@theokit/sdk 1.6.2 → 1.7.0

package/dist/server/auth/errors.d.cts

@@ -0,0 +1,53 @@
+/**
+ * @theokit/sdk/server/auth — typed error classes
+ *
+ * Plan T1.2 + v1.1 EC-1 (AuthCancelledError for OAuth provider error response RFC 6749 §4.1.2.1).
+ */
+/**
+ * Thrown at `defineAuth()` time when configuration is invalid
+ * (e.g., duplicate provider name, invalid email shape per EC-V1-12).
+ */
+export declare class AuthConfigError extends Error {
+    readonly name = "AuthConfigError";
+    readonly code: string;
+    constructor(code: string, message: string);
+}
+/**
+ * Thrown at `startSignIn(providerName, ...)` or `finishSignIn(providerName, ...)`
+ * when the named provider is not registered in `providers[]`.
+ */
+export declare class AuthProviderNotFoundError extends Error {
+    readonly name = "AuthProviderNotFoundError";
+    readonly providerName: string;
+    constructor(providerName: string);
+}
+/**
+ * Thrown during OAuth callback handling for state mismatches, expired
+ * transactions, missing query params, or provider 4xx/5xx errors.
+ *
+ * Typed `code` field lets consumers branch on cause:
+ *   - 'oauth_transaction_expired' — cookie tx > 10min old (per ADR D5)
+ *   - 'oauth_state_mismatch' — query state ≠ cookie state (CSRF defense per RFC 6749 §10.12)
+ *   - 'oauth_provider_error' — non-access_denied error in callback URL
+ *   - 'oauth_token_exchange_failed' — provider rejected code-for-tokens swap
+ *   - 'oauth_userinfo_failed' — userinfo endpoint returned error
+ *   - 'oauth_missing_code_or_state' — required query params absent
+ */
+export declare class AuthCallbackError extends Error {
+    readonly name: string;
+    readonly code: string;
+    constructor(code: string, message?: string);
+}
+/**
+ * Per v1.1 EC-1 MUST FIX — typed subclass of AuthCallbackError for the
+ * specific case where user declined consent at provider screen.
+ *
+ * OAuth 2.0 RFC 6749 §4.1.2.1: provider redirects with `?error=access_denied`.
+ * Apps can catch this distinctly from network/server errors to render
+ * "Login cancelled — try again" UX instead of opaque "callback failed".
+ */
+export declare class AuthCancelledError extends AuthCallbackError {
+    readonly name: string;
+    readonly errorDescription?: string;
+    constructor(errorDescription?: string);
+}

package/dist/server/auth/errors.d.ts

@@ -0,0 +1,53 @@
+/**
+ * @theokit/sdk/server/auth — typed error classes
+ *
+ * Plan T1.2 + v1.1 EC-1 (AuthCancelledError for OAuth provider error response RFC 6749 §4.1.2.1).
+ */
+/**
+ * Thrown at `defineAuth()` time when configuration is invalid
+ * (e.g., duplicate provider name, invalid email shape per EC-V1-12).
+ */
+export declare class AuthConfigError extends Error {
+    readonly name = "AuthConfigError";
+    readonly code: string;
+    constructor(code: string, message: string);
+}
+/**
+ * Thrown at `startSignIn(providerName, ...)` or `finishSignIn(providerName, ...)`
+ * when the named provider is not registered in `providers[]`.
+ */
+export declare class AuthProviderNotFoundError extends Error {
+    readonly name = "AuthProviderNotFoundError";
+    readonly providerName: string;
+    constructor(providerName: string);
+}
+/**
+ * Thrown during OAuth callback handling for state mismatches, expired
+ * transactions, missing query params, or provider 4xx/5xx errors.
+ *
+ * Typed `code` field lets consumers branch on cause:
+ *   - 'oauth_transaction_expired' — cookie tx > 10min old (per ADR D5)
+ *   - 'oauth_state_mismatch' — query state ≠ cookie state (CSRF defense per RFC 6749 §10.12)
+ *   - 'oauth_provider_error' — non-access_denied error in callback URL
+ *   - 'oauth_token_exchange_failed' — provider rejected code-for-tokens swap
+ *   - 'oauth_userinfo_failed' — userinfo endpoint returned error
+ *   - 'oauth_missing_code_or_state' — required query params absent
+ */
+export declare class AuthCallbackError extends Error {
+    readonly name: string;
+    readonly code: string;
+    constructor(code: string, message?: string);
+}
+/**
+ * Per v1.1 EC-1 MUST FIX — typed subclass of AuthCallbackError for the
+ * specific case where user declined consent at provider screen.
+ *
+ * OAuth 2.0 RFC 6749 §4.1.2.1: provider redirects with `?error=access_denied`.
+ * Apps can catch this distinctly from network/server errors to render
+ * "Login cancelled — try again" UX instead of opaque "callback failed".
+ */
+export declare class AuthCancelledError extends AuthCallbackError {
+    readonly name: string;
+    readonly errorDescription?: string;
+    constructor(errorDescription?: string);
+}

package/dist/server/auth/index.cjs

@@ -16,25 +16,33 @@ var __export = (target, all) => {
 // src/server/auth/oauth-transaction-store.ts
 var oauth_transaction_store_exports = {};
 __export(oauth_transaction_store_exports, {
-  clearCookie: () => clearCookie,
+  AuthSecretTooShortError: () => exports.AuthSecretTooShortError,
+  __TESTING__deriveKey: () => __TESTING__deriveKey,
   clearTransaction: () => clearTransaction,
-  decodeTransaction: () => decodeTransaction,
   encodeTransaction: () => encodeTransaction,
-  getCookie: () => getCookie,
   getTransaction: () => getTransaction,
-  newTransaction: () => newTransaction,
-  setCookie: () => setCookie,
-  setTransaction: () => setTransaction
+  newTransaction: () => newTransaction
 });
 async function deriveKey(secret) {
-  const keyMaterial = await crypto.webcrypto.subtle.importKey(
-    "raw",
-    buffer.Buffer.from(secret).slice(0, 32).length === 32 ? buffer.Buffer.from(secret).slice(0, 32) : buffer.Buffer.concat([buffer.Buffer.from(secret), buffer.Buffer.alloc(32)]).slice(0, 32),
-    { name: "AES-GCM" },
-    false,
-    ["encrypt", "decrypt"]
+  const secretBytes = new TextEncoder().encode(secret);
+  if (secretBytes.byteLength < 32) {
+    throw new exports.AuthSecretTooShortError(secretBytes.byteLength);
+  }
+  const saltRaw = process.env.THEOKIT_OAUTH_TX_SALT ?? "";
+  const salt = new TextEncoder().encode(saltRaw);
+  const ikm = await crypto.webcrypto.subtle.importKey("raw", secretBytes, "HKDF", false, ["deriveBits"]);
+  const derived = await crypto.webcrypto.subtle.deriveBits(
+    { name: "HKDF", hash: "SHA-256", salt, info: new TextEncoder().encode(HKDF_INFO) },
+    ikm,
+    256
   );
-  return keyMaterial;
+  return crypto.webcrypto.subtle.importKey("raw", derived, { name: "AES-GCM" }, true, [
+    "encrypt",
+    "decrypt"
+  ]);
+}
+async function __TESTING__deriveKey(secret) {
+  return deriveKey(secret);
 }
 async function encodeTransaction(tx, secret) {
   const key = await deriveKey(secret);
@@ -68,34 +76,11 @@ function getCookie(req, name) {
   }
   return null;
 }
-function setCookie(res, name, value) {
-  const existing = res.getHeader("Set-Cookie");
-  const cookie = `${name}=${value}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=${TX_LIFETIME_MS / 1e3}`;
-  if (Array.isArray(existing)) {
-    res.setHeader("Set-Cookie", [...existing, cookie]);
-  } else if (typeof existing === "string") {
-    res.setHeader("Set-Cookie", [existing, cookie]);
-  } else {
-    res.setHeader("Set-Cookie", cookie);
-  }
-}
 function clearCookie(res, name) {
-  setCookie(
-    res,
-    name,
-    `; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0`.split(";").slice(0, 1).join("")
-  );
-  const clear = `${name}=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0`;
+  const clear = `${name}=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
   const existing = res.getHeader("Set-Cookie");
-  if (Array.isArray(existing)) {
-    res.setHeader("Set-Cookie", [...existing.filter((c) => !c.includes(`${name}=`)), clear]);
-  } else {
-    res.setHeader("Set-Cookie", clear);
-  }
-}
-async function setTransaction(res, tx, secret) {
-  const encoded = await encodeTransaction(tx, secret);
-  setCookie(res, COOKIE_NAME, encoded);
+  const preserved = Array.isArray(existing) ? existing.filter((c) => !c.startsWith(`${name}=`)) : typeof existing === "string" && !existing.startsWith(`${name}=`) ? [existing] : [];
+  res.setHeader("Set-Cookie", [...preserved, clear]);
 }
 async function getTransaction(req, secret) {
   const raw = getCookie(req, COOKIE_NAME);
@@ -118,11 +103,20 @@ function newTransaction(opts) {
     expiresAt: now + TX_LIFETIME_MS
   };
 }
-var COOKIE_NAME, TX_LIFETIME_MS;
+var COOKIE_NAME, TX_LIFETIME_MS, HKDF_INFO; exports.AuthSecretTooShortError = void 0;
 var init_oauth_transaction_store = __esm({
   "src/server/auth/oauth-transaction-store.ts"() {
-    COOKIE_NAME = "theo_oauth_tx";
+    COOKIE_NAME = "__Host-theo_oauth_tx";
     TX_LIFETIME_MS = 10 * 60 * 1e3;
+    HKDF_INFO = "theokit:oauth-tx-v1";
+    exports.AuthSecretTooShortError = class extends Error {
+      name = "AuthSecretTooShortError";
+      constructor(actualBytes) {
+        super(
+          `OAuth transaction secret must be at least 32 bytes (got ${actualBytes}). Generate a fresh value with: openssl rand -base64 33`
+        );
+      }
+    };
   }
 });
 
@@ -161,6 +155,9 @@ var AuthCancelledError = class extends AuthCallbackError {
     this.errorDescription = errorDescription;
   }
 };
+
+// src/server/auth/index.ts
+init_oauth_transaction_store();
 init_oauth_transaction_store();
 
 // src/server/auth/validate-return-to.ts

package/dist/server/auth/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/server/auth/oauth-transaction-store.ts","../../../src/server/auth/errors.ts","../../../src/server/auth/orchestrator.ts","../../../src/server/auth/validate-return-to.ts"],"names":["webcrypto","Buffer","encodeTransaction"],"mappings":";;;;;;;;;;;;;;;;AAAA,IAAA,+BAAA,GAAA,EAAA;AAAA,QAAA,CAAA,+BAAA,EAAA;AAAA,EAAA,WAAA,EAAA,MAAA,WAAA;AAAA,EAAA,gBAAA,EAAA,MAAA,gBAAA;AAAA,EAAA,iBAAA,EAAA,MAAA,iBAAA;AAAA,EAAA,iBAAA,EAAA,MAAA,iBAAA;AAAA,EAAA,SAAA,EAAA,MAAA,SAAA;AAAA,EAAA,cAAA,EAAA,MAAA,cAAA;AAAA,EAAA,cAAA,EAAA,MAAA,cAAA;AAAA,EAAA,SAAA,EAAA,MAAA,SAAA;AAAA,EAAA,cAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AA2BA,eAAe,UAAU,MAAA,EAAoC;AAC3D,EAAA,MAAM,WAAA,GAAc,MAAMA,gBAAA,CAAU,MAAA,CAAO,SAAA;AAAA,IACzC,KAAA;AAAA,IACAC,aAAAA,CAAO,IAAA,CAAK,MAAM,CAAA,CAAE,MAAM,CAAA,EAAG,EAAE,CAAA,CAAE,MAAA,KAAW,EAAA,GACxCA,aAAAA,CAAO,IAAA,CAAK,MAAM,EAAE,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAC/BA,aAAAA,CAAO,MAAA,CAAO,CAACA,aAAAA,CAAO,KAAK,MAAM,CAAA,EAAGA,aAAAA,CAAO,KAAA,CAAM,EAAE,CAAC,CAAC,CAAA,CAAE,KAAA,CAAM,GAAG,EAAE,CAAA;AAAA,IACtE,EAAE,MAAM,SAAA,EAAU;AAAA,IAClB,KAAA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,GACvB;AACA,EAAA,OAAO,WAAA;AACT;AAEA,eAAsB,iBAAA,CAAkB,IAAsB,MAAA,EAAiC;AAC7F,EAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,MAAM,CAAA;AAClC,EAAA,MAAM,KAAKD,gBAAA,CAAU,eAAA,CAAgB,IAAI,UAAA,CAAW,EAAE,CAAC,CAAA;AACvD,EAAA,MAAM,SAAA,GAAY,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,EAAE,CAAC,CAAA;AAC7D,EAAA,MAAM,UAAA,GAAa,MAAMA,gBAAA,CAAU,MAAA,CAAO,OAAA,CAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG,EAAG,GAAA,EAAK,SAAS,CAAA;AACzF,EAAA,MAAM,WAAW,IAAI,UAAA,CAAW,EAAA,CAAG,MAAA,GAAS,WAAW,UAAU,CAAA;AACjE,EAAA,QAAA,CAAS,GAAA,CAAI,IAAI,CAAC,CAAA;AAClB,EAAA,QAAA,CAAS,IAAI,IAAI,UAAA,CAAW,UAAU,CAAA,EAAG,GAAG,MAAM,CAAA;AAClD,EAAA,OAAOC,aAAAA,CAAO,IAAA,CAAK,QAAQ,CAAA,CAAE,SAAS,WAAW,CAAA;AACnD;AAEA,eAAsB,iBAAA,CACpB,SACA,MAAA,EACkC;AAClC,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,MAAM,CAAA;AAClC,IAAA,MAAM,QAAA,GAAWA,aAAAA,CAAO,IAAA,CAAK,OAAA,EAAS,WAAW,CAAA;AACjD,IAAA,MAAM,EAAA,GAAK,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAC/B,IAAA,MAAM,UAAA,GAAa,QAAA,CAAS,KAAA,CAAM,EAAE,CAAA;AACpC,IAAA,MAAM,SAAA,GAAY,MAAMD,gBAAA,CAAU,MAAA,CAAO,OAAA,CAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG,EAAG,GAAA,EAAK,UAAU,CAAA;AACzF,IAAA,MAAM,EAAA,GAAK,KAAK,KAAA,CAAM,IAAI,aAAY,CAAE,MAAA,CAAO,SAAS,CAAC,CAAA;AACzD,IAAA,OAAO,EAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAEO,SAAS,SAAA,CAAU,KAAsB,IAAA,EAA6B;AAC3E,EAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,MAAA;AAC3B,EAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AACpB,EAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,CAAA,EAAG;AACpC,IAAA,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,IAAA,CAAK,IAAA,EAAK,CAAE,KAAA,CAAM,GAAG,CAAA;AACvC,IAAA,IAAI,CAAA,KAAM,IAAA,EAAM,OAAO,CAAA,CAAE,KAAK,GAAG,CAAA;AAAA,EACnC;AACA,EAAA,OAAO,IAAA;AACT;AAEO,SAAS,SAAA,CAAU,GAAA,EAAqB,IAAA,EAAc,KAAA,EAAqB;AAChF,EAAA,MAAM,QAAA,GAAW,GAAA,CAAI,SAAA,CAAU,YAAY,CAAA;AAC3C,EAAA,MAAM,SAAS,CAAA,EAAG,IAAI,IAAI,KAAK,CAAA,kDAAA,EAAqD,iBAAiB,GAAI,CAAA,CAAA;AACzG,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,QAAQ,CAAA,EAAG;AAC3B,IAAA,GAAA,CAAI,UAAU,YAAA,EAAc,CAAC,GAAG,QAAA,EAAU,MAAM,CAAC,CAAA;AAAA,EACnD,CAAA,MAAA,IAAW,OAAO,QAAA,KAAa,QAAA,EAAU;AACvC,IAAA,GAAA,CAAI,SAAA,CAAU,YAAA,EAAc,CAAC,QAAA,EAAU,MAAM,CAAC,CAAA;AAAA,EAChD,CAAA,MAAO;AACL,IAAA,GAAA,CAAI,SAAA,CAAU,cAAc,MAAM,CAAA;AAAA,EACpC;AACF;AAEO,SAAS,WAAA,CAAY,KAAqB,IAAA,EAAoB;AACnE,EAAA,SAAA;AAAA,IACE,GAAA;AAAA,IACA,IAAA;AAAA,IACA,CAAA,mDAAA,CAAA,CAAsD,MAAM,GAAG,CAAA,CAAE,MAAM,CAAA,EAAG,CAAC,CAAA,CAAE,IAAA,CAAK,EAAE;AAAA,GACtF;AAEA,EAAA,MAAM,KAAA,GAAQ,GAAG,IAAI,CAAA,oDAAA,CAAA;AACrB,EAAA,MAAM,QAAA,GAAW,GAAA,CAAI,SAAA,CAAU,YAAY,CAAA;AAC3C,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,QAAQ,CAAA,EAAG;AAC3B,IAAA,GAAA,CAAI,UAAU,YAAA,EAAc,CAAC,GAAG,QAAA,CAAS,OAAO,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,SAAS,CAAA,EAAG,IAAI,GAAG,CAAC,CAAA,EAAG,KAAK,CAAC,CAAA;AAAA,EACzF,CAAA,MAAO;AACL,IAAA,GAAA,CAAI,SAAA,CAAU,cAAc,KAAK,CAAA;AAAA,EACnC;AACF;AAEA,eAAsB,cAAA,CACpB,GAAA,EACA,EAAA,EACA,MAAA,EACe;AACf,EAAA,MAAM,OAAA,GAAU,MAAM,iBAAA,CAAkB,EAAA,EAAI,MAAM,CAAA;AAClD,EAAA,SAAA,CAAU,GAAA,EAAK,aAAa,OAAO,CAAA;AACrC;AAEA,eAAsB,cAAA,CACpB,KACA,MAAA,EACkC;AAClC,EAAA,MAAM,GAAA,GAAM,SAAA,CAAU,GAAA,EAAK,WAAW,CAAA;AACtC,EAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,EAAA,MAAM,EAAA,GAAK,MAAM,iBAAA,CAAkB,GAAA,EAAK,MAAM,CAAA;AAC9C,EAAA,IAAI,CAAC,IAAI,OAAO,IAAA;AAEhB,EAAA,IAAI,EAAA,CAAG,SAAA,GAAY,IAAA,CAAK,GAAA,IAAO,OAAO,IAAA;AACtC,EAAA,OAAO,EAAA;AACT;AAEO,SAAS,iBAAiB,GAAA,EAA2B;AAC1D,EAAA,WAAA,CAAY,KAAK,WAAW,CAAA;AAC9B;AAEO,SAAS,eAAe,IAAA,EAIV;AACnB,EAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,EAAA,OAAO;AAAA,IACL,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,cAAc,IAAA,CAAK,YAAA;AAAA,IACnB,UAAU,IAAA,CAAK,QAAA;AAAA,IACf,SAAA,EAAW,GAAA;AAAA,IACX,WAAW,GAAA,GAAM;AAAA,GACnB;AACF;AAjJA,IAwBM,WAAA,EACA,cAAA;AAzBN,IAAA,4BAAA,GAAA,KAAA,CAAA;AAAA,EAAA,4CAAA,GAAA;AAwBA,IAAM,WAAA,GAAc,eAAA;AACpB,IAAM,cAAA,GAAiB,KAAK,EAAA,GAAK,GAAA;AAAA,EAAA;AAAA,CAAA,CAAA;;;ACf1B,IAAM,eAAA,GAAN,cAA8B,KAAA,CAAM;AAAA,EACvB,IAAA,GAAO,iBAAA;AAAA,EAChB,IAAA;AAAA,EAET,WAAA,CAAY,MAAc,OAAA,EAAiB;AACzC,IAAA,KAAA,CAAM,CAAA,CAAA,EAAI,IAAI,CAAA,EAAA,EAAK,OAAO,CAAA,CAAE,CAAA;AAC5B,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,EACd;AACF;AAMO,IAAM,yBAAA,GAAN,cAAwC,KAAA,CAAM;AAAA,EACjC,IAAA,GAAO,2BAAA;AAAA,EAChB,YAAA;AAAA,EAET,YAAY,YAAA,EAAsB;AAChC,IAAA,KAAA;AAAA,MACE,6BAA6B,YAAY,CAAA,mDAAA;AAAA,KAC3C;AACA,IAAA,IAAA,CAAK,YAAA,GAAe,YAAA;AAAA,EACtB;AACF;AAcO,IAAM,iBAAA,GAAN,cAAgC,KAAA,CAAM;AAAA,EACzB,IAAA,GAAe,mBAAA;AAAA,EACxB,IAAA;AAAA,EAET,WAAA,CAAY,MAAc,OAAA,EAAkB;AAC1C,IAAA,KAAA,CAAM,OAAA,IAAW,CAAA,sBAAA,EAAyB,IAAI,CAAA,CAAE,CAAA;AAChD,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,EACd;AACF;AAUO,IAAM,kBAAA,GAAN,cAAiC,iBAAA,CAAkB;AAAA,EACtC,IAAA,GAAe,oBAAA;AAAA,EACxB,gBAAA;AAAA,EAET,YAAY,gBAAA,EAA2B;AACrC,IAAA,KAAA,CAAM,uBAAA,EAAyB,oBAAoB,mCAAmC,CAAA;AACtF,IAAA,IAAA,CAAK,gBAAA,GAAmB,gBAAA;AAAA,EAC1B;AACF;AC3DA,4BAAA,EAAA;;;ACCO,SAAS,gBAAA,CAAiB,UAA8B,OAAA,EAAsB;AACnF,EAAA,IAAI,CAAC,YAAY,OAAO,QAAA,KAAa,YAAY,QAAA,CAAS,IAAA,OAAW,EAAA,EAAI;AACvE,IAAA,OAAO,GAAA;AAAA,EACT;AAEA,EAAA,MAAM,OAAA,GAAU,SAAS,IAAA,EAAK;AAG9B,EAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,GAAA;AAAA,EACT;AAGA,EAAA,IAAI,GAAA,CAAI,QAAA,CAAS,OAAO,CAAA,EAAG;AACzB,IAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,OAAO,CAAA;AAC9B,IAAA,IAAI,MAAA,CAAO,MAAA,KAAW,OAAA,CAAQ,MAAA,EAAQ;AAEpC,MAAA,OAAO,MAAA,CAAO,QAAA,GAAW,MAAA,CAAO,MAAA,GAAS,MAAA,CAAO,IAAA;AAAA,IAClD;AAEA,IAAA,OAAO,GAAA;AAAA,EACT;AAGA,EAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAG;AAC3B,IAAA,OAAO,OAAA;AAAA,EACT;AAGA,EAAA,OAAO,GAAA;AACT;;;ADtBA,IAAM,gBAAA,GAAmB,mBAAA;AAEzB,SAAS,WAAA,GAAsB;AAC7B,EAAA,MAAM,QAAQA,gBAAAA,CAAU,eAAA,CAAgB,IAAI,UAAA,CAAW,EAAE,CAAC,CAAA;AAC1D,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,WAAW,CAAA;AAChD;AAUA,SAAS,oBAAA,GAA+B;AACtC,EAAA,MAAM,QAAQA,gBAAAA,CAAU,eAAA,CAAgB,IAAI,UAAA,CAAW,EAAE,CAAC,CAAA;AAC1D,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,WAAW,CAAA;AAChD;AAEA,SAAS,eAAyB,IAAA,EAA2C;AAK3E,EAAA,MAAM,OAAO,IAAA,CAAK,OAAA;AAClB,EAAA,IAAI,KAAK,MAAA,EAAQ;AACf,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,MAAM,CAAA,EAAG;AAC9B,MAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,MAAA,CAAO,CAAC,CAAA;AAC3B,MAAA,IAAI,OAAO,OAAO,KAAA;AAAA,IACpB,CAAA,MAAO;AACL,MAAA,OAAO,IAAA,CAAK,MAAA;AAAA,IACd;AAAA,EACF;AAIA,EAAA,OAAO,OAAA,CAAQ,IAAI,uBAAA,IAA2B,mDAAA;AAChD;AAEO,SAAS,WACd,IAAA,EAC4B;AAE5B,EAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,IAAA,MAAM,IAAI,eAAA,CAAgB,iBAAA,EAAmB,qCAAqC,CAAA;AAAA,EACpF;AAEA,EAAA,MAAM,YAAA,uBAAmB,GAAA,EAA2C;AACpE,EAAA,KAAA,MAAW,QAAA,IAAY,IAAA,CAAK,SAAA,IAAa,EAAC,EAAG;AAC3C,IAAA,IAAI,CAAC,SAAS,IAAA,IAAQ,CAAC,iBAAiB,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA,EAAG;AAC3D,MAAA,MAAM,IAAI,eAAA;AAAA,QACR,uBAAA;AAAA,QACA,CAAA,yBAAA,EAA4B,gBAAgB,CAAA,QAAA,EAAW,QAAA,CAAS,IAAI,CAAA,EAAA;AAAA,OACtE;AAAA,IACF;AACA,IAAA,IAAI,YAAA,CAAa,GAAA,CAAI,QAAA,CAAS,IAAI,CAAA,EAAG;AACnC,MAAA,MAAM,IAAI,eAAA;AAAA,QACR,yBAAA;AAAA,QACA,CAAA,0BAAA,EAA6B,SAAS,IAAI,CAAA,CAAA;AAAA,OAC5C;AAAA,IACF;AACA,IAAA,YAAA,CAAa,GAAA,CAAI,QAAA,CAAS,IAAA,EAAM,QAAQ,CAAA;AAAA,EAC1C;AAEA,EAAA,MAAM,QAAA,GAAW,eAAe,IAAI,CAAA;AAEpC,EAAA,SAAS,gBAAgB,IAAA,EAA6C;AACpE,IAAA,MAAM,CAAA,GAAI,YAAA,CAAa,GAAA,CAAI,IAAI,CAAA;AAC/B,IAAA,IAAI,CAAC,CAAA,EAAG,MAAM,IAAI,0BAA0B,IAAI,CAAA;AAChD,IAAA,OAAO,CAAA;AAAA,EACT;AAEA,EAAA,eAAe,WAAA,CACb,YAAA,EACA,GAAA,EACA,SAAA,EACmB;AACnB,IAAA,MAAM,QAAA,GAAW,gBAAgB,YAAY,CAAA;AAG7C,IAAA,MAAM,OAAA,GAAU,IAAI,GAAA,CAAI,CAAA,OAAA,EAAU,GAAA,CAAI,OAAA,CAAQ,IAAA,IAAQ,WAAW,CAAA,EAAG,GAAA,CAAI,GAAA,IAAO,GAAG,CAAA,CAAE,CAAA;AACpF,IAAA,MAAM,YAAA,GAAe,gBAAA,CAAiB,SAAA,EAAW,QAAA,EAAU,OAAO,CAAA;AAMlE,IAAA,MAAM,QAAQ,WAAA,EAAY;AAC1B,IAAA,MAAM,eAAe,oBAAA,EAAqB;AAC1C,IAAA,MAAM,KAAK,cAAA,CAAe;AAAA,MACxB,KAAA;AAAA,MACA,YAAA;AAAA,MACA,QAAA,EAAU,YAAA,KAAiB,GAAA,GAAM,MAAA,GAAY;AAAA,KAC9C,CAAA;AAGD,IAAA,MAAM,OAAA,GAAU,MAAM,QAAA,CAAS,sBAAA,CAAuB,EAAE,CAAA;AAGxD,IAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAC5B,IAAA,OAAA,CAAQ,GAAA,CAAI,UAAA,EAAY,OAAA,CAAQ,QAAA,EAAU,CAAA;AAC1C,IAAA,MAAM,EAAE,iBAAA,EAAAE,kBAAAA,EAAkB,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,4BAAA,EAAA,EAAA,+BAAA,CAAA,CAAA;AACpC,IAAA,MAAM,SAAA,GAAY,MAAMA,kBAAAA,CAAkB,EAAA,EAAI,QAAQ,CAAA;AACtD,IAAA,OAAA,CAAQ,GAAA;AAAA,MACN,YAAA;AAAA,MACA,iBAAiB,SAAS,CAAA,qDAAA;AAAA,KAC5B;AAEA,IAAA,OAAO,IAAI,QAAA,CAAS,IAAA,EAAM,EAAE,MAAA,EAAQ,GAAA,EAAK,SAAS,CAAA;AAAA,EACpD;AAEA,EAAA,eAAe,YAAA,CACb,YAAA,EACA,GAAA,EACA,GAAA,EACmD;AACnD,IAAA,MAAM,QAAA,GAAW,gBAAgB,YAAY,CAAA;AAG7C,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,CAAA,OAAA,EAAU,GAAA,CAAI,OAAA,CAAQ,IAAA,IAAQ,WAAW,CAAA,EAAG,GAAA,CAAI,GAAA,IAAO,GAAG,CAAA,CAAE,CAAA;AAChF,IAAA,MAAM,UAAA,GAAa,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAC/C,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAM,gBAAA,GAAmB,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,mBAAmB,CAAA,IAAK,MAAA;AACtE,MAAA,IAAI,eAAe,eAAA,EAAiB;AAClC,QAAA,MAAM,IAAI,mBAAmB,gBAAgB,CAAA;AAAA,MAC/C;AACA,MAAA,MAAM,IAAI,iBAAA;AAAA,QACR,sBAAA;AAAA,QACA,4BAA4B,UAAU,CAAA,EAAG,mBAAmB,CAAA,EAAA,EAAK,gBAAgB,MAAM,EAAE,CAAA;AAAA,OAC3F;AAAA,IACF;AAGA,IAAA,MAAM,EAAA,GAAK,MAAM,cAAA,CAAe,GAAA,EAAK,QAAQ,CAAA;AAC7C,IAAA,IAAI,CAAC,EAAA,EAAI;AACP,MAAA,MAAM,IAAI,iBAAA;AAAA,QACR,2BAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF;AAGA,IAAA,MAAM,UAAA,GAAa,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAC/C,IAAA,IAAI,CAAC,UAAA,IAAc,UAAA,KAAe,EAAA,CAAG,KAAA,EAAO;AAC1C,MAAA,MAAM,IAAI,iBAAA;AAAA,QACR,sBAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF;AAGA,IAAA,MAAM,MAAA,GAAS,MAAM,QAAA,CAAS,cAAA,CAAe,KAAK,EAAE,CAAA;AAGpD,IAAA,IAAI,WAAA;AACJ,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA,CAAS,EAAE,OAAA,EAAS,OAAO,OAAA,EAAS,QAAA,EAAU,MAAA,CAAO,YAAA,EAAc,CAAA;AAAA,IAC9F,CAAA,MAAO;AAEL,MAAA,WAAA,GAAc,MAAA,CAAO,OAAA;AAAA,IACvB;AAGA,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,GAAA,EAAK,GAAG,CAAA;AAAA,IAC3C,CAAA,CAAA,MAAQ;AAAA,IAER;AAGA,IAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,GAAA,EAAK,WAAW,CAAA;AAGjD,IAAA,gBAAA,CAAiB,GAAG,CAAA;AAEpB,IAAA,OAAO,EAAE,OAAA,EAAS,WAAA,EAAa,QAAA,EAAU,GAAG,QAAA,EAAS;AAAA,EACvD;AAEA,EAAA,eAAe,MAAA,CACb,OAAA,EACA,YAAA,EACA,GAAA,EACA,GAAA,EACmB;AAEnB,IAAA,IAAI,WAAA;AACJ,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA,CAAS,EAAE,OAAA,EAAS,QAAA,EAAU,cAAc,CAAA;AAAA,IACvE,CAAA,MAAO;AACL,MAAA,WAAA,GAAc,OAAA;AAAA,IAChB;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,GAAA,EAAK,GAAG,CAAA;AAAA,IAC3C,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,GAAA,EAAK,WAAW,CAAA;AACjD,IAAA,OAAO,WAAA;AAAA,EACT;AAEA,EAAA,eAAe,QAAQ,GAAA,EAAoC;AAEzD,IAAA,IAAI,WAAA,GAA+B,IAAA;AACnC,IAAA,IAAI,KAAK,SAAA,EAAW;AAIlB,MAAA,WAAA,GAAc,IAAA;AAAA,IAChB;AAEA,IAAA,IAAA,CAAK,OAAA,CAAQ,eAAe,GAAG,CAAA;AAE/B,IAAA,IAAI,KAAK,SAAA,EAAW;AAClB,MAAA,MAAM,IAAA,CAAK,UAAU,WAAW,CAAA;AAAA,IAClC;AAAA,EACF;AAEA,EAAA,eAAe,WAAW,GAAA,EAAgD;AACxE,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA;AAAA,EACpC;AAEA,EAAA,OAAO,EAAE,WAAA,EAAa,YAAA,EAAc,MAAA,EAAQ,SAAS,UAAA,EAAW;AAClE","file":"index.cjs","sourcesContent":["/**\n * @theokit/sdk/server/auth — encrypted OAuth transaction cookie store\n *\n * Per ADR D5 — cookie-state pattern (no Redis/db dependency in core).\n *\n * Stores OAuthTransaction (state + pkceVerifier + returnTo + expiry) in a\n * single signed+encrypted HttpOnly cookie. Stateless, works in edge/serverless.\n *\n * Cookie name: `theo_oauth_tx`\n * Lifetime: 10 minutes (per D5 invariant)\n * Encryption: AES-256-GCM via Node's webcrypto subtle API\n *\n * Note: this is a minimal in-package implementation. Production deployments\n * may prefer using `theokit/server/auth/crypto`'s encrypt/decrypt helpers\n * via the SessionManager's existing secret rotation chain. For T1.2 we keep\n * it self-contained to avoid cross-package peer-dep complexity; T2+ may\n * refactor to share SessionManager's encrypt path.\n */\n\nimport { Buffer } from \"node:buffer\";\nimport { webcrypto } from \"node:crypto\";\nimport type { IncomingMessage, ServerResponse } from \"node:http\";\nimport type { OAuthTransaction } from \"./types.js\";\n\nconst COOKIE_NAME = \"theo_oauth_tx\";\nconst TX_LIFETIME_MS = 10 * 60 * 1000; // 10 minutes per D5\n\nasync function deriveKey(secret: string): Promise<CryptoKey> {\n  const keyMaterial = await webcrypto.subtle.importKey(\n    \"raw\",\n    Buffer.from(secret).slice(0, 32).length === 32\n      ? Buffer.from(secret).slice(0, 32)\n      : Buffer.concat([Buffer.from(secret), Buffer.alloc(32)]).slice(0, 32),\n    { name: \"AES-GCM\" },\n    false,\n    [\"encrypt\", \"decrypt\"],\n  );\n  return keyMaterial;\n}\n\nexport async function encodeTransaction(tx: OAuthTransaction, secret: string): Promise<string> {\n  const key = await deriveKey(secret);\n  const iv = webcrypto.getRandomValues(new Uint8Array(12));\n  const plaintext = new TextEncoder().encode(JSON.stringify(tx));\n  const ciphertext = await webcrypto.subtle.encrypt({ name: \"AES-GCM\", iv }, key, plaintext);\n  const combined = new Uint8Array(iv.length + ciphertext.byteLength);\n  combined.set(iv, 0);\n  combined.set(new Uint8Array(ciphertext), iv.length);\n  return Buffer.from(combined).toString(\"base64url\");\n}\n\nexport async function decodeTransaction(\n  encoded: string,\n  secret: string,\n): Promise<OAuthTransaction | null> {\n  try {\n    const key = await deriveKey(secret);\n    const combined = Buffer.from(encoded, \"base64url\");\n    const iv = combined.slice(0, 12);\n    const ciphertext = combined.slice(12);\n    const plaintext = await webcrypto.subtle.decrypt({ name: \"AES-GCM\", iv }, key, ciphertext);\n    const tx = JSON.parse(new TextDecoder().decode(plaintext)) as OAuthTransaction;\n    return tx;\n  } catch {\n    return null;\n  }\n}\n\nexport function getCookie(req: IncomingMessage, name: string): string | null {\n  const header = req.headers.cookie;\n  if (!header) return null;\n  for (const part of header.split(\";\")) {\n    const [k, ...v] = part.trim().split(\"=\");\n    if (k === name) return v.join(\"=\");\n  }\n  return null;\n}\n\nexport function setCookie(res: ServerResponse, name: string, value: string): void {\n  const existing = res.getHeader(\"Set-Cookie\");\n  const cookie = `${name}=${value}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=${TX_LIFETIME_MS / 1000}`;\n  if (Array.isArray(existing)) {\n    res.setHeader(\"Set-Cookie\", [...existing, cookie]);\n  } else if (typeof existing === \"string\") {\n    res.setHeader(\"Set-Cookie\", [existing, cookie]);\n  } else {\n    res.setHeader(\"Set-Cookie\", cookie);\n  }\n}\n\nexport function clearCookie(res: ServerResponse, name: string): void {\n  setCookie(\n    res,\n    name,\n    `; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0`.split(\";\").slice(0, 1).join(\"\"),\n  );\n  // Explicit clear with Max-Age=0\n  const clear = `${name}=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0`;\n  const existing = res.getHeader(\"Set-Cookie\");\n  if (Array.isArray(existing)) {\n    res.setHeader(\"Set-Cookie\", [...existing.filter((c) => !c.includes(`${name}=`)), clear]);\n  } else {\n    res.setHeader(\"Set-Cookie\", clear);\n  }\n}\n\nexport async function setTransaction(\n  res: ServerResponse,\n  tx: OAuthTransaction,\n  secret: string,\n): Promise<void> {\n  const encoded = await encodeTransaction(tx, secret);\n  setCookie(res, COOKIE_NAME, encoded);\n}\n\nexport async function getTransaction(\n  req: IncomingMessage,\n  secret: string,\n): Promise<OAuthTransaction | null> {\n  const raw = getCookie(req, COOKIE_NAME);\n  if (!raw) return null;\n  const tx = await decodeTransaction(raw, secret);\n  if (!tx) return null;\n  // Check expiry\n  if (tx.expiresAt < Date.now()) return null;\n  return tx;\n}\n\nexport function clearTransaction(res: ServerResponse): void {\n  clearCookie(res, COOKIE_NAME);\n}\n\nexport function newTransaction(opts: {\n  state: string;\n  pkceVerifier?: string;\n  returnTo?: string;\n}): OAuthTransaction {\n  const now = Date.now();\n  return {\n    state: opts.state,\n    pkceVerifier: opts.pkceVerifier,\n    returnTo: opts.returnTo,\n    createdAt: now,\n    expiresAt: now + TX_LIFETIME_MS,\n  };\n}\n","/**\n * @theokit/sdk/server/auth — typed error classes\n *\n * Plan T1.2 + v1.1 EC-1 (AuthCancelledError for OAuth provider error response RFC 6749 §4.1.2.1).\n */\n\n/**\n * Thrown at `defineAuth()` time when configuration is invalid\n * (e.g., duplicate provider name, invalid email shape per EC-V1-12).\n */\nexport class AuthConfigError extends Error {\n  override readonly name = \"AuthConfigError\";\n  readonly code: string;\n\n  constructor(code: string, message: string) {\n    super(`[${code}] ${message}`);\n    this.code = code;\n  }\n}\n\n/**\n * Thrown at `startSignIn(providerName, ...)` or `finishSignIn(providerName, ...)`\n * when the named provider is not registered in `providers[]`.\n */\nexport class AuthProviderNotFoundError extends Error {\n  override readonly name = \"AuthProviderNotFoundError\";\n  readonly providerName: string;\n\n  constructor(providerName: string) {\n    super(\n      `Auth provider not found: '${providerName}'. Register it in defineAuth({ providers: [...] }).`,\n    );\n    this.providerName = providerName;\n  }\n}\n\n/**\n * Thrown during OAuth callback handling for state mismatches, expired\n * transactions, missing query params, or provider 4xx/5xx errors.\n *\n * Typed `code` field lets consumers branch on cause:\n *   - 'oauth_transaction_expired' — cookie tx > 10min old (per ADR D5)\n *   - 'oauth_state_mismatch' — query state ≠ cookie state (CSRF defense per RFC 6749 §10.12)\n *   - 'oauth_provider_error' — non-access_denied error in callback URL\n *   - 'oauth_token_exchange_failed' — provider rejected code-for-tokens swap\n *   - 'oauth_userinfo_failed' — userinfo endpoint returned error\n *   - 'oauth_missing_code_or_state' — required query params absent\n */\nexport class AuthCallbackError extends Error {\n  override readonly name: string = \"AuthCallbackError\";\n  readonly code: string;\n\n  constructor(code: string, message?: string) {\n    super(message ?? `OAuth callback error: ${code}`);\n    this.code = code;\n  }\n}\n\n/**\n * Per v1.1 EC-1 MUST FIX — typed subclass of AuthCallbackError for the\n * specific case where user declined consent at provider screen.\n *\n * OAuth 2.0 RFC 6749 §4.1.2.1: provider redirects with `?error=access_denied`.\n * Apps can catch this distinctly from network/server errors to render\n * \"Login cancelled — try again\" UX instead of opaque \"callback failed\".\n */\nexport class AuthCancelledError extends AuthCallbackError {\n  override readonly name: string = \"AuthCancelledError\";\n  readonly errorDescription?: string;\n\n  constructor(errorDescription?: string) {\n    super(\"user_declined_consent\", errorDescription ?? \"User declined consent at provider\");\n    this.errorDescription = errorDescription;\n  }\n}\n","/**\n * @theokit/sdk/server/auth — defineAuth orchestrator runtime (Caminho C Hybrid)\n *\n * Plan T1.2 implementation per blueprint Q5 § Caminho C signatures.\n * Composes existing primitives + the v1.1 EC-1/EC-2/EC-10 fixes.\n */\n\nimport { webcrypto } from \"node:crypto\";\nimport type { IncomingMessage, ServerResponse } from \"node:http\";\nimport {\n  AuthCallbackError,\n  AuthCancelledError,\n  AuthConfigError,\n  AuthProviderNotFoundError,\n} from \"./errors.js\";\nimport {\n  clearTransaction,\n  getTransaction,\n  newTransaction,\n  setTransaction,\n} from \"./oauth-transaction-store.js\";\nimport type { AuthOrchestrator, AuthProvider, DefineAuthOptions } from \"./types.js\";\nimport { validateReturnTo } from \"./validate-return-to.js\";\n\nconst PROVIDER_NAME_RE = /^[a-z0-9-]{1,32}$/;\n\nfunction randomState(): string {\n  const bytes = webcrypto.getRandomValues(new Uint8Array(24));\n  return Buffer.from(bytes).toString(\"base64url\");\n}\n\n/**\n * Generate a PKCE code_verifier per RFC 7636 §4.1 — 43..128 chars from the\n * unreserved set [A-Z][a-z][0-9]-._~ (base64url is a strict subset).\n *\n * 32 random bytes → 43 base64url chars satisfies the minimum. Provided by\n * the orchestrator so every transaction carries one; PKCE-aware providers\n * (Google) consume it; PKCE-ignorant providers (GitHub) discard it.\n */\nfunction generatePkceVerifier(): string {\n  const bytes = webcrypto.getRandomValues(new Uint8Array(32));\n  return Buffer.from(bytes).toString(\"base64url\");\n}\n\nfunction txCookieSecret<TSession>(opts: DefineAuthOptions<TSession>): string {\n  // For T1.2 minimal impl, derive a per-session-manager secret from the\n  // SessionManager identity. Production T2+ may refactor to share the\n  // SessionManager's actual secret rotation chain via a `getCookieSecret()` method.\n  // Falls back to TX_FALLBACK_SECRET when not available — apps should override.\n  const sess = opts.session as unknown as { secret?: string | string[] };\n  if (sess.secret) {\n    if (Array.isArray(sess.secret)) {\n      const first = sess.secret[0];\n      if (first) return first;\n    } else {\n      return sess.secret;\n    }\n  }\n  // Defensive fallback. Apps without SessionManager.secret pattern should\n  // explicitly pass an env-backed secret OR rely on this dev-only fallback\n  // (will fail in production scrutiny — flagged by future audit).\n  return process.env.THEOKIT_OAUTH_TX_SECRET ?? \"DEV_ONLY_INSECURE_OAUTH_TX_SECRET_REPLACE_IN_PROD\";\n}\n\nexport function defineAuth<TSession>(\n  opts: DefineAuthOptions<TSession>,\n): AuthOrchestrator<TSession> {\n  // Validate config at define-time (per blueprint Q5 invariants)\n  if (!opts.session) {\n    throw new AuthConfigError(\"missing_session\", \"defineAuth({ session }) is required\");\n  }\n\n  const providersMap = new Map<string, AuthProvider<unknown, string>>();\n  for (const provider of opts.providers ?? []) {\n    if (!provider.name || !PROVIDER_NAME_RE.test(provider.name)) {\n      throw new AuthConfigError(\n        \"invalid_provider_name\",\n        `Provider name must match ${PROVIDER_NAME_RE} (got: '${provider.name}')`,\n      );\n    }\n    if (providersMap.has(provider.name)) {\n      throw new AuthConfigError(\n        \"duplicate_provider_name\",\n        `Duplicate provider name: '${provider.name}'`,\n      );\n    }\n    providersMap.set(provider.name, provider);\n  }\n\n  const txSecret = txCookieSecret(opts);\n\n  function requireProvider(name: string): AuthProvider<unknown, string> {\n    const p = providersMap.get(name);\n    if (!p) throw new AuthProviderNotFoundError(name);\n    return p;\n  }\n\n  async function startSignIn(\n    providerName: string,\n    req: IncomingMessage,\n    startOpts?: { returnTo?: string },\n  ): Promise<Response> {\n    const provider = requireProvider(providerName);\n\n    // EC-2 (v1.1) — validate returnTo same-origin\n    const baseUrl = new URL(`http://${req.headers.host ?? \"localhost\"}${req.url ?? \"/\"}`);\n    const safeReturnTo = validateReturnTo(startOpts?.returnTo, baseUrl);\n\n    // Generate transaction. Always include a PKCE verifier — PKCE-aware\n    // providers (Google OIDC) consume it; PKCE-ignorant providers (GitHub\n    // OAuth 2.0) discard it. Generating unconditionally simplifies the\n    // provider contract: every tx is PKCE-ready.\n    const state = randomState();\n    const pkceVerifier = generatePkceVerifier();\n    const tx = newTransaction({\n      state,\n      pkceVerifier,\n      returnTo: safeReturnTo === \"/\" ? undefined : safeReturnTo,\n    });\n\n    // Persist transaction cookie via headers (since we return Response, need Set-Cookie header manually)\n    const authUrl = await provider.createAuthorizationURL(tx);\n\n    // Build response with Set-Cookie + redirect\n    const headers = new Headers();\n    headers.set(\"Location\", authUrl.toString());\n    const { encodeTransaction } = await import(\"./oauth-transaction-store.js\");\n    const encodedTx = await encodeTransaction(tx, txSecret);\n    headers.set(\n      \"Set-Cookie\",\n      `theo_oauth_tx=${encodedTx}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=600`,\n    );\n\n    return new Response(null, { status: 302, headers });\n  }\n\n  async function finishSignIn(\n    providerName: string,\n    req: IncomingMessage,\n    res: ServerResponse,\n  ): Promise<{ session: TSession; returnTo?: string }> {\n    const provider = requireProvider(providerName);\n\n    // EC-1 (v1.1) — OAuth provider error response (user declined consent) check BEFORE code-exchange\n    const url = new URL(`http://${req.headers.host ?? \"localhost\"}${req.url ?? \"/\"}`);\n    const errorParam = url.searchParams.get(\"error\");\n    if (errorParam) {\n      const errorDescription = url.searchParams.get(\"error_description\") ?? undefined;\n      if (errorParam === \"access_denied\") {\n        throw new AuthCancelledError(errorDescription);\n      }\n      throw new AuthCallbackError(\n        \"oauth_provider_error\",\n        `Provider returned error: ${errorParam}${errorDescription ? ` (${errorDescription})` : \"\"}`,\n      );\n    }\n\n    // Read + validate transaction cookie\n    const tx = await getTransaction(req, txSecret);\n    if (!tx) {\n      throw new AuthCallbackError(\n        \"oauth_transaction_expired\",\n        \"OAuth transaction cookie missing or expired (>10min). Please retry sign-in.\",\n      );\n    }\n\n    // Verify state matches query param (CSRF defense per RFC 6749 §10.12)\n    const queryState = url.searchParams.get(\"state\");\n    if (!queryState || queryState !== tx.state) {\n      throw new AuthCallbackError(\n        \"oauth_state_mismatch\",\n        \"OAuth state mismatch. Possible CSRF attempt or stale callback.\",\n      );\n    }\n\n    // Provider-specific callback handling (token exchange + userinfo fetch)\n    const result = await provider.handleCallback(req, tx);\n\n    // Invoke onSignIn callback if defined to derive session shape\n    let sessionData: TSession;\n    if (opts.onSignIn) {\n      sessionData = await opts.onSignIn({ profile: result.profile, provider: result.providerName });\n    } else {\n      // No onSignIn — pass the raw profile as session (consumers must type their own TSession)\n      sessionData = result.profile as unknown as TSession;\n    }\n\n    // EC-10 (v1.1) — OWASP A07:2021 session fixation mitigation: rotate session ID BEFORE creating new session\n    try {\n      await opts.session.rotateSession(req, res);\n    } catch {\n      // rotateSession may no-op if no pre-existing session — non-fatal\n    }\n\n    // Create session cookie\n    await opts.session.createSession(res, sessionData);\n\n    // Clear transaction cookie\n    clearTransaction(res);\n\n    return { session: sessionData, returnTo: tx.returnTo };\n  }\n\n  async function signIn<TProfile>(\n    profile: TProfile,\n    providerName: string,\n    req: IncomingMessage,\n    res: ServerResponse,\n  ): Promise<TSession> {\n    // Caminho A escape hatch — skip OAuth flow, directly derive + persist session\n    let sessionData: TSession;\n    if (opts.onSignIn) {\n      sessionData = await opts.onSignIn({ profile, provider: providerName });\n    } else {\n      sessionData = profile as unknown as TSession;\n    }\n\n    try {\n      await opts.session.rotateSession(req, res);\n    } catch {\n      /* no-op if no pre-existing session */\n    }\n\n    await opts.session.createSession(res, sessionData);\n    return sessionData;\n  }\n\n  async function signOut(res: ServerResponse): Promise<void> {\n    // Read current session before destroying (so onSignOut can see it)\n    let sessionData: TSession | null = null;\n    if (opts.onSignOut) {\n      // We don't have req here per AuthOrchestrator contract; onSignOut receives null\n      // when no pre-existing session is available. Apps that need session-aware\n      // signOut should use the manual session.destroySession + custom logic.\n      sessionData = null;\n    }\n\n    opts.session.destroySession(res);\n\n    if (opts.onSignOut) {\n      await opts.onSignOut(sessionData);\n    }\n  }\n\n  async function getSession(req: IncomingMessage): Promise<TSession | null> {\n    return opts.session.getSession(req);\n  }\n\n  return { startSignIn, finishSignIn, signIn, signOut, getSession };\n}\n","/**\n * @theokit/sdk/server/auth — same-origin returnTo validator\n *\n * Per v1.1 EC-2 MUST FIX — OWASP A01:2021 open-redirect mitigation.\n *\n * Without this check, attacker craft `/login?returnTo=https://evil.com` would\n * cause post-login redirect to attacker domain with authenticated session cookie.\n *\n * Rules:\n *   - undefined/empty returnTo → default '/'\n *   - protocol-relative `//evil.com` → default '/' (URL parser would resolve to baseUrl protocol)\n *   - absolute URL with origin ≠ baseUrl.origin → default '/' (cross-origin redirect)\n *   - absolute URL with origin === baseUrl.origin → keep (same-origin allowed)\n *   - relative path starting with '/' → keep (same-app navigation)\n *   - relative path not starting with '/' → default '/' (defensive)\n */\nexport function validateReturnTo(returnTo: string | undefined, baseUrl: URL): string {\n  if (!returnTo || typeof returnTo !== \"string\" || returnTo.trim() === \"\") {\n    return \"/\";\n  }\n\n  const trimmed = returnTo.trim();\n\n  // Protocol-relative URLs (//evil.com) are dangerous — browser would resolve to current protocol\n  if (trimmed.startsWith(\"//\")) {\n    return \"/\";\n  }\n\n  // Try absolute URL parsing first\n  if (URL.canParse(trimmed)) {\n    const parsed = new URL(trimmed);\n    if (parsed.origin === baseUrl.origin) {\n      // Same-origin absolute URL — return the pathname+search+hash portion (drop origin)\n      return parsed.pathname + parsed.search + parsed.hash;\n    }\n    // Cross-origin — reject\n    return \"/\";\n  }\n\n  // Not parseable as absolute. Must start with '/' to be a valid relative path\n  if (trimmed.startsWith(\"/\")) {\n    return trimmed;\n  }\n\n  // Anything else (e.g., \"javascript:alert\", \"data:...\" that wasn't parseable, or bare strings) → default\n  return \"/\";\n}\n"]}
+{"version":3,"sources":["../../../src/server/auth/oauth-transaction-store.ts","../../../src/server/auth/errors.ts","../../../src/server/auth/index.ts","../../../src/server/auth/orchestrator.ts","../../../src/server/auth/validate-return-to.ts"],"names":["AuthSecretTooShortError","webcrypto","Buffer","encodeTransaction"],"mappings":";;;;;;;;;;;;;;;;AAAA,IAAA,+BAAA,GAAA,EAAA;AAAA,QAAA,CAAA,+BAAA,EAAA;AAAA,EAAA,uBAAA,EAAA,MAAAA,+BAAA;AAAA,EAAA,oBAAA,EAAA,MAAA,oBAAA;AAAA,EAAA,gBAAA,EAAA,MAAA,gBAAA;AAAA,EAAA,iBAAA,EAAA,MAAA,iBAAA;AAAA,EAAA,cAAA,EAAA,MAAA,cAAA;AAAA,EAAA,cAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAuDA,eAAe,UAAU,MAAA,EAA8C;AACrE,EAAA,MAAM,WAAA,GAAc,IAAI,WAAA,EAAY,CAAE,OAAO,MAAM,CAAA;AACnD,EAAA,IAAI,WAAA,CAAY,aAAa,EAAA,EAAI;AAC/B,IAAA,MAAM,IAAIA,+BAAA,CAAwB,WAAA,CAAY,UAAU,CAAA;AAAA,EAC1D;AACA,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,GAAA,CAAI,qBAAA,IAAyB,EAAA;AACrD,EAAA,MAAM,IAAA,GAAO,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAA;AAE7C,EAAA,MAAM,GAAA,GAAM,MAAMC,gBAAA,CAAU,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,WAAA,EAAa,MAAA,EAAQ,KAAA,EAAO,CAAC,YAAY,CAAC,CAAA;AAE9F,EAAA,MAAM,OAAA,GAAU,MAAMA,gBAAA,CAAU,MAAA,CAAO,UAAA;AAAA,IACrC,EAAE,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,SAAA,EAAW,IAAA,EAAM,IAAA,EAAM,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,SAAS,CAAA,EAAE;AAAA,IACjF,GAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,OAAOA,gBAAA,CAAU,OAAO,SAAA,CAAU,KAAA,EAAO,SAAS,EAAE,IAAA,EAAM,SAAA,EAAU,EAAG,IAAA,EAAM;AAAA,IAC3E,SAAA;AAAA,IACA;AAAA,GACD,CAAA;AACH;AA0BA,eAAsB,qBAAqB,MAAA,EAA8C;AACvF,EAAA,OAAO,UAAU,MAAM,CAAA;AACzB;AAEA,eAAsB,iBAAA,CAAkB,IAAsB,MAAA,EAAiC;AAC7F,EAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,MAAM,CAAA;AAClC,EAAA,MAAM,KAAKA,gBAAA,CAAU,eAAA,CAAgB,IAAI,UAAA,CAAW,EAAE,CAAC,CAAA;AACvD,EAAA,MAAM,SAAA,GAAY,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,EAAE,CAAC,CAAA;AAC7D,EAAA,MAAM,UAAA,GAAa,MAAMA,gBAAA,CAAU,MAAA,CAAO,OAAA,CAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG,EAAG,GAAA,EAAK,SAAS,CAAA;AACzF,EAAA,MAAM,WAAW,IAAI,UAAA,CAAW,EAAA,CAAG,MAAA,GAAS,WAAW,UAAU,CAAA;AACjE,EAAA,QAAA,CAAS,GAAA,CAAI,IAAI,CAAC,CAAA;AAClB,EAAA,QAAA,CAAS,IAAI,IAAI,UAAA,CAAW,UAAU,CAAA,EAAG,GAAG,MAAM,CAAA;AAClD,EAAA,OAAOC,aAAAA,CAAO,IAAA,CAAK,QAAQ,CAAA,CAAE,SAAS,WAAW,CAAA;AACnD;AAEA,eAAe,iBAAA,CACb,SACA,MAAA,EACkC;AAClC,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,MAAM,CAAA;AAClC,IAAA,MAAM,QAAA,GAAWA,aAAAA,CAAO,IAAA,CAAK,OAAA,EAAS,WAAW,CAAA;AACjD,IAAA,MAAM,EAAA,GAAK,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAC/B,IAAA,MAAM,UAAA,GAAa,QAAA,CAAS,KAAA,CAAM,EAAE,CAAA;AACpC,IAAA,MAAM,SAAA,GAAY,MAAMD,gBAAA,CAAU,MAAA,CAAO,OAAA,CAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG,EAAG,GAAA,EAAK,UAAU,CAAA;AACzF,IAAA,MAAM,EAAA,GAAK,KAAK,KAAA,CAAM,IAAI,aAAY,CAAE,MAAA,CAAO,SAAS,CAAC,CAAA;AACzD,IAAA,OAAO,EAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAEA,SAAS,SAAA,CAAU,KAAsB,IAAA,EAA6B;AACpE,EAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,MAAA;AAC3B,EAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AACpB,EAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,CAAA,EAAG;AACpC,IAAA,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,IAAA,CAAK,IAAA,EAAK,CAAE,KAAA,CAAM,GAAG,CAAA;AACvC,IAAA,IAAI,CAAA,KAAM,IAAA,EAAM,OAAO,CAAA,CAAE,KAAK,GAAG,CAAA;AAAA,EACnC;AACA,EAAA,OAAO,IAAA;AACT;AA+BA,SAAS,WAAA,CAAY,KAAqB,IAAA,EAAoB;AAC5D,EAAA,MAAM,KAAA,GAAQ,GAAG,IAAI,CAAA,2FAAA,CAAA;AACrB,EAAA,MAAM,QAAA,GAAW,GAAA,CAAI,SAAA,CAAU,YAAY,CAAA;AAC3C,EAAA,MAAM,SAAA,GAAY,KAAA,CAAM,OAAA,CAAQ,QAAQ,CAAA,GACpC,QAAA,CAAS,MAAA,CAAO,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,UAAA,CAAW,GAAG,IAAI,CAAA,CAAA,CAAG,CAAC,CAAA,GAChD,OAAO,QAAA,KAAa,QAAA,IAAY,CAAC,QAAA,CAAS,UAAA,CAAW,CAAA,EAAG,IAAI,CAAA,CAAA,CAAG,CAAA,GAC7D,CAAC,QAAQ,IACT,EAAC;AACP,EAAA,GAAA,CAAI,UAAU,YAAA,EAAc,CAAC,GAAG,SAAA,EAAW,KAAK,CAAC,CAAA;AACnD;AAaA,eAAsB,cAAA,CACpB,KACA,MAAA,EACkC;AAClC,EAAA,MAAM,GAAA,GAAM,SAAA,CAAU,GAAA,EAAK,WAAW,CAAA;AACtC,EAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,EAAA,MAAM,EAAA,GAAK,MAAM,iBAAA,CAAkB,GAAA,EAAK,MAAM,CAAA;AAC9C,EAAA,IAAI,CAAC,IAAI,OAAO,IAAA;AAEhB,EAAA,IAAI,EAAA,CAAG,SAAA,GAAY,IAAA,CAAK,GAAA,IAAO,OAAO,IAAA;AACtC,EAAA,OAAO,EAAA;AACT;AAEO,SAAS,iBAAiB,GAAA,EAA2B;AAC1D,EAAA,WAAA,CAAY,KAAK,WAAW,CAAA;AAC9B;AAEO,SAAS,eAAe,IAAA,EAIV;AACnB,EAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,EAAA,OAAO;AAAA,IACL,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,cAAc,IAAA,CAAK,YAAA;AAAA,IACnB,UAAU,IAAA,CAAK,QAAA;AAAA,IACf,SAAA,EAAW,GAAA;AAAA,IACX,WAAW,GAAA,GAAM;AAAA,GACnB;AACF;AAhOA,IA8BM,WAAA,CAAA,CACA,gBAKA,SAAA,CAAA,CAgDOD;AApFb,IAAA,4BAAA,GAAA,KAAA,CAAA;AAAA,EAAA,4CAAA,GAAA;AA8BA,IAAM,WAAA,GAAc,sBAAA;AACpB,IAAM,cAAA,GAAiB,KAAK,EAAA,GAAK,GAAA;AAKjC,IAAM,SAAA,GAAY,qBAAA;AAgDX,IAAMA,+BAAA,GAAN,cAAsC,KAAA,CAAM;AAAA,MAC/B,IAAA,GAAO,yBAAA;AAAA,MACzB,YAAY,WAAA,EAAqB;AAC/B,QAAA,KAAA;AAAA,UACE,2DAA2D,WAAW,CAAA,uDAAA;AAAA,SAExE;AAAA,MACF;AAAA,KACF;AAAA,EAAA;AAAA,CAAA,CAAA;;;AClFO,IAAM,eAAA,GAAN,cAA8B,KAAA,CAAM;AAAA,EACvB,IAAA,GAAO,iBAAA;AAAA,EAChB,IAAA;AAAA,EAET,WAAA,CAAY,MAAc,OAAA,EAAiB;AACzC,IAAA,KAAA,CAAM,CAAA,CAAA,EAAI,IAAI,CAAA,EAAA,EAAK,OAAO,CAAA,CAAE,CAAA;AAC5B,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,EACd;AACF;AAMO,IAAM,yBAAA,GAAN,cAAwC,KAAA,CAAM;AAAA,EACjC,IAAA,GAAO,2BAAA;AAAA,EAChB,YAAA;AAAA,EAET,YAAY,YAAA,EAAsB;AAChC,IAAA,KAAA;AAAA,MACE,6BAA6B,YAAY,CAAA,mDAAA;AAAA,KAC3C;AACA,IAAA,IAAA,CAAK,YAAA,GAAe,YAAA;AAAA,EACtB;AACF;AAcO,IAAM,iBAAA,GAAN,cAAgC,KAAA,CAAM;AAAA,EACzB,IAAA,GAAe,mBAAA;AAAA,EACxB,IAAA;AAAA,EAET,WAAA,CAAY,MAAc,OAAA,EAAkB;AAC1C,IAAA,KAAA,CAAM,OAAA,IAAW,CAAA,sBAAA,EAAyB,IAAI,CAAA,CAAE,CAAA;AAChD,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,EACd;AACF;AAUO,IAAM,kBAAA,GAAN,cAAiC,iBAAA,CAAkB;AAAA,EACtC,IAAA,GAAe,oBAAA;AAAA,EACxB,gBAAA;AAAA,EAET,YAAY,gBAAA,EAA2B;AACrC,IAAA,KAAA,CAAM,uBAAA,EAAyB,oBAAoB,mCAAmC,CAAA;AACtF,IAAA,IAAA,CAAK,gBAAA,GAAmB,gBAAA;AAAA,EAC1B;AACF;;;ACtDA,4BAAA,EAAA;ACLA,4BAAA,EAAA;;;ACCO,SAAS,gBAAA,CAAiB,UAA8B,OAAA,EAAsB;AACnF,EAAA,IAAI,CAAC,YAAY,OAAO,QAAA,KAAa,YAAY,QAAA,CAAS,IAAA,OAAW,EAAA,EAAI;AACvE,IAAA,OAAO,GAAA;AAAA,EACT;AAEA,EAAA,MAAM,OAAA,GAAU,SAAS,IAAA,EAAK;AAG9B,EAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,GAAA;AAAA,EACT;AAGA,EAAA,IAAI,GAAA,CAAI,QAAA,CAAS,OAAO,CAAA,EAAG;AACzB,IAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,OAAO,CAAA;AAC9B,IAAA,IAAI,MAAA,CAAO,MAAA,KAAW,OAAA,CAAQ,MAAA,EAAQ;AAEpC,MAAA,OAAO,MAAA,CAAO,QAAA,GAAW,MAAA,CAAO,MAAA,GAAS,MAAA,CAAO,IAAA;AAAA,IAClD;AAEA,IAAA,OAAO,GAAA;AAAA,EACT;AAGA,EAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAG;AAC3B,IAAA,OAAO,OAAA;AAAA,EACT;AAGA,EAAA,OAAO,GAAA;AACT;;;AD3BA,IAAM,gBAAA,GAAmB,mBAAA;AAEzB,SAAS,WAAA,GAAsB;AAC7B,EAAA,MAAM,QAAQC,gBAAAA,CAAU,eAAA,CAAgB,IAAI,UAAA,CAAW,EAAE,CAAC,CAAA;AAC1D,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,WAAW,CAAA;AAChD;AAUA,SAAS,oBAAA,GAA+B;AACtC,EAAA,MAAM,QAAQA,gBAAAA,CAAU,eAAA,CAAgB,IAAI,UAAA,CAAW,EAAE,CAAC,CAAA;AAC1D,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,WAAW,CAAA;AAChD;AAEA,SAAS,eAAyB,IAAA,EAA2C;AAK3E,EAAA,MAAM,OAAO,IAAA,CAAK,OAAA;AAClB,EAAA,IAAI,KAAK,MAAA,EAAQ;AACf,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,MAAM,CAAA,EAAG;AAC9B,MAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,MAAA,CAAO,CAAC,CAAA;AAC3B,MAAA,IAAI,OAAO,OAAO,KAAA;AAAA,IACpB,CAAA,MAAO;AACL,MAAA,OAAO,IAAA,CAAK,MAAA;AAAA,IACd;AAAA,EACF;AAIA,EAAA,OAAO,OAAA,CAAQ,IAAI,uBAAA,IAA2B,mDAAA;AAChD;AAEO,SAAS,WACd,IAAA,EAC4B;AAE5B,EAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,IAAA,MAAM,IAAI,eAAA,CAAgB,iBAAA,EAAmB,qCAAqC,CAAA;AAAA,EACpF;AAEA,EAAA,MAAM,YAAA,uBAAmB,GAAA,EAA2C;AACpE,EAAA,KAAA,MAAW,QAAA,IAAY,IAAA,CAAK,SAAA,IAAa,EAAC,EAAG;AAC3C,IAAA,IAAI,CAAC,SAAS,IAAA,IAAQ,CAAC,iBAAiB,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA,EAAG;AAC3D,MAAA,MAAM,IAAI,eAAA;AAAA,QACR,uBAAA;AAAA,QACA,CAAA,yBAAA,EAA4B,gBAAgB,CAAA,QAAA,EAAW,QAAA,CAAS,IAAI,CAAA,EAAA;AAAA,OACtE;AAAA,IACF;AACA,IAAA,IAAI,YAAA,CAAa,GAAA,CAAI,QAAA,CAAS,IAAI,CAAA,EAAG;AACnC,MAAA,MAAM,IAAI,eAAA;AAAA,QACR,yBAAA;AAAA,QACA,CAAA,0BAAA,EAA6B,SAAS,IAAI,CAAA,CAAA;AAAA,OAC5C;AAAA,IACF;AACA,IAAA,YAAA,CAAa,GAAA,CAAI,QAAA,CAAS,IAAA,EAAM,QAAQ,CAAA;AAAA,EAC1C;AAEA,EAAA,MAAM,QAAA,GAAW,eAAe,IAAI,CAAA;AAEpC,EAAA,SAAS,gBAAgB,IAAA,EAA6C;AACpE,IAAA,MAAM,CAAA,GAAI,YAAA,CAAa,GAAA,CAAI,IAAI,CAAA;AAC/B,IAAA,IAAI,CAAC,CAAA,EAAG,MAAM,IAAI,0BAA0B,IAAI,CAAA;AAChD,IAAA,OAAO,CAAA;AAAA,EACT;AAEA,EAAA,eAAe,WAAA,CACb,YAAA,EACA,GAAA,EACA,SAAA,EACmB;AACnB,IAAA,MAAM,QAAA,GAAW,gBAAgB,YAAY,CAAA;AAG7C,IAAA,MAAM,OAAA,GAAU,IAAI,GAAA,CAAI,CAAA,OAAA,EAAU,GAAA,CAAI,OAAA,CAAQ,IAAA,IAAQ,WAAW,CAAA,EAAG,GAAA,CAAI,GAAA,IAAO,GAAG,CAAA,CAAE,CAAA;AACpF,IAAA,MAAM,YAAA,GAAe,gBAAA,CAAiB,SAAA,EAAW,QAAA,EAAU,OAAO,CAAA;AAMlE,IAAA,MAAM,QAAQ,WAAA,EAAY;AAC1B,IAAA,MAAM,eAAe,oBAAA,EAAqB;AAC1C,IAAA,MAAM,KAAK,cAAA,CAAe;AAAA,MACxB,KAAA;AAAA,MACA,YAAA;AAAA,MACA,QAAA,EAAU,YAAA,KAAiB,GAAA,GAAM,MAAA,GAAY;AAAA,KAC9C,CAAA;AAGD,IAAA,MAAM,OAAA,GAAU,MAAM,QAAA,CAAS,sBAAA,CAAuB,EAAE,CAAA;AAGxD,IAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAC5B,IAAA,OAAA,CAAQ,GAAA,CAAI,UAAA,EAAY,OAAA,CAAQ,QAAA,EAAU,CAAA;AAC1C,IAAA,MAAM,EAAE,iBAAA,EAAAE,kBAAAA,EAAkB,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,4BAAA,EAAA,EAAA,+BAAA,CAAA,CAAA;AACpC,IAAA,MAAM,SAAA,GAAY,MAAMA,kBAAAA,CAAkB,EAAA,EAAI,QAAQ,CAAA;AACtD,IAAA,OAAA,CAAQ,GAAA;AAAA,MACN,YAAA;AAAA,MACA,iBAAiB,SAAS,CAAA,qDAAA;AAAA,KAC5B;AAEA,IAAA,OAAO,IAAI,QAAA,CAAS,IAAA,EAAM,EAAE,MAAA,EAAQ,GAAA,EAAK,SAAS,CAAA;AAAA,EACpD;AAGA,EAAA,eAAe,YAAA,CACb,YAAA,EACA,GAAA,EACA,GAAA,EACmD;AACnD,IAAA,MAAM,QAAA,GAAW,gBAAgB,YAAY,CAAA;AAG7C,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,CAAA,OAAA,EAAU,GAAA,CAAI,OAAA,CAAQ,IAAA,IAAQ,WAAW,CAAA,EAAG,GAAA,CAAI,GAAA,IAAO,GAAG,CAAA,CAAE,CAAA;AAChF,IAAA,MAAM,UAAA,GAAa,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAC/C,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAM,gBAAA,GAAmB,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,mBAAmB,CAAA,IAAK,MAAA;AACtE,MAAA,IAAI,eAAe,eAAA,EAAiB;AAClC,QAAA,MAAM,IAAI,mBAAmB,gBAAgB,CAAA;AAAA,MAC/C;AACA,MAAA,MAAM,IAAI,iBAAA;AAAA,QACR,sBAAA;AAAA,QACA,4BAA4B,UAAU,CAAA,EAAG,mBAAmB,CAAA,EAAA,EAAK,gBAAgB,MAAM,EAAE,CAAA;AAAA,OAC3F;AAAA,IACF;AAGA,IAAA,MAAM,EAAA,GAAK,MAAM,cAAA,CAAe,GAAA,EAAK,QAAQ,CAAA;AAC7C,IAAA,IAAI,CAAC,EAAA,EAAI;AACP,MAAA,MAAM,IAAI,iBAAA;AAAA,QACR,2BAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF;AAGA,IAAA,MAAM,UAAA,GAAa,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAC/C,IAAA,IAAI,CAAC,UAAA,IAAc,UAAA,KAAe,EAAA,CAAG,KAAA,EAAO;AAC1C,MAAA,MAAM,IAAI,iBAAA;AAAA,QACR,sBAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF;AAGA,IAAA,MAAM,MAAA,GAAS,MAAM,QAAA,CAAS,cAAA,CAAe,KAAK,EAAE,CAAA;AAGpD,IAAA,IAAI,WAAA;AACJ,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA,CAAS,EAAE,OAAA,EAAS,OAAO,OAAA,EAAS,QAAA,EAAU,MAAA,CAAO,YAAA,EAAc,CAAA;AAAA,IAC9F,CAAA,MAAO;AAEL,MAAA,WAAA,GAAc,MAAA,CAAO,OAAA;AAAA,IACvB;AAGA,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,GAAA,EAAK,GAAG,CAAA;AAAA,IAC3C,CAAA,CAAA,MAAQ;AAAA,IAER;AAGA,IAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,GAAA,EAAK,WAAW,CAAA;AAGjD,IAAA,gBAAA,CAAiB,GAAG,CAAA;AAEpB,IAAA,OAAO,EAAE,OAAA,EAAS,WAAA,EAAa,QAAA,EAAU,GAAG,QAAA,EAAS;AAAA,EACvD;AAEA,EAAA,eAAe,MAAA,CACb,OAAA,EACA,YAAA,EACA,GAAA,EACA,GAAA,EACmB;AAEnB,IAAA,IAAI,WAAA;AACJ,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA,CAAS,EAAE,OAAA,EAAS,QAAA,EAAU,cAAc,CAAA;AAAA,IACvE,CAAA,MAAO;AACL,MAAA,WAAA,GAAc,OAAA;AAAA,IAChB;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,GAAA,EAAK,GAAG,CAAA;AAAA,IAC3C,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,GAAA,EAAK,WAAW,CAAA;AACjD,IAAA,OAAO,WAAA;AAAA,EACT;AAEA,EAAA,eAAe,QAAQ,GAAA,EAAoC;AAEzD,IAAA,IAAI,WAAA,GAA+B,IAAA;AACnC,IAAA,IAAI,KAAK,SAAA,EAAW;AAIlB,MAAA,WAAA,GAAc,IAAA;AAAA,IAChB;AAEA,IAAA,IAAA,CAAK,OAAA,CAAQ,eAAe,GAAG,CAAA;AAE/B,IAAA,IAAI,KAAK,SAAA,EAAW;AAClB,MAAA,MAAM,IAAA,CAAK,UAAU,WAAW,CAAA;AAAA,IAClC;AAAA,EACF;AAEA,EAAA,eAAe,WAAW,GAAA,EAAgD;AACxE,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA;AAAA,EACpC;AAEA,EAAA,OAAO,EAAE,WAAA,EAAa,YAAA,EAAc,MAAA,EAAQ,SAAS,UAAA,EAAW;AAClE","file":"index.cjs","sourcesContent":["/**\n * @theokit/sdk/server/auth — encrypted OAuth transaction cookie store\n *\n * Per ADR D5 — cookie-state pattern (no Redis/db dependency in core).\n *\n * Stores OAuthTransaction (state + pkceVerifier + returnTo + expiry) in a\n * single signed+encrypted HttpOnly cookie. Stateless, works in edge/serverless.\n *\n * Cookie name: `__Host-theo_oauth_tx` (T5.3 — RFC 6265bis prefix)\n * Lifetime: 10 minutes (per D5 invariant)\n * Encryption: AES-256-GCM via Node's webcrypto subtle API\n *\n * Note: this is a minimal in-package implementation. Production deployments\n * may prefer using `theokit/server/auth/crypto`'s encrypt/decrypt helpers\n * via the SessionManager's existing secret rotation chain. For T1.2 we keep\n * it self-contained to avoid cross-package peer-dep complexity; T2+ may\n * refactor to share SessionManager's encrypt path.\n */\n\nimport { Buffer } from \"node:buffer\";\nimport { webcrypto } from \"node:crypto\";\nimport type { IncomingMessage, ServerResponse } from \"node:http\";\nimport type { OAuthTransaction } from \"./types.js\";\n\n// T5.3 — `__Host-` prefix per RFC 6265bis. Browsers enforce that any\n// cookie with this prefix MUST be set with `Secure`, MUST NOT carry a\n// `Domain` attribute, and MUST have `Path=/`. This blocks the\n// subdomain-fixation vector where a malicious page on\n// `evil.example.com` could plant a same-name cookie that the parent\n// app at `example.com` would happily decrypt.\nconst COOKIE_NAME = \"__Host-theo_oauth_tx\";\nconst TX_LIFETIME_MS = 10 * 60 * 1000; // 10 minutes per D5\n\n// T5.1 — HKDF info string fixed per plan; bump version (v1 → v2) only when\n// the AES-GCM derivation contract itself changes (which would invalidate\n// all in-flight cookies).\nconst HKDF_INFO = \"theokit:oauth-tx-v1\";\n\n/**\n * T5.1 — Derive a 32-byte AES-256-GCM key from `secret` via HKDF-SHA256\n * (RFC 5869). Replaces the pre-T5.1 zero-padding scheme that was NOT a\n * KDF and produced near-identical keys for near-identical secrets.\n *\n * Contract:\n * - `secret` MUST be ≥ 32 bytes (256 bits) — throws otherwise.\n * - Salt is sourced from `THEOKIT_OAUTH_TX_SALT` env (UTF-8 string);\n *   when unset, RFC 5869's zero-string fallback is used and operators\n *   accept the default cross-app collision risk.\n * - `info` is fixed at \"theokit:oauth-tx-v1\" so v1 cookies decrypt\n *   forever even if a future v2 derivation ships alongside.\n *\n * Throws `AuthSecretTooShortError` (typed) when secret < 32 bytes.\n *\n * @internal\n */\nasync function deriveKey(secret: string): Promise<webcrypto.CryptoKey> {\n  const secretBytes = new TextEncoder().encode(secret);\n  if (secretBytes.byteLength < 32) {\n    throw new AuthSecretTooShortError(secretBytes.byteLength);\n  }\n  const saltRaw = process.env.THEOKIT_OAUTH_TX_SALT ?? \"\";\n  const salt = new TextEncoder().encode(saltRaw);\n  // Import the raw secret as HKDF input keying material.\n  const ikm = await webcrypto.subtle.importKey(\"raw\", secretBytes, \"HKDF\", false, [\"deriveBits\"]);\n  // Derive 256 bits via HKDF-SHA256.\n  const derived = await webcrypto.subtle.deriveBits(\n    { name: \"HKDF\", hash: \"SHA-256\", salt, info: new TextEncoder().encode(HKDF_INFO) },\n    ikm,\n    256,\n  );\n  // Wrap the derived bits as an AES-GCM key.\n  return webcrypto.subtle.importKey(\"raw\", derived, { name: \"AES-GCM\" }, true, [\n    \"encrypt\",\n    \"decrypt\",\n  ]);\n}\n\n/**\n * T5.1 — Typed error thrown when an OAuth tx-cookie secret has < 32\n * bytes of entropy. Surfaces the actual byte length so operators can\n * diagnose mis-configured env vars without leaking the secret itself.\n *\n * @public\n */\nexport class AuthSecretTooShortError extends Error {\n  override readonly name = \"AuthSecretTooShortError\";\n  constructor(actualBytes: number) {\n    super(\n      `OAuth transaction secret must be at least 32 bytes (got ${actualBytes}). ` +\n        \"Generate a fresh value with: openssl rand -base64 33\",\n    );\n  }\n}\n\n/**\n * T5.1 — Test seam for the HKDF derivation. NOT included in the public\n * barrel — exposed only so unit tests can assert avalanche / determinism\n * properties without round-tripping through encodeTransaction.\n *\n * @internal\n */\nexport async function __TESTING__deriveKey(secret: string): Promise<webcrypto.CryptoKey> {\n  return deriveKey(secret);\n}\n\nexport async function encodeTransaction(tx: OAuthTransaction, secret: string): Promise<string> {\n  const key = await deriveKey(secret);\n  const iv = webcrypto.getRandomValues(new Uint8Array(12));\n  const plaintext = new TextEncoder().encode(JSON.stringify(tx));\n  const ciphertext = await webcrypto.subtle.encrypt({ name: \"AES-GCM\", iv }, key, plaintext);\n  const combined = new Uint8Array(iv.length + ciphertext.byteLength);\n  combined.set(iv, 0);\n  combined.set(new Uint8Array(ciphertext), iv.length);\n  return Buffer.from(combined).toString(\"base64url\");\n}\n\nasync function decodeTransaction(\n  encoded: string,\n  secret: string,\n): Promise<OAuthTransaction | null> {\n  try {\n    const key = await deriveKey(secret);\n    const combined = Buffer.from(encoded, \"base64url\");\n    const iv = combined.slice(0, 12);\n    const ciphertext = combined.slice(12);\n    const plaintext = await webcrypto.subtle.decrypt({ name: \"AES-GCM\", iv }, key, ciphertext);\n    const tx = JSON.parse(new TextDecoder().decode(plaintext)) as OAuthTransaction;\n    return tx;\n  } catch {\n    return null;\n  }\n}\n\nfunction getCookie(req: IncomingMessage, name: string): string | null {\n  const header = req.headers.cookie;\n  if (!header) return null;\n  for (const part of header.split(\";\")) {\n    const [k, ...v] = part.trim().split(\"=\");\n    if (k === name) return v.join(\"=\");\n  }\n  return null;\n}\n\nfunction setCookie(res: ServerResponse, name: string, value: string): void {\n  const existing = res.getHeader(\"Set-Cookie\");\n  const cookie = `${name}=${value}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=${TX_LIFETIME_MS / 1000}`;\n  if (Array.isArray(existing)) {\n    res.setHeader(\"Set-Cookie\", [...existing, cookie]);\n  } else if (typeof existing === \"string\") {\n    res.setHeader(\"Set-Cookie\", [existing, cookie]);\n  } else {\n    res.setHeader(\"Set-Cookie\", cookie);\n  }\n}\n\n/**\n * T5.3 — Clear the tx cookie deterministically. Emits exactly ONE\n * Set-Cookie line for `name` (filtering any prior occurrences of the\n * same name from a pre-existing Set-Cookie header) with:\n *\n *   - empty value\n *   - `Max-Age=0` (modern browsers — immediate delete)\n *   - `Expires=Thu, 01 Jan 1970 00:00:00 GMT` (legacy fallback)\n *   - `HttpOnly`, `Secure`, `SameSite=Lax`, `Path=/` — preserved so the\n *     `__Host-` prefix contract is honored even on the clear path\n *\n * Pre-T5.3 this function called setCookie() with an empty value (which\n * still carried `Max-Age=600`) AND then issued a second explicit\n * `Max-Age=0` clear into the Set-Cookie header. The double-write\n * produced a duplicate response header that some legacy clients did\n * not handle deterministically.\n */\nfunction clearCookie(res: ServerResponse, name: string): void {\n  const clear = `${name}=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;\n  const existing = res.getHeader(\"Set-Cookie\");\n  const preserved = Array.isArray(existing)\n    ? existing.filter((c) => !c.startsWith(`${name}=`))\n    : typeof existing === \"string\" && !existing.startsWith(`${name}=`)\n      ? [existing]\n      : [];\n  res.setHeader(\"Set-Cookie\", [...preserved, clear]);\n}\n\nasync function _setTransaction(\n  res: ServerResponse,\n  tx: OAuthTransaction,\n  secret: string,\n): Promise<void> {\n  const encoded = await encodeTransaction(tx, secret);\n  setCookie(res, COOKIE_NAME, encoded);\n}\n// Reserved internal helper — not currently invoked (drop-in for future T2.x refactor that consolidates SessionManager + tx-store crypto paths). Underscore prefix per biome noUnusedVariables documented escape.\nvoid _setTransaction;\n\nexport async function getTransaction(\n  req: IncomingMessage,\n  secret: string,\n): Promise<OAuthTransaction | null> {\n  const raw = getCookie(req, COOKIE_NAME);\n  if (!raw) return null;\n  const tx = await decodeTransaction(raw, secret);\n  if (!tx) return null;\n  // Check expiry\n  if (tx.expiresAt < Date.now()) return null;\n  return tx;\n}\n\nexport function clearTransaction(res: ServerResponse): void {\n  clearCookie(res, COOKIE_NAME);\n}\n\nexport function newTransaction(opts: {\n  state: string;\n  pkceVerifier?: string;\n  returnTo?: string;\n}): OAuthTransaction {\n  const now = Date.now();\n  return {\n    state: opts.state,\n    pkceVerifier: opts.pkceVerifier,\n    returnTo: opts.returnTo,\n    createdAt: now,\n    expiresAt: now + TX_LIFETIME_MS,\n  };\n}\n","/**\n * @theokit/sdk/server/auth — typed error classes\n *\n * Plan T1.2 + v1.1 EC-1 (AuthCancelledError for OAuth provider error response RFC 6749 §4.1.2.1).\n */\n\n/**\n * Thrown at `defineAuth()` time when configuration is invalid\n * (e.g., duplicate provider name, invalid email shape per EC-V1-12).\n */\nexport class AuthConfigError extends Error {\n  override readonly name = \"AuthConfigError\";\n  readonly code: string;\n\n  constructor(code: string, message: string) {\n    super(`[${code}] ${message}`);\n    this.code = code;\n  }\n}\n\n/**\n * Thrown at `startSignIn(providerName, ...)` or `finishSignIn(providerName, ...)`\n * when the named provider is not registered in `providers[]`.\n */\nexport class AuthProviderNotFoundError extends Error {\n  override readonly name = \"AuthProviderNotFoundError\";\n  readonly providerName: string;\n\n  constructor(providerName: string) {\n    super(\n      `Auth provider not found: '${providerName}'. Register it in defineAuth({ providers: [...] }).`,\n    );\n    this.providerName = providerName;\n  }\n}\n\n/**\n * Thrown during OAuth callback handling for state mismatches, expired\n * transactions, missing query params, or provider 4xx/5xx errors.\n *\n * Typed `code` field lets consumers branch on cause:\n *   - 'oauth_transaction_expired' — cookie tx > 10min old (per ADR D5)\n *   - 'oauth_state_mismatch' — query state ≠ cookie state (CSRF defense per RFC 6749 §10.12)\n *   - 'oauth_provider_error' — non-access_denied error in callback URL\n *   - 'oauth_token_exchange_failed' — provider rejected code-for-tokens swap\n *   - 'oauth_userinfo_failed' — userinfo endpoint returned error\n *   - 'oauth_missing_code_or_state' — required query params absent\n */\nexport class AuthCallbackError extends Error {\n  override readonly name: string = \"AuthCallbackError\";\n  readonly code: string;\n\n  constructor(code: string, message?: string) {\n    super(message ?? `OAuth callback error: ${code}`);\n    this.code = code;\n  }\n}\n\n/**\n * Per v1.1 EC-1 MUST FIX — typed subclass of AuthCallbackError for the\n * specific case where user declined consent at provider screen.\n *\n * OAuth 2.0 RFC 6749 §4.1.2.1: provider redirects with `?error=access_denied`.\n * Apps can catch this distinctly from network/server errors to render\n * \"Login cancelled — try again\" UX instead of opaque \"callback failed\".\n */\nexport class AuthCancelledError extends AuthCallbackError {\n  override readonly name: string = \"AuthCancelledError\";\n  readonly errorDescription?: string;\n\n  constructor(errorDescription?: string) {\n    super(\"user_declined_consent\", errorDescription ?? \"User declined consent at provider\");\n    this.errorDescription = errorDescription;\n  }\n}\n","/**\n * @theokit/sdk/server/auth — public barrel\n *\n * Per ADR D6 (sub-path export) — consumers import via `@theokit/sdk/server/auth`\n * NOT main `@theokit/sdk` barrel. Tree-shaking + allows breaking changes in\n * auth surface without affecting Agent runtime consumers.\n *\n * T1.1 shipped types-only.\n * T1.2 adds runtime: defineAuth() + 4 typed error classes + validateReturnTo helper.\n */\n\nexport {\n  AuthCallbackError,\n  AuthCancelledError,\n  AuthConfigError,\n  AuthProviderNotFoundError,\n} from \"./errors.js\";\n// T5.1 — HKDF-SHA256 derivation rejects secrets < 32 bytes with this\n// typed error. Surfaces on `defineAuth` callers whose env secret is\n// too short (e.g., a 16-byte legacy value carried over from pre-T5.1).\nexport { AuthSecretTooShortError } from \"./oauth-transaction-store.js\";\n\nexport { defineAuth } from \"./orchestrator.js\";\nexport type {\n  AuthOrchestrator,\n  AuthProvider,\n  AuthResult,\n  DefineAuthOptions,\n  OAuthTransaction,\n  SessionManager,\n} from \"./types.js\";\nexport { validateReturnTo } from \"./validate-return-to.js\";\n","/**\n * @theokit/sdk/server/auth — defineAuth orchestrator runtime (Caminho C Hybrid)\n *\n * Plan T1.2 implementation per blueprint Q5 § Caminho C signatures.\n * Composes existing primitives + the v1.1 EC-1/EC-2/EC-10 fixes.\n */\n\nimport { webcrypto } from \"node:crypto\";\nimport type { IncomingMessage, ServerResponse } from \"node:http\";\nimport {\n  AuthCallbackError,\n  AuthCancelledError,\n  AuthConfigError,\n  AuthProviderNotFoundError,\n} from \"./errors.js\";\nimport { clearTransaction, getTransaction, newTransaction } from \"./oauth-transaction-store.js\";\nimport type { AuthOrchestrator, AuthProvider, DefineAuthOptions } from \"./types.js\";\nimport { validateReturnTo } from \"./validate-return-to.js\";\n\nconst PROVIDER_NAME_RE = /^[a-z0-9-]{1,32}$/;\n\nfunction randomState(): string {\n  const bytes = webcrypto.getRandomValues(new Uint8Array(24));\n  return Buffer.from(bytes).toString(\"base64url\");\n}\n\n/**\n * Generate a PKCE code_verifier per RFC 7636 §4.1 — 43..128 chars from the\n * unreserved set [A-Z][a-z][0-9]-._~ (base64url is a strict subset).\n *\n * 32 random bytes → 43 base64url chars satisfies the minimum. Provided by\n * the orchestrator so every transaction carries one; PKCE-aware providers\n * (Google) consume it; PKCE-ignorant providers (GitHub) discard it.\n */\nfunction generatePkceVerifier(): string {\n  const bytes = webcrypto.getRandomValues(new Uint8Array(32));\n  return Buffer.from(bytes).toString(\"base64url\");\n}\n\nfunction txCookieSecret<TSession>(opts: DefineAuthOptions<TSession>): string {\n  // For T1.2 minimal impl, derive a per-session-manager secret from the\n  // SessionManager identity. Production T2+ may refactor to share the\n  // SessionManager's actual secret rotation chain via a `getCookieSecret()` method.\n  // Falls back to TX_FALLBACK_SECRET when not available — apps should override.\n  const sess = opts.session as unknown as { secret?: string | string[] };\n  if (sess.secret) {\n    if (Array.isArray(sess.secret)) {\n      const first = sess.secret[0];\n      if (first) return first;\n    } else {\n      return sess.secret;\n    }\n  }\n  // Defensive fallback. Apps without SessionManager.secret pattern should\n  // explicitly pass an env-backed secret OR rely on this dev-only fallback\n  // (will fail in production scrutiny — flagged by future audit).\n  return process.env.THEOKIT_OAUTH_TX_SECRET ?? \"DEV_ONLY_INSECURE_OAUTH_TX_SECRET_REPLACE_IN_PROD\";\n}\n\nexport function defineAuth<TSession>(\n  opts: DefineAuthOptions<TSession>,\n): AuthOrchestrator<TSession> {\n  // Validate config at define-time (per blueprint Q5 invariants)\n  if (!opts.session) {\n    throw new AuthConfigError(\"missing_session\", \"defineAuth({ session }) is required\");\n  }\n\n  const providersMap = new Map<string, AuthProvider<unknown, string>>();\n  for (const provider of opts.providers ?? []) {\n    if (!provider.name || !PROVIDER_NAME_RE.test(provider.name)) {\n      throw new AuthConfigError(\n        \"invalid_provider_name\",\n        `Provider name must match ${PROVIDER_NAME_RE} (got: '${provider.name}')`,\n      );\n    }\n    if (providersMap.has(provider.name)) {\n      throw new AuthConfigError(\n        \"duplicate_provider_name\",\n        `Duplicate provider name: '${provider.name}'`,\n      );\n    }\n    providersMap.set(provider.name, provider);\n  }\n\n  const txSecret = txCookieSecret(opts);\n\n  function requireProvider(name: string): AuthProvider<unknown, string> {\n    const p = providersMap.get(name);\n    if (!p) throw new AuthProviderNotFoundError(name);\n    return p;\n  }\n\n  async function startSignIn(\n    providerName: string,\n    req: IncomingMessage,\n    startOpts?: { returnTo?: string },\n  ): Promise<Response> {\n    const provider = requireProvider(providerName);\n\n    // EC-2 (v1.1) — validate returnTo same-origin\n    const baseUrl = new URL(`http://${req.headers.host ?? \"localhost\"}${req.url ?? \"/\"}`);\n    const safeReturnTo = validateReturnTo(startOpts?.returnTo, baseUrl);\n\n    // Generate transaction. Always include a PKCE verifier — PKCE-aware\n    // providers (Google OIDC) consume it; PKCE-ignorant providers (GitHub\n    // OAuth 2.0) discard it. Generating unconditionally simplifies the\n    // provider contract: every tx is PKCE-ready.\n    const state = randomState();\n    const pkceVerifier = generatePkceVerifier();\n    const tx = newTransaction({\n      state,\n      pkceVerifier,\n      returnTo: safeReturnTo === \"/\" ? undefined : safeReturnTo,\n    });\n\n    // Persist transaction cookie via headers (since we return Response, need Set-Cookie header manually)\n    const authUrl = await provider.createAuthorizationURL(tx);\n\n    // Build response with Set-Cookie + redirect\n    const headers = new Headers();\n    headers.set(\"Location\", authUrl.toString());\n    const { encodeTransaction } = await import(\"./oauth-transaction-store.js\");\n    const encodedTx = await encodeTransaction(tx, txSecret);\n    headers.set(\n      \"Set-Cookie\",\n      `theo_oauth_tx=${encodedTx}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=600`,\n    );\n\n    return new Response(null, { status: 302, headers });\n  }\n\n  // biome-ignore lint/complexity/noExcessiveCognitiveComplexity: OAuth callback handler must validate 6 distinct error conditions sequentially (provider error / state / tx fetch / PKCE / code exchange / session) — extracting helpers fragments the linear control flow without clarifying intent (per EC-1 v1.1 absorbed)\n  async function finishSignIn(\n    providerName: string,\n    req: IncomingMessage,\n    res: ServerResponse,\n  ): Promise<{ session: TSession; returnTo?: string }> {\n    const provider = requireProvider(providerName);\n\n    // EC-1 (v1.1) — OAuth provider error response (user declined consent) check BEFORE code-exchange\n    const url = new URL(`http://${req.headers.host ?? \"localhost\"}${req.url ?? \"/\"}`);\n    const errorParam = url.searchParams.get(\"error\");\n    if (errorParam) {\n      const errorDescription = url.searchParams.get(\"error_description\") ?? undefined;\n      if (errorParam === \"access_denied\") {\n        throw new AuthCancelledError(errorDescription);\n      }\n      throw new AuthCallbackError(\n        \"oauth_provider_error\",\n        `Provider returned error: ${errorParam}${errorDescription ? ` (${errorDescription})` : \"\"}`,\n      );\n    }\n\n    // Read + validate transaction cookie\n    const tx = await getTransaction(req, txSecret);\n    if (!tx) {\n      throw new AuthCallbackError(\n        \"oauth_transaction_expired\",\n        \"OAuth transaction cookie missing or expired (>10min). Please retry sign-in.\",\n      );\n    }\n\n    // Verify state matches query param (CSRF defense per RFC 6749 §10.12)\n    const queryState = url.searchParams.get(\"state\");\n    if (!queryState || queryState !== tx.state) {\n      throw new AuthCallbackError(\n        \"oauth_state_mismatch\",\n        \"OAuth state mismatch. Possible CSRF attempt or stale callback.\",\n      );\n    }\n\n    // Provider-specific callback handling (token exchange + userinfo fetch)\n    const result = await provider.handleCallback(req, tx);\n\n    // Invoke onSignIn callback if defined to derive session shape\n    let sessionData: TSession;\n    if (opts.onSignIn) {\n      sessionData = await opts.onSignIn({ profile: result.profile, provider: result.providerName });\n    } else {\n      // No onSignIn — pass the raw profile as session (consumers must type their own TSession)\n      sessionData = result.profile as unknown as TSession;\n    }\n\n    // EC-10 (v1.1) — OWASP A07:2021 session fixation mitigation: rotate session ID BEFORE creating new session\n    try {\n      await opts.session.rotateSession(req, res);\n    } catch {\n      // rotateSession may no-op if no pre-existing session — non-fatal\n    }\n\n    // Create session cookie\n    await opts.session.createSession(res, sessionData);\n\n    // Clear transaction cookie\n    clearTransaction(res);\n\n    return { session: sessionData, returnTo: tx.returnTo };\n  }\n\n  async function signIn<TProfile>(\n    profile: TProfile,\n    providerName: string,\n    req: IncomingMessage,\n    res: ServerResponse,\n  ): Promise<TSession> {\n    // Caminho A escape hatch — skip OAuth flow, directly derive + persist session\n    let sessionData: TSession;\n    if (opts.onSignIn) {\n      sessionData = await opts.onSignIn({ profile, provider: providerName });\n    } else {\n      sessionData = profile as unknown as TSession;\n    }\n\n    try {\n      await opts.session.rotateSession(req, res);\n    } catch {\n      /* no-op if no pre-existing session */\n    }\n\n    await opts.session.createSession(res, sessionData);\n    return sessionData;\n  }\n\n  async function signOut(res: ServerResponse): Promise<void> {\n    // Read current session before destroying (so onSignOut can see it)\n    let sessionData: TSession | null = null;\n    if (opts.onSignOut) {\n      // We don't have req here per AuthOrchestrator contract; onSignOut receives null\n      // when no pre-existing session is available. Apps that need session-aware\n      // signOut should use the manual session.destroySession + custom logic.\n      sessionData = null;\n    }\n\n    opts.session.destroySession(res);\n\n    if (opts.onSignOut) {\n      await opts.onSignOut(sessionData);\n    }\n  }\n\n  async function getSession(req: IncomingMessage): Promise<TSession | null> {\n    return opts.session.getSession(req);\n  }\n\n  return { startSignIn, finishSignIn, signIn, signOut, getSession };\n}\n","/**\n * @theokit/sdk/server/auth — same-origin returnTo validator\n *\n * Per v1.1 EC-2 MUST FIX — OWASP A01:2021 open-redirect mitigation.\n *\n * Without this check, attacker craft `/login?returnTo=https://evil.com` would\n * cause post-login redirect to attacker domain with authenticated session cookie.\n *\n * Rules:\n *   - undefined/empty returnTo → default '/'\n *   - protocol-relative `//evil.com` → default '/' (URL parser would resolve to baseUrl protocol)\n *   - absolute URL with origin ≠ baseUrl.origin → default '/' (cross-origin redirect)\n *   - absolute URL with origin === baseUrl.origin → keep (same-origin allowed)\n *   - relative path starting with '/' → keep (same-app navigation)\n *   - relative path not starting with '/' → default '/' (defensive)\n */\nexport function validateReturnTo(returnTo: string | undefined, baseUrl: URL): string {\n  if (!returnTo || typeof returnTo !== \"string\" || returnTo.trim() === \"\") {\n    return \"/\";\n  }\n\n  const trimmed = returnTo.trim();\n\n  // Protocol-relative URLs (//evil.com) are dangerous — browser would resolve to current protocol\n  if (trimmed.startsWith(\"//\")) {\n    return \"/\";\n  }\n\n  // Try absolute URL parsing first\n  if (URL.canParse(trimmed)) {\n    const parsed = new URL(trimmed);\n    if (parsed.origin === baseUrl.origin) {\n      // Same-origin absolute URL — return the pathname+search+hash portion (drop origin)\n      return parsed.pathname + parsed.search + parsed.hash;\n    }\n    // Cross-origin — reject\n    return \"/\";\n  }\n\n  // Not parseable as absolute. Must start with '/' to be a valid relative path\n  if (trimmed.startsWith(\"/\")) {\n    return trimmed;\n  }\n\n  // Anything else (e.g., \"javascript:alert\", \"data:...\" that wasn't parseable, or bare strings) → default\n  return \"/\";\n}\n"]}

package/dist/server/auth/index.d.cts

@@ -1,176 +1,15 @@
-import { IncomingMessage, ServerResponse } from 'node:http';
-
 /**
- * @theokit/sdk/server/auth — typed error classes
+ * @theokit/sdk/server/auth — public barrel
  *
- * Plan T1.2 + v1.1 EC-1 (AuthCancelledError for OAuth provider error response RFC 6749 §4.1.2.1).
- */
-/**
- * Thrown at `defineAuth()` time when configuration is invalid
- * (e.g., duplicate provider name, invalid email shape per EC-V1-12).
- */
-declare class AuthConfigError extends Error {
-    readonly name = "AuthConfigError";
-    readonly code: string;
-    constructor(code: string, message: string);
-}
-/**
- * Thrown at `startSignIn(providerName, ...)` or `finishSignIn(providerName, ...)`
- * when the named provider is not registered in `providers[]`.
- */
-declare class AuthProviderNotFoundError extends Error {
-    readonly name = "AuthProviderNotFoundError";
-    readonly providerName: string;
-    constructor(providerName: string);
-}
-/**
- * Thrown during OAuth callback handling for state mismatches, expired
- * transactions, missing query params, or provider 4xx/5xx errors.
- *
- * Typed `code` field lets consumers branch on cause:
- *   - 'oauth_transaction_expired' — cookie tx > 10min old (per ADR D5)
- *   - 'oauth_state_mismatch' — query state ≠ cookie state (CSRF defense per RFC 6749 §10.12)
- *   - 'oauth_provider_error' — non-access_denied error in callback URL
- *   - 'oauth_token_exchange_failed' — provider rejected code-for-tokens swap
- *   - 'oauth_userinfo_failed' — userinfo endpoint returned error
- *   - 'oauth_missing_code_or_state' — required query params absent
- */
-declare class AuthCallbackError extends Error {
-    readonly name: string;
-    readonly code: string;
-    constructor(code: string, message?: string);
-}
-/**
- * Per v1.1 EC-1 MUST FIX — typed subclass of AuthCallbackError for the
- * specific case where user declined consent at provider screen.
- *
- * OAuth 2.0 RFC 6749 §4.1.2.1: provider redirects with `?error=access_denied`.
- * Apps can catch this distinctly from network/server errors to render
- * "Login cancelled — try again" UX instead of opaque "callback failed".
- */
-declare class AuthCancelledError extends AuthCallbackError {
-    readonly name: string;
-    readonly errorDescription?: string;
-    constructor(errorDescription?: string);
-}
-
-/**
- * @theokit/sdk/server/auth — orchestrator types (Caminho C Hybrid per G11)
- *
- * Plan: g11-auth-architecture-implementation v1.4 (sha256 4d381020...)
- * Blueprint: g11-auth-architecture-decision v1.1 (SHIPPABLE 97.9)
- * AUTH-DELEGATION lock (theokit/CLAUDE.md:217-225) — these types are the
- * orchestrator contract; concrete OAuth/email providers ship in opt-in
- * @theokit/auth-* packages (adapters layer per ADR D11).
- */
-
-/**
- * SessionManager contract (matches theokit/packages/theo/src/server/auth/session.ts:49).
- * Imported as type-only — runtime depends via peerDep `theokit@>=0.2.4`.
- */
-interface SessionManager<TSession> {
-    getSession(req: IncomingMessage): Promise<TSession | null>;
-    createSession(res: ServerResponse, data: TSession): Promise<void>;
-    destroySession(res: ServerResponse): void;
-    rotateSession(req: IncomingMessage, res: ServerResponse): Promise<TSession | null>;
-}
-/**
- * Per ADR D5 — OAuth transaction state stored in encrypted HttpOnly cookie
- * (cookie-state pattern). Expires within 10 minutes per invariant.
- */
-interface OAuthTransaction {
-    state: string;
-    pkceVerifier?: string;
-    returnTo?: string;
-    createdAt: number;
-    expiresAt: number;
-}
-/**
- * Per ADR D9 — provider profile types are provider-specific (not unified).
- * Each @theokit/auth-* package exports its own profile shape.
- * Generic param TProfile lets consumers narrow via discriminated unions on providerName.
- */
-interface AuthResult<TProfile, TName extends string = string> {
-    profile: TProfile;
-    providerName: TName;
-    rawTokens?: {
-        accessToken: string;
-        refreshToken?: string;
-        idToken?: string;
-        expiresAt?: number;
-    };
-}
-/**
- * Provider contract — each @theokit/auth-* package implements this.
- * Per blueprint Q5 + ADR D11 (adapters layer).
- */
-interface AuthProvider<TProfile, TName extends string = string> {
-    name: TName;
-    createAuthorizationURL(tx: OAuthTransaction): URL | Promise<URL>;
-    handleCallback(req: IncomingMessage, tx: OAuthTransaction): Promise<AuthResult<TProfile, TName>>;
-}
-/**
- * `defineAuth(opts)` configuration shape — Caminho C (Hybrid).
- * `providers` optional: empty = Caminho A escape hatch (manual signIn only).
- * `onSignIn` invoked after provider callback success; returns TSession to persist.
- */
-interface DefineAuthOptions<TSession> {
-    session: SessionManager<TSession>;
-    providers?: AuthProvider<unknown, string>[];
-    onSignIn?: <TProfile>(args: {
-        profile: TProfile;
-        provider: string;
-    }) => Promise<TSession>;
-    onSignOut?: (session: TSession | null) => Promise<void> | void;
-}
-/**
- * Returned by `defineAuth<TSession>(opts)` — 5-method orchestrator surface.
- *
- * - startSignIn: returns Response.redirect to provider authorization URL with state cookie
- * - finishSignIn: handles provider callback; verifies state; calls onSignIn; rotates session ID
- *   (OWASP A07:2021 per EC-10); creates session cookie; clears transaction cookie
- * - signIn: Caminho A escape hatch — skip OAuth flow; directly persist session from external profile
- * - signOut: destroys session cookie + invokes onSignOut callback
- * - getSession: read-only passthrough to session.getSession
- */
-interface AuthOrchestrator<TSession> {
-    startSignIn(providerName: string, req: IncomingMessage, opts?: {
-        returnTo?: string;
-    }): Promise<Response>;
-    finishSignIn(providerName: string, req: IncomingMessage, res: ServerResponse): Promise<{
-        session: TSession;
-        returnTo?: string;
-    }>;
-    signIn<TProfile>(profile: TProfile, providerName: string, req: IncomingMessage, res: ServerResponse): Promise<TSession>;
-    signOut(res: ServerResponse): void | Promise<void>;
-    getSession(req: IncomingMessage): Promise<TSession | null>;
-}
-
-/**
- * @theokit/sdk/server/auth — defineAuth orchestrator runtime (Caminho C Hybrid)
- *
- * Plan T1.2 implementation per blueprint Q5 § Caminho C signatures.
- * Composes existing primitives + the v1.1 EC-1/EC-2/EC-10 fixes.
- */
-
-declare function defineAuth<TSession>(opts: DefineAuthOptions<TSession>): AuthOrchestrator<TSession>;
-
-/**
- * @theokit/sdk/server/auth — same-origin returnTo validator
- *
- * Per v1.1 EC-2 MUST FIX — OWASP A01:2021 open-redirect mitigation.
- *
- * Without this check, attacker craft `/login?returnTo=https://evil.com` would
- * cause post-login redirect to attacker domain with authenticated session cookie.
+ * Per ADR D6 (sub-path export) — consumers import via `@theokit/sdk/server/auth`
+ * NOT main `@theokit/sdk` barrel. Tree-shaking + allows breaking changes in
+ * auth surface without affecting Agent runtime consumers.
  *
- * Rules:
- *   - undefined/empty returnTo → default '/'
- *   - protocol-relative `//evil.com` → default '/' (URL parser would resolve to baseUrl protocol)
- *   - absolute URL with origin ≠ baseUrl.origin → default '/' (cross-origin redirect)
- *   - absolute URL with origin === baseUrl.origin → keep (same-origin allowed)
- *   - relative path starting with '/' → keep (same-app navigation)
- *   - relative path not starting with '/' → default '/' (defensive)
+ * T1.1 shipped types-only.
+ * T1.2 adds runtime: defineAuth() + 4 typed error classes + validateReturnTo helper.
  */
-declare function validateReturnTo(returnTo: string | undefined, baseUrl: URL): string;
-
-export { AuthCallbackError, AuthCancelledError, AuthConfigError, type AuthOrchestrator, type AuthProvider, AuthProviderNotFoundError, type AuthResult, type DefineAuthOptions, type OAuthTransaction, type SessionManager, defineAuth, validateReturnTo };
+export { AuthCallbackError, AuthCancelledError, AuthConfigError, AuthProviderNotFoundError, } from "./errors.js";
+export { AuthSecretTooShortError } from "./oauth-transaction-store.js";
+export { defineAuth } from "./orchestrator.js";
+export type { AuthOrchestrator, AuthProvider, AuthResult, DefineAuthOptions, OAuthTransaction, SessionManager, } from "./types.js";
+export { validateReturnTo } from "./validate-return-to.js";