@opendatalabs/vana-sdk 2.2.3 → 3.0.0

package/README.md

@@ -1,122 +1,106 @@
 # Vana SDK
 
-Build user-owned data applications with gasless permissions, encrypted data management, and privacy-preserving infrastructure.
+TypeScript primitives for building on Vana — smart-contract bindings, ECIES
+encryption, storage providers, and a shared isomorphic platform layer.
 
 [![npm version](https://img.shields.io/npm/v/@opendatalabs/vana-sdk)](https://www.npmjs.com/package/@opendatalabs/vana-sdk)
 [![Downloads](https://img.shields.io/npm/dm/@opendatalabs/vana-sdk)](https://www.npmjs.com/package/@opendatalabs/vana-sdk)
 [![License](https://img.shields.io/npm/l/@opendatalabs/vana-sdk)](https://opensource.org/licenses/ISC)
 
-The SDK is production-ready. APIs may evolve in minor versions as we incorporate feedback and expand functionality.
-
-## Get Started
-
-### 1. Install
+> **Heads up — minimal scaffold.** As of `3.x` the SDK has been pared down
+> to the primitives the new Vana protocol architecture builds on. The
+> previous high-level API (`Vana(...)` factory, `vana.permissions`,
+> `vana.data`, subgraph queries, personal-server client, DLP rewards) is
+> **not part of this release.** If you need that surface, pin to
+> [`@opendatalabs/vana-sdk@^2.3.0`](https://www.npmjs.com/package/@opendatalabs/vana-sdk/v/2.3.0)
+> or check out the [`legacy-pre-unification`](https://github.com/vana-com/vana-sdk/tree/legacy-pre-unification)
+> tag.
+
+## What's in the box
+
+- **Smart-contract bindings** — `getContractController`, `getContractInfo`,
+  `getAbi`, `getContractAddress`, plus the `CONTRACTS` and `VanaContract`
+  registries auto-generated from on-chain discovery.
+- **Chain configurations** — `vanaMainnet`, `mokshaTestnet` (alias `moksha`),
+  `getChainConfig`, `getAllChains`, plus the lower-level viem `chains` map.
+- **ECIES crypto** — audited (HashCloak, 2025) ECIES implementation with
+  matched browser and Node providers, byte-identical across platforms and
+  with strict KDF/MAC validation.
+- **Storage providers** — `StorageManager`, `IpfsStorage`, `PinataStorage`,
+  `GoogleDriveStorage`, `DropboxStorage`, `CallbackStorage`.
+- **Platform adapters** — `NodePlatformAdapter` and `BrowserPlatformAdapter`
+  with a shared `VanaPlatformAdapter` interface, plus detection helpers
+  (`detectPlatform`, `isPlatformSupported`, `createPlatformAdapter`,
+  `createPlatformAdapterSafe`).
+- **JSON protocol schemas** — `dataSchema.schema.json` and
+  `grantFile.schema.json`, shipped under `dist/schemas/`.
+
+## Install
 
 ```bash
 npm install @opendatalabs/vana-sdk viem
 ```
 
-### 2. Set up your client
-
-Choose the build for your environment:
-
-**Browser:**
+The SDK ships separate browser and Node bundles. Pick the entry point that
+matches your runtime:
 
 ```typescript
-import { Vana, mokshaTestnet } from "@opendatalabs/vana-sdk/browser";
-import { createWalletClient, custom } from "viem";
+// Browser / web app
+import { BrowserPlatformAdapter } from "@opendatalabs/vana-sdk/browser";
 
-const walletClient = createWalletClient({
-  chain: mokshaTestnet,
-  transport: custom(window.ethereum),
-});
-
-const vana = Vana({ walletClient });
+// Node.js / server
+import { NodePlatformAdapter } from "@opendatalabs/vana-sdk/node";
 ```
 
-**Node.js:**
+The bare `@opendatalabs/vana-sdk` import intentionally throws — it forces a
+deliberate platform choice instead of accidentally pulling Node-only code
+into a browser bundle (or vice versa).
 
-```typescript
-import { Vana, mokshaTestnet } from "@opendatalabs/vana-sdk/node";
-import { createWalletClient, http } from "viem";
-import { privateKeyToAccount } from "viem/accounts";
-
-const account = privateKeyToAccount("0x...");
-const vana = Vana({
-  walletClient: createWalletClient({
-    account,
-    chain: mokshaTestnet,
-    transport: http("https://rpc.moksha.vana.org"),
-  }),
-  relayerUrl: "https://relayer.moksha.vana.org",
-});
-```
+## Quick examples
 
-### 3. Use the SDK
+### Read a Vana contract
 
 ```typescript
-// Grant gasless data access permission
-await vana.permissions.grant({
-  grantee: "0x742d35Cc6558Fd4D9e9E0E888F0462ef6919Bd36",
-  operation: "llm_inference",
-  parameters: {
-    prompt: "Analyze my data for insights",
-    maxTokens: 1000,
-  },
-  expiresAt: Math.floor(Date.now() / 1000) + 86400,
-});
+import { getContractController } from "@opendatalabs/vana-sdk/node";
+import { createPublicClient, http } from "viem";
+import { mokshaTestnet } from "@opendatalabs/vana-sdk/node";
 
-// Upload encrypted file with decryption permissions
-await vana.data.upload({
-  content: "Sensitive user data",
-  filename: "data.json",
-  schemaId: 123,
-  permissions: [
-    {
-      account: "0xServerAddress...",
-      publicKey: "0x04ServerKey...",
-    },
-  ],
+const client = createPublicClient({
+  chain: mokshaTestnet,
+  transport: http(),
 });
 
-// Query user files
-const files = await vana.data.getUserFiles({
-  owner: "0x742d35Cc6558Fd4D9e9E0E888F0462ef6919Bd36",
-});
+const dataRegistry = getContractController("DataRegistry" as const, client);
+const fileCount = await dataRegistry.read.filesCount();
 ```
 
-## Features
+### Encrypt with ECIES (Node)
 
-The SDK provides six main controllers:
+```typescript
+import { NodeECIESProvider } from "@opendatalabs/vana-sdk/node";
 
-| Controller    | Purpose                                      |
-| ------------- | -------------------------------------------- |
-| `permissions` | Grant and revoke gasless data access         |
-| `data`        | Upload, query, and decrypt encrypted files   |
-| `schemas`     | Validate data against schemas                |
-| `server`      | Interact with trusted servers                |
-| `protocol`    | Direct smart contract access                 |
-| `operations`  | Track and poll transaction status            |
+const ecies = new NodeECIESProvider();
 
-## Configuration
+const encrypted = await ecies.encrypt(recipientPublicKey, payload);
+const decrypted = await ecies.decrypt(recipientPrivateKey, encrypted);
+```
+
+The browser entry exposes the same surface as `BrowserECIESProvider`.
 
-Configure storage, relay, and subgraph services:
+### Upload a file via the storage manager
 
 ```typescript
 import { StorageManager, PinataStorage } from "@opendatalabs/vana-sdk/node";
 
-const vana = Vana({
-  walletClient,
-  relayerUrl: "https://relayer.moksha.vana.org",
-  storageManager: new StorageManager().register(
-    "ipfs",
-    new PinataStorage({
-      apiKey: process.env.PINATA_API_KEY,
-      secretKey: process.env.PINATA_SECRET_KEY,
-    })
-  ),
-  subgraphUrl: "https://api.thegraph.com/subgraphs/name/vana/moksha",
-});
+const storage = new StorageManager();
+storage.register(
+  "pinata",
+  new PinataStorage({ jwt: process.env.PINATA_JWT! }),
+  true, // mark as default
+);
+
+const result = await storage.upload(myBlob, "report.json");
+console.log(result.url);
 ```
 
 ## Networks
@@ -126,16 +110,16 @@ const vana = Vana({
 | Vana Mainnet   | 1480     | https://rpc.vana.org        |
 | Moksha Testnet | 14800    | https://rpc.moksha.vana.org |
 
-## Learn More
+## Audit
 
-- [Documentation](https://docs.vana.org/docs/sdk) - Comprehensive guides and tutorials
-- [API Reference](https://vana-com.github.io/vana-sdk) - Complete TypeScript documentation
-- [Examples](https://github.com/vana-com/vana-sdk/tree/main/examples) - Full demo applications
-- [Discord](https://discord.gg/vanabuilders) - Community support
+The ECIES implementation under `src/crypto/ecies/` was audited by HashCloak
+in October 2025; the report is in [`audits/`](https://github.com/vana-com/vana-sdk/tree/main/packages/vana-sdk/audits).
 
-## Support
+## Learn more
 
-Report issues on [GitHub Issues](https://github.com/vana-com/vana-sdk/issues).
+- [Documentation](https://docs.vana.org/docs/sdk)
+- [API reference](https://vana-com.github.io/vana-sdk)
+- [Discord](https://discord.gg/vanabuilders)
 
 ## License
 

package/dist/auth/errors.cjs

@@ -0,0 +1,54 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var errors_exports = {};
+__export(errors_exports, {
+  ExpiredTokenError: () => ExpiredTokenError,
+  InvalidSignatureError: () => InvalidSignatureError,
+  MissingAuthError: () => MissingAuthError
+});
+module.exports = __toCommonJS(errors_exports);
+var import_errors = require("../errors");
+class MissingAuthError extends import_errors.VanaError {
+  constructor(message = "Missing authentication", details) {
+    super(message, "MISSING_AUTH");
+    this.details = details;
+  }
+  details;
+}
+class InvalidSignatureError extends import_errors.VanaError {
+  constructor(details, message = "Invalid signature") {
+    super(message, "INVALID_SIGNATURE");
+    this.details = details;
+  }
+  details;
+}
+class ExpiredTokenError extends import_errors.VanaError {
+  constructor(details, message = "Token has expired") {
+    super(message, "EXPIRED_TOKEN");
+    this.details = details;
+  }
+  details;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ExpiredTokenError,
+  InvalidSignatureError,
+  MissingAuthError
+});
+//# sourceMappingURL=errors.cjs.map

package/dist/auth/errors.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/errors.ts"],"sourcesContent":["/**\n * Auth-specific error classes for Web3Signed verification.\n *\n * @remarks\n * Mirrors the relevant subset of `personal-server-ts` `ProtocolError` so server\n * code that consumes Web3Signed primitives can branch on typed errors. They\n * extend {@link VanaError} so they fit the SDK error hierarchy.\n *\n * @category Error Handling\n */\n\nimport { VanaError } from \"../errors\";\n\n/** Thrown when an Authorization header is missing or empty. */\nexport class MissingAuthError extends VanaError {\n  constructor(\n    message = \"Missing authentication\",\n    public readonly details?: Record<string, unknown>,\n  ) {\n    super(message, \"MISSING_AUTH\");\n  }\n}\n\n/** Thrown when a Web3Signed header is malformed or its signature does not verify. */\nexport class InvalidSignatureError extends VanaError {\n  constructor(\n    public readonly details?: Record<string, unknown>,\n    message = \"Invalid signature\",\n  ) {\n    super(message, \"INVALID_SIGNATURE\");\n  }\n}\n\n/** Thrown when a Web3Signed token is expired or issued too far in the future. */\nexport class ExpiredTokenError extends VanaError {\n  constructor(\n    public readonly details?: Record<string, unknown>,\n    message = \"Token has expired\",\n  ) {\n    super(message, \"EXPIRED_TOKEN\");\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAWA,oBAA0B;AAGnB,MAAM,yBAAyB,wBAAU;AAAA,EAC9C,YACE,UAAU,0BACM,SAChB;AACA,UAAM,SAAS,cAAc;AAFb;AAAA,EAGlB;AAAA,EAHkB;AAIpB;AAGO,MAAM,8BAA8B,wBAAU;AAAA,EACnD,YACkB,SAChB,UAAU,qBACV;AACA,UAAM,SAAS,mBAAmB;AAHlB;AAAA,EAIlB;AAAA,EAJkB;AAKpB;AAGO,MAAM,0BAA0B,wBAAU;AAAA,EAC/C,YACkB,SAChB,UAAU,qBACV;AACA,UAAM,SAAS,eAAe;AAHd;AAAA,EAIlB;AAAA,EAJkB;AAKpB;","names":[]}

package/dist/auth/errors.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Auth-specific error classes for Web3Signed verification.
+ *
+ * @remarks
+ * Mirrors the relevant subset of `personal-server-ts` `ProtocolError` so server
+ * code that consumes Web3Signed primitives can branch on typed errors. They
+ * extend {@link VanaError} so they fit the SDK error hierarchy.
+ *
+ * @category Error Handling
+ */
+import { VanaError } from "../errors";
+/** Thrown when an Authorization header is missing or empty. */
+export declare class MissingAuthError extends VanaError {
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(message?: string, details?: Record<string, unknown> | undefined);
+}
+/** Thrown when a Web3Signed header is malformed or its signature does not verify. */
+export declare class InvalidSignatureError extends VanaError {
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(details?: Record<string, unknown> | undefined, message?: string);
+}
+/** Thrown when a Web3Signed token is expired or issued too far in the future. */
+export declare class ExpiredTokenError extends VanaError {
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(details?: Record<string, unknown> | undefined, message?: string);
+}

package/dist/auth/errors.js

@@ -0,0 +1,28 @@
+import { VanaError } from "../errors";
+class MissingAuthError extends VanaError {
+  constructor(message = "Missing authentication", details) {
+    super(message, "MISSING_AUTH");
+    this.details = details;
+  }
+  details;
+}
+class InvalidSignatureError extends VanaError {
+  constructor(details, message = "Invalid signature") {
+    super(message, "INVALID_SIGNATURE");
+    this.details = details;
+  }
+  details;
+}
+class ExpiredTokenError extends VanaError {
+  constructor(details, message = "Token has expired") {
+    super(message, "EXPIRED_TOKEN");
+    this.details = details;
+  }
+  details;
+}
+export {
+  ExpiredTokenError,
+  InvalidSignatureError,
+  MissingAuthError
+};
+//# sourceMappingURL=errors.js.map

package/dist/auth/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/errors.ts"],"sourcesContent":["/**\n * Auth-specific error classes for Web3Signed verification.\n *\n * @remarks\n * Mirrors the relevant subset of `personal-server-ts` `ProtocolError` so server\n * code that consumes Web3Signed primitives can branch on typed errors. They\n * extend {@link VanaError} so they fit the SDK error hierarchy.\n *\n * @category Error Handling\n */\n\nimport { VanaError } from \"../errors\";\n\n/** Thrown when an Authorization header is missing or empty. */\nexport class MissingAuthError extends VanaError {\n  constructor(\n    message = \"Missing authentication\",\n    public readonly details?: Record<string, unknown>,\n  ) {\n    super(message, \"MISSING_AUTH\");\n  }\n}\n\n/** Thrown when a Web3Signed header is malformed or its signature does not verify. */\nexport class InvalidSignatureError extends VanaError {\n  constructor(\n    public readonly details?: Record<string, unknown>,\n    message = \"Invalid signature\",\n  ) {\n    super(message, \"INVALID_SIGNATURE\");\n  }\n}\n\n/** Thrown when a Web3Signed token is expired or issued too far in the future. */\nexport class ExpiredTokenError extends VanaError {\n  constructor(\n    public readonly details?: Record<string, unknown>,\n    message = \"Token has expired\",\n  ) {\n    super(message, \"EXPIRED_TOKEN\");\n  }\n}\n"],"mappings":"AAWA,SAAS,iBAAiB;AAGnB,MAAM,yBAAyB,UAAU;AAAA,EAC9C,YACE,UAAU,0BACM,SAChB;AACA,UAAM,SAAS,cAAc;AAFb;AAAA,EAGlB;AAAA,EAHkB;AAIpB;AAGO,MAAM,8BAA8B,UAAU;AAAA,EACnD,YACkB,SAChB,UAAU,qBACV;AACA,UAAM,SAAS,mBAAmB;AAHlB;AAAA,EAIlB;AAAA,EAJkB;AAKpB;AAGO,MAAM,0BAA0B,UAAU;AAAA,EAC/C,YACkB,SAChB,UAAU,qBACV;AACA,UAAM,SAAS,eAAe;AAHd;AAAA,EAIlB;AAAA,EAJkB;AAKpB;","names":[]}

package/dist/auth/pkce.cjs

@@ -0,0 +1,100 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var pkce_exports = {};
+__export(pkce_exports, {
+  PKCE_CHALLENGE_PATTERN: () => PKCE_CHALLENGE_PATTERN,
+  PKCE_VERIFIER_PATTERN: () => PKCE_VERIFIER_PATTERN,
+  assertValidPkceVerifier: () => assertValidPkceVerifier,
+  computePkceChallenge: () => computePkceChallenge,
+  generatePkceVerifier: () => generatePkceVerifier,
+  verifyPkceChallenge: () => verifyPkceChallenge
+});
+module.exports = __toCommonJS(pkce_exports);
+const PKCE_VERIFIER_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+const PKCE_VERIFIER_MIN_LENGTH = 43;
+const PKCE_VERIFIER_MAX_LENGTH = 128;
+const PKCE_VERIFIER_DEFAULT_LENGTH = 64;
+const PKCE_VERIFIER_PATTERN = /^[A-Za-z0-9._~-]{43,128}$/;
+const PKCE_CHALLENGE_PATTERN = /^[A-Za-z0-9_-]{43}$/;
+function assertValidPkceVerifier(verifier) {
+  if (!PKCE_VERIFIER_PATTERN.test(verifier)) {
+    throw new RangeError(
+      `PKCE verifier must match RFC 7636 \xA74.1: ${PKCE_VERIFIER_MIN_LENGTH}-${PKCE_VERIFIER_MAX_LENGTH} unreserved chars [A-Za-z0-9._~-]`
+    );
+  }
+}
+function generatePkceVerifier(length = PKCE_VERIFIER_DEFAULT_LENGTH) {
+  if (!Number.isInteger(length) || length < PKCE_VERIFIER_MIN_LENGTH || length > PKCE_VERIFIER_MAX_LENGTH) {
+    throw new RangeError(
+      `PKCE verifier length must be an integer between ${PKCE_VERIFIER_MIN_LENGTH} and ${PKCE_VERIFIER_MAX_LENGTH}`
+    );
+  }
+  const alphabetLen = PKCE_VERIFIER_ALPHABET.length;
+  const acceptCutoff = Math.floor(256 / alphabetLen) * alphabetLen;
+  const out = new Array(length);
+  let filled = 0;
+  const buffer = new Uint8Array(length * 2);
+  while (filled < length) {
+    crypto.getRandomValues(buffer);
+    for (let i = 0; i < buffer.length && filled < length; i++) {
+      const byte = buffer[i];
+      if (byte < acceptCutoff) {
+        out[filled++] = PKCE_VERIFIER_ALPHABET[byte % alphabetLen];
+      }
+    }
+  }
+  return out.join("");
+}
+async function computePkceChallenge(verifier) {
+  assertValidPkceVerifier(verifier);
+  const bytes = new TextEncoder().encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", bytes);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+async function verifyPkceChallenge(verifier, challenge) {
+  if (!PKCE_VERIFIER_PATTERN.test(verifier)) return false;
+  if (!PKCE_CHALLENGE_PATTERN.test(challenge)) return false;
+  const computed = await computePkceChallenge(verifier);
+  return constantTimeEqualString(computed, challenge);
+}
+function base64UrlEncode(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function constantTimeEqualString(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  PKCE_CHALLENGE_PATTERN,
+  PKCE_VERIFIER_PATTERN,
+  assertValidPkceVerifier,
+  computePkceChallenge,
+  generatePkceVerifier,
+  verifyPkceChallenge
+});
+//# sourceMappingURL=pkce.cjs.map

package/dist/auth/pkce.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/pkce.ts"],"sourcesContent":["/**\n * PKCE (Proof Key for Code Exchange) primitives per RFC 7636.\n *\n * @remarks\n * Implements the S256 challenge method only. All functions are pure and\n * isomorphic — they rely on the `crypto.getRandomValues` and\n * `crypto.subtle` Web Crypto APIs available as globals in browsers and\n * Node.js (>= 20).\n *\n * @category Auth\n * @module auth/pkce\n */\n\n// RFC 7636 §4.1 unreserved characters: ALPHA / DIGIT / \"-\" / \".\" / \"_\" / \"~\"\nconst PKCE_VERIFIER_ALPHABET =\n  \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~\";\n\nconst PKCE_VERIFIER_MIN_LENGTH = 43;\nconst PKCE_VERIFIER_MAX_LENGTH = 128;\nconst PKCE_VERIFIER_DEFAULT_LENGTH = 64;\n\n/**\n * RFC 7636 §4.1 verifier shape: 43-128 unreserved chars.\n *\n * @category Auth\n */\nexport const PKCE_VERIFIER_PATTERN = /^[A-Za-z0-9._~-]{43,128}$/;\n\n/**\n * S256 challenge shape: 43-char base64url (SHA-256 = 32 bytes → 43 chars\n * after base64url-no-padding encoding).\n *\n * @category Auth\n */\nexport const PKCE_CHALLENGE_PATTERN = /^[A-Za-z0-9_-]{43}$/;\n\n/**\n * Throws {@link RangeError} unless `verifier` matches RFC 7636 §4.1.\n *\n * @category Auth\n */\nexport function assertValidPkceVerifier(verifier: string): void {\n  if (!PKCE_VERIFIER_PATTERN.test(verifier)) {\n    throw new RangeError(\n      `PKCE verifier must match RFC 7636 §4.1: ${PKCE_VERIFIER_MIN_LENGTH}-${PKCE_VERIFIER_MAX_LENGTH} unreserved chars [A-Za-z0-9._~-]`,\n    );\n  }\n}\n\n/**\n * Generates a cryptographically random PKCE code verifier.\n *\n * @param length - Verifier length in characters. Must be between 43 and 128\n *   (RFC 7636 §4.1). Defaults to 64.\n * @returns A string of the requested length using only the RFC-allowed\n *   unreserved alphabet.\n */\nexport function generatePkceVerifier(\n  length: number = PKCE_VERIFIER_DEFAULT_LENGTH,\n): string {\n  if (\n    !Number.isInteger(length) ||\n    length < PKCE_VERIFIER_MIN_LENGTH ||\n    length > PKCE_VERIFIER_MAX_LENGTH\n  ) {\n    throw new RangeError(\n      `PKCE verifier length must be an integer between ${PKCE_VERIFIER_MIN_LENGTH} and ${PKCE_VERIFIER_MAX_LENGTH}`,\n    );\n  }\n\n  const alphabetLen = PKCE_VERIFIER_ALPHABET.length;\n  // Reject-sample to avoid modulo bias from a non-power-of-two alphabet (66).\n  const acceptCutoff = Math.floor(256 / alphabetLen) * alphabetLen;\n\n  const out = new Array<string>(length);\n  let filled = 0;\n  const buffer = new Uint8Array(length * 2);\n\n  while (filled < length) {\n    crypto.getRandomValues(buffer);\n    for (let i = 0; i < buffer.length && filled < length; i++) {\n      const byte = buffer[i] as number;\n      if (byte < acceptCutoff) {\n        out[filled++] = PKCE_VERIFIER_ALPHABET[byte % alphabetLen] as string;\n      }\n    }\n  }\n\n  return out.join(\"\");\n}\n\n/**\n * Computes the S256 PKCE code challenge for a verifier.\n *\n * @param verifier - The PKCE code verifier.\n * @returns The base64url-encoded SHA-256 hash of the verifier (no padding).\n */\nexport async function computePkceChallenge(verifier: string): Promise<string> {\n  assertValidPkceVerifier(verifier);\n  const bytes = new TextEncoder().encode(verifier);\n  const digest = await crypto.subtle.digest(\"SHA-256\", bytes);\n  return base64UrlEncode(new Uint8Array(digest));\n}\n\n/**\n * Verifies that a verifier hashes to the given S256 challenge.\n *\n * @param verifier - The PKCE code verifier presented by the client.\n * @param challenge - The previously stored S256 challenge.\n * @returns `true` when the verifier matches; `false` otherwise.\n */\nexport async function verifyPkceChallenge(\n  verifier: string,\n  challenge: string,\n): Promise<boolean> {\n  if (!PKCE_VERIFIER_PATTERN.test(verifier)) return false;\n  if (!PKCE_CHALLENGE_PATTERN.test(challenge)) return false;\n  const computed = await computePkceChallenge(verifier);\n  return constantTimeEqualString(computed, challenge);\n}\n\nfunction base64UrlEncode(bytes: Uint8Array): string {\n  let binary = \"\";\n  for (let i = 0; i < bytes.length; i++) {\n    binary += String.fromCharCode(bytes[i] as number);\n  }\n  // btoa is available in Node 16+ and all browsers.\n  return btoa(binary)\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\nfunction constantTimeEqualString(a: string, b: string): boolean {\n  if (a.length !== b.length) return false;\n  let result = 0;\n  for (let i = 0; i < a.length; i++) {\n    result |= a.charCodeAt(i) ^ b.charCodeAt(i);\n  }\n  return result === 0;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAcA,MAAM,yBACJ;AAEF,MAAM,2BAA2B;AACjC,MAAM,2BAA2B;AACjC,MAAM,+BAA+B;AAO9B,MAAM,wBAAwB;AAQ9B,MAAM,yBAAyB;AAO/B,SAAS,wBAAwB,UAAwB;AAC9D,MAAI,CAAC,sBAAsB,KAAK,QAAQ,GAAG;AACzC,UAAM,IAAI;AAAA,MACR,8CAA2C,wBAAwB,IAAI,wBAAwB;AAAA,IACjG;AAAA,EACF;AACF;AAUO,SAAS,qBACd,SAAiB,8BACT;AACR,MACE,CAAC,OAAO,UAAU,MAAM,KACxB,SAAS,4BACT,SAAS,0BACT;AACA,UAAM,IAAI;AAAA,MACR,mDAAmD,wBAAwB,QAAQ,wBAAwB;AAAA,IAC7G;AAAA,EACF;AAEA,QAAM,cAAc,uBAAuB;AAE3C,QAAM,eAAe,KAAK,MAAM,MAAM,WAAW,IAAI;AAErD,QAAM,MAAM,IAAI,MAAc,MAAM;AACpC,MAAI,SAAS;AACb,QAAM,SAAS,IAAI,WAAW,SAAS,CAAC;AAExC,SAAO,SAAS,QAAQ;AACtB,WAAO,gBAAgB,MAAM;AAC7B,aAAS,IAAI,GAAG,IAAI,OAAO,UAAU,SAAS,QAAQ,KAAK;AACzD,YAAM,OAAO,OAAO,CAAC;AACrB,UAAI,OAAO,cAAc;AACvB,YAAI,QAAQ,IAAI,uBAAuB,OAAO,WAAW;AAAA,MAC3D;AAAA,IACF;AAAA,EACF;AAEA,SAAO,IAAI,KAAK,EAAE;AACpB;AAQA,eAAsB,qBAAqB,UAAmC;AAC5E,0BAAwB,QAAQ;AAChC,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,QAAQ;AAC/C,QAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,KAAK;AAC1D,SAAO,gBAAgB,IAAI,WAAW,MAAM,CAAC;AAC/C;AASA,eAAsB,oBACpB,UACA,WACkB;AAClB,MAAI,CAAC,sBAAsB,KAAK,QAAQ,EAAG,QAAO;AAClD,MAAI,CAAC,uBAAuB,KAAK,SAAS,EAAG,QAAO;AACpD,QAAM,WAAW,MAAM,qBAAqB,QAAQ;AACpD,SAAO,wBAAwB,UAAU,SAAS;AACpD;AAEA,SAAS,gBAAgB,OAA2B;AAClD,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,cAAU,OAAO,aAAa,MAAM,CAAC,CAAW;AAAA,EAClD;AAEA,SAAO,KAAK,MAAM,EACf,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AACtB;AAEA,SAAS,wBAAwB,GAAW,GAAoB;AAC9D,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,cAAU,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;AAAA,EAC5C;AACA,SAAO,WAAW;AACpB;","names":[]}

package/dist/auth/pkce.d.ts

@@ -0,0 +1,55 @@
+/**
+ * PKCE (Proof Key for Code Exchange) primitives per RFC 7636.
+ *
+ * @remarks
+ * Implements the S256 challenge method only. All functions are pure and
+ * isomorphic — they rely on the `crypto.getRandomValues` and
+ * `crypto.subtle` Web Crypto APIs available as globals in browsers and
+ * Node.js (>= 20).
+ *
+ * @category Auth
+ * @module auth/pkce
+ */
+/**
+ * RFC 7636 §4.1 verifier shape: 43-128 unreserved chars.
+ *
+ * @category Auth
+ */
+export declare const PKCE_VERIFIER_PATTERN: RegExp;
+/**
+ * S256 challenge shape: 43-char base64url (SHA-256 = 32 bytes → 43 chars
+ * after base64url-no-padding encoding).
+ *
+ * @category Auth
+ */
+export declare const PKCE_CHALLENGE_PATTERN: RegExp;
+/**
+ * Throws {@link RangeError} unless `verifier` matches RFC 7636 §4.1.
+ *
+ * @category Auth
+ */
+export declare function assertValidPkceVerifier(verifier: string): void;
+/**
+ * Generates a cryptographically random PKCE code verifier.
+ *
+ * @param length - Verifier length in characters. Must be between 43 and 128
+ *   (RFC 7636 §4.1). Defaults to 64.
+ * @returns A string of the requested length using only the RFC-allowed
+ *   unreserved alphabet.
+ */
+export declare function generatePkceVerifier(length?: number): string;
+/**
+ * Computes the S256 PKCE code challenge for a verifier.
+ *
+ * @param verifier - The PKCE code verifier.
+ * @returns The base64url-encoded SHA-256 hash of the verifier (no padding).
+ */
+export declare function computePkceChallenge(verifier: string): Promise<string>;
+/**
+ * Verifies that a verifier hashes to the given S256 challenge.
+ *
+ * @param verifier - The PKCE code verifier presented by the client.
+ * @param challenge - The previously stored S256 challenge.
+ * @returns `true` when the verifier matches; `false` otherwise.
+ */
+export declare function verifyPkceChallenge(verifier: string, challenge: string): Promise<boolean>;

package/dist/auth/pkce.js

@@ -0,0 +1,71 @@
+const PKCE_VERIFIER_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+const PKCE_VERIFIER_MIN_LENGTH = 43;
+const PKCE_VERIFIER_MAX_LENGTH = 128;
+const PKCE_VERIFIER_DEFAULT_LENGTH = 64;
+const PKCE_VERIFIER_PATTERN = /^[A-Za-z0-9._~-]{43,128}$/;
+const PKCE_CHALLENGE_PATTERN = /^[A-Za-z0-9_-]{43}$/;
+function assertValidPkceVerifier(verifier) {
+  if (!PKCE_VERIFIER_PATTERN.test(verifier)) {
+    throw new RangeError(
+      `PKCE verifier must match RFC 7636 \xA74.1: ${PKCE_VERIFIER_MIN_LENGTH}-${PKCE_VERIFIER_MAX_LENGTH} unreserved chars [A-Za-z0-9._~-]`
+    );
+  }
+}
+function generatePkceVerifier(length = PKCE_VERIFIER_DEFAULT_LENGTH) {
+  if (!Number.isInteger(length) || length < PKCE_VERIFIER_MIN_LENGTH || length > PKCE_VERIFIER_MAX_LENGTH) {
+    throw new RangeError(
+      `PKCE verifier length must be an integer between ${PKCE_VERIFIER_MIN_LENGTH} and ${PKCE_VERIFIER_MAX_LENGTH}`
+    );
+  }
+  const alphabetLen = PKCE_VERIFIER_ALPHABET.length;
+  const acceptCutoff = Math.floor(256 / alphabetLen) * alphabetLen;
+  const out = new Array(length);
+  let filled = 0;
+  const buffer = new Uint8Array(length * 2);
+  while (filled < length) {
+    crypto.getRandomValues(buffer);
+    for (let i = 0; i < buffer.length && filled < length; i++) {
+      const byte = buffer[i];
+      if (byte < acceptCutoff) {
+        out[filled++] = PKCE_VERIFIER_ALPHABET[byte % alphabetLen];
+      }
+    }
+  }
+  return out.join("");
+}
+async function computePkceChallenge(verifier) {
+  assertValidPkceVerifier(verifier);
+  const bytes = new TextEncoder().encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", bytes);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+async function verifyPkceChallenge(verifier, challenge) {
+  if (!PKCE_VERIFIER_PATTERN.test(verifier)) return false;
+  if (!PKCE_CHALLENGE_PATTERN.test(challenge)) return false;
+  const computed = await computePkceChallenge(verifier);
+  return constantTimeEqualString(computed, challenge);
+}
+function base64UrlEncode(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function constantTimeEqualString(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+export {
+  PKCE_CHALLENGE_PATTERN,
+  PKCE_VERIFIER_PATTERN,
+  assertValidPkceVerifier,
+  computePkceChallenge,
+  generatePkceVerifier,
+  verifyPkceChallenge
+};
+//# sourceMappingURL=pkce.js.map

package/dist/auth/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/pkce.ts"],"sourcesContent":["/**\n * PKCE (Proof Key for Code Exchange) primitives per RFC 7636.\n *\n * @remarks\n * Implements the S256 challenge method only. All functions are pure and\n * isomorphic — they rely on the `crypto.getRandomValues` and\n * `crypto.subtle` Web Crypto APIs available as globals in browsers and\n * Node.js (>= 20).\n *\n * @category Auth\n * @module auth/pkce\n */\n\n// RFC 7636 §4.1 unreserved characters: ALPHA / DIGIT / \"-\" / \".\" / \"_\" / \"~\"\nconst PKCE_VERIFIER_ALPHABET =\n  \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~\";\n\nconst PKCE_VERIFIER_MIN_LENGTH = 43;\nconst PKCE_VERIFIER_MAX_LENGTH = 128;\nconst PKCE_VERIFIER_DEFAULT_LENGTH = 64;\n\n/**\n * RFC 7636 §4.1 verifier shape: 43-128 unreserved chars.\n *\n * @category Auth\n */\nexport const PKCE_VERIFIER_PATTERN = /^[A-Za-z0-9._~-]{43,128}$/;\n\n/**\n * S256 challenge shape: 43-char base64url (SHA-256 = 32 bytes → 43 chars\n * after base64url-no-padding encoding).\n *\n * @category Auth\n */\nexport const PKCE_CHALLENGE_PATTERN = /^[A-Za-z0-9_-]{43}$/;\n\n/**\n * Throws {@link RangeError} unless `verifier` matches RFC 7636 §4.1.\n *\n * @category Auth\n */\nexport function assertValidPkceVerifier(verifier: string): void {\n  if (!PKCE_VERIFIER_PATTERN.test(verifier)) {\n    throw new RangeError(\n      `PKCE verifier must match RFC 7636 §4.1: ${PKCE_VERIFIER_MIN_LENGTH}-${PKCE_VERIFIER_MAX_LENGTH} unreserved chars [A-Za-z0-9._~-]`,\n    );\n  }\n}\n\n/**\n * Generates a cryptographically random PKCE code verifier.\n *\n * @param length - Verifier length in characters. Must be between 43 and 128\n *   (RFC 7636 §4.1). Defaults to 64.\n * @returns A string of the requested length using only the RFC-allowed\n *   unreserved alphabet.\n */\nexport function generatePkceVerifier(\n  length: number = PKCE_VERIFIER_DEFAULT_LENGTH,\n): string {\n  if (\n    !Number.isInteger(length) ||\n    length < PKCE_VERIFIER_MIN_LENGTH ||\n    length > PKCE_VERIFIER_MAX_LENGTH\n  ) {\n    throw new RangeError(\n      `PKCE verifier length must be an integer between ${PKCE_VERIFIER_MIN_LENGTH} and ${PKCE_VERIFIER_MAX_LENGTH}`,\n    );\n  }\n\n  const alphabetLen = PKCE_VERIFIER_ALPHABET.length;\n  // Reject-sample to avoid modulo bias from a non-power-of-two alphabet (66).\n  const acceptCutoff = Math.floor(256 / alphabetLen) * alphabetLen;\n\n  const out = new Array<string>(length);\n  let filled = 0;\n  const buffer = new Uint8Array(length * 2);\n\n  while (filled < length) {\n    crypto.getRandomValues(buffer);\n    for (let i = 0; i < buffer.length && filled < length; i++) {\n      const byte = buffer[i] as number;\n      if (byte < acceptCutoff) {\n        out[filled++] = PKCE_VERIFIER_ALPHABET[byte % alphabetLen] as string;\n      }\n    }\n  }\n\n  return out.join(\"\");\n}\n\n/**\n * Computes the S256 PKCE code challenge for a verifier.\n *\n * @param verifier - The PKCE code verifier.\n * @returns The base64url-encoded SHA-256 hash of the verifier (no padding).\n */\nexport async function computePkceChallenge(verifier: string): Promise<string> {\n  assertValidPkceVerifier(verifier);\n  const bytes = new TextEncoder().encode(verifier);\n  const digest = await crypto.subtle.digest(\"SHA-256\", bytes);\n  return base64UrlEncode(new Uint8Array(digest));\n}\n\n/**\n * Verifies that a verifier hashes to the given S256 challenge.\n *\n * @param verifier - The PKCE code verifier presented by the client.\n * @param challenge - The previously stored S256 challenge.\n * @returns `true` when the verifier matches; `false` otherwise.\n */\nexport async function verifyPkceChallenge(\n  verifier: string,\n  challenge: string,\n): Promise<boolean> {\n  if (!PKCE_VERIFIER_PATTERN.test(verifier)) return false;\n  if (!PKCE_CHALLENGE_PATTERN.test(challenge)) return false;\n  const computed = await computePkceChallenge(verifier);\n  return constantTimeEqualString(computed, challenge);\n}\n\nfunction base64UrlEncode(bytes: Uint8Array): string {\n  let binary = \"\";\n  for (let i = 0; i < bytes.length; i++) {\n    binary += String.fromCharCode(bytes[i] as number);\n  }\n  // btoa is available in Node 16+ and all browsers.\n  return btoa(binary)\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\nfunction constantTimeEqualString(a: string, b: string): boolean {\n  if (a.length !== b.length) return false;\n  let result = 0;\n  for (let i = 0; i < a.length; i++) {\n    result |= a.charCodeAt(i) ^ b.charCodeAt(i);\n  }\n  return result === 0;\n}\n"],"mappings":"AAcA,MAAM,yBACJ;AAEF,MAAM,2BAA2B;AACjC,MAAM,2BAA2B;AACjC,MAAM,+BAA+B;AAO9B,MAAM,wBAAwB;AAQ9B,MAAM,yBAAyB;AAO/B,SAAS,wBAAwB,UAAwB;AAC9D,MAAI,CAAC,sBAAsB,KAAK,QAAQ,GAAG;AACzC,UAAM,IAAI;AAAA,MACR,8CAA2C,wBAAwB,IAAI,wBAAwB;AAAA,IACjG;AAAA,EACF;AACF;AAUO,SAAS,qBACd,SAAiB,8BACT;AACR,MACE,CAAC,OAAO,UAAU,MAAM,KACxB,SAAS,4BACT,SAAS,0BACT;AACA,UAAM,IAAI;AAAA,MACR,mDAAmD,wBAAwB,QAAQ,wBAAwB;AAAA,IAC7G;AAAA,EACF;AAEA,QAAM,cAAc,uBAAuB;AAE3C,QAAM,eAAe,KAAK,MAAM,MAAM,WAAW,IAAI;AAErD,QAAM,MAAM,IAAI,MAAc,MAAM;AACpC,MAAI,SAAS;AACb,QAAM,SAAS,IAAI,WAAW,SAAS,CAAC;AAExC,SAAO,SAAS,QAAQ;AACtB,WAAO,gBAAgB,MAAM;AAC7B,aAAS,IAAI,GAAG,IAAI,OAAO,UAAU,SAAS,QAAQ,KAAK;AACzD,YAAM,OAAO,OAAO,CAAC;AACrB,UAAI,OAAO,cAAc;AACvB,YAAI,QAAQ,IAAI,uBAAuB,OAAO,WAAW;AAAA,MAC3D;AAAA,IACF;AAAA,EACF;AAEA,SAAO,IAAI,KAAK,EAAE;AACpB;AAQA,eAAsB,qBAAqB,UAAmC;AAC5E,0BAAwB,QAAQ;AAChC,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,QAAQ;AAC/C,QAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,KAAK;AAC1D,SAAO,gBAAgB,IAAI,WAAW,MAAM,CAAC;AAC/C;AASA,eAAsB,oBACpB,UACA,WACkB;AAClB,MAAI,CAAC,sBAAsB,KAAK,QAAQ,EAAG,QAAO;AAClD,MAAI,CAAC,uBAAuB,KAAK,SAAS,EAAG,QAAO;AACpD,QAAM,WAAW,MAAM,qBAAqB,QAAQ;AACpD,SAAO,wBAAwB,UAAU,SAAS;AACpD;AAEA,SAAS,gBAAgB,OAA2B;AAClD,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,cAAU,OAAO,aAAa,MAAM,CAAC,CAAW;AAAA,EAClD;AAEA,SAAO,KAAK,MAAM,EACf,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AACtB;AAEA,SAAS,wBAAwB,GAAW,GAAoB;AAC9D,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,cAAU,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;AAAA,EAC5C;AACA,SAAO,WAAW;AACpB;","names":[]}

package/dist/auth/token-store.cjs

@@ -0,0 +1,59 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var token_store_exports = {};
+__export(token_store_exports, {
+  InMemoryTokenStore: () => InMemoryTokenStore
+});
+module.exports = __toCommonJS(token_store_exports);
+class InMemoryTokenStore {
+  #records = /* @__PURE__ */ new Map();
+  get(key) {
+    const record = this.#records.get(key);
+    if (record === void 0) return Promise.resolve(null);
+    if (record.expiresAt !== void 0 && record.expiresAt <= Math.floor(Date.now() / 1e3)) {
+      this.#records.delete(key);
+      return Promise.resolve(null);
+    }
+    return Promise.resolve({ ...record });
+  }
+  set(key, record) {
+    this.#records.set(key, { ...record });
+    return Promise.resolve();
+  }
+  delete(key) {
+    this.#records.delete(key);
+    return Promise.resolve();
+  }
+  clear() {
+    this.#records.clear();
+    return Promise.resolve();
+  }
+  /**
+   * Returns the number of stored entries (including any not yet
+   * lazily evicted). Intended for tests and diagnostics.
+   */
+  get size() {
+    return this.#records.size;
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  InMemoryTokenStore
+});
+//# sourceMappingURL=token-store.cjs.map