@lastshotlabs/bunshot 0.0.27 → 0.0.28

package/dist/lib/credentialStuffing.js

@@ -1,77 +0,0 @@
-// In-memory store: key → BoundedSet
-const _store = new Map();
-function cleanExpired() {
-    const now = Date.now();
-    for (const [key, entry] of _store.entries()) {
-        if (entry.expiresAt < now)
-            _store.delete(key);
-    }
-}
-function addToSet(key, member, windowMs) {
-    cleanExpired();
-    const now = Date.now();
-    let entry = _store.get(key);
-    if (!entry || entry.expiresAt < now) {
-        entry = { members: new Set(), expiresAt: now + windowMs };
-        _store.set(key, entry);
-    }
-    entry.members.add(member);
-    return entry.members.size;
-}
-function getSetSize(key) {
-    cleanExpired();
-    const now = Date.now();
-    const entry = _store.get(key);
-    if (!entry || entry.expiresAt < now)
-        return 0;
-    return entry.members.size;
-}
-let _config = null;
-export function setCredentialStuffingConfig(config) {
-    _config = config;
-}
-export function getCredentialStuffingConfig() {
-    return _config;
-}
-/**
- * Track a failed login attempt. Call this AFTER confirming the login failed.
- */
-export function trackFailedLogin(ip, identifier) {
-    if (!_config)
-        return;
-    const ipWindowMs = _config.maxAccountsPerIp?.windowMs ?? 15 * 60 * 1000;
-    const accountWindowMs = _config.maxIpsPerAccount?.windowMs ?? 15 * 60 * 1000;
-    addToSet(`ip:${ip}`, identifier, ipWindowMs);
-    addToSet(`account:${identifier}`, ip, accountWindowMs);
-}
-/**
- * Check whether this login attempt should be blocked.
- * Call this BEFORE verifying credentials.
- */
-export function isStuffingBlocked(ip, identifier) {
-    if (!_config)
-        return false;
-    const ipMax = _config.maxAccountsPerIp?.count ?? 5;
-    const accountMax = _config.maxIpsPerAccount?.count ?? 10;
-    const ipCount = getSetSize(`ip:${ip}`);
-    if (ipCount >= ipMax) {
-        try {
-            _config.onDetected?.({ type: "ip", key: ip, count: ipCount });
-        }
-        catch { /* swallow */ }
-        return true;
-    }
-    const accountCount = getSetSize(`account:${identifier}`);
-    if (accountCount >= accountMax) {
-        try {
-            _config.onDetected?.({ type: "account", key: identifier, count: accountCount });
-        }
-        catch { /* swallow */ }
-        return true;
-    }
-    return false;
-}
-/** Clear the in-memory store (for testing). */
-export function clearCredentialStuffingStore() {
-    _store.clear();
-}

package/dist/lib/crypto.d.ts

@@ -1,11 +0,0 @@
-/**
- * Constant-time string comparison to prevent timing attacks.
- * Returns true if both strings are equal, false otherwise.
- * Always compares the full length even on mismatch.
- */
-export declare function timingSafeEqual(a: string, b: string): boolean;
-/**
- * SHA-256 hash a string and return the hex digest.
- * Centralized to avoid duplicate implementations across modules.
- */
-export declare function sha256(input: string): string;

package/dist/lib/crypto.js

@@ -1,22 +0,0 @@
-import { createHash, timingSafeEqual as nodeTimingSafeEqual } from "crypto";
-/**
- * Constant-time string comparison to prevent timing attacks.
- * Returns true if both strings are equal, false otherwise.
- * Always compares the full length even on mismatch.
- */
-export function timingSafeEqual(a, b) {
-    if (a.length !== b.length) {
-        // Compare against self to burn the same time, then return false
-        const buf = Buffer.from(a, "utf-8");
-        nodeTimingSafeEqual(buf, buf);
-        return false;
-    }
-    return nodeTimingSafeEqual(Buffer.from(a, "utf-8"), Buffer.from(b, "utf-8"));
-}
-/**
- * SHA-256 hash a string and return the hex digest.
- * Centralized to avoid duplicate implementations across modules.
- */
-export function sha256(input) {
-    return createHash("sha256").update(input).digest("hex");
-}

package/dist/lib/deletionCancelToken.d.ts

@@ -1,12 +0,0 @@
-type CancelStore = "redis" | "mongo" | "sqlite" | "memory";
-export declare const setDeletionCancelTokenStore: (store: CancelStore) => void;
-/** Create a cancel token. Returns the raw token (to embed in the cancel link).
- *  Only the SHA-256 hash is persisted. TTL is gracePeriod + a 5-minute buffer. */
-export declare const createDeletionCancelToken: (userId: string, jobId: string, gracePeriodSeconds: number) => Promise<string>;
-/** Atomically consume a cancel token — returns its payload and deletes it.
- *  Returns null if the token is invalid, expired, or already used. */
-export declare const consumeDeletionCancelToken: (token: string) => Promise<{
-    userId: string;
-    jobId: string;
-} | null>;
-export {};

package/dist/lib/deletionCancelToken.js

@@ -1,88 +0,0 @@
-import { getRedis } from "./redis";
-import { appConnection, mongoose } from "./mongo";
-import { getAppName } from "./appConfig";
-import { sqliteCreateDeletionCancelToken, sqliteConsumeDeletionCancelToken, } from "../adapters/sqliteAuth";
-import { memoryCreateDeletionCancelToken, memoryConsumeDeletionCancelToken, } from "../adapters/memoryAuth";
-import { sha256 as hashToken } from "./crypto";
-function getCancelModel() {
-    if (appConnection.models["DeletionCancelToken"])
-        return appConnection.models["DeletionCancelToken"];
-    const { Schema } = mongoose;
-    const schema = new Schema({
-        token: { type: String, required: true, unique: true },
-        userId: { type: String, required: true },
-        jobId: { type: String, required: true },
-        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
-    }, { collection: "deletion_cancel_tokens" });
-    return appConnection.model("DeletionCancelToken", schema);
-}
-// ---------------------------------------------------------------------------
-// Redis helpers
-// ---------------------------------------------------------------------------
-async function redisGetDel(key) {
-    const redis = getRedis();
-    if (typeof redis.getdel === "function") {
-        try {
-            return await redis.getdel(key);
-        }
-        catch (err) {
-            const msg = err?.message ?? "";
-            if (!/unknown command|ERR unknown command/i.test(msg))
-                throw err;
-        }
-    }
-    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
-    return result ?? null;
-}
-let _store = "redis";
-export const setDeletionCancelTokenStore = (store) => { _store = store; };
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-/** Create a cancel token. Returns the raw token (to embed in the cancel link).
- *  Only the SHA-256 hash is persisted. TTL is gracePeriod + a 5-minute buffer. */
-export const createDeletionCancelToken = async (userId, jobId, gracePeriodSeconds) => {
-    const token = crypto.randomUUID();
-    const hash = hashToken(token);
-    const ttl = gracePeriodSeconds + 300; // 5-min buffer after grace period expires
-    if (_store === "memory") {
-        memoryCreateDeletionCancelToken(hash, userId, jobId, ttl);
-        return token;
-    }
-    if (_store === "sqlite") {
-        sqliteCreateDeletionCancelToken(hash, userId, jobId, ttl);
-        return token;
-    }
-    if (_store === "mongo") {
-        await getCancelModel().create({
-            token: hash,
-            userId,
-            jobId,
-            expiresAt: new Date(Date.now() + ttl * 1000),
-        });
-        return token;
-    }
-    await getRedis().set(`delcancel:${getAppName()}:${hash}`, JSON.stringify({ userId, jobId }), "EX", ttl);
-    return token;
-};
-/** Atomically consume a cancel token — returns its payload and deletes it.
- *  Returns null if the token is invalid, expired, or already used. */
-export const consumeDeletionCancelToken = async (token) => {
-    const hash = hashToken(token);
-    if (_store === "memory")
-        return memoryConsumeDeletionCancelToken(hash);
-    if (_store === "sqlite")
-        return sqliteConsumeDeletionCancelToken(hash);
-    if (_store === "mongo") {
-        const doc = await getCancelModel()
-            .findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } })
-            .lean();
-        if (!doc)
-            return null;
-        return { userId: doc.userId, jobId: doc.jobId };
-    }
-    const raw = await redisGetDel(`delcancel:${getAppName()}:${hash}`);
-    if (!raw)
-        return null;
-    return JSON.parse(raw);
-};

package/dist/lib/emailVerification.d.ts

@@ -1,19 +0,0 @@
-type VerificationStore = "redis" | "mongo" | "sqlite" | "memory";
-export declare const setEmailVerificationStore: (store: VerificationStore) => void;
-/** Create a verification token. Returns the raw token (for the email link).
- *  Only the SHA-256 hash is persisted in the store. */
-export declare const createVerificationToken: (userId: string, email: string) => Promise<string>;
-/** Look up a verification token by its raw value. Hashes before lookup. */
-export declare const getVerificationToken: (token: string) => Promise<{
-    userId: string;
-    email: string;
-} | null>;
-/** Delete a verification token by its raw value. Hashes before lookup. */
-export declare const deleteVerificationToken: (token: string) => Promise<void>;
-/** Atomically consume a verification token — returns its payload and deletes it in one operation.
- *  Returns null if the token is invalid, expired, or already used. */
-export declare const consumeVerificationToken: (token: string) => Promise<{
-    userId: string;
-    email: string;
-} | null>;
-export {};

package/dist/lib/emailVerification.js

@@ -1,129 +0,0 @@
-import { getRedis } from "./redis";
-import { appConnection, mongoose } from "./mongo";
-import { getAppName, getTokenExpiry } from "./appConfig";
-import { sha256 } from "./crypto";
-import { sqliteCreateVerificationToken, sqliteGetVerificationToken, sqliteDeleteVerificationToken, sqliteConsumeVerificationToken, } from "../adapters/sqliteAuth";
-import { memoryCreateVerificationToken, memoryGetVerificationToken, memoryDeleteVerificationToken, memoryConsumeVerificationToken, } from "../adapters/memoryAuth";
-function getVerificationModel() {
-    if (appConnection.models["EmailVerification"])
-        return appConnection.models["EmailVerification"];
-    const { Schema } = mongoose;
-    const verificationSchema = new Schema({
-        token: { type: String, required: true, unique: true },
-        userId: { type: String, required: true },
-        email: { type: String, required: true },
-        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
-    }, { collection: "email_verifications" });
-    return appConnection.model("EmailVerification", verificationSchema);
-}
-// ---------------------------------------------------------------------------
-// Redis helpers
-// ---------------------------------------------------------------------------
-/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
-async function redisGetDel(key) {
-    const redis = getRedis();
-    if (typeof redis.getdel === "function") {
-        try {
-            return await redis.getdel(key);
-        }
-        catch (err) {
-            const msg = err?.message ?? "";
-            if (!/unknown command|ERR unknown command/i.test(msg))
-                throw err;
-        }
-    }
-    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
-    return result ?? null;
-}
-let _store = "redis";
-export const setEmailVerificationStore = (store) => { _store = store; };
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-/** Create a verification token. Returns the raw token (for the email link).
- *  Only the SHA-256 hash is persisted in the store. */
-export const createVerificationToken = async (userId, email) => {
-    const bytes = new Uint8Array(32);
-    crypto.getRandomValues(bytes);
-    const token = Buffer.from(bytes).toString("base64url");
-    const hash = sha256(token);
-    const ttl = getTokenExpiry();
-    if (_store === "memory") {
-        memoryCreateVerificationToken(hash, userId, email, ttl);
-        return token;
-    }
-    if (_store === "sqlite") {
-        sqliteCreateVerificationToken(hash, userId, email, ttl);
-        return token;
-    }
-    if (_store === "mongo") {
-        await getVerificationModel().create({
-            token: hash,
-            userId,
-            email,
-            expiresAt: new Date(Date.now() + ttl * 1000),
-        });
-        return token;
-    }
-    await getRedis().set(`verify:${getAppName()}:${hash}`, JSON.stringify({ userId, email }), "EX", ttl);
-    return token;
-};
-/** Look up a verification token by its raw value. Hashes before lookup. */
-export const getVerificationToken = async (token) => {
-    const hash = sha256(token);
-    if (_store === "memory")
-        return memoryGetVerificationToken(hash);
-    if (_store === "sqlite")
-        return sqliteGetVerificationToken(hash);
-    if (_store === "mongo") {
-        const doc = await getVerificationModel()
-            .findOne({ token: hash, expiresAt: { $gt: new Date() } })
-            .lean();
-        if (!doc)
-            return null;
-        return { userId: doc.userId, email: doc.email };
-    }
-    const raw = await getRedis().get(`verify:${getAppName()}:${hash}`);
-    if (!raw)
-        return null;
-    return JSON.parse(raw);
-};
-/** Delete a verification token by its raw value. Hashes before lookup. */
-export const deleteVerificationToken = async (token) => {
-    const hash = sha256(token);
-    if (_store === "memory") {
-        memoryDeleteVerificationToken(hash);
-        return;
-    }
-    if (_store === "sqlite") {
-        sqliteDeleteVerificationToken(hash);
-        return;
-    }
-    if (_store === "mongo") {
-        await getVerificationModel().deleteOne({ token: hash });
-        return;
-    }
-    await getRedis().del(`verify:${getAppName()}:${hash}`);
-};
-/** Atomically consume a verification token — returns its payload and deletes it in one operation.
- *  Returns null if the token is invalid, expired, or already used. */
-export const consumeVerificationToken = async (token) => {
-    const hash = sha256(token);
-    if (_store === "memory")
-        return memoryConsumeVerificationToken(hash);
-    if (_store === "sqlite")
-        return sqliteConsumeVerificationToken(hash);
-    if (_store === "mongo") {
-        const doc = await getVerificationModel()
-            .findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } })
-            .lean();
-        if (!doc)
-            return null;
-        return { userId: doc.userId, email: doc.email };
-    }
-    // Redis: atomically return and remove the key (GETDEL or Lua fallback)
-    const raw = await redisGetDel(`verify:${getAppName()}:${hash}`);
-    if (!raw)
-        return null;
-    return JSON.parse(raw);
-};

package/dist/lib/fingerprint.js

@@ -1,36 +0,0 @@
-const BROWSER_HEADERS = [
-    "sec-fetch-site",
-    "sec-fetch-mode",
-    "sec-fetch-dest",
-    "sec-ch-ua",
-    "sec-ch-ua-mobile",
-    "sec-ch-ua-platform",
-    "origin",
-    "referer",
-    "x-requested-with",
-];
-const encoder = new TextEncoder();
-/**
- * Builds a 12-hex-char fingerprint from stable HTTP headers.
- * IP-independent: bots that rotate IPs but use the same HTTP client
- * will produce the same fingerprint and share a rate-limit bucket.
- */
-export async function buildFingerprint(req) {
-    const h = (name) => req.headers.get(name) ?? "";
-    // Encode which browser-only headers are present as a bitmask string.
-    // Real browsers send most of these; raw HTTP clients send none.
-    const bitmap = BROWSER_HEADERS.map((name) => req.headers.has(name) ? "1" : "0").join("");
-    const raw = [
-        h("user-agent"),
-        h("accept"),
-        h("accept-language"),
-        h("accept-encoding"),
-        h("connection"),
-        bitmap,
-    ].join("|");
-    const buf = await crypto.subtle.digest("SHA-256", encoder.encode(raw));
-    const bytes = new Uint8Array(buf).slice(0, 6);
-    return Array.from(bytes)
-        .map((b) => b.toString(16).padStart(2, "0"))
-        .join("");
-}

package/dist/lib/idempotency.js

@@ -1,182 +0,0 @@
-import { getRedis } from "./redis";
-import { appConnection, mongoose } from "./mongo";
-import { getAppName } from "./appConfig";
-import { getSigningConfig, getSigningSecret } from "./appConfig";
-import { hmacSign } from "./signing";
-import { HEADER_IDEMPOTENCY_KEY } from "./constants";
-let _store = "redis";
-export const setIdempotencyStore = (store) => { _store = store; };
-// ---------------------------------------------------------------------------
-// Memory store (tests only — no TTL eviction)
-// ---------------------------------------------------------------------------
-const _memory = new Map();
-export const clearIdempotencyMemoryStore = () => _memory.clear();
-function getIdempotencyModel() {
-    if (appConnection.models["Idempotency"])
-        return appConnection.models["Idempotency"];
-    const { Schema } = mongoose;
-    const schema = new Schema({
-        key: { type: String, required: true, unique: true },
-        status: { type: Number, required: true },
-        body: { type: String, required: true },
-        createdAt: { type: Date, required: true },
-        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
-    }, { collection: "idempotency" });
-    return appConnection.model("Idempotency", schema);
-}
-// ---------------------------------------------------------------------------
-// SQLite helpers (lazy — only available when bun:sqlite is in use)
-// ---------------------------------------------------------------------------
-function getSqliteDb() {
-    const { getDb } = require("../adapters/sqliteAuth");
-    return getDb();
-}
-function sqliteEnsureTable() {
-    const db = getSqliteDb();
-    db.run(`CREATE TABLE IF NOT EXISTS idempotency (
-    key       TEXT PRIMARY KEY,
-    status    INTEGER NOT NULL,
-    body      TEXT NOT NULL,
-    createdAt INTEGER NOT NULL,
-    expiresAt INTEGER NOT NULL
-  )`);
-}
-// ---------------------------------------------------------------------------
-// Key derivation
-// ---------------------------------------------------------------------------
-function deriveKey(rawKey, userId) {
-    const prefix = userId ?? "anon";
-    const cfg = getSigningConfig();
-    if (cfg?.idempotencyKeys) {
-        const secret = getSigningSecret();
-        if (secret) {
-            return `${prefix}:${hmacSign(rawKey, secret)}`;
-        }
-    }
-    return `${prefix}:${rawKey}`;
-}
-function redisIdempotencyKey(key) {
-    return `idempotency:${getAppName()}:${key}`;
-}
-// ---------------------------------------------------------------------------
-// Store operations
-// ---------------------------------------------------------------------------
-async function getRecord(key) {
-    if (_store === "memory") {
-        return _memory.get(key) ?? null;
-    }
-    if (_store === "sqlite") {
-        sqliteEnsureTable();
-        const row = getSqliteDb().query("SELECT status, body, createdAt FROM idempotency WHERE key = ? AND expiresAt > ?").get(key, Date.now());
-        return row ? { status: row.status, body: row.body, createdAt: row.createdAt } : null;
-    }
-    if (_store === "redis") {
-        const raw = await getRedis().get(redisIdempotencyKey(key));
-        if (!raw)
-            return null;
-        return JSON.parse(raw);
-    }
-    // mongo
-    const doc = await getIdempotencyModel()
-        .findOne({ key, expiresAt: { $gt: new Date() } }, "status body createdAt")
-        .lean();
-    return doc ? { status: doc.status, body: doc.body, createdAt: doc.createdAt.getTime() } : null;
-}
-/**
- * Attempt to store a record. Returns true if stored, false if a record
- * already exists (write collision — treat as cache hit).
- */
-async function tryStoreRecord(key, record, ttl) {
-    if (_store === "memory") {
-        if (_memory.has(key))
-            return false;
-        _memory.set(key, record);
-        return true;
-    }
-    if (_store === "sqlite") {
-        sqliteEnsureTable();
-        const db = getSqliteDb();
-        const expiresAt = record.createdAt + ttl * 1000;
-        db.run("INSERT OR IGNORE INTO idempotency (key, status, body, createdAt, expiresAt) VALUES (?, ?, ?, ?, ?)", [key, record.status, record.body, record.createdAt, expiresAt]);
-        // SQLite INSERT OR IGNORE doesn't throw on conflict; check changes count
-        const changes = db.query("SELECT changes() as changes").get()?.changes ?? 0;
-        return changes > 0;
-    }
-    if (_store === "redis") {
-        // SET NX: set-if-not-exists — second concurrent writer gets a no-op
-        const value = JSON.stringify(record);
-        const result = await getRedis().set(redisIdempotencyKey(key), value, "EX", ttl, "NX");
-        return result === "OK";
-    }
-    // mongo — unique index on key; second writer catches duplicate key error
-    try {
-        const now = new Date(record.createdAt);
-        await getIdempotencyModel().create({
-            key,
-            status: record.status,
-            body: record.body,
-            createdAt: now,
-            expiresAt: new Date(now.getTime() + ttl * 1000),
-        });
-        return true;
-    }
-    catch (err) {
-        // Duplicate key — another concurrent request already stored the result
-        if (err?.code === 11000 || err?.code === "11000")
-            return false;
-        throw err;
-    }
-}
-// ---------------------------------------------------------------------------
-// Middleware factory
-// ---------------------------------------------------------------------------
-/**
- * Idempotency middleware. Reads the `Idempotency-Key` header and returns a
- * cached response if one exists for this user + key combination. Otherwise
- * calls the next handler, stores the response, and returns it.
- *
- * On write collision (two concurrent identical requests), the second request
- * re-reads and returns the first-stored result.
- *
- * When `signing.idempotencyKeys: true`, keys are HMAC'd before storage to
- * prevent enumeration. When off, raw keys are stored (slight enumeration risk).
- */
-export const idempotent = (opts) => async (c, next) => {
-    const rawKey = c.req.header(HEADER_IDEMPOTENCY_KEY);
-    if (!rawKey) {
-        await next();
-        return;
-    }
-    const userId = c.get("authUserId") ?? null;
-    const key = deriveKey(rawKey, userId);
-    const ttl = opts?.ttl ?? 86400;
-    // Cache hit — return stored response
-    const cached = await getRecord(key);
-    if (cached) {
-        return c.json(JSON.parse(cached.body), cached.status);
-    }
-    // Cache miss — call handler
-    await next();
-    // Capture the response body by reading it
-    const status = c.res.status;
-    let body = "";
-    try {
-        body = await c.res.clone().text();
-    }
-    catch {
-        // Non-text/non-json response — skip caching
-        return;
-    }
-    const record = { status, body, createdAt: Date.now() };
-    const stored = await tryStoreRecord(key, record, ttl);
-    if (!stored) {
-        // Write collision — return the first-stored result
-        const winner = await getRecord(key);
-        if (winner) {
-            c.res = new Response(winner.body, {
-                status: winner.status,
-                headers: { "content-type": "application/json" },
-            });
-        }
-    }
-};

package/dist/lib/jwks.d.ts

@@ -1,25 +0,0 @@
-import { type JWK } from "jose";
-export interface JwksKeyConfig {
-    privateKey: string;
-    publicKey: string;
-    kid?: string;
-}
-type KeyMaterial = CryptoKey;
-export declare function loadJwksKey(config: JwksKeyConfig): Promise<void>;
-export declare function loadPreviousKey(config: {
-    publicKey: string;
-    kid?: string;
-}): Promise<void>;
-export declare function generateAndLoadKeyPair(): Promise<{
-    privateKey: string;
-    publicKey: string;
-}>;
-export declare function getSigningPrivateKey(): KeyMaterial;
-export declare function getVerifyPublicKeys(): KeyMaterial[];
-export declare function getJwks(): {
-    keys: JWK[];
-};
-export declare function isJwksLoaded(): boolean;
-/** @internal — reset for tests */
-export declare function _resetJwksState(): void;
-export {};

package/dist/lib/jwks.js

@@ -1,51 +0,0 @@
-import { generateKeyPair, exportJWK, importPKCS8, importSPKI } from "jose";
-let _primaryKey = null;
-let _previousKeys = [];
-export async function loadJwksKey(config) {
-    const kid = config.kid ?? "key-1";
-    const privateKey = await importPKCS8(config.privateKey, "RS256");
-    const publicKey = await importSPKI(config.publicKey, "RS256");
-    const jwk = await exportJWK(publicKey);
-    _primaryKey = { privateKey, publicKey, jwk: { ...jwk, kid, alg: "RS256", use: "sig" }, kid };
-}
-export async function loadPreviousKey(config) {
-    const kid = config.kid ?? `key-prev-${_previousKeys.length + 1}`;
-    const publicKey = await importSPKI(config.publicKey, "RS256");
-    const jwk = await exportJWK(publicKey);
-    _previousKeys.push({ privateKey: null, publicKey, jwk: { ...jwk, kid, alg: "RS256", use: "sig" }, kid });
-}
-export async function generateAndLoadKeyPair() {
-    const { privateKey: pk, publicKey: pubk } = await generateKeyPair("RS256", { modulusLength: 2048, extractable: true });
-    const { exportSPKI, exportPKCS8 } = await import("jose");
-    const privatePem = await exportPKCS8(pk);
-    const publicPem = await exportSPKI(pubk);
-    await loadJwksKey({ privateKey: privatePem, publicKey: publicPem, kid: "key-1" });
-    return { privateKey: privatePem, publicKey: publicPem };
-}
-export function getSigningPrivateKey() {
-    if (!_primaryKey)
-        throw new Error("RS256 requires OIDC key configuration — call loadJwksKey() first");
-    return _primaryKey.privateKey;
-}
-export function getVerifyPublicKeys() {
-    const keys = [];
-    if (_primaryKey)
-        keys.push(_primaryKey.publicKey);
-    keys.push(..._previousKeys.map((k) => k.publicKey));
-    return keys;
-}
-export function getJwks() {
-    const keys = [];
-    if (_primaryKey)
-        keys.push(_primaryKey.jwk);
-    keys.push(..._previousKeys.map((k) => k.jwk));
-    return { keys };
-}
-export function isJwksLoaded() {
-    return _primaryKey !== null;
-}
-/** @internal — reset for tests */
-export function _resetJwksState() {
-    _primaryKey = null;
-    _previousKeys = [];
-}

package/dist/lib/jwt.d.ts

@@ -1,15 +0,0 @@
-import type { JWTPayload } from "jose";
-export declare function validateJwtSecrets(): void;
-export type TokenClaims = {
-    sub: string;
-    sid?: string;
-    scope?: string;
-    [key: string]: unknown;
-};
-export declare function signToken(claims: TokenClaims, expirySeconds?: number): Promise<string>;
-export declare function signToken(userId: string, sessionId: string, expirySeconds?: number): Promise<string>;
-export declare const verifyToken: (token: string) => Promise<JWTPayload>;
-/** @internal — used by Feature 8 (OIDC) to switch to RS256 once key material is loaded */
-export declare function _setAlgorithm(alg: string): void;
-/** @internal — reset for testing */
-export declare function _resetJwtState(): void;