@chaaskit/server 0.1.0

package/dist/services/email/providers/ses.js

@@ -0,0 +1,97 @@
+/**
+ * AWS SES Email Provider
+ *
+ * Production-ready email provider using Amazon SES.
+ * Uses the AWS SDK default credential chain (environment variables, shared credentials,
+ * IAM instance/task roles, etc.).
+ *
+ * Requires @aws-sdk/client-ses to be installed:
+ *   pnpm add @aws-sdk/client-ses
+ */
+/**
+ * AWS SES Email Provider
+ */
+export class SESEmailProvider {
+    name = 'ses';
+    client = null;
+    region;
+    fromAddress;
+    fromName;
+    closed = false;
+    constructor(config, fromAddress, fromName) {
+        this.region = config.region;
+        this.fromAddress = fromAddress;
+        this.fromName = fromName;
+        console.log(`[SES] Email provider initialized (region: ${config.region})`);
+    }
+    async getClient() {
+        if (this.client) {
+            return this.client;
+        }
+        // Dynamic import to avoid requiring the SDK at compile time
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const sesModule = await import('@aws-sdk/client-ses');
+        const SESClient = sesModule.SESClient;
+        this.client = new SESClient({
+            region: this.region,
+        });
+        return this.client;
+    }
+    async send(message) {
+        if (this.closed) {
+            throw new Error('Email provider is closed');
+        }
+        const client = await this.getClient();
+        const toAddresses = Array.isArray(message.to) ? message.to : [message.to];
+        const from = this.fromName
+            ? `${this.fromName} <${this.fromAddress}>`
+            : this.fromAddress;
+        // Dynamic import for the command
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const sesModule = await import('@aws-sdk/client-ses');
+        const SendEmailCommand = sesModule.SendEmailCommand;
+        const commandInput = {
+            Source: from,
+            Destination: {
+                ToAddresses: toAddresses,
+            },
+            Message: {
+                Subject: {
+                    Data: message.subject,
+                    Charset: 'UTF-8',
+                },
+                Body: {
+                    ...(message.text && {
+                        Text: {
+                            Data: message.text,
+                            Charset: 'UTF-8',
+                        },
+                    }),
+                    ...(message.html && {
+                        Html: {
+                            Data: message.html,
+                            Charset: 'UTF-8',
+                        },
+                    }),
+                },
+            },
+            ...(message.replyTo && {
+                ReplyToAddresses: [message.replyTo],
+            }),
+        };
+        const command = new SendEmailCommand(commandInput);
+        const response = await client.send(command);
+        console.log(`[SES] Email sent to ${toAddresses.join(', ')} (messageId: ${response.MessageId})`);
+        return {
+            messageId: response.MessageId ?? 'unknown',
+        };
+    }
+    async close() {
+        this.closed = true;
+        if (this.client) {
+            this.client.destroy();
+        }
+        console.log('[SES] Email provider closed');
+    }
+}
+//# sourceMappingURL=ses.js.map

package/dist/services/email/providers/ses.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ses.js","sourceRoot":"","sources":["../../../../src/services/email/providers/ses.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAwBH;;GAEG;AACH,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,KAAK,CAAC;IAEd,MAAM,GAAyB,IAAI,CAAC;IACpC,MAAM,CAAS;IACf,WAAW,CAAS;IACpB,QAAQ,CAAU;IAClB,MAAM,GAAG,KAAK,CAAC;IAEvB,YAAY,MAA8B,EAAE,WAAmB,EAAE,QAAiB;QAChF,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAEzB,OAAO,CAAC,GAAG,CAAC,6CAA6C,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7E,CAAC;IAEO,KAAK,CAAC,SAAS;QACrB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC,MAAM,CAAC;QACrB,CAAC;QAED,4DAA4D;QAC5D,8DAA8D;QAC9D,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,qBAA4B,CAAC,CAAC;QAC7D,MAAM,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC;QACtC,IAAI,CAAC,MAAM,GAAG,IAAI,SAAS,CAAC;YAC1B,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB,CAAkB,CAAC;QAEpB,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAqB;QAC9B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QAEtC,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC1E,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ;YACxB,CAAC,CAAC,GAAG,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,WAAW,GAAG;YAC1C,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC;QAErB,iCAAiC;QACjC,8DAA8D;QAC9D,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,qBAA4B,CAAC,CAAC;QAC7D,MAAM,gBAAgB,GAAG,SAAS,CAAC,gBAAgB,CAAC;QAEpD,MAAM,YAAY,GAA0B;YAC1C,MAAM,EAAE,IAAI;YACZ,WAAW,EAAE;gBACX,WAAW,EAAE,WAAW;aACzB;YACD,OAAO,EAAE;gBACP,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO,CAAC,OAAO;oBACrB,OAAO,EAAE,OAAO;iBACjB;gBACD,IAAI,EAAE;oBACJ,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI;wBAClB,IAAI,EAAE;4BACJ,IAAI,EAAE,OAAO,CAAC,IAAI;4BAClB,OAAO,EAAE,OAAO;yBACjB;qBACF,CAAC;oBACF,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI;wBAClB,IAAI,EAAE;4BACJ,IAAI,EAAE,OAAO,CAAC,IAAI;4BAClB,OAAO,EAAE,OAAO;yBACjB;qBACF,CAAC;iBACH;aACF;YACD,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI;gBACrB,gBAAgB,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;aACpC,CAAC;SACH,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,CAAC,GAAG,CAAC,uBAAuB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,QAAQ,CAAC,SAAS,GAAG,CAAC,CAAC;QAEhG,OAAO;YACL,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,SAAS;SAC3C,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACxB,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;IAC7C,CAAC;CACF"}

package/dist/services/email/templates.js

@@ -0,0 +1,194 @@
+/**
+ * Email template generators for transactional emails
+ */
+/**
+ * Generate the common email wrapper HTML
+ */
+function wrapInEmailTemplate(content, params) {
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${params.appName}</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+      line-height: 1.6;
+      color: #333;
+      background-color: #f5f5f5;
+      margin: 0;
+      padding: 0;
+    }
+    .container {
+      max-width: 560px;
+      margin: 0 auto;
+      padding: 40px 20px;
+    }
+    .card {
+      background-color: #ffffff;
+      border-radius: 8px;
+      box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
+      padding: 40px;
+    }
+    .header {
+      text-align: center;
+      margin-bottom: 32px;
+    }
+    .header h1 {
+      color: #1a1a1a;
+      font-size: 24px;
+      font-weight: 600;
+      margin: 0;
+    }
+    .content {
+      margin-bottom: 32px;
+    }
+    .code-display {
+      background-color: #f8f9fa;
+      border: 2px solid #e9ecef;
+      border-radius: 8px;
+      padding: 24px;
+      text-align: center;
+      margin: 24px 0;
+    }
+    .code {
+      font-family: 'SF Mono', Monaco, 'Courier New', monospace;
+      font-size: 36px;
+      font-weight: 700;
+      letter-spacing: 8px;
+      color: #1a1a1a;
+    }
+    .button {
+      display: inline-block;
+      background-color: #6366f1;
+      color: #ffffff !important;
+      text-decoration: none;
+      padding: 14px 32px;
+      border-radius: 6px;
+      font-weight: 600;
+      font-size: 16px;
+    }
+    .button:hover {
+      background-color: #4f46e5;
+    }
+    .button-container {
+      text-align: center;
+      margin: 24px 0;
+    }
+    .footer {
+      text-align: center;
+      color: #6b7280;
+      font-size: 14px;
+      margin-top: 24px;
+    }
+    .muted {
+      color: #6b7280;
+      font-size: 14px;
+    }
+    .divider {
+      border-top: 1px solid #e5e7eb;
+      margin: 24px 0;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="card">
+      ${content}
+    </div>
+    <div class="footer">
+      <p>&copy; ${new Date().getFullYear()} ${params.appName}. All rights reserved.</p>
+    </div>
+  </div>
+</body>
+</html>
+`.trim();
+}
+/**
+ * Generate verification email HTML
+ */
+export function generateVerificationEmailHtml(code, config) {
+    const content = `
+    <div class="header">
+      <h1>Verify your email</h1>
+    </div>
+    <div class="content">
+      <p>Welcome to ${config.app.name}! Please enter this verification code to complete your registration:</p>
+      <div class="code-display">
+        <span class="code">${code}</span>
+      </div>
+      <p class="muted">This code will expire in 15 minutes. If you didn't create an account with ${config.app.name}, you can safely ignore this email.</p>
+    </div>
+  `;
+    return wrapInEmailTemplate(content, {
+        appName: config.app.name,
+        appUrl: config.app.url,
+    });
+}
+/**
+ * Generate verification email plain text
+ */
+export function generateVerificationEmailText(code, config) {
+    return `
+Verify your email
+
+Welcome to ${config.app.name}! Please enter this verification code to complete your registration:
+
+${code}
+
+This code will expire in 15 minutes.
+
+If you didn't create an account with ${config.app.name}, you can safely ignore this email.
+`.trim();
+}
+/**
+ * Generate team invitation email HTML
+ */
+export function generateTeamInviteEmailHtml(teamName, inviteUrl, inviterName, config) {
+    const inviterText = inviterName
+        ? `${inviterName} has invited you`
+        : 'You have been invited';
+    const content = `
+    <div class="header">
+      <h1>You're invited to join a team</h1>
+    </div>
+    <div class="content">
+      <p>${inviterText} to join <strong>${teamName}</strong> on ${config.app.name}.</p>
+      <p>Click the button below to accept the invitation and join the team:</p>
+      <div class="button-container">
+        <a href="${inviteUrl}" class="button">Accept Invitation</a>
+      </div>
+      <div class="divider"></div>
+      <p class="muted">This invitation will expire in 7 days. If you don't have an account yet, you'll be able to create one when you accept the invitation.</p>
+      <p class="muted">If you can't click the button, copy and paste this link into your browser:</p>
+      <p class="muted" style="word-break: break-all;">${inviteUrl}</p>
+    </div>
+  `;
+    return wrapInEmailTemplate(content, {
+        appName: config.app.name,
+        appUrl: config.app.url,
+    });
+}
+/**
+ * Generate team invitation email plain text
+ */
+export function generateTeamInviteEmailText(teamName, inviteUrl, inviterName, config) {
+    const inviterText = inviterName
+        ? `${inviterName} has invited you`
+        : 'You have been invited';
+    return `
+You're invited to join a team
+
+${inviterText} to join "${teamName}" on ${config.app.name}.
+
+Accept the invitation by visiting this link:
+${inviteUrl}
+
+This invitation will expire in 7 days.
+
+If you don't have an account yet, you'll be able to create one when you accept the invitation.
+`.trim();
+}
+//# sourceMappingURL=templates.js.map

package/dist/services/email/templates.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"templates.js","sourceRoot":"","sources":["../../../src/services/email/templates.ts"],"names":[],"mappings":"AAAA;;GAEG;AASH;;GAEG;AACH,SAAS,mBAAmB,CAAC,OAAe,EAAE,MAA0B;IACtE,OAAO;;;;;;WAME,MAAM,CAAC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAqFjB,OAAO;;;kBAGG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,IAAI,MAAM,CAAC,OAAO;;;;;CAK3D,CAAC,IAAI,EAAE,CAAC;AACT,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,6BAA6B,CAC3C,IAAY,EACZ,MAAiB;IAEjB,MAAM,OAAO,GAAG;;;;;sBAKI,MAAM,CAAC,GAAG,CAAC,IAAI;;6BAER,IAAI;;mGAEkE,MAAM,CAAC,GAAG,CAAC,IAAI;;GAE/G,CAAC;IAEF,OAAO,mBAAmB,CAAC,OAAO,EAAE;QAClC,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI;QACxB,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,GAAG;KACvB,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,6BAA6B,CAC3C,IAAY,EACZ,MAAiB;IAEjB,OAAO;;;aAGI,MAAM,CAAC,GAAG,CAAC,IAAI;;EAE1B,IAAI;;;;uCAIiC,MAAM,CAAC,GAAG,CAAC,IAAI;CACrD,CAAC,IAAI,EAAE,CAAC;AACT,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,2BAA2B,CACzC,QAAgB,EAChB,SAAiB,EACjB,WAA0B,EAC1B,MAAiB;IAEjB,MAAM,WAAW,GAAG,WAAW;QAC7B,CAAC,CAAC,GAAG,WAAW,kBAAkB;QAClC,CAAC,CAAC,uBAAuB,CAAC;IAE5B,MAAM,OAAO,GAAG;;;;;WAKP,WAAW,oBAAoB,QAAQ,gBAAgB,MAAM,CAAC,GAAG,CAAC,IAAI;;;mBAG9D,SAAS;;;;;wDAK4B,SAAS;;GAE9D,CAAC;IAEF,OAAO,mBAAmB,CAAC,OAAO,EAAE;QAClC,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI;QACxB,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,GAAG;KACvB,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,2BAA2B,CACzC,QAAgB,EAChB,SAAiB,EACjB,WAA0B,EAC1B,MAAiB;IAEjB,MAAM,WAAW,GAAG,WAAW;QAC7B,CAAC,CAAC,GAAG,WAAW,kBAAkB;QAClC,CAAC,CAAC,uBAAuB,CAAC;IAE5B,OAAO;;;EAGP,WAAW,aAAa,QAAQ,QAAQ,MAAM,CAAC,GAAG,CAAC,IAAI;;;EAGvD,SAAS;;;;;CAKV,CAAC,IAAI,EAAE,CAAC;AACT,CAAC"}

package/dist/services/email/types.js

@@ -0,0 +1,5 @@
+/**
+ * Email service type definitions
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/services/email/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/services/email/types.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/services/encryption.js

@@ -0,0 +1,69 @@
+import crypto from 'crypto';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+function getEncryptionKey() {
+    const keySource = process.env.MCP_CREDENTIAL_KEY || process.env.SESSION_SECRET;
+    if (!keySource || keySource.length < 32) {
+        throw new Error('MCP_CREDENTIAL_KEY or SESSION_SECRET must be set and at least 32 characters');
+    }
+    // Derive a 32-byte key from the source using SHA-256
+    return crypto.createHash('sha256').update(keySource).digest();
+}
+export function encryptCredential(data) {
+    const key = getEncryptionKey();
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const plaintext = JSON.stringify(data);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([
+        cipher.update(plaintext, 'utf8'),
+        cipher.final(),
+    ]);
+    const authTag = cipher.getAuthTag();
+    // Format: iv:authTag:ciphertext (all base64)
+    return [
+        iv.toString('base64'),
+        authTag.toString('base64'),
+        encrypted.toString('base64'),
+    ].join(':');
+}
+export function decryptCredential(encryptedString) {
+    const key = getEncryptionKey();
+    const parts = encryptedString.split(':');
+    if (parts.length !== 3) {
+        throw new Error('Invalid encrypted credential format');
+    }
+    const [ivBase64, authTagBase64, ciphertextBase64] = parts;
+    const iv = Buffer.from(ivBase64, 'base64');
+    const authTag = Buffer.from(authTagBase64, 'base64');
+    const ciphertext = Buffer.from(ciphertextBase64, 'base64');
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([
+        decipher.update(ciphertext),
+        decipher.final(),
+    ]);
+    return JSON.parse(decrypted.toString('utf8'));
+}
+// Helper to check if OAuth token is expired (with 5 min buffer)
+export function isTokenExpired(expiresAt) {
+    if (!expiresAt)
+        return false;
+    const bufferMs = 5 * 60 * 1000; // 5 minutes
+    return Date.now() >= (expiresAt * 1000) - bufferMs;
+}
+// Generate PKCE code verifier and challenge
+export function generatePKCE() {
+    const codeVerifier = crypto.randomBytes(32).toString('base64url');
+    const codeChallenge = crypto
+        .createHash('sha256')
+        .update(codeVerifier)
+        .digest('base64url');
+    return { codeVerifier, codeChallenge };
+}
+// Generate state for OAuth CSRF protection
+export function generateOAuthState() {
+    return crypto.randomBytes(32).toString('base64url');
+}
+//# sourceMappingURL=encryption.js.map

package/dist/services/encryption.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/services/encryption.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,UAAU,GAAG,EAAE,CAAC;AAEtB,SAAS,gBAAgB;IACvB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAE/E,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CACb,6EAA6E,CAC9E,CAAC;IACJ,CAAC;IAED,qDAAqD;IACrD,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;AAChE,CAAC;AAQD,MAAM,UAAU,iBAAiB,CAAC,IAA6B;IAC7D,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;IAC/B,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAEvC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACzD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC;QAChC,MAAM,CAAC,KAAK,EAAE;KACf,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,6CAA6C;IAC7C,OAAO;QACL,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACrB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC1B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC7B,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,eAAuB;IAEvB,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEzC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,QAAQ,EAAE,aAAa,EAAE,gBAAgB,CAAC,GAAG,KAAK,CAAC;IAC1D,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;IAE3D,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAE7B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC;QAC3B,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAM,CAAC;AACrD,CAAC;AAcD,gEAAgE;AAChE,MAAM,UAAU,cAAc,CAAC,SAAkB;IAC/C,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC7B,MAAM,QAAQ,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;IAC5C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,QAAQ,CAAC;AACrD,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,YAAY;IAC1B,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,MAAM;SACzB,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,YAAY,CAAC;SACpB,MAAM,CAAC,WAAW,CAAC,CAAC;IAEvB,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;AACzC,CAAC;AAED,2CAA2C;AAC3C,MAAM,UAAU,kBAAkB;IAChC,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACtD,CAAC"}

package/dist/services/oauth-discovery.js

@@ -0,0 +1,226 @@
+const metadataCache = new Map();
+// Persistent client registrations (survives cache expiry but not server restart)
+const clientRegistrations = new Map();
+const CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour
+async function fetchJson(url) {
+    try {
+        const response = await fetch(url, {
+            headers: { Accept: 'application/json' },
+        });
+        if (!response.ok) {
+            console.log(`[OAuth Discovery] ${url} returned ${response.status}`);
+            return null;
+        }
+        return await response.json();
+    }
+    catch (error) {
+        console.log(`[OAuth Discovery] Failed to fetch ${url}:`, error);
+        return null;
+    }
+}
+// Discover protected resource metadata from MCP server
+async function discoverProtectedResourceMetadata(serverUrl) {
+    const url = new URL(serverUrl);
+    // Try well-known paths per RFC 9728
+    // Path-aware: /.well-known/oauth-protected-resource/path
+    const pathAwareUrl = `${url.origin}/.well-known/oauth-protected-resource${url.pathname}`;
+    let metadata = await fetchJson(pathAwareUrl);
+    if (metadata)
+        return metadata;
+    // Root well-known
+    const rootUrl = `${url.origin}/.well-known/oauth-protected-resource`;
+    metadata = await fetchJson(rootUrl);
+    if (metadata)
+        return metadata;
+    // Try making an unauthenticated request to get WWW-Authenticate header
+    try {
+        const response = await fetch(serverUrl, { method: 'GET' });
+        if (response.status === 401) {
+            const wwwAuth = response.headers.get('WWW-Authenticate');
+            if (wwwAuth) {
+                // Parse: Bearer resource_metadata="url", scope="scopes"
+                const resourceMetadataMatch = wwwAuth.match(/resource_metadata="([^"]+)"/);
+                if (resourceMetadataMatch) {
+                    metadata = await fetchJson(resourceMetadataMatch[1]);
+                    if (metadata)
+                        return metadata;
+                }
+            }
+        }
+    }
+    catch {
+        // Ignore fetch errors
+    }
+    return null;
+}
+// Discover authorization server metadata
+async function discoverAuthServerMetadata(issuer) {
+    const url = new URL(issuer);
+    // Try paths per RFC 8414 and OpenID Connect Discovery
+    const paths = url.pathname && url.pathname !== '/'
+        ? [
+            // Path-aware discovery
+            `${url.origin}/.well-known/oauth-authorization-server${url.pathname}`,
+            `${url.origin}/.well-known/openid-configuration${url.pathname}`,
+            `${issuer}/.well-known/openid-configuration`,
+        ]
+        : [
+            `${url.origin}/.well-known/oauth-authorization-server`,
+            `${url.origin}/.well-known/openid-configuration`,
+        ];
+    for (const path of paths) {
+        const metadata = await fetchJson(path);
+        if (metadata) {
+            // Verify PKCE support
+            if (metadata.code_challenge_methods_supported &&
+                !metadata.code_challenge_methods_supported.includes('S256')) {
+                console.warn(`[OAuth Discovery] Auth server doesn't support S256 PKCE`);
+            }
+            return metadata;
+        }
+    }
+    return null;
+}
+// Dynamic client registration per RFC 7591
+async function registerClient(registrationEndpoint, config) {
+    const apiUrl = process.env.API_URL || 'http://localhost:3000';
+    const appUrl = process.env.APP_URL || 'http://localhost:5173';
+    const request = {
+        client_name: config.oauth?.clientName || config.name || 'Chat SaaS Client',
+        redirect_uris: [
+            `${apiUrl}/api/mcp/oauth/callback`,
+        ],
+        grant_types: ['authorization_code', 'refresh_token'],
+        response_types: ['code'],
+        token_endpoint_auth_method: 'none', // Public client
+        client_uri: config.oauth?.clientUri || appUrl,
+    };
+    try {
+        const response = await fetch(registrationEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Accept: 'application/json',
+            },
+            body: JSON.stringify(request),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            console.error(`[OAuth Discovery] Client registration failed:`, errorText);
+            return null;
+        }
+        return await response.json();
+    }
+    catch (error) {
+        console.error(`[OAuth Discovery] Client registration error:`, error);
+        return null;
+    }
+}
+// Store client registration in memory
+function storeClientRegistration(serverId, registration) {
+    clientRegistrations.set(serverId, registration);
+    console.log(`[OAuth Discovery] Stored client registration for ${serverId}`);
+}
+// Load stored client registration from memory
+function loadClientRegistration(serverId) {
+    const registration = clientRegistrations.get(serverId);
+    if (!registration) {
+        return null;
+    }
+    // Check if expired
+    if (registration.client_secret_expires_at &&
+        registration.client_secret_expires_at * 1000 < Date.now()) {
+        clientRegistrations.delete(serverId);
+        return null;
+    }
+    return registration;
+}
+// Main discovery function
+export async function discoverOAuthConfig(config) {
+    if (!config.url) {
+        console.error('[OAuth Discovery] Server URL is required');
+        return null;
+    }
+    // Check if manually configured
+    if (config.oauth?.authorizationEndpoint && config.oauth?.tokenEndpoint && config.oauth?.clientId) {
+        let clientId = config.oauth.clientId;
+        // Resolve env var reference
+        if (clientId.startsWith('${') && clientId.endsWith('}')) {
+            const envVar = clientId.slice(2, -1);
+            clientId = process.env[envVar] || '';
+        }
+        let clientSecret;
+        if (config.oauth.clientSecretEnvVar) {
+            clientSecret = process.env[config.oauth.clientSecretEnvVar];
+        }
+        return {
+            authorizationEndpoint: config.oauth.authorizationEndpoint,
+            tokenEndpoint: config.oauth.tokenEndpoint,
+            clientId,
+            clientSecret,
+            scopes: config.oauth.scopes,
+        };
+    }
+    // Check cache
+    const cached = metadataCache.get(config.url);
+    if (cached && cached.expiresAt > Date.now()) {
+        if (cached.authServer && cached.clientRegistration) {
+            return {
+                authorizationEndpoint: cached.authServer.authorization_endpoint,
+                tokenEndpoint: cached.authServer.token_endpoint,
+                clientId: cached.clientRegistration.client_id,
+                clientSecret: cached.clientRegistration.client_secret,
+                scopes: cached.protectedResource?.scopes_supported || config.oauth?.scopes,
+            };
+        }
+    }
+    console.log(`[OAuth Discovery] Discovering OAuth config for ${config.url}`);
+    // Step 1: Discover protected resource metadata
+    const protectedResource = await discoverProtectedResourceMetadata(config.url);
+    if (!protectedResource?.authorization_servers?.length) {
+        console.error('[OAuth Discovery] No authorization servers found in protected resource metadata');
+        return null;
+    }
+    const authServerUrl = protectedResource.authorization_servers[0];
+    console.log(`[OAuth Discovery] Found authorization server: ${authServerUrl}`);
+    // Step 2: Discover authorization server metadata
+    const authServer = await discoverAuthServerMetadata(authServerUrl);
+    if (!authServer) {
+        console.error('[OAuth Discovery] Failed to discover authorization server metadata');
+        return null;
+    }
+    console.log(`[OAuth Discovery] Found endpoints: auth=${authServer.authorization_endpoint}, token=${authServer.token_endpoint}`);
+    // Step 3: Get or create client registration
+    let clientRegistration = loadClientRegistration(config.id);
+    if (!clientRegistration && authServer.registration_endpoint) {
+        console.log(`[OAuth Discovery] Registering client at ${authServer.registration_endpoint}`);
+        clientRegistration = await registerClient(authServer.registration_endpoint, config);
+        if (clientRegistration) {
+            storeClientRegistration(config.id, clientRegistration);
+            console.log(`[OAuth Discovery] Client registered: ${clientRegistration.client_id}`);
+        }
+    }
+    if (!clientRegistration) {
+        console.error('[OAuth Discovery] No client registration available');
+        return null;
+    }
+    // Cache the results
+    metadataCache.set(config.url, {
+        protectedResource,
+        authServer,
+        clientRegistration,
+        expiresAt: Date.now() + CACHE_TTL_MS,
+    });
+    return {
+        authorizationEndpoint: authServer.authorization_endpoint,
+        tokenEndpoint: authServer.token_endpoint,
+        clientId: clientRegistration.client_id,
+        clientSecret: clientRegistration.client_secret,
+        scopes: protectedResource.scopes_supported || config.oauth?.scopes,
+    };
+}
+// Clear cached metadata (e.g., when client registration fails)
+export function clearOAuthCache(serverUrl) {
+    metadataCache.delete(serverUrl);
+}
+//# sourceMappingURL=oauth-discovery.js.map

package/dist/services/oauth-discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-discovery.js","sourceRoot":"","sources":["../../src/services/oauth-discovery.ts"],"names":[],"mappings":"AAUA,MAAM,aAAa,GAAG,IAAI,GAAG,EAA0B,CAAC;AACxD,iFAAiF;AACjF,MAAM,mBAAmB,GAAG,IAAI,GAAG,EAA8B,CAAC;AAClE,MAAM,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;AAiD9C,KAAK,UAAU,SAAS,CAAI,GAAW;IACrC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;SACxC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,qBAAqB,GAAG,aAAa,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAO,CAAC;IACpC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,qCAAqC,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,uDAAuD;AACvD,KAAK,UAAU,iCAAiC,CAC9C,SAAiB;IAEjB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,oCAAoC;IACpC,yDAAyD;IACzD,MAAM,YAAY,GAAG,GAAG,GAAG,CAAC,MAAM,wCAAwC,GAAG,CAAC,QAAQ,EAAE,CAAC;IACzF,IAAI,QAAQ,GAAG,MAAM,SAAS,CAA4B,YAAY,CAAC,CAAC;IACxE,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,kBAAkB;IAClB,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,MAAM,uCAAuC,CAAC;IACrE,QAAQ,GAAG,MAAM,SAAS,CAA4B,OAAO,CAAC,CAAC;IAC/D,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,uEAAuE;IACvE,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YACzD,IAAI,OAAO,EAAE,CAAC;gBACZ,wDAAwD;gBACxD,MAAM,qBAAqB,GAAG,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBAC3E,IAAI,qBAAqB,EAAE,CAAC;oBAC1B,QAAQ,GAAG,MAAM,SAAS,CAA4B,qBAAqB,CAAC,CAAC,CAAC,CAAC,CAAC;oBAChF,IAAI,QAAQ;wBAAE,OAAO,QAAQ,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,sBAAsB;IACxB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,yCAAyC;AACzC,KAAK,UAAU,0BAA0B,CACvC,MAAc;IAEd,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAE5B,sDAAsD;IACtD,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG;QAChD,CAAC,CAAC;YACE,uBAAuB;YACvB,GAAG,GAAG,CAAC,MAAM,0CAA0C,GAAG,CAAC,QAAQ,EAAE;YACrE,GAAG,GAAG,CAAC,MAAM,oCAAoC,GAAG,CAAC,QAAQ,EAAE;YAC/D,GAAG,MAAM,mCAAmC;SAC7C;QACH,CAAC,CAAC;YACE,GAAG,GAAG,CAAC,MAAM,yCAAyC;YACtD,GAAG,GAAG,CAAC,MAAM,mCAAmC;SACjD,CAAC;IAEN,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAqB,IAAI,CAAC,CAAC;QAC3D,IAAI,QAAQ,EAAE,CAAC;YACb,sBAAsB;YACtB,IACE,QAAQ,CAAC,gCAAgC;gBACzC,CAAC,QAAQ,CAAC,gCAAgC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAC3D,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;YAC1E,CAAC;YACD,OAAO,QAAQ,CAAC;QAClB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,2CAA2C;AAC3C,KAAK,UAAU,cAAc,CAC3B,oBAA4B,EAC5B,MAAuB;IAEvB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,uBAAuB,CAAC;IAC9D,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,uBAAuB,CAAC;IAE9D,MAAM,OAAO,GAA+B;QAC1C,WAAW,EAAE,MAAM,CAAC,KAAK,EAAE,UAAU,IAAI,MAAM,CAAC,IAAI,IAAI,kBAAkB;QAC1E,aAAa,EAAE;YACb,GAAG,MAAM,yBAAyB;SACnC;QACD,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;QACpD,cAAc,EAAE,CAAC,MAAM,CAAC;QACxB,0BAA0B,EAAE,MAAM,EAAE,gBAAgB;QACpD,UAAU,EAAE,MAAM,CAAC,KAAK,EAAE,SAAS,IAAI,MAAM;KAC9C,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,oBAAoB,EAAE;YACjD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,SAAS,CAAC,CAAC;YAC1E,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAwB,CAAC;IACrD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,8CAA8C,EAAE,KAAK,CAAC,CAAC;QACrE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,sCAAsC;AACtC,SAAS,uBAAuB,CAC9B,QAAgB,EAChB,YAAgC;IAEhC,mBAAmB,CAAC,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IAChD,OAAO,CAAC,GAAG,CAAC,oDAAoD,QAAQ,EAAE,CAAC,CAAC;AAC9E,CAAC;AAED,8CAA8C;AAC9C,SAAS,sBAAsB,CAC7B,QAAgB;IAEhB,MAAM,YAAY,GAAG,mBAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACvD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mBAAmB;IACnB,IACE,YAAY,CAAC,wBAAwB;QACrC,YAAY,CAAC,wBAAwB,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,EACzD,CAAC;QACD,mBAAmB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,0BAA0B;AAC1B,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAuB;IAEvB,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC1D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+BAA+B;IAC/B,IAAI,MAAM,CAAC,KAAK,EAAE,qBAAqB,IAAI,MAAM,CAAC,KAAK,EAAE,aAAa,IAAI,MAAM,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;QACjG,IAAI,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC;QACrC,4BAA4B;QAC5B,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACxD,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACrC,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACvC,CAAC;QAED,IAAI,YAAgC,CAAC;QACrC,IAAI,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,CAAC;YACpC,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO;YACL,qBAAqB,EAAE,MAAM,CAAC,KAAK,CAAC,qBAAqB;YACzD,aAAa,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa;YACzC,QAAQ;YACR,YAAY;YACZ,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;SAC5B,CAAC;IACJ,CAAC;IAED,cAAc;IACd,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC5C,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,qBAAqB,EAAE,MAAM,CAAC,UAAU,CAAC,sBAAsB;gBAC/D,aAAa,EAAE,MAAM,CAAC,UAAU,CAAC,cAAc;gBAC/C,QAAQ,EAAE,MAAM,CAAC,kBAAkB,CAAC,SAAS;gBAC7C,YAAY,EAAE,MAAM,CAAC,kBAAkB,CAAC,aAAa;gBACrD,MAAM,EAAE,MAAM,CAAC,iBAAiB,EAAE,gBAAgB,IAAI,MAAM,CAAC,KAAK,EAAE,MAAM;aAC3E,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,kDAAkD,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;IAE5E,+CAA+C;IAC/C,MAAM,iBAAiB,GAAG,MAAM,iCAAiC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC9E,IAAI,CAAC,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,EAAE,CAAC;QACtD,OAAO,CAAC,KAAK,CAAC,iFAAiF,CAAC,CAAC;QACjG,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,aAAa,GAAG,iBAAiB,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,iDAAiD,aAAa,EAAE,CAAC,CAAC;IAE9E,iDAAiD;IACjD,MAAM,UAAU,GAAG,MAAM,0BAA0B,CAAC,aAAa,CAAC,CAAC;IACnE,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACpF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,2CAA2C,UAAU,CAAC,sBAAsB,WAAW,UAAU,CAAC,cAAc,EAAE,CAAC,CAAC;IAEhI,4CAA4C;IAC5C,IAAI,kBAAkB,GAAG,sBAAsB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAE3D,IAAI,CAAC,kBAAkB,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,2CAA2C,UAAU,CAAC,qBAAqB,EAAE,CAAC,CAAC;QAC3F,kBAAkB,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;QAEpF,IAAI,kBAAkB,EAAE,CAAC;YACvB,uBAAuB,CAAC,MAAM,CAAC,EAAE,EAAE,kBAAkB,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,wCAAwC,kBAAkB,CAAC,SAAS,EAAE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,OAAO,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,oBAAoB;IACpB,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE;QAC5B,iBAAiB;QACjB,UAAU;QACV,kBAAkB;QAClB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY;KACrC,CAAC,CAAC;IAEH,OAAO;QACL,qBAAqB,EAAE,UAAU,CAAC,sBAAsB;QACxD,aAAa,EAAE,UAAU,CAAC,cAAc;QACxC,QAAQ,EAAE,kBAAkB,CAAC,SAAS;QACtC,YAAY,EAAE,kBAAkB,CAAC,aAAa;QAC9C,MAAM,EAAE,iBAAiB,CAAC,gBAAgB,IAAI,MAAM,CAAC,KAAK,EAAE,MAAM;KACnE,CAAC;AACJ,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC"}