@voyantjs/hono 0.31.3 → 0.32.0

package/dist/index.d.ts

@@ -6,6 +6,8 @@ export { consoleLoggerProvider, cors, DEFAULT_IDEMPOTENCY_TTL_MS, db, errorBound
 export type { HonoExtension, HonoModule } from "./module.js";
 export type { ExpandedHonoBundles, ExpandedHonoPlugins, HonoBundle, HonoPlugin, } from "./plugin.js";
 export { defineHonoBundle, defineHonoPlugin, expandHonoBundles, expandHonoPlugins, } from "./plugin.js";
+export type { CreatePublicCapabilityOptions, PublicCapabilityCookieOptions, PublicCapabilityPayload, VerifyPublicCapabilityOptions, } from "./public-capability.js";
+export { createPublicCapabilityToken, extractPublicCapabilityToken, serializePublicCapabilityCookie, verifyPublicCapabilityToken, } from "./public-capability.js";
 export type { DbFactory, LogEntry, LoggerProvider, VoyantAppConfig, VoyantAuthIntegration, VoyantAuthPermissionArgs, VoyantAuthResolveArgs, VoyantBindings, VoyantDb, VoyantExecutionContext, VoyantQueryRuntime, VoyantRequestAuthContext, VoyantVariables, } from "./types.js";
 export { ApiHttpError, ForbiddenApiError, normalizeValidationError, parseJsonBody, parseOptionalJsonBody, parseQuery, RequestValidationError, UnauthorizedApiError, } from "./validation.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AACpC,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACzD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,aAAa,EACb,eAAe,EACf,SAAS,EACT,YAAY,EACZ,aAAa,GACd,MAAM,iBAAiB,CAAA;AACxB,OAAO,EACL,qBAAqB,EACrB,IAAI,EACJ,0BAA0B,EAC1B,EAAE,EACF,aAAa,EACb,cAAc,EACd,KAAK,qBAAqB,EAC1B,cAAc,EACd,WAAW,EACX,MAAM,EACN,2BAA2B,EAC3B,SAAS,EACT,SAAS,EACT,YAAY,EACZ,WAAW,EACX,iBAAiB,GAClB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAC5D,YAAY,EACV,mBAAmB,EACnB,mBAAmB,EACnB,UAAU,EACV,UAAU,GACX,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,aAAa,CAAA;AACpB,YAAY,EACV,SAAS,EACT,QAAQ,EACR,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,wBAAwB,EACxB,qBAAqB,EACrB,cAAc,EACd,QAAQ,EACR,sBAAsB,EACtB,kBAAkB,EAClB,wBAAwB,EACxB,eAAe,GAChB,MAAM,YAAY,CAAA;AACnB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,wBAAwB,EACxB,aAAa,EACb,qBAAqB,EACrB,UAAU,EACV,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,iBAAiB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AACpC,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACzD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,aAAa,EACb,eAAe,EACf,SAAS,EACT,YAAY,EACZ,aAAa,GACd,MAAM,iBAAiB,CAAA;AACxB,OAAO,EACL,qBAAqB,EACrB,IAAI,EACJ,0BAA0B,EAC1B,EAAE,EACF,aAAa,EACb,cAAc,EACd,KAAK,qBAAqB,EAC1B,cAAc,EACd,WAAW,EACX,MAAM,EACN,2BAA2B,EAC3B,SAAS,EACT,SAAS,EACT,YAAY,EACZ,WAAW,EACX,iBAAiB,GAClB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAC5D,YAAY,EACV,mBAAmB,EACnB,mBAAmB,EACnB,UAAU,EACV,UAAU,GACX,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,aAAa,CAAA;AACpB,YAAY,EACV,6BAA6B,EAC7B,6BAA6B,EAC7B,uBAAuB,EACvB,6BAA6B,GAC9B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,2BAA2B,EAC3B,4BAA4B,EAC5B,+BAA+B,EAC/B,2BAA2B,GAC5B,MAAM,wBAAwB,CAAA;AAC/B,YAAY,EACV,SAAS,EACT,QAAQ,EACR,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,wBAAwB,EACxB,qBAAqB,EACrB,cAAc,EACd,QAAQ,EACR,sBAAsB,EACtB,kBAAkB,EAClB,wBAAwB,EACxB,eAAe,GAChB,MAAM,YAAY,CAAA;AACnB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,wBAAwB,EACxB,aAAa,EACb,qBAAqB,EACrB,UAAU,EACV,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,iBAAiB,CAAA"}

package/dist/index.js

@@ -2,4 +2,5 @@ export { createApp } from "./app.js";
 export { extractBearerToken, generateNumericCode, randomBytesHex, requireUserId, sha256Base64Url, sha256Hex, unsignCookie, verifySession, } from "./auth/index.js";
 export { consoleLoggerProvider, cors, DEFAULT_IDEMPOTENCY_TTL_MS, db, errorBoundary, handleApiError, idempotencyKey, LIVE_LIMITS, logger, purgeExpiredIdempotencyKeys, rateLimit, requestId, requireActor, requireAuth, requirePermission, } from "./middleware/index.js";
 export { defineHonoBundle, defineHonoPlugin, expandHonoBundles, expandHonoPlugins, } from "./plugin.js";
+export { createPublicCapabilityToken, extractPublicCapabilityToken, serializePublicCapabilityCookie, verifyPublicCapabilityToken, } from "./public-capability.js";
 export { ApiHttpError, ForbiddenApiError, normalizeValidationError, parseJsonBody, parseOptionalJsonBody, parseQuery, RequestValidationError, UnauthorizedApiError, } from "./validation.js";

package/dist/public-capability.d.ts

@@ -0,0 +1,46 @@
+import type { Context } from "hono";
+export interface PublicCapabilityPayload {
+    v: 1;
+    scope: string;
+    subjectId: string;
+    actions: string[];
+    iat: number;
+    exp: number;
+    jti?: string;
+}
+export interface CreatePublicCapabilityOptions {
+    secret: string;
+    scope: string;
+    subjectId: string;
+    actions: string[];
+    ttlSeconds: number;
+    now?: Date;
+    jti?: string;
+}
+export interface VerifyPublicCapabilityOptions {
+    secret: string;
+    scope: string;
+    subjectId: string;
+    action: string;
+    now?: Date;
+}
+export interface PublicCapabilityCookieOptions {
+    name: string;
+    token: string;
+    expiresAt: Date;
+    secure?: boolean;
+    sameSite?: "Strict" | "Lax" | "None";
+    path?: string;
+}
+export declare function createPublicCapabilityToken(options: CreatePublicCapabilityOptions): Promise<{
+    token: string;
+    payload: PublicCapabilityPayload;
+    expiresAt: Date;
+}>;
+export declare function verifyPublicCapabilityToken(token: string, options: VerifyPublicCapabilityOptions): Promise<PublicCapabilityPayload>;
+export declare function extractPublicCapabilityToken(c: Context, options?: {
+    headerName?: string;
+    cookieName?: string;
+}): string | null;
+export declare function serializePublicCapabilityCookie(options: PublicCapabilityCookieOptions): string;
+//# sourceMappingURL=public-capability.d.ts.map

package/dist/public-capability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"public-capability.d.ts","sourceRoot":"","sources":["../src/public-capability.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAInC,MAAM,WAAW,uBAAuB;IACtC,CAAC,EAAE,CAAC,CAAA;IACJ,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,GAAG,CAAC,EAAE,IAAI,CAAA;IACV,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;IACd,GAAG,CAAC,EAAE,IAAI,CAAA;CACX;AAED,MAAM,WAAW,6BAA6B;IAC5C,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;IACf,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAA;IACpC,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AA2DD,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,uBAAuB,CAAC;IAAC,SAAS,EAAE,IAAI,CAAA;CAAE,CAAC,CAyB/E;AAED,wBAAsB,2BAA2B,CAC/C,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,uBAAuB,CAAC,CAyClC;AAED,wBAAgB,4BAA4B,CAC1C,CAAC,EAAE,OAAO,EACV,OAAO,GAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAO,iBA0B3D;AAED,wBAAgB,+BAA+B,CAAC,OAAO,EAAE,6BAA6B,UAiBrF"}

package/dist/public-capability.js

@@ -0,0 +1,140 @@
+import { ForbiddenApiError, UnauthorizedApiError } from "./validation.js";
+const TOKEN_TYPE = "voyant-public-capability+jwt";
+const DEFAULT_CAPABILITY_HEADER = "X-Voyant-Checkout-Capability";
+function getWebCrypto() {
+    if (globalThis.crypto?.subtle) {
+        return globalThis.crypto;
+    }
+    throw new Error("No crypto implementation available");
+}
+function encodeBase64Url(input) {
+    const bytes = typeof input === "string" ? new TextEncoder().encode(input) : input;
+    let binary = "";
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function decodeBase64Url(input) {
+    const base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = base64.padEnd(Math.ceil(base64.length / 4) * 4, "=");
+    return atob(padded);
+}
+function constantTimeEqual(left, right) {
+    if (left.length !== right.length)
+        return false;
+    let result = 0;
+    for (let index = 0; index < left.length; index += 1) {
+        result |= left.charCodeAt(index) ^ right.charCodeAt(index);
+    }
+    return result === 0;
+}
+async function signMessage(message, secret) {
+    const crypto = getWebCrypto();
+    const encoder = new TextEncoder();
+    const key = await crypto.subtle.importKey("raw", encoder.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+    const signature = await crypto.subtle.sign("HMAC", key, encoder.encode(message));
+    return encodeBase64Url(new Uint8Array(signature));
+}
+function validateSecret(secret) {
+    if (secret.length < 32) {
+        throw new Error("Public capability secret must be at least 32 characters");
+    }
+}
+export async function createPublicCapabilityToken(options) {
+    validateSecret(options.secret);
+    const issuedAt = Math.floor((options.now ?? new Date()).getTime() / 1000);
+    const expiresAtSeconds = issuedAt + options.ttlSeconds;
+    const payload = {
+        v: 1,
+        scope: options.scope,
+        subjectId: options.subjectId,
+        actions: Array.from(new Set(options.actions)).sort(),
+        iat: issuedAt,
+        exp: expiresAtSeconds,
+        ...(options.jti ? { jti: options.jti } : {}),
+    };
+    const header = { alg: "HS256", typ: TOKEN_TYPE };
+    const headerB64 = encodeBase64Url(JSON.stringify(header));
+    const payloadB64 = encodeBase64Url(JSON.stringify(payload));
+    const message = `${headerB64}.${payloadB64}`;
+    const signature = await signMessage(message, options.secret);
+    return {
+        token: `${message}.${signature}`,
+        payload,
+        expiresAt: new Date(expiresAtSeconds * 1000),
+    };
+}
+export async function verifyPublicCapabilityToken(token, options) {
+    validateSecret(options.secret);
+    const [headerB64, payloadB64, signature] = token.split(".");
+    if (!headerB64 || !payloadB64 || !signature) {
+        throw new UnauthorizedApiError("Invalid checkout session capability");
+    }
+    const message = `${headerB64}.${payloadB64}`;
+    const expectedSignature = await signMessage(message, options.secret);
+    if (!constantTimeEqual(signature, expectedSignature)) {
+        throw new UnauthorizedApiError("Invalid checkout session capability");
+    }
+    let header;
+    let payload;
+    try {
+        header = JSON.parse(decodeBase64Url(headerB64));
+        payload = JSON.parse(decodeBase64Url(payloadB64));
+    }
+    catch {
+        throw new UnauthorizedApiError("Invalid checkout session capability");
+    }
+    if (header.typ !== TOKEN_TYPE || payload.v !== 1) {
+        throw new UnauthorizedApiError("Invalid checkout session capability");
+    }
+    const now = Math.floor((options.now ?? new Date()).getTime() / 1000);
+    if (payload.exp < now) {
+        throw new UnauthorizedApiError("Expired checkout session capability");
+    }
+    if (payload.scope !== options.scope || payload.subjectId !== options.subjectId) {
+        throw new ForbiddenApiError("Checkout session capability is not scoped to this resource");
+    }
+    if (!payload.actions.includes(options.action)) {
+        throw new ForbiddenApiError("Checkout session capability cannot perform this action");
+    }
+    return payload;
+}
+export function extractPublicCapabilityToken(c, options = {}) {
+    const headerName = options.headerName ?? DEFAULT_CAPABILITY_HEADER;
+    const headerToken = c.req.header(headerName);
+    if (headerToken) {
+        return headerToken;
+    }
+    const cookieName = options.cookieName;
+    if (!cookieName) {
+        return null;
+    }
+    const cookieHeader = c.req.header("Cookie");
+    if (!cookieHeader) {
+        return null;
+    }
+    for (const part of cookieHeader.split(";")) {
+        const [rawName, ...rawValueParts] = part.trim().split("=");
+        if (rawName === cookieName) {
+            return decodeURIComponent(rawValueParts.join("="));
+        }
+    }
+    return null;
+}
+export function serializePublicCapabilityCookie(options) {
+    const secure = options.secure ?? true;
+    const sameSite = options.sameSite ?? "Lax";
+    const path = options.path ?? "/";
+    const parts = [
+        `${options.name}=${encodeURIComponent(options.token)}`,
+        "HttpOnly",
+        `SameSite=${sameSite}`,
+        `Path=${path}`,
+        `Expires=${options.expiresAt.toUTCString()}`,
+    ];
+    if (secure) {
+        parts.push("Secure");
+    }
+    return parts.join("; ");
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@voyantjs/hono",
-  "version": "0.31.3",
+  "version": "0.32.0",
   "license": "Apache-2.0",
   "type": "module",
   "exports": {
@@ -94,18 +94,18 @@
     "drizzle-orm": "^0.45.2",
     "hono": "^4.12.10",
     "zod": "^4.3.6",
-    "@voyantjs/core": "0.31.3",
-    "@voyantjs/db": "0.31.3",
-    "@voyantjs/types": "0.31.3",
-    "@voyantjs/utils": "0.31.3",
-    "@voyantjs/workflows": "0.31.3"
+    "@voyantjs/core": "0.32.0",
+    "@voyantjs/db": "0.32.0",
+    "@voyantjs/types": "0.32.0",
+    "@voyantjs/utils": "0.32.0",
+    "@voyantjs/workflows": "0.32.0"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20260426.1",
     "typescript": "^6.0.2",
     "vitest": "^4.1.2",
     "@voyantjs/voyant-typescript-config": "0.1.0",
-    "@voyantjs/workflows-orchestrator": "0.31.3"
+    "@voyantjs/workflows-orchestrator": "0.32.0"
   },
   "files": [
     "dist"