npm - sliccy - Versions diffs - 3.40.1 → 3.40.3 - Mend

sliccy 3.40.1 → 3.40.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (230) hide show

package/README.md CHANGED Viewed

@@ -11,7 +11,7 @@ If this scares, confuses, or excites you, keep reading.
 # slicc — Self-Licking Ice Cream Cone
-[![67% Vibe_Coded](https://img.shields.io/badge/67%25-Vibe_Coded-ff69b4?style=for-the-badge&logo=claude&logoColor=white)](https://github.com/ai-ecoverse/vibe-coded-badge-action)
+[![63% Vibe_Coded](https://img.shields.io/badge/63%25-Vibe_Coded-ff69b4?style=for-the-badge&logo=claude&logoColor=white)](https://github.com/ai-ecoverse/vibe-coded-badge-action)
 [![npm](https://img.shields.io/npm/v/sliccy)](https://www.npmjs.com/package/sliccy)

package/dist/node-server/_shared/index.d.ts CHANGED Viewed

@@ -3,4 +3,6 @@ export * from './oauth-extra-domains-storage.js';
 export * from './secret-masking.js';
 export * from './secrets-pipeline.js';
 export * from './session-secret-store.js';
+export * from './sign-and-forward.js';
+export * from './sigv4.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/node-server/_shared/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,cAAc,uBAAuB,CAAC;AACtC,cAAc,kCAAkC,CAAC;AACjD,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,cAAc,uBAAuB,CAAC;AACtC,cAAc,kCAAkC,CAAC;AACjD,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,uBAAuB,CAAC;AACtC,cAAc,YAAY,CAAC"}

package/dist/node-server/_shared/index.js CHANGED Viewed

@@ -4,4 +4,6 @@ export * from './oauth-extra-domains-storage.js';
 export * from './secret-masking.js';
 export * from './secrets-pipeline.js';
 export * from './session-secret-store.js';
+export * from './sign-and-forward.js';
+export * from './sigv4.js';
 //# sourceMappingURL=index.js.map

package/dist/node-server/_shared/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,iFAAiF;AAEjF,cAAc,uBAAuB,CAAC;AACtC,cAAc,kCAAkC,CAAC;AACjD,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,iFAAiF;AAEjF,cAAc,uBAAuB,CAAC;AACtC,cAAc,kCAAkC,CAAC;AACjD,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,uBAAuB,CAAC;AACtC,cAAc,YAAY,CAAC"}

package/dist/node-server/_shared/sign-and-forward.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+/**
+ * Shared sign-and-forward orchestration for S3 and Adobe da.live mounts.
+ *
+ * The browser-side mount backends never compute SigV4 signatures or hold
+ * credentials. They post envelopes through a transport (CLI: HTTP POST to
+ * node-server's `/api/s3-sign-and-forward`; extension: `chrome.runtime`
+ * message to the service worker). All transports ultimately call into this
+ * module, which validates the envelope, resolves credentials via a pluggable
+ * async secret getter, signs (S3) or attaches a Bearer token (DA), forwards
+ * to upstream, and returns a JSON-cloneable reply.
+ *
+ * `executeS3SignAndForward` / `executeDaSignAndForward` are consumed by:
+ *   - `packages/chrome-extension/src/service-worker.ts` (extension path,
+ *     reads from `chrome.storage.local`)
+ *   - `packages/node-server/src/secrets/sign-and-forward.ts` (CLI path,
+ *     wraps these in Express handlers via a SecretStore adapter)
+ *   - tests in `packages/shared-ts/tests/sign-and-forward.test.ts`
+ */
+declare const ALLOWED_METHODS: readonly ["GET", "PUT", "POST", "DELETE", "HEAD"];
+type SignedMethod = (typeof ALLOWED_METHODS)[number];
+export interface S3SignAndForwardEnvelope {
+    profile: string;
+    method: SignedMethod;
+    bucket: string;
+    key: string;
+    query?: Record<string, string>;
+    headers?: Record<string, string>;
+    bodyBase64?: string | null;
+}
+export interface DaSignAndForwardEnvelope {
+    imsToken: string;
+    method: SignedMethod;
+    /** Path including leading slash, e.g. `/source/<org>/<repo>/<key>`. */
+    path: string;
+    query?: Record<string, string>;
+    headers?: Record<string, string>;
+    bodyBase64?: string | null;
+}
+export type SignAndForwardErrorCode = 'invalid_profile' | 'invalid_request' | 'profile_not_configured' | 'fetch_failed' | 'internal';
+export interface SignAndForwardSuccess {
+    ok: true;
+    status: number;
+    headers: Record<string, string>;
+    bodyBase64: string;
+}
+export interface SignAndForwardFailure {
+    ok: false;
+    error: string;
+    errorCode: SignAndForwardErrorCode;
+}
+export type SignAndForwardReply = SignAndForwardSuccess | SignAndForwardFailure;
+/**
+ * Async secret getter — async to support `chrome.storage.local` directly.
+ * Returns `undefined` for missing keys.
+ */
+export interface SecretGetter {
+    get(key: string): Promise<string | undefined>;
+}
+/**
+ * S3 sign-and-forward. See module header for the architecture context.
+ *
+ * @param env       Validated envelope from a transport layer.
+ * @param store     Async secret getter (chrome.storage in SW; mock in tests).
+ * @param fetchImpl Injectable fetch — defaults to `globalThis.fetch`.
+ */
+export declare function executeS3SignAndForward(env: Partial<S3SignAndForwardEnvelope> | undefined, store: SecretGetter, fetchImpl?: typeof fetch): Promise<SignAndForwardReply>;
+/**
+ * DA sign-and-forward. The IMS bearer token is passed transiently in the
+ * envelope (the browser already holds it via the existing Adobe LLM
+ * provider OAuth flow). Routing through this module gives architectural
+ * parity with S3 and a clean migration point for v2 server-side OAuth.
+ */
+export declare function executeDaSignAndForward(env: Partial<DaSignAndForwardEnvelope> | undefined, fetchImpl?: typeof fetch): Promise<SignAndForwardReply>;
+export {};
+//# sourceMappingURL=sign-and-forward.d.ts.map

package/dist/node-server/_shared/sign-and-forward.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sign-and-forward.d.ts","sourceRoot":"","sources":["../src/sign-and-forward.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAMH,QAAA,MAAM,eAAe,mDAAoD,CAAC;AAC1E,KAAK,YAAY,GAAG,CAAC,OAAO,eAAe,CAAC,CAAC,MAAM,CAAC,CAAC;AAiBrD,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,YAAY,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,YAAY,CAAC;IACrB,uEAAuE;IACvE,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,MAAM,uBAAuB,GAC/B,iBAAiB,GACjB,iBAAiB,GACjB,wBAAwB,GACxB,cAAc,GACd,UAAU,CAAC;AAEf,MAAM,WAAW,qBAAqB;IACpC,EAAE,EAAE,IAAI,CAAC;IACT,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,qBAAqB;IACpC,EAAE,EAAE,KAAK,CAAC;IACV,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,uBAAuB,CAAC;CACpC;AAED,MAAM,MAAM,mBAAmB,GAAG,qBAAqB,GAAG,qBAAqB,CAAC;AAEhF;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;CAC/C;AA2ID;;;;;;GAMG;AACH,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,OAAO,CAAC,wBAAwB,CAAC,GAAG,SAAS,EAClD,KAAK,EAAE,YAAY,EACnB,SAAS,GAAE,OAAO,KAAa,GAC9B,OAAO,CAAC,mBAAmB,CAAC,CAsF9B;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,OAAO,CAAC,wBAAwB,CAAC,GAAG,SAAS,EAClD,SAAS,GAAE,OAAO,KAAa,GAC9B,OAAO,CAAC,mBAAmB,CAAC,CA6D9B"}

package/dist/node-server/_shared/sign-and-forward.js ADDED Viewed

@@ -0,0 +1,278 @@
+/**
+ * Shared sign-and-forward orchestration for S3 and Adobe da.live mounts.
+ *
+ * The browser-side mount backends never compute SigV4 signatures or hold
+ * credentials. They post envelopes through a transport (CLI: HTTP POST to
+ * node-server's `/api/s3-sign-and-forward`; extension: `chrome.runtime`
+ * message to the service worker). All transports ultimately call into this
+ * module, which validates the envelope, resolves credentials via a pluggable
+ * async secret getter, signs (S3) or attaches a Bearer token (DA), forwards
+ * to upstream, and returns a JSON-cloneable reply.
+ *
+ * `executeS3SignAndForward` / `executeDaSignAndForward` are consumed by:
+ *   - `packages/chrome-extension/src/service-worker.ts` (extension path,
+ *     reads from `chrome.storage.local`)
+ *   - `packages/node-server/src/secrets/sign-and-forward.ts` (CLI path,
+ *     wraps these in Express handlers via a SecretStore adapter)
+ *   - tests in `packages/shared-ts/tests/sign-and-forward.test.ts`
+ */
+import { signSigV4 } from './sigv4.js';
+// ---------------- envelope contract ----------------
+const ALLOWED_METHODS = ['GET', 'PUT', 'POST', 'DELETE', 'HEAD'];
+const PROFILE_NAME_REGEX = /^[a-zA-Z0-9._-]+$/;
+const HOP_BY_HOP = new Set([
+    'connection',
+    'keep-alive',
+    'proxy-authenticate',
+    'proxy-authorization',
+    'te',
+    'trailer',
+    'transfer-encoding',
+    'upgrade',
+]);
+const DA_ORIGIN = 'https://admin.da.live';
+function nodeBuffer() {
+    return globalThis.Buffer;
+}
+function decodeBase64(b64) {
+    // Node fast-path: Buffer.from decodes the multi-MB S3 mount payloads the CLI
+    // float moves far faster than the per-byte atob loop. Feature-detected so the
+    // browser and extension service-worker bundles (no Buffer global) fall back to
+    // the universal path. Buffer extends Uint8Array, so the return type holds.
+    const B = nodeBuffer();
+    if (B) {
+        return B.from(b64, 'base64');
+    }
+    // atob is a global in browsers, extension service workers, and Node 22+.
+    const binary = atob(b64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+function encodeBase64(bytes) {
+    // Node fast-path — see decodeBase64.
+    const B = nodeBuffer();
+    if (B) {
+        return B.from(bytes).toString('base64');
+    }
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+}
+function isAllowedMethod(m) {
+    return typeof m === 'string' && ALLOWED_METHODS.includes(m);
+}
+class ProfileNotConfiguredError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ProfileNotConfiguredError';
+    }
+}
+async function resolveS3Profile(name, store) {
+    const accessKeyId = await store.get(`s3.${name}.access_key_id`);
+    const secretAccessKey = await store.get(`s3.${name}.secret_access_key`);
+    if (!accessKeyId) {
+        throw new ProfileNotConfiguredError(`profile '${name}' missing required field 'access_key_id'. ` +
+            `Set it via: secret set s3.${name}.access_key_id <value>`);
+    }
+    if (!secretAccessKey) {
+        throw new ProfileNotConfiguredError(`profile '${name}' missing required field 'secret_access_key'. ` +
+            `Set it via: secret set s3.${name}.secret_access_key <value>`);
+    }
+    return {
+        accessKeyId,
+        secretAccessKey,
+        sessionToken: await store.get(`s3.${name}.session_token`),
+        region: (await store.get(`s3.${name}.region`)) ?? 'us-east-1',
+        endpoint: await store.get(`s3.${name}.endpoint`),
+        pathStyle: (await store.get(`s3.${name}.path_style`)) === 'true',
+    };
+}
+function buildS3Url(profile, bucket, key, query) {
+    let host;
+    if (profile.endpoint) {
+        try {
+            host = new URL(profile.endpoint).host;
+        }
+        catch {
+            throw new Error(`profile endpoint is not a valid URL: ${profile.endpoint}`);
+        }
+    }
+    else {
+        host = `s3.${profile.region}.amazonaws.com`;
+    }
+    const encodedKey = key.split('/').map(encodeURIComponent).join('/');
+    const encodedBucket = encodeURIComponent(bucket);
+    const pathPart = profile.pathStyle ? `${encodedBucket}/${encodedKey}` : encodedKey;
+    const hostPart = profile.pathStyle ? host : `${encodedBucket}.${host}`;
+    const url = new URL(`https://${hostPart}/${pathPart}`);
+    if (query) {
+        for (const [k, v] of Object.entries(query)) {
+            url.searchParams.set(k, v);
+        }
+    }
+    return url;
+}
+function passthroughHeaders(upstream) {
+    const out = {};
+    upstream.headers.forEach((value, key) => {
+        if (!HOP_BY_HOP.has(key.toLowerCase())) {
+            out[key] = value;
+        }
+    });
+    return out;
+}
+// ---------------- orchestrators ----------------
+/**
+ * S3 sign-and-forward. See module header for the architecture context.
+ *
+ * @param env       Validated envelope from a transport layer.
+ * @param store     Async secret getter (chrome.storage in SW; mock in tests).
+ * @param fetchImpl Injectable fetch — defaults to `globalThis.fetch`.
+ */
+export async function executeS3SignAndForward(env, store, fetchImpl = fetch) {
+    if (typeof env?.profile !== 'string' ||
+        env.profile.length === 0 ||
+        !PROFILE_NAME_REGEX.test(env.profile)) {
+        return {
+            ok: false,
+            error: 'invalid profile name (allowed: alphanumeric, dot, underscore, hyphen)',
+            errorCode: 'invalid_profile',
+        };
+    }
+    if (!isAllowedMethod(env.method)) {
+        return { ok: false, error: 'invalid method', errorCode: 'invalid_request' };
+    }
+    if (typeof env.bucket !== 'string' || env.bucket.length === 0) {
+        return { ok: false, error: 'invalid bucket', errorCode: 'invalid_request' };
+    }
+    if (typeof env.key !== 'string') {
+        return { ok: false, error: 'invalid key', errorCode: 'invalid_request' };
+    }
+    let profile;
+    try {
+        profile = await resolveS3Profile(env.profile, store);
+    }
+    catch (err) {
+        if (err instanceof ProfileNotConfiguredError) {
+            return { ok: false, error: err.message, errorCode: 'profile_not_configured' };
+        }
+        throw err;
+    }
+    let url;
+    try {
+        url = buildS3Url(profile, env.bucket, env.key, env.query);
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: err instanceof Error ? err.message : 'failed to build URL',
+            errorCode: 'invalid_request',
+        };
+    }
+    const body = typeof env.bodyBase64 === 'string' && env.bodyBase64.length > 0
+        ? decodeBase64(env.bodyBase64)
+        : undefined;
+    const signed = await signSigV4({
+        method: env.method,
+        url,
+        headers: { ...(env.headers ?? {}), Host: url.host },
+        body,
+    }, {
+        accessKeyId: profile.accessKeyId,
+        secretAccessKey: profile.secretAccessKey,
+        sessionToken: profile.sessionToken,
+    }, profile.region, 's3');
+    let upstream;
+    try {
+        upstream = await fetchImpl(url.toString(), {
+            method: signed.method,
+            headers: signed.headers,
+            body: signed.body,
+        });
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: `S3 fetch failed: ${err instanceof Error ? err.message : String(err)}`,
+            errorCode: 'fetch_failed',
+        };
+    }
+    const upstreamBody = new Uint8Array(await upstream.arrayBuffer());
+    return {
+        ok: true,
+        status: upstream.status,
+        headers: passthroughHeaders(upstream),
+        bodyBase64: encodeBase64(upstreamBody),
+    };
+}
+/**
+ * DA sign-and-forward. The IMS bearer token is passed transiently in the
+ * envelope (the browser already holds it via the existing Adobe LLM
+ * provider OAuth flow). Routing through this module gives architectural
+ * parity with S3 and a clean migration point for v2 server-side OAuth.
+ */
+export async function executeDaSignAndForward(env, fetchImpl = fetch) {
+    if (typeof env?.imsToken !== 'string' || env.imsToken.length === 0) {
+        return { ok: false, error: 'imsToken is required', errorCode: 'invalid_request' };
+    }
+    if (!isAllowedMethod(env.method)) {
+        return { ok: false, error: 'invalid method', errorCode: 'invalid_request' };
+    }
+    if (typeof env.path !== 'string' || !env.path.startsWith('/')) {
+        return {
+            ok: false,
+            error: 'path must be a string starting with /',
+            errorCode: 'invalid_request',
+        };
+    }
+    let url;
+    try {
+        url = new URL(DA_ORIGIN + env.path);
+        if (env.query) {
+            for (const [k, v] of Object.entries(env.query)) {
+                url.searchParams.set(k, v);
+            }
+        }
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: err instanceof Error ? err.message : 'failed to build URL',
+            errorCode: 'invalid_request',
+        };
+    }
+    const body = typeof env.bodyBase64 === 'string' && env.bodyBase64.length > 0
+        ? decodeBase64(env.bodyBase64)
+        : undefined;
+    let upstream;
+    try {
+        upstream = await fetchImpl(url.toString(), {
+            method: env.method,
+            headers: {
+                ...(env.headers ?? {}),
+                Authorization: `Bearer ${env.imsToken}`,
+            },
+            body: body,
+        });
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: `DA fetch failed: ${err instanceof Error ? err.message : String(err)}`,
+            errorCode: 'fetch_failed',
+        };
+    }
+    const upstreamBody = new Uint8Array(await upstream.arrayBuffer());
+    return {
+        ok: true,
+        status: upstream.status,
+        headers: passthroughHeaders(upstream),
+        bodyBase64: encodeBase64(upstreamBody),
+    };
+}
+//# sourceMappingURL=sign-and-forward.js.map

package/dist/node-server/_shared/sign-and-forward.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sign-and-forward.js","sourceRoot":"","sources":["../src/sign-and-forward.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,sDAAsD;AAEtD,MAAM,eAAe,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAU,CAAC;AAG1E,MAAM,kBAAkB,GAAG,mBAAmB,CAAC;AAE/C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,YAAY;IACZ,YAAY;IACZ,oBAAoB;IACpB,qBAAqB;IACrB,IAAI;IACJ,SAAS;IACT,mBAAmB;IACnB,SAAS;CACV,CAAC,CAAC;AAEH,MAAM,SAAS,GAAG,uBAAuB,CAAC;AAwE1C,SAAS,UAAU;IACjB,OAAQ,UAA0C,CAAC,MAAM,CAAC;AAC5D,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,6EAA6E;IAC7E,8EAA8E;IAC9E,+EAA+E;IAC/E,2EAA2E;IAC3E,MAAM,CAAC,GAAG,UAAU,EAAE,CAAC;IACvB,IAAI,CAAC,EAAE,CAAC;QACN,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAC/B,CAAC;IACD,yEAAyE;IACzE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CAAC,KAAiB;IACrC,qCAAqC;IACrC,MAAM,CAAC,GAAG,UAAU,EAAE,CAAC;IACvB,IAAI,CAAC,EAAE,CAAC;QACN,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,eAAe,CAAC,CAAU;IACjC,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAK,eAAqC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AACrF,CAAC;AAED,MAAM,yBAA0B,SAAQ,KAAK;IAC3C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;IAC1C,CAAC;CACF;AAED,KAAK,UAAU,gBAAgB,CAAC,IAAY,EAAE,KAAmB;IAC/D,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,IAAI,gBAAgB,CAAC,CAAC;IAChE,MAAM,eAAe,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,IAAI,oBAAoB,CAAC,CAAC;IAExE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,yBAAyB,CACjC,YAAY,IAAI,4CAA4C;YAC1D,6BAA6B,IAAI,wBAAwB,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,IAAI,yBAAyB,CACjC,YAAY,IAAI,gDAAgD;YAC9D,6BAA6B,IAAI,4BAA4B,CAChE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,WAAW;QACX,eAAe;QACf,YAAY,EAAE,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,IAAI,gBAAgB,CAAC;QACzD,MAAM,EAAE,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,IAAI,SAAS,CAAC,CAAC,IAAI,WAAW;QAC7D,QAAQ,EAAE,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,IAAI,WAAW,CAAC;QAChD,SAAS,EAAE,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,IAAI,aAAa,CAAC,CAAC,KAAK,MAAM;KACjE,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CACjB,OAAkB,EAClB,MAAc,EACd,GAAW,EACX,KAA8B;IAE9B,IAAI,IAAY,CAAC;IACjB,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,wCAAwC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,MAAM,OAAO,CAAC,MAAM,gBAAgB,CAAC;IAC9C,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpE,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAEjD,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,aAAa,IAAI,UAAU,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC;IACnF,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,aAAa,IAAI,IAAI,EAAE,CAAC;IACvE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,QAAQ,IAAI,QAAQ,EAAE,CAAC,CAAC;IAEvD,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAkB;IAC5C,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACtC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACvC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,GAAG,CAAC;AACb,CAAC;AAED,kDAAkD;AAElD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAkD,EAClD,KAAmB,EACnB,YAA0B,KAAK;IAE/B,IACE,OAAO,GAAG,EAAE,OAAO,KAAK,QAAQ;QAChC,GAAG,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;QACxB,CAAC,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EACrC,CAAC;QACD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,uEAAuE;YAC9E,SAAS,EAAE,iBAAiB;SAC7B,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,SAAS,EAAE,iBAAiB,EAAE,CAAC;IAC9E,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,SAAS,EAAE,iBAAiB,EAAE,CAAC;IAC9E,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,iBAAiB,EAAE,CAAC;IAC3E,CAAC;IAED,IAAI,OAAkB,CAAC;IACvB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,gBAAgB,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,yBAAyB,EAAE,CAAC;YAC7C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC;QAChF,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;IAC5D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,qBAAqB;YACjE,SAAS,EAAE,iBAAiB;SAC7B,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GACR,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;QAC7D,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC;QAC9B,CAAC,CAAC,SAAS,CAAC;IAEhB,MAAM,MAAM,GAAG,MAAM,SAAS,CAC5B;QACE,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,GAAG;QACH,OAAO,EAAE,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE;QACnD,IAAI;KACL,EACD;QACE,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,eAAe,EAAE,OAAO,CAAC,eAAe;QACxC,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,EACD,OAAO,CAAC,MAAM,EACd,IAAI,CACL,CAAC;IAEF,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;YACzC,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,MAAM,CAAC,IAA2B;SACzC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,oBAAoB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YAC7E,SAAS,EAAE,cAAc;SAC1B,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;IAClE,OAAO;QACL,EAAE,EAAE,IAAI;QACR,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,OAAO,EAAE,kBAAkB,CAAC,QAAQ,CAAC;QACrC,UAAU,EAAE,YAAY,CAAC,YAAY,CAAC;KACvC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAkD,EAClD,YAA0B,KAAK;IAE/B,IAAI,OAAO,GAAG,EAAE,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,SAAS,EAAE,iBAAiB,EAAE,CAAC;IACpF,CAAC;IACD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,SAAS,EAAE,iBAAiB,EAAE,CAAC;IAC9E,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9D,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,uCAAuC;YAC9C,SAAS,EAAE,iBAAiB;SAC7B,CAAC;IACJ,CAAC;IAED,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YACd,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC/C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,qBAAqB;YACjE,SAAS,EAAE,iBAAiB;SAC7B,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GACR,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;QAC7D,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC;QAC9B,CAAC,CAAC,SAAS,CAAC;IAEhB,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;YACzC,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,OAAO,EAAE;gBACP,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;gBACtB,aAAa,EAAE,UAAU,GAAG,CAAC,QAAQ,EAAE;aACxC;YACD,IAAI,EAAE,IAA2B;SAClC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,oBAAoB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YAC7E,SAAS,EAAE,cAAc;SAC1B,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;IAClE,OAAO;QACL,EAAE,EAAE,IAAI;QACR,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,OAAO,EAAE,kBAAkB,CAAC,QAAQ,CAAC;QACrC,UAAU,EAAE,YAAY,CAAC,YAAY,CAAC;KACvC,CAAC;AACJ,CAAC"}

package/dist/node-server/_shared/sigv4.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * AWS SigV4 v4 signing — single platform-agnostic implementation.
+ *
+ * Pure function — given a request + credentials + region + service + clock,
+ * produces the same request with an `Authorization` header attached. Uses
+ * Web Crypto (`crypto.subtle`) which works in browsers, extension service
+ * workers, extension offscreen documents, and Node 22+ (where it lives on
+ * `globalThis.crypto`).
+ *
+ * Consumed via `@slicc/shared-ts` by the webapp/extension mount backends and
+ * the node-server sign-and-forward handlers. Verified against the canonical
+ * AWS SigV4 v4 test vectors in `packages/shared-ts/tests/sigv4.test.ts`.
+ */
+export interface SigV4Request {
+    method: 'GET' | 'PUT' | 'POST' | 'DELETE' | 'HEAD';
+    url: URL;
+    headers: Record<string, string>;
+    body?: Uint8Array;
+}
+export interface SigV4Credentials {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken?: string;
+}
+export declare function signSigV4(req: SigV4Request, creds: SigV4Credentials, region: string, service?: string, now?: Date): Promise<SigV4Request>;
+//# sourceMappingURL=sigv4.d.ts.map

package/dist/node-server/_shared/sigv4.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sigv4.d.ts","sourceRoot":"","sources":["../src/sigv4.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,KAAK,GAAG,KAAK,GAAG,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC;IACnD,GAAG,EAAE,GAAG,CAAC;IACT,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAyGD,wBAAsB,SAAS,CAC7B,GAAG,EAAE,YAAY,EACjB,KAAK,EAAE,gBAAgB,EACvB,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,MAAa,EACtB,GAAG,GAAE,IAAiB,GACrB,OAAO,CAAC,YAAY,CAAC,CA8DvB"}

package/dist/node-server/{secrets/signing-s3.js → _shared/sigv4.js} RENAMED Viewed

@@ -1,24 +1,15 @@
 /**
- * AWS SigV4 v4 signing — node-server copy.
- *
- * **Mirrored from `packages/webapp/src/fs/mount/signing-s3.ts`.** Both files
- * are byte-for-byte equivalent in behavior and must stay in sync. The reason
- * for two copies is that `tsconfig.cli.json` pins `rootDir` to
- * `packages/node-server/src`, so cross-importing the webapp source under
- * NodeNext resolution is rejected by the compiler. Sharing via a workspace
- * package is a larger change than this PR's scope.
- *
- * Drift between the two copies is caught by both test suites running the
- * same canonical AWS test vectors:
- *  - `packages/webapp/tests/fs/mount/signing-s3.test.ts`
- *  - `packages/node-server/tests/secrets/signing-s3.test.ts`
- *
- * If you change one, change the other and verify both test suites pass.
+ * AWS SigV4 v4 signing — single platform-agnostic implementation.
  *
  * Pure function — given a request + credentials + region + service + clock,
  * produces the same request with an `Authorization` header attached. Uses
  * Web Crypto (`crypto.subtle`) which works in browsers, extension service
- * workers, and Node 22+ (where it lives on `globalThis.crypto`).
+ * workers, extension offscreen documents, and Node 22+ (where it lives on
+ * `globalThis.crypto`).
+ *
+ * Consumed via `@slicc/shared-ts` by the webapp/extension mount backends and
+ * the node-server sign-and-forward handlers. Verified against the canonical
+ * AWS SigV4 v4 test vectors in `packages/shared-ts/tests/sigv4.test.ts`.
  */
 const SIGNED_ALGORITHM = 'AWS4-HMAC-SHA256';
 const EMPTY_BODY_HASH = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';
@@ -139,3 +130,4 @@ export async function signSigV4(req, creds, region, service = 's3', now = new Da
         },
     };
 }
+//# sourceMappingURL=sigv4.js.map

package/dist/node-server/_shared/sigv4.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sigv4.js","sourceRoot":"","sources":["../src/sigv4.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAeH,MAAM,gBAAgB,GAAG,kBAAkB,CAAC;AAC5C,MAAM,eAAe,GAAG,kEAAkE,CAAC;AAE3F,SAAS,GAAG,CAAC,KAA+B;IAC1C,MAAM,IAAI,GAAG,KAAK,YAAY,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IACzE,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AASD,KAAK,UAAU,MAAM,CAAC,IAAgB;IACpC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAkB,CAAC,CAAC;IACzE,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC;AACrB,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,GAA6B,EAAE,IAAY;IACnE,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAK,EACL,GAA+B,EAC/B,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACF,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,GAAG,CAAC,CAAO;IAClB,MAAM,GAAG,GAAG,CAAC,CAAS,EAAU,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACjE,OAAO,GAAG,CAAC,CAAC,cAAc,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,EAAE,CAAC;AAClF,CAAC;AAED,SAAS,OAAO,CAAC,CAAO;IACtB,MAAM,GAAG,GAAG,CAAC,CAAS,EAAU,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACjE,OAAO,CACL,GAAG,CAAC,CAAC,cAAc,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,EAAE;QACxE,IAAI,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC,GAAG,CAC9E,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,YAAY,CAAC,GAAQ;IAC5B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACjC,kBAAkB,CAAC,CAAC,CAAC,CAAC,OAAO,CAC3B,UAAU,EACV,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,CACxD,CACF,CAAC;IACF,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,GAAQ;IAC9B,MAAM,MAAM,GAAuB,EAAE,CAAC;IACtC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,EAAE,CAAC;QAChD,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CACjC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAChE,CAAC;IACF,OAAO,MAAM;SACV,GAAG,CACF,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CACT,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,kBAAkB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,CAClG;SACA,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,OAA+B;IAIvD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CACzC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAqB,CACjF,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACjD,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC;AAC/B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,GAAiB,EACjB,KAAuB,EACvB,MAAc,EACd,UAAkB,IAAI,EACtB,MAAY,IAAI,IAAI,EAAE;IAEtB,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACtB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAE9B,MAAM,SAAS,GAAG,GAAG,CAAC,IAAI,IAAI,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,SAAS,CAAC,UAAU,KAAK,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;IAExF,MAAM,OAAO,GAA2B;QACtC,GAAG,GAAG,CAAC,OAAO;QACd,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI;QAC1D,YAAY,EAAE,QAAQ;KACvB,CAAC;IACF,yEAAyE;IACzE,uEAAuE;IACvE,0EAA0E;IAC1E,sCAAsC;IACtC,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,OAAO,CAAC,sBAAsB,CAAC,GAAG,QAAQ,CAAC;IAC7C,CAAC;IACD,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;QACvB,OAAO,CAAC,sBAAsB,CAAC,GAAG,KAAK,CAAC,YAAY,CAAC;IACvD,CAAC;IACD,uEAAuE;IACvE,oCAAoC;IACpC,OAAO,OAAO,CAAC,IAAI,CAAC;IAEpB,MAAM,EAAE,SAAS,EAAE,mBAAmB,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAC5F,MAAM,gBAAgB,GAAG;QACvB,GAAG,CAAC,MAAM;QACV,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC;QACrB,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC;QACvB,mBAAmB;QACnB,aAAa;QACb,QAAQ;KACT,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,MAAM,eAAe,GAAG,GAAG,IAAI,IAAI,MAAM,IAAI,OAAO,eAAe,CAAC;IACpE,MAAM,YAAY,GAAG;QACnB,gBAAgB;QAChB,QAAQ;QACR,eAAe;QACf,MAAM,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;KACzD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,0DAA0D;IAC1D,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,KAAK,CAAC,eAAe,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC;IAC/F,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,UAAU,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;IAEhE,MAAM,aAAa,GACjB,GAAG,gBAAgB,eAAe,KAAK,CAAC,WAAW,IAAI,eAAe,IAAI;QAC1E,iBAAiB,aAAa,eAAe,SAAS,EAAE,CAAC;IAE3D,OAAO;QACL,GAAG,GAAG;QACN,OAAO,EAAE;YACP,GAAG,OAAO;YACV,aAAa,EAAE,aAAa;SAC7B;KACF,CAAC;AACJ,CAAC"}

package/dist/node-server/secrets/sign-and-forward.d.ts CHANGED Viewed

@@ -11,36 +11,17 @@
  *  4. Sign with SigV4 v4 (S3) or attach `Authorization: Bearer` (DA).
  *  5. Forward to the upstream and return the response as a JSON envelope.
  *
+ * The validate → resolve → sign → forward pipeline is shared with the
+ * extension service worker via `@slicc/shared-ts`. These handlers are thin
+ * Express adapters: they bridge the node-server `SecretStore` to the shared
+ * async `SecretGetter`, then map the structured reply onto an HTTP response.
+ *
  * Logging contract: never log envelope contents — request bodies or the
  * `imsToken` may contain credential material.
  */
 import type { Request, Response } from 'express';
 import type { SecretStore } from './types.js';
-/** Methods we permit through the signed proxies. */
-declare const ALLOWED_METHODS: readonly ["GET", "PUT", "POST", "DELETE", "HEAD"];
-type SignedMethod = (typeof ALLOWED_METHODS)[number];
-export interface S3SignAndForwardEnvelope {
-    profile: string;
-    method: SignedMethod;
-    bucket: string;
-    /** S3 key (the prefix is already baked in by the backend). */
-    key: string;
-    query?: Record<string, string>;
-    /** Extra headers from the backend (If-Match, Content-Type, ...). */
-    headers?: Record<string, string>;
-    /** Request body, base64-encoded. Null/absent for GET/HEAD/DELETE/listing. */
-    bodyBase64?: string | null;
-}
-export interface DaSignAndForwardEnvelope {
-    /** IMS bearer token, passed transiently. Never persisted server-side. */
-    imsToken: string;
-    method: SignedMethod;
-    /** Path including leading slash, e.g. `/source/<org>/<repo>/<key>`. */
-    path: string;
-    query?: Record<string, string>;
-    headers?: Record<string, string>;
-    bodyBase64?: string | null;
-}
+export type { DaSignAndForwardEnvelope, S3SignAndForwardEnvelope } from '../_shared/index.js';
 /**
  * Handle a `POST /api/s3-sign-and-forward` request. Validates the envelope,
  * resolves credentials, signs, forwards, returns a JSON envelope.
@@ -60,4 +41,3 @@ export declare function handleS3SignAndForward(req: Request, res: Response, secr
  * place to tighten the threat model in v2 (server-side OAuth).
  */
 export declare function handleDaSignAndForward(req: Request, res: Response): Promise<void>;
-export {};