@actuate-media/cms-core 0.1.0

package/dist/security/access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.js","sourceRoot":"","sources":["../../src/security/access.ts"],"names":[],"mappings":"AAYA,MAAM,cAAc,GAAyB;IAC3C,KAAK,EAAE,GAAG;IACV,MAAM,EAAE,EAAE;IACV,MAAM,EAAE,EAAE;IACV,MAAM,EAAE,EAAE;CACX,CAAC;AAEF,oFAAoF;AACpF,MAAM,UAAU,WAAW,CACzB,QAAc,EACd,YAAkB;IAElB,OAAO,cAAc,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,YAAY,CAAC,CAAC;AAClE,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,qBAAqB,CAAC,IAAU;IAC9C,MAAM,WAAW,GAAiB;QAChC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE;KAClC,CAAC;IAEF,IAAI,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;QAChC,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QACtD,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1D,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;QAChC,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QACtD,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;QAC/B,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,kFAAkF;AAClF,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAuC,EACvC,IAAqB;IAErB,MAAM,MAAM,GAAoC,EAAE,CAAC;IAEnD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;YACrB,SAAS;QACX,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,+EAA+E;AAC/E,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAAuC,EACvC,IAA6B,EAC7B,IAAqB;IAErB,MAAM,MAAM,GAA4B,EAAE,CAAC;IAE3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;YACpC,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACpB,SAAS;QACX,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,SAA2B,EAC3B,MAAuC,EACvC,IAA6B,EAC7B,IAAqB;IAErB,MAAM,SAAS,GAAG,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;IAC3D,MAAM,MAAM,GAA4B,EAAE,CAAC;IAE3C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;QAC1B,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY;KACpD,CAAC,CAAC;IAEH,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,SAAS,KAAK,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnD,SAAS;YACX,CAAC;YACD,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACpB,SAAS;QACX,CAAC;QACD,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC;QACxC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACpB,SAAS;QACX,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/security/anomaly-detection.d.ts

@@ -0,0 +1,17 @@
+export interface LoginAttempt {
+    userId: string;
+    ipAddress: string;
+    userAgent: string;
+    timestamp: Date;
+    success: boolean;
+}
+export interface AnomalyResult {
+    suspicious: boolean;
+    reasons: string[];
+    riskScore: number;
+}
+/** Analyze a login attempt for anomalous behavior. */
+export declare function detectLoginAnomaly(attempt: LoginAttempt, _recentAttempts: LoginAttempt[]): Promise<AnomalyResult>;
+/** Check if there are too many failed login attempts for an account. */
+export declare function checkBruteForce(recentAttempts: LoginAttempt[], maxFailures?: number, windowMs?: number): boolean;
+//# sourceMappingURL=anomaly-detection.d.ts.map

package/dist/security/anomaly-detection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"anomaly-detection.d.ts","sourceRoot":"","sources":["../../src/security/anomaly-detection.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,OAAO,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,sDAAsD;AACtD,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,YAAY,EACrB,eAAe,EAAE,YAAY,EAAE,GAC9B,OAAO,CAAC,aAAa,CAAC,CAWxB;AAED,wEAAwE;AACxE,wBAAgB,eAAe,CAC7B,cAAc,EAAE,YAAY,EAAE,EAC9B,WAAW,SAAI,EACf,QAAQ,SAAiB,GACxB,OAAO,CAMT"}

package/dist/security/anomaly-detection.js

@@ -0,0 +1,17 @@
+/** Analyze a login attempt for anomalous behavior. */
+export async function detectLoginAnomaly(attempt, _recentAttempts) {
+    const reasons = [];
+    let riskScore = 0;
+    // TODO: implement geo-velocity check
+    // TODO: implement impossible-travel detection
+    // TODO: implement device fingerprint comparison
+    void attempt;
+    return { suspicious: riskScore > 50, reasons, riskScore };
+}
+/** Check if there are too many failed login attempts for an account. */
+export function checkBruteForce(recentAttempts, maxFailures = 5, windowMs = 15 * 60 * 1000) {
+    const cutoff = Date.now() - windowMs;
+    const recentFailures = recentAttempts.filter((a) => !a.success && a.timestamp.getTime() > cutoff);
+    return recentFailures.length >= maxFailures;
+}
+//# sourceMappingURL=anomaly-detection.js.map

package/dist/security/anomaly-detection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"anomaly-detection.js","sourceRoot":"","sources":["../../src/security/anomaly-detection.ts"],"names":[],"mappings":"AAcA,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAqB,EACrB,eAA+B;IAE/B,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,qCAAqC;IACrC,8CAA8C;IAC9C,gDAAgD;IAEhD,KAAK,OAAO,CAAC;IAEb,OAAO,EAAE,UAAU,EAAE,SAAS,GAAG,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAC5D,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,eAAe,CAC7B,cAA8B,EAC9B,WAAW,GAAG,CAAC,EACf,QAAQ,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;IAEzB,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC;IACrC,MAAM,cAAc,GAAG,cAAc,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,MAAM,CACpD,CAAC;IACF,OAAO,cAAc,CAAC,MAAM,IAAI,WAAW,CAAC;AAC9C,CAAC"}

package/dist/security/api-key-enhanced.d.ts

@@ -0,0 +1,25 @@
+export interface ApiKeyScope {
+    collections?: string[];
+    actions?: ("read" | "create" | "update" | "delete")[];
+    globals?: string[];
+    media?: boolean;
+}
+export interface EnhancedApiKeyConfig {
+    prefix: string;
+    scopes: ApiKeyScope;
+    ipRestrictions?: string[];
+    expiresAt?: Date;
+    rateLimit?: {
+        maxRequests: number;
+        windowMs: number;
+    };
+}
+/** Generate a new API key with scoped permissions. */
+export declare function generateApiKey(config: EnhancedApiKeyConfig): Promise<{
+    key: string;
+    keyHash: string;
+    keyPrefix: string;
+}>;
+/** Validate an API key's scopes against a requested action. */
+export declare function validateApiKeyScope(scopes: ApiKeyScope, collection: string, action: "read" | "create" | "update" | "delete"): boolean;
+//# sourceMappingURL=api-key-enhanced.d.ts.map

package/dist/security/api-key-enhanced.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-key-enhanced.d.ts","sourceRoot":"","sources":["../../src/security/api-key-enhanced.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC1B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,CAAC,EAAE,CAAC,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAC;IACtD,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,WAAW,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;CACvD;AAED,sDAAsD;AACtD,wBAAsB,cAAc,CAClC,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAiB9D;AAED,+DAA+D;AAC/D,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,WAAW,EACnB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAC9C,OAAO,CAQT"}

package/dist/security/api-key-enhanced.js

@@ -0,0 +1,25 @@
+/** Generate a new API key with scoped permissions. */
+export async function generateApiKey(config) {
+    const rawBytes = crypto.getRandomValues(new Uint8Array(32));
+    const rawKey = Array.from(rawBytes)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+    const key = `${config.prefix}_${rawKey}`;
+    const keyPrefix = key.slice(0, config.prefix.length + 9);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(key));
+    const keyHash = Array.from(new Uint8Array(hashBuffer))
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+    return { key, keyHash, keyPrefix };
+}
+/** Validate an API key's scopes against a requested action. */
+export function validateApiKeyScope(scopes, collection, action) {
+    if (scopes.collections && !scopes.collections.includes(collection)) {
+        return false;
+    }
+    if (scopes.actions && !scopes.actions.includes(action)) {
+        return false;
+    }
+    return true;
+}
+//# sourceMappingURL=api-key-enhanced.js.map

package/dist/security/api-key-enhanced.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-key-enhanced.js","sourceRoot":"","sources":["../../src/security/api-key-enhanced.ts"],"names":[],"mappings":"AAeA,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAA4B;IAE5B,MAAM,QAAQ,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;IACZ,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAEzD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAC3C,SAAS,EACT,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAC9B,CAAC;IACF,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;SACnD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;IAEZ,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AACrC,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,mBAAmB,CACjC,MAAmB,EACnB,UAAkB,EAClB,MAA+C;IAE/C,IAAI,MAAM,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACnE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACvD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/security/audit.d.ts

@@ -0,0 +1,39 @@
+export interface AuditEntry {
+    event: string;
+    userId?: string;
+    ipAddress?: string;
+    userAgent?: string;
+    details?: Record<string, unknown>;
+    timestamp?: Date;
+}
+export interface AuditLogQuery {
+    event?: string;
+    userId?: string;
+    from?: Date;
+    to?: Date;
+    limit?: number;
+    offset?: number;
+}
+export interface AuditLogResult {
+    entries: AuditEntry[];
+    total: number;
+}
+/** Record an audit log event. */
+export declare function logEvent(event: {
+    event: string;
+    userId?: string;
+    ipAddress?: string;
+    userAgent?: string;
+    details?: Record<string, unknown>;
+}): Promise<void>;
+/** Query audit log entries with filters and pagination. */
+export declare function getAuditLog(options?: {
+    userId?: string;
+    event?: string;
+    page?: number;
+    pageSize?: number;
+}): Promise<{
+    entries: any[];
+    total: number;
+}>;
+//# sourceMappingURL=audit.d.ts.map

package/dist/security/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,EAAE,CAAC,EAAE,IAAI,CAAC;IACV,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,iCAAiC;AACjC,wBAAsB,QAAQ,CAAC,KAAK,EAAE;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC,GAAG,OAAO,CAAC,IAAI,CAAC,CAehB;AAED,2DAA2D;AAC3D,wBAAsB,WAAW,CAAC,OAAO,GAAE;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;CACd,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAmBlD"}

package/dist/security/audit.js

@@ -0,0 +1,40 @@
+import { getDB } from '../db';
+/** Record an audit log event. */
+export async function logEvent(event) {
+    try {
+        const db = getDB();
+        await db.auditLog.create({
+            data: {
+                event: event.event,
+                userId: event.userId ?? null,
+                ipAddress: event.ipAddress ?? null,
+                userAgent: event.userAgent ?? null,
+                details: event.details ?? {},
+            },
+        });
+    }
+    catch {
+        // Fail open — audit logging should never block the primary operation
+    }
+}
+/** Query audit log entries with filters and pagination. */
+export async function getAuditLog(options = {}) {
+    const db = getDB();
+    const { userId, event, page = 1, pageSize = 50 } = options;
+    const where = {};
+    if (userId)
+        where.userId = userId;
+    if (event)
+        where.event = event;
+    const [entries, total] = await Promise.all([
+        db.auditLog.findMany({
+            where,
+            orderBy: { timestamp: 'desc' },
+            skip: (page - 1) * pageSize,
+            take: pageSize,
+        }),
+        db.auditLog.count({ where }),
+    ]);
+    return { entries, total };
+}
+//# sourceMappingURL=audit.js.map

package/dist/security/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;AAyB9B,iCAAiC;AACjC,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,KAM9B;IACC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,KAAK,EAAO,CAAC;QACxB,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YACvB,IAAI,EAAE;gBACJ,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;gBAC5B,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,EAAE;aAC7B;SACF,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,qEAAqE;IACvE,CAAC;AACH,CAAC;AAED,2DAA2D;AAC3D,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,UAK9B,EAAE;IACJ,MAAM,EAAE,GAAG,KAAK,EAAO,CAAC;IACxB,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,GAAG,CAAC,EAAE,QAAQ,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC;IAE3D,MAAM,KAAK,GAAQ,EAAE,CAAC;IACtB,IAAI,MAAM;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;IAClC,IAAI,KAAK;QAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC;IAE/B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACzC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACnB,KAAK;YACL,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;YAC9B,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ;YAC3B,IAAI,EAAE,QAAQ;SACf,CAAC;QACF,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;KAC7B,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC5B,CAAC"}

package/dist/security/breach-check.d.ts

@@ -0,0 +1,3 @@
+/** Check a password against the HaveIBeenPwned Passwords API using k-anonymity. */
+export declare function checkBreached(password: string): Promise<boolean>;
+//# sourceMappingURL=breach-check.d.ts.map

package/dist/security/breach-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"breach-check.d.ts","sourceRoot":"","sources":["../../src/security/breach-check.ts"],"names":[],"mappings":"AAAA,mFAAmF;AACnF,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CA0BtE"}

package/dist/security/breach-check.js

@@ -0,0 +1,27 @@
+/** Check a password against the HaveIBeenPwned Passwords API using k-anonymity. */
+export async function checkBreached(password) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(password);
+    const hashBuffer = await crypto.subtle.digest('SHA-1', data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    const hashHex = hashArray
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('')
+        .toUpperCase();
+    const prefix = hashHex.substring(0, 5);
+    const suffix = hashHex.substring(5);
+    try {
+        const response = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, {
+            headers: { 'User-Agent': 'ActuateCMS-PasswordCheck' },
+            signal: AbortSignal.timeout(5000),
+        });
+        if (!response.ok)
+            return false;
+        const text = await response.text();
+        return text.split('\n').some((line) => line.startsWith(suffix));
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=breach-check.js.map

package/dist/security/breach-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"breach-check.js","sourceRoot":"","sources":["../../src/security/breach-check.ts"],"names":[],"mappings":"AAAA,mFAAmF;AACnF,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,QAAgB;IAClD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC7D,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;IACzD,MAAM,OAAO,GAAG,SAAS;SACtB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC;SACR,WAAW,EAAE,CAAC;IAEjB,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAEpC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,wCAAwC,MAAM,EAAE,EAAE;YAC7E,OAAO,EAAE,EAAE,YAAY,EAAE,0BAA0B,EAAE;YACrD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,KAAK,CAAC;QAE/B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/security/cors.d.ts

@@ -0,0 +1,11 @@
+export interface CorsConfig {
+    allowedOrigins: string[] | "*";
+    allowedMethods?: string[];
+    allowedHeaders?: string[];
+    exposedHeaders?: string[];
+    credentials?: boolean;
+    maxAge?: number;
+}
+/** Build CORS headers for a given request origin. */
+export declare function getCorsHeaders(requestOrigin: string | null, config: CorsConfig): Record<string, string>;
+//# sourceMappingURL=cors.d.ts.map

package/dist/security/cors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../src/security/cors.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,cAAc,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAKD,qDAAqD;AACrD,wBAAgB,cAAc,CAC5B,aAAa,EAAE,MAAM,GAAG,IAAI,EAC5B,MAAM,EAAE,UAAU,GACjB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAwBxB"}

package/dist/security/cors.js

@@ -0,0 +1,33 @@
+const DEFAULT_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"];
+const DEFAULT_HEADERS = ["Content-Type", "Authorization", "X-CSRF-Token"];
+/** Build CORS headers for a given request origin. */
+export function getCorsHeaders(requestOrigin, config) {
+    const headers = {};
+    const allowedOrigin = resolveOrigin(requestOrigin, config.allowedOrigins);
+    if (!allowedOrigin)
+        return headers;
+    headers["Access-Control-Allow-Origin"] = allowedOrigin;
+    headers["Access-Control-Allow-Methods"] = (config.allowedMethods ?? DEFAULT_METHODS).join(", ");
+    headers["Access-Control-Allow-Headers"] = (config.allowedHeaders ?? DEFAULT_HEADERS).join(", ");
+    if (config.exposedHeaders?.length) {
+        headers["Access-Control-Expose-Headers"] = config.exposedHeaders.join(", ");
+    }
+    if (config.credentials) {
+        headers["Access-Control-Allow-Credentials"] = "true";
+    }
+    if (config.maxAge !== undefined) {
+        headers["Access-Control-Max-Age"] = String(config.maxAge);
+    }
+    if (config.allowedOrigins !== "*") {
+        headers["Vary"] = "Origin";
+    }
+    return headers;
+}
+function resolveOrigin(requestOrigin, allowed) {
+    if (allowed === "*")
+        return "*";
+    if (!requestOrigin)
+        return null;
+    return allowed.includes(requestOrigin) ? requestOrigin : null;
+}
+//# sourceMappingURL=cors.js.map

package/dist/security/cors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.js","sourceRoot":"","sources":["../../src/security/cors.ts"],"names":[],"mappings":"AASA,MAAM,eAAe,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;AAC7E,MAAM,eAAe,GAAG,CAAC,cAAc,EAAE,eAAe,EAAE,cAAc,CAAC,CAAC;AAE1E,qDAAqD;AACrD,MAAM,UAAU,cAAc,CAC5B,aAA4B,EAC5B,MAAkB;IAElB,MAAM,OAAO,GAA2B,EAAE,CAAC;IAE3C,MAAM,aAAa,GAAG,aAAa,CAAC,aAAa,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC;IAC1E,IAAI,CAAC,aAAa;QAAE,OAAO,OAAO,CAAC;IAEnC,OAAO,CAAC,6BAA6B,CAAC,GAAG,aAAa,CAAC;IACvD,OAAO,CAAC,8BAA8B,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,IAAI,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChG,OAAO,CAAC,8BAA8B,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,IAAI,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEhG,IAAI,MAAM,CAAC,cAAc,EAAE,MAAM,EAAE,CAAC;QAClC,OAAO,CAAC,+BAA+B,CAAC,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACvB,OAAO,CAAC,kCAAkC,CAAC,GAAG,MAAM,CAAC;IACvD,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,CAAC,wBAAwB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,MAAM,CAAC,cAAc,KAAK,GAAG,EAAE,CAAC;QAClC,OAAO,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC;IAC7B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,aAAa,CACpB,aAA4B,EAC5B,OAAuB;IAEvB,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,GAAG,CAAC;IAChC,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAC;IAChC,OAAO,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC;AAChE,CAAC"}

package/dist/security/csp-nonces.d.ts

@@ -0,0 +1,5 @@
+/** Generate a cryptographically secure nonce for Content Security Policy inline scripts/styles. */
+export declare function generateCspNonce(): string;
+/** Build a CSP header value incorporating the generated nonce. */
+export declare function buildCspHeader(nonce: string, directives?: Record<string, string[]>): string;
+//# sourceMappingURL=csp-nonces.d.ts.map

package/dist/security/csp-nonces.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp-nonces.d.ts","sourceRoot":"","sources":["../../src/security/csp-nonces.ts"],"names":[],"mappings":"AAAA,mGAAmG;AACnG,wBAAgB,gBAAgB,IAAI,MAAM,CAGzC;AAED,kEAAkE;AAClE,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,MAAM,CAiB3F"}

package/dist/security/csp-nonces.js

@@ -0,0 +1,24 @@
+/** Generate a cryptographically secure nonce for Content Security Policy inline scripts/styles. */
+export function generateCspNonce() {
+    const bytes = crypto.getRandomValues(new Uint8Array(16));
+    return btoa(String.fromCharCode(...bytes));
+}
+/** Build a CSP header value incorporating the generated nonce. */
+export function buildCspHeader(nonce, directives) {
+    const defaults = {
+        "default-src": ["'self'"],
+        "script-src": ["'self'", `'nonce-${nonce}'`],
+        "style-src": ["'self'", `'nonce-${nonce}'`, "'unsafe-inline'"],
+        "img-src": ["'self'", "data:", "https:"],
+        "font-src": ["'self'"],
+        "connect-src": ["'self'"],
+        "frame-ancestors": ["'none'"],
+        "base-uri": ["'self'"],
+        "form-action": ["'self'"],
+        ...directives,
+    };
+    return Object.entries(defaults)
+        .map(([key, values]) => `${key} ${values.join(" ")}`)
+        .join("; ");
+}
+//# sourceMappingURL=csp-nonces.js.map

package/dist/security/csp-nonces.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp-nonces.js","sourceRoot":"","sources":["../../src/security/csp-nonces.ts"],"names":[],"mappings":"AAAA,mGAAmG;AACnG,MAAM,UAAU,gBAAgB;IAC9B,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,cAAc,CAAC,KAAa,EAAE,UAAqC;IACjF,MAAM,QAAQ,GAA6B;QACzC,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,YAAY,EAAE,CAAC,QAAQ,EAAE,UAAU,KAAK,GAAG,CAAC;QAC5C,WAAW,EAAE,CAAC,QAAQ,EAAE,UAAU,KAAK,GAAG,EAAE,iBAAiB,CAAC;QAC9D,SAAS,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC;QACxC,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,iBAAiB,EAAE,CAAC,QAAQ,CAAC;QAC7B,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,GAAG,UAAU;KACd,CAAC;IAEF,OAAO,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;SAC5B,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;SACpD,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC"}

package/dist/security/csrf.d.ts

@@ -0,0 +1,5 @@
+/** Generate a CSRF token using Web Crypto. */
+export declare function generateToken(): Promise<string>;
+/** Validate a submitted CSRF token against the stored value using constant-time comparison. */
+export declare function validateToken(token: string, storedToken: string): boolean;
+//# sourceMappingURL=csrf.d.ts.map

package/dist/security/csrf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/security/csrf.ts"],"names":[],"mappings":"AAAA,8CAA8C;AAC9C,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAKrD;AAED,+FAA+F;AAC/F,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAWzE"}

package/dist/security/csrf.js

@@ -0,0 +1,20 @@
+/** Generate a CSRF token using Web Crypto. */
+export async function generateToken() {
+    const bytes = crypto.getRandomValues(new Uint8Array(32));
+    return Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+/** Validate a submitted CSRF token against the stored value using constant-time comparison. */
+export function validateToken(token, storedToken) {
+    if (token.length !== storedToken.length)
+        return false;
+    const a = new TextEncoder().encode(token);
+    const b = new TextEncoder().encode(storedToken);
+    let diff = 0;
+    for (let i = 0; i < a.length; i++) {
+        diff |= (a[i] ?? 0) ^ (b[i] ?? 0);
+    }
+    return diff === 0;
+}
+//# sourceMappingURL=csrf.js.map

package/dist/security/csrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/security/csrf.ts"],"names":[],"mappings":"AAAA,8CAA8C;AAC9C,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;SACrB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAED,+FAA+F;AAC/F,MAAM,UAAU,aAAa,CAAC,KAAa,EAAE,WAAmB;IAC9D,IAAI,KAAK,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAEtD,MAAM,CAAC,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,CAAC,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAEhD,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC"}

package/dist/security/encrypted-fields.d.ts

@@ -0,0 +1,5 @@
+/** Encrypt a field value using AES-256-GCM. */
+export declare function encryptField(value: string, keyHex: string): Promise<string>;
+/** Decrypt a field value encrypted with AES-256-GCM. */
+export declare function decryptField(encrypted: string, keyHex: string): Promise<string>;
+//# sourceMappingURL=encrypted-fields.d.ts.map

package/dist/security/encrypted-fields.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-fields.d.ts","sourceRoot":"","sources":["../../src/security/encrypted-fields.ts"],"names":[],"mappings":"AAIA,+CAA+C;AAC/C,wBAAsB,YAAY,CAChC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAgBjB;AAED,wDAAwD;AACxD,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAajB"}

package/dist/security/encrypted-fields.js

@@ -0,0 +1,40 @@
+const ALGORITHM = "AES-GCM";
+const IV_LENGTH = 12;
+const TAG_LENGTH = 128;
+/** Encrypt a field value using AES-256-GCM. */
+export async function encryptField(value, keyHex) {
+    const key = await importKey(keyHex);
+    const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+    const encoded = new TextEncoder().encode(value);
+    const ciphertext = await crypto.subtle.encrypt({ name: ALGORITHM, iv, tagLength: TAG_LENGTH }, key, encoded);
+    const combined = new Uint8Array(iv.length + ciphertext.byteLength);
+    combined.set(iv);
+    combined.set(new Uint8Array(ciphertext), iv.length);
+    return bufferToHex(combined);
+}
+/** Decrypt a field value encrypted with AES-256-GCM. */
+export async function decryptField(encrypted, keyHex) {
+    const key = await importKey(keyHex);
+    const data = hexToBuffer(encrypted);
+    const iv = data.slice(0, IV_LENGTH);
+    const ciphertext = data.slice(IV_LENGTH);
+    const decrypted = await crypto.subtle.decrypt({ name: ALGORITHM, iv, tagLength: TAG_LENGTH }, key, ciphertext);
+    return new TextDecoder().decode(decrypted);
+}
+async function importKey(keyHex) {
+    const keyData = hexToBuffer(keyHex);
+    return crypto.subtle.importKey("raw", keyData, ALGORITHM, false, ["encrypt", "decrypt"]);
+}
+function bufferToHex(buffer) {
+    return Array.from(buffer)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+function hexToBuffer(hex) {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < hex.length; i += 2) {
+        bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
+    }
+    return bytes;
+}
+//# sourceMappingURL=encrypted-fields.js.map

package/dist/security/encrypted-fields.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-fields.js","sourceRoot":"","sources":["../../src/security/encrypted-fields.ts"],"names":[],"mappings":"AAAA,MAAM,SAAS,GAAG,SAAS,CAAC;AAC5B,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,UAAU,GAAG,GAAG,CAAC;AAEvB,+CAA+C;AAC/C,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAAa,EACb,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAEhD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,EAC9C,GAAG,EACH,OAAO,CACR,CAAC;IAEF,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;IACnE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACjB,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC;IAEpD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED,wDAAwD;AACxD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACpC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IACpC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAEzC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,EAC9C,GAAG,EACH,UAAU,CACX,CAAC;IAEF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,MAAc;IACrC,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAkC,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;AACtH,CAAC;AAED,SAAS,WAAW,CAAC,MAAkB;IACrC,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;SACtB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/security/headers.d.ts

@@ -0,0 +1,11 @@
+export interface SecurityHeadersConfig {
+    contentSecurityPolicy?: string;
+    strictTransportSecurity?: string;
+    xContentTypeOptions?: string;
+    xFrameOptions?: string;
+    referrerPolicy?: string;
+    permissionsPolicy?: string;
+}
+/** Get the default security headers for HTTP responses. */
+export declare function getSecurityHeaders(overrides?: SecurityHeadersConfig): Record<string, string>;
+//# sourceMappingURL=headers.d.ts.map

package/dist/security/headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/security/headers.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,qBAAqB;IACpC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAWD,2DAA2D;AAC3D,wBAAgB,kBAAkB,CAChC,SAAS,CAAC,EAAE,qBAAqB,GAChC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAuBxB"}

package/dist/security/headers.js

@@ -0,0 +1,32 @@
+const DEFAULT_HEADERS = {
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+    "X-XSS-Protection": "0",
+    "Referrer-Policy": "strict-origin-when-cross-origin",
+    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
+    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
+};
+/** Get the default security headers for HTTP responses. */
+export function getSecurityHeaders(overrides) {
+    const headers = { ...DEFAULT_HEADERS };
+    if (overrides?.contentSecurityPolicy) {
+        headers["Content-Security-Policy"] = overrides.contentSecurityPolicy;
+    }
+    if (overrides?.strictTransportSecurity) {
+        headers["Strict-Transport-Security"] = overrides.strictTransportSecurity;
+    }
+    if (overrides?.xContentTypeOptions) {
+        headers["X-Content-Type-Options"] = overrides.xContentTypeOptions;
+    }
+    if (overrides?.xFrameOptions) {
+        headers["X-Frame-Options"] = overrides.xFrameOptions;
+    }
+    if (overrides?.referrerPolicy) {
+        headers["Referrer-Policy"] = overrides.referrerPolicy;
+    }
+    if (overrides?.permissionsPolicy) {
+        headers["Permissions-Policy"] = overrides.permissionsPolicy;
+    }
+    return headers;
+}
+//# sourceMappingURL=headers.js.map

package/dist/security/headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.js","sourceRoot":"","sources":["../../src/security/headers.ts"],"names":[],"mappings":"AASA,MAAM,eAAe,GAA2B;IAC9C,wBAAwB,EAAE,SAAS;IACnC,iBAAiB,EAAE,MAAM;IACzB,kBAAkB,EAAE,GAAG;IACvB,iBAAiB,EAAE,iCAAiC;IACpD,2BAA2B,EAAE,8CAA8C;IAC3E,oBAAoB,EAAE,0CAA0C;CACjE,CAAC;AAEF,2DAA2D;AAC3D,MAAM,UAAU,kBAAkB,CAChC,SAAiC;IAEjC,MAAM,OAAO,GAAG,EAAE,GAAG,eAAe,EAAE,CAAC;IAEvC,IAAI,SAAS,EAAE,qBAAqB,EAAE,CAAC;QACrC,OAAO,CAAC,yBAAyB,CAAC,GAAG,SAAS,CAAC,qBAAqB,CAAC;IACvE,CAAC;IACD,IAAI,SAAS,EAAE,uBAAuB,EAAE,CAAC;QACvC,OAAO,CAAC,2BAA2B,CAAC,GAAG,SAAS,CAAC,uBAAuB,CAAC;IAC3E,CAAC;IACD,IAAI,SAAS,EAAE,mBAAmB,EAAE,CAAC;QACnC,OAAO,CAAC,wBAAwB,CAAC,GAAG,SAAS,CAAC,mBAAmB,CAAC;IACpE,CAAC;IACD,IAAI,SAAS,EAAE,aAAa,EAAE,CAAC;QAC7B,OAAO,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,aAAa,CAAC;IACvD,CAAC;IACD,IAAI,SAAS,EAAE,cAAc,EAAE,CAAC;QAC9B,OAAO,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,cAAc,CAAC;IACxD,CAAC;IACD,IAAI,SAAS,EAAE,iBAAiB,EAAE,CAAC;QACjC,OAAO,CAAC,oBAAoB,CAAC,GAAG,SAAS,CAAC,iBAAiB,CAAC;IAC9D,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/security/index.d.ts

@@ -0,0 +1,31 @@
+export { checkAccess, getPermissionsForRole, filterFieldsByRole, filterWritableFields, applyFieldAccess } from "./access";
+export type { Role, Permission, FieldAccessUser } from "./access";
+export { generateToken as generateCsrfToken, validateToken as validateCsrfToken } from "./csrf";
+export { createRateLimiter } from "./rate-limit";
+export type { RateLimiter, RateLimitConfig, RateLimitResult } from "./rate-limit";
+export { sanitizeHtml, stripHtml } from "./sanitize";
+export { validateMimeType, checkMagicBytes } from "./upload";
+export { validateWebhookUrl, resolveAndCheck } from "./webhook";
+export { logEvent, getAuditLog } from "./audit";
+export type { AuditEntry, AuditLogQuery, AuditLogResult } from "./audit";
+export { getSecurityHeaders } from "./headers";
+export type { SecurityHeadersConfig } from "./headers";
+export { applySecurityMiddleware } from "./middleware";
+export type { SecurityMiddlewareConfig, SecurityMiddlewareResult } from "./middleware";
+export { checkBreached } from "./breach-check";
+export { detectLoginAnomaly, checkBruteForce } from "./anomaly-detection";
+export type { LoginAttempt, AnomalyResult } from "./anomaly-detection";
+export { requiresReauth, verifyReauth } from "./reauth";
+export type { ReauthConfig, ReauthContext } from "./reauth";
+export { isIpAllowed } from "./ip-allowlist";
+export { enforceSessionLimits } from "./session-limits";
+export type { SessionInfo, SessionLimitConfig } from "./session-limits";
+export { encryptField, decryptField } from "./encrypted-fields";
+export { getCorsHeaders } from "./cors";
+export type { CorsConfig } from "./cors";
+export { generateCspNonce, buildCspHeader } from "./csp-nonces";
+export { generateSecurityTxt } from "./security-txt";
+export type { SecurityTxtConfig } from "./security-txt";
+export { generateApiKey, validateApiKeyScope } from "./api-key-enhanced";
+export type { ApiKeyScope, EnhancedApiKeyConfig } from "./api-key-enhanced";
+//# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC1H,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAElE,OAAO,EAAE,aAAa,IAAI,iBAAiB,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAEhG,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAElF,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAErD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE7D,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAEhE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAChD,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzE,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAC/C,YAAY,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAEvD,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AACvD,YAAY,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,cAAc,CAAC;AAEvF,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE/C,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC1E,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEvE,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxD,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAE5D,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAExE,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEhE,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEzC,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,YAAY,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAExD,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzE,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/security/index.js

@@ -0,0 +1,20 @@
+export { checkAccess, getPermissionsForRole, filterFieldsByRole, filterWritableFields, applyFieldAccess } from "./access";
+export { generateToken as generateCsrfToken, validateToken as validateCsrfToken } from "./csrf";
+export { createRateLimiter } from "./rate-limit";
+export { sanitizeHtml, stripHtml } from "./sanitize";
+export { validateMimeType, checkMagicBytes } from "./upload";
+export { validateWebhookUrl, resolveAndCheck } from "./webhook";
+export { logEvent, getAuditLog } from "./audit";
+export { getSecurityHeaders } from "./headers";
+export { applySecurityMiddleware } from "./middleware";
+export { checkBreached } from "./breach-check";
+export { detectLoginAnomaly, checkBruteForce } from "./anomaly-detection";
+export { requiresReauth, verifyReauth } from "./reauth";
+export { isIpAllowed } from "./ip-allowlist";
+export { enforceSessionLimits } from "./session-limits";
+export { encryptField, decryptField } from "./encrypted-fields";
+export { getCorsHeaders } from "./cors";
+export { generateCspNonce, buildCspHeader } from "./csp-nonces";
+export { generateSecurityTxt } from "./security-txt";
+export { generateApiKey, validateApiKeyScope } from "./api-key-enhanced";
+//# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAG1H,OAAO,EAAE,aAAa,IAAI,iBAAiB,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAEhG,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAGjD,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAErD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE7D,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAEhE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAGhD,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAG/C,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAGvD,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE/C,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAG1E,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGxD,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAGxD,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEhE,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AAGxC,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAGrD,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/security/ip-allowlist.d.ts

@@ -0,0 +1,3 @@
+/** Check whether an IP address is within a list of allowed IPs or CIDR ranges. */
+export declare function isIpAllowed(ip: string, allowlist: string[]): boolean;
+//# sourceMappingURL=ip-allowlist.d.ts.map

package/dist/security/ip-allowlist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-allowlist.d.ts","sourceRoot":"","sources":["../../src/security/ip-allowlist.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,wBAAgB,WAAW,CACzB,EAAE,EAAE,MAAM,EACV,SAAS,EAAE,MAAM,EAAE,GAClB,OAAO,CAWT"}

package/dist/security/ip-allowlist.js

@@ -0,0 +1,35 @@
+/** Check whether an IP address is within a list of allowed IPs or CIDR ranges. */
+export function isIpAllowed(ip, allowlist) {
+    if (allowlist.length === 0)
+        return true;
+    for (const entry of allowlist) {
+        if (entry.includes("/")) {
+            if (isInCidr(ip, entry))
+                return true;
+        }
+        else if (ip === entry) {
+            return true;
+        }
+    }
+    return false;
+}
+function isInCidr(ip, cidr) {
+    const [range, bitsStr] = cidr.split("/");
+    if (!range || !bitsStr)
+        return false;
+    const bits = parseInt(bitsStr, 10);
+    const ipNum = ipToNumber(ip);
+    const rangeNum = ipToNumber(range);
+    if (ipNum === null || rangeNum === null)
+        return false;
+    const mask = ~((1 << (32 - bits)) - 1) >>> 0;
+    return (ipNum & mask) === (rangeNum & mask);
+}
+function ipToNumber(ip) {
+    const parts = ip.split(".").map(Number);
+    if (parts.length !== 4 || parts.some((p) => isNaN(p) || p < 0 || p > 255)) {
+        return null;
+    }
+    return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
+}
+//# sourceMappingURL=ip-allowlist.js.map

package/dist/security/ip-allowlist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-allowlist.js","sourceRoot":"","sources":["../../src/security/ip-allowlist.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,MAAM,UAAU,WAAW,CACzB,EAAU,EACV,SAAmB;IAEnB,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAExC,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,IAAI,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;QACvC,CAAC;aAAM,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,QAAQ,CAAC,EAAU,EAAE,IAAY;IACxC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAErC,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC;IAC7B,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAEnC,IAAI,KAAK,KAAK,IAAI,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAEtD,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAC7C,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,UAAU,CAAC,EAAU;IAC5B,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,CAAC;AACtF,CAAC"}