gazetta 0.6.0 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/admin-dist/assets/index-CBeq0rRb.js +693 -0
- package/admin-dist/assets/index-Dtg1dTZQ.css +1 -0
- package/admin-dist/assets/rolldown-runtime-BYbx6iT9.js +1 -0
- package/admin-dist/assets/{vendor-primevue-C0Q_YTCb.js → vendor-primevue-CBGHkaXv.js} +183 -39
- package/admin-dist/assets/{vendor-react-BipDVGow.js → vendor-react-BdW_kNCG.js} +2 -2
- package/admin-dist/assets/vendor-rjsf-lN2SztQt.js +33 -0
- package/admin-dist/assets/vendor-tiptap-C36yDquB.js +141 -0
- package/admin-dist/assets/vendor-vue-Bt5uR1VW.js +1 -0
- package/admin-dist/assets/workbox-window.prod.es5-DGMtIXHc.js +2 -0
- package/admin-dist/index.html +8 -8
- package/admin-dist/sw.js +1 -0
- package/dist/admin-api/archived-name-conflict.d.ts +31 -0
- package/dist/admin-api/archived-name-conflict.d.ts.map +1 -0
- package/dist/admin-api/archived-name-conflict.js +226 -0
- package/dist/admin-api/archived-name-conflict.js.map +1 -0
- package/dist/admin-api/cache-stats-logger.d.ts +83 -0
- package/dist/admin-api/cache-stats-logger.d.ts.map +1 -0
- package/dist/admin-api/cache-stats-logger.js +59 -0
- package/dist/admin-api/cache-stats-logger.js.map +1 -0
- package/dist/admin-api/error-response.d.ts +21 -0
- package/dist/admin-api/error-response.d.ts.map +1 -0
- package/dist/admin-api/error-response.js +12 -0
- package/dist/admin-api/error-response.js.map +1 -0
- package/dist/admin-api/hook-audit-emitter.d.ts +38 -0
- package/dist/admin-api/hook-audit-emitter.d.ts.map +1 -0
- package/dist/admin-api/hook-audit-emitter.js +21 -0
- package/dist/admin-api/hook-audit-emitter.js.map +1 -0
- package/dist/admin-api/index.d.ts +84 -2
- package/dist/admin-api/index.d.ts.map +1 -1
- package/dist/admin-api/index.js +257 -32
- package/dist/admin-api/index.js.map +1 -1
- package/dist/admin-api/middleware/audit.d.ts +25 -0
- package/dist/admin-api/middleware/audit.d.ts.map +1 -0
- package/dist/admin-api/middleware/audit.js +65 -0
- package/dist/admin-api/middleware/audit.js.map +1 -0
- package/dist/admin-api/middleware/capability.d.ts +8 -0
- package/dist/admin-api/middleware/capability.d.ts.map +1 -0
- package/dist/admin-api/middleware/capability.js +65 -0
- package/dist/admin-api/middleware/capability.js.map +1 -0
- package/dist/admin-api/middleware/principal.d.ts +18 -0
- package/dist/admin-api/middleware/principal.d.ts.map +1 -0
- package/dist/admin-api/middleware/principal.js +128 -0
- package/dist/admin-api/middleware/principal.js.map +1 -0
- package/dist/admin-api/routes/archive-review.d.ts +80 -0
- package/dist/admin-api/routes/archive-review.d.ts.map +1 -0
- package/dist/admin-api/routes/archive-review.js +70 -0
- package/dist/admin-api/routes/archive-review.js.map +1 -0
- package/dist/admin-api/routes/archive.d.ts +145 -0
- package/dist/admin-api/routes/archive.d.ts.map +1 -0
- package/dist/admin-api/routes/archive.js +540 -0
- package/dist/admin-api/routes/archive.js.map +1 -0
- package/dist/admin-api/routes/assets.d.ts +21 -0
- package/dist/admin-api/routes/assets.d.ts.map +1 -0
- package/dist/admin-api/routes/assets.js +586 -0
- package/dist/admin-api/routes/assets.js.map +1 -0
- package/dist/admin-api/routes/audit.d.ts +71 -0
- package/dist/admin-api/routes/audit.d.ts.map +1 -0
- package/dist/admin-api/routes/audit.js +178 -0
- package/dist/admin-api/routes/audit.js.map +1 -0
- package/dist/admin-api/routes/compare.d.ts.map +1 -1
- package/dist/admin-api/routes/compare.js +3 -2
- package/dist/admin-api/routes/compare.js.map +1 -1
- package/dist/admin-api/routes/fields.d.ts.map +1 -1
- package/dist/admin-api/routes/fields.js +2 -1
- package/dist/admin-api/routes/fields.js.map +1 -1
- package/dist/admin-api/routes/fragments.d.ts +13 -1
- package/dist/admin-api/routes/fragments.d.ts.map +1 -1
- package/dist/admin-api/routes/fragments.js +128 -67
- package/dist/admin-api/routes/fragments.js.map +1 -1
- package/dist/admin-api/routes/health.d.ts +60 -0
- package/dist/admin-api/routes/health.d.ts.map +1 -0
- package/dist/admin-api/routes/health.js +65 -0
- package/dist/admin-api/routes/health.js.map +1 -0
- package/dist/admin-api/routes/history.d.ts +2 -1
- package/dist/admin-api/routes/history.d.ts.map +1 -1
- package/dist/admin-api/routes/history.js +26 -4
- package/dist/admin-api/routes/history.js.map +1 -1
- package/dist/admin-api/routes/pages.d.ts +20 -1
- package/dist/admin-api/routes/pages.d.ts.map +1 -1
- package/dist/admin-api/routes/pages.js +158 -85
- package/dist/admin-api/routes/pages.js.map +1 -1
- package/dist/admin-api/routes/preview.d.ts.map +1 -1
- package/dist/admin-api/routes/preview.js +56 -17
- package/dist/admin-api/routes/preview.js.map +1 -1
- package/dist/admin-api/routes/publish.d.ts +19 -1
- package/dist/admin-api/routes/publish.d.ts.map +1 -1
- package/dist/admin-api/routes/publish.js +548 -99
- package/dist/admin-api/routes/publish.js.map +1 -1
- package/dist/admin-api/routes/rename.d.ts +62 -0
- package/dist/admin-api/routes/rename.d.ts.map +1 -0
- package/dist/admin-api/routes/rename.js +366 -0
- package/dist/admin-api/routes/rename.js.map +1 -0
- package/dist/admin-api/routes/site.d.ts.map +1 -1
- package/dist/admin-api/routes/site.js +6 -18
- package/dist/admin-api/routes/site.js.map +1 -1
- package/dist/admin-api/routes/system.d.ts +23 -0
- package/dist/admin-api/routes/system.d.ts.map +1 -0
- package/dist/admin-api/routes/system.js +115 -0
- package/dist/admin-api/routes/system.js.map +1 -0
- package/dist/admin-api/routes/templates.d.ts +11 -1
- package/dist/admin-api/routes/templates.d.ts.map +1 -1
- package/dist/admin-api/routes/templates.js +36 -3
- package/dist/admin-api/routes/templates.js.map +1 -1
- package/dist/admin-api/routes/validation.d.ts +47 -0
- package/dist/admin-api/routes/validation.d.ts.map +1 -0
- package/dist/admin-api/routes/validation.js +120 -0
- package/dist/admin-api/routes/validation.js.map +1 -0
- package/dist/admin-api/schemas/archive.d.ts +124 -0
- package/dist/admin-api/schemas/archive.d.ts.map +1 -0
- package/dist/admin-api/schemas/archive.js +93 -0
- package/dist/admin-api/schemas/archive.js.map +1 -0
- package/dist/admin-api/schemas/assets.d.ts +64 -0
- package/dist/admin-api/schemas/assets.d.ts.map +1 -0
- package/dist/admin-api/schemas/assets.js +59 -0
- package/dist/admin-api/schemas/assets.js.map +1 -0
- package/dist/admin-api/schemas/audit.d.ts +175 -0
- package/dist/admin-api/schemas/audit.d.ts.map +1 -0
- package/dist/admin-api/schemas/audit.js +91 -0
- package/dist/admin-api/schemas/audit.js.map +1 -0
- package/dist/admin-api/schemas/error.d.ts +94 -0
- package/dist/admin-api/schemas/error.d.ts.map +1 -0
- package/dist/admin-api/schemas/error.js +79 -0
- package/dist/admin-api/schemas/error.js.map +1 -0
- package/dist/admin-api/schemas/fragments.d.ts +2 -0
- package/dist/admin-api/schemas/fragments.d.ts.map +1 -1
- package/dist/admin-api/schemas/fragments.js +4 -0
- package/dist/admin-api/schemas/fragments.js.map +1 -1
- package/dist/admin-api/schemas/index.d.ts +10 -0
- package/dist/admin-api/schemas/index.d.ts.map +1 -1
- package/dist/admin-api/schemas/index.js +10 -0
- package/dist/admin-api/schemas/index.js.map +1 -1
- package/dist/admin-api/schemas/pages.d.ts +2 -0
- package/dist/admin-api/schemas/pages.d.ts.map +1 -1
- package/dist/admin-api/schemas/pages.js +11 -0
- package/dist/admin-api/schemas/pages.js.map +1 -1
- package/dist/admin-api/schemas/rename.d.ts +77 -0
- package/dist/admin-api/schemas/rename.d.ts.map +1 -0
- package/dist/admin-api/schemas/rename.js +75 -0
- package/dist/admin-api/schemas/rename.js.map +1 -0
- package/dist/admin-api/schemas/site.d.ts +3 -2
- package/dist/admin-api/schemas/site.d.ts.map +1 -1
- package/dist/admin-api/schemas/site.js +3 -2
- package/dist/admin-api/schemas/site.js.map +1 -1
- package/dist/admin-api/schemas/system.d.ts +28 -0
- package/dist/admin-api/schemas/system.d.ts.map +1 -0
- package/dist/admin-api/schemas/system.js +35 -0
- package/dist/admin-api/schemas/system.js.map +1 -0
- package/dist/admin-api/schemas/targets.d.ts +55 -0
- package/dist/admin-api/schemas/targets.d.ts.map +1 -1
- package/dist/admin-api/schemas/targets.js +46 -0
- package/dist/admin-api/schemas/targets.js.map +1 -1
- package/dist/admin-api/schemas/templates.d.ts +54 -0
- package/dist/admin-api/schemas/templates.d.ts.map +1 -1
- package/dist/admin-api/schemas/templates.js +21 -0
- package/dist/admin-api/schemas/templates.js.map +1 -1
- package/dist/admin-api/schemas/validation.d.ts +101 -0
- package/dist/admin-api/schemas/validation.d.ts.map +1 -0
- package/dist/admin-api/schemas/validation.js +57 -0
- package/dist/admin-api/schemas/validation.js.map +1 -0
- package/dist/admin-api/source-context.d.ts +66 -17
- package/dist/admin-api/source-context.d.ts.map +1 -1
- package/dist/admin-api/source-context.js +43 -8
- package/dist/admin-api/source-context.js.map +1 -1
- package/dist/ai/adapter-scaffold.d.ts +63 -0
- package/dist/ai/adapter-scaffold.d.ts.map +1 -0
- package/dist/ai/adapter-scaffold.js +89 -0
- package/dist/ai/adapter-scaffold.js.map +1 -0
- package/dist/ai/compose-prompt.d.ts +50 -0
- package/dist/ai/compose-prompt.d.ts.map +1 -0
- package/dist/ai/compose-prompt.js +49 -0
- package/dist/ai/compose-prompt.js.map +1 -0
- package/dist/ai/errors.d.ts +65 -0
- package/dist/ai/errors.d.ts.map +1 -0
- package/dist/ai/errors.js +59 -0
- package/dist/ai/errors.js.map +1 -0
- package/dist/ai/index.d.ts +17 -0
- package/dist/ai/index.d.ts.map +1 -0
- package/dist/ai/index.js +16 -0
- package/dist/ai/index.js.map +1 -0
- package/dist/ai/provider.d.ts +76 -0
- package/dist/ai/provider.d.ts.map +1 -0
- package/dist/ai/provider.js +13 -0
- package/dist/ai/provider.js.map +1 -0
- package/dist/ai/refusal.d.ts +50 -0
- package/dist/ai/refusal.d.ts.map +1 -0
- package/dist/ai/refusal.js +100 -0
- package/dist/ai/refusal.js.map +1 -0
- package/dist/ai/vision-prep.d.ts +32 -0
- package/dist/ai/vision-prep.d.ts.map +1 -0
- package/dist/ai/vision-prep.js +113 -0
- package/dist/ai/vision-prep.js.map +1 -0
- package/dist/alt/adapter.d.ts +140 -0
- package/dist/alt/adapter.d.ts.map +1 -0
- package/dist/alt/adapter.js +7 -0
- package/dist/alt/adapter.js.map +1 -0
- package/dist/alt/anthropic.d.ts +63 -0
- package/dist/alt/anthropic.d.ts.map +1 -0
- package/dist/alt/anthropic.js +147 -0
- package/dist/alt/anthropic.js.map +1 -0
- package/dist/alt/config.d.ts +67 -0
- package/dist/alt/config.d.ts.map +1 -0
- package/dist/alt/config.js +41 -0
- package/dist/alt/config.js.map +1 -0
- package/dist/alt/factory.d.ts +19 -0
- package/dist/alt/factory.d.ts.map +1 -0
- package/dist/alt/factory.js +69 -0
- package/dist/alt/factory.js.map +1 -0
- package/dist/alt/null-adapter.d.ts +3 -0
- package/dist/alt/null-adapter.d.ts.map +1 -0
- package/dist/alt/null-adapter.js +43 -0
- package/dist/alt/null-adapter.js.map +1 -0
- package/dist/alt/ollama.d.ts +40 -0
- package/dist/alt/ollama.d.ts.map +1 -0
- package/dist/alt/ollama.js +139 -0
- package/dist/alt/ollama.js.map +1 -0
- package/dist/alt/openai.d.ts +46 -0
- package/dist/alt/openai.d.ts.map +1 -0
- package/dist/alt/openai.js +118 -0
- package/dist/alt/openai.js.map +1 -0
- package/dist/alt/prompt-policies.d.ts +79 -0
- package/dist/alt/prompt-policies.d.ts.map +1 -0
- package/dist/alt/prompt-policies.js +67 -0
- package/dist/alt/prompt-policies.js.map +1 -0
- package/dist/alt/route-handler.d.ts +56 -0
- package/dist/alt/route-handler.d.ts.map +1 -0
- package/dist/alt/route-handler.js +122 -0
- package/dist/alt/route-handler.js.map +1 -0
- package/dist/alt/suggester.d.ts +57 -0
- package/dist/alt/suggester.d.ts.map +1 -0
- package/dist/alt/suggester.js +133 -0
- package/dist/alt/suggester.js.map +1 -0
- package/dist/app.js +1 -1
- package/dist/app.js.map +1 -1
- package/dist/archive-aliases.d.ts +79 -0
- package/dist/archive-aliases.d.ts.map +1 -0
- package/dist/archive-aliases.js +60 -0
- package/dist/archive-aliases.js.map +1 -0
- package/dist/archive-helpers.d.ts +73 -0
- package/dist/archive-helpers.d.ts.map +1 -0
- package/dist/archive-helpers.js +94 -0
- package/dist/archive-helpers.js.map +1 -0
- package/dist/assets/analyze-audio.d.ts +3 -0
- package/dist/assets/analyze-audio.d.ts.map +1 -0
- package/dist/assets/analyze-audio.js +80 -0
- package/dist/assets/analyze-audio.js.map +1 -0
- package/dist/assets/analyze-image.d.ts +19 -0
- package/dist/assets/analyze-image.d.ts.map +1 -0
- package/dist/assets/analyze-image.js +123 -0
- package/dist/assets/analyze-image.js.map +1 -0
- package/dist/assets/analyze.d.ts +94 -0
- package/dist/assets/analyze.d.ts.map +1 -0
- package/dist/assets/analyze.js +45 -0
- package/dist/assets/analyze.js.map +1 -0
- package/dist/assets/asset-deps.d.ts +30 -0
- package/dist/assets/asset-deps.d.ts.map +1 -0
- package/dist/assets/asset-deps.js +42 -0
- package/dist/assets/asset-deps.js.map +1 -0
- package/dist/assets/asset-paths.d.ts +155 -0
- package/dist/assets/asset-paths.d.ts.map +1 -0
- package/dist/assets/asset-paths.js +197 -0
- package/dist/assets/asset-paths.js.map +1 -0
- package/dist/assets/delete.d.ts +75 -0
- package/dist/assets/delete.d.ts.map +1 -0
- package/dist/assets/delete.js +82 -0
- package/dist/assets/delete.js.map +1 -0
- package/dist/assets/errors.d.ts +241 -0
- package/dist/assets/errors.d.ts.map +1 -0
- package/dist/assets/errors.js +300 -0
- package/dist/assets/errors.js.map +1 -0
- package/dist/assets/find-refs.d.ts +37 -0
- package/dist/assets/find-refs.d.ts.map +1 -0
- package/dist/assets/find-refs.js +35 -0
- package/dist/assets/find-refs.js.map +1 -0
- package/dist/assets/hash.d.ts +13 -0
- package/dist/assets/hash.d.ts.map +1 -0
- package/dist/assets/hash.js +43 -0
- package/dist/assets/hash.js.map +1 -0
- package/dist/assets/image-metadata.d.ts +11 -0
- package/dist/assets/image-metadata.d.ts.map +1 -0
- package/dist/assets/image-metadata.js +31 -0
- package/dist/assets/image-metadata.js.map +1 -0
- package/dist/assets/ingest-locale.d.ts +86 -0
- package/dist/assets/ingest-locale.d.ts.map +1 -0
- package/dist/assets/ingest-locale.js +209 -0
- package/dist/assets/ingest-locale.js.map +1 -0
- package/dist/assets/ingest.d.ts +96 -0
- package/dist/assets/ingest.d.ts.map +1 -0
- package/dist/assets/ingest.js +308 -0
- package/dist/assets/ingest.js.map +1 -0
- package/dist/assets/kind-compat.d.ts +34 -0
- package/dist/assets/kind-compat.d.ts.map +1 -0
- package/dist/assets/kind-compat.js +33 -0
- package/dist/assets/kind-compat.js.map +1 -0
- package/dist/assets/list.d.ts +46 -0
- package/dist/assets/list.d.ts.map +1 -0
- package/dist/assets/list.js +102 -0
- package/dist/assets/list.js.map +1 -0
- package/dist/assets/manifest-default.d.ts +56 -0
- package/dist/assets/manifest-default.d.ts.map +1 -0
- package/dist/assets/manifest-default.js +120 -0
- package/dist/assets/manifest-default.js.map +1 -0
- package/dist/assets/manifest-filename.d.ts +52 -0
- package/dist/assets/manifest-filename.d.ts.map +1 -0
- package/dist/assets/manifest-filename.js +104 -0
- package/dist/assets/manifest-filename.js.map +1 -0
- package/dist/assets/manifest-locale.d.ts +60 -0
- package/dist/assets/manifest-locale.d.ts.map +1 -0
- package/dist/assets/manifest-locale.js +206 -0
- package/dist/assets/manifest-locale.js.map +1 -0
- package/dist/assets/manifest-merge.d.ts +66 -0
- package/dist/assets/manifest-merge.d.ts.map +1 -0
- package/dist/assets/manifest-merge.js +82 -0
- package/dist/assets/manifest-merge.js.map +1 -0
- package/dist/assets/manifest.d.ts +83 -0
- package/dist/assets/manifest.d.ts.map +1 -0
- package/dist/assets/manifest.js +93 -0
- package/dist/assets/manifest.js.map +1 -0
- package/dist/assets/mime-sniff.d.ts +18 -0
- package/dist/assets/mime-sniff.d.ts.map +1 -0
- package/dist/assets/mime-sniff.js +84 -0
- package/dist/assets/mime-sniff.js.map +1 -0
- package/dist/assets/preprocess-svg.d.ts +3 -0
- package/dist/assets/preprocess-svg.d.ts.map +1 -0
- package/dist/assets/preprocess-svg.js +49 -0
- package/dist/assets/preprocess-svg.js.map +1 -0
- package/dist/assets/preprocess.d.ts +62 -0
- package/dist/assets/preprocess.d.ts.map +1 -0
- package/dist/assets/preprocess.js +86 -0
- package/dist/assets/preprocess.js.map +1 -0
- package/dist/assets/publish-plan.d.ts +41 -0
- package/dist/assets/publish-plan.d.ts.map +1 -0
- package/dist/assets/publish-plan.js +49 -0
- package/dist/assets/publish-plan.js.map +1 -0
- package/dist/assets/publish.d.ts +33 -0
- package/dist/assets/publish.d.ts.map +1 -0
- package/dist/assets/publish.js +81 -0
- package/dist/assets/publish.js.map +1 -0
- package/dist/assets/refs.d.ts +37 -0
- package/dist/assets/refs.d.ts.map +1 -0
- package/dist/assets/refs.js +33 -0
- package/dist/assets/refs.js.map +1 -0
- package/dist/assets/remove-override.d.ts +42 -0
- package/dist/assets/remove-override.d.ts.map +1 -0
- package/dist/assets/remove-override.js +53 -0
- package/dist/assets/remove-override.js.map +1 -0
- package/dist/assets/rename.d.ts +43 -0
- package/dist/assets/rename.d.ts.map +1 -0
- package/dist/assets/rename.js +271 -0
- package/dist/assets/rename.js.map +1 -0
- package/dist/assets/replace.d.ts +37 -0
- package/dist/assets/replace.d.ts.map +1 -0
- package/dist/assets/replace.js +195 -0
- package/dist/assets/replace.js.map +1 -0
- package/dist/assets/resolve.d.ts +141 -0
- package/dist/assets/resolve.d.ts.map +1 -0
- package/dist/assets/resolve.js +381 -0
- package/dist/assets/resolve.js.map +1 -0
- package/dist/assets/rewrite-manifest-asset-ref.d.ts +44 -0
- package/dist/assets/rewrite-manifest-asset-ref.d.ts.map +1 -0
- package/dist/assets/rewrite-manifest-asset-ref.js +51 -0
- package/dist/assets/rewrite-manifest-asset-ref.js.map +1 -0
- package/dist/assets/scan-manifest-for-asset.d.ts +63 -0
- package/dist/assets/scan-manifest-for-asset.d.ts.map +1 -0
- package/dist/assets/scan-manifest-for-asset.js +105 -0
- package/dist/assets/scan-manifest-for-asset.js.map +1 -0
- package/dist/assets/serve-route.d.ts +45 -0
- package/dist/assets/serve-route.d.ts.map +1 -0
- package/dist/assets/serve-route.js +123 -0
- package/dist/assets/serve-route.js.map +1 -0
- package/dist/assets/svg-sanitize.d.ts +38 -0
- package/dist/assets/svg-sanitize.d.ts.map +1 -0
- package/dist/assets/svg-sanitize.js +209 -0
- package/dist/assets/svg-sanitize.js.map +1 -0
- package/dist/assets/update-metadata.d.ts +61 -0
- package/dist/assets/update-metadata.d.ts.map +1 -0
- package/dist/assets/update-metadata.js +82 -0
- package/dist/assets/update-metadata.js.map +1 -0
- package/dist/assets/url.d.ts +82 -0
- package/dist/assets/url.d.ts.map +1 -0
- package/dist/assets/url.js +103 -0
- package/dist/assets/url.js.map +1 -0
- package/dist/assets/validate.d.ts +74 -0
- package/dist/assets/validate.d.ts.map +1 -0
- package/dist/assets/validate.js +136 -0
- package/dist/assets/validate.js.map +1 -0
- package/dist/assets/variants.d.ts +23 -0
- package/dist/assets/variants.d.ts.map +1 -0
- package/dist/assets/variants.js +74 -0
- package/dist/assets/variants.js.map +1 -0
- package/dist/audit/config.d.ts +75 -0
- package/dist/audit/config.d.ts.map +1 -0
- package/dist/audit/config.js +91 -0
- package/dist/audit/config.js.map +1 -0
- package/dist/audit/context.d.ts +98 -0
- package/dist/audit/context.d.ts.map +1 -0
- package/dist/audit/context.js +51 -0
- package/dist/audit/context.js.map +1 -0
- package/dist/audit/errors.d.ts +73 -0
- package/dist/audit/errors.d.ts.map +1 -0
- package/dist/audit/errors.js +78 -0
- package/dist/audit/errors.js.map +1 -0
- package/dist/audit/index.d.ts +16 -0
- package/dist/audit/index.d.ts.map +1 -0
- package/dist/audit/index.js +10 -0
- package/dist/audit/index.js.map +1 -0
- package/dist/audit/provider.d.ts +73 -0
- package/dist/audit/provider.d.ts.map +1 -0
- package/dist/audit/provider.js +2 -0
- package/dist/audit/provider.js.map +1 -0
- package/dist/audit/providers/history.d.ts +66 -0
- package/dist/audit/providers/history.d.ts.map +1 -0
- package/dist/audit/providers/history.js +102 -0
- package/dist/audit/providers/history.js.map +1 -0
- package/dist/audit/pseudonymize.d.ts +26 -0
- package/dist/audit/pseudonymize.d.ts.map +1 -0
- package/dist/audit/pseudonymize.js +86 -0
- package/dist/audit/pseudonymize.js.map +1 -0
- package/dist/audit/recorder.d.ts +102 -0
- package/dist/audit/recorder.d.ts.map +1 -0
- package/dist/audit/recorder.js +55 -0
- package/dist/audit/recorder.js.map +1 -0
- package/dist/audit/retention.d.ts +83 -0
- package/dist/audit/retention.d.ts.map +1 -0
- package/dist/audit/retention.js +142 -0
- package/dist/audit/retention.js.map +1 -0
- package/dist/audit/source-ip.d.ts +32 -0
- package/dist/audit/source-ip.d.ts.map +1 -0
- package/dist/audit/source-ip.js +164 -0
- package/dist/audit/source-ip.js.map +1 -0
- package/dist/audit/types.d.ts +143 -0
- package/dist/audit/types.d.ts.map +1 -0
- package/dist/audit/types.js +33 -0
- package/dist/audit/types.js.map +1 -0
- package/dist/audit/user-agent.d.ts +28 -0
- package/dist/audit/user-agent.d.ts.map +1 -0
- package/dist/audit/user-agent.js +63 -0
- package/dist/audit/user-agent.js.map +1 -0
- package/dist/auth/capabilities.d.ts +28 -0
- package/dist/auth/capabilities.d.ts.map +1 -0
- package/dist/auth/capabilities.js +101 -0
- package/dist/auth/capabilities.js.map +1 -0
- package/dist/auth/config.d.ts +109 -0
- package/dist/auth/config.d.ts.map +1 -0
- package/dist/auth/config.js +221 -0
- package/dist/auth/config.js.map +1 -0
- package/dist/auth/errors.d.ts +72 -0
- package/dist/auth/errors.d.ts.map +1 -0
- package/dist/auth/errors.js +78 -0
- package/dist/auth/errors.js.map +1 -0
- package/dist/auth/factory.d.ts +43 -0
- package/dist/auth/factory.d.ts.map +1 -0
- package/dist/auth/factory.js +48 -0
- package/dist/auth/factory.js.map +1 -0
- package/dist/auth/index.d.ts +21 -0
- package/dist/auth/index.d.ts.map +1 -0
- package/dist/auth/index.js +14 -0
- package/dist/auth/index.js.map +1 -0
- package/dist/auth/ip-match.d.ts +29 -0
- package/dist/auth/ip-match.d.ts.map +1 -0
- package/dist/auth/ip-match.js +162 -0
- package/dist/auth/ip-match.js.map +1 -0
- package/dist/auth/provider.d.ts +76 -0
- package/dist/auth/provider.d.ts.map +1 -0
- package/dist/auth/provider.js +2 -0
- package/dist/auth/provider.js.map +1 -0
- package/dist/auth/providers/aws-cognito.d.ts +55 -0
- package/dist/auth/providers/aws-cognito.d.ts.map +1 -0
- package/dist/auth/providers/aws-cognito.js +114 -0
- package/dist/auth/providers/aws-cognito.js.map +1 -0
- package/dist/auth/providers/azure-easy-auth.d.ts +7 -0
- package/dist/auth/providers/azure-easy-auth.d.ts.map +1 -0
- package/dist/auth/providers/azure-easy-auth.js +48 -0
- package/dist/auth/providers/azure-easy-auth.js.map +1 -0
- package/dist/auth/providers/cloudflare-access.d.ts +71 -0
- package/dist/auth/providers/cloudflare-access.d.ts.map +1 -0
- package/dist/auth/providers/cloudflare-access.js +120 -0
- package/dist/auth/providers/cloudflare-access.js.map +1 -0
- package/dist/auth/providers/forwarded-user.d.ts +31 -0
- package/dist/auth/providers/forwarded-user.d.ts.map +1 -0
- package/dist/auth/providers/forwarded-user.js +72 -0
- package/dist/auth/providers/forwarded-user.js.map +1 -0
- package/dist/auth/providers/none.d.ts +6 -0
- package/dist/auth/providers/none.d.ts.map +1 -0
- package/dist/auth/providers/none.js +19 -0
- package/dist/auth/providers/none.js.map +1 -0
- package/dist/auth/providers/tailscale.d.ts +7 -0
- package/dist/auth/providers/tailscale.d.ts.map +1 -0
- package/dist/auth/providers/tailscale.js +30 -0
- package/dist/auth/providers/tailscale.js.map +1 -0
- package/dist/auth/role-resolver.d.ts +38 -0
- package/dist/auth/role-resolver.d.ts.map +1 -0
- package/dist/auth/role-resolver.js +92 -0
- package/dist/auth/role-resolver.js.map +1 -0
- package/dist/auth/types.d.ts +150 -0
- package/dist/auth/types.d.ts.map +1 -0
- package/dist/auth/types.js +60 -0
- package/dist/auth/types.js.map +1 -0
- package/dist/cache/errors.d.ts +41 -0
- package/dist/cache/errors.d.ts.map +1 -0
- package/dist/cache/errors.js +44 -0
- package/dist/cache/errors.js.map +1 -0
- package/dist/cache/factories.d.ts +17 -0
- package/dist/cache/factories.d.ts.map +1 -0
- package/dist/cache/factories.js +17 -0
- package/dist/cache/factories.js.map +1 -0
- package/dist/cache/keys.d.ts +63 -0
- package/dist/cache/keys.d.ts.map +1 -0
- package/dist/cache/keys.js +145 -0
- package/dist/cache/keys.js.map +1 -0
- package/dist/cache/memory.d.ts +51 -0
- package/dist/cache/memory.d.ts.map +1 -0
- package/dist/cache/memory.js +204 -0
- package/dist/cache/memory.js.map +1 -0
- package/dist/cache/per-site.d.ts +22 -0
- package/dist/cache/per-site.d.ts.map +1 -0
- package/dist/cache/per-site.js +114 -0
- package/dist/cache/per-site.js.map +1 -0
- package/dist/cache/types.d.ts +142 -0
- package/dist/cache/types.d.ts.map +1 -0
- package/dist/cache/types.js +33 -0
- package/dist/cache/types.js.map +1 -0
- package/dist/cli/archive.d.ts +44 -0
- package/dist/cli/archive.d.ts.map +1 -0
- package/dist/cli/archive.js +310 -0
- package/dist/cli/archive.js.map +1 -0
- package/dist/cli/assets-cli.d.ts +58 -0
- package/dist/cli/assets-cli.d.ts.map +1 -0
- package/dist/cli/assets-cli.js +233 -0
- package/dist/cli/assets-cli.js.map +1 -0
- package/dist/cli/assets-display.d.ts +112 -0
- package/dist/cli/assets-display.d.ts.map +1 -0
- package/dist/cli/assets-display.js +106 -0
- package/dist/cli/assets-display.js.map +1 -0
- package/dist/cli/bootstrap.d.ts +15 -10
- package/dist/cli/bootstrap.d.ts.map +1 -1
- package/dist/cli/bootstrap.js +59 -24
- package/dist/cli/bootstrap.js.map +1 -1
- package/dist/cli/dev-template-watcher.d.ts +29 -0
- package/dist/cli/dev-template-watcher.d.ts.map +1 -0
- package/dist/cli/dev-template-watcher.js +38 -0
- package/dist/cli/dev-template-watcher.js.map +1 -0
- package/dist/cli/history.d.ts.map +1 -1
- package/dist/cli/history.js +5 -3
- package/dist/cli/history.js.map +1 -1
- package/dist/cli/index.js +737 -374
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/validate-flags.d.ts +29 -0
- package/dist/cli/validate-flags.d.ts.map +1 -0
- package/dist/cli/validate-flags.js +49 -0
- package/dist/cli/validate-flags.js.map +1 -0
- package/dist/compare.d.ts +1 -1
- package/dist/compare.d.ts.map +1 -1
- package/dist/compare.js +40 -35
- package/dist/compare.js.map +1 -1
- package/dist/component-ids.d.ts +25 -0
- package/dist/component-ids.d.ts.map +1 -0
- package/dist/component-ids.js +83 -0
- package/dist/component-ids.js.map +1 -0
- package/dist/config/define.d.ts +61 -0
- package/dist/config/define.d.ts.map +1 -0
- package/dist/config/define.js +64 -0
- package/dist/config/define.js.map +1 -0
- package/dist/config/errors.d.ts +32 -0
- package/dist/config/errors.d.ts.map +1 -0
- package/dist/config/errors.js +40 -0
- package/dist/config/errors.js.map +1 -0
- package/dist/config/index.d.ts +13 -0
- package/dist/config/index.d.ts.map +1 -0
- package/dist/config/index.js +20 -0
- package/dist/config/index.js.map +1 -0
- package/dist/config/loader.d.ts +105 -0
- package/dist/config/loader.d.ts.map +1 -0
- package/dist/config/loader.js +265 -0
- package/dist/config/loader.js.map +1 -0
- package/dist/config/schemas.d.ts +89 -0
- package/dist/config/schemas.d.ts.map +1 -0
- package/dist/config/schemas.js +172 -0
- package/dist/config/schemas.js.map +1 -0
- package/dist/config/types.d.ts +32 -0
- package/dist/config/types.d.ts.map +1 -0
- package/dist/config/types.js +15 -0
- package/dist/config/types.js.map +1 -0
- package/dist/dep-sidecars.d.ts +127 -0
- package/dist/dep-sidecars.d.ts.map +1 -0
- package/dist/dep-sidecars.js +122 -0
- package/dist/dep-sidecars.js.map +1 -0
- package/dist/deploy/cloudflare-workers.d.ts +46 -0
- package/dist/deploy/cloudflare-workers.d.ts.map +1 -0
- package/dist/deploy/cloudflare-workers.js +213 -0
- package/dist/deploy/cloudflare-workers.js.map +1 -0
- package/dist/deploy/errors.d.ts +66 -0
- package/dist/deploy/errors.d.ts.map +1 -0
- package/dist/deploy/errors.js +82 -0
- package/dist/deploy/errors.js.map +1 -0
- package/dist/deploy/index.d.ts +9 -0
- package/dist/deploy/index.d.ts.map +1 -0
- package/dist/deploy/index.js +3 -0
- package/dist/deploy/index.js.map +1 -0
- package/dist/deploy/types.d.ts +162 -0
- package/dist/deploy/types.d.ts.map +1 -0
- package/dist/deploy/types.js +2 -0
- package/dist/deploy/types.js.map +1 -0
- package/dist/editor/AssetEmbeddedWidget.d.ts +3 -0
- package/dist/editor/AssetEmbeddedWidget.d.ts.map +1 -0
- package/dist/editor/AssetEmbeddedWidget.js +146 -0
- package/dist/editor/AssetEmbeddedWidget.js.map +1 -0
- package/dist/editor/mount.d.ts +12 -1
- package/dist/editor/mount.d.ts.map +1 -1
- package/dist/editor/mount.js +36 -5
- package/dist/editor/mount.js.map +1 -1
- package/dist/format.d.ts +44 -0
- package/dist/format.d.ts.map +1 -0
- package/dist/format.js +65 -0
- package/dist/format.js.map +1 -0
- package/dist/fragment-deps.d.ts +24 -0
- package/dist/fragment-deps.d.ts.map +1 -0
- package/dist/fragment-deps.js +20 -0
- package/dist/fragment-deps.js.map +1 -0
- package/dist/fragments/create.d.ts +70 -0
- package/dist/fragments/create.d.ts.map +1 -0
- package/dist/fragments/create.js +93 -0
- package/dist/fragments/create.js.map +1 -0
- package/dist/fragments/publish.d.ts +37 -0
- package/dist/fragments/publish.d.ts.map +1 -0
- package/dist/fragments/publish.js +52 -0
- package/dist/fragments/publish.js.map +1 -0
- package/dist/fragments/save.d.ts +81 -0
- package/dist/fragments/save.d.ts.map +1 -0
- package/dist/fragments/save.js +105 -0
- package/dist/fragments/save.js.map +1 -0
- package/dist/hash.d.ts +0 -6
- package/dist/hash.d.ts.map +1 -1
- package/dist/hash.js +0 -18
- package/dist/hash.js.map +1 -1
- package/dist/history-provider.d.ts.map +1 -1
- package/dist/history-provider.js +30 -8
- package/dist/history-provider.js.map +1 -1
- package/dist/history-recorder.d.ts +10 -6
- package/dist/history-recorder.d.ts.map +1 -1
- package/dist/history-recorder.js +13 -5
- package/dist/history-recorder.js.map +1 -1
- package/dist/history-restorer.d.ts.map +1 -1
- package/dist/history-restorer.js +34 -2
- package/dist/history-restorer.js.map +1 -1
- package/dist/history.d.ts +26 -8
- package/dist/history.d.ts.map +1 -1
- package/dist/hooks/audit-emitter.d.ts +73 -0
- package/dist/hooks/audit-emitter.d.ts.map +1 -0
- package/dist/hooks/audit-emitter.js +13 -0
- package/dist/hooks/audit-emitter.js.map +1 -0
- package/dist/hooks/context.d.ts +78 -0
- package/dist/hooks/context.d.ts.map +1 -0
- package/dist/hooks/context.js +56 -0
- package/dist/hooks/context.js.map +1 -0
- package/dist/hooks/contribution.d.ts +90 -0
- package/dist/hooks/contribution.d.ts.map +1 -0
- package/dist/hooks/contribution.js +2 -0
- package/dist/hooks/contribution.js.map +1 -0
- package/dist/hooks/dispatch.d.ts +30 -0
- package/dist/hooks/dispatch.d.ts.map +1 -0
- package/dist/hooks/dispatch.js +252 -0
- package/dist/hooks/dispatch.js.map +1 -0
- package/dist/hooks/errors.d.ts +100 -0
- package/dist/hooks/errors.d.ts.map +1 -0
- package/dist/hooks/errors.js +103 -0
- package/dist/hooks/errors.js.map +1 -0
- package/dist/hooks/index.d.ts +15 -0
- package/dist/hooks/index.d.ts.map +1 -0
- package/dist/hooks/index.js +6 -0
- package/dist/hooks/index.js.map +1 -0
- package/dist/hooks/registry.d.ts +53 -0
- package/dist/hooks/registry.d.ts.map +1 -0
- package/dist/hooks/registry.js +139 -0
- package/dist/hooks/registry.js.map +1 -0
- package/dist/hooks/storage.d.ts +43 -0
- package/dist/hooks/storage.d.ts.map +1 -0
- package/dist/hooks/storage.js +2 -0
- package/dist/hooks/storage.js.map +1 -0
- package/dist/hooks/types.d.ts +324 -0
- package/dist/hooks/types.d.ts.map +1 -0
- package/dist/hooks/types.js +2 -0
- package/dist/hooks/types.js.map +1 -0
- package/dist/index.d.ts +27 -9
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +50 -7
- package/dist/index.js.map +1 -1
- package/dist/locale.d.ts +25 -1
- package/dist/locale.d.ts.map +1 -1
- package/dist/locale.js +44 -2
- package/dist/locale.js.map +1 -1
- package/dist/manifest-save.d.ts +255 -0
- package/dist/manifest-save.d.ts.map +1 -0
- package/dist/manifest-save.js +260 -0
- package/dist/manifest-save.js.map +1 -0
- package/dist/manifest.d.ts +1 -2
- package/dist/manifest.d.ts.map +1 -1
- package/dist/manifest.js +43 -44
- package/dist/manifest.js.map +1 -1
- package/dist/node-floor.d.ts +3 -0
- package/dist/node-floor.d.ts.map +1 -0
- package/dist/node-floor.js +3 -0
- package/dist/node-floor.js.map +1 -0
- package/dist/pages/create.d.ts +103 -0
- package/dist/pages/create.d.ts.map +1 -0
- package/dist/pages/create.js +117 -0
- package/dist/pages/create.js.map +1 -0
- package/dist/pages/publish.d.ts +59 -0
- package/dist/pages/publish.d.ts.map +1 -0
- package/dist/pages/publish.js +78 -0
- package/dist/pages/publish.js.map +1 -0
- package/dist/pages/save.d.ts +97 -0
- package/dist/pages/save.d.ts.map +1 -0
- package/dist/pages/save.js +138 -0
- package/dist/pages/save.js.map +1 -0
- package/dist/providers/_atomic-write.d.ts +9 -0
- package/dist/providers/_atomic-write.d.ts.map +1 -0
- package/dist/providers/_atomic-write.js +72 -0
- package/dist/providers/_atomic-write.js.map +1 -0
- package/dist/providers/_rm-ignore-missing.d.ts +31 -0
- package/dist/providers/_rm-ignore-missing.d.ts.map +1 -0
- package/dist/providers/_rm-ignore-missing.js +12 -0
- package/dist/providers/_rm-ignore-missing.js.map +1 -0
- package/dist/providers/_stream-interop.d.ts +23 -0
- package/dist/providers/_stream-interop.d.ts.map +1 -0
- package/dist/providers/_stream-interop.js +21 -0
- package/dist/providers/_stream-interop.js.map +1 -0
- package/dist/providers/azure-blob.d.ts.map +1 -1
- package/dist/providers/azure-blob.js +60 -0
- package/dist/providers/azure-blob.js.map +1 -1
- package/dist/providers/factories.d.ts +65 -0
- package/dist/providers/factories.d.ts.map +1 -0
- package/dist/providers/factories.js +189 -0
- package/dist/providers/factories.js.map +1 -0
- package/dist/providers/filesystem.d.ts +4 -0
- package/dist/providers/filesystem.d.ts.map +1 -1
- package/dist/providers/filesystem.js +63 -2
- package/dist/providers/filesystem.js.map +1 -1
- package/dist/providers/s3.d.ts.map +1 -1
- package/dist/providers/s3.js +84 -1
- package/dist/providers/s3.js.map +1 -1
- package/dist/publish-item.d.ts +225 -0
- package/dist/publish-item.d.ts.map +1 -0
- package/dist/publish-item.js +210 -0
- package/dist/publish-item.js.map +1 -0
- package/dist/publish-rendered.d.ts +37 -17
- package/dist/publish-rendered.d.ts.map +1 -1
- package/dist/publish-rendered.js +144 -71
- package/dist/publish-rendered.js.map +1 -1
- package/dist/publish-renderers.d.ts +132 -0
- package/dist/publish-renderers.d.ts.map +1 -0
- package/dist/publish-renderers.js +240 -0
- package/dist/publish-renderers.js.map +1 -0
- package/dist/publish-run.d.ts +223 -0
- package/dist/publish-run.d.ts.map +1 -0
- package/dist/publish-run.js +307 -0
- package/dist/publish-run.js.map +1 -0
- package/dist/publish.d.ts +13 -12
- package/dist/publish.d.ts.map +1 -1
- package/dist/publish.js +24 -57
- package/dist/publish.js.map +1 -1
- package/dist/render-for-analysis.d.ts +24 -0
- package/dist/render-for-analysis.d.ts.map +1 -0
- package/dist/render-for-analysis.js +146 -0
- package/dist/render-for-analysis.js.map +1 -0
- package/dist/resolver.d.ts +12 -2
- package/dist/resolver.d.ts.map +1 -1
- package/dist/resolver.js +101 -32
- package/dist/resolver.js.map +1 -1
- package/dist/runtime/archive-marker.d.ts +62 -0
- package/dist/runtime/archive-marker.d.ts.map +1 -0
- package/dist/runtime/archive-marker.js +88 -0
- package/dist/runtime/archive-marker.js.map +1 -0
- package/dist/runtime/capability-gap-warnings.d.ts +42 -0
- package/dist/runtime/capability-gap-warnings.d.ts.map +1 -0
- package/dist/runtime/capability-gap-warnings.js +28 -0
- package/dist/runtime/capability-gap-warnings.js.map +1 -0
- package/dist/runtime/redirects-emit.d.ts +93 -0
- package/dist/runtime/redirects-emit.d.ts.map +1 -0
- package/dist/runtime/redirects-emit.js +89 -0
- package/dist/runtime/redirects-emit.js.map +1 -0
- package/dist/runtime/runtime-capabilities.d.ts +79 -0
- package/dist/runtime/runtime-capabilities.d.ts.map +1 -0
- package/dist/runtime/runtime-capabilities.js +60 -0
- package/dist/runtime/runtime-capabilities.js.map +1 -0
- package/dist/save-etag.d.ts +69 -0
- package/dist/save-etag.d.ts.map +1 -0
- package/dist/save-etag.js +118 -0
- package/dist/save-etag.js.map +1 -0
- package/dist/schema/dimensions.d.ts +78 -0
- package/dist/schema/dimensions.d.ts.map +1 -0
- package/dist/schema/dimensions.js +97 -0
- package/dist/schema/dimensions.js.map +1 -0
- package/dist/schema/helpers.d.ts +108 -0
- package/dist/schema/helpers.d.ts.map +1 -0
- package/dist/schema/helpers.js +133 -0
- package/dist/schema/helpers.js.map +1 -0
- package/dist/schema/index.d.ts +27 -0
- package/dist/schema/index.d.ts.map +1 -0
- package/dist/schema/index.js +25 -0
- package/dist/schema/index.js.map +1 -0
- package/dist/schema/types.d.ts +390 -0
- package/dist/schema/types.d.ts.map +1 -0
- package/dist/schema/types.js +25 -0
- package/dist/schema/types.js.map +1 -0
- package/dist/selector-chain.d.ts +63 -0
- package/dist/selector-chain.d.ts.map +1 -0
- package/dist/selector-chain.js +58 -0
- package/dist/selector-chain.js.map +1 -0
- package/dist/sidecars.d.ts +19 -18
- package/dist/sidecars.d.ts.map +1 -1
- package/dist/sidecars.js +70 -62
- package/dist/sidecars.js.map +1 -1
- package/dist/site-loader.d.ts +42 -4
- package/dist/site-loader.d.ts.map +1 -1
- package/dist/site-loader.js +27 -8
- package/dist/site-loader.js.map +1 -1
- package/dist/targets.d.ts +21 -12
- package/dist/targets.d.ts.map +1 -1
- package/dist/targets.js +27 -117
- package/dist/targets.js.map +1 -1
- package/dist/testing/admin-cache-contract.d.ts +52 -0
- package/dist/testing/admin-cache-contract.d.ts.map +1 -0
- package/dist/testing/admin-cache-contract.js +203 -0
- package/dist/testing/admin-cache-contract.js.map +1 -0
- package/dist/testing/index.d.ts +11 -0
- package/dist/testing/index.d.ts.map +1 -0
- package/dist/testing/index.js +11 -0
- package/dist/testing/index.js.map +1 -0
- package/dist/themes.d.ts +69 -0
- package/dist/themes.d.ts.map +1 -0
- package/dist/themes.js +85 -0
- package/dist/themes.js.map +1 -0
- package/dist/transforms/adapter.d.ts +115 -0
- package/dist/transforms/adapter.d.ts.map +1 -0
- package/dist/transforms/adapter.js +2 -0
- package/dist/transforms/adapter.js.map +1 -0
- package/dist/transforms/cloudflare.d.ts +17 -0
- package/dist/transforms/cloudflare.d.ts.map +1 -0
- package/dist/transforms/cloudflare.js +110 -0
- package/dist/transforms/cloudflare.js.map +1 -0
- package/dist/transforms/factories.d.ts +16 -0
- package/dist/transforms/factories.d.ts.map +1 -0
- package/dist/transforms/factories.js +18 -0
- package/dist/transforms/factories.js.map +1 -0
- package/dist/transforms/index.d.ts +17 -0
- package/dist/transforms/index.d.ts.map +1 -0
- package/dist/transforms/index.js +6 -0
- package/dist/transforms/index.js.map +1 -0
- package/dist/transforms/sharp.d.ts +17 -0
- package/dist/transforms/sharp.d.ts.map +1 -0
- package/dist/transforms/sharp.js +57 -0
- package/dist/transforms/sharp.js.map +1 -0
- package/dist/types.d.ts +485 -34
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +20 -1
- package/dist/types.js.map +1 -1
- package/dist/validation/alt-required-walker.d.ts +27 -0
- package/dist/validation/alt-required-walker.d.ts.map +1 -0
- package/dist/validation/alt-required-walker.js +108 -0
- package/dist/validation/alt-required-walker.js.map +1 -0
- package/dist/validation/default-registry.d.ts +12 -0
- package/dist/validation/default-registry.d.ts.map +1 -0
- package/dist/validation/default-registry.js +55 -0
- package/dist/validation/default-registry.js.map +1 -0
- package/dist/validation/publish-audit.d.ts +44 -0
- package/dist/validation/publish-audit.d.ts.map +1 -0
- package/dist/validation/publish-audit.js +64 -0
- package/dist/validation/publish-audit.js.map +1 -0
- package/dist/validation/registry.d.ts +23 -0
- package/dist/validation/registry.d.ts.map +1 -0
- package/dist/validation/registry.js +15 -0
- package/dist/validation/registry.js.map +1 -0
- package/dist/validation/save-delta.d.ts +46 -0
- package/dist/validation/save-delta.d.ts.map +1 -0
- package/dist/validation/save-delta.js +57 -0
- package/dist/validation/save-delta.js.map +1 -0
- package/dist/validation/scanner.d.ts +91 -0
- package/dist/validation/scanner.d.ts.map +1 -0
- package/dist/validation/scanner.js +327 -0
- package/dist/validation/scanner.js.map +1 -0
- package/dist/validation/template-impact.d.ts +52 -0
- package/dist/validation/template-impact.d.ts.map +1 -0
- package/dist/validation/template-impact.js +53 -0
- package/dist/validation/template-impact.js.map +1 -0
- package/dist/validation/types.d.ts +123 -0
- package/dist/validation/types.d.ts.map +1 -0
- package/dist/validation/types.js +7 -0
- package/dist/validation/types.js.map +1 -0
- package/dist/validation/validators/accessibility.d.ts +3 -0
- package/dist/validation/validators/accessibility.d.ts.map +1 -0
- package/dist/validation/validators/accessibility.js +106 -0
- package/dist/validation/validators/accessibility.js.map +1 -0
- package/dist/validation/validators/aliasof-points-to-archived.d.ts +40 -0
- package/dist/validation/validators/aliasof-points-to-archived.d.ts.map +1 -0
- package/dist/validation/validators/aliasof-points-to-archived.js +34 -0
- package/dist/validation/validators/aliasof-points-to-archived.js.map +1 -0
- package/dist/validation/validators/alt-required.d.ts +3 -0
- package/dist/validation/validators/alt-required.d.ts.map +1 -0
- package/dist/validation/validators/alt-required.js +118 -0
- package/dist/validation/validators/alt-required.js.map +1 -0
- package/dist/validation/validators/archive-not-supported-on-target.d.ts +3 -0
- package/dist/validation/validators/archive-not-supported-on-target.d.ts.map +1 -0
- package/dist/validation/validators/archive-not-supported-on-target.js +38 -0
- package/dist/validation/validators/archive-not-supported-on-target.js.map +1 -0
- package/dist/validation/validators/broken-links.d.ts +3 -0
- package/dist/validation/validators/broken-links.d.ts.map +1 -0
- package/dist/validation/validators/broken-links.js +190 -0
- package/dist/validation/validators/broken-links.js.map +1 -0
- package/dist/validation/validators/circular-alias.d.ts +36 -0
- package/dist/validation/validators/circular-alias.d.ts.map +1 -0
- package/dist/validation/validators/circular-alias.js +63 -0
- package/dist/validation/validators/circular-alias.js.map +1 -0
- package/dist/validation/validators/circular-fragment.d.ts +15 -0
- package/dist/validation/validators/circular-fragment.d.ts.map +1 -0
- package/dist/validation/validators/circular-fragment.js +97 -0
- package/dist/validation/validators/circular-fragment.js.map +1 -0
- package/dist/validation/validators/dangling-alias.d.ts +38 -0
- package/dist/validation/validators/dangling-alias.d.ts.map +1 -0
- package/dist/validation/validators/dangling-alias.js +31 -0
- package/dist/validation/validators/dangling-alias.js.map +1 -0
- package/dist/validation/validators/deploy-target-type-supported.d.ts +3 -0
- package/dist/validation/validators/deploy-target-type-supported.d.ts.map +1 -0
- package/dist/validation/validators/deploy-target-type-supported.js +32 -0
- package/dist/validation/validators/deploy-target-type-supported.js.map +1 -0
- package/dist/validation/validators/dynamic-route-conflict.d.ts +18 -0
- package/dist/validation/validators/dynamic-route-conflict.d.ts.map +1 -0
- package/dist/validation/validators/dynamic-route-conflict.js +80 -0
- package/dist/validation/validators/dynamic-route-conflict.js.map +1 -0
- package/dist/validation/validators/html-validity.d.ts +3 -0
- package/dist/validation/validators/html-validity.d.ts.map +1 -0
- package/dist/validation/validators/html-validity.js +89 -0
- package/dist/validation/validators/html-validity.js.map +1 -0
- package/dist/validation/validators/orphaned-locale-file.d.ts +21 -0
- package/dist/validation/validators/orphaned-locale-file.d.ts.map +1 -0
- package/dist/validation/validators/orphaned-locale-file.js +84 -0
- package/dist/validation/validators/orphaned-locale-file.js.map +1 -0
- package/dist/validation/validators/referenced-archived-without-alias.d.ts +3 -0
- package/dist/validation/validators/referenced-archived-without-alias.d.ts.map +1 -0
- package/dist/validation/validators/referenced-archived-without-alias.js +65 -0
- package/dist/validation/validators/referenced-archived-without-alias.js.map +1 -0
- package/dist/validation/validators/referenced-asset-exists.d.ts +13 -0
- package/dist/validation/validators/referenced-asset-exists.d.ts.map +1 -0
- package/dist/validation/validators/referenced-asset-exists.js +80 -0
- package/dist/validation/validators/referenced-asset-exists.js.map +1 -0
- package/dist/validation/validators/referenced-fragment-exists.d.ts +9 -0
- package/dist/validation/validators/referenced-fragment-exists.d.ts.map +1 -0
- package/dist/validation/validators/referenced-fragment-exists.js +52 -0
- package/dist/validation/validators/referenced-fragment-exists.js.map +1 -0
- package/dist/validation/validators/referenced-template-exists.d.ts +10 -0
- package/dist/validation/validators/referenced-template-exists.d.ts.map +1 -0
- package/dist/validation/validators/referenced-template-exists.js +74 -0
- package/dist/validation/validators/referenced-template-exists.js.map +1 -0
- package/dist/validation/validators/schema-conformance.d.ts +17 -0
- package/dist/validation/validators/schema-conformance.d.ts.map +1 -0
- package/dist/validation/validators/schema-conformance.js +94 -0
- package/dist/validation/validators/schema-conformance.js.map +1 -0
- package/dist/validation/validators/target-deploy-coverage.d.ts +3 -0
- package/dist/validation/validators/target-deploy-coverage.d.ts.map +1 -0
- package/dist/validation/validators/target-deploy-coverage.js +37 -0
- package/dist/validation/validators/target-deploy-coverage.js.map +1 -0
- package/dist/validation/validators/unused-fragment.d.ts +16 -0
- package/dist/validation/validators/unused-fragment.d.ts.map +1 -0
- package/dist/validation/validators/unused-fragment.js +86 -0
- package/dist/validation/validators/unused-fragment.js.map +1 -0
- package/package.json +69 -27
- package/admin-dist/assets/index-B6pVot0Y.css +0 -1
- package/admin-dist/assets/index-DniLwxJA.js +0 -609
- package/admin-dist/assets/rolldown-runtime-COnpUsM8.js +0 -1
- package/admin-dist/assets/vendor-rjsf-HKBAjOmQ.js +0 -32
- package/admin-dist/assets/vendor-tiptap-IyO99U4R.js +0 -142
- package/admin-dist/assets/vendor-vue-D3wBSmDf.js +0 -1
- package/dist/providers/r2.d.ts +0 -8
- package/dist/providers/r2.d.ts.map +0 -1
- package/dist/providers/r2.js +0 -86
- package/dist/providers/r2.js.map +0 -1
- package/dist/publish-locale.d.ts +0 -44
- package/dist/publish-locale.d.ts.map +0 -1
- package/dist/publish-locale.js +0 -103
- package/dist/publish-locale.js.map +0 -1
- package/dist/source-sidecars.d.ts +0 -32
- package/dist/source-sidecars.d.ts.map +0 -1
- package/dist/source-sidecars.js +0 -98
- package/dist/source-sidecars.js.map +0 -1
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
import { AuthenticationError } from '../errors.js';
|
|
2
|
+
import { expandRole } from '../capabilities.js';
|
|
3
|
+
const NAMEID_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier';
|
|
4
|
+
const EMAIL_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';
|
|
5
|
+
export function createAzureEasyAuthProvider(config = {}) {
|
|
6
|
+
const defaultRole = config.defaultRole ?? 'editor';
|
|
7
|
+
return {
|
|
8
|
+
trustMode: 'azure-easy-auth',
|
|
9
|
+
async extractPrincipal(req) {
|
|
10
|
+
const encoded = req.headers.get('x-ms-client-principal');
|
|
11
|
+
if (!encoded || encoded.length === 0) {
|
|
12
|
+
// No identity header — anonymous. Easy Auth is configured
|
|
13
|
+
// to require auth; reaching Gazetta without the header
|
|
14
|
+
// means the request bypassed the platform (only possible
|
|
15
|
+
// if the operator misconfigured).
|
|
16
|
+
return null;
|
|
17
|
+
}
|
|
18
|
+
let parsed;
|
|
19
|
+
try {
|
|
20
|
+
const json = Buffer.from(encoded, 'base64').toString('utf-8');
|
|
21
|
+
parsed = JSON.parse(json);
|
|
22
|
+
}
|
|
23
|
+
catch (err) {
|
|
24
|
+
throw new AuthenticationError(`X-MS-CLIENT-PRINCIPAL header is not valid base64-encoded JSON: ${err.message}`);
|
|
25
|
+
}
|
|
26
|
+
if (!parsed || typeof parsed !== 'object' || !Array.isArray(parsed.claims)) {
|
|
27
|
+
throw new AuthenticationError('X-MS-CLIENT-PRINCIPAL is malformed (missing claims array)');
|
|
28
|
+
}
|
|
29
|
+
// Prefer X-MS-CLIENT-PRINCIPAL-ID when present (stable id);
|
|
30
|
+
// fall back to the nameidentifier claim.
|
|
31
|
+
const idHeader = req.headers.get('x-ms-client-principal-id');
|
|
32
|
+
const nameIdClaim = parsed.claims.find(c => c.typ === NAMEID_CLAIM)?.val;
|
|
33
|
+
const id = idHeader ?? nameIdClaim;
|
|
34
|
+
if (!id) {
|
|
35
|
+
throw new AuthenticationError('X-MS-CLIENT-PRINCIPAL has no nameidentifier claim and no X-MS-CLIENT-PRINCIPAL-ID');
|
|
36
|
+
}
|
|
37
|
+
const email = parsed.claims.find(c => c.typ === EMAIL_CLAIM)?.val;
|
|
38
|
+
return {
|
|
39
|
+
id,
|
|
40
|
+
email,
|
|
41
|
+
role: defaultRole,
|
|
42
|
+
trustMode: 'azure-easy-auth',
|
|
43
|
+
capabilities: expandRole(defaultRole) ?? [],
|
|
44
|
+
};
|
|
45
|
+
},
|
|
46
|
+
};
|
|
47
|
+
}
|
|
48
|
+
//# sourceMappingURL=azure-easy-auth.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"azure-easy-auth.js","sourceRoot":"","sources":["../../../src/auth/providers/azure-easy-auth.ts"],"names":[],"mappings":"AAsDA,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAA;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAiB/C,MAAM,YAAY,GAAG,sEAAsE,CAAA;AAC3F,MAAM,WAAW,GAAG,oEAAoE,CAAA;AAExF,MAAM,UAAU,2BAA2B,CAAC,SAA8B,EAAE;IAC1E,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,QAAQ,CAAA;IAClD,OAAO;QACL,SAAS,EAAE,iBAAiB;QAC5B,KAAK,CAAC,gBAAgB,CAAC,GAAgB;YACrC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;YACxD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrC,0DAA0D;gBAC1D,uDAAuD;gBACvD,yDAAyD;gBACzD,kCAAkC;gBAClC,OAAO,IAAI,CAAA;YACb,CAAC;YAED,IAAI,MAA4B,CAAA;YAChC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;gBAC7D,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAyB,CAAA;YACnD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,mBAAmB,CAC3B,kEAAmE,GAAa,CAAC,OAAO,EAAE,CAC3F,CAAA;YACH,CAAC;YAED,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC3E,MAAM,IAAI,mBAAmB,CAAC,2DAA2D,CAAC,CAAA;YAC5F,CAAC;YAED,4DAA4D;YAC5D,yCAAyC;YACzC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAA;YAC5D,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,YAAY,CAAC,EAAE,GAAG,CAAA;YACxE,MAAM,EAAE,GAAG,QAAQ,IAAI,WAAW,CAAA;YAClC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,IAAI,mBAAmB,CAC3B,mFAAmF,CACpF,CAAA;YACH,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,WAAW,CAAC,EAAE,GAAG,CAAA;YAEjE,OAAO;gBACL,EAAE;gBACF,KAAK;gBACL,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE,iBAAiB;gBAC5B,YAAY,EAAE,UAAU,CAAC,WAAW,CAAC,IAAI,EAAE;aAC5C,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC"}
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* `cloudflare-access` trust mode — Cloudflare Zero Trust / Access
|
|
3
|
+
* fronting the admin. The platform issues a signed JWT in the
|
|
4
|
+
* `Cf-Access-Jwt-Assertion` header (or cookie); Gazetta verifies
|
|
5
|
+
* the signature against Cloudflare's published JWKS and reads the
|
|
6
|
+
* subject + email from the verified payload.
|
|
7
|
+
*
|
|
8
|
+
* # Why JWT verification, not header trust
|
|
9
|
+
*
|
|
10
|
+
* Cloudflare Access's JWT carries a real signature. Anyone behind
|
|
11
|
+
* the Worker boundary can claim a header value, but only Cloudflare's
|
|
12
|
+
* private key can produce a valid token. Verifying the signature is
|
|
13
|
+
* the security contract — without it, this trust mode is no safer
|
|
14
|
+
* than `forwarded-user` without a whitelist.
|
|
15
|
+
*
|
|
16
|
+
* # JWKS endpoint shape
|
|
17
|
+
*
|
|
18
|
+
* Cloudflare publishes per-team-domain JWKS at:
|
|
19
|
+
*
|
|
20
|
+
* https://{teamDomain}.cloudflareaccess.com/cdn-cgi/access/certs
|
|
21
|
+
*
|
|
22
|
+
* Operators set `teamDomain` in `site.config.ts admin.auth`; the
|
|
23
|
+
* provider builds the URL and uses `jose`'s `createRemoteJWKSet`
|
|
24
|
+
* for verification + automatic key rotation.
|
|
25
|
+
*
|
|
26
|
+
* # Failure modes
|
|
27
|
+
*
|
|
28
|
+
* - JWT missing / expired / signature invalid → `AuthenticationError`
|
|
29
|
+
* (middleware → 401)
|
|
30
|
+
* - JWKS endpoint unreachable → `AuthenticationError` (fail-CLOSED
|
|
31
|
+
* here, NOT fail-open like Universal Provider Requirement #5
|
|
32
|
+
* suggests for transport errors — auth is the security boundary;
|
|
33
|
+
* a JWKS outage that fails open would let unsigned tokens
|
|
34
|
+
* through)
|
|
35
|
+
* - `aud` claim mismatch (when configured) → `AuthenticationError`
|
|
36
|
+
*
|
|
37
|
+
* # SOLID lenses
|
|
38
|
+
*
|
|
39
|
+
* - SRP: JWT verification only. Source-IP extraction is not this
|
|
40
|
+
* provider's concern (Cloudflare's signed assertion IS the trust;
|
|
41
|
+
* the source IP would be Cloudflare's edge anyway).
|
|
42
|
+
* - DIP: jose's `createRemoteJWKSet` is the verifier dependency;
|
|
43
|
+
* test injects a different verifier via the optional
|
|
44
|
+
* `jwksFactory` constructor option for unit tests.
|
|
45
|
+
*/
|
|
46
|
+
import { type JWTVerifyGetKey } from 'jose';
|
|
47
|
+
import type { AuthIdentityProvider } from '../provider.js';
|
|
48
|
+
export interface CloudflareAccessConfig {
|
|
49
|
+
/**
|
|
50
|
+
* Cloudflare Zero Trust team domain (the part before
|
|
51
|
+
* `.cloudflareaccess.com`). Required. Example: `'acme'` for
|
|
52
|
+
* `https://acme.cloudflareaccess.com`.
|
|
53
|
+
*/
|
|
54
|
+
teamDomain: string;
|
|
55
|
+
/**
|
|
56
|
+
* Optional `aud` claim verification. Cloudflare Access tokens
|
|
57
|
+
* carry an `aud` claim identifying the application; production
|
|
58
|
+
* deployments SHOULD set this to prevent token replay across
|
|
59
|
+
* Access-protected apps in the same team domain.
|
|
60
|
+
*/
|
|
61
|
+
audience?: string;
|
|
62
|
+
/** Optional default role until Cut 6's role-resolver wires up. */
|
|
63
|
+
defaultRole?: string;
|
|
64
|
+
/**
|
|
65
|
+
* Internal: factory for the JWKS verifier. Tests inject a stub;
|
|
66
|
+
* production calls `createRemoteJWKSet`.
|
|
67
|
+
*/
|
|
68
|
+
jwksFactory?: (jwksUrl: URL) => JWTVerifyGetKey;
|
|
69
|
+
}
|
|
70
|
+
export declare function createCloudflareAccessAuthProvider(config: CloudflareAccessConfig): AuthIdentityProvider;
|
|
71
|
+
//# sourceMappingURL=cloudflare-access.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cloudflare-access.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/cloudflare-access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,OAAO,EAAkD,KAAK,eAAe,EAAE,MAAM,MAAM,CAAA;AAE3F,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAIvE,MAAM,WAAW,sBAAsB;IACrC;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAA;IAClB;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB;;;OAGG;IACH,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,KAAK,eAAe,CAAA;CAChD;AAgBD,wBAAgB,kCAAkC,CAAC,MAAM,EAAE,sBAAsB,GAAG,oBAAoB,CA6DvG"}
|
|
@@ -0,0 +1,120 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* `cloudflare-access` trust mode — Cloudflare Zero Trust / Access
|
|
3
|
+
* fronting the admin. The platform issues a signed JWT in the
|
|
4
|
+
* `Cf-Access-Jwt-Assertion` header (or cookie); Gazetta verifies
|
|
5
|
+
* the signature against Cloudflare's published JWKS and reads the
|
|
6
|
+
* subject + email from the verified payload.
|
|
7
|
+
*
|
|
8
|
+
* # Why JWT verification, not header trust
|
|
9
|
+
*
|
|
10
|
+
* Cloudflare Access's JWT carries a real signature. Anyone behind
|
|
11
|
+
* the Worker boundary can claim a header value, but only Cloudflare's
|
|
12
|
+
* private key can produce a valid token. Verifying the signature is
|
|
13
|
+
* the security contract — without it, this trust mode is no safer
|
|
14
|
+
* than `forwarded-user` without a whitelist.
|
|
15
|
+
*
|
|
16
|
+
* # JWKS endpoint shape
|
|
17
|
+
*
|
|
18
|
+
* Cloudflare publishes per-team-domain JWKS at:
|
|
19
|
+
*
|
|
20
|
+
* https://{teamDomain}.cloudflareaccess.com/cdn-cgi/access/certs
|
|
21
|
+
*
|
|
22
|
+
* Operators set `teamDomain` in `site.config.ts admin.auth`; the
|
|
23
|
+
* provider builds the URL and uses `jose`'s `createRemoteJWKSet`
|
|
24
|
+
* for verification + automatic key rotation.
|
|
25
|
+
*
|
|
26
|
+
* # Failure modes
|
|
27
|
+
*
|
|
28
|
+
* - JWT missing / expired / signature invalid → `AuthenticationError`
|
|
29
|
+
* (middleware → 401)
|
|
30
|
+
* - JWKS endpoint unreachable → `AuthenticationError` (fail-CLOSED
|
|
31
|
+
* here, NOT fail-open like Universal Provider Requirement #5
|
|
32
|
+
* suggests for transport errors — auth is the security boundary;
|
|
33
|
+
* a JWKS outage that fails open would let unsigned tokens
|
|
34
|
+
* through)
|
|
35
|
+
* - `aud` claim mismatch (when configured) → `AuthenticationError`
|
|
36
|
+
*
|
|
37
|
+
* # SOLID lenses
|
|
38
|
+
*
|
|
39
|
+
* - SRP: JWT verification only. Source-IP extraction is not this
|
|
40
|
+
* provider's concern (Cloudflare's signed assertion IS the trust;
|
|
41
|
+
* the source IP would be Cloudflare's edge anyway).
|
|
42
|
+
* - DIP: jose's `createRemoteJWKSet` is the verifier dependency;
|
|
43
|
+
* test injects a different verifier via the optional
|
|
44
|
+
* `jwksFactory` constructor option for unit tests.
|
|
45
|
+
*/
|
|
46
|
+
import { jwtVerify, createRemoteJWKSet } from 'jose';
|
|
47
|
+
import { AuthenticationError, AuthConfigurationError } from '../errors.js';
|
|
48
|
+
import { expandRole } from '../capabilities.js';
|
|
49
|
+
export function createCloudflareAccessAuthProvider(config) {
|
|
50
|
+
if (!config.teamDomain || config.teamDomain.length === 0) {
|
|
51
|
+
throw new AuthConfigurationError('cloudflare-access trust mode requires teamDomain (your Cloudflare Zero Trust team domain, e.g. "acme")');
|
|
52
|
+
}
|
|
53
|
+
// Validate the teamDomain shape — Cloudflare team domains are
|
|
54
|
+
// lowercase alphanumeric + hyphens; reject obvious typos.
|
|
55
|
+
if (!/^[a-z0-9][a-z0-9-]*$/.test(config.teamDomain)) {
|
|
56
|
+
throw new AuthConfigurationError(`Invalid teamDomain "${config.teamDomain}": must be lowercase alphanumeric + hyphens (the part before .cloudflareaccess.com)`);
|
|
57
|
+
}
|
|
58
|
+
const jwksUrl = new URL(`https://${config.teamDomain}.cloudflareaccess.com/cdn-cgi/access/certs`);
|
|
59
|
+
const expectedIssuer = `https://${config.teamDomain}.cloudflareaccess.com`;
|
|
60
|
+
const jwks = (config.jwksFactory ?? createRemoteJWKSet)(jwksUrl);
|
|
61
|
+
const defaultRole = config.defaultRole ?? 'editor';
|
|
62
|
+
return {
|
|
63
|
+
trustMode: 'cloudflare-access',
|
|
64
|
+
async extractPrincipal(req) {
|
|
65
|
+
// Cloudflare Access can deliver the assertion in either a
|
|
66
|
+
// header or cookie. We accept both; header takes precedence
|
|
67
|
+
// because it's the documented integration path.
|
|
68
|
+
const token = req.headers.get('cf-access-jwt-assertion') ?? extractFromCookie(req.headers.get('cookie'));
|
|
69
|
+
if (!token) {
|
|
70
|
+
// No Cloudflare-Access token at all — anonymous. Middleware
|
|
71
|
+
// turns this into 401.
|
|
72
|
+
return null;
|
|
73
|
+
}
|
|
74
|
+
let payload;
|
|
75
|
+
try {
|
|
76
|
+
const result = await jwtVerify(token, jwks, {
|
|
77
|
+
issuer: expectedIssuer,
|
|
78
|
+
audience: config.audience,
|
|
79
|
+
});
|
|
80
|
+
payload = result.payload;
|
|
81
|
+
}
|
|
82
|
+
catch (err) {
|
|
83
|
+
// jose throws JOSEError subclasses for signature / expiry /
|
|
84
|
+
// claim mismatches. We don't differentiate — every failure
|
|
85
|
+
// surfaces as AuthenticationError → 401 per Universal
|
|
86
|
+
// Provider Requirement (auth fails closed on token failure).
|
|
87
|
+
throw new AuthenticationError(`Cloudflare Access JWT verification failed: ${err.message}`);
|
|
88
|
+
}
|
|
89
|
+
const id = payload.sub ?? payload.identity_nonce;
|
|
90
|
+
if (!id) {
|
|
91
|
+
throw new AuthenticationError('Cloudflare Access JWT has no sub or identity_nonce claim');
|
|
92
|
+
}
|
|
93
|
+
return {
|
|
94
|
+
id,
|
|
95
|
+
email: payload.email,
|
|
96
|
+
role: defaultRole,
|
|
97
|
+
trustMode: 'cloudflare-access',
|
|
98
|
+
capabilities: expandRole(defaultRole) ?? [],
|
|
99
|
+
};
|
|
100
|
+
},
|
|
101
|
+
};
|
|
102
|
+
}
|
|
103
|
+
/**
|
|
104
|
+
* Cloudflare Access also delivers the JWT via the
|
|
105
|
+
* `CF_Authorization` cookie. Extract it from the Cookie header
|
|
106
|
+
* if present.
|
|
107
|
+
*/
|
|
108
|
+
function extractFromCookie(cookieHeader) {
|
|
109
|
+
if (!cookieHeader)
|
|
110
|
+
return null;
|
|
111
|
+
const cookies = cookieHeader.split(';');
|
|
112
|
+
for (const cookie of cookies) {
|
|
113
|
+
const trimmed = cookie.trim();
|
|
114
|
+
if (trimmed.startsWith('CF_Authorization=')) {
|
|
115
|
+
return trimmed.slice('CF_Authorization='.length);
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
return null;
|
|
119
|
+
}
|
|
120
|
+
//# sourceMappingURL=cloudflare-access.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cloudflare-access.js","sourceRoot":"","sources":["../../../src/auth/providers/cloudflare-access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAyC,MAAM,MAAM,CAAA;AAG3F,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAuC/C,MAAM,UAAU,kCAAkC,CAAC,MAA8B;IAC/E,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,sBAAsB,CAC9B,wGAAwG,CACzG,CAAA;IACH,CAAC;IACD,8DAA8D;IAC9D,0DAA0D;IAC1D,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,sBAAsB,CAC9B,uBAAuB,MAAM,CAAC,UAAU,qFAAqF,CAC9H,CAAA;IACH,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,WAAW,MAAM,CAAC,UAAU,4CAA4C,CAAC,CAAA;IACjG,MAAM,cAAc,GAAG,WAAW,MAAM,CAAC,UAAU,uBAAuB,CAAA;IAC1E,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,IAAI,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAA;IAChE,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,QAAQ,CAAA;IAElD,OAAO;QACL,SAAS,EAAE,mBAAmB;QAC9B,KAAK,CAAC,gBAAgB,CAAC,GAAgB;YACrC,0DAA0D;YAC1D,4DAA4D;YAC5D,gDAAgD;YAChD,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,IAAI,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAA;YACxG,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,4DAA4D;gBAC5D,uBAAuB;gBACvB,OAAO,IAAI,CAAA;YACb,CAAC;YAED,IAAI,OAA+B,CAAA;YACnC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAyB,KAAK,EAAE,IAAI,EAAE;oBAClE,MAAM,EAAE,cAAc;oBACtB,QAAQ,EAAE,MAAM,CAAC,QAAQ;iBAC1B,CAAC,CAAA;gBACF,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;YAC1B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,4DAA4D;gBAC5D,2DAA2D;gBAC3D,sDAAsD;gBACtD,6DAA6D;gBAC7D,MAAM,IAAI,mBAAmB,CAAC,8CAA+C,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;YACvG,CAAC;YAED,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,cAAc,CAAA;YAChD,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,IAAI,mBAAmB,CAAC,0DAA0D,CAAC,CAAA;YAC3F,CAAC;YAED,OAAO;gBACL,EAAE;gBACF,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE,mBAAmB;gBAC9B,YAAY,EAAE,UAAU,CAAC,WAAW,CAAC,IAAI,EAAE;aAC5C,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,YAAgC;IACzD,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAA;IAC9B,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACvC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAA;QAC7B,IAAI,OAAO,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAC5C,OAAO,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAA;QAClD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
import type { AuthIdentityProvider } from '../provider.js';
|
|
2
|
+
export interface ForwardedUserConfig {
|
|
3
|
+
/**
|
|
4
|
+
* Whitelisted source IPs / CIDRs that may set the forwarded
|
|
5
|
+
* headers. Empty (or undefined) when `allowAnyOrigin: true`.
|
|
6
|
+
* Validated at config-load.
|
|
7
|
+
*/
|
|
8
|
+
trustedProxies?: readonly string[];
|
|
9
|
+
/**
|
|
10
|
+
* Explicit opt-out of source-IP protection. Required when
|
|
11
|
+
* `trustedProxies` is empty. Use only in dev or trusted private
|
|
12
|
+
* networks.
|
|
13
|
+
*/
|
|
14
|
+
allowAnyOrigin?: boolean;
|
|
15
|
+
/**
|
|
16
|
+
* Group claim → role mapping from the upstream layer's
|
|
17
|
+
* `X-Forwarded-Groups` header. Resolver (Cut 6) consumes this;
|
|
18
|
+
* the provider just exposes the raw groups via Principal.role.
|
|
19
|
+
* Until Cut 6 lands, the provider returns `role: 'editor'` as a
|
|
20
|
+
* sensible default — overridden once role-resolver wires up.
|
|
21
|
+
*/
|
|
22
|
+
defaultRole?: string;
|
|
23
|
+
}
|
|
24
|
+
/**
|
|
25
|
+
* Construct a `forwarded-user` provider. Validates `trustedProxies`
|
|
26
|
+
* at construction (per Universal Provider Requirement #6 — config
|
|
27
|
+
* errors throw; transport errors fail-open). Returned provider is
|
|
28
|
+
* stateless after construction; safe to share across requests.
|
|
29
|
+
*/
|
|
30
|
+
export declare function createForwardedUserAuthProvider(config: ForwardedUserConfig): AuthIdentityProvider;
|
|
31
|
+
//# sourceMappingURL=forwarded-user.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"forwarded-user.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/forwarded-user.ts"],"names":[],"mappings":"AAuCA,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAKvE,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;IAClC;;;;OAIG;IACH,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,CAAC,MAAM,EAAE,mBAAmB,GAAG,oBAAoB,CAsEjG"}
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
import { AuthenticationError, AuthConfigurationError } from '../errors.js';
|
|
2
|
+
import { ipMatchesAny, parseRules } from '../ip-match.js';
|
|
3
|
+
import { expandRole } from '../capabilities.js';
|
|
4
|
+
/**
|
|
5
|
+
* Construct a `forwarded-user` provider. Validates `trustedProxies`
|
|
6
|
+
* at construction (per Universal Provider Requirement #6 — config
|
|
7
|
+
* errors throw; transport errors fail-open). Returned provider is
|
|
8
|
+
* stateless after construction; safe to share across requests.
|
|
9
|
+
*/
|
|
10
|
+
export function createForwardedUserAuthProvider(config) {
|
|
11
|
+
// Pre-parse the trustedProxies list at construction so per-request
|
|
12
|
+
// checks are O(N) over already-parsed rules. Throws AuthConfigurationError
|
|
13
|
+
// at boot if any rule is malformed — operator sees the failure
|
|
14
|
+
// before requests start arriving.
|
|
15
|
+
let parsedRules = [];
|
|
16
|
+
if (config.trustedProxies && config.trustedProxies.length > 0) {
|
|
17
|
+
try {
|
|
18
|
+
parsedRules = parseRules(config.trustedProxies);
|
|
19
|
+
}
|
|
20
|
+
catch (err) {
|
|
21
|
+
throw new AuthConfigurationError(`Invalid trustedProxies entry: ${err.message}. Each entry must be an IP literal (e.g. "10.0.0.1") or CIDR (e.g. "10.0.0.0/8").`);
|
|
22
|
+
}
|
|
23
|
+
}
|
|
24
|
+
if (!config.allowAnyOrigin && parsedRules.length === 0) {
|
|
25
|
+
// Schema-level refine should catch this, but defense-in-depth:
|
|
26
|
+
// if a caller bypasses the schema (e.g., constructed by a plugin
|
|
27
|
+
// with a wrong shape), surface the error at construction.
|
|
28
|
+
throw new AuthConfigurationError('forwarded-user trust mode requires trustedProxies (IP whitelist) OR allowAnyOrigin: true');
|
|
29
|
+
}
|
|
30
|
+
const defaultRole = config.defaultRole ?? 'editor';
|
|
31
|
+
return {
|
|
32
|
+
trustMode: 'forwarded-user',
|
|
33
|
+
async extractPrincipal(req) {
|
|
34
|
+
// Source-IP protection FIRST — before any header read. A
|
|
35
|
+
// request from an untrusted source has its forwarded headers
|
|
36
|
+
// ignored entirely; we treat it as if the headers weren't
|
|
37
|
+
// set. Returning null lets the middleware decide between 401
|
|
38
|
+
// (require auth) and synthetic anonymous (none-mode-style).
|
|
39
|
+
// For forwarded-user we always require auth — middleware
|
|
40
|
+
// surfaces this as 401.
|
|
41
|
+
if (!config.allowAnyOrigin) {
|
|
42
|
+
if (!req.sourceIp || !ipMatchesAny(req.sourceIp, parsedRules)) {
|
|
43
|
+
throw new AuthenticationError(req.sourceIp
|
|
44
|
+
? `Request source IP ${req.sourceIp} is not in the configured trustedProxies whitelist`
|
|
45
|
+
: 'Request source IP is unknown; trusted-proxy verification cannot run');
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
const user = req.headers.get('x-forwarded-user');
|
|
49
|
+
if (!user || user.length === 0) {
|
|
50
|
+
// No identity header — anonymous. Middleware turns this
|
|
51
|
+
// into 401.
|
|
52
|
+
return null;
|
|
53
|
+
}
|
|
54
|
+
const email = req.headers.get('x-forwarded-email') ?? undefined;
|
|
55
|
+
// Capabilities = the default role's built-in capability set.
|
|
56
|
+
// Group-claim → role mapping (via roleMapping config + the
|
|
57
|
+
// X-Forwarded-Groups header) is a follow-up. For v1 every
|
|
58
|
+
// authenticated forwarded-user gets the configured defaultRole's
|
|
59
|
+
// capabilities; operators wanting role-by-group set the
|
|
60
|
+
// roleMapping in admin.auth and override defaultRole.
|
|
61
|
+
const capabilities = expandRole(defaultRole) ?? [];
|
|
62
|
+
return {
|
|
63
|
+
id: user,
|
|
64
|
+
email,
|
|
65
|
+
role: defaultRole,
|
|
66
|
+
trustMode: 'forwarded-user',
|
|
67
|
+
capabilities,
|
|
68
|
+
};
|
|
69
|
+
},
|
|
70
|
+
};
|
|
71
|
+
}
|
|
72
|
+
//# sourceMappingURL=forwarded-user.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"forwarded-user.js","sourceRoot":"","sources":["../../../src/auth/providers/forwarded-user.ts"],"names":[],"mappings":"AAwCA,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAC1E,OAAO,EAAE,YAAY,EAAmB,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAyB/C;;;;;GAKG;AACH,MAAM,UAAU,+BAA+B,CAAC,MAA2B;IACzE,mEAAmE;IACnE,2EAA2E;IAC3E,+DAA+D;IAC/D,kCAAkC;IAClC,IAAI,WAAW,GAAiB,EAAE,CAAA;IAClC,IAAI,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9D,IAAI,CAAC;YACH,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,cAAc,CAAC,CAAA;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,sBAAsB,CAC9B,iCAAkC,GAAa,CAAC,OAAO,mFAAmF,CAC3I,CAAA;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvD,+DAA+D;QAC/D,iEAAiE;QACjE,0DAA0D;QAC1D,MAAM,IAAI,sBAAsB,CAC9B,0FAA0F,CAC3F,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,QAAQ,CAAA;IAElD,OAAO;QACL,SAAS,EAAE,gBAAgB;QAC3B,KAAK,CAAC,gBAAgB,CAAC,GAAgB;YACrC,yDAAyD;YACzD,6DAA6D;YAC7D,0DAA0D;YAC1D,6DAA6D;YAC7D,4DAA4D;YAC5D,yDAAyD;YACzD,wBAAwB;YACxB,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC3B,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,CAAC;oBAC9D,MAAM,IAAI,mBAAmB,CAC3B,GAAG,CAAC,QAAQ;wBACV,CAAC,CAAC,qBAAqB,GAAG,CAAC,QAAQ,oDAAoD;wBACvF,CAAC,CAAC,qEAAqE,CAC1E,CAAA;gBACH,CAAC;YACH,CAAC;YAED,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YAChD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/B,wDAAwD;gBACxD,YAAY;gBACZ,OAAO,IAAI,CAAA;YACb,CAAC;YAED,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,SAAS,CAAA;YAC/D,6DAA6D;YAC7D,2DAA2D;YAC3D,0DAA0D;YAC1D,iEAAiE;YACjE,wDAAwD;YACxD,sDAAsD;YACtD,MAAM,YAAY,GAAG,UAAU,CAAC,WAAW,CAAC,IAAI,EAAE,CAAA;YAClD,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,KAAK;gBACL,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE,gBAAgB;gBAC3B,YAAY;aACb,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC"}
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
import type { AuthIdentityProvider } from '../provider.js';
|
|
2
|
+
/** Reserved subject identifier for unauthenticated / pre-RBAC contexts. */
|
|
3
|
+
export declare const UNKNOWN_ACTOR_ID = "unknown";
|
|
4
|
+
/** Singleton instance — `none` mode has no per-instance state. */
|
|
5
|
+
export declare const noneAuthProvider: AuthIdentityProvider;
|
|
6
|
+
//# sourceMappingURL=none.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"none.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/none.ts"],"names":[],"mappings":"AAmCA,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAEvE,2EAA2E;AAC3E,eAAO,MAAM,gBAAgB,YAAY,CAAA;AAEzC,kEAAkE;AAClE,eAAO,MAAM,gBAAgB,EAAE,oBAc9B,CAAA"}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
/** Reserved subject identifier for unauthenticated / pre-RBAC contexts. */
|
|
2
|
+
export const UNKNOWN_ACTOR_ID = 'unknown';
|
|
3
|
+
/** Singleton instance — `none` mode has no per-instance state. */
|
|
4
|
+
export const noneAuthProvider = {
|
|
5
|
+
trustMode: 'none',
|
|
6
|
+
async extractPrincipal(_req) {
|
|
7
|
+
// Always returns the canonical unknown principal with full
|
|
8
|
+
// capabilities. Never returns null (would force middleware to
|
|
9
|
+
// synthesize an anonymous principal anyway — cleaner to do it
|
|
10
|
+
// here once).
|
|
11
|
+
return {
|
|
12
|
+
id: UNKNOWN_ACTOR_ID,
|
|
13
|
+
role: 'admin',
|
|
14
|
+
trustMode: 'none',
|
|
15
|
+
capabilities: ['*'],
|
|
16
|
+
};
|
|
17
|
+
},
|
|
18
|
+
};
|
|
19
|
+
//# sourceMappingURL=none.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"none.js","sourceRoot":"","sources":["../../../src/auth/providers/none.ts"],"names":[],"mappings":"AAqCA,2EAA2E;AAC3E,MAAM,CAAC,MAAM,gBAAgB,GAAG,SAAS,CAAA;AAEzC,kEAAkE;AAClE,MAAM,CAAC,MAAM,gBAAgB,GAAyB;IACpD,SAAS,EAAE,MAAM;IACjB,KAAK,CAAC,gBAAgB,CAAC,IAAiB;QACtC,2DAA2D;QAC3D,8DAA8D;QAC9D,8DAA8D;QAC9D,cAAc;QACd,OAAO;YACL,EAAE,EAAE,gBAAgB;YACpB,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,MAAM;YACjB,YAAY,EAAE,CAAC,GAAG,CAAC;SACpB,CAAA;IACH,CAAC;CACF,CAAA"}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
import type { AuthIdentityProvider } from '../provider.js';
|
|
2
|
+
export interface TailscaleConfig {
|
|
3
|
+
/** Optional default role until Cut 6's role-resolver wires up. */
|
|
4
|
+
defaultRole?: string;
|
|
5
|
+
}
|
|
6
|
+
export declare function createTailscaleAuthProvider(config?: TailscaleConfig): AuthIdentityProvider;
|
|
7
|
+
//# sourceMappingURL=tailscale.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tailscale.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/tailscale.ts"],"names":[],"mappings":"AA6BA,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAGvE,MAAM,WAAW,eAAe;IAC9B,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED,wBAAgB,2BAA2B,CAAC,MAAM,GAAE,eAAoB,GAAG,oBAAoB,CA4B9F"}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
import { expandRole } from '../capabilities.js';
|
|
2
|
+
export function createTailscaleAuthProvider(config = {}) {
|
|
3
|
+
const defaultRole = config.defaultRole ?? 'editor';
|
|
4
|
+
return {
|
|
5
|
+
trustMode: 'tailscale',
|
|
6
|
+
async extractPrincipal(req) {
|
|
7
|
+
const login = req.headers.get('tailscale-user-login');
|
|
8
|
+
if (!login || login.length === 0) {
|
|
9
|
+
// No tailscale identity — request bypassed Tailscale's
|
|
10
|
+
// serve. Either the operator misconfigured, or a request
|
|
11
|
+
// arrived through a different listener. Anonymous → 401.
|
|
12
|
+
return null;
|
|
13
|
+
}
|
|
14
|
+
// Tailscale-User-Login is shaped `user@tailnet.ts.net`.
|
|
15
|
+
// We treat the whole string as id; operators wanting a
|
|
16
|
+
// shorter display name can map via roleMapping or use the
|
|
17
|
+
// tailscale-user-name header if present.
|
|
18
|
+
return {
|
|
19
|
+
id: login,
|
|
20
|
+
// Tailscale's email-shaped login is functionally the user's
|
|
21
|
+
// email for display purposes.
|
|
22
|
+
email: login,
|
|
23
|
+
role: defaultRole,
|
|
24
|
+
trustMode: 'tailscale',
|
|
25
|
+
capabilities: expandRole(defaultRole) ?? [],
|
|
26
|
+
};
|
|
27
|
+
},
|
|
28
|
+
};
|
|
29
|
+
}
|
|
30
|
+
//# sourceMappingURL=tailscale.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tailscale.js","sourceRoot":"","sources":["../../../src/auth/providers/tailscale.ts"],"names":[],"mappings":"AA8BA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAO/C,MAAM,UAAU,2BAA2B,CAAC,SAA0B,EAAE;IACtE,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,QAAQ,CAAA;IAClD,OAAO;QACL,SAAS,EAAE,WAAW;QACtB,KAAK,CAAC,gBAAgB,CAAC,GAAgB;YACrC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAA;YACrD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjC,uDAAuD;gBACvD,yDAAyD;gBACzD,yDAAyD;gBACzD,OAAO,IAAI,CAAA;YACb,CAAC;YAED,wDAAwD;YACxD,uDAAuD;YACvD,0DAA0D;YAC1D,yCAAyC;YACzC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,4DAA4D;gBAC5D,8BAA8B;gBAC9B,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE,WAAW;gBACtB,YAAY,EAAE,UAAU,CAAC,WAAW,CAAC,IAAI,EAAE;aAC5C,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC"}
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
import { type RoleMapping } from './types.js';
|
|
2
|
+
export interface ResolveRoleArgs {
|
|
3
|
+
/** Group names from the upstream auth provider's claim. */
|
|
4
|
+
groups: ReadonlyArray<string>;
|
|
5
|
+
/** Operator's roleMapping config (claim + map + defaultRole). */
|
|
6
|
+
mapping?: RoleMapping;
|
|
7
|
+
/** Custom role declarations from `site.config.ts admin.auth.roles`. */
|
|
8
|
+
customRoles?: Readonly<Record<string, ReadonlyArray<string>>>;
|
|
9
|
+
}
|
|
10
|
+
export interface ResolvedRole {
|
|
11
|
+
/** The chosen Gazetta role name. */
|
|
12
|
+
name: string;
|
|
13
|
+
/** The role's capability set after alias expansion. */
|
|
14
|
+
capabilities: ReadonlyArray<string>;
|
|
15
|
+
}
|
|
16
|
+
/**
|
|
17
|
+
* Resolve the principal's role + capability set.
|
|
18
|
+
*
|
|
19
|
+
* Returns `null` when:
|
|
20
|
+
* - No group matches AND `defaultRole` is null (deny access)
|
|
21
|
+
* - Resolved role name doesn't expand (unknown role)
|
|
22
|
+
*
|
|
23
|
+
* Caller (middleware) translates `null` into 403 / 401 per request
|
|
24
|
+
* shape.
|
|
25
|
+
*/
|
|
26
|
+
export declare function resolveRole(args: ResolveRoleArgs): ResolvedRole | null;
|
|
27
|
+
/**
|
|
28
|
+
* Validate that a custom role's capabilities don't redefine
|
|
29
|
+
* built-in roles with surprising semantics. Per design-auth-rbac.md
|
|
30
|
+
* Q3: unknown capabilities flagged; reserved built-in role names
|
|
31
|
+
* cannot be redeclared.
|
|
32
|
+
*
|
|
33
|
+
* Returns the list of validation issues; empty array means valid.
|
|
34
|
+
* Caller decides strict-mode (throw) vs warn-mode (log) per
|
|
35
|
+
* `admin.auth.strict`.
|
|
36
|
+
*/
|
|
37
|
+
export declare function validateCustomRoles(customRoles: Readonly<Record<string, ReadonlyArray<string>>>): string[];
|
|
38
|
+
//# sourceMappingURL=role-resolver.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"role-resolver.d.ts","sourceRoot":"","sources":["../../src/auth/role-resolver.ts"],"names":[],"mappings":"AA8BA,OAAO,EAAkB,KAAK,WAAW,EAAE,MAAM,YAAY,CAAA;AAE7D,MAAM,WAAW,eAAe;IAC9B,2DAA2D;IAC3D,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;IAC7B,iEAAiE;IACjE,OAAO,CAAC,EAAE,WAAW,CAAA;IACrB,uEAAuE;IACvE,WAAW,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;CAC9D;AAED,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAA;IACZ,uDAAuD;IACvD,YAAY,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CACpC;AAED;;;;;;;;;GASG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,eAAe,GAAG,YAAY,GAAG,IAAI,CAiCtE;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,EAAE,CAU1G"}
|
|
@@ -0,0 +1,92 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Role resolution — translates upstream group claims into a Gazetta
|
|
3
|
+
* role + the role's capability set.
|
|
4
|
+
*
|
|
5
|
+
* # The resolution chain
|
|
6
|
+
*
|
|
7
|
+
* 1. Pull the group list from the principal's claims (header /
|
|
8
|
+
* JWT payload — provider-specific, surfaces as a `string[]`)
|
|
9
|
+
* 2. Walk the operator's `roleMapping.map` from `site.config.ts`;
|
|
10
|
+
* first matching upstream group → Gazetta role name
|
|
11
|
+
* 3. Fall back to `roleMapping.defaultRole` if no group matches;
|
|
12
|
+
* `null` means deny access
|
|
13
|
+
* 4. Expand the role name to its capability set via
|
|
14
|
+
* `expandRole(name, customRoles)`
|
|
15
|
+
*
|
|
16
|
+
* # Why "first match wins" not "highest precedence"
|
|
17
|
+
*
|
|
18
|
+
* Per `design-auth-rbac.md` Q3 lock: priority is array order in the
|
|
19
|
+
* map config. Operators control precedence by ordering their map.
|
|
20
|
+
* Predictable, deterministic, no implicit precedence.
|
|
21
|
+
*
|
|
22
|
+
* # SOLID lenses
|
|
23
|
+
*
|
|
24
|
+
* - SRP: pure function over (groups, mapping, customRoles);
|
|
25
|
+
* doesn't read `site.config.ts` directly, doesn't depend on
|
|
26
|
+
* specific provider shape.
|
|
27
|
+
* - DIP: providers pass the resolved groups; this module doesn't
|
|
28
|
+
* know about JWT claims or HTTP headers.
|
|
29
|
+
*/
|
|
30
|
+
import { expandRole } from './capabilities.js';
|
|
31
|
+
import { BUILT_IN_ROLES } from './types.js';
|
|
32
|
+
/**
|
|
33
|
+
* Resolve the principal's role + capability set.
|
|
34
|
+
*
|
|
35
|
+
* Returns `null` when:
|
|
36
|
+
* - No group matches AND `defaultRole` is null (deny access)
|
|
37
|
+
* - Resolved role name doesn't expand (unknown role)
|
|
38
|
+
*
|
|
39
|
+
* Caller (middleware) translates `null` into 403 / 401 per request
|
|
40
|
+
* shape.
|
|
41
|
+
*/
|
|
42
|
+
export function resolveRole(args) {
|
|
43
|
+
const { groups, mapping, customRoles } = args;
|
|
44
|
+
let roleName;
|
|
45
|
+
if (mapping) {
|
|
46
|
+
// First-match-wins per array order. Iteration order of an object
|
|
47
|
+
// literal is insertion-order in modern JS; operator's config
|
|
48
|
+
// ordering IS the precedence.
|
|
49
|
+
for (const [group, role] of Object.entries(mapping.map)) {
|
|
50
|
+
if (groups.includes(group)) {
|
|
51
|
+
roleName = role;
|
|
52
|
+
break;
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
// Fall through to defaultRole if no group matched.
|
|
56
|
+
if (!roleName) {
|
|
57
|
+
roleName = mapping.defaultRole;
|
|
58
|
+
}
|
|
59
|
+
}
|
|
60
|
+
// Without a mapping (or with an empty map + null defaultRole),
|
|
61
|
+
// there's no role to assign.
|
|
62
|
+
if (!roleName)
|
|
63
|
+
return null;
|
|
64
|
+
const capabilities = expandRole(roleName, customRoles);
|
|
65
|
+
if (!capabilities) {
|
|
66
|
+
// Unknown role — operator misconfiguration. The site-loader
|
|
67
|
+
// should catch this at boot via strict validation; this is the
|
|
68
|
+
// defense-in-depth check.
|
|
69
|
+
return null;
|
|
70
|
+
}
|
|
71
|
+
return { name: roleName, capabilities };
|
|
72
|
+
}
|
|
73
|
+
/**
|
|
74
|
+
* Validate that a custom role's capabilities don't redefine
|
|
75
|
+
* built-in roles with surprising semantics. Per design-auth-rbac.md
|
|
76
|
+
* Q3: unknown capabilities flagged; reserved built-in role names
|
|
77
|
+
* cannot be redeclared.
|
|
78
|
+
*
|
|
79
|
+
* Returns the list of validation issues; empty array means valid.
|
|
80
|
+
* Caller decides strict-mode (throw) vs warn-mode (log) per
|
|
81
|
+
* `admin.auth.strict`.
|
|
82
|
+
*/
|
|
83
|
+
export function validateCustomRoles(customRoles) {
|
|
84
|
+
const issues = [];
|
|
85
|
+
for (const name of Object.keys(customRoles)) {
|
|
86
|
+
if (name in BUILT_IN_ROLES) {
|
|
87
|
+
issues.push(`Custom role "${name}" conflicts with a built-in role. Choose a different name; built-in roles can't be redefined.`);
|
|
88
|
+
}
|
|
89
|
+
}
|
|
90
|
+
return issues;
|
|
91
|
+
}
|
|
92
|
+
//# sourceMappingURL=role-resolver.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"role-resolver.js","sourceRoot":"","sources":["../../src/auth/role-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,cAAc,EAAoB,MAAM,YAAY,CAAA;AAkB7D;;;;;;;;;GASG;AACH,MAAM,UAAU,WAAW,CAAC,IAAqB;IAC/C,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,IAAI,CAAA;IAC7C,IAAI,QAAmC,CAAA;IAEvC,IAAI,OAAO,EAAE,CAAC;QACZ,iEAAiE;QACjE,6DAA6D;QAC7D,8BAA8B;QAC9B,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACxD,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3B,QAAQ,GAAG,IAAI,CAAA;gBACf,MAAK;YACP,CAAC;QACH,CAAC;QACD,mDAAmD;QACnD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,QAAQ,GAAG,OAAO,CAAC,WAAW,CAAA;QAChC,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,6BAA6B;IAC7B,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAA;IAE1B,MAAM,YAAY,GAAG,UAAU,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;IACtD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,4DAA4D;QAC5D,+DAA+D;QAC/D,0BAA0B;QAC1B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAA;AACzC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,WAA4D;IAC9F,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5C,IAAI,IAAI,IAAI,cAAc,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CACT,gBAAgB,IAAI,+FAA+F,CACpH,CAAA;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC"}
|