@amodalai/runtime 0.3.69 → 0.3.71

package/dist/src/auth/strategies/oidc.js

@@ -0,0 +1,284 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * OidcAuthStrategy — full OAuth2.1/OIDC dance via `openid-client`.
+ *
+ * Handles:
+ *  - Discovery against the IdP's `.well-known/openid-configuration`
+ *  - Authorization-code + PKCE login flow at `/auth/login`
+ *  - Callback at `/auth/callback` — exchanges code for tokens, verifies
+ *    the id_token, and issues an HMAC-signed session cookie
+ *  - Per-request verification of the session cookie (via JWKS for the
+ *    session JWT — actually HMAC since we sign it ourselves)
+ *  - Optional `authorize(claims)` rule for group/role gating
+ *
+ * Covers Okta, Azure AD, Google Workspace, Auth0 OIDC, OneLogin,
+ * Authentik, Keycloak — anything OIDC-compliant.
+ */
+import { Router } from 'express';
+import rateLimit from 'express-rate-limit';
+import * as oidc from 'openid-client';
+import { SignJWT, jwtVerify } from 'jose';
+const STATE_COOKIE = 'amodal_oauth_state';
+const STATE_TTL_SECONDS = 5 * 60;
+export class OidcAuthStrategy {
+    name = 'oidc';
+    opts;
+    sessionKey;
+    discoveryPromise = null;
+    constructor(options) {
+        this.opts = {
+            issuer: options.issuer,
+            clientId: options.clientId,
+            clientSecret: options.clientSecret,
+            callbackUrl: options.callbackUrl,
+            scopes: options.scopes ?? ['openid', 'email', 'profile'],
+            sessionSecret: options.sessionSecret,
+            cookieName: options.cookieName ?? 'amodal_session',
+            sessionTtlSeconds: options.sessionTtlSeconds ?? 24 * 3600,
+            authMethod: options.authMethod ?? 'oidc',
+            allowInsecureRequests: options.allowInsecureRequests ?? false,
+        };
+        if (options.authorize)
+            this.opts.authorize = options.authorize;
+        this.sessionKey = new TextEncoder().encode(options.sessionSecret);
+    }
+    valid(req) {
+        return readCookie(req, this.opts.cookieName) !== null;
+    }
+    async authenticate(req) {
+        const cookie = readCookie(req, this.opts.cookieName);
+        if (!cookie)
+            return { kind: 'rejected', reason: 'No session cookie' };
+        let payload;
+        try {
+            const result = await jwtVerify(cookie, this.sessionKey, {
+                algorithms: ['HS256'],
+                issuer: 'amodal-runtime',
+            });
+            payload = result.payload;
+        }
+        catch (err) {
+            const detail = err instanceof Error ? err.message : String(err);
+            return { kind: 'rejected', reason: `Session JWT invalid: ${detail}` };
+        }
+        const session = {
+            user: {
+                id: typeof payload['sub'] === 'string' ? payload['sub'] : '',
+                ...(typeof payload['email'] === 'string' ? { email: payload['email'] } : {}),
+                ...(typeof payload['name'] === 'string' ? { name: payload['name'] } : {}),
+            },
+            method: this.opts.authMethod,
+            claims: readClaims(payload['claims']),
+        };
+        return { kind: 'authenticated', session };
+    }
+    routes() {
+        const router = Router();
+        // Rate-limit the OAuth-dance endpoints. Both `/auth/login` and
+        // `/auth/callback` perform authorization side-effects (issuing
+        // signed cookies, exchanging codes with the IdP) and would
+        // otherwise be vulnerable to scrape / discovery flooding /
+        // credential-stuffing-adjacent abuse. Logout doesn't need to be
+        // rate-limited — it only clears a cookie.
+        const authLimiter = rateLimit({
+            windowMs: 15 * 60 * 1000,
+            max: 60,
+            standardHeaders: true,
+            legacyHeaders: false,
+        });
+        router.get('/auth/login', authLimiter, (req, res) => {
+            void this.handleLogin(req, res);
+        });
+        router.get('/auth/callback', authLimiter, (req, res) => {
+            void this.handleCallback(req, res);
+        });
+        router.post('/auth/logout', (_req, res) => {
+            clearCookie(res, this.opts.cookieName);
+            res.json({ ok: true });
+        });
+        return router;
+    }
+    // ---- internals ----------------------------------------------------------
+    async config() {
+        if (!this.discoveryPromise) {
+            this.discoveryPromise = oidc.discovery(new URL(this.opts.issuer), this.opts.clientId, this.opts.clientSecret, undefined, this.opts.allowInsecureRequests
+                ? { execute: [oidc.allowInsecureRequests] }
+                : undefined);
+        }
+        return this.discoveryPromise;
+    }
+    async handleLogin(req, res) {
+        try {
+            const config = await this.config();
+            const codeVerifier = oidc.randomPKCECodeVerifier();
+            const codeChallenge = await oidc.calculatePKCECodeChallenge(codeVerifier);
+            const state = oidc.randomState();
+            const returnTo = typeof req.query['return_to'] === 'string' ? req.query['return_to'] : '/';
+            // Stash state + codeVerifier + return_to in a short-lived signed cookie
+            // so the callback can recover them without server-side state.
+            const stateCookie = await new SignJWT({
+                state,
+                codeVerifier,
+                returnTo,
+            })
+                .setProtectedHeader({ alg: 'HS256' })
+                .setIssuer('amodal-runtime')
+                .setIssuedAt()
+                .setExpirationTime(`${STATE_TTL_SECONDS}s`)
+                .sign(this.sessionKey);
+            setCookie(res, STATE_COOKIE, stateCookie, STATE_TTL_SECONDS);
+            const url = oidc.buildAuthorizationUrl(config, {
+                redirect_uri: this.opts.callbackUrl,
+                scope: this.opts.scopes.join(' '),
+                code_challenge: codeChallenge,
+                code_challenge_method: 'S256',
+                state,
+            });
+            res.redirect(url.href);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            res.status(500).json({ error: { code: 'OIDC_LOGIN_FAILED', message } });
+        }
+    }
+    async handleCallback(req, res) {
+        try {
+            const stateCookie = readCookie(req, STATE_COOKIE);
+            if (!stateCookie) {
+                res.status(400).json({ error: { code: 'NO_STATE', message: 'OAuth state cookie missing' } });
+                return;
+            }
+            let stateClaims;
+            try {
+                const verified = await jwtVerify(stateCookie, this.sessionKey, {
+                    algorithms: ['HS256'],
+                    issuer: 'amodal-runtime',
+                });
+                stateClaims = verified.payload;
+            }
+            catch (err) {
+                const detail = err instanceof Error ? err.message : String(err);
+                res.status(400).json({ error: { code: 'BAD_STATE', message: `OAuth state invalid: ${detail}` } });
+                return;
+            }
+            clearCookie(res, STATE_COOKIE);
+            const expectedState = typeof stateClaims['state'] === 'string' ? stateClaims['state'] : '';
+            const codeVerifier = typeof stateClaims['codeVerifier'] === 'string' ? stateClaims['codeVerifier'] : '';
+            const returnTo = typeof stateClaims['returnTo'] === 'string' ? stateClaims['returnTo'] : '/';
+            if (!expectedState || !codeVerifier) {
+                res.status(400).json({ error: { code: 'BAD_STATE', message: 'State payload malformed' } });
+                return;
+            }
+            const config = await this.config();
+            const fullUrl = new URL(req.originalUrl, `${req.protocol}://${req.get('host') ?? 'localhost'}`);
+            const tokens = await oidc.authorizationCodeGrant(config, fullUrl, {
+                pkceCodeVerifier: codeVerifier,
+                expectedState,
+            });
+            const claims = tokens.claims();
+            if (!claims) {
+                res.status(401).json({ error: { code: 'NO_CLAIMS', message: 'id_token missing claims' } });
+                return;
+            }
+            const user = await this.resolveUser(claims);
+            if (!user) {
+                res.status(403).json({ error: { code: 'FORBIDDEN', message: 'User not authorized for this agent' } });
+                return;
+            }
+            const sessionJwt = await new SignJWT({
+                sub: user.id,
+                ...(user.email ? { email: user.email } : {}),
+                ...(user.name ? { name: user.name } : {}),
+                claims: { ...claims },
+            })
+                .setProtectedHeader({ alg: 'HS256' })
+                .setIssuer('amodal-runtime')
+                .setSubject(user.id)
+                .setIssuedAt()
+                .setExpirationTime(`${this.opts.sessionTtlSeconds}s`)
+                .sign(this.sessionKey);
+            setCookie(res, this.opts.cookieName, sessionJwt, this.opts.sessionTtlSeconds);
+            res.redirect(returnTo);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            res.status(500).json({ error: { code: 'OIDC_CALLBACK_FAILED', message } });
+        }
+    }
+    async resolveUser(claims) {
+        if (this.opts.authorize) {
+            const result = await this.opts.authorize(claims);
+            return result;
+        }
+        const id = typeof claims['sub'] === 'string' ? claims['sub'] : null;
+        if (!id)
+            return null;
+        const out = { id };
+        if (typeof claims['email'] === 'string')
+            out.email = claims['email'];
+        if (typeof claims['name'] === 'string')
+            out.name = claims['name'];
+        return out;
+    }
+}
+/**
+ * Defensive narrowing for the `claims` blob we round-trip through the
+ * session JWT. Anything other than a plain object yields an empty
+ * record; avoids a blanket `as Record<string, unknown>` cast on data
+ * that started life as JSON.
+ */
+function readClaims(raw) {
+    if (raw == null || typeof raw !== 'object' || Array.isArray(raw))
+        return {};
+    const out = {};
+    for (const [k, v] of Object.entries(raw))
+        out[k] = v;
+    return out;
+}
+function readCookie(req, name) {
+    const header = req.headers['cookie'];
+    if (typeof header !== 'string' || header.length === 0)
+        return null;
+    for (const pair of header.split(';')) {
+        const trimmed = pair.trim();
+        const eq = trimmed.indexOf('=');
+        if (eq === -1)
+            continue;
+        if (trimmed.slice(0, eq) !== name)
+            continue;
+        const value = trimmed.slice(eq + 1);
+        return value.length > 0 ? decodeURIComponent(value) : null;
+    }
+    return null;
+}
+function setCookie(res, name, value, ttlSeconds) {
+    const parts = [
+        `${name}=${encodeURIComponent(value)}`,
+        'Path=/',
+        `Max-Age=${ttlSeconds}`,
+        'HttpOnly',
+        'Secure',
+        'SameSite=Lax',
+    ];
+    appendSetCookie(res, parts.join('; '));
+}
+function clearCookie(res, name) {
+    appendSetCookie(res, `${name}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`);
+}
+function appendSetCookie(res, value) {
+    const existing = res.getHeader('Set-Cookie');
+    if (existing == null) {
+        res.setHeader('Set-Cookie', value);
+        return;
+    }
+    if (Array.isArray(existing)) {
+        res.setHeader('Set-Cookie', [...existing, value]);
+        return;
+    }
+    res.setHeader('Set-Cookie', [String(existing), value]);
+}
+//# sourceMappingURL=oidc.js.map

package/dist/src/auth/strategies/oidc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../../../../src/auth/strategies/oidc.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAC,MAAM,EAAC,MAAM,SAAS,CAAC;AAE/B,OAAO,SAAS,MAAM,oBAAoB,CAAC;AAC3C,OAAO,KAAK,IAAI,MAAM,eAAe,CAAC;AACtC,OAAO,EAAC,OAAO,EAAE,SAAS,EAAC,MAAM,MAAM,CAAC;AA+BxC,MAAM,YAAY,GAAG,oBAAoB,CAAC;AAC1C,MAAM,iBAAiB,GAAG,CAAC,GAAG,EAAE,CAAC;AAEjC,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,MAAM,CAAC;IACN,IAAI,CAMnB;IACe,UAAU,CAAa;IAChC,gBAAgB,GAAuC,IAAI,CAAC;IAEpE,YAAY,OAAgC;QAC1C,IAAI,CAAC,IAAI,GAAG;YACV,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC;YACxD,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,gBAAgB;YAClD,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,IAAI,EAAE,GAAG,IAAI;YACzD,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,MAAM;YACxC,qBAAqB,EAAE,OAAO,CAAC,qBAAqB,IAAI,KAAK;SAC9D,CAAC;QACF,IAAI,OAAO,CAAC,SAAS;YAAE,IAAI,CAAC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QAC/D,IAAI,CAAC,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACpE,CAAC;IAED,KAAK,CAAC,GAAY;QAChB,OAAO,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACrD,IAAI,CAAC,MAAM;YAAE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,mBAAmB,EAAC,CAAC;QAEpE,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE;gBACtD,UAAU,EAAE,CAAC,OAAO,CAAC;gBACrB,MAAM,EAAE,gBAAgB;aACzB,CAAC,CAAC;YACH,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,wBAAwB,MAAM,EAAE,EAAC,CAAC;QACtE,CAAC;QAED,MAAM,OAAO,GAAgB;YAC3B,IAAI,EAAE;gBACJ,EAAE,EAAE,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE;gBAC5D,GAAG,CAAC,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAC,KAAK,EAAE,OAAO,CAAC,OAAO,CAAC,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1E,GAAG,CAAC,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;aACxE;YACD,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU;YAC5B,MAAM,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;SACtC,CAAC;QACF,OAAO,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAC,CAAC;IAC1C,CAAC;IAED,MAAM;QACJ,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,+DAA+D;QAC/D,+DAA+D;QAC/D,2DAA2D;QAC3D,2DAA2D;QAC3D,gEAAgE;QAChE,0CAA0C;QAC1C,MAAM,WAAW,GAAG,SAAS,CAAC;YAC5B,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;YACxB,GAAG,EAAE,EAAE;YACP,eAAe,EAAE,IAAI;YACrB,aAAa,EAAE,KAAK;SACrB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAClD,KAAK,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,gBAAgB,EAAE,WAAW,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACrD,KAAK,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YACxC,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACvC,GAAG,CAAC,IAAI,CAAC,EAAC,EAAE,EAAE,IAAI,EAAC,CAAC,CAAC;QACvB,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,4EAA4E;IAEpE,KAAK,CAAC,MAAM;QAClB,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3B,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,SAAS,CACpC,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EACzB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAClB,IAAI,CAAC,IAAI,CAAC,YAAY,EACtB,SAAS,EACT,IAAI,CAAC,IAAI,CAAC,qBAAqB;gBAC7B,CAAC,CAAC,EAAC,OAAO,EAAE,CAAC,IAAI,CAAC,qBAAqB,CAAC,EAAC;gBACzC,CAAC,CAAC,SAAS,CACd,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,GAAY,EAAE,GAAa;QACnD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;YACnC,MAAM,YAAY,GAAG,IAAI,CAAC,sBAAsB,EAAE,CAAC;YACnD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,0BAA0B,CAAC,YAAY,CAAC,CAAC;YAC1E,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,OAAO,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAE3F,wEAAwE;YACxE,8DAA8D;YAC9D,MAAM,WAAW,GAAG,MAAM,IAAI,OAAO,CAAC;gBACpC,KAAK;gBACL,YAAY;gBACZ,QAAQ;aACT,CAAC;iBACC,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;iBAClC,SAAS,CAAC,gBAAgB,CAAC;iBAC3B,WAAW,EAAE;iBACb,iBAAiB,CAAC,GAAG,iBAAiB,GAAG,CAAC;iBAC1C,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAEzB,SAAS,CAAC,GAAG,EAAE,YAAY,EAAE,WAAW,EAAE,iBAAiB,CAAC,CAAC;YAE7D,MAAM,GAAG,GAAG,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE;gBAC7C,YAAY,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;gBACnC,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;gBACjC,cAAc,EAAE,aAAa;gBAC7B,qBAAqB,EAAE,MAAM;gBAC7B,KAAK;aACN,CAAC,CAAC;YACH,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACzB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAC,EAAC,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,GAAY,EAAE,GAAa;QACtD,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,UAAU,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAClD,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,4BAA4B,EAAC,EAAC,CAAC,CAAC;gBACzF,OAAO;YACT,CAAC;YAED,IAAI,WAAuB,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE;oBAC7D,UAAU,EAAE,CAAC,OAAO,CAAC;oBACrB,MAAM,EAAE,gBAAgB;iBACzB,CAAC,CAAC;gBACH,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAChE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,wBAAwB,MAAM,EAAE,EAAC,EAAC,CAAC,CAAC;gBAC9F,OAAO;YACT,CAAC;YAED,WAAW,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAE/B,MAAM,aAAa,GAAG,OAAO,WAAW,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3F,MAAM,YAAY,GAAG,OAAO,WAAW,CAAC,cAAc,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACxG,MAAM,QAAQ,GAAG,OAAO,WAAW,CAAC,UAAU,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAC7F,IAAI,CAAC,aAAa,IAAI,CAAC,YAAY,EAAE,CAAC;gBACpC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,yBAAyB,EAAC,EAAC,CAAC,CAAC;gBACvF,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,CAAC;YAChG,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,OAAO,EAAE;gBAChE,gBAAgB,EAAE,YAAY;gBAC9B,aAAa;aACd,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;YAC/B,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,yBAAyB,EAAC,EAAC,CAAC,CAAC;gBACvF,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,oCAAoC,EAAC,EAAC,CAAC,CAAC;gBAClG,OAAO;YACT,CAAC;YAED,MAAM,UAAU,GAAG,MAAM,IAAI,OAAO,CAAC;gBACnC,GAAG,EAAE,IAAI,CAAC,EAAE;gBACZ,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1C,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvC,MAAM,EAAE,EAAC,GAAG,MAAM,EAAC;aACpB,CAAC;iBACC,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;iBAClC,SAAS,CAAC,gBAAgB,CAAC;iBAC3B,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;iBACnB,WAAW,EAAE;iBACb,iBAAiB,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,iBAAiB,GAAG,CAAC;iBACpD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAEzB,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC9E,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAC,EAAC,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,MAAkB;QAC1C,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACxB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACjD,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,MAAM,EAAE,GAAG,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACpE,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACrB,MAAM,GAAG,GAAwB,EAAC,EAAE,EAAC,CAAC;QACtC,IAAI,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ;YAAE,GAAG,CAAC,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;QACrE,IAAI,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,QAAQ;YAAE,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;QAClE,OAAO,GAAG,CAAC;IACb,CAAC;CACF;AAED;;;;;GAKG;AACH,SAAS,UAAU,CAAC,GAAY;IAC9B,IAAI,GAAG,IAAI,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAC5E,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACrD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,UAAU,CAAC,GAAY,EAAE,IAAY;IAC5C,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnE,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,EAAE,KAAK,CAAC,CAAC;YAAE,SAAS;QACxB,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,IAAI;YAAE,SAAS;QAC5C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QACpC,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,SAAS,CAAC,GAAa,EAAE,IAAY,EAAE,KAAa,EAAE,UAAkB;IAC/E,MAAM,KAAK,GAAG;QACZ,GAAG,IAAI,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE;QACtC,QAAQ;QACR,WAAW,UAAU,EAAE;QACvB,UAAU;QACV,QAAQ;QACR,cAAc;KACf,CAAC;IACF,eAAe,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,WAAW,CAAC,GAAa,EAAE,IAAY;IAC9C,eAAe,CAAC,GAAG,EAAE,GAAG,IAAI,sDAAsD,CAAC,CAAC;AACtF,CAAC;AAED,SAAS,eAAe,CAAC,GAAa,EAAE,KAAa;IACnD,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IAC7C,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;QACrB,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QACnC,OAAO;IACT,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;QAClD,OAAO;IACT,CAAC;IACD,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACzD,CAAC"}

package/dist/src/auth/strategies/oidc.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export {};

package/dist/src/auth/strategies/oidc.test.js

@@ -0,0 +1,111 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * OIDC strategy tests focus on the bits we own: cookie verification on
+ * subsequent requests, route mounting, logout. The OAuth dance itself
+ * (login redirect, callback exchange) is delegated to `openid-client`
+ * and exercised at the boundary by mocking that module.
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { SignJWT } from 'jose';
+import express from 'express';
+import supertest from 'supertest';
+const oidcMocks = {
+    discovery: vi.fn(),
+    randomPKCECodeVerifier: vi.fn(() => 'pkce-verifier'),
+    calculatePKCECodeChallenge: vi.fn(() => Promise.resolve('pkce-challenge')),
+    randomState: vi.fn(() => 'state-abc'),
+    buildAuthorizationUrl: vi.fn((_cfg, params) => {
+        const u = new URL('https://acme.okta.com/oauth2/v1/authorize');
+        for (const [k, v] of Object.entries(params))
+            u.searchParams.set(k, String(v));
+        return u;
+    }),
+    authorizationCodeGrant: vi.fn(),
+};
+vi.mock('openid-client', () => oidcMocks);
+const { OidcAuthStrategy } = await import('./oidc.js');
+const SESSION_SECRET = 'a-secret-of-at-least-16-chars';
+const KEY = new TextEncoder().encode(SESSION_SECRET);
+function reqWith(cookie) {
+    return { headers: cookie ? { cookie } : {} };
+}
+async function mintSession(payload) {
+    return new SignJWT(payload)
+        .setProtectedHeader({ alg: 'HS256' })
+        .setIssuer('amodal-runtime')
+        .setSubject('u-1')
+        .setIssuedAt()
+        .setExpirationTime('1h')
+        .sign(KEY);
+}
+function newStrategy() {
+    return new OidcAuthStrategy({
+        issuer: 'https://acme.okta.com',
+        clientId: 'abc',
+        clientSecret: 'shh',
+        callbackUrl: 'https://agent.example.com/auth/callback',
+        sessionSecret: SESSION_SECRET,
+    });
+}
+describe('OidcAuthStrategy — cookie verification', () => {
+    beforeEach(() => {
+        Object.values(oidcMocks).forEach((m) => {
+            if (typeof m.mockReset === 'function') {
+                m.mockReset();
+            }
+        });
+    });
+    it('valid() is false without the session cookie', () => {
+        const s = newStrategy();
+        expect(s.valid(reqWith())).toBe(false);
+    });
+    it('authenticates with a valid session cookie', async () => {
+        const token = await mintSession({ sub: 'u-1', email: 'a@b', name: 'Alice', claims: { groups: ['eng'] } });
+        const s = newStrategy();
+        const r = await s.authenticate(reqWith(`amodal_session=${token}`));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user).toEqual({ id: 'u-1', email: 'a@b', name: 'Alice' });
+            expect(r.session.method).toBe('oidc');
+            expect(r.session.claims).toEqual({ groups: ['eng'] });
+        }
+    });
+    it('rejects a session cookie signed with the wrong secret', async () => {
+        const token = await new SignJWT({ sub: 'u' })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuer('amodal-runtime')
+            .setIssuedAt()
+            .setExpirationTime('1h')
+            .sign(new TextEncoder().encode('different-secret-of-16-chars'));
+        const s = newStrategy();
+        const r = await s.authenticate(reqWith(`amodal_session=${token}`));
+        expect(r.kind).toBe('rejected');
+    });
+});
+describe('OidcAuthStrategy — routes', () => {
+    it('GET /auth/login redirects to the IdP authorize URL', async () => {
+        const s = newStrategy();
+        const app = express();
+        app.use(s.routes());
+        const res = await supertest(app).get('/auth/login');
+        expect(res.status).toBe(302);
+        expect(res.headers['location']).toContain('https://acme.okta.com/oauth2/v1/authorize');
+        expect(res.headers['location']).toContain('state=state-abc');
+        // Sets the OAuth state cookie for the callback to recover
+        expect(res.headers['set-cookie']?.[0]).toMatch(/amodal_oauth_state=/);
+    });
+    it('POST /auth/logout clears the session cookie', async () => {
+        const s = newStrategy();
+        const app = express();
+        app.use(s.routes());
+        const res = await supertest(app).post('/auth/logout');
+        expect(res.status).toBe(200);
+        expect(res.body).toEqual({ ok: true });
+        expect(res.headers['set-cookie']?.[0]).toMatch(/amodal_session=; .*Max-Age=0/);
+    });
+});
+//# sourceMappingURL=oidc.test.js.map

package/dist/src/auth/strategies/oidc.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.test.js","sourceRoot":"","sources":["../../../../src/auth/strategies/oidc.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;GAKG;AACH,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAC,MAAM,QAAQ,CAAC;AAC5D,OAAO,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAC7B,OAAO,OAAO,MAAM,SAAS,CAAC;AAE9B,OAAO,SAAS,MAAM,WAAW,CAAC;AAElC,MAAM,SAAS,GAAG;IAChB,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;IAClB,sBAAsB,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC;IACpD,0BAA0B,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC1E,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC;IACrC,qBAAqB,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,IAAa,EAAE,MAA+B,EAAE,EAAE;QAC9E,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,2CAA2C,CAAC,CAAC;QAC/D,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;YAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9E,OAAO,CAAC,CAAC;IACX,CAAC,CAAC;IACF,sBAAsB,EAAE,EAAE,CAAC,EAAE,EAAE;CAChC,CAAC;AACF,EAAE,CAAC,IAAI,CAAC,eAAe,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;AAE1C,MAAM,EAAC,gBAAgB,EAAC,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;AAErD,MAAM,cAAc,GAAG,+BAA+B,CAAC;AACvD,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;AAErD,SAAS,OAAO,CAAC,MAAe;IAC9B,OAAO,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,EAAC,MAAM,EAAC,CAAC,CAAC,CAAC,EAAE,EAAuB,CAAC;AACjE,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,OAAgC;IACzD,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC;SACxB,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;SAClC,SAAS,CAAC,gBAAgB,CAAC;SAC3B,UAAU,CAAC,KAAK,CAAC;SACjB,WAAW,EAAE;SACb,iBAAiB,CAAC,IAAI,CAAC;SACvB,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,SAAS,WAAW;IAClB,OAAO,IAAI,gBAAgB,CAAC;QAC1B,MAAM,EAAE,uBAAuB;QAC/B,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,KAAK;QACnB,WAAW,EAAE,yCAAyC;QACtD,aAAa,EAAE,cAAc;KAC9B,CAAC,CAAC;AACL,CAAC;AAED,QAAQ,CAAC,wCAAwC,EAAE,GAAG,EAAE;IACtD,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;YACrC,IAAI,OAAQ,CAA8B,CAAC,SAAS,KAAK,UAAU,EAAE,CAAC;gBACnE,CAA6B,CAAC,SAAS,EAAE,CAAC;YAC7C,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,EAAC,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAC,MAAM,EAAE,CAAC,KAAK,CAAC,EAAC,EAAC,CAAC,CAAC;QACtG,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,kBAAkB,KAAK,EAAE,CAAC,CAAC,CAAC;QACnE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAC,CAAC,CAAC;YACzE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAC,MAAM,EAAE,CAAC,KAAK,CAAC,EAAC,CAAC,CAAC;QACtD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,EAAC,GAAG,EAAE,GAAG,EAAC,CAAC;aACxC,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;aAClC,SAAS,CAAC,gBAAgB,CAAC;aAC3B,WAAW,EAAE;aACb,iBAAiB,CAAC,IAAI,CAAC;aACvB,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,8BAA8B,CAAC,CAAC,CAAC;QAClE,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,kBAAkB,KAAK,EAAE,CAAC,CAAC,CAAC;QACnE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACpB,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACpD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,2CAA2C,CAAC,CAAC;QACvF,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;QAC7D,0DAA0D;QAC1D,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACpB,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,IAAI,EAAC,CAAC,CAAC;QACrC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/auth/strategies/strategies.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export {};

package/dist/src/auth/strategies/strategies.test.js

@@ -0,0 +1,190 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { ApiKeyAuthStrategy } from './api-key.js';
+import { HeaderAuthStrategy } from './header.js';
+import { NoneAuthStrategy } from './none.js';
+const jwtVerifyMock = vi.fn();
+const createRemoteJWKSetMock = vi.fn(() => () => Promise.resolve({}));
+vi.mock('jose', () => ({
+    jwtVerify: jwtVerifyMock,
+    createRemoteJWKSet: createRemoteJWKSetMock,
+}));
+const { JwksAuthStrategy } = await import('./jwks.js');
+const { CookieSessionStrategy } = await import('./cookie.js');
+function reqAuth(value) {
+    return { headers: value === null ? {} : { authorization: value } };
+}
+function reqHeaders(headers) {
+    return { headers };
+}
+describe('JwksAuthStrategy', () => {
+    beforeEach(() => {
+        jwtVerifyMock.mockReset();
+        createRemoteJWKSetMock.mockClear();
+    });
+    it('valid() is false when there is no Bearer header', () => {
+        const s = new JwksAuthStrategy({ jwksUrl: 'https://example.com/.well-known/jwks.json' });
+        expect(s.valid(reqAuth(null))).toBe(false);
+    });
+    it('valid() is false on ak_-prefixed tokens (lets ApiKeyAuthStrategy handle)', () => {
+        const s = new JwksAuthStrategy({ jwksUrl: 'https://example.com/.well-known/jwks.json' });
+        expect(s.valid(reqAuth('Bearer ak_xyz'))).toBe(false);
+    });
+    it('valid() is true on a 3-segment Bearer token', () => {
+        const s = new JwksAuthStrategy({ jwksUrl: 'https://example.com/.well-known/jwks.json' });
+        expect(s.valid(reqAuth('Bearer aa.bb.cc'))).toBe(true);
+    });
+    it('rejects with reason when jwtVerify rejects', async () => {
+        jwtVerifyMock.mockRejectedValue(new Error('signature verification failed'));
+        const s = new JwksAuthStrategy({ jwksUrl: 'https://example.com/.well-known/jwks.json' });
+        const r = await s.authenticate(reqAuth('Bearer aa.bb.cc'));
+        expect(r.kind).toBe('rejected');
+        if (r.kind === 'rejected') {
+            expect(r.reason).toMatch(/signature verification failed/);
+        }
+    });
+    it('builds an authenticated session from the verified payload', async () => {
+        jwtVerifyMock.mockResolvedValue({
+            payload: { sub: 'user-42', email: 'user@example.com', agent_id: 'agent-1', scope_id: 'tenant-7' },
+        });
+        const s = new JwksAuthStrategy({ jwksUrl: 'https://example.com/.well-known/jwks.json' });
+        const r = await s.authenticate(reqAuth('Bearer aa.bb.cc'));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user).toEqual({ id: 'user-42', email: 'user@example.com' });
+            expect(r.session.agentId).toBe('agent-1');
+            expect(r.session.scopeId).toBe('tenant-7');
+            expect(r.session.method).toBe('jwks');
+        }
+    });
+    it('passes jwksOptions through to createRemoteJWKSet', () => {
+        new JwksAuthStrategy({
+            jwksUrl: 'https://example.com/.well-known/jwks.json',
+            jwksOptions: { cooldownDuration: 30_000 },
+        });
+        expect(createRemoteJWKSetMock).toHaveBeenCalledWith(expect.any(URL), expect.objectContaining({ cooldownDuration: 30_000 }));
+    });
+});
+describe('ApiKeyAuthStrategy', () => {
+    it('valid() is false without ak_ prefix', () => {
+        const s = new ApiKeyAuthStrategy({ validate: () => Promise.resolve(null) });
+        expect(s.valid(reqAuth('Bearer aa.bb.cc'))).toBe(false);
+        expect(s.valid(reqAuth(null))).toBe(false);
+    });
+    it('valid() is true on ak_ Bearer', () => {
+        const s = new ApiKeyAuthStrategy({ validate: () => Promise.resolve(null) });
+        expect(s.valid(reqAuth('Bearer ak_abc'))).toBe(true);
+    });
+    it('rejects when validate returns null', async () => {
+        const s = new ApiKeyAuthStrategy({ validate: () => Promise.resolve(null) });
+        const r = await s.authenticate(reqAuth('Bearer ak_bad'));
+        expect(r.kind).toBe('rejected');
+    });
+    it('authenticates when validate returns a result', async () => {
+        const s = new ApiKeyAuthStrategy({
+            validate: () => Promise.resolve({ userId: 'u1', email: 'a@b', agentId: 'agent-1' }),
+        });
+        const r = await s.authenticate(reqAuth('Bearer ak_good'));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user).toEqual({ id: 'u1', email: 'a@b' });
+            expect(r.session.agentId).toBe('agent-1');
+            expect(r.session.method).toBe('api-key');
+        }
+    });
+    it('LRU cache hits skip the validate callback', async () => {
+        const validate = vi.fn(() => Promise.resolve({ userId: 'u1' }));
+        const s = new ApiKeyAuthStrategy({ validate, cacheMaxEntries: 100 });
+        await s.authenticate(reqAuth('Bearer ak_x'));
+        await s.authenticate(reqAuth('Bearer ak_x'));
+        expect(validate).toHaveBeenCalledTimes(1);
+    });
+    it('LRU evicts oldest when cap is hit', async () => {
+        const validate = vi.fn(() => Promise.resolve({ userId: 'u' }));
+        const s = new ApiKeyAuthStrategy({ validate, cacheMaxEntries: 2 });
+        await s.authenticate(reqAuth('Bearer ak_a'));
+        await s.authenticate(reqAuth('Bearer ak_b'));
+        await s.authenticate(reqAuth('Bearer ak_c')); // evicts ak_a
+        await s.authenticate(reqAuth('Bearer ak_a')); // miss → revalidate
+        expect(validate).toHaveBeenCalledTimes(4);
+    });
+});
+describe('HeaderAuthStrategy', () => {
+    it('valid() is false without the configured header', () => {
+        const s = new HeaderAuthStrategy({});
+        expect(s.valid(reqHeaders({}))).toBe(false);
+    });
+    it('reads from default X-Auth-User', async () => {
+        const s = new HeaderAuthStrategy({});
+        const r = await s.authenticate(reqHeaders({ 'x-auth-user': 'u-1' }));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user.id).toBe('u-1');
+            expect(r.session.scopeId).toBe('u-1');
+        }
+    });
+    it('honors custom header name (case-insensitive)', async () => {
+        const s = new HeaderAuthStrategy({ headerName: 'X-Subject' });
+        const r = await s.authenticate(reqHeaders({ 'x-subject': 'u-2' }));
+        expect(r.kind).toBe('authenticated');
+    });
+});
+describe('NoneAuthStrategy', () => {
+    it('valid() is always true (chain stops here)', () => {
+        const s = new NoneAuthStrategy();
+        expect(s.valid({})).toBe(true);
+    });
+    it('produces a synthetic anonymous session', async () => {
+        const s = new NoneAuthStrategy();
+        const r = await s.authenticate({});
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user.id).toBe('anonymous');
+            expect(r.session.method).toBe('none');
+        }
+    });
+    it('honors a custom userId', async () => {
+        const s = new NoneAuthStrategy({ userId: 'guest' });
+        const r = await s.authenticate({});
+        if (r.kind === 'authenticated') {
+            expect(r.session.user.id).toBe('guest');
+        }
+    });
+});
+describe('CookieSessionStrategy', () => {
+    beforeEach(() => {
+        jwtVerifyMock.mockReset();
+    });
+    it('valid() is false when the cookie is absent', () => {
+        const s = new CookieSessionStrategy({ jwksUrl: 'https://example.com/jwks' });
+        expect(s.valid(reqHeaders({}))).toBe(false);
+    });
+    it('valid() is true when the configured cookie is present', () => {
+        const s = new CookieSessionStrategy({ jwksUrl: 'https://example.com/jwks' });
+        expect(s.valid(reqHeaders({ cookie: 'amodal_session=abc.def.ghi; other=x' }))).toBe(true);
+    });
+    it('verifies the cookie JWT and builds a session', async () => {
+        jwtVerifyMock.mockResolvedValue({ payload: { sub: 'cu-1', email: 'c@x' } });
+        const s = new CookieSessionStrategy({ jwksUrl: 'https://example.com/jwks' });
+        const r = await s.authenticate(reqHeaders({ cookie: 'amodal_session=aa.bb.cc' }));
+        expect(r.kind).toBe('authenticated');
+        if (r.kind === 'authenticated') {
+            expect(r.session.user).toEqual({ id: 'cu-1', email: 'c@x' });
+            expect(r.session.method).toBe('cookie');
+        }
+    });
+    it('rejects when JWT verify fails', async () => {
+        jwtVerifyMock.mockRejectedValue(new Error('expired'));
+        const s = new CookieSessionStrategy({ jwksUrl: 'https://example.com/jwks' });
+        const r = await s.authenticate(reqHeaders({ cookie: 'amodal_session=aa.bb.cc' }));
+        expect(r.kind).toBe('rejected');
+        if (r.kind === 'rejected') {
+            expect(r.reason).toMatch(/expired/);
+        }
+    });
+});
+//# sourceMappingURL=strategies.test.js.map

package/dist/src/auth/strategies/strategies.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"strategies.test.js","sourceRoot":"","sources":["../../../../src/auth/strategies/strategies.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAC,MAAM,QAAQ,CAAC;AAE5D,OAAO,EAAC,kBAAkB,EAAC,MAAM,cAAc,CAAC;AAChD,OAAO,EAAC,kBAAkB,EAAC,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAE3C,MAAM,aAAa,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;AAC9B,MAAM,sBAAsB,GAAG,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;AAEtE,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACrB,SAAS,EAAE,aAAa;IACxB,kBAAkB,EAAE,sBAAsB;CAC3C,CAAC,CAAC,CAAC;AAEJ,MAAM,EAAC,gBAAgB,EAAC,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;AACrD,MAAM,EAAC,qBAAqB,EAAC,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;AAE5D,SAAS,OAAO,CAAC,KAAoB;IACnC,OAAO,EAAC,OAAO,EAAE,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAC,aAAa,EAAE,KAAK,EAAC,EAAuB,CAAC;AACvF,CAAC;AACD,SAAS,UAAU,CAAC,OAA0C;IAC5D,OAAO,EAAC,OAAO,EAAuB,CAAC;AACzC,CAAC;AAED,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,UAAU,CAAC,GAAG,EAAE;QACd,aAAa,CAAC,SAAS,EAAE,CAAC;QAC1B,sBAAsB,CAAC,SAAS,EAAE,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,OAAO,EAAE,2CAA2C,EAAC,CAAC,CAAC;QACvF,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,OAAO,EAAE,2CAA2C,EAAC,CAAC,CAAC;QACvF,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,OAAO,EAAE,2CAA2C,EAAC,CAAC,CAAC;QACvF,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,aAAa,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;QAC5E,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,OAAO,EAAE,2CAA2C,EAAC,CAAC,CAAC;QACvF,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAC3D,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAChC,IAAI,CAAC,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC1B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,+BAA+B,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,aAAa,CAAC,iBAAiB,CAAC;YAC9B,OAAO,EAAE,EAAC,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAC;SAChG,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,OAAO,EAAE,2CAA2C,EAAC,CAAC,CAAC;QACvF,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAC3D,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAC,CAAC,CAAC;YAC3E,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC1C,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC3C,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,IAAI,gBAAgB,CAAC;YACnB,OAAO,EAAE,2CAA2C;YACpD,WAAW,EAAE,EAAC,gBAAgB,EAAE,MAAM,EAAC;SACxC,CAAC,CAAC;QACH,MAAM,CAAC,sBAAsB,CAAC,CAAC,oBAAoB,CACjD,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EACf,MAAM,CAAC,gBAAgB,CAAC,EAAC,gBAAgB,EAAE,MAAM,EAAC,CAAC,CACpD,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAC,CAAC,CAAC;QAC1E,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAC,CAAC,CAAC;QAC1E,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAC,CAAC,CAAC;QAC1E,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC;QACzD,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC;YAC/B,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAC,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAC,CAAC;SAClF,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC;QAC1D,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAC,CAAC,CAAC;YACzD,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC1C,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,QAAQ,GAAG,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAC,MAAM,EAAE,IAAI,EAAC,CAAC,CAAC,CAAC;QAC9D,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,QAAQ,EAAE,eAAe,EAAE,GAAG,EAAC,CAAC,CAAC;QACnE,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;QAC7C,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;QAC7C,MAAM,CAAC,QAAQ,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,QAAQ,GAAG,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAC,MAAM,EAAE,GAAG,EAAC,CAAC,CAAC,CAAC;QAC7D,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,QAAQ,EAAE,eAAe,EAAE,CAAC,EAAC,CAAC,CAAC;QACjE,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;QAC7C,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;QAC7C,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,cAAc;QAC5D,MAAM,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,oBAAoB;QAClE,MAAM,CAAC,QAAQ,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,EAAC,aAAa,EAAE,KAAK,EAAC,CAAC,CAAC,CAAC;QACnE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACtC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,CAAC,GAAG,IAAI,kBAAkB,CAAC,EAAC,UAAU,EAAE,WAAW,EAAC,CAAC,CAAC;QAC5D,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,EAAC,WAAW,EAAE,KAAK,EAAC,CAAC,CAAC,CAAC;QACjE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,GAAG,IAAI,gBAAgB,EAAE,CAAC;QACjC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,EAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,CAAC,GAAG,IAAI,gBAAgB,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,EAAa,CAAC,CAAC;QAC9C,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC5C,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,KAAK,IAAI,EAAE;QACtC,MAAM,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAC,MAAM,EAAE,OAAO,EAAC,CAAC,CAAC;QAClD,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,EAAa,CAAC,CAAC;QAC9C,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,UAAU,CAAC,GAAG,EAAE;QACd,aAAa,CAAC,SAAS,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,OAAO,EAAE,0BAA0B,EAAC,CAAC,CAAC;QAC3E,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,OAAO,EAAE,0BAA0B,EAAC,CAAC,CAAC;QAC3E,MAAM,CACJ,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,EAAC,MAAM,EAAE,qCAAqC,EAAC,CAAC,CAAC,CACrE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,aAAa,CAAC,iBAAiB,CAAC,EAAC,OAAO,EAAE,EAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAC,EAAC,CAAC,CAAC;QACxE,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,OAAO,EAAE,0BAA0B,EAAC,CAAC,CAAC;QAC3E,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,EAAC,MAAM,EAAE,yBAAyB,EAAC,CAAC,CAAC,CAAC;QAChF,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAC,CAAC,CAAC;YAC3D,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,aAAa,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,IAAI,qBAAqB,CAAC,EAAC,OAAO,EAAE,0BAA0B,EAAC,CAAC,CAAC;QAC3E,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,EAAC,MAAM,EAAE,yBAAyB,EAAC,CAAC,CAAC,CAAC;QAChF,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAChC,IAAI,CAAC,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC1B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACtC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}