@archlast/server 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Archlast Team
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,32 @@
+# @archlast/server
+
+Archlast server library exports (schema, functions, types) plus Docker
+runtime metadata and templates.
+
+## Install
+
+```bash
+npm install @archlast/server --save-dev
+```
+
+## Library usage
+
+```ts
+import { defineSchema, defineTable, v } from "@archlast/server/schema/definition";
+
+export default defineSchema({
+  tasks: defineTable({
+    id: v.id(),
+    text: v.string(),
+  }),
+});
+```
+
+## Docker templates
+
+Docker compose templates and configuration examples are available under
+`templates/` in this package.
+
+## Publishing (maintainers)
+
+See `docs/npm-publishing.md` for release and publish steps.

package/dist/admin/auth.d.ts

@@ -0,0 +1,79 @@
+import type { IDatabaseClient } from "../db/interfaces.js";
+import { type AdminUser, type AdminSession } from "./schema.js";
+/**
+ * Admin Authentication Service
+ *
+ * Handles admin login, session management, and authentication middleware.
+ * Uses IDatabaseClient for Document Store compatibility.
+ */
+export declare const ADMIN_SESSION_COOKIE_NAME = "archlast_admin_session";
+export declare const ADMIN_SESSION_TTL_MS: number;
+export interface LoginResult {
+    success: true;
+    token: string;
+    user: Omit<AdminUser, "password_hash">;
+}
+export interface SetupResult {
+    success: true;
+    token: string;
+    user: Omit<AdminUser, "password_hash">;
+}
+export interface AuthError {
+    success: false;
+    error: string;
+}
+/**
+ * Check if setup is required (no admin users exist)
+ */
+export declare function isSetupRequired(db: IDatabaseClient): Promise<boolean>;
+/**
+ * Setup: Create the first admin user
+ */
+export declare function setupFirstAdmin(db: IDatabaseClient, username: string, password: string, userAgent: string | null, ipAddress: string | null): Promise<SetupResult | AuthError>;
+/**
+ * Login: Authenticate admin user
+ */
+export declare function loginAdmin(db: IDatabaseClient, username: string, password: string, userAgent: string | null, ipAddress: string | null): Promise<LoginResult | AuthError>;
+/**
+ * Logout: Invalidate session
+ */
+export declare function logoutAdmin(db: IDatabaseClient, token: string): Promise<void>;
+/**
+ * Verify session and get admin user
+ */
+export declare function verifyAdminSession(db: IDatabaseClient, token: string): Promise<{
+    user: Omit<AdminUser, "password_hash">;
+    session: AdminSession;
+} | null>;
+/**
+ * Extract all potential session tokens from request (legacy, without deobfuscation)
+ */
+export declare function extractAdminSessionTokens(req: Request): string[];
+/**
+ * Middleware: Require admin authentication
+ * Supports multiple token types in order of precedence:
+ * 1. sat_ admin tokens (long-lived, dashboard-generated) - now with dynamic obfuscation
+ * 2. ast_ session tokens (login sessions) - not obfuscated (for browser)
+ * 3. ak_ API keys (legacy, user-created) - not obfuscated
+ */
+export declare function requireAdminAuth(db: IDatabaseClient, req: Request, requestPath?: string): Promise<{
+    user: Omit<AdminUser, "password_hash">;
+    session: AdminSession;
+} | null>;
+/**
+ * Serialize session cookie (Set-Cookie header value)
+ */
+export declare function serializeAdminSessionCookie(token: string): string;
+/**
+ * Serialize delete session cookie (Set-Cookie header value)
+ */
+export declare function serializeDeleteAdminSessionCookie(): string;
+/**
+ * Get user agent from request
+ */
+export declare function getUserAgent(req: Request): string | null;
+/**
+ * Get IP address from request
+ */
+export declare function getIpAddress(req: Request): string | null;
+//# sourceMappingURL=auth.d.ts.map

package/dist/admin/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/admin/auth.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAgBH,KAAK,SAAS,EACd,KAAK,YAAY,EACpB,MAAM,aAAa,CAAC;AAErB;;;;;GAKG;AAEH,eAAO,MAAM,yBAAyB,2BAA2B,CAAC;AAClE,eAAO,MAAM,oBAAoB,QAA0B,CAAC;AAE5D,MAAM,WAAW,WAAW;IACxB,OAAO,EAAE,IAAI,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;CAC1C;AAED,MAAM,WAAW,WAAW;IACxB,OAAO,EAAE,IAAI,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;CAC1C;AAED,MAAM,WAAW,SAAS;IACtB,OAAO,EAAE,KAAK,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,EAAE,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CAE3E;AAED;;GAEG;AACH,wBAAsB,eAAe,CACjC,EAAE,EAAE,eAAe,EACnB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,SAAS,EAAE,MAAM,GAAG,IAAI,GACzB,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CA2DlC;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC5B,EAAE,EAAE,eAAe,EACnB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,SAAS,EAAE,MAAM,GAAG,IAAI,GACzB,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAoDlC;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,EAAE,EAAE,eAAe,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEnF;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACpC,EAAE,EAAE,eAAe,EACnB,KAAK,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAAC,OAAO,EAAE,YAAY,CAAA;CAAE,GAAG,IAAI,CAAC,CAiDnF;AA+GD;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,EAAE,CA0BhE;AAED;;;;;;GAMG;AACH,wBAAsB,gBAAgB,CAClC,EAAE,EAAE,eAAe,EACnB,GAAG,EAAE,OAAO,EACZ,WAAW,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC;IAAE,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAAC,OAAO,EAAE,YAAY,CAAA;CAAE,GAAG,IAAI,CAAC,CA0InF;AAED;;GAEG;AACH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOjE;AAED;;GAEG;AACH,wBAAgB,iCAAiC,IAAI,MAAM,CAE1D;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAExD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAcxD"}

package/dist/admin/auth.js

@@ -0,0 +1,487 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ADMIN_SESSION_TTL_MS = exports.ADMIN_SESSION_COOKIE_NAME = void 0;
+exports.isSetupRequired = isSetupRequired;
+exports.setupFirstAdmin = setupFirstAdmin;
+exports.loginAdmin = loginAdmin;
+exports.logoutAdmin = logoutAdmin;
+exports.verifyAdminSession = verifyAdminSession;
+exports.extractAdminSessionTokens = extractAdminSessionTokens;
+exports.requireAdminAuth = requireAdminAuth;
+exports.serializeAdminSessionCookie = serializeAdminSessionCookie;
+exports.serializeDeleteAdminSessionCookie = serializeDeleteAdminSessionCookie;
+exports.getUserAgent = getUserAgent;
+exports.getIpAddress = getIpAddress;
+const crypto_js_1 = require("../auth/system/crypto.js");
+const logger_js_1 = require("../logging/logger.js");
+const crypto_1 = require("crypto");
+const cuid2_1 = require("@paralleldrive/cuid2");
+const schema_js_1 = require("./schema.js");
+/**
+ * Admin Authentication Service
+ *
+ * Handles admin login, session management, and authentication middleware.
+ * Uses IDatabaseClient for Document Store compatibility.
+ */
+exports.ADMIN_SESSION_COOKIE_NAME = "archlast_admin_session";
+exports.ADMIN_SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+/**
+ * Check if setup is required (no admin users exist)
+ */
+async function isSetupRequired(db) {
+    return !(await (0, schema_js_1.hasAnyAdminUsers)(db));
+}
+/**
+ * Setup: Create the first admin user
+ */
+async function setupFirstAdmin(db, username, password, userAgent, ipAddress) {
+    try {
+        // Verify no admins exist
+        if (!(await isSetupRequired(db))) {
+            return { success: false, error: "Setup already completed" };
+        }
+        // Validate username
+        const normalizedUsername = (0, schema_js_1.normalizeUsername)(username);
+        if (!(0, schema_js_1.isValidUsername)(normalizedUsername)) {
+            return { success: false, error: "Invalid username. Must be 3-32 characters, alphanumeric and underscore only." };
+        }
+        // Validate password
+        if (!password || password.length < 8) {
+            return { success: false, error: "Password must be at least 8 characters" };
+        }
+        // Hash password
+        const passwordHash = await (0, crypto_js_1.hashPassword)(password);
+        // Create first admin user (always super admin)
+        const user = await (0, schema_js_1.createFirstAdminUser)(db, normalizedUsername, passwordHash);
+        // Create session
+        const token = `ast_${(0, cuid2_1.createId)()}`; // Admin Session Token
+        const session = await (0, schema_js_1.createAdminSession)(db, user._id, token, exports.ADMIN_SESSION_TTL_MS, userAgent, ipAddress);
+        return {
+            success: true,
+            token: session.token,
+            user: {
+                _id: user._id,
+                _collection: user._collection,
+                username: user.username,
+                name: user.name,
+                avatar_url: user.avatar_url,
+                is_super_admin: user.is_super_admin,
+                created_at: user.created_at,
+                updated_at: user.updated_at,
+            },
+        };
+    }
+    catch (err) {
+        logger_js_1.logger.log({
+            timestamp: Date.now(),
+            level: "error",
+            kind: "system",
+            message: "Setup error:",
+            context: { err },
+        });
+        return { success: false, error: "Setup failed" };
+    }
+}
+/**
+ * Login: Authenticate admin user
+ */
+async function loginAdmin(db, username, password, userAgent, ipAddress) {
+    try {
+        // Find user by username
+        const normalizedUsername = (0, schema_js_1.normalizeUsername)(username);
+        const user = await (0, schema_js_1.findAdminUserByUsername)(db, normalizedUsername);
+        if (!user) {
+            return { success: false, error: "Invalid username or password" };
+        }
+        // Verify password
+        const isValid = await (0, crypto_js_1.verifyPassword)(password, user.password_hash);
+        if (!isValid) {
+            return { success: false, error: "Invalid username or password" };
+        }
+        // Create session
+        const token = `ast_${(0, cuid2_1.createId)()}`;
+        const session = await (0, schema_js_1.createAdminSession)(db, user._id, token, exports.ADMIN_SESSION_TTL_MS, userAgent, ipAddress);
+        return {
+            success: true,
+            token: session.token,
+            user: {
+                _id: user._id,
+                _collection: user._collection,
+                username: user.username,
+                name: user.name,
+                avatar_url: user.avatar_url,
+                is_super_admin: user.is_super_admin,
+                created_at: user.created_at,
+                updated_at: user.updated_at,
+            },
+        };
+    }
+    catch (err) {
+        logger_js_1.logger.log({
+            timestamp: Date.now(),
+            level: "error",
+            kind: "system",
+            message: "[Admin Auth] Login error:",
+            context: { err },
+        });
+        return { success: false, error: "Login failed" };
+    }
+}
+/**
+ * Logout: Invalidate session
+ */
+async function logoutAdmin(db, token) {
+    await (0, schema_js_1.deleteAdminSession)(db, token);
+}
+/**
+ * Verify session and get admin user
+ */
+async function verifyAdminSession(db, token) {
+    try {
+        const session = await (0, schema_js_1.findAdminSessionByToken)(db, token);
+        if (!session) {
+            return null;
+        }
+        const user = await (0, schema_js_1.findAdminUserById)(db, session.admin_user_id);
+        if (!user) {
+            logger_js_1.logger.log({
+                timestamp: Date.now(),
+                level: "warn",
+                kind: "system",
+                message: `[Admin Auth] User not found for session`,
+            });
+            return null;
+        }
+        // Update last accessed time
+        await (0, schema_js_1.updateSessionLastAccessed)(db, session._id);
+        return {
+            user: {
+                _id: user._id,
+                _collection: user._collection,
+                username: user.username,
+                name: user.name,
+                avatar_url: user.avatar_url,
+                is_super_admin: user.is_super_admin,
+                created_at: user.created_at,
+                updated_at: user.updated_at,
+            },
+            session,
+        };
+    }
+    catch (err) {
+        logger_js_1.logger.log({
+            timestamp: Date.now(),
+            level: "error",
+            kind: "system",
+            message: "[Admin Auth] Session verification error",
+            context: {
+                error: err instanceof Error ? err.message : String(err),
+                stack: err instanceof Error ? err.stack : undefined,
+            },
+        });
+        return null;
+    }
+}
+// ============================================================================
+// TOKEN OBFUSCATION
+// ============================================================================
+const TOKEN_OBFUSCATION_SECRET = process.env.ARCHLAST_TOKEN_OBFUSCATION_SECRET || "archlast-default-secret-change-in-production";
+const TIMESTAMP_WINDOW_MS = 5 * 60 * 1000; // 5 minutes
+/**
+ * Deobfuscate a dynamic token and return the raw token
+ * Format: v1:<timestamp>:<nonce>:<signature>:<token>
+ * Returns null if invalid (expired, bad signature, etc.)
+ */
+function deobfuscateToken(obfuscated, requestPath) {
+    try {
+        // Parse format: v1:timestamp:nonce:signature:token
+        const parts = obfuscated.split(":");
+        if (parts.length !== 5 || parts[0] !== "v1") {
+            // Not an obfuscated token, return as-is
+            return obfuscated;
+        }
+        const [, timestampStr, nonce, signature, token] = parts;
+        const timestamp = parseInt(timestampStr, 10);
+        // Check timestamp is within window
+        const now = Date.now();
+        if (Math.abs(now - timestamp) > TIMESTAMP_WINDOW_MS) {
+            logger_js_1.logger.log({
+                timestamp: Date.now(),
+                level: "warn",
+                kind: "system",
+                message: `[Token Obfuscation] Timestamp outside window: ${Math.abs(now - timestamp)}ms ago`,
+            });
+            return null;
+        }
+        // Verify signature
+        const message = `${token}:${timestamp}:${nonce}:${requestPath}`;
+        const expectedSignature = (0, crypto_1.createHmac)("sha256", TOKEN_OBFUSCATION_SECRET)
+            .update(message)
+            .digest("base64url");
+        // Use timing-safe comparison to prevent timing attacks
+        if (!(0, crypto_1.timingSafeEqual)(Buffer.from(signature), Buffer.from(expectedSignature))) {
+            logger_js_1.logger.log({
+                timestamp: Date.now(),
+                level: "warn",
+                kind: "system",
+                message: `[Token Obfuscation] Signature verification failed`,
+            });
+            return null;
+        }
+        logger_js_1.logger.log({
+            timestamp: Date.now(),
+            level: "debug",
+            kind: "system",
+            message: `[Token Obfuscation] ✓ Token deobfuscated successfully`,
+        });
+        return token;
+    }
+    catch (error) {
+        logger_js_1.logger.log({
+            timestamp: Date.now(),
+            level: "error",
+            kind: "system",
+            message: `[Token Obfuscation] Deobfuscation error`,
+            context: { error: error instanceof Error ? error.message : String(error) },
+        });
+        return null;
+    }
+}
+/**
+ * Extract and deobfuscate all potential session tokens from request
+ */
+function extractAndDeobfuscateTokens(req, requestPath) {
+    const tokens = [];
+    // 1. X-Admin-Token header
+    const xAdminToken = req.headers.get("x-admin-token");
+    if (xAdminToken) {
+        const deobfuscated = deobfuscateToken(xAdminToken, requestPath);
+        if (deobfuscated)
+            tokens.push(deobfuscated);
+    }
+    // 2. Authorization header
+    const authHeader = req.headers.get("authorization");
+    if (authHeader?.startsWith("Bearer ")) {
+        const token = authHeader.slice(7);
+        const deobfuscated = deobfuscateToken(token, requestPath);
+        if (deobfuscated)
+            tokens.push(deobfuscated);
+    }
+    // 3. Cookie (session tokens are not obfuscated)
+    const cookieHeader = req.headers.get("cookie");
+    if (cookieHeader) {
+        const cookies = cookieHeader.split(";").map((c) => c.trim());
+        for (const cookie of cookies) {
+            const [name, value] = cookie.split("=");
+            if (name === exports.ADMIN_SESSION_COOKIE_NAME) {
+                tokens.push(value); // Session tokens (ast_) are not obfuscated
+            }
+        }
+    }
+    return tokens;
+}
+/**
+ * Extract all potential session tokens from request (legacy, without deobfuscation)
+ */
+function extractAdminSessionTokens(req) {
+    const tokens = [];
+    // 1. X-Admin-Token header (highest priority, manual bypass)
+    const xAdminToken = req.headers.get("x-admin-token");
+    if (xAdminToken)
+        tokens.push(xAdminToken);
+    // 2. Authorization header
+    const authHeader = req.headers.get("authorization");
+    if (authHeader?.startsWith("Bearer ")) {
+        tokens.push(authHeader.slice(7));
+    }
+    // 3. Cookie
+    const cookieHeader = req.headers.get("cookie");
+    if (cookieHeader) {
+        const cookies = cookieHeader.split(";").map((c) => c.trim());
+        for (const cookie of cookies) {
+            const [name, value] = cookie.split("=");
+            if (name === exports.ADMIN_SESSION_COOKIE_NAME) {
+                tokens.push(value);
+            }
+        }
+    }
+    return tokens;
+}
+/**
+ * Middleware: Require admin authentication
+ * Supports multiple token types in order of precedence:
+ * 1. sat_ admin tokens (long-lived, dashboard-generated) - now with dynamic obfuscation
+ * 2. ast_ session tokens (login sessions) - not obfuscated (for browser)
+ * 3. ak_ API keys (legacy, user-created) - not obfuscated
+ */
+async function requireAdminAuth(db, req, requestPath) {
+    // Get request path for signature verification
+    const path = requestPath || new URL(req.url).pathname;
+    // Extract and deobfuscate tokens
+    const tokens = extractAndDeobfuscateTokens(req, path);
+    if (tokens.length === 0) {
+        logger_js_1.logger.log({
+            timestamp: Date.now(),
+            level: "warn",
+            kind: "system",
+            message: "[Admin Auth] No auth tokens found in request",
+            context: { headers: Object.fromEntries(req.headers.entries()) },
+        });
+        return null;
+    }
+    logger_js_1.logger.log({
+        timestamp: Date.now(),
+        level: "debug",
+        kind: "system",
+        message: `[Admin Auth] Found ${tokens.length} token(s)`,
+        context: { tokenTypes: tokens.map(t => `${t.slice(0, 4)}...${t.slice(-4)}`) },
+    });
+    for (const token of tokens) {
+        // 1. Check for sat_ admin tokens (Server Admin Tokens - dashboard-generated)
+        if (token.startsWith("sat_")) {
+            logger_js_1.logger.log({
+                timestamp: Date.now(),
+                level: "debug",
+                kind: "system",
+                message: `[Admin Auth] Checking sat_ token`,
+                context: { tokenPrefix: token.slice(0, 12) + "..." },
+            });
+            const adminTokenRecord = await (0, schema_js_1.findAdminTokenByToken)(db, token);
+            if (!adminTokenRecord) {
+                logger_js_1.logger.log({
+                    timestamp: Date.now(),
+                    level: "warn",
+                    kind: "system",
+                    message: `[Admin Auth] sat_ token not found in database`,
+                    context: { tokenPrefix: token.slice(0, 12) + "..." },
+                });
+            }
+            if (adminTokenRecord) {
+                const user = await (0, schema_js_1.findAdminUserById)(db, adminTokenRecord.created_by_admin_id);
+                if (user) {
+                    await (0, schema_js_1.updateAdminTokenLastUsed)(db, adminTokenRecord._id);
+                    const now = Date.now();
+                    logger_js_1.logger.log({
+                        timestamp: Date.now(),
+                        level: "info",
+                        kind: "system",
+                        message: `[Admin Auth] ✓ sat_ token authenticated`,
+                        context: { user: user.username, tokenName: adminTokenRecord.name },
+                    });
+                    return {
+                        user: {
+                            _id: user._id,
+                            _collection: user._collection,
+                            username: user.username,
+                            name: user.name,
+                            avatar_url: user.avatar_url,
+                            is_super_admin: user.is_super_admin,
+                            created_at: user.created_at,
+                            updated_at: user.updated_at,
+                        },
+                        session: {
+                            _id: adminTokenRecord._id,
+                            _collection: "admin_tokens",
+                            admin_user_id: user._id,
+                            token: adminTokenRecord.token,
+                            expires_at: adminTokenRecord.expires_at ?? now + exports.ADMIN_SESSION_TTL_MS,
+                            user_agent: req.headers.get("user-agent"),
+                            ip_address: getIpAddress(req),
+                            created_at: adminTokenRecord.created_at,
+                            last_accessed_at: now,
+                        },
+                    };
+                }
+            }
+        }
+        // 2. Check for ast_ session tokens (login sessions)
+        if (token.startsWith("ast_")) {
+            const sessionAuth = await verifyAdminSession(db, token);
+            if (sessionAuth) {
+                return sessionAuth;
+            }
+        }
+        // 3. Check for ak_ API keys (legacy, user-level access)
+        if (token.startsWith("ak_")) {
+            const apiKey = await (0, schema_js_1.findApiKeyByKey)(db, token);
+            if (apiKey) {
+                const user = await (0, schema_js_1.findAdminUserById)(db, apiKey.created_by_admin_id);
+                if (user) {
+                    await (0, schema_js_1.updateApiKeyLastUsed)(db, apiKey._id);
+                    const now = Date.now();
+                    return {
+                        user: {
+                            _id: user._id,
+                            _collection: user._collection,
+                            username: user.username,
+                            name: user.name,
+                            avatar_url: user.avatar_url,
+                            is_super_admin: user.is_super_admin,
+                            created_at: user.created_at,
+                            updated_at: user.updated_at,
+                        },
+                        session: {
+                            _id: apiKey._id,
+                            _collection: "api_keys",
+                            admin_user_id: user._id,
+                            token: apiKey.key,
+                            expires_at: now + exports.ADMIN_SESSION_TTL_MS,
+                            user_agent: req.headers.get("user-agent"),
+                            ip_address: getIpAddress(req),
+                            created_at: apiKey.created_at,
+                            last_accessed_at: now,
+                        },
+                    };
+                }
+            }
+        }
+        // If this token failed, loop to the next one (e.g. Invalid Bearer -> Try Cookie)
+    }
+    logger_js_1.logger.log({
+        timestamp: Date.now(),
+        level: "warn",
+        kind: "system",
+        message: "[Admin Auth] All tokens failed validation",
+    });
+    return null;
+}
+/**
+ * Serialize session cookie (Set-Cookie header value)
+ */
+function serializeAdminSessionCookie(token) {
+    const maxAge = Math.floor(exports.ADMIN_SESSION_TTL_MS / 1000); // seconds
+    const isProd = process.env.NODE_ENV === "production";
+    // Important: SameSite=Lax allows the cookie to be sent on top-level navigations but blocks it on cross-site subrequests.
+    // For localhost development on different ports (e.g. 4000 vs 4001), Lax is fine.
+    // Secure should only be true if valid HTTPS is available.
+    return `${exports.ADMIN_SESSION_COOKIE_NAME}=${token}; Path=/; HttpOnly; SameSite=Lax; Max-Age=${maxAge}${isProd ? "; Secure" : ""}`;
+}
+/**
+ * Serialize delete session cookie (Set-Cookie header value)
+ */
+function serializeDeleteAdminSessionCookie() {
+    return `${exports.ADMIN_SESSION_COOKIE_NAME}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`;
+}
+/**
+ * Get user agent from request
+ */
+function getUserAgent(req) {
+    return req.headers.get("user-agent");
+}
+/**
+ * Get IP address from request
+ */
+function getIpAddress(req) {
+    // Check common headers for proxied requests
+    const forwarded = req.headers.get("x-forwarded-for");
+    if (forwarded) {
+        return forwarded.split(",")[0].trim();
+    }
+    const realIp = req.headers.get("x-real-ip");
+    if (realIp) {
+        return realIp;
+    }
+    // Fallback to direct connection (may be proxy IP in production)
+    return null;
+}
+//# sourceMappingURL=auth.js.map

package/dist/admin/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/admin/auth.ts"],"names":[],"mappings":";;;AAwDA,0CAEC;AAKD,0CAiEC;AAKD,gCA0DC;AAKD,kCAEC;AAKD,gDAoDC;AAkHD,8DA0BC;AASD,4CA8IC;AAKD,kEAOC;AAKD,8EAEC;AAKD,oCAEC;AAKD,oCAcC;AA/kBD,wDAAwE;AACxE,oDAA8C;AAC9C,mCAAqD;AAErD,gDAAgD;AAEhD,2CAkBqB;AAErB;;;;;GAKG;AAEU,QAAA,yBAAyB,GAAG,wBAAwB,CAAC;AACrD,QAAA,oBAAoB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;AAmBtE;;GAEG;AACI,KAAK,UAAU,eAAe,CAAC,EAAmB;IACrD,OAAO,CAAC,CAAC,MAAM,IAAA,4BAAgB,EAAC,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,eAAe,CACjC,EAAmB,EACnB,QAAgB,EAChB,QAAgB,EAChB,SAAwB,EACxB,SAAwB;IAExB,IAAI,CAAC;QACD,yBAAyB;QACzB,IAAI,CAAC,CAAC,MAAM,eAAe,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YAC/B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAChE,CAAC;QAED,oBAAoB;QACpB,MAAM,kBAAkB,GAAG,IAAA,6BAAiB,EAAC,QAAQ,CAAC,CAAC;QACvD,IAAI,CAAC,IAAA,2BAAe,EAAC,kBAAkB,CAAC,EAAE,CAAC;YACvC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,8EAA8E,EAAE,CAAC;QACrH,CAAC;QAED,oBAAoB;QACpB,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;QAC/E,CAAC;QAED,gBAAgB;QAChB,MAAM,YAAY,GAAG,MAAM,IAAA,wBAAY,EAAC,QAAQ,CAAC,CAAC;QAElD,+CAA+C;QAC/C,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAoB,EAAC,EAAE,EAAE,kBAAkB,EAAE,YAAY,CAAC,CAAC;QAE9E,iBAAiB;QACjB,MAAM,KAAK,GAAG,OAAO,IAAA,gBAAQ,GAAE,EAAE,CAAC,CAAC,sBAAsB;QACzD,MAAM,OAAO,GAAG,MAAM,IAAA,8BAAkB,EACpC,EAAE,EACF,IAAI,CAAC,GAAG,EACR,KAAK,EACL,4BAAoB,EACpB,SAAS,EACT,SAAS,CACZ,CAAC;QAEF,OAAO;YACH,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,IAAI,EAAE;gBACF,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,cAAc,EAAE,IAAI,CAAC,cAAc;gBACnC,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;aAC9B;SACJ,CAAC;IACN,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACX,kBAAM,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,KAAK,EAAE,OAAO;YACd,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,cAAc;YACvB,OAAO,EAAE,EAAE,GAAG,EAAE;SACnB,CAAC,CAAC;QACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;IACrD,CAAC;AACL,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,UAAU,CAC5B,EAAmB,EACnB,QAAgB,EAChB,QAAgB,EAChB,SAAwB,EACxB,SAAwB;IAExB,IAAI,CAAC;QACD,wBAAwB;QACxB,MAAM,kBAAkB,GAAG,IAAA,6BAAiB,EAAC,QAAQ,CAAC,CAAC;QACvD,MAAM,IAAI,GAAG,MAAM,IAAA,mCAAuB,EAAC,EAAE,EAAE,kBAAkB,CAAC,CAAC;QAEnE,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC;QACrE,CAAC;QAED,kBAAkB;QAClB,MAAM,OAAO,GAAG,MAAM,IAAA,0BAAc,EAAC,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QAEnE,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC;QACrE,CAAC;QAED,iBAAiB;QACjB,MAAM,KAAK,GAAG,OAAO,IAAA,gBAAQ,GAAE,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,MAAM,IAAA,8BAAkB,EACpC,EAAE,EACF,IAAI,CAAC,GAAG,EACR,KAAK,EACL,4BAAoB,EACpB,SAAS,EACT,SAAS,CACZ,CAAC;QAEF,OAAO;YACH,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,IAAI,EAAE;gBACF,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,cAAc,EAAE,IAAI,CAAC,cAAc;gBACnC,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;aAC9B;SACJ,CAAC;IACN,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACX,kBAAM,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,KAAK,EAAE,OAAO;YACd,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,2BAA2B;YACpC,OAAO,EAAE,EAAE,GAAG,EAAE;SACnB,CAAC,CAAC;QACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;IACrD,CAAC;AACL,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,WAAW,CAAC,EAAmB,EAAE,KAAa;IAChE,MAAM,IAAA,8BAAa,EAAC,EAAE,EAAE,KAAK,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,kBAAkB,CACpC,EAAmB,EACnB,KAAa;IAEb,IAAI,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,IAAA,mCAAuB,EAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAEzD,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAA,6BAAiB,EAAC,EAAE,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;QAEhE,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,kBAAM,CAAC,GAAG,CAAC;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,KAAK,EAAE,MAAM;gBACb,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,yCAAyC;aACrD,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,4BAA4B;QAC5B,MAAM,IAAA,qCAAyB,EAAC,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QAEjD,OAAO;YACH,IAAI,EAAE;gBACF,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,cAAc,EAAE,IAAI,CAAC,cAAc;gBACnC,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;aAC9B;YACD,OAAO;SACV,CAAC;IACN,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACpB,kBAAM,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,KAAK,EAAE,OAAO;YACd,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,yCAAyC;YAClD,OAAO,EAAE;gBACL,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;gBACvD,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;aACtD;SACJ,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IAChB,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E,MAAM,wBAAwB,GAAG,OAAO,CAAC,GAAG,CAAC,iCAAiC,IAAI,8CAA8C,CAAC;AACjI,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAEvD;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,UAAkB,EAAE,WAAmB;IAC7D,IAAI,CAAC;QACD,mDAAmD;QACnD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC1C,wCAAwC;YACxC,OAAO,UAAU,CAAC;QACtB,CAAC;QAED,MAAM,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;QACxD,MAAM,SAAS,GAAG,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QAE7C,mCAAmC;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,SAAS,CAAC,GAAG,mBAAmB,EAAE,CAAC;YAClD,kBAAM,CAAC,GAAG,CAAC;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,KAAK,EAAE,MAAM;gBACb,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,iDAAiD,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,SAAS,CAAC,QAAQ;aAC9F,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,mBAAmB;QACnB,MAAM,OAAO,GAAG,GAAG,KAAK,IAAI,SAAS,IAAI,KAAK,IAAI,WAAW,EAAE,CAAC;QAChE,MAAM,iBAAiB,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,wBAAwB,CAAC;aACnE,MAAM,CAAC,OAAO,CAAC;aACf,MAAM,CAAC,WAAW,CAAC,CAAC;QAEzB,uDAAuD;QACvD,IAAI,CAAC,IAAA,wBAAe,EAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,EAAE,CAAC;YAC3E,kBAAM,CAAC,GAAG,CAAC;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,KAAK,EAAE,MAAM;gBACb,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,mDAAmD;aAC/D,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,kBAAM,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,KAAK,EAAE,OAAO;YACd,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,uDAAuD;SACnE,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,kBAAM,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,KAAK,EAAE,OAAO;YACd,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,yCAAyC;YAClD,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;SAC7E,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IAChB,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,2BAA2B,CAAC,GAAY,EAAE,WAAmB;IAClE,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,0BAA0B;IAC1B,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACrD,IAAI,WAAW,EAAE,CAAC;QACd,MAAM,YAAY,GAAG,gBAAgB,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QAChE,IAAI,YAAY;YAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAChD,CAAC;IAED,0BAA0B;IAC1B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACpD,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM,YAAY,GAAG,gBAAgB,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAC1D,IAAI,YAAY;YAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAChD,CAAC;IAED,gDAAgD;IAChD,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/C,IAAI,YAAY,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7D,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,IAAI,KAAK,iCAAyB,EAAE,CAAC;gBACrC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,2CAA2C;YACnE,CAAC;QACL,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAgB,yBAAyB,CAAC,GAAY;IAClD,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,4DAA4D;IAC5D,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACrD,IAAI,WAAW;QAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAE1C,0BAA0B;IAC1B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACpD,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACrC,CAAC;IAED,YAAY;IACZ,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/C,IAAI,YAAY,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7D,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,IAAI,KAAK,iCAAyB,EAAE,CAAC;gBACrC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;QACL,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAClB,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,gBAAgB,CAClC,EAAmB,EACnB,GAAY,EACZ,WAAoB;IAEpB,8CAA8C;IAC9C,MAAM,IAAI,GAAG,WAAW,IAAI,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;IAEtD,iCAAiC;IACjC,MAAM,MAAM,GAAG,2BAA2B,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACtD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,kBAAM,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,KAAK,EAAE,MAAM;YACb,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,8CAA8C;YACvD,OAAO,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,EAAE;SAClE,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,kBAAM,CAAC,GAAG,CAAC;QACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,sBAAsB,MAAM,CAAC,MAAM,WAAW;QACvD,OAAO,EAAE,EAAE,UAAU,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE;KAChF,CAAC,CAAC;IAEH,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QACzB,6EAA6E;QAC7E,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3B,kBAAM,CAAC,GAAG,CAAC;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,KAAK,EAAE,OAAO;gBACd,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,kCAAkC;gBAC3C,OAAO,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,EAAE;aACvD,CAAC,CAAC;YACH,MAAM,gBAAgB,GAAG,MAAM,IAAA,iCAAqB,EAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAChE,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACpB,kBAAM,CAAC,GAAG,CAAC;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;oBACrB,KAAK,EAAE,MAAM;oBACb,IAAI,EAAE,QAAQ;oBACd,OAAO,EAAE,+CAA+C;oBACxD,OAAO,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,EAAE;iBACvD,CAAC,CAAC;YACP,CAAC;YACD,IAAI,gBAAgB,EAAE,CAAC;gBACnB,MAAM,IAAI,GAAG,MAAM,IAAA,6BAAiB,EAAC,EAAE,EAAE,gBAAgB,CAAC,mBAAmB,CAAC,CAAC;gBAC/E,IAAI,IAAI,EAAE,CAAC;oBACP,MAAM,IAAA,oCAAwB,EAAC,EAAE,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC;oBACzD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;oBACvB,kBAAM,CAAC,GAAG,CAAC;wBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;wBACrB,KAAK,EAAE,MAAM;wBACb,IAAI,EAAE,QAAQ;wBACd,OAAO,EAAE,yCAAyC;wBAClD,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,gBAAgB,CAAC,IAAI,EAAE;qBACrE,CAAC,CAAC;oBACH,OAAO;wBACH,IAAI,EAAE;4BACF,GAAG,EAAE,IAAI,CAAC,GAAG;4BACb,WAAW,EAAE,IAAI,CAAC,WAAW;4BAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,UAAU,EAAE,IAAI,CAAC,UAAU;4BAC3B,cAAc,EAAE,IAAI,CAAC,cAAc;4BACnC,UAAU,EAAE,IAAI,CAAC,UAAU;4BAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;yBAC9B;wBACD,OAAO,EAAE;4BACL,GAAG,EAAE,gBAAgB,CAAC,GAAG;4BACzB,WAAW,EAAE,cAAc;4BAC3B,aAAa,EAAE,IAAI,CAAC,GAAG;4BACvB,KAAK,EAAE,gBAAgB,CAAC,KAAK;4BAC7B,UAAU,EAAE,gBAAgB,CAAC,UAAU,IAAI,GAAG,GAAG,4BAAoB;4BACrE,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;4BACzC,UAAU,EAAE,YAAY,CAAC,GAAG,CAAC;4BAC7B,UAAU,EAAE,gBAAgB,CAAC,UAAU;4BACvC,gBAAgB,EAAE,GAAG;yBACxB;qBACJ,CAAC;gBACN,CAAC;YACL,CAAC;QACL,CAAC;QAED,oDAAoD;QACpD,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3B,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YACxD,IAAI,WAAW,EAAE,CAAC;gBACd,OAAO,WAAW,CAAC;YACvB,CAAC;QACL,CAAC;QAED,wDAAwD;QACxD,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,MAAM,IAAA,2BAAe,EAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAChD,IAAI,MAAM,EAAE,CAAC;gBACT,MAAM,IAAI,GAAG,MAAM,IAAA,6BAAiB,EAAC,EAAE,EAAE,MAAM,CAAC,mBAAmB,CAAC,CAAC;gBACrE,IAAI,IAAI,EAAE,CAAC;oBACP,MAAM,IAAA,gCAAoB,EAAC,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;oBAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;oBACvB,OAAO;wBACH,IAAI,EAAE;4BACF,GAAG,EAAE,IAAI,CAAC,GAAG;4BACb,WAAW,EAAE,IAAI,CAAC,WAAW;4BAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,UAAU,EAAE,IAAI,CAAC,UAAU;4BAC3B,cAAc,EAAE,IAAI,CAAC,cAAc;4BACnC,UAAU,EAAE,IAAI,CAAC,UAAU;4BAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;yBAC9B;wBACD,OAAO,EAAE;4BACL,GAAG,EAAE,MAAM,CAAC,GAAG;4BACf,WAAW,EAAE,UAAU;4BACvB,aAAa,EAAE,IAAI,CAAC,GAAG;4BACvB,KAAK,EAAE,MAAM,CAAC,GAAG;4BACjB,UAAU,EAAE,GAAG,GAAG,4BAAoB;4BACtC,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;4BACzC,UAAU,EAAE,YAAY,CAAC,GAAG,CAAC;4BAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;4BAC7B,gBAAgB,EAAE,GAAG;yBACxB;qBACJ,CAAC;gBACN,CAAC;YACL,CAAC;QACL,CAAC;QAED,iFAAiF;IACrF,CAAC;IAED,kBAAM,CAAC,GAAG,CAAC;QACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,2CAA2C;KACvD,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAgB,2BAA2B,CAAC,KAAa;IACrD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,4BAAoB,GAAG,IAAI,CAAC,CAAC,CAAC,UAAU;IAClE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IACrD,yHAAyH;IACzH,iFAAiF;IACjF,0DAA0D;IAC1D,OAAO,GAAG,iCAAyB,IAAI,KAAK,6CAA6C,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;AACjI,CAAC;AAED;;GAEG;AACH,SAAgB,iCAAiC;IAC7C,OAAO,GAAG,iCAAyB,8CAA8C,CAAC;AACtF,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,GAAY;IACrC,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,GAAY;IACrC,4CAA4C;IAC5C,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACrD,IAAI,SAAS,EAAE,CAAC;QACZ,OAAO,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1C,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC5C,IAAI,MAAM,EAAE,CAAC;QACT,OAAO,MAAM,CAAC;IAClB,CAAC;IAED,gEAAgE;IAChE,OAAO,IAAI,CAAC;AAChB,CAAC"}