@lastshotlabs/bunshot 0.0.21 → 0.0.27

package/dist/lib/emailVerification.js

@@ -2,8 +2,8 @@ import { getRedis } from "./redis";
 import { appConnection, mongoose } from "./mongo";
 import { getAppName, getTokenExpiry } from "./appConfig";
 import { sha256 } from "./crypto";
-import { sqliteCreateVerificationToken, sqliteGetVerificationToken, sqliteDeleteVerificationToken, } from "../adapters/sqliteAuth";
-import { memoryCreateVerificationToken, memoryGetVerificationToken, memoryDeleteVerificationToken, } from "../adapters/memoryAuth";
+import { sqliteCreateVerificationToken, sqliteGetVerificationToken, sqliteDeleteVerificationToken, sqliteConsumeVerificationToken, } from "../adapters/sqliteAuth";
+import { memoryCreateVerificationToken, memoryGetVerificationToken, memoryDeleteVerificationToken, memoryConsumeVerificationToken, } from "../adapters/memoryAuth";
 function getVerificationModel() {
     if (appConnection.models["EmailVerification"])
         return appConnection.models["EmailVerification"];
@@ -16,6 +16,25 @@ function getVerificationModel() {
     }, { collection: "email_verifications" });
     return appConnection.model("EmailVerification", verificationSchema);
 }
+// ---------------------------------------------------------------------------
+// Redis helpers
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(key) {
+    const redis = getRedis();
+    if (typeof redis.getdel === "function") {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? "";
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
 let _store = "redis";
 export const setEmailVerificationStore = (store) => { _store = store; };
 // ---------------------------------------------------------------------------
@@ -24,7 +43,9 @@ export const setEmailVerificationStore = (store) => { _store = store; };
 /** Create a verification token. Returns the raw token (for the email link).
  *  Only the SHA-256 hash is persisted in the store. */
 export const createVerificationToken = async (userId, email) => {
-    const token = crypto.randomUUID();
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString("base64url");
     const hash = sha256(token);
     const ttl = getTokenExpiry();
     if (_store === "memory") {
@@ -84,3 +105,25 @@ export const deleteVerificationToken = async (token) => {
     }
     await getRedis().del(`verify:${getAppName()}:${hash}`);
 };
+/** Atomically consume a verification token — returns its payload and deletes it in one operation.
+ *  Returns null if the token is invalid, expired, or already used. */
+export const consumeVerificationToken = async (token) => {
+    const hash = sha256(token);
+    if (_store === "memory")
+        return memoryConsumeVerificationToken(hash);
+    if (_store === "sqlite")
+        return sqliteConsumeVerificationToken(hash);
+    if (_store === "mongo") {
+        const doc = await getVerificationModel()
+            .findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } })
+            .lean();
+        if (!doc)
+            return null;
+        return { userId: doc.userId, email: doc.email };
+    }
+    // Redis: atomically return and remove the key (GETDEL or Lua fallback)
+    const raw = await redisGetDel(`verify:${getAppName()}:${hash}`);
+    if (!raw)
+        return null;
+    return JSON.parse(raw);
+};

package/dist/lib/groups.d.ts

@@ -0,0 +1,113 @@
+export interface GroupRecord {
+    id: string;
+    /** Machine-readable slug: /^[a-z0-9_-]+$/, unique within scope (app-wide or per-tenant). */
+    name: string;
+    displayName?: string;
+    description?: string;
+    /** Baseline roles granted to every member of this group. */
+    roles: string[];
+    /** null = app-wide group, string = tenant-scoped group. Immutable after creation. */
+    tenantId: string | null;
+    createdAt: number;
+    updatedAt: number;
+}
+export interface GroupMembershipRecord {
+    userId: string;
+    groupId: string;
+    /** Per-member extra roles on top of the group's baseline roles. */
+    roles: string[];
+    /**
+     * Denormalized from the group at insert time for efficient tenant-scoped queries.
+     * Immutable: the group's tenantId cannot change after creation, so this is always consistent.
+     */
+    tenantId: string | null;
+    createdAt: number;
+}
+export interface PaginationOpts {
+    /** Default: 50, max: 200 */
+    limit?: number;
+    /** Default: 0 */
+    offset?: number;
+}
+export interface PaginatedResult<T> {
+    items: T[];
+    total: number;
+    limit: number;
+    offset: number;
+}
+/**
+ * Create a new group. tenantId null = app-wide, string = tenant-scoped.
+ * The group name must be a slug (/^[a-z0-9_-]+$/) and unique within its scope.
+ * Returns the new group's id.
+ */
+export declare const createGroup: (group: Omit<GroupRecord, "id" | "createdAt" | "updatedAt">) => Promise<{
+    id: string;
+}>;
+/**
+ * Delete a group by ID. All memberships are cascade-deleted by the adapter.
+ */
+export declare const deleteGroup: (groupId: string) => Promise<void>;
+/**
+ * Get a group by ID. Returns null if not found.
+ */
+export declare const getGroup: (groupId: string) => Promise<GroupRecord | null>;
+/**
+ * List groups scoped to a tenant (tenantId string) or app-wide (tenantId null).
+ * Results are paginated.
+ */
+export declare const listGroups: (tenantId: string | null, opts?: PaginationOpts) => Promise<PaginatedResult<GroupRecord>>;
+/**
+ * Update a group's mutable fields: name, displayName, description, roles.
+ * tenantId is NOT in the update type — it is immutable after creation.
+ */
+export declare const updateGroup: (groupId: string, updates: Partial<Pick<GroupRecord, "roles" | "name" | "displayName" | "description">>) => Promise<void>;
+/**
+ * Add a user to a group. Optionally supply per-membership roles (extras on top of group.roles).
+ *
+ * CONTRACT: throws if the user is already a member (unique constraint).
+ * Use updateGroupMembership to change roles on an existing membership.
+ * All adapters surface this as a thrown error, not a silent no-op.
+ */
+export declare const addGroupMember: (groupId: string, userId: string, roles?: string[]) => Promise<void>;
+/**
+ * Update the per-membership roles for an existing member.
+ * This replaces the member's roles[] entirely (not an additive operation).
+ */
+export declare const updateGroupMembership: (groupId: string, userId: string, roles: string[]) => Promise<void>;
+/**
+ * Remove a user from a group. No-op if the user is not a member.
+ */
+export declare const removeGroupMember: (groupId: string, userId: string) => Promise<void>;
+/**
+ * List members of a group, with their per-membership roles. Paginated.
+ */
+export declare const getGroupMembers: (groupId: string, opts?: PaginationOpts) => Promise<PaginatedResult<{
+    userId: string;
+    roles: string[];
+}>>;
+/**
+ * List all groups a user belongs to, with their per-membership roles.
+ * Pass tenantId=null for app-wide groups, tenantId=string for tenant-scoped groups.
+ */
+export declare const getUserGroups: (userId: string, tenantId: string | null) => Promise<Array<{
+    group: GroupRecord;
+    membershipRoles: string[];
+}>>;
+/**
+ * Return all roles a user effectively has in the given scope, combining:
+ *   1. Direct roles (app-wide or tenant-scoped)
+ *   2. Group baseline roles (from all groups the user belongs to in that scope)
+ *   3. Per-membership roles (user-specific extras within each group)
+ *
+ * SCOPE CONTRACT:
+ *   - tenantId = null  → app-wide direct roles + app-wide group roles
+ *   - tenantId = string → tenant-scoped direct roles + tenant-scoped group roles
+ *
+ * Tenant-scoped group roles NEVER appear in app-wide effective roles and vice versa.
+ * This is intentional: a user who is "admin" only in a tenant-scoped group is NOT
+ * a global admin. Assign roles app-wide for global access.
+ *
+ * Used internally by requireRole and requireRole.global. Also exported for use in
+ * custom middleware, route handlers, or GET /auth/me enrichment.
+ */
+export declare const getEffectiveRoles: (userId: string, tenantId: string | null) => Promise<string[]>;

package/dist/lib/groups.js

@@ -0,0 +1,133 @@
+import { getAuthAdapter } from "./authAdapter";
+// ---------------------------------------------------------------------------
+// Group CRUD
+// ---------------------------------------------------------------------------
+/**
+ * Create a new group. tenantId null = app-wide, string = tenant-scoped.
+ * The group name must be a slug (/^[a-z0-9_-]+$/) and unique within its scope.
+ * Returns the new group's id.
+ */
+export const createGroup = async (group) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.createGroup)
+        throw new Error("Auth adapter does not implement createGroup");
+    return adapter.createGroup(group);
+};
+/**
+ * Delete a group by ID. All memberships are cascade-deleted by the adapter.
+ */
+export const deleteGroup = async (groupId) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.deleteGroup)
+        throw new Error("Auth adapter does not implement deleteGroup");
+    return adapter.deleteGroup(groupId);
+};
+/**
+ * Get a group by ID. Returns null if not found.
+ */
+export const getGroup = async (groupId) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.getGroup)
+        throw new Error("Auth adapter does not implement getGroup");
+    return adapter.getGroup(groupId);
+};
+/**
+ * List groups scoped to a tenant (tenantId string) or app-wide (tenantId null).
+ * Results are paginated.
+ */
+export const listGroups = async (tenantId, opts) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.listGroups)
+        throw new Error("Auth adapter does not implement listGroups");
+    return adapter.listGroups(tenantId, opts);
+};
+/**
+ * Update a group's mutable fields: name, displayName, description, roles.
+ * tenantId is NOT in the update type — it is immutable after creation.
+ */
+export const updateGroup = async (groupId, updates) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.updateGroup)
+        throw new Error("Auth adapter does not implement updateGroup");
+    return adapter.updateGroup(groupId, updates);
+};
+// ---------------------------------------------------------------------------
+// Membership management
+// ---------------------------------------------------------------------------
+/**
+ * Add a user to a group. Optionally supply per-membership roles (extras on top of group.roles).
+ *
+ * CONTRACT: throws if the user is already a member (unique constraint).
+ * Use updateGroupMembership to change roles on an existing membership.
+ * All adapters surface this as a thrown error, not a silent no-op.
+ */
+export const addGroupMember = async (groupId, userId, roles) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.addGroupMember)
+        throw new Error("Auth adapter does not implement addGroupMember");
+    return adapter.addGroupMember(groupId, userId, roles);
+};
+/**
+ * Update the per-membership roles for an existing member.
+ * This replaces the member's roles[] entirely (not an additive operation).
+ */
+export const updateGroupMembership = async (groupId, userId, roles) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.updateGroupMembership)
+        throw new Error("Auth adapter does not implement updateGroupMembership");
+    return adapter.updateGroupMembership(groupId, userId, roles);
+};
+/**
+ * Remove a user from a group. No-op if the user is not a member.
+ */
+export const removeGroupMember = async (groupId, userId) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.removeGroupMember)
+        throw new Error("Auth adapter does not implement removeGroupMember");
+    return adapter.removeGroupMember(groupId, userId);
+};
+/**
+ * List members of a group, with their per-membership roles. Paginated.
+ */
+export const getGroupMembers = async (groupId, opts) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.getGroupMembers)
+        throw new Error("Auth adapter does not implement getGroupMembers");
+    return adapter.getGroupMembers(groupId, opts);
+};
+/**
+ * List all groups a user belongs to, with their per-membership roles.
+ * Pass tenantId=null for app-wide groups, tenantId=string for tenant-scoped groups.
+ */
+export const getUserGroups = async (userId, tenantId) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.getUserGroups)
+        throw new Error("Auth adapter does not implement getUserGroups");
+    return adapter.getUserGroups(userId, tenantId);
+};
+// ---------------------------------------------------------------------------
+// Effective role resolution
+// ---------------------------------------------------------------------------
+/**
+ * Return all roles a user effectively has in the given scope, combining:
+ *   1. Direct roles (app-wide or tenant-scoped)
+ *   2. Group baseline roles (from all groups the user belongs to in that scope)
+ *   3. Per-membership roles (user-specific extras within each group)
+ *
+ * SCOPE CONTRACT:
+ *   - tenantId = null  → app-wide direct roles + app-wide group roles
+ *   - tenantId = string → tenant-scoped direct roles + tenant-scoped group roles
+ *
+ * Tenant-scoped group roles NEVER appear in app-wide effective roles and vice versa.
+ * This is intentional: a user who is "admin" only in a tenant-scoped group is NOT
+ * a global admin. Assign roles app-wide for global access.
+ *
+ * Used internally by requireRole and requireRole.global. Also exported for use in
+ * custom middleware, route handlers, or GET /auth/me enrichment.
+ */
+export const getEffectiveRoles = async (userId, tenantId) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.getEffectiveRoles)
+        throw new Error("Auth adapter does not implement getEffectiveRoles");
+    return adapter.getEffectiveRoles(userId, tenantId);
+};

package/dist/lib/idempotency.d.ts

@@ -0,0 +1,22 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "./context";
+export interface IdempotencyOptions {
+    /** TTL in seconds for cached responses. Default: 86400 (24 hours). */
+    ttl?: number;
+}
+type IdempotencyStore = "redis" | "mongo" | "sqlite" | "memory";
+export declare const setIdempotencyStore: (store: IdempotencyStore) => void;
+export declare const clearIdempotencyMemoryStore: () => void;
+/**
+ * Idempotency middleware. Reads the `Idempotency-Key` header and returns a
+ * cached response if one exists for this user + key combination. Otherwise
+ * calls the next handler, stores the response, and returns it.
+ *
+ * On write collision (two concurrent identical requests), the second request
+ * re-reads and returns the first-stored result.
+ *
+ * When `signing.idempotencyKeys: true`, keys are HMAC'd before storage to
+ * prevent enumeration. When off, raw keys are stored (slight enumeration risk).
+ */
+export declare const idempotent: (opts?: IdempotencyOptions) => MiddlewareHandler<AppEnv>;
+export {};

package/dist/lib/idempotency.js

@@ -0,0 +1,182 @@
+import { getRedis } from "./redis";
+import { appConnection, mongoose } from "./mongo";
+import { getAppName } from "./appConfig";
+import { getSigningConfig, getSigningSecret } from "./appConfig";
+import { hmacSign } from "./signing";
+import { HEADER_IDEMPOTENCY_KEY } from "./constants";
+let _store = "redis";
+export const setIdempotencyStore = (store) => { _store = store; };
+// ---------------------------------------------------------------------------
+// Memory store (tests only — no TTL eviction)
+// ---------------------------------------------------------------------------
+const _memory = new Map();
+export const clearIdempotencyMemoryStore = () => _memory.clear();
+function getIdempotencyModel() {
+    if (appConnection.models["Idempotency"])
+        return appConnection.models["Idempotency"];
+    const { Schema } = mongoose;
+    const schema = new Schema({
+        key: { type: String, required: true, unique: true },
+        status: { type: Number, required: true },
+        body: { type: String, required: true },
+        createdAt: { type: Date, required: true },
+        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+    }, { collection: "idempotency" });
+    return appConnection.model("Idempotency", schema);
+}
+// ---------------------------------------------------------------------------
+// SQLite helpers (lazy — only available when bun:sqlite is in use)
+// ---------------------------------------------------------------------------
+function getSqliteDb() {
+    const { getDb } = require("../adapters/sqliteAuth");
+    return getDb();
+}
+function sqliteEnsureTable() {
+    const db = getSqliteDb();
+    db.run(`CREATE TABLE IF NOT EXISTS idempotency (
+    key       TEXT PRIMARY KEY,
+    status    INTEGER NOT NULL,
+    body      TEXT NOT NULL,
+    createdAt INTEGER NOT NULL,
+    expiresAt INTEGER NOT NULL
+  )`);
+}
+// ---------------------------------------------------------------------------
+// Key derivation
+// ---------------------------------------------------------------------------
+function deriveKey(rawKey, userId) {
+    const prefix = userId ?? "anon";
+    const cfg = getSigningConfig();
+    if (cfg?.idempotencyKeys) {
+        const secret = getSigningSecret();
+        if (secret) {
+            return `${prefix}:${hmacSign(rawKey, secret)}`;
+        }
+    }
+    return `${prefix}:${rawKey}`;
+}
+function redisIdempotencyKey(key) {
+    return `idempotency:${getAppName()}:${key}`;
+}
+// ---------------------------------------------------------------------------
+// Store operations
+// ---------------------------------------------------------------------------
+async function getRecord(key) {
+    if (_store === "memory") {
+        return _memory.get(key) ?? null;
+    }
+    if (_store === "sqlite") {
+        sqliteEnsureTable();
+        const row = getSqliteDb().query("SELECT status, body, createdAt FROM idempotency WHERE key = ? AND expiresAt > ?").get(key, Date.now());
+        return row ? { status: row.status, body: row.body, createdAt: row.createdAt } : null;
+    }
+    if (_store === "redis") {
+        const raw = await getRedis().get(redisIdempotencyKey(key));
+        if (!raw)
+            return null;
+        return JSON.parse(raw);
+    }
+    // mongo
+    const doc = await getIdempotencyModel()
+        .findOne({ key, expiresAt: { $gt: new Date() } }, "status body createdAt")
+        .lean();
+    return doc ? { status: doc.status, body: doc.body, createdAt: doc.createdAt.getTime() } : null;
+}
+/**
+ * Attempt to store a record. Returns true if stored, false if a record
+ * already exists (write collision — treat as cache hit).
+ */
+async function tryStoreRecord(key, record, ttl) {
+    if (_store === "memory") {
+        if (_memory.has(key))
+            return false;
+        _memory.set(key, record);
+        return true;
+    }
+    if (_store === "sqlite") {
+        sqliteEnsureTable();
+        const db = getSqliteDb();
+        const expiresAt = record.createdAt + ttl * 1000;
+        db.run("INSERT OR IGNORE INTO idempotency (key, status, body, createdAt, expiresAt) VALUES (?, ?, ?, ?, ?)", [key, record.status, record.body, record.createdAt, expiresAt]);
+        // SQLite INSERT OR IGNORE doesn't throw on conflict; check changes count
+        const changes = db.query("SELECT changes() as changes").get()?.changes ?? 0;
+        return changes > 0;
+    }
+    if (_store === "redis") {
+        // SET NX: set-if-not-exists — second concurrent writer gets a no-op
+        const value = JSON.stringify(record);
+        const result = await getRedis().set(redisIdempotencyKey(key), value, "EX", ttl, "NX");
+        return result === "OK";
+    }
+    // mongo — unique index on key; second writer catches duplicate key error
+    try {
+        const now = new Date(record.createdAt);
+        await getIdempotencyModel().create({
+            key,
+            status: record.status,
+            body: record.body,
+            createdAt: now,
+            expiresAt: new Date(now.getTime() + ttl * 1000),
+        });
+        return true;
+    }
+    catch (err) {
+        // Duplicate key — another concurrent request already stored the result
+        if (err?.code === 11000 || err?.code === "11000")
+            return false;
+        throw err;
+    }
+}
+// ---------------------------------------------------------------------------
+// Middleware factory
+// ---------------------------------------------------------------------------
+/**
+ * Idempotency middleware. Reads the `Idempotency-Key` header and returns a
+ * cached response if one exists for this user + key combination. Otherwise
+ * calls the next handler, stores the response, and returns it.
+ *
+ * On write collision (two concurrent identical requests), the second request
+ * re-reads and returns the first-stored result.
+ *
+ * When `signing.idempotencyKeys: true`, keys are HMAC'd before storage to
+ * prevent enumeration. When off, raw keys are stored (slight enumeration risk).
+ */
+export const idempotent = (opts) => async (c, next) => {
+    const rawKey = c.req.header(HEADER_IDEMPOTENCY_KEY);
+    if (!rawKey) {
+        await next();
+        return;
+    }
+    const userId = c.get("authUserId") ?? null;
+    const key = deriveKey(rawKey, userId);
+    const ttl = opts?.ttl ?? 86400;
+    // Cache hit — return stored response
+    const cached = await getRecord(key);
+    if (cached) {
+        return c.json(JSON.parse(cached.body), cached.status);
+    }
+    // Cache miss — call handler
+    await next();
+    // Capture the response body by reading it
+    const status = c.res.status;
+    let body = "";
+    try {
+        body = await c.res.clone().text();
+    }
+    catch {
+        // Non-text/non-json response — skip caching
+        return;
+    }
+    const record = { status, body, createdAt: Date.now() };
+    const stored = await tryStoreRecord(key, record, ttl);
+    if (!stored) {
+        // Write collision — return the first-stored result
+        const winner = await getRecord(key);
+        if (winner) {
+            c.res = new Response(winner.body, {
+                status: winner.status,
+                headers: { "content-type": "application/json" },
+            });
+        }
+    }
+};

package/dist/lib/jwks.d.ts

@@ -0,0 +1,25 @@
+import { type JWK } from "jose";
+export interface JwksKeyConfig {
+    privateKey: string;
+    publicKey: string;
+    kid?: string;
+}
+type KeyMaterial = CryptoKey;
+export declare function loadJwksKey(config: JwksKeyConfig): Promise<void>;
+export declare function loadPreviousKey(config: {
+    publicKey: string;
+    kid?: string;
+}): Promise<void>;
+export declare function generateAndLoadKeyPair(): Promise<{
+    privateKey: string;
+    publicKey: string;
+}>;
+export declare function getSigningPrivateKey(): KeyMaterial;
+export declare function getVerifyPublicKeys(): KeyMaterial[];
+export declare function getJwks(): {
+    keys: JWK[];
+};
+export declare function isJwksLoaded(): boolean;
+/** @internal — reset for tests */
+export declare function _resetJwksState(): void;
+export {};

package/dist/lib/jwks.js

@@ -0,0 +1,51 @@
+import { generateKeyPair, exportJWK, importPKCS8, importSPKI } from "jose";
+let _primaryKey = null;
+let _previousKeys = [];
+export async function loadJwksKey(config) {
+    const kid = config.kid ?? "key-1";
+    const privateKey = await importPKCS8(config.privateKey, "RS256");
+    const publicKey = await importSPKI(config.publicKey, "RS256");
+    const jwk = await exportJWK(publicKey);
+    _primaryKey = { privateKey, publicKey, jwk: { ...jwk, kid, alg: "RS256", use: "sig" }, kid };
+}
+export async function loadPreviousKey(config) {
+    const kid = config.kid ?? `key-prev-${_previousKeys.length + 1}`;
+    const publicKey = await importSPKI(config.publicKey, "RS256");
+    const jwk = await exportJWK(publicKey);
+    _previousKeys.push({ privateKey: null, publicKey, jwk: { ...jwk, kid, alg: "RS256", use: "sig" }, kid });
+}
+export async function generateAndLoadKeyPair() {
+    const { privateKey: pk, publicKey: pubk } = await generateKeyPair("RS256", { modulusLength: 2048, extractable: true });
+    const { exportSPKI, exportPKCS8 } = await import("jose");
+    const privatePem = await exportPKCS8(pk);
+    const publicPem = await exportSPKI(pubk);
+    await loadJwksKey({ privateKey: privatePem, publicKey: publicPem, kid: "key-1" });
+    return { privateKey: privatePem, publicKey: publicPem };
+}
+export function getSigningPrivateKey() {
+    if (!_primaryKey)
+        throw new Error("RS256 requires OIDC key configuration — call loadJwksKey() first");
+    return _primaryKey.privateKey;
+}
+export function getVerifyPublicKeys() {
+    const keys = [];
+    if (_primaryKey)
+        keys.push(_primaryKey.publicKey);
+    keys.push(..._previousKeys.map((k) => k.publicKey));
+    return keys;
+}
+export function getJwks() {
+    const keys = [];
+    if (_primaryKey)
+        keys.push(_primaryKey.jwk);
+    keys.push(..._previousKeys.map((k) => k.jwk));
+    return { keys };
+}
+export function isJwksLoaded() {
+    return _primaryKey !== null;
+}
+/** @internal — reset for tests */
+export function _resetJwksState() {
+    _primaryKey = null;
+    _previousKeys = [];
+}

package/dist/lib/jwt.d.ts

@@ -1,2 +1,15 @@
-export declare const signToken: (userId: string, sessionId: string, expirySeconds?: number) => Promise<string>;
-export declare const verifyToken: (token: string) => Promise<import("jose").JWTPayload>;
+import type { JWTPayload } from "jose";
+export declare function validateJwtSecrets(): void;
+export type TokenClaims = {
+    sub: string;
+    sid?: string;
+    scope?: string;
+    [key: string]: unknown;
+};
+export declare function signToken(claims: TokenClaims, expirySeconds?: number): Promise<string>;
+export declare function signToken(userId: string, sessionId: string, expirySeconds?: number): Promise<string>;
+export declare const verifyToken: (token: string) => Promise<JWTPayload>;
+/** @internal — used by Feature 8 (OIDC) to switch to RS256 once key material is loaded */
+export declare function _setAlgorithm(alg: string): void;
+/** @internal — reset for testing */
+export declare function _resetJwtState(): void;