@keycardai/oauth 0.3.0 → 0.4.1

package/dist/esm/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AASpE,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/esm/jwt/substituteUser.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Build the substitute-user assertion sent as the `subject_token` of an
+ * impersonation token exchange (RFC 8693, Keycard vendor extension).
+ *
+ * This is NOT a signed JWT and is NOT a general-purpose JWT builder. The
+ * assertion's `alg: "none"` is intentional: the Keycard authorization server
+ * trusts the call by validating the requesting client's credentials and the
+ * vendor URN `urn:keycard:params:oauth:token-type:substitute-user`, not the
+ * subject token's signature. Authority comes from the calling application's
+ * client credentials plus the impersonation policy on the AS.
+ *
+ * For signing arbitrary JWTs, use `JWTSigner` from `@keycardai/oauth/jwt/signer`.
+ */
+export declare function buildSubstituteUserToken(identifier: string): string;
+//# sourceMappingURL=substituteUser.d.ts.map

package/dist/esm/jwt/substituteUser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"substituteUser.d.ts","sourceRoot":"","sources":["../../../src/jwt/substituteUser.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAOnE"}

package/dist/esm/jwt/substituteUser.js

@@ -0,0 +1,26 @@
+const SUBSTITUTE_USER_HEADER = { typ: "vnd.kc.su+jwt", alg: "none" };
+/**
+ * Build the substitute-user assertion sent as the `subject_token` of an
+ * impersonation token exchange (RFC 8693, Keycard vendor extension).
+ *
+ * This is NOT a signed JWT and is NOT a general-purpose JWT builder. The
+ * assertion's `alg: "none"` is intentional: the Keycard authorization server
+ * trusts the call by validating the requesting client's credentials and the
+ * vendor URN `urn:keycard:params:oauth:token-type:substitute-user`, not the
+ * subject token's signature. Authority comes from the calling application's
+ * client credentials plus the impersonation policy on the AS.
+ *
+ * For signing arbitrary JWTs, use `JWTSigner` from `@keycardai/oauth/jwt/signer`.
+ */
+export function buildSubstituteUserToken(identifier) {
+    if (!identifier) {
+        throw new Error("identifier is required");
+    }
+    const header = btoau(JSON.stringify(SUBSTITUTE_USER_HEADER));
+    const payload = btoau(JSON.stringify({ sub: identifier }));
+    return `${header}.${payload}.`;
+}
+function btoau(str) {
+    return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+//# sourceMappingURL=substituteUser.js.map

package/dist/esm/jwt/substituteUser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"substituteUser.js","sourceRoot":"","sources":["../../../src/jwt/substituteUser.ts"],"names":[],"mappings":"AAAA,MAAM,sBAAsB,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AAErE;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,wBAAwB,CAAC,UAAkB;IACzD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IACD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;IAC3D,OAAO,GAAG,MAAM,IAAI,OAAO,GAAG,CAAC;AACjC,CAAC;AAED,SAAS,KAAK,CAAC,GAAW;IACxB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC7E,CAAC"}

package/dist/esm/keyring.d.ts

@@ -22,5 +22,11 @@ export declare class JWKSOAuthKeyring implements OAuthKeyring {
     constructor(options?: JWKSOAuthKeyringOptions);
     key(issuer: string, kid: string): Promise<CryptoKey>;
     invalidate(issuer: string, kid: string): void;
+    /**
+     * Drops all cached keys, JWKS URI discoveries, and inflight resolutions.
+     * Use after a global key rotation when targeted `invalidate(issuer, kid)`
+     * is impractical. Subsequent `key()` calls re-discover and re-fetch.
+     */
+    clear(): void;
 }
 //# sourceMappingURL=keyring.d.ts.map

package/dist/esm/keyring.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;CA4H9C"}
+{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;IAQ7C;;;;OAIG;IACH,KAAK,IAAI,IAAI;CA2Hd"}

package/dist/esm/keyring.js

@@ -76,6 +76,17 @@ export class JWKSOAuthKeyring {
         __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").delete(issuer);
         __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
     }
+    /**
+     * Drops all cached keys, JWKS URI discoveries, and inflight resolutions.
+     * Use after a global key rotation when targeted `invalidate(issuer, kid)`
+     * is impractical. Subsequent `key()` calls re-discover and re-fetch.
+     */
+    clear() {
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").clear();
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").clear();
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").clear();
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").clear();
+    }
 }
 _JWKSOAuthKeyring_keyTtlMs = new WeakMap(), _JWKSOAuthKeyring_discoveryTtlMs = new WeakMap(), _JWKSOAuthKeyring_fetchTimeoutMs = new WeakMap(), _JWKSOAuthKeyring_discoveryCache = new WeakMap(), _JWKSOAuthKeyring_keyCache = new WeakMap(), _JWKSOAuthKeyring_discoveryInflight = new WeakMap(), _JWKSOAuthKeyring_keyInflight = new WeakMap(), _JWKSOAuthKeyring_instances = new WeakSet(), _JWKSOAuthKeyring_resolveJwksUri = 
 // -------------------------------------------------------

package/dist/esm/keyring.js.map

@@ -1 +1 @@
-{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAyBlE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAM,OAAO,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;CAsHF;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}
+{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAyBlE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAM,OAAO,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACH,KAAK;QACH,uBAAA,IAAI,kCAAU,CAAC,KAAK,EAAE,CAAC;QACvB,uBAAA,IAAI,qCAAa,CAAC,KAAK,EAAE,CAAC;QAC1B,uBAAA,IAAI,wCAAgB,CAAC,KAAK,EAAE,CAAC;QAC7B,uBAAA,IAAI,2CAAmB,CAAC,KAAK,EAAE,CAAC;IAClC,CAAC;CAsHF;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}

package/dist/esm/server/accessContext.d.ts

@@ -0,0 +1,26 @@
+import type { TokenResponse } from "../tokenExchange.js";
+import { type ErrorDetail } from "../errors.js";
+export type { ErrorDetail } from "../errors.js";
+export type AccessContextStatus = "success" | "partial_error" | "error";
+export declare class AccessContext {
+    #private;
+    constructor(accessTokens?: Record<string, TokenResponse>);
+    setToken(resource: string, token: TokenResponse): void;
+    setBulkTokens(tokens: Record<string, TokenResponse>): void;
+    setResourceError(resource: string, error: ErrorDetail): void;
+    setError(error: ErrorDetail): void;
+    access(resource: string): TokenResponse;
+    hasError(): boolean;
+    hasResourceError(resource: string): boolean;
+    hasErrors(): boolean;
+    getError(): ErrorDetail | null;
+    getResourceError(resource: string): ErrorDetail | null;
+    getErrors(): {
+        resources: Record<string, ErrorDetail>;
+        error: ErrorDetail | null;
+    };
+    getStatus(): AccessContextStatus;
+    getSuccessfulResources(): string[];
+    getFailedResources(): string[];
+}
+//# sourceMappingURL=accessContext.d.ts.map

package/dist/esm/server/accessContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessContext.d.ts","sourceRoot":"","sources":["../../../src/server/accessContext.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAuB,KAAK,WAAW,EAAE,MAAM,cAAc,CAAC;AAErE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,MAAM,mBAAmB,GAAG,SAAS,GAAG,eAAe,GAAG,OAAO,CAAC;AAExE,qBAAa,aAAa;;gBAKZ,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC;IAMxD,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,GAAG,IAAI;IAKtD,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,GAAG,IAAI;IAM1D,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,IAAI;IAK5D,QAAQ,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAIlC,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa;IA2BvC,QAAQ,IAAI,OAAO;IAInB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAI3C,SAAS,IAAI,OAAO;IAIpB,QAAQ,IAAI,WAAW,GAAG,IAAI;IAI9B,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI;IAItD,SAAS,IAAI;QAAE,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CAAA;KAAE;IAOlF,SAAS,IAAI,mBAAmB;IAMhC,sBAAsB,IAAI,MAAM,EAAE;IAIlC,kBAAkB,IAAI,MAAM,EAAE;CAG/B"}

package/dist/esm/server/accessContext.js

@@ -0,0 +1,101 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _AccessContext_accessTokens, _AccessContext_resourceErrors, _AccessContext_error;
+import { ResourceAccessError } from "../errors.js";
+export class AccessContext {
+    constructor(accessTokens) {
+        _AccessContext_accessTokens.set(this, void 0);
+        _AccessContext_resourceErrors.set(this, void 0);
+        _AccessContext_error.set(this, void 0);
+        __classPrivateFieldSet(this, _AccessContext_accessTokens, new Map(accessTokens ? Object.entries(accessTokens) : []), "f");
+        __classPrivateFieldSet(this, _AccessContext_resourceErrors, new Map(), "f");
+        __classPrivateFieldSet(this, _AccessContext_error, null, "f");
+    }
+    setToken(resource, token) {
+        __classPrivateFieldGet(this, _AccessContext_accessTokens, "f").set(resource, token);
+        __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").delete(resource);
+    }
+    setBulkTokens(tokens) {
+        for (const [resource, token] of Object.entries(tokens)) {
+            __classPrivateFieldGet(this, _AccessContext_accessTokens, "f").set(resource, token);
+        }
+    }
+    setResourceError(resource, error) {
+        __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").set(resource, error);
+        __classPrivateFieldGet(this, _AccessContext_accessTokens, "f").delete(resource);
+    }
+    setError(error) {
+        __classPrivateFieldSet(this, _AccessContext_error, error, "f");
+    }
+    access(resource) {
+        if (__classPrivateFieldGet(this, _AccessContext_error, "f")) {
+            throw new ResourceAccessError(undefined, {
+                resource,
+                errorType: "global_error",
+                errorDetails: __classPrivateFieldGet(this, _AccessContext_error, "f"),
+            });
+        }
+        const resourceError = __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").get(resource);
+        if (resourceError) {
+            throw new ResourceAccessError(undefined, {
+                resource,
+                errorType: "resource_error",
+                errorDetails: resourceError,
+            });
+        }
+        const token = __classPrivateFieldGet(this, _AccessContext_accessTokens, "f").get(resource);
+        if (!token) {
+            throw new ResourceAccessError(undefined, {
+                resource,
+                errorType: "missing_token",
+                availableResources: [...__classPrivateFieldGet(this, _AccessContext_accessTokens, "f").keys()],
+            });
+        }
+        return token;
+    }
+    hasError() {
+        return __classPrivateFieldGet(this, _AccessContext_error, "f") !== null;
+    }
+    hasResourceError(resource) {
+        return __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").has(resource);
+    }
+    hasErrors() {
+        return this.hasError() || __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").size > 0;
+    }
+    getError() {
+        return __classPrivateFieldGet(this, _AccessContext_error, "f");
+    }
+    getResourceError(resource) {
+        return __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").get(resource) ?? null;
+    }
+    getErrors() {
+        return {
+            resources: Object.fromEntries(__classPrivateFieldGet(this, _AccessContext_resourceErrors, "f")),
+            error: __classPrivateFieldGet(this, _AccessContext_error, "f"),
+        };
+    }
+    getStatus() {
+        if (__classPrivateFieldGet(this, _AccessContext_error, "f"))
+            return "error";
+        if (__classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").size > 0)
+            return "partial_error";
+        return "success";
+    }
+    getSuccessfulResources() {
+        return Array.from(__classPrivateFieldGet(this, _AccessContext_accessTokens, "f").keys());
+    }
+    getFailedResources() {
+        return Array.from(__classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").keys());
+    }
+}
+_AccessContext_accessTokens = new WeakMap(), _AccessContext_resourceErrors = new WeakMap(), _AccessContext_error = new WeakMap();
+//# sourceMappingURL=accessContext.js.map

package/dist/esm/server/accessContext.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessContext.js","sourceRoot":"","sources":["../../../src/server/accessContext.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,mBAAmB,EAAoB,MAAM,cAAc,CAAC;AAMrE,MAAM,OAAO,aAAa;IAKxB,YAAY,YAA4C;QAJxD,8CAA0C;QAC1C,gDAA0C;QAC1C,uCAA2B;QAGzB,uBAAA,IAAI,+BAAiB,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,MAAA,CAAC;QAC/E,uBAAA,IAAI,iCAAmB,IAAI,GAAG,EAAE,MAAA,CAAC;QACjC,uBAAA,IAAI,wBAAU,IAAI,MAAA,CAAC;IACrB,CAAC;IAED,QAAQ,CAAC,QAAgB,EAAE,KAAoB;QAC7C,uBAAA,IAAI,mCAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACxC,uBAAA,IAAI,qCAAgB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAED,aAAa,CAAC,MAAqC;QACjD,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACvD,uBAAA,IAAI,mCAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,gBAAgB,CAAC,QAAgB,EAAE,KAAkB;QACnD,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC1C,uBAAA,IAAI,mCAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,QAAQ,CAAC,KAAkB;QACzB,uBAAA,IAAI,wBAAU,KAAK,MAAA,CAAC;IACtB,CAAC;IAED,MAAM,CAAC,QAAgB;QACrB,IAAI,uBAAA,IAAI,4BAAO,EAAE,CAAC;YAChB,MAAM,IAAI,mBAAmB,CAAC,SAAS,EAAE;gBACvC,QAAQ;gBACR,SAAS,EAAE,cAAc;gBACzB,YAAY,EAAE,uBAAA,IAAI,4BAAO;aAC1B,CAAC,CAAC;QACL,CAAC;QACD,MAAM,aAAa,GAAG,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzD,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,IAAI,mBAAmB,CAAC,SAAS,EAAE;gBACvC,QAAQ;gBACR,SAAS,EAAE,gBAAgB;gBAC3B,YAAY,EAAE,aAAa;aAC5B,CAAC,CAAC;QACL,CAAC;QACD,MAAM,KAAK,GAAG,uBAAA,IAAI,mCAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,mBAAmB,CAAC,SAAS,EAAE;gBACvC,QAAQ;gBACR,SAAS,EAAE,eAAe;gBAC1B,kBAAkB,EAAE,CAAC,GAAG,uBAAA,IAAI,mCAAc,CAAC,IAAI,EAAE,CAAC;aACnD,CAAC,CAAC;QACL,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,QAAQ;QACN,OAAO,uBAAA,IAAI,4BAAO,KAAK,IAAI,CAAC;IAC9B,CAAC;IAED,gBAAgB,CAAC,QAAgB;QAC/B,OAAO,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,QAAQ,EAAE,IAAI,uBAAA,IAAI,qCAAgB,CAAC,IAAI,GAAG,CAAC,CAAC;IAC1D,CAAC;IAED,QAAQ;QACN,OAAO,uBAAA,IAAI,4BAAO,CAAC;IACrB,CAAC;IAED,gBAAgB,CAAC,QAAgB;QAC/B,OAAO,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;IACpD,CAAC;IAED,SAAS;QACP,OAAO;YACL,SAAS,EAAE,MAAM,CAAC,WAAW,CAAC,uBAAA,IAAI,qCAAgB,CAAC;YACnD,KAAK,EAAE,uBAAA,IAAI,4BAAO;SACnB,CAAC;IACJ,CAAC;IAED,SAAS;QACP,IAAI,uBAAA,IAAI,4BAAO;YAAE,OAAO,OAAO,CAAC;QAChC,IAAI,uBAAA,IAAI,qCAAgB,CAAC,IAAI,GAAG,CAAC;YAAE,OAAO,eAAe,CAAC;QAC1D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,sBAAsB;QACpB,OAAO,KAAK,CAAC,IAAI,CAAC,uBAAA,IAAI,mCAAc,CAAC,IAAI,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,kBAAkB;QAChB,OAAO,KAAK,CAAC,IAAI,CAAC,uBAAA,IAAI,qCAAgB,CAAC,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;CACF"}

package/dist/esm/server/accessToken.d.ts

@@ -0,0 +1,8 @@
+export interface AccessToken {
+    token: string;
+    clientId: string;
+    scopes: string[];
+    expiresAt?: number;
+    resource?: string;
+}
+//# sourceMappingURL=accessToken.d.ts.map

package/dist/esm/server/accessToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessToken.d.ts","sourceRoot":"","sources":["../../../src/server/accessToken.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB"}

package/dist/esm/server/accessToken.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=accessToken.js.map

package/dist/esm/server/accessToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessToken.js","sourceRoot":"","sources":["../../../src/server/accessToken.ts"],"names":[],"mappings":""}

package/dist/esm/server/clientSecret.d.ts

@@ -0,0 +1,14 @@
+import type { ApplicationCredential } from "../credentials.js";
+import type { TokenExchangeRequest } from "../tokenExchange.js";
+export type ClientSecretCredentials = [clientId: string, clientSecret: string] | Record<string, [clientId: string, clientSecret: string]>;
+export declare class ClientSecret implements ApplicationCredential {
+    #private;
+    constructor(clientId: string, clientSecret: string);
+    constructor(credentials: ClientSecretCredentials);
+    getAuth(zoneId?: string): {
+        clientId: string;
+        clientSecret: string;
+    } | null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string): Promise<TokenExchangeRequest>;
+}
+//# sourceMappingURL=clientSecret.d.ts.map

package/dist/esm/server/clientSecret.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clientSecret.d.ts","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAKhE,MAAM,MAAM,uBAAuB,GAC/B,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,GACxC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;AAE7D,qBAAa,YAAa,YAAW,qBAAqB;;gBAI5C,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM;gBACtC,WAAW,EAAE,uBAAuB;IA2ChD,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAYrE,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC;CAOjC"}

package/dist/esm/server/clientSecret.js

@@ -0,0 +1,72 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _ClientSecret_zoneCredentials, _ClientSecret_isMultiZone;
+const ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
+const DEFAULT_ZONE = "__default__";
+export class ClientSecret {
+    constructor(arg1, arg2) {
+        _ClientSecret_zoneCredentials.set(this, void 0);
+        _ClientSecret_isMultiZone.set(this, void 0);
+        __classPrivateFieldSet(this, _ClientSecret_zoneCredentials, new Map(), "f");
+        if (typeof arg1 === "string") {
+            if (typeof arg2 !== "string") {
+                throw new TypeError("ClientSecret: client_secret is required when client_id is provided as a string");
+            }
+            __classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(DEFAULT_ZONE, [arg1, arg2]);
+            __classPrivateFieldSet(this, _ClientSecret_isMultiZone, false, "f");
+            return;
+        }
+        if (Array.isArray(arg1)) {
+            const [clientId, clientSecret] = arg1;
+            if (typeof clientId !== "string" || typeof clientSecret !== "string") {
+                throw new TypeError("ClientSecret: tuple must be [clientId, clientSecret]");
+            }
+            __classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(DEFAULT_ZONE, [clientId, clientSecret]);
+            __classPrivateFieldSet(this, _ClientSecret_isMultiZone, false, "f");
+            return;
+        }
+        if (arg1 && typeof arg1 === "object") {
+            for (const [zoneId, tuple] of Object.entries(arg1)) {
+                if (!Array.isArray(tuple) || typeof tuple[0] !== "string" || typeof tuple[1] !== "string") {
+                    throw new TypeError(`ClientSecret: zone "${zoneId}" must map to [clientId, clientSecret]`);
+                }
+                __classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(zoneId, [tuple[0], tuple[1]]);
+            }
+            if (__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").size === 0) {
+                throw new TypeError("ClientSecret: zone-keyed credentials must contain at least one zone");
+            }
+            __classPrivateFieldSet(this, _ClientSecret_isMultiZone, true, "f");
+            return;
+        }
+        throw new TypeError("ClientSecret: unsupported credentials shape");
+    }
+    getAuth(zoneId) {
+        if (!__classPrivateFieldGet(this, _ClientSecret_isMultiZone, "f")) {
+            const tuple = __classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").get(DEFAULT_ZONE);
+            return tuple ? { clientId: tuple[0], clientSecret: tuple[1] } : null;
+        }
+        if (!zoneId) {
+            return null;
+        }
+        const tuple = __classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").get(zoneId);
+        return tuple ? { clientId: tuple[0], clientSecret: tuple[1] } : null;
+    }
+    async prepareTokenExchangeRequest(subjectToken, resource) {
+        return {
+            subjectToken,
+            resource,
+            subjectTokenType: ACCESS_TOKEN_TYPE,
+        };
+    }
+}
+_ClientSecret_zoneCredentials = new WeakMap(), _ClientSecret_isMultiZone = new WeakMap();
+//# sourceMappingURL=clientSecret.js.map

package/dist/esm/server/clientSecret.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"clientSecret.js","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":";;;;;;;;;;;;AAGA,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,YAAY,GAAG,aAAa,CAAC;AAMnC,MAAM,OAAO,YAAY;IAMvB,YACE,IAAsC,EACtC,IAAa;QAPf,gDAAgD;QAChD,4CAAsB;QAQpB,uBAAA,IAAI,iCAAoB,IAAI,GAAG,EAAE,MAAA,CAAC;QAElC,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,MAAM,IAAI,SAAS,CAAC,gFAAgF,CAAC,CAAC;YACxG,CAAC;YACD,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;YACtD,uBAAA,IAAI,6BAAgB,KAAK,MAAA,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC,GAAG,IAAI,CAAC;YACtC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;gBACrE,MAAM,IAAI,SAAS,CAAC,sDAAsD,CAAC,CAAC;YAC9E,CAAC;YACD,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;YAClE,uBAAA,IAAI,6BAAgB,KAAK,MAAA,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrC,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;oBAC1F,MAAM,IAAI,SAAS,CAAC,uBAAuB,MAAM,wCAAwC,CAAC,CAAC;gBAC7F,CAAC;gBACD,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,CAAC;YACD,IAAI,uBAAA,IAAI,qCAAiB,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,SAAS,CAAC,qEAAqE,CAAC,CAAC;YAC7F,CAAC;YACD,uBAAA,IAAI,6BAAgB,IAAI,MAAA,CAAC;YACzB,OAAO;QACT,CAAC;QAED,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,CAAC,MAAe;QACrB,IAAI,CAAC,uBAAA,IAAI,iCAAa,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACtD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GAAG,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACvE,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB;QAEhB,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,iBAAiB;SACpC,CAAC;IACJ,CAAC;CACF"}

package/dist/esm/server/index.d.ts

@@ -0,0 +1,8 @@
+export { AccessContext } from "./accessContext.js";
+export type { ErrorDetail, AccessContextStatus } from "./accessContext.js";
+export type { AccessToken } from "./accessToken.js";
+export { TokenVerifier } from "./tokenVerifier.js";
+export type { TokenVerifierOptions } from "./tokenVerifier.js";
+export { ClientSecret } from "./clientSecret.js";
+export type { ClientSecretCredentials } from "./clientSecret.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/esm/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC3E,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,YAAY,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/esm/server/index.js

@@ -0,0 +1,4 @@
+export { AccessContext } from "./accessContext.js";
+export { TokenVerifier } from "./tokenVerifier.js";
+export { ClientSecret } from "./clientSecret.js";
+//# sourceMappingURL=index.js.map

package/dist/esm/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGnD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/esm/server/tokenVerifier.d.ts

@@ -0,0 +1,49 @@
+import { type OAuthKeyring } from "../keyring.js";
+import type { AccessToken } from "./accessToken.js";
+export interface TokenVerifierOptions {
+    /**
+     * Issuer URL for the Keycard zone, e.g. "https://zone-id.keycard.cloud" for
+     * single-zone deployments. With `enableMultiZone: true`, this is the base
+     * URL whose host gets prefixed with the per-request zoneId.
+     */
+    issuer: string;
+    /**
+     * Required scopes. When set, every value must be present in the token's
+     * `scope` claim or verification returns null.
+     */
+    requiredScopes?: readonly string[];
+    /**
+     * Allowed signing algorithms. Defaults to ["RS256"].
+     */
+    allowedAlgorithms?: readonly string[];
+    /**
+     * When true, callers can supply a per-request zoneId via verifyTokenForZone.
+     * Each zone gets its own issuer URL and audience.
+     */
+    enableMultiZone?: boolean;
+    /**
+     * Audience to validate against. A single string applies to every zone.
+     * A `Record<zoneId, audience>` selects the audience per zone; if a request
+     * arrives for a zoneId with no entry in the dict, verification fails closed
+     * (returns null) rather than silently dropping audience validation.
+     */
+    audience?: string | Record<string, string>;
+    /**
+     * Custom keyring (e.g. for testing or shared caches). When omitted,
+     * a fresh JWKSOAuthKeyring is constructed.
+     */
+    keyring?: OAuthKeyring;
+}
+export declare class TokenVerifier {
+    #private;
+    constructor(options: TokenVerifierOptions);
+    verifyToken(token: string): Promise<AccessToken | null>;
+    verifyTokenForZone(token: string, zoneId: string): Promise<AccessToken | null>;
+    /**
+     * Flushes JWKS keys and discovery results from the underlying keyring.
+     * Use after a global key rotation. No-op if the injected keyring does
+     * not expose a `clear()` method.
+     */
+    clearCache(): void;
+}
+//# sourceMappingURL=tokenVerifier.d.ts.map

package/dist/esm/server/tokenVerifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenVerifier.d.ts","sourceRoot":"","sources":["../../../src/server/tokenVerifier.ts"],"names":[],"mappings":"AACA,OAAO,EAAoB,KAAK,YAAY,EAAE,MAAM,eAAe,CAAC;AAEpE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAIpD,MAAM,WAAW,oBAAoB;IACnC;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC;;OAEG;IACH,iBAAiB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACtC;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3C;;;OAGG;IACH,OAAO,CAAC,EAAE,YAAY,CAAC;CACxB;AAED,qBAAa,aAAa;;gBAQZ,OAAO,EAAE,oBAAoB;IAYnC,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAIvD,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAOpF;;;;OAIG;IACH,UAAU,IAAI,IAAI;CA8CnB"}

package/dist/esm/server/tokenVerifier.js

@@ -0,0 +1,114 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _TokenVerifier_instances, _TokenVerifier_issuer, _TokenVerifier_requiredScopes, _TokenVerifier_allowedAlgorithms, _TokenVerifier_enableMultiZone, _TokenVerifier_audience, _TokenVerifier_keyring, _TokenVerifier_verify, _TokenVerifier_scopesSatisfied;
+import { JWTVerifier } from "../jwt/verifier.js";
+import { JWKSOAuthKeyring } from "../keyring.js";
+const DEFAULT_ALLOWED_ALGORITHMS = ["RS256"];
+export class TokenVerifier {
+    constructor(options) {
+        _TokenVerifier_instances.add(this);
+        _TokenVerifier_issuer.set(this, void 0);
+        _TokenVerifier_requiredScopes.set(this, void 0);
+        _TokenVerifier_allowedAlgorithms.set(this, void 0);
+        _TokenVerifier_enableMultiZone.set(this, void 0);
+        _TokenVerifier_audience.set(this, void 0);
+        _TokenVerifier_keyring.set(this, void 0);
+        if (!options.issuer) {
+            throw new Error("TokenVerifier: issuer is required");
+        }
+        __classPrivateFieldSet(this, _TokenVerifier_issuer, options.issuer, "f");
+        __classPrivateFieldSet(this, _TokenVerifier_requiredScopes, options.requiredScopes ?? [], "f");
+        __classPrivateFieldSet(this, _TokenVerifier_allowedAlgorithms, options.allowedAlgorithms ?? DEFAULT_ALLOWED_ALGORITHMS, "f");
+        __classPrivateFieldSet(this, _TokenVerifier_enableMultiZone, options.enableMultiZone ?? false, "f");
+        __classPrivateFieldSet(this, _TokenVerifier_audience, options.audience, "f");
+        __classPrivateFieldSet(this, _TokenVerifier_keyring, options.keyring ?? new JWKSOAuthKeyring(), "f");
+    }
+    async verifyToken(token) {
+        return __classPrivateFieldGet(this, _TokenVerifier_instances, "m", _TokenVerifier_verify).call(this, token, undefined);
+    }
+    async verifyTokenForZone(token, zoneId) {
+        if (!zoneId) {
+            return null;
+        }
+        return __classPrivateFieldGet(this, _TokenVerifier_instances, "m", _TokenVerifier_verify).call(this, token, zoneId);
+    }
+    /**
+     * Flushes JWKS keys and discovery results from the underlying keyring.
+     * Use after a global key rotation. No-op if the injected keyring does
+     * not expose a `clear()` method.
+     */
+    clearCache() {
+        const keyring = __classPrivateFieldGet(this, _TokenVerifier_keyring, "f");
+        keyring.clear?.();
+    }
+}
+_TokenVerifier_issuer = new WeakMap(), _TokenVerifier_requiredScopes = new WeakMap(), _TokenVerifier_allowedAlgorithms = new WeakMap(), _TokenVerifier_enableMultiZone = new WeakMap(), _TokenVerifier_audience = new WeakMap(), _TokenVerifier_keyring = new WeakMap(), _TokenVerifier_instances = new WeakSet(), _TokenVerifier_verify = async function _TokenVerifier_verify(token, zoneId) {
+    let audience;
+    if (typeof __classPrivateFieldGet(this, _TokenVerifier_audience, "f") === "string") {
+        audience = __classPrivateFieldGet(this, _TokenVerifier_audience, "f");
+    }
+    else if (__classPrivateFieldGet(this, _TokenVerifier_audience, "f") !== undefined) {
+        if (!zoneId || !Object.prototype.hasOwnProperty.call(__classPrivateFieldGet(this, _TokenVerifier_audience, "f"), zoneId)) {
+            return null;
+        }
+        audience = __classPrivateFieldGet(this, _TokenVerifier_audience, "f")[zoneId];
+    }
+    const issuer = __classPrivateFieldGet(this, _TokenVerifier_enableMultiZone, "f") && zoneId
+        ? buildZoneScopedIssuer(__classPrivateFieldGet(this, _TokenVerifier_issuer, "f"), zoneId)
+        : __classPrivateFieldGet(this, _TokenVerifier_issuer, "f");
+    try {
+        const verifier = new JWTVerifier(__classPrivateFieldGet(this, _TokenVerifier_keyring, "f"), {
+            issuers: [issuer],
+            audiences: audience,
+            algorithms: __classPrivateFieldGet(this, _TokenVerifier_allowedAlgorithms, "f"),
+        });
+        const claims = await verifier.verify(token);
+        if (!__classPrivateFieldGet(this, _TokenVerifier_instances, "m", _TokenVerifier_scopesSatisfied).call(this, claims)) {
+            return null;
+        }
+        return toAccessToken(token, claims);
+    }
+    catch {
+        return null;
+    }
+}, _TokenVerifier_scopesSatisfied = function _TokenVerifier_scopesSatisfied(claims) {
+    if (__classPrivateFieldGet(this, _TokenVerifier_requiredScopes, "f").length === 0) {
+        return true;
+    }
+    if (typeof claims.scope !== "string") {
+        return false;
+    }
+    const tokenScopes = new Set(claims.scope.split(" ").filter(Boolean));
+    return __classPrivateFieldGet(this, _TokenVerifier_requiredScopes, "f").every((s) => tokenScopes.has(s));
+};
+function toAccessToken(token, claims) {
+    const scopes = typeof claims.scope === "string"
+        ? claims.scope.split(" ").filter(Boolean)
+        : [];
+    const resourceClaim = claims["resource"];
+    const resource = typeof resourceClaim === "string" ? resourceClaim : undefined;
+    const expiresAt = typeof claims.exp === "number" ? claims.exp : undefined;
+    // JWTVerifier validates client_id is present and a non-empty string before
+    // returning, so this assertion is load-bearing only at the type boundary.
+    return {
+        token,
+        clientId: claims.client_id,
+        scopes,
+        expiresAt,
+        resource,
+    };
+}
+function buildZoneScopedIssuer(baseIssuer, zoneId) {
+    const url = new URL(baseIssuer);
+    return `${url.protocol}//${zoneId}.${url.host}`;
+}
+//# sourceMappingURL=tokenVerifier.js.map

package/dist/esm/server/tokenVerifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenVerifier.js","sourceRoot":"","sources":["../../../src/server/tokenVerifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,gBAAgB,EAAqB,MAAM,eAAe,CAAC;AAIpE,MAAM,0BAA0B,GAAG,CAAC,OAAO,CAAU,CAAC;AAqCtD,MAAM,OAAO,aAAa;IAQxB,YAAY,OAA6B;;QAPzC,wCAAgB;QAChB,gDAAmC;QACnC,mDAAsC;QACtC,iDAA0B;QAC1B,0CAA4C;QAC5C,yCAAuB;QAGrB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,uBAAA,IAAI,yBAAW,OAAO,CAAC,MAAM,MAAA,CAAC;QAC9B,uBAAA,IAAI,iCAAmB,OAAO,CAAC,cAAc,IAAI,EAAE,MAAA,CAAC;QACpD,uBAAA,IAAI,oCAAsB,OAAO,CAAC,iBAAiB,IAAI,0BAA0B,MAAA,CAAC;QAClF,uBAAA,IAAI,kCAAoB,OAAO,CAAC,eAAe,IAAI,KAAK,MAAA,CAAC;QACzD,uBAAA,IAAI,2BAAa,OAAO,CAAC,QAAQ,MAAA,CAAC;QAClC,uBAAA,IAAI,0BAAY,OAAO,CAAC,OAAO,IAAI,IAAI,gBAAgB,EAAE,MAAA,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,OAAO,uBAAA,IAAI,uDAAQ,MAAZ,IAAI,EAAS,KAAK,EAAE,SAAS,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAa,EAAE,MAAc;QACpD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,uBAAA,IAAI,uDAAQ,MAAZ,IAAI,EAAS,KAAK,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IAED;;;;OAIG;IACH,UAAU;QACR,MAAM,OAAO,GAAG,uBAAA,IAAI,8BAAmC,CAAC;QACxD,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IACpB,CAAC;CA2CF;2UAzCC,KAAK,gCAAS,KAAa,EAAE,MAA0B;IACrD,IAAI,QAA4B,CAAC;IACjC,IAAI,OAAO,uBAAA,IAAI,+BAAU,KAAK,QAAQ,EAAE,CAAC;QACvC,QAAQ,GAAG,uBAAA,IAAI,+BAAU,CAAC;IAC5B,CAAC;SAAM,IAAI,uBAAA,IAAI,+BAAU,KAAK,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,uBAAA,IAAI,+BAAU,EAAE,MAAM,CAAC,EAAE,CAAC;YAC7E,OAAO,IAAI,CAAC;QACd,CAAC;QACD,QAAQ,GAAG,uBAAA,IAAI,+BAAU,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,MAAM,GAAG,uBAAA,IAAI,sCAAiB,IAAI,MAAM;QAC5C,CAAC,CAAC,qBAAqB,CAAC,uBAAA,IAAI,6BAAQ,EAAE,MAAM,CAAC;QAC7C,CAAC,CAAC,uBAAA,IAAI,6BAAQ,CAAC;IAEjB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,WAAW,CAAC,uBAAA,IAAI,8BAAS,EAAE;YAC9C,OAAO,EAAE,CAAC,MAAM,CAAC;YACjB,SAAS,EAAE,QAAQ;YACnB,UAAU,EAAE,uBAAA,IAAI,wCAAmB;SACpC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,uBAAA,IAAI,gEAAiB,MAArB,IAAI,EAAkB,MAAM,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,2EAEgB,MAAiB;IAChC,IAAI,uBAAA,IAAI,qCAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IACrE,OAAO,uBAAA,IAAI,qCAAgB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/D,CAAC;AAGH,SAAS,aAAa,CAAC,KAAa,EAAE,MAAiB;IACrD,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ;QAC7C,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QACzC,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,OAAO,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAC1E,2EAA2E;IAC3E,0EAA0E;IAC1E,OAAO;QACL,KAAK;QACL,QAAQ,EAAE,MAAM,CAAC,SAAmB;QACpC,MAAM;QACN,SAAS;QACT,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,UAAkB,EAAE,MAAc;IAC/D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IAChC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;AAClD,CAAC"}