@vfarcic/dot-ai 1.4.0 → 1.6.0

package/dist/interfaces/oauth/dex-api.proto

@@ -0,0 +1,304 @@
+syntax = "proto3";
+
+package api;
+
+option java_package = "com.coreos.dex.api";
+option go_package = "github.com/dexidp/dex/api/v2;api";
+
+// Client represents an OAuth2 client.
+message Client {
+  string id = 1;
+  string secret = 2;
+  repeated string redirect_uris = 3;
+  repeated string trusted_peers = 4;
+  bool public = 5;
+  string name = 6;
+  string logo_url = 7;
+}
+
+// ClientInfo represents an OAuth2 client without sensitive information.
+message ClientInfo {
+  string id = 1;
+  repeated string redirect_uris = 2;
+  repeated string trusted_peers = 3;
+  bool public = 4;
+  string name = 5;
+  string logo_url = 6;
+}
+
+// GetClientReq is a request to retrieve client details.
+message GetClientReq {
+  // The ID of the client.
+  string id = 1;
+}
+
+// GetClientResp returns the client details.
+message GetClientResp {
+  Client client = 1;
+}
+
+// CreateClientReq is a request to make a client.
+message CreateClientReq {
+  Client client = 1;
+}
+
+// CreateClientResp returns the response from creating a client.
+message CreateClientResp {
+  bool already_exists = 1;
+  Client client = 2;
+}
+
+// DeleteClientReq is a request to delete a client.
+message DeleteClientReq {
+  // The ID of the client.
+  string id = 1;
+}
+
+// DeleteClientResp determines if the client is deleted successfully.
+message DeleteClientResp {
+  bool not_found = 1;
+}
+
+// UpdateClientReq is a request to update an existing client.
+message UpdateClientReq {
+    string id = 1;
+    repeated string redirect_uris = 2;
+    repeated string trusted_peers = 3;
+    string name = 4;
+    string logo_url = 5;
+}
+
+// UpdateClientResp returns the response from updating a client.
+message UpdateClientResp {
+    bool not_found = 1;
+}
+
+// ListClientReq is a request to enumerate clients.
+message ListClientReq {}
+
+// ListClientResp returns a list of clients.
+message ListClientResp {
+  repeated ClientInfo clients = 1;
+}
+
+// TODO(ericchiang): expand this.
+
+// Password is an email for password mapping managed by the storage.
+message Password {
+  string email = 1;
+
+  // Currently we do not accept plain text passwords. Could be an option in the future.
+  bytes hash = 2;
+  string username = 3;
+  string user_id = 4;
+}
+
+// CreatePasswordReq is a request to make a password.
+message CreatePasswordReq {
+  Password password = 1;
+}
+
+// CreatePasswordResp returns the response from creating a password.
+message CreatePasswordResp {
+  bool already_exists = 1;
+}
+
+// UpdatePasswordReq is a request to modify an existing password.
+message UpdatePasswordReq {
+  // The email used to lookup the password. This field cannot be modified
+  string email = 1;
+  bytes new_hash = 2;
+  string new_username = 3;
+}
+
+// UpdatePasswordResp returns the response from modifying an existing password.
+message UpdatePasswordResp {
+  bool not_found = 1;
+}
+
+// DeletePasswordReq is a request to delete a password.
+message DeletePasswordReq {
+  string email = 1;
+}
+
+// DeletePasswordResp returns the response from deleting a password.
+message DeletePasswordResp {
+  bool not_found = 1;
+}
+
+// ListPasswordReq is a request to enumerate passwords.
+message ListPasswordReq {}
+
+// ListPasswordResp returns a list of passwords.
+message ListPasswordResp {
+  repeated Password passwords = 1;
+}
+
+// Connector is a strategy used by Dex for authenticating a user against another identity provider
+message Connector {
+  string id = 1;
+  string type = 2;
+  string name = 3;
+  bytes config = 4;
+}
+
+// CreateConnectorReq is a request to make a connector.
+message CreateConnectorReq {
+  Connector connector = 1;
+}
+
+// CreateConnectorResp returns the response from creating a connector.
+message CreateConnectorResp {
+  bool already_exists = 1;
+}
+
+// UpdateConnectorReq is a request to modify an existing connector.
+message UpdateConnectorReq {
+  // The id used to lookup the connector. This field cannot be modified
+  string id = 1;
+  string new_type = 2;
+  string new_name = 3;
+  bytes new_config = 4;
+}
+
+// UpdateConnectorResp returns the response from modifying an existing connector.
+message UpdateConnectorResp {
+  bool not_found = 1;
+}
+
+// DeleteConnectorReq is a request to delete a connector.
+message DeleteConnectorReq {
+  string id = 1;
+}
+
+// DeleteConnectorResp returns the response from deleting a connector.
+message DeleteConnectorResp {
+  bool not_found = 1;
+}
+
+// ListConnectorReq is a request to enumerate connectors.
+message ListConnectorReq {}
+
+// ListConnectorResp returns a list of connectors.
+message ListConnectorResp {
+  repeated Connector connectors = 1;
+}
+
+// VersionReq is a request to fetch version info.
+message VersionReq {}
+
+// VersionResp holds the version info of components.
+message VersionResp {
+  // Semantic version of the server.
+  string server = 1;
+  // Numeric version of the API. It increases every time a new call is added to the API.
+  // Clients should use this info to determine if the server supports specific features.
+  int32 api = 2;
+}
+
+// DiscoveryReq is a request to fetch discover information.
+message DiscoveryReq {}
+
+//DiscoverResp holds the version oidc disovery info.
+message DiscoveryResp {
+  string issuer = 1;
+  string authorization_endpoint = 2;
+  string token_endpoint = 3;
+  string jwks_uri = 4;
+  string userinfo_endpoint = 5;
+  string device_authorization_endpoint = 6;
+  string introspection_endpoint = 7;
+  repeated string grant_types_supported = 8;
+  repeated string response_types_supported = 9;
+  repeated string subject_types_supported = 10;
+  repeated string id_token_signing_alg_values_supported = 11;
+  repeated string code_challenge_methods_supported = 12;
+  repeated string scopes_supported = 13;
+  repeated string token_endpoint_auth_methods_supported = 14;
+  repeated string claims_supported = 15;
+}
+
+// RefreshTokenRef contains the metadata for a refresh token that is managed by the storage.
+message RefreshTokenRef {
+  // ID of the refresh token.
+  string id = 1;
+  string client_id = 2;
+  int64 created_at = 5;
+  int64 last_used = 6;
+}
+
+// ListRefreshReq is a request to enumerate the refresh tokens of a user.
+message ListRefreshReq {
+  // The "sub" claim returned in the ID Token.
+  string user_id = 1;
+}
+
+// ListRefreshResp returns a list of refresh tokens for a user.
+message ListRefreshResp {
+  repeated RefreshTokenRef refresh_tokens = 1;
+}
+
+// RevokeRefreshReq is a request to revoke the refresh token of the user-client pair.
+message RevokeRefreshReq {
+  // The "sub" claim returned in the ID Token.
+  string user_id = 1;
+  string client_id = 2;
+}
+
+// RevokeRefreshResp determines if the refresh token is revoked successfully.
+message RevokeRefreshResp {
+  // Set to true is refresh token was not found and token could not be revoked.
+  bool not_found = 1;
+}
+
+message VerifyPasswordReq {
+  string email = 1;
+  string password = 2;
+}
+
+message VerifyPasswordResp {
+  bool verified = 1;
+  bool not_found = 2;
+}
+
+// Dex represents the dex gRPC service.
+service Dex {
+  // GetClient gets a client.
+  rpc GetClient(GetClientReq) returns (GetClientResp) {};
+  // CreateClient creates a client.
+  rpc CreateClient(CreateClientReq) returns (CreateClientResp) {};
+  // UpdateClient updates an existing client
+  rpc UpdateClient(UpdateClientReq) returns (UpdateClientResp) {};
+  // DeleteClient deletes the provided client.
+  rpc DeleteClient(DeleteClientReq) returns (DeleteClientResp) {};
+  // ListClients lists all client entries.
+  rpc ListClients(ListClientReq) returns (ListClientResp) {};
+  // CreatePassword creates a password.
+  rpc CreatePassword(CreatePasswordReq) returns (CreatePasswordResp) {};
+  // UpdatePassword modifies existing password.
+  rpc UpdatePassword(UpdatePasswordReq) returns (UpdatePasswordResp) {};
+  // DeletePassword deletes the password.
+  rpc DeletePassword(DeletePasswordReq) returns (DeletePasswordResp) {};
+  // ListPassword lists all password entries.
+  rpc ListPasswords(ListPasswordReq) returns (ListPasswordResp) {};
+  // CreateConnector creates a connector.
+  rpc CreateConnector(CreateConnectorReq) returns (CreateConnectorResp) {};
+  // UpdateConnector modifies existing connector.
+  rpc UpdateConnector(UpdateConnectorReq) returns (UpdateConnectorResp) {};
+  // DeleteConnector deletes the connector.
+  rpc DeleteConnector(DeleteConnectorReq) returns (DeleteConnectorResp) {};
+  // ListConnectors lists all connector entries.
+  rpc ListConnectors(ListConnectorReq) returns (ListConnectorResp) {};
+  // GetVersion returns version information of the server.
+  rpc GetVersion(VersionReq) returns (VersionResp) {};
+  // GetDiscovery returns discovery information of the server.
+  rpc GetDiscovery(DiscoveryReq) returns (DiscoveryResp) {};
+  // ListRefresh lists all the refresh token entries for a particular user.
+  rpc ListRefresh(ListRefreshReq) returns (ListRefreshResp) {};
+  // RevokeRefresh revokes the refresh token for the provided user-client pair.
+  //
+  // Note that each user-client pair can have only one refresh token at a time.
+  rpc RevokeRefresh(RevokeRefreshReq) returns (RevokeRefreshResp) {};
+  // VerifyPassword returns whether a password matches a hash for a specific email or not.
+  rpc VerifyPassword(VerifyPasswordReq) returns (VerifyPasswordResp) {};
+}

package/dist/interfaces/oauth/dex-client.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Lightweight Dex OIDC client for PRD #380, Task 2.3.
+ *
+ * Three pure utility functions using only node:http/node:https.
+ * No external dependencies. Dex is trusted in-cluster, so ID tokens
+ * are decoded without signature verification.
+ */
+import type { DexConfig } from './types';
+/**
+ * Build the Dex OIDC authorization URL for the browser redirect.
+ *
+ * Uses dexConfig.issuerUrl (the external Dex URL) because this URL
+ * is followed by the user's browser, not the MCP server.
+ */
+export declare function buildAuthorizeUrl(dexConfig: DexConfig, params: {
+    redirectUri: string;
+    state: string;
+    scope?: string;
+}): string;
+/**
+ * Exchange a Dex authorization code for tokens.
+ *
+ * Uses dexConfig.tokenEndpoint (the in-cluster URL) for server-to-server
+ * communication. Posts application/x-www-form-urlencoded with client credentials.
+ */
+export declare function exchangeDexCode(dexConfig: DexConfig, code: string, redirectUri: string): Promise<{
+    idToken: string;
+    accessToken: string;
+}>;
+/**
+ * Decode a Dex ID token payload without signature verification.
+ *
+ * Dex is trusted in-cluster — the token was received directly from
+ * Dex's token endpoint over the internal network. No JWKS needed.
+ */
+export declare function parseIdToken(idToken: string): {
+    sub: string;
+    email?: string;
+    groups?: string[];
+};
+//# sourceMappingURL=dex-client.d.ts.map

package/dist/interfaces/oauth/dex-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dex-client.d.ts","sourceRoot":"","sources":["../../../src/interfaces/oauth/dex-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,SAAS,EACpB,MAAM,EAAE;IACN,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GACA,MAAM,CASR;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,SAAS,EAAE,SAAS,EACpB,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC,CAqDnD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG;IAC7C,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB,CA0BA"}

package/dist/interfaces/oauth/dex-client.js

@@ -0,0 +1,145 @@
+"use strict";
+/**
+ * Lightweight Dex OIDC client for PRD #380, Task 2.3.
+ *
+ * Three pure utility functions using only node:http/node:https.
+ * No external dependencies. Dex is trusted in-cluster, so ID tokens
+ * are decoded without signature verification.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildAuthorizeUrl = buildAuthorizeUrl;
+exports.exchangeDexCode = exchangeDexCode;
+exports.parseIdToken = parseIdToken;
+const http = __importStar(require("node:http"));
+const https = __importStar(require("node:https"));
+/**
+ * Build the Dex OIDC authorization URL for the browser redirect.
+ *
+ * Uses dexConfig.issuerUrl (the external Dex URL) because this URL
+ * is followed by the user's browser, not the MCP server.
+ */
+function buildAuthorizeUrl(dexConfig, params) {
+    const base = dexConfig.issuerUrl.replace(/\/$/, '');
+    const url = new URL(`${base}/auth`);
+    url.searchParams.set('client_id', dexConfig.clientId);
+    url.searchParams.set('redirect_uri', params.redirectUri);
+    url.searchParams.set('response_type', 'code');
+    url.searchParams.set('scope', params.scope ?? 'openid email profile groups');
+    url.searchParams.set('state', params.state);
+    return url.toString();
+}
+/**
+ * Exchange a Dex authorization code for tokens.
+ *
+ * Uses dexConfig.tokenEndpoint (the in-cluster URL) for server-to-server
+ * communication. Posts application/x-www-form-urlencoded with client credentials.
+ */
+async function exchangeDexCode(dexConfig, code, redirectUri) {
+    const body = new URLSearchParams({
+        grant_type: 'authorization_code',
+        code,
+        redirect_uri: redirectUri,
+        client_id: dexConfig.clientId,
+        client_secret: dexConfig.clientSecret,
+    }).toString();
+    const tokenUrl = new URL(dexConfig.tokenEndpoint);
+    const transport = tokenUrl.protocol === 'https:' ? https : http;
+    const response = await new Promise((resolve, reject) => {
+        const req = transport.request(tokenUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                'Content-Length': Buffer.byteLength(body).toString(),
+            },
+        }, (res) => {
+            let data = '';
+            res.on('data', (chunk) => { data += chunk.toString(); });
+            res.on('end', () => {
+                resolve({ statusCode: res.statusCode ?? 0, body: data });
+            });
+        });
+        req.setTimeout(10_000, () => {
+            req.destroy(new Error('Dex token exchange timed out'));
+        });
+        req.on('error', reject);
+        req.write(body);
+        req.end();
+    });
+    if (response.statusCode !== 200) {
+        throw new Error(`Dex token exchange failed (HTTP ${response.statusCode}): ${response.body}`);
+    }
+    const parsed = JSON.parse(response.body);
+    if (!parsed.id_token) {
+        throw new Error('Dex token response missing id_token');
+    }
+    return {
+        idToken: parsed.id_token,
+        accessToken: parsed.access_token ?? '',
+    };
+}
+/**
+ * Decode a Dex ID token payload without signature verification.
+ *
+ * Dex is trusted in-cluster — the token was received directly from
+ * Dex's token endpoint over the internal network. No JWKS needed.
+ */
+function parseIdToken(idToken) {
+    const parts = idToken.split('.');
+    if (parts.length !== 3) {
+        throw new Error('Invalid JWT format — expected 3 segments');
+    }
+    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
+    const now = Math.floor(Date.now() / 1000);
+    if (typeof payload.exp !== 'number' || payload.exp <= now) {
+        throw new Error('ID token is expired or missing exp claim');
+    }
+    if (typeof payload.sub !== 'string' || payload.sub.length === 0) {
+        throw new Error('ID token missing sub claim');
+    }
+    if (payload.email !== undefined && typeof payload.email !== 'string') {
+        throw new Error('ID token email claim must be a string');
+    }
+    if (payload.groups !== undefined) {
+        if (!Array.isArray(payload.groups) || !payload.groups.every((g) => typeof g === 'string')) {
+            throw new Error('ID token groups claim must be an array of strings');
+        }
+    }
+    return {
+        sub: payload.sub,
+        email: payload.email,
+        groups: payload.groups,
+    };
+}

package/dist/interfaces/oauth/index.d.ts

@@ -0,0 +1,6 @@
+export type { UserIdentity, AuthResult, JwtClaims } from './types';
+export { signJwt, verifyJwt, getJwtSecret } from './jwt';
+export { checkBearerAuth, isAuthEnabled } from './middleware';
+export { DotAIOAuthProvider } from './provider';
+export { createUser, listUsers, deleteUser, type UserResult, type UserEntry, } from './user-management';
+//# sourceMappingURL=index.d.ts.map

package/dist/interfaces/oauth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/interfaces/oauth/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACnE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,OAAO,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,EACL,UAAU,EACV,SAAS,EACT,UAAU,EACV,KAAK,UAAU,EACf,KAAK,SAAS,GACf,MAAM,mBAAmB,CAAC"}

package/dist/interfaces/oauth/index.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deleteUser = exports.listUsers = exports.createUser = exports.DotAIOAuthProvider = exports.isAuthEnabled = exports.checkBearerAuth = exports.getJwtSecret = exports.verifyJwt = exports.signJwt = void 0;
+var jwt_1 = require("./jwt");
+Object.defineProperty(exports, "signJwt", { enumerable: true, get: function () { return jwt_1.signJwt; } });
+Object.defineProperty(exports, "verifyJwt", { enumerable: true, get: function () { return jwt_1.verifyJwt; } });
+Object.defineProperty(exports, "getJwtSecret", { enumerable: true, get: function () { return jwt_1.getJwtSecret; } });
+var middleware_1 = require("./middleware");
+Object.defineProperty(exports, "checkBearerAuth", { enumerable: true, get: function () { return middleware_1.checkBearerAuth; } });
+Object.defineProperty(exports, "isAuthEnabled", { enumerable: true, get: function () { return middleware_1.isAuthEnabled; } });
+var provider_1 = require("./provider");
+Object.defineProperty(exports, "DotAIOAuthProvider", { enumerable: true, get: function () { return provider_1.DotAIOAuthProvider; } });
+var user_management_1 = require("./user-management");
+Object.defineProperty(exports, "createUser", { enumerable: true, get: function () { return user_management_1.createUser; } });
+Object.defineProperty(exports, "listUsers", { enumerable: true, get: function () { return user_management_1.listUsers; } });
+Object.defineProperty(exports, "deleteUser", { enumerable: true, get: function () { return user_management_1.deleteUser; } });

package/dist/interfaces/oauth/jwt.d.ts

@@ -0,0 +1,37 @@
+/**
+ * JWT signing and verification using node:crypto HMAC-SHA256.
+ *
+ * No external libraries — implements the minimal JWT subset needed
+ * for dot-ai access tokens (HS256 only).
+ */
+import type { JwtClaims } from './types';
+/**
+ * Returns the JWT signing secret.
+ * Uses DOT_AI_JWT_SECRET env var if set, otherwise generates
+ * a random 32-byte hex secret cached for the process lifetime.
+ */
+export declare function getJwtSecret(): string;
+/**
+ * Reset the cached secret. Only for testing.
+ * @internal
+ */
+export declare function _resetCachedSecret(): void;
+/**
+ * Sign a JWT with HMAC-SHA256.
+ *
+ * @param claims - The JWT payload claims
+ * @param secret - The signing secret
+ * @returns Encoded JWT string (header.payload.signature)
+ */
+export declare function signJwt(claims: JwtClaims, secret: string): string;
+/**
+ * Verify a JWT signed with HMAC-SHA256.
+ *
+ * Performs timing-safe signature comparison and expiry check.
+ *
+ * @param token - The JWT string to verify
+ * @param secret - The signing secret
+ * @returns Decoded claims if valid, null otherwise
+ */
+export declare function verifyJwt(token: string, secret: string): JwtClaims | null;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/interfaces/oauth/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/interfaces/oauth/jwt.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AASzC;;;;GAIG;AACH,wBAAgB,YAAY,IAAI,MAAM,CASrC;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC;AAED;;;;;;GAMG;AACH,wBAAgB,OAAO,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAOjE;AAED;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAmDzE"}

package/dist/interfaces/oauth/jwt.js

@@ -0,0 +1,106 @@
+"use strict";
+/**
+ * JWT signing and verification using node:crypto HMAC-SHA256.
+ *
+ * No external libraries — implements the minimal JWT subset needed
+ * for dot-ai access tokens (HS256 only).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getJwtSecret = getJwtSecret;
+exports._resetCachedSecret = _resetCachedSecret;
+exports.signJwt = signJwt;
+exports.verifyJwt = verifyJwt;
+const node_crypto_1 = require("node:crypto");
+const JWT_HEADER = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
+/** Cached auto-generated secret (per-process). */
+let cachedSecret;
+/**
+ * Returns the JWT signing secret.
+ * Uses DOT_AI_JWT_SECRET env var if set, otherwise generates
+ * a random 32-byte hex secret cached for the process lifetime.
+ */
+function getJwtSecret() {
+    const envSecret = process.env.DOT_AI_JWT_SECRET;
+    if (envSecret) {
+        return envSecret;
+    }
+    if (!cachedSecret) {
+        cachedSecret = (0, node_crypto_1.randomBytes)(32).toString('hex');
+    }
+    return cachedSecret;
+}
+/**
+ * Reset the cached secret. Only for testing.
+ * @internal
+ */
+function _resetCachedSecret() {
+    cachedSecret = undefined;
+}
+/**
+ * Sign a JWT with HMAC-SHA256.
+ *
+ * @param claims - The JWT payload claims
+ * @param secret - The signing secret
+ * @returns Encoded JWT string (header.payload.signature)
+ */
+function signJwt(claims, secret) {
+    const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
+    const data = `${JWT_HEADER}.${payload}`;
+    const signature = (0, node_crypto_1.createHmac)('sha256', secret)
+        .update(data)
+        .digest('base64url');
+    return `${data}.${signature}`;
+}
+/**
+ * Verify a JWT signed with HMAC-SHA256.
+ *
+ * Performs timing-safe signature comparison and expiry check.
+ *
+ * @param token - The JWT string to verify
+ * @param secret - The signing secret
+ * @returns Decoded claims if valid, null otherwise
+ */
+function verifyJwt(token, secret) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        return null;
+    }
+    const [header, payload, signature] = parts;
+    // Recompute expected signature
+    const data = `${header}.${payload}`;
+    const expectedSignature = (0, node_crypto_1.createHmac)('sha256', secret)
+        .update(data)
+        .digest('base64url');
+    // Timing-safe comparison
+    const sigBuffer = Buffer.from(signature, 'base64url');
+    const expectedBuffer = Buffer.from(expectedSignature, 'base64url');
+    if (sigBuffer.length !== expectedBuffer.length) {
+        // Dummy comparison to maintain constant time
+        (0, node_crypto_1.timingSafeEqual)(expectedBuffer, expectedBuffer);
+        return null;
+    }
+    if (!(0, node_crypto_1.timingSafeEqual)(sigBuffer, expectedBuffer)) {
+        return null;
+    }
+    // Decode and validate claims
+    let claims;
+    try {
+        claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
+    }
+    catch {
+        return null;
+    }
+    // Validate identity claims
+    if (typeof claims.sub !== 'string' || claims.sub.length === 0) {
+        return null;
+    }
+    if (claims.groups !== undefined && !Array.isArray(claims.groups)) {
+        return null;
+    }
+    // Check expiration (strict: exp === now is treated as expired)
+    const now = Math.floor(Date.now() / 1000);
+    if (typeof claims.exp !== 'number' || claims.exp <= now) {
+        return null;
+    }
+    return claims;
+}