npm - gazetta - Versions diffs - 0.7.0 → 0.8.0 - Mend

gazetta 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (738) hide show

package/admin-dist/assets/index-CBeq0rRb.js +693 -0
package/admin-dist/assets/index-Dtg1dTZQ.css +1 -0
package/admin-dist/assets/rolldown-runtime-BYbx6iT9.js +1 -0
package/admin-dist/assets/{vendor-primevue-C0Q_YTCb.js → vendor-primevue-CBGHkaXv.js} +183 -39
package/admin-dist/assets/{vendor-react-BipDVGow.js → vendor-react-BdW_kNCG.js} +2 -2
package/admin-dist/assets/vendor-rjsf-lN2SztQt.js +33 -0
package/admin-dist/assets/vendor-tiptap-C36yDquB.js +141 -0
package/admin-dist/assets/vendor-vue-Bt5uR1VW.js +1 -0
package/admin-dist/assets/workbox-window.prod.es5-DGMtIXHc.js +2 -0
package/admin-dist/index.html +8 -8
package/admin-dist/sw.js +1 -0
package/dist/admin-api/archived-name-conflict.d.ts +31 -0
package/dist/admin-api/archived-name-conflict.d.ts.map +1 -0
package/dist/admin-api/archived-name-conflict.js +226 -0
package/dist/admin-api/archived-name-conflict.js.map +1 -0
package/dist/admin-api/cache-stats-logger.d.ts +83 -0
package/dist/admin-api/cache-stats-logger.d.ts.map +1 -0
package/dist/admin-api/cache-stats-logger.js +59 -0
package/dist/admin-api/cache-stats-logger.js.map +1 -0
package/dist/admin-api/hook-audit-emitter.d.ts +38 -0
package/dist/admin-api/hook-audit-emitter.d.ts.map +1 -0
package/dist/admin-api/hook-audit-emitter.js +21 -0
package/dist/admin-api/hook-audit-emitter.js.map +1 -0
package/dist/admin-api/index.d.ts +84 -0
package/dist/admin-api/index.d.ts.map +1 -1
package/dist/admin-api/index.js +254 -9
package/dist/admin-api/index.js.map +1 -1
package/dist/admin-api/middleware/audit.d.ts +25 -0
package/dist/admin-api/middleware/audit.d.ts.map +1 -0
package/dist/admin-api/middleware/audit.js +65 -0
package/dist/admin-api/middleware/audit.js.map +1 -0
package/dist/admin-api/middleware/capability.d.ts +8 -0
package/dist/admin-api/middleware/capability.d.ts.map +1 -0
package/dist/admin-api/middleware/capability.js +65 -0
package/dist/admin-api/middleware/capability.js.map +1 -0
package/dist/admin-api/middleware/principal.d.ts +18 -0
package/dist/admin-api/middleware/principal.d.ts.map +1 -0
package/dist/admin-api/middleware/principal.js +128 -0
package/dist/admin-api/middleware/principal.js.map +1 -0
package/dist/admin-api/routes/archive-review.d.ts +80 -0
package/dist/admin-api/routes/archive-review.d.ts.map +1 -0
package/dist/admin-api/routes/archive-review.js +70 -0
package/dist/admin-api/routes/archive-review.js.map +1 -0
package/dist/admin-api/routes/archive.d.ts +145 -0
package/dist/admin-api/routes/archive.d.ts.map +1 -0
package/dist/admin-api/routes/archive.js +540 -0
package/dist/admin-api/routes/archive.js.map +1 -0
package/dist/admin-api/routes/assets.d.ts +6 -1
package/dist/admin-api/routes/assets.d.ts.map +1 -1
package/dist/admin-api/routes/assets.js +167 -14
package/dist/admin-api/routes/assets.js.map +1 -1
package/dist/admin-api/routes/audit.d.ts +71 -0
package/dist/admin-api/routes/audit.d.ts.map +1 -0
package/dist/admin-api/routes/audit.js +178 -0
package/dist/admin-api/routes/audit.js.map +1 -0
package/dist/admin-api/routes/compare.d.ts.map +1 -1
package/dist/admin-api/routes/compare.js +3 -2
package/dist/admin-api/routes/compare.js.map +1 -1
package/dist/admin-api/routes/fields.d.ts.map +1 -1
package/dist/admin-api/routes/fields.js +2 -1
package/dist/admin-api/routes/fields.js.map +1 -1
package/dist/admin-api/routes/fragments.d.ts +13 -1
package/dist/admin-api/routes/fragments.d.ts.map +1 -1
package/dist/admin-api/routes/fragments.js +127 -92
package/dist/admin-api/routes/fragments.js.map +1 -1
package/dist/admin-api/routes/health.d.ts +60 -0
package/dist/admin-api/routes/health.d.ts.map +1 -0
package/dist/admin-api/routes/health.js +65 -0
package/dist/admin-api/routes/health.js.map +1 -0
package/dist/admin-api/routes/history.d.ts +2 -1
package/dist/admin-api/routes/history.d.ts.map +1 -1
package/dist/admin-api/routes/history.js +26 -4
package/dist/admin-api/routes/history.js.map +1 -1
package/dist/admin-api/routes/pages.d.ts +20 -1
package/dist/admin-api/routes/pages.d.ts.map +1 -1
package/dist/admin-api/routes/pages.js +157 -117
package/dist/admin-api/routes/pages.js.map +1 -1
package/dist/admin-api/routes/preview.d.ts.map +1 -1
package/dist/admin-api/routes/preview.js +56 -17
package/dist/admin-api/routes/preview.js.map +1 -1
package/dist/admin-api/routes/publish.d.ts +19 -1
package/dist/admin-api/routes/publish.d.ts.map +1 -1
package/dist/admin-api/routes/publish.js +508 -92
package/dist/admin-api/routes/publish.js.map +1 -1
package/dist/admin-api/routes/rename.d.ts +62 -0
package/dist/admin-api/routes/rename.d.ts.map +1 -0
package/dist/admin-api/routes/rename.js +366 -0
package/dist/admin-api/routes/rename.js.map +1 -0
package/dist/admin-api/routes/site.d.ts.map +1 -1
package/dist/admin-api/routes/site.js +6 -18
package/dist/admin-api/routes/site.js.map +1 -1
package/dist/admin-api/routes/system.d.ts +23 -0
package/dist/admin-api/routes/system.d.ts.map +1 -0
package/dist/admin-api/routes/system.js +115 -0
package/dist/admin-api/routes/system.js.map +1 -0
package/dist/admin-api/routes/templates.d.ts +11 -1
package/dist/admin-api/routes/templates.d.ts.map +1 -1
package/dist/admin-api/routes/templates.js +36 -3
package/dist/admin-api/routes/templates.js.map +1 -1
package/dist/admin-api/routes/validation.d.ts +47 -0
package/dist/admin-api/routes/validation.d.ts.map +1 -0
package/dist/admin-api/routes/validation.js +120 -0
package/dist/admin-api/routes/validation.js.map +1 -0
package/dist/admin-api/schemas/archive.d.ts +124 -0
package/dist/admin-api/schemas/archive.d.ts.map +1 -0
package/dist/admin-api/schemas/archive.js +93 -0
package/dist/admin-api/schemas/archive.js.map +1 -0
package/dist/admin-api/schemas/assets.d.ts +16 -0
package/dist/admin-api/schemas/assets.d.ts.map +1 -1
package/dist/admin-api/schemas/assets.js +15 -0
package/dist/admin-api/schemas/assets.js.map +1 -1
package/dist/admin-api/schemas/audit.d.ts +175 -0
package/dist/admin-api/schemas/audit.d.ts.map +1 -0
package/dist/admin-api/schemas/audit.js +91 -0
package/dist/admin-api/schemas/audit.js.map +1 -0
package/dist/admin-api/schemas/error.d.ts +94 -0
package/dist/admin-api/schemas/error.d.ts.map +1 -0
package/dist/admin-api/schemas/error.js +79 -0
package/dist/admin-api/schemas/error.js.map +1 -0
package/dist/admin-api/schemas/fragments.d.ts +2 -0
package/dist/admin-api/schemas/fragments.d.ts.map +1 -1
package/dist/admin-api/schemas/fragments.js +4 -0
package/dist/admin-api/schemas/fragments.js.map +1 -1
package/dist/admin-api/schemas/index.d.ts +8 -0
package/dist/admin-api/schemas/index.d.ts.map +1 -1
package/dist/admin-api/schemas/index.js +8 -0
package/dist/admin-api/schemas/index.js.map +1 -1
package/dist/admin-api/schemas/pages.d.ts +2 -0
package/dist/admin-api/schemas/pages.d.ts.map +1 -1
package/dist/admin-api/schemas/pages.js +11 -0
package/dist/admin-api/schemas/pages.js.map +1 -1
package/dist/admin-api/schemas/rename.d.ts +77 -0
package/dist/admin-api/schemas/rename.d.ts.map +1 -0
package/dist/admin-api/schemas/rename.js +75 -0
package/dist/admin-api/schemas/rename.js.map +1 -0
package/dist/admin-api/schemas/site.d.ts +3 -2
package/dist/admin-api/schemas/site.d.ts.map +1 -1
package/dist/admin-api/schemas/site.js +3 -2
package/dist/admin-api/schemas/site.js.map +1 -1
package/dist/admin-api/schemas/system.d.ts +28 -0
package/dist/admin-api/schemas/system.d.ts.map +1 -0
package/dist/admin-api/schemas/system.js +35 -0
package/dist/admin-api/schemas/system.js.map +1 -0
package/dist/admin-api/schemas/targets.d.ts +55 -0
package/dist/admin-api/schemas/targets.d.ts.map +1 -1
package/dist/admin-api/schemas/targets.js +46 -0
package/dist/admin-api/schemas/targets.js.map +1 -1
package/dist/admin-api/schemas/templates.d.ts +54 -0
package/dist/admin-api/schemas/templates.d.ts.map +1 -1
package/dist/admin-api/schemas/templates.js +21 -0
package/dist/admin-api/schemas/templates.js.map +1 -1
package/dist/admin-api/schemas/validation.d.ts +101 -0
package/dist/admin-api/schemas/validation.d.ts.map +1 -0
package/dist/admin-api/schemas/validation.js +57 -0
package/dist/admin-api/schemas/validation.js.map +1 -0
package/dist/admin-api/source-context.d.ts +66 -10
package/dist/admin-api/source-context.d.ts.map +1 -1
package/dist/admin-api/source-context.js +43 -5
package/dist/admin-api/source-context.js.map +1 -1
package/dist/ai/adapter-scaffold.d.ts +63 -0
package/dist/ai/adapter-scaffold.d.ts.map +1 -0
package/dist/ai/adapter-scaffold.js +89 -0
package/dist/ai/adapter-scaffold.js.map +1 -0
package/dist/ai/compose-prompt.d.ts +50 -0
package/dist/ai/compose-prompt.d.ts.map +1 -0
package/dist/ai/compose-prompt.js +49 -0
package/dist/ai/compose-prompt.js.map +1 -0
package/dist/ai/errors.d.ts +65 -0
package/dist/ai/errors.d.ts.map +1 -0
package/dist/ai/errors.js +59 -0
package/dist/ai/errors.js.map +1 -0
package/dist/ai/index.d.ts +17 -0
package/dist/ai/index.d.ts.map +1 -0
package/dist/ai/index.js +16 -0
package/dist/ai/index.js.map +1 -0
package/dist/ai/provider.d.ts +76 -0
package/dist/ai/provider.d.ts.map +1 -0
package/dist/ai/provider.js +13 -0
package/dist/ai/provider.js.map +1 -0
package/dist/ai/refusal.d.ts +50 -0
package/dist/ai/refusal.d.ts.map +1 -0
package/dist/ai/refusal.js +100 -0
package/dist/ai/refusal.js.map +1 -0
package/dist/ai/vision-prep.d.ts +32 -0
package/dist/ai/vision-prep.d.ts.map +1 -0
package/dist/ai/vision-prep.js +113 -0
package/dist/ai/vision-prep.js.map +1 -0
package/dist/alt/adapter.d.ts +140 -0
package/dist/alt/adapter.d.ts.map +1 -0
package/dist/alt/adapter.js +7 -0
package/dist/alt/adapter.js.map +1 -0
package/dist/alt/anthropic.d.ts +63 -0
package/dist/alt/anthropic.d.ts.map +1 -0
package/dist/alt/anthropic.js +147 -0
package/dist/alt/anthropic.js.map +1 -0
package/dist/alt/config.d.ts +67 -0
package/dist/alt/config.d.ts.map +1 -0
package/dist/alt/config.js +41 -0
package/dist/alt/config.js.map +1 -0
package/dist/alt/factory.d.ts +19 -0
package/dist/alt/factory.d.ts.map +1 -0
package/dist/alt/factory.js +69 -0
package/dist/alt/factory.js.map +1 -0
package/dist/alt/null-adapter.d.ts +3 -0
package/dist/alt/null-adapter.d.ts.map +1 -0
package/dist/alt/null-adapter.js +43 -0
package/dist/alt/null-adapter.js.map +1 -0
package/dist/alt/ollama.d.ts +40 -0
package/dist/alt/ollama.d.ts.map +1 -0
package/dist/alt/ollama.js +139 -0
package/dist/alt/ollama.js.map +1 -0
package/dist/alt/openai.d.ts +46 -0
package/dist/alt/openai.d.ts.map +1 -0
package/dist/alt/openai.js +118 -0
package/dist/alt/openai.js.map +1 -0
package/dist/alt/prompt-policies.d.ts +79 -0
package/dist/alt/prompt-policies.d.ts.map +1 -0
package/dist/alt/prompt-policies.js +67 -0
package/dist/alt/prompt-policies.js.map +1 -0
package/dist/alt/route-handler.d.ts +56 -0
package/dist/alt/route-handler.d.ts.map +1 -0
package/dist/alt/route-handler.js +122 -0
package/dist/alt/route-handler.js.map +1 -0
package/dist/alt/suggester.d.ts +57 -0
package/dist/alt/suggester.d.ts.map +1 -0
package/dist/alt/suggester.js +133 -0
package/dist/alt/suggester.js.map +1 -0
package/dist/app.js +1 -1
package/dist/app.js.map +1 -1
package/dist/archive-aliases.d.ts +79 -0
package/dist/archive-aliases.d.ts.map +1 -0
package/dist/archive-aliases.js +60 -0
package/dist/archive-aliases.js.map +1 -0
package/dist/archive-helpers.d.ts +73 -0
package/dist/archive-helpers.d.ts.map +1 -0
package/dist/archive-helpers.js +94 -0
package/dist/archive-helpers.js.map +1 -0
package/dist/assets/find-refs.d.ts +1 -1
package/dist/assets/find-refs.js +1 -1
package/dist/assets/find-refs.js.map +1 -1
package/dist/assets/rename.js +1 -1
package/dist/assets/rename.js.map +1 -1
package/dist/assets/replace.js +1 -1
package/dist/assets/replace.js.map +1 -1
package/dist/assets/resolve.js +4 -4
package/dist/assets/resolve.js.map +1 -1
package/dist/assets/serve-route.js +2 -2
package/dist/assets/serve-route.js.map +1 -1
package/dist/assets/validate.d.ts +1 -1
package/dist/assets/validate.js +1 -1
package/dist/audit/config.d.ts +75 -0
package/dist/audit/config.d.ts.map +1 -0
package/dist/audit/config.js +91 -0
package/dist/audit/config.js.map +1 -0
package/dist/audit/context.d.ts +98 -0
package/dist/audit/context.d.ts.map +1 -0
package/dist/audit/context.js +51 -0
package/dist/audit/context.js.map +1 -0
package/dist/audit/errors.d.ts +73 -0
package/dist/audit/errors.d.ts.map +1 -0
package/dist/audit/errors.js +78 -0
package/dist/audit/errors.js.map +1 -0
package/dist/audit/index.d.ts +16 -0
package/dist/audit/index.d.ts.map +1 -0
package/dist/audit/index.js +10 -0
package/dist/audit/index.js.map +1 -0
package/dist/audit/provider.d.ts +73 -0
package/dist/audit/provider.d.ts.map +1 -0
package/dist/audit/provider.js +2 -0
package/dist/audit/provider.js.map +1 -0
package/dist/audit/providers/history.d.ts +66 -0
package/dist/audit/providers/history.d.ts.map +1 -0
package/dist/audit/providers/history.js +102 -0
package/dist/audit/providers/history.js.map +1 -0
package/dist/audit/pseudonymize.d.ts +26 -0
package/dist/audit/pseudonymize.d.ts.map +1 -0
package/dist/audit/pseudonymize.js +86 -0
package/dist/audit/pseudonymize.js.map +1 -0
package/dist/audit/recorder.d.ts +102 -0
package/dist/audit/recorder.d.ts.map +1 -0
package/dist/audit/recorder.js +55 -0
package/dist/audit/recorder.js.map +1 -0
package/dist/audit/retention.d.ts +83 -0
package/dist/audit/retention.d.ts.map +1 -0
package/dist/audit/retention.js +142 -0
package/dist/audit/retention.js.map +1 -0
package/dist/audit/source-ip.d.ts +32 -0
package/dist/audit/source-ip.d.ts.map +1 -0
package/dist/audit/source-ip.js +164 -0
package/dist/audit/source-ip.js.map +1 -0
package/dist/audit/types.d.ts +143 -0
package/dist/audit/types.d.ts.map +1 -0
package/dist/audit/types.js +33 -0
package/dist/audit/types.js.map +1 -0
package/dist/audit/user-agent.d.ts +28 -0
package/dist/audit/user-agent.d.ts.map +1 -0
package/dist/audit/user-agent.js +63 -0
package/dist/audit/user-agent.js.map +1 -0
package/dist/auth/capabilities.d.ts +28 -0
package/dist/auth/capabilities.d.ts.map +1 -0
package/dist/auth/capabilities.js +101 -0
package/dist/auth/capabilities.js.map +1 -0
package/dist/auth/config.d.ts +109 -0
package/dist/auth/config.d.ts.map +1 -0
package/dist/auth/config.js +221 -0
package/dist/auth/config.js.map +1 -0
package/dist/auth/errors.d.ts +72 -0
package/dist/auth/errors.d.ts.map +1 -0
package/dist/auth/errors.js +78 -0
package/dist/auth/errors.js.map +1 -0
package/dist/auth/factory.d.ts +43 -0
package/dist/auth/factory.d.ts.map +1 -0
package/dist/auth/factory.js +48 -0
package/dist/auth/factory.js.map +1 -0
package/dist/auth/index.d.ts +21 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/index.js +14 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/ip-match.d.ts +29 -0
package/dist/auth/ip-match.d.ts.map +1 -0
package/dist/auth/ip-match.js +162 -0
package/dist/auth/ip-match.js.map +1 -0
package/dist/auth/provider.d.ts +76 -0
package/dist/auth/provider.d.ts.map +1 -0
package/dist/auth/provider.js +2 -0
package/dist/auth/provider.js.map +1 -0
package/dist/auth/providers/aws-cognito.d.ts +55 -0
package/dist/auth/providers/aws-cognito.d.ts.map +1 -0
package/dist/auth/providers/aws-cognito.js +114 -0
package/dist/auth/providers/aws-cognito.js.map +1 -0
package/dist/auth/providers/azure-easy-auth.d.ts +7 -0
package/dist/auth/providers/azure-easy-auth.d.ts.map +1 -0
package/dist/auth/providers/azure-easy-auth.js +48 -0
package/dist/auth/providers/azure-easy-auth.js.map +1 -0
package/dist/auth/providers/cloudflare-access.d.ts +71 -0
package/dist/auth/providers/cloudflare-access.d.ts.map +1 -0
package/dist/auth/providers/cloudflare-access.js +120 -0
package/dist/auth/providers/cloudflare-access.js.map +1 -0
package/dist/auth/providers/forwarded-user.d.ts +31 -0
package/dist/auth/providers/forwarded-user.d.ts.map +1 -0
package/dist/auth/providers/forwarded-user.js +72 -0
package/dist/auth/providers/forwarded-user.js.map +1 -0
package/dist/auth/providers/none.d.ts +6 -0
package/dist/auth/providers/none.d.ts.map +1 -0
package/dist/auth/providers/none.js +19 -0
package/dist/auth/providers/none.js.map +1 -0
package/dist/auth/providers/tailscale.d.ts +7 -0
package/dist/auth/providers/tailscale.d.ts.map +1 -0
package/dist/auth/providers/tailscale.js +30 -0
package/dist/auth/providers/tailscale.js.map +1 -0
package/dist/auth/role-resolver.d.ts +38 -0
package/dist/auth/role-resolver.d.ts.map +1 -0
package/dist/auth/role-resolver.js +92 -0
package/dist/auth/role-resolver.js.map +1 -0
package/dist/auth/types.d.ts +150 -0
package/dist/auth/types.d.ts.map +1 -0
package/dist/auth/types.js +60 -0
package/dist/auth/types.js.map +1 -0
package/dist/cache/errors.d.ts +41 -0
package/dist/cache/errors.d.ts.map +1 -0
package/dist/cache/errors.js +44 -0
package/dist/cache/errors.js.map +1 -0
package/dist/cache/factories.d.ts +17 -0
package/dist/cache/factories.d.ts.map +1 -0
package/dist/cache/factories.js +17 -0
package/dist/cache/factories.js.map +1 -0
package/dist/cache/keys.d.ts +63 -0
package/dist/cache/keys.d.ts.map +1 -0
package/dist/cache/keys.js +145 -0
package/dist/cache/keys.js.map +1 -0
package/dist/cache/memory.d.ts +51 -0
package/dist/cache/memory.d.ts.map +1 -0
package/dist/cache/memory.js +204 -0
package/dist/cache/memory.js.map +1 -0
package/dist/cache/per-site.d.ts +22 -0
package/dist/cache/per-site.d.ts.map +1 -0
package/dist/cache/per-site.js +114 -0
package/dist/cache/per-site.js.map +1 -0
package/dist/cache/types.d.ts +142 -0
package/dist/cache/types.d.ts.map +1 -0
package/dist/cache/types.js +33 -0
package/dist/cache/types.js.map +1 -0
package/dist/cli/archive.d.ts +44 -0
package/dist/cli/archive.d.ts.map +1 -0
package/dist/cli/archive.js +310 -0
package/dist/cli/archive.js.map +1 -0
package/dist/cli/bootstrap.d.ts +15 -8
package/dist/cli/bootstrap.d.ts.map +1 -1
package/dist/cli/bootstrap.js +59 -23
package/dist/cli/bootstrap.js.map +1 -1
package/dist/cli/dev-template-watcher.d.ts +29 -0
package/dist/cli/dev-template-watcher.d.ts.map +1 -0
package/dist/cli/dev-template-watcher.js +38 -0
package/dist/cli/dev-template-watcher.js.map +1 -0
package/dist/cli/history.d.ts.map +1 -1
package/dist/cli/history.js +5 -3
package/dist/cli/history.js.map +1 -1
package/dist/cli/index.js +712 -395
package/dist/cli/index.js.map +1 -1
package/dist/cli/validate-flags.d.ts +29 -0
package/dist/cli/validate-flags.d.ts.map +1 -0
package/dist/cli/validate-flags.js +49 -0
package/dist/cli/validate-flags.js.map +1 -0
package/dist/compare.d.ts +1 -1
package/dist/compare.d.ts.map +1 -1
package/dist/compare.js +25 -23
package/dist/compare.js.map +1 -1
package/dist/component-ids.d.ts +25 -0
package/dist/component-ids.d.ts.map +1 -0
package/dist/component-ids.js +83 -0
package/dist/component-ids.js.map +1 -0
package/dist/config/define.d.ts +61 -0
package/dist/config/define.d.ts.map +1 -0
package/dist/config/define.js +64 -0
package/dist/config/define.js.map +1 -0
package/dist/config/errors.d.ts +32 -0
package/dist/config/errors.d.ts.map +1 -0
package/dist/config/errors.js +40 -0
package/dist/config/errors.js.map +1 -0
package/dist/config/index.d.ts +13 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +20 -0
package/dist/config/index.js.map +1 -0
package/dist/config/loader.d.ts +105 -0
package/dist/config/loader.d.ts.map +1 -0
package/dist/config/loader.js +265 -0
package/dist/config/loader.js.map +1 -0
package/dist/config/schemas.d.ts +89 -0
package/dist/config/schemas.d.ts.map +1 -0
package/dist/config/schemas.js +172 -0
package/dist/config/schemas.js.map +1 -0
package/dist/config/types.d.ts +32 -0
package/dist/config/types.d.ts.map +1 -0
package/dist/config/types.js +15 -0
package/dist/config/types.js.map +1 -0
package/dist/deploy/cloudflare-workers.d.ts +46 -0
package/dist/deploy/cloudflare-workers.d.ts.map +1 -0
package/dist/deploy/cloudflare-workers.js +213 -0
package/dist/deploy/cloudflare-workers.js.map +1 -0
package/dist/deploy/errors.d.ts +66 -0
package/dist/deploy/errors.d.ts.map +1 -0
package/dist/deploy/errors.js +82 -0
package/dist/deploy/errors.js.map +1 -0
package/dist/deploy/index.d.ts +9 -0
package/dist/deploy/index.d.ts.map +1 -0
package/dist/deploy/index.js +3 -0
package/dist/deploy/index.js.map +1 -0
package/dist/deploy/types.d.ts +162 -0
package/dist/deploy/types.d.ts.map +1 -0
package/dist/deploy/types.js +2 -0
package/dist/deploy/types.js.map +1 -0
package/dist/fragments/create.d.ts +70 -0
package/dist/fragments/create.d.ts.map +1 -0
package/dist/fragments/create.js +93 -0
package/dist/fragments/create.js.map +1 -0
package/dist/fragments/publish.d.ts +37 -0
package/dist/fragments/publish.d.ts.map +1 -0
package/dist/fragments/publish.js +52 -0
package/dist/fragments/publish.js.map +1 -0
package/dist/fragments/save.d.ts +81 -0
package/dist/fragments/save.d.ts.map +1 -0
package/dist/fragments/save.js +105 -0
package/dist/fragments/save.js.map +1 -0
package/dist/history-recorder.d.ts +5 -5
package/dist/history-recorder.d.ts.map +1 -1
package/dist/history-recorder.js +4 -4
package/dist/history-recorder.js.map +1 -1
package/dist/history-restorer.js +2 -2
package/dist/history-restorer.js.map +1 -1
package/dist/history.d.ts +1 -1
package/dist/hooks/audit-emitter.d.ts +73 -0
package/dist/hooks/audit-emitter.d.ts.map +1 -0
package/dist/hooks/audit-emitter.js +13 -0
package/dist/hooks/audit-emitter.js.map +1 -0
package/dist/hooks/context.d.ts +78 -0
package/dist/hooks/context.d.ts.map +1 -0
package/dist/hooks/context.js +56 -0
package/dist/hooks/context.js.map +1 -0
package/dist/hooks/contribution.d.ts +90 -0
package/dist/hooks/contribution.d.ts.map +1 -0
package/dist/hooks/contribution.js +2 -0
package/dist/hooks/contribution.js.map +1 -0
package/dist/hooks/dispatch.d.ts +30 -0
package/dist/hooks/dispatch.d.ts.map +1 -0
package/dist/hooks/dispatch.js +252 -0
package/dist/hooks/dispatch.js.map +1 -0
package/dist/hooks/errors.d.ts +100 -0
package/dist/hooks/errors.d.ts.map +1 -0
package/dist/hooks/errors.js +103 -0
package/dist/hooks/errors.js.map +1 -0
package/dist/hooks/index.d.ts +15 -0
package/dist/hooks/index.d.ts.map +1 -0
package/dist/hooks/index.js +6 -0
package/dist/hooks/index.js.map +1 -0
package/dist/hooks/registry.d.ts +53 -0
package/dist/hooks/registry.d.ts.map +1 -0
package/dist/hooks/registry.js +139 -0
package/dist/hooks/registry.js.map +1 -0
package/dist/hooks/storage.d.ts +43 -0
package/dist/hooks/storage.d.ts.map +1 -0
package/dist/hooks/storage.js +2 -0
package/dist/hooks/storage.js.map +1 -0
package/dist/hooks/types.d.ts +324 -0
package/dist/hooks/types.d.ts.map +1 -0
package/dist/hooks/types.js +2 -0
package/dist/hooks/types.js.map +1 -0
package/dist/index.d.ts +26 -6
package/dist/index.d.ts.map +1 -1
package/dist/index.js +49 -5
package/dist/index.js.map +1 -1
package/dist/locale.d.ts +5 -1
package/dist/locale.d.ts.map +1 -1
package/dist/locale.js +6 -2
package/dist/locale.js.map +1 -1
package/dist/manifest-save.d.ts +255 -0
package/dist/manifest-save.d.ts.map +1 -0
package/dist/manifest-save.js +260 -0
package/dist/manifest-save.js.map +1 -0
package/dist/manifest.d.ts +1 -2
package/dist/manifest.d.ts.map +1 -1
package/dist/manifest.js +43 -44
package/dist/manifest.js.map +1 -1
package/dist/node-floor.d.ts +3 -0
package/dist/node-floor.d.ts.map +1 -0
package/dist/node-floor.js +3 -0
package/dist/node-floor.js.map +1 -0
package/dist/pages/create.d.ts +103 -0
package/dist/pages/create.d.ts.map +1 -0
package/dist/pages/create.js +117 -0
package/dist/pages/create.js.map +1 -0
package/dist/pages/publish.d.ts +59 -0
package/dist/pages/publish.d.ts.map +1 -0
package/dist/pages/publish.js +78 -0
package/dist/pages/publish.js.map +1 -0
package/dist/pages/save.d.ts +97 -0
package/dist/pages/save.d.ts.map +1 -0
package/dist/pages/save.js +138 -0
package/dist/pages/save.js.map +1 -0
package/dist/providers/factories.d.ts +65 -0
package/dist/providers/factories.d.ts.map +1 -0
package/dist/providers/factories.js +189 -0
package/dist/providers/factories.js.map +1 -0
package/dist/publish-item.d.ts +225 -0
package/dist/publish-item.d.ts.map +1 -0
package/dist/publish-item.js +210 -0
package/dist/publish-item.js.map +1 -0
package/dist/publish-rendered.d.ts.map +1 -1
package/dist/publish-rendered.js +75 -6
package/dist/publish-rendered.js.map +1 -1
package/dist/publish-renderers.d.ts +132 -0
package/dist/publish-renderers.d.ts.map +1 -0
package/dist/publish-renderers.js +240 -0
package/dist/publish-renderers.js.map +1 -0
package/dist/publish-run.d.ts +223 -0
package/dist/publish-run.d.ts.map +1 -0
package/dist/publish-run.js +307 -0
package/dist/publish-run.js.map +1 -0
package/dist/publish.d.ts.map +1 -1
package/dist/publish.js +1 -10
package/dist/publish.js.map +1 -1
package/dist/render-for-analysis.d.ts +24 -0
package/dist/render-for-analysis.d.ts.map +1 -0
package/dist/render-for-analysis.js +146 -0
package/dist/render-for-analysis.js.map +1 -0
package/dist/resolver.d.ts.map +1 -1
package/dist/resolver.js +47 -23
package/dist/resolver.js.map +1 -1
package/dist/runtime/archive-marker.d.ts +62 -0
package/dist/runtime/archive-marker.d.ts.map +1 -0
package/dist/runtime/archive-marker.js +88 -0
package/dist/runtime/archive-marker.js.map +1 -0
package/dist/runtime/capability-gap-warnings.d.ts +42 -0
package/dist/runtime/capability-gap-warnings.d.ts.map +1 -0
package/dist/runtime/capability-gap-warnings.js +28 -0
package/dist/runtime/capability-gap-warnings.js.map +1 -0
package/dist/runtime/redirects-emit.d.ts +93 -0
package/dist/runtime/redirects-emit.d.ts.map +1 -0
package/dist/runtime/redirects-emit.js +89 -0
package/dist/runtime/redirects-emit.js.map +1 -0
package/dist/runtime/runtime-capabilities.d.ts +79 -0
package/dist/runtime/runtime-capabilities.d.ts.map +1 -0
package/dist/runtime/runtime-capabilities.js +60 -0
package/dist/runtime/runtime-capabilities.js.map +1 -0
package/dist/save-etag.d.ts +69 -0
package/dist/save-etag.d.ts.map +1 -0
package/dist/save-etag.js +118 -0
package/dist/save-etag.js.map +1 -0
package/dist/site-loader.d.ts +42 -4
package/dist/site-loader.d.ts.map +1 -1
package/dist/site-loader.js +27 -8
package/dist/site-loader.js.map +1 -1
package/dist/targets.d.ts +21 -12
package/dist/targets.d.ts.map +1 -1
package/dist/targets.js +27 -95
package/dist/targets.js.map +1 -1
package/dist/testing/admin-cache-contract.d.ts +52 -0
package/dist/testing/admin-cache-contract.d.ts.map +1 -0
package/dist/testing/admin-cache-contract.js +203 -0
package/dist/testing/admin-cache-contract.js.map +1 -0
package/dist/testing/index.d.ts +11 -0
package/dist/testing/index.d.ts.map +1 -0
package/dist/testing/index.js +11 -0
package/dist/testing/index.js.map +1 -0
package/dist/transforms/factories.d.ts +16 -0
package/dist/transforms/factories.d.ts.map +1 -0
package/dist/transforms/factories.js +18 -0
package/dist/transforms/factories.js.map +1 -0
package/dist/transforms/index.d.ts +10 -17
package/dist/transforms/index.d.ts.map +1 -1
package/dist/transforms/index.js +4 -28
package/dist/transforms/index.js.map +1 -1
package/dist/transforms/sharp.d.ts +15 -1
package/dist/transforms/sharp.d.ts.map +1 -1
package/dist/transforms/sharp.js +34 -20
package/dist/transforms/sharp.js.map +1 -1
package/dist/types.d.ts +379 -52
package/dist/types.d.ts.map +1 -1
package/dist/types.js +20 -1
package/dist/types.js.map +1 -1
package/dist/validation/alt-required-walker.d.ts +27 -0
package/dist/validation/alt-required-walker.d.ts.map +1 -0
package/dist/validation/alt-required-walker.js +108 -0
package/dist/validation/alt-required-walker.js.map +1 -0
package/dist/validation/default-registry.d.ts +12 -0
package/dist/validation/default-registry.d.ts.map +1 -0
package/dist/validation/default-registry.js +55 -0
package/dist/validation/default-registry.js.map +1 -0
package/dist/validation/publish-audit.d.ts +44 -0
package/dist/validation/publish-audit.d.ts.map +1 -0
package/dist/validation/publish-audit.js +64 -0
package/dist/validation/publish-audit.js.map +1 -0
package/dist/validation/registry.d.ts +23 -0
package/dist/validation/registry.d.ts.map +1 -0
package/dist/validation/registry.js +15 -0
package/dist/validation/registry.js.map +1 -0
package/dist/validation/save-delta.d.ts +46 -0
package/dist/validation/save-delta.d.ts.map +1 -0
package/dist/validation/save-delta.js +57 -0
package/dist/validation/save-delta.js.map +1 -0
package/dist/validation/scanner.d.ts +91 -0
package/dist/validation/scanner.d.ts.map +1 -0
package/dist/validation/scanner.js +327 -0
package/dist/validation/scanner.js.map +1 -0
package/dist/validation/template-impact.d.ts +52 -0
package/dist/validation/template-impact.d.ts.map +1 -0
package/dist/validation/template-impact.js +53 -0
package/dist/validation/template-impact.js.map +1 -0
package/dist/validation/types.d.ts +123 -0
package/dist/validation/types.d.ts.map +1 -0
package/dist/validation/types.js +7 -0
package/dist/validation/types.js.map +1 -0
package/dist/validation/validators/accessibility.d.ts +3 -0
package/dist/validation/validators/accessibility.d.ts.map +1 -0
package/dist/validation/validators/accessibility.js +106 -0
package/dist/validation/validators/accessibility.js.map +1 -0
package/dist/validation/validators/aliasof-points-to-archived.d.ts +40 -0
package/dist/validation/validators/aliasof-points-to-archived.d.ts.map +1 -0
package/dist/validation/validators/aliasof-points-to-archived.js +34 -0
package/dist/validation/validators/aliasof-points-to-archived.js.map +1 -0
package/dist/validation/validators/alt-required.d.ts +3 -0
package/dist/validation/validators/alt-required.d.ts.map +1 -0
package/dist/validation/validators/alt-required.js +118 -0
package/dist/validation/validators/alt-required.js.map +1 -0
package/dist/validation/validators/archive-not-supported-on-target.d.ts +3 -0
package/dist/validation/validators/archive-not-supported-on-target.d.ts.map +1 -0
package/dist/validation/validators/archive-not-supported-on-target.js +38 -0
package/dist/validation/validators/archive-not-supported-on-target.js.map +1 -0
package/dist/validation/validators/broken-links.d.ts +3 -0
package/dist/validation/validators/broken-links.d.ts.map +1 -0
package/dist/validation/validators/broken-links.js +190 -0
package/dist/validation/validators/broken-links.js.map +1 -0
package/dist/validation/validators/circular-alias.d.ts +36 -0
package/dist/validation/validators/circular-alias.d.ts.map +1 -0
package/dist/validation/validators/circular-alias.js +63 -0
package/dist/validation/validators/circular-alias.js.map +1 -0
package/dist/validation/validators/circular-fragment.d.ts +15 -0
package/dist/validation/validators/circular-fragment.d.ts.map +1 -0
package/dist/validation/validators/circular-fragment.js +97 -0
package/dist/validation/validators/circular-fragment.js.map +1 -0
package/dist/validation/validators/dangling-alias.d.ts +38 -0
package/dist/validation/validators/dangling-alias.d.ts.map +1 -0
package/dist/validation/validators/dangling-alias.js +31 -0
package/dist/validation/validators/dangling-alias.js.map +1 -0
package/dist/validation/validators/deploy-target-type-supported.d.ts +3 -0
package/dist/validation/validators/deploy-target-type-supported.d.ts.map +1 -0
package/dist/validation/validators/deploy-target-type-supported.js +32 -0
package/dist/validation/validators/deploy-target-type-supported.js.map +1 -0
package/dist/validation/validators/dynamic-route-conflict.d.ts +18 -0
package/dist/validation/validators/dynamic-route-conflict.d.ts.map +1 -0
package/dist/validation/validators/dynamic-route-conflict.js +80 -0
package/dist/validation/validators/dynamic-route-conflict.js.map +1 -0
package/dist/validation/validators/html-validity.d.ts +3 -0
package/dist/validation/validators/html-validity.d.ts.map +1 -0
package/dist/validation/validators/html-validity.js +89 -0
package/dist/validation/validators/html-validity.js.map +1 -0
package/dist/validation/validators/orphaned-locale-file.d.ts +21 -0
package/dist/validation/validators/orphaned-locale-file.d.ts.map +1 -0
package/dist/validation/validators/orphaned-locale-file.js +84 -0
package/dist/validation/validators/orphaned-locale-file.js.map +1 -0
package/dist/validation/validators/referenced-archived-without-alias.d.ts +3 -0
package/dist/validation/validators/referenced-archived-without-alias.d.ts.map +1 -0
package/dist/validation/validators/referenced-archived-without-alias.js +65 -0
package/dist/validation/validators/referenced-archived-without-alias.js.map +1 -0
package/dist/validation/validators/referenced-asset-exists.d.ts +13 -0
package/dist/validation/validators/referenced-asset-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-asset-exists.js +80 -0
package/dist/validation/validators/referenced-asset-exists.js.map +1 -0
package/dist/validation/validators/referenced-fragment-exists.d.ts +9 -0
package/dist/validation/validators/referenced-fragment-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-fragment-exists.js +52 -0
package/dist/validation/validators/referenced-fragment-exists.js.map +1 -0
package/dist/validation/validators/referenced-template-exists.d.ts +10 -0
package/dist/validation/validators/referenced-template-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-template-exists.js +74 -0
package/dist/validation/validators/referenced-template-exists.js.map +1 -0
package/dist/validation/validators/schema-conformance.d.ts +17 -0
package/dist/validation/validators/schema-conformance.d.ts.map +1 -0
package/dist/validation/validators/schema-conformance.js +94 -0
package/dist/validation/validators/schema-conformance.js.map +1 -0
package/dist/validation/validators/target-deploy-coverage.d.ts +3 -0
package/dist/validation/validators/target-deploy-coverage.d.ts.map +1 -0
package/dist/validation/validators/target-deploy-coverage.js +37 -0
package/dist/validation/validators/target-deploy-coverage.js.map +1 -0
package/dist/validation/validators/unused-fragment.d.ts +16 -0
package/dist/validation/validators/unused-fragment.d.ts.map +1 -0
package/dist/validation/validators/unused-fragment.js +86 -0
package/dist/validation/validators/unused-fragment.js.map +1 -0
package/package.json +54 -31
package/admin-dist/assets/index-BO9-CXmW.css +0 -1
package/admin-dist/assets/index-Ufu8zZH_.js +0 -668
package/admin-dist/assets/rolldown-runtime-COnpUsM8.js +0 -1
package/admin-dist/assets/vendor-rjsf-HKBAjOmQ.js +0 -32
package/admin-dist/assets/vendor-tiptap-IyO99U4R.js +0 -142
package/admin-dist/assets/vendor-vue-D3wBSmDf.js +0 -1
package/dist/publish-locale.d.ts +0 -44
package/dist/publish-locale.d.ts.map +0 -1
package/dist/publish-locale.js +0 -103
package/dist/publish-locale.js.map +0 -1

package/dist/auth/ip-match.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * Parsed CIDR rule. Exposed for tests and reuse by other providers
+ * that may want to validate operator-supplied rule strings.
+ */
+export interface ParsedRule {
+    /** Original rule string (for diagnostics). */
+    raw: string;
+    /** Address family — 4 (IPv4) or 6 (IPv6). */
+    family: 4 | 6;
+    /** Network address as bigint (left-aligned for IPv4 to fit IPv6). */
+    network: bigint;
+    /** Number of leading bits that must match. 32 for IPv4-exact; 128 for IPv6-exact. */
+    prefixBits: number;
+}
+/**
+ * Parse a single rule. Throws on malformed input. Operator's
+ * `trustedProxies` array passes through this once at boot; rules
+ * are validated then cached as `ParsedRule[]` for fast per-request
+ * checks.
+ */
+export declare function parseRule(raw: string): ParsedRule;
+/** Build all rules; throws on the first malformed entry with rule context. */
+export declare function parseRules(rawRules: readonly string[]): ParsedRule[];
+/**
+ * Test whether an IP matches any rule. Returns false for unknown
+ * input (empty string, malformed) — fail-closed.
+ */
+export declare function ipMatchesAny(ip: string | undefined, rules: readonly ParsedRule[]): boolean;
+//# sourceMappingURL=ip-match.d.ts.map

package/dist/auth/ip-match.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ip-match.d.ts","sourceRoot":"","sources":["../../src/auth/ip-match.ts"],"names":[],"mappings":"AAoCA;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,8CAA8C;IAC9C,GAAG,EAAE,MAAM,CAAA;IACX,6CAA6C;IAC7C,MAAM,EAAE,CAAC,GAAG,CAAC,CAAA;IACb,qEAAqE;IACrE,OAAO,EAAE,MAAM,CAAA;IACf,qFAAqF;IACrF,UAAU,EAAE,MAAM,CAAA;CACnB;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CA8BjD;AAED,8EAA8E;AAC9E,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,GAAG,UAAU,EAAE,CAEpE;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,EAAE,KAAK,EAAE,SAAS,UAAU,EAAE,GAAG,OAAO,CAiB1F"}

package/dist/auth/ip-match.js ADDED Viewed

@@ -0,0 +1,162 @@
+/**
+ * IP / CIDR membership testing for header-spoofing protection.
+ *
+ * # Why a custom matcher and not a library
+ *
+ * Three reasons:
+ *   - Zero-dep: `net.isIP` ships with Node 22; we only need
+ *     equality + CIDR-prefix checks. A library adds 50KB to a
+ *     small concern.
+ *   - IPv4 + IPv6 mixing: industrial libs (e.g. `ipaddr.js`) handle
+ *     edge cases we don't have (IPv4-mapped IPv6 addresses, etc.).
+ *     For the auth use case the operator-supplied list is small and
+ *     well-understood — they wrote each entry by hand.
+ *   - Multi-instance discipline: the matcher is a pure function over
+ *     `(ip, ruleList)`. No state, no async, no shared mutable cache.
+ *
+ * # Supported syntax
+ *
+ *   - `1.2.3.4` — exact IPv4 match
+ *   - `10.0.0.0/8` — IPv4 CIDR
+ *   - `fe80::1` — exact IPv6 match
+ *   - `fd00::/8` — IPv6 CIDR
+ *
+ * Mixed-family rules are fine; an IPv4 source is checked only
+ * against IPv4 rules, IPv6 against IPv6.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: this module owns IP-vs-rule comparison; doesn't read
+ *     headers, doesn't construct providers.
+ *   - LSP: future provider-specific source-IP needs (e.g.,
+ *     `cloudflare-access` reads `Cf-Connecting-IP`) consume the
+ *     same matcher.
+ */
+import { isIP } from 'node:net';
+/**
+ * Parse a single rule. Throws on malformed input. Operator's
+ * `trustedProxies` array passes through this once at boot; rules
+ * are validated then cached as `ParsedRule[]` for fast per-request
+ * checks.
+ */
+export function parseRule(raw) {
+    const slash = raw.indexOf('/');
+    let addr;
+    let prefix;
+    if (slash >= 0) {
+        addr = raw.slice(0, slash);
+        const prefixStr = raw.slice(slash + 1);
+        prefix = Number.parseInt(prefixStr, 10);
+        if (!Number.isInteger(prefix) || prefix < 0) {
+            throw new Error(`Invalid CIDR prefix in "${raw}": "${prefixStr}" must be a non-negative integer`);
+        }
+    }
+    else {
+        addr = raw;
+        prefix = -1; // sentinel: exact match — set per-family below
+    }
+    const family = isIP(addr);
+    if (family === 0) {
+        throw new Error(`Invalid IP address in "${raw}": "${addr}" is not a valid IPv4 or IPv6 address`);
+    }
+    const maxPrefix = family === 4 ? 32 : 128;
+    if (prefix === -1)
+        prefix = maxPrefix;
+    if (prefix > maxPrefix) {
+        throw new Error(`Invalid CIDR prefix in "${raw}": ${prefix} exceeds max ${maxPrefix} for IPv${family}`);
+    }
+    const fullBits = family === 4 ? ipv4ToBigInt(addr) : ipv6ToBigInt(addr);
+    // Mask off non-prefix bits so the network is canonical (operator
+    // can write 10.1.2.3/8 and we treat it the same as 10.0.0.0/8).
+    const totalBits = family === 4 ? 32 : 128;
+    const network = fullBits & cidrMask(prefix, totalBits);
+    return { raw, family: family, network, prefixBits: prefix };
+}
+/** Build all rules; throws on the first malformed entry with rule context. */
+export function parseRules(rawRules) {
+    return rawRules.map(parseRule);
+}
+/**
+ * Test whether an IP matches any rule. Returns false for unknown
+ * input (empty string, malformed) — fail-closed.
+ */
+export function ipMatchesAny(ip, rules) {
+    if (!ip)
+        return false;
+    const family = isIP(ip);
+    if (family === 0)
+        return false;
+    let value;
+    try {
+        value = family === 4 ? ipv4ToBigInt(ip) : ipv6ToBigInt(ip);
+    }
+    catch {
+        return false;
+    }
+    const totalBits = family === 4 ? 32 : 128;
+    for (const rule of rules) {
+        if (rule.family !== family)
+            continue;
+        const masked = value & cidrMask(rule.prefixBits, totalBits);
+        if (masked === rule.network)
+            return true;
+    }
+    return false;
+}
+// --- Internals ---
+function ipv4ToBigInt(ip) {
+    const parts = ip.split('.');
+    if (parts.length !== 4)
+        throw new Error(`Invalid IPv4: ${ip}`);
+    let n = 0n;
+    for (const part of parts) {
+        const octet = Number.parseInt(part, 10);
+        if (!Number.isInteger(octet) || octet < 0 || octet > 255) {
+            throw new Error(`Invalid IPv4 octet: ${part}`);
+        }
+        n = (n << 8n) | BigInt(octet);
+    }
+    return n;
+}
+function ipv6ToBigInt(ip) {
+    // Handle :: shorthand by expanding to the right number of zero
+    // groups. Doesn't handle IPv4-mapped IPv6 addresses
+    // (e.g. ::ffff:1.2.3.4) — operators with hybrid stacks list
+    // both representations explicitly.
+    const doubleColon = ip.indexOf('::');
+    let groups;
+    if (doubleColon >= 0) {
+        const left = ip.slice(0, doubleColon).split(':').filter(Boolean);
+        const right = ip
+            .slice(doubleColon + 2)
+            .split(':')
+            .filter(Boolean);
+        const fillCount = 8 - left.length - right.length;
+        if (fillCount < 0)
+            throw new Error(`Invalid IPv6: too many groups in ${ip}`);
+        groups = [...left, ...new Array(fillCount).fill('0'), ...right];
+    }
+    else {
+        groups = ip.split(':');
+    }
+    if (groups.length !== 8)
+        throw new Error(`Invalid IPv6: expected 8 groups, got ${groups.length} in ${ip}`);
+    let n = 0n;
+    for (const group of groups) {
+        const value = Number.parseInt(group, 16);
+        if (!Number.isInteger(value) || value < 0 || value > 0xffff) {
+            throw new Error(`Invalid IPv6 group: ${group}`);
+        }
+        n = (n << 16n) | BigInt(value);
+    }
+    return n;
+}
+function cidrMask(prefixBits, totalBits) {
+    if (prefixBits === 0)
+        return 0n;
+    if (prefixBits === totalBits)
+        return (1n << BigInt(totalBits)) - 1n;
+    const ones = (1n << BigInt(prefixBits)) - 1n;
+    return ones << BigInt(totalBits - prefixBits);
+}
+//# sourceMappingURL=ip-match.js.map

package/dist/auth/ip-match.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ip-match.js","sourceRoot":"","sources":["../../src/auth/ip-match.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAA;AAiB/B;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,GAAW;IACnC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC9B,IAAI,IAAY,CAAA;IAChB,IAAI,MAAc,CAAA;IAClB,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;QACf,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAA;QAC1B,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAA;QACtC,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;QACvC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,OAAO,SAAS,kCAAkC,CAAC,CAAA;QACnG,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,GAAG,CAAA;QACV,MAAM,GAAG,CAAC,CAAC,CAAA,CAAC,+CAA+C;IAC7D,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAA;IACzB,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,OAAO,IAAI,uCAAuC,CAAC,CAAA;IAClG,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAA;IACzC,IAAI,MAAM,KAAK,CAAC,CAAC;QAAE,MAAM,GAAG,SAAS,CAAA;IACrC,IAAI,MAAM,GAAG,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,MAAM,MAAM,gBAAgB,SAAS,WAAW,MAAM,EAAE,CAAC,CAAA;IACzG,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,CAAA;IACvE,iEAAiE;IACjE,gEAAgE;IAChE,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAA;IACzC,MAAM,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;IACtD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAe,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,CAAA;AACtE,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,UAAU,CAAC,QAA2B;IACpD,OAAO,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,EAAsB,EAAE,KAA4B;IAC/E,IAAI,CAAC,EAAE;QAAE,OAAO,KAAK,CAAA;IACrB,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,CAAA;IACvB,IAAI,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IAC9B,IAAI,KAAa,CAAA;IACjB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAA;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAA;IACzC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM;YAAE,SAAQ;QACpC,MAAM,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAA;QAC3D,IAAI,MAAM,KAAK,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;IAC1C,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,oBAAoB;AAEpB,SAAS,YAAY,CAAC,EAAU;IAC9B,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC3B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAA;IAC9D,IAAI,CAAC,GAAG,EAAE,CAAA;IACV,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;QACvC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,EAAE,CAAC,CAAA;QAChD,CAAC;QACD,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAA;IAC/B,CAAC;IACD,OAAO,CAAC,CAAA;AACV,CAAC;AAED,SAAS,YAAY,CAAC,EAAU;IAC9B,+DAA+D;IAC/D,oDAAoD;IACpD,4DAA4D;IAC5D,mCAAmC;IACnC,MAAM,WAAW,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;IACpC,IAAI,MAAgB,CAAA;IACpB,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAChE,MAAM,KAAK,GAAG,EAAE;aACb,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC;aACtB,KAAK,CAAC,GAAG,CAAC;aACV,MAAM,CAAC,OAAO,CAAC,CAAA;QAClB,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAA;QAChD,IAAI,SAAS,GAAG,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,EAAE,EAAE,CAAC,CAAA;QAC5E,MAAM,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,KAAK,CAAC,CAAA;IACjE,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACxB,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,MAAM,CAAC,MAAM,OAAO,EAAE,EAAE,CAAC,CAAA;IAC1G,IAAI,CAAC,GAAG,EAAE,CAAA;IACV,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;QACxC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,MAAM,EAAE,CAAC;YAC5D,MAAM,IAAI,KAAK,CAAC,uBAAuB,KAAK,EAAE,CAAC,CAAA;QACjD,CAAC;QACD,CAAC,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAA;IAChC,CAAC;IACD,OAAO,CAAC,CAAA;AACV,CAAC;AAED,SAAS,QAAQ,CAAC,UAAkB,EAAE,SAAiB;IACrD,IAAI,UAAU,KAAK,CAAC;QAAE,OAAO,EAAE,CAAA;IAC/B,IAAI,UAAU,KAAK,SAAS;QAAE,OAAO,CAAC,EAAE,IAAI,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,EAAE,CAAA;IACnE,MAAM,IAAI,GAAG,CAAC,EAAE,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,CAAA;IAC5C,OAAO,IAAI,IAAI,MAAM,CAAC,SAAS,GAAG,UAAU,CAAC,CAAA;AAC/C,CAAC"}

package/dist/auth/provider.d.ts ADDED Viewed

@@ -0,0 +1,76 @@
+/**
+ * `AuthIdentityProvider` — the seam between Gazetta and upstream
+ * authentication.
+ *
+ * # The contract
+ *
+ * Each provider knows how to extract a `Principal` from one trust
+ * mode's request shape. The `extractPrincipal(req)` method is
+ * synchronous-or-async; the auth middleware awaits it and attaches
+ * the result to the Hono request context.
+ *
+ * # Error semantics
+ *
+ *   - Returns `null` when the request has no identity (anonymous,
+ *     no upstream auth applied) — the middleware decides whether to
+ *     reject (401) or grant the `unknown` principal based on the
+ *     trust mode
+ *   - Throws `AuthenticationError` when the identity is corrupt
+ *     (signature verification failed, header malformed)
+ *   - Never throws on transport errors (per Universal Provider
+ *     Requirement #5 — fail-open) — JWKS fetch failures fall back
+ *     to fail-closed reject with a structured log
+ *
+ * # Why a registered factory pattern
+ *
+ * Trust modes are operator-configurable in `site.config.ts`. The
+ * dispatcher reads `admin.auth.trust` and constructs the matching
+ * provider. Plugin promotion (per ADR-0009 + `design-plugins.md`):
+ * external trust modes ship as npm packages exporting a factory
+ * function returning `AuthIdentityProvider`; operators import the
+ * factory and assign the result to `admin.auth` directly. No
+ * runtime register method.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: each provider owns one trust mode's mechanics; doesn't
+ *     read config, doesn't dispatch, doesn't wire middleware.
+ *   - LSP: every provider satisfies the same interface; consumers
+ *     branch only on `provider.trustMode` for diagnostics, never
+ *     for behavior.
+ *   - DIP: middleware depends on this interface, not on concrete
+ *     classes.
+ *   - ISP: interface stays narrow — name + extract function. No
+ *     capability-detection methods every provider must stub out.
+ */
+import type { Principal, TrustMode } from './types.js';
+/**
+ * Minimal request shape the provider needs. We don't depend on Hono
+ * directly here so providers can be unit-tested with synthetic
+ * requests; the middleware adapts the Hono request before calling.
+ */
+export interface AuthRequest {
+    /** Map of header name → value. Header names are lowercased per HTTP convention. */
+    headers: ReadonlyMap<string, string>;
+    /** Source IP after trust-mode-driven extraction. Optional. */
+    sourceIp?: string;
+    /** Method + URL — providers rarely need these, but available. */
+    method?: string;
+    url?: string;
+}
+/**
+ * The provider contract. Trust-mode-specific implementations live
+ * under `auth/providers/`.
+ */
+export interface AuthIdentityProvider {
+    /** Identifies the trust mode this provider implements. */
+    readonly trustMode: TrustMode;
+    /**
+     * Pull identity from the request. Returns `null` when no identity
+     * is present (anonymous request); throws `AuthenticationError` for
+     * corrupted credentials. Configuration errors surface at provider
+     * construction, not here.
+     */
+    extractPrincipal(req: AuthRequest): Promise<Principal | null>;
+}
+//# sourceMappingURL=provider.d.ts.map

package/dist/auth/provider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../src/auth/provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAEtD;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,mFAAmF;IACnF,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IACpC,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,0DAA0D;IAC1D,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAA;IAC7B;;;;;OAKG;IACH,gBAAgB,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAA;CAC9D"}

package/dist/auth/provider.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=provider.js.map

package/dist/auth/provider.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"provider.js","sourceRoot":"","sources":["../../src/auth/provider.ts"],"names":[],"mappings":""}

package/dist/auth/providers/aws-cognito.d.ts ADDED Viewed

@@ -0,0 +1,55 @@
+/**
+ * `aws-cognito` trust mode — AWS Application Load Balancer fronting
+ * the admin with Cognito user pool authentication. ALB injects a
+ * signed JWT in the `x-amzn-oidc-data` header containing the
+ * authenticated user's claims.
+ *
+ * # Why JWT verification (just like cloudflare-access)
+ *
+ * The ALB-issued token is signed with AWS's per-region key. Verifying
+ * the signature is the security contract — without it, anyone behind
+ * the LB or with header-injection access can forge identity.
+ *
+ * # JWKS endpoint shape
+ *
+ * AWS publishes the verification keys at:
+ *
+ *     https://public-keys.auth.elb.{region}.amazonaws.com/{kid}
+ *
+ * Unlike Cloudflare's single-JWKS endpoint, AWS's endpoint is keyed
+ * by the JWT header's `kid`. jose's `createRemoteJWKSet` doesn't fit
+ * this shape; we wire a custom `JWTVerifyGetKey` that fetches the
+ * specific kid. The `jwksFactory` injection point makes this pluggable
+ * for tests.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: same as cloudflare-access — JWT verification only.
+ *   - LSP: same `AuthIdentityProvider` shape.
+ *   - DIP: jwksFactory injection point lets tests run without HTTP.
+ */
+import { type JWTVerifyGetKey } from 'jose';
+import type { AuthIdentityProvider } from '../provider.js';
+export interface AwsCognitoConfig {
+    /**
+     * AWS region the ALB runs in. Required to construct the JWKS URL
+     * (`public-keys.auth.elb.{region}.amazonaws.com`).
+     */
+    region: string;
+    /**
+     * Optional `aud` claim — Cognito user-pool app client id. Setting
+     * this prevents token replay across other Cognito-protected apps
+     * sharing the same user pool.
+     */
+    audience?: string;
+    /** Optional default role until Cut 6's role-resolver wires up. */
+    defaultRole?: string;
+    /**
+     * Internal: factory for the JWKS verifier. Tests inject a stub.
+     * Production builds a fetch-based key resolver per AWS's
+     * keyed-by-kid endpoint shape.
+     */
+    jwksFactory?: (region: string) => JWTVerifyGetKey;
+}
+export declare function createAwsCognitoAuthProvider(config: AwsCognitoConfig): AuthIdentityProvider;
+//# sourceMappingURL=aws-cognito.d.ts.map

package/dist/auth/providers/aws-cognito.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"aws-cognito.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/aws-cognito.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,OAAO,EAA8B,KAAK,eAAe,EAAE,MAAM,MAAM,CAAA;AAEvE,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAIvE,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB;;;;OAIG;IACH,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,eAAe,CAAA;CAClD;AAyDD,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,gBAAgB,GAAG,oBAAoB,CA2C3F"}

package/dist/auth/providers/aws-cognito.js ADDED Viewed

@@ -0,0 +1,114 @@
+/**
+ * `aws-cognito` trust mode — AWS Application Load Balancer fronting
+ * the admin with Cognito user pool authentication. ALB injects a
+ * signed JWT in the `x-amzn-oidc-data` header containing the
+ * authenticated user's claims.
+ *
+ * # Why JWT verification (just like cloudflare-access)
+ *
+ * The ALB-issued token is signed with AWS's per-region key. Verifying
+ * the signature is the security contract — without it, anyone behind
+ * the LB or with header-injection access can forge identity.
+ *
+ * # JWKS endpoint shape
+ *
+ * AWS publishes the verification keys at:
+ *
+ *     https://public-keys.auth.elb.{region}.amazonaws.com/{kid}
+ *
+ * Unlike Cloudflare's single-JWKS endpoint, AWS's endpoint is keyed
+ * by the JWT header's `kid`. jose's `createRemoteJWKSet` doesn't fit
+ * this shape; we wire a custom `JWTVerifyGetKey` that fetches the
+ * specific kid. The `jwksFactory` injection point makes this pluggable
+ * for tests.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: same as cloudflare-access — JWT verification only.
+ *   - LSP: same `AuthIdentityProvider` shape.
+ *   - DIP: jwksFactory injection point lets tests run without HTTP.
+ */
+import { jwtVerify } from 'jose';
+import { AuthenticationError, AuthConfigurationError } from '../errors.js';
+import { expandRole } from '../capabilities.js';
+/**
+ * Default JWKS factory — fetches AWS's per-kid public key. Each
+ * verification call may hit a different kid; the resolver caches
+ * downloaded keys to keep verification fast under steady load.
+ *
+ * Operators may want to override this with a `createRemoteJWKSet`
+ * variant if they front Cognito directly (without ALB) — that's
+ * outside Cut 5's scope; the injection point keeps it open.
+ */
+function defaultJwksFactory(region) {
+    const cache = new Map();
+    return async (header) => {
+        if (!header.kid) {
+            throw new AuthenticationError('AWS Cognito JWT has no kid in header');
+        }
+        const cached = cache.get(header.kid);
+        if (cached)
+            return cached;
+        const url = `https://public-keys.auth.elb.${region}.amazonaws.com/${encodeURIComponent(header.kid)}`;
+        const res = await fetch(url);
+        if (!res.ok) {
+            throw new AuthenticationError(`AWS public-keys endpoint returned ${res.status} for kid ${header.kid}`);
+        }
+        const pem = await res.text();
+        // Defer to Web Crypto's importKey via jose — actually jose
+        // accepts CryptoKey directly. We use Node's crypto subtle to
+        // import the PEM. This works in Node 22+ which has full WebCrypto.
+        const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
+        const key = await subtle.importKey('spki', pemToDer(pem), { name: 'ECDSA', namedCurve: header.alg === 'ES512' ? 'P-521' : 'P-256' }, false, ['verify']);
+        cache.set(header.kid, key);
+        return key;
+    };
+}
+function pemToDer(pem) {
+    const body = pem
+        .replace(/-----BEGIN [^-]+-----/, '')
+        .replace(/-----END [^-]+-----/, '')
+        .replace(/\s+/g, '');
+    const bin = Buffer.from(body, 'base64');
+    return bin.buffer.slice(bin.byteOffset, bin.byteOffset + bin.byteLength);
+}
+export function createAwsCognitoAuthProvider(config) {
+    if (!config.region || config.region.length === 0) {
+        throw new AuthConfigurationError('aws-cognito trust mode requires region (e.g. "us-east-1")');
+    }
+    if (!/^[a-z]{2}-[a-z]+-\d+$/.test(config.region)) {
+        throw new AuthConfigurationError(`Invalid region "${config.region}": expected AWS region format like "us-east-1" or "eu-west-2"`);
+    }
+    const jwks = (config.jwksFactory ?? defaultJwksFactory)(config.region);
+    const defaultRole = config.defaultRole ?? 'editor';
+    return {
+        trustMode: 'aws-cognito',
+        async extractPrincipal(req) {
+            const token = req.headers.get('x-amzn-oidc-data');
+            if (!token)
+                return null;
+            let payload;
+            try {
+                const result = await jwtVerify(token, jwks, {
+                    audience: config.audience,
+                });
+                payload = result.payload;
+            }
+            catch (err) {
+                throw new AuthenticationError(`AWS Cognito JWT verification failed: ${err.message}`);
+            }
+            const id = payload.sub ?? payload.username;
+            if (!id) {
+                throw new AuthenticationError('AWS Cognito JWT has no sub or username claim');
+            }
+            return {
+                id,
+                email: payload.email,
+                role: defaultRole,
+                trustMode: 'aws-cognito',
+                capabilities: expandRole(defaultRole) ?? [],
+            };
+        },
+    };
+}
+//# sourceMappingURL=aws-cognito.js.map

package/dist/auth/providers/aws-cognito.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"aws-cognito.js","sourceRoot":"","sources":["../../../src/auth/providers/aws-cognito.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,OAAO,EAAE,SAAS,EAAyC,MAAM,MAAM,CAAA;AAGvE,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AA+B/C;;;;;;;;GAQG;AACH,SAAS,kBAAkB,CAAC,MAAc;IACxC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAqB,CAAA;IAC1C,OAAO,KAAK,EAAE,MAAsC,EAAE,EAAE;QACtD,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAChB,MAAM,IAAI,mBAAmB,CAAC,sCAAsC,CAAC,CAAA;QACvE,CAAC;QACD,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACpC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAA;QACzB,MAAM,GAAG,GAAG,gCAAgC,MAAM,kBAAkB,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAA;QACpG,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAA;QAC5B,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,mBAAmB,CAAC,qCAAqC,GAAG,CAAC,MAAM,YAAY,MAAM,CAAC,GAAG,EAAE,CAAC,CAAA;QACxG,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;QAC5B,2DAA2D;QAC3D,6DAA6D;QAC7D,mEAAmE;QACnE,MAAM,MAAM,GAAG,CAAC,UAAU,CAAC,MAAM,IAAI,OAAO,CAAC,aAAa,CAAC,CAAC,SAAS,CAAC,CAAC,MAAM,CAAA;QAC7E,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,SAAS,CAChC,MAAM,EACN,QAAQ,CAAC,GAAG,CAAC,EACb,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,GAAG,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,EACzE,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAA;QACD,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC1B,OAAO,GAAG,CAAA;IACZ,CAAC,CAAA;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,IAAI,GAAG,GAAG;SACb,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC;SACpC,OAAO,CAAC,qBAAqB,EAAE,EAAE,CAAC;SAClC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IACtB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;IACvC,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC,UAAU,CAAC,CAAA;AAC1E,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,MAAwB;IACnE,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,sBAAsB,CAAC,2DAA2D,CAAC,CAAA;IAC/F,CAAC;IACD,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,sBAAsB,CAC9B,mBAAmB,MAAM,CAAC,MAAM,+DAA+D,CAChG,CAAA;IACH,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,IAAI,kBAAkB,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACtE,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,QAAQ,CAAA;IAElD,OAAO;QACL,SAAS,EAAE,aAAa;QACxB,KAAK,CAAC,gBAAgB,CAAC,GAAgB;YACrC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACjD,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAA;YAEvB,IAAI,OAAsB,CAAA;YAC1B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAgB,KAAK,EAAE,IAAI,EAAE;oBACzD,QAAQ,EAAE,MAAM,CAAC,QAAQ;iBAC1B,CAAC,CAAA;gBACF,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;YAC1B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,mBAAmB,CAAC,wCAAyC,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;YACjG,CAAC;YAED,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAA;YAC1C,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,IAAI,mBAAmB,CAAC,8CAA8C,CAAC,CAAA;YAC/E,CAAC;YAED,OAAO;gBACL,EAAE;gBACF,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE,aAAa;gBACxB,YAAY,EAAE,UAAU,CAAC,WAAW,CAAC,IAAI,EAAE;aAC5C,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/auth/providers/azure-easy-auth.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { AuthIdentityProvider } from '../provider.js';
+export interface AzureEasyAuthConfig {
+    /** Optional default role until Cut 6's role-resolver wires up. */
+    defaultRole?: string;
+}
+export declare function createAzureEasyAuthProvider(config?: AzureEasyAuthConfig): AuthIdentityProvider;
+//# sourceMappingURL=azure-easy-auth.d.ts.map

package/dist/auth/providers/azure-easy-auth.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"azure-easy-auth.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/azure-easy-auth.ts"],"names":[],"mappings":"AAqDA,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAIvE,MAAM,WAAW,mBAAmB;IAClC,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAeD,wBAAgB,2BAA2B,CAAC,MAAM,GAAE,mBAAwB,GAAG,oBAAoB,CAkDlG"}

package/dist/auth/providers/azure-easy-auth.js ADDED Viewed

@@ -0,0 +1,48 @@
+import { AuthenticationError } from '../errors.js';
+import { expandRole } from '../capabilities.js';
+const NAMEID_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier';
+const EMAIL_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';
+export function createAzureEasyAuthProvider(config = {}) {
+    const defaultRole = config.defaultRole ?? 'editor';
+    return {
+        trustMode: 'azure-easy-auth',
+        async extractPrincipal(req) {
+            const encoded = req.headers.get('x-ms-client-principal');
+            if (!encoded || encoded.length === 0) {
+                // No identity header — anonymous. Easy Auth is configured
+                // to require auth; reaching Gazetta without the header
+                // means the request bypassed the platform (only possible
+                // if the operator misconfigured).
+                return null;
+            }
+            let parsed;
+            try {
+                const json = Buffer.from(encoded, 'base64').toString('utf-8');
+                parsed = JSON.parse(json);
+            }
+            catch (err) {
+                throw new AuthenticationError(`X-MS-CLIENT-PRINCIPAL header is not valid base64-encoded JSON: ${err.message}`);
+            }
+            if (!parsed || typeof parsed !== 'object' || !Array.isArray(parsed.claims)) {
+                throw new AuthenticationError('X-MS-CLIENT-PRINCIPAL is malformed (missing claims array)');
+            }
+            // Prefer X-MS-CLIENT-PRINCIPAL-ID when present (stable id);
+            // fall back to the nameidentifier claim.
+            const idHeader = req.headers.get('x-ms-client-principal-id');
+            const nameIdClaim = parsed.claims.find(c => c.typ === NAMEID_CLAIM)?.val;
+            const id = idHeader ?? nameIdClaim;
+            if (!id) {
+                throw new AuthenticationError('X-MS-CLIENT-PRINCIPAL has no nameidentifier claim and no X-MS-CLIENT-PRINCIPAL-ID');
+            }
+            const email = parsed.claims.find(c => c.typ === EMAIL_CLAIM)?.val;
+            return {
+                id,
+                email,
+                role: defaultRole,
+                trustMode: 'azure-easy-auth',
+                capabilities: expandRole(defaultRole) ?? [],
+            };
+        },
+    };
+}
+//# sourceMappingURL=azure-easy-auth.js.map

package/dist/auth/providers/azure-easy-auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"azure-easy-auth.js","sourceRoot":"","sources":["../../../src/auth/providers/azure-easy-auth.ts"],"names":[],"mappings":"AAsDA,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAA;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAiB/C,MAAM,YAAY,GAAG,sEAAsE,CAAA;AAC3F,MAAM,WAAW,GAAG,oEAAoE,CAAA;AAExF,MAAM,UAAU,2BAA2B,CAAC,SAA8B,EAAE;IAC1E,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,QAAQ,CAAA;IAClD,OAAO;QACL,SAAS,EAAE,iBAAiB;QAC5B,KAAK,CAAC,gBAAgB,CAAC,GAAgB;YACrC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;YACxD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrC,0DAA0D;gBAC1D,uDAAuD;gBACvD,yDAAyD;gBACzD,kCAAkC;gBAClC,OAAO,IAAI,CAAA;YACb,CAAC;YAED,IAAI,MAA4B,CAAA;YAChC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;gBAC7D,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAyB,CAAA;YACnD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,mBAAmB,CAC3B,kEAAmE,GAAa,CAAC,OAAO,EAAE,CAC3F,CAAA;YACH,CAAC;YAED,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC3E,MAAM,IAAI,mBAAmB,CAAC,2DAA2D,CAAC,CAAA;YAC5F,CAAC;YAED,4DAA4D;YAC5D,yCAAyC;YACzC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAA;YAC5D,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,YAAY,CAAC,EAAE,GAAG,CAAA;YACxE,MAAM,EAAE,GAAG,QAAQ,IAAI,WAAW,CAAA;YAClC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,IAAI,mBAAmB,CAC3B,mFAAmF,CACpF,CAAA;YACH,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,WAAW,CAAC,EAAE,GAAG,CAAA;YAEjE,OAAO;gBACL,EAAE;gBACF,KAAK;gBACL,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE,iBAAiB;gBAC5B,YAAY,EAAE,UAAU,CAAC,WAAW,CAAC,IAAI,EAAE;aAC5C,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/auth/providers/cloudflare-access.d.ts ADDED Viewed

@@ -0,0 +1,71 @@
+/**
+ * `cloudflare-access` trust mode — Cloudflare Zero Trust / Access
+ * fronting the admin. The platform issues a signed JWT in the
+ * `Cf-Access-Jwt-Assertion` header (or cookie); Gazetta verifies
+ * the signature against Cloudflare's published JWKS and reads the
+ * subject + email from the verified payload.
+ *
+ * # Why JWT verification, not header trust
+ *
+ * Cloudflare Access's JWT carries a real signature. Anyone behind
+ * the Worker boundary can claim a header value, but only Cloudflare's
+ * private key can produce a valid token. Verifying the signature is
+ * the security contract — without it, this trust mode is no safer
+ * than `forwarded-user` without a whitelist.
+ *
+ * # JWKS endpoint shape
+ *
+ * Cloudflare publishes per-team-domain JWKS at:
+ *
+ *     https://{teamDomain}.cloudflareaccess.com/cdn-cgi/access/certs
+ *
+ * Operators set `teamDomain` in `site.config.ts admin.auth`; the
+ * provider builds the URL and uses `jose`'s `createRemoteJWKSet`
+ * for verification + automatic key rotation.
+ *
+ * # Failure modes
+ *
+ *   - JWT missing / expired / signature invalid → `AuthenticationError`
+ *     (middleware → 401)
+ *   - JWKS endpoint unreachable → `AuthenticationError` (fail-CLOSED
+ *     here, NOT fail-open like Universal Provider Requirement #5
+ *     suggests for transport errors — auth is the security boundary;
+ *     a JWKS outage that fails open would let unsigned tokens
+ *     through)
+ *   - `aud` claim mismatch (when configured) → `AuthenticationError`
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: JWT verification only. Source-IP extraction is not this
+ *     provider's concern (Cloudflare's signed assertion IS the trust;
+ *     the source IP would be Cloudflare's edge anyway).
+ *   - DIP: jose's `createRemoteJWKSet` is the verifier dependency;
+ *     test injects a different verifier via the optional
+ *     `jwksFactory` constructor option for unit tests.
+ */
+import { type JWTVerifyGetKey } from 'jose';
+import type { AuthIdentityProvider } from '../provider.js';
+export interface CloudflareAccessConfig {
+    /**
+     * Cloudflare Zero Trust team domain (the part before
+     * `.cloudflareaccess.com`). Required. Example: `'acme'` for
+     * `https://acme.cloudflareaccess.com`.
+     */
+    teamDomain: string;
+    /**
+     * Optional `aud` claim verification. Cloudflare Access tokens
+     * carry an `aud` claim identifying the application; production
+     * deployments SHOULD set this to prevent token replay across
+     * Access-protected apps in the same team domain.
+     */
+    audience?: string;
+    /** Optional default role until Cut 6's role-resolver wires up. */
+    defaultRole?: string;
+    /**
+     * Internal: factory for the JWKS verifier. Tests inject a stub;
+     * production calls `createRemoteJWKSet`.
+     */
+    jwksFactory?: (jwksUrl: URL) => JWTVerifyGetKey;
+}
+export declare function createCloudflareAccessAuthProvider(config: CloudflareAccessConfig): AuthIdentityProvider;
+//# sourceMappingURL=cloudflare-access.d.ts.map

package/dist/auth/providers/cloudflare-access.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cloudflare-access.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/cloudflare-access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,OAAO,EAAkD,KAAK,eAAe,EAAE,MAAM,MAAM,CAAA;AAE3F,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAIvE,MAAM,WAAW,sBAAsB;IACrC;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAA;IAClB;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB;;;OAGG;IACH,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,KAAK,eAAe,CAAA;CAChD;AAgBD,wBAAgB,kCAAkC,CAAC,MAAM,EAAE,sBAAsB,GAAG,oBAAoB,CA6DvG"}