@varity-labs/types 2.0.0-alpha.1

package/dist/auth.d.ts

@@ -0,0 +1,457 @@
+/**
+ * Authentication & Authorization Types
+ *
+ * Comprehensive type definitions for authentication, authorization, and access control
+ * across Varity's S3-compatible and GCS-compatible storage gateways.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Supported authentication providers
+ */
+export declare enum AuthProvider {
+    AWS_SIGNATURE_V4 = "aws-signature-v4",
+    GCS_OAUTH2 = "gcs-oauth2",
+    GCS_SERVICE_ACCOUNT = "gcs-service-account",
+    VARITY_API_KEY = "varity-api-key",
+    WEB3_WALLET = "web3-wallet"
+}
+/**
+ * Access key status
+ */
+export declare enum AccessKeyStatus {
+    ACTIVE = "active",
+    INACTIVE = "inactive",
+    REVOKED = "revoked",
+    EXPIRED = "expired"
+}
+/**
+ * Access key for S3/GCS API authentication
+ */
+export interface AccessKey {
+    /** Unique access key identifier (e.g., VARIETYXXXXXXXXXXXXXXXX) */
+    accessKeyId: string;
+    /** Secret access key (only returned on creation) */
+    secretAccessKey: string;
+    /** Customer ID that owns this key */
+    customerId: string;
+    /** Human-readable name for the key */
+    name: string;
+    /** Optional description */
+    description?: string;
+    /** Permissions granted to this key */
+    permissions: Permission[];
+    /** Current status of the key */
+    status: AccessKeyStatus;
+    /** When the key was created */
+    createdAt: Date;
+    /** Last time the key was used */
+    lastUsedAt?: Date;
+    /** Optional expiration date */
+    expiresAt?: Date;
+}
+/**
+ * Permission effect (allow or deny)
+ */
+export declare enum PermissionEffect {
+    ALLOW = "allow",
+    DENY = "deny"
+}
+/**
+ * Storage and administrative actions
+ */
+export declare enum Action {
+    GET_OBJECT = "storage:GetObject",
+    PUT_OBJECT = "storage:PutObject",
+    DELETE_OBJECT = "storage:DeleteObject",
+    LIST_OBJECTS = "storage:ListObjects",
+    CREATE_BUCKET = "storage:CreateBucket",
+    DELETE_BUCKET = "storage:DeleteBucket",
+    LIST_BUCKETS = "storage:ListBuckets",
+    GET_BUCKET_METADATA = "storage:GetBucketMetadata",
+    PUT_BUCKET_POLICY = "storage:PutBucketPolicy",
+    GET_BUCKET_POLICY = "storage:GetBucketPolicy",
+    INITIATE_MULTIPART_UPLOAD = "storage:InitiateMultipartUpload",
+    UPLOAD_PART = "storage:UploadPart",
+    COMPLETE_MULTIPART_UPLOAD = "storage:CompleteMultipartUpload",
+    ABORT_MULTIPART_UPLOAD = "storage:AbortMultipartUpload",
+    MANAGE_ACCESS_KEYS = "admin:ManageAccessKeys",
+    VIEW_METRICS = "admin:ViewMetrics",
+    MANAGE_BILLING = "admin:ManageBilling",
+    MANAGE_ENCRYPTION = "admin:ManageEncryption",
+    ALL_ACTIONS = "*"
+}
+/**
+ * Permission definition for a resource
+ */
+export interface Permission {
+    /** Resource pattern (e.g., "bucket:my-bucket" or "bucket:my-bucket/prefix/*") */
+    resource: string;
+    /** Actions allowed or denied on this resource */
+    actions: Action[];
+    /** Whether to allow or deny these actions */
+    effect: PermissionEffect;
+}
+/**
+ * AWS Signature V4 request data
+ */
+export interface AWSSignatureV4Request {
+    /** HTTP method (GET, PUT, POST, DELETE, etc.) */
+    method: string;
+    /** Full URL including query string */
+    url: string;
+    /** HTTP headers */
+    headers: Record<string, string>;
+    /** Request body (if any) */
+    body?: string;
+    /** Query parameters */
+    query?: Record<string, string>;
+}
+/**
+ * AWS Signature V4 credentials
+ */
+export interface AWSSignatureV4Credentials {
+    /** Access key ID */
+    accessKeyId: string;
+    /** Secret access key */
+    secretAccessKey: string;
+    /** Optional session token (for temporary credentials) */
+    sessionToken?: string;
+    /** AWS region (e.g., 'us-east-1') */
+    region: string;
+    /** AWS service name (e.g., 's3') */
+    service: string;
+}
+/**
+ * AWS Signature V4 validation result
+ */
+export interface AWSSignatureV4Result {
+    /** Whether the signature is valid */
+    valid: boolean;
+    /** Access key ID extracted from signature */
+    accessKeyId?: string;
+    /** Error message if validation failed */
+    error?: string;
+    /** Timestamp of validation */
+    timestamp: Date;
+}
+/**
+ * Parsed AWS Signature V4 components
+ */
+export interface S3SignatureV4Components {
+    /** Algorithm (e.g., 'AWS4-HMAC-SHA256') */
+    algorithm: string;
+    /** Credential scope string */
+    credential: string;
+    /** List of signed headers */
+    signedHeaders: string[];
+    /** Hex-encoded signature */
+    signature: string;
+    /** Date in YYYYMMDD format */
+    date: string;
+    /** AWS region */
+    region: string;
+    /** AWS service name */
+    service: string;
+}
+/**
+ * AWS Signature V4 canonical request
+ */
+export interface S3CanonicalRequest {
+    /** HTTP method */
+    method: string;
+    /** Canonical URI */
+    uri: string;
+    /** Canonical query string */
+    queryString: string;
+    /** Canonical headers */
+    canonicalHeaders: string;
+    /** Signed headers */
+    signedHeaders: string;
+    /** SHA256 hash of payload */
+    payloadHash: string;
+}
+/**
+ * AWS Signature V4 string to sign
+ */
+export interface S3StringToSign {
+    /** Algorithm identifier */
+    algorithm: string;
+    /** Request date-time in ISO format */
+    requestDateTime: string;
+    /** Credential scope */
+    credentialScope: string;
+    /** SHA256 hash of canonical request */
+    hashedCanonicalRequest: string;
+}
+/**
+ * GCS OAuth 2.0 token
+ */
+export interface GCSOAuth2Token {
+    /** Bearer token */
+    accessToken: string;
+    /** Token type (always 'Bearer') */
+    tokenType: 'Bearer';
+    /** Seconds until token expires */
+    expiresIn: number;
+    /** Optional refresh token */
+    refreshToken?: string;
+    /** Granted scopes */
+    scope: string[];
+    /** When token was issued */
+    issuedAt: Date;
+}
+/**
+ * GCS OAuth 2.0 validation result
+ */
+export interface GCSOAuth2ValidationResult {
+    /** Whether the token is valid */
+    valid: boolean;
+    /** User email associated with token */
+    email?: string;
+    /** GCP project ID */
+    projectId?: string;
+    /** Authorized scopes */
+    scopes?: string[];
+    /** Error message if validation failed */
+    error?: string;
+}
+/**
+ * GCS Service Account credentials
+ */
+export interface GCSServiceAccount {
+    /** Account type (always 'service_account') */
+    type: 'service_account';
+    /** GCP project ID */
+    projectId: string;
+    /** Private key ID */
+    privateKeyId: string;
+    /** Private key in PEM format */
+    privateKey: string;
+    /** Service account email */
+    clientEmail: string;
+    /** Client ID */
+    clientId: string;
+    /** OAuth 2.0 authorization URI */
+    authUri: string;
+    /** OAuth 2.0 token URI */
+    tokenUri: string;
+    /** Auth provider x509 cert URL */
+    authProviderX509CertUrl: string;
+    /** Client x509 cert URL */
+    clientX509CertUrl: string;
+}
+/**
+ * GCS Service Account token
+ */
+export interface GCSServiceAccountToken {
+    /** Bearer token */
+    accessToken: string;
+    /** Seconds until token expires */
+    expiresIn: number;
+    /** Token type (always 'Bearer') */
+    tokenType: 'Bearer';
+}
+/**
+ * Rate limiting configuration
+ */
+export interface RateLimit {
+    /** Maximum requests per second */
+    requestsPerSecond: number;
+    /** Maximum requests per day */
+    requestsPerDay: number;
+    /** Maximum bandwidth per day (bytes) */
+    bandwidthPerDay: number;
+}
+/**
+ * Varity API Key
+ */
+export interface VarityAPIKey {
+    /** Key identifier */
+    keyId: string;
+    /** Secret key */
+    keySecret: string;
+    /** Customer ID that owns this key */
+    customerId: string;
+    /** Permissions granted to this key */
+    permissions: Permission[];
+    /** Rate limiting configuration */
+    rateLimit: RateLimit;
+    /** Key status */
+    status: AccessKeyStatus;
+}
+/**
+ * Web3 wallet authentication request
+ */
+export interface Web3AuthRequest {
+    /** Wallet address */
+    walletAddress: string;
+    /** Cryptographic signature */
+    signature: string;
+    /** Original message that was signed */
+    message: string;
+    /** Timestamp of signature request */
+    timestamp: number;
+}
+/**
+ * Web3 authentication result
+ */
+export interface Web3AuthResult {
+    /** Whether the signature is valid */
+    valid: boolean;
+    /** Verified wallet address */
+    walletAddress?: string;
+    /** Error message if validation failed */
+    error?: string;
+}
+/**
+ * Policy condition types
+ */
+export declare enum ConditionType {
+    STRING_EQUALS = "StringEquals",
+    STRING_NOT_EQUALS = "StringNotEquals",
+    STRING_LIKE = "StringLike",
+    NUMERIC_EQUALS = "NumericEquals",
+    NUMERIC_LESS_THAN = "NumericLessThan",
+    NUMERIC_GREATER_THAN = "NumericGreaterThan",
+    DATE_EQUALS = "DateEquals",
+    DATE_LESS_THAN = "DateLessThan",
+    DATE_GREATER_THAN = "DateGreaterThan",
+    BOOL = "Bool",
+    IP_ADDRESS = "IpAddress",
+    NOT_IP_ADDRESS = "NotIpAddress"
+}
+/**
+ * Policy condition
+ */
+export interface PolicyCondition {
+    /** Condition type */
+    type: ConditionType;
+    /** Condition key */
+    key: string;
+    /** Condition value */
+    value: string | number | boolean;
+}
+/**
+ * Policy statement
+ */
+export interface PolicyStatement {
+    /** Statement ID (optional) */
+    sid?: string;
+    /** Effect (allow or deny) */
+    effect: PermissionEffect;
+    /** Actions covered by this statement */
+    actions: Action[];
+    /** Resources covered by this statement */
+    resources: string[];
+    /** Optional conditions */
+    conditions?: PolicyCondition[];
+}
+/**
+ * Authorization policy
+ */
+export interface AuthorizationPolicy {
+    /** Unique policy ID */
+    policyId: string;
+    /** Policy name */
+    name: string;
+    /** Optional description */
+    description?: string;
+    /** Policy statements */
+    statements: PolicyStatement[];
+    /** Policy version (e.g., '2024-01-01') */
+    version: string;
+}
+/**
+ * Authorization request context
+ */
+export interface AuthorizationContext {
+    /** Customer ID making the request */
+    customerId: string;
+    /** Access key ID (if using key auth) */
+    accessKeyId?: string;
+    /** Wallet address (if using Web3 auth) */
+    walletAddress?: string;
+    /** Action being requested */
+    action: Action;
+    /** Resource being accessed */
+    resource: string;
+    /** Request IP address */
+    ipAddress?: string;
+    /** Request timestamp */
+    timestamp: Date;
+    /** Request headers */
+    requestHeaders?: Record<string, string>;
+}
+/**
+ * Authorization result
+ */
+export interface AuthorizationResult {
+    /** Whether the action is allowed */
+    allowed: boolean;
+    /** Reason for the decision */
+    reason?: string;
+    /** Policy that allowed the action */
+    matchedPolicy?: string;
+    /** Policy that denied the action */
+    deniedBy?: string;
+}
+/**
+ * User session
+ */
+export interface Session {
+    /** Unique session ID */
+    sessionId: string;
+    /** Customer ID */
+    customerId: string;
+    /** Authentication provider used */
+    authProvider: AuthProvider;
+    /** Stored credentials (type depends on provider) */
+    credentials: any;
+    /** When session was created */
+    createdAt: Date;
+    /** When session expires */
+    expiresAt: Date;
+    /** Last activity timestamp */
+    lastActivityAt: Date;
+}
+/**
+ * Utility class for checking permissions
+ */
+export declare class PermissionChecker {
+    /**
+     * Check if a set of permissions allows a specific action on a resource
+     *
+     * @param permissions - List of permissions to check
+     * @param action - Action being requested
+     * @param resource - Resource being accessed
+     * @returns true if allowed, false otherwise
+     */
+    static isAllowed(permissions: Permission[], action: Action, resource: string): boolean;
+    /**
+     * Check if an action matches the allowed actions
+     */
+    private static matchesAction;
+    /**
+     * Check if a resource matches a resource pattern
+     * Supports wildcards: * (match any) and ? (match single character)
+     */
+    private static matchesResource;
+    /**
+     * Check if an action is allowed with detailed reason
+     */
+    static checkPermission(permissions: Permission[], action: Action, resource: string): AuthorizationResult;
+}
+/**
+ * Check if credentials are AWS Signature V4 credentials
+ */
+export declare function isAWSSignatureV4Credentials(credentials: any): credentials is AWSSignatureV4Credentials;
+/**
+ * Check if credentials are GCS Service Account credentials
+ */
+export declare function isGCSServiceAccount(credentials: any): credentials is GCSServiceAccount;
+/**
+ * Check if token is a GCS OAuth2 token
+ */
+export declare function isGCSOAuth2Token(token: any): token is GCSOAuth2Token;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH;;GAEG;AACH,oBAAY,YAAY;IACtB,gBAAgB,qBAAqB;IACrC,UAAU,eAAe;IACzB,mBAAmB,wBAAwB;IAC3C,cAAc,mBAAmB;IACjC,WAAW,gBAAgB;CAC5B;AAMD;;GAEG;AACH,oBAAY,eAAe;IACzB,MAAM,WAAW;IACjB,QAAQ,aAAa;IACrB,OAAO,YAAY;IACnB,OAAO,YAAY;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,mEAAmE;IACnE,WAAW,EAAE,MAAM,CAAA;IAEnB,oDAAoD;IACpD,eAAe,EAAE,MAAM,CAAA;IAEvB,qCAAqC;IACrC,UAAU,EAAE,MAAM,CAAA;IAElB,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAA;IAEZ,2BAA2B;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAA;IAEpB,sCAAsC;IACtC,WAAW,EAAE,UAAU,EAAE,CAAA;IAEzB,gCAAgC;IAChC,MAAM,EAAE,eAAe,CAAA;IAEvB,+BAA+B;IAC/B,SAAS,EAAE,IAAI,CAAA;IAEf,iCAAiC;IACjC,UAAU,CAAC,EAAE,IAAI,CAAA;IAEjB,+BAA+B;IAC/B,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAMD;;GAEG;AACH,oBAAY,gBAAgB;IAC1B,KAAK,UAAU;IACf,IAAI,SAAS;CACd;AAED;;GAEG;AACH,oBAAY,MAAM;IAEhB,UAAU,sBAAsB;IAChC,UAAU,sBAAsB;IAChC,aAAa,yBAAyB;IACtC,YAAY,wBAAwB;IAGpC,aAAa,yBAAyB;IACtC,aAAa,yBAAyB;IACtC,YAAY,wBAAwB;IACpC,mBAAmB,8BAA8B;IACjD,iBAAiB,4BAA4B;IAC7C,iBAAiB,4BAA4B;IAG7C,yBAAyB,oCAAoC;IAC7D,WAAW,uBAAuB;IAClC,yBAAyB,oCAAoC;IAC7D,sBAAsB,iCAAiC;IAGvD,kBAAkB,2BAA2B;IAC7C,YAAY,sBAAsB;IAClC,cAAc,wBAAwB;IACtC,iBAAiB,2BAA2B;IAG5C,WAAW,MAAM;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,iFAAiF;IACjF,QAAQ,EAAE,MAAM,CAAA;IAEhB,iDAAiD;IACjD,OAAO,EAAE,MAAM,EAAE,CAAA;IAEjB,6CAA6C;IAC7C,MAAM,EAAE,gBAAgB,CAAA;CACzB;AAMD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,iDAAiD;IACjD,MAAM,EAAE,MAAM,CAAA;IAEd,sCAAsC;IACtC,GAAG,EAAE,MAAM,CAAA;IAEX,mBAAmB;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAE/B,4BAA4B;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAA;IAEb,uBAAuB;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,oBAAoB;IACpB,WAAW,EAAE,MAAM,CAAA;IAEnB,wBAAwB;IACxB,eAAe,EAAE,MAAM,CAAA;IAEvB,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,CAAA;IAErB,qCAAqC;IACrC,MAAM,EAAE,MAAM,CAAA;IAEd,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,qCAAqC;IACrC,KAAK,EAAE,OAAO,CAAA;IAEd,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAA;IAEpB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAA;IAEd,8BAA8B;IAC9B,SAAS,EAAE,IAAI,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAA;IAEjB,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAA;IAElB,6BAA6B;IAC7B,aAAa,EAAE,MAAM,EAAE,CAAA;IAEvB,4BAA4B;IAC5B,SAAS,EAAE,MAAM,CAAA;IAEjB,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAA;IAEZ,iBAAiB;IACjB,MAAM,EAAE,MAAM,CAAA;IAEd,uBAAuB;IACvB,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,kBAAkB;IAClB,MAAM,EAAE,MAAM,CAAA;IAEd,oBAAoB;IACpB,GAAG,EAAE,MAAM,CAAA;IAEX,6BAA6B;IAC7B,WAAW,EAAE,MAAM,CAAA;IAEnB,wBAAwB;IACxB,gBAAgB,EAAE,MAAM,CAAA;IAExB,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAA;IAErB,6BAA6B;IAC7B,WAAW,EAAE,MAAM,CAAA;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAA;IAEjB,sCAAsC;IACtC,eAAe,EAAE,MAAM,CAAA;IAEvB,uBAAuB;IACvB,eAAe,EAAE,MAAM,CAAA;IAEvB,uCAAuC;IACvC,sBAAsB,EAAE,MAAM,CAAA;CAC/B;AAMD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAA;IAEnB,mCAAmC;IACnC,SAAS,EAAE,QAAQ,CAAA;IAEnB,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAA;IAEjB,6BAA6B;IAC7B,YAAY,CAAC,EAAE,MAAM,CAAA;IAErB,qBAAqB;IACrB,KAAK,EAAE,MAAM,EAAE,CAAA;IAEf,4BAA4B;IAC5B,QAAQ,EAAE,IAAI,CAAA;CACf;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,iCAAiC;IACjC,KAAK,EAAE,OAAO,CAAA;IAEd,uCAAuC;IACvC,KAAK,CAAC,EAAE,MAAM,CAAA;IAEd,qBAAqB;IACrB,SAAS,CAAC,EAAE,MAAM,CAAA;IAElB,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IAEjB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAMD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,8CAA8C;IAC9C,IAAI,EAAE,iBAAiB,CAAA;IAEvB,qBAAqB;IACrB,SAAS,EAAE,MAAM,CAAA;IAEjB,qBAAqB;IACrB,YAAY,EAAE,MAAM,CAAA;IAEpB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAA;IAElB,4BAA4B;IAC5B,WAAW,EAAE,MAAM,CAAA;IAEnB,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAA;IAEhB,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAA;IAEf,0BAA0B;IAC1B,QAAQ,EAAE,MAAM,CAAA;IAEhB,kCAAkC;IAClC,uBAAuB,EAAE,MAAM,CAAA;IAE/B,2BAA2B;IAC3B,iBAAiB,EAAE,MAAM,CAAA;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAA;IAEnB,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAA;IAEjB,mCAAmC;IACnC,SAAS,EAAE,QAAQ,CAAA;CACpB;AAMD;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,kCAAkC;IAClC,iBAAiB,EAAE,MAAM,CAAA;IAEzB,+BAA+B;IAC/B,cAAc,EAAE,MAAM,CAAA;IAEtB,wCAAwC;IACxC,eAAe,EAAE,MAAM,CAAA;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,qBAAqB;IACrB,KAAK,EAAE,MAAM,CAAA;IAEb,iBAAiB;IACjB,SAAS,EAAE,MAAM,CAAA;IAEjB,qCAAqC;IACrC,UAAU,EAAE,MAAM,CAAA;IAElB,sCAAsC;IACtC,WAAW,EAAE,UAAU,EAAE,CAAA;IAEzB,kCAAkC;IAClC,SAAS,EAAE,SAAS,CAAA;IAEpB,iBAAiB;IACjB,MAAM,EAAE,eAAe,CAAA;CACxB;AAMD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAA;IAErB,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAA;IAEjB,uCAAuC;IACvC,OAAO,EAAE,MAAM,CAAA;IAEf,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,qCAAqC;IACrC,KAAK,EAAE,OAAO,CAAA;IAEd,8BAA8B;IAC9B,aAAa,CAAC,EAAE,MAAM,CAAA;IAEtB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAMD;;GAEG;AACH,oBAAY,aAAa;IACvB,aAAa,iBAAiB;IAC9B,iBAAiB,oBAAoB;IACrC,WAAW,eAAe;IAC1B,cAAc,kBAAkB;IAChC,iBAAiB,oBAAoB;IACrC,oBAAoB,uBAAuB;IAC3C,WAAW,eAAe;IAC1B,cAAc,iBAAiB;IAC/B,iBAAiB,oBAAoB;IACrC,IAAI,SAAS;IACb,UAAU,cAAc;IACxB,cAAc,iBAAiB;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,qBAAqB;IACrB,IAAI,EAAE,aAAa,CAAA;IAEnB,oBAAoB;IACpB,GAAG,EAAE,MAAM,CAAA;IAEX,sBAAsB;IACtB,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAA;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAA;IAEZ,6BAA6B;IAC7B,MAAM,EAAE,gBAAgB,CAAA;IAExB,wCAAwC;IACxC,OAAO,EAAE,MAAM,EAAE,CAAA;IAEjB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,EAAE,CAAA;IAEnB,0BAA0B;IAC1B,UAAU,CAAC,EAAE,eAAe,EAAE,CAAA;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAA;IAEhB,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAA;IAEZ,2BAA2B;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAA;IAEpB,wBAAwB;IACxB,UAAU,EAAE,eAAe,EAAE,CAAA;IAE7B,0CAA0C;IAC1C,OAAO,EAAE,MAAM,CAAA;CAChB;AAMD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,qCAAqC;IACrC,UAAU,EAAE,MAAM,CAAA;IAElB,wCAAwC;IACxC,WAAW,CAAC,EAAE,MAAM,CAAA;IAEpB,0CAA0C;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAA;IAEtB,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAA;IAEd,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAEhB,yBAAyB;IACzB,SAAS,CAAC,EAAE,MAAM,CAAA;IAElB,wBAAwB;IACxB,SAAS,EAAE,IAAI,CAAA;IAEf,sBAAsB;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACxC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAA;IAEhB,8BAA8B;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAA;IAEf,qCAAqC;IACrC,aAAa,CAAC,EAAE,MAAM,CAAA;IAEtB,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAMD;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,wBAAwB;IACxB,SAAS,EAAE,MAAM,CAAA;IAEjB,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAA;IAElB,mCAAmC;IACnC,YAAY,EAAE,YAAY,CAAA;IAE1B,oDAAoD;IACpD,WAAW,EAAE,GAAG,CAAA;IAEhB,+BAA+B;IAC/B,SAAS,EAAE,IAAI,CAAA;IAEf,2BAA2B;IAC3B,SAAS,EAAE,IAAI,CAAA;IAEf,8BAA8B;IAC9B,cAAc,EAAE,IAAI,CAAA;CACrB;AAMD;;GAEG;AACH,qBAAa,iBAAiB;IAC5B;;;;;;;OAOG;IACH,MAAM,CAAC,SAAS,CACd,WAAW,EAAE,UAAU,EAAE,EACzB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,OAAO;IA2BV;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,aAAa;IAO5B;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,eAAe;IAc9B;;OAEG;IACH,MAAM,CAAC,eAAe,CACpB,WAAW,EAAE,UAAU,EAAE,EACzB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,mBAAmB;CAqCvB;AAMD;;GAEG;AACH,wBAAgB,2BAA2B,CACzC,WAAW,EAAE,GAAG,GACf,WAAW,IAAI,yBAAyB,CAQ1C;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,WAAW,EAAE,GAAG,GACf,WAAW,IAAI,iBAAiB,CAQlC;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,GAAG,GACT,KAAK,IAAI,cAAc,CAOzB"}

package/dist/auth.js

@@ -0,0 +1,222 @@
+/**
+ * Authentication & Authorization Types
+ *
+ * Comprehensive type definitions for authentication, authorization, and access control
+ * across Varity's S3-compatible and GCS-compatible storage gateways.
+ *
+ * @packageDocumentation
+ */
+// ============================================================================
+// Authentication Provider Types
+// ============================================================================
+/**
+ * Supported authentication providers
+ */
+export var AuthProvider;
+(function (AuthProvider) {
+    AuthProvider["AWS_SIGNATURE_V4"] = "aws-signature-v4";
+    AuthProvider["GCS_OAUTH2"] = "gcs-oauth2";
+    AuthProvider["GCS_SERVICE_ACCOUNT"] = "gcs-service-account";
+    AuthProvider["VARITY_API_KEY"] = "varity-api-key";
+    AuthProvider["WEB3_WALLET"] = "web3-wallet";
+})(AuthProvider || (AuthProvider = {}));
+// ============================================================================
+// Access Key Management
+// ============================================================================
+/**
+ * Access key status
+ */
+export var AccessKeyStatus;
+(function (AccessKeyStatus) {
+    AccessKeyStatus["ACTIVE"] = "active";
+    AccessKeyStatus["INACTIVE"] = "inactive";
+    AccessKeyStatus["REVOKED"] = "revoked";
+    AccessKeyStatus["EXPIRED"] = "expired";
+})(AccessKeyStatus || (AccessKeyStatus = {}));
+// ============================================================================
+// Permission System
+// ============================================================================
+/**
+ * Permission effect (allow or deny)
+ */
+export var PermissionEffect;
+(function (PermissionEffect) {
+    PermissionEffect["ALLOW"] = "allow";
+    PermissionEffect["DENY"] = "deny";
+})(PermissionEffect || (PermissionEffect = {}));
+/**
+ * Storage and administrative actions
+ */
+export var Action;
+(function (Action) {
+    // Storage object actions
+    Action["GET_OBJECT"] = "storage:GetObject";
+    Action["PUT_OBJECT"] = "storage:PutObject";
+    Action["DELETE_OBJECT"] = "storage:DeleteObject";
+    Action["LIST_OBJECTS"] = "storage:ListObjects";
+    // Bucket actions
+    Action["CREATE_BUCKET"] = "storage:CreateBucket";
+    Action["DELETE_BUCKET"] = "storage:DeleteBucket";
+    Action["LIST_BUCKETS"] = "storage:ListBuckets";
+    Action["GET_BUCKET_METADATA"] = "storage:GetBucketMetadata";
+    Action["PUT_BUCKET_POLICY"] = "storage:PutBucketPolicy";
+    Action["GET_BUCKET_POLICY"] = "storage:GetBucketPolicy";
+    // Multipart upload actions
+    Action["INITIATE_MULTIPART_UPLOAD"] = "storage:InitiateMultipartUpload";
+    Action["UPLOAD_PART"] = "storage:UploadPart";
+    Action["COMPLETE_MULTIPART_UPLOAD"] = "storage:CompleteMultipartUpload";
+    Action["ABORT_MULTIPART_UPLOAD"] = "storage:AbortMultipartUpload";
+    // Administrative actions
+    Action["MANAGE_ACCESS_KEYS"] = "admin:ManageAccessKeys";
+    Action["VIEW_METRICS"] = "admin:ViewMetrics";
+    Action["MANAGE_BILLING"] = "admin:ManageBilling";
+    Action["MANAGE_ENCRYPTION"] = "admin:ManageEncryption";
+    // Wildcard
+    Action["ALL_ACTIONS"] = "*";
+})(Action || (Action = {}));
+// ============================================================================
+// Authorization Policies
+// ============================================================================
+/**
+ * Policy condition types
+ */
+export var ConditionType;
+(function (ConditionType) {
+    ConditionType["STRING_EQUALS"] = "StringEquals";
+    ConditionType["STRING_NOT_EQUALS"] = "StringNotEquals";
+    ConditionType["STRING_LIKE"] = "StringLike";
+    ConditionType["NUMERIC_EQUALS"] = "NumericEquals";
+    ConditionType["NUMERIC_LESS_THAN"] = "NumericLessThan";
+    ConditionType["NUMERIC_GREATER_THAN"] = "NumericGreaterThan";
+    ConditionType["DATE_EQUALS"] = "DateEquals";
+    ConditionType["DATE_LESS_THAN"] = "DateLessThan";
+    ConditionType["DATE_GREATER_THAN"] = "DateGreaterThan";
+    ConditionType["BOOL"] = "Bool";
+    ConditionType["IP_ADDRESS"] = "IpAddress";
+    ConditionType["NOT_IP_ADDRESS"] = "NotIpAddress";
+})(ConditionType || (ConditionType = {}));
+// ============================================================================
+// Permission Checker Utility
+// ============================================================================
+/**
+ * Utility class for checking permissions
+ */
+export class PermissionChecker {
+    /**
+     * Check if a set of permissions allows a specific action on a resource
+     *
+     * @param permissions - List of permissions to check
+     * @param action - Action being requested
+     * @param resource - Resource being accessed
+     * @returns true if allowed, false otherwise
+     */
+    static isAllowed(permissions, action, resource) {
+        // Check for explicit deny first (deny always wins)
+        for (const permission of permissions) {
+            if (permission.effect === PermissionEffect.DENY &&
+                this.matchesAction(permission.actions, action) &&
+                this.matchesResource(permission.resource, resource)) {
+                return false;
+            }
+        }
+        // Check for explicit allow
+        for (const permission of permissions) {
+            if (permission.effect === PermissionEffect.ALLOW &&
+                this.matchesAction(permission.actions, action) &&
+                this.matchesResource(permission.resource, resource)) {
+                return true;
+            }
+        }
+        // Default deny (principle of least privilege)
+        return false;
+    }
+    /**
+     * Check if an action matches the allowed actions
+     */
+    static matchesAction(allowedActions, action) {
+        return (allowedActions.indexOf(action) !== -1 ||
+            allowedActions.indexOf(Action.ALL_ACTIONS) !== -1);
+    }
+    /**
+     * Check if a resource matches a resource pattern
+     * Supports wildcards: * (match any) and ? (match single character)
+     */
+    static matchesResource(pattern, resource) {
+        // Convert wildcard pattern to regex
+        // bucket:* matches bucket:my-bucket
+        // bucket:my-bucket/* matches bucket:my-bucket/file.txt
+        // bucket:my-bucket/prefix-* matches bucket:my-bucket/prefix-123
+        const regexPattern = pattern
+            .replace(/[.+^${}()|[\]\\]/g, '\\$&') // Escape regex special chars
+            .replace(/\*/g, '.*') // * matches any characters
+            .replace(/\?/g, '.'); // ? matches single character
+        const regex = new RegExp(`^${regexPattern}$`);
+        return regex.test(resource);
+    }
+    /**
+     * Check if an action is allowed with detailed reason
+     */
+    static checkPermission(permissions, action, resource) {
+        // Check for explicit deny first
+        for (const permission of permissions) {
+            if (permission.effect === PermissionEffect.DENY &&
+                this.matchesAction(permission.actions, action) &&
+                this.matchesResource(permission.resource, resource)) {
+                return {
+                    allowed: false,
+                    reason: `Explicitly denied by policy`,
+                    deniedBy: `resource:${permission.resource} action:${action}`
+                };
+            }
+        }
+        // Check for explicit allow
+        for (const permission of permissions) {
+            if (permission.effect === PermissionEffect.ALLOW &&
+                this.matchesAction(permission.actions, action) &&
+                this.matchesResource(permission.resource, resource)) {
+                return {
+                    allowed: true,
+                    reason: `Allowed by policy`,
+                    matchedPolicy: `resource:${permission.resource} action:${action}`
+                };
+            }
+        }
+        // Default deny
+        return {
+            allowed: false,
+            reason: `No matching allow policy found (default deny)`
+        };
+    }
+}
+// ============================================================================
+// Type Guards
+// ============================================================================
+/**
+ * Check if credentials are AWS Signature V4 credentials
+ */
+export function isAWSSignatureV4Credentials(credentials) {
+    return (typeof credentials === 'object' &&
+        typeof credentials.accessKeyId === 'string' &&
+        typeof credentials.secretAccessKey === 'string' &&
+        typeof credentials.region === 'string' &&
+        typeof credentials.service === 'string');
+}
+/**
+ * Check if credentials are GCS Service Account credentials
+ */
+export function isGCSServiceAccount(credentials) {
+    return (typeof credentials === 'object' &&
+        credentials.type === 'service_account' &&
+        typeof credentials.projectId === 'string' &&
+        typeof credentials.privateKey === 'string' &&
+        typeof credentials.clientEmail === 'string');
+}
+/**
+ * Check if token is a GCS OAuth2 token
+ */
+export function isGCSOAuth2Token(token) {
+    return (typeof token === 'object' &&
+        typeof token.accessToken === 'string' &&
+        token.tokenType === 'Bearer' &&
+        typeof token.expiresIn === 'number');
+}