@toa.io/extensions.exposition 1.0.0-alpha.0 → 1.0.0-alpha.100

package/components/identity.federation/source/incept.ts

@@ -0,0 +1,26 @@
+import { assertionsAsValues } from './lib/assertions-as-values.js'
+import { decode } from './lib/jwt'
+import type { Request } from '@toa.io/core'
+import type { Context, Entity } from './types'
+
+async function incept (input: Input, context: Context): Promise<Output> {
+  const { iss, sub } = await decode(input.credentials, context.configuration.trust)
+  const request: Request = { input: { authority: input.authority, iss, sub } satisfies Omit<Entity, 'id'> }
+
+  if (input.id !== undefined)
+    request.query = { id: input.id }
+
+  return await context.local.transit(request)
+}
+
+interface Input {
+  authority: string
+  credentials: string
+  id?: string
+}
+
+interface Output {
+  id: string
+}
+
+export const effect = assertionsAsValues(incept)

package/components/identity.federation/source/lib/assertions-as-values.ts

@@ -0,0 +1,22 @@
+import * as assert from 'node:assert'
+import { console } from 'openspan'
+
+/**
+ * Wrapping function that returns assertion errors as function return value
+ */
+export function assertionsAsValues<T extends (...args: any[]) => Promise<any>> (
+  fn: T) {
+  return async (...args: Parameters<T>): Promise<ReturnType<T> | Error> => {
+    try {
+      return await fn(...args)
+    } catch (err) {
+      if (err instanceof assert.AssertionError) {
+        console.error('OIDC Authentication exception', { message: err.message })
+
+        return err
+      }
+
+      throw err
+    }
+  }
+}

package/components/identity.federation/source/lib/get.ts

@@ -0,0 +1,82 @@
+/* eslint-disable max-depth */
+
+import { Readable } from 'node:stream'
+import { buffer } from 'node:stream/consumers'
+
+import Cache from '@isaacs/ttlcache'
+import Policy from 'http-cache-semantics'
+import type { ReadableStream } from 'node:stream/web'
+
+const cache = new Cache<string, Entry>()
+
+export async function get (url: string, init?: RequestInit): Promise<Response> {
+  const headers = toRecord(init?.headers)
+  const request = { url, method: 'GET', headers }
+  const cached = cache.get(url)
+
+  if (cached?.policy.satisfiesWithoutRevalidation(request) === true) {
+    const headers = toHeaders(cached.policy.responseHeaders())
+
+    return new Response(cached.body, { headers })
+  }
+
+  const response = await fetch(url, init)
+  const policy = new Policy(request, { status: response.status, headers: toRecord(response.headers) })
+  const ttl = policy.timeToLive()
+
+  if (policy.storable() && ttl > 0) {
+    const body = await toBuffer(response.body as ReadableStream)
+
+    cache.set(url, { policy, body }, { ttl })
+
+    return new Response(body, { headers: response.headers })
+  } else
+    return response
+}
+
+function toRecord (headers: RequestInit['headers']): Record<string, string> {
+  if (!(headers instanceof Headers))
+    headers = toHeaders(headers)
+
+  return Object.fromEntries(headers.entries())
+}
+
+function toHeaders (values?: Array<[string, string]> | Record<string, string | string[] | undefined>): Headers {
+  const headers = new Headers()
+
+  if (values === undefined)
+    return headers
+
+  if (Array.isArray(values))
+    for (const [name, value] of values)
+      headers.append(name, value)
+  else
+    for (const name in values) {
+      const value = values[name]
+
+      if (value === undefined)
+        continue
+
+      if (Array.isArray(value))
+        for (const v of value)
+          headers.append(name, v)
+      else
+        headers.append(name, value)
+    }
+
+  return headers
+}
+
+async function toBuffer (body: ReadableStream<Uint8Array> | null): Promise<Buffer | null> {
+  if (body === null)
+    return null
+
+  const buf = await buffer(Readable.fromWeb(body as ReadableStream))
+
+  return Buffer.from(buf)
+}
+
+interface Entry {
+  policy: Policy
+  body: Buffer | null
+}

package/components/identity.federation/source/lib/jwt.test.ts

@@ -0,0 +1,179 @@
+import * as http from 'node:http'
+
+/* eslint-disable @typescript-eslint/consistent-type-assertions */
+import { once } from 'node:events'
+import { validateSignature, decodeJwt, validateJwtPayload } from './jwt'
+import { get } from './get'
+import type { AddressInfo } from 'node:net'
+import type { IdToken, JwtHeader, Trust } from '../types'
+
+describe('jwt', () => {
+  describe('validateJwtPayload', () => {
+    const jwtHeader: JwtHeader = { alg: 'HS256', kid: 'k1' }
+
+    const trusted: Trust[] = [{
+      iss: 'test-iss',
+      aud: ['test-aud1', 'test-aud2'],
+      secrets: { [jwtHeader.alg]: { [jwtHeader.kid!]: 'test-secrete' } }
+    }]
+
+    const validJwtPayload: IdToken = {
+      iss: trusted[0].iss,
+      sub: 'test-sub',
+      iat: Date.now() / 1000,
+      exp: Date.now() / 1000 + 2000,
+      aud: trusted[0].aud![1]
+    }
+
+    describe('aud', () => {
+      test('throws without it', () => {
+        const { aud, ...noAudPayload } = validJwtPayload
+
+        expect(() => validateJwtPayload(noAudPayload, trusted, jwtHeader)).toThrow('Payload is missing aud')
+      })
+
+      test('passes with a single string', () => {
+        expect(validJwtPayload.aud).toEqual(expect.any(String))
+        expect(() => validateJwtPayload(validJwtPayload, trusted, jwtHeader)).not.toThrow()
+      })
+
+      test('passes with an array', () => {
+        const arrayAudPayload = { ...validJwtPayload, aud: trusted[0].aud }
+
+        expect(arrayAudPayload.aud).toEqual(expect.any(Array))
+        expect(() => validateJwtPayload(arrayAudPayload, trusted, jwtHeader)).not.toThrow()
+      })
+
+      test('throws with an array that does not intersects', () => {
+        const arrayAudPayload = { ...validJwtPayload, aud: ['boo', 'foo'] }
+
+        expect(arrayAudPayload.aud).toEqual(expect.any(Array))
+        expect(() => validateJwtPayload(arrayAudPayload, trusted, jwtHeader))
+          .toThrow('Unknown audiences: boo, foo')
+      })
+    })
+  })
+
+  test('decode', () => {
+    const { header, payload } = decodeJwt('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg')
+
+    expect(header).toMatchObject({ alg: 'HS256' })
+    expect(payload).toEqual({ some: 'payload' })
+  })
+
+  test('symmetric pass', async () => {
+    // example from
+    // https://pyjwt.readthedocs.io/en/latest/usage.html#encoding-decoding-tokens-with-hs256
+
+    await expect(validateSignature({
+      header: { alg: 'HS256', kid: 'k2' },
+      payload: { iss: 'test-issuer', aud: 'test', sub: '0', exp: 0, iat: 0 },
+      rawHeader: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9',
+      rawPayload: 'eyJzb21lIjoicGF5bG9hZCJ9',
+      signature: '4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg',
+      trusted: [
+        {
+          iss: 'test-issuer',
+          secrets: {
+            HS256: {
+              k1: 'old-secret',
+              k2: 'secret'
+            }
+          }
+        }
+      ]
+    } as Parameters<typeof validateSignature>[0])).resolves.toBeUndefined()
+  })
+
+  test('symmetric fail', async () => {
+    await expect(validateSignature({
+      header: { alg: 'HS256' },
+      payload: { iss: 'test-issuer', aud: 'test', sub: '0', exp: 0, iat: 0 },
+      rawHeader: 'header',
+      rawPayload: 'payload',
+      signature: 'signature',
+      trusted: [
+        {
+          iss: 'test-issuer',
+          secrets: {
+            HS256: {
+              theKey: 'secret'
+            }
+          }
+        }
+      ]
+    } as Parameters<typeof validateSignature>[0])).rejects.toThrow('Signature does not match')
+  })
+
+  describe('cache', () => {
+    let server: http.Server
+    // eslint-disable-next-line @typescript-eslint/no-invalid-void-type
+    const handler = jest.fn<void, [http.IncomingMessage, http.ServerResponse]>()
+    let endpoint: string
+
+    beforeAll(async () => {
+      server = http.createServer(handler)
+
+      server.listen(0, 'localhost')
+      await once(server, 'listening')
+
+      const { port } = server.address() as AddressInfo
+
+      endpoint = `http://localhost:${port}`
+    })
+
+    afterEach(() => {
+      handler.mockReset()
+    })
+
+    afterAll(async () => {
+      server.close()
+      await once(server, 'close')
+    })
+
+    test('fetches only once', async () => {
+      handler.mockImplementationOnce((req, res) => {
+        res.writeHead(200, { 'content-type': 'application/json', 'cache-control': 'public, max-age=3600' })
+        res.end(JSON.stringify({ foo: 'bar' }))
+      }).mockImplementationOnce((req, res) => {
+        res.writeHead(500)
+        res.end()
+      })
+
+      const firstRequest = await get(endpoint)
+
+      expect(firstRequest.ok).toBe(true)
+
+      const json = await firstRequest.json()
+
+      expect(json).toEqual({ foo: 'bar' })
+
+      const secondRequest = await get(endpoint)
+
+      expect(secondRequest.ok).toBe(true)
+      await expect(secondRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      expect(handler).toHaveBeenCalledTimes(1)
+    })
+
+    test('respects caching headers', async () => {
+      handler.mockImplementation((req, res) => {
+        res.writeHead(200, { 'content-type': 'application/json', 'cache-control': 'no-cache' })
+        res.end(JSON.stringify({ foo: 'bar' }))
+      })
+
+      const firstRequest = await get(endpoint + '/no-cache')
+
+      expect(firstRequest.headers.get('cache-control')).toBe('no-cache')
+      expect(firstRequest.ok).toBe(true)
+      await expect(firstRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      const secondRequest = await get(endpoint + '/no-cache')
+
+      expect(secondRequest.ok).toBe(true)
+      await expect(secondRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      expect(handler).toHaveBeenCalledTimes(2)
+    })
+  })
+})

package/components/identity.federation/source/lib/jwt.ts

@@ -0,0 +1,178 @@
+import crypto from 'node:crypto'
+import * as assert from 'node:assert'
+import { get } from './get'
+import type { JwtHeader, IdToken, Trust } from '../types'
+
+export function decodeJwt (token: string): {
+  header: unknown
+  payload: unknown
+  rawHeader: string
+  rawPayload: string
+  signature: string
+} {
+  const [rawHeader, rawPayload, signature] = token.split('.', 3)
+
+  const header = JSON.parse(Buffer.from(rawHeader, 'base64url').toString())
+  const payload = JSON.parse(Buffer.from(rawPayload, 'base64url').toString())
+
+  return { header, payload, rawHeader, rawPayload, signature }
+}
+
+export function validateJwtHeader (header: unknown): asserts header is JwtHeader {
+  assert.ok(header !== null && typeof header === 'object', 'Header is not an object')
+  assert.ok('alg' in header, 'Header is missing alg')
+  assert.ok(typeof header.alg === 'string', 'Header alg is not a string')
+  assert.match(header.alg, /^RS256|HS\d{3}$/, `Unknown algorithm ${header.alg}`)
+  assert.ok(!('kid' in header) || typeof header.kid === 'string', 'kid must be a string if present')
+}
+
+export function validateJwtPayload (payload: unknown,
+  trusted: Trust[] = [],
+  header: JwtHeader): asserts payload is IdToken {
+  assert.ok(trusted.length > 0, 'No trusted issuers provided')
+
+  // the full list of validations is
+  // at https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+  assert.ok(payload !== null && typeof payload === 'object', 'Payload is not an object')
+
+  assert.ok('iss' in payload, 'Payload is missing iss')
+  assert.ok(typeof payload.iss === 'string', 'Payload iss is not a string')
+  assert.ok('aud' in payload, 'Payload is missing aud')
+  assert.ok(typeof payload.aud === 'string' ||
+    (Array.isArray(payload.aud) && payload.aud.every((e): e is string => typeof e === 'string')),
+  'Payload aud is not a string nor an array of strings')
+
+  const issuer = trusted.find((config) => config.iss === payload.iss)
+
+  assert.ok(issuer, `Unknown issuer: ${payload.iss}`)
+
+  if (Array.isArray(issuer.aud)) {
+    const tokenAud = payload.aud
+
+    if (typeof tokenAud === 'string')
+      assert.ok(issuer.aud.some((a) => a === tokenAud), `Unknown audience: ${tokenAud}`)
+    else
+      assert.ok(issuer.aud.some((a) => tokenAud.includes(a)), `Unknown audiences: ${tokenAud.join(', ')}`)
+  }
+
+  if (header.alg.startsWith('HS')) {
+    const secrets = issuer.secrets
+
+    assert.ok(secrets, `We don't have known secrets for ${payload.iss}`)
+
+    const keys = secrets[header.alg]
+
+    assert.ok(keys, `No known secrets for ${header.alg}`)
+
+    if (typeof header.kid === 'string')
+      assert.ok(header.kid in keys, `No secret ${header.kid} provided for ${header.alg}`)
+  }
+
+  assert.ok('sub' in payload, 'Payload is missing sub')
+  assert.ok(typeof payload.sub === 'string', 'Payload sub is not a string')
+
+  assert.ok('exp' in payload, 'Payload is missing exp')
+  assert.ok(typeof payload.exp === 'number', 'Payload exp is not a number')
+  assert.ok(Date.now() < payload.exp * 1000, 'Token is expired')
+
+  assert.ok('iat' in payload, 'Payload is missing iat')
+  assert.ok(typeof payload.iat === 'number', 'Payload iat is not a number')
+  assert.ok(Date.now() >= payload.iat * 1000, 'Token was issued in the future')
+  assert.ok(payload.exp >= payload.iat, 'Payload exp is before iat')
+
+  if ('nbf' in payload) {
+    assert.ok(typeof payload.nbf === 'number', 'Payload nbf is not a number')
+    assert.ok(Date.now() >= payload.nbf * 1000, 'Token is not valid yet')
+  }
+}
+
+export async function validateSignature ({
+  header: { kid, alg },
+  payload: { iss },
+  rawHeader,
+  rawPayload,
+  signature,
+  trusted = []
+}: {
+  readonly header: JwtHeader
+  rawHeader: string
+  readonly payload: IdToken
+  rawPayload: string
+  signature: string
+  trusted?: Trust[]
+}): Promise<void> {
+  if (alg.startsWith('HS')) {
+    // symmetric algorithm, issuer is validated at this point
+
+    const secrets = trusted.find((c) => c.iss === iss)!.secrets![alg]
+    const secret = kid !== undefined ? secrets[kid] : Object.values(secrets)[0]
+    const algorithm = alg.replace(/^HS(\d{3})$/, 'sha$1') // HS256 -> sha256
+    const hmac = crypto.createHmac(algorithm, secret)
+
+    hmac.update(rawHeader)
+    hmac.update('.')
+    hmac.update(rawPayload)
+    assert.strictEqual(signature, hmac.digest('base64url'), 'Signature does not match')
+
+    return
+  }
+
+  // Getting issuer public keys
+  const oidcRequest = await get(new URL('/.well-known/openid-configuration', iss).href)
+
+  assert.ok(oidcRequest.ok,
+    `Failed to fetch OpenID configuration: ${oidcRequest.statusText}`)
+
+  const { jwks_uri: jwksUri } = (await oidcRequest.json()) as { jwks_uri: string }
+
+  const jwkRequest = await get(jwksUri)
+
+  assert.ok(jwkRequest.ok, `Failed to fetch issuer keys: ${jwkRequest.statusText}`)
+
+  const { keys } = (await jwkRequest.json()) as {
+    keys: Array<{ use: string, kid?: string, alg?: string } & crypto.JsonWebKey>
+  }
+
+  // getting corresponding signing key
+  const signingKeys = keys.filter((k) => k.use === 'sig' && k.alg === alg)
+
+  assert.ok(signingKeys.length > 0, 'No acceptable signing keys found')
+
+  assert.ok(kid !== undefined || signingKeys.length === 1,
+    'Signing key selection is not deterministic')
+
+  const signingKey = kid === undefined ? signingKeys.find((k) => k.kid === kid) : keys[0]
+
+  assert.ok(signingKey, 'Signing key was not found in issuer keys')
+
+  const verifyFunction = crypto.createVerify('RSA-SHA256')
+
+  verifyFunction.write(rawHeader)
+  verifyFunction.write('.')
+  verifyFunction.write(rawPayload)
+  verifyFunction.end()
+
+  const signatureValid = verifyFunction.verify({ format: 'jwk', key: signingKey },
+    signature,
+    'base64url')
+
+  assert.ok(signatureValid, 'Failed to validate signature')
+}
+
+export async function decode (token: string, trusted?: Trust[]): Promise<IdToken> {
+  const { header, payload, rawHeader, rawPayload, signature } = decodeJwt(token)
+
+  validateJwtHeader(header)
+  validateJwtPayload(payload, trusted, header)
+
+  await validateSignature({
+    header,
+    rawHeader,
+    payload,
+    rawPayload,
+    signature,
+    trusted
+  })
+
+  return payload
+}

package/components/identity.federation/source/types/configuration.ts

@@ -0,0 +1,16 @@
+export interface Configuration {
+  implicit: boolean
+  trust?: Trust[]
+  principal?: Principal
+}
+
+export interface Trust {
+  iss: string
+  aud?: [string, ...string[]]
+  secrets?: Record<string, Record<string, string>>
+}
+
+interface Principal {
+  iss: string
+  sub: string
+}

package/components/identity.federation/source/types/context.ts

@@ -0,0 +1,55 @@
+import { type Call, type Observation, type Query } from '@toa.io/types'
+import type { Entity } from './entity'
+import type { Configuration } from './configuration'
+
+export interface Context {
+  local: {
+    observe: Observation<Entity>
+    transit: Call<TransitOutput, TransitInput>
+    ensure: Call<EnsureOutput>
+  }
+  remote: {
+    identity: {
+      tokens: {
+        revoke: Call<void, IdentityTokensRevokeInput>
+      }
+    }
+  }
+  configuration: Configuration
+}
+
+export interface TransitInput {
+  readonly authority: string
+  readonly iss: string
+  readonly sub: string
+}
+
+export interface TransitOutput {
+  id: string
+}
+
+export interface EnsureOutput {
+  id: string
+}
+
+interface IdentityTokensRevokeInput {
+  query: Query
+}
+
+export interface JwtHeader {
+  typ?: string
+  alg: string
+  kid?: string
+}
+
+/**
+ * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#IDToken}
+ */
+export interface IdToken {
+  iss: string
+  sub: string
+  aud: string | string[]
+  exp: number
+  iat: number
+  nbf?: number
+}

package/components/identity.federation/source/types/entity.ts

@@ -0,0 +1,6 @@
+export interface Entity {
+  id: string
+  authority: string
+  iss: string
+  sub: string
+}

package/components/identity.federation/source/types/index.ts

@@ -0,0 +1,3 @@
+export * from './configuration'
+export * from './context'
+export * from './entity'

package/components/identity.federation/tsconfig.json

@@ -0,0 +1,10 @@
+{
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./operations",
+    "module": "Node16",
+    "moduleResolution": "Node16",
+    "target": "ES2022"
+  },
+  "include": ["source"]
+}

package/components/identity.roles/manifest.toa.yaml

@@ -4,14 +4,20 @@ name: roles
 entity:
   schema:
     identity*: string
-    role*: string
+    role*: /^[a-zA-Z0-9]{0,32}(:[a-zA-Z0-9]{0,32}){0,8}$/
+    grantor: string
+  unique:
+    role: [identity, role]
 
 operations:
-  transit:
+  grant:
     query: false
     input:
-      identity*: string
-      role*: string
+      identity*: .
+      role*: .
+      grantor:
+        id: string
+        roles: [string]
   list:
     output: [string]
   principal:
@@ -20,12 +26,19 @@ operations:
 
 receivers:
   identity.basic.principal: principal
+  identity.federation.principal: principal
 
 exposition:
   isolated: true
   /:identity:
     auth:role: system:identity:roles
-    POST: transit
+    POST:
+      io:output: [id, grantor]
+      auth:rule:
+        delegate: grantor
+        role: system:identity:roles:delegation
+      endpoint: grant
     GET:
+      io:output: true # array of strings
       auth:id: identity
       endpoint: list

package/components/identity.roles/operations/grant.d.ts

@@ -0,0 +1,10 @@
+import type { Entity } from './lib/Entity';
+export declare function transition(input: Input, object: Entity): Promise<Entity | Error>;
+export interface Input {
+    identity: string;
+    role: string;
+    grantor?: {
+        id: string;
+        roles: string[];
+    };
+}

package/components/identity.roles/operations/grant.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.transition = void 0;
+const error_value_1 = require("error-value");
+async function transition(input, object) {
+    if (input.grantor === undefined)
+        return Object.assign(object, input);
+    if (!within('system:identity:roles', input.grantor.roles) &&
+        !within(input.role, input.grantor.roles))
+        return ERR_OUT_OF_SCOPE;
+    object.role = input.role;
+    object.identity = input.identity;
+    object.grantor = input.grantor.id;
+    return object;
+}
+exports.transition = transition;
+function within(role, scopes) {
+    return scopes.some((scope) => role === scope || role.startsWith(scope + ':'));
+}
+const ERR_OUT_OF_SCOPE = (0, error_value_1.Err)('OUT_OF_SCOPE');
+//# sourceMappingURL=grant.js.map

package/components/identity.roles/operations/grant.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"grant.js","sourceRoot":"","sources":["../source/grant.ts"],"names":[],"mappings":";;;AAAA,6CAAiC;AAG1B,KAAK,UAAU,UAAU,CAAE,KAAY,EAAE,MAAc;IAC5D,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS;QAC7B,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;IAErC,IAAI,CAAC,MAAM,CAAC,uBAAuB,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACvD,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACxC,OAAO,gBAAgB,CAAA;IAEzB,MAAM,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAA;IACxB,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;IAChC,MAAM,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,EAAE,CAAA;IAEjC,OAAO,MAAM,CAAA;AACf,CAAC;AAbD,gCAaC;AAED,SAAS,MAAM,CAAE,IAAY,EAAE,MAAgB;IAC7C,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,CAAA;AAC/E,CAAC;AAED,MAAM,gBAAgB,GAAG,IAAA,iBAAG,EAAC,cAAc,CAAC,CAAA"}

package/components/identity.roles/operations/lib/Entity.d.ts

@@ -0,0 +1,5 @@
+export interface Entity {
+    identity: string;
+    role: string;
+    grantor?: string;
+}

package/components/identity.roles/operations/lib/Entity.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=Entity.js.map

package/components/identity.roles/operations/lib/Entity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Entity.js","sourceRoot":"","sources":["../../source/lib/Entity.ts"],"names":[],"mappings":""}

package/components/identity.roles/operations/list.d.ts

@@ -0,0 +1,2 @@
+import type { Entity } from './lib/Entity';
+export declare function observation(_: unknown, objects: Entity[]): string[];