webdaemon 11.4.2 → 11.4.3

package/dist/index.js

@@ -0,0 +1,1627 @@
+var __defProp = Object.defineProperty;
+var __defProps = Object.defineProperties;
+var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
+var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
+var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
+var __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "access private method"), method);
+var __async = (__this, __arguments, generator) => {
+  return new Promise((resolve, reject) => {
+    var fulfilled = (value) => {
+      try {
+        step(generator.next(value));
+      } catch (e) {
+        reject(e);
+      }
+    };
+    var rejected = (value) => {
+      try {
+        step(generator.throw(value));
+      } catch (e) {
+        reject(e);
+      }
+    };
+    var step = (x) => x.done ? resolve(x.value) : Promise.resolve(x.value).then(fulfilled, rejected);
+    step((generator = generator.apply(__this, __arguments)).next());
+  });
+};
+
+// js/Digest.js
+function shortSafeDigest(message, length = 0) {
+  return __async(this, null, function* () {
+    const msgUint8 = new TextEncoder().encode(message);
+    if (!crypto.subtle) {
+      throw "Requires secure origin (localhost or https:)";
+    }
+    const hashBuffer = yield crypto.subtle.digest("SHA-1", msgUint8);
+    const hashArray = new Uint8Array(hashBuffer);
+    const byteString = String.fromCodePoint(...hashArray);
+    const base64 = btoa(byteString);
+    const base64Safe = base64.replaceAll("+", "-").replaceAll("/", "_").replaceAll("=", "");
+    return length ? base64Safe.substring(0, length) : base64Safe;
+  });
+}
+function shortHexDigest(message, length = 0) {
+  return __async(this, null, function* () {
+    const msgUint8 = new TextEncoder().encode(message);
+    if (!crypto.subtle) {
+      throw "Requires secure origin (localhost or https:)";
+    }
+    const hashBuffer = yield crypto.subtle.digest("SHA-1", msgUint8);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+    return length ? hashHex.substring(0, length) : hashHex;
+  });
+}
+
+// js/KeyPair.js
+var DEFAULT_ALGORITHM = {
+  name: "RSASSA-PKCS1-v1_5",
+  modulusLength: 2048,
+  publicExponent: new Uint8Array([1, 0, 1]),
+  hash: "SHA-256"
+};
+var _algorithm, _keypair;
+var KeyPair = class {
+  constructor(algorithm = DEFAULT_ALGORITHM) {
+    __privateAdd(this, _algorithm);
+    __privateAdd(this, _keypair);
+    __privateSet(this, _algorithm, algorithm);
+    if (!crypto.subtle) {
+      throw "Crypto.subtle requires secure environment";
+    }
+  }
+  generate() {
+    return __async(this, null, function* () {
+      __privateSet(this, _keypair, yield crypto.subtle.generateKey(
+        __privateGet(this, _algorithm),
+        true,
+        ["sign", "verify"]
+      ));
+    });
+  }
+  publicJwk() {
+    return __async(this, null, function* () {
+      const publicKey = __privateGet(this, _keypair).publicKey;
+      const publicJwk = yield crypto.subtle.exportKey("jwk", publicKey);
+      return publicJwk;
+    });
+  }
+  privateJwk() {
+    return __async(this, null, function* () {
+      const privateKey = __privateGet(this, _keypair).privateKey;
+      const privateJwk = yield crypto.subtle.exportKey("jwk", privateKey);
+      return privateJwk;
+    });
+  }
+};
+_algorithm = new WeakMap();
+_keypair = new WeakMap();
+
+// js/Token.js
+var ALGORITHM = {
+  name: "RSASSA-PKCS1-v1_5",
+  hash: "SHA-256"
+};
+var MATCH_ORIGIN = /https?:\/\/[^\/]+$/;
+var TOKEN_IAT_LEEWAY_MILLIS = 1e3 * 30;
+var _payload, _signatureBase64, _audUrl, _subUrl, _srcUrl, _signatory;
+var _Token = class _Token {
+  // Set upon successful verification of signature.
+  /**
+   * Constructor takes either a signed base64 token, or a payload object.
+   *
+   * If successful, the payload and optionally the signature fields are
+   * populated.
+   *
+   * @param {object | string} source a payload, or a base64 token
+   */
+  constructor(source) {
+    // Specification per String.split() function.
+    /** @type{Token} */
+    __privateAdd(this, _payload, null);
+    /** @type{string} */
+    __privateAdd(this, _signatureBase64, null);
+    /** @type{URL} */
+    __privateAdd(this, _audUrl);
+    /** @type{URL} */
+    __privateAdd(this, _subUrl);
+    /** @type{URL} */
+    __privateAdd(this, _srcUrl);
+    /** @type {Signatory} */
+    __privateAdd(this, _signatory);
+    let payload = null;
+    if (typeof source == "object") {
+      payload = source;
+    } else if (typeof source == "string") {
+      try {
+        payload = JSON.parse(atob(source));
+      } catch (_e) {
+        throw "Invalid token format";
+      }
+    } else {
+      throw `Cannot construct token from ${typeof source}`;
+    }
+    __privateSet(this, _signatureBase64, payload.sig);
+    delete payload.sig;
+    __privateSet(this, _payload, payload);
+    const {
+      iss,
+      aud,
+      sub,
+      src,
+      scope,
+      iat,
+      exp
+    } = payload;
+    if (!iss || !aud || !sub || !src || !scope || !iat || !exp) {
+      throw "Token must include iss, aud, sub, src, scope, iat and exp";
+    }
+    if (!aud.match(MATCH_ORIGIN) || !sub.match(MATCH_ORIGIN)) {
+      throw "The aud and sub attributes must be origins";
+    }
+    __privateSet(this, _audUrl, new URL(aud));
+    __privateSet(this, _subUrl, new URL(sub));
+    if (src.includes("?") || src.includes("#")) {
+      throw "The src attribute must have no query or fragment component.";
+    }
+    __privateSet(this, _srcUrl, new URL(src));
+    __privateSet(this, _payload, payload);
+  }
+  /**
+   * Generates the signature for the object using the private key provided by the
+   * supplied callback and stores the result.
+   *
+   * @param {Promise<JsonWebKey>} privateJwkPromise the private key used for signing.
+   * @return {Promise<string>} resolved with the base64 signature if signed successfully.
+   */
+  signWith(privateJwkPromise) {
+    return __async(this, null, function* () {
+      if (__privateGet(this, _payload) == null) {
+        throw "No payload to sign";
+      }
+      const privateJwk = yield privateJwkPromise;
+      const privateKey = yield crypto.subtle.importKey("jwk", privateJwk, ALGORITHM, true, ["sign"]);
+      const toSign = JSON.stringify(__privateGet(this, _payload));
+      const messageBuffer = new TextEncoder().encode(toSign).buffer;
+      const signature = yield crypto.subtle.sign(ALGORITHM, privateKey, messageBuffer);
+      const signatureBase64 = _Token.bytesToBase64(new Uint8Array(signature));
+      __privateSet(this, _signatureBase64, signatureBase64);
+      return signatureBase64;
+    });
+  }
+  /**
+   * Retrieves the signatory using the `iss` field, checks the signature
+   * and if valid sets the signatory property in this instance.
+   *
+   * @throws {string} if signatory cannot be retrieved or signature doesn't match.
+   */
+  verifySignatory() {
+    return __async(this, null, function* () {
+      yield this.fetchSignatory();
+      yield this.checkSignature(Promise.resolve(__privateGet(this, _signatory).jwk));
+    });
+  }
+  /**
+   * Fetches the signatory from the `iss` URL, setting the instance
+   * property.
+   *
+   * The signatory comprises the `role` label and  the public `jwk`.
+   *
+   * Caching may be introduced to reduce latency and bandwidth use.
+   *
+   * @throws {string} error if fetch fails or returns an error response.
+   */
+  fetchSignatory() {
+    return __async(this, null, function* () {
+      const issuer = this.getIssuer();
+      try {
+        const response2 = yield fetch(issuer, {
+          headers: {
+            "content-type": "application/json"
+          }
+        });
+        const json = yield response2.json();
+        if ("error" in json) {
+          throw json.error;
+        }
+        __privateSet(this, _signatory, json.ok);
+      } catch (_e) {
+        throw `Failed to read signatory at ${issuer}`;
+      }
+    });
+  }
+  /**
+   * Checks the signature using the public key provided by the supplied callback,
+   * and stores the result.
+   *
+   * @param {Promise<JsonWebKey>} publicJwkPromise the public key used to verify the signature.
+   * @throws {string} exception if signature cannot be verified or the public key is null or error.
+   */
+  checkSignature(publicJwkPromise) {
+    return __async(this, null, function* () {
+      const publicJwk = yield publicJwkPromise;
+      if (!publicJwk || "error" in publicJwk) {
+        throw publicJwk.error;
+      }
+      const publicKey = yield crypto.subtle.importKey("jwk", publicJwk, ALGORITHM, true, ["verify"]);
+      const toCheck = JSON.stringify(__privateGet(this, _payload));
+      const messageBuffer = new TextEncoder().encode(toCheck).buffer;
+      const sigBuffer = _Token.base64ToBytes(__privateGet(this, _signatureBase64)).buffer;
+      const isVerified = yield crypto.subtle.verify(ALGORITHM, publicKey, sigBuffer, messageBuffer);
+      if (!isVerified) {
+        throw "Signature cannot be verified";
+      }
+    });
+  }
+  /**
+   * Returns the payload with the `sig` property added.
+   *
+   * @return {SignedTokenPayload} the payload with additional `sig` property.
+   */
+  getSignedPayload() {
+    if (__privateGet(this, _signatureBase64) === null) {
+      throw "Not yet signed";
+    }
+    return __spreadProps(__spreadValues({}, __privateGet(this, _payload)), {
+      sig: __privateGet(this, _signatureBase64)
+    });
+  }
+  /**
+   * Returns the payload whether signed or not.
+   *
+   * @return {TokenPayload} the payload object without signature.
+   */
+  getPayload() {
+    return __privateGet(this, _payload);
+  }
+  /**
+   * Returns the `aud` field as a string.
+   *
+   * @return {string} the `aud` field value.
+   */
+  getAud() {
+    return __privateGet(this, _audUrl).origin;
+  }
+  /**
+   * Returns the `aud` host which is the party name handling the request.
+   *
+   * @return {string} the party name.
+   */
+  getParty() {
+    return __privateGet(this, _audUrl).host;
+  }
+  /**
+   * Returns the `sub` field as a string.
+   *
+   * @return {string} the `sub` field value.
+   */
+  getSub() {
+    return __privateGet(this, _subUrl).origin;
+  }
+  /**
+   * Returns the `sub` host, which is the counterparty name making the
+   * request.
+   *
+   * @return {string} the counterparty name.
+   */
+  getCounterparty() {
+    return __privateGet(this, _subUrl).host;
+  }
+  /**
+   * Returns the role of the signatory who signed on behalf of the
+   * counterparty.
+   *
+   * @returns {string} role of the verified signatory.
+   */
+  getSignatoryRole() {
+    return __privateGet(this, _signatory).role;
+  }
+  /**
+   * Returns the `src` URL.
+   *
+   * @return {URL} the source URL.
+   */
+  getSourceUrl() {
+    return __privateGet(this, _srcUrl);
+  }
+  /**
+   * Returns the `issuer` field as a URL. The counterparty is inferred from
+   * the host name which generally matches the sub field.
+   *
+   * @return {URL} the issuer URL.
+   */
+  getIssuer() {
+    return new URL(this.getPayload().iss);
+  }
+  /**
+   * Returns the list of zero or more sources for which scope is requested.
+   *
+   * @return {string[]} a list of source URL strings.
+   */
+  getSources() {
+    const sources = [];
+    for (const source in __privateGet(this, _payload).scope) {
+      sources.push(source);
+    }
+    return sources;
+  }
+  /**
+   * Returns the scope for the source as an array of capability tokens.
+   *
+   * These can be separated by any mix of space, comma, semicolon
+   * or vertical bar.
+   *
+   * @param {string} source whose capabilities are returned.
+   * @return {string[]} zero or more scope tokens.
+   */
+  getCapabilities(source) {
+    const scope = __privateGet(this, _payload).scope;
+    if (!(source in scope)) {
+      throw `Source '${source}' not in scope`;
+    }
+    return scope[source].split(_Token.SCOPE_SEPARATOR);
+  }
+  /**
+   * Returns true if the supplied capability is present in the token
+   * scope under the specified source, otherwise false.
+   *
+   * @param {string} source the source under which the capability is expected.
+   * @param {string} capability the capability being tested.
+   * @return {boolean} true if capability is present in the scope, otherwise false.
+   */
+  hasCapability(source, capability) {
+    return this.getCapabilities(source).includes(capability);
+  }
+  /**
+   * Checks the token is within the period defined by the `iat` and `exp`
+   * date fields.
+   *
+   * @throws {string} exception if not within valid period.
+   */
+  checkPeriod() {
+    const {
+      iat,
+      exp
+    } = __privateGet(this, _payload);
+    const now = Date.now();
+    if (now < iat - TOKEN_IAT_LEEWAY_MILLIS) {
+      throw "Token is not yet valid";
+    }
+    if (now > exp) {
+      throw "Token has expired";
+    }
+  }
+  /**
+   * Returns the signed object including the `sig` property as a base64 string.
+   *
+   * @return {string} the signed object as a base64 string.
+   */
+  asSignedBase64() {
+    return btoa(JSON.stringify(this.getSignedPayload()));
+  }
+  /**
+   * Returns a base64 JSON string corresponding to the provided byte array.
+   *
+   * @param {Uint8Array} bytes to be encoded as a base64 string.
+   * @returns {string} the encoded bytes.
+   */
+  static bytesToBase64(bytes) {
+    const binString = Array.from(bytes, (x) => String.fromCodePoint(x)).join("");
+    return btoa(binString);
+  }
+  /**
+   * Returns the byte array decoded from the base64 string.
+   *
+   * @param {string} base64
+   * @returns {Uint8Array} the decoded bytes.
+   */
+  static base64ToBytes(base64) {
+    const binString = atob(base64);
+    return Uint8Array.from(binString, (m) => m.codePointAt(0));
+  }
+  /**
+   * Returns a new token using the x-tabserver-token header on the
+   * request.
+   *
+   * @param {Request} the request.
+   * @return {Token | null} the token, or null if no header is present.
+   * @throws {string} exception if token cannot be constructed.
+   */
+  static from(request) {
+    if (request.headers.has(_Token.TOKEN_HEADER)) {
+      return new _Token(request.headers.get(_Token.TOKEN_HEADER));
+    }
+    return null;
+  }
+  /**
+   * Converts an object whose string keys map to token objects
+   * into  URL-friendly search params suitable for use in a
+   * query string or fragment.
+   *
+   * The string keys are normally the audience hostname, or the
+   * special key 'party' which holds the identity token whose
+   * `aud` and `sub` are the same.
+   *
+   * @param {TokenSet} tokenSet the set of tokens keyed by string.
+   * @returns {string}
+   */
+  static toSearchString(tokenSet) {
+    const searchParams = new URLSearchParams();
+    for (const key in tokenSet) {
+      const token = tokenSet[key];
+      const tokenBase64 = token.asSignedBase64();
+      searchParams.append(key, tokenBase64);
+    }
+    return searchParams.toString();
+  }
+};
+_payload = new WeakMap();
+_signatureBase64 = new WeakMap();
+_audUrl = new WeakMap();
+_subUrl = new WeakMap();
+_srcUrl = new WeakMap();
+_signatory = new WeakMap();
+// Standard sources.
+__publicField(_Token, "Source", {
+  PARTY_CONTROL: "party:control"
+  // Party control subject, a pseudo-source with scope granted to counterparties.
+});
+// Standard counterparty pattern.
+__publicField(_Token, "Counterparty", {
+  PUBLIC: "public"
+  // Public counterparty, matching requests with no host specified in sub.
+});
+// Standard signatory roles.
+__publicField(_Token, "SignatoryRole", {
+  PARTY: "party",
+  PARENT: "parent"
+});
+// Standard scope labels.
+__publicField(_Token, "Capability", {
+  OPEN: "open",
+  // Capability to open source files and start tab runners.
+  CLOSE: "close",
+  // Capability to close source files and stop tab runners.
+  GRANT: "grant",
+  // Capability to create relation records.
+  REVOKE: "revoke",
+  // Capability to delete relation records.
+  OFFER: "offer",
+  // Capability to create a party offer for a device to claim.
+  RETRACT: "retract",
+  // Capability to delete a party offer before it is claimed.
+  DELETE: "delete",
+  // Capability to delete devices.
+  CATALOG: "catalog",
+  // Capability to get sources, devices, alerts etc.
+  ALIAS: "alias",
+  // Capability to set the alias for a counterparty host.
+  UNALIAS: "unalias",
+  // Capability to unset the alias for a counterparty host.
+  GET_ITEM: "getitem",
+  // Capability to get a storage item.
+  SET_ITEM: "setitem",
+  // Capability to set (and remove) a storage item.
+  ALERT: "alert",
+  // Capability to post and delete alerts.
+  LOG: "log",
+  // Capability to view logs.
+  READ: "read",
+  // Capability to read from drive.
+  WRITE: "write"
+  // Capability to write to drive.
+});
+__publicField(_Token, "DEFAULT_EXPIRY_MILLIS", 1e3 * 60 * 60 * 24);
+__publicField(_Token, "TOKEN_HEADER", "x-tabserver-token");
+__publicField(_Token, "SCOPE_SEPARATOR", /[\s,;\|]+/);
+var Token = _Token;
+
+// js/BrowserApp.js
+var PARTY_PARAM = "party";
+var _instance, _appName, _appUrlKey, _partyKey, _tokensKey;
+var _BrowserApp = class _BrowserApp {
+  /**
+   * Constructs a BrowserApp instance with the app name. This should be
+   * unique per origin. Spaces are _NOT_ allowed in this name.
+   *
+   * @param {string} appName a unique name for this app per origin.
+   */
+  constructor(appName) {
+    __privateAdd(this, _appName);
+    __privateAdd(this, _appUrlKey);
+    __privateAdd(this, _partyKey);
+    __privateAdd(this, _tokensKey);
+    __privateSet(this, _appName, appName);
+    __privateSet(this, _partyKey, `${appName}Party`);
+    __privateSet(this, _tokensKey, `${appName}Tokens`);
+    __privateSet(this, _appUrlKey, `${appName}Url`);
+  }
+  /**
+   * Gets the singleton instance of BrowserApp. On invocations
+   * after the first, the app name must be omitted or match
+   * the first-used app name.
+   *
+   * @param {string=} appName
+   * @return {Promise<BrowserApp>} instance of browser app.
+   */
+  static getInstance(appName = null) {
+    return __async(this, null, function* () {
+      if (!appName && !__privateGet(_BrowserApp, _instance)) {
+        throw `Must provide app name`;
+      }
+      if (appName && __privateGet(_BrowserApp, _instance) && appName !== __privateGet(__privateGet(_BrowserApp, _instance), _appName)) {
+        throw `Cannot change app name to ${appName}`;
+      }
+      if (!__privateGet(_BrowserApp, _instance)) {
+        __privateSet(_BrowserApp, _instance, new _BrowserApp(appName));
+        yield __privateGet(_BrowserApp, _instance).init();
+      }
+      return __privateGet(_BrowserApp, _instance);
+    });
+  }
+  /**
+   * Initialises the instance with the party name and tokens passed
+   * in the #fragment and ?query string search parameters.
+   *
+   *   - party is passed in the special parameter 'party'.
+   *   - tokens are passed in the remaining parameters keyed by host name.
+   *
+   * The entire #fragment is parsed into search params, if present.
+   * Query params whose name starts with the special character 'æ' are
+   * extracted, if present.
+   *
+   * The window location is replaced with the 'clean' version that
+   * no longer includes tokens.
+   *
+   * @return {Promise<BrowserApp>} instance promise.
+   * @throws {string} error if party token `src` does not match our window location.
+   */
+  init() {
+    return __async(this, null, function* () {
+      const ourUrl = new URL(globalThis.location);
+      const tokenParams = new URLSearchParams(ourUrl.hash.substring(1));
+      ourUrl.hash = "";
+      for (const [key, value] of ourUrl.searchParams) {
+        if (key.startsWith("\xE6")) {
+          tokenParams.set(key.substring(1), value);
+          ourUrl.searchParams.delete(key);
+        }
+      }
+      sessionStorage[__privateGet(this, _appUrlKey)] = ourUrl.toString();
+      if (tokenParams.has(PARTY_PARAM)) {
+        sessionStorage[__privateGet(this, _tokensKey)] = tokenParams.toString();
+        const identityToken = this.getToken();
+        yield identityToken.verifySignatory();
+        sessionStorage[__privateGet(this, _partyKey)] = identityToken.getParty();
+        const srcUrl = identityToken.getSourceUrl();
+        if (srcUrl.origin !== ourUrl.origin || srcUrl.pathname !== ourUrl.pathname) {
+          throw `Party token is for different app: ${srcUrl}`;
+        }
+      }
+      globalThis.history.replaceState(null, "", ourUrl.toString());
+      return this;
+    });
+  }
+  /**
+   * Returns true if this app is an orphan, i.e. has not been launched from
+   * a Dæmon shell.
+   *
+   * Otherwise returns false.
+   *
+   * @return {boolean} true if an orphan without Dæmon, otherwise false.
+    */
+  isOrphan() {
+    return sessionStorage[__privateGet(this, _partyKey)] == void 0 || sessionStorage[__privateGet(this, _tokensKey)] == void 0;
+  }
+  /**
+   * Returns the app name. This is normally used to disambiguate properties
+   * of this app from others, such as those sharing a web origin and therefore
+   * sharing localStorage or sessionStorage.
+   *
+   * Note that this is a client-side name not known to the tabserver.
+   *
+   * @return {string} the app name.
+   */
+  getAppName() {
+    return __privateGet(this, _appName);
+  }
+  /**
+   * Returns the app url, obtained from window.location at time of app init,
+   * or the empty string if not initialised.
+   *
+   * @return {string} the app url, or the empty string.
+   */
+  getAppUrl() {
+    return sessionStorage[__privateGet(this, _appUrlKey)] || "";
+  }
+  /**
+   * Returns the party hostname, being the Dæmon that launched this app.
+   *
+   * @return {string} the party (Dæmon) hostname.
+   */
+  getParty() {
+    return sessionStorage[__privateGet(this, _partyKey)];
+  }
+  /**
+   * Returns the party origin, being the protocol (http: or https:)
+   * and the party hostname.
+   *
+   * @return {string} the party origin.
+   */
+  getPartyOrigin() {
+    return `${globalThis.location.protocol}//${this.getParty()}`;
+  }
+  /**
+   * Returns the base64-encoded token for the supplied party. If no
+   * party is specified, returns the token for the launching party.
+   *
+   * @param {string} party the party, or the launching party if not specified.
+   * @return {string} the base64-encoded token for the party.
+   */
+  getTokenBase64(party = PARTY_PARAM) {
+    const tokens = sessionStorage[__privateGet(this, _tokensKey)];
+    const searchParams = new URLSearchParams(tokens);
+    const tokenBase64 = searchParams.get(party);
+    if (!tokenBase64) {
+      throw `No token for ${party}, check 'audience' in YML`;
+    }
+    return tokenBase64;
+  }
+  /**
+   * Gets the token for a party either as a base64-encoded string, or as a
+   * Token object depending on the asBase64 argument.
+   *
+   * If the party is not passed or is null, the default is the launching party.
+   * If the asBase64 is not passed, the default is true.
+   *
+   * @param {string=} party the audience for the token. Defaults to the identity token 'party'.
+   * @return {Token} the pre-generated token for the given party.
+   */
+  getToken(party = PARTY_PARAM) {
+    const tokenBase64 = this.getTokenBase64(party);
+    return new Token(tokenBase64);
+  }
+  /**
+   * Gets the value of the named parameter, or null if no value is supplied.
+   *
+   * The parameter name is case insensitive.
+   *
+   * The parameter is specified as:
+   *   - an attribute on the webdaemon meta tag, or
+   *   - a search parameter in the query string of the URL
+   *
+   * where the query string parameter takes priority if present.
+   *
+   * @param {string} name
+   * @return {string | null} parameter value or null if not present.
+   */
+  getParam(name) {
+    const searchParams = new URL(globalThis.location).searchParams;
+    for (const [paramName, value] of searchParams) {
+      if (name.toLowerCase() == paramName.toLowerCase()) {
+        return value;
+      }
+    }
+    const metaElement = document.querySelector("link[rel=webdaemon]");
+    return metaElement.getAttribute(name);
+  }
+  /**
+   * Returns true if the named parameter is present, even if with empty
+   * or null value.
+   *
+   * @param {string} name
+   * @return {boolean} true if the parameter exists, otherwise false.
+   */
+  hasParam(name) {
+    const searchParams = new URL(globalThis.location).searchParams;
+    if (searchParams.has(name)) {
+      return true;
+    }
+    const metaElement = document.querySelector("link[rel=webdaemon]");
+    return metaElement.hasAttribute(name);
+  }
+  /**
+   * Returns the currently raised launch alert for this app,
+   * or null if none.
+   *
+   * @return { Promise<AlertType | null> } raised launch alert, or null if none.
+   * @throws {string} exception if alert catalog cannot be retrieved.
+   */
+  getLaunchAlert() {
+    return __async(this, null, function* () {
+      const origin = this.getPartyOrigin();
+      const url = new URL(`${origin}/catalog`);
+      url.searchParams.append("alert", "");
+      const response2 = yield fetch(url, {
+        headers: {
+          "X-Tabserver-Token": this.getTokenBase64(),
+          "Accept": "application/json"
+        }
+      });
+      const json = yield response2.json();
+      if ("error" in json) {
+        throw json.error;
+      }
+      const alert = json.ok.alert.find(
+        (alert2) => alert2.type == "LAUNCH" && alert2.sourceUrl == this.getAppUrl()
+      );
+      return alert || null;
+    });
+  }
+  /**
+   * Resolves the currently raised launch alert for this app, if any.
+   *
+   * @throws {string} exception if alert cannot be resolved.
+   */
+  resolveLaunchAlert() {
+    return __async(this, null, function* () {
+      const origin = this.getPartyOrigin();
+      const url = new URL(`${origin}/resolve`);
+      const response2 = yield fetch(url, {
+        method: "POST",
+        headers: {
+          "X-Tabserver-Token": this.getTokenBase64(),
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          type: "LAUNCH",
+          source: this.getAppUrl()
+        })
+      });
+      const json = yield response2.json();
+      if ("error" in json) {
+        throw json.error;
+      }
+    });
+  }
+  /**
+   * Resolves the currently raised launch alert for this app, if any.
+   *
+   * @throws {string} exception if alert cannot be resolved.
+   */
+  rejectLaunchAlert() {
+    return __async(this, null, function* () {
+      const origin = this.getPartyOrigin();
+      const url = new URL(`${origin}/reject`);
+      const response2 = yield fetch(url, {
+        method: "POST",
+        headers: {
+          "X-Tabserver-Token": this.getTokenBase64(),
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          type: "LAUNCH",
+          source: this.getAppUrl()
+        })
+      });
+      const json = yield response2.json();
+      if ("error" in json) {
+        throw json.error;
+      }
+    });
+  }
+};
+_instance = new WeakMap();
+_appName = new WeakMap();
+_appUrlKey = new WeakMap();
+_partyKey = new WeakMap();
+_tokensKey = new WeakMap();
+__privateAdd(_BrowserApp, _instance);
+var BrowserApp = _BrowserApp;
+
+// js/Alert.js
+function getLaunchAlert() {
+  return __async(this, null, function* () {
+    const app = yield BrowserApp.getInstance();
+    const origin = app.getPartyOrigin();
+    const url = new URL(`${origin}/catalog`);
+    url.searchParams.append("alert", "");
+    const response2 = yield fetch(url, {
+      headers: {
+        "X-Tabserver-Token": this.getTokenBase64(),
+        "Accept": "application/json"
+      }
+    });
+    const json = yield response2.json();
+    if ("error" in json) {
+      throw json.error;
+    }
+    const alert = json.ok.alert.find(
+      (alert2) => alert2.type == "LAUNCH" && alert2.sourceUrl == app.getAppUrl()
+    );
+    return alert || null;
+  });
+}
+
+// js/ParentHelper.js
+var _privateJwk, _publicJwk, _daemon, _issUrl, _source, _token, _claimCode, _ParentHelper_instances, generateKeyPair_fn, buildToken_fn;
+var ParentHelper = class {
+  constructor() {
+    __privateAdd(this, _ParentHelper_instances);
+    __privateAdd(this, _privateJwk);
+    // Signs the token used for activate and offer.
+    __privateAdd(this, _publicJwk);
+    // Verifies the signed token, must be made publicly visible.
+    __privateAdd(this, _daemon);
+    // The host name of the daemon being parented.
+    __privateAdd(this, _issUrl);
+    // Callback-supplied URL for the pubicly visible issuer object.
+    __privateAdd(this, _source);
+    // The HTML source URL, which must match origin: header iff present in daemon request.
+    __privateAdd(this, _token);
+    // The token used for check activate and offer calls to the daemon.
+    __privateAdd(this, _claimCode);
+  }
+  // The claim code returned by fetchOffer.
+  /**
+   * Generates the keypair for this instance and invokes callback for daemon
+   * name and signatory path.
+   *
+   * The callback should:
+   * 1. Save the generated public key such that it is publically visible.
+   * 2. Return the externally addressable signatory path.
+   *
+   * @param {SignatoryCallback} signatoryCallback
+   * @return {Promise<TokenBase64>}
+   */
+  init(signatoryCallback) {
+    return __async(this, null, function* () {
+      yield __privateMethod(this, _ParentHelper_instances, generateKeyPair_fn).call(this);
+      const {
+        daemon,
+        source,
+        // Only needed if offer request is made from a browser.
+        issUrl
+      } = yield signatoryCallback({
+        role: "parent",
+        publicJwk: __privateGet(this, _publicJwk)
+      });
+      __privateSet(this, _daemon, daemon);
+      __privateSet(this, _source, source);
+      __privateSet(this, _issUrl, issUrl);
+      yield __privateMethod(this, _ParentHelper_instances, buildToken_fn).call(this);
+    });
+  }
+  /**
+   * Uses the token to check activate the daemon. An already
+   * activated daemon with this parent is retained, or a new
+   * daemon is created so long as the sub of the pre-generated
+   * token matches a parent record in the provider.
+   *
+   * @throws {string} exception if daemon cannot be activated.
+   */
+  checkActivate() {
+    return __async(this, null, function* () {
+      const url = new URL(`${__privateGet(this, _token).getAud()}/activate`);
+      const token = yield __privateGet(this, _token).asSignedBase64();
+      const body = {};
+      let response2;
+      try {
+        response2 = yield fetch(url, {
+          method: "POST",
+          headers: {
+            "x-tabserver-token": token,
+            "content-type": "application/json"
+          },
+          body: JSON.stringify(body)
+        });
+      } catch (e) {
+        console.error(e);
+        throw `Cannot activate ${__privateGet(this, _token).getParty()}`;
+      }
+      const json = yield response2.json();
+      if ("error" in json) {
+        throw json.error;
+      }
+    });
+  }
+  /**
+   * Uses the token to create a device offer on the daemon with default
+   * type 'TRANSIENT' and ttl of 300s.
+   *
+   * @param {'NO_CHECK' | 'DO_CHECK'} flow to use. For QR offers, use checked flow.
+   * @param {OfferOptions} options to use when making the offer, if any.
+   * @return {Promise<Offer>} offer claimCode and checkState ('NO_CHECK' or 'AWAIT_CHECK').
+   */
+  makeOffer(_0) {
+    return __async(this, arguments, function* (flow, options = {}) {
+      const {
+        type = "TRANSIENT",
+        ttl = 300,
+        expiry = 30
+      } = options;
+      const url = new URL(`${__privateGet(this, _token).getAud()}/offer`);
+      const token = yield __privateGet(this, _token).asSignedBase64();
+      const body = {
+        role: "party",
+        type,
+        ttl,
+        description: `Offered by ${__privateGet(this, _token).getCounterparty()}`,
+        expiry: new Date(Date.now() + 1e3 * expiry),
+        flow
+      };
+      const response2 = yield fetch(url, {
+        method: "POST",
+        headers: {
+          "x-tabserver-token": token,
+          "content-type": "application/json"
+        },
+        body: JSON.stringify(body)
+      });
+      const json = yield response2.json();
+      if ("error" in json) {
+        throw json.error;
+      }
+      const {
+        claimCode,
+        _checkState
+      } = json.ok;
+      __privateSet(this, _claimCode, claimCode);
+      return json.ok;
+    });
+  }
+  /**
+   * Returns the check state for the offer. This is used when
+   * awaiting claim.
+   *
+   * @return {Promise<void>}
+   */
+  checkState() {
+    return __async(this, null, function* () {
+      const url = new URL(`${__privateGet(this, _token).getAud()}/offer/check`);
+      url.searchParams.append("claimCode", __privateGet(this, _claimCode));
+      const token = yield __privateGet(this, _token).asSignedBase64();
+      const response2 = yield fetch(url, {
+        headers: {
+          "x-tabserver-token": token
+        }
+      });
+      const json = yield response2.json();
+      if ("error" in json) {
+        throw json.error;
+      }
+      return json.ok.checkState;
+    });
+  }
+  /**
+  * Posts the check code that confirms the offering device has
+  * got the expected claiming device, and returns the resulting check state.
+  *
+  * @param {string} checkCode the check code obtained from the claiming device.
+  * @return {Promise<ConfirmResult>} the check state following confirmation.
+  */
+  confirmClaim(checkCode) {
+    return __async(this, null, function* () {
+      const url = new URL(`${__privateGet(this, _token).getAud()}/offer/confirm`);
+      const token = yield __privateGet(this, _token).asSignedBase64();
+      const body = {
+        claimCode: __privateGet(this, _claimCode),
+        checkCode
+      };
+      const response2 = yield fetch(url, {
+        method: "POST",
+        headers: {
+          "x-tabserver-token": token,
+          "content-type": "application/json"
+        },
+        body: JSON.stringify(body)
+      });
+      const json = yield response2.json();
+      if ("error" in json) {
+        throw json.error;
+      }
+      return json.ok;
+    });
+  }
+  /**
+   * Returns the daemon name.
+   *
+   * @return {string} daemon name, e.g. 'daemon.once.id'.
+   */
+  getDaemon() {
+    return __privateGet(this, _daemon);
+  }
+  /**
+   * Returns the daemon origin, suitable for redirection or claiming
+   * a code.
+   *
+   * @return {URL} daemon origin e.g. 'https://daemon.once.id'.
+   */
+  getDaemonUrl() {
+    return new URL(`${__privateGet(this, _issUrl).protocol}//${__privateGet(this, _daemon)}`);
+  }
+};
+_privateJwk = new WeakMap();
+_publicJwk = new WeakMap();
+_daemon = new WeakMap();
+_issUrl = new WeakMap();
+_source = new WeakMap();
+_token = new WeakMap();
+_claimCode = new WeakMap();
+_ParentHelper_instances = new WeakSet();
+generateKeyPair_fn = function() {
+  return __async(this, null, function* () {
+    const keyPair = new KeyPair();
+    yield keyPair.generate();
+    __privateSet(this, _privateJwk, yield keyPair.privateJwk());
+    __privateSet(this, _publicJwk, yield keyPair.publicJwk());
+  });
+};
+buildToken_fn = function() {
+  return __async(this, null, function* () {
+    const iss = __privateGet(this, _issUrl).toString();
+    const aud = `${__privateGet(this, _issUrl).protocol}//${__privateGet(this, _daemon)}`;
+    const sub = __privateGet(this, _issUrl).origin;
+    let src;
+    if (__privateGet(this, _source)) {
+      const srcUrl = new URL(__privateGet(this, _source));
+      src = `${srcUrl.origin}${srcUrl.pathname}`;
+    } else {
+      src = "party:control";
+    }
+    const payload = {
+      iss,
+      aud,
+      sub,
+      src,
+      scope: {
+        "party:control": "offer"
+      },
+      iat: Date.now(),
+      exp: Date.now() + 1e3 * 60 * 3
+    };
+    const token = new Token(payload);
+    yield token.signWith(Promise.resolve(__privateGet(this, _privateJwk)));
+    __privateSet(this, _token, token);
+  });
+};
+
+// js/QrCode.js
+var BASE_URL = "https://qrcode.tec-it.com/API/QRCode";
+var IMG_CLASS = "qrcode";
+var _img, _content;
+var QrCode = class {
+  /**
+   * Constructor takes img element and
+   * the string to show in the QR code.
+   * @param {HTMLImageElement} img the image element to use.
+   * @param {string} content the content of the qr code.
+   */
+  constructor(img, content) {
+    __privateAdd(this, _img);
+    __privateAdd(this, _content);
+    __privateSet(this, _img, img);
+    __privateSet(this, _content, content);
+  }
+  /**
+   * Returns a promise that is resolved when the image loads
+   * successfully, or rejected if the image load fails.
+   */
+  generate() {
+    const url = new URL(BASE_URL);
+    url.searchParams.append("data", __privateGet(this, _content));
+    __privateGet(this, _img).classList.add(IMG_CLASS);
+    __privateGet(this, _img).src = url.toString();
+    return new Promise((resolve, reject) => {
+      __privateGet(this, _img).onload = resolve;
+      __privateGet(this, _img).onerror = reject;
+    });
+  }
+};
+_img = new WeakMap();
+_content = new WeakMap();
+
+// js/Storage.js
+var KEY_PATTERN = /^[\w\-.]+(?:\/[\w\-.]+)*$/;
+var KEYLIKE_PATTERN = /^[\w\-.%_]+(?:\/[\w\-.%_]+)*$/;
+function assertValid(key) {
+  if (key.match(KEY_PATTERN) == null) {
+    throw `DaemonStorage: Invalid key: '${key}`;
+  }
+}
+function assertValidLike(keylike) {
+  if (keylike.match(KEYLIKE_PATTERN) == null) {
+    throw `DaemonStorage: Invalid like key: ${keylike}`;
+  }
+}
+function serialise(value) {
+  try {
+    return JSON.stringify(value);
+  } catch (_e) {
+    throw `DaemonStorage: Invalid value`;
+  }
+}
+function setItem(token, key, value) {
+  return __async(this, null, function* () {
+    assertValid(key);
+    const body = serialise(value);
+    const url = `${token.getAud()}/storage/${key}`;
+    const response2 = yield fetch(url, {
+      method: "PUT",
+      headers: {
+        "X-Tabserver-Token": token.asSignedBase64(),
+        "Content-Type": "application/json"
+      },
+      body
+    });
+    return response2.json();
+  });
+}
+function getItem(token, key) {
+  return __async(this, null, function* () {
+    assertValid(key);
+    const url = `${token.getAud()}/storage/${key}`;
+    const response2 = yield fetch(url, {
+      method: "GET",
+      headers: {
+        "X-Tabserver-Token": token.asSignedBase64()
+      }
+    });
+    return response2.json();
+  });
+}
+function getItemsLike(token, keylike) {
+  return __async(this, null, function* () {
+    assertValidLike(keylike);
+    const url = new URL(`${token.getAud()}/storage`);
+    url.searchParams.append("like", keylike);
+    console.log(url);
+    const response2 = yield fetch(url, {
+      method: "GET",
+      headers: {
+        "X-Tabserver-Token": token.asSignedBase64()
+      }
+    });
+    return yield response2.json();
+  });
+}
+function removeItem(token, key) {
+  return __async(this, null, function* () {
+    assertValid(key);
+    const url = `${token.getAud()}/storage/${key}`;
+    const response2 = yield fetch(url, {
+      method: "DELETE",
+      headers: {
+        "X-Tabserver-Token": token.asSignedBase64()
+      }
+    });
+    return response2.json();
+  });
+}
+
+// ts/Assertions.ts
+function notNull(value) {
+  return value !== null;
+}
+function isDefined(value) {
+  return value !== void 0;
+}
+
+// ts/Responses.ts
+function response(rvalue, extraHeaders) {
+  var _a;
+  if ("ok" in rvalue) {
+    const body2 = JSON.stringify(rvalue);
+    return new Response(body2, {
+      status: 200,
+      headers: __spreadProps(__spreadValues({}, extraHeaders), {
+        "Content-Type": "application/json",
+        "Access-Control-Allow-Origin": "*"
+      })
+    });
+  }
+  const error = rvalue.error;
+  const [, status, message] = (_a = error.match(/(\d{3})\s(.+)/)) != null ? _a : [null, "200", error];
+  const body = JSON.stringify({
+    error: message
+  });
+  return new Response(body, {
+    status: Number(status),
+    headers: __spreadProps(__spreadValues({}, extraHeaders), {
+      "Content-Type": "application/json",
+      "Access-Control-Allow-Origin": "*"
+    })
+  });
+}
+function response404(json = {
+  error: "404 Not Found"
+}) {
+  const body = JSON.stringify(json);
+  return new Response(body, {
+    status: 404,
+    headers: {
+      "Content-Type": "application/json",
+      "Access-Control-Allow-Origin": "*"
+    }
+  });
+}
+function response302(url, extraHeaders = []) {
+  return new Response(null, {
+    status: 302,
+    headers: __spreadValues({
+      "Location": url.toString(),
+      "Access-Control-Allow-Origin": "*"
+    }, extraHeaders)
+  });
+}
+function buildCookie(payload) {
+  const {
+    name,
+    value,
+    domain,
+    sameSite,
+    path = "/",
+    expires,
+    secure = true,
+    httpOnly = true
+  } = payload;
+  const builder = [];
+  builder.push(`${encodeURIComponent(name)}=${encodeURIComponent(value)}`);
+  if (domain) builder.push(`Domain=${domain}`);
+  if (sameSite) builder.push(`SameSite=${sameSite}`);
+  builder.push(`Path=${path}`);
+  if (expires) builder.push(`Expires=${expires.toUTCString()}`);
+  if (secure) builder.push(`Secure`);
+  if (httpOnly) builder.push("HttpOnly");
+  const cookie = builder.join("; ");
+  return cookie;
+}
+
+// ts/Lifecycle.ts
+var DAEMON_PREFIX = "daemon";
+var CONFIG_PATH = "config";
+var EVENT_PATH = "event";
+var PUBLIC_JWK_PATH = "public.jwk";
+var CONFIG_KEY = "config";
+var PRIVATE_JWK_KEY = "privateJwk";
+var PUBLIC_JWK_KEY = "publicJwk";
+var DEFAULT_TTL_MILLIS = 1e3 * 60 * 60;
+var _instance2;
+var _Lifecycle = class _Lifecycle extends EventTarget {
+  static getInstance() {
+    return __privateGet(this, _instance2);
+  }
+  /**
+   * All system requests are under the /daemon/ path.
+   *
+   * @param {Request} request to be tested.
+   * @returns {boolean} true if the request is a lifecycle request.
+   */
+  static shouldHandle(request) {
+    return _Lifecycle.isConfig(request) || _Lifecycle.isEvent(request) || _Lifecycle.isPublicJwk(request);
+  }
+  static isConfig(request) {
+    const url = new URL(request.url);
+    return request.method == "POST" && url.pathname == `/${DAEMON_PREFIX}/${CONFIG_PATH}` && request.headers.get("Content-Type") == "application/json";
+  }
+  static isEvent(request) {
+    const url = new URL(request.url);
+    return request.method == "POST" && url.pathname == `/${DAEMON_PREFIX}/${EVENT_PATH}` && request.headers.get("Content-Type") == "application/json";
+  }
+  static isPublicJwk(request) {
+    const url = new URL(request.url);
+    return request.method == "GET" && url.pathname == `/${DAEMON_PREFIX}/${PUBLIC_JWK_PATH}`;
+  }
+  /**
+   * Handles a lifecycle request.
+   *
+   * @param {Request} request to be handled.
+   * @returns {Response} response for caller.
+   */
+  handler(request) {
+    return __async(this, null, function* () {
+      if (_Lifecycle.isConfig(request)) {
+        return yield this.handleConfig(request);
+      }
+      if (_Lifecycle.isEvent(request)) {
+        return yield this.handleEvent(request);
+      }
+      if (_Lifecycle.isPublicJwk(request)) {
+        return yield this.handlePublicJwk();
+      }
+      return response({
+        error: "Invalid daemon request"
+      });
+    });
+  }
+  /**
+   * Saves the lifecycle config object provided in the request body.
+   *
+   * Fires a 'config' lifecycle event.
+   *
+   * @param {Request} request containing the configuration json.
+   * @return {Response} ok response.
+   */
+  handleConfig(request) {
+    return __async(this, null, function* () {
+      const configJson = yield request.json();
+      sessionStorage.setItem(CONFIG_KEY, JSON.stringify(configJson));
+      this.dispatchEvent(new CustomEvent("config", {
+        detail: configJson
+      }));
+      return response({
+        ok: true
+      });
+    });
+  }
+  /**
+   * Fires a lifecycle event upon receiving an event request.
+   *
+   * @param {Request} request containing the event.
+   * @return {Response} ok response.
+   */
+  handleEvent(request) {
+    return __async(this, null, function* () {
+      const {
+        type,
+        payload
+      } = yield request.json();
+      this.dispatchEvent(new CustomEvent(type, {
+        detail: payload
+      }));
+      return response({
+        ok: true
+      });
+    });
+  }
+  /**
+   * Responds with the JSON public key used to verify tokens
+   * produced by this instance.
+   *
+   * @return {Response} the response containing the Signatory (role, jwk).
+   */
+  handlePublicJwk() {
+    return __async(this, null, function* () {
+      const role = "party";
+      const jwk = yield _Lifecycle.getPublicKey();
+      return Response.json({
+        ok: {
+          role,
+          jwk
+        }
+      });
+    });
+  }
+  /**
+   * Returns the configuration object stored on initialisation.
+   * @return {DaemonConfig} the daemon configuration object.
+   * @throws {string} exception if config is not yet initialised.
+   */
+  static getConfig() {
+    const json = sessionStorage.getItem(CONFIG_KEY);
+    if (!json) {
+      throw "DaemonConfig not ready";
+    }
+    return JSON.parse(json);
+  }
+  /**
+   * Generates if necessary and returns a private key for
+   * use in signing tokens.
+   *
+   * @returns {JSONWebKey} the private key for this session.
+   */
+  static getPrivateKey() {
+    return __async(this, null, function* () {
+      const jsonWebKey = sessionStorage.getItem(PRIVATE_JWK_KEY);
+      if (!jsonWebKey) {
+        const keyPair = yield _Lifecycle.generateKeys();
+        return keyPair.privateJwk();
+      }
+      return JSON.parse(jsonWebKey);
+    });
+  }
+  /**
+   * Generates if necessary and returns a public key for
+   * use by third parties to verifying tokens we generate.
+   *
+   * @returns {JSONWebKey} the public key for this session.
+   */
+  static getPublicKey() {
+    return __async(this, null, function* () {
+      const jsonWebKey = sessionStorage.getItem(PUBLIC_JWK_KEY);
+      if (!jsonWebKey) {
+        const keyPair = yield _Lifecycle.generateKeys();
+        return keyPair.publicJwk();
+      }
+      return JSON.parse(jsonWebKey);
+    });
+  }
+  /**
+   * Generates and stores the serialised public and private JWK keys in
+   * sessionStorage which survives the life of this process instance.
+   *
+   * @returns {KeyPair} keyPair as generated and stored in sessionStorage.
+   */
+  static generateKeys() {
+    return __async(this, null, function* () {
+      const keyPair = new KeyPair();
+      yield keyPair.generate();
+      const privateJwk = yield keyPair.privateJwk();
+      const publicJwk = yield keyPair.publicJwk();
+      sessionStorage.setItem(PRIVATE_JWK_KEY, JSON.stringify(privateJwk));
+      sessionStorage.setItem(PUBLIC_JWK_KEY, JSON.stringify(publicJwk));
+      return keyPair;
+    });
+  }
+  /**
+   * Returns a token suitable for the `x-tabserver-token` header
+   * in a request to the supplied party with the required
+   * scope.
+   *
+   * If party is omitted, it defaults to this party.
+   * If
+   *
+   * @param {Scope} scope map of string source -> space-separated capabilities.
+   * @param {string=} party the party host name to whom the request will be sent.
+   * @param { src=} src the HTML page from which the request is (actually or notionally) made.
+   * @param {number=} ttlMillis the lifetime of this token.
+   * @returns {Token} the signed token.
+   * @throws {string} if configuration not yet initialised.
+   *
+  */
+  static getTokenFor(_0) {
+    return __async(this, arguments, function* (scope, party = null, src = null, ttlMillis = DEFAULT_TTL_MILLIS) {
+      const config = _Lifecycle.getConfig();
+      if (!config) {
+        throw "Lifecycle configuration not yet available";
+      }
+      const {
+        system: {
+          protocol,
+          party: us,
+          issuer,
+          source
+        }
+      } = config;
+      const appSourceUrl = new URL(source);
+      const aud = party ? `${protocol}//${party}` : `${protocol}//${us}`;
+      const sub = `${protocol}//${us}`;
+      const now = Date.now();
+      const payload = {
+        iss: issuer,
+        aud,
+        sub,
+        src: src != null ? src : `${appSourceUrl.origin}${appSourceUrl.pathname}`,
+        scope,
+        iat: now,
+        exp: now + ttlMillis
+      };
+      const token = new Token(payload);
+      yield token.signWith(_Lifecycle.getPrivateKey());
+      return token;
+    });
+  }
+  /**
+   * Returns a token for our party with the setitem and getitem
+   * capabilities on the party control source.
+   */
+  static getStorageToken() {
+    const {
+      system: {
+        party
+      }
+    } = _Lifecycle.getConfig();
+    const scope = {
+      [Token.Source.PARTY_CONTROL]: `${Token.Capability.GET_ITEM} ${Token.Capability.SET_ITEM}`
+    };
+    return _Lifecycle.getTokenFor(scope, party);
+  }
+};
+_instance2 = new WeakMap();
+__privateAdd(_Lifecycle, _instance2, new _Lifecycle());
+var Lifecycle = _Lifecycle;
+
+// ts/Requests.ts
+var X_FORWARDED_HOST = "x-forwarded-host";
+var X_FORWARDED_PROTO = "x-forwarded-proto";
+var X_FORWARDED_PATHNAME = "x-forwarded-pathname";
+function getClientProtocol(request) {
+  if (request.headers.has(X_FORWARDED_PROTO)) {
+    return request.headers.get(X_FORWARDED_PROTO) + ":";
+  }
+  return new URL(request.url).protocol;
+}
+function getClientHost(request) {
+  if (request.headers.has(X_FORWARDED_HOST)) {
+    return request.headers.get(X_FORWARDED_HOST) || "";
+  }
+  return new URL(request.url).host;
+}
+function getClientPathname(request) {
+  if (request.headers.has(X_FORWARDED_PATHNAME)) {
+    return request.headers.get(X_FORWARDED_PATHNAME) || "";
+  }
+  return new URL(request.url).pathname;
+}
+function getClientUrlPhp(request) {
+  const protocol = getClientProtocol(request);
+  const host = getClientHost(request);
+  const pathname = getClientPathname(request);
+  return new URL(`${protocol}//${host}${pathname}`);
+}
+function getClientUrl(request) {
+  const originalUrl = new URL(request.url);
+  const newUrl = getClientUrlPhp(request);
+  newUrl.search = originalUrl.search;
+  newUrl.hash = originalUrl.hash;
+  return newUrl;
+}
+function getPathname(request) {
+  const url = new URL(request.url);
+  return url.pathname;
+}
+function getCookie(request, cookieName) {
+  const cookies = getCookies(request);
+  if (cookieName in cookies) {
+    return cookies[cookieName];
+  }
+  return null;
+}
+function getCookies(request) {
+  const cookies = {};
+  const headerValue = request.headers.get("Cookie");
+  if (headerValue) {
+    for (const keyVal of headerValue.split("; ")) {
+      const [key, value] = keyVal.split("=");
+      cookies[key] = value;
+    }
+  }
+  return cookies;
+}
+export {
+  BrowserApp,
+  CONFIG_PATH,
+  DAEMON_PREFIX,
+  EVENT_PATH,
+  IMG_CLASS,
+  KeyPair,
+  Lifecycle,
+  PUBLIC_JWK_PATH,
+  ParentHelper,
+  QrCode,
+  Token,
+  buildCookie,
+  getClientHost,
+  getClientPathname,
+  getClientProtocol,
+  getClientUrl,
+  getClientUrlPhp,
+  getCookie,
+  getCookies,
+  getItem,
+  getItemsLike,
+  getLaunchAlert,
+  getPathname,
+  isDefined,
+  notNull,
+  removeItem,
+  response,
+  response302,
+  response404,
+  setItem,
+  shortHexDigest,
+  shortSafeDigest
+};
+//# sourceMappingURL=index.js.map