@lindorm/aegis 0.8.1 → 0.10.0

package/dist/internal/utils/rules/forbid-present.d.ts

@@ -0,0 +1,4 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry } from "../../../types/index.js";
+export declare const forbidPresent: (claims: Dict, keys: Array<string>) => Array<InvalidEntry>;
+//# sourceMappingURL=forbid-present.d.ts.map

package/dist/internal/utils/rules/forbid-present.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"forbid-present.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/forbid-present.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAM5D,eAAO,MAAM,aAAa,GAAI,QAAQ,IAAI,EAAE,MAAM,KAAK,CAAC,MAAM,CAAC,KAAG,KAAK,CAAC,YAAY,CAUnF,CAAC"}

package/dist/internal/utils/rules/forbid-present.js

@@ -0,0 +1,10 @@
+export const forbidPresent = (claims, keys) => {
+    const invalid = [];
+    for (const key of keys) {
+        if (claims[key] !== undefined) {
+            invalid.push({ key, message: `Forbidden claim "${key}" is present` });
+        }
+    }
+    return invalid;
+};
+//# sourceMappingURL=forbid-present.js.map

package/dist/internal/utils/rules/forbid-present.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"forbid-present.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/forbid-present.ts"],"names":[],"mappings":"AAOA,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,MAAY,EAAE,IAAmB,EAAuB,EAAE;IACtF,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,oBAAoB,GAAG,cAAc,EAAE,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}

package/dist/internal/utils/rules/index.d.ts

@@ -0,0 +1,14 @@
+export * from "./act-chain-shape.js";
+export * from "./alg-permitted.js";
+export * from "./at-least-one-of.js";
+export * from "./aud-single-resource.js";
+export * from "./cnf-shape.js";
+export * from "./cross-field.js";
+export * from "./events-shape.js";
+export * from "./every-element-has-key.js";
+export * from "./forbid-present.js";
+export * from "./iss-uri.js";
+export * from "./require-present.js";
+export * from "./required-when.js";
+export * from "./sub-id-shape.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/internal/utils/rules/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/index.ts"],"names":[],"mappings":"AAAA,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,0BAA0B,CAAC;AACzC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,qBAAqB,CAAC;AACpC,cAAc,cAAc,CAAC;AAC7B,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC"}

package/dist/internal/utils/rules/index.js

@@ -0,0 +1,14 @@
+export * from "./act-chain-shape.js";
+export * from "./alg-permitted.js";
+export * from "./at-least-one-of.js";
+export * from "./aud-single-resource.js";
+export * from "./cnf-shape.js";
+export * from "./cross-field.js";
+export * from "./events-shape.js";
+export * from "./every-element-has-key.js";
+export * from "./forbid-present.js";
+export * from "./iss-uri.js";
+export * from "./require-present.js";
+export * from "./required-when.js";
+export * from "./sub-id-shape.js";
+//# sourceMappingURL=index.js.map

package/dist/internal/utils/rules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/index.ts"],"names":[],"mappings":"AAAA,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,0BAA0B,CAAC;AACzC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,qBAAqB,CAAC;AACpC,cAAc,cAAc,CAAC;AAC7B,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC"}

package/dist/internal/utils/rules/iss-uri.d.ts

@@ -0,0 +1,4 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry } from "../../../types/index.js";
+export declare const issUri: (claims: Dict) => Array<InvalidEntry>;
+//# sourceMappingURL=iss-uri.d.ts.map

package/dist/internal/utils/rules/iss-uri.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"iss-uri.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/iss-uri.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAM5D,eAAO,MAAM,MAAM,GAAI,QAAQ,IAAI,KAAG,KAAK,CAAC,YAAY,CAUvD,CAAC"}

package/dist/internal/utils/rules/iss-uri.js

@@ -0,0 +1,11 @@
+import { isString, isUrlLike } from "@lindorm/is";
+export const issUri = (claims) => {
+    const iss = claims.issuer;
+    if (iss === undefined)
+        return [];
+    if (!isString(iss) || !isUrlLike(iss)) {
+        return [{ key: "iss", message: "iss must be a URI" }];
+    }
+    return [];
+};
+//# sourceMappingURL=iss-uri.js.map

package/dist/internal/utils/rules/iss-uri.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"iss-uri.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/iss-uri.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAQlD,MAAM,CAAC,MAAM,MAAM,GAAG,CAAC,MAAY,EAAuB,EAAE;IAC1D,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC;IAE1B,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAEjC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC,CAAC"}

package/dist/internal/utils/rules/require-present.d.ts

@@ -0,0 +1,4 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry } from "../../../types/index.js";
+export declare const requirePresent: (claims: Dict, keys: Array<string>) => Array<InvalidEntry>;
+//# sourceMappingURL=require-present.d.ts.map

package/dist/internal/utils/rules/require-present.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-present.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/require-present.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAM5D,eAAO,MAAM,cAAc,GACzB,QAAQ,IAAI,EACZ,MAAM,KAAK,CAAC,MAAM,CAAC,KAClB,KAAK,CAAC,YAAY,CAUpB,CAAC"}

package/dist/internal/utils/rules/require-present.js

@@ -0,0 +1,10 @@
+export const requirePresent = (claims, keys) => {
+    const invalid = [];
+    for (const key of keys) {
+        if (claims[key] === undefined) {
+            invalid.push({ key, message: `Required claim "${key}" is missing` });
+        }
+    }
+    return invalid;
+};
+//# sourceMappingURL=require-present.js.map

package/dist/internal/utils/rules/require-present.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-present.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/require-present.ts"],"names":[],"mappings":"AAOA,MAAM,CAAC,MAAM,cAAc,GAAG,CAC5B,MAAY,EACZ,IAAmB,EACE,EAAE;IACvB,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,mBAAmB,GAAG,cAAc,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}

package/dist/internal/utils/rules/required-when.d.ts

@@ -0,0 +1,8 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry, SignContext } from "../../../types/index.js";
+export type RequiredWhenRule = {
+    claim: string;
+    when: (claims: Dict, ctx: SignContext) => boolean;
+};
+export declare const requiredWhen: (claims: Dict, ctx: SignContext, rules: Array<RequiredWhenRule>) => Array<InvalidEntry>;
+//# sourceMappingURL=required-when.d.ts.map

package/dist/internal/utils/rules/required-when.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"required-when.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/required-when.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAEzE,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC;CACnD,CAAC;AAQF,eAAO,MAAM,YAAY,GACvB,QAAQ,IAAI,EACZ,KAAK,WAAW,EAChB,OAAO,KAAK,CAAC,gBAAgB,CAAC,KAC7B,KAAK,CAAC,YAAY,CAapB,CAAC"}

package/dist/internal/utils/rules/required-when.js

@@ -0,0 +1,13 @@
+export const requiredWhen = (claims, ctx, rules) => {
+    const invalid = [];
+    for (const { claim, when } of rules) {
+        if (claims[claim] === undefined && when(claims, ctx)) {
+            invalid.push({
+                key: claim,
+                message: `Conditionally required claim "${claim}" is missing`,
+            });
+        }
+    }
+    return invalid;
+};
+//# sourceMappingURL=required-when.js.map

package/dist/internal/utils/rules/required-when.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"required-when.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/required-when.ts"],"names":[],"mappings":"AAcA,MAAM,CAAC,MAAM,YAAY,GAAG,CAC1B,MAAY,EACZ,GAAgB,EAChB,KAA8B,EACT,EAAE;IACvB,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,KAAK,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,KAAK,EAAE,CAAC;QACpC,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YACrD,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,KAAK;gBACV,OAAO,EAAE,iCAAiC,KAAK,cAAc;aAC9D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}

package/dist/internal/utils/rules/sub-id-shape.d.ts

@@ -0,0 +1,4 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry } from "../../../types/index.js";
+export declare const subIdShape: (claims: Dict) => Array<InvalidEntry>;
+//# sourceMappingURL=sub-id-shape.d.ts.map

package/dist/internal/utils/rules/sub-id-shape.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sub-id-shape.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/sub-id-shape.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAE3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAO5D,eAAO,MAAM,UAAU,GAAI,QAAQ,IAAI,KAAG,KAAK,CAAC,YAAY,CA6B3D,CAAC"}

package/dist/internal/utils/rules/sub-id-shape.js

@@ -0,0 +1,26 @@
+import { isObject, isString } from "@lindorm/is";
+import { SUBJECT_IDENTIFIER_REQUIRED_MEMBERS } from "../../claims/sub-id.js";
+export const subIdShape = (claims) => {
+    const value = claims.subjectId;
+    if (value === undefined)
+        return [];
+    if (!isObject(value)) {
+        return [{ key: "sub_id", message: "sub_id must be an object" }];
+    }
+    const subId = value;
+    if (!isString(subId.format)) {
+        return [{ key: "sub_id.format", message: "sub_id.format must be a string" }];
+    }
+    const required = SUBJECT_IDENTIFIER_REQUIRED_MEMBERS[subId.format] ?? [];
+    const invalid = [];
+    for (const member of required) {
+        if (subId[member] === undefined) {
+            invalid.push({
+                key: `sub_id.${member}`,
+                message: `sub_id of format "${subId.format}" requires member "${member}"`,
+            });
+        }
+    }
+    return invalid;
+};
+//# sourceMappingURL=sub-id-shape.js.map

package/dist/internal/utils/rules/sub-id-shape.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sub-id-shape.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/sub-id-shape.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEjD,OAAO,EAAE,mCAAmC,EAAE,MAAM,wBAAwB,CAAC;AAQ7E,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,MAAY,EAAuB,EAAE;IAC9D,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC;IAE/B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAEnC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC;IAEpB,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,EAAE,GAAG,EAAE,eAAe,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,MAAM,QAAQ,GAAG,mCAAmC,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAEzE,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,SAAS,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,UAAU,MAAM,EAAE;gBACvB,OAAO,EAAE,qBAAqB,KAAK,CAAC,MAAM,sBAAsB,MAAM,GAAG;aAC1E,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}

package/dist/internal/utils/select-encoder.d.ts

@@ -0,0 +1,6 @@
+export type TokenFormat = "jwt" | "cose";
+export type SelectedEncoder = {
+    format: TokenFormat;
+};
+export declare const selectEncoder: (format?: TokenFormat) => SelectedEncoder;
+//# sourceMappingURL=select-encoder.d.ts.map

package/dist/internal/utils/select-encoder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"select-encoder.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/select-encoder.ts"],"names":[],"mappings":"AAOA,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,MAAM,CAAC;AAEzC,MAAM,MAAM,eAAe,GAAG;IAC5B,MAAM,EAAE,WAAW,CAAC;CACrB,CAAC;AAOF,eAAO,MAAM,aAAa,GAAI,SAAQ,WAAmB,KAAG,eAE1D,CAAC"}

package/dist/internal/utils/select-encoder.js

@@ -0,0 +1,4 @@
+export const selectEncoder = (format = "jwt") => ({
+    format,
+});
+//# sourceMappingURL=select-encoder.js.map

package/dist/internal/utils/select-encoder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"select-encoder.js","sourceRoot":"","sources":["../../../src/internal/utils/select-encoder.ts"],"names":[],"mappings":"AAkBA,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,SAAsB,KAAK,EAAmB,EAAE,CAAC,CAAC;IAC9E,MAAM;CACP,CAAC,CAAC"}

package/dist/internal/utils/validate-actor.d.ts

@@ -1,3 +1,10 @@
+import type { ActClaim } from "../../types/claims/act-claim.js";
 import type { TokenDelegation, VerifyActorOptions } from "../../types/jwt/index.js";
-export declare const validateActor: (delegation: TokenDelegation, options: VerifyActorOptions | undefined) => string | null;
+export type ActorValidationError = {
+    message: string;
+    debug?: {
+        actor: ActClaim;
+    };
+};
+export declare const validateActor: (delegation: TokenDelegation, options: VerifyActorOptions | undefined) => ActorValidationError | null;
 //# sourceMappingURL=validate-actor.d.ts.map

package/dist/internal/utils/validate-actor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validate-actor.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/validate-actor.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAKpF,eAAO,MAAM,aAAa,GACxB,YAAY,eAAe,EAC3B,SAAS,kBAAkB,GAAG,SAAS,KACtC,MAAM,GAAG,IAmDX,CAAC"}
+{"version":3,"file":"validate-actor.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/validate-actor.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iCAAiC,CAAC;AAChE,OAAO,KAAK,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAEpF,MAAM,MAAM,oBAAoB,GAAG;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE;QAAE,KAAK,EAAE,QAAQ,CAAA;KAAE,CAAC;CAC7B,CAAC;AAEF,eAAO,MAAM,aAAa,GACxB,YAAY,eAAe,EAC3B,SAAS,kBAAkB,GAAG,SAAS,KACtC,oBAAoB,GAAG,IAuDzB,CAAC"}

package/dist/internal/utils/validate-actor.js

@@ -1,17 +1,16 @@
 import { Predicated } from "@lindorm/utils";
-const describeActor = (actor) => actor.subject ?? actor.clientId ?? "undefined";
 export const validateActor = (delegation, options) => {
     if (!options)
         return null;
     if (options.required && !delegation.isDelegated) {
-        return "Expected delegated token with act claim";
+        return { message: "Expected delegated token with act claim" };
     }
     if (options.forbidden && delegation.isDelegated) {
-        return "Expected non-delegated token";
+        return { message: "Expected non-delegated token" };
     }
     if (options.maxChainDepth !== undefined &&
         delegation.actorChain.length > options.maxChainDepth) {
-        return `Actor chain exceeds maximum depth of ${options.maxChainDepth}`;
+        return { message: `Actor chain exceeds maximum depth of ${options.maxChainDepth}` };
     }
     if (options.allowedActors) {
         const predicate = options.allowedActors;
@@ -20,13 +19,16 @@ export const validateActor = (delegation, options) => {
             case "current": {
                 const current = delegation.actorChain[0];
                 if (!current || !Predicated.match(current, predicate)) {
-                    return `Actor not allowed: ${current ? describeActor(current) : "undefined"}`;
+                    return {
+                        message: "Actor not allowed",
+                        debug: current ? { actor: current } : undefined,
+                    };
                 }
                 break;
             }
             case "some": {
                 if (!delegation.actorChain.some((entry) => Predicated.match(entry, predicate))) {
-                    return "No actor in the chain matches the allowed predicate";
+                    return { message: "No actor in the chain matches the allowed predicate" };
                 }
                 break;
             }
@@ -34,7 +36,7 @@ export const validateActor = (delegation, options) => {
             default: {
                 for (const entry of delegation.actorChain) {
                     if (!Predicated.match(entry, predicate)) {
-                        return `Actor not allowed: ${describeActor(entry)}`;
+                        return { message: "Actor not allowed", debug: { actor: entry } };
                     }
                 }
                 break;

package/dist/internal/utils/validate-actor.js.map

@@ -1 +1 @@
-{"version":3,"file":"validate-actor.js","sourceRoot":"","sources":["../../../src/internal/utils/validate-actor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAI5C,MAAM,aAAa,GAAG,CAAC,KAAe,EAAU,EAAE,CAChD,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,QAAQ,IAAI,WAAW,CAAC;AAEjD,MAAM,CAAC,MAAM,aAAa,GAAG,CAC3B,UAA2B,EAC3B,OAAuC,EACxB,EAAE;IACjB,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;QAChD,OAAO,yCAAyC,CAAC;IACnD,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;QAChD,OAAO,8BAA8B,CAAC;IACxC,CAAC;IAED,IACE,OAAO,CAAC,aAAa,KAAK,SAAS;QACnC,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,OAAO,CAAC,aAAa,EACpD,CAAC;QACD,OAAO,wCAAwC,OAAO,CAAC,aAAa,EAAE,CAAC;IACzE,CAAC;IAED,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC;QACxC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC;QAE5C,QAAQ,KAAK,EAAE,CAAC;YACd,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,OAAO,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;gBACzC,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;oBACtD,OAAO,sBAAsB,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;gBAChF,CAAC;gBACD,MAAM;YACR,CAAC;YAED,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC;oBAC/E,OAAO,qDAAqD,CAAC;gBAC/D,CAAC;gBACD,MAAM;YACR,CAAC;YAED,KAAK,OAAO,CAAC;YACb,OAAO,CAAC,CAAC,CAAC;gBACR,KAAK,MAAM,KAAK,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;oBAC1C,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,SAAS,CAAC,EAAE,CAAC;wBACxC,OAAO,sBAAsB,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;oBACtD,CAAC;gBACH,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC,CAAC"}
+{"version":3,"file":"validate-actor.js","sourceRoot":"","sources":["../../../src/internal/utils/validate-actor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAS5C,MAAM,CAAC,MAAM,aAAa,GAAG,CAC3B,UAA2B,EAC3B,OAAuC,EACV,EAAE;IAC/B,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;QAChD,OAAO,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IAChE,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;QAChD,OAAO,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;IACrD,CAAC;IAED,IACE,OAAO,CAAC,aAAa,KAAK,SAAS;QACnC,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,OAAO,CAAC,aAAa,EACpD,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,wCAAwC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC;IACtF,CAAC;IAED,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC;QACxC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC;QAE5C,QAAQ,KAAK,EAAE,CAAC;YACd,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,OAAO,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;gBACzC,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;oBAEtD,OAAO;wBACL,OAAO,EAAE,mBAAmB;wBAC5B,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,SAAS;qBAChD,CAAC;gBACJ,CAAC;gBACD,MAAM;YACR,CAAC;YAED,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC;oBAC/E,OAAO,EAAE,OAAO,EAAE,qDAAqD,EAAE,CAAC;gBAC5E,CAAC;gBACD,MAAM;YACR,CAAC;YAED,KAAK,OAAO,CAAC;YACb,OAAO,CAAC,CAAC,CAAC;gBACR,KAAK,MAAM,KAAK,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;oBAC1C,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,SAAS,CAAC,EAAE,CAAC;wBACxC,OAAO,EAAE,OAAO,EAAE,mBAAmB,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC;oBACnE,CAAC;gBACH,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC,CAAC"}

package/dist/internal/utils/validate-profile-claims.d.ts

@@ -0,0 +1,8 @@
+import type { KryptosSigAlgorithm } from "@lindorm/kryptos";
+import type { Dict } from "@lindorm/types";
+import type { SignContext, TokenProfile } from "../../types/index.js";
+export type ValidateProfileContext = {
+    algorithm?: KryptosSigAlgorithm | "none";
+};
+export declare const validateProfileClaims: (profile: TokenProfile, claims: Dict, ctx?: SignContext & ValidateProfileContext) => void;
+//# sourceMappingURL=validate-profile-claims.d.ts.map

package/dist/internal/utils/validate-profile-claims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-profile-claims.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/validate-profile-claims.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAE3C,OAAO,KAAK,EAAgB,WAAW,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAWpF,MAAM,MAAM,sBAAsB,GAAG;IACnC,SAAS,CAAC,EAAE,mBAAmB,GAAG,MAAM,CAAC;CAC1C,CAAC;AASF,eAAO,MAAM,qBAAqB,GAChC,SAAS,YAAY,EACrB,QAAQ,IAAI,EACZ,MAAK,WAAW,GAAG,sBAA2B,KAC7C,IA+BF,CAAC"}

package/dist/internal/utils/validate-profile-claims.js

@@ -0,0 +1,45 @@
+import { JwtError } from "../../errors/index.js";
+import { actChainShape } from "./rules/act-chain-shape.js";
+import { algPermitted } from "./rules/alg-permitted.js";
+import { audSingleResource } from "./rules/aud-single-resource.js";
+import { cnfShape } from "./rules/cnf-shape.js";
+import { crossField } from "./rules/cross-field.js";
+import { eventsShape } from "./rules/events-shape.js";
+import { everyElementHasKey } from "./rules/every-element-has-key.js";
+import { issUri } from "./rules/iss-uri.js";
+import { subIdShape } from "./rules/sub-id-shape.js";
+export const validateProfileClaims = (profile, claims, ctx = {}) => {
+    const invalid = [];
+    const rules = profile.rules ?? {};
+    if (rules.issUri)
+        invalid.push(...issUri(claims));
+    if (rules.crossField)
+        invalid.push(...crossField(claims));
+    if (rules.audSingleResource)
+        invalid.push(...audSingleResource(claims));
+    if (rules.authorizationDetailsType) {
+        invalid.push(...everyElementHasKey(claims, "authorizationDetails", "type"));
+    }
+    if (rules.cnfShape)
+        invalid.push(...cnfShape(claims));
+    if (rules.actChainShape)
+        invalid.push(...actChainShape(claims));
+    if (rules.subIdShape)
+        invalid.push(...subIdShape(claims));
+    if (rules.eventsShape)
+        invalid.push(...eventsShape(claims));
+    if (profile.algClass) {
+        invalid.push(...algPermitted(ctx.algorithm, profile.algClass));
+    }
+    invalid.push(...profile.validate(claims, ctx));
+    if (invalid.length > 0) {
+        throw new JwtError("Invalid token", {
+            code: "jwt_claims_invalid",
+            data: { invalid },
+            debug: { invalid, profile: profile.name },
+            title: "JWT Claims Invalid",
+            details: "The assembled claims do not satisfy the profile's RFC validation rules.",
+        });
+    }
+};
+//# sourceMappingURL=validate-profile-claims.js.map

package/dist/internal/utils/validate-profile-claims.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-profile-claims.js","sourceRoot":"","sources":["../../../src/internal/utils/validate-profile-claims.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAEjD,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAC;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAarD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CACnC,OAAqB,EACrB,MAAY,EACZ,MAA4C,EAAE,EACxC,EAAE;IACR,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAElC,IAAI,KAAK,CAAC,MAAM;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAClD,IAAI,KAAK,CAAC,UAAU;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;IAC1D,IAAI,KAAK,CAAC,iBAAiB;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC;IACxE,IAAI,KAAK,CAAC,wBAAwB,EAAE,CAAC;QACnC,OAAO,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,MAAM,EAAE,sBAAsB,EAAE,MAAM,CAAC,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACtD,IAAI,KAAK,CAAC,aAAa;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;IAChE,IAAI,KAAK,CAAC,UAAU;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;IAC1D,IAAI,KAAK,CAAC,WAAW;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;IAE5D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;IAE/C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,QAAQ,CAAC,eAAe,EAAE;YAClC,IAAI,EAAE,oBAAoB;YAC1B,IAAI,EAAE,EAAE,OAAO,EAAE;YACjB,KAAK,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE;YACzC,KAAK,EAAE,oBAAoB;YAC3B,OAAO,EAAE,yEAAyE;SACnF,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC"}

package/dist/internal/utils/validate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/validate.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAEtD,eAAO,MAAM,QAAQ,GAAI,CAAC,SAAS,IAAI,GAAG,IAAI,EAC5C,MAAM,CAAC,EACP,WAAW,SAAS,CAAC,CAAC,CAAC,KACtB,IAWF,CAAC"}
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/validate.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAEtD,eAAO,MAAM,QAAQ,GAAI,CAAC,SAAS,IAAI,GAAG,IAAI,EAC5C,MAAM,CAAC,EACP,WAAW,SAAS,CAAC,CAAC,CAAC,KACtB,IAmBF,CAAC"}

package/dist/internal/utils/validate.js

@@ -9,6 +9,13 @@ export const validate = (dict, predicate) => {
             invalid.push({ key, value: dict[key] });
         }
     }
-    throw new LindormError("Invalid token", { data: { invalid } });
+    throw new LindormError("Invalid token", {
+        code: "jwt_claims_invalid",
+        type: "urn:lindorm:aegis:error:jwt_claims_invalid",
+        data: { invalid: invalid.map(({ key }) => key) },
+        debug: { invalid },
+        title: "JWT Claims Invalid",
+        details: "One or more claims did not satisfy the supplied validation predicate; see the invalid list for the failing claim keys.",
+    });
 };
 //# sourceMappingURL=validate.js.map

package/dist/internal/utils/validate.js.map

@@ -1 +1 @@
-{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../src/internal/utils/validate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAG5C,MAAM,CAAC,MAAM,QAAQ,GAAG,CACtB,IAAO,EACP,SAAuB,EACjB,EAAE;IACR,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,SAAS,CAAC;QAAE,OAAO;IAE9C,MAAM,OAAO,GAAuC,EAAE,CAAC;IACvD,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,EAAS,CAAC,EAAE,CAAC;YACnE,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,MAAM,IAAI,YAAY,CAAC,eAAe,EAAE,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;AACjE,CAAC,CAAC"}
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../src/internal/utils/validate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAG5C,MAAM,CAAC,MAAM,QAAQ,GAAG,CACtB,IAAO,EACP,SAAuB,EACjB,EAAE;IACR,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,SAAS,CAAC;QAAE,OAAO;IAE9C,MAAM,OAAO,GAAuC,EAAE,CAAC;IACvD,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,EAAS,CAAC,EAAE,CAAC;YACnE,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,MAAM,IAAI,YAAY,CAAC,eAAe,EAAE;QACtC,IAAI,EAAE,oBAAoB;QAC1B,IAAI,EAAE,4CAA4C;QAClD,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE;QAChD,KAAK,EAAE,EAAE,OAAO,EAAE;QAClB,KAAK,EAAE,oBAAoB;QAC3B,OAAO,EACL,wHAAwH;KAC3H,CAAC,CAAC;AACL,CAAC,CAAC"}

package/dist/internal/utils/verify-cert-binding.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verify-cert-binding.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/verify-cert-binding.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE/C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAE5D,KAAK,wBAAwB,GAAG;IAC9B,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;IACxC,OAAO,EAAE,QAAQ,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,IAAI,EAAE,eAAe,CAAC;CACvB,CAAC;AAqBF,eAAO,MAAM,iBAAiB,GAAI,oCAK/B,wBAAwB,KAAG,IAyB7B,CAAC"}
+{"version":3,"file":"verify-cert-binding.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/verify-cert-binding.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE/C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAE5D,KAAK,wBAAwB,GAAG;IAC9B,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;IACxC,OAAO,EAAE,QAAQ,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,IAAI,EAAE,eAAe,CAAC;CACvB,CAAC;AAqBF,eAAO,MAAM,iBAAiB,GAAI,oCAK/B,wBAAwB,KAAG,IAmC7B,CAAC"}

package/dist/internal/utils/verify-cert-binding.js

@@ -4,17 +4,25 @@ export const verifyCertBinding = ({ header, kryptos, logger, mode, }) => {
         return;
     if (kryptos.certificateThumbprint === null) {
         if (mode === "strict") {
-            throw new AegisError("token header x5t#S256 present but signing kryptos has no certificateChain", { debug: { kryptosId: kryptos.id } });
+            throw new AegisError("token header x5t#S256 present but signing kryptos has no certificateChain", {
+                code: "cert_binding_chain_missing",
+                debug: { kryptosId: kryptos.id },
+                title: "Cert Binding Chain Missing",
+                details: "The token header carries an x5t#S256 thumbprint, but the verifying kryptos has no certificateChain to confirm the binding in strict mode.",
+            });
         }
         logger.warn("Cert binding: token header x5t#S256 present but signing kryptos has no certificateChain (lax mode — passing through)", { kryptosId: kryptos.id });
         return;
     }
     if (header.x5tS256 !== kryptos.certificateThumbprint) {
         throw new AegisError("signing certificate thumbprint mismatch", {
+            code: "cert_binding_thumbprint_mismatch",
             debug: {
                 expected: kryptos.certificateThumbprint,
                 received: header.x5tS256,
             },
+            title: "Cert Binding Thumbprint Mismatch",
+            details: "The token header x5t#S256 does not match the certificateThumbprint of the verifying kryptos.",
         });
     }
 };

package/dist/internal/utils/verify-cert-binding.js.map

@@ -1 +1 @@
-{"version":3,"file":"verify-cert-binding.js","sourceRoot":"","sources":["../../../src/internal/utils/verify-cert-binding.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA6BnD,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,EAChC,MAAM,EACN,OAAO,EACP,MAAM,EACN,IAAI,GACqB,EAAQ,EAAE;IACnC,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS;QAAE,OAAO;IAEzC,IAAI,OAAO,CAAC,qBAAqB,KAAK,IAAI,EAAE,CAAC;QAC3C,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtB,MAAM,IAAI,UAAU,CAClB,2EAA2E,EAC3E,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE,CACrC,CAAC;QACJ,CAAC;QACD,MAAM,CAAC,IAAI,CACT,sHAAsH,EACtH,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,CAC1B,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,CAAC,qBAAqB,EAAE,CAAC;QACrD,MAAM,IAAI,UAAU,CAAC,yCAAyC,EAAE;YAC9D,KAAK,EAAE;gBACL,QAAQ,EAAE,OAAO,CAAC,qBAAqB;gBACvC,QAAQ,EAAE,MAAM,CAAC,OAAO;aACzB;SACF,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC"}
+{"version":3,"file":"verify-cert-binding.js","sourceRoot":"","sources":["../../../src/internal/utils/verify-cert-binding.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA6BnD,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,EAChC,MAAM,EACN,OAAO,EACP,MAAM,EACN,IAAI,GACqB,EAAQ,EAAE;IACnC,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS;QAAE,OAAO;IAEzC,IAAI,OAAO,CAAC,qBAAqB,KAAK,IAAI,EAAE,CAAC;QAC3C,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtB,MAAM,IAAI,UAAU,CAClB,2EAA2E,EAC3E;gBACE,IAAI,EAAE,4BAA4B;gBAClC,KAAK,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE;gBAChC,KAAK,EAAE,4BAA4B;gBACnC,OAAO,EACL,2IAA2I;aAC9I,CACF,CAAC;QACJ,CAAC;QACD,MAAM,CAAC,IAAI,CACT,sHAAsH,EACtH,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,CAC1B,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,CAAC,qBAAqB,EAAE,CAAC;QACrD,MAAM,IAAI,UAAU,CAAC,yCAAyC,EAAE;YAC9D,IAAI,EAAE,kCAAkC;YACxC,KAAK,EAAE;gBACL,QAAQ,EAAE,OAAO,CAAC,qBAAqB;gBACvC,QAAQ,EAAE,MAAM,CAAC,OAAO;aACzB;YACD,KAAK,EAAE,kCAAkC;YACzC,OAAO,EACL,8FAA8F;SACjG,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC"}

package/dist/internal/utils/verify-dpop-proof.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verify-dpop-proof.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/verify-dpop-proof.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAMnE,KAAK,OAAO,GAAG;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAkBF,eAAO,MAAM,eAAe,GAAI,SAAS,OAAO,KAAG,eA8ElD,CAAC"}
+{"version":3,"file":"verify-dpop-proof.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/verify-dpop-proof.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAMnE,KAAK,OAAO,GAAG;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAwBF,eAAO,MAAM,eAAe,GAAI,SAAS,OAAO,KAAG,eAkHlD,CAAC"}

package/dist/internal/utils/verify-dpop-proof.js

@@ -7,7 +7,12 @@ import { verifyJoseSignature } from "./jose-signature.js";
 import { decodeJwtPayload } from "./jwt-payload.js";
 const assertString = (value, claim) => {
     if (typeof value !== "string" || value.length === 0) {
-        throw new JwtError(`Invalid DPoP proof: "${claim}" claim is required`);
+        throw new JwtError(`Invalid DPoP proof: "${claim}" claim is required`, {
+            code: "jwt_dpop_claim_required",
+            data: { claim },
+            title: "JWT DPoP Claim Required",
+            details: "A required DPoP proof claim (jti, htm, or htu) was missing or not a non-empty string.",
+        });
     }
     return value;
 };
@@ -15,23 +20,37 @@ export const verifyDpopProof = (options) => {
     const { proof, accessToken, expectedThumbprint, dpopMaxSkew } = options;
     const parts = proof.split(".");
     if (parts.length !== 3) {
-        throw new JwtError("Invalid DPoP proof: not a compact JWS");
+        throw new JwtError("Invalid DPoP proof: not a compact JWS", {
+            code: "jwt_dpop_not_compact_jws",
+            title: "JWT DPoP Not Compact JWS",
+            details: "The DPoP proof must be a compact JWS with exactly three dot-separated segments.",
+        });
     }
     const [headerB64, payloadB64] = parts;
     const header = decodeJoseHeader(headerB64);
     if (header.typ !== "dpop+jwt") {
         throw new JwtError("Invalid DPoP proof: header typ must be dpop+jwt", {
+            code: "jwt_dpop_invalid_typ",
             data: { typ: header.typ },
+            title: "JWT DPoP Invalid Typ",
+            details: "The DPoP proof header typ must be exactly dpop+jwt per RFC 9449.",
         });
     }
     if (!header.jwk) {
-        throw new JwtError("Invalid DPoP proof: header jwk is required");
+        throw new JwtError("Invalid DPoP proof: header jwk is required", {
+            code: "jwt_dpop_jwk_required",
+            title: "JWT DPoP JWK Required",
+            details: "The DPoP proof header must carry a jwk so its thumbprint can be matched against cnf.jkt.",
+        });
     }
     const rawJwk = header.jwk;
     const thumbprint = computeJwkThumbprint(rawJwk);
     if (thumbprint !== expectedThumbprint) {
         throw new JwtError("Invalid DPoP proof: thumbprint does not match cnf.jkt", {
-            data: { expected: expectedThumbprint, actual: thumbprint },
+            code: "jwt_dpop_thumbprint_mismatch",
+            debug: { expected: expectedThumbprint, actual: thumbprint },
+            title: "JWT DPoP Thumbprint Mismatch",
+            details: "The RFC 7638 thumbprint of the proof header jwk does not match the token's bound cnf.jkt thumbprint.",
         });
     }
     const proofKryptos = KryptosKit.from.jwk({
@@ -40,24 +59,39 @@ export const verifyDpopProof = (options) => {
         use: "sig",
     });
     if (!verifyJoseSignature(proofKryptos, proof)) {
-        throw new JwtError("Invalid DPoP proof: signature verification failed");
+        throw new JwtError("Invalid DPoP proof: signature verification failed", {
+            code: "jwt_dpop_signature_invalid",
+            title: "JWT DPoP Signature Invalid",
+            details: "The DPoP proof signature did not verify against the key embedded in its jwk header.",
+        });
     }
     const payload = decodeJwtPayload(payloadB64);
     const tokenId = assertString(payload.jti, "jti");
     const httpMethod = assertString(payload.htm, "htm");
     const httpUri = assertString(payload.htu, "htu");
     if (typeof payload.iat !== "number") {
-        throw new JwtError("Invalid DPoP proof: iat claim is required");
+        throw new JwtError("Invalid DPoP proof: iat claim is required", {
+            code: "jwt_dpop_iat_required",
+            title: "JWT DPoP IAT Required",
+            details: "The DPoP proof must carry a numeric iat claim so its freshness can be checked.",
+        });
     }
     const now = Math.floor(Date.now() / 1000);
     if (Math.abs(now - payload.iat) > dpopMaxSkew) {
         throw new JwtError("Invalid DPoP proof: iat is outside the allowed skew window", {
+            code: "jwt_dpop_iat_skew",
             data: { iat: payload.iat, now, dpopMaxSkew },
+            title: "JWT DPoP IAT Skew",
+            details: "The DPoP proof iat differs from the current time by more than the configured dpopMaxSkew window.",
         });
     }
     const expectedAth = ShaKit.S256(accessToken);
     if (payload.ath !== expectedAth) {
-        throw new JwtError("Invalid DPoP proof: ath does not match access token hash");
+        throw new JwtError("Invalid DPoP proof: ath does not match access token hash", {
+            code: "jwt_dpop_ath_mismatch",
+            title: "JWT DPoP ATH Mismatch",
+            details: "The DPoP proof ath claim does not equal the SHA-256 hash of the presented access token.",
+        });
     }
     return {
         thumbprint,

package/dist/internal/utils/verify-dpop-proof.js.map

@@ -1 +1 @@
-{"version":3,"file":"verify-dpop-proof.js","sourceRoot":"","sources":["../../../src/internal/utils/verify-dpop-proof.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAEjD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAkBpD,MAAM,YAAY,GAAG,CAAC,KAAc,EAAE,KAAa,EAAU,EAAE;IAC7D,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,QAAQ,CAAC,wBAAwB,KAAK,qBAAqB,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,OAAgB,EAAmB,EAAE;IACnE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IAExE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,QAAQ,CAAC,uCAAuC,CAAC,CAAC;IAC9D,CAAC;IACD,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,GAAG,KAAK,CAAC;IAEtC,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAE3C,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,QAAQ,CAAC,iDAAiD,EAAE;YACpE,IAAI,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,IAAI,QAAQ,CAAC,4CAA4C,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,GAA8B,CAAC;IAIrD,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAEhD,IAAI,UAAU,KAAK,kBAAkB,EAAE,CAAC;QACtC,MAAM,IAAI,QAAQ,CAAC,uDAAuD,EAAE;YAC1E,IAAI,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE;SAC3D,CAAC,CAAC;IACL,CAAC;IAOD,MAAM,YAAY,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC;QACvC,GAAG,MAAM;QACT,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,GAAG,EAAE,KAAK;KACkC,CAAC,CAAC;IAEhD,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE,KAAK,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,QAAQ,CAAC,mDAAmD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,CAAmB,UAAU,CAAC,CAAC;IAE/D,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAEjD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,QAAQ,CAAC,2CAA2C,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,WAAW,EAAE,CAAC;QAC9C,MAAM,IAAI,QAAQ,CAAC,4DAA4D,EAAE;YAC/E,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,WAAW,EAAE;SAC7C,CAAC,CAAC;IACL,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7C,IAAI,OAAO,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QAChC,MAAM,IAAI,QAAQ,CAAC,0DAA0D,CAAC,CAAC;IACjF,CAAC;IAED,OAAO;QACL,UAAU;QACV,OAAO;QACP,UAAU;QACV,OAAO;QACP,QAAQ,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;QACtC,eAAe,EAAE,WAAW;QAC5B,KAAK,EAAE,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KACrE,CAAC;AACJ,CAAC,CAAC"}
+{"version":3,"file":"verify-dpop-proof.js","sourceRoot":"","sources":["../../../src/internal/utils/verify-dpop-proof.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAEjD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAkBpD,MAAM,YAAY,GAAG,CAAC,KAAc,EAAE,KAAa,EAAU,EAAE;IAC7D,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,QAAQ,CAAC,wBAAwB,KAAK,qBAAqB,EAAE;YACrE,IAAI,EAAE,yBAAyB;YAC/B,IAAI,EAAE,EAAE,KAAK,EAAE;YACf,KAAK,EAAE,yBAAyB;YAChC,OAAO,EACL,uFAAuF;SAC1F,CAAC,CAAC;IACL,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,OAAgB,EAAmB,EAAE;IACnE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IAExE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,QAAQ,CAAC,uCAAuC,EAAE;YAC1D,IAAI,EAAE,0BAA0B;YAChC,KAAK,EAAE,0BAA0B;YACjC,OAAO,EACL,iFAAiF;SACpF,CAAC,CAAC;IACL,CAAC;IACD,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,GAAG,KAAK,CAAC;IAEtC,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAE3C,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,QAAQ,CAAC,iDAAiD,EAAE;YACpE,IAAI,EAAE,sBAAsB;YAC5B,IAAI,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE;YACzB,KAAK,EAAE,sBAAsB;YAC7B,OAAO,EAAE,kEAAkE;SAC5E,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,IAAI,QAAQ,CAAC,4CAA4C,EAAE;YAC/D,IAAI,EAAE,uBAAuB;YAC7B,KAAK,EAAE,uBAAuB;YAC9B,OAAO,EACL,0FAA0F;SAC7F,CAAC,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,GAA8B,CAAC;IAIrD,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAEhD,IAAI,UAAU,KAAK,kBAAkB,EAAE,CAAC;QACtC,MAAM,IAAI,QAAQ,CAAC,uDAAuD,EAAE;YAC1E,IAAI,EAAE,8BAA8B;YACpC,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE;YAC3D,KAAK,EAAE,8BAA8B;YACrC,OAAO,EACL,sGAAsG;SACzG,CAAC,CAAC;IACL,CAAC;IAOD,MAAM,YAAY,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC;QACvC,GAAG,MAAM;QACT,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,GAAG,EAAE,KAAK;KACkC,CAAC,CAAC;IAEhD,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE,KAAK,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,QAAQ,CAAC,mDAAmD,EAAE;YACtE,IAAI,EAAE,4BAA4B;YAClC,KAAK,EAAE,4BAA4B;YACnC,OAAO,EACL,qFAAqF;SACxF,CAAC,CAAC;IACL,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,CAAmB,UAAU,CAAC,CAAC;IAE/D,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAEjD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,QAAQ,CAAC,2CAA2C,EAAE;YAC9D,IAAI,EAAE,uBAAuB;YAC7B,KAAK,EAAE,uBAAuB;YAC9B,OAAO,EACL,gFAAgF;SACnF,CAAC,CAAC;IACL,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,WAAW,EAAE,CAAC;QAC9C,MAAM,IAAI,QAAQ,CAAC,4DAA4D,EAAE;YAC/E,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,WAAW,EAAE;YAC5C,KAAK,EAAE,mBAAmB;YAC1B,OAAO,EACL,kGAAkG;SACrG,CAAC,CAAC;IACL,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7C,IAAI,OAAO,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QAChC,MAAM,IAAI,QAAQ,CAAC,0DAA0D,EAAE;YAC7E,IAAI,EAAE,uBAAuB;YAC7B,KAAK,EAAE,uBAAuB;YAC9B,OAAO,EACL,yFAAyF;SAC5F,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,UAAU;QACV,OAAO;QACP,UAAU;QACV,OAAO;QACP,QAAQ,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;QACtC,eAAe,EAAE,WAAW;QAC5B,KAAK,EAAE,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KACrE,CAAC;AACJ,CAAC,CAAC"}

package/dist/types/claims/aegis-introspection.d.ts

@@ -2,9 +2,10 @@ import type { LindormClaims } from "./lindorm-claims.js";
 import type { OAuthClaims } from "./oauth-claims.js";
 import type { OidcClaims } from "./oidc-claims.js";
 import type { PopClaims } from "./pop-claims.js";
+import type { RarClaims } from "./rar-claims.js";
 import type { DelegationClaims } from "./delegation-claims.js";
 import type { StdClaims } from "./std-claims.js";
-export type AegisIntrospectionActive = StdClaims & OidcClaims & PopClaims & DelegationClaims & OAuthClaims & LindormClaims & {
+export type AegisIntrospectionActive = StdClaims & OidcClaims & PopClaims & DelegationClaims & OAuthClaims & RarClaims & LindormClaims & {
     active: true;
     tokenType?: string;
     username?: string;

package/dist/types/claims/aegis-introspection.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"aegis-introspection.d.ts","sourceRoot":"","sources":["../../../src/types/claims/aegis-introspection.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAKjD,MAAM,MAAM,wBAAwB,GAAG,SAAS,GAC9C,UAAU,GACV,SAAS,GACT,gBAAgB,GAChB,WAAW,GACX,aAAa,GAAG;IACd,MAAM,EAAE,IAAI,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAIJ,MAAM,MAAM,0BAA0B,GAAG;IACvC,MAAM,EAAE,KAAK,CAAC;CACf,CAAC;AAIF,MAAM,MAAM,kBAAkB,GAAG,wBAAwB,GAAG,0BAA0B,CAAC"}
+{"version":3,"file":"aegis-introspection.d.ts","sourceRoot":"","sources":["../../../src/types/claims/aegis-introspection.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAKjD,MAAM,MAAM,wBAAwB,GAAG,SAAS,GAC9C,UAAU,GACV,SAAS,GACT,gBAAgB,GAChB,WAAW,GACX,SAAS,GACT,aAAa,GAAG;IACd,MAAM,EAAE,IAAI,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAIJ,MAAM,MAAM,0BAA0B,GAAG;IACvC,MAAM,EAAE,KAAK,CAAC;CACf,CAAC;AAIF,MAAM,MAAM,kBAAkB,GAAG,wBAAwB,GAAG,0BAA0B,CAAC"}

package/dist/types/claims/index.d.ts

@@ -9,7 +9,9 @@ export * from "./lindorm-claims.js";
 export * from "./oauth-claims.js";
 export * from "./oidc-claims.js";
 export * from "./pop-claims.js";
+export * from "./rar-claims.js";
 export * from "./delegation-claims.js";
+export * from "./set-claims.js";
 export * from "./std-claims.js";
 export * from "./jwt/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/types/claims/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/types/claims/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,0BAA0B,CAAC;AACzC,cAAc,oBAAoB,CAAC;AACnC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,kBAAkB,CAAC;AACjC,cAAc,yBAAyB,CAAC;AACxC,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAChC,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAEhC,cAAc,gBAAgB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/types/claims/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,0BAA0B,CAAC;AACzC,cAAc,oBAAoB,CAAC;AACnC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,kBAAkB,CAAC;AACjC,cAAc,yBAAyB,CAAC;AACxC,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAEhC,cAAc,gBAAgB,CAAC"}

package/dist/types/claims/index.js

@@ -9,7 +9,9 @@ export * from "./lindorm-claims.js";
 export * from "./oauth-claims.js";
 export * from "./oidc-claims.js";
 export * from "./pop-claims.js";
+export * from "./rar-claims.js";
 export * from "./delegation-claims.js";
+export * from "./set-claims.js";
 export * from "./std-claims.js";
 export * from "./jwt/index.js";
 //# sourceMappingURL=index.js.map