dominus-sdk-nodejs 1.1.7 → 1.2.0

package/dist/lib/cache.js

@@ -0,0 +1,237 @@
+/**
+ * Internal cache with automatic encryption and circuit breaker.
+ *
+ * NOT exposed to SDK users - internal use only.
+ */
+import crypto from 'crypto';
+/**
+ * Circuit breaker states.
+ */
+var CircuitState;
+(function (CircuitState) {
+    CircuitState["CLOSED"] = "closed";
+    CircuitState["OPEN"] = "open";
+    CircuitState["HALF_OPEN"] = "half_open";
+})(CircuitState || (CircuitState = {}));
+/**
+ * Simple circuit breaker to prevent runaway retries.
+ *
+ * States:
+ * - CLOSED: Normal operation, requests pass through
+ * - OPEN: Too many failures, requests blocked
+ * - HALF_OPEN: Testing if service recovered
+ *
+ * Prevents CPU/quota exhaustion from retry storms.
+ */
+export class CircuitBreaker {
+    failureThreshold;
+    recoveryTimeout;
+    halfOpenMaxCalls;
+    failureCount = 0;
+    state = CircuitState.CLOSED;
+    lastFailureTime = 0;
+    halfOpenCalls = 0;
+    constructor(failureThreshold = 5, recoveryTimeout = 30000, // 30 seconds in ms
+    halfOpenMaxCalls = 1) {
+        this.failureThreshold = failureThreshold;
+        this.recoveryTimeout = recoveryTimeout;
+        this.halfOpenMaxCalls = halfOpenMaxCalls;
+    }
+    /**
+     * Get current state, transitioning OPEN→HALF_OPEN if timeout elapsed.
+     */
+    getState() {
+        if (this.state === CircuitState.OPEN) {
+            if (Date.now() - this.lastFailureTime >= this.recoveryTimeout) {
+                this.state = CircuitState.HALF_OPEN;
+                this.halfOpenCalls = 0;
+            }
+        }
+        return this.state;
+    }
+    /**
+     * Check if a request can be executed.
+     */
+    canExecute() {
+        const state = this.getState();
+        if (state === CircuitState.CLOSED) {
+            return true;
+        }
+        if (state === CircuitState.HALF_OPEN) {
+            return this.halfOpenCalls < this.halfOpenMaxCalls;
+        }
+        return false; // OPEN
+    }
+    /**
+     * Record a successful call.
+     */
+    recordSuccess() {
+        if (this.state === CircuitState.HALF_OPEN) {
+            this.state = CircuitState.CLOSED;
+        }
+        this.failureCount = 0;
+        this.halfOpenCalls = 0;
+    }
+    /**
+     * Record a failed call.
+     */
+    recordFailure() {
+        this.failureCount++;
+        this.lastFailureTime = Date.now();
+        if (this.state === CircuitState.HALF_OPEN) {
+            // Failed during recovery test, go back to OPEN
+            this.state = CircuitState.OPEN;
+        }
+        else if (this.failureCount >= this.failureThreshold) {
+            this.state = CircuitState.OPEN;
+        }
+    }
+    /**
+     * Record a call attempt in HALF_OPEN state.
+     */
+    recordHalfOpenCall() {
+        this.halfOpenCalls++;
+    }
+    /**
+     * Reset the circuit breaker.
+     */
+    reset() {
+        this.failureCount = 0;
+        this.state = CircuitState.CLOSED;
+        this.lastFailureTime = 0;
+        this.halfOpenCalls = 0;
+    }
+}
+/**
+ * Calculate backoff delay with jitter to prevent thundering herd.
+ *
+ * @param attempt - Zero-based attempt number
+ * @param baseDelay - Base delay in milliseconds
+ * @param maxDelay - Maximum delay cap
+ * @param jitter - Jitter factor (0-1), adds randomness
+ * @returns Delay in milliseconds
+ */
+export function exponentialBackoffWithJitter(attempt, baseDelay = 1000, maxDelay = 30000, jitter = 0.5) {
+    const delay = Math.min(baseDelay * Math.pow(2, attempt), maxDelay);
+    const jitterRange = delay * jitter;
+    return delay + (Math.random() * 2 - 1) * jitterRange;
+}
+/**
+ * Internal process-local cache with auto-encryption.
+ *
+ * Used by dominus services only:
+ * - Validation state
+ * - Service URLs
+ * - API responses
+ *
+ * NOT accessible by SDK users.
+ */
+export class DominusCache {
+    defaultTtl;
+    store = new Map();
+    cipher = null;
+    constructor(defaultTtl = 300000) {
+        this.defaultTtl = defaultTtl;
+    } // 5 minutes in ms
+    /**
+     * Initialize encryption using auth token.
+     */
+    setEncryptionKey(token) {
+        if (!token)
+            return;
+        const key = crypto.createHash('sha256').update(token).digest();
+        this.cipher = { key, algorithm: 'aes-256-gcm' };
+    }
+    /**
+     * Get and decrypt, refresh TTL.
+     */
+    get(key) {
+        const entry = this.store.get(key);
+        if (!entry)
+            return null;
+        // Check expiry
+        if (Date.now() >= entry.expiresAt) {
+            this.store.delete(key);
+            return null;
+        }
+        try {
+            let value;
+            if (this.cipher) {
+                // Decrypt
+                const iv = entry.encryptedValue.subarray(0, 16);
+                const authTag = entry.encryptedValue.subarray(16, 32);
+                const encrypted = entry.encryptedValue.subarray(32);
+                const decipher = crypto.createDecipheriv(this.cipher.algorithm, this.cipher.key, iv);
+                decipher.setAuthTag(authTag);
+                const decrypted = Buffer.concat([
+                    decipher.update(encrypted),
+                    decipher.final(),
+                ]);
+                value = JSON.parse(decrypted.toString('utf8'));
+            }
+            else {
+                value = JSON.parse(entry.encryptedValue.toString('utf8'));
+            }
+            // Touch TTL
+            entry.expiresAt = Date.now() + this.defaultTtl;
+            return value;
+        }
+        catch {
+            this.store.delete(key);
+            return null;
+        }
+    }
+    /**
+     * Encrypt and store.
+     */
+    set(key, value, ttl) {
+        const duration = ttl ?? this.defaultTtl;
+        const plaintext = JSON.stringify(value);
+        let encryptedValue;
+        if (this.cipher) {
+            const iv = crypto.randomBytes(16);
+            const cipher = crypto.createCipheriv(this.cipher.algorithm, this.cipher.key, iv);
+            const encrypted = Buffer.concat([
+                cipher.update(plaintext, 'utf8'),
+                cipher.final(),
+            ]);
+            const authTag = cipher.getAuthTag();
+            encryptedValue = Buffer.concat([iv, authTag, encrypted]);
+        }
+        else {
+            encryptedValue = Buffer.from(plaintext, 'utf8');
+        }
+        this.store.set(key, {
+            encryptedValue,
+            expiresAt: Date.now() + duration,
+        });
+    }
+    /**
+     * Delete key.
+     */
+    delete(key) {
+        return this.store.delete(key);
+    }
+    /**
+     * Clear all.
+     */
+    clear() {
+        const count = this.store.size;
+        this.store.clear();
+        return count;
+    }
+    /**
+     * Get cache size.
+     */
+    size() {
+        return this.store.size;
+    }
+}
+// Internal singletons - NOT exported to users
+export const dominusCache = new DominusCache(300000); // 5 minutes
+// Circuit breakers for different services (prevents retry storms)
+export const orchestratorCircuitBreaker = new CircuitBreaker(5, // Open after 5 consecutive failures
+30000, // Try again after 30 seconds
+1 // Allow 1 test call in half-open state
+);
+//# sourceMappingURL=cache.js.map

package/dist/lib/cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.js","sourceRoot":"","sources":["../../src/lib/cache.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B;;GAEG;AACH,IAAK,YAIJ;AAJD,WAAK,YAAY;IACf,iCAAiB,CAAA;IACjB,6BAAa,CAAA;IACb,uCAAuB,CAAA;AACzB,CAAC,EAJI,YAAY,KAAZ,YAAY,QAIhB;AAED;;;;;;;;;GASG;AACH,MAAM,OAAO,cAAc;IAOf;IACA;IACA;IARF,YAAY,GAAG,CAAC,CAAC;IACjB,KAAK,GAAiB,YAAY,CAAC,MAAM,CAAC;IAC1C,eAAe,GAAG,CAAC,CAAC;IACpB,aAAa,GAAG,CAAC,CAAC;IAE1B,YACU,mBAAmB,CAAC,EACpB,kBAAkB,KAAK,EAAE,mBAAmB;IAC5C,mBAAmB,CAAC;QAFpB,qBAAgB,GAAhB,gBAAgB,CAAI;QACpB,oBAAe,GAAf,eAAe,CAAQ;QACvB,qBAAgB,GAAhB,gBAAgB,CAAI;IAC3B,CAAC;IAEJ;;OAEG;IACH,QAAQ;QACN,IAAI,IAAI,CAAC,KAAK,KAAK,YAAY,CAAC,IAAI,EAAE,CAAC;YACrC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBAC9D,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC,SAAS,CAAC;gBACpC,IAAI,CAAC,aAAa,GAAG,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,UAAU;QACR,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,IAAI,KAAK,KAAK,YAAY,CAAC,MAAM,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,KAAK,KAAK,YAAY,CAAC,SAAS,EAAE,CAAC;YACrC,OAAO,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,gBAAgB,CAAC;QACpD,CAAC;QACD,OAAO,KAAK,CAAC,CAAC,OAAO;IACvB,CAAC;IAED;;OAEG;IACH,aAAa;QACX,IAAI,IAAI,CAAC,KAAK,KAAK,YAAY,CAAC,SAAS,EAAE,CAAC;YAC1C,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC;QACnC,CAAC;QACD,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC;QACtB,IAAI,CAAC,aAAa,GAAG,CAAC,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,aAAa;QACX,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAElC,IAAI,IAAI,CAAC,KAAK,KAAK,YAAY,CAAC,SAAS,EAAE,CAAC;YAC1C,+CAA+C;YAC/C,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC;QACjC,CAAC;aAAM,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtD,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC;QACjC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,kBAAkB;QAChB,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC;QACjC,IAAI,CAAC,eAAe,GAAG,CAAC,CAAC;QACzB,IAAI,CAAC,aAAa,GAAG,CAAC,CAAC;IACzB,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,4BAA4B,CAC1C,OAAe,EACf,SAAS,GAAG,IAAI,EAChB,QAAQ,GAAG,KAAK,EAChB,MAAM,GAAG,GAAG;IAEZ,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;IACnE,MAAM,WAAW,GAAG,KAAK,GAAG,MAAM,CAAC;IACnC,OAAO,KAAK,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,WAAW,CAAC;AACvD,CAAC;AAOD;;;;;;;;;GASG;AACH,MAAM,OAAO,YAAY;IAIH;IAHZ,KAAK,GAAG,IAAI,GAAG,EAAsB,CAAC;IACtC,MAAM,GAA8C,IAAI,CAAC;IAEjE,YAAoB,aAAa,MAAM;QAAnB,eAAU,GAAV,UAAU,CAAS;IAAG,CAAC,CAAC,kBAAkB;IAE9D;;OAEG;IACH,gBAAgB,CAAC,KAAa;QAC5B,IAAI,CAAC,KAAK;YAAE,OAAO;QACnB,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/D,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,GAAG,CAAc,GAAW;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,eAAe;QACf,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,IAAI,KAAQ,CAAC;YAEb,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,UAAU;gBACV,MAAM,EAAE,GAAG,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAChD,MAAM,OAAO,GAAG,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;gBACtD,MAAM,SAAS,GAAG,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;gBAEpD,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CACtC,IAAI,CAAC,MAAM,CAAC,SAAS,EACrB,IAAI,CAAC,MAAM,CAAC,GAAG,EACf,EAAE,CACmB,CAAC;gBACxB,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;gBAE7B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;oBAC9B,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC;oBAC1B,QAAQ,CAAC,KAAK,EAAE;iBACjB,CAAC,CAAC;gBACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5D,CAAC;YAED,YAAY;YACZ,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,CAAC;YAC/C,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,GAAG,CAAc,GAAW,EAAE,KAAQ,EAAE,GAAY;QAClD,MAAM,QAAQ,GAAG,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC;QACxC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAExC,IAAI,cAAsB,CAAC;QAE3B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAClC,IAAI,CAAC,MAAM,CAAC,SAAS,EACrB,IAAI,CAAC,MAAM,CAAC,GAAG,EACf,EAAE,CACiB,CAAC;YAEtB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;gBAC9B,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC;gBAChC,MAAM,CAAC,KAAK,EAAE;aACf,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAEpC,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;QAC3D,CAAC;aAAM,CAAC;YACN,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAClD,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE;YAClB,cAAc;YACd,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ;SACjC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,GAAW;QAChB,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,KAAK;QACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;QAC9B,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,IAAI;QACF,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;CACF;AAED,8CAA8C;AAC9C,MAAM,CAAC,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY;AAElE,kEAAkE;AAClE,MAAM,CAAC,MAAM,0BAA0B,GAAG,IAAI,cAAc,CAC1D,CAAC,EAAM,oCAAoC;AAC3C,KAAK,EAAE,6BAA6B;AACpC,CAAC,CAAM,uCAAuC;CAC/C,CAAC"}

package/dist/lib/crypto.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Cryptographic helpers for password and PSK hashing.
+ *
+ * All hashing is done client-side (in SDK) before sending to Orchestrator.
+ * This ensures passwords/PSKs are never transmitted in plaintext.
+ */
+/**
+ * Hash a password using bcrypt.
+ *
+ * @param password - Raw password string
+ * @returns Bcrypt hash string (includes salt)
+ */
+export declare function hashPassword(password: string): string;
+/**
+ * Verify a password against a bcrypt hash locally.
+ *
+ * This is primarily for testing. In production, verification
+ * happens via the orchestrator's verify endpoints.
+ *
+ * @param password - Raw password to verify
+ * @param passwordHash - Bcrypt hash to compare against
+ * @returns True if password matches hash
+ */
+export declare function verifyPasswordLocal(password: string, passwordHash: string): boolean;
+/**
+ * Hash a PSK (Pre-Shared Key) using bcrypt.
+ *
+ * @param psk - Raw PSK string
+ * @returns Bcrypt hash string (includes salt)
+ */
+export declare function hashPsk(psk: string): string;
+/**
+ * Verify a PSK against a bcrypt hash locally.
+ *
+ * This is primarily for testing. In production, verification
+ * happens via the orchestrator's verify endpoints.
+ *
+ * @param psk - Raw PSK to verify
+ * @param pskHash - Bcrypt hash to compare against
+ * @returns True if PSK matches hash
+ */
+export declare function verifyPskLocal(psk: string, pskHash: string): boolean;
+/**
+ * Generate a random PSK locally.
+ *
+ * Note: In production, prefer using the orchestrator's PSK generation
+ * for centralized PSK management. This is a fallback.
+ *
+ * @param length - Length of PSK to generate (default: 32)
+ * @returns Random PSK string
+ */
+export declare function generatePskLocal(length?: number): string;
+/**
+ * Hash a token using SHA-256.
+ *
+ * Used for refresh tokens where we need fast comparison
+ * and don't need the security properties of bcrypt.
+ *
+ * @param token - Raw token string
+ * @returns SHA-256 hex digest
+ */
+export declare function hashToken(token: string): string;
+/**
+ * Generate a random token string.
+ *
+ * @param length - Length of token to generate (default: 64)
+ * @returns Random URL-safe token string
+ */
+export declare function generateToken(length?: number): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/lib/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/lib/crypto.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAGrD;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAEnF;AAED;;;;;GAKG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAG3C;AAED;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAEpE;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,SAAK,GAAG,MAAM,CAQpD;AAED;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,MAAM,SAAK,GAAG,MAAM,CAEjD"}

package/dist/lib/crypto.js

@@ -0,0 +1,95 @@
+/**
+ * Cryptographic helpers for password and PSK hashing.
+ *
+ * All hashing is done client-side (in SDK) before sending to Orchestrator.
+ * This ensures passwords/PSKs are never transmitted in plaintext.
+ */
+import bcrypt from 'bcryptjs';
+import crypto from 'crypto';
+const BCRYPT_ROUNDS = 12;
+/**
+ * Hash a password using bcrypt.
+ *
+ * @param password - Raw password string
+ * @returns Bcrypt hash string (includes salt)
+ */
+export function hashPassword(password) {
+    const salt = bcrypt.genSaltSync(BCRYPT_ROUNDS);
+    return bcrypt.hashSync(password, salt);
+}
+/**
+ * Verify a password against a bcrypt hash locally.
+ *
+ * This is primarily for testing. In production, verification
+ * happens via the orchestrator's verify endpoints.
+ *
+ * @param password - Raw password to verify
+ * @param passwordHash - Bcrypt hash to compare against
+ * @returns True if password matches hash
+ */
+export function verifyPasswordLocal(password, passwordHash) {
+    return bcrypt.compareSync(password, passwordHash);
+}
+/**
+ * Hash a PSK (Pre-Shared Key) using bcrypt.
+ *
+ * @param psk - Raw PSK string
+ * @returns Bcrypt hash string (includes salt)
+ */
+export function hashPsk(psk) {
+    const salt = bcrypt.genSaltSync(BCRYPT_ROUNDS);
+    return bcrypt.hashSync(psk, salt);
+}
+/**
+ * Verify a PSK against a bcrypt hash locally.
+ *
+ * This is primarily for testing. In production, verification
+ * happens via the orchestrator's verify endpoints.
+ *
+ * @param psk - Raw PSK to verify
+ * @param pskHash - Bcrypt hash to compare against
+ * @returns True if PSK matches hash
+ */
+export function verifyPskLocal(psk, pskHash) {
+    return bcrypt.compareSync(psk, pskHash);
+}
+/**
+ * Generate a random PSK locally.
+ *
+ * Note: In production, prefer using the orchestrator's PSK generation
+ * for centralized PSK management. This is a fallback.
+ *
+ * @param length - Length of PSK to generate (default: 32)
+ * @returns Random PSK string
+ */
+export function generatePskLocal(length = 32) {
+    const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*';
+    let result = '';
+    const randomBytes = crypto.randomBytes(length);
+    for (let i = 0; i < length; i++) {
+        result += alphabet[randomBytes[i] % alphabet.length];
+    }
+    return result;
+}
+/**
+ * Hash a token using SHA-256.
+ *
+ * Used for refresh tokens where we need fast comparison
+ * and don't need the security properties of bcrypt.
+ *
+ * @param token - Raw token string
+ * @returns SHA-256 hex digest
+ */
+export function hashToken(token) {
+    return crypto.createHash('sha256').update(token).digest('hex');
+}
+/**
+ * Generate a random token string.
+ *
+ * @param length - Length of token to generate (default: 64)
+ * @returns Random URL-safe token string
+ */
+export function generateToken(length = 64) {
+    return crypto.randomBytes(length).toString('base64url');
+}
+//# sourceMappingURL=crypto.js.map

package/dist/lib/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/lib/crypto.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,MAAM,MAAM,UAAU,CAAC;AAC9B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,MAAM,aAAa,GAAG,EAAE,CAAC;AAEzB;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,QAAgB;IAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IAC/C,OAAO,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;AACzC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,YAAoB;IACxE,OAAO,MAAM,CAAC,WAAW,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;AACpD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,OAAO,CAAC,GAAW;IACjC,MAAM,IAAI,GAAG,MAAM,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IAC/C,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AACpC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW,EAAE,OAAe;IACzD,OAAO,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAM,GAAG,EAAE;IAC1C,MAAM,QAAQ,GAAG,wEAAwE,CAAC;IAC1F,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IAC/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACjE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,MAAM,GAAG,EAAE;IACvC,OAAO,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC1D,CAAC"}

package/dist/namespaces/auth.d.ts

@@ -6,60 +6,204 @@
 import type { DominusClient } from '../lib/client.js';
 export declare class AuthNamespace {
     private client;
+    private _publicKeyCache;
     constructor(client: DominusClient);
-    getUser(userId: string): Promise<Record<string, unknown>>;
-    listUsers(): Promise<Array<Record<string, unknown>>>;
-    addUser(params: {
+    createUser(params: {
         username: string;
+        email: string;
         password: string;
+        status?: string;
+    }): Promise<Record<string, unknown>>;
+    getUser(userId: string): Promise<Record<string, unknown>>;
+    listUsers(params?: {
+        status?: string;
+        limit?: number;
+        offset?: number;
+        orderBy?: string;
+        orderDesc?: boolean;
+    }): Promise<Record<string, unknown>>;
+    updateUser(userId: string, data: {
+        username?: string;
         email?: string;
-        roleId?: string;
+        status?: string;
     }): Promise<Record<string, unknown>>;
-    updateUser(userId: string, data: Record<string, unknown>): Promise<Record<string, unknown>>;
     deleteUser(userId: string): Promise<Record<string, unknown>>;
-    getRole(roleId: string): Promise<Record<string, unknown>>;
-    listRoles(): Promise<Array<Record<string, unknown>>>;
-    addRole(params: {
+    updatePassword(userId: string, password: string): Promise<Record<string, unknown>>;
+    verifyPassword(userId: string, password: string): Promise<Record<string, unknown>>;
+    getUserRoles(userId: string): Promise<Array<Record<string, unknown>>>;
+    addUserRoles(userId: string, roleIds: string[]): Promise<Record<string, unknown>>;
+    removeUserRoles(userId: string, roleIds: string[]): Promise<Record<string, unknown>>;
+    getUserScopes(userId: string): Promise<Array<Record<string, unknown>>>;
+    addUserScopes(userId: string, scopeIds: string[]): Promise<Record<string, unknown>>;
+    removeUserScopes(userId: string, scopeIds: string[]): Promise<Record<string, unknown>>;
+    getUserTenants(userId: string): Promise<Array<Record<string, unknown>>>;
+    addUserTenants(userId: string, tenantIds: string[]): Promise<Record<string, unknown>>;
+    removeUserTenants(userId: string, tenantIds: string[]): Promise<Record<string, unknown>>;
+    getUserSubtypes(userId: string): Promise<Array<Record<string, unknown>>>;
+    addUserSubtypes(userId: string, subtypeIds: string[]): Promise<Record<string, unknown>>;
+    removeUserSubtypes(userId: string, subtypeIds: string[]): Promise<Record<string, unknown>>;
+    createRole(params: {
         name: string;
-        scopeSlugs?: string[];
         description?: string;
     }): Promise<Record<string, unknown>>;
-    updateRole(roleId: string, data: Record<string, unknown>): Promise<Record<string, unknown>>;
+    getRole(roleId: string): Promise<Record<string, unknown>>;
+    listRoles(params?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<Record<string, unknown>>;
+    updateRole(roleId: string, data: {
+        name?: string;
+        description?: string;
+    }): Promise<Record<string, unknown>>;
     deleteRole(roleId: string): Promise<Record<string, unknown>>;
-    getScope(scopeId: string): Promise<Record<string, unknown>>;
-    listScopes(): Promise<Array<Record<string, unknown>>>;
-    addScope(params: {
+    getRoleScopes(roleId: string): Promise<Array<Record<string, unknown>>>;
+    addRoleScopes(roleId: string, scopeIds: string[]): Promise<Record<string, unknown>>;
+    removeRoleScopes(roleId: string, scopeIds: string[]): Promise<Record<string, unknown>>;
+    createScope(params: {
         slug: string;
         displayName: string;
         description?: string;
     }): Promise<Record<string, unknown>>;
-    updateScope(scopeId: string, data: Record<string, unknown>): Promise<Record<string, unknown>>;
+    getScope(scopeId: string): Promise<Record<string, unknown>>;
+    listScopes(params?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<Record<string, unknown>>;
+    updateScope(scopeId: string, data: {
+        slug?: string;
+        displayName?: string;
+        description?: string;
+    }): Promise<Record<string, unknown>>;
     deleteScope(scopeId: string): Promise<Record<string, unknown>>;
-    getClient(clientId: string): Promise<Record<string, unknown>>;
-    listClients(): Promise<Array<Record<string, unknown>>>;
-    addClient(params: {
+    createClient(params: {
         label: string;
-        roleId?: string;
+        description?: string;
+    }): Promise<Record<string, unknown>>;
+    getClient(clientId: string): Promise<Record<string, unknown>>;
+    listClients(params?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<Record<string, unknown>>;
+    updateClient(clientId: string, data: {
+        label?: string;
+        description?: string;
+        status?: string;
     }): Promise<Record<string, unknown>>;
     deleteClient(clientId: string): Promise<Record<string, unknown>>;
-    getTenant(tenantId: string): Promise<Record<string, unknown>>;
-    listTenants(): Promise<Array<Record<string, unknown>>>;
-    addTenant(params: {
+    regeneratePsk(clientId: string): Promise<Record<string, unknown>>;
+    verifyPsk(clientId: string, psk: string): Promise<Record<string, unknown>>;
+    getClientTenants(clientId: string): Promise<Array<Record<string, unknown>>>;
+    addClientTenants(clientId: string, tenantIds: string[]): Promise<Record<string, unknown>>;
+    removeClientTenants(clientId: string, tenantIds: string[]): Promise<Record<string, unknown>>;
+    createTenant(params: {
         name: string;
         slug: string;
         categoryId?: string;
+        displayName?: string;
+        description?: string;
+    }): Promise<Record<string, unknown>>;
+    getTenant(tenantId: string): Promise<Record<string, unknown>>;
+    listTenants(params?: {
+        status?: string;
+        categoryId?: string;
+        limit?: number;
+        offset?: number;
+    }): Promise<Record<string, unknown>>;
+    updateTenant(tenantId: string, data: {
+        name?: string;
+        displayName?: string;
+        status?: string;
     }): Promise<Record<string, unknown>>;
-    updateTenant(tenantId: string, data: Record<string, unknown>): Promise<Record<string, unknown>>;
     deleteTenant(tenantId: string): Promise<Record<string, unknown>>;
+    createTenantCategory(params: {
+        name: string;
+        slug: string;
+        description?: string;
+        color?: string;
+    }): Promise<Record<string, unknown>>;
     getTenantCategory(categoryId: string): Promise<Record<string, unknown>>;
-    listTenantCategories(): Promise<Array<Record<string, unknown>>>;
-    listPages(): Promise<Array<Record<string, unknown>>>;
-    listNavigation(): Promise<Array<Record<string, unknown>>>;
-    listSecureTables(): Promise<Array<Record<string, unknown>>>;
-    addSecureTable(params: {
-        schema: string;
+    listTenantCategories(params?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<Record<string, unknown>>;
+    updateTenantCategory(categoryId: string, data: {
+        name?: string;
+        description?: string;
+        color?: string;
+    }): Promise<Record<string, unknown>>;
+    deleteTenantCategory(categoryId: string): Promise<Record<string, unknown>>;
+    createSubtype(params: {
+        name: string;
+        slug: string;
+        description?: string;
+    }): Promise<Record<string, unknown>>;
+    getSubtype(subtypeId: string): Promise<Record<string, unknown>>;
+    listSubtypes(params?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<Record<string, unknown>>;
+    updateSubtype(subtypeId: string, data: {
+        name?: string;
+        description?: string;
+    }): Promise<Record<string, unknown>>;
+    deleteSubtype(subtypeId: string): Promise<Record<string, unknown>>;
+    createPage(params: {
+        path: string;
+        name: string;
+        description?: string;
+        isActive?: boolean;
+    }): Promise<Record<string, unknown>>;
+    getPage(pageId: string): Promise<Record<string, unknown>>;
+    listPages(params?: {
+        isActive?: boolean;
+        limit?: number;
+        offset?: number;
+    }): Promise<Record<string, unknown>>;
+    updatePage(pageId: string, data: {
+        path?: string;
+        name?: string;
+        description?: string;
+        isActive?: boolean;
+    }): Promise<Record<string, unknown>>;
+    deletePage(pageId: string): Promise<Record<string, unknown>>;
+    getPageTenants(pageId: string): Promise<Array<Record<string, unknown>>>;
+    addPageTenants(pageId: string, tenantIds: string[]): Promise<Record<string, unknown>>;
+    removePageTenants(pageId: string, tenantIds: string[]): Promise<Record<string, unknown>>;
+    createNavItem(params: {
+        title: string;
+        icon?: string;
+        pageId?: string;
+        parentId?: string;
+        sortOrder?: number;
+    }): Promise<Record<string, unknown>>;
+    getNavItem(navId: string): Promise<Record<string, unknown>>;
+    listNavItems(params?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<Record<string, unknown>>;
+    updateNavItem(navId: string, data: {
+        title?: string;
+        icon?: string;
+        sortOrder?: number;
+    }): Promise<Record<string, unknown>>;
+    deleteNavItem(navId: string): Promise<Record<string, unknown>>;
+    getNavTenants(navId: string): Promise<Array<Record<string, unknown>>>;
+    addNavTenants(navId: string, tenantIds: string[]): Promise<Record<string, unknown>>;
+    removeNavTenants(navId: string, tenantIds: string[]): Promise<Record<string, unknown>>;
+    createSecureTable(params: {
         tableName: string;
+        schemaName?: string;
+    }): Promise<Record<string, unknown>>;
+    getSecureTable(secureTableId: string): Promise<Record<string, unknown>>;
+    listSecureTables(params?: {
+        limit?: number;
+        offset?: number;
     }): Promise<Record<string, unknown>>;
-    deleteSecureTable(tableId: string): Promise<Record<string, unknown>>;
+    deleteSecureTable(secureTableId: string): Promise<Record<string, unknown>>;
+    getSecureTableScopes(secureTableId: string): Promise<Array<Record<string, unknown>>>;
+    addSecureTableScopes(secureTableId: string, scopeIds: string[]): Promise<Record<string, unknown>>;
+    removeSecureTableScopes(secureTableId: string, scopeIds: string[]): Promise<Record<string, unknown>>;
+    getJwks(): Promise<Record<string, unknown>>;
+    validateJwt(token: string): Promise<Record<string, unknown>>;
 }
 //# sourceMappingURL=auth.d.ts.map