@atxp/client 0.2.21 → 0.3.0

package/dist/node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js

@@ -0,0 +1,398 @@
+import pkceChallenge from '../../../../../pkce-challenge/dist/index.browser.js';
+import { LATEST_PROTOCOL_VERSION } from '../types.js';
+import { OAuthProtectedResourceMetadataSchema, OAuthMetadataSchema, OAuthClientInformationFullSchema, OAuthTokensSchema } from '../shared/auth.js';
+import { resourceUrlFromServerUrl, checkResourceAllowed } from '../shared/auth-utils.js';
+
+class UnauthorizedError extends Error {
+    constructor(message) {
+        super(message !== null && message !== void 0 ? message : "Unauthorized");
+    }
+}
+/**
+ * Orchestrates the full auth flow with a server.
+ *
+ * This can be used as a single entry point for all authorization functionality,
+ * instead of linking together the other lower-level functions in this module.
+ */
+async function auth(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl }) {
+    let resourceMetadata;
+    let authorizationServerUrl = serverUrl;
+    try {
+        resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl });
+        if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
+            authorizationServerUrl = resourceMetadata.authorization_servers[0];
+        }
+    }
+    catch (_a) {
+        // Ignore errors and fall back to /.well-known/oauth-authorization-server
+    }
+    const resource = await selectResourceURL(serverUrl, provider, resourceMetadata);
+    const metadata = await discoverOAuthMetadata(authorizationServerUrl);
+    // Handle client registration if needed
+    let clientInformation = await Promise.resolve(provider.clientInformation());
+    if (!clientInformation) {
+        if (authorizationCode !== undefined) {
+            throw new Error("Existing OAuth client information is required when exchanging an authorization code");
+        }
+        if (!provider.saveClientInformation) {
+            throw new Error("OAuth client information must be saveable for dynamic registration");
+        }
+        const fullInformation = await registerClient(authorizationServerUrl, {
+            metadata,
+            clientMetadata: provider.clientMetadata,
+        });
+        await provider.saveClientInformation(fullInformation);
+        clientInformation = fullInformation;
+    }
+    // Exchange authorization code for tokens
+    if (authorizationCode !== undefined) {
+        const codeVerifier = await provider.codeVerifier();
+        const tokens = await exchangeAuthorization(authorizationServerUrl, {
+            metadata,
+            clientInformation,
+            authorizationCode,
+            codeVerifier,
+            redirectUri: provider.redirectUrl,
+            resource,
+        });
+        await provider.saveTokens(tokens);
+        return "AUTHORIZED";
+    }
+    const tokens = await provider.tokens();
+    // Handle token refresh or new authorization
+    if (tokens === null || tokens === void 0 ? void 0 : tokens.refresh_token) {
+        try {
+            // Attempt to refresh the token
+            const newTokens = await refreshAuthorization(authorizationServerUrl, {
+                metadata,
+                clientInformation,
+                refreshToken: tokens.refresh_token,
+                resource,
+            });
+            await provider.saveTokens(newTokens);
+            return "AUTHORIZED";
+        }
+        catch (_b) {
+            // Could not refresh OAuth tokens
+        }
+    }
+    const state = provider.state ? await provider.state() : undefined;
+    // Start new authorization flow
+    const { authorizationUrl, codeVerifier } = await startAuthorization(authorizationServerUrl, {
+        metadata,
+        clientInformation,
+        state,
+        redirectUrl: provider.redirectUrl,
+        scope: scope || provider.clientMetadata.scope,
+        resource,
+    });
+    await provider.saveCodeVerifier(codeVerifier);
+    await provider.redirectToAuthorization(authorizationUrl);
+    return "REDIRECT";
+}
+async function selectResourceURL(serverUrl, provider, resourceMetadata) {
+    const defaultResource = resourceUrlFromServerUrl(serverUrl);
+    // If provider has custom validation, delegate to it
+    if (provider.validateResourceURL) {
+        return await provider.validateResourceURL(defaultResource, resourceMetadata === null || resourceMetadata === void 0 ? void 0 : resourceMetadata.resource);
+    }
+    // Only include resource parameter when Protected Resource Metadata is present
+    if (!resourceMetadata) {
+        return undefined;
+    }
+    // Validate that the metadata's resource is compatible with our request
+    if (!checkResourceAllowed({ requestedResource: defaultResource, configuredResource: resourceMetadata.resource })) {
+        throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${defaultResource} (or origin)`);
+    }
+    // Prefer the resource from metadata since it's what the server is telling us to request
+    return new URL(resourceMetadata.resource);
+}
+/**
+ * Extract resource_metadata from response header.
+ */
+function extractResourceMetadataUrl(res) {
+    const authenticateHeader = res.headers.get("WWW-Authenticate");
+    if (!authenticateHeader) {
+        return undefined;
+    }
+    const [type, scheme] = authenticateHeader.split(' ');
+    if (type.toLowerCase() !== 'bearer' || !scheme) {
+        return undefined;
+    }
+    const regex = /resource_metadata="([^"]*)"/;
+    const match = regex.exec(authenticateHeader);
+    if (!match) {
+        return undefined;
+    }
+    try {
+        return new URL(match[1]);
+    }
+    catch (_a) {
+        return undefined;
+    }
+}
+/**
+ * Looks up RFC 9728 OAuth 2.0 Protected Resource Metadata.
+ *
+ * If the server returns a 404 for the well-known endpoint, this function will
+ * return `undefined`. Any other errors will be thrown as exceptions.
+ */
+async function discoverOAuthProtectedResourceMetadata(serverUrl, opts) {
+    var _a;
+    let url;
+    if (opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl) {
+        url = new URL(opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl);
+    }
+    else {
+        url = new URL("/.well-known/oauth-protected-resource", serverUrl);
+    }
+    let response;
+    try {
+        response = await fetch(url, {
+            headers: {
+                "MCP-Protocol-Version": (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION
+            }
+        });
+    }
+    catch (error) {
+        // CORS errors come back as TypeError
+        if (error instanceof TypeError) {
+            response = await fetch(url);
+        }
+        else {
+            throw error;
+        }
+    }
+    if (response.status === 404) {
+        throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);
+    }
+    if (!response.ok) {
+        throw new Error(`HTTP ${response.status} trying to load well-known OAuth protected resource metadata.`);
+    }
+    return OAuthProtectedResourceMetadataSchema.parse(await response.json());
+}
+/**
+ * Helper function to handle fetch with CORS retry logic
+ */
+async function fetchWithCorsRetry(url, headers) {
+    try {
+        return await fetch(url, { headers });
+    }
+    catch (error) {
+        if (error instanceof TypeError) {
+            if (headers) {
+                // CORS errors come back as TypeError, retry without headers
+                return fetchWithCorsRetry(url);
+            }
+            else {
+                // We're getting CORS errors on retry too, return undefined
+                return undefined;
+            }
+        }
+        throw error;
+    }
+}
+/**
+ * Constructs the well-known path for OAuth metadata discovery
+ */
+function buildWellKnownPath(pathname) {
+    let wellKnownPath = `/.well-known/oauth-authorization-server${pathname}`;
+    if (pathname.endsWith('/')) {
+        // Strip trailing slash from pathname to avoid double slashes
+        wellKnownPath = wellKnownPath.slice(0, -1);
+    }
+    return wellKnownPath;
+}
+/**
+ * Tries to discover OAuth metadata at a specific URL
+ */
+async function tryMetadataDiscovery(url, protocolVersion) {
+    const headers = {
+        "MCP-Protocol-Version": protocolVersion
+    };
+    return await fetchWithCorsRetry(url, headers);
+}
+/**
+ * Determines if fallback to root discovery should be attempted
+ */
+function shouldAttemptFallback(response, pathname) {
+    return !response || response.status === 404 && pathname !== '/';
+}
+/**
+ * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.
+ *
+ * If the server returns a 404 for the well-known endpoint, this function will
+ * return `undefined`. Any other errors will be thrown as exceptions.
+ */
+async function discoverOAuthMetadata(authorizationServerUrl, opts) {
+    var _a;
+    const issuer = new URL(authorizationServerUrl);
+    const protocolVersion = (_a = void 0 ) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION;
+    // Try path-aware discovery first (RFC 8414 compliant)
+    const wellKnownPath = buildWellKnownPath(issuer.pathname);
+    const pathAwareUrl = new URL(wellKnownPath, issuer);
+    let response = await tryMetadataDiscovery(pathAwareUrl, protocolVersion);
+    // If path-aware discovery fails with 404, try fallback to root discovery
+    if (shouldAttemptFallback(response, issuer.pathname)) {
+        const rootUrl = new URL("/.well-known/oauth-authorization-server", issuer);
+        response = await tryMetadataDiscovery(rootUrl, protocolVersion);
+    }
+    if (!response || response.status === 404) {
+        return undefined;
+    }
+    if (!response.ok) {
+        throw new Error(`HTTP ${response.status} trying to load well-known OAuth metadata`);
+    }
+    return OAuthMetadataSchema.parse(await response.json());
+}
+/**
+ * Begins the authorization flow with the given server, by generating a PKCE challenge and constructing the authorization URL.
+ */
+async function startAuthorization(authorizationServerUrl, { metadata, clientInformation, redirectUrl, scope, state, resource, }) {
+    const responseType = "code";
+    const codeChallengeMethod = "S256";
+    let authorizationUrl;
+    if (metadata) {
+        authorizationUrl = new URL(metadata.authorization_endpoint);
+        if (!metadata.response_types_supported.includes(responseType)) {
+            throw new Error(`Incompatible auth server: does not support response type ${responseType}`);
+        }
+        if (!metadata.code_challenge_methods_supported ||
+            !metadata.code_challenge_methods_supported.includes(codeChallengeMethod)) {
+            throw new Error(`Incompatible auth server: does not support code challenge method ${codeChallengeMethod}`);
+        }
+    }
+    else {
+        authorizationUrl = new URL("/authorize", authorizationServerUrl);
+    }
+    // Generate PKCE challenge
+    const challenge = await pkceChallenge();
+    const codeVerifier = challenge.code_verifier;
+    const codeChallenge = challenge.code_challenge;
+    authorizationUrl.searchParams.set("response_type", responseType);
+    authorizationUrl.searchParams.set("client_id", clientInformation.client_id);
+    authorizationUrl.searchParams.set("code_challenge", codeChallenge);
+    authorizationUrl.searchParams.set("code_challenge_method", codeChallengeMethod);
+    authorizationUrl.searchParams.set("redirect_uri", String(redirectUrl));
+    if (state) {
+        authorizationUrl.searchParams.set("state", state);
+    }
+    if (scope) {
+        authorizationUrl.searchParams.set("scope", scope);
+    }
+    if (resource) {
+        authorizationUrl.searchParams.set("resource", resource.href);
+    }
+    return { authorizationUrl, codeVerifier };
+}
+/**
+ * Exchanges an authorization code for an access token with the given server.
+ */
+async function exchangeAuthorization(authorizationServerUrl, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource, }) {
+    const grantType = "authorization_code";
+    let tokenUrl;
+    if (metadata) {
+        tokenUrl = new URL(metadata.token_endpoint);
+        if (metadata.grant_types_supported &&
+            !metadata.grant_types_supported.includes(grantType)) {
+            throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
+        }
+    }
+    else {
+        tokenUrl = new URL("/token", authorizationServerUrl);
+    }
+    // Exchange code for tokens
+    const params = new URLSearchParams({
+        grant_type: grantType,
+        client_id: clientInformation.client_id,
+        code: authorizationCode,
+        code_verifier: codeVerifier,
+        redirect_uri: String(redirectUri),
+    });
+    if (clientInformation.client_secret) {
+        params.set("client_secret", clientInformation.client_secret);
+    }
+    if (resource) {
+        params.set("resource", resource.href);
+    }
+    const response = await fetch(tokenUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: params,
+    });
+    if (!response.ok) {
+        throw new Error(`Token exchange failed: HTTP ${response.status}`);
+    }
+    return OAuthTokensSchema.parse(await response.json());
+}
+/**
+ * Exchange a refresh token for an updated access token.
+ */
+async function refreshAuthorization(authorizationServerUrl, { metadata, clientInformation, refreshToken, resource, }) {
+    const grantType = "refresh_token";
+    let tokenUrl;
+    if (metadata) {
+        tokenUrl = new URL(metadata.token_endpoint);
+        if (metadata.grant_types_supported &&
+            !metadata.grant_types_supported.includes(grantType)) {
+            throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
+        }
+    }
+    else {
+        tokenUrl = new URL("/token", authorizationServerUrl);
+    }
+    // Exchange refresh token
+    const params = new URLSearchParams({
+        grant_type: grantType,
+        client_id: clientInformation.client_id,
+        refresh_token: refreshToken,
+    });
+    if (clientInformation.client_secret) {
+        params.set("client_secret", clientInformation.client_secret);
+    }
+    if (resource) {
+        params.set("resource", resource.href);
+    }
+    const response = await fetch(tokenUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: params,
+    });
+    if (!response.ok) {
+        throw new Error(`Token refresh failed: HTTP ${response.status}`);
+    }
+    return OAuthTokensSchema.parse({ refresh_token: refreshToken, ...(await response.json()) });
+}
+/**
+ * Performs OAuth 2.0 Dynamic Client Registration according to RFC 7591.
+ */
+async function registerClient(authorizationServerUrl, { metadata, clientMetadata, }) {
+    let registrationUrl;
+    if (metadata) {
+        if (!metadata.registration_endpoint) {
+            throw new Error("Incompatible auth server: does not support dynamic client registration");
+        }
+        registrationUrl = new URL(metadata.registration_endpoint);
+    }
+    else {
+        registrationUrl = new URL("/register", authorizationServerUrl);
+    }
+    const response = await fetch(registrationUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify(clientMetadata),
+    });
+    if (!response.ok) {
+        throw new Error(`Dynamic client registration failed: HTTP ${response.status}`);
+    }
+    return OAuthClientInformationFullSchema.parse(await response.json());
+}
+
+export { UnauthorizedError, auth, discoverOAuthMetadata, discoverOAuthProtectedResourceMetadata, exchangeAuthorization, extractResourceMetadataUrl, refreshAuthorization, registerClient, selectResourceURL, startAuthorization };
+//# sourceMappingURL=auth.js.map

package/dist/node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sources":["../../../../../../../../../node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js"],"sourcesContent":["import pkceChallenge from \"pkce-challenge\";\nimport { LATEST_PROTOCOL_VERSION } from \"../types.js\";\nimport { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthProtectedResourceMetadataSchema, OAuthTokensSchema } from \"../shared/auth.js\";\nimport { checkResourceAllowed, resourceUrlFromServerUrl } from \"../shared/auth-utils.js\";\nexport class UnauthorizedError extends Error {\n    constructor(message) {\n        super(message !== null && message !== void 0 ? message : \"Unauthorized\");\n    }\n}\n/**\n * Orchestrates the full auth flow with a server.\n *\n * This can be used as a single entry point for all authorization functionality,\n * instead of linking together the other lower-level functions in this module.\n */\nexport async function auth(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl }) {\n    let resourceMetadata;\n    let authorizationServerUrl = serverUrl;\n    try {\n        resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl });\n        if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {\n            authorizationServerUrl = resourceMetadata.authorization_servers[0];\n        }\n    }\n    catch (_a) {\n        // Ignore errors and fall back to /.well-known/oauth-authorization-server\n    }\n    const resource = await selectResourceURL(serverUrl, provider, resourceMetadata);\n    const metadata = await discoverOAuthMetadata(authorizationServerUrl);\n    // Handle client registration if needed\n    let clientInformation = await Promise.resolve(provider.clientInformation());\n    if (!clientInformation) {\n        if (authorizationCode !== undefined) {\n            throw new Error(\"Existing OAuth client information is required when exchanging an authorization code\");\n        }\n        if (!provider.saveClientInformation) {\n            throw new Error(\"OAuth client information must be saveable for dynamic registration\");\n        }\n        const fullInformation = await registerClient(authorizationServerUrl, {\n            metadata,\n            clientMetadata: provider.clientMetadata,\n        });\n        await provider.saveClientInformation(fullInformation);\n        clientInformation = fullInformation;\n    }\n    // Exchange authorization code for tokens\n    if (authorizationCode !== undefined) {\n        const codeVerifier = await provider.codeVerifier();\n        const tokens = await exchangeAuthorization(authorizationServerUrl, {\n            metadata,\n            clientInformation,\n            authorizationCode,\n            codeVerifier,\n            redirectUri: provider.redirectUrl,\n            resource,\n        });\n        await provider.saveTokens(tokens);\n        return \"AUTHORIZED\";\n    }\n    const tokens = await provider.tokens();\n    // Handle token refresh or new authorization\n    if (tokens === null || tokens === void 0 ? void 0 : tokens.refresh_token) {\n        try {\n            // Attempt to refresh the token\n            const newTokens = await refreshAuthorization(authorizationServerUrl, {\n                metadata,\n                clientInformation,\n                refreshToken: tokens.refresh_token,\n                resource,\n            });\n            await provider.saveTokens(newTokens);\n            return \"AUTHORIZED\";\n        }\n        catch (_b) {\n            // Could not refresh OAuth tokens\n        }\n    }\n    const state = provider.state ? await provider.state() : undefined;\n    // Start new authorization flow\n    const { authorizationUrl, codeVerifier } = await startAuthorization(authorizationServerUrl, {\n        metadata,\n        clientInformation,\n        state,\n        redirectUrl: provider.redirectUrl,\n        scope: scope || provider.clientMetadata.scope,\n        resource,\n    });\n    await provider.saveCodeVerifier(codeVerifier);\n    await provider.redirectToAuthorization(authorizationUrl);\n    return \"REDIRECT\";\n}\nexport async function selectResourceURL(serverUrl, provider, resourceMetadata) {\n    const defaultResource = resourceUrlFromServerUrl(serverUrl);\n    // If provider has custom validation, delegate to it\n    if (provider.validateResourceURL) {\n        return await provider.validateResourceURL(defaultResource, resourceMetadata === null || resourceMetadata === void 0 ? void 0 : resourceMetadata.resource);\n    }\n    // Only include resource parameter when Protected Resource Metadata is present\n    if (!resourceMetadata) {\n        return undefined;\n    }\n    // Validate that the metadata's resource is compatible with our request\n    if (!checkResourceAllowed({ requestedResource: defaultResource, configuredResource: resourceMetadata.resource })) {\n        throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${defaultResource} (or origin)`);\n    }\n    // Prefer the resource from metadata since it's what the server is telling us to request\n    return new URL(resourceMetadata.resource);\n}\n/**\n * Extract resource_metadata from response header.\n */\nexport function extractResourceMetadataUrl(res) {\n    const authenticateHeader = res.headers.get(\"WWW-Authenticate\");\n    if (!authenticateHeader) {\n        return undefined;\n    }\n    const [type, scheme] = authenticateHeader.split(' ');\n    if (type.toLowerCase() !== 'bearer' || !scheme) {\n        return undefined;\n    }\n    const regex = /resource_metadata=\"([^\"]*)\"/;\n    const match = regex.exec(authenticateHeader);\n    if (!match) {\n        return undefined;\n    }\n    try {\n        return new URL(match[1]);\n    }\n    catch (_a) {\n        return undefined;\n    }\n}\n/**\n * Looks up RFC 9728 OAuth 2.0 Protected Resource Metadata.\n *\n * If the server returns a 404 for the well-known endpoint, this function will\n * return `undefined`. Any other errors will be thrown as exceptions.\n */\nexport async function discoverOAuthProtectedResourceMetadata(serverUrl, opts) {\n    var _a;\n    let url;\n    if (opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl) {\n        url = new URL(opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl);\n    }\n    else {\n        url = new URL(\"/.well-known/oauth-protected-resource\", serverUrl);\n    }\n    let response;\n    try {\n        response = await fetch(url, {\n            headers: {\n                \"MCP-Protocol-Version\": (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION\n            }\n        });\n    }\n    catch (error) {\n        // CORS errors come back as TypeError\n        if (error instanceof TypeError) {\n            response = await fetch(url);\n        }\n        else {\n            throw error;\n        }\n    }\n    if (response.status === 404) {\n        throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);\n    }\n    if (!response.ok) {\n        throw new Error(`HTTP ${response.status} trying to load well-known OAuth protected resource metadata.`);\n    }\n    return OAuthProtectedResourceMetadataSchema.parse(await response.json());\n}\n/**\n * Helper function to handle fetch with CORS retry logic\n */\nasync function fetchWithCorsRetry(url, headers) {\n    try {\n        return await fetch(url, { headers });\n    }\n    catch (error) {\n        if (error instanceof TypeError) {\n            if (headers) {\n                // CORS errors come back as TypeError, retry without headers\n                return fetchWithCorsRetry(url);\n            }\n            else {\n                // We're getting CORS errors on retry too, return undefined\n                return undefined;\n            }\n        }\n        throw error;\n    }\n}\n/**\n * Constructs the well-known path for OAuth metadata discovery\n */\nfunction buildWellKnownPath(pathname) {\n    let wellKnownPath = `/.well-known/oauth-authorization-server${pathname}`;\n    if (pathname.endsWith('/')) {\n        // Strip trailing slash from pathname to avoid double slashes\n        wellKnownPath = wellKnownPath.slice(0, -1);\n    }\n    return wellKnownPath;\n}\n/**\n * Tries to discover OAuth metadata at a specific URL\n */\nasync function tryMetadataDiscovery(url, protocolVersion) {\n    const headers = {\n        \"MCP-Protocol-Version\": protocolVersion\n    };\n    return await fetchWithCorsRetry(url, headers);\n}\n/**\n * Determines if fallback to root discovery should be attempted\n */\nfunction shouldAttemptFallback(response, pathname) {\n    return !response || response.status === 404 && pathname !== '/';\n}\n/**\n * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.\n *\n * If the server returns a 404 for the well-known endpoint, this function will\n * return `undefined`. Any other errors will be thrown as exceptions.\n */\nexport async function discoverOAuthMetadata(authorizationServerUrl, opts) {\n    var _a;\n    const issuer = new URL(authorizationServerUrl);\n    const protocolVersion = (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION;\n    // Try path-aware discovery first (RFC 8414 compliant)\n    const wellKnownPath = buildWellKnownPath(issuer.pathname);\n    const pathAwareUrl = new URL(wellKnownPath, issuer);\n    let response = await tryMetadataDiscovery(pathAwareUrl, protocolVersion);\n    // If path-aware discovery fails with 404, try fallback to root discovery\n    if (shouldAttemptFallback(response, issuer.pathname)) {\n        const rootUrl = new URL(\"/.well-known/oauth-authorization-server\", issuer);\n        response = await tryMetadataDiscovery(rootUrl, protocolVersion);\n    }\n    if (!response || response.status === 404) {\n        return undefined;\n    }\n    if (!response.ok) {\n        throw new Error(`HTTP ${response.status} trying to load well-known OAuth metadata`);\n    }\n    return OAuthMetadataSchema.parse(await response.json());\n}\n/**\n * Begins the authorization flow with the given server, by generating a PKCE challenge and constructing the authorization URL.\n */\nexport async function startAuthorization(authorizationServerUrl, { metadata, clientInformation, redirectUrl, scope, state, resource, }) {\n    const responseType = \"code\";\n    const codeChallengeMethod = \"S256\";\n    let authorizationUrl;\n    if (metadata) {\n        authorizationUrl = new URL(metadata.authorization_endpoint);\n        if (!metadata.response_types_supported.includes(responseType)) {\n            throw new Error(`Incompatible auth server: does not support response type ${responseType}`);\n        }\n        if (!metadata.code_challenge_methods_supported ||\n            !metadata.code_challenge_methods_supported.includes(codeChallengeMethod)) {\n            throw new Error(`Incompatible auth server: does not support code challenge method ${codeChallengeMethod}`);\n        }\n    }\n    else {\n        authorizationUrl = new URL(\"/authorize\", authorizationServerUrl);\n    }\n    // Generate PKCE challenge\n    const challenge = await pkceChallenge();\n    const codeVerifier = challenge.code_verifier;\n    const codeChallenge = challenge.code_challenge;\n    authorizationUrl.searchParams.set(\"response_type\", responseType);\n    authorizationUrl.searchParams.set(\"client_id\", clientInformation.client_id);\n    authorizationUrl.searchParams.set(\"code_challenge\", codeChallenge);\n    authorizationUrl.searchParams.set(\"code_challenge_method\", codeChallengeMethod);\n    authorizationUrl.searchParams.set(\"redirect_uri\", String(redirectUrl));\n    if (state) {\n        authorizationUrl.searchParams.set(\"state\", state);\n    }\n    if (scope) {\n        authorizationUrl.searchParams.set(\"scope\", scope);\n    }\n    if (resource) {\n        authorizationUrl.searchParams.set(\"resource\", resource.href);\n    }\n    return { authorizationUrl, codeVerifier };\n}\n/**\n * Exchanges an authorization code for an access token with the given server.\n */\nexport async function exchangeAuthorization(authorizationServerUrl, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource, }) {\n    const grantType = \"authorization_code\";\n    let tokenUrl;\n    if (metadata) {\n        tokenUrl = new URL(metadata.token_endpoint);\n        if (metadata.grant_types_supported &&\n            !metadata.grant_types_supported.includes(grantType)) {\n            throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);\n        }\n    }\n    else {\n        tokenUrl = new URL(\"/token\", authorizationServerUrl);\n    }\n    // Exchange code for tokens\n    const params = new URLSearchParams({\n        grant_type: grantType,\n        client_id: clientInformation.client_id,\n        code: authorizationCode,\n        code_verifier: codeVerifier,\n        redirect_uri: String(redirectUri),\n    });\n    if (clientInformation.client_secret) {\n        params.set(\"client_secret\", clientInformation.client_secret);\n    }\n    if (resource) {\n        params.set(\"resource\", resource.href);\n    }\n    const response = await fetch(tokenUrl, {\n        method: \"POST\",\n        headers: {\n            \"Content-Type\": \"application/x-www-form-urlencoded\",\n        },\n        body: params,\n    });\n    if (!response.ok) {\n        throw new Error(`Token exchange failed: HTTP ${response.status}`);\n    }\n    return OAuthTokensSchema.parse(await response.json());\n}\n/**\n * Exchange a refresh token for an updated access token.\n */\nexport async function refreshAuthorization(authorizationServerUrl, { metadata, clientInformation, refreshToken, resource, }) {\n    const grantType = \"refresh_token\";\n    let tokenUrl;\n    if (metadata) {\n        tokenUrl = new URL(metadata.token_endpoint);\n        if (metadata.grant_types_supported &&\n            !metadata.grant_types_supported.includes(grantType)) {\n            throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);\n        }\n    }\n    else {\n        tokenUrl = new URL(\"/token\", authorizationServerUrl);\n    }\n    // Exchange refresh token\n    const params = new URLSearchParams({\n        grant_type: grantType,\n        client_id: clientInformation.client_id,\n        refresh_token: refreshToken,\n    });\n    if (clientInformation.client_secret) {\n        params.set(\"client_secret\", clientInformation.client_secret);\n    }\n    if (resource) {\n        params.set(\"resource\", resource.href);\n    }\n    const response = await fetch(tokenUrl, {\n        method: \"POST\",\n        headers: {\n            \"Content-Type\": \"application/x-www-form-urlencoded\",\n        },\n        body: params,\n    });\n    if (!response.ok) {\n        throw new Error(`Token refresh failed: HTTP ${response.status}`);\n    }\n    return OAuthTokensSchema.parse({ refresh_token: refreshToken, ...(await response.json()) });\n}\n/**\n * Performs OAuth 2.0 Dynamic Client Registration according to RFC 7591.\n */\nexport async function registerClient(authorizationServerUrl, { metadata, clientMetadata, }) {\n    let registrationUrl;\n    if (metadata) {\n        if (!metadata.registration_endpoint) {\n            throw new Error(\"Incompatible auth server: does not support dynamic client registration\");\n        }\n        registrationUrl = new URL(metadata.registration_endpoint);\n    }\n    else {\n        registrationUrl = new URL(\"/register\", authorizationServerUrl);\n    }\n    const response = await fetch(registrationUrl, {\n        method: \"POST\",\n        headers: {\n            \"Content-Type\": \"application/json\",\n        },\n        body: JSON.stringify(clientMetadata),\n    });\n    if (!response.ok) {\n        throw new Error(`Dynamic client registration failed: HTTP ${response.status}`);\n    }\n    return OAuthClientInformationFullSchema.parse(await response.json());\n}\n//# sourceMappingURL=auth.js.map"],"names":[],"mappings":";;;;;AAIO,MAAM,iBAAiB,SAAS,KAAK,CAAC;AAC7C,IAAI,WAAW,CAAC,OAAO,EAAE;AACzB,QAAQ,KAAK,CAAC,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,MAAM,GAAG,OAAO,GAAG,cAAc,CAAC;AAChF,IAAI;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,iBAAiB,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE;AACnG,IAAI,IAAI,gBAAgB;AACxB,IAAI,IAAI,sBAAsB,GAAG,SAAS;AAC1C,IAAI,IAAI;AACR,QAAQ,gBAAgB,GAAG,MAAM,sCAAsC,CAAC,SAAS,EAAE,EAAE,mBAAmB,EAAE,CAAC;AAC3G,QAAQ,IAAI,gBAAgB,CAAC,qBAAqB,IAAI,gBAAgB,CAAC,qBAAqB,CAAC,MAAM,GAAG,CAAC,EAAE;AACzG,YAAY,sBAAsB,GAAG,gBAAgB,CAAC,qBAAqB,CAAC,CAAC,CAAC;AAC9E,QAAQ;AACR,IAAI;AACJ,IAAI,OAAO,EAAE,EAAE;AACf;AACA,IAAI;AACJ,IAAI,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,gBAAgB,CAAC;AACnF,IAAI,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,sBAAsB,CAAC;AACxE;AACA,IAAI,IAAI,iBAAiB,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,EAAE,CAAC;AAC/E,IAAI,IAAI,CAAC,iBAAiB,EAAE;AAC5B,QAAQ,IAAI,iBAAiB,KAAK,SAAS,EAAE;AAC7C,YAAY,MAAM,IAAI,KAAK,CAAC,qFAAqF,CAAC;AAClH,QAAQ;AACR,QAAQ,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE;AAC7C,YAAY,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC;AACjG,QAAQ;AACR,QAAQ,MAAM,eAAe,GAAG,MAAM,cAAc,CAAC,sBAAsB,EAAE;AAC7E,YAAY,QAAQ;AACpB,YAAY,cAAc,EAAE,QAAQ,CAAC,cAAc;AACnD,SAAS,CAAC;AACV,QAAQ,MAAM,QAAQ,CAAC,qBAAqB,CAAC,eAAe,CAAC;AAC7D,QAAQ,iBAAiB,GAAG,eAAe;AAC3C,IAAI;AACJ;AACA,IAAI,IAAI,iBAAiB,KAAK,SAAS,EAAE;AACzC,QAAQ,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE;AAC1D,QAAQ,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,sBAAsB,EAAE;AAC3E,YAAY,QAAQ;AACpB,YAAY,iBAAiB;AAC7B,YAAY,iBAAiB;AAC7B,YAAY,YAAY;AACxB,YAAY,WAAW,EAAE,QAAQ,CAAC,WAAW;AAC7C,YAAY,QAAQ;AACpB,SAAS,CAAC;AACV,QAAQ,MAAM,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;AACzC,QAAQ,OAAO,YAAY;AAC3B,IAAI;AACJ,IAAI,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE;AAC1C;AACA,IAAI,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC,aAAa,EAAE;AAC9E,QAAQ,IAAI;AACZ;AACA,YAAY,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,sBAAsB,EAAE;AACjF,gBAAgB,QAAQ;AACxB,gBAAgB,iBAAiB;AACjC,gBAAgB,YAAY,EAAE,MAAM,CAAC,aAAa;AAClD,gBAAgB,QAAQ;AACxB,aAAa,CAAC;AACd,YAAY,MAAM,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC;AAChD,YAAY,OAAO,YAAY;AAC/B,QAAQ;AACR,QAAQ,OAAO,EAAE,EAAE;AACnB;AACA,QAAQ;AACR,IAAI;AACJ,IAAI,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,GAAG,MAAM,QAAQ,CAAC,KAAK,EAAE,GAAG,SAAS;AACrE;AACA,IAAI,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAkB,CAAC,sBAAsB,EAAE;AAChG,QAAQ,QAAQ;AAChB,QAAQ,iBAAiB;AACzB,QAAQ,KAAK;AACb,QAAQ,WAAW,EAAE,QAAQ,CAAC,WAAW;AACzC,QAAQ,KAAK,EAAE,KAAK,IAAI,QAAQ,CAAC,cAAc,CAAC,KAAK;AACrD,QAAQ,QAAQ;AAChB,KAAK,CAAC;AACN,IAAI,MAAM,QAAQ,CAAC,gBAAgB,CAAC,YAAY,CAAC;AACjD,IAAI,MAAM,QAAQ,CAAC,uBAAuB,CAAC,gBAAgB,CAAC;AAC5D,IAAI,OAAO,UAAU;AACrB;AACO,eAAe,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,gBAAgB,EAAE;AAC/E,IAAI,MAAM,eAAe,GAAG,wBAAwB,CAAC,SAAS,CAAC;AAC/D;AACA,IAAI,IAAI,QAAQ,CAAC,mBAAmB,EAAE;AACtC,QAAQ,OAAO,MAAM,QAAQ,CAAC,mBAAmB,CAAC,eAAe,EAAE,gBAAgB,KAAK,IAAI,IAAI,gBAAgB,KAAK,MAAM,GAAG,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC;AACjK,IAAI;AACJ;AACA,IAAI,IAAI,CAAC,gBAAgB,EAAE;AAC3B,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ;AACA,IAAI,IAAI,CAAC,oBAAoB,CAAC,EAAE,iBAAiB,EAAE,eAAe,EAAE,kBAAkB,EAAE,gBAAgB,CAAC,QAAQ,EAAE,CAAC,EAAE;AACtH,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,mBAAmB,EAAE,gBAAgB,CAAC,QAAQ,CAAC,yBAAyB,EAAE,eAAe,CAAC,YAAY,CAAC,CAAC;AACjI,IAAI;AACJ;AACA,IAAI,OAAO,IAAI,GAAG,CAAC,gBAAgB,CAAC,QAAQ,CAAC;AAC7C;AACA;AACA;AACA;AACO,SAAS,0BAA0B,CAAC,GAAG,EAAE;AAChD,IAAI,MAAM,kBAAkB,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;AAClE,IAAI,IAAI,CAAC,kBAAkB,EAAE;AAC7B,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ,IAAI,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,GAAG,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC;AACxD,IAAI,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,QAAQ,IAAI,CAAC,MAAM,EAAE;AACpD,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ,IAAI,MAAM,KAAK,GAAG,6BAA6B;AAC/C,IAAI,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC;AAChD,IAAI,IAAI,CAAC,KAAK,EAAE;AAChB,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ,IAAI,IAAI;AACR,QAAQ,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAChC,IAAI;AACJ,IAAI,OAAO,EAAE,EAAE;AACf,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,sCAAsC,CAAC,SAAS,EAAE,IAAI,EAAE;AAC9E,IAAI,IAAI,EAAE;AACV,IAAI,IAAI,GAAG;AACX,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,mBAAmB,EAAE;AAC9E,QAAQ,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,mBAAmB,CAAC;AAC3F,IAAI;AACJ,SAAS;AACT,QAAQ,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,SAAS,CAAC;AACzE,IAAI;AACJ,IAAI,IAAI,QAAQ;AAChB,IAAI,IAAI;AACR,QAAQ,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;AACpC,YAAY,OAAO,EAAE;AACrB,gBAAgB,sBAAsB,EAAE,CAAC,EAAE,GAAG,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,KAAK,CAAC,GAAG,KAAK,CAAC,GAAG,IAAI,CAAC,eAAe,MAAM,IAAI,IAAI,EAAE,KAAK,KAAK,CAAC,GAAG,EAAE,GAAG;AACjJ;AACA,SAAS,CAAC;AACV,IAAI;AACJ,IAAI,OAAO,KAAK,EAAE;AAClB;AACA,QAAQ,IAAI,KAAK,YAAY,SAAS,EAAE;AACxC,YAAY,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC;AACvC,QAAQ;AACR,aAAa;AACb,YAAY,MAAM,KAAK;AACvB,QAAQ;AACR,IAAI;AACJ,IAAI,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;AACjC,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,yEAAyE,CAAC,CAAC;AACpG,IAAI;AACJ,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,6DAA6D,CAAC,CAAC;AAC/G,IAAI;AACJ,IAAI,OAAO,oCAAoC,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AAC5E;AACA;AACA;AACA;AACA,eAAe,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE;AAChD,IAAI,IAAI;AACR,QAAQ,OAAO,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC;AAC5C,IAAI;AACJ,IAAI,OAAO,KAAK,EAAE;AAClB,QAAQ,IAAI,KAAK,YAAY,SAAS,EAAE;AACxC,YAAY,IAAI,OAAO,EAAE;AACzB;AACA,gBAAgB,OAAO,kBAAkB,CAAC,GAAG,CAAC;AAC9C,YAAY;AACZ,iBAAiB;AACjB;AACA,gBAAgB,OAAO,SAAS;AAChC,YAAY;AACZ,QAAQ;AACR,QAAQ,MAAM,KAAK;AACnB,IAAI;AACJ;AACA;AACA;AACA;AACA,SAAS,kBAAkB,CAAC,QAAQ,EAAE;AACtC,IAAI,IAAI,aAAa,GAAG,CAAC,uCAAuC,EAAE,QAAQ,CAAC,CAAC;AAC5E,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;AAChC;AACA,QAAQ,aAAa,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;AAClD,IAAI;AACJ,IAAI,OAAO,aAAa;AACxB;AACA;AACA;AACA;AACA,eAAe,oBAAoB,CAAC,GAAG,EAAE,eAAe,EAAE;AAC1D,IAAI,MAAM,OAAO,GAAG;AACpB,QAAQ,sBAAsB,EAAE;AAChC,KAAK;AACL,IAAI,OAAO,MAAM,kBAAkB,CAAC,GAAG,EAAE,OAAO,CAAC;AACjD;AACA;AACA;AACA;AACA,SAAS,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,EAAE;AACnD,IAAI,OAAO,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,KAAK,GAAG;AACnE;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,qBAAqB,CAAC,sBAAsB,EAAE,IAAI,EAAE;AAC1E,IAAI,IAAI,EAAE;AACV,IAAI,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,sBAAsB,CAAC;AAClD,IAAI,MAAM,eAAe,GAAG,CAAC,EAAE,GAAsC,MAAM,CAAuB,MAAM,IAAI,IAAI,EAAE,KAAK,MAAM,GAAG,EAAE,GAAG,uBAAuB;AAC5J;AACA,IAAI,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC;AAC7D,IAAI,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,aAAa,EAAE,MAAM,CAAC;AACvD,IAAI,IAAI,QAAQ,GAAG,MAAM,oBAAoB,CAAC,YAAY,EAAE,eAAe,CAAC;AAC5E;AACA,IAAI,IAAI,qBAAqB,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE;AAC1D,QAAQ,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC;AAClF,QAAQ,QAAQ,GAAG,MAAM,oBAAoB,CAAC,OAAO,EAAE,eAAe,CAAC;AACvE,IAAI;AACJ,IAAI,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;AAC9C,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,yCAAyC,CAAC,CAAC;AAC3F,IAAI;AACJ,IAAI,OAAO,mBAAmB,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AAC3D;AACA;AACA;AACA;AACO,eAAe,kBAAkB,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,GAAG,EAAE;AACxI,IAAI,MAAM,YAAY,GAAG,MAAM;AAC/B,IAAI,MAAM,mBAAmB,GAAG,MAAM;AACtC,IAAI,IAAI,gBAAgB;AACxB,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC;AACnE,QAAQ,IAAI,CAAC,QAAQ,CAAC,wBAAwB,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE;AACvE,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,yDAAyD,EAAE,YAAY,CAAC,CAAC,CAAC;AACvG,QAAQ;AACR,QAAQ,IAAI,CAAC,QAAQ,CAAC,gCAAgC;AACtD,YAAY,CAAC,QAAQ,CAAC,gCAAgC,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE;AACtF,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,iEAAiE,EAAE,mBAAmB,CAAC,CAAC,CAAC;AACtH,QAAQ;AACR,IAAI;AACJ,SAAS;AACT,QAAQ,gBAAgB,GAAG,IAAI,GAAG,CAAC,YAAY,EAAE,sBAAsB,CAAC;AACxE,IAAI;AACJ;AACA,IAAI,MAAM,SAAS,GAAG,MAAM,aAAa,EAAE;AAC3C,IAAI,MAAM,YAAY,GAAG,SAAS,CAAC,aAAa;AAChD,IAAI,MAAM,aAAa,GAAG,SAAS,CAAC,cAAc;AAClD,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC;AACpE,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,iBAAiB,CAAC,SAAS,CAAC;AAC/E,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC;AACtE,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,mBAAmB,CAAC;AACnF,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;AAC1E,IAAI,IAAI,KAAK,EAAE;AACf,QAAQ,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC;AACzD,IAAI;AACJ,IAAI,IAAI,KAAK,EAAE;AACf,QAAQ,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC;AACzD,IAAI;AACJ,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC;AACpE,IAAI;AACJ,IAAI,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE;AAC7C;AACA;AACA;AACA;AACO,eAAe,qBAAqB,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,GAAG,EAAE;AAC9J,IAAI,MAAM,SAAS,GAAG,oBAAoB;AAC1C,IAAI,IAAI,QAAQ;AAChB,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC;AACnD,QAAQ,IAAI,QAAQ,CAAC,qBAAqB;AAC1C,YAAY,CAAC,QAAQ,CAAC,qBAAqB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE;AACjE,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,sDAAsD,EAAE,SAAS,CAAC,CAAC,CAAC;AACjG,QAAQ;AACR,IAAI;AACJ,SAAS;AACT,QAAQ,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,sBAAsB,CAAC;AAC5D,IAAI;AACJ;AACA,IAAI,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;AACvC,QAAQ,UAAU,EAAE,SAAS;AAC7B,QAAQ,SAAS,EAAE,iBAAiB,CAAC,SAAS;AAC9C,QAAQ,IAAI,EAAE,iBAAiB;AAC/B,QAAQ,aAAa,EAAE,YAAY;AACnC,QAAQ,YAAY,EAAE,MAAM,CAAC,WAAW,CAAC;AACzC,KAAK,CAAC;AACN,IAAI,IAAI,iBAAiB,CAAC,aAAa,EAAE;AACzC,QAAQ,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,iBAAiB,CAAC,aAAa,CAAC;AACpE,IAAI;AACJ,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC;AAC7C,IAAI;AACJ,IAAI,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;AAC3C,QAAQ,MAAM,EAAE,MAAM;AACtB,QAAQ,OAAO,EAAE;AACjB,YAAY,cAAc,EAAE,mCAAmC;AAC/D,SAAS;AACT,QAAQ,IAAI,EAAE,MAAM;AACpB,KAAK,CAAC;AACN,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,4BAA4B,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACzE,IAAI;AACJ,IAAI,OAAO,iBAAiB,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AACzD;AACA;AACA;AACA;AACO,eAAe,oBAAoB,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,YAAY,EAAE,QAAQ,GAAG,EAAE;AAC7H,IAAI,MAAM,SAAS,GAAG,eAAe;AACrC,IAAI,IAAI,QAAQ;AAChB,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC;AACnD,QAAQ,IAAI,QAAQ,CAAC,qBAAqB;AAC1C,YAAY,CAAC,QAAQ,CAAC,qBAAqB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE;AACjE,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,sDAAsD,EAAE,SAAS,CAAC,CAAC,CAAC;AACjG,QAAQ;AACR,IAAI;AACJ,SAAS;AACT,QAAQ,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,sBAAsB,CAAC;AAC5D,IAAI;AACJ;AACA,IAAI,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;AACvC,QAAQ,UAAU,EAAE,SAAS;AAC7B,QAAQ,SAAS,EAAE,iBAAiB,CAAC,SAAS;AAC9C,QAAQ,aAAa,EAAE,YAAY;AACnC,KAAK,CAAC;AACN,IAAI,IAAI,iBAAiB,CAAC,aAAa,EAAE;AACzC,QAAQ,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,iBAAiB,CAAC,aAAa,CAAC;AACpE,IAAI;AACJ,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC;AAC7C,IAAI;AACJ,IAAI,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;AAC3C,QAAQ,MAAM,EAAE,MAAM;AACtB,QAAQ,OAAO,EAAE;AACjB,YAAY,cAAc,EAAE,mCAAmC;AAC/D,SAAS;AACT,QAAQ,IAAI,EAAE,MAAM;AACpB,KAAK,CAAC;AACN,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,2BAA2B,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACxE,IAAI;AACJ,IAAI,OAAO,iBAAiB,CAAC,KAAK,CAAC,EAAE,aAAa,EAAE,YAAY,EAAE,IAAI,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;AAC/F;AACA;AACA;AACA;AACO,eAAe,cAAc,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,cAAc,GAAG,EAAE;AAC5F,IAAI,IAAI,eAAe;AACvB,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE;AAC7C,YAAY,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC;AACrG,QAAQ;AACR,QAAQ,eAAe,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,qBAAqB,CAAC;AACjE,IAAI;AACJ,SAAS;AACT,QAAQ,eAAe,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,sBAAsB,CAAC;AACtE,IAAI;AACJ,IAAI,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,eAAe,EAAE;AAClD,QAAQ,MAAM,EAAE,MAAM;AACtB,QAAQ,OAAO,EAAE;AACjB,YAAY,cAAc,EAAE,kBAAkB;AAC9C,SAAS;AACT,QAAQ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;AAC5C,KAAK,CAAC;AACN,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,yCAAyC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACtF,IAAI;AACJ,IAAI,OAAO,gCAAgC,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AACxE;;;;","x_google_ignoreList":[0]}