EAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,EAAA,MAAM,QAAQ,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,GAAK,CAAA;AACxD,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,CAAA,EAAG,OAAO,CAAA,iCAAA,CAAA,EAAqC;AAAA,MACrE,QAAQ,UAAA,CAAW,MAAA;AAAA,MACnB,OAAA,EAAS,EAAE,MAAA,EAAQ,kBAAA;AAAmB,KACvC,CAAA;AACD,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,GAAA,CAAI,MAAM,CAAA,CAAE,CAAA;AAAA,IACxD;AACA,IAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,IAAA,MAAM,UAAU,IAAA,CAAK,QAAA;AACrB,IAAA,MAAM,MAAA,GAAS,KAAK,MAAA,IAAU,OAAA;AAC9B,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAM,IAAI,MAAM,0CAA0C,CAAA;AAAA,IAC5D;AACA,IAAA,cAAA,CAAe,GAAA,CAAI,SAAS,EAAE,OAAA,EAAS,QAAQ,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,EAAG,CAAA;AACtE,IAAA,OAAO,EAAE,SAAS,MAAA,EAAO;AAAA,EAC3B,CAAA,SAAE;AACA,IAAA,YAAA,CAAa,KAAK,CAAA;AAAA,EACpB;AACF;AAYA,eAAsB,aAAA,CACpB,OACA,MAAA,EACwB;AACxB,EAAA,IAAI,CAAC,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,EAAU;AACvC,IAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,mBAAA,EAAoB;AAAA,EAClD;AAEA,EAAA,IAAI,OAAA;AACJ,EAAA,IAAI,MAAA;AACJ,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,GAAY,MAAM,cAAA,CAAe,MAAA,CAAO,SAAS,CAAA;AACvD,IAAA,OAAA,GAAU,SAAA,CAAU,OAAA;AACpB,IAAA,MAAA,GAAS,SAAA,CAAU,MAAA;AAAA,EACrB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,sBAAA,EAAuB;AAAA,EACrD;AAEA,EAAA,MAAM,MAAA,GAAS,cAAc,OAAO,CAAA;AAEpC,EAAA,IAAI,OAAA;AACJ,EAAA,IAAI;AACF,IAAA,MAAM,MAAA,GAAS,MAAMC,cAAA,CAAU,KAAA,EAAO,MAAA,EAAQ;AAAA,MAC5C,MAAA;AAAA,MACA,UAAU,MAAA,CAAO,QAAA;AAAA,MACjB,cAAA,EAAgB;AAAA;AAAA,KACjB,CAAA;AACD,IAAA,OAAA,GAAU,MAAA,CAAO,OAAA;AAAA,EACnB,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,UAAU,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG,CAAA;AAC/D,IAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,SAAS,CAAA,EAAG;AAC/B,MAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,mBAAA,EAAoB;AAAA,IAClD;AACA,IAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,UAAU,CAAA,EAAG;AAEhC,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,MAAMA,cAAA,CAAU,KAAA,EAAO,MAAA,EAAQ;AAAA,UAC5C,MAAA;AAAA,UACA,cAAA,EAAgB;AAAA,SACjB,CAAA;AACD,QAAA,OAAA,GAAU,MAAA,CAAO,OAAA;AAAA,MACnB,CAAA,CAAA,MAAQ;AACN,QAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,uBAAA,EAAwB;AAAA,MACtD;AAAA,IACF,CAAA,MAAO;AACL,MAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,uBAAA,EAAwB;AAAA,IACtD;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,OAAA;AAGf,EAAA,MAAM,MACJ,MAAA,CAAO,GAAA,KACN,OAAO,MAAA,CAAO,UAAU,QAAA,IAAY,OAAO,MAAA,CAAO,IAAA,KAAS,WACxD,CAAA,EAAG,MAAA,CAAO,KAAK,CAAA,CAAA,EAAI,MAAA,CAAO,IAAI,CAAA,CAAA,GAC9B,MAAA,CAAA;AAEN,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,qBAAA,EAAsB;AAAA,EACpD;AAGA,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,CAAM,GAAG,CAAA;AAC3B,EAAA,MAAM,KAAA,GAAQ,MAAM,MAAA,GAAS,CAAA,GAAI,MAAM,CAAC,CAAA,GAAI,OAAO,OAAA,IAAW,SAAA;AAE9D,EAAA,OAAO;AAAA,IACL,EAAA,EAAI,IAAA;AAAA,IACJ,MAAA,EAAQ,GAAA;AAAA,IACR,OAAO,OAAO,MAAA,CAAO,KAAA,KAAU,QAAA,GAAW,OAAO,KAAA,GAAQ,MAAA;AAAA,IACzD,IAAA,EACE,OAAO,MAAA,CAAO,IAAA,KAAS,QAAA,GACnB,MAAA,CAAO,IAAA,GACP,OAAO,MAAA,CAAO,kBAAA,KAAuB,QAAA,GACnC,MAAA,CAAO,kBAAA,GACP,MAAA;AAAA,IACR,QAAQ,OAAO,MAAA,CAAO,OAAA,KAAY,QAAA,GAAW,OAAO,OAAA,GAAU,MAAA;AAAA,IAC9D,KAAA;AAAA,IACA;AAAA,GACF;AACF","file":"auth.cjs","sourcesContent":["/**\n * JWT validation using jose library + OIDC JWKS discovery.\n *\n * Validates access/ID tokens issued by Hanzo IAM.\n */\n\nimport { createRemoteJWKSet, jwtVerify, type JWTPayload } from \"jose\";\nimport type { IamConfig, IamAuthResult, IamJwtClaims } from \"./types.js\";\n\n// ---------------------------------------------------------------------------\n// JWKS key set cache (per issuer)\n// ---------------------------------------------------------------------------\n\nconst jwksSets = new Map<string, ReturnType<typeof createRemoteJWKSet>>();\n\nfunction getJwksKeySet(jwksUri: string): ReturnType<typeof createRemoteJWKSet> {\n  let keySet = jwksSets.get(jwksUri);\n  if (!keySet) {\n    keySet = createRemoteJWKSet(new URL(jwksUri));\n    jwksSets.set(jwksUri, keySet);\n  }\n  return keySet;\n}\n\n/** Clear cached JWKS key sets (useful for testing or key rotation). */\nexport function clearJwksCache(): void {\n  jwksSets.clear();\n}\n\n// ---------------------------------------------------------------------------\n// OIDC discovery cache (lightweight, no full client needed)\n// ---------------------------------------------------------------------------\n\ntype CachedDiscovery = { jwksUri: string; issuer: string; fetchedAt: number };\nconst discoveryCache = new Map<string, CachedDiscovery>();\nconst DISCOVERY_TTL_MS = 5 * 60 * 1000;\n\nasync function resolveJwksUri(serverUrl: string): Promise<{ jwksUri: string; issuer: string }> {\n  const baseUrl = serverUrl.replace(/\\/+$/, \"\");\n  const cached = discoveryCache.get(baseUrl);\n  if (cached && Date.now() - cached.fetchedAt < DISCOVERY_TTL_MS) {\n    return { jwksUri: cached.jwksUri, issuer: cached.issuer };\n  }\n\n  const controller = new AbortController();\n  const timer = setTimeout(() => controller.abort(), 8_000);\n  try {\n    const res = await fetch(`${baseUrl}/.well-known/openid-configuration`, {\n      signal: controller.signal,\n      headers: { Accept: \"application/json\" },\n    });\n    if (!res.ok) {\n      throw new Error(`OIDC discovery failed: ${res.status}`);\n    }\n    const body = (await res.json()) as { jwks_uri?: string; issuer?: string };\n    const jwksUri = body.jwks_uri;\n    const issuer = body.issuer ?? baseUrl;\n    if (!jwksUri) {\n      throw new Error(\"OIDC discovery response missing jwks_uri\");\n    }\n    discoveryCache.set(baseUrl, { jwksUri, issuer, fetchedAt: Date.now() });\n    return { jwksUri, issuer };\n  } finally {\n    clearTimeout(timer);\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Token validation\n// ---------------------------------------------------------------------------\n\n/**\n * Validate a JWT access token against IAM's JWKS.\n *\n * Uses OIDC discovery to find the JWKS URI, then verifies the token\n * signature, issuer, audience, and expiry using the `jose` library.\n */\nexport async function validateToken(\n  token: string,\n  config: IamConfig,\n): Promise<IamAuthResult> {\n  if (!token || typeof token !== \"string\") {\n    return { ok: false, reason: \"iam_token_missing\" };\n  }\n\n  let jwksUri: string;\n  let issuer: string;\n  try {\n    const discovery = await resolveJwksUri(config.serverUrl);\n    jwksUri = discovery.jwksUri;\n    issuer = discovery.issuer;\n  } catch {\n    return { ok: false, reason: \"iam_discovery_failed\" };\n  }\n\n  const keySet = getJwksKeySet(jwksUri);\n\n  let payload: JWTPayload;\n  try {\n    const result = await jwtVerify(token, keySet, {\n      issuer,\n      audience: config.clientId,\n      clockTolerance: 30, // 30s clock skew\n    });\n    payload = result.payload;\n  } catch (err) {\n    const message = err instanceof Error ? err.message : String(err);\n    if (message.includes(\"expired\")) {\n      return { ok: false, reason: \"iam_token_expired\" };\n    }\n    if (message.includes(\"audience\")) {\n      // Retry without audience check - some IAM configs don't set aud\n      try {\n        const result = await jwtVerify(token, keySet, {\n          issuer,\n          clockTolerance: 30,\n        });\n        payload = result.payload;\n      } catch {\n        return { ok: false, reason: \"iam_signature_invalid\" };\n      }\n    } else {\n      return { ok: false, reason: \"iam_signature_invalid\" };\n    }\n  }\n\n  const claims = payload as unknown as IamJwtClaims;\n\n  // Hanzo IAM tokens may use owner/name instead of sub claim\n  const sub =\n    claims.sub ||\n    (typeof claims.owner === \"string\" && typeof claims.name === \"string\"\n      ? `${claims.owner}/${claims.name}`\n      : undefined);\n\n  if (!sub) {\n    return { ok: false, reason: \"iam_subject_missing\" };\n  }\n\n  // IAM sub format is \"org/username\" - extract owner\n  const parts = sub.split(\"/\");\n  const owner = parts.length > 1 ? parts[0] : config.orgName ?? \"unknown\";\n\n  return {\n    ok: true,\n    userId: sub,\n    email: typeof claims.email === \"string\" ? claims.email : undefined,\n    name:\n      typeof claims.name === \"string\"\n        ? claims.name\n        : typeof claims.preferred_username === \"string\"\n          ? claims.preferred_username\n          : undefined,\n    avatar: typeof claims.picture === \"string\" ? claims.picture : undefined,\n    owner,\n    claims,\n  };\n}\n"]}

package/dist/auth.d.cts

@@ -0,0 +1,19 @@
+import { IamConfig, IamAuthResult } from './types.cjs';
+
+/**
+ * JWT validation using jose library + OIDC JWKS discovery.
+ *
+ * Validates access/ID tokens issued by Hanzo IAM.
+ */
+
+/** Clear cached JWKS key sets (useful for testing or key rotation). */
+declare function clearJwksCache(): void;
+/**
+ * Validate a JWT access token against IAM's JWKS.
+ *
+ * Uses OIDC discovery to find the JWKS URI, then verifies the token
+ * signature, issuer, audience, and expiry using the `jose` library.
+ */
+declare function validateToken(token: string, config: IamConfig): Promise<IamAuthResult>;
+
+export { clearJwksCache, validateToken };

package/dist/auth.d.ts

@@ -1,16 +1,19 @@
+import { IamConfig, IamAuthResult } from './types.js';
+
 /**
  * JWT validation using jose library + OIDC JWKS discovery.
  *
  * Validates access/ID tokens issued by Hanzo IAM.
  */
-import type { IamConfig, IamAuthResult } from "./types.js";
+
 /** Clear cached JWKS key sets (useful for testing or key rotation). */
-export declare function clearJwksCache(): void;
+declare function clearJwksCache(): void;
 /**
  * Validate a JWT access token against IAM's JWKS.
  *
  * Uses OIDC discovery to find the JWKS URI, then verifies the token
  * signature, issuer, audience, and expiry using the `jose` library.
  */
-export declare function validateToken(token: string, config: IamConfig): Promise<IamAuthResult>;
-//# sourceMappingURL=auth.d.ts.map
+declare function validateToken(token: string, config: IamConfig): Promise<IamAuthResult>;
+
+export { clearJwksCache, validateToken };

package/dist/auth.js

@@ -1,135 +1,108 @@
-/**
- * JWT validation using jose library + OIDC JWKS discovery.
- *
- * Validates access/ID tokens issued by Hanzo IAM.
- */
-import { createRemoteJWKSet, jwtVerify } from "jose";
-// ---------------------------------------------------------------------------
-// JWKS key set cache (per issuer)
-// ---------------------------------------------------------------------------
-const jwksSets = new Map();
+import { jwtVerify, createRemoteJWKSet } from 'jose';
+
+// src/auth.ts
+var jwksSets = /* @__PURE__ */ new Map();
 function getJwksKeySet(jwksUri) {
-    let keySet = jwksSets.get(jwksUri);
-    if (!keySet) {
-        keySet = createRemoteJWKSet(new URL(jwksUri));
-        jwksSets.set(jwksUri, keySet);
-    }
-    return keySet;
+  let keySet = jwksSets.get(jwksUri);
+  if (!keySet) {
+    keySet = createRemoteJWKSet(new URL(jwksUri));
+    jwksSets.set(jwksUri, keySet);
+  }
+  return keySet;
 }
-/** Clear cached JWKS key sets (useful for testing or key rotation). */
-export function clearJwksCache() {
-    jwksSets.clear();
+function clearJwksCache() {
+  jwksSets.clear();
 }
-const discoveryCache = new Map();
-const DISCOVERY_TTL_MS = 5 * 60 * 1000;
+var discoveryCache = /* @__PURE__ */ new Map();
+var DISCOVERY_TTL_MS = 5 * 60 * 1e3;
 async function resolveJwksUri(serverUrl) {
-    const baseUrl = serverUrl.replace(/\/+$/, "");
-    const cached = discoveryCache.get(baseUrl);
-    if (cached && Date.now() - cached.fetchedAt < DISCOVERY_TTL_MS) {
-        return { jwksUri: cached.jwksUri, issuer: cached.issuer };
-    }
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), 8_000);
-    try {
-        const res = await fetch(`${baseUrl}/.well-known/openid-configuration`, {
-            signal: controller.signal,
-            headers: { Accept: "application/json" },
-        });
-        if (!res.ok) {
-            throw new Error(`OIDC discovery failed: ${res.status}`);
-        }
-        const body = (await res.json());
-        const jwksUri = body.jwks_uri;
-        const issuer = body.issuer ?? baseUrl;
-        if (!jwksUri) {
-            throw new Error("OIDC discovery response missing jwks_uri");
-        }
-        discoveryCache.set(baseUrl, { jwksUri, issuer, fetchedAt: Date.now() });
-        return { jwksUri, issuer };
+  const baseUrl = serverUrl.replace(/\/+$/, "");
+  const cached = discoveryCache.get(baseUrl);
+  if (cached && Date.now() - cached.fetchedAt < DISCOVERY_TTL_MS) {
+    return { jwksUri: cached.jwksUri, issuer: cached.issuer };
+  }
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), 8e3);
+  try {
+    const res = await fetch(`${baseUrl}/.well-known/openid-configuration`, {
+      signal: controller.signal,
+      headers: { Accept: "application/json" }
+    });
+    if (!res.ok) {
+      throw new Error(`OIDC discovery failed: ${res.status}`);
     }
-    finally {
-        clearTimeout(timer);
+    const body = await res.json();
+    const jwksUri = body.jwks_uri;
+    const issuer = body.issuer ?? baseUrl;
+    if (!jwksUri) {
+      throw new Error("OIDC discovery response missing jwks_uri");
     }
+    discoveryCache.set(baseUrl, { jwksUri, issuer, fetchedAt: Date.now() });
+    return { jwksUri, issuer };
+  } finally {
+    clearTimeout(timer);
+  }
 }
-// ---------------------------------------------------------------------------
-// Token validation
-// ---------------------------------------------------------------------------
-/**
- * Validate a JWT access token against IAM's JWKS.
- *
- * Uses OIDC discovery to find the JWKS URI, then verifies the token
- * signature, issuer, audience, and expiry using the `jose` library.
- */
-export async function validateToken(token, config) {
-    if (!token || typeof token !== "string") {
-        return { ok: false, reason: "iam_token_missing" };
-    }
-    let jwksUri;
-    let issuer;
-    try {
-        const discovery = await resolveJwksUri(config.serverUrl);
-        jwksUri = discovery.jwksUri;
-        issuer = discovery.issuer;
+async function validateToken(token, config) {
+  if (!token || typeof token !== "string") {
+    return { ok: false, reason: "iam_token_missing" };
+  }
+  let jwksUri;
+  let issuer;
+  try {
+    const discovery = await resolveJwksUri(config.serverUrl);
+    jwksUri = discovery.jwksUri;
+    issuer = discovery.issuer;
+  } catch {
+    return { ok: false, reason: "iam_discovery_failed" };
+  }
+  const keySet = getJwksKeySet(jwksUri);
+  let payload;
+  try {
+    const result = await jwtVerify(token, keySet, {
+      issuer,
+      audience: config.clientId,
+      clockTolerance: 30
+      // 30s clock skew
+    });
+    payload = result.payload;
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    if (message.includes("expired")) {
+      return { ok: false, reason: "iam_token_expired" };
     }
-    catch {
-        return { ok: false, reason: "iam_discovery_failed" };
-    }
-    const keySet = getJwksKeySet(jwksUri);
-    let payload;
-    try {
+    if (message.includes("audience")) {
+      try {
         const result = await jwtVerify(token, keySet, {
-            issuer,
-            audience: config.clientId,
-            clockTolerance: 30, // 30s clock skew
+          issuer,
+          clockTolerance: 30
         });
         payload = result.payload;
+      } catch {
+        return { ok: false, reason: "iam_signature_invalid" };
+      }
+    } else {
+      return { ok: false, reason: "iam_signature_invalid" };
     }
-    catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        if (message.includes("expired")) {
-            return { ok: false, reason: "iam_token_expired" };
-        }
-        if (message.includes("audience")) {
-            // Retry without audience check - some IAM configs don't set aud
-            try {
-                const result = await jwtVerify(token, keySet, {
-                    issuer,
-                    clockTolerance: 30,
-                });
-                payload = result.payload;
-            }
-            catch {
-                return { ok: false, reason: "iam_signature_invalid" };
-            }
-        }
-        else {
-            return { ok: false, reason: "iam_signature_invalid" };
-        }
-    }
-    const claims = payload;
-    // Hanzo IAM tokens may use owner/name instead of sub claim
-    const sub = claims.sub ||
-        (typeof claims.owner === "string" && typeof claims.name === "string"
-            ? `${claims.owner}/${claims.name}`
-            : undefined);
-    if (!sub) {
-        return { ok: false, reason: "iam_subject_missing" };
-    }
-    // IAM sub format is "org/username" - extract owner
-    const parts = sub.split("/");
-    const owner = parts.length > 1 ? parts[0] : config.orgName ?? "unknown";
-    return {
-        ok: true,
-        userId: sub,
-        email: typeof claims.email === "string" ? claims.email : undefined,
-        name: typeof claims.name === "string"
-            ? claims.name
-            : typeof claims.preferred_username === "string"
-                ? claims.preferred_username
-                : undefined,
-        avatar: typeof claims.picture === "string" ? claims.picture : undefined,
-        owner,
-        claims,
-    };
+  }
+  const claims = payload;
+  const sub = claims.sub || (typeof claims.owner === "string" && typeof claims.name === "string" ? `${claims.owner}/${claims.name}` : void 0);
+  if (!sub) {
+    return { ok: false, reason: "iam_subject_missing" };
+  }
+  const parts = sub.split("/");
+  const owner = parts.length > 1 ? parts[0] : config.orgName ?? "unknown";
+  return {
+    ok: true,
+    userId: sub,
+    email: typeof claims.email === "string" ? claims.email : void 0,
+    name: typeof claims.name === "string" ? claims.name : typeof claims.preferred_username === "string" ? claims.preferred_username : void 0,
+    avatar: typeof claims.picture === "string" ? claims.picture : void 0,
+    owner,
+    claims
+  };
 }
+
+export { clearJwksCache, validateToken };
+//# sourceMappingURL=auth.js.map
 //# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAmB,MAAM,MAAM,CAAC;AAGtE,8EAA8E;AAC9E,kCAAkC;AAClC,8EAA8E;AAE9E,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAiD,CAAC;AAE1E,SAAS,aAAa,CAAC,OAAe;IACpC,IAAI,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9C,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,cAAc;IAC5B,QAAQ,CAAC,KAAK,EAAE,CAAC;AACnB,CAAC;AAOD,MAAM,cAAc,GAAG,IAAI,GAAG,EAA2B,CAAC;AAC1D,MAAM,gBAAgB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEvC,KAAK,UAAU,cAAc,CAAC,SAAiB;IAC7C,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,gBAAgB,EAAE,CAAC;QAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,KAAK,CAAC,CAAC;IAC1D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,mCAAmC,EAAE;YACrE,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;SACxC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1D,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA2C,CAAC;QAC1E,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC;QACtC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,cAAc,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACxE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAC7B,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,MAAiB;IAEjB,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IACpD,CAAC;IAED,IAAI,OAAe,CAAC;IACpB,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACzD,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC;QAC5B,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IACvD,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAEtC,IAAI,OAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE;YAC5C,MAAM;YACN,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,cAAc,EAAE,EAAE,EAAE,iBAAiB;SACtC,CAAC,CAAC;QACH,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAChC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;QACpD,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACjC,gEAAgE;YAChE,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE;oBAC5C,MAAM;oBACN,cAAc,EAAE,EAAE;iBACnB,CAAC,CAAC;gBACH,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;YAC3B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC;YACxD,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC;QACxD,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,OAAkC,CAAC;IAElD,2DAA2D;IAC3D,MAAM,GAAG,GACP,MAAM,CAAC,GAAG;QACV,CAAC,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ;YAClE,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE;YAClC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEjB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IACtD,CAAC;IAED,mDAAmD;IACnD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,IAAI,SAAS,CAAC;IAExE,OAAO;QACL,EAAE,EAAE,IAAI;QACR,MAAM,EAAE,GAAG;QACX,KAAK,EAAE,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QAClE,IAAI,EACF,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ;YAC7B,CAAC,CAAC,MAAM,CAAC,IAAI;YACb,CAAC,CAAC,OAAO,MAAM,CAAC,kBAAkB,KAAK,QAAQ;gBAC7C,CAAC,CAAC,MAAM,CAAC,kBAAkB;gBAC3B,CAAC,CAAC,SAAS;QACjB,MAAM,EAAE,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;QACvE,KAAK;QACL,MAAM;KACP,CAAC;AACJ,CAAC"}
+{"version":3,"sources":["../src/auth.ts"],"names":[],"mappings":";;;AAaA,IAAM,QAAA,uBAAe,GAAA,EAAmD;AAExE,SAAS,cAAc,OAAA,EAAwD;AAC7E,EAAA,IAAI,MAAA,GAAS,QAAA,CAAS,GAAA,CAAI,OAAO,CAAA;AACjC,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAA,GAAS,kBAAA,CAAmB,IAAI,GAAA,CAAI,OAAO,CAAC,CAAA;AAC5C,IAAA,QAAA,CAAS,GAAA,CAAI,SAAS,MAAM,CAAA;AAAA,EAC9B;AACA,EAAA,OAAO,MAAA;AACT;AAGO,SAAS,cAAA,GAAuB;AACrC,EAAA,QAAA,CAAS,KAAA,EAAM;AACjB;AAOA,IAAM,cAAA,uBAAqB,GAAA,EAA6B;AACxD,IAAM,gBAAA,GAAmB,IAAI,EAAA,GAAK,GAAA;AAElC,eAAe,eAAe,SAAA,EAAiE;AAC7F,EAAA,MAAM,OAAA,GAAU,SAAA,CAAU,OAAA,CAAQ,MAAA,EAAQ,EAAE,CAAA;AAC5C,EAAA,MAAM,MAAA,GAAS,cAAA,CAAe,GAAA,CAAI,OAAO,CAAA;AACzC,EAAA,IAAI,UAAU,IAAA,CAAK,GAAA,EAAI,GAAI,MAAA,CAAO,YAAY,gBAAA,EAAkB;AAC9D,IAAA,OAAO,EAAE,OAAA,EAAS,MAAA,CAAO,OAAA,EAAS,MAAA,EAAQ,OAAO,MAAA,EAAO;AAAA,EAC1D;AAEA,EAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,EAAA,MAAM,QAAQ,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,GAAK,CAAA;AACxD,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,CAAA,EAAG,OAAO,CAAA,iCAAA,CAAA,EAAqC;AAAA,MACrE,QAAQ,UAAA,CAAW,MAAA;AAAA,MACnB,OAAA,EAAS,EAAE,MAAA,EAAQ,kBAAA;AAAmB,KACvC,CAAA;AACD,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,GAAA,CAAI,MAAM,CAAA,CAAE,CAAA;AAAA,IACxD;AACA,IAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,IAAA,MAAM,UAAU,IAAA,CAAK,QAAA;AACrB,IAAA,MAAM,MAAA,GAAS,KAAK,MAAA,IAAU,OAAA;AAC9B,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAM,IAAI,MAAM,0CAA0C,CAAA;AAAA,IAC5D;AACA,IAAA,cAAA,CAAe,GAAA,CAAI,SAAS,EAAE,OAAA,EAAS,QAAQ,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,EAAG,CAAA;AACtE,IAAA,OAAO,EAAE,SAAS,MAAA,EAAO;AAAA,EAC3B,CAAA,SAAE;AACA,IAAA,YAAA,CAAa,KAAK,CAAA;AAAA,EACpB;AACF;AAYA,eAAsB,aAAA,CACpB,OACA,MAAA,EACwB;AACxB,EAAA,IAAI,CAAC,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,EAAU;AACvC,IAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,mBAAA,EAAoB;AAAA,EAClD;AAEA,EAAA,IAAI,OAAA;AACJ,EAAA,IAAI,MAAA;AACJ,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,GAAY,MAAM,cAAA,CAAe,MAAA,CAAO,SAAS,CAAA;AACvD,IAAA,OAAA,GAAU,SAAA,CAAU,OAAA;AACpB,IAAA,MAAA,GAAS,SAAA,CAAU,MAAA;AAAA,EACrB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,sBAAA,EAAuB;AAAA,EACrD;AAEA,EAAA,MAAM,MAAA,GAAS,cAAc,OAAO,CAAA;AAEpC,EAAA,IAAI,OAAA;AACJ,EAAA,IAAI;AACF,IAAA,MAAM,MAAA,GAAS,MAAM,SAAA,CAAU,KAAA,EAAO,MAAA,EAAQ;AAAA,MAC5C,MAAA;AAAA,MACA,UAAU,MAAA,CAAO,QAAA;AAAA,MACjB,cAAA,EAAgB;AAAA;AAAA,KACjB,CAAA;AACD,IAAA,OAAA,GAAU,MAAA,CAAO,OAAA;AAAA,EACnB,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,UAAU,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG,CAAA;AAC/D,IAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,SAAS,CAAA,EAAG;AAC/B,MAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,mBAAA,EAAoB;AAAA,IAClD;AACA,IAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,UAAU,CAAA,EAAG;AAEhC,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,MAAM,SAAA,CAAU,KAAA,EAAO,MAAA,EAAQ;AAAA,UAC5C,MAAA;AAAA,UACA,cAAA,EAAgB;AAAA,SACjB,CAAA;AACD,QAAA,OAAA,GAAU,MAAA,CAAO,OAAA;AAAA,MACnB,CAAA,CAAA,MAAQ;AACN,QAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,uBAAA,EAAwB;AAAA,MACtD;AAAA,IACF,CAAA,MAAO;AACL,MAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,uBAAA,EAAwB;AAAA,IACtD;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,OAAA;AAGf,EAAA,MAAM,MACJ,MAAA,CAAO,GAAA,KACN,OAAO,MAAA,CAAO,UAAU,QAAA,IAAY,OAAO,MAAA,CAAO,IAAA,KAAS,WACxD,CAAA,EAAG,MAAA,CAAO,KAAK,CAAA,CAAA,EAAI,MAAA,CAAO,IAAI,CAAA,CAAA,GAC9B,MAAA,CAAA;AAEN,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,OAAO,EAAE,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,qBAAA,EAAsB;AAAA,EACpD;AAGA,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,CAAM,GAAG,CAAA;AAC3B,EAAA,MAAM,KAAA,GAAQ,MAAM,MAAA,GAAS,CAAA,GAAI,MAAM,CAAC,CAAA,GAAI,OAAO,OAAA,IAAW,SAAA;AAE9D,EAAA,OAAO;AAAA,IACL,EAAA,EAAI,IAAA;AAAA,IACJ,MAAA,EAAQ,GAAA;AAAA,IACR,OAAO,OAAO,MAAA,CAAO,KAAA,KAAU,QAAA,GAAW,OAAO,KAAA,GAAQ,MAAA;AAAA,IACzD,IAAA,EACE,OAAO,MAAA,CAAO,IAAA,KAAS,QAAA,GACnB,MAAA,CAAO,IAAA,GACP,OAAO,MAAA,CAAO,kBAAA,KAAuB,QAAA,GACnC,MAAA,CAAO,kBAAA,GACP,MAAA;AAAA,IACR,QAAQ,OAAO,MAAA,CAAO,OAAA,KAAY,QAAA,GAAW,OAAO,OAAA,GAAU,MAAA;AAAA,IAC9D,KAAA;AAAA,IACA;AAAA,GACF;AACF","file":"auth.js","sourcesContent":["/**\n * JWT validation using jose library + OIDC JWKS discovery.\n *\n * Validates access/ID tokens issued by Hanzo IAM.\n */\n\nimport { createRemoteJWKSet, jwtVerify, type JWTPayload } from \"jose\";\nimport type { IamConfig, IamAuthResult, IamJwtClaims } from \"./types.js\";\n\n// ---------------------------------------------------------------------------\n// JWKS key set cache (per issuer)\n// ---------------------------------------------------------------------------\n\nconst jwksSets = new Map<string, ReturnType<typeof createRemoteJWKSet>>();\n\nfunction getJwksKeySet(jwksUri: string): ReturnType<typeof createRemoteJWKSet> {\n  let keySet = jwksSets.get(jwksUri);\n  if (!keySet) {\n    keySet = createRemoteJWKSet(new URL(jwksUri));\n    jwksSets.set(jwksUri, keySet);\n  }\n  return keySet;\n}\n\n/** Clear cached JWKS key sets (useful for testing or key rotation). */\nexport function clearJwksCache(): void {\n  jwksSets.clear();\n}\n\n// ---------------------------------------------------------------------------\n// OIDC discovery cache (lightweight, no full client needed)\n// ---------------------------------------------------------------------------\n\ntype CachedDiscovery = { jwksUri: string; issuer: string; fetchedAt: number };\nconst discoveryCache = new Map<string, CachedDiscovery>();\nconst DISCOVERY_TTL_MS = 5 * 60 * 1000;\n\nasync function resolveJwksUri(serverUrl: string): Promise<{ jwksUri: string; issuer: string }> {\n  const baseUrl = serverUrl.replace(/\\/+$/, \"\");\n  const cached = discoveryCache.get(baseUrl);\n  if (cached && Date.now() - cached.fetchedAt < DISCOVERY_TTL_MS) {\n    return { jwksUri: cached.jwksUri, issuer: cached.issuer };\n  }\n\n  const controller = new AbortController();\n  const timer = setTimeout(() => controller.abort(), 8_000);\n  try {\n    const res = await fetch(`${baseUrl}/.well-known/openid-configuration`, {\n      signal: controller.signal,\n      headers: { Accept: \"application/json\" },\n    });\n    if (!res.ok) {\n      throw new Error(`OIDC discovery failed: ${res.status}`);\n    }\n    const body = (await res.json()) as { jwks_uri?: string; issuer?: string };\n    const jwksUri = body.jwks_uri;\n    const issuer = body.issuer ?? baseUrl;\n    if (!jwksUri) {\n      throw new Error(\"OIDC discovery response missing jwks_uri\");\n    }\n    discoveryCache.set(baseUrl, { jwksUri, issuer, fetchedAt: Date.now() });\n    return { jwksUri, issuer };\n  } finally {\n    clearTimeout(timer);\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Token validation\n// ---------------------------------------------------------------------------\n\n/**\n * Validate a JWT access token against IAM's JWKS.\n *\n * Uses OIDC discovery to find the JWKS URI, then verifies the token\n * signature, issuer, audience, and expiry using the `jose` library.\n */\nexport async function validateToken(\n  token: string,\n  config: IamConfig,\n): Promise<IamAuthResult> {\n  if (!token || typeof token !== \"string\") {\n    return { ok: false, reason: \"iam_token_missing\" };\n  }\n\n  let jwksUri: string;\n  let issuer: string;\n  try {\n    const discovery = await resolveJwksUri(config.serverUrl);\n    jwksUri = discovery.jwksUri;\n    issuer = discovery.issuer;\n  } catch {\n    return { ok: false, reason: \"iam_discovery_failed\" };\n  }\n\n  const keySet = getJwksKeySet(jwksUri);\n\n  let payload: JWTPayload;\n  try {\n    const result = await jwtVerify(token, keySet, {\n      issuer,\n      audience: config.clientId,\n      clockTolerance: 30, // 30s clock skew\n    });\n    payload = result.payload;\n  } catch (err) {\n    const message = err instanceof Error ? err.message : String(err);\n    if (message.includes(\"expired\")) {\n      return { ok: false, reason: \"iam_token_expired\" };\n    }\n    if (message.includes(\"audience\")) {\n      // Retry without audience check - some IAM configs don't set aud\n      try {\n        const result = await jwtVerify(token, keySet, {\n          issuer,\n          clockTolerance: 30,\n        });\n        payload = result.payload;\n      } catch {\n        return { ok: false, reason: \"iam_signature_invalid\" };\n      }\n    } else {\n      return { ok: false, reason: \"iam_signature_invalid\" };\n    }\n  }\n\n  const claims = payload as unknown as IamJwtClaims;\n\n  // Hanzo IAM tokens may use owner/name instead of sub claim\n  const sub =\n    claims.sub ||\n    (typeof claims.owner === \"string\" && typeof claims.name === \"string\"\n      ? `${claims.owner}/${claims.name}`\n      : undefined);\n\n  if (!sub) {\n    return { ok: false, reason: \"iam_subject_missing\" };\n  }\n\n  // IAM sub format is \"org/username\" - extract owner\n  const parts = sub.split(\"/\");\n  const owner = parts.length > 1 ? parts[0] : config.orgName ?? \"unknown\";\n\n  return {\n    ok: true,\n    userId: sub,\n    email: typeof claims.email === \"string\" ? claims.email : undefined,\n    name:\n      typeof claims.name === \"string\"\n        ? claims.name\n        : typeof claims.preferred_username === \"string\"\n          ? claims.preferred_username\n          : undefined,\n    avatar: typeof claims.picture === \"string\" ? claims.picture : undefined,\n    owner,\n    claims,\n  };\n}\n"]}

package/dist/betterauth.cjs

@@ -0,0 +1,34 @@
+'use strict';
+
+// src/betterauth.ts
+function iamProvider(config) {
+  const baseUrl = config.serverUrl.replace(/\/+$/, "");
+  return {
+    id: "iam",
+    name: "IAM",
+    type: "oidc",
+    issuer: baseUrl,
+    clientId: config.clientId,
+    clientSecret: config.clientSecret,
+    authorization: {
+      url: `${baseUrl}/oauth/authorize`,
+      params: { scope: "openid profile email" }
+    },
+    token: { url: `${baseUrl}/oauth/token` },
+    userinfo: { url: `${baseUrl}/oauth/userinfo` },
+    profile(profile) {
+      return {
+        id: profile.sub ?? profile.id ?? "",
+        name: profile.displayName ?? profile.name ?? profile.preferred_username ?? "",
+        email: profile.email ?? "",
+        image: profile.avatar ?? profile.picture ?? null
+      };
+    }
+  };
+}
+
+exports.hanzoIamProvider = iamProvider;
+exports.hanzoIamSocialProvider = iamProvider;
+exports.iamProvider = iamProvider;
+//# sourceMappingURL=betterauth.cjs.map
+//# sourceMappingURL=betterauth.cjs.map

package/dist/betterauth.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/betterauth.ts"],"names":[],"mappings":";;;AAmDO,SAAS,YACd,MAAA,EACmB;AACnB,EAAA,MAAM,OAAA,GAAU,MAAA,CAAO,SAAA,CAAU,OAAA,CAAQ,QAAQ,EAAE,CAAA;AAEnD,EAAA,OAAO;AAAA,IACL,EAAA,EAAI,KAAA;AAAA,IACJ,IAAA,EAAM,KAAA;AAAA,IACN,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,OAAA;AAAA,IACR,UAAU,MAAA,CAAO,QAAA;AAAA,IACjB,cAAc,MAAA,CAAO,YAAA;AAAA,IACrB,aAAA,EAAe;AAAA,MACb,GAAA,EAAK,GAAG,OAAO,CAAA,gBAAA,CAAA;AAAA,MACf,MAAA,EAAQ,EAAE,KAAA,EAAO,sBAAA;AAAuB,KAC1C;AAAA,IACA,KAAA,EAAO,EAAE,GAAA,EAAK,CAAA,EAAG,OAAO,CAAA,YAAA,CAAA,EAAe;AAAA,IACvC,QAAA,EAAU,EAAE,GAAA,EAAK,CAAA,EAAG,OAAO,CAAA,eAAA,CAAA,EAAkB;AAAA,IAC7C,QAAQ,OAAA,EAAkC;AACxC,MAAA,OAAO;AAAA,QACL,EAAA,EAAK,OAAA,CAAQ,GAAA,IAAmB,OAAA,CAAQ,EAAA,IAAiB,EAAA;AAAA,QACzD,MACG,OAAA,CAAQ,WAAA,IACR,OAAA,CAAQ,IAAA,IACR,QAAQ,kBAAA,IACT,EAAA;AAAA,QACF,KAAA,EAAQ,QAAQ,KAAA,IAAoB,EAAA;AAAA,QACpC,KAAA,EAAQ,OAAA,CAAQ,MAAA,IAAsB,OAAA,CAAQ,OAAA,IAAsB;AAAA,OACtE;AAAA,IACF;AAAA,GACF;AACF","file":"betterauth.cjs","sourcesContent":["/**\n * BetterAuth SSO provider configuration for IAM.\n *\n * Returns a provider config object compatible with BetterAuth's\n * `socialProviders` or generic OAuth plugin.\n *\n * @example\n * ```ts\n * import { betterAuth } from \"better-auth\";\n * import { iamProvider } from \"@hanzo/iam/betterauth\";\n *\n * export const auth = betterAuth({\n *   socialProviders: [\n *     iamProvider({\n *       serverUrl: process.env.IAM_SERVER_URL!,\n *       clientId: process.env.IAM_CLIENT_ID!,\n *       clientSecret: process.env.IAM_CLIENT_SECRET!,\n *     }),\n *   ],\n * });\n * ```\n *\n * @packageDocumentation\n */\n\nimport type { IamConfig } from \"./types.js\";\n\nexport interface IamSocialProvider {\n  id: string;\n  name: string;\n  type: \"oidc\";\n  issuer: string;\n  clientId: string;\n  clientSecret?: string;\n  authorization: { url: string; params: { scope: string } };\n  token: { url: string };\n  userinfo: { url: string };\n  profile: (profile: Record<string, unknown>) => {\n    id: string;\n    name: string;\n    email: string;\n    image: string | null;\n  };\n}\n\n/**\n * Create a BetterAuth-compatible social provider for IAM.\n *\n * Works with BetterAuth's SSO plugin or generic OAuth integration.\n * Uses standard OIDC endpoints.\n */\nexport function iamProvider(\n  config: IamConfig & { redirectUri?: string },\n): IamSocialProvider {\n  const baseUrl = config.serverUrl.replace(/\\/+$/, \"\");\n\n  return {\n    id: \"iam\",\n    name: \"IAM\",\n    type: \"oidc\",\n    issuer: baseUrl,\n    clientId: config.clientId,\n    clientSecret: config.clientSecret,\n    authorization: {\n      url: `${baseUrl}/oauth/authorize`,\n      params: { scope: \"openid profile email\" },\n    },\n    token: { url: `${baseUrl}/oauth/token` },\n    userinfo: { url: `${baseUrl}/oauth/userinfo` },\n    profile(profile: Record<string, unknown>) {\n      return {\n        id: (profile.sub as string) ?? (profile.id as string) ?? \"\",\n        name:\n          (profile.displayName as string) ??\n          (profile.name as string) ??\n          (profile.preferred_username as string) ??\n          \"\",\n        email: (profile.email as string) ?? \"\",\n        image: (profile.avatar as string) ?? (profile.picture as string) ?? null,\n      };\n    },\n  };\n}\n\n// Backwards-compatible aliases\n/** @deprecated Use iamProvider instead */\nexport { iamProvider as hanzoIamProvider };\n/** @deprecated Use iamProvider instead */\nexport { iamProvider as hanzoIamSocialProvider };\n/** @deprecated Use IamSocialProvider instead */\nexport type { IamSocialProvider as HanzoIamSocialProvider };\n"]}

package/dist/betterauth.d.cts

@@ -0,0 +1,64 @@
+import { IamConfig } from './types.cjs';
+
+/**
+ * BetterAuth SSO provider configuration for IAM.
+ *
+ * Returns a provider config object compatible with BetterAuth's
+ * `socialProviders` or generic OAuth plugin.
+ *
+ * @example
+ * ```ts
+ * import { betterAuth } from "better-auth";
+ * import { iamProvider } from "@hanzo/iam/betterauth";
+ *
+ * export const auth = betterAuth({
+ *   socialProviders: [
+ *     iamProvider({
+ *       serverUrl: process.env.IAM_SERVER_URL!,
+ *       clientId: process.env.IAM_CLIENT_ID!,
+ *       clientSecret: process.env.IAM_CLIENT_SECRET!,
+ *     }),
+ *   ],
+ * });
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+interface IamSocialProvider {
+    id: string;
+    name: string;
+    type: "oidc";
+    issuer: string;
+    clientId: string;
+    clientSecret?: string;
+    authorization: {
+        url: string;
+        params: {
+            scope: string;
+        };
+    };
+    token: {
+        url: string;
+    };
+    userinfo: {
+        url: string;
+    };
+    profile: (profile: Record<string, unknown>) => {
+        id: string;
+        name: string;
+        email: string;
+        image: string | null;
+    };
+}
+/**
+ * Create a BetterAuth-compatible social provider for IAM.
+ *
+ * Works with BetterAuth's SSO plugin or generic OAuth integration.
+ * Uses standard OIDC endpoints.
+ */
+declare function iamProvider(config: IamConfig & {
+    redirectUri?: string;
+}): IamSocialProvider;
+
+export { type IamSocialProvider as HanzoIamSocialProvider, type IamSocialProvider, iamProvider as hanzoIamProvider, iamProvider as hanzoIamSocialProvider, iamProvider };

package/dist/betterauth.d.ts

@@ -1,3 +1,5 @@
+import { IamConfig } from './types.js';
+
 /**
  * BetterAuth SSO provider configuration for IAM.
  *
@@ -22,8 +24,8 @@
  *
  * @packageDocumentation
  */
-import type { IamConfig } from "./types.js";
-export interface IamSocialProvider {
+
+interface IamSocialProvider {
     id: string;
     name: string;
     type: "oidc";
@@ -55,13 +57,8 @@ export interface IamSocialProvider {
  * Works with BetterAuth's SSO plugin or generic OAuth integration.
  * Uses standard OIDC endpoints.
  */
-export declare function iamProvider(config: IamConfig & {
+declare function iamProvider(config: IamConfig & {
     redirectUri?: string;
 }): IamSocialProvider;
-/** @deprecated Use iamProvider instead */
-export { iamProvider as hanzoIamProvider };
-/** @deprecated Use iamProvider instead */
-export { iamProvider as hanzoIamSocialProvider };
-/** @deprecated Use IamSocialProvider instead */
-export type { IamSocialProvider as HanzoIamSocialProvider };
-//# sourceMappingURL=betterauth.d.ts.map
+
+export { type IamSocialProvider as HanzoIamSocialProvider, type IamSocialProvider, iamProvider as hanzoIamProvider, iamProvider as hanzoIamSocialProvider, iamProvider };