@keycardai/oauth 0.2.0 → 0.4.0

package/dist/cjs/tokenExchange.js

@@ -10,11 +10,23 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchangeClient_clientId, _TokenExchangeClient_clientSecret, _TokenExchangeClient_tokenEndpoint, _TokenExchangeClient_discoveryPromise, _TokenExchangeClient_getTokenEndpoint;
+var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchangeClient_clientId, _TokenExchangeClient_clientSecret, _TokenExchangeClient_credential, _TokenExchangeClient_tokenEndpoint, _TokenExchangeClient_discoveryPromise, _TokenExchangeClient_resolveBasicAuth, _TokenExchangeClient_getTokenEndpoint;
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TokenExchangeClient = void 0;
+exports.TokenExchangeClient = exports.TokenType = void 0;
 const discovery_js_1 = require("./discovery.js");
 const errors_js_1 = require("./errors.js");
+const substituteUser_js_1 = require("./jwt/substituteUser.js");
+// =============================================================================
+// Token Exchange Types (RFC 8693)
+// =============================================================================
+exports.TokenType = {
+    ACCESS_TOKEN: "urn:ietf:params:oauth:token-type:access_token",
+    /**
+     * Vendor URN for substitute-user (impersonation) subject tokens.
+     * Recognized by the Keycard authorization server; not registered with IANA.
+     */
+    SUBSTITUTE_USER: "urn:keycard:params:oauth:token-type:substitute-user",
+};
 // =============================================================================
 // Wire format helpers (camelCase <-> snake_case at the boundary)
 // =============================================================================
@@ -70,20 +82,23 @@ class TokenExchangeClient {
         _TokenExchangeClient_issuerUrl.set(this, void 0);
         _TokenExchangeClient_clientId.set(this, void 0);
         _TokenExchangeClient_clientSecret.set(this, void 0);
+        _TokenExchangeClient_credential.set(this, void 0);
         _TokenExchangeClient_tokenEndpoint.set(this, void 0);
         _TokenExchangeClient_discoveryPromise.set(this, void 0);
         __classPrivateFieldSet(this, _TokenExchangeClient_issuerUrl, issuerUrl, "f");
         __classPrivateFieldSet(this, _TokenExchangeClient_clientId, options?.clientId, "f");
         __classPrivateFieldSet(this, _TokenExchangeClient_clientSecret, options?.clientSecret, "f");
+        __classPrivateFieldSet(this, _TokenExchangeClient_credential, options?.credential, "f");
     }
-    async exchangeToken(request) {
+    async exchangeToken(request, options) {
         const tokenEndpoint = await __classPrivateFieldGet(this, _TokenExchangeClient_instances, "m", _TokenExchangeClient_getTokenEndpoint).call(this);
         const body = serializeRequest(request);
         const headers = {
             "Content-Type": "application/x-www-form-urlencoded",
         };
-        if (__classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f") && __classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f")) {
-            const credentials = btoa(`${__classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f")}:${__classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f")}`);
+        const basicAuth = __classPrivateFieldGet(this, _TokenExchangeClient_instances, "m", _TokenExchangeClient_resolveBasicAuth).call(this, options?.zoneId);
+        if (basicAuth) {
+            const credentials = btoa(`${basicAuth.clientId}:${basicAuth.clientSecret}`);
             headers["Authorization"] = `Basic ${credentials}`;
         }
         const response = await fetch(tokenEndpoint, {
@@ -115,9 +130,32 @@ class TokenExchangeClient {
         const json = await response.json();
         return deserializeResponse(json);
     }
+    async impersonate(req) {
+        if (!req.userIdentifier) {
+            throw new Error("impersonate: userIdentifier is required");
+        }
+        if (!req.resource) {
+            throw new Error("impersonate: resource is required");
+        }
+        const subjectToken = (0, substituteUser_js_1.buildSubstituteUserToken)(req.userIdentifier);
+        return this.exchangeToken({
+            subjectToken,
+            subjectTokenType: exports.TokenType.SUBSTITUTE_USER,
+            resource: req.resource,
+            scope: req.scope,
+        }, { zoneId: req.zoneId });
+    }
 }
 exports.TokenExchangeClient = TokenExchangeClient;
-_TokenExchangeClient_issuerUrl = new WeakMap(), _TokenExchangeClient_clientId = new WeakMap(), _TokenExchangeClient_clientSecret = new WeakMap(), _TokenExchangeClient_tokenEndpoint = new WeakMap(), _TokenExchangeClient_discoveryPromise = new WeakMap(), _TokenExchangeClient_instances = new WeakSet(), _TokenExchangeClient_getTokenEndpoint = async function _TokenExchangeClient_getTokenEndpoint() {
+_TokenExchangeClient_issuerUrl = new WeakMap(), _TokenExchangeClient_clientId = new WeakMap(), _TokenExchangeClient_clientSecret = new WeakMap(), _TokenExchangeClient_credential = new WeakMap(), _TokenExchangeClient_tokenEndpoint = new WeakMap(), _TokenExchangeClient_discoveryPromise = new WeakMap(), _TokenExchangeClient_instances = new WeakSet(), _TokenExchangeClient_resolveBasicAuth = function _TokenExchangeClient_resolveBasicAuth(zoneId) {
+    if (__classPrivateFieldGet(this, _TokenExchangeClient_credential, "f")) {
+        return __classPrivateFieldGet(this, _TokenExchangeClient_credential, "f").getAuth(zoneId);
+    }
+    if (__classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f") && __classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f")) {
+        return { clientId: __classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f"), clientSecret: __classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f") };
+    }
+    return null;
+}, _TokenExchangeClient_getTokenEndpoint = async function _TokenExchangeClient_getTokenEndpoint() {
     if (__classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f")) {
         return __classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f");
     }

package/dist/cjs/tokenExchange.js.map

@@ -1 +1 @@
-{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,iDAAkE;AAClE,2CAAyC;AAkCzC,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAa,mBAAmB;IAO9B,YAAY,SAAiB,EAAE,OAAoC;;QANnE,iDAAmB;QACnB,gDAAmB;QACnB,oDAAuB;QACvB,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,kCAAc,SAAS,MAAA,CAAC;QAC5B,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAA6B;QAC/C,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;YACzC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC,CAAC;YACpE,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,sBAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,sBAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,4CAA4C;YAC9C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;CAqBF;AA7ED,kDA6EC;qVAnBC,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,uBAAA,IAAI,sCAAW,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,sCAAW,uCAAuC,CAAC,CAAC;YACnG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}
+{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,iDAAkE;AAClE,2CAAyC;AAEzC,+DAAmE;AAEnE,gFAAgF;AAChF,kCAAkC;AAClC,gFAAgF;AAEnE,QAAA,SAAS,GAAG;IACvB,YAAY,EAAE,+CAA+C;IAC7D;;;OAGG;IACH,eAAe,EAAE,qDAAqD;CAC9D,CAAC;AAgDX,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAa,mBAAmB;IAQ9B,YAAY,SAAiB,EAAE,OAAoC;;QAPnE,iDAAmB;QACnB,gDAAmB;QACnB,oDAAuB;QACvB,kDAAoC;QACpC,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,kCAAc,SAAS,MAAA,CAAC;QAC5B,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;QAC3C,uBAAA,IAAI,mCAAe,OAAO,EAAE,UAAU,MAAA,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,OAA6B,EAC7B,OAAyB;QAEzB,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,MAAM,SAAS,GAAG,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,EAAmB,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;YAC5E,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,sBAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,sBAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,4CAA4C;YAC9C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAuB;QACvC,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,YAAY,GAAG,IAAA,4CAAwB,EAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC,aAAa,CACvB;YACE,YAAY;YACZ,gBAAgB,EAAE,iBAAS,CAAC,eAAe;YAC3C,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,EACD,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CACvB,CAAC;IACJ,CAAC;CAiCF;AAlHD,kDAkHC;qbA9BG,MAA0B;IAE1B,IAAI,uBAAA,IAAI,uCAAY,EAAE,CAAC;QACrB,OAAO,uBAAA,IAAI,uCAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;QACzC,OAAO,EAAE,QAAQ,EAAE,uBAAA,IAAI,qCAAU,EAAE,YAAY,EAAE,uBAAA,IAAI,yCAAc,EAAE,CAAC;IACxE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,0CAED,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,uBAAA,IAAI,sCAAW,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,sCAAW,uCAAuC,CAAC,CAAC;YACnG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}

package/dist/esm/credentials.d.ts

@@ -0,0 +1,22 @@
+import type { TokenExchangeRequest } from "./tokenExchange.js";
+/**
+ * Common interface for application-level credentials used in token exchange.
+ *
+ * Implementations live in downstream packages (@keycardai/mcp, @keycardai/cloudflare)
+ * because they depend on platform-specific APIs (Node.js fs, Cloudflare Workers, etc.).
+ *
+ * The optional `zoneId` parameter routes per-zone credentials in multi-zone deployments.
+ * Implementations that ignore the zone (single-zone) are accepted by the interface.
+ */
+export interface ApplicationCredential {
+    getAuth(zoneId?: string): {
+        clientId: string;
+        clientSecret: string;
+    } | null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string, options?: {
+        tokenEndpoint?: string;
+        authInfo?: Record<string, string>;
+        zoneId?: string;
+    }): Promise<TokenExchangeRequest>;
+}
+//# sourceMappingURL=credentials.d.ts.map

package/dist/esm/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/D;;;;;;;;GAQG;AACH,MAAM,WAAW,qBAAqB;IACpC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC5E,2BAA2B,CACzB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GACvF,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAClC"}

package/dist/esm/credentials.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=credentials.js.map

package/dist/esm/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":""}

package/dist/esm/errors.d.ts

@@ -16,4 +16,27 @@ export declare class InvalidTokenError extends OAuthError {
 export declare class InsufficientScopeError extends OAuthError {
     constructor(message: string, errorUri?: string);
 }
+export type ErrorDetail = {
+    message: string;
+    code?: string;
+    description?: string;
+    rawError?: string;
+};
+export type ResourceAccessErrorType = "global_error" | "resource_error" | "missing_token";
+export interface ResourceAccessErrorOptions {
+    resource?: string;
+    errorType?: ResourceAccessErrorType;
+    availableResources?: readonly string[];
+    errorDetails?: ErrorDetail | null;
+}
+export declare class ResourceAccessError extends Error {
+    readonly resource?: string;
+    readonly errorType?: ResourceAccessErrorType;
+    readonly availableResources?: readonly string[];
+    readonly errorDetails: ErrorDetail | null;
+    constructor(message?: string, options?: ResourceAccessErrorOptions);
+}
+export declare class AuthProviderConfigurationError extends Error {
+    constructor(message?: string);
+}
 //# sourceMappingURL=errors.d.ts.map

package/dist/esm/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAU,SAAQ,KAAK;gBAEhC,OAAO,EAAE,MAAM;CAIlB;AAED,qBAAa,eAAgB,SAAQ,SAAS;CAC7C;AAED,qBAAa,iBAAkB,SAAQ,SAAS;CAC/C;AAED,qBAAa,UAAW,SAAQ,KAAK;aAEjB,SAAS,EAAE,MAAM;aAEjB,QAAQ,CAAC,EAAE,MAAM;gBAFjB,SAAS,EAAE,MAAM,EACjC,OAAO,EAAE,MAAM,EACC,QAAQ,CAAC,EAAE,MAAM,YAAA;CAIpC;AAED,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED,qBAAa,sBAAuB,SAAQ,UAAU;gBACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAU,SAAQ,KAAK;gBAEhC,OAAO,EAAE,MAAM;CAIlB;AAED,qBAAa,eAAgB,SAAQ,SAAS;CAC7C;AAED,qBAAa,iBAAkB,SAAQ,SAAS;CAC/C;AAED,qBAAa,UAAW,SAAQ,KAAK;aAEjB,SAAS,EAAE,MAAM;aAEjB,QAAQ,CAAC,EAAE,MAAM;gBAFjB,SAAS,EAAE,MAAM,EACjC,OAAO,EAAE,MAAM,EACC,QAAQ,CAAC,EAAE,MAAM,YAAA;CAIpC;AAED,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED,qBAAa,sBAAuB,SAAQ,UAAU;gBACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAC/B,cAAc,GACd,gBAAgB,GAChB,eAAe,CAAC;AAEpB,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,uBAAuB,CAAC;IACpC,kBAAkB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,YAAY,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACnC;AAED,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,CAAC,EAAE,uBAAuB,CAAC;IAC7C,QAAQ,CAAC,kBAAkB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAChD,QAAQ,CAAC,YAAY,EAAE,WAAW,GAAG,IAAI,CAAC;gBAE9B,OAAO,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;CAQnE;AA4BD,qBAAa,8BAA+B,SAAQ,KAAK;gBAC3C,OAAO,CAAC,EAAE,MAAM;CAI7B"}

package/dist/esm/errors.js

@@ -24,4 +24,43 @@ export class InsufficientScopeError extends OAuthError {
         super("insufficient_scope", message, errorUri);
     }
 }
+export class ResourceAccessError extends Error {
+    constructor(message, options) {
+        super(message ?? buildResourceAccessMessage(options));
+        this.name = "ResourceAccessError";
+        this.resource = options?.resource;
+        this.errorType = options?.errorType;
+        this.availableResources = options?.availableResources;
+        this.errorDetails = options?.errorDetails ?? null;
+    }
+}
+function buildResourceAccessMessage(options) {
+    if (!options?.errorType) {
+        return "Resource access denied or token not available";
+    }
+    const { resource, errorType, availableResources, errorDetails } = options;
+    const label = resource ? `'${resource}'` : "resource";
+    switch (errorType) {
+        case "global_error": {
+            const inner = errorDetails?.message ?? "Unknown global error";
+            return `Cannot access resource ${label}: global authentication error. ${inner}`;
+        }
+        case "resource_error": {
+            const inner = errorDetails?.message ?? "Unknown resource error";
+            return `Cannot access resource ${label}: ${inner}`;
+        }
+        case "missing_token": {
+            const list = availableResources && availableResources.length > 0
+                ? ` Available: ${availableResources.join(", ")}.`
+                : "";
+            return `No access token available for resource ${label}.${list}`;
+        }
+    }
+}
+export class AuthProviderConfigurationError extends Error {
+    constructor(message) {
+        super(message ?? "AuthProvider configuration is invalid");
+        this.name = "AuthProviderConfigurationError";
+    }
+}
 //# sourceMappingURL=errors.js.map

package/dist/esm/errors.js.map

@@ -1 +1 @@
-{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClC,YACE,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAED,MAAM,OAAO,eAAgB,SAAQ,SAAS;CAC7C;AAED,MAAM,OAAO,iBAAkB,SAAQ,SAAS;CAC/C;AAED,MAAM,OAAO,UAAW,SAAQ,KAAK;IACnC,YACkB,SAAiB,EACjC,OAAe,EACC,QAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,cAAS,GAAT,SAAS,CAAQ;QAEjB,aAAQ,GAAR,QAAQ,CAAS;IAGnC,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAED,MAAM,OAAO,sBAAuB,SAAQ,UAAU;IACpD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;CACF"}
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClC,YACE,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAED,MAAM,OAAO,eAAgB,SAAQ,SAAS;CAC7C;AAED,MAAM,OAAO,iBAAkB,SAAQ,SAAS;CAC/C;AAED,MAAM,OAAO,UAAW,SAAQ,KAAK;IACnC,YACkB,SAAiB,EACjC,OAAe,EACC,QAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,cAAS,GAAT,SAAS,CAAQ;QAEjB,aAAQ,GAAR,QAAQ,CAAS;IAGnC,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAED,MAAM,OAAO,sBAAuB,SAAQ,UAAU;IACpD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;CACF;AAqBD,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAM5C,YAAY,OAAgB,EAAE,OAAoC;QAChE,KAAK,CAAC,OAAO,IAAI,0BAA0B,CAAC,OAAO,CAAC,CAAC,CAAC;QACtD,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,CAAC;QAClC,IAAI,CAAC,SAAS,GAAG,OAAO,EAAE,SAAS,CAAC;QACpC,IAAI,CAAC,kBAAkB,GAAG,OAAO,EAAE,kBAAkB,CAAC;QACtD,IAAI,CAAC,YAAY,GAAG,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC;IACpD,CAAC;CACF;AAED,SAAS,0BAA0B,CAAC,OAAoC;IACtE,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,CAAC;QACxB,OAAO,+CAA+C,CAAC;IACzD,CAAC;IACD,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,kBAAkB,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC;IAC1E,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC;IAEtD,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,KAAK,GAAG,YAAY,EAAE,OAAO,IAAI,sBAAsB,CAAC;YAC9D,OAAO,0BAA0B,KAAK,kCAAkC,KAAK,EAAE,CAAC;QAClF,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,MAAM,KAAK,GAAG,YAAY,EAAE,OAAO,IAAI,wBAAwB,CAAC;YAChE,OAAO,0BAA0B,KAAK,KAAK,KAAK,EAAE,CAAC;QACrD,CAAC;QACD,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,MAAM,IAAI,GACR,kBAAkB,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC;gBACjD,CAAC,CAAC,eAAe,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;gBACjD,CAAC,CAAC,EAAE,CAAC;YACT,OAAO,0CAA0C,KAAK,IAAI,IAAI,EAAE,CAAC;QACnE,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,OAAO,8BAA+B,SAAQ,KAAK;IACvD,YAAY,OAAgB;QAC1B,KAAK,CAAC,OAAO,IAAI,uCAAuC,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,GAAG,gCAAgC,CAAC;IAC/C,CAAC;CACF"}

package/dist/esm/index.d.ts

@@ -3,10 +3,14 @@ export { JWKSOAuthKeyring } from "./keyring.js";
 export { default as base64url } from "./base64url.js";
 export { fetchAuthorizationServerMetadata } from "./discovery.js";
 export type { OAuthAuthorizationServerMetadata } from "./discovery.js";
-export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError } from "./errors.js";
+export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError, ResourceAccessError, AuthProviderConfigurationError, } from "./errors.js";
 export { JWTSigner } from "./jwt/signer.js";
 export type { JWTClaims } from "./jwt/signer.js";
 export { JWTVerifier } from "./jwt/verifier.js";
-export { TokenExchangeClient } from "./tokenExchange.js";
-export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions } from "./tokenExchange.js";
+export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
+export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
+export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions, ExchangeOptions, ImpersonateRequest, } from "./tokenExchange.js";
+export type { ApplicationCredential } from "./credentials.js";
+export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
+export type { ErrorDetail, AccessContextStatus, AccessToken, TokenVerifierOptions, ClientSecretCredentials, } from "./server/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC"}

package/dist/esm/index.js

@@ -1,8 +1,10 @@
 export { JWKSOAuthKeyring } from "./keyring.js";
 export { default as base64url } from "./base64url.js";
 export { fetchAuthorizationServerMetadata } from "./discovery.js";
-export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError } from "./errors.js";
+export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError, ResourceAccessError, AuthProviderConfigurationError, } from "./errors.js";
 export { JWTSigner } from "./jwt/signer.js";
 export { JWTVerifier } from "./jwt/verifier.js";
-export { TokenExchangeClient } from "./tokenExchange.js";
+export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
+export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
+export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
 //# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AASpE,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/esm/jwt/substituteUser.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Build the substitute-user assertion sent as the `subject_token` of an
+ * impersonation token exchange (RFC 8693, Keycard vendor extension).
+ *
+ * This is NOT a signed JWT and is NOT a general-purpose JWT builder. The
+ * assertion's `alg: "none"` is intentional: the Keycard authorization server
+ * trusts the call by validating the requesting client's credentials and the
+ * vendor URN `urn:keycard:params:oauth:token-type:substitute-user`, not the
+ * subject token's signature. Authority comes from the calling application's
+ * client credentials plus the impersonation policy on the AS.
+ *
+ * For signing arbitrary JWTs, use `JWTSigner` from `@keycardai/oauth/jwt/signer`.
+ */
+export declare function buildSubstituteUserToken(identifier: string): string;
+//# sourceMappingURL=substituteUser.d.ts.map

package/dist/esm/jwt/substituteUser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"substituteUser.d.ts","sourceRoot":"","sources":["../../../src/jwt/substituteUser.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAOnE"}

package/dist/esm/jwt/substituteUser.js

@@ -0,0 +1,26 @@
+const SUBSTITUTE_USER_HEADER = { typ: "vnd.kc.su+jwt", alg: "none" };
+/**
+ * Build the substitute-user assertion sent as the `subject_token` of an
+ * impersonation token exchange (RFC 8693, Keycard vendor extension).
+ *
+ * This is NOT a signed JWT and is NOT a general-purpose JWT builder. The
+ * assertion's `alg: "none"` is intentional: the Keycard authorization server
+ * trusts the call by validating the requesting client's credentials and the
+ * vendor URN `urn:keycard:params:oauth:token-type:substitute-user`, not the
+ * subject token's signature. Authority comes from the calling application's
+ * client credentials plus the impersonation policy on the AS.
+ *
+ * For signing arbitrary JWTs, use `JWTSigner` from `@keycardai/oauth/jwt/signer`.
+ */
+export function buildSubstituteUserToken(identifier) {
+    if (!identifier) {
+        throw new Error("identifier is required");
+    }
+    const header = btoau(JSON.stringify(SUBSTITUTE_USER_HEADER));
+    const payload = btoau(JSON.stringify({ sub: identifier }));
+    return `${header}.${payload}.`;
+}
+function btoau(str) {
+    return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+//# sourceMappingURL=substituteUser.js.map

package/dist/esm/jwt/substituteUser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"substituteUser.js","sourceRoot":"","sources":["../../../src/jwt/substituteUser.ts"],"names":[],"mappings":"AAAA,MAAM,sBAAsB,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AAErE;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,wBAAwB,CAAC,UAAkB;IACzD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IACD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;IAC3D,OAAO,GAAG,MAAM,IAAI,OAAO,GAAG,CAAC;AACjC,CAAC;AAED,SAAS,KAAK,CAAC,GAAW;IACxB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC7E,CAAC"}

package/dist/esm/jwt/verifier.d.ts

@@ -1,8 +1,29 @@
 import { OAuthKeyring } from "../keyring.js";
 import type { JWTClaims } from "./signer.js";
+export interface JWTVerifierOptions {
+    /**
+     * Issuer(s) this verifier will accept. The `iss` claim in a presented token
+     * must exactly match (string equality) one of these values. Tokens with any
+     * other issuer are rejected before any key lookup or network I/O runs.
+     */
+    issuers: string | readonly string[];
+    /**
+     * Audience(s) the token must be intended for. When configured, the token's
+     * `aud` claim must be present and contain at least one of these values.
+     * When omitted, audience is not validated.
+     */
+    audiences?: string | readonly string[];
+    /**
+     * Allowed JWT algorithms. Defaults to `["RS256"]`. The `alg` header of a
+     * presented token must be a member. `"none"` is always rejected. Values
+     * must be in the set the verifier actually implements (currently only
+     * `"RS256"`).
+     */
+    algorithms?: readonly string[];
+}
 export declare class JWTVerifier {
     #private;
-    constructor(keyring: OAuthKeyring);
+    constructor(keyring: OAuthKeyring, options: JWTVerifierOptions);
     verify(token: string): Promise<JWTClaims>;
 }
 //# sourceMappingURL=verifier.d.ts.map

package/dist/esm/jwt/verifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,qBAAa,WAAW;;gBAGV,OAAO,EAAE,YAAY;IAI3B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA2BhD"}
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA4FhD"}

package/dist/esm/jwt/verifier.js

@@ -9,25 +9,117 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _JWTVerifier_keyring;
+var _JWTVerifier_keyring, _JWTVerifier_issuers, _JWTVerifier_audiences, _JWTVerifier_algorithms;
 import { InvalidTokenError } from "../errors.js";
 import base64url from "../base64url.js";
+// The single `crypto.subtle.verify` call in `verify()` is hardcoded to
+// RSASSA-PKCS1-v1_5 + SHA-256, so the `algorithms` option is only meaningful
+// as an allowlist that's a subset of what we actually implement. Used both
+// as the default when the option is omitted and to validate user-supplied
+// values at construction time.
+const SUPPORTED_ALGORITHMS = ["RS256"];
+const SUPPORTED_ALGORITHM_SET = new Set(SUPPORTED_ALGORITHMS);
 export class JWTVerifier {
-    constructor(keyring) {
+    constructor(keyring, options) {
         _JWTVerifier_keyring.set(this, void 0);
+        _JWTVerifier_issuers.set(this, void 0);
+        _JWTVerifier_audiences.set(this, void 0);
+        _JWTVerifier_algorithms.set(this, void 0);
+        const rawIssuers = typeof options?.issuers === "string" ? [options.issuers] : options?.issuers ?? [];
+        if (rawIssuers.length === 0) {
+            throw new Error("JWTVerifier requires at least one trusted issuer");
+        }
+        const rawAudiences = typeof options.audiences === "string"
+            ? [options.audiences]
+            : options.audiences ?? [];
+        const rawAlgorithms = options.algorithms ?? SUPPORTED_ALGORITHMS;
+        for (const alg of rawAlgorithms) {
+            if (!SUPPORTED_ALGORITHM_SET.has(alg)) {
+                throw new Error(`JWTVerifier does not implement signature verification for "${alg}". ` +
+                    `Supported: ${SUPPORTED_ALGORITHMS.join(", ")}.`);
+            }
+        }
         __classPrivateFieldSet(this, _JWTVerifier_keyring, keyring, "f");
+        __classPrivateFieldSet(this, _JWTVerifier_issuers, new Set(rawIssuers), "f");
+        // An empty `audiences` list means "unconfigured" — matches the ergonomic
+        // intent of passing `audiences: []`. A non-empty list switches audience
+        // validation on; a missing `aud` fails closed.
+        __classPrivateFieldSet(this, _JWTVerifier_audiences, rawAudiences.length > 0 ? new Set(rawAudiences) : undefined, "f");
+        __classPrivateFieldSet(this, _JWTVerifier_algorithms, new Set(rawAlgorithms), "f");
     }
     async verify(token) {
-        const [header, payload, signature, ...rest] = token.split('.');
-        const jsonHeader = JSON.parse(autob(header));
-        const jsonPayload = JSON.parse(autob(payload));
+        const parts = token.split(".");
+        if (parts.length !== 3) {
+            throw new InvalidTokenError("Malformed JWT");
+        }
+        const [header, payload, signature] = parts;
+        let jsonHeader;
+        let jsonPayload;
+        try {
+            jsonHeader = JSON.parse(autob(header));
+            jsonPayload = JSON.parse(autob(payload));
+        }
+        catch {
+            throw new InvalidTokenError("Malformed JWT");
+        }
+        // Algorithm allowlist. Reject "none" and anything outside the allowlist
+        // before any other work.
+        if (!jsonHeader.alg || jsonHeader.alg === "none" || !__classPrivateFieldGet(this, _JWTVerifier_algorithms, "f").has(jsonHeader.alg)) {
+            throw new InvalidTokenError(`Unsupported JWT algorithm: ${jsonHeader.alg ?? "none"}`);
+        }
+        // Issuer allowlist. Rejected BEFORE any keyring call — guarantees a token
+        // with an attacker-controlled `iss` can't trigger discovery against an
+        // untrusted URL.
         if (!jsonPayload.iss) {
             throw new InvalidTokenError("JWT missing issuer (iss) claim");
         }
+        if (!__classPrivateFieldGet(this, _JWTVerifier_issuers, "f").has(jsonPayload.iss)) {
+            throw new InvalidTokenError("Untrusted issuer");
+        }
+        // Required claims per RFC 9068 § 2.2. Reject NaN / Infinity explicitly —
+        // `typeof NaN === "number"` passes the type check but would make every
+        // comparison below false (and with `exp: NaN` that means effectively no
+        // expiration).
+        if (!Number.isFinite(jsonPayload.exp)) {
+            throw new InvalidTokenError("JWT missing expiration (exp) claim");
+        }
+        if (!jsonPayload.client_id) {
+            throw new InvalidTokenError("JWT missing client_id claim");
+        }
+        // Time-based claims.
+        const now = Math.floor(Date.now() / 1000);
+        if (now > jsonPayload.exp) {
+            throw new InvalidTokenError("Token expired");
+        }
+        if (jsonPayload.nbf !== undefined) {
+            if (!Number.isFinite(jsonPayload.nbf)) {
+                throw new InvalidTokenError("JWT has invalid not-before (nbf) claim");
+            }
+            if (now < jsonPayload.nbf) {
+                throw new InvalidTokenError("Token not yet valid");
+            }
+        }
+        // Audience check, if configured. Missing `aud` fails closed when audiences
+        // are required — matches RFC 8707 resource-indicator expectations.
+        if (__classPrivateFieldGet(this, _JWTVerifier_audiences, "f")) {
+            const aud = jsonPayload.aud;
+            if (aud === undefined) {
+                throw new InvalidTokenError("JWT missing audience (aud) claim");
+            }
+            const audValues = Array.isArray(aud) ? aud : [aud];
+            const matched = audValues.some((a) => __classPrivateFieldGet(this, _JWTVerifier_audiences, "f").has(a));
+            if (!matched) {
+                throw new InvalidTokenError("Audience mismatch");
+            }
+        }
+        // Only after all cheap policy checks do we touch the keyring.
+        if (!jsonHeader.kid) {
+            throw new InvalidTokenError("JWT missing key id (kid) header");
+        }
         const key = await __classPrivateFieldGet(this, _JWTVerifier_keyring, "f").key(jsonPayload.iss, jsonHeader.kid);
         const verified = await crypto.subtle.verify({
-            name: 'RSASSA-PKCS1-v1_5',
-            hash: { name: 'SHA-256' },
+            name: "RSASSA-PKCS1-v1_5",
+            hash: { name: "SHA-256" },
         }, key, base64url.decode(signature), new TextEncoder().encode(`${header}.${payload}`));
         if (!verified) {
             throw new InvalidTokenError("Invalid signature");
@@ -35,8 +127,8 @@ export class JWTVerifier {
         return jsonPayload;
     }
 }
-_JWTVerifier_keyring = new WeakMap();
+_JWTVerifier_keyring = new WeakMap(), _JWTVerifier_issuers = new WeakMap(), _JWTVerifier_audiences = new WeakMap(), _JWTVerifier_algorithms = new WeakMap();
 function autob(data) {
-    return atob(data.replace(/-/g, '+').replace(/_/g, '/'));
+    return atob(data.replace(/-/g, "+").replace(/_/g, "/"));
 }
 //# sourceMappingURL=verifier.js.map

package/dist/esm/jwt/verifier.js.map

@@ -1 +1 @@
-{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,SAAS,MAAM,iBAAiB,CAAC;AAGxC,MAAM,OAAO,WAAW;IAGtB,YAAY,OAAqB;QAFjC,uCAAuB;QAGrB,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE/D,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAc,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAE1D,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,SAAS,MAAM,iBAAiB,CAAC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAM,OAAO,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAAC,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,iBAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,yEAAyE;QACzE,uEAAuE;QACvE,wEAAwE;QACxE,eAAe;QACf,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,oCAAoC,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,iBAAiB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QAED,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,iBAAiB,CAAC,wCAAwC,CAAC,CAAC;YACxE,CAAC;YACD,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;gBACtC,MAAM,IAAI,iBAAiB,CAAC,qBAAqB,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,mEAAmE;QACnE,IAAI,uBAAA,IAAI,8BAAW,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC;YAC5B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACtB,MAAM,IAAI,iBAAiB,CAAC,kCAAkC,CAAC,CAAC;YAClE,CAAC;YACD,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAA,IAAI,8BAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YACpB,MAAM,IAAI,iBAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}

package/dist/esm/keyring.d.ts

@@ -22,5 +22,11 @@ export declare class JWKSOAuthKeyring implements OAuthKeyring {
     constructor(options?: JWKSOAuthKeyringOptions);
     key(issuer: string, kid: string): Promise<CryptoKey>;
     invalidate(issuer: string, kid: string): void;
+    /**
+     * Drops all cached keys, JWKS URI discoveries, and inflight resolutions.
+     * Use after a global key rotation when targeted `invalidate(issuer, kid)`
+     * is impractical. Subsequent `key()` calls re-discover and re-fetch.
+     */
+    clear(): void;
 }
 //# sourceMappingURL=keyring.d.ts.map

package/dist/esm/keyring.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;CA4H9C"}
+{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;IAQ7C;;;;OAIG;IACH,KAAK,IAAI,IAAI;CA2Hd"}

package/dist/esm/keyring.js

@@ -76,6 +76,17 @@ export class JWKSOAuthKeyring {
         __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").delete(issuer);
         __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
     }
+    /**
+     * Drops all cached keys, JWKS URI discoveries, and inflight resolutions.
+     * Use after a global key rotation when targeted `invalidate(issuer, kid)`
+     * is impractical. Subsequent `key()` calls re-discover and re-fetch.
+     */
+    clear() {
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").clear();
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").clear();
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").clear();
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").clear();
+    }
 }
 _JWKSOAuthKeyring_keyTtlMs = new WeakMap(), _JWKSOAuthKeyring_discoveryTtlMs = new WeakMap(), _JWKSOAuthKeyring_fetchTimeoutMs = new WeakMap(), _JWKSOAuthKeyring_discoveryCache = new WeakMap(), _JWKSOAuthKeyring_keyCache = new WeakMap(), _JWKSOAuthKeyring_discoveryInflight = new WeakMap(), _JWKSOAuthKeyring_keyInflight = new WeakMap(), _JWKSOAuthKeyring_instances = new WeakSet(), _JWKSOAuthKeyring_resolveJwksUri = 
 // -------------------------------------------------------

package/dist/esm/keyring.js.map

@@ -1 +1 @@
-{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAyBlE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAM,OAAO,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;CAsHF;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}
+{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAyBlE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAM,OAAO,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACH,KAAK;QACH,uBAAA,IAAI,kCAAU,CAAC,KAAK,EAAE,CAAC;QACvB,uBAAA,IAAI,qCAAa,CAAC,KAAK,EAAE,CAAC;QAC1B,uBAAA,IAAI,wCAAgB,CAAC,KAAK,EAAE,CAAC;QAC7B,uBAAA,IAAI,2CAAmB,CAAC,KAAK,EAAE,CAAC;IAClC,CAAC;CAsHF;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}