@aspect-wallet/sdk 0.1.0

package/dist/audit/history.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Audit history and event streaming.
+ * Corresponds to SPEC-013 Section 12.
+ */
+import type { Address, AuditHistoryQuery, AuditHistoryResult, WebhookConfig, WebhookInfo } from '../types.js';
+import { ApiClient } from '../transport/api.js';
+/**
+ * Audit module for querying operation history, event streams, and webhook management.
+ */
+export declare class AuditClient {
+    private readonly api;
+    readonly webhooks: WebhookManager;
+    constructor(api: ApiClient);
+    /** Get full operation history for a wallet */
+    getHistory(address: Address, query?: AuditHistoryQuery): Promise<AuditHistoryResult>;
+    /**
+     * Subscribe to real-time events for a wallet.
+     * Returns an unsubscribe function.
+     */
+    subscribe(address: Address, options: {
+        events: string[];
+        onEvent: (event: {
+            type: string;
+            userOpHash?: string;
+            success?: boolean;
+            [key: string]: unknown;
+        }) => void;
+        onError?: (error: Error) => void;
+    }): () => void;
+}
+/**
+ * Webhook management for server-side notifications.
+ */
+export declare class WebhookManager {
+    private readonly api;
+    constructor(api: ApiClient);
+    /** Register a new webhook */
+    create(config: WebhookConfig): Promise<WebhookInfo>;
+    /** List all registered webhooks */
+    list(): Promise<WebhookInfo[]>;
+    /** Remove a webhook */
+    remove(webhookId: string): Promise<void>;
+}
+//# sourceMappingURL=history.d.ts.map

package/dist/audit/history.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"history.d.ts","sourceRoot":"","sources":["../../src/audit/history.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,iBAAiB,EACjB,kBAAkB,EAClB,aAAa,EACb,WAAW,EACZ,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAEhD;;GAEG;AACH,qBAAa,WAAW;IAGV,OAAO,CAAC,QAAQ,CAAC,GAAG;IAFhC,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;gBAEL,GAAG,EAAE,SAAS;IAI3C,8CAA8C;IACxC,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAc1F;;;OAGG;IACH,SAAS,CACP,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE;QACP,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,OAAO,EAAE,CAAC,KAAK,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,UAAU,CAAC,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,OAAO,CAAC;YAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;SAAE,KAAK,IAAI,CAAC;QAC3G,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;KAClC,GACA,MAAM,IAAI;CAwBd;AAED;;GAEG;AACH,qBAAa,cAAc;IACb,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAAH,GAAG,EAAE,SAAS;IAE3C,6BAA6B;IACvB,MAAM,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,CAAC;IAIzD,mCAAmC;IAC7B,IAAI,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;IAIpC,uBAAuB;IACjB,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C"}

package/dist/audit/history.js

@@ -0,0 +1,80 @@
+/**
+ * Audit history and event streaming.
+ * Corresponds to SPEC-013 Section 12.
+ */
+/**
+ * Audit module for querying operation history, event streams, and webhook management.
+ */
+export class AuditClient {
+    api;
+    webhooks;
+    constructor(api) {
+        this.api = api;
+        this.webhooks = new WebhookManager(api);
+    }
+    /** Get full operation history for a wallet */
+    async getHistory(address, query) {
+        const params = {};
+        if (query?.limit != null)
+            params['limit'] = query.limit.toString();
+        if (query?.offset != null)
+            params['offset'] = query.offset.toString();
+        if (query?.from)
+            params['from'] = query.from;
+        if (query?.to)
+            params['to'] = query.to;
+        if (query?.types)
+            params['types'] = query.types.join(',');
+        return this.api.get(`/audit/history`, {
+            wallet: address,
+            ...params,
+        });
+    }
+    /**
+     * Subscribe to real-time events for a wallet.
+     * Returns an unsubscribe function.
+     */
+    subscribe(address, options) {
+        const params = new URLSearchParams({
+            wallet: address,
+            events: options.events.join(','),
+        });
+        const baseUrl = this.api.baseUrl;
+        const eventSource = new EventSource(`${baseUrl}/audit/events?${params.toString()}`);
+        eventSource.onmessage = (event) => {
+            try {
+                const data = JSON.parse(event.data);
+                options.onEvent(data);
+            }
+            catch (error) {
+                options.onError?.(error instanceof Error ? error : new Error(String(error)));
+            }
+        };
+        eventSource.onerror = () => {
+            options.onError?.(new Error('Event stream connection error'));
+        };
+        return () => eventSource.close();
+    }
+}
+/**
+ * Webhook management for server-side notifications.
+ */
+export class WebhookManager {
+    api;
+    constructor(api) {
+        this.api = api;
+    }
+    /** Register a new webhook */
+    async create(config) {
+        return this.api.post('/audit/webhooks', config);
+    }
+    /** List all registered webhooks */
+    async list() {
+        return this.api.get('/audit/webhooks');
+    }
+    /** Remove a webhook */
+    async remove(webhookId) {
+        await this.api.delete(`/audit/webhooks/${webhookId}`);
+    }
+}
+//# sourceMappingURL=history.js.map

package/dist/audit/history.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"history.js","sourceRoot":"","sources":["../../src/audit/history.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAWH;;GAEG;AACH,MAAM,OAAO,WAAW;IAGO;IAFpB,QAAQ,CAAiB;IAElC,YAA6B,GAAc;QAAd,QAAG,GAAH,GAAG,CAAW;QACzC,IAAI,CAAC,QAAQ,GAAG,IAAI,cAAc,CAAC,GAAG,CAAC,CAAC;IAC1C,CAAC;IAED,8CAA8C;IAC9C,KAAK,CAAC,UAAU,CAAC,OAAgB,EAAE,KAAyB;QAC1D,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,IAAI,KAAK,EAAE,KAAK,IAAI,IAAI;YAAE,MAAM,CAAC,OAAO,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnE,IAAI,KAAK,EAAE,MAAM,IAAI,IAAI;YAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACtE,IAAI,KAAK,EAAE,IAAI;YAAE,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC;QAC7C,IAAI,KAAK,EAAE,EAAE;YAAE,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,EAAE,CAAC;QACvC,IAAI,KAAK,EAAE,KAAK;YAAE,MAAM,CAAC,OAAO,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE1D,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAqB,gBAAgB,EAAE;YACxD,MAAM,EAAE,OAAO;YACf,GAAG,MAAM;SACV,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,SAAS,CACP,OAAgB,EAChB,OAIC;QAED,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,MAAM,EAAE,OAAO;YACf,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACjC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAI,IAAI,CAAC,GAAsC,CAAC,OAAO,CAAC;QACrE,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,GAAG,OAAO,iBAAiB,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAEpF,WAAW,CAAC,SAAS,GAAG,CAAC,KAAK,EAAE,EAAE;YAChC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;gBAC/D,OAAO,CAAC,OAAO,CAAC,IAAgD,CAAC,CAAC;YACpE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,OAAO,EAAE,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC/E,CAAC;QACH,CAAC,CAAC;QAEF,WAAW,CAAC,OAAO,GAAG,GAAG,EAAE;YACzB,OAAO,CAAC,OAAO,EAAE,CAAC,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;QAChE,CAAC,CAAC;QAEF,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;IACnC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,cAAc;IACI;IAA7B,YAA6B,GAAc;QAAd,QAAG,GAAH,GAAG,CAAW;IAAG,CAAC;IAE/C,6BAA6B;IAC7B,KAAK,CAAC,MAAM,CAAC,MAAqB;QAChC,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAc,iBAAiB,EAAE,MAAM,CAAC,CAAC;IAC/D,CAAC;IAED,mCAAmC;IACnC,KAAK,CAAC,IAAI;QACR,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAgB,iBAAiB,CAAC,CAAC;IACxD,CAAC;IAED,uBAAuB;IACvB,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,mBAAmB,SAAS,EAAE,CAAC,CAAC;IACxD,CAAC;CACF"}

package/dist/auth/email.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Email OTP authentication flow.
+ * Corresponds to SPEC-013 Section 7.1.
+ *
+ * Flow:
+ * 1. Send OTP to user's email
+ * 2. User enters OTP code
+ * 3. Verify OTP -> returns session + wallet info
+ * 4. First-time: Turnkey sub-org created, key generated, wallet address computed
+ * 5. Returning: existing key loaded
+ */
+import { ApiClient } from '../transport/api.js';
+import { SessionManager } from './session.js';
+import type { SessionInfo } from '../types.js';
+/**
+ * Email OTP authentication client.
+ * Handles the two-step email verification flow.
+ */
+export declare class AuthClient {
+    private readonly api;
+    readonly session: SessionManager;
+    constructor(api: ApiClient);
+    /**
+     * Send an OTP code to the user's email address.
+     * Rate limited: 5/hour per email.
+     */
+    sendEmailOtp(email: string): Promise<void>;
+    /**
+     * Verify the OTP code and establish a session.
+     * Rate limited: 3 attempts per OTP.
+     *
+     * @returns Session info including JWT, user, wallet, and signer details
+     */
+    verifyEmailOtp(params: {
+        email: string;
+        code: string;
+    }): Promise<SessionInfo>;
+    /** Check if the user is authenticated */
+    isAuthenticated(): boolean;
+    /** Get the current session */
+    getSession(): SessionInfo | null;
+    /** Refresh the current session */
+    refreshSession(): Promise<SessionInfo>;
+    /** Logout and revoke session */
+    logout(): Promise<void>;
+    /**
+     * Link an email to an existing account (for backup auth).
+     * Sends an OTP to the new email for verification.
+     */
+    linkEmail(email: string): Promise<void>;
+}
+//# sourceMappingURL=email.d.ts.map

package/dist/auth/email.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email.d.ts","sourceRoot":"","sources":["../../src/auth/email.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE/C;;;GAGG;AACH,qBAAa,UAAU;IAGT,OAAO,CAAC,QAAQ,CAAC,GAAG;IAFhC,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;gBAEJ,GAAG,EAAE,SAAS;IAI3C;;;OAGG;IACG,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhD;;;;;OAKG;IACG,cAAc,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,WAAW,CAAC;IAMnF,yCAAyC;IACzC,eAAe,IAAI,OAAO;IAI1B,8BAA8B;IAC9B,UAAU,IAAI,WAAW,GAAG,IAAI;IAIhC,kCAAkC;IAC5B,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC;IAI5C,gCAAgC;IAC1B,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAI7B;;;OAGG;IACG,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG9C"}

package/dist/auth/email.js

@@ -0,0 +1,66 @@
+/**
+ * Email OTP authentication flow.
+ * Corresponds to SPEC-013 Section 7.1.
+ *
+ * Flow:
+ * 1. Send OTP to user's email
+ * 2. User enters OTP code
+ * 3. Verify OTP -> returns session + wallet info
+ * 4. First-time: Turnkey sub-org created, key generated, wallet address computed
+ * 5. Returning: existing key loaded
+ */
+import { SessionManager } from './session.js';
+/**
+ * Email OTP authentication client.
+ * Handles the two-step email verification flow.
+ */
+export class AuthClient {
+    api;
+    session;
+    constructor(api) {
+        this.api = api;
+        this.session = new SessionManager(api);
+    }
+    /**
+     * Send an OTP code to the user's email address.
+     * Rate limited: 5/hour per email.
+     */
+    async sendEmailOtp(email) {
+        await this.api.post('/auth/email/otp', { email });
+    }
+    /**
+     * Verify the OTP code and establish a session.
+     * Rate limited: 3 attempts per OTP.
+     *
+     * @returns Session info including JWT, user, wallet, and signer details
+     */
+    async verifyEmailOtp(params) {
+        const session = await this.api.post('/auth/email/verify', params);
+        this.session.setSession(session);
+        return session;
+    }
+    /** Check if the user is authenticated */
+    isAuthenticated() {
+        return this.session.isAuthenticated();
+    }
+    /** Get the current session */
+    getSession() {
+        return this.session.getSession();
+    }
+    /** Refresh the current session */
+    async refreshSession() {
+        return this.session.refreshSession();
+    }
+    /** Logout and revoke session */
+    async logout() {
+        return this.session.logout();
+    }
+    /**
+     * Link an email to an existing account (for backup auth).
+     * Sends an OTP to the new email for verification.
+     */
+    async linkEmail(email) {
+        await this.api.post('/auth/link/email', { email });
+    }
+}
+//# sourceMappingURL=email.js.map

package/dist/auth/email.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email.js","sourceRoot":"","sources":["../../src/auth/email.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAG9C;;;GAGG;AACH,MAAM,OAAO,UAAU;IAGQ;IAFpB,OAAO,CAAiB;IAEjC,YAA6B,GAAc;QAAd,QAAG,GAAH,GAAG,CAAW;QACzC,IAAI,CAAC,OAAO,GAAG,IAAI,cAAc,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;IACpD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc,CAAC,MAAuC;QAC1D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAc,oBAAoB,EAAE,MAAM,CAAC,CAAC;QAC/E,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACjC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,yCAAyC;IACzC,eAAe;QACb,OAAO,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;IACxC,CAAC;IAED,8BAA8B;IAC9B,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;IACnC,CAAC;IAED,kCAAkC;IAClC,KAAK,CAAC,cAAc;QAClB,OAAO,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;IACvC,CAAC;IAED,gCAAgC;IAChC,KAAK,CAAC,MAAM;QACV,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;IAC/B,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,SAAS,CAAC,KAAa;QAC3B,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC;CACF"}

package/dist/auth/oauth.d.ts

@@ -0,0 +1,47 @@
+/**
+ * OAuth authentication flows (Google, Apple, Facebook).
+ * Corresponds to SPEC-013 Section 7.2.
+ *
+ * All OAuth providers follow the same pattern:
+ * 1. Open OAuth popup/redirect
+ * 2. Exchange provider token with backend
+ * 3. Backend maps identity to Turnkey sub-org + signing key
+ * 4. Returns session info with wallet address
+ */
+import { ApiClient } from '../transport/api.js';
+import { SessionManager } from './session.js';
+import type { SessionInfo } from '../types.js';
+type OAuthProvider = 'google' | 'apple' | 'facebook';
+/**
+ * OAuth authentication client.
+ * Supports Google, Apple, and Facebook login flows.
+ * All providers create a Turnkey sub-org on first login and map to the same wallet
+ * when linking multiple auth methods.
+ */
+export declare class OAuthClient {
+    private readonly api;
+    private readonly session;
+    constructor(api: ApiClient, session: SessionManager);
+    /**
+     * Login with Google OAuth.
+     * Opens popup, exchanges token, maps to Turnkey key, returns session.
+     */
+    loginWithGoogle(): Promise<SessionInfo>;
+    /**
+     * Login with Apple OAuth.
+     */
+    loginWithApple(): Promise<SessionInfo>;
+    /**
+     * Login with Facebook OAuth.
+     */
+    loginWithFacebook(): Promise<SessionInfo>;
+    /**
+     * Link an OAuth provider to an existing account.
+     * Same Turnkey sub-org, same wallet -- just adds an auth path.
+     */
+    linkOAuthProvider(provider: OAuthProvider): Promise<void>;
+    private loginWithProvider;
+    private openOAuthPopup;
+}
+export {};
+//# sourceMappingURL=oauth.d.ts.map

package/dist/auth/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE/C,KAAK,aAAa,GAAG,QAAQ,GAAG,OAAO,GAAG,UAAU,CAAC;AAErD;;;;;GAKG;AACH,qBAAa,WAAW;IAEpB,OAAO,CAAC,QAAQ,CAAC,GAAG;IACpB,OAAO,CAAC,QAAQ,CAAC,OAAO;gBADP,GAAG,EAAE,SAAS,EACd,OAAO,EAAE,cAAc;IAG1C;;;OAGG;IACG,eAAe,IAAI,OAAO,CAAC,WAAW,CAAC;IAI7C;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC;IAI5C;;OAEG;IACG,iBAAiB,IAAI,OAAO,CAAC,WAAW,CAAC;IAI/C;;;OAGG;IACG,iBAAiB,CAAC,QAAQ,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;YAIjD,iBAAiB;IAmB/B,OAAO,CAAC,cAAc;CAmDvB"}

package/dist/auth/oauth.js

@@ -0,0 +1,103 @@
+/**
+ * OAuth authentication flows (Google, Apple, Facebook).
+ * Corresponds to SPEC-013 Section 7.2.
+ *
+ * All OAuth providers follow the same pattern:
+ * 1. Open OAuth popup/redirect
+ * 2. Exchange provider token with backend
+ * 3. Backend maps identity to Turnkey sub-org + signing key
+ * 4. Returns session info with wallet address
+ */
+/**
+ * OAuth authentication client.
+ * Supports Google, Apple, and Facebook login flows.
+ * All providers create a Turnkey sub-org on first login and map to the same wallet
+ * when linking multiple auth methods.
+ */
+export class OAuthClient {
+    api;
+    session;
+    constructor(api, session) {
+        this.api = api;
+        this.session = session;
+    }
+    /**
+     * Login with Google OAuth.
+     * Opens popup, exchanges token, maps to Turnkey key, returns session.
+     */
+    async loginWithGoogle() {
+        return this.loginWithProvider('google');
+    }
+    /**
+     * Login with Apple OAuth.
+     */
+    async loginWithApple() {
+        return this.loginWithProvider('apple');
+    }
+    /**
+     * Login with Facebook OAuth.
+     */
+    async loginWithFacebook() {
+        return this.loginWithProvider('facebook');
+    }
+    /**
+     * Link an OAuth provider to an existing account.
+     * Same Turnkey sub-org, same wallet -- just adds an auth path.
+     */
+    async linkOAuthProvider(provider) {
+        await this.api.post(`/auth/link/${provider}`, {});
+    }
+    async loginWithProvider(provider) {
+        // Get the OAuth redirect URL from the backend
+        const { authUrl } = await this.api.post(`/auth/oauth/${provider}/init`, { redirectUri: typeof window !== 'undefined' ? window.location.origin + '/auth/callback' : '' });
+        // In a browser, open a popup for the OAuth flow
+        const token = await this.openOAuthPopup(authUrl);
+        // Exchange the OAuth token for a session
+        const session = await this.api.post(`/auth/oauth/${provider}`, {
+            token,
+        });
+        this.session.setSession(session);
+        return session;
+    }
+    openOAuthPopup(authUrl) {
+        return new Promise((resolve, reject) => {
+            if (typeof window === 'undefined') {
+                reject(new Error('OAuth popup requires a browser environment'));
+                return;
+            }
+            const width = 500;
+            const height = 600;
+            const left = window.screenX + (window.outerWidth - width) / 2;
+            const top = window.screenY + (window.outerHeight - height) / 2;
+            const popup = window.open(authUrl, 'fcx-oauth', `width=${width},height=${height},left=${left},top=${top}`);
+            if (!popup) {
+                reject(new Error('Failed to open OAuth popup. Check popup blocker settings.'));
+                return;
+            }
+            const handleMessage = (event) => {
+                if (event.data?.type === 'FCX_OAUTH_CALLBACK' && event.data?.token) {
+                    window.removeEventListener('message', handleMessage);
+                    popup.close();
+                    resolve(event.data.token);
+                }
+            };
+            window.addEventListener('message', handleMessage);
+            // Timeout after 5 minutes
+            const timeout = setTimeout(() => {
+                window.removeEventListener('message', handleMessage);
+                popup.close();
+                reject(new Error('OAuth flow timed out'));
+            }, 300_000);
+            // Check if popup was closed manually
+            const checkClosed = setInterval(() => {
+                if (popup.closed) {
+                    clearInterval(checkClosed);
+                    clearTimeout(timeout);
+                    window.removeEventListener('message', handleMessage);
+                    reject(new Error('OAuth popup closed by user'));
+                }
+            }, 1000);
+        });
+    }
+}
+//# sourceMappingURL=oauth.js.map

package/dist/auth/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAQH;;;;;GAKG;AACH,MAAM,OAAO,WAAW;IAEH;IACA;IAFnB,YACmB,GAAc,EACd,OAAuB;QADvB,QAAG,GAAH,GAAG,CAAW;QACd,YAAO,GAAP,OAAO,CAAgB;IACvC,CAAC;IAEJ;;;OAGG;IACH,KAAK,CAAC,eAAe;QACnB,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc;QAClB,OAAO,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB;QACrB,OAAO,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAC5C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB,CAAC,QAAuB;QAC7C,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IACpD,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,QAAuB;QACrD,8CAA8C;QAC9C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CACrC,eAAe,QAAQ,OAAO,EAC9B,EAAE,WAAW,EAAE,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,gBAAgB,CAAC,CAAC,CAAC,EAAE,EAAE,CAChG,CAAC;QAEF,gDAAgD;QAChD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QAEjD,yCAAyC;QACzC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAc,eAAe,QAAQ,EAAE,EAAE;YAC1E,KAAK;SACN,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACjC,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,cAAc,CAAC,OAAe;QACpC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;gBAClC,MAAM,CAAC,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC,CAAC;gBAChE,OAAO;YACT,CAAC;YAED,MAAM,KAAK,GAAG,GAAG,CAAC;YAClB,MAAM,MAAM,GAAG,GAAG,CAAC;YACnB,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,GAAG,CAAC,MAAM,CAAC,UAAU,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9D,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,GAAG,CAAC,MAAM,CAAC,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;YAE/D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CACvB,OAAO,EACP,WAAW,EACX,SAAS,KAAK,WAAW,MAAM,SAAS,IAAI,QAAQ,GAAG,EAAE,CAC1D,CAAC;YAEF,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,CAAC,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC,CAAC;gBAC/E,OAAO;YACT,CAAC;YAED,MAAM,aAAa,GAAG,CAAC,KAAmB,EAAE,EAAE;gBAC5C,IAAI,KAAK,CAAC,IAAI,EAAE,IAAI,KAAK,oBAAoB,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;oBACnE,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;oBACrD,KAAK,CAAC,KAAK,EAAE,CAAC;oBACd,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAe,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC,CAAC;YAEF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;YAElD,0BAA0B;YAC1B,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC9B,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;gBACrD,KAAK,CAAC,KAAK,EAAE,CAAC;gBACd,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAC;YAC5C,CAAC,EAAE,OAAO,CAAC,CAAC;YAEZ,qCAAqC;YACrC,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,EAAE;gBACnC,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;oBACjB,aAAa,CAAC,WAAW,CAAC,CAAC;oBAC3B,YAAY,CAAC,OAAO,CAAC,CAAC;oBACtB,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;oBACrD,MAAM,CAAC,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC,CAAC;gBAClD,CAAC;YACH,CAAC,EAAE,IAAI,CAAC,CAAC;QACX,CAAC,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/auth/passkey-auth.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Passkey as authentication credential.
+ * Corresponds to SPEC-013 Section 7.3.
+ *
+ * Flow:
+ * - Register: After initial login, create P256 key in device secure enclave
+ * - Login: Prompt biometric, sign challenge, backend verifies, issues session
+ */
+import { ApiClient } from '../transport/api.js';
+import { SessionManager } from './session.js';
+import type { SessionInfo } from '../types.js';
+interface PasskeyCredential {
+    credentialId: string;
+    publicKey: string;
+    displayName: string;
+}
+/**
+ * Passkey authentication client.
+ * Handles WebAuthn credential registration and authentication flows.
+ */
+export declare class PasskeyAuthClient {
+    private readonly api;
+    private readonly session;
+    constructor(api: ApiClient, session: SessionManager);
+    /**
+     * Register a new passkey credential (after initial login via email/OAuth).
+     * Prompts biometric on device, stores P256 public key in backend and optionally on-chain.
+     */
+    registerPasskey(params: {
+        displayName: string;
+    }): Promise<PasskeyCredential>;
+    /**
+     * Login with a registered passkey.
+     * Prompts biometric, signs challenge, backend verifies and issues session JWT.
+     */
+    loginWithPasskey(): Promise<SessionInfo>;
+}
+export {};
+//# sourceMappingURL=passkey-auth.d.ts.map

package/dist/auth/passkey-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"passkey-auth.d.ts","sourceRoot":"","sources":["../../src/auth/passkey-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAW,WAAW,EAAE,MAAM,aAAa,CAAC;AAExD,UAAU,iBAAiB;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,qBAAa,iBAAiB;IAE1B,OAAO,CAAC,QAAQ,CAAC,GAAG;IACpB,OAAO,CAAC,QAAQ,CAAC,OAAO;gBADP,GAAG,EAAE,SAAS,EACd,OAAO,EAAE,cAAc;IAG1C;;;OAGG;IACG,eAAe,CAAC,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,iBAAiB,CAAC;IA6BlF;;;OAGG;IACG,gBAAgB,IAAI,OAAO,CAAC,WAAW,CAAC;CA6B/C"}

package/dist/auth/passkey-auth.js

@@ -0,0 +1,108 @@
+/**
+ * Passkey as authentication credential.
+ * Corresponds to SPEC-013 Section 7.3.
+ *
+ * Flow:
+ * - Register: After initial login, create P256 key in device secure enclave
+ * - Login: Prompt biometric, sign challenge, backend verifies, issues session
+ */
+/**
+ * Passkey authentication client.
+ * Handles WebAuthn credential registration and authentication flows.
+ */
+export class PasskeyAuthClient {
+    api;
+    session;
+    constructor(api, session) {
+        this.api = api;
+        this.session = session;
+    }
+    /**
+     * Register a new passkey credential (after initial login via email/OAuth).
+     * Prompts biometric on device, stores P256 public key in backend and optionally on-chain.
+     */
+    async registerPasskey(params) {
+        // Get creation options from server
+        const options = await this.api.post('/auth/passkey/register/options', { displayName: params.displayName });
+        if (typeof navigator === 'undefined' || !navigator.credentials) {
+            throw new Error('WebAuthn not available in this environment');
+        }
+        // Create credential
+        const credential = (await navigator.credentials.create({
+            publicKey: deserializeCreationOptions(options),
+        }));
+        const response = credential.response;
+        // Send credential to server for verification and storage
+        const result = await this.api.post('/auth/passkey/register', {
+            credentialId: bufferToBase64Url(credential.rawId),
+            attestationObject: bufferToBase64Url(response.attestationObject),
+            clientDataJSON: bufferToBase64Url(response.clientDataJSON),
+            displayName: params.displayName,
+        });
+        return result;
+    }
+    /**
+     * Login with a registered passkey.
+     * Prompts biometric, signs challenge, backend verifies and issues session JWT.
+     */
+    async loginWithPasskey() {
+        // Get authentication options from server
+        const options = await this.api.post('/auth/passkey/authenticate/options', {});
+        if (typeof navigator === 'undefined' || !navigator.credentials) {
+            throw new Error('WebAuthn not available in this environment');
+        }
+        // Get assertion
+        const assertion = (await navigator.credentials.get({
+            publicKey: deserializeRequestOptions(options),
+        }));
+        const response = assertion.response;
+        // Send to server for verification
+        const session = await this.api.post('/auth/passkey/authenticate', {
+            credentialId: bufferToBase64Url(assertion.rawId),
+            authenticatorData: bufferToBase64Url(response.authenticatorData),
+            clientDataJSON: bufferToBase64Url(response.clientDataJSON),
+            signature: bufferToBase64Url(response.signature),
+        });
+        this.session.setSession(session);
+        return session;
+    }
+}
+function bufferToBase64Url(buffer) {
+    const bytes = new Uint8Array(buffer);
+    let binary = '';
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+function deserializeCreationOptions(options) {
+    return {
+        ...options,
+        challenge: base64UrlToBuffer(options.challenge),
+        user: {
+            ...options.user,
+            id: base64UrlToBuffer(options.user.id),
+        },
+    };
+}
+function deserializeRequestOptions(options) {
+    return {
+        ...options,
+        challenge: base64UrlToBuffer(options.challenge),
+        allowCredentials: options.allowCredentials?.map((cred) => ({
+            ...cred,
+            id: base64UrlToBuffer(cred.id),
+        })),
+    };
+}
+function base64UrlToBuffer(base64url) {
+    const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
+    const padding = '='.repeat((4 - (base64.length % 4)) % 4);
+    const binary = atob(base64 + padding);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+}
+//# sourceMappingURL=passkey-auth.js.map

package/dist/auth/passkey-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"passkey-auth.js","sourceRoot":"","sources":["../../src/auth/passkey-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAYH;;;GAGG;AACH,MAAM,OAAO,iBAAiB;IAET;IACA;IAFnB,YACmB,GAAc,EACd,OAAuB;QADvB,QAAG,GAAH,GAAG,CAAW;QACd,YAAO,GAAP,OAAO,CAAgB;IACvC,CAAC;IAEJ;;;OAGG;IACH,KAAK,CAAC,eAAe,CAAC,MAA+B;QACnD,mCAAmC;QACnC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CACjC,gCAAgC,EAChC,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CACpC,CAAC;QAEF,IAAI,OAAO,SAAS,KAAK,WAAW,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YAC/D,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,oBAAoB;QACpB,MAAM,UAAU,GAAG,CAAC,MAAM,SAAS,CAAC,WAAW,CAAC,MAAM,CAAC;YACrD,SAAS,EAAE,0BAA0B,CAAC,OAAO,CAAC;SAC/C,CAAC,CAAwB,CAAC;QAE3B,MAAM,QAAQ,GAAG,UAAU,CAAC,QAA4C,CAAC;QAEzE,yDAAyD;QACzD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAoB,wBAAwB,EAAE;YAC9E,YAAY,EAAE,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC;YACjD,iBAAiB,EAAE,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC;YAChE,cAAc,EAAE,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC;YAC1D,WAAW,EAAE,MAAM,CAAC,WAAW;SAChC,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,gBAAgB;QACpB,yCAAyC;QACzC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CACjC,oCAAoC,EACpC,EAAE,CACH,CAAC;QAEF,IAAI,OAAO,SAAS,KAAK,WAAW,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YAC/D,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,gBAAgB;QAChB,MAAM,SAAS,GAAG,CAAC,MAAM,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC;YACjD,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;SAC9C,CAAC,CAAwB,CAAC;QAE3B,MAAM,QAAQ,GAAG,SAAS,CAAC,QAA0C,CAAC;QAEtE,kCAAkC;QAClC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAc,4BAA4B,EAAE;YAC7E,YAAY,EAAE,iBAAiB,CAAC,SAAS,CAAC,KAAK,CAAC;YAChD,iBAAiB,EAAE,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC;YAChE,cAAc,EAAE,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC;YAC1D,SAAS,EAAE,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC;SACjD,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACjC,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,MAAmB;IAC5C,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACrC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,0BAA0B,CACjC,OAA2C;IAE3C,OAAO;QACL,GAAG,OAAO;QACV,SAAS,EAAE,iBAAiB,CAAC,OAAO,CAAC,SAA8B,CAAC;QACpE,IAAI,EAAE;YACJ,GAAG,OAAO,CAAC,IAAI;YACf,EAAE,EAAE,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,EAAuB,CAAC;SAC5D;KACF,CAAC;AACJ,CAAC;AAED,SAAS,yBAAyB,CAChC,OAA0C;IAE1C,OAAO;QACL,GAAG,OAAO;QACV,SAAS,EAAE,iBAAiB,CAAC,OAAO,CAAC,SAA8B,CAAC;QACpE,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACzD,GAAG,IAAI;YACP,EAAE,EAAE,iBAAiB,CAAC,IAAI,CAAC,EAAuB,CAAC;SACpD,CAAC,CAAC;KACJ,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAiB;IAC1C,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC/D,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC;IACtC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC,MAAM,CAAC;AACtB,CAAC"}

package/dist/auth/session.d.ts

@@ -0,0 +1,30 @@
+/**
+ * JWT session management.
+ * Corresponds to SPEC-013 Section 7.4.
+ */
+import { ApiClient } from '../transport/api.js';
+import type { SessionInfo } from '../types.js';
+/**
+ * Manages authentication sessions (JWT lifecycle).
+ * Sessions are short-lived (1-24h), RS256 signed, and revocable.
+ */
+export declare class SessionManager {
+    private readonly api;
+    private currentSession;
+    constructor(api: ApiClient);
+    /** Get the current session */
+    getSession(): SessionInfo | null;
+    /** Check if the user is authenticated with a valid session */
+    isAuthenticated(): boolean;
+    /** Set the session (called internally by auth flows) */
+    setSession(session: SessionInfo): void;
+    /** Refresh the current session */
+    refreshSession(): Promise<SessionInfo>;
+    /** Get session info from the server */
+    getServerSession(): Promise<SessionInfo>;
+    /** Logout and revoke the current session */
+    logout(): Promise<void>;
+    /** Clear the local session without server-side revocation */
+    clearLocal(): void;
+}
+//# sourceMappingURL=session.d.ts.map

package/dist/auth/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE/C;;;GAGG;AACH,qBAAa,cAAc;IAGb,OAAO,CAAC,QAAQ,CAAC,GAAG;IAFhC,OAAO,CAAC,cAAc,CAA4B;gBAErB,GAAG,EAAE,SAAS;IAE3C,8BAA8B;IAC9B,UAAU,IAAI,WAAW,GAAG,IAAI;IAOhC,8DAA8D;IAC9D,eAAe,IAAI,OAAO;IAI1B,wDAAwD;IACxD,UAAU,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAKtC,kCAAkC;IAC5B,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC;IAa5C,uCAAuC;IACjC,gBAAgB,IAAI,OAAO,CAAC,WAAW,CAAC;IAI9C,4CAA4C;IACtC,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ7B,6DAA6D;IAC7D,UAAU,IAAI,IAAI;CAInB"}