@tegis/server 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,11 @@
+# Changelog
+
+All notable changes to `@tegis/server` are documented here. This project follows [semver](https://semver.org).
+
+## [0.1.0] — unreleased
+
+Initial extraction from the Tegis reference SDK (formerly the private `@aegis/sdk`).
+
+- `TegisServer.mintEntitlement(sub, assetId, opts)` — short-lived, EdDSA-signed entitlement grants.
+- Vendored, zero-dependency crypto (Ed25519 + compact JWS) — no repo-relative imports; byte-parity
+  with the Go data plane's verifier (golden-vector gate).

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Burak Saraloglu (okbrk)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,47 @@
+# @tegis/server
+
+Backend SDK for **Tegis** — the content-protection gateway for video. Use it on your own server to
+mint short-lived, signed **entitlement grants** that authorize one viewer to play one asset. The
+tenant signing key never leaves your backend and never reaches the browser; Tegis validates each grant
+against your published JWKS.
+
+Zero npm dependencies (`node:crypto` only). Runs on Node ≥18 and Bun.
+
+## Install
+
+```sh
+bun add @tegis/server
+```
+
+## Usage
+
+```ts
+import { TegisServer } from "@tegis/server";
+
+const tegis = new TegisServer({
+  tid: "t_yourtenant",                 // your Tegis tenant id
+  issuer: "https://yourapp.example",   // your token issuer
+  jwksKid: "k1",                       // key id, must match your published JWKS
+  signSeed: Buffer.from(process.env.TEGIS_SIGN_SEED!, "base64url"), // 32-byte Ed25519 seed — keep server-side
+  ttlSeconds: 300,
+});
+
+// In your "can this user watch this asset?" endpoint, after your own authz check:
+const entitlement = tegis.mintEntitlement(userId, assetId, { maxRes: "1080p" });
+return Response.json({ entitlement }); // the browser hands this to @tegis/player
+```
+
+The browser never sees `signSeed`; it only receives the short-lived `entitlement`, which
+[`@tegis/player`](https://www.npmjs.com/package/@tegis/player) exchanges for a playback grant.
+
+## API
+
+- `new TegisServer(config: TegisServerConfig)`
+- `.mintEntitlement(sub, assetId, opts?: { maxRes?: string; drm?: string }): string`
+
+## Security
+
+Treat `signSeed` like a private key: load it from a secret store, never log it, never ship it to the
+client. Rotate by publishing a new `kid` in your JWKS.
+
+MIT © okbrk

package/dist/crypto/ed25519.d.ts

@@ -0,0 +1,8 @@
+import { type KeyObject } from "node:crypto";
+export declare function privateKeyFromSeed(seed: Buffer): KeyObject;
+export declare function publicRawFromSeed(seed: Buffer): Buffer;
+export declare function signEd25519(seed: Buffer, msg: Buffer): Buffer;
+export declare function verifyEd25519(pubRaw: Buffer, msg: Buffer, sig: Buffer): boolean;
+export declare const b64u: (b: Buffer | Uint8Array) => string;
+export declare const unb64u: (s: string) => Buffer<ArrayBuffer>;
+export declare const utf8: (s: string) => Buffer<ArrayBuffer>;

package/dist/crypto/jose.d.ts

@@ -0,0 +1,2 @@
+export declare function jwsSign(header: Record<string, unknown>, payload: Record<string, unknown>, seed: Buffer): string;
+export declare function jwsVerify(token: string, pubRaw: Buffer): Record<string, any> | null;

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export { TegisServer } from "./server.js";
+export type { TegisServerConfig } from "./server.js";

package/dist/index.js

@@ -0,0 +1,3 @@
+export {
+  TegisServer
+};

package/dist/server.d.ts

@@ -0,0 +1,16 @@
+export interface TegisServerConfig {
+    tid: string;
+    issuer: string;
+    jwksKid: string;
+    signSeed: Buffer;
+    ttlSeconds?: number;
+}
+export declare class TegisServer {
+    private cfg;
+    constructor(cfg: TegisServerConfig);
+    /** Mint a short-lived entitlement JWT authorizing one viewer to play one asset. */
+    mintEntitlement(sub: string, assetId: string, opts?: {
+        maxRes?: string;
+        drm?: string;
+    }): string;
+}

package/package.json

@@ -0,0 +1,55 @@
+{
+  "name": "@tegis/server",
+  "version": "0.1.0",
+  "description": "Tegis backend SDK — mint short-lived, EdDSA-signed entitlement grants. The tenant signing key never leaves your server.",
+  "type": "module",
+  "license": "MIT",
+  "author": "okbrk <burak@okbrk.com>",
+  "homepage": "https://tegis.io",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/okbrk/aegis.git",
+    "directory": "reference/sdk-ts/packages/server"
+  },
+  "keywords": [
+    "tegis",
+    "content-protection",
+    "anti-piracy",
+    "entitlement",
+    "drm",
+    "video",
+    "jws",
+    "eddsa",
+    "ed25519"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "README.md",
+    "CHANGELOG.md",
+    "LICENSE"
+  ],
+  "sideEffects": false,
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "test": "bun test",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist",
+    "build": "bun run clean && bun build ./src/index.ts --target=node --format=esm --outdir dist && tsc -p tsconfig.build.json && bun ../../scripts/fix-dts.ts dist",
+    "prepublishOnly": "bun run build"
+  }
+}