zeroauth 1.0.0

package/dist/data/catalog.js

@@ -0,0 +1,108 @@
+"use strict";
+/**
+ * ZeroAuth Curated Catalog Data Loader
+ *
+ * Loads the curated-catalog.json file generated by the Python generator script.
+ * Provides static data for intent-based routing without database dependencies.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.catalogLoader = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+class CatalogLoader {
+    constructor() {
+        this.catalog = null;
+        // Path relative to the API startup location
+        this.catalogPath = path.join(__dirname, "../../data/curated-catalog.json");
+    }
+    /**
+     * Load the curated catalog from JSON file.
+     * Should be called at API startup.
+     */
+    loadCatalog() {
+        try {
+            if (!fs.existsSync(this.catalogPath)) {
+                throw new Error(`Curated catalog file not found: ${this.catalogPath}`);
+            }
+            const data = fs.readFileSync(this.catalogPath, "utf-8");
+            this.catalog = JSON.parse(data);
+            console.log(`📊 Loaded curated catalog with ${this.catalog.length} models`);
+            return this.catalog;
+        }
+        catch (error) {
+            console.error("❌ Failed to load curated catalog:", error);
+            throw error;
+        }
+    }
+    /**
+     * Get the loaded catalog. Throws if not loaded.
+     */
+    getCatalog() {
+        if (!this.catalog) {
+            throw new Error("Catalog not loaded. Call loadCatalog() first.");
+        }
+        return this.catalog;
+    }
+    /**
+     * Find a model by intent alias (e.g., "intent:budget" -> "zeroauth-budget")
+     * This now filters for enabled models only.
+     */
+    findModelByIntent(intentAlias) {
+        const catalog = this.getCatalog();
+        // Prioritize enabled models for the given intent
+        return catalog.find((model) => model.intent_alias === intentAlias && model.enabled) || null;
+    }
+    /**
+     * Get all available intent aliases for error messages
+     */
+    getAvailableIntents() {
+        const catalog = this.getCatalog();
+        return [...new Set(catalog.map((model) => model.intent_alias))];
+    }
+    /**
+     * Get the default Free Developer Profile (no compliance checks)
+     */
+    getDefaultProfile() {
+        return {
+            tier: "Tier 1: Developer (Free)",
+            required_tags: {}, // Empty - no compliance enforcement
+            optimization_goal: "COST",
+        };
+    }
+}
+// Singleton instance
+exports.catalogLoader = new CatalogLoader();
+//# sourceMappingURL=catalog.js.map

package/dist/data/catalog.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalog.js","sourceRoot":"","sources":["../../src/data/catalog.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,2CAA6B;AAsB7B,MAAM,aAAa;IAIjB;QAHQ,YAAO,GAA0B,IAAI,CAAC;QAI5C,4CAA4C;QAC5C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,iCAAiC,CAAC,CAAC;IAC7E,CAAC;IAED;;;OAGG;IACH,WAAW;QACT,IAAI,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,KAAK,CAAC,mCAAmC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YACzE,CAAC;YAED,MAAM,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YACxD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAmB,CAAC;YAElD,OAAO,CAAC,GAAG,CACT,kCAAkC,IAAI,CAAC,OAAO,CAAC,MAAM,SAAS,CAC/D,CAAC;YACF,OAAO,IAAI,CAAC,OAAO,CAAC;QACtB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;YAC1D,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;;OAGG;IACH,iBAAiB,CAAC,WAAmB;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAClC,iDAAiD;QACjD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,YAAY,KAAK,WAAW,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC;IAC9F,CAAC;IAED;;OAEG;IACH,mBAAmB;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAClC,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAClE,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,OAAO;YACL,IAAI,EAAE,0BAA0B;YAChC,aAAa,EAAE,EAAE,EAAE,oCAAoC;YACvD,iBAAiB,EAAE,MAAM;SAC1B,CAAC;IACJ,CAAC;CACF;AAED,qBAAqB;AACR,QAAA,aAAa,GAAG,IAAI,aAAa,EAAE,CAAC"}

package/dist/db/dal.d.ts

@@ -0,0 +1,75 @@
+import { PrismaClient, Prisma } from "@prisma/client";
+declare const prisma: PrismaClient<Prisma.PrismaClientOptions, never, import("@prisma/client/runtime/library").DefaultArgs>;
+/**
+ * Finds an existing UserIdentity by their Clerk ID, or creates a new
+ * Organization, SecurityProfile, and UserIdentity in a single transaction
+ * if it's their first time logging in.
+ *
+ * @param clerkUserId - The 'id' of the user from the Clerk JWT (e.g., 'user_clerk_jane').
+ * @returns The UserIdentity and its associated SecurityProfile.
+ */
+export declare function findOrCreateUserIdentity(clerkUserId: string): Promise<{
+    securityProfile: {
+        organization: {
+            name: string;
+            id: string;
+            plan_tier: string;
+            stripe_customer_id: string | null;
+            createdAt: Date;
+            updatedAt: Date;
+        };
+        complianceFrameworks: {
+            security_profile_id: string;
+            framework_id: string;
+        }[];
+    } & {
+        name: string;
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        organization_id: string;
+    };
+} & {
+    id: string;
+    createdAt: Date;
+    security_profile_id: string;
+}>;
+/**
+ * Finds an existing WorkloadIdentity by its cloud-native identifier,
+ * or returns null if not found.
+ *
+ * @param cloud - The cloud provider (e.g., "AWS", "GCP").
+ * @param cloudIdentity - The unique cloud identifier (e.g., an ARN).
+ * @returns The WorkloadIdentity and its SecurityProfile, or null.
+ */
+export declare function findWorkloadIdentity(cloud: string, cloudIdentity: string): Promise<({
+    securityProfile: {
+        organization: {
+            name: string;
+            id: string;
+            plan_tier: string;
+            stripe_customer_id: string | null;
+            createdAt: Date;
+            updatedAt: Date;
+        };
+        complianceFrameworks: {
+            security_profile_id: string;
+            framework_id: string;
+        }[];
+    } & {
+        name: string;
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        organization_id: string;
+    };
+} & {
+    id: string;
+    createdAt: Date;
+    security_profile_id: string;
+    cloud: string;
+    cloud_identity: string;
+}) | null>;
+export declare function createWorkloadIdentity(organizationId: string, profileName: string, cloud: string, cloudIdentity: string, complianceFrameworks?: string[]): Promise<void>;
+export { prisma };
+//# sourceMappingURL=dal.d.ts.map

package/dist/db/dal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dal.d.ts","sourceRoot":"","sources":["../../src/db/dal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAItD,QAAA,MAAM,MAAM,uGAAqB,CAAC;AAElC;;;;;;;GAOG;AACH,wBAAsB,wBAAwB,CAAC,WAAW,EAAE,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;GAkFjE;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;WAkCtB;AAED,wBAAsB,sBAAsB,CAC1C,cAAc,EAAE,MAAM,EACtB,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,EACrB,oBAAoB,GAAE,MAAM,EAAO,iBASpC;AAID,OAAO,EAAE,MAAM,EAAE,CAAC"}

package/dist/db/dal.js

@@ -0,0 +1,124 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.prisma = void 0;
+exports.findOrCreateUserIdentity = findOrCreateUserIdentity;
+exports.findWorkloadIdentity = findWorkloadIdentity;
+exports.createWorkloadIdentity = createWorkloadIdentity;
+const client_1 = require("@prisma/client");
+const logger_1 = require("../logger");
+// Initialize a singleton Prisma Client
+const prisma = new client_1.PrismaClient();
+exports.prisma = prisma;
+/**
+ * Finds an existing UserIdentity by their Clerk ID, or creates a new
+ * Organization, SecurityProfile, and UserIdentity in a single transaction
+ * if it's their first time logging in.
+ *
+ * @param clerkUserId - The 'id' of the user from the Clerk JWT (e.g., 'user_clerk_jane').
+ * @returns The UserIdentity and its associated SecurityProfile.
+ */
+async function findOrCreateUserIdentity(clerkUserId) {
+    logger_1.log.info({ clerkUserId }, "Finding or creating user identity...");
+    // 1. Check if user identity already exists
+    const existingIdentity = await prisma.userIdentity.findUnique({
+        where: { id: clerkUserId },
+        include: {
+            securityProfile: {
+                include: {
+                    organization: true,
+                    complianceFrameworks: true,
+                },
+            },
+        },
+    });
+    if (existingIdentity) {
+        logger_1.log.info({ clerkUserId, profileId: existingIdentity.security_profile_id }, "Found existing user identity.");
+        return existingIdentity;
+    }
+    // 2. User does not exist. Create new org, profile, and identity
+    //    in a single transaction [cite: 297-300].
+    logger_1.log.info({ clerkUserId }, "No existing identity found. Creating new user...");
+    try {
+        const newUserIdentity = await prisma.$transaction(async (tx) => {
+            // Create the Organization [cite: 298]
+            const newOrg = await tx.organization.create({
+                data: {
+                    name: `${clerkUserId}'s Organization`,
+                    plan_tier: "free",
+                },
+            });
+            // Create the default SecurityProfile [cite: 299]
+            const newProfile = await tx.securityProfile.create({
+                data: {
+                    name: "Default Profile",
+                    organization_id: newOrg.id,
+                },
+            });
+            // Create the UserIdentity and link it all [cite: 300]
+            const newUser = await tx.userIdentity.create({
+                data: {
+                    id: clerkUserId,
+                    security_profile_id: newProfile.id,
+                },
+                include: {
+                    securityProfile: {
+                        include: {
+                            organization: true,
+                            complianceFrameworks: true,
+                        },
+                    },
+                },
+            });
+            return newUser;
+        });
+        logger_1.log.info({
+            clerkUserId,
+            profileId: newUserIdentity.security_profile_id,
+            orgId: newUserIdentity.securityProfile.organization_id,
+        }, "Successfully created new user, org, and default profile.");
+        return newUserIdentity;
+    }
+    catch (error) {
+        logger_1.log.error({ clerkUserId, error }, "Error during new user auto-provisioning transaction.");
+        throw new Error("Failed to provision new user identity.");
+    }
+}
+/**
+ * Finds an existing WorkloadIdentity by its cloud-native identifier,
+ * or returns null if not found.
+ *
+ * @param cloud - The cloud provider (e.g., "AWS", "GCP").
+ * @param cloudIdentity - The unique cloud identifier (e.g., an ARN).
+ * @returns The WorkloadIdentity and its SecurityProfile, or null.
+ */
+async function findWorkloadIdentity(cloud, cloudIdentity) {
+    logger_1.log.info({ cloud, cloudIdentity }, "Finding workload identity...");
+    const workloadIdentity = await prisma.workloadIdentity.findUnique({
+        where: {
+            cloud_cloud_identity: {
+                cloud: cloud,
+                cloud_identity: cloudIdentity,
+            },
+        },
+        include: {
+            securityProfile: {
+                include: {
+                    organization: true,
+                    complianceFrameworks: true,
+                },
+            },
+        },
+    });
+    if (workloadIdentity) {
+        logger_1.log.info({ cloud, cloudIdentity, profileId: workloadIdentity.security_profile_id }, "Found existing workload identity.");
+        return workloadIdentity;
+    }
+    logger_1.log.warn({ cloud, cloudIdentity }, "Workload identity not found in database.");
+    return null;
+}
+async function createWorkloadIdentity(organizationId, profileName, cloud, cloudIdentity, complianceFrameworks = []) {
+    logger_1.log.info({ organizationId, profileName, cloud, cloudIdentity }, "Creating new workload identity...");
+    // This will be implemented with proper database connection once API is fully connected
+    throw new Error("Database operations not supported in this environment");
+}
+//# sourceMappingURL=dal.js.map

package/dist/db/dal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dal.js","sourceRoot":"","sources":["../../src/db/dal.ts"],"names":[],"mappings":";;;AAcA,4DAkFC;AAUD,oDAoCC;AAED,wDAcC;AA9JD,2CAAsD;AACtD,sCAAgC;AAEhC,uCAAuC;AACvC,MAAM,MAAM,GAAG,IAAI,qBAAY,EAAE,CAAC;AA8JzB,wBAAM;AA5Jf;;;;;;;GAOG;AACI,KAAK,UAAU,wBAAwB,CAAC,WAAmB;IAChE,YAAG,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,EAAE,sCAAsC,CAAC,CAAC;IAElE,2CAA2C;IAC3C,MAAM,gBAAgB,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC;QAC5D,KAAK,EAAE,EAAE,EAAE,EAAE,WAAW,EAAE;QAC1B,OAAO,EAAE;YACP,eAAe,EAAE;gBACf,OAAO,EAAE;oBACP,YAAY,EAAE,IAAI;oBAClB,oBAAoB,EAAE,IAAI;iBAC3B;aACF;SACF;KACF,CAAC,CAAC;IAEH,IAAI,gBAAgB,EAAE,CAAC;QACrB,YAAG,CAAC,IAAI,CACN,EAAE,WAAW,EAAE,SAAS,EAAE,gBAAgB,CAAC,mBAAmB,EAAE,EAChE,+BAA+B,CAChC,CAAC;QACF,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,gEAAgE;IAChE,8CAA8C;IAC9C,YAAG,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,EAAE,kDAAkD,CAAC,CAAC;IAC9E,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,MAAM,CAAC,YAAY,CAC/C,KAAK,EAAE,EAA4B,EAAE,EAAE;YACrC,sCAAsC;YACtC,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;gBAC1C,IAAI,EAAE;oBACJ,IAAI,EAAE,GAAG,WAAW,iBAAiB;oBACrC,SAAS,EAAE,MAAM;iBAClB;aACF,CAAC,CAAC;YAEH,iDAAiD;YACjD,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC;gBACjD,IAAI,EAAE;oBACJ,IAAI,EAAE,iBAAiB;oBACvB,eAAe,EAAE,MAAM,CAAC,EAAE;iBAC3B;aACF,CAAC,CAAC;YAEH,sDAAsD;YACtD,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;gBAC3C,IAAI,EAAE;oBACJ,EAAE,EAAE,WAAW;oBACf,mBAAmB,EAAE,UAAU,CAAC,EAAE;iBACnC;gBACD,OAAO,EAAE;oBACP,eAAe,EAAE;wBACf,OAAO,EAAE;4BACP,YAAY,EAAE,IAAI;4BAClB,oBAAoB,EAAE,IAAI;yBAC3B;qBACF;iBACF;aACF,CAAC,CAAC;YAEH,OAAO,OAAO,CAAC;QACjB,CAAC,CACF,CAAC;QAEF,YAAG,CAAC,IAAI,CACN;YACE,WAAW;YACX,SAAS,EAAE,eAAe,CAAC,mBAAmB;YAC9C,KAAK,EAAE,eAAe,CAAC,eAAe,CAAC,eAAe;SACvD,EACD,0DAA0D,CAC3D,CAAC;QACF,OAAO,eAAe,CAAC;IACzB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,YAAG,CAAC,KAAK,CACP,EAAE,WAAW,EAAE,KAAK,EAAE,EACtB,sDAAsD,CACvD,CAAC;QACF,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,oBAAoB,CACxC,KAAa,EACb,aAAqB;IAErB,YAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,8BAA8B,CAAC,CAAC;IAEnE,MAAM,gBAAgB,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,UAAU,CAAC;QAChE,KAAK,EAAE;YACL,oBAAoB,EAAE;gBACpB,KAAK,EAAE,KAAK;gBACZ,cAAc,EAAE,aAAa;aAC9B;SACF;QACD,OAAO,EAAE;YACP,eAAe,EAAE;gBACf,OAAO,EAAE;oBACP,YAAY,EAAE,IAAI;oBAClB,oBAAoB,EAAE,IAAI;iBAC3B;aACF;SACF;KACF,CAAC,CAAC;IAEH,IAAI,gBAAgB,EAAE,CAAC;QACrB,YAAG,CAAC,IAAI,CACN,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,gBAAgB,CAAC,mBAAmB,EAAE,EACzE,mCAAmC,CACpC,CAAC;QACF,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,YAAG,CAAC,IAAI,CACN,EAAE,KAAK,EAAE,aAAa,EAAE,EACxB,0CAA0C,CAC3C,CAAC;IACF,OAAO,IAAI,CAAC;AACd,CAAC;AAEM,KAAK,UAAU,sBAAsB,CAC1C,cAAsB,EACtB,WAAmB,EACnB,KAAa,EACb,aAAqB,EACrB,uBAAiC,EAAE;IAEnC,YAAG,CAAC,IAAI,CACN,EAAE,cAAc,EAAE,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,EACrD,mCAAmC,CACpC,CAAC;IAEF,uFAAuF;IACvF,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;AAC3E,CAAC"}

package/dist/index.js

@@ -0,0 +1,156 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handler = handler;
+const axios_1 = __importDefault(require("axios"));
+const jwt = __importStar(require("jsonwebtoken"));
+const jwk_to_pem_1 = __importDefault(require("jwk-to-pem"));
+// --- Identity Provider Agnostic Configuration ---
+const OIDC_ISSUER_URL = process.env.OIDC_ISSUER_URL;
+const OIDC_JWKS_URL = process.env.OIDC_JWKS_URL; // New variable for internal JWKS fetching
+const OIDC_AUDIENCE = process.env.OIDC_AUDIENCE;
+// JWKS cache
+let jwksCache = null;
+let jwksCacheTime = 0;
+const JWKS_CACHE_DURATION = 3600000; // 1 hour
+async function getJwks() {
+    if (!OIDC_JWKS_URL) {
+        throw new Error("OIDC_JWKS_URL environment variable is not set.");
+    }
+    const now = Date.now();
+    if (jwksCache && now - jwksCacheTime < JWKS_CACHE_DURATION) {
+        return jwksCache;
+    }
+    // Use OIDC_JWKS_URL directly if it's a full URL, otherwise construct from OIDC_ISSUER_URL
+    const jwksUrl = OIDC_JWKS_URL && OIDC_JWKS_URL.includes("://")
+        ? OIDC_JWKS_URL
+        : `${OIDC_ISSUER_URL}/.well-known/jwks.json`;
+    try {
+        const response = await axios_1.default.get(jwksUrl);
+        jwksCache = response.data;
+        jwksCacheTime = now;
+        return jwksCache;
+    }
+    catch (error) {
+        console.error("Error fetching JWKS:", error);
+        throw new Error(`Could not fetch JWKS`);
+    }
+}
+async function verifyToken(token) {
+    const jwks = await getJwks();
+    const unverifiedHeader = jwt.decode(token, { complete: true });
+    if (!unverifiedHeader ||
+        typeof unverifiedHeader === "string" ||
+        !unverifiedHeader.header.kid) {
+        throw new Error("Invalid token header.");
+    }
+    const key = jwks.keys.find((k) => k.kid === unverifiedHeader.header.kid);
+    if (!key) {
+        throw new Error("Could not find a matching public key.");
+    }
+    const pem = (0, jwk_to_pem_1.default)(key);
+    try {
+        const payload = jwt.verify(token, pem, {
+            algorithms: ["RS256"],
+            audience: OIDC_AUDIENCE,
+            issuer: OIDC_ISSUER_URL,
+        });
+        return payload;
+    }
+    catch (error) {
+        throw new Error(`Token is invalid: ${error}`);
+    }
+}
+async function handler(event) {
+    console.log("=== Authorizer handler called ===");
+    console.log("Event:", JSON.stringify(event, null, 2));
+    try {
+        const authHeader = event.headers?.authorization || event.headers?.Authorization;
+        console.log("Auth header present:", !!authHeader);
+        if (!authHeader || !authHeader.startsWith("Bearer ")) {
+            console.log("Invalid or missing auth header");
+            return {
+                principalId: "unauthorized",
+                policyDocument: {
+                    Version: "2012-10-17",
+                    Statement: [
+                        {
+                            Action: "execute-api:Invoke",
+                            Effect: "Deny",
+                            Resource: event.methodArn,
+                        },
+                    ],
+                },
+            };
+        }
+        const token = authHeader.substring(7);
+        console.log("Token extracted, verifying...");
+        await verifyToken(token);
+        console.log("Token verified successfully");
+        return {
+            principalId: "user",
+            policyDocument: {
+                Version: "2012-10-17",
+                Statement: [
+                    {
+                        Action: "execute-api:Invoke",
+                        Effect: "Allow",
+                        Resource: event.methodArn,
+                    },
+                ],
+            },
+        };
+    }
+    catch (error) {
+        console.error("=== Authorization failed ===");
+        console.error("Error:", error);
+        return {
+            principalId: "unauthorized",
+            policyDocument: {
+                Version: "2012-10-17",
+                Statement: [
+                    {
+                        Action: "execute-api:Invoke",
+                        Effect: "Deny",
+                        Resource: event.methodArn,
+                    },
+                ],
+            },
+        };
+    }
+}

package/dist/index.ts

@@ -0,0 +1,134 @@
+import axios from "axios";
+import * as jwt from "jsonwebtoken";
+import jwkToPem from "jwk-to-pem";
+
+// --- Identity Provider Agnostic Configuration ---
+const OIDC_ISSUER_URL = process.env.OIDC_ISSUER_URL;
+const OIDC_JWKS_URL = process.env.OIDC_JWKS_URL; // New variable for internal JWKS fetching
+const OIDC_AUDIENCE = process.env.OIDC_AUDIENCE;
+
+// JWKS cache
+let jwksCache: any = null;
+let jwksCacheTime = 0;
+const JWKS_CACHE_DURATION = 3600000; // 1 hour
+
+async function getJwks() {
+  if (!OIDC_JWKS_URL) {
+    throw new Error("OIDC_JWKS_URL environment variable is not set.");
+  }
+
+  const now = Date.now();
+  if (jwksCache && now - jwksCacheTime < JWKS_CACHE_DURATION) {
+    return jwksCache;
+  }
+
+  // Use OIDC_JWKS_URL directly if it's a full URL, otherwise construct from OIDC_ISSUER_URL
+  const jwksUrl =
+    OIDC_JWKS_URL && OIDC_JWKS_URL.includes("://")
+      ? OIDC_JWKS_URL
+      : `${OIDC_ISSUER_URL}/.well-known/jwks.json`;
+  try {
+    const response = await axios.get(jwksUrl);
+    jwksCache = response.data;
+    jwksCacheTime = now;
+    return jwksCache;
+  } catch (error) {
+    console.error("Error fetching JWKS:", error);
+    throw new Error(`Could not fetch JWKS`);
+  }
+}
+
+async function verifyToken(token: string) {
+  const jwks = await getJwks();
+  const unverifiedHeader = jwt.decode(token, { complete: true });
+
+  if (
+    !unverifiedHeader ||
+    typeof unverifiedHeader === "string" ||
+    !unverifiedHeader.header.kid
+  ) {
+    throw new Error("Invalid token header.");
+  }
+
+  const key = jwks.keys.find((k: any) => k.kid === unverifiedHeader.header.kid);
+  if (!key) {
+    throw new Error("Could not find a matching public key.");
+  }
+
+  const pem = jwkToPem(key as jwkToPem.JWK);
+
+  try {
+    const payload = jwt.verify(token, pem, {
+      algorithms: ["RS256"],
+      audience: OIDC_AUDIENCE,
+      issuer: OIDC_ISSUER_URL,
+    });
+    return payload;
+  } catch (error) {
+    throw new Error(`Token is invalid: ${error}`);
+  }
+}
+
+export async function handler(event: any) {
+  console.log("=== Authorizer handler called ===");
+  console.log("Event:", JSON.stringify(event, null, 2));
+
+  try {
+    const authHeader =
+      event.headers?.authorization || event.headers?.Authorization;
+    console.log("Auth header present:", !!authHeader);
+
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      console.log("Invalid or missing auth header");
+      return {
+        principalId: "unauthorized",
+        policyDocument: {
+          Version: "2012-10-17",
+          Statement: [
+            {
+              Action: "execute-api:Invoke",
+              Effect: "Deny",
+              Resource: event.methodArn,
+            },
+          ],
+        },
+      };
+    }
+
+    const token = authHeader.substring(7);
+    console.log("Token extracted, verifying...");
+
+    await verifyToken(token);
+    console.log("Token verified successfully");
+
+    return {
+      principalId: "user",
+      policyDocument: {
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Action: "execute-api:Invoke",
+            Effect: "Allow",
+            Resource: event.methodArn,
+          },
+        ],
+      },
+    };
+  } catch (error) {
+    console.error("=== Authorization failed ===");
+    console.error("Error:", error);
+    return {
+      principalId: "unauthorized",
+      policyDocument: {
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Action: "execute-api:Invoke",
+            Effect: "Deny",
+            Resource: event.methodArn,
+          },
+        ],
+      },
+    };
+  }
+}

package/dist/logger.d.ts

@@ -0,0 +1,8 @@
+export declare const log: import("pino").Logger<{
+    level: string;
+    serializers: {
+        err: typeof import("pino-std-serializers").err;
+        error: typeof import("pino-std-serializers").err;
+    };
+}>;
+//# sourceMappingURL=logger.d.ts.map

package/dist/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAgBA,eAAO,MAAM,GAAG;;;;;;EAAS,CAAC"}

package/dist/logger.js

@@ -0,0 +1,19 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.log = void 0;
+// src/logger.ts - Centralized logging system
+const pino_1 = __importDefault(require("pino"));
+// Create logger configuration
+const logger = (0, pino_1.default)({
+    level: process.env.ZEROAUTH_DEBUG ? "debug" : "info",
+    serializers: {
+        err: pino_1.default.stdSerializers.err,
+        error: pino_1.default.stdSerializers.err,
+    },
+}, process.stdout);
+// Export the logger directly
+exports.log = logger;
+//# sourceMappingURL=logger.js.map

package/dist/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":";;;;;;AAAA,6CAA6C;AAC7C,gDAAwB;AAExB,8BAA8B;AAC9B,MAAM,MAAM,GAAG,IAAA,cAAI,EACjB;IACE,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;IACpD,WAAW,EAAE;QACX,GAAG,EAAE,cAAI,CAAC,cAAc,CAAC,GAAG;QAC5B,KAAK,EAAE,cAAI,CAAC,cAAc,CAAC,GAAG;KAC/B;CACF,EACD,OAAO,CAAC,MAAM,CACf,CAAC;AAEF,6BAA6B;AAChB,QAAA,GAAG,GAAG,MAAM,CAAC"}

package/dist/test/setup.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=setup.d.ts.map

package/dist/test/setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../src/test/setup.ts"],"names":[],"mappings":""}