opensentinel 2.1.1 → 3.1.1

package/dist/chunk-OCVQGBJK.js

@@ -0,0 +1,293 @@
+import {
+  auditLogs,
+  db
+} from "./chunk-XKYRH4FM.js";
+import {
+  env
+} from "./chunk-ZLZKF2PM.js";
+
+// src/core/security/audit-logger.ts
+import { createHmac, randomUUID } from "crypto";
+import { eq, and, gte, lte, desc, count, min, max, asc } from "drizzle-orm";
+var _cachedSigningKey = null;
+function getAuditSigningKey() {
+  if (_cachedSigningKey) return _cachedSigningKey;
+  if (env.AUDIT_SIGNING_KEY) {
+    _cachedSigningKey = env.AUDIT_SIGNING_KEY;
+    return _cachedSigningKey;
+  }
+  _cachedSigningKey = randomUUID();
+  console.warn(
+    "[audit-logger] AUDIT_SIGNING_KEY not set \u2014 using a random ephemeral key. Set AUDIT_SIGNING_KEY in .env for persistent tamper-proof audit chains."
+  );
+  return _cachedSigningKey;
+}
+function signAuditEntry(sequenceNumber, action, userId, resource, detailsJson, timestamp, previousHash) {
+  const key = getAuditSigningKey();
+  const data = [
+    String(sequenceNumber),
+    action,
+    userId ?? "",
+    resource ?? "",
+    detailsJson,
+    timestamp,
+    previousHash ?? ""
+  ].join("|");
+  return createHmac("sha256", key).update(data).digest("hex");
+}
+async function getLastAuditEntry() {
+  const [last] = await db.select({
+    sequenceNumber: auditLogs.sequenceNumber,
+    entryHash: auditLogs.entryHash
+  }).from(auditLogs).orderBy(desc(auditLogs.sequenceNumber)).limit(1);
+  if (!last || last.sequenceNumber == null || last.entryHash == null) {
+    return null;
+  }
+  return {
+    sequenceNumber: last.sequenceNumber,
+    entryHash: last.entryHash
+  };
+}
+async function logAudit(entry) {
+  const last = await getLastAuditEntry();
+  const sequenceNumber = (last?.sequenceNumber ?? 0) + 1;
+  const previousHash = last?.entryHash ?? null;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const detailsJson = entry.details ? JSON.stringify(entry.details) : "{}";
+  const entryHash = signAuditEntry(
+    sequenceNumber,
+    entry.action,
+    entry.userId,
+    entry.resource,
+    detailsJson,
+    timestamp,
+    previousHash
+  );
+  const [log] = await db.insert(auditLogs).values({
+    userId: entry.userId,
+    sessionId: entry.sessionId,
+    action: entry.action,
+    resource: entry.resource,
+    resourceId: entry.resourceId,
+    details: entry.details,
+    ipAddress: entry.ipAddress,
+    userAgent: entry.userAgent,
+    success: entry.success ?? true,
+    createdAt: new Date(timestamp),
+    sequenceNumber,
+    entryHash,
+    previousHash
+  }).returning();
+  return log.id;
+}
+async function queryAuditLogs(options = {}) {
+  const {
+    userId,
+    action,
+    resource,
+    startDate,
+    endDate,
+    limit = 100,
+    offset = 0
+  } = options;
+  let query = db.select().from(auditLogs);
+  const conditions = [];
+  if (userId) {
+    conditions.push(eq(auditLogs.userId, userId));
+  }
+  if (action) {
+    conditions.push(eq(auditLogs.action, action));
+  }
+  if (resource) {
+    conditions.push(eq(auditLogs.resource, resource));
+  }
+  if (startDate) {
+    conditions.push(gte(auditLogs.createdAt, startDate));
+  }
+  if (endDate) {
+    conditions.push(lte(auditLogs.createdAt, endDate));
+  }
+  if (conditions.length > 0) {
+    query = query.where(and(...conditions));
+  }
+  const logs = await query.orderBy(desc(auditLogs.createdAt)).limit(limit).offset(offset);
+  return logs;
+}
+async function getRecentUserActivity(userId, hours = 24) {
+  const since = new Date(Date.now() - hours * 60 * 60 * 1e3);
+  return db.select().from(auditLogs).where(and(eq(auditLogs.userId, userId), gte(auditLogs.createdAt, since))).orderBy(desc(auditLogs.createdAt)).limit(100);
+}
+async function countActionsByType(userId, startDate, endDate) {
+  const logs = await db.select().from(auditLogs).where(
+    and(
+      eq(auditLogs.userId, userId),
+      gte(auditLogs.createdAt, startDate),
+      lte(auditLogs.createdAt, endDate)
+    )
+  );
+  const counts = {};
+  for (const log of logs) {
+    counts[log.action] = (counts[log.action] || 0) + 1;
+  }
+  return counts;
+}
+async function verifyAuditChain(options) {
+  const fromSequence = options?.fromSequence ?? 1;
+  const batchLimit = options?.limit ?? 1e4;
+  let expectedPreviousHash = null;
+  let expectedSequence = fromSequence;
+  if (fromSequence > 1) {
+    const [prev] = await db.select({
+      sequenceNumber: auditLogs.sequenceNumber,
+      entryHash: auditLogs.entryHash
+    }).from(auditLogs).where(eq(auditLogs.sequenceNumber, fromSequence - 1)).limit(1);
+    expectedPreviousHash = prev?.entryHash ?? null;
+  }
+  const entries = await db.select().from(auditLogs).where(gte(auditLogs.sequenceNumber, fromSequence)).orderBy(asc(auditLogs.sequenceNumber)).limit(batchLimit);
+  const errors = [];
+  for (const entry of entries) {
+    const seq = entry.sequenceNumber;
+    if (seq == null) {
+      errors.push({
+        sequenceNumber: expectedSequence,
+        error: "Missing sequence number"
+      });
+      expectedSequence++;
+      continue;
+    }
+    if (seq !== expectedSequence) {
+      errors.push({
+        sequenceNumber: expectedSequence,
+        error: `Sequence gap: expected ${expectedSequence}, got ${seq}`
+      });
+      expectedSequence = seq;
+    }
+    if ((entry.previousHash ?? null) !== expectedPreviousHash) {
+      errors.push({
+        sequenceNumber: seq,
+        error: `Previous hash mismatch: expected ${expectedPreviousHash ?? "(null)"}, got ${entry.previousHash ?? "(null)"}`
+      });
+    }
+    const detailsJson = entry.details ? JSON.stringify(entry.details) : "{}";
+    const timestamp = entry.createdAt.toISOString();
+    const recomputed = signAuditEntry(
+      seq,
+      entry.action,
+      entry.userId ?? void 0,
+      entry.resource ?? void 0,
+      detailsJson,
+      timestamp,
+      entry.previousHash
+    );
+    if (recomputed !== entry.entryHash) {
+      errors.push({
+        sequenceNumber: seq,
+        error: "Entry hash mismatch \u2014 record may have been tampered with"
+      });
+    }
+    expectedPreviousHash = entry.entryHash;
+    expectedSequence = seq + 1;
+  }
+  return {
+    valid: errors.length === 0,
+    totalChecked: entries.length,
+    firstInvalid: errors.length > 0 ? errors[0].sequenceNumber : void 0,
+    errors
+  };
+}
+async function getAuditChainIntegrity() {
+  const [stats] = await db.select({
+    totalEntries: count(auditLogs.id),
+    oldestEntry: min(auditLogs.createdAt),
+    newestEntry: max(auditLogs.createdAt),
+    lastSequence: max(auditLogs.sequenceNumber)
+  }).from(auditLogs);
+  const totalEntries = Number(stats.totalEntries ?? 0);
+  const lastSequence = stats.lastSequence ?? 0;
+  const verifyFrom = Math.max(1, lastSequence - 999);
+  const verification = await verifyAuditChain({
+    fromSequence: verifyFrom,
+    limit: 1e3
+  });
+  return {
+    totalEntries,
+    oldestEntry: stats.oldestEntry ? new Date(stats.oldestEntry) : null,
+    newestEntry: stats.newestEntry ? new Date(stats.newestEntry) : null,
+    lastVerified: verification.totalChecked,
+    chainValid: verification.valid,
+    lastSequence
+  };
+}
+var audit = {
+  login: (userId, ipAddress, userAgent) => logAudit({
+    userId,
+    action: "login",
+    resource: "session",
+    ipAddress,
+    userAgent
+  }),
+  logout: (userId, sessionId) => logAudit({
+    userId,
+    sessionId,
+    action: "logout",
+    resource: "session"
+  }),
+  toolUse: (userId, toolName, input, success) => logAudit({
+    userId,
+    action: "tool_use",
+    resource: "tool",
+    resourceId: toolName,
+    details: { input },
+    success
+  }),
+  shellExecute: (userId, command, exitCode, durationMs) => logAudit({
+    userId,
+    action: "shell_execute",
+    resource: "shell",
+    details: { command, exitCode, durationMs },
+    success: exitCode === 0
+  }),
+  fileAccess: (userId, action, filePath) => logAudit({
+    userId,
+    action,
+    resource: "file",
+    resourceId: filePath
+  }),
+  memoryCreate: (userId, memoryId, memoryType) => logAudit({
+    userId,
+    action: "memory_create",
+    resource: "memory",
+    resourceId: memoryId,
+    details: { type: memoryType }
+  }),
+  modeChange: (userId, fromMode, toMode) => logAudit({
+    userId,
+    action: "mode_change",
+    resource: "mode",
+    details: { fromMode, toMode }
+  }),
+  agentSpawn: (userId, agentId, agentType) => logAudit({
+    userId,
+    action: "agent_spawn",
+    resource: "agent",
+    resourceId: agentId,
+    details: { type: agentType }
+  }),
+  error: (userId, errorType, message, context) => logAudit({
+    userId,
+    action: "error",
+    details: { errorType, message, ...context },
+    success: false
+  })
+};
+
+export {
+  logAudit,
+  queryAuditLogs,
+  getRecentUserActivity,
+  countActionsByType,
+  verifyAuditChain,
+  getAuditChainIntegrity,
+  audit
+};
+//# sourceMappingURL=chunk-OCVQGBJK.js.map

package/dist/chunk-OCVQGBJK.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/core/security/audit-logger.ts"],"sourcesContent":["import { createHmac, randomUUID } from \"crypto\";\nimport { db } from \"../../db\";\nimport { auditLogs, NewAuditLog } from \"../../db/schema\";\nimport { eq, and, gte, lte, desc, count, min, max, asc } from \"drizzle-orm\";\nimport { env } from \"../../config/env\";\n\nexport type AuditAction =\n  | \"login\"\n  | \"logout\"\n  | \"session_create\"\n  | \"session_invalidate\"\n  | \"api_key_create\"\n  | \"api_key_revoke\"\n  | \"tool_use\"\n  | \"chat_message\"\n  | \"memory_create\"\n  | \"memory_delete\"\n  | \"memory_archive\"\n  | \"settings_change\"\n  | \"mode_change\"\n  | \"agent_spawn\"\n  | \"agent_complete\"\n  | \"file_read\"\n  | \"file_write\"\n  | \"shell_execute\"\n  | \"web_browse\"\n  | \"error\";\n\nexport type AuditResource =\n  | \"session\"\n  | \"api_key\"\n  | \"tool\"\n  | \"chat\"\n  | \"memory\"\n  | \"settings\"\n  | \"mode\"\n  | \"agent\"\n  | \"file\"\n  | \"shell\"\n  | \"browser\";\n\nexport interface AuditLogEntry {\n  userId?: string;\n  sessionId?: string;\n  action: AuditAction;\n  resource?: AuditResource;\n  resourceId?: string;\n  details?: Record<string, unknown>;\n  ipAddress?: string;\n  userAgent?: string;\n  success?: boolean;\n}\n\n// --- Tamper-proof chain hashing helpers (SOC 2 compliance) ---\n\nlet _cachedSigningKey: string | null = null;\n\nfunction getAuditSigningKey(): string {\n  if (_cachedSigningKey) return _cachedSigningKey;\n  if (env.AUDIT_SIGNING_KEY) {\n    _cachedSigningKey = env.AUDIT_SIGNING_KEY;\n    return _cachedSigningKey;\n  }\n  _cachedSigningKey = randomUUID();\n  console.warn(\n    \"[audit-logger] AUDIT_SIGNING_KEY not set — using a random ephemeral key. \" +\n      \"Set AUDIT_SIGNING_KEY in .env for persistent tamper-proof audit chains.\"\n  );\n  return _cachedSigningKey;\n}\n\nfunction signAuditEntry(\n  sequenceNumber: number,\n  action: string,\n  userId: string | undefined,\n  resource: string | undefined,\n  detailsJson: string,\n  timestamp: string,\n  previousHash: string | null\n): string {\n  const key = getAuditSigningKey();\n  const data = [\n    String(sequenceNumber),\n    action,\n    userId ?? \"\",\n    resource ?? \"\",\n    detailsJson,\n    timestamp,\n    previousHash ?? \"\",\n  ].join(\"|\");\n  return createHmac(\"sha256\", key).update(data).digest(\"hex\");\n}\n\nasync function getLastAuditEntry(): Promise<{\n  sequenceNumber: number;\n  entryHash: string;\n} | null> {\n  const [last] = await db\n    .select({\n      sequenceNumber: auditLogs.sequenceNumber,\n      entryHash: auditLogs.entryHash,\n    })\n    .from(auditLogs)\n    .orderBy(desc(auditLogs.sequenceNumber))\n    .limit(1);\n\n  if (!last || last.sequenceNumber == null || last.entryHash == null) {\n    return null;\n  }\n\n  return {\n    sequenceNumber: last.sequenceNumber,\n    entryHash: last.entryHash,\n  };\n}\n\nexport async function logAudit(entry: AuditLogEntry): Promise<string> {\n  // Fetch previous chain entry for tamper-proof linking\n  const last = await getLastAuditEntry();\n  const sequenceNumber = (last?.sequenceNumber ?? 0) + 1;\n  const previousHash = last?.entryHash ?? null;\n\n  const timestamp = new Date().toISOString();\n  const detailsJson = entry.details ? JSON.stringify(entry.details) : \"{}\";\n\n  const entryHash = signAuditEntry(\n    sequenceNumber,\n    entry.action,\n    entry.userId,\n    entry.resource,\n    detailsJson,\n    timestamp,\n    previousHash\n  );\n\n  const [log] = await db\n    .insert(auditLogs)\n    .values({\n      userId: entry.userId,\n      sessionId: entry.sessionId,\n      action: entry.action,\n      resource: entry.resource,\n      resourceId: entry.resourceId,\n      details: entry.details,\n      ipAddress: entry.ipAddress,\n      userAgent: entry.userAgent,\n      success: entry.success ?? true,\n      createdAt: new Date(timestamp),\n      sequenceNumber,\n      entryHash,\n      previousHash,\n    })\n    .returning();\n\n  return log.id;\n}\n\nexport interface AuditQueryOptions {\n  userId?: string;\n  action?: AuditAction;\n  resource?: AuditResource;\n  startDate?: Date;\n  endDate?: Date;\n  limit?: number;\n  offset?: number;\n}\n\nexport async function queryAuditLogs(options: AuditQueryOptions = {}) {\n  const {\n    userId,\n    action,\n    resource,\n    startDate,\n    endDate,\n    limit = 100,\n    offset = 0,\n  } = options;\n\n  let query = db.select().from(auditLogs);\n\n  const conditions = [];\n\n  if (userId) {\n    conditions.push(eq(auditLogs.userId, userId));\n  }\n\n  if (action) {\n    conditions.push(eq(auditLogs.action, action));\n  }\n\n  if (resource) {\n    conditions.push(eq(auditLogs.resource, resource));\n  }\n\n  if (startDate) {\n    conditions.push(gte(auditLogs.createdAt, startDate));\n  }\n\n  if (endDate) {\n    conditions.push(lte(auditLogs.createdAt, endDate));\n  }\n\n  if (conditions.length > 0) {\n    query = query.where(and(...conditions)) as typeof query;\n  }\n\n  const logs = await query\n    .orderBy(desc(auditLogs.createdAt))\n    .limit(limit)\n    .offset(offset);\n\n  return logs;\n}\n\nexport async function getRecentUserActivity(\n  userId: string,\n  hours = 24\n): Promise<typeof auditLogs.$inferSelect[]> {\n  const since = new Date(Date.now() - hours * 60 * 60 * 1000);\n\n  return db\n    .select()\n    .from(auditLogs)\n    .where(and(eq(auditLogs.userId, userId), gte(auditLogs.createdAt, since)))\n    .orderBy(desc(auditLogs.createdAt))\n    .limit(100);\n}\n\nexport async function countActionsByType(\n  userId: string,\n  startDate: Date,\n  endDate: Date\n): Promise<Record<string, number>> {\n  const logs = await db\n    .select()\n    .from(auditLogs)\n    .where(\n      and(\n        eq(auditLogs.userId, userId),\n        gte(auditLogs.createdAt, startDate),\n        lte(auditLogs.createdAt, endDate)\n      )\n    );\n\n  const counts: Record<string, number> = {};\n  for (const log of logs) {\n    counts[log.action] = (counts[log.action] || 0) + 1;\n  }\n\n  return counts;\n}\n\n// --- Audit chain verification (SOC 2 compliance) ---\n\nexport async function verifyAuditChain(\n  options?: { fromSequence?: number; limit?: number }\n): Promise<{\n  valid: boolean;\n  totalChecked: number;\n  firstInvalid?: number;\n  errors: Array<{ sequenceNumber: number; error: string }>;\n}> {\n  const fromSequence = options?.fromSequence ?? 1;\n  const batchLimit = options?.limit ?? 10000;\n\n  // Fetch the entry just before fromSequence to get its hash for linkage check\n  let expectedPreviousHash: string | null = null;\n  let expectedSequence = fromSequence;\n\n  if (fromSequence > 1) {\n    const [prev] = await db\n      .select({\n        sequenceNumber: auditLogs.sequenceNumber,\n        entryHash: auditLogs.entryHash,\n      })\n      .from(auditLogs)\n      .where(eq(auditLogs.sequenceNumber, fromSequence - 1))\n      .limit(1);\n\n    expectedPreviousHash = prev?.entryHash ?? null;\n  }\n\n  const entries = await db\n    .select()\n    .from(auditLogs)\n    .where(gte(auditLogs.sequenceNumber, fromSequence))\n    .orderBy(asc(auditLogs.sequenceNumber))\n    .limit(batchLimit);\n\n  const errors: Array<{ sequenceNumber: number; error: string }> = [];\n\n  for (const entry of entries) {\n    const seq = entry.sequenceNumber;\n\n    if (seq == null) {\n      errors.push({\n        sequenceNumber: expectedSequence,\n        error: \"Missing sequence number\",\n      });\n      expectedSequence++;\n      continue;\n    }\n\n    // Check sequence continuity\n    if (seq !== expectedSequence) {\n      errors.push({\n        sequenceNumber: expectedSequence,\n        error: `Sequence gap: expected ${expectedSequence}, got ${seq}`,\n      });\n      expectedSequence = seq; // re-sync\n    }\n\n    // Check previousHash linkage\n    if ((entry.previousHash ?? null) !== expectedPreviousHash) {\n      errors.push({\n        sequenceNumber: seq,\n        error: `Previous hash mismatch: expected ${expectedPreviousHash ?? \"(null)\"}, got ${entry.previousHash ?? \"(null)\"}`,\n      });\n    }\n\n    // Recompute and verify entryHash\n    const detailsJson = entry.details ? JSON.stringify(entry.details) : \"{}\";\n    const timestamp = entry.createdAt.toISOString();\n\n    const recomputed = signAuditEntry(\n      seq,\n      entry.action,\n      entry.userId ?? undefined,\n      entry.resource ?? undefined,\n      detailsJson,\n      timestamp,\n      entry.previousHash\n    );\n\n    if (recomputed !== entry.entryHash) {\n      errors.push({\n        sequenceNumber: seq,\n        error: \"Entry hash mismatch — record may have been tampered with\",\n      });\n    }\n\n    // Advance expectations\n    expectedPreviousHash = entry.entryHash;\n    expectedSequence = seq + 1;\n  }\n\n  return {\n    valid: errors.length === 0,\n    totalChecked: entries.length,\n    firstInvalid: errors.length > 0 ? errors[0].sequenceNumber : undefined,\n    errors,\n  };\n}\n\nexport async function getAuditChainIntegrity(): Promise<{\n  totalEntries: number;\n  oldestEntry: Date | null;\n  newestEntry: Date | null;\n  lastVerified: number;\n  chainValid: boolean;\n  lastSequence: number;\n}> {\n  const [stats] = await db\n    .select({\n      totalEntries: count(auditLogs.id),\n      oldestEntry: min(auditLogs.createdAt),\n      newestEntry: max(auditLogs.createdAt),\n      lastSequence: max(auditLogs.sequenceNumber),\n    })\n    .from(auditLogs);\n\n  const totalEntries = Number(stats.totalEntries ?? 0);\n  const lastSequence = stats.lastSequence ?? 0;\n\n  // Verify the last 1000 entries\n  const verifyFrom = Math.max(1, lastSequence - 999);\n  const verification = await verifyAuditChain({\n    fromSequence: verifyFrom,\n    limit: 1000,\n  });\n\n  return {\n    totalEntries,\n    oldestEntry: stats.oldestEntry ? new Date(stats.oldestEntry) : null,\n    newestEntry: stats.newestEntry ? new Date(stats.newestEntry) : null,\n    lastVerified: verification.totalChecked,\n    chainValid: verification.valid,\n    lastSequence,\n  };\n}\n\n// Convenience functions for common audit events\nexport const audit = {\n  login: (userId: string, ipAddress?: string, userAgent?: string) =>\n    logAudit({\n      userId,\n      action: \"login\",\n      resource: \"session\",\n      ipAddress,\n      userAgent,\n    }),\n\n  logout: (userId: string, sessionId: string) =>\n    logAudit({\n      userId,\n      sessionId,\n      action: \"logout\",\n      resource: \"session\",\n    }),\n\n  toolUse: (\n    userId: string,\n    toolName: string,\n    input: Record<string, unknown>,\n    success: boolean\n  ) =>\n    logAudit({\n      userId,\n      action: \"tool_use\",\n      resource: \"tool\",\n      resourceId: toolName,\n      details: { input },\n      success,\n    }),\n\n  shellExecute: (\n    userId: string,\n    command: string,\n    exitCode: number,\n    durationMs: number\n  ) =>\n    logAudit({\n      userId,\n      action: \"shell_execute\",\n      resource: \"shell\",\n      details: { command, exitCode, durationMs },\n      success: exitCode === 0,\n    }),\n\n  fileAccess: (\n    userId: string,\n    action: \"file_read\" | \"file_write\",\n    filePath: string\n  ) =>\n    logAudit({\n      userId,\n      action,\n      resource: \"file\",\n      resourceId: filePath,\n    }),\n\n  memoryCreate: (userId: string, memoryId: string, memoryType: string) =>\n    logAudit({\n      userId,\n      action: \"memory_create\",\n      resource: \"memory\",\n      resourceId: memoryId,\n      details: { type: memoryType },\n    }),\n\n  modeChange: (\n    userId: string,\n    fromMode: string | null,\n    toMode: string\n  ) =>\n    logAudit({\n      userId,\n      action: \"mode_change\",\n      resource: \"mode\",\n      details: { fromMode, toMode },\n    }),\n\n  agentSpawn: (userId: string, agentId: string, agentType: string) =>\n    logAudit({\n      userId,\n      action: \"agent_spawn\",\n      resource: \"agent\",\n      resourceId: agentId,\n      details: { type: agentType },\n    }),\n\n  error: (\n    userId: string | undefined,\n    errorType: string,\n    message: string,\n    context?: Record<string, unknown>\n  ) =>\n    logAudit({\n      userId,\n      action: \"error\",\n      details: { errorType, message, ...context },\n      success: false,\n    }),\n};\n"],"mappings":";;;;;;;;;AAAA,SAAS,YAAY,kBAAkB;AAGvC,SAAS,IAAI,KAAK,KAAK,KAAK,MAAM,OAAO,KAAK,KAAK,WAAW;AAoD9D,IAAI,oBAAmC;AAEvC,SAAS,qBAA6B;AACpC,MAAI,kBAAmB,QAAO;AAC9B,MAAI,IAAI,mBAAmB;AACzB,wBAAoB,IAAI;AACxB,WAAO;AAAA,EACT;AACA,sBAAoB,WAAW;AAC/B,UAAQ;AAAA,IACN;AAAA,EAEF;AACA,SAAO;AACT;AAEA,SAAS,eACP,gBACA,QACA,QACA,UACA,aACA,WACA,cACQ;AACR,QAAM,MAAM,mBAAmB;AAC/B,QAAM,OAAO;AAAA,IACX,OAAO,cAAc;AAAA,IACrB;AAAA,IACA,UAAU;AAAA,IACV,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,IACA,gBAAgB;AAAA,EAClB,EAAE,KAAK,GAAG;AACV,SAAO,WAAW,UAAU,GAAG,EAAE,OAAO,IAAI,EAAE,OAAO,KAAK;AAC5D;AAEA,eAAe,oBAGL;AACR,QAAM,CAAC,IAAI,IAAI,MAAM,GAClB,OAAO;AAAA,IACN,gBAAgB,UAAU;AAAA,IAC1B,WAAW,UAAU;AAAA,EACvB,CAAC,EACA,KAAK,SAAS,EACd,QAAQ,KAAK,UAAU,cAAc,CAAC,EACtC,MAAM,CAAC;AAEV,MAAI,CAAC,QAAQ,KAAK,kBAAkB,QAAQ,KAAK,aAAa,MAAM;AAClE,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,gBAAgB,KAAK;AAAA,IACrB,WAAW,KAAK;AAAA,EAClB;AACF;AAEA,eAAsB,SAAS,OAAuC;AAEpE,QAAM,OAAO,MAAM,kBAAkB;AACrC,QAAM,kBAAkB,MAAM,kBAAkB,KAAK;AACrD,QAAM,eAAe,MAAM,aAAa;AAExC,QAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AACzC,QAAM,cAAc,MAAM,UAAU,KAAK,UAAU,MAAM,OAAO,IAAI;AAEpE,QAAM,YAAY;AAAA,IAChB;AAAA,IACA,MAAM;AAAA,IACN,MAAM;AAAA,IACN,MAAM;AAAA,IACN;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,QAAM,CAAC,GAAG,IAAI,MAAM,GACjB,OAAO,SAAS,EAChB,OAAO;AAAA,IACN,QAAQ,MAAM;AAAA,IACd,WAAW,MAAM;AAAA,IACjB,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM;AAAA,IAChB,YAAY,MAAM;AAAA,IAClB,SAAS,MAAM;AAAA,IACf,WAAW,MAAM;AAAA,IACjB,WAAW,MAAM;AAAA,IACjB,SAAS,MAAM,WAAW;AAAA,IAC1B,WAAW,IAAI,KAAK,SAAS;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,UAAU;AAEb,SAAO,IAAI;AACb;AAYA,eAAsB,eAAe,UAA6B,CAAC,GAAG;AACpE,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,QAAQ;AAAA,IACR,SAAS;AAAA,EACX,IAAI;AAEJ,MAAI,QAAQ,GAAG,OAAO,EAAE,KAAK,SAAS;AAEtC,QAAM,aAAa,CAAC;AAEpB,MAAI,QAAQ;AACV,eAAW,KAAK,GAAG,UAAU,QAAQ,MAAM,CAAC;AAAA,EAC9C;AAEA,MAAI,QAAQ;AACV,eAAW,KAAK,GAAG,UAAU,QAAQ,MAAM,CAAC;AAAA,EAC9C;AAEA,MAAI,UAAU;AACZ,eAAW,KAAK,GAAG,UAAU,UAAU,QAAQ,CAAC;AAAA,EAClD;AAEA,MAAI,WAAW;AACb,eAAW,KAAK,IAAI,UAAU,WAAW,SAAS,CAAC;AAAA,EACrD;AAEA,MAAI,SAAS;AACX,eAAW,KAAK,IAAI,UAAU,WAAW,OAAO,CAAC;AAAA,EACnD;AAEA,MAAI,WAAW,SAAS,GAAG;AACzB,YAAQ,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC;AAAA,EACxC;AAEA,QAAM,OAAO,MAAM,MAChB,QAAQ,KAAK,UAAU,SAAS,CAAC,EACjC,MAAM,KAAK,EACX,OAAO,MAAM;AAEhB,SAAO;AACT;AAEA,eAAsB,sBACpB,QACA,QAAQ,IACkC;AAC1C,QAAM,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,QAAQ,KAAK,KAAK,GAAI;AAE1D,SAAO,GACJ,OAAO,EACP,KAAK,SAAS,EACd,MAAM,IAAI,GAAG,UAAU,QAAQ,MAAM,GAAG,IAAI,UAAU,WAAW,KAAK,CAAC,CAAC,EACxE,QAAQ,KAAK,UAAU,SAAS,CAAC,EACjC,MAAM,GAAG;AACd;AAEA,eAAsB,mBACpB,QACA,WACA,SACiC;AACjC,QAAM,OAAO,MAAM,GAChB,OAAO,EACP,KAAK,SAAS,EACd;AAAA,IACC;AAAA,MACE,GAAG,UAAU,QAAQ,MAAM;AAAA,MAC3B,IAAI,UAAU,WAAW,SAAS;AAAA,MAClC,IAAI,UAAU,WAAW,OAAO;AAAA,IAClC;AAAA,EACF;AAEF,QAAM,SAAiC,CAAC;AACxC,aAAW,OAAO,MAAM;AACtB,WAAO,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,KAAK;AAAA,EACnD;AAEA,SAAO;AACT;AAIA,eAAsB,iBACpB,SAMC;AACD,QAAM,eAAe,SAAS,gBAAgB;AAC9C,QAAM,aAAa,SAAS,SAAS;AAGrC,MAAI,uBAAsC;AAC1C,MAAI,mBAAmB;AAEvB,MAAI,eAAe,GAAG;AACpB,UAAM,CAAC,IAAI,IAAI,MAAM,GAClB,OAAO;AAAA,MACN,gBAAgB,UAAU;AAAA,MAC1B,WAAW,UAAU;AAAA,IACvB,CAAC,EACA,KAAK,SAAS,EACd,MAAM,GAAG,UAAU,gBAAgB,eAAe,CAAC,CAAC,EACpD,MAAM,CAAC;AAEV,2BAAuB,MAAM,aAAa;AAAA,EAC5C;AAEA,QAAM,UAAU,MAAM,GACnB,OAAO,EACP,KAAK,SAAS,EACd,MAAM,IAAI,UAAU,gBAAgB,YAAY,CAAC,EACjD,QAAQ,IAAI,UAAU,cAAc,CAAC,EACrC,MAAM,UAAU;AAEnB,QAAM,SAA2D,CAAC;AAElE,aAAW,SAAS,SAAS;AAC3B,UAAM,MAAM,MAAM;AAElB,QAAI,OAAO,MAAM;AACf,aAAO,KAAK;AAAA,QACV,gBAAgB;AAAA,QAChB,OAAO;AAAA,MACT,CAAC;AACD;AACA;AAAA,IACF;AAGA,QAAI,QAAQ,kBAAkB;AAC5B,aAAO,KAAK;AAAA,QACV,gBAAgB;AAAA,QAChB,OAAO,0BAA0B,gBAAgB,SAAS,GAAG;AAAA,MAC/D,CAAC;AACD,yBAAmB;AAAA,IACrB;AAGA,SAAK,MAAM,gBAAgB,UAAU,sBAAsB;AACzD,aAAO,KAAK;AAAA,QACV,gBAAgB;AAAA,QAChB,OAAO,oCAAoC,wBAAwB,QAAQ,SAAS,MAAM,gBAAgB,QAAQ;AAAA,MACpH,CAAC;AAAA,IACH;AAGA,UAAM,cAAc,MAAM,UAAU,KAAK,UAAU,MAAM,OAAO,IAAI;AACpE,UAAM,YAAY,MAAM,UAAU,YAAY;AAE9C,UAAM,aAAa;AAAA,MACjB;AAAA,MACA,MAAM;AAAA,MACN,MAAM,UAAU;AAAA,MAChB,MAAM,YAAY;AAAA,MAClB;AAAA,MACA;AAAA,MACA,MAAM;AAAA,IACR;AAEA,QAAI,eAAe,MAAM,WAAW;AAClC,aAAO,KAAK;AAAA,QACV,gBAAgB;AAAA,QAChB,OAAO;AAAA,MACT,CAAC;AAAA,IACH;AAGA,2BAAuB,MAAM;AAC7B,uBAAmB,MAAM;AAAA,EAC3B;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB,cAAc,QAAQ;AAAA,IACtB,cAAc,OAAO,SAAS,IAAI,OAAO,CAAC,EAAE,iBAAiB;AAAA,IAC7D;AAAA,EACF;AACF;AAEA,eAAsB,yBAOnB;AACD,QAAM,CAAC,KAAK,IAAI,MAAM,GACnB,OAAO;AAAA,IACN,cAAc,MAAM,UAAU,EAAE;AAAA,IAChC,aAAa,IAAI,UAAU,SAAS;AAAA,IACpC,aAAa,IAAI,UAAU,SAAS;AAAA,IACpC,cAAc,IAAI,UAAU,cAAc;AAAA,EAC5C,CAAC,EACA,KAAK,SAAS;AAEjB,QAAM,eAAe,OAAO,MAAM,gBAAgB,CAAC;AACnD,QAAM,eAAe,MAAM,gBAAgB;AAG3C,QAAM,aAAa,KAAK,IAAI,GAAG,eAAe,GAAG;AACjD,QAAM,eAAe,MAAM,iBAAiB;AAAA,IAC1C,cAAc;AAAA,IACd,OAAO;AAAA,EACT,CAAC;AAED,SAAO;AAAA,IACL;AAAA,IACA,aAAa,MAAM,cAAc,IAAI,KAAK,MAAM,WAAW,IAAI;AAAA,IAC/D,aAAa,MAAM,cAAc,IAAI,KAAK,MAAM,WAAW,IAAI;AAAA,IAC/D,cAAc,aAAa;AAAA,IAC3B,YAAY,aAAa;AAAA,IACzB;AAAA,EACF;AACF;AAGO,IAAM,QAAQ;AAAA,EACnB,OAAO,CAAC,QAAgB,WAAoB,cAC1C,SAAS;AAAA,IACP;AAAA,IACA,QAAQ;AAAA,IACR,UAAU;AAAA,IACV;AAAA,IACA;AAAA,EACF,CAAC;AAAA,EAEH,QAAQ,CAAC,QAAgB,cACvB,SAAS;AAAA,IACP;AAAA,IACA;AAAA,IACA,QAAQ;AAAA,IACR,UAAU;AAAA,EACZ,CAAC;AAAA,EAEH,SAAS,CACP,QACA,UACA,OACA,YAEA,SAAS;AAAA,IACP;AAAA,IACA,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,SAAS,EAAE,MAAM;AAAA,IACjB;AAAA,EACF,CAAC;AAAA,EAEH,cAAc,CACZ,QACA,SACA,UACA,eAEA,SAAS;AAAA,IACP;AAAA,IACA,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,SAAS,EAAE,SAAS,UAAU,WAAW;AAAA,IACzC,SAAS,aAAa;AAAA,EACxB,CAAC;AAAA,EAEH,YAAY,CACV,QACA,QACA,aAEA,SAAS;AAAA,IACP;AAAA,IACA;AAAA,IACA,UAAU;AAAA,IACV,YAAY;AAAA,EACd,CAAC;AAAA,EAEH,cAAc,CAAC,QAAgB,UAAkB,eAC/C,SAAS;AAAA,IACP;AAAA,IACA,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,SAAS,EAAE,MAAM,WAAW;AAAA,EAC9B,CAAC;AAAA,EAEH,YAAY,CACV,QACA,UACA,WAEA,SAAS;AAAA,IACP;AAAA,IACA,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,SAAS,EAAE,UAAU,OAAO;AAAA,EAC9B,CAAC;AAAA,EAEH,YAAY,CAAC,QAAgB,SAAiB,cAC5C,SAAS;AAAA,IACP;AAAA,IACA,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,SAAS,EAAE,MAAM,UAAU;AAAA,EAC7B,CAAC;AAAA,EAEH,OAAO,CACL,QACA,WACA,SACA,YAEA,SAAS;AAAA,IACP;AAAA,IACA,QAAQ;AAAA,IACR,SAAS,EAAE,WAAW,SAAS,GAAG,QAAQ;AAAA,IAC1C,SAAS;AAAA,EACX,CAAC;AACL;","names":[]}

package/dist/chunk-P6QINGFL.js

@@ -0,0 +1,332 @@
+// src/integrations/spotify/auth.ts
+var SpotifyAuthError = class extends Error {
+  statusCode;
+  spotifyError;
+  constructor(message, statusCode, spotifyError) {
+    super(message);
+    this.name = "SpotifyAuthError";
+    this.statusCode = statusCode;
+    this.spotifyError = spotifyError;
+  }
+};
+var SPOTIFY_SCOPES = {
+  // Images
+  UGC_IMAGE_UPLOAD: "ugc-image-upload",
+  // Spotify Connect
+  USER_READ_PLAYBACK_STATE: "user-read-playback-state",
+  USER_MODIFY_PLAYBACK_STATE: "user-modify-playback-state",
+  USER_READ_CURRENTLY_PLAYING: "user-read-currently-playing",
+  // Playback
+  STREAMING: "streaming",
+  APP_REMOTE_CONTROL: "app-remote-control",
+  // Users
+  USER_READ_EMAIL: "user-read-email",
+  USER_READ_PRIVATE: "user-read-private",
+  // Follow
+  USER_FOLLOW_READ: "user-follow-read",
+  USER_FOLLOW_MODIFY: "user-follow-modify",
+  // Library
+  USER_LIBRARY_MODIFY: "user-library-modify",
+  USER_LIBRARY_READ: "user-library-read",
+  // Listening History
+  USER_READ_PLAYBACK_POSITION: "user-read-playback-position",
+  USER_TOP_READ: "user-top-read",
+  USER_READ_RECENTLY_PLAYED: "user-read-recently-played",
+  // Playlists
+  PLAYLIST_MODIFY_PRIVATE: "playlist-modify-private",
+  PLAYLIST_READ_COLLABORATIVE: "playlist-read-collaborative",
+  PLAYLIST_READ_PRIVATE: "playlist-read-private",
+  PLAYLIST_MODIFY_PUBLIC: "playlist-modify-public"
+};
+var DEFAULT_SCOPES = [
+  SPOTIFY_SCOPES.USER_READ_PLAYBACK_STATE,
+  SPOTIFY_SCOPES.USER_MODIFY_PLAYBACK_STATE,
+  SPOTIFY_SCOPES.USER_READ_CURRENTLY_PLAYING,
+  SPOTIFY_SCOPES.USER_READ_EMAIL,
+  SPOTIFY_SCOPES.USER_READ_PRIVATE,
+  SPOTIFY_SCOPES.USER_LIBRARY_MODIFY,
+  SPOTIFY_SCOPES.USER_LIBRARY_READ,
+  SPOTIFY_SCOPES.USER_TOP_READ,
+  SPOTIFY_SCOPES.USER_READ_RECENTLY_PLAYED,
+  SPOTIFY_SCOPES.PLAYLIST_MODIFY_PRIVATE,
+  SPOTIFY_SCOPES.PLAYLIST_READ_COLLABORATIVE,
+  SPOTIFY_SCOPES.PLAYLIST_READ_PRIVATE,
+  SPOTIFY_SCOPES.PLAYLIST_MODIFY_PUBLIC
+];
+var SPOTIFY_ACCOUNTS_URL = "https://accounts.spotify.com";
+var SPOTIFY_API_URL = "https://api.spotify.com/v1";
+var SpotifyAuth = class {
+  config;
+  tokens = null;
+  tokenRefreshPromise = null;
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Get the Base64 encoded client credentials
+   */
+  getBasicAuthHeader() {
+    const credentials = `${this.config.clientId}:${this.config.clientSecret}`;
+    return `Basic ${Buffer.from(credentials).toString("base64")}`;
+  }
+  /**
+   * Generate the authorization URL for the OAuth2 flow
+   */
+  getAuthorizationUrl(scopes = DEFAULT_SCOPES, state, showDialog = false) {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      response_type: "code",
+      redirect_uri: this.config.redirectUri,
+      scope: scopes.join(" "),
+      show_dialog: String(showDialog)
+    });
+    if (state) {
+      params.set("state", state);
+    }
+    return `${SPOTIFY_ACCOUNTS_URL}/authorize?${params.toString()}`;
+  }
+  /**
+   * Exchange an authorization code for tokens
+   */
+  async exchangeCode(code) {
+    const response = await fetch(`${SPOTIFY_ACCOUNTS_URL}/api/token`, {
+      method: "POST",
+      headers: {
+        Authorization: this.getBasicAuthHeader(),
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: this.config.redirectUri
+      })
+    });
+    if (!response.ok) {
+      const error = await this.parseErrorResponse(response);
+      throw new SpotifyAuthError(
+        `Failed to exchange code: ${error.message}`,
+        response.status,
+        error
+      );
+    }
+    const data = await response.json();
+    this.tokens = this.parseTokenResponse(data);
+    return this.tokens;
+  }
+  /**
+   * Refresh the access token using the refresh token
+   */
+  async refreshAccessToken(refreshToken) {
+    const tokenToRefresh = refreshToken ?? this.tokens?.refreshToken;
+    if (!tokenToRefresh) {
+      throw new SpotifyAuthError("No refresh token available");
+    }
+    if (this.tokenRefreshPromise) {
+      return this.tokenRefreshPromise;
+    }
+    this.tokenRefreshPromise = this.performTokenRefresh(tokenToRefresh);
+    try {
+      const tokens = await this.tokenRefreshPromise;
+      return tokens;
+    } finally {
+      this.tokenRefreshPromise = null;
+    }
+  }
+  async performTokenRefresh(refreshToken) {
+    const response = await fetch(`${SPOTIFY_ACCOUNTS_URL}/api/token`, {
+      method: "POST",
+      headers: {
+        Authorization: this.getBasicAuthHeader(),
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: refreshToken
+      })
+    });
+    if (!response.ok) {
+      const error = await this.parseErrorResponse(response);
+      throw new SpotifyAuthError(
+        `Failed to refresh token: ${error.message}`,
+        response.status,
+        error
+      );
+    }
+    const data = await response.json();
+    this.tokens = {
+      ...this.parseTokenResponse(data),
+      refreshToken: data.refresh_token ?? refreshToken
+    };
+    return this.tokens;
+  }
+  /**
+   * Parse the token response into our internal format
+   */
+  parseTokenResponse(data) {
+    return {
+      accessToken: data.access_token,
+      tokenType: data.token_type,
+      scope: data.scope,
+      expiresAt: Date.now() + data.expires_in * 1e3,
+      refreshToken: data.refresh_token ?? ""
+    };
+  }
+  /**
+   * Parse an error response from Spotify
+   */
+  async parseErrorResponse(response) {
+    try {
+      const data = await response.json();
+      if (data.error) {
+        return data.error;
+      }
+      return {
+        status: response.status,
+        message: data.error_description ?? response.statusText
+      };
+    } catch {
+      return {
+        status: response.status,
+        message: response.statusText
+      };
+    }
+  }
+  /**
+   * Check if the current access token is expired (or about to expire)
+   */
+  isTokenExpired(bufferMs = 6e4) {
+    if (!this.tokens) {
+      return true;
+    }
+    return Date.now() >= this.tokens.expiresAt - bufferMs;
+  }
+  /**
+   * Get a valid access token, refreshing if necessary
+   */
+  async getAccessToken() {
+    if (!this.tokens) {
+      throw new SpotifyAuthError("Not authenticated. Please authenticate first.");
+    }
+    if (this.isTokenExpired()) {
+      await this.refreshAccessToken();
+    }
+    return this.tokens.accessToken;
+  }
+  /**
+   * Get the current tokens
+   */
+  getTokens() {
+    return this.tokens;
+  }
+  /**
+   * Set tokens (useful for restoring from storage)
+   */
+  setTokens(tokens) {
+    this.tokens = tokens;
+  }
+  /**
+   * Clear stored tokens
+   */
+  clearTokens() {
+    this.tokens = null;
+  }
+  /**
+   * Check if authenticated
+   */
+  isAuthenticated() {
+    return this.tokens !== null && !!this.tokens.refreshToken;
+  }
+  /**
+   * Make an authenticated request to the Spotify API
+   */
+  async request(endpoint, options = {}) {
+    const accessToken = await this.getAccessToken();
+    const url = endpoint.startsWith("http") ? endpoint : `${SPOTIFY_API_URL}${endpoint}`;
+    const response = await fetch(url, {
+      ...options,
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json",
+        ...options.headers
+      }
+    });
+    if (response.status === 204) {
+      return void 0;
+    }
+    if (!response.ok) {
+      if (response.status === 401) {
+        await this.refreshAccessToken();
+        return this.request(endpoint, options);
+      }
+      const error = await this.parseErrorResponse(response);
+      throw new SpotifyAuthError(
+        `API request failed: ${error.message}`,
+        response.status,
+        error
+      );
+    }
+    const text = await response.text();
+    if (!text) {
+      return void 0;
+    }
+    return JSON.parse(text);
+  }
+  /**
+   * GET request helper
+   */
+  async get(endpoint, params) {
+    let url = endpoint;
+    if (params) {
+      const searchParams = new URLSearchParams(params);
+      url = `${endpoint}?${searchParams.toString()}`;
+    }
+    return this.request(url, { method: "GET" });
+  }
+  /**
+   * POST request helper
+   */
+  async post(endpoint, body) {
+    return this.request(endpoint, {
+      method: "POST",
+      body: body ? JSON.stringify(body) : void 0
+    });
+  }
+  /**
+   * PUT request helper
+   */
+  async put(endpoint, body) {
+    return this.request(endpoint, {
+      method: "PUT",
+      body: body ? JSON.stringify(body) : void 0
+    });
+  }
+  /**
+   * DELETE request helper
+   */
+  async delete(endpoint, body) {
+    return this.request(endpoint, {
+      method: "DELETE",
+      body: body ? JSON.stringify(body) : void 0
+    });
+  }
+  /**
+   * Get the current user's profile
+   */
+  async getCurrentUser() {
+    return this.get("/me");
+  }
+};
+function createSpotifyAuth(config) {
+  return new SpotifyAuth(config);
+}
+var auth_default = SpotifyAuth;
+
+export {
+  SpotifyAuthError,
+  SPOTIFY_SCOPES,
+  DEFAULT_SCOPES,
+  SpotifyAuth,
+  createSpotifyAuth,
+  auth_default
+};
+//# sourceMappingURL=chunk-P6QINGFL.js.map