@lindorm/aegis 0.4.4 → 0.6.0

package/dist/types/jwt/jwt-kit.d.ts

@@ -1,9 +1,7 @@
-import { IKryptos } from "@lindorm/kryptos";
-import { ILogger } from "@lindorm/logger";
-export type JwtKitOptions = {
+import { SignKitOptions } from "../kit";
+export type JwtKitOptions = SignKitOptions & {
     clockTolerance?: number;
+    dpopMaxSkew?: number;
     issuer?: string;
-    logger: ILogger;
-    kryptos: IKryptos;
 };
 //# sourceMappingURL=jwt-kit.d.ts.map

package/dist/types/jwt/jwt-kit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-kit.d.ts","sourceRoot":"","sources":["../../../src/types/jwt/jwt-kit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE1C,MAAM,MAAM,aAAa,GAAG;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,QAAQ,CAAC;CACnB,CAAC"}
+{"version":3,"file":"jwt-kit.d.ts","sourceRoot":"","sources":["../../../src/types/jwt/jwt-kit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AAExC,MAAM,MAAM,aAAa,GAAG,cAAc,GAAG;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC"}

package/dist/types/jwt/jwt-parse.d.ts

@@ -1,45 +1,29 @@
 import { KryptosSigAlgorithm } from "@lindorm/kryptos";
 import { Dict } from "@lindorm/types";
-import { ParsedTokenHeader } from "../header";
-import { AdjustedAccessLevel, LevelOfAssurance } from "../level-of-assurance";
+import { AegisProfile, LindormClaims, OAuthClaims, OidcClaims, PopClaims, DelegationClaims, StdClaims } from "../claims";
+import { RefinedTokenHeader } from "../header";
 import { DecodedJwt } from "./jwt-decode";
-export type ParsedJwtHeader = Omit<ParsedTokenHeader, "algorithm" | "headerType"> & {
-    algorithm: KryptosSigAlgorithm;
-    headerType: "JWT";
-};
-export type ParsedJwtPayload<C extends Dict = Dict> = {
-    accessTokenHash: string | undefined;
-    adjustedAccessLevel: AdjustedAccessLevel | undefined;
+import { TokenDelegation } from "./jwt-delegation";
+import { ParsedDpopProof } from "./jwt-dpop";
+export type ParsedJwtHeader = RefinedTokenHeader<KryptosSigAlgorithm>;
+export type ParsedJwtPayload<C extends Dict = Dict> = StdClaims & OidcClaims & PopClaims & DelegationClaims & OAuthClaims & LindormClaims & {
     audience: Array<string>;
-    authContextClass: string | undefined;
-    authFactor: string | undefined;
     authMethods: Array<string>;
-    authorizedParty: string | undefined;
-    authTime: Date | undefined;
     claims: C;
-    clientId: string | undefined;
-    codeHash: string | undefined;
-    expiresAt: Date | undefined;
-    grantType: string | undefined;
-    issuedAt: Date | undefined;
+    entitlements: Array<string>;
+    groups: Array<string>;
     issuer: string;
-    levelOfAssurance: LevelOfAssurance | undefined;
-    nonce: string | undefined;
-    notBefore: Date | undefined;
     permissions: Array<string>;
+    profile: AegisProfile | undefined;
     roles: Array<string>;
     scope: Array<string>;
-    sessionHint: string | undefined;
-    sessionId: string | undefined;
-    stateHash: string | undefined;
     subject: string;
-    subjectHint: string | undefined;
-    tenantId: string | undefined;
     tokenId: string;
-    tokenType: string;
 };
 export type ParsedJwt<C extends Dict = Dict> = {
     decoded: DecodedJwt<C>;
+    delegation: TokenDelegation;
+    dpop?: ParsedDpopProof;
     header: ParsedJwtHeader;
     payload: ParsedJwtPayload<C>;
     token: string;

package/dist/types/jwt/jwt-parse.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-parse.d.ts","sourceRoot":"","sources":["../../../src/types/jwt/jwt-parse.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AACtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,MAAM,MAAM,eAAe,GAAG,IAAI,CAAC,iBAAiB,EAAE,WAAW,GAAG,YAAY,CAAC,GAAG;IAClF,SAAS,EAAE,mBAAmB,CAAC;IAC/B,UAAU,EAAE,KAAK,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,gBAAgB,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,IAAI;IACpD,eAAe,EAAE,MAAM,GAAG,SAAS,CAAC;IACpC,mBAAmB,EAAE,mBAAmB,GAAG,SAAS,CAAC;IACrD,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACxB,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;IACrC,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/B,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC3B,eAAe,EAAE,MAAM,GAAG,SAAS,CAAC;IACpC,QAAQ,EAAE,IAAI,GAAG,SAAS,CAAC;IAC3B,MAAM,EAAE,CAAC,CAAC;IACV,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,SAAS,EAAE,IAAI,GAAG,SAAS,CAAC;IAC5B,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,QAAQ,EAAE,IAAI,GAAG,SAAS,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,gBAAgB,GAAG,SAAS,CAAC;IAC/C,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1B,SAAS,EAAE,IAAI,GAAG,SAAS,CAAC;IAC5B,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC3B,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChC,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChC,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,SAAS,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,IAAI;IAC7C,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;IACvB,MAAM,EAAE,eAAe,CAAC;IACxB,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC;IAC7B,KAAK,EAAE,MAAM,CAAC;CACf,CAAC"}
+{"version":3,"file":"jwt-parse.d.ts","sourceRoot":"","sources":["../../../src/types/jwt/jwt-parse.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AACtC,OAAO,EACL,YAAY,EACZ,aAAa,EACb,WAAW,EACX,UAAU,EACV,SAAS,EACT,gBAAgB,EAChB,SAAS,EACV,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,MAAM,eAAe,GAAG,kBAAkB,CAAC,mBAAmB,CAAC,CAAC;AAEtE,MAAM,MAAM,gBAAgB,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,IAAI,SAAS,GAC7D,UAAU,GACV,SAAS,GACT,gBAAgB,GAChB,WAAW,GACX,aAAa,GAAG;IACd,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACxB,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC3B,MAAM,EAAE,CAAC,CAAC;IACV,YAAY,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC3B,OAAO,EAAE,YAAY,GAAG,SAAS,CAAC;IAClC,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEJ,MAAM,MAAM,SAAS,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,IAAI;IAC7C,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;IACvB,UAAU,EAAE,eAAe,CAAC;IAC5B,IAAI,CAAC,EAAE,eAAe,CAAC;IACvB,MAAM,EAAE,eAAe,CAAC;IACxB,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC;IAC7B,KAAK,EAAE,MAAM,CAAC;CACf,CAAC"}

package/dist/types/jwt/jwt-sign.d.ts

@@ -1,37 +1,20 @@
 import { Expiry } from "@lindorm/date";
 import { Dict } from "@lindorm/types";
-import { TokenEncryptOrSignOptions } from "../header";
-import { AdjustedAccessLevel, LevelOfAssurance } from "../level-of-assurance";
-export type SignJwtContent<C extends Dict = Dict> = {
+import { AegisProfile, LindormClaims, OAuthClaims, OidcClaims, PopClaims, DelegationClaims, StdClaims } from "../claims";
+import { BindCertificateMode, TokenEncryptOrSignOptions } from "../header";
+export type SignJwtContent<C extends Dict = Dict> = Omit<StdClaims, "expiresAt" | "issuedAt" | "issuer" | "tokenId"> & Omit<OidcClaims, "accessTokenHash" | "codeHash" | "stateHash"> & PopClaims & DelegationClaims & OAuthClaims & LindormClaims & {
     accessToken?: string;
-    adjustedAccessLevel?: AdjustedAccessLevel;
-    audience?: Array<string>;
     authCode?: string;
-    authContextClass?: string;
-    authFactor?: string;
-    authMethods?: Array<string>;
-    authorizedParty?: string;
     authState?: string;
-    authTime?: Date;
     claims?: C;
-    clientId?: string;
     expires: Expiry;
-    grantType?: string;
-    levelOfAssurance?: LevelOfAssurance;
-    nonce?: string;
-    notBefore?: Date;
-    permissions?: Array<string>;
-    roles?: Array<string>;
-    scope?: Array<string>;
-    sessionHint?: string;
-    sessionId?: string;
+    profile?: AegisProfile;
     subject: string;
-    subjectHint?: string;
-    tenantId?: string;
     tokenType: string;
 };
 export type SignJwtOptions = {
     accessTokenHash?: string;
+    bindCertificate?: BindCertificateMode;
     codeHash?: string;
     header?: TokenEncryptOrSignOptions;
     issuedAt?: Date;
@@ -43,7 +26,7 @@ export type SignedJwt = {
     expiresAt: Date;
     expiresIn: number;
     expiresOn: number;
-    objectId: string;
+    objectId: string | undefined;
     token: string;
     tokenId: string;
 };

package/dist/types/jwt/jwt-sign.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-sign.d.ts","sourceRoot":"","sources":["../../../src/types/jwt/jwt-sign.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AACtC,OAAO,EAAE,yBAAyB,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAE9E,MAAM,MAAM,cAAc,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,IAAI;IAClD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mBAAmB,CAAC,EAAE,mBAAmB,CAAC;IAC1C,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC5B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,IAAI,CAAC;IAChB,MAAM,CAAC,EAAE,CAAC,CAAC;IACX,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC5B,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,yBAAyB,CAAC;IACnC,QAAQ,CAAC,EAAE,IAAI,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC"}
+{"version":3,"file":"jwt-sign.d.ts","sourceRoot":"","sources":["../../../src/types/jwt/jwt-sign.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AACtC,OAAO,EACL,YAAY,EACZ,aAAa,EACb,WAAW,EACX,UAAU,EACV,SAAS,EACT,gBAAgB,EAChB,SAAS,EACV,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,MAAM,WAAW,CAAC;AAE3E,MAAM,MAAM,cAAc,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,IAAI,IAAI,CACtD,SAAS,EACT,WAAW,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,CAChD,GACC,IAAI,CAAC,UAAU,EAAE,iBAAiB,GAAG,UAAU,GAAG,WAAW,CAAC,GAC9D,SAAS,GACT,gBAAgB,GAChB,WAAW,GACX,aAAa,GAAG;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEJ,MAAM,MAAM,cAAc,GAAG;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,mBAAmB,CAAC;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,yBAAyB,CAAC;IACnC,QAAQ,CAAC,EAAE,IAAI,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC"}

package/dist/types/jwt/jwt-validate.d.ts

@@ -1,29 +1,8 @@
 import { KryptosAlgorithm } from "@lindorm/kryptos";
 import { PredicateOperator } from "@lindorm/types";
-export type ValidateJwtOptions = {
+import { JwtClaimMatchers } from "./jwt-claim-matchers";
+export type ValidateJwtOptions = JwtClaimMatchers & {
     algorithm?: KryptosAlgorithm;
-    accessToken?: string;
-    adjustedAccessLevel?: PredicateOperator<number>;
-    audience?: Array<string> | string | PredicateOperator<any>;
-    authCode?: string;
-    authContextClass?: string | PredicateOperator<string>;
-    authFactor?: string | PredicateOperator<string>;
-    authMethods?: Array<string> | string | PredicateOperator<any>;
-    authorizedParty?: string | PredicateOperator<string>;
-    authState?: string;
-    authTime?: PredicateOperator<Date>;
-    clientId?: Array<string> | string | PredicateOperator<any>;
-    grantType?: string | PredicateOperator<string>;
-    issuer?: string | PredicateOperator<string>;
-    levelOfAssurance?: number | PredicateOperator<number>;
-    nonce?: string | PredicateOperator<string>;
-    permissions?: Array<string> | string | PredicateOperator<any>;
-    roles?: Array<string> | string | PredicateOperator<any>;
-    scope?: Array<string> | string | PredicateOperator<any>;
-    sessionHint?: Array<string> | string | PredicateOperator<any>;
-    subject?: Array<string> | string | PredicateOperator<any>;
-    subjectHint?: string | PredicateOperator<string>;
-    tenantId?: Array<string> | string | PredicateOperator<any>;
     tokenType?: string | PredicateOperator<string>;
 };
 //# sourceMappingURL=jwt-validate.d.ts.map

package/dist/types/jwt/jwt-validate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-validate.d.ts","sourceRoot":"","sources":["../../../src/types/jwt/jwt-validate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAEnD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,SAAS,CAAC,EAAE,gBAAgB,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mBAAmB,CAAC,EAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAChD,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC3D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACtD,UAAU,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAChD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC9D,eAAe,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACrD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC3D,SAAS,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC/C,MAAM,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC5C,gBAAgB,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACtD,KAAK,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC3C,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC9D,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACxD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACxD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC9D,OAAO,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC1D,WAAW,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACjD,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC3D,SAAS,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;CAChD,CAAC"}
+{"version":3,"file":"jwt-validate.d.ts","sourceRoot":"","sources":["../../../src/types/jwt/jwt-validate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExD,MAAM,MAAM,kBAAkB,GAAG,gBAAgB,GAAG;IAClD,SAAS,CAAC,EAAE,gBAAgB,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;CAChD,CAAC"}

package/dist/types/jwt/jwt-verify.d.ts

@@ -1,27 +1,15 @@
-import { PredicateOperator } from "@lindorm/types";
-export type VerifyJwtOptions = {
-    accessToken?: string;
-    adjustedAccessLevel?: PredicateOperator<number>;
-    audience?: Array<string> | string | PredicateOperator<any>;
-    authCode?: string;
-    authContextClass?: string | PredicateOperator<string>;
-    authFactor?: string | PredicateOperator<string>;
-    authMethods?: Array<string> | string | PredicateOperator<any>;
-    authorizedParty?: string | PredicateOperator<string>;
-    authState?: string;
-    authTime?: PredicateOperator<Date>;
-    clientId?: Array<string> | string | PredicateOperator<any>;
-    grantType?: string | PredicateOperator<string>;
-    issuer?: string | PredicateOperator<string>;
-    levelOfAssurance?: number | PredicateOperator<number>;
-    nonce?: string | PredicateOperator<string>;
-    permissions?: Array<string> | string | PredicateOperator<any>;
-    roles?: Array<string> | string | PredicateOperator<any>;
-    scope?: Array<string> | string | PredicateOperator<any>;
-    sessionHint?: Array<string> | string | PredicateOperator<any>;
-    subject?: Array<string> | string | PredicateOperator<any>;
-    subjectHint?: string | PredicateOperator<string>;
-    tenantId?: Array<string> | string | PredicateOperator<any>;
-    tokenType?: string | PredicateOperator<string>;
+import { TokenType } from "../../constants/token-type";
+import { JwtClaimMatchers } from "./jwt-claim-matchers";
+export type VerifyActorOptions = {
+    required?: boolean;
+    forbidden?: boolean;
+    allowedSubjects?: Array<string>;
+    maxChainDepth?: number;
+};
+export type VerifyJwtOptions = JwtClaimMatchers & {
+    actor?: VerifyActorOptions;
+    dpopProof?: string;
+    trustBoundThumbprint?: boolean;
+    tokenType?: TokenType;
 };
 //# sourceMappingURL=jwt-verify.d.ts.map

package/dist/types/jwt/jwt-verify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-verify.d.ts","sourceRoot":"","sources":["../../../src/types/jwt/jwt-verify.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAEnD,MAAM,MAAM,gBAAgB,GAAG;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mBAAmB,CAAC,EAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAChD,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC3D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACtD,UAAU,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAChD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC9D,eAAe,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACrD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC3D,SAAS,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC/C,MAAM,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC5C,gBAAgB,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACtD,KAAK,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC3C,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC9D,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACxD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACxD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC9D,OAAO,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC1D,WAAW,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACjD,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC3D,SAAS,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;CAChD,CAAC"}
+{"version":3,"file":"jwt-verify.d.ts","sourceRoot":"","sources":["../../../src/types/jwt/jwt-verify.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG,gBAAgB,GAAG;IAChD,KAAK,CAAC,EAAE,kBAAkB,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IAUnB,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB,CAAC"}

package/dist/types/kit.d.ts

@@ -0,0 +1,12 @@
+import { IKryptos, KryptosEncryption } from "@lindorm/kryptos";
+import { ILogger } from "@lindorm/logger";
+import { CertBindingMode } from "./header";
+export type SignKitOptions = {
+    certBindingMode?: CertBindingMode;
+    kryptos: IKryptos;
+    logger: ILogger;
+};
+export type EncryptKitOptions = SignKitOptions & {
+    encryption?: KryptosEncryption;
+};
+//# sourceMappingURL=kit.d.ts.map

package/dist/types/kit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kit.d.ts","sourceRoot":"","sources":["../../src/types/kit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE3C,MAAM,MAAM,cAAc,GAAG;IAC3B,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,OAAO,EAAE,QAAQ,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG,cAAc,GAAG;IAC/C,UAAU,CAAC,EAAE,iBAAiB,CAAC;CAChC,CAAC"}

package/dist/{interfaces/CweKit.js → types/kit.js}

@@ -1,3 +1,3 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=CweKit.js.map
+//# sourceMappingURL=kit.js.map

package/dist/types/kit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kit.js","sourceRoot":"","sources":["../../src/types/kit.ts"],"names":[],"mappings":""}

package/dist/types/level-of-assurance.d.ts

@@ -1,3 +1,3 @@
-export type LevelOfAssurance = 1 | 2 | 3 | 4;
+export type LevelOfAssurance = 0 | 1 | 2 | 3 | 4;
 export type AdjustedAccessLevel = LevelOfAssurance;
 //# sourceMappingURL=level-of-assurance.d.ts.map

package/dist/types/level-of-assurance.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"level-of-assurance.d.ts","sourceRoot":"","sources":["../../src/types/level-of-assurance.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAE7C,MAAM,MAAM,mBAAmB,GAAG,gBAAgB,CAAC"}
+{"version":3,"file":"level-of-assurance.d.ts","sourceRoot":"","sources":["../../src/types/level-of-assurance.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAEjD,MAAM,MAAM,mBAAmB,GAAG,gBAAgB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lindorm/aegis",
-  "version": "0.4.4",
+  "version": "0.6.0",
   "license": "AGPL-3.0-or-later",
   "author": "Jonn Nilsson",
   "repository": {
@@ -30,14 +30,11 @@
       ]
     }
   },
-  "imports": {
-    "#internal/*": "./dist/internal/*.js"
-  },
   "scripts": {
     "build": "rimraf dist && tsc -b ./tsconfig.build.json",
     "example": "ts-node example",
     "prettier": "prettier --write ./src/*",
-    "test": "jest --",
+    "test": "jest",
     "test:ci": "jest",
     "test:interop": "NODE_OPTIONS='--experimental-vm-modules' jest --config jest.config.interop.mjs --no-coverage",
     "test:watch": "jest --watch --",
@@ -45,30 +42,32 @@
     "typecheck:watch": "tsc --watch",
     "update": "ncu -i",
     "update:auto": "ncu -u",
-    "verify": "npm run typecheck; npm run build; npm test"
+    "verify": "npm run typecheck && npm run build && npm test"
   },
   "dependencies": {
-    "@lindorm/aes": "^0.6.3",
-    "@lindorm/b64": "^0.1.8",
-    "@lindorm/date": "^0.4.2",
-    "@lindorm/ec": "^0.2.9",
-    "@lindorm/errors": "^0.1.16",
-    "@lindorm/is": "^0.1.14",
-    "@lindorm/kryptos": "^0.5.3",
-    "@lindorm/oct": "^0.2.9",
-    "@lindorm/okp": "^0.2.9",
-    "@lindorm/rsa": "^0.2.9",
-    "@lindorm/utils": "^0.6.2",
+    "@lindorm/aes": "^0.6.5",
+    "@lindorm/akp": "^0.1.0",
+    "@lindorm/b64": "^0.1.10",
+    "@lindorm/date": "^0.4.4",
+    "@lindorm/ec": "^0.2.11",
+    "@lindorm/errors": "^0.1.18",
+    "@lindorm/is": "^0.1.16",
+    "@lindorm/kryptos": "^0.7.0",
+    "@lindorm/oct": "^0.2.11",
+    "@lindorm/okp": "^0.2.11",
+    "@lindorm/rsa": "^0.2.11",
+    "@lindorm/sha": "^0.4.1",
+    "@lindorm/utils": "^0.7.1",
     "cbor": "^10.0.12"
   },
   "devDependencies": {
     "@auth0/cose": "^1.0.2",
-    "@lindorm/amphora": "^0.3.4",
-    "@lindorm/logger": "^0.5.2",
-    "@lindorm/types": "^0.4.1",
+    "@lindorm/amphora": "^0.4.1",
+    "@lindorm/logger": "^0.5.4",
+    "@lindorm/types": "^0.5.0",
     "@types/jsonwebtoken": "^9.0.10",
     "jose": "^6.2.1",
     "jsonwebtoken": "^9.0.3"
   },
-  "gitHead": "a771f3669e540fb78fecf0ffc0e58e0f417f086c"
+  "gitHead": "2f258248c91376d768d11e26b72d26b57208007b"
 }

package/tsconfig.interop.json

@@ -3,11 +3,7 @@
   "compilerOptions": {
     "module": "esnext",
     "moduleResolution": "node",
-    "rootDir": ".",
-    "baseUrl": ".",
-    "paths": {
-      "#internal/*": ["./src/internal/*"]
-    }
+    "rootDir": "."
   },
   "include": ["__tests__/**/*", "src/**/*"]
 }