@yannelli/zoomies 0.0.0

package/dist/server/auth/require-token.js

@@ -0,0 +1,98 @@
+/**
+ * Bearer-token guard for Route Handlers and CLI-facing entry points.
+ *
+ * This is intentionally NOT a Next.js `middleware.ts` export — Next.js
+ * middleware runs in the Edge runtime, which doesn't expose Node's `crypto`
+ * primitives we need for a constant-time token comparison. Route Handlers
+ * call this helper directly in the Node runtime.
+ */
+import { Buffer } from 'node:buffer';
+import { timingSafeEqual } from 'node:crypto';
+export class UnauthorizedError extends Error {
+    code = 'unauthorized';
+    constructor(message = 'unauthorized') {
+        super(message);
+        this.name = 'UnauthorizedError';
+    }
+}
+/**
+ * Duck-typed check for a Web `Headers`-like value. We accept either a real
+ * `Headers` instance (Route Handlers) or a plain header bag (unit tests, CLI
+ * callers) so the same helper covers both surfaces.
+ */
+function isHeadersLike(value) {
+    return (typeof value === 'object' &&
+        value !== null &&
+        typeof value.get === 'function');
+}
+/**
+ * Look up the `Authorization` header from either input shape. Plain bags may
+ * use any casing and may store arrays (Node's `IncomingHttpHeaders` does for
+ * a few headers); take the first array entry if so.
+ */
+function readAuthorizationHeader(headers) {
+    if (isHeadersLike(headers)) {
+        return headers.get('authorization');
+    }
+    for (const [key, value] of Object.entries(headers)) {
+        if (key.toLowerCase() !== 'authorization') {
+            continue;
+        }
+        if (Array.isArray(value)) {
+            return value[0] ?? null;
+        }
+        return value ?? null;
+    }
+    return null;
+}
+/**
+ * Constant-time string compare. `timingSafeEqual` requires equal-length
+ * buffers, so we pad the shorter side to the longer side's length before
+ * comparing and then check lengths separately. The pad is on a constant-
+ * length pair so the equality check itself doesn't reveal which side was
+ * shorter via timing.
+ */
+function constantTimeEquals(a, b) {
+    const aBuf = Buffer.from(a, 'utf8');
+    const bBuf = Buffer.from(b, 'utf8');
+    const len = Math.max(aBuf.length, bBuf.length, 1);
+    const aPadded = Buffer.alloc(len);
+    const bPadded = Buffer.alloc(len);
+    aBuf.copy(aPadded);
+    bBuf.copy(bPadded);
+    const equal = timingSafeEqual(aPadded, bPadded);
+    return equal && aBuf.length === bBuf.length;
+}
+/**
+ * Reads the bearer token from the Authorization header and compares it to
+ * `ZOOMIES_API_TOKEN` (or `opts.expectedToken`) using a constant-time
+ * comparison. Throws {@link UnauthorizedError} on any failure, returns void
+ * on success.
+ */
+export function requireToken(headers, opts) {
+    // Re-read at each call: tests stub `process.env.ZOOMIES_API_TOKEN` via
+    // `vi.stubEnv`, and the value can also legitimately change at runtime if
+    // operators rotate the token.
+    const expected = opts?.expectedToken ?? process.env.ZOOMIES_API_TOKEN;
+    if (expected === undefined || expected === '') {
+        throw new UnauthorizedError('api token not configured');
+    }
+    const raw = readAuthorizationHeader(headers);
+    if (raw === null || raw === '') {
+        throw new UnauthorizedError('missing authorization header');
+    }
+    // Split into exactly two non-empty tokens: scheme + credential. Anything
+    // else (e.g. `Bearer` alone, `Bearer  token`, `Bearer a b`) is malformed.
+    const parts = raw.split(' ');
+    if (parts.length !== 2 || parts[0] === '' || parts[1] === '') {
+        throw new UnauthorizedError('malformed authorization header');
+    }
+    const [scheme, credential] = parts;
+    if (scheme.toLowerCase() !== 'bearer') {
+        throw new UnauthorizedError('malformed authorization header');
+    }
+    if (!constantTimeEquals(credential, expected)) {
+        throw new UnauthorizedError('invalid token');
+    }
+}
+//# sourceMappingURL=require-token.js.map

package/dist/server/auth/require-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-token.js","sourceRoot":"","sources":["../../../src/server/auth/require-token.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,IAAI,GAAG,cAAc,CAAC;IAE/B,YAAY,UAAkB,cAAc;QAC1C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAOD;;;;GAIG;AACH,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;QACzB,KAAK,KAAK,IAAI;QACd,OAAQ,KAA2B,CAAC,GAAG,KAAK,UAAU,CACvD,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,uBAAuB,CAC9B,OAAgE;IAEhE,IAAI,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,IAAI,GAAG,CAAC,WAAW,EAAE,KAAK,eAAe,EAAE,CAAC;YAC1C,SAAS;QACX,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QAC1B,CAAC;QACD,OAAO,KAAK,IAAI,IAAI,CAAC;IACvB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,SAAS,kBAAkB,CAAC,CAAS,EAAE,CAAS;IAC9C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACnB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACnB,MAAM,KAAK,GAAG,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAChD,OAAO,KAAK,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,CAAC;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAC1B,OAAgE,EAChE,IAA0B;IAE1B,uEAAuE;IACvE,yEAAyE;IACzE,8BAA8B;IAC9B,MAAM,QAAQ,GAAG,IAAI,EAAE,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IACtE,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,EAAE,EAAE,CAAC;QAC9C,MAAM,IAAI,iBAAiB,CAAC,0BAA0B,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,GAAG,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,EAAE,EAAE,CAAC;QAC/B,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,CAAC,CAAC;IAC9D,CAAC;IAED,yEAAyE;IACzE,0EAA0E;IAC1E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;QAC7D,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;IAChE,CAAC;IAED,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,GAAG,KAAyB,CAAC;IACvD,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC"}

package/dist/server/certs/acme-account.d.ts

@@ -0,0 +1,37 @@
+/**
+ * ACME account key lifecycle.
+ *
+ * Every ACME interaction is signed with a long-lived account key. The CA
+ * binds issued certificates to the public half of this key, so it must
+ * persist across renewals — generating a new account key per run would
+ * leak per-host state to the CA and re-trigger ToS prompts.
+ *
+ * This module owns reading the account key from disk on warm start, and
+ * generating + persisting a fresh one on cold start. The key material is
+ * an RSA 2048 PEM produced by `acme-client`'s own crypto helper so we
+ * don't have to reimplement key encoding.
+ */
+export interface AcmeAccount {
+    /** PEM-encoded RSA or ECDSA private key, as required by acme.Client. */
+    accountKeyPem: string;
+    /** Contact email surfaced to the CA on account creation/update. */
+    contactEmail: string;
+    /** ACME directory URL — Let's Encrypt staging vs. production lives here. */
+    directoryUrl: string;
+}
+export interface LoadOrCreateAccountOptions {
+    /** Absolute path where the account key PEM is persisted across restarts. */
+    accountKeyPath: string;
+    contactEmail: string;
+    directoryUrl: string;
+}
+/**
+ * Return an {@link AcmeAccount}, creating + persisting a fresh account key
+ * on cold start. Subsequent calls with the same `accountKeyPath` round-trip
+ * the same key material byte-exact.
+ *
+ * The key file is written atomically — a crash mid-generation never leaves
+ * a truncated PEM that would deadlock the next start.
+ */
+export declare function loadOrCreateAccount(opts: LoadOrCreateAccountOptions): Promise<AcmeAccount>;
+//# sourceMappingURL=acme-account.d.ts.map

package/dist/server/certs/acme-account.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"acme-account.d.ts","sourceRoot":"","sources":["../../../src/server/certs/acme-account.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAQH,MAAM,WAAW,WAAW;IAC1B,wEAAwE;IACxE,aAAa,EAAE,MAAM,CAAC;IACtB,mEAAmE;IACnE,YAAY,EAAE,MAAM,CAAC;IACrB,4EAA4E;IAC5E,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,0BAA0B;IACzC,4EAA4E;IAC5E,cAAc,EAAE,MAAM,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;GAOG;AACH,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,0BAA0B,GAAG,OAAO,CAAC,WAAW,CAAC,CAQhG"}

package/dist/server/certs/acme-account.js

@@ -0,0 +1,49 @@
+/**
+ * ACME account key lifecycle.
+ *
+ * Every ACME interaction is signed with a long-lived account key. The CA
+ * binds issued certificates to the public half of this key, so it must
+ * persist across renewals — generating a new account key per run would
+ * leak per-host state to the CA and re-trigger ToS prompts.
+ *
+ * This module owns reading the account key from disk on warm start, and
+ * generating + persisting a fresh one on cold start. The key material is
+ * an RSA 2048 PEM produced by `acme-client`'s own crypto helper so we
+ * don't have to reimplement key encoding.
+ */
+import { readFile } from 'node:fs/promises';
+import acme from 'acme-client';
+import { writeAtomic } from '../reload/atomic-write.js';
+/**
+ * Return an {@link AcmeAccount}, creating + persisting a fresh account key
+ * on cold start. Subsequent calls with the same `accountKeyPath` round-trip
+ * the same key material byte-exact.
+ *
+ * The key file is written atomically — a crash mid-generation never leaves
+ * a truncated PEM that would deadlock the next start.
+ */
+export async function loadOrCreateAccount(opts) {
+    const accountKeyPem = await loadOrGenerate(opts.accountKeyPath);
+    return {
+        accountKeyPem,
+        contactEmail: opts.contactEmail,
+        directoryUrl: opts.directoryUrl,
+    };
+}
+async function loadOrGenerate(accountKeyPath) {
+    try {
+        return await readFile(accountKeyPath, 'utf8');
+    }
+    catch (err) {
+        if (err.code !== 'ENOENT') {
+            throw err;
+        }
+    }
+    // No key on disk yet — generate one and persist it atomically so a crash
+    // during generation never leaves a half-written PEM.
+    const generated = await acme.crypto.createPrivateKey();
+    const pem = generated.toString('utf8');
+    await writeAtomic(accountKeyPath, pem);
+    return pem;
+}
+//# sourceMappingURL=acme-account.js.map

package/dist/server/certs/acme-account.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acme-account.js","sourceRoot":"","sources":["../../../src/server/certs/acme-account.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,IAAI,MAAM,aAAa,CAAC;AAE/B,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAkBxD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAgC;IACxE,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAEhE,OAAO;QACL,aAAa;QACb,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,YAAY,EAAE,IAAI,CAAC,YAAY;KAChC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,cAAsB;IAClD,IAAI,CAAC;QACH,OAAO,MAAM,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,qDAAqD;IACrD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;IACvD,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,WAAW,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/server/certs/challenge-store.d.ts

@@ -0,0 +1,53 @@
+/**
+ * HTTP-01 challenge token persistence.
+ *
+ * ACME's HTTP-01 challenge demands that for each `token` issued by the CA we
+ * serve the matching `keyAuthorization` at
+ * `http://<domain>/.well-known/acme-challenge/<token>` over plaintext HTTP.
+ *
+ * The control plane writes those files into a state directory; NGINX is
+ * configured (separately, by the bootstrap config) to serve that directory
+ * for the `.well-known/acme-challenge/` path on port 80 for every site.
+ *
+ * This module is intentionally tiny: a token-to-file mapping with strict
+ * input validation. Anything fancier (e.g. an in-memory store, an
+ * orchestrator across nodes) is out of scope for the single-host control
+ * plane.
+ */
+export interface ChallengeStore {
+    /**
+     * Persist the `keyAuthorization` for `token` so NGINX can serve it.
+     * Creates {@link basePath} on first call if missing.
+     * Throws {@link ValidationError} if `token` contains characters outside
+     * the base64url alphabet — refuse the write rather than risk a path
+     * traversal.
+     */
+    write(token: string, keyAuthorization: string): Promise<void>;
+    /**
+     * Remove the challenge file for `token`. ENOENT is swallowed so callers
+     * can use this as cleanup in both success and failure paths without
+     * tracking which tokens they actually wrote.
+     */
+    remove(token: string): Promise<void>;
+    /**
+     * Absolute path to the `.well-known/acme-challenge/` directory the store
+     * writes into. Surfaced so the NGINX site renderer and the cleanup worker
+     * can read it without re-deriving the convention.
+     */
+    basePath: string;
+}
+export interface CreateChallengeStoreOptions {
+    /**
+     * Override the state directory. Defaults to `$ZOOMIES_STATE_DIR`, or
+     * `<cwd>/.zoomies` if that env var is unset (matches `db-context.ts`).
+     */
+    stateDir?: string;
+}
+/**
+ * Build a ChallengeStore bound to the resolved base directory.
+ *
+ * Pure factory: no I/O happens until the first call to {@link
+ * ChallengeStore.write}.
+ */
+export declare function createChallengeStore(opts?: CreateChallengeStoreOptions): ChallengeStore;
+//# sourceMappingURL=challenge-store.d.ts.map

package/dist/server/certs/challenge-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge-store.d.ts","sourceRoot":"","sources":["../../../src/server/certs/challenge-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAgBH,MAAM,WAAW,cAAc;IAC7B;;;;;;OAMG;IACH,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9D;;;;OAIG;IACH,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAErC;;;;OAIG;IACH,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,2BAA2B;IAC1C;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAcD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,CAAC,EAAE,2BAA2B,GAAG,cAAc,CAwBvF"}

package/dist/server/certs/challenge-store.js

@@ -0,0 +1,66 @@
+/**
+ * HTTP-01 challenge token persistence.
+ *
+ * ACME's HTTP-01 challenge demands that for each `token` issued by the CA we
+ * serve the matching `keyAuthorization` at
+ * `http://<domain>/.well-known/acme-challenge/<token>` over plaintext HTTP.
+ *
+ * The control plane writes those files into a state directory; NGINX is
+ * configured (separately, by the bootstrap config) to serve that directory
+ * for the `.well-known/acme-challenge/` path on port 80 for every site.
+ *
+ * This module is intentionally tiny: a token-to-file mapping with strict
+ * input validation. Anything fancier (e.g. an in-memory store, an
+ * orchestrator across nodes) is out of scope for the single-host control
+ * plane.
+ */
+import { mkdir, unlink } from 'node:fs/promises';
+import { join } from 'node:path';
+import { ValidationError } from '../domain/errors.js';
+import { writeAtomic } from '../reload/atomic-write.js';
+/**
+ * ACME token grammar — base64url alphabet, no padding, no slashes or dots.
+ * This is what `acme-client` (and the spec) hand us, but we re-validate at
+ * the boundary because the token becomes part of a filesystem path and a
+ * traversal would let a hostile CA escape the challenge directory.
+ */
+const TOKEN_REGEX = /^[A-Za-z0-9_-]+$/;
+function resolveBasePath(opts) {
+    const stateDir = opts?.stateDir ?? process.env.ZOOMIES_STATE_DIR ?? join(process.cwd(), '.zoomies');
+    return join(stateDir, 'acme', '.well-known', 'acme-challenge');
+}
+function assertValidToken(token) {
+    if (!TOKEN_REGEX.test(token)) {
+        throw new ValidationError(`invalid ACME challenge token: ${JSON.stringify(token)}`);
+    }
+}
+/**
+ * Build a ChallengeStore bound to the resolved base directory.
+ *
+ * Pure factory: no I/O happens until the first call to {@link
+ * ChallengeStore.write}.
+ */
+export function createChallengeStore(opts) {
+    const basePath = resolveBasePath(opts);
+    return {
+        basePath,
+        async write(token, keyAuthorization) {
+            assertValidToken(token);
+            await mkdir(basePath, { recursive: true });
+            await writeAtomic(join(basePath, token), keyAuthorization);
+        },
+        async remove(token) {
+            assertValidToken(token);
+            try {
+                await unlink(join(basePath, token));
+            }
+            catch (err) {
+                if (err.code === 'ENOENT') {
+                    return;
+                }
+                throw err;
+            }
+        },
+    };
+}
+//# sourceMappingURL=challenge-store.js.map

package/dist/server/certs/challenge-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge-store.js","sourceRoot":"","sources":["../../../src/server/certs/challenge-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAExD;;;;;GAKG;AACH,MAAM,WAAW,GAAG,kBAAkB,CAAC;AAmCvC,SAAS,eAAe,CAAC,IAAkC;IACzD,MAAM,QAAQ,GACZ,IAAI,EAAE,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACrF,OAAO,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,gBAAgB,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,eAAe,CAAC,iCAAiC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACtF,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAkC;IACrE,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IAEvC,OAAO;QACL,QAAQ;QAER,KAAK,CAAC,KAAK,CAAC,KAAa,EAAE,gBAAwB;YACjD,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACxB,MAAM,KAAK,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3C,MAAM,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,gBAAgB,CAAC,CAAC;QAC7D,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,KAAa;YACxB,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACxB,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;YACtC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACrD,OAAO;gBACT,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/server/certs/issue.d.ts

@@ -0,0 +1,106 @@
+/**
+ * Single-shot ACME certificate issuance with HTTP-01.
+ *
+ * Drives the full happy-path: generate a per-domain key + CSR, ask
+ * `acme-client.auto()` to negotiate the order, hand off the resulting PEM
+ * chain + private key onto disk atomically, and extract the validity
+ * window from the leaf certificate so the caller (issue endpoint or renew
+ * loop) can persist a `Cert` row.
+ *
+ * Side effects are bracketed by rollback:
+ *   - Challenge files are cleaned up by `challengeRemoveFn` (acme-client
+ *     calls it in both success and failure paths in current versions).
+ *   - PEM + key writes use {@link writeAtomic} and are rolled back if any
+ *     later step throws — never leave a half-issued cert on disk that a
+ *     reload could pick up.
+ *
+ * The acme-client surface is wrapped behind {@link AcmeClientLike} so
+ * tests can substitute a fake without depending on the library's full
+ * type surface, which has historically shifted between minor versions.
+ */
+import { writeAtomic } from '../reload/atomic-write.js';
+import type { AcmeAccount } from './acme-account.js';
+import type { ChallengeStore } from './challenge-store.js';
+/**
+ * Minimal slice of `acme-client.Client` that the issuance flow actually
+ * touches. Keep this narrow so tests can implement it without pulling in
+ * the real client's surface.
+ */
+export interface AcmeClientLike {
+    /**
+     * Drive the ACME order to completion using HTTP-01. Returns the PEM
+     * chain of the issued certificate (leaf first).
+     */
+    auto(opts: {
+        csr: Buffer;
+        email: string;
+        termsOfServiceAgreed: boolean;
+        challengeCreateFn: (authz: {
+            identifier: {
+                value: string;
+            };
+        }, challenge: {
+            token: string;
+            type: string;
+        }, keyAuthorization: string) => Promise<void>;
+        challengeRemoveFn: (authz: {
+            identifier: {
+                value: string;
+            };
+        }, challenge: {
+            token: string;
+            type: string;
+        }, keyAuthorization: string) => Promise<void>;
+    }): Promise<string>;
+}
+/**
+ * Validity window extracted from a PEM-encoded leaf certificate. Both
+ * fields must be `Date` instances; the caller serialises to ISO-8601.
+ */
+export interface CertificateValidity {
+    notBefore: Date;
+    notAfter: Date;
+}
+export interface IssueDeps {
+    /**
+     * Factory for the ACME client. Default wraps `acme.Client` from
+     * `acme-client`; tests substitute a fake that returns a canned PEM.
+     */
+    createClient: (account: AcmeAccount) => AcmeClientLike;
+    /**
+     * Atomic file writer. Defaults to the production {@link writeAtomic};
+     * tests rarely override but the seam is here for parity with the rest
+     * of the codebase.
+     */
+    writeFile: typeof writeAtomic;
+    /**
+     * Parse the validity window out of a leaf certificate PEM. Defaults to
+     * `acme.crypto.readCertificateInfo`. Injected so tests can avoid having
+     * to construct a fully-valid x509 PEM with non-degenerate dates.
+     */
+    readCertificateValidity: (pemChain: string) => CertificateValidity;
+}
+export interface IssueOptions {
+    domain: string;
+    account: AcmeAccount;
+    challengeStore: ChallengeStore;
+    /** Directory to write `<domain>.pem` and `<domain>.key` into. */
+    certDir: string;
+    deps?: Partial<IssueDeps>;
+}
+export interface IssueResult {
+    domain: string;
+    pemPath: string;
+    keyPath: string;
+    /** ISO-8601 — directly insertable into the `certs` table. */
+    notBefore: string;
+    /** ISO-8601 — directly insertable into the `certs` table. */
+    notAfter: string;
+}
+/**
+ * Issue a single certificate via HTTP-01. Returns the data needed to
+ * insert (or update) a `Cert` row — the caller is responsible for that
+ * persistence step.
+ */
+export declare function issueCertificate(opts: IssueOptions): Promise<IssueResult>;
+//# sourceMappingURL=issue.d.ts.map

package/dist/server/certs/issue.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"issue.d.ts","sourceRoot":"","sources":["../../../src/server/certs/issue.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAQH,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACxD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B;;;OAGG;IACH,IAAI,CAAC,IAAI,EAAE;QACT,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC;QACd,oBAAoB,EAAE,OAAO,CAAC;QAC9B,iBAAiB,EAAE,CACjB,KAAK,EAAE;YAAE,UAAU,EAAE;gBAAE,KAAK,EAAE,MAAM,CAAA;aAAE,CAAA;SAAE,EACxC,SAAS,EAAE;YAAE,KAAK,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,EAC1C,gBAAgB,EAAE,MAAM,KACrB,OAAO,CAAC,IAAI,CAAC,CAAC;QACnB,iBAAiB,EAAE,CACjB,KAAK,EAAE;YAAE,UAAU,EAAE;gBAAE,KAAK,EAAE,MAAM,CAAA;aAAE,CAAA;SAAE,EACxC,SAAS,EAAE;YAAE,KAAK,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,EAC1C,gBAAgB,EAAE,MAAM,KACrB,OAAO,CAAC,IAAI,CAAC,CAAC;KACpB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,IAAI,CAAC;IAChB,QAAQ,EAAE,IAAI,CAAC;CAChB;AAED,MAAM,WAAW,SAAS;IACxB;;;OAGG;IACH,YAAY,EAAE,CAAC,OAAO,EAAE,WAAW,KAAK,cAAc,CAAC;IACvD;;;;OAIG;IACH,SAAS,EAAE,OAAO,WAAW,CAAC;IAC9B;;;;OAIG;IACH,uBAAuB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,mBAAmB,CAAC;CACpE;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,WAAW,CAAC;IACrB,cAAc,EAAE,cAAc,CAAC;IAC/B,iEAAiE;IACjE,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;CAC3B;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,6DAA6D;IAC7D,SAAS,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,QAAQ,EAAE,MAAM,CAAC;CAClB;AA0BD;;;;GAIG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CA2D/E"}

package/dist/server/certs/issue.js

@@ -0,0 +1,107 @@
+/**
+ * Single-shot ACME certificate issuance with HTTP-01.
+ *
+ * Drives the full happy-path: generate a per-domain key + CSR, ask
+ * `acme-client.auto()` to negotiate the order, hand off the resulting PEM
+ * chain + private key onto disk atomically, and extract the validity
+ * window from the leaf certificate so the caller (issue endpoint or renew
+ * loop) can persist a `Cert` row.
+ *
+ * Side effects are bracketed by rollback:
+ *   - Challenge files are cleaned up by `challengeRemoveFn` (acme-client
+ *     calls it in both success and failure paths in current versions).
+ *   - PEM + key writes use {@link writeAtomic} and are rolled back if any
+ *     later step throws — never leave a half-issued cert on disk that a
+ *     reload could pick up.
+ *
+ * The acme-client surface is wrapped behind {@link AcmeClientLike} so
+ * tests can substitute a fake without depending on the library's full
+ * type surface, which has historically shifted between minor versions.
+ */
+import { chmod } from 'node:fs/promises';
+import { join } from 'node:path';
+import acme from 'acme-client';
+import { writeAtomic } from '../reload/atomic-write.js';
+/**
+ * Default factory wrapping `acme.Client`. The narrow {@link AcmeClientLike}
+ * type means we cast at the boundary; the cast is safe because the real
+ * `auto` signature is a superset of our minimal interface.
+ */
+function defaultCreateClient(account) {
+    const client = new acme.Client({
+        directoryUrl: account.directoryUrl,
+        accountKey: account.accountKeyPem,
+    });
+    return client;
+}
+function defaultReadCertificateValidity(pemChain) {
+    const info = acme.crypto.readCertificateInfo(pemChain);
+    return { notBefore: info.notBefore, notAfter: info.notAfter };
+}
+const defaultDeps = {
+    createClient: defaultCreateClient,
+    writeFile: writeAtomic,
+    readCertificateValidity: defaultReadCertificateValidity,
+};
+/**
+ * Issue a single certificate via HTTP-01. Returns the data needed to
+ * insert (or update) a `Cert` row — the caller is responsible for that
+ * persistence step.
+ */
+export async function issueCertificate(opts) {
+    const deps = { ...defaultDeps, ...opts.deps };
+    const { domain, account, challengeStore, certDir } = opts;
+    // 1. Per-domain key + CSR. acme-client returns a tuple of [keyPem, csrPem]
+    //    and we hand the CSR (as a Buffer) into `auto`.
+    const [keyPem, csrBuffer] = await acme.crypto.createCsr({
+        commonName: domain,
+        altNames: [domain],
+    });
+    // 2. Drive the order. challengeCreateFn / challengeRemoveFn mediate the
+    //    HTTP-01 dance via the store. acme-client invokes Remove on success
+    //    AND failure paths, so we don't need to track tokens ourselves.
+    const client = deps.createClient(account);
+    const pemChain = await client.auto({
+        csr: csrBuffer,
+        email: account.contactEmail,
+        termsOfServiceAgreed: true,
+        challengeCreateFn: async (_authz, challenge, keyAuthorization) => {
+            await challengeStore.write(challenge.token, keyAuthorization);
+        },
+        challengeRemoveFn: async (_authz, challenge) => {
+            await challengeStore.remove(challenge.token);
+        },
+    });
+    // 3. Validity window from the leaf cert. The dep returns `Date` instances;
+    //    we serialise to ISO-8601 to match the rest of the schema.
+    const validity = deps.readCertificateValidity(pemChain);
+    const notBefore = validity.notBefore.toISOString();
+    const notAfter = validity.notAfter.toISOString();
+    // 4. Atomically write the cert + key. If either step throws, roll the
+    //    other back so an issuance failure never leaves a half-installed
+    //    pair on disk.
+    const pemPath = join(certDir, `${domain}.pem`);
+    const keyPath = join(certDir, `${domain}.key`);
+    const rollbacks = [];
+    try {
+        rollbacks.push(await deps.writeFile(pemPath, pemChain));
+        rollbacks.push(await deps.writeFile(keyPath, keyPem.toString('utf8')));
+        // Private key must not be world-readable. The atomic write applies its
+        // default mode; tighten via chmod after the rename so the tightening
+        // is atomic relative to the file's final identity.
+        await chmod(keyPath, 0o600);
+    }
+    catch (err) {
+        for (const handle of rollbacks.reverse()) {
+            try {
+                await handle.restore();
+            }
+            catch {
+                // Best-effort rollback — don't mask the original error.
+            }
+        }
+        throw err;
+    }
+    return { domain, pemPath, keyPath, notBefore, notAfter };
+}
+//# sourceMappingURL=issue.js.map

package/dist/server/certs/issue.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"issue.js","sourceRoot":"","sources":["../../../src/server/certs/issue.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACzC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,IAAI,MAAM,aAAa,CAAC;AAG/B,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AA+ExD;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,OAAoB;IAC/C,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC;QAC7B,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,UAAU,EAAE,OAAO,CAAC,aAAa;KAClC,CAAC,CAAC;IACH,OAAO,MAAmC,CAAC;AAC7C,CAAC;AAED,SAAS,8BAA8B,CAAC,QAAgB;IACtD,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACvD,OAAO,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;AAChE,CAAC;AAED,MAAM,WAAW,GAAc;IAC7B,YAAY,EAAE,mBAAmB;IACjC,SAAS,EAAE,WAAW;IACtB,uBAAuB,EAAE,8BAA8B;CACxD,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAkB;IACvD,MAAM,IAAI,GAAc,EAAE,GAAG,WAAW,EAAE,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IACzD,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAE1D,2EAA2E;IAC3E,oDAAoD;IACpD,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;QACtD,UAAU,EAAE,MAAM;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB,CAAC,CAAC;IAEH,wEAAwE;IACxE,wEAAwE;IACxE,oEAAoE;IACpE,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC;QACjC,GAAG,EAAE,SAAS;QACd,KAAK,EAAE,OAAO,CAAC,YAAY;QAC3B,oBAAoB,EAAE,IAAI;QAC1B,iBAAiB,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,gBAAgB,EAAE,EAAE;YAC/D,MAAM,cAAc,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAChE,CAAC;QACD,iBAAiB,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE;YAC7C,MAAM,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC/C,CAAC;KACF,CAAC,CAAC;IAEH,2EAA2E;IAC3E,+DAA+D;IAC/D,MAAM,QAAQ,GAAG,IAAI,CAAC,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;IACnD,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAEjD,sEAAsE;IACtE,qEAAqE;IACrE,mBAAmB;IACnB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,CAAC;IAE/C,MAAM,SAAS,GAAqB,EAAE,CAAC;IACvC,IAAI,CAAC;QACH,SAAS,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QACxD,SAAS,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvE,uEAAuE;QACvE,qEAAqE;QACrE,mDAAmD;QACnD,MAAM,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,KAAK,MAAM,MAAM,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,CAAC;YAAC,MAAM,CAAC;gBACP,wDAAwD;YAC1D,CAAC;QACH,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AAC3D,CAAC"}

package/dist/server/certs/renew.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Renew an existing `Cert` row by re-issuing for the same domain.
+ *
+ * The renew flow is a thin wrapper around {@link issueCertificate}:
+ *
+ *   1. Issue a new chain + key for `cert.domain`. The atomic writes in
+ *      `issueCertificate` overwrite the existing PEM/key files in place,
+ *      so the on-disk paths usually don't change.
+ *   2. Persist the fresh validity window to the DB. The repository bumps
+ *      `updatedAt` automatically.
+ *
+ * Failure modes:
+ *   - If `issueCertificate` throws, the DB row is untouched (we update
+ *     only on success). The atomic writes in `issueCertificate` roll back
+ *     their own partial state.
+ *   - If the DB update throws, the new files are already on disk — that's
+ *     an acceptable inconsistency for now because the next renew attempt
+ *     will overwrite them. A future enhancement can swap that out for a
+ *     transactional pair.
+ */
+import type { Cert } from '../domain/cert.js';
+import type { CertRepository } from '../repositories/cert-repository.js';
+import { type IssueOptions } from './issue.js';
+export interface RenewOptions extends IssueOptions {
+    /** The existing row whose validity window we're replacing. */
+    cert: Cert;
+    certRepo: CertRepository;
+}
+/**
+ * Re-issue the certificate for `cert.domain` and persist the new validity
+ * window onto the existing row. Returns the updated `Cert`.
+ */
+export declare function renewCertificate(opts: RenewOptions): Promise<Cert>;
+//# sourceMappingURL=renew.d.ts.map

package/dist/server/certs/renew.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"renew.d.ts","sourceRoot":"","sources":["../../../src/server/certs/renew.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,EAAoB,KAAK,YAAY,EAAE,MAAM,YAAY,CAAC;AAEjE,MAAM,WAAW,YAAa,SAAQ,YAAY;IAChD,8DAA8D;IAC9D,IAAI,EAAE,IAAI,CAAC;IACX,QAAQ,EAAE,cAAc,CAAC;CAC1B;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAWxE"}

package/dist/server/certs/renew.js

@@ -0,0 +1,36 @@
+/**
+ * Renew an existing `Cert` row by re-issuing for the same domain.
+ *
+ * The renew flow is a thin wrapper around {@link issueCertificate}:
+ *
+ *   1. Issue a new chain + key for `cert.domain`. The atomic writes in
+ *      `issueCertificate` overwrite the existing PEM/key files in place,
+ *      so the on-disk paths usually don't change.
+ *   2. Persist the fresh validity window to the DB. The repository bumps
+ *      `updatedAt` automatically.
+ *
+ * Failure modes:
+ *   - If `issueCertificate` throws, the DB row is untouched (we update
+ *     only on success). The atomic writes in `issueCertificate` roll back
+ *     their own partial state.
+ *   - If the DB update throws, the new files are already on disk — that's
+ *     an acceptable inconsistency for now because the next renew attempt
+ *     will overwrite them. A future enhancement can swap that out for a
+ *     transactional pair.
+ */
+import { issueCertificate } from './issue.js';
+/**
+ * Re-issue the certificate for `cert.domain` and persist the new validity
+ * window onto the existing row. Returns the updated `Cert`.
+ */
+export async function renewCertificate(opts) {
+    const { cert, certRepo, ...issueOpts } = opts;
+    const result = await issueCertificate(issueOpts);
+    return certRepo.update(cert.id, {
+        pemPath: result.pemPath,
+        keyPath: result.keyPath,
+        notBefore: result.notBefore,
+        notAfter: result.notAfter,
+    });
+}
+//# sourceMappingURL=renew.js.map

package/dist/server/certs/renew.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"renew.js","sourceRoot":"","sources":["../../../src/server/certs/renew.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAIH,OAAO,EAAE,gBAAgB,EAAqB,MAAM,YAAY,CAAC;AAQjE;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAkB;IACvD,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,SAAS,EAAE,GAAG,IAAI,CAAC;IAE9C,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAEjD,OAAO,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE;QAC9B,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC,CAAC;AACL,CAAC"}