@cedros/login-react 0.0.12 → 0.0.13

package/dist/apiClient-B2JxVPlH.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"apiClient-B2JxVPlH.js","sources":["../src/utils/csrf.ts","../src/context/useCedrosLogin.ts","../src/utils/apiClient.ts"],"sourcesContent":["// UI-CSRF: Minimum CSRF token length to prevent weak/trivial tokens\n// UI-07: Raised from 20 to 32 bytes to meet minimum entropy requirements\nconst MIN_CSRF_TOKEN_LENGTH = 32;\n\nexport function getCsrfToken(): string | null {\n  if (typeof document === 'undefined') return null;\n\n  const metaTag = document.querySelector('meta[name=\"csrf-token\"]');\n  if (metaTag) {\n    const content = metaTag.getAttribute('content');\n    // UI-CSRF: Reject weak tokens\n    if (content && content.length >= MIN_CSRF_TOKEN_LENGTH) {\n      return content;\n    }\n  }\n\n  // UI-2 FIX: Use case-insensitive comparison for cookie names.\n  // Server may set cookie with different casing (XSRF-TOKEN, xsrf-token, etc.)\n  const cookies = document.cookie.split(';');\n  for (const cookie of cookies) {\n    const [name, ...rest] = cookie.trim().split('=');\n    const value = rest.join('=');\n    const nameLower = name.toLowerCase();\n    if (nameLower === 'xsrf-token' || nameLower === 'csrf-token') {\n      try {\n        const decoded = decodeURIComponent(value.trim());\n        // UI-CSRF: Reject weak tokens\n        if (decoded.length >= MIN_CSRF_TOKEN_LENGTH) {\n          return decoded;\n        }\n      } catch {\n        // Malformed URL-encoded value - skip this cookie\n        continue;\n      }\n    }\n  }\n\n  return null;\n}\n","import { useContext } from 'react';\nimport {\n  AuthStateContext,\n  AuthUIContext,\n  CedrosLoginContext,\n  type AuthStateContextValue,\n  type AuthUIContextValue,\n  type CedrosLoginContextValue,\n} from './CedrosLoginContext';\n\n/**\n * Hook to access the full Cedros Login context.\n * Must be used within a CedrosLoginProvider.\n *\n * For better performance, prefer `useAuthState()` or `useAuthUI()` when you\n * only need a subset of the context. This hook re-renders on any change.\n */\nexport function useCedrosLogin(): CedrosLoginContextValue {\n  const context = useContext(CedrosLoginContext);\n  if (!context) {\n    throw new Error('useCedrosLogin must be used within a CedrosLoginProvider');\n  }\n  return context;\n}\n\n/**\n * Optional version of useCedrosLogin that returns null instead of throwing\n * when used outside a CedrosLoginProvider. Useful for components that need\n * to work in both provider and non-provider contexts (e.g., Storybook demos).\n */\nexport function useCedrosLoginOptional(): CedrosLoginContextValue | null {\n  return useContext(CedrosLoginContext);\n}\n\n/**\n * Hook to access only auth state (user, authState, config, logout, refreshUser).\n *\n * Does NOT re-render on UI state changes (modal, error). Use this in components\n * that only need to know about authentication status.\n */\nexport function useAuthState(): AuthStateContextValue {\n  const context = useContext(AuthStateContext);\n  if (!context) {\n    throw new Error('useAuthState must be used within a CedrosLoginProvider');\n  }\n  return context;\n}\n\n/**\n * Hook to access only UI state (isModalOpen, error, openModal, closeModal).\n *\n * Does NOT re-render on auth state changes (login, token refresh). Use this\n * in components that only control the login modal or display errors.\n */\nexport function useAuthUI(): AuthUIContextValue {\n  const context = useContext(AuthUIContext);\n  if (!context) {\n    throw new Error('useAuthUI must be used within a CedrosLoginProvider');\n  }\n  return context;\n}\n","import type { AuthError, AuthErrorCode } from '../types';\nimport { getCsrfToken } from './csrf';\n\nconst DEFAULT_TIMEOUT_MS = 10_000;\nconst DEFAULT_RETRY_ATTEMPTS = 2;\n\nexport interface ApiClientConfig {\n  baseUrl: string;\n  timeoutMs?: number;\n  retryAttempts?: number;\n  getAccessToken?: () => string | null;\n}\n\n/**\n * M-02: Response validator function type.\n * Returns the validated data or throws on invalid shape.\n */\nexport type ResponseValidator<T> = (data: unknown) => T;\n\nexport interface RequestOptions<T = unknown> {\n  method: 'GET' | 'HEAD' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';\n  path: string;\n  body?: unknown;\n  credentials?: RequestCredentials;\n  skipRetry?: boolean;\n  /** M-02: Optional validator to verify response shape at runtime */\n  validator?: ResponseValidator<T>;\n}\n\n/**\n * Creates an authentication error from response data\n */\nexport function createAuthError(\n  data: { code?: string; message?: string; details?: Record<string, unknown> },\n  fallbackMessage: string\n): AuthError {\n  return {\n    code: (data.code as AuthErrorCode) || 'SERVER_ERROR',\n    message: data.message || fallbackMessage,\n    details: data.details,\n  };\n}\n\n/**\n * Creates a network error\n */\nexport function createNetworkError(): AuthError {\n  return {\n    code: 'NETWORK_ERROR',\n    message: 'Unable to connect to server',\n  };\n}\n\n/**\n * Fetch with timeout support\n */\nasync function fetchWithTimeout(\n  url: string,\n  options: RequestInit,\n  timeoutMs: number\n): Promise<Response> {\n  const controller = new AbortController();\n  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);\n\n  try {\n    const response = await fetch(url, {\n      ...options,\n      signal: controller.signal,\n    });\n    return response;\n  } finally {\n    clearTimeout(timeoutId);\n  }\n}\n\n/**\n * Determines if an error is retryable\n * UI-8 FIX: AbortError (timeout) should NOT be retried - server may have processed request\n */\nfunction isRetryableError(error: unknown): boolean {\n  if (error instanceof Error) {\n    if ((error as { retryable?: boolean }).retryable) return true;\n    // UI-8: AbortError from timeout should NOT be retried\n    // Server may have processed the request (just responded slowly)\n    // Retrying could cause duplicate operations\n    if (error.name === 'AbortError') return false;\n    // Network errors (connection failed) are safe to retry\n    if (error.message.includes('fetch')) return true;\n  }\n  return false;\n}\n\n/**\n * Delays execution for the specified duration\n */\nfunction delay(ms: number): Promise<void> {\n  return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n/**\n * API client for making authenticated requests with timeout and retry support\n */\nexport class ApiClient {\n  private baseUrl: string;\n  private timeoutMs: number;\n  private retryAttempts: number;\n  private getAccessToken?: () => string | null;\n\n  constructor(config: ApiClientConfig) {\n    this.baseUrl = config.baseUrl;\n    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n    this.retryAttempts = config.retryAttempts ?? DEFAULT_RETRY_ATTEMPTS;\n    this.getAccessToken = config.getAccessToken;\n  }\n\n  /**\n   * Make an API request with timeout and optional retry\n   */\n  async request<T>(options: RequestOptions<T>): Promise<T> {\n    const { method, path, body, credentials = 'include', skipRetry = false, validator } = options;\n    const url = `${this.baseUrl}${path}`;\n    // S-10: DELETE excluded — retrying mid-flight DELETE failures risks double-deletion\n    const isIdempotent = method === 'GET' || method === 'HEAD' || method === 'PUT';\n    const maxAttempts = skipRetry || !isIdempotent ? 1 : this.retryAttempts + 1;\n\n    // Build headers with CSRF token if available\n    const headers: Record<string, string> = {};\n    if (body !== undefined) {\n      headers['Content-Type'] = 'application/json';\n    }\n    const accessToken = this.getAccessToken?.();\n    if (accessToken) {\n      headers.Authorization = `Bearer ${accessToken}`;\n    }\n    const csrfToken = getCsrfToken();\n    if (csrfToken) {\n      headers['X-CSRF-Token'] = csrfToken;\n    }\n\n    let lastError: unknown;\n\n    for (let attempt = 1; attempt <= maxAttempts; attempt++) {\n      try {\n        const response = await fetchWithTimeout(\n          url,\n          {\n            method,\n            headers,\n            credentials,\n            body: body !== undefined ? JSON.stringify(body) : undefined,\n          },\n          this.timeoutMs\n        );\n\n        const contentType = response.headers.get('content-type') || '';\n        let data: { code?: string; message?: string; details?: Record<string, unknown> } = {};\n\n        if (contentType.includes('application/json')) {\n          if (response.status !== 204) {\n            try {\n              data = (await response.json()) as {\n                code?: string;\n                message?: string;\n                details?: Record<string, unknown>;\n              };\n            } catch (e) {\n              // UI-JSON: Include actual parse error for easier debugging\n              const parseError = e instanceof Error ? e.message : 'parse failed';\n              throw new Error(`Invalid JSON response: ${parseError}`);\n            }\n          }\n        } else {\n          // U-01: Handle non-JSON responses with informative error messages\n          // Proxies/load balancers may return HTML error pages (502, 503)\n          const text = await response.text();\n          if (text) {\n            // Truncate very long responses (e.g., HTML pages) for readability\n            const truncated = text.length > 200 ? text.slice(0, 200) + '...' : text;\n            const isHtml = contentType.includes('text/html') || text.trimStart().startsWith('<');\n            data = {\n              message: isHtml\n                ? `Unexpected HTML response (${response.status}). The server may be unavailable.`\n                : truncated,\n            };\n          }\n        }\n\n        if (!response.ok) {\n          // Don't retry 4xx errors (client errors)\n          if (response.status >= 400 && response.status < 500) {\n            throw { isApiError: true, data, status: response.status };\n          }\n          // Retry 5xx errors\n          const err = new Error(`Server error: ${response.status}`);\n          (err as { retryable?: boolean }).retryable = true;\n          throw err;\n        }\n\n        // M-02: Apply response validation if provided\n        if (validator) {\n          try {\n            return validator(data);\n          } catch (validationError) {\n            throw new Error(\n              `Response validation failed: ${validationError instanceof Error ? validationError.message : 'Invalid response shape'}`\n            );\n          }\n        }\n\n        return data as T;\n      } catch (error) {\n        lastError = error;\n\n        // Don't retry API errors (4xx responses)\n        if (typeof error === 'object' && error !== null && 'isApiError' in error) {\n          throw error;\n        }\n\n        // Check if we should retry\n        if (attempt < maxAttempts && isRetryableError(error)) {\n          // Exponential backoff: 100ms, 200ms, 400ms...\n          await delay(100 * Math.pow(2, attempt - 1));\n          continue;\n        }\n\n        throw error;\n      }\n    }\n\n    throw lastError;\n  }\n\n  /**\n   * POST request helper\n   */\n  async post<T>(path: string, body: unknown, options?: Partial<RequestOptions<T>>): Promise<T> {\n    return this.request<T>({ method: 'POST', path, body, ...options });\n  }\n\n  /**\n   * GET request helper\n   */\n  async get<T>(path: string, options?: Partial<RequestOptions<T>>): Promise<T> {\n    return this.request<T>({ method: 'GET', path, ...options });\n  }\n\n  /**\n   * PATCH request helper\n   */\n  async patch<T>(path: string, body: unknown, options?: Partial<RequestOptions<T>>): Promise<T> {\n    return this.request<T>({ method: 'PATCH', path, body, ...options });\n  }\n\n  /**\n   * DELETE request helper\n   */\n  async delete<T>(path: string, options?: Partial<RequestOptions<T>>): Promise<T> {\n    return this.request<T>({ method: 'DELETE', path, ...options });\n  }\n}\n\ninterface ApiErrorResponse {\n  isApiError: true;\n  data: { code?: string; message?: string; details?: Record<string, unknown> };\n  status: number;\n}\n\nfunction isApiErrorResponse(err: unknown): err is ApiErrorResponse {\n  return typeof err === 'object' && err !== null && 'isApiError' in err;\n}\n\nfunction isAuthError(err: unknown): err is AuthError {\n  return typeof err === 'object' && err !== null && 'code' in err && 'message' in err;\n}\n\n/**\n * M-02: Helper to create a basic object shape validator.\n * Checks that required keys exist and are of expected types.\n * @example\n * const validateUser = createValidator<User>({\n *   id: 'string',\n *   email: 'string',\n *   role: 'string',\n * });\n */\nexport function createValidator<T>(\n  shape: Record<keyof T & string, 'string' | 'number' | 'boolean' | 'object'>\n): ResponseValidator<T> {\n  return (data: unknown): T => {\n    if (typeof data !== 'object' || data === null) {\n      throw new Error('Expected object response');\n    }\n    const obj = data as Record<string, unknown>;\n    for (const [key, expectedType] of Object.entries(shape)) {\n      if (!(key in obj)) {\n        throw new Error(`Missing required field: ${key}`);\n      }\n      const actualType = typeof obj[key];\n      if (actualType !== expectedType) {\n        throw new Error(`Invalid type for ${key}: expected ${expectedType}, got ${actualType}`);\n      }\n    }\n    return data as T;\n  };\n}\n\n/**\n * Converts API errors to AuthError format\n */\nexport function handleApiError(err: unknown, fallbackMessage: string): AuthError {\n  // Already an AuthError\n  if (isAuthError(err)) {\n    return err;\n  }\n\n  // API error response (4xx/5xx)\n  if (isApiErrorResponse(err)) {\n    return createAuthError(err.data, fallbackMessage);\n  }\n\n  if (err instanceof Error) {\n    if (err.name === 'AbortError') {\n      return {\n        code: 'NETWORK_ERROR',\n        message: 'Request timed out',\n      };\n    }\n    if (\n      err.message.startsWith('Server error:') ||\n      err.message.startsWith('Invalid JSON response')\n    ) {\n      return {\n        code: 'SERVER_ERROR',\n        message: fallbackMessage,\n      };\n    }\n  }\n\n  // Network or timeout error\n  return createNetworkError();\n}\n"],"names":["MIN_CSRF_TOKEN_LENGTH","getCsrfToken","metaTag","content","cookies","cookie","name","rest","value","nameLower","decoded","useCedrosLogin","context","useContext","CedrosLoginContext","useCedrosLoginOptional","useAuthState","AuthStateContext","useAuthUI","AuthUIContext","DEFAULT_TIMEOUT_MS","DEFAULT_RETRY_ATTEMPTS","createAuthError","data","fallbackMessage","createNetworkError","fetchWithTimeout","url","options","timeoutMs","controller","timeoutId","isRetryableError","error","delay","ms","resolve","ApiClient","config","method","path","body","credentials","skipRetry","validator","maxAttempts","headers","accessToken","csrfToken","lastError","attempt","response","contentType","e","parseError","text","truncated","err","validationError","isApiErrorResponse","isAuthError","handleApiError"],"mappings":";;AAEA,MAAMA,IAAwB;AAEvB,SAASC,IAA8B;AAC5C,MAAI,OAAO,WAAa,IAAa,QAAO;AAE5C,QAAMC,IAAU,SAAS,cAAc,yBAAyB;AAChE,MAAIA,GAAS;AACX,UAAMC,IAAUD,EAAQ,aAAa,SAAS;AAE9C,QAAIC,KAAWA,EAAQ,UAAUH;AAC/B,aAAOG;AAAA,EAEX;AAIA,QAAMC,IAAU,SAAS,OAAO,MAAM,GAAG;AACzC,aAAWC,KAAUD,GAAS;AAC5B,UAAM,CAACE,GAAM,GAAGC,CAAI,IAAIF,EAAO,KAAA,EAAO,MAAM,GAAG,GACzCG,IAAQD,EAAK,KAAK,GAAG,GACrBE,IAAYH,EAAK,YAAA;AACvB,QAAIG,MAAc,gBAAgBA,MAAc;AAC9C,UAAI;AACF,cAAMC,IAAU,mBAAmBF,EAAM,KAAA,CAAM;AAE/C,YAAIE,EAAQ,UAAUV;AACpB,iBAAOU;AAAA,MAEX,QAAQ;AAEN;AAAA,MACF;AAAA,EAEJ;AAEA,SAAO;AACT;ACrBO,SAASC,IAA0C;AACxD,QAAMC,IAAUC,EAAWC,CAAkB;AAC7C,MAAI,CAACF;AACH,UAAM,IAAI,MAAM,0DAA0D;AAE5E,SAAOA;AACT;AAOO,SAASG,IAAyD;AACvE,SAAOF,EAAWC,CAAkB;AACtC;AAQO,SAASE,IAAsC;AACpD,QAAMJ,IAAUC,EAAWI,CAAgB;AAC3C,MAAI,CAACL;AACH,UAAM,IAAI,MAAM,wDAAwD;AAE1E,SAAOA;AACT;AAQO,SAASM,IAAgC;AAC9C,QAAMN,IAAUC,EAAWM,CAAa;AACxC,MAAI,CAACP;AACH,UAAM,IAAI,MAAM,qDAAqD;AAEvE,SAAOA;AACT;ACzDA,MAAMQ,IAAqB,KACrBC,IAAyB;AA4BxB,SAASC,EACdC,GACAC,GACW;AACX,SAAO;AAAA,IACL,MAAOD,EAAK,QAA0B;AAAA,IACtC,SAASA,EAAK,WAAWC;AAAA,IACzB,SAASD,EAAK;AAAA,EAAA;AAElB;AAKO,SAASE,IAAgC;AAC9C,SAAO;AAAA,IACL,MAAM;AAAA,IACN,SAAS;AAAA,EAAA;AAEb;AAKA,eAAeC,EACbC,GACAC,GACAC,GACmB;AACnB,QAAMC,IAAa,IAAI,gBAAA,GACjBC,IAAY,WAAW,MAAMD,EAAW,MAAA,GAASD,CAAS;AAEhE,MAAI;AAKF,WAJiB,MAAM,MAAMF,GAAK;AAAA,MAChC,GAAGC;AAAA,MACH,QAAQE,EAAW;AAAA,IAAA,CACpB;AAAA,EAEH,UAAA;AACE,iBAAaC,CAAS;AAAA,EACxB;AACF;AAMA,SAASC,EAAiBC,GAAyB;AACjD,MAAIA,aAAiB,OAAO;AAC1B,QAAKA,EAAkC,UAAW,QAAO;AAIzD,QAAIA,EAAM,SAAS,aAAc,QAAO;AAExC,QAAIA,EAAM,QAAQ,SAAS,OAAO,EAAG,QAAO;AAAA,EAC9C;AACA,SAAO;AACT;AAKA,SAASC,EAAMC,GAA2B;AACxC,SAAO,IAAI,QAAQ,CAACC,MAAY,WAAWA,GAASD,CAAE,CAAC;AACzD;AAKO,MAAME,EAAU;AAAA,EACb;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAER,YAAYC,GAAyB;AACnC,SAAK,UAAUA,EAAO,SACtB,KAAK,YAAYA,EAAO,aAAalB,GACrC,KAAK,gBAAgBkB,EAAO,iBAAiBjB,GAC7C,KAAK,iBAAiBiB,EAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAWV,GAAwC;AACvD,UAAM,EAAE,QAAAW,GAAQ,MAAAC,GAAM,MAAAC,GAAM,aAAAC,IAAc,WAAW,WAAAC,IAAY,IAAO,WAAAC,EAAA,IAAchB,GAChFD,IAAM,GAAG,KAAK,OAAO,GAAGa,CAAI,IAG5BK,IAAcF,KAAa,EADZJ,MAAW,SAASA,MAAW,UAAUA,MAAW,SACxB,IAAI,KAAK,gBAAgB,GAGpEO,IAAkC,CAAA;AACxC,IAAIL,MAAS,WACXK,EAAQ,cAAc,IAAI;AAE5B,UAAMC,IAAc,KAAK,iBAAA;AACzB,IAAIA,MACFD,EAAQ,gBAAgB,UAAUC,CAAW;AAE/C,UAAMC,IAAY/C,EAAA;AAClB,IAAI+C,MACFF,EAAQ,cAAc,IAAIE;AAG5B,QAAIC;AAEJ,aAASC,IAAU,GAAGA,KAAWL,GAAaK;AAC5C,UAAI;AACF,cAAMC,IAAW,MAAMzB;AAAA,UACrBC;AAAA,UACA;AAAA,YACE,QAAAY;AAAA,YACA,SAAAO;AAAA,YACA,aAAAJ;AAAA,YACA,MAAMD,MAAS,SAAY,KAAK,UAAUA,CAAI,IAAI;AAAA,UAAA;AAAA,UAEpD,KAAK;AAAA,QAAA,GAGDW,IAAcD,EAAS,QAAQ,IAAI,cAAc,KAAK;AAC5D,YAAI5B,IAA+E,CAAA;AAEnF,YAAI6B,EAAY,SAAS,kBAAkB;AACzC,cAAID,EAAS,WAAW;AACtB,gBAAI;AACF,cAAA5B,IAAQ,MAAM4B,EAAS,KAAA;AAAA,YAKzB,SAASE,GAAG;AAEV,oBAAMC,IAAaD,aAAa,QAAQA,EAAE,UAAU;AACpD,oBAAM,IAAI,MAAM,0BAA0BC,CAAU,EAAE;AAAA,YACxD;AAAA,eAEG;AAGL,gBAAMC,IAAO,MAAMJ,EAAS,KAAA;AAC5B,cAAII,GAAM;AAER,kBAAMC,IAAYD,EAAK,SAAS,MAAMA,EAAK,MAAM,GAAG,GAAG,IAAI,QAAQA;AAEnE,YAAAhC,IAAO;AAAA,cACL,SAFa6B,EAAY,SAAS,WAAW,KAAKG,EAAK,UAAA,EAAY,WAAW,GAAG,IAG7E,6BAA6BJ,EAAS,MAAM,sCAC5CK;AAAA,YAAA;AAAA,UAER;AAAA,QACF;AAEA,YAAI,CAACL,EAAS,IAAI;AAEhB,cAAIA,EAAS,UAAU,OAAOA,EAAS,SAAS;AAC9C,kBAAM,EAAE,YAAY,IAAM,MAAA5B,GAAM,QAAQ4B,EAAS,OAAA;AAGnD,gBAAMM,IAAM,IAAI,MAAM,iBAAiBN,EAAS,MAAM,EAAE;AACvD,gBAAAM,EAAgC,YAAY,IACvCA;AAAA,QACR;AAGA,YAAIb;AACF,cAAI;AACF,mBAAOA,EAAUrB,CAAI;AAAA,UACvB,SAASmC,GAAiB;AACxB,kBAAM,IAAI;AAAA,cACR,+BAA+BA,aAA2B,QAAQA,EAAgB,UAAU,wBAAwB;AAAA,YAAA;AAAA,UAExH;AAGF,eAAOnC;AAAA,MACT,SAASU,GAAO;AAId,YAHAgB,IAAYhB,GAGR,OAAOA,KAAU,YAAYA,MAAU,QAAQ,gBAAgBA;AACjE,gBAAMA;AAIR,YAAIiB,IAAUL,KAAeb,EAAiBC,CAAK,GAAG;AAEpD,gBAAMC,EAAM,MAAM,KAAK,IAAI,GAAGgB,IAAU,CAAC,CAAC;AAC1C;AAAA,QACF;AAEA,cAAMjB;AAAA,MACR;AAGF,UAAMgB;AAAA,EACR;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAQT,GAAcC,GAAeb,GAAkD;AAC3F,WAAO,KAAK,QAAW,EAAE,QAAQ,QAAQ,MAAAY,GAAM,MAAAC,GAAM,GAAGb,GAAS;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAOY,GAAcZ,GAAkD;AAC3E,WAAO,KAAK,QAAW,EAAE,QAAQ,OAAO,MAAAY,GAAM,GAAGZ,GAAS;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAASY,GAAcC,GAAeb,GAAkD;AAC5F,WAAO,KAAK,QAAW,EAAE,QAAQ,SAAS,MAAAY,GAAM,MAAAC,GAAM,GAAGb,GAAS;AAAA,EACpE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAUY,GAAcZ,GAAkD;AAC9E,WAAO,KAAK,QAAW,EAAE,QAAQ,UAAU,MAAAY,GAAM,GAAGZ,GAAS;AAAA,EAC/D;AACF;AAQA,SAAS+B,EAAmBF,GAAuC;AACjE,SAAO,OAAOA,KAAQ,YAAYA,MAAQ,QAAQ,gBAAgBA;AACpE;AAEA,SAASG,EAAYH,GAAgC;AACnD,SAAO,OAAOA,KAAQ,YAAYA,MAAQ,QAAQ,UAAUA,KAAO,aAAaA;AAClF;AAoCO,SAASI,EAAeJ,GAAcjC,GAAoC;AAE/E,MAAIoC,EAAYH,CAAG;AACjB,WAAOA;AAIT,MAAIE,EAAmBF,CAAG;AACxB,WAAOnC,EAAgBmC,EAAI,MAAMjC,CAAe;AAGlD,MAAIiC,aAAe,OAAO;AACxB,QAAIA,EAAI,SAAS;AACf,aAAO;AAAA,QACL,MAAM;AAAA,QACN,SAAS;AAAA,MAAA;AAGb,QACEA,EAAI,QAAQ,WAAW,eAAe,KACtCA,EAAI,QAAQ,WAAW,uBAAuB;AAE9C,aAAO;AAAA,QACL,MAAM;AAAA,QACN,SAASjC;AAAA,MAAA;AAAA,EAGf;AAGA,SAAOC,EAAA;AACT;"}

package/dist/apiClient-CTTKhsYb.cjs

@@ -0,0 +1 @@
+"use strict";const h=require("react"),m=require("./LoadingSpinner-d6sSxgQN.cjs"),w=32;function C(){if(typeof document>"u")return null;const t=document.querySelector('meta[name="csrf-token"]');if(t){const r=t.getAttribute("content");if(r&&r.length>=w)return r}const e=document.cookie.split(";");for(const r of e){const[s,...i]=r.trim().split("="),a=i.join("="),l=s.toLowerCase();if(l==="xsrf-token"||l==="csrf-token")try{const u=decodeURIComponent(a.trim());if(u.length>=w)return u}catch{continue}}return null}function b(){const t=h.useContext(m.CedrosLoginContext);if(!t)throw new Error("useCedrosLogin must be used within a CedrosLoginProvider");return t}function S(){return h.useContext(m.CedrosLoginContext)}function v(){const t=h.useContext(m.AuthStateContext);if(!t)throw new Error("useAuthState must be used within a CedrosLoginProvider");return t}function L(){const t=h.useContext(m.AuthUIContext);if(!t)throw new Error("useAuthUI must be used within a CedrosLoginProvider");return t}const k=1e4,x=2;function U(t,e){return{code:t.code||"SERVER_ERROR",message:t.message||e,details:t.details}}function O(){return{code:"NETWORK_ERROR",message:"Unable to connect to server"}}async function I(t,e,r){const s=new AbortController,i=setTimeout(()=>s.abort(),r);try{return await fetch(t,{...e,signal:s.signal})}finally{clearTimeout(i)}}function _(t){if(t instanceof Error){if(t.retryable)return!0;if(t.name==="AbortError")return!1;if(t.message.includes("fetch"))return!0}return!1}function q(t){return new Promise(e=>setTimeout(e,t))}class M{baseUrl;timeoutMs;retryAttempts;getAccessToken;constructor(e){this.baseUrl=e.baseUrl,this.timeoutMs=e.timeoutMs??k,this.retryAttempts=e.retryAttempts??x,this.getAccessToken=e.getAccessToken}async request(e){const{method:r,path:s,body:i,credentials:a="include",skipRetry:l=!1,validator:u}=e,R=`${this.baseUrl}${s}`,E=l||!(r==="GET"||r==="HEAD"||r==="PUT")?1:this.retryAttempts+1,d={};i!==void 0&&(d["Content-Type"]="application/json");const A=this.getAccessToken?.();A&&(d.Authorization=`Bearer ${A}`);const T=C();T&&(d["X-CSRF-Token"]=T);let g;for(let f=1;f<=E;f++)try{const n=await I(R,{method:r,headers:d,credentials:a,body:i!==void 0?JSON.stringify(i):void 0},this.timeoutMs),y=n.headers.get("content-type")||"";let c={};if(y.includes("application/json")){if(n.status!==204)try{c=await n.json()}catch(o){const p=o instanceof Error?o.message:"parse failed";throw new Error(`Invalid JSON response: ${p}`)}}else{const o=await n.text();if(o){const p=o.length>200?o.slice(0,200)+"...":o;c={message:y.includes("text/html")||o.trimStart().startsWith("<")?`Unexpected HTML response (${n.status}). The server may be unavailable.`:p}}}if(!n.ok){if(n.status>=400&&n.status<500)throw{isApiError:!0,data:c,status:n.status};const o=new Error(`Server error: ${n.status}`);throw o.retryable=!0,o}if(u)try{return u(c)}catch(o){throw new Error(`Response validation failed: ${o instanceof Error?o.message:"Invalid response shape"}`)}return c}catch(n){if(g=n,typeof n=="object"&&n!==null&&"isApiError"in n)throw n;if(f<E&&_(n)){await q(100*Math.pow(2,f-1));continue}throw n}throw g}async post(e,r,s){return this.request({method:"POST",path:e,body:r,...s})}async get(e,r){return this.request({method:"GET",path:e,...r})}async patch(e,r,s){return this.request({method:"PATCH",path:e,body:r,...s})}async delete(e,r){return this.request({method:"DELETE",path:e,...r})}}function N(t){return typeof t=="object"&&t!==null&&"isApiError"in t}function P(t){return typeof t=="object"&&t!==null&&"code"in t&&"message"in t}function j(t,e){if(P(t))return t;if(N(t))return U(t.data,e);if(t instanceof Error){if(t.name==="AbortError")return{code:"NETWORK_ERROR",message:"Request timed out"};if(t.message.startsWith("Server error:")||t.message.startsWith("Invalid JSON response"))return{code:"SERVER_ERROR",message:e}}return O()}exports.ApiClient=M;exports.getCsrfToken=C;exports.handleApiError=j;exports.useAuthState=v;exports.useAuthUI=L;exports.useCedrosLogin=b;exports.useCedrosLoginOptional=S;

package/dist/apiClient-CTTKhsYb.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"apiClient-CTTKhsYb.cjs","sources":["../src/utils/csrf.ts","../src/context/useCedrosLogin.ts","../src/utils/apiClient.ts"],"sourcesContent":["// UI-CSRF: Minimum CSRF token length to prevent weak/trivial tokens\n// UI-07: Raised from 20 to 32 bytes to meet minimum entropy requirements\nconst MIN_CSRF_TOKEN_LENGTH = 32;\n\nexport function getCsrfToken(): string | null {\n  if (typeof document === 'undefined') return null;\n\n  const metaTag = document.querySelector('meta[name=\"csrf-token\"]');\n  if (metaTag) {\n    const content = metaTag.getAttribute('content');\n    // UI-CSRF: Reject weak tokens\n    if (content && content.length >= MIN_CSRF_TOKEN_LENGTH) {\n      return content;\n    }\n  }\n\n  // UI-2 FIX: Use case-insensitive comparison for cookie names.\n  // Server may set cookie with different casing (XSRF-TOKEN, xsrf-token, etc.)\n  const cookies = document.cookie.split(';');\n  for (const cookie of cookies) {\n    const [name, ...rest] = cookie.trim().split('=');\n    const value = rest.join('=');\n    const nameLower = name.toLowerCase();\n    if (nameLower === 'xsrf-token' || nameLower === 'csrf-token') {\n      try {\n        const decoded = decodeURIComponent(value.trim());\n        // UI-CSRF: Reject weak tokens\n        if (decoded.length >= MIN_CSRF_TOKEN_LENGTH) {\n          return decoded;\n        }\n      } catch {\n        // Malformed URL-encoded value - skip this cookie\n        continue;\n      }\n    }\n  }\n\n  return null;\n}\n","import { useContext } from 'react';\nimport {\n  AuthStateContext,\n  AuthUIContext,\n  CedrosLoginContext,\n  type AuthStateContextValue,\n  type AuthUIContextValue,\n  type CedrosLoginContextValue,\n} from './CedrosLoginContext';\n\n/**\n * Hook to access the full Cedros Login context.\n * Must be used within a CedrosLoginProvider.\n *\n * For better performance, prefer `useAuthState()` or `useAuthUI()` when you\n * only need a subset of the context. This hook re-renders on any change.\n */\nexport function useCedrosLogin(): CedrosLoginContextValue {\n  const context = useContext(CedrosLoginContext);\n  if (!context) {\n    throw new Error('useCedrosLogin must be used within a CedrosLoginProvider');\n  }\n  return context;\n}\n\n/**\n * Optional version of useCedrosLogin that returns null instead of throwing\n * when used outside a CedrosLoginProvider. Useful for components that need\n * to work in both provider and non-provider contexts (e.g., Storybook demos).\n */\nexport function useCedrosLoginOptional(): CedrosLoginContextValue | null {\n  return useContext(CedrosLoginContext);\n}\n\n/**\n * Hook to access only auth state (user, authState, config, logout, refreshUser).\n *\n * Does NOT re-render on UI state changes (modal, error). Use this in components\n * that only need to know about authentication status.\n */\nexport function useAuthState(): AuthStateContextValue {\n  const context = useContext(AuthStateContext);\n  if (!context) {\n    throw new Error('useAuthState must be used within a CedrosLoginProvider');\n  }\n  return context;\n}\n\n/**\n * Hook to access only UI state (isModalOpen, error, openModal, closeModal).\n *\n * Does NOT re-render on auth state changes (login, token refresh). Use this\n * in components that only control the login modal or display errors.\n */\nexport function useAuthUI(): AuthUIContextValue {\n  const context = useContext(AuthUIContext);\n  if (!context) {\n    throw new Error('useAuthUI must be used within a CedrosLoginProvider');\n  }\n  return context;\n}\n","import type { AuthError, AuthErrorCode } from '../types';\nimport { getCsrfToken } from './csrf';\n\nconst DEFAULT_TIMEOUT_MS = 10_000;\nconst DEFAULT_RETRY_ATTEMPTS = 2;\n\nexport interface ApiClientConfig {\n  baseUrl: string;\n  timeoutMs?: number;\n  retryAttempts?: number;\n  getAccessToken?: () => string | null;\n}\n\n/**\n * M-02: Response validator function type.\n * Returns the validated data or throws on invalid shape.\n */\nexport type ResponseValidator<T> = (data: unknown) => T;\n\nexport interface RequestOptions<T = unknown> {\n  method: 'GET' | 'HEAD' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';\n  path: string;\n  body?: unknown;\n  credentials?: RequestCredentials;\n  skipRetry?: boolean;\n  /** M-02: Optional validator to verify response shape at runtime */\n  validator?: ResponseValidator<T>;\n}\n\n/**\n * Creates an authentication error from response data\n */\nexport function createAuthError(\n  data: { code?: string; message?: string; details?: Record<string, unknown> },\n  fallbackMessage: string\n): AuthError {\n  return {\n    code: (data.code as AuthErrorCode) || 'SERVER_ERROR',\n    message: data.message || fallbackMessage,\n    details: data.details,\n  };\n}\n\n/**\n * Creates a network error\n */\nexport function createNetworkError(): AuthError {\n  return {\n    code: 'NETWORK_ERROR',\n    message: 'Unable to connect to server',\n  };\n}\n\n/**\n * Fetch with timeout support\n */\nasync function fetchWithTimeout(\n  url: string,\n  options: RequestInit,\n  timeoutMs: number\n): Promise<Response> {\n  const controller = new AbortController();\n  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);\n\n  try {\n    const response = await fetch(url, {\n      ...options,\n      signal: controller.signal,\n    });\n    return response;\n  } finally {\n    clearTimeout(timeoutId);\n  }\n}\n\n/**\n * Determines if an error is retryable\n * UI-8 FIX: AbortError (timeout) should NOT be retried - server may have processed request\n */\nfunction isRetryableError(error: unknown): boolean {\n  if (error instanceof Error) {\n    if ((error as { retryable?: boolean }).retryable) return true;\n    // UI-8: AbortError from timeout should NOT be retried\n    // Server may have processed the request (just responded slowly)\n    // Retrying could cause duplicate operations\n    if (error.name === 'AbortError') return false;\n    // Network errors (connection failed) are safe to retry\n    if (error.message.includes('fetch')) return true;\n  }\n  return false;\n}\n\n/**\n * Delays execution for the specified duration\n */\nfunction delay(ms: number): Promise<void> {\n  return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n/**\n * API client for making authenticated requests with timeout and retry support\n */\nexport class ApiClient {\n  private baseUrl: string;\n  private timeoutMs: number;\n  private retryAttempts: number;\n  private getAccessToken?: () => string | null;\n\n  constructor(config: ApiClientConfig) {\n    this.baseUrl = config.baseUrl;\n    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n    this.retryAttempts = config.retryAttempts ?? DEFAULT_RETRY_ATTEMPTS;\n    this.getAccessToken = config.getAccessToken;\n  }\n\n  /**\n   * Make an API request with timeout and optional retry\n   */\n  async request<T>(options: RequestOptions<T>): Promise<T> {\n    const { method, path, body, credentials = 'include', skipRetry = false, validator } = options;\n    const url = `${this.baseUrl}${path}`;\n    // S-10: DELETE excluded — retrying mid-flight DELETE failures risks double-deletion\n    const isIdempotent = method === 'GET' || method === 'HEAD' || method === 'PUT';\n    const maxAttempts = skipRetry || !isIdempotent ? 1 : this.retryAttempts + 1;\n\n    // Build headers with CSRF token if available\n    const headers: Record<string, string> = {};\n    if (body !== undefined) {\n      headers['Content-Type'] = 'application/json';\n    }\n    const accessToken = this.getAccessToken?.();\n    if (accessToken) {\n      headers.Authorization = `Bearer ${accessToken}`;\n    }\n    const csrfToken = getCsrfToken();\n    if (csrfToken) {\n      headers['X-CSRF-Token'] = csrfToken;\n    }\n\n    let lastError: unknown;\n\n    for (let attempt = 1; attempt <= maxAttempts; attempt++) {\n      try {\n        const response = await fetchWithTimeout(\n          url,\n          {\n            method,\n            headers,\n            credentials,\n            body: body !== undefined ? JSON.stringify(body) : undefined,\n          },\n          this.timeoutMs\n        );\n\n        const contentType = response.headers.get('content-type') || '';\n        let data: { code?: string; message?: string; details?: Record<string, unknown> } = {};\n\n        if (contentType.includes('application/json')) {\n          if (response.status !== 204) {\n            try {\n              data = (await response.json()) as {\n                code?: string;\n                message?: string;\n                details?: Record<string, unknown>;\n              };\n            } catch (e) {\n              // UI-JSON: Include actual parse error for easier debugging\n              const parseError = e instanceof Error ? e.message : 'parse failed';\n              throw new Error(`Invalid JSON response: ${parseError}`);\n            }\n          }\n        } else {\n          // U-01: Handle non-JSON responses with informative error messages\n          // Proxies/load balancers may return HTML error pages (502, 503)\n          const text = await response.text();\n          if (text) {\n            // Truncate very long responses (e.g., HTML pages) for readability\n            const truncated = text.length > 200 ? text.slice(0, 200) + '...' : text;\n            const isHtml = contentType.includes('text/html') || text.trimStart().startsWith('<');\n            data = {\n              message: isHtml\n                ? `Unexpected HTML response (${response.status}). The server may be unavailable.`\n                : truncated,\n            };\n          }\n        }\n\n        if (!response.ok) {\n          // Don't retry 4xx errors (client errors)\n          if (response.status >= 400 && response.status < 500) {\n            throw { isApiError: true, data, status: response.status };\n          }\n          // Retry 5xx errors\n          const err = new Error(`Server error: ${response.status}`);\n          (err as { retryable?: boolean }).retryable = true;\n          throw err;\n        }\n\n        // M-02: Apply response validation if provided\n        if (validator) {\n          try {\n            return validator(data);\n          } catch (validationError) {\n            throw new Error(\n              `Response validation failed: ${validationError instanceof Error ? validationError.message : 'Invalid response shape'}`\n            );\n          }\n        }\n\n        return data as T;\n      } catch (error) {\n        lastError = error;\n\n        // Don't retry API errors (4xx responses)\n        if (typeof error === 'object' && error !== null && 'isApiError' in error) {\n          throw error;\n        }\n\n        // Check if we should retry\n        if (attempt < maxAttempts && isRetryableError(error)) {\n          // Exponential backoff: 100ms, 200ms, 400ms...\n          await delay(100 * Math.pow(2, attempt - 1));\n          continue;\n        }\n\n        throw error;\n      }\n    }\n\n    throw lastError;\n  }\n\n  /**\n   * POST request helper\n   */\n  async post<T>(path: string, body: unknown, options?: Partial<RequestOptions<T>>): Promise<T> {\n    return this.request<T>({ method: 'POST', path, body, ...options });\n  }\n\n  /**\n   * GET request helper\n   */\n  async get<T>(path: string, options?: Partial<RequestOptions<T>>): Promise<T> {\n    return this.request<T>({ method: 'GET', path, ...options });\n  }\n\n  /**\n   * PATCH request helper\n   */\n  async patch<T>(path: string, body: unknown, options?: Partial<RequestOptions<T>>): Promise<T> {\n    return this.request<T>({ method: 'PATCH', path, body, ...options });\n  }\n\n  /**\n   * DELETE request helper\n   */\n  async delete<T>(path: string, options?: Partial<RequestOptions<T>>): Promise<T> {\n    return this.request<T>({ method: 'DELETE', path, ...options });\n  }\n}\n\ninterface ApiErrorResponse {\n  isApiError: true;\n  data: { code?: string; message?: string; details?: Record<string, unknown> };\n  status: number;\n}\n\nfunction isApiErrorResponse(err: unknown): err is ApiErrorResponse {\n  return typeof err === 'object' && err !== null && 'isApiError' in err;\n}\n\nfunction isAuthError(err: unknown): err is AuthError {\n  return typeof err === 'object' && err !== null && 'code' in err && 'message' in err;\n}\n\n/**\n * M-02: Helper to create a basic object shape validator.\n * Checks that required keys exist and are of expected types.\n * @example\n * const validateUser = createValidator<User>({\n *   id: 'string',\n *   email: 'string',\n *   role: 'string',\n * });\n */\nexport function createValidator<T>(\n  shape: Record<keyof T & string, 'string' | 'number' | 'boolean' | 'object'>\n): ResponseValidator<T> {\n  return (data: unknown): T => {\n    if (typeof data !== 'object' || data === null) {\n      throw new Error('Expected object response');\n    }\n    const obj = data as Record<string, unknown>;\n    for (const [key, expectedType] of Object.entries(shape)) {\n      if (!(key in obj)) {\n        throw new Error(`Missing required field: ${key}`);\n      }\n      const actualType = typeof obj[key];\n      if (actualType !== expectedType) {\n        throw new Error(`Invalid type for ${key}: expected ${expectedType}, got ${actualType}`);\n      }\n    }\n    return data as T;\n  };\n}\n\n/**\n * Converts API errors to AuthError format\n */\nexport function handleApiError(err: unknown, fallbackMessage: string): AuthError {\n  // Already an AuthError\n  if (isAuthError(err)) {\n    return err;\n  }\n\n  // API error response (4xx/5xx)\n  if (isApiErrorResponse(err)) {\n    return createAuthError(err.data, fallbackMessage);\n  }\n\n  if (err instanceof Error) {\n    if (err.name === 'AbortError') {\n      return {\n        code: 'NETWORK_ERROR',\n        message: 'Request timed out',\n      };\n    }\n    if (\n      err.message.startsWith('Server error:') ||\n      err.message.startsWith('Invalid JSON response')\n    ) {\n      return {\n        code: 'SERVER_ERROR',\n        message: fallbackMessage,\n      };\n    }\n  }\n\n  // Network or timeout error\n  return createNetworkError();\n}\n"],"names":["MIN_CSRF_TOKEN_LENGTH","getCsrfToken","metaTag","content","cookies","cookie","name","rest","value","nameLower","decoded","useCedrosLogin","context","useContext","CedrosLoginContext","useCedrosLoginOptional","useAuthState","AuthStateContext","useAuthUI","AuthUIContext","DEFAULT_TIMEOUT_MS","DEFAULT_RETRY_ATTEMPTS","createAuthError","data","fallbackMessage","createNetworkError","fetchWithTimeout","url","options","timeoutMs","controller","timeoutId","isRetryableError","error","delay","ms","resolve","ApiClient","config","method","path","body","credentials","skipRetry","validator","maxAttempts","headers","accessToken","csrfToken","lastError","attempt","response","contentType","e","parseError","text","truncated","err","validationError","isApiErrorResponse","isAuthError","handleApiError"],"mappings":"iFAEMA,EAAwB,GAEvB,SAASC,GAA8B,CAC5C,GAAI,OAAO,SAAa,IAAa,OAAO,KAE5C,MAAMC,EAAU,SAAS,cAAc,yBAAyB,EAChE,GAAIA,EAAS,CACX,MAAMC,EAAUD,EAAQ,aAAa,SAAS,EAE9C,GAAIC,GAAWA,EAAQ,QAAUH,EAC/B,OAAOG,CAEX,CAIA,MAAMC,EAAU,SAAS,OAAO,MAAM,GAAG,EACzC,UAAWC,KAAUD,EAAS,CAC5B,KAAM,CAACE,EAAM,GAAGC,CAAI,EAAIF,EAAO,KAAA,EAAO,MAAM,GAAG,EACzCG,EAAQD,EAAK,KAAK,GAAG,EACrBE,EAAYH,EAAK,YAAA,EACvB,GAAIG,IAAc,cAAgBA,IAAc,aAC9C,GAAI,CACF,MAAMC,EAAU,mBAAmBF,EAAM,KAAA,CAAM,EAE/C,GAAIE,EAAQ,QAAUV,EACpB,OAAOU,CAEX,MAAQ,CAEN,QACF,CAEJ,CAEA,OAAO,IACT,CCrBO,SAASC,GAA0C,CACxD,MAAMC,EAAUC,EAAAA,WAAWC,oBAAkB,EAC7C,GAAI,CAACF,EACH,MAAM,IAAI,MAAM,0DAA0D,EAE5E,OAAOA,CACT,CAOO,SAASG,GAAyD,CACvE,OAAOF,EAAAA,WAAWC,EAAAA,kBAAkB,CACtC,CAQO,SAASE,GAAsC,CACpD,MAAMJ,EAAUC,EAAAA,WAAWI,kBAAgB,EAC3C,GAAI,CAACL,EACH,MAAM,IAAI,MAAM,wDAAwD,EAE1E,OAAOA,CACT,CAQO,SAASM,GAAgC,CAC9C,MAAMN,EAAUC,EAAAA,WAAWM,eAAa,EACxC,GAAI,CAACP,EACH,MAAM,IAAI,MAAM,qDAAqD,EAEvE,OAAOA,CACT,CCzDA,MAAMQ,EAAqB,IACrBC,EAAyB,EA4BxB,SAASC,EACdC,EACAC,EACW,CACX,MAAO,CACL,KAAOD,EAAK,MAA0B,eACtC,QAASA,EAAK,SAAWC,EACzB,QAASD,EAAK,OAAA,CAElB,CAKO,SAASE,GAAgC,CAC9C,MAAO,CACL,KAAM,gBACN,QAAS,6BAAA,CAEb,CAKA,eAAeC,EACbC,EACAC,EACAC,EACmB,CACnB,MAAMC,EAAa,IAAI,gBACjBC,EAAY,WAAW,IAAMD,EAAW,MAAA,EAASD,CAAS,EAEhE,GAAI,CAKF,OAJiB,MAAM,MAAMF,EAAK,CAChC,GAAGC,EACH,OAAQE,EAAW,MAAA,CACpB,CAEH,QAAA,CACE,aAAaC,CAAS,CACxB,CACF,CAMA,SAASC,EAAiBC,EAAyB,CACjD,GAAIA,aAAiB,MAAO,CAC1B,GAAKA,EAAkC,UAAW,MAAO,GAIzD,GAAIA,EAAM,OAAS,aAAc,MAAO,GAExC,GAAIA,EAAM,QAAQ,SAAS,OAAO,EAAG,MAAO,EAC9C,CACA,MAAO,EACT,CAKA,SAASC,EAAMC,EAA2B,CACxC,OAAO,IAAI,QAASC,GAAY,WAAWA,EAASD,CAAE,CAAC,CACzD,CAKO,MAAME,CAAU,CACb,QACA,UACA,cACA,eAER,YAAYC,EAAyB,CACnC,KAAK,QAAUA,EAAO,QACtB,KAAK,UAAYA,EAAO,WAAalB,EACrC,KAAK,cAAgBkB,EAAO,eAAiBjB,EAC7C,KAAK,eAAiBiB,EAAO,cAC/B,CAKA,MAAM,QAAWV,EAAwC,CACvD,KAAM,CAAE,OAAAW,EAAQ,KAAAC,EAAM,KAAAC,EAAM,YAAAC,EAAc,UAAW,UAAAC,EAAY,GAAO,UAAAC,CAAA,EAAchB,EAChFD,EAAM,GAAG,KAAK,OAAO,GAAGa,CAAI,GAG5BK,EAAcF,GAAa,EADZJ,IAAW,OAASA,IAAW,QAAUA,IAAW,OACxB,EAAI,KAAK,cAAgB,EAGpEO,EAAkC,CAAA,EACpCL,IAAS,SACXK,EAAQ,cAAc,EAAI,oBAE5B,MAAMC,EAAc,KAAK,iBAAA,EACrBA,IACFD,EAAQ,cAAgB,UAAUC,CAAW,IAE/C,MAAMC,EAAY/C,EAAA,EACd+C,IACFF,EAAQ,cAAc,EAAIE,GAG5B,IAAIC,EAEJ,QAASC,EAAU,EAAGA,GAAWL,EAAaK,IAC5C,GAAI,CACF,MAAMC,EAAW,MAAMzB,EACrBC,EACA,CACE,OAAAY,EACA,QAAAO,EACA,YAAAJ,EACA,KAAMD,IAAS,OAAY,KAAK,UAAUA,CAAI,EAAI,MAAA,EAEpD,KAAK,SAAA,EAGDW,EAAcD,EAAS,QAAQ,IAAI,cAAc,GAAK,GAC5D,IAAI5B,EAA+E,CAAA,EAEnF,GAAI6B,EAAY,SAAS,kBAAkB,GACzC,GAAID,EAAS,SAAW,IACtB,GAAI,CACF5B,EAAQ,MAAM4B,EAAS,KAAA,CAKzB,OAASE,EAAG,CAEV,MAAMC,EAAaD,aAAa,MAAQA,EAAE,QAAU,eACpD,MAAM,IAAI,MAAM,0BAA0BC,CAAU,EAAE,CACxD,MAEG,CAGL,MAAMC,EAAO,MAAMJ,EAAS,KAAA,EAC5B,GAAII,EAAM,CAER,MAAMC,EAAYD,EAAK,OAAS,IAAMA,EAAK,MAAM,EAAG,GAAG,EAAI,MAAQA,EAEnEhC,EAAO,CACL,QAFa6B,EAAY,SAAS,WAAW,GAAKG,EAAK,UAAA,EAAY,WAAW,GAAG,EAG7E,6BAA6BJ,EAAS,MAAM,oCAC5CK,CAAA,CAER,CACF,CAEA,GAAI,CAACL,EAAS,GAAI,CAEhB,GAAIA,EAAS,QAAU,KAAOA,EAAS,OAAS,IAC9C,KAAM,CAAE,WAAY,GAAM,KAAA5B,EAAM,OAAQ4B,EAAS,MAAA,EAGnD,MAAMM,EAAM,IAAI,MAAM,iBAAiBN,EAAS,MAAM,EAAE,EACvD,MAAAM,EAAgC,UAAY,GACvCA,CACR,CAGA,GAAIb,EACF,GAAI,CACF,OAAOA,EAAUrB,CAAI,CACvB,OAASmC,EAAiB,CACxB,MAAM,IAAI,MACR,+BAA+BA,aAA2B,MAAQA,EAAgB,QAAU,wBAAwB,EAAA,CAExH,CAGF,OAAOnC,CACT,OAASU,EAAO,CAId,GAHAgB,EAAYhB,EAGR,OAAOA,GAAU,UAAYA,IAAU,MAAQ,eAAgBA,EACjE,MAAMA,EAIR,GAAIiB,EAAUL,GAAeb,EAAiBC,CAAK,EAAG,CAEpD,MAAMC,EAAM,IAAM,KAAK,IAAI,EAAGgB,EAAU,CAAC,CAAC,EAC1C,QACF,CAEA,MAAMjB,CACR,CAGF,MAAMgB,CACR,CAKA,MAAM,KAAQT,EAAcC,EAAeb,EAAkD,CAC3F,OAAO,KAAK,QAAW,CAAE,OAAQ,OAAQ,KAAAY,EAAM,KAAAC,EAAM,GAAGb,EAAS,CACnE,CAKA,MAAM,IAAOY,EAAcZ,EAAkD,CAC3E,OAAO,KAAK,QAAW,CAAE,OAAQ,MAAO,KAAAY,EAAM,GAAGZ,EAAS,CAC5D,CAKA,MAAM,MAASY,EAAcC,EAAeb,EAAkD,CAC5F,OAAO,KAAK,QAAW,CAAE,OAAQ,QAAS,KAAAY,EAAM,KAAAC,EAAM,GAAGb,EAAS,CACpE,CAKA,MAAM,OAAUY,EAAcZ,EAAkD,CAC9E,OAAO,KAAK,QAAW,CAAE,OAAQ,SAAU,KAAAY,EAAM,GAAGZ,EAAS,CAC/D,CACF,CAQA,SAAS+B,EAAmBF,EAAuC,CACjE,OAAO,OAAOA,GAAQ,UAAYA,IAAQ,MAAQ,eAAgBA,CACpE,CAEA,SAASG,EAAYH,EAAgC,CACnD,OAAO,OAAOA,GAAQ,UAAYA,IAAQ,MAAQ,SAAUA,GAAO,YAAaA,CAClF,CAoCO,SAASI,EAAeJ,EAAcjC,EAAoC,CAE/E,GAAIoC,EAAYH,CAAG,EACjB,OAAOA,EAIT,GAAIE,EAAmBF,CAAG,EACxB,OAAOnC,EAAgBmC,EAAI,KAAMjC,CAAe,EAGlD,GAAIiC,aAAe,MAAO,CACxB,GAAIA,EAAI,OAAS,aACf,MAAO,CACL,KAAM,gBACN,QAAS,mBAAA,EAGb,GACEA,EAAI,QAAQ,WAAW,eAAe,GACtCA,EAAI,QAAQ,WAAW,uBAAuB,EAE9C,MAAO,CACL,KAAM,eACN,QAASjC,CAAA,CAGf,CAGA,OAAOC,EAAA,CACT"}