@qlever-llc/trellis 0.5.1 → 0.6.1

package/esm/trellis/workload.js

@@ -0,0 +1,144 @@
+import * as dntShim from "../_dnt.shims.js";
+import { jwtAuthenticator } from "@nats-io/nats-core";
+import { base64urlDecode, buildWorkloadActivationPayload, buildWorkloadActivationUrl, createWorkloadNatsAuthToken, deriveWorkloadIdentity, getWorkloadConnectInfo, verifyWorkloadConfirmationCode, waitForWorkloadActivation, } from "./auth.js";
+function normalizeRootSecret(rootSecret) {
+    if (typeof rootSecret === "string") {
+        const decoded = base64urlDecode(rootSecret.trim());
+        if (decoded.length === 0)
+            throw new Error("rootSecret must not be empty");
+        return decoded;
+    }
+    if (rootSecret.length === 0)
+        throw new Error("rootSecret must not be empty");
+    return rootSecret;
+}
+async function signIdentityBytes(identitySeed, data) {
+    const { importEd25519PrivateKeyFromSeedBase64url } = await import("../auth/keys.js");
+    const { base64urlEncode, toArrayBuffer } = await import("../auth/utils.js");
+    const privateKey = await importEd25519PrivateKeyFromSeedBase64url(base64urlEncode(identitySeed));
+    return new Uint8Array(await crypto.subtle.sign("Ed25519", privateKey, toArrayBuffer(data)));
+}
+async function runtimeImport(specifier) {
+    const load = new Function("specifier", "return import(specifier);");
+    return await load(specifier);
+}
+export async function loadDefaultTransport(importModule = runtimeImport) {
+    if ("Deno" in dntShim.dntGlobalThis) {
+        const mod = await importModule("@nats-io/nats-core");
+        return {
+            connect: mod.wsconnect,
+        };
+    }
+    const mod = await runtimeImport("@nats-io/transport-node");
+    return {
+        connect: mod.connect,
+    };
+}
+const defaultDeps = {
+    loadTransport: loadDefaultTransport,
+    now: () => Date.now(),
+};
+function activationRequiredError() {
+    return new Error("Workload activation required but no activation handler was provided");
+}
+function isConnectInfoUnavailable(error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return message.includes("404") || message.includes("unknown_workload");
+}
+export async function connectWorkloadWithDeps(args, deps) {
+    const rootSecret = normalizeRootSecret(args.rootSecret);
+    const identity = await deriveWorkloadIdentity(rootSecret);
+    const contractDigest = args.contract.CONTRACT_DIGEST;
+    let connectInfo = null;
+    try {
+        connectInfo = (await getWorkloadConnectInfo({
+            trellisUrl: args.authUrl,
+            publicIdentityKey: identity.publicIdentityKey,
+            identitySeed: identity.identitySeed,
+            contractDigest,
+        })).connectInfo;
+    }
+    catch (error) {
+        if (!isConnectInfoUnavailable(error))
+            throw error;
+    }
+    if (!connectInfo) {
+        if (!args.onActivationRequired)
+            throw activationRequiredError();
+        const nonce = crypto.randomUUID();
+        const payload = await buildWorkloadActivationPayload({
+            activationKey: identity.activationKey,
+            publicIdentityKey: identity.publicIdentityKey,
+            nonce,
+        });
+        const activationUrl = buildWorkloadActivationUrl({
+            trellisUrl: args.authUrl,
+            payload,
+        });
+        let activationCompleted = false;
+        let onlineConnectInfo = null;
+        await args.onActivationRequired({
+            url: activationUrl,
+            waitForOnlineApproval: async (opts) => {
+                if (activationCompleted)
+                    return;
+                const activation = await waitForWorkloadActivation({
+                    trellisUrl: args.authUrl,
+                    publicIdentityKey: identity.publicIdentityKey,
+                    nonce,
+                    identitySeed: identity.identitySeed,
+                    contractDigest,
+                    signal: opts?.signal,
+                });
+                onlineConnectInfo = activation.connectInfo;
+                activationCompleted = true;
+            },
+            acceptConfirmationCode: async (code) => {
+                if (activationCompleted)
+                    return;
+                const ok = await verifyWorkloadConfirmationCode({
+                    activationKey: identity.activationKey,
+                    publicIdentityKey: identity.publicIdentityKey,
+                    nonce,
+                    confirmationCode: code,
+                });
+                if (!ok) {
+                    throw new Error("Invalid workload confirmation code");
+                }
+                activationCompleted = true;
+            },
+        });
+        if (!activationCompleted) {
+            throw new Error("Workload activation did not complete");
+        }
+        connectInfo = onlineConnectInfo ?? (await getWorkloadConnectInfo({
+            trellisUrl: args.authUrl,
+            publicIdentityKey: identity.publicIdentityKey,
+            identitySeed: identity.identitySeed,
+            contractDigest,
+        })).connectInfo;
+    }
+    const transport = await deps.loadTransport();
+    const iat = Math.floor(deps.now() / 1_000);
+    const authToken = await createWorkloadNatsAuthToken({
+        publicIdentityKey: identity.publicIdentityKey,
+        identitySeed: identity.identitySeed,
+        contractDigest,
+        iat,
+    });
+    const nc = await transport.connect({
+        servers: connectInfo.transport.natsServers,
+        token: JSON.stringify(authToken),
+        inboxPrefix: `_INBOX.${identity.publicIdentityKey.slice(0, 16)}`,
+        authenticator: jwtAuthenticator(connectInfo.transport.sentinel.jwt, new TextEncoder().encode(connectInfo.transport.sentinel.seed)),
+    });
+    return args.contract.createClient(nc, {
+        sessionKey: identity.publicIdentityKey,
+        sign: (data) => signIdentityBytes(identity.identitySeed, data),
+    });
+}
+export class TrellisWorkload {
+    static connect(args) {
+        return connectWorkloadWithDeps(args, defaultDeps);
+    }
+}

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@qlever-llc/trellis",
-  "version": "0.5.1",
+  "version": "0.6.1",
   "description": "Client-side Trellis runtime, models, and contract helpers for TypeScript applications.",
   "homepage": "https://github.com/Qlever-LLC/trellis#readme",
   "repository": {
     "type": "git",
-    "url": "https://github.com/Qlever-LLC/trellis"
+    "url": "git+https://github.com/Qlever-LLC/trellis.git"
   },
   "license": "Apache-2.0",
   "bugs": {
@@ -18,10 +18,62 @@
       "import": "./esm/trellis/index.js",
       "require": "./script/trellis/index.js"
     },
+    "./auth": {
+      "import": "./esm/trellis/auth.js",
+      "require": "./script/trellis/auth.js"
+    },
+    "./auth/browser": {
+      "import": "./esm/trellis/auth/browser.js",
+      "require": "./script/trellis/auth/browser.js"
+    },
     "./browser": {
       "import": "./esm/trellis/browser.js",
       "require": "./script/trellis/browser.js"
     },
+    "./contracts": {
+      "import": "./esm/trellis/contracts.js",
+      "require": "./script/trellis/contracts.js"
+    },
+    "./errors": {
+      "import": "./esm/trellis/errors/index.js",
+      "require": "./script/trellis/errors/index.js"
+    },
+    "./helpers": {
+      "import": "./esm/trellis/helpers.js",
+      "require": "./script/trellis/helpers.js"
+    },
+    "./server": {
+      "import": "./esm/trellis/server/mod.js",
+      "require": "./script/trellis/server/mod.js"
+    },
+    "./server/health": {
+      "import": "./esm/trellis/server/health.js",
+      "require": "./script/trellis/server/health.js"
+    },
+    "./server/deno": {
+      "import": "./esm/trellis/server/deno.js",
+      "require": "./script/trellis/server/deno.js"
+    },
+    "./server/node": {
+      "import": "./esm/trellis/server/node.js",
+      "require": "./script/trellis/server/node.js"
+    },
+    "./server/runtime": {
+      "import": "./esm/trellis/server/runtime.js",
+      "require": "./script/trellis/server/runtime.js"
+    },
+    "./sdk/activity": {
+      "import": "./esm/trellis/sdk/activity.js",
+      "require": "./script/trellis/sdk/activity.js"
+    },
+    "./sdk/auth": {
+      "import": "./esm/trellis/sdk/auth.js",
+      "require": "./script/trellis/sdk/auth.js"
+    },
+    "./sdk/core": {
+      "import": "./esm/trellis/sdk/core.js",
+      "require": "./script/trellis/sdk/core.js"
+    },
     "./tracing": {
       "import": "./esm/trellis/tracing.js",
       "require": "./script/trellis/tracing.js"
@@ -31,16 +83,23 @@
     "access": "public"
   },
   "dependencies": {
+    "@deno/shim-deno": "~0.18.0",
+    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.56.0",
+    "@opentelemetry/resources": "^1.30.1",
+    "@opentelemetry/sdk-trace-base": "^1.30.1",
+    "@opentelemetry/sdk-trace-node": "^1.30.1",
+    "@opentelemetry/semantic-conventions": "^1.28.0",
     "@nats-io/jetstream": "^3.3.0",
     "@nats-io/kv": "^3.2.0",
     "@nats-io/nats-core": "^3.3.1",
+    "@nats-io/transport-node": "^3.3.1",
+    "json-schema-library": "^10.5.2",
     "pino": "^9.11.0",
     "ts-deepmerge": "^7.0.3",
     "typebox": "^1.0.15",
     "ulid": "^3.0.1",
-    "@qlever-llc/trellis-contracts": "^0.5.1",
-    "@qlever-llc/trellis-result": "^0.5.1",
-    "@qlever-llc/trellis-telemetry": "^0.5.1"
+    "@qlever-llc/result": "^0.6.1"
   },
   "devDependencies": {
     "@types/node": "^20.9.0"

package/script/auth/browser/login.d.ts

@@ -0,0 +1,27 @@
+import { type BindResponse, type BindSuccessResponse } from "../schemas.ts";
+import type { SessionKeyHandle } from "./session.ts";
+export type { BindResponse, BindSuccessResponse, ContractApproval, SentinelCreds, } from "../schemas.ts";
+export type AuthConfig = {
+    authUrl: string;
+};
+export declare function buildLoginUrl(config: AuthConfig, provider: string | undefined, redirectTo: string, handle: SessionKeyHandle, contract: Record<string, unknown>, context?: unknown): Promise<string>;
+export declare function buildLoginUrl(args: {
+    authUrl: string;
+    provider?: string;
+    redirectTo: string;
+    handle: SessionKeyHandle;
+    contract: Record<string, unknown>;
+    context?: unknown;
+}): Promise<string>;
+export declare function buildLoginUrl(args: {
+    config: AuthConfig;
+    provider?: string;
+    redirectTo: string;
+    handle: SessionKeyHandle;
+    contract: Record<string, unknown>;
+    context?: unknown;
+}): Promise<string>;
+export declare function isBindSuccessResponse(response: BindResponse): response is BindSuccessResponse;
+export declare function bindFlow(config: AuthConfig, handle: SessionKeyHandle, flowId: string): Promise<BindResponse>;
+export declare function bindSession(config: AuthConfig, handle: SessionKeyHandle, authToken: string): Promise<BindResponse>;
+//# sourceMappingURL=login.d.ts.map

package/script/auth/browser/login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../../../../auth/browser/login.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,KAAK,YAAY,EAEjB,KAAK,mBAAmB,EAEzB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGrD,YAAY,EACV,YAAY,EACZ,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,GACd,MAAM,eAAe,CAAC;AAEvB,MAAM,MAAM,UAAU,GAAG;IACvB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AA4BF,wBAAsB,aAAa,CACjC,MAAM,EAAE,UAAU,EAClB,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,gBAAgB,EACxB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,OAAO,CAAC,EAAE,OAAO,GAChB,OAAO,CAAC,MAAM,CAAC,CAAC;AACnB,wBAAsB,aAAa,CACjC,IAAI,EAAE;IACJ,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,OAAO,CAAC,MAAM,CAAC,CAAC;AACnB,wBAAsB,aAAa,CACjC,IAAI,EAAE;IACJ,MAAM,EAAE,UAAU,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,OAAO,CAAC,MAAM,CAAC,CAAC;AAwEnB,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,YAAY,GAAG,QAAQ,IAAI,mBAAmB,CAE7F;AAED,wBAAsB,QAAQ,CAC5B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CAmBvB;AAED,wBAAsB,WAAW,CAC/B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,gBAAgB,EACxB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,CAAC,CAoBvB"}

package/script/auth/browser/login.js

@@ -0,0 +1,100 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildLoginUrl = buildLoginUrl;
+exports.isBindSuccessResponse = isBindSuccessResponse;
+exports.bindFlow = bindFlow;
+exports.bindSession = bindSession;
+const utils_ts_1 = require("../utils.ts");
+const value_1 = require("typebox/value");
+const schemas_ts_1 = require("../schemas.ts");
+const session_ts_1 = require("./session.ts");
+function encodeJsonForQuery(value) {
+    const json = (0, utils_ts_1.canonicalizeJsonValue)(value);
+    const bytes = new TextEncoder().encode(json);
+    let binary = "";
+    for (const byte of bytes)
+        binary += String.fromCharCode(byte);
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+async function buildLoginUrl(argsOrConfig, provider, redirectTo, handle, contract, context) {
+    const resolved = isNestedBuildLoginUrlArgs(argsOrConfig)
+        ? argsOrConfig
+        : isFlatBuildLoginUrlArgs(argsOrConfig)
+            ? {
+                config: { authUrl: argsOrConfig.authUrl },
+                provider: argsOrConfig.provider,
+                redirectTo: argsOrConfig.redirectTo,
+                handle: argsOrConfig.handle,
+                contract: argsOrConfig.contract,
+                context: argsOrConfig.context,
+            }
+            : buildLoginUrlArgsFromPositional(argsOrConfig, provider, redirectTo, handle, contract, context);
+    const sessionKey = (0, session_ts_1.getPublicSessionKey)(resolved.handle);
+    const sig = await (0, session_ts_1.oauthInitSig)(resolved.handle, resolved.redirectTo, resolved.context);
+    const url = new URL(`${resolved.config.authUrl}/auth/login`);
+    url.searchParams.set("redirectTo", resolved.redirectTo);
+    url.searchParams.set("sessionKey", sessionKey);
+    url.searchParams.set("sig", sig);
+    url.searchParams.set("contract", encodeJsonForQuery(resolved.contract));
+    if (resolved.provider) {
+        url.searchParams.set("provider", resolved.provider);
+    }
+    if (resolved.context !== undefined) {
+        url.searchParams.set("context", encodeJsonForQuery(resolved.context));
+    }
+    return url.href;
+}
+function buildLoginUrlArgsFromPositional(config, provider, redirectTo, handle, contract, context) {
+    if (redirectTo === undefined || handle === undefined || contract === undefined) {
+        throw new TypeError("buildLoginUrl requires redirectTo, handle, and contract");
+    }
+    return {
+        config,
+        provider,
+        redirectTo,
+        handle,
+        contract,
+        context,
+    };
+}
+function isNestedBuildLoginUrlArgs(value) {
+    return "config" in value;
+}
+function isFlatBuildLoginUrlArgs(value) {
+    return "authUrl" in value && "redirectTo" in value && "handle" in value && "contract" in value;
+}
+function isBindSuccessResponse(response) {
+    return response.status === "bound";
+}
+async function bindFlow(config, handle, flowId) {
+    const sessionKey = (0, session_ts_1.getPublicSessionKey)(handle);
+    const sig = await (0, session_ts_1.bindFlowSig)(handle, flowId);
+    const response = await fetch(`${config.authUrl}/auth/flow/${encodeURIComponent(flowId)}/bind`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ sessionKey, sig }),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Bind failed: ${response.status} ${text}`);
+    }
+    return value_1.Value.Parse(schemas_ts_1.BindResponseSchema, await response.json());
+}
+async function bindSession(config, handle, authToken) {
+    const sessionKey = (0, session_ts_1.getPublicSessionKey)(handle);
+    const sig = await (0, session_ts_1.bindSig)(handle, authToken);
+    const response = await fetch(`${config.authUrl}/auth/bind`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            authToken,
+            sessionKey,
+            sig,
+        }),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Bind failed: ${response.status} ${text}`);
+    }
+    return value_1.Value.Parse(schemas_ts_1.BindResponseSchema, await response.json());
+}

package/script/auth/browser/portal.d.ts

@@ -0,0 +1,11 @@
+import { type PortalFlowState } from "../protocol.ts";
+import type { ApprovalDecision } from "../schemas.ts";
+import type { AuthConfig } from "./login.ts";
+export type { PortalFlowState } from "../protocol.ts";
+export type { ApprovalDecision } from "../schemas.ts";
+export declare function portalFlowIdFromUrl(url: URL): string | null;
+export declare function fetchPortalFlowState(config: AuthConfig, flowId: string): Promise<PortalFlowState>;
+export declare function portalProviderLoginUrl(config: AuthConfig, providerId: string, flowId: string): string;
+export declare function submitPortalApproval(config: AuthConfig, flowId: string, decision: ApprovalDecision): Promise<PortalFlowState>;
+export declare function portalRedirectLocation(state: PortalFlowState | null): string | null;
+//# sourceMappingURL=portal.d.ts.map

package/script/auth/browser/portal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../../../../auth/browser/portal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,eAAe,EAAyB,MAAM,gBAAgB,CAAC;AAC7E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAG7C,YAAY,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACtD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAMtD,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,GAAG,IAAI,CAE3D;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC,CAO1B;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GACb,MAAM,CAGR;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,gBAAgB,GACzB,OAAO,CAAC,eAAe,CAAC,CAe1B;AAED,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAEnF"}

package/script/auth/browser/portal.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.portalFlowIdFromUrl = portalFlowIdFromUrl;
+exports.fetchPortalFlowState = fetchPortalFlowState;
+exports.portalProviderLoginUrl = portalProviderLoginUrl;
+exports.submitPortalApproval = submitPortalApproval;
+exports.portalRedirectLocation = portalRedirectLocation;
+const protocol_ts_1 = require("../protocol.ts");
+const value_1 = require("typebox/value");
+function authBaseUrl(config) {
+    return config.authUrl.replace(/\/$/, "");
+}
+function portalFlowIdFromUrl(url) {
+    return url.searchParams.get("flowId");
+}
+async function fetchPortalFlowState(config, flowId) {
+    const response = await fetch(`${authBaseUrl(config)}/auth/flow/${encodeURIComponent(flowId)}`);
+    if (!response.ok) {
+        throw new Error(`Failed to load portal flow (${response.status})`);
+    }
+    return value_1.Value.Parse(protocol_ts_1.PortalFlowStateSchema, await response.json());
+}
+function portalProviderLoginUrl(config, providerId, flowId) {
+    const base = `${authBaseUrl(config)}/auth/login/${encodeURIComponent(providerId)}`;
+    return `${base}?flowId=${encodeURIComponent(flowId)}`;
+}
+async function submitPortalApproval(config, flowId, decision) {
+    const response = await fetch(`${authBaseUrl(config)}/auth/flow/${encodeURIComponent(flowId)}/approval`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ decision }),
+    });
+    if (!response.ok) {
+        throw new Error(`Approval request failed (${response.status})`);
+    }
+    return value_1.Value.Parse(protocol_ts_1.PortalFlowStateSchema, await response.json());
+}
+function portalRedirectLocation(state) {
+    return state?.status === "redirect" ? state.location : null;
+}

package/script/auth/browser/session.d.ts

@@ -0,0 +1,19 @@
+export type SessionKeyHandle = {
+    privateKey: CryptoKey;
+    publicKey: CryptoKey;
+    publicKeyRaw: Uint8Array;
+    sessionKey: string;
+};
+export declare function generateSessionKey(): Promise<SessionKeyHandle>;
+export declare function loadSessionKey(): Promise<SessionKeyHandle | null>;
+export declare function getOrCreateSessionKey(): Promise<SessionKeyHandle>;
+export declare function signBytes(handle: SessionKeyHandle, data: Uint8Array): Promise<Uint8Array>;
+export declare function getPublicSessionKey(handle: SessionKeyHandle): string;
+export declare function oauthInitSig(handle: SessionKeyHandle, redirectTo: string, context?: unknown): Promise<string>;
+export declare function bindSig(handle: SessionKeyHandle, authToken: string): Promise<string>;
+export declare function bindFlowSig(handle: SessionKeyHandle, flowId: string): Promise<string>;
+export declare function natsConnectSigForBindingToken(handle: SessionKeyHandle, bindingToken: string): Promise<string>;
+export declare function createRpcProof(handle: SessionKeyHandle, subject: string, payload: Uint8Array): Promise<string>;
+export declare function clearSessionKey(): Promise<void>;
+export declare function hasSessionKey(): Promise<boolean>;
+//# sourceMappingURL=session.d.ts.map

package/script/auth/browser/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../../../../auth/browser/session.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,gBAAgB,GAAG;IAC7B,UAAU,EAAE,SAAS,CAAC;IACtB,SAAS,EAAE,SAAS,CAAC;IACrB,YAAY,EAAE,UAAU,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAapE;AAED,wBAAsB,cAAc,IAAI,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CASvE;AAED,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAIvE;AAED,wBAAsB,SAAS,CAAC,MAAM,EAAE,gBAAgB,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAO/F;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAEpE;AAED,wBAAsB,YAAY,CAChC,MAAM,EAAE,gBAAgB,EACxB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,OAAO,GAChB,OAAO,CAAC,MAAM,CAAC,CAKjB;AAED,wBAAsB,OAAO,CAAC,MAAM,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI1F;AAED,wBAAsB,WAAW,CAAC,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI3F;AAED,wBAAsB,6BAA6B,CACjD,MAAM,EAAE,gBAAgB,EACxB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,CAIjB;AAED,wBAAsB,cAAc,CAClC,MAAM,EAAE,gBAAgB,EACxB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,MAAM,CAAC,CAGjB;AAED,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAErD;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC,CAEtD"}

package/script/auth/browser/session.js

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSessionKey = generateSessionKey;
+exports.loadSessionKey = loadSessionKey;
+exports.getOrCreateSessionKey = getOrCreateSessionKey;
+exports.signBytes = signBytes;
+exports.getPublicSessionKey = getPublicSessionKey;
+exports.oauthInitSig = oauthInitSig;
+exports.bindSig = bindSig;
+exports.bindFlowSig = bindFlowSig;
+exports.natsConnectSigForBindingToken = natsConnectSigForBindingToken;
+exports.createRpcProof = createRpcProof;
+exports.clearSessionKey = clearSessionKey;
+exports.hasSessionKey = hasSessionKey;
+const utils_ts_1 = require("../utils.ts");
+const proof_ts_1 = require("../proof.ts");
+const storage_ts_1 = require("./storage.ts");
+async function generateSessionKey() {
+    const keyPair = await crypto.subtle.generateKey({ name: "Ed25519" }, false, ["sign", "verify"]);
+    const publicKeyRaw = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
+    const sessionKey = (0, utils_ts_1.base64urlEncode)(publicKeyRaw);
+    await (0, storage_ts_1.storeKeyPair)(keyPair, publicKeyRaw);
+    return { privateKey: keyPair.privateKey, publicKey: keyPair.publicKey, publicKeyRaw, sessionKey };
+}
+async function loadSessionKey() {
+    const stored = await (0, storage_ts_1.loadKeyPair)();
+    if (!stored)
+        return null;
+    return {
+        privateKey: stored.privateKey,
+        publicKey: stored.publicKey,
+        publicKeyRaw: stored.publicKeyRaw,
+        sessionKey: (0, utils_ts_1.base64urlEncode)(stored.publicKeyRaw),
+    };
+}
+async function getOrCreateSessionKey() {
+    const existing = await loadSessionKey();
+    if (existing)
+        return existing;
+    return await generateSessionKey();
+}
+async function signBytes(handle, data) {
+    const sig = await crypto.subtle.sign({ name: "Ed25519" }, handle.privateKey, (0, utils_ts_1.toArrayBuffer)(data));
+    return new Uint8Array(sig);
+}
+function getPublicSessionKey(handle) {
+    return handle.sessionKey;
+}
+async function oauthInitSig(handle, redirectTo, context) {
+    const canonicalContext = (0, utils_ts_1.canonicalizeJsonValue)(context ?? null);
+    const digest = await (0, utils_ts_1.sha256)((0, utils_ts_1.utf8)(`oauth-init:${redirectTo}:${canonicalContext}`));
+    const sig = await signBytes(handle, digest);
+    return (0, utils_ts_1.base64urlEncode)(sig);
+}
+async function bindSig(handle, authToken) {
+    const digest = await (0, utils_ts_1.sha256)((0, utils_ts_1.utf8)(`bind:${authToken}`));
+    const sig = await signBytes(handle, digest);
+    return (0, utils_ts_1.base64urlEncode)(sig);
+}
+async function bindFlowSig(handle, flowId) {
+    const digest = await (0, utils_ts_1.sha256)((0, utils_ts_1.utf8)(`bind-flow:${flowId}`));
+    const sig = await signBytes(handle, digest);
+    return (0, utils_ts_1.base64urlEncode)(sig);
+}
+async function natsConnectSigForBindingToken(handle, bindingToken) {
+    const digest = await (0, utils_ts_1.sha256)((0, utils_ts_1.utf8)(`nats-connect:${bindingToken}`));
+    const sig = await signBytes(handle, digest);
+    return (0, utils_ts_1.base64urlEncode)(sig);
+}
+async function createRpcProof(handle, subject, payload) {
+    const payloadHash = await (0, utils_ts_1.sha256)(payload);
+    return await (0, proof_ts_1.createProof)(handle.privateKey, { sessionKey: handle.sessionKey, subject, payloadHash });
+}
+async function clearSessionKey() {
+    await (0, storage_ts_1.deleteKeyPair)();
+}
+async function hasSessionKey() {
+    return await (0, storage_ts_1.hasKeyPair)();
+}

package/script/auth/browser/storage.d.ts

@@ -0,0 +1,12 @@
+export type StoredKeyPair = {
+    id: string;
+    privateKey: CryptoKey;
+    publicKey: CryptoKey;
+    publicKeyRaw: Uint8Array;
+    createdAt: number;
+};
+export declare function storeKeyPair(keyPair: CryptoKeyPair, publicKeyRaw: Uint8Array): Promise<void>;
+export declare function loadKeyPair(): Promise<StoredKeyPair | null>;
+export declare function deleteKeyPair(): Promise<void>;
+export declare function hasKeyPair(): Promise<boolean>;
+//# sourceMappingURL=storage.d.ts.map

package/script/auth/browser/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../../../auth/browser/storage.ts"],"names":[],"mappings":"AAqBA,MAAM,MAAM,aAAa,GAAG;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,SAAS,CAAC;IACtB,SAAS,EAAE,SAAS,CAAC;IACrB,YAAY,EAAE,UAAU,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,wBAAsB,YAAY,CAAC,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAoBlG;AAED,wBAAsB,WAAW,IAAI,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAYjE;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAYnD;AAED,wBAAsB,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC,CAGnD"}

package/script/auth/browser/storage.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.storeKeyPair = storeKeyPair;
+exports.loadKeyPair = loadKeyPair;
+exports.deleteKeyPair = deleteKeyPair;
+exports.hasKeyPair = hasKeyPair;
+const DB_NAME = "trellis-auth";
+const DB_VERSION = 1;
+const STORE_NAME = "keys";
+const KEY_ID = "trellis-session-key";
+function openDB() {
+    return new Promise((resolve, reject) => {
+        const request = indexedDB.open(DB_NAME, DB_VERSION);
+        request.onerror = () => reject(request.error);
+        request.onsuccess = () => resolve(request.result);
+        request.onupgradeneeded = () => {
+            const db = request.result;
+            if (!db.objectStoreNames.contains(STORE_NAME)) {
+                db.createObjectStore(STORE_NAME, { keyPath: "id" });
+            }
+        };
+    });
+}
+async function storeKeyPair(keyPair, publicKeyRaw) {
+    const db = await openDB();
+    return new Promise((resolve, reject) => {
+        const tx = db.transaction(STORE_NAME, "readwrite");
+        const store = tx.objectStore(STORE_NAME);
+        const record = {
+            id: KEY_ID,
+            privateKey: keyPair.privateKey,
+            publicKey: keyPair.publicKey,
+            publicKeyRaw,
+            createdAt: Date.now(),
+        };
+        const request = store.put(record);
+        request.onerror = () => reject(request.error);
+        request.onsuccess = () => resolve();
+        tx.oncomplete = () => db.close();
+    });
+}
+async function loadKeyPair() {
+    const db = await openDB();
+    return new Promise((resolve, reject) => {
+        const tx = db.transaction(STORE_NAME, "readonly");
+        const store = tx.objectStore(STORE_NAME);
+        const request = store.get(KEY_ID);
+        request.onerror = () => reject(request.error);
+        request.onsuccess = () => resolve(request.result ?? null);
+        tx.oncomplete = () => db.close();
+    });
+}
+async function deleteKeyPair() {
+    const db = await openDB();
+    return new Promise((resolve, reject) => {
+        const tx = db.transaction(STORE_NAME, "readwrite");
+        const store = tx.objectStore(STORE_NAME);
+        const request = store.delete(KEY_ID);
+        request.onerror = () => reject(request.error);
+        request.onsuccess = () => resolve();
+        tx.oncomplete = () => db.close();
+    });
+}
+async function hasKeyPair() {
+    const keyPair = await loadKeyPair();
+    return keyPair !== null;
+}

package/script/auth/browser.d.ts

@@ -0,0 +1,13 @@
+/**
+ * @module
+ * Browser-based authentication utilities for session-key based authentication.
+ * Uses WebCrypto API and IndexedDB for secure key storage.
+ */
+export { type AuthConfig, type BindResponse, type BindSuccessResponse, bindFlow, bindSession, buildLoginUrl, isBindSuccessResponse, type SentinelCreds, } from "./browser/login.ts";
+export { fetchPortalFlowState, portalFlowIdFromUrl, portalProviderLoginUrl, portalRedirectLocation, submitPortalApproval, type ApprovalDecision, type PortalFlowState as BrowserPortalFlowState, } from "./browser/portal.ts";
+export { bindFlowSig, clearSessionKey, createRpcProof, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, loadSessionKey, natsConnectSigForBindingToken, type SessionKeyHandle, signBytes, } from "./browser/session.ts";
+export { deleteKeyPair, hasKeyPair } from "./browser/storage.ts";
+export { type BindResponse as BindResponseData, BindResponseSchema, type BindSuccessResponse as BindSuccessResponseData, BindSuccessResponseSchema, type ContractApproval as ContractApprovalData, ContractApprovalSchema, type NatsAuthTokenV1 as NatsAuthTokenV1Data, NatsAuthTokenV1Schema, type ApprovalDecision as ApprovalDecisionData, ApprovalDecisionSchema, type SentinelCreds as SentinelCredsData, SentinelCredsSchema, } from "./schemas.ts";
+export type { NatsAuthTokenV1 } from "./types.ts";
+export { base64urlDecode, base64urlEncode, sha256, toArrayBuffer, utf8, } from "./utils.ts";
+//# sourceMappingURL=browser.d.ts.map

package/script/auth/browser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../../../auth/browser.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,QAAQ,EACR,WAAW,EACX,aAAa,EACb,qBAAqB,EACrB,KAAK,aAAa,GACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,EACpB,KAAK,gBAAgB,EACrB,KAAK,eAAe,IAAI,sBAAsB,GAC/C,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,WAAW,EACX,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,EACb,cAAc,EACd,6BAA6B,EAC7B,KAAK,gBAAgB,EACrB,SAAS,GACV,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACjE,OAAO,EACL,KAAK,YAAY,IAAI,gBAAgB,EACrC,kBAAkB,EAClB,KAAK,mBAAmB,IAAI,uBAAuB,EACnD,yBAAyB,EACzB,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,eAAe,IAAI,mBAAmB,EAC3C,qBAAqB,EACrB,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,aAAa,IAAI,iBAAiB,EACvC,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EACL,eAAe,EACf,eAAe,EACf,MAAM,EACN,aAAa,EACb,IAAI,GACL,MAAM,YAAY,CAAC"}