@thebes/cadmus 0.2.1

package/dist/astro/index.js

@@ -0,0 +1,146 @@
+import { generateToken, hashToken, signSession, verifySession } from "../auth/index.js";
+import { checkRateLimit } from "../rate-limit/index.js";
+//#region src/astro/index.ts
+const DEFAULT_COOKIE_NAME = "cadmus_session";
+const DEFAULT_COOKIE_MAX_AGE_SECONDS = 3600 * 24 * 7;
+const DEFAULT_MAGIC_LINK_TTL_SECONDS = 900;
+const DEFAULT_RATE_LIMIT = {
+	limit: 3,
+	windowSeconds: 900
+};
+const KV_RETRY_ATTEMPTS = 2;
+const KV_RETRY_DELAY_MS = 100;
+function sleep(ms) {
+	return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isSafeRedirect(value) {
+	return !!value && value.startsWith("/") && !value.startsWith("//");
+}
+function resolve(value, context, fallback) {
+	if (value === void 0) return fallback;
+	return typeof value === "function" ? value(context) : value;
+}
+function defaultIsLocalDev(context) {
+	const hostname = context.url.hostname;
+	return hostname === "localhost" || hostname === "127.0.0.1";
+}
+function defaultOnLocalDev(_context, { email, verifyUrl }) {
+	console.log(`[dev] Magic link for ${email}: ${verifyUrl.toString()}`);
+}
+/**
+* Builds the magic-link request (`POST`) and verify (`GET`) Astro
+* `APIRoute` handlers — mount both at the same route, e.g.
+* `export const { POST, GET } = createMagicLinkHandlers(options)` from
+* `src/pages/api/auth/[...path].ts`, or wire `POST`/`GET` into separate
+* `magic-link.ts`/`verify.ts` routes matching `verifyPath` below.
+*/
+function createMagicLinkHandlers(options) {
+	const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;
+	const cookieMaxAgeSeconds = options.cookieMaxAgeSeconds ?? DEFAULT_COOKIE_MAX_AGE_SECONDS;
+	const magicLinkTtlSeconds = options.magicLinkTtlSeconds ?? DEFAULT_MAGIC_LINK_TTL_SECONDS;
+	const rateLimit = options.rateLimit === false ? null : options.rateLimit ?? DEFAULT_RATE_LIMIT;
+	const verifyPath = options.verifyPath ?? "/api/auth/verify";
+	const loginPath = options.loginPath ?? "/login";
+	const isLocalDev = options.isLocalDev ?? defaultIsLocalDev;
+	const onLocalDev = options.onLocalDev ?? defaultOnLocalDev;
+	const POST = async (context) => {
+		const body = await context.request.json().catch(() => null);
+		const email = body?.email?.trim().toLowerCase();
+		if (!email) return Response.json({ ok: true });
+		const redirect = isSafeRedirect(body?.redirect) ? body.redirect : null;
+		const kv = options.kv(context);
+		if (rateLimit) {
+			const { allowed } = await checkRateLimit(kv, `magiclink:ratelimit:${email}`, rateLimit.limit, rateLimit.windowSeconds);
+			if (!allowed) return Response.json({ ok: true });
+		}
+		if (!await options.findUser(context, email)) return Response.json({ ok: true });
+		const token = generateToken();
+		const hash = await hashToken(token);
+		await kv.put(`magiclink:${hash}`, email, { expirationTtl: magicLinkTtlSeconds });
+		const verifyUrl = new URL(verifyPath, context.url);
+		verifyUrl.searchParams.set("token", token);
+		if (redirect) verifyUrl.searchParams.set("redirect", redirect);
+		if (isLocalDev(context)) await onLocalDev(context, {
+			email,
+			verifyUrl
+		});
+		else await options.sendMagicLinkEmail(context, {
+			email,
+			verifyUrl
+		});
+		return Response.json({ ok: true });
+	};
+	const GET = async (context) => {
+		const token = context.url.searchParams.get("token");
+		if (!token) return context.redirect(`${loginPath}?error=invalid`);
+		const kv = options.kv(context);
+		const key = `magiclink:${await hashToken(token)}`;
+		let email = null;
+		for (let attempt = 0; attempt <= KV_RETRY_ATTEMPTS; attempt++) {
+			email = await kv.get(key);
+			if (email !== null) break;
+			if (attempt < KV_RETRY_ATTEMPTS) await sleep(KV_RETRY_DELAY_MS);
+		}
+		if (email === null) return context.redirect(`${loginPath}?error=invalid`);
+		await kv.delete(key);
+		const user = await options.findUser(context, email);
+		if (!user) return context.redirect(`${loginPath}?error=unauthorized`);
+		const { sessionId } = await options.createSession(context, user);
+		const signature = await signSession(sessionId, options.secret(context));
+		context.cookies.set(cookieName, `${sessionId}.${signature}`, {
+			httpOnly: true,
+			secure: true,
+			sameSite: "lax",
+			path: "/",
+			maxAge: cookieMaxAgeSeconds
+		});
+		const requestedRedirect = context.url.searchParams.get("redirect");
+		const redirectTo = isSafeRedirect(requestedRedirect) ? requestedRedirect : resolve(options.defaultRedirect, context, "/");
+		return context.redirect(redirectTo);
+	};
+	return {
+		POST,
+		GET
+	};
+}
+/** Builds a logout `APIRoute` — clears the session cookie and its backing store entry. */
+function createLogoutHandler(options) {
+	const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;
+	return async (context) => {
+		const cookieValue = context.cookies.get(cookieName)?.value;
+		if (cookieValue) {
+			const [sessionId] = cookieValue.split(".");
+			if (sessionId) await options.deleteSession(context, sessionId);
+		}
+		context.cookies.delete(cookieName, { path: "/" });
+		return context.redirect(resolve(options.redirectTo, context, "/login"));
+	};
+}
+/**
+* Astro middleware that verifies the session cookie's signature and
+* populates `context.locals[localsKey]` with the resolved session, or
+* null if there isn't one. Mirrors `cadmusAuth()`'s role in the Hono
+* layer: it authenticates the request, it doesn't gate access — pages
+* and routes downstream decide what to do with a null session.
+*/
+function cadmusAuthGuard(options) {
+	const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;
+	const localsKey = options.localsKey ?? "session";
+	const handler = async (context, next) => {
+		const cookieValue = context.cookies.get(cookieName)?.value;
+		let session = null;
+		if (cookieValue) {
+			const [sessionId, signature] = cookieValue.split(".");
+			if (sessionId && signature) {
+				if (await verifySession(sessionId, signature, options.secret(context))) session = await options.getSession(context, sessionId);
+			}
+		}
+		context.locals[localsKey] = session;
+		return next();
+	};
+	return handler;
+}
+//#endregion
+export { cadmusAuthGuard, createLogoutHandler, createMagicLinkHandlers };
+
+//# sourceMappingURL=index.js.map

package/dist/astro/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","names":[],"sources":["../../src/astro/index.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// Cadmus is MIT licensed. See LICENSE in the repo root.\n//\n// @thebes/cadmus/astro\n//\n// Peer-integration layer for Astro — the same \"peer, not a dependency\"\n// treatment @thebes/cadmus/hono already gets (see that module's\n// index.ts). `astro` is an optional peer dependency; this entrypoint is\n// excluded from the package root export for the same reason hono is.\n// Unlike the hono layer, every `astro` import below is `import type` —\n// nothing from the real `astro` package executes in this module. Astro's\n// own `defineMiddleware` is `(fn) => fn`, a type-inference convenience\n// for app code calling it inline, not anything we need at runtime; we\n// return the typed function directly instead of importing it, so this\n// module stays V8-first with no Astro runtime in the bundled output.\n//\n// These handlers are thin HTTP plumbing over cadmus/auth, cadmus/session,\n// and cadmus/rate-limit — they don't introduce new crypto or storage\n// logic. What's genuinely app-specific (looking up a user by email,\n// shaping a session payload, sending the actual email) is always a\n// caller-supplied function, mirroring how @thebes/cadmus/hono's\n// mountCmsRoutes takes a `resolveContext` callback instead of guessing at\n// the app's auth model.\n\nimport type { APIContext, APIRoute, MiddlewareHandler } from \"astro\";\nimport {\n  generateToken,\n  hashToken,\n  signSession,\n  verifySession,\n} from \"../auth/index.js\";\nimport { checkRateLimit } from \"../rate-limit/index.js\";\n\nconst DEFAULT_COOKIE_NAME = \"cadmus_session\";\nconst DEFAULT_COOKIE_MAX_AGE_SECONDS = 60 * 60 * 24 * 7; // 7 days\nconst DEFAULT_MAGIC_LINK_TTL_SECONDS = 60 * 15; // 15 min\nconst DEFAULT_RATE_LIMIT = { limit: 3, windowSeconds: 60 * 15 };\nconst KV_RETRY_ATTEMPTS = 2;\nconst KV_RETRY_DELAY_MS = 100;\n\nfunction sleep(ms: number): Promise<void> {\n  return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n// Only a same-origin relative path is safe to redirect to — a protocol-\n// relative \"//host/...\" or absolute URL turns this into an open redirect.\nfunction isSafeRedirect(value: string | null | undefined): value is string {\n  return !!value && value.startsWith(\"/\") && !value.startsWith(\"//\");\n}\n\nfunction resolve<TContext>(\n  value: string | ((context: TContext) => string) | undefined,\n  context: TContext,\n  fallback: string,\n): string {\n  if (value === undefined) return fallback;\n  return typeof value === \"function\" ? value(context) : value;\n}\n\nexport interface MagicLinkHandlersOptions<TUser> {\n  /** Resolves the KV namespace magic-link tokens are stored in, per request. */\n  kv: (context: APIContext) => KVNamespace;\n  /** Resolves the secret session cookies are HMAC-signed with — must match cadmusAuthGuard's `secret`. */\n  secret: (context: APIContext) => string;\n  /**\n   * Looks up the user a request's email belongs to. Returning null is\n   * indistinguishable to the client from a successful send — this is\n   * the anti-enumeration guarantee the same way the hand-rolled\n   * Worker 1 route this replaces always returned `{ ok: true }`.\n   */\n  findUser: (context: APIContext, email: string) => Promise<TUser | null>;\n  /** Creates a session for a verified user, returning the session ID to sign into the cookie. */\n  createSession: (\n    context: APIContext,\n    user: TUser,\n  ) => Promise<{ sessionId: string }>;\n  /** Sends the magic-link email. Not called when `isLocalDev` returns true — see that option. */\n  sendMagicLinkEmail: (\n    context: APIContext,\n    params: { email: string; verifyUrl: URL },\n  ) => Promise<void>;\n  /** Cookie name the session is signed into. Defaults to \"cadmus_session\". */\n  cookieName?: string;\n  /** Cookie `maxAge` in seconds. Defaults to 7 days. */\n  cookieMaxAgeSeconds?: number;\n  /** Magic-link token TTL in seconds. Defaults to 15 minutes. */\n  magicLinkTtlSeconds?: number;\n  /**\n   * Per-email rate limit on magic-link requests, keyed in the same KV\n   * namespace `kv` resolves. Defaults to 3 requests / 15 minutes. Pass\n   * `false` to disable.\n   */\n  rateLimit?: { limit: number; windowSeconds: number } | false;\n  /** Path the verify GET handler is mounted at — used to build the emailed link. Defaults to \"/api/auth/verify\". */\n  verifyPath?: string;\n  /** Path to redirect to on a failed verify, with `?error=invalid|unauthorized` appended. Defaults to \"/login\". */\n  loginPath?: string;\n  /** Redirect target after a successful verify when no `redirect` param was supplied. Defaults to \"/\". */\n  defaultRedirect?: string | ((context: APIContext) => string);\n  /**\n   * Whether this request should skip emailing and log the link instead —\n   * see `onLocalDev`. Defaults to checking for a localhost/127.0.0.1\n   * request hostname, since no deployed environment is ever literally\n   * that (unlike checking `sendMagicLinkEmail`'s own success/failure,\n   * which local email emulators can mask).\n   */\n  isLocalDev?: (context: APIContext) => boolean;\n  /** Called instead of `sendMagicLinkEmail` when `isLocalDev` is true. Defaults to a console.log of the link. */\n  onLocalDev?: (\n    context: APIContext,\n    params: { email: string; verifyUrl: URL },\n  ) => void | Promise<void>;\n}\n\nfunction defaultIsLocalDev(context: APIContext): boolean {\n  const hostname = context.url.hostname;\n  return hostname === \"localhost\" || hostname === \"127.0.0.1\";\n}\n\nfunction defaultOnLocalDev(\n  _context: APIContext,\n  { email, verifyUrl }: { email: string; verifyUrl: URL },\n): void {\n  console.log(`[dev] Magic link for ${email}: ${verifyUrl.toString()}`);\n}\n\n/**\n * Builds the magic-link request (`POST`) and verify (`GET`) Astro\n * `APIRoute` handlers — mount both at the same route, e.g.\n * `export const { POST, GET } = createMagicLinkHandlers(options)` from\n * `src/pages/api/auth/[...path].ts`, or wire `POST`/`GET` into separate\n * `magic-link.ts`/`verify.ts` routes matching `verifyPath` below.\n */\nexport function createMagicLinkHandlers<TUser>(\n  options: MagicLinkHandlersOptions<TUser>,\n): { POST: APIRoute; GET: APIRoute } {\n  const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;\n  const cookieMaxAgeSeconds =\n    options.cookieMaxAgeSeconds ?? DEFAULT_COOKIE_MAX_AGE_SECONDS;\n  const magicLinkTtlSeconds =\n    options.magicLinkTtlSeconds ?? DEFAULT_MAGIC_LINK_TTL_SECONDS;\n  const rateLimit =\n    options.rateLimit === false\n      ? null\n      : (options.rateLimit ?? DEFAULT_RATE_LIMIT);\n  const verifyPath = options.verifyPath ?? \"/api/auth/verify\";\n  const loginPath = options.loginPath ?? \"/login\";\n  const isLocalDev = options.isLocalDev ?? defaultIsLocalDev;\n  const onLocalDev = options.onLocalDev ?? defaultOnLocalDev;\n\n  const POST: APIRoute = async (context) => {\n    const body = await context.request\n      .json<{ email?: string; redirect?: string }>()\n      .catch(() => null);\n    const email = body?.email?.trim().toLowerCase();\n    if (!email) return Response.json({ ok: true });\n\n    const redirect = isSafeRedirect(body?.redirect) ? body.redirect : null;\n\n    const kv = options.kv(context);\n\n    if (rateLimit) {\n      const { allowed } = await checkRateLimit(\n        kv,\n        `magiclink:ratelimit:${email}`,\n        rateLimit.limit,\n        rateLimit.windowSeconds,\n      );\n      if (!allowed) return Response.json({ ok: true });\n    }\n\n    const user = await options.findUser(context, email);\n    if (!user) return Response.json({ ok: true });\n\n    const token = generateToken();\n    const hash = await hashToken(token);\n    await kv.put(`magiclink:${hash}`, email, {\n      expirationTtl: magicLinkTtlSeconds,\n    });\n\n    const verifyUrl = new URL(verifyPath, context.url);\n    verifyUrl.searchParams.set(\"token\", token);\n    if (redirect) verifyUrl.searchParams.set(\"redirect\", redirect);\n\n    if (isLocalDev(context)) {\n      await onLocalDev(context, { email, verifyUrl });\n    } else {\n      await options.sendMagicLinkEmail(context, { email, verifyUrl });\n    }\n\n    return Response.json({ ok: true });\n  };\n\n  const GET: APIRoute = async (context) => {\n    const token = context.url.searchParams.get(\"token\");\n    if (!token) return context.redirect(`${loginPath}?error=invalid`);\n\n    const kv = options.kv(context);\n    const hash = await hashToken(token);\n    const key = `magiclink:${hash}`;\n\n    // Single use, and retried — see cadmus/session's getSession for why\n    // a read immediately following the write above can otherwise see a\n    // false negative under KV's eventual consistency.\n    let email: string | null = null;\n    for (let attempt = 0; attempt <= KV_RETRY_ATTEMPTS; attempt++) {\n      email = await kv.get(key);\n      if (email !== null) break;\n      if (attempt < KV_RETRY_ATTEMPTS) await sleep(KV_RETRY_DELAY_MS);\n    }\n    if (email === null) return context.redirect(`${loginPath}?error=invalid`);\n    await kv.delete(key);\n\n    const user = await options.findUser(context, email);\n    if (!user) return context.redirect(`${loginPath}?error=unauthorized`);\n\n    const { sessionId } = await options.createSession(context, user);\n    const signature = await signSession(sessionId, options.secret(context));\n\n    context.cookies.set(cookieName, `${sessionId}.${signature}`, {\n      httpOnly: true,\n      secure: true,\n      sameSite: \"lax\",\n      path: \"/\",\n      maxAge: cookieMaxAgeSeconds,\n    });\n\n    // Re-validated here too — this query param isn't signed alongside\n    // the token, so the request-side check above doesn't cover it.\n    const requestedRedirect = context.url.searchParams.get(\"redirect\");\n    const redirectTo = isSafeRedirect(requestedRedirect)\n      ? requestedRedirect\n      : resolve(options.defaultRedirect, context, \"/\");\n    return context.redirect(redirectTo);\n  };\n\n  return { POST, GET };\n}\n\nexport interface LogoutHandlerOptions {\n  /** Cookie name the session is signed into. Must match createMagicLinkHandlers' `cookieName`. */\n  cookieName?: string;\n  /** Deletes the session identified by the cookie's session ID (e.g. from KV). */\n  deleteSession: (context: APIContext, sessionId: string) => Promise<void>;\n  /** Where to redirect after logout. Defaults to \"/login\". */\n  redirectTo?: string | ((context: APIContext) => string);\n}\n\n/** Builds a logout `APIRoute` — clears the session cookie and its backing store entry. */\nexport function createLogoutHandler(options: LogoutHandlerOptions): APIRoute {\n  const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;\n\n  return async (context) => {\n    const cookieValue = context.cookies.get(cookieName)?.value;\n    if (cookieValue) {\n      const [sessionId] = cookieValue.split(\".\");\n      if (sessionId) await options.deleteSession(context, sessionId);\n    }\n    context.cookies.delete(cookieName, { path: \"/\" });\n    return context.redirect(resolve(options.redirectTo, context, \"/login\"));\n  };\n}\n\nexport interface AuthGuardOptions<TSession> {\n  /** Cookie name the session is signed into. Must match createMagicLinkHandlers' `cookieName`. */\n  cookieName?: string;\n  /** Resolves the secret session cookies are HMAC-signed with — must match createMagicLinkHandlers' `secret`. */\n  secret: (context: APIContext) => string;\n  /** Reads the session for a verified session ID (e.g. from KV). Returning null treats the session as missing. */\n  getSession: (\n    context: APIContext,\n    sessionId: string,\n  ) => Promise<TSession | null>;\n  /** Key set on `context.locals`. Defaults to \"session\". */\n  localsKey?: string;\n}\n\n/**\n * Astro middleware that verifies the session cookie's signature and\n * populates `context.locals[localsKey]` with the resolved session, or\n * null if there isn't one. Mirrors `cadmusAuth()`'s role in the Hono\n * layer: it authenticates the request, it doesn't gate access — pages\n * and routes downstream decide what to do with a null session.\n */\nexport function cadmusAuthGuard<TSession>(\n  options: AuthGuardOptions<TSession>,\n): MiddlewareHandler {\n  const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;\n  const localsKey = options.localsKey ?? \"session\";\n\n  const handler: MiddlewareHandler = async (context, next) => {\n    const cookieValue = context.cookies.get(cookieName)?.value;\n    let session: TSession | null = null;\n\n    if (cookieValue) {\n      const [sessionId, signature] = cookieValue.split(\".\");\n      if (sessionId && signature) {\n        const valid = await verifySession(\n          sessionId,\n          signature,\n          options.secret(context),\n        );\n        if (valid) session = await options.getSession(context, sessionId);\n      }\n    }\n\n    (context.locals as Record<string, unknown>)[localsKey] = session;\n    return next();\n  };\n\n  return handler;\n}\n"],"mappings":";;;AAiCA,MAAM,sBAAsB;AAC5B,MAAM,iCAAiC,OAAU,KAAK;AACtD,MAAM,iCAAiC;AACvC,MAAM,qBAAqB;CAAE,OAAO;CAAG,eAAe;AAAQ;AAC9D,MAAM,oBAAoB;AAC1B,MAAM,oBAAoB;AAE1B,SAAS,MAAM,IAA2B;CACxC,OAAO,IAAI,SAAS,YAAY,WAAW,SAAS,EAAE,CAAC;AACzD;AAIA,SAAS,eAAe,OAAmD;CACzE,OAAO,CAAC,CAAC,SAAS,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,WAAW,IAAI;AACnE;AAEA,SAAS,QACP,OACA,SACA,UACQ;CACR,IAAI,UAAU,KAAA,GAAW,OAAO;CAChC,OAAO,OAAO,UAAU,aAAa,MAAM,OAAO,IAAI;AACxD;AAyDA,SAAS,kBAAkB,SAA8B;CACvD,MAAM,WAAW,QAAQ,IAAI;CAC7B,OAAO,aAAa,eAAe,aAAa;AAClD;AAEA,SAAS,kBACP,UACA,EAAE,OAAO,aACH;CACN,QAAQ,IAAI,wBAAwB,MAAM,IAAI,UAAU,SAAS,GAAG;AACtE;;;;;;;;AASA,SAAgB,wBACd,SACmC;CACnC,MAAM,aAAa,QAAQ,cAAc;CACzC,MAAM,sBACJ,QAAQ,uBAAuB;CACjC,MAAM,sBACJ,QAAQ,uBAAuB;CACjC,MAAM,YACJ,QAAQ,cAAc,QAClB,OACC,QAAQ,aAAa;CAC5B,MAAM,aAAa,QAAQ,cAAc;CACzC,MAAM,YAAY,QAAQ,aAAa;CACvC,MAAM,aAAa,QAAQ,cAAc;CACzC,MAAM,aAAa,QAAQ,cAAc;CAEzC,MAAM,OAAiB,OAAO,YAAY;EACxC,MAAM,OAAO,MAAM,QAAQ,QACxB,KAA4C,CAAC,CAC7C,YAAY,IAAI;EACnB,MAAM,QAAQ,MAAM,OAAO,KAAK,CAAC,CAAC,YAAY;EAC9C,IAAI,CAAC,OAAO,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;EAE7C,MAAM,WAAW,eAAe,MAAM,QAAQ,IAAI,KAAK,WAAW;EAElE,MAAM,KAAK,QAAQ,GAAG,OAAO;EAE7B,IAAI,WAAW;GACb,MAAM,EAAE,YAAY,MAAM,eACxB,IACA,uBAAuB,SACvB,UAAU,OACV,UAAU,aACZ;GACA,IAAI,CAAC,SAAS,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;EACjD;EAGA,IAAI,CAAC,MADc,QAAQ,SAAS,SAAS,KAAK,GACvC,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;EAE5C,MAAM,QAAQ,cAAc;EAC5B,MAAM,OAAO,MAAM,UAAU,KAAK;EAClC,MAAM,GAAG,IAAI,aAAa,QAAQ,OAAO,EACvC,eAAe,oBACjB,CAAC;EAED,MAAM,YAAY,IAAI,IAAI,YAAY,QAAQ,GAAG;EACjD,UAAU,aAAa,IAAI,SAAS,KAAK;EACzC,IAAI,UAAU,UAAU,aAAa,IAAI,YAAY,QAAQ;EAE7D,IAAI,WAAW,OAAO,GACpB,MAAM,WAAW,SAAS;GAAE;GAAO;EAAU,CAAC;OAE9C,MAAM,QAAQ,mBAAmB,SAAS;GAAE;GAAO;EAAU,CAAC;EAGhE,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;CACnC;CAEA,MAAM,MAAgB,OAAO,YAAY;EACvC,MAAM,QAAQ,QAAQ,IAAI,aAAa,IAAI,OAAO;EAClD,IAAI,CAAC,OAAO,OAAO,QAAQ,SAAS,GAAG,UAAU,eAAe;EAEhE,MAAM,KAAK,QAAQ,GAAG,OAAO;EAE7B,MAAM,MAAM,aAAa,MADN,UAAU,KAAK;EAMlC,IAAI,QAAuB;EAC3B,KAAK,IAAI,UAAU,GAAG,WAAW,mBAAmB,WAAW;GAC7D,QAAQ,MAAM,GAAG,IAAI,GAAG;GACxB,IAAI,UAAU,MAAM;GACpB,IAAI,UAAU,mBAAmB,MAAM,MAAM,iBAAiB;EAChE;EACA,IAAI,UAAU,MAAM,OAAO,QAAQ,SAAS,GAAG,UAAU,eAAe;EACxE,MAAM,GAAG,OAAO,GAAG;EAEnB,MAAM,OAAO,MAAM,QAAQ,SAAS,SAAS,KAAK;EAClD,IAAI,CAAC,MAAM,OAAO,QAAQ,SAAS,GAAG,UAAU,oBAAoB;EAEpE,MAAM,EAAE,cAAc,MAAM,QAAQ,cAAc,SAAS,IAAI;EAC/D,MAAM,YAAY,MAAM,YAAY,WAAW,QAAQ,OAAO,OAAO,CAAC;EAEtE,QAAQ,QAAQ,IAAI,YAAY,GAAG,UAAU,GAAG,aAAa;GAC3D,UAAU;GACV,QAAQ;GACR,UAAU;GACV,MAAM;GACN,QAAQ;EACV,CAAC;EAID,MAAM,oBAAoB,QAAQ,IAAI,aAAa,IAAI,UAAU;EACjE,MAAM,aAAa,eAAe,iBAAiB,IAC/C,oBACA,QAAQ,QAAQ,iBAAiB,SAAS,GAAG;EACjD,OAAO,QAAQ,SAAS,UAAU;CACpC;CAEA,OAAO;EAAE;EAAM;CAAI;AACrB;;AAYA,SAAgB,oBAAoB,SAAyC;CAC3E,MAAM,aAAa,QAAQ,cAAc;CAEzC,OAAO,OAAO,YAAY;EACxB,MAAM,cAAc,QAAQ,QAAQ,IAAI,UAAU,CAAC,EAAE;EACrD,IAAI,aAAa;GACf,MAAM,CAAC,aAAa,YAAY,MAAM,GAAG;GACzC,IAAI,WAAW,MAAM,QAAQ,cAAc,SAAS,SAAS;EAC/D;EACA,QAAQ,QAAQ,OAAO,YAAY,EAAE,MAAM,IAAI,CAAC;EAChD,OAAO,QAAQ,SAAS,QAAQ,QAAQ,YAAY,SAAS,QAAQ,CAAC;CACxE;AACF;;;;;;;;AAuBA,SAAgB,gBACd,SACmB;CACnB,MAAM,aAAa,QAAQ,cAAc;CACzC,MAAM,YAAY,QAAQ,aAAa;CAEvC,MAAM,UAA6B,OAAO,SAAS,SAAS;EAC1D,MAAM,cAAc,QAAQ,QAAQ,IAAI,UAAU,CAAC,EAAE;EACrD,IAAI,UAA2B;EAE/B,IAAI,aAAa;GACf,MAAM,CAAC,WAAW,aAAa,YAAY,MAAM,GAAG;GACpD,IAAI,aAAa;QAMX,MALgB,cAClB,WACA,WACA,QAAQ,OAAO,OAAO,CACxB,GACW,UAAU,MAAM,QAAQ,WAAW,SAAS,SAAS;GAAA;EAEpE;EAEA,QAAS,OAAmC,aAAa;EACzD,OAAO,KAAK;CACd;CAEA,OAAO;AACT"}

package/dist/auth/index.cjs

@@ -0,0 +1,59 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+//#region src/auth/index.ts
+function toHex(bytes) {
+	return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function toBase64Url(bytes) {
+	let binary = "";
+	for (const byte of bytes) binary += String.fromCharCode(byte);
+	return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function fromBase64Url(value) {
+	const padded = value.replace(/-/g, "+").replace(/_/g, "/");
+	const binary = atob(padded);
+	return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+/** Generates a 32-byte random token, hex-encoded — for magic-link URLs. */
+function generateToken() {
+	return toHex(crypto.getRandomValues(new Uint8Array(32)));
+}
+/** SHA-256 hashes a token for storage — raw tokens never touch KV. */
+async function hashToken(token) {
+	const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(token));
+	return toHex(new Uint8Array(digest));
+}
+/** Generates a 16-byte random session ID, hex-encoded. */
+function generateSessionId() {
+	return toHex(crypto.getRandomValues(new Uint8Array(16)));
+}
+async function hmacKey(secret) {
+	return crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign", "verify"]);
+}
+/** HMAC-SHA256-signs a session ID, base64url-encoded. */
+async function signSession(sessionId, secret) {
+	const key = await hmacKey(secret);
+	const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(sessionId));
+	return toBase64Url(new Uint8Array(signature));
+}
+/** Verifies an HMAC-SHA256 session signature. */
+async function verifySession(sessionId, signature, secret) {
+	const key = await hmacKey(secret);
+	let signatureBytes;
+	try {
+		signatureBytes = fromBase64Url(signature);
+	} catch {
+		return false;
+	}
+	return crypto.subtle.verify("HMAC", key, signatureBytes, new TextEncoder().encode(sessionId));
+}
+//#endregion
+exports.generateSessionId = generateSessionId;
+exports.generateToken = generateToken;
+exports.hashToken = hashToken;
+exports.signSession = signSession;
+exports.verifySession = verifySession;
+
+//# sourceMappingURL=index.cjs.map

package/dist/auth/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.cjs","names":[],"sources":["../../src/auth/index.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// Cadmus is MIT licensed. See LICENSE in the repo root.\n//\n// @thebes/cadmus/auth\n//\n// Web Crypto primitives for magic-link/token-based auth flows. No\n// passwords, no Node.js crypto — every operation here runs on\n// `crypto.subtle` / `crypto.getRandomValues`, available natively in the\n// V8 isolate. Callers own the KV storage and cookie wiring; this module\n// is pure functions over bytes.\n\nfunction toHex(bytes: Uint8Array): string {\n  return Array.from(bytes, (b) => b.toString(16).padStart(2, \"0\")).join(\"\");\n}\n\nfunction toBase64Url(bytes: Uint8Array): string {\n  let binary = \"\";\n  for (const byte of bytes) binary += String.fromCharCode(byte);\n  return btoa(binary)\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\nfunction fromBase64Url(value: string): Uint8Array {\n  const padded = value.replace(/-/g, \"+\").replace(/_/g, \"/\");\n  const binary = atob(padded);\n  return Uint8Array.from(binary, (c) => c.charCodeAt(0));\n}\n\n/** Generates a 32-byte random token, hex-encoded — for magic-link URLs. */\nexport function generateToken(): string {\n  return toHex(crypto.getRandomValues(new Uint8Array(32)));\n}\n\n/** SHA-256 hashes a token for storage — raw tokens never touch KV. */\nexport async function hashToken(token: string): Promise<string> {\n  const digest = await crypto.subtle.digest(\n    \"SHA-256\",\n    new TextEncoder().encode(token),\n  );\n  return toHex(new Uint8Array(digest));\n}\n\n/** Generates a 16-byte random session ID, hex-encoded. */\nexport function generateSessionId(): string {\n  return toHex(crypto.getRandomValues(new Uint8Array(16)));\n}\n\nasync function hmacKey(secret: string): Promise<CryptoKey> {\n  return crypto.subtle.importKey(\n    \"raw\",\n    new TextEncoder().encode(secret),\n    { name: \"HMAC\", hash: \"SHA-256\" },\n    false,\n    [\"sign\", \"verify\"],\n  );\n}\n\n/** HMAC-SHA256-signs a session ID, base64url-encoded. */\nexport async function signSession(\n  sessionId: string,\n  secret: string,\n): Promise<string> {\n  const key = await hmacKey(secret);\n  const signature = await crypto.subtle.sign(\n    \"HMAC\",\n    key,\n    new TextEncoder().encode(sessionId),\n  );\n  return toBase64Url(new Uint8Array(signature));\n}\n\n/** Verifies an HMAC-SHA256 session signature. */\nexport async function verifySession(\n  sessionId: string,\n  signature: string,\n  secret: string,\n): Promise<boolean> {\n  const key = await hmacKey(secret);\n  let signatureBytes: Uint8Array;\n  try {\n    signatureBytes = fromBase64Url(signature);\n  } catch {\n    return false;\n  }\n  return crypto.subtle.verify(\n    \"HMAC\",\n    key,\n    signatureBytes as BufferSource,\n    new TextEncoder().encode(sessionId),\n  );\n}\n"],"mappings":";;AAWA,SAAS,MAAM,OAA2B;CACxC,OAAO,MAAM,KAAK,QAAQ,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE;AAC1E;AAEA,SAAS,YAAY,OAA2B;CAC9C,IAAI,SAAS;CACb,KAAK,MAAM,QAAQ,OAAO,UAAU,OAAO,aAAa,IAAI;CAC5D,OAAO,KAAK,MAAM,CAAC,CAChB,QAAQ,OAAO,GAAG,CAAC,CACnB,QAAQ,OAAO,GAAG,CAAC,CACnB,QAAQ,OAAO,EAAE;AACtB;AAEA,SAAS,cAAc,OAA2B;CAChD,MAAM,SAAS,MAAM,QAAQ,MAAM,GAAG,CAAC,CAAC,QAAQ,MAAM,GAAG;CACzD,MAAM,SAAS,KAAK,MAAM;CAC1B,OAAO,WAAW,KAAK,SAAS,MAAM,EAAE,WAAW,CAAC,CAAC;AACvD;;AAGA,SAAgB,gBAAwB;CACtC,OAAO,MAAM,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AACzD;;AAGA,eAAsB,UAAU,OAAgC;CAC9D,MAAM,SAAS,MAAM,OAAO,OAAO,OACjC,WACA,IAAI,YAAY,CAAC,CAAC,OAAO,KAAK,CAChC;CACA,OAAO,MAAM,IAAI,WAAW,MAAM,CAAC;AACrC;;AAGA,SAAgB,oBAA4B;CAC1C,OAAO,MAAM,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AACzD;AAEA,eAAe,QAAQ,QAAoC;CACzD,OAAO,OAAO,OAAO,UACnB,OACA,IAAI,YAAY,CAAC,CAAC,OAAO,MAAM,GAC/B;EAAE,MAAM;EAAQ,MAAM;CAAU,GAChC,OACA,CAAC,QAAQ,QAAQ,CACnB;AACF;;AAGA,eAAsB,YACpB,WACA,QACiB;CACjB,MAAM,MAAM,MAAM,QAAQ,MAAM;CAChC,MAAM,YAAY,MAAM,OAAO,OAAO,KACpC,QACA,KACA,IAAI,YAAY,CAAC,CAAC,OAAO,SAAS,CACpC;CACA,OAAO,YAAY,IAAI,WAAW,SAAS,CAAC;AAC9C;;AAGA,eAAsB,cACpB,WACA,WACA,QACkB;CAClB,MAAM,MAAM,MAAM,QAAQ,MAAM;CAChC,IAAI;CACJ,IAAI;EACF,iBAAiB,cAAc,SAAS;CAC1C,QAAQ;EACN,OAAO;CACT;CACA,OAAO,OAAO,OAAO,OACnB,QACA,KACA,gBACA,IAAI,YAAY,CAAC,CAAC,OAAO,SAAS,CACpC;AACF"}

package/dist/auth/index.d.cts

@@ -0,0 +1,14 @@
+//#region src/auth/index.d.ts
+/** Generates a 32-byte random token, hex-encoded — for magic-link URLs. */
+declare function generateToken(): string;
+/** SHA-256 hashes a token for storage — raw tokens never touch KV. */
+declare function hashToken(token: string): Promise<string>;
+/** Generates a 16-byte random session ID, hex-encoded. */
+declare function generateSessionId(): string;
+/** HMAC-SHA256-signs a session ID, base64url-encoded. */
+declare function signSession(sessionId: string, secret: string): Promise<string>;
+/** Verifies an HMAC-SHA256 session signature. */
+declare function verifySession(sessionId: string, signature: string, secret: string): Promise<boolean>;
+//#endregion
+export { generateSessionId, generateToken, hashToken, signSession, verifySession };
+//# sourceMappingURL=index.d.cts.map

package/dist/auth/index.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.cts","names":[],"sources":["../../src/auth/index.ts"],"mappings":";;iBA+BgB,aAAA;;iBAKM,SAAA,CAAU,KAAA,WAAgB,OAAO;;iBASvC,iBAAA;AAThB;AAAA,iBAwBsB,WAAA,CACpB,SAAA,UACA,MAAA,WACC,OAAO;;iBAWY,aAAA,CACpB,SAAA,UACA,SAAA,UACA,MAAA,WACC,OAAO"}

package/dist/auth/index.d.ts

@@ -0,0 +1,14 @@
+//#region src/auth/index.d.ts
+/** Generates a 32-byte random token, hex-encoded — for magic-link URLs. */
+declare function generateToken(): string;
+/** SHA-256 hashes a token for storage — raw tokens never touch KV. */
+declare function hashToken(token: string): Promise<string>;
+/** Generates a 16-byte random session ID, hex-encoded. */
+declare function generateSessionId(): string;
+/** HMAC-SHA256-signs a session ID, base64url-encoded. */
+declare function signSession(sessionId: string, secret: string): Promise<string>;
+/** Verifies an HMAC-SHA256 session signature. */
+declare function verifySession(sessionId: string, signature: string, secret: string): Promise<boolean>;
+//#endregion
+export { generateSessionId, generateToken, hashToken, signSession, verifySession };
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/auth/index.ts"],"mappings":";;iBA+BgB,aAAA;;iBAKM,SAAA,CAAU,KAAA,WAAgB,OAAO;;iBASvC,iBAAA;AAThB;AAAA,iBAwBsB,WAAA,CACpB,SAAA,UACA,MAAA,WACC,OAAO;;iBAWY,aAAA,CACpB,SAAA,UACA,SAAA,UACA,MAAA,WACC,OAAO"}

package/dist/auth/index.js

@@ -0,0 +1,54 @@
+//#region src/auth/index.ts
+function toHex(bytes) {
+	return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function toBase64Url(bytes) {
+	let binary = "";
+	for (const byte of bytes) binary += String.fromCharCode(byte);
+	return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function fromBase64Url(value) {
+	const padded = value.replace(/-/g, "+").replace(/_/g, "/");
+	const binary = atob(padded);
+	return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+/** Generates a 32-byte random token, hex-encoded — for magic-link URLs. */
+function generateToken() {
+	return toHex(crypto.getRandomValues(new Uint8Array(32)));
+}
+/** SHA-256 hashes a token for storage — raw tokens never touch KV. */
+async function hashToken(token) {
+	const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(token));
+	return toHex(new Uint8Array(digest));
+}
+/** Generates a 16-byte random session ID, hex-encoded. */
+function generateSessionId() {
+	return toHex(crypto.getRandomValues(new Uint8Array(16)));
+}
+async function hmacKey(secret) {
+	return crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign", "verify"]);
+}
+/** HMAC-SHA256-signs a session ID, base64url-encoded. */
+async function signSession(sessionId, secret) {
+	const key = await hmacKey(secret);
+	const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(sessionId));
+	return toBase64Url(new Uint8Array(signature));
+}
+/** Verifies an HMAC-SHA256 session signature. */
+async function verifySession(sessionId, signature, secret) {
+	const key = await hmacKey(secret);
+	let signatureBytes;
+	try {
+		signatureBytes = fromBase64Url(signature);
+	} catch {
+		return false;
+	}
+	return crypto.subtle.verify("HMAC", key, signatureBytes, new TextEncoder().encode(sessionId));
+}
+//#endregion
+export { generateSessionId, generateToken, hashToken, signSession, verifySession };
+
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","names":[],"sources":["../../src/auth/index.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// Cadmus is MIT licensed. See LICENSE in the repo root.\n//\n// @thebes/cadmus/auth\n//\n// Web Crypto primitives for magic-link/token-based auth flows. No\n// passwords, no Node.js crypto — every operation here runs on\n// `crypto.subtle` / `crypto.getRandomValues`, available natively in the\n// V8 isolate. Callers own the KV storage and cookie wiring; this module\n// is pure functions over bytes.\n\nfunction toHex(bytes: Uint8Array): string {\n  return Array.from(bytes, (b) => b.toString(16).padStart(2, \"0\")).join(\"\");\n}\n\nfunction toBase64Url(bytes: Uint8Array): string {\n  let binary = \"\";\n  for (const byte of bytes) binary += String.fromCharCode(byte);\n  return btoa(binary)\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\nfunction fromBase64Url(value: string): Uint8Array {\n  const padded = value.replace(/-/g, \"+\").replace(/_/g, \"/\");\n  const binary = atob(padded);\n  return Uint8Array.from(binary, (c) => c.charCodeAt(0));\n}\n\n/** Generates a 32-byte random token, hex-encoded — for magic-link URLs. */\nexport function generateToken(): string {\n  return toHex(crypto.getRandomValues(new Uint8Array(32)));\n}\n\n/** SHA-256 hashes a token for storage — raw tokens never touch KV. */\nexport async function hashToken(token: string): Promise<string> {\n  const digest = await crypto.subtle.digest(\n    \"SHA-256\",\n    new TextEncoder().encode(token),\n  );\n  return toHex(new Uint8Array(digest));\n}\n\n/** Generates a 16-byte random session ID, hex-encoded. */\nexport function generateSessionId(): string {\n  return toHex(crypto.getRandomValues(new Uint8Array(16)));\n}\n\nasync function hmacKey(secret: string): Promise<CryptoKey> {\n  return crypto.subtle.importKey(\n    \"raw\",\n    new TextEncoder().encode(secret),\n    { name: \"HMAC\", hash: \"SHA-256\" },\n    false,\n    [\"sign\", \"verify\"],\n  );\n}\n\n/** HMAC-SHA256-signs a session ID, base64url-encoded. */\nexport async function signSession(\n  sessionId: string,\n  secret: string,\n): Promise<string> {\n  const key = await hmacKey(secret);\n  const signature = await crypto.subtle.sign(\n    \"HMAC\",\n    key,\n    new TextEncoder().encode(sessionId),\n  );\n  return toBase64Url(new Uint8Array(signature));\n}\n\n/** Verifies an HMAC-SHA256 session signature. */\nexport async function verifySession(\n  sessionId: string,\n  signature: string,\n  secret: string,\n): Promise<boolean> {\n  const key = await hmacKey(secret);\n  let signatureBytes: Uint8Array;\n  try {\n    signatureBytes = fromBase64Url(signature);\n  } catch {\n    return false;\n  }\n  return crypto.subtle.verify(\n    \"HMAC\",\n    key,\n    signatureBytes as BufferSource,\n    new TextEncoder().encode(sessionId),\n  );\n}\n"],"mappings":";AAWA,SAAS,MAAM,OAA2B;CACxC,OAAO,MAAM,KAAK,QAAQ,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE;AAC1E;AAEA,SAAS,YAAY,OAA2B;CAC9C,IAAI,SAAS;CACb,KAAK,MAAM,QAAQ,OAAO,UAAU,OAAO,aAAa,IAAI;CAC5D,OAAO,KAAK,MAAM,CAAC,CAChB,QAAQ,OAAO,GAAG,CAAC,CACnB,QAAQ,OAAO,GAAG,CAAC,CACnB,QAAQ,OAAO,EAAE;AACtB;AAEA,SAAS,cAAc,OAA2B;CAChD,MAAM,SAAS,MAAM,QAAQ,MAAM,GAAG,CAAC,CAAC,QAAQ,MAAM,GAAG;CACzD,MAAM,SAAS,KAAK,MAAM;CAC1B,OAAO,WAAW,KAAK,SAAS,MAAM,EAAE,WAAW,CAAC,CAAC;AACvD;;AAGA,SAAgB,gBAAwB;CACtC,OAAO,MAAM,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AACzD;;AAGA,eAAsB,UAAU,OAAgC;CAC9D,MAAM,SAAS,MAAM,OAAO,OAAO,OACjC,WACA,IAAI,YAAY,CAAC,CAAC,OAAO,KAAK,CAChC;CACA,OAAO,MAAM,IAAI,WAAW,MAAM,CAAC;AACrC;;AAGA,SAAgB,oBAA4B;CAC1C,OAAO,MAAM,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AACzD;AAEA,eAAe,QAAQ,QAAoC;CACzD,OAAO,OAAO,OAAO,UACnB,OACA,IAAI,YAAY,CAAC,CAAC,OAAO,MAAM,GAC/B;EAAE,MAAM;EAAQ,MAAM;CAAU,GAChC,OACA,CAAC,QAAQ,QAAQ,CACnB;AACF;;AAGA,eAAsB,YACpB,WACA,QACiB;CACjB,MAAM,MAAM,MAAM,QAAQ,MAAM;CAChC,MAAM,YAAY,MAAM,OAAO,OAAO,KACpC,QACA,KACA,IAAI,YAAY,CAAC,CAAC,OAAO,SAAS,CACpC;CACA,OAAO,YAAY,IAAI,WAAW,SAAS,CAAC;AAC9C;;AAGA,eAAsB,cACpB,WACA,WACA,QACkB;CAClB,MAAM,MAAM,MAAM,QAAQ,MAAM;CAChC,IAAI;CACJ,IAAI;EACF,iBAAiB,cAAc,SAAS;CAC1C,QAAQ;EACN,OAAO;CACT;CACA,OAAO,OAAO,OAAO,OACnB,QACA,KACA,gBACA,IAAI,YAAY,CAAC,CAAC,OAAO,SAAS,CACpC;AACF"}

package/dist/cache/index.cjs

@@ -0,0 +1,18 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+//#region src/cache/index.ts
+const isDev = typeof caches === "undefined" || typeof caches.default === "undefined";
+async function purgeCache(url) {
+	if (isDev) {
+		console.log(`[cache] DEV — skipping purge: ${url}`);
+		return;
+	}
+	try {
+		await caches.default.delete(new Request(url));
+	} catch (err) {
+		console.warn("[cache] Purge failed:", err);
+	}
+}
+//#endregion
+exports.purgeCache = purgeCache;
+
+//# sourceMappingURL=index.cjs.map

package/dist/cache/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.cjs","names":[],"sources":["../../src/cache/index.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// Cadmus is MIT licensed. See LICENSE in the repo root.\n//\n// @thebes/cadmus/cache\n//\n// Cloudflare Cache API wrapper with a dev-mode bypass. `caches.default`\n// has been confirmed available under `wrangler dev` in current\n// wrangler/workerd versions (see DECISIONS.md, 2026-06-19) — this bypass\n// is defensive code for older versions and non-Workers test runtimes\n// (e.g. vitest-pool-workers), not something every dev request hits.\n\n// `@cloudflare/workers-types` never declares `caches.default` — that\n// Workers-runtime extension to the standard CacheStorage API is only ever\n// typed via wrangler's own per-project generated worker-configuration.d.ts,\n// not the static npm package. Cadmus ships standalone, so it declares the\n// minimal ambient extension itself rather than depending on a consumer's\n// generated types.\ndeclare global {\n  interface CacheStorage {\n    readonly default: Cache;\n  }\n}\n\nconst isDev =\n  typeof caches === \"undefined\" || typeof caches.default === \"undefined\";\n\nexport async function purgeCache(url: string): Promise<void> {\n  if (isDev) {\n    console.log(`[cache] DEV — skipping purge: ${url}`);\n    return;\n  }\n  try {\n    await caches.default.delete(new Request(url));\n  } catch (err) {\n    console.warn(\"[cache] Purge failed:\", err);\n  }\n}\n"],"mappings":";;AAuBA,MAAM,QACJ,OAAO,WAAW,eAAe,OAAO,OAAO,YAAY;AAE7D,eAAsB,WAAW,KAA4B;CAC3D,IAAI,OAAO;EACT,QAAQ,IAAI,iCAAiC,KAAK;EAClD;CACF;CACA,IAAI;EACF,MAAM,OAAO,QAAQ,OAAO,IAAI,QAAQ,GAAG,CAAC;CAC9C,SAAS,KAAK;EACZ,QAAQ,KAAK,yBAAyB,GAAG;CAC3C;AACF"}

package/dist/cache/index.d.cts

@@ -0,0 +1,10 @@
+//#region src/cache/index.d.ts
+declare global {
+  interface CacheStorage {
+    readonly default: Cache;
+  }
+}
+declare function purgeCache(url: string): Promise<void>;
+//#endregion
+export { purgeCache };
+//# sourceMappingURL=index.d.cts.map

package/dist/cache/index.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.cts","names":[],"sources":["../../src/cache/index.ts"],"mappings":";QAiBQ,MAAA;EAAA,UACI,YAAA;IAAA,SACC,OAAA,EAAS,KAAK;EAAA;AAAA;AAAA,iBAOL,UAAA,CAAW,GAAA,WAAc,OAAO"}

package/dist/cache/index.d.ts

@@ -0,0 +1,10 @@
+//#region src/cache/index.d.ts
+declare global {
+  interface CacheStorage {
+    readonly default: Cache;
+  }
+}
+declare function purgeCache(url: string): Promise<void>;
+//#endregion
+export { purgeCache };
+//# sourceMappingURL=index.d.ts.map

package/dist/cache/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/cache/index.ts"],"mappings":";QAiBQ,MAAA;EAAA,UACI,YAAA;IAAA,SACC,OAAA,EAAS,KAAK;EAAA;AAAA;AAAA,iBAOL,UAAA,CAAW,GAAA,WAAc,OAAO"}

package/dist/cache/index.js

@@ -0,0 +1,17 @@
+//#region src/cache/index.ts
+const isDev = typeof caches === "undefined" || typeof caches.default === "undefined";
+async function purgeCache(url) {
+	if (isDev) {
+		console.log(`[cache] DEV — skipping purge: ${url}`);
+		return;
+	}
+	try {
+		await caches.default.delete(new Request(url));
+	} catch (err) {
+		console.warn("[cache] Purge failed:", err);
+	}
+}
+//#endregion
+export { purgeCache };
+
+//# sourceMappingURL=index.js.map

package/dist/cache/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","names":[],"sources":["../../src/cache/index.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// Cadmus is MIT licensed. See LICENSE in the repo root.\n//\n// @thebes/cadmus/cache\n//\n// Cloudflare Cache API wrapper with a dev-mode bypass. `caches.default`\n// has been confirmed available under `wrangler dev` in current\n// wrangler/workerd versions (see DECISIONS.md, 2026-06-19) — this bypass\n// is defensive code for older versions and non-Workers test runtimes\n// (e.g. vitest-pool-workers), not something every dev request hits.\n\n// `@cloudflare/workers-types` never declares `caches.default` — that\n// Workers-runtime extension to the standard CacheStorage API is only ever\n// typed via wrangler's own per-project generated worker-configuration.d.ts,\n// not the static npm package. Cadmus ships standalone, so it declares the\n// minimal ambient extension itself rather than depending on a consumer's\n// generated types.\ndeclare global {\n  interface CacheStorage {\n    readonly default: Cache;\n  }\n}\n\nconst isDev =\n  typeof caches === \"undefined\" || typeof caches.default === \"undefined\";\n\nexport async function purgeCache(url: string): Promise<void> {\n  if (isDev) {\n    console.log(`[cache] DEV — skipping purge: ${url}`);\n    return;\n  }\n  try {\n    await caches.default.delete(new Request(url));\n  } catch (err) {\n    console.warn(\"[cache] Purge failed:\", err);\n  }\n}\n"],"mappings":";AAuBA,MAAM,QACJ,OAAO,WAAW,eAAe,OAAO,OAAO,YAAY;AAE7D,eAAsB,WAAW,KAA4B;CAC3D,IAAI,OAAO;EACT,QAAQ,IAAI,iCAAiC,KAAK;EAClD;CACF;CACA,IAAI;EACF,MAAM,OAAO,QAAQ,OAAO,IAAI,QAAQ,GAAG,CAAC;CAC9C,SAAS,KAAK;EACZ,QAAQ,KAAK,yBAAyB,GAAG;CAC3C;AACF"}