@zauso-ai/capstan-auth 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51) hide show
  1. package/dist/dpop.d.ts +46 -0
  2. package/dist/dpop.d.ts.map +1 -0
  3. package/dist/dpop.js +259 -0
  4. package/dist/dpop.js.map +1 -0
  5. package/dist/execution.d.ts +10 -0
  6. package/dist/execution.d.ts.map +1 -0
  7. package/dist/execution.js +50 -0
  8. package/dist/execution.js.map +1 -0
  9. package/dist/harness-authorizer.d.ts +10 -0
  10. package/dist/harness-authorizer.d.ts.map +1 -0
  11. package/dist/harness-authorizer.js +90 -0
  12. package/dist/harness-authorizer.js.map +1 -0
  13. package/dist/index.d.ts +14 -2
  14. package/dist/index.d.ts.map +1 -1
  15. package/dist/index.js +8 -1
  16. package/dist/index.js.map +1 -1
  17. package/dist/middleware.d.ts +6 -3
  18. package/dist/middleware.d.ts.map +1 -1
  19. package/dist/middleware.js +209 -30
  20. package/dist/middleware.js.map +1 -1
  21. package/dist/oauth.d.ts +47 -0
  22. package/dist/oauth.d.ts.map +1 -0
  23. package/dist/oauth.js +199 -0
  24. package/dist/oauth.js.map +1 -0
  25. package/dist/permissions.d.ts +12 -22
  26. package/dist/permissions.d.ts.map +1 -1
  27. package/dist/permissions.js +91 -33
  28. package/dist/permissions.js.map +1 -1
  29. package/dist/runtime-authorizer.d.ts +28 -0
  30. package/dist/runtime-authorizer.d.ts.map +1 -0
  31. package/dist/runtime-authorizer.js +136 -0
  32. package/dist/runtime-authorizer.js.map +1 -0
  33. package/dist/runtime-grants.d.ts +31 -0
  34. package/dist/runtime-grants.d.ts.map +1 -0
  35. package/dist/runtime-grants.js +96 -0
  36. package/dist/runtime-grants.js.map +1 -0
  37. package/dist/session.d.ts +3 -3
  38. package/dist/session.d.ts.map +1 -1
  39. package/dist/session.js +21 -3
  40. package/dist/session.js.map +1 -1
  41. package/dist/store.d.ts +27 -0
  42. package/dist/store.d.ts.map +1 -0
  43. package/dist/store.js +46 -0
  44. package/dist/store.js.map +1 -0
  45. package/dist/types.d.ts +109 -1
  46. package/dist/types.d.ts.map +1 -1
  47. package/dist/workload.d.ts +46 -0
  48. package/dist/workload.d.ts.map +1 -0
  49. package/dist/workload.js +227 -0
  50. package/dist/workload.js.map +1 -0
  51. package/package.json +3 -2
package/dist/permissions.js CHANGED
@@ -1,44 +1,102 @@
1
+ import { createGrant } from "./runtime-grants.js";
2
+ function isGrantRecord(value) {
3
+ return (typeof value === "object" &&
4
+ value !== null &&
5
+ "resource" in value &&
6
+ "action" in value &&
7
+ typeof value["resource"] === "string" &&
8
+ typeof value["action"] === "string");
9
+ }
10
+ function parsePermission(permission) {
11
+ const sepIndex = permission.indexOf(":");
12
+ if (sepIndex === -1)
13
+ return null;
14
+ return createGrant(permission.slice(0, sepIndex), permission.slice(sepIndex + 1));
15
+ }
16
+ function scopeMatches(required, granted) {
17
+ if (!required || Object.keys(required).length === 0)
18
+ return true;
19
+ if (!granted)
20
+ return false;
21
+ for (const [key, value] of Object.entries(required)) {
22
+ const grantedValue = granted[key];
23
+ if (grantedValue !== "*" && grantedValue !== value) {
24
+ return false;
25
+ }
26
+ }
27
+ return true;
28
+ }
29
+ function resourceMatches(required, granted) {
30
+ return granted === "*" || granted === required;
31
+ }
32
+ function actionMatches(required, granted) {
33
+ return granted === "*" || granted === required;
34
+ }
35
+ function isGrantExpired(grant) {
36
+ if (grant.expiresAt === undefined)
37
+ return false;
38
+ const expiresAt = Date.parse(grant.expiresAt);
39
+ return Number.isFinite(expiresAt) && expiresAt <= Date.now();
40
+ }
41
+ export function normalizePermissionsToGrants(granted) {
42
+ const grants = [];
43
+ for (const entry of granted) {
44
+ if (typeof entry === "string") {
45
+ const parsed = parsePermission(entry);
46
+ if (parsed)
47
+ grants.push(parsed);
48
+ continue;
49
+ }
50
+ if (isGrantRecord(entry)) {
51
+ grants.push(entry);
52
+ }
53
+ }
54
+ return grants;
55
+ }
56
+ export function serializeGrantsToPermissions(grants) {
57
+ return grants.map((grant) => `${grant.resource}:${grant.action}`);
58
+ }
59
+ export function authorizeGrant(required, granted) {
60
+ const grants = normalizePermissionsToGrants(granted);
61
+ let matchedAllowGrant;
62
+ for (const grant of grants) {
63
+ if (isGrantExpired(grant))
64
+ continue;
65
+ const matches = resourceMatches(required.resource, grant.resource) &&
66
+ actionMatches(required.action, grant.action) &&
67
+ scopeMatches(required.scope, grant.scope);
68
+ if (!matches)
69
+ continue;
70
+ if (grant.effect === "deny") {
71
+ return {
72
+ allowed: false,
73
+ matchedGrant: grant,
74
+ reason: `Grant explicitly denied ${required.resource}:${required.action}`,
75
+ };
76
+ }
77
+ matchedAllowGrant = grant;
78
+ }
79
+ if (matchedAllowGrant) {
80
+ return { allowed: true, matchedGrant: matchedAllowGrant };
81
+ }
82
+ return {
83
+ allowed: false,
84
+ reason: `No grant matched ${required.resource}:${required.action}`,
85
+ };
86
+ }
87
+ export function checkGrant(required, granted) {
88
+ return authorizeGrant(required, granted).allowed;
89
+ }
1
90
  /**
2
91
  * Check whether a required permission is satisfied by at least one entry in
3
- * the `granted` permission set.
4
- *
5
- * Permission strings follow the `resource:action` pattern.
6
- *
7
- * Wildcards:
8
- * - `*:read` — allows `read` on any resource
9
- * - `ticket:*` — allows any action on `ticket`
10
- * - `*:*` — full access (superuser)
11
- *
12
- * Examples:
13
- * checkPermission({ resource: "ticket", action: "read" }, ["ticket:read"]) // true
14
- * checkPermission({ resource: "ticket", action: "write" }, ["*:write"]) // true
15
- * checkPermission({ resource: "ticket", action: "delete" }, ["ticket:*"]) // true
16
- * checkPermission({ resource: "ticket", action: "delete" }, ["*:*"]) // true
92
+ * the granted permission / grant set.
17
93
  */
18
94
  export function checkPermission(required, granted) {
19
- for (const perm of granted) {
20
- const sepIndex = perm.indexOf(":");
21
- if (sepIndex === -1)
22
- continue; // malformed entry, skip
23
- const grantedResource = perm.slice(0, sepIndex);
24
- const grantedAction = perm.slice(sepIndex + 1);
25
- const resourceMatch = grantedResource === "*" || grantedResource === required.resource;
26
- const actionMatch = grantedAction === "*" || grantedAction === required.action;
27
- if (resourceMatch && actionMatch)
28
- return true;
29
- }
30
- return false;
95
+ return checkGrant(required, granted);
31
96
  }
32
97
  /**
33
98
  * Derive a `{ resource, action }` pair from an agent capability mode and
34
99
  * an optional resource name.
35
- *
36
- * Mapping:
37
- * - `"read"` → `{ resource, action: "read" }`
38
- * - `"write"` → `{ resource, action: "write" }`
39
- * - `"external"` → `{ resource: "external", action: "write" }`
40
- *
41
- * When `resource` is omitted the wildcard `"*"` is used.
42
100
  */
43
101
  export function derivePermission(capability, resource) {
44
102
  if (capability === "external") {
package/dist/permissions.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"permissions.js","sourceRoot":"","sources":["../src/permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAmE,EACnE,OAAiB;IAEjB,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,QAAQ,KAAK,CAAC,CAAC;YAAE,SAAS,CAAC,wBAAwB;QAEvD,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAChD,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;QAE/C,MAAM,aAAa,GACjB,eAAe,KAAK,GAAG,IAAI,eAAe,KAAK,QAAQ,CAAC,QAAQ,CAAC;QACnE,MAAM,WAAW,GACf,aAAa,KAAK,GAAG,IAAI,aAAa,KAAK,QAAQ,CAAC,MAAM,CAAC;QAE7D,IAAI,aAAa,IAAI,WAAW;YAAE,OAAO,IAAI,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAC9B,UAAyC,EACzC,QAAiB;IAEjB,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;QAC9B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IACnD,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,QAAQ,IAAI,GAAG;QACzB,MAAM,EAAE,UAAU;KACnB,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"permissions.js","sourceRoot":"","sources":["../src/permissions.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAQlD,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;QACzB,KAAK,KAAK,IAAI;QACd,UAAU,IAAI,KAAK;QACnB,QAAQ,IAAI,KAAK;QACjB,OAAQ,KAAiC,CAAC,UAAU,CAAC,KAAK,QAAQ;QAClE,OAAQ,KAAiC,CAAC,QAAQ,CAAC,KAAK,QAAQ,CACjE,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,UAAkB;IACzC,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,QAAQ,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACjC,OAAO,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC;AACpF,CAAC;AAED,SAAS,YAAY,CACnB,QAA4C,EAC5C,OAA2C;IAE3C,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,YAAY,KAAK,GAAG,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;YACnD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB,EAAE,OAAe;IACxD,OAAO,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,CAAC;AACjD,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB,EAAE,OAAe;IACtD,OAAO,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,CAAC;AACjD,CAAC;AAED,SAAS,cAAc,CAAC,KAAgB;IACtC,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAChD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,OAAwC;IAExC,MAAM,MAAM,GAAgB,EAAE,CAAC;IAC/B,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;YACtC,IAAI,MAAM;gBAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAChC,SAAS;QACX,CAAC;QACD,IAAI,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,MAA4B;IACvE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,QAA8B,EAC9B,OAAwC;IAExC,MAAM,MAAM,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;IACrD,IAAI,iBAAwC,CAAC;IAC7C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,cAAc,CAAC,KAAK,CAAC;YAAE,SAAS;QACpC,MAAM,OAAO,GACX,eAAe,CAAC,QAAQ,CAAC,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC;YAClD,aAAa,CAAC,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC;YAC5C,YAAY,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,YAAY,EAAE,KAAK;gBACnB,MAAM,EAAE,2BAA2B,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,EAAE;aAC1E,CAAC;QACJ,CAAC;QACD,iBAAiB,GAAG,KAAK,CAAC;IAC5B,CAAC;IACD,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,iBAAiB,EAAE,CAAC;IAC5D,CAAC;IACD,OAAO;QACL,OAAO,EAAE,KAAK;QACd,MAAM,EAAE,oBAAoB,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,EAAE;KACnE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,QAA8B,EAC9B,OAAwC;IAExC,OAAO,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,OAAO,CAAC;AACnD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAmE,EACnE,OAAwC;IAExC,OAAO,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,UAAyC,EACzC,QAAiB;IAEjB,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;QAC9B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IACnD,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,QAAQ,IAAI,GAAG;QACzB,MAAM,EAAE,UAAU;KACnB,CAAC;AACJ,CAAC"}
package/dist/runtime-authorizer.d.ts ADDED
@@ -0,0 +1,28 @@
1
+ import type { AuthGrant, AuthGrantRequirement } from "./types.js";
2
+ import { type AuthorizationDecision } from "./permissions.js";
3
+ export interface RuntimeGrantScope {
4
+ runId?: string;
5
+ approvalId?: string;
6
+ artifactId?: string;
7
+ taskId?: string;
8
+ summaryId?: string;
9
+ memoryId?: string;
10
+ tool?: string;
11
+ }
12
+ export interface RuntimeGrantAttributes {
13
+ memoryKind?: "session" | "persistent";
14
+ approvalKind?: "tool" | "task";
15
+ }
16
+ export interface RuntimeGrantAuthorizerRequest {
17
+ action: string;
18
+ scope?: RuntimeGrantScope;
19
+ attributes?: RuntimeGrantAttributes;
20
+ }
21
+ export interface RuntimeGrantAuthorizationResult extends AuthorizationDecision {
22
+ matchedRequirement?: AuthGrantRequirement;
23
+ }
24
+ export type RuntimeGrantSupplier = readonly (string | AuthGrant)[] | (() => readonly (string | AuthGrant)[] | Promise<readonly (string | AuthGrant)[]>);
25
+ export declare function deriveRuntimeGrantRequirements(request: RuntimeGrantAuthorizerRequest): AuthGrantRequirement[];
26
+ export declare function authorizeRuntimeAction(request: RuntimeGrantAuthorizerRequest, granted: readonly (string | AuthGrant)[]): RuntimeGrantAuthorizationResult;
27
+ export declare function createRuntimeGrantAuthorizer(supplier: RuntimeGrantSupplier): (request: RuntimeGrantAuthorizerRequest) => Promise<RuntimeGrantAuthorizationResult>;
28
+ //# sourceMappingURL=runtime-authorizer.d.ts.map
package/dist/runtime-authorizer.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"runtime-authorizer.d.ts","sourceRoot":"","sources":["../src/runtime-authorizer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAClE,OAAO,EAAkB,KAAK,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAE9E,MAAM,WAAW,iBAAiB;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,sBAAsB;IACrC,UAAU,CAAC,EAAE,SAAS,GAAG,YAAY,CAAC;IACtC,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,iBAAiB,CAAC;IAC1B,UAAU,CAAC,EAAE,sBAAsB,CAAC;CACrC;AAED,MAAM,WAAW,+BAAgC,SAAQ,qBAAqB;IAC5E,kBAAkB,CAAC,EAAE,oBAAoB,CAAC;CAC3C;AAED,MAAM,MAAM,oBAAoB,GAC5B,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GAC/B,CAAC,MAAM,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;AA6CvF,wBAAgB,8BAA8B,CAC5C,OAAO,EAAE,6BAA6B,GACrC,oBAAoB,EAAE,CAiExB;AAED,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,6BAA6B,EACtC,OAAO,EAAE,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GACvC,+BAA+B,CA+BjC;AAWD,wBAAgB,4BAA4B,CAAC,QAAQ,EAAE,oBAAoB,IAC3D,SAAS,6BAA6B,8CAErD"}
package/dist/runtime-authorizer.js ADDED
@@ -0,0 +1,136 @@
1
+ import { authorizeGrant } from "./permissions.js";
2
+ function parseRuntimeAction(action) {
3
+ const separator = action.indexOf(":");
4
+ if (separator === -1) {
5
+ return { resource: action, action: "read" };
6
+ }
7
+ return {
8
+ resource: action.slice(0, separator),
9
+ action: action.slice(separator + 1),
10
+ };
11
+ }
12
+ function normalizedScope(scope) {
13
+ if (!scope) {
14
+ return undefined;
15
+ }
16
+ const entries = Object.entries(scope).filter((entry) => typeof entry[1] === "string" && entry[1].trim().length > 0);
17
+ if (entries.length === 0) {
18
+ return undefined;
19
+ }
20
+ return Object.fromEntries(entries);
21
+ }
22
+ function requirement(resource, action, scope) {
23
+ const nextScope = normalizedScope(scope);
24
+ return {
25
+ resource,
26
+ action,
27
+ ...(nextScope ? { scope: nextScope } : {}),
28
+ };
29
+ }
30
+ function runScope(scope) {
31
+ return scope?.runId ? { runId: scope.runId } : undefined;
32
+ }
33
+ export function deriveRuntimeGrantRequirements(request) {
34
+ const parsed = parseRuntimeAction(request.action);
35
+ const scope = request.scope;
36
+ const fallbackRunScope = runScope(scope);
37
+ switch (request.action) {
38
+ case "checkpoint:read":
39
+ return [
40
+ requirement("checkpoint", "read", scope),
41
+ requirement("run", "read", fallbackRunScope),
42
+ ];
43
+ case "artifact:read":
44
+ return [
45
+ requirement("artifact", "read", scope),
46
+ requirement("run", "read", fallbackRunScope),
47
+ ];
48
+ case "event:read":
49
+ return [
50
+ requirement("event", "read", scope),
51
+ requirement("run", "read", fallbackRunScope),
52
+ ];
53
+ case "task:read":
54
+ return [
55
+ requirement("task", "read", scope),
56
+ requirement("run", "read", fallbackRunScope),
57
+ ];
58
+ case "context:read":
59
+ return [
60
+ requirement("context", "read", scope),
61
+ requirement("run", "read", fallbackRunScope),
62
+ ];
63
+ case "summary:read":
64
+ return [
65
+ requirement("summary", "read", scope),
66
+ requirement("context", "read", fallbackRunScope),
67
+ requirement("run", "read", fallbackRunScope),
68
+ ];
69
+ case "memory:read":
70
+ return [
71
+ requirement("memory", "read", scope),
72
+ ...(request.attributes?.memoryKind === "session" && fallbackRunScope
73
+ ? [
74
+ requirement("context", "read", fallbackRunScope),
75
+ requirement("run", "read", fallbackRunScope),
76
+ ]
77
+ : []),
78
+ ];
79
+ case "approval:read":
80
+ return [
81
+ requirement("approval", "read", scope),
82
+ requirement("approval", "manage", scope),
83
+ ];
84
+ case "approval:approve":
85
+ return [
86
+ requirement("approval", "approve", scope),
87
+ requirement("approval", "manage", scope),
88
+ ];
89
+ case "approval:deny":
90
+ return [
91
+ requirement("approval", "deny", scope),
92
+ requirement("approval", "manage", scope),
93
+ ];
94
+ default:
95
+ return [requirement(parsed.resource, parsed.action, scope)];
96
+ }
97
+ }
98
+ export function authorizeRuntimeAction(request, granted) {
99
+ const requirements = deriveRuntimeGrantRequirements(request);
100
+ let denied;
101
+ for (const current of requirements) {
102
+ const decision = authorizeGrant(current, granted);
103
+ if (decision.allowed) {
104
+ return {
105
+ ...decision,
106
+ matchedRequirement: current,
107
+ };
108
+ }
109
+ if (decision.matchedGrant?.effect === "deny") {
110
+ denied = {
111
+ ...decision,
112
+ matchedRequirement: current,
113
+ };
114
+ break;
115
+ }
116
+ }
117
+ if (denied) {
118
+ return denied;
119
+ }
120
+ const matchedRequirement = requirements[0];
121
+ return {
122
+ allowed: false,
123
+ reason: `No grant matched ${request.action}`,
124
+ ...(matchedRequirement ? { matchedRequirement } : {}),
125
+ };
126
+ }
127
+ async function resolveRuntimeGrants(supplier) {
128
+ if (typeof supplier === "function") {
129
+ return supplier();
130
+ }
131
+ return supplier;
132
+ }
133
+ export function createRuntimeGrantAuthorizer(supplier) {
134
+ return async (request) => authorizeRuntimeAction(request, await resolveRuntimeGrants(supplier));
135
+ }
136
+ //# sourceMappingURL=runtime-authorizer.js.map
package/dist/runtime-authorizer.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"runtime-authorizer.js","sourceRoot":"","sources":["../src/runtime-authorizer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAA8B,MAAM,kBAAkB,CAAC;AA+B9E,SAAS,kBAAkB,CAAC,MAAc;IACxC,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,SAAS,KAAK,CAAC,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IAC9C,CAAC;IACD,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC;QACpC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CACtB,KAAoC;IAEpC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,MAAM,CAC1C,CAAC,KAAK,EAA6B,EAAE,CAAC,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CACjG,CAAC;IACF,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,WAAW,CAClB,QAAgB,EAChB,MAAc,EACd,KAAyB;IAEzB,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACzC,OAAO;QACL,QAAQ;QACR,MAAM;QACN,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,KAAoC;IACpD,OAAO,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,8BAA8B,CAC5C,OAAsC;IAEtC,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC5B,MAAM,gBAAgB,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAEzC,QAAQ,OAAO,CAAC,MAAM,EAAE,CAAC;QACvB,KAAK,iBAAiB;YACpB,OAAO;gBACL,WAAW,CAAC,YAAY,EAAE,MAAM,EAAE,KAAK,CAAC;gBACxC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,eAAe;YAClB,OAAO;gBACL,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC;gBACtC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,YAAY;YACf,OAAO;gBACL,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC;gBACnC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,WAAW;YACd,OAAO;gBACL,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC;gBAClC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO;gBACL,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC;gBACrC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO;gBACL,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC;gBACrC,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,gBAAgB,CAAC;gBAChD,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;aAC7C,CAAC;QACJ,KAAK,aAAa;YAChB,OAAO;gBACL,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC;gBACpC,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,UAAU,KAAK,SAAS,IAAI,gBAAgB;oBAClE,CAAC,CAAC;wBACE,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,gBAAgB,CAAC;wBAChD,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC;qBAC7C;oBACH,CAAC,CAAC,EAAE,CAAC;aACR,CAAC;QACJ,KAAK,eAAe;YAClB,OAAO;gBACL,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC;gBACtC,WAAW,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,CAAC;aACzC,CAAC;QACJ,KAAK,kBAAkB;YACrB,OAAO;gBACL,WAAW,CAAC,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;gBACzC,WAAW,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,CAAC;aACzC,CAAC;QACJ,KAAK,eAAe;YAClB,OAAO;gBACL,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC;gBACtC,WAAW,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,CAAC;aACzC,CAAC;QACJ;YACE,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,OAAsC,EACtC,OAAwC;IAExC,MAAM,YAAY,GAAG,8BAA8B,CAAC,OAAO,CAAC,CAAC;IAC7D,IAAI,MAAmD,CAAC;IAExD,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAClD,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO;gBACL,GAAG,QAAQ;gBACX,kBAAkB,EAAE,OAAO;aAC5B,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,CAAC,YAAY,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;YAC7C,MAAM,GAAG;gBACP,GAAG,QAAQ;gBACX,kBAAkB,EAAE,OAAO;aAC5B,CAAC;YACF,MAAM;QACR,CAAC;IACH,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,kBAAkB,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAC3C,OAAO;QACL,OAAO,EAAE,KAAK;QACd,MAAM,EAAE,oBAAoB,OAAO,CAAC,MAAM,EAAE;QAC5C,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACtD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,QAA8B;IAE9B,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE,CAAC;QACnC,OAAO,QAAQ,EAAE,CAAC;IACpB,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,QAA8B;IACzE,OAAO,KAAK,EAAE,OAAsC,EAAE,EAAE,CACtD,sBAAsB,CAAC,OAAO,EAAE,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC1E,CAAC"}
package/dist/runtime-grants.d.ts ADDED
@@ -0,0 +1,31 @@
1
+ import type { AuthGrant } from "./types.js";
2
+ export declare function createGrant(resource: string, action: string, options?: {
3
+ scope?: Record<string, string>;
4
+ expiresAt?: string;
5
+ constraints?: Record<string, unknown>;
6
+ effect?: "allow" | "deny";
7
+ }): AuthGrant;
8
+ export declare function grantRunActions(runId: string, actions?: readonly string[]): AuthGrant[];
9
+ export declare function grantApprovalActions(actions?: readonly string[], options?: {
10
+ approvalId?: string;
11
+ runId?: string;
12
+ tool?: string;
13
+ }): AuthGrant[];
14
+ export declare function grantApprovalCollectionActions(actions?: readonly string[], options?: {
15
+ runId?: string;
16
+ }): AuthGrant[];
17
+ export declare function grantArtifactActions(runId: string, actions?: readonly string[], artifactId?: string): AuthGrant[];
18
+ export declare function grantCheckpointActions(runId: string, actions?: readonly string[]): AuthGrant[];
19
+ export declare function grantRunCollectionActions(actions?: readonly string[]): AuthGrant[];
20
+ export declare function grantEventActions(runId: string, actions?: readonly string[]): AuthGrant[];
21
+ export declare function grantEventCollectionActions(actions?: readonly string[]): AuthGrant[];
22
+ export declare function grantTaskActions(runId: string, actions?: readonly string[], taskId?: string): AuthGrant[];
23
+ export declare function grantSummaryActions(runId: string, actions?: readonly string[], summaryId?: string): AuthGrant[];
24
+ export declare function grantSummaryCollectionActions(actions?: readonly string[]): AuthGrant[];
25
+ export declare function grantMemoryActions(actions?: readonly string[], options?: {
26
+ runId?: string;
27
+ memoryId?: string;
28
+ }): AuthGrant[];
29
+ export declare function grantContextActions(runId: string, actions?: readonly string[]): AuthGrant[];
30
+ export declare function grantRuntimePathsActions(actions?: readonly string[]): AuthGrant[];
31
+ //# sourceMappingURL=runtime-grants.d.ts.map
package/dist/runtime-grants.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"runtime-grants.d.ts","sourceRoot":"","sources":["../src/runtime-grants.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5C,wBAAgB,WAAW,CACzB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;CAC3B,GACA,SAAS,CAOX;AAED,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAA0C,GACjE,SAAS,EAAE,CAMb;AAED,wBAAgB,oBAAoB,CAClC,OAAO,GAAE,SAAS,MAAM,EAA0C,EAClE,OAAO,CAAC,EAAE;IACR,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,GACA,SAAS,EAAE,CAUb;AAED,wBAAgB,8BAA8B,CAC5C,OAAO,GAAE,SAAS,MAAM,EAAa,EACrC,OAAO,CAAC,EAAE;IACR,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GACA,SAAS,EAAE,CAMb;AAED,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,EACrC,UAAU,CAAC,EAAE,MAAM,GAClB,SAAS,EAAE,CAQb;AAED,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAMb;AAED,wBAAgB,yBAAyB,CACvC,OAAO,GAAE,SAAS,MAAM,EAAsB,GAC7C,SAAS,EAAE,CAEb;AAED,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAMb;AAED,wBAAgB,2BAA2B,CACzC,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAEb;AAED,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,EACrC,MAAM,CAAC,EAAE,MAAM,GACd,SAAS,EAAE,CAQb;AAED,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,EACrC,SAAS,CAAC,EAAE,MAAM,GACjB,SAAS,EAAE,CAQb;AAED,wBAAgB,6BAA6B,CAC3C,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAEb;AAED,wBAAgB,kBAAkB,CAChC,OAAO,GAAE,SAAS,MAAM,EAAa,EACrC,OAAO,CAAC,EAAE;IACR,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,SAAS,EAAE,CASb;AAED,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAMb;AAED,wBAAgB,wBAAwB,CACtC,OAAO,GAAE,SAAS,MAAM,EAAa,GACpC,SAAS,EAAE,CAEb"}
package/dist/runtime-grants.js ADDED
@@ -0,0 +1,96 @@
1
+ export function createGrant(resource, action, options) {
2
+ const grant = { resource, action };
3
+ if (options?.scope !== undefined)
4
+ grant.scope = options.scope;
5
+ if (options?.expiresAt !== undefined)
6
+ grant.expiresAt = options.expiresAt;
7
+ if (options?.constraints !== undefined)
8
+ grant.constraints = options.constraints;
9
+ if (options?.effect !== undefined)
10
+ grant.effect = options.effect;
11
+ return grant;
12
+ }
13
+ export function grantRunActions(runId, actions = ["read", "pause", "cancel", "resume"]) {
14
+ return actions.map((action) => createGrant("run", action, {
15
+ scope: { runId },
16
+ }));
17
+ }
18
+ export function grantApprovalActions(actions = ["read", "approve", "deny", "manage"], options) {
19
+ const scope = {};
20
+ if (options?.approvalId !== undefined)
21
+ scope.approvalId = options.approvalId;
22
+ if (options?.runId !== undefined)
23
+ scope.runId = options.runId;
24
+ if (options?.tool !== undefined)
25
+ scope.tool = options.tool;
26
+ return actions.map((action) => createGrant("approval", action, {
27
+ ...(Object.keys(scope).length > 0 ? { scope } : {}),
28
+ }));
29
+ }
30
+ export function grantApprovalCollectionActions(actions = ["list"], options) {
31
+ return actions.map((action) => createGrant("approval", action, {
32
+ ...(options?.runId ? { scope: { runId: options.runId } } : {}),
33
+ }));
34
+ }
35
+ export function grantArtifactActions(runId, actions = ["read"], artifactId) {
36
+ const scope = { runId };
37
+ if (artifactId !== undefined)
38
+ scope.artifactId = artifactId;
39
+ return actions.map((action) => createGrant("artifact", action, {
40
+ scope,
41
+ }));
42
+ }
43
+ export function grantCheckpointActions(runId, actions = ["read"]) {
44
+ return actions.map((action) => createGrant("checkpoint", action, {
45
+ scope: { runId },
46
+ }));
47
+ }
48
+ export function grantRunCollectionActions(actions = ["start", "list"]) {
49
+ return actions.map((action) => createGrant("run", action));
50
+ }
51
+ export function grantEventActions(runId, actions = ["read"]) {
52
+ return actions.map((action) => createGrant("event", action, {
53
+ scope: { runId },
54
+ }));
55
+ }
56
+ export function grantEventCollectionActions(actions = ["list"]) {
57
+ return actions.map((action) => createGrant("event", action));
58
+ }
59
+ export function grantTaskActions(runId, actions = ["read"], taskId) {
60
+ const scope = { runId };
61
+ if (taskId !== undefined)
62
+ scope.taskId = taskId;
63
+ return actions.map((action) => createGrant("task", action, {
64
+ scope,
65
+ }));
66
+ }
67
+ export function grantSummaryActions(runId, actions = ["read"], summaryId) {
68
+ const scope = { runId };
69
+ if (summaryId !== undefined)
70
+ scope.summaryId = summaryId;
71
+ return actions.map((action) => createGrant("summary", action, {
72
+ scope,
73
+ }));
74
+ }
75
+ export function grantSummaryCollectionActions(actions = ["list"]) {
76
+ return actions.map((action) => createGrant("summary", action));
77
+ }
78
+ export function grantMemoryActions(actions = ["read"], options) {
79
+ const scope = {};
80
+ if (options?.runId !== undefined)
81
+ scope.runId = options.runId;
82
+ if (options?.memoryId !== undefined)
83
+ scope.memoryId = options.memoryId;
84
+ return actions.map((action) => createGrant("memory", action, {
85
+ ...(Object.keys(scope).length > 0 ? { scope } : {}),
86
+ }));
87
+ }
88
+ export function grantContextActions(runId, actions = ["read"]) {
89
+ return actions.map((action) => createGrant("context", action, {
90
+ scope: { runId },
91
+ }));
92
+ }
93
+ export function grantRuntimePathsActions(actions = ["read"]) {
94
+ return actions.map((action) => createGrant("runtime_paths", action));
95
+ }
96
+ //# sourceMappingURL=runtime-grants.js.map
package/dist/runtime-grants.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"runtime-grants.js","sourceRoot":"","sources":["../src/runtime-grants.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,WAAW,CACzB,QAAgB,EAChB,MAAc,EACd,OAKC;IAED,MAAM,KAAK,GAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC9C,IAAI,OAAO,EAAE,KAAK,KAAK,SAAS;QAAE,KAAK,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC9D,IAAI,OAAO,EAAE,SAAS,KAAK,SAAS;QAAE,KAAK,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;IAC1E,IAAI,OAAO,EAAE,WAAW,KAAK,SAAS;QAAE,KAAK,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IAChF,IAAI,OAAO,EAAE,MAAM,KAAK,SAAS;QAAE,KAAK,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IACjE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,KAAa,EACb,UAA6B,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC;IAElE,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE;QACzB,KAAK,EAAE,EAAE,KAAK,EAAE;KACjB,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,UAA6B,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,EAClE,OAIC;IAED,MAAM,KAAK,GAA2B,EAAE,CAAC;IACzC,IAAI,OAAO,EAAE,UAAU,KAAK,SAAS;QAAE,KAAK,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAC7E,IAAI,OAAO,EAAE,KAAK,KAAK,SAAS;QAAE,KAAK,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC9D,IAAI,OAAO,EAAE,IAAI,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC3D,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE;QAC9B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpD,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,8BAA8B,CAC5C,UAA6B,CAAC,MAAM,CAAC,EACrC,OAEC;IAED,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE;QAC9B,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/D,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC,EACrC,UAAmB;IAEnB,MAAM,KAAK,GAA2B,EAAE,KAAK,EAAE,CAAC;IAChD,IAAI,UAAU,KAAK,SAAS;QAAE,KAAK,CAAC,UAAU,GAAG,UAAU,CAAC;IAC5D,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE;QAC9B,KAAK;KACN,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,YAAY,EAAE,MAAM,EAAE;QAChC,KAAK,EAAE,EAAE,KAAK,EAAE;KACjB,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,UAA6B,CAAC,OAAO,EAAE,MAAM,CAAC;IAE9C,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE;QAC3B,KAAK,EAAE,EAAE,KAAK,EAAE;KACjB,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC,EACrC,MAAe;IAEf,MAAM,KAAK,GAA2B,EAAE,KAAK,EAAE,CAAC;IAChD,IAAI,MAAM,KAAK,SAAS;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;IAChD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE;QAC1B,KAAK;KACN,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC,EACrC,SAAkB;IAElB,MAAM,KAAK,GAA2B,EAAE,KAAK,EAAE,CAAC;IAChD,IAAI,SAAS,KAAK,SAAS;QAAE,KAAK,CAAC,SAAS,GAAG,SAAS,CAAC;IACzD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE;QAC7B,KAAK;KACN,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,UAA6B,CAAC,MAAM,CAAC,EACrC,OAGC;IAED,MAAM,KAAK,GAA2B,EAAE,CAAC;IACzC,IAAI,OAAO,EAAE,KAAK,KAAK,SAAS;QAAE,KAAK,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC9D,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS;QAAE,KAAK,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IACvE,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE;QAC5B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpD,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,KAAa,EACb,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5B,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE;QAC7B,KAAK,EAAE,EAAE,KAAK,EAAE;KACjB,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,UAA6B,CAAC,MAAM,CAAC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC;AACvE,CAAC"}
package/dist/session.d.ts CHANGED
@@ -1,15 +1,15 @@
1
- import type { SessionPayload } from "./types.js";
1
+ import type { SessionPayload, SessionSigningOptions, SessionVerificationOptions } from "./types.js";
2
2
  /**
3
3
  * Create a signed JWT containing the given session data.
4
4
  *
5
5
  * `maxAge` defaults to `"7d"` (7 days) when omitted.
6
6
  */
7
- export declare function signSession(payload: Omit<SessionPayload, "iat" | "exp">, secret: string, maxAge?: string): string;
7
+ export declare function signSession(payload: Omit<SessionPayload, "iat" | "exp">, secret: string, maxAgeOrOptions?: string | SessionSigningOptions): string;
8
8
  /**
9
9
  * Verify a JWT's HMAC-SHA256 signature and expiration.
10
10
  *
11
11
  * Returns the decoded payload on success, or `null` when the token is
12
12
  * invalid, tampered with, or expired.
13
13
  */
14
- export declare function verifySession(token: string, secret: string): SessionPayload | null;
14
+ export declare function verifySession(token: string, secret: string, options?: SessionVerificationOptions): SessionPayload | null;
15
15
  //# sourceMappingURL=session.d.ts.map
package/dist/session.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AA+DjD;;;;GAIG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,IAAI,CAAC,cAAc,EAAE,KAAK,GAAG,KAAK,CAAC,EAC5C,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,GACd,MAAM,CAWR;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAC3B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,cAAc,GAAG,IAAI,CA6BvB"}
1
+ {"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,cAAc,EACd,qBAAqB,EACrB,0BAA0B,EAC3B,MAAM,YAAY,CAAC;AA+DpB;;;;GAIG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,IAAI,CAAC,cAAc,EAAE,KAAK,GAAG,KAAK,CAAC,EAC5C,MAAM,EAAE,MAAM,EACd,eAAe,CAAC,EAAE,MAAM,GAAG,qBAAqB,GAC/C,MAAM,CAiBR;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAC3B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,0BAA0B,GACnC,cAAc,GAAG,IAAI,CA0CvB"}
package/dist/session.js CHANGED
@@ -48,11 +48,16 @@ function sign(payload, secret) {
48
48
  *
49
49
  * `maxAge` defaults to `"7d"` (7 days) when omitted.
50
50
  */
51
- export function signSession(payload, secret, maxAge) {
51
+ export function signSession(payload, secret, maxAgeOrOptions) {
52
52
  const nowSeconds = Math.floor(Date.now() / 1000);
53
- const ttl = parseDuration(maxAge ?? "7d");
53
+ const options = typeof maxAgeOrOptions === "string"
54
+ ? { maxAge: maxAgeOrOptions }
55
+ : (maxAgeOrOptions ?? {});
56
+ const ttl = parseDuration(options.maxAge ?? "7d");
54
57
  const full = {
55
58
  ...payload,
59
+ ...(options.issuer !== undefined ? { iss: options.issuer } : {}),
60
+ ...(options.audience !== undefined ? { aud: options.audience } : {}),
56
61
  iat: nowSeconds,
57
62
  exp: nowSeconds + ttl,
58
63
  };
@@ -64,7 +69,7 @@ export function signSession(payload, secret, maxAge) {
64
69
  * Returns the decoded payload on success, or `null` when the token is
65
70
  * invalid, tampered with, or expired.
66
71
  */
67
- export function verifySession(token, secret) {
72
+ export function verifySession(token, secret, options) {
68
73
  const parts = token.split(".");
69
74
  if (parts.length !== 3)
70
75
  return null;
@@ -86,6 +91,19 @@ export function verifySession(token, secret) {
86
91
  const now = Math.floor(Date.now() / 1000);
87
92
  if (typeof payload.exp !== "number" || payload.exp <= now)
88
93
  return null;
94
+ if (options?.issuer !== undefined && payload.iss !== options.issuer) {
95
+ return null;
96
+ }
97
+ if (options?.audience !== undefined) {
98
+ const audiences = Array.isArray(payload.aud)
99
+ ? payload.aud
100
+ : payload.aud !== undefined
101
+ ? [payload.aud]
102
+ : [];
103
+ if (!audiences.includes(options.audience)) {
104
+ return null;
105
+ }
106
+ }
89
107
  return payload;
90
108
  }
91
109
  catch {
package/dist/session.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"session.js","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG1D,sEAAsE;AAEtE,SAAS,eAAe,CAAC,IAAqB;IAC5C,MAAM,GAAG,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACzE,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACzD,CAAC;AAED,sEAAsE;AAEtE;;;;;;;GAOG;AACH,SAAS,aAAa,CAAC,QAAgB;IACrC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;IACtD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,6BAA6B,QAAQ,oDAAoD,CAC1F,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAgC,CAAC;IAErD,MAAM,WAAW,GAA2B;QAC1C,CAAC,EAAE,CAAC;QACJ,CAAC,EAAE,EAAE;QACL,CAAC,EAAE,IAAI;QACP,CAAC,EAAE,MAAM;QACT,CAAC,EAAE,OAAO;KACX,CAAC;IAEF,OAAO,KAAK,GAAG,WAAW,CAAC,IAAI,CAAE,CAAC;AACpC,CAAC;AAED,sEAAsE;AAEtE,SAAS,IAAI,CAAC,OAAe,EAAE,MAAc;IAC3C,MAAM,MAAM,GAAG,eAAe,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAC7C,CAAC;IACF,MAAM,IAAI,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;IAEzC,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC;SAC3C,MAAM,CAAC,YAAY,CAAC;SACpB,MAAM,EAAE,CAAC;IAEZ,OAAO,GAAG,YAAY,IAAI,eAAe,CAAC,SAAS,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,sEAAsE;AAEtE;;;;GAIG;AACH,MAAM,UAAU,WAAW,CACzB,OAA4C,EAC5C,MAAc,EACd,MAAe;IAEf,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACjD,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC;IAE1C,MAAM,IAAI,GAAmB;QAC3B,GAAG,OAAO;QACV,GAAG,EAAE,UAAU;QACf,GAAG,EAAE,UAAU,GAAG,GAAG;KACtB,CAAC;IAEF,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAC3B,KAAa,EACb,MAAc;IAEd,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAiC,CAAC;IAE9D,oCAAoC;IACpC,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC;SAC7C,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;SAC3B,MAAM,EAAE,CAAC;IAEZ,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAEhD,oDAAoD;IACpD,IAAI,WAAW,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzD,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1D,kBAAkB;IAClB,IAAI,CAAC;QACH,MAAM,OAAO,GAAmB,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC;QAElE,oBAAoB;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,IAAI,GAAG;YAAE,OAAO,IAAI,CAAC;QAEvE,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"session.js","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAO1D,sEAAsE;AAEtE,SAAS,eAAe,CAAC,IAAqB;IAC5C,MAAM,GAAG,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACzE,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACzD,CAAC;AAED,sEAAsE;AAEtE;;;;;;;GAOG;AACH,SAAS,aAAa,CAAC,QAAgB;IACrC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;IACtD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,6BAA6B,QAAQ,oDAAoD,CAC1F,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAgC,CAAC;IAErD,MAAM,WAAW,GAA2B;QAC1C,CAAC,EAAE,CAAC;QACJ,CAAC,EAAE,EAAE;QACL,CAAC,EAAE,IAAI;QACP,CAAC,EAAE,MAAM;QACT,CAAC,EAAE,OAAO;KACX,CAAC;IAEF,OAAO,KAAK,GAAG,WAAW,CAAC,IAAI,CAAE,CAAC;AACpC,CAAC;AAED,sEAAsE;AAEtE,SAAS,IAAI,CAAC,OAAe,EAAE,MAAc;IAC3C,MAAM,MAAM,GAAG,eAAe,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAC7C,CAAC;IACF,MAAM,IAAI,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;IAEzC,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC;SAC3C,MAAM,CAAC,YAAY,CAAC;SACpB,MAAM,EAAE,CAAC;IAEZ,OAAO,GAAG,YAAY,IAAI,eAAe,CAAC,SAAS,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,sEAAsE;AAEtE;;;;GAIG;AACH,MAAM,UAAU,WAAW,CACzB,OAA4C,EAC5C,MAAc,EACd,eAAgD;IAEhD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACjD,MAAM,OAAO,GACX,OAAO,eAAe,KAAK,QAAQ;QACjC,CAAC,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE;QAC7B,CAAC,CAAC,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;IAC9B,MAAM,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC;IAElD,MAAM,IAAI,GAAmB;QAC3B,GAAG,OAAO;QACV,GAAG,CAAC,OAAO,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,GAAG,CAAC,OAAO,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpE,GAAG,EAAE,UAAU;QACf,GAAG,EAAE,UAAU,GAAG,GAAG;KACtB,CAAC;IAEF,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAC3B,KAAa,EACb,MAAc,EACd,OAAoC;IAEpC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAiC,CAAC;IAE9D,oCAAoC;IACpC,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC;SAC7C,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;SAC3B,MAAM,EAAE,CAAC;IAEZ,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAEhD,oDAAoD;IACpD,IAAI,WAAW,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzD,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1D,kBAAkB;IAClB,IAAI,CAAC;QACH,MAAM,OAAO,GAAmB,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC;QAElE,oBAAoB;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,IAAI,GAAG;YAAE,OAAO,IAAI,CAAC;QACvE,IAAI,OAAO,EAAE,MAAM,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS,EAAE,CAAC;YACpC,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;gBAC1C,CAAC,CAAC,OAAO,CAAC,GAAG;gBACb,CAAC,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS;oBACzB,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;oBACf,CAAC,CAAC,EAAE,CAAC;YACT,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC1C,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
package/dist/store.d.ts ADDED
@@ -0,0 +1,27 @@
1
+ /**
2
+ * Pluggable key-value store interface.
3
+ *
4
+ * Identical to `@zauso-ai/capstan-core`'s `KeyValueStore` — duplicated here
5
+ * so that `@zauso-ai/capstan-auth` has no hard dependency on the core package.
6
+ */
7
+ export interface KeyValueStore<T> {
8
+ get(key: string): Promise<T | undefined>;
9
+ set(key: string, value: T, ttlMs?: number): Promise<void>;
10
+ delete(key: string): Promise<boolean>;
11
+ has(key: string): Promise<boolean>;
12
+ keys(): Promise<string[]>;
13
+ clear(): Promise<void>;
14
+ }
15
+ /**
16
+ * In-memory implementation of `KeyValueStore` with optional per-entry TTL.
17
+ */
18
+ export declare class MemoryStore<T> implements KeyValueStore<T> {
19
+ private data;
20
+ get(key: string): Promise<T | undefined>;
21
+ set(key: string, value: T, ttlMs?: number): Promise<void>;
22
+ delete(key: string): Promise<boolean>;
23
+ has(key: string): Promise<boolean>;
24
+ keys(): Promise<string[]>;
25
+ clear(): Promise<void>;
26
+ }
27
+ //# sourceMappingURL=store.d.ts.map
package/dist/store.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,WAAW,aAAa,CAAC,CAAC;IAC9B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC;IACzC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACtC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACnC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED;;GAEG;AACH,qBAAa,WAAW,CAAC,CAAC,CAAE,YAAW,aAAa,CAAC,CAAC,CAAC;IACrD,OAAO,CAAC,IAAI,CAAkE;IAExE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,SAAS,CAAC;IAUxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOzD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIrC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKlC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAazB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAG7B"}
package/dist/store.js ADDED
@@ -0,0 +1,46 @@
1
+ /**
2
+ * In-memory implementation of `KeyValueStore` with optional per-entry TTL.
3
+ */
4
+ export class MemoryStore {
5
+ data = new Map();
6
+ async get(key) {
7
+ const entry = this.data.get(key);
8
+ if (!entry)
9
+ return undefined;
10
+ if (entry.expiresAt !== undefined && Date.now() > entry.expiresAt) {
11
+ this.data.delete(key);
12
+ return undefined;
13
+ }
14
+ return entry.value;
15
+ }
16
+ async set(key, value, ttlMs) {
17
+ this.data.set(key, {
18
+ value,
19
+ expiresAt: ttlMs ? Date.now() + ttlMs : undefined,
20
+ });
21
+ }
22
+ async delete(key) {
23
+ return this.data.delete(key);
24
+ }
25
+ async has(key) {
26
+ const val = await this.get(key); // triggers TTL check
27
+ return val !== undefined;
28
+ }
29
+ async keys() {
30
+ const now = Date.now();
31
+ const result = [];
32
+ for (const [key, entry] of this.data) {
33
+ if (entry.expiresAt !== undefined && now > entry.expiresAt) {
34
+ this.data.delete(key);
35
+ }
36
+ else {
37
+ result.push(key);
38
+ }
39
+ }
40
+ return result;
41
+ }
42
+ async clear() {
43
+ this.data.clear();
44
+ }
45
+ }
46
+ //# sourceMappingURL=store.js.map
package/dist/store.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.js","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":"AAeA;;GAEG;AACH,MAAM,OAAO,WAAW;IACd,IAAI,GAAG,IAAI,GAAG,EAAuD,CAAC;IAE9E,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YAClE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACtB,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,KAAK,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAQ,EAAE,KAAc;QAC7C,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE;YACjB,KAAK;YACL,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS;SAClD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,qBAAqB;QACtD,OAAO,GAAG,KAAK,SAAS,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACrC,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;gBAC3D,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACxB,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC;CACF"}