@treeseed/core 0.8.3 → 0.8.4

package/dist/api/auth/d1-database.d.ts

@@ -1,3 +0,0 @@
-import type { D1DatabaseLike } from '@treeseed/sdk/types/cloudflare';
-import type { ApiConfig } from '../types.ts';
-export declare function resolveApiD1Database(config: ApiConfig): D1DatabaseLike;

package/dist/api/auth/d1-database.js

@@ -1,20 +0,0 @@
-import { CloudflareHttpD1Database } from "@treeseed/sdk";
-import { NodeSqliteD1Database } from "@treeseed/sdk/db/node-sqlite";
-function resolveApiD1Database(config) {
-  if (config.cloudflareAccountId && config.cloudflareApiToken && config.d1DatabaseId) {
-    return new CloudflareHttpD1Database({
-      accountId: config.cloudflareAccountId,
-      apiToken: config.cloudflareApiToken,
-      databaseId: config.d1DatabaseId
-    });
-  }
-  if (config.d1LocalPersistTo || config.d1DatabaseName) {
-    return new NodeSqliteD1Database(config.d1LocalPersistTo);
-  }
-  throw new Error(
-    "Treeseed API auth requires either CLOUDFLARE_ACCOUNT_ID + CLOUDFLARE_API_TOKEN + TREESEED_API_D1_DATABASE_ID for remote D1 access, or TREESEED_API_D1_LOCAL_PERSIST_TO for local SQLite-backed D1-compatible access."
-  );
-}
-export {
-  resolveApiD1Database
-};

package/dist/api/auth/d1-provider.d.ts

@@ -1,79 +0,0 @@
-import type { D1DatabaseLike } from '@treeseed/sdk/types/cloudflare';
-import type { ApiAuthProvider, ApiConfig, ApiCredential, ApiPrincipal, DeviceCodeApproveRequest, DeviceCodePollRequest, DeviceCodePollResponse, DeviceCodeStartRequest, DeviceCodeStartResponse, TokenRefreshRequest, TokenRefreshResponse, TrustedUserAssertionClaims, UserIdentityProfileInput } from '../types.ts';
-export declare class D1AuthProvider implements ApiAuthProvider {
-    private readonly config;
-    readonly id = "d1";
-    private readonly store;
-    constructor(config: ApiConfig, options?: {
-        db?: D1DatabaseLike;
-    });
-    startDeviceFlow(request: DeviceCodeStartRequest): Promise<DeviceCodeStartResponse>;
-    pollDeviceFlow(request: DeviceCodePollRequest): Promise<DeviceCodePollResponse>;
-    refreshAccessToken(request: TokenRefreshRequest): Promise<TokenRefreshResponse>;
-    approveDeviceFlow(request: DeviceCodeApproveRequest): Promise<{
-        ok: true;
-    }>;
-    authenticateBearerToken(token: string): Promise<{
-        principal: ApiPrincipal;
-        credential: ApiCredential;
-    } | null>;
-    authenticateServiceCredential(serviceId: string, secret: string): Promise<{
-        principal: ApiPrincipal;
-        credential: ApiCredential;
-    } | null>;
-    createPersonalAccessToken(userId: string, input: {
-        name: string;
-        scopes?: string[];
-        expiresAt?: string | null;
-    }): Promise<{
-        id: `${string}-${string}-${string}-${string}-${string}`;
-        token: string;
-        prefix: string;
-        name: string;
-        expiresAt: string;
-    }>;
-    listPersonalAccessTokens(userId: string): Promise<{
-        id: string;
-        name: string;
-        token_prefix: string;
-        expires_at: string | null;
-        last_used_at: string | null;
-        revoked_at: string | null;
-        created_at: string;
-    }[]>;
-    revokePersonalAccessToken(userId: string, tokenId: string): Promise<void>;
-    syncUserIdentity(identity: UserIdentityProfileInput): Promise<{
-        identityId: string;
-        principal: ApiPrincipal;
-        userId: string;
-    }>;
-    createUser(input: {
-        email?: string | null;
-        displayName?: string | null;
-        metadata?: Record<string, unknown>;
-    }): Promise<{
-        principal: ApiPrincipal;
-        userId: string;
-    }>;
-    setUserRoles(userId: string, roles: string[]): Promise<{
-        principal: ApiPrincipal;
-        userId: string;
-    }>;
-    createServiceToken(input: {
-        serviceId: string;
-        name: string;
-        roles?: string[];
-        permissions?: string[];
-    }): Promise<import("./d1-store.ts").ServiceCredentialResult>;
-    rotateServiceToken(serviceId: string): Promise<import("./d1-store.ts").ServiceCredentialResult>;
-    createTrustedUserAssertion(claims: TrustedUserAssertionClaims): string;
-    verifyTrustedUserAssertion(assertion: string): TrustedUserAssertionClaims;
-    exchangeTrustedUserAssertion(claims: TrustedUserAssertionClaims): Promise<{
-        ok: true;
-        accessToken: string;
-        tokenType: "Bearer";
-        expiresAt: string;
-        expiresInSeconds: number;
-        principal: ApiPrincipal;
-    }>;
-}

package/dist/api/auth/d1-provider.js

@@ -1,92 +0,0 @@
-import { createHmac, timingSafeEqual } from "node:crypto";
-import { D1AuthStore } from "./d1-store.js";
-function encodePayload(payload) {
-  return Buffer.from(JSON.stringify(payload)).toString("base64url");
-}
-function decodePayload(value) {
-  return JSON.parse(Buffer.from(value, "base64url").toString("utf8"));
-}
-function signPayload(payload, secret) {
-  return createHmac("sha256", secret).update(payload).digest("base64url");
-}
-function safeEqual(left, right) {
-  const leftBuffer = Buffer.from(left);
-  const rightBuffer = Buffer.from(right);
-  return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
-}
-class D1AuthProvider {
-  constructor(config, options = {}) {
-    this.config = config;
-    if (!options.db) {
-      throw new Error("D1AuthProvider requires an explicit database binding or adapter.");
-    }
-    this.store = new D1AuthStore(config, options.db);
-  }
-  config;
-  id = "d1";
-  store;
-  startDeviceFlow(request) {
-    return this.store.startDeviceFlow(request);
-  }
-  pollDeviceFlow(request) {
-    return this.store.pollDeviceFlow(request);
-  }
-  refreshAccessToken(request) {
-    return this.store.refreshAccessToken(request);
-  }
-  approveDeviceFlow(request) {
-    return this.store.approveDeviceFlow(request);
-  }
-  authenticateBearerToken(token) {
-    return this.store.authenticateBearerToken(token);
-  }
-  authenticateServiceCredential(serviceId, secret) {
-    return this.store.authenticateService(serviceId, secret);
-  }
-  createPersonalAccessToken(userId, input) {
-    return this.store.createPersonalAccessToken(userId, input);
-  }
-  listPersonalAccessTokens(userId) {
-    return this.store.listPersonalAccessTokens(userId);
-  }
-  revokePersonalAccessToken(userId, tokenId) {
-    return this.store.revokePersonalAccessToken(userId, tokenId);
-  }
-  syncUserIdentity(identity) {
-    return this.store.syncUser(identity);
-  }
-  createUser(input) {
-    return this.store.createUser(input);
-  }
-  setUserRoles(userId, roles) {
-    return this.store.setUserRoles(userId, roles);
-  }
-  createServiceToken(input) {
-    return this.store.createServiceCredential(input);
-  }
-  rotateServiceToken(serviceId) {
-    return this.store.rotateServiceCredential(serviceId);
-  }
-  createTrustedUserAssertion(claims) {
-    const payload = encodePayload(claims);
-    const signature = signPayload(payload, this.config.webAssertionSecret);
-    return `${payload}.${signature}`;
-  }
-  verifyTrustedUserAssertion(assertion) {
-    const [payload, signature] = assertion.split(".");
-    if (!payload || !signature) return null;
-    const expectedSignature = signPayload(payload, this.config.webAssertionSecret);
-    if (!safeEqual(signature, expectedSignature)) return null;
-    const claims = decodePayload(payload);
-    if (!claims.expiresAt || new Date(claims.expiresAt).getTime() <= Date.now()) {
-      return null;
-    }
-    return claims;
-  }
-  exchangeTrustedUserAssertion(claims) {
-    return this.store.exchangeTrustedUserAssertion(claims);
-  }
-}
-export {
-  D1AuthProvider
-};

package/dist/api/auth/d1-store.d.ts

@@ -1,114 +0,0 @@
-import type { D1DatabaseLike } from '@treeseed/sdk/types/cloudflare';
-import type { ApiConfig, ApiCredential, ApiPrincipal, DeviceCodeApproveRequest, DeviceCodePollRequest, DeviceCodePollResponse, DeviceCodeStartRequest, DeviceCodeStartResponse, TokenRefreshRequest, TokenRefreshResponse, TrustedUserAssertionClaims, UserIdentityProfileInput } from '../types.ts';
-type PrincipalRecord = {
-    principal: ApiPrincipal;
-    userId: string;
-};
-export interface PersonalAccessTokenResult {
-    id: string;
-    token: string;
-    prefix: string;
-    name: string;
-    expiresAt: string | null;
-}
-export interface ServiceCredentialResult {
-    id: string;
-    serviceId: string;
-    secret: string;
-}
-export declare class D1AuthStore {
-    private readonly config;
-    private readonly db;
-    private initializationPromise;
-    constructor(config: ApiConfig, db: D1DatabaseLike);
-    private run;
-    private first;
-    private all;
-    private ensureInitialized;
-    private ensureAuthSchema;
-    private seedCatalog;
-    private seedConfiguredServices;
-    private loadUser;
-    private loadIdentityByProvider;
-    private loadUserByVerifiedEmail;
-    private rolesForUser;
-    private permissionsForUser;
-    private permissionsForRoles;
-    private scopesForPrincipal;
-    private principalForUser;
-    private assignRole;
-    private replaceRoles;
-    private bootstrapRolesForUser;
-    private writeAuditEvent;
-    private userMetadata;
-    syncUser(identity: UserIdentityProfileInput): Promise<{
-        identityId: string;
-        principal: ApiPrincipal;
-        userId: string;
-    }>;
-    createUser(input: {
-        email?: string | null;
-        username?: string | null;
-        displayName?: string | null;
-        metadata?: Record<string, unknown>;
-    }): Promise<PrincipalRecord>;
-    setUserRoles(userId: string, roles: string[]): Promise<PrincipalRecord>;
-    startDeviceFlow(request: DeviceCodeStartRequest): Promise<DeviceCodeStartResponse>;
-    approveDeviceFlow(request: DeviceCodeApproveRequest): Promise<{
-        ok: true;
-    }>;
-    pollDeviceFlow(request: DeviceCodePollRequest): Promise<DeviceCodePollResponse>;
-    refreshAccessToken(request: TokenRefreshRequest): Promise<TokenRefreshResponse>;
-    createPersonalAccessToken(userId: string, input: {
-        name: string;
-        scopes?: string[];
-        expiresAt?: string | null;
-    }): Promise<{
-        id: `${string}-${string}-${string}-${string}-${string}`;
-        token: string;
-        prefix: string;
-        name: string;
-        expiresAt: string;
-    }>;
-    listPersonalAccessTokens(userId: string): Promise<{
-        id: string;
-        name: string;
-        token_prefix: string;
-        expires_at: string | null;
-        last_used_at: string | null;
-        revoked_at: string | null;
-        created_at: string;
-    }[]>;
-    revokePersonalAccessToken(userId: string, tokenId: string): Promise<void>;
-    upsertServiceCredential(input: {
-        serviceId: string;
-        name: string;
-        secret: string;
-        roles?: string[];
-        permissions?: string[];
-    }): Promise<string>;
-    createServiceCredential(input: {
-        serviceId: string;
-        name: string;
-        roles?: string[];
-        permissions?: string[];
-    }): Promise<ServiceCredentialResult>;
-    rotateServiceCredential(serviceId: string): Promise<ServiceCredentialResult>;
-    authenticateBearerToken(token: string): Promise<{
-        principal: ApiPrincipal;
-        credential: ApiCredential;
-    } | null>;
-    authenticateService(serviceId: string, secret: string): Promise<{
-        principal: ApiPrincipal;
-        credential: ApiCredential;
-    } | null>;
-    exchangeTrustedUserAssertion(claims: TrustedUserAssertionClaims): Promise<{
-        ok: true;
-        accessToken: string;
-        tokenType: "Bearer";
-        expiresAt: string;
-        expiresInSeconds: number;
-        principal: ApiPrincipal;
-    }>;
-}
-export {};