npm - latchkey - Versions diffs - 2.7.3 → 2.8.0 - Mend

latchkey 2.7.3 → 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (106) hide show

package/README.md +49 -5
package/dist/scripts/cryptFile.js +2 -2
package/dist/scripts/cryptFile.js.map +1 -1
package/dist/scripts/recordBrowserSession.js +3 -2
package/dist/scripts/recordBrowserSession.js.map +1 -1
package/dist/src/cli.js +5 -4
package/dist/src/cli.js.map +1 -1
package/dist/src/cliCommands.d.ts.map +1 -1
package/dist/src/cliCommands.js +44 -6
package/dist/src/cliCommands.js.map +1 -1
package/dist/src/config.d.ts +29 -0
package/dist/src/config.d.ts.map +1 -1
package/dist/src/config.js +45 -0
package/dist/src/config.js.map +1 -1
package/dist/src/encryptedStorage.d.ts +9 -25
package/dist/src/encryptedStorage.d.ts.map +1 -1
package/dist/src/encryptedStorage.js +9 -52
package/dist/src/encryptedStorage.js.map +1 -1
package/dist/src/encryption.d.ts +45 -0
package/dist/src/encryption.d.ts.map +1 -1
package/dist/src/encryption.js +69 -0
package/dist/src/encryption.js.map +1 -1
package/dist/src/gateway/client.d.ts +12 -2
package/dist/src/gateway/client.d.ts.map +1 -1
package/dist/src/gateway/client.js +31 -4
package/dist/src/gateway/client.js.map +1 -1
package/dist/src/gateway/gatewayEndpoint.d.ts +11 -0
package/dist/src/gateway/gatewayEndpoint.d.ts.map +1 -1
package/dist/src/gateway/gatewayEndpoint.js +40 -4
package/dist/src/gateway/gatewayEndpoint.js.map +1 -1
package/dist/src/gateway/password.d.ts +16 -0
package/dist/src/gateway/password.d.ts.map +1 -0
package/dist/src/gateway/password.js +24 -0
package/dist/src/gateway/password.js.map +1 -0
package/dist/src/gateway/permissionPointer.d.ts +56 -0
package/dist/src/gateway/permissionPointer.d.ts.map +1 -0
package/dist/src/gateway/permissionPointer.js +171 -0
package/dist/src/gateway/permissionPointer.js.map +1 -0
package/dist/src/gateway/permissionsOverride.d.ts +56 -0
package/dist/src/gateway/permissionsOverride.d.ts.map +1 -0
package/dist/src/gateway/permissionsOverride.js +157 -0
package/dist/src/gateway/permissionsOverride.js.map +1 -0
package/dist/src/gateway/server.d.ts.map +1 -1
package/dist/src/gateway/server.js +34 -1
package/dist/src/gateway/server.js.map +1 -1
package/dist/src/index.d.ts +2 -2
package/dist/src/index.d.ts.map +1 -1
package/dist/src/index.js +2 -2
package/dist/src/index.js.map +1 -1
package/dist/src/oauthUtils.d.ts +11 -2
package/dist/src/oauthUtils.d.ts.map +1 -1
package/dist/src/oauthUtils.js +25 -4
package/dist/src/oauthUtils.js.map +1 -1
package/dist/src/serviceRegistry.d.ts.map +1 -1
package/dist/src/serviceRegistry.js +2 -1
package/dist/src/serviceRegistry.js.map +1 -1
package/dist/src/services/index.d.ts +1 -0
package/dist/src/services/index.d.ts.map +1 -1
package/dist/src/services/index.js +1 -0
package/dist/src/services/index.js.map +1 -1
package/dist/src/services/notion-mcp.d.ts +29 -0
package/dist/src/services/notion-mcp.d.ts.map +1 -0
package/dist/src/services/notion-mcp.js +156 -0
package/dist/src/services/notion-mcp.js.map +1 -0
package/dist/src/services/notion.d.ts.map +1 -1
package/dist/src/services/notion.js +3 -2
package/dist/src/services/notion.js.map +1 -1
package/dist/src/version.d.ts +1 -1
package/dist/src/version.js +1 -1
package/dist/tests/apiCredentialStore.test.js +2 -2
package/dist/tests/apiCredentialStore.test.js.map +1 -1
package/dist/tests/cli.test.js +95 -53
package/dist/tests/cli.test.js.map +1 -1
package/dist/tests/config.test.js +37 -0
package/dist/tests/config.test.js.map +1 -1
package/dist/tests/encryptedStorage.test.js +19 -39
package/dist/tests/encryptedStorage.test.js.map +1 -1
package/dist/tests/encryptedStorageKeyGeneration.test.js +2 -1
package/dist/tests/encryptedStorageKeyGeneration.test.js.map +1 -1
package/dist/tests/gateway.test.js +170 -7
package/dist/tests/gateway.test.js.map +1 -1
package/dist/tests/gatewayClient.test.js +74 -0
package/dist/tests/gatewayClient.test.js.map +1 -1
package/dist/tests/latchkeyEndpoint.test.js +7 -6
package/dist/tests/latchkeyEndpoint.test.js.map +1 -1
package/dist/tests/migrations.test.js +2 -2
package/dist/tests/migrations.test.js.map +1 -1
package/dist/tests/oauthUtils.test.d.ts +2 -0
package/dist/tests/oauthUtils.test.d.ts.map +1 -0
package/dist/tests/oauthUtils.test.js +63 -0
package/dist/tests/oauthUtils.test.js.map +1 -0
package/dist/tests/permissionPointer.test.d.ts +2 -0
package/dist/tests/permissionPointer.test.d.ts.map +1 -0
package/dist/tests/permissionPointer.test.js +152 -0
package/dist/tests/permissionPointer.test.js.map +1 -0
package/dist/tests/permissionsOverride.test.d.ts +2 -0
package/dist/tests/permissionsOverride.test.d.ts.map +1 -0
package/dist/tests/permissionsOverride.test.js +136 -0
package/dist/tests/permissionsOverride.test.js.map +1 -0
package/dist/tests/resolveEncryptionKey.test.d.ts +2 -0
package/dist/tests/resolveEncryptionKey.test.d.ts.map +1 -0
package/dist/tests/resolveEncryptionKey.test.js +26 -0
package/dist/tests/resolveEncryptionKey.test.js.map +1 -0
package/dist/tests/sharedOperations.test.js +34 -50
package/dist/tests/sharedOperations.test.js.map +1 -1
package/package.json +2 -2

package/dist/src/gateway/password.js ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * Shared definitions for the optional gateway password used to authenticate
+ * requests between the latchkey CLI (in gateway mode) and the `latchkey
+ * gateway` server.
+ */
+import { timingSafeEqual } from 'node:crypto';
+/**
+ * HTTP header used to carry the shared secret. Lowercased to match how
+ * Node's `http.IncomingMessage.headers` exposes header names.
+ */
+export const GATEWAY_PASSWORD_HEADER = 'x-latchkey-gateway-password';
+/**
+ * Compare two passwords in constant time relative to their length.
+ * Returns false when the values differ in length or contents.
+ */
+export function passwordsMatch(expected, provided) {
+    const expectedBytes = Buffer.from(expected, 'utf-8');
+    const providedBytes = Buffer.from(provided, 'utf-8');
+    if (expectedBytes.length !== providedBytes.length) {
+        return false;
+    }
+    return timingSafeEqual(expectedBytes, providedBytes);
+}
+//# sourceMappingURL=password.js.map

package/dist/src/gateway/password.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"password.js","sourceRoot":"","sources":["../../../src/gateway/password.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,6BAA6B,CAAC;AAErE;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB,EAAE,QAAgB;IAC/D,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACrD,IAAI,aAAa,CAAC,MAAM,KAAK,aAAa,CAAC,MAAM,EAAE,CAAC;QAClD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,eAAe,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;AACvD,CAAC"}

package/dist/src/gateway/permissionPointer.d.ts ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * Optional `x-latchkey-gateway-permission-pointer` header support.
+ *
+ * The header carries a minimal HS256 JWT whose only payload field is
+ * `permissionsConfig`, an absolute path to a `permissions.json` file.
+ * When the gateway receives such a header on a `/gateway/...` request and
+ * the JWT is valid, it uses the referenced permissions config instead of
+ * the default one for that single request.
+ *
+ * The signing key is derived from the Latchkey encryption key via HKDF-like
+ * HMAC-SHA256 with a domain-separation label, so the encryption key itself
+ * is never used to sign or verify these JWTs directly.
+ */
+/**
+ * HTTP header used to carry the permission-pointer JWT. Lowercased to match
+ * how Node's `http.IncomingMessage.headers` exposes header names.
+ */
+export declare const PERMISSION_POINTER_HEADER = "x-latchkey-gateway-permission-pointer";
+export declare class InvalidPermissionPointerError extends Error {
+    constructor(message: string);
+}
+export declare class PermissionPointerFileMissingError extends Error {
+    constructor(filePath: string);
+}
+/**
+ * Derive the HS256 signing key used for permission-pointer JWTs from the
+ * Latchkey encryption key. The encryption key is base64-encoded; the
+ * derived key is the raw HMAC-SHA256 output (32 bytes).
+ */
+export declare function derivePermissionPointerSigningKey(encryptionKeyBase64: string): Buffer;
+/**
+ * Build a permission-pointer JWT for the given absolute path. The path is
+ * not validated here; callers that want to ensure the file exists must do
+ * so before calling this function.
+ */
+export declare function createPermissionPointerJwt(permissionsConfigPath: string, signingKey: Buffer): string;
+interface PermissionPointerPayload {
+    readonly permissionsConfig: string;
+}
+/**
+ * Verify a permission-pointer JWT and return its payload. Throws
+ * `InvalidPermissionPointerError` on any structural, signature, or content
+ * issue (i.e. anything that should be reported as "the JWT is invalid").
+ *
+ * This intentionally does not check that the referenced file exists; that
+ * concern is handled by `resolvePermissionPointer` so that file-system
+ * errors can be reported separately from JWT errors.
+ */
+export declare function verifyPermissionPointerJwt(token: string, signingKey: Buffer): PermissionPointerPayload;
+/**
+ * Verify a permission-pointer JWT and additionally require the referenced
+ * file to exist as a regular file. Returns the absolute path on success.
+ */
+export declare function resolvePermissionPointer(token: string, signingKey: Buffer): string;
+export {};
+//# sourceMappingURL=permissionPointer.d.ts.map

package/dist/src/gateway/permissionPointer.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permissionPointer.d.ts","sourceRoot":"","sources":["../../../src/gateway/permissionPointer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH;;;GAGG;AACH,eAAO,MAAM,yBAAyB,0CAA0C,CAAC;AAYjF,qBAAa,6BAA8B,SAAQ,KAAK;gBAC1C,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,iCAAkC,SAAQ,KAAK;gBAC9C,QAAQ,EAAE,MAAM;CAI7B;AAkBD;;;;GAIG;AACH,wBAAgB,iCAAiC,CAAC,mBAAmB,EAAE,MAAM,GAAG,MAAM,CAGrF;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CACxC,qBAAqB,EAAE,MAAM,EAC7B,UAAU,EAAE,MAAM,GACjB,MAAM,CAWR;AAED,UAAU,wBAAwB;IAChC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;CACpC;AAsCD;;;;;;;;GAQG;AACH,wBAAgB,0BAA0B,CACxC,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,GACjB,wBAAwB,CAqD1B;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAMlF"}

package/dist/src/gateway/permissionPointer.js ADDED Viewed

@@ -0,0 +1,171 @@
+/**
+ * Optional `x-latchkey-gateway-permission-pointer` header support.
+ *
+ * The header carries a minimal HS256 JWT whose only payload field is
+ * `permissionsConfig`, an absolute path to a `permissions.json` file.
+ * When the gateway receives such a header on a `/gateway/...` request and
+ * the JWT is valid, it uses the referenced permissions config instead of
+ * the default one for that single request.
+ *
+ * The signing key is derived from the Latchkey encryption key via HKDF-like
+ * HMAC-SHA256 with a domain-separation label, so the encryption key itself
+ * is never used to sign or verify these JWTs directly.
+ */
+import { createHmac, timingSafeEqual } from 'node:crypto';
+import { existsSync, statSync } from 'node:fs';
+import { isAbsolute } from 'node:path';
+/**
+ * HTTP header used to carry the permission-pointer JWT. Lowercased to match
+ * how Node's `http.IncomingMessage.headers` exposes header names.
+ */
+export const PERMISSION_POINTER_HEADER = 'x-latchkey-gateway-permission-pointer';
+/**
+ * Domain-separation label mixed into the HMAC that derives the JWT signing
+ * key from the Latchkey encryption key. Changing this value invalidates all
+ * previously issued tokens.
+ */
+const SIGNING_KEY_DERIVATION_LABEL = 'latchkey:gateway:permission-pointer:v1';
+const JWT_HEADER = { alg: 'HS256', typ: 'JWT' };
+const JWT_HEADER_ENCODED = base64UrlEncode(Buffer.from(JSON.stringify(JWT_HEADER), 'utf-8'));
+export class InvalidPermissionPointerError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'InvalidPermissionPointerError';
+    }
+}
+export class PermissionPointerFileMissingError extends Error {
+    constructor(filePath) {
+        super(`Permission pointer references missing or invalid file: ${filePath}`);
+        this.name = 'PermissionPointerFileMissingError';
+    }
+}
+function base64UrlEncode(buffer) {
+    return buffer
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/, '');
+}
+function base64UrlDecode(value) {
+    const padded = value
+        .replace(/-/g, '+')
+        .replace(/_/g, '/')
+        .padEnd(value.length + ((4 - (value.length % 4)) % 4), '=');
+    return Buffer.from(padded, 'base64');
+}
+/**
+ * Derive the HS256 signing key used for permission-pointer JWTs from the
+ * Latchkey encryption key. The encryption key is base64-encoded; the
+ * derived key is the raw HMAC-SHA256 output (32 bytes).
+ */
+export function derivePermissionPointerSigningKey(encryptionKeyBase64) {
+    const masterKey = Buffer.from(encryptionKeyBase64, 'base64');
+    return createHmac('sha256', masterKey).update(SIGNING_KEY_DERIVATION_LABEL).digest();
+}
+/**
+ * Build a permission-pointer JWT for the given absolute path. The path is
+ * not validated here; callers that want to ensure the file exists must do
+ * so before calling this function.
+ */
+export function createPermissionPointerJwt(permissionsConfigPath, signingKey) {
+    if (!isAbsolute(permissionsConfigPath)) {
+        throw new InvalidPermissionPointerError(`permissionsConfig path must be absolute: ${permissionsConfigPath}`);
+    }
+    const payload = { permissionsConfig: permissionsConfigPath };
+    const payloadEncoded = base64UrlEncode(Buffer.from(JSON.stringify(payload), 'utf-8'));
+    const signingInput = `${JWT_HEADER_ENCODED}.${payloadEncoded}`;
+    const signature = createHmac('sha256', signingKey).update(signingInput).digest();
+    return `${signingInput}.${base64UrlEncode(signature)}`;
+}
+function parsePayload(payloadEncoded) {
+    let payloadJson;
+    try {
+        payloadJson = base64UrlDecode(payloadEncoded).toString('utf-8');
+    }
+    catch {
+        throw new InvalidPermissionPointerError('Permission pointer payload is not valid base64url.');
+    }
+    let payload;
+    try {
+        payload = JSON.parse(payloadJson);
+    }
+    catch {
+        throw new InvalidPermissionPointerError('Permission pointer payload is not valid JSON.');
+    }
+    if (typeof payload !== 'object' ||
+        payload === null ||
+        !('permissionsConfig' in payload) ||
+        typeof payload.permissionsConfig !== 'string') {
+        throw new InvalidPermissionPointerError("Permission pointer payload must contain a string 'permissionsConfig' field.");
+    }
+    const permissionsConfig = payload.permissionsConfig;
+    if (!isAbsolute(permissionsConfig)) {
+        throw new InvalidPermissionPointerError(`Permission pointer 'permissionsConfig' must be an absolute path: ${permissionsConfig}`);
+    }
+    return { permissionsConfig };
+}
+/**
+ * Verify a permission-pointer JWT and return its payload. Throws
+ * `InvalidPermissionPointerError` on any structural, signature, or content
+ * issue (i.e. anything that should be reported as "the JWT is invalid").
+ *
+ * This intentionally does not check that the referenced file exists; that
+ * concern is handled by `resolvePermissionPointer` so that file-system
+ * errors can be reported separately from JWT errors.
+ */
+export function verifyPermissionPointerJwt(token, signingKey) {
+    const segments = token.split('.');
+    if (segments.length !== 3) {
+        throw new InvalidPermissionPointerError('Permission pointer JWT must have three dot-separated segments.');
+    }
+    const headerEncoded = segments[0];
+    const payloadEncoded = segments[1];
+    const signatureEncoded = segments[2];
+    let headerJson;
+    try {
+        headerJson = base64UrlDecode(headerEncoded).toString('utf-8');
+    }
+    catch {
+        throw new InvalidPermissionPointerError('Permission pointer header is not valid base64url.');
+    }
+    let header;
+    try {
+        header = JSON.parse(headerJson);
+    }
+    catch {
+        throw new InvalidPermissionPointerError('Permission pointer header is not valid JSON.');
+    }
+    if (typeof header !== 'object' ||
+        header === null ||
+        header.alg !== 'HS256' ||
+        header.typ !== 'JWT') {
+        throw new InvalidPermissionPointerError("Permission pointer header must declare alg='HS256' and typ='JWT'.");
+    }
+    let providedSignature;
+    try {
+        providedSignature = base64UrlDecode(signatureEncoded);
+    }
+    catch {
+        throw new InvalidPermissionPointerError('Permission pointer signature is not valid base64url.');
+    }
+    const expectedSignature = createHmac('sha256', signingKey)
+        .update(`${headerEncoded}.${payloadEncoded}`)
+        .digest();
+    if (providedSignature.length !== expectedSignature.length ||
+        !timingSafeEqual(providedSignature, expectedSignature)) {
+        throw new InvalidPermissionPointerError('Permission pointer signature is invalid.');
+    }
+    return parsePayload(payloadEncoded);
+}
+/**
+ * Verify a permission-pointer JWT and additionally require the referenced
+ * file to exist as a regular file. Returns the absolute path on success.
+ */
+export function resolvePermissionPointer(token, signingKey) {
+    const { permissionsConfig } = verifyPermissionPointerJwt(token, signingKey);
+    if (!existsSync(permissionsConfig) || !statSync(permissionsConfig).isFile()) {
+        throw new PermissionPointerFileMissingError(permissionsConfig);
+    }
+    return permissionsConfig;
+}
+//# sourceMappingURL=permissionPointer.js.map

package/dist/src/gateway/permissionPointer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permissionPointer.js","sourceRoot":"","sources":["../../../src/gateway/permissionPointer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAEvC;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,uCAAuC,CAAC;AAEjF;;;;GAIG;AACH,MAAM,4BAA4B,GAAG,wCAAwC,CAAC;AAE9E,MAAM,UAAU,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAW,CAAC;AACzD,MAAM,kBAAkB,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AAE7F,MAAM,OAAO,6BAA8B,SAAQ,KAAK;IACtD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,+BAA+B,CAAC;IAC9C,CAAC;CACF;AAED,MAAM,OAAO,iCAAkC,SAAQ,KAAK;IAC1D,YAAY,QAAgB;QAC1B,KAAK,CAAC,0DAA0D,QAAQ,EAAE,CAAC,CAAC;QAC5E,IAAI,CAAC,IAAI,GAAG,mCAAmC,CAAC;IAClD,CAAC;CACF;AAED,SAAS,eAAe,CAAC,MAAc;IACrC,OAAO,MAAM;SACV,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,MAAM,GAAG,KAAK;SACjB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC9D,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iCAAiC,CAAC,mBAA2B;IAC3E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,QAAQ,CAAC,CAAC;IAC7D,OAAO,UAAU,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,MAAM,CAAC,4BAA4B,CAAC,CAAC,MAAM,EAAE,CAAC;AACvF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CACxC,qBAA6B,EAC7B,UAAkB;IAElB,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,6BAA6B,CACrC,4CAA4C,qBAAqB,EAAE,CACpE,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,CAAC;IAC7D,MAAM,cAAc,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;IACtF,MAAM,YAAY,GAAG,GAAG,kBAAkB,IAAI,cAAc,EAAE,CAAC;IAC/D,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,CAAC;IACjF,OAAO,GAAG,YAAY,IAAI,eAAe,CAAC,SAAS,CAAC,EAAE,CAAC;AACzD,CAAC;AAMD,SAAS,YAAY,CAAC,cAAsB;IAC1C,IAAI,WAAmB,CAAC;IACxB,IAAI,CAAC;QACH,WAAW,GAAG,eAAe,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,6BAA6B,CAAC,oDAAoD,CAAC,CAAC;IAChG,CAAC;IAED,IAAI,OAAgB,CAAC;IACrB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,6BAA6B,CAAC,+CAA+C,CAAC,CAAC;IAC3F,CAAC;IAED,IACE,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,KAAK,IAAI;QAChB,CAAC,CAAC,mBAAmB,IAAI,OAAO,CAAC;QACjC,OAAQ,OAAmC,CAAC,iBAAiB,KAAK,QAAQ,EAC1E,CAAC;QACD,MAAM,IAAI,6BAA6B,CACrC,6EAA6E,CAC9E,CAAC;IACJ,CAAC;IAED,MAAM,iBAAiB,GAAI,OAAyC,CAAC,iBAAiB,CAAC;IACvF,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,6BAA6B,CACrC,oEAAoE,iBAAiB,EAAE,CACxF,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,iBAAiB,EAAE,CAAC;AAC/B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,0BAA0B,CACxC,KAAa,EACb,UAAkB;IAElB,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,6BAA6B,CACrC,gEAAgE,CACjE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;IACnC,MAAM,cAAc,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;IACpC,MAAM,gBAAgB,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;IAEtC,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,eAAe,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,6BAA6B,CAAC,mDAAmD,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,6BAA6B,CAAC,8CAA8C,CAAC,CAAC;IAC1F,CAAC;IACD,IACE,OAAO,MAAM,KAAK,QAAQ;QAC1B,MAAM,KAAK,IAAI;QACd,MAAkC,CAAC,GAAG,KAAK,OAAO;QAClD,MAAkC,CAAC,GAAG,KAAK,KAAK,EACjD,CAAC;QACD,MAAM,IAAI,6BAA6B,CACrC,mEAAmE,CACpE,CAAC;IACJ,CAAC;IAED,IAAI,iBAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,iBAAiB,GAAG,eAAe,CAAC,gBAAgB,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,6BAA6B,CAAC,sDAAsD,CAAC,CAAC;IAClG,CAAC;IAED,MAAM,iBAAiB,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;SACvD,MAAM,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;SAC5C,MAAM,EAAE,CAAC;IAEZ,IACE,iBAAiB,CAAC,MAAM,KAAK,iBAAiB,CAAC,MAAM;QACrD,CAAC,eAAe,CAAC,iBAAiB,EAAE,iBAAiB,CAAC,EACtD,CAAC;QACD,MAAM,IAAI,6BAA6B,CAAC,0CAA0C,CAAC,CAAC;IACtF,CAAC;IAED,OAAO,YAAY,CAAC,cAAc,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,KAAa,EAAE,UAAkB;IACxE,MAAM,EAAE,iBAAiB,EAAE,GAAG,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC5E,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;QAC5E,MAAM,IAAI,iCAAiC,CAAC,iBAAiB,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,iBAAiB,CAAC;AAC3B,CAAC"}

package/dist/src/gateway/permissionsOverride.d.ts ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * Optional `x-latchkey-gateway-permissions-override` header support.
+ *
+ * The header carries a minimal HS256 JWT whose only payload field is
+ * `permissionsConfig`, an absolute path to a `permissions.json` file.
+ * When the gateway receives such a header on a `/gateway/...` request and
+ * the JWT is valid, it uses the referenced permissions config instead of
+ * the default one for that single request.
+ *
+ * The signing key is derived from the Latchkey encryption key via HKDF-like
+ * HMAC-SHA256 with a domain-separation label, so the encryption key itself
+ * is never used to sign or verify these JWTs directly.
+ */
+/**
+ * HTTP header used to carry the permissions-override JWT. Lowercased to match
+ * how Node's `http.IncomingMessage.headers` exposes header names.
+ */
+export declare const PERMISSIONS_OVERRIDE_HEADER = "x-latchkey-gateway-permissions-override";
+export declare class InvalidPermissionsOverrideError extends Error {
+    constructor(message: string);
+}
+export declare class PermissionsOverrideFileMissingError extends Error {
+    constructor(filePath: string);
+}
+/**
+ * Derive the HS256 signing key used for permissions-override JWTs from the
+ * Latchkey encryption key. The encryption key is base64-encoded; the
+ * derived key is the raw HMAC-SHA256 output (32 bytes).
+ */
+export declare function derivePermissionsOverrideSigningKey(encryptionKeyBase64: string): Buffer;
+/**
+ * Build a permissions-override JWT for the given absolute path. The path is
+ * not validated here; callers that want to ensure the file exists must do
+ * so before calling this function.
+ */
+export declare function createPermissionsOverrideJwt(permissionsConfigPath: string, signingKey: Buffer): string;
+interface PermissionsOverridePayload {
+    readonly permissionsConfig: string;
+}
+/**
+ * Verify a permissions-override JWT and return its payload. Throws
+ * `InvalidPermissionsOverrideError` on any structural, signature, or content
+ * issue (i.e. anything that should be reported as "the JWT is invalid").
+ *
+ * This intentionally does not check that the referenced file exists; that
+ * concern is handled by `resolvePermissionsOverride` so that file-system
+ * errors can be reported separately from JWT errors.
+ */
+export declare function verifyPermissionsOverrideJwt(token: string, signingKey: Buffer): PermissionsOverridePayload;
+/**
+ * Verify a permissions-override JWT and additionally require the referenced
+ * file to exist as a regular file. Returns the absolute path on success.
+ */
+export declare function resolvePermissionsOverride(token: string, signingKey: Buffer): string;
+export {};
+//# sourceMappingURL=permissionsOverride.d.ts.map

package/dist/src/gateway/permissionsOverride.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permissionsOverride.d.ts","sourceRoot":"","sources":["../../../src/gateway/permissionsOverride.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH;;;GAGG;AACH,eAAO,MAAM,2BAA2B,4CAA4C,CAAC;AAYrF,qBAAa,+BAAgC,SAAQ,KAAK;gBAC5C,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,mCAAoC,SAAQ,KAAK;gBAChD,QAAQ,EAAE,MAAM;CAI7B;AAED;;;;GAIG;AACH,wBAAgB,mCAAmC,CAAC,mBAAmB,EAAE,MAAM,GAAG,MAAM,CAGvF;AAED;;;;GAIG;AACH,wBAAgB,4BAA4B,CAC1C,qBAAqB,EAAE,MAAM,EAC7B,UAAU,EAAE,MAAM,GACjB,MAAM,CAWR;AAED,UAAU,0BAA0B;IAClC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;CACpC;AAwCD;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAC1C,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,GACjB,0BAA0B,CAyD5B;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAMpF"}

package/dist/src/gateway/permissionsOverride.js ADDED Viewed

@@ -0,0 +1,157 @@
+/**
+ * Optional `x-latchkey-gateway-permissions-override` header support.
+ *
+ * The header carries a minimal HS256 JWT whose only payload field is
+ * `permissionsConfig`, an absolute path to a `permissions.json` file.
+ * When the gateway receives such a header on a `/gateway/...` request and
+ * the JWT is valid, it uses the referenced permissions config instead of
+ * the default one for that single request.
+ *
+ * The signing key is derived from the Latchkey encryption key via HKDF-like
+ * HMAC-SHA256 with a domain-separation label, so the encryption key itself
+ * is never used to sign or verify these JWTs directly.
+ */
+import { createHmac, timingSafeEqual } from 'node:crypto';
+import { existsSync, statSync } from 'node:fs';
+import { isAbsolute } from 'node:path';
+/**
+ * HTTP header used to carry the permissions-override JWT. Lowercased to match
+ * how Node's `http.IncomingMessage.headers` exposes header names.
+ */
+export const PERMISSIONS_OVERRIDE_HEADER = 'x-latchkey-gateway-permissions-override';
+/**
+ * Domain-separation label mixed into the HMAC that derives the JWT signing
+ * key from the Latchkey encryption key. Changing this value invalidates all
+ * previously issued tokens.
+ */
+const SIGNING_KEY_DERIVATION_LABEL = 'latchkey:gateway:permissions-override:v1';
+const JWT_HEADER = { alg: 'HS256', typ: 'JWT' };
+const JWT_HEADER_ENCODED = Buffer.from(JSON.stringify(JWT_HEADER), 'utf-8').toString('base64url');
+export class InvalidPermissionsOverrideError extends Error {
+    constructor(message) {
+        super(`Latchkey: ${message}`);
+        this.name = 'InvalidPermissionsOverrideError';
+    }
+}
+export class PermissionsOverrideFileMissingError extends Error {
+    constructor(filePath) {
+        super(`Permissions override references missing or invalid file: ${filePath}`);
+        this.name = 'PermissionsOverrideFileMissingError';
+    }
+}
+/**
+ * Derive the HS256 signing key used for permissions-override JWTs from the
+ * Latchkey encryption key. The encryption key is base64-encoded; the
+ * derived key is the raw HMAC-SHA256 output (32 bytes).
+ */
+export function derivePermissionsOverrideSigningKey(encryptionKeyBase64) {
+    const masterKey = Buffer.from(encryptionKeyBase64, 'base64');
+    return createHmac('sha256', masterKey).update(SIGNING_KEY_DERIVATION_LABEL).digest();
+}
+/**
+ * Build a permissions-override JWT for the given absolute path. The path is
+ * not validated here; callers that want to ensure the file exists must do
+ * so before calling this function.
+ */
+export function createPermissionsOverrideJwt(permissionsConfigPath, signingKey) {
+    if (!isAbsolute(permissionsConfigPath)) {
+        throw new InvalidPermissionsOverrideError(`permissionsConfig path must be absolute: ${permissionsConfigPath}`);
+    }
+    const payload = { permissionsConfig: permissionsConfigPath };
+    const payloadEncoded = Buffer.from(JSON.stringify(payload), 'utf-8').toString('base64url');
+    const signingInput = `${JWT_HEADER_ENCODED}.${payloadEncoded}`;
+    const signature = createHmac('sha256', signingKey).update(signingInput).digest('base64url');
+    return `${signingInput}.${signature}`;
+}
+function parsePayload(payloadEncoded) {
+    let payloadJson;
+    try {
+        payloadJson = Buffer.from(payloadEncoded, 'base64url').toString('utf-8');
+    }
+    catch {
+        throw new InvalidPermissionsOverrideError('Permissions override payload is not valid base64url.');
+    }
+    let payload;
+    try {
+        payload = JSON.parse(payloadJson);
+    }
+    catch {
+        throw new InvalidPermissionsOverrideError('Permissions override payload is not valid JSON.');
+    }
+    if (typeof payload !== 'object' ||
+        payload === null ||
+        !('permissionsConfig' in payload) ||
+        typeof payload.permissionsConfig !== 'string') {
+        throw new InvalidPermissionsOverrideError("Permissions override payload must contain a string 'permissionsConfig' field.");
+    }
+    const permissionsConfig = payload.permissionsConfig;
+    if (!isAbsolute(permissionsConfig)) {
+        throw new InvalidPermissionsOverrideError(`Permissions override 'permissionsConfig' must be an absolute path: ${permissionsConfig}`);
+    }
+    return { permissionsConfig };
+}
+/**
+ * Verify a permissions-override JWT and return its payload. Throws
+ * `InvalidPermissionsOverrideError` on any structural, signature, or content
+ * issue (i.e. anything that should be reported as "the JWT is invalid").
+ *
+ * This intentionally does not check that the referenced file exists; that
+ * concern is handled by `resolvePermissionsOverride` so that file-system
+ * errors can be reported separately from JWT errors.
+ */
+export function verifyPermissionsOverrideJwt(token, signingKey) {
+    const segments = token.split('.');
+    if (segments.length !== 3) {
+        throw new InvalidPermissionsOverrideError('Permissions override JWT must have three dot-separated segments.');
+    }
+    const headerEncoded = segments[0];
+    const payloadEncoded = segments[1];
+    const signatureEncoded = segments[2];
+    let headerJson;
+    try {
+        headerJson = Buffer.from(headerEncoded, 'base64url').toString('utf-8');
+    }
+    catch {
+        throw new InvalidPermissionsOverrideError('Permissions override header is not valid base64url.');
+    }
+    let header;
+    try {
+        header = JSON.parse(headerJson);
+    }
+    catch {
+        throw new InvalidPermissionsOverrideError('Permissions override header is not valid JSON.');
+    }
+    if (typeof header !== 'object' ||
+        header === null ||
+        header.alg !== 'HS256' ||
+        header.typ !== 'JWT') {
+        throw new InvalidPermissionsOverrideError("Permissions override header must declare alg='HS256' and typ='JWT'.");
+    }
+    let providedSignature;
+    try {
+        providedSignature = Buffer.from(signatureEncoded, 'base64url');
+    }
+    catch {
+        throw new InvalidPermissionsOverrideError('Permissions override signature is not valid base64url.');
+    }
+    const expectedSignature = createHmac('sha256', signingKey)
+        .update(`${headerEncoded}.${payloadEncoded}`)
+        .digest();
+    if (providedSignature.length !== expectedSignature.length ||
+        !timingSafeEqual(providedSignature, expectedSignature)) {
+        throw new InvalidPermissionsOverrideError('Permissions override signature is invalid.');
+    }
+    return parsePayload(payloadEncoded);
+}
+/**
+ * Verify a permissions-override JWT and additionally require the referenced
+ * file to exist as a regular file. Returns the absolute path on success.
+ */
+export function resolvePermissionsOverride(token, signingKey) {
+    const { permissionsConfig } = verifyPermissionsOverrideJwt(token, signingKey);
+    if (!existsSync(permissionsConfig) || !statSync(permissionsConfig).isFile()) {
+        throw new PermissionsOverrideFileMissingError(permissionsConfig);
+    }
+    return permissionsConfig;
+}
+//# sourceMappingURL=permissionsOverride.js.map

package/dist/src/gateway/permissionsOverride.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permissionsOverride.js","sourceRoot":"","sources":["../../../src/gateway/permissionsOverride.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAEvC;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,yCAAyC,CAAC;AAErF;;;;GAIG;AACH,MAAM,4BAA4B,GAAG,0CAA0C,CAAC;AAEhF,MAAM,UAAU,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAW,CAAC;AACzD,MAAM,kBAAkB,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAElG,MAAM,OAAO,+BAAgC,SAAQ,KAAK;IACxD,YAAY,OAAe;QACzB,KAAK,CAAC,aAAa,OAAO,EAAE,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,GAAG,iCAAiC,CAAC;IAChD,CAAC;CACF;AAED,MAAM,OAAO,mCAAoC,SAAQ,KAAK;IAC5D,YAAY,QAAgB;QAC1B,KAAK,CAAC,4DAA4D,QAAQ,EAAE,CAAC,CAAC;QAC9E,IAAI,CAAC,IAAI,GAAG,qCAAqC,CAAC;IACpD,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,mCAAmC,CAAC,mBAA2B;IAC7E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,QAAQ,CAAC,CAAC;IAC7D,OAAO,UAAU,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,MAAM,CAAC,4BAA4B,CAAC,CAAC,MAAM,EAAE,CAAC;AACvF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,4BAA4B,CAC1C,qBAA6B,EAC7B,UAAkB;IAElB,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,+BAA+B,CACvC,4CAA4C,qBAAqB,EAAE,CACpE,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,CAAC;IAC7D,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC3F,MAAM,YAAY,GAAG,GAAG,kBAAkB,IAAI,cAAc,EAAE,CAAC;IAC/D,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5F,OAAO,GAAG,YAAY,IAAI,SAAS,EAAE,CAAC;AACxC,CAAC;AAMD,SAAS,YAAY,CAAC,cAAsB;IAC1C,IAAI,WAAmB,CAAC;IACxB,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC3E,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,+BAA+B,CACvC,sDAAsD,CACvD,CAAC;IACJ,CAAC;IAED,IAAI,OAAgB,CAAC;IACrB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,+BAA+B,CAAC,iDAAiD,CAAC,CAAC;IAC/F,CAAC;IAED,IACE,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,KAAK,IAAI;QAChB,CAAC,CAAC,mBAAmB,IAAI,OAAO,CAAC;QACjC,OAAQ,OAAmC,CAAC,iBAAiB,KAAK,QAAQ,EAC1E,CAAC;QACD,MAAM,IAAI,+BAA+B,CACvC,+EAA+E,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,iBAAiB,GAAI,OAAyC,CAAC,iBAAiB,CAAC;IACvF,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,+BAA+B,CACvC,sEAAsE,iBAAiB,EAAE,CAC1F,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,iBAAiB,EAAE,CAAC;AAC/B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,4BAA4B,CAC1C,KAAa,EACb,UAAkB;IAElB,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,+BAA+B,CACvC,kEAAkE,CACnE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;IACnC,MAAM,cAAc,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;IACpC,MAAM,gBAAgB,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;IAEtC,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,+BAA+B,CACvC,qDAAqD,CACtD,CAAC;IACJ,CAAC;IACD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,+BAA+B,CAAC,gDAAgD,CAAC,CAAC;IAC9F,CAAC;IACD,IACE,OAAO,MAAM,KAAK,QAAQ;QAC1B,MAAM,KAAK,IAAI;QACd,MAAkC,CAAC,GAAG,KAAK,OAAO;QAClD,MAAkC,CAAC,GAAG,KAAK,KAAK,EACjD,CAAC;QACD,MAAM,IAAI,+BAA+B,CACvC,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED,IAAI,iBAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,WAAW,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,+BAA+B,CACvC,wDAAwD,CACzD,CAAC;IACJ,CAAC;IAED,MAAM,iBAAiB,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;SACvD,MAAM,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;SAC5C,MAAM,EAAE,CAAC;IAEZ,IACE,iBAAiB,CAAC,MAAM,KAAK,iBAAiB,CAAC,MAAM;QACrD,CAAC,eAAe,CAAC,iBAAiB,EAAE,iBAAiB,CAAC,EACtD,CAAC;QACD,MAAM,IAAI,+BAA+B,CAAC,4CAA4C,CAAC,CAAC;IAC1F,CAAC;IAED,OAAO,YAAY,CAAC,cAAc,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CAAC,KAAa,EAAE,UAAkB;IAC1E,MAAM,EAAE,iBAAiB,EAAE,GAAG,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC9E,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;QAC5E,MAAM,IAAI,mCAAmC,CAAC,iBAAiB,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,iBAAiB,CAAC;AAC3B,CAAC"}

package/dist/src/gateway/server.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../../src/gateway/server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE/D,OAAO,EAIL,KAAK,cAAc,EACpB,MAAM,sBAAsB,CAAC;~~AAY9B~~,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACrC;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,IAAI,EAAE,eAAe,EACrB,kBAAkB,EAAE,kBAAkB,EACtC,gBAAgB,EAAE,gBAAgB,EAClC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,aAAa,CAAC,~~CAmGxB~~"}
1	+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../../src/gateway/server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE/D,OAAO,EAIL,KAAK,cAAc,EACpB,MAAM,sBAAsB,CAAC;AA8C9B,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACrC;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,IAAI,EAAE,eAAe,EACrB,kBAAkB,EAAE,kBAAkB,EACtC,gBAAgB,EAAE,gBAAgB,EAClC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,aAAa,CAAC,CA0GxB"}

package/dist/src/gateway/server.js CHANGED Viewed

@@ -8,10 +8,39 @@ import * as http from 'node:http';
 import { ErrorMessages } from '../errorMessages.js';
 import { extractTargetUrl, GATEWAY_PATH_PREFIX, handleGatewayRequest, } from './gatewayEndpoint.js';
 import { handleLatchkeyRequest } from './latchkeyEndpoint.js';
+import { GATEWAY_PASSWORD_HEADER, passwordsMatch } from './password.js';
 function sendErrorResponse(response, statusCode, message) {
     response.writeHead(statusCode, { 'Content-Type': 'application/json' });
     response.end(JSON.stringify({ error: message }));
 }
+/**
+ * Read a single header value, treating arrays (which Node returns for some
+ * headers) as missing because the password header is not allowed to repeat.
+ */
+function readSingleHeader(request, headerName) {
+    const value = request.headers[headerName];
+    if (typeof value === 'string')
+        return value;
+    return undefined;
+}
+/**
+ * If a password is configured, verify that the request presents it in the
+ * expected header. Returns true when the request should be allowed to
+ * proceed, and writes a 401 response and returns false otherwise.
+ */
+function enforcePassword(request, response, expectedPassword, deps) {
+    if (expectedPassword === null)
+        return true;
+    const provided = readSingleHeader(request, GATEWAY_PASSWORD_HEADER);
+    if (provided !== undefined && passwordsMatch(expectedPassword, provided)) {
+        return true;
+    }
+    const method = request.method ?? 'UNKNOWN';
+    const path = request.url ?? '';
+    deps.log(`${method} ${path} -> 401 (password)`);
+    sendErrorResponse(response, 401, 'Unauthorized: invalid or missing Latchkey gateway password.');
+    return false;
+}
 /**
  * Start the gateway HTTP server.
  */
@@ -19,6 +48,9 @@ export function startGateway(deps, apiCredentialStore, encryptedStorage, options
     const inFlightRequests = new Set();
     const server = http.createServer((request, response) => {
         const rawUrl = request.url ?? '';
+        if (!enforcePassword(request, response, options.password, deps)) {
+            return;
+        }
         // Health endpoint
         if (rawUrl === '/' && request.method === 'GET') {
             response.writeHead(200, { 'Content-Type': 'application/json' });
@@ -82,7 +114,8 @@ export function startGateway(deps, apiCredentialStore, encryptedStorage, options
     return new Promise((resolve, reject) => {
         server.on('error', reject);
         server.listen(options.port, options.host, () => {
-            deps.log(`Latchkey gateway listening on ${options.host}:${String(options.port)}`);
+            const passwordNote = options.password === null ? '' : ' (password authentication enabled)';
+            deps.log(`Latchkey gateway listening on ${options.host}:${String(options.port)}${passwordNote}`);
             resolve({ server, close });
         });
     });

package/dist/src/gateway/server.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"server.js","sourceRoot":"","sources":["../../../src/gateway/server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAIlC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,oBAAoB,GAErB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;~~AAE9D~~,SAAS,iBAAiB,CACxB,QAA6B,EAC7B,UAAkB,EAClB,OAAe;IAEf,QAAQ,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACvE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;AACnD,CAAC;AAOD;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,IAAqB,EACrB,kBAAsC,EACtC,gBAAkC,EAClC,OAAuB;IAEvB,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAiB,CAAC;IAElD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE;QACrD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;QAEjC,kBAAkB;QAClB,IAAI,MAAM,KAAK,GAAG,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC/C,QAAQ,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAChE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACtE,OAAO;QACT,CAAC;QAED,wBAAwB;QACxB,IAAI,MAAM,KAAK,YAAY,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;YACtD,MAAM,cAAc,GAAG,qBAAqB,CAC1C,OAAO,EACP,QAAQ,EACR,IAAI,EACJ,kBAAkB,EAClB,gBAAgB,CACjB,CAAC,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;gBACzB,IAAI,CAAC,QAAQ,CACX,yCAAyC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAClG,CAAC;gBACF,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;oBAC1B,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC;gBACrD,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,gBAAgB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YACrC,KAAK,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE;gBAC/B,gBAAgB,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;YAC1C,CAAC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,qBAAqB;QACrB,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,IAAI,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAAE,CAAC;gBAC3C,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;gBAC3C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,MAAM,CAAC,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBACzE,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;YACrE,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACxB,QAAQ,CAAC,GAAG,EAAE,CAAC;YACjB,CAAC;YACD,OAAO;QACT,CAAC;QAED,MAAM,cAAc,GAAG,oBAAoB,CACzC,OAAO,EACP,QAAQ,EACR,SAAS,EACT,IAAI,EACJ,kBAAkB,EAClB,OAAO,CACR,CAAC,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;YACzB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;YAC3C,IAAI,CAAC,QAAQ,CACX,6BAA6B,MAAM,IAAI,SAAS,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC9G,CAAC;YACF,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;gBAC1B,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,aAAa,CAAC,qBAAqB,CAAC,CAAC;YACxE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,gBAAgB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACrC,KAAK,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE;YAC/B,gBAAgB,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,mBAAmB,GAAG,MAAM,CAAC;IAEnC,MAAM,KAAK,GAAG,GAAkB,EAAE;QAChC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YAC7B,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE;gBAChB,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YAEH,4BAA4B;YAC5B,UAAU,CAAC,GAAG,EAAE;gBACd,MAAM,CAAC,mBAAmB,EAAE,CAAC;gBAC7B,OAAO,EAAE,CAAC;YACZ,CAAC,EAAE,mBAAmB,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAE3B,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,GAAG,EAAE;YAC7C,IAAI,CAAC,~~GAAG~~,CAAC,iCAAiC,OAAO,CAAC,IAAI,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,~~CAAC~~,CAAC;~~YAClF~~,OAAO,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
1	+ {"version":3,"file":"server.js","sourceRoot":"","sources":["../../../src/gateway/server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAIlC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,oBAAoB,GAErB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAC9D,OAAO,EAAE,uBAAuB,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAExE,SAAS,iBAAiB,CACxB,QAA6B,EAC7B,UAAkB,EAClB,OAAe;IAEf,QAAQ,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACvE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;AACnD,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,OAA6B,EAAE,UAAkB;IACzE,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC1C,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5C,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAS,eAAe,CACtB,OAA6B,EAC7B,QAA6B,EAC7B,gBAA+B,EAC/B,IAAqB;IAErB,IAAI,gBAAgB,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC;IACpE,IAAI,QAAQ,KAAK,SAAS,IAAI,cAAc,CAAC,gBAAgB,EAAE,QAAQ,CAAC,EAAE,CAAC;QACzE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;IAC3C,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,IAAI,oBAAoB,CAAC,CAAC;IAChD,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,6DAA6D,CAAC,CAAC;IAChG,OAAO,KAAK,CAAC;AACf,CAAC;AAOD;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,IAAqB,EACrB,kBAAsC,EACtC,gBAAkC,EAClC,OAAuB;IAEvB,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAiB,CAAC;IAElD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE;QACrD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;QAEjC,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC;YAChE,OAAO;QACT,CAAC;QAED,kBAAkB;QAClB,IAAI,MAAM,KAAK,GAAG,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC/C,QAAQ,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAChE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACtE,OAAO;QACT,CAAC;QAED,wBAAwB;QACxB,IAAI,MAAM,KAAK,YAAY,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;YACtD,MAAM,cAAc,GAAG,qBAAqB,CAC1C,OAAO,EACP,QAAQ,EACR,IAAI,EACJ,kBAAkB,EAClB,gBAAgB,CACjB,CAAC,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;gBACzB,IAAI,CAAC,QAAQ,CACX,yCAAyC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAClG,CAAC;gBACF,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;oBAC1B,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC;gBACrD,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,gBAAgB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YACrC,KAAK,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE;gBAC/B,gBAAgB,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;YAC1C,CAAC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,qBAAqB;QACrB,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,IAAI,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAAE,CAAC;gBAC3C,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;gBAC3C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,MAAM,CAAC,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBACzE,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;YACrE,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACxB,QAAQ,CAAC,GAAG,EAAE,CAAC;YACjB,CAAC;YACD,OAAO;QACT,CAAC;QAED,MAAM,cAAc,GAAG,oBAAoB,CACzC,OAAO,EACP,QAAQ,EACR,SAAS,EACT,IAAI,EACJ,kBAAkB,EAClB,OAAO,CACR,CAAC,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;YACzB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;YAC3C,IAAI,CAAC,QAAQ,CACX,6BAA6B,MAAM,IAAI,SAAS,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC9G,CAAC;YACF,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;gBAC1B,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,aAAa,CAAC,qBAAqB,CAAC,CAAC;YACxE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,gBAAgB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACrC,KAAK,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE;YAC/B,gBAAgB,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,mBAAmB,GAAG,MAAM,CAAC;IAEnC,MAAM,KAAK,GAAG,GAAkB,EAAE;QAChC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YAC7B,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE;gBAChB,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YAEH,4BAA4B;YAC5B,UAAU,CAAC,GAAG,EAAE;gBACd,MAAM,CAAC,mBAAmB,EAAE,CAAC;gBAC7B,OAAO,EAAE,CAAC;YACZ,CAAC,EAAE,mBAAmB,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAE3B,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,GAAG,EAAE;YAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,oCAAoC,CAAC;YAC3F,IAAI,CAAC,GAAG,CACN,iCAAiC,OAAO,CAAC,IAAI,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,EAAE,CACvF,CAAC;YACF,OAAO,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/src/index.d.ts CHANGED Viewed

@@ -6,8 +6,8 @@ export { deserializeCredentials, serializeCredentials } from './apiCredentials/s
 export { SlackApiCredentials } from './services/slack.js';
 export { ApiCredentialStore, ApiCredentialStoreError } from './apiCredentials/store.js';
 export { Config, CONFIG, InsecureFilePermissionsError } from './config.js';
-export { encrypt, decrypt, generateKey, EncryptionError, DecryptionError } from './encryption.js';
-export { EncryptedStorage, EncryptedStorageError, EncryptionKeyLostError, } from './encryptedStorage.js';
+export { encrypt, decrypt, generateKey, resolveEncryptionKey, EncryptionError, DecryptionError, EncryptionKeyError, EncryptionKeyLostError, EncryptionKeyUnavailableError, } from './encryption.js';
+export { EncryptedStorage, EncryptedStorageError } from './encryptedStorage.js';
 export { storeInKeychain, retrieveFromKeychain, deleteFromKeychain, KeychainError, KeychainNotAvailableError, KeychainTimeoutError, } from './keychain.js';
 export { run as runCurl, runCaptured as runCurlCaptured, setSubprocessRunner, resetSubprocessRunner, setCapturingSubprocessRunner, resetCapturingSubprocessRunner, } from './curl.js';
 export { typeLikeHuman, BrowserDisabledError, BrowserFlowsNotSupportedError, } from './playwrightUtils.js';

package/dist/src/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACjG,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AAExF,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAE3E,OAAO,~~EAAE~~,OAAO,~~EAAE~~,OAAO,~~EAAE~~,WAAW,~~EAAE~~,eAAe,~~EAAE~~,eAAe,~~EAAE~~,MAAM,iBAAiB,CAAC;~~AAElG~~,OAAO,~~EACL~~,gBAAgB,~~EAChB~~,qBAAqB,~~EACrB~~,~~sBAAsB,GACvB,~~MAAM,uBAAuB,CAAC;~~AAE/B~~,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,aAAa,EACb,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,GAAG,IAAI,OAAO,EACd,WAAW,IAAI,eAAe,EAC9B,mBAAmB,EACnB,qBAAqB,EACrB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,aAAa,EACb,oBAAoB,EACpB,6BAA6B,GAC9B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,OAAO,EACP,cAAc,EACd,oBAAoB,EACpB,6BAA6B,EAC7B,mBAAmB,EACnB,gBAAgB,EAChB,KAAK,EACL,KAAK,EACL,OAAO,EACP,OAAO,EACP,MAAM,EACN,MAAM,EACN,OAAO,EACP,OAAO,EACP,MAAM,EACN,MAAM,GACP,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACjG,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AAExF,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAE3E,OAAO,EACL,OAAO,EACP,OAAO,EACP,WAAW,EACX,oBAAoB,EACpB,eAAe,EACf,eAAe,EACf,kBAAkB,EAClB,sBAAsB,EACtB,6BAA6B,GAC9B,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAEhF,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,aAAa,EACb,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,GAAG,IAAI,OAAO,EACd,WAAW,IAAI,eAAe,EAC9B,mBAAmB,EACnB,qBAAqB,EACrB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,aAAa,EACb,oBAAoB,EACpB,6BAA6B,GAC9B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,OAAO,EACP,cAAc,EACd,oBAAoB,EACpB,6BAA6B,EAC7B,mBAAmB,EACnB,gBAAgB,EAChB,KAAK,EACL,KAAK,EACL,OAAO,EACP,OAAO,EACP,MAAM,EACN,MAAM,EACN,OAAO,EACP,OAAO,EACP,MAAM,EACN,MAAM,GACP,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/src/index.js CHANGED Viewed

@@ -7,8 +7,8 @@ export { deserializeCredentials, serializeCredentials } from './apiCredentials/s
 export { SlackApiCredentials } from './services/slack.js';
 export { ApiCredentialStore, ApiCredentialStoreError } from './apiCredentials/store.js';
 export { Config, CONFIG, InsecureFilePermissionsError } from './config.js';
-export { encrypt, decrypt, generateKey, EncryptionError, DecryptionError } from './encryption.js';
-export { EncryptedStorage, EncryptedStorageError, EncryptionKeyLostError, } from './encryptedStorage.js';
+export { encrypt, decrypt, generateKey, resolveEncryptionKey, EncryptionError, DecryptionError, EncryptionKeyError, EncryptionKeyLostError, EncryptionKeyUnavailableError, } from './encryption.js';
+export { EncryptedStorage, EncryptedStorageError } from './encryptedStorage.js';
 export { storeInKeychain, retrieveFromKeychain, deleteFromKeychain, KeychainError, KeychainNotAvailableError, KeychainTimeoutError, } from './keychain.js';
 export { run as runCurl, runCaptured as runCurlCaptured, setSubprocessRunner, resetSubprocessRunner, setCapturingSubprocessRunner, resetCapturingSubprocessRunner, } from './curl.js';
 export { typeLikeHuman, BrowserDisabledError, BrowserFlowsNotSupportedError, } from './playwrightUtils.js';

package/dist/src/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,2BAA2B;AAC3B,OAAO,EAEL,mBAAmB,EACnB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACjG,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AAExF,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAE3E,OAAO,~~EAAE~~,OAAO,~~EAAE~~,OAAO,~~EAAE~~,WAAW,~~EAAE~~,eAAe,~~EAAE~~,eAAe,~~EAAE~~,MAAM,iBAAiB,CAAC;~~AAElG~~,OAAO,~~EACL~~,gBAAgB,~~EAChB~~,qBAAqB,~~EACrB~~,~~sBAAsB,GACvB,~~MAAM,uBAAuB,CAAC;~~AAE/B~~,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,aAAa,EACb,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,GAAG,IAAI,OAAO,EACd,WAAW,IAAI,eAAe,EAC9B,mBAAmB,EACnB,qBAAqB,EACrB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,aAAa,EACb,oBAAoB,EACpB,6BAA6B,GAC9B,MAAM,sBAAsB,CAAC;AAE9B,WAAW;AACX,OAAO,EACL,OAAO,EACP,cAAc,EACd,oBAAoB,EACpB,6BAA6B,EAC7B,mBAAmB,EACnB,gBAAgB,EAChB,KAAK,EACL,KAAK,EACL,OAAO,EACP,OAAO,EACP,MAAM,EACN,MAAM,EACN,OAAO,EACP,OAAO,EACP,MAAM,EACN,MAAM,GACP,MAAM,qBAAqB,CAAC;AAE7B,kBAAkB;AAClB,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,2BAA2B;AAC3B,OAAO,EAEL,mBAAmB,EACnB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACjG,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AAExF,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAE3E,OAAO,EACL,OAAO,EACP,OAAO,EACP,WAAW,EACX,oBAAoB,EACpB,eAAe,EACf,eAAe,EACf,kBAAkB,EAClB,sBAAsB,EACtB,6BAA6B,GAC9B,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAEhF,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,aAAa,EACb,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,GAAG,IAAI,OAAO,EACd,WAAW,IAAI,eAAe,EAC9B,mBAAmB,EACnB,qBAAqB,EACrB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,aAAa,EACb,oBAAoB,EACpB,6BAA6B,GAC9B,MAAM,sBAAsB,CAAC;AAE9B,WAAW;AACX,OAAO,EACL,OAAO,EACP,cAAc,EACd,oBAAoB,EACpB,6BAA6B,EAC7B,mBAAmB,EACnB,gBAAgB,EAChB,KAAK,EACL,KAAK,EACL,OAAO,EACP,OAAO,EACP,MAAM,EACN,MAAM,EACN,OAAO,EACP,OAAO,EACP,MAAM,EACN,MAAM,GACP,MAAM,qBAAqB,CAAC;AAE7B,kBAAkB;AAClB,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC"}