@keycardai/oauth 0.3.0 → 0.4.1

package/README.md

@@ -1,6 +1,10 @@
 # @keycardai/oauth
 
-Pure OAuth 2.0 primitives for Keycard — JWKS key management, JWT signing/verification, authorization server discovery, and token exchange. **Zero MCP dependencies.**
+> **Preview.** This SDK has not reached parity with the Keycard Python
+> SDK. APIs may change between minor versions. The preview label will
+> be removed once feature parity is reached.
+
+OAuth 2.0 primitives for Keycard: JWKS key management, JWT signing and verification, authorization server discovery, RFC 8693 token exchange (including impersonation), and server-tier primitives (`AccessContext`, `TokenVerifier`, `ClientSecret`) with multi-zone support. **Zero MCP dependencies.**
 
 This is the foundational layer of the [Keycard TypeScript SDK](../../README.md). If you're building an MCP server, you probably want [`@keycardai/mcp`](../mcp/) instead, which includes this package as a dependency.
 
@@ -68,6 +72,70 @@ const response = await client.exchangeToken({
 console.log(response.accessToken);
 ```
 
+### Impersonation (substitute-user token exchange)
+
+```typescript
+import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";
+
+const client = new TokenExchangeClient("https://your-zone.keycard.cloud", {
+  clientId: "your-client-id",
+  clientSecret: "your-client-secret",
+});
+
+const response = await client.impersonate({
+  userIdentifier: "user@example.com",
+  resource: "https://graph.microsoft.com",
+});
+
+console.log(response.accessToken);
+```
+
+Impersonation is a privileged operation gated by Keycard policy. The calling
+application authenticates via client credentials, and the impersonated user
+must have a delegated grant for the target resource.
+
+### Multi-Zone Credentials
+
+```typescript
+import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";
+import { ClientSecret } from "@keycardai/oauth/server";
+
+const credential = new ClientSecret({
+  "zone-a": ["client-id-a", "client-secret-a"],
+  "zone-b": ["client-id-b", "client-secret-b"],
+});
+
+const client = new TokenExchangeClient("https://keycard.cloud", { credential });
+
+const response = await client.exchangeToken(
+  { subjectToken: userToken, resource: "https://api.example.com" },
+  { zoneId: "zone-a" },
+);
+```
+
+### Server-tier Token Verification
+
+```typescript
+import { TokenVerifier } from "@keycardai/oauth/server";
+
+const verifier = new TokenVerifier({
+  issuer: "https://your-zone.keycard.cloud",
+  requiredScopes: ["read"],
+  audience: "https://api.example.com",
+});
+
+const accessToken = await verifier.verifyToken(bearerToken);
+if (!accessToken) {
+  // 401 Unauthorized
+}
+console.log(accessToken.clientId, accessToken.scopes);
+```
+
+`verifyToken` returns `AccessToken | null`. Verification failures (bad signature,
+expired token, missing scope, audience mismatch) return `null`; callers map that
+to an HTTP 401. `verifyTokenForZone(token, zoneId)` enables per-zone validation
+when the verifier is constructed with `enableMultiZone: true`.
+
 ## API Overview
 
 ### JWKS Key Management
@@ -91,7 +159,19 @@ console.log(response.accessToken);
 | Export | Import Path | Description |
 |---|---|---|
 | `fetchAuthorizationServerMetadata` | `@keycardai/oauth/discovery` | Fetches `.well-known/oauth-authorization-server` metadata |
-| `TokenExchangeClient` | `@keycardai/oauth/tokenExchange` | RFC 8693 token exchange client with auto-discovery |
+| `TokenExchangeClient` | `@keycardai/oauth/tokenExchange` | RFC 8693 token exchange client with auto-discovery, plus `impersonate()` for substitute-user exchange |
+| `TokenType` | `@keycardai/oauth/tokenExchange` | URN constants: `ACCESS_TOKEN`, `SUBSTITUTE_USER` |
+| `buildSubstituteUserToken` | `@keycardai/oauth/jwt/substituteUser` | Builds the unsigned subject JWT for impersonation calls |
+
+### Server-tier Primitives
+
+| Export | Import Path | Description |
+|---|---|---|
+| `TokenVerifier` | `@keycardai/oauth/server` | High-level JWT verifier with JWKS discovery, multi-zone, audience and scope validation; returns `AccessToken \| null` |
+| `AccessToken` (type) | `@keycardai/oauth/server` | Verified token shape (`token`, `clientId`, `scopes`, `expiresAt?`, `resource?`) |
+| `AccessContext` | `@keycardai/oauth/server` | Non-throwing per-resource token container with partial-error tracking |
+| `ClientSecret` | `@keycardai/oauth/server` | Application credential provider; supports `(clientId, clientSecret)`, tuple, or `Record<zoneId, [id, secret]>` |
+| `ApplicationCredential` (type) | `@keycardai/oauth/credentials` | Interface for credential providers |
 
 ### Errors
 
@@ -103,6 +183,8 @@ console.log(response.accessToken);
 | `OAuthError` | `@keycardai/oauth/errors` | OAuth error with error code and URI |
 | `InvalidTokenError` | `@keycardai/oauth/errors` | Token validation failure |
 | `InsufficientScopeError` | `@keycardai/oauth/errors` | Missing required scopes |
+| `ResourceAccessError` | `@keycardai/oauth/errors` | Thrown by `AccessContext.access()` on missing or failed resource |
+| `AuthProviderConfigurationError` | `@keycardai/oauth/errors` | Configuration guard for auth providers |
 
 ### Utilities
 

package/dist/cjs/credentials.d.ts

@@ -4,15 +4,19 @@ import type { TokenExchangeRequest } from "./tokenExchange.js";
  *
  * Implementations live in downstream packages (@keycardai/mcp, @keycardai/cloudflare)
  * because they depend on platform-specific APIs (Node.js fs, Cloudflare Workers, etc.).
+ *
+ * The optional `zoneId` parameter routes per-zone credentials in multi-zone deployments.
+ * Implementations that ignore the zone (single-zone) are accepted by the interface.
  */
 export interface ApplicationCredential {
-    getAuth(): {
+    getAuth(zoneId?: string): {
         clientId: string;
         clientSecret: string;
     } | null;
     prepareTokenExchangeRequest(subjectToken: string, resource: string, options?: {
         tokenEndpoint?: string;
         authInfo?: Record<string, string>;
+        zoneId?: string;
     }): Promise<TokenExchangeRequest>;
 }
 //# sourceMappingURL=credentials.d.ts.map

package/dist/cjs/credentials.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/D;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,OAAO,IAAI;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC7D,2BAA2B,CACzB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACtE,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAClC"}
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/D;;;;;;;;GAQG;AACH,MAAM,WAAW,qBAAqB;IACpC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC5E,2BAA2B,CACzB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GACvF,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAClC"}

package/dist/cjs/errors.d.ts

@@ -16,4 +16,27 @@ export declare class InvalidTokenError extends OAuthError {
 export declare class InsufficientScopeError extends OAuthError {
     constructor(message: string, errorUri?: string);
 }
+export type ErrorDetail = {
+    message: string;
+    code?: string;
+    description?: string;
+    rawError?: string;
+};
+export type ResourceAccessErrorType = "global_error" | "resource_error" | "missing_token";
+export interface ResourceAccessErrorOptions {
+    resource?: string;
+    errorType?: ResourceAccessErrorType;
+    availableResources?: readonly string[];
+    errorDetails?: ErrorDetail | null;
+}
+export declare class ResourceAccessError extends Error {
+    readonly resource?: string;
+    readonly errorType?: ResourceAccessErrorType;
+    readonly availableResources?: readonly string[];
+    readonly errorDetails: ErrorDetail | null;
+    constructor(message?: string, options?: ResourceAccessErrorOptions);
+}
+export declare class AuthProviderConfigurationError extends Error {
+    constructor(message?: string);
+}
 //# sourceMappingURL=errors.d.ts.map

package/dist/cjs/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAU,SAAQ,KAAK;gBAEhC,OAAO,EAAE,MAAM;CAIlB;AAED,qBAAa,eAAgB,SAAQ,SAAS;CAC7C;AAED,qBAAa,iBAAkB,SAAQ,SAAS;CAC/C;AAED,qBAAa,UAAW,SAAQ,KAAK;aAEjB,SAAS,EAAE,MAAM;aAEjB,QAAQ,CAAC,EAAE,MAAM;gBAFjB,SAAS,EAAE,MAAM,EACjC,OAAO,EAAE,MAAM,EACC,QAAQ,CAAC,EAAE,MAAM,YAAA;CAIpC;AAED,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED,qBAAa,sBAAuB,SAAQ,UAAU;gBACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAU,SAAQ,KAAK;gBAEhC,OAAO,EAAE,MAAM;CAIlB;AAED,qBAAa,eAAgB,SAAQ,SAAS;CAC7C;AAED,qBAAa,iBAAkB,SAAQ,SAAS;CAC/C;AAED,qBAAa,UAAW,SAAQ,KAAK;aAEjB,SAAS,EAAE,MAAM;aAEjB,QAAQ,CAAC,EAAE,MAAM;gBAFjB,SAAS,EAAE,MAAM,EACjC,OAAO,EAAE,MAAM,EACC,QAAQ,CAAC,EAAE,MAAM,YAAA;CAIpC;AAED,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED,qBAAa,sBAAuB,SAAQ,UAAU;gBACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAC/B,cAAc,GACd,gBAAgB,GAChB,eAAe,CAAC;AAEpB,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,uBAAuB,CAAC;IACpC,kBAAkB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,YAAY,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACnC;AAED,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,CAAC,EAAE,uBAAuB,CAAC;IAC7C,QAAQ,CAAC,kBAAkB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAChD,QAAQ,CAAC,YAAY,EAAE,WAAW,GAAG,IAAI,CAAC;gBAE9B,OAAO,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;CAQnE;AA4BD,qBAAa,8BAA+B,SAAQ,KAAK;gBAC3C,OAAO,CAAC,EAAE,MAAM;CAI7B"}

package/dist/cjs/errors.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = void 0;
+exports.AuthProviderConfigurationError = exports.ResourceAccessError = exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = void 0;
 class HTTPError extends Error {
     constructor(message) {
         super(message);
@@ -33,4 +33,45 @@ class InsufficientScopeError extends OAuthError {
     }
 }
 exports.InsufficientScopeError = InsufficientScopeError;
+class ResourceAccessError extends Error {
+    constructor(message, options) {
+        super(message ?? buildResourceAccessMessage(options));
+        this.name = "ResourceAccessError";
+        this.resource = options?.resource;
+        this.errorType = options?.errorType;
+        this.availableResources = options?.availableResources;
+        this.errorDetails = options?.errorDetails ?? null;
+    }
+}
+exports.ResourceAccessError = ResourceAccessError;
+function buildResourceAccessMessage(options) {
+    if (!options?.errorType) {
+        return "Resource access denied or token not available";
+    }
+    const { resource, errorType, availableResources, errorDetails } = options;
+    const label = resource ? `'${resource}'` : "resource";
+    switch (errorType) {
+        case "global_error": {
+            const inner = errorDetails?.message ?? "Unknown global error";
+            return `Cannot access resource ${label}: global authentication error. ${inner}`;
+        }
+        case "resource_error": {
+            const inner = errorDetails?.message ?? "Unknown resource error";
+            return `Cannot access resource ${label}: ${inner}`;
+        }
+        case "missing_token": {
+            const list = availableResources && availableResources.length > 0
+                ? ` Available: ${availableResources.join(", ")}.`
+                : "";
+            return `No access token available for resource ${label}.${list}`;
+        }
+    }
+}
+class AuthProviderConfigurationError extends Error {
+    constructor(message) {
+        super(message ?? "AuthProvider configuration is invalid");
+        this.name = "AuthProviderConfigurationError";
+    }
+}
+exports.AuthProviderConfigurationError = AuthProviderConfigurationError;
 //# sourceMappingURL=errors.js.map

package/dist/cjs/errors.js.map

@@ -1 +1 @@
-{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":";;;AAAA,MAAa,SAAU,SAAQ,KAAK;IAClC,YACE,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAND,8BAMC;AAED,MAAa,eAAgB,SAAQ,SAAS;CAC7C;AADD,0CACC;AAED,MAAa,iBAAkB,SAAQ,SAAS;CAC/C;AADD,8CACC;AAED,MAAa,UAAW,SAAQ,KAAK;IACnC,YACkB,SAAiB,EACjC,OAAe,EACC,QAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,cAAS,GAAT,SAAS,CAAQ;QAEjB,aAAQ,GAAR,QAAQ,CAAS;IAGnC,CAAC;CACF;AARD,gCAQC;AAED,MAAa,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAJD,8CAIC;AAED,MAAa,sBAAuB,SAAQ,UAAU;IACpD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;CACF;AAJD,wDAIC"}
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":";;;AAAA,MAAa,SAAU,SAAQ,KAAK;IAClC,YACE,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAND,8BAMC;AAED,MAAa,eAAgB,SAAQ,SAAS;CAC7C;AADD,0CACC;AAED,MAAa,iBAAkB,SAAQ,SAAS;CAC/C;AADD,8CACC;AAED,MAAa,UAAW,SAAQ,KAAK;IACnC,YACkB,SAAiB,EACjC,OAAe,EACC,QAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,cAAS,GAAT,SAAS,CAAQ;QAEjB,aAAQ,GAAR,QAAQ,CAAS;IAGnC,CAAC;CACF;AARD,gCAQC;AAED,MAAa,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAJD,8CAIC;AAED,MAAa,sBAAuB,SAAQ,UAAU;IACpD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;CACF;AAJD,wDAIC;AAqBD,MAAa,mBAAoB,SAAQ,KAAK;IAM5C,YAAY,OAAgB,EAAE,OAAoC;QAChE,KAAK,CAAC,OAAO,IAAI,0BAA0B,CAAC,OAAO,CAAC,CAAC,CAAC;QACtD,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,CAAC;QAClC,IAAI,CAAC,SAAS,GAAG,OAAO,EAAE,SAAS,CAAC;QACpC,IAAI,CAAC,kBAAkB,GAAG,OAAO,EAAE,kBAAkB,CAAC;QACtD,IAAI,CAAC,YAAY,GAAG,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC;IACpD,CAAC;CACF;AAdD,kDAcC;AAED,SAAS,0BAA0B,CAAC,OAAoC;IACtE,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,CAAC;QACxB,OAAO,+CAA+C,CAAC;IACzD,CAAC;IACD,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,kBAAkB,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC;IAC1E,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC;IAEtD,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,KAAK,GAAG,YAAY,EAAE,OAAO,IAAI,sBAAsB,CAAC;YAC9D,OAAO,0BAA0B,KAAK,kCAAkC,KAAK,EAAE,CAAC;QAClF,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,MAAM,KAAK,GAAG,YAAY,EAAE,OAAO,IAAI,wBAAwB,CAAC;YAChE,OAAO,0BAA0B,KAAK,KAAK,KAAK,EAAE,CAAC;QACrD,CAAC;QACD,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,MAAM,IAAI,GACR,kBAAkB,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC;gBACjD,CAAC,CAAC,eAAe,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;gBACjD,CAAC,CAAC,EAAE,CAAC;YACT,OAAO,0CAA0C,KAAK,IAAI,IAAI,EAAE,CAAC;QACnE,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAa,8BAA+B,SAAQ,KAAK;IACvD,YAAY,OAAgB;QAC1B,KAAK,CAAC,OAAO,IAAI,uCAAuC,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,GAAG,gCAAgC,CAAC;IAC/C,CAAC;CACF;AALD,wEAKC"}

package/dist/cjs/index.d.ts

@@ -3,11 +3,14 @@ export { JWKSOAuthKeyring } from "./keyring.js";
 export { default as base64url } from "./base64url.js";
 export { fetchAuthorizationServerMetadata } from "./discovery.js";
 export type { OAuthAuthorizationServerMetadata } from "./discovery.js";
-export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError } from "./errors.js";
+export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError, ResourceAccessError, AuthProviderConfigurationError, } from "./errors.js";
 export { JWTSigner } from "./jwt/signer.js";
 export type { JWTClaims } from "./jwt/signer.js";
 export { JWTVerifier } from "./jwt/verifier.js";
-export { TokenExchangeClient } from "./tokenExchange.js";
-export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions } from "./tokenExchange.js";
+export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
+export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
+export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions, ExchangeOptions, ImpersonateRequest, } from "./tokenExchange.js";
 export type { ApplicationCredential } from "./credentials.js";
+export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
+export type { ErrorDetail, AccessContextStatus, AccessToken, TokenVerifierOptions, ClientSecretCredentials, } from "./server/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/cjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAC1G,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC"}

package/dist/cjs/index.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TokenExchangeClient = exports.JWTVerifier = exports.JWTSigner = exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = exports.fetchAuthorizationServerMetadata = exports.base64url = exports.JWKSOAuthKeyring = void 0;
+exports.ClientSecret = exports.TokenVerifier = exports.AccessContext = exports.TokenType = exports.TokenExchangeClient = exports.buildSubstituteUserToken = exports.JWTVerifier = exports.JWTSigner = exports.AuthProviderConfigurationError = exports.ResourceAccessError = exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = exports.fetchAuthorizationServerMetadata = exports.base64url = exports.JWKSOAuthKeyring = void 0;
 var keyring_js_1 = require("./keyring.js");
 Object.defineProperty(exports, "JWKSOAuthKeyring", { enumerable: true, get: function () { return keyring_js_1.JWKSOAuthKeyring; } });
 var base64url_js_1 = require("./base64url.js");
@@ -17,10 +17,19 @@ Object.defineProperty(exports, "UnauthorizedError", { enumerable: true, get: fun
 Object.defineProperty(exports, "OAuthError", { enumerable: true, get: function () { return errors_js_1.OAuthError; } });
 Object.defineProperty(exports, "InvalidTokenError", { enumerable: true, get: function () { return errors_js_1.InvalidTokenError; } });
 Object.defineProperty(exports, "InsufficientScopeError", { enumerable: true, get: function () { return errors_js_1.InsufficientScopeError; } });
+Object.defineProperty(exports, "ResourceAccessError", { enumerable: true, get: function () { return errors_js_1.ResourceAccessError; } });
+Object.defineProperty(exports, "AuthProviderConfigurationError", { enumerable: true, get: function () { return errors_js_1.AuthProviderConfigurationError; } });
 var signer_js_1 = require("./jwt/signer.js");
 Object.defineProperty(exports, "JWTSigner", { enumerable: true, get: function () { return signer_js_1.JWTSigner; } });
 var verifier_js_1 = require("./jwt/verifier.js");
 Object.defineProperty(exports, "JWTVerifier", { enumerable: true, get: function () { return verifier_js_1.JWTVerifier; } });
+var substituteUser_js_1 = require("./jwt/substituteUser.js");
+Object.defineProperty(exports, "buildSubstituteUserToken", { enumerable: true, get: function () { return substituteUser_js_1.buildSubstituteUserToken; } });
 var tokenExchange_js_1 = require("./tokenExchange.js");
 Object.defineProperty(exports, "TokenExchangeClient", { enumerable: true, get: function () { return tokenExchange_js_1.TokenExchangeClient; } });
+Object.defineProperty(exports, "TokenType", { enumerable: true, get: function () { return tokenExchange_js_1.TokenType; } });
+var index_js_1 = require("./server/index.js");
+Object.defineProperty(exports, "AccessContext", { enumerable: true, get: function () { return index_js_1.AccessContext; } });
+Object.defineProperty(exports, "TokenVerifier", { enumerable: true, get: function () { return index_js_1.TokenVerifier; } });
+Object.defineProperty(exports, "ClientSecret", { enumerable: true, get: function () { return index_js_1.ClientSecret; } });
 //# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;AACA,2CAAgD;AAAvC,8GAAA,gBAAgB,OAAA;AACzB,+CAAsD;AAA7C,0HAAA,OAAO,OAAa;AAC7B,+CAAkE;AAAzD,gIAAA,gCAAgC,OAAA;AAEzC,yCAAmI;AAA1H,sGAAA,SAAS,OAAA;AAAE,4GAAA,eAAe,OAAA;AAAE,8GAAA,iBAAiB,OAAA;AAAE,uGAAA,UAAU,OAAA;AAAE,8GAAA,iBAAiB,OAAA;AAAE,mHAAA,sBAAsB,OAAA;AAC7G,6CAA4C;AAAnC,sGAAA,SAAS,OAAA;AAElB,iDAAgD;AAAvC,0GAAA,WAAW,OAAA;AACpB,uDAAyD;AAAhD,uHAAA,mBAAmB,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;AACA,2CAAgD;AAAvC,8GAAA,gBAAgB,OAAA;AACzB,+CAAsD;AAA7C,0HAAA,OAAO,OAAa;AAC7B,+CAAkE;AAAzD,gIAAA,gCAAgC,OAAA;AAEzC,yCASqB;AARnB,sGAAA,SAAS,OAAA;AACT,4GAAA,eAAe,OAAA;AACf,8GAAA,iBAAiB,OAAA;AACjB,uGAAA,UAAU,OAAA;AACV,8GAAA,iBAAiB,OAAA;AACjB,mHAAA,sBAAsB,OAAA;AACtB,gHAAA,mBAAmB,OAAA;AACnB,2HAAA,8BAA8B,OAAA;AAEhC,6CAA4C;AAAnC,sGAAA,SAAS,OAAA;AAElB,iDAAgD;AAAvC,0GAAA,WAAW,OAAA;AACpB,6DAAmE;AAA1D,6HAAA,wBAAwB,OAAA;AACjC,uDAAoE;AAA3D,uHAAA,mBAAmB,OAAA;AAAE,6GAAA,SAAS,OAAA;AASvC,8CAA+E;AAAtE,yGAAA,aAAa,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,wGAAA,YAAY,OAAA"}

package/dist/cjs/jwt/substituteUser.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Build the substitute-user assertion sent as the `subject_token` of an
+ * impersonation token exchange (RFC 8693, Keycard vendor extension).
+ *
+ * This is NOT a signed JWT and is NOT a general-purpose JWT builder. The
+ * assertion's `alg: "none"` is intentional: the Keycard authorization server
+ * trusts the call by validating the requesting client's credentials and the
+ * vendor URN `urn:keycard:params:oauth:token-type:substitute-user`, not the
+ * subject token's signature. Authority comes from the calling application's
+ * client credentials plus the impersonation policy on the AS.
+ *
+ * For signing arbitrary JWTs, use `JWTSigner` from `@keycardai/oauth/jwt/signer`.
+ */
+export declare function buildSubstituteUserToken(identifier: string): string;
+//# sourceMappingURL=substituteUser.d.ts.map

package/dist/cjs/jwt/substituteUser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"substituteUser.d.ts","sourceRoot":"","sources":["../../../src/jwt/substituteUser.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAOnE"}

package/dist/cjs/jwt/substituteUser.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildSubstituteUserToken = buildSubstituteUserToken;
+const SUBSTITUTE_USER_HEADER = { typ: "vnd.kc.su+jwt", alg: "none" };
+/**
+ * Build the substitute-user assertion sent as the `subject_token` of an
+ * impersonation token exchange (RFC 8693, Keycard vendor extension).
+ *
+ * This is NOT a signed JWT and is NOT a general-purpose JWT builder. The
+ * assertion's `alg: "none"` is intentional: the Keycard authorization server
+ * trusts the call by validating the requesting client's credentials and the
+ * vendor URN `urn:keycard:params:oauth:token-type:substitute-user`, not the
+ * subject token's signature. Authority comes from the calling application's
+ * client credentials plus the impersonation policy on the AS.
+ *
+ * For signing arbitrary JWTs, use `JWTSigner` from `@keycardai/oauth/jwt/signer`.
+ */
+function buildSubstituteUserToken(identifier) {
+    if (!identifier) {
+        throw new Error("identifier is required");
+    }
+    const header = btoau(JSON.stringify(SUBSTITUTE_USER_HEADER));
+    const payload = btoau(JSON.stringify({ sub: identifier }));
+    return `${header}.${payload}.`;
+}
+function btoau(str) {
+    return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+//# sourceMappingURL=substituteUser.js.map

package/dist/cjs/jwt/substituteUser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"substituteUser.js","sourceRoot":"","sources":["../../../src/jwt/substituteUser.ts"],"names":[],"mappings":";;AAeA,4DAOC;AAtBD,MAAM,sBAAsB,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AAErE;;;;;;;;;;;;GAYG;AACH,SAAgB,wBAAwB,CAAC,UAAkB;IACzD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IACD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;IAC3D,OAAO,GAAG,MAAM,IAAI,OAAO,GAAG,CAAC;AACjC,CAAC;AAED,SAAS,KAAK,CAAC,GAAW;IACxB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC7E,CAAC"}

package/dist/cjs/keyring.d.ts

@@ -22,5 +22,11 @@ export declare class JWKSOAuthKeyring implements OAuthKeyring {
     constructor(options?: JWKSOAuthKeyringOptions);
     key(issuer: string, kid: string): Promise<CryptoKey>;
     invalidate(issuer: string, kid: string): void;
+    /**
+     * Drops all cached keys, JWKS URI discoveries, and inflight resolutions.
+     * Use after a global key rotation when targeted `invalidate(issuer, kid)`
+     * is impractical. Subsequent `key()` calls re-discover and re-fetch.
+     */
+    clear(): void;
 }
 //# sourceMappingURL=keyring.d.ts.map

package/dist/cjs/keyring.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;CA4H9C"}
+{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;IAQ7C;;;;OAIG;IACH,KAAK,IAAI,IAAI;CA2Hd"}

package/dist/cjs/keyring.js

@@ -79,6 +79,17 @@ class JWKSOAuthKeyring {
         __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").delete(issuer);
         __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
     }
+    /**
+     * Drops all cached keys, JWKS URI discoveries, and inflight resolutions.
+     * Use after a global key rotation when targeted `invalidate(issuer, kid)`
+     * is impractical. Subsequent `key()` calls re-discover and re-fetch.
+     */
+    clear() {
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").clear();
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").clear();
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").clear();
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").clear();
+    }
 }
 exports.JWKSOAuthKeyring = JWKSOAuthKeyring;
 _JWKSOAuthKeyring_keyTtlMs = new WeakMap(), _JWKSOAuthKeyring_discoveryTtlMs = new WeakMap(), _JWKSOAuthKeyring_fetchTimeoutMs = new WeakMap(), _JWKSOAuthKeyring_discoveryCache = new WeakMap(), _JWKSOAuthKeyring_keyCache = new WeakMap(), _JWKSOAuthKeyring_discoveryInflight = new WeakMap(), _JWKSOAuthKeyring_keyInflight = new WeakMap(), _JWKSOAuthKeyring_instances = new WeakSet(), _JWKSOAuthKeyring_resolveJwksUri = 

package/dist/cjs/keyring.js.map

@@ -1 +1 @@
-{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,6BAAwB;AACxB,iDAAkE;AAyBlE,MAAM,SAAS,GAAG,OAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAa,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;CAsHF;AAxJD,4CAwJC;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}
+{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,6BAAwB;AACxB,iDAAkE;AAyBlE,MAAM,SAAS,GAAG,OAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAa,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACH,KAAK;QACH,uBAAA,IAAI,kCAAU,CAAC,KAAK,EAAE,CAAC;QACvB,uBAAA,IAAI,qCAAa,CAAC,KAAK,EAAE,CAAC;QAC1B,uBAAA,IAAI,wCAAgB,CAAC,KAAK,EAAE,CAAC;QAC7B,uBAAA,IAAI,2CAAmB,CAAC,KAAK,EAAE,CAAC;IAClC,CAAC;CAsHF;AApKD,4CAoKC;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}

package/dist/cjs/server/accessContext.d.ts

@@ -0,0 +1,26 @@
+import type { TokenResponse } from "../tokenExchange.js";
+import { type ErrorDetail } from "../errors.js";
+export type { ErrorDetail } from "../errors.js";
+export type AccessContextStatus = "success" | "partial_error" | "error";
+export declare class AccessContext {
+    #private;
+    constructor(accessTokens?: Record<string, TokenResponse>);
+    setToken(resource: string, token: TokenResponse): void;
+    setBulkTokens(tokens: Record<string, TokenResponse>): void;
+    setResourceError(resource: string, error: ErrorDetail): void;
+    setError(error: ErrorDetail): void;
+    access(resource: string): TokenResponse;
+    hasError(): boolean;
+    hasResourceError(resource: string): boolean;
+    hasErrors(): boolean;
+    getError(): ErrorDetail | null;
+    getResourceError(resource: string): ErrorDetail | null;
+    getErrors(): {
+        resources: Record<string, ErrorDetail>;
+        error: ErrorDetail | null;
+    };
+    getStatus(): AccessContextStatus;
+    getSuccessfulResources(): string[];
+    getFailedResources(): string[];
+}
+//# sourceMappingURL=accessContext.d.ts.map

package/dist/cjs/server/accessContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessContext.d.ts","sourceRoot":"","sources":["../../../src/server/accessContext.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAuB,KAAK,WAAW,EAAE,MAAM,cAAc,CAAC;AAErE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,MAAM,mBAAmB,GAAG,SAAS,GAAG,eAAe,GAAG,OAAO,CAAC;AAExE,qBAAa,aAAa;;gBAKZ,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC;IAMxD,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,GAAG,IAAI;IAKtD,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,GAAG,IAAI;IAM1D,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,IAAI;IAK5D,QAAQ,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAIlC,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa;IA2BvC,QAAQ,IAAI,OAAO;IAInB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAI3C,SAAS,IAAI,OAAO;IAIpB,QAAQ,IAAI,WAAW,GAAG,IAAI;IAI9B,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI;IAItD,SAAS,IAAI;QAAE,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CAAA;KAAE;IAOlF,SAAS,IAAI,mBAAmB;IAMhC,sBAAsB,IAAI,MAAM,EAAE;IAIlC,kBAAkB,IAAI,MAAM,EAAE;CAG/B"}

package/dist/cjs/server/accessContext.js

@@ -0,0 +1,105 @@
+"use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _AccessContext_accessTokens, _AccessContext_resourceErrors, _AccessContext_error;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessContext = void 0;
+const errors_js_1 = require("../errors.js");
+class AccessContext {
+    constructor(accessTokens) {
+        _AccessContext_accessTokens.set(this, void 0);
+        _AccessContext_resourceErrors.set(this, void 0);
+        _AccessContext_error.set(this, void 0);
+        __classPrivateFieldSet(this, _AccessContext_accessTokens, new Map(accessTokens ? Object.entries(accessTokens) : []), "f");
+        __classPrivateFieldSet(this, _AccessContext_resourceErrors, new Map(), "f");
+        __classPrivateFieldSet(this, _AccessContext_error, null, "f");
+    }
+    setToken(resource, token) {
+        __classPrivateFieldGet(this, _AccessContext_accessTokens, "f").set(resource, token);
+        __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").delete(resource);
+    }
+    setBulkTokens(tokens) {
+        for (const [resource, token] of Object.entries(tokens)) {
+            __classPrivateFieldGet(this, _AccessContext_accessTokens, "f").set(resource, token);
+        }
+    }
+    setResourceError(resource, error) {
+        __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").set(resource, error);
+        __classPrivateFieldGet(this, _AccessContext_accessTokens, "f").delete(resource);
+    }
+    setError(error) {
+        __classPrivateFieldSet(this, _AccessContext_error, error, "f");
+    }
+    access(resource) {
+        if (__classPrivateFieldGet(this, _AccessContext_error, "f")) {
+            throw new errors_js_1.ResourceAccessError(undefined, {
+                resource,
+                errorType: "global_error",
+                errorDetails: __classPrivateFieldGet(this, _AccessContext_error, "f"),
+            });
+        }
+        const resourceError = __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").get(resource);
+        if (resourceError) {
+            throw new errors_js_1.ResourceAccessError(undefined, {
+                resource,
+                errorType: "resource_error",
+                errorDetails: resourceError,
+            });
+        }
+        const token = __classPrivateFieldGet(this, _AccessContext_accessTokens, "f").get(resource);
+        if (!token) {
+            throw new errors_js_1.ResourceAccessError(undefined, {
+                resource,
+                errorType: "missing_token",
+                availableResources: [...__classPrivateFieldGet(this, _AccessContext_accessTokens, "f").keys()],
+            });
+        }
+        return token;
+    }
+    hasError() {
+        return __classPrivateFieldGet(this, _AccessContext_error, "f") !== null;
+    }
+    hasResourceError(resource) {
+        return __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").has(resource);
+    }
+    hasErrors() {
+        return this.hasError() || __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").size > 0;
+    }
+    getError() {
+        return __classPrivateFieldGet(this, _AccessContext_error, "f");
+    }
+    getResourceError(resource) {
+        return __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").get(resource) ?? null;
+    }
+    getErrors() {
+        return {
+            resources: Object.fromEntries(__classPrivateFieldGet(this, _AccessContext_resourceErrors, "f")),
+            error: __classPrivateFieldGet(this, _AccessContext_error, "f"),
+        };
+    }
+    getStatus() {
+        if (__classPrivateFieldGet(this, _AccessContext_error, "f"))
+            return "error";
+        if (__classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").size > 0)
+            return "partial_error";
+        return "success";
+    }
+    getSuccessfulResources() {
+        return Array.from(__classPrivateFieldGet(this, _AccessContext_accessTokens, "f").keys());
+    }
+    getFailedResources() {
+        return Array.from(__classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").keys());
+    }
+}
+exports.AccessContext = AccessContext;
+_AccessContext_accessTokens = new WeakMap(), _AccessContext_resourceErrors = new WeakMap(), _AccessContext_error = new WeakMap();
+//# sourceMappingURL=accessContext.js.map

package/dist/cjs/server/accessContext.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessContext.js","sourceRoot":"","sources":["../../../src/server/accessContext.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AACA,4CAAqE;AAMrE,MAAa,aAAa;IAKxB,YAAY,YAA4C;QAJxD,8CAA0C;QAC1C,gDAA0C;QAC1C,uCAA2B;QAGzB,uBAAA,IAAI,+BAAiB,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,MAAA,CAAC;QAC/E,uBAAA,IAAI,iCAAmB,IAAI,GAAG,EAAE,MAAA,CAAC;QACjC,uBAAA,IAAI,wBAAU,IAAI,MAAA,CAAC;IACrB,CAAC;IAED,QAAQ,CAAC,QAAgB,EAAE,KAAoB;QAC7C,uBAAA,IAAI,mCAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACxC,uBAAA,IAAI,qCAAgB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAED,aAAa,CAAC,MAAqC;QACjD,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACvD,uBAAA,IAAI,mCAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,gBAAgB,CAAC,QAAgB,EAAE,KAAkB;QACnD,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC1C,uBAAA,IAAI,mCAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,QAAQ,CAAC,KAAkB;QACzB,uBAAA,IAAI,wBAAU,KAAK,MAAA,CAAC;IACtB,CAAC;IAED,MAAM,CAAC,QAAgB;QACrB,IAAI,uBAAA,IAAI,4BAAO,EAAE,CAAC;YAChB,MAAM,IAAI,+BAAmB,CAAC,SAAS,EAAE;gBACvC,QAAQ;gBACR,SAAS,EAAE,cAAc;gBACzB,YAAY,EAAE,uBAAA,IAAI,4BAAO;aAC1B,CAAC,CAAC;QACL,CAAC;QACD,MAAM,aAAa,GAAG,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzD,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,IAAI,+BAAmB,CAAC,SAAS,EAAE;gBACvC,QAAQ;gBACR,SAAS,EAAE,gBAAgB;gBAC3B,YAAY,EAAE,aAAa;aAC5B,CAAC,CAAC;QACL,CAAC;QACD,MAAM,KAAK,GAAG,uBAAA,IAAI,mCAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,+BAAmB,CAAC,SAAS,EAAE;gBACvC,QAAQ;gBACR,SAAS,EAAE,eAAe;gBAC1B,kBAAkB,EAAE,CAAC,GAAG,uBAAA,IAAI,mCAAc,CAAC,IAAI,EAAE,CAAC;aACnD,CAAC,CAAC;QACL,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,QAAQ;QACN,OAAO,uBAAA,IAAI,4BAAO,KAAK,IAAI,CAAC;IAC9B,CAAC;IAED,gBAAgB,CAAC,QAAgB;QAC/B,OAAO,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,QAAQ,EAAE,IAAI,uBAAA,IAAI,qCAAgB,CAAC,IAAI,GAAG,CAAC,CAAC;IAC1D,CAAC;IAED,QAAQ;QACN,OAAO,uBAAA,IAAI,4BAAO,CAAC;IACrB,CAAC;IAED,gBAAgB,CAAC,QAAgB;QAC/B,OAAO,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;IACpD,CAAC;IAED,SAAS;QACP,OAAO;YACL,SAAS,EAAE,MAAM,CAAC,WAAW,CAAC,uBAAA,IAAI,qCAAgB,CAAC;YACnD,KAAK,EAAE,uBAAA,IAAI,4BAAO;SACnB,CAAC;IACJ,CAAC;IAED,SAAS;QACP,IAAI,uBAAA,IAAI,4BAAO;YAAE,OAAO,OAAO,CAAC;QAChC,IAAI,uBAAA,IAAI,qCAAgB,CAAC,IAAI,GAAG,CAAC;YAAE,OAAO,eAAe,CAAC;QAC1D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,sBAAsB;QACpB,OAAO,KAAK,CAAC,IAAI,CAAC,uBAAA,IAAI,mCAAc,CAAC,IAAI,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,kBAAkB;QAChB,OAAO,KAAK,CAAC,IAAI,CAAC,uBAAA,IAAI,qCAAgB,CAAC,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;CACF;AAlGD,sCAkGC"}

package/dist/cjs/server/accessToken.d.ts

@@ -0,0 +1,8 @@
+export interface AccessToken {
+    token: string;
+    clientId: string;
+    scopes: string[];
+    expiresAt?: number;
+    resource?: string;
+}
+//# sourceMappingURL=accessToken.d.ts.map

package/dist/cjs/server/accessToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessToken.d.ts","sourceRoot":"","sources":["../../../src/server/accessToken.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB"}

package/dist/cjs/server/accessToken.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=accessToken.js.map

package/dist/cjs/server/accessToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessToken.js","sourceRoot":"","sources":["../../../src/server/accessToken.ts"],"names":[],"mappings":""}

package/dist/cjs/server/clientSecret.d.ts

@@ -0,0 +1,14 @@
+import type { ApplicationCredential } from "../credentials.js";
+import type { TokenExchangeRequest } from "../tokenExchange.js";
+export type ClientSecretCredentials = [clientId: string, clientSecret: string] | Record<string, [clientId: string, clientSecret: string]>;
+export declare class ClientSecret implements ApplicationCredential {
+    #private;
+    constructor(clientId: string, clientSecret: string);
+    constructor(credentials: ClientSecretCredentials);
+    getAuth(zoneId?: string): {
+        clientId: string;
+        clientSecret: string;
+    } | null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string): Promise<TokenExchangeRequest>;
+}
+//# sourceMappingURL=clientSecret.d.ts.map

package/dist/cjs/server/clientSecret.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clientSecret.d.ts","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAKhE,MAAM,MAAM,uBAAuB,GAC/B,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,GACxC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;AAE7D,qBAAa,YAAa,YAAW,qBAAqB;;gBAI5C,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM;gBACtC,WAAW,EAAE,uBAAuB;IA2ChD,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAYrE,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC;CAOjC"}