@authcore/core 0.7.0 → 0.12.0

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2026 David Ouatedem
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2026 David Ouatedem
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,125 +1,141 @@
-# @authcore/core
-
-> Framework-agnostic authentication engine. Types, validation, password hashing, JWT, and adapter interfaces.
-
-This is the core package that powers all AuthCore framework adapters. You typically won't use it directly. Use [`@authcore/express`](https://www.npmjs.com/package/@authcore/express) or [`@authcore/fastify`](https://www.npmjs.com/package/@authcore/fastify) instead.
-
-## Install
-
-```bash
-npm install @authcore/core
-```
-
-## What's Inside
-
-### `createAuth(config)`
-
-The main factory that creates an auth instance with `register`, `login`, `verifyToken`, `verifyEmail`, `forgotPassword`, `resetPassword`, `invite`, and `acceptInvitation` methods.
-
-```ts
-import { createAuth } from '@authcore/core'
-
-const auth = createAuth({
-  db: myDatabaseAdapter,
-  session: { strategy: 'jwt', secret: 'your-secret', expiresIn: '7d' },
-  email: { provider: myEmailAdapter, from: 'auth@example.com' },
-  features: ['emailVerification', 'passwordReset', 'invitation'],
-  password: { minLength: 8 },
-  rbac: { defaultRole: 'user' },
-  callbacks: {
-    onSignUp: (user) => { /* ... */ },
-    onSignIn: (user) => { /* ... */ },
-  },
-})
-
-const { user, token } = await auth.register({ email: 'user@example.com', password: 'securepass' })
-const { user, token } = await auth.login({ email: 'user@example.com', password: 'securepass' })
-const publicUser = await auth.verifyToken(token)
-```
-
-### Adapter Interfaces
-
-Implement these to add support for any database or email provider:
-
-```ts
-import type { DatabaseAdapter, EmailAdapter } from '@authcore/core'
-```
-
-**DatabaseAdapter:**
-
-```ts
-interface DatabaseAdapter {
-  findUserByEmail(email: string): Promise<User | null>
-  findUserById(id: string): Promise<User | null>
-  createUser(data: CreateUserInput): Promise<User>
-  updateUser(id: string, data: Partial<User>): Promise<User>
-  createToken(data: CreateTokenInput): Promise<Token>
-  findToken(rawToken: string, type: TokenType): Promise<Token | null>
-  deleteToken(id: string): Promise<void>
-  deleteExpiredTokens(): Promise<void>
-}
-```
-
-**EmailAdapter:**
-
-```ts
-interface EmailAdapter {
-  send(options: { from: string; to: string; subject: string; html: string; text: string }): Promise<void>
-}
-```
-
-### Types
-
-```ts
-import type {
-  User,
-  PublicUser,
-  Token,
-  TokenType,
-  AuthCoreConfig,
-  AuthCore,
-  DatabaseAdapter,
-  EmailAdapter,
-  AuthError,
-} from '@authcore/core'
-```
-
-### Utilities
-
-```ts
-import {
-  hashPassword,
-  verifyPassword,
-  generateOpaqueToken,
-  hashToken,
-  safeCompareTokens,
-  signJwt,
-  verifyJwt,
-} from '@authcore/core'
-```
-
-### Validation Schemas (Zod)
-
-```ts
-import {
-  registerSchema,
-  loginSchema,
-  forgotPasswordSchema,
-  resetPasswordSchema,
-  verifyEmailSchema,
-  inviteSchema,
-  acceptInvitationSchema,
-} from '@authcore/core'
-```
-
-### RBAC
-
-Users have a `role` field (string). The default role for new registrations is `'user'`, configurable via `rbac.defaultRole`. The role is included in the JWT payload, so role checks don't need extra database lookups.
-
-### Invitation
-
-Enable the `'invitation'` feature to let authenticated users invite new users by email. The invited user receives a link to set their password and activate their account. Invitation tokens expire in 48 hours.
-
-## License
-
-[MIT](https://github.com/david-ouatedem/auth-core/blob/main/LICENSE)
+# @authcore/core
+
+> Framework-agnostic authentication engine. Types, validation, password hashing, JWT, and adapter interfaces.
+
+This is the core package that powers all AuthCore framework adapters. You typically won't use it directly. Use [`@authcore/express`](https://www.npmjs.com/package/@authcore/express) or [`@authcore/fastify`](https://www.npmjs.com/package/@authcore/fastify) instead.
+
+## Install
+
+```bash
+npm install @authcore/core
+```
+
+## What's Inside
+
+### `createAuth(config)`
+
+The main factory that creates an auth instance with `register`, `login`, `verifyToken`, `verifyEmail`, `forgotPassword`, `resetPassword`, `invite`, `acceptInvitation`, `refresh`, `revoke`, and `revokeAll` methods.
+
+```ts
+import { createAuth } from '@authcore/core'
+
+const auth = createAuth({
+  db: myDatabaseAdapter,
+  session: {
+    strategy: 'jwt',
+    secret: 'your-secret',
+    expiresIn: '7d',
+    cookieName: 'my_token',     // optional; default 'authcore_token'
+  },
+  email: { provider: myEmailAdapter, from: 'auth@example.com' },
+  features: ['emailVerification', 'passwordReset', 'invitation'],
+  password: { minLength: 8 },
+  rbac: { defaultRole: 'user' },
+  callbacks: {
+    onSignUp: (user) => { /* ... */ },
+    onSignIn: (user) => { /* ... */ },
+  },
+})
+
+const { user, token } = await auth.register({ email: 'user@example.com', password: 'securepass' })
+const { user, token } = await auth.login({ email: 'user@example.com', password: 'securepass' })
+const publicUser = await auth.verifyToken(token)
+
+// Direct-core callers MUST pass a resetUrl. Framework adapters do this for you.
+await auth.forgotPassword(
+  { email: 'user@example.com' },
+  { resetUrl: 'https://app.example.com/reset-password' },
+)
+
+// The resolved config is exposed so framework adapters can read session.cookieName, etc.
+console.log(auth.config.session.cookieName)
+```
+
+> **Breaking change in 0.9 (direct-core callers only):** `auth.forgotPassword(input)` is now `auth.forgotPassword(input, { resetUrl })`. The framework adapters (`@authcore/express`, `@authcore/fastify`, `@authcore/nestjs`) build the URL automatically from `baseUrl + paths.resetPassword`, so apps using those packages are unaffected. Direct-core callers must add the second argument or `forgotPassword` throws `AuthError('resetUrl is required', 'MISSING_URL', 500)`. This is a deliberate loud failure that replaces the pre-0.9 silent leak of `session.secret` into reset-email URLs.
+
+### Adapter Interfaces
+
+Implement these to add support for any database or email provider:
+
+```ts
+import type { DatabaseAdapter, EmailAdapter } from '@authcore/core'
+```
+
+**DatabaseAdapter:**
+
+```ts
+interface DatabaseAdapter {
+  findUserByEmail(email: string): Promise<User | null>
+  findUserById(id: string): Promise<User | null>
+  createUser(data: CreateUserInput): Promise<User>
+  updateUser(id: string, data: Partial<User>): Promise<User>
+  createToken(data: CreateTokenInput): Promise<Token>
+  findToken(rawToken: string, type: TokenType): Promise<Token | null>
+  deleteToken(id: string): Promise<void>
+  deleteExpiredTokens(): Promise<void>
+}
+```
+
+**EmailAdapter:**
+
+```ts
+interface EmailAdapter {
+  send(options: { from: string; to: string; subject: string; html: string; text: string }): Promise<void>
+}
+```
+
+### Types
+
+```ts
+import type {
+  User,
+  PublicUser,
+  Token,
+  TokenType,
+  AuthCoreConfig,
+  AuthCore,
+  DatabaseAdapter,
+  EmailAdapter,
+  AuthError,
+} from '@authcore/core'
+```
+
+### Utilities
+
+```ts
+import {
+  hashPassword,
+  verifyPassword,
+  generateOpaqueToken,
+  hashToken,
+  safeCompareTokens,
+  signJwt,
+  verifyJwt,
+} from '@authcore/core'
+```
+
+### Validation Schemas (Zod)
+
+```ts
+import {
+  registerSchema,
+  loginSchema,
+  forgotPasswordSchema,
+  resetPasswordSchema,
+  verifyEmailSchema,
+  inviteSchema,
+  acceptInvitationSchema,
+} from '@authcore/core'
+```
+
+### RBAC
+
+Users have a `role` field (string). The default role for new registrations is `'user'`, configurable via `rbac.defaultRole`. The role is included in the JWT payload, so role checks don't need extra database lookups.
+
+### Invitation
+
+Enable the `'invitation'` feature to let authenticated users invite new users by email. The invited user receives a link to set their password and activate their account. Invitation tokens expire in 48 hours.
+
+## License
+
+[MIT](https://github.com/david-ouatedem/auth-core/blob/main/LICENSE)

package/dist/auth.d.ts

@@ -4,27 +4,42 @@ export declare class AuthError extends Error {
     readonly statusCode: number;
     constructor(message: string, code: string, statusCode: number);
 }
+/** Successful authentication — full session minted. */
+export interface SessionResult {
+    user: PublicUser;
+    token: string;
+    refreshToken: string;
+}
+/** First-factor passed, awaiting TOTP / recovery code. */
+export interface TwoFactorChallengeResult {
+    requires2FA: true;
+    /** Short-lived JWT (5 min default) to pass back to `verifyTwoFactor` / `useRecoveryCode`. */
+    challengeToken: string;
+}
+/** Login result is either a full session or a 2FA challenge. */
+export type LoginResult = SessionResult | TwoFactorChallengeResult;
 /**
  * The AuthCore instance returned by createAuth.
- * Framework adapters (Express, Fastify) wrap this object.
+ * Framework adapters (Express, Fastify, NestJS, Next.js) wrap this object.
  */
 export interface AuthCore {
     /**
      * Register a new user.
      * @throws AuthError on validation failure (400) or duplicate email (409)
      */
-    register(input: unknown): Promise<{
-        user: PublicUser;
-        token: string;
-    }>;
+    register(input: unknown): Promise<SessionResult>;
     /**
      * Authenticate a user with email/password.
+     *
+     * Returns a discriminated union — narrow on `'requires2FA' in result`:
+     * - **Session**: `{ user, token, refreshToken }` when 2FA is off for that user.
+     * - **Challenge**: `{ requires2FA: true, challengeToken }` when 2FA is on. Pass
+     *   the `challengeToken` to {@link verifyTwoFactor} or {@link useRecoveryCode}
+     *   along with the user's code to complete the login.
+     *
      * @throws AuthError on invalid credentials (401)
      */
-    login(input: unknown): Promise<{
-        user: PublicUser;
-        token: string;
-    }>;
+    login(input: unknown): Promise<LoginResult>;
     /**
      * Verify a JWT and return the public user.
      * Returns null if the token is invalid or expired.
@@ -45,9 +60,14 @@ export interface AuthCore {
      */
     verifyEmail(input: unknown): Promise<void>;
     /**
-     * Initiate password reset. Always returns successfully (prevents enumeration).
+     * Initiate password reset. Always returns successfully when called via a framework
+     * adapter (prevents email enumeration). Throws `MISSING_URL` (500) if called directly
+     * without a `resetUrl`. Framework adapters always supply one built from baseUrl +
+     * the configured reset-password route.
      */
-    forgotPassword(input: unknown): Promise<void>;
+    forgotPassword(input: unknown, params?: {
+        resetUrl: string;
+    }): Promise<void>;
     /**
      * Complete password reset using the raw token.
      * @throws AuthError if token is invalid or expired (400)
@@ -65,10 +85,118 @@ export interface AuthCore {
      * Accept an invitation by setting a password.
      * @throws AuthError if token is invalid or expired (400)
      */
-    acceptInvitation(input: unknown): Promise<{
+    acceptInvitation(input: unknown): Promise<SessionResult>;
+    /**
+     * Exchange a refresh token for a new JWT + a freshly rotated refresh token.
+     * The old refresh token is invalidated atomically.
+     * @throws AuthError(401, 'INVALID_TOKEN') if the refresh token is missing, invalid, or expired
+     */
+    refresh(rawRefreshToken: string): Promise<SessionResult>;
+    /**
+     * Revoke a single refresh token. Idempotent — succeeds even if the token doesn't exist.
+     */
+    revoke(rawRefreshToken: string): Promise<void>;
+    /**
+     * Revoke every outstanding refresh token for a user ("log out everywhere").
+     */
+    revokeAll(userId: string): Promise<void>;
+    /**
+     * Send a magic-link email. Always resolves successfully — does not reveal
+     * whether the email exists in the database (enumeration-safe). By default
+     * a new user is auto-created if none exists; the email is marked verified
+     * because receipt of the link proves email ownership.
+     *
+     * Requires the `magicLink` feature flag and a configured email provider.
+     *
+     * @throws AuthError(500, 'FEATURE_DISABLED') if the feature flag is off.
+     * @throws AuthError(500, 'EMAIL_NOT_CONFIGURED') if no email provider is set.
+     * @throws AuthError(500, 'MISSING_URL') if `magicLinkUrl` is not supplied.
+     */
+    sendMagicLink(input: unknown, params: {
+        magicLinkUrl: string;
+    }): Promise<void>;
+    /**
+     * Consume a magic-link token. Returns a full session: user + JWT + refresh.
+     * Tokens are single-use; a second call with the same raw token throws.
+     * @throws AuthError(400, 'INVALID_TOKEN') if the token is unknown or expired.
+     */
+    consumeMagicLink(input: unknown): Promise<{
         user: PublicUser;
         token: string;
+        refreshToken: string;
+    }>;
+    /**
+     * Begin an OAuth flow with the provider registered under the given id (e.g. 'google').
+     * Returns the authorization URL the user must be redirected to.
+     * @throws AuthError if the provider isn't registered in `config.oauth`.
+     */
+    oauthStart(providerId: string, redirectUri: string): Promise<{
+        authorizationUrl: string;
+        state: string;
+    }>;
+    /**
+     * Complete an OAuth callback. Validates state, exchanges code for tokens, links or creates
+     * the user according to the auto-link policy (email-verified only).
+     * @throws AuthError on invalid state (401), EMAIL_NOT_VERIFIED_BY_PROVIDER (409), or
+     *   upstream provider failure (502).
+     */
+    oauthCallback(providerId: string, params: {
+        code: string;
+        state: string;
+        redirectUri: string;
+    }): Promise<SessionResult & {
+        isNewUser: boolean;
+    }>;
+    /**
+     * Begin 2FA enrollment. Returns the new TOTP secret, an `otpauth://` URL
+     * suitable for QR rendering, and 10 single-use recovery codes the user
+     * MUST store. Calls this method overwrite any prior unconfirmed setup.
+     *
+     * The secret is persisted on the user with `twoFactorEnabled` still
+     * `false` — call {@link enableTwoFactor} with the first generated code to
+     * flip the flag.
+     *
+     * @throws AuthError(404, 'USER_NOT_FOUND') if the user does not exist.
+     */
+    setupTwoFactor(userId: string): Promise<{
+        secret: string;
+        otpauthUrl: string;
+        recoveryCodes: string[];
     }>;
+    /**
+     * Confirm 2FA enrollment by verifying the first authenticator code.
+     * @throws AuthError(400, 'TWO_FACTOR_NOT_SET_UP') if setup hasn't run.
+     * @throws AuthError(400, 'INVALID_TWO_FACTOR_CODE') on a wrong code.
+     */
+    enableTwoFactor(userId: string, code: string): Promise<void>;
+    /**
+     * Disable 2FA for the user. Requires the user's current password as a
+     * confirmation step (prevents an attacker with a stolen session cookie from
+     * silently turning off 2FA).
+     *
+     * @throws AuthError(401, 'INVALID_CREDENTIALS') if the password is wrong.
+     * @throws AuthError(404, 'USER_NOT_FOUND') if the user does not exist.
+     */
+    disableTwoFactor(userId: string, password: string): Promise<void>;
+    /**
+     * Complete a 2FA-pending login. Pass the `challengeToken` from {@link login}
+     * along with the user's current TOTP code.
+     *
+     * @throws AuthError(401, 'INVALID_TOKEN') if the challenge JWT is invalid or expired.
+     * @throws AuthError(401, 'INVALID_TWO_FACTOR_CODE') if the TOTP code is wrong.
+     */
+    verifyTwoFactor(challengeToken: string, code: string): Promise<SessionResult>;
+    /**
+     * Complete a 2FA-pending login using a single-use recovery code. Same
+     * challenge flow as {@link verifyTwoFactor}; the matching recovery code is
+     * deleted before the session is returned.
+     *
+     * @throws AuthError(401, 'INVALID_TOKEN') if the challenge JWT is invalid or expired.
+     * @throws AuthError(401, 'INVALID_RECOVERY_CODE') if the code is unknown.
+     */
+    useRecoveryCode(challengeToken: string, code: string): Promise<SessionResult>;
+    /** The resolved configuration this instance was created with. */
+    readonly config: AuthCoreConfig;
 }
 /**
  * Create an AuthCore instance from the provided configuration.

package/dist/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAwBjE,qBAAa,SAAU,SAAQ,KAAK;aAGhB,IAAI,EAAE,MAAM;aACZ,UAAU,EAAE,MAAM;gBAFlC,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM;CAKrC;AAED;;;GAGG;AACH,MAAM,WAAW,QAAQ;IACvB;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,UAAU,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAEtE;;;OAGG;IACH,KAAK,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,UAAU,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAEnE;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAA;IAEtD;;;OAGG;IACH,qBAAqB,CAAC,MAAM,EAAE;QAC5B,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,MAAM,CAAA;QACb,eAAe,EAAE,MAAM,CAAA;KACxB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEjB;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE1C;;OAEG;IACH,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE7C;;;OAGG;IACH,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE5C;;;;OAIG;IACH,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEpE;;;OAGG;IACH,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,UAAU,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAC/E;AAqBD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,cAAc,GAAG,QAAQ,CA8P3D"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAyDjE,qBAAa,SAAU,SAAQ,KAAK;aAGhB,IAAI,EAAE,MAAM;aACZ,UAAU,EAAE,MAAM;gBAFlC,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM;CAKrC;AAED,uDAAuD;AACvD,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,UAAU,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,YAAY,EAAE,MAAM,CAAA;CACrB;AAED,0DAA0D;AAC1D,MAAM,WAAW,wBAAwB;IACvC,WAAW,EAAE,IAAI,CAAA;IACjB,6FAA6F;IAC7F,cAAc,EAAE,MAAM,CAAA;CACvB;AAED,gEAAgE;AAChE,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,wBAAwB,CAAA;AAElE;;;GAGG;AACH,MAAM,WAAW,QAAQ;IACvB;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;IAEhD;;;;;;;;;;OAUG;IACH,KAAK,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC,CAAA;IAE3C;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAA;IAEtD;;;OAGG;IACH,qBAAqB,CAAC,MAAM,EAAE;QAC5B,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,MAAM,CAAA;QACb,eAAe,EAAE,MAAM,CAAA;KACxB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEjB;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE1C;;;;;OAKG;IACH,cAAc,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE5E;;;OAGG;IACH,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE5C;;;;OAIG;IACH,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEpE;;;OAGG;IACH,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;IAExD;;;;OAIG;IACH,OAAO,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;IAExD;;OAEG;IACH,MAAM,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE9C;;OAEG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAExC;;;;;;;;;;;OAWG;IACH,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE9E;;;;OAIG;IACH,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,UAAU,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAEpG;;;;OAIG;IACH,UAAU,CACR,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;QAAE,gBAAgB,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAEvD;;;;;OAKG;IACH,aAAa,CACX,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,GAC3D,OAAO,CAAC,aAAa,GAAG;QAAE,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAA;IAElD;;;;;;;;;;OAUG;IACH,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QACtC,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,MAAM,CAAA;QAClB,aAAa,EAAE,MAAM,EAAE,CAAA;KACxB,CAAC,CAAA;IAEF;;;;OAIG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE5D;;;;;;;OAOG;IACH,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEjE;;;;;;OAMG;IACH,eAAe,CAAC,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;IAE7E;;;;;;;OAOG;IACH,eAAe,CAAC,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;IAE7E,iEAAiE;IACjE,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAA;CAChC;AAuBD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,cAAc,GAAG,QAAQ,CA0hB3D"}