@vivero/stoma 0.1.0-rc.10

package/dist/policies/auth/generate-jwt.js

@@ -0,0 +1,99 @@
+import { GatewayError } from "../../core/errors";
+import { withModifiedHeaders } from "../../utils/headers";
+import { definePolicy, Priority } from "../sdk";
+import { base64UrlEncodeBytes, base64UrlEncodeString } from "./crypto";
+function getHashAlgorithm(alg) {
+  switch (alg) {
+    case "HS256":
+    case "RS256":
+      return "SHA-256";
+    case "HS384":
+    case "RS384":
+      return "SHA-384";
+    case "HS512":
+    case "RS512":
+      return "SHA-512";
+  }
+}
+function isHmac(alg) {
+  return alg.startsWith("HS");
+}
+const generateJwt = /* @__PURE__ */ definePolicy({
+  name: "generate-jwt",
+  priority: Priority.REQUEST_TRANSFORM,
+  defaults: {
+    expiresIn: 3600,
+    headerName: "Authorization",
+    tokenPrefix: "Bearer"
+  },
+  handler: async (c, next, { config, debug }) => {
+    if (isHmac(config.algorithm)) {
+      if (!config.secret) {
+        throw new GatewayError(
+          500,
+          "config_error",
+          "generateJwt with HMAC algorithm requires 'secret'"
+        );
+      }
+    } else {
+      if (!config.privateKey) {
+        throw new GatewayError(
+          500,
+          "config_error",
+          "generateJwt with RSA algorithm requires 'privateKey'"
+        );
+      }
+    }
+    const jwtHeader = { alg: config.algorithm, typ: "JWT" };
+    const encodedHeader = base64UrlEncodeString(JSON.stringify(jwtHeader));
+    const now = Math.floor(Date.now() / 1e3);
+    const baseClaims = {
+      iat: now,
+      exp: now + (config.expiresIn ?? 3600)
+    };
+    if (config.issuer) baseClaims.iss = config.issuer;
+    if (config.audience) baseClaims.aud = config.audience;
+    let userClaims = {};
+    if (config.claims) {
+      userClaims = typeof config.claims === "function" ? await config.claims(c) : config.claims;
+    }
+    const payload = { ...baseClaims, ...userClaims };
+    const encodedPayload = base64UrlEncodeString(JSON.stringify(payload));
+    const signingInput = `${encodedHeader}.${encodedPayload}`;
+    const encoder = new TextEncoder();
+    const data = encoder.encode(signingInput);
+    const hash = getHashAlgorithm(config.algorithm);
+    let signature;
+    if (isHmac(config.algorithm)) {
+      const key = await crypto.subtle.importKey(
+        "raw",
+        encoder.encode(config.secret),
+        { name: "HMAC", hash },
+        false,
+        ["sign"]
+      );
+      signature = await crypto.subtle.sign("HMAC", key, data);
+    } else {
+      const key = await crypto.subtle.importKey(
+        "jwk",
+        config.privateKey,
+        { name: "RSASSA-PKCS1-v1_5", hash },
+        false,
+        ["sign"]
+      );
+      signature = await crypto.subtle.sign("RSASSA-PKCS1-v1_5", key, data);
+    }
+    const encodedSignature = base64UrlEncodeBytes(new Uint8Array(signature));
+    const token = `${signingInput}.${encodedSignature}`;
+    debug(`generated JWT (alg=${config.algorithm})`);
+    const headerValue = config.tokenPrefix ? `${config.tokenPrefix} ${token}` : token;
+    withModifiedHeaders(c, (headers) => {
+      headers.set(config.headerName, headerValue);
+    });
+    await next();
+  }
+});
+export {
+  generateJwt
+};
+//# sourceMappingURL=generate-jwt.js.map

package/dist/policies/auth/generate-jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/policies/auth/generate-jwt.ts"],"sourcesContent":["/**\n * JWT generation policy - mints JWTs for upstream consumption.\n *\n * Signs tokens using HMAC (HS256/384/512) or RSA (RS256/384/512) and\n * attaches them to the outgoing request as a header.\n *\n * @module generate-jwt\n */\nimport type { Context } from \"hono\";\nimport { GatewayError } from \"../../core/errors\";\nimport { withModifiedHeaders } from \"../../utils/headers\";\nimport { definePolicy, Priority } from \"../sdk\";\nimport type { PolicyConfig } from \"../types\";\nimport { base64UrlEncodeBytes, base64UrlEncodeString } from \"./crypto\";\n\nexport interface GenerateJwtConfig extends PolicyConfig {\n  /** Signing algorithm */\n  algorithm: \"HS256\" | \"HS384\" | \"HS512\" | \"RS256\" | \"RS384\" | \"RS512\";\n  /** HMAC secret (for HS* algorithms) */\n  secret?: string;\n  /** RSA private key as JWK (for RS* algorithms) */\n  privateKey?: JsonWebKey;\n  /** Claims to include. Static record or dynamic function. */\n  claims?:\n    | Record<string, unknown>\n    | ((\n        c: Context\n      ) => Record<string, unknown> | Promise<Record<string, unknown>>);\n  /** Token lifetime in seconds. Default: 3600 (1 hour) */\n  expiresIn?: number;\n  /** Issuer claim */\n  issuer?: string;\n  /** Audience claim */\n  audience?: string;\n  /** Header name for the generated token. Default: \"Authorization\" */\n  headerName?: string;\n  /** Token prefix. Default: \"Bearer\" */\n  tokenPrefix?: string;\n}\n\nfunction getHashAlgorithm(alg: GenerateJwtConfig[\"algorithm\"]): string {\n  switch (alg) {\n    case \"HS256\":\n    case \"RS256\":\n      return \"SHA-256\";\n    case \"HS384\":\n    case \"RS384\":\n      return \"SHA-384\";\n    case \"HS512\":\n    case \"RS512\":\n      return \"SHA-512\";\n  }\n}\n\nfunction isHmac(alg: string): boolean {\n  return alg.startsWith(\"HS\");\n}\n\n/**\n * Mint JWTs and attach them to the request for upstream consumption.\n *\n * @example\n * ```ts\n * import { generateJwt } from \"@vivero/stoma\";\n *\n * generateJwt({\n *   algorithm: \"HS256\",\n *   secret: env.JWT_SIGNING_SECRET,\n *   claims: (c) => ({ sub: c.req.header(\"x-user-id\") }),\n *   issuer: \"my-gateway\",\n *   expiresIn: 300,\n * });\n * ```\n */\nexport const generateJwt = /*#__PURE__*/ definePolicy<GenerateJwtConfig>({\n  name: \"generate-jwt\",\n  priority: Priority.REQUEST_TRANSFORM,\n  defaults: {\n    expiresIn: 3600,\n    headerName: \"Authorization\",\n    tokenPrefix: \"Bearer\",\n  },\n  handler: async (c, next, { config, debug }) => {\n    // Validate config at request time (allows lazy secret resolution)\n    if (isHmac(config.algorithm)) {\n      if (!config.secret) {\n        throw new GatewayError(\n          500,\n          \"config_error\",\n          \"generateJwt with HMAC algorithm requires 'secret'\"\n        );\n      }\n    } else {\n      if (!config.privateKey) {\n        throw new GatewayError(\n          500,\n          \"config_error\",\n          \"generateJwt with RSA algorithm requires 'privateKey'\"\n        );\n      }\n    }\n\n    // Build header\n    const jwtHeader = { alg: config.algorithm, typ: \"JWT\" };\n    const encodedHeader = base64UrlEncodeString(JSON.stringify(jwtHeader));\n\n    // Build payload\n    const now = Math.floor(Date.now() / 1000);\n    const baseClaims: Record<string, unknown> = {\n      iat: now,\n      exp: now + (config.expiresIn ?? 3600),\n    };\n    if (config.issuer) baseClaims.iss = config.issuer;\n    if (config.audience) baseClaims.aud = config.audience;\n\n    let userClaims: Record<string, unknown> = {};\n    if (config.claims) {\n      userClaims =\n        typeof config.claims === \"function\"\n          ? await config.claims(c)\n          : config.claims;\n    }\n\n    const payload = { ...baseClaims, ...userClaims };\n    const encodedPayload = base64UrlEncodeString(JSON.stringify(payload));\n\n    // Sign\n    const signingInput = `${encodedHeader}.${encodedPayload}`;\n    const encoder = new TextEncoder();\n    const data = encoder.encode(signingInput);\n\n    const hash = getHashAlgorithm(config.algorithm);\n    let signature: ArrayBuffer;\n\n    if (isHmac(config.algorithm)) {\n      const key = await crypto.subtle.importKey(\n        \"raw\",\n        encoder.encode(config.secret!),\n        { name: \"HMAC\", hash },\n        false,\n        [\"sign\"]\n      );\n      signature = await crypto.subtle.sign(\"HMAC\", key, data);\n    } else {\n      const key = await crypto.subtle.importKey(\n        \"jwk\",\n        config.privateKey!,\n        { name: \"RSASSA-PKCS1-v1_5\", hash },\n        false,\n        [\"sign\"]\n      );\n      signature = await crypto.subtle.sign(\"RSASSA-PKCS1-v1_5\", key, data);\n    }\n\n    const encodedSignature = base64UrlEncodeBytes(new Uint8Array(signature));\n    const token = `${signingInput}.${encodedSignature}`;\n\n    debug(`generated JWT (alg=${config.algorithm})`);\n\n    // Attach to request\n    const headerValue = config.tokenPrefix\n      ? `${config.tokenPrefix} ${token}`\n      : token;\n\n    withModifiedHeaders(c, (headers) => {\n      headers.set(config.headerName!, headerValue);\n    });\n\n    await next();\n  },\n});\n"],"mappings":"AASA,SAAS,oBAAoB;AAC7B,SAAS,2BAA2B;AACpC,SAAS,cAAc,gBAAgB;AAEvC,SAAS,sBAAsB,6BAA6B;AA2B5D,SAAS,iBAAiB,KAA6C;AACrE,UAAQ,KAAK;AAAA,IACX,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,EACX;AACF;AAEA,SAAS,OAAO,KAAsB;AACpC,SAAO,IAAI,WAAW,IAAI;AAC5B;AAkBO,MAAM,cAA4B,6BAAgC;AAAA,EACvE,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,UAAU;AAAA,IACR,WAAW;AAAA,IACX,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA,SAAS,OAAO,GAAG,MAAM,EAAE,QAAQ,MAAM,MAAM;AAE7C,QAAI,OAAO,OAAO,SAAS,GAAG;AAC5B,UAAI,CAAC,OAAO,QAAQ;AAClB,cAAM,IAAI;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF,OAAO;AACL,UAAI,CAAC,OAAO,YAAY;AACtB,cAAM,IAAI;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,YAAY,EAAE,KAAK,OAAO,WAAW,KAAK,MAAM;AACtD,UAAM,gBAAgB,sBAAsB,KAAK,UAAU,SAAS,CAAC;AAGrE,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,UAAM,aAAsC;AAAA,MAC1C,KAAK;AAAA,MACL,KAAK,OAAO,OAAO,aAAa;AAAA,IAClC;AACA,QAAI,OAAO,OAAQ,YAAW,MAAM,OAAO;AAC3C,QAAI,OAAO,SAAU,YAAW,MAAM,OAAO;AAE7C,QAAI,aAAsC,CAAC;AAC3C,QAAI,OAAO,QAAQ;AACjB,mBACE,OAAO,OAAO,WAAW,aACrB,MAAM,OAAO,OAAO,CAAC,IACrB,OAAO;AAAA,IACf;AAEA,UAAM,UAAU,EAAE,GAAG,YAAY,GAAG,WAAW;AAC/C,UAAM,iBAAiB,sBAAsB,KAAK,UAAU,OAAO,CAAC;AAGpE,UAAM,eAAe,GAAG,aAAa,IAAI,cAAc;AACvD,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,OAAO,QAAQ,OAAO,YAAY;AAExC,UAAM,OAAO,iBAAiB,OAAO,SAAS;AAC9C,QAAI;AAEJ,QAAI,OAAO,OAAO,SAAS,GAAG;AAC5B,YAAM,MAAM,MAAM,OAAO,OAAO;AAAA,QAC9B;AAAA,QACA,QAAQ,OAAO,OAAO,MAAO;AAAA,QAC7B,EAAE,MAAM,QAAQ,KAAK;AAAA,QACrB;AAAA,QACA,CAAC,MAAM;AAAA,MACT;AACA,kBAAY,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,IAAI;AAAA,IACxD,OAAO;AACL,YAAM,MAAM,MAAM,OAAO,OAAO;AAAA,QAC9B;AAAA,QACA,OAAO;AAAA,QACP,EAAE,MAAM,qBAAqB,KAAK;AAAA,QAClC;AAAA,QACA,CAAC,MAAM;AAAA,MACT;AACA,kBAAY,MAAM,OAAO,OAAO,KAAK,qBAAqB,KAAK,IAAI;AAAA,IACrE;AAEA,UAAM,mBAAmB,qBAAqB,IAAI,WAAW,SAAS,CAAC;AACvE,UAAM,QAAQ,GAAG,YAAY,IAAI,gBAAgB;AAEjD,UAAM,sBAAsB,OAAO,SAAS,GAAG;AAG/C,UAAM,cAAc,OAAO,cACvB,GAAG,OAAO,WAAW,IAAI,KAAK,KAC9B;AAEJ,wBAAoB,GAAG,CAAC,YAAY;AAClC,cAAQ,IAAI,OAAO,YAAa,WAAW;AAAA,IAC7C,CAAC;AAED,UAAM,KAAK;AAAA,EACb;AACF,CAAC;","names":[]}

package/dist/policies/auth/http-signature-base.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Shared utilities for RFC 9421 HTTP Message Signatures.
+ *
+ * Builds the signature base string and provides crypto helpers
+ * used by both `generateHttpSignature` and `verifyHttpSignature`.
+ *
+ * @module http-signature-base
+ */
+/**
+ * Build the signature base string per RFC 9421 Section 2.5.
+ *
+ * Each line is `"component-id": value`, ending with `"@signature-params": <params>`.
+ */
+declare function buildSignatureBase(components: string[], signatureParams: string, request: Request): string;
+/**
+ * Build the signature params string.
+ *
+ * Format: `("@method" "@path" ...);created=<ts>;keyid="<id>"[;expires=<ts>][;nonce="<n>"]`
+ */
+declare function buildSignatureParams(components: string[], params: {
+    created: number;
+    keyId: string;
+    expires?: number;
+    nonce?: string;
+    algorithm?: string;
+}): string;
+/**
+ * Parse a signature params string from the Signature-Input header.
+ *
+ * Input: `("@method" "@path" "content-type");created=1618884473;keyid="test-key"`
+ * Returns the component list and key-value parameters.
+ */
+declare function parseSignatureParams(input: string): {
+    components: string[];
+    params: Record<string, string>;
+};
+/** Map algorithm identifier to Web Crypto params for import + sign/verify. */
+declare function algorithmToCrypto(alg: string): {
+    importAlg: Parameters<typeof crypto.subtle.importKey>[2];
+    signAlg: Parameters<typeof crypto.subtle.sign>[0];
+};
+/**
+ * Import key material for signing.
+ */
+declare function importSigningKey(algorithm: string, secret?: string, privateKey?: JsonWebKey): Promise<CryptoKey>;
+/**
+ * Import key material for verification.
+ */
+declare function importVerifyKey(algorithm: string, secret?: string, publicKey?: JsonWebKey): Promise<CryptoKey>;
+/** Encode bytes to standard base64. */
+declare function toBase64(buffer: ArrayBuffer): string;
+/** Decode standard base64 to bytes. */
+declare function fromBase64(str: string): Uint8Array;
+
+export { algorithmToCrypto, buildSignatureBase, buildSignatureParams, fromBase64, importSigningKey, importVerifyKey, parseSignatureParams, toBase64 };

package/dist/policies/auth/http-signature-base.js

@@ -0,0 +1,140 @@
+function resolveDerivedComponent(componentId, request) {
+  const url = new URL(request.url);
+  switch (componentId) {
+    case "@method":
+      return request.method.toUpperCase();
+    case "@path":
+      return url.pathname;
+    case "@authority":
+      return url.host;
+    case "@scheme":
+      return url.protocol.replace(":", "");
+    case "@target-uri":
+      return url.href;
+    default:
+      throw new Error(`Unknown derived component: ${componentId}`);
+  }
+}
+function resolveComponentValue(componentId, request) {
+  if (componentId.startsWith("@")) {
+    return resolveDerivedComponent(componentId, request);
+  }
+  return request.headers.get(componentId) ?? "";
+}
+function buildSignatureBase(components, signatureParams, request) {
+  const lines = [];
+  for (const component of components) {
+    const value = resolveComponentValue(component, request);
+    lines.push(`"${component}": ${value}`);
+  }
+  lines.push(`"@signature-params": ${signatureParams}`);
+  return lines.join("\n");
+}
+function buildSignatureParams(components, params) {
+  const componentList = components.map((c) => `"${c}"`).join(" ");
+  let result = `(${componentList});created=${params.created};keyid="${params.keyId}"`;
+  if (params.algorithm) {
+    result += `;alg="${params.algorithm}"`;
+  }
+  if (params.expires !== void 0) {
+    result += `;expires=${params.expires}`;
+  }
+  if (params.nonce !== void 0) {
+    result += `;nonce="${params.nonce}"`;
+  }
+  return result;
+}
+function parseSignatureParams(input) {
+  const parenMatch = input.match(/^\(([^)]*)\)/);
+  if (!parenMatch) {
+    throw new Error("Invalid signature params: missing component list");
+  }
+  const componentStr = parenMatch[1];
+  const components = componentStr ? componentStr.match(/"([^"]+)"/g)?.map((s) => s.slice(1, -1)) ?? [] : [];
+  const paramStr = input.slice(parenMatch[0].length);
+  const params = {};
+  const paramRegex = /;(\w+)=("([^"]*)"|(\d+))/g;
+  let match = paramRegex.exec(paramStr);
+  while (match !== null) {
+    params[match[1]] = match[3] ?? match[4];
+    match = paramRegex.exec(paramStr);
+  }
+  return { components, params };
+}
+function algorithmToCrypto(alg) {
+  switch (alg) {
+    case "hmac-sha256":
+      return {
+        importAlg: { name: "HMAC", hash: "SHA-256" },
+        signAlg: "HMAC"
+      };
+    case "rsa-v1_5-sha256":
+      return {
+        importAlg: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+        signAlg: "RSASSA-PKCS1-v1_5"
+      };
+    case "rsa-pss-sha512":
+      return {
+        importAlg: { name: "RSA-PSS", hash: "SHA-512" },
+        signAlg: { name: "RSA-PSS", saltLength: 64 }
+      };
+    default:
+      throw new Error(`Unsupported signature algorithm: ${alg}`);
+  }
+}
+async function importSigningKey(algorithm, secret, privateKey) {
+  const { importAlg } = algorithmToCrypto(algorithm);
+  if (algorithm.startsWith("hmac")) {
+    if (!secret) throw new Error("HMAC algorithm requires secret");
+    const encoder = new TextEncoder();
+    return crypto.subtle.importKey(
+      "raw",
+      encoder.encode(secret),
+      importAlg,
+      false,
+      ["sign"]
+    );
+  }
+  if (!privateKey) throw new Error("RSA algorithm requires privateKey");
+  return crypto.subtle.importKey("jwk", privateKey, importAlg, false, ["sign"]);
+}
+async function importVerifyKey(algorithm, secret, publicKey) {
+  const { importAlg } = algorithmToCrypto(algorithm);
+  if (algorithm.startsWith("hmac")) {
+    if (!secret) throw new Error("HMAC algorithm requires secret");
+    const encoder = new TextEncoder();
+    return crypto.subtle.importKey(
+      "raw",
+      encoder.encode(secret),
+      importAlg,
+      false,
+      ["verify"]
+    );
+  }
+  if (!publicKey) throw new Error("RSA algorithm requires publicKey");
+  return crypto.subtle.importKey("jwk", publicKey, importAlg, false, [
+    "verify"
+  ]);
+}
+function toBase64(buffer) {
+  return btoa(String.fromCharCode(...new Uint8Array(buffer)));
+}
+function fromBase64(str) {
+  const binary = atob(str);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+export {
+  algorithmToCrypto,
+  buildSignatureBase,
+  buildSignatureParams,
+  fromBase64,
+  importSigningKey,
+  importVerifyKey,
+  parseSignatureParams,
+  toBase64
+};
+//# sourceMappingURL=http-signature-base.js.map

package/dist/policies/auth/http-signature-base.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/policies/auth/http-signature-base.ts"],"sourcesContent":["/**\n * Shared utilities for RFC 9421 HTTP Message Signatures.\n *\n * Builds the signature base string and provides crypto helpers\n * used by both `generateHttpSignature` and `verifyHttpSignature`.\n *\n * @module http-signature-base\n */\n\n/**\n * Resolve a derived component value from the request per RFC 9421 Section 2.2.\n */\nfunction resolveDerivedComponent(\n  componentId: string,\n  request: Request\n): string {\n  const url = new URL(request.url);\n  switch (componentId) {\n    case \"@method\":\n      return request.method.toUpperCase();\n    case \"@path\":\n      return url.pathname;\n    case \"@authority\":\n      return url.host;\n    case \"@scheme\":\n      return url.protocol.replace(\":\", \"\");\n    case \"@target-uri\":\n      return url.href;\n    default:\n      throw new Error(`Unknown derived component: ${componentId}`);\n  }\n}\n\n/**\n * Resolve a component value - derived (`@method`, `@path`, etc.) or\n * regular header name (lowercased).\n */\nfunction resolveComponentValue(componentId: string, request: Request): string {\n  if (componentId.startsWith(\"@\")) {\n    return resolveDerivedComponent(componentId, request);\n  }\n  // Regular header component - value from request headers\n  return request.headers.get(componentId) ?? \"\";\n}\n\n/**\n * Build the signature base string per RFC 9421 Section 2.5.\n *\n * Each line is `\"component-id\": value`, ending with `\"@signature-params\": <params>`.\n */\nexport function buildSignatureBase(\n  components: string[],\n  signatureParams: string,\n  request: Request\n): string {\n  const lines: string[] = [];\n  for (const component of components) {\n    const value = resolveComponentValue(component, request);\n    lines.push(`\"${component}\": ${value}`);\n  }\n  lines.push(`\"@signature-params\": ${signatureParams}`);\n  return lines.join(\"\\n\");\n}\n\n/**\n * Build the signature params string.\n *\n * Format: `(\"@method\" \"@path\" ...);created=<ts>;keyid=\"<id>\"[;expires=<ts>][;nonce=\"<n>\"]`\n */\nexport function buildSignatureParams(\n  components: string[],\n  params: {\n    created: number;\n    keyId: string;\n    expires?: number;\n    nonce?: string;\n    algorithm?: string;\n  }\n): string {\n  const componentList = components.map((c) => `\"${c}\"`).join(\" \");\n  let result = `(${componentList});created=${params.created};keyid=\"${params.keyId}\"`;\n  if (params.algorithm) {\n    result += `;alg=\"${params.algorithm}\"`;\n  }\n  if (params.expires !== undefined) {\n    result += `;expires=${params.expires}`;\n  }\n  if (params.nonce !== undefined) {\n    result += `;nonce=\"${params.nonce}\"`;\n  }\n  return result;\n}\n\n/**\n * Parse a signature params string from the Signature-Input header.\n *\n * Input: `(\"@method\" \"@path\" \"content-type\");created=1618884473;keyid=\"test-key\"`\n * Returns the component list and key-value parameters.\n */\nexport function parseSignatureParams(input: string): {\n  components: string[];\n  params: Record<string, string>;\n} {\n  // Extract the component list inside parentheses\n  const parenMatch = input.match(/^\\(([^)]*)\\)/);\n  if (!parenMatch) {\n    throw new Error(\"Invalid signature params: missing component list\");\n  }\n\n  const componentStr = parenMatch[1];\n  const components = componentStr\n    ? (componentStr.match(/\"([^\"]+)\"/g)?.map((s) => s.slice(1, -1)) ?? [])\n    : [];\n\n  // Parse params after the closing paren\n  const paramStr = input.slice(parenMatch[0].length);\n  const params: Record<string, string> = {};\n  const paramRegex = /;(\\w+)=(\"([^\"]*)\"|(\\d+))/g;\n  let match: RegExpExecArray | null = paramRegex.exec(paramStr);\n  while (match !== null) {\n    // match[3] is quoted string value, match[4] is unquoted numeric value\n    params[match[1]] = match[3] ?? match[4];\n    match = paramRegex.exec(paramStr);\n  }\n\n  return { components, params };\n}\n\n/** Map algorithm identifier to Web Crypto params for import + sign/verify. */\nexport function algorithmToCrypto(alg: string): {\n  importAlg: Parameters<typeof crypto.subtle.importKey>[2];\n  signAlg: Parameters<typeof crypto.subtle.sign>[0];\n} {\n  switch (alg) {\n    case \"hmac-sha256\":\n      return {\n        importAlg: { name: \"HMAC\", hash: \"SHA-256\" },\n        signAlg: \"HMAC\",\n      };\n    case \"rsa-v1_5-sha256\":\n      return {\n        importAlg: { name: \"RSASSA-PKCS1-v1_5\", hash: \"SHA-256\" },\n        signAlg: \"RSASSA-PKCS1-v1_5\",\n      };\n    case \"rsa-pss-sha512\":\n      return {\n        importAlg: { name: \"RSA-PSS\", hash: \"SHA-512\" },\n        signAlg: { name: \"RSA-PSS\", saltLength: 64 },\n      };\n    default:\n      throw new Error(`Unsupported signature algorithm: ${alg}`);\n  }\n}\n\n/**\n * Import key material for signing.\n */\nexport async function importSigningKey(\n  algorithm: string,\n  secret?: string,\n  privateKey?: JsonWebKey\n): Promise<CryptoKey> {\n  const { importAlg } = algorithmToCrypto(algorithm);\n\n  if (algorithm.startsWith(\"hmac\")) {\n    if (!secret) throw new Error(\"HMAC algorithm requires secret\");\n    const encoder = new TextEncoder();\n    return crypto.subtle.importKey(\n      \"raw\",\n      encoder.encode(secret),\n      importAlg,\n      false,\n      [\"sign\"]\n    );\n  }\n\n  if (!privateKey) throw new Error(\"RSA algorithm requires privateKey\");\n  return crypto.subtle.importKey(\"jwk\", privateKey, importAlg, false, [\"sign\"]);\n}\n\n/**\n * Import key material for verification.\n */\nexport async function importVerifyKey(\n  algorithm: string,\n  secret?: string,\n  publicKey?: JsonWebKey\n): Promise<CryptoKey> {\n  const { importAlg } = algorithmToCrypto(algorithm);\n\n  if (algorithm.startsWith(\"hmac\")) {\n    if (!secret) throw new Error(\"HMAC algorithm requires secret\");\n    const encoder = new TextEncoder();\n    return crypto.subtle.importKey(\n      \"raw\",\n      encoder.encode(secret),\n      importAlg,\n      false,\n      [\"verify\"]\n    );\n  }\n\n  if (!publicKey) throw new Error(\"RSA algorithm requires publicKey\");\n  return crypto.subtle.importKey(\"jwk\", publicKey, importAlg, false, [\n    \"verify\",\n  ]);\n}\n\n/** Encode bytes to standard base64. */\nexport function toBase64(buffer: ArrayBuffer): string {\n  return btoa(String.fromCharCode(...new Uint8Array(buffer)));\n}\n\n/** Decode standard base64 to bytes. */\nexport function fromBase64(str: string): Uint8Array {\n  const binary = atob(str);\n  const bytes = new Uint8Array(binary.length);\n  for (let i = 0; i < binary.length; i++) {\n    bytes[i] = binary.charCodeAt(i);\n  }\n  return bytes;\n}\n"],"mappings":"AAYA,SAAS,wBACP,aACA,SACQ;AACR,QAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,UAAQ,aAAa;AAAA,IACnB,KAAK;AACH,aAAO,QAAQ,OAAO,YAAY;AAAA,IACpC,KAAK;AACH,aAAO,IAAI;AAAA,IACb,KAAK;AACH,aAAO,IAAI;AAAA,IACb,KAAK;AACH,aAAO,IAAI,SAAS,QAAQ,KAAK,EAAE;AAAA,IACrC,KAAK;AACH,aAAO,IAAI;AAAA,IACb;AACE,YAAM,IAAI,MAAM,8BAA8B,WAAW,EAAE;AAAA,EAC/D;AACF;AAMA,SAAS,sBAAsB,aAAqB,SAA0B;AAC5E,MAAI,YAAY,WAAW,GAAG,GAAG;AAC/B,WAAO,wBAAwB,aAAa,OAAO;AAAA,EACrD;AAEA,SAAO,QAAQ,QAAQ,IAAI,WAAW,KAAK;AAC7C;AAOO,SAAS,mBACd,YACA,iBACA,SACQ;AACR,QAAM,QAAkB,CAAC;AACzB,aAAW,aAAa,YAAY;AAClC,UAAM,QAAQ,sBAAsB,WAAW,OAAO;AACtD,UAAM,KAAK,IAAI,SAAS,MAAM,KAAK,EAAE;AAAA,EACvC;AACA,QAAM,KAAK,wBAAwB,eAAe,EAAE;AACpD,SAAO,MAAM,KAAK,IAAI;AACxB;AAOO,SAAS,qBACd,YACA,QAOQ;AACR,QAAM,gBAAgB,WAAW,IAAI,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,KAAK,GAAG;AAC9D,MAAI,SAAS,IAAI,aAAa,aAAa,OAAO,OAAO,WAAW,OAAO,KAAK;AAChF,MAAI,OAAO,WAAW;AACpB,cAAU,SAAS,OAAO,SAAS;AAAA,EACrC;AACA,MAAI,OAAO,YAAY,QAAW;AAChC,cAAU,YAAY,OAAO,OAAO;AAAA,EACtC;AACA,MAAI,OAAO,UAAU,QAAW;AAC9B,cAAU,WAAW,OAAO,KAAK;AAAA,EACnC;AACA,SAAO;AACT;AAQO,SAAS,qBAAqB,OAGnC;AAEA,QAAM,aAAa,MAAM,MAAM,cAAc;AAC7C,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE;AAEA,QAAM,eAAe,WAAW,CAAC;AACjC,QAAM,aAAa,eACd,aAAa,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,IAClE,CAAC;AAGL,QAAM,WAAW,MAAM,MAAM,WAAW,CAAC,EAAE,MAAM;AACjD,QAAM,SAAiC,CAAC;AACxC,QAAM,aAAa;AACnB,MAAI,QAAgC,WAAW,KAAK,QAAQ;AAC5D,SAAO,UAAU,MAAM;AAErB,WAAO,MAAM,CAAC,CAAC,IAAI,MAAM,CAAC,KAAK,MAAM,CAAC;AACtC,YAAQ,WAAW,KAAK,QAAQ;AAAA,EAClC;AAEA,SAAO,EAAE,YAAY,OAAO;AAC9B;AAGO,SAAS,kBAAkB,KAGhC;AACA,UAAQ,KAAK;AAAA,IACX,KAAK;AACH,aAAO;AAAA,QACL,WAAW,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,QAC3C,SAAS;AAAA,MACX;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,WAAW,EAAE,MAAM,qBAAqB,MAAM,UAAU;AAAA,QACxD,SAAS;AAAA,MACX;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,WAAW,EAAE,MAAM,WAAW,MAAM,UAAU;AAAA,QAC9C,SAAS,EAAE,MAAM,WAAW,YAAY,GAAG;AAAA,MAC7C;AAAA,IACF;AACE,YAAM,IAAI,MAAM,oCAAoC,GAAG,EAAE;AAAA,EAC7D;AACF;AAKA,eAAsB,iBACpB,WACA,QACA,YACoB;AACpB,QAAM,EAAE,UAAU,IAAI,kBAAkB,SAAS;AAEjD,MAAI,UAAU,WAAW,MAAM,GAAG;AAChC,QAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,gCAAgC;AAC7D,UAAM,UAAU,IAAI,YAAY;AAChC,WAAO,OAAO,OAAO;AAAA,MACnB;AAAA,MACA,QAAQ,OAAO,MAAM;AAAA,MACrB;AAAA,MACA;AAAA,MACA,CAAC,MAAM;AAAA,IACT;AAAA,EACF;AAEA,MAAI,CAAC,WAAY,OAAM,IAAI,MAAM,mCAAmC;AACpE,SAAO,OAAO,OAAO,UAAU,OAAO,YAAY,WAAW,OAAO,CAAC,MAAM,CAAC;AAC9E;AAKA,eAAsB,gBACpB,WACA,QACA,WACoB;AACpB,QAAM,EAAE,UAAU,IAAI,kBAAkB,SAAS;AAEjD,MAAI,UAAU,WAAW,MAAM,GAAG;AAChC,QAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,gCAAgC;AAC7D,UAAM,UAAU,IAAI,YAAY;AAChC,WAAO,OAAO,OAAO;AAAA,MACnB;AAAA,MACA,QAAQ,OAAO,MAAM;AAAA,MACrB;AAAA,MACA;AAAA,MACA,CAAC,QAAQ;AAAA,IACX;AAAA,EACF;AAEA,MAAI,CAAC,UAAW,OAAM,IAAI,MAAM,kCAAkC;AAClE,SAAO,OAAO,OAAO,UAAU,OAAO,WAAW,WAAW,OAAO;AAAA,IACjE;AAAA,EACF,CAAC;AACH;AAGO,SAAS,SAAS,QAA6B;AACpD,SAAO,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,MAAM,CAAC,CAAC;AAC5D;AAGO,SAAS,WAAW,KAAyB;AAClD,QAAM,SAAS,KAAK,GAAG;AACvB,QAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,UAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,EAChC;AACA,SAAO;AACT;","names":[]}

package/dist/policies/auth/jws.d.ts

@@ -0,0 +1,46 @@
+import { g as PolicyConfig, P as Policy } from '../../protocol-2fD3DJrL.js';
+export { clearJwksCache as clearJwsJwksCache } from './crypto.js';
+import 'hono';
+import '../sdk/trace.js';
+import '@vivero/stoma-core';
+
+interface JwsConfig extends PolicyConfig {
+    /** HMAC secret for verification */
+    secret?: string;
+    /** JWKS endpoint for RSA verification */
+    jwksUrl?: string;
+    /** Header containing the JWS. Default: "X-JWS-Signature" */
+    headerName?: string;
+    /** Where the payload comes from for detached JWS. Default: "embedded" */
+    payloadSource?: "embedded" | "body";
+    /** Whether to forward the verified payload as a header. Default: false */
+    forwardPayload?: boolean;
+    /** Header name for forwarded payload. Default: "X-JWS-Payload" */
+    forwardHeaderName?: string;
+    /** JWKS cache TTL in ms. Default: 300000 */
+    jwksCacheTtlMs?: number;
+    /** JWKS fetch timeout in milliseconds. Default: 10000 (10 seconds). */
+    jwksTimeoutMs?: number;
+}
+
+/**
+ * Verify JWS compact serialization signatures on requests.
+ *
+ * The `none` algorithm is always rejected to prevent signature bypass attacks.
+ * Config validation (`secret` or `jwksUrl` required) is performed at construction
+ * time - a missing config throws immediately, not on first request.
+ *
+ * @example
+ * ```ts
+ * import { jws } from "@vivero/stoma";
+ *
+ * // HMAC verification with embedded payload
+ * jws({ secret: env.JWS_SECRET });
+ *
+ * // Detached JWS - payload comes from the request body
+ * jws({ secret: env.JWS_SECRET, payloadSource: "body" });
+ * ```
+ */
+declare const jws: (config?: JwsConfig | undefined) => Policy;
+
+export { type JwsConfig, jws };