@plumbus/core 0.1.0

package/dist/auth/adapter.js

@@ -0,0 +1,144 @@
+import { createHmac, timingSafeEqual } from 'node:crypto';
+const defaultClaimMapping = {
+    userId: 'sub',
+    roles: 'roles',
+    scopes: 'scope',
+    tenantId: 'tenant_id',
+};
+/**
+ * JWT-based auth adapter. Decodes, verifies HMAC-SHA256 signatures,
+ * and validates JWT tokens, mapping claims to an AuthContext.
+ */
+export function createJwtAdapter(config) {
+    const mapping = { ...defaultClaimMapping, ...config.claimMapping };
+    return {
+        async authenticate(authorizationHeader) {
+            if (!authorizationHeader)
+                return null;
+            const token = extractBearerToken(authorizationHeader);
+            if (!token)
+                return null;
+            const verified = verifyJwtHs256(token, config.secret);
+            if (!verified)
+                return null;
+            const { payload } = verified;
+            // Validate issuer if configured
+            if (config.issuer && payload.iss !== config.issuer) {
+                return null;
+            }
+            // Validate audience if configured
+            if (config.audience) {
+                const aud = payload.aud;
+                const audiences = Array.isArray(aud) ? aud : [aud];
+                if (!audiences.includes(config.audience)) {
+                    return null;
+                }
+            }
+            // Check expiration
+            const exp = payload.exp;
+            if (typeof exp === 'number' && exp * 1000 < Date.now()) {
+                return null;
+            }
+            // Map claims to AuthContext
+            const rawRoles = payload[mapping.roles];
+            const rawScopes = payload[mapping.scopes];
+            return {
+                userId: String(payload[mapping.userId] ?? ''),
+                roles: Array.isArray(rawRoles)
+                    ? rawRoles.map(String)
+                    : typeof rawRoles === 'string'
+                        ? rawRoles.split(',').map((s) => s.trim())
+                        : [],
+                scopes: Array.isArray(rawScopes)
+                    ? rawScopes.map(String)
+                    : typeof rawScopes === 'string'
+                        ? rawScopes.split(' ').filter(Boolean)
+                        : [],
+                tenantId: payload[mapping.tenantId] ? String(payload[mapping.tenantId]) : undefined,
+                provider: 'jwt',
+                sessionId: payload.sid ? String(payload.sid) : undefined,
+                authenticatedAt: payload.iat ? new Date(payload.iat * 1000) : undefined,
+            };
+        },
+    };
+}
+function extractBearerToken(header) {
+    if (header.startsWith('Bearer ')) {
+        return header.slice(7);
+    }
+    return null;
+}
+function decodeJwtPayload(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        return null;
+    try {
+        const payload = parts[1];
+        if (!payload)
+            return null;
+        const decoded = Buffer.from(payload, 'base64url').toString('utf-8');
+        return JSON.parse(decoded);
+    }
+    catch {
+        return null;
+    }
+}
+function verifyJwtHs256(token, secret) {
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        return null;
+    const [encodedHeader, encodedPayload, encodedSignature] = parts;
+    if (!encodedHeader || !encodedPayload || !encodedSignature)
+        return null;
+    let header;
+    try {
+        header = JSON.parse(Buffer.from(encodedHeader, 'base64url').toString('utf-8'));
+    }
+    catch {
+        return null;
+    }
+    if (header.alg !== 'HS256') {
+        return null;
+    }
+    const signingInput = `${encodedHeader}.${encodedPayload}`;
+    const expected = createHmac('sha256', secret).update(signingInput).digest();
+    const actual = Buffer.from(encodedSignature, 'base64url');
+    if (expected.length !== actual.length)
+        return null;
+    if (!timingSafeEqual(expected, actual))
+        return null;
+    const payload = decodeJwtPayload(token);
+    if (!payload)
+        return null;
+    return { payload };
+}
+/**
+ * Sign a JWT token using HMAC-SHA256.
+ * Returns the signed token string (header.payload.signature).
+ */
+export function signJwt(options) {
+    const now = Math.floor(Date.now() / 1000);
+    const exp = now + (options.expiresIn ?? 86400);
+    const header = { alg: 'HS256', typ: 'JWT' };
+    const payload = {
+        sub: options.sub,
+        iat: now,
+        exp,
+        ...options.claims,
+    };
+    if (options.roles?.length)
+        payload.roles = options.roles;
+    if (options.scopes?.length)
+        payload.scope = options.scopes.join(' ');
+    if (options.tenantId)
+        payload.tenant_id = options.tenantId;
+    if (options.issuer)
+        payload.iss = options.issuer;
+    const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
+    const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const signature = createHmac('sha256', options.secret)
+        .update(`${headerB64}.${payloadB64}`)
+        .digest('base64url');
+    return `${headerB64}.${payloadB64}.${signature}`;
+}
+//# sourceMappingURL=adapter.js.map

package/dist/auth/adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.js","sourceRoot":"","sources":["../../src/auth/adapter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAoC1D,MAAM,mBAAmB,GAAoB;IAC3C,MAAM,EAAE,KAAK;IACb,KAAK,EAAE,OAAO;IACd,MAAM,EAAE,OAAO;IACf,QAAQ,EAAE,WAAW;CACtB,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAwB;IACvD,MAAM,OAAO,GAAG,EAAE,GAAG,mBAAmB,EAAE,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC;IAEnE,OAAO;QACL,KAAK,CAAC,YAAY,CAAC,mBAAuC;YACxD,IAAI,CAAC,mBAAmB;gBAAE,OAAO,IAAI,CAAC;YAEtC,MAAM,KAAK,GAAG,kBAAkB,CAAC,mBAAmB,CAAC,CAAC;YACtD,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC;YAExB,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;YACtD,IAAI,CAAC,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAC3B,MAAM,EAAE,OAAO,EAAE,GAAG,QAAQ,CAAC;YAE7B,gCAAgC;YAChC,IAAI,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;gBACnD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,kCAAkC;YAClC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;gBACxB,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBACnD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACzC,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YAED,mBAAmB;YACnB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YACxB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACvD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,4BAA4B;YAC5B,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACxC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAE1C,OAAO;gBACL,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC7C,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;oBAC5B,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;oBACtB,CAAC,CAAC,OAAO,QAAQ,KAAK,QAAQ;wBAC5B,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;wBAClD,CAAC,CAAC,EAAE;gBACR,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;oBAC9B,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC;oBACvB,CAAC,CAAC,OAAO,SAAS,KAAK,QAAQ;wBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;wBACtC,CAAC,CAAC,EAAE;gBACR,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;gBACnF,QAAQ,EAAE,KAAK;gBACf,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS;gBACxD,eAAe,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAE,OAAO,CAAC,GAAc,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;aACpF,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAc;IACxC,IAAI,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAC1B,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CACrB,KAAa,EACb,MAAc;IAEd,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,CAAC,aAAa,EAAE,cAAc,EAAE,gBAAgB,CAAC,GAAG,KAAK,CAAC;IAChE,IAAI,CAAC,aAAa,IAAI,CAAC,cAAc,IAAI,CAAC,gBAAgB;QAAE,OAAO,IAAI,CAAC;IAExE,IAAI,MAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAG5E,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,YAAY,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;IAC1D,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,CAAC;IAC5E,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,WAAW,CAAC,CAAC;IAE1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpD,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC;AAuBD;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,OAAuB;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC,CAAC;IAE/C,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IAC5C,MAAM,OAAO,GAA4B;QACvC,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,GAAG;QACR,GAAG;QACH,GAAG,OAAO,CAAC,MAAM;KAClB,CAAC;IAEF,IAAI,OAAO,CAAC,KAAK,EAAE,MAAM;QAAE,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IACzD,IAAI,OAAO,CAAC,MAAM,EAAE,MAAM;QAAE,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACrE,IAAI,OAAO,CAAC,QAAQ;QAAE,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC3D,IAAI,OAAO,CAAC,MAAM;QAAE,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;IAEjD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC5E,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC9E,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC;SACnD,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;SACpC,MAAM,CAAC,WAAW,CAAC,CAAC;IAEvB,OAAO,GAAG,SAAS,IAAI,UAAU,IAAI,SAAS,EAAE,CAAC;AACnD,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,11 @@
+export { createJwtAdapter, signJwt } from './adapter.js';
+export type { AuthAdapter, JwtAdapterConfig, JwtClaimMapping, SignJwtOptions } from './adapter.js';
+export { createOidcAdapter } from './oidc-adapter.js';
+export type { OidcAdapterConfig, JsonWebKey as OidcJwk } from './oidc-adapter.js';
+export { hashPassword, verifyPassword } from './password.js';
+export type { PasswordHashOptions } from './password.js';
+export { createSamlAdapter } from './saml-adapter.js';
+export type { SamlAdapterConfig } from './saml-adapter.js';
+export { createScimService } from './scim.js';
+export type { ScimEmail, ScimError, ScimListResponse, ScimService, ScimServiceConfig, ScimUser, ScimUserRepository, ScimUserResource, } from './scim.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACzD,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AACnG,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,YAAY,EAAE,iBAAiB,EAAE,UAAU,IAAI,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAClF,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC7D,YAAY,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,YAAY,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9C,YAAY,EACV,SAAS,EACT,SAAS,EACT,gBAAgB,EAChB,WAAW,EACX,iBAAiB,EACjB,QAAQ,EACR,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,WAAW,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,9 @@
+// ── Auth Module ──
+// Authentication adapters for extracting identity from requests.
+// JWT adapter, OIDC adapter, SAML adapter, SCIM provisioning, password hashing.
+export { createJwtAdapter, signJwt } from './adapter.js';
+export { createOidcAdapter } from './oidc-adapter.js';
+export { hashPassword, verifyPassword } from './password.js';
+export { createSamlAdapter } from './saml-adapter.js';
+export { createScimService } from './scim.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB,iEAAiE;AACjE,gFAAgF;AAEhF,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC"}

package/dist/auth/oidc-adapter.d.ts

@@ -0,0 +1,32 @@
+import type { AuthAdapter, JwtClaimMapping } from './adapter.js';
+export interface OidcAdapterConfig {
+    /** OIDC issuer URL (e.g., https://auth.example.com) */
+    issuer: string;
+    /** Expected audience (client ID) */
+    audience: string;
+    /** JWKS URI — auto-discovered from issuer if not provided */
+    jwksUri?: string;
+    /** Cache JWKS keys for this many seconds (default: 3600) */
+    jwksCacheTtl?: number;
+    /** Claim mapping override */
+    claimMapping?: Partial<JwtClaimMapping>;
+    /** Custom fetch function (for testing / environments without global fetch) */
+    fetchFn?: typeof fetch;
+}
+export interface JsonWebKey {
+    kty: string;
+    kid?: string;
+    alg?: string;
+    use?: string;
+    n?: string;
+    e?: string;
+    x?: string;
+    y?: string;
+    crv?: string;
+}
+/**
+ * OIDC auth adapter. Validates JWT tokens from OIDC providers
+ * by verifying signatures against JWKS keys fetched from the provider.
+ */
+export declare function createOidcAdapter(config: OidcAdapterConfig): AuthAdapter;
+//# sourceMappingURL=oidc-adapter.d.ts.map

package/dist/auth/oidc-adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-adapter.d.ts","sourceRoot":"","sources":["../../src/auth/oidc-adapter.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAMjE,MAAM,WAAW,iBAAiB;IAChC,uDAAuD;IACvD,MAAM,EAAE,MAAM,CAAC;IACf,oCAAoC;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,6DAA6D;IAC7D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6BAA6B;IAC7B,YAAY,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACxC,8EAA8E;IAC9E,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAgBD;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,iBAAiB,GAAG,WAAW,CAuHxE"}

package/dist/auth/oidc-adapter.js

@@ -0,0 +1,169 @@
+import { createPublicKey, verify } from 'node:crypto';
+const defaultClaimMapping = {
+    userId: 'sub',
+    roles: 'roles',
+    scopes: 'scope',
+    tenantId: 'tenant_id',
+};
+const SUPPORTED_ALGORITHMS = new Set(['RS256', 'ES256']);
+/**
+ * OIDC auth adapter. Validates JWT tokens from OIDC providers
+ * by verifying signatures against JWKS keys fetched from the provider.
+ */
+export function createOidcAdapter(config) {
+    const mapping = { ...defaultClaimMapping, ...config.claimMapping };
+    const cacheTtl = (config.jwksCacheTtl ?? 3600) * 1000;
+    const fetchFn = config.fetchFn ?? globalThis.fetch;
+    let jwksCache = null;
+    let discoveredJwksUri = config.jwksUri ?? null;
+    async function discoverJwksUri() {
+        if (discoveredJwksUri)
+            return discoveredJwksUri;
+        const discoveryUrl = `${config.issuer.replace(/\/$/, '')}/.well-known/openid-configuration`;
+        const response = await fetchFn(discoveryUrl);
+        if (!response.ok) {
+            throw new Error(`OIDC discovery failed: ${response.status}`);
+        }
+        const doc = (await response.json());
+        if (!doc.jwks_uri) {
+            throw new Error('OIDC discovery response missing jwks_uri');
+        }
+        discoveredJwksUri = doc.jwks_uri;
+        return discoveredJwksUri;
+    }
+    async function fetchJwks() {
+        if (jwksCache && jwksCache.expiresAt > Date.now()) {
+            return jwksCache.keys;
+        }
+        const jwksUri = await discoverJwksUri();
+        const response = await fetchFn(jwksUri);
+        if (!response.ok) {
+            throw new Error(`JWKS fetch failed: ${response.status}`);
+        }
+        const jwks = (await response.json());
+        const keys = jwks.keys ?? [];
+        jwksCache = { keys, expiresAt: Date.now() + cacheTtl };
+        return keys;
+    }
+    function findKey(kid, keys) {
+        if (kid) {
+            return keys.find((k) => k.kid === kid && k.use !== 'enc');
+        }
+        // If no kid in header, use the first signing key
+        return keys.find((k) => k.use === 'sig' || !k.use);
+    }
+    return {
+        async authenticate(authorizationHeader) {
+            if (!authorizationHeader)
+                return null;
+            const token = extractBearerToken(authorizationHeader);
+            if (!token)
+                return null;
+            const parts = token.split('.');
+            if (parts.length !== 3)
+                return null;
+            const headerStr = parts[0];
+            const payloadStr = parts[1];
+            const signatureStr = parts[2];
+            if (!headerStr || !payloadStr || !signatureStr)
+                return null;
+            // Decode header to get kid and alg
+            let header;
+            try {
+                header = JSON.parse(Buffer.from(headerStr, 'base64url').toString('utf-8'));
+            }
+            catch {
+                return null;
+            }
+            if (!header.alg || !SUPPORTED_ALGORITHMS.has(header.alg)) {
+                return null;
+            }
+            // Fetch JWKS and find matching key
+            let keys;
+            try {
+                keys = await fetchJwks();
+            }
+            catch {
+                return null;
+            }
+            const jwk = findKey(header.kid, keys);
+            if (!jwk) {
+                // Key not found — try refreshing cache in case of rotation
+                jwksCache = null;
+                try {
+                    keys = await fetchJwks();
+                }
+                catch {
+                    return null;
+                }
+                const refreshedJwk = findKey(header.kid, keys);
+                if (!refreshedJwk)
+                    return null;
+                return verifyAndMap(token, headerStr, payloadStr, signatureStr, refreshedJwk, header.alg, config, mapping);
+            }
+            return verifyAndMap(token, headerStr, payloadStr, signatureStr, jwk, header.alg, config, mapping);
+        },
+    };
+}
+function verifyAndMap(_token, headerStr, payloadStr, signatureStr, jwk, alg, config, mapping) {
+    // Verify signature
+    try {
+        const publicKey = createPublicKey({ key: jwk, format: 'jwk' });
+        const algorithm = alg === 'RS256' ? 'RSA-SHA256' : 'SHA256';
+        const signatureBuffer = Buffer.from(signatureStr, 'base64url');
+        const data = `${headerStr}.${payloadStr}`;
+        const valid = verify(algorithm, Buffer.from(data), publicKey, signatureBuffer);
+        if (!valid)
+            return null;
+    }
+    catch {
+        return null;
+    }
+    // Decode payload
+    let payload;
+    try {
+        payload = JSON.parse(Buffer.from(payloadStr, 'base64url').toString('utf-8'));
+    }
+    catch {
+        return null;
+    }
+    // Validate issuer
+    if (payload.iss !== config.issuer)
+        return null;
+    // Validate audience
+    const aud = payload.aud;
+    const audiences = Array.isArray(aud) ? aud : [aud];
+    if (!audiences.includes(config.audience))
+        return null;
+    // Check expiration
+    const exp = payload.exp;
+    if (typeof exp === 'number' && exp * 1000 < Date.now())
+        return null;
+    // Map claims to AuthContext
+    const rawRoles = payload[mapping.roles];
+    const rawScopes = payload[mapping.scopes];
+    return {
+        userId: String(payload[mapping.userId] ?? ''),
+        roles: Array.isArray(rawRoles)
+            ? rawRoles.map(String)
+            : typeof rawRoles === 'string'
+                ? rawRoles.split(',').map((s) => s.trim())
+                : [],
+        scopes: Array.isArray(rawScopes)
+            ? rawScopes.map(String)
+            : typeof rawScopes === 'string'
+                ? rawScopes.split(' ').filter(Boolean)
+                : [],
+        tenantId: payload[mapping.tenantId] ? String(payload[mapping.tenantId]) : undefined,
+        provider: 'oidc',
+        sessionId: payload.sid ? String(payload.sid) : undefined,
+        authenticatedAt: payload.iat ? new Date(payload.iat * 1000) : undefined,
+    };
+}
+function extractBearerToken(header) {
+    if (header.startsWith('Bearer ')) {
+        return header.slice(7);
+    }
+    return null;
+}
+//# sourceMappingURL=oidc-adapter.js.map

package/dist/auth/oidc-adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-adapter.js","sourceRoot":"","sources":["../../src/auth/oidc-adapter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAwCtD,MAAM,mBAAmB,GAAoB;IAC3C,MAAM,EAAE,KAAK;IACb,KAAK,EAAE,OAAO;IACd,MAAM,EAAE,OAAO;IACf,QAAQ,EAAE,WAAW;CACtB,CAAC;AAEF,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AAEzD;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAyB;IACzD,MAAM,OAAO,GAAG,EAAE,GAAG,mBAAmB,EAAE,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC;IACnE,MAAM,QAAQ,GAAG,CAAC,MAAM,CAAC,YAAY,IAAI,IAAI,CAAC,GAAG,IAAI,CAAC;IACtD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC;IAEnD,IAAI,SAAS,GAAqB,IAAI,CAAC;IACvC,IAAI,iBAAiB,GAAkB,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC;IAE9D,KAAK,UAAU,eAAe;QAC5B,IAAI,iBAAiB;YAAE,OAAO,iBAAiB,CAAC;QAEhD,MAAM,YAAY,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,mCAAmC,CAAC;QAC5F,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,GAAG,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA0B,CAAC;QAC7D,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,iBAAiB,GAAG,GAAG,CAAC,QAAQ,CAAC;QACjC,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,KAAK,UAAU,SAAS;QACtB,IAAI,SAAS,IAAI,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAClD,OAAO,SAAS,CAAC,IAAI,CAAC;QACxB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;QACxC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,sBAAsB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3D,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;QAChE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;QAE7B,SAAS,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QACvD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS,OAAO,CAAC,GAAuB,EAAE,IAAkB;QAC1D,IAAI,GAAG,EAAE,CAAC;YACR,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,KAAK,KAAK,CAAC,CAAC;QAC5D,CAAC;QACD,iDAAiD;QACjD,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACrD,CAAC;IAED,OAAO;QACL,KAAK,CAAC,YAAY,CAAC,mBAAuC;YACxD,IAAI,CAAC,mBAAmB;gBAAE,OAAO,IAAI,CAAC;YAEtC,MAAM,KAAK,GAAG,kBAAkB,CAAC,mBAAmB,CAAC,CAAC;YACtD,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC;YAExB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAEpC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC3B,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU,IAAI,CAAC,YAAY;gBAAE,OAAO,IAAI,CAAC;YAE5D,mCAAmC;YACnC,IAAI,MAAsC,CAAC;YAC3C,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAC7E,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;gBACzD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,mCAAmC;YACnC,IAAI,IAAkB,CAAC;YACvB,IAAI,CAAC;gBACH,IAAI,GAAG,MAAM,SAAS,EAAE,CAAC;YAC3B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACtC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,2DAA2D;gBAC3D,SAAS,GAAG,IAAI,CAAC;gBACjB,IAAI,CAAC;oBACH,IAAI,GAAG,MAAM,SAAS,EAAE,CAAC;gBAC3B,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;gBAC/C,IAAI,CAAC,YAAY;oBAAE,OAAO,IAAI,CAAC;gBAC/B,OAAO,YAAY,CACjB,KAAK,EACL,SAAS,EACT,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,MAAM,CAAC,GAAG,EACV,MAAM,EACN,OAAO,CACR,CAAC;YACJ,CAAC;YAED,OAAO,YAAY,CACjB,KAAK,EACL,SAAS,EACT,UAAU,EACV,YAAY,EACZ,GAAG,EACH,MAAM,CAAC,GAAG,EACV,MAAM,EACN,OAAO,CACR,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,MAAc,EACd,SAAiB,EACjB,UAAkB,EAClB,YAAoB,EACpB,GAAe,EACf,GAAW,EACX,MAAyB,EACzB,OAAwB;IAExB,mBAAmB;IACnB,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,GAAsB,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAClF,MAAM,SAAS,GAAG,GAAG,KAAK,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC5D,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;QAC/E,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iBAAiB;IACjB,IAAI,OAAgC,CAAC;IACrC,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,kBAAkB;IAClB,IAAI,OAAO,CAAC,GAAG,KAAK,MAAM,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAE/C,oBAAoB;IACpB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IACxB,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACnD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtD,mBAAmB;IACnB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IACxB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IAEpE,4BAA4B;IAC5B,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAE1C,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC7C,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;YAC5B,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;YACtB,CAAC,CAAC,OAAO,QAAQ,KAAK,QAAQ;gBAC5B,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAClD,CAAC,CAAC,EAAE;QACR,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YAC9B,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC;YACvB,CAAC,CAAC,OAAO,SAAS,KAAK,QAAQ;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;gBACtC,CAAC,CAAC,EAAE;QACR,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;QACnF,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS;QACxD,eAAe,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAE,OAAO,CAAC,GAAc,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;KACpF,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAc;IACxC,IAAI,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/auth/password.d.ts

@@ -0,0 +1,13 @@
+export interface PasswordHashOptions {
+    saltBytes?: number;
+    keyLength?: number;
+}
+/**
+ * Hash a password with scrypt and return a portable salt:hash string.
+ */
+export declare function hashPassword(password: string, options?: PasswordHashOptions): Promise<string>;
+/**
+ * Verify a password against a stored salt:hash string.
+ */
+export declare function verifyPassword(password: string, storedHash: string, options?: PasswordHashOptions): Promise<boolean>;
+//# sourceMappingURL=password.d.ts.map

package/dist/auth/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,mBAAmB;IAClC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAOD;;GAEG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,MAAM,CAAC,CAKjB;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,OAAO,CAAC,CAelB"}

package/dist/auth/password.js

@@ -0,0 +1,33 @@
+import { randomBytes, scrypt, timingSafeEqual } from 'node:crypto';
+import { promisify } from 'node:util';
+const scryptAsync = promisify(scrypt);
+const defaultPasswordHashOptions = {
+    saltBytes: 16,
+    keyLength: 64,
+};
+/**
+ * Hash a password with scrypt and return a portable salt:hash string.
+ */
+export async function hashPassword(password, options = {}) {
+    const resolved = { ...defaultPasswordHashOptions, ...options };
+    const salt = randomBytes(resolved.saltBytes).toString('hex');
+    const derived = (await scryptAsync(password, salt, resolved.keyLength));
+    return `${salt}:${derived.toString('hex')}`;
+}
+/**
+ * Verify a password against a stored salt:hash string.
+ */
+export async function verifyPassword(password, storedHash, options = {}) {
+    const [salt, hash] = storedHash.split(':');
+    if (!salt || !hash) {
+        return false;
+    }
+    const resolved = { ...defaultPasswordHashOptions, ...options };
+    const derived = (await scryptAsync(password, salt, resolved.keyLength));
+    const stored = Buffer.from(hash, 'hex');
+    if (stored.length !== derived.length) {
+        return false;
+    }
+    return timingSafeEqual(derived, stored);
+}
+//# sourceMappingURL=password.js.map

package/dist/auth/password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.js","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnE,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;AAOtC,MAAM,0BAA0B,GAAkC;IAChE,SAAS,EAAE,EAAE;IACb,SAAS,EAAE,EAAE;CACd,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,UAA+B,EAAE;IAEjC,MAAM,QAAQ,GAAG,EAAE,GAAG,0BAA0B,EAAE,GAAG,OAAO,EAAE,CAAC;IAC/D,MAAM,IAAI,GAAG,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,CAAC,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAW,CAAC;IAClF,OAAO,GAAG,IAAI,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAAgB,EAChB,UAAkB,EAClB,UAA+B,EAAE;IAEjC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,QAAQ,GAAG,EAAE,GAAG,0BAA0B,EAAE,GAAG,OAAO,EAAE,CAAC;IAC/D,MAAM,OAAO,GAAG,CAAC,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAW,CAAC;IAClF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAExC,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AAC1C,CAAC"}

package/dist/auth/saml-adapter.d.ts

@@ -0,0 +1,38 @@
+import type { AuthContext } from '../types/security.js';
+import type { AuthAdapter } from './adapter.js';
+export interface SamlAdapterConfig {
+    /** IdP certificate (PEM format) for signature validation */
+    idpCertificate: string;
+    /** Expected SAML issuer (IdP entity ID) */
+    issuer: string;
+    /** Expected audience (SP entity ID / ACS URL) */
+    audience: string;
+    /** Attribute mapping for SAML claim extraction */
+    attributeMapping?: Partial<SamlAttributeMapping>;
+}
+export interface SamlAttributeMapping {
+    userId: string;
+    email: string;
+    roles: string;
+    tenantId: string;
+    displayName: string;
+}
+export interface SamlAuthResult extends AuthContext {
+    /** Raw SAML attributes from the assertion */
+    attributes: Record<string, string[]>;
+    /** SAML NameID */
+    nameId: string;
+}
+/**
+ * SAML 2.0 auth adapter. Two modes of operation:
+ *
+ * 1. `authenticate(header)` — extracts a Bearer token containing a
+ *    base64-encoded SAML assertion (used for API calls after SSO login).
+ *
+ * 2. `processSamlResponse(samlResponse)` — directly validates a SAML
+ *    Response from the IdP (used in SSO callback handlers).
+ */
+export declare function createSamlAdapter(config: SamlAdapterConfig): AuthAdapter & {
+    processSamlResponse(samlResponseB64: string): SamlAuthResult | null;
+};
+//# sourceMappingURL=saml-adapter.d.ts.map

package/dist/auth/saml-adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"saml-adapter.d.ts","sourceRoot":"","sources":["../../src/auth/saml-adapter.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAOhD,MAAM,WAAW,iBAAiB;IAChC,4DAA4D;IAC5D,cAAc,EAAE,MAAM,CAAC;IACvB,2CAA2C;IAC3C,MAAM,EAAE,MAAM,CAAC;IACf,iDAAiD;IACjD,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,gBAAgB,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAClD;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,cAAe,SAAQ,WAAW;IACjD,6CAA6C;IAC7C,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACrC,kBAAkB;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB;AAUD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,iBAAiB,GACxB,WAAW,GAAG;IAAE,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI,CAAA;CAAE,CA8EvF"}