@nanolink/signing-client 0.1.0

package/README.md

@@ -0,0 +1,43 @@
+# @nanolink/signing-client
+
+TypeScript npm package for interacting with a JWT signing service.
+
+## Install
+
+```bash
+npm install @nanolink/signing-client
+```
+
+## Usage
+
+```ts
+import { SigningClient } from "@nanolink/signing-client";
+
+const client = new SigningClient({ baseUrl: "http://localhost:8080" });
+
+const health = await client.healthz();
+const signed = await client.sign({
+  sub: "device-42",
+  kind: "access",
+  aud: ["api.example.com"],
+  ttl_seconds: 3600,
+  claims: { tid: "tenant-acme", ver: 3 }
+});
+const jwks = await client.getJwks();
+const publicKeyPem = await client.getPublicKeyPem();
+```
+
+## API
+
+- `healthz()` -> `{ status: "ok" }`
+- `sign(request)` -> `{ token: string }`
+- `getJwks()` -> `{ keys: Jwk[] }`
+- `getPublicKeyPem(kid?)` -> `string` (SPKI PEM public key)
+
+## Error handling
+
+All non-2xx responses throw `SigningClientError` with:
+
+- `status`: HTTP status code
+- `message`: error description from service or fallback text
+- `body`: parsed JSON or raw response body (if available)

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./signingClient";
+export * from "./types";

package/dist/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./signingClient"), exports);
+__exportStar(require("./types"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,kDAAgC;AAChC,0CAAwB"}

package/dist/signingClient.d.ts

@@ -0,0 +1,20 @@
+import { type HealthzResponse, type JwksResponse, type SignRequest, type SignResponse, type SigningClientOptions } from "./types";
+export declare class SigningClientError extends Error {
+    readonly status?: number;
+    readonly body?: unknown;
+    readonly cause?: unknown;
+    constructor(message: string, options?: {
+        status?: number;
+        body?: unknown;
+        cause?: unknown;
+    });
+}
+export declare class SigningClient {
+    private readonly http;
+    constructor(options?: SigningClientOptions);
+    healthz(): Promise<HealthzResponse>;
+    sign(request: SignRequest): Promise<SignResponse>;
+    getJwks(): Promise<JwksResponse>;
+    getPublicKeyPem(kid?: string): Promise<string>;
+    private request;
+}

package/dist/signingClient.js

@@ -0,0 +1,159 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SigningClient = exports.SigningClientError = void 0;
+const axios_1 = __importDefault(require("axios"));
+const node_crypto_1 = require("node:crypto");
+const VALID_KINDS = ["access", "service", "password_reset", "2fa"];
+const RESERVED_CLAIM_NAMES = new Set(["iss", "sub", "aud", "iat", "exp", "kind"]);
+class SigningClientError extends Error {
+    constructor(message, options) {
+        super(message);
+        this.name = "SigningClientError";
+        this.status = options?.status;
+        this.body = options?.body;
+        this.cause = options?.cause;
+    }
+}
+exports.SigningClientError = SigningClientError;
+class SigningClient {
+    constructor(options = {}) {
+        this.http = options.axios ?? axios_1.default.create({
+            baseURL: normalizeBaseUrl(options.baseUrl ?? "http://localhost:8080"),
+            headers: {
+                "content-type": "application/json",
+                ...(options.headers ?? {}),
+            },
+        });
+    }
+    async healthz() {
+        return this.request("/healthz", {
+            method: "GET",
+        });
+    }
+    async sign(request) {
+        validateSignRequest(request);
+        return this.request("/sign", {
+            method: "POST",
+            data: request,
+        });
+    }
+    async getJwks() {
+        return this.request("/.well-known/jwks.json", {
+            method: "GET",
+        });
+    }
+    async getPublicKeyPem(kid) {
+        const jwks = await this.getJwks();
+        const selectedKey = selectJwk(jwks, kid);
+        return jwkToPem(selectedKey);
+    }
+    async request(path, config) {
+        try {
+            const response = await this.http.request({
+                url: path,
+                ...config,
+            });
+            return response.data;
+        }
+        catch (error) {
+            throw mapRequestError(error);
+        }
+    }
+}
+exports.SigningClient = SigningClient;
+function normalizeBaseUrl(baseUrl) {
+    return baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;
+}
+function extractErrorMessage(body) {
+    if (!body || typeof body !== "object") {
+        return undefined;
+    }
+    const maybeError = body.error;
+    if (typeof maybeError === "string" && maybeError.length > 0) {
+        return maybeError;
+    }
+    return undefined;
+}
+function mapRequestError(error) {
+    if (isAxiosError(error)) {
+        const responseBody = error.response?.data;
+        const status = error.response?.status;
+        const message = extractErrorMessage(responseBody) ?? error.message ?? "Request failed";
+        return new SigningClientError(message, {
+            status,
+            body: responseBody,
+            cause: error,
+        });
+    }
+    return new SigningClientError("Request failed", { cause: error });
+}
+function isAxiosError(error) {
+    return !!error && typeof error === "object" && "isAxiosError" in error;
+}
+function validateSignRequest(request) {
+    if (!request || typeof request !== "object") {
+        throw new SigningClientError("Sign request must be an object");
+    }
+    if (!request.sub || typeof request.sub !== "string" || request.sub.trim().length === 0) {
+        throw new SigningClientError("'sub' is required and must be a non-empty string");
+    }
+    if (!VALID_KINDS.includes(request.kind)) {
+        throw new SigningClientError(`'kind' must be one of: ${VALID_KINDS.map((kind) => `"${kind}"`).join(", ")}`);
+    }
+    if (request.aud !== undefined) {
+        if (!Array.isArray(request.aud) || request.aud.some((item) => typeof item !== "string")) {
+            throw new SigningClientError("'aud' must be an array of strings when provided");
+        }
+    }
+    if (request.ttl_seconds !== undefined) {
+        if (!Number.isInteger(request.ttl_seconds) || request.ttl_seconds <= 0) {
+            throw new SigningClientError("'ttl_seconds' must be a positive integer when provided");
+        }
+    }
+    if (request.claims !== undefined) {
+        if (!request.claims || typeof request.claims !== "object" || Array.isArray(request.claims)) {
+            throw new SigningClientError("'claims' must be an object when provided");
+        }
+        for (const key of Object.keys(request.claims)) {
+            if (RESERVED_CLAIM_NAMES.has(key)) {
+                throw new SigningClientError(`claims contains reserved key: '${key}'`);
+            }
+        }
+    }
+}
+function selectJwk(jwks, kid) {
+    if (!Array.isArray(jwks.keys) || jwks.keys.length === 0) {
+        throw new SigningClientError("JWKS response did not include any keys");
+    }
+    if (!kid) {
+        return jwks.keys[0];
+    }
+    const matched = jwks.keys.find((key) => key.kid === kid);
+    if (!matched) {
+        throw new SigningClientError(`No JWK found for kid '${kid}'`);
+    }
+    return matched;
+}
+function jwkToPem(jwk) {
+    try {
+        const keyObject = (0, node_crypto_1.createPublicKey)({
+            key: {
+                kty: "RSA",
+                n: jwk.n,
+                e: jwk.e,
+            },
+            format: "jwk",
+        });
+        return keyObject.export({
+            type: "spki",
+            format: "pem",
+        }).toString();
+    }
+    catch (error) {
+        throw new SigningClientError("Failed to convert JWK to PEM", { cause: error, body: jwk });
+    }
+}
+//# sourceMappingURL=signingClient.js.map

package/dist/signingClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signingClient.js","sourceRoot":"","sources":["../src/signingClient.ts"],"names":[],"mappings":";;;;;;AAUA,kDAA2E;AAC3E,6CAA8C;AAE9C,MAAM,WAAW,GAAgB,CAAC,QAAQ,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAC;AAChF,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;AAElF,MAAa,kBAAmB,SAAQ,KAAK;IAK3C,YAAY,OAAe,EAAE,OAA8D;QACzF,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG,OAAO,EAAE,MAAM,CAAC;QAC9B,IAAI,CAAC,IAAI,GAAG,OAAO,EAAE,IAAI,CAAC;QAC1B,IAAI,CAAC,KAAK,GAAG,OAAO,EAAE,KAAK,CAAC;IAC9B,CAAC;CACF;AAZD,gDAYC;AAED,MAAa,aAAa;IAGxB,YAAY,UAAgC,EAAE;QAC5C,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,KAAK,IAAI,eAAK,CAAC,MAAM,CAAC;YACxC,OAAO,EAAE,gBAAgB,CAAC,OAAO,CAAC,OAAO,IAAI,uBAAuB,CAAC;YACrE,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC;aAC3B;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO;QACX,OAAO,IAAI,CAAC,OAAO,CAAkB,UAAU,EAAE;YAC/C,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAoB;QAC7B,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAE7B,OAAO,IAAI,CAAC,OAAO,CAAe,OAAO,EAAE;YACzC,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO;QACX,OAAO,IAAI,CAAC,OAAO,CAAe,wBAAwB,EAAE;YAC1D,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,GAAY;QAChC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAEzC,OAAO,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/B,CAAC;IAEO,KAAK,CAAC,OAAO,CAAI,IAAY,EAAE,MAA0B;QAC/D,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAI;gBAC1C,GAAG,EAAE,IAAI;gBACT,GAAG,MAAM;aACV,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,eAAe,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;CACF;AArDD,sCAqDC;AAED,SAAS,gBAAgB,CAAC,OAAe;IACvC,OAAO,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;AAChE,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAa;IACxC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,UAAU,GAAI,IAA6B,CAAC,KAAK,CAAC;IACxD,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,GAAG,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC;QACtC,MAAM,OAAO,GAAG,mBAAmB,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,OAAO,IAAI,gBAAgB,CAAC;QAEvF,OAAO,IAAI,kBAAkB,CAAC,OAAO,EAAE;YACrC,MAAM;YACN,IAAI,EAAE,YAAY;YAClB,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;IACL,CAAC;IAED,OAAO,IAAI,kBAAkB,CAAC,gBAAgB,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAQlC,OAAO,CAAC,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,cAAc,IAAI,KAAK,CAAC;AACzE,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAoB;IAC/C,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,MAAM,IAAI,kBAAkB,CAAC,gCAAgC,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvF,MAAM,IAAI,kBAAkB,CAAC,kDAAkD,CAAC,CAAC;IACnF,CAAC;IAED,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,kBAAkB,CAC1B,0BAA0B,WAAW,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC9E,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;YACxF,MAAM,IAAI,kBAAkB,CAAC,iDAAiD,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,WAAW,IAAI,CAAC,EAAE,CAAC;YACvE,MAAM,IAAI,kBAAkB,CAAC,wDAAwD,CAAC,CAAC;QACzF,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,OAAO,OAAO,CAAC,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3F,MAAM,IAAI,kBAAkB,CAAC,0CAA0C,CAAC,CAAC;QAC3E,CAAC;QAED,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9C,IAAI,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAClC,MAAM,IAAI,kBAAkB,CAAC,kCAAkC,GAAG,GAAG,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,IAAkB,EAAE,GAAY;IACjD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,kBAAkB,CAAC,wCAAwC,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;IACzD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,kBAAkB,CAAC,yBAAyB,GAAG,GAAG,CAAC,CAAC;IAChE,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,QAAQ,CAAC,GAAQ;IACxB,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,IAAA,6BAAe,EAAC;YAChC,GAAG,EAAE;gBACH,GAAG,EAAE,KAAK;gBACV,CAAC,EAAE,GAAG,CAAC,CAAC;gBACR,CAAC,EAAE,GAAG,CAAC,CAAC;aACT;YACD,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC,MAAM,CAAC;YACtB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,KAAK;SACd,CAAC,CAAC,QAAQ,EAAE,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,kBAAkB,CAAC,8BAA8B,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IAC5F,CAAC;AACH,CAAC"}

package/dist/signingClient.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/signingClient.test.js

@@ -0,0 +1,184 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_test_1 = __importDefault(require("node:test"));
+const strict_1 = __importDefault(require("node:assert/strict"));
+const node_crypto_1 = require("node:crypto");
+const signingClient_1 = require("./signingClient");
+function createMockAxios(handler) {
+    return {
+        request: handler,
+    };
+}
+(0, node_test_1.default)("healthz calls /healthz and returns status", async () => {
+    const mockAxios = createMockAxios(async (config) => {
+        strict_1.default.equal(config.url, "/healthz");
+        strict_1.default.equal(config.method, "GET");
+        return {
+            data: { status: "ok" },
+            status: 200,
+            statusText: "OK",
+            headers: {},
+            config,
+        };
+    });
+    const client = new signingClient_1.SigningClient({ axios: mockAxios });
+    const result = await client.healthz();
+    strict_1.default.deepEqual(result, { status: "ok" });
+});
+(0, node_test_1.default)("sign sends payload and returns token", async () => {
+    const mockAxios = createMockAxios(async (config) => {
+        strict_1.default.equal(config.url, "/sign");
+        strict_1.default.equal(config.method, "POST");
+        strict_1.default.deepEqual(config.data, {
+            sub: "device-42",
+            kind: "access",
+            aud: ["api.example.com"],
+            ttl_seconds: 3600,
+            claims: { tid: "tenant-acme", ver: 3 },
+        });
+        return {
+            data: { token: "header.payload.signature" },
+            status: 200,
+            statusText: "OK",
+            headers: {},
+            config,
+        };
+    });
+    const client = new signingClient_1.SigningClient({ axios: mockAxios });
+    const result = await client.sign({
+        sub: "device-42",
+        kind: "access",
+        aud: ["api.example.com"],
+        ttl_seconds: 3600,
+        claims: { tid: "tenant-acme", ver: 3 },
+    });
+    strict_1.default.deepEqual(result, { token: "header.payload.signature" });
+});
+(0, node_test_1.default)("getJwks returns key set", async () => {
+    const mockAxios = createMockAxios(async (config) => {
+        strict_1.default.equal(config.url, "/.well-known/jwks.json");
+        return {
+            data: {
+                keys: [{
+                        kty: "RSA",
+                        use: "sig",
+                        alg: "RS256",
+                        kid: "nanolink",
+                        n: "abc",
+                        e: "AQAB",
+                    }],
+            },
+            status: 200,
+            statusText: "OK",
+            headers: {},
+            config,
+        };
+    });
+    const client = new signingClient_1.SigningClient({ axios: mockAxios });
+    const result = await client.getJwks();
+    strict_1.default.equal(result.keys[0]?.kid, "nanolink");
+});
+(0, node_test_1.default)("throws SigningClientError on API error", async () => {
+    const mockAxios = createMockAxios(async () => {
+        throw {
+            isAxiosError: true,
+            message: "Request failed with status code 400",
+            response: {
+                status: 400,
+                data: { error: "invalid kind" },
+            },
+        };
+    });
+    const client = new signingClient_1.SigningClient({ axios: mockAxios });
+    await strict_1.default.rejects(() => client.sign({ sub: "user", kind: "access", claims: { iss: "nope" } }), (error) => {
+        strict_1.default.ok(error instanceof signingClient_1.SigningClientError);
+        strict_1.default.equal(error.message, "claims contains reserved key: 'iss'");
+        return true;
+    });
+});
+(0, node_test_1.default)("propagates server-side error payload", async () => {
+    const mockAxios = createMockAxios(async () => {
+        throw {
+            isAxiosError: true,
+            message: "Request failed with status code 400",
+            response: {
+                status: 400,
+                data: { error: "missing sub" },
+            },
+        };
+    });
+    const client = new signingClient_1.SigningClient({ axios: mockAxios });
+    await strict_1.default.rejects(() => client.sign({ sub: "user-1", kind: "service" }), (error) => {
+        strict_1.default.ok(error instanceof signingClient_1.SigningClientError);
+        strict_1.default.equal(error.status, 400);
+        strict_1.default.equal(error.message, "missing sub");
+        return true;
+    });
+});
+(0, node_test_1.default)("getPublicKeyPem converts JWKS key to PEM", async () => {
+    const { publicKey } = (0, node_crypto_1.generateKeyPairSync)("rsa", { modulusLength: 2048 });
+    const publicJwk = publicKey.export({ format: "jwk" });
+    const mockAxios = createMockAxios(async (config) => {
+        return {
+            data: {
+                keys: [
+                    {
+                        kty: "RSA",
+                        use: "sig",
+                        alg: "RS256",
+                        kid: "nanolink",
+                        n: publicJwk.n,
+                        e: publicJwk.e,
+                    },
+                ],
+            },
+            status: 200,
+            statusText: "OK",
+            headers: {},
+            config,
+        };
+    });
+    const client = new signingClient_1.SigningClient({ axios: mockAxios });
+    const pem = await client.getPublicKeyPem();
+    strict_1.default.match(pem, /BEGIN PUBLIC KEY/);
+    strict_1.default.match(pem, /END PUBLIC KEY/);
+});
+(0, node_test_1.default)("getPublicKeyPem selects key by kid", async () => {
+    const { publicKey } = (0, node_crypto_1.generateKeyPairSync)("rsa", { modulusLength: 2048 });
+    const publicJwk = publicKey.export({ format: "jwk" });
+    const mockAxios = createMockAxios(async (config) => {
+        return {
+            data: {
+                keys: [
+                    {
+                        kty: "RSA",
+                        use: "sig",
+                        alg: "RS256",
+                        kid: "first",
+                        n: publicJwk.n,
+                        e: publicJwk.e,
+                    },
+                    {
+                        kty: "RSA",
+                        use: "sig",
+                        alg: "RS256",
+                        kid: "selected",
+                        n: publicJwk.n,
+                        e: publicJwk.e,
+                    },
+                ],
+            },
+            status: 200,
+            statusText: "OK",
+            headers: {},
+            config,
+        };
+    });
+    const client = new signingClient_1.SigningClient({ axios: mockAxios });
+    const pem = await client.getPublicKeyPem("selected");
+    strict_1.default.match(pem, /BEGIN PUBLIC KEY/);
+});
+//# sourceMappingURL=signingClient.test.js.map

package/dist/signingClient.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signingClient.test.js","sourceRoot":"","sources":["../src/signingClient.test.ts"],"names":[],"mappings":";;;;;AAAA,0DAA6B;AAC7B,gEAAwC;AACxC,6CAAkD;AAGlD,mDAAoE;AAEpE,SAAS,eAAe,CACtB,OAAyD;IAEzD,OAAO;QACL,OAAO,EAAE,OAAmC;KAC5B,CAAC;AACrB,CAAC;AAED,IAAA,mBAAI,EAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;IAC3D,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACjD,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QACrC,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAEnC,OAAO;YACL,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;YACtB,MAAM,EAAE,GAAG;YACX,UAAU,EAAE,IAAI;YAChB,OAAO,EAAE,EAAE;YACX,MAAM;SACP,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,6BAAa,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;IAEtC,gBAAM,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;AAC7C,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;IACtD,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACjD,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAClC,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpC,gBAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE;YAC5B,GAAG,EAAE,WAAW;YAChB,IAAI,EAAE,QAAQ;YACd,GAAG,EAAE,CAAC,iBAAiB,CAAC;YACxB,WAAW,EAAE,IAAI;YACjB,MAAM,EAAE,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,CAAC,EAAE;SACvC,CAAC,CAAC;QAEH,OAAO;YACL,IAAI,EAAE,EAAE,KAAK,EAAE,0BAA0B,EAAE;YAC3C,MAAM,EAAE,GAAG;YACX,UAAU,EAAE,IAAI;YAChB,OAAO,EAAE,EAAE;YACX,MAAM;SACP,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,6BAAa,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC;QAC/B,GAAG,EAAE,WAAW;QAChB,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,CAAC,iBAAiB,CAAC;QACxB,WAAW,EAAE,IAAI;QACjB,MAAM,EAAE,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,CAAC,EAAE;KACvC,CAAC,CAAC;IAEH,gBAAM,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;AAClE,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,yBAAyB,EAAE,KAAK,IAAI,EAAE;IACzC,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACjD,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,wBAAwB,CAAC,CAAC;QAEnD,OAAO;YACL,IAAI,EAAE;gBACJ,IAAI,EAAE,CAAC;wBACL,GAAG,EAAE,KAAK;wBACV,GAAG,EAAE,KAAK;wBACV,GAAG,EAAE,OAAO;wBACZ,GAAG,EAAE,UAAU;wBACf,CAAC,EAAE,KAAK;wBACR,CAAC,EAAE,MAAM;qBACV,CAAC;aACH;YAED,MAAM,EAAE,GAAG;YACX,UAAU,EAAE,IAAI;YAChB,OAAO,EAAE,EAAE;YACX,MAAM;SACP,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,6BAAa,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;IAEtC,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC;AAChD,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;IACxD,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,IAAI,EAAE;QAC3C,MAAM;YACJ,YAAY,EAAE,IAAI;YAClB,OAAO,EAAE,qCAAqC;YAC9C,QAAQ,EAAE;gBACR,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE;aAChC;SACF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,6BAAa,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvD,MAAM,gBAAM,CAAC,OAAO,CAClB,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,CAAC,EAC3E,CAAC,KAAc,EAAE,EAAE;QACjB,gBAAM,CAAC,EAAE,CAAC,KAAK,YAAY,kCAAkB,CAAC,CAAC;QAC/C,gBAAM,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,qCAAqC,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC;IACd,CAAC,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;IACtD,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,IAAI,EAAE;QAC3C,MAAM;YACJ,YAAY,EAAE,IAAI;YAClB,OAAO,EAAE,qCAAqC;YAC9C,QAAQ,EAAE;gBACR,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE;aAC/B;SACF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,6BAAa,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvD,MAAM,gBAAM,CAAC,OAAO,CAClB,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,EACrD,CAAC,KAAc,EAAE,EAAE;QACjB,gBAAM,CAAC,EAAE,CAAC,KAAK,YAAY,kCAAkB,CAAC,CAAC;QAC/C,gBAAM,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAChC,gBAAM,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;IAC1D,MAAM,EAAE,SAAS,EAAE,GAAG,IAAA,iCAAmB,EAAC,KAAK,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1E,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAEtD,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACjD,OAAO;YACL,IAAI,EAAE;gBACJ,IAAI,EAAE;oBACJ;wBACE,GAAG,EAAE,KAAK;wBACV,GAAG,EAAE,KAAK;wBACV,GAAG,EAAE,OAAO;wBACZ,GAAG,EAAE,UAAU;wBACf,CAAC,EAAE,SAAS,CAAC,CAAC;wBACd,CAAC,EAAE,SAAS,CAAC,CAAC;qBACf;iBACF;aACF;YACD,MAAM,EAAE,GAAG;YACX,UAAU,EAAE,IAAI;YAChB,OAAO,EAAE,EAAE;YACX,MAAM;SACP,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,6BAAa,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,eAAe,EAAE,CAAC;IAE3C,gBAAM,CAAC,KAAK,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;IACtC,gBAAM,CAAC,KAAK,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;AACtC,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;IACpD,MAAM,EAAE,SAAS,EAAE,GAAG,IAAA,iCAAmB,EAAC,KAAK,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1E,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAEtD,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACjD,OAAO;YACL,IAAI,EAAE;gBACJ,IAAI,EAAE;oBACJ;wBACE,GAAG,EAAE,KAAK;wBACV,GAAG,EAAE,KAAK;wBACV,GAAG,EAAE,OAAO;wBACZ,GAAG,EAAE,OAAO;wBACZ,CAAC,EAAE,SAAS,CAAC,CAAC;wBACd,CAAC,EAAE,SAAS,CAAC,CAAC;qBACf;oBACD;wBACE,GAAG,EAAE,KAAK;wBACV,GAAG,EAAE,KAAK;wBACV,GAAG,EAAE,OAAO;wBACZ,GAAG,EAAE,UAAU;wBACf,CAAC,EAAE,SAAS,CAAC,CAAC;wBACd,CAAC,EAAE,SAAS,CAAC,CAAC;qBACf;iBACF;aACF;YACD,MAAM,EAAE,GAAG;YACX,UAAU,EAAE,IAAI;YAChB,OAAO,EAAE,EAAE;YACX,MAAM;SACP,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,6BAAa,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;IAErD,gBAAM,CAAC,KAAK,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;AACxC,CAAC,CAAC,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,34 @@
+import type { AxiosInstance } from "axios";
+export type TokenKind = "access" | "service" | "password_reset" | "2fa";
+export interface HealthzResponse {
+    status: "ok";
+}
+export interface SignRequest {
+    sub: string;
+    kind: TokenKind;
+    aud?: string[];
+    ttl_seconds?: number;
+    claims?: Record<string, unknown>;
+}
+export interface SignResponse {
+    token: string;
+}
+export interface Jwk {
+    kty: "RSA";
+    use: "sig";
+    alg: "RS256";
+    kid: string;
+    n: string;
+    e: string;
+}
+export interface JwksResponse {
+    keys: Jwk[];
+}
+export interface SigningClientOptions {
+    baseUrl?: string;
+    axios?: AxiosInstance;
+    headers?: Record<string, string>;
+}
+export interface ServiceErrorResponse {
+    error: string;
+}

package/dist/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "@nanolink/signing-client",
+  "version": "0.1.0",
+  "description": "TypeScript Node.js client for the Signing Service API",
+  "license": "MIT",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "clean": "node -e \"require('node:fs').rmSync('dist', { recursive: true, force: true })\"",
+    "prebuild": "npm run clean",
+    "test": "node --test dist/**/*.test.js",
+    "test:src": "node --loader ts-node/esm --test src/**/*.test.ts"
+  },
+  "keywords": [
+    "jwt",
+    "jwks",
+    "signing",
+    "typescript",
+    "nodejs"
+  ],
+  "dependencies": {
+    "axios": "^1.8.4"
+  },
+  "devDependencies": {
+    "@types/node": "^22.15.3",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.8.3"
+  }
+}