@push.rocks/smartregistry 1.1.1

package/dist_ts/00_commitinfo_data.d.ts

@@ -0,0 +1,8 @@
+/**
+ * autocreated commitinfo by @push.rocks/commitinfo
+ */
+export declare const commitinfo: {
+    name: string;
+    version: string;
+    description: string;
+};

package/dist_ts/00_commitinfo_data.js

@@ -0,0 +1,9 @@
+/**
+ * autocreated commitinfo by @push.rocks/commitinfo
+ */
+export const commitinfo = {
+    name: '@push.rocks/smartregistry',
+    version: '1.1.1',
+    description: 'a registry for npm modules and oci images'
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiMDBfY29tbWl0aW5mb19kYXRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vdHMvMDBfY29tbWl0aW5mb19kYXRhLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sVUFBVSxHQUFHO0lBQ3hCLElBQUksRUFBRSwyQkFBMkI7SUFDakMsT0FBTyxFQUFFLE9BQU87SUFDaEIsV0FBVyxFQUFFLDJDQUEyQztDQUN6RCxDQUFBIn0=

package/dist_ts/classes.smartregistry.d.ts

@@ -0,0 +1,45 @@
+import { RegistryStorage } from './core/classes.registrystorage.js';
+import { AuthManager } from './core/classes.authmanager.js';
+import { BaseRegistry } from './core/classes.baseregistry.js';
+import type { IRegistryConfig, IRequestContext, IResponse } from './core/interfaces.core.js';
+/**
+ * Main registry orchestrator
+ * Routes requests to appropriate protocol handlers (OCI or NPM)
+ */
+export declare class SmartRegistry {
+    private storage;
+    private authManager;
+    private registries;
+    private config;
+    private initialized;
+    constructor(config: IRegistryConfig);
+    /**
+     * Initialize the registry system
+     */
+    init(): Promise<void>;
+    /**
+     * Handle an incoming HTTP request
+     * Routes to the appropriate protocol handler based on path
+     */
+    handleRequest(context: IRequestContext): Promise<IResponse>;
+    /**
+     * Get the storage instance (for testing/advanced use)
+     */
+    getStorage(): RegistryStorage;
+    /**
+     * Get the auth manager instance (for testing/advanced use)
+     */
+    getAuthManager(): AuthManager;
+    /**
+     * Get a specific registry handler
+     */
+    getRegistry(protocol: 'oci' | 'npm'): BaseRegistry | undefined;
+    /**
+     * Check if the registry is initialized
+     */
+    isInitialized(): boolean;
+    /**
+     * Clean up resources (timers, connections, etc.)
+     */
+    destroy(): void;
+}

package/dist_ts/classes.smartregistry.js

@@ -0,0 +1,113 @@
+import { RegistryStorage } from './core/classes.registrystorage.js';
+import { AuthManager } from './core/classes.authmanager.js';
+import { BaseRegistry } from './core/classes.baseregistry.js';
+import { OciRegistry } from './oci/classes.ociregistry.js';
+import { NpmRegistry } from './npm/classes.npmregistry.js';
+/**
+ * Main registry orchestrator
+ * Routes requests to appropriate protocol handlers (OCI or NPM)
+ */
+export class SmartRegistry {
+    storage;
+    authManager;
+    registries = new Map();
+    config;
+    initialized = false;
+    constructor(config) {
+        this.config = config;
+        this.storage = new RegistryStorage(config.storage);
+        this.authManager = new AuthManager(config.auth);
+    }
+    /**
+     * Initialize the registry system
+     */
+    async init() {
+        if (this.initialized)
+            return;
+        // Initialize storage
+        await this.storage.init();
+        // Initialize auth manager
+        await this.authManager.init();
+        // Initialize OCI registry if enabled
+        if (this.config.oci?.enabled) {
+            const ociBasePath = this.config.oci.basePath || '/oci';
+            const ociRegistry = new OciRegistry(this.storage, this.authManager, ociBasePath);
+            await ociRegistry.init();
+            this.registries.set('oci', ociRegistry);
+        }
+        // Initialize NPM registry if enabled
+        if (this.config.npm?.enabled) {
+            const npmBasePath = this.config.npm.basePath || '/npm';
+            const registryUrl = `http://localhost:5000${npmBasePath}`; // TODO: Make configurable
+            const npmRegistry = new NpmRegistry(this.storage, this.authManager, npmBasePath, registryUrl);
+            await npmRegistry.init();
+            this.registries.set('npm', npmRegistry);
+        }
+        this.initialized = true;
+    }
+    /**
+     * Handle an incoming HTTP request
+     * Routes to the appropriate protocol handler based on path
+     */
+    async handleRequest(context) {
+        const path = context.path;
+        // Route to OCI registry
+        if (this.config.oci?.enabled && path.startsWith(this.config.oci.basePath)) {
+            const ociRegistry = this.registries.get('oci');
+            if (ociRegistry) {
+                return ociRegistry.handleRequest(context);
+            }
+        }
+        // Route to NPM registry
+        if (this.config.npm?.enabled && path.startsWith(this.config.npm.basePath)) {
+            const npmRegistry = this.registries.get('npm');
+            if (npmRegistry) {
+                return npmRegistry.handleRequest(context);
+            }
+        }
+        // No matching registry
+        return {
+            status: 404,
+            headers: { 'Content-Type': 'application/json' },
+            body: {
+                error: 'NOT_FOUND',
+                message: 'No registry handler for this path',
+            },
+        };
+    }
+    /**
+     * Get the storage instance (for testing/advanced use)
+     */
+    getStorage() {
+        return this.storage;
+    }
+    /**
+     * Get the auth manager instance (for testing/advanced use)
+     */
+    getAuthManager() {
+        return this.authManager;
+    }
+    /**
+     * Get a specific registry handler
+     */
+    getRegistry(protocol) {
+        return this.registries.get(protocol);
+    }
+    /**
+     * Check if the registry is initialized
+     */
+    isInitialized() {
+        return this.initialized;
+    }
+    /**
+     * Clean up resources (timers, connections, etc.)
+     */
+    destroy() {
+        for (const registry of this.registries.values()) {
+            if (typeof registry.destroy === 'function') {
+                registry.destroy();
+            }
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5zbWFydHJlZ2lzdHJ5LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vdHMvY2xhc3Nlcy5zbWFydHJlZ2lzdHJ5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxlQUFlLEVBQUUsTUFBTSxtQ0FBbUMsQ0FBQztBQUNwRSxPQUFPLEVBQUUsV0FBVyxFQUFFLE1BQU0sK0JBQStCLENBQUM7QUFDNUQsT0FBTyxFQUFFLFlBQVksRUFBRSxNQUFNLGdDQUFnQyxDQUFDO0FBRTlELE9BQU8sRUFBRSxXQUFXLEVBQUUsTUFBTSw4QkFBOEIsQ0FBQztBQUMzRCxPQUFPLEVBQUUsV0FBVyxFQUFFLE1BQU0sOEJBQThCLENBQUM7QUFFM0Q7OztHQUdHO0FBQ0gsTUFBTSxPQUFPLGFBQWE7SUFDaEIsT0FBTyxDQUFrQjtJQUN6QixXQUFXLENBQWM7SUFDekIsVUFBVSxHQUE4QixJQUFJLEdBQUcsRUFBRSxDQUFDO0lBQ2xELE1BQU0sQ0FBa0I7SUFDeEIsV0FBVyxHQUFZLEtBQUssQ0FBQztJQUVyQyxZQUFZLE1BQXVCO1FBQ2pDLElBQUksQ0FBQyxNQUFNLEdBQUcsTUFBTSxDQUFDO1FBQ3JCLElBQUksQ0FBQyxPQUFPLEdBQUcsSUFBSSxlQUFlLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQ25ELElBQUksQ0FBQyxXQUFXLEdBQUcsSUFBSSxXQUFXLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxDQUFDO0lBQ2xELENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyxJQUFJO1FBQ2YsSUFBSSxJQUFJLENBQUMsV0FBVztZQUFFLE9BQU87UUFFN0IscUJBQXFCO1FBQ3JCLE1BQU0sSUFBSSxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUUxQiwwQkFBMEI7UUFDMUIsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksRUFBRSxDQUFDO1FBRTlCLHFDQUFxQztRQUNyQyxJQUFJLElBQUksQ0FBQyxNQUFNLENBQUMsR0FBRyxFQUFFLE9BQU8sRUFBRSxDQUFDO1lBQzdCLE1BQU0sV0FBVyxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLFFBQVEsSUFBSSxNQUFNLENBQUM7WUFDdkQsTUFBTSxXQUFXLEdBQUcsSUFBSSxXQUFXLENBQUMsSUFBSSxDQUFDLE9BQU8sRUFBRSxJQUFJLENBQUMsV0FBVyxFQUFFLFdBQVcsQ0FBQyxDQUFDO1lBQ2pGLE1BQU0sV0FBVyxDQUFDLElBQUksRUFBRSxDQUFDO1lBQ3pCLElBQUksQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDLEtBQUssRUFBRSxXQUFXLENBQUMsQ0FBQztRQUMxQyxDQUFDO1FBRUQscUNBQXFDO1FBQ3JDLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxHQUFHLEVBQUUsT0FBTyxFQUFFLENBQUM7WUFDN0IsTUFBTSxXQUFXLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxHQUFHLENBQUMsUUFBUSxJQUFJLE1BQU0sQ0FBQztZQUN2RCxNQUFNLFdBQVcsR0FBRyx3QkFBd0IsV0FBVyxFQUFFLENBQUMsQ0FBQywwQkFBMEI7WUFDckYsTUFBTSxXQUFXLEdBQUcsSUFBSSxXQUFXLENBQUMsSUFBSSxDQUFDLE9BQU8sRUFBRSxJQUFJLENBQUMsV0FBVyxFQUFFLFdBQVcsRUFBRSxXQUFXLENBQUMsQ0FBQztZQUM5RixNQUFNLFdBQVcsQ0FBQyxJQUFJLEVBQUUsQ0FBQztZQUN6QixJQUFJLENBQUMsVUFBVSxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsV0FBVyxDQUFDLENBQUM7UUFDMUMsQ0FBQztRQUVELElBQUksQ0FBQyxXQUFXLEdBQUcsSUFBSSxDQUFDO0lBQzFCLENBQUM7SUFFRDs7O09BR0c7SUFDSSxLQUFLLENBQUMsYUFBYSxDQUFDLE9BQXdCO1FBQ2pELE1BQU0sSUFBSSxHQUFHLE9BQU8sQ0FBQyxJQUFJLENBQUM7UUFFMUIsd0JBQXdCO1FBQ3hCLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxHQUFHLEVBQUUsT0FBTyxJQUFJLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxHQUFHLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQztZQUMxRSxNQUFNLFdBQVcsR0FBRyxJQUFJLENBQUMsVUFBVSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsQ0FBQztZQUMvQyxJQUFJLFdBQVcsRUFBRSxDQUFDO2dCQUNoQixPQUFPLFdBQVcsQ0FBQyxhQUFhLENBQUMsT0FBTyxDQUFDLENBQUM7WUFDNUMsQ0FBQztRQUNILENBQUM7UUFFRCx3QkFBd0I7UUFDeEIsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLEdBQUcsRUFBRSxPQUFPLElBQUksSUFBSSxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO1lBQzFFLE1BQU0sV0FBVyxHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDO1lBQy9DLElBQUksV0FBVyxFQUFFLENBQUM7Z0JBQ2hCLE9BQU8sV0FBVyxDQUFDLGFBQWEsQ0FBQyxPQUFPLENBQUMsQ0FBQztZQUM1QyxDQUFDO1FBQ0gsQ0FBQztRQUVELHVCQUF1QjtRQUN2QixPQUFPO1lBQ0wsTUFBTSxFQUFFLEdBQUc7WUFDWCxPQUFPLEVBQUUsRUFBRSxjQUFjLEVBQUUsa0JBQWtCLEVBQUU7WUFDL0MsSUFBSSxFQUFFO2dCQUNKLEtBQUssRUFBRSxXQUFXO2dCQUNsQixPQUFPLEVBQUUsbUNBQW1DO2FBQzdDO1NBQ0YsQ0FBQztJQUNKLENBQUM7SUFFRDs7T0FFRztJQUNJLFVBQVU7UUFDZixPQUFPLElBQUksQ0FBQyxPQUFPLENBQUM7SUFDdEIsQ0FBQztJQUVEOztPQUVHO0lBQ0ksY0FBYztRQUNuQixPQUFPLElBQUksQ0FBQyxXQUFXLENBQUM7SUFDMUIsQ0FBQztJQUVEOztPQUVHO0lBQ0ksV0FBVyxDQUFDLFFBQXVCO1FBQ3hDLE9BQU8sSUFBSSxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsUUFBUSxDQUFDLENBQUM7SUFDdkMsQ0FBQztJQUVEOztPQUVHO0lBQ0ksYUFBYTtRQUNsQixPQUFPLElBQUksQ0FBQyxXQUFXLENBQUM7SUFDMUIsQ0FBQztJQUVEOztPQUVHO0lBQ0ksT0FBTztRQUNaLEtBQUssTUFBTSxRQUFRLElBQUksSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDO1lBQ2hELElBQUksT0FBUSxRQUFnQixDQUFDLE9BQU8sS0FBSyxVQUFVLEVBQUUsQ0FBQztnQkFDbkQsUUFBZ0IsQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUM5QixDQUFDO1FBQ0gsQ0FBQztJQUNILENBQUM7Q0FDRiJ9

package/dist_ts/core/classes.authmanager.d.ts

@@ -0,0 +1,108 @@
+import type { IAuthConfig, IAuthToken, ICredentials, TRegistryProtocol } from './interfaces.core.js';
+/**
+ * Unified authentication manager for all registry protocols
+ * Handles both NPM UUID tokens and OCI JWT tokens
+ */
+export declare class AuthManager {
+    private config;
+    private tokenStore;
+    private userCredentials;
+    constructor(config: IAuthConfig);
+    /**
+     * Initialize the auth manager
+     */
+    init(): Promise<void>;
+    /**
+     * Create an NPM token
+     * @param userId - User ID
+     * @param readonly - Whether the token is readonly
+     * @returns NPM UUID token
+     */
+    createNpmToken(userId: string, readonly?: boolean): Promise<string>;
+    /**
+     * Validate an NPM token
+     * @param token - NPM UUID token
+     * @returns Auth token object or null
+     */
+    validateNpmToken(token: string): Promise<IAuthToken | null>;
+    /**
+     * Revoke an NPM token
+     * @param token - NPM UUID token
+     */
+    revokeNpmToken(token: string): Promise<void>;
+    /**
+     * List all tokens for a user
+     * @param userId - User ID
+     * @returns List of token info (without actual token values)
+     */
+    listUserTokens(userId: string): Promise<Array<{
+        key: string;
+        readonly: boolean;
+        created: string;
+    }>>;
+    /**
+     * Create an OCI JWT token
+     * @param userId - User ID
+     * @param scopes - Permission scopes
+     * @param expiresIn - Expiration time in seconds
+     * @returns JWT token string
+     */
+    createOciToken(userId: string, scopes: string[], expiresIn?: number): Promise<string>;
+    /**
+     * Validate an OCI JWT token
+     * @param jwt - JWT token string
+     * @returns Auth token object or null
+     */
+    validateOciToken(jwt: string): Promise<IAuthToken | null>;
+    /**
+     * Authenticate user credentials
+     * @param credentials - Username and password
+     * @returns User ID or null
+     */
+    authenticate(credentials: ICredentials): Promise<string | null>;
+    /**
+     * Validate any token (NPM or OCI)
+     * @param tokenString - Token string (UUID or JWT)
+     * @param protocol - Expected protocol type
+     * @returns Auth token object or null
+     */
+    validateToken(tokenString: string, protocol?: TRegistryProtocol): Promise<IAuthToken | null>;
+    /**
+     * Check if token has permission for an action
+     * @param token - Auth token
+     * @param resource - Resource being accessed (e.g., "package:foo" or "repository:bar")
+     * @param action - Action being performed (read, write, push, pull, delete)
+     * @returns true if authorized
+     */
+    authorize(token: IAuthToken | null, resource: string, action: string): Promise<boolean>;
+    /**
+     * Check if a scope matches a resource and action
+     * Scope format: "{protocol}:{type}:{name}:{action}"
+     * Examples:
+     * - "npm:*:*" - All NPM access
+     * - "npm:package:foo:*" - All actions on package foo
+     * - "npm:package:foo:read" - Read-only on package foo
+     * - "oci:repository:*:pull" - Pull from any OCI repo
+     */
+    private matchesScope;
+    /**
+     * Convert unified scopes to OCI access array
+     */
+    private scopesToOciAccess;
+    /**
+     * Convert OCI access array to unified scopes
+     */
+    private ociAccessToScopes;
+    /**
+     * Generate UUID for NPM tokens
+     */
+    private generateUuid;
+    /**
+     * Check if string is a valid UUID
+     */
+    private isValidUuid;
+    /**
+     * Hash a token for identification (SHA-512 mock)
+     */
+    private hashToken;
+}

package/dist_ts/core/classes.authmanager.js

@@ -0,0 +1,315 @@
+/**
+ * Unified authentication manager for all registry protocols
+ * Handles both NPM UUID tokens and OCI JWT tokens
+ */
+export class AuthManager {
+    config;
+    tokenStore = new Map();
+    userCredentials = new Map(); // username -> password hash (mock)
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Initialize the auth manager
+     */
+    async init() {
+        // Initialize token store (in-memory for now)
+        // In production, this could be Redis or a database
+    }
+    // ========================================================================
+    // NPM AUTHENTICATION
+    // ========================================================================
+    /**
+     * Create an NPM token
+     * @param userId - User ID
+     * @param readonly - Whether the token is readonly
+     * @returns NPM UUID token
+     */
+    async createNpmToken(userId, readonly = false) {
+        if (!this.config.npmTokens.enabled) {
+            throw new Error('NPM tokens are not enabled');
+        }
+        const token = this.generateUuid();
+        const authToken = {
+            type: 'npm',
+            userId,
+            scopes: readonly ? ['npm:*:*:read'] : ['npm:*:*:*'],
+            readonly,
+            metadata: {
+                created: new Date().toISOString(),
+            },
+        };
+        this.tokenStore.set(token, authToken);
+        return token;
+    }
+    /**
+     * Validate an NPM token
+     * @param token - NPM UUID token
+     * @returns Auth token object or null
+     */
+    async validateNpmToken(token) {
+        if (!this.isValidUuid(token)) {
+            return null;
+        }
+        const authToken = this.tokenStore.get(token);
+        if (!authToken || authToken.type !== 'npm') {
+            return null;
+        }
+        // Check expiration if set
+        if (authToken.expiresAt && authToken.expiresAt < new Date()) {
+            this.tokenStore.delete(token);
+            return null;
+        }
+        return authToken;
+    }
+    /**
+     * Revoke an NPM token
+     * @param token - NPM UUID token
+     */
+    async revokeNpmToken(token) {
+        this.tokenStore.delete(token);
+    }
+    /**
+     * List all tokens for a user
+     * @param userId - User ID
+     * @returns List of token info (without actual token values)
+     */
+    async listUserTokens(userId) {
+        const tokens = [];
+        for (const [token, authToken] of this.tokenStore.entries()) {
+            if (authToken.userId === userId) {
+                tokens.push({
+                    key: this.hashToken(token),
+                    readonly: authToken.readonly || false,
+                    created: authToken.metadata?.created || 'unknown',
+                });
+            }
+        }
+        return tokens;
+    }
+    // ========================================================================
+    // OCI AUTHENTICATION (JWT)
+    // ========================================================================
+    /**
+     * Create an OCI JWT token
+     * @param userId - User ID
+     * @param scopes - Permission scopes
+     * @param expiresIn - Expiration time in seconds
+     * @returns JWT token string
+     */
+    async createOciToken(userId, scopes, expiresIn = 3600) {
+        if (!this.config.ociTokens.enabled) {
+            throw new Error('OCI tokens are not enabled');
+        }
+        const now = Math.floor(Date.now() / 1000);
+        const payload = {
+            iss: this.config.ociTokens.realm,
+            sub: userId,
+            aud: this.config.ociTokens.service,
+            exp: now + expiresIn,
+            nbf: now,
+            iat: now,
+            access: this.scopesToOciAccess(scopes),
+        };
+        // In production, use proper JWT library with signing
+        // For now, return JSON string (mock JWT)
+        return JSON.stringify(payload);
+    }
+    /**
+     * Validate an OCI JWT token
+     * @param jwt - JWT token string
+     * @returns Auth token object or null
+     */
+    async validateOciToken(jwt) {
+        try {
+            // In production, verify JWT signature
+            const payload = JSON.parse(jwt);
+            // Check expiration
+            const now = Math.floor(Date.now() / 1000);
+            if (payload.exp && payload.exp < now) {
+                return null;
+            }
+            // Convert to unified token format
+            const scopes = this.ociAccessToScopes(payload.access || []);
+            return {
+                type: 'oci',
+                userId: payload.sub,
+                scopes,
+                expiresAt: payload.exp ? new Date(payload.exp * 1000) : undefined,
+                metadata: {
+                    iss: payload.iss,
+                    aud: payload.aud,
+                },
+            };
+        }
+        catch (error) {
+            return null;
+        }
+    }
+    // ========================================================================
+    // UNIFIED AUTHENTICATION
+    // ========================================================================
+    /**
+     * Authenticate user credentials
+     * @param credentials - Username and password
+     * @returns User ID or null
+     */
+    async authenticate(credentials) {
+        // Mock authentication - in production, verify against database
+        const storedPassword = this.userCredentials.get(credentials.username);
+        if (!storedPassword) {
+            // Auto-register for testing (remove in production)
+            this.userCredentials.set(credentials.username, credentials.password);
+            return credentials.username;
+        }
+        if (storedPassword === credentials.password) {
+            return credentials.username;
+        }
+        return null;
+    }
+    /**
+     * Validate any token (NPM or OCI)
+     * @param tokenString - Token string (UUID or JWT)
+     * @param protocol - Expected protocol type
+     * @returns Auth token object or null
+     */
+    async validateToken(tokenString, protocol) {
+        // Try NPM token first (UUID format)
+        if (this.isValidUuid(tokenString)) {
+            const npmToken = await this.validateNpmToken(tokenString);
+            if (npmToken && (!protocol || protocol === 'npm')) {
+                return npmToken;
+            }
+        }
+        // Try OCI JWT
+        const ociToken = await this.validateOciToken(tokenString);
+        if (ociToken && (!protocol || protocol === 'oci')) {
+            return ociToken;
+        }
+        return null;
+    }
+    /**
+     * Check if token has permission for an action
+     * @param token - Auth token
+     * @param resource - Resource being accessed (e.g., "package:foo" or "repository:bar")
+     * @param action - Action being performed (read, write, push, pull, delete)
+     * @returns true if authorized
+     */
+    async authorize(token, resource, action) {
+        if (!token) {
+            return false;
+        }
+        // Check readonly flag
+        if (token.readonly && ['write', 'push', 'delete'].includes(action)) {
+            return false;
+        }
+        // Check scopes
+        for (const scope of token.scopes) {
+            if (this.matchesScope(scope, resource, action)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    // ========================================================================
+    // HELPER METHODS
+    // ========================================================================
+    /**
+     * Check if a scope matches a resource and action
+     * Scope format: "{protocol}:{type}:{name}:{action}"
+     * Examples:
+     * - "npm:*:*" - All NPM access
+     * - "npm:package:foo:*" - All actions on package foo
+     * - "npm:package:foo:read" - Read-only on package foo
+     * - "oci:repository:*:pull" - Pull from any OCI repo
+     */
+    matchesScope(scope, resource, action) {
+        const scopeParts = scope.split(':');
+        const resourceParts = resource.split(':');
+        // Scope must have at least protocol:type:name:action
+        if (scopeParts.length < 4) {
+            return false;
+        }
+        const [scopeProtocol, scopeType, scopeName, scopeAction] = scopeParts;
+        const [resourceProtocol, resourceType, resourceName] = resourceParts;
+        // Check protocol
+        if (scopeProtocol !== '*' && scopeProtocol !== resourceProtocol) {
+            return false;
+        }
+        // Check type
+        if (scopeType !== '*' && scopeType !== resourceType) {
+            return false;
+        }
+        // Check name
+        if (scopeName !== '*' && scopeName !== resourceName) {
+            return false;
+        }
+        // Check action
+        if (scopeAction !== '*' && scopeAction !== action) {
+            // Map action aliases
+            const actionAliases = {
+                read: ['pull', 'get'],
+                write: ['push', 'put', 'post'],
+            };
+            const aliases = actionAliases[scopeAction] || [];
+            if (!aliases.includes(action)) {
+                return false;
+            }
+        }
+        return true;
+    }
+    /**
+     * Convert unified scopes to OCI access array
+     */
+    scopesToOciAccess(scopes) {
+        const access = [];
+        for (const scope of scopes) {
+            const parts = scope.split(':');
+            if (parts.length >= 4 && parts[0] === 'oci') {
+                access.push({
+                    type: parts[1],
+                    name: parts[2],
+                    actions: [parts[3]],
+                });
+            }
+        }
+        return access;
+    }
+    /**
+     * Convert OCI access array to unified scopes
+     */
+    ociAccessToScopes(access) {
+        const scopes = [];
+        for (const item of access) {
+            for (const action of item.actions) {
+                scopes.push(`oci:${item.type}:${item.name}:${action}`);
+            }
+        }
+        return scopes;
+    }
+    /**
+     * Generate UUID for NPM tokens
+     */
+    generateUuid() {
+        return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, (c) => {
+            const r = (Math.random() * 16) | 0;
+            const v = c === 'x' ? r : (r & 0x3) | 0x8;
+            return v.toString(16);
+        });
+    }
+    /**
+     * Check if string is a valid UUID
+     */
+    isValidUuid(str) {
+        const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+        return uuidRegex.test(str);
+    }
+    /**
+     * Hash a token for identification (SHA-512 mock)
+     */
+    hashToken(token) {
+        // In production, use actual SHA-512
+        return `sha512-${token.substring(0, 16)}...`;
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5hdXRobWFuYWdlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3RzL2NvcmUvY2xhc3Nlcy5hdXRobWFuYWdlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFFQTs7O0dBR0c7QUFDSCxNQUFNLE9BQU8sV0FBVztJQUlGO0lBSFosVUFBVSxHQUE0QixJQUFJLEdBQUcsRUFBRSxDQUFDO0lBQ2hELGVBQWUsR0FBd0IsSUFBSSxHQUFHLEVBQUUsQ0FBQyxDQUFDLG1DQUFtQztJQUU3RixZQUFvQixNQUFtQjtRQUFuQixXQUFNLEdBQU4sTUFBTSxDQUFhO0lBQUcsQ0FBQztJQUUzQzs7T0FFRztJQUNJLEtBQUssQ0FBQyxJQUFJO1FBQ2YsNkNBQTZDO1FBQzdDLG1EQUFtRDtJQUNyRCxDQUFDO0lBRUQsMkVBQTJFO0lBQzNFLHFCQUFxQjtJQUNyQiwyRUFBMkU7SUFFM0U7Ozs7O09BS0c7SUFDSSxLQUFLLENBQUMsY0FBYyxDQUFDLE1BQWMsRUFBRSxXQUFvQixLQUFLO1FBQ25FLElBQUksQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUNuQyxNQUFNLElBQUksS0FBSyxDQUFDLDRCQUE0QixDQUFDLENBQUM7UUFDaEQsQ0FBQztRQUVELE1BQU0sS0FBSyxHQUFHLElBQUksQ0FBQyxZQUFZLEVBQUUsQ0FBQztRQUNsQyxNQUFNLFNBQVMsR0FBZTtZQUM1QixJQUFJLEVBQUUsS0FBSztZQUNYLE1BQU07WUFDTixNQUFNLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLFdBQVcsQ0FBQztZQUNuRCxRQUFRO1lBQ1IsUUFBUSxFQUFFO2dCQUNSLE9BQU8sRUFBRSxJQUFJLElBQUksRUFBRSxDQUFDLFdBQVcsRUFBRTthQUNsQztTQUNGLENBQUM7UUFFRixJQUFJLENBQUMsVUFBVSxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsU0FBUyxDQUFDLENBQUM7UUFDdEMsT0FBTyxLQUFLLENBQUM7SUFDZixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxLQUFhO1FBQ3pDLElBQUksQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDN0IsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDN0MsSUFBSSxDQUFDLFNBQVMsSUFBSSxTQUFTLENBQUMsSUFBSSxLQUFLLEtBQUssRUFBRSxDQUFDO1lBQzNDLE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUVELDBCQUEwQjtRQUMxQixJQUFJLFNBQVMsQ0FBQyxTQUFTLElBQUksU0FBUyxDQUFDLFNBQVMsR0FBRyxJQUFJLElBQUksRUFBRSxFQUFFLENBQUM7WUFDNUQsSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUM7WUFDOUIsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQsT0FBTyxTQUFTLENBQUM7SUFDbkIsQ0FBQztJQUVEOzs7T0FHRztJQUNJLEtBQUssQ0FBQyxjQUFjLENBQUMsS0FBYTtRQUN2QyxJQUFJLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUNoQyxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLEtBQUssQ0FBQyxjQUFjLENBQUMsTUFBYztRQUt4QyxNQUFNLE1BQU0sR0FBNkQsRUFBRSxDQUFDO1FBRTVFLEtBQUssTUFBTSxDQUFDLEtBQUssRUFBRSxTQUFTLENBQUMsSUFBSSxJQUFJLENBQUMsVUFBVSxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUM7WUFDM0QsSUFBSSxTQUFTLENBQUMsTUFBTSxLQUFLLE1BQU0sRUFBRSxDQUFDO2dCQUNoQyxNQUFNLENBQUMsSUFBSSxDQUFDO29CQUNWLEdBQUcsRUFBRSxJQUFJLENBQUMsU0FBUyxDQUFDLEtBQUssQ0FBQztvQkFDMUIsUUFBUSxFQUFFLFNBQVMsQ0FBQyxRQUFRLElBQUksS0FBSztvQkFDckMsT0FBTyxFQUFFLFNBQVMsQ0FBQyxRQUFRLEVBQUUsT0FBTyxJQUFJLFNBQVM7aUJBQ2xELENBQUMsQ0FBQztZQUNMLENBQUM7UUFDSCxDQUFDO1FBRUQsT0FBTyxNQUFNLENBQUM7SUFDaEIsQ0FBQztJQUVELDJFQUEyRTtJQUMzRSwyQkFBMkI7SUFDM0IsMkVBQTJFO0lBRTNFOzs7Ozs7T0FNRztJQUNJLEtBQUssQ0FBQyxjQUFjLENBQ3pCLE1BQWMsRUFDZCxNQUFnQixFQUNoQixZQUFvQixJQUFJO1FBRXhCLElBQUksQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUNuQyxNQUFNLElBQUksS0FBSyxDQUFDLDRCQUE0QixDQUFDLENBQUM7UUFDaEQsQ0FBQztRQUVELE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxDQUFDO1FBQzFDLE1BQU0sT0FBTyxHQUFHO1lBQ2QsR0FBRyxFQUFFLElBQUksQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLEtBQUs7WUFDaEMsR0FBRyxFQUFFLE1BQU07WUFDWCxHQUFHLEVBQUUsSUFBSSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsT0FBTztZQUNsQyxHQUFHLEVBQUUsR0FBRyxHQUFHLFNBQVM7WUFDcEIsR0FBRyxFQUFFLEdBQUc7WUFDUixHQUFHLEVBQUUsR0FBRztZQUNSLE1BQU0sRUFBRSxJQUFJLENBQUMsaUJBQWlCLENBQUMsTUFBTSxDQUFDO1NBQ3ZDLENBQUM7UUFFRixxREFBcUQ7UUFDckQseUNBQXlDO1FBQ3pDLE9BQU8sSUFBSSxDQUFDLFNBQVMsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUNqQyxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxHQUFXO1FBQ3ZDLElBQUksQ0FBQztZQUNILHNDQUFzQztZQUN0QyxNQUFNLE9BQU8sR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1lBRWhDLG1CQUFtQjtZQUNuQixNQUFNLEdBQUcsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUMsQ0FBQztZQUMxQyxJQUFJLE9BQU8sQ0FBQyxHQUFHLElBQUksT0FBTyxDQUFDLEdBQUcsR0FBRyxHQUFHLEVBQUUsQ0FBQztnQkFDckMsT0FBTyxJQUFJLENBQUM7WUFDZCxDQUFDO1lBRUQsa0NBQWtDO1lBQ2xDLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxPQUFPLENBQUMsTUFBTSxJQUFJLEVBQUUsQ0FBQyxDQUFDO1lBRTVELE9BQU87Z0JBQ0wsSUFBSSxFQUFFLEtBQUs7Z0JBQ1gsTUFBTSxFQUFFLE9BQU8sQ0FBQyxHQUFHO2dCQUNuQixNQUFNO2dCQUNOLFNBQVMsRUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxJQUFJLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxHQUFHLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQyxTQUFTO2dCQUNqRSxRQUFRLEVBQUU7b0JBQ1IsR0FBRyxFQUFFLE9BQU8sQ0FBQyxHQUFHO29CQUNoQixHQUFHLEVBQUUsT0FBTyxDQUFDLEdBQUc7aUJBQ2pCO2FBQ0YsQ0FBQztRQUNKLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO0lBQ0gsQ0FBQztJQUVELDJFQUEyRTtJQUMzRSx5QkFBeUI7SUFDekIsMkVBQTJFO0lBRTNFOzs7O09BSUc7SUFDSSxLQUFLLENBQUMsWUFBWSxDQUFDLFdBQXlCO1FBQ2pELCtEQUErRDtRQUMvRCxNQUFNLGNBQWMsR0FBRyxJQUFJLENBQUMsZUFBZSxDQUFDLEdBQUcsQ0FBQyxXQUFXLENBQUMsUUFBUSxDQUFDLENBQUM7UUFFdEUsSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO1lBQ3BCLG1EQUFtRDtZQUNuRCxJQUFJLENBQUMsZUFBZSxDQUFDLEdBQUcsQ0FBQyxXQUFXLENBQUMsUUFBUSxFQUFFLFdBQVcsQ0FBQyxRQUFRLENBQUMsQ0FBQztZQUNyRSxPQUFPLFdBQVcsQ0FBQyxRQUFRLENBQUM7UUFDOUIsQ0FBQztRQUVELElBQUksY0FBYyxLQUFLLFdBQVcsQ0FBQyxRQUFRLEVBQUUsQ0FBQztZQUM1QyxPQUFPLFdBQVcsQ0FBQyxRQUFRLENBQUM7UUFDOUIsQ0FBQztRQUVELE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUVEOzs7OztPQUtHO0lBQ0ksS0FBSyxDQUFDLGFBQWEsQ0FDeEIsV0FBbUIsRUFDbkIsUUFBNEI7UUFFNUIsb0NBQW9DO1FBQ3BDLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxXQUFXLENBQUMsRUFBRSxDQUFDO1lBQ2xDLE1BQU0sUUFBUSxHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDLFdBQVcsQ0FBQyxDQUFDO1lBQzFELElBQUksUUFBUSxJQUFJLENBQUMsQ0FBQyxRQUFRLElBQUksUUFBUSxLQUFLLEtBQUssQ0FBQyxFQUFFLENBQUM7Z0JBQ2xELE9BQU8sUUFBUSxDQUFDO1lBQ2xCLENBQUM7UUFDSCxDQUFDO1FBRUQsY0FBYztRQUNkLE1BQU0sUUFBUSxHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQzFELElBQUksUUFBUSxJQUFJLENBQUMsQ0FBQyxRQUFRLElBQUksUUFBUSxLQUFLLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDbEQsT0FBTyxRQUFRLENBQUM7UUFDbEIsQ0FBQztRQUVELE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNJLEtBQUssQ0FBQyxTQUFTLENBQ3BCLEtBQXdCLEVBQ3hCLFFBQWdCLEVBQ2hCLE1BQWM7UUFFZCxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7WUFDWCxPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7UUFFRCxzQkFBc0I7UUFDdEIsSUFBSSxLQUFLLENBQUMsUUFBUSxJQUFJLENBQUMsT0FBTyxFQUFFLE1BQU0sRUFBRSxRQUFRLENBQUMsQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQztZQUNuRSxPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7UUFFRCxlQUFlO1FBQ2YsS0FBSyxNQUFNLEtBQUssSUFBSSxLQUFLLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDakMsSUFBSSxJQUFJLENBQUMsWUFBWSxDQUFDLEtBQUssRUFBRSxRQUFRLEVBQUUsTUFBTSxDQUFDLEVBQUUsQ0FBQztnQkFDL0MsT0FBTyxJQUFJLENBQUM7WUFDZCxDQUFDO1FBQ0gsQ0FBQztRQUVELE9BQU8sS0FBSyxDQUFDO0lBQ2YsQ0FBQztJQUVELDJFQUEyRTtJQUMzRSxpQkFBaUI7SUFDakIsMkVBQTJFO0lBRTNFOzs7Ozs7OztPQVFHO0lBQ0ssWUFBWSxDQUFDLEtBQWEsRUFBRSxRQUFnQixFQUFFLE1BQWM7UUFDbEUsTUFBTSxVQUFVLEdBQUcsS0FBSyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUNwQyxNQUFNLGFBQWEsR0FBRyxRQUFRLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBRTFDLHFEQUFxRDtRQUNyRCxJQUFJLFVBQVUsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDMUIsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO1FBRUQsTUFBTSxDQUFDLGFBQWEsRUFBRSxTQUFTLEVBQUUsU0FBUyxFQUFFLFdBQVcsQ0FBQyxHQUFHLFVBQVUsQ0FBQztRQUN0RSxNQUFNLENBQUMsZ0JBQWdCLEVBQUUsWUFBWSxFQUFFLFlBQVksQ0FBQyxHQUFHLGFBQWEsQ0FBQztRQUVyRSxpQkFBaUI7UUFDakIsSUFBSSxhQUFhLEtBQUssR0FBRyxJQUFJLGFBQWEsS0FBSyxnQkFBZ0IsRUFBRSxDQUFDO1lBQ2hFLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztRQUVELGFBQWE7UUFDYixJQUFJLFNBQVMsS0FBSyxHQUFHLElBQUksU0FBUyxLQUFLLFlBQVksRUFBRSxDQUFDO1lBQ3BELE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztRQUVELGFBQWE7UUFDYixJQUFJLFNBQVMsS0FBSyxHQUFHLElBQUksU0FBUyxLQUFLLFlBQVksRUFBRSxDQUFDO1lBQ3BELE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztRQUVELGVBQWU7UUFDZixJQUFJLFdBQVcsS0FBSyxHQUFHLElBQUksV0FBVyxLQUFLLE1BQU0sRUFBRSxDQUFDO1lBQ2xELHFCQUFxQjtZQUNyQixNQUFNLGFBQWEsR0FBNkI7Z0JBQzlDLElBQUksRUFBRSxDQUFDLE1BQU0sRUFBRSxLQUFLLENBQUM7Z0JBQ3JCLEtBQUssRUFBRSxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsTUFBTSxDQUFDO2FBQy9CLENBQUM7WUFFRixNQUFNLE9BQU8sR0FBRyxhQUFhLENBQUMsV0FBVyxDQUFDLElBQUksRUFBRSxDQUFDO1lBQ2pELElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7Z0JBQzlCLE9BQU8sS0FBSyxDQUFDO1lBQ2YsQ0FBQztRQUNILENBQUM7UUFFRCxPQUFPLElBQUksQ0FBQztJQUNkLENBQUM7SUFFRDs7T0FFRztJQUNLLGlCQUFpQixDQUFDLE1BQWdCO1FBS3hDLE1BQU0sTUFBTSxHQUEyRCxFQUFFLENBQUM7UUFFMUUsS0FBSyxNQUFNLEtBQUssSUFBSSxNQUFNLEVBQUUsQ0FBQztZQUMzQixNQUFNLEtBQUssR0FBRyxLQUFLLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1lBQy9CLElBQUksS0FBSyxDQUFDLE1BQU0sSUFBSSxDQUFDLElBQUksS0FBSyxDQUFDLENBQUMsQ0FBQyxLQUFLLEtBQUssRUFBRSxDQUFDO2dCQUM1QyxNQUFNLENBQUMsSUFBSSxDQUFDO29CQUNWLElBQUksRUFBRSxLQUFLLENBQUMsQ0FBQyxDQUFDO29CQUNkLElBQUksRUFBRSxLQUFLLENBQUMsQ0FBQyxDQUFDO29CQUNkLE9BQU8sRUFBRSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQztpQkFDcEIsQ0FBQyxDQUFDO1lBQ0wsQ0FBQztRQUNILENBQUM7UUFFRCxPQUFPLE1BQU0sQ0FBQztJQUNoQixDQUFDO0lBRUQ7O09BRUc7SUFDSyxpQkFBaUIsQ0FBQyxNQUl4QjtRQUNBLE1BQU0sTUFBTSxHQUFhLEVBQUUsQ0FBQztRQUU1QixLQUFLLE1BQU0sSUFBSSxJQUFJLE1BQU0sRUFBRSxDQUFDO1lBQzFCLEtBQUssTUFBTSxNQUFNLElBQUksSUFBSSxDQUFDLE9BQU8sRUFBRSxDQUFDO2dCQUNsQyxNQUFNLENBQUMsSUFBSSxDQUFDLE9BQU8sSUFBSSxDQUFDLElBQUksSUFBSSxJQUFJLENBQUMsSUFBSSxJQUFJLE1BQU0sRUFBRSxDQUFDLENBQUM7WUFDekQsQ0FBQztRQUNILENBQUM7UUFFRCxPQUFPLE1BQU0sQ0FBQztJQUNoQixDQUFDO0lBRUQ7O09BRUc7SUFDSyxZQUFZO1FBQ2xCLE9BQU8sc0NBQXNDLENBQUMsT0FBTyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUMsRUFBRSxFQUFFO1lBQ25FLE1BQU0sQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLE1BQU0sRUFBRSxHQUFHLEVBQUUsQ0FBQyxHQUFHLENBQUMsQ0FBQztZQUNuQyxNQUFNLENBQUMsR0FBRyxDQUFDLEtBQUssR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxHQUFHLEdBQUcsQ0FBQyxHQUFHLEdBQUcsQ0FBQztZQUMxQyxPQUFPLENBQUMsQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDLENBQUM7UUFDeEIsQ0FBQyxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQ7O09BRUc7SUFDSyxXQUFXLENBQUMsR0FBVztRQUM3QixNQUFNLFNBQVMsR0FBRyx3RUFBd0UsQ0FBQztRQUMzRixPQUFPLFNBQVMsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDN0IsQ0FBQztJQUVEOztPQUVHO0lBQ0ssU0FBUyxDQUFDLEtBQWE7UUFDN0Isb0NBQW9DO1FBQ3BDLE9BQU8sVUFBVSxLQUFLLENBQUMsU0FBUyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsS0FBSyxDQUFDO0lBQy9DLENBQUM7Q0FDRiJ9

package/dist_ts/core/classes.baseregistry.d.ts

@@ -0,0 +1,28 @@
+import type { IRequestContext, IResponse, IAuthToken } from './interfaces.core.js';
+/**
+ * Abstract base class for all registry protocol implementations
+ */
+export declare abstract class BaseRegistry {
+    /**
+     * Initialize the registry
+     */
+    abstract init(): Promise<void>;
+    /**
+     * Handle an incoming HTTP request
+     * @param context - Request context
+     * @returns Response object
+     */
+    abstract handleRequest(context: IRequestContext): Promise<IResponse>;
+    /**
+     * Get the base path for this registry protocol
+     */
+    abstract getBasePath(): string;
+    /**
+     * Validate that a token has the required permissions
+     * @param token - Authentication token
+     * @param resource - Resource being accessed
+     * @param action - Action being performed
+     * @returns true if authorized
+     */
+    protected abstract checkPermission(token: IAuthToken | null, resource: string, action: string): Promise<boolean>;
+}

package/dist_ts/core/classes.baseregistry.js

@@ -0,0 +1,6 @@
+/**
+ * Abstract base class for all registry protocol implementations
+ */
+export class BaseRegistry {
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5iYXNlcmVnaXN0cnkuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi90cy9jb3JlL2NsYXNzZXMuYmFzZXJlZ2lzdHJ5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUVBOztHQUVHO0FBQ0gsTUFBTSxPQUFnQixZQUFZO0NBOEJqQyJ9