Refactored identity token generation into separate service

refs https://linear.app/ghost/issue/AP-500

The logic for generating identity tokens, whilst small, is something
that we don't want to duplicate - as it concerns security & access - so
can easily break interactions between different services. We're gonna
need to use identity tokens as part of the initialisation of the
activitypub service, so this is pulling it out preemptively for that use
case

We shouldn't have logic inside of the endpoint controllers anyway, so
this is kinda general cleanup.

ghost/core/core/boot.js

@@ -333,6 +333,7 @@ async function initServices() {
     debug('Begin: initServices');
 
     debug('Begin: Services');
+    const identityTokens = require('./server/services/identity-tokens');
     const stripe = require('./server/services/stripe');
     const members = require('./server/services/members');
     const tiers = require('./server/services/tiers');
@@ -380,6 +381,7 @@ async function initServices() {
     await emailAddressService.init(),
 
     await Promise.all([
+        identityTokens.init(),
         memberAttribution.init(),
         mentionsService.init(),
         mentionsEmailReport.init(),

ghost/core/core/server/api/endpoints/identities.js

@@ -1,28 +1,4 @@
 const logging = require('@tryghost/logging');
-const settings = require('../../../shared/settings-cache');
-const urlUtils = require('../../../shared/url-utils');
-const jwt = require('jsonwebtoken');
-const jose = require('node-jose');
-const issuer = urlUtils.urlFor('admin', true);
-
-const dangerousPrivateKey = settings.get('ghost_private_key');
-const keyStore = jose.JWK.createKeyStore();
-const keyStoreReady = keyStore.add(dangerousPrivateKey, 'pem');
-
-const getKeyID = async () => {
-    const key = await keyStoreReady;
-    return key.kid;
-};
-
-const sign = async (claims, options = {}) => {
-    const kid = await getKeyID();
-    return jwt.sign(claims, dangerousPrivateKey, Object.assign({
-        issuer,
-        expiresIn: '5m',
-        algorithm: 'RS256',
-        keyid: kid
-    }, options));
-};
 
 /** @type {import('@tryghost/api-framework').Controller} */
 const controller = {
@@ -33,6 +9,8 @@ const controller = {
         },
         permissions: true,
         async query(frame) {
+            const IdentityTokenService = require('../../services/identity-tokens');
+
             let role = null;
             try {
                 await frame.user.load(['roles']);
@@ -40,13 +18,9 @@ const controller = {
             } catch (err) {
                 logging.warn('Could not load role for identity');
             }
-            const claims = {
-                sub: frame.user.get('email')
-            };
-            if (typeof role === 'string') {
-                claims.role = role;
-            }
-            const token = await sign(claims);
+
+            const token = await IdentityTokenService.instance.getTokenForUser(frame.user.get('email'), role);
+
             return {token};
         }
     }

ghost/core/core/server/services/identity-tokens/IdentityTokenServiceWrapper.js

@@ -0,0 +1,28 @@
+const {IdentityTokenService} = require('@tryghost/identity-token-service');
+
+module.exports = class IdentityTokenServiceWrapper {
+    /** @type IdentityTokenService */
+    static instance;
+
+    static async init() {
+        if (IdentityTokenServiceWrapper.instance) {
+            return;
+        }
+
+        const urlUtils = require('../../../shared/url-utils');
+        const issuer = urlUtils.urlFor('admin', true);
+
+        const settings = require('../../../shared/settings-cache');
+        const jose = require('node-jose');
+
+        const privateKey = settings.get('ghost_private_key');
+        const keyStore = jose.JWK.createKeyStore();
+        const key = await keyStore.add(privateKey, 'pem');
+
+        IdentityTokenServiceWrapper.instance = new IdentityTokenService(
+            privateKey,
+            issuer,
+            key.kid
+        );
+    }
+};

ghost/core/core/server/services/identity-tokens/index.js

@@ -0,0 +1 @@
+module.exports = require('./IdentityTokenServiceWrapper');

ghost/core/package.json

@@ -96,6 +96,7 @@
     "@tryghost/html-to-plaintext": "0.0.0",
     "@tryghost/http-cache-utils": "0.1.17",
     "@tryghost/i18n": "0.0.0",
+    "@tryghost/identity-token-service": "0.0.0",
     "@tryghost/image-transform": "1.3.0",
     "@tryghost/importer-handler-content-files": "0.0.0",
     "@tryghost/importer-revue": "0.0.0",

ghost/identity-token-service/.eslintrc.js

@@ -0,0 +1,7 @@
+module.exports = {
+    parser: '@typescript-eslint/parser',
+    plugins: ['ghost'],
+    extends: [
+        'plugin:ghost/ts'
+    ]
+};

ghost/identity-token-service/README.md

@@ -0,0 +1,21 @@
+# Identity Token Service
+
+
+## Usage
+
+
+## Develop
+
+This is a monorepo package.
+
+Follow the instructions for the top-level repo.
+1. `git clone` this repo & `cd` into it as usual
+2. Run `yarn` to install top-level dependencies.
+
+
+
+## Test
+
+- `yarn lint` run just eslint
+- `yarn test` run lint and tests
+

ghost/identity-token-service/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@tryghost/identity-token-service",
+  "version": "0.0.0",
+  "repository": "https://github.com/TryGhost/Ghost/tree/main/packages/identity-token-service",
+  "author": "Ghost Foundation",
+  "private": true,
+  "main": "build/index.js",
+  "types": "build/index.d.ts",
+  "scripts": {
+    "dev": "tsc --watch --preserveWatchOutput --sourceMap",
+    "build": "tsc",
+    "build:ts": "tsc",
+    "prepare": "tsc",
+    "test:unit": "NODE_ENV=testing c8 --src src --all --check-coverage --100 --reporter text --reporter cobertura mocha -r ts-node/register './test/**/*.test.ts'",
+    "test": "yarn test:types && yarn test:unit",
+    "test:types": "tsc --noEmit",
+    "lint:code": "eslint src/ --ext .ts --cache",
+    "lint": "yarn lint:code && yarn lint:test",
+    "lint:test": "eslint -c test/.eslintrc.js test/ --ext .ts --cache"
+  },
+  "files": [
+    "build"
+  ],
+  "devDependencies": {
+    "c8": "10.1.2",
+    "mocha": "10.8.2",
+    "node-jose": "2.2.0",
+    "sinon": "19.0.2",
+    "ts-node": "10.9.2",
+    "typescript": "5.6.3"
+  },
+  "dependencies": {
+    "jsonwebtoken": "8.5.1"
+  }
+}

ghost/identity-token-service/private.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCYhlD7QVSExM/t
+qtFuJh5tJVMInFMNdoYVTFC+1uEMJnaNfSgvI1fpBSbhBc9Dirg76RNh1uUbX/fm
+tpanZ2TULkh4e7MqOI4gIyrsyxT5ouRGYFEdXMGGLBfffwTC8e6ndoKyRq6hF1PO
+UOgcSAEh5UalRsftfLNpmDJNjIKKkfRoHovyVhwi5QBaD7VjTdDR1ip0CSA1Xn5l
+MxHc3mLnshAqaLu4aDcyFE8z70IyhwUcRYkYniZG6HlbaTyOL/tDCmVCjt3rvMGh
+TzAOhxdB5UKzV/9gC4rpKgaK2BSh+e5FT9UMEgXmRQXuxKMuCb5iF5l326LgYwtX
+tsqrc6ePAgMBAAECggEAQA2kQ6gfePR4R9zFQAdVHsweb07LGCvOynH2tPZjo2kh
+v3Cwp/8lQ5As0DJS5RAEJ/DNeXi4VYM7hhHm+d2TfAIF4Ec+qjv+/+MU+0WcBOxS
+BnYbioOyKAkra2oZ006rxXshDwJdAvzbbpkOqRXaF+SEAxPTEVqds/o9IdEg31Uf
+OS/ZjH2XbtsVOTMbXB21RrgthdjYbcqZzVRD8gClOgo7i6nskZGZRFbmb96qBpCX
+hkpRLEQJbOhmCHqkGStInjS41PIfzjYu5JjfDaFJQqnOpwWcmhj8SNej1ocEpTcU
+7xH+M/tyW1v88qFZiPm8St7bSL9HqWz4S/bNBwlyuQKBgQDJgcPPDLCI8woSexAG
+I4sHxaGGl4mmGlH321HEHNcQft2JWBBpXGqi+F8VsG7wUsGHdRiM6bqseg3b7szr
+iodeyl6WL/4nrQdZP/5RCARgNCIP9scKWGSlPkBh60xKD4+g0p1hL6kCrzB8SXYr
+NnIlMWcw8uV/D4eYb9qGtY1O1wKBgQDBxYiSyT0eum2yTnIva+CORIRoRpsXK0/y
+StC/ydYPI7Ozb+rB5ep+b/F7UuQJjY8o+TPKGmxh608Do62sHDAPtR948aNxV1M5
+mIIoiPciJsc32D2Gv+UVUhpTSO1ncaJ8mumngfdC+CSosDWxTZiGq4JU+ww+5402
+R34gEVDuCQKBgE2Vgd+pQhsogFtHOI80hiYy6JMaq2vhvGeS8PNyKzf1sLRdzMvU
+QlaHDI0cRkqPgmX2JsKyhyY7RDTGx+10g9RyVGK9Db0W+LpbUj6+uHiV+ftth4sr
+J20b/8vzvYbSYPmJvgCaShd3flKMMkxHBUHeuJ13F/eI8is1/cxaAJM3AoGBAJHq
+NREL9zmXe5mE1xl8q8mWMPrxCELnO7mhuxZhYA9gfCbIRUij4PQ7SeXrIotLDR32
+opgzU6Bc+NAtxk9PnqWFZ+DEXaaw8pvxizoJAci22Nflv1ckU9a9T9OdnCCEgq5A
+XWjlRpQoljptDtGoNA5dQrTJo4wPA9h297QgNgg5AoGAOlKZuC4Fa4RWaltvgLrQ
+6twylZTGVSm/njtK/FYdTen1wmNG6rDhkBkOMJnQKwgtjQHke9XxOpqLZTePLNs6
+m+HAlDNOZe7ryiuK7dj04wY2qoO/kCsxO9bR1M8LGRWFIHd4e8ExGWn5Qxk0/9X+
+8/teeCoaDHNy7R6167uxyX8=
+-----END PRIVATE KEY-----

ghost/identity-token-service/src/IdentityTokenService.ts

@@ -0,0 +1,28 @@
+import {sign} from 'jsonwebtoken';
+
+export class IdentityTokenService {
+    constructor(
+        private privateKey: string,
+        private issuer: string,
+        private keyId: string
+    ) {}
+
+    async getTokenForUser(email: string, role?: string) {
+        const claims: Record<string, string> = {
+            sub: email
+        };
+
+        if (typeof role === 'string') {
+            claims.role = role;
+        }
+
+        const token = sign(claims, this.privateKey, {
+            issuer: this.issuer,
+            expiresIn: '5m',
+            algorithm: 'RS256',
+            keyid: this.keyId
+        });
+
+        return token;
+    }
+}

ghost/identity-token-service/src/index.ts

@@ -0,0 +1 @@
+export * from './IdentityTokenService';

ghost/identity-token-service/test/.eslintrc.js

@@ -0,0 +1,7 @@
+module.exports = {
+    parser: '@typescript-eslint/parser',
+    plugins: ['ghost'],
+    extends: [
+        'plugin:ghost/test'
+    ]
+};

ghost/identity-token-service/test/IdentityTokenService.test.ts

@@ -0,0 +1,58 @@
+import assert from 'assert/strict';
+import {IdentityTokenService} from '../src';
+import {JWK} from 'node-jose';
+import {verify} from 'jsonwebtoken';
+
+describe('IdentityTokenService', function () {
+    it('Can create JWTs', async function () {
+        const privateKey = `-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCYhlD7QVSExM/t
+qtFuJh5tJVMInFMNdoYVTFC+1uEMJnaNfSgvI1fpBSbhBc9Dirg76RNh1uUbX/fm
+tpanZ2TULkh4e7MqOI4gIyrsyxT5ouRGYFEdXMGGLBfffwTC8e6ndoKyRq6hF1PO
+UOgcSAEh5UalRsftfLNpmDJNjIKKkfRoHovyVhwi5QBaD7VjTdDR1ip0CSA1Xn5l
+MxHc3mLnshAqaLu4aDcyFE8z70IyhwUcRYkYniZG6HlbaTyOL/tDCmVCjt3rvMGh
+TzAOhxdB5UKzV/9gC4rpKgaK2BSh+e5FT9UMEgXmRQXuxKMuCb5iF5l326LgYwtX
+tsqrc6ePAgMBAAECggEAQA2kQ6gfePR4R9zFQAdVHsweb07LGCvOynH2tPZjo2kh
+v3Cwp/8lQ5As0DJS5RAEJ/DNeXi4VYM7hhHm+d2TfAIF4Ec+qjv+/+MU+0WcBOxS
+BnYbioOyKAkra2oZ006rxXshDwJdAvzbbpkOqRXaF+SEAxPTEVqds/o9IdEg31Uf
+OS/ZjH2XbtsVOTMbXB21RrgthdjYbcqZzVRD8gClOgo7i6nskZGZRFbmb96qBpCX
+hkpRLEQJbOhmCHqkGStInjS41PIfzjYu5JjfDaFJQqnOpwWcmhj8SNej1ocEpTcU
+7xH+M/tyW1v88qFZiPm8St7bSL9HqWz4S/bNBwlyuQKBgQDJgcPPDLCI8woSexAG
+I4sHxaGGl4mmGlH321HEHNcQft2JWBBpXGqi+F8VsG7wUsGHdRiM6bqseg3b7szr
+iodeyl6WL/4nrQdZP/5RCARgNCIP9scKWGSlPkBh60xKD4+g0p1hL6kCrzB8SXYr
+NnIlMWcw8uV/D4eYb9qGtY1O1wKBgQDBxYiSyT0eum2yTnIva+CORIRoRpsXK0/y
+StC/ydYPI7Ozb+rB5ep+b/F7UuQJjY8o+TPKGmxh608Do62sHDAPtR948aNxV1M5
+mIIoiPciJsc32D2Gv+UVUhpTSO1ncaJ8mumngfdC+CSosDWxTZiGq4JU+ww+5402
+R34gEVDuCQKBgE2Vgd+pQhsogFtHOI80hiYy6JMaq2vhvGeS8PNyKzf1sLRdzMvU
+QlaHDI0cRkqPgmX2JsKyhyY7RDTGx+10g9RyVGK9Db0W+LpbUj6+uHiV+ftth4sr
+J20b/8vzvYbSYPmJvgCaShd3flKMMkxHBUHeuJ13F/eI8is1/cxaAJM3AoGBAJHq
+NREL9zmXe5mE1xl8q8mWMPrxCELnO7mhuxZhYA9gfCbIRUij4PQ7SeXrIotLDR32
+opgzU6Bc+NAtxk9PnqWFZ+DEXaaw8pvxizoJAci22Nflv1ckU9a9T9OdnCCEgq5A
+XWjlRpQoljptDtGoNA5dQrTJo4wPA9h297QgNgg5AoGAOlKZuC4Fa4RWaltvgLrQ
+6twylZTGVSm/njtK/FYdTen1wmNG6rDhkBkOMJnQKwgtjQHke9XxOpqLZTePLNs6
+m+HAlDNOZe7ryiuK7dj04wY2qoO/kCsxO9bR1M8LGRWFIHd4e8ExGWn5Qxk0/9X+
+8/teeCoaDHNy7R6167uxyX8=
+-----END PRIVATE KEY-----`;
+        const issuer = 'issuer.com';
+        const keyStore = JWK.createKeyStore();
+        const key = await keyStore.add(privateKey, 'pem');
+
+        const service = new IdentityTokenService(
+            privateKey,
+            issuer,
+            key.kid
+        );
+
+        const token = await service.getTokenForUser('egg@ghost.org', 'Legend');
+
+        const claims = verify(token, key.toPEM());
+
+        if (typeof claims === 'string') {
+            throw new Error('Unexpected return type');
+        }
+
+        assert.equal(claims.sub, 'egg@ghost.org');
+        assert.equal(claims.role, 'Legend');
+        assert.equal(claims.iss, 'issuer.com');
+    });
+});

ghost/identity-token-service/tsconfig.json

@@ -0,0 +1,110 @@
+{
+  "compilerOptions": {
+    /* Visit https://aka.ms/tsconfig to read more about this file */
+
+    /* Projects */
+    "incremental": true,                              /* Save .tsbuildinfo files to allow for incremental compilation of projects. */
+    // "composite": true,                                /* Enable constraints that allow a TypeScript project to be used with project references. */
+    // "tsBuildInfoFile": "./.tsbuildinfo",              /* Specify the path to .tsbuildinfo incremental compilation file. */
+    // "disableSourceOfProjectReferenceRedirect": true,  /* Disable preferring source files instead of declaration files when referencing composite projects. */
+    // "disableSolutionSearching": true,                 /* Opt a project out of multi-project reference checking when editing. */
+    // "disableReferencedProjectLoad": true,             /* Reduce the number of projects loaded automatically by TypeScript. */
+
+    /* Language and Environment */
+    "target": "es2022",                                  /* Set the JavaScript language version for emitted JavaScript and include compatible library declarations. */
+    // "lib": ["es2019"],                                      /* Specify a set of bundled library declaration files that describe the target runtime environment. */
+    // "jsx": "preserve",                                /* Specify what JSX code is generated. */
+    // "experimentalDecorators": true,                   /* Enable experimental support for legacy experimental decorators. */
+    // "emitDecoratorMetadata": true,                    /* Emit design-type metadata for decorated declarations in source files. */
+    // "jsxFactory": "",                                 /* Specify the JSX factory function used when targeting React JSX emit, e.g. 'React.createElement' or 'h'. */
+    // "jsxFragmentFactory": "",                         /* Specify the JSX Fragment reference used for fragments when targeting React JSX emit e.g. 'React.Fragment' or 'Fragment'. */
+    // "jsxImportSource": "",                            /* Specify module specifier used to import the JSX factory functions when using 'jsx: react-jsx*'. */
+    // "reactNamespace": "",                             /* Specify the object invoked for 'createElement'. This only applies when targeting 'react' JSX emit. */
+    // "noLib": true,                                    /* Disable including any library files, including the default lib.d.ts. */
+    // "useDefineForClassFields": true,                  /* Emit ECMAScript-standard-compliant class fields. */
+    // "moduleDetection": "auto",                        /* Control what method is used to detect module-format JS files. */
+
+    /* Modules */
+    "module": "commonjs",                                /* Specify what module code is generated. */
+    "rootDir": "src",                                    /* Specify the root folder within your source files. */
+    // "moduleResolution": "node10",                     /* Specify how TypeScript looks up a file from a given module specifier. */
+    // "baseUrl": "./",                                  /* Specify the base directory to resolve non-relative module names. */
+    // "paths": {},                                      /* Specify a set of entries that re-map imports to additional lookup locations. */
+    // "rootDirs": [],                                   /* Allow multiple folders to be treated as one when resolving modules. */
+    // "typeRoots": [],                                  /* Specify multiple folders that act like './node_modules/@types'. */
+    // "types": [],                                      /* Specify type package names to be included without being referenced in a source file. */
+    // "allowUmdGlobalAccess": true,                     /* Allow accessing UMD globals from modules. */
+    // "moduleSuffixes": [],                             /* List of file name suffixes to search when resolving a module. */
+    // "allowImportingTsExtensions": true,               /* Allow imports to include TypeScript file extensions. Requires '--moduleResolution bundler' and either '--noEmit' or '--emitDeclarationOnly' to be set. */
+    // "resolvePackageJsonExports": true,                /* Use the package.json 'exports' field when resolving package imports. */
+    // "resolvePackageJsonImports": true,                /* Use the package.json 'imports' field when resolving imports. */
+    // "customConditions": [],                           /* Conditions to set in addition to the resolver-specific defaults when resolving imports. */
+    "resolveJsonModule": true,                           /* Enable importing .json files. */
+    // "allowArbitraryExtensions": true,                 /* Enable importing files with any extension, provided a declaration file is present. */
+    // "noResolve": true,                                /* Disallow 'import's, 'require's or '<reference>'s from expanding the number of files TypeScript should add to a project. */
+
+    /* JavaScript Support */
+    // "allowJs": true,                                  /* Allow JavaScript files to be a part of your program. Use the 'checkJS' option to get errors from these files. */
+    // "checkJs": true,                                  /* Enable error reporting in type-checked JavaScript files. */
+    // "maxNodeModuleJsDepth": 1,                        /* Specify the maximum folder depth used for checking JavaScript files from 'node_modules'. Only applicable with 'allowJs'. */
+
+    /* Emit */
+    "declaration": true,                              /* Generate .d.ts files from TypeScript and JavaScript files in your project. */
+    // "declarationMap": true,                           /* Create sourcemaps for d.ts files. */
+    // "emitDeclarationOnly": true,                      /* Only output d.ts files and not JavaScript files. */
+    // "sourceMap": true,                                /* Create source map files for emitted JavaScript files. */
+    // "inlineSourceMap": true,                          /* Include sourcemap files inside the emitted JavaScript. */
+    // "outFile": "./",                                  /* Specify a file that bundles all outputs into one JavaScript file. If 'declaration' is true, also designates a file that bundles all .d.ts output. */
+    "outDir": "build",                                   /* Specify an output folder for all emitted files. */
+    // "removeComments": true,                           /* Disable emitting comments. */
+    // "noEmit": true,                                   /* Disable emitting files from a compilation. */
+    // "importHelpers": true,                            /* Allow importing helper functions from tslib once per project, instead of including them per-file. */
+    // "importsNotUsedAsValues": "remove",               /* Specify emit/checking behavior for imports that are only used for types. */
+    // "downlevelIteration": true,                       /* Emit more compliant, but verbose and less performant JavaScript for iteration. */
+    // "sourceRoot": "",                                 /* Specify the root path for debuggers to find the reference source code. */
+    // "mapRoot": "",                                    /* Specify the location where debugger should locate map files instead of generated locations. */
+    // "inlineSources": true,                            /* Include source code in the sourcemaps inside the emitted JavaScript. */
+    // "emitBOM": true,                                  /* Emit a UTF-8 Byte Order Mark (BOM) in the beginning of output files. */
+    // "newLine": "crlf",                                /* Set the newline character for emitting files. */
+    // "stripInternal": true,                            /* Disable emitting declarations that have '@internal' in their JSDoc comments. */
+    // "noEmitHelpers": true,                            /* Disable generating custom helper functions like '__extends' in compiled output. */
+    // "noEmitOnError": true,                            /* Disable emitting files if any type checking errors are reported. */
+    // "preserveConstEnums": true,                       /* Disable erasing 'const enum' declarations in generated code. */
+    // "declarationDir": "./",                           /* Specify the output directory for generated declaration files. */
+    // "preserveValueImports": true,                     /* Preserve unused imported values in the JavaScript output that would otherwise be removed. */
+
+    /* Interop Constraints */
+    // "isolatedModules": true,                          /* Ensure that each file can be safely transpiled without relying on other imports. */
+    // "verbatimModuleSyntax": true,                     /* Do not transform or elide any imports or exports not marked as type-only, ensuring they are written in the output file's format based on the 'module' setting. */
+    // "allowSyntheticDefaultImports": true,             /* Allow 'import x from y' when a module doesn't have a default export. */
+    "esModuleInterop": true,                             /* Emit additional JavaScript to ease support for importing CommonJS modules. This enables 'allowSyntheticDefaultImports' for type compatibility. */
+    // "preserveSymlinks": true,                         /* Disable resolving symlinks to their realpath. This correlates to the same flag in node. */
+    "forceConsistentCasingInFileNames": true,            /* Ensure that casing is correct in imports. */
+
+    /* Type Checking */
+    "strict": true,                                      /* Enable all strict type-checking options. */
+    "noImplicitAny": true,                               /* Enable error reporting for expressions and declarations with an implied 'any' type. */
+    // "strictNullChecks": true,                         /* When type checking, take into account 'null' and 'undefined'. */
+    // "strictFunctionTypes": true,                      /* When assigning functions, check to ensure parameters and the return values are subtype-compatible. */
+    // "strictBindCallApply": true,                      /* Check that the arguments for 'bind', 'call', and 'apply' methods match the original function. */
+    // "strictPropertyInitialization": true,             /* Check for class properties that are declared but not set in the constructor. */
+    // "noImplicitThis": true,                           /* Enable error reporting when 'this' is given the type 'any'. */
+    // "useUnknownInCatchVariables": true,               /* Default catch clause variables as 'unknown' instead of 'any'. */
+    // "alwaysStrict": true,                             /* Ensure 'use strict' is always emitted. */
+    // "noUnusedLocals": true,                           /* Enable error reporting when local variables aren't read. */
+    // "noUnusedParameters": true,                       /* Raise an error when a function parameter isn't read. */
+    // "exactOptionalPropertyTypes": true,               /* Interpret optional property types as written, rather than adding 'undefined'. */
+    // "noImplicitReturns": true,                        /* Enable error reporting for codepaths that do not explicitly return in a function. */
+    // "noFallthroughCasesInSwitch": true,               /* Enable error reporting for fallthrough cases in switch statements. */
+    // "noUncheckedIndexedAccess": true,                 /* Add 'undefined' to a type when accessed using an index. */
+    // "noImplicitOverride": true,                       /* Ensure overriding members in derived classes are marked with an override modifier. */
+    // "noPropertyAccessFromIndexSignature": true,       /* Enforces using indexed accessors for keys declared using an indexed type. */
+    // "allowUnusedLabels": true,                        /* Disable error reporting for unused labels. */
+    // "allowUnreachableCode": true,                     /* Disable error reporting for unreachable code. */
+
+    /* Completeness */
+    // "skipDefaultLibCheck": true,                      /* Skip type checking .d.ts files that are included with TypeScript. */
+    "skipLibCheck": true                                 /* Skip type checking all .d.ts files. */
+  },
+  "include": ["src/**/*"]
+}

yarn.lock

@@ -23559,6 +23559,32 @@ mocha@10.7.3:
     yargs-parser "^20.2.9"
     yargs-unparser "^2.0.0"
 
+mocha@10.8.2:
+  version "10.8.2"
+  resolved "https://registry.yarnpkg.com/mocha/-/mocha-10.8.2.tgz#8d8342d016ed411b12a429eb731b825f961afb96"
+  integrity sha512-VZlYo/WE8t1tstuRmqgeyBgCbJc/lEdopaa+axcKzTBJ+UIdlAB9XnmvTCAH4pwR4ElNInaedhEBmZD8iCSVEg==
+  dependencies:
+    ansi-colors "^4.1.3"
+    browser-stdout "^1.3.1"
+    chokidar "^3.5.3"
+    debug "^4.3.5"
+    diff "^5.2.0"
+    escape-string-regexp "^4.0.0"
+    find-up "^5.0.0"
+    glob "^8.1.0"
+    he "^1.2.0"
+    js-yaml "^4.1.0"
+    log-symbols "^4.1.0"
+    minimatch "^5.1.6"
+    ms "^2.1.3"
+    serialize-javascript "^6.0.2"
+    strip-json-comments "^3.1.1"
+    supports-color "^8.1.1"
+    workerpool "^6.5.1"
+    yargs "^16.2.0"
+    yargs-parser "^20.2.9"
+    yargs-unparser "^2.0.0"
+
 mocha@^2.5.3:
   version "2.5.3"
   resolved "https://registry.yarnpkg.com/mocha/-/mocha-2.5.3.tgz#161be5bdeb496771eb9b35745050b622b5aefc58"
@@ -30630,6 +30656,11 @@ typescript@5.6.2, typescript@^5.0.4:
   resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.6.2.tgz#d1de67b6bef77c41823f822df8f0b3bcff60a5a0"
   integrity sha512-NW8ByodCSNCwZeghjN3o+JX5OFH0Ojg6sadjEKY4huZ52TqbJTJnDo5+Tw98lSy63NZvi4n+ez5m2u5d4PkZyw==
 
+typescript@5.6.3:
+  version "5.6.3"
+  resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.6.3.tgz#5f3449e31c9d94febb17de03cc081dd56d81db5b"
+  integrity sha512-hjcS1mhfuyi4WW8IWtjP7brDrG2cuDZukyrYrSauoXGNgx0S7zceP07adYkJycEr56BOUTNPzbInooiN3fn1qw==
+
 ua-parser-js@1.0.39:
   version "1.0.39"
   resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-1.0.39.tgz#bfc07f361549bf249bd8f4589a4cccec18fd2018"