@skylab-kulubu/inscribed-auth 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Skylab Kulübü
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,167 @@
+# @skylab-kulubu/inscribed-auth
+
+Skylab's opt-in **NextAuth + Keycloak** adapter for the [`inscribed`](https://www.npmjs.com/package/inscribed) CMS.
+
+`inscribed` is auth- and vendor-neutral: out of the box it runs read-only/public.
+This package is the Skylab layer that plugs admin auth and the build-time
+service token into it, so a new Skylab Next.js app gets editing + sync by
+**installing one package and setting env vars** — no hand-copied auth files.
+
+It ships **two seam adapters**:
+
+| Seam | What this package provides |
+| --- | --- |
+| **Auth** | NextAuth options (JWT access/refresh persistence, silent refresh, Keycloak client-role extraction), the `withCmsAuth` adapter, the `NextAuthCmsProvider` client wrapper, and a one-route auto-signin handler. |
+| **Service token** | Keycloak client-credentials token for SSR content fetch + the `cms-sync` CLI. |
+
+Transport is **not** provided — Skylab uses `inscribed`'s default REST transport.
+
+## Install
+
+```bash
+npm install @skylab-kulubu/inscribed-auth
+```
+
+Peer dependencies (you already have most in a Next app):
+
+```bash
+npm install inscribed next next-auth@^4 react react-dom
+```
+
+> **Keep the app CommonJS** (do not set `"type": "module"` in the app's
+> `package.json`). next-auth v4's Keycloak provider only resolves through
+> Webpack's CJS/ESM interop; an ESM app breaks it. The one exception is
+> `cms.config.mjs` below, which is `.mjs` on purpose.
+
+## Entry points
+
+| Import | Use from | Exports |
+| --- | --- | --- |
+| `@skylab-kulubu/inscribed-auth` | Client (`"use client"`) | `NextAuthCmsProvider` |
+| `@skylab-kulubu/inscribed-auth/server` | Server only | `createCmsAuthOptions`, `withCmsAuth`, `isCmsAdmin`, `readCmsAuthMeta`, `getClientCredentialsToken`, `debugServiceTokenClaims` |
+| `@skylab-kulubu/inscribed-auth/signin` | Server route | `GET`, `createSignInRoute` |
+| `@skylab-kulubu/inscribed-auth/config` | `cms-sync` CLI / build-time | `getServiceToken`, `onSyncError` |
+
+## Wiring (the five files + env)
+
+### `lib/auth.js` — NextAuth options
+
+The Keycloak **provider instance stays here, on your side** — never let it be
+bundled by a dependency, or it resolves to `undefined` at runtime.
+
+```js
+import KeycloakProvider from "next-auth/providers/keycloak";
+import { createCmsAuthOptions } from "@skylab-kulubu/inscribed-auth/server";
+
+export const authOptions = createCmsAuthOptions({
+  provider: KeycloakProvider({
+    clientId: process.env.KEYCLOAK_CLIENT_ID ?? "",
+    clientSecret: process.env.KEYCLOAK_CLIENT_SECRET ?? "",
+    issuer: process.env.KEYCLOAK_ISSUER ?? "",
+  }),
+  adminRole: "cms:access", // Keycloak client role gating admin access (default)
+});
+```
+
+### `app/api/auth/[...nextauth]/route.js` — NextAuth handler
+
+```js
+import NextAuth from "next-auth";
+import { authOptions } from "../../../../lib/auth.js";
+
+const handler = NextAuth(authOptions);
+export { handler as GET, handler as POST };
+```
+
+### `app/api/signin/route.js` — one-click sign-in
+
+`/api/signin?callbackUrl=...` jumps straight into the Keycloak flow, skipping
+NextAuth's provider-picker page. Link to it from anywhere (`<a href="/api/signin">`).
+
+```js
+export { GET } from "@skylab-kulubu/inscribed-auth/signin";
+```
+
+### `lib/cms.jsx` — the CMS page factory
+
+```jsx
+import { revalidateCmsSlug } from "inscribed/actions";
+import { createCmsPage } from "inscribed/page";
+import { NextAuthCmsProvider } from "@skylab-kulubu/inscribed-auth";
+import { withCmsAuth, getClientCredentialsToken } from "@skylab-kulubu/inscribed-auth/server";
+
+import { authOptions } from "./auth.js";
+
+export const CmsPage = createCmsPage({
+  Provider: NextAuthCmsProvider,
+  config: {
+    baseUrl: process.env.CMS_URL ?? "http://localhost:5000",
+    cdnUrl: process.env.CMS_CDN_URL,
+  },
+  // Service token for the public SSR content fetch (no session required).
+  getServiceToken: getClientCredentialsToken,
+  // Adapts NextAuth into inscribed's auth-agnostic callbacks
+  // (getSession / deriveAdmin / deriveUserSub).
+  ...withCmsAuth(authOptions),
+  // Must come through inscribed's `actions` entry so its "use server"
+  // directive survives bundling.
+  onAfterSave: revalidateCmsSlug,
+});
+```
+
+### `cms.config.mjs` — `cms-sync` CLI wiring (project root, `.mjs`)
+
+The CLI is plain Node and `import()`s this file. One line:
+
+```js
+export { getServiceToken, onSyncError } from "@skylab-kulubu/inscribed-auth/config";
+```
+
+### `.env.local`
+
+```dotenv
+# Keycloak (same client serves login + client_credentials sync)
+KEYCLOAK_CLIENT_ID=<your-client-id>
+KEYCLOAK_CLIENT_SECRET=<your-client-secret>
+KEYCLOAK_ISSUER=https://<keycloak-host>/realms/<realm>
+
+# NextAuth
+NEXTAUTH_URL=http://localhost:3000
+NEXTAUTH_SECRET=<run: openssl rand -base64 32>
+
+# CMS backend
+CMS_URL=https://<your-cms-host>
+# Optional:
+# CMS_CDN_URL=https://<your-cdn-host>
+# NEXT_PUBLIC_CMS_URL=https://<your-cms-host>   # read by inscribed core, client-side
+```
+
+| Var | Required | Purpose |
+| --- | --- | --- |
+| `KEYCLOAK_CLIENT_ID` | ✅ | Keycloak client (both grants) |
+| `KEYCLOAK_CLIENT_SECRET` | ✅ | Client secret |
+| `KEYCLOAK_ISSUER` | ✅ | Realm issuer URL |
+| `NEXTAUTH_URL` | ✅ | App base URL for NextAuth |
+| `NEXTAUTH_SECRET` | ✅ | NextAuth JWT/session secret |
+| `CMS_URL` | ✅ | inscribed backend base URL |
+| `CMS_CDN_URL` | — | Asset CDN base (read by inscribed) |
+| `NEXT_PUBLIC_CMS_URL` | — | Client-side base URL (read by inscribed) |
+
+## Admin access
+
+Admin operations require the `cms:access` Keycloak **client role**, both for the
+logged-in user (admin UI) and the service account (sync). If sync returns `403`,
+`onSyncError` dumps the service token's `azp` / `aud` / `resource_access` claims
+and tells you exactly which role mapping is missing:
+
+```
+Keycloak Admin → Clients → <client> → Service account roles → assign "cms:access"
+```
+
+## License
+
+MIT © Skylab Kulübü — see [LICENSE](LICENSE).
+
+Uses [`inscribed`](https://www.npmjs.com/package/inscribed) (LGPL-3.0-or-later) as
+a peer dependency (not bundled); that license governs `inscribed` itself, not
+this adapter.

package/dist/config.d.ts

@@ -0,0 +1,25 @@
+import { g as getClientCredentialsToken, d as debugServiceTokenClaims } from './service-token-COa7hHuV.js';
+
+/**
+ * @file `@skylab-kulubu/inscribed-auth/config` — `cms-sync` CLI wiring.
+ *
+ * The `cms-sync` CLI is a plain Node binary - it can't receive function props
+ * the way the React tree does - so it loads the consumer's `cms.config.{js,mjs}`
+ * from the project root to learn how to obtain a service token (and, optionally,
+ * how to diagnose failures). This entry lets that config file be a one-liner:
+ *
+ *   // cms.config.mjs (consumer project root)
+ *   export { getServiceToken, onSyncError } from "@skylab-kulubu/inscribed-auth/config";
+ *
+ * Resolves to ESM so the CLI's dynamic `import()` works regardless of the
+ * consuming app's `"type"`.
+ */
+
+
+/** Service token for build-time `POST /cms/sync`. */
+const getServiceToken = getClientCredentialsToken;
+
+/** Called when a sync fails - dumps Keycloak claims to explain 403s. */
+const onSyncError = () => debugServiceTokenClaims();
+
+export { getServiceToken, onSyncError };

package/dist/config.js

@@ -0,0 +1,68 @@
+// src/lib/service-token.mjs
+var cache = null;
+async function getClientCredentialsToken() {
+  const clientId = process.env.KEYCLOAK_CLIENT_ID;
+  const clientSecret = process.env.KEYCLOAK_CLIENT_SECRET;
+  const issuer = process.env.KEYCLOAK_ISSUER;
+  if (!clientId || !clientSecret || !issuer) return "";
+  if (cache && cache.expiresAt > Date.now() + 3e4) return cache.token;
+  const res = await fetch(`${issuer}/protocol/openid-connect/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "client_credentials",
+      client_id: clientId,
+      client_secret: clientSecret
+    }),
+    cache: "no-store"
+  });
+  if (!res.ok) {
+    throw new Error(
+      `[inscribed-auth] Keycloak token request failed: ${res.status} ${await res.text()}`
+    );
+  }
+  const { access_token, expires_in } = await res.json();
+  cache = { token: access_token, expiresAt: Date.now() + expires_in * 1e3 };
+  return access_token;
+}
+async function debugServiceTokenClaims() {
+  const { KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET, KEYCLOAK_ISSUER } = process.env;
+  if (!KEYCLOAK_CLIENT_ID || !KEYCLOAK_CLIENT_SECRET || !KEYCLOAK_ISSUER) return;
+  const res = await fetch(`${KEYCLOAK_ISSUER}/protocol/openid-connect/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "client_credentials",
+      client_id: KEYCLOAK_CLIENT_ID,
+      client_secret: KEYCLOAK_CLIENT_SECRET
+    })
+  });
+  if (!res.ok) {
+    console.error(`[cms-sync:debug] Token fetch failed: ${res.status} ${await res.text()}`);
+    return;
+  }
+  const { access_token } = await res.json();
+  const [, payload] = access_token.split(".");
+  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+  console.error("[cms-sync:debug] Service token claims:");
+  console.error(`  azp:             ${claims.azp}`);
+  console.error(`  sub:             ${claims.sub}`);
+  console.error(`  aud:             ${JSON.stringify(claims.aud)}`);
+  console.error(`  scope:           ${claims.scope}`);
+  console.error(`  resource_access: ${JSON.stringify(claims.resource_access)}`);
+  const ourRoles = claims.resource_access?.[claims.azp]?.roles ?? [];
+  console.error(`  -> roles for "${claims.azp}": ${JSON.stringify(ourRoles)}`);
+  if (!ourRoles.includes("cms:access")) {
+    console.error(`  ! "cms:access" role missing on service account.`);
+    console.error(`     Keycloak Admin -> Clients -> ${claims.azp} -> Service account roles -> Assign "cms:access".`);
+  }
+}
+
+// src/config.mjs
+var getServiceToken = getClientCredentialsToken;
+var onSyncError = () => debugServiceTokenClaims();
+export {
+  getServiceToken,
+  onSyncError
+};
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/lib/service-token.mjs","../src/config.mjs"],"sourcesContent":["/**\n * @file Keycloak client-credentials service-token provider.\n *\n * Part of `@skylab-kulubu/inscribed-auth`. The inscribed core is backend-neutral:\n * it only knows the `ServiceTokenProvider` contract (`() => Promise<string>`)\n * and defaults to \"no token\". This module implements that contract against\n * Keycloak and is wired into the SDK via `createCmsPage({ getServiceToken })`\n * (consumer `lib/cms.jsx`) and the `cms-sync` CLI (consumer `cms.config.mjs`,\n * which re-exports from `@skylab-kulubu/inscribed-auth/config`).\n *\n * `.mjs` so the plain-Node `cms-sync` CLI can `import()` the resolved `./config`\n * entry as ESM regardless of the consuming app's `\"type\"`. (Skylab apps stay\n * CommonJS so next-auth v4's Keycloak provider resolves through Webpack's CJS\n * interop — see the provider-injection note in `options.js`.)\n *\n * Server / build-time only. Reads KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET,\n * KEYCLOAK_ISSUER. Returns \"\" when those vars are absent so reads degrade to\n * unauthenticated. In-process cache shared across requests, re-fetched 30s\n * before expiry.\n */\n\n/** @type {{ token: string; expiresAt: number } | null} */\nlet cache = null;\n\n/**\n * Implements the SDK's `ServiceTokenProvider` contract: `() => Promise<string>`.\n * @returns {Promise<string>}\n */\nexport async function getClientCredentialsToken() {\n  const clientId = process.env.KEYCLOAK_CLIENT_ID;\n  const clientSecret = process.env.KEYCLOAK_CLIENT_SECRET;\n  const issuer = process.env.KEYCLOAK_ISSUER;\n\n  if (!clientId || !clientSecret || !issuer) return \"\";\n\n  if (cache && cache.expiresAt > Date.now() + 30_000) return cache.token;\n\n  const res = await fetch(`${issuer}/protocol/openid-connect/token`, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n    body: new URLSearchParams({\n      grant_type: \"client_credentials\",\n      client_id: clientId,\n      client_secret: clientSecret,\n    }),\n    cache: \"no-store\",\n  });\n\n  if (!res.ok) {\n    throw new Error(\n      `[inscribed-auth] Keycloak token request failed: ${res.status} ${await res.text()}`,\n    );\n  }\n\n  const { access_token, expires_in } = await res.json();\n  cache = { token: access_token, expiresAt: Date.now() + expires_in * 1000 };\n  return access_token;\n}\n\n/**\n * Drop the cached service token so the next call re-fetches. Intentionally NOT\n * part of the public `./server` surface — kept here for internal use and for\n * anyone who deep-imports the raw module (e.g. token rotation in tests).\n */\nexport function invalidateClientCredentialsToken() {\n  cache = null;\n}\n\n/**\n * On a sync failure, fetch the service token directly and dump the claims the\n * backend's `CmsAccessPolicy` checks (`azp`, `aud`, `resource_access`). Most\n * 403s come from the service account missing the `cms:access` role mapping in\n * Keycloak - this prints exactly what's there. Wired as `onSyncError` in the\n * `./config` entry.\n */\nexport async function debugServiceTokenClaims() {\n  const { KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET, KEYCLOAK_ISSUER } = process.env;\n  if (!KEYCLOAK_CLIENT_ID || !KEYCLOAK_CLIENT_SECRET || !KEYCLOAK_ISSUER) return;\n\n  const res = await fetch(`${KEYCLOAK_ISSUER}/protocol/openid-connect/token`, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n    body: new URLSearchParams({\n      grant_type: \"client_credentials\",\n      client_id: KEYCLOAK_CLIENT_ID,\n      client_secret: KEYCLOAK_CLIENT_SECRET,\n    }),\n  });\n  if (!res.ok) {\n    console.error(`[cms-sync:debug] Token fetch failed: ${res.status} ${await res.text()}`);\n    return;\n  }\n\n  const { access_token } = await res.json();\n  const [, payload] = access_token.split(\".\");\n  const claims = JSON.parse(Buffer.from(payload, \"base64url\").toString(\"utf8\"));\n\n  console.error(\"[cms-sync:debug] Service token claims:\");\n  console.error(`  azp:             ${claims.azp}`);\n  console.error(`  sub:             ${claims.sub}`);\n  console.error(`  aud:             ${JSON.stringify(claims.aud)}`);\n  console.error(`  scope:           ${claims.scope}`);\n  console.error(`  resource_access: ${JSON.stringify(claims.resource_access)}`);\n\n  const ourRoles = claims.resource_access?.[claims.azp]?.roles ?? [];\n  console.error(`  -> roles for \"${claims.azp}\": ${JSON.stringify(ourRoles)}`);\n  if (!ourRoles.includes(\"cms:access\")) {\n    console.error(`  ! \"cms:access\" role missing on service account.`);\n    console.error(`     Keycloak Admin -> Clients -> ${claims.azp} -> Service account roles -> Assign \"cms:access\".`);\n  }\n}\n","/**\n * @file `@skylab-kulubu/inscribed-auth/config` — `cms-sync` CLI wiring.\n *\n * The `cms-sync` CLI is a plain Node binary - it can't receive function props\n * the way the React tree does - so it loads the consumer's `cms.config.{js,mjs}`\n * from the project root to learn how to obtain a service token (and, optionally,\n * how to diagnose failures). This entry lets that config file be a one-liner:\n *\n *   // cms.config.mjs (consumer project root)\n *   export { getServiceToken, onSyncError } from \"@skylab-kulubu/inscribed-auth/config\";\n *\n * Resolves to ESM so the CLI's dynamic `import()` works regardless of the\n * consuming app's `\"type\"`.\n */\n\nimport {\n  getClientCredentialsToken,\n  debugServiceTokenClaims,\n} from \"./lib/service-token.mjs\";\n\n/** Service token for build-time `POST /cms/sync`. */\nexport const getServiceToken = getClientCredentialsToken;\n\n/** Called when a sync fails - dumps Keycloak claims to explain 403s. */\nexport const onSyncError = () => debugServiceTokenClaims();\n"],"mappings":";AAsBA,IAAI,QAAQ;AAMZ,eAAsB,4BAA4B;AAChD,QAAM,WAAW,QAAQ,IAAI;AAC7B,QAAM,eAAe,QAAQ,IAAI;AACjC,QAAM,SAAS,QAAQ,IAAI;AAE3B,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,OAAQ,QAAO;AAElD,MAAI,SAAS,MAAM,YAAY,KAAK,IAAI,IAAI,IAAQ,QAAO,MAAM;AAEjE,QAAM,MAAM,MAAM,MAAM,GAAG,MAAM,kCAAkC;AAAA,IACjE,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,IAAI,gBAAgB;AAAA,MACxB,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,eAAe;AAAA,IACjB,CAAC;AAAA,IACD,OAAO;AAAA,EACT,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI;AAAA,MACR,mDAAmD,IAAI,MAAM,IAAI,MAAM,IAAI,KAAK,CAAC;AAAA,IACnF;AAAA,EACF;AAEA,QAAM,EAAE,cAAc,WAAW,IAAI,MAAM,IAAI,KAAK;AACpD,UAAQ,EAAE,OAAO,cAAc,WAAW,KAAK,IAAI,IAAI,aAAa,IAAK;AACzE,SAAO;AACT;AAkBA,eAAsB,0BAA0B;AAC9C,QAAM,EAAE,oBAAoB,wBAAwB,gBAAgB,IAAI,QAAQ;AAChF,MAAI,CAAC,sBAAsB,CAAC,0BAA0B,CAAC,gBAAiB;AAExE,QAAM,MAAM,MAAM,MAAM,GAAG,eAAe,kCAAkC;AAAA,IAC1E,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,IAAI,gBAAgB;AAAA,MACxB,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,eAAe;AAAA,IACjB,CAAC;AAAA,EACH,CAAC;AACD,MAAI,CAAC,IAAI,IAAI;AACX,YAAQ,MAAM,wCAAwC,IAAI,MAAM,IAAI,MAAM,IAAI,KAAK,CAAC,EAAE;AACtF;AAAA,EACF;AAEA,QAAM,EAAE,aAAa,IAAI,MAAM,IAAI,KAAK;AACxC,QAAM,CAAC,EAAE,OAAO,IAAI,aAAa,MAAM,GAAG;AAC1C,QAAM,SAAS,KAAK,MAAM,OAAO,KAAK,SAAS,WAAW,EAAE,SAAS,MAAM,CAAC;AAE5E,UAAQ,MAAM,wCAAwC;AACtD,UAAQ,MAAM,sBAAsB,OAAO,GAAG,EAAE;AAChD,UAAQ,MAAM,sBAAsB,OAAO,GAAG,EAAE;AAChD,UAAQ,MAAM,sBAAsB,KAAK,UAAU,OAAO,GAAG,CAAC,EAAE;AAChE,UAAQ,MAAM,sBAAsB,OAAO,KAAK,EAAE;AAClD,UAAQ,MAAM,sBAAsB,KAAK,UAAU,OAAO,eAAe,CAAC,EAAE;AAE5E,QAAM,WAAW,OAAO,kBAAkB,OAAO,GAAG,GAAG,SAAS,CAAC;AACjE,UAAQ,MAAM,mBAAmB,OAAO,GAAG,MAAM,KAAK,UAAU,QAAQ,CAAC,EAAE;AAC3E,MAAI,CAAC,SAAS,SAAS,YAAY,GAAG;AACpC,YAAQ,MAAM,mDAAmD;AACjE,YAAQ,MAAM,qCAAqC,OAAO,GAAG,mDAAmD;AAAA,EAClH;AACF;;;ACzFO,IAAM,kBAAkB;AAGxB,IAAM,cAAc,MAAM,wBAAwB;","names":[]}

package/dist/index.d.ts

@@ -0,0 +1,35 @@
+import * as next_auth from 'next-auth';
+import { CmsConfig, BlockResponse } from 'inscribed';
+
+/**
+ * Drop-in replacement for `CmsProvider` when using NextAuth + Keycloak.
+ *
+ * The parent Server Component should:
+ * 1. Call `getServerSession(authOptions)` to get the session
+ * 2. Derive `isAdmin` (e.g. `session !== null`) and `userSub` (`session?.user?.id`)
+ * 3. Server-fetch `initialBlocks` with `getCmsContent`
+ * 4. Pass `onAfterSave={revalidateCmsSlug}` from `inscribed/actions`
+ *
+ * @param {{
+ *   config: CmsConfig | { baseUrl: string },
+ *   isAdmin: boolean,
+ *   userSub: string | null,
+ *   initialBlocks?: BlockResponse[],
+ *   onAfterSave?: (slug: string) => void | Promise<void>,
+ *   session?: import("next-auth").Session | null,
+ *   children: React.ReactNode,
+ * }} props
+ */
+declare function NextAuthCmsProvider({ session, ...props }: {
+    config: CmsConfig | {
+        baseUrl: string;
+    };
+    isAdmin: boolean;
+    userSub: string | null;
+    initialBlocks?: BlockResponse[];
+    onAfterSave?: (slug: string) => void | Promise<void>;
+    session?: next_auth.Session | null;
+    children: React.ReactNode;
+}): any;
+
+export { NextAuthCmsProvider };

package/dist/index.js

@@ -0,0 +1,52 @@
+"use client";
+
+// src/index.jsx
+import { SessionProvider, signIn, signOut, useSession } from "next-auth/react";
+import { useCallback, useEffect, useMemo } from "react";
+import { CmsProvider } from "inscribed";
+import { jsx } from "react/jsx-runtime";
+function Inner({ config, isAdmin, userSub, initialBlocks, onAfterSave, children }) {
+  const { data: session } = useSession();
+  useEffect(() => {
+    if (session?.error === "RefreshAccessTokenError") signIn();
+  }, [session?.error]);
+  const getAccessToken = useCallback(
+    async () => (
+      /** @type {string} */
+      session?.accessToken ?? ""
+    ),
+    [session?.accessToken]
+  );
+  const userInfo = useMemo(
+    () => session?.user ? {
+      name: session.user.name ?? null,
+      email: session.user.email ?? null,
+      image: session.user.image ?? null
+    } : null,
+    [session?.user?.name, session?.user?.email, session?.user?.image]
+  );
+  const onSignOut = useCallback(() => {
+    signOut({ callbackUrl: "/" });
+  }, []);
+  return /* @__PURE__ */ jsx(
+    CmsProvider,
+    {
+      config,
+      isAdmin,
+      userSub,
+      initialBlocks,
+      onAfterSave,
+      getAccessToken: isAdmin ? getAccessToken : void 0,
+      userInfo,
+      onSignOut,
+      children
+    }
+  );
+}
+function NextAuthCmsProvider({ session, ...props }) {
+  return /* @__PURE__ */ jsx(SessionProvider, { session, children: /* @__PURE__ */ jsx(Inner, { ...props }) });
+}
+export {
+  NextAuthCmsProvider
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.jsx"],"sourcesContent":["\"use client\";\n\n/**\n * @file `@skylab-kulubu/inscribed-auth` — client entry.\n *\n * NextAuth-aware wrapper around inscribed's `CmsProvider`. The inscribed core is\n * auth-agnostic; this is Skylab's NextAuth + Keycloak client wiring.\n *\n * Wraps children with NextAuth's `SessionProvider` (so you don't need to add it\n * to `layout.jsx`) and feeds `useSession()` into `CmsProvider` so admin saves\n * include a valid `Authorization: Bearer` header automatically.\n *\n * This is the only client surface in the package; keeping it isolated in the\n * `.` entry is what lets the top-level `\"use client\"` above survive bundling.\n */\n\nimport { SessionProvider, signIn, signOut, useSession } from \"next-auth/react\";\nimport { useCallback, useEffect, useMemo } from \"react\";\n\nimport { CmsProvider } from \"inscribed\";\n\n/**\n * @import { CmsConfig, BlockResponse } from \"inscribed\"\n */\n\n/**\n * Inner component: needs to be inside `SessionProvider` to call `useSession`.\n *\n * @param {{\n *   config: CmsConfig | { baseUrl: string },\n *   isAdmin: boolean,\n *   userSub: string | null,\n *   initialBlocks?: BlockResponse[],\n *   onAfterSave?: (slug: string) => void | Promise<void>,\n *   children: React.ReactNode,\n * }} props\n */\nfunction Inner({ config, isAdmin, userSub, initialBlocks, onAfterSave, children }) {\n  const { data: session } = useSession();\n\n  useEffect(() => {\n    if (session?.error === \"RefreshAccessTokenError\") signIn();\n  }, [session?.error]);\n\n  const getAccessToken = useCallback(\n    async () => /** @type {string} */ (session?.accessToken ?? \"\"),\n    [session?.accessToken],\n  );\n\n  // Surface identity for the admin panel footer. Re-build only when the\n  // underlying values change so CmsProvider's memo doesn't bust on every\n  // render of this component.\n  const userInfo = useMemo(\n    () =>\n      session?.user\n        ? {\n            name: session.user.name ?? null,\n            email: session.user.email ?? null,\n            image: session.user.image ?? null,\n          }\n        : null,\n    [session?.user?.name, session?.user?.email, session?.user?.image],\n  );\n\n  const onSignOut = useCallback(() => {\n    signOut({ callbackUrl: \"/\" });\n  }, []);\n\n  return (\n    <CmsProvider config={config} isAdmin={isAdmin} userSub={userSub}\n      initialBlocks={initialBlocks} onAfterSave={onAfterSave}\n      getAccessToken={isAdmin ? getAccessToken : undefined}\n      userInfo={userInfo}\n      onSignOut={onSignOut}\n    >\n      {children}\n    </CmsProvider>\n  );\n}\n\n/**\n * Drop-in replacement for `CmsProvider` when using NextAuth + Keycloak.\n *\n * The parent Server Component should:\n * 1. Call `getServerSession(authOptions)` to get the session\n * 2. Derive `isAdmin` (e.g. `session !== null`) and `userSub` (`session?.user?.id`)\n * 3. Server-fetch `initialBlocks` with `getCmsContent`\n * 4. Pass `onAfterSave={revalidateCmsSlug}` from `inscribed/actions`\n *\n * @param {{\n *   config: CmsConfig | { baseUrl: string },\n *   isAdmin: boolean,\n *   userSub: string | null,\n *   initialBlocks?: BlockResponse[],\n *   onAfterSave?: (slug: string) => void | Promise<void>,\n *   session?: import(\"next-auth\").Session | null,\n *   children: React.ReactNode,\n * }} props\n */\nexport function NextAuthCmsProvider({ session, ...props }) {\n  return (\n    <SessionProvider session={session}>\n      <Inner {...props} />\n    </SessionProvider>\n  );\n}\n"],"mappings":";;;AAgBA,SAAS,iBAAiB,QAAQ,SAAS,kBAAkB;AAC7D,SAAS,aAAa,WAAW,eAAe;AAEhD,SAAS,mBAAmB;AAkDxB;AAhCJ,SAAS,MAAM,EAAE,QAAQ,SAAS,SAAS,eAAe,aAAa,SAAS,GAAG;AACjF,QAAM,EAAE,MAAM,QAAQ,IAAI,WAAW;AAErC,YAAU,MAAM;AACd,QAAI,SAAS,UAAU,0BAA2B,QAAO;AAAA,EAC3D,GAAG,CAAC,SAAS,KAAK,CAAC;AAEnB,QAAM,iBAAiB;AAAA,IACrB;AAAA;AAAA,MAAmC,SAAS,eAAe;AAAA;AAAA,IAC3D,CAAC,SAAS,WAAW;AAAA,EACvB;AAKA,QAAM,WAAW;AAAA,IACf,MACE,SAAS,OACL;AAAA,MACE,MAAM,QAAQ,KAAK,QAAQ;AAAA,MAC3B,OAAO,QAAQ,KAAK,SAAS;AAAA,MAC7B,OAAO,QAAQ,KAAK,SAAS;AAAA,IAC/B,IACA;AAAA,IACN,CAAC,SAAS,MAAM,MAAM,SAAS,MAAM,OAAO,SAAS,MAAM,KAAK;AAAA,EAClE;AAEA,QAAM,YAAY,YAAY,MAAM;AAClC,YAAQ,EAAE,aAAa,IAAI,CAAC;AAAA,EAC9B,GAAG,CAAC,CAAC;AAEL,SACE;AAAA,IAAC;AAAA;AAAA,MAAY;AAAA,MAAgB;AAAA,MAAkB;AAAA,MAC7C;AAAA,MAA8B;AAAA,MAC9B,gBAAgB,UAAU,iBAAiB;AAAA,MAC3C;AAAA,MACA;AAAA,MAEC;AAAA;AAAA,EACH;AAEJ;AAqBO,SAAS,oBAAoB,EAAE,SAAS,GAAG,MAAM,GAAG;AACzD,SACE,oBAAC,mBAAgB,SACf,8BAAC,SAAO,GAAG,OAAO,GACpB;AAEJ;","names":[]}

package/dist/server.d.ts

@@ -0,0 +1,112 @@
+import * as next_auth from 'next-auth';
+export { d as debugServiceTokenClaims, g as getClientCredentialsToken } from './service-token-COa7hHuV.js';
+
+/**
+ * @typedef {Object} CmsAuthMeta
+ * @property {string|null} adminRole
+ * @property {((session: *) => boolean)|null} isAdmin
+ */
+/**
+ * @typedef {Object} CreateCmsAuthOptionsInput
+ * @property {*} provider
+ *   Configured NextAuth provider instance. Import the provider module on
+ *   the consumer side (typically `next-auth/providers/keycloak`) and pass
+ *   the result of calling it. Required.
+ * @property {string} [adminRole]
+ *   Keycloak client role required for admin access. Default `"cms:access"`.
+ * @property {(session: *) => boolean} [isAdmin]
+ *   Override admin gating with arbitrary logic. Wins over `adminRole`.
+ * @property {number} [refreshLeadTimeMs]
+ *   Refresh access tokens this many ms before expiry. Default 10 000.
+ * @property {Partial<import("next-auth").AuthOptions["callbacks"]>} [extraCallbacks]
+ *   Extra callbacks merged on top of the built-in ones. Each callback runs
+ *   AFTER the built-in version and receives the already-augmented value.
+ * @property {Partial<import("next-auth").AuthOptions>} [extraOptions]
+ *   Anything else (pages, cookies, events, ...) merged onto the result.
+ */
+/**
+ * Build a ready-to-use NextAuth `AuthOptions` object.
+ *
+ * @param {CreateCmsAuthOptionsInput} input
+ * @returns {import("next-auth").AuthOptions & { [CMS_META]: CmsAuthMeta }}
+ */
+declare function createCmsAuthOptions(input: CreateCmsAuthOptionsInput): next_auth.AuthOptions & {
+    [CMS_META]: CmsAuthMeta;
+};
+/**
+ * Read CMS admin metadata previously stamped by `createCmsAuthOptions`.
+ * Returns null if the options didn't come from the factory.
+ *
+ * @param {*} authOptions
+ * @returns {CmsAuthMeta|null}
+ */
+declare function readCmsAuthMeta(authOptions: any): CmsAuthMeta | null;
+/**
+ * Decide whether a session belongs to a CMS admin. Uses `isAdmin` callback
+ * when provided, otherwise checks for the named Keycloak client role.
+ * Falls back to `false` when no metadata is available.
+ *
+ * @param {*} session
+ * @param {CmsAuthMeta|null} [meta]
+ * @returns {boolean}
+ */
+declare function isCmsAdmin(session: any, meta?: CmsAuthMeta | null): boolean;
+/**
+ * Adapt NextAuth `authOptions` into the auth-agnostic callbacks
+ * `createCmsPage` expects, so the inscribed core never has to import next-auth.
+ * Spread the result into the factory:
+ *
+ *   import { withCmsAuth } from "@skylab-kulubu/inscribed-auth/server";
+ *   createCmsPage({ ...withCmsAuth(authOptions), config, Provider, ... });
+ *
+ * - `getSession` resolves the server session via `getServerSession`.
+ * - `deriveAdmin` uses the admin metadata stamped by `createCmsAuthOptions`
+ *   (falls back to `session != null` when the options didn't come from the
+ *   factory).
+ * - `deriveUserSub` reads `session.user.id`.
+ *
+ * @param {import("next-auth").AuthOptions} authOptions
+ * @returns {{ getSession: () => Promise<*|null>, deriveAdmin: (session: *) => boolean, deriveUserSub: (session: *) => string | null }}
+ */
+declare function withCmsAuth(authOptions: next_auth.AuthOptions): {
+    getSession: () => Promise<any | null>;
+    deriveAdmin: (session: any) => boolean;
+    deriveUserSub: (session: any) => string | null;
+};
+type CmsAuthMeta = {
+    adminRole: string | null;
+    isAdmin: ((session: any) => boolean) | null;
+};
+type CreateCmsAuthOptionsInput = {
+    /**
+     *   Configured NextAuth provider instance. Import the provider module on
+     *   the consumer side (typically `next-auth/providers/keycloak`) and pass
+     *   the result of calling it. Required.
+     */
+    provider: any;
+    /**
+     * Keycloak client role required for admin access. Default `"cms:access"`.
+     */
+    adminRole?: string | undefined;
+    /**
+     * Override admin gating with arbitrary logic. Wins over `adminRole`.
+     */
+    isAdmin?: ((session: any) => boolean) | undefined;
+    /**
+     * Refresh access tokens this many ms before expiry. Default 10 000.
+     */
+    refreshLeadTimeMs?: number | undefined;
+    /**
+     * Extra callbacks merged on top of the built-in ones. Each callback runs
+     * AFTER the built-in version and receives the already-augmented value.
+     */
+    extraCallbacks?: Partial<next_auth.AuthOptions["callbacks"]>;
+    /**
+     * Anything else (pages, cookies, events, ...) merged onto the result.
+     */
+    extraOptions?: Partial<next_auth.NextAuthOptions> | undefined;
+};
+/** @type {unique symbol} */
+declare const CMS_META: unique symbol;
+
+export { createCmsAuthOptions, isCmsAdmin, readCmsAuthMeta, withCmsAuth };

package/dist/server.js

@@ -0,0 +1,214 @@
+// src/lib/options.js
+import { getServerSession } from "next-auth";
+var CMS_META = /* @__PURE__ */ Symbol.for("inscribed/auth.meta");
+function createCmsAuthOptions(input) {
+  const {
+    provider,
+    adminRole = "cms:access",
+    isAdmin,
+    refreshLeadTimeMs = 1e4,
+    extraCallbacks,
+    extraOptions
+  } = input ?? {};
+  if (!provider) {
+    throw new Error(
+      "createCmsAuthOptions: `provider` is required. Import a NextAuth provider (e.g. `next-auth/providers/keycloak`) in your own auth file and pass the configured instance."
+    );
+  }
+  const keycloakClientId = process.env.KEYCLOAK_CLIENT_ID ?? "";
+  const base = {
+    providers: [provider],
+    callbacks: {
+      async jwt(args) {
+        const { token, account } = args;
+        let next = token;
+        if (account) {
+          next.accessToken = account.access_token;
+          next.refreshToken = account.refresh_token;
+          next.accessTokenExpires = typeof account.expires_at === "number" ? account.expires_at * 1e3 : 0;
+          next.sub = account.providerAccountId ?? next.sub;
+          next.error = void 0;
+          next.clientRoles = readClientRoles(account.access_token, keycloakClientId);
+        } else if (
+          // 2. Previous refresh failed - bail until the user re-authenticates.
+          next.error !== "RefreshAccessTokenError" && // 3. Token still valid (with lead time) - return as-is.
+          (typeof next.accessTokenExpires !== "number" || Date.now() >= next.accessTokenExpires - refreshLeadTimeMs)
+        ) {
+          next = await refreshAccessToken(next, keycloakClientId);
+        }
+        if (extraCallbacks?.jwt) {
+          const overridden = await extraCallbacks.jwt({ ...args, token: next });
+          if (overridden !== void 0) return overridden;
+        }
+        return next;
+      },
+      async session(args) {
+        const { session, token } = args;
+        session.accessToken = /** @type {string|undefined} */
+        token.accessToken;
+        session.error = token.error;
+        if (session.user) {
+          session.user.id = /** @type {string} */
+          token.sub ?? "";
+          session.user.clientRoles = /** @type {string[]} */
+          token.clientRoles ?? [];
+        }
+        if (extraCallbacks?.session) {
+          const overridden = await extraCallbacks.session(args);
+          if (overridden !== void 0) return overridden;
+        }
+        return session;
+      },
+      ...extraCallbacks ? Object.fromEntries(
+        Object.entries(extraCallbacks).filter(
+          ([key]) => key !== "jwt" && key !== "session"
+        )
+      ) : {}
+    },
+    ...extraOptions
+  };
+  const meta = {
+    adminRole: isAdmin ? null : adminRole,
+    isAdmin: isAdmin ?? null
+  };
+  return Object.assign(base, { [CMS_META]: meta });
+}
+function readCmsAuthMeta(authOptions) {
+  if (!authOptions || typeof authOptions !== "object") return null;
+  return authOptions[CMS_META] ?? null;
+}
+function isCmsAdmin(session, meta) {
+  if (!session) return false;
+  if (!meta) return false;
+  if (meta.isAdmin) return Boolean(meta.isAdmin(session));
+  if (meta.adminRole) {
+    const roles = session.user?.clientRoles ?? [];
+    return roles.includes(meta.adminRole);
+  }
+  return false;
+}
+function withCmsAuth(authOptions) {
+  if (!authOptions) {
+    throw new Error("withCmsAuth: `authOptions` is required");
+  }
+  const meta = readCmsAuthMeta(authOptions);
+  return {
+    getSession: () => getServerSession(authOptions),
+    deriveAdmin: meta ? (session) => isCmsAdmin(session, meta) : (session) => session != null,
+    deriveUserSub: (session) => session?.user?.id ?? null
+  };
+}
+function readClientRoles(accessToken, clientId) {
+  if (!accessToken || !clientId) return [];
+  const segments = accessToken.split(".");
+  if (segments.length < 2) return [];
+  try {
+    const payload = JSON.parse(
+      Buffer.from(segments[1], "base64url").toString("utf8")
+    );
+    return payload?.resource_access?.[clientId]?.roles ?? [];
+  } catch {
+    return [];
+  }
+}
+async function refreshAccessToken(token, keycloakClientId) {
+  try {
+    const issuer = process.env.KEYCLOAK_ISSUER ?? "";
+    const response = await fetch(`${issuer}/protocol/openid-connect/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        client_id: process.env.KEYCLOAK_CLIENT_ID ?? "",
+        client_secret: process.env.KEYCLOAK_CLIENT_SECRET ?? "",
+        grant_type: "refresh_token",
+        refresh_token: token.refreshToken
+      })
+    });
+    const refreshed = await response.json();
+    if (!response.ok) throw refreshed;
+    return {
+      ...token,
+      accessToken: refreshed.access_token,
+      accessTokenExpires: Date.now() + refreshed.expires_in * 1e3,
+      refreshToken: refreshed.refresh_token ?? token.refreshToken,
+      clientRoles: readClientRoles(refreshed.access_token, keycloakClientId),
+      error: void 0
+    };
+  } catch (error) {
+    console.error("[inscribed-auth] Refresh token error:", error);
+    return {
+      ...token,
+      accessToken: void 0,
+      error: "RefreshAccessTokenError"
+    };
+  }
+}
+
+// src/lib/service-token.mjs
+var cache = null;
+async function getClientCredentialsToken() {
+  const clientId = process.env.KEYCLOAK_CLIENT_ID;
+  const clientSecret = process.env.KEYCLOAK_CLIENT_SECRET;
+  const issuer = process.env.KEYCLOAK_ISSUER;
+  if (!clientId || !clientSecret || !issuer) return "";
+  if (cache && cache.expiresAt > Date.now() + 3e4) return cache.token;
+  const res = await fetch(`${issuer}/protocol/openid-connect/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "client_credentials",
+      client_id: clientId,
+      client_secret: clientSecret
+    }),
+    cache: "no-store"
+  });
+  if (!res.ok) {
+    throw new Error(
+      `[inscribed-auth] Keycloak token request failed: ${res.status} ${await res.text()}`
+    );
+  }
+  const { access_token, expires_in } = await res.json();
+  cache = { token: access_token, expiresAt: Date.now() + expires_in * 1e3 };
+  return access_token;
+}
+async function debugServiceTokenClaims() {
+  const { KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET, KEYCLOAK_ISSUER } = process.env;
+  if (!KEYCLOAK_CLIENT_ID || !KEYCLOAK_CLIENT_SECRET || !KEYCLOAK_ISSUER) return;
+  const res = await fetch(`${KEYCLOAK_ISSUER}/protocol/openid-connect/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "client_credentials",
+      client_id: KEYCLOAK_CLIENT_ID,
+      client_secret: KEYCLOAK_CLIENT_SECRET
+    })
+  });
+  if (!res.ok) {
+    console.error(`[cms-sync:debug] Token fetch failed: ${res.status} ${await res.text()}`);
+    return;
+  }
+  const { access_token } = await res.json();
+  const [, payload] = access_token.split(".");
+  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+  console.error("[cms-sync:debug] Service token claims:");
+  console.error(`  azp:             ${claims.azp}`);
+  console.error(`  sub:             ${claims.sub}`);
+  console.error(`  aud:             ${JSON.stringify(claims.aud)}`);
+  console.error(`  scope:           ${claims.scope}`);
+  console.error(`  resource_access: ${JSON.stringify(claims.resource_access)}`);
+  const ourRoles = claims.resource_access?.[claims.azp]?.roles ?? [];
+  console.error(`  -> roles for "${claims.azp}": ${JSON.stringify(ourRoles)}`);
+  if (!ourRoles.includes("cms:access")) {
+    console.error(`  ! "cms:access" role missing on service account.`);
+    console.error(`     Keycloak Admin -> Clients -> ${claims.azp} -> Service account roles -> Assign "cms:access".`);
+  }
+}
+export {
+  createCmsAuthOptions,
+  debugServiceTokenClaims,
+  getClientCredentialsToken,
+  isCmsAdmin,
+  readCmsAuthMeta,
+  withCmsAuth
+};
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/lib/options.js","../src/lib/service-token.mjs"],"sourcesContent":["/**\n * @file Pre-wired NextAuth options for inscribed CMS apps (Skylab auth adapter).\n *\n * Part of `@skylab-kulubu/inscribed-auth`. The inscribed core is auth-agnostic;\n * this module is Skylab's NextAuth + Keycloak server wiring on top of it.\n *\n * `createCmsAuthOptions()` returns a complete `AuthOptions` object suitable\n * for `NextAuth(...)` in `app/api/auth/[...nextauth]/route.js`. It bundles:\n *   - JWT callback that persists Keycloak access/refresh tokens\n *   - Silent refresh of expired access tokens\n *   - Client-role extraction from the access token\n *   - Session callback that exposes `accessToken`, `user.id`, `user.clientRoles`\n *\n * The OAuth provider itself stays on the consumer side - import\n * `next-auth/providers/keycloak` (or any other provider) in your own\n * `lib/auth.js` and pass the configured instance via `provider`. Importing\n * NextAuth provider modules from a bundled package breaks Webpack's\n * CJS/ESM interop and the provider resolves to `undefined` at runtime.\n *\n * Admin metadata (`adminRole` / `isAdmin`) is stamped onto the returned\n * options so `createCmsPage({ ...withCmsAuth(authOptions) })` can derive admin\n * gating automatically without the caller wiring a separate `deriveAdmin`.\n */\n\nimport { getServerSession } from \"next-auth\";\n\n/** @type {unique symbol} */\nconst CMS_META = Symbol.for(\"inscribed/auth.meta\");\n\n/**\n * @typedef {Object} CmsAuthMeta\n * @property {string|null} adminRole\n * @property {((session: *) => boolean)|null} isAdmin\n */\n\n/**\n * @typedef {Object} CreateCmsAuthOptionsInput\n * @property {*} provider\n *   Configured NextAuth provider instance. Import the provider module on\n *   the consumer side (typically `next-auth/providers/keycloak`) and pass\n *   the result of calling it. Required.\n * @property {string} [adminRole]\n *   Keycloak client role required for admin access. Default `\"cms:access\"`.\n * @property {(session: *) => boolean} [isAdmin]\n *   Override admin gating with arbitrary logic. Wins over `adminRole`.\n * @property {number} [refreshLeadTimeMs]\n *   Refresh access tokens this many ms before expiry. Default 10 000.\n * @property {Partial<import(\"next-auth\").AuthOptions[\"callbacks\"]>} [extraCallbacks]\n *   Extra callbacks merged on top of the built-in ones. Each callback runs\n *   AFTER the built-in version and receives the already-augmented value.\n * @property {Partial<import(\"next-auth\").AuthOptions>} [extraOptions]\n *   Anything else (pages, cookies, events, ...) merged onto the result.\n */\n\n/**\n * Build a ready-to-use NextAuth `AuthOptions` object.\n *\n * @param {CreateCmsAuthOptionsInput} input\n * @returns {import(\"next-auth\").AuthOptions & { [CMS_META]: CmsAuthMeta }}\n */\nexport function createCmsAuthOptions(input) {\n  const {\n    provider,\n    adminRole = \"cms:access\",\n    isAdmin,\n    refreshLeadTimeMs = 10_000,\n    extraCallbacks,\n    extraOptions,\n  } = input ?? {};\n\n  if (!provider) {\n    throw new Error(\n      \"createCmsAuthOptions: `provider` is required. Import a NextAuth provider \" +\n        \"(e.g. `next-auth/providers/keycloak`) in your own auth file and pass \" +\n        \"the configured instance.\",\n    );\n  }\n\n  const keycloakClientId = process.env.KEYCLOAK_CLIENT_ID ?? \"\";\n\n  /** @type {import(\"next-auth\").AuthOptions} */\n  const base = {\n    providers: [provider],\n    callbacks: {\n      async jwt(args) {\n        const { token, account } = args;\n        let next = token;\n\n        // 1. Initial sign-in: copy tokens off the OAuth account.\n        if (account) {\n          next.accessToken = account.access_token;\n          next.refreshToken = account.refresh_token;\n          next.accessTokenExpires =\n            typeof account.expires_at === \"number\" ? account.expires_at * 1000 : 0;\n          next.sub = account.providerAccountId ?? next.sub;\n          next.error = undefined;\n          next.clientRoles = readClientRoles(account.access_token, keycloakClientId);\n        } else if (\n          // 2. Previous refresh failed - bail until the user re-authenticates.\n          next.error !== \"RefreshAccessTokenError\" &&\n          // 3. Token still valid (with lead time) - return as-is.\n          (typeof next.accessTokenExpires !== \"number\" ||\n            Date.now() >= next.accessTokenExpires - refreshLeadTimeMs)\n        ) {\n          // 4. Expired (or about to) - silently refresh.\n          next = await refreshAccessToken(next, keycloakClientId);\n        }\n\n        if (extraCallbacks?.jwt) {\n          const overridden = await extraCallbacks.jwt({ ...args, token: next });\n          if (overridden !== undefined) return overridden;\n        }\n        return next;\n      },\n\n      async session(args) {\n        const { session, token } = args;\n        session.accessToken = /** @type {string|undefined} */ (token.accessToken);\n        session.error = token.error;\n        if (session.user) {\n          session.user.id = /** @type {string} */ (token.sub ?? \"\");\n          session.user.clientRoles =\n            /** @type {string[]} */ (token.clientRoles ?? []);\n        }\n\n        if (extraCallbacks?.session) {\n          const overridden = await extraCallbacks.session(args);\n          if (overridden !== undefined) return overridden;\n        }\n        return session;\n      },\n\n      ...(extraCallbacks\n        ? Object.fromEntries(\n            Object.entries(extraCallbacks).filter(\n              ([key]) => key !== \"jwt\" && key !== \"session\",\n            ),\n          )\n        : {}),\n    },\n    ...extraOptions,\n  };\n\n  /** @type {CmsAuthMeta} */\n  const meta = {\n    adminRole: isAdmin ? null : adminRole,\n    isAdmin: isAdmin ?? null,\n  };\n\n  return Object.assign(base, { [CMS_META]: meta });\n}\n\n/**\n * Read CMS admin metadata previously stamped by `createCmsAuthOptions`.\n * Returns null if the options didn't come from the factory.\n *\n * @param {*} authOptions\n * @returns {CmsAuthMeta|null}\n */\nexport function readCmsAuthMeta(authOptions) {\n  if (!authOptions || typeof authOptions !== \"object\") return null;\n  return authOptions[CMS_META] ?? null;\n}\n\n/**\n * Decide whether a session belongs to a CMS admin. Uses `isAdmin` callback\n * when provided, otherwise checks for the named Keycloak client role.\n * Falls back to `false` when no metadata is available.\n *\n * @param {*} session\n * @param {CmsAuthMeta|null} [meta]\n * @returns {boolean}\n */\nexport function isCmsAdmin(session, meta) {\n  if (!session) return false;\n  if (!meta) return false;\n  if (meta.isAdmin) return Boolean(meta.isAdmin(session));\n  if (meta.adminRole) {\n    /** @type {string[]} */\n    const roles = session.user?.clientRoles ?? [];\n    return roles.includes(meta.adminRole);\n  }\n  return false;\n}\n\n/**\n * Adapt NextAuth `authOptions` into the auth-agnostic callbacks\n * `createCmsPage` expects, so the inscribed core never has to import next-auth.\n * Spread the result into the factory:\n *\n *   import { withCmsAuth } from \"@skylab-kulubu/inscribed-auth/server\";\n *   createCmsPage({ ...withCmsAuth(authOptions), config, Provider, ... });\n *\n * - `getSession` resolves the server session via `getServerSession`.\n * - `deriveAdmin` uses the admin metadata stamped by `createCmsAuthOptions`\n *   (falls back to `session != null` when the options didn't come from the\n *   factory).\n * - `deriveUserSub` reads `session.user.id`.\n *\n * @param {import(\"next-auth\").AuthOptions} authOptions\n * @returns {{ getSession: () => Promise<*|null>, deriveAdmin: (session: *) => boolean, deriveUserSub: (session: *) => string | null }}\n */\nexport function withCmsAuth(authOptions) {\n  if (!authOptions) {\n    throw new Error(\"withCmsAuth: `authOptions` is required\");\n  }\n  const meta = readCmsAuthMeta(authOptions);\n  return {\n    getSession: () => getServerSession(authOptions),\n    deriveAdmin: meta\n      ? (session) => isCmsAdmin(session, meta)\n      : (session) => session != null,\n    deriveUserSub: (session) => session?.user?.id ?? null,\n  };\n}\n\n// ---------------------------------------------------------------------------\n// Internals\n// ---------------------------------------------------------------------------\n\n/**\n * Decode a Keycloak access token (JWT) and return roles scoped to the\n * given client. Signature isn't verified - the token came from Keycloak\n * directly via the OAuth flow, so trust is established.\n *\n * @param {string|undefined} accessToken\n * @param {string} clientId\n * @returns {string[]}\n */\nfunction readClientRoles(accessToken, clientId) {\n  if (!accessToken || !clientId) return [];\n  const segments = accessToken.split(\".\");\n  if (segments.length < 2) return [];\n  try {\n    const payload = JSON.parse(\n      Buffer.from(segments[1], \"base64url\").toString(\"utf8\"),\n    );\n    return payload?.resource_access?.[clientId]?.roles ?? [];\n  } catch {\n    return [];\n  }\n}\n\n/**\n * Exchange the refresh token for a new access token at Keycloak.\n *\n * @param {*} token\n * @param {string} keycloakClientId\n */\nasync function refreshAccessToken(token, keycloakClientId) {\n  try {\n    const issuer = process.env.KEYCLOAK_ISSUER ?? \"\";\n    const response = await fetch(`${issuer}/protocol/openid-connect/token`, {\n      method: \"POST\",\n      headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n      body: new URLSearchParams({\n        client_id: process.env.KEYCLOAK_CLIENT_ID ?? \"\",\n        client_secret: process.env.KEYCLOAK_CLIENT_SECRET ?? \"\",\n        grant_type: \"refresh_token\",\n        refresh_token: token.refreshToken,\n      }),\n    });\n\n    const refreshed = await response.json();\n    if (!response.ok) throw refreshed;\n\n    return {\n      ...token,\n      accessToken: refreshed.access_token,\n      accessTokenExpires: Date.now() + refreshed.expires_in * 1000,\n      refreshToken: refreshed.refresh_token ?? token.refreshToken,\n      clientRoles: readClientRoles(refreshed.access_token, keycloakClientId),\n      error: undefined,\n    };\n  } catch (error) {\n    // eslint-disable-next-line no-console\n    console.error(\"[inscribed-auth] Refresh token error:\", error);\n    return {\n      ...token,\n      accessToken: undefined,\n      error: \"RefreshAccessTokenError\",\n    };\n  }\n}\n","/**\n * @file Keycloak client-credentials service-token provider.\n *\n * Part of `@skylab-kulubu/inscribed-auth`. The inscribed core is backend-neutral:\n * it only knows the `ServiceTokenProvider` contract (`() => Promise<string>`)\n * and defaults to \"no token\". This module implements that contract against\n * Keycloak and is wired into the SDK via `createCmsPage({ getServiceToken })`\n * (consumer `lib/cms.jsx`) and the `cms-sync` CLI (consumer `cms.config.mjs`,\n * which re-exports from `@skylab-kulubu/inscribed-auth/config`).\n *\n * `.mjs` so the plain-Node `cms-sync` CLI can `import()` the resolved `./config`\n * entry as ESM regardless of the consuming app's `\"type\"`. (Skylab apps stay\n * CommonJS so next-auth v4's Keycloak provider resolves through Webpack's CJS\n * interop — see the provider-injection note in `options.js`.)\n *\n * Server / build-time only. Reads KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET,\n * KEYCLOAK_ISSUER. Returns \"\" when those vars are absent so reads degrade to\n * unauthenticated. In-process cache shared across requests, re-fetched 30s\n * before expiry.\n */\n\n/** @type {{ token: string; expiresAt: number } | null} */\nlet cache = null;\n\n/**\n * Implements the SDK's `ServiceTokenProvider` contract: `() => Promise<string>`.\n * @returns {Promise<string>}\n */\nexport async function getClientCredentialsToken() {\n  const clientId = process.env.KEYCLOAK_CLIENT_ID;\n  const clientSecret = process.env.KEYCLOAK_CLIENT_SECRET;\n  const issuer = process.env.KEYCLOAK_ISSUER;\n\n  if (!clientId || !clientSecret || !issuer) return \"\";\n\n  if (cache && cache.expiresAt > Date.now() + 30_000) return cache.token;\n\n  const res = await fetch(`${issuer}/protocol/openid-connect/token`, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n    body: new URLSearchParams({\n      grant_type: \"client_credentials\",\n      client_id: clientId,\n      client_secret: clientSecret,\n    }),\n    cache: \"no-store\",\n  });\n\n  if (!res.ok) {\n    throw new Error(\n      `[inscribed-auth] Keycloak token request failed: ${res.status} ${await res.text()}`,\n    );\n  }\n\n  const { access_token, expires_in } = await res.json();\n  cache = { token: access_token, expiresAt: Date.now() + expires_in * 1000 };\n  return access_token;\n}\n\n/**\n * Drop the cached service token so the next call re-fetches. Intentionally NOT\n * part of the public `./server` surface — kept here for internal use and for\n * anyone who deep-imports the raw module (e.g. token rotation in tests).\n */\nexport function invalidateClientCredentialsToken() {\n  cache = null;\n}\n\n/**\n * On a sync failure, fetch the service token directly and dump the claims the\n * backend's `CmsAccessPolicy` checks (`azp`, `aud`, `resource_access`). Most\n * 403s come from the service account missing the `cms:access` role mapping in\n * Keycloak - this prints exactly what's there. Wired as `onSyncError` in the\n * `./config` entry.\n */\nexport async function debugServiceTokenClaims() {\n  const { KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET, KEYCLOAK_ISSUER } = process.env;\n  if (!KEYCLOAK_CLIENT_ID || !KEYCLOAK_CLIENT_SECRET || !KEYCLOAK_ISSUER) return;\n\n  const res = await fetch(`${KEYCLOAK_ISSUER}/protocol/openid-connect/token`, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n    body: new URLSearchParams({\n      grant_type: \"client_credentials\",\n      client_id: KEYCLOAK_CLIENT_ID,\n      client_secret: KEYCLOAK_CLIENT_SECRET,\n    }),\n  });\n  if (!res.ok) {\n    console.error(`[cms-sync:debug] Token fetch failed: ${res.status} ${await res.text()}`);\n    return;\n  }\n\n  const { access_token } = await res.json();\n  const [, payload] = access_token.split(\".\");\n  const claims = JSON.parse(Buffer.from(payload, \"base64url\").toString(\"utf8\"));\n\n  console.error(\"[cms-sync:debug] Service token claims:\");\n  console.error(`  azp:             ${claims.azp}`);\n  console.error(`  sub:             ${claims.sub}`);\n  console.error(`  aud:             ${JSON.stringify(claims.aud)}`);\n  console.error(`  scope:           ${claims.scope}`);\n  console.error(`  resource_access: ${JSON.stringify(claims.resource_access)}`);\n\n  const ourRoles = claims.resource_access?.[claims.azp]?.roles ?? [];\n  console.error(`  -> roles for \"${claims.azp}\": ${JSON.stringify(ourRoles)}`);\n  if (!ourRoles.includes(\"cms:access\")) {\n    console.error(`  ! \"cms:access\" role missing on service account.`);\n    console.error(`     Keycloak Admin -> Clients -> ${claims.azp} -> Service account roles -> Assign \"cms:access\".`);\n  }\n}\n"],"mappings":";AAwBA,SAAS,wBAAwB;AAGjC,IAAM,WAAW,uBAAO,IAAI,qBAAqB;AAiC1C,SAAS,qBAAqB,OAAO;AAC1C,QAAM;AAAA,IACJ;AAAA,IACA,YAAY;AAAA,IACZ;AAAA,IACA,oBAAoB;AAAA,IACpB;AAAA,IACA;AAAA,EACF,IAAI,SAAS,CAAC;AAEd,MAAI,CAAC,UAAU;AACb,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AAEA,QAAM,mBAAmB,QAAQ,IAAI,sBAAsB;AAG3D,QAAM,OAAO;AAAA,IACX,WAAW,CAAC,QAAQ;AAAA,IACpB,WAAW;AAAA,MACT,MAAM,IAAI,MAAM;AACd,cAAM,EAAE,OAAO,QAAQ,IAAI;AAC3B,YAAI,OAAO;AAGX,YAAI,SAAS;AACX,eAAK,cAAc,QAAQ;AAC3B,eAAK,eAAe,QAAQ;AAC5B,eAAK,qBACH,OAAO,QAAQ,eAAe,WAAW,QAAQ,aAAa,MAAO;AACvE,eAAK,MAAM,QAAQ,qBAAqB,KAAK;AAC7C,eAAK,QAAQ;AACb,eAAK,cAAc,gBAAgB,QAAQ,cAAc,gBAAgB;AAAA,QAC3E;AAAA;AAAA,UAEE,KAAK,UAAU;AAAA,WAEd,OAAO,KAAK,uBAAuB,YAClC,KAAK,IAAI,KAAK,KAAK,qBAAqB;AAAA,UAC1C;AAEA,iBAAO,MAAM,mBAAmB,MAAM,gBAAgB;AAAA,QACxD;AAEA,YAAI,gBAAgB,KAAK;AACvB,gBAAM,aAAa,MAAM,eAAe,IAAI,EAAE,GAAG,MAAM,OAAO,KAAK,CAAC;AACpE,cAAI,eAAe,OAAW,QAAO;AAAA,QACvC;AACA,eAAO;AAAA,MACT;AAAA,MAEA,MAAM,QAAQ,MAAM;AAClB,cAAM,EAAE,SAAS,MAAM,IAAI;AAC3B,gBAAQ;AAAA,QAA+C,MAAM;AAC7D,gBAAQ,QAAQ,MAAM;AACtB,YAAI,QAAQ,MAAM;AAChB,kBAAQ,KAAK;AAAA,UAA4B,MAAM,OAAO;AACtD,kBAAQ,KAAK;AAAA,UACc,MAAM,eAAe,CAAC;AAAA,QACnD;AAEA,YAAI,gBAAgB,SAAS;AAC3B,gBAAM,aAAa,MAAM,eAAe,QAAQ,IAAI;AACpD,cAAI,eAAe,OAAW,QAAO;AAAA,QACvC;AACA,eAAO;AAAA,MACT;AAAA,MAEA,GAAI,iBACA,OAAO;AAAA,QACL,OAAO,QAAQ,cAAc,EAAE;AAAA,UAC7B,CAAC,CAAC,GAAG,MAAM,QAAQ,SAAS,QAAQ;AAAA,QACtC;AAAA,MACF,IACA,CAAC;AAAA,IACP;AAAA,IACA,GAAG;AAAA,EACL;AAGA,QAAM,OAAO;AAAA,IACX,WAAW,UAAU,OAAO;AAAA,IAC5B,SAAS,WAAW;AAAA,EACtB;AAEA,SAAO,OAAO,OAAO,MAAM,EAAE,CAAC,QAAQ,GAAG,KAAK,CAAC;AACjD;AASO,SAAS,gBAAgB,aAAa;AAC3C,MAAI,CAAC,eAAe,OAAO,gBAAgB,SAAU,QAAO;AAC5D,SAAO,YAAY,QAAQ,KAAK;AAClC;AAWO,SAAS,WAAW,SAAS,MAAM;AACxC,MAAI,CAAC,QAAS,QAAO;AACrB,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,KAAK,QAAS,QAAO,QAAQ,KAAK,QAAQ,OAAO,CAAC;AACtD,MAAI,KAAK,WAAW;AAElB,UAAM,QAAQ,QAAQ,MAAM,eAAe,CAAC;AAC5C,WAAO,MAAM,SAAS,KAAK,SAAS;AAAA,EACtC;AACA,SAAO;AACT;AAmBO,SAAS,YAAY,aAAa;AACvC,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI,MAAM,wCAAwC;AAAA,EAC1D;AACA,QAAM,OAAO,gBAAgB,WAAW;AACxC,SAAO;AAAA,IACL,YAAY,MAAM,iBAAiB,WAAW;AAAA,IAC9C,aAAa,OACT,CAAC,YAAY,WAAW,SAAS,IAAI,IACrC,CAAC,YAAY,WAAW;AAAA,IAC5B,eAAe,CAAC,YAAY,SAAS,MAAM,MAAM;AAAA,EACnD;AACF;AAeA,SAAS,gBAAgB,aAAa,UAAU;AAC9C,MAAI,CAAC,eAAe,CAAC,SAAU,QAAO,CAAC;AACvC,QAAM,WAAW,YAAY,MAAM,GAAG;AACtC,MAAI,SAAS,SAAS,EAAG,QAAO,CAAC;AACjC,MAAI;AACF,UAAM,UAAU,KAAK;AAAA,MACnB,OAAO,KAAK,SAAS,CAAC,GAAG,WAAW,EAAE,SAAS,MAAM;AAAA,IACvD;AACA,WAAO,SAAS,kBAAkB,QAAQ,GAAG,SAAS,CAAC;AAAA,EACzD,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAQA,eAAe,mBAAmB,OAAO,kBAAkB;AACzD,MAAI;AACF,UAAM,SAAS,QAAQ,IAAI,mBAAmB;AAC9C,UAAM,WAAW,MAAM,MAAM,GAAG,MAAM,kCAAkC;AAAA,MACtE,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,IAAI,gBAAgB;AAAA,QACxB,WAAW,QAAQ,IAAI,sBAAsB;AAAA,QAC7C,eAAe,QAAQ,IAAI,0BAA0B;AAAA,QACrD,YAAY;AAAA,QACZ,eAAe,MAAM;AAAA,MACvB,CAAC;AAAA,IACH,CAAC;AAED,UAAM,YAAY,MAAM,SAAS,KAAK;AACtC,QAAI,CAAC,SAAS,GAAI,OAAM;AAExB,WAAO;AAAA,MACL,GAAG;AAAA,MACH,aAAa,UAAU;AAAA,MACvB,oBAAoB,KAAK,IAAI,IAAI,UAAU,aAAa;AAAA,MACxD,cAAc,UAAU,iBAAiB,MAAM;AAAA,MAC/C,aAAa,gBAAgB,UAAU,cAAc,gBAAgB;AAAA,MACrE,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AAEd,YAAQ,MAAM,yCAAyC,KAAK;AAC5D,WAAO;AAAA,MACL,GAAG;AAAA,MACH,aAAa;AAAA,MACb,OAAO;AAAA,IACT;AAAA,EACF;AACF;;;ACrQA,IAAI,QAAQ;AAMZ,eAAsB,4BAA4B;AAChD,QAAM,WAAW,QAAQ,IAAI;AAC7B,QAAM,eAAe,QAAQ,IAAI;AACjC,QAAM,SAAS,QAAQ,IAAI;AAE3B,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,OAAQ,QAAO;AAElD,MAAI,SAAS,MAAM,YAAY,KAAK,IAAI,IAAI,IAAQ,QAAO,MAAM;AAEjE,QAAM,MAAM,MAAM,MAAM,GAAG,MAAM,kCAAkC;AAAA,IACjE,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,IAAI,gBAAgB;AAAA,MACxB,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,eAAe;AAAA,IACjB,CAAC;AAAA,IACD,OAAO;AAAA,EACT,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI;AAAA,MACR,mDAAmD,IAAI,MAAM,IAAI,MAAM,IAAI,KAAK,CAAC;AAAA,IACnF;AAAA,EACF;AAEA,QAAM,EAAE,cAAc,WAAW,IAAI,MAAM,IAAI,KAAK;AACpD,UAAQ,EAAE,OAAO,cAAc,WAAW,KAAK,IAAI,IAAI,aAAa,IAAK;AACzE,SAAO;AACT;AAkBA,eAAsB,0BAA0B;AAC9C,QAAM,EAAE,oBAAoB,wBAAwB,gBAAgB,IAAI,QAAQ;AAChF,MAAI,CAAC,sBAAsB,CAAC,0BAA0B,CAAC,gBAAiB;AAExE,QAAM,MAAM,MAAM,MAAM,GAAG,eAAe,kCAAkC;AAAA,IAC1E,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,IAAI,gBAAgB;AAAA,MACxB,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,eAAe;AAAA,IACjB,CAAC;AAAA,EACH,CAAC;AACD,MAAI,CAAC,IAAI,IAAI;AACX,YAAQ,MAAM,wCAAwC,IAAI,MAAM,IAAI,MAAM,IAAI,KAAK,CAAC,EAAE;AACtF;AAAA,EACF;AAEA,QAAM,EAAE,aAAa,IAAI,MAAM,IAAI,KAAK;AACxC,QAAM,CAAC,EAAE,OAAO,IAAI,aAAa,MAAM,GAAG;AAC1C,QAAM,SAAS,KAAK,MAAM,OAAO,KAAK,SAAS,WAAW,EAAE,SAAS,MAAM,CAAC;AAE5E,UAAQ,MAAM,wCAAwC;AACtD,UAAQ,MAAM,sBAAsB,OAAO,GAAG,EAAE;AAChD,UAAQ,MAAM,sBAAsB,OAAO,GAAG,EAAE;AAChD,UAAQ,MAAM,sBAAsB,KAAK,UAAU,OAAO,GAAG,CAAC,EAAE;AAChE,UAAQ,MAAM,sBAAsB,OAAO,KAAK,EAAE;AAClD,UAAQ,MAAM,sBAAsB,KAAK,UAAU,OAAO,eAAe,CAAC,EAAE;AAE5E,QAAM,WAAW,OAAO,kBAAkB,OAAO,GAAG,GAAG,SAAS,CAAC;AACjE,UAAQ,MAAM,mBAAmB,OAAO,GAAG,MAAM,KAAK,UAAU,QAAQ,CAAC,EAAE;AAC3E,MAAI,CAAC,SAAS,SAAS,YAAY,GAAG;AACpC,YAAQ,MAAM,mDAAmD;AACjE,YAAQ,MAAM,qCAAqC,OAAO,GAAG,mDAAmD;AAAA,EAClH;AACF;","names":[]}

package/dist/service-token-COa7hHuV.d.ts

@@ -0,0 +1,104 @@
+/**
+ * @file Keycloak client-credentials service-token provider.
+ *
+ * Part of `@skylab-kulubu/inscribed-auth`. The inscribed core is backend-neutral:
+ * it only knows the `ServiceTokenProvider` contract (`() => Promise<string>`)
+ * and defaults to "no token". This module implements that contract against
+ * Keycloak and is wired into the SDK via `createCmsPage({ getServiceToken })`
+ * (consumer `lib/cms.jsx`) and the `cms-sync` CLI (consumer `cms.config.mjs`,
+ * which re-exports from `@skylab-kulubu/inscribed-auth/config`).
+ *
+ * `.mjs` so the plain-Node `cms-sync` CLI can `import()` the resolved `./config`
+ * entry as ESM regardless of the consuming app's `"type"`. (Skylab apps stay
+ * CommonJS so next-auth v4's Keycloak provider resolves through Webpack's CJS
+ * interop — see the provider-injection note in `options.js`.)
+ *
+ * Server / build-time only. Reads KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET,
+ * KEYCLOAK_ISSUER. Returns "" when those vars are absent so reads degrade to
+ * unauthenticated. In-process cache shared across requests, re-fetched 30s
+ * before expiry.
+ */
+
+/** @type {{ token: string; expiresAt: number } | null} */
+let cache = null;
+
+/**
+ * Implements the SDK's `ServiceTokenProvider` contract: `() => Promise<string>`.
+ * @returns {Promise<string>}
+ */
+async function getClientCredentialsToken() {
+  const clientId = process.env.KEYCLOAK_CLIENT_ID;
+  const clientSecret = process.env.KEYCLOAK_CLIENT_SECRET;
+  const issuer = process.env.KEYCLOAK_ISSUER;
+
+  if (!clientId || !clientSecret || !issuer) return "";
+
+  if (cache && cache.expiresAt > Date.now() + 30_000) return cache.token;
+
+  const res = await fetch(`${issuer}/protocol/openid-connect/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "client_credentials",
+      client_id: clientId,
+      client_secret: clientSecret,
+    }),
+    cache: "no-store",
+  });
+
+  if (!res.ok) {
+    throw new Error(
+      `[inscribed-auth] Keycloak token request failed: ${res.status} ${await res.text()}`,
+    );
+  }
+
+  const { access_token, expires_in } = await res.json();
+  cache = { token: access_token, expiresAt: Date.now() + expires_in * 1000 };
+  return access_token;
+}
+
+/**
+ * On a sync failure, fetch the service token directly and dump the claims the
+ * backend's `CmsAccessPolicy` checks (`azp`, `aud`, `resource_access`). Most
+ * 403s come from the service account missing the `cms:access` role mapping in
+ * Keycloak - this prints exactly what's there. Wired as `onSyncError` in the
+ * `./config` entry.
+ */
+async function debugServiceTokenClaims() {
+  const { KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET, KEYCLOAK_ISSUER } = process.env;
+  if (!KEYCLOAK_CLIENT_ID || !KEYCLOAK_CLIENT_SECRET || !KEYCLOAK_ISSUER) return;
+
+  const res = await fetch(`${KEYCLOAK_ISSUER}/protocol/openid-connect/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "client_credentials",
+      client_id: KEYCLOAK_CLIENT_ID,
+      client_secret: KEYCLOAK_CLIENT_SECRET,
+    }),
+  });
+  if (!res.ok) {
+    console.error(`[cms-sync:debug] Token fetch failed: ${res.status} ${await res.text()}`);
+    return;
+  }
+
+  const { access_token } = await res.json();
+  const [, payload] = access_token.split(".");
+  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+
+  console.error("[cms-sync:debug] Service token claims:");
+  console.error(`  azp:             ${claims.azp}`);
+  console.error(`  sub:             ${claims.sub}`);
+  console.error(`  aud:             ${JSON.stringify(claims.aud)}`);
+  console.error(`  scope:           ${claims.scope}`);
+  console.error(`  resource_access: ${JSON.stringify(claims.resource_access)}`);
+
+  const ourRoles = claims.resource_access?.[claims.azp]?.roles ?? [];
+  console.error(`  -> roles for "${claims.azp}": ${JSON.stringify(ourRoles)}`);
+  if (!ourRoles.includes("cms:access")) {
+    console.error(`  ! "cms:access" role missing on service account.`);
+    console.error(`     Keycloak Admin -> Clients -> ${claims.azp} -> Service account roles -> Assign "cms:access".`);
+  }
+}
+
+export { debugServiceTokenClaims as d, getClientCredentialsToken as g };

package/dist/signin.d.ts

@@ -0,0 +1,67 @@
+/**
+ * @file `@skylab-kulubu/inscribed-auth/signin` — signin route handler factory.
+ *
+ * Server-only App Router route handler that auto-submits the user to NextAuth's
+ * provider sign-in flow, skipping the "Sign in with X" confirm page that
+ * NextAuth shows when its sign-in URL is hit with GET. The route returns
+ * a tiny HTML document that fetches the CSRF token and POSTs the sign-in
+ * form via JavaScript - the same dance `next-auth/react`'s `signIn()`
+ * helper does, just done from a server route so the consumer can link to
+ * `/api/signin` from anywhere (server components, plain anchors, server
+ * actions) without bundling client-side helpers.
+ *
+ * Usage (consumer side):
+ *
+ *   // app/api/signin/route.js
+ *   export { GET } from "@skylab-kulubu/inscribed-auth/signin";
+ *
+ * Or with explicit provider id / forced callback URL:
+ *
+ *   import { createSignInRoute } from "@skylab-kulubu/inscribed-auth/signin";
+ *   export const GET = createSignInRoute({ provider: "keycloak" });
+ *
+ * The `callbackUrl` query parameter is forwarded to NextAuth so the user
+ * lands back where they came from after signing in. Defaults to "/".
+ *
+ * `<noscript>` users get a link to NextAuth's standard provider page
+ * (the one with the "Sign in with X" button) so sign-in still works
+ * without JavaScript - it just can't skip the extra click.
+ */
+/**
+ * @typedef {Object} CreateSignInRouteOptions
+ * @property {string} [provider]
+ *   Provider id NextAuth registered. Default `"keycloak"`. Set to `null`
+ *   (or `""`) to land on NextAuth's provider-picker page instead.
+ * @property {string} [defaultCallbackUrl]
+ *   Where to send the user when no `?callbackUrl=` query is present. Default `"/"`.
+ * @property {string} [signInPath]
+ *   Override the NextAuth sign-in mount path. Default `/api/auth/signin`.
+ * @property {string} [csrfPath]
+ *   Override the NextAuth CSRF endpoint. Default `/api/auth/csrf`.
+ */
+/**
+ * @param {CreateSignInRouteOptions} [options]
+ */
+declare function createSignInRoute(options?: CreateSignInRouteOptions): (request: Request) => Response;
+declare function GET(request: Request): Response;
+type CreateSignInRouteOptions = {
+    /**
+     * Provider id NextAuth registered. Default `"keycloak"`. Set to `null`
+     * (or `""`) to land on NextAuth's provider-picker page instead.
+     */
+    provider?: string | undefined;
+    /**
+     * Where to send the user when no `?callbackUrl=` query is present. Default `"/"`.
+     */
+    defaultCallbackUrl?: string | undefined;
+    /**
+     * Override the NextAuth sign-in mount path. Default `/api/auth/signin`.
+     */
+    signInPath?: string | undefined;
+    /**
+     * Override the NextAuth CSRF endpoint. Default `/api/auth/csrf`.
+     */
+    csrfPath?: string | undefined;
+};
+
+export { type CreateSignInRouteOptions, GET, createSignInRoute };

package/dist/signin.js

@@ -0,0 +1,96 @@
+// src/signin.js
+function createSignInRoute(options = {}) {
+  const {
+    provider = "keycloak",
+    defaultCallbackUrl = "/",
+    signInPath = "/api/auth/signin",
+    csrfPath = "/api/auth/csrf"
+  } = options;
+  const signInUrl = provider ? `${signInPath}/${provider}` : signInPath;
+  return function GET2(request) {
+    const url = new URL(request.url);
+    const callbackUrl = url.searchParams.get("callbackUrl") ?? defaultCallbackUrl;
+    const html = renderAutoSubmitPage({
+      signInUrl,
+      csrfPath,
+      callbackUrl,
+      // <noscript> fallback - NextAuth's own GET sign-in page, which
+      // shows the "Sign in with X" button. It's a worse UX (extra click)
+      // but it's the only thing that works without JS.
+      noscriptHref: `${signInUrl}?callbackUrl=${encodeURIComponent(callbackUrl)}`
+    });
+    return new Response(html, {
+      status: 200,
+      headers: {
+        "Content-Type": "text/html; charset=utf-8",
+        // Don't let browsers/proxies cache this - the form needs a fresh
+        // CSRF token on every visit.
+        "Cache-Control": "no-store"
+      }
+    });
+  };
+}
+function renderAutoSubmitPage({ signInUrl, csrfPath, callbackUrl, noscriptHref }) {
+  const jsSignInUrl = escapeForScript(signInUrl);
+  const jsCsrfPath = escapeForScript(csrfPath);
+  const jsCallbackUrl = escapeForScript(callbackUrl);
+  const htmlNoscriptHref = escapeForHtmlAttribute(noscriptHref);
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>Signing in\u2026</title>
+<meta name="robots" content="noindex,nofollow">
+<style>
+  body { margin: 0; min-height: 100dvh; display: grid; place-items: center;
+         font: 14px/1.5 system-ui, -apple-system, sans-serif; color: #6b7280; }
+</style>
+</head>
+<body>
+<p>Signing in\u2026</p>
+<noscript>
+  <p><a href=${htmlNoscriptHref}>Continue to sign in</a></p>
+</noscript>
+<script>
+(function () {
+  fetch(${jsCsrfPath}, { credentials: "same-origin" })
+    .then(function (r) { return r.json(); })
+    .then(function (data) {
+      var form = document.createElement("form");
+      form.method = "POST";
+      form.action = ${jsSignInUrl};
+      var fields = { csrfToken: data.csrfToken, callbackUrl: ${jsCallbackUrl} };
+      for (var key in fields) {
+        var input = document.createElement("input");
+        input.type = "hidden";
+        input.name = key;
+        input.value = fields[key];
+        form.appendChild(input);
+      }
+      document.body.appendChild(form);
+      form.submit();
+    })
+    .catch(function () {
+      // CSRF fetch failed - drop the user on NextAuth's confirm page so
+      // they can still complete sign-in manually.
+      window.location.replace(${escapeForScript(noscriptHref)});
+    });
+})();
+</script>
+</body>
+</html>`;
+}
+var LINE_SEPARATOR = String.fromCharCode(8232);
+var PARAGRAPH_SEPARATOR = String.fromCharCode(8233);
+function escapeForScript(value) {
+  return JSON.stringify(value).replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/&/g, "\\u0026").split(LINE_SEPARATOR).join("\\u2028").split(PARAGRAPH_SEPARATOR).join("\\u2029");
+}
+function escapeForHtmlAttribute(value) {
+  return `"${value.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;")}"`;
+}
+var GET = createSignInRoute();
+export {
+  GET,
+  createSignInRoute
+};
+//# sourceMappingURL=signin.js.map

package/dist/signin.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/signin.js"],"sourcesContent":["/**\n * @file `@skylab-kulubu/inscribed-auth/signin` — signin route handler factory.\n *\n * Server-only App Router route handler that auto-submits the user to NextAuth's\n * provider sign-in flow, skipping the \"Sign in with X\" confirm page that\n * NextAuth shows when its sign-in URL is hit with GET. The route returns\n * a tiny HTML document that fetches the CSRF token and POSTs the sign-in\n * form via JavaScript - the same dance `next-auth/react`'s `signIn()`\n * helper does, just done from a server route so the consumer can link to\n * `/api/signin` from anywhere (server components, plain anchors, server\n * actions) without bundling client-side helpers.\n *\n * Usage (consumer side):\n *\n *   // app/api/signin/route.js\n *   export { GET } from \"@skylab-kulubu/inscribed-auth/signin\";\n *\n * Or with explicit provider id / forced callback URL:\n *\n *   import { createSignInRoute } from \"@skylab-kulubu/inscribed-auth/signin\";\n *   export const GET = createSignInRoute({ provider: \"keycloak\" });\n *\n * The `callbackUrl` query parameter is forwarded to NextAuth so the user\n * lands back where they came from after signing in. Defaults to \"/\".\n *\n * `<noscript>` users get a link to NextAuth's standard provider page\n * (the one with the \"Sign in with X\" button) so sign-in still works\n * without JavaScript - it just can't skip the extra click.\n */\n\n/**\n * @typedef {Object} CreateSignInRouteOptions\n * @property {string} [provider]\n *   Provider id NextAuth registered. Default `\"keycloak\"`. Set to `null`\n *   (or `\"\"`) to land on NextAuth's provider-picker page instead.\n * @property {string} [defaultCallbackUrl]\n *   Where to send the user when no `?callbackUrl=` query is present. Default `\"/\"`.\n * @property {string} [signInPath]\n *   Override the NextAuth sign-in mount path. Default `/api/auth/signin`.\n * @property {string} [csrfPath]\n *   Override the NextAuth CSRF endpoint. Default `/api/auth/csrf`.\n */\n\n/**\n * @param {CreateSignInRouteOptions} [options]\n */\nexport function createSignInRoute(options = {}) {\n  const {\n    provider = \"keycloak\",\n    defaultCallbackUrl = \"/\",\n    signInPath = \"/api/auth/signin\",\n    csrfPath = \"/api/auth/csrf\",\n  } = options;\n\n  const signInUrl = provider ? `${signInPath}/${provider}` : signInPath;\n\n  /**\n   * @param {Request} request\n   * @returns {Response}\n   */\n  return function GET(request) {\n    const url = new URL(request.url);\n    const callbackUrl = url.searchParams.get(\"callbackUrl\") ?? defaultCallbackUrl;\n\n    const html = renderAutoSubmitPage({\n      signInUrl,\n      csrfPath,\n      callbackUrl,\n      // <noscript> fallback - NextAuth's own GET sign-in page, which\n      // shows the \"Sign in with X\" button. It's a worse UX (extra click)\n      // but it's the only thing that works without JS.\n      noscriptHref: `${signInUrl}?callbackUrl=${encodeURIComponent(callbackUrl)}`,\n    });\n\n    return new Response(html, {\n      status: 200,\n      headers: {\n        \"Content-Type\": \"text/html; charset=utf-8\",\n        // Don't let browsers/proxies cache this - the form needs a fresh\n        // CSRF token on every visit.\n        \"Cache-Control\": \"no-store\",\n      },\n    });\n  };\n}\n\n/**\n * Build the auto-submit HTML page. All user-controlled values are\n * embedded with `escapeForScript` to prevent `</script>` and other XSS\n * vectors when the value lands inside the inline `<script>` block.\n *\n * @param {{ signInUrl: string, csrfPath: string, callbackUrl: string, noscriptHref: string }} args\n */\nfunction renderAutoSubmitPage({ signInUrl, csrfPath, callbackUrl, noscriptHref }) {\n  const jsSignInUrl = escapeForScript(signInUrl);\n  const jsCsrfPath = escapeForScript(csrfPath);\n  const jsCallbackUrl = escapeForScript(callbackUrl);\n  const htmlNoscriptHref = escapeForHtmlAttribute(noscriptHref);\n\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Signing in…</title>\n<meta name=\"robots\" content=\"noindex,nofollow\">\n<style>\n  body { margin: 0; min-height: 100dvh; display: grid; place-items: center;\n         font: 14px/1.5 system-ui, -apple-system, sans-serif; color: #6b7280; }\n</style>\n</head>\n<body>\n<p>Signing in…</p>\n<noscript>\n  <p><a href=${htmlNoscriptHref}>Continue to sign in</a></p>\n</noscript>\n<script>\n(function () {\n  fetch(${jsCsrfPath}, { credentials: \"same-origin\" })\n    .then(function (r) { return r.json(); })\n    .then(function (data) {\n      var form = document.createElement(\"form\");\n      form.method = \"POST\";\n      form.action = ${jsSignInUrl};\n      var fields = { csrfToken: data.csrfToken, callbackUrl: ${jsCallbackUrl} };\n      for (var key in fields) {\n        var input = document.createElement(\"input\");\n        input.type = \"hidden\";\n        input.name = key;\n        input.value = fields[key];\n        form.appendChild(input);\n      }\n      document.body.appendChild(form);\n      form.submit();\n    })\n    .catch(function () {\n      // CSRF fetch failed - drop the user on NextAuth's confirm page so\n      // they can still complete sign-in manually.\n      window.location.replace(${escapeForScript(noscriptHref)});\n    });\n})();\n</script>\n</body>\n</html>`;\n}\n\n// U+2028 / U+2029 are valid string contents in JSON output but illegal in\n// JavaScript string literals - inline <script> would parse the response\n// as a syntax error. Built from char codes so this source file itself\n// stays free of literal separator characters that confuse parsers/diffs.\nconst LINE_SEPARATOR = String.fromCharCode(0x2028);\nconst PARAGRAPH_SEPARATOR = String.fromCharCode(0x2029);\n\n/**\n * Encode a string as a JavaScript string literal safe for inline `<script>`.\n * `JSON.stringify` handles quotes/control chars; the extra replacements\n * neutralise sequences that could otherwise close the script tag or\n * smuggle in HTML.\n *\n * @param {string} value\n */\nfunction escapeForScript(value) {\n  return JSON.stringify(value)\n    .replace(/</g, \"\\\\u003c\")\n    .replace(/>/g, \"\\\\u003e\")\n    .replace(/&/g, \"\\\\u0026\")\n    .split(LINE_SEPARATOR).join(\"\\\\u2028\")\n    .split(PARAGRAPH_SEPARATOR).join(\"\\\\u2029\");\n}\n\n/**\n * Encode a string for use as an HTML attribute value with surrounding\n * double quotes embedded by the caller.\n *\n * @param {string} value\n */\nfunction escapeForHtmlAttribute(value) {\n  return `\"${value\n    .replace(/&/g, \"&amp;\")\n    .replace(/\"/g, \"&quot;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\")}\"`;\n}\n\n/** Default GET handler — `export { GET } from \"@skylab-kulubu/inscribed-auth/signin\"`. */\nexport const GET = createSignInRoute();\n"],"mappings":";AA8CO,SAAS,kBAAkB,UAAU,CAAC,GAAG;AAC9C,QAAM;AAAA,IACJ,WAAW;AAAA,IACX,qBAAqB;AAAA,IACrB,aAAa;AAAA,IACb,WAAW;AAAA,EACb,IAAI;AAEJ,QAAM,YAAY,WAAW,GAAG,UAAU,IAAI,QAAQ,KAAK;AAM3D,SAAO,SAASA,KAAI,SAAS;AAC3B,UAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,UAAM,cAAc,IAAI,aAAa,IAAI,aAAa,KAAK;AAE3D,UAAM,OAAO,qBAAqB;AAAA,MAChC;AAAA,MACA;AAAA,MACA;AAAA;AAAA;AAAA;AAAA,MAIA,cAAc,GAAG,SAAS,gBAAgB,mBAAmB,WAAW,CAAC;AAAA,IAC3E,CAAC;AAED,WAAO,IAAI,SAAS,MAAM;AAAA,MACxB,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA;AAAA;AAAA,QAGhB,iBAAiB;AAAA,MACnB;AAAA,IACF,CAAC;AAAA,EACH;AACF;AASA,SAAS,qBAAqB,EAAE,WAAW,UAAU,aAAa,aAAa,GAAG;AAChF,QAAM,cAAc,gBAAgB,SAAS;AAC7C,QAAM,aAAa,gBAAgB,QAAQ;AAC3C,QAAM,gBAAgB,gBAAgB,WAAW;AACjD,QAAM,mBAAmB,uBAAuB,YAAY;AAE5D,SAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAcM,gBAAgB;AAAA;AAAA;AAAA;AAAA,UAIrB,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA,sBAKE,WAAW;AAAA,+DAC8B,aAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gCAc5C,gBAAgB,YAAY,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAM7D;AAMA,IAAM,iBAAiB,OAAO,aAAa,IAAM;AACjD,IAAM,sBAAsB,OAAO,aAAa,IAAM;AAUtD,SAAS,gBAAgB,OAAO;AAC9B,SAAO,KAAK,UAAU,KAAK,EACxB,QAAQ,MAAM,SAAS,EACvB,QAAQ,MAAM,SAAS,EACvB,QAAQ,MAAM,SAAS,EACvB,MAAM,cAAc,EAAE,KAAK,SAAS,EACpC,MAAM,mBAAmB,EAAE,KAAK,SAAS;AAC9C;AAQA,SAAS,uBAAuB,OAAO;AACrC,SAAO,IAAI,MACR,QAAQ,MAAM,OAAO,EACrB,QAAQ,MAAM,QAAQ,EACtB,QAAQ,MAAM,MAAM,EACpB,QAAQ,MAAM,MAAM,CAAC;AAC1B;AAGO,IAAM,MAAM,kBAAkB;","names":["GET"]}

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@skylab-kulubu/inscribed-auth",
+  "version": "0.1.0",
+  "description": "Skylab's opt-in NextAuth + Keycloak adapter (auth + service token) for the inscribed CMS.",
+  "type": "module",
+  "license": "MIT",
+  "sideEffects": false,
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js"
+    },
+    "./signin": {
+      "types": "./dist/signin.d.ts",
+      "import": "./dist/signin.js"
+    },
+    "./config": {
+      "types": "./dist/config.d.ts",
+      "import": "./dist/config.js"
+    }
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "prepublishOnly": "npm run build"
+  },
+  "peerDependencies": {
+    "inscribed": "^1.0.1",
+    "next": ">=14",
+    "next-auth": "^4",
+    "react": ">=18",
+    "react-dom": ">=18"
+  },
+  "devDependencies": {
+    "inscribed": "^1.0.1",
+    "next": ">=14",
+    "next-auth": "^4",
+    "react": ">=18",
+    "react-dom": ">=18",
+    "tsup": "^8",
+    "typescript": "^5"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}