npm - gazetta - Versions diffs - 0.6.0 → 0.8.0 - Mend

gazetta 0.6.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (983) hide show

package/admin-dist/assets/index-CBeq0rRb.js +693 -0
package/admin-dist/assets/index-Dtg1dTZQ.css +1 -0
package/admin-dist/assets/rolldown-runtime-BYbx6iT9.js +1 -0
package/admin-dist/assets/{vendor-primevue-C0Q_YTCb.js → vendor-primevue-CBGHkaXv.js} +183 -39
package/admin-dist/assets/{vendor-react-BipDVGow.js → vendor-react-BdW_kNCG.js} +2 -2
package/admin-dist/assets/vendor-rjsf-lN2SztQt.js +33 -0
package/admin-dist/assets/vendor-tiptap-C36yDquB.js +141 -0
package/admin-dist/assets/vendor-vue-Bt5uR1VW.js +1 -0
package/admin-dist/assets/workbox-window.prod.es5-DGMtIXHc.js +2 -0
package/admin-dist/index.html +8 -8
package/admin-dist/sw.js +1 -0
package/dist/admin-api/archived-name-conflict.d.ts +31 -0
package/dist/admin-api/archived-name-conflict.d.ts.map +1 -0
package/dist/admin-api/archived-name-conflict.js +226 -0
package/dist/admin-api/archived-name-conflict.js.map +1 -0
package/dist/admin-api/cache-stats-logger.d.ts +83 -0
package/dist/admin-api/cache-stats-logger.d.ts.map +1 -0
package/dist/admin-api/cache-stats-logger.js +59 -0
package/dist/admin-api/cache-stats-logger.js.map +1 -0
package/dist/admin-api/error-response.d.ts +21 -0
package/dist/admin-api/error-response.d.ts.map +1 -0
package/dist/admin-api/error-response.js +12 -0
package/dist/admin-api/error-response.js.map +1 -0
package/dist/admin-api/hook-audit-emitter.d.ts +38 -0
package/dist/admin-api/hook-audit-emitter.d.ts.map +1 -0
package/dist/admin-api/hook-audit-emitter.js +21 -0
package/dist/admin-api/hook-audit-emitter.js.map +1 -0
package/dist/admin-api/index.d.ts +84 -2
package/dist/admin-api/index.d.ts.map +1 -1
package/dist/admin-api/index.js +257 -32
package/dist/admin-api/index.js.map +1 -1
package/dist/admin-api/middleware/audit.d.ts +25 -0
package/dist/admin-api/middleware/audit.d.ts.map +1 -0
package/dist/admin-api/middleware/audit.js +65 -0
package/dist/admin-api/middleware/audit.js.map +1 -0
package/dist/admin-api/middleware/capability.d.ts +8 -0
package/dist/admin-api/middleware/capability.d.ts.map +1 -0
package/dist/admin-api/middleware/capability.js +65 -0
package/dist/admin-api/middleware/capability.js.map +1 -0
package/dist/admin-api/middleware/principal.d.ts +18 -0
package/dist/admin-api/middleware/principal.d.ts.map +1 -0
package/dist/admin-api/middleware/principal.js +128 -0
package/dist/admin-api/middleware/principal.js.map +1 -0
package/dist/admin-api/routes/archive-review.d.ts +80 -0
package/dist/admin-api/routes/archive-review.d.ts.map +1 -0
package/dist/admin-api/routes/archive-review.js +70 -0
package/dist/admin-api/routes/archive-review.js.map +1 -0
package/dist/admin-api/routes/archive.d.ts +145 -0
package/dist/admin-api/routes/archive.d.ts.map +1 -0
package/dist/admin-api/routes/archive.js +540 -0
package/dist/admin-api/routes/archive.js.map +1 -0
package/dist/admin-api/routes/assets.d.ts +21 -0
package/dist/admin-api/routes/assets.d.ts.map +1 -0
package/dist/admin-api/routes/assets.js +586 -0
package/dist/admin-api/routes/assets.js.map +1 -0
package/dist/admin-api/routes/audit.d.ts +71 -0
package/dist/admin-api/routes/audit.d.ts.map +1 -0
package/dist/admin-api/routes/audit.js +178 -0
package/dist/admin-api/routes/audit.js.map +1 -0
package/dist/admin-api/routes/compare.d.ts.map +1 -1
package/dist/admin-api/routes/compare.js +3 -2
package/dist/admin-api/routes/compare.js.map +1 -1
package/dist/admin-api/routes/fields.d.ts.map +1 -1
package/dist/admin-api/routes/fields.js +2 -1
package/dist/admin-api/routes/fields.js.map +1 -1
package/dist/admin-api/routes/fragments.d.ts +13 -1
package/dist/admin-api/routes/fragments.d.ts.map +1 -1
package/dist/admin-api/routes/fragments.js +128 -67
package/dist/admin-api/routes/fragments.js.map +1 -1
package/dist/admin-api/routes/health.d.ts +60 -0
package/dist/admin-api/routes/health.d.ts.map +1 -0
package/dist/admin-api/routes/health.js +65 -0
package/dist/admin-api/routes/health.js.map +1 -0
package/dist/admin-api/routes/history.d.ts +2 -1
package/dist/admin-api/routes/history.d.ts.map +1 -1
package/dist/admin-api/routes/history.js +26 -4
package/dist/admin-api/routes/history.js.map +1 -1
package/dist/admin-api/routes/pages.d.ts +20 -1
package/dist/admin-api/routes/pages.d.ts.map +1 -1
package/dist/admin-api/routes/pages.js +158 -85
package/dist/admin-api/routes/pages.js.map +1 -1
package/dist/admin-api/routes/preview.d.ts.map +1 -1
package/dist/admin-api/routes/preview.js +56 -17
package/dist/admin-api/routes/preview.js.map +1 -1
package/dist/admin-api/routes/publish.d.ts +19 -1
package/dist/admin-api/routes/publish.d.ts.map +1 -1
package/dist/admin-api/routes/publish.js +548 -99
package/dist/admin-api/routes/publish.js.map +1 -1
package/dist/admin-api/routes/rename.d.ts +62 -0
package/dist/admin-api/routes/rename.d.ts.map +1 -0
package/dist/admin-api/routes/rename.js +366 -0
package/dist/admin-api/routes/rename.js.map +1 -0
package/dist/admin-api/routes/site.d.ts.map +1 -1
package/dist/admin-api/routes/site.js +6 -18
package/dist/admin-api/routes/site.js.map +1 -1
package/dist/admin-api/routes/system.d.ts +23 -0
package/dist/admin-api/routes/system.d.ts.map +1 -0
package/dist/admin-api/routes/system.js +115 -0
package/dist/admin-api/routes/system.js.map +1 -0
package/dist/admin-api/routes/templates.d.ts +11 -1
package/dist/admin-api/routes/templates.d.ts.map +1 -1
package/dist/admin-api/routes/templates.js +36 -3
package/dist/admin-api/routes/templates.js.map +1 -1
package/dist/admin-api/routes/validation.d.ts +47 -0
package/dist/admin-api/routes/validation.d.ts.map +1 -0
package/dist/admin-api/routes/validation.js +120 -0
package/dist/admin-api/routes/validation.js.map +1 -0
package/dist/admin-api/schemas/archive.d.ts +124 -0
package/dist/admin-api/schemas/archive.d.ts.map +1 -0
package/dist/admin-api/schemas/archive.js +93 -0
package/dist/admin-api/schemas/archive.js.map +1 -0
package/dist/admin-api/schemas/assets.d.ts +64 -0
package/dist/admin-api/schemas/assets.d.ts.map +1 -0
package/dist/admin-api/schemas/assets.js +59 -0
package/dist/admin-api/schemas/assets.js.map +1 -0
package/dist/admin-api/schemas/audit.d.ts +175 -0
package/dist/admin-api/schemas/audit.d.ts.map +1 -0
package/dist/admin-api/schemas/audit.js +91 -0
package/dist/admin-api/schemas/audit.js.map +1 -0
package/dist/admin-api/schemas/error.d.ts +94 -0
package/dist/admin-api/schemas/error.d.ts.map +1 -0
package/dist/admin-api/schemas/error.js +79 -0
package/dist/admin-api/schemas/error.js.map +1 -0
package/dist/admin-api/schemas/fragments.d.ts +2 -0
package/dist/admin-api/schemas/fragments.d.ts.map +1 -1
package/dist/admin-api/schemas/fragments.js +4 -0
package/dist/admin-api/schemas/fragments.js.map +1 -1
package/dist/admin-api/schemas/index.d.ts +10 -0
package/dist/admin-api/schemas/index.d.ts.map +1 -1
package/dist/admin-api/schemas/index.js +10 -0
package/dist/admin-api/schemas/index.js.map +1 -1
package/dist/admin-api/schemas/pages.d.ts +2 -0
package/dist/admin-api/schemas/pages.d.ts.map +1 -1
package/dist/admin-api/schemas/pages.js +11 -0
package/dist/admin-api/schemas/pages.js.map +1 -1
package/dist/admin-api/schemas/rename.d.ts +77 -0
package/dist/admin-api/schemas/rename.d.ts.map +1 -0
package/dist/admin-api/schemas/rename.js +75 -0
package/dist/admin-api/schemas/rename.js.map +1 -0
package/dist/admin-api/schemas/site.d.ts +3 -2
package/dist/admin-api/schemas/site.d.ts.map +1 -1
package/dist/admin-api/schemas/site.js +3 -2
package/dist/admin-api/schemas/site.js.map +1 -1
package/dist/admin-api/schemas/system.d.ts +28 -0
package/dist/admin-api/schemas/system.d.ts.map +1 -0
package/dist/admin-api/schemas/system.js +35 -0
package/dist/admin-api/schemas/system.js.map +1 -0
package/dist/admin-api/schemas/targets.d.ts +55 -0
package/dist/admin-api/schemas/targets.d.ts.map +1 -1
package/dist/admin-api/schemas/targets.js +46 -0
package/dist/admin-api/schemas/targets.js.map +1 -1
package/dist/admin-api/schemas/templates.d.ts +54 -0
package/dist/admin-api/schemas/templates.d.ts.map +1 -1
package/dist/admin-api/schemas/templates.js +21 -0
package/dist/admin-api/schemas/templates.js.map +1 -1
package/dist/admin-api/schemas/validation.d.ts +101 -0
package/dist/admin-api/schemas/validation.d.ts.map +1 -0
package/dist/admin-api/schemas/validation.js +57 -0
package/dist/admin-api/schemas/validation.js.map +1 -0
package/dist/admin-api/source-context.d.ts +66 -17
package/dist/admin-api/source-context.d.ts.map +1 -1
package/dist/admin-api/source-context.js +43 -8
package/dist/admin-api/source-context.js.map +1 -1
package/dist/ai/adapter-scaffold.d.ts +63 -0
package/dist/ai/adapter-scaffold.d.ts.map +1 -0
package/dist/ai/adapter-scaffold.js +89 -0
package/dist/ai/adapter-scaffold.js.map +1 -0
package/dist/ai/compose-prompt.d.ts +50 -0
package/dist/ai/compose-prompt.d.ts.map +1 -0
package/dist/ai/compose-prompt.js +49 -0
package/dist/ai/compose-prompt.js.map +1 -0
package/dist/ai/errors.d.ts +65 -0
package/dist/ai/errors.d.ts.map +1 -0
package/dist/ai/errors.js +59 -0
package/dist/ai/errors.js.map +1 -0
package/dist/ai/index.d.ts +17 -0
package/dist/ai/index.d.ts.map +1 -0
package/dist/ai/index.js +16 -0
package/dist/ai/index.js.map +1 -0
package/dist/ai/provider.d.ts +76 -0
package/dist/ai/provider.d.ts.map +1 -0
package/dist/ai/provider.js +13 -0
package/dist/ai/provider.js.map +1 -0
package/dist/ai/refusal.d.ts +50 -0
package/dist/ai/refusal.d.ts.map +1 -0
package/dist/ai/refusal.js +100 -0
package/dist/ai/refusal.js.map +1 -0
package/dist/ai/vision-prep.d.ts +32 -0
package/dist/ai/vision-prep.d.ts.map +1 -0
package/dist/ai/vision-prep.js +113 -0
package/dist/ai/vision-prep.js.map +1 -0
package/dist/alt/adapter.d.ts +140 -0
package/dist/alt/adapter.d.ts.map +1 -0
package/dist/alt/adapter.js +7 -0
package/dist/alt/adapter.js.map +1 -0
package/dist/alt/anthropic.d.ts +63 -0
package/dist/alt/anthropic.d.ts.map +1 -0
package/dist/alt/anthropic.js +147 -0
package/dist/alt/anthropic.js.map +1 -0
package/dist/alt/config.d.ts +67 -0
package/dist/alt/config.d.ts.map +1 -0
package/dist/alt/config.js +41 -0
package/dist/alt/config.js.map +1 -0
package/dist/alt/factory.d.ts +19 -0
package/dist/alt/factory.d.ts.map +1 -0
package/dist/alt/factory.js +69 -0
package/dist/alt/factory.js.map +1 -0
package/dist/alt/null-adapter.d.ts +3 -0
package/dist/alt/null-adapter.d.ts.map +1 -0
package/dist/alt/null-adapter.js +43 -0
package/dist/alt/null-adapter.js.map +1 -0
package/dist/alt/ollama.d.ts +40 -0
package/dist/alt/ollama.d.ts.map +1 -0
package/dist/alt/ollama.js +139 -0
package/dist/alt/ollama.js.map +1 -0
package/dist/alt/openai.d.ts +46 -0
package/dist/alt/openai.d.ts.map +1 -0
package/dist/alt/openai.js +118 -0
package/dist/alt/openai.js.map +1 -0
package/dist/alt/prompt-policies.d.ts +79 -0
package/dist/alt/prompt-policies.d.ts.map +1 -0
package/dist/alt/prompt-policies.js +67 -0
package/dist/alt/prompt-policies.js.map +1 -0
package/dist/alt/route-handler.d.ts +56 -0
package/dist/alt/route-handler.d.ts.map +1 -0
package/dist/alt/route-handler.js +122 -0
package/dist/alt/route-handler.js.map +1 -0
package/dist/alt/suggester.d.ts +57 -0
package/dist/alt/suggester.d.ts.map +1 -0
package/dist/alt/suggester.js +133 -0
package/dist/alt/suggester.js.map +1 -0
package/dist/app.js +1 -1
package/dist/app.js.map +1 -1
package/dist/archive-aliases.d.ts +79 -0
package/dist/archive-aliases.d.ts.map +1 -0
package/dist/archive-aliases.js +60 -0
package/dist/archive-aliases.js.map +1 -0
package/dist/archive-helpers.d.ts +73 -0
package/dist/archive-helpers.d.ts.map +1 -0
package/dist/archive-helpers.js +94 -0
package/dist/archive-helpers.js.map +1 -0
package/dist/assets/analyze-audio.d.ts +3 -0
package/dist/assets/analyze-audio.d.ts.map +1 -0
package/dist/assets/analyze-audio.js +80 -0
package/dist/assets/analyze-audio.js.map +1 -0
package/dist/assets/analyze-image.d.ts +19 -0
package/dist/assets/analyze-image.d.ts.map +1 -0
package/dist/assets/analyze-image.js +123 -0
package/dist/assets/analyze-image.js.map +1 -0
package/dist/assets/analyze.d.ts +94 -0
package/dist/assets/analyze.d.ts.map +1 -0
package/dist/assets/analyze.js +45 -0
package/dist/assets/analyze.js.map +1 -0
package/dist/assets/asset-deps.d.ts +30 -0
package/dist/assets/asset-deps.d.ts.map +1 -0
package/dist/assets/asset-deps.js +42 -0
package/dist/assets/asset-deps.js.map +1 -0
package/dist/assets/asset-paths.d.ts +155 -0
package/dist/assets/asset-paths.d.ts.map +1 -0
package/dist/assets/asset-paths.js +197 -0
package/dist/assets/asset-paths.js.map +1 -0
package/dist/assets/delete.d.ts +75 -0
package/dist/assets/delete.d.ts.map +1 -0
package/dist/assets/delete.js +82 -0
package/dist/assets/delete.js.map +1 -0
package/dist/assets/errors.d.ts +241 -0
package/dist/assets/errors.d.ts.map +1 -0
package/dist/assets/errors.js +300 -0
package/dist/assets/errors.js.map +1 -0
package/dist/assets/find-refs.d.ts +37 -0
package/dist/assets/find-refs.d.ts.map +1 -0
package/dist/assets/find-refs.js +35 -0
package/dist/assets/find-refs.js.map +1 -0
package/dist/assets/hash.d.ts +13 -0
package/dist/assets/hash.d.ts.map +1 -0
package/dist/assets/hash.js +43 -0
package/dist/assets/hash.js.map +1 -0
package/dist/assets/image-metadata.d.ts +11 -0
package/dist/assets/image-metadata.d.ts.map +1 -0
package/dist/assets/image-metadata.js +31 -0
package/dist/assets/image-metadata.js.map +1 -0
package/dist/assets/ingest-locale.d.ts +86 -0
package/dist/assets/ingest-locale.d.ts.map +1 -0
package/dist/assets/ingest-locale.js +209 -0
package/dist/assets/ingest-locale.js.map +1 -0
package/dist/assets/ingest.d.ts +96 -0
package/dist/assets/ingest.d.ts.map +1 -0
package/dist/assets/ingest.js +308 -0
package/dist/assets/ingest.js.map +1 -0
package/dist/assets/kind-compat.d.ts +34 -0
package/dist/assets/kind-compat.d.ts.map +1 -0
package/dist/assets/kind-compat.js +33 -0
package/dist/assets/kind-compat.js.map +1 -0
package/dist/assets/list.d.ts +46 -0
package/dist/assets/list.d.ts.map +1 -0
package/dist/assets/list.js +102 -0
package/dist/assets/list.js.map +1 -0
package/dist/assets/manifest-default.d.ts +56 -0
package/dist/assets/manifest-default.d.ts.map +1 -0
package/dist/assets/manifest-default.js +120 -0
package/dist/assets/manifest-default.js.map +1 -0
package/dist/assets/manifest-filename.d.ts +52 -0
package/dist/assets/manifest-filename.d.ts.map +1 -0
package/dist/assets/manifest-filename.js +104 -0
package/dist/assets/manifest-filename.js.map +1 -0
package/dist/assets/manifest-locale.d.ts +60 -0
package/dist/assets/manifest-locale.d.ts.map +1 -0
package/dist/assets/manifest-locale.js +206 -0
package/dist/assets/manifest-locale.js.map +1 -0
package/dist/assets/manifest-merge.d.ts +66 -0
package/dist/assets/manifest-merge.d.ts.map +1 -0
package/dist/assets/manifest-merge.js +82 -0
package/dist/assets/manifest-merge.js.map +1 -0
package/dist/assets/manifest.d.ts +83 -0
package/dist/assets/manifest.d.ts.map +1 -0
package/dist/assets/manifest.js +93 -0
package/dist/assets/manifest.js.map +1 -0
package/dist/assets/mime-sniff.d.ts +18 -0
package/dist/assets/mime-sniff.d.ts.map +1 -0
package/dist/assets/mime-sniff.js +84 -0
package/dist/assets/mime-sniff.js.map +1 -0
package/dist/assets/preprocess-svg.d.ts +3 -0
package/dist/assets/preprocess-svg.d.ts.map +1 -0
package/dist/assets/preprocess-svg.js +49 -0
package/dist/assets/preprocess-svg.js.map +1 -0
package/dist/assets/preprocess.d.ts +62 -0
package/dist/assets/preprocess.d.ts.map +1 -0
package/dist/assets/preprocess.js +86 -0
package/dist/assets/preprocess.js.map +1 -0
package/dist/assets/publish-plan.d.ts +41 -0
package/dist/assets/publish-plan.d.ts.map +1 -0
package/dist/assets/publish-plan.js +49 -0
package/dist/assets/publish-plan.js.map +1 -0
package/dist/assets/publish.d.ts +33 -0
package/dist/assets/publish.d.ts.map +1 -0
package/dist/assets/publish.js +81 -0
package/dist/assets/publish.js.map +1 -0
package/dist/assets/refs.d.ts +37 -0
package/dist/assets/refs.d.ts.map +1 -0
package/dist/assets/refs.js +33 -0
package/dist/assets/refs.js.map +1 -0
package/dist/assets/remove-override.d.ts +42 -0
package/dist/assets/remove-override.d.ts.map +1 -0
package/dist/assets/remove-override.js +53 -0
package/dist/assets/remove-override.js.map +1 -0
package/dist/assets/rename.d.ts +43 -0
package/dist/assets/rename.d.ts.map +1 -0
package/dist/assets/rename.js +271 -0
package/dist/assets/rename.js.map +1 -0
package/dist/assets/replace.d.ts +37 -0
package/dist/assets/replace.d.ts.map +1 -0
package/dist/assets/replace.js +195 -0
package/dist/assets/replace.js.map +1 -0
package/dist/assets/resolve.d.ts +141 -0
package/dist/assets/resolve.d.ts.map +1 -0
package/dist/assets/resolve.js +381 -0
package/dist/assets/resolve.js.map +1 -0
package/dist/assets/rewrite-manifest-asset-ref.d.ts +44 -0
package/dist/assets/rewrite-manifest-asset-ref.d.ts.map +1 -0
package/dist/assets/rewrite-manifest-asset-ref.js +51 -0
package/dist/assets/rewrite-manifest-asset-ref.js.map +1 -0
package/dist/assets/scan-manifest-for-asset.d.ts +63 -0
package/dist/assets/scan-manifest-for-asset.d.ts.map +1 -0
package/dist/assets/scan-manifest-for-asset.js +105 -0
package/dist/assets/scan-manifest-for-asset.js.map +1 -0
package/dist/assets/serve-route.d.ts +45 -0
package/dist/assets/serve-route.d.ts.map +1 -0
package/dist/assets/serve-route.js +123 -0
package/dist/assets/serve-route.js.map +1 -0
package/dist/assets/svg-sanitize.d.ts +38 -0
package/dist/assets/svg-sanitize.d.ts.map +1 -0
package/dist/assets/svg-sanitize.js +209 -0
package/dist/assets/svg-sanitize.js.map +1 -0
package/dist/assets/update-metadata.d.ts +61 -0
package/dist/assets/update-metadata.d.ts.map +1 -0
package/dist/assets/update-metadata.js +82 -0
package/dist/assets/update-metadata.js.map +1 -0
package/dist/assets/url.d.ts +82 -0
package/dist/assets/url.d.ts.map +1 -0
package/dist/assets/url.js +103 -0
package/dist/assets/url.js.map +1 -0
package/dist/assets/validate.d.ts +74 -0
package/dist/assets/validate.d.ts.map +1 -0
package/dist/assets/validate.js +136 -0
package/dist/assets/validate.js.map +1 -0
package/dist/assets/variants.d.ts +23 -0
package/dist/assets/variants.d.ts.map +1 -0
package/dist/assets/variants.js +74 -0
package/dist/assets/variants.js.map +1 -0
package/dist/audit/config.d.ts +75 -0
package/dist/audit/config.d.ts.map +1 -0
package/dist/audit/config.js +91 -0
package/dist/audit/config.js.map +1 -0
package/dist/audit/context.d.ts +98 -0
package/dist/audit/context.d.ts.map +1 -0
package/dist/audit/context.js +51 -0
package/dist/audit/context.js.map +1 -0
package/dist/audit/errors.d.ts +73 -0
package/dist/audit/errors.d.ts.map +1 -0
package/dist/audit/errors.js +78 -0
package/dist/audit/errors.js.map +1 -0
package/dist/audit/index.d.ts +16 -0
package/dist/audit/index.d.ts.map +1 -0
package/dist/audit/index.js +10 -0
package/dist/audit/index.js.map +1 -0
package/dist/audit/provider.d.ts +73 -0
package/dist/audit/provider.d.ts.map +1 -0
package/dist/audit/provider.js +2 -0
package/dist/audit/provider.js.map +1 -0
package/dist/audit/providers/history.d.ts +66 -0
package/dist/audit/providers/history.d.ts.map +1 -0
package/dist/audit/providers/history.js +102 -0
package/dist/audit/providers/history.js.map +1 -0
package/dist/audit/pseudonymize.d.ts +26 -0
package/dist/audit/pseudonymize.d.ts.map +1 -0
package/dist/audit/pseudonymize.js +86 -0
package/dist/audit/pseudonymize.js.map +1 -0
package/dist/audit/recorder.d.ts +102 -0
package/dist/audit/recorder.d.ts.map +1 -0
package/dist/audit/recorder.js +55 -0
package/dist/audit/recorder.js.map +1 -0
package/dist/audit/retention.d.ts +83 -0
package/dist/audit/retention.d.ts.map +1 -0
package/dist/audit/retention.js +142 -0
package/dist/audit/retention.js.map +1 -0
package/dist/audit/source-ip.d.ts +32 -0
package/dist/audit/source-ip.d.ts.map +1 -0
package/dist/audit/source-ip.js +164 -0
package/dist/audit/source-ip.js.map +1 -0
package/dist/audit/types.d.ts +143 -0
package/dist/audit/types.d.ts.map +1 -0
package/dist/audit/types.js +33 -0
package/dist/audit/types.js.map +1 -0
package/dist/audit/user-agent.d.ts +28 -0
package/dist/audit/user-agent.d.ts.map +1 -0
package/dist/audit/user-agent.js +63 -0
package/dist/audit/user-agent.js.map +1 -0
package/dist/auth/capabilities.d.ts +28 -0
package/dist/auth/capabilities.d.ts.map +1 -0
package/dist/auth/capabilities.js +101 -0
package/dist/auth/capabilities.js.map +1 -0
package/dist/auth/config.d.ts +109 -0
package/dist/auth/config.d.ts.map +1 -0
package/dist/auth/config.js +221 -0
package/dist/auth/config.js.map +1 -0
package/dist/auth/errors.d.ts +72 -0
package/dist/auth/errors.d.ts.map +1 -0
package/dist/auth/errors.js +78 -0
package/dist/auth/errors.js.map +1 -0
package/dist/auth/factory.d.ts +43 -0
package/dist/auth/factory.d.ts.map +1 -0
package/dist/auth/factory.js +48 -0
package/dist/auth/factory.js.map +1 -0
package/dist/auth/index.d.ts +21 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/index.js +14 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/ip-match.d.ts +29 -0
package/dist/auth/ip-match.d.ts.map +1 -0
package/dist/auth/ip-match.js +162 -0
package/dist/auth/ip-match.js.map +1 -0
package/dist/auth/provider.d.ts +76 -0
package/dist/auth/provider.d.ts.map +1 -0
package/dist/auth/provider.js +2 -0
package/dist/auth/provider.js.map +1 -0
package/dist/auth/providers/aws-cognito.d.ts +55 -0
package/dist/auth/providers/aws-cognito.d.ts.map +1 -0
package/dist/auth/providers/aws-cognito.js +114 -0
package/dist/auth/providers/aws-cognito.js.map +1 -0
package/dist/auth/providers/azure-easy-auth.d.ts +7 -0
package/dist/auth/providers/azure-easy-auth.d.ts.map +1 -0
package/dist/auth/providers/azure-easy-auth.js +48 -0
package/dist/auth/providers/azure-easy-auth.js.map +1 -0
package/dist/auth/providers/cloudflare-access.d.ts +71 -0
package/dist/auth/providers/cloudflare-access.d.ts.map +1 -0
package/dist/auth/providers/cloudflare-access.js +120 -0
package/dist/auth/providers/cloudflare-access.js.map +1 -0
package/dist/auth/providers/forwarded-user.d.ts +31 -0
package/dist/auth/providers/forwarded-user.d.ts.map +1 -0
package/dist/auth/providers/forwarded-user.js +72 -0
package/dist/auth/providers/forwarded-user.js.map +1 -0
package/dist/auth/providers/none.d.ts +6 -0
package/dist/auth/providers/none.d.ts.map +1 -0
package/dist/auth/providers/none.js +19 -0
package/dist/auth/providers/none.js.map +1 -0
package/dist/auth/providers/tailscale.d.ts +7 -0
package/dist/auth/providers/tailscale.d.ts.map +1 -0
package/dist/auth/providers/tailscale.js +30 -0
package/dist/auth/providers/tailscale.js.map +1 -0
package/dist/auth/role-resolver.d.ts +38 -0
package/dist/auth/role-resolver.d.ts.map +1 -0
package/dist/auth/role-resolver.js +92 -0
package/dist/auth/role-resolver.js.map +1 -0
package/dist/auth/types.d.ts +150 -0
package/dist/auth/types.d.ts.map +1 -0
package/dist/auth/types.js +60 -0
package/dist/auth/types.js.map +1 -0
package/dist/cache/errors.d.ts +41 -0
package/dist/cache/errors.d.ts.map +1 -0
package/dist/cache/errors.js +44 -0
package/dist/cache/errors.js.map +1 -0
package/dist/cache/factories.d.ts +17 -0
package/dist/cache/factories.d.ts.map +1 -0
package/dist/cache/factories.js +17 -0
package/dist/cache/factories.js.map +1 -0
package/dist/cache/keys.d.ts +63 -0
package/dist/cache/keys.d.ts.map +1 -0
package/dist/cache/keys.js +145 -0
package/dist/cache/keys.js.map +1 -0
package/dist/cache/memory.d.ts +51 -0
package/dist/cache/memory.d.ts.map +1 -0
package/dist/cache/memory.js +204 -0
package/dist/cache/memory.js.map +1 -0
package/dist/cache/per-site.d.ts +22 -0
package/dist/cache/per-site.d.ts.map +1 -0
package/dist/cache/per-site.js +114 -0
package/dist/cache/per-site.js.map +1 -0
package/dist/cache/types.d.ts +142 -0
package/dist/cache/types.d.ts.map +1 -0
package/dist/cache/types.js +33 -0
package/dist/cache/types.js.map +1 -0
package/dist/cli/archive.d.ts +44 -0
package/dist/cli/archive.d.ts.map +1 -0
package/dist/cli/archive.js +310 -0
package/dist/cli/archive.js.map +1 -0
package/dist/cli/assets-cli.d.ts +58 -0
package/dist/cli/assets-cli.d.ts.map +1 -0
package/dist/cli/assets-cli.js +233 -0
package/dist/cli/assets-cli.js.map +1 -0
package/dist/cli/assets-display.d.ts +112 -0
package/dist/cli/assets-display.d.ts.map +1 -0
package/dist/cli/assets-display.js +106 -0
package/dist/cli/assets-display.js.map +1 -0
package/dist/cli/bootstrap.d.ts +15 -10
package/dist/cli/bootstrap.d.ts.map +1 -1
package/dist/cli/bootstrap.js +59 -24
package/dist/cli/bootstrap.js.map +1 -1
package/dist/cli/dev-template-watcher.d.ts +29 -0
package/dist/cli/dev-template-watcher.d.ts.map +1 -0
package/dist/cli/dev-template-watcher.js +38 -0
package/dist/cli/dev-template-watcher.js.map +1 -0
package/dist/cli/history.d.ts.map +1 -1
package/dist/cli/history.js +5 -3
package/dist/cli/history.js.map +1 -1
package/dist/cli/index.js +737 -374
package/dist/cli/index.js.map +1 -1
package/dist/cli/validate-flags.d.ts +29 -0
package/dist/cli/validate-flags.d.ts.map +1 -0
package/dist/cli/validate-flags.js +49 -0
package/dist/cli/validate-flags.js.map +1 -0
package/dist/compare.d.ts +1 -1
package/dist/compare.d.ts.map +1 -1
package/dist/compare.js +40 -35
package/dist/compare.js.map +1 -1
package/dist/component-ids.d.ts +25 -0
package/dist/component-ids.d.ts.map +1 -0
package/dist/component-ids.js +83 -0
package/dist/component-ids.js.map +1 -0
package/dist/config/define.d.ts +61 -0
package/dist/config/define.d.ts.map +1 -0
package/dist/config/define.js +64 -0
package/dist/config/define.js.map +1 -0
package/dist/config/errors.d.ts +32 -0
package/dist/config/errors.d.ts.map +1 -0
package/dist/config/errors.js +40 -0
package/dist/config/errors.js.map +1 -0
package/dist/config/index.d.ts +13 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +20 -0
package/dist/config/index.js.map +1 -0
package/dist/config/loader.d.ts +105 -0
package/dist/config/loader.d.ts.map +1 -0
package/dist/config/loader.js +265 -0
package/dist/config/loader.js.map +1 -0
package/dist/config/schemas.d.ts +89 -0
package/dist/config/schemas.d.ts.map +1 -0
package/dist/config/schemas.js +172 -0
package/dist/config/schemas.js.map +1 -0
package/dist/config/types.d.ts +32 -0
package/dist/config/types.d.ts.map +1 -0
package/dist/config/types.js +15 -0
package/dist/config/types.js.map +1 -0
package/dist/dep-sidecars.d.ts +127 -0
package/dist/dep-sidecars.d.ts.map +1 -0
package/dist/dep-sidecars.js +122 -0
package/dist/dep-sidecars.js.map +1 -0
package/dist/deploy/cloudflare-workers.d.ts +46 -0
package/dist/deploy/cloudflare-workers.d.ts.map +1 -0
package/dist/deploy/cloudflare-workers.js +213 -0
package/dist/deploy/cloudflare-workers.js.map +1 -0
package/dist/deploy/errors.d.ts +66 -0
package/dist/deploy/errors.d.ts.map +1 -0
package/dist/deploy/errors.js +82 -0
package/dist/deploy/errors.js.map +1 -0
package/dist/deploy/index.d.ts +9 -0
package/dist/deploy/index.d.ts.map +1 -0
package/dist/deploy/index.js +3 -0
package/dist/deploy/index.js.map +1 -0
package/dist/deploy/types.d.ts +162 -0
package/dist/deploy/types.d.ts.map +1 -0
package/dist/deploy/types.js +2 -0
package/dist/deploy/types.js.map +1 -0
package/dist/editor/AssetEmbeddedWidget.d.ts +3 -0
package/dist/editor/AssetEmbeddedWidget.d.ts.map +1 -0
package/dist/editor/AssetEmbeddedWidget.js +146 -0
package/dist/editor/AssetEmbeddedWidget.js.map +1 -0
package/dist/editor/mount.d.ts +12 -1
package/dist/editor/mount.d.ts.map +1 -1
package/dist/editor/mount.js +36 -5
package/dist/editor/mount.js.map +1 -1
package/dist/format.d.ts +44 -0
package/dist/format.d.ts.map +1 -0
package/dist/format.js +65 -0
package/dist/format.js.map +1 -0
package/dist/fragment-deps.d.ts +24 -0
package/dist/fragment-deps.d.ts.map +1 -0
package/dist/fragment-deps.js +20 -0
package/dist/fragment-deps.js.map +1 -0
package/dist/fragments/create.d.ts +70 -0
package/dist/fragments/create.d.ts.map +1 -0
package/dist/fragments/create.js +93 -0
package/dist/fragments/create.js.map +1 -0
package/dist/fragments/publish.d.ts +37 -0
package/dist/fragments/publish.d.ts.map +1 -0
package/dist/fragments/publish.js +52 -0
package/dist/fragments/publish.js.map +1 -0
package/dist/fragments/save.d.ts +81 -0
package/dist/fragments/save.d.ts.map +1 -0
package/dist/fragments/save.js +105 -0
package/dist/fragments/save.js.map +1 -0
package/dist/hash.d.ts +0 -6
package/dist/hash.d.ts.map +1 -1
package/dist/hash.js +0 -18
package/dist/hash.js.map +1 -1
package/dist/history-provider.d.ts.map +1 -1
package/dist/history-provider.js +30 -8
package/dist/history-provider.js.map +1 -1
package/dist/history-recorder.d.ts +10 -6
package/dist/history-recorder.d.ts.map +1 -1
package/dist/history-recorder.js +13 -5
package/dist/history-recorder.js.map +1 -1
package/dist/history-restorer.d.ts.map +1 -1
package/dist/history-restorer.js +34 -2
package/dist/history-restorer.js.map +1 -1
package/dist/history.d.ts +26 -8
package/dist/history.d.ts.map +1 -1
package/dist/hooks/audit-emitter.d.ts +73 -0
package/dist/hooks/audit-emitter.d.ts.map +1 -0
package/dist/hooks/audit-emitter.js +13 -0
package/dist/hooks/audit-emitter.js.map +1 -0
package/dist/hooks/context.d.ts +78 -0
package/dist/hooks/context.d.ts.map +1 -0
package/dist/hooks/context.js +56 -0
package/dist/hooks/context.js.map +1 -0
package/dist/hooks/contribution.d.ts +90 -0
package/dist/hooks/contribution.d.ts.map +1 -0
package/dist/hooks/contribution.js +2 -0
package/dist/hooks/contribution.js.map +1 -0
package/dist/hooks/dispatch.d.ts +30 -0
package/dist/hooks/dispatch.d.ts.map +1 -0
package/dist/hooks/dispatch.js +252 -0
package/dist/hooks/dispatch.js.map +1 -0
package/dist/hooks/errors.d.ts +100 -0
package/dist/hooks/errors.d.ts.map +1 -0
package/dist/hooks/errors.js +103 -0
package/dist/hooks/errors.js.map +1 -0
package/dist/hooks/index.d.ts +15 -0
package/dist/hooks/index.d.ts.map +1 -0
package/dist/hooks/index.js +6 -0
package/dist/hooks/index.js.map +1 -0
package/dist/hooks/registry.d.ts +53 -0
package/dist/hooks/registry.d.ts.map +1 -0
package/dist/hooks/registry.js +139 -0
package/dist/hooks/registry.js.map +1 -0
package/dist/hooks/storage.d.ts +43 -0
package/dist/hooks/storage.d.ts.map +1 -0
package/dist/hooks/storage.js +2 -0
package/dist/hooks/storage.js.map +1 -0
package/dist/hooks/types.d.ts +324 -0
package/dist/hooks/types.d.ts.map +1 -0
package/dist/hooks/types.js +2 -0
package/dist/hooks/types.js.map +1 -0
package/dist/index.d.ts +27 -9
package/dist/index.d.ts.map +1 -1
package/dist/index.js +50 -7
package/dist/index.js.map +1 -1
package/dist/locale.d.ts +25 -1
package/dist/locale.d.ts.map +1 -1
package/dist/locale.js +44 -2
package/dist/locale.js.map +1 -1
package/dist/manifest-save.d.ts +255 -0
package/dist/manifest-save.d.ts.map +1 -0
package/dist/manifest-save.js +260 -0
package/dist/manifest-save.js.map +1 -0
package/dist/manifest.d.ts +1 -2
package/dist/manifest.d.ts.map +1 -1
package/dist/manifest.js +43 -44
package/dist/manifest.js.map +1 -1
package/dist/node-floor.d.ts +3 -0
package/dist/node-floor.d.ts.map +1 -0
package/dist/node-floor.js +3 -0
package/dist/node-floor.js.map +1 -0
package/dist/pages/create.d.ts +103 -0
package/dist/pages/create.d.ts.map +1 -0
package/dist/pages/create.js +117 -0
package/dist/pages/create.js.map +1 -0
package/dist/pages/publish.d.ts +59 -0
package/dist/pages/publish.d.ts.map +1 -0
package/dist/pages/publish.js +78 -0
package/dist/pages/publish.js.map +1 -0
package/dist/pages/save.d.ts +97 -0
package/dist/pages/save.d.ts.map +1 -0
package/dist/pages/save.js +138 -0
package/dist/pages/save.js.map +1 -0
package/dist/providers/_atomic-write.d.ts +9 -0
package/dist/providers/_atomic-write.d.ts.map +1 -0
package/dist/providers/_atomic-write.js +72 -0
package/dist/providers/_atomic-write.js.map +1 -0
package/dist/providers/_rm-ignore-missing.d.ts +31 -0
package/dist/providers/_rm-ignore-missing.d.ts.map +1 -0
package/dist/providers/_rm-ignore-missing.js +12 -0
package/dist/providers/_rm-ignore-missing.js.map +1 -0
package/dist/providers/_stream-interop.d.ts +23 -0
package/dist/providers/_stream-interop.d.ts.map +1 -0
package/dist/providers/_stream-interop.js +21 -0
package/dist/providers/_stream-interop.js.map +1 -0
package/dist/providers/azure-blob.d.ts.map +1 -1
package/dist/providers/azure-blob.js +60 -0
package/dist/providers/azure-blob.js.map +1 -1
package/dist/providers/factories.d.ts +65 -0
package/dist/providers/factories.d.ts.map +1 -0
package/dist/providers/factories.js +189 -0
package/dist/providers/factories.js.map +1 -0
package/dist/providers/filesystem.d.ts +4 -0
package/dist/providers/filesystem.d.ts.map +1 -1
package/dist/providers/filesystem.js +63 -2
package/dist/providers/filesystem.js.map +1 -1
package/dist/providers/s3.d.ts.map +1 -1
package/dist/providers/s3.js +84 -1
package/dist/providers/s3.js.map +1 -1
package/dist/publish-item.d.ts +225 -0
package/dist/publish-item.d.ts.map +1 -0
package/dist/publish-item.js +210 -0
package/dist/publish-item.js.map +1 -0
package/dist/publish-rendered.d.ts +37 -17
package/dist/publish-rendered.d.ts.map +1 -1
package/dist/publish-rendered.js +144 -71
package/dist/publish-rendered.js.map +1 -1
package/dist/publish-renderers.d.ts +132 -0
package/dist/publish-renderers.d.ts.map +1 -0
package/dist/publish-renderers.js +240 -0
package/dist/publish-renderers.js.map +1 -0
package/dist/publish-run.d.ts +223 -0
package/dist/publish-run.d.ts.map +1 -0
package/dist/publish-run.js +307 -0
package/dist/publish-run.js.map +1 -0
package/dist/publish.d.ts +13 -12
package/dist/publish.d.ts.map +1 -1
package/dist/publish.js +24 -57
package/dist/publish.js.map +1 -1
package/dist/render-for-analysis.d.ts +24 -0
package/dist/render-for-analysis.d.ts.map +1 -0
package/dist/render-for-analysis.js +146 -0
package/dist/render-for-analysis.js.map +1 -0
package/dist/resolver.d.ts +12 -2
package/dist/resolver.d.ts.map +1 -1
package/dist/resolver.js +101 -32
package/dist/resolver.js.map +1 -1
package/dist/runtime/archive-marker.d.ts +62 -0
package/dist/runtime/archive-marker.d.ts.map +1 -0
package/dist/runtime/archive-marker.js +88 -0
package/dist/runtime/archive-marker.js.map +1 -0
package/dist/runtime/capability-gap-warnings.d.ts +42 -0
package/dist/runtime/capability-gap-warnings.d.ts.map +1 -0
package/dist/runtime/capability-gap-warnings.js +28 -0
package/dist/runtime/capability-gap-warnings.js.map +1 -0
package/dist/runtime/redirects-emit.d.ts +93 -0
package/dist/runtime/redirects-emit.d.ts.map +1 -0
package/dist/runtime/redirects-emit.js +89 -0
package/dist/runtime/redirects-emit.js.map +1 -0
package/dist/runtime/runtime-capabilities.d.ts +79 -0
package/dist/runtime/runtime-capabilities.d.ts.map +1 -0
package/dist/runtime/runtime-capabilities.js +60 -0
package/dist/runtime/runtime-capabilities.js.map +1 -0
package/dist/save-etag.d.ts +69 -0
package/dist/save-etag.d.ts.map +1 -0
package/dist/save-etag.js +118 -0
package/dist/save-etag.js.map +1 -0
package/dist/schema/dimensions.d.ts +78 -0
package/dist/schema/dimensions.d.ts.map +1 -0
package/dist/schema/dimensions.js +97 -0
package/dist/schema/dimensions.js.map +1 -0
package/dist/schema/helpers.d.ts +108 -0
package/dist/schema/helpers.d.ts.map +1 -0
package/dist/schema/helpers.js +133 -0
package/dist/schema/helpers.js.map +1 -0
package/dist/schema/index.d.ts +27 -0
package/dist/schema/index.d.ts.map +1 -0
package/dist/schema/index.js +25 -0
package/dist/schema/index.js.map +1 -0
package/dist/schema/types.d.ts +390 -0
package/dist/schema/types.d.ts.map +1 -0
package/dist/schema/types.js +25 -0
package/dist/schema/types.js.map +1 -0
package/dist/selector-chain.d.ts +63 -0
package/dist/selector-chain.d.ts.map +1 -0
package/dist/selector-chain.js +58 -0
package/dist/selector-chain.js.map +1 -0
package/dist/sidecars.d.ts +19 -18
package/dist/sidecars.d.ts.map +1 -1
package/dist/sidecars.js +70 -62
package/dist/sidecars.js.map +1 -1
package/dist/site-loader.d.ts +42 -4
package/dist/site-loader.d.ts.map +1 -1
package/dist/site-loader.js +27 -8
package/dist/site-loader.js.map +1 -1
package/dist/targets.d.ts +21 -12
package/dist/targets.d.ts.map +1 -1
package/dist/targets.js +27 -117
package/dist/targets.js.map +1 -1
package/dist/testing/admin-cache-contract.d.ts +52 -0
package/dist/testing/admin-cache-contract.d.ts.map +1 -0
package/dist/testing/admin-cache-contract.js +203 -0
package/dist/testing/admin-cache-contract.js.map +1 -0
package/dist/testing/index.d.ts +11 -0
package/dist/testing/index.d.ts.map +1 -0
package/dist/testing/index.js +11 -0
package/dist/testing/index.js.map +1 -0
package/dist/themes.d.ts +69 -0
package/dist/themes.d.ts.map +1 -0
package/dist/themes.js +85 -0
package/dist/themes.js.map +1 -0
package/dist/transforms/adapter.d.ts +115 -0
package/dist/transforms/adapter.d.ts.map +1 -0
package/dist/transforms/adapter.js +2 -0
package/dist/transforms/adapter.js.map +1 -0
package/dist/transforms/cloudflare.d.ts +17 -0
package/dist/transforms/cloudflare.d.ts.map +1 -0
package/dist/transforms/cloudflare.js +110 -0
package/dist/transforms/cloudflare.js.map +1 -0
package/dist/transforms/factories.d.ts +16 -0
package/dist/transforms/factories.d.ts.map +1 -0
package/dist/transforms/factories.js +18 -0
package/dist/transforms/factories.js.map +1 -0
package/dist/transforms/index.d.ts +17 -0
package/dist/transforms/index.d.ts.map +1 -0
package/dist/transforms/index.js +6 -0
package/dist/transforms/index.js.map +1 -0
package/dist/transforms/sharp.d.ts +17 -0
package/dist/transforms/sharp.d.ts.map +1 -0
package/dist/transforms/sharp.js +57 -0
package/dist/transforms/sharp.js.map +1 -0
package/dist/types.d.ts +485 -34
package/dist/types.d.ts.map +1 -1
package/dist/types.js +20 -1
package/dist/types.js.map +1 -1
package/dist/validation/alt-required-walker.d.ts +27 -0
package/dist/validation/alt-required-walker.d.ts.map +1 -0
package/dist/validation/alt-required-walker.js +108 -0
package/dist/validation/alt-required-walker.js.map +1 -0
package/dist/validation/default-registry.d.ts +12 -0
package/dist/validation/default-registry.d.ts.map +1 -0
package/dist/validation/default-registry.js +55 -0
package/dist/validation/default-registry.js.map +1 -0
package/dist/validation/publish-audit.d.ts +44 -0
package/dist/validation/publish-audit.d.ts.map +1 -0
package/dist/validation/publish-audit.js +64 -0
package/dist/validation/publish-audit.js.map +1 -0
package/dist/validation/registry.d.ts +23 -0
package/dist/validation/registry.d.ts.map +1 -0
package/dist/validation/registry.js +15 -0
package/dist/validation/registry.js.map +1 -0
package/dist/validation/save-delta.d.ts +46 -0
package/dist/validation/save-delta.d.ts.map +1 -0
package/dist/validation/save-delta.js +57 -0
package/dist/validation/save-delta.js.map +1 -0
package/dist/validation/scanner.d.ts +91 -0
package/dist/validation/scanner.d.ts.map +1 -0
package/dist/validation/scanner.js +327 -0
package/dist/validation/scanner.js.map +1 -0
package/dist/validation/template-impact.d.ts +52 -0
package/dist/validation/template-impact.d.ts.map +1 -0
package/dist/validation/template-impact.js +53 -0
package/dist/validation/template-impact.js.map +1 -0
package/dist/validation/types.d.ts +123 -0
package/dist/validation/types.d.ts.map +1 -0
package/dist/validation/types.js +7 -0
package/dist/validation/types.js.map +1 -0
package/dist/validation/validators/accessibility.d.ts +3 -0
package/dist/validation/validators/accessibility.d.ts.map +1 -0
package/dist/validation/validators/accessibility.js +106 -0
package/dist/validation/validators/accessibility.js.map +1 -0
package/dist/validation/validators/aliasof-points-to-archived.d.ts +40 -0
package/dist/validation/validators/aliasof-points-to-archived.d.ts.map +1 -0
package/dist/validation/validators/aliasof-points-to-archived.js +34 -0
package/dist/validation/validators/aliasof-points-to-archived.js.map +1 -0
package/dist/validation/validators/alt-required.d.ts +3 -0
package/dist/validation/validators/alt-required.d.ts.map +1 -0
package/dist/validation/validators/alt-required.js +118 -0
package/dist/validation/validators/alt-required.js.map +1 -0
package/dist/validation/validators/archive-not-supported-on-target.d.ts +3 -0
package/dist/validation/validators/archive-not-supported-on-target.d.ts.map +1 -0
package/dist/validation/validators/archive-not-supported-on-target.js +38 -0
package/dist/validation/validators/archive-not-supported-on-target.js.map +1 -0
package/dist/validation/validators/broken-links.d.ts +3 -0
package/dist/validation/validators/broken-links.d.ts.map +1 -0
package/dist/validation/validators/broken-links.js +190 -0
package/dist/validation/validators/broken-links.js.map +1 -0
package/dist/validation/validators/circular-alias.d.ts +36 -0
package/dist/validation/validators/circular-alias.d.ts.map +1 -0
package/dist/validation/validators/circular-alias.js +63 -0
package/dist/validation/validators/circular-alias.js.map +1 -0
package/dist/validation/validators/circular-fragment.d.ts +15 -0
package/dist/validation/validators/circular-fragment.d.ts.map +1 -0
package/dist/validation/validators/circular-fragment.js +97 -0
package/dist/validation/validators/circular-fragment.js.map +1 -0
package/dist/validation/validators/dangling-alias.d.ts +38 -0
package/dist/validation/validators/dangling-alias.d.ts.map +1 -0
package/dist/validation/validators/dangling-alias.js +31 -0
package/dist/validation/validators/dangling-alias.js.map +1 -0
package/dist/validation/validators/deploy-target-type-supported.d.ts +3 -0
package/dist/validation/validators/deploy-target-type-supported.d.ts.map +1 -0
package/dist/validation/validators/deploy-target-type-supported.js +32 -0
package/dist/validation/validators/deploy-target-type-supported.js.map +1 -0
package/dist/validation/validators/dynamic-route-conflict.d.ts +18 -0
package/dist/validation/validators/dynamic-route-conflict.d.ts.map +1 -0
package/dist/validation/validators/dynamic-route-conflict.js +80 -0
package/dist/validation/validators/dynamic-route-conflict.js.map +1 -0
package/dist/validation/validators/html-validity.d.ts +3 -0
package/dist/validation/validators/html-validity.d.ts.map +1 -0
package/dist/validation/validators/html-validity.js +89 -0
package/dist/validation/validators/html-validity.js.map +1 -0
package/dist/validation/validators/orphaned-locale-file.d.ts +21 -0
package/dist/validation/validators/orphaned-locale-file.d.ts.map +1 -0
package/dist/validation/validators/orphaned-locale-file.js +84 -0
package/dist/validation/validators/orphaned-locale-file.js.map +1 -0
package/dist/validation/validators/referenced-archived-without-alias.d.ts +3 -0
package/dist/validation/validators/referenced-archived-without-alias.d.ts.map +1 -0
package/dist/validation/validators/referenced-archived-without-alias.js +65 -0
package/dist/validation/validators/referenced-archived-without-alias.js.map +1 -0
package/dist/validation/validators/referenced-asset-exists.d.ts +13 -0
package/dist/validation/validators/referenced-asset-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-asset-exists.js +80 -0
package/dist/validation/validators/referenced-asset-exists.js.map +1 -0
package/dist/validation/validators/referenced-fragment-exists.d.ts +9 -0
package/dist/validation/validators/referenced-fragment-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-fragment-exists.js +52 -0
package/dist/validation/validators/referenced-fragment-exists.js.map +1 -0
package/dist/validation/validators/referenced-template-exists.d.ts +10 -0
package/dist/validation/validators/referenced-template-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-template-exists.js +74 -0
package/dist/validation/validators/referenced-template-exists.js.map +1 -0
package/dist/validation/validators/schema-conformance.d.ts +17 -0
package/dist/validation/validators/schema-conformance.d.ts.map +1 -0
package/dist/validation/validators/schema-conformance.js +94 -0
package/dist/validation/validators/schema-conformance.js.map +1 -0
package/dist/validation/validators/target-deploy-coverage.d.ts +3 -0
package/dist/validation/validators/target-deploy-coverage.d.ts.map +1 -0
package/dist/validation/validators/target-deploy-coverage.js +37 -0
package/dist/validation/validators/target-deploy-coverage.js.map +1 -0
package/dist/validation/validators/unused-fragment.d.ts +16 -0
package/dist/validation/validators/unused-fragment.d.ts.map +1 -0
package/dist/validation/validators/unused-fragment.js +86 -0
package/dist/validation/validators/unused-fragment.js.map +1 -0
package/package.json +69 -27
package/admin-dist/assets/index-B6pVot0Y.css +0 -1
package/admin-dist/assets/index-DniLwxJA.js +0 -609
package/admin-dist/assets/rolldown-runtime-COnpUsM8.js +0 -1
package/admin-dist/assets/vendor-rjsf-HKBAjOmQ.js +0 -32
package/admin-dist/assets/vendor-tiptap-IyO99U4R.js +0 -142
package/admin-dist/assets/vendor-vue-D3wBSmDf.js +0 -1
package/dist/providers/r2.d.ts +0 -8
package/dist/providers/r2.d.ts.map +0 -1
package/dist/providers/r2.js +0 -86
package/dist/providers/r2.js.map +0 -1
package/dist/publish-locale.d.ts +0 -44
package/dist/publish-locale.d.ts.map +0 -1
package/dist/publish-locale.js +0 -103
package/dist/publish-locale.js.map +0 -1
package/dist/source-sidecars.d.ts +0 -32
package/dist/source-sidecars.d.ts.map +0 -1
package/dist/source-sidecars.js +0 -98
package/dist/source-sidecars.js.map +0 -1

package/dist/auth/factory.d.ts ADDED Viewed

@@ -0,0 +1,43 @@
+/**
+ * `AuthIdentityProvider` factory — constructs the right provider
+ * from the typed `admin.auth` block in `site.config.ts`.
+ *
+ * # Why a factory and not direct provider exports
+ *
+ * Operators write `admin.auth: { trust: 'cloudflare-access', teamDomain: 'acme' }`
+ * in `site.config.ts`. The admin-api boot code receives this config
+ * (typed as `AuthConfig`) and needs to dispatch to the right provider
+ * factory. Centralizing the dispatch here keeps the built-in
+ * trust-mode set closed (per `design-auth-rbac.md` Q1) while
+ * leaving the operator-config field type open to any
+ * `AuthIdentityProvider` instance — including those returned by
+ * plugin-supplied factories.
+ *
+ * # Plugin promotion path
+ *
+ * Per ADR-0009 + `design-plugins.md`: external trust modes ship as
+ * npm packages exporting a factory function returning
+ * `AuthIdentityProvider`. The operator imports the factory and
+ * assigns its result to `admin.auth` directly (Pattern A factory-
+ * call-at-field). No runtime register method; no central registry
+ * for plugin-contributed providers — the type system accepts any
+ * conforming instance.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: dispatch only. Doesn't read from disk, doesn't construct
+ *     middleware. Pure function over (config) → AuthIdentityProvider.
+ *   - OCP: adding a trust mode is one new case in the switch + one
+ *     import. Existing cases unchanged.
+ *   - DIP: callers depend on AuthIdentityProvider, not on which
+ *     trust mode the operator picked.
+ */
+import type { AuthIdentityProvider } from './provider.js';
+import type { AuthConfig } from './config.js';
+/**
+ * Build the configured `AuthIdentityProvider`. Returns the
+ * `none`-mode provider when `config` is undefined (the default
+ * when `site.config.ts` has no `admin.auth` block).
+ */
+export declare function buildAuthProvider(config: AuthConfig | undefined): AuthIdentityProvider;
+//# sourceMappingURL=factory.d.ts.map

package/dist/auth/factory.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/auth/factory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAA;AACzD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAS7C;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,UAAU,GAAG,SAAS,GAAG,oBAAoB,CAkCtF"}

package/dist/auth/factory.js ADDED Viewed

@@ -0,0 +1,48 @@
+import { AuthConfigurationError } from './errors.js';
+import { noneAuthProvider } from './providers/none.js';
+import { createForwardedUserAuthProvider } from './providers/forwarded-user.js';
+import { createCloudflareAccessAuthProvider } from './providers/cloudflare-access.js';
+import { createAzureEasyAuthProvider } from './providers/azure-easy-auth.js';
+import { createAwsCognitoAuthProvider } from './providers/aws-cognito.js';
+import { createTailscaleAuthProvider } from './providers/tailscale.js';
+/**
+ * Build the configured `AuthIdentityProvider`. Returns the
+ * `none`-mode provider when `config` is undefined (the default
+ * when `site.config.ts` has no `admin.auth` block).
+ */
+export function buildAuthProvider(config) {
+    if (!config)
+        return noneAuthProvider;
+    switch (config.trust) {
+        case 'none':
+            return noneAuthProvider;
+        case 'forwarded-user':
+            return createForwardedUserAuthProvider({
+                trustedProxies: config.trustedProxies,
+                allowAnyOrigin: config.allowAnyOrigin,
+            });
+        case 'cloudflare-access':
+            return createCloudflareAccessAuthProvider({
+                teamDomain: config.teamDomain,
+                audience: config.audience,
+            });
+        case 'azure-easy-auth':
+            return createAzureEasyAuthProvider({});
+        case 'aws-cognito':
+            return createAwsCognitoAuthProvider({
+                region: config.region,
+                audience: config.audience,
+            });
+        case 'tailscale':
+            return createTailscaleAuthProvider({});
+        default: {
+            // Exhaustive check — the discriminated union should make
+            // this unreachable, but defense-in-depth against an operator
+            // bypassing the schema (e.g., constructing the manifest
+            // programmatically).
+            const exhaustiveCheck = config;
+            throw new AuthConfigurationError(`Unknown trust mode in admin.auth: ${JSON.stringify(exhaustiveCheck)}`);
+        }
+    }
+}
+//# sourceMappingURL=factory.js.map

package/dist/auth/factory.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"factory.js","sourceRoot":"","sources":["../../src/auth/factory.ts"],"names":[],"mappings":"AAoCA,OAAO,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAA;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AACtD,OAAO,EAAE,+BAA+B,EAAE,MAAM,+BAA+B,CAAA;AAC/E,OAAO,EAAE,kCAAkC,EAAE,MAAM,kCAAkC,CAAA;AACrF,OAAO,EAAE,2BAA2B,EAAE,MAAM,gCAAgC,CAAA;AAC5E,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAA;AACzE,OAAO,EAAE,2BAA2B,EAAE,MAAM,0BAA0B,CAAA;AAEtE;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAA8B;IAC9D,IAAI,CAAC,MAAM;QAAE,OAAO,gBAAgB,CAAA;IAEpC,QAAQ,MAAM,CAAC,KAAK,EAAE,CAAC;QACrB,KAAK,MAAM;YACT,OAAO,gBAAgB,CAAA;QACzB,KAAK,gBAAgB;YACnB,OAAO,+BAA+B,CAAC;gBACrC,cAAc,EAAE,MAAM,CAAC,cAAc;gBACrC,cAAc,EAAE,MAAM,CAAC,cAAc;aACtC,CAAC,CAAA;QACJ,KAAK,mBAAmB;YACtB,OAAO,kCAAkC,CAAC;gBACxC,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC,CAAA;QACJ,KAAK,iBAAiB;YACpB,OAAO,2BAA2B,CAAC,EAAE,CAAC,CAAA;QACxC,KAAK,aAAa;YAChB,OAAO,4BAA4B,CAAC;gBAClC,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC,CAAA;QACJ,KAAK,WAAW;YACd,OAAO,2BAA2B,CAAC,EAAE,CAAC,CAAA;QACxC,OAAO,CAAC,CAAC,CAAC;YACR,yDAAyD;YACzD,6DAA6D;YAC7D,wDAAwD;YACxD,qBAAqB;YACrB,MAAM,eAAe,GAAU,MAAM,CAAA;YACrC,MAAM,IAAI,sBAAsB,CAAC,qCAAqC,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,EAAE,CAAC,CAAA;QAC1G,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/auth/index.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Auth + RBAC barrel export. Imports are stable across cuts;
+ * subsequent cuts (forwarded-user, cloudflare-access, etc.) add
+ * exports without breaking the existing surface.
+ */
+export type { AuthRequest, AuthIdentityProvider } from './provider.js';
+export type { Principal, Role, RoleMapping, TrustMode, BuiltInCapability, } from './types.js';
+export { BUILT_IN_ROLES, RESERVED_CAPABILITY_PREFIXES } from './types.js';
+export { AuthError, AuthConfigurationError, AuthenticationError, AuthorizationError } from './errors.js';
+export { AuthConfigSchema, isReservedPrefix, type AuthConfig } from './config.js';
+export { noneAuthProvider, UNKNOWN_ACTOR_ID } from './providers/none.js';
+export { createForwardedUserAuthProvider, type ForwardedUserConfig } from './providers/forwarded-user.js';
+export { createCloudflareAccessAuthProvider, type CloudflareAccessConfig } from './providers/cloudflare-access.js';
+export { createAzureEasyAuthProvider, type AzureEasyAuthConfig } from './providers/azure-easy-auth.js';
+export { createAwsCognitoAuthProvider, type AwsCognitoConfig } from './providers/aws-cognito.js';
+export { createTailscaleAuthProvider, type TailscaleConfig } from './providers/tailscale.js';
+export { ipMatchesAny, parseRule, parseRules, type ParsedRule } from './ip-match.js';
+export { capabilityGrants, expandRole } from './capabilities.js';
+export { resolveRole, validateCustomRoles, type ResolveRoleArgs, type ResolvedRole } from './role-resolver.js';
+export { buildAuthProvider } from './factory.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAA;AACtE,YAAY,EACV,SAAS,EACT,IAAI,EACJ,WAAW,EACX,SAAS,EACT,iBAAiB,GAClB,MAAM,YAAY,CAAA;AACnB,OAAO,EAAE,cAAc,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAA;AACzE,OAAO,EAAE,SAAS,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AACxG,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,KAAK,UAAU,EAAE,MAAM,aAAa,CAAA;AACjF,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AACxE,OAAO,EAAE,+BAA+B,EAAE,KAAK,mBAAmB,EAAE,MAAM,+BAA+B,CAAA;AACzG,OAAO,EAAE,kCAAkC,EAAE,KAAK,sBAAsB,EAAE,MAAM,kCAAkC,CAAA;AAClH,OAAO,EAAE,2BAA2B,EAAE,KAAK,mBAAmB,EAAE,MAAM,gCAAgC,CAAA;AACtG,OAAO,EAAE,4BAA4B,EAAE,KAAK,gBAAgB,EAAE,MAAM,4BAA4B,CAAA;AAChG,OAAO,EAAE,2BAA2B,EAAE,KAAK,eAAe,EAAE,MAAM,0BAA0B,CAAA;AAC5F,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,UAAU,EAAE,MAAM,eAAe,CAAA;AACpF,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAChE,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,KAAK,eAAe,EAAE,KAAK,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAC9G,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA"}

package/dist/auth/index.js ADDED Viewed

@@ -0,0 +1,14 @@
+export { BUILT_IN_ROLES, RESERVED_CAPABILITY_PREFIXES } from './types.js';
+export { AuthError, AuthConfigurationError, AuthenticationError, AuthorizationError } from './errors.js';
+export { AuthConfigSchema, isReservedPrefix } from './config.js';
+export { noneAuthProvider, UNKNOWN_ACTOR_ID } from './providers/none.js';
+export { createForwardedUserAuthProvider } from './providers/forwarded-user.js';
+export { createCloudflareAccessAuthProvider } from './providers/cloudflare-access.js';
+export { createAzureEasyAuthProvider } from './providers/azure-easy-auth.js';
+export { createAwsCognitoAuthProvider } from './providers/aws-cognito.js';
+export { createTailscaleAuthProvider } from './providers/tailscale.js';
+export { ipMatchesAny, parseRule, parseRules } from './ip-match.js';
+export { capabilityGrants, expandRole } from './capabilities.js';
+export { resolveRole, validateCustomRoles } from './role-resolver.js';
+export { buildAuthProvider } from './factory.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,cAAc,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAA;AACzE,OAAO,EAAE,SAAS,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AACxG,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAmB,MAAM,aAAa,CAAA;AACjF,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AACxE,OAAO,EAAE,+BAA+B,EAA4B,MAAM,+BAA+B,CAAA;AACzG,OAAO,EAAE,kCAAkC,EAA+B,MAAM,kCAAkC,CAAA;AAClH,OAAO,EAAE,2BAA2B,EAA4B,MAAM,gCAAgC,CAAA;AACtG,OAAO,EAAE,4BAA4B,EAAyB,MAAM,4BAA4B,CAAA;AAChG,OAAO,EAAE,2BAA2B,EAAwB,MAAM,0BAA0B,CAAA;AAC5F,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAmB,MAAM,eAAe,CAAA;AACpF,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAChE,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAA2C,MAAM,oBAAoB,CAAA;AAC9G,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA"}

package/dist/auth/ip-match.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * Parsed CIDR rule. Exposed for tests and reuse by other providers
+ * that may want to validate operator-supplied rule strings.
+ */
+export interface ParsedRule {
+    /** Original rule string (for diagnostics). */
+    raw: string;
+    /** Address family — 4 (IPv4) or 6 (IPv6). */
+    family: 4 | 6;
+    /** Network address as bigint (left-aligned for IPv4 to fit IPv6). */
+    network: bigint;
+    /** Number of leading bits that must match. 32 for IPv4-exact; 128 for IPv6-exact. */
+    prefixBits: number;
+}
+/**
+ * Parse a single rule. Throws on malformed input. Operator's
+ * `trustedProxies` array passes through this once at boot; rules
+ * are validated then cached as `ParsedRule[]` for fast per-request
+ * checks.
+ */
+export declare function parseRule(raw: string): ParsedRule;
+/** Build all rules; throws on the first malformed entry with rule context. */
+export declare function parseRules(rawRules: readonly string[]): ParsedRule[];
+/**
+ * Test whether an IP matches any rule. Returns false for unknown
+ * input (empty string, malformed) — fail-closed.
+ */
+export declare function ipMatchesAny(ip: string | undefined, rules: readonly ParsedRule[]): boolean;
+//# sourceMappingURL=ip-match.d.ts.map

package/dist/auth/ip-match.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ip-match.d.ts","sourceRoot":"","sources":["../../src/auth/ip-match.ts"],"names":[],"mappings":"AAoCA;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,8CAA8C;IAC9C,GAAG,EAAE,MAAM,CAAA;IACX,6CAA6C;IAC7C,MAAM,EAAE,CAAC,GAAG,CAAC,CAAA;IACb,qEAAqE;IACrE,OAAO,EAAE,MAAM,CAAA;IACf,qFAAqF;IACrF,UAAU,EAAE,MAAM,CAAA;CACnB;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CA8BjD;AAED,8EAA8E;AAC9E,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,GAAG,UAAU,EAAE,CAEpE;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,EAAE,KAAK,EAAE,SAAS,UAAU,EAAE,GAAG,OAAO,CAiB1F"}

package/dist/auth/ip-match.js ADDED Viewed

@@ -0,0 +1,162 @@
+/**
+ * IP / CIDR membership testing for header-spoofing protection.
+ *
+ * # Why a custom matcher and not a library
+ *
+ * Three reasons:
+ *   - Zero-dep: `net.isIP` ships with Node 22; we only need
+ *     equality + CIDR-prefix checks. A library adds 50KB to a
+ *     small concern.
+ *   - IPv4 + IPv6 mixing: industrial libs (e.g. `ipaddr.js`) handle
+ *     edge cases we don't have (IPv4-mapped IPv6 addresses, etc.).
+ *     For the auth use case the operator-supplied list is small and
+ *     well-understood — they wrote each entry by hand.
+ *   - Multi-instance discipline: the matcher is a pure function over
+ *     `(ip, ruleList)`. No state, no async, no shared mutable cache.
+ *
+ * # Supported syntax
+ *
+ *   - `1.2.3.4` — exact IPv4 match
+ *   - `10.0.0.0/8` — IPv4 CIDR
+ *   - `fe80::1` — exact IPv6 match
+ *   - `fd00::/8` — IPv6 CIDR
+ *
+ * Mixed-family rules are fine; an IPv4 source is checked only
+ * against IPv4 rules, IPv6 against IPv6.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: this module owns IP-vs-rule comparison; doesn't read
+ *     headers, doesn't construct providers.
+ *   - LSP: future provider-specific source-IP needs (e.g.,
+ *     `cloudflare-access` reads `Cf-Connecting-IP`) consume the
+ *     same matcher.
+ */
+import { isIP } from 'node:net';
+/**
+ * Parse a single rule. Throws on malformed input. Operator's
+ * `trustedProxies` array passes through this once at boot; rules
+ * are validated then cached as `ParsedRule[]` for fast per-request
+ * checks.
+ */
+export function parseRule(raw) {
+    const slash = raw.indexOf('/');
+    let addr;
+    let prefix;
+    if (slash >= 0) {
+        addr = raw.slice(0, slash);
+        const prefixStr = raw.slice(slash + 1);
+        prefix = Number.parseInt(prefixStr, 10);
+        if (!Number.isInteger(prefix) || prefix < 0) {
+            throw new Error(`Invalid CIDR prefix in "${raw}": "${prefixStr}" must be a non-negative integer`);
+        }
+    }
+    else {
+        addr = raw;
+        prefix = -1; // sentinel: exact match — set per-family below
+    }
+    const family = isIP(addr);
+    if (family === 0) {
+        throw new Error(`Invalid IP address in "${raw}": "${addr}" is not a valid IPv4 or IPv6 address`);
+    }
+    const maxPrefix = family === 4 ? 32 : 128;
+    if (prefix === -1)
+        prefix = maxPrefix;
+    if (prefix > maxPrefix) {
+        throw new Error(`Invalid CIDR prefix in "${raw}": ${prefix} exceeds max ${maxPrefix} for IPv${family}`);
+    }
+    const fullBits = family === 4 ? ipv4ToBigInt(addr) : ipv6ToBigInt(addr);
+    // Mask off non-prefix bits so the network is canonical (operator
+    // can write 10.1.2.3/8 and we treat it the same as 10.0.0.0/8).
+    const totalBits = family === 4 ? 32 : 128;
+    const network = fullBits & cidrMask(prefix, totalBits);
+    return { raw, family: family, network, prefixBits: prefix };
+}
+/** Build all rules; throws on the first malformed entry with rule context. */
+export function parseRules(rawRules) {
+    return rawRules.map(parseRule);
+}
+/**
+ * Test whether an IP matches any rule. Returns false for unknown
+ * input (empty string, malformed) — fail-closed.
+ */
+export function ipMatchesAny(ip, rules) {
+    if (!ip)
+        return false;
+    const family = isIP(ip);
+    if (family === 0)
+        return false;
+    let value;
+    try {
+        value = family === 4 ? ipv4ToBigInt(ip) : ipv6ToBigInt(ip);
+    }
+    catch {
+        return false;
+    }
+    const totalBits = family === 4 ? 32 : 128;
+    for (const rule of rules) {
+        if (rule.family !== family)
+            continue;
+        const masked = value & cidrMask(rule.prefixBits, totalBits);
+        if (masked === rule.network)
+            return true;
+    }
+    return false;
+}
+// --- Internals ---
+function ipv4ToBigInt(ip) {
+    const parts = ip.split('.');
+    if (parts.length !== 4)
+        throw new Error(`Invalid IPv4: ${ip}`);
+    let n = 0n;
+    for (const part of parts) {
+        const octet = Number.parseInt(part, 10);
+        if (!Number.isInteger(octet) || octet < 0 || octet > 255) {
+            throw new Error(`Invalid IPv4 octet: ${part}`);
+        }
+        n = (n << 8n) | BigInt(octet);
+    }
+    return n;
+}
+function ipv6ToBigInt(ip) {
+    // Handle :: shorthand by expanding to the right number of zero
+    // groups. Doesn't handle IPv4-mapped IPv6 addresses
+    // (e.g. ::ffff:1.2.3.4) — operators with hybrid stacks list
+    // both representations explicitly.
+    const doubleColon = ip.indexOf('::');
+    let groups;
+    if (doubleColon >= 0) {
+        const left = ip.slice(0, doubleColon).split(':').filter(Boolean);
+        const right = ip
+            .slice(doubleColon + 2)
+            .split(':')
+            .filter(Boolean);
+        const fillCount = 8 - left.length - right.length;
+        if (fillCount < 0)
+            throw new Error(`Invalid IPv6: too many groups in ${ip}`);
+        groups = [...left, ...new Array(fillCount).fill('0'), ...right];
+    }
+    else {
+        groups = ip.split(':');
+    }
+    if (groups.length !== 8)
+        throw new Error(`Invalid IPv6: expected 8 groups, got ${groups.length} in ${ip}`);
+    let n = 0n;
+    for (const group of groups) {
+        const value = Number.parseInt(group, 16);
+        if (!Number.isInteger(value) || value < 0 || value > 0xffff) {
+            throw new Error(`Invalid IPv6 group: ${group}`);
+        }
+        n = (n << 16n) | BigInt(value);
+    }
+    return n;
+}
+function cidrMask(prefixBits, totalBits) {
+    if (prefixBits === 0)
+        return 0n;
+    if (prefixBits === totalBits)
+        return (1n << BigInt(totalBits)) - 1n;
+    const ones = (1n << BigInt(prefixBits)) - 1n;
+    return ones << BigInt(totalBits - prefixBits);
+}
+//# sourceMappingURL=ip-match.js.map

package/dist/auth/ip-match.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ip-match.js","sourceRoot":"","sources":["../../src/auth/ip-match.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAA;AAiB/B;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,GAAW;IACnC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC9B,IAAI,IAAY,CAAA;IAChB,IAAI,MAAc,CAAA;IAClB,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;QACf,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAA;QAC1B,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAA;QACtC,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;QACvC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,OAAO,SAAS,kCAAkC,CAAC,CAAA;QACnG,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,GAAG,CAAA;QACV,MAAM,GAAG,CAAC,CAAC,CAAA,CAAC,+CAA+C;IAC7D,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAA;IACzB,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,OAAO,IAAI,uCAAuC,CAAC,CAAA;IAClG,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAA;IACzC,IAAI,MAAM,KAAK,CAAC,CAAC;QAAE,MAAM,GAAG,SAAS,CAAA;IACrC,IAAI,MAAM,GAAG,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,MAAM,MAAM,gBAAgB,SAAS,WAAW,MAAM,EAAE,CAAC,CAAA;IACzG,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,CAAA;IACvE,iEAAiE;IACjE,gEAAgE;IAChE,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAA;IACzC,MAAM,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;IACtD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAe,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,CAAA;AACtE,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,UAAU,CAAC,QAA2B;IACpD,OAAO,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,EAAsB,EAAE,KAA4B;IAC/E,IAAI,CAAC,EAAE;QAAE,OAAO,KAAK,CAAA;IACrB,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,CAAA;IACvB,IAAI,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IAC9B,IAAI,KAAa,CAAA;IACjB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAA;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAA;IACzC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM;YAAE,SAAQ;QACpC,MAAM,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAA;QAC3D,IAAI,MAAM,KAAK,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;IAC1C,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,oBAAoB;AAEpB,SAAS,YAAY,CAAC,EAAU;IAC9B,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC3B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAA;IAC9D,IAAI,CAAC,GAAG,EAAE,CAAA;IACV,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;QACvC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,EAAE,CAAC,CAAA;QAChD,CAAC;QACD,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAA;IAC/B,CAAC;IACD,OAAO,CAAC,CAAA;AACV,CAAC;AAED,SAAS,YAAY,CAAC,EAAU;IAC9B,+DAA+D;IAC/D,oDAAoD;IACpD,4DAA4D;IAC5D,mCAAmC;IACnC,MAAM,WAAW,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;IACpC,IAAI,MAAgB,CAAA;IACpB,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAChE,MAAM,KAAK,GAAG,EAAE;aACb,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC;aACtB,KAAK,CAAC,GAAG,CAAC;aACV,MAAM,CAAC,OAAO,CAAC,CAAA;QAClB,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAA;QAChD,IAAI,SAAS,GAAG,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,EAAE,EAAE,CAAC,CAAA;QAC5E,MAAM,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,KAAK,CAAC,CAAA;IACjE,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACxB,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,MAAM,CAAC,MAAM,OAAO,EAAE,EAAE,CAAC,CAAA;IAC1G,IAAI,CAAC,GAAG,EAAE,CAAA;IACV,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;QACxC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,MAAM,EAAE,CAAC;YAC5D,MAAM,IAAI,KAAK,CAAC,uBAAuB,KAAK,EAAE,CAAC,CAAA;QACjD,CAAC;QACD,CAAC,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAA;IAChC,CAAC;IACD,OAAO,CAAC,CAAA;AACV,CAAC;AAED,SAAS,QAAQ,CAAC,UAAkB,EAAE,SAAiB;IACrD,IAAI,UAAU,KAAK,CAAC;QAAE,OAAO,EAAE,CAAA;IAC/B,IAAI,UAAU,KAAK,SAAS;QAAE,OAAO,CAAC,EAAE,IAAI,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,EAAE,CAAA;IACnE,MAAM,IAAI,GAAG,CAAC,EAAE,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,CAAA;IAC5C,OAAO,IAAI,IAAI,MAAM,CAAC,SAAS,GAAG,UAAU,CAAC,CAAA;AAC/C,CAAC"}

package/dist/auth/provider.d.ts ADDED Viewed

@@ -0,0 +1,76 @@
+/**
+ * `AuthIdentityProvider` — the seam between Gazetta and upstream
+ * authentication.
+ *
+ * # The contract
+ *
+ * Each provider knows how to extract a `Principal` from one trust
+ * mode's request shape. The `extractPrincipal(req)` method is
+ * synchronous-or-async; the auth middleware awaits it and attaches
+ * the result to the Hono request context.
+ *
+ * # Error semantics
+ *
+ *   - Returns `null` when the request has no identity (anonymous,
+ *     no upstream auth applied) — the middleware decides whether to
+ *     reject (401) or grant the `unknown` principal based on the
+ *     trust mode
+ *   - Throws `AuthenticationError` when the identity is corrupt
+ *     (signature verification failed, header malformed)
+ *   - Never throws on transport errors (per Universal Provider
+ *     Requirement #5 — fail-open) — JWKS fetch failures fall back
+ *     to fail-closed reject with a structured log
+ *
+ * # Why a registered factory pattern
+ *
+ * Trust modes are operator-configurable in `site.config.ts`. The
+ * dispatcher reads `admin.auth.trust` and constructs the matching
+ * provider. Plugin promotion (per ADR-0009 + `design-plugins.md`):
+ * external trust modes ship as npm packages exporting a factory
+ * function returning `AuthIdentityProvider`; operators import the
+ * factory and assign the result to `admin.auth` directly. No
+ * runtime register method.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: each provider owns one trust mode's mechanics; doesn't
+ *     read config, doesn't dispatch, doesn't wire middleware.
+ *   - LSP: every provider satisfies the same interface; consumers
+ *     branch only on `provider.trustMode` for diagnostics, never
+ *     for behavior.
+ *   - DIP: middleware depends on this interface, not on concrete
+ *     classes.
+ *   - ISP: interface stays narrow — name + extract function. No
+ *     capability-detection methods every provider must stub out.
+ */
+import type { Principal, TrustMode } from './types.js';
+/**
+ * Minimal request shape the provider needs. We don't depend on Hono
+ * directly here so providers can be unit-tested with synthetic
+ * requests; the middleware adapts the Hono request before calling.
+ */
+export interface AuthRequest {
+    /** Map of header name → value. Header names are lowercased per HTTP convention. */
+    headers: ReadonlyMap<string, string>;
+    /** Source IP after trust-mode-driven extraction. Optional. */
+    sourceIp?: string;
+    /** Method + URL — providers rarely need these, but available. */
+    method?: string;
+    url?: string;
+}
+/**
+ * The provider contract. Trust-mode-specific implementations live
+ * under `auth/providers/`.
+ */
+export interface AuthIdentityProvider {
+    /** Identifies the trust mode this provider implements. */
+    readonly trustMode: TrustMode;
+    /**
+     * Pull identity from the request. Returns `null` when no identity
+     * is present (anonymous request); throws `AuthenticationError` for
+     * corrupted credentials. Configuration errors surface at provider
+     * construction, not here.
+     */
+    extractPrincipal(req: AuthRequest): Promise<Principal | null>;
+}
+//# sourceMappingURL=provider.d.ts.map

package/dist/auth/provider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../src/auth/provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAEtD;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,mFAAmF;IACnF,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IACpC,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,0DAA0D;IAC1D,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAA;IAC7B;;;;;OAKG;IACH,gBAAgB,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAA;CAC9D"}

package/dist/auth/provider.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=provider.js.map

package/dist/auth/provider.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"provider.js","sourceRoot":"","sources":["../../src/auth/provider.ts"],"names":[],"mappings":""}

package/dist/auth/providers/aws-cognito.d.ts ADDED Viewed

@@ -0,0 +1,55 @@
+/**
+ * `aws-cognito` trust mode — AWS Application Load Balancer fronting
+ * the admin with Cognito user pool authentication. ALB injects a
+ * signed JWT in the `x-amzn-oidc-data` header containing the
+ * authenticated user's claims.
+ *
+ * # Why JWT verification (just like cloudflare-access)
+ *
+ * The ALB-issued token is signed with AWS's per-region key. Verifying
+ * the signature is the security contract — without it, anyone behind
+ * the LB or with header-injection access can forge identity.
+ *
+ * # JWKS endpoint shape
+ *
+ * AWS publishes the verification keys at:
+ *
+ *     https://public-keys.auth.elb.{region}.amazonaws.com/{kid}
+ *
+ * Unlike Cloudflare's single-JWKS endpoint, AWS's endpoint is keyed
+ * by the JWT header's `kid`. jose's `createRemoteJWKSet` doesn't fit
+ * this shape; we wire a custom `JWTVerifyGetKey` that fetches the
+ * specific kid. The `jwksFactory` injection point makes this pluggable
+ * for tests.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: same as cloudflare-access — JWT verification only.
+ *   - LSP: same `AuthIdentityProvider` shape.
+ *   - DIP: jwksFactory injection point lets tests run without HTTP.
+ */
+import { type JWTVerifyGetKey } from 'jose';
+import type { AuthIdentityProvider } from '../provider.js';
+export interface AwsCognitoConfig {
+    /**
+     * AWS region the ALB runs in. Required to construct the JWKS URL
+     * (`public-keys.auth.elb.{region}.amazonaws.com`).
+     */
+    region: string;
+    /**
+     * Optional `aud` claim — Cognito user-pool app client id. Setting
+     * this prevents token replay across other Cognito-protected apps
+     * sharing the same user pool.
+     */
+    audience?: string;
+    /** Optional default role until Cut 6's role-resolver wires up. */
+    defaultRole?: string;
+    /**
+     * Internal: factory for the JWKS verifier. Tests inject a stub.
+     * Production builds a fetch-based key resolver per AWS's
+     * keyed-by-kid endpoint shape.
+     */
+    jwksFactory?: (region: string) => JWTVerifyGetKey;
+}
+export declare function createAwsCognitoAuthProvider(config: AwsCognitoConfig): AuthIdentityProvider;
+//# sourceMappingURL=aws-cognito.d.ts.map

package/dist/auth/providers/aws-cognito.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"aws-cognito.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/aws-cognito.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,OAAO,EAA8B,KAAK,eAAe,EAAE,MAAM,MAAM,CAAA;AAEvE,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAIvE,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB;;;;OAIG;IACH,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,eAAe,CAAA;CAClD;AAyDD,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,gBAAgB,GAAG,oBAAoB,CA2C3F"}

package/dist/auth/providers/aws-cognito.js ADDED Viewed

@@ -0,0 +1,114 @@
+/**
+ * `aws-cognito` trust mode — AWS Application Load Balancer fronting
+ * the admin with Cognito user pool authentication. ALB injects a
+ * signed JWT in the `x-amzn-oidc-data` header containing the
+ * authenticated user's claims.
+ *
+ * # Why JWT verification (just like cloudflare-access)
+ *
+ * The ALB-issued token is signed with AWS's per-region key. Verifying
+ * the signature is the security contract — without it, anyone behind
+ * the LB or with header-injection access can forge identity.
+ *
+ * # JWKS endpoint shape
+ *
+ * AWS publishes the verification keys at:
+ *
+ *     https://public-keys.auth.elb.{region}.amazonaws.com/{kid}
+ *
+ * Unlike Cloudflare's single-JWKS endpoint, AWS's endpoint is keyed
+ * by the JWT header's `kid`. jose's `createRemoteJWKSet` doesn't fit
+ * this shape; we wire a custom `JWTVerifyGetKey` that fetches the
+ * specific kid. The `jwksFactory` injection point makes this pluggable
+ * for tests.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: same as cloudflare-access — JWT verification only.
+ *   - LSP: same `AuthIdentityProvider` shape.
+ *   - DIP: jwksFactory injection point lets tests run without HTTP.
+ */
+import { jwtVerify } from 'jose';
+import { AuthenticationError, AuthConfigurationError } from '../errors.js';
+import { expandRole } from '../capabilities.js';
+/**
+ * Default JWKS factory — fetches AWS's per-kid public key. Each
+ * verification call may hit a different kid; the resolver caches
+ * downloaded keys to keep verification fast under steady load.
+ *
+ * Operators may want to override this with a `createRemoteJWKSet`
+ * variant if they front Cognito directly (without ALB) — that's
+ * outside Cut 5's scope; the injection point keeps it open.
+ */
+function defaultJwksFactory(region) {
+    const cache = new Map();
+    return async (header) => {
+        if (!header.kid) {
+            throw new AuthenticationError('AWS Cognito JWT has no kid in header');
+        }
+        const cached = cache.get(header.kid);
+        if (cached)
+            return cached;
+        const url = `https://public-keys.auth.elb.${region}.amazonaws.com/${encodeURIComponent(header.kid)}`;
+        const res = await fetch(url);
+        if (!res.ok) {
+            throw new AuthenticationError(`AWS public-keys endpoint returned ${res.status} for kid ${header.kid}`);
+        }
+        const pem = await res.text();
+        // Defer to Web Crypto's importKey via jose — actually jose
+        // accepts CryptoKey directly. We use Node's crypto subtle to
+        // import the PEM. This works in Node 22+ which has full WebCrypto.
+        const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
+        const key = await subtle.importKey('spki', pemToDer(pem), { name: 'ECDSA', namedCurve: header.alg === 'ES512' ? 'P-521' : 'P-256' }, false, ['verify']);
+        cache.set(header.kid, key);
+        return key;
+    };
+}
+function pemToDer(pem) {
+    const body = pem
+        .replace(/-----BEGIN [^-]+-----/, '')
+        .replace(/-----END [^-]+-----/, '')
+        .replace(/\s+/g, '');
+    const bin = Buffer.from(body, 'base64');
+    return bin.buffer.slice(bin.byteOffset, bin.byteOffset + bin.byteLength);
+}
+export function createAwsCognitoAuthProvider(config) {
+    if (!config.region || config.region.length === 0) {
+        throw new AuthConfigurationError('aws-cognito trust mode requires region (e.g. "us-east-1")');
+    }
+    if (!/^[a-z]{2}-[a-z]+-\d+$/.test(config.region)) {
+        throw new AuthConfigurationError(`Invalid region "${config.region}": expected AWS region format like "us-east-1" or "eu-west-2"`);
+    }
+    const jwks = (config.jwksFactory ?? defaultJwksFactory)(config.region);
+    const defaultRole = config.defaultRole ?? 'editor';
+    return {
+        trustMode: 'aws-cognito',
+        async extractPrincipal(req) {
+            const token = req.headers.get('x-amzn-oidc-data');
+            if (!token)
+                return null;
+            let payload;
+            try {
+                const result = await jwtVerify(token, jwks, {
+                    audience: config.audience,
+                });
+                payload = result.payload;
+            }
+            catch (err) {
+                throw new AuthenticationError(`AWS Cognito JWT verification failed: ${err.message}`);
+            }
+            const id = payload.sub ?? payload.username;
+            if (!id) {
+                throw new AuthenticationError('AWS Cognito JWT has no sub or username claim');
+            }
+            return {
+                id,
+                email: payload.email,
+                role: defaultRole,
+                trustMode: 'aws-cognito',
+                capabilities: expandRole(defaultRole) ?? [],
+            };
+        },
+    };
+}
+//# sourceMappingURL=aws-cognito.js.map

package/dist/auth/providers/aws-cognito.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"aws-cognito.js","sourceRoot":"","sources":["../../../src/auth/providers/aws-cognito.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,OAAO,EAAE,SAAS,EAAyC,MAAM,MAAM,CAAA;AAGvE,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AA+B/C;;;;;;;;GAQG;AACH,SAAS,kBAAkB,CAAC,MAAc;IACxC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAqB,CAAA;IAC1C,OAAO,KAAK,EAAE,MAAsC,EAAE,EAAE;QACtD,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAChB,MAAM,IAAI,mBAAmB,CAAC,sCAAsC,CAAC,CAAA;QACvE,CAAC;QACD,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACpC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAA;QACzB,MAAM,GAAG,GAAG,gCAAgC,MAAM,kBAAkB,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAA;QACpG,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAA;QAC5B,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,mBAAmB,CAAC,qCAAqC,GAAG,CAAC,MAAM,YAAY,MAAM,CAAC,GAAG,EAAE,CAAC,CAAA;QACxG,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;QAC5B,2DAA2D;QAC3D,6DAA6D;QAC7D,mEAAmE;QACnE,MAAM,MAAM,GAAG,CAAC,UAAU,CAAC,MAAM,IAAI,OAAO,CAAC,aAAa,CAAC,CAAC,SAAS,CAAC,CAAC,MAAM,CAAA;QAC7E,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,SAAS,CAChC,MAAM,EACN,QAAQ,CAAC,GAAG,CAAC,EACb,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,GAAG,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,EACzE,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAA;QACD,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC1B,OAAO,GAAG,CAAA;IACZ,CAAC,CAAA;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,IAAI,GAAG,GAAG;SACb,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC;SACpC,OAAO,CAAC,qBAAqB,EAAE,EAAE,CAAC;SAClC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IACtB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;IACvC,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC,UAAU,CAAC,CAAA;AAC1E,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,MAAwB;IACnE,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,sBAAsB,CAAC,2DAA2D,CAAC,CAAA;IAC/F,CAAC;IACD,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,sBAAsB,CAC9B,mBAAmB,MAAM,CAAC,MAAM,+DAA+D,CAChG,CAAA;IACH,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,IAAI,kBAAkB,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACtE,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,QAAQ,CAAA;IAElD,OAAO;QACL,SAAS,EAAE,aAAa;QACxB,KAAK,CAAC,gBAAgB,CAAC,GAAgB;YACrC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACjD,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAA;YAEvB,IAAI,OAAsB,CAAA;YAC1B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAgB,KAAK,EAAE,IAAI,EAAE;oBACzD,QAAQ,EAAE,MAAM,CAAC,QAAQ;iBAC1B,CAAC,CAAA;gBACF,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;YAC1B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,mBAAmB,CAAC,wCAAyC,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;YACjG,CAAC;YAED,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAA;YAC1C,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,IAAI,mBAAmB,CAAC,8CAA8C,CAAC,CAAA;YAC/E,CAAC;YAED,OAAO;gBACL,EAAE;gBACF,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE,aAAa;gBACxB,YAAY,EAAE,UAAU,CAAC,WAAW,CAAC,IAAI,EAAE;aAC5C,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/auth/providers/azure-easy-auth.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { AuthIdentityProvider } from '../provider.js';
+export interface AzureEasyAuthConfig {
+    /** Optional default role until Cut 6's role-resolver wires up. */
+    defaultRole?: string;
+}
+export declare function createAzureEasyAuthProvider(config?: AzureEasyAuthConfig): AuthIdentityProvider;
+//# sourceMappingURL=azure-easy-auth.d.ts.map

package/dist/auth/providers/azure-easy-auth.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"azure-easy-auth.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/azure-easy-auth.ts"],"names":[],"mappings":"AAqDA,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAIvE,MAAM,WAAW,mBAAmB;IAClC,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAeD,wBAAgB,2BAA2B,CAAC,MAAM,GAAE,mBAAwB,GAAG,oBAAoB,CAkDlG"}