npm - @middag-io/licensing - Versions diffs - 0.1.0 - Mend

@middag-io/licensing 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md +72 -0
package/dist/build/index.d.ts +47 -0
package/dist/build/index.d.ts.map +1 -0
package/dist/build/index.js +113 -0
package/dist/build/index.js.map +1 -0
package/dist/client/index.d.ts +74 -0
package/dist/client/index.d.ts.map +1 -0
package/dist/client/index.js +912 -0
package/dist/client/index.js.map +1 -0
package/dist/contract/index.d.ts +138 -0
package/dist/contract/index.d.ts.map +1 -0
package/dist/contract/index.js +33 -0
package/dist/contract/index.js.map +1 -0
package/dist/index.d.ts +9 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +2 -0
package/package.json +48 -0

package/dist/client/index.js ADDED Viewed

@@ -0,0 +1,912 @@
+import { CONTRACT_VERSION } from "../contract/index.js";
+//#region node_modules/jose/dist/webapi/lib/buffer_utils.js
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+function concat(...buffers) {
+	const size = buffers.reduce((acc, { length }) => acc + length, 0);
+	const buf = new Uint8Array(size);
+	let i = 0;
+	for (const buffer of buffers) {
+		buf.set(buffer, i);
+		i += buffer.length;
+	}
+	return buf;
+}
+function encode(string) {
+	const bytes = new Uint8Array(string.length);
+	for (let i = 0; i < string.length; i++) {
+		const code = string.charCodeAt(i);
+		if (code > 127) throw new TypeError("non-ASCII string encountered in encode()");
+		bytes[i] = code;
+	}
+	return bytes;
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/base64.js
+function decodeBase64(encoded) {
+	if (Uint8Array.fromBase64) return Uint8Array.fromBase64(encoded);
+	const binary = atob(encoded);
+	const bytes = new Uint8Array(binary.length);
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/util/base64url.js
+function decode(input) {
+	if (Uint8Array.fromBase64) return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), { alphabet: "base64url" });
+	let encoded = input;
+	if (encoded instanceof Uint8Array) encoded = decoder.decode(encoded);
+	encoded = encoded.replace(/-/g, "+").replace(/_/g, "/");
+	try {
+		return decodeBase64(encoded);
+	} catch {
+		throw new TypeError("The input to be decoded is not correctly encoded.");
+	}
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/crypto_key.js
+var unusable = (name, prop = "algorithm.name") => /* @__PURE__ */ new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+var isAlgorithm = (algorithm, name) => algorithm.name === name;
+function getHashLength(hash) {
+	return parseInt(hash.name.slice(4), 10);
+}
+function checkHashLength(algorithm, expected) {
+	if (getHashLength(algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
+}
+function getNamedCurve(alg) {
+	switch (alg) {
+		case "ES256": return "P-256";
+		case "ES384": return "P-384";
+		case "ES512": return "P-521";
+		default: throw new Error("unreachable");
+	}
+}
+function checkUsage(key, usage) {
+	if (usage && !key.usages.includes(usage)) throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+}
+function checkSigCryptoKey(key, alg, usage) {
+	switch (alg) {
+		case "HS256":
+		case "HS384":
+		case "HS512":
+			if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
+			checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+			break;
+		case "RS256":
+		case "RS384":
+		case "RS512":
+			if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
+			checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+			break;
+		case "PS256":
+		case "PS384":
+		case "PS512":
+			if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
+			checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+			break;
+		case "Ed25519":
+		case "EdDSA":
+			if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
+			break;
+		case "ML-DSA-44":
+		case "ML-DSA-65":
+		case "ML-DSA-87":
+			if (!isAlgorithm(key.algorithm, alg)) throw unusable(alg);
+			break;
+		case "ES256":
+		case "ES384":
+		case "ES512": {
+			if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
+			const expected = getNamedCurve(alg);
+			if (key.algorithm.namedCurve !== expected) throw unusable(expected, "algorithm.namedCurve");
+			break;
+		}
+		default: throw new TypeError("CryptoKey does not support this operation");
+	}
+	checkUsage(key, usage);
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/invalid_key_input.js
+function message(msg, actual, ...types) {
+	types = types.filter(Boolean);
+	if (types.length > 2) {
+		const last = types.pop();
+		msg += `one of type ${types.join(", ")}, or ${last}.`;
+	} else if (types.length === 2) msg += `one of type ${types[0]} or ${types[1]}.`;
+	else msg += `of type ${types[0]}.`;
+	if (actual == null) msg += ` Received ${actual}`;
+	else if (typeof actual === "function" && actual.name) msg += ` Received function ${actual.name}`;
+	else if (typeof actual === "object" && actual != null) {
+		if (actual.constructor?.name) msg += ` Received an instance of ${actual.constructor.name}`;
+	}
+	return msg;
+}
+var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
+var withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
+//#endregion
+//#region node_modules/jose/dist/webapi/util/errors.js
+var JOSEError = class extends Error {
+	static code = "ERR_JOSE_GENERIC";
+	code = "ERR_JOSE_GENERIC";
+	constructor(message, options) {
+		super(message, options);
+		this.name = this.constructor.name;
+		Error.captureStackTrace?.(this, this.constructor);
+	}
+};
+var JOSEAlgNotAllowed = class extends JOSEError {
+	static code = "ERR_JOSE_ALG_NOT_ALLOWED";
+	code = "ERR_JOSE_ALG_NOT_ALLOWED";
+};
+var JOSENotSupported = class extends JOSEError {
+	static code = "ERR_JOSE_NOT_SUPPORTED";
+	code = "ERR_JOSE_NOT_SUPPORTED";
+};
+var JWSInvalid = class extends JOSEError {
+	static code = "ERR_JWS_INVALID";
+	code = "ERR_JWS_INVALID";
+};
+var JWSSignatureVerificationFailed = class extends JOSEError {
+	static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+	code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+	constructor(message = "signature verification failed", options) {
+		super(message, options);
+	}
+};
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/is_key_like.js
+var isCryptoKey = (key) => {
+	if (key?.[Symbol.toStringTag] === "CryptoKey") return true;
+	try {
+		return key instanceof CryptoKey;
+	} catch {
+		return false;
+	}
+};
+var isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
+var isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/helpers.js
+function decodeBase64url(value, label, ErrorClass) {
+	try {
+		return decode(value);
+	} catch {
+		throw new ErrorClass(`Failed to base64url decode the ${label}`);
+	}
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/type_checks.js
+var isObjectLike = (value) => typeof value === "object" && value !== null;
+function isObject(input) {
+	if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") return false;
+	if (Object.getPrototypeOf(input) === null) return true;
+	let proto = input;
+	while (Object.getPrototypeOf(proto) !== null) proto = Object.getPrototypeOf(proto);
+	return Object.getPrototypeOf(input) === proto;
+}
+function isDisjoint(...headers) {
+	const sources = headers.filter(Boolean);
+	if (sources.length === 0 || sources.length === 1) return true;
+	let acc;
+	for (const header of sources) {
+		const parameters = Object.keys(header);
+		if (!acc || acc.size === 0) {
+			acc = new Set(parameters);
+			continue;
+		}
+		for (const parameter of parameters) {
+			if (acc.has(parameter)) return false;
+			acc.add(parameter);
+		}
+	}
+	return true;
+}
+var isJWK = (key) => isObject(key) && typeof key.kty === "string";
+var isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+var isPublicJWK = (key) => key.kty !== "oct" && key.d === void 0 && key.priv === void 0;
+var isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/signing.js
+function checkKeyLength(alg, key) {
+	if (alg.startsWith("RS") || alg.startsWith("PS")) {
+		const { modulusLength } = key.algorithm;
+		if (typeof modulusLength !== "number" || modulusLength < 2048) throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
+	}
+}
+function subtleAlgorithm(alg, algorithm) {
+	const hash = `SHA-${alg.slice(-3)}`;
+	switch (alg) {
+		case "HS256":
+		case "HS384":
+		case "HS512": return {
+			hash,
+			name: "HMAC"
+		};
+		case "PS256":
+		case "PS384":
+		case "PS512": return {
+			hash,
+			name: "RSA-PSS",
+			saltLength: parseInt(alg.slice(-3), 10) >> 3
+		};
+		case "RS256":
+		case "RS384":
+		case "RS512": return {
+			hash,
+			name: "RSASSA-PKCS1-v1_5"
+		};
+		case "ES256":
+		case "ES384":
+		case "ES512": return {
+			hash,
+			name: "ECDSA",
+			namedCurve: algorithm.namedCurve
+		};
+		case "Ed25519":
+		case "EdDSA": return { name: "Ed25519" };
+		case "ML-DSA-44":
+		case "ML-DSA-65":
+		case "ML-DSA-87": return { name: alg };
+		default: throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+	}
+}
+async function getSigKey(alg, key, usage) {
+	if (key instanceof Uint8Array) {
+		if (!alg.startsWith("HS")) throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+		return crypto.subtle.importKey("raw", key, {
+			hash: `SHA-${alg.slice(-3)}`,
+			name: "HMAC"
+		}, false, [usage]);
+	}
+	checkSigCryptoKey(key, alg, usage);
+	return key;
+}
+async function verify(alg, key, signature, data) {
+	const cryptoKey = await getSigKey(alg, key, "verify");
+	checkKeyLength(alg, cryptoKey);
+	const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+	try {
+		return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+	} catch {
+		return false;
+	}
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/jwk_to_key.js
+var unsupportedAlg = "Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value";
+function subtleMapping(jwk) {
+	let algorithm;
+	let keyUsages;
+	switch (jwk.kty) {
+		case "AKP":
+			switch (jwk.alg) {
+				case "ML-DSA-44":
+				case "ML-DSA-65":
+				case "ML-DSA-87":
+					algorithm = { name: jwk.alg };
+					keyUsages = jwk.priv ? ["sign"] : ["verify"];
+					break;
+				default: throw new JOSENotSupported(unsupportedAlg);
+			}
+			break;
+		case "RSA":
+			switch (jwk.alg) {
+				case "PS256":
+				case "PS384":
+				case "PS512":
+					algorithm = {
+						name: "RSA-PSS",
+						hash: `SHA-${jwk.alg.slice(-3)}`
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "RS256":
+				case "RS384":
+				case "RS512":
+					algorithm = {
+						name: "RSASSA-PKCS1-v1_5",
+						hash: `SHA-${jwk.alg.slice(-3)}`
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "RSA-OAEP":
+				case "RSA-OAEP-256":
+				case "RSA-OAEP-384":
+				case "RSA-OAEP-512":
+					algorithm = {
+						name: "RSA-OAEP",
+						hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
+					};
+					keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+					break;
+				default: throw new JOSENotSupported(unsupportedAlg);
+			}
+			break;
+		case "EC":
+			switch (jwk.alg) {
+				case "ES256":
+				case "ES384":
+				case "ES512":
+					algorithm = {
+						name: "ECDSA",
+						namedCurve: {
+							ES256: "P-256",
+							ES384: "P-384",
+							ES512: "P-521"
+						}[jwk.alg]
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "ECDH-ES":
+				case "ECDH-ES+A128KW":
+				case "ECDH-ES+A192KW":
+				case "ECDH-ES+A256KW":
+					algorithm = {
+						name: "ECDH",
+						namedCurve: jwk.crv
+					};
+					keyUsages = jwk.d ? ["deriveBits"] : [];
+					break;
+				default: throw new JOSENotSupported(unsupportedAlg);
+			}
+			break;
+		case "OKP":
+			switch (jwk.alg) {
+				case "Ed25519":
+				case "EdDSA":
+					algorithm = { name: "Ed25519" };
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "ECDH-ES":
+				case "ECDH-ES+A128KW":
+				case "ECDH-ES+A192KW":
+				case "ECDH-ES+A256KW":
+					algorithm = { name: jwk.crv };
+					keyUsages = jwk.d ? ["deriveBits"] : [];
+					break;
+				default: throw new JOSENotSupported(unsupportedAlg);
+			}
+			break;
+		default: throw new JOSENotSupported("Invalid or unsupported JWK \"kty\" (Key Type) Parameter value");
+	}
+	return {
+		algorithm,
+		keyUsages
+	};
+}
+async function jwkToKey(jwk) {
+	if (!jwk.alg) throw new TypeError("\"alg\" argument is required when \"jwk.alg\" is not present");
+	const { algorithm, keyUsages } = subtleMapping(jwk);
+	const keyData = { ...jwk };
+	if (keyData.kty !== "AKP") delete keyData.alg;
+	delete keyData.use;
+	return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/normalize_key.js
+var unusableForAlg = "given KeyObject instance cannot be used for this algorithm";
+var cache;
+var handleJWK = async (key, jwk, alg, freeze = false) => {
+	cache ||= /* @__PURE__ */ new WeakMap();
+	let cached = cache.get(key);
+	if (cached?.[alg]) return cached[alg];
+	const cryptoKey = await jwkToKey({
+		...jwk,
+		alg
+	});
+	if (freeze) Object.freeze(key);
+	if (!cached) cache.set(key, { [alg]: cryptoKey });
+	else cached[alg] = cryptoKey;
+	return cryptoKey;
+};
+var handleKeyObject = (keyObject, alg) => {
+	cache ||= /* @__PURE__ */ new WeakMap();
+	let cached = cache.get(keyObject);
+	if (cached?.[alg]) return cached[alg];
+	const isPublic = keyObject.type === "public";
+	const extractable = isPublic ? true : false;
+	let cryptoKey;
+	if (keyObject.asymmetricKeyType === "x25519") {
+		switch (alg) {
+			case "ECDH-ES":
+			case "ECDH-ES+A128KW":
+			case "ECDH-ES+A192KW":
+			case "ECDH-ES+A256KW": break;
+			default: throw new TypeError(unusableForAlg);
+		}
+		cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
+	}
+	if (keyObject.asymmetricKeyType === "ed25519") {
+		if (alg !== "EdDSA" && alg !== "Ed25519") throw new TypeError(unusableForAlg);
+		cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [isPublic ? "verify" : "sign"]);
+	}
+	switch (keyObject.asymmetricKeyType) {
+		case "ml-dsa-44":
+		case "ml-dsa-65":
+		case "ml-dsa-87":
+			if (alg !== keyObject.asymmetricKeyType.toUpperCase()) throw new TypeError(unusableForAlg);
+			cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [isPublic ? "verify" : "sign"]);
+	}
+	if (keyObject.asymmetricKeyType === "rsa") {
+		let hash;
+		switch (alg) {
+			case "RSA-OAEP":
+				hash = "SHA-1";
+				break;
+			case "RS256":
+			case "PS256":
+			case "RSA-OAEP-256":
+				hash = "SHA-256";
+				break;
+			case "RS384":
+			case "PS384":
+			case "RSA-OAEP-384":
+				hash = "SHA-384";
+				break;
+			case "RS512":
+			case "PS512":
+			case "RSA-OAEP-512":
+				hash = "SHA-512";
+				break;
+			default: throw new TypeError(unusableForAlg);
+		}
+		if (alg.startsWith("RSA-OAEP")) return keyObject.toCryptoKey({
+			name: "RSA-OAEP",
+			hash
+		}, extractable, isPublic ? ["encrypt"] : ["decrypt"]);
+		cryptoKey = keyObject.toCryptoKey({
+			name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+			hash
+		}, extractable, [isPublic ? "verify" : "sign"]);
+	}
+	if (keyObject.asymmetricKeyType === "ec") {
+		const namedCurve = new Map([
+			["prime256v1", "P-256"],
+			["secp384r1", "P-384"],
+			["secp521r1", "P-521"]
+		]).get(keyObject.asymmetricKeyDetails?.namedCurve);
+		if (!namedCurve) throw new TypeError(unusableForAlg);
+		const expectedCurve = {
+			ES256: "P-256",
+			ES384: "P-384",
+			ES512: "P-521"
+		};
+		if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) cryptoKey = keyObject.toCryptoKey({
+			name: "ECDSA",
+			namedCurve
+		}, extractable, [isPublic ? "verify" : "sign"]);
+		if (alg.startsWith("ECDH-ES")) cryptoKey = keyObject.toCryptoKey({
+			name: "ECDH",
+			namedCurve
+		}, extractable, isPublic ? [] : ["deriveBits"]);
+	}
+	if (!cryptoKey) throw new TypeError(unusableForAlg);
+	if (!cached) cache.set(keyObject, { [alg]: cryptoKey });
+	else cached[alg] = cryptoKey;
+	return cryptoKey;
+};
+async function normalizeKey(key, alg) {
+	if (key instanceof Uint8Array) return key;
+	if (isCryptoKey(key)) return key;
+	if (isKeyObject(key)) {
+		if (key.type === "secret") return key.export();
+		if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") try {
+			return handleKeyObject(key, alg);
+		} catch (err) {
+			if (err instanceof TypeError) throw err;
+		}
+		return handleJWK(key, key.export({ format: "jwk" }), alg);
+	}
+	if (isJWK(key)) {
+		if (key.k) return decode(key.k);
+		return handleJWK(key, key, alg, true);
+	}
+	throw new Error("unreachable");
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/key/import.js
+async function importJWK(jwk, alg, options) {
+	if (!isObject(jwk)) throw new TypeError("JWK must be an object");
+	let ext;
+	alg ??= jwk.alg;
+	ext ??= options?.extractable ?? jwk.ext;
+	switch (jwk.kty) {
+		case "oct":
+			if (typeof jwk.k !== "string" || !jwk.k) throw new TypeError("missing \"k\" (Key Value) Parameter value");
+			return decode(jwk.k);
+		case "RSA":
+			if ("oth" in jwk && jwk.oth !== void 0) throw new JOSENotSupported("RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported");
+			return jwkToKey({
+				...jwk,
+				alg,
+				ext
+			});
+		case "AKP":
+			if (typeof jwk.alg !== "string" || !jwk.alg) throw new TypeError("missing \"alg\" (Algorithm) Parameter value");
+			if (alg !== void 0 && alg !== jwk.alg) throw new TypeError("JWK alg and alg option value mismatch");
+			return jwkToKey({
+				...jwk,
+				ext
+			});
+		case "EC":
+		case "OKP": return jwkToKey({
+			...jwk,
+			alg,
+			ext
+		});
+		default: throw new JOSENotSupported("Unsupported \"kty\" (Key Type) Parameter value");
+	}
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+	if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) throw new Err("\"crit\" (Critical) Header Parameter MUST be integrity protected");
+	if (!protectedHeader || protectedHeader.crit === void 0) return /* @__PURE__ */ new Set();
+	if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) throw new Err("\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present");
+	let recognized;
+	if (recognizedOption !== void 0) recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+	else recognized = recognizedDefault;
+	for (const parameter of protectedHeader.crit) {
+		if (!recognized.has(parameter)) throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+		if (joseHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+		if (recognized.get(parameter) && protectedHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+	}
+	return new Set(protectedHeader.crit);
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/validate_algorithms.js
+function validateAlgorithms(option, algorithms) {
+	if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) throw new TypeError(`"${option}" option must be an array of strings`);
+	if (!algorithms) return;
+	return new Set(algorithms);
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/lib/check_key_type.js
+var tag = (key) => key?.[Symbol.toStringTag];
+var jwkMatchesOp = (alg, key, usage) => {
+	if (key.use !== void 0) {
+		let expected;
+		switch (usage) {
+			case "sign":
+			case "verify":
+				expected = "sig";
+				break;
+			case "encrypt":
+			case "decrypt":
+				expected = "enc";
+				break;
+		}
+		if (key.use !== expected) throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`);
+	}
+	if (key.alg !== void 0 && key.alg !== alg) throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`);
+	if (Array.isArray(key.key_ops)) {
+		let expectedKeyOp;
+		switch (true) {
+			case usage === "sign" || usage === "verify":
+			case alg === "dir":
+			case alg.includes("CBC-HS"):
+				expectedKeyOp = usage;
+				break;
+			case alg.startsWith("PBES2"):
+				expectedKeyOp = "deriveBits";
+				break;
+			case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg):
+				if (!alg.includes("GCM") && alg.endsWith("KW")) expectedKeyOp = usage === "encrypt" ? "wrapKey" : "unwrapKey";
+				else expectedKeyOp = usage;
+				break;
+			case usage === "encrypt" && alg.startsWith("RSA"):
+				expectedKeyOp = "wrapKey";
+				break;
+			case usage === "decrypt":
+				expectedKeyOp = alg.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+				break;
+		}
+		if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`);
+	}
+	return true;
+};
+var symmetricTypeCheck = (alg, key, usage) => {
+	if (key instanceof Uint8Array) return;
+	if (isJWK(key)) {
+		if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+		throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
+	}
+	if (!isKeyLike(key)) throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+	if (key.type !== "secret") throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
+};
+var asymmetricTypeCheck = (alg, key, usage) => {
+	if (isJWK(key)) switch (usage) {
+		case "decrypt":
+		case "sign":
+			if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+			throw new TypeError(`JSON Web Key for this operation must be a private JWK`);
+		case "encrypt":
+		case "verify":
+			if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+			throw new TypeError(`JSON Web Key for this operation must be a public JWK`);
+	}
+	if (!isKeyLike(key)) throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key"));
+	if (key.type === "secret") throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
+	if (key.type === "public") switch (usage) {
+		case "sign": throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
+		case "decrypt": throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
+	}
+	if (key.type === "private") switch (usage) {
+		case "verify": throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
+		case "encrypt": throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
+	}
+};
+function checkKeyType(alg, key, usage) {
+	switch (alg.substring(0, 2)) {
+		case "A1":
+		case "A2":
+		case "di":
+		case "HS":
+		case "PB":
+			symmetricTypeCheck(alg, key, usage);
+			break;
+		default: asymmetricTypeCheck(alg, key, usage);
+	}
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/jws/flattened/verify.js
+async function flattenedVerify(jws, key, options) {
+	if (!isObject(jws)) throw new JWSInvalid("Flattened JWS must be an object");
+	if (jws.protected === void 0 && jws.header === void 0) throw new JWSInvalid("Flattened JWS must have either of the \"protected\" or \"header\" members");
+	if (jws.protected !== void 0 && typeof jws.protected !== "string") throw new JWSInvalid("JWS Protected Header incorrect type");
+	if (jws.payload === void 0) throw new JWSInvalid("JWS Payload missing");
+	if (typeof jws.signature !== "string") throw new JWSInvalid("JWS Signature missing or incorrect type");
+	if (jws.header !== void 0 && !isObject(jws.header)) throw new JWSInvalid("JWS Unprotected Header incorrect type");
+	let parsedProt = {};
+	if (jws.protected) try {
+		const protectedHeader = decode(jws.protected);
+		parsedProt = JSON.parse(decoder.decode(protectedHeader));
+	} catch {
+		throw new JWSInvalid("JWS Protected Header is invalid");
+	}
+	if (!isDisjoint(parsedProt, jws.header)) throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+	const joseHeader = {
+		...parsedProt,
+		...jws.header
+	};
+	const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
+	let b64 = true;
+	if (extensions.has("b64")) {
+		b64 = parsedProt.b64;
+		if (typeof b64 !== "boolean") throw new JWSInvalid("The \"b64\" (base64url-encode payload) Header Parameter must be a boolean");
+	}
+	const { alg } = joseHeader;
+	if (typeof alg !== "string" || !alg) throw new JWSInvalid("JWS \"alg\" (Algorithm) Header Parameter missing or invalid");
+	const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
+	if (algorithms && !algorithms.has(alg)) throw new JOSEAlgNotAllowed("\"alg\" (Algorithm) Header Parameter value not allowed");
+	if (b64) {
+		if (typeof jws.payload !== "string") throw new JWSInvalid("JWS Payload must be a string");
+	} else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
+	let resolvedKey = false;
+	if (typeof key === "function") {
+		key = await key(parsedProt, jws);
+		resolvedKey = true;
+	}
+	checkKeyType(alg, key, "verify");
+	const data = concat(jws.protected !== void 0 ? encode(jws.protected) : new Uint8Array(), encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
+	const signature = decodeBase64url(jws.signature, "signature", JWSInvalid);
+	const k = await normalizeKey(key, alg);
+	if (!await verify(alg, k, signature, data)) throw new JWSSignatureVerificationFailed();
+	let payload;
+	if (b64) payload = decodeBase64url(jws.payload, "payload", JWSInvalid);
+	else if (typeof jws.payload === "string") payload = encoder.encode(jws.payload);
+	else payload = jws.payload;
+	const result = { payload };
+	if (jws.protected !== void 0) result.protectedHeader = parsedProt;
+	if (jws.header !== void 0) result.unprotectedHeader = jws.header;
+	if (resolvedKey) return {
+		...result,
+		key: k
+	};
+	return result;
+}
+//#endregion
+//#region node_modules/jose/dist/webapi/jws/compact/verify.js
+async function compactVerify(jws, key, options) {
+	if (jws instanceof Uint8Array) jws = decoder.decode(jws);
+	if (typeof jws !== "string") throw new JWSInvalid("Compact JWS must be a string or Uint8Array");
+	const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split(".");
+	if (length !== 3) throw new JWSInvalid("Invalid Compact JWS");
+	const verified = await flattenedVerify({
+		payload,
+		protected: protectedHeader,
+		signature
+	}, key, options);
+	const result = {
+		payload: verified.payload,
+		protectedHeader: verified.protectedHeader
+	};
+	if (typeof key === "function") return {
+		...result,
+		key: verified.key
+	};
+	return result;
+}
+//#endregion
+//#region src/client/index.ts
+/**
+* Runtime loader for @middag-io/licensing.
+*
+* Runs inside the consuming host (Moodle, WordPress, ...). The browser never
+* calls the worker's HMAC-protected `/v1/protected/manifest` endpoint — the
+* PHP host bridge does that, persists the `ManifestResponse`, and serves it
+* to the browser at `manifest_url` (per ADR-012 §"Server-side host bridge").
+*
+* This loader:
+*
+*   1. Fetches the manifest JSON from the host-served URL (or via a caller-
+*      supplied `fetchManifest` for embedded use cases).
+*   2. Verifies the JWS signature against the worker's JWKS endpoint
+*      `${workerOrigin}/api/protected/jwks` (cached in-memory per kid).
+*   3. Validates the decoded payload against the bootstrap context
+*      (`install_id`, `host_origin`, `host_type`, `product`, `contract_version`)
+*      so a manifest swapped between installs is rejected client-side.
+*   4. Loads a requested module by fetching its CDN URL, recomputing the
+*      SRI hash against the bytes, and dynamic-importing from a Blob URL.
+*      Native `import()` does not yet take an integrity attribute, so we
+*      compute SRI ourselves before handing the bytes to the JS engine.
+*/
+var JWKS_PATH = "/api/protected/jwks";
+var JwksCache = class {
+	fetcher;
+	endpoint;
+	staticDoc;
+	byKid = /* @__PURE__ */ new Map();
+	constructor(fetcher, endpoint, staticDoc) {
+		this.fetcher = fetcher;
+		this.endpoint = endpoint;
+		this.staticDoc = staticDoc;
+	}
+	async resolve(kid) {
+		const cached = this.byKid.get(kid);
+		if (cached) return cached;
+		const jwk = (await this.loadDocument()).keys.find((k) => k.kid === kid);
+		if (!jwk) throw new LicensingError("jwks_kid_not_found", `manifest signing kid "${kid}" not present in JWKS`);
+		const key = await importJWK(jwk, "EdDSA");
+		this.byKid.set(kid, key);
+		return key;
+	}
+	async loadDocument() {
+		if (this.staticDoc) return this.staticDoc;
+		if (!this.endpoint) throw new LicensingError("jwks_endpoint_missing", "workerOrigin (or static jwks) must be supplied to verify the manifest");
+		const res = await this.fetcher(this.endpoint, { headers: { accept: "application/json" } });
+		if (!res.ok) throw new LicensingError("jwks_fetch_failed", `JWKS fetch failed: ${res.status} ${res.statusText}`);
+		const doc = await res.json();
+		if (!doc || !Array.isArray(doc.keys)) throw new LicensingError("jwks_malformed", "JWKS response did not contain a keys array");
+		return doc;
+	}
+};
+var LicensingError = class extends Error {
+	code;
+	constructor(code, message) {
+		super(message);
+		this.code = code;
+		this.name = "LicensingError";
+	}
+};
+function nowSec() {
+	return Math.floor(Date.now() / 1e3);
+}
+async function fetchManifestDefault(fetcher, url) {
+	const res = await fetcher(url, { headers: { accept: "application/json" } });
+	if (!res.ok) throw new LicensingError("manifest_fetch_failed", `manifest fetch failed: ${res.status} ${res.statusText}`);
+	return await res.json();
+}
+function decodeJwsHeader(jws) {
+	const dot = jws.indexOf(".");
+	if (dot <= 0) throw new LicensingError("jws_malformed", "JWS missing header segment");
+	const headerB64 = jws.slice(0, dot);
+	const json = atob(headerB64.replace(/-/g, "+").replace(/_/g, "/"));
+	const header = JSON.parse(json);
+	if (typeof header.alg !== "string" || typeof header.kid !== "string") throw new LicensingError("jws_header_invalid", "JWS header missing alg or kid");
+	return {
+		alg: header.alg,
+		kid: header.kid,
+		typ: header.typ
+	};
+}
+function assertEqual(field, actual, expected) {
+	if (actual !== expected) throw new LicensingError("manifest_field_mismatch", `manifest ${field} does not match bootstrap (got ${JSON.stringify(actual)}, expected ${JSON.stringify(expected)})`);
+}
+async function verifyAndValidate(options, jwks, response) {
+	const header = decodeJwsHeader(response.jws);
+	if (header.alg !== "EdDSA") throw new LicensingError("jws_alg_unsupported", `unsupported JWS alg "${header.alg}" — expected EdDSA`);
+	if (header.kid !== response.signing_kid) throw new LicensingError("jws_kid_mismatch", "JWS header kid does not match response signing_kid");
+	const key = await jwks.resolve(header.kid);
+	let verified;
+	try {
+		verified = await compactVerify(response.jws, key);
+	} catch (err) {
+		throw new LicensingError("jws_signature_invalid", `JWS verification failed: ${err.message}`);
+	}
+	const payload = JSON.parse(new TextDecoder().decode(verified.payload));
+	const skew = options.clockSkewSeconds ?? 60;
+	const now = nowSec();
+	if (payload.bundle_expires_at + skew < now) throw new LicensingError("manifest_expired", `manifest expired at ${payload.bundle_expires_at} (now=${now})`);
+	assertEqual("install_id", payload.install_id, options.installId);
+	assertEqual("host_origin", payload.host_origin, options.hostOrigin);
+	assertEqual("host_type", payload.host_type, options.hostType);
+	assertEqual("product", payload.product, options.product);
+	assertEqual("contract_version", payload.contract_version, CONTRACT_VERSION);
+	return {
+		payload,
+		response
+	};
+}
+async function loadModuleBytes(fetcher, url, integrity) {
+	const res = await fetcher(url, { headers: { accept: "application/javascript, text/javascript" } });
+	if (!res.ok) throw new LicensingError("module_fetch_failed", `module fetch failed for ${url}: ${res.status} ${res.statusText}`);
+	const bytes = await res.arrayBuffer();
+	await assertSri(bytes, integrity, url);
+	return bytes;
+}
+async function assertSri(bytes, integrity, url) {
+	const match = /^sha384-(.+)$/.exec(integrity);
+	if (!match) throw new LicensingError("module_integrity_unsupported", `unsupported integrity hash format for ${url}: ${integrity}`);
+	const expected = match[1];
+	const digest = await crypto.subtle.digest("SHA-384", bytes);
+	if (bytesToBase64(new Uint8Array(digest)) !== expected) throw new LicensingError("module_integrity_mismatch", `module bytes did not match SRI for ${url}`);
+}
+function bytesToBase64(bytes) {
+	let bin = "";
+	for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+	return btoa(bin);
+}
+async function createLicensingClient(options) {
+	const fetcher = options.fetch ?? globalThis.fetch?.bind(globalThis);
+	if (!fetcher) throw new LicensingError("fetch_unavailable", "no global fetch and no options.fetch supplied");
+	const jwks = new JwksCache(fetcher, options.workerOrigin ? `${options.workerOrigin.replace(/\/$/, "")}${JWKS_PATH}` : void 0, options.jwks);
+	const fetchManifestFn = async () => {
+		if (options.fetchManifest) return options.fetchManifest();
+		if (!options.manifestUrl) throw new LicensingError("manifest_source_missing", "either manifestUrl or fetchManifest must be supplied");
+		return fetchManifestDefault(fetcher, options.manifestUrl);
+	};
+	let current = await verifyAndValidate(options, jwks, await fetchManifestFn());
+	const moduleCache = /* @__PURE__ */ new Map();
+	async function loadModule(name) {
+		if (moduleCache.has(name)) return moduleCache.get(name);
+		const mod = current.payload.modules.find((m) => m.name === name);
+		if (!mod) throw new LicensingError("module_not_authorized", `module "${name}" is not present in the current manifest`);
+		const bytes = await loadModuleBytes(fetcher, mod.url, mod.integrity);
+		const blob = new Blob([bytes], { type: "application/javascript" });
+		const blobUrl = URL.createObjectURL(blob);
+		try {
+			const imported = await import(
+				/* @vite-ignore */
+				blobUrl
+);
+			moduleCache.set(name, imported);
+			return imported;
+		} finally {
+			URL.revokeObjectURL(blobUrl);
+		}
+	}
+	async function refresh() {
+		const next = await verifyAndValidate(options, jwks, await fetchManifestFn());
+		current = next;
+		moduleCache.clear();
+		return next.payload;
+	}
+	return {
+		get manifest() {
+			return current.payload;
+		},
+		get response() {
+			return current.response;
+		},
+		has(moduleName) {
+			return current.payload.modules.some((m) => m.name === moduleName);
+		},
+		loadModule,
+		refresh
+	};
+}
+//#endregion
+export { CONTRACT_VERSION, LicensingError, createLicensingClient };
+//# sourceMappingURL=index.js.map