npm - @peac/jwks-cache - Versions diffs - 0.10.8 → 0.10.10 - Mend

@peac/jwks-cache 0.10.8 → 0.10.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/LICENSE CHANGED Viewed

@@ -175,7 +175,7 @@ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 END OF TERMS AND CONDITIONS
-Copyright 2025 PEAC Protocol Contributors
+Copyright 2025-2026 PEAC Protocol Contributors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

package/dist/cache.d.ts CHANGED Viewed

@@ -2,12 +2,27 @@
  * In-memory cache implementation.
  */
 import type { CacheBackend, CacheEntry } from './types.js';
+export interface InMemoryCacheOptions {
+    /** Max entries before LRU eviction (default: 1000). */
+    maxEntries?: number;
+}
 /**
- * Simple in-memory cache with TTL support.
+ * In-memory cache with TTL, bounded size, and stale-if-error support.
+ *
+ * Uses Map insertion order for LRU eviction: oldest entries are evicted
+ * first when maxEntries is exceeded. On get(), entries are re-inserted
+ * to refresh their position (most-recently-used).
  */
 export declare class InMemoryCache implements CacheBackend {
     private readonly cache;
+    private readonly maxEntries;
+    constructor(options?: InMemoryCacheOptions);
     get(key: string): Promise<CacheEntry | null>;
+    /**
+     * Get entry even if expired (for stale-if-error fallback).
+     * Returns null only if key was never cached.
+     */
+    getStale(key: string): Promise<CacheEntry | null>;
     set(key: string, value: CacheEntry): Promise<void>;
     delete(key: string): Promise<void>;
     /**
@@ -18,6 +33,10 @@ export declare class InMemoryCache implements CacheBackend {
      * Get current cache size.
      */
     get size(): number;
+    /**
+     * Evict oldest entries (by Map insertion order) when over capacity.
+     */
+    private evictIfNeeded;
 }
 /**
  * Build cache key for a specific key ID.

package/dist/cache.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"cache.d.ts","sourceRoot":"","sources":["../src/cache.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;~~AAE3D;;GAEG~~;AACH,qBAAa,aAAc,YAAW,YAAY;IAChD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAiC;~~IAEjD~~,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;~~IAiB5C~~,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;~~IAIlD~~,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIxC;;OAEG;IACH,KAAK,IAAI,IAAI;IAIb;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;~~CACF~~;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAEvE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAWlF"}
1	+ {"version":3,"file":"cache.d.ts","sourceRoot":"","sources":["../src/cache.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAI3D,MAAM,WAAW,oBAAoB;IACnC,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;GAMG;AACH,qBAAa,aAAc,YAAW,YAAY;IAChD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAiC;IACvD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,OAAO,CAAC,EAAE,oBAAoB;IAIpC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAoBlD;;;OAGG;IACG,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAIjD,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IASlD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIxC;;OAEG;IACH,KAAK,IAAI,IAAI;IAIb;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;OAEG;IACH,OAAO,CAAC,aAAa;CAUtB;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAEvE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAWlF"}

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,458 @@
+'use strict';
+// src/cache.ts
+var DEFAULT_MAX_ENTRIES = 1e3;
+var InMemoryCache = class {
+  cache = /* @__PURE__ */ new Map();
+  maxEntries;
+  constructor(options) {
+    this.maxEntries = options?.maxEntries ?? DEFAULT_MAX_ENTRIES;
+  }
+  async get(key) {
+    const entry = this.cache.get(key);
+    if (!entry) {
+      return null;
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    if (now >= entry.expiresAt) {
+      return null;
+    }
+    this.cache.delete(key);
+    this.cache.set(key, entry);
+    return entry;
+  }
+  /**
+   * Get entry even if expired (for stale-if-error fallback).
+   * Returns null only if key was never cached.
+   */
+  async getStale(key) {
+    return this.cache.get(key) ?? null;
+  }
+  async set(key, value) {
+    if (this.cache.has(key)) {
+      this.cache.delete(key);
+    }
+    this.cache.set(key, value);
+    this.evictIfNeeded();
+  }
+  async delete(key) {
+    this.cache.delete(key);
+  }
+  /**
+   * Clear all entries.
+   */
+  clear() {
+    this.cache.clear();
+  }
+  /**
+   * Get current cache size.
+   */
+  get size() {
+    return this.cache.size;
+  }
+  /**
+   * Evict oldest entries (by Map insertion order) when over capacity.
+   */
+  evictIfNeeded() {
+    while (this.cache.size > this.maxEntries) {
+      const oldestKey = this.cache.keys().next().value;
+      if (oldestKey !== void 0) {
+        this.cache.delete(oldestKey);
+      } else {
+        break;
+      }
+    }
+  }
+};
+function buildCacheKey(issuerOrigin, kid) {
+  return `${issuerOrigin}:${kid}`;
+}
+function buildJwksCacheKey(issuerOrigin) {
+  return `${issuerOrigin}:__jwks__`;
+}
+function parseCacheControlMaxAge(cacheControl) {
+  if (!cacheControl) {
+    return null;
+  }
+  const match = cacheControl.match(/max-age=(\d+)/);
+  if (!match) {
+    return null;
+  }
+  return parseInt(match[1], 10);
+}
+// src/errors.ts
+var ErrorCodes = {
+  /** Network error fetching JWKS */
+  JWKS_FETCH_FAILED: "E_JWKS_FETCH_FAILED",
+  /** Fetch timeout */
+  JWKS_TIMEOUT: "E_JWKS_TIMEOUT",
+  /** Invalid JSON or structure */
+  JWKS_INVALID: "E_JWKS_INVALID",
+  /** Response > 1MB */
+  JWKS_TOO_LARGE: "E_JWKS_TOO_LARGE",
+  /** keys.length > 100 */
+  JWKS_TOO_MANY_KEYS: "E_JWKS_TOO_MANY_KEYS",
+  /** Private IP or metadata URL blocked */
+  SSRF_BLOCKED: "E_SSRF_BLOCKED",
+  /** Requested kid not in JWKS */
+  KEY_NOT_FOUND: "E_KEY_NOT_FOUND",
+  /** All discovery paths failed */
+  ALL_PATHS_FAILED: "E_ALL_PATHS_FAILED"
+};
+var ErrorHttpStatus = {
+  [ErrorCodes.JWKS_FETCH_FAILED]: 502,
+  [ErrorCodes.JWKS_TIMEOUT]: 504,
+  [ErrorCodes.JWKS_INVALID]: 502,
+  [ErrorCodes.JWKS_TOO_LARGE]: 502,
+  [ErrorCodes.JWKS_TOO_MANY_KEYS]: 502,
+  [ErrorCodes.SSRF_BLOCKED]: 403,
+  [ErrorCodes.KEY_NOT_FOUND]: 401,
+  [ErrorCodes.ALL_PATHS_FAILED]: 502
+};
+var JwksError = class extends Error {
+  code;
+  httpStatus;
+  constructor(code, message) {
+    super(message);
+    this.name = "JwksError";
+    this.code = code;
+    this.httpStatus = ErrorHttpStatus[code];
+  }
+};
+// src/security.ts
+function validateUrl(url, options = {}) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new JwksError(ErrorCodes.SSRF_BLOCKED, `Invalid URL: ${url}`);
+  }
+  if (parsed.protocol !== "https:") {
+    if (parsed.protocol === "http:" && options.allowLocalhost && isLocalhostHost(parsed.hostname)) ; else {
+      throw new JwksError(ErrorCodes.SSRF_BLOCKED, `HTTPS required, got ${parsed.protocol}`);
+    }
+  }
+  if (isLocalhostHost(parsed.hostname) && !options.allowLocalhost) {
+    throw new JwksError(ErrorCodes.SSRF_BLOCKED, `Localhost blocked: ${parsed.hostname}`);
+  }
+  if (isLiteralIp(parsed.hostname)) {
+    throw new JwksError(
+      ErrorCodes.SSRF_BLOCKED,
+      `Literal IP addresses blocked: ${parsed.hostname}`
+    );
+  }
+  if (options.isAllowedHost && !options.isAllowedHost(parsed.hostname)) {
+    throw new JwksError(ErrorCodes.SSRF_BLOCKED, `Host not in allowlist: ${parsed.hostname}`);
+  }
+}
+function isLocalhostHost(hostname) {
+  const lower = hostname.toLowerCase();
+  return lower === "localhost" || lower === "127.0.0.1" || lower === "::1" || lower === "[::1]" || lower.endsWith(".localhost");
+}
+function isLiteralIp(hostname) {
+  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(hostname)) {
+    return true;
+  }
+  if (hostname.startsWith("[") && hostname.endsWith("]")) {
+    return true;
+  }
+  if (hostname.includes(":")) {
+    return true;
+  }
+  return false;
+}
+function isMetadataIp(hostname) {
+  if (hostname === "169.254.169.254") {
+    return true;
+  }
+  if (hostname.startsWith("169.254.")) {
+    return true;
+  }
+  return false;
+}
+// src/resolver.ts
+var DEFAULT_TTL_SECONDS = 3600;
+var MAX_TTL_SECONDS = 86400;
+var MIN_TTL_SECONDS = 60;
+var DEFAULT_TIMEOUT_MS = 5e3;
+var DEFAULT_MAX_RESPONSE_BYTES = 1024 * 1024;
+var DEFAULT_MAX_KEYS = 100;
+var DEFAULT_MAX_STALE_AGE_SECONDS = 172800;
+function createResolver(options = {}) {
+  const cache = options.cache ?? new InMemoryCache();
+  const {
+    defaultTtlSeconds = DEFAULT_TTL_SECONDS,
+    maxTtlSeconds = MAX_TTL_SECONDS,
+    minTtlSeconds = MIN_TTL_SECONDS,
+    timeoutMs = DEFAULT_TIMEOUT_MS,
+    maxResponseBytes = DEFAULT_MAX_RESPONSE_BYTES,
+    maxKeys = DEFAULT_MAX_KEYS,
+    isAllowedHost,
+    allowLocalhost = false,
+    allowStale = false,
+    maxStaleAgeSeconds = DEFAULT_MAX_STALE_AGE_SECONDS
+  } = options;
+  const inflight = /* @__PURE__ */ new Map();
+  return async (issuer, keyid) => {
+    const flightKey = `${issuer}:${keyid}`;
+    const existing = inflight.get(flightKey);
+    if (existing) {
+      const resolvedKey2 = await existing;
+      return resolvedKey2 ? createJwkVerifier(resolvedKey2.jwk) : null;
+    }
+    const promise = resolveKey(issuer, keyid, {
+      cache,
+      defaultTtlSeconds,
+      maxTtlSeconds,
+      minTtlSeconds,
+      timeoutMs,
+      maxResponseBytes,
+      maxKeys,
+      isAllowedHost,
+      allowLocalhost,
+      allowStale,
+      maxStaleAgeSeconds
+    }).finally(() => {
+      inflight.delete(flightKey);
+    });
+    inflight.set(flightKey, promise);
+    const resolvedKey = await promise;
+    if (!resolvedKey) {
+      return null;
+    }
+    return createJwkVerifier(resolvedKey.jwk);
+  };
+}
+async function resolveKey(issuer, keyid, options) {
+  const { cache, isAllowedHost, allowLocalhost, allowStale, maxStaleAgeSeconds } = options;
+  const issuerOrigin = new URL(issuer).origin;
+  const cacheKey = buildCacheKey(issuerOrigin, keyid);
+  const cached = await cache.get(cacheKey);
+  if (cached) {
+    return {
+      jwk: cached.jwk,
+      source: "/.well-known/jwks",
+      cached: true
+    };
+  }
+  const paths = [
+    {
+      url: `${issuerOrigin}/.well-known/jwks`,
+      source: "/.well-known/jwks",
+      isSingleKey: false
+    },
+    {
+      url: `${issuerOrigin}/keys?keyID=${encodeURIComponent(keyid)}`,
+      source: "/keys",
+      isSingleKey: true
+    },
+    {
+      url: `${issuerOrigin}/.well-known/jwks.json`,
+      source: "/.well-known/jwks.json",
+      isSingleKey: false
+    }
+  ];
+  const errors = [];
+  for (const path of paths) {
+    try {
+      validateUrl(path.url, { isAllowedHost, allowLocalhost });
+      const result = await fetchWithTimeout(path.url, options.timeoutMs);
+      const contentLength = result.headers.get("content-length");
+      if (contentLength && parseInt(contentLength, 10) > options.maxResponseBytes) {
+        throw new JwksError(
+          ErrorCodes.JWKS_TOO_LARGE,
+          `Response too large: ${contentLength} bytes`
+        );
+      }
+      const text = await result.text();
+      if (text.length > options.maxResponseBytes) {
+        throw new JwksError(ErrorCodes.JWKS_TOO_LARGE, `Response too large: ${text.length} bytes`);
+      }
+      let data;
+      try {
+        data = JSON.parse(text);
+      } catch {
+        throw new JwksError(ErrorCodes.JWKS_INVALID, "Invalid JSON response");
+      }
+      let jwk = null;
+      if (path.isSingleKey) {
+        jwk = validateJwk(data);
+      } else {
+        const jwks = validateJwks(data, options.maxKeys);
+        jwk = findKey(jwks, keyid);
+      }
+      if (!jwk) {
+        continue;
+      }
+      const cacheControlMaxAge = parseCacheControlMaxAge(result.headers.get("cache-control"));
+      const ttl = calculateTtl(
+        cacheControlMaxAge,
+        options.defaultTtlSeconds,
+        options.minTtlSeconds,
+        options.maxTtlSeconds
+      );
+      const now = Math.floor(Date.now() / 1e3);
+      await cache.set(cacheKey, {
+        jwk,
+        expiresAt: now + ttl,
+        etag: result.headers.get("etag") ?? void 0
+      });
+      return {
+        jwk,
+        source: path.source,
+        cached: false
+      };
+    } catch (error) {
+      errors.push(error);
+    }
+  }
+  if (errors.length > 0) {
+    const allTransient = errors.every(
+      (e) => e instanceof JwksError && (e.code === ErrorCodes.JWKS_FETCH_FAILED || e.code === ErrorCodes.JWKS_TIMEOUT)
+    );
+    if (allowStale && allTransient && "getStale" in cache && typeof cache.getStale === "function") {
+      const staleEntry = await cache.getStale(cacheKey);
+      if (staleEntry) {
+        const now = Math.floor(Date.now() / 1e3);
+        const staleAge = now - staleEntry.expiresAt;
+        if (staleAge >= 0 && staleAge <= maxStaleAgeSeconds) {
+          return {
+            jwk: staleEntry.jwk,
+            source: "/.well-known/jwks",
+            cached: true,
+            stale: true,
+            staleAgeSeconds: staleAge,
+            keyExpiredAt: staleEntry.expiresAt
+          };
+        }
+      }
+    }
+    const lastError = errors[errors.length - 1];
+    if (lastError instanceof JwksError) {
+      throw lastError;
+    }
+    throw new JwksError(
+      ErrorCodes.ALL_PATHS_FAILED,
+      `All discovery paths failed for ${issuerOrigin}`
+    );
+  }
+  return null;
+}
+async function fetchWithTimeout(url, timeoutMs) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(url, {
+      signal: controller.signal,
+      redirect: "error",
+      // No redirect following (fail-closed)
+      headers: {
+        Accept: "application/json"
+      }
+    });
+    if (!response.ok) {
+      throw new JwksError(
+        ErrorCodes.JWKS_FETCH_FAILED,
+        `HTTP ${response.status}: ${response.statusText}`
+      );
+    }
+    return response;
+  } catch (error) {
+    if (error.name === "AbortError") {
+      throw new JwksError(ErrorCodes.JWKS_TIMEOUT, `Fetch timeout after ${timeoutMs}ms`);
+    }
+    if (error instanceof JwksError) {
+      throw error;
+    }
+    throw new JwksError(ErrorCodes.JWKS_FETCH_FAILED, `Fetch failed: ${error.message}`);
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+function validateJwk(data) {
+  if (!data || typeof data !== "object") {
+    return null;
+  }
+  const jwk = data;
+  if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519" || typeof jwk.x !== "string") {
+    return null;
+  }
+  return {
+    kty: jwk.kty,
+    crv: jwk.crv,
+    x: jwk.x,
+    kid: typeof jwk.kid === "string" ? jwk.kid : void 0,
+    use: typeof jwk.use === "string" ? jwk.use : void 0,
+    alg: typeof jwk.alg === "string" ? jwk.alg : void 0
+  };
+}
+function validateJwks(data, maxKeys) {
+  if (!data || typeof data !== "object") {
+    throw new JwksError(ErrorCodes.JWKS_INVALID, "Invalid JWKS structure");
+  }
+  const jwks = data;
+  if (!Array.isArray(jwks.keys)) {
+    throw new JwksError(ErrorCodes.JWKS_INVALID, "JWKS must have keys array");
+  }
+  if (jwks.keys.length > maxKeys) {
+    throw new JwksError(
+      ErrorCodes.JWKS_TOO_MANY_KEYS,
+      `Too many keys: ${jwks.keys.length} > ${maxKeys}`
+    );
+  }
+  return { keys: jwks.keys };
+}
+function findKey(jwks, keyid) {
+  for (const key of jwks.keys) {
+    if (key.kid === keyid) {
+      return validateJwk(key);
+    }
+  }
+  return null;
+}
+function calculateTtl(cacheControlMaxAge, defaultTtl, minTtl, maxTtl) {
+  let ttl = cacheControlMaxAge ?? defaultTtl;
+  ttl = Math.max(minTtl, ttl);
+  ttl = Math.min(maxTtl, ttl);
+  return ttl;
+}
+async function importJwkAsEd25519(jwk) {
+  return globalThis.crypto.subtle.importKey(
+    "jwk",
+    {
+      kty: jwk.kty,
+      crv: jwk.crv,
+      x: jwk.x
+    },
+    { name: "Ed25519" },
+    false,
+    ["verify"]
+  );
+}
+async function createJwkVerifier(jwk) {
+  const key = await importJwkAsEd25519(jwk);
+  return async (data, signature) => {
+    const sigBuffer = new Uint8Array(signature).buffer;
+    const dataBuffer = new Uint8Array(data).buffer;
+    return globalThis.crypto.subtle.verify("Ed25519", key, sigBuffer, dataBuffer);
+  };
+}
+exports.ErrorCodes = ErrorCodes;
+exports.ErrorHttpStatus = ErrorHttpStatus;
+exports.InMemoryCache = InMemoryCache;
+exports.JwksError = JwksError;
+exports.buildCacheKey = buildCacheKey;
+exports.buildJwksCacheKey = buildJwksCacheKey;
+exports.createJwkVerifier = createJwkVerifier;
+exports.createResolver = createResolver;
+exports.importJwkAsEd25519 = importJwkAsEd25519;
+exports.isMetadataIp = isMetadataIp;
+exports.parseCacheControlMaxAge = parseCacheControlMaxAge;
+exports.resolveKey = resolveKey;
+exports.validateUrl = validateUrl;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/cache.ts","../src/errors.ts","../src/security.ts","../src/resolver.ts"],"names":["resolvedKey"],"mappings":";;;AAMA,IAAM,mBAAA,GAAsB,GAAA;AAcrB,IAAM,gBAAN,MAA4C;AAAA,EAChC,KAAA,uBAAY,GAAA,EAAwB;AAAA,EACpC,UAAA;AAAA,EAEjB,YAAY,OAAA,EAAgC;AAC1C,IAAA,IAAA,CAAK,UAAA,GAAa,SAAS,UAAA,IAAc,mBAAA;AAAA,EAC3C;AAAA,EAEA,MAAM,IAAI,GAAA,EAAyC;AACjD,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAEhC,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,IAAI,GAAA,IAAO,MAAM,SAAA,EAAW;AAC1B,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AACrB,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAEzB,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,SAAS,GAAA,EAAyC;AACtD,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA,IAAK,IAAA;AAAA,EAChC;AAAA,EAEA,MAAM,GAAA,CAAI,GAAA,EAAa,KAAA,EAAkC;AAEvD,IAAA,IAAI,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA,EAAG;AACvB,MAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,IACvB;AACA,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AACzB,IAAA,IAAA,CAAK,aAAA,EAAc;AAAA,EACrB;AAAA,EAEA,MAAM,OAAO,GAAA,EAA4B;AACvC,IAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,KAAA,GAAc;AACZ,IAAA,IAAA,CAAK,MAAM,KAAA,EAAM;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,IAAA,GAAe;AACjB,IAAA,OAAO,KAAK,KAAA,CAAM,IAAA;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAA,GAAsB;AAC5B,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,IAAA,GAAO,IAAA,CAAK,UAAA,EAAY;AACxC,MAAA,MAAM,YAAY,IAAA,CAAK,KAAA,CAAM,IAAA,EAAK,CAAE,MAAK,CAAE,KAAA;AAC3C,MAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,QAAA,IAAA,CAAK,KAAA,CAAM,OAAO,SAAS,CAAA;AAAA,MAC7B,CAAA,MAAO;AACL,QAAA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,aAAA,CAAc,cAAsB,GAAA,EAAqB;AACvE,EAAA,OAAO,CAAA,EAAG,YAAY,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA;AAC/B;AAKO,SAAS,kBAAkB,YAAA,EAA8B;AAC9D,EAAA,OAAO,GAAG,YAAY,CAAA,SAAA,CAAA;AACxB;AAQO,SAAS,wBAAwB,YAAA,EAA4C;AAClF,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,KAAA,CAAM,eAAe,CAAA;AAChD,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO,QAAA,CAAS,KAAA,CAAM,CAAC,CAAA,EAAG,EAAE,CAAA;AAC9B;;;AC7HO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,qBAAA;AAAA;AAAA,EAEnB,YAAA,EAAc,gBAAA;AAAA;AAAA,EAEd,YAAA,EAAc,gBAAA;AAAA;AAAA,EAEd,cAAA,EAAgB,kBAAA;AAAA;AAAA,EAEhB,kBAAA,EAAoB,sBAAA;AAAA;AAAA,EAEpB,YAAA,EAAc,gBAAA;AAAA;AAAA,EAEd,aAAA,EAAe,iBAAA;AAAA;AAAA,EAEf,gBAAA,EAAkB;AACpB;AAOO,IAAM,eAAA,GAA6C;AAAA,EACxD,CAAC,UAAA,CAAW,iBAAiB,GAAG,GAAA;AAAA,EAChC,CAAC,UAAA,CAAW,YAAY,GAAG,GAAA;AAAA,EAC3B,CAAC,UAAA,CAAW,YAAY,GAAG,GAAA;AAAA,EAC3B,CAAC,UAAA,CAAW,cAAc,GAAG,GAAA;AAAA,EAC7B,CAAC,UAAA,CAAW,kBAAkB,GAAG,GAAA;AAAA,EACjC,CAAC,UAAA,CAAW,YAAY,GAAG,GAAA;AAAA,EAC3B,CAAC,UAAA,CAAW,aAAa,GAAG,GAAA;AAAA,EAC5B,CAAC,UAAA,CAAW,gBAAgB,GAAG;AACjC;AAKO,IAAM,SAAA,GAAN,cAAwB,KAAA,CAAM;AAAA,EAC1B,IAAA;AAAA,EACA,UAAA;AAAA,EAET,WAAA,CAAY,MAAiB,OAAA,EAAiB;AAC5C,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,WAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,gBAAgB,IAAI,CAAA;AAAA,EACxC;AACF;;;ACpCO,SAAS,WAAA,CACd,GAAA,EACA,OAAA,GAGI,EAAC,EACC;AACN,EAAA,IAAI,MAAA;AAEJ,EAAA,IAAI;AACF,IAAA,MAAA,GAAS,IAAI,IAAI,GAAG,CAAA;AAAA,EACtB,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,SAAA,CAAU,UAAA,CAAW,YAAA,EAAc,CAAA,aAAA,EAAgB,GAAG,CAAA,CAAE,CAAA;AAAA,EACpE;AAGA,EAAA,IAAI,MAAA,CAAO,aAAa,QAAA,EAAU;AAChC,IAAA,IAAI,MAAA,CAAO,aAAa,OAAA,IAAW,OAAA,CAAQ,kBAAkB,eAAA,CAAgB,MAAA,CAAO,QAAQ,CAAA,EAAG,CAE/F,MAAO;AACL,MAAA,MAAM,IAAI,SAAA,CAAU,UAAA,CAAW,cAAc,CAAA,oBAAA,EAAuB,MAAA,CAAO,QAAQ,CAAA,CAAE,CAAA;AAAA,IACvF;AAAA,EACF;AAGA,EAAA,IAAI,gBAAgB,MAAA,CAAO,QAAQ,CAAA,IAAK,CAAC,QAAQ,cAAA,EAAgB;AAC/D,IAAA,MAAM,IAAI,SAAA,CAAU,UAAA,CAAW,cAAc,CAAA,mBAAA,EAAsB,MAAA,CAAO,QAAQ,CAAA,CAAE,CAAA;AAAA,EACtF;AAGA,EAAA,IAAI,WAAA,CAAY,MAAA,CAAO,QAAQ,CAAA,EAAG;AAChC,IAAA,MAAM,IAAI,SAAA;AAAA,MACR,UAAA,CAAW,YAAA;AAAA,MACX,CAAA,8BAAA,EAAiC,OAAO,QAAQ,CAAA;AAAA,KAClD;AAAA,EACF;AAGA,EAAA,IAAI,QAAQ,aAAA,IAAiB,CAAC,QAAQ,aAAA,CAAc,MAAA,CAAO,QAAQ,CAAA,EAAG;AACpE,IAAA,MAAM,IAAI,SAAA,CAAU,UAAA,CAAW,cAAc,CAAA,uBAAA,EAA0B,MAAA,CAAO,QAAQ,CAAA,CAAE,CAAA;AAAA,EAC1F;AACF;AAKA,SAAS,gBAAgB,QAAA,EAA2B;AAClD,EAAA,MAAM,KAAA,GAAQ,SAAS,WAAA,EAAY;AACnC,EAAA,OACE,KAAA,KAAU,WAAA,IACV,KAAA,KAAU,WAAA,IACV,KAAA,KAAU,SACV,KAAA,KAAU,OAAA,IACV,KAAA,CAAM,QAAA,CAAS,YAAY,CAAA;AAE/B;AAKA,SAAS,YAAY,QAAA,EAA2B;AAE9C,EAAA,IAAI,yBAAA,CAA0B,IAAA,CAAK,QAAQ,CAAA,EAAG;AAC5C,IAAA,OAAO,IAAA;AAAA,EACT;AAGA,EAAA,IAAI,SAAS,UAAA,CAAW,GAAG,KAAK,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,EAAG;AACtD,IAAA,OAAO,IAAA;AAAA,EACT;AAGA,EAAA,IAAI,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,EAAG;AAC1B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO,KAAA;AACT;AAKO,SAAS,aAAa,QAAA,EAA2B;AAEtD,EAAA,IAAI,aAAa,iBAAA,EAAmB;AAClC,IAAA,OAAO,IAAA;AAAA,EACT;AAGA,EAAA,IAAI,QAAA,CAAS,UAAA,CAAW,UAAU,CAAA,EAAG;AACnC,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO,KAAA;AACT;;;AC7FA,IAAM,mBAAA,GAAsB,IAAA;AAC5B,IAAM,eAAA,GAAkB,KAAA;AACxB,IAAM,eAAA,GAAkB,EAAA;AACxB,IAAM,kBAAA,GAAqB,GAAA;AAC3B,IAAM,6BAA6B,IAAA,GAAO,IAAA;AAC1C,IAAM,gBAAA,GAAmB,GAAA;AACzB,IAAM,6BAAA,GAAgC,MAAA;AAW/B,SAAS,cAAA,CAAe,OAAA,GAA2B,EAAC,EAAoB;AAC7E,EAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,KAAA,IAAS,IAAI,aAAA,EAAc;AACjD,EAAA,MAAM;AAAA,IACJ,iBAAA,GAAoB,mBAAA;AAAA,IACpB,aAAA,GAAgB,eAAA;AAAA,IAChB,aAAA,GAAgB,eAAA;AAAA,IAChB,SAAA,GAAY,kBAAA;AAAA,IACZ,gBAAA,GAAmB,0BAAA;AAAA,IACnB,OAAA,GAAU,gBAAA;AAAA,IACV,aAAA;AAAA,IACA,cAAA,GAAiB,KAAA;AAAA,IACjB,UAAA,GAAa,KAAA;AAAA,IACb,kBAAA,GAAqB;AAAA,GACvB,GAAI,OAAA;AAGJ,EAAA,MAAM,QAAA,uBAAe,GAAA,EAAyC;AAE9D,EAAA,OAAO,OAAO,QAAgB,KAAA,KAAqD;AACjF,IAAA,MAAM,SAAA,GAAY,CAAA,EAAG,MAAM,CAAA,CAAA,EAAI,KAAK,CAAA,CAAA;AACpC,IAAA,MAAM,QAAA,GAAW,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AACvC,IAAA,IAAI,QAAA,EAAU;AACZ,MAAA,MAAMA,eAAc,MAAM,QAAA;AAC1B,MAAA,OAAOA,YAAAA,GAAc,iBAAA,CAAkBA,YAAAA,CAAY,GAAG,CAAA,GAAI,IAAA;AAAA,IAC5D;AAEA,IAAA,MAAM,OAAA,GAAU,UAAA,CAAW,MAAA,EAAQ,KAAA,EAAO;AAAA,MACxC,KAAA;AAAA,MACA,iBAAA;AAAA,MACA,aAAA;AAAA,MACA,aAAA;AAAA,MACA,SAAA;AAAA,MACA,gBAAA;AAAA,MACA,OAAA;AAAA,MACA,aAAA;AAAA,MACA,cAAA;AAAA,MACA,UAAA;AAAA,MACA;AAAA,KACD,CAAA,CAAE,OAAA,CAAQ,MAAM;AACf,MAAA,QAAA,CAAS,OAAO,SAAS,CAAA;AAAA,IAC3B,CAAC,CAAA;AAED,IAAA,QAAA,CAAS,GAAA,CAAI,WAAW,OAAO,CAAA;AAE/B,IAAA,MAAM,cAAc,MAAM,OAAA;AAC1B,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,iBAAA,CAAkB,YAAY,GAAG,CAAA;AAAA,EAC1C,CAAA;AACF;AAUA,eAAsB,UAAA,CACpB,MAAA,EACA,KAAA,EACA,OAAA,EAgB6B;AAC7B,EAAA,MAAM,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,UAAA,EAAY,oBAAmB,GAAI,OAAA;AAGjF,EAAA,MAAM,YAAA,GAAe,IAAI,GAAA,CAAI,MAAM,CAAA,CAAE,MAAA;AACrC,EAAA,MAAM,QAAA,GAAW,aAAA,CAAc,YAAA,EAAc,KAAK,CAAA;AAGlD,EAAA,MAAM,MAAA,GAAS,MAAM,KAAA,CAAM,GAAA,CAAI,QAAQ,CAAA;AACvC,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,OAAO;AAAA,MACL,KAAK,MAAA,CAAO,GAAA;AAAA,MACZ,MAAA,EAAQ,mBAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACV;AAAA,EACF;AAGA,EAAA,MAAM,KAAA,GAID;AAAA,IACH;AAAA,MACE,GAAA,EAAK,GAAG,YAAY,CAAA,iBAAA,CAAA;AAAA,MACpB,MAAA,EAAQ,mBAAA;AAAA,MACR,WAAA,EAAa;AAAA,KACf;AAAA,IACA;AAAA,MACE,KAAK,CAAA,EAAG,YAAY,CAAA,YAAA,EAAe,kBAAA,CAAmB,KAAK,CAAC,CAAA,CAAA;AAAA,MAC5D,MAAA,EAAQ,OAAA;AAAA,MACR,WAAA,EAAa;AAAA,KACf;AAAA,IACA;AAAA,MACE,GAAA,EAAK,GAAG,YAAY,CAAA,sBAAA,CAAA;AAAA,MACpB,MAAA,EAAQ,wBAAA;AAAA,MACR,WAAA,EAAa;AAAA;AACf,GACF;AAEA,EAAA,MAAM,SAAkB,EAAC;AAEzB,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,IAAI;AAEF,MAAA,WAAA,CAAY,IAAA,CAAK,GAAA,EAAK,EAAE,aAAA,EAAe,gBAAgB,CAAA;AAEvD,MAAA,MAAM,SAAS,MAAM,gBAAA,CAAiB,IAAA,CAAK,GAAA,EAAK,QAAQ,SAAS,CAAA;AAGjE,MAAA,MAAM,aAAA,GAAgB,MAAA,CAAO,OAAA,CAAQ,GAAA,CAAI,gBAAgB,CAAA;AACzD,MAAA,IAAI,iBAAiB,QAAA,CAAS,aAAA,EAAe,EAAE,CAAA,GAAI,QAAQ,gBAAA,EAAkB;AAC3E,QAAA,MAAM,IAAI,SAAA;AAAA,UACR,UAAA,CAAW,cAAA;AAAA,UACX,uBAAuB,aAAa,CAAA,MAAA;AAAA,SACtC;AAAA,MACF;AAGA,MAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,IAAA,EAAK;AAC/B,MAAA,IAAI,IAAA,CAAK,MAAA,GAAS,OAAA,CAAQ,gBAAA,EAAkB;AAC1C,QAAA,MAAM,IAAI,SAAA,CAAU,UAAA,CAAW,gBAAgB,CAAA,oBAAA,EAAuB,IAAA,CAAK,MAAM,CAAA,MAAA,CAAQ,CAAA;AAAA,MAC3F;AAEA,MAAA,IAAI,IAAA;AACJ,MAAA,IAAI;AACF,QAAA,IAAA,GAAO,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,MACxB,CAAA,CAAA,MAAQ;AACN,QAAA,MAAM,IAAI,SAAA,CAAU,UAAA,CAAW,YAAA,EAAc,uBAAuB,CAAA;AAAA,MACtE;AAGA,MAAA,IAAI,GAAA,GAAkB,IAAA;AAEtB,MAAA,IAAI,KAAK,WAAA,EAAa;AAEpB,QAAA,GAAA,GAAM,YAAY,IAAI,CAAA;AAAA,MACxB,CAAA,MAAO;AAEL,QAAA,MAAM,IAAA,GAAO,YAAA,CAAa,IAAA,EAAM,OAAA,CAAQ,OAAO,CAAA;AAC/C,QAAA,GAAA,GAAM,OAAA,CAAQ,MAAM,KAAK,CAAA;AAAA,MAC3B;AAEA,MAAA,IAAI,CAAC,GAAA,EAAK;AACR,QAAA;AAAA,MACF;AAGA,MAAA,MAAM,qBAAqB,uBAAA,CAAwB,MAAA,CAAO,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAC,CAAA;AACtF,MAAA,MAAM,GAAA,GAAM,YAAA;AAAA,QACV,kBAAA;AAAA,QACA,OAAA,CAAQ,iBAAA;AAAA,QACR,OAAA,CAAQ,aAAA;AAAA,QACR,OAAA,CAAQ;AAAA,OACV;AAGA,MAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,MAAA,MAAM,KAAA,CAAM,IAAI,QAAA,EAAU;AAAA,QACxB,GAAA;AAAA,QACA,WAAW,GAAA,GAAM,GAAA;AAAA,QACjB,IAAA,EAAM,MAAA,CAAO,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAA,IAAK,KAAA;AAAA,OACrC,CAAA;AAED,MAAA,OAAO;AAAA,QACL,GAAA;AAAA,QACA,QAAQ,IAAA,CAAK,MAAA;AAAA,QACb,MAAA,EAAQ;AAAA,OACV;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,MAAA,CAAO,KAAK,KAAc,CAAA;AAAA,IAE5B;AAAA,EACF;AAOA,EAAA,IAAI,MAAA,CAAO,SAAS,CAAA,EAAG;AAGrB,IAAA,MAAM,eAAe,MAAA,CAAO,KAAA;AAAA,MAC1B,CAAC,CAAA,KACC,CAAA,YAAa,SAAA,KACZ,CAAA,CAAE,SAAS,UAAA,CAAW,iBAAA,IAAqB,CAAA,CAAE,IAAA,KAAS,UAAA,CAAW,YAAA;AAAA,KACtE;AACA,IAAA,IAAI,cAAc,YAAA,IAAgB,UAAA,IAAc,SAAS,OAAO,KAAA,CAAM,aAAa,UAAA,EAAY;AAC7F,MAAA,MAAM,UAAA,GAAa,MACjB,KAAA,CACA,QAAA,CAAS,QAAQ,CAAA;AACnB,MAAA,IAAI,UAAA,EAAY;AACd,QAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,QAAA,MAAM,QAAA,GAAW,MAAM,UAAA,CAAW,SAAA;AAClC,QAAA,IAAI,QAAA,IAAY,CAAA,IAAK,QAAA,IAAY,kBAAA,EAAoB;AACnD,UAAA,OAAO;AAAA,YACL,KAAK,UAAA,CAAW,GAAA;AAAA,YAChB,MAAA,EAAQ,mBAAA;AAAA,YACR,MAAA,EAAQ,IAAA;AAAA,YACR,KAAA,EAAO,IAAA;AAAA,YACP,eAAA,EAAiB,QAAA;AAAA,YACjB,cAAc,UAAA,CAAW;AAAA,WAC3B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,SAAA,GAAY,MAAA,CAAO,MAAA,CAAO,MAAA,GAAS,CAAC,CAAA;AAC1C,IAAA,IAAI,qBAAqB,SAAA,EAAW;AAClC,MAAA,MAAM,SAAA;AAAA,IACR;AACA,IAAA,MAAM,IAAI,SAAA;AAAA,MACR,UAAA,CAAW,gBAAA;AAAA,MACX,kCAAkC,YAAY,CAAA;AAAA,KAChD;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;AAKA,eAAe,gBAAA,CAAiB,KAAa,SAAA,EAAsC;AACjF,EAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,EAAA,MAAM,UAAU,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,SAAS,CAAA;AAE9D,EAAA,IAAI;AACF,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,MAChC,QAAQ,UAAA,CAAW,MAAA;AAAA,MACnB,QAAA,EAAU,OAAA;AAAA;AAAA,MACV,OAAA,EAAS;AAAA,QACP,MAAA,EAAQ;AAAA;AACV,KACD,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,IAAI,SAAA;AAAA,QACR,UAAA,CAAW,iBAAA;AAAA,QACX,CAAA,KAAA,EAAQ,QAAA,CAAS,MAAM,CAAA,EAAA,EAAK,SAAS,UAAU,CAAA;AAAA,OACjD;AAAA,IACF;AAEA,IAAA,OAAO,QAAA;AAAA,EACT,SAAS,KAAA,EAAO;AACd,IAAA,IAAK,KAAA,CAAgB,SAAS,YAAA,EAAc;AAC1C,MAAA,MAAM,IAAI,SAAA,CAAU,UAAA,CAAW,YAAA,EAAc,CAAA,oBAAA,EAAuB,SAAS,CAAA,EAAA,CAAI,CAAA;AAAA,IACnF;AACA,IAAA,IAAI,iBAAiB,SAAA,EAAW;AAC9B,MAAA,MAAM,KAAA;AAAA,IACR;AACA,IAAA,MAAM,IAAI,SAAA,CAAU,UAAA,CAAW,mBAAmB,CAAA,cAAA,EAAkB,KAAA,CAAgB,OAAO,CAAA,CAAE,CAAA;AAAA,EAC/F,CAAA,SAAE;AACA,IAAA,YAAA,CAAa,OAAO,CAAA;AAAA,EACtB;AACF;AAKA,SAAS,YAAY,IAAA,EAA2B;AAC9C,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,EAAU;AACrC,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,GAAA,GAAM,IAAA;AAEZ,EAAA,IAAI,GAAA,CAAI,QAAQ,KAAA,IAAS,GAAA,CAAI,QAAQ,SAAA,IAAa,OAAO,GAAA,CAAI,CAAA,KAAM,QAAA,EAAU;AAC3E,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO;AAAA,IACL,KAAK,GAAA,CAAI,GAAA;AAAA,IACT,KAAK,GAAA,CAAI,GAAA;AAAA,IACT,GAAG,GAAA,CAAI,CAAA;AAAA,IACP,KAAK,OAAO,GAAA,CAAI,GAAA,KAAQ,QAAA,GAAW,IAAI,GAAA,GAAM,MAAA;AAAA,IAC7C,KAAK,OAAO,GAAA,CAAI,GAAA,KAAQ,QAAA,GAAW,IAAI,GAAA,GAAM,MAAA;AAAA,IAC7C,KAAK,OAAO,GAAA,CAAI,GAAA,KAAQ,QAAA,GAAW,IAAI,GAAA,GAAM;AAAA,GAC/C;AACF;AAKA,SAAS,YAAA,CAAa,MAAe,OAAA,EAAuB;AAC1D,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,EAAU;AACrC,IAAA,MAAM,IAAI,SAAA,CAAU,UAAA,CAAW,YAAA,EAAc,wBAAwB,CAAA;AAAA,EACvE;AAEA,EAAA,MAAM,IAAA,GAAO,IAAA;AAEb,EAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC7B,IAAA,MAAM,IAAI,SAAA,CAAU,UAAA,CAAW,YAAA,EAAc,2BAA2B,CAAA;AAAA,EAC1E;AAEA,EAAA,IAAI,IAAA,CAAK,IAAA,CAAK,MAAA,GAAS,OAAA,EAAS;AAC9B,IAAA,MAAM,IAAI,SAAA;AAAA,MACR,UAAA,CAAW,kBAAA;AAAA,MACX,CAAA,eAAA,EAAkB,IAAA,CAAK,IAAA,CAAK,MAAM,MAAM,OAAO,CAAA;AAAA,KACjD;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,IAAA,EAAM,IAAA,CAAK,IAAA,EAAc;AACpC;AAKA,SAAS,OAAA,CAAQ,MAAY,KAAA,EAA2B;AACtD,EAAA,KAAA,MAAW,GAAA,IAAO,KAAK,IAAA,EAAM;AAC3B,IAAA,IAAI,GAAA,CAAI,QAAQ,KAAA,EAAO;AACrB,MAAA,OAAO,YAAY,GAAG,CAAA;AAAA,IACxB;AAAA,EACF;AACA,EAAA,OAAO,IAAA;AACT;AAKA,SAAS,YAAA,CACP,kBAAA,EACA,UAAA,EACA,MAAA,EACA,MAAA,EACQ;AACR,EAAA,IAAI,MAAM,kBAAA,IAAsB,UAAA;AAChC,EAAA,GAAA,GAAM,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,GAAG,CAAA;AAC1B,EAAA,GAAA,GAAM,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,GAAG,CAAA;AAC1B,EAAA,OAAO,GAAA;AACT;AAQA,eAAsB,mBAAmB,GAAA,EAA4B;AACnE,EAAA,OAAO,UAAA,CAAW,OAAO,MAAA,CAAO,SAAA;AAAA,IAC9B,KAAA;AAAA,IACA;AAAA,MACE,KAAK,GAAA,CAAI,GAAA;AAAA,MACT,KAAK,GAAA,CAAI,GAAA;AAAA,MACT,GAAG,GAAA,CAAI;AAAA,KACT;AAAA,IACA,EAAE,MAAM,SAAA,EAAU;AAAA,IAClB,KAAA;AAAA,IACA,CAAC,QAAQ;AAAA,GACX;AACF;AAUA,eAAsB,kBAAkB,GAAA,EAAsC;AAC5E,EAAA,MAAM,GAAA,GAAM,MAAM,kBAAA,CAAmB,GAAG,CAAA;AAExC,EAAA,OAAO,OAAO,MAAkB,SAAA,KAA4C;AAE1E,IAAA,MAAM,SAAA,GAAY,IAAI,UAAA,CAAW,SAAS,CAAA,CAAE,MAAA;AAC5C,IAAA,MAAM,UAAA,GAAa,IAAI,UAAA,CAAW,IAAI,CAAA,CAAE,MAAA;AAKxC,IAAA,OAAO,WAAW,MAAA,CAAO,MAAA,CAAO,OAAO,SAAA,EAAW,GAAA,EAAkB,WAAW,UAAU,CAAA;AAAA,EAC3F,CAAA;AACF","file":"index.cjs","sourcesContent":["/**\n * In-memory cache implementation.\n */\n\nimport type { CacheBackend, CacheEntry } from './types.js';\n\nconst DEFAULT_MAX_ENTRIES = 1000;\n\nexport interface InMemoryCacheOptions {\n /** Max entries before LRU eviction (default: 1000). */\n maxEntries?: number;\n}\n\n/**\n * In-memory cache with TTL, bounded size, and stale-if-error support.\n *\n * Uses Map insertion order for LRU eviction: oldest entries are evicted\n * first when maxEntries is exceeded. On get(), entries are re-inserted\n * to refresh their position (most-recently-used).\n */\nexport class InMemoryCache implements CacheBackend {\n private readonly cache = new Map<string, CacheEntry>();\n private readonly maxEntries: number;\n\n constructor(options?: InMemoryCacheOptions) {\n this.maxEntries = options?.maxEntries ?? DEFAULT_MAX_ENTRIES;\n }\n\n async get(key: string): Promise<CacheEntry | null> {\n const entry = this.cache.get(key);\n\n if (!entry) {\n return null;\n }\n\n // Check expiration -- return null but KEEP entry for stale fallback\n const now = Math.floor(Date.now() / 1000);\n if (now >= entry.expiresAt) {\n return null;\n }\n\n // Refresh position in Map for LRU ordering (move to end)\n this.cache.delete(key);\n this.cache.set(key, entry);\n\n return entry;\n }\n\n /**\n * Get entry even if expired (for stale-if-error fallback).\n * Returns null only if key was never cached.\n */\n async getStale(key: string): Promise<CacheEntry | null> {\n return this.cache.get(key) ?? null;\n }\n\n async set(key: string, value: CacheEntry): Promise<void> {\n // If key already exists, delete first to refresh insertion order\n if (this.cache.has(key)) {\n this.cache.delete(key);\n }\n this.cache.set(key, value);\n this.evictIfNeeded();\n }\n\n async delete(key: string): Promise<void> {\n this.cache.delete(key);\n }\n\n /**\n * Clear all entries.\n */\n clear(): void {\n this.cache.clear();\n }\n\n /**\n * Get current cache size.\n */\n get size(): number {\n return this.cache.size;\n }\n\n /**\n * Evict oldest entries (by Map insertion order) when over capacity.\n */\n private evictIfNeeded(): void {\n while (this.cache.size > this.maxEntries) {\n const oldestKey = this.cache.keys().next().value;\n if (oldestKey !== undefined) {\n this.cache.delete(oldestKey);\n } else {\n break;\n }\n }\n }\n}\n\n/**\n * Build cache key for a specific key ID.\n */\nexport function buildCacheKey(issuerOrigin: string, kid: string): string {\n return `${issuerOrigin}:${kid}`;\n}\n\n/**\n * Build cache key for JWKS set.\n */\nexport function buildJwksCacheKey(issuerOrigin: string): string {\n return `${issuerOrigin}:__jwks__`;\n}\n\n/**\n * Parse Cache-Control header for max-age.\n *\n * @param cacheControl - Cache-Control header value\n * @returns max-age in seconds or null if not found\n */\nexport function parseCacheControlMaxAge(cacheControl: string | null): number | null {\n if (!cacheControl) {\n return null;\n }\n\n const match = cacheControl.match(/max-age=(\\d+)/);\n if (!match) {\n return null;\n }\n\n return parseInt(match[1], 10);\n}\n","/**\n * JWKS Cache error codes per execution pack specification.\n */\n\nexport const ErrorCodes = {\n /** Network error fetching JWKS */\n JWKS_FETCH_FAILED: 'E_JWKS_FETCH_FAILED',\n /** Fetch timeout */\n JWKS_TIMEOUT: 'E_JWKS_TIMEOUT',\n /** Invalid JSON or structure */\n JWKS_INVALID: 'E_JWKS_INVALID',\n /** Response > 1MB */\n JWKS_TOO_LARGE: 'E_JWKS_TOO_LARGE',\n /** keys.length > 100 */\n JWKS_TOO_MANY_KEYS: 'E_JWKS_TOO_MANY_KEYS',\n /** Private IP or metadata URL blocked */\n SSRF_BLOCKED: 'E_SSRF_BLOCKED',\n /** Requested kid not in JWKS */\n KEY_NOT_FOUND: 'E_KEY_NOT_FOUND',\n /** All discovery paths failed */\n ALL_PATHS_FAILED: 'E_ALL_PATHS_FAILED',\n} as const;\n\nexport type ErrorCode = (typeof ErrorCodes)[keyof typeof ErrorCodes];\n\n/**\n * HTTP status codes for each error.\n */\nexport const ErrorHttpStatus: Record<ErrorCode, number> = {\n [ErrorCodes.JWKS_FETCH_FAILED]: 502,\n [ErrorCodes.JWKS_TIMEOUT]: 504,\n [ErrorCodes.JWKS_INVALID]: 502,\n [ErrorCodes.JWKS_TOO_LARGE]: 502,\n [ErrorCodes.JWKS_TOO_MANY_KEYS]: 502,\n [ErrorCodes.SSRF_BLOCKED]: 403,\n [ErrorCodes.KEY_NOT_FOUND]: 401,\n [ErrorCodes.ALL_PATHS_FAILED]: 502,\n};\n\n/**\n * JWKS error with code and HTTP status.\n */\nexport class JwksError extends Error {\n readonly code: ErrorCode;\n readonly httpStatus: number;\n\n constructor(code: ErrorCode, message: string) {\n super(message);\n this.name = 'JwksError';\n this.code = code;\n this.httpStatus = ErrorHttpStatus[code];\n }\n}\n","/**\n * SSRF protection for JWKS fetching.\n *\n * Edge runtimes cannot reliably block private IPs via DNS resolution.\n * This module implements what IS possible at the edge.\n */\n\nimport { ErrorCodes, JwksError } from './errors.js';\n\n/**\n * Validate URL for SSRF protection.\n *\n * @param url - URL to validate\n * @param options - Validation options\n * @throws JwksError if URL is blocked\n */\nexport function validateUrl(\n url: string,\n options: {\n allowLocalhost?: boolean;\n isAllowedHost?: (host: string) => boolean;\n } = {}\n): void {\n let parsed: URL;\n\n try {\n parsed = new URL(url);\n } catch {\n throw new JwksError(ErrorCodes.SSRF_BLOCKED, `Invalid URL: ${url}`);\n }\n\n // HTTPS required (except localhost in dev)\n if (parsed.protocol !== 'https:') {\n if (parsed.protocol === 'http:' && options.allowLocalhost && isLocalhostHost(parsed.hostname)) {\n // Allow http://localhost in dev mode\n } else {\n throw new JwksError(ErrorCodes.SSRF_BLOCKED, `HTTPS required, got ${parsed.protocol}`);\n }\n }\n\n // Block localhost variants (unless explicitly allowed)\n if (isLocalhostHost(parsed.hostname) && !options.allowLocalhost) {\n throw new JwksError(ErrorCodes.SSRF_BLOCKED, `Localhost blocked: ${parsed.hostname}`);\n }\n\n // Block literal IP addresses in URL\n if (isLiteralIp(parsed.hostname)) {\n throw new JwksError(\n ErrorCodes.SSRF_BLOCKED,\n `Literal IP addresses blocked: ${parsed.hostname}`\n );\n }\n\n // Check enterprise allowlist if provided\n if (options.isAllowedHost && !options.isAllowedHost(parsed.hostname)) {\n throw new JwksError(ErrorCodes.SSRF_BLOCKED, `Host not in allowlist: ${parsed.hostname}`);\n }\n}\n\n/**\n * Check if hostname is localhost variant.\n */\nfunction isLocalhostHost(hostname: string): boolean {\n const lower = hostname.toLowerCase();\n return (\n lower === 'localhost' ||\n lower === '127.0.0.1' ||\n lower === '::1' ||\n lower === '[::1]' ||\n lower.endsWith('.localhost')\n );\n}\n\n/**\n * Check if hostname is a literal IP address.\n */\nfunction isLiteralIp(hostname: string): boolean {\n // IPv4 pattern\n if (/^(\\d{1,3}\\.){3}\\d{1,3}$/.test(hostname)) {\n return true;\n }\n\n // IPv6 pattern (with or without brackets)\n if (hostname.startsWith('[') && hostname.endsWith(']')) {\n return true;\n }\n\n // Colon indicates IPv6 (no brackets)\n if (hostname.includes(':')) {\n return true;\n }\n\n return false;\n}\n\n/**\n * Check if hostname is a metadata IP.\n */\nexport function isMetadataIp(hostname: string): boolean {\n // AWS/GCP/Azure metadata service\n if (hostname === '169.254.169.254') {\n return true;\n }\n\n // Link-local range (169.254.x.x)\n if (hostname.startsWith('169.254.')) {\n return true;\n }\n\n return false;\n}\n","/**\n * JWKS resolver with multi-path discovery and caching.\n */\n\nimport type { SignatureVerifier } from '@peac/http-signatures';\nimport type {\n JWK,\n JWKS,\n CacheBackend,\n ResolverOptions,\n ResolvedKey,\n JwksKeyResolver,\n} from './types.js';\nimport { ErrorCodes, JwksError } from './errors.js';\nimport { validateUrl } from './security.js';\nimport { InMemoryCache, buildCacheKey, parseCacheControlMaxAge } from './cache.js';\n\nconst DEFAULT_TTL_SECONDS = 3600; // 1 hour\nconst MAX_TTL_SECONDS = 86400; // 24 hours\nconst MIN_TTL_SECONDS = 60;\nconst DEFAULT_TIMEOUT_MS = 5000;\nconst DEFAULT_MAX_RESPONSE_BYTES = 1024 * 1024; // 1MB\nconst DEFAULT_MAX_KEYS = 100;\nconst DEFAULT_MAX_STALE_AGE_SECONDS = 172800; // 48 hours\n\n/**\n * Create a JWKS key resolver with singleflight dedup.\n *\n * Concurrent calls for the same issuer+keyid coalesce into a single\n * network request, preventing thundering herd on cache miss.\n *\n * @param options - Resolver options\n * @returns Key resolver function\n */\nexport function createResolver(options: ResolverOptions = {}): JwksKeyResolver {\n const cache = options.cache ?? new InMemoryCache();\n const {\n defaultTtlSeconds = DEFAULT_TTL_SECONDS,\n maxTtlSeconds = MAX_TTL_SECONDS,\n minTtlSeconds = MIN_TTL_SECONDS,\n timeoutMs = DEFAULT_TIMEOUT_MS,\n maxResponseBytes = DEFAULT_MAX_RESPONSE_BYTES,\n maxKeys = DEFAULT_MAX_KEYS,\n isAllowedHost,\n allowLocalhost = false,\n allowStale = false,\n maxStaleAgeSeconds = DEFAULT_MAX_STALE_AGE_SECONDS,\n } = options;\n\n // Singleflight: dedup concurrent resolves for the same issuer+keyid\n const inflight = new Map<string, Promise<ResolvedKey | null>>();\n\n return async (issuer: string, keyid: string): Promise<SignatureVerifier | null> => {\n const flightKey = `${issuer}:${keyid}`;\n const existing = inflight.get(flightKey);\n if (existing) {\n const resolvedKey = await existing;\n return resolvedKey ? createJwkVerifier(resolvedKey.jwk) : null;\n }\n\n const promise = resolveKey(issuer, keyid, {\n cache,\n defaultTtlSeconds,\n maxTtlSeconds,\n minTtlSeconds,\n timeoutMs,\n maxResponseBytes,\n maxKeys,\n isAllowedHost,\n allowLocalhost,\n allowStale,\n maxStaleAgeSeconds,\n }).finally(() => {\n inflight.delete(flightKey);\n });\n\n inflight.set(flightKey, promise);\n\n const resolvedKey = await promise;\n if (!resolvedKey) {\n return null;\n }\n\n return createJwkVerifier(resolvedKey.jwk);\n };\n}\n\n/**\n * Resolve a key by issuer and key ID.\n *\n * Discovery order (per TAP spec):\n * 1. /.well-known/jwks\n * 2. /keys?keyID=<kid>\n * 3. /.well-known/jwks.json (fallback)\n */\nexport async function resolveKey(\n issuer: string,\n keyid: string,\n options: Required<\n Pick<\n ResolverOptions,\n | 'cache'\n | 'defaultTtlSeconds'\n | 'maxTtlSeconds'\n | 'minTtlSeconds'\n | 'timeoutMs'\n | 'maxResponseBytes'\n | 'maxKeys'\n | 'allowLocalhost'\n | 'allowStale'\n | 'maxStaleAgeSeconds'\n >\n > &\n Pick<ResolverOptions, 'isAllowedHost'>\n): Promise<ResolvedKey | null> {\n const { cache, isAllowedHost, allowLocalhost, allowStale, maxStaleAgeSeconds } = options;\n\n // Normalize issuer to origin\n const issuerOrigin = new URL(issuer).origin;\n const cacheKey = buildCacheKey(issuerOrigin, keyid);\n\n // Check cache first\n const cached = await cache.get(cacheKey);\n if (cached) {\n return {\n jwk: cached.jwk,\n source: '/.well-known/jwks',\n cached: true,\n };\n }\n\n // Discovery paths in order\n const paths: Array<{\n url: string;\n source: ResolvedKey['source'];\n isSingleKey: boolean;\n }> = [\n {\n url: `${issuerOrigin}/.well-known/jwks`,\n source: '/.well-known/jwks',\n isSingleKey: false,\n },\n {\n url: `${issuerOrigin}/keys?keyID=${encodeURIComponent(keyid)}`,\n source: '/keys',\n isSingleKey: true,\n },\n {\n url: `${issuerOrigin}/.well-known/jwks.json`,\n source: '/.well-known/jwks.json',\n isSingleKey: false,\n },\n ];\n\n const errors: Error[] = [];\n\n for (const path of paths) {\n try {\n // Validate URL for SSRF\n validateUrl(path.url, { isAllowedHost, allowLocalhost });\n\n const result = await fetchWithTimeout(path.url, options.timeoutMs);\n\n // Check response size\n const contentLength = result.headers.get('content-length');\n if (contentLength && parseInt(contentLength, 10) > options.maxResponseBytes) {\n throw new JwksError(\n ErrorCodes.JWKS_TOO_LARGE,\n `Response too large: ${contentLength} bytes`\n );\n }\n\n // Parse response\n const text = await result.text();\n if (text.length > options.maxResponseBytes) {\n throw new JwksError(ErrorCodes.JWKS_TOO_LARGE, `Response too large: ${text.length} bytes`);\n }\n\n let data: unknown;\n try {\n data = JSON.parse(text);\n } catch {\n throw new JwksError(ErrorCodes.JWKS_INVALID, 'Invalid JSON response');\n }\n\n // Extract JWK\n let jwk: JWK | null = null;\n\n if (path.isSingleKey) {\n // Single key endpoint returns JWK directly\n jwk = validateJwk(data);\n } else {\n // JWKS endpoint returns key set\n const jwks = validateJwks(data, options.maxKeys);\n jwk = findKey(jwks, keyid);\n }\n\n if (!jwk) {\n continue; // Try next path\n }\n\n // Calculate TTL\n const cacheControlMaxAge = parseCacheControlMaxAge(result.headers.get('cache-control'));\n const ttl = calculateTtl(\n cacheControlMaxAge,\n options.defaultTtlSeconds,\n options.minTtlSeconds,\n options.maxTtlSeconds\n );\n\n // Cache the key\n const now = Math.floor(Date.now() / 1000);\n await cache.set(cacheKey, {\n jwk,\n expiresAt: now + ttl,\n etag: result.headers.get('etag') ?? undefined,\n });\n\n return {\n jwk,\n source: path.source,\n cached: false,\n };\n } catch (error) {\n errors.push(error as Error);\n // Continue to next path\n }\n }\n\n // All paths failed -- try stale fallback if allowed.\n // Only fall back on transient network errors. Fail closed on security policy\n // violations (SSRF), semantic errors (invalid JWKS, too many keys, too large),\n // and parse failures -- these indicate the server is misconfigured or\n // compromised, not that the network is temporarily unreachable.\n if (errors.length > 0) {\n // Fail closed: stale only if every error is a known-transient JwksError.\n // Non-JwksError (bugs, unexpected throws) must NOT widen stale eligibility.\n const allTransient = errors.every(\n (e) =>\n e instanceof JwksError &&\n (e.code === ErrorCodes.JWKS_FETCH_FAILED || e.code === ErrorCodes.JWKS_TIMEOUT)\n );\n if (allowStale && allTransient && 'getStale' in cache && typeof cache.getStale === 'function') {\n const staleEntry = await (\n cache as { getStale: (k: string) => Promise<typeof cached> }\n ).getStale(cacheKey);\n if (staleEntry) {\n const now = Math.floor(Date.now() / 1000);\n const staleAge = now - staleEntry.expiresAt;\n if (staleAge >= 0 && staleAge <= maxStaleAgeSeconds) {\n return {\n jwk: staleEntry.jwk,\n source: '/.well-known/jwks',\n cached: true,\n stale: true,\n staleAgeSeconds: staleAge,\n keyExpiredAt: staleEntry.expiresAt,\n };\n }\n }\n }\n\n const lastError = errors[errors.length - 1];\n if (lastError instanceof JwksError) {\n throw lastError;\n }\n throw new JwksError(\n ErrorCodes.ALL_PATHS_FAILED,\n `All discovery paths failed for ${issuerOrigin}`\n );\n }\n\n return null;\n}\n\n/**\n * Fetch with timeout.\n */\nasync function fetchWithTimeout(url: string, timeoutMs: number): Promise<Response> {\n const controller = new AbortController();\n const timeout = setTimeout(() => controller.abort(), timeoutMs);\n\n try {\n const response = await fetch(url, {\n signal: controller.signal,\n redirect: 'error', // No redirect following (fail-closed)\n headers: {\n Accept: 'application/json',\n },\n });\n\n if (!response.ok) {\n throw new JwksError(\n ErrorCodes.JWKS_FETCH_FAILED,\n `HTTP ${response.status}: ${response.statusText}`\n );\n }\n\n return response;\n } catch (error) {\n if ((error as Error).name === 'AbortError') {\n throw new JwksError(ErrorCodes.JWKS_TIMEOUT, `Fetch timeout after ${timeoutMs}ms`);\n }\n if (error instanceof JwksError) {\n throw error;\n }\n throw new JwksError(ErrorCodes.JWKS_FETCH_FAILED, `Fetch failed: ${(error as Error).message}`);\n } finally {\n clearTimeout(timeout);\n }\n}\n\n/**\n * Validate and extract JWK from response data.\n */\nfunction validateJwk(data: unknown): JWK | null {\n if (!data || typeof data !== 'object') {\n return null;\n }\n\n const jwk = data as Record<string, unknown>;\n\n if (jwk.kty !== 'OKP' || jwk.crv !== 'Ed25519' || typeof jwk.x !== 'string') {\n return null;\n }\n\n return {\n kty: jwk.kty,\n crv: jwk.crv,\n x: jwk.x,\n kid: typeof jwk.kid === 'string' ? jwk.kid : undefined,\n use: typeof jwk.use === 'string' ? jwk.use : undefined,\n alg: typeof jwk.alg === 'string' ? jwk.alg : undefined,\n };\n}\n\n/**\n * Validate JWKS structure.\n */\nfunction validateJwks(data: unknown, maxKeys: number): JWKS {\n if (!data || typeof data !== 'object') {\n throw new JwksError(ErrorCodes.JWKS_INVALID, 'Invalid JWKS structure');\n }\n\n const jwks = data as Record<string, unknown>;\n\n if (!Array.isArray(jwks.keys)) {\n throw new JwksError(ErrorCodes.JWKS_INVALID, 'JWKS must have keys array');\n }\n\n if (jwks.keys.length > maxKeys) {\n throw new JwksError(\n ErrorCodes.JWKS_TOO_MANY_KEYS,\n `Too many keys: ${jwks.keys.length} > ${maxKeys}`\n );\n }\n\n return { keys: jwks.keys as JWK[] };\n}\n\n/**\n * Find key by ID in JWKS.\n */\nfunction findKey(jwks: JWKS, keyid: string): JWK | null {\n for (const key of jwks.keys) {\n if (key.kid === keyid) {\n return validateJwk(key);\n }\n }\n return null;\n}\n\n/**\n * Calculate TTL from Cache-Control and options.\n */\nfunction calculateTtl(\n cacheControlMaxAge: number | null,\n defaultTtl: number,\n minTtl: number,\n maxTtl: number\n): number {\n let ttl = cacheControlMaxAge ?? defaultTtl;\n ttl = Math.max(minTtl, ttl);\n ttl = Math.min(maxTtl, ttl);\n return ttl;\n}\n\n/**\n * Import a JWK as Ed25519 public key.\n *\n * Returns an opaque key object (runtime-neutral).\n * Use createJwkVerifier() for a complete SignatureVerifier.\n */\nexport async function importJwkAsEd25519(jwk: JWK): Promise<unknown> {\n return globalThis.crypto.subtle.importKey(\n 'jwk',\n {\n kty: jwk.kty,\n crv: jwk.crv,\n x: jwk.x,\n },\n { name: 'Ed25519' },\n false,\n ['verify']\n );\n}\n\n/**\n * Create a SignatureVerifier from a JWK.\n *\n * Convenience function for TAP integration.\n *\n * @param jwk - Ed25519 JWK\n * @returns SignatureVerifier function\n */\nexport async function createJwkVerifier(jwk: JWK): Promise<SignatureVerifier> {\n const key = await importJwkAsEd25519(jwk);\n\n return async (data: Uint8Array, signature: Uint8Array): Promise<boolean> => {\n // Create proper ArrayBuffer views to satisfy TypeScript\n const sigBuffer = new Uint8Array(signature).buffer;\n const dataBuffer = new Uint8Array(data).buffer;\n\n // Use type from the actual WebCrypto API to avoid DOM type dependency\n type VerifyKey = Parameters<typeof globalThis.crypto.subtle.verify>[1];\n\n return globalThis.crypto.subtle.verify('Ed25519', key as VerifyKey, sigBuffer, dataBuffer);\n };\n}\n"]}

package/dist/index.d.ts CHANGED Viewed

@@ -4,6 +4,7 @@
  * Edge-safe JWKS fetch and cache with SSRF protection.
  */
 export type { JWK, JWKS, CacheBackend, CacheEntry, ResolverOptions, ResolvedKey, JwksKeyResolver, } from './types.js';
+export type { InMemoryCacheOptions } from './cache.js';
 export { InMemoryCache, buildCacheKey, buildJwksCacheKey, parseCacheControlMaxAge, } from './cache.js';
 export { validateUrl, isMetadataIp } from './security.js';
 export { createResolver, resolveKey, importJwkAsEd25519, createJwkVerifier } from './resolver.js';

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,YAAY,EACV,GAAG,EACH,IAAI,EACJ,YAAY,EACZ,UAAU,EACV,eAAe,EACf,WAAW,EACX,eAAe,GAChB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,aAAa,EACb,aAAa,EACb,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG1D,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlG,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACrE,YAAY,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,YAAY,EACV,GAAG,EACH,IAAI,EACJ,YAAY,EACZ,UAAU,EACV,eAAe,EACf,WAAW,EACX,eAAe,GAChB,MAAM,YAAY,CAAC;AAGpB,YAAY,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AACvD,OAAO,EACL,aAAa,EACb,aAAa,EACb,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG1D,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlG,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACrE,YAAY,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC"}