npm - gazetta - Versions diffs - 0.7.0 → 0.8.0 - Mend

gazetta 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (738) hide show

package/admin-dist/assets/index-CBeq0rRb.js +693 -0
package/admin-dist/assets/index-Dtg1dTZQ.css +1 -0
package/admin-dist/assets/rolldown-runtime-BYbx6iT9.js +1 -0
package/admin-dist/assets/{vendor-primevue-C0Q_YTCb.js → vendor-primevue-CBGHkaXv.js} +183 -39
package/admin-dist/assets/{vendor-react-BipDVGow.js → vendor-react-BdW_kNCG.js} +2 -2
package/admin-dist/assets/vendor-rjsf-lN2SztQt.js +33 -0
package/admin-dist/assets/vendor-tiptap-C36yDquB.js +141 -0
package/admin-dist/assets/vendor-vue-Bt5uR1VW.js +1 -0
package/admin-dist/assets/workbox-window.prod.es5-DGMtIXHc.js +2 -0
package/admin-dist/index.html +8 -8
package/admin-dist/sw.js +1 -0
package/dist/admin-api/archived-name-conflict.d.ts +31 -0
package/dist/admin-api/archived-name-conflict.d.ts.map +1 -0
package/dist/admin-api/archived-name-conflict.js +226 -0
package/dist/admin-api/archived-name-conflict.js.map +1 -0
package/dist/admin-api/cache-stats-logger.d.ts +83 -0
package/dist/admin-api/cache-stats-logger.d.ts.map +1 -0
package/dist/admin-api/cache-stats-logger.js +59 -0
package/dist/admin-api/cache-stats-logger.js.map +1 -0
package/dist/admin-api/hook-audit-emitter.d.ts +38 -0
package/dist/admin-api/hook-audit-emitter.d.ts.map +1 -0
package/dist/admin-api/hook-audit-emitter.js +21 -0
package/dist/admin-api/hook-audit-emitter.js.map +1 -0
package/dist/admin-api/index.d.ts +84 -0
package/dist/admin-api/index.d.ts.map +1 -1
package/dist/admin-api/index.js +254 -9
package/dist/admin-api/index.js.map +1 -1
package/dist/admin-api/middleware/audit.d.ts +25 -0
package/dist/admin-api/middleware/audit.d.ts.map +1 -0
package/dist/admin-api/middleware/audit.js +65 -0
package/dist/admin-api/middleware/audit.js.map +1 -0
package/dist/admin-api/middleware/capability.d.ts +8 -0
package/dist/admin-api/middleware/capability.d.ts.map +1 -0
package/dist/admin-api/middleware/capability.js +65 -0
package/dist/admin-api/middleware/capability.js.map +1 -0
package/dist/admin-api/middleware/principal.d.ts +18 -0
package/dist/admin-api/middleware/principal.d.ts.map +1 -0
package/dist/admin-api/middleware/principal.js +128 -0
package/dist/admin-api/middleware/principal.js.map +1 -0
package/dist/admin-api/routes/archive-review.d.ts +80 -0
package/dist/admin-api/routes/archive-review.d.ts.map +1 -0
package/dist/admin-api/routes/archive-review.js +70 -0
package/dist/admin-api/routes/archive-review.js.map +1 -0
package/dist/admin-api/routes/archive.d.ts +145 -0
package/dist/admin-api/routes/archive.d.ts.map +1 -0
package/dist/admin-api/routes/archive.js +540 -0
package/dist/admin-api/routes/archive.js.map +1 -0
package/dist/admin-api/routes/assets.d.ts +6 -1
package/dist/admin-api/routes/assets.d.ts.map +1 -1
package/dist/admin-api/routes/assets.js +167 -14
package/dist/admin-api/routes/assets.js.map +1 -1
package/dist/admin-api/routes/audit.d.ts +71 -0
package/dist/admin-api/routes/audit.d.ts.map +1 -0
package/dist/admin-api/routes/audit.js +178 -0
package/dist/admin-api/routes/audit.js.map +1 -0
package/dist/admin-api/routes/compare.d.ts.map +1 -1
package/dist/admin-api/routes/compare.js +3 -2
package/dist/admin-api/routes/compare.js.map +1 -1
package/dist/admin-api/routes/fields.d.ts.map +1 -1
package/dist/admin-api/routes/fields.js +2 -1
package/dist/admin-api/routes/fields.js.map +1 -1
package/dist/admin-api/routes/fragments.d.ts +13 -1
package/dist/admin-api/routes/fragments.d.ts.map +1 -1
package/dist/admin-api/routes/fragments.js +127 -92
package/dist/admin-api/routes/fragments.js.map +1 -1
package/dist/admin-api/routes/health.d.ts +60 -0
package/dist/admin-api/routes/health.d.ts.map +1 -0
package/dist/admin-api/routes/health.js +65 -0
package/dist/admin-api/routes/health.js.map +1 -0
package/dist/admin-api/routes/history.d.ts +2 -1
package/dist/admin-api/routes/history.d.ts.map +1 -1
package/dist/admin-api/routes/history.js +26 -4
package/dist/admin-api/routes/history.js.map +1 -1
package/dist/admin-api/routes/pages.d.ts +20 -1
package/dist/admin-api/routes/pages.d.ts.map +1 -1
package/dist/admin-api/routes/pages.js +157 -117
package/dist/admin-api/routes/pages.js.map +1 -1
package/dist/admin-api/routes/preview.d.ts.map +1 -1
package/dist/admin-api/routes/preview.js +56 -17
package/dist/admin-api/routes/preview.js.map +1 -1
package/dist/admin-api/routes/publish.d.ts +19 -1
package/dist/admin-api/routes/publish.d.ts.map +1 -1
package/dist/admin-api/routes/publish.js +508 -92
package/dist/admin-api/routes/publish.js.map +1 -1
package/dist/admin-api/routes/rename.d.ts +62 -0
package/dist/admin-api/routes/rename.d.ts.map +1 -0
package/dist/admin-api/routes/rename.js +366 -0
package/dist/admin-api/routes/rename.js.map +1 -0
package/dist/admin-api/routes/site.d.ts.map +1 -1
package/dist/admin-api/routes/site.js +6 -18
package/dist/admin-api/routes/site.js.map +1 -1
package/dist/admin-api/routes/system.d.ts +23 -0
package/dist/admin-api/routes/system.d.ts.map +1 -0
package/dist/admin-api/routes/system.js +115 -0
package/dist/admin-api/routes/system.js.map +1 -0
package/dist/admin-api/routes/templates.d.ts +11 -1
package/dist/admin-api/routes/templates.d.ts.map +1 -1
package/dist/admin-api/routes/templates.js +36 -3
package/dist/admin-api/routes/templates.js.map +1 -1
package/dist/admin-api/routes/validation.d.ts +47 -0
package/dist/admin-api/routes/validation.d.ts.map +1 -0
package/dist/admin-api/routes/validation.js +120 -0
package/dist/admin-api/routes/validation.js.map +1 -0
package/dist/admin-api/schemas/archive.d.ts +124 -0
package/dist/admin-api/schemas/archive.d.ts.map +1 -0
package/dist/admin-api/schemas/archive.js +93 -0
package/dist/admin-api/schemas/archive.js.map +1 -0
package/dist/admin-api/schemas/assets.d.ts +16 -0
package/dist/admin-api/schemas/assets.d.ts.map +1 -1
package/dist/admin-api/schemas/assets.js +15 -0
package/dist/admin-api/schemas/assets.js.map +1 -1
package/dist/admin-api/schemas/audit.d.ts +175 -0
package/dist/admin-api/schemas/audit.d.ts.map +1 -0
package/dist/admin-api/schemas/audit.js +91 -0
package/dist/admin-api/schemas/audit.js.map +1 -0
package/dist/admin-api/schemas/error.d.ts +94 -0
package/dist/admin-api/schemas/error.d.ts.map +1 -0
package/dist/admin-api/schemas/error.js +79 -0
package/dist/admin-api/schemas/error.js.map +1 -0
package/dist/admin-api/schemas/fragments.d.ts +2 -0
package/dist/admin-api/schemas/fragments.d.ts.map +1 -1
package/dist/admin-api/schemas/fragments.js +4 -0
package/dist/admin-api/schemas/fragments.js.map +1 -1
package/dist/admin-api/schemas/index.d.ts +8 -0
package/dist/admin-api/schemas/index.d.ts.map +1 -1
package/dist/admin-api/schemas/index.js +8 -0
package/dist/admin-api/schemas/index.js.map +1 -1
package/dist/admin-api/schemas/pages.d.ts +2 -0
package/dist/admin-api/schemas/pages.d.ts.map +1 -1
package/dist/admin-api/schemas/pages.js +11 -0
package/dist/admin-api/schemas/pages.js.map +1 -1
package/dist/admin-api/schemas/rename.d.ts +77 -0
package/dist/admin-api/schemas/rename.d.ts.map +1 -0
package/dist/admin-api/schemas/rename.js +75 -0
package/dist/admin-api/schemas/rename.js.map +1 -0
package/dist/admin-api/schemas/site.d.ts +3 -2
package/dist/admin-api/schemas/site.d.ts.map +1 -1
package/dist/admin-api/schemas/site.js +3 -2
package/dist/admin-api/schemas/site.js.map +1 -1
package/dist/admin-api/schemas/system.d.ts +28 -0
package/dist/admin-api/schemas/system.d.ts.map +1 -0
package/dist/admin-api/schemas/system.js +35 -0
package/dist/admin-api/schemas/system.js.map +1 -0
package/dist/admin-api/schemas/targets.d.ts +55 -0
package/dist/admin-api/schemas/targets.d.ts.map +1 -1
package/dist/admin-api/schemas/targets.js +46 -0
package/dist/admin-api/schemas/targets.js.map +1 -1
package/dist/admin-api/schemas/templates.d.ts +54 -0
package/dist/admin-api/schemas/templates.d.ts.map +1 -1
package/dist/admin-api/schemas/templates.js +21 -0
package/dist/admin-api/schemas/templates.js.map +1 -1
package/dist/admin-api/schemas/validation.d.ts +101 -0
package/dist/admin-api/schemas/validation.d.ts.map +1 -0
package/dist/admin-api/schemas/validation.js +57 -0
package/dist/admin-api/schemas/validation.js.map +1 -0
package/dist/admin-api/source-context.d.ts +66 -10
package/dist/admin-api/source-context.d.ts.map +1 -1
package/dist/admin-api/source-context.js +43 -5
package/dist/admin-api/source-context.js.map +1 -1
package/dist/ai/adapter-scaffold.d.ts +63 -0
package/dist/ai/adapter-scaffold.d.ts.map +1 -0
package/dist/ai/adapter-scaffold.js +89 -0
package/dist/ai/adapter-scaffold.js.map +1 -0
package/dist/ai/compose-prompt.d.ts +50 -0
package/dist/ai/compose-prompt.d.ts.map +1 -0
package/dist/ai/compose-prompt.js +49 -0
package/dist/ai/compose-prompt.js.map +1 -0
package/dist/ai/errors.d.ts +65 -0
package/dist/ai/errors.d.ts.map +1 -0
package/dist/ai/errors.js +59 -0
package/dist/ai/errors.js.map +1 -0
package/dist/ai/index.d.ts +17 -0
package/dist/ai/index.d.ts.map +1 -0
package/dist/ai/index.js +16 -0
package/dist/ai/index.js.map +1 -0
package/dist/ai/provider.d.ts +76 -0
package/dist/ai/provider.d.ts.map +1 -0
package/dist/ai/provider.js +13 -0
package/dist/ai/provider.js.map +1 -0
package/dist/ai/refusal.d.ts +50 -0
package/dist/ai/refusal.d.ts.map +1 -0
package/dist/ai/refusal.js +100 -0
package/dist/ai/refusal.js.map +1 -0
package/dist/ai/vision-prep.d.ts +32 -0
package/dist/ai/vision-prep.d.ts.map +1 -0
package/dist/ai/vision-prep.js +113 -0
package/dist/ai/vision-prep.js.map +1 -0
package/dist/alt/adapter.d.ts +140 -0
package/dist/alt/adapter.d.ts.map +1 -0
package/dist/alt/adapter.js +7 -0
package/dist/alt/adapter.js.map +1 -0
package/dist/alt/anthropic.d.ts +63 -0
package/dist/alt/anthropic.d.ts.map +1 -0
package/dist/alt/anthropic.js +147 -0
package/dist/alt/anthropic.js.map +1 -0
package/dist/alt/config.d.ts +67 -0
package/dist/alt/config.d.ts.map +1 -0
package/dist/alt/config.js +41 -0
package/dist/alt/config.js.map +1 -0
package/dist/alt/factory.d.ts +19 -0
package/dist/alt/factory.d.ts.map +1 -0
package/dist/alt/factory.js +69 -0
package/dist/alt/factory.js.map +1 -0
package/dist/alt/null-adapter.d.ts +3 -0
package/dist/alt/null-adapter.d.ts.map +1 -0
package/dist/alt/null-adapter.js +43 -0
package/dist/alt/null-adapter.js.map +1 -0
package/dist/alt/ollama.d.ts +40 -0
package/dist/alt/ollama.d.ts.map +1 -0
package/dist/alt/ollama.js +139 -0
package/dist/alt/ollama.js.map +1 -0
package/dist/alt/openai.d.ts +46 -0
package/dist/alt/openai.d.ts.map +1 -0
package/dist/alt/openai.js +118 -0
package/dist/alt/openai.js.map +1 -0
package/dist/alt/prompt-policies.d.ts +79 -0
package/dist/alt/prompt-policies.d.ts.map +1 -0
package/dist/alt/prompt-policies.js +67 -0
package/dist/alt/prompt-policies.js.map +1 -0
package/dist/alt/route-handler.d.ts +56 -0
package/dist/alt/route-handler.d.ts.map +1 -0
package/dist/alt/route-handler.js +122 -0
package/dist/alt/route-handler.js.map +1 -0
package/dist/alt/suggester.d.ts +57 -0
package/dist/alt/suggester.d.ts.map +1 -0
package/dist/alt/suggester.js +133 -0
package/dist/alt/suggester.js.map +1 -0
package/dist/app.js +1 -1
package/dist/app.js.map +1 -1
package/dist/archive-aliases.d.ts +79 -0
package/dist/archive-aliases.d.ts.map +1 -0
package/dist/archive-aliases.js +60 -0
package/dist/archive-aliases.js.map +1 -0
package/dist/archive-helpers.d.ts +73 -0
package/dist/archive-helpers.d.ts.map +1 -0
package/dist/archive-helpers.js +94 -0
package/dist/archive-helpers.js.map +1 -0
package/dist/assets/find-refs.d.ts +1 -1
package/dist/assets/find-refs.js +1 -1
package/dist/assets/find-refs.js.map +1 -1
package/dist/assets/rename.js +1 -1
package/dist/assets/rename.js.map +1 -1
package/dist/assets/replace.js +1 -1
package/dist/assets/replace.js.map +1 -1
package/dist/assets/resolve.js +4 -4
package/dist/assets/resolve.js.map +1 -1
package/dist/assets/serve-route.js +2 -2
package/dist/assets/serve-route.js.map +1 -1
package/dist/assets/validate.d.ts +1 -1
package/dist/assets/validate.js +1 -1
package/dist/audit/config.d.ts +75 -0
package/dist/audit/config.d.ts.map +1 -0
package/dist/audit/config.js +91 -0
package/dist/audit/config.js.map +1 -0
package/dist/audit/context.d.ts +98 -0
package/dist/audit/context.d.ts.map +1 -0
package/dist/audit/context.js +51 -0
package/dist/audit/context.js.map +1 -0
package/dist/audit/errors.d.ts +73 -0
package/dist/audit/errors.d.ts.map +1 -0
package/dist/audit/errors.js +78 -0
package/dist/audit/errors.js.map +1 -0
package/dist/audit/index.d.ts +16 -0
package/dist/audit/index.d.ts.map +1 -0
package/dist/audit/index.js +10 -0
package/dist/audit/index.js.map +1 -0
package/dist/audit/provider.d.ts +73 -0
package/dist/audit/provider.d.ts.map +1 -0
package/dist/audit/provider.js +2 -0
package/dist/audit/provider.js.map +1 -0
package/dist/audit/providers/history.d.ts +66 -0
package/dist/audit/providers/history.d.ts.map +1 -0
package/dist/audit/providers/history.js +102 -0
package/dist/audit/providers/history.js.map +1 -0
package/dist/audit/pseudonymize.d.ts +26 -0
package/dist/audit/pseudonymize.d.ts.map +1 -0
package/dist/audit/pseudonymize.js +86 -0
package/dist/audit/pseudonymize.js.map +1 -0
package/dist/audit/recorder.d.ts +102 -0
package/dist/audit/recorder.d.ts.map +1 -0
package/dist/audit/recorder.js +55 -0
package/dist/audit/recorder.js.map +1 -0
package/dist/audit/retention.d.ts +83 -0
package/dist/audit/retention.d.ts.map +1 -0
package/dist/audit/retention.js +142 -0
package/dist/audit/retention.js.map +1 -0
package/dist/audit/source-ip.d.ts +32 -0
package/dist/audit/source-ip.d.ts.map +1 -0
package/dist/audit/source-ip.js +164 -0
package/dist/audit/source-ip.js.map +1 -0
package/dist/audit/types.d.ts +143 -0
package/dist/audit/types.d.ts.map +1 -0
package/dist/audit/types.js +33 -0
package/dist/audit/types.js.map +1 -0
package/dist/audit/user-agent.d.ts +28 -0
package/dist/audit/user-agent.d.ts.map +1 -0
package/dist/audit/user-agent.js +63 -0
package/dist/audit/user-agent.js.map +1 -0
package/dist/auth/capabilities.d.ts +28 -0
package/dist/auth/capabilities.d.ts.map +1 -0
package/dist/auth/capabilities.js +101 -0
package/dist/auth/capabilities.js.map +1 -0
package/dist/auth/config.d.ts +109 -0
package/dist/auth/config.d.ts.map +1 -0
package/dist/auth/config.js +221 -0
package/dist/auth/config.js.map +1 -0
package/dist/auth/errors.d.ts +72 -0
package/dist/auth/errors.d.ts.map +1 -0
package/dist/auth/errors.js +78 -0
package/dist/auth/errors.js.map +1 -0
package/dist/auth/factory.d.ts +43 -0
package/dist/auth/factory.d.ts.map +1 -0
package/dist/auth/factory.js +48 -0
package/dist/auth/factory.js.map +1 -0
package/dist/auth/index.d.ts +21 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/index.js +14 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/ip-match.d.ts +29 -0
package/dist/auth/ip-match.d.ts.map +1 -0
package/dist/auth/ip-match.js +162 -0
package/dist/auth/ip-match.js.map +1 -0
package/dist/auth/provider.d.ts +76 -0
package/dist/auth/provider.d.ts.map +1 -0
package/dist/auth/provider.js +2 -0
package/dist/auth/provider.js.map +1 -0
package/dist/auth/providers/aws-cognito.d.ts +55 -0
package/dist/auth/providers/aws-cognito.d.ts.map +1 -0
package/dist/auth/providers/aws-cognito.js +114 -0
package/dist/auth/providers/aws-cognito.js.map +1 -0
package/dist/auth/providers/azure-easy-auth.d.ts +7 -0
package/dist/auth/providers/azure-easy-auth.d.ts.map +1 -0
package/dist/auth/providers/azure-easy-auth.js +48 -0
package/dist/auth/providers/azure-easy-auth.js.map +1 -0
package/dist/auth/providers/cloudflare-access.d.ts +71 -0
package/dist/auth/providers/cloudflare-access.d.ts.map +1 -0
package/dist/auth/providers/cloudflare-access.js +120 -0
package/dist/auth/providers/cloudflare-access.js.map +1 -0
package/dist/auth/providers/forwarded-user.d.ts +31 -0
package/dist/auth/providers/forwarded-user.d.ts.map +1 -0
package/dist/auth/providers/forwarded-user.js +72 -0
package/dist/auth/providers/forwarded-user.js.map +1 -0
package/dist/auth/providers/none.d.ts +6 -0
package/dist/auth/providers/none.d.ts.map +1 -0
package/dist/auth/providers/none.js +19 -0
package/dist/auth/providers/none.js.map +1 -0
package/dist/auth/providers/tailscale.d.ts +7 -0
package/dist/auth/providers/tailscale.d.ts.map +1 -0
package/dist/auth/providers/tailscale.js +30 -0
package/dist/auth/providers/tailscale.js.map +1 -0
package/dist/auth/role-resolver.d.ts +38 -0
package/dist/auth/role-resolver.d.ts.map +1 -0
package/dist/auth/role-resolver.js +92 -0
package/dist/auth/role-resolver.js.map +1 -0
package/dist/auth/types.d.ts +150 -0
package/dist/auth/types.d.ts.map +1 -0
package/dist/auth/types.js +60 -0
package/dist/auth/types.js.map +1 -0
package/dist/cache/errors.d.ts +41 -0
package/dist/cache/errors.d.ts.map +1 -0
package/dist/cache/errors.js +44 -0
package/dist/cache/errors.js.map +1 -0
package/dist/cache/factories.d.ts +17 -0
package/dist/cache/factories.d.ts.map +1 -0
package/dist/cache/factories.js +17 -0
package/dist/cache/factories.js.map +1 -0
package/dist/cache/keys.d.ts +63 -0
package/dist/cache/keys.d.ts.map +1 -0
package/dist/cache/keys.js +145 -0
package/dist/cache/keys.js.map +1 -0
package/dist/cache/memory.d.ts +51 -0
package/dist/cache/memory.d.ts.map +1 -0
package/dist/cache/memory.js +204 -0
package/dist/cache/memory.js.map +1 -0
package/dist/cache/per-site.d.ts +22 -0
package/dist/cache/per-site.d.ts.map +1 -0
package/dist/cache/per-site.js +114 -0
package/dist/cache/per-site.js.map +1 -0
package/dist/cache/types.d.ts +142 -0
package/dist/cache/types.d.ts.map +1 -0
package/dist/cache/types.js +33 -0
package/dist/cache/types.js.map +1 -0
package/dist/cli/archive.d.ts +44 -0
package/dist/cli/archive.d.ts.map +1 -0
package/dist/cli/archive.js +310 -0
package/dist/cli/archive.js.map +1 -0
package/dist/cli/bootstrap.d.ts +15 -8
package/dist/cli/bootstrap.d.ts.map +1 -1
package/dist/cli/bootstrap.js +59 -23
package/dist/cli/bootstrap.js.map +1 -1
package/dist/cli/dev-template-watcher.d.ts +29 -0
package/dist/cli/dev-template-watcher.d.ts.map +1 -0
package/dist/cli/dev-template-watcher.js +38 -0
package/dist/cli/dev-template-watcher.js.map +1 -0
package/dist/cli/history.d.ts.map +1 -1
package/dist/cli/history.js +5 -3
package/dist/cli/history.js.map +1 -1
package/dist/cli/index.js +712 -395
package/dist/cli/index.js.map +1 -1
package/dist/cli/validate-flags.d.ts +29 -0
package/dist/cli/validate-flags.d.ts.map +1 -0
package/dist/cli/validate-flags.js +49 -0
package/dist/cli/validate-flags.js.map +1 -0
package/dist/compare.d.ts +1 -1
package/dist/compare.d.ts.map +1 -1
package/dist/compare.js +25 -23
package/dist/compare.js.map +1 -1
package/dist/component-ids.d.ts +25 -0
package/dist/component-ids.d.ts.map +1 -0
package/dist/component-ids.js +83 -0
package/dist/component-ids.js.map +1 -0
package/dist/config/define.d.ts +61 -0
package/dist/config/define.d.ts.map +1 -0
package/dist/config/define.js +64 -0
package/dist/config/define.js.map +1 -0
package/dist/config/errors.d.ts +32 -0
package/dist/config/errors.d.ts.map +1 -0
package/dist/config/errors.js +40 -0
package/dist/config/errors.js.map +1 -0
package/dist/config/index.d.ts +13 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +20 -0
package/dist/config/index.js.map +1 -0
package/dist/config/loader.d.ts +105 -0
package/dist/config/loader.d.ts.map +1 -0
package/dist/config/loader.js +265 -0
package/dist/config/loader.js.map +1 -0
package/dist/config/schemas.d.ts +89 -0
package/dist/config/schemas.d.ts.map +1 -0
package/dist/config/schemas.js +172 -0
package/dist/config/schemas.js.map +1 -0
package/dist/config/types.d.ts +32 -0
package/dist/config/types.d.ts.map +1 -0
package/dist/config/types.js +15 -0
package/dist/config/types.js.map +1 -0
package/dist/deploy/cloudflare-workers.d.ts +46 -0
package/dist/deploy/cloudflare-workers.d.ts.map +1 -0
package/dist/deploy/cloudflare-workers.js +213 -0
package/dist/deploy/cloudflare-workers.js.map +1 -0
package/dist/deploy/errors.d.ts +66 -0
package/dist/deploy/errors.d.ts.map +1 -0
package/dist/deploy/errors.js +82 -0
package/dist/deploy/errors.js.map +1 -0
package/dist/deploy/index.d.ts +9 -0
package/dist/deploy/index.d.ts.map +1 -0
package/dist/deploy/index.js +3 -0
package/dist/deploy/index.js.map +1 -0
package/dist/deploy/types.d.ts +162 -0
package/dist/deploy/types.d.ts.map +1 -0
package/dist/deploy/types.js +2 -0
package/dist/deploy/types.js.map +1 -0
package/dist/fragments/create.d.ts +70 -0
package/dist/fragments/create.d.ts.map +1 -0
package/dist/fragments/create.js +93 -0
package/dist/fragments/create.js.map +1 -0
package/dist/fragments/publish.d.ts +37 -0
package/dist/fragments/publish.d.ts.map +1 -0
package/dist/fragments/publish.js +52 -0
package/dist/fragments/publish.js.map +1 -0
package/dist/fragments/save.d.ts +81 -0
package/dist/fragments/save.d.ts.map +1 -0
package/dist/fragments/save.js +105 -0
package/dist/fragments/save.js.map +1 -0
package/dist/history-recorder.d.ts +5 -5
package/dist/history-recorder.d.ts.map +1 -1
package/dist/history-recorder.js +4 -4
package/dist/history-recorder.js.map +1 -1
package/dist/history-restorer.js +2 -2
package/dist/history-restorer.js.map +1 -1
package/dist/history.d.ts +1 -1
package/dist/hooks/audit-emitter.d.ts +73 -0
package/dist/hooks/audit-emitter.d.ts.map +1 -0
package/dist/hooks/audit-emitter.js +13 -0
package/dist/hooks/audit-emitter.js.map +1 -0
package/dist/hooks/context.d.ts +78 -0
package/dist/hooks/context.d.ts.map +1 -0
package/dist/hooks/context.js +56 -0
package/dist/hooks/context.js.map +1 -0
package/dist/hooks/contribution.d.ts +90 -0
package/dist/hooks/contribution.d.ts.map +1 -0
package/dist/hooks/contribution.js +2 -0
package/dist/hooks/contribution.js.map +1 -0
package/dist/hooks/dispatch.d.ts +30 -0
package/dist/hooks/dispatch.d.ts.map +1 -0
package/dist/hooks/dispatch.js +252 -0
package/dist/hooks/dispatch.js.map +1 -0
package/dist/hooks/errors.d.ts +100 -0
package/dist/hooks/errors.d.ts.map +1 -0
package/dist/hooks/errors.js +103 -0
package/dist/hooks/errors.js.map +1 -0
package/dist/hooks/index.d.ts +15 -0
package/dist/hooks/index.d.ts.map +1 -0
package/dist/hooks/index.js +6 -0
package/dist/hooks/index.js.map +1 -0
package/dist/hooks/registry.d.ts +53 -0
package/dist/hooks/registry.d.ts.map +1 -0
package/dist/hooks/registry.js +139 -0
package/dist/hooks/registry.js.map +1 -0
package/dist/hooks/storage.d.ts +43 -0
package/dist/hooks/storage.d.ts.map +1 -0
package/dist/hooks/storage.js +2 -0
package/dist/hooks/storage.js.map +1 -0
package/dist/hooks/types.d.ts +324 -0
package/dist/hooks/types.d.ts.map +1 -0
package/dist/hooks/types.js +2 -0
package/dist/hooks/types.js.map +1 -0
package/dist/index.d.ts +26 -6
package/dist/index.d.ts.map +1 -1
package/dist/index.js +49 -5
package/dist/index.js.map +1 -1
package/dist/locale.d.ts +5 -1
package/dist/locale.d.ts.map +1 -1
package/dist/locale.js +6 -2
package/dist/locale.js.map +1 -1
package/dist/manifest-save.d.ts +255 -0
package/dist/manifest-save.d.ts.map +1 -0
package/dist/manifest-save.js +260 -0
package/dist/manifest-save.js.map +1 -0
package/dist/manifest.d.ts +1 -2
package/dist/manifest.d.ts.map +1 -1
package/dist/manifest.js +43 -44
package/dist/manifest.js.map +1 -1
package/dist/node-floor.d.ts +3 -0
package/dist/node-floor.d.ts.map +1 -0
package/dist/node-floor.js +3 -0
package/dist/node-floor.js.map +1 -0
package/dist/pages/create.d.ts +103 -0
package/dist/pages/create.d.ts.map +1 -0
package/dist/pages/create.js +117 -0
package/dist/pages/create.js.map +1 -0
package/dist/pages/publish.d.ts +59 -0
package/dist/pages/publish.d.ts.map +1 -0
package/dist/pages/publish.js +78 -0
package/dist/pages/publish.js.map +1 -0
package/dist/pages/save.d.ts +97 -0
package/dist/pages/save.d.ts.map +1 -0
package/dist/pages/save.js +138 -0
package/dist/pages/save.js.map +1 -0
package/dist/providers/factories.d.ts +65 -0
package/dist/providers/factories.d.ts.map +1 -0
package/dist/providers/factories.js +189 -0
package/dist/providers/factories.js.map +1 -0
package/dist/publish-item.d.ts +225 -0
package/dist/publish-item.d.ts.map +1 -0
package/dist/publish-item.js +210 -0
package/dist/publish-item.js.map +1 -0
package/dist/publish-rendered.d.ts.map +1 -1
package/dist/publish-rendered.js +75 -6
package/dist/publish-rendered.js.map +1 -1
package/dist/publish-renderers.d.ts +132 -0
package/dist/publish-renderers.d.ts.map +1 -0
package/dist/publish-renderers.js +240 -0
package/dist/publish-renderers.js.map +1 -0
package/dist/publish-run.d.ts +223 -0
package/dist/publish-run.d.ts.map +1 -0
package/dist/publish-run.js +307 -0
package/dist/publish-run.js.map +1 -0
package/dist/publish.d.ts.map +1 -1
package/dist/publish.js +1 -10
package/dist/publish.js.map +1 -1
package/dist/render-for-analysis.d.ts +24 -0
package/dist/render-for-analysis.d.ts.map +1 -0
package/dist/render-for-analysis.js +146 -0
package/dist/render-for-analysis.js.map +1 -0
package/dist/resolver.d.ts.map +1 -1
package/dist/resolver.js +47 -23
package/dist/resolver.js.map +1 -1
package/dist/runtime/archive-marker.d.ts +62 -0
package/dist/runtime/archive-marker.d.ts.map +1 -0
package/dist/runtime/archive-marker.js +88 -0
package/dist/runtime/archive-marker.js.map +1 -0
package/dist/runtime/capability-gap-warnings.d.ts +42 -0
package/dist/runtime/capability-gap-warnings.d.ts.map +1 -0
package/dist/runtime/capability-gap-warnings.js +28 -0
package/dist/runtime/capability-gap-warnings.js.map +1 -0
package/dist/runtime/redirects-emit.d.ts +93 -0
package/dist/runtime/redirects-emit.d.ts.map +1 -0
package/dist/runtime/redirects-emit.js +89 -0
package/dist/runtime/redirects-emit.js.map +1 -0
package/dist/runtime/runtime-capabilities.d.ts +79 -0
package/dist/runtime/runtime-capabilities.d.ts.map +1 -0
package/dist/runtime/runtime-capabilities.js +60 -0
package/dist/runtime/runtime-capabilities.js.map +1 -0
package/dist/save-etag.d.ts +69 -0
package/dist/save-etag.d.ts.map +1 -0
package/dist/save-etag.js +118 -0
package/dist/save-etag.js.map +1 -0
package/dist/site-loader.d.ts +42 -4
package/dist/site-loader.d.ts.map +1 -1
package/dist/site-loader.js +27 -8
package/dist/site-loader.js.map +1 -1
package/dist/targets.d.ts +21 -12
package/dist/targets.d.ts.map +1 -1
package/dist/targets.js +27 -95
package/dist/targets.js.map +1 -1
package/dist/testing/admin-cache-contract.d.ts +52 -0
package/dist/testing/admin-cache-contract.d.ts.map +1 -0
package/dist/testing/admin-cache-contract.js +203 -0
package/dist/testing/admin-cache-contract.js.map +1 -0
package/dist/testing/index.d.ts +11 -0
package/dist/testing/index.d.ts.map +1 -0
package/dist/testing/index.js +11 -0
package/dist/testing/index.js.map +1 -0
package/dist/transforms/factories.d.ts +16 -0
package/dist/transforms/factories.d.ts.map +1 -0
package/dist/transforms/factories.js +18 -0
package/dist/transforms/factories.js.map +1 -0
package/dist/transforms/index.d.ts +10 -17
package/dist/transforms/index.d.ts.map +1 -1
package/dist/transforms/index.js +4 -28
package/dist/transforms/index.js.map +1 -1
package/dist/transforms/sharp.d.ts +15 -1
package/dist/transforms/sharp.d.ts.map +1 -1
package/dist/transforms/sharp.js +34 -20
package/dist/transforms/sharp.js.map +1 -1
package/dist/types.d.ts +379 -52
package/dist/types.d.ts.map +1 -1
package/dist/types.js +20 -1
package/dist/types.js.map +1 -1
package/dist/validation/alt-required-walker.d.ts +27 -0
package/dist/validation/alt-required-walker.d.ts.map +1 -0
package/dist/validation/alt-required-walker.js +108 -0
package/dist/validation/alt-required-walker.js.map +1 -0
package/dist/validation/default-registry.d.ts +12 -0
package/dist/validation/default-registry.d.ts.map +1 -0
package/dist/validation/default-registry.js +55 -0
package/dist/validation/default-registry.js.map +1 -0
package/dist/validation/publish-audit.d.ts +44 -0
package/dist/validation/publish-audit.d.ts.map +1 -0
package/dist/validation/publish-audit.js +64 -0
package/dist/validation/publish-audit.js.map +1 -0
package/dist/validation/registry.d.ts +23 -0
package/dist/validation/registry.d.ts.map +1 -0
package/dist/validation/registry.js +15 -0
package/dist/validation/registry.js.map +1 -0
package/dist/validation/save-delta.d.ts +46 -0
package/dist/validation/save-delta.d.ts.map +1 -0
package/dist/validation/save-delta.js +57 -0
package/dist/validation/save-delta.js.map +1 -0
package/dist/validation/scanner.d.ts +91 -0
package/dist/validation/scanner.d.ts.map +1 -0
package/dist/validation/scanner.js +327 -0
package/dist/validation/scanner.js.map +1 -0
package/dist/validation/template-impact.d.ts +52 -0
package/dist/validation/template-impact.d.ts.map +1 -0
package/dist/validation/template-impact.js +53 -0
package/dist/validation/template-impact.js.map +1 -0
package/dist/validation/types.d.ts +123 -0
package/dist/validation/types.d.ts.map +1 -0
package/dist/validation/types.js +7 -0
package/dist/validation/types.js.map +1 -0
package/dist/validation/validators/accessibility.d.ts +3 -0
package/dist/validation/validators/accessibility.d.ts.map +1 -0
package/dist/validation/validators/accessibility.js +106 -0
package/dist/validation/validators/accessibility.js.map +1 -0
package/dist/validation/validators/aliasof-points-to-archived.d.ts +40 -0
package/dist/validation/validators/aliasof-points-to-archived.d.ts.map +1 -0
package/dist/validation/validators/aliasof-points-to-archived.js +34 -0
package/dist/validation/validators/aliasof-points-to-archived.js.map +1 -0
package/dist/validation/validators/alt-required.d.ts +3 -0
package/dist/validation/validators/alt-required.d.ts.map +1 -0
package/dist/validation/validators/alt-required.js +118 -0
package/dist/validation/validators/alt-required.js.map +1 -0
package/dist/validation/validators/archive-not-supported-on-target.d.ts +3 -0
package/dist/validation/validators/archive-not-supported-on-target.d.ts.map +1 -0
package/dist/validation/validators/archive-not-supported-on-target.js +38 -0
package/dist/validation/validators/archive-not-supported-on-target.js.map +1 -0
package/dist/validation/validators/broken-links.d.ts +3 -0
package/dist/validation/validators/broken-links.d.ts.map +1 -0
package/dist/validation/validators/broken-links.js +190 -0
package/dist/validation/validators/broken-links.js.map +1 -0
package/dist/validation/validators/circular-alias.d.ts +36 -0
package/dist/validation/validators/circular-alias.d.ts.map +1 -0
package/dist/validation/validators/circular-alias.js +63 -0
package/dist/validation/validators/circular-alias.js.map +1 -0
package/dist/validation/validators/circular-fragment.d.ts +15 -0
package/dist/validation/validators/circular-fragment.d.ts.map +1 -0
package/dist/validation/validators/circular-fragment.js +97 -0
package/dist/validation/validators/circular-fragment.js.map +1 -0
package/dist/validation/validators/dangling-alias.d.ts +38 -0
package/dist/validation/validators/dangling-alias.d.ts.map +1 -0
package/dist/validation/validators/dangling-alias.js +31 -0
package/dist/validation/validators/dangling-alias.js.map +1 -0
package/dist/validation/validators/deploy-target-type-supported.d.ts +3 -0
package/dist/validation/validators/deploy-target-type-supported.d.ts.map +1 -0
package/dist/validation/validators/deploy-target-type-supported.js +32 -0
package/dist/validation/validators/deploy-target-type-supported.js.map +1 -0
package/dist/validation/validators/dynamic-route-conflict.d.ts +18 -0
package/dist/validation/validators/dynamic-route-conflict.d.ts.map +1 -0
package/dist/validation/validators/dynamic-route-conflict.js +80 -0
package/dist/validation/validators/dynamic-route-conflict.js.map +1 -0
package/dist/validation/validators/html-validity.d.ts +3 -0
package/dist/validation/validators/html-validity.d.ts.map +1 -0
package/dist/validation/validators/html-validity.js +89 -0
package/dist/validation/validators/html-validity.js.map +1 -0
package/dist/validation/validators/orphaned-locale-file.d.ts +21 -0
package/dist/validation/validators/orphaned-locale-file.d.ts.map +1 -0
package/dist/validation/validators/orphaned-locale-file.js +84 -0
package/dist/validation/validators/orphaned-locale-file.js.map +1 -0
package/dist/validation/validators/referenced-archived-without-alias.d.ts +3 -0
package/dist/validation/validators/referenced-archived-without-alias.d.ts.map +1 -0
package/dist/validation/validators/referenced-archived-without-alias.js +65 -0
package/dist/validation/validators/referenced-archived-without-alias.js.map +1 -0
package/dist/validation/validators/referenced-asset-exists.d.ts +13 -0
package/dist/validation/validators/referenced-asset-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-asset-exists.js +80 -0
package/dist/validation/validators/referenced-asset-exists.js.map +1 -0
package/dist/validation/validators/referenced-fragment-exists.d.ts +9 -0
package/dist/validation/validators/referenced-fragment-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-fragment-exists.js +52 -0
package/dist/validation/validators/referenced-fragment-exists.js.map +1 -0
package/dist/validation/validators/referenced-template-exists.d.ts +10 -0
package/dist/validation/validators/referenced-template-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-template-exists.js +74 -0
package/dist/validation/validators/referenced-template-exists.js.map +1 -0
package/dist/validation/validators/schema-conformance.d.ts +17 -0
package/dist/validation/validators/schema-conformance.d.ts.map +1 -0
package/dist/validation/validators/schema-conformance.js +94 -0
package/dist/validation/validators/schema-conformance.js.map +1 -0
package/dist/validation/validators/target-deploy-coverage.d.ts +3 -0
package/dist/validation/validators/target-deploy-coverage.d.ts.map +1 -0
package/dist/validation/validators/target-deploy-coverage.js +37 -0
package/dist/validation/validators/target-deploy-coverage.js.map +1 -0
package/dist/validation/validators/unused-fragment.d.ts +16 -0
package/dist/validation/validators/unused-fragment.d.ts.map +1 -0
package/dist/validation/validators/unused-fragment.js +86 -0
package/dist/validation/validators/unused-fragment.js.map +1 -0
package/package.json +54 -31
package/admin-dist/assets/index-BO9-CXmW.css +0 -1
package/admin-dist/assets/index-Ufu8zZH_.js +0 -668
package/admin-dist/assets/rolldown-runtime-COnpUsM8.js +0 -1
package/admin-dist/assets/vendor-rjsf-HKBAjOmQ.js +0 -32
package/admin-dist/assets/vendor-tiptap-IyO99U4R.js +0 -142
package/admin-dist/assets/vendor-vue-D3wBSmDf.js +0 -1
package/dist/publish-locale.d.ts +0 -44
package/dist/publish-locale.d.ts.map +0 -1
package/dist/publish-locale.js +0 -103
package/dist/publish-locale.js.map +0 -1

package/dist/auth/config.d.ts ADDED Viewed

@@ -0,0 +1,109 @@
+/**
+ * Zod schema for the `admin.auth` block in `site.config.ts`. This
+ * cut ships only the `none`-mode shape; subsequent cuts add Zod
+ * variants for `forwarded-user`, `cloudflare-access`, etc.
+ *
+ * # Why a discriminated union
+ *
+ * Each trust mode's configuration shape is genuinely different
+ * (`forwarded-user` has `trustedProxyCount`; `cloudflare-access`
+ * has `teamDomain`; `none` has no provider-specific fields). A
+ * discriminated union on `trust:` lets TypeScript narrow per
+ * mode automatically and gives operators IDE autocomplete for the
+ * fields their chosen mode accepts.
+ *
+ * # Defaults
+ *
+ * Operators who don't set `admin.auth` run in `none` mode. The
+ * site-loader treats absent `admin.auth` as `{ trust: 'none' }`.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: schema validation only; doesn't construct providers.
+ *   - OCP: adding a trust mode appends one variant to the union;
+ *     existing variants unchanged.
+ */
+import { z } from 'zod';
+/**
+ * Top-level discriminated union. All v1 trust modes locked.
+ * Future plugin-supplied modes (per design-auth-rbac.md Q1's plugin
+ * promotion trigger) extend the union via the plugin contract — not
+ * by editing this file.
+ */
+export declare const AuthConfigSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    trust: z.ZodLiteral<"none">;
+    roles: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        capabilities: z.ZodReadonly<z.ZodArray<z.ZodString>>;
+    }, z.core.$strict>>>;
+    strict: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>, z.ZodObject<{
+    trust: z.ZodLiteral<"forwarded-user">;
+    trustedProxies: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    allowAnyOrigin: z.ZodOptional<z.ZodBoolean>;
+    roles: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        capabilities: z.ZodReadonly<z.ZodArray<z.ZodString>>;
+    }, z.core.$strict>>>;
+    roleMapping: z.ZodOptional<z.ZodObject<{
+        claim: z.ZodString;
+        map: z.ZodRecord<z.ZodString, z.ZodString>;
+        defaultRole: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    }, z.core.$strict>>;
+    strict: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>, z.ZodObject<{
+    trust: z.ZodLiteral<"cloudflare-access">;
+    teamDomain: z.ZodString;
+    audience: z.ZodOptional<z.ZodString>;
+    roles: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        capabilities: z.ZodReadonly<z.ZodArray<z.ZodString>>;
+    }, z.core.$strict>>>;
+    roleMapping: z.ZodOptional<z.ZodObject<{
+        claim: z.ZodString;
+        map: z.ZodRecord<z.ZodString, z.ZodString>;
+        defaultRole: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    }, z.core.$strict>>;
+    strict: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>, z.ZodObject<{
+    trust: z.ZodLiteral<"azure-easy-auth">;
+    roles: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        capabilities: z.ZodReadonly<z.ZodArray<z.ZodString>>;
+    }, z.core.$strict>>>;
+    roleMapping: z.ZodOptional<z.ZodObject<{
+        claim: z.ZodString;
+        map: z.ZodRecord<z.ZodString, z.ZodString>;
+        defaultRole: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    }, z.core.$strict>>;
+    strict: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>, z.ZodObject<{
+    trust: z.ZodLiteral<"aws-cognito">;
+    region: z.ZodString;
+    audience: z.ZodOptional<z.ZodString>;
+    roles: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        capabilities: z.ZodReadonly<z.ZodArray<z.ZodString>>;
+    }, z.core.$strict>>>;
+    roleMapping: z.ZodOptional<z.ZodObject<{
+        claim: z.ZodString;
+        map: z.ZodRecord<z.ZodString, z.ZodString>;
+        defaultRole: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    }, z.core.$strict>>;
+    strict: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>, z.ZodObject<{
+    trust: z.ZodLiteral<"tailscale">;
+    roles: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        capabilities: z.ZodReadonly<z.ZodArray<z.ZodString>>;
+    }, z.core.$strict>>>;
+    roleMapping: z.ZodOptional<z.ZodObject<{
+        claim: z.ZodString;
+        map: z.ZodRecord<z.ZodString, z.ZodString>;
+        defaultRole: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    }, z.core.$strict>>;
+    strict: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>], "trust">;
+export type AuthConfig = z.infer<typeof AuthConfigSchema>;
+/**
+ * Reserved-prefix check. Future plugin-supplied capabilities use
+ * plugin-scoped prefixes (e.g., `@my-org/...:`); custom roles MUST
+ * NOT redefine reserved built-in prefixes with conflicting
+ * semantics. The role-resolver enforces this at load time.
+ */
+export declare function isReservedPrefix(capability: string): boolean;
+//# sourceMappingURL=config.d.ts.map

package/dist/auth/config.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/auth/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAkLvB;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAO3B,CAAA;AAEF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAM5D"}

package/dist/auth/config.js ADDED Viewed

@@ -0,0 +1,221 @@
+/**
+ * Zod schema for the `admin.auth` block in `site.config.ts`. This
+ * cut ships only the `none`-mode shape; subsequent cuts add Zod
+ * variants for `forwarded-user`, `cloudflare-access`, etc.
+ *
+ * # Why a discriminated union
+ *
+ * Each trust mode's configuration shape is genuinely different
+ * (`forwarded-user` has `trustedProxyCount`; `cloudflare-access`
+ * has `teamDomain`; `none` has no provider-specific fields). A
+ * discriminated union on `trust:` lets TypeScript narrow per
+ * mode automatically and gives operators IDE autocomplete for the
+ * fields their chosen mode accepts.
+ *
+ * # Defaults
+ *
+ * Operators who don't set `admin.auth` run in `none` mode. The
+ * site-loader treats absent `admin.auth` as `{ trust: 'none' }`.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: schema validation only; doesn't construct providers.
+ *   - OCP: adding a trust mode appends one variant to the union;
+ *     existing variants unchanged.
+ */
+import { z } from 'zod';
+import { RESERVED_CAPABILITY_PREFIXES } from './types.js';
+/**
+ * Capability-shape regex. Either a wildcard (`'*'`) or
+ * `<prefix>:<rest>` where `rest` may itself be a wildcard.
+ * Plugin-supplied capabilities use scoped prefixes (e.g.,
+ * `@my-org/search:rebuild-index`); the schema accepts those too.
+ */
+const capabilityRegex = /^(\*|[a-zA-Z@][a-zA-Z0-9@/_-]*:[a-zA-Z*][a-zA-Z0-9_-]*)$/;
+const capabilitySchema = z.string().regex(capabilityRegex, 'Capability must be either "*" or "<prefix>:<rest>"');
+/**
+ * Custom role definition — operator-declared in `site.config.ts`.
+ * Built-in roles (`admin`, `editor`, `viewer`) are predefined and
+ * don't appear here; operators only declare custom roles.
+ */
+const roleSchema = z
+    .object({
+    capabilities: z.array(capabilitySchema).readonly(),
+})
+    .strict();
+const roleMappingSchema = z
+    .object({
+    /** Which JSON claim / header field carries the upstream group list. */
+    claim: z.string(),
+    /** Map from upstream group name to Gazetta role name. */
+    map: z.record(z.string(), z.string()),
+    /** Fallback role when no group matches. `null` denies access. */
+    defaultRole: z.string().nullable().optional(),
+})
+    .strict();
+/**
+ * `none` trust mode — the default. No provider-specific fields.
+ * Operators omitting `admin.auth` entirely fall back to this shape
+ * with all defaults.
+ */
+const noneAuthSchema = z
+    .object({
+    trust: z.literal('none'),
+    /** Custom role declarations (rare in `none` mode but allowed). */
+    roles: z.record(z.string(), roleSchema).optional(),
+    /** Strict mode — invalid roles fail boot vs. log warning. */
+    strict: z.boolean().optional(),
+})
+    .strict();
+/**
+ * `forwarded-user` trust mode — generic reverse-proxy mode. The
+ * upstream layer (oauth2-proxy, Authelia, Caddy with `forward_auth`,
+ * etc.) populates `X-Forwarded-User` and optionally
+ * `X-Forwarded-Email` / `X-Forwarded-Groups`.
+ *
+ * # Header-spoofing protection
+ *
+ * Operators MUST configure source-IP protection per
+ * `design-auth-rbac.md` Q1: either `trustedProxies` (whitelist of
+ * IPs/CIDRs that may set the headers) OR `allowAnyOrigin: true`
+ * (explicit opt-in for dev / private networks).
+ *
+ * Default: fail-closed. Without `trustedProxies` AND without
+ * `allowAnyOrigin`, the provider rejects every request — surfaces
+ * as 401 with a config-hint message. This matches Q4's
+ * "fail-closed" recommendation in the design's "Source-IP whitelist
+ * semantics" open question.
+ */
+const forwardedUserAuthSchema = z
+    .object({
+    trust: z.literal('forwarded-user'),
+    /**
+     * IPs or CIDR blocks that may set the forwarded headers. Each
+     * entry is an IP literal (`192.168.1.10`) or CIDR
+     * (`10.0.0.0/8`, `fd00::/8`). Empty array + missing
+     * `allowAnyOrigin` → all requests rejected.
+     */
+    trustedProxies: z.array(z.string()).optional(),
+    /**
+     * Explicit opt-out of source-IP protection. Use ONLY in dev or
+     * trusted private networks (Tailscale, internal VPNs).
+     * Production deployments behind a public load balancer MUST
+     * use `trustedProxies` instead.
+     */
+    allowAnyOrigin: z.boolean().optional(),
+    roles: z.record(z.string(), roleSchema).optional(),
+    roleMapping: roleMappingSchema.optional(),
+    strict: z.boolean().optional(),
+})
+    .strict()
+    .refine(cfg => cfg.allowAnyOrigin || (cfg.trustedProxies && cfg.trustedProxies.length > 0), {
+    message: 'forwarded-user trust mode requires trustedProxies (IP whitelist) OR allowAnyOrigin: true. Without either, every request is rejected — likely a misconfiguration. Set trustedProxies for production deployments behind a known proxy; set allowAnyOrigin: true only in dev or trusted private networks.',
+    path: ['trustedProxies'],
+});
+/**
+ * `cloudflare-access` trust mode — Cloudflare Zero Trust fronting
+ * the admin. The platform issues a signed JWT in
+ * `Cf-Access-Jwt-Assertion` (or `CF_Authorization` cookie); Gazetta
+ * verifies the signature against Cloudflare's published JWKS.
+ *
+ * # Why no source-IP check
+ *
+ * The signed JWT IS the trust. Source IP would be Cloudflare's edge
+ * regardless of the original client; verifying the signature is the
+ * security boundary.
+ *
+ * # `audience` claim verification
+ *
+ * Optional but strongly recommended. Cloudflare Access tokens carry
+ * an `aud` claim identifying the application; production deployments
+ * SHOULD set this to prevent token replay across other
+ * Access-protected apps in the same team.
+ */
+const cloudflareAccessAuthSchema = z
+    .object({
+    trust: z.literal('cloudflare-access'),
+    /**
+     * Cloudflare Zero Trust team domain (the part before
+     * `.cloudflareaccess.com`). Lowercase alphanumeric + hyphens.
+     */
+    teamDomain: z.string().regex(/^[a-z0-9][a-z0-9-]*$/, 'teamDomain must be lowercase alphanumeric + hyphens'),
+    /** Optional aud claim — recommended for production. */
+    audience: z.string().optional(),
+    roles: z.record(z.string(), roleSchema).optional(),
+    roleMapping: roleMappingSchema.optional(),
+    strict: z.boolean().optional(),
+})
+    .strict();
+/**
+ * `azure-easy-auth` trust mode — Azure App Service Easy Auth.
+ * Trust boundary is the App Service sandbox; Gazetta just decodes
+ * the X-MS-CLIENT-PRINCIPAL header. No provider-specific config
+ * fields — the platform handles auth.
+ */
+const azureEasyAuthSchema = z
+    .object({
+    trust: z.literal('azure-easy-auth'),
+    roles: z.record(z.string(), roleSchema).optional(),
+    roleMapping: roleMappingSchema.optional(),
+    strict: z.boolean().optional(),
+})
+    .strict();
+/**
+ * `aws-cognito` trust mode — AWS ALB + Cognito user pool. JWT
+ * verification against per-region public keys.
+ */
+const awsCognitoAuthSchema = z
+    .object({
+    trust: z.literal('aws-cognito'),
+    /** AWS region (e.g. "us-east-1"). Required for the JWKS URL. */
+    region: z.string().regex(/^[a-z]{2}-[a-z]+-\d+$/, 'region must be an AWS region like "us-east-1"'),
+    /** Optional aud claim — Cognito user-pool app client id. */
+    audience: z.string().optional(),
+    roles: z.record(z.string(), roleSchema).optional(),
+    roleMapping: roleMappingSchema.optional(),
+    strict: z.boolean().optional(),
+})
+    .strict();
+/**
+ * `tailscale` trust mode — Tailscale Funnel / serve. Trust comes
+ * from the tailnet itself (only authenticated members can reach
+ * the listener). No provider-specific config.
+ */
+const tailscaleAuthSchema = z
+    .object({
+    trust: z.literal('tailscale'),
+    roles: z.record(z.string(), roleSchema).optional(),
+    roleMapping: roleMappingSchema.optional(),
+    strict: z.boolean().optional(),
+})
+    .strict();
+/**
+ * Top-level discriminated union. All v1 trust modes locked.
+ * Future plugin-supplied modes (per design-auth-rbac.md Q1's plugin
+ * promotion trigger) extend the union via the plugin contract — not
+ * by editing this file.
+ */
+export const AuthConfigSchema = z.discriminatedUnion('trust', [
+    noneAuthSchema,
+    forwardedUserAuthSchema,
+    cloudflareAccessAuthSchema,
+    azureEasyAuthSchema,
+    awsCognitoAuthSchema,
+    tailscaleAuthSchema,
+]);
+/**
+ * Reserved-prefix check. Future plugin-supplied capabilities use
+ * plugin-scoped prefixes (e.g., `@my-org/...:`); custom roles MUST
+ * NOT redefine reserved built-in prefixes with conflicting
+ * semantics. The role-resolver enforces this at load time.
+ */
+export function isReservedPrefix(capability) {
+    if (capability === '*')
+        return true;
+    const colonIdx = capability.indexOf(':');
+    if (colonIdx <= 0)
+        return false;
+    const prefix = capability.slice(0, colonIdx);
+    return RESERVED_CAPABILITY_PREFIXES.includes(prefix);
+}
+//# sourceMappingURL=config.js.map

package/dist/auth/config.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/auth/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAA;AAEzD;;;;;GAKG;AACH,MAAM,eAAe,GAAG,0DAA0D,CAAA;AAElF,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,eAAe,EAAE,oDAAoD,CAAC,CAAA;AAEhH;;;;GAIG;AACH,MAAM,UAAU,GAAG,CAAC;KACjB,MAAM,CAAC;IACN,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,QAAQ,EAAE;CACnD,CAAC;KACD,MAAM,EAAE,CAAA;AAEX,MAAM,iBAAiB,GAAG,CAAC;KACxB,MAAM,CAAC;IACN,uEAAuE;IACvE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,yDAAyD;IACzD,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;IACrC,iEAAiE;IACjE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CAC9C,CAAC;KACD,MAAM,EAAE,CAAA;AAEX;;;;GAIG;AACH,MAAM,cAAc,GAAG,CAAC;KACrB,MAAM,CAAC;IACN,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IACxB,kEAAkE;IAClE,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE;IAClD,6DAA6D;IAC7D,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC;KACD,MAAM,EAAE,CAAA;AAEX;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,uBAAuB,GAAG,CAAC;KAC9B,MAAM,CAAC;IACN,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;IAClC;;;;;OAKG;IACH,cAAc,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC9C;;;;;OAKG;IACH,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACtC,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE;IAClD,WAAW,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC;KACD,MAAM,EAAE;KACR,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,GAAG,CAAC,cAAc,IAAI,GAAG,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE;IAC1F,OAAO,EACL,wSAAwS;IAC1S,IAAI,EAAE,CAAC,gBAAgB,CAAC;CACzB,CAAC,CAAA;AAEJ;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,0BAA0B,GAAG,CAAC;KACjC,MAAM,CAAC;IACN,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC;IACrC;;;OAGG;IACH,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,sBAAsB,EAAE,qDAAqD,CAAC;IAC3G,uDAAuD;IACvD,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE;IAClD,WAAW,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC;KACD,MAAM,EAAE,CAAA;AAEX;;;;;GAKG;AACH,MAAM,mBAAmB,GAAG,CAAC;KAC1B,MAAM,CAAC;IACN,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC;IACnC,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE;IAClD,WAAW,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC;KACD,MAAM,EAAE,CAAA;AAEX;;;GAGG;AACH,MAAM,oBAAoB,GAAG,CAAC;KAC3B,MAAM,CAAC;IACN,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAC/B,gEAAgE;IAChE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,uBAAuB,EAAE,+CAA+C,CAAC;IAClG,4DAA4D;IAC5D,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE;IAClD,WAAW,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC;KACD,MAAM,EAAE,CAAA;AAEX;;;;GAIG;AACH,MAAM,mBAAmB,GAAG,CAAC;KAC1B,MAAM,CAAC;IACN,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;IAC7B,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE;IAClD,WAAW,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC;KACD,MAAM,EAAE,CAAA;AAEX;;;;;GAKG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,kBAAkB,CAAC,OAAO,EAAE;IAC5D,cAAc;IACd,uBAAuB;IACvB,0BAA0B;IAC1B,mBAAmB;IACnB,oBAAoB;IACpB,mBAAmB;CACpB,CAAC,CAAA;AAIF;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,UAAkB;IACjD,IAAI,UAAU,KAAK,GAAG;QAAE,OAAO,IAAI,CAAA;IACnC,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACxC,IAAI,QAAQ,IAAI,CAAC;QAAE,OAAO,KAAK,CAAA;IAC/B,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAA;IAC5C,OAAQ,4BAAkD,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;AAC7E,CAAC"}

package/dist/auth/errors.d.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * Auth-specific error taxonomy. Distinct from validation errors;
+ * downstream consumers (route handlers, audit recorder) catch these
+ * to map to the right HTTP status and audit outcome.
+ *
+ * # Why a dedicated taxonomy
+ *
+ * Per `design-plugins.md`'s Universal Provider Requirements, every
+ * provider surface has its own error taxonomy. Auth's errors split
+ * along three axes:
+ *
+ *   - Configuration errors (invalid `site.config.ts admin.auth`
+ *     block) — surface at boot, fail closed
+ *   - Authentication errors (the upstream provider couldn't extract
+ *     identity) — surface as 401
+ *   - Authorization errors (principal lacks the required capability)
+ *     — surface as 403
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: error classes own only error identity and HTTP-status
+ *     mapping. They don't carry rendering logic — route handlers
+ *     map to JSON via `error-response.ts`.
+ *   - LSP: every subclass extends `AuthError` so route handlers
+ *     can branch on the base class then narrow by instanceof.
+ */
+/** Base class for all auth-related errors. */
+export declare class AuthError extends Error {
+    readonly name: string;
+    /** HTTP status the route should return. Subclasses override. */
+    readonly httpStatus: number;
+    constructor(message: string);
+}
+/**
+ * Thrown at config-load time when `admin.auth` is malformed (unknown
+ * trust mode, role-mapping references unknown capabilities, etc.).
+ * Admin won't start.
+ */
+export declare class AuthConfigurationError extends AuthError {
+    readonly name = "AuthConfigurationError";
+    readonly httpStatus = 500;
+}
+/**
+ * Thrown when the upstream provider's expected header / claim is
+ * missing, malformed, or fails signature verification. Surfaces as
+ * 401 with `WWW-Authenticate` hint pointing back at the upstream.
+ */
+export declare class AuthenticationError extends AuthError {
+    readonly name = "AuthenticationError";
+    readonly httpStatus = 401;
+}
+/**
+ * Thrown when an authenticated principal lacks the capability the
+ * route requires. Surfaces as 403 with structured body listing
+ * `missing` capabilities and the principal's `role`.
+ */
+export declare class AuthorizationError extends AuthError {
+    readonly name = "AuthorizationError";
+    readonly httpStatus = 403;
+    /**
+     * Capabilities the principal would need to authorize this request.
+     * Surfaced in the 403 body so authenticated users see what they
+     * can't do — per design-auth-rbac.md "Failure mode": existence-
+     * leak risk doesn't justify 404-hide-existence semantics for
+     * already-authenticated users.
+     */
+    readonly missing: ReadonlyArray<string>;
+    /** Principal's role at decision time — surfaced in the 403 body. */
+    readonly role: string;
+    constructor(message: string, missing: ReadonlyArray<string>, role: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/auth/errors.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/auth/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,8CAA8C;AAC9C,qBAAa,SAAU,SAAQ,KAAK;IAClC,SAAkB,IAAI,EAAE,MAAM,CAAc;IAC5C,gEAAgE;IAChE,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAM;gBACrB,OAAO,EAAE,MAAM;CAG5B;AAED;;;;GAIG;AACH,qBAAa,sBAAuB,SAAQ,SAAS;IACnD,SAAkB,IAAI,4BAA2B;IACjD,SAAkB,UAAU,OAAM;CACnC;AAED;;;;GAIG;AACH,qBAAa,mBAAoB,SAAQ,SAAS;IAChD,SAAkB,IAAI,yBAAwB;IAC9C,SAAkB,UAAU,OAAM;CACnC;AAED;;;;GAIG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,SAAkB,IAAI,wBAAuB;IAC7C,SAAkB,UAAU,OAAM;IAClC;;;;;;OAMG;IACH,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;IACvC,oEAAoE;IACpE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;gBACT,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM;CAK1E"}

package/dist/auth/errors.js ADDED Viewed

@@ -0,0 +1,78 @@
+/**
+ * Auth-specific error taxonomy. Distinct from validation errors;
+ * downstream consumers (route handlers, audit recorder) catch these
+ * to map to the right HTTP status and audit outcome.
+ *
+ * # Why a dedicated taxonomy
+ *
+ * Per `design-plugins.md`'s Universal Provider Requirements, every
+ * provider surface has its own error taxonomy. Auth's errors split
+ * along three axes:
+ *
+ *   - Configuration errors (invalid `site.config.ts admin.auth`
+ *     block) — surface at boot, fail closed
+ *   - Authentication errors (the upstream provider couldn't extract
+ *     identity) — surface as 401
+ *   - Authorization errors (principal lacks the required capability)
+ *     — surface as 403
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: error classes own only error identity and HTTP-status
+ *     mapping. They don't carry rendering logic — route handlers
+ *     map to JSON via `error-response.ts`.
+ *   - LSP: every subclass extends `AuthError` so route handlers
+ *     can branch on the base class then narrow by instanceof.
+ */
+/** Base class for all auth-related errors. */
+export class AuthError extends Error {
+    name = 'AuthError';
+    /** HTTP status the route should return. Subclasses override. */
+    httpStatus = 500;
+    constructor(message) {
+        super(message);
+    }
+}
+/**
+ * Thrown at config-load time when `admin.auth` is malformed (unknown
+ * trust mode, role-mapping references unknown capabilities, etc.).
+ * Admin won't start.
+ */
+export class AuthConfigurationError extends AuthError {
+    name = 'AuthConfigurationError';
+    httpStatus = 500;
+}
+/**
+ * Thrown when the upstream provider's expected header / claim is
+ * missing, malformed, or fails signature verification. Surfaces as
+ * 401 with `WWW-Authenticate` hint pointing back at the upstream.
+ */
+export class AuthenticationError extends AuthError {
+    name = 'AuthenticationError';
+    httpStatus = 401;
+}
+/**
+ * Thrown when an authenticated principal lacks the capability the
+ * route requires. Surfaces as 403 with structured body listing
+ * `missing` capabilities and the principal's `role`.
+ */
+export class AuthorizationError extends AuthError {
+    name = 'AuthorizationError';
+    httpStatus = 403;
+    /**
+     * Capabilities the principal would need to authorize this request.
+     * Surfaced in the 403 body so authenticated users see what they
+     * can't do — per design-auth-rbac.md "Failure mode": existence-
+     * leak risk doesn't justify 404-hide-existence semantics for
+     * already-authenticated users.
+     */
+    missing;
+    /** Principal's role at decision time — surfaced in the 403 body. */
+    role;
+    constructor(message, missing, role) {
+        super(message);
+        this.missing = missing;
+        this.role = role;
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/auth/errors.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/auth/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,8CAA8C;AAC9C,MAAM,OAAO,SAAU,SAAQ,KAAK;IAChB,IAAI,GAAW,WAAW,CAAA;IAC5C,gEAAgE;IACvD,UAAU,GAAW,GAAG,CAAA;IACjC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAA;IAChB,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,sBAAuB,SAAQ,SAAS;IACjC,IAAI,GAAG,wBAAwB,CAAA;IAC/B,UAAU,GAAG,GAAG,CAAA;CACnC;AAED;;;;GAIG;AACH,MAAM,OAAO,mBAAoB,SAAQ,SAAS;IAC9B,IAAI,GAAG,qBAAqB,CAAA;IAC5B,UAAU,GAAG,GAAG,CAAA;CACnC;AAED;;;;GAIG;AACH,MAAM,OAAO,kBAAmB,SAAQ,SAAS;IAC7B,IAAI,GAAG,oBAAoB,CAAA;IAC3B,UAAU,GAAG,GAAG,CAAA;IAClC;;;;;;OAMG;IACM,OAAO,CAAuB;IACvC,oEAAoE;IAC3D,IAAI,CAAQ;IACrB,YAAY,OAAe,EAAE,OAA8B,EAAE,IAAY;QACvE,KAAK,CAAC,OAAO,CAAC,CAAA;QACd,IAAI,CAAC,OAAO,GAAG,OAAO,CAAA;QACtB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAA;IAClB,CAAC;CACF"}

package/dist/auth/factory.d.ts ADDED Viewed

@@ -0,0 +1,43 @@
+/**
+ * `AuthIdentityProvider` factory — constructs the right provider
+ * from the typed `admin.auth` block in `site.config.ts`.
+ *
+ * # Why a factory and not direct provider exports
+ *
+ * Operators write `admin.auth: { trust: 'cloudflare-access', teamDomain: 'acme' }`
+ * in `site.config.ts`. The admin-api boot code receives this config
+ * (typed as `AuthConfig`) and needs to dispatch to the right provider
+ * factory. Centralizing the dispatch here keeps the built-in
+ * trust-mode set closed (per `design-auth-rbac.md` Q1) while
+ * leaving the operator-config field type open to any
+ * `AuthIdentityProvider` instance — including those returned by
+ * plugin-supplied factories.
+ *
+ * # Plugin promotion path
+ *
+ * Per ADR-0009 + `design-plugins.md`: external trust modes ship as
+ * npm packages exporting a factory function returning
+ * `AuthIdentityProvider`. The operator imports the factory and
+ * assigns its result to `admin.auth` directly (Pattern A factory-
+ * call-at-field). No runtime register method; no central registry
+ * for plugin-contributed providers — the type system accepts any
+ * conforming instance.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: dispatch only. Doesn't read from disk, doesn't construct
+ *     middleware. Pure function over (config) → AuthIdentityProvider.
+ *   - OCP: adding a trust mode is one new case in the switch + one
+ *     import. Existing cases unchanged.
+ *   - DIP: callers depend on AuthIdentityProvider, not on which
+ *     trust mode the operator picked.
+ */
+import type { AuthIdentityProvider } from './provider.js';
+import type { AuthConfig } from './config.js';
+/**
+ * Build the configured `AuthIdentityProvider`. Returns the
+ * `none`-mode provider when `config` is undefined (the default
+ * when `site.config.ts` has no `admin.auth` block).
+ */
+export declare function buildAuthProvider(config: AuthConfig | undefined): AuthIdentityProvider;
+//# sourceMappingURL=factory.d.ts.map

package/dist/auth/factory.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/auth/factory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAA;AACzD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAS7C;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,UAAU,GAAG,SAAS,GAAG,oBAAoB,CAkCtF"}

package/dist/auth/factory.js ADDED Viewed

@@ -0,0 +1,48 @@
+import { AuthConfigurationError } from './errors.js';
+import { noneAuthProvider } from './providers/none.js';
+import { createForwardedUserAuthProvider } from './providers/forwarded-user.js';
+import { createCloudflareAccessAuthProvider } from './providers/cloudflare-access.js';
+import { createAzureEasyAuthProvider } from './providers/azure-easy-auth.js';
+import { createAwsCognitoAuthProvider } from './providers/aws-cognito.js';
+import { createTailscaleAuthProvider } from './providers/tailscale.js';
+/**
+ * Build the configured `AuthIdentityProvider`. Returns the
+ * `none`-mode provider when `config` is undefined (the default
+ * when `site.config.ts` has no `admin.auth` block).
+ */
+export function buildAuthProvider(config) {
+    if (!config)
+        return noneAuthProvider;
+    switch (config.trust) {
+        case 'none':
+            return noneAuthProvider;
+        case 'forwarded-user':
+            return createForwardedUserAuthProvider({
+                trustedProxies: config.trustedProxies,
+                allowAnyOrigin: config.allowAnyOrigin,
+            });
+        case 'cloudflare-access':
+            return createCloudflareAccessAuthProvider({
+                teamDomain: config.teamDomain,
+                audience: config.audience,
+            });
+        case 'azure-easy-auth':
+            return createAzureEasyAuthProvider({});
+        case 'aws-cognito':
+            return createAwsCognitoAuthProvider({
+                region: config.region,
+                audience: config.audience,
+            });
+        case 'tailscale':
+            return createTailscaleAuthProvider({});
+        default: {
+            // Exhaustive check — the discriminated union should make
+            // this unreachable, but defense-in-depth against an operator
+            // bypassing the schema (e.g., constructing the manifest
+            // programmatically).
+            const exhaustiveCheck = config;
+            throw new AuthConfigurationError(`Unknown trust mode in admin.auth: ${JSON.stringify(exhaustiveCheck)}`);
+        }
+    }
+}
+//# sourceMappingURL=factory.js.map

package/dist/auth/factory.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"factory.js","sourceRoot":"","sources":["../../src/auth/factory.ts"],"names":[],"mappings":"AAoCA,OAAO,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAA;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AACtD,OAAO,EAAE,+BAA+B,EAAE,MAAM,+BAA+B,CAAA;AAC/E,OAAO,EAAE,kCAAkC,EAAE,MAAM,kCAAkC,CAAA;AACrF,OAAO,EAAE,2BAA2B,EAAE,MAAM,gCAAgC,CAAA;AAC5E,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAA;AACzE,OAAO,EAAE,2BAA2B,EAAE,MAAM,0BAA0B,CAAA;AAEtE;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAA8B;IAC9D,IAAI,CAAC,MAAM;QAAE,OAAO,gBAAgB,CAAA;IAEpC,QAAQ,MAAM,CAAC,KAAK,EAAE,CAAC;QACrB,KAAK,MAAM;YACT,OAAO,gBAAgB,CAAA;QACzB,KAAK,gBAAgB;YACnB,OAAO,+BAA+B,CAAC;gBACrC,cAAc,EAAE,MAAM,CAAC,cAAc;gBACrC,cAAc,EAAE,MAAM,CAAC,cAAc;aACtC,CAAC,CAAA;QACJ,KAAK,mBAAmB;YACtB,OAAO,kCAAkC,CAAC;gBACxC,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC,CAAA;QACJ,KAAK,iBAAiB;YACpB,OAAO,2BAA2B,CAAC,EAAE,CAAC,CAAA;QACxC,KAAK,aAAa;YAChB,OAAO,4BAA4B,CAAC;gBAClC,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC,CAAA;QACJ,KAAK,WAAW;YACd,OAAO,2BAA2B,CAAC,EAAE,CAAC,CAAA;QACxC,OAAO,CAAC,CAAC,CAAC;YACR,yDAAyD;YACzD,6DAA6D;YAC7D,wDAAwD;YACxD,qBAAqB;YACrB,MAAM,eAAe,GAAU,MAAM,CAAA;YACrC,MAAM,IAAI,sBAAsB,CAAC,qCAAqC,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,EAAE,CAAC,CAAA;QAC1G,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/auth/index.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Auth + RBAC barrel export. Imports are stable across cuts;
+ * subsequent cuts (forwarded-user, cloudflare-access, etc.) add
+ * exports without breaking the existing surface.
+ */
+export type { AuthRequest, AuthIdentityProvider } from './provider.js';
+export type { Principal, Role, RoleMapping, TrustMode, BuiltInCapability, } from './types.js';
+export { BUILT_IN_ROLES, RESERVED_CAPABILITY_PREFIXES } from './types.js';
+export { AuthError, AuthConfigurationError, AuthenticationError, AuthorizationError } from './errors.js';
+export { AuthConfigSchema, isReservedPrefix, type AuthConfig } from './config.js';
+export { noneAuthProvider, UNKNOWN_ACTOR_ID } from './providers/none.js';
+export { createForwardedUserAuthProvider, type ForwardedUserConfig } from './providers/forwarded-user.js';
+export { createCloudflareAccessAuthProvider, type CloudflareAccessConfig } from './providers/cloudflare-access.js';
+export { createAzureEasyAuthProvider, type AzureEasyAuthConfig } from './providers/azure-easy-auth.js';
+export { createAwsCognitoAuthProvider, type AwsCognitoConfig } from './providers/aws-cognito.js';
+export { createTailscaleAuthProvider, type TailscaleConfig } from './providers/tailscale.js';
+export { ipMatchesAny, parseRule, parseRules, type ParsedRule } from './ip-match.js';
+export { capabilityGrants, expandRole } from './capabilities.js';
+export { resolveRole, validateCustomRoles, type ResolveRoleArgs, type ResolvedRole } from './role-resolver.js';
+export { buildAuthProvider } from './factory.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAA;AACtE,YAAY,EACV,SAAS,EACT,IAAI,EACJ,WAAW,EACX,SAAS,EACT,iBAAiB,GAClB,MAAM,YAAY,CAAA;AACnB,OAAO,EAAE,cAAc,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAA;AACzE,OAAO,EAAE,SAAS,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AACxG,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,KAAK,UAAU,EAAE,MAAM,aAAa,CAAA;AACjF,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AACxE,OAAO,EAAE,+BAA+B,EAAE,KAAK,mBAAmB,EAAE,MAAM,+BAA+B,CAAA;AACzG,OAAO,EAAE,kCAAkC,EAAE,KAAK,sBAAsB,EAAE,MAAM,kCAAkC,CAAA;AAClH,OAAO,EAAE,2BAA2B,EAAE,KAAK,mBAAmB,EAAE,MAAM,gCAAgC,CAAA;AACtG,OAAO,EAAE,4BAA4B,EAAE,KAAK,gBAAgB,EAAE,MAAM,4BAA4B,CAAA;AAChG,OAAO,EAAE,2BAA2B,EAAE,KAAK,eAAe,EAAE,MAAM,0BAA0B,CAAA;AAC5F,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,UAAU,EAAE,MAAM,eAAe,CAAA;AACpF,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAChE,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,KAAK,eAAe,EAAE,KAAK,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAC9G,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA"}

package/dist/auth/index.js ADDED Viewed

@@ -0,0 +1,14 @@
+export { BUILT_IN_ROLES, RESERVED_CAPABILITY_PREFIXES } from './types.js';
+export { AuthError, AuthConfigurationError, AuthenticationError, AuthorizationError } from './errors.js';
+export { AuthConfigSchema, isReservedPrefix } from './config.js';
+export { noneAuthProvider, UNKNOWN_ACTOR_ID } from './providers/none.js';
+export { createForwardedUserAuthProvider } from './providers/forwarded-user.js';
+export { createCloudflareAccessAuthProvider } from './providers/cloudflare-access.js';
+export { createAzureEasyAuthProvider } from './providers/azure-easy-auth.js';
+export { createAwsCognitoAuthProvider } from './providers/aws-cognito.js';
+export { createTailscaleAuthProvider } from './providers/tailscale.js';
+export { ipMatchesAny, parseRule, parseRules } from './ip-match.js';
+export { capabilityGrants, expandRole } from './capabilities.js';
+export { resolveRole, validateCustomRoles } from './role-resolver.js';
+export { buildAuthProvider } from './factory.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,cAAc,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAA;AACzE,OAAO,EAAE,SAAS,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AACxG,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAmB,MAAM,aAAa,CAAA;AACjF,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AACxE,OAAO,EAAE,+BAA+B,EAA4B,MAAM,+BAA+B,CAAA;AACzG,OAAO,EAAE,kCAAkC,EAA+B,MAAM,kCAAkC,CAAA;AAClH,OAAO,EAAE,2BAA2B,EAA4B,MAAM,gCAAgC,CAAA;AACtG,OAAO,EAAE,4BAA4B,EAAyB,MAAM,4BAA4B,CAAA;AAChG,OAAO,EAAE,2BAA2B,EAAwB,MAAM,0BAA0B,CAAA;AAC5F,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAmB,MAAM,eAAe,CAAA;AACpF,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAChE,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAA2C,MAAM,oBAAoB,CAAA;AAC9G,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA"}