crossly.client.auth.service 0.0.1

package/src/signer/jwtSigner.ts

@@ -0,0 +1,49 @@
+import { SignJWT, jwtVerify } from 'jose';
+import type { AccessTokenClaims } from '@textyly/crossly-client-auth-contracts';
+import type { IJwtSigner } from './types.js';
+
+/**
+ * HS256 JWT signer backed by `jose`.
+ *
+ * "Extremely simple" by design: a single shared secret both signs and verifies
+ * tokens. When real identity providers are introduced, swap this for an
+ * RS256/JWKS implementation of {@link IJwtSigner} — nothing else in the service
+ * (or in consumers) changes, because the token shape stays the same.
+ */
+export class JwtSigner implements IJwtSigner {
+    private static readonly algorithm: string = 'HS256';
+    private readonly key: Uint8Array;
+
+    public constructor(secret: string) {
+        this.key = new TextEncoder().encode(secret);
+    }
+
+    public async sign(
+        sub: string,
+        guest: boolean,
+        ttlSeconds: number,
+    ): Promise<{ token: string; expiresAt: number }> {
+        const issuedAt = Math.floor(Date.now() / 1000);
+        const expiresAt = issuedAt + ttlSeconds;
+
+        const token = await new SignJWT({ guest })
+            .setProtectedHeader({ alg: JwtSigner.algorithm })
+            .setSubject(sub)
+            .setIssuedAt(issuedAt)
+            .setExpirationTime(expiresAt)
+            .sign(this.key);
+
+        return { token, expiresAt };
+    }
+
+    public async verify(token: string): Promise<AccessTokenClaims> {
+        const { payload } = await jwtVerify(token, this.key);
+
+        return {
+            sub: payload.sub as string,
+            guest: payload.guest as boolean,
+            iat: payload.iat as number,
+            exp: payload.exp as number,
+        };
+    }
+}

package/src/signer/types.ts

@@ -0,0 +1,14 @@
+import type { AccessTokenClaims } from '@textyly/crossly-client-auth-contracts';
+
+/**
+ * Token signing/verification boundary — the lowest layer of the service
+ * (the auth analogue of a repository). Implementations wrap a concrete JWT
+ * library + key; the rest of the service depends only on this interface.
+ */
+export interface IJwtSigner {
+    /** Sign an access token for `sub`, valid for `ttlSeconds`. Returns the token and its expiry. */
+    sign(sub: string, guest: boolean, ttlSeconds: number): Promise<{ token: string; expiresAt: number }>;
+
+    /** Verify a token and return its claims, or throw if it is invalid or expired. */
+    verify(token: string): Promise<AccessTokenClaims>;
+}

package/tests/integration/auth.api.test.ts

@@ -0,0 +1,212 @@
+import { expect } from 'chai';
+import request from 'supertest';
+import type { MeResponse, SessionResponse } from '@textyly/crossly-client-auth-contracts';
+import { createApp } from '../../src/createApp.js';
+import { JwtSigner } from '../../src/signer/jwtSigner.js';
+import { InMemoryClientRepository } from '../../src/repository/inMemoryClientRepository.js';
+import { NotConfiguredOidcProvider } from '../../src/oidc/notConfiguredOidcProvider.js';
+import { FakeOidcProvider } from './fakeOidcProvider.js';
+import type { AuthConfig } from '../../src/config.js';
+
+// Integration tests drive the full HTTP stack (controller -> manager -> signer/repo)
+// through supertest, using an in-memory repo + a fake OIDC provider so no database
+// or live Google is required. `request.agent(app)` persists cookies between
+// requests, which is how we exercise the httpOnly session/OAuth cookies end-to-end.
+describe('auth API (integration, cookie model)', () => {
+    const signer = new JwtSigner('test-secret');
+    const config: AuthConfig = {
+        cookieSecret: 'test-cookie-secret',
+        uiRedirectUrl: 'http://localhost:5000',
+        corsOrigin: 'http://localhost:5000',
+        secureCookies: false,
+    };
+
+    type Agent = ReturnType<typeof request.agent>;
+
+    let clients: InMemoryClientRepository;
+    let oidc: FakeOidcProvider;
+    let app: ReturnType<typeof createApp>;
+
+    beforeEach(() => {
+        clients = new InMemoryClientRepository();
+        oidc = new FakeOidcProvider({
+            provider: 'google',
+            subject: 'google-test',
+            email: 'test@example.com',
+        });
+        app = createApp({ signer, clients, oidc, config });
+    });
+
+    // Run the OAuth dance on an agent: /login -> read state from the redirect -> /callback.
+    async function login(agent: Agent): Promise<request.Response> {
+        const start = await agent.get('/api/v1/auth/login');
+        const state = new URL(start.headers.location).searchParams.get('state') ?? '';
+        return agent.get(`/api/v1/auth/callback?code=fake-code&state=${encodeURIComponent(state)}`);
+    }
+
+    function sessionCookie(res: request.Response): string | undefined {
+        const set = res.headers['set-cookie'] as unknown as string[] | undefined;
+        return set?.find((cookie) => cookie.startsWith('crossly_session='));
+    }
+
+    it('GET /health returns ok', async () => {
+        const response = await request(app).get('/health');
+        expect(response.status).to.equal(200);
+        expect(response.body).to.deep.equal({ status: 'ok' });
+    });
+
+    it('POST /api/v1/auth/guest sets an httpOnly session cookie and returns a guest summary', async () => {
+        const agent = request.agent(app);
+        const response = await agent.post('/api/v1/auth/guest');
+
+        expect(response.status).to.equal(201);
+        const body = response.body as SessionResponse;
+        expect(body.clientId).to.be.a('string').with.length.greaterThan(0);
+        expect(body.guest).to.equal(true);
+
+        const cookie = sessionCookie(response);
+        expect(cookie, 'session cookie set').to.be.a('string');
+        expect(cookie).to.contain('HttpOnly');
+
+        // The cookie is a valid session: /validate accepts it and reports the same id.
+        const validated = await agent.get('/api/v1/auth/validate');
+        expect(validated.status).to.equal(200);
+        expect(validated.headers['x-client-id']).to.equal(body.clientId);
+        expect(validated.headers['x-guest']).to.equal('true');
+    });
+
+    it('issues a different clientId for each guest', async () => {
+        const first = await request.agent(app).post('/api/v1/auth/guest');
+        const second = await request.agent(app).post('/api/v1/auth/guest');
+        expect(first.body.clientId).to.not.equal(second.body.clientId);
+    });
+
+    it('POST /api/v1/auth/guest is idempotent — a second call returns the same guest (200)', async () => {
+        const agent = request.agent(app);
+        const first = await agent.post('/api/v1/auth/guest');
+        expect(first.status).to.equal(201);
+
+        const second = await agent.post('/api/v1/auth/guest');
+        expect(second.status).to.equal(200);
+        expect((second.body as SessionResponse).clientId).to.equal(first.body.clientId);
+    });
+
+    it('POST /api/v1/auth/guest does not downgrade a logged-in user', async () => {
+        const agent = request.agent(app);
+        await agent.post('/api/v1/auth/guest');
+        await login(agent);
+        const me = (await agent.get('/api/v1/auth/me')).body as MeResponse;
+        expect(me.guest).to.equal(false);
+
+        const response = await agent.post('/api/v1/auth/guest');
+        expect(response.status).to.equal(200);
+        const body = response.body as SessionResponse;
+        expect(body.clientId).to.equal(me.clientId); // same account, not a new guest
+        expect(body.guest).to.equal(false); // still authenticated
+    });
+
+    it('POST /api/v1/auth/refresh rolls the session cookie forward, keeping the clientId', async () => {
+        const agent = request.agent(app);
+        const guest = await agent.post('/api/v1/auth/guest');
+
+        const refreshed = await agent.post('/api/v1/auth/refresh');
+        expect(refreshed.status).to.equal(200);
+        const body = refreshed.body as SessionResponse;
+        expect(body.clientId).to.equal(guest.body.clientId);
+        expect(body.guest).to.equal(true);
+        expect(sessionCookie(refreshed)).to.be.a('string');
+    });
+
+    it('rejects refresh / validate / me with no session cookie (401)', async () => {
+        expect((await request(app).post('/api/v1/auth/refresh')).status).to.equal(401);
+        expect((await request(app).get('/api/v1/auth/validate')).status).to.equal(401);
+        expect((await request(app).get('/api/v1/auth/me')).status).to.equal(401);
+    });
+
+    it('GET /api/v1/auth/login redirects to the provider with state and sets the oauth cookie', async () => {
+        const response = await request(app).get('/api/v1/auth/login');
+
+        expect(response.status).to.equal(302);
+        const location = new URL(response.headers.location);
+        expect(location.host).to.equal('fake-idp.test');
+        expect(location.searchParams.get('state')).to.be.a('string').with.length.greaterThan(0);
+
+        const set = response.headers['set-cookie'] as unknown as string[] | undefined;
+        expect(set?.some((cookie) => cookie.startsWith('crossly_oauth='))).to.equal(true);
+    });
+
+    it('GET /api/v1/auth/callback completes login, sets an authenticated session, and /me reflects it', async () => {
+        const agent = request.agent(app);
+        const callback = await login(agent);
+
+        expect(callback.status).to.equal(302);
+        expect(callback.headers.location).to.equal(config.uiRedirectUrl);
+
+        const me = (await agent.get('/api/v1/auth/me')).body as MeResponse;
+        expect(me.guest).to.equal(false);
+        expect(me.clientId).to.be.a('string').with.length.greaterThan(0);
+        expect(me.email).to.equal('test@example.com');
+    });
+
+    it('rejects a callback whose state does not match the cookie (CSRF) with 400', async () => {
+        const agent = request.agent(app);
+        await agent.get('/api/v1/auth/login'); // sets the oauth cookie with the real state
+
+        const response = await agent.get('/api/v1/auth/callback?code=fake-code&state=tampered');
+        expect(response.status).to.equal(400);
+    });
+
+    it('rejects a callback with no oauth cookie (400)', async () => {
+        const response = await request(app).get('/api/v1/auth/callback?code=fake-code&state=whatever');
+        expect(response.status).to.equal(400);
+    });
+
+    it('promotes the guest in place: after login /me keeps the guest clientId', async () => {
+        const agent = request.agent(app);
+        const guest = await agent.post('/api/v1/auth/guest');
+        const guestClientId = (guest.body as SessionResponse).clientId;
+
+        await login(agent);
+
+        const me = (await agent.get('/api/v1/auth/me')).body as MeResponse;
+        expect(me.clientId).to.equal(guestClientId);
+        expect(me.guest).to.equal(false);
+    });
+
+    it('a returning login on a different device resolves to the same client', async () => {
+        // Device A: guest -> login (promotes), capture the account id.
+        const deviceA = request.agent(app);
+        await deviceA.post('/api/v1/auth/guest');
+        await login(deviceA);
+        const idA = ((await deviceA.get('/api/v1/auth/me')).body as MeResponse).clientId;
+
+        // Device B: fresh agent, no guest -> login with the same identity.
+        const deviceB = request.agent(app);
+        await login(deviceB);
+        const idB = ((await deviceB.get('/api/v1/auth/me')).body as MeResponse).clientId;
+
+        expect(idB).to.equal(idA);
+    });
+
+    it('POST /api/v1/auth/logout clears the session; /me then returns 401', async () => {
+        const agent = request.agent(app);
+        await agent.post('/api/v1/auth/guest');
+
+        const loggedOut = await agent.post('/api/v1/auth/logout');
+        expect(loggedOut.status).to.equal(204);
+
+        expect((await agent.get('/api/v1/auth/me')).status).to.equal(401);
+    });
+
+    it('GET /api/v1/auth/login returns 503 when no provider is configured', async () => {
+        const disabled = createApp({
+            signer,
+            clients: new InMemoryClientRepository(),
+            oidc: new NotConfiguredOidcProvider(),
+            config,
+        });
+
+        const response = await request(disabled).get('/api/v1/auth/login');
+        expect(response.status).to.equal(503);
+    });
+});

package/tests/integration/fakeOidcProvider.ts

@@ -0,0 +1,32 @@
+import type { IOidcProvider, OidcIdentity } from '../../src/oidc/types.js';
+
+/**
+ * Test double for {@link IOidcProvider}. `authorizeUrl` returns a fake provider
+ * URL that echoes the `state` (so tests can read it back from the redirect), and
+ * `exchangeCode` returns a preset identity — letting the login/callback flow be
+ * driven end-to-end with no live provider.
+ */
+export class FakeOidcProvider implements IOidcProvider {
+    public lastState?: string;
+    public lastCodeVerifier?: string;
+
+    public constructor(private identity: OidcIdentity) {}
+
+    /** Change the identity the next `exchangeCode` returns. */
+    public setIdentity(identity: OidcIdentity): void {
+        this.identity = identity;
+    }
+
+    public async authorizeUrl(state: string, codeVerifier: string): Promise<string> {
+        this.lastState = state;
+        this.lastCodeVerifier = codeVerifier;
+        return `https://fake-idp.test/authorize?state=${encodeURIComponent(state)}`;
+    }
+
+    public async exchangeCode(
+        _callbackParams: URLSearchParams,
+        _codeVerifier: string,
+    ): Promise<OidcIdentity> {
+        return this.identity;
+    }
+}

package/tests/unit/authManager.test.ts

@@ -0,0 +1,87 @@
+import { expect } from 'chai';
+import { AuthManager } from '../../src/managers/authManager.js';
+import { JwtSigner } from '../../src/signer/jwtSigner.js';
+import { InMemoryClientRepository } from '../../src/repository/inMemoryClientRepository.js';
+
+describe('AuthManager', () => {
+    const signer = new JwtSigner('test-secret');
+    let manager: AuthManager;
+
+    beforeEach(() => {
+        manager = new AuthManager(signer, new InMemoryClientRepository());
+    });
+
+    it('creates a guest session with a token, clientId and expiry', async () => {
+        const session = await manager.createGuestSession();
+
+        expect(session.token).to.be.a('string').with.length.greaterThan(0);
+        expect(session.clientId).to.be.a('string').with.length.greaterThan(0);
+        expect(session.expiresAt).to.be.a('number');
+    });
+
+    it('issues a token whose subject equals the clientId and is marked guest', async () => {
+        const session = await manager.createGuestSession();
+
+        const claims = await signer.verify(session.token);
+
+        expect(claims.sub).to.equal(session.clientId);
+        expect(claims.guest).to.equal(true);
+    });
+
+    it('issues a session valid for ~1 year', async () => {
+        const before = Math.floor(Date.now() / 1000);
+        const session = await manager.createGuestSession();
+
+        const oneYear = 60 * 60 * 24 * 365;
+        expect(session.expiresAt).to.be.closeTo(before + oneYear, 5);
+    });
+
+    it('gives a different clientId on each call', async () => {
+        const first = await manager.createGuestSession();
+        const second = await manager.createGuestSession();
+
+        expect(first.clientId).to.not.equal(second.clientId);
+    });
+
+    it('refreshes a session, preserving the clientId and guest flag', async () => {
+        const original = await manager.createGuestSession();
+
+        const refreshed = await manager.refreshSession(original.token);
+
+        expect(refreshed.clientId).to.equal(original.clientId);
+        const claims = await signer.verify(refreshed.token);
+        expect(claims.sub).to.equal(original.clientId);
+        expect(claims.guest).to.equal(true);
+    });
+
+    it('rejects refreshing an invalid token', async () => {
+        let threw = false;
+        try {
+            await manager.refreshSession('not-a-jwt');
+        } catch {
+            threw = true;
+        }
+
+        expect(threw).to.equal(true);
+    });
+
+    it('validates a token and returns its claims', async () => {
+        const session = await manager.createGuestSession();
+
+        const claims = await manager.validate(session.token);
+
+        expect(claims.sub).to.equal(session.clientId);
+        expect(claims.guest).to.equal(true);
+    });
+
+    it('rejects validating an invalid token', async () => {
+        let threw = false;
+        try {
+            await manager.validate('not-a-jwt');
+        } catch {
+            threw = true;
+        }
+
+        expect(threw).to.equal(true);
+    });
+});

package/tests/unit/clientRepository.test.ts

@@ -0,0 +1,115 @@
+import { expect } from 'chai';
+import { InMemoryClientRepository } from '../../src/repository/inMemoryClientRepository.js';
+import type { NewClient } from '../../src/repository/types.js';
+
+describe('InMemoryClientRepository', () => {
+    let repository: InMemoryClientRepository;
+
+    const sample: NewClient = {
+        clientId: 'client-1',
+        provider: 'google',
+        providerSubject: 'google-123',
+        email: 'user@example.com',
+    };
+
+    beforeEach(() => {
+        repository = new InMemoryClientRepository();
+    });
+
+    it('creates a client and finds it by provider identity', async () => {
+        const created = await repository.create(sample);
+
+        expect(created.clientId).to.equal('client-1');
+        expect(created.createdAt).to.be.instanceOf(Date);
+        expect(created.lastLoginAt).to.equal(undefined);
+
+        const found = await repository.findByProvider('google', 'google-123');
+        expect(found?.clientId).to.equal('client-1');
+        expect(found?.email).to.equal('user@example.com');
+    });
+
+    it('finds a client by its clientId', async () => {
+        await repository.create(sample);
+
+        const found = await repository.findById('client-1');
+        expect(found?.providerSubject).to.equal('google-123');
+    });
+
+    it('returns undefined for an unknown identity or id', async () => {
+        expect(await repository.findByProvider('google', 'nope')).to.equal(undefined);
+        expect(await repository.findById('nope')).to.equal(undefined);
+    });
+
+    it('rejects a duplicate (provider, subject)', async () => {
+        await repository.create(sample);
+
+        let threw = false;
+        try {
+            await repository.create({
+                clientId: 'client-2',
+                provider: 'google',
+                providerSubject: 'google-123',
+            });
+        } catch {
+            threw = true;
+        }
+
+        expect(threw).to.equal(true);
+    });
+
+    it('rejects a duplicate clientId', async () => {
+        await repository.create(sample);
+
+        let threw = false;
+        try {
+            await repository.create({
+                clientId: 'client-1',
+                provider: 'github',
+                providerSubject: 'github-9',
+            });
+        } catch {
+            threw = true;
+        }
+
+        expect(threw).to.equal(true);
+    });
+
+    it('treats the same subject under different providers as different clients', async () => {
+        await repository.create(sample);
+
+        const other = await repository.create({
+            clientId: 'client-2',
+            provider: 'github',
+            providerSubject: 'google-123',
+        });
+
+        expect(other.clientId).to.equal('client-2');
+        expect((await repository.findByProvider('github', 'google-123'))?.clientId).to.equal(
+            'client-2',
+        );
+        expect((await repository.findByProvider('google', 'google-123'))?.clientId).to.equal(
+            'client-1',
+        );
+    });
+
+    it('sets lastLoginAt on touchLastLogin', async () => {
+        await repository.create(sample);
+        expect((await repository.findById('client-1'))?.lastLoginAt).to.equal(undefined);
+
+        await repository.touchLastLogin('client-1');
+        expect((await repository.findById('client-1'))?.lastLoginAt).to.be.instanceOf(Date);
+    });
+
+    it('touchLastLogin is a no-op for an unknown client', async () => {
+        await repository.touchLastLogin('nope');
+        expect(await repository.findById('nope')).to.equal(undefined);
+    });
+
+    it('does not let callers mutate stored state by reference', async () => {
+        const created = await repository.create(sample);
+        created.email = 'tampered@example.com';
+
+        const found = await repository.findById('client-1');
+        expect(found?.email).to.equal('user@example.com');
+    });
+});

package/tests/unit/jwtSigner.test.ts

@@ -0,0 +1,42 @@
+import { expect } from 'chai';
+import { JwtSigner } from '../../src/signer/jwtSigner.js';
+
+describe('JwtSigner', () => {
+    const signer = new JwtSigner('test-secret');
+
+    it('signs a token and verifies its claims', async () => {
+        const { token, expiresAt } = await signer.sign('client-1', true, 3600);
+
+        const claims = await signer.verify(token);
+
+        expect(claims.sub).to.equal('client-1');
+        expect(claims.guest).to.equal(true);
+        expect(claims.exp).to.equal(expiresAt);
+        expect(claims.iat).to.be.a('number');
+    });
+
+    it('rejects a token signed with a different secret', async () => {
+        const { token } = await signer.sign('client-1', true, 3600);
+        const other = new JwtSigner('different-secret');
+
+        let threw = false;
+        try {
+            await other.verify(token);
+        } catch {
+            threw = true;
+        }
+
+        expect(threw).to.equal(true);
+    });
+
+    it('rejects a malformed token', async () => {
+        let threw = false;
+        try {
+            await signer.verify('not-a-jwt');
+        } catch {
+            threw = true;
+        }
+
+        expect(threw).to.equal(true);
+    });
+});

package/tests/unit/resolveLogin.test.ts

@@ -0,0 +1,86 @@
+import { expect } from 'chai';
+import { AuthManager } from '../../src/managers/authManager.js';
+import { JwtSigner } from '../../src/signer/jwtSigner.js';
+import { InMemoryClientRepository } from '../../src/repository/inMemoryClientRepository.js';
+import type { OidcIdentity } from '../../src/oidc/types.js';
+
+describe('AuthManager.resolveLogin', () => {
+    const signer = new JwtSigner('test-secret');
+    let clients: InMemoryClientRepository;
+    let manager: AuthManager;
+
+    const googleAlice: OidcIdentity = {
+        provider: 'google',
+        subject: 'google-alice',
+        email: 'alice@example.com',
+    };
+
+    beforeEach(() => {
+        clients = new InMemoryClientRepository();
+        manager = new AuthManager(signer, clients);
+    });
+
+    it('creates a brand-new client when there is no guest and no existing identity', async () => {
+        const result = await manager.resolveLogin(googleAlice);
+
+        expect(result.created).to.equal(true);
+        expect(result.promoted).to.equal(false);
+        expect(result.clientId).to.be.a('string').with.length.greaterThan(0);
+
+        const stored = await clients.findByProvider('google', 'google-alice');
+        expect(stored?.clientId).to.equal(result.clientId);
+        expect(stored?.email).to.equal('alice@example.com');
+    });
+
+    it('promotes the guest in place — the account adopts the guest clientId', async () => {
+        const guestId = 'guest-123';
+
+        const result = await manager.resolveLogin(googleAlice, guestId);
+
+        expect(result.promoted).to.equal(true);
+        expect(result.created).to.equal(true);
+        expect(result.clientId).to.equal(guestId);
+
+        const stored = await clients.findByProvider('google', 'google-alice');
+        expect(stored?.clientId).to.equal(guestId);
+    });
+
+    it('returns the existing client on a returning login (no new row, no promotion)', async () => {
+        const first = await manager.resolveLogin(googleAlice, 'guest-abc'); // promote
+        const second = await manager.resolveLogin(googleAlice, 'guest-xyz'); // returning, fresh guest
+
+        expect(second.clientId).to.equal(first.clientId); // same account, not the new guest id
+        expect(second.created).to.equal(false);
+        expect(second.promoted).to.equal(false);
+    });
+
+    it('updates last_login on a returning login', async () => {
+        const { clientId } = await manager.resolveLogin(googleAlice);
+        expect((await clients.findById(clientId))?.lastLoginAt).to.equal(undefined);
+
+        await manager.resolveLogin(googleAlice);
+        expect((await clients.findById(clientId))?.lastLoginAt).to.be.instanceOf(Date);
+    });
+
+    it('treats a different provider with the same subject as a different client', async () => {
+        const google = await manager.resolveLogin({ provider: 'google', subject: 'shared-sub' });
+        const github = await manager.resolveLogin({ provider: 'github', subject: 'shared-sub' });
+
+        expect(github.clientId).to.not.equal(google.clientId);
+    });
+
+    it('never matches on email (same email, different identity → different client)', async () => {
+        const a = await manager.resolveLogin({
+            provider: 'google',
+            subject: 's1',
+            email: 'same@example.com',
+        });
+        const b = await manager.resolveLogin({
+            provider: 'github',
+            subject: 's2',
+            email: 'same@example.com',
+        });
+
+        expect(b.clientId).to.not.equal(a.clientId);
+    });
+});

package/tsconfig.build.json

@@ -0,0 +1,11 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "noEmit": false,
+    "outDir": "./dist",
+    "rootDir": "./src"
+  },
+  "include": [
+    "src/**/*"
+  ]
+}

package/tsconfig.json

@@ -0,0 +1,24 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "paths": {
+      "@textyly/crossly-client-auth-contracts": ["./contracts/dist/index.d.ts"]
+    },
+    "strict": true,
+    "sourceMap": true,
+    "inlineSources": true,
+    "esModuleInterop": true,
+    "noEmit": true
+  },
+  "include": [
+    "src/**/*",
+    "tests/**/*"
+  ],
+  "exclude": [
+    "node_modules",
+    "dist",
+    "dist-tests"
+  ]
+}