@portel/photon 1.22.1 → 1.23.0

package/dist/serv/auth/sqlite-stores.d.ts

@@ -0,0 +1,85 @@
+/**
+ * SQLite-backed authorization-server stores.
+ *
+ * Implements the same five interfaces as `auth-store.ts` (AuthCodeStore,
+ * RefreshTokenStore, ClientRegistry, ConsentStore, PendingAuthorizationStore)
+ * with persistent storage across process restarts.
+ *
+ * Runtime-agnostic via `src/shared/sqlite-runtime.ts`:
+ * - Under Bun: uses built-in `bun:sqlite` (zero install).
+ * - Under Node: falls back to `better-sqlite3` (optional peer dep).
+ *
+ * All five stores share a single database handle. Schema is created on first
+ * use. TTL enforcement happens at read time (stale rows are ignored and
+ * sweep() deletes them).
+ */
+import type { AuthorizationCode, RefreshToken, RegisteredClient, ConsentRecord } from '../types/index.js';
+import type { AuthCodeStore, RefreshTokenStore, ClientRegistry, ConsentStore, PendingAuthorizationStore, PendingAuthorization } from './auth-store.js';
+import { type SqliteDatabase } from '../../shared/sqlite-runtime.js';
+/**
+ * Open the AS SQLite database at `path` with all schema created.
+ */
+export declare function openAuthDatabase(path: string): Promise<SqliteDatabase>;
+export declare class SqliteAuthCodeStore implements AuthCodeStore {
+    private db;
+    private insert;
+    private select;
+    private remove;
+    private sweepStmt;
+    constructor(db: SqliteDatabase);
+    save(code: AuthorizationCode): Promise<void>;
+    peek(code: string): Promise<AuthorizationCode | null>;
+    consume(code: string): Promise<AuthorizationCode | null>;
+    sweep(now?: Date): Promise<number>;
+}
+export declare class SqliteRefreshTokenStore implements RefreshTokenStore {
+    private db;
+    private insert;
+    private select;
+    private remove;
+    private sweepStmt;
+    constructor(db: SqliteDatabase);
+    save(token: RefreshToken): Promise<void>;
+    private insertRow;
+    find(token: string): Promise<RefreshToken | null>;
+    rotate(oldToken: string, newToken: RefreshToken): Promise<RefreshToken | null>;
+    revoke(token: string): Promise<boolean>;
+    sweep(now?: Date): Promise<number>;
+}
+export declare class SqliteClientRegistry implements ClientRegistry {
+    private upsert;
+    private select;
+    private touchStmt;
+    private remove;
+    private sweepStmt;
+    constructor(db: SqliteDatabase);
+    save(client: RegisteredClient): Promise<void>;
+    find(clientId: string): Promise<RegisteredClient | null>;
+    touch(clientId: string, now?: Date): Promise<void>;
+    delete(clientId: string): Promise<boolean>;
+    sweep(maxIdleMs: number, now?: Date): Promise<number>;
+}
+export declare class SqliteConsentStore implements ConsentStore {
+    private upsert;
+    private select;
+    private remove;
+    private sweepStmt;
+    constructor(db: SqliteDatabase);
+    save(record: ConsentRecord): Promise<void>;
+    covers(userId: string, tenantId: string, clientId: string, scopes: string[]): Promise<boolean>;
+    revoke(userId: string, tenantId: string, clientId: string): Promise<boolean>;
+    sweep(now?: Date): Promise<number>;
+}
+export declare class SqlitePendingAuthorizationStore implements PendingAuthorizationStore {
+    private db;
+    private insert;
+    private select;
+    private remove;
+    private sweepStmt;
+    constructor(db: SqliteDatabase);
+    save(req: PendingAuthorization): Promise<void>;
+    peek(id: string): Promise<PendingAuthorization | null>;
+    consume(id: string): Promise<PendingAuthorization | null>;
+    sweep(now?: Date): Promise<number>;
+}
+//# sourceMappingURL=sqlite-stores.d.ts.map

package/dist/serv/auth/sqlite-stores.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqlite-stores.d.ts","sourceRoot":"","sources":["../../../src/serv/auth/sqlite-stores.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EACV,iBAAiB,EACjB,YAAY,EACZ,gBAAgB,EAChB,aAAa,EACd,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EACV,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,yBAAyB,EACzB,oBAAoB,EACrB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAEL,KAAK,cAAc,EAEpB,MAAM,gCAAgC,CAAC;AAExC;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAE5E;AA6GD,qBAAa,mBAAoB,YAAW,aAAa;IAM3C,OAAO,CAAC,EAAE;IALtB,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,SAAS,CAAkB;gBAEf,EAAE,EAAE,cAAc;IAWhC,IAAI,CAAC,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAuB5C,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAQrD,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAcxD,KAAK,CAAC,GAAG,GAAE,IAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;CAIrD;AAsBD,qBAAa,uBAAwB,YAAW,iBAAiB;IAMnD,OAAO,CAAC,EAAE;IALtB,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,SAAS,CAAkB;gBAEf,EAAE,EAAE,cAAc;IAWhC,IAAI,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAI9C,OAAO,CAAC,SAAS;IAaX,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAOjD,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAe9E,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKvC,KAAK,CAAC,GAAG,GAAE,IAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;CAIrD;AAmBD,qBAAa,oBAAqB,YAAW,cAAc;IACzD,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,SAAS,CAAkB;IACnC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,SAAS,CAAkB;gBAEvB,EAAE,EAAE,cAAc;IAgBxB,IAAI,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;IAqB7C,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAMxD,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,GAAE,IAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAI9D,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK1C,KAAK,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,GAAE,IAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;CAKxE;AA6BD,qBAAa,kBAAmB,YAAW,YAAY;IACrD,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,SAAS,CAAkB;gBAEvB,EAAE,EAAE,cAAc;IAexB,IAAI,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAW1C,MAAM,CACV,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,GACf,OAAO,CAAC,OAAO,CAAC;IAWb,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK5E,KAAK,CAAC,GAAG,GAAE,IAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;CAIrD;AAMD,qBAAa,+BAAgC,YAAW,yBAAyB;IAMnE,OAAO,CAAC,EAAE;IALtB,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,SAAS,CAAkB;gBAEf,EAAE,EAAE,cAAc;IAahC,IAAI,CAAC,GAAG,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkB9C,IAAI,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAOtD,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAazD,KAAK,CAAC,GAAG,GAAE,IAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;CAIrD"}

package/dist/serv/auth/sqlite-stores.js

@@ -0,0 +1,446 @@
+/**
+ * SQLite-backed authorization-server stores.
+ *
+ * Implements the same five interfaces as `auth-store.ts` (AuthCodeStore,
+ * RefreshTokenStore, ClientRegistry, ConsentStore, PendingAuthorizationStore)
+ * with persistent storage across process restarts.
+ *
+ * Runtime-agnostic via `src/shared/sqlite-runtime.ts`:
+ * - Under Bun: uses built-in `bun:sqlite` (zero install).
+ * - Under Node: falls back to `better-sqlite3` (optional peer dep).
+ *
+ * All five stores share a single database handle. Schema is created on first
+ * use. TTL enforcement happens at read time (stale rows are ignored and
+ * sweep() deletes them).
+ */
+import { openSqlite, } from '../../shared/sqlite-runtime.js';
+/**
+ * Open the AS SQLite database at `path` with all schema created.
+ */
+export async function openAuthDatabase(path) {
+    return openSqlite(path, initSchema);
+}
+// ============================================================================
+// Schema
+// ============================================================================
+function initSchema(db) {
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS auth_codes (
+      code TEXT PRIMARY KEY,
+      client_id TEXT NOT NULL,
+      redirect_uri TEXT NOT NULL,
+      scope TEXT NOT NULL,
+      user_id TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      code_challenge TEXT NOT NULL,
+      code_challenge_method TEXT NOT NULL,
+      nonce TEXT,
+      expires_at INTEGER NOT NULL,
+      created_at INTEGER NOT NULL
+    );
+    CREATE INDEX IF NOT EXISTS idx_auth_codes_expires ON auth_codes(expires_at);
+
+    CREATE TABLE IF NOT EXISTS refresh_tokens (
+      token TEXT PRIMARY KEY,
+      client_id TEXT NOT NULL,
+      user_id TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      scope TEXT NOT NULL,
+      expires_at INTEGER NOT NULL,
+      created_at INTEGER NOT NULL,
+      supersedes TEXT
+    );
+    CREATE INDEX IF NOT EXISTS idx_refresh_expires ON refresh_tokens(expires_at);
+    CREATE INDEX IF NOT EXISTS idx_refresh_user ON refresh_tokens(tenant_id, user_id);
+
+    CREATE TABLE IF NOT EXISTS registered_clients (
+      client_id TEXT PRIMARY KEY,
+      client_secret_hash TEXT,
+      client_name TEXT NOT NULL,
+      redirect_uris TEXT NOT NULL,
+      grant_types TEXT NOT NULL,
+      response_types TEXT NOT NULL,
+      scope TEXT NOT NULL,
+      contacts TEXT,
+      logo_uri TEXT,
+      tos_uri TEXT,
+      policy_uri TEXT,
+      is_public INTEGER NOT NULL,
+      created_at INTEGER NOT NULL,
+      last_used_at INTEGER NOT NULL,
+      user_agent TEXT,
+      ip_address TEXT
+    );
+    CREATE INDEX IF NOT EXISTS idx_clients_last_used ON registered_clients(last_used_at);
+
+    CREATE TABLE IF NOT EXISTS consent_records (
+      user_id TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      client_id TEXT NOT NULL,
+      scopes TEXT NOT NULL,
+      expires_at INTEGER NOT NULL,
+      created_at INTEGER NOT NULL,
+      PRIMARY KEY (tenant_id, user_id, client_id)
+    );
+    CREATE INDEX IF NOT EXISTS idx_consent_expires ON consent_records(expires_at);
+
+    CREATE TABLE IF NOT EXISTS pending_auth (
+      id TEXT PRIMARY KEY,
+      client_id TEXT NOT NULL,
+      redirect_uri TEXT NOT NULL,
+      scope TEXT NOT NULL,
+      state TEXT,
+      nonce TEXT,
+      code_challenge TEXT NOT NULL,
+      code_challenge_method TEXT NOT NULL,
+      user_id TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      response_type TEXT NOT NULL,
+      expires_at INTEGER NOT NULL,
+      created_at INTEGER NOT NULL
+    );
+    CREATE INDEX IF NOT EXISTS idx_pending_expires ON pending_auth(expires_at);
+  `);
+    // Backfill columns added after the original schema. CREATE TABLE IF NOT EXISTS
+    // is a no-op against an existing table, so explicit ALTERs are required.
+    // ALTER COLUMN ADD on SQLite is idempotent only via PRAGMA inspection — the
+    // raw statement throws "duplicate column" on a re-run, which we swallow.
+    addColumnIfMissing(db, 'auth_codes', 'nonce', 'TEXT');
+    addColumnIfMissing(db, 'pending_auth', 'nonce', 'TEXT');
+}
+/** Idempotent ALTER TABLE ADD COLUMN. SQLite's table_info is the safest probe. */
+function addColumnIfMissing(db, table, column, type) {
+    try {
+        const cols = db.prepare(`PRAGMA table_info(${table})`).all();
+        if (cols.some((c) => c.name === column))
+            return;
+        db.exec(`ALTER TABLE ${table} ADD COLUMN ${column} ${type}`);
+    }
+    catch {
+        // Table missing or PRAGMA unavailable — initial CREATE above will have
+        // produced the column; this is purely an upgrade-from-pre-nonce path.
+    }
+}
+// ============================================================================
+// Auth Code Store
+// ============================================================================
+export class SqliteAuthCodeStore {
+    db;
+    insert;
+    select;
+    remove;
+    sweepStmt;
+    constructor(db) {
+        this.db = db;
+        this.insert = db.prepare(`
+      INSERT INTO auth_codes (code, client_id, redirect_uri, scope, user_id, tenant_id,
+        code_challenge, code_challenge_method, nonce, expires_at, created_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+        this.select = db.prepare('SELECT * FROM auth_codes WHERE code = ?');
+        this.remove = db.prepare('DELETE FROM auth_codes WHERE code = ?');
+        this.sweepStmt = db.prepare('DELETE FROM auth_codes WHERE expires_at < ?');
+    }
+    async save(code) {
+        try {
+            this.insert.run(code.code, code.clientId, code.redirectUri, code.scope, code.userId, code.tenantId, code.codeChallenge, code.codeChallengeMethod, code.nonce ?? null, code.expiresAt.getTime(), code.createdAt.getTime());
+        }
+        catch (err) {
+            if (err instanceof Error && /UNIQUE/i.test(err.message)) {
+                throw new Error('authorization code collision');
+            }
+            throw err;
+        }
+    }
+    async peek(code) {
+        const row = this.select.get(code);
+        if (!row)
+            return null;
+        const expiresAt = new Date(row.expires_at);
+        if (expiresAt.getTime() < Date.now())
+            return null;
+        return rowToAuthCode(row);
+    }
+    async consume(code) {
+        const tx = this.db.transaction((c) => {
+            const row = this.select.get(c);
+            if (!row)
+                return null;
+            this.remove.run(c);
+            return row;
+        });
+        const row = tx(code);
+        if (!row)
+            return null;
+        const expiresAt = new Date(row.expires_at);
+        if (expiresAt.getTime() < Date.now())
+            return null;
+        return rowToAuthCode(row);
+    }
+    async sweep(now = new Date()) {
+        const result = this.sweepStmt.run(now.getTime());
+        return result.changes ?? 0;
+    }
+}
+function rowToAuthCode(row) {
+    return {
+        code: row.code,
+        clientId: row.client_id,
+        redirectUri: row.redirect_uri,
+        scope: row.scope,
+        userId: row.user_id,
+        tenantId: row.tenant_id,
+        codeChallenge: row.code_challenge,
+        codeChallengeMethod: row.code_challenge_method,
+        nonce: row.nonce ?? undefined,
+        expiresAt: new Date(row.expires_at),
+        createdAt: new Date(row.created_at),
+    };
+}
+// ============================================================================
+// Refresh Token Store
+// ============================================================================
+export class SqliteRefreshTokenStore {
+    db;
+    insert;
+    select;
+    remove;
+    sweepStmt;
+    constructor(db) {
+        this.db = db;
+        this.insert = db.prepare(`
+      INSERT OR REPLACE INTO refresh_tokens
+        (token, client_id, user_id, tenant_id, scope, expires_at, created_at, supersedes)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+        this.select = db.prepare('SELECT * FROM refresh_tokens WHERE token = ?');
+        this.remove = db.prepare('DELETE FROM refresh_tokens WHERE token = ?');
+        this.sweepStmt = db.prepare('DELETE FROM refresh_tokens WHERE expires_at < ?');
+    }
+    async save(token) {
+        this.insertRow(token);
+    }
+    insertRow(token) {
+        this.insert.run(token.token, token.clientId, token.userId, token.tenantId, token.scope, token.expiresAt.getTime(), token.createdAt.getTime(), token.supersedes ?? null);
+    }
+    async find(token) {
+        const row = this.select.get(token);
+        if (!row)
+            return null;
+        if (row.expires_at < Date.now())
+            return null;
+        return rowToRefreshToken(row);
+    }
+    async rotate(oldToken, newToken) {
+        const tx = this.db.transaction((o, n) => {
+            const existing = this.select.get(o);
+            if (!existing)
+                return null;
+            if (existing.expires_at < Date.now()) {
+                this.remove.run(o);
+                return null;
+            }
+            this.remove.run(o);
+            this.insertRow(n);
+            return n;
+        });
+        return tx(oldToken, newToken);
+    }
+    async revoke(token) {
+        const result = this.remove.run(token);
+        return (result.changes ?? 0) > 0;
+    }
+    async sweep(now = new Date()) {
+        const result = this.sweepStmt.run(now.getTime());
+        return result.changes ?? 0;
+    }
+}
+function rowToRefreshToken(row) {
+    return {
+        token: row.token,
+        clientId: row.client_id,
+        userId: row.user_id,
+        tenantId: row.tenant_id,
+        scope: row.scope,
+        expiresAt: new Date(row.expires_at),
+        createdAt: new Date(row.created_at),
+        supersedes: row.supersedes ?? undefined,
+    };
+}
+// ============================================================================
+// Client Registry
+// ============================================================================
+export class SqliteClientRegistry {
+    upsert;
+    select;
+    touchStmt;
+    remove;
+    sweepStmt;
+    constructor(db) {
+        this.upsert = db.prepare(`
+      INSERT OR REPLACE INTO registered_clients
+        (client_id, client_secret_hash, client_name, redirect_uris, grant_types,
+         response_types, scope, contacts, logo_uri, tos_uri, policy_uri,
+         is_public, created_at, last_used_at, user_agent, ip_address)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+        this.select = db.prepare('SELECT * FROM registered_clients WHERE client_id = ?');
+        this.touchStmt = db.prepare('UPDATE registered_clients SET last_used_at = ? WHERE client_id = ?');
+        this.remove = db.prepare('DELETE FROM registered_clients WHERE client_id = ?');
+        this.sweepStmt = db.prepare('DELETE FROM registered_clients WHERE last_used_at < ?');
+    }
+    async save(client) {
+        this.upsert.run(client.clientId, client.clientSecretHash ?? null, client.clientName, JSON.stringify(client.redirectUris), JSON.stringify(client.grantTypes), JSON.stringify(client.responseTypes), client.scope, client.contacts ? JSON.stringify(client.contacts) : null, client.logoUri ?? null, client.tosUri ?? null, client.policyUri ?? null, client.isPublic ? 1 : 0, client.createdAt.getTime(), client.lastUsedAt.getTime(), client.registrationContext?.userAgent ?? null, client.registrationContext?.ipAddress ?? null);
+    }
+    async find(clientId) {
+        const row = this.select.get(clientId);
+        if (!row)
+            return null;
+        return rowToRegisteredClient(row);
+    }
+    async touch(clientId, now = new Date()) {
+        this.touchStmt.run(now.getTime(), clientId);
+    }
+    async delete(clientId) {
+        const result = this.remove.run(clientId);
+        return (result.changes ?? 0) > 0;
+    }
+    async sweep(maxIdleMs, now = new Date()) {
+        const threshold = now.getTime() - maxIdleMs;
+        const result = this.sweepStmt.run(threshold);
+        return result.changes ?? 0;
+    }
+}
+function rowToRegisteredClient(row) {
+    return {
+        clientId: row.client_id,
+        clientSecretHash: row.client_secret_hash ?? undefined,
+        clientName: row.client_name,
+        redirectUris: JSON.parse(row.redirect_uris),
+        grantTypes: JSON.parse(row.grant_types),
+        responseTypes: JSON.parse(row.response_types),
+        scope: row.scope,
+        contacts: row.contacts ? JSON.parse(row.contacts) : undefined,
+        logoUri: row.logo_uri ?? undefined,
+        tosUri: row.tos_uri ?? undefined,
+        policyUri: row.policy_uri ?? undefined,
+        isPublic: row.is_public === 1,
+        createdAt: new Date(row.created_at),
+        lastUsedAt: new Date(row.last_used_at),
+        registrationContext: row.user_agent || row.ip_address
+            ? { userAgent: row.user_agent ?? undefined, ipAddress: row.ip_address ?? undefined }
+            : undefined,
+    };
+}
+// ============================================================================
+// Consent Store
+// ============================================================================
+export class SqliteConsentStore {
+    upsert;
+    select;
+    remove;
+    sweepStmt;
+    constructor(db) {
+        this.upsert = db.prepare(`
+      INSERT OR REPLACE INTO consent_records
+        (user_id, tenant_id, client_id, scopes, expires_at, created_at)
+      VALUES (?, ?, ?, ?, ?, ?)
+    `);
+        this.select = db.prepare('SELECT * FROM consent_records WHERE tenant_id = ? AND user_id = ? AND client_id = ?');
+        this.remove = db.prepare('DELETE FROM consent_records WHERE tenant_id = ? AND user_id = ? AND client_id = ?');
+        this.sweepStmt = db.prepare('DELETE FROM consent_records WHERE expires_at < ?');
+    }
+    async save(record) {
+        this.upsert.run(record.userId, record.tenantId, record.clientId, record.scopes, record.expiresAt.getTime(), record.createdAt.getTime());
+    }
+    async covers(userId, tenantId, clientId, scopes) {
+        const row = this.select.get(tenantId, userId, clientId);
+        if (!row)
+            return false;
+        if (row.expires_at < Date.now()) {
+            this.remove.run(tenantId, userId, clientId);
+            return false;
+        }
+        const stored = new Set(row.scopes.split(' ').filter(Boolean));
+        return scopes.every((s) => stored.has(s));
+    }
+    async revoke(userId, tenantId, clientId) {
+        const result = this.remove.run(tenantId, userId, clientId);
+        return (result.changes ?? 0) > 0;
+    }
+    async sweep(now = new Date()) {
+        const result = this.sweepStmt.run(now.getTime());
+        return result.changes ?? 0;
+    }
+}
+// ============================================================================
+// Pending Authorization Store
+// ============================================================================
+export class SqlitePendingAuthorizationStore {
+    db;
+    insert;
+    select;
+    remove;
+    sweepStmt;
+    constructor(db) {
+        this.db = db;
+        this.insert = db.prepare(`
+      INSERT INTO pending_auth
+        (id, client_id, redirect_uri, scope, state, nonce, code_challenge,
+         code_challenge_method, user_id, tenant_id, response_type,
+         expires_at, created_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+        this.select = db.prepare('SELECT * FROM pending_auth WHERE id = ?');
+        this.remove = db.prepare('DELETE FROM pending_auth WHERE id = ?');
+        this.sweepStmt = db.prepare('DELETE FROM pending_auth WHERE expires_at < ?');
+    }
+    async save(req) {
+        this.insert.run(req.id, req.clientId, req.redirectUri, req.scope, req.state ?? null, req.nonce ?? null, req.codeChallenge, req.codeChallengeMethod, req.userId, req.tenantId, req.responseType, req.expiresAt.getTime(), req.createdAt.getTime());
+    }
+    async peek(id) {
+        const row = this.select.get(id);
+        if (!row)
+            return null;
+        if (row.expires_at < Date.now())
+            return null;
+        return rowToPending(row);
+    }
+    async consume(id) {
+        const tx = this.db.transaction((i) => {
+            const row = this.select.get(i);
+            if (!row)
+                return null;
+            this.remove.run(i);
+            return row;
+        });
+        const row = tx(id);
+        if (!row)
+            return null;
+        if (row.expires_at < Date.now())
+            return null;
+        return rowToPending(row);
+    }
+    async sweep(now = new Date()) {
+        const result = this.sweepStmt.run(now.getTime());
+        return result.changes ?? 0;
+    }
+}
+function rowToPending(row) {
+    return {
+        id: row.id,
+        clientId: row.client_id,
+        redirectUri: row.redirect_uri,
+        scope: row.scope,
+        state: row.state ?? undefined,
+        nonce: row.nonce ?? undefined,
+        codeChallenge: row.code_challenge,
+        codeChallengeMethod: row.code_challenge_method,
+        userId: row.user_id,
+        tenantId: row.tenant_id,
+        responseType: row.response_type,
+        expiresAt: new Date(row.expires_at),
+        createdAt: new Date(row.created_at),
+    };
+}
+//# sourceMappingURL=sqlite-stores.js.map

package/dist/serv/auth/sqlite-stores.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqlite-stores.js","sourceRoot":"","sources":["../../../src/serv/auth/sqlite-stores.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAgBH,OAAO,EACL,UAAU,GAGX,MAAM,gCAAgC,CAAC;AAExC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAY;IACjD,OAAO,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;AACtC,CAAC;AAED,+EAA+E;AAC/E,SAAS;AACT,+EAA+E;AAE/E,SAAS,UAAU,CAAC,EAAkB;IACpC,EAAE,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4EP,CAAC,CAAC;IAEH,+EAA+E;IAC/E,yEAAyE;IACzE,4EAA4E;IAC5E,yEAAyE;IACzE,kBAAkB,CAAC,EAAE,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACtD,kBAAkB,CAAC,EAAE,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;AAC1D,CAAC;AAED,kFAAkF;AAClF,SAAS,kBAAkB,CAAC,EAAkB,EAAE,KAAa,EAAE,MAAc,EAAE,IAAY;IACzF,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,qBAAqB,KAAK,GAAG,CAAC,CAAC,GAAG,EAA6B,CAAC;QACxF,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;YAAE,OAAO;QAChD,EAAE,CAAC,IAAI,CAAC,eAAe,KAAK,eAAe,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;QACvE,sEAAsE;IACxE,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E,MAAM,OAAO,mBAAmB;IAMV;IALZ,MAAM,CAAkB;IACxB,MAAM,CAAkB;IACxB,MAAM,CAAkB;IACxB,SAAS,CAAkB;IAEnC,YAAoB,EAAkB;QAAlB,OAAE,GAAF,EAAE,CAAgB;QACpC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC;;;;KAIxB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,yCAAyC,CAAC,CAAC;QACpE,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,uCAAuC,CAAC,CAAC;QAClE,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,6CAA6C,CAAC,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAuB;QAChC,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,CAAC,GAAG,CACb,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,mBAAmB,EACxB,IAAI,CAAC,KAAK,IAAI,IAAI,EAClB,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,EACxB,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CACzB,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,KAAK,IAAI,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxD,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;YAClD,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAY;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC3C,IAAI,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QAClD,OAAO,aAAa,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,IAAY;QACxB,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAS,EAAE,EAAE;YAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC/B,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACnB,OAAO,GAAG,CAAC;QACb,CAAC,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QACrB,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC3C,IAAI,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QAClD,OAAO,aAAa,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,MAAY,IAAI,IAAI,EAAE;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACjD,OAAO,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC;IAC7B,CAAC;CACF;AAED,SAAS,aAAa,CAAC,GAAQ;IAC7B,OAAO;QACL,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,QAAQ,EAAE,GAAG,CAAC,SAAS;QACvB,WAAW,EAAE,GAAG,CAAC,YAAY;QAC7B,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,MAAM,EAAE,GAAG,CAAC,OAAO;QACnB,QAAQ,EAAE,GAAG,CAAC,SAAS;QACvB,aAAa,EAAE,GAAG,CAAC,cAAc;QACjC,mBAAmB,EAAE,GAAG,CAAC,qBAAqB;QAC9C,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,SAAS;QAC7B,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;QACnC,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E,MAAM,OAAO,uBAAuB;IAMd;IALZ,MAAM,CAAkB;IACxB,MAAM,CAAkB;IACxB,MAAM,CAAkB;IACxB,SAAS,CAAkB;IAEnC,YAAoB,EAAkB;QAAlB,OAAE,GAAF,EAAE,CAAgB;QACpC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC;;;;KAIxB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,8CAA8C,CAAC,CAAC;QACzE,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC;QACvE,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,iDAAiD,CAAC,CAAC;IACjF,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAmB;QAC5B,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC;IAEO,SAAS,CAAC,KAAmB;QACnC,IAAI,CAAC,MAAM,CAAC,GAAG,CACb,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,MAAM,EACZ,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,EACzB,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,EACzB,KAAK,CAAC,UAAU,IAAI,IAAI,CACzB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAa;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QAC7C,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB,EAAE,QAAsB;QACnD,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAS,EAAE,CAAe,EAAE,EAAE;YAC5D,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACpC,IAAI,CAAC,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAC3B,IAAI,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACrC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBACnB,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACnB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;YAClB,OAAO,CAAC,CAAC;QACX,CAAC,CAAC,CAAC;QACH,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACtC,OAAO,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,MAAY,IAAI,IAAI,EAAE;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACjD,OAAO,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC;IAC7B,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,GAAQ;IACjC,OAAO;QACL,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,QAAQ,EAAE,GAAG,CAAC,SAAS;QACvB,MAAM,EAAE,GAAG,CAAC,OAAO;QACnB,QAAQ,EAAE,GAAG,CAAC,SAAS;QACvB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;QACnC,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;QACnC,UAAU,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;KACxC,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E,MAAM,OAAO,oBAAoB;IACvB,MAAM,CAAkB;IACxB,MAAM,CAAkB;IACxB,SAAS,CAAkB;IAC3B,MAAM,CAAkB;IACxB,SAAS,CAAkB;IAEnC,YAAY,EAAkB;QAC5B,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;KAMxB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,sDAAsD,CAAC,CAAC;QACjF,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC,OAAO,CACzB,oEAAoE,CACrE,CAAC;QACF,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,oDAAoD,CAAC,CAAC;QAC/E,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,uDAAuD,CAAC,CAAC;IACvF,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAAwB;QACjC,IAAI,CAAC,MAAM,CAAC,GAAG,CACb,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,gBAAgB,IAAI,IAAI,EAC/B,MAAM,CAAC,UAAU,EACjB,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,EACnC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,EACjC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,aAAa,CAAC,EACpC,MAAM,CAAC,KAAK,EACZ,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,EACxD,MAAM,CAAC,OAAO,IAAI,IAAI,EACtB,MAAM,CAAC,MAAM,IAAI,IAAI,EACrB,MAAM,CAAC,SAAS,IAAI,IAAI,EACxB,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EACvB,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,EAC1B,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,EAC3B,MAAM,CAAC,mBAAmB,EAAE,SAAS,IAAI,IAAI,EAC7C,MAAM,CAAC,mBAAmB,EAAE,SAAS,IAAI,IAAI,CAC9C,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,QAAgB;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO,qBAAqB,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,QAAgB,EAAE,MAAY,IAAI,IAAI,EAAE;QAClD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzC,OAAO,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,SAAiB,EAAE,MAAY,IAAI,IAAI,EAAE;QACnD,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC;QAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7C,OAAO,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC;IAC7B,CAAC;CACF;AAED,SAAS,qBAAqB,CAAC,GAAQ;IACrC,OAAO;QACL,QAAQ,EAAE,GAAG,CAAC,SAAS;QACvB,gBAAgB,EAAE,GAAG,CAAC,kBAAkB,IAAI,SAAS;QACrD,UAAU,EAAE,GAAG,CAAC,WAAW;QAC3B,YAAY,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAa;QACvD,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAa;QACnD,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAa;QACzD,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAc,CAAC,CAAC,CAAC,SAAS;QAC3E,OAAO,EAAE,GAAG,CAAC,QAAQ,IAAI,SAAS;QAClC,MAAM,EAAE,GAAG,CAAC,OAAO,IAAI,SAAS;QAChC,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;QACtC,QAAQ,EAAE,GAAG,CAAC,SAAS,KAAK,CAAC;QAC7B,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;QACnC,UAAU,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC;QACtC,mBAAmB,EACjB,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,UAAU;YAC9B,CAAC,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS,EAAE,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS,EAAE;YACpF,CAAC,CAAC,SAAS;KAChB,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E,MAAM,OAAO,kBAAkB;IACrB,MAAM,CAAkB;IACxB,MAAM,CAAkB;IACxB,MAAM,CAAkB;IACxB,SAAS,CAAkB;IAEnC,YAAY,EAAkB;QAC5B,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC;;;;KAIxB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CACtB,qFAAqF,CACtF,CAAC;QACF,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CACtB,mFAAmF,CACpF,CAAC;QACF,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,kDAAkD,CAAC,CAAC;IAClF,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAAqB;QAC9B,IAAI,CAAC,MAAM,CAAC,GAAG,CACb,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,EAC1B,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAC3B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CACV,MAAc,EACd,QAAgB,EAChB,QAAgB,EAChB,MAAgB;QAEhB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QACxD,IAAI,CAAC,GAAG;YAAE,OAAO,KAAK,CAAC;QACvB,IAAI,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YAC5C,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAE,GAAG,CAAC,MAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAC1E,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,MAAc,EAAE,QAAgB,EAAE,QAAgB;QAC7D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC3D,OAAO,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,MAAY,IAAI,IAAI,EAAE;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACjD,OAAO,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC;IAC7B,CAAC;CACF;AAED,+EAA+E;AAC/E,8BAA8B;AAC9B,+EAA+E;AAE/E,MAAM,OAAO,+BAA+B;IAMtB;IALZ,MAAM,CAAkB;IACxB,MAAM,CAAkB;IACxB,MAAM,CAAkB;IACxB,SAAS,CAAkB;IAEnC,YAAoB,EAAkB;QAAlB,OAAE,GAAF,EAAE,CAAgB;QACpC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;KAMxB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,yCAAyC,CAAC,CAAC;QACpE,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,uCAAuC,CAAC,CAAC;QAClE,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,+CAA+C,CAAC,CAAC;IAC/E,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAyB;QAClC,IAAI,CAAC,MAAM,CAAC,GAAG,CACb,GAAG,CAAC,EAAE,EACN,GAAG,CAAC,QAAQ,EACZ,GAAG,CAAC,WAAW,EACf,GAAG,CAAC,KAAK,EACT,GAAG,CAAC,KAAK,IAAI,IAAI,EACjB,GAAG,CAAC,KAAK,IAAI,IAAI,EACjB,GAAG,CAAC,aAAa,EACjB,GAAG,CAAC,mBAAmB,EACvB,GAAG,CAAC,MAAM,EACV,GAAG,CAAC,QAAQ,EACZ,GAAG,CAAC,YAAY,EAChB,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,EACvB,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,CACxB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QAC7C,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EAAU;QACtB,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAS,EAAE,EAAE;YAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC/B,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACnB,OAAO,GAAG,CAAC;QACb,CAAC,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnB,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QAC7C,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,MAAY,IAAI,IAAI,EAAE;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACjD,OAAO,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC;IAC7B,CAAC;CACF;AAED,SAAS,YAAY,CAAC,GAAQ;IAC5B,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,QAAQ,EAAE,GAAG,CAAC,SAAS;QACvB,WAAW,EAAE,GAAG,CAAC,YAAY;QAC7B,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,SAAS;QAC7B,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,SAAS;QAC7B,aAAa,EAAE,GAAG,CAAC,cAAc;QACjC,mBAAmB,EAAE,GAAG,CAAC,qBAAqB;QAC9C,MAAM,EAAE,GAAG,CAAC,OAAO;QACnB,QAAQ,EAAE,GAAG,CAAC,SAAS;QACvB,YAAY,EAAE,GAAG,CAAC,aAAa;QAC/B,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;QACnC,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;KACpC,CAAC;AACJ,CAAC"}

package/dist/serv/auth/well-known.d.ts

@@ -34,9 +34,61 @@ export interface ClientMetadataDocument {
     policy_uri?: string;
 }
 /**
- * Fetch and validate a Client ID Metadata Document
+ * Error taxonomy for CIMD resolution failures. Maps to OAuth `invalid_client`
+ * with distinct `error_description` so callers can diagnose misconfiguration.
+ */
+export type CimdError = 'not_https' | 'fetch_failed' | 'http_error' | 'invalid_json' | 'client_id_mismatch' | 'missing_redirect_uris' | 'domain_not_allowed' | 'timeout';
+export interface CimdResult {
+    ok: boolean;
+    metadata?: ClientMetadataDocument;
+    error?: CimdError;
+    errorDescription?: string;
+    fromCache?: boolean;
+}
+export interface CimdFetchOptions {
+    /** Allowlist of hostnames; supports exact match or leading wildcard (*.claude.ai). Empty = allow all. */
+    allowedDomains?: string[];
+    /** Cache to consult/update. If omitted, fetch is uncached. */
+    cache?: CimdCache;
+    /** Override fetch for testing. */
+    fetchImpl?: typeof fetch;
+}
+/**
+ * Resolve a CIMD client_id to its metadata document with full validation,
+ * caching, and domain-allowlist enforcement.
+ */
+export declare function resolveClientMetadata(clientId: string, opts?: CimdFetchOptions): Promise<CimdResult>;
+/**
+ * @deprecated Use resolveClientMetadata for structured errors + caching.
+ * Retained for callers that only need the happy-path document.
  */
 export declare function fetchClientMetadata(clientId: string): Promise<ClientMetadataDocument | null>;
+interface CimdCacheEntry {
+    metadata: ClientMetadataDocument;
+    etag?: string;
+    expiresAt: number;
+}
+/**
+ * LRU cache for CIMD metadata. Eviction on insert past capacity.
+ */
+export declare class CimdCache {
+    private capacity;
+    private entries;
+    constructor(capacity?: number);
+    get(clientId: string): CimdCacheEntry | undefined;
+    set(clientId: string, entry: CimdCacheEntry): void;
+    clear(): void;
+    size(): number;
+}
+declare function isDomainAllowed(hostname: string, allowlist?: string[]): boolean;
+declare function resolveTtlMs(response: Response): number;
+/**
+ * Internal exports for tests only.
+ */
+export declare const __test__: {
+    isDomainAllowed: typeof isDomainAllowed;
+    resolveTtlMs: typeof resolveTtlMs;
+};
 /**
  * Handle /.well-known/oauth-protected-resource request
  */
@@ -57,4 +109,5 @@ export declare function handleAuthServerRequest(config: WellKnownConfig, tenant:
  * Generate WWW-Authenticate header for 401 responses
  */
 export declare function generateWwwAuthenticate(baseUrl: string, tenant: Tenant, error?: string, errorDescription?: string): string;
+export {};
 //# sourceMappingURL=well-known.d.ts.map

package/dist/serv/auth/well-known.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"well-known.d.ts","sourceRoot":"","sources":["../../../src/serv/auth/well-known.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,yBAAyB,EACzB,2BAA2B,EAC3B,MAAM,EACP,MAAM,mBAAmB,CAAC;AAS3B,MAAM,WAAW,eAAe;IAC9B,2DAA2D;IAC3D,OAAO,EAAE,MAAM,CAAC;IAChB,+BAA+B;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,wBAAwB;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAMD;;GAEG;AACH,wBAAgB,iCAAiC,CAC/C,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb,yBAAyB,CAU3B;AAMD;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb,2BAA2B,CA0B7B;AAMD,MAAM,WAAW,sBAAsB;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC,CA6BxC;AA+BD;;GAEG;AACH,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAWnE;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAWnE;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,EACd,gBAAgB,CAAC,EAAE,MAAM,GACxB,MAAM,CAeR"}
+{"version":3,"file":"well-known.d.ts","sourceRoot":"","sources":["../../../src/serv/auth/well-known.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,yBAAyB,EACzB,2BAA2B,EAC3B,MAAM,EACP,MAAM,mBAAmB,CAAC;AAS3B,MAAM,WAAW,eAAe;IAC9B,2DAA2D;IAC3D,OAAO,EAAE,MAAM,CAAC;IAChB,+BAA+B;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,wBAAwB;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAMD;;GAEG;AACH,wBAAgB,iCAAiC,CAC/C,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb,yBAAyB,CAU3B;AAMD;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb,2BAA2B,CA6B7B;AAMD,MAAM,WAAW,sBAAsB;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,MAAM,SAAS,GACjB,WAAW,GACX,cAAc,GACd,YAAY,GACZ,cAAc,GACd,oBAAoB,GACpB,uBAAuB,GACvB,oBAAoB,GACpB,SAAS,CAAC;AAEd,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,CAAC,EAAE,sBAAsB,CAAC;IAClC,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,gBAAgB;IAC/B,yGAAyG;IACzG,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,8DAA8D;IAC9D,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,kCAAkC;IAClC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CAC1B;AAID;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,IAAI,GAAE,gBAAqB,GAC1B,OAAO,CAAC,UAAU,CAAC,CAoGrB;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC,CAGxC;AAMD,UAAU,cAAc;IACtB,QAAQ,EAAE,sBAAsB,CAAC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,qBAAa,SAAS;IAER,OAAO,CAAC,QAAQ;IAD5B,OAAO,CAAC,OAAO,CAAqC;gBAChC,QAAQ,SAAM;IAElC,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IASjD,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,cAAc,GAAG,IAAI;IAUlD,KAAK,IAAI,IAAI;IAIb,IAAI,IAAI,MAAM;CAGf;AAMD,iBAAS,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAWxE;AAED,iBAAS,YAAY,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAQhD;AAED;;GAEG;AACH,eAAO,MAAM,QAAQ;;;CAAoC,CAAC;AA+B1D;;GAEG;AACH,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAWnE;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAWnE;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,EACd,gBAAgB,CAAC,EAAE,MAAM,GACxB,MAAM,CAeR"}