@opendatalabs/service-auth 1.0.0-next.1

package/README.md

@@ -0,0 +1,140 @@
+# `@opendatalabs/service-auth`
+
+OAuth 2.0 service-to-service authentication helper built around the
+`private_key_jwt` client authentication method. A caller signs a JWT
+assertion (RFC 7521 / 7523), exchanges it at the OAuth token endpoint
+(Hydra in Vana's deployment) for an RFC 9068 JWT access token, and
+forwards that token as `Authorization: Bearer <jwt>` to the resource
+server. The resource server verifies the JWT locally against the
+issuer's JWKS, with no back-channel introspect on the hot path.
+
+The package wraps [`jose`](https://github.com/panva/jose) and ships three
+subpaths consumers care about (`./client`, `./jwks`, `./resource-server`)
+plus a `./testkit` for verifying integrations.
+
+## Install
+
+```sh
+npm install @opendatalabs/service-auth jose
+```
+
+## Caller (`./client`)
+
+```ts
+import { createServiceAuthClient } from "@opendatalabs/service-auth/client";
+
+const auth = createServiceAuthClient({
+  clientId: process.env.SERVICE_CLIENT_ID!,
+  privateKeyJwk: JSON.parse(process.env.SERVICE_PRIVATE_JWK!),
+  tokenEndpoint: process.env.OAUTH_TOKEN_ENDPOINT!,
+});
+
+const { token } = await auth.getServiceToken({
+  audience: "vana-account-introspect",
+});
+
+await fetch("https://account.vana.org/api/oauth/introspect", {
+  method: "POST",
+  headers: {
+    authorization: `Bearer ${token}`,
+    "content-type": "application/json",
+  },
+  body: JSON.stringify({ token: someUserToken }),
+});
+```
+
+Tokens are cached in-process by `(audience, scope)` until 30s before
+expiry. No on-disk cache, no shared cache, no refresh-token flow. A cold
+start re-fetches.
+
+## Publishing JWKS (`./jwks`)
+
+```ts
+// app/.well-known/jwks.json/route.ts
+import { createJwksHandler } from "@opendatalabs/service-auth/jwks";
+
+const handler = createJwksHandler({
+  keys: [
+    JSON.parse(process.env.SERVICE_PUBLIC_JWK_CURRENT!),
+    // During rotation, include the previous public key too:
+    JSON.parse(process.env.SERVICE_PUBLIC_JWK_PREVIOUS ?? "null"),
+  ].filter(Boolean),
+});
+
+export function GET(request: Request) {
+  return handler(request);
+}
+```
+
+The helper strips all private fields. If you accidentally pass a private
+JWK, the response still only exposes the public half.
+
+## Resource server (`./resource-server`)
+
+```ts
+import { createServiceAuthValidator } from "@opendatalabs/service-auth/resource-server";
+
+const validator = createServiceAuthValidator({
+  jwksUri: `${process.env.OAUTH_PUBLIC_URL}/.well-known/jwks.json`,
+  issuer: process.env.OAUTH_ISSUER!,
+  audience: "vana-account-introspect",
+});
+
+export async function POST(request: Request) {
+  const auth = await validator.requireJwt()(request);
+  if (!auth.ok) return auth.response;
+  // auth.result.clientId is the verified caller.
+  // ...do your work.
+}
+```
+
+Rejection shapes:
+
+- **401** with `WWW-Authenticate: Bearer error="invalid_token"` for
+  expired / wrong-iss / wrong-aud / bad-signature / not-a-bearer.
+- **403** with `WWW-Authenticate: Bearer error="insufficient_scope"` when
+  `requiredScopes` is not satisfied.
+
+## Testing (`./testkit`)
+
+```ts
+import { createFixtures } from "@opendatalabs/service-auth/testkit";
+import { createServiceAuthValidator } from "@opendatalabs/service-auth/resource-server";
+
+const f = await createFixtures({ audience: "my-resource" });
+const validator = createServiceAuthValidator({
+  issuer: f.issuer.issuer,
+  audience: "my-resource",
+  jwks: f.issuer.jwks,
+});
+```
+
+## About this package
+
+This package implements [RFC 7521](https://www.rfc-editor.org/rfc/rfc7521)
+(assertion framework), [RFC 7523](https://www.rfc-editor.org/rfc/rfc7523)
+(JWT bearer assertions for `private_key_jwt`), and
+[RFC 9068](https://www.rfc-editor.org/rfc/rfc9068) (JWT access tokens).
+
+It is the public companion to Vana's internal service-auth setup. The
+`./registration` subpath (manifest schema + Hydra admin reconciliation)
+is Vana-operator-only and not part of the public surface; it is exported
+so the Vana account app can consume it as a workspace package.
+
+## Versioning
+
+Released via [semantic-release](https://github.com/semantic-release/semantic-release)
+from the `vana-com/unity-surfaces` repository. Pushes to `main` publish
+the stable channel (dist-tag `latest`). Pushes to `dev` publish the
+prerelease channel (dist-tag `next`, e.g. `1.0.0-next.1`). Use
+[conventional commits](https://www.conventionalcommits.org/) for commit
+messages.
+
+```sh
+npm install @opendatalabs/service-auth          # latest
+npm install @opendatalabs/service-auth@next     # prerelease
+```
+
+## License
+
+MIT.

package/dist/client/index.d.ts

@@ -0,0 +1,141 @@
+/**
+ * Service-to-service caller. INTERNAL Vana package, not a public SDK.
+ *
+ * What this does
+ * --------------
+ *
+ * Given a Vana service that wants to call another Vana service:
+ *
+ *   1. Signs a `client_assertion` JWT per RFC 7523 with the caller's
+ *      private key.
+ *   2. POSTs `grant_type=client_credentials` + the assertion to Hydra's
+ *      token endpoint to obtain a JWT-shaped access token (RFC 9068).
+ *   3. Caches the access token by (audience, scope) until 30s before
+ *      `exp` and returns it to the caller for forwarding as
+ *      `Authorization: Bearer <jwt>` on the inter-service hop.
+ *
+ * What this does NOT do
+ * ---------------------
+ *
+ *   - It does NOT manage your private key. Hand `privateKeyJwk` in from
+ *     workload secrets (Doppler, Vercel env, GCP Secret Manager). The
+ *     key never touches `process.env` of this package.
+ *   - It does NOT host your JWKS. Use the `jwks` subpath for that.
+ *   - It does NOT speak Hydra's admin API. Use the `registration`
+ *     subpath for provisioning.
+ *
+ * RFC references
+ * --------------
+ *
+ *   - RFC 7521: Assertion Framework for OAuth 2.0.
+ *   - RFC 7523: JWT Profile for OAuth 2.0 Client Authentication and
+ *     Authorization Grants (the `private_key_jwt` pattern).
+ *   - RFC 9068: JWT Profile for OAuth 2.0 Access Tokens (the shape of
+ *     the token Hydra returns to us).
+ */
+import { type JWK } from "jose";
+/**
+ * Construction options. All fields are required and have no defaults
+ * because every value is environment- and service-specific.
+ */
+export interface ServiceAuthClientOptions {
+    /**
+     * Hydra OAuth client id provisioned for this service. Matches the
+     * `hydra_client_id` in the service-auth.yaml manifest.
+     */
+    clientId: string;
+    /**
+     * Private JWK whose public counterpart is published at the service's
+     * JWKS URI and registered with Hydra under `jwks_uri`. Must have
+     * `kid` and `alg` set.
+     *
+     * The JWK is never serialized or logged by this package.
+     */
+    privateKeyJwk: JWK;
+    /**
+     * Hydra token endpoint URL, e.g.
+     * `https://oauth-dev.vana.org/oauth2/token`. Used both as the POST
+     * target and as the `aud` claim on the client assertion.
+     */
+    tokenEndpoint: string;
+    /**
+     * Hydra issuer URL, used as the `iss` claim on the client assertion.
+     * Distinct from `tokenEndpoint` so deployments with a separate
+     * issuer hostname (e.g. proxied via a public domain) still work.
+     *
+     * RFC 7523 §3 only requires `iss` to be a value the auth server can
+     * use to identify the client; for Hydra `private_key_jwt`, the
+     * caller's `client_id` is the canonical value, so we default the
+     * assertion `iss` to `clientId`. This field is kept for forensics
+     * and future flexibility.
+     */
+    issuer?: string;
+    /**
+     * Optional override of the wall clock (seconds since epoch). Tests
+     * pass a deterministic value; production omits.
+     */
+    now?: () => number;
+    /** Optional fetch override (tests). */
+    fetch?: (input: string, init?: RequestInit) => Promise<Response>;
+    /**
+     * Cache eviction watermark in seconds. Tokens are refreshed this
+     * many seconds BEFORE their `exp`. Default 30s.
+     */
+    refreshSkewSec?: number;
+    /**
+     * Assertion `exp` lifetime in seconds. Hydra rejects assertions
+     * with exp too far in the future; 60s is the well-trodden value.
+     */
+    assertionLifetimeSec?: number;
+}
+export interface GetServiceTokenInput {
+    /**
+     * The resource audience (e.g. `"vana-account-introspect"`). MUST be
+     * present in the manifest's `allowed_audiences`. Sent to Hydra as
+     * the `audience` form parameter; Hydra mints an access token whose
+     * `aud` includes this value.
+     */
+    audience: string;
+    /**
+     * Optional space-separated scopes. Empty/undefined means "no
+     * scopes" (service tokens are usually audience-scoped, not
+     * permission-scoped).
+     */
+    scope?: string;
+}
+export interface ServiceToken {
+    /** The raw JWT-shaped access token. */
+    token: string;
+    /** Absolute unix-seconds expiry from the Hydra response. */
+    expiresAt: number;
+}
+export interface SignRequestAssertionInput {
+    /**
+     * Optional override of the assertion `aud`. Defaults to the token
+     * endpoint, which is what RFC 7523 §3 prescribes for the
+     * `private_key_jwt` use case.
+     */
+    audience?: string;
+}
+export interface ServiceAuthClient {
+    /**
+     * Fetch (or return cached) a service-to-service access token for
+     * the given audience+scope. Refreshes when within `refreshSkewSec`
+     * of expiry. Throws on token-endpoint errors.
+     */
+    getServiceToken(input: GetServiceTokenInput): Promise<ServiceToken>;
+    /**
+     * Mint a single RFC 7523 client assertion. Advanced use only;
+     * `getServiceToken` already does this internally.
+     */
+    signRequestAssertion(input?: SignRequestAssertionInput): Promise<string>;
+    /** Test-only: drop the in-memory token cache. */
+    clearCache(): void;
+}
+export declare class ServiceAuthTokenError extends Error {
+    readonly status: number;
+    readonly body: unknown;
+    constructor(status: number, body: unknown);
+}
+export declare function createServiceAuthClient(options: ServiceAuthClientOptions): ServiceAuthClient;
+//# sourceMappingURL=index.d.ts.map

package/dist/client/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,OAAO,EAEL,KAAK,GAAG,EAGT,MAAM,MAAM,CAAC;AAKd;;;GAGG;AACH,MAAM,WAAW,wBAAwB;IACvC;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;;;OAMG;IACH,aAAa,EAAE,GAAG,CAAC;IACnB;;;;OAIG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;;;;;;;;;OAUG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IACnB,uCAAuC;IACvC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjE;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,oBAAoB;IACnC;;;;;OAKG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,YAAY;IAC3B,uCAAuC;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,yBAAyB;IACxC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,eAAe,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACpE;;;OAGG;IACH,oBAAoB,CAClB,KAAK,CAAC,EAAE,yBAAyB,GAChC,OAAO,CAAC,MAAM,CAAC,CAAC;IACnB,iDAAiD;IACjD,UAAU,IAAI,IAAI,CAAC;CACpB;AAqDD,qBAAa,qBAAsB,SAAQ,KAAK;IAC9C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;gBACX,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO;CAgB1C;AAED,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,wBAAwB,GAChC,iBAAiB,CAuHnB"}

package/dist/client/index.js

@@ -0,0 +1,192 @@
+/**
+ * Service-to-service caller. INTERNAL Vana package, not a public SDK.
+ *
+ * What this does
+ * --------------
+ *
+ * Given a Vana service that wants to call another Vana service:
+ *
+ *   1. Signs a `client_assertion` JWT per RFC 7523 with the caller's
+ *      private key.
+ *   2. POSTs `grant_type=client_credentials` + the assertion to Hydra's
+ *      token endpoint to obtain a JWT-shaped access token (RFC 9068).
+ *   3. Caches the access token by (audience, scope) until 30s before
+ *      `exp` and returns it to the caller for forwarding as
+ *      `Authorization: Bearer <jwt>` on the inter-service hop.
+ *
+ * What this does NOT do
+ * ---------------------
+ *
+ *   - It does NOT manage your private key. Hand `privateKeyJwk` in from
+ *     workload secrets (Doppler, Vercel env, GCP Secret Manager). The
+ *     key never touches `process.env` of this package.
+ *   - It does NOT host your JWKS. Use the `jwks` subpath for that.
+ *   - It does NOT speak Hydra's admin API. Use the `registration`
+ *     subpath for provisioning.
+ *
+ * RFC references
+ * --------------
+ *
+ *   - RFC 7521: Assertion Framework for OAuth 2.0.
+ *   - RFC 7523: JWT Profile for OAuth 2.0 Client Authentication and
+ *     Authorization Grants (the `private_key_jwt` pattern).
+ *   - RFC 9068: JWT Profile for OAuth 2.0 Access Tokens (the shape of
+ *     the token Hydra returns to us).
+ */
+import { importJWK, SignJWT, } from "jose";
+const ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+function defaultNow() {
+    return Math.floor(Date.now() / 1000);
+}
+/**
+ * Build a stable cache key. Scope tokens are sorted so callers that
+ * pass `"a b"` and `"b a"` share a cache slot.
+ */
+function cacheKey(audience, scope) {
+    const sorted = (scope ?? "")
+        .split(/\s+/)
+        .filter(Boolean)
+        .sort()
+        .join(" ");
+    return `${audience}::${sorted}`;
+}
+/**
+ * Generate a 128-bit random `jti`. Hydra requires uniqueness across
+ * the validity window of the assertion.
+ */
+function randomJti() {
+    const bytes = new Uint8Array(16);
+    globalThis.crypto.getRandomValues(bytes);
+    let hex = "";
+    for (const b of bytes) {
+        hex += b.toString(16).padStart(2, "0");
+    }
+    return hex;
+}
+export class ServiceAuthTokenError extends Error {
+    status;
+    body;
+    constructor(status, body) {
+        let message = `service-auth: token endpoint returned ${status}`;
+        if (body &&
+            typeof body === "object" &&
+            "error" in body) {
+            const err = body.error;
+            const desc = body.error_description;
+            message += ` (${err}${desc ? `: ${desc}` : ""})`;
+        }
+        super(message);
+        this.name = "ServiceAuthTokenError";
+        this.status = status;
+        this.body = body;
+    }
+}
+export function createServiceAuthClient(options) {
+    assertNonEmpty(options.clientId, "clientId");
+    assertNonEmpty(options.tokenEndpoint, "tokenEndpoint");
+    if (!options.privateKeyJwk?.kid) {
+        throw new Error("service-auth: privateKeyJwk.kid is required (must match the public key registered in JWKS).");
+    }
+    if (!options.privateKeyJwk?.alg) {
+        throw new Error("service-auth: privateKeyJwk.alg is required (e.g. 'ES256', 'RS256').");
+    }
+    const now = options.now ?? defaultNow;
+    const fetchImpl = options.fetch ?? fetch;
+    const refreshSkewSec = options.refreshSkewSec ?? 30;
+    const assertionLifetimeSec = options.assertionLifetimeSec ?? 60;
+    const issuer = options.issuer ?? options.clientId;
+    const cache = new Map();
+    // jose.importJWK returns either a CryptoKey (web) or KeyObject
+    // (Node). Both satisfy the SignJWT.sign() signature.
+    let privateKeyPromise = null;
+    function getPrivateKey() {
+        if (!privateKeyPromise) {
+            privateKeyPromise = importJWK(options.privateKeyJwk, options.privateKeyJwk.alg);
+        }
+        return privateKeyPromise;
+    }
+    async function signRequestAssertion(input) {
+        const privateKey = await getPrivateKey();
+        const issuedAt = now();
+        return new SignJWT({})
+            .setProtectedHeader({
+            alg: options.privateKeyJwk.alg,
+            kid: options.privateKeyJwk.kid,
+            typ: "JWT",
+        })
+            .setIssuer(issuer)
+            .setSubject(options.clientId)
+            .setAudience(input?.audience ?? options.tokenEndpoint)
+            .setIssuedAt(issuedAt)
+            .setNotBefore(issuedAt)
+            .setExpirationTime(issuedAt + assertionLifetimeSec)
+            .setJti(randomJti())
+            // Use `any`-shaped key argument for jose 6 cross-runtime types.
+            .sign(privateKey);
+    }
+    async function fetchToken(audience, scope) {
+        const assertion = await signRequestAssertion();
+        const form = new URLSearchParams({
+            grant_type: "client_credentials",
+            client_assertion_type: ASSERTION_TYPE,
+            client_assertion: assertion,
+            audience,
+        });
+        if (scope && scope.trim()) {
+            form.set("scope", scope.trim());
+        }
+        const response = await fetchImpl(options.tokenEndpoint, {
+            method: "POST",
+            headers: {
+                "content-type": "application/x-www-form-urlencoded",
+                accept: "application/json",
+            },
+            body: form.toString(),
+        });
+        const text = await response.text();
+        let parsed = {};
+        if (text) {
+            try {
+                parsed = JSON.parse(text);
+            }
+            catch {
+                parsed = { raw: text };
+            }
+        }
+        if (!response.ok) {
+            throw new ServiceAuthTokenError(response.status, parsed);
+        }
+        const ok = parsed;
+        if (typeof ok.access_token !== "string" || typeof ok.expires_in !== "number") {
+            throw new ServiceAuthTokenError(response.status, parsed);
+        }
+        return {
+            token: ok.access_token,
+            expiresAt: now() + ok.expires_in,
+        };
+    }
+    return {
+        async getServiceToken(input) {
+            assertNonEmpty(input.audience, "audience");
+            const key = cacheKey(input.audience, input.scope);
+            const hit = cache.get(key);
+            const t = now();
+            if (hit && hit.expiresAt - refreshSkewSec > t) {
+                return { token: hit.token, expiresAt: hit.expiresAt };
+            }
+            const fresh = await fetchToken(input.audience, input.scope);
+            cache.set(key, fresh);
+            return fresh;
+        },
+        signRequestAssertion,
+        clearCache() {
+            cache.clear();
+        },
+    };
+}
+function assertNonEmpty(value, name) {
+    if (!value || typeof value !== "string") {
+        throw new Error(`service-auth: ${name} is required`);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,OAAO,EACL,SAAS,EAGT,OAAO,GACR,MAAM,MAAM,CAAC;AAmHd,MAAM,cAAc,GAClB,wDAAwD,CAAC;AAE3D,SAAS,UAAU;IACjB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,SAAS,QAAQ,CAAC,QAAgB,EAAE,KAAyB;IAC3D,MAAM,MAAM,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;SACzB,KAAK,CAAC,KAAK,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,IAAI,EAAE;SACN,IAAI,CAAC,GAAG,CAAC,CAAC;IACb,OAAO,GAAG,QAAQ,KAAK,MAAM,EAAE,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS;IAChB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IACzC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,GAAG,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAcD,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IACrC,MAAM,CAAS;IACf,IAAI,CAAU;IACvB,YAAY,MAAc,EAAE,IAAa;QACvC,IAAI,OAAO,GAAG,yCAAyC,MAAM,EAAE,CAAC;QAChE,IACE,IAAI;YACJ,OAAO,IAAI,KAAK,QAAQ;YACxB,OAAO,IAAK,IAAgC,EAC5C,CAAC;YACD,MAAM,GAAG,GAAI,IAA8B,CAAC,KAAK,CAAC;YAClD,MAAM,IAAI,GAAI,IAA8B,CAAC,iBAAiB,CAAC;YAC/D,OAAO,IAAI,KAAK,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC;QACnD,CAAC;QACD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,MAAM,UAAU,uBAAuB,CACrC,OAAiC;IAEjC,cAAc,CAAC,OAAO,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IAC7C,cAAc,CAAC,OAAO,CAAC,aAAa,EAAE,eAAe,CAAC,CAAC;IACvD,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,6FAA6F,CAC9F,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,UAAU,CAAC;IACtC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,IAAI,KAAK,CAAC;IACzC,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;IACpD,MAAM,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,IAAI,EAAE,CAAC;IAChE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,QAAQ,CAAC;IAClD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAsB,CAAC;IAE5C,+DAA+D;IAC/D,qDAAqD;IACrD,IAAI,iBAAiB,GAAkC,IAAI,CAAC;IAC5D,SAAS,aAAa;QACpB,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,iBAAiB,GAAG,SAAS,CAC3B,OAAO,CAAC,aAAa,EACrB,OAAO,CAAC,aAAa,CAAC,GAAG,CACA,CAAC;QAC9B,CAAC;QACD,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,KAAK,UAAU,oBAAoB,CACjC,KAAiC;QAEjC,MAAM,UAAU,GAAG,MAAM,aAAa,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,GAAG,EAAE,CAAC;QACvB,OAAO,IAAI,OAAO,CAAC,EAAE,CAAC;aACnB,kBAAkB,CAAC;YAClB,GAAG,EAAE,OAAO,CAAC,aAAa,CAAC,GAAa;YACxC,GAAG,EAAE,OAAO,CAAC,aAAa,CAAC,GAAa;YACxC,GAAG,EAAE,KAAK;SACX,CAAC;aACD,SAAS,CAAC,MAAM,CAAC;aACjB,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC;aAC5B,WAAW,CAAC,KAAK,EAAE,QAAQ,IAAI,OAAO,CAAC,aAAa,CAAC;aACrD,WAAW,CAAC,QAAQ,CAAC;aACrB,YAAY,CAAC,QAAQ,CAAC;aACtB,iBAAiB,CAAC,QAAQ,GAAG,oBAAoB,CAAC;aAClD,MAAM,CAAC,SAAS,EAAE,CAAC;YACpB,gEAAgE;aAC/D,IAAI,CAAC,UAAmB,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,UAAU,UAAU,CACvB,QAAgB,EAChB,KAAyB;QAEzB,MAAM,SAAS,GAAG,MAAM,oBAAoB,EAAE,CAAC;QAC/C,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,oBAAoB;YAChC,qBAAqB,EAAE,cAAc;YACrC,gBAAgB,EAAE,SAAS;YAC3B,QAAQ;SACT,CAAC,CAAC;QACH,IAAI,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAC1B,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAClC,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,aAAa,EAAE;YACtD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,MAAM,GAAY,EAAE,CAAC;QACzB,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;YACzB,CAAC;QACH,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,qBAAqB,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3D,CAAC;QACD,MAAM,EAAE,GAAG,MAA8B,CAAC;QAC1C,IAAI,OAAO,EAAE,CAAC,YAAY,KAAK,QAAQ,IAAI,OAAO,EAAE,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YAC7E,MAAM,IAAI,qBAAqB,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO;YACL,KAAK,EAAE,EAAE,CAAC,YAAY;YACtB,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,UAAU;SACjC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,CAAC,eAAe,CAAC,KAAK;YACzB,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC3C,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC3B,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC;YAChB,IAAI,GAAG,IAAI,GAAG,CAAC,SAAS,GAAG,cAAc,GAAG,CAAC,EAAE,CAAC;gBAC9C,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE,CAAC;YACxD,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC5D,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACtB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,oBAAoB;QACpB,UAAU;YACR,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,KAAgC,EAAE,IAAY;IACpE,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,iBAAiB,IAAI,cAAc,CAAC,CAAC;IACvD,CAAC;AACH,CAAC"}

package/dist/jwks/index.d.ts

@@ -0,0 +1,58 @@
+/**
+ * JWKS publishing helper. INTERNAL Vana package.
+ *
+ * A service that authenticates to Hydra with `private_key_jwt` must
+ * publish the *public* counterpart of its signing key at a stable
+ * URI that Hydra fetches. This helper produces:
+ *
+ *   - `buildJwksDocument({ keys })`  --  returns the JSON shape suitable
+ *     for `/.well-known/jwks.json`.
+ *   - `createJwksHandler({ keys })`  --  returns a function
+ *     `(request: Request) => Response` that a Next.js / Hono / plain
+ *     Node handler can call.
+ *
+ * Key rotation
+ * ------------
+ *
+ * `keys` is an array; publish the current and previous keys
+ * simultaneously during rotation so callers that cached an older
+ * `kid` still verify until they refresh. Hydra's
+ * `createRemoteJWKSet` and ours both pick the right key by `kid`.
+ *
+ * Safety
+ * ------
+ *
+ * Each entry is stripped of any private-key material via an
+ * allowlist of public-only members. This package will NEVER serialize
+ * `d`, `p`, `q`, `dp`, `dq`, or `qi`.
+ */
+import type { JWK } from "jose";
+export interface PublicJwk {
+    kty: string;
+    kid: string;
+    alg: string;
+    use?: string;
+    n?: string;
+    e?: string;
+    crv?: string;
+    x?: string;
+    y?: string;
+}
+export interface JwksDocument {
+    keys: PublicJwk[];
+}
+export interface CreateJwksOptions {
+    /**
+     * One or more JWKs. Each must have a stable `kid` and `alg`.
+     * Private-key fields are stripped before publication.
+     */
+    keys: JWK[];
+}
+export declare function buildJwksDocument(options: CreateJwksOptions): JwksDocument;
+export type JwksHandler = (request: Request) => Response;
+/**
+ * Build the JWKS Response with the standard headers. Pre-computed at
+ * handler-creation time because the keyset is immutable per process.
+ */
+export declare function createJwksHandler(options: CreateJwksOptions): JwksHandler;
+//# sourceMappingURL=index.d.ts.map

package/dist/jwks/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/jwks/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAEhC,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IAEX,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;CAEZ;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,SAAS,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,IAAI,EAAE,GAAG,EAAE,CAAC;CACb;AAwBD,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,YAAY,CAiB1E;AAED,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC;AAEzD;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,WAAW,CAYzE"}

package/dist/jwks/index.js

@@ -0,0 +1,84 @@
+/**
+ * JWKS publishing helper. INTERNAL Vana package.
+ *
+ * A service that authenticates to Hydra with `private_key_jwt` must
+ * publish the *public* counterpart of its signing key at a stable
+ * URI that Hydra fetches. This helper produces:
+ *
+ *   - `buildJwksDocument({ keys })`  --  returns the JSON shape suitable
+ *     for `/.well-known/jwks.json`.
+ *   - `createJwksHandler({ keys })`  --  returns a function
+ *     `(request: Request) => Response` that a Next.js / Hono / plain
+ *     Node handler can call.
+ *
+ * Key rotation
+ * ------------
+ *
+ * `keys` is an array; publish the current and previous keys
+ * simultaneously during rotation so callers that cached an older
+ * `kid` still verify until they refresh. Hydra's
+ * `createRemoteJWKSet` and ours both pick the right key by `kid`.
+ *
+ * Safety
+ * ------
+ *
+ * Each entry is stripped of any private-key material via an
+ * allowlist of public-only members. This package will NEVER serialize
+ * `d`, `p`, `q`, `dp`, `dq`, or `qi`.
+ */
+const PRIVATE_FIELDS = new Set(["d", "p", "q", "dp", "dq", "qi", "k"]);
+function toPublicJwk(jwk) {
+    if (!jwk.kid) {
+        throw new Error("service-auth/jwks: every key must have a stable kid");
+    }
+    if (!jwk.alg) {
+        throw new Error("service-auth/jwks: every key must declare alg");
+    }
+    if (!jwk.kty) {
+        throw new Error("service-auth/jwks: every key must declare kty");
+    }
+    const out = {};
+    for (const [k, v] of Object.entries(jwk)) {
+        if (PRIVATE_FIELDS.has(k))
+            continue;
+        if (v === undefined)
+            continue;
+        out[k] = v;
+    }
+    if (!out.use)
+        out.use = "sig";
+    return out;
+}
+export function buildJwksDocument(options) {
+    if (!Array.isArray(options.keys) || options.keys.length === 0) {
+        throw new Error("service-auth/jwks: at least one key is required");
+    }
+    const seen = new Set();
+    const out = [];
+    for (const k of options.keys) {
+        const pub = toPublicJwk(k);
+        if (seen.has(pub.kid)) {
+            throw new Error(`service-auth/jwks: duplicate kid '${pub.kid}' in keyset`);
+        }
+        seen.add(pub.kid);
+        out.push(pub);
+    }
+    return { keys: out };
+}
+/**
+ * Build the JWKS Response with the standard headers. Pre-computed at
+ * handler-creation time because the keyset is immutable per process.
+ */
+export function createJwksHandler(options) {
+    const doc = buildJwksDocument(options);
+    const body = JSON.stringify(doc);
+    return (_request) => new Response(body, {
+        status: 200,
+        headers: {
+            "content-type": "application/jwk-set+json",
+            // 5 minutes; mirrors Hydra's own JWKS cache cadence.
+            "cache-control": "public, max-age=300, must-revalidate",
+        },
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/jwks/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/jwks/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AA+BH,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAEvE,SAAS,WAAW,CAAC,GAAQ;IAC3B,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IACD,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,IAAI,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,SAAS;QACpC,IAAI,CAAC,KAAK,SAAS;YAAE,SAAS;QAC9B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACb,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,GAAG;QAAE,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC;IAC9B,OAAO,GAA2B,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAA0B;IAC1D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,GAAG,GAAgB,EAAE,CAAC;IAC5B,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CACb,qCAAqC,GAAG,CAAC,GAAG,aAAa,CAC1D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClB,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;AACvB,CAAC;AAID;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAA0B;IAC1D,MAAM,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,CAAC,QAAiB,EAAE,EAAE,CAC3B,IAAI,QAAQ,CAAC,IAAI,EAAE;QACjB,MAAM,EAAE,GAAG;QACX,OAAO,EAAE;YACP,cAAc,EAAE,0BAA0B;YAC1C,qDAAqD;YACrD,eAAe,EAAE,sCAAsC;SACxD;KACF,CAAC,CAAC;AACP,CAAC"}

package/dist/registration/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Registration: manifest schema + Hydra provisioning. INTERNAL Vana
+ * package; see ./manifest.ts and ./provision.ts.
+ */
+export { diffHydraClient, type HydraClientBody, loadManifest, ManifestValidationError, manifestToHydraClient, parseManifestText, serviceAuthManifestSchema, type ServiceAuthManifest, } from "./manifest";
+export { HydraAdminApiError, provisionServiceClient, type ProvisionAction, type ProvisionFetch, type ProvisionOptions, type ProvisionResult, } from "./provision";
+//# sourceMappingURL=index.d.ts.map

package/dist/registration/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/registration/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,eAAe,EACf,KAAK,eAAe,EACpB,YAAY,EACZ,uBAAuB,EACvB,qBAAqB,EACrB,iBAAiB,EACjB,yBAAyB,EACzB,KAAK,mBAAmB,GACzB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,KAAK,eAAe,GACrB,MAAM,aAAa,CAAC"}

package/dist/registration/index.js

@@ -0,0 +1,7 @@
+/**
+ * Registration: manifest schema + Hydra provisioning. INTERNAL Vana
+ * package; see ./manifest.ts and ./provision.ts.
+ */
+export { diffHydraClient, loadManifest, ManifestValidationError, manifestToHydraClient, parseManifestText, serviceAuthManifestSchema, } from "./manifest";
+export { HydraAdminApiError, provisionServiceClient, } from "./provision";
+//# sourceMappingURL=index.js.map

package/dist/registration/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/registration/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,eAAe,EAEf,YAAY,EACZ,uBAAuB,EACvB,qBAAqB,EACrB,iBAAiB,EACjB,yBAAyB,GAE1B,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,kBAAkB,EAClB,sBAAsB,GAKvB,MAAM,aAAa,CAAC"}