@hypercerts-org/sdk-core 0.10.0-beta.4 → 0.10.0-beta.6

package/dist/types.mjs

@@ -2,26 +2,67 @@ import { z } from 'zod';
 export { BlobRef } from '@atproto/lexicon';
 import '@hypercerts-org/lexicon';
 
+/**
+ * Custom URL validator that allows HTTP loopback addresses for development.
+ *
+ * Accepts:
+ * - Any HTTPS URL (production)
+ * - http://localhost (with optional port and path)
+ * - http://127.0.0.1 (with optional port and path)
+ * - http://[::1] (with optional port and path) - IPv6 loopback
+ *
+ * Rejects:
+ * - Other HTTP URLs (e.g., http://example.com)
+ * - Invalid URLs
+ *
+ * @internal
+ */
+const urlOrLoopback = z.string().refine((value) => {
+    try {
+        const url = new URL(value);
+        // Always allow HTTPS
+        if (url.protocol === "https:") {
+            return true;
+        }
+        // For HTTP, only allow loopback addresses
+        if (url.protocol === "http:") {
+            const hostname = url.hostname.toLowerCase();
+            return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
+        }
+        return false;
+    }
+    catch {
+        return false;
+    }
+}, {
+    message: "Must be a valid HTTPS URL or HTTP loopback URL (localhost, 127.0.0.1, [::1])",
+});
 /**
  * Zod schema for OAuth configuration validation.
  *
  * @remarks
- * All URLs must be valid and use HTTPS in production. The `jwkPrivate` field
- * should contain the private key in JWK (JSON Web Key) format as a string.
+ * All URLs must be valid and use HTTPS in production. For local development,
+ * HTTP loopback URLs (localhost, 127.0.0.1, [::1]) are allowed.
+ * The `jwkPrivate` field should contain the private key in JWK (JSON Web Key) format as a string.
  */
 const OAuthConfigSchema = z.object({
     /**
      * URL to the OAuth client metadata JSON document.
      * This document describes your application to the authorization server.
      *
+     * For local development, you can use `http://localhost/` as a loopback client.
+     *
      * @see https://atproto.com/specs/oauth#client-metadata
      */
-    clientId: z.string().url(),
+    clientId: urlOrLoopback,
     /**
      * URL where users are redirected after authentication.
      * Must match one of the redirect URIs in your client metadata.
+     *
+     * For local development, you can use HTTP loopback URLs like
+     * `http://127.0.0.1:3000/callback` or `http://localhost:3000/callback`.
      */
-    redirectUri: z.string().url(),
+    redirectUri: urlOrLoopback,
     /**
      * OAuth scopes to request, space-separated.
      *
@@ -55,8 +96,11 @@ const OAuthConfigSchema = z.object({
     /**
      * URL to your public JWKS (JSON Web Key Set) endpoint.
      * Used by the authorization server to verify your client's signatures.
+     *
+     * For local development, you can serve JWKS from a loopback URL like
+     * `http://127.0.0.1:3000/.well-known/jwks.json`.
      */
-    jwksUri: z.string().url(),
+    jwksUri: urlOrLoopback,
     /**
      * Private JWK (JSON Web Key) as a JSON string.
      * Used for signing DPoP proofs and client assertions.
@@ -66,28 +110,64 @@ const OAuthConfigSchema = z.object({
      * Typically loaded from environment variables or a secrets manager.
      */
     jwkPrivate: z.string(),
+    /**
+     * Enable development mode features (optional).
+     *
+     * When true, suppresses warnings about using HTTP loopback URLs.
+     * Should be set to true for local development to reduce console noise.
+     *
+     * @default false
+     *
+     * @example
+     * ```typescript
+     * oauth: {
+     *   clientId: "http://localhost/",
+     *   redirectUri: "http://127.0.0.1:3000/callback",
+     *   // ... other config
+     *   developmentMode: true, // Suppress loopback warnings
+     * }
+     * ```
+     */
+    developmentMode: z.boolean().optional(),
 });
 /**
  * Zod schema for server URL configuration.
  *
  * @remarks
  * At least one server (PDS or SDS) should be configured for the SDK to be useful.
+ * For local development, HTTP loopback URLs are allowed.
  */
 const ServerConfigSchema = z.object({
     /**
      * Personal Data Server URL - the user's own AT Protocol server.
      * This is the primary server for user data operations.
      *
-     * @example "https://bsky.social"
+     * @example Production
+     * ```typescript
+     * pds: "https://bsky.social"
+     * ```
+     *
+     * @example Local development
+     * ```typescript
+     * pds: "http://localhost:2583"
+     * ```
      */
-    pds: z.string().url().optional(),
+    pds: urlOrLoopback.optional(),
     /**
      * Shared Data Server URL - for collaborative data storage.
      * Required for collaborator and organization operations.
      *
-     * @example "https://sds.hypercerts.org"
+     * @example Production
+     * ```typescript
+     * sds: "https://sds.hypercerts.org"
+     * ```
+     *
+     * @example Local development
+     * ```typescript
+     * sds: "http://127.0.0.1:2584"
+     * ```
      */
-    sds: z.string().url().optional(),
+    sds: urlOrLoopback.optional(),
 });
 /**
  * Zod schema for timeout configuration.

package/dist/types.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"types.mjs","sources":["../src/core/config.ts","../src/core/types.ts"],"sourcesContent":["import { z } from \"zod\";\nimport type { SessionStore, StateStore, CacheInterface, LoggerInterface } from \"./interfaces.js\";\n\n/**\n * Zod schema for OAuth configuration validation.\n *\n * @remarks\n * All URLs must be valid and use HTTPS in production. The `jwkPrivate` field\n * should contain the private key in JWK (JSON Web Key) format as a string.\n */\nexport const OAuthConfigSchema = z.object({\n  /**\n   * URL to the OAuth client metadata JSON document.\n   * This document describes your application to the authorization server.\n   *\n   * @see https://atproto.com/specs/oauth#client-metadata\n   */\n  clientId: z.string().url(),\n\n  /**\n   * URL where users are redirected after authentication.\n   * Must match one of the redirect URIs in your client metadata.\n   */\n  redirectUri: z.string().url(),\n\n  /**\n   * OAuth scopes to request, space-separated.\n   *\n   * Can be a string of space-separated permissions or use the permission system:\n   *\n   * @example Using presets\n   * ```typescript\n   * import { ScopePresets } from '@hypercerts-org/sdk-core';\n   * scope: ScopePresets.EMAIL_AND_PROFILE\n   * ```\n   *\n   * @example Building custom scopes\n   * ```typescript\n   * import { PermissionBuilder, buildScope } from '@hypercerts-org/sdk-core';\n   * scope: buildScope(\n   *   new PermissionBuilder()\n   *     .accountEmail('read')\n   *     .repoWrite('app.bsky.feed.post')\n   *     .build()\n   * )\n   * ```\n   *\n   * @example Legacy scopes\n   * ```typescript\n   * scope: \"atproto transition:generic\"\n   * ```\n   *\n   * @see https://atproto.com/specs/permission for permission details\n   */\n  scope: z.string().min(1, \"OAuth scope is required\"),\n\n  /**\n   * URL to your public JWKS (JSON Web Key Set) endpoint.\n   * Used by the authorization server to verify your client's signatures.\n   */\n  jwksUri: z.string().url(),\n\n  /**\n   * Private JWK (JSON Web Key) as a JSON string.\n   * Used for signing DPoP proofs and client assertions.\n   *\n   * @remarks\n   * This should be kept secret and never exposed to clients.\n   * Typically loaded from environment variables or a secrets manager.\n   */\n  jwkPrivate: z.string(),\n});\n\n/**\n * Zod schema for server URL configuration.\n *\n * @remarks\n * At least one server (PDS or SDS) should be configured for the SDK to be useful.\n */\nexport const ServerConfigSchema = z.object({\n  /**\n   * Personal Data Server URL - the user's own AT Protocol server.\n   * This is the primary server for user data operations.\n   *\n   * @example \"https://bsky.social\"\n   */\n  pds: z.string().url().optional(),\n\n  /**\n   * Shared Data Server URL - for collaborative data storage.\n   * Required for collaborator and organization operations.\n   *\n   * @example \"https://sds.hypercerts.org\"\n   */\n  sds: z.string().url().optional(),\n});\n\n/**\n * Zod schema for timeout configuration.\n *\n * @remarks\n * All timeout values are in milliseconds.\n */\nexport const TimeoutConfigSchema = z.object({\n  /**\n   * Timeout for fetching PDS metadata during identity resolution.\n   * @default 5000 (5 seconds, set by OAuthClient)\n   */\n  pdsMetadata: z.number().positive().optional(),\n\n  /**\n   * Timeout for general API requests to PDS/SDS.\n   * @default 30000 (30 seconds)\n   */\n  apiRequests: z.number().positive().optional(),\n});\n\n/**\n * Zod schema for SDK configuration validation.\n *\n * @remarks\n * This schema validates only the primitive/serializable parts of the configuration.\n * Storage interfaces ({@link SessionStore}, {@link StateStore}) cannot be validated\n * with Zod as they are runtime objects.\n */\nexport const ATProtoSDKConfigSchema = z.object({\n  oauth: OAuthConfigSchema,\n  servers: ServerConfigSchema.optional(),\n  timeouts: TimeoutConfigSchema.optional(),\n});\n\n/**\n * Configuration options for the ATProto SDK.\n *\n * This interface defines all configuration needed to initialize the SDK,\n * including OAuth credentials, server endpoints, and optional customizations.\n *\n * @example Minimal configuration\n * ```typescript\n * const config: ATProtoSDKConfig = {\n *   oauth: {\n *     clientId: \"https://my-app.com/client-metadata.json\",\n *     redirectUri: \"https://my-app.com/callback\",\n *     scope: \"atproto transition:generic\",\n *     jwksUri: \"https://my-app.com/.well-known/jwks.json\",\n *     jwkPrivate: process.env.JWK_PRIVATE_KEY!,\n *   },\n *   servers: {\n *     pds: \"https://bsky.social\",\n *   },\n * };\n * ```\n *\n * @example Full configuration with custom storage\n * ```typescript\n * const config: ATProtoSDKConfig = {\n *   oauth: { ... },\n *   servers: {\n *     pds: \"https://bsky.social\",\n *     sds: \"https://sds.hypercerts.org\",\n *   },\n *   storage: {\n *     sessionStore: new RedisSessionStore(redisClient),\n *     stateStore: new RedisStateStore(redisClient),\n *   },\n *   timeouts: {\n *     pdsMetadata: 5000,\n *     apiRequests: 30000,\n *   },\n *   logger: console,\n * };\n * ```\n */\nexport interface ATProtoSDKConfig {\n  /**\n   * OAuth 2.0 configuration for authentication.\n   *\n   * Required fields for the OAuth flow with DPoP (Demonstrating Proof of Possession).\n   * Your application must host the client metadata and JWKS endpoints.\n   *\n   * @see https://atproto.com/specs/oauth for AT Protocol OAuth specification\n   */\n  oauth: z.infer<typeof OAuthConfigSchema>;\n\n  /**\n   * Server URLs for PDS and SDS connections.\n   *\n   * - **PDS**: Personal Data Server - user's own data storage\n   * - **SDS**: Shared Data Server - collaborative storage with access control\n   */\n  servers?: z.infer<typeof ServerConfigSchema>;\n\n  /**\n   * Storage adapters for persisting OAuth sessions and state.\n   *\n   * If not provided, in-memory implementations are used automatically.\n   * **Warning**: In-memory storage is lost on process restart - use persistent\n   * storage (Redis, database, etc.) in production.\n   *\n   * @example\n   * ```typescript\n   * storage: {\n   *   sessionStore: new RedisSessionStore(redis),\n   *   stateStore: new RedisStateStore(redis),\n   * }\n   * ```\n   */\n  storage?: {\n    /**\n     * Persistent storage for OAuth sessions.\n     * Sessions contain access tokens, refresh tokens, and DPoP keys.\n     */\n    sessionStore?: SessionStore;\n\n    /**\n     * Temporary storage for OAuth state during the authorization flow.\n     * State is short-lived and used for PKCE and CSRF protection.\n     */\n    stateStore?: StateStore;\n  };\n\n  /**\n   * Custom fetch implementation for HTTP requests.\n   *\n   * Use this to add custom headers, logging, or to use a different HTTP client.\n   * Must be compatible with the standard Fetch API.\n   *\n   * @example\n   * ```typescript\n   * fetch: async (url, init) => {\n   *   console.log(`Fetching: ${url}`);\n   *   return globalThis.fetch(url, init);\n   * }\n   * ```\n   */\n  fetch?: typeof fetch;\n\n  /**\n   * Timeout configuration for network requests.\n   * Values are in milliseconds.\n   */\n  timeouts?: z.infer<typeof TimeoutConfigSchema>;\n\n  /**\n   * Cache for profiles, metadata, and other frequently accessed data.\n   *\n   * Implementing caching can significantly reduce API calls and improve performance.\n   * The SDK does not provide a default cache - you must implement {@link CacheInterface}.\n   */\n  cache?: CacheInterface;\n\n  /**\n   * Logger for debugging and observability.\n   *\n   * The logger receives debug, info, warn, and error messages from the SDK.\n   * Compatible with `console` or any logger implementing {@link LoggerInterface}.\n   *\n   * @example\n   * ```typescript\n   * logger: console\n   * // or\n   * logger: pino()\n   * // or\n   * logger: winston.createLogger({ ... })\n   * ```\n   */\n  logger?: LoggerInterface;\n}\n","import type { OAuthSession } from \"@atproto/oauth-client-node\";\nimport { z } from \"zod\";\n\n/**\n * Decentralized Identifier (DID) - a unique, persistent identifier for AT Protocol users.\n *\n * DIDs are the canonical identifier for users in the AT Protocol ecosystem.\n * Unlike handles which can change, DIDs remain constant for the lifetime of an account.\n *\n * @remarks\n * AT Protocol supports multiple DID methods:\n * - `did:plc:` - PLC (Public Ledger of Credentials) DIDs, most common for Bluesky users\n * - `did:web:` - Web DIDs, resolved via HTTPS\n *\n * @example\n * ```typescript\n * const did: DID = \"did:plc:ewvi7nxzyoun6zhxrhs64oiz\";\n * const webDid: DID = \"did:web:example.com\";\n * ```\n *\n * @see https://atproto.com/specs/did for DID specification\n */\nexport type DID = string;\n\n/**\n * OAuth session with DPoP (Demonstrating Proof of Possession) support.\n *\n * This type represents an authenticated user session. It wraps the\n * `@atproto/oauth-client-node` OAuthSession and contains:\n * - Access token for API requests\n * - Refresh token for obtaining new access tokens\n * - DPoP key pair for proof-of-possession\n * - User's DID and other identity information\n *\n * @remarks\n * Sessions are managed by the SDK and automatically refresh when tokens expire.\n * Store the user's DID to restore sessions later with {@link ATProtoSDK.restoreSession}.\n *\n * Key properties from OAuthSession:\n * - `did` or `sub`: The user's DID\n * - `handle`: The user's handle (e.g., \"user.bsky.social\")\n *\n * @example\n * ```typescript\n * const session = await sdk.callback(params);\n *\n * // Access user identity\n * console.log(`Logged in as: ${session.did}`);\n *\n * // Use session for repository operations\n * const repo = sdk.repository(session);\n * ```\n *\n * @see https://atproto.com/specs/oauth for OAuth specification\n */\nexport type Session = OAuthSession;\n\n/**\n * Zod schema for collaborator permissions in SDS repositories.\n *\n * Defines the granular permissions a collaborator can have on a shared repository.\n * Permissions follow a hierarchical model where higher-level permissions\n * typically imply lower-level ones.\n */\nexport const CollaboratorPermissionsSchema = z.object({\n  /**\n   * Can read/view records in the repository.\n   * This is the most basic permission level.\n   */\n  read: z.boolean(),\n\n  /**\n   * Can create new records in the repository.\n   * Typically implies `read` permission.\n   */\n  create: z.boolean(),\n\n  /**\n   * Can modify existing records in the repository.\n   * Typically implies `read` and `create` permissions.\n   */\n  update: z.boolean(),\n\n  /**\n   * Can delete records from the repository.\n   * Typically implies `read`, `create`, and `update` permissions.\n   */\n  delete: z.boolean(),\n\n  /**\n   * Can manage collaborators and their permissions.\n   * Administrative permission that allows inviting/removing collaborators.\n   */\n  admin: z.boolean(),\n\n  /**\n   * Full ownership of the repository.\n   * Owners have all permissions and cannot be removed by other admins.\n   * There must always be at least one owner.\n   */\n  owner: z.boolean(),\n});\n\n/**\n * Collaborator permissions for SDS (Shared Data Server) repositories.\n *\n * These permissions control what actions a collaborator can perform\n * on records within a shared repository.\n *\n * @example\n * ```typescript\n * // Read-only collaborator\n * const readOnlyPerms: CollaboratorPermissions = {\n *   read: true,\n *   create: false,\n *   update: false,\n *   delete: false,\n *   admin: false,\n *   owner: false,\n * };\n *\n * // Editor collaborator\n * const editorPerms: CollaboratorPermissions = {\n *   read: true,\n *   create: true,\n *   update: true,\n *   delete: false,\n *   admin: false,\n *   owner: false,\n * };\n *\n * // Admin collaborator\n * const adminPerms: CollaboratorPermissions = {\n *   read: true,\n *   create: true,\n *   update: true,\n *   delete: true,\n *   admin: true,\n *   owner: false,\n * };\n * ```\n */\nexport type CollaboratorPermissions = z.infer<typeof CollaboratorPermissionsSchema>;\n\n/**\n * Zod schema for SDS organization data.\n *\n * Organizations are top-level entities in SDS that can own repositories\n * and have multiple collaborators with different permission levels.\n */\nexport const OrganizationSchema = z.object({\n  /**\n   * The organization's DID - unique identifier.\n   * Format: \"did:plc:...\" or \"did:web:...\"\n   */\n  did: z.string(),\n\n  /**\n   * The organization's handle - human-readable identifier.\n   * Format: \"orgname.sds.hypercerts.org\" or similar\n   */\n  handle: z.string(),\n\n  /**\n   * Display name for the organization.\n   */\n  name: z.string(),\n\n  /**\n   * Optional description of the organization's purpose.\n   */\n  description: z.string().optional(),\n\n  /**\n   * ISO 8601 timestamp when the organization was created.\n   * Format: \"2024-01-15T10:30:00.000Z\"\n   */\n  createdAt: z.string(),\n\n  /**\n   * The current user's permissions within this organization.\n   */\n  permissions: CollaboratorPermissionsSchema,\n\n  /**\n   * How the current user relates to this organization.\n   * - `\"owner\"`: User created or owns the organization\n   * - `\"shared\"`: User was invited to collaborate (has permissions)\n   * - `\"none\"`: User has no access to this organization\n   */\n  accessType: z.enum([\"owner\", \"shared\", \"none\"]),\n});\n\n/**\n * SDS Organization entity.\n *\n * Represents an organization on a Shared Data Server. Organizations\n * provide a way to group repositories and manage access for teams.\n *\n * @example\n * ```typescript\n * const org: Organization = {\n *   did: \"did:plc:org123abc\",\n *   handle: \"my-team.sds.hypercerts.org\",\n *   name: \"My Team\",\n *   description: \"A team working on impact certificates\",\n *   createdAt: \"2024-01-15T10:30:00.000Z\",\n *   permissions: {\n *     read: true,\n *     create: true,\n *     update: true,\n *     delete: true,\n *     admin: true,\n *     owner: true,\n *   },\n *   accessType: \"owner\",\n * };\n * ```\n */\nexport type Organization = z.infer<typeof OrganizationSchema>;\n\n/**\n * Zod schema for collaborator data.\n *\n * Represents a user who has been granted access to a shared repository\n * or organization with specific permissions.\n */\nexport const CollaboratorSchema = z.object({\n  /**\n   * The collaborator's DID - their unique identifier.\n   * Format: \"did:plc:...\" or \"did:web:...\"\n   */\n  userDid: z.string(),\n\n  /**\n   * The permissions granted to this collaborator.\n   */\n  permissions: CollaboratorPermissionsSchema,\n\n  /**\n   * DID of the user who granted these permissions.\n   * Useful for audit trails.\n   */\n  grantedBy: z.string(),\n\n  /**\n   * ISO 8601 timestamp when permissions were granted.\n   * Format: \"2024-01-15T10:30:00.000Z\"\n   */\n  grantedAt: z.string(),\n\n  /**\n   * ISO 8601 timestamp when permissions were revoked, if applicable.\n   * Undefined if the collaborator is still active.\n   */\n  revokedAt: z.string().optional(),\n});\n\n/**\n * Collaborator information for SDS repositories.\n *\n * Represents a user who has been granted access to collaborate on\n * a shared repository or organization.\n *\n * @example\n * ```typescript\n * const collaborator: Collaborator = {\n *   userDid: \"did:plc:user456def\",\n *   permissions: {\n *     read: true,\n *     create: true,\n *     update: true,\n *     delete: false,\n *     admin: false,\n *     owner: false,\n *   },\n *   grantedBy: \"did:plc:owner123abc\",\n *   grantedAt: \"2024-02-01T14:00:00.000Z\",\n * };\n * ```\n */\nexport type Collaborator = z.infer<typeof CollaboratorSchema>;\n"],"names":[],"mappings":";;;;AAGA;;;;;;AAMG;AACI,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;AACxC;;;;;AAKG;AACH,IAAA,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;AAE1B;;;AAGG;AACH,IAAA,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;AAE7B;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4BG;IACH,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,yBAAyB,CAAC;AAEnD;;;AAGG;AACH,IAAA,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;AAEzB;;;;;;;AAOG;AACH,IAAA,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;AACvB,CAAA;AAED;;;;;AAKG;AACI,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;AACzC;;;;;AAKG;IACH,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;AAEhC;;;;;AAKG;IACH,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;AACjC,CAAA;AAED;;;;;AAKG;AACI,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;AAC1C;;;AAGG;IACH,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;AAE7C;;;AAGG;IACH,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;AAC9C,CAAA;AAED;;;;;;;AAOG;AACI,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;AAC7C,IAAA,KAAK,EAAE,iBAAiB;AACxB,IAAA,OAAO,EAAE,kBAAkB,CAAC,QAAQ,EAAE;AACtC,IAAA,QAAQ,EAAE,mBAAmB,CAAC,QAAQ,EAAE;AACzC,CAAA;;ACxED;;;;;;AAMG;AACI,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC;AACpD;;;AAGG;AACH,IAAA,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;AAEjB;;;AAGG;AACH,IAAA,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE;AAEnB;;;AAGG;AACH,IAAA,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE;AAEnB;;;AAGG;AACH,IAAA,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE;AAEnB;;;AAGG;AACH,IAAA,KAAK,EAAE,CAAC,CAAC,OAAO,EAAE;AAElB;;;;AAIG;AACH,IAAA,KAAK,EAAE,CAAC,CAAC,OAAO,EAAE;AACnB,CAAA;AA2CD;;;;;AAKG;AACI,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;AACzC;;;AAGG;AACH,IAAA,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;AAEf;;;AAGG;AACH,IAAA,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;AAElB;;AAEG;AACH,IAAA,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;AAEhB;;AAEG;AACH,IAAA,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;AAElC;;;AAGG;AACH,IAAA,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;AAErB;;AAEG;AACH,IAAA,WAAW,EAAE,6BAA6B;AAE1C;;;;;AAKG;AACH,IAAA,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;AAChD,CAAA;AA8BD;;;;;AAKG;AACI,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;AACzC;;;AAGG;AACH,IAAA,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;AAEnB;;AAEG;AACH,IAAA,WAAW,EAAE,6BAA6B;AAE1C;;;AAGG;AACH,IAAA,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;AAErB;;;AAGG;AACH,IAAA,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;AAErB;;;AAGG;AACH,IAAA,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;AACjC,CAAA;;;;"}
+{"version":3,"file":"types.mjs","sources":["../src/core/config.ts","../src/core/types.ts"],"sourcesContent":["import { z } from \"zod\";\nimport type { SessionStore, StateStore, CacheInterface, LoggerInterface } from \"./interfaces.js\";\n\n/**\n * Type for HTTP loopback URLs (localhost, 127.0.0.1, [::1])\n */\nexport type LoopbackUrl = `http://localhost${string}` | `http://127.0.0.1${string}` | `http://[::1]${string}`;\n\n/**\n * Type for HTTPS URLs (production)\n */\nexport type HttpsUrl = `https://${string}`;\n\n/**\n * Type for URLs that can be used in development or production\n */\nexport type DevelopmentOrProductionUrl = HttpsUrl | LoopbackUrl;\n\n/**\n * Custom URL validator that allows HTTP loopback addresses for development.\n *\n * Accepts:\n * - Any HTTPS URL (production)\n * - http://localhost (with optional port and path)\n * - http://127.0.0.1 (with optional port and path)\n * - http://[::1] (with optional port and path) - IPv6 loopback\n *\n * Rejects:\n * - Other HTTP URLs (e.g., http://example.com)\n * - Invalid URLs\n *\n * @internal\n */\nconst urlOrLoopback = z.string().refine(\n  (value) => {\n    try {\n      const url = new URL(value);\n\n      // Always allow HTTPS\n      if (url.protocol === \"https:\") {\n        return true;\n      }\n\n      // For HTTP, only allow loopback addresses\n      if (url.protocol === \"http:\") {\n        const hostname = url.hostname.toLowerCase();\n        return hostname === \"localhost\" || hostname === \"127.0.0.1\" || hostname === \"[::1]\";\n      }\n\n      return false;\n    } catch {\n      return false;\n    }\n  },\n  {\n    message: \"Must be a valid HTTPS URL or HTTP loopback URL (localhost, 127.0.0.1, [::1])\",\n  },\n);\n\n/**\n * Zod schema for OAuth configuration validation.\n *\n * @remarks\n * All URLs must be valid and use HTTPS in production. For local development,\n * HTTP loopback URLs (localhost, 127.0.0.1, [::1]) are allowed.\n * The `jwkPrivate` field should contain the private key in JWK (JSON Web Key) format as a string.\n */\nexport const OAuthConfigSchema = z.object({\n  /**\n   * URL to the OAuth client metadata JSON document.\n   * This document describes your application to the authorization server.\n   *\n   * For local development, you can use `http://localhost/` as a loopback client.\n   *\n   * @see https://atproto.com/specs/oauth#client-metadata\n   */\n  clientId: urlOrLoopback,\n\n  /**\n   * URL where users are redirected after authentication.\n   * Must match one of the redirect URIs in your client metadata.\n   *\n   * For local development, you can use HTTP loopback URLs like\n   * `http://127.0.0.1:3000/callback` or `http://localhost:3000/callback`.\n   */\n  redirectUri: urlOrLoopback,\n\n  /**\n   * OAuth scopes to request, space-separated.\n   *\n   * Can be a string of space-separated permissions or use the permission system:\n   *\n   * @example Using presets\n   * ```typescript\n   * import { ScopePresets } from '@hypercerts-org/sdk-core';\n   * scope: ScopePresets.EMAIL_AND_PROFILE\n   * ```\n   *\n   * @example Building custom scopes\n   * ```typescript\n   * import { PermissionBuilder, buildScope } from '@hypercerts-org/sdk-core';\n   * scope: buildScope(\n   *   new PermissionBuilder()\n   *     .accountEmail('read')\n   *     .repoWrite('app.bsky.feed.post')\n   *     .build()\n   * )\n   * ```\n   *\n   * @example Legacy scopes\n   * ```typescript\n   * scope: \"atproto transition:generic\"\n   * ```\n   *\n   * @see https://atproto.com/specs/permission for permission details\n   */\n  scope: z.string().min(1, \"OAuth scope is required\"),\n\n  /**\n   * URL to your public JWKS (JSON Web Key Set) endpoint.\n   * Used by the authorization server to verify your client's signatures.\n   *\n   * For local development, you can serve JWKS from a loopback URL like\n   * `http://127.0.0.1:3000/.well-known/jwks.json`.\n   */\n  jwksUri: urlOrLoopback,\n\n  /**\n   * Private JWK (JSON Web Key) as a JSON string.\n   * Used for signing DPoP proofs and client assertions.\n   *\n   * @remarks\n   * This should be kept secret and never exposed to clients.\n   * Typically loaded from environment variables or a secrets manager.\n   */\n  jwkPrivate: z.string(),\n\n  /**\n   * Enable development mode features (optional).\n   *\n   * When true, suppresses warnings about using HTTP loopback URLs.\n   * Should be set to true for local development to reduce console noise.\n   *\n   * @default false\n   *\n   * @example\n   * ```typescript\n   * oauth: {\n   *   clientId: \"http://localhost/\",\n   *   redirectUri: \"http://127.0.0.1:3000/callback\",\n   *   // ... other config\n   *   developmentMode: true, // Suppress loopback warnings\n   * }\n   * ```\n   */\n  developmentMode: z.boolean().optional(),\n});\n\n/**\n * Zod schema for server URL configuration.\n *\n * @remarks\n * At least one server (PDS or SDS) should be configured for the SDK to be useful.\n * For local development, HTTP loopback URLs are allowed.\n */\nexport const ServerConfigSchema = z.object({\n  /**\n   * Personal Data Server URL - the user's own AT Protocol server.\n   * This is the primary server for user data operations.\n   *\n   * @example Production\n   * ```typescript\n   * pds: \"https://bsky.social\"\n   * ```\n   *\n   * @example Local development\n   * ```typescript\n   * pds: \"http://localhost:2583\"\n   * ```\n   */\n  pds: urlOrLoopback.optional(),\n\n  /**\n   * Shared Data Server URL - for collaborative data storage.\n   * Required for collaborator and organization operations.\n   *\n   * @example Production\n   * ```typescript\n   * sds: \"https://sds.hypercerts.org\"\n   * ```\n   *\n   * @example Local development\n   * ```typescript\n   * sds: \"http://127.0.0.1:2584\"\n   * ```\n   */\n  sds: urlOrLoopback.optional(),\n});\n\n/**\n * Zod schema for timeout configuration.\n *\n * @remarks\n * All timeout values are in milliseconds.\n */\nexport const TimeoutConfigSchema = z.object({\n  /**\n   * Timeout for fetching PDS metadata during identity resolution.\n   * @default 5000 (5 seconds, set by OAuthClient)\n   */\n  pdsMetadata: z.number().positive().optional(),\n\n  /**\n   * Timeout for general API requests to PDS/SDS.\n   * @default 30000 (30 seconds)\n   */\n  apiRequests: z.number().positive().optional(),\n});\n\n/**\n * Zod schema for SDK configuration validation.\n *\n * @remarks\n * This schema validates only the primitive/serializable parts of the configuration.\n * Storage interfaces ({@link SessionStore}, {@link StateStore}) cannot be validated\n * with Zod as they are runtime objects.\n */\nexport const ATProtoSDKConfigSchema = z.object({\n  oauth: OAuthConfigSchema,\n  servers: ServerConfigSchema.optional(),\n  timeouts: TimeoutConfigSchema.optional(),\n});\n\n/**\n * Configuration options for the ATProto SDK.\n *\n * This interface defines all configuration needed to initialize the SDK,\n * including OAuth credentials, server endpoints, and optional customizations.\n *\n * @example Minimal configuration\n * ```typescript\n * const config: ATProtoSDKConfig = {\n *   oauth: {\n *     clientId: \"https://my-app.com/client-metadata.json\",\n *     redirectUri: \"https://my-app.com/callback\",\n *     scope: \"atproto transition:generic\",\n *     jwksUri: \"https://my-app.com/.well-known/jwks.json\",\n *     jwkPrivate: process.env.JWK_PRIVATE_KEY!,\n *   },\n *   servers: {\n *     pds: \"https://bsky.social\",\n *   },\n * };\n * ```\n *\n * @example Full configuration with custom storage\n * ```typescript\n * const config: ATProtoSDKConfig = {\n *   oauth: { ... },\n *   servers: {\n *     pds: \"https://bsky.social\",\n *     sds: \"https://sds.hypercerts.org\",\n *   },\n *   storage: {\n *     sessionStore: new RedisSessionStore(redisClient),\n *     stateStore: new RedisStateStore(redisClient),\n *   },\n *   timeouts: {\n *     pdsMetadata: 5000,\n *     apiRequests: 30000,\n *   },\n *   logger: console,\n * };\n * ```\n */\nexport interface ATProtoSDKConfig {\n  /**\n   * OAuth 2.0 configuration for authentication.\n   *\n   * Required fields for the OAuth flow with DPoP (Demonstrating Proof of Possession).\n   * Your application must host the client metadata and JWKS endpoints.\n   *\n   * @see https://atproto.com/specs/oauth for AT Protocol OAuth specification\n   */\n  oauth: z.infer<typeof OAuthConfigSchema>;\n\n  /**\n   * Server URLs for PDS and SDS connections.\n   *\n   * - **PDS**: Personal Data Server - user's own data storage\n   * - **SDS**: Shared Data Server - collaborative storage with access control\n   */\n  servers?: z.infer<typeof ServerConfigSchema>;\n\n  /**\n   * Storage adapters for persisting OAuth sessions and state.\n   *\n   * If not provided, in-memory implementations are used automatically.\n   * **Warning**: In-memory storage is lost on process restart - use persistent\n   * storage (Redis, database, etc.) in production.\n   *\n   * @example\n   * ```typescript\n   * storage: {\n   *   sessionStore: new RedisSessionStore(redis),\n   *   stateStore: new RedisStateStore(redis),\n   * }\n   * ```\n   */\n  storage?: {\n    /**\n     * Persistent storage for OAuth sessions.\n     * Sessions contain access tokens, refresh tokens, and DPoP keys.\n     */\n    sessionStore?: SessionStore;\n\n    /**\n     * Temporary storage for OAuth state during the authorization flow.\n     * State is short-lived and used for PKCE and CSRF protection.\n     */\n    stateStore?: StateStore;\n  };\n\n  /**\n   * Custom fetch implementation for HTTP requests.\n   *\n   * Use this to add custom headers, logging, or to use a different HTTP client.\n   * Must be compatible with the standard Fetch API.\n   *\n   * @example\n   * ```typescript\n   * fetch: async (url, init) => {\n   *   console.log(`Fetching: ${url}`);\n   *   return globalThis.fetch(url, init);\n   * }\n   * ```\n   */\n  fetch?: typeof fetch;\n\n  /**\n   * Timeout configuration for network requests.\n   * Values are in milliseconds.\n   */\n  timeouts?: z.infer<typeof TimeoutConfigSchema>;\n\n  /**\n   * Cache for profiles, metadata, and other frequently accessed data.\n   *\n   * Implementing caching can significantly reduce API calls and improve performance.\n   * The SDK does not provide a default cache - you must implement {@link CacheInterface}.\n   */\n  cache?: CacheInterface;\n\n  /**\n   * Logger for debugging and observability.\n   *\n   * The logger receives debug, info, warn, and error messages from the SDK.\n   * Compatible with `console` or any logger implementing {@link LoggerInterface}.\n   *\n   * @example\n   * ```typescript\n   * logger: console\n   * // or\n   * logger: pino()\n   * // or\n   * logger: winston.createLogger({ ... })\n   * ```\n   */\n  logger?: LoggerInterface;\n}\n","import type { OAuthSession } from \"@atproto/oauth-client-node\";\nimport { z } from \"zod\";\n\n/**\n * Decentralized Identifier (DID) - a unique, persistent identifier for AT Protocol users.\n *\n * DIDs are the canonical identifier for users in the AT Protocol ecosystem.\n * Unlike handles which can change, DIDs remain constant for the lifetime of an account.\n *\n * @remarks\n * AT Protocol supports multiple DID methods:\n * - `did:plc:` - PLC (Public Ledger of Credentials) DIDs, most common for Bluesky users\n * - `did:web:` - Web DIDs, resolved via HTTPS\n *\n * @example\n * ```typescript\n * const did: DID = \"did:plc:ewvi7nxzyoun6zhxrhs64oiz\";\n * const webDid: DID = \"did:web:example.com\";\n * ```\n *\n * @see https://atproto.com/specs/did for DID specification\n */\nexport type DID = string;\n\n/**\n * OAuth session with DPoP (Demonstrating Proof of Possession) support.\n *\n * This type represents an authenticated user session. It wraps the\n * `@atproto/oauth-client-node` OAuthSession and contains:\n * - Access token for API requests\n * - Refresh token for obtaining new access tokens\n * - DPoP key pair for proof-of-possession\n * - User's DID and other identity information\n *\n * @remarks\n * Sessions are managed by the SDK and automatically refresh when tokens expire.\n * Store the user's DID to restore sessions later with {@link ATProtoSDK.restoreSession}.\n *\n * Key properties from OAuthSession:\n * - `did` or `sub`: The user's DID\n * - `handle`: The user's handle (e.g., \"user.bsky.social\")\n *\n * @example\n * ```typescript\n * const session = await sdk.callback(params);\n *\n * // Access user identity\n * console.log(`Logged in as: ${session.did}`);\n *\n * // Use session for repository operations\n * const repo = sdk.repository(session);\n * ```\n *\n * @see https://atproto.com/specs/oauth for OAuth specification\n */\nexport type Session = OAuthSession;\n\n/**\n * Zod schema for collaborator permissions in SDS repositories.\n *\n * Defines the granular permissions a collaborator can have on a shared repository.\n * Permissions follow a hierarchical model where higher-level permissions\n * typically imply lower-level ones.\n */\nexport const CollaboratorPermissionsSchema = z.object({\n  /**\n   * Can read/view records in the repository.\n   * This is the most basic permission level.\n   */\n  read: z.boolean(),\n\n  /**\n   * Can create new records in the repository.\n   * Typically implies `read` permission.\n   */\n  create: z.boolean(),\n\n  /**\n   * Can modify existing records in the repository.\n   * Typically implies `read` and `create` permissions.\n   */\n  update: z.boolean(),\n\n  /**\n   * Can delete records from the repository.\n   * Typically implies `read`, `create`, and `update` permissions.\n   */\n  delete: z.boolean(),\n\n  /**\n   * Can manage collaborators and their permissions.\n   * Administrative permission that allows inviting/removing collaborators.\n   */\n  admin: z.boolean(),\n\n  /**\n   * Full ownership of the repository.\n   * Owners have all permissions and cannot be removed by other admins.\n   * There must always be at least one owner.\n   */\n  owner: z.boolean(),\n});\n\n/**\n * Collaborator permissions for SDS (Shared Data Server) repositories.\n *\n * These permissions control what actions a collaborator can perform\n * on records within a shared repository.\n *\n * @example\n * ```typescript\n * // Read-only collaborator\n * const readOnlyPerms: CollaboratorPermissions = {\n *   read: true,\n *   create: false,\n *   update: false,\n *   delete: false,\n *   admin: false,\n *   owner: false,\n * };\n *\n * // Editor collaborator\n * const editorPerms: CollaboratorPermissions = {\n *   read: true,\n *   create: true,\n *   update: true,\n *   delete: false,\n *   admin: false,\n *   owner: false,\n * };\n *\n * // Admin collaborator\n * const adminPerms: CollaboratorPermissions = {\n *   read: true,\n *   create: true,\n *   update: true,\n *   delete: true,\n *   admin: true,\n *   owner: false,\n * };\n * ```\n */\nexport type CollaboratorPermissions = z.infer<typeof CollaboratorPermissionsSchema>;\n\n/**\n * Zod schema for SDS organization data.\n *\n * Organizations are top-level entities in SDS that can own repositories\n * and have multiple collaborators with different permission levels.\n */\nexport const OrganizationSchema = z.object({\n  /**\n   * The organization's DID - unique identifier.\n   * Format: \"did:plc:...\" or \"did:web:...\"\n   */\n  did: z.string(),\n\n  /**\n   * The organization's handle - human-readable identifier.\n   * Format: \"orgname.sds.hypercerts.org\" or similar\n   */\n  handle: z.string(),\n\n  /**\n   * Display name for the organization.\n   */\n  name: z.string(),\n\n  /**\n   * Optional description of the organization's purpose.\n   */\n  description: z.string().optional(),\n\n  /**\n   * ISO 8601 timestamp when the organization was created.\n   * Format: \"2024-01-15T10:30:00.000Z\"\n   */\n  createdAt: z.string(),\n\n  /**\n   * The current user's permissions within this organization.\n   */\n  permissions: CollaboratorPermissionsSchema,\n\n  /**\n   * How the current user relates to this organization.\n   * - `\"owner\"`: User created or owns the organization\n   * - `\"shared\"`: User was invited to collaborate (has permissions)\n   * - `\"none\"`: User has no access to this organization\n   */\n  accessType: z.enum([\"owner\", \"shared\", \"none\"]),\n});\n\n/**\n * SDS Organization entity.\n *\n * Represents an organization on a Shared Data Server. Organizations\n * provide a way to group repositories and manage access for teams.\n *\n * @example\n * ```typescript\n * const org: Organization = {\n *   did: \"did:plc:org123abc\",\n *   handle: \"my-team.sds.hypercerts.org\",\n *   name: \"My Team\",\n *   description: \"A team working on impact certificates\",\n *   createdAt: \"2024-01-15T10:30:00.000Z\",\n *   permissions: {\n *     read: true,\n *     create: true,\n *     update: true,\n *     delete: true,\n *     admin: true,\n *     owner: true,\n *   },\n *   accessType: \"owner\",\n * };\n * ```\n */\nexport type Organization = z.infer<typeof OrganizationSchema>;\n\n/**\n * Zod schema for collaborator data.\n *\n * Represents a user who has been granted access to a shared repository\n * or organization with specific permissions.\n */\nexport const CollaboratorSchema = z.object({\n  /**\n   * The collaborator's DID - their unique identifier.\n   * Format: \"did:plc:...\" or \"did:web:...\"\n   */\n  userDid: z.string(),\n\n  /**\n   * The permissions granted to this collaborator.\n   */\n  permissions: CollaboratorPermissionsSchema,\n\n  /**\n   * DID of the user who granted these permissions.\n   * Useful for audit trails.\n   */\n  grantedBy: z.string(),\n\n  /**\n   * ISO 8601 timestamp when permissions were granted.\n   * Format: \"2024-01-15T10:30:00.000Z\"\n   */\n  grantedAt: z.string(),\n\n  /**\n   * ISO 8601 timestamp when permissions were revoked, if applicable.\n   * Undefined if the collaborator is still active.\n   */\n  revokedAt: z.string().optional(),\n});\n\n/**\n * Collaborator information for SDS repositories.\n *\n * Represents a user who has been granted access to collaborate on\n * a shared repository or organization.\n *\n * @example\n * ```typescript\n * const collaborator: Collaborator = {\n *   userDid: \"did:plc:user456def\",\n *   permissions: {\n *     read: true,\n *     create: true,\n *     update: true,\n *     delete: false,\n *     admin: false,\n *     owner: false,\n *   },\n *   grantedBy: \"did:plc:owner123abc\",\n *   grantedAt: \"2024-02-01T14:00:00.000Z\",\n * };\n * ```\n */\nexport type Collaborator = z.infer<typeof CollaboratorSchema>;\n"],"names":[],"mappings":";;;;AAkBA;;;;;;;;;;;;;;AAcG;AACH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CACrC,CAAC,KAAK,KAAI;AACR,IAAA,IAAI;AACF,QAAA,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC;;AAG1B,QAAA,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE;AAC7B,YAAA,OAAO,IAAI;QACb;;AAGA,QAAA,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE;YAC5B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE;YAC3C,OAAO,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,OAAO;QACrF;AAEA,QAAA,OAAO,KAAK;IACd;AAAE,IAAA,MAAM;AACN,QAAA,OAAO,KAAK;IACd;AACF,CAAC,EACD;AACE,IAAA,OAAO,EAAE,8EAA8E;AACxF,CAAA,CACF;AAED;;;;;;;AAOG;AACI,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;AACxC;;;;;;;AAOG;AACH,IAAA,QAAQ,EAAE,aAAa;AAEvB;;;;;;AAMG;AACH,IAAA,WAAW,EAAE,aAAa;AAE1B;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4BG;IACH,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,yBAAyB,CAAC;AAEnD;;;;;;AAMG;AACH,IAAA,OAAO,EAAE,aAAa;AAEtB;;;;;;;AAOG;AACH,IAAA,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;AAEtB;;;;;;;;;;;;;;;;;AAiBG;AACH,IAAA,eAAe,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;AACxC,CAAA;AAED;;;;;;AAMG;AACI,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;AACzC;;;;;;;;;;;;;AAaG;AACH,IAAA,GAAG,EAAE,aAAa,CAAC,QAAQ,EAAE;AAE7B;;;;;;;;;;;;;AAaG;AACH,IAAA,GAAG,EAAE,aAAa,CAAC,QAAQ,EAAE;AAC9B,CAAA;AAED;;;;;AAKG;AACI,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;AAC1C;;;AAGG;IACH,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;AAE7C;;;AAGG;IACH,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;AAC9C,CAAA;AAED;;;;;;;AAOG;AACI,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;AAC7C,IAAA,KAAK,EAAE,iBAAiB;AACxB,IAAA,OAAO,EAAE,kBAAkB,CAAC,QAAQ,EAAE;AACtC,IAAA,QAAQ,EAAE,mBAAmB,CAAC,QAAQ,EAAE;AACzC,CAAA;;AC9KD;;;;;;AAMG;AACI,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC;AACpD;;;AAGG;AACH,IAAA,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;AAEjB;;;AAGG;AACH,IAAA,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE;AAEnB;;;AAGG;AACH,IAAA,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE;AAEnB;;;AAGG;AACH,IAAA,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE;AAEnB;;;AAGG;AACH,IAAA,KAAK,EAAE,CAAC,CAAC,OAAO,EAAE;AAElB;;;;AAIG;AACH,IAAA,KAAK,EAAE,CAAC,CAAC,OAAO,EAAE;AACnB,CAAA;AA2CD;;;;;AAKG;AACI,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;AACzC;;;AAGG;AACH,IAAA,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;AAEf;;;AAGG;AACH,IAAA,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;AAElB;;AAEG;AACH,IAAA,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;AAEhB;;AAEG;AACH,IAAA,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;AAElC;;;AAGG;AACH,IAAA,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;AAErB;;AAEG;AACH,IAAA,WAAW,EAAE,6BAA6B;AAE1C;;;;;AAKG;AACH,IAAA,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;AAChD,CAAA;AA8BD;;;;;AAKG;AACI,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;AACzC;;;AAGG;AACH,IAAA,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;AAEnB;;AAEG;AACH,IAAA,WAAW,EAAE,6BAA6B;AAE1C;;;AAGG;AACH,IAAA,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;AAErB;;;AAGG;AACH,IAAA,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;AAErB;;;AAGG;AACH,IAAA,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;AACjC,CAAA;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hypercerts-org/sdk-core",
-  "version": "0.10.0-beta.4",
+  "version": "0.10.0-beta.6",
   "description": "Framework-agnostic ATProto SDK core for authentication, repository operations, and lexicon management",
   "main": "dist/index.cjs",
   "repository": {
@@ -15,7 +15,7 @@
     "README.md",
     "CHANGELOG.md"
   ],
-  "prepublishOnly": "pnpm run check",
+  "prepublishOnly": "npm run lint && pnpm run typecheck && pnpm run build && pnpm run test",
   "keywords": [
     "atproto",
     "hypercerts",
@@ -76,8 +76,9 @@
     "@atproto/lexicon": "^0.5.1",
     "@atproto/oauth-client": "^0.5.10",
     "@atproto/oauth-client-node": "^0.3.12",
-    "@hypercerts-org/lexicon": "^0.10.0-beta.3",
+    "@hypercerts-org/lexicon": "0.10.0-beta.11",
     "eventemitter3": "^5.0.1",
+    "type-fest": "^5.4.1",
     "zod": "^3.24.4"
   },
   "scripts": {