@arch-cadre/core 0.0.6

package/dist/core/auth/rbac.mjs

@@ -0,0 +1,104 @@
+"use server";
+
+import { db } from "../../server/database/inject.mjs";
+import { permissionsTable, rolesTable, rolesToPermissionsTable, usersToPermissionsTable, usersToRolesTable } from "../../server/database/schema.mjs";
+import { notificationService } from "../notifications/service.mjs";
+import "../notifications/index.mjs";
+import { and, eq, inArray } from "drizzle-orm";
+
+//#region src/core/auth/rbac.ts
+if (typeof window === "undefined") notificationService.init();
+/**
+* CORE RBAC LOGIC
+* This file handles all database operations for Roles and Permissions.
+*/
+async function getRoles() {
+	return await db.select().from(rolesTable).orderBy(rolesTable.name);
+}
+async function getRoleById(roleId) {
+	const [role] = await db.select().from(rolesTable).where(eq(rolesTable.id, roleId));
+	return role;
+}
+async function createRole(name, description) {
+	return await db.insert(rolesTable).values({
+		name,
+		description
+	}).returning();
+}
+async function deleteRole(roleId) {
+	return await db.delete(rolesTable).where(eq(rolesTable.id, roleId));
+}
+async function getPermissions() {
+	return await db.select().from(permissionsTable).orderBy(permissionsTable.name);
+}
+async function createPermission(name, description) {
+	return await db.insert(permissionsTable).values({
+		name,
+		description
+	}).returning();
+}
+async function deletePermission(permissionId) {
+	return await db.delete(permissionsTable).where(eq(permissionsTable.id, permissionId));
+}
+async function getRolePermissions(roleId) {
+	return await db.select({
+		id: permissionsTable.id,
+		name: permissionsTable.name
+	}).from(rolesToPermissionsTable).innerJoin(permissionsTable, eq(rolesToPermissionsTable.permissionId, permissionsTable.id)).where(eq(rolesToPermissionsTable.roleId, roleId));
+}
+async function assignPermissionToRole(roleId, permissionId) {
+	return await db.insert(rolesToPermissionsTable).values({
+		roleId,
+		permissionId
+	}).onConflictDoNothing();
+}
+async function revokePermissionFromRole(roleId, permissionId) {
+	return await db.delete(rolesToPermissionsTable).where(and(eq(rolesToPermissionsTable.roleId, roleId), eq(rolesToPermissionsTable.permissionId, permissionId)));
+}
+async function assignRoleToUser(userId, roleId) {
+	return await db.insert(usersToRolesTable).values({
+		userId,
+		roleId
+	}).onConflictDoNothing();
+}
+async function revokeRoleFromUser(userId, roleId) {
+	return await db.delete(usersToRolesTable).where(and(eq(usersToRolesTable.userId, userId), eq(usersToRolesTable.roleId, roleId)));
+}
+async function assignPermissionToUser(userId, permissionId) {
+	return await db.insert(usersToPermissionsTable).values({
+		userId,
+		permissionId
+	}).onConflictDoNothing();
+}
+async function revokePermissionFromUser(userId, permissionId) {
+	return await db.delete(usersToPermissionsTable).where(and(eq(usersToPermissionsTable.userId, userId), eq(usersToPermissionsTable.permissionId, permissionId)));
+}
+async function getUserRbacData(userId) {
+	const roles = await db.select({
+		id: rolesTable.id,
+		name: rolesTable.name
+	}).from(usersToRolesTable).innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id)).where(eq(usersToRolesTable.userId, userId));
+	const directPermissions = await db.select({
+		id: permissionsTable.id,
+		name: permissionsTable.name
+	}).from(usersToPermissionsTable).innerJoin(permissionsTable, eq(usersToPermissionsTable.permissionId, permissionsTable.id)).where(eq(usersToPermissionsTable.userId, userId));
+	let rolePermissions = [];
+	if (roles.length > 0) {
+		const roleIds = roles.map((r) => r.id);
+		rolePermissions = await db.select({
+			id: permissionsTable.id,
+			name: permissionsTable.name
+		}).from(rolesToPermissionsTable).innerJoin(permissionsTable, eq(rolesToPermissionsTable.permissionId, permissionsTable.id)).where(inArray(rolesToPermissionsTable.roleId, roleIds));
+	}
+	const effectiveMap = /* @__PURE__ */ new Map();
+	for (const p of [...directPermissions, ...rolePermissions]) effectiveMap.set(p.id, p);
+	return {
+		roles,
+		directPermissions,
+		effectivePermissions: Array.from(effectiveMap.values())
+	};
+}
+
+//#endregion
+export { assignPermissionToRole, assignPermissionToUser, assignRoleToUser, createPermission, createRole, deletePermission, deleteRole, getPermissions, getRoleById, getRolePermissions, getRoles, getUserRbacData, revokePermissionFromRole, revokePermissionFromUser, revokeRoleFromUser };
+//# sourceMappingURL=rbac.mjs.map

package/dist/core/auth/rbac.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.mjs","names":[],"sources":["../../../src/core/auth/rbac.ts"],"sourcesContent":["\"use server\";\n\nimport { and, eq, inArray } from \"drizzle-orm\";\nimport { db } from \"../../server/database/inject\";\nimport {\n  permissionsTable,\n  rolesTable,\n  rolesToPermissionsTable,\n  usersToPermissionsTable,\n  usersToRolesTable,\n} from \"../../server/database/schema\";\nimport { notificationService } from \"../notifications\";\n\n// Ensure notification service is loaded\nif (typeof window === \"undefined\") {\n  notificationService.init();\n}\n\n/**\n * CORE RBAC LOGIC\n * This file handles all database operations for Roles and Permissions.\n */\n\n// --- Roles ---\n\nexport async function getRoles() {\n  return await db.select().from(rolesTable).orderBy(rolesTable.name);\n}\n\nexport async function getRoleById(roleId: string) {\n  const [role] = await db\n    .select()\n    .from(rolesTable)\n    .where(eq(rolesTable.id, roleId));\n  return role;\n}\n\nexport async function createRole(name: string, description?: string) {\n  return await db.insert(rolesTable).values({ name, description }).returning();\n}\n\nexport async function deleteRole(roleId: string) {\n  return await db.delete(rolesTable).where(eq(rolesTable.id, roleId));\n}\n\n// --- Permissions ---\n\nexport async function getPermissions() {\n  return await db\n    .select()\n    .from(permissionsTable)\n    .orderBy(permissionsTable.name);\n}\n\nexport async function createPermission(name: string, description?: string) {\n  return await db\n    .insert(permissionsTable)\n    .values({ name, description })\n    .returning();\n}\n\nexport async function deletePermission(permissionId: string) {\n  return await db\n    .delete(permissionsTable)\n    .where(eq(permissionsTable.id, permissionId));\n}\n\n// --- Mappings ---\n\nexport async function getRolePermissions(roleId: string) {\n  return await db\n    .select({\n      id: permissionsTable.id,\n      name: permissionsTable.name,\n    })\n    .from(rolesToPermissionsTable)\n    .innerJoin(\n      permissionsTable,\n      eq(rolesToPermissionsTable.permissionId, permissionsTable.id),\n    )\n    .where(eq(rolesToPermissionsTable.roleId, roleId));\n}\n\nexport async function assignPermissionToRole(\n  roleId: string,\n  permissionId: string,\n) {\n  return await db\n    .insert(rolesToPermissionsTable)\n    .values({ roleId, permissionId })\n    .onConflictDoNothing();\n}\n\nexport async function revokePermissionFromRole(\n  roleId: string,\n  permissionId: string,\n) {\n  return await db\n    .delete(rolesToPermissionsTable)\n    .where(\n      and(\n        eq(rolesToPermissionsTable.roleId, roleId),\n        eq(rolesToPermissionsTable.permissionId, permissionId),\n      ),\n    );\n}\n\n// --- User Assignment ---\n\nexport async function assignRoleToUser(userId: string, roleId: string) {\n  return await db\n    .insert(usersToRolesTable)\n    .values({ userId, roleId })\n    .onConflictDoNothing();\n}\n\nexport async function revokeRoleFromUser(userId: string, roleId: string) {\n  return await db\n    .delete(usersToRolesTable)\n    .where(\n      and(\n        eq(usersToRolesTable.userId, userId),\n        eq(usersToRolesTable.roleId, roleId),\n      ),\n    );\n}\n\nexport async function assignPermissionToUser(\n  userId: string,\n  permissionId: string,\n) {\n  return await db\n    .insert(usersToPermissionsTable)\n    .values({ userId, permissionId })\n    .onConflictDoNothing();\n}\n\nexport async function revokePermissionFromUser(\n  userId: string,\n  permissionId: string,\n) {\n  return await db\n    .delete(usersToPermissionsTable)\n    .where(\n      and(\n        eq(usersToPermissionsTable.userId, userId),\n        eq(usersToPermissionsTable.permissionId, permissionId),\n      ),\n    );\n}\n\nexport async function getUserRbacData(userId: string) {\n  const roles = await db\n    .select({\n      id: rolesTable.id,\n      name: rolesTable.name,\n    })\n    .from(usersToRolesTable)\n    .innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id))\n    .where(eq(usersToRolesTable.userId, userId));\n\n  const directPermissions = await db\n    .select({\n      id: permissionsTable.id,\n      name: permissionsTable.name,\n    })\n    .from(usersToPermissionsTable)\n    .innerJoin(\n      permissionsTable,\n      eq(usersToPermissionsTable.permissionId, permissionsTable.id),\n    )\n    .where(eq(usersToPermissionsTable.userId, userId));\n\n  // Fetch inherited permissions from roles\n  let rolePermissions: { id: string; name: string }[] = [];\n  if (roles.length > 0) {\n    const roleIds = roles.map((r) => r.id);\n    rolePermissions = await db\n      .select({\n        id: permissionsTable.id,\n        name: permissionsTable.name,\n      })\n      .from(rolesToPermissionsTable)\n      .innerJoin(\n        permissionsTable,\n        eq(rolesToPermissionsTable.permissionId, permissionsTable.id),\n      )\n      .where(inArray(rolesToPermissionsTable.roleId, roleIds));\n  }\n\n  // Combine for effective permissions\n  const effectiveMap = new Map<string, { id: string; name: string }>();\n  for (const p of [...directPermissions, ...rolePermissions]) {\n    effectiveMap.set(p.id, p);\n  }\n\n  return {\n    roles,\n    directPermissions,\n    effectivePermissions: Array.from(effectiveMap.values()),\n  };\n}\n"],"mappings":";;;;;;;;;AAcA,IAAI,OAAO,WAAW,YACpB,qBAAoB,MAAM;;;;;AAU5B,eAAsB,WAAW;AAC/B,QAAO,MAAM,GAAG,QAAQ,CAAC,KAAK,WAAW,CAAC,QAAQ,WAAW,KAAK;;AAGpE,eAAsB,YAAY,QAAgB;CAChD,MAAM,CAAC,QAAQ,MAAM,GAClB,QAAQ,CACR,KAAK,WAAW,CAChB,MAAM,GAAG,WAAW,IAAI,OAAO,CAAC;AACnC,QAAO;;AAGT,eAAsB,WAAW,MAAc,aAAsB;AACnE,QAAO,MAAM,GAAG,OAAO,WAAW,CAAC,OAAO;EAAE;EAAM;EAAa,CAAC,CAAC,WAAW;;AAG9E,eAAsB,WAAW,QAAgB;AAC/C,QAAO,MAAM,GAAG,OAAO,WAAW,CAAC,MAAM,GAAG,WAAW,IAAI,OAAO,CAAC;;AAKrE,eAAsB,iBAAiB;AACrC,QAAO,MAAM,GACV,QAAQ,CACR,KAAK,iBAAiB,CACtB,QAAQ,iBAAiB,KAAK;;AAGnC,eAAsB,iBAAiB,MAAc,aAAsB;AACzE,QAAO,MAAM,GACV,OAAO,iBAAiB,CACxB,OAAO;EAAE;EAAM;EAAa,CAAC,CAC7B,WAAW;;AAGhB,eAAsB,iBAAiB,cAAsB;AAC3D,QAAO,MAAM,GACV,OAAO,iBAAiB,CACxB,MAAM,GAAG,iBAAiB,IAAI,aAAa,CAAC;;AAKjD,eAAsB,mBAAmB,QAAgB;AACvD,QAAO,MAAM,GACV,OAAO;EACN,IAAI,iBAAiB;EACrB,MAAM,iBAAiB;EACxB,CAAC,CACD,KAAK,wBAAwB,CAC7B,UACC,kBACA,GAAG,wBAAwB,cAAc,iBAAiB,GAAG,CAC9D,CACA,MAAM,GAAG,wBAAwB,QAAQ,OAAO,CAAC;;AAGtD,eAAsB,uBACpB,QACA,cACA;AACA,QAAO,MAAM,GACV,OAAO,wBAAwB,CAC/B,OAAO;EAAE;EAAQ;EAAc,CAAC,CAChC,qBAAqB;;AAG1B,eAAsB,yBACpB,QACA,cACA;AACA,QAAO,MAAM,GACV,OAAO,wBAAwB,CAC/B,MACC,IACE,GAAG,wBAAwB,QAAQ,OAAO,EAC1C,GAAG,wBAAwB,cAAc,aAAa,CACvD,CACF;;AAKL,eAAsB,iBAAiB,QAAgB,QAAgB;AACrE,QAAO,MAAM,GACV,OAAO,kBAAkB,CACzB,OAAO;EAAE;EAAQ;EAAQ,CAAC,CAC1B,qBAAqB;;AAG1B,eAAsB,mBAAmB,QAAgB,QAAgB;AACvE,QAAO,MAAM,GACV,OAAO,kBAAkB,CACzB,MACC,IACE,GAAG,kBAAkB,QAAQ,OAAO,EACpC,GAAG,kBAAkB,QAAQ,OAAO,CACrC,CACF;;AAGL,eAAsB,uBACpB,QACA,cACA;AACA,QAAO,MAAM,GACV,OAAO,wBAAwB,CAC/B,OAAO;EAAE;EAAQ;EAAc,CAAC,CAChC,qBAAqB;;AAG1B,eAAsB,yBACpB,QACA,cACA;AACA,QAAO,MAAM,GACV,OAAO,wBAAwB,CAC/B,MACC,IACE,GAAG,wBAAwB,QAAQ,OAAO,EAC1C,GAAG,wBAAwB,cAAc,aAAa,CACvD,CACF;;AAGL,eAAsB,gBAAgB,QAAgB;CACpD,MAAM,QAAQ,MAAM,GACjB,OAAO;EACN,IAAI,WAAW;EACf,MAAM,WAAW;EAClB,CAAC,CACD,KAAK,kBAAkB,CACvB,UAAU,YAAY,GAAG,kBAAkB,QAAQ,WAAW,GAAG,CAAC,CAClE,MAAM,GAAG,kBAAkB,QAAQ,OAAO,CAAC;CAE9C,MAAM,oBAAoB,MAAM,GAC7B,OAAO;EACN,IAAI,iBAAiB;EACrB,MAAM,iBAAiB;EACxB,CAAC,CACD,KAAK,wBAAwB,CAC7B,UACC,kBACA,GAAG,wBAAwB,cAAc,iBAAiB,GAAG,CAC9D,CACA,MAAM,GAAG,wBAAwB,QAAQ,OAAO,CAAC;CAGpD,IAAI,kBAAkD,EAAE;AACxD,KAAI,MAAM,SAAS,GAAG;EACpB,MAAM,UAAU,MAAM,KAAK,MAAM,EAAE,GAAG;AACtC,oBAAkB,MAAM,GACrB,OAAO;GACN,IAAI,iBAAiB;GACrB,MAAM,iBAAiB;GACxB,CAAC,CACD,KAAK,wBAAwB,CAC7B,UACC,kBACA,GAAG,wBAAwB,cAAc,iBAAiB,GAAG,CAC9D,CACA,MAAM,QAAQ,wBAAwB,QAAQ,QAAQ,CAAC;;CAI5D,MAAM,+BAAe,IAAI,KAA2C;AACpE,MAAK,MAAM,KAAK,CAAC,GAAG,mBAAmB,GAAG,gBAAgB,CACxD,cAAa,IAAI,EAAE,IAAI,EAAE;AAG3B,QAAO;EACL;EACA;EACA,sBAAsB,MAAM,KAAK,aAAa,QAAQ,CAAC;EACxD"}

package/dist/core/auth/session.cjs

@@ -0,0 +1,161 @@
+"use server";
+
+const require_runtime = require('../../_virtual/_rolldown/runtime.cjs');
+const require_inject = require('../../server/database/inject.cjs');
+const require_schema = require('../../server/database/schema.cjs');
+const require_augment = require('./augment.cjs');
+const require_logic = require('./logic.cjs');
+const require_bootstrap = require('../bootstrap.cjs');
+let drizzle_orm = require("drizzle-orm");
+let _oslojs_crypto_sha2 = require("@oslojs/crypto/sha2");
+let _oslojs_encoding = require("@oslojs/encoding");
+let date_fns = require("date-fns");
+let next_headers = require("next/headers");
+let next_navigation = require("next/navigation");
+
+//#region src/core/auth/session.ts
+/**
+* Returns the user's IP address.
+*/
+async function getIPAddress() {
+	return (await (0, next_headers.headers)()).get("x-forwarded-for");
+}
+/**
+* Validates the session token.
+*/
+async function validateSessionToken(token) {
+	await require_bootstrap.ensureSystemInitialized();
+	const sessionId = (0, _oslojs_encoding.encodeHexLowerCase)((0, _oslojs_crypto_sha2.sha256)(new TextEncoder().encode(token)));
+	const [row] = await require_inject.db.select({
+		session: require_schema.sessionTable,
+		user: require_schema.userTable
+	}).from(require_schema.sessionTable).innerJoin(require_schema.userTable, (0, drizzle_orm.eq)(require_schema.sessionTable.userId, require_schema.userTable.id)).where((0, drizzle_orm.eq)(require_schema.sessionTable.id, sessionId));
+	if (!row || !row.user) return {
+		session: null,
+		user: null
+	};
+	const { session: baseSession, user: baseUser } = row;
+	const { password, recovery_code, ...safeUser } = baseUser;
+	if (/* @__PURE__ */ new Date() > baseSession.expiresAt) {
+		await require_inject.db.delete(require_schema.sessionTable).where((0, drizzle_orm.eq)(require_schema.sessionTable.id, baseSession.id));
+		return {
+			session: null,
+			user: null
+		};
+	}
+	const augmentedUser = await require_logic.performFullUserAugmentation(safeUser);
+	const augmentedSession = await require_augment.augmentSession(baseSession);
+	return {
+		session: augmentedSession ? { ...augmentedSession } : null,
+		user: augmentedUser ? { ...augmentedUser } : null
+	};
+}
+/**
+* Returns the current user session from cookies.
+*/
+const getCurrentSession = async () => {
+	const token = (await (0, next_headers.cookies)()).get("session")?.value ?? null;
+	if (token === null) return {
+		session: null,
+		user: null
+	};
+	return await validateSessionToken(token);
+};
+/**
+* Invalidates a single session.
+*/
+async function invalidateSession(sessionId) {
+	await require_bootstrap.ensureSystemInitialized();
+	await require_inject.db.delete(require_schema.sessionTable).where((0, drizzle_orm.eq)(require_schema.sessionTable.id, sessionId));
+}
+/**
+* Invalidates all user sessions.
+*/
+async function invalidateUserSessions(userId) {
+	await require_bootstrap.ensureSystemInitialized();
+	await require_inject.db.delete(require_schema.sessionTable).where((0, drizzle_orm.eq)(require_schema.sessionTable.userId, userId));
+}
+/**
+* Sets the session token in a cookie.
+*/
+async function setSessionTokenCookie(token, expiresAt) {
+	(await (0, next_headers.cookies)()).set("session", token, {
+		httpOnly: true,
+		path: "/",
+		secure: process.env.NODE_ENV === "production",
+		sameSite: "lax",
+		expires: expiresAt
+	});
+}
+/**
+* Removes the session token cookie.
+*/
+async function deleteSessionTokenCookie() {
+	(await (0, next_headers.cookies)()).delete("session");
+}
+/**
+* Generates a new random session token.
+*/
+async function generateSessionToken() {
+	const tokenBytes = new Uint8Array(20);
+	crypto.getRandomValues(tokenBytes);
+	return (0, _oslojs_encoding.encodeBase32LowerCaseNoPadding)(tokenBytes).toLowerCase();
+}
+/**
+* Creates a new session in the database.
+*/
+async function createSession(token, userId, flags) {
+	await require_bootstrap.ensureSystemInitialized();
+	const sessionId = (0, _oslojs_encoding.encodeHexLowerCase)((0, _oslojs_crypto_sha2.sha256)(new TextEncoder().encode(token)));
+	const [session] = await require_inject.db.insert(require_schema.sessionTable).values({
+		id: sessionId,
+		expiresAt: new Date((0, date_fns.addDays)(/* @__PURE__ */ new Date(), 7)),
+		active_organization_id: flags.activeOrganizationId,
+		userId
+	}).returning();
+	return session;
+}
+/**
+* Signs the user out and redirects to the sign-in page.
+*/
+async function sessionSignOut() {
+	const { session } = await getCurrentSession();
+	if (session) {
+		await invalidateSession(session.id);
+		await deleteSessionTokenCookie();
+	}
+	(0, next_navigation.redirect)("/signin");
+}
+/**
+* Get all active sessions for a user.
+*/
+async function getUserSessions(userId, currentSessionId) {
+	await require_bootstrap.ensureSystemInitialized();
+	return (await require_inject.db.select().from(require_schema.sessionTable).where((0, drizzle_orm.eq)(require_schema.sessionTable.userId, userId))).map((session) => ({
+		id: session.id,
+		createdAt: session.createdAt,
+		expiresAt: session.expiresAt,
+		isCurrent: session.id === currentSessionId
+	}));
+}
+/**
+* Invalidate all sessions for a user except the specified current one.
+*/
+async function invalidateOtherSessions(userId, currentSessionId) {
+	await require_bootstrap.ensureSystemInitialized();
+	await require_inject.db.delete(require_schema.sessionTable).where((0, drizzle_orm.and)((0, drizzle_orm.eq)(require_schema.sessionTable.userId, userId), (0, drizzle_orm.ne)(require_schema.sessionTable.id, currentSessionId)));
+}
+
+//#endregion
+exports.createSession = createSession;
+exports.deleteSessionTokenCookie = deleteSessionTokenCookie;
+exports.generateSessionToken = generateSessionToken;
+exports.getCurrentSession = getCurrentSession;
+exports.getIPAddress = getIPAddress;
+exports.getUserSessions = getUserSessions;
+exports.invalidateOtherSessions = invalidateOtherSessions;
+exports.invalidateSession = invalidateSession;
+exports.invalidateUserSessions = invalidateUserSessions;
+exports.sessionSignOut = sessionSignOut;
+exports.setSessionTokenCookie = setSessionTokenCookie;
+exports.validateSessionToken = validateSessionToken;

package/dist/core/auth/session.d.cts

@@ -0,0 +1,54 @@
+import { AuthSession, Session, SessionFlags, UserSession } from "./types.cjs";
+
+//#region src/core/auth/session.d.ts
+/**
+ * Returns the user's IP address.
+ */
+declare function getIPAddress(): Promise<string | null>;
+/**
+ * Validates the session token.
+ */
+declare function validateSessionToken(token: string): Promise<AuthSession>;
+/**
+ * Returns the current user session from cookies.
+ */
+declare const getCurrentSession: () => Promise<AuthSession>;
+/**
+ * Invalidates a single session.
+ */
+declare function invalidateSession(sessionId: string): Promise<void>;
+/**
+ * Invalidates all user sessions.
+ */
+declare function invalidateUserSessions(userId: string): Promise<void>;
+/**
+ * Sets the session token in a cookie.
+ */
+declare function setSessionTokenCookie(token: string, expiresAt: Date): Promise<void>;
+/**
+ * Removes the session token cookie.
+ */
+declare function deleteSessionTokenCookie(): Promise<void>;
+/**
+ * Generates a new random session token.
+ */
+declare function generateSessionToken(): Promise<string>;
+/**
+ * Creates a new session in the database.
+ */
+declare function createSession(token: string, userId: string, flags: SessionFlags): Promise<Session>;
+/**
+ * Signs the user out and redirects to the sign-in page.
+ */
+declare function sessionSignOut(): Promise<void>;
+/**
+ * Get all active sessions for a user.
+ */
+declare function getUserSessions(userId: string, currentSessionId: string): Promise<UserSession[]>;
+/**
+ * Invalidate all sessions for a user except the specified current one.
+ */
+declare function invalidateOtherSessions(userId: string, currentSessionId: string): Promise<void>;
+//#endregion
+export { createSession, deleteSessionTokenCookie, generateSessionToken, getCurrentSession, getIPAddress, getUserSessions, invalidateOtherSessions, invalidateSession, invalidateUserSessions, sessionSignOut, setSessionTokenCookie, validateSessionToken };
+//# sourceMappingURL=session.d.cts.map

package/dist/core/auth/session.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.cts","names":[],"sources":["../../../src/core/auth/session.ts"],"mappings":";;;;;AA4BA;iBAAsB,YAAA,CAAA,GAAgB,OAAA;;;;iBAOhB,oBAAA,CACpB,KAAA,WACC,OAAA,CAAQ,WAAA;;;;cA0CE,iBAAA,QAA8B,OAAA,CAAQ,WAAA;;;;iBAc7B,iBAAA,CAAkB,SAAA,WAAoB,OAAA;AAd5D;;;AAAA,iBAsBsB,sBAAA,CAAuB,MAAA,WAAiB,OAAA;;AAR9D;;iBAgBsB,qBAAA,CACpB,KAAA,UACA,SAAA,EAAW,IAAA,GACV,OAAA;;;AAXH;iBAyBsB,wBAAA,CAAA,GAA4B,OAAA;;;;iBAQ5B,oBAAA,CAAA,GAAwB,OAAA;;;;iBASxB,aAAA,CACpB,KAAA,UACA,MAAA,UACA,KAAA,EAAO,YAAA,GACN,OAAA,CAAQ,OAAA;;;;iBAoBW,cAAA,CAAA,GAAc,OAAA;;AAzCpC;;iBAuDsB,eAAA,CACpB,MAAA,UACA,gBAAA,WACC,OAAA,CAAQ,WAAA;;;AAlDX;iBAoEsB,uBAAA,CACpB,MAAA,UACA,gBAAA,WACC,OAAA"}

package/dist/core/auth/session.d.mts

@@ -0,0 +1,54 @@
+import { AuthSession, Session, SessionFlags, UserSession } from "./types.mjs";
+
+//#region src/core/auth/session.d.ts
+/**
+ * Returns the user's IP address.
+ */
+declare function getIPAddress(): Promise<string | null>;
+/**
+ * Validates the session token.
+ */
+declare function validateSessionToken(token: string): Promise<AuthSession>;
+/**
+ * Returns the current user session from cookies.
+ */
+declare const getCurrentSession: () => Promise<AuthSession>;
+/**
+ * Invalidates a single session.
+ */
+declare function invalidateSession(sessionId: string): Promise<void>;
+/**
+ * Invalidates all user sessions.
+ */
+declare function invalidateUserSessions(userId: string): Promise<void>;
+/**
+ * Sets the session token in a cookie.
+ */
+declare function setSessionTokenCookie(token: string, expiresAt: Date): Promise<void>;
+/**
+ * Removes the session token cookie.
+ */
+declare function deleteSessionTokenCookie(): Promise<void>;
+/**
+ * Generates a new random session token.
+ */
+declare function generateSessionToken(): Promise<string>;
+/**
+ * Creates a new session in the database.
+ */
+declare function createSession(token: string, userId: string, flags: SessionFlags): Promise<Session>;
+/**
+ * Signs the user out and redirects to the sign-in page.
+ */
+declare function sessionSignOut(): Promise<void>;
+/**
+ * Get all active sessions for a user.
+ */
+declare function getUserSessions(userId: string, currentSessionId: string): Promise<UserSession[]>;
+/**
+ * Invalidate all sessions for a user except the specified current one.
+ */
+declare function invalidateOtherSessions(userId: string, currentSessionId: string): Promise<void>;
+//#endregion
+export { createSession, deleteSessionTokenCookie, generateSessionToken, getCurrentSession, getIPAddress, getUserSessions, invalidateOtherSessions, invalidateSession, invalidateUserSessions, sessionSignOut, setSessionTokenCookie, validateSessionToken };
+//# sourceMappingURL=session.d.mts.map

package/dist/core/auth/session.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.mts","names":[],"sources":["../../../src/core/auth/session.ts"],"mappings":";;;;;AA4BA;iBAAsB,YAAA,CAAA,GAAgB,OAAA;;;;iBAOhB,oBAAA,CACpB,KAAA,WACC,OAAA,CAAQ,WAAA;;;;cA0CE,iBAAA,QAA8B,OAAA,CAAQ,WAAA;;;;iBAc7B,iBAAA,CAAkB,SAAA,WAAoB,OAAA;AAd5D;;;AAAA,iBAsBsB,sBAAA,CAAuB,MAAA,WAAiB,OAAA;;AAR9D;;iBAgBsB,qBAAA,CACpB,KAAA,UACA,SAAA,EAAW,IAAA,GACV,OAAA;;;AAXH;iBAyBsB,wBAAA,CAAA,GAA4B,OAAA;;;;iBAQ5B,oBAAA,CAAA,GAAwB,OAAA;;;;iBASxB,aAAA,CACpB,KAAA,UACA,MAAA,UACA,KAAA,EAAO,YAAA,GACN,OAAA,CAAQ,OAAA;;;;iBAoBW,cAAA,CAAA,GAAc,OAAA;;AAzCpC;;iBAuDsB,eAAA,CACpB,MAAA,UACA,gBAAA,WACC,OAAA,CAAQ,WAAA;;;AAlDX;iBAoEsB,uBAAA,CACpB,MAAA,UACA,gBAAA,WACC,OAAA"}

package/dist/core/auth/session.mjs

@@ -0,0 +1,150 @@
+"use server";
+
+import { db } from "../../server/database/inject.mjs";
+import { sessionTable, userTable } from "../../server/database/schema.mjs";
+import { augmentSession } from "./augment.mjs";
+import { performFullUserAugmentation } from "./logic.mjs";
+import { ensureSystemInitialized } from "../bootstrap.mjs";
+import { and, eq, ne } from "drizzle-orm";
+import { sha256 } from "@oslojs/crypto/sha2";
+import { encodeBase32LowerCaseNoPadding, encodeHexLowerCase } from "@oslojs/encoding";
+import { addDays } from "date-fns";
+import { cookies, headers } from "next/headers";
+import { redirect } from "next/navigation";
+
+//#region src/core/auth/session.ts
+/**
+* Returns the user's IP address.
+*/
+async function getIPAddress() {
+	return (await headers()).get("x-forwarded-for");
+}
+/**
+* Validates the session token.
+*/
+async function validateSessionToken(token) {
+	await ensureSystemInitialized();
+	const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+	const [row] = await db.select({
+		session: sessionTable,
+		user: userTable
+	}).from(sessionTable).innerJoin(userTable, eq(sessionTable.userId, userTable.id)).where(eq(sessionTable.id, sessionId));
+	if (!row || !row.user) return {
+		session: null,
+		user: null
+	};
+	const { session: baseSession, user: baseUser } = row;
+	const { password, recovery_code, ...safeUser } = baseUser;
+	if (/* @__PURE__ */ new Date() > baseSession.expiresAt) {
+		await db.delete(sessionTable).where(eq(sessionTable.id, baseSession.id));
+		return {
+			session: null,
+			user: null
+		};
+	}
+	const augmentedUser = await performFullUserAugmentation(safeUser);
+	const augmentedSession = await augmentSession(baseSession);
+	return {
+		session: augmentedSession ? { ...augmentedSession } : null,
+		user: augmentedUser ? { ...augmentedUser } : null
+	};
+}
+/**
+* Returns the current user session from cookies.
+*/
+const getCurrentSession = async () => {
+	const token = (await cookies()).get("session")?.value ?? null;
+	if (token === null) return {
+		session: null,
+		user: null
+	};
+	return await validateSessionToken(token);
+};
+/**
+* Invalidates a single session.
+*/
+async function invalidateSession(sessionId) {
+	await ensureSystemInitialized();
+	await db.delete(sessionTable).where(eq(sessionTable.id, sessionId));
+}
+/**
+* Invalidates all user sessions.
+*/
+async function invalidateUserSessions(userId) {
+	await ensureSystemInitialized();
+	await db.delete(sessionTable).where(eq(sessionTable.userId, userId));
+}
+/**
+* Sets the session token in a cookie.
+*/
+async function setSessionTokenCookie(token, expiresAt) {
+	(await cookies()).set("session", token, {
+		httpOnly: true,
+		path: "/",
+		secure: process.env.NODE_ENV === "production",
+		sameSite: "lax",
+		expires: expiresAt
+	});
+}
+/**
+* Removes the session token cookie.
+*/
+async function deleteSessionTokenCookie() {
+	(await cookies()).delete("session");
+}
+/**
+* Generates a new random session token.
+*/
+async function generateSessionToken() {
+	const tokenBytes = new Uint8Array(20);
+	crypto.getRandomValues(tokenBytes);
+	return encodeBase32LowerCaseNoPadding(tokenBytes).toLowerCase();
+}
+/**
+* Creates a new session in the database.
+*/
+async function createSession(token, userId, flags) {
+	await ensureSystemInitialized();
+	const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+	const [session] = await db.insert(sessionTable).values({
+		id: sessionId,
+		expiresAt: new Date(addDays(/* @__PURE__ */ new Date(), 7)),
+		active_organization_id: flags.activeOrganizationId,
+		userId
+	}).returning();
+	return session;
+}
+/**
+* Signs the user out and redirects to the sign-in page.
+*/
+async function sessionSignOut() {
+	const { session } = await getCurrentSession();
+	if (session) {
+		await invalidateSession(session.id);
+		await deleteSessionTokenCookie();
+	}
+	redirect("/signin");
+}
+/**
+* Get all active sessions for a user.
+*/
+async function getUserSessions(userId, currentSessionId) {
+	await ensureSystemInitialized();
+	return (await db.select().from(sessionTable).where(eq(sessionTable.userId, userId))).map((session) => ({
+		id: session.id,
+		createdAt: session.createdAt,
+		expiresAt: session.expiresAt,
+		isCurrent: session.id === currentSessionId
+	}));
+}
+/**
+* Invalidate all sessions for a user except the specified current one.
+*/
+async function invalidateOtherSessions(userId, currentSessionId) {
+	await ensureSystemInitialized();
+	await db.delete(sessionTable).where(and(eq(sessionTable.userId, userId), ne(sessionTable.id, currentSessionId)));
+}
+
+//#endregion
+export { createSession, deleteSessionTokenCookie, generateSessionToken, getCurrentSession, getIPAddress, getUserSessions, invalidateOtherSessions, invalidateSession, invalidateUserSessions, sessionSignOut, setSessionTokenCookie, validateSessionToken };
+//# sourceMappingURL=session.mjs.map

package/dist/core/auth/session.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.mjs","names":[],"sources":["../../../src/core/auth/session.ts"],"sourcesContent":["\"use server\";\n\nimport { sha256 } from \"@oslojs/crypto/sha2\";\nimport {\n  encodeBase32LowerCaseNoPadding,\n  encodeHexLowerCase,\n} from \"@oslojs/encoding\";\nimport { addDays } from \"date-fns\";\nimport { and, eq, ne } from \"drizzle-orm\";\nimport { cookies, headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport { db } from \"../../server/database/inject\";\nimport { sessionTable, userTable } from \"../../server/database/schema\";\nimport { ensureSystemInitialized } from \"../bootstrap\";\nimport { augmentSession } from \"./augment\";\nimport { performFullUserAugmentation } from \"./logic\";\n\nimport type {\n  AuthSession,\n  Session,\n  SessionFlags,\n  User,\n  UserSession,\n} from \"./types\";\n\n/**\n * Returns the user's IP address.\n */\nexport async function getIPAddress(): Promise<string | null> {\n  return (await headers()).get(\"x-forwarded-for\");\n}\n\n/**\n * Validates the session token.\n */\nexport async function validateSessionToken(\n  token: string,\n): Promise<AuthSession> {\n  await ensureSystemInitialized();\n  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));\n\n  const [row] = await db\n    .select({\n      session: sessionTable,\n      user: userTable,\n    })\n    .from(sessionTable)\n    .innerJoin(userTable, eq(sessionTable.userId, userTable.id))\n    .where(eq(sessionTable.id, sessionId));\n\n  if (!row || !row.user) {\n    return { session: null, user: null };\n  }\n\n  const { session: baseSession, user: baseUser } = row;\n\n  // STRICTLY remove non-serializable and sensitive fields\n  const { password, recovery_code, ...safeUser } = baseUser;\n\n  // Check if session is expired\n  if (new Date() > baseSession.expiresAt) {\n    await db.delete(sessionTable).where(eq(sessionTable.id, baseSession.id));\n    return { session: null, user: null };\n  }\n\n  // AUGMENT (EXTENSIBILITY POINTS)\n  const augmentedUser = await performFullUserAugmentation(safeUser as User);\n  const augmentedSession = await augmentSession(baseSession as Session);\n\n  // ENSURE PLAIN OBJECTS for Client Components\n  return {\n    session: augmentedSession ? { ...augmentedSession } : null,\n    user: augmentedUser ? { ...augmentedUser } : null,\n  };\n}\n\n/**\n * Returns the current user session from cookies.\n */\nexport const getCurrentSession = async (): Promise<AuthSession> => {\n  const cookieStore = await cookies();\n  const token = cookieStore.get(\"session\")?.value ?? null;\n\n  if (token === null) {\n    return { session: null, user: null };\n  }\n\n  return await validateSessionToken(token);\n};\n\n/**\n * Invalidates a single session.\n */\nexport async function invalidateSession(sessionId: string): Promise<void> {\n  await ensureSystemInitialized();\n  await db.delete(sessionTable).where(eq(sessionTable.id, sessionId));\n}\n\n/**\n * Invalidates all user sessions.\n */\nexport async function invalidateUserSessions(userId: string): Promise<void> {\n  await ensureSystemInitialized();\n  await db.delete(sessionTable).where(eq(sessionTable.userId, userId));\n}\n\n/**\n * Sets the session token in a cookie.\n */\nexport async function setSessionTokenCookie(\n  token: string,\n  expiresAt: Date,\n): Promise<void> {\n  const cookieStore = await cookies();\n  cookieStore.set(\"session\", token, {\n    httpOnly: true,\n    path: \"/\",\n    secure: process.env.NODE_ENV === \"production\",\n    sameSite: \"lax\",\n    expires: expiresAt,\n  });\n}\n\n/**\n * Removes the session token cookie.\n */\nexport async function deleteSessionTokenCookie(): Promise<void> {\n  const cookieStore = await cookies();\n  cookieStore.delete(\"session\");\n}\n\n/**\n * Generates a new random session token.\n */\nexport async function generateSessionToken(): Promise<string> {\n  const tokenBytes = new Uint8Array(20);\n  crypto.getRandomValues(tokenBytes);\n  return encodeBase32LowerCaseNoPadding(tokenBytes).toLowerCase();\n}\n\n/**\n * Creates a new session in the database.\n */\nexport async function createSession(\n  token: string,\n  userId: string,\n  flags: SessionFlags,\n): Promise<Session> {\n  await ensureSystemInitialized();\n  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));\n\n  const [session] = await db\n    .insert(sessionTable)\n    .values({\n      id: sessionId,\n      expiresAt: new Date(addDays(new Date(), 7)),\n      active_organization_id: flags.activeOrganizationId,\n      userId: userId,\n    })\n    .returning();\n\n  return session;\n}\n\n/**\n * Signs the user out and redirects to the sign-in page.\n */\nexport async function sessionSignOut() {\n  const { session } = await getCurrentSession();\n\n  if (session) {\n    await invalidateSession(session.id);\n    await deleteSessionTokenCookie();\n  }\n\n  redirect(\"/signin\");\n}\n\n/**\n * Get all active sessions for a user.\n */\nexport async function getUserSessions(\n  userId: string,\n  currentSessionId: string,\n): Promise<UserSession[]> {\n  await ensureSystemInitialized();\n  const sessions = await db\n    .select()\n    .from(sessionTable)\n    .where(eq(sessionTable.userId, userId));\n\n  return sessions.map((session) => ({\n    id: session.id,\n    createdAt: session.createdAt,\n    expiresAt: session.expiresAt,\n    isCurrent: session.id === currentSessionId,\n  }));\n}\n\n/**\n * Invalidate all sessions for a user except the specified current one.\n */\nexport async function invalidateOtherSessions(\n  userId: string,\n  currentSessionId: string,\n): Promise<void> {\n  await ensureSystemInitialized();\n  await db\n    .delete(sessionTable)\n    .where(\n      and(\n        eq(sessionTable.userId, userId),\n        ne(sessionTable.id, currentSessionId),\n      ),\n    );\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AA4BA,eAAsB,eAAuC;AAC3D,SAAQ,MAAM,SAAS,EAAE,IAAI,kBAAkB;;;;;AAMjD,eAAsB,qBACpB,OACsB;AACtB,OAAM,yBAAyB;CAC/B,MAAM,YAAY,mBAAmB,OAAO,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAAC;CAE7E,MAAM,CAAC,OAAO,MAAM,GACjB,OAAO;EACN,SAAS;EACT,MAAM;EACP,CAAC,CACD,KAAK,aAAa,CAClB,UAAU,WAAW,GAAG,aAAa,QAAQ,UAAU,GAAG,CAAC,CAC3D,MAAM,GAAG,aAAa,IAAI,UAAU,CAAC;AAExC,KAAI,CAAC,OAAO,CAAC,IAAI,KACf,QAAO;EAAE,SAAS;EAAM,MAAM;EAAM;CAGtC,MAAM,EAAE,SAAS,aAAa,MAAM,aAAa;CAGjD,MAAM,EAAE,UAAU,eAAe,GAAG,aAAa;AAGjD,qBAAI,IAAI,MAAM,GAAG,YAAY,WAAW;AACtC,QAAM,GAAG,OAAO,aAAa,CAAC,MAAM,GAAG,aAAa,IAAI,YAAY,GAAG,CAAC;AACxE,SAAO;GAAE,SAAS;GAAM,MAAM;GAAM;;CAItC,MAAM,gBAAgB,MAAM,4BAA4B,SAAiB;CACzE,MAAM,mBAAmB,MAAM,eAAe,YAAuB;AAGrE,QAAO;EACL,SAAS,mBAAmB,EAAE,GAAG,kBAAkB,GAAG;EACtD,MAAM,gBAAgB,EAAE,GAAG,eAAe,GAAG;EAC9C;;;;;AAMH,MAAa,oBAAoB,YAAkC;CAEjE,MAAM,SADc,MAAM,SAAS,EACT,IAAI,UAAU,EAAE,SAAS;AAEnD,KAAI,UAAU,KACZ,QAAO;EAAE,SAAS;EAAM,MAAM;EAAM;AAGtC,QAAO,MAAM,qBAAqB,MAAM;;;;;AAM1C,eAAsB,kBAAkB,WAAkC;AACxE,OAAM,yBAAyB;AAC/B,OAAM,GAAG,OAAO,aAAa,CAAC,MAAM,GAAG,aAAa,IAAI,UAAU,CAAC;;;;;AAMrE,eAAsB,uBAAuB,QAA+B;AAC1E,OAAM,yBAAyB;AAC/B,OAAM,GAAG,OAAO,aAAa,CAAC,MAAM,GAAG,aAAa,QAAQ,OAAO,CAAC;;;;;AAMtE,eAAsB,sBACpB,OACA,WACe;AAEf,EADoB,MAAM,SAAS,EACvB,IAAI,WAAW,OAAO;EAChC,UAAU;EACV,MAAM;EACN,QAAQ,QAAQ,IAAI,aAAa;EACjC,UAAU;EACV,SAAS;EACV,CAAC;;;;;AAMJ,eAAsB,2BAA0C;AAE9D,EADoB,MAAM,SAAS,EACvB,OAAO,UAAU;;;;;AAM/B,eAAsB,uBAAwC;CAC5D,MAAM,aAAa,IAAI,WAAW,GAAG;AACrC,QAAO,gBAAgB,WAAW;AAClC,QAAO,+BAA+B,WAAW,CAAC,aAAa;;;;;AAMjE,eAAsB,cACpB,OACA,QACA,OACkB;AAClB,OAAM,yBAAyB;CAC/B,MAAM,YAAY,mBAAmB,OAAO,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAAC;CAE7E,MAAM,CAAC,WAAW,MAAM,GACrB,OAAO,aAAa,CACpB,OAAO;EACN,IAAI;EACJ,WAAW,IAAI,KAAK,wBAAQ,IAAI,MAAM,EAAE,EAAE,CAAC;EAC3C,wBAAwB,MAAM;EACtB;EACT,CAAC,CACD,WAAW;AAEd,QAAO;;;;;AAMT,eAAsB,iBAAiB;CACrC,MAAM,EAAE,YAAY,MAAM,mBAAmB;AAE7C,KAAI,SAAS;AACX,QAAM,kBAAkB,QAAQ,GAAG;AACnC,QAAM,0BAA0B;;AAGlC,UAAS,UAAU;;;;;AAMrB,eAAsB,gBACpB,QACA,kBACwB;AACxB,OAAM,yBAAyB;AAM/B,SALiB,MAAM,GACpB,QAAQ,CACR,KAAK,aAAa,CAClB,MAAM,GAAG,aAAa,QAAQ,OAAO,CAAC,EAEzB,KAAK,aAAa;EAChC,IAAI,QAAQ;EACZ,WAAW,QAAQ;EACnB,WAAW,QAAQ;EACnB,WAAW,QAAQ,OAAO;EAC3B,EAAE;;;;;AAML,eAAsB,wBACpB,QACA,kBACe;AACf,OAAM,yBAAyB;AAC/B,OAAM,GACH,OAAO,aAAa,CACpB,MACC,IACE,GAAG,aAAa,QAAQ,OAAO,EAC/B,GAAG,aAAa,IAAI,iBAAiB,CACtC,CACF"}

package/dist/core/auth/types.d.cts

@@ -0,0 +1,55 @@
+import { passwordResetSessionTable, sessionTable, userTable } from "../../server/database/schema.cjs";
+import { UserPermission, UserRole } from "../types.cjs";
+
+//#region src/core/auth/types.d.ts
+type User = typeof userTable.$inferSelect;
+type Session = typeof sessionTable.$inferSelect & Record<string, any>;
+type PasswordResetSession = typeof passwordResetSessionTable.$inferSelect & Record<string, any>;
+/**
+ * Represents a user with all potential extensions.
+ * Use this type in UI components that require data added by modules.
+ */
+type FullUser = User & Record<string, any> & {
+  roles: UserRole[];
+  permissions: UserPermission[];
+};
+/**
+ * Basic session context.
+ */
+interface AuthSession {
+  session: Session | null;
+  user: FullUser | null;
+}
+interface SessionFlags {
+  [key: string]: any;
+}
+type UserSession = {
+  id: string;
+  createdAt: Date;
+  expiresAt: Date;
+  isCurrent: boolean;
+  [key: string]: any;
+};
+type AuthResponse = {
+  status: "SUCCESS";
+  session: Session;
+  user: FullUser;
+  redirect?: string;
+} | {
+  status: "CHALLENGE_REQUIRED";
+  type: string;
+  userId: string;
+  tempToken?: string;
+  redirect?: string;
+} | {
+  status: "ERROR";
+  message: string;
+  redirect?: string;
+};
+interface PasswordResetAuthSession {
+  session: PasswordResetSession | null;
+  user: FullUser | null;
+}
+//#endregion
+export { AuthResponse, AuthSession, FullUser, PasswordResetAuthSession, PasswordResetSession, Session, SessionFlags, User, UserSession };
+//# sourceMappingURL=types.d.cts.map

package/dist/core/auth/types.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.cts","names":[],"sources":["../../../src/core/auth/types.ts"],"mappings":";;;;KASY,IAAA,UAAc,SAAA,CAAU,YAAA;AAAA,KACxB,OAAA,UAAiB,YAAA,CAAa,YAAA,GAAe,MAAA;AAAA,KAC7C,oBAAA,UACH,yBAAA,CAA0B,YAAA,GAAe,MAAA;;;;AAFlD;KAQY,QAAA,GAAW,IAAA,GACrB,MAAA;EACE,KAAA,EAAO,QAAA;EACP,WAAA,EAAa,cAAA;AAAA;;;;UAMA,WAAA;EACf,OAAA,EAAS,OAAA;EACT,IAAA,EAAM,QAAA;AAAA;AAAA,UAGS,YAAA;EAAA,CACd,GAAA;AAAA;AAAA,KAGS,WAAA;EACV,EAAA;EACA,SAAA,EAAW,IAAA;EACX,SAAA,EAAW,IAAA;EACX,SAAA;EAAA,CACC,GAAA;AAAA;AAAA,KAGS,YAAA;EACN,MAAA;EAAmB,OAAA,EAAS,OAAA;EAAS,IAAA,EAAM,QAAA;EAAU,QAAA;AAAA;EAErD,MAAA;EACA,IAAA;EACA,MAAA;EACA,SAAA;EACA,QAAA;AAAA;EAEA,MAAA;EAAiB,OAAA;EAAiB,QAAA;AAAA;AAAA,UAEvB,wBAAA;EACf,OAAA,EAAS,oBAAA;EACT,IAAA,EAAM,QAAA;AAAA"}