actor-gate 0.2.0 → 0.2.2

package/package.json

@@ -1,20 +1,63 @@
 {
   "name": "actor-gate",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "Schema-agnostic Next.js auth library for direct and MCP authentication flows.",
   "type": "module",
   "private": false,
   "exports": {
-    ".": "./src/index.js",
-    "./core": "./src/core/index.js",
-    "./config": "./src/config/index.js",
-    "./express": "./src/express/index.js",
-    "./next": "./src/next/index.js",
-    "./mcp": "./src/mcp/index.js",
-    "./testing": "./src/testing/index.js"
+    ".": {
+      "types": "./src/index.d.ts",
+      "default": "./src/index.js"
+    },
+    "./core": {
+      "types": "./src/core/index.d.ts",
+      "default": "./src/core/index.js"
+    },
+    "./config": {
+      "types": "./src/config/index.d.ts",
+      "default": "./src/config/index.js"
+    },
+    "./express": {
+      "types": "./src/express/index.d.ts",
+      "default": "./src/express/index.js"
+    },
+    "./next": {
+      "types": "./src/next/index.d.ts",
+      "default": "./src/next/index.js"
+    },
+    "./mcp": {
+      "types": "./src/mcp/index.d.ts",
+      "default": "./src/mcp/index.js"
+    },
+    "./testing": {
+      "types": "./src/testing/index.d.ts",
+      "default": "./src/testing/index.js"
+    }
   },
   "main": "./src/index.js",
   "types": "./src/index.d.ts",
+  "typesVersions": {
+    "*": {
+      "core": [
+        "./src/core/index.d.ts"
+      ],
+      "config": [
+        "./src/config/index.d.ts"
+      ],
+      "express": [
+        "./src/express/index.d.ts"
+      ],
+      "next": [
+        "./src/next/index.d.ts"
+      ],
+      "mcp": [
+        "./src/mcp/index.d.ts"
+      ],
+      "testing": [
+        "./src/testing/index.d.ts"
+      ]
+    }
+  },
   "files": [
     "src/**/*.js",
     "src/**/*.d.ts"

package/src/config/index.js

@@ -1,5 +1,5 @@
-export { defineBaseAuthConfig, } from './base-config';
-export { defineNextJsPublicAuthConfig, toSerializableNextJsPublicAuthConfig, } from './nextjs-public-config';
-export { defineNextJsServerAuthConfig, } from './nextjs-server-config';
-export { defineReactAuthConfig, } from './react-config';
-export { ReactAuthClient, createReactAuthClient, } from './react-client';
+export { defineBaseAuthConfig, } from './base-config.js';
+export { defineNextJsPublicAuthConfig, toSerializableNextJsPublicAuthConfig, } from './nextjs-public-config.js';
+export { defineNextJsServerAuthConfig, } from './nextjs-server-config.js';
+export { defineReactAuthConfig, } from './react-config.js';
+export { ReactAuthClient, createReactAuthClient, } from './react-client.js';

package/src/config/nextjs-public-config.js

@@ -1,5 +1,5 @@
-import { buildAuthRoutePath, } from '../next/shared/auth-routes';
-import { buildAuthRewrites, } from '../next/rewrites';
+import { buildAuthRoutePath, } from '../next/shared/auth-routes.js';
+import { buildAuthRewrites, } from '../next/rewrites.js';
 function normalizePath(path) {
     const trimmed = path.trim();
     if (trimmed.length === 0) {

package/src/core/index.js

@@ -1,7 +1,7 @@
-export { buildBearerChallengeHeader, } from './http/bearer-challenge';
-export { base64UrlEncode, createS256CodeChallenge, verifyPkce, } from './oauth/pkce';
-export { numberIdCodec, stringIdCodec } from './ids/id-codec';
-export { decodeSubjectClaims, encodeSubjectClaims, } from './tokens/id-claims';
-export * from './services/index';
-export { DEFAULT_TOKEN_CLAIMS_VERSION, buildAccessClaims, parseAccessClaims, } from './tokens/access-claims';
-export { buildClientSession } from './sessions/client-session';
+export { buildBearerChallengeHeader, } from './http/bearer-challenge.js';
+export { base64UrlEncode, createS256CodeChallenge, verifyPkce, } from './oauth/pkce.js';
+export { numberIdCodec, stringIdCodec } from './ids/id-codec.js';
+export { decodeSubjectClaims, encodeSubjectClaims, } from './tokens/id-claims.js';
+export * from './services/index.js';
+export { DEFAULT_TOKEN_CLAIMS_VERSION, buildAccessClaims, parseAccessClaims, } from './tokens/access-claims.js';
+export { buildClientSession } from './sessions/client-session.js';

package/src/core/services/access-token-service.js

@@ -1,9 +1,9 @@
-import { buildClientSession } from '../sessions/client-session';
-import { decodeSubjectClaims } from '../tokens/id-claims';
-import { buildAccessClaims, parseAccessClaims } from '../tokens/access-claims';
-import { AuthServiceError, isAuthServiceError } from './auth-error';
-import { createRevocationDecisionEngine, shouldValidateSession, } from './revocation-policy';
-import { emitAuditEvent, emitMetric, reportServiceError, } from './observability';
+import { buildClientSession } from '../sessions/client-session.js';
+import { decodeSubjectClaims } from '../tokens/id-claims.js';
+import { buildAccessClaims, parseAccessClaims } from '../tokens/access-claims.js';
+import { AuthServiceError, isAuthServiceError } from './auth-error.js';
+import { createRevocationDecisionEngine, shouldValidateSession, } from './revocation-policy.js';
+import { emitAuditEvent, emitMetric, reportServiceError, } from './observability.js';
 function assertPositiveSafeInteger(value, fieldName) {
     if (!Number.isSafeInteger(value) || value <= 0) {
         throw new AuthServiceError({

package/src/core/services/direct-auth-service.js

@@ -1,6 +1,6 @@
-import { buildClientSession } from '../sessions/client-session';
-import { AuthServiceError, isAuthServiceError } from './auth-error';
-import { emitAuditEvent, emitMetric, reportServiceError, } from './observability';
+import { buildClientSession } from '../sessions/client-session.js';
+import { AuthServiceError, isAuthServiceError } from './auth-error.js';
+import { emitAuditEvent, emitMetric, reportServiceError, } from './observability.js';
 function assertPositiveSafeInteger(value, fieldName) {
     if (!Number.isSafeInteger(value) || value <= 0) {
         throw new AuthServiceError({

package/src/core/services/index.js

@@ -1,5 +1,5 @@
-export { AuthServiceError, authErrorToHttpStatus, isAuthServiceError, } from './auth-error';
-export { createAccessTokenService, } from './access-token-service';
-export { createDirectAuthService, } from './direct-auth-service';
-export { createOAuthService, } from './oauth-service';
-export { createMcpAuthService, } from './mcp-auth-service';
+export { AuthServiceError, authErrorToHttpStatus, isAuthServiceError, } from './auth-error.js';
+export { createAccessTokenService, } from './access-token-service.js';
+export { createDirectAuthService, } from './direct-auth-service.js';
+export { createOAuthService, } from './oauth-service.js';
+export { createMcpAuthService, } from './mcp-auth-service.js';

package/src/core/services/mcp-auth-service.js

@@ -1,6 +1,6 @@
-import { DEFAULT_UNAUTHENTICATED_RPC_METHODS, getRpcMethodsFromBody, requiresAuth, } from '../../mcp/json-rpc-auth';
-import { AuthServiceError, isAuthServiceError } from './auth-error';
-import { emitAuditEvent, reportServiceError } from './observability';
+import { DEFAULT_UNAUTHENTICATED_RPC_METHODS, getRpcMethodsFromBody, requiresAuth, } from '../../mcp/json-rpc-auth.js';
+import { AuthServiceError, isAuthServiceError } from './auth-error.js';
+import { emitAuditEvent, reportServiceError } from './observability.js';
 function extractToolNameFromPayload(payload) {
     if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
         return null;

package/src/core/services/oauth-service.js

@@ -1,6 +1,6 @@
-import { verifyPkce } from '../oauth/pkce';
-import { AuthServiceError, isAuthServiceError } from './auth-error';
-import { emitAuditEvent, reportServiceError } from './observability';
+import { verifyPkce } from '../oauth/pkce.js';
+import { AuthServiceError, isAuthServiceError } from './auth-error.js';
+import { emitAuditEvent, reportServiceError } from './observability.js';
 function assertPositiveSafeInteger(value, fieldName) {
     if (!Number.isSafeInteger(value) || value <= 0) {
         throw new AuthServiceError({

package/src/core/tokens/access-claims.js

@@ -1,5 +1,5 @@
 import { randomUUID } from 'node:crypto';
-import { encodeSubjectClaims } from './id-claims';
+import { encodeSubjectClaims } from './id-claims.js';
 export const DEFAULT_TOKEN_CLAIMS_VERSION = 1;
 const ALLOWED_TOP_LEVEL_CLAIM_KEYS = new Set([
     'sub',

package/src/express/index.js

@@ -1,2 +1,2 @@
-export { withExpressProtectedRoute, } from './protected-route';
-export { buildProtectedRouteSession, buildProtectedRouteSessionWithMeta, } from '../shared/protected-route-session';
+export { withExpressProtectedRoute, } from './protected-route.js';
+export { buildProtectedRouteSession, buildProtectedRouteSessionWithMeta, } from '../shared/protected-route-session.js';

package/src/express/protected-route.d.ts

@@ -40,5 +40,15 @@ export type WithExpressProtectedRouteOptions<TSessionId, TUserId, TActor extends
         resourceMetadataUrl?: string;
     };
 };
+/**
+ * Wraps an Express route with access-token authentication and standardized
+ * auth/system error responses.
+ *
+ * Handler output behavior:
+ * - Return a non-`undefined` value to send `200` with `res.json(output)`.
+ * - Return `undefined` to send `204`.
+ * - If your handler already committed the response (for example via
+ *   `res.status(...).json(...)`), this wrapper does not overwrite it.
+ */
 export declare function withExpressProtectedRoute<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>, TReq extends ExpressRequestLike = ExpressRequestLike, TRes extends ExpressResponseLike = ExpressResponseLike, TOutput = unknown>(options: WithExpressProtectedRouteOptions<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims, TReq, TRes, TOutput>): (req: TReq, res: TRes) => Promise<void>;
 export {};

package/src/express/protected-route.js

@@ -1,7 +1,7 @@
-import { AuthServiceError, isAuthServiceError, } from '../core/services/auth-error';
-import { parseCookieHeader } from '../next/pages/request';
-import { buildAuthErrorHttpResponse, buildSystemErrorHttpResponse, } from '../next/shared/auth-http';
-import { assertBearerOnlyActorPolicy, getHeaderValue, resolveAccessTokenTransportAdapter, } from '../next/shared/direct-auth-utils';
+import { AuthServiceError, isAuthServiceError, } from '../core/services/auth-error.js';
+import { parseCookieHeader } from '../next/pages/request.js';
+import { buildAuthErrorHttpResponse, buildSystemErrorHttpResponse, } from '../next/shared/auth-http.js';
+import { assertBearerOnlyActorPolicy, getHeaderValue, resolveAccessTokenTransportAdapter, } from '../next/shared/direct-auth-utils.js';
 function normalizeRequestId(value) {
     return value;
 }
@@ -37,6 +37,16 @@ function sendExpressAuthError(res, error, input) {
     }
     res.status(built.statusCode).json(built.body);
 }
+/**
+ * Wraps an Express route with access-token authentication and standardized
+ * auth/system error responses.
+ *
+ * Handler output behavior:
+ * - Return a non-`undefined` value to send `200` with `res.json(output)`.
+ * - Return `undefined` to send `204`.
+ * - If your handler already committed the response (for example via
+ *   `res.status(...).json(...)`), this wrapper does not overwrite it.
+ */
 export function withExpressProtectedRoute(options) {
     const authorizationHeaderName = options.authorizationHeaderName ?? 'authorization';
     const requestIdHeaderName = options.requestIdHeaderName ?? 'x-request-id';

package/src/index.js

@@ -1,8 +1,8 @@
-export * from './core/index';
-export * from './config/index';
-export * from './express/index';
-export * as config from './config/index';
-export * as express from './express/index';
-export * as mcp from './mcp/index';
-export * as next from './next/index';
-export * as testing from './testing/index';
+export * from './core/index.js';
+export * from './config/index.js';
+export * from './express/index.js';
+export * as config from './config/index.js';
+export * as express from './express/index.js';
+export * as mcp from './mcp/index.js';
+export * as next from './next/index.js';
+export * as testing from './testing/index.js';

package/src/mcp/index.js

@@ -1 +1 @@
-export { DEFAULT_UNAUTHENTICATED_RPC_METHODS, getRpcMethodFromBody, getRpcMethodsFromBody, requiresAuth, requiresAuthForBody, } from './json-rpc-auth';
+export { DEFAULT_UNAUTHENTICATED_RPC_METHODS, getRpcMethodFromBody, getRpcMethodsFromBody, requiresAuth, requiresAuthForBody, } from './json-rpc-auth.js';

package/src/next/app/catch-all.js

@@ -1,4 +1,4 @@
-import { AUTH_ROUTE_HTTP_METHODS, isAuthRouteMethodAllowed, normalizeAuthRouteSegments, resolveAuthRoute, } from '../shared/auth-routes';
+import { AUTH_ROUTE_HTTP_METHODS, isAuthRouteMethodAllowed, normalizeAuthRouteSegments, resolveAuthRoute, } from '../shared/auth-routes.js';
 function jsonResponse(statusCode, body, headers) {
     const responseHeaders = new Headers(headers);
     responseHeaders.set('Content-Type', 'application/json');

package/src/next/app/cookies.js

@@ -1,4 +1,4 @@
-import { serializeSetCookie, } from '../pages/cookies';
+import { serializeSetCookie, } from '../pages/cookies.js';
 export function appendAppSetCookieHeader(headers, serializedCookie) {
     headers.append('Set-Cookie', serializedCookie);
 }

package/src/next/app/direct-auth-handlers.js

@@ -1,9 +1,9 @@
-import { AuthServiceError } from '../../core/services/auth-error';
-import { clearAppAuthCookie, setAppAuthCookie, } from './cookies';
-import { sendAppRedirect } from './response';
-import { withAppAuthRoute } from './wrapper';
-import { assertBearerOnlyActorPolicy, assertCsrfForCookieMutation, DEFAULT_ACCESS_TOKEN_COOKIE_NAME, DEFAULT_REFRESH_TOKEN_COOKIE_NAME, extractRefreshToken, parseNonNegativeSafeInteger, resolveAccessTokenTransportAdapter, resolveCookieSecureFlag, resolveLoginMethod, resolvePathnameFromUrl, } from '../shared/direct-auth-utils';
-import { parseBodyToRecord, toSingleString } from '../shared/oauth-utils';
+import { AuthServiceError } from '../../core/services/auth-error.js';
+import { clearAppAuthCookie, setAppAuthCookie, } from './cookies.js';
+import { sendAppRedirect } from './response.js';
+import { withAppAuthRoute } from './wrapper.js';
+import { assertBearerOnlyActorPolicy, assertCsrfForCookieMutation, DEFAULT_ACCESS_TOKEN_COOKIE_NAME, DEFAULT_REFRESH_TOKEN_COOKIE_NAME, extractRefreshToken, parseNonNegativeSafeInteger, resolveAccessTokenTransportAdapter, resolveCookieSecureFlag, resolveLoginMethod, resolvePathnameFromUrl, } from '../shared/direct-auth-utils.js';
+import { parseBodyToRecord, toSingleString } from '../shared/oauth-utils.js';
 function jsonResponse(statusCode, body, headers) {
     const responseHeaders = new Headers(headers);
     responseHeaders.set('Content-Type', 'application/json');

package/src/next/app/index.js

@@ -1,8 +1,8 @@
-export { buildAppAccessTokenTransportInput, getAppAuthorizationHeader, getAppCookies, getAppRequestId, } from './request';
-export { appendAppSetCookieHeader, clearAppAuthCookie, setAppAuthCookie, setAppCookie, } from './cookies';
-export { sendAppAuthError, sendAppRedirect, sendAppSystemError, } from './response';
-export { withAppAuthRoute, } from './wrapper';
-export { withAppProtectedRoute, } from './protected-route';
-export { APP_AUTH_CATCH_ALL_METHODS, createAppAuthCatchAllHandlers, } from './catch-all';
-export { createAppMcpHandler, createAppOAuthHandlers, createAppWellKnownHandlers, } from './mcp-oauth-handlers';
-export { createAppDirectAuthHandlers, } from './direct-auth-handlers';
+export { buildAppAccessTokenTransportInput, getAppAuthorizationHeader, getAppCookies, getAppRequestId, } from './request.js';
+export { appendAppSetCookieHeader, clearAppAuthCookie, setAppAuthCookie, setAppCookie, } from './cookies.js';
+export { sendAppAuthError, sendAppRedirect, sendAppSystemError, } from './response.js';
+export { withAppAuthRoute, } from './wrapper.js';
+export { withAppProtectedRoute, } from './protected-route.js';
+export { APP_AUTH_CATCH_ALL_METHODS, createAppAuthCatchAllHandlers, } from './catch-all.js';
+export { createAppMcpHandler, createAppOAuthHandlers, createAppWellKnownHandlers, } from './mcp-oauth-handlers.js';
+export { createAppDirectAuthHandlers, } from './direct-auth-handlers.js';

package/src/next/app/mcp-oauth-handlers.js

@@ -1,9 +1,9 @@
 import { randomUUID } from 'crypto';
-import { AuthServiceError } from '../../core/services/auth-error';
-import { sendAppRedirect } from './response';
-import { withAppAuthRoute } from './wrapper';
-import { appendUrlParams, parseAuthorizeRequest, parseBodyToRecord, parseBoolean, parseOAuthTokenRequest, parsePositiveSafeInteger, } from '../shared/oauth-utils';
-import { buildWellKnownMetadata, resolveRequestOrigin, } from '../shared/well-known-utils';
+import { AuthServiceError } from '../../core/services/auth-error.js';
+import { sendAppRedirect } from './response.js';
+import { withAppAuthRoute } from './wrapper.js';
+import { appendUrlParams, parseAuthorizeRequest, parseBodyToRecord, parseBoolean, parseOAuthTokenRequest, parsePositiveSafeInteger, } from '../shared/oauth-utils.js';
+import { buildWellKnownMetadata, resolveRequestOrigin, } from '../shared/well-known-utils.js';
 function jsonResponse(statusCode, body, headers) {
     const responseHeaders = new Headers(headers);
     responseHeaders.set('Content-Type', 'application/json');

package/src/next/app/protected-route.d.ts

@@ -24,4 +24,13 @@ export type WithAppProtectedRouteOptions<TSessionId, TUserId, TActor extends Aut
     authorizationHeaderName?: string;
     challenge?: WithAppAuthRouteOptions<TOutput>['challenge'];
 };
+/**
+ * Wraps a Next.js App Router handler with access-token authentication and
+ * standardized auth/system error handling.
+ *
+ * Handler output behavior:
+ * - Return a `Response` to fully control the HTTP response.
+ * - Return a non-`undefined` non-`Response` value to send `200` JSON.
+ * - Return `undefined` to send `204`.
+ */
 export declare function withAppProtectedRoute<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>, TOutput = unknown>(options: WithAppProtectedRouteOptions<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims, TOutput>): (req: Request) => Promise<Response>;

package/src/next/app/protected-route.js

@@ -1,6 +1,15 @@
-import { AuthServiceError } from '../../core/services/auth-error';
-import { assertBearerOnlyActorPolicy, resolveAccessTokenTransportAdapter, } from '../shared/direct-auth-utils';
-import { withAppAuthRoute } from './wrapper';
+import { AuthServiceError } from '../../core/services/auth-error.js';
+import { assertBearerOnlyActorPolicy, resolveAccessTokenTransportAdapter, } from '../shared/direct-auth-utils.js';
+import { withAppAuthRoute } from './wrapper.js';
+/**
+ * Wraps a Next.js App Router handler with access-token authentication and
+ * standardized auth/system error handling.
+ *
+ * Handler output behavior:
+ * - Return a `Response` to fully control the HTTP response.
+ * - Return a non-`undefined` non-`Response` value to send `200` JSON.
+ * - Return `undefined` to send `204`.
+ */
 export function withAppProtectedRoute(options) {
     const accessTokenTransportAdapter = resolveAccessTokenTransportAdapter(options.accessTokenTransport);
     return withAppAuthRoute({

package/src/next/app/request.js

@@ -1,4 +1,4 @@
-import { parseCookieHeader } from '../pages/request';
+import { parseCookieHeader } from '../pages/request.js';
 function getHeaderValue(headers, headerName) {
     const value = headers.get(headerName);
     if (value === null || value.length === 0) {

package/src/next/app/response.js

@@ -1,4 +1,4 @@
-import { buildAuthErrorHttpResponse, buildSystemErrorHttpResponse, } from '../shared/auth-http';
+import { buildAuthErrorHttpResponse, buildSystemErrorHttpResponse, } from '../shared/auth-http.js';
 function createJsonResponse(input) {
     const headers = new Headers(input.headers);
     headers.set('Content-Type', 'application/json');

package/src/next/app/wrapper.js

@@ -1,6 +1,6 @@
-import { isAuthServiceError } from '../../core/services/auth-error';
-import { buildAppAccessTokenTransportInput, getAppCookies, getAppRequestId, } from './request';
-import { sendAppAuthError, sendAppSystemError } from './response';
+import { isAuthServiceError } from '../../core/services/auth-error.js';
+import { buildAppAccessTokenTransportInput, getAppCookies, getAppRequestId, } from './request.js';
+import { sendAppAuthError, sendAppSystemError } from './response.js';
 export function withAppAuthRoute(options) {
     return async function appAuthRoute(req) {
         const requestId = getAppRequestId(req, options.requestIdHeaderName);

package/src/next/index.js

@@ -1,6 +1,6 @@
 export const SUPPORTED_NEXT_ROUTERS = ['pages', 'app'];
-export { buildProtectedRouteSession, buildProtectedRouteSessionWithMeta, } from '../shared/protected-route-session';
-export * from './pages/index';
-export * from './app/index';
-export * from './shared/auth-routes';
-export * from './rewrites';
+export { buildProtectedRouteSession, buildProtectedRouteSessionWithMeta, } from '../shared/protected-route-session.js';
+export * from './pages/index.js';
+export * from './app/index.js';
+export * from './shared/auth-routes.js';
+export * from './rewrites.js';

package/src/next/pages/catch-all.js

@@ -1,4 +1,4 @@
-import { isAuthRouteMethodAllowed, normalizeAuthRouteSegments, resolveAuthRoute, } from '../shared/auth-routes';
+import { isAuthRouteMethodAllowed, normalizeAuthRouteSegments, resolveAuthRoute, } from '../shared/auth-routes.js';
 function sendUnsupportedRoute(res) {
     res.status(404).json({
         error: 'not_found',

package/src/next/pages/direct-auth-handlers.js

@@ -1,9 +1,9 @@
-import { AuthServiceError } from '../../core/services/auth-error';
-import { clearPagesAuthCookie, setPagesAuthCookie, } from './cookies';
-import { sendPagesRedirect } from './response';
-import { withPagesAuthRoute } from './wrapper';
-import { assertBearerOnlyActorPolicy, assertCsrfForCookieMutation, DEFAULT_ACCESS_TOKEN_COOKIE_NAME, DEFAULT_REFRESH_TOKEN_COOKIE_NAME, extractRefreshToken, parseNonNegativeSafeInteger, resolveAccessTokenTransportAdapter, resolveCookieSecureFlag, resolveLoginMethod, resolvePathnameFromUrl, } from '../shared/direct-auth-utils';
-import { parseBodyToRecord, toSingleString } from '../shared/oauth-utils';
+import { AuthServiceError } from '../../core/services/auth-error.js';
+import { clearPagesAuthCookie, setPagesAuthCookie, } from './cookies.js';
+import { sendPagesRedirect } from './response.js';
+import { withPagesAuthRoute } from './wrapper.js';
+import { assertBearerOnlyActorPolicy, assertCsrfForCookieMutation, DEFAULT_ACCESS_TOKEN_COOKIE_NAME, DEFAULT_REFRESH_TOKEN_COOKIE_NAME, extractRefreshToken, parseNonNegativeSafeInteger, resolveAccessTokenTransportAdapter, resolveCookieSecureFlag, resolveLoginMethod, resolvePathnameFromUrl, } from '../shared/direct-auth-utils.js';
+import { parseBodyToRecord, toSingleString } from '../shared/oauth-utils.js';
 function sendMethodNotAllowed(res, allowedMethods) {
     res.setHeader('Allow', allowedMethods.join(', '));
     res.status(405).json({

package/src/next/pages/index.js

@@ -1,8 +1,8 @@
-export { buildPagesAccessTokenTransportInput, getPagesAuthorizationHeader, getPagesCookies, getPagesRequestId, parseCookieHeader, } from './request';
-export { appendSetCookieHeader, clearPagesAuthCookie, serializeSetCookie, setPagesAuthCookie, setPagesCookie, } from './cookies';
-export { sendPagesAuthError, sendPagesRedirect, sendPagesSystemError, } from './response';
-export { withPagesAuthRoute, } from './wrapper';
-export { withPagesProtectedRoute, } from './protected-route';
-export { createPagesAuthCatchAllHandler, } from './catch-all';
-export { createPagesMcpHandler, createPagesOAuthHandlers, createPagesWellKnownHandlers, } from './mcp-oauth-handlers';
-export { createPagesDirectAuthHandlers, } from './direct-auth-handlers';
+export { buildPagesAccessTokenTransportInput, getPagesAuthorizationHeader, getPagesCookies, getPagesRequestId, parseCookieHeader, } from './request.js';
+export { appendSetCookieHeader, clearPagesAuthCookie, serializeSetCookie, setPagesAuthCookie, setPagesCookie, } from './cookies.js';
+export { sendPagesAuthError, sendPagesRedirect, sendPagesSystemError, } from './response.js';
+export { withPagesAuthRoute, } from './wrapper.js';
+export { withPagesProtectedRoute, } from './protected-route.js';
+export { createPagesAuthCatchAllHandler, } from './catch-all.js';
+export { createPagesMcpHandler, createPagesOAuthHandlers, createPagesWellKnownHandlers, } from './mcp-oauth-handlers.js';
+export { createPagesDirectAuthHandlers, } from './direct-auth-handlers.js';

package/src/next/pages/mcp-oauth-handlers.js

@@ -1,9 +1,9 @@
 import { randomUUID } from 'crypto';
-import { AuthServiceError } from '../../core/services/auth-error';
-import { sendPagesRedirect } from './response';
-import { withPagesAuthRoute } from './wrapper';
-import { appendUrlParams, parseAuthorizeRequest, parseBodyToRecord, parseBoolean, parseOAuthTokenRequest, parsePositiveSafeInteger, toSingleString, } from '../shared/oauth-utils';
-import { buildWellKnownMetadata, resolveRequestOrigin, } from '../shared/well-known-utils';
+import { AuthServiceError } from '../../core/services/auth-error.js';
+import { sendPagesRedirect } from './response.js';
+import { withPagesAuthRoute } from './wrapper.js';
+import { appendUrlParams, parseAuthorizeRequest, parseBodyToRecord, parseBoolean, parseOAuthTokenRequest, parsePositiveSafeInteger, toSingleString, } from '../shared/oauth-utils.js';
+import { buildWellKnownMetadata, resolveRequestOrigin, } from '../shared/well-known-utils.js';
 function sendMethodNotAllowed(res, allowedMethods) {
     res.setHeader('Allow', allowedMethods.join(', '));
     res.status(405).json({

package/src/next/pages/protected-route.d.ts

@@ -25,4 +25,14 @@ export type WithPagesProtectedRouteOptions<TSessionId, TUserId, TActor extends A
     authorizationHeaderName?: string;
     challenge?: WithPagesAuthRouteOptions<TOutput>['challenge'];
 };
+/**
+ * Wraps a Next.js Pages API route with access-token authentication and
+ * standardized auth/system error handling.
+ *
+ * Handler output behavior:
+ * - Return a non-`undefined` value to send `200` with `res.json(output)`.
+ * - Return `undefined` to send `204`.
+ * - If your handler already finished the response (for example by calling
+ *   `res.status(...).json(...)` directly), the wrapper does not overwrite it.
+ */
 export declare function withPagesProtectedRoute<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>, TOutput = unknown>(options: WithPagesProtectedRouteOptions<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims, TOutput>): NextApiHandler;

package/src/next/pages/protected-route.js

@@ -1,6 +1,16 @@
-import { AuthServiceError } from '../../core/services/auth-error';
-import { assertBearerOnlyActorPolicy, resolveAccessTokenTransportAdapter, } from '../shared/direct-auth-utils';
-import { withPagesAuthRoute } from './wrapper';
+import { AuthServiceError } from '../../core/services/auth-error.js';
+import { assertBearerOnlyActorPolicy, resolveAccessTokenTransportAdapter, } from '../shared/direct-auth-utils.js';
+import { withPagesAuthRoute } from './wrapper.js';
+/**
+ * Wraps a Next.js Pages API route with access-token authentication and
+ * standardized auth/system error handling.
+ *
+ * Handler output behavior:
+ * - Return a non-`undefined` value to send `200` with `res.json(output)`.
+ * - Return `undefined` to send `204`.
+ * - If your handler already finished the response (for example by calling
+ *   `res.status(...).json(...)` directly), the wrapper does not overwrite it.
+ */
 export function withPagesProtectedRoute(options) {
     const accessTokenTransportAdapter = resolveAccessTokenTransportAdapter(options.accessTokenTransport);
     return withPagesAuthRoute({

package/src/next/pages/response.js

@@ -1,4 +1,4 @@
-import { buildAuthErrorHttpResponse, buildSystemErrorHttpResponse, } from '../shared/auth-http';
+import { buildAuthErrorHttpResponse, buildSystemErrorHttpResponse, } from '../shared/auth-http.js';
 export function sendPagesAuthError(res, error, options) {
     const mapped = buildAuthErrorHttpResponse({
         error,

package/src/next/pages/wrapper.js

@@ -1,6 +1,6 @@
-import { isAuthServiceError } from '../../core/services/auth-error';
-import { buildPagesAccessTokenTransportInput, getPagesRequestId, } from './request';
-import { sendPagesAuthError, sendPagesSystemError } from './response';
+import { isAuthServiceError } from '../../core/services/auth-error.js';
+import { buildPagesAccessTokenTransportInput, getPagesRequestId, } from './request.js';
+import { sendPagesAuthError, sendPagesSystemError } from './response.js';
 export function withPagesAuthRoute(options) {
     return async function pagesAuthRoute(req, res) {
         const requestId = getPagesRequestId(req, options.requestIdHeaderName);

package/src/next/rewrites.js

@@ -1,4 +1,4 @@
-import { buildAuthRoutePath } from './shared/auth-routes';
+import { buildAuthRoutePath } from './shared/auth-routes.js';
 function normalizePath(path) {
     const trimmed = path.trim();
     if (trimmed.length === 0) {

package/src/next/shared/auth-http.js

@@ -1,5 +1,5 @@
-import { buildBearerChallengeHeader } from '../../core/http/bearer-challenge';
-import { authErrorToHttpStatus, } from '../../core/services/auth-error';
+import { buildBearerChallengeHeader } from '../../core/http/bearer-challenge.js';
+import { authErrorToHttpStatus, } from '../../core/services/auth-error.js';
 function toBearerChallengeError(code) {
     return code === 'invalid_client' ? 'invalid_client' : 'invalid_token';
 }

package/src/next/shared/direct-auth-utils.js

@@ -1,5 +1,5 @@
-import { AuthServiceError } from '../../core/services/auth-error';
-import { toSingleString } from './oauth-utils';
+import { AuthServiceError } from '../../core/services/auth-error.js';
+import { toSingleString } from './oauth-utils.js';
 export const DEFAULT_ACCESS_TOKEN_COOKIE_NAME = 'access_token';
 export const DEFAULT_REFRESH_TOKEN_COOKIE_NAME = 'refresh_token';
 export const DEFAULT_CSRF_COOKIE_NAME = 'csrf_token';

package/src/next/shared/oauth-utils.js

@@ -1,4 +1,4 @@
-import { AuthServiceError } from '../../core/services/auth-error';
+import { AuthServiceError } from '../../core/services/auth-error.js';
 function toNonEmptyString(value) {
     if (Array.isArray(value)) {
         for (const item of value) {

package/src/shared/protected-route-session.js

@@ -1,4 +1,4 @@
-import { AuthServiceError, } from '../core/services/auth-error';
+import { AuthServiceError, } from '../core/services/auth-error.js';
 function buildMissingMetaError(options) {
     return new AuthServiceError({
         code: options?.errorCode ?? 'unauthorized',

package/src/testing/in-memory/index.js

@@ -1,7 +1,7 @@
-export { createInMemoryAccessTokenRevocationAdapter } from './in-memory-access-token-revocation-adapter';
-export { createInMemoryAuthorizationCodeAdapter } from './in-memory-authorization-code-adapter';
-export { createInMemoryOAuthClientAdapter, } from './in-memory-oauth-client-adapter';
-export { createInMemoryPendingAuthRequestAdapter } from './in-memory-pending-auth-request-adapter';
-export { createInMemoryRefreshTokenAdapter } from './in-memory-refresh-token-adapter';
-export { createInMemorySessionAdapter } from './in-memory-session-adapter';
-export { createIncrementingIdFactory, createStepClock } from './test-fixtures';
+export { createInMemoryAccessTokenRevocationAdapter } from './in-memory-access-token-revocation-adapter.js';
+export { createInMemoryAuthorizationCodeAdapter } from './in-memory-authorization-code-adapter.js';
+export { createInMemoryOAuthClientAdapter, } from './in-memory-oauth-client-adapter.js';
+export { createInMemoryPendingAuthRequestAdapter } from './in-memory-pending-auth-request-adapter.js';
+export { createInMemoryRefreshTokenAdapter } from './in-memory-refresh-token-adapter.js';
+export { createInMemorySessionAdapter } from './in-memory-session-adapter.js';
+export { createIncrementingIdFactory, createStepClock } from './test-fixtures.js';

package/src/testing/index.js

@@ -1,4 +1,4 @@
 export function createFixedUnixNow(unix) {
     return () => unix;
 }
-export * from './in-memory/index';
+export * from './in-memory/index.js';