botparty 0.0.62 → 0.0.63

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/index.js +1 -1
  2. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -161,7 +161,7 @@ ${$("BOTPARTY SERVICES")}
161
161
  `)}function y4(e){return e.includes(".")?e:`${e}.botparty.club`}function YR(e){let t=[];for(let a=0;a<e.length;a++){let r=e[a];if(r.startsWith("--")){let n=r.slice(2).split("=")[0];if(C4.has(n))continue;if(b4.has(n)){!r.includes("=")&&a+1<e.length&&a++;continue}}t.push(r)}return t}async function g_(e,t){let a=process.argv.slice(2),r=a.findIndex(l=>l==="services"),n=YR(r>=0?a.slice(r+1):[]),i=n[0]&&!n[0].startsWith("-")?n[0]:void 0;if(!i){T4();return}let s=y4(i),o=n[1]&&!n[1].startsWith("-")?n[1]:void 0,c=n.slice(o?2:1);try{if(!o&&c.length===0)await Ko(s);else{let l=await Aa(s);!(o&&(l.actions.some(u=>u.slug===o)||l.actions.some(u=>u.slug.startsWith(o+"."))))&&l.defaultAction&&(c=n.slice(1),o=l.defaultAction),await p_(s,o,c,e,t)}}catch(l){l.code==="ENOTFOUND"||l.cause?.code==="ENOTFOUND"?console.error(`\x1B[31mError:\x1B[0m Could not connect to ${s}`):l.message?console.error(`\x1B[31mError:\x1B[0m ${l.message}`):console.error(l),process.exit(1)}}var HR,b4,C4,f_=Ce(()=>{"use strict";Ni();m_();Or();Ci();HR=[{shorthand:"mongo",description:"MongoDB databases \u2014 create, manage credentials, backups"},{shorthand:"git",description:"Git repositories \u2014 create, push/pull, token management"},{shorthand:"s3",description:"S3 storage \u2014 buckets, presigned URLs, IAM credentials"},{shorthand:"deploy",description:"Deployments \u2014 deploy to Vercel with no account needed"},{shorthand:"domains",description:"Domains \u2014 register, configure DNS records"},{shorthand:"upstash",description:"Upstash \u2014 Redis, Vector indices, QStash queues"},{shorthand:"vps",description:"VPS \u2014 bare-metal servers, SSH sessions, command exec"},{shorthand:"vms",description:"VMs \u2014 Docker containers with persistent storage"},{shorthand:"email",description:"Email \u2014 inboxes, send/receive, threaded conversations"}];b4=new Set(["state-dir","server"]),C4=new Set(["json","help","h","version","v","yes"])});import{readFileSync as J_,writeFileSync as bo,mkdirSync as WA,existsSync as fi,unlinkSync as Co,statSync as QA,renameSync as ed}from"node:fs";import{join as Ra}from"node:path";import{homedir as jA}from"node:os";import{randomBytes as td}from"node:crypto";var B_=new TextEncoder,po=new TextDecoder,cF=2**32;function sA(...e){let t=e.reduce((n,{length:i})=>n+i,0),a=new Uint8Array(t),r=0;for(let n of e)a.set(n,r),r+=n.length;return a}function so(e){let t=new Uint8Array(e.length);for(let a=0;a<e.length;a++){let r=e.charCodeAt(a);if(r>127)throw new TypeError("non-ASCII string encountered in encode()");t[a]=r}return t}function G_(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,a=[];for(let r=0;r<e.length;r+=t)a.push(String.fromCharCode.apply(null,e.subarray(r,r+t)));return btoa(a.join(""))}function z_(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),a=new Uint8Array(t.length);for(let r=0;r<t.length;r++)a[r]=t.charCodeAt(r);return a}function H_(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:po.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=po.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/");try{return z_(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function oo(e){let t=e;return typeof t=="string"&&(t=B_.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:!0}):G_(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ba=(e,t="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`),yr=(e,t)=>e.name===t;function oA(e){return parseInt(e.name.slice(4),10)}function lo(e,t){if(oA(e.hash)!==t)throw ba(`SHA-${t}`,"algorithm.hash")}function lA(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function cA(e,t){if(t&&!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function _A(e,t,a){switch(t){case"HS256":case"HS384":case"HS512":{if(!yr(e.algorithm,"HMAC"))throw ba("HMAC");lo(e.algorithm,parseInt(t.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!yr(e.algorithm,"RSASSA-PKCS1-v1_5"))throw ba("RSASSA-PKCS1-v1_5");lo(e.algorithm,parseInt(t.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!yr(e.algorithm,"RSA-PSS"))throw ba("RSA-PSS");lo(e.algorithm,parseInt(t.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!yr(e.algorithm,"Ed25519"))throw ba("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!yr(e.algorithm,t))throw ba(t);break}case"ES256":case"ES384":case"ES512":{if(!yr(e.algorithm,"ECDSA"))throw ba("ECDSA");let r=lA(t);if(e.algorithm.namedCurve!==r)throw ba(r,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}cA(e,a)}function Y_(e,t,...a){if(a=a.filter(Boolean),a.length>2){let r=a.pop();e+=`one of type ${a.join(", ")}, or ${r}.`}else a.length===2?e+=`one of type ${a[0]} or ${a[1]}.`:e+=`of type ${a[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var q_=(e,...t)=>Y_("Key must be ",e,...t),$_=(e,t,...a)=>Y_(`Key for the ${e} algorithm must be `,t,...a),fo=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,t){super(e,t),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}},Rt=class extends fo{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"},fn=class extends fo{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},Ca=class extends fo{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"},Eo=e=>{if(e?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return e instanceof CryptoKey}catch{return!1}},ho=e=>e?.[Symbol.toStringTag]==="KeyObject",V_=e=>Eo(e)||ho(e),_F=Symbol();function v_(e,t){if(e)throw new TypeError(`${t} can only be called once`)}var dA=e=>typeof e=="object"&&e!==null;function So(e){if(!dA(e)||Object.prototype.toString.call(e)!=="[object Object]")return!1;if(Object.getPrototypeOf(e)===null)return!0;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t}function uA(...e){let t=e.filter(Boolean);if(t.length===0||t.length===1)return!0;let a;for(let r of t){let n=Object.keys(r);if(!a||a.size===0){a=new Set(n);continue}for(let i of n){if(a.has(i))return!1;a.add(i)}}return!0}var To=e=>So(e)&&typeof e.kty=="string",pA=e=>e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string"),mA=e=>e.kty!=="oct"&&e.d===void 0&&e.priv===void 0,gA=e=>e.kty==="oct"&&typeof e.k=="string";function fA(e,t){if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:a}=t.algorithm;if(typeof a!="number"||a<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}}function EA(e,t){let a=`SHA-${e.slice(-3)}`;switch(e){case"HS256":case"HS384":case"HS512":return{hash:a,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:a,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:a,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:a,name:"ECDSA",namedCurve:t.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:e};default:throw new Rt(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}async function hA(e,t,a){if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(q_(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},!1,[a])}return _A(t,e,a),t}async function SA(e,t,a){let r=await hA(e,t,"sign");fA(e,r);let n=await crypto.subtle.sign(EA(e,r.algorithm),r,a);return new Uint8Array(n)}var pi='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function TA(e){let t,a;switch(e.kty){case"AKP":{switch(e.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":t={name:e.alg},a=e.priv?["sign"]:["verify"];break;default:throw new Rt(pi)}break}case"RSA":{switch(e.alg){case"PS256":case"PS384":case"PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},a=e.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},a=e.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},a=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new Rt(pi)}break}case"EC":{switch(e.alg){case"ES256":case"ES384":case"ES512":t={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[e.alg]},a=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},a=e.d?["deriveBits"]:[];break;default:throw new Rt(pi)}break}case"OKP":{switch(e.alg){case"Ed25519":case"EdDSA":t={name:"Ed25519"},a=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:e.crv},a=e.d?["deriveBits"]:[];break;default:throw new Rt(pi)}break}default:throw new Rt('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:t,keyUsages:a}}async function yA(e){if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:a}=TA(e),r={...e};return r.kty!=="AKP"&&delete r.alg,delete r.use,crypto.subtle.importKey("jwk",r,t,e.ext??!(e.d||e.priv),e.key_ops??a)}var br="given KeyObject instance cannot be used for this algorithm",Ar,w_=async(e,t,a,r=!1)=>{Ar||=new WeakMap;let n=Ar.get(e);if(n?.[a])return n[a];let i=await yA({...t,alg:a});return r&&Object.freeze(e),n?n[a]=i:Ar.set(e,{[a]:i}),i},bA=(e,t)=>{Ar||=new WeakMap;let a=Ar.get(e);if(a?.[t])return a[t];let r=e.type==="public",n=!!r,i;if(e.asymmetricKeyType==="x25519"){switch(t){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(br)}i=e.toCryptoKey(e.asymmetricKeyType,n,r?[]:["deriveBits"])}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError(br);i=e.toCryptoKey(e.asymmetricKeyType,n,[r?"verify":"sign"])}switch(e.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError(br);i=e.toCryptoKey(e.asymmetricKeyType,n,[r?"verify":"sign"])}}if(e.asymmetricKeyType==="rsa"){let s;switch(t){case"RSA-OAEP":s="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":s="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":s="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":s="SHA-512";break;default:throw new TypeError(br)}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:s},n,r?["encrypt"]:["decrypt"]);i=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:s},n,[r?"verify":"sign"])}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError(br);let o={ES256:"P-256",ES384:"P-384",ES512:"P-521"};o[t]&&s===o[t]&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:s},n,[r?"verify":"sign"])),t.startsWith("ECDH-ES")&&(i=e.toCryptoKey({name:"ECDH",namedCurve:s},n,r?[]:["deriveBits"]))}if(!i)throw new TypeError(br);return a?a[t]=i:Ar.set(e,{[t]:i}),i};async function CA(e,t){if(e instanceof Uint8Array||Eo(e))return e;if(ho(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return bA(e,t)}catch(r){if(r instanceof TypeError)throw r}let a=e.export({format:"jwk"});return w_(e,a,t)}if(To(e))return e.k?H_(e.k):w_(e,e,t,!0);throw new Error("unreachable")}var RA=(e,t)=>{let a=(e.match(/.{1,64}/g)||[]).join(`
162
162
  `);return`-----BEGIN ${t}-----
163
163
  ${a}
164
- -----END ${t}-----`},K_=async(e,t,a)=>{if(ho(a)){if(a.type!==e)throw new TypeError(`key is not a ${e} key`);return a.export({format:"pem",type:t})}if(!Eo(a))throw new TypeError(q_(a,"CryptoKey","KeyObject"));if(!a.extractable)throw new TypeError("CryptoKey is not extractable");if(a.type!==e)throw new TypeError(`key is not a ${e} key`);return RA(G_(new Uint8Array(await crypto.subtle.exportKey(t,a))),`${e.toUpperCase()} KEY`)},AA=e=>K_("public","spki",e),NA=e=>K_("private","pkcs8",e),co=(e,t)=>{if(e.byteLength!==t.length)return!1;for(let a=0;a<e.byteLength;a++)if(e[a]!==t[a])return!1;return!0},OA=e=>({data:e,pos:0}),hn=e=>{let t=e.data[e.pos++];if(t&128){let a=t&127,r=0;for(let n=0;n<a;n++)r=r<<8|e.data[e.pos++];return r}return t},Sn=(e,t,a)=>{if(e.data[e.pos++]!==t)throw new Error(a)},W_=(e,t)=>{let a=e.data.subarray(e.pos,e.pos+t);return e.pos+=t,a},DA=e=>{Sn(e,6,"Expected algorithm OID");let t=hn(e);return W_(e,t)};function IA(e){Sn(e,48,"Invalid PKCS#8 structure"),hn(e),Sn(e,2,"Expected version field");let t=hn(e);e.pos+=t,Sn(e,48,"Expected algorithm identifier");let a=hn(e);return{algIdStart:e.pos,algIdLength:a}}var kA=e=>{let t=DA(e);if(co(t,[43,101,110]))return"X25519";if(!co(t,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");Sn(e,6,"Expected curve OID");let a=hn(e),r=W_(e,a);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(co(r,i))return n;throw new Error("Unsupported named curve")},vA=async(e,t,a,r)=>{let n,i,s=e==="spki",o=()=>s?["verify"]:["sign"],c=()=>s?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(a){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${a.slice(-3)}`},i=o();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${a.slice(-3)}`},i=o();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(a.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[a]},i=o();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let l=r.getNamedCurve(t);n=l==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:l}}catch{throw new Rt("Invalid or unsupported key format")}i=s?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=o();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:a},i=o();break;default:throw new Rt('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(e,t,n,r?.extractable??!!s,i)},wA=(e,t)=>z_(e.replace(t,"")),xA=(e,t,a)=>{let r=wA(e,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=a;return t?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let s=OA(i);return IA(s),kA(s)}),vA("pkcs8",r,t,n)};async function Q_(e,t,a){if(typeof e!="string"||e.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return xA(e,t,a)}async function MA(e){return AA(e)}async function LA(e){return NA(e)}function PA(e,t,a,r,n){if(n.crit!==void 0&&r?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!r||r.crit===void 0)return new Set;if(!Array.isArray(r.crit)||r.crit.length===0||r.crit.some(s=>typeof s!="string"||s.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;a!==void 0?i=new Map([...Object.entries(a),...t.entries()]):i=t;for(let s of r.crit){if(!i.has(s))throw new Rt(`Extension Header Parameter "${s}" is not recognized`);if(n[s]===void 0)throw new e(`Extension Header Parameter "${s}" is missing`);if(i.get(s)&&r[s]===void 0)throw new e(`Extension Header Parameter "${s}" MUST be integrity protected`)}return new Set(r.crit)}var Rr=e=>e?.[Symbol.toStringTag],mo=(e,t,a)=>{if(t.use!==void 0){let r;switch(a){case"sign":case"verify":r="sig";break;case"encrypt":case"decrypt":r="enc";break}if(t.use!==r)throw new TypeError(`Invalid key for this operation, its "use" must be "${r}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let r;switch(!0){case(a==="sign"||a==="verify"):case e==="dir":case e.includes("CBC-HS"):r=a;break;case e.startsWith("PBES2"):r="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?r=a==="encrypt"?"wrapKey":"unwrapKey":r=a;break;case(a==="encrypt"&&e.startsWith("RSA")):r="wrapKey";break;case a==="decrypt":r=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(r&&t.key_ops?.includes?.(r)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${r}" when present`)}return!0},FA=(e,t,a)=>{if(!(t instanceof Uint8Array)){if(To(t)){if(gA(t)&&mo(e,t,a))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!V_(t))throw new TypeError($_(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${Rr(t)} instances for symmetric algorithms must be of type "secret"`)}},UA=(e,t,a)=>{if(To(t))switch(a){case"decrypt":case"sign":if(pA(t)&&mo(e,t,a))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(mA(t)&&mo(e,t,a))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!V_(t))throw new TypeError($_(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${Rr(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(a){case"sign":throw new TypeError(`${Rr(t)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${Rr(t)} instances for asymmetric algorithm decryption must be of type "private"`)}if(t.type==="private")switch(a){case"verify":throw new TypeError(`${Rr(t)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${Rr(t)} instances for asymmetric algorithm encryption must be of type "public"`)}};function BA(e,t,a){switch(e.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":FA(e,t,a);break;default:UA(e,t,a)}}var Ya=e=>Math.floor(e.getTime()/1e3),j_=60,X_=j_*60,yo=X_*24,GA=yo*7,zA=yo*365.25,HA=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function _o(e){let t=HA.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let a=parseFloat(t[2]),r=t[3].toLowerCase(),n;switch(r){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(a);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(a*j_);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(a*X_);break;case"day":case"days":case"d":n=Math.round(a*yo);break;case"week":case"weeks":case"w":n=Math.round(a*GA);break;default:n=Math.round(a*zA);break}return t[1]==="-"||t[4]==="ago"?-n:n}function qa(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var YA=class{#e;constructor(e){if(!So(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return B_.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=qa("setNotBefore",e):e instanceof Date?this.#e.nbf=qa("setNotBefore",Ya(e)):this.#e.nbf=Ya(new Date)+_o(e)}set exp(e){typeof e=="number"?this.#e.exp=qa("setExpirationTime",e):e instanceof Date?this.#e.exp=qa("setExpirationTime",Ya(e)):this.#e.exp=Ya(new Date)+_o(e)}set iat(e){e===void 0?this.#e.iat=Ya(new Date):e instanceof Date?this.#e.iat=qa("setIssuedAt",Ya(e)):typeof e=="string"?this.#e.iat=qa("setIssuedAt",Ya(new Date)+_o(e)):this.#e.iat=qa("setIssuedAt",e)}},Z_=class{#e;#t;#a;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return v_(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return v_(this.#a,"setUnprotectedHeader"),this.#a=e,this}async sign(e,t){if(!this.#t&&!this.#a)throw new fn("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!uA(this.#t,this.#a))throw new fn("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let a={...this.#t,...this.#a},r=PA(fn,new Map([["b64",!0]]),t?.crit,this.#t,a),n=!0;if(r.has("b64")&&(n=this.#t.b64,typeof n!="boolean"))throw new fn('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=a;if(typeof i!="string"||!i)throw new fn('JWS "alg" (Algorithm) Header Parameter missing or invalid');BA(i,e,"sign");let s,o;n?(s=oo(this.#e),o=so(s)):(o=this.#e,s="");let c,l;this.#t?(c=oo(JSON.stringify(this.#t)),l=so(c)):(c="",l=new Uint8Array);let d=sA(l,so("."),o),u=await CA(e,i),g=await SA(i,u,d),E={signature:oo(g),payload:s};return this.#a&&(E.header=this.#a),this.#t&&(E.protected=c),E}},qA=class{#e;constructor(e){this.#e=new Z_(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,t){let a=await this.#e.sign(e,t);if(a.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${a.protected}.${a.payload}.${a.signature}`}},$A=class{#e;#t;constructor(e={}){this.#t=new YA(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,t){let a=new qA(this.#t.data());if(a.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new Ca("JWTs MUST NOT use unencoded payload");return a.sign(e,t)}};function VA(e){if(typeof e!="string")throw new Ca("JWTs must use Compact JWS serialization, JWT must be a string");let{1:t,length:a}=e.split(".");if(a===5)throw new Ca("Only JWTs using Compact JWS serialization can be decoded");if(a!==3)throw new Ca("Invalid JWT");if(!t)throw new Ca("JWTs must contain a payload");let r;try{r=H_(t)}catch{throw new Ca("Failed to base64url decode the payload")}let n;try{n=JSON.parse(po.decode(r))}catch{throw new Ca("Failed to parse the decoded payload as JSON")}if(!So(n))throw new Ca("Invalid JWT Claims Set");return n}function uo(e){let t=e?.modulusLength??2048;if(typeof t!="number"||t<2048)throw new Rt("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return t}async function KA(e,t){let a,r;switch(e){case"PS256":case"PS384":case"PS512":a={name:"RSA-PSS",hash:`SHA-${e.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:uo(t)},r=["sign","verify"];break;case"RS256":case"RS384":case"RS512":a={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:uo(t)},r=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":a={name:"RSA-OAEP",hash:`SHA-${parseInt(e.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:uo(t)},r=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":a={name:"ECDSA",namedCurve:"P-256"},r=["sign","verify"];break;case"ES384":a={name:"ECDSA",namedCurve:"P-384"},r=["sign","verify"];break;case"ES512":a={name:"ECDSA",namedCurve:"P-521"},r=["sign","verify"];break;case"Ed25519":case"EdDSA":{r=["sign","verify"],a={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{r=["sign","verify"],a={name:e};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{r=["deriveBits"];let n=t?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{a={name:"ECDH",namedCurve:n};break}case"X25519":a={name:"X25519"};break;default:throw new Rt("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new Rt('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(a,t?.extractable??!1,r)}var XA="https://id.botparty.club",ZA="EdDSA",JA=15,x_=6e4,eN=3e4,tN="5m",aN=3,rN=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],nN=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],je=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},Ro=class extends je{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},Ei=class extends je{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},Tn=class extends je{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},hi=class extends je{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function M_(e){let t=td(4);return e[t.readUInt32BE(0)%e.length]}function iN(){return`${M_(rN)}-${M_(nN)}`}function sN(){let e=iN(),t=td(2).toString("hex");return`${e}-${t}`}function oN(){return Ra(jA(),".botparty")}function Ao(e){fi(e)||WA(e,{recursive:!0,mode:448})}function lN(e){let t=Ra(e,"identity.json");if(!fi(t))return null;try{return JSON.parse(J_(t,"utf-8"))}catch{return null}}function go(e,t){Ao(e);let a=Ra(e,"identity.json"),r=a+".tmp";bo(r,JSON.stringify(t,null,2),{mode:384}),ed(r,a)}function cN(e){let t=Ra(e,"private.pem");if(!fi(t))return null;try{return J_(t,"utf-8")}catch{return null}}function ad(e,t){Ao(e);let a=Ra(e,"private.pem"),r=a+".tmp";bo(r,t,{mode:384}),ed(r,a)}function L_(e){for(let t of["identity.json","private.pem"]){let a=Ra(e,t);fi(a)&&Co(a)}}function _N(e){let t=Ra(e,"rotation.lock");Ao(e);for(let a=0;a<2;a++)try{bo(t,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(r){if(r.code!=="EEXIST")throw r;try{let n=QA(t);if(Date.now()-n.mtimeMs>eN){Co(t);continue}}catch{continue}throw r}}function dN(e){try{Co(Ra(e,"rotation.lock"))}catch{}}async function rd(e){let t={extractable:!0};e==="EdDSA"&&(t.crv="Ed25519");let{privateKey:a,publicKey:r}=await KA(e,t),n=await LA(a),i=await MA(r);return{privateKey:a,publicKey:r,privatePem:n,publicPem:i}}async function uN(e,t,a){let r=await Q_(t,a);return(await new Z_(new TextEncoder().encode(e)).setProtectedHeader({alg:a}).sign(r)).signature}async function gi(e,t,a,r,n,i){let s=r,o=await Q_(a,s);return new $A({...n}).setProtectedHeader({alg:s,kid:t}).setIssuer(e).setSubject(i??e).setIssuedAt().setExpirationTime(tN).sign(o)}async function Qe(e,t,a={}){let{token:r,...n}=a,i=new Headers(n.headers);return i.set("Content-Type","application/json"),r&&i.set("Authorization",`Bearer ${r}`),fetch(`${e}${t}`,{...n,headers:i})}function P_(e,t){try{let a=new URL(e),r=new URL(t);return a.hostname===r.hostname&&a.port===r.port&&a.protocol===r.protocol?e:`${t}/${a.hostname}${a.pathname}${a.search}`}catch{return`${t}/${e}`}}async function mi(e){try{return await e.clone().json()}catch{return null}}function En(e){let t=e.error,a,r,n,i={};if(typeof t=="object"&&t!==null){let s=t;a=s.code||"UNKNOWN",r=s.message||e.message||"Request failed",n=s.actionUrl||e.actionUrl||s.payTo||e.payTo,i=s}else a=(typeof t=="string"?t:e.code)||"UNKNOWN",r=e.message||(typeof t=="string"?t:"Request failed"),n=e.actionUrl||e.payTo,i=e;return{code:a.toUpperCase(),message:r,actionUrl:n,extra:i}}var pN=class{constructor(e,t){this.client=e,this.keyId=t}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},mN=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),t=await Qe(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!t.ok)throw await this.client._apiError(t);return(await t.json()).data}async get(e){let t=(await this.list()).find(a=>a.id===e);if(!t)throw new je({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return t}async add(e){let t=await this.client.generateToken(),a=await Qe(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:t,body:JSON.stringify(e)});if(!a.ok)throw await this.client._apiError(a);return a.json()}async update(e,t){let a=await this.client.generateToken(),r=await Qe(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:a,body:JSON.stringify(t)});if(!r.ok)throw await this.client._apiError(r);return r.json()}async delete(e){let t=await this.client.generateToken(),a=await Qe(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:t});if(!a.ok&&a.status!==204)throw await this.client._apiError(a)}async rotate(e){let t=this.client.getIdentity();if(!t)throw new Error("Not registered");let a=this.client.getPrivateKey();if(!a)throw new Error("Private key not found");let r=e||t.keyId;if(r!==t.keyId)throw new je({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let n=await rd(t.algorithm),i=await gi(t.namespace,t.keyId,a,t.algorithm),s=await Qe(t.serverUrl,`/api/v1/namespaces/keys/${r}/rotate`,{method:"POST",token:i,body:JSON.stringify({newPublicKey:n.publicPem})});if(!s.ok)throw await this.client._apiError(s);let o=await s.json();return ad(this.client.stateDir,n.privatePem),go(this.client.stateDir,{...t,rotatedAt:o.rotatedAt}),o}async rotateCurrent(){return this.rotate()}async invalidate(e,t){let a=await this.client.generateToken(),r=await Qe(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:a,body:JSON.stringify({reason:t})});if(!r.ok)throw await this.client._apiError(r)}},nd=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||Cr("BOTPARTY_SERVER_URL")||XA).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||Cr("BOTPARTY_PROXY_URL")||Cr("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||Cr("BOTPARTY_STATE_DIR")||oN(),this.algorithm=e.algorithm||ZA,this.rotationTTL=e.rotationTTL||JA,this.inviteToken=e.inviteToken||Cr("BOTPARTY_INVITE_TOKEN"),this.keys=new mN(this)}getIdentity(){return lN(this.stateDir)}getPrivateKey(){return cN(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,t,a){let r=e,n=0,i=a?.inviteToken||this.inviteToken;for(;n<aN;){r||(r=sN());let s=t||r,o=await rd(this.algorithm),c=await Qe(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:r,publicKey:o.publicPem,rotationTTL:this.rotationTTL,...i&&{inviteToken:i}})}),l=await c.json();if(l.status==="already_registered")throw new je({code:"ALREADY_REGISTERED",message:`Namespace "${r}" is already registered`,statusCode:409});if(c.status===409&&!e){r=void 0,n++;continue}if(!c.ok)throw new je({code:l.error||"REGISTRATION_FAILED",message:l.message||l.error||"Registration failed",statusCode:c.status});let d=l.challenge,u=await uN(d,o.privatePem,this.algorithm),g=await Qe(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:r,challenge:d,signature:u})});if(!g.ok)throw await this._apiError(g);let E=await g.json();return ad(this.stateDir,o.privatePem),go(this.stateDir,{serverUrl:this.serverUrl,namespace:r,keyId:E.keyId,algorithm:this.algorithm,rotatedAt:E.rotatedAt,rotationTTL:E.rotationTTL,label:s,...E.parentNamespace&&{parentNamespace:E.parentNamespace},...E.inheritedScopes&&{inheritedScopes:E.inheritedScopes}}),E}throw new je({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;let t=this.inviteToken,a=!1;if(t)try{a=VA(t).typ==="org_invite"}catch{}if(await this.register(void 0,void 0,{inviteToken:a?void 0:t}),!this.getIdentity())throw new Error("Registration succeeded but identity could not be read");if(a&&t)try{let r=await this.redeemOrgInvite(t);r.orgId&&this.setActAs(r.orgId)}catch{}return this.getIdentity()}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let t=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=t-x_)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){_N(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let t=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<t-x_)return;await this.keys.rotateCurrent()}finally{dN(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let t=this.getIdentity(),a=this.getPrivateKey(),r=this.getActAs(),n=r??t.namespace,i=r?t.namespace:void 0;return gi(n,t.keyId,a,t.algorithm,e,i)}async fetch(e,t={}){let a=await this.generateToken(),r=P_(e,this.proxyUrl),n=new Headers(t.headers);n.set("X-Proxy-Authorization",`Bearer ${a}`);let i=await fetch(r,{...t,headers:n});if(i.status===401){let s=await mi(i);if(s){let{code:o}=En(s);if(o==="KEY_STALE"){await this._lockedRotate();let c=await this.generateToken(),l=new Headers(t.headers);l.set("X-Proxy-Authorization",`Bearer ${c}`),i=await fetch(r,{...t,headers:l})}}}if(i.status===403){let s=await mi(i);if(s){let o=typeof s.error=="string"?s.error:s.error?.code;if(o==="wrong_proxy"&&s.proxyUrl){let d=s.proxyUrl.replace(/\/$/,""),u=P_(e,d),g=new Headers(t.headers);return g.set("X-Proxy-Authorization",`Bearer ${a}`),fetch(u,{...t,headers:g})}let c=s.approval_url||s.authorizationUrl;if(c){let d=o==="scope_refused",u=s.missing_scopes||s.missingScopes;throw d||o==="insufficient_scope"||o==="permission_denied"||o==="scope_not_approved"||o==="permission_needs_revalidation"?new Tn({message:s.message||"Missing required credentials",actionUrl:c,missingScopes:u}):new hi({message:s.message||"Missing required credentials",actionUrl:c})}let{code:l}=En(s);F_(l)&&U_(i.status,s,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(i.status)){let s=await mi(i);if(s){let{code:o}=En(s);(F_(o)||i.status===402||i.status===423)&&U_(i.status,s,this.getIdentity(),this.serverUrl)}}return i}async info(e){let t=e||this.getIdentity()?.namespace;if(!t)throw new Error("Not registered and no namespace provided");let a=await Qe(this.serverUrl,`/api/v1/namespaces/${t}/info`);if(!a.ok)throw await this._apiError(a);return a.json()}async destroy(){let e=await this.generateToken(),t=await Qe(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!t.ok&&t.status!==204)throw await this._apiError(t);L_(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let t=this.getPrivateKey();if(!t)throw new Error("Private key not found");let a=await gi(e.namespace,e.keyId,t,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${a}`}}whoami(){let e=this.getIdentity();if(!e)return null;let t=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:t,label:e.label,serverUrl:e.serverUrl,actAs:this.getActAs()}}getActAs(){return Cr("BOTPARTY_ACT_AS")||this.getIdentity()?.actAs}setActAs(e){let t=this.getIdentity();if(!t)throw new Error("Not registered");e===void 0?delete t.actAs:t.actAs=e,go(this.stateDir,t)}async listOrgs(){let e=await this.generateToken(),t=await Qe(this.serverUrl,"/api/v1/orgs",{token:e});if(!t.ok)throw new Error(`Failed to list orgs: ${t.status}`);return t.json()}async createOrg(e,t=""){let a=await this.generateToken(),r=await Qe(this.serverUrl,"/api/v1/orgs",{method:"POST",token:a,body:JSON.stringify({name:e,description:t})});if(!r.ok)throw new Error(`Failed to create org: ${r.status}`);return r.json()}async quitOrg(e){let t=await this.generateToken(),a=await Qe(this.serverUrl,`/api/v1/orgs/${e}/quit`,{method:"POST",token:t});if(!a.ok)throw new Error(`Failed to quit org: ${a.status}`)}async createOrgInvite(e,t){let a=await this.generateToken(),r=await Qe(this.serverUrl,`/api/v1/orgs/${e}/invites`,{method:"POST",token:a,body:JSON.stringify(t?{expiresIn:t}:{})});if(!r.ok)throw new Error(`Failed to create org invite: ${r.status}`);return r.json()}async redeemOrgInvite(e){await this.ensureRegistered(),await this.ensureFreshKey();let t=this.getIdentity(),a=this.getPrivateKey(),r=await gi(t.namespace,t.keyId,a,t.algorithm),n=await Qe(this.serverUrl,"/api/v1/orgs/invites/redeem",{method:"POST",token:r,body:JSON.stringify({inviteToken:e})});if(!n.ok)throw new Error(`Failed to redeem org invite: ${n.status}`);return n.json()}async listOrgMembers(e){let t=await this.generateToken(),a=await Qe(this.serverUrl,`/api/v1/orgs/${e}/members`,{token:t});if(!a.ok)throw new Error(`Failed to list org members: ${a.status}`);return a.json()}async removeOrgMember(e,t){let a=await this.generateToken(),r=await Qe(this.serverUrl,`/api/v1/orgs/${e}/members/${t}`,{method:"DELETE",token:a});if(!r.ok)throw new Error(`Failed to remove org member: ${r.status}`)}key(e){return new pN(this,e)}reset(){L_(this.stateDir)}async _apiError(e){let t=await mi(e);if(!t)return new je({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:a,message:r,actionUrl:n}=En(t);return new je({code:a,message:r,statusCode:e.status,actionUrl:n})}},gN=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function F_(e){return gN.has(e.toUpperCase())}function U_(e,t,a,r){let{code:n,message:i,actionUrl:s,extra:o}=En(t),c=a?.namespace||"",l=a?.serverUrl||r;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||e===423?new Ro({message:i||"Namespace is locked",actionUrl:s||`${l}/namespaces/${c}/unlock`,lockedAt:o.lockedAt,reason:o.reason}):n==="PAYMENT_REQUIRED"||e===402?new Ei({message:i,actionUrl:s,amount:o.amount||t.amount,service:o.service||t.service}):n==="LINK_REQUIRED"?new hi({message:i,actionUrl:s||`${l}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||e===403?new Tn({message:i,actionUrl:s,missingScopes:o.missingScopes||o.missing_scopes}):new je({code:n,message:i,statusCode:e,actionUrl:s})}function Cr(e){if(typeof process<"u"&&process.env)return process.env[e]}Yo();import{writeFileSync as bd}from"fs";import{readFileSync as Ri}from"fs";import{basename as YN}from"path";Ci();import{readFileSync as FN,writeFileSync as UN,existsSync as hd,mkdirSync as BN}from"node:fs";import{join as Sd}from"node:path";var Td="auth-capability-cache.json",GN=1440*60*1e3;function zN(e){let t=Sd(e,Td);if(!hd(t))return{};try{return JSON.parse(FN(t,"utf-8"))}catch{return{}}}function HN(e,t){hd(e)||BN(e,{recursive:!0,mode:448}),UN(Sd(e,Td),JSON.stringify(t,null,2))}async function yd(e,t){let a=zN(t),r=a[e];if(r&&Date.now()-r.checkedAt<GN)return r.supportsBotparty;let n=!1;try{let i=new AbortController,s=setTimeout(()=>i.abort(),3e3),o=await fetch(`https://${e}/api/botparty/auth/me`,{method:"HEAD",signal:i.signal});clearTimeout(s),n=o.ok||o.status===401}catch{n=!1}a[e]={supportsBotparty:n,checkedAt:Date.now()};try{HN(t,a)}catch{}return n}function qo(e,t,a,r){let n=(Date.now()-r)/1e3,i=t.headers.get("content-type")||"",s={http_code:t.status,http_connect:0,http_version:"1.1",response_code:t.status,content_type:i,size_download:a,size_header:0,size_request:0,size_upload:0,speed_download:n>0?Math.round(a/n):0,speed_upload:0,time_appconnect:n,time_connect:n,time_namelookup:0,time_pretransfer:n,time_redirect:0,time_starttransfer:n,time_total:n,url_effective:"",num_connects:1,num_redirects:0,redirect_url:"",ssl_verify_result:0,stdout:"-",stderr:"-",exitcode:0,errormsg:"",method:"",scheme:"",filename_effective:"",onerror:"",urlnum:0},o=e;return o=o.replace(/\\n/g,`
164
+ -----END ${t}-----`},K_=async(e,t,a)=>{if(ho(a)){if(a.type!==e)throw new TypeError(`key is not a ${e} key`);return a.export({format:"pem",type:t})}if(!Eo(a))throw new TypeError(q_(a,"CryptoKey","KeyObject"));if(!a.extractable)throw new TypeError("CryptoKey is not extractable");if(a.type!==e)throw new TypeError(`key is not a ${e} key`);return RA(G_(new Uint8Array(await crypto.subtle.exportKey(t,a))),`${e.toUpperCase()} KEY`)},AA=e=>K_("public","spki",e),NA=e=>K_("private","pkcs8",e),co=(e,t)=>{if(e.byteLength!==t.length)return!1;for(let a=0;a<e.byteLength;a++)if(e[a]!==t[a])return!1;return!0},OA=e=>({data:e,pos:0}),hn=e=>{let t=e.data[e.pos++];if(t&128){let a=t&127,r=0;for(let n=0;n<a;n++)r=r<<8|e.data[e.pos++];return r}return t},Sn=(e,t,a)=>{if(e.data[e.pos++]!==t)throw new Error(a)},W_=(e,t)=>{let a=e.data.subarray(e.pos,e.pos+t);return e.pos+=t,a},DA=e=>{Sn(e,6,"Expected algorithm OID");let t=hn(e);return W_(e,t)};function IA(e){Sn(e,48,"Invalid PKCS#8 structure"),hn(e),Sn(e,2,"Expected version field");let t=hn(e);e.pos+=t,Sn(e,48,"Expected algorithm identifier");let a=hn(e);return{algIdStart:e.pos,algIdLength:a}}var kA=e=>{let t=DA(e);if(co(t,[43,101,110]))return"X25519";if(!co(t,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");Sn(e,6,"Expected curve OID");let a=hn(e),r=W_(e,a);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(co(r,i))return n;throw new Error("Unsupported named curve")},vA=async(e,t,a,r)=>{let n,i,s=e==="spki",o=()=>s?["verify"]:["sign"],c=()=>s?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(a){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${a.slice(-3)}`},i=o();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${a.slice(-3)}`},i=o();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(a.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[a]},i=o();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let l=r.getNamedCurve(t);n=l==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:l}}catch{throw new Rt("Invalid or unsupported key format")}i=s?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=o();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:a},i=o();break;default:throw new Rt('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(e,t,n,r?.extractable??!!s,i)},wA=(e,t)=>z_(e.replace(t,"")),xA=(e,t,a)=>{let r=wA(e,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=a;return t?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let s=OA(i);return IA(s),kA(s)}),vA("pkcs8",r,t,n)};async function Q_(e,t,a){if(typeof e!="string"||e.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return xA(e,t,a)}async function MA(e){return AA(e)}async function LA(e){return NA(e)}function PA(e,t,a,r,n){if(n.crit!==void 0&&r?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!r||r.crit===void 0)return new Set;if(!Array.isArray(r.crit)||r.crit.length===0||r.crit.some(s=>typeof s!="string"||s.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;a!==void 0?i=new Map([...Object.entries(a),...t.entries()]):i=t;for(let s of r.crit){if(!i.has(s))throw new Rt(`Extension Header Parameter "${s}" is not recognized`);if(n[s]===void 0)throw new e(`Extension Header Parameter "${s}" is missing`);if(i.get(s)&&r[s]===void 0)throw new e(`Extension Header Parameter "${s}" MUST be integrity protected`)}return new Set(r.crit)}var Rr=e=>e?.[Symbol.toStringTag],mo=(e,t,a)=>{if(t.use!==void 0){let r;switch(a){case"sign":case"verify":r="sig";break;case"encrypt":case"decrypt":r="enc";break}if(t.use!==r)throw new TypeError(`Invalid key for this operation, its "use" must be "${r}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let r;switch(!0){case(a==="sign"||a==="verify"):case e==="dir":case e.includes("CBC-HS"):r=a;break;case e.startsWith("PBES2"):r="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?r=a==="encrypt"?"wrapKey":"unwrapKey":r=a;break;case(a==="encrypt"&&e.startsWith("RSA")):r="wrapKey";break;case a==="decrypt":r=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(r&&t.key_ops?.includes?.(r)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${r}" when present`)}return!0},FA=(e,t,a)=>{if(!(t instanceof Uint8Array)){if(To(t)){if(gA(t)&&mo(e,t,a))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!V_(t))throw new TypeError($_(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${Rr(t)} instances for symmetric algorithms must be of type "secret"`)}},UA=(e,t,a)=>{if(To(t))switch(a){case"decrypt":case"sign":if(pA(t)&&mo(e,t,a))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(mA(t)&&mo(e,t,a))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!V_(t))throw new TypeError($_(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${Rr(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(a){case"sign":throw new TypeError(`${Rr(t)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${Rr(t)} instances for asymmetric algorithm decryption must be of type "private"`)}if(t.type==="private")switch(a){case"verify":throw new TypeError(`${Rr(t)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${Rr(t)} instances for asymmetric algorithm encryption must be of type "public"`)}};function BA(e,t,a){switch(e.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":FA(e,t,a);break;default:UA(e,t,a)}}var Ya=e=>Math.floor(e.getTime()/1e3),j_=60,X_=j_*60,yo=X_*24,GA=yo*7,zA=yo*365.25,HA=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function _o(e){let t=HA.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let a=parseFloat(t[2]),r=t[3].toLowerCase(),n;switch(r){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(a);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(a*j_);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(a*X_);break;case"day":case"days":case"d":n=Math.round(a*yo);break;case"week":case"weeks":case"w":n=Math.round(a*GA);break;default:n=Math.round(a*zA);break}return t[1]==="-"||t[4]==="ago"?-n:n}function qa(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var YA=class{#e;constructor(e){if(!So(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return B_.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=qa("setNotBefore",e):e instanceof Date?this.#e.nbf=qa("setNotBefore",Ya(e)):this.#e.nbf=Ya(new Date)+_o(e)}set exp(e){typeof e=="number"?this.#e.exp=qa("setExpirationTime",e):e instanceof Date?this.#e.exp=qa("setExpirationTime",Ya(e)):this.#e.exp=Ya(new Date)+_o(e)}set iat(e){e===void 0?this.#e.iat=Ya(new Date):e instanceof Date?this.#e.iat=qa("setIssuedAt",Ya(e)):typeof e=="string"?this.#e.iat=qa("setIssuedAt",Ya(new Date)+_o(e)):this.#e.iat=qa("setIssuedAt",e)}},Z_=class{#e;#t;#a;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return v_(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return v_(this.#a,"setUnprotectedHeader"),this.#a=e,this}async sign(e,t){if(!this.#t&&!this.#a)throw new fn("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!uA(this.#t,this.#a))throw new fn("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let a={...this.#t,...this.#a},r=PA(fn,new Map([["b64",!0]]),t?.crit,this.#t,a),n=!0;if(r.has("b64")&&(n=this.#t.b64,typeof n!="boolean"))throw new fn('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=a;if(typeof i!="string"||!i)throw new fn('JWS "alg" (Algorithm) Header Parameter missing or invalid');BA(i,e,"sign");let s,o;n?(s=oo(this.#e),o=so(s)):(o=this.#e,s="");let c,l;this.#t?(c=oo(JSON.stringify(this.#t)),l=so(c)):(c="",l=new Uint8Array);let d=sA(l,so("."),o),u=await CA(e,i),g=await SA(i,u,d),E={signature:oo(g),payload:s};return this.#a&&(E.header=this.#a),this.#t&&(E.protected=c),E}},qA=class{#e;constructor(e){this.#e=new Z_(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,t){let a=await this.#e.sign(e,t);if(a.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${a.protected}.${a.payload}.${a.signature}`}},$A=class{#e;#t;constructor(e={}){this.#t=new YA(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,t){let a=new qA(this.#t.data());if(a.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new Ca("JWTs MUST NOT use unencoded payload");return a.sign(e,t)}};function VA(e){if(typeof e!="string")throw new Ca("JWTs must use Compact JWS serialization, JWT must be a string");let{1:t,length:a}=e.split(".");if(a===5)throw new Ca("Only JWTs using Compact JWS serialization can be decoded");if(a!==3)throw new Ca("Invalid JWT");if(!t)throw new Ca("JWTs must contain a payload");let r;try{r=H_(t)}catch{throw new Ca("Failed to base64url decode the payload")}let n;try{n=JSON.parse(po.decode(r))}catch{throw new Ca("Failed to parse the decoded payload as JSON")}if(!So(n))throw new Ca("Invalid JWT Claims Set");return n}function uo(e){let t=e?.modulusLength??2048;if(typeof t!="number"||t<2048)throw new Rt("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return t}async function KA(e,t){let a,r;switch(e){case"PS256":case"PS384":case"PS512":a={name:"RSA-PSS",hash:`SHA-${e.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:uo(t)},r=["sign","verify"];break;case"RS256":case"RS384":case"RS512":a={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:uo(t)},r=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":a={name:"RSA-OAEP",hash:`SHA-${parseInt(e.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:uo(t)},r=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":a={name:"ECDSA",namedCurve:"P-256"},r=["sign","verify"];break;case"ES384":a={name:"ECDSA",namedCurve:"P-384"},r=["sign","verify"];break;case"ES512":a={name:"ECDSA",namedCurve:"P-521"},r=["sign","verify"];break;case"Ed25519":case"EdDSA":{r=["sign","verify"],a={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{r=["sign","verify"],a={name:e};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{r=["deriveBits"];let n=t?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{a={name:"ECDH",namedCurve:n};break}case"X25519":a={name:"X25519"};break;default:throw new Rt("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new Rt('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(a,t?.extractable??!1,r)}var XA="https://id.botparty.club",ZA="EdDSA",JA=15,x_=6e4,eN=3e4,tN="5m",aN=3,rN=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],nN=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],je=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},Ro=class extends je{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},Ei=class extends je{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},Tn=class extends je{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},hi=class extends je{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function M_(e){let t=td(4);return e[t.readUInt32BE(0)%e.length]}function iN(){return`${M_(rN)}-${M_(nN)}`}function sN(){let e=iN(),t=td(2).toString("hex");return`${e}-${t}`}function oN(){return Ra(jA(),".botparty")}function Ao(e){fi(e)||WA(e,{recursive:!0,mode:448})}function lN(e){let t=Ra(e,"identity.json");if(!fi(t))return null;try{return JSON.parse(J_(t,"utf-8"))}catch{return null}}function go(e,t){Ao(e);let a=Ra(e,"identity.json"),r=a+".tmp";bo(r,JSON.stringify(t,null,2),{mode:384}),ed(r,a)}function cN(e){let t=Ra(e,"private.pem");if(!fi(t))return null;try{return J_(t,"utf-8")}catch{return null}}function ad(e,t){Ao(e);let a=Ra(e,"private.pem"),r=a+".tmp";bo(r,t,{mode:384}),ed(r,a)}function L_(e){for(let t of["identity.json","private.pem"]){let a=Ra(e,t);fi(a)&&Co(a)}}function _N(e){let t=Ra(e,"rotation.lock");Ao(e);for(let a=0;a<2;a++)try{bo(t,`${process.pid}:${Date.now()}`,{flag:"wx",mode:384});return}catch(r){if(r.code!=="EEXIST")throw r;try{let n=QA(t);if(Date.now()-n.mtimeMs>eN){Co(t);continue}}catch{continue}throw r}}function dN(e){try{Co(Ra(e,"rotation.lock"))}catch{}}async function rd(e){let t={extractable:!0};e==="EdDSA"&&(t.crv="Ed25519");let{privateKey:a,publicKey:r}=await KA(e,t),n=await LA(a),i=await MA(r);return{privateKey:a,publicKey:r,privatePem:n,publicPem:i}}async function uN(e,t,a){let r=await Q_(t,a);return(await new Z_(new TextEncoder().encode(e)).setProtectedHeader({alg:a}).sign(r)).signature}async function gi(e,t,a,r,n,i){let s=r,o=await Q_(a,s);return new $A({...n}).setProtectedHeader({alg:s,kid:t}).setIssuer(e).setSubject(i??e).setIssuedAt().setExpirationTime(tN).sign(o)}async function Qe(e,t,a={}){let{token:r,...n}=a,i=new Headers(n.headers);return i.set("Content-Type","application/json"),r&&i.set("Authorization",`Bearer ${r}`),fetch(`${e}${t}`,{...n,headers:i})}function P_(e,t){try{let a=new URL(e),r=new URL(t);return a.hostname===r.hostname&&a.port===r.port&&a.protocol===r.protocol?e:`${t}/${a.hostname}${a.pathname}${a.search}`}catch{return`${t}/${e}`}}async function mi(e){try{return await e.clone().json()}catch{return null}}function En(e){let t=e.error,a,r,n,i={};if(typeof t=="object"&&t!==null){let s=t;a=s.code||"UNKNOWN",r=s.message||e.message||"Request failed",n=s.actionUrl||e.actionUrl||s.payTo||e.payTo,i=s}else a=(typeof t=="string"?t:e.code)||"UNKNOWN",r=e.message||(typeof t=="string"?t:"Request failed"),n=e.actionUrl||e.payTo,i=e;return{code:a.toUpperCase(),message:r,actionUrl:n,extra:i}}var pN=class{constructor(e,t){this.client=e,this.keyId=t}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},mN=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),t=await Qe(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!t.ok)throw await this.client._apiError(t);return(await t.json()).data}async get(e){let t=(await this.list()).find(a=>a.id===e);if(!t)throw new je({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return t}async add(e){let t=await this.client.generateToken(),a=await Qe(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:t,body:JSON.stringify(e)});if(!a.ok)throw await this.client._apiError(a);return a.json()}async update(e,t){let a=await this.client.generateToken(),r=await Qe(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:a,body:JSON.stringify(t)});if(!r.ok)throw await this.client._apiError(r);return r.json()}async delete(e){let t=await this.client.generateToken(),a=await Qe(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:t});if(!a.ok&&a.status!==204)throw await this.client._apiError(a)}async rotate(e){let t=this.client.getIdentity();if(!t)throw new Error("Not registered");let a=this.client.getPrivateKey();if(!a)throw new Error("Private key not found");let r=e||t.keyId;if(r!==t.keyId)throw new je({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let n=await rd(t.algorithm),i=await gi(t.namespace,t.keyId,a,t.algorithm),s=await Qe(t.serverUrl,`/api/v1/namespaces/keys/${r}/rotate`,{method:"POST",token:i,body:JSON.stringify({newPublicKey:n.publicPem})});if(!s.ok)throw await this.client._apiError(s);let o=await s.json();return ad(this.client.stateDir,n.privatePem),go(this.client.stateDir,{...t,rotatedAt:o.rotatedAt}),o}async rotateCurrent(){return this.rotate()}async invalidate(e,t){let a=await this.client.generateToken(),r=await Qe(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:a,body:JSON.stringify({reason:t})});if(!r.ok)throw await this.client._apiError(r)}},nd=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;_rotationPromise=null;constructor(e={}){this.serverUrl=(e.serverUrl||Cr("BOTPARTY_SERVER_URL")||XA).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||Cr("BOTPARTY_PROXY_URL")||Cr("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||Cr("BOTPARTY_STATE_DIR")||oN(),this.algorithm=e.algorithm||ZA,this.rotationTTL=e.rotationTTL||JA,this.inviteToken=e.inviteToken||Cr("BOTPARTY_INVITE_TOKEN"),this.keys=new mN(this)}getIdentity(){return lN(this.stateDir)}getPrivateKey(){return cN(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,t,a){let r=e,n=0,i=a&&"inviteToken"in a?a.inviteToken:this.inviteToken;for(;n<aN;){r||(r=sN());let s=t||r,o=await rd(this.algorithm),c=await Qe(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:r,publicKey:o.publicPem,rotationTTL:this.rotationTTL,...i&&{inviteToken:i}})}),l=await c.json();if(l.status==="already_registered")throw new je({code:"ALREADY_REGISTERED",message:`Namespace "${r}" is already registered`,statusCode:409});if(c.status===409&&!e){r=void 0,n++;continue}if(!c.ok)throw new je({code:l.error||"REGISTRATION_FAILED",message:l.message||l.error||"Registration failed",statusCode:c.status});let d=l.challenge,u=await uN(d,o.privatePem,this.algorithm),g=await Qe(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:r,challenge:d,signature:u})});if(!g.ok)throw await this._apiError(g);let E=await g.json();return ad(this.stateDir,o.privatePem),go(this.stateDir,{serverUrl:this.serverUrl,namespace:r,keyId:E.keyId,algorithm:this.algorithm,rotatedAt:E.rotatedAt,rotationTTL:E.rotationTTL,label:s,...E.parentNamespace&&{parentNamespace:E.parentNamespace},...E.inheritedScopes&&{inheritedScopes:E.inheritedScopes}}),E}throw new je({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;let t=this.inviteToken,a=!1;if(t)try{a=VA(t).typ==="org_invite"}catch{}if(await this.register(void 0,void 0,{inviteToken:a?void 0:t}),!this.getIdentity())throw new Error("Registration succeeded but identity could not be read");if(a&&t)try{let r=await this.redeemOrgInvite(t);r.orgId&&this.setActAs(r.orgId)}catch{}return this.getIdentity()}async ensureFreshKey(){if(this._rotationPromise)return this._rotationPromise;let e=this.getIdentity();if(!e)throw new Error("Not registered");let t=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()>=t-x_)return this._rotationPromise=this._lockedRotate().finally(()=>{this._rotationPromise=null}),this._rotationPromise}async _lockedRotate(){_N(this.stateDir);try{let e=this.getIdentity();if(!e)throw new Error("Not registered");let t=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;if(Date.now()<t-x_)return;await this.keys.rotateCurrent()}finally{dN(this.stateDir)}}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let t=this.getIdentity(),a=this.getPrivateKey(),r=this.getActAs(),n=r??t.namespace,i=r?t.namespace:void 0;return gi(n,t.keyId,a,t.algorithm,e,i)}async fetch(e,t={}){let a=await this.generateToken(),r=P_(e,this.proxyUrl),n=new Headers(t.headers);n.set("X-Proxy-Authorization",`Bearer ${a}`);let i=await fetch(r,{...t,headers:n});if(i.status===401){let s=await mi(i);if(s){let{code:o}=En(s);if(o==="KEY_STALE"){await this._lockedRotate();let c=await this.generateToken(),l=new Headers(t.headers);l.set("X-Proxy-Authorization",`Bearer ${c}`),i=await fetch(r,{...t,headers:l})}}}if(i.status===403){let s=await mi(i);if(s){let o=typeof s.error=="string"?s.error:s.error?.code;if(o==="wrong_proxy"&&s.proxyUrl){let d=s.proxyUrl.replace(/\/$/,""),u=P_(e,d),g=new Headers(t.headers);return g.set("X-Proxy-Authorization",`Bearer ${a}`),fetch(u,{...t,headers:g})}let c=s.approval_url||s.authorizationUrl;if(c){let d=o==="scope_refused",u=s.missing_scopes||s.missingScopes;throw d||o==="insufficient_scope"||o==="permission_denied"||o==="scope_not_approved"||o==="permission_needs_revalidation"?new Tn({message:s.message||"Missing required credentials",actionUrl:c,missingScopes:u}):new hi({message:s.message||"Missing required credentials",actionUrl:c})}let{code:l}=En(s);F_(l)&&U_(i.status,s,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(i.status)){let s=await mi(i);if(s){let{code:o}=En(s);(F_(o)||i.status===402||i.status===423)&&U_(i.status,s,this.getIdentity(),this.serverUrl)}}return i}async info(e){let t=e||this.getIdentity()?.namespace;if(!t)throw new Error("Not registered and no namespace provided");let a=await Qe(this.serverUrl,`/api/v1/namespaces/${t}/info`);if(!a.ok)throw await this._apiError(a);return a.json()}async destroy(){let e=await this.generateToken(),t=await Qe(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!t.ok&&t.status!==204)throw await this._apiError(t);L_(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let t=this.getPrivateKey();if(!t)throw new Error("Private key not found");let a=await gi(e.namespace,e.keyId,t,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${a}`}}whoami(){let e=this.getIdentity();if(!e)return null;let t=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:t,label:e.label,serverUrl:e.serverUrl,actAs:this.getActAs()}}getActAs(){return Cr("BOTPARTY_ACT_AS")||this.getIdentity()?.actAs}setActAs(e){let t=this.getIdentity();if(!t)throw new Error("Not registered");e===void 0?delete t.actAs:t.actAs=e,go(this.stateDir,t)}async listOrgs(){let e=await this.generateToken(),t=await Qe(this.serverUrl,"/api/v1/orgs",{token:e});if(!t.ok)throw new Error(`Failed to list orgs: ${t.status}`);return t.json()}async createOrg(e,t=""){let a=await this.generateToken(),r=await Qe(this.serverUrl,"/api/v1/orgs",{method:"POST",token:a,body:JSON.stringify({name:e,description:t})});if(!r.ok)throw new Error(`Failed to create org: ${r.status}`);return r.json()}async quitOrg(e){let t=await this.generateToken(),a=await Qe(this.serverUrl,`/api/v1/orgs/${e}/quit`,{method:"POST",token:t});if(!a.ok)throw new Error(`Failed to quit org: ${a.status}`)}async createOrgInvite(e,t){let a=await this.generateToken(),r=await Qe(this.serverUrl,`/api/v1/orgs/${e}/invites`,{method:"POST",token:a,body:JSON.stringify(t?{expiresIn:t}:{})});if(!r.ok)throw new Error(`Failed to create org invite: ${r.status}`);return r.json()}async redeemOrgInvite(e){await this.ensureRegistered(),await this.ensureFreshKey();let t=this.getIdentity(),a=this.getPrivateKey(),r=await gi(t.namespace,t.keyId,a,t.algorithm),n=await Qe(this.serverUrl,"/api/v1/orgs/invites/redeem",{method:"POST",token:r,body:JSON.stringify({inviteToken:e})});if(!n.ok)throw new Error(`Failed to redeem org invite: ${n.status}`);return n.json()}async listOrgMembers(e){let t=await this.generateToken(),a=await Qe(this.serverUrl,`/api/v1/orgs/${e}/members`,{token:t});if(!a.ok)throw new Error(`Failed to list org members: ${a.status}`);return a.json()}async removeOrgMember(e,t){let a=await this.generateToken(),r=await Qe(this.serverUrl,`/api/v1/orgs/${e}/members/${t}`,{method:"DELETE",token:a});if(!r.ok)throw new Error(`Failed to remove org member: ${r.status}`)}key(e){return new pN(this,e)}reset(){L_(this.stateDir)}async _apiError(e){let t=await mi(e);if(!t)return new je({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:a,message:r,actionUrl:n}=En(t);return new je({code:a,message:r,statusCode:e.status,actionUrl:n})}},gN=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function F_(e){return gN.has(e.toUpperCase())}function U_(e,t,a,r){let{code:n,message:i,actionUrl:s,extra:o}=En(t),c=a?.namespace||"",l=a?.serverUrl||r;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||e===423?new Ro({message:i||"Namespace is locked",actionUrl:s||`${l}/namespaces/${c}/unlock`,lockedAt:o.lockedAt,reason:o.reason}):n==="PAYMENT_REQUIRED"||e===402?new Ei({message:i,actionUrl:s,amount:o.amount||t.amount,service:o.service||t.service}):n==="LINK_REQUIRED"?new hi({message:i,actionUrl:s||`${l}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||e===403?new Tn({message:i,actionUrl:s,missingScopes:o.missingScopes||o.missing_scopes}):new je({code:n,message:i,statusCode:e,actionUrl:s})}function Cr(e){if(typeof process<"u"&&process.env)return process.env[e]}Yo();import{writeFileSync as bd}from"fs";import{readFileSync as Ri}from"fs";import{basename as YN}from"path";Ci();import{readFileSync as FN,writeFileSync as UN,existsSync as hd,mkdirSync as BN}from"node:fs";import{join as Sd}from"node:path";var Td="auth-capability-cache.json",GN=1440*60*1e3;function zN(e){let t=Sd(e,Td);if(!hd(t))return{};try{return JSON.parse(FN(t,"utf-8"))}catch{return{}}}function HN(e,t){hd(e)||BN(e,{recursive:!0,mode:448}),UN(Sd(e,Td),JSON.stringify(t,null,2))}async function yd(e,t){let a=zN(t),r=a[e];if(r&&Date.now()-r.checkedAt<GN)return r.supportsBotparty;let n=!1;try{let i=new AbortController,s=setTimeout(()=>i.abort(),3e3),o=await fetch(`https://${e}/api/botparty/auth/me`,{method:"HEAD",signal:i.signal});clearTimeout(s),n=o.ok||o.status===401}catch{n=!1}a[e]={supportsBotparty:n,checkedAt:Date.now()};try{HN(t,a)}catch{}return n}function qo(e,t,a,r){let n=(Date.now()-r)/1e3,i=t.headers.get("content-type")||"",s={http_code:t.status,http_connect:0,http_version:"1.1",response_code:t.status,content_type:i,size_download:a,size_header:0,size_request:0,size_upload:0,speed_download:n>0?Math.round(a/n):0,speed_upload:0,time_appconnect:n,time_connect:n,time_namelookup:0,time_pretransfer:n,time_redirect:0,time_starttransfer:n,time_total:n,url_effective:"",num_connects:1,num_redirects:0,redirect_url:"",ssl_verify_result:0,stdout:"-",stderr:"-",exitcode:0,errormsg:"",method:"",scheme:"",filename_effective:"",onerror:"",urlnum:0},o=e;return o=o.replace(/\\n/g,`
165
165
  `),o=o.replace(/\\r/g,"\r"),o=o.replace(/\\t/g," "),o=o.replace(/\\\\/g,"\\"),o=o.replace(/%\{([a-zA-Z_][a-zA-Z0-9_]*)\}/g,(c,l)=>l in s?String(s[l]):c),o}function qN(e,t,a){let r=[],n;try{let i=new URL(t);n=i.pathname+i.search}catch{n=t}r.push(`> ${e} ${n} HTTP/1.1`);try{let i=new URL(t);r.push(`> Host: ${i.host}`)}catch{}for(let[i,s]of Object.entries(a))i.toLowerCase()!=="host"&&r.push(`> ${i}: ${s}`);return r.push(">"),r.join(`
166
166
  `)}function $N(e,t,a){let r=[];return r.push(`< HTTP/1.1 ${e} ${t}`),a.forEach((n,i)=>{r.push(`< ${i}: ${n}`)}),r.push("<"),r.join(`
167
167
  `)}function Cd(e,t,a){let r=[];return r.push(`HTTP/1.1 ${e} ${t}`),a.forEach((n,i)=>{r.push(`${i}: ${n}`)}),r.push(""),r.join(`
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "botparty",
3
- "version": "0.0.62",
3
+ "version": "0.0.63",
4
4
  "description": "CLI for BotParty — federated bot identity, authentication, and payments",
5
5
  "type": "module",
6
6
  "bin": {