agentlock-shared 0.2.0 → 0.3.0

package/dist/__tests__/signing.test.js

@@ -1,7 +1,25 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const vitest_1 = require("vitest");
+const tweetnacl_1 = __importDefault(require("tweetnacl"));
+const tweetnacl_util_1 = require("tweetnacl-util");
 const signing_js_1 = require("../signing.js");
+/**
+ * Sign the pre-version-binding (legacy) pre-image: `canonical:timestamp:nonce`
+ * with NO `:version` suffix and no version header. Models an agent built
+ * before the version was bound into the signature.
+ */
+function signLegacyUnbound(body, privateKeyB64) {
+    const timestamp = String(Date.now());
+    const nonce = (0, tweetnacl_util_1.encodeBase64)(tweetnacl_1.default.randomBytes(16));
+    const canonical = (0, signing_js_1.canonicalStringify)(body);
+    const message = (0, tweetnacl_util_1.decodeUTF8)(`${canonical}:${timestamp}:${nonce}`);
+    const signature = tweetnacl_1.default.sign.detached(message, (0, tweetnacl_util_1.decodeBase64)(privateKeyB64));
+    return { timestamp, nonce, signature: (0, tweetnacl_util_1.encodeBase64)(signature) };
+}
 (0, vitest_1.describe)('Ed25519 Signing', () => {
     (0, vitest_1.it)('should generate valid keypair', () => {
         const kp = (0, signing_js_1.generateKeypair)();
@@ -47,5 +65,76 @@ const signing_js_1 = require("../signing.js");
         headers['x-timestamp'] = String(Date.now() - 10 * 60 * 1000);
         (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headers, kp.publicKey)).toThrow('Timestamp skew');
     });
+    (0, vitest_1.it)('should reject timestamp from the future', () => {
+        // A permissive check would only look at now - ts. Replay would then work
+        // forever if you set the timestamp 2h in the future. Math.abs() catches
+        // both directions; guard against a future refactor dropping the abs.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'write', tool: 'demo', payload: {} };
+        const headers = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        headers['x-timestamp'] = String(Date.now() + 10 * 60 * 1000);
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headers, kp.publicKey)).toThrow('Timestamp skew');
+    });
+    (0, vitest_1.it)('should produce unique nonces across many signs', () => {
+        // If nonces collide, the gateway's replay-protection unique-index
+        // rejects the second insert and the agent sees a 409. 200 iterations
+        // is enough to shake out a non-random generator without making CI slow.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'read', tool: 'demo', payload: {} };
+        const nonces = new Set();
+        for (let i = 0; i < 200; i++) {
+            const n = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey)['x-nonce'];
+            if (n)
+                nonces.add(n);
+        }
+        (0, vitest_1.expect)(nonces.size).toBe(200);
+    });
+    (0, vitest_1.it)('should reject a replayed request that only changes the nonce header', () => {
+        // The signature is bound to (body, timestamp, nonce). Just rotating
+        // the nonce without re-signing must not produce a verifying signature.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'read', tool: 'demo', payload: {} };
+        const headers = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        headers['x-nonce'] = 'AAAAAAAAAAAAAAAAAAAAAAAA'; // 24-char base64
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headers, kp.publicKey)).toThrow('Invalid signature');
+    });
+    (0, vitest_1.it)('should verify identical payloads signed concurrently with different nonces (race-safety)', () => {
+        // Simulate two concurrent signers of the same body. Both must verify
+        // independently; only the DB unique-constraint on nonce stops the
+        // second from actually executing in production.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'read', tool: 'demo', payload: {} };
+        const headersA = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        const headersB = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        (0, vitest_1.expect)(headersA['x-nonce']).toBeTruthy();
+        (0, vitest_1.expect)(headersA['x-nonce']).not.toBe(headersB['x-nonce']);
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headersA, kp.publicKey)).not.toThrow();
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headersB, kp.publicKey)).not.toThrow();
+    });
+    (0, vitest_1.it)('accepts a legacy unbound-preimage signature when NO version header is sent', () => {
+        // Transitional fallback: agents built before version-binding sign the
+        // unbound pre-image and send no header. They must keep verifying so the
+        // rollout doesn't force a simultaneous redeploy of every agent.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'read', tool: 'demo', payload: {} };
+        const { timestamp, nonce, signature } = signLegacyUnbound(body, kp.privateKey);
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, { 'x-agent-id': 'a', 'x-timestamp': timestamp, 'x-signature': signature, 'x-nonce': nonce }, kp.publicKey)).not.toThrow();
+    });
+    (0, vitest_1.it)('rejects a legacy unbound-preimage signature once x-signature-version is present', () => {
+        // This is the property the gateway routes must preserve by FORWARDING the
+        // header: when a client declares its version, the unbound legacy pre-image
+        // is no longer an accepted downgrade. If a route drops the header, this
+        // downgrade path stays open for every request.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'read', tool: 'demo', payload: {} };
+        const { timestamp, nonce, signature } = signLegacyUnbound(body, kp.privateKey);
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, {
+            'x-agent-id': 'a',
+            'x-timestamp': timestamp,
+            'x-signature': signature,
+            'x-nonce': nonce,
+            'x-signature-version': '1',
+        }, kp.publicKey)).toThrow('Invalid signature');
+    });
 });
 //# sourceMappingURL=signing.test.js.map

package/dist/__tests__/signing.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"signing.test.js","sourceRoot":"","sources":["../../src/__tests__/signing.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,8CAAgG;AAEhG,IAAA,iBAAQ,EAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,IAAA,eAAM,EAAC,EAAE,CAAC,SAAS,CAAC,CAAC,UAAU,EAAE,CAAC;QAClC,IAAA,eAAM,EAAC,EAAE,CAAC,UAAU,CAAC,CAAC,UAAU,EAAE,CAAC;QACnC,IAAA,eAAM,EAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC;QAC/E,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC;QAC/E,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAC5C,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,CAAC;QAC5F,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC;QACxE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,GAAG,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAA,+BAAkB,EAAC,GAAG,CAAC,CAAC;QACvC,0CAA0C;QAC1C,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;IACpG,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,OAAO,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"signing.test.js","sourceRoot":"","sources":["../../src/__tests__/signing.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAA8C;AAC9C,0DAA6B;AAC7B,mDAAwE;AACxE,8CAAgG;AAEhG;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,IAA6B,EAAE,aAAqB;IAC7E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,IAAA,6BAAY,EAAC,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAA,+BAAkB,EAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAA,2BAAU,EAAC,GAAG,SAAS,IAAI,SAAS,IAAI,KAAK,EAAE,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,mBAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAA,6BAAY,EAAC,aAAa,CAAC,CAAC,CAAC;IAC3E,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,IAAA,6BAAY,EAAC,SAAS,CAAC,EAAE,CAAC;AAClE,CAAC;AAED,IAAA,iBAAQ,EAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,IAAA,eAAM,EAAC,EAAE,CAAC,SAAS,CAAC,CAAC,UAAU,EAAE,CAAC;QAClC,IAAA,eAAM,EAAC,EAAE,CAAC,UAAU,CAAC,CAAC,UAAU,EAAE,CAAC;QACnC,IAAA,eAAM,EAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC;QAC/E,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC;QAC/E,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAC5C,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,CAAC;QAC5F,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC;QACxE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,GAAG,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAA,+BAAkB,EAAC,GAAG,CAAC,CAAC;QACvC,0CAA0C;QAC1C,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;IACpG,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,OAAO,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,yEAAyE;QACzE,wEAAwE;QACxE,qEAAqE;QACrE,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,OAAO,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,kEAAkE;QAClE,qEAAqE;QACrE,wEAAwE;QACxE,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChE,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;QACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7B,MAAM,CAAC,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,CAAC;YACnE,IAAI,CAAC;gBAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACvB,CAAC;QACD,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,oEAAoE;QACpE,uEAAuE;QACvE,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChE,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,OAAO,CAAC,SAAS,CAAC,GAAG,0BAA0B,CAAC,CAAC,iBAAiB;QAClE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0FAA0F,EAAE,GAAG,EAAE;QAClG,qEAAqE;QACrE,kEAAkE;QAClE,gDAAgD;QAChD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChE,MAAM,QAAQ,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC/D,MAAM,QAAQ,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC/D,IAAA,eAAM,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC;QACzC,IAAA,eAAM,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;QAC1D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACxE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4EAA4E,EAAE,GAAG,EAAE;QACpF,sEAAsE;QACtE,wEAAwE;QACxE,gEAAgE;QAChE,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,iBAAiB,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC/E,IAAA,eAAM,EAAC,GAAG,EAAE,CACV,IAAA,0BAAa,EACX,IAAI,EACJ,EAAE,YAAY,EAAE,GAAG,EAAE,aAAa,EAAE,SAAS,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,EAC3F,EAAE,CAAC,SAAS,CACb,CACF,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iFAAiF,EAAE,GAAG,EAAE;QACzF,0EAA0E;QAC1E,2EAA2E;QAC3E,wEAAwE;QACxE,+CAA+C;QAC/C,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,iBAAiB,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC/E,IAAA,eAAM,EAAC,GAAG,EAAE,CACV,IAAA,0BAAa,EACX,IAAI,EACJ;YACE,YAAY,EAAE,GAAG;YACjB,aAAa,EAAE,SAAS;YACxB,aAAa,EAAE,SAAS;YACxB,SAAS,EAAE,KAAK;YAChB,qBAAqB,EAAE,GAAG;SAC3B,EACD,EAAE,CAAC,SAAS,CACb,CACF,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/ssh-fingerprint.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ssh-fingerprint.test.d.ts.map

package/dist/__tests__/ssh-fingerprint.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-fingerprint.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/ssh-fingerprint.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/ssh-fingerprint.test.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const ssh_fingerprint_js_1 = require("../ssh-fingerprint.js");
+(0, vitest_1.describe)('normalizeSshHostKeyFingerprint', () => {
+    (0, vitest_1.it)('accepts canonical hex and lowercases it', () => {
+        (0, vitest_1.expect)((0, ssh_fingerprint_js_1.normalizeSshHostKeyFingerprint)('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')).toBe('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa');
+    });
+    (0, vitest_1.it)('accepts OpenSSH-style SHA256 base64 and converts it to hex', () => {
+        (0, vitest_1.expect)((0, ssh_fingerprint_js_1.normalizeSshHostKeyFingerprint)('SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')).toBe('0000000000000000000000000000000000000000000000000000000000000000');
+    });
+    (0, vitest_1.it)('accepts url-safe base64 without the SHA256 prefix', () => {
+        (0, vitest_1.expect)((0, ssh_fingerprint_js_1.normalizeSshHostKeyFingerprint)('___________________________________________')).toBe('ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+    });
+    (0, vitest_1.it)('rejects malformed fingerprints', () => {
+        (0, vitest_1.expect)(() => (0, ssh_fingerprint_js_1.normalizeSshHostKeyFingerprint)('not-a-fingerprint')).toThrow(/Invalid SHA-256 host key fingerprint/);
+    });
+});
+//# sourceMappingURL=ssh-fingerprint.test.js.map

package/dist/__tests__/ssh-fingerprint.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-fingerprint.test.js","sourceRoot":"","sources":["../../src/__tests__/ssh-fingerprint.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,8DAAuE;AAEvE,IAAA,iBAAQ,EAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,IAAA,WAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,IAAA,eAAM,EACJ,IAAA,mDAA8B,EAC5B,kEAAkE,CACnE,CACF,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,IAAA,eAAM,EACJ,IAAA,mDAA8B,EAAC,oDAAoD,CAAC,CACrF,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,IAAA,eAAM,EACJ,IAAA,mDAA8B,EAAC,6CAA6C,CAAC,CAC9E,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mDAA8B,EAAC,mBAAmB,CAAC,CAAC,CAAC,OAAO,CACvE,sCAAsC,CACvC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/vpn-route.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=vpn-route.test.d.ts.map

package/dist/__tests__/vpn-route.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vpn-route.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/vpn-route.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/vpn-route.test.js

@@ -0,0 +1,72 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const policy_js_1 = require("../policy.js");
+const UUID_A = '11111111-1111-4111-8111-111111111111';
+const UUID_B = '22222222-2222-4222-8222-222222222222';
+const UUID_C = '33333333-3333-4333-8333-333333333333';
+(0, vitest_1.describe)('resolveVpnRoute', () => {
+    (0, vitest_1.it)('returns undefined when host or routes are missing/empty', () => {
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)(undefined, undefined)).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('example.com', undefined)).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('example.com', [])).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('', [{ domainPattern: 'example.com', vpnCredentialId: UUID_A }])).toBeUndefined();
+    });
+    (0, vitest_1.it)('matches exact hostname case-insensitively', () => {
+        const routes = [
+            { domainPattern: 'Internal.Corp.Example', vpnCredentialId: UUID_A },
+        ];
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('internal.corp.example', routes)).toBe(UUID_A);
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('INTERNAL.CORP.EXAMPLE', routes)).toBe(UUID_A);
+        // Trailing dot in FQDN form is canonicalized away.
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('internal.corp.example.', routes)).toBe(UUID_A);
+        // Unrelated host does not match.
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('other.example', routes)).toBeUndefined();
+    });
+    (0, vitest_1.it)('wildcard "*.corp.example" matches subdomains but not the bare suffix', () => {
+        const routes = [
+            { domainPattern: '*.corp.example', vpnCredentialId: UUID_A },
+        ];
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('www.corp.example', routes)).toBe(UUID_A);
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('a.b.corp.example', routes)).toBe(UUID_A);
+        // Bare suffix must NOT match — users who want both add a second exact entry.
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('corp.example', routes)).toBeUndefined();
+        // Different tail.
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('www.corp.other', routes)).toBeUndefined();
+    });
+    (0, vitest_1.it)('first match wins when multiple routes could apply', () => {
+        const routes = [
+            { domainPattern: 'db.corp.example', vpnCredentialId: UUID_A },
+            { domainPattern: '*.corp.example', vpnCredentialId: UUID_B },
+            { domainPattern: 'corp.example', vpnCredentialId: UUID_C },
+        ];
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('db.corp.example', routes)).toBe(UUID_A); // exact match wins over wildcard
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('web.corp.example', routes)).toBe(UUID_B); // wildcard hits here
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('corp.example', routes)).toBe(UUID_C); // bare suffix exact
+    });
+    (0, vitest_1.it)('silently skips malformed pattern entries instead of throwing', () => {
+        // Zod rejects these at save time; this is a belt-and-suspenders guard.
+        const routes = [
+            { domainPattern: '', vpnCredentialId: UUID_A },
+            { domainPattern: '   ', vpnCredentialId: UUID_A },
+            { domainPattern: '*.', vpnCredentialId: UUID_A },
+            { domainPattern: 'good.example', vpnCredentialId: UUID_B },
+        ];
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('good.example', routes)).toBe(UUID_B);
+        // And the malformed entries don't accidentally match:
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('anything.com', routes)).toBeUndefined();
+    });
+});
+(0, vitest_1.describe)('hostnameFromUrl', () => {
+    (0, vitest_1.it)('extracts the lowercased hostname from http(s) URLs', () => {
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)('https://Api.Example.COM/path?q=1')).toBe('api.example.com');
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)('http://127.0.0.1:8080/x')).toBe('127.0.0.1');
+    });
+    (0, vitest_1.it)('returns undefined for non-URL inputs', () => {
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)(undefined)).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)(null)).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)('')).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)('not a url')).toBeUndefined();
+    });
+});
+//# sourceMappingURL=vpn-route.test.js.map

package/dist/__tests__/vpn-route.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vpn-route.test.js","sourceRoot":"","sources":["../../src/__tests__/vpn-route.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,4CAAgE;AAGhE,MAAM,MAAM,GAAG,sCAAsC,CAAC;AACtD,MAAM,MAAM,GAAG,sCAAsC,CAAC;AACtD,MAAM,MAAM,GAAG,sCAAsC,CAAC;AAEtD,IAAA,iBAAQ,EAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAA,WAAE,EAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAC9D,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,aAAa,EAAE,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAClE,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,aAAa,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAC3D,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,EAAE,EAAE,CAAC,EAAE,aAAa,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAC3G,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,MAAM,GAA6B;YACvC,EAAE,aAAa,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,EAAE;SACpE,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtE,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtE,mDAAmD;QACnD,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvE,iCAAiC;QACjC,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,MAAM,MAAM,GAA6B;YACvC,EAAE,aAAa,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,EAAE;SAC7D,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACjE,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACjE,6EAA6E;QAC7E,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAChE,kBAAkB;QAClB,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,MAAM,GAA6B;YACvC,EAAE,aAAa,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,EAAE;YAC7D,EAAE,aAAa,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,EAAE;YAC5D,EAAE,aAAa,EAAE,cAAc,EAAI,eAAe,EAAE,MAAM,EAAE;SAC7D,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAG,iCAAiC;QACpG,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAE,qBAAqB;QACxF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAM,oBAAoB;IACzF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,uEAAuE;QACvE,MAAM,MAAM,GAA6B;YACvC,EAAE,aAAa,EAAE,EAAE,EAAE,eAAe,EAAE,MAAM,EAAE;YAC9C,EAAE,aAAa,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE;YACjD,EAAE,aAAa,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE;YAChD,EAAE,aAAa,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,EAAE;SAC3D,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7D,sDAAsD;QACtD,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAA,WAAE,EAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,kCAAkC,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACpF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,yBAAyB,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QACnD,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,IAAI,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAC9C,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,EAAE,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAC5C,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,WAAW,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACvD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/wireguard.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=wireguard.test.d.ts.map

package/dist/__tests__/wireguard.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wireguard.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/wireguard.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/wireguard.test.js

@@ -0,0 +1,114 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const wireguard_js_1 = require("../wireguard.js");
+const validConfig = `
+[Interface]
+PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
+Address = 10.0.0.5/32
+DNS = 10.0.0.1
+MTU = 1420
+
+[Peer]
+PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
+PresharedKey = FpCyhws9cxwWoV4xELtfJvjJN+zQVRPISllRWgeopVE=
+Endpoint = vpn.example.com:51820
+AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
+PersistentKeepalive = 25
+`;
+(0, vitest_1.describe)('parseWireGuardConfig', () => {
+    (0, vitest_1.it)('parses a complete valid config', () => {
+        const cfg = (0, wireguard_js_1.parseWireGuardConfig)(validConfig);
+        (0, vitest_1.expect)(cfg.privateKey).toBe('yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=');
+        (0, vitest_1.expect)(cfg.address).toBe('10.0.0.5/32');
+        (0, vitest_1.expect)(cfg.mtu).toBe(1420);
+        (0, vitest_1.expect)(cfg.dns).toEqual(['10.0.0.1']);
+        (0, vitest_1.expect)(cfg.peer.publicKey).toBe('xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=');
+        (0, vitest_1.expect)(cfg.peer.endpoint).toBe('vpn.example.com:51820');
+        (0, vitest_1.expect)(cfg.peer.allowedIPs).toEqual(['10.0.0.0/24', '192.168.1.0/24']);
+        (0, vitest_1.expect)(cfg.peer.persistentKeepalive).toBe(25);
+    });
+    (0, vitest_1.it)('accepts minimal config (no DNS, MTU, PSK, keepalive)', () => {
+        const minimal = `
+[Interface]
+PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
+Address = 10.0.0.5/32
+
+[Peer]
+PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
+Endpoint = vpn.example.com:51820
+AllowedIPs = 10.0.0.0/24
+`;
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(minimal)).not.toThrow();
+    });
+    (0, vitest_1.it)('rejects config missing [Interface]', () => {
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)('[Peer]\nPublicKey=x\nEndpoint=e:1\nAllowedIPs=0.0.0.0/0')).toThrow(/Interface/i);
+    });
+    (0, vitest_1.it)('rejects config with multiple [Peer] blocks', () => {
+        const dual = validConfig + '\n[Peer]\nPublicKey = x\nEndpoint = y:1\nAllowedIPs = 0.0.0.0/0\n';
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(dual)).toThrow(/exactly one \[Peer\]/i);
+    });
+    (0, vitest_1.it)('rejects malformed base64 key', () => {
+        const bad = validConfig.replace('yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=', 'not-base64!');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(bad)).toThrow(/private key/i);
+    });
+    (0, vitest_1.it)('rejects invalid endpoint format', () => {
+        const bad = validConfig.replace('vpn.example.com:51820', 'no-port-here');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(bad)).toThrow(/endpoint/i);
+    });
+    (0, vitest_1.it)('Zod schema rejects extra fields', () => {
+        const withExtra = {
+            privateKey: 'yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=',
+            address: '10.0.0.5/32',
+            extraField: 'nope',
+            peer: {
+                publicKey: 'xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=',
+                endpoint: 'vpn.example.com:51820',
+                allowedIPs: ['10.0.0.0/24'],
+            },
+        };
+        (0, vitest_1.expect)(() => wireguard_js_1.WireGuardConfigSchema.parse(withExtra)).toThrow();
+    });
+    (0, vitest_1.it)('rejects endpoint with port > 65535', () => {
+        const bad = validConfig.replace('vpn.example.com:51820', 'vpn.example.com:99999');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(bad)).toThrow(/port/i);
+    });
+    (0, vitest_1.it)('rejects CIDR with octet > 255', () => {
+        const bad = validConfig.replace('10.0.0.5/32', '999.0.0.0/32');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(bad)).toThrow(/ipv4 cidr/i);
+    });
+    (0, vitest_1.it)('rejects CIDR with prefix > 32', () => {
+        const bad = validConfig.replace('10.0.0.0/24', '10.0.0.0/99');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(bad)).toThrow(/ipv4 cidr/i);
+    });
+    (0, vitest_1.it)('rejects duplicate [Interface] section', () => {
+        const dup = validConfig + '\n[Interface]\nPrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=\nAddress = 10.0.0.6/32\n';
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(dup)).toThrow(/duplicate \[interface\]/i);
+    });
+    (0, vitest_1.it)('rejects duplicate key within a section', () => {
+        const dup = validConfig.replace('Address = 10.0.0.5/32', 'Address = 10.0.0.5/32\nAddress = 10.0.0.6/32');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(dup)).toThrow(/duplicate key: address/i);
+    });
+    (0, vitest_1.it)('rejects AllowedIPs routing to cloud-metadata or loopback (SSRF-exemption pivot)', () => {
+        const meta = validConfig.replace('10.0.0.0/24, 192.168.1.0/24', '169.254.169.254/32');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(meta)).toThrow();
+        const loop = validConfig.replace('10.0.0.0/24, 192.168.1.0/24', '127.0.0.0/8');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(loop)).toThrow();
+    });
+    (0, vitest_1.it)('still allows AllowedIPs in legitimate private (RFC1918) ranges', () => {
+        const priv = validConfig.replace('10.0.0.0/24, 192.168.1.0/24', '172.16.0.0/12');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(priv)).not.toThrow();
+    });
+    (0, vitest_1.it)('rejects a DNS server pointing at the metadata address', () => {
+        const badDns = validConfig.replace('DNS = 10.0.0.1', 'DNS = 169.254.169.254');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(badDns)).toThrow();
+    });
+});
+(0, vitest_1.describe)('VPN_LIMITS_BY_PLAN', () => {
+    (0, vitest_1.it)('enforces free=0, pro=3, team=10', () => {
+        (0, vitest_1.expect)(wireguard_js_1.VPN_LIMITS_BY_PLAN.free).toBe(0);
+        (0, vitest_1.expect)(wireguard_js_1.VPN_LIMITS_BY_PLAN.pro).toBe(3);
+        (0, vitest_1.expect)(wireguard_js_1.VPN_LIMITS_BY_PLAN.team).toBe(10);
+    });
+});
+//# sourceMappingURL=wireguard.test.js.map

package/dist/__tests__/wireguard.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wireguard.test.js","sourceRoot":"","sources":["../../src/__tests__/wireguard.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,kDAAkG;AAElG,MAAM,WAAW,GAAG;;;;;;;;;;;;;CAanB,CAAC;AAEF,IAAA,iBAAQ,EAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,IAAA,WAAE,EAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,GAAG,GAAG,IAAA,mCAAoB,EAAC,WAAW,CAAC,CAAC;QAC9C,IAAA,eAAM,EAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;QAC5E,IAAA,eAAM,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACxC,IAAA,eAAM,EAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,IAAA,eAAM,EAAC,GAAG,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;QAChF,IAAA,eAAM,EAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACxD,IAAA,eAAM,EAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC,CAAC;QACvE,IAAA,eAAM,EAAC,GAAG,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,OAAO,GAAG;;;;;;;;;CASnB,CAAC;QACE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,yDAAyD,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IACtH,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,IAAI,GAAG,WAAW,GAAG,mEAAmE,CAAC;QAC/F,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,8CAA8C,EAAE,aAAa,CAAC,CAAC;QAC/F,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,uBAAuB,EAAE,cAAc,CAAC,CAAC;QACzE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,SAAS,GAAG;YAChB,UAAU,EAAE,8CAA8C;YAC1D,OAAO,EAAE,aAAa;YACtB,UAAU,EAAE,MAAM;YAClB,IAAI,EAAE;gBACJ,SAAS,EAAE,8CAA8C;gBACzD,QAAQ,EAAE,uBAAuB;gBACjC,UAAU,EAAE,CAAC,aAAa,CAAC;aAC5B;SACF,CAAC;QACF,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,oCAAqB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,uBAAuB,EAAE,uBAAuB,CAAC,CAAC;QAClF,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAC/D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;QAC9D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,GAAG,GAAG,WAAW,GAAG,mGAAmG,CAAC;QAC9H,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAC7B,uBAAuB,EACvB,8CAA8C,CAC/C,CAAC;QACF,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iFAAiF,EAAE,GAAG,EAAE;QACzF,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,6BAA6B,EAAE,oBAAoB,CAAC,CAAC;QACtF,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QACnD,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,6BAA6B,EAAE,aAAa,CAAC,CAAC;QAC/E,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,6BAA6B,EAAE,eAAe,CAAC,CAAC;QACjF,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,gBAAgB,EAAE,uBAAuB,CAAC,CAAC;QAC9E,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACvD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,IAAA,eAAM,EAAC,iCAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,IAAA,eAAM,EAAC,iCAAkB,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACvC,IAAA,eAAM,EAAC,iCAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/billing.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Stripe subscription-status helpers shared by the billing routes.
+ *
+ * Keep these rules small and explicit: checkout/self-heal and webhook
+ * downgrade paths must make the same decision about whether an existing
+ * subscription can still be recovered or should be treated as terminal.
+ */
+export declare function isEntitledStripeSubscriptionStatus(status: string): boolean;
+export declare function isRecoverableStripeSubscriptionStatus(status: string): boolean;
+export declare function isTerminalStripeSubscriptionStatus(status: string): boolean;
+export declare function canStartNewCheckoutForStripeSubscriptionStatus(status: string): boolean;
+//# sourceMappingURL=billing.d.ts.map

package/dist/billing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"billing.d.ts","sourceRoot":"","sources":["../src/billing.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAoBH,wBAAgB,kCAAkC,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAE1E;AAED,wBAAgB,qCAAqC,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED,wBAAgB,kCAAkC,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAE1E;AAED,wBAAgB,8CAA8C,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAEtF"}

package/dist/billing.js

@@ -0,0 +1,41 @@
+"use strict";
+/**
+ * Stripe subscription-status helpers shared by the billing routes.
+ *
+ * Keep these rules small and explicit: checkout/self-heal and webhook
+ * downgrade paths must make the same decision about whether an existing
+ * subscription can still be recovered or should be treated as terminal.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isEntitledStripeSubscriptionStatus = isEntitledStripeSubscriptionStatus;
+exports.isRecoverableStripeSubscriptionStatus = isRecoverableStripeSubscriptionStatus;
+exports.isTerminalStripeSubscriptionStatus = isTerminalStripeSubscriptionStatus;
+exports.canStartNewCheckoutForStripeSubscriptionStatus = canStartNewCheckoutForStripeSubscriptionStatus;
+const ENTITLED_STATUSES = new Set([
+    'active',
+    'trialing',
+]);
+const RECOVERABLE_STATUSES = new Set([
+    ...ENTITLED_STATUSES,
+    'past_due',
+    'unpaid',
+    'incomplete',
+    'paused',
+]);
+const TERMINAL_STATUSES = new Set([
+    'canceled',
+    'incomplete_expired',
+]);
+function isEntitledStripeSubscriptionStatus(status) {
+    return ENTITLED_STATUSES.has(status);
+}
+function isRecoverableStripeSubscriptionStatus(status) {
+    return RECOVERABLE_STATUSES.has(status);
+}
+function isTerminalStripeSubscriptionStatus(status) {
+    return TERMINAL_STATUSES.has(status);
+}
+function canStartNewCheckoutForStripeSubscriptionStatus(status) {
+    return isTerminalStripeSubscriptionStatus(status);
+}
+//# sourceMappingURL=billing.js.map

package/dist/billing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"billing.js","sourceRoot":"","sources":["../src/billing.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAoBH,gFAEC;AAED,sFAEC;AAED,gFAEC;AAED,wGAEC;AAhCD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,QAAQ;IACR,UAAU;CACX,CAAC,CAAC;AAEH,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,GAAG,iBAAiB;IACpB,UAAU;IACV,QAAQ;IACR,YAAY;IACZ,QAAQ;CACT,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,UAAU;IACV,oBAAoB;CACrB,CAAC,CAAC;AAEH,SAAgB,kCAAkC,CAAC,MAAc;IAC/D,OAAO,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AACvC,CAAC;AAED,SAAgB,qCAAqC,CAAC,MAAc;IAClE,OAAO,oBAAoB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AAC1C,CAAC;AAED,SAAgB,kCAAkC,CAAC,MAAc;IAC/D,OAAO,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AACvC,CAAC;AAED,SAAgB,8CAA8C,CAAC,MAAc;IAC3E,OAAO,kCAAkC,CAAC,MAAM,CAAC,CAAC;AACpD,CAAC"}

package/dist/crypto.d.ts

@@ -37,6 +37,11 @@ export declare function envelopeDecrypt(encryptedData: string, masterKey: Uint8A
 export declare function encryptDEK(dek: Uint8Array, masterKey: Uint8Array): string;
 export declare function decryptDEK(encryptedDEK: string, masterKey: Uint8Array): Uint8Array;
 export declare function getMasterKey(): Uint8Array;
+/** Return every retired key in rotation order (most-recent first). Used by
+ *  the credential-decryption fallback path to try each until one succeeds.
+ */
+export declare function getPreviousMasterKeys(): Uint8Array[];
+/** Back-compat: first previous key only. Prefer `getPreviousMasterKeys()`. */
 export declare function getPreviousMasterKey(): Uint8Array | null;
 /** Zero and release cached master keys. Call on graceful shutdown. */
 export declare function clearCachedKeys(): void;

package/dist/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAYA,wBAAgB,WAAW,IAAI,UAAU,CAExC;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,CAU7D;AAED;;;;;;;;;GASG;AACH,wBAAgB,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,CA0BtE;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAU3E;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAKpF;AAkDD,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAEzE;AAED,wBAAgB,UAAU,CAAC,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,UAAU,CAGlF;AAMD,wBAAgB,YAAY,IAAI,UAAU,CAMzC;AAMD,wBAAgB,oBAAoB,IAAI,UAAU,GAAG,IAAI,CAOxD;AAED,sEAAsE;AACtE,wBAAgB,eAAe,IAAI,IAAI,CAUtC;AAED,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,SAAS,EAAE,UAAU,GACpB;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAA;CAAE,CAUpD;AAED,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,gBAAgB,EAAE,MAAM,EACxB,SAAS,EAAE,UAAU,GACpB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAUzB"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAYA,wBAAgB,WAAW,IAAI,UAAU,CAExC;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,CAU7D;AAED;;;;;;;;;GASG;AACH,wBAAgB,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,CAwBtE;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAU3E;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAKpF;AAkDD,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAEzE;AAED,wBAAgB,UAAU,CAAC,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,UAAU,CAGlF;AA0BD,wBAAgB,YAAY,IAAI,UAAU,CAMzC;AAuCD;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,UAAU,EAAE,CAOpD;AAED,8EAA8E;AAC9E,wBAAgB,oBAAoB,IAAI,UAAU,GAAG,IAAI,CAExD;AAED,sEAAsE;AACtE,wBAAgB,eAAe,IAAI,IAAI,CAUtC;AAED,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,SAAS,EAAE,UAAU,GACpB;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAA;CAAE,CAUpD;AAED,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,gBAAgB,EAAE,MAAM,EACxB,SAAS,EAAE,UAAU,GACpB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAUzB"}

package/dist/crypto.js

@@ -11,6 +11,7 @@ exports.envelopeDecrypt = envelopeDecrypt;
 exports.encryptDEK = encryptDEK;
 exports.decryptDEK = decryptDEK;
 exports.getMasterKey = getMasterKey;
+exports.getPreviousMasterKeys = getPreviousMasterKeys;
 exports.getPreviousMasterKey = getPreviousMasterKey;
 exports.clearCachedKeys = clearCachedKeys;
 exports.generateMasterKey = generateMasterKey;
@@ -66,13 +67,12 @@ function decrypt(encryptedData, key) {
     if (message) {
         return new TextDecoder().decode(message);
     }
-    // Try previous master key for rotation support
-    const prevKey = getPreviousMasterKey();
-    if (prevKey) {
-        const message2 = tweetnacl_1.default.secretbox.open(box, nonce, prevKey);
-        if (message2) {
-            return new TextDecoder().decode(message2);
-        }
+    // Try every retired master key (most-recent first). See
+    // `getPreviousMasterKeys()` for the rotation model.
+    for (const prevKey of getPreviousMasterKeys()) {
+        const attempt = tweetnacl_1.default.secretbox.open(box, nonce, prevKey);
+        if (attempt)
+            return new TextDecoder().decode(attempt);
     }
     throw new Error('Decryption failed: invalid key or corrupted data');
 }
@@ -166,27 +166,83 @@ function decryptDEK(encryptedDEK, masterKey) {
 // Cache the decoded master key to avoid creating multiple copies in memory.
 // A single copy is preferable to many short-lived copies scattered on the heap.
 let _cachedMasterKey = null;
+/** nacl.secretbox requires a 32-byte key. A shorter key silently breaks
+ * crypto with a confusing error deep in the stack; a longer key indicates
+ * misconfiguration. Fail loudly at first access instead. */
+const SECRETBOX_KEY_LENGTH = 32;
+function validateMasterKey(raw, name) {
+    let decoded;
+    try {
+        decoded = (0, tweetnacl_util_1.decodeBase64)(raw);
+    }
+    catch {
+        throw new Error(`${name} is not valid base64`);
+    }
+    if (decoded.length !== SECRETBOX_KEY_LENGTH) {
+        throw new Error(`${name} must decode to exactly ${SECRETBOX_KEY_LENGTH} bytes (got ${decoded.length})`);
+    }
+    return decoded;
+}
 function getMasterKey() {
     if (_cachedMasterKey)
         return _cachedMasterKey.slice();
     const key = process.env.MASTER_KEY;
     if (!key)
         throw new Error('MASTER_KEY environment variable not set');
-    _cachedMasterKey = (0, tweetnacl_util_1.decodeBase64)(key);
+    _cachedMasterKey = validateMasterKey(key, 'MASTER_KEY');
     return _cachedMasterKey.slice();
 }
-// Support MASTER_KEY rotation: try previous key when current key fails
-let _cachedPrevKey = null;
-let _prevKeyChecked = false;
-function getPreviousMasterKey() {
-    if (_prevKeyChecked)
-        return _cachedPrevKey ? _cachedPrevKey.slice() : null;
-    _prevKeyChecked = true;
-    const key = process.env.MASTER_KEY_PREVIOUS;
-    if (!key)
+// Support MASTER_KEY rotation with up to 5 previous keys. Operator sets
+//   MASTER_KEY            = current key
+//   MASTER_KEY_PREVIOUS   = most recent retired key   (used during rotation #1)
+//   MASTER_KEY_PREVIOUS_2 = one-before-that           (rotation #2)
+//   ...
+//   MASTER_KEY_PREVIOUS_5 = oldest retained key       (rotation #5)
+//
+// Decryption walks the list top-down until one key succeeds; that lets an
+// operator roll the key repeatedly (e.g. quarterly) without a big-bang
+// re-encryption job in between. After all rows are re-encrypted with the
+// new current key, unset the oldest MASTER_KEY_PREVIOUS_* env var.
+//
+// Each env var is validated + cached at first-use. The cache is cleared on
+// shutdown so keys don't linger in the heap post-SIGTERM.
+const MAX_PREVIOUS_KEYS = 5;
+const _prevKeyCache = new Array(MAX_PREVIOUS_KEYS).fill(null);
+function previousKeyEnvName(slot) {
+    // slot 0 → MASTER_KEY_PREVIOUS, slot 1 → MASTER_KEY_PREVIOUS_2, etc.
+    return slot === 0 ? 'MASTER_KEY_PREVIOUS' : `MASTER_KEY_PREVIOUS_${slot + 1}`;
+}
+function loadPreviousKeySlot(slot) {
+    const cached = _prevKeyCache[slot];
+    if (cached === 'unset')
+        return null;
+    if (cached instanceof Uint8Array)
+        return cached.slice();
+    const name = previousKeyEnvName(slot);
+    const raw = process.env[name];
+    if (!raw) {
+        _prevKeyCache[slot] = 'unset';
         return null;
-    _cachedPrevKey = (0, tweetnacl_util_1.decodeBase64)(key);
-    return _cachedPrevKey.slice();
+    }
+    const key = validateMasterKey(raw, name);
+    _prevKeyCache[slot] = key;
+    return key.slice();
+}
+/** Return every retired key in rotation order (most-recent first). Used by
+ *  the credential-decryption fallback path to try each until one succeeds.
+ */
+function getPreviousMasterKeys() {
+    const out = [];
+    for (let i = 0; i < MAX_PREVIOUS_KEYS; i++) {
+        const k = loadPreviousKeySlot(i);
+        if (k)
+            out.push(k);
+    }
+    return out;
+}
+/** Back-compat: first previous key only. Prefer `getPreviousMasterKeys()`. */
+function getPreviousMasterKey() {
+    return loadPreviousKeySlot(0);
 }
 /** Zero and release cached master keys. Call on graceful shutdown. */
 function clearCachedKeys() {
@@ -194,11 +250,12 @@ function clearCachedKeys() {
         _cachedMasterKey.fill(0);
         _cachedMasterKey = null;
     }
-    if (_cachedPrevKey) {
-        _cachedPrevKey.fill(0);
-        _cachedPrevKey = null;
+    for (let i = 0; i < MAX_PREVIOUS_KEYS; i++) {
+        const k = _prevKeyCache[i];
+        if (k instanceof Uint8Array)
+            k.fill(0);
+        _prevKeyCache[i] = null;
     }
-    _prevKeyChecked = false;
 }
 function generateMasterKey() {
     return (0, tweetnacl_util_1.encodeBase64)(generateKey());