@iqauth/sdk 2.6.4 → 2.7.0

package/dist/index.d.mts

@@ -1,10 +1,58 @@
-export { j as ApiKeysModule, g as AppsModule, A as AuthModule, B as BrandingModule, m as ClientsModule, C as CreateAppRequest, h as CreateAppResponse, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, k as InvitesModule, M as MembershipsModule, p as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, i as PermissionGroupsModule, P as PermissionsModule, o as PinModule, R as RolesModule, n as ScopeModule, S as SessionsModule, l as SourcesModule, T as TenantsModule, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-kYlJFgPv.mjs';
-export { a as ErrorCode, E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
-export { i as iqAuthMiddleware } from './express-B6_1vBYZ.mjs';
-export { b as DEFAULT_CLOCK_TOLERANCE_SECONDS, a as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, c as TokenVerifyOptions, T as TokensModule, d as TokensModuleOptions } from './tokens-DCyzzn8L.mjs';
-export { K as KeyMode, c as ParsedPublishableKey, P as PublishableKeyPayload, a as assertPublishableKey, e as encodePublishableKey, i as isPublishableKey, b as isSecretKey, p as parsePublishableKey } from './publishableKey-BaR0HoAH.mjs';
+export { j as ApiKeysModule, g as AppsModule, A as AuthModule, B as BrandingModule, m as ClientsModule, C as CreateAppRequest, h as CreateAppResponse, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, k as InvitesModule, M as MembershipsModule, p as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, i as PermissionGroupsModule, P as PermissionsModule, o as PinModule, R as RolesModule, n as ScopeModule, S as SessionsModule, l as SourcesModule, T as TenantsModule, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-BGFnBpfc.mjs';
+export { b as ErrorCode, E as ErrorCodes, I as IQAuthError, c as IQAuthErrorCode, a as IQ_AUTH_ERROR_CODES } from './errors-Jl1Jtm-6.mjs';
+export { i as iqAuthMiddleware } from './express-CVNQEkOr.mjs';
+export { b as DEFAULT_CLOCK_TOLERANCE_SECONDS, a as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, c as TokenVerifyOptions, T as TokensModule, d as TokensModuleOptions } from './tokens-CITeoG6P.mjs';
+export { K as KeyMode, c as ParsedPublishableKey, P as PublishableKeyPayload, a as assertPublishableKey, e as encodePublishableKey, i as isPublishableKey, b as isSecretKey, p as parsePublishableKey } from './publishableKey-f2kq-rKw.mjs';
+export { UserinfoResponse, buildUserinfoResponse, handleUserinfo } from './server/handlers.mjs';
 export { VerifyWsUpgradeOptions, VerifyWsUpgradeResult, WsUpgradeRequestLike, verifyWsUpgrade } from './ws.mjs';
 export { CreateTestIssuerOptions, MintAuthCodeOptions, MintTokenOptions, TestIssuer, createTestIssuer } from './test.mjs';
-export { an as AcceptInviteRequest, aa as AddGroupPermissionRequest, ad as AddUserOverrideRequest, v as ApiErrorResponse, ag as ApiKeyInfo, aj as ApiKeyIntrospection, w as ApiResponse, A as ApiSuccessResponse, _ as AppInfo, Z as AppManifest, a0 as AppSyncResult, a4 as AssignRoleRequest, aM as AvailableScopesTree, a_ as BackupCodeCountResult, aZ as BackupCodesResult, p as BrandingAsset, B as BrandingConfig, r as BrandingDomainMapping, aB as Client, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, aC as CreateClientRequest, al as CreateInviteRequest, aJ as CreateMembershipRequest, a2 as CreateRoleRequest, az as CreateSourceRequest, C as CreateTenantRequest, aw as CreateVendorRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ae as EffectivePermission, aY as EmailEnrollResult, at as Entitlement, N as ExpressMiddlewareOptions, aR as GdprExportData, au as GrantEntitlementRequest, a9 as GroupPermission, aG as HierarchyClient, aH as HierarchyLink, aF as HierarchySource, aE as HierarchyVendor, c as IQAuthBrowserSessionClientConfig, a as IQAuthClientConfig, I as IQAuthEnvironment, V as IQAuthNextFunction, Q as IQAuthRequestLike, R as IQAuthResponseLike, W as IQAuthRetryConfig, b as IQAuthTokenClientConfig, X as IQAuthVerifyConfig, ab as InheritanceRelation, ak as Invitation, l as InviteTenantUserRequest, m as InviteTenantUserResult, am as InviteValidation, s as JwksKey, t as JwksResponse, J as JwtClaims, L as LoginResult, aI as Membership, aL as MembershipWithDetails, aU as MfaAvailableMethods, y as MfaEnrollment, x as MfaMethod, F as MfaPolicy, D as MfaVerifyResult, M as MigrateUserRequest, O as OidcDiscovery, u as OidcTokenResponse, E as PasswordPolicy, af as PermissionCheckResult, a8 as PermissionGroup, $ as PermissionNodeInfo, Y as PermissionNodeManifest, aT as PinLoginResult, aS as PinStatus, P as PromoteToVendorRequest, k as PromoteToVendorResult, H as ProvisionUserRequest, K as ProvisionUserResponse, a1 as Role, S as ScopeContext, aQ as ScopeSwitchResult, aN as ScopeTreeClient, aO as ScopeTreeSource, aP as ScopeTreeVendor, h as Session, g as SessionAuthenticatedLoginResult, d as SessionUser, aX as SmsEnrollResult, ay as Source, e as Tenant, i as TenantInfo, a7 as TenantUser, n as TenantUserRoleUpdate, f as TokenAuthenticatedLoginResult, T as TokenPair, aV as TotpEnrollResult, z as TotpEnrollmentResult, aW as TotpVerifyResult, o as UpdateBrandingRequest, aD as UpdateClientRequest, aK as UpdateMembershipRequest, a3 as UpdateRoleRequest, aA as UpdateSourceRequest, j as UpdateTenantRequest, ax as UpdateVendorRequest, q as UploadAssetRequest, a6 as UserGroupAssignment, ac as UserPermissionOverride, G as UserPermissions, U as UserProfile, a5 as UserRoleAssignment, av as Vendor, ar as WebhookDelivery, ao as WebhookEndpoint, as as WebhookTestResult } from './types-DZAflmmq.mjs';
-export { IQAuthWebhookEvent, VerifyWebhookOptions, WebhookSignatureError, isValidWebhookSignature, verifyWebhookSignature } from './webhooks.mjs';
-export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-88xjOS2n.mjs';
+export { ap as AcceptInviteRequest, ac as AddGroupPermissionRequest, af as AddUserOverrideRequest, D as ApiErrorResponse, ai as ApiKeyInfo, al as ApiKeyIntrospection, E as ApiResponse, A as ApiSuccessResponse, a0 as AppInfo, $ as AppManifest, a2 as AppSyncResult, a6 as AssignRoleRequest, aO as AvailableScopesTree, b0 as BackupCodeCountResult, a$ as BackupCodesResult, u as BrandingAsset, B as BrandingConfig, w as BrandingDomainMapping, aD as Client, aj as CreateApiKeyRequest, ak as CreateApiKeyResult, aE as CreateClientRequest, an as CreateInviteRequest, aL as CreateMembershipRequest, a4 as CreateRoleRequest, aB as CreateSourceRequest, C as CreateTenantRequest, ay as CreateVendorRequest, ar as CreateWebhookRequest, as as CreateWebhookResult, ag as EffectivePermission, a_ as EmailEnrollResult, av as Entitlement, X as ExpressMiddlewareOptions, aT as GdprExportData, aw as GrantEntitlementRequest, ab as GroupPermission, aI as HierarchyClient, aJ as HierarchyLink, aH as HierarchySource, aG as HierarchyVendor, i as IQAuthBaseClaims, I as IQAuthBrowserSessionClientConfig, h as IQAuthClaims, e as IQAuthClientConfig, d as IQAuthEnvironment, c as IQAuthNextFunction, a as IQAuthRequestLike, b as IQAuthResponseLike, Y as IQAuthRetryConfig, f as IQAuthTokenClientConfig, Z as IQAuthVerifyConfig, ad as InheritanceRelation, am as Invitation, q as InviteTenantUserRequest, r as InviteTenantUserResult, ao as InviteValidation, x as JwksKey, y as JwksResponse, J as JwtClaims, L as LoginResult, aK as Membership, aN as MembershipWithDetails, aW as MfaAvailableMethods, G as MfaEnrollment, F as MfaMethod, Q as MfaPolicy, K as MfaVerifyResult, M as MigrateUserRequest, O as OidcDiscovery, z as OidcTokenResponse, N as PasswordPolicy, ah as PermissionCheckResult, aa as PermissionGroup, a1 as PermissionNodeInfo, _ as PermissionNodeManifest, aV as PinLoginResult, aU as PinStatus, P as PromoteToVendorRequest, p as PromoteToVendorResult, V as ProvisionUserRequest, W as ProvisionUserResponse, a3 as Role, g as ScopeContext, aS as ScopeSwitchResult, aP as ScopeTreeClient, aQ as ScopeTreeSource, aR as ScopeTreeVendor, m as Session, l as SessionAuthenticatedLoginResult, S as SessionUser, aZ as SmsEnrollResult, aA as Source, j as Tenant, n as TenantInfo, a9 as TenantUser, s as TenantUserRoleUpdate, k as TokenAuthenticatedLoginResult, T as TokenPair, aX as TotpEnrollResult, H as TotpEnrollmentResult, aY as TotpVerifyResult, t as UpdateBrandingRequest, aF as UpdateClientRequest, aM as UpdateMembershipRequest, a5 as UpdateRoleRequest, aC as UpdateSourceRequest, o as UpdateTenantRequest, az as UpdateVendorRequest, v as UploadAssetRequest, a8 as UserGroupAssignment, ae as UserPermissionOverride, R as UserPermissions, U as UserProfile, a7 as UserRoleAssignment, ax as Vendor, at as WebhookDelivery, aq as WebhookEndpoint, au as WebhookTestResult } from './types-XOV9XPVi.mjs';
+export { IQAUTH_SIGNATURE_HEADER, IQAuthEvent, IQAuthWebhookEvent, LEGACY_SIGNATURE_HEADERS, ParseWebhookEventOptions, VerifyWebhookOptions, WebhookSignatureError, isValidWebhookSignature, parseWebhookEvent, verifyWebhookSignature } from './webhooks.mjs';
+export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-M5G47LWO.mjs';
+
+/**
+ * Shared wildcard permission utilities.
+ *
+ * Permission ids are dot-separated keys ("metrics", "metrics.read",
+ * "billing.invoices.delete"). Wildcards are supported in two forms:
+ *
+ * - `*` — matches every permission id (root wildcard).
+ * - `<prefix>.*` — matches `<prefix>` itself AND every descendant
+ *   (`metrics.*` matches `metrics`, `metrics.foo`, `metrics.foo.bar`, …).
+ *
+ * Wildcards may NOT appear in the middle of an id (e.g. `metrics.*.read`
+ * is treated as the literal string `metrics.*.read` and matches nothing
+ * special). Empty strings are ignored.
+ *
+ * The same implementation is meant to be used on BOTH client and server so
+ * the two halves can never drift apart and produce the classic
+ * "user can see the page but every API call 403s" foot-gun.
+ */
+/**
+ * Returns true iff the permission `id` is granted by the given `set` of
+ * granted permissions.
+ *
+ * Concrete ids in `id` (no wildcards in the query) are matched against
+ * concrete entries in the set OR any wildcard entry that covers them.
+ *
+ * Wildcards in the query (`id === "metrics.*"`) match iff there is an
+ * equivalent or broader wildcard in the set (`*` or `metrics.*`).
+ */
+declare function hasPermission(set: Iterable<string> | null | undefined, id: string): boolean;
+/**
+ * Normalizes a permission set: dedupes entries and strips entries already
+ * implied by a broader wildcard. The result is a stable, sorted array.
+ *
+ * Examples:
+ * - `["*", "metrics.read"]` → `["*"]`
+ * - `["metrics.*", "metrics", "metrics.foo"]` → `["metrics.*"]`
+ * - `["metrics.read", "billing.*", "billing.invoices.delete"]`
+ *      → `["billing.*", "metrics.read"]`
+ *
+ * Note: wildcards in the input remain wildcards in the output — the set of
+ * descendants is open-ended and cannot be enumerated. `expandPermissions`
+ * is about *normalization*, not enumeration.
+ */
+declare function expandPermissions(set: Iterable<string> | null | undefined): string[];
+
+export { expandPermissions, hasPermission };

package/dist/index.d.ts

@@ -1,10 +1,58 @@
-export { j as ApiKeysModule, g as AppsModule, A as AuthModule, B as BrandingModule, m as ClientsModule, C as CreateAppRequest, h as CreateAppResponse, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, k as InvitesModule, M as MembershipsModule, p as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, i as PermissionGroupsModule, P as PermissionsModule, o as PinModule, R as RolesModule, n as ScopeModule, S as SessionsModule, l as SourcesModule, T as TenantsModule, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-BNQe3AgF.js';
-export { a as ErrorCode, E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
-export { i as iqAuthMiddleware } from './express-CHpfa7D_.js';
-export { b as DEFAULT_CLOCK_TOLERANCE_SECONDS, a as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, c as TokenVerifyOptions, T as TokensModule, d as TokensModuleOptions } from './tokens-aHiGFr_E.js';
-export { K as KeyMode, c as ParsedPublishableKey, P as PublishableKeyPayload, a as assertPublishableKey, e as encodePublishableKey, i as isPublishableKey, b as isSecretKey, p as parsePublishableKey } from './publishableKey-BaR0HoAH.js';
+export { j as ApiKeysModule, g as AppsModule, A as AuthModule, B as BrandingModule, m as ClientsModule, C as CreateAppRequest, h as CreateAppResponse, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, k as InvitesModule, M as MembershipsModule, p as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, i as PermissionGroupsModule, P as PermissionsModule, o as PinModule, R as RolesModule, n as ScopeModule, S as SessionsModule, l as SourcesModule, T as TenantsModule, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-CDQ21LvW.js';
+export { b as ErrorCode, E as ErrorCodes, I as IQAuthError, c as IQAuthErrorCode, a as IQ_AUTH_ERROR_CODES } from './errors-Jl1Jtm-6.js';
+export { i as iqAuthMiddleware } from './express-Piv2WhWM.js';
+export { b as DEFAULT_CLOCK_TOLERANCE_SECONDS, a as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, c as TokenVerifyOptions, T as TokensModule, d as TokensModuleOptions } from './tokens-Bqhmqq_R.js';
+export { K as KeyMode, c as ParsedPublishableKey, P as PublishableKeyPayload, a as assertPublishableKey, e as encodePublishableKey, i as isPublishableKey, b as isSecretKey, p as parsePublishableKey } from './publishableKey-f2kq-rKw.js';
+export { UserinfoResponse, buildUserinfoResponse, handleUserinfo } from './server/handlers.js';
 export { VerifyWsUpgradeOptions, VerifyWsUpgradeResult, WsUpgradeRequestLike, verifyWsUpgrade } from './ws.js';
 export { CreateTestIssuerOptions, MintAuthCodeOptions, MintTokenOptions, TestIssuer, createTestIssuer } from './test.js';
-export { an as AcceptInviteRequest, aa as AddGroupPermissionRequest, ad as AddUserOverrideRequest, v as ApiErrorResponse, ag as ApiKeyInfo, aj as ApiKeyIntrospection, w as ApiResponse, A as ApiSuccessResponse, _ as AppInfo, Z as AppManifest, a0 as AppSyncResult, a4 as AssignRoleRequest, aM as AvailableScopesTree, a_ as BackupCodeCountResult, aZ as BackupCodesResult, p as BrandingAsset, B as BrandingConfig, r as BrandingDomainMapping, aB as Client, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, aC as CreateClientRequest, al as CreateInviteRequest, aJ as CreateMembershipRequest, a2 as CreateRoleRequest, az as CreateSourceRequest, C as CreateTenantRequest, aw as CreateVendorRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ae as EffectivePermission, aY as EmailEnrollResult, at as Entitlement, N as ExpressMiddlewareOptions, aR as GdprExportData, au as GrantEntitlementRequest, a9 as GroupPermission, aG as HierarchyClient, aH as HierarchyLink, aF as HierarchySource, aE as HierarchyVendor, c as IQAuthBrowserSessionClientConfig, a as IQAuthClientConfig, I as IQAuthEnvironment, V as IQAuthNextFunction, Q as IQAuthRequestLike, R as IQAuthResponseLike, W as IQAuthRetryConfig, b as IQAuthTokenClientConfig, X as IQAuthVerifyConfig, ab as InheritanceRelation, ak as Invitation, l as InviteTenantUserRequest, m as InviteTenantUserResult, am as InviteValidation, s as JwksKey, t as JwksResponse, J as JwtClaims, L as LoginResult, aI as Membership, aL as MembershipWithDetails, aU as MfaAvailableMethods, y as MfaEnrollment, x as MfaMethod, F as MfaPolicy, D as MfaVerifyResult, M as MigrateUserRequest, O as OidcDiscovery, u as OidcTokenResponse, E as PasswordPolicy, af as PermissionCheckResult, a8 as PermissionGroup, $ as PermissionNodeInfo, Y as PermissionNodeManifest, aT as PinLoginResult, aS as PinStatus, P as PromoteToVendorRequest, k as PromoteToVendorResult, H as ProvisionUserRequest, K as ProvisionUserResponse, a1 as Role, S as ScopeContext, aQ as ScopeSwitchResult, aN as ScopeTreeClient, aO as ScopeTreeSource, aP as ScopeTreeVendor, h as Session, g as SessionAuthenticatedLoginResult, d as SessionUser, aX as SmsEnrollResult, ay as Source, e as Tenant, i as TenantInfo, a7 as TenantUser, n as TenantUserRoleUpdate, f as TokenAuthenticatedLoginResult, T as TokenPair, aV as TotpEnrollResult, z as TotpEnrollmentResult, aW as TotpVerifyResult, o as UpdateBrandingRequest, aD as UpdateClientRequest, aK as UpdateMembershipRequest, a3 as UpdateRoleRequest, aA as UpdateSourceRequest, j as UpdateTenantRequest, ax as UpdateVendorRequest, q as UploadAssetRequest, a6 as UserGroupAssignment, ac as UserPermissionOverride, G as UserPermissions, U as UserProfile, a5 as UserRoleAssignment, av as Vendor, ar as WebhookDelivery, ao as WebhookEndpoint, as as WebhookTestResult } from './types-DZAflmmq.js';
-export { IQAuthWebhookEvent, VerifyWebhookOptions, WebhookSignatureError, isValidWebhookSignature, verifyWebhookSignature } from './webhooks.js';
-export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-DnTfzdZK.js';
+export { ap as AcceptInviteRequest, ac as AddGroupPermissionRequest, af as AddUserOverrideRequest, D as ApiErrorResponse, ai as ApiKeyInfo, al as ApiKeyIntrospection, E as ApiResponse, A as ApiSuccessResponse, a0 as AppInfo, $ as AppManifest, a2 as AppSyncResult, a6 as AssignRoleRequest, aO as AvailableScopesTree, b0 as BackupCodeCountResult, a$ as BackupCodesResult, u as BrandingAsset, B as BrandingConfig, w as BrandingDomainMapping, aD as Client, aj as CreateApiKeyRequest, ak as CreateApiKeyResult, aE as CreateClientRequest, an as CreateInviteRequest, aL as CreateMembershipRequest, a4 as CreateRoleRequest, aB as CreateSourceRequest, C as CreateTenantRequest, ay as CreateVendorRequest, ar as CreateWebhookRequest, as as CreateWebhookResult, ag as EffectivePermission, a_ as EmailEnrollResult, av as Entitlement, X as ExpressMiddlewareOptions, aT as GdprExportData, aw as GrantEntitlementRequest, ab as GroupPermission, aI as HierarchyClient, aJ as HierarchyLink, aH as HierarchySource, aG as HierarchyVendor, i as IQAuthBaseClaims, I as IQAuthBrowserSessionClientConfig, h as IQAuthClaims, e as IQAuthClientConfig, d as IQAuthEnvironment, c as IQAuthNextFunction, a as IQAuthRequestLike, b as IQAuthResponseLike, Y as IQAuthRetryConfig, f as IQAuthTokenClientConfig, Z as IQAuthVerifyConfig, ad as InheritanceRelation, am as Invitation, q as InviteTenantUserRequest, r as InviteTenantUserResult, ao as InviteValidation, x as JwksKey, y as JwksResponse, J as JwtClaims, L as LoginResult, aK as Membership, aN as MembershipWithDetails, aW as MfaAvailableMethods, G as MfaEnrollment, F as MfaMethod, Q as MfaPolicy, K as MfaVerifyResult, M as MigrateUserRequest, O as OidcDiscovery, z as OidcTokenResponse, N as PasswordPolicy, ah as PermissionCheckResult, aa as PermissionGroup, a1 as PermissionNodeInfo, _ as PermissionNodeManifest, aV as PinLoginResult, aU as PinStatus, P as PromoteToVendorRequest, p as PromoteToVendorResult, V as ProvisionUserRequest, W as ProvisionUserResponse, a3 as Role, g as ScopeContext, aS as ScopeSwitchResult, aP as ScopeTreeClient, aQ as ScopeTreeSource, aR as ScopeTreeVendor, m as Session, l as SessionAuthenticatedLoginResult, S as SessionUser, aZ as SmsEnrollResult, aA as Source, j as Tenant, n as TenantInfo, a9 as TenantUser, s as TenantUserRoleUpdate, k as TokenAuthenticatedLoginResult, T as TokenPair, aX as TotpEnrollResult, H as TotpEnrollmentResult, aY as TotpVerifyResult, t as UpdateBrandingRequest, aF as UpdateClientRequest, aM as UpdateMembershipRequest, a5 as UpdateRoleRequest, aC as UpdateSourceRequest, o as UpdateTenantRequest, az as UpdateVendorRequest, v as UploadAssetRequest, a8 as UserGroupAssignment, ae as UserPermissionOverride, R as UserPermissions, U as UserProfile, a7 as UserRoleAssignment, ax as Vendor, at as WebhookDelivery, aq as WebhookEndpoint, au as WebhookTestResult } from './types-XOV9XPVi.js';
+export { IQAUTH_SIGNATURE_HEADER, IQAuthEvent, IQAuthWebhookEvent, LEGACY_SIGNATURE_HEADERS, ParseWebhookEventOptions, VerifyWebhookOptions, WebhookSignatureError, isValidWebhookSignature, parseWebhookEvent, verifyWebhookSignature } from './webhooks.js';
+export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-CGpMRie4.js';
+
+/**
+ * Shared wildcard permission utilities.
+ *
+ * Permission ids are dot-separated keys ("metrics", "metrics.read",
+ * "billing.invoices.delete"). Wildcards are supported in two forms:
+ *
+ * - `*` — matches every permission id (root wildcard).
+ * - `<prefix>.*` — matches `<prefix>` itself AND every descendant
+ *   (`metrics.*` matches `metrics`, `metrics.foo`, `metrics.foo.bar`, …).
+ *
+ * Wildcards may NOT appear in the middle of an id (e.g. `metrics.*.read`
+ * is treated as the literal string `metrics.*.read` and matches nothing
+ * special). Empty strings are ignored.
+ *
+ * The same implementation is meant to be used on BOTH client and server so
+ * the two halves can never drift apart and produce the classic
+ * "user can see the page but every API call 403s" foot-gun.
+ */
+/**
+ * Returns true iff the permission `id` is granted by the given `set` of
+ * granted permissions.
+ *
+ * Concrete ids in `id` (no wildcards in the query) are matched against
+ * concrete entries in the set OR any wildcard entry that covers them.
+ *
+ * Wildcards in the query (`id === "metrics.*"`) match iff there is an
+ * equivalent or broader wildcard in the set (`*` or `metrics.*`).
+ */
+declare function hasPermission(set: Iterable<string> | null | undefined, id: string): boolean;
+/**
+ * Normalizes a permission set: dedupes entries and strips entries already
+ * implied by a broader wildcard. The result is a stable, sorted array.
+ *
+ * Examples:
+ * - `["*", "metrics.read"]` → `["*"]`
+ * - `["metrics.*", "metrics", "metrics.foo"]` → `["metrics.*"]`
+ * - `["metrics.read", "billing.*", "billing.invoices.delete"]`
+ *      → `["billing.*", "metrics.read"]`
+ *
+ * Note: wildcards in the input remain wildcards in the output — the set of
+ * descendants is open-ended and cannot be enumerated. `expandPermissions`
+ * is about *normalization*, not enumeration.
+ */
+declare function expandPermissions(set: Iterable<string> | null | undefined): string[];
+
+export { expandPermissions, hasPermission };