kavachos 0.0.6 → 0.1.0

package/README.md

@@ -1,69 +1,202 @@
-# kavachos
+<p align="center">
+  <img src="https://kavachos.com/logo.svg" height="64" alt="KavachOS" />
+</p>
 
-Auth OS for AI agents. Identity, permissions, delegation, and audit.
+<h1 align="center">kavachos</h1>
 
-[![npm](https://img.shields.io/npm/v/kavachos)](https://www.npmjs.com/package/kavachos)
-[![license](https://img.shields.io/badge/license-MIT-blue)](https://github.com/kavachos/kavachos/blob/main/LICENSE)
+<p align="center">
+  <strong>The auth OS for AI agents and humans</strong><br />
+  Identity, permissions, delegation, and audit for the agentic era.
+</p>
 
-## Install
+<p align="center">
+  <a href="https://www.npmjs.com/package/kavachos"><img src="https://img.shields.io/npm/v/kavachos?style=flat-square&color=c9a84c" alt="npm" /></a>
+  <a href="https://www.npmjs.com/package/kavachos"><img src="https://img.shields.io/npm/dm/kavachos?style=flat-square&color=c9a84c" alt="downloads" /></a>
+  <a href="https://github.com/kavachos/kavachos/actions"><img src="https://img.shields.io/github/actions/workflow/status/kavachos/kavachos/ci.yml?style=flat-square&label=tests" alt="tests" /></a>
+  <a href="https://github.com/kavachos/kavachos/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue?style=flat-square" alt="MIT" /></a>
+  <a href="https://www.typescriptlang.org/"><img src="https://img.shields.io/badge/TypeScript-strict-blue?style=flat-square" alt="TypeScript" /></a>
+  <a href="https://docs.kavachos.com"><img src="https://img.shields.io/badge/docs-kavachos.com-c9a84c?style=flat-square" alt="docs" /></a>
+</p>
 
-```bash
+<p align="center">
+  <a href="https://docs.kavachos.com/docs/quickstart">Quickstart</a> &middot;
+  <a href="https://docs.kavachos.com/docs">Documentation</a> &middot;
+  <a href="https://github.com/kavachos/kavachos/tree/main/examples">Examples</a> &middot;
+  <a href="https://app.kavachos.com">KavachOS Cloud</a>
+</p>
+
+---
+
+## Why kavachos?
+
+Every auth library handles human login. None of them handle **AI agent identity**. KavachOS gives every agent its own bearer token, scoped permissions, delegation chains, and an immutable audit trail. Plus full human auth (14 methods, 27+ OAuth providers, passkeys, SSO) so you don't need two auth systems.
+
+```
 npm install kavachos
-# or
-pnpm add kavachos
 ```
 
 ## Quick start
 
 ```typescript
-import { createKavach } from 'kavachos';
+import { createKavach } from "kavachos";
+import { emailPassword } from "kavachos/auth";
 
 const kavach = createKavach({
-  database: { provider: 'sqlite', url: 'kavach.db' },
+  database: { provider: "sqlite", url: "kavach.db" },
+  plugins: [emailPassword()],
 });
 
-// Create an agent with scoped permissions
+// Create an AI agent with scoped permissions
 const agent = await kavach.agent.create({
-  ownerId: 'user-123',
-  name: 'github-reader',
-  type: 'autonomous',
+  ownerId: "user-123",
+  name: "github-reader",
+  type: "autonomous",
   permissions: [
-    { resource: 'mcp:github:*', actions: ['read'] },
-    {
-      resource: 'mcp:deploy:production',
-      actions: ['execute'],
-      constraints: { requireApproval: true },
-    },
+    { resource: "mcp:github:*", actions: ["read"] },
+    { resource: "mcp:deploy:production", actions: ["execute"],
+      constraints: { requireApproval: true } },
   ],
 });
 
-// Authorize an action
+// Authorize and audit (< 1ms)
 const result = await kavach.authorize(agent.id, {
-  action: 'read',
-  resource: 'mcp:github:repos',
+  action: "read",
+  resource: "mcp:github:repos",
 });
-// { allowed: true, auditId: 'aud_...' }
+// { allowed: true, auditId: "aud_..." }
+```
+
+## Features
+
+<table>
+<tr>
+<td width="50%">
+
+### Agent identity
+- Cryptographic bearer tokens (`kv_...`)
+- Wildcard permission matching (`mcp:github:*`)
+- Delegation chains with depth limits
+- Immutable audit trail
+- Trust scoring and anomaly detection
+- Budget policies and cost attribution
+- CIBA-style human approval flows
+
+</td>
+<td width="50%">
+
+### Human auth (14 methods)
+- Email + password
+- Magic link, email OTP
+- Passkey / WebAuthn
+- TOTP 2FA
+- Phone SMS
+- Google One-tap
+- Sign In With Ethereum
+- Anonymous auth
+- Session freshness enforcement
+
+</td>
+</tr>
+<tr>
+<td>
+
+### OAuth (27+ providers)
+Google, GitHub, Apple, Microsoft, Discord, Slack, GitLab, LinkedIn, Twitter/X, Facebook, Spotify, Twitch, Reddit, Notion, plus a generic OIDC factory for any provider.
+
+</td>
+<td>
+
+### MCP OAuth 2.1
+Spec-compliant authorization server for Model Context Protocol. PKCE S256, RFC 9728 / 8707 / 8414 / 7591.
+
+</td>
+</tr>
+<tr>
+<td>
+
+### Enterprise
+Organizations + RBAC, SAML SSO, SCIM directory sync, admin controls, API key management, multi-tenant isolation, GDPR compliance.
+
+</td>
+<td>
+
+### Edge compatible
+Runs on Cloudflare Workers (D1), Deno, Bun, and Node.js. Only 3 runtime deps: `drizzle-orm`, `jose`, `zod`.
 
-// Query the audit trail
-const logs = await kavach.audit.query({ agentId: agent.id });
+</td>
+</tr>
+</table>
+
+### Security
+
+Rate limiting (per-agent and per-IP) &middot; HIBP breach checking &middot; CSRF protection &middot; httpOnly secure cookies &middot; Email enumeration prevention &middot; Trusted device windows &middot; Password reset with signed tokens
+
+## Framework adapters
+
+Works with every major framework:
+
+| Framework | Package | Framework | Package |
+|-----------|---------|-----------|---------|
+| **Hono** | `@kavachos/hono` | **Nuxt** | `@kavachos/nuxt` |
+| **Express** | `@kavachos/express` | **SvelteKit** | `@kavachos/sveltekit` |
+| **Next.js** | `@kavachos/nextjs` | **Astro** | `@kavachos/astro` |
+| **Fastify** | `@kavachos/fastify` | **NestJS** | `@kavachos/nestjs` |
+
+## Client libraries
+
+| Package | What |
+|---------|------|
+| `@kavachos/react` | KavachProvider + hooks |
+| `@kavachos/vue` | Vue 3 plugin + composables |
+| `@kavachos/svelte` | Svelte stores |
+| `@kavachos/ui` | 7 pre-built auth components (SignIn, SignUp, UserButton...) |
+| `@kavachos/expo` | React Native / Expo |
+| `@kavachos/electron` | Electron desktop |
+| `@kavachos/client` | Zero-dep TypeScript REST client |
+
+## Databases
+
+SQLite, PostgreSQL, MySQL, Cloudflare D1, libSQL (Turso). Tables are auto-created on first run.
+
+```typescript
+// Cloudflare Workers + D1
+createKavach({ database: { provider: "d1", binding: env.KAVACH_DB } });
+
+// PostgreSQL
+createKavach({ database: { provider: "postgres", url: process.env.DATABASE_URL } });
+```
+
+## Plugins
+
+Auth methods are plugins. Enable what you need:
+
+```typescript
+import {
+  emailPassword, magicLink, passkey, totp,
+  organizations, sso, admin, apiKeys, webhooks,
+} from "kavachos/auth";
+
+createKavach({
+  database: { provider: "sqlite", url: "kavach.db" },
+  plugins: [emailPassword(), magicLink({ sendMagicLink }), passkey(), totp()],
+});
 ```
 
-## What's included
+## KavachOS Cloud
 
-- **Agent identity** - create, scope, revoke, and rotate agent credentials. Each agent gets an opaque bearer token (`kv_...`) and a permanent audit identity.
-- **Permission engine** - resource-based access control with colon-separated hierarchies (`mcp:github:*`) and wildcard matching. Constraints support rate limits, time windows, and human-in-the-loop approval gates.
-- **Delegation chains** - an orchestrator can delegate a subset of its permissions to a sub-agent, with depth limits and expiry. Chains are auditable and revocable at any point.
-- **Audit trail** - every authorization decision is written to an immutable log. Export as JSON or CSV for EU AI Act Article 12, SOC 2 CC6.1-CC7.2, and ISO 42001 compliance.
-- **MCP OAuth 2.1** - spec-compliant authorization server for the Model Context Protocol, with PKCE (S256), Protected Resource Metadata (RFC 9728), and Resource Indicators (RFC 8707).
+Don't want to self-host? [KavachOS Cloud](https://app.kavachos.com) is the managed version with dashboard, billing, and zero infrastructure.
 
-## Full docs
+| | Free | Starter | Growth | Scale |
+|---|---|---|---|---|
+| MAU | 1,000 | 10,000 | 50,000 | 200,000 |
+| Price | $0 | $29/mo | $79/mo | $199/mo |
 
-[kavachos.com/docs](https://kavachos.com/docs)
+[Start free](https://app.kavachos.com/sign-up) &middot; [Compare plans](https://kavachos.com/pricing) &middot; [Self-host instead](https://docs.kavachos.com/docs/quickstart)
 
-## Source
+## Documentation
 
-[github.com/kavachos/kavachos](https://github.com/kavachos/kavachos)
+Full docs at **[docs.kavachos.com](https://docs.kavachos.com/docs)**
 
 ## License
 
-MIT
+[MIT](https://github.com/kavachos/kavachos/blob/main/LICENSE)

package/dist/a2a/index.d.ts

@@ -1,8 +1,9 @@
 import * as jose from 'jose';
-import { A as AgentIdentity } from '../types-W8X0PXE7.js';
+import { A as AgentIdentity } from '../types-6D7iJvGD.js';
 import { z } from 'zod';
 import { R as Result } from '../types-BuHrZcjE.js';
 import 'drizzle-orm/sqlite-core';
+import '../redirect/index.js';
 
 /**
  * A2A (Agent-to-Agent) protocol types for KavachOS.

package/dist/agent/index.d.ts

@@ -1,8 +1,9 @@
-import { D as Database, C as CreateAgentInput, A as AgentIdentity, h as AgentFilter, U as UpdateAgentInput } from '../types-W8X0PXE7.js';
-export { Z as AgentConfig } from '../types-W8X0PXE7.js';
+import { D as Database, C as CreateAgentInput, A as AgentIdentity, h as AgentFilter, U as UpdateAgentInput } from '../types-6D7iJvGD.js';
+export { Y as AgentConfig } from '../types-6D7iJvGD.js';
 import 'drizzle-orm/sqlite-core';
 import '../types-BuHrZcjE.js';
 import 'zod';
+import '../redirect/index.js';
 
 interface AgentModuleConfig {
     db: Database;

package/dist/audit/index.d.ts

@@ -1,7 +1,8 @@
-import { D as Database, k as AuditFilter, l as AuditEntry, m as AuditExportOptions } from '../types-W8X0PXE7.js';
+import { D as Database, k as AuditFilter, l as AuditEntry, m as AuditExportOptions } from '../types-6D7iJvGD.js';
 import 'drizzle-orm/sqlite-core';
 import '../types-BuHrZcjE.js';
 import 'zod';
+import '../redirect/index.js';
 
 interface AuditModuleConfig {
     db: Database;

package/dist/auth/index.d.ts

@@ -1,9 +1,10 @@
 import { z } from 'zod';
-import { a2 as AuthAdapter, o as ResolvedUser, L as KavachPlugin, D as Database, X as AdminConfig, p as SessionManager, $ as ApiKeyManagerConfig, a7 as EmailOtpConfig, P as Permission, ab as MagicLinkConfig, ag as OrgConfig, al as PasskeyConfig, I as PluginEndpoint, aF as TotpConfig } from '../types-W8X0PXE7.js';
-export { u as AdminModule, Y as AdminUser, _ as ApiKey, v as ApiKeyManagerModule, a3 as CaptchaConfig, G as CaptchaModule, a4 as CaptchaVerifyResult, a5 as CreateTokenInput, E as EmailOtpModule, a8 as EmailVerificationConfig, y as EmailVerificationModule, r as MagicLinkModule, ad as OidcProvider, ae as OneTimeTokenConfig, z as OneTimeTokenModule, af as OneTimeTokenPurpose, ah as OrgInvitation, ai as OrgMember, O as OrgModule, aj as OrgRole, ak as Organization, am as PasskeyCredential, s as PasskeyModule, an as PasswordResetConfig, x as PasswordResetModule, ap as PhoneAuthConfig, F as PhoneAuthModule, av as RevokeTokensResult, aw as SSO_ERROR, ax as SamlProvider, aA as SsoAuditEvent, aB as SsoConfig, aC as SsoConnection, aD as SsoError, t as SsoModule, T as TotpModule, aG as TotpSetup, aH as UsernameAuthConfig, w as UsernameAuthModule, aI as ValidateTokenResult, bv as WebhookConfig, bw as WebhookEvent, W as WebhookModule, aS as createAdminModule, aT as createApiKeyManagerModule, aV as createCaptchaModule, aY as createEmailOtpModule, aZ as createEmailVerificationModule, a_ as createMagicLinkModule, a$ as createOneTimeTokenModule, b0 as createOrgModule, b1 as createPasskeyModule, b2 as createPasswordResetModule, b3 as createPhoneAuthModule, b7 as createSsoModule, b8 as createTotpModule, b9 as createUsernameAuthModule, bx as createWebhookModule } from '../types-W8X0PXE7.js';
+import { a1 as AuthAdapter, o as ResolvedUser, J as KavachPlugin, D as Database, Q as AdminConfig, p as SessionManager, _ as ApiKeyManagerConfig, a6 as EmailOtpConfig, P as Permission, aa as MagicLinkConfig, af as OrgConfig, ak as PasskeyConfig, H as PluginEndpoint, aB as TotpConfig } from '../types-6D7iJvGD.js';
+export { u as AdminModule, X as AdminUser, Z as ApiKey, v as ApiKeyManagerModule, a2 as CaptchaConfig, G as CaptchaModule, a3 as CaptchaVerifyResult, a4 as CreateTokenInput, E as EmailOtpModule, a7 as EmailVerificationConfig, y as EmailVerificationModule, r as MagicLinkModule, ac as OidcProvider, ad as OneTimeTokenConfig, z as OneTimeTokenModule, ae as OneTimeTokenPurpose, ag as OrgInvitation, ah as OrgMember, O as OrgModule, ai as OrgRole, aj as Organization, al as PasskeyCredential, s as PasskeyModule, am as PasswordResetConfig, x as PasswordResetModule, ao as PhoneAuthConfig, F as PhoneAuthModule, ar as RevokeTokensResult, as as SSO_ERROR, at as SamlProvider, aw as SsoAuditEvent, ax as SsoConfig, ay as SsoConnection, az as SsoError, t as SsoModule, T as TotpModule, aC as TotpSetup, aD as UsernameAuthConfig, w as UsernameAuthModule, aE as ValidateTokenResult, bq as WebhookConfig, br as WebhookEvent, W as WebhookModule, aO as createAdminModule, aP as createApiKeyManagerModule, aR as createCaptchaModule, aU as createEmailOtpModule, aV as createEmailVerificationModule, aW as createMagicLinkModule, aX as createOneTimeTokenModule, aY as createOrgModule, aZ as createPasskeyModule, a_ as createPasswordResetModule, a$ as createPhoneAuthModule, b2 as createSsoModule, b3 as createTotpModule, b4 as createUsernameAuthModule, bs as createWebhookModule } from '../types-6D7iJvGD.js';
 import { R as Result } from '../types-BuHrZcjE.js';
 import * as jose from 'jose';
 import 'drizzle-orm/sqlite-core';
+import '../redirect/index.js';
 
 /**
  * JWT bearer-token auth adapter.

package/dist/auth/index.js

@@ -1,4 +1,4 @@
-export { EVENT_TYPES, HibpApiError, HibpBreachedError, OAuthProxyError, OneTapVerifyError, SSO_ERROR, SsoError, additionalFields, admin, anonymousAuth, apiKeys, bearerAuth, createAdditionalFieldsModule, createAdminModule, createAnonymousAuthModule, createApiKeyManagerModule, createCaptchaModule, createCostAttributionModule, createCustomSessionModule, createDeviceAuthModule, createEmailOtpModule, createEmailVerificationModule, createEphemeralSessionModule, createEventStreamModule, createFederationModule, createGdprModule, createHibpModule, createJwtSessionModule, createLastLoginModule, createMagicLinkModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOneTimeTokenModule, createOpenApiModule, createOrgModule, createPasskeyModule, createPasswordResetModule, createPhoneAuthModule, createPolarModule, createRateLimiter, createReBACModule, createScimModule, createSiweModule, createSsoModule, createStripeModule, createTotpModule, createTrustedDeviceModule, createUsernameAuthModule, createWebhookModule, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, magicLink, oauthProxy, oneTap, organization, passkey, polar, scim, siwe, stripe, twoFactor, withRateLimit } from '../chunk-FKVAXCNJ.js';
+export { EVENT_TYPES, HibpApiError, HibpBreachedError, OAuthProxyError, OneTapVerifyError, SSO_ERROR, SsoError, additionalFields, admin, anonymousAuth, apiKeys, bearerAuth, createAdditionalFieldsModule, createAdminModule, createAnonymousAuthModule, createApiKeyManagerModule, createCaptchaModule, createCostAttributionModule, createCustomSessionModule, createDeviceAuthModule, createEmailOtpModule, createEmailVerificationModule, createEphemeralSessionModule, createEventStreamModule, createFederationModule, createGdprModule, createHibpModule, createJwtSessionModule, createLastLoginModule, createMagicLinkModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOneTimeTokenModule, createOpenApiModule, createOrgModule, createPasskeyModule, createPasswordResetModule, createPhoneAuthModule, createPolarModule, createRateLimiter, createReBACModule, createScimModule, createSiweModule, createSsoModule, createStripeModule, createTotpModule, createTrustedDeviceModule, createUsernameAuthModule, createWebhookModule, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, magicLink, oauthProxy, oneTap, organization, passkey, polar, scim, siwe, stripe, twoFactor, withRateLimit } from '../chunk-IEOOSOJ4.js';
 import '../chunk-KDL6A76K.js';
 import '../chunk-QCRHJMDX.js';
 import '../chunk-NSBPE2FW.js';

package/dist/{chunk-FKVAXCNJ.js → chunk-IEOOSOJ4.js}

@@ -4,8 +4,6 @@ import * as jose2 from 'jose';
 import { jwtVerify, SignJWT, createRemoteJWKSet, importJWK } from 'jose';
 import { z } from 'zod';
 import { eq, like, sql, lt, and, gte, lte, asc, desc, gt, inArray, or, notInArray } from 'drizzle-orm';
-import { randomUUID, createHash, randomBytes as randomBytes$1, createVerify } from 'crypto';
-import { TextEncoder as TextEncoder$1 } from 'util';
 import { deflateRaw } from 'zlib';
 
 var BearerAuthOptionsSchema = z.object({
@@ -10548,7 +10546,7 @@ function getSamlAttributeValue(assertion, attributeName) {
   return null;
 }
 function deflateRawAsync(input) {
-  const encoder = new TextEncoder$1();
+  const encoder = new TextEncoder();
   return new Promise((resolve, reject) => {
     deflateRaw(encoder.encode(input), (err2, result) => {
       if (err2) reject(err2);
@@ -10564,14 +10562,33 @@ function uint8ArrayToBase64(bytes) {
   return btoa(binary);
 }
 async function buildSamlAuthnRequest(provider) {
-  const requestId = `_${randomBytes$1(16).toString("hex")}`;
+  const requestId = `_${randomBytesHex(16)}`;
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const xml = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="${requestId}" Version="2.0" IssueInstant="${now}" Destination="${provider.entryPoint}" AssertionConsumerServiceURL="${provider.callbackUrl}"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">${provider.entityId ?? provider.issuer}</saml:Issuer></samlp:AuthnRequest>`;
   const deflated = await deflateRawAsync(xml);
   const b64 = uint8ArrayToBase64(deflated);
   return { requestId, encoded: encodeURIComponent(b64) };
 }
-function verifySamlSignature(doc, certPem) {
+function pemToArrayBuffer(pem) {
+  const base64 = pem.replace(/-----[^-]+-----/g, "").replace(/\s+/g, "");
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes.buffer;
+}
+function base64ToArrayBuffer(b64) {
+  let base64 = b64.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4 !== 0) base64 += "=";
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes.buffer;
+}
+async function verifySamlSignature(doc, certPem) {
   const signatureNode = findElement(doc, "Signature");
   if (!signatureNode) return false;
   const signedInfoNode = findElement(signatureNode, "SignedInfo");
@@ -10617,15 +10634,22 @@ function verifySamlSignature(doc, certPem) {
         referencedContent = removeSignatureFromXml(doc.rawOuterXml);
       }
       if (referencedContent && expectedDigest) {
-        let hashAlgo;
+        let digestHashName;
         if (digestAlgo.includes("sha256") || digestAlgo.includes("SHA256")) {
-          hashAlgo = "sha256";
+          digestHashName = "SHA-256";
         } else if (digestAlgo.includes("sha1") || digestAlgo.includes("SHA1")) {
-          hashAlgo = "sha1";
+          digestHashName = "SHA-1";
         } else {
-          hashAlgo = "sha256";
+          digestHashName = "SHA-256";
+        }
+        const contentBuf = new TextEncoder().encode(referencedContent);
+        const digestBuf = await globalThis.crypto.subtle.digest(digestHashName, contentBuf);
+        const digestBytes = new Uint8Array(digestBuf);
+        let digestBinary = "";
+        for (let i = 0; i < digestBytes.length; i++) {
+          digestBinary += String.fromCharCode(digestBytes[i]);
         }
-        const actualDigest = createHash(hashAlgo).update(referencedContent).digest("base64");
+        const actualDigest = btoa(digestBinary);
         if (actualDigest !== expectedDigest) {
           return false;
         }
@@ -10635,10 +10659,24 @@ function verifySamlSignature(doc, certPem) {
   const normalizedCert = certPem.includes("-----") ? certPem : `-----BEGIN CERTIFICATE-----
 ${certPem}
 -----END CERTIFICATE-----`;
-  const verifier = createVerify(nodeAlgo);
-  verifier.update(signedInfoNode.rawOuterXml);
   try {
-    return verifier.verify(normalizedCert, sigValue, "base64");
+    const hashName = nodeAlgo === "RSA-SHA1" ? "SHA-1" : "SHA-256";
+    const certDer = pemToArrayBuffer(normalizedCert);
+    const cryptoKey = await globalThis.crypto.subtle.importKey(
+      "spki",
+      certDer,
+      { name: "RSASSA-PKCS1-v1_5", hash: hashName },
+      false,
+      ["verify"]
+    );
+    const signatureBuffer = base64ToArrayBuffer(sigValue);
+    const dataBuffer = new TextEncoder().encode(signedInfoNode.rawOuterXml);
+    return await globalThis.crypto.subtle.verify(
+      "RSASSA-PKCS1-v1_5",
+      cryptoKey,
+      signatureBuffer,
+      dataBuffer
+    );
   } catch {
     return false;
   }
@@ -10655,7 +10693,7 @@ function removeSignatureFromXml(xml) {
   }
   return result;
 }
-function parseSamlResponse(samlResponse, provider, expectedRequestId) {
+async function parseSamlResponse(samlResponse, provider, expectedRequestId) {
   const decoded = atob(samlResponse);
   let doc;
   try {
@@ -10683,7 +10721,7 @@ function parseSamlResponse(samlResponse, provider, expectedRequestId) {
         "SAML response is not signed but signature is required"
       );
     }
-    if (!verifySamlSignature(doc, provider.cert)) {
+    if (!await verifySamlSignature(doc, provider.cert)) {
       throw new SsoError(
         SSO_ERROR.SAML_SIGNATURE_INVALID,
         "SAML response signature verification failed"
@@ -10839,20 +10877,22 @@ var RateLimiter = class {
     }
   }
 };
-function encodeState(stateTtlSeconds) {
+async function encodeState(stateTtlSeconds) {
   const now = Date.now();
   const expires = now + stateTtlSeconds * 1e3;
-  const random = randomBytes$1(16).toString("hex");
+  const random = randomBytesHex(16);
   const payload = `${random}.${expires}`;
-  const hash = createHash("sha256").update(payload).digest("hex").slice(0, 8);
+  const hashBytes = await sha256Raw(payload);
+  const hash = toHex(hashBytes).slice(0, 8);
   return `${payload}.${hash}`;
 }
-function validateStateToken(state) {
+async function validateStateToken(state) {
   const parts = state.split(".");
   if (parts.length !== 3) return false;
   const [random, expiresStr, hash] = parts;
   const payload = `${random}.${expiresStr}`;
-  const expectedHash = createHash("sha256").update(payload).digest("hex").slice(0, 8);
+  const hashBytes = await sha256Raw(payload);
+  const expectedHash = toHex(hashBytes).slice(0, 8);
   if (hash !== expectedHash) return false;
   const expires = Number.parseInt(expiresStr, 10);
   if (Number.isNaN(expires)) return false;
@@ -10887,7 +10927,7 @@ function createSsoModule(config, db) {
     auditLog({ ...event, timestamp: /* @__PURE__ */ new Date() });
   }
   async function createConnection(input) {
-    const id = `sso_${randomUUID().replace(/-/g, "")}`;
+    const id = `sso_${generateId().replace(/-/g, "")}`;
     const now = /* @__PURE__ */ new Date();
     await db.insert(ssoConnections).values({
       id,
@@ -10980,8 +11020,9 @@ function createSsoModule(config, db) {
         `SAML provider "${conn.providerId}" not configured`
       );
     try {
-      const { email, name } = parseSamlResponse(samlResponse, provider, expectedRequestId);
-      const userId = `saml_${createHash("sha256").update(`${conn.providerId}:${email}`).digest("hex").slice(0, 32)}`;
+      const { email, name } = await parseSamlResponse(samlResponse, provider, expectedRequestId);
+      const userIdHash = await sha256Raw(`${conn.providerId}:${email}`);
+      const userId = `saml_${toHex(userIdHash).slice(0, 32)}`;
       emitAudit({
         type: "sso_login_success",
         connectionId,
@@ -11114,8 +11155,8 @@ function createSsoModule(config, db) {
     }
     if (payload.at_hash && tokens.access_token) {
       const atHash = payload.at_hash;
-      const accessTokenHash = createHash("sha256").update(tokens.access_token).digest();
-      const leftHalf = accessTokenHash.subarray(0, accessTokenHash.length / 2);
+      const accessTokenHashBytes = await sha256Raw(tokens.access_token);
+      const leftHalf = accessTokenHashBytes.subarray(0, accessTokenHashBytes.length / 2);
       const expectedAtHash = uint8ArrayToBase64Url(leftHalf);
       if (atHash !== expectedAtHash) {
         emitAudit({
@@ -11134,7 +11175,8 @@ function createSsoModule(config, db) {
       );
     }
     const name = payload.name ?? void 0;
-    const userId = `oidc_${createHash("sha256").update(`${conn.providerId}:${payload.sub}`).digest("hex").slice(0, 32)}`;
+    const oidcUserIdHash = await sha256Raw(`${conn.providerId}:${payload.sub}`);
+    const userId = `oidc_${toHex(oidcUserIdHash).slice(0, 32)}`;
     emitAudit({
       type: "sso_login_success",
       connectionId,
@@ -11146,10 +11188,10 @@ function createSsoModule(config, db) {
       orgId: conn.orgId
     };
   }
-  function generateState() {
+  async function generateState() {
     return encodeState(stateTtlSeconds);
   }
-  function validateState(state) {
+  async function validateState(state) {
     return validateStateToken(state);
   }
   async function handleRequest(request) {
@@ -12512,5 +12554,5 @@ function createWebhookModule(configs) {
 }
 
 export { EVENT_TYPES, HibpApiError, HibpBreachedError, OAuthProxyError, OneTapVerifyError, SSO_ERROR, SsoError, additionalFields, admin, anonymousAuth, apiKeys2 as apiKeys, bearerAuth, createAdditionalFieldsModule, createAdminModule, createAnonymousAuthModule, createApiKeyManagerModule, createCaptchaModule, createCostAttributionModule, createCustomSessionModule, createDeviceAuthModule, createEmailOtpModule, createEmailVerificationModule, createEphemeralSessionModule, createEventStreamModule, createFederationModule, createGdprModule, createHibpModule, createJwtSessionModule, createLastLoginModule, createMagicLinkModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOneTimeTokenModule, createOpenApiModule, createOrgModule, createPasskeyModule, createPasswordResetModule, createPhoneAuthModule, createPolarModule, createRateLimiter, createReBACModule, createScimModule, createSessionManager, createSiweModule, createSsoModule, createStripeModule, createTotpModule, createTrustedDeviceModule, createUsernameAuthModule, createWebhookModule, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, magicLink, oauthProxy, oneTap, organization, passkey, polar, scim, siwe, stripe, twoFactor, withRateLimit };
-//# sourceMappingURL=chunk-FKVAXCNJ.js.map
-//# sourceMappingURL=chunk-FKVAXCNJ.js.map
+//# sourceMappingURL=chunk-IEOOSOJ4.js.map
+//# sourceMappingURL=chunk-IEOOSOJ4.js.map