pipework 0.1.0

package/dist/auth/multi-org.js

@@ -0,0 +1,163 @@
+import { SignJWT, jwtVerify, importPKCS8, importSPKI } from 'jose';
+import { sql } from '../db/sql.js';
+import { ForbiddenError, UnauthorizedError, ConflictError, NotFoundError } from '../errors/index.js';
+import { assertValidIdentifier } from '../db/identifiers.js';
+export function createMultiOrgSessions(config) {
+    const tableName = config.table ?? 'pipework_user_orgs';
+    assertValidIdentifier(tableName, 'multi-org membership table');
+    const t = sql.raw(`"${tableName}"`);
+    const orgSelectAudience = `${config.audience}:org-select`;
+    const orgSelectExpiresIn = config.orgSelectToken?.expiresIn ?? '10m';
+    let cachedPrivateKey = null;
+    let cachedPublicKey = null;
+    async function getPrivateKey() {
+        if (cachedPrivateKey === null) {
+            cachedPrivateKey = await importPKCS8(config.signing.privateKey, config.signing.algorithm);
+        }
+        return cachedPrivateKey;
+    }
+    async function getPublicKey() {
+        if (cachedPublicKey === null) {
+            cachedPublicKey = await importSPKI(config.signing.publicKey, config.signing.algorithm);
+        }
+        return cachedPublicKey;
+    }
+    function parseExpiry(exp) {
+        const match = exp.match(/^(\d+)([smhd])$/);
+        if (match === null)
+            throw new Error(`Invalid expiry format: ${exp}`);
+        const value = parseInt(match[1], 10);
+        const unit = match[2];
+        switch (unit) {
+            case 's': return value;
+            case 'm': return value * 60;
+            case 'h': return value * 3600;
+            case 'd': return value * 86400;
+            default: return value;
+        }
+    }
+    async function signOrgSelectToken(userId) {
+        const key = await getPrivateKey();
+        const expiresInSeconds = parseExpiry(orgSelectExpiresIn);
+        return new SignJWT({ purpose: 'org_select' })
+            .setProtectedHeader({ alg: config.signing.algorithm })
+            .setSubject(userId)
+            .setIssuer(config.issuer)
+            .setAudience(orgSelectAudience)
+            .setIssuedAt()
+            .setExpirationTime(`${expiresInSeconds}s`)
+            .sign(key);
+    }
+    async function verifyOrgSelectToken(token) {
+        const key = await getPublicKey();
+        try {
+            const { payload } = await jwtVerify(token, key, {
+                algorithms: [config.signing.algorithm],
+                issuer: config.issuer,
+                audience: orgSelectAudience,
+            });
+            if (payload['purpose'] !== 'org_select') {
+                throw new Error('wrong purpose');
+            }
+            return payload.sub;
+        }
+        catch {
+            throw new UnauthorizedError('Invalid or expired organization selection token. Please log in again.');
+        }
+    }
+    async function requireMembership(db, userId, orgId) {
+        const rows = await db.execute(sql `SELECT 1 FROM ${t} WHERE user_id = ${userId} AND org_id = ${orgId}`);
+        if (rows.length === 0) {
+            throw new ForbiddenError('You are not a member of this organization.');
+        }
+    }
+    async function resolveLogin(response, db, user) {
+        const rows = await db.execute(sql `SELECT org_id, role FROM ${t} WHERE user_id = ${user.id} ORDER BY joined_at`);
+        if (rows.length === 0) {
+            throw new ForbiddenError('User has no organization memberships. Contact your administrator to be added to an organization.');
+        }
+        if (rows.length === 1) {
+            const orgId = rows[0]['org_id'];
+            const result = await config.sessions.issueTokensHttp(response, db, { id: user.id, tenantId: orgId });
+            return { type: 'authenticated', accessToken: result.accessToken, expiresIn: result.expiresIn };
+        }
+        const orgIds = rows.map(r => r['org_id']);
+        let orgNames = null;
+        if (config.resolveOrgNames !== undefined) {
+            orgNames = await config.resolveOrgNames(db, orgIds);
+        }
+        const orgs = orgIds.map(id => ({
+            id,
+            name: orgNames?.get(id) ?? id,
+        }));
+        const sessionToken = await signOrgSelectToken(user.id);
+        return { type: 'org_select', sessionToken, orgs };
+    }
+    async function selectOrg(response, db, sessionToken, orgId) {
+        const userId = await verifyOrgSelectToken(sessionToken);
+        await requireMembership(db, userId, orgId);
+        return config.sessions.issueTokensHttp(response, db, { id: userId, tenantId: orgId });
+    }
+    async function switchOrg(response, db, _request, orgId, userId) {
+        await requireMembership(db, userId, orgId);
+        return config.sessions.issueTokensHttp(response, db, { id: userId, tenantId: orgId });
+    }
+    async function listOrgs(db, userId) {
+        const rows = await db.execute(sql `SELECT org_id, role FROM ${t} WHERE user_id = ${userId} ORDER BY joined_at`);
+        const orgIds = rows.map(r => r['org_id']);
+        let orgNames = null;
+        if (config.resolveOrgNames !== undefined && orgIds.length > 0) {
+            orgNames = await config.resolveOrgNames(db, orgIds);
+        }
+        const orgs = rows.map(r => {
+            const orgId = r['org_id'];
+            return {
+                id: orgId,
+                name: orgNames?.get(orgId) ?? orgId,
+                role: r['role'] ?? null,
+            };
+        });
+        return { orgs };
+    }
+    async function addMember(db, params) {
+        const role = params.role ?? null;
+        const addedBy = params.addedBy ?? null;
+        const rows = await db.execute(sql `INSERT INTO ${t} (user_id, org_id, role, added_by)
+          VALUES (${params.userId}, ${params.orgId}, ${role}, ${addedBy})
+          ON CONFLICT (user_id, org_id) DO NOTHING
+          RETURNING id`);
+        if (rows.length === 0) {
+            throw new ConflictError('User is already a member of this organization.');
+        }
+        return { id: rows[0]['id'] };
+    }
+    async function removeMember(db, params) {
+        const rows = await db.execute(sql `DELETE FROM ${t} WHERE user_id = ${params.userId} AND org_id = ${params.orgId} RETURNING id`);
+        if (rows.length === 0) {
+            throw new NotFoundError('Membership');
+        }
+        await config.sessions.bumpVersion(db, params.userId);
+    }
+    async function checkMembershipFn(db, userId, orgId) {
+        const rows = await db.execute(sql `SELECT id, org_id, role, joined_at FROM ${t} WHERE user_id = ${userId} AND org_id = ${orgId}`);
+        if (rows.length === 0)
+            return null;
+        const row = rows[0];
+        return {
+            id: row['id'],
+            orgId: row['org_id'],
+            role: row['role'] ?? null,
+            joinedAt: new Date(row['joined_at']),
+        };
+    }
+    return {
+        resolveLogin,
+        selectOrg,
+        switchOrg,
+        listOrgs,
+        addMember,
+        removeMember,
+        checkMembership: checkMembershipFn,
+    };
+}
+//# sourceMappingURL=multi-org.js.map

package/dist/auth/multi-org.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"multi-org.js","sourceRoot":"","sources":["../../src/auth/multi-org.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,MAAM,CAAA;AAClE,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAElC,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACpG,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAA;AAyF5D,MAAM,UAAU,sBAAsB,CAAC,MAAsB;IAC3D,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,IAAI,oBAAoB,CAAA;IACtD,qBAAqB,CAAC,SAAS,EAAE,4BAA4B,CAAC,CAAA;IAC9D,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,CAAA;IAEnC,MAAM,iBAAiB,GAAG,GAAG,MAAM,CAAC,QAAQ,aAAa,CAAA;IACzD,MAAM,kBAAkB,GAAG,MAAM,CAAC,cAAc,EAAE,SAAS,IAAI,KAAK,CAAA;IAEpE,IAAI,gBAAgB,GAAqB,IAAI,CAAA;IAC7C,IAAI,eAAe,GAAqB,IAAI,CAAA;IAE5C,KAAK,UAAU,aAAa;QAC1B,IAAI,gBAAgB,KAAK,IAAI,EAAE,CAAC;YAC9B,gBAAgB,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QAC3F,CAAC;QACD,OAAO,gBAAgB,CAAA;IACzB,CAAC;IAED,KAAK,UAAU,YAAY;QACzB,IAAI,eAAe,KAAK,IAAI,EAAE,CAAC;YAC7B,eAAe,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QACxF,CAAC;QACD,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,SAAS,WAAW,CAAC,GAAW;QAC9B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAA;QAC1C,IAAI,KAAK,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,EAAE,CAAC,CAAA;QACpE,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAA;QACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,CAAA;YACtB,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,EAAE,CAAA;YAC3B,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,IAAI,CAAA;YAC7B,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,KAAK,CAAA;YAC9B,OAAO,CAAC,CAAC,OAAO,KAAK,CAAA;QACvB,CAAC;IACH,CAAC;IAED,KAAK,UAAU,kBAAkB,CAAC,MAAc;QAC9C,MAAM,GAAG,GAAG,MAAM,aAAa,EAAE,CAAA;QACjC,MAAM,gBAAgB,GAAG,WAAW,CAAC,kBAAkB,CAAC,CAAA;QACxD,OAAO,IAAI,OAAO,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;aAC1C,kBAAkB,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;aACrD,UAAU,CAAC,MAAM,CAAC;aAClB,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC;aACxB,WAAW,CAAC,iBAAiB,CAAC;aAC9B,WAAW,EAAE;aACb,iBAAiB,CAAC,GAAG,gBAAgB,GAAG,CAAC;aACzC,IAAI,CAAC,GAAG,CAAC,CAAA;IACd,CAAC;IAED,KAAK,UAAU,oBAAoB,CAAC,KAAa;QAC/C,MAAM,GAAG,GAAG,MAAM,YAAY,EAAE,CAAA;QAChC,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE;gBAC9C,UAAU,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC;gBACtC,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,QAAQ,EAAE,iBAAiB;aAC5B,CAAC,CAAA;YACF,IAAI,OAAO,CAAC,SAAS,CAAC,KAAK,YAAY,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAA;YAClC,CAAC;YACD,OAAO,OAAO,CAAC,GAAI,CAAA;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,iBAAiB,CACzB,uEAAuE,CACxE,CAAA;QACH,CAAC;IACH,CAAC;IAED,KAAK,UAAU,iBAAiB,CAAC,EAAM,EAAE,MAAc,EAAE,KAAa;QACpE,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAC3B,GAAG,CAAA,iBAAiB,CAAC,oBAAoB,MAAM,iBAAiB,KAAK,EAAE,CACxE,CAAA;QACD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,MAAM,IAAI,cAAc,CAAC,4CAA4C,CAAC,CAAA;QACxE,CAAC;IACH,CAAC;IAED,KAAK,UAAU,YAAY,CACzB,QAAsB,EACtB,EAAM,EACN,IAAoB;QAEpB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAC3B,GAAG,CAAA,4BAA4B,CAAC,oBAAoB,IAAI,CAAC,EAAE,qBAAqB,CACjF,CAAA;QAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,MAAM,IAAI,cAAc,CACtB,kGAAkG,CACnG,CAAA;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC,QAAQ,CAAW,CAAA;YAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAA;YACpG,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAA;QAChG,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAW,CAAC,CAAA;QACnD,IAAI,QAAQ,GAA+B,IAAI,CAAA;QAC/C,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,EAAE,CAAC;YACzC,QAAQ,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;QACrD,CAAC;QAED,MAAM,IAAI,GAAc,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;YACxC,EAAE;YACF,IAAI,EAAE,QAAQ,EAAE,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE;SAC9B,CAAC,CAAC,CAAA;QAEH,MAAM,YAAY,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QACtD,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,YAAY,EAAE,IAAI,EAAE,CAAA;IACnD,CAAC;IAED,KAAK,UAAU,SAAS,CACtB,QAAsB,EACtB,EAAM,EACN,YAAoB,EACpB,KAAa;QAEb,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,YAAY,CAAC,CAAA;QACvD,MAAM,iBAAiB,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,CAAA;QAC1C,OAAO,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAA;IACvF,CAAC;IAED,KAAK,UAAU,SAAS,CACtB,QAAsB,EACtB,EAAM,EACN,QAAqB,EACrB,KAAa,EACb,MAAc;QAEd,MAAM,iBAAiB,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,CAAA;QAC1C,OAAO,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAA;IACvF,CAAC;IAED,KAAK,UAAU,QAAQ,CACrB,EAAM,EACN,MAAc;QAEd,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAC3B,GAAG,CAAA,4BAA4B,CAAC,oBAAoB,MAAM,qBAAqB,CAChF,CAAA;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAW,CAAC,CAAA;QACnD,IAAI,QAAQ,GAA+B,IAAI,CAAA;QAC/C,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,QAAQ,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;QACrD,CAAC;QAED,MAAM,IAAI,GAA0B,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YAC/C,MAAM,KAAK,GAAG,CAAC,CAAC,QAAQ,CAAW,CAAA;YACnC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,IAAI,EAAE,QAAQ,EAAE,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK;gBACnC,IAAI,EAAG,CAAC,CAAC,MAAM,CAAmB,IAAI,IAAI;aAC3C,CAAA;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,EAAE,IAAI,EAAE,CAAA;IACjB,CAAC;IAED,KAAK,UAAU,SAAS,CACtB,EAAM,EACN,MAA0E;QAE1E,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,IAAI,CAAA;QAChC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,IAAI,CAAA;QACtC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAC3B,GAAG,CAAA,eAAe,CAAC;oBACL,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,KAAK,KAAK,IAAI,KAAK,OAAO;;uBAEhD,CAClB,CAAA;QAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,MAAM,IAAI,aAAa,CAAC,gDAAgD,CAAC,CAAA;QAC3E,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,CAAC,CAAE,CAAC,IAAI,CAAW,EAAE,CAAA;IACzC,CAAC;IAED,KAAK,UAAU,YAAY,CACzB,EAAM,EACN,MAAyC;QAEzC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAC3B,GAAG,CAAA,eAAe,CAAC,oBAAoB,MAAM,CAAC,MAAM,iBAAiB,MAAM,CAAC,KAAK,eAAe,CACjG,CAAA;QAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,MAAM,IAAI,aAAa,CAAC,YAAY,CAAC,CAAA;QACvC,CAAC;QAED,MAAM,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAA;IACtD,CAAC;IAED,KAAK,UAAU,iBAAiB,CAC9B,EAAM,EACN,MAAc,EACd,KAAa;QAEb,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAC3B,GAAG,CAAA,2CAA2C,CAAC,oBAAoB,MAAM,iBAAiB,KAAK,EAAE,CAClG,CAAA;QAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAA;QAElC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAA;QACpB,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,IAAI,CAAW;YACvB,KAAK,EAAE,GAAG,CAAC,QAAQ,CAAW;YAC9B,IAAI,EAAG,GAAG,CAAC,MAAM,CAAmB,IAAI,IAAI;YAC5C,QAAQ,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,WAAW,CAAW,CAAC;SAC/C,CAAA;IACH,CAAC;IAED,OAAO;QACL,YAAY;QACZ,SAAS;QACT,SAAS;QACT,QAAQ;QACR,SAAS;QACT,YAAY;QACZ,eAAe,EAAE,iBAAiB;KACnC,CAAA;AACH,CAAC"}

package/dist/auth/namespace.d.ts

@@ -0,0 +1,14 @@
+import { createSessions } from './sessions.js';
+import { createMultiOrgSessions } from './multi-org.js';
+import { runAuthChain } from './chain.js';
+import { resolveCookieConfig, parseCookieHeader, buildSetCookieHeader, buildClearCookieHeader } from './cookie.js';
+export declare const auth: {
+    createSessions: typeof createSessions;
+    createMultiOrg: typeof createMultiOrgSessions;
+    runChain: typeof runAuthChain;
+    resolveCookie: typeof resolveCookieConfig;
+    parseCookie: typeof parseCookieHeader;
+    buildSetCookie: typeof buildSetCookieHeader;
+    buildClearCookie: typeof buildClearCookieHeader;
+};
+//# sourceMappingURL=namespace.d.ts.map

package/dist/auth/namespace.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"namespace.d.ts","sourceRoot":"","sources":["../../src/auth/namespace.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AAC9C,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAA;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AACzC,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAA;AAElH,eAAO,MAAM,IAAI;;;;;;;;CAQhB,CAAA"}

package/dist/auth/namespace.js

@@ -0,0 +1,14 @@
+import { createSessions } from './sessions.js';
+import { createMultiOrgSessions } from './multi-org.js';
+import { runAuthChain } from './chain.js';
+import { resolveCookieConfig, parseCookieHeader, buildSetCookieHeader, buildClearCookieHeader } from './cookie.js';
+export const auth = {
+    createSessions,
+    createMultiOrg: createMultiOrgSessions,
+    runChain: runAuthChain,
+    resolveCookie: resolveCookieConfig,
+    parseCookie: parseCookieHeader,
+    buildSetCookie: buildSetCookieHeader,
+    buildClearCookie: buildClearCookieHeader,
+};
+//# sourceMappingURL=namespace.js.map

package/dist/auth/namespace.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"namespace.js","sourceRoot":"","sources":["../../src/auth/namespace.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AAC9C,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAA;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AACzC,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAA;AAElH,MAAM,CAAC,MAAM,IAAI,GAAG;IAClB,cAAc;IACd,cAAc,EAAE,sBAAsB;IACtC,QAAQ,EAAE,YAAY;IACtB,aAAa,EAAE,mBAAmB;IAClC,WAAW,EAAE,iBAAiB;IAC9B,cAAc,EAAE,oBAAoB;IACpC,gBAAgB,EAAE,sBAAsB;CACzC,CAAA"}

package/dist/auth/sessions.d.ts

@@ -0,0 +1,64 @@
+import type { DB } from '../db/index.js';
+import type { CookieConfig } from './cookie.js';
+import type { HttpRequest, HttpResponse } from '../http/types.js';
+export interface SessionConfig {
+    readonly signing: {
+        algorithm: 'ES256';
+        privateKey: string;
+        publicKey: string;
+    };
+    readonly issuer: string;
+    readonly audience: string;
+    readonly accessToken: {
+        expiresIn: string;
+    };
+    readonly refreshToken: {
+        expiresIn: string;
+        rotateOnUse: boolean;
+        reuseDetection: boolean;
+        cookie?: CookieConfig;
+    };
+    readonly versionCheck: boolean;
+    readonly versionCacheTtlMs?: number;
+    readonly resolveRoles?: (db: DB, userId: string, tenantId: string) => Promise<string[]>;
+    readonly environment?: string;
+}
+export interface TokenPair {
+    readonly accessToken: string;
+    readonly refreshToken: string;
+    readonly expiresIn: number;
+}
+export interface TokenPayload {
+    readonly sub: string;
+    readonly tid: string;
+    readonly av: number;
+    readonly roles: string[] | undefined;
+}
+export interface HttpTokenResult {
+    readonly accessToken: string;
+    readonly expiresIn: number;
+}
+export type { HttpRequest, HttpResponse };
+export interface Sessions {
+    issueTokens(db: DB, user: {
+        id: string;
+        tenantId: string;
+        roles?: string[];
+    }): Promise<TokenPair>;
+    refresh(db: DB, refreshToken: string): Promise<TokenPair>;
+    revokeAll(db: DB, userId: string): Promise<void>;
+    bumpVersion(db: DB, userId: string): Promise<void>;
+    verifyAccessToken(token: string): Promise<TokenPayload>;
+    checkVersion(db: DB, userId: string, tokenVersion: number): Promise<boolean>;
+    cleanExpiredTokens(db: DB): Promise<number>;
+    issueTokensHttp(response: HttpResponse, db: DB, user: {
+        id: string;
+        tenantId: string;
+        roles?: string[];
+    }): Promise<HttpTokenResult>;
+    refreshHttp(response: HttpResponse, db: DB, request: HttpRequest): Promise<HttpTokenResult>;
+    revokeHttp(response: HttpResponse, db: DB, request: HttpRequest): Promise<void>;
+    revokeAllHttp(response: HttpResponse, db: DB, userId: string): Promise<void>;
+}
+export declare function createSessions(config: SessionConfig): Sessions;
+//# sourceMappingURL=sessions.d.ts.map

package/dist/auth/sessions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.d.ts","sourceRoot":"","sources":["../../src/auth/sessions.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAA;AAExC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAG/C,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAEjE,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,OAAO,EAAE;QAAE,SAAS,EAAE,OAAO,CAAC;QAAC,UAAU,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAA;IAC/E,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,WAAW,EAAE;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAA;IAC3C,QAAQ,CAAC,YAAY,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,OAAO,CAAC;QAAC,cAAc,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,YAAY,CAAA;KAAE,CAAA;IAClH,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAA;IAC9B,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAA;IACnC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IACvF,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAC9B;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;CAC3B;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,SAAS,CAAA;CACrC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;CAC3B;AAED,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,CAAA;AAEzC,MAAM,WAAW,QAAQ;IACvB,WAAW,CAAC,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;IACjG,OAAO,CAAC,EAAE,EAAE,EAAE,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;IACzD,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAChD,WAAW,CAAC,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAClD,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAA;IACvD,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAC5E,kBAAkB,CAAC,EAAE,EAAE,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IAC3C,eAAe,CAAC,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;IACnI,WAAW,CAAC,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;IAC3F,UAAU,CAAC,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC/E,aAAa,CAAC,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAC7E;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,aAAa,GAAG,QAAQ,CAmQ9D"}

package/dist/auth/sessions.js

@@ -0,0 +1,230 @@
+import { SignJWT, jwtVerify, importPKCS8, importSPKI } from 'jose';
+import { sql } from '../db/sql.js';
+import { UnauthorizedError } from '../errors/index.js';
+import { resolveCookieConfig, buildSetCookieHeader, buildClearCookieHeader, parseCookieHeader } from './cookie.js';
+export function createSessions(config) {
+    const environment = config.environment ?? 'production';
+    if (environment === 'production') {
+        validateSigningKeys(config);
+    }
+    let privateKey = null;
+    let publicKey = null;
+    const versionCache = new Map();
+    const cacheTtl = config.versionCacheTtlMs ?? 60_000;
+    async function getPrivateKey() {
+        if (!privateKey)
+            privateKey = await importPKCS8(config.signing.privateKey, config.signing.algorithm);
+        return privateKey;
+    }
+    async function getPublicKey() {
+        if (!publicKey)
+            publicKey = await importSPKI(config.signing.publicKey, config.signing.algorithm);
+        return publicKey;
+    }
+    function parseExpiry(exp) {
+        const match = exp.match(/^(\d+)([smhd])$/);
+        if (!match)
+            throw new Error(`Invalid expiry format: ${exp}`);
+        const value = parseInt(match[1], 10);
+        const unit = match[2];
+        switch (unit) {
+            case 's': return value;
+            case 'm': return value * 60;
+            case 'h': return value * 3600;
+            case 'd': return value * 86400;
+            default: return value;
+        }
+    }
+    async function getOrCreateVersion(db, userId) {
+        const rows = await db.execute(sql `INSERT INTO pipework_auth_versions (user_id, version) VALUES (${userId}, 1)
+          ON CONFLICT (user_id) DO NOTHING
+          RETURNING version`);
+        if (rows.length > 0)
+            return rows[0]['version'];
+        const existing = await db.execute(sql `SELECT version FROM pipework_auth_versions WHERE user_id = ${userId}`);
+        const row = existing[0];
+        if (row === undefined)
+            return 1;
+        return row['version'];
+    }
+    async function issueTokens(db, user) {
+        const key = await getPrivateKey();
+        const version = config.versionCheck ? await getOrCreateVersion(db, user.id) : 1;
+        const expiresInSeconds = parseExpiry(config.accessToken.expiresIn);
+        const accessToken = await new SignJWT({ tid: user.tenantId, av: version, roles: user.roles })
+            .setProtectedHeader({ alg: config.signing.algorithm })
+            .setSubject(user.id)
+            .setIssuer(config.issuer)
+            .setAudience(config.audience)
+            .setIssuedAt()
+            .setExpirationTime(`${expiresInSeconds}s`)
+            .sign(key);
+        const familyId = crypto.randomUUID();
+        const refreshTokenValue = crypto.randomUUID();
+        const refreshHash = await hashToken(refreshTokenValue);
+        const refreshExpiresIn = parseExpiry(config.refreshToken.expiresIn);
+        const expiresAt = new Date(Date.now() + refreshExpiresIn * 1000);
+        await db.execute(sql `INSERT INTO pipework_refresh_tokens (user_id, tenant_id, token_hash, family_id, expires_at)
+          VALUES (${user.id}, ${user.tenantId}, ${refreshHash}, ${familyId}::uuid, ${expiresAt.toISOString()}::timestamptz)`);
+        return { accessToken, refreshToken: refreshTokenValue, expiresIn: expiresInSeconds };
+    }
+    async function refresh(db, refreshToken) {
+        const tokenHash = await hashToken(refreshToken);
+        return db.transaction(async (tx) => {
+            const rows = await tx.execute(sql `SELECT id, user_id, tenant_id, family_id, revoked_at, expires_at
+            FROM pipework_refresh_tokens
+            WHERE token_hash = ${tokenHash}
+            FOR UPDATE`);
+            if (rows.length === 0) {
+                throw new UnauthorizedError('Invalid refresh token');
+            }
+            const row = rows[0];
+            const userId = row['user_id'];
+            const tenantId = row['tenant_id'];
+            const familyId = row['family_id'];
+            const revokedAt = row['revoked_at'];
+            const expiresAt = new Date(row['expires_at']);
+            if (expiresAt < new Date()) {
+                throw new UnauthorizedError('Refresh token expired');
+            }
+            if (revokedAt !== null) {
+                if (config.refreshToken.reuseDetection) {
+                    await tx.execute(sql `UPDATE pipework_refresh_tokens SET revoked_at = now()
+                WHERE family_id = ${familyId}::uuid AND revoked_at IS NULL`);
+                }
+                throw new UnauthorizedError('Refresh token reuse detected — all sessions revoked');
+            }
+            if (config.refreshToken.rotateOnUse) {
+                await tx.execute(sql `UPDATE pipework_refresh_tokens SET revoked_at = now() WHERE token_hash = ${tokenHash}`);
+            }
+            const roles = config.resolveRoles
+                ? await config.resolveRoles(tx, userId, tenantId)
+                : undefined;
+            return issueTokens(tx, roles ? { id: userId, tenantId, roles } : { id: userId, tenantId });
+        });
+    }
+    async function revokeAll(db, userId) {
+        await db.execute(sql `UPDATE pipework_refresh_tokens SET revoked_at = now()
+          WHERE user_id = ${userId} AND revoked_at IS NULL`);
+    }
+    async function bumpVersion(db, userId) {
+        await db.execute(sql `INSERT INTO pipework_auth_versions (user_id, version, updated_at)
+          VALUES (${userId}, 2, now())
+          ON CONFLICT (user_id)
+          DO UPDATE SET version = pipework_auth_versions.version + 1, updated_at = now()`);
+        versionCache.delete(userId);
+    }
+    async function verifyAccessToken(token) {
+        const key = await getPublicKey();
+        try {
+            const { payload } = await jwtVerify(token, key, {
+                algorithms: [config.signing.algorithm],
+                issuer: config.issuer,
+                audience: config.audience,
+            });
+            return {
+                sub: payload.sub,
+                tid: payload['tid'],
+                av: payload['av'],
+                roles: payload['roles'],
+            };
+        }
+        catch {
+            throw new UnauthorizedError('Invalid access token');
+        }
+    }
+    async function checkVersion(db, userId, tokenVersion) {
+        const cached = versionCache.get(userId);
+        if (cached && cached.expiresAt > Date.now()) {
+            return cached.version === tokenVersion;
+        }
+        const rows = await db.execute(sql `SELECT version FROM pipework_auth_versions WHERE user_id = ${userId}`);
+        const currentVersion = rows.length > 0 ? rows[0]['version'] : 1;
+        versionCache.set(userId, { version: currentVersion, expiresAt: Date.now() + cacheTtl });
+        return currentVersion === tokenVersion;
+    }
+    async function cleanExpiredTokens(db) {
+        const rows = await db.execute(sql `DELETE FROM pipework_refresh_tokens WHERE expires_at < now() RETURNING id`);
+        return rows.length;
+    }
+    function getCookieConfig() {
+        const cookie = config.refreshToken.cookie;
+        if (cookie === undefined) {
+            throw new Error('Cookie-based session methods require refreshToken.cookie configuration');
+        }
+        return resolveCookieConfig(cookie, config.environment ?? 'production');
+    }
+    function getRefreshMaxAge() {
+        return parseExpiry(config.refreshToken.expiresIn);
+    }
+    async function issueTokensHttp(response, db, user) {
+        const resolved = getCookieConfig();
+        const pair = await issueTokens(db, user);
+        response.header('Set-Cookie', buildSetCookieHeader(resolved, pair.refreshToken, getRefreshMaxAge()));
+        return { accessToken: pair.accessToken, expiresIn: pair.expiresIn };
+    }
+    async function refreshHttp(response, db, request) {
+        const resolved = getCookieConfig();
+        const token = parseCookieHeader(request.headers['cookie'], resolved.name);
+        if (token === undefined) {
+            throw new UnauthorizedError('Missing refresh token cookie');
+        }
+        const pair = await refresh(db, token);
+        response.header('Set-Cookie', buildSetCookieHeader(resolved, pair.refreshToken, getRefreshMaxAge()));
+        return { accessToken: pair.accessToken, expiresIn: pair.expiresIn };
+    }
+    async function revokeHttp(response, db, request) {
+        const resolved = getCookieConfig();
+        const token = parseCookieHeader(request.headers['cookie'], resolved.name);
+        if (token === undefined) {
+            throw new UnauthorizedError('Missing refresh token cookie');
+        }
+        const tokenHash = await hashToken(token);
+        await db.execute(sql `UPDATE pipework_refresh_tokens SET revoked_at = now()
+          WHERE token_hash = ${tokenHash} AND revoked_at IS NULL`);
+        response.header('Set-Cookie', buildClearCookieHeader(resolved));
+    }
+    async function revokeAllHttp(response, db, userId) {
+        const resolved = getCookieConfig();
+        await revokeAll(db, userId);
+        response.header('Set-Cookie', buildClearCookieHeader(resolved));
+    }
+    return {
+        issueTokens, refresh, revokeAll, bumpVersion, verifyAccessToken, checkVersion, cleanExpiredTokens,
+        issueTokensHttp, refreshHttp, revokeHttp, revokeAllHttp,
+    };
+}
+const TEST_KEY_PATTERNS = [
+    'test', 'example', 'dummy', 'placeholder', 'changeme', 'insecure', 'dev-only',
+];
+function validateSigningKeys(config) {
+    const problems = [];
+    const { privateKey, publicKey } = config.signing;
+    if (privateKey.length < 100) {
+        problems.push('Private key appears too short for ES256. Ensure you are using a real PKCS#8 key.');
+    }
+    if (publicKey.length < 80) {
+        problems.push('Public key appears too short for ES256. Ensure you are using a real SPKI key.');
+    }
+    const combined = (privateKey + publicKey).toLowerCase();
+    for (const pattern of TEST_KEY_PATTERNS) {
+        if (combined.includes(pattern)) {
+            problems.push(`Signing key material contains "${pattern}" — this looks like a test key.`);
+            break;
+        }
+    }
+    if (!privateKey.includes('BEGIN') || !publicKey.includes('BEGIN')) {
+        problems.push('Keys should be PEM-encoded (BEGIN PRIVATE KEY / BEGIN PUBLIC KEY).');
+    }
+    if (problems.length > 0) {
+        throw new Error(`[pipework] Session signing keys are not suitable for production:\n\n${problems.map(p => `  - ${p}`).join('\n')}\n\n` +
+            '  Generate production keys with: openssl ecparam -genkey -name prime256v1 -noout | openssl pkcs8 -topk8 -nocrypt\n');
+    }
+}
+async function hashToken(token) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(token);
+    const hash = await crypto.subtle.digest('SHA-256', data);
+    return Buffer.from(hash).toString('hex');
+}
+//# sourceMappingURL=sessions.js.map

package/dist/auth/sessions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.js","sourceRoot":"","sources":["../../src/auth/sessions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,MAAM,CAAA;AAClE,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAElC,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AAEtD,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAA;AAkDlH,MAAM,UAAU,cAAc,CAAC,MAAqB;IAClD,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,YAAY,CAAA;IACtD,IAAI,WAAW,KAAK,YAAY,EAAE,CAAC;QACjC,mBAAmB,CAAC,MAAM,CAAC,CAAA;IAC7B,CAAC;IAED,IAAI,UAAU,GAAqB,IAAI,CAAA;IACvC,IAAI,SAAS,GAAqB,IAAI,CAAA;IACtC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkD,CAAA;IAC9E,MAAM,QAAQ,GAAG,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAA;IAEnD,KAAK,UAAU,aAAa;QAC1B,IAAI,CAAC,UAAU;YAAE,UAAU,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QACpG,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,KAAK,UAAU,YAAY;QACzB,IAAI,CAAC,SAAS;YAAE,SAAS,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QAChG,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,SAAS,WAAW,CAAC,GAAW;QAC9B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAA;QAC1C,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,EAAE,CAAC,CAAA;QAC5D,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAA;QACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,CAAA;YACtB,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,EAAE,CAAA;YAC3B,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,IAAI,CAAA;YAC7B,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,KAAK,CAAA;YAC9B,OAAO,CAAC,CAAC,OAAO,KAAK,CAAA;QACvB,CAAC;IACH,CAAC;IAED,KAAK,UAAU,kBAAkB,CAAC,EAAM,EAAE,MAAc;QACtD,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAC3B,GAAG,CAAA,iEAAiE,MAAM;;4BAEpD,CACvB,CAAA;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC,CAAC,CAAE,CAAC,SAAS,CAAW,CAAA;QAEzD,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,OAAO,CAC/B,GAAG,CAAA,8DAA8D,MAAM,EAAE,CAC1E,CAAA;QACD,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAA;QACvB,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,CAAC,CAAA;QAC/B,OAAO,GAAG,CAAC,SAAS,CAAW,CAAA;IACjC,CAAC;IAED,KAAK,UAAU,WAAW,CACxB,EAAM,EACN,IAAwD;QAExD,MAAM,GAAG,GAAG,MAAM,aAAa,EAAE,CAAA;QACjC,MAAM,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,kBAAkB,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;QAC/E,MAAM,gBAAgB,GAAG,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;QAElE,MAAM,WAAW,GAAG,MAAM,IAAI,OAAO,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;aAC1F,kBAAkB,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;aACrD,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;aACnB,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC;aACxB,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC;aAC5B,WAAW,EAAE;aACb,iBAAiB,CAAC,GAAG,gBAAgB,GAAG,CAAC;aACzC,IAAI,CAAC,GAAG,CAAC,CAAA;QAEZ,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;QACpC,MAAM,iBAAiB,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;QAC7C,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,iBAAiB,CAAC,CAAA;QACtD,MAAM,gBAAgB,GAAG,WAAW,CAAC,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;QACnE,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,gBAAgB,GAAG,IAAI,CAAC,CAAA;QAEhE,MAAM,EAAE,CAAC,OAAO,CACd,GAAG,CAAA;oBACW,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,QAAQ,KAAK,WAAW,KAAK,QAAQ,WAAW,SAAS,CAAC,WAAW,EAAE,gBAAgB,CACvH,CAAA;QAED,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,iBAAiB,EAAE,SAAS,EAAE,gBAAgB,EAAE,CAAA;IACtF,CAAC;IAED,KAAK,UAAU,OAAO,CAAC,EAAM,EAAE,YAAoB;QACjD,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,YAAY,CAAC,CAAA;QAE/C,OAAO,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;YACjC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAC3B,GAAG,CAAA;;iCAEsB,SAAS;uBACnB,CAChB,CAAA;YAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACtB,MAAM,IAAI,iBAAiB,CAAC,uBAAuB,CAAC,CAAA;YACtD,CAAC;YAED,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAA;YACpB,MAAM,MAAM,GAAG,GAAG,CAAC,SAAS,CAAW,CAAA;YACvC,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,CAAW,CAAA;YAC3C,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,CAAW,CAAA;YAC3C,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAkB,CAAA;YACpD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,CAAW,CAAC,CAAA;YAEvD,IAAI,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBAC3B,MAAM,IAAI,iBAAiB,CAAC,uBAAuB,CAAC,CAAA;YACtD,CAAC;YAED,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;gBACvB,IAAI,MAAM,CAAC,YAAY,CAAC,cAAc,EAAE,CAAC;oBACvC,MAAM,EAAE,CAAC,OAAO,CACd,GAAG,CAAA;oCACqB,QAAQ,+BAA+B,CAChE,CAAA;gBACH,CAAC;gBACD,MAAM,IAAI,iBAAiB,CAAC,qDAAqD,CAAC,CAAA;YACpF,CAAC;YAED,IAAI,MAAM,CAAC,YAAY,CAAC,WAAW,EAAE,CAAC;gBACpC,MAAM,EAAE,CAAC,OAAO,CACd,GAAG,CAAA,4EAA4E,SAAS,EAAE,CAC3F,CAAA;YACH,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY;gBAC/B,CAAC,CAAC,MAAM,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC;gBACjD,CAAC,CAAC,SAAS,CAAA;YAEb,OAAO,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAA;QAC5F,CAAC,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,UAAU,SAAS,CAAC,EAAM,EAAE,MAAc;QAC7C,MAAM,EAAE,CAAC,OAAO,CACd,GAAG,CAAA;4BACmB,MAAM,yBAAyB,CACtD,CAAA;IACH,CAAC;IAED,KAAK,UAAU,WAAW,CAAC,EAAM,EAAE,MAAc;QAC/C,MAAM,EAAE,CAAC,OAAO,CACd,GAAG,CAAA;oBACW,MAAM;;yFAE+D,CACpF,CAAA;QACD,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAC7B,CAAC;IAED,KAAK,UAAU,iBAAiB,CAAC,KAAa;QAC5C,MAAM,GAAG,GAAG,MAAM,YAAY,EAAE,CAAA;QAChC,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE;gBAC9C,UAAU,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC;gBACtC,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC,CAAA;YACF,OAAO;gBACL,GAAG,EAAE,OAAO,CAAC,GAAI;gBACjB,GAAG,EAAE,OAAO,CAAC,KAAK,CAAW;gBAC7B,EAAE,EAAE,OAAO,CAAC,IAAI,CAAW;gBAC3B,KAAK,EAAE,OAAO,CAAC,OAAO,CAAyB;aAChD,CAAA;QACH,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,iBAAiB,CAAC,sBAAsB,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,KAAK,UAAU,YAAY,CAAC,EAAM,EAAE,MAAc,EAAE,YAAoB;QACtE,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACvC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC5C,OAAO,MAAM,CAAC,OAAO,KAAK,YAAY,CAAA;QACxC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAC3B,GAAG,CAAA,8DAA8D,MAAM,EAAE,CAC1E,CAAA;QACD,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,CAAE,CAAC,SAAS,CAAY,CAAC,CAAC,CAAC,CAAC,CAAA;QAC5E,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC,CAAA;QACvF,OAAO,cAAc,KAAK,YAAY,CAAA;IACxC,CAAC;IAED,KAAK,UAAU,kBAAkB,CAAC,EAAM;QACtC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAC3B,GAAG,CAAA,2EAA2E,CAC/E,CAAA;QACD,OAAO,IAAI,CAAC,MAAM,CAAA;IACpB,CAAC;IAED,SAAS,eAAe;QACtB,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,MAAM,CAAA;QACzC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAA;QAC3F,CAAC;QACD,OAAO,mBAAmB,CAAC,MAAM,EAAE,MAAM,CAAC,WAAW,IAAI,YAAY,CAAC,CAAA;IACxE,CAAC;IAED,SAAS,gBAAgB;QACvB,OAAO,WAAW,CAAC,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;IACnD,CAAC;IAED,KAAK,UAAU,eAAe,CAC5B,QAAsB,EACtB,EAAM,EACN,IAAwD;QAExD,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,IAAI,CAAC,CAAA;QACxC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,oBAAoB,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAA;QACpG,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAA;IACrE,CAAC;IAED,KAAK,UAAU,WAAW,CACxB,QAAsB,EACtB,EAAM,EACN,OAAoB;QAEpB,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAA;QAClC,MAAM,KAAK,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAA;QACzE,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,CAAC,CAAA;QAC7D,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAA;QACrC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,oBAAoB,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAA;QACpG,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAA;IACrE,CAAC;IAED,KAAK,UAAU,UAAU,CACvB,QAAsB,EACtB,EAAM,EACN,OAAoB;QAEpB,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAA;QAClC,MAAM,KAAK,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAA;QACzE,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,CAAC,CAAA;QAC7D,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAA;QACxC,MAAM,EAAE,CAAC,OAAO,CACd,GAAG,CAAA;+BACsB,SAAS,yBAAyB,CAC5D,CAAA;QACD,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,sBAAsB,CAAC,QAAQ,CAAC,CAAC,CAAA;IACjE,CAAC;IAED,KAAK,UAAU,aAAa,CAC1B,QAAsB,EACtB,EAAM,EACN,MAAc;QAEd,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAA;QAClC,MAAM,SAAS,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;QAC3B,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,sBAAsB,CAAC,QAAQ,CAAC,CAAC,CAAA;IACjE,CAAC;IAED,OAAO;QACL,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,iBAAiB,EAAE,YAAY,EAAE,kBAAkB;QACjG,eAAe,EAAE,WAAW,EAAE,UAAU,EAAE,aAAa;KACxD,CAAA;AACH,CAAC;AAED,MAAM,iBAAiB,GAAG;IACxB,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;CAC9E,CAAA;AAED,SAAS,mBAAmB,CAAC,MAAqB;IAChD,MAAM,QAAQ,GAAa,EAAE,CAAA;IAC7B,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC,OAAO,CAAA;IAEhD,IAAI,UAAU,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAC5B,QAAQ,CAAC,IAAI,CAAC,kFAAkF,CAAC,CAAA;IACnG,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC1B,QAAQ,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAA;IAChG,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,UAAU,GAAG,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA;IACvD,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC/B,QAAQ,CAAC,IAAI,CAAC,kCAAkC,OAAO,iCAAiC,CAAC,CAAA;YACzF,MAAK;QACP,CAAC;IACH,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAClE,QAAQ,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAA;IACrF,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CACb,uEAAuE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM;YACrH,oHAAoH,CACrH,CAAA;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,KAAa;IACpC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;IACjC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAClC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IACxD,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AAC1C,CAAC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,14 @@
+export interface AuthStrategy<TAuth> {
+    readonly name: string;
+    extract(request: AuthRequest): Promise<TAuth | null>;
+    verify(extracted: TAuth): Promise<TAuth>;
+}
+export interface AuthRequest {
+    readonly headers: Readonly<Record<string, string | undefined>>;
+    readonly cookies: Readonly<Record<string, string | undefined>>;
+}
+export interface BaseAuth {
+    readonly userId: string;
+    readonly tenantId: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY,CAAC,KAAK;IACjC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,OAAO,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAA;IACpD,MAAM,CAAC,SAAS,EAAE,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAA;IAC9D,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAA;CAC/D;AAED,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;CAC1B"}

package/dist/auth/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":""}

package/dist/behavior/audited.d.ts

@@ -0,0 +1,5 @@
+import type { ResourceOperations } from '../fixture/types.js';
+import type { AuditedBehaviorConfig } from './types.js';
+import type { Audit } from '../audit/types.js';
+export declare function applyAudited<TAuth>(ops: ResourceOperations<TAuth>, config: AuditedBehaviorConfig | Audit, resourceName: string): ResourceOperations<TAuth>;
+//# sourceMappingURL=audited.d.ts.map

package/dist/behavior/audited.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audited.d.ts","sourceRoot":"","sources":["../../src/behavior/audited.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAc,MAAM,qBAAqB,CAAA;AACzE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAA;AACvD,OAAO,KAAK,EAAE,KAAK,EAAoB,MAAM,mBAAmB,CAAA;AAEhE,wBAAgB,YAAY,CAAC,KAAK,EAChC,GAAG,EAAE,kBAAkB,CAAC,KAAK,CAAC,EAC9B,MAAM,EAAE,qBAAqB,GAAG,KAAK,EACrC,YAAY,EAAE,MAAM,GACnB,kBAAkB,CAAC,KAAK,CAAC,CAkE3B"}

package/dist/behavior/audited.js

@@ -0,0 +1,78 @@
+export function applyAudited(ops, config, resourceName) {
+    const audit = 'emit' in config ? config : config.audit;
+    const isConfig = !('emit' in config);
+    const entityType = isConfig && config.entityType !== undefined
+        ? config.entityType
+        : singularize(resourceName);
+    const prefix = isConfig && config.actionPrefix !== undefined
+        ? config.actionPrefix
+        : entityType;
+    const result = { ...ops };
+    if (ops.create !== undefined) {
+        const original = ops.create;
+        result['create'] = {
+            input: original.input,
+            handler: async (db, auth, tenant, input) => {
+                const created = await original.handler(db, auth, tenant, input);
+                const opts = {
+                    actionType: `${prefix}.created`,
+                    entityType,
+                    entityId: extractEntityId(created),
+                    after: created,
+                };
+                await audit.emit(opts);
+                return created;
+            },
+        };
+    }
+    if (ops.update !== undefined) {
+        const original = ops.update;
+        result['update'] = {
+            input: original.input,
+            handler: async (db, auth, tenant, id, input) => {
+                const before = ops.get !== undefined ? await ops.get(db, auth, tenant, id) : null;
+                const updated = await original.handler(db, auth, tenant, id, input);
+                const opts = {
+                    actionType: `${prefix}.updated`,
+                    entityType,
+                    entityId: id,
+                    before: before ?? undefined,
+                    after: updated,
+                };
+                await audit.emit(opts);
+                return updated;
+            },
+        };
+    }
+    if (ops.delete !== undefined) {
+        const original = ops.delete;
+        result['delete'] = async (db, auth, tenant, id) => {
+            const before = ops.get !== undefined ? await ops.get(db, auth, tenant, id) : null;
+            await original(db, auth, tenant, id);
+            const opts = {
+                actionType: `${prefix}.deleted`,
+                entityType,
+                entityId: id,
+                before: before ?? undefined,
+            };
+            await audit.emit(opts);
+        };
+    }
+    return result;
+}
+function extractEntityId(result) {
+    if (result !== null && typeof result === 'object' && 'id' in result) {
+        return String(result.id);
+    }
+    return 'unknown';
+}
+function singularize(s) {
+    if (s.endsWith('ies'))
+        return s.slice(0, -3) + 'y';
+    if (s.endsWith('ses') || s.endsWith('xes'))
+        return s.slice(0, -2);
+    if (s.endsWith('s') && !s.endsWith('ss'))
+        return s.slice(0, -1);
+    return s;
+}
+//# sourceMappingURL=audited.js.map