latchkey 2.7.2 → 2.8.0

package/dist/src/encryptedStorage.d.ts

@@ -1,40 +1,24 @@
 /**
- * Encrypted file storage with automatic key management.
- * Encryption keys are retrieved from:
- * 1. Provided encryptionKeyOverride option
- * 2. System keychain
- * 3. Generated and stored in keychain (first run)
- *
- * Throws if neither a system keychain nor LATCHKEY_ENCRYPTION_KEY is available.
+ * Encrypted file storage. The master encryption key is resolved by
+ * `resolveEncryptionKey` (see `encryption.ts`), which handles the keychain /
+ * override / generate-on-first-run logic. This module only deals with
+ * reading and writing encrypted files.
  */
 export declare class EncryptedStorageError extends Error {
     constructor(message: string);
 }
-export declare class EncryptionKeyLostError extends EncryptedStorageError {
-    constructor();
-}
 export declare class PathIsDirectoryError extends Error {
     constructor(filePath: string);
 }
-export interface EncryptedStorageOptions {
-    encryptionKeyOverride?: string | null;
-    serviceName?: string;
-    accountName?: string;
-    /**
-     * When false, refuse to generate a new encryption key if the keychain has no key.
-     * This prevents silently replacing a lost key, which would make existing encrypted data unreadable.
-     * Set to false when encrypted files already exist on disk.
-     */
-    allowKeyGeneration?: boolean;
-}
 /**
- * Manages encrypted file storage with automatic key handling.
+ * Read and write encrypted files using a pre-resolved master key. Use
+ * `resolveEncryptionKey` (from `encryption.ts`) to obtain the key from the
+ * keychain / environment / generation-on-first-run logic, then construct
+ * `EncryptedStorage` directly.
  */
 export declare class EncryptedStorage {
     private readonly key;
-    private constructor();
-    static create(options?: EncryptedStorageOptions): Promise<EncryptedStorage>;
-    private static initializeKey;
+    constructor(key: string);
     /**
      * Read and decrypt a file.
      */

package/dist/src/encryptedStorage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encryptedStorage.d.ts","sourceRoot":"","sources":["../../src/encryptedStorage.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAWH,qBAAa,qBAAsB,SAAQ,KAAK;gBAClC,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,sBAAuB,SAAQ,qBAAqB;;CAUhE;AAED,qBAAa,oBAAqB,SAAQ,KAAK;gBACjC,QAAQ,EAAE,MAAM;CAI7B;AAED,MAAM,WAAW,uBAAuB;IACtC,qBAAqB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED;;GAEG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAE7B,OAAO;WAIM,MAAM,CAAC,OAAO,GAAE,uBAA4B,GAAG,OAAO,CAAC,gBAAgB,CAAC;mBAKhE,aAAa;IAkClC;;OAEG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAgCzC;;;OAGG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;CAkBnD"}
+{"version":3,"file":"encryptedStorage.d.ts","sourceRoot":"","sources":["../../src/encryptedStorage.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,qBAAa,qBAAsB,SAAQ,KAAK;gBAClC,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,oBAAqB,SAAQ,KAAK;gBACjC,QAAQ,EAAE,MAAM;CAI7B;AAED;;;;;GAKG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;gBAEjB,GAAG,EAAE,MAAM;IAIvB;;OAEG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAgCzC;;;OAGG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;CAkBnD"}

package/dist/src/encryptedStorage.js

@@ -1,18 +1,13 @@
 /**
- * Encrypted file storage with automatic key management.
- * Encryption keys are retrieved from:
- * 1. Provided encryptionKeyOverride option
- * 2. System keychain
- * 3. Generated and stored in keychain (first run)
- *
- * Throws if neither a system keychain nor LATCHKEY_ENCRYPTION_KEY is available.
+ * Encrypted file storage. The master encryption key is resolved by
+ * `resolveEncryptionKey` (see `encryption.ts`), which handles the keychain /
+ * override / generate-on-first-run logic. This module only deals with
+ * reading and writing encrypted files.
  */
 import { existsSync, mkdirSync, readFileSync, statSync } from 'node:fs';
 import { dirname } from 'node:path';
 import { writeFileAtomic } from './atomicWrite.js';
-import { DEFAULT_KEYRING_SERVICE_NAME, DEFAULT_KEYRING_ACCOUNT_NAME } from './config.js';
-import { encrypt, decrypt, generateKey, DecryptionError } from './encryption.js';
-import { retrieveFromKeychain, storeInKeychain, KeychainNotAvailableError } from './keychain.js';
+import { decrypt, DecryptionError, encrypt } from './encryption.js';
 const ENCRYPTED_FILE_PREFIX = 'LATCHKEY_ENCRYPTED:';
 export class EncryptedStorageError extends Error {
     constructor(message) {
@@ -20,15 +15,6 @@ export class EncryptedStorageError extends Error {
         this.name = 'EncryptedStorageError';
     }
 }
-export class EncryptionKeyLostError extends EncryptedStorageError {
-    constructor() {
-        super('The encryption key was lost from the system keychain and encrypted data already exists. ' +
-            'Generating a new key would make existing data unreadable. ' +
-            'Restore the keychain or set LATCHKEY_ENCRYPTION_KEY, ' +
-            'or delete the encrypted files and start fresh with `latchkey auth clear`.');
-        this.name = 'EncryptionKeyLostError';
-    }
-}
 export class PathIsDirectoryError extends Error {
     constructor(filePath) {
         super(`Path is a directory, not a file: ${filePath}`);
@@ -36,45 +22,16 @@ export class PathIsDirectoryError extends Error {
     }
 }
 /**
- * Manages encrypted file storage with automatic key handling.
+ * Read and write encrypted files using a pre-resolved master key. Use
+ * `resolveEncryptionKey` (from `encryption.ts`) to obtain the key from the
+ * keychain / environment / generation-on-first-run logic, then construct
+ * `EncryptedStorage` directly.
  */
 export class EncryptedStorage {
     key;
     constructor(key) {
         this.key = key;
     }
-    static async create(options = {}) {
-        const key = await EncryptedStorage.initializeKey(options);
-        return new EncryptedStorage(key);
-    }
-    static async initializeKey(options) {
-        // If key was provided via override, use it
-        if (options.encryptionKeyOverride !== undefined && options.encryptionKeyOverride !== null) {
-            return options.encryptionKeyOverride;
-        }
-        const serviceName = options.serviceName ?? DEFAULT_KEYRING_SERVICE_NAME;
-        const accountName = options.accountName ?? DEFAULT_KEYRING_ACCOUNT_NAME;
-        try {
-            const keychainKey = await retrieveFromKeychain(serviceName, accountName);
-            if (keychainKey) {
-                return keychainKey;
-            }
-            if (options.allowKeyGeneration === false) {
-                throw new EncryptionKeyLostError();
-            }
-            // Generate new key and store in keychain
-            const newKey = generateKey();
-            await storeInKeychain(serviceName, accountName, newKey);
-            return newKey;
-        }
-        catch (error) {
-            if (error instanceof KeychainNotAvailableError) {
-                throw new EncryptedStorageError('No encryption key available. ' +
-                    'Set LATCHKEY_ENCRYPTION_KEY or ensure system keychain is accessible.');
-            }
-            throw error;
-        }
-    }
     /**
      * Read and decrypt a file.
      */

package/dist/src/encryptedStorage.js.map

@@ -1 +1 @@
-{"version":3,"file":"encryptedStorage.js","sourceRoot":"","sources":["../../src/encryptedStorage.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACxE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,4BAA4B,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AACzF,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACjF,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,yBAAyB,EAAE,MAAM,eAAe,CAAC;AAEjG,MAAM,qBAAqB,GAAG,qBAAqB,CAAC;AAEpD,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAC9C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED,MAAM,OAAO,sBAAuB,SAAQ,qBAAqB;IAC/D;QACE,KAAK,CACH,0FAA0F;YACxF,4DAA4D;YAC5D,uDAAuD;YACvD,2EAA2E,CAC9E,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF;AAED,MAAM,OAAO,oBAAqB,SAAQ,KAAK;IAC7C,YAAY,QAAgB;QAC1B,KAAK,CAAC,oCAAoC,QAAQ,EAAE,CAAC,CAAC;QACtD,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACrC,CAAC;CACF;AAcD;;GAEG;AACH,MAAM,OAAO,gBAAgB;IACV,GAAG,CAAS;IAE7B,YAAoB,GAAW;QAC7B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,UAAmC,EAAE;QACvD,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAC1D,OAAO,IAAI,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,OAAgC;QACjE,2CAA2C;QAC3C,IAAI,OAAO,CAAC,qBAAqB,KAAK,SAAS,IAAI,OAAO,CAAC,qBAAqB,KAAK,IAAI,EAAE,CAAC;YAC1F,OAAO,OAAO,CAAC,qBAAqB,CAAC;QACvC,CAAC;QAED,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,4BAA4B,CAAC;QACxE,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,4BAA4B,CAAC;QAExE,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;YACzE,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,WAAW,CAAC;YACrB,CAAC;YAED,IAAI,OAAO,CAAC,kBAAkB,KAAK,KAAK,EAAE,CAAC;gBACzC,MAAM,IAAI,sBAAsB,EAAE,CAAC;YACrC,CAAC;YAED,yCAAyC;YACzC,MAAM,MAAM,GAAG,WAAW,EAAE,CAAC;YAC7B,MAAM,eAAe,CAAC,WAAW,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;YACxD,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,yBAAyB,EAAE,CAAC;gBAC/C,MAAM,IAAI,qBAAqB,CAC7B,+BAA+B;oBAC7B,sEAAsE,CACzE,CAAC;YACJ,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,QAAgB;QACvB,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,MAAM,IAAI,oBAAoB,CAAC,QAAQ,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEhD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,qBAAqB,CAC7B,0BAA0B,QAAQ,IAAI;gBACpC,oDAAoD,CACvD,CAAC;QACJ,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAClE,IAAI,CAAC;YACH,OAAO,OAAO,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,eAAe,EAAE,CAAC;gBACrC,MAAM,IAAI,qBAAqB,CAC7B,2BAA2B,KAAK,CAAC,OAAO,IAAI,GAAG,sCAAsC,CACtF,CAAC;YACJ,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,SAAS,CAAC,QAAgB,EAAE,OAAe;QACzC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACjC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,MAAM,IAAI,oBAAoB,CAAC,QAAQ,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QACjD,MAAM,WAAW,GAAG,qBAAqB,GAAG,aAAa,CAAC;QAE1D,eAAe,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7E,CAAC;CACF"}
+{"version":3,"file":"encryptedStorage.js","sourceRoot":"","sources":["../../src/encryptedStorage.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACxE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAEpE,MAAM,qBAAqB,GAAG,qBAAqB,CAAC;AAEpD,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAC9C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED,MAAM,OAAO,oBAAqB,SAAQ,KAAK;IAC7C,YAAY,QAAgB;QAC1B,KAAK,CAAC,oCAAoC,QAAQ,EAAE,CAAC,CAAC;QACtD,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACrC,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,OAAO,gBAAgB;IACV,GAAG,CAAS;IAE7B,YAAY,GAAW;QACrB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,QAAgB;QACvB,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,MAAM,IAAI,oBAAoB,CAAC,QAAQ,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEhD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,qBAAqB,CAC7B,0BAA0B,QAAQ,IAAI;gBACpC,oDAAoD,CACvD,CAAC;QACJ,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAClE,IAAI,CAAC;YACH,OAAO,OAAO,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,eAAe,EAAE,CAAC;gBACrC,MAAM,IAAI,qBAAqB,CAC7B,2BAA2B,KAAK,CAAC,OAAO,IAAI,GAAG,sCAAsC,CACtF,CAAC;YACJ,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,SAAS,CAAC,QAAgB,EAAE,OAAe;QACzC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACjC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,MAAM,IAAI,oBAAoB,CAAC,QAAQ,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QACjD,MAAM,WAAW,GAAG,qBAAqB,GAAG,aAAa,CAAC;QAE1D,eAAe,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7E,CAAC;CACF"}

package/dist/src/encryption.d.ts

@@ -1,6 +1,10 @@
 /**
  * Encryption utilities for secure credential storage.
  * Uses AES-256-GCM for authenticated encryption.
+ *
+ * Also exposes `resolveEncryptionKey`, which returns the master key Latchkey
+ * uses for encryption (and for deriving sub-keys for other purposes such as
+ * signing gateway permissions-override JWTs).
  */
 export declare class EncryptionError extends Error {
     constructor(message: string);
@@ -8,6 +12,47 @@ export declare class EncryptionError extends Error {
 export declare class DecryptionError extends Error {
     constructor(message: string);
 }
+/**
+ * Common base class for encryption-key resolution problems. Catching this
+ * lets callers handle all key-acquisition failures uniformly.
+ */
+export declare class EncryptionKeyError extends Error {
+    constructor(message: string);
+}
+export declare class EncryptionKeyLostError extends EncryptionKeyError {
+    constructor();
+}
+export declare class EncryptionKeyUnavailableError extends EncryptionKeyError {
+    constructor();
+}
+export interface ResolveEncryptionKeyOptions {
+    /**
+     * If provided, this key is used as-is and the keychain is not consulted.
+     */
+    encryptionKeyOverride?: string | null;
+    serviceName?: string;
+    accountName?: string;
+    /**
+     * When false, refuse to generate a new encryption key if the keychain has
+     * no key. Used to prevent silently replacing a lost key, which would make
+     * existing encrypted data unreadable. Set to false when encrypted files
+     * already exist on disk.
+     */
+    allowKeyGeneration?: boolean;
+}
+/**
+ * Resolve the Latchkey master encryption key. Precedence:
+ *   1. `encryptionKeyOverride` from the caller (typically
+ *      `LATCHKEY_ENCRYPTION_KEY`),
+ *   2. system keychain entry,
+ *   3. freshly generated key, stored in the keychain (only when
+ *      `allowKeyGeneration` is true).
+ *
+ * Throws `EncryptionKeyLostError` when the keychain has no key but generation
+ * is disallowed, and `EncryptionKeyUnavailableError` when no key can be
+ * obtained at all (e.g. no keychain available and no override set).
+ */
+export declare function resolveEncryptionKey(options?: ResolveEncryptionKeyOptions): Promise<string>;
 /**
  * Encrypt data using AES-256-GCM.
  * The key should be a base64-encoded 256-bit key.

package/dist/src/encryption.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encryption.d.ts","sourceRoot":"","sources":["../../src/encryption.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CA0BpE;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAiCxE;AAED;;;GAGG;AACH,wBAAgB,WAAW,IAAI,MAAM,CAEpC"}
+{"version":3,"file":"encryption.d.ts","sourceRoot":"","sources":["../../src/encryption.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAWH,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED;;;GAGG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,sBAAuB,SAAQ,kBAAkB;;CAU7D;AAED,qBAAa,6BAA8B,SAAQ,kBAAkB;;CAQpE;AAED,MAAM,WAAW,2BAA2B;IAC1C;;OAEG;IACH,qBAAqB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,MAAM,CAAC,CA2BjB;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CA0BpE;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAiCxE;AAED;;;GAGG;AACH,wBAAgB,WAAW,IAAI,MAAM,CAEpC"}

package/dist/src/encryption.js

@@ -1,8 +1,14 @@
 /**
  * Encryption utilities for secure credential storage.
  * Uses AES-256-GCM for authenticated encryption.
+ *
+ * Also exposes `resolveEncryptionKey`, which returns the master key Latchkey
+ * uses for encryption (and for deriving sub-keys for other purposes such as
+ * signing gateway permissions-override JWTs).
  */
 import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+import { DEFAULT_KEYRING_ACCOUNT_NAME, DEFAULT_KEYRING_SERVICE_NAME } from './config.js';
+import { KeychainNotAvailableError, retrieveFromKeychain, storeInKeychain } from './keychain.js';
 const ALGORITHM = 'aes-256-gcm';
 const KEY_LENGTH = 32; // 256 bits
 const IV_LENGTH = 12; // 96 bits for GCM
@@ -19,6 +25,69 @@ export class DecryptionError extends Error {
         this.name = 'DecryptionError';
     }
 }
+/**
+ * Common base class for encryption-key resolution problems. Catching this
+ * lets callers handle all key-acquisition failures uniformly.
+ */
+export class EncryptionKeyError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'EncryptionKeyError';
+    }
+}
+export class EncryptionKeyLostError extends EncryptionKeyError {
+    constructor() {
+        super('The encryption key was lost from the system keychain and encrypted data already exists. ' +
+            'Generating a new key would make existing data unreadable. ' +
+            'Restore the keychain or set LATCHKEY_ENCRYPTION_KEY, ' +
+            'or delete the encrypted files and start fresh with `latchkey auth clear`.');
+        this.name = 'EncryptionKeyLostError';
+    }
+}
+export class EncryptionKeyUnavailableError extends EncryptionKeyError {
+    constructor() {
+        super('No encryption key available. ' +
+            'Set LATCHKEY_ENCRYPTION_KEY or ensure system keychain is accessible.');
+        this.name = 'EncryptionKeyUnavailableError';
+    }
+}
+/**
+ * Resolve the Latchkey master encryption key. Precedence:
+ *   1. `encryptionKeyOverride` from the caller (typically
+ *      `LATCHKEY_ENCRYPTION_KEY`),
+ *   2. system keychain entry,
+ *   3. freshly generated key, stored in the keychain (only when
+ *      `allowKeyGeneration` is true).
+ *
+ * Throws `EncryptionKeyLostError` when the keychain has no key but generation
+ * is disallowed, and `EncryptionKeyUnavailableError` when no key can be
+ * obtained at all (e.g. no keychain available and no override set).
+ */
+export async function resolveEncryptionKey(options = {}) {
+    if (options.encryptionKeyOverride !== undefined && options.encryptionKeyOverride !== null) {
+        return options.encryptionKeyOverride;
+    }
+    const serviceName = options.serviceName ?? DEFAULT_KEYRING_SERVICE_NAME;
+    const accountName = options.accountName ?? DEFAULT_KEYRING_ACCOUNT_NAME;
+    try {
+        const keychainKey = await retrieveFromKeychain(serviceName, accountName);
+        if (keychainKey !== null) {
+            return keychainKey;
+        }
+        if (options.allowKeyGeneration === false) {
+            throw new EncryptionKeyLostError();
+        }
+        const newKey = generateKey();
+        await storeInKeychain(serviceName, accountName, newKey);
+        return newKey;
+    }
+    catch (error) {
+        if (error instanceof KeychainNotAvailableError) {
+            throw new EncryptionKeyUnavailableError();
+        }
+        throw error;
+    }
+}
 /**
  * Encrypt data using AES-256-GCM.
  * The key should be a base64-encoded 256-bit key.

package/dist/src/encryption.js.map

@@ -1 +1 @@
-{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/encryption.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE5E,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,WAAW;AAClC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,kBAAkB;AACxC,MAAM,eAAe,GAAG,EAAE,CAAC,CAAC,WAAW;AAEvC,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,SAAiB;IAC1D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC7C,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,IAAI,eAAe,CACvB,gCAAgC,MAAM,CAAC,UAAU,CAAC,eAAe,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CACtF,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;QAElC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC,CAAC;QACtF,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACrF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEpC,+CAA+C;QAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC;QAC1D,OAAO,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,eAAe,EAAE,CAAC;YACrC,MAAM,KAAK,CAAC;QACd,CAAC;QACD,MAAM,IAAI,eAAe,CACvB,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACpF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,OAAO,CAAC,aAAqB,EAAE,SAAiB;IAC9D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC7C,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,IAAI,eAAe,CACvB,gCAAgC,MAAM,CAAC,UAAU,CAAC,eAAe,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CACtF,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;QAEtD,4EAA4E;QAC5E,IAAI,QAAQ,CAAC,MAAM,GAAG,SAAS,GAAG,eAAe,EAAE,CAAC;YAClD,MAAM,IAAI,eAAe,CAAC,mCAAmC,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,EAAE,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QAC3C,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,EAAE,SAAS,GAAG,eAAe,CAAC,CAAC;QAC1E,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,GAAG,eAAe,CAAC,CAAC;QAElE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC,CAAC;QAC1F,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAE7B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACjF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,eAAe,EAAE,CAAC;YACrC,MAAM,KAAK,CAAC;QACd,CAAC;QACD,MAAM,IAAI,eAAe,CACvB,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACpF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW;IACzB,OAAO,WAAW,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACpD,CAAC"}
+{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/encryption.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC5E,OAAO,EAAE,4BAA4B,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AACzF,OAAO,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEjG,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,WAAW;AAClC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,kBAAkB;AACxC,MAAM,eAAe,GAAG,EAAE,CAAC,CAAC,WAAW;AAEvC,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAC3C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,MAAM,OAAO,sBAAuB,SAAQ,kBAAkB;IAC5D;QACE,KAAK,CACH,0FAA0F;YACxF,4DAA4D;YAC5D,uDAAuD;YACvD,2EAA2E,CAC9E,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF;AAED,MAAM,OAAO,6BAA8B,SAAQ,kBAAkB;IACnE;QACE,KAAK,CACH,+BAA+B;YAC7B,sEAAsE,CACzE,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,+BAA+B,CAAC;IAC9C,CAAC;CACF;AAkBD;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,UAAuC,EAAE;IAEzC,IAAI,OAAO,CAAC,qBAAqB,KAAK,SAAS,IAAI,OAAO,CAAC,qBAAqB,KAAK,IAAI,EAAE,CAAC;QAC1F,OAAO,OAAO,CAAC,qBAAqB,CAAC;IACvC,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,4BAA4B,CAAC;IACxE,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,4BAA4B,CAAC;IAExE,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QACzE,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;YACzB,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,IAAI,OAAO,CAAC,kBAAkB,KAAK,KAAK,EAAE,CAAC;YACzC,MAAM,IAAI,sBAAsB,EAAE,CAAC;QACrC,CAAC;QAED,MAAM,MAAM,GAAG,WAAW,EAAE,CAAC;QAC7B,MAAM,eAAe,CAAC,WAAW,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QACxD,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,yBAAyB,EAAE,CAAC;YAC/C,MAAM,IAAI,6BAA6B,EAAE,CAAC;QAC5C,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,SAAiB;IAC1D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC7C,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,IAAI,eAAe,CACvB,gCAAgC,MAAM,CAAC,UAAU,CAAC,eAAe,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CACtF,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;QAElC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC,CAAC;QACtF,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACrF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEpC,+CAA+C;QAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC;QAC1D,OAAO,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,eAAe,EAAE,CAAC;YACrC,MAAM,KAAK,CAAC;QACd,CAAC;QACD,MAAM,IAAI,eAAe,CACvB,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACpF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,OAAO,CAAC,aAAqB,EAAE,SAAiB;IAC9D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC7C,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,IAAI,eAAe,CACvB,gCAAgC,MAAM,CAAC,UAAU,CAAC,eAAe,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CACtF,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;QAEtD,4EAA4E;QAC5E,IAAI,QAAQ,CAAC,MAAM,GAAG,SAAS,GAAG,eAAe,EAAE,CAAC;YAClD,MAAM,IAAI,eAAe,CAAC,mCAAmC,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,EAAE,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QAC3C,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,EAAE,SAAS,GAAG,eAAe,CAAC,CAAC;QAC1E,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,GAAG,eAAe,CAAC,CAAC;QAElE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC,CAAC;QAC1F,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAE7B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACjF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,eAAe,EAAE,CAAC;YACrC,MAAM,KAAK,CAAC;QACd,CAAC;QACD,MAAM,IAAI,eAAe,CACvB,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACpF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW;IACzB,OAAO,WAAW,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACpD,CAAC"}

package/dist/src/gateway/client.d.ts

@@ -17,8 +17,12 @@ export declare class GatewayCurlRewriteError extends Error {
 }
 /**
  * POST a request to the gateway's `/latchkey/` endpoint and return its `result`.
+ * When `password` is provided, it is sent in the gateway password header so
+ * the request can be authenticated by a password-protected gateway. When
+ * `permissionsOverride` is provided, it is sent in the permissions-override
+ * header so the gateway uses an alternative permissions.json for this request.
  */
-export declare function callLatchkeyEndpoint(gatewayUrl: string, request: LatchkeyRequest): Promise<unknown>;
+export declare function callLatchkeyEndpoint(gatewayUrl: string, request: LatchkeyRequest, password?: string | null, permissionsOverride?: string | null): Promise<unknown>;
 /**
  * Build the URL used to proxy a `latchkey curl` invocation through the
  * gateway's `/gateway/` endpoint.
@@ -27,6 +31,12 @@ export declare function buildGatewayProxyUrl(gatewayUrl: string, targetUrl: stri
 /**
  * Rewrite a curl argument list so the target URL points at the gateway's
  * `/gateway/<target>` endpoint. Returns a new array; the original is unchanged.
+ *
+ * When `password` is provided, an `-H` argument carrying the gateway
+ * password header is prepended so the rewritten curl call can authenticate
+ * against a password-protected gateway. When `permissionsOverride` is
+ * provided, an `-H` argument carrying the permissions-override JWT is also
+ * prepended.
  */
-export declare function rewriteCurlArgumentsForGateway(curlArguments: readonly string[], targetUrl: string, gatewayUrl: string): readonly string[];
+export declare function rewriteCurlArgumentsForGateway(curlArguments: readonly string[], targetUrl: string, gatewayUrl: string, password?: string | null, permissionsOverride?: string | null): readonly string[];
 //# sourceMappingURL=client.d.ts.map

package/dist/src/gateway/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/gateway/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAE7D,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAEhB,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAKhD;AAED,qBAAa,+BAAgC,SAAQ,KAAK;gBAC5C,WAAW,EAAE,MAAM;CAOhC;AAED,qBAAa,uBAAwB,SAAQ,KAAK;gBACpC,OAAO,EAAE,MAAM;CAI5B;AAOD;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,OAAO,CAAC,CAoClB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAElF;AAED;;;GAGG;AACH,wBAAgB,8BAA8B,CAC5C,aAAa,EAAE,SAAS,MAAM,EAAE,EAChC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,GACjB,SAAS,MAAM,EAAE,CAkBnB"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/gateway/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAI7D,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAEhB,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAKhD;AAED,qBAAa,+BAAgC,SAAQ,KAAK;gBAC5C,WAAW,EAAE,MAAM;CAOhC;AAED,qBAAa,uBAAwB,SAAQ,KAAK;gBACpC,OAAO,EAAE,MAAM;CAI5B;AAOD;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,GAAE,MAAM,GAAG,IAAW,EAC9B,mBAAmB,GAAE,MAAM,GAAG,IAAW,GACxC,OAAO,CAAC,OAAO,CAAC,CA4ClB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAElF;AAED;;;;;;;;;GASG;AACH,wBAAgB,8BAA8B,CAC5C,aAAa,EAAE,SAAS,MAAM,EAAE,EAChC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,QAAQ,GAAE,MAAM,GAAG,IAAW,EAC9B,mBAAmB,GAAE,MAAM,GAAG,IAAW,GACxC,SAAS,MAAM,EAAE,CA0BnB"}

package/dist/src/gateway/client.js

@@ -4,6 +4,8 @@
  * Commands are forwarded to the gateway's `/latchkey/` RPC endpoint, while
  * `latchkey curl` has its target URL rewritten to route through `/gateway/`.
  */
+import { GATEWAY_PASSWORD_HEADER } from './password.js';
+import { PERMISSIONS_OVERRIDE_HEADER } from './permissionsOverride.js';
 export class GatewayRequestError extends Error {
     statusCode;
     constructor(message, statusCode) {
@@ -31,14 +33,25 @@ function buildEndpointUrl(gatewayUrl, path) {
 }
 /**
  * POST a request to the gateway's `/latchkey/` endpoint and return its `result`.
+ * When `password` is provided, it is sent in the gateway password header so
+ * the request can be authenticated by a password-protected gateway. When
+ * `permissionsOverride` is provided, it is sent in the permissions-override
+ * header so the gateway uses an alternative permissions.json for this request.
  */
-export async function callLatchkeyEndpoint(gatewayUrl, request) {
+export async function callLatchkeyEndpoint(gatewayUrl, request, password = null, permissionsOverride = null) {
     const endpoint = buildEndpointUrl(gatewayUrl, '/latchkey');
+    const headers = { 'Content-Type': 'application/json' };
+    if (password !== null) {
+        headers[GATEWAY_PASSWORD_HEADER] = password;
+    }
+    if (permissionsOverride !== null) {
+        headers[PERMISSIONS_OVERRIDE_HEADER] = permissionsOverride;
+    }
     let response;
     try {
         response = await fetch(endpoint, {
             method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
+            headers,
             body: JSON.stringify(request),
         });
     }
@@ -73,8 +86,14 @@ export function buildGatewayProxyUrl(gatewayUrl, targetUrl) {
 /**
  * Rewrite a curl argument list so the target URL points at the gateway's
  * `/gateway/<target>` endpoint. Returns a new array; the original is unchanged.
+ *
+ * When `password` is provided, an `-H` argument carrying the gateway
+ * password header is prepended so the rewritten curl call can authenticate
+ * against a password-protected gateway. When `permissionsOverride` is
+ * provided, an `-H` argument carrying the permissions-override JWT is also
+ * prepended.
  */
-export function rewriteCurlArgumentsForGateway(curlArguments, targetUrl, gatewayUrl) {
+export function rewriteCurlArgumentsForGateway(curlArguments, targetUrl, gatewayUrl, password = null, permissionsOverride = null) {
     const occurrences = curlArguments.reduce((count, argument) => (argument === targetUrl ? count + 1 : count), 0);
     if (occurrences === 0) {
         throw new GatewayCurlRewriteError(`Target URL '${targetUrl}' not found in curl arguments; refusing to rewrite.`);
@@ -84,6 +103,14 @@ export function rewriteCurlArgumentsForGateway(curlArguments, targetUrl, gateway
             `refusing to rewrite to avoid ambiguous substitution.`);
     }
     const proxyUrl = buildGatewayProxyUrl(gatewayUrl, targetUrl);
-    return curlArguments.map((argument) => (argument === targetUrl ? proxyUrl : argument));
+    const rewritten = curlArguments.map((argument) => (argument === targetUrl ? proxyUrl : argument));
+    const extraHeaders = [];
+    if (password !== null) {
+        extraHeaders.push('-H', `${GATEWAY_PASSWORD_HEADER}: ${password}`);
+    }
+    if (permissionsOverride !== null) {
+        extraHeaders.push('-H', `${PERMISSIONS_OVERRIDE_HEADER}: ${permissionsOverride}`);
+    }
+    return [...extraHeaders, ...rewritten];
 }
 //# sourceMappingURL=client.js.map

package/dist/src/gateway/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/gateway/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IACnC,UAAU,CAAS;IAE5B,YAAY,OAAe,EAAE,UAAkB;QAC7C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAED,MAAM,OAAO,+BAAgC,SAAQ,KAAK;IACxD,YAAY,WAAmB;QAC7B,KAAK,CACH,IAAI,WAAW,oDAAoD;YACjE,mDAAmD,CACtD,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,iCAAiC,CAAC;IAChD,CAAC;CACF;AAED,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IAChD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,IAAY;IACxD,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC5C,OAAO,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,UAAkB,EAClB,OAAwB;IAExB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAE3D,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YAC/B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,IAAI,mBAAmB,CAAC,uCAAuC,QAAQ,KAAK,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IAClG,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACvC,IAAI,UAAgD,CAAC;IACrD,IAAI,CAAC;QACH,UAAU;YACR,QAAQ,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAA0C,CAAC;IAC1F,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,mBAAmB,CAC3B,kDAAkD,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,QAAQ,EAAE,EAC5F,QAAQ,CAAC,MAAM,CAChB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,OAAO,GACX,OAAO,UAAU,CAAC,KAAK,KAAK,QAAQ;YAClC,CAAC,CAAC,UAAU,CAAC,KAAK;YAClB,CAAC,CAAC,oCAAoC,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QACvE,MAAM,IAAI,mBAAmB,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,UAAU,CAAC,MAAM,IAAI,IAAI,CAAC;AACnC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB,EAAE,SAAiB;IACxE,OAAO,GAAG,gBAAgB,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG,SAAS,EAAE,CAAC;AACpE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,8BAA8B,CAC5C,aAAgC,EAChC,SAAiB,EACjB,UAAkB;IAElB,MAAM,WAAW,GAAG,aAAa,CAAC,MAAM,CACtC,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,EACjE,CAAC,CACF,CAAC;IACF,IAAI,WAAW,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,uBAAuB,CAC/B,eAAe,SAAS,qDAAqD,CAC9E,CAAC;IACJ,CAAC;IACD,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,uBAAuB,CAC/B,eAAe,SAAS,aAAa,WAAW,CAAC,QAAQ,EAAE,4BAA4B;YACrF,sDAAsD,CACzD,CAAC;IACJ,CAAC;IACD,MAAM,QAAQ,GAAG,oBAAoB,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAC7D,OAAO,aAAa,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzF,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/gateway/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,EAAE,2BAA2B,EAAE,MAAM,0BAA0B,CAAC;AAEvE,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IACnC,UAAU,CAAS;IAE5B,YAAY,OAAe,EAAE,UAAkB;QAC7C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAED,MAAM,OAAO,+BAAgC,SAAQ,KAAK;IACxD,YAAY,WAAmB;QAC7B,KAAK,CACH,IAAI,WAAW,oDAAoD;YACjE,mDAAmD,CACtD,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,iCAAiC,CAAC;IAChD,CAAC;CACF;AAED,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IAChD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,IAAY;IACxD,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC5C,OAAO,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,UAAkB,EAClB,OAAwB,EACxB,WAA0B,IAAI,EAC9B,sBAAqC,IAAI;IAEzC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAE3D,MAAM,OAAO,GAA2B,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;IAC/E,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,OAAO,CAAC,uBAAuB,CAAC,GAAG,QAAQ,CAAC;IAC9C,CAAC;IACD,IAAI,mBAAmB,KAAK,IAAI,EAAE,CAAC;QACjC,OAAO,CAAC,2BAA2B,CAAC,GAAG,mBAAmB,CAAC;IAC7D,CAAC;IAED,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YAC/B,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,IAAI,mBAAmB,CAAC,uCAAuC,QAAQ,KAAK,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IAClG,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACvC,IAAI,UAAgD,CAAC;IACrD,IAAI,CAAC;QACH,UAAU;YACR,QAAQ,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAA0C,CAAC;IAC1F,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,mBAAmB,CAC3B,kDAAkD,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,QAAQ,EAAE,EAC5F,QAAQ,CAAC,MAAM,CAChB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,OAAO,GACX,OAAO,UAAU,CAAC,KAAK,KAAK,QAAQ;YAClC,CAAC,CAAC,UAAU,CAAC,KAAK;YAClB,CAAC,CAAC,oCAAoC,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QACvE,MAAM,IAAI,mBAAmB,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,UAAU,CAAC,MAAM,IAAI,IAAI,CAAC;AACnC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB,EAAE,SAAiB;IACxE,OAAO,GAAG,gBAAgB,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG,SAAS,EAAE,CAAC;AACpE,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,8BAA8B,CAC5C,aAAgC,EAChC,SAAiB,EACjB,UAAkB,EAClB,WAA0B,IAAI,EAC9B,sBAAqC,IAAI;IAEzC,MAAM,WAAW,GAAG,aAAa,CAAC,MAAM,CACtC,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,EACjE,CAAC,CACF,CAAC;IACF,IAAI,WAAW,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,uBAAuB,CAC/B,eAAe,SAAS,qDAAqD,CAC9E,CAAC;IACJ,CAAC;IACD,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,uBAAuB,CAC/B,eAAe,SAAS,aAAa,WAAW,CAAC,QAAQ,EAAE,4BAA4B;YACrF,sDAAsD,CACzD,CAAC;IACJ,CAAC;IACD,MAAM,QAAQ,GAAG,oBAAoB,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAC7D,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAClG,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,uBAAuB,KAAK,QAAQ,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,mBAAmB,KAAK,IAAI,EAAE,CAAC;QACjC,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,2BAA2B,KAAK,mBAAmB,EAAE,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,CAAC,GAAG,YAAY,EAAE,GAAG,SAAS,CAAC,CAAC;AACzC,CAAC"}

package/dist/src/gateway/gatewayEndpoint.d.ts

@@ -16,6 +16,17 @@ export interface GatewayOptions {
     readonly port: number;
     readonly host: string;
     readonly maxBodySize: number;
+    /**
+     * When set, the gateway requires every incoming request to present this
+     * value in the `X-Latchkey-Gateway-Password` header. When null, no
+     * authentication is enforced.
+     */
+    readonly password: string | null;
+    /**
+     * HMAC key used to verify per-request `X-Latchkey-Gateway-Permissions-Override`
+     * JWTs.
+     */
+    readonly permissionsOverrideSigningKey: Buffer;
 }
 /**
  * Extract the target URL from a raw gateway request URL.

package/dist/src/gateway/gatewayEndpoint.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"gatewayEndpoint.d.ts","sourceRoot":"","sources":["../../../src/gateway/gatewayEndpoint.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAIlC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AA2BzD,eAAO,MAAM,mBAAmB,cAAc,CAAC;AAE/C,qBAAa,iBAAkB,SAAQ,KAAK;;CAK3C;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAwBD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAU9D;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,EACpC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,GACf,SAAS,MAAM,EAAE,CAqBnB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG;IACxD,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,CAAC;CACjD,CAiCA;AAkED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,IAAI,CAAC,eAAe,EAC7B,QAAQ,EAAE,IAAI,CAAC,cAAc,EAC7B,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,eAAe,EACrB,kBAAkB,EAAE,kBAAkB,EACtC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CA6Hf"}
+{"version":3,"file":"gatewayEndpoint.d.ts","sourceRoot":"","sources":["../../../src/gateway/gatewayEndpoint.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAIlC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAwCzD,eAAO,MAAM,mBAAmB,cAAc,CAAC;AAE/C,qBAAa,iBAAkB,SAAQ,KAAK;;CAK3C;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC;;;OAGG;IACH,QAAQ,CAAC,6BAA6B,EAAE,MAAM,CAAC;CAChD;AAwBD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAU9D;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,EACpC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,GACf,SAAS,MAAM,EAAE,CAqBnB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG;IACxD,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,CAAC;CACjD,CAiCA;AAkED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,IAAI,CAAC,eAAe,EAC7B,QAAQ,EAAE,IAAI,CAAC,cAAc,EAC7B,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,eAAe,EACrB,kBAAkB,EAAE,kBAAkB,EACtC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CA6Jf"}

package/dist/src/gateway/gatewayEndpoint.js

@@ -11,6 +11,8 @@ import { tmpdir } from 'node:os';
 import { CredentialsExpiredError, NoCredentialsForServiceError, NoServiceForUrlError, prepareCurlInvocation, RequestNotPermittedError, UrlExtractionFailedError, } from '../curlInjection.js';
 import { PermissionCheckError } from '../permissions.js';
 import { ErrorMessages } from '../errorMessages.js';
+import { GATEWAY_PASSWORD_HEADER } from './password.js';
+import { InvalidPermissionsOverrideError, PERMISSIONS_OVERRIDE_HEADER, PermissionsOverrideFileMissingError, resolvePermissionsOverride, } from './permissionsOverride.js';
 /**
  * Headers that should not be forwarded between client and upstream (hop-by-hop).
  */
@@ -25,6 +27,11 @@ const HOP_BY_HOP_HEADERS = new Set([
     'upgrade',
     'host',
 ]);
+/**
+ * Headers that the gateway consumes itself and must not forward to upstream
+ * (in addition to hop-by-hop headers).
+ */
+const GATEWAY_INTERNAL_HEADERS = new Set([GATEWAY_PASSWORD_HEADER, PERMISSIONS_OVERRIDE_HEADER]);
 export const GATEWAY_PATH_PREFIX = '/gateway/';
 export class BodyTooLargeError extends Error {
     constructor() {
@@ -177,6 +184,31 @@ function forwardResponse(response, parsed, body) {
  * Execute a proxied request through the credential injection pipeline.
  */
 export async function handleGatewayRequest(request, response, targetUrl, deps, apiCredentialStore, options) {
+    // Resolve the permissions config for this request. When the client
+    // supplied a permissions-override JWT, validate it and use the referenced
+    // file; otherwise fall back to the gateway's default config path.
+    const pointerHeader = request.headers[PERMISSIONS_OVERRIDE_HEADER];
+    const pointerToken = typeof pointerHeader === 'string' ? pointerHeader : undefined;
+    let permissionsConfigPath = deps.config.permissionsConfigPath;
+    if (pointerToken !== undefined) {
+        try {
+            permissionsConfigPath = resolvePermissionsOverride(pointerToken, options.permissionsOverrideSigningKey);
+        }
+        catch (error) {
+            const method = request.method ?? 'UNKNOWN';
+            if (error instanceof InvalidPermissionsOverrideError) {
+                deps.log(`${method} ${targetUrl} -> 401 (permissions override)`);
+                sendErrorResponse(response, 401, error.message);
+                return;
+            }
+            if (error instanceof PermissionsOverrideFileMissingError) {
+                deps.log(`${method} ${targetUrl} -> 400 (permissions override)`);
+                sendErrorResponse(response, 400, error.message);
+                return;
+            }
+            throw error;
+        }
+    }
     // Read body
     let body;
     try {
@@ -191,16 +223,20 @@ export async function handleGatewayRequest(request, response, targetUrl, deps, a
         }
         throw error;
     }
-    // Build curl arguments from the incoming request
+    // Build curl arguments from the incoming request, dropping headers that
+    // must not be forwarded upstream: HTTP hop-by-hop headers and headers
+    // the gateway itself consumes (password, permissions override).
     const method = request.method ?? 'GET';
     const headerMap = new Map();
     const rawHeaders = request.rawHeaders;
     for (let i = 0; i < rawHeaders.length; i += 2) {
         const name = rawHeaders[i];
         const value = rawHeaders[i + 1];
-        if (!HOP_BY_HOP_HEADERS.has(name.toLowerCase())) {
-            headerMap.set(name, value);
+        const lowerName = name.toLowerCase();
+        if (HOP_BY_HOP_HEADERS.has(lowerName) || GATEWAY_INTERNAL_HEADERS.has(lowerName)) {
+            continue;
         }
+        headerMap.set(name, value);
     }
     const curlArguments = buildCurlArguments(method, headerMap, targetUrl, body !== null);
     let allArguments;
@@ -208,7 +244,7 @@ export async function handleGatewayRequest(request, response, targetUrl, deps, a
         allArguments = await prepareCurlInvocation(curlArguments, apiCredentialStore, {
             registry: deps.registry,
             checkPermission: deps.checkPermission,
-            permissionsConfigPath: deps.config.permissionsConfigPath,
+            permissionsConfigPath,
             permissionsDoNotUseBuiltinSchemas: deps.config.permissionsDoNotUseBuiltinSchemas,
             passthroughUnknown: deps.config.passthroughUnknown,
         });

package/dist/src/gateway/gatewayEndpoint.js.map

@@ -1 +1 @@
-{"version":3,"file":"gatewayEndpoint.js","sourceRoot":"","sources":["../../../src/gateway/gatewayEndpoint.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC5D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAIjC,OAAO,EACL,uBAAuB,EACvB,4BAA4B,EAC5B,oBAAoB,EACpB,qBAAqB,EACrB,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD;;GAEG;AACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,YAAY;IACZ,YAAY;IACZ,oBAAoB;IACpB,qBAAqB;IACrB,IAAI;IACJ,UAAU;IACV,mBAAmB;IACnB,SAAS;IACT,MAAM;CACP,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,mBAAmB,GAAG,WAAW,CAAC;AAE/C,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C;QACE,KAAK,CAAC,aAAa,CAAC,mBAAmB,CAAC,CAAC;QACzC,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAQD,SAAS,iBAAiB,CACxB,QAA6B,EAC7B,UAAkB,EAClB,OAAe;IAEf,QAAQ,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACvE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;AACnD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,uBAAuB,CAAC,QAA6B,EAAE,MAAuB;IACrF,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,aAAa,KAAK,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,qBAAqB,CAAC,CAAC,CAAC,aAAa,CAAC;IAC3F,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,MAAM,MAAM,GAAG,mBAAmB,CAAC;IACnC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAAc,EACd,OAAoC,EACpC,SAAiB,EACjB,OAAgB;IAEhB,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;QACpC,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC/C,SAAS;QACX,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,IAAI,KAAK,KAAK,EAAE,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAErB,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB;IAIrD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC5C,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,wEAAwE;IACxE,iEAAiE;IACjE,yDAAyD;IACzD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACxC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,iDAAiD;QACjD,MAAM,WAAW,GAAG,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;YACzB,UAAU,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,KAAK,EAAE,CAAC;YAChB,SAAS;QACX,CAAC;QAED,gDAAgD;QAChD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;YAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAChD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACrC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC3B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,OAA6B,EAC7B,WAAmB;IAEnB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACxD,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YACzC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,WAAW,EAAE,CAAC;gBACvC,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,SAAS,GAAG,CAAC,CAAC;QAElB,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACnC,SAAS,IAAI,KAAK,CAAC,MAAM,CAAC;YAC1B,IAAI,SAAS,GAAG,WAAW,EAAE,CAAC;gBAC5B,OAAO,CAAC,OAAO,EAAE,CAAC;gBAClB,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QAEH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACrB,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;gBACpB,OAAO,CAAC,IAAI,CAAC,CAAC;gBACd,OAAO;YACT,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,QAA6B,EAC7B,MAA+E,EAC/E,IAAY;IAEZ,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC5C,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,SAAS;QACX,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAE,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IACD,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACtC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAA6B,EAC7B,QAA6B,EAC7B,SAAiB,EACjB,IAAqB,EACrB,kBAAsC,EACtC,OAAuB;IAEvB,YAAY;IACZ,IAAI,IAAmB,CAAC;IACxB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;YAC3C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,iDAAiD;IACjD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC;IACvC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC;QACjC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAChD,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,KAAK,IAAI,CAAC,CAAC;IAEtF,IAAI,YAA+B,CAAC;IACpC,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,qBAAqB,CAAC,aAAa,EAAE,kBAAkB,EAAE;YAC5E,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,qBAAqB,EAAE,IAAI,CAAC,MAAM,CAAC,qBAAqB;YACxD,iCAAiC,EAAE,IAAI,CAAC,MAAM,CAAC,iCAAiC;YAChF,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB;SACnD,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,wBAAwB,EAAE,CAAC;YAC9C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,IAAI,KAAK,YAAY,oBAAoB,EAAE,CAAC;YAC1C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,UAAU,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QACD,IACE,KAAK,YAAY,wBAAwB;YACzC,KAAK,YAAY,oBAAoB;YACrC,KAAK,YAAY,4BAA4B;YAC7C,KAAK,YAAY,uBAAuB,EACxC,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,wCAAwC;IACxC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAE5C,IAAI,CAAC;QACH,qEAAqE;QACrE,sEAAsE;QACtE,4DAA4D;QAC5D,uEAAuE;QACvE,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC,CAAC;QAE5D,MAAM,MAAM,GAAoB,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE;YAChE,KAAK,EAAE,IAAI,IAAI,SAAS;SACzB,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;YAC5B,iEAAiE;YACjE,IAAI,UAAkB,CAAC;YACvB,IAAI,CAAC;gBACH,UAAU,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACjD,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;gBAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBAC7B,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;gBAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YAED,4CAA4C;YAC5C,MAAM,MAAM,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;YAChD,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;YACjD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,OAAO,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QAED,wBAAwB;QACxB,IAAI,UAAkB,CAAC;QACvB,IAAI,CAAC;YACH,UAAU,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;QAE5C,eAAe,CAAC,QAAQ,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QAClF,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,OAAO,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC9D,CAAC;YAAS,CAAC;QACT,sBAAsB;QACtB,IAAI,CAAC;YACH,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;AACH,CAAC"}
+{"version":3,"file":"gatewayEndpoint.js","sourceRoot":"","sources":["../../../src/gateway/gatewayEndpoint.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC5D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAIjC,OAAO,EACL,uBAAuB,EACvB,4BAA4B,EAC5B,oBAAoB,EACpB,qBAAqB,EACrB,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,EACL,+BAA+B,EAC/B,2BAA2B,EAC3B,mCAAmC,EACnC,0BAA0B,GAC3B,MAAM,0BAA0B,CAAC;AAElC;;GAEG;AACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,YAAY;IACZ,YAAY;IACZ,oBAAoB;IACpB,qBAAqB;IACrB,IAAI;IACJ,UAAU;IACV,mBAAmB;IACnB,SAAS;IACT,MAAM;CACP,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAC,CAAC,uBAAuB,EAAE,2BAA2B,CAAC,CAAC,CAAC;AAEjG,MAAM,CAAC,MAAM,mBAAmB,GAAG,WAAW,CAAC;AAE/C,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C;QACE,KAAK,CAAC,aAAa,CAAC,mBAAmB,CAAC,CAAC;QACzC,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAmBD,SAAS,iBAAiB,CACxB,QAA6B,EAC7B,UAAkB,EAClB,OAAe;IAEf,QAAQ,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACvE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;AACnD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,uBAAuB,CAAC,QAA6B,EAAE,MAAuB;IACrF,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,aAAa,KAAK,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,qBAAqB,CAAC,CAAC,CAAC,aAAa,CAAC;IAC3F,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,MAAM,MAAM,GAAG,mBAAmB,CAAC;IACnC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAAc,EACd,OAAoC,EACpC,SAAiB,EACjB,OAAgB;IAEhB,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;QACpC,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC/C,SAAS;QACX,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,IAAI,KAAK,KAAK,EAAE,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAErB,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB;IAIrD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC5C,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,wEAAwE;IACxE,iEAAiE;IACjE,yDAAyD;IACzD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACxC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,iDAAiD;QACjD,MAAM,WAAW,GAAG,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;YACzB,UAAU,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,KAAK,EAAE,CAAC;YAChB,SAAS;QACX,CAAC;QAED,gDAAgD;QAChD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;YAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAChD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACrC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC3B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,OAA6B,EAC7B,WAAmB;IAEnB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACxD,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YACzC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,WAAW,EAAE,CAAC;gBACvC,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,SAAS,GAAG,CAAC,CAAC;QAElB,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACnC,SAAS,IAAI,KAAK,CAAC,MAAM,CAAC;YAC1B,IAAI,SAAS,GAAG,WAAW,EAAE,CAAC;gBAC5B,OAAO,CAAC,OAAO,EAAE,CAAC;gBAClB,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QAEH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACrB,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;gBACpB,OAAO,CAAC,IAAI,CAAC,CAAC;gBACd,OAAO;YACT,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,QAA6B,EAC7B,MAA+E,EAC/E,IAAY;IAEZ,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC5C,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,SAAS;QACX,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAE,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IACD,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACtC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAA6B,EAC7B,QAA6B,EAC7B,SAAiB,EACjB,IAAqB,EACrB,kBAAsC,EACtC,OAAuB;IAEvB,mEAAmE;IACnE,0EAA0E;IAC1E,kEAAkE;IAClE,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;IACnE,MAAM,YAAY,GAAG,OAAO,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;IACnF,IAAI,qBAAqB,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;IAC9D,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;QAC/B,IAAI,CAAC;YACH,qBAAqB,GAAG,0BAA0B,CAChD,YAAY,EACZ,OAAO,CAAC,6BAA6B,CACtC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;YAC3C,IAAI,KAAK,YAAY,+BAA+B,EAAE,CAAC;gBACrD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,gCAAgC,CAAC,CAAC;gBACjE,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;gBAChD,OAAO;YACT,CAAC;YACD,IAAI,KAAK,YAAY,mCAAmC,EAAE,CAAC;gBACzD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,gCAAgC,CAAC,CAAC;gBACjE,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;gBAChD,OAAO;YACT,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,YAAY;IACZ,IAAI,IAAmB,CAAC;IACxB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;YAC3C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,wEAAwE;IACxE,sEAAsE;IACtE,gEAAgE;IAChE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC;IACvC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC;QACjC,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACrC,IAAI,kBAAkB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,wBAAwB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACjF,SAAS;QACX,CAAC;QACD,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,KAAK,IAAI,CAAC,CAAC;IAEtF,IAAI,YAA+B,CAAC;IACpC,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,qBAAqB,CAAC,aAAa,EAAE,kBAAkB,EAAE;YAC5E,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,qBAAqB;YACrB,iCAAiC,EAAE,IAAI,CAAC,MAAM,CAAC,iCAAiC;YAChF,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB;SACnD,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,wBAAwB,EAAE,CAAC;YAC9C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,IAAI,KAAK,YAAY,oBAAoB,EAAE,CAAC;YAC1C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,UAAU,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QACD,IACE,KAAK,YAAY,wBAAwB;YACzC,KAAK,YAAY,oBAAoB;YACrC,KAAK,YAAY,4BAA4B;YAC7C,KAAK,YAAY,uBAAuB,EACxC,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,wCAAwC;IACxC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAE5C,IAAI,CAAC;QACH,qEAAqE;QACrE,sEAAsE;QACtE,4DAA4D;QAC5D,uEAAuE;QACvE,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC,CAAC;QAE5D,MAAM,MAAM,GAAoB,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE;YAChE,KAAK,EAAE,IAAI,IAAI,SAAS;SACzB,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;YAC5B,iEAAiE;YACjE,IAAI,UAAkB,CAAC;YACvB,IAAI,CAAC;gBACH,UAAU,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACjD,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;gBAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBAC7B,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;gBAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YAED,4CAA4C;YAC5C,MAAM,MAAM,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;YAChD,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;YACjD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,OAAO,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QAED,wBAAwB;QACxB,IAAI,UAAkB,CAAC;QACvB,IAAI,CAAC;YACH,UAAU,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;QAE5C,eAAe,CAAC,QAAQ,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QAClF,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,OAAO,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC9D,CAAC;YAAS,CAAC;QACT,sBAAsB;QACtB,IAAI,CAAC;YACH,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/src/gateway/password.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Shared definitions for the optional gateway password used to authenticate
+ * requests between the latchkey CLI (in gateway mode) and the `latchkey
+ * gateway` server.
+ */
+/**
+ * HTTP header used to carry the shared secret. Lowercased to match how
+ * Node's `http.IncomingMessage.headers` exposes header names.
+ */
+export declare const GATEWAY_PASSWORD_HEADER = "x-latchkey-gateway-password";
+/**
+ * Compare two passwords in constant time relative to their length.
+ * Returns false when the values differ in length or contents.
+ */
+export declare function passwordsMatch(expected: string, provided: string): boolean;
+//# sourceMappingURL=password.d.ts.map

package/dist/src/gateway/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../../src/gateway/password.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;GAGG;AACH,eAAO,MAAM,uBAAuB,gCAAgC,CAAC;AAErE;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAO1E"}