@cat-factory/server 0.6.0

package/dist/auth/GitHubOAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"GitHubOAuth.js","sourceRoot":"","sources":["../../src/auth/GitHubOAuth.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,6EAA6E;AAC7E,8EAA8E;AAC9E,sFAAsF;AAEtF,MAAM,UAAU,GAAG,aAAa,CAAA;AAChC,MAAM,WAAW,GAAG,YAAY,CAAA;AAuChC,MAAM,OAAO,WAAW;IACO,IAAI;IAAjC,YAA6B,IAA6B;oBAA7B,IAAI;IAA4B,CAAC;IAE9D,uEAAuE;IACvE,YAAY,CAAC,MAA8D;QACzE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,wBAAwB,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QAClE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACrD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,CAAC,CAAA;QACxD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAA;QAC3C,wEAAwE;QACxE,0EAA0E;QAC1E,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,IAAI,WAAW,CAAC,CAAA;QAC1D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,CAAA;QAC7C,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAA;IACvB,CAAC;IAED,4DAA4D;IAC5D,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,WAAmB;QAClD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,2BAA2B,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE;YACjF,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,MAAM,EAAE,kBAAkB;gBAC1B,cAAc,EAAE,kBAAkB;gBAClC,YAAY,EAAE,UAAU;aACzB;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ;gBAC7B,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY;gBACrC,IAAI;gBACJ,YAAY,EAAE,WAAW;aAC1B,CAAC;SACH,CAAC,CAAA;QACF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAA;QACjF,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAA;QAChD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,KAAK,IAAI,iCAAiC,CAAC,CAAA;QAC5F,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAA;IAC1B,CAAC;IAED,oEAAoE;IACpE,KAAK,CAAC,SAAS,CAAC,WAAmB;QACjC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YAC3D,OAAO,EAAE;gBACP,MAAM,EAAE,6BAA6B;gBACrC,aAAa,EAAE,UAAU,WAAW,EAAE;gBACtC,YAAY,EAAE,UAAU;gBACxB,sBAAsB,EAAE,WAAW;aACpC;SACF,CAAC,CAAA;QACF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAA;QAC7E,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAA;QACrD,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,SAAS,EAAE,IAAI,CAAC,UAAU;YAC1B,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI;SAC1B,CAAA;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CAAC,WAAmB;QACrC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,yBAAyB,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YAC7E,OAAO,EAAE;gBACP,MAAM,EAAE,6BAA6B;gBACrC,aAAa,EAAE,UAAU,WAAW,EAAE;gBACtC,YAAY,EAAE,UAAU;gBACxB,sBAAsB,EAAE,WAAW;aACpC;SACF,CAAC,CAAA;QACF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAA;QAC3E,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAwB,CAAA;QACtD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAA;IACnD,CAAC;CACF"}

package/dist/auth/GoogleOAuth.d.ts

@@ -0,0 +1,35 @@
+export interface GoogleOAuthDependencies {
+    clientId: string;
+    clientSecret: string;
+    /** OAuth host (authorize). Defaults to accounts.google.com. */
+    oauthBase?: string;
+    /** Userinfo API base. Defaults to www.googleapis.com. */
+    apiBase?: string;
+}
+/** The Google identity behind an authorization code (the OAuth provider's subject). */
+export interface GoogleIdentity {
+    /** Google `sub` — the stable identity subject. */
+    subject: string;
+    email: string | null;
+    /** Whether Google has verified the user owns `email` (gates domain-allowlist + link). */
+    emailVerified: boolean;
+    name: string | null;
+    avatarUrl: string | null;
+}
+export declare class GoogleOAuth {
+    private readonly deps;
+    constructor(deps: GoogleOAuthDependencies);
+    private get oauthBase();
+    private get apiBase();
+    /** The Google URL the browser is sent to in order to authorise. */
+    authorizeUrl(params: {
+        redirectUri: string;
+        state: string;
+        scope?: string;
+    }): string;
+    /** Exchange the callback `code` for an access token. */
+    exchangeCode(code: string, redirectUri: string): Promise<string>;
+    /** Resolve the authenticated Google user behind an access token. */
+    fetchUser(accessToken: string): Promise<GoogleIdentity>;
+}
+//# sourceMappingURL=GoogleOAuth.d.ts.map

package/dist/auth/GoogleOAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GoogleOAuth.d.ts","sourceRoot":"","sources":["../../src/auth/GoogleOAuth.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,yDAAyD;IACzD,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAiBD,uFAAuF;AACvF,MAAM,WAAW,cAAc;IAC7B,kDAAkD;IAClD,OAAO,EAAE,MAAM,CAAA;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;IACpB,yFAAyF;IACzF,aAAa,EAAE,OAAO,CAAA;IACtB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;CACzB;AAED,qBAAa,WAAW;IACV,OAAO,CAAC,QAAQ,CAAC,IAAI;IAAjC,YAA6B,IAAI,EAAE,uBAAuB,EAAI;IAE9D,OAAO,KAAK,SAAS,GAEpB;IACD,OAAO,KAAK,OAAO,GAElB;IAED,mEAAmE;IACnE,YAAY,CAAC,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,MAAM,CAQnF;IAED,wDAAwD;IAClD,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAkBrE;IAED,oEAAoE;IAC9D,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAa5D;CACF"}

package/dist/auth/GoogleOAuth.js

@@ -0,0 +1,66 @@
+// Minimal Google OAuth2 / OpenID Connect web-flow client (the user login flow).
+// Built on `fetch` only, so it runs in a plain Workers isolate and in Node — a
+// mirror of GitHubOAuth. Endpoints default to Google's but are overridable for tests.
+const DEFAULT_OAUTH_BASE = 'https://accounts.google.com';
+const DEFAULT_API_BASE = 'https://www.googleapis.com';
+const TOKEN_PATH = 'https://oauth2.googleapis.com/token';
+export class GoogleOAuth {
+    deps;
+    constructor(deps) {
+        this.deps = deps;
+    }
+    get oauthBase() {
+        return this.deps.oauthBase || DEFAULT_OAUTH_BASE;
+    }
+    get apiBase() {
+        return this.deps.apiBase || DEFAULT_API_BASE;
+    }
+    /** The Google URL the browser is sent to in order to authorise. */
+    authorizeUrl(params) {
+        const url = new URL('/o/oauth2/v2/auth', this.oauthBase);
+        url.searchParams.set('client_id', this.deps.clientId);
+        url.searchParams.set('redirect_uri', params.redirectUri);
+        url.searchParams.set('state', params.state);
+        url.searchParams.set('response_type', 'code');
+        url.searchParams.set('scope', params.scope ?? 'openid email profile');
+        return url.toString();
+    }
+    /** Exchange the callback `code` for an access token. */
+    async exchangeCode(code, redirectUri) {
+        const res = await fetch(TOKEN_PATH, {
+            method: 'POST',
+            headers: { accept: 'application/json', 'content-type': 'application/x-www-form-urlencoded' },
+            body: new URLSearchParams({
+                client_id: this.deps.clientId,
+                client_secret: this.deps.clientSecret,
+                code,
+                redirect_uri: redirectUri,
+                grant_type: 'authorization_code',
+            }),
+        });
+        if (!res.ok)
+            throw new Error(`Google token exchange failed (HTTP ${res.status})`);
+        const body = (await res.json());
+        if (!body.access_token) {
+            throw new Error(body.error_description || body.error || 'Google returned no access token');
+        }
+        return body.access_token;
+    }
+    /** Resolve the authenticated Google user behind an access token. */
+    async fetchUser(accessToken) {
+        const res = await fetch(new URL('/oauth2/v3/userinfo', this.apiBase), {
+            headers: { authorization: `Bearer ${accessToken}` },
+        });
+        if (!res.ok)
+            throw new Error(`Google userinfo fetch failed (HTTP ${res.status})`);
+        const info = (await res.json());
+        return {
+            subject: info.sub,
+            email: info.email ?? null,
+            emailVerified: info.email_verified === true || info.email_verified === 'true',
+            name: info.name ?? null,
+            avatarUrl: info.picture ?? null,
+        };
+    }
+}
+//# sourceMappingURL=GoogleOAuth.js.map

package/dist/auth/GoogleOAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"GoogleOAuth.js","sourceRoot":"","sources":["../../src/auth/GoogleOAuth.ts"],"names":[],"mappings":"AAAA,gFAAgF;AAChF,+EAA+E;AAC/E,sFAAsF;AAEtF,MAAM,kBAAkB,GAAG,6BAA6B,CAAA;AACxD,MAAM,gBAAgB,GAAG,4BAA4B,CAAA;AACrD,MAAM,UAAU,GAAG,qCAAqC,CAAA;AAqCxD,MAAM,OAAO,WAAW;IACO,IAAI;IAAjC,YAA6B,IAA6B;oBAA7B,IAAI;IAA4B,CAAC;IAE9D,IAAY,SAAS;QACnB,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAA;IAClD,CAAC;IACD,IAAY,OAAO;QACjB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,gBAAgB,CAAA;IAC9C,CAAC;IAED,mEAAmE;IACnE,YAAY,CAAC,MAA8D;QACzE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,mBAAmB,EAAE,IAAI,CAAC,SAAS,CAAC,CAAA;QACxD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACrD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,CAAC,CAAA;QACxD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAA;QAC3C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAA;QAC7C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,IAAI,sBAAsB,CAAC,CAAA;QACrE,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAA;IACvB,CAAC;IAED,wDAAwD;IACxD,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,WAAmB;QAClD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;YAClC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAC5F,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ;gBAC7B,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY;gBACrC,IAAI;gBACJ,YAAY,EAAE,WAAW;gBACzB,UAAU,EAAE,oBAAoB;aACjC,CAAC;SACH,CAAC,CAAA;QACF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAA;QACjF,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAA;QAChD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,KAAK,IAAI,iCAAiC,CAAC,CAAA;QAC5F,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAA;IAC1B,CAAC;IAED,oEAAoE;IACpE,KAAK,CAAC,SAAS,CAAC,WAAmB;QACjC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,qBAAqB,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE;YACpE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;SACpD,CAAC,CAAA;QACF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAA;QACjF,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAmB,CAAA;QACjD,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,GAAG;YACjB,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI;YACzB,aAAa,EAAE,IAAI,CAAC,cAAc,KAAK,IAAI,IAAI,IAAI,CAAC,cAAc,KAAK,MAAM;YAC7E,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI;YACvB,SAAS,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI;SAChC,CAAA;IACH,CAAC;CACF"}

package/dist/auth/middleware.d.ts

@@ -0,0 +1,15 @@
+import type { Context, MiddlewareHandler } from 'hono';
+import type { AppEnv } from '../http/env.js';
+import { type SessionPayload } from './signing.js';
+/** Extract the bearer token from the Authorization header, if present. */
+export declare function bearerToken<E extends AppEnv>(c: Context<E>): string | null;
+/** Verify the request's bearer token against the configured session secret. */
+export declare function verifySession<E extends AppEnv>(c: Context<E>): Promise<SessionPayload | null>;
+/**
+ * Gate a route group. Preflight (OPTIONS) is always allowed so CORS isn't broken.
+ * When auth is enabled, require a valid session and stash the user on the
+ * context. When it is NOT configured, fail closed (503) — unless the local-dev
+ * escape hatch `AUTH_DEV_OPEN` is set, which passes through (dev + tests).
+ */
+export declare function requireAuth<E extends AppEnv>(): MiddlewareHandler<E>;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AACtD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AAC5C,OAAO,EAA8B,KAAK,cAAc,EAAE,MAAM,cAAc,CAAA;AAgB9E,0EAA0E;AAC1E,wBAAgB,WAAW,CAAC,CAAC,SAAS,MAAM,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,MAAM,GAAG,IAAI,CAK1E;AAED,+EAA+E;AAC/E,wBAAgB,aAAa,CAAC,CAAC,SAAS,MAAM,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAQ7F;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,MAAM,KAAK,iBAAiB,CAAC,CAAC,CAAC,CA0BpE"}

package/dist/auth/middleware.js

@@ -0,0 +1,63 @@
+import { HmacSigner, TOKEN_AUDIENCE } from './signing.js';
+// Bearer-token auth for the API. The session token is minted by the OAuth
+// callback (see the facade's AuthController) and carried by the SPA as
+// `Authorization: Bearer <token>`.
+//
+// The gate FAILS CLOSED: if auth is unconfigured, protected routes are refused
+// (503) rather than served openly — production must always have auth present.
+// The only way to run open is the explicit local-dev/test escape hatch
+// `AUTH_DEV_OPEN=true` (config.auth.devOpen).
+// The functions are generic over the Hono env so a facade whose app adds runtime
+// `Bindings` (e.g. the Worker's `Env`) on top of the shared Variables can still use
+// them — Hono's Context is invariant, so a non-generic `Context<AppEnv>` would reject
+// a `Context<AppEnv & { Bindings }>`.
+/** Extract the bearer token from the Authorization header, if present. */
+export function bearerToken(c) {
+    const header = c.req.header('Authorization');
+    if (!header)
+        return null;
+    const match = /^Bearer\s+(.+)$/i.exec(header.trim());
+    return match ? match[1] : null;
+}
+/** Verify the request's bearer token against the configured session secret. */
+export function verifySession(c) {
+    const cfg = c.get('container').config.auth;
+    if (!cfg.enabled)
+        return Promise.resolve(null);
+    // Pin the `session` audience: a container LLM-proxy token or a WS ticket — both
+    // signed with the same secret — must NOT be accepted as a user session.
+    return new HmacSigner(cfg.sessionSecret).verify(bearerToken(c), {
+        aud: TOKEN_AUDIENCE.session,
+    });
+}
+/**
+ * Gate a route group. Preflight (OPTIONS) is always allowed so CORS isn't broken.
+ * When auth is enabled, require a valid session and stash the user on the
+ * context. When it is NOT configured, fail closed (503) — unless the local-dev
+ * escape hatch `AUTH_DEV_OPEN` is set, which passes through (dev + tests).
+ */
+export function requireAuth() {
+    return async (c, next) => {
+        if (c.req.method === 'OPTIONS')
+            return next();
+        const cfg = c.get('container').config.auth;
+        if (!cfg.enabled) {
+            if (cfg.devOpen)
+                return next();
+            return c.json({
+                error: {
+                    code: 'auth_not_configured',
+                    message: 'Authentication is required but not configured. Set the GitHub OAuth ' +
+                        'credentials and AUTH_SESSION_SECRET, or AUTH_DEV_OPEN=true for local dev.',
+                },
+            }, 503);
+        }
+        const user = await verifySession(c);
+        if (!user) {
+            return c.json({ error: { code: 'unauthorized', message: 'Authentication required' } }, 401);
+        }
+        c.set('user', user);
+        await next();
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,cAAc,EAAuB,MAAM,cAAc,CAAA;AAE9E,0EAA0E;AAC1E,uEAAuE;AACvE,mCAAmC;AACnC,EAAE;AACF,+EAA+E;AAC/E,8EAA8E;AAC9E,uEAAuE;AACvE,8CAA8C;AAE9C,iFAAiF;AACjF,oFAAoF;AACpF,sFAAsF;AACtF,sCAAsC;AAEtC,0EAA0E;AAC1E,MAAM,UAAU,WAAW,CAAmB,CAAa;IACzD,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;IAC5C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IACxB,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;IACpD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,IAAI,CAAA;AACjC,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,aAAa,CAAmB,CAAa;IAC3D,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,IAAI,CAAA;IAC1C,IAAI,CAAC,GAAG,CAAC,OAAO;QAAE,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;IAC9C,gFAAgF;IAChF,wEAAwE;IACxE,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,MAAM,CAAiB,WAAW,CAAC,CAAC,CAAC,EAAE;QAC9E,GAAG,EAAE,cAAc,CAAC,OAAO;KAC5B,CAAC,CAAA;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW;IACzB,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACvB,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,IAAI,EAAE,CAAA;QAC7C,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,IAAI,CAAA;QAC1C,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACjB,IAAI,GAAG,CAAC,OAAO;gBAAE,OAAO,IAAI,EAAE,CAAA;YAC9B,OAAO,CAAC,CAAC,IAAI,CACX;gBACE,KAAK,EAAE;oBACL,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EACL,sEAAsE;wBACtE,2EAA2E;iBAC9E;aACF,EACD,GAAG,CACJ,CAAA;QACH,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAA;QACnC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,yBAAyB,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;QAC7F,CAAC;QACD,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;QACnB,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC"}

package/dist/auth/signing.d.ts

@@ -0,0 +1,50 @@
+/** Distinct token audiences. Each verifier pins exactly one of these. */
+export declare const TOKEN_AUDIENCE: {
+    /** SPA user session (Authorization: Bearer). */
+    readonly session: 'session';
+    /** OAuth login `state` nonce. */
+    readonly oauthState: 'oauth-state';
+    /** Implementation-container → LLM proxy token. */
+    readonly container: 'llm-proxy';
+    /** Single-workspace WebSocket event-stream ticket. */
+    readonly wsTicket: 'ws';
+};
+export type TokenAudience = (typeof TOKEN_AUDIENCE)[keyof typeof TOKEN_AUDIENCE];
+/** Identity we surface to the client. */
+export interface SessionUser {
+    /** Internal user id (`usr_*`) — stable across login providers. */
+    id: string;
+    /** Display handle (GitHub login for GitHub users, else email/local-part). */
+    login: string;
+    name: string | null;
+    avatarUrl: string | null;
+    /** Primary email, when known. */
+    email?: string | null;
+}
+/** A signed session: the user plus an absolute expiry (epoch ms). */
+export interface SessionPayload extends SessionUser {
+    /** Audience pin — always `session` for a user session. */
+    aud: typeof TOKEN_AUDIENCE.session;
+    exp: number;
+}
+export declare class HmacSigner {
+    private readonly secret;
+    private keyPromise?;
+    constructor(secret: string);
+    sign(payload: object): Promise<string>;
+    /**
+     * Return the payload when the signature is valid, unexpired, and (when an
+     * expected audience is given) carries a matching `aud` claim; else null.
+     *
+     * `opts.aud` is REQUIRED in practice for every protected verification: it pins
+     * the token class so a token minted for another audience (e.g. a container
+     * proxy token) cannot be replayed here. It is optional only so the same
+     * primitive can verify legacy/audience-less payloads in tests.
+     */
+    verify<T extends object>(token: string | null | undefined, opts?: {
+        aud?: TokenAudience;
+    }): Promise<T | null>;
+    private mac;
+    private importKey;
+}
+//# sourceMappingURL=signing.d.ts.map

package/dist/auth/signing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../../src/auth/signing.ts"],"names":[],"mappings":"AAqBA,yEAAyE;AACzE,eAAO,MAAM,cAAc;IACzB,gDAAgD;aAChD,OAAO,EAAE,SAAS;IAClB,iCAAiC;aACjC,UAAU,EAAE,aAAa;IACzB,kDAAkD;aAClD,SAAS,EAAE,WAAW;IACtB,sDAAsD;aACtD,QAAQ,EAAE,IAAI;CACN,CAAA;AAEV,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,OAAO,cAAc,CAAC,CAAA;AAEhF,yCAAyC;AACzC,MAAM,WAAW,WAAW;IAC1B,kEAAkE;IAClE,EAAE,EAAE,MAAM,CAAA;IACV,6EAA6E;IAC7E,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;IACxB,iCAAiC;IACjC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CACtB;AAED,qEAAqE;AACrE,MAAM,WAAW,cAAe,SAAQ,WAAW;IACjD,0DAA0D;IAC1D,GAAG,EAAE,OAAO,cAAc,CAAC,OAAO,CAAA;IAClC,GAAG,EAAE,MAAM,CAAA;CACZ;AAED,qBAAa,UAAU;IAGT,OAAO,CAAC,QAAQ,CAAC,MAAM;IAFnC,OAAO,CAAC,UAAU,CAAC,CAAoB;IAEvC,YAA6B,MAAM,EAAE,MAAM,EAAI;IAEzC,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAG3C;IAED;;;;;;;;OAQG;IACG,MAAM,CAAC,CAAC,SAAS,MAAM,EAC3B,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,IAAI,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,aAAa,CAAA;KAAE,GAC7B,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CA6BnB;YAEa,GAAG;IAKjB,OAAO,CAAC,SAAS;CAYlB"}

package/dist/auth/signing.js

@@ -0,0 +1,96 @@
+import { base64url, base64urlToBytes, timingSafeEqual } from '../crypto/encoding.js';
+// Stateless signed tokens for the auth flow, built on Web Crypto (HMAC-SHA256) —
+// no Node `crypto` module, so it runs in a plain Workers isolate and in Node. The
+// same primitive (and the same session secret) backs several distinct token classes:
+//   - the *session token* the SPA carries as `Authorization: Bearer`
+//   - the OAuth *state* nonce that protects the login round-trip from CSRF
+//   - the *container* token an implementation container uses against the LLM proxy
+//   - the short-lived *ws ticket* that authorises one WebSocket event stream
+//
+// Because they share a key and verifier, every token MUST carry an `aud`
+// (audience) claim and every verifier MUST pin the audience it expects, so a
+// token minted for one purpose cannot be replayed as another (e.g. a container
+// proxy token acting as a full user session). `verify` rejects any token whose
+// `aud` does not match the caller's expected audience.
+//
+// Format: `base64url(JSON payload).base64url(HMAC(base64url(JSON payload)))`.
+// The payload is base64url (no dots), so the dot split is unambiguous. Payloads
+// carrying an `exp` (epoch ms) are rejected once expired. There is no server-side
+// store: logout is a client-side drop and expiry bounds the blast radius.
+/** Distinct token audiences. Each verifier pins exactly one of these. */
+export const TOKEN_AUDIENCE = {
+    /** SPA user session (Authorization: Bearer). */
+    session: 'session',
+    /** OAuth login `state` nonce. */
+    oauthState: 'oauth-state',
+    /** Implementation-container → LLM proxy token. */
+    container: 'llm-proxy',
+    /** Single-workspace WebSocket event-stream ticket. */
+    wsTicket: 'ws',
+};
+export class HmacSigner {
+    secret;
+    keyPromise;
+    constructor(secret) {
+        this.secret = secret;
+    }
+    async sign(payload) {
+        const body = base64url(JSON.stringify(payload));
+        return `${body}.${base64url(await this.mac(body))}`;
+    }
+    /**
+     * Return the payload when the signature is valid, unexpired, and (when an
+     * expected audience is given) carries a matching `aud` claim; else null.
+     *
+     * `opts.aud` is REQUIRED in practice for every protected verification: it pins
+     * the token class so a token minted for another audience (e.g. a container
+     * proxy token) cannot be replayed here. It is optional only so the same
+     * primitive can verify legacy/audience-less payloads in tests.
+     */
+    async verify(token, opts) {
+        if (!token)
+            return null;
+        const dot = token.indexOf('.');
+        if (dot <= 0 || dot === token.length - 1)
+            return null;
+        const body = token.slice(0, dot);
+        // Decode the signature segment defensively: a malformed base64url tail must
+        // fail closed (null → 401), never throw out of `atob` into a 500.
+        let provided;
+        try {
+            provided = base64urlToBytes(token.slice(dot + 1));
+        }
+        catch {
+            return null;
+        }
+        const expected = new Uint8Array(await this.mac(body));
+        if (!timingSafeEqual(provided, expected))
+            return null;
+        let payload;
+        try {
+            payload = JSON.parse(new TextDecoder().decode(base64urlToBytes(body)));
+        }
+        catch {
+            return null;
+        }
+        const exp = payload.exp;
+        if (typeof exp === 'number' && exp < Date.now())
+            return null;
+        // Audience pin: when the caller expects a specific audience, the token's
+        // `aud` must match exactly. This is the cross-token-confusion defence.
+        if (opts?.aud !== undefined && payload.aud !== opts.aud)
+            return null;
+        return payload;
+    }
+    async mac(input) {
+        const key = await this.importKey();
+        return crypto.subtle.sign('HMAC', key, new TextEncoder().encode(input));
+    }
+    importKey() {
+        if (!this.keyPromise) {
+            this.keyPromise = crypto.subtle.importKey('raw', new TextEncoder().encode(this.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+        }
+        return this.keyPromise;
+    }
+}
+//# sourceMappingURL=signing.js.map

package/dist/auth/signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.js","sourceRoot":"","sources":["../../src/auth/signing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA;AAEpF,iFAAiF;AACjF,kFAAkF;AAClF,qFAAqF;AACrF,qEAAqE;AACrE,2EAA2E;AAC3E,mFAAmF;AACnF,6EAA6E;AAC7E,EAAE;AACF,yEAAyE;AACzE,6EAA6E;AAC7E,+EAA+E;AAC/E,+EAA+E;AAC/E,uDAAuD;AACvD,EAAE;AACF,8EAA8E;AAC9E,gFAAgF;AAChF,kFAAkF;AAClF,0EAA0E;AAE1E,yEAAyE;AACzE,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,gDAAgD;IAChD,OAAO,EAAE,SAAS;IAClB,iCAAiC;IACjC,UAAU,EAAE,aAAa;IACzB,kDAAkD;IAClD,SAAS,EAAE,WAAW;IACtB,sDAAsD;IACtD,QAAQ,EAAE,IAAI;CACN,CAAA;AAuBV,MAAM,OAAO,UAAU;IAGQ,MAAM;IAF3B,UAAU,CAAqB;IAEvC,YAA6B,MAAc;sBAAd,MAAM;IAAW,CAAC;IAE/C,KAAK,CAAC,IAAI,CAAC,OAAe;QACxB,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAA;QAC/C,OAAO,GAAG,IAAI,IAAI,SAAS,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAA;IACrD,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,MAAM,CACV,KAAgC,EAChC,IAA8B;QAE9B,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAC9B,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAA;QACrD,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;QAEhC,4EAA4E;QAC5E,kEAAkE;QAClE,IAAI,QAAoB,CAAA;QACxB,IAAI,CAAC;YACH,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAA;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;QACrD,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAA;QAErD,IAAI,OAAU,CAAA;QACd,IAAI,CAAC;YACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAM,CAAA;QAC7E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QACD,MAAM,GAAG,GAAI,OAA6B,CAAC,GAAG,CAAA;QAC9C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAA;QAC5D,yEAAyE;QACzE,uEAAuE;QACvE,IAAI,IAAI,EAAE,GAAG,KAAK,SAAS,IAAK,OAA6B,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAA;QAC3F,OAAO,OAAO,CAAA;IAChB,CAAC;IAEO,KAAK,CAAC,GAAG,CAAC,KAAa;QAC7B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAA;QAClC,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;IACzE,CAAC;IAEO,SAAS;QACf,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EACrC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAA;QACH,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAA;IACxB,CAAC;CACF"}

package/dist/auth/wsTicket.d.ts

@@ -0,0 +1,34 @@
+import type { AuthConfig } from '../config/types.js';
+import { TOKEN_AUDIENCE } from './signing.js';
+/** Ticket lifetime: just long enough to open the socket. */
+export declare const WS_TICKET_TTL_MS: number;
+export interface WsTicket {
+    aud: typeof TOKEN_AUDIENCE.wsTicket;
+    workspaceId: string;
+    exp: number;
+}
+/**
+ * Mint a workspace-scoped WS ticket. Returns `''` when auth is disabled (dev) — the
+ * handshake is then open and no ticket is needed.
+ */
+export declare function mintWsTicket(auth: AuthConfig, workspaceId: string): Promise<string>;
+/**
+ * The verdict of authorising a WS upgrade, modelled so each facade maps it to its own
+ * transport's rejection (an HTTP status on the Worker's `Response`, a raw status line
+ * on the Node socket).
+ */
+export type WsUpgradeAuth = {
+    ok: true;
+} | {
+    ok: false;
+    status: 401 | 503;
+    message: string;
+};
+/**
+ * Authorise a WS event-stream upgrade for `workspaceId` from its `?ticket=`:
+ *   - auth enabled  → require a valid, unexpired, workspace-matching ticket (else 401)
+ *   - auth disabled but dev-open → allow (open handshake)
+ *   - auth unconfigured in production → 503 (mirror `requireAuth`: fail closed)
+ */
+export declare function authorizeWsUpgrade(auth: AuthConfig, ticket: string | undefined, workspaceId: string): Promise<WsUpgradeAuth>;
+//# sourceMappingURL=wsTicket.d.ts.map

package/dist/auth/wsTicket.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wsTicket.d.ts","sourceRoot":"","sources":["../../src/auth/wsTicket.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AACpD,OAAO,EAAc,cAAc,EAAE,MAAM,cAAc,CAAA;AAczD,4DAA4D;AAC5D,eAAO,MAAM,gBAAgB,QAAY,CAAA;AAEzC,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,OAAO,cAAc,CAAC,QAAQ,CAAA;IACnC,WAAW,EAAE,MAAM,CAAA;IACnB,GAAG,EAAE,MAAM,CAAA;CACZ;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAQzF;AAED;;;;GAIG;AACH,MAAM,MAAM,aAAa,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,GAAG,GAAG,GAAG,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAA;AAE5F;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,UAAU,EAChB,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,aAAa,CAAC,CAcxB"}

package/dist/auth/wsTicket.js

@@ -0,0 +1,50 @@
+import { HmacSigner, TOKEN_AUDIENCE } from './signing.js';
+// The short-lived, single-workspace ticket that authorises ONE WebSocket event-stream
+// handshake. A browser can't set `Authorization` on a WS handshake, so the SPA mints
+// this over the authenticated REST channel (`POST .../events/ticket`) and passes it as
+// `?ticket=`. It is audience-pinned (`ws`) and bound to one `workspaceId`, so it cannot
+// be replayed as a session, against the LLM proxy, or for another workspace.
+//
+// The mint + verify live here (not inline in the controller) because both runtimes need
+// them: the Cloudflare Worker verifies inside the shared `eventsController` GET handler,
+// while the Node service verifies in its HTTP-server `upgrade` listener (the upgrade
+// can't be expressed as a Hono `Response` there, so it bypasses the controller). One
+// implementation keeps the two handshakes authorising identically.
+/** Ticket lifetime: just long enough to open the socket. */
+export const WS_TICKET_TTL_MS = 60 * 1000;
+/**
+ * Mint a workspace-scoped WS ticket. Returns `''` when auth is disabled (dev) — the
+ * handshake is then open and no ticket is needed.
+ */
+export async function mintWsTicket(auth, workspaceId) {
+    if (!auth.enabled)
+        return '';
+    const ticket = {
+        aud: TOKEN_AUDIENCE.wsTicket,
+        workspaceId,
+        exp: Date.now() + WS_TICKET_TTL_MS,
+    };
+    return new HmacSigner(auth.sessionSecret).sign(ticket);
+}
+/**
+ * Authorise a WS event-stream upgrade for `workspaceId` from its `?ticket=`:
+ *   - auth enabled  → require a valid, unexpired, workspace-matching ticket (else 401)
+ *   - auth disabled but dev-open → allow (open handshake)
+ *   - auth unconfigured in production → 503 (mirror `requireAuth`: fail closed)
+ */
+export async function authorizeWsUpgrade(auth, ticket, workspaceId) {
+    if (auth.enabled) {
+        const verified = await new HmacSigner(auth.sessionSecret).verify(ticket, {
+            aud: TOKEN_AUDIENCE.wsTicket,
+        });
+        if (!verified || verified.workspaceId !== workspaceId) {
+            return { ok: false, status: 401, message: 'unauthorized' };
+        }
+        return { ok: true };
+    }
+    if (!auth.devOpen) {
+        return { ok: false, status: 503, message: 'authentication is required but not configured' };
+    }
+    return { ok: true };
+}
+//# sourceMappingURL=wsTicket.js.map

package/dist/auth/wsTicket.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wsTicket.js","sourceRoot":"","sources":["../../src/auth/wsTicket.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,cAAc,CAAA;AAEzD,sFAAsF;AACtF,qFAAqF;AACrF,uFAAuF;AACvF,wFAAwF;AACxF,6EAA6E;AAC7E,EAAE;AACF,wFAAwF;AACxF,yFAAyF;AACzF,qFAAqF;AACrF,qFAAqF;AACrF,mEAAmE;AAEnE,4DAA4D;AAC5D,MAAM,CAAC,MAAM,gBAAgB,GAAG,EAAE,GAAG,IAAI,CAAA;AAQzC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAgB,EAAE,WAAmB;IACtE,IAAI,CAAC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAA;IAC5B,MAAM,MAAM,GAAa;QACvB,GAAG,EAAE,cAAc,CAAC,QAAQ;QAC5B,WAAW;QACX,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,gBAAgB;KACnC,CAAA;IACD,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;AACxD,CAAC;AASD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,IAAgB,EAChB,MAA0B,EAC1B,WAAmB;IAEnB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,QAAQ,GAAG,MAAM,IAAI,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,CAAW,MAAM,EAAE;YACjF,GAAG,EAAE,cAAc,CAAC,QAAQ;SAC7B,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,cAAc,EAAE,CAAA;QAC5D,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;IACrB,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,+CAA+C,EAAE,CAAA;IAC7F,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;AACrB,CAAC"}