@keycardai/oauth 0.5.0 → 0.7.0

package/dist/esm/pkce.js

@@ -0,0 +1,206 @@
+import base64url from "./base64url.js";
+import { fetchAuthorizationServerMetadata } from "./discovery.js";
+import { OAuthError } from "./errors.js";
+/**
+ * Generate a cryptographically random PKCE code verifier (RFC 7636 §4.1).
+ *
+ * Returns a 43-character base64url string (32 random bytes). Runtime-agnostic:
+ * uses the global `crypto.getRandomValues` which is available in Node 19+,
+ * Cloudflare Workers, and browsers.
+ */
+export function generateCodeVerifier() {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    return base64url.encode(bytes.buffer);
+}
+/**
+ * Derive a PKCE code challenge from a code verifier (RFC 7636 §4.2).
+ *
+ * S256 (default): `BASE64URL(SHA-256(ASCII(code_verifier)))`
+ * plain: returns the verifier unchanged (not recommended; use only when
+ * the AS does not support S256).
+ */
+export async function generateCodeChallenge(verifier, method = "S256") {
+    if (method === "plain") {
+        return verifier;
+    }
+    const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
+    return base64url.encode(digest);
+}
+/**
+ * Generate a PKCE pair (verifier + challenge) in one call.
+ */
+export async function generatePkcePair(method = "S256") {
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = await generateCodeChallenge(codeVerifier, method);
+    return { codeVerifier, codeChallenge, codeChallengeMethod: method };
+}
+/**
+ * Exchange an authorization code for tokens (RFC 6749 §4.1.3 + RFC 7636).
+ *
+ * Discovers `token_endpoint` from the AS metadata, then POSTs
+ * `grant_type=authorization_code` with the code verifier.
+ */
+export async function exchangeAuthorizationCode(issuerUrl, code, options) {
+    const metadata = await fetchAuthorizationServerMetadata(issuerUrl, {
+        signal: options.signal,
+    });
+    if (!metadata.token_endpoint) {
+        throw new Error(`Authorization server "${issuerUrl}" does not advertise a token_endpoint`);
+    }
+    const params = new URLSearchParams();
+    params.set("grant_type", "authorization_code");
+    params.set("code", code);
+    params.set("code_verifier", options.codeVerifier);
+    params.set("redirect_uri", options.redirectUri);
+    if (options.clientId)
+        params.set("client_id", options.clientId);
+    const headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+    };
+    if (options.clientId && options.clientSecret) {
+        headers["Authorization"] = `Basic ${btoa(`${options.clientId}:${options.clientSecret}`)}`;
+        params.delete("client_id");
+    }
+    const response = await fetch(metadata.token_endpoint, {
+        method: "POST",
+        headers,
+        body: params.toString(),
+        signal: options.signal,
+    });
+    if (!response.ok) {
+        let errorBody = null;
+        try {
+            const json = await response.json();
+            if (json && typeof json === "object" && !Array.isArray(json)) {
+                errorBody = json;
+            }
+        }
+        catch {
+            // non-JSON error body — fall through to generic error
+        }
+        if (errorBody && typeof errorBody.error === "string") {
+            const description = typeof errorBody.error_description === "string"
+                ? errorBody.error_description
+                : errorBody.error;
+            const errorUri = typeof errorBody.error_uri === "string" ? errorBody.error_uri : undefined;
+            throw new OAuthError(errorBody.error, description, errorUri);
+        }
+        throw new Error(`Authorization code exchange failed (HTTP ${response.status})`);
+    }
+    const json = await response.json();
+    if (!json || typeof json !== "object" || Array.isArray(json)) {
+        throw new Error("Token endpoint response is not a valid JSON object");
+    }
+    const body = json;
+    const accessToken = body.access_token;
+    if (typeof accessToken !== "string" || !accessToken) {
+        throw new Error("Token endpoint response missing access_token");
+    }
+    const tokenResponse = {
+        accessToken,
+        tokenType: typeof body.token_type === "string" ? body.token_type : "bearer",
+    };
+    if (typeof body.expires_in === "number")
+        tokenResponse.expiresIn = body.expires_in;
+    if (typeof body.refresh_token === "string")
+        tokenResponse.refreshToken = body.refresh_token;
+    if (typeof body.scope === "string") {
+        tokenResponse.scope = body.scope.split(" ").filter(Boolean);
+    }
+    return tokenResponse;
+}
+/**
+ * Full authorization-code-with-PKCE flow for local/CLI contexts.
+ *
+ * Generates a PKCE pair, builds the authorization URL, opens the user's
+ * browser, starts a local loopback HTTP server to receive the redirect,
+ * and exchanges the authorization code for tokens.
+ *
+ * **Requires Node.js.** Uses `node:http` and `node:child_process` via
+ * dynamic import. Importing this module is safe in any runtime; only
+ * *calling* `authenticate()` requires Node.js.
+ */
+export async function authenticate(issuerUrl, options) {
+    const port = options.port ?? 8080;
+    const redirectUri = options.redirectUri ?? `http://localhost:${port}/callback`;
+    const timeoutMs = options.timeoutMs ?? 60_000;
+    const { codeVerifier, codeChallenge } = await generatePkcePair("S256");
+    const metadata = await fetchAuthorizationServerMetadata(issuerUrl);
+    if (!metadata.authorization_endpoint) {
+        throw new Error(`Authorization server "${issuerUrl}" does not advertise an authorization_endpoint`);
+    }
+    const authUrl = new URL(metadata.authorization_endpoint);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("client_id", options.clientId);
+    authUrl.searchParams.set("redirect_uri", redirectUri);
+    authUrl.searchParams.set("code_challenge", codeChallenge);
+    authUrl.searchParams.set("code_challenge_method", "S256");
+    if (options.scopes && options.scopes.length > 0) {
+        authUrl.searchParams.set("scope", options.scopes.join(" "));
+    }
+    await openBrowser(authUrl.toString());
+    const code = await waitForCode(port, redirectUri, timeoutMs);
+    return exchangeAuthorizationCode(issuerUrl, code, {
+        codeVerifier,
+        redirectUri,
+        clientId: options.clientId,
+        clientSecret: options.clientSecret,
+    });
+}
+async function openBrowser(url) {
+    const { execFile } = await import("node:child_process");
+    if (process.platform === "darwin") {
+        execFile("open", [url]);
+    }
+    else if (process.platform === "win32") {
+        // `start` is a cmd.exe built-in, not a standalone executable.
+        execFile("cmd", ["/c", "start", "", url]);
+    }
+    else {
+        execFile("xdg-open", [url]);
+    }
+}
+async function waitForCode(port, redirectUri, timeoutMs) {
+    // Import before entering the Promise constructor to avoid the async-executor
+    // anti-pattern: if the dynamic import throws, the rejection propagates through
+    // this async function rather than escaping an async Promise constructor.
+    const { createServer } = await import("node:http");
+    return new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+            server.close();
+            reject(new Error(`PKCE authentication timed out after ${timeoutMs}ms`));
+        }, timeoutMs);
+        const server = createServer((req, res) => {
+            try {
+                const reqUrl = new URL(req.url ?? "/", redirectUri);
+                const code = reqUrl.searchParams.get("code");
+                const error = reqUrl.searchParams.get("error");
+                res.writeHead(200, { "Content-Type": "text/html" });
+                res.end("<html><body><p>Authentication complete. You can close this tab.</p></body></html>");
+                server.close();
+                clearTimeout(timer);
+                if (error) {
+                    reject(new OAuthError(error, reqUrl.searchParams.get("error_description") ?? error));
+                }
+                else if (code) {
+                    resolve(code);
+                }
+                else {
+                    reject(new Error("No authorization code in redirect"));
+                }
+            }
+            catch (e) {
+                server.close();
+                clearTimeout(timer);
+                reject(e);
+            }
+        });
+        server.listen(port, "localhost");
+        server.on("error", (err) => {
+            clearTimeout(timer);
+            reject(new Error(`Failed to start loopback server on port ${port}: ${err.message}`));
+        });
+    });
+}
+//# sourceMappingURL=pkce.js.map

package/dist/esm/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,gBAAgB,CAAC;AACvC,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAazC;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,MAAqB,CAAC,CAAC;AACvD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAAgB,EAChB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,SAAS,EACT,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CACnC,CAAC;IACF,OAAO,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAA2B,MAAM;IACtE,MAAM,YAAY,GAAG,oBAAoB,EAAE,CAAC;IAC5C,MAAM,aAAa,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACxE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,EAAE,CAAC;AACtE,CAAC;AAcD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,SAAiB,EACjB,IAAY,EACZ,OAAyC;IAEzC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,SAAS,EAAE;QACjE,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,uCAAuC,CAC1E,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhE,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;KACpD,CAAC;IACF,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC7C,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,cAAc,EAAE;QACpD,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,SAAS,GAAmC,IAAI,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;YAC9C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,SAAS,GAAG,IAA+B,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,IAAI,SAAS,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;gBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;YACpB,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3F,MAAM,IAAI,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;IAC9C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,GAAG,IAA+B,CAAC;IAE7C,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,aAAa,GAAkB;QACnC,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IACF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IACnF,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,aAAa,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IAC5F,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,aAAa,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAkBD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,OAA4B;IAE5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;IAClC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,IAAI,WAAW,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC;IAE9C,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEvE,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,SAAS,CAAC,CAAC;IACnE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,gDAAgD,CACnF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;IACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,WAAW,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAEtC,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;IAE7D,OAAO,yBAAyB,CAAC,SAAS,EAAE,IAAI,EAAE;QAChD,YAAY;QACZ,WAAW;QACX,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,GAAW;IACpC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACxC,8DAA8D;QAC9D,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,IAAY,EAAE,WAAmB,EAAE,SAAiB;IAC7E,6EAA6E;IAC7E,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,SAAS,IAAI,CAAC,CAAC,CAAC;QAC1E,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,WAAW,CAAC,CAAC;gBACpD,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAE/C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;gBAE7F,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBAEpB,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC;gBACvF,CAAC;qBAAM,IAAI,IAAI,EAAE,CAAC;oBAChB,OAAO,CAAC,IAAI,CAAC,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACjC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,KAAK,CAAC,2CAA2C,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/esm/server/eksWorkloadIdentity.d.ts

@@ -0,0 +1,22 @@
+import type { ApplicationCredential } from "../credentials.js";
+import type { TokenExchangeRequest } from "../tokenExchange.js";
+export interface EKSWorkloadIdentityOptions {
+    tokenFilePath?: string;
+    envVarName?: string;
+}
+/**
+ * EKS pod identity credential provider. Reads the workload identity token
+ * from the mounted file path (resolved from the standard EKS environment
+ * variables or the explicit `tokenFilePath` option) and uses it as a
+ * client assertion in RFC 8693 token exchange requests.
+ *
+ * **Requires Node.js.** Reads the token file synchronously from the
+ * filesystem at construction and exchange time.
+ */
+export declare class EKSWorkloadIdentity implements ApplicationCredential {
+    #private;
+    constructor(options?: EKSWorkloadIdentityOptions);
+    getAuth(): null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string): Promise<TokenExchangeRequest>;
+}
+//# sourceMappingURL=eksWorkloadIdentity.d.ts.map

package/dist/esm/server/eksWorkloadIdentity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"eksWorkloadIdentity.d.ts","sourceRoot":"","sources":["../../../src/server/eksWorkloadIdentity.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAQhE,MAAM,WAAW,0BAA0B;IACzC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,qBAAa,mBAAoB,YAAW,qBAAqB;;gBAGnD,OAAO,CAAC,EAAE,0BAA0B;IAmBhD,OAAO,IAAI,IAAI;IAIT,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC;CA+BjC"}

package/dist/esm/server/eksWorkloadIdentity.js

@@ -0,0 +1,80 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _EKSWorkloadIdentity_instances, _EKSWorkloadIdentity_tokenFilePath, _EKSWorkloadIdentity_validateTokenFile, _EKSWorkloadIdentity_readToken;
+import * as fs from "node:fs";
+const DEFAULT_EKS_ENV_VARS = [
+    "KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE",
+    "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE",
+    "AWS_WEB_IDENTITY_TOKEN_FILE",
+];
+/**
+ * EKS pod identity credential provider. Reads the workload identity token
+ * from the mounted file path (resolved from the standard EKS environment
+ * variables or the explicit `tokenFilePath` option) and uses it as a
+ * client assertion in RFC 8693 token exchange requests.
+ *
+ * **Requires Node.js.** Reads the token file synchronously from the
+ * filesystem at construction and exchange time.
+ */
+export class EKSWorkloadIdentity {
+    constructor(options) {
+        _EKSWorkloadIdentity_instances.add(this);
+        _EKSWorkloadIdentity_tokenFilePath.set(this, void 0);
+        if (options?.tokenFilePath) {
+            __classPrivateFieldSet(this, _EKSWorkloadIdentity_tokenFilePath, options.tokenFilePath, "f");
+        }
+        else {
+            const envNames = options?.envVarName
+                ? [options.envVarName, ...DEFAULT_EKS_ENV_VARS]
+                : DEFAULT_EKS_ENV_VARS;
+            const found = envNames.find((name) => process.env[name]);
+            if (!found || !process.env[found]) {
+                throw new Error(`EKSWorkloadIdentity: could not find token file path in environment variables. ` +
+                    `Checked: ${envNames.join(", ")}`);
+            }
+            __classPrivateFieldSet(this, _EKSWorkloadIdentity_tokenFilePath, process.env[found], "f");
+        }
+        __classPrivateFieldGet(this, _EKSWorkloadIdentity_instances, "m", _EKSWorkloadIdentity_validateTokenFile).call(this);
+    }
+    getAuth() {
+        return null;
+    }
+    async prepareTokenExchangeRequest(subjectToken, resource) {
+        return {
+            subjectToken,
+            resource,
+            subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
+            clientAssertionType: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+            clientAssertion: __classPrivateFieldGet(this, _EKSWorkloadIdentity_instances, "m", _EKSWorkloadIdentity_readToken).call(this),
+        };
+    }
+}
+_EKSWorkloadIdentity_tokenFilePath = new WeakMap(), _EKSWorkloadIdentity_instances = new WeakSet(), _EKSWorkloadIdentity_validateTokenFile = function _EKSWorkloadIdentity_validateTokenFile() {
+    try {
+        const token = fs.readFileSync(__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f"), "utf-8").trim();
+        if (!token) {
+            throw new Error(`EKSWorkloadIdentity: token file is empty: ${__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f")}`);
+        }
+    }
+    catch (error) {
+        if (error instanceof Error && error.message.startsWith("EKSWorkloadIdentity:"))
+            throw error;
+        throw new Error(`EKSWorkloadIdentity: error reading token file "${__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f")}": ${error}`);
+    }
+}, _EKSWorkloadIdentity_readToken = function _EKSWorkloadIdentity_readToken() {
+    const token = fs.readFileSync(__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f"), "utf-8").trim();
+    if (!token) {
+        throw new Error(`EKSWorkloadIdentity: token file is empty: ${__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f")}`);
+    }
+    return token;
+};
+//# sourceMappingURL=eksWorkloadIdentity.js.map

package/dist/esm/server/eksWorkloadIdentity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"eksWorkloadIdentity.js","sourceRoot":"","sources":["../../../src/server/eksWorkloadIdentity.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAI9B,MAAM,oBAAoB,GAAG;IAC3B,0CAA0C;IAC1C,wCAAwC;IACxC,6BAA6B;CAC9B,CAAC;AAOF;;;;;;;;GAQG;AACH,MAAM,OAAO,mBAAmB;IAG9B,YAAY,OAAoC;;QAFhD,qDAAuB;QAGrB,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;YAC3B,uBAAA,IAAI,sCAAkB,OAAO,CAAC,aAAa,MAAA,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,MAAM,QAAQ,GAAG,OAAO,EAAE,UAAU;gBAClC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,oBAAoB,CAAC;gBAC/C,CAAC,CAAC,oBAAoB,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;YACzD,IAAI,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CACb,gFAAgF;oBAChF,YAAY,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAClC,CAAC;YACJ,CAAC;YACD,uBAAA,IAAI,sCAAkB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAE,MAAA,CAAC;QAC5C,CAAC;QACD,uBAAA,IAAI,8EAAmB,MAAvB,IAAI,CAAqB,CAAC;IAC5B,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB;QAEhB,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,+CAA+C;YACjE,mBAAmB,EAAE,wDAAwD;YAC7E,eAAe,EAAE,uBAAA,IAAI,sEAAW,MAAf,IAAI,CAAa;SACnC,CAAC;IACJ,CAAC;CAuBF;;IApBG,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,YAAY,CAAC,uBAAA,IAAI,0CAAe,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACnE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6CAA6C,uBAAA,IAAI,0CAAe,EAAE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,sBAAsB,CAAC;YAAE,MAAM,KAAK,CAAC;QAC5F,MAAM,IAAI,KAAK,CACb,kDAAkD,uBAAA,IAAI,0CAAe,MAAM,KAAK,EAAE,CACnF,CAAC;IACJ,CAAC;AACH,CAAC;IAGC,MAAM,KAAK,GAAG,EAAE,CAAC,YAAY,CAAC,uBAAA,IAAI,0CAAe,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;IACnE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,6CAA6C,uBAAA,IAAI,0CAAe,EAAE,CAAC,CAAC;IACtF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/esm/server/index.d.ts

@@ -5,4 +5,10 @@ export { TokenVerifier } from "./tokenVerifier.js";
 export type { TokenVerifierOptions } from "./tokenVerifier.js";
 export { ClientSecret } from "./clientSecret.js";
 export type { ClientSecretCredentials } from "./clientSecret.js";
+export { FilePrivateKeyStorage, PrivateKeyManager } from "./privateKey.js";
+export type { PrivateKeyStorage, JsonWebKey } from "./privateKey.js";
+export { WebIdentity } from "./webIdentity.js";
+export type { WebIdentityOptions } from "./webIdentity.js";
+export { EKSWorkloadIdentity } from "./eksWorkloadIdentity.js";
+export type { EKSWorkloadIdentityOptions } from "./eksWorkloadIdentity.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC3E,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,YAAY,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC3E,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,YAAY,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,YAAY,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,YAAY,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,YAAY,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/esm/server/index.js

@@ -1,4 +1,7 @@
 export { AccessContext } from "./accessContext.js";
 export { TokenVerifier } from "./tokenVerifier.js";
 export { ClientSecret } from "./clientSecret.js";
+export { FilePrivateKeyStorage, PrivateKeyManager } from "./privateKey.js";
+export { WebIdentity } from "./webIdentity.js";
+export { EKSWorkloadIdentity } from "./eksWorkloadIdentity.js";
 //# sourceMappingURL=index.js.map

package/dist/esm/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGnD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGnD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAE3E,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAE/C,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/esm/server/privateKey.d.ts

@@ -0,0 +1,47 @@
+export interface JsonWebKey {
+    kty: string;
+    alg?: string;
+    use?: string;
+    kid?: string;
+    n?: string;
+    e?: string;
+    [key: string]: unknown;
+}
+export interface PrivateKeyStorage {
+    exists(keyId: string): Promise<boolean>;
+    storeKeyPair(keyId: string, privateKeyPem: string, publicKeyJwk: JsonWebKey): Promise<void>;
+    loadKeyPair(keyId: string): Promise<{
+        privateKeyPem: string;
+        publicKeyJwk: JsonWebKey;
+    }>;
+    deleteKeyPair(keyId: string): Promise<boolean>;
+    listKeyIds(): Promise<string[]>;
+}
+export declare class FilePrivateKeyStorage implements PrivateKeyStorage {
+    #private;
+    constructor(storageDir: string);
+    exists(keyId: string): Promise<boolean>;
+    storeKeyPair(keyId: string, privateKeyPem: string, publicKeyJwk: JsonWebKey): Promise<void>;
+    loadKeyPair(keyId: string): Promise<{
+        privateKeyPem: string;
+        publicKeyJwk: JsonWebKey;
+    }>;
+    deleteKeyPair(keyId: string): Promise<boolean>;
+    listKeyIds(): Promise<string[]>;
+}
+export declare class PrivateKeyManager {
+    #private;
+    constructor(options: {
+        storage: PrivateKeyStorage;
+        keyId?: string;
+        audienceConfig?: string | Record<string, string>;
+    });
+    bootstrapIdentity(): Promise<void>;
+    createClientAssertion(issuer: string, audience: string, expirySeconds?: number): Promise<string>;
+    getPublicJwks(): {
+        keys: JsonWebKey[];
+    };
+    getClientId(): string;
+    getClientJwksUrl(resourceServerUrl: string): string;
+}
+//# sourceMappingURL=privateKey.d.ts.map

package/dist/esm/server/privateKey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"privateKey.d.ts","sourceRoot":"","sources":["../../../src/server/privateKey.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACxC,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5F,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,UAAU,CAAA;KAAE,CAAC,CAAC;IACzF,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/C,UAAU,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;CACjC;AAMD,qBAAa,qBAAsB,YAAW,iBAAiB;;gBAGjD,UAAU,EAAE,MAAM;IAIxB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUvC,YAAY,CAChB,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,EACrB,YAAY,EAAE,UAAU,GACvB,OAAO,CAAC,IAAI,CAAC;IAeV,WAAW,CACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,UAAU,CAAA;KAAE,CAAC;IASzD,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAO9C,UAAU,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;CAqBtC;AAMD,qBAAa,iBAAiB;;gBAOhB,OAAO,EAAE;QACnB,OAAO,EAAE,iBAAiB,CAAC;QAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAClD;IAMK,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC;IAUlC,qBAAqB,CACzB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,aAAa,SAAM,GAClB,OAAO,CAAC,MAAM,CAAC;IAiBlB,aAAa,IAAI;QAAE,IAAI,EAAE,UAAU,EAAE,CAAA;KAAE;IAOvC,WAAW,IAAI,MAAM;IAIrB,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM;CA0BpD"}

package/dist/esm/server/privateKey.js

@@ -0,0 +1,195 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _FilePrivateKeyStorage_instances, _FilePrivateKeyStorage_storageDir, _FilePrivateKeyStorage_keyPath, _FilePrivateKeyStorage_metadataPath, _PrivateKeyManager_instances, _PrivateKeyManager_storage, _PrivateKeyManager_keyId, _PrivateKeyManager_audienceConfig, _PrivateKeyManager_privateKeyPem, _PrivateKeyManager_publicKeyJwk, _PrivateKeyManager_generateAndStoreKeyPair, _PemPrivateKeyring_pem, _PemPrivateKeyring_kid, _PemPrivateKeyring_issuer;
+import * as crypto from "node:crypto";
+import * as fs from "node:fs/promises";
+import * as path from "node:path";
+import { JWTSigner } from "../jwt/signer.js";
+// =============================================================================
+// File-Based Storage
+// =============================================================================
+export class FilePrivateKeyStorage {
+    constructor(storageDir) {
+        _FilePrivateKeyStorage_instances.add(this);
+        _FilePrivateKeyStorage_storageDir.set(this, void 0);
+        __classPrivateFieldSet(this, _FilePrivateKeyStorage_storageDir, storageDir, "f");
+    }
+    async exists(keyId) {
+        try {
+            await fs.access(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId));
+            await fs.access(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async storeKeyPair(keyId, privateKeyPem, publicKeyJwk) {
+        await fs.mkdir(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), { recursive: true });
+        const metadata = {
+            key_id: keyId,
+            public_key_jwk: publicKeyJwk,
+            created_at: Date.now() / 1000,
+            algorithm: "RS256",
+        };
+        await fs.writeFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId), privateKeyPem, { encoding: "utf-8", mode: 0o600 });
+        await fs.writeFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId), JSON.stringify(metadata, null, 2), {
+            encoding: "utf-8",
+            mode: 0o644,
+        });
+    }
+    async loadKeyPair(keyId) {
+        const [privateKeyPem, metadataRaw] = await Promise.all([
+            fs.readFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId), "utf-8"),
+            fs.readFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId), "utf-8"),
+        ]);
+        const metadata = JSON.parse(metadataRaw);
+        return { privateKeyPem, publicKeyJwk: metadata.public_key_jwk };
+    }
+    async deleteKeyPair(keyId) {
+        let deleted = false;
+        try {
+            await fs.unlink(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId));
+            deleted = true;
+        }
+        catch { /* ignore */ }
+        try {
+            await fs.unlink(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId));
+            deleted = true;
+        }
+        catch { /* ignore */ }
+        return deleted;
+    }
+    async listKeyIds() {
+        try {
+            const files = await fs.readdir(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"));
+            const keyIds = [];
+            for (const file of files.filter((f) => f.endsWith(".json"))) {
+                const keyId = file.replace(/\.json$/, "");
+                if (await this.exists(keyId))
+                    keyIds.push(keyId);
+            }
+            return keyIds.sort();
+        }
+        catch {
+            return [];
+        }
+    }
+}
+_FilePrivateKeyStorage_storageDir = new WeakMap(), _FilePrivateKeyStorage_instances = new WeakSet(), _FilePrivateKeyStorage_keyPath = function _FilePrivateKeyStorage_keyPath(keyId) {
+    return path.join(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), `${keyId}.pem`);
+}, _FilePrivateKeyStorage_metadataPath = function _FilePrivateKeyStorage_metadataPath(keyId) {
+    return path.join(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), `${keyId}.json`);
+};
+// =============================================================================
+// Private Key Manager
+// =============================================================================
+export class PrivateKeyManager {
+    constructor(options) {
+        _PrivateKeyManager_instances.add(this);
+        _PrivateKeyManager_storage.set(this, void 0);
+        _PrivateKeyManager_keyId.set(this, void 0);
+        _PrivateKeyManager_audienceConfig.set(this, void 0);
+        _PrivateKeyManager_privateKeyPem.set(this, void 0);
+        _PrivateKeyManager_publicKeyJwk.set(this, void 0);
+        __classPrivateFieldSet(this, _PrivateKeyManager_storage, options.storage, "f");
+        __classPrivateFieldSet(this, _PrivateKeyManager_keyId, options.keyId ?? crypto.randomUUID(), "f");
+        __classPrivateFieldSet(this, _PrivateKeyManager_audienceConfig, options.audienceConfig, "f");
+    }
+    async bootstrapIdentity() {
+        if (await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").exists(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"))) {
+            const { privateKeyPem, publicKeyJwk } = await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").loadKeyPair(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"));
+            __classPrivateFieldSet(this, _PrivateKeyManager_privateKeyPem, privateKeyPem, "f");
+            __classPrivateFieldSet(this, _PrivateKeyManager_publicKeyJwk, publicKeyJwk, "f");
+        }
+        else {
+            await __classPrivateFieldGet(this, _PrivateKeyManager_instances, "m", _PrivateKeyManager_generateAndStoreKeyPair).call(this);
+        }
+    }
+    async createClientAssertion(issuer, audience, expirySeconds = 300) {
+        if (!__classPrivateFieldGet(this, _PrivateKeyManager_privateKeyPem, "f") || !__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")) {
+            throw new Error("Identity not bootstrapped. Call bootstrapIdentity() first.");
+        }
+        const keyring = new PemPrivateKeyring(__classPrivateFieldGet(this, _PrivateKeyManager_privateKeyPem, "f"), __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"), issuer);
+        const signer = new JWTSigner(keyring);
+        const now = Math.floor(Date.now() / 1000);
+        return signer.sign({
+            iss: issuer,
+            sub: issuer,
+            aud: audience,
+            jti: crypto.randomUUID(),
+            iat: now,
+            exp: now + expirySeconds,
+        });
+    }
+    getPublicJwks() {
+        if (!__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")) {
+            throw new Error("Identity not bootstrapped. Call bootstrapIdentity() first.");
+        }
+        return { keys: [__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")] };
+    }
+    getClientId() {
+        return __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f");
+    }
+    getClientJwksUrl(resourceServerUrl) {
+        const url = new URL(resourceServerUrl);
+        return `${url.protocol}//${url.host}/.well-known/jwks.json`;
+    }
+}
+_PrivateKeyManager_storage = new WeakMap(), _PrivateKeyManager_keyId = new WeakMap(), _PrivateKeyManager_audienceConfig = new WeakMap(), _PrivateKeyManager_privateKeyPem = new WeakMap(), _PrivateKeyManager_publicKeyJwk = new WeakMap(), _PrivateKeyManager_instances = new WeakSet(), _PrivateKeyManager_generateAndStoreKeyPair = async function _PrivateKeyManager_generateAndStoreKeyPair() {
+    const keyPair = crypto.generateKeyPairSync("rsa", {
+        modulusLength: 2048,
+        publicKeyEncoding: { type: "spki", format: "pem" },
+        privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    });
+    const privateKeyPem = String(keyPair.privateKey);
+    const publicKeyObj = crypto.createPublicKey(String(keyPair.publicKey));
+    const jwk = publicKeyObj.export({ format: "jwk" });
+    const publicKeyJwk = {
+        kty: jwk.kty,
+        n: jwk.n,
+        e: jwk.e,
+        kid: __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"),
+        alg: "RS256",
+        use: "sig",
+    };
+    await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").storeKeyPair(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"), privateKeyPem, publicKeyJwk);
+    __classPrivateFieldSet(this, _PrivateKeyManager_privateKeyPem, privateKeyPem, "f");
+    __classPrivateFieldSet(this, _PrivateKeyManager_publicKeyJwk, publicKeyJwk, "f");
+};
+// =============================================================================
+// PEM-based PrivateKeyring adapter (implements PrivateKeyring from @keycardai/oauth)
+// =============================================================================
+class PemPrivateKeyring {
+    constructor(pem, kid, issuer) {
+        _PemPrivateKeyring_pem.set(this, void 0);
+        _PemPrivateKeyring_kid.set(this, void 0);
+        _PemPrivateKeyring_issuer.set(this, void 0);
+        __classPrivateFieldSet(this, _PemPrivateKeyring_pem, pem, "f");
+        __classPrivateFieldSet(this, _PemPrivateKeyring_kid, kid, "f");
+        __classPrivateFieldSet(this, _PemPrivateKeyring_issuer, issuer, "f");
+    }
+    async key(_usage) {
+        const keyObj = crypto.createPrivateKey(__classPrivateFieldGet(this, _PemPrivateKeyring_pem, "f"));
+        const jwk = keyObj.export({ format: "jwk" });
+        const cryptoKey = await crypto.subtle.importKey("jwk", jwk, { name: "RSASSA-PKCS1-v1_5", hash: { name: "SHA-256" } }, false, ["sign"]);
+        return {
+            // node:crypto.webcrypto.CryptoKey and global CryptoKey are identical at
+            // runtime; the declaration split is a TypeScript-only artefact.
+            key: cryptoKey,
+            kid: __classPrivateFieldGet(this, _PemPrivateKeyring_kid, "f"),
+            issuer: __classPrivateFieldGet(this, _PemPrivateKeyring_issuer, "f"),
+        };
+    }
+}
+_PemPrivateKeyring_pem = new WeakMap(), _PemPrivateKeyring_kid = new WeakMap(), _PemPrivateKeyring_issuer = new WeakMap();
+//# sourceMappingURL=privateKey.js.map

package/dist/esm/server/privateKey.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"privateKey.js","sourceRoot":"","sources":["../../../src/server/privateKey.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAuB7C,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF,MAAM,OAAO,qBAAqB;IAGhC,YAAY,UAAkB;;QAF9B,oDAAoB;QAGlB,uBAAA,IAAI,qCAAe,UAAU,MAAA,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,CAAC,CAAC;YACtC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,CAAC,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,KAAa,EACb,aAAqB,EACrB,YAAwB;QAExB,MAAM,EAAE,CAAC,KAAK,CAAC,uBAAA,IAAI,yCAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG;YACf,MAAM,EAAE,KAAK;YACb,cAAc,EAAE,YAAY;YAC5B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI;YAC7B,SAAS,EAAE,OAAO;SACnB,CAAC;QACF,MAAM,EAAE,CAAC,SAAS,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,EAAE,aAAa,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5F,MAAM,EAAE,CAAC,SAAS,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;YAC/E,QAAQ,EAAE,OAAO;YACjB,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CACf,KAAa;QAEb,MAAM,CAAC,aAAa,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACrD,EAAE,CAAC,QAAQ,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,EAAE,OAAO,CAAC;YAC1C,EAAE,CAAC,QAAQ,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,EAAE,OAAO,CAAC;SAChD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAmC,CAAC;QAC3E,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,QAAQ,CAAC,cAAc,EAAE,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC;YAAC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,CAAC,CAAC;YAAC,OAAO,GAAG,IAAI,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QACrF,IAAI,CAAC;YAAC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,CAAC,CAAC;YAAC,OAAO,GAAG,IAAI,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAC1F,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,uBAAA,IAAI,yCAAY,CAAC,CAAC;YACjD,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;gBAC1C,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;oBAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnD,CAAC;YACD,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CASF;8KAPU,KAAa;IACpB,OAAO,IAAI,CAAC,IAAI,CAAC,uBAAA,IAAI,yCAAY,EAAE,GAAG,KAAK,MAAM,CAAC,CAAC;AACrD,CAAC,qFAEa,KAAa;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,uBAAA,IAAI,yCAAY,EAAE,GAAG,KAAK,OAAO,CAAC,CAAC;AACtD,CAAC;AAGH,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF,MAAM,OAAO,iBAAiB;IAO5B,YAAY,OAIX;;QAVD,6CAA4B;QAC5B,2CAAe;QACf,oDAAkD;QAClD,mDAAwB;QACxB,kDAA2B;QAOzB,uBAAA,IAAI,8BAAY,OAAO,CAAC,OAAO,MAAA,CAAC;QAChC,uBAAA,IAAI,4BAAU,OAAO,CAAC,KAAK,IAAI,MAAM,CAAC,UAAU,EAAE,MAAA,CAAC;QACnD,uBAAA,IAAI,qCAAmB,OAAO,CAAC,cAAc,MAAA,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,IAAI,MAAM,uBAAA,IAAI,kCAAS,CAAC,MAAM,CAAC,uBAAA,IAAI,gCAAO,CAAC,EAAE,CAAC;YAC5C,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,MAAM,uBAAA,IAAI,kCAAS,CAAC,WAAW,CAAC,uBAAA,IAAI,gCAAO,CAAC,CAAC;YACrF,uBAAA,IAAI,oCAAkB,aAAa,MAAA,CAAC;YACpC,uBAAA,IAAI,mCAAiB,YAAY,MAAA,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,MAAM,uBAAA,IAAI,gFAAyB,MAA7B,IAAI,CAA2B,CAAC;QACxC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,qBAAqB,CACzB,MAAc,EACd,QAAgB,EAChB,aAAa,GAAG,GAAG;QAEnB,IAAI,CAAC,uBAAA,IAAI,wCAAe,IAAI,CAAC,uBAAA,IAAI,uCAAc,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,iBAAiB,CAAC,uBAAA,IAAI,wCAAe,EAAE,uBAAA,IAAI,gCAAO,EAAE,MAAM,CAAC,CAAC;QAChF,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,OAAO,MAAM,CAAC,IAAI,CAAC;YACjB,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE;YACxB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,aAAa;SACzB,CAAC,CAAC;IACL,CAAC;IAED,aAAa;QACX,IAAI,CAAC,uBAAA,IAAI,uCAAc,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,CAAC,uBAAA,IAAI,uCAAc,CAAC,EAAE,CAAC;IACxC,CAAC;IAED,WAAW;QACT,OAAO,uBAAA,IAAI,gCAAO,CAAC;IACrB,CAAC;IAED,gBAAgB,CAAC,iBAAyB;QACxC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACvC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,wBAAwB,CAAC;IAC9D,CAAC;CAuBF;uUArBC,KAAK;IACH,MAAM,OAAO,GAAG,MAAM,CAAC,mBAAmB,CAAC,KAAK,EAAE;QAChD,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;QAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACjD,MAAM,YAAY,GAAG,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;IACvE,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACnD,MAAM,YAAY,GAAe;QAC/B,GAAG,EAAE,GAAG,CAAC,GAAI;QACb,CAAC,EAAG,GAAsB,CAAC,CAAE;QAC7B,CAAC,EAAG,GAAsB,CAAC,CAAE;QAC7B,GAAG,EAAE,uBAAA,IAAI,gCAAO;QAChB,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;KACX,CAAC;IACF,MAAM,uBAAA,IAAI,kCAAS,CAAC,YAAY,CAAC,uBAAA,IAAI,gCAAO,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;IAC3E,uBAAA,IAAI,oCAAkB,aAAa,MAAA,CAAC;IACpC,uBAAA,IAAI,mCAAiB,YAAY,MAAA,CAAC;AACpC,CAAC;AAGH,gFAAgF;AAChF,qFAAqF;AACrF,gFAAgF;AAEhF,MAAM,iBAAiB;IAKrB,YAAY,GAAW,EAAE,GAAW,EAAE,MAAc;QAJpD,yCAAa;QACb,yCAAa;QACb,4CAAgB;QAGd,uBAAA,IAAI,0BAAQ,GAAG,MAAA,CAAC;QAChB,uBAAA,IAAI,0BAAQ,GAAG,MAAA,CAAC;QAChB,uBAAA,IAAI,6BAAW,MAAM,MAAA,CAAC;IACxB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc;QACtB,MAAM,MAAM,GAAG,MAAM,CAAC,gBAAgB,CAAC,uBAAA,IAAI,8BAAK,CAAC,CAAC;QAClD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EACxD,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,OAAO;YACL,wEAAwE;YACxE,gEAAgE;YAChE,GAAG,EAAE,SAAsB;YAC3B,GAAG,EAAE,uBAAA,IAAI,8BAAK;YACd,MAAM,EAAE,uBAAA,IAAI,iCAAQ;SACrB,CAAC;IACJ,CAAC;CACF"}