@classytic/arc 1.1.0 → 2.1.2

package/dist/org/index.d.mts

@@ -0,0 +1,69 @@
+import "../elevation-B_2dRLVP.mjs";
+import { S as RouteHandler } from "../interface-Ch8HU9uM.mjs";
+import { i as UserBase } from "../types-aYB4V7uN.mjs";
+import "../types/index.mjs";
+import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";
+import { FastifyPluginAsync, RouteHandlerMethod } from "fastify";
+
+//#region src/org/orgGuard.d.ts
+interface OrgGuardOptions {
+  /** Require organization context (default: true) */
+  requireOrgContext?: boolean;
+  /** Required org-level roles */
+  roles?: string[];
+}
+/**
+ * Create org guard middleware.
+ * Reads `request.scope` for org context and roles.
+ * Elevated scope always passes.
+ */
+declare function orgGuard(options?: OrgGuardOptions): RouteHandler;
+/**
+ * Shorthand for requiring org context
+ */
+declare function requireOrg(): RouteHandler;
+/**
+ * Require org context with specific roles
+ */
+declare function requireOrgRole(...roles: string[]): RouteHandler;
+//#endregion
+//#region src/org/orgMembership.d.ts
+interface OrgMembershipOptions {
+  /** Path to user's organizations array */
+  userOrgsPath?: string;
+  /** Optional DB lookup function */
+  validateFromDb?: (userId: string, orgId: string) => Promise<boolean>;
+}
+interface OrgRolesOptions {
+  /** Path to user's organizations array */
+  userOrgsPath?: string;
+}
+/**
+ * Check if user is member of organization.
+ * This is a low-level utility for checking membership from user object data.
+ * For request-level checks, use `request.scope` (isMember/isElevated guards).
+ */
+declare function orgMembershipCheck(user: UserBase | undefined | null, orgId: string | undefined | null, options?: OrgMembershipOptions): Promise<boolean>;
+/**
+ * Get user's role in organization from user object data.
+ * For request-level role checks, use `request.scope.orgRoles` (when scope is 'member').
+ */
+declare function getUserOrgRoles(user: UserBase | undefined | null, orgId: string | undefined | null, options?: OrgRolesOptions): string[];
+/**
+ * Check if user has specific role in organization from user object data.
+ * For request-level role checks, use `requireOrgRole()` permission or `request.scope`.
+ */
+declare function hasOrgRole(user: UserBase | undefined | null, orgId: string | undefined | null, roles: string | string[], options?: OrgRolesOptions): boolean;
+//#endregion
+//#region src/org/organizationPlugin.d.ts
+declare module 'fastify' {
+  interface FastifyInstance {
+    /** Middleware: require the caller to hold one of the listed org roles */
+    requireOrgRole: (roles: string[]) => RouteHandlerMethod;
+  }
+}
+declare const organizationPlugin: FastifyPluginAsync<OrganizationPluginOptions>;
+declare const _default: FastifyPluginAsync<OrganizationPluginOptions>;
+//#endregion
+export { type InvitationAdapter, type InvitationDoc, type MemberDoc, type OrgAdapter, type OrgDoc, type OrgGuardOptions, type OrgMembershipOptions, type OrgPermissionStatement, type OrgRole, type OrgRolesOptions, type OrganizationPluginOptions, getUserOrgRoles, hasOrgRole, orgGuard, orgMembershipCheck, _default as organizationPlugin, organizationPlugin as organizationPluginFn, requireOrg, requireOrgRole };
+//# sourceMappingURL=index.d.mts.map

package/dist/org/index.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/org/orgGuard.ts","../../src/org/orgMembership.ts","../../src/org/organizationPlugin.ts"],"mappings":";;;;;;;;UAsBiB,eAAA;EAYQ;EAVvB,iBAAA;EAUmE;EARnE,KAAA;AAAA;;;;;AAkEF;iBA1DgB,QAAA,CAAS,OAAA,GAAS,eAAA,GAAuB,YAAA;;;;iBAmDzC,UAAA,CAAA,GAAc,YAAA;;;AC7E9B;iBDoFgB,cAAA,CAAA,GAAkB,KAAA,aAAkB,YAAA;;;UCpFnC,oBAAA;;EAEf,YAAA;EDY8B;ECV9B,cAAA,IAAkB,MAAA,UAAgB,KAAA,aAAkB,OAAA;AAAA;AAAA,UAGrC,eAAA;EDmBD;ECjBd,YAAA;AAAA;;;;;;iBAQoB,kBAAA,CACpB,IAAA,EAAM,QAAA,qBACN,KAAA,6BACA,OAAA,GAAS,oBAAA,GACR,OAAA;ADwDH;;;;AAAA,iBCxBgB,eAAA,CACd,IAAA,EAAM,QAAA,qBACN,KAAA,6BACA,OAAA,GAAS,eAAA;AD4BX;;;;AAAA,iBCRgB,UAAA,CACd,IAAA,EAAM,QAAA,qBACN,KAAA,6BACA,KAAA,qBACA,OAAA,GAAS,eAAA;;;;YC3CC,eAAA;IF+CI;IE7CZ,cAAA,GAAiB,KAAA,eAAoB,kBAAA;EAAA;AAAA;AAAA,cA0DnC,kBAAA,EAAoB,kBAAA,CAAmB,yBAAA;AAAA,cAAyB,QAAA"}

package/dist/org/index.mjs

@@ -0,0 +1,514 @@
+import { c as isElevated, i as getOrgRoles, l as isMember, n as PUBLIC_SCOPE, o as hasOrgAccess } from "../types-Beqn1Un7.mjs";
+import fp from "fastify-plugin";
+
+//#region src/org/orgGuard.ts
+/**
+* Create org guard middleware.
+* Reads `request.scope` for org context and roles.
+* Elevated scope always passes.
+*/
+function orgGuard(options = {}) {
+	const { requireOrgContext = true, roles = [] } = options;
+	return async function orgGuardMiddleware(request, reply) {
+		const scope = request.scope ?? PUBLIC_SCOPE;
+		if (isElevated(scope)) return;
+		if (requireOrgContext && !hasOrgAccess(scope)) {
+			reply.code(403).send({
+				success: false,
+				error: "Organization context required",
+				code: "ORG_CONTEXT_REQUIRED",
+				message: "This endpoint requires an organization context. Please specify organization via x-organization-id header."
+			});
+			return;
+		}
+		if (roles.length > 0 && isMember(scope)) {
+			const userOrgRoles = getOrgRoles(scope);
+			if (!roles.some((role) => userOrgRoles.includes(role))) {
+				reply.code(403).send({
+					success: false,
+					error: "Insufficient organization permissions",
+					code: "ORG_ROLE_REQUIRED",
+					message: `This action requires one of these organization roles: ${roles.join(", ")}`,
+					required: roles,
+					current: userOrgRoles
+				});
+				return;
+			}
+		}
+	};
+}
+/**
+* Shorthand for requiring org context
+*/
+function requireOrg() {
+	return orgGuard({ requireOrgContext: true });
+}
+/**
+* Require org context with specific roles
+*/
+function requireOrgRole(...roles) {
+	return orgGuard({
+		requireOrgContext: true,
+		roles
+	});
+}
+
+//#endregion
+//#region src/org/orgMembership.ts
+/**
+* Check if user is member of organization.
+* This is a low-level utility for checking membership from user object data.
+* For request-level checks, use `request.scope` (isMember/isElevated guards).
+*/
+async function orgMembershipCheck(user, orgId, options = {}) {
+	const { userOrgsPath = "organizations", validateFromDb } = options;
+	if (!user || !orgId) return false;
+	if ((user[userOrgsPath] ?? []).some((o) => {
+		return (o.organizationId?.toString() ?? String(o)) === orgId.toString();
+	})) return true;
+	if (validateFromDb) {
+		const userId = (user._id ?? user.id)?.toString();
+		if (userId) return validateFromDb(userId, orgId);
+	}
+	return false;
+}
+/**
+* Get user's role in organization from user object data.
+* For request-level role checks, use `request.scope.orgRoles` (when scope is 'member').
+*/
+function getUserOrgRoles(user, orgId, options = {}) {
+	const { userOrgsPath = "organizations" } = options;
+	if (!user || !orgId) return [];
+	return (user[userOrgsPath] ?? []).find((o) => {
+		return (o.organizationId?.toString() ?? String(o)) === orgId.toString();
+	})?.roles ?? [];
+}
+/**
+* Check if user has specific role in organization from user object data.
+* For request-level role checks, use `requireOrgRole()` permission or `request.scope`.
+*/
+function hasOrgRole(user, orgId, roles, options = {}) {
+	const userOrgRoles = getUserOrgRoles(user, orgId, options);
+	return (Array.isArray(roles) ? roles : [roles]).some((role) => userOrgRoles.includes(role));
+}
+
+//#endregion
+//#region src/org/organizationPlugin.ts
+/**
+* Organization Plugin -- Full org management with REST endpoints
+*
+* Creates these routes:
+* - POST   /api/organizations                          -- Create org
+* - GET    /api/organizations                          -- List user's orgs
+* - GET    /api/organizations/:orgId                   -- Get org
+* - PATCH  /api/organizations/:orgId                   -- Update org
+* - DELETE /api/organizations/:orgId                   -- Delete org
+* - GET    /api/organizations/:orgId/members           -- List members
+* - POST   /api/organizations/:orgId/members           -- Add member
+* - PATCH  /api/organizations/:orgId/members/:userId   -- Update role
+* - DELETE /api/organizations/:orgId/members/:userId   -- Remove member
+*
+* @example
+* import { organizationPlugin } from '@classytic/arc/org';
+*
+* await fastify.register(organizationPlugin, {
+*   adapter: myMongooseOrgAdapter,
+*   basePath: '/api/organizations',
+*   enableInvitations: false,
+* });
+*/
+const DEFAULT_ROLES = [
+	{
+		name: "owner",
+		permissions: [{
+			resource: "*",
+			action: ["*"]
+		}]
+	},
+	{
+		name: "admin",
+		permissions: [{
+			resource: "org",
+			action: ["read", "update"]
+		}, {
+			resource: "members",
+			action: ["*"]
+		}]
+	},
+	{
+		name: "member",
+		permissions: [{
+			resource: "org",
+			action: ["read"]
+		}, {
+			resource: "members",
+			action: ["read"]
+		}]
+	}
+];
+/** Extract a UserBase from the request (set by auth plugin). */
+function getUser(request) {
+	return request.user;
+}
+/** Get user id (supports both `id` and `_id`). */
+function getUserId(user) {
+	const raw = user.id ?? user._id;
+	return raw ? String(raw) : void 0;
+}
+/** Standard JSON error reply. */
+function sendError(reply, statusCode, code, message) {
+	reply.code(statusCode).send({
+		success: false,
+		code,
+		error: message
+	});
+}
+const organizationPlugin = async (fastify, opts) => {
+	const { adapter, roles = DEFAULT_ROLES, basePath = "/api/organizations", enableInvitations = false } = opts;
+	const validRoleNames = new Set(roles.map((r) => r.name));
+	/**
+	* Create a preHandler that:
+	* 1. Ensures the request is authenticated
+	* 2. Looks up the caller's membership in the org identified by `:orgId`
+	* 3. Verifies the caller holds one of the required roles
+	*/
+	fastify.decorate("requireOrgRole", function requireOrgRole(requiredRoles) {
+		return async function requireOrgRoleHandler(request, reply) {
+			const user = getUser(request);
+			if (!user) {
+				sendError(reply, 401, "UNAUTHORIZED", "Authentication required");
+				return;
+			}
+			const userId = getUserId(user);
+			if (!userId) {
+				sendError(reply, 401, "UNAUTHORIZED", "Unable to determine user identity");
+				return;
+			}
+			const { orgId } = request.params;
+			if (!orgId) {
+				sendError(reply, 400, "MISSING_ORG_ID", "Organization ID is required");
+				return;
+			}
+			const member = await adapter.getMember(orgId, userId);
+			if (!member) {
+				sendError(reply, 403, "NOT_A_MEMBER", "You are not a member of this organization");
+				return;
+			}
+			if (!requiredRoles.includes(member.role)) {
+				sendError(reply, 403, "INSUFFICIENT_ROLE", `This action requires one of these roles: ${requiredRoles.join(", ")}`);
+				return;
+			}
+		};
+	});
+	/** Wrap preHandlers so that authenticate is called first (if available). */
+	function withAuth(...extra) {
+		const handlers = [];
+		const inst = fastify;
+		if (typeof inst.authenticate === "function") handlers.push(inst.authenticate);
+		handlers.push(...extra);
+		return handlers;
+	}
+	function generateSlug(name) {
+		return name.toLowerCase().trim().replace(/[^\w\s-]/g, "").replace(/[\s_]+/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+	}
+	/**
+	* POST / -- Create organization
+	*
+	* Body: { name: string; slug?: string; [key: string]: unknown }
+	* The authenticated user becomes the owner.
+	*/
+	fastify.post(basePath, { preHandler: withAuth() }, async (request, reply) => {
+		const user = getUser(request);
+		if (!user) {
+			sendError(reply, 401, "UNAUTHORIZED", "Authentication required");
+			return;
+		}
+		const userId = getUserId(user);
+		if (!userId) {
+			sendError(reply, 401, "UNAUTHORIZED", "Unable to determine user identity");
+			return;
+		}
+		const body = request.body;
+		if (!body?.name) {
+			sendError(reply, 400, "VALIDATION_ERROR", "Organization name is required");
+			return;
+		}
+		const slug = body.slug ?? generateSlug(body.name);
+		if (await adapter.getOrgBySlug(slug)) {
+			sendError(reply, 409, "SLUG_TAKEN", `An organization with slug '${slug}' already exists`);
+			return;
+		}
+		const org = await adapter.createOrg({
+			...body,
+			name: body.name,
+			slug,
+			ownerId: userId
+		});
+		await adapter.addMember(org.id, userId, "owner");
+		reply.code(201).send({
+			success: true,
+			data: org
+		});
+	});
+	/**
+	* GET / -- List the authenticated user's organizations
+	*/
+	fastify.get(basePath, { preHandler: withAuth() }, async (request, reply) => {
+		const user = getUser(request);
+		if (!user) {
+			sendError(reply, 401, "UNAUTHORIZED", "Authentication required");
+			return;
+		}
+		const userId = getUserId(user);
+		if (!userId) {
+			sendError(reply, 401, "UNAUTHORIZED", "Unable to determine user identity");
+			return;
+		}
+		const orgs = await adapter.listUserOrgs(userId);
+		reply.send({
+			success: true,
+			data: orgs
+		});
+	});
+	/**
+	* GET /:orgId -- Get a single organization
+	*/
+	fastify.get(`${basePath}/:orgId`, { preHandler: withAuth(fastify.requireOrgRole([
+		"owner",
+		"admin",
+		"member"
+	])) }, async (request, reply) => {
+		const { orgId } = request.params;
+		const org = await adapter.getOrg(orgId);
+		if (!org) {
+			sendError(reply, 404, "NOT_FOUND", "Organization not found");
+			return;
+		}
+		reply.send({
+			success: true,
+			data: org
+		});
+	});
+	/**
+	* PATCH /:orgId -- Update organization
+	*/
+	fastify.patch(`${basePath}/:orgId`, { preHandler: withAuth(fastify.requireOrgRole(["owner", "admin"])) }, async (request, reply) => {
+		const { orgId } = request.params;
+		const body = request.body;
+		if (!body || Object.keys(body).length === 0) {
+			sendError(reply, 400, "VALIDATION_ERROR", "Request body must not be empty");
+			return;
+		}
+		const { ownerId: _ownerId, id: _id, ...updates } = body;
+		const org = await adapter.updateOrg(orgId, updates);
+		if (!org) {
+			sendError(reply, 404, "NOT_FOUND", "Organization not found");
+			return;
+		}
+		reply.send({
+			success: true,
+			data: org
+		});
+	});
+	/**
+	* DELETE /:orgId -- Delete organization (owner only)
+	*/
+	fastify.delete(`${basePath}/:orgId`, { preHandler: withAuth(fastify.requireOrgRole(["owner"])) }, async (request, reply) => {
+		const { orgId } = request.params;
+		if (!await adapter.getOrg(orgId)) {
+			sendError(reply, 404, "NOT_FOUND", "Organization not found");
+			return;
+		}
+		await adapter.deleteOrg(orgId);
+		reply.send({
+			success: true,
+			message: "Organization deleted"
+		});
+	});
+	/**
+	* GET /:orgId/members -- List members
+	*/
+	fastify.get(`${basePath}/:orgId/members`, { preHandler: withAuth(fastify.requireOrgRole([
+		"owner",
+		"admin",
+		"member"
+	])) }, async (request, reply) => {
+		const { orgId } = request.params;
+		const members = await adapter.listMembers(orgId);
+		reply.send({
+			success: true,
+			data: members
+		});
+	});
+	/**
+	* POST /:orgId/members -- Add a member
+	*
+	* Body: { userId: string; role: string }
+	*/
+	fastify.post(`${basePath}/:orgId/members`, { preHandler: withAuth(fastify.requireOrgRole(["owner", "admin"])) }, async (request, reply) => {
+		const { orgId } = request.params;
+		const body = request.body;
+		if (!body?.userId || !body.role) {
+			sendError(reply, 400, "VALIDATION_ERROR", "userId and role are required");
+			return;
+		}
+		if (!validRoleNames.has(body.role)) {
+			sendError(reply, 400, "INVALID_ROLE", `Invalid role '${body.role}'. Valid roles: ${[...validRoleNames].join(", ")}`);
+			return;
+		}
+		if (await adapter.getMember(orgId, body.userId)) {
+			sendError(reply, 409, "ALREADY_MEMBER", "User is already a member of this organization");
+			return;
+		}
+		const member = await adapter.addMember(orgId, body.userId, body.role);
+		reply.code(201).send({
+			success: true,
+			data: member
+		});
+	});
+	/**
+	* PATCH /:orgId/members/:userId -- Update a member's role
+	*
+	* Body: { role: string }
+	*/
+	fastify.patch(`${basePath}/:orgId/members/:userId`, { preHandler: withAuth(fastify.requireOrgRole(["owner", "admin"])) }, async (request, reply) => {
+		const { orgId, userId } = request.params;
+		const body = request.body;
+		if (!body?.role) {
+			sendError(reply, 400, "VALIDATION_ERROR", "role is required");
+			return;
+		}
+		if (!validRoleNames.has(body.role)) {
+			sendError(reply, 400, "INVALID_ROLE", `Invalid role '${body.role}'. Valid roles: ${[...validRoleNames].join(", ")}`);
+			return;
+		}
+		const currentMember = await adapter.getMember(orgId, userId);
+		if (!currentMember) {
+			sendError(reply, 404, "NOT_FOUND", "Member not found");
+			return;
+		}
+		if (currentMember.role === "owner" && body.role !== "owner") {
+			if ((await adapter.listMembers(orgId)).filter((m) => m.role === "owner").length <= 1) {
+				sendError(reply, 400, "LAST_OWNER", "Cannot change the role of the last owner. Transfer ownership first.");
+				return;
+			}
+		}
+		const member = await adapter.updateMemberRole(orgId, userId, body.role);
+		if (!member) {
+			sendError(reply, 404, "NOT_FOUND", "Member not found");
+			return;
+		}
+		reply.send({
+			success: true,
+			data: member
+		});
+	});
+	/**
+	* DELETE /:orgId/members/:userId -- Remove a member
+	*/
+	fastify.delete(`${basePath}/:orgId/members/:userId`, { preHandler: withAuth(fastify.requireOrgRole(["owner", "admin"])) }, async (request, reply) => {
+		const { orgId, userId } = request.params;
+		const member = await adapter.getMember(orgId, userId);
+		if (!member) {
+			sendError(reply, 404, "NOT_FOUND", "Member not found");
+			return;
+		}
+		if (member.role === "owner") {
+			if ((await adapter.listMembers(orgId)).filter((m) => m.role === "owner").length <= 1) {
+				sendError(reply, 400, "LAST_OWNER", "Cannot remove the last owner. Transfer ownership or delete the organization.");
+				return;
+			}
+		}
+		await adapter.removeMember(orgId, userId);
+		reply.send({
+			success: true,
+			message: "Member removed"
+		});
+	});
+	if (enableInvitations && adapter.invitations) {
+		const inv = adapter.invitations;
+		/**
+		* POST /:orgId/invitations -- Create invitation
+		*
+		* Body: { email: string; role: string; expiresAt?: string }
+		*/
+		fastify.post(`${basePath}/:orgId/invitations`, { preHandler: withAuth(fastify.requireOrgRole(["owner", "admin"])) }, async (request, reply) => {
+			const user = getUser(request);
+			const userId = user ? getUserId(user) : void 0;
+			if (!userId) {
+				sendError(reply, 401, "UNAUTHORIZED", "Authentication required");
+				return;
+			}
+			const { orgId } = request.params;
+			const body = request.body;
+			if (!body?.email || !body.role) {
+				sendError(reply, 400, "VALIDATION_ERROR", "email and role are required");
+				return;
+			}
+			if (!validRoleNames.has(body.role)) {
+				sendError(reply, 400, "INVALID_ROLE", `Invalid role '${body.role}'. Valid roles: ${[...validRoleNames].join(", ")}`);
+				return;
+			}
+			const defaultExpiry = new Date(Date.now() + 10080 * 60 * 1e3);
+			const expiresAt = body.expiresAt ? new Date(body.expiresAt) : defaultExpiry;
+			const invitation = await inv.create({
+				orgId,
+				email: body.email,
+				role: body.role,
+				invitedBy: userId,
+				status: "pending",
+				expiresAt
+			});
+			reply.code(201).send({
+				success: true,
+				data: invitation
+			});
+		});
+		/**
+		* GET /:orgId/invitations -- List pending invitations
+		*/
+		fastify.get(`${basePath}/:orgId/invitations`, { preHandler: withAuth(fastify.requireOrgRole(["owner", "admin"])) }, async (request, reply) => {
+			const { orgId } = request.params;
+			const invitations = await inv.listPending(orgId);
+			reply.send({
+				success: true,
+				data: invitations
+			});
+		});
+		/**
+		* POST /invitations/:invitationId/accept -- Accept invitation
+		*/
+		fastify.post(`${basePath}/invitations/:invitationId/accept`, { preHandler: withAuth() }, async (request, reply) => {
+			const { invitationId } = request.params;
+			await inv.accept(invitationId);
+			reply.send({
+				success: true,
+				message: "Invitation accepted"
+			});
+		});
+		/**
+		* POST /invitations/:invitationId/reject -- Reject invitation
+		*/
+		fastify.post(`${basePath}/invitations/:invitationId/reject`, { preHandler: withAuth() }, async (request, reply) => {
+			const { invitationId } = request.params;
+			await inv.reject(invitationId);
+			reply.send({
+				success: true,
+				message: "Invitation rejected"
+			});
+		});
+	}
+	fastify.log?.debug?.({
+		basePath,
+		roles: [...validRoleNames],
+		invitations: enableInvitations
+	}, "Organization plugin registered");
+};
+var organizationPlugin_default = fp(organizationPlugin, {
+	name: "arc-organization",
+	fastify: "5.x"
+});
+
+//#endregion
+export { getUserOrgRoles, hasOrgRole, orgGuard, orgMembershipCheck, organizationPlugin_default as organizationPlugin, organizationPlugin as organizationPluginFn, requireOrg, requireOrgRole };
+//# sourceMappingURL=index.mjs.map

package/dist/org/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../src/org/orgGuard.ts","../../src/org/orgMembership.ts","../../src/org/organizationPlugin.ts"],"sourcesContent":["/**\n * Organization Guard Middleware\n *\n * Ensures organization context is present before handler execution.\n *\n * @example\n * // Require org context\n * fastify.get('/invoices', {\n *   preHandler: [fastify.authenticate, orgGuard()]\n * }, handler);\n *\n * // Require specific org roles\n * fastify.post('/invoices', {\n *   preHandler: [fastify.authenticate, orgGuard({ roles: ['admin', 'accountant'] })]\n * }, handler);\n */\n\nimport type { FastifyReply } from 'fastify';\nimport type { RequestWithExtras, RouteHandler } from '../types/index.js';\nimport type { RequestScope } from '../scope/types.js';\nimport { isMember, isElevated, hasOrgAccess, getOrgRoles, PUBLIC_SCOPE } from '../scope/types.js';\n\nexport interface OrgGuardOptions {\n  /** Require organization context (default: true) */\n  requireOrgContext?: boolean;\n  /** Required org-level roles */\n  roles?: string[];\n}\n\n/**\n * Create org guard middleware.\n * Reads `request.scope` for org context and roles.\n * Elevated scope always passes.\n */\nexport function orgGuard(options: OrgGuardOptions = {}): RouteHandler {\n  const {\n    requireOrgContext = true,\n    roles = [],\n  } = options;\n\n  return async function orgGuardMiddleware(\n    request: RequestWithExtras,\n    reply: FastifyReply\n  ): Promise<void> {\n    const scope = request.scope ?? PUBLIC_SCOPE;\n\n    // Elevated scope always passes\n    if (isElevated(scope)) return;\n\n    // Check org context exists\n    if (requireOrgContext && !hasOrgAccess(scope)) {\n      reply.code(403).send({\n        success: false,\n        error: 'Organization context required',\n        code: 'ORG_CONTEXT_REQUIRED',\n        message:\n          'This endpoint requires an organization context. ' +\n          'Please specify organization via x-organization-id header.',\n      });\n      return;\n    }\n\n    // Check org-level roles if specified\n    if (roles.length > 0 && isMember(scope)) {\n      const userOrgRoles = getOrgRoles(scope);\n      const hasRequiredRole = roles.some((role) => userOrgRoles.includes(role));\n\n      if (!hasRequiredRole) {\n        reply.code(403).send({\n          success: false,\n          error: 'Insufficient organization permissions',\n          code: 'ORG_ROLE_REQUIRED',\n          message: `This action requires one of these organization roles: ${roles.join(', ')}`,\n          required: roles,\n          current: userOrgRoles,\n        });\n        return;\n      }\n    }\n  };\n}\n\n/**\n * Shorthand for requiring org context\n */\nexport function requireOrg(): RouteHandler {\n  return orgGuard({ requireOrgContext: true });\n}\n\n/**\n * Require org context with specific roles\n */\nexport function requireOrgRole(...roles: string[]): RouteHandler {\n  return orgGuard({ requireOrgContext: true, roles });\n}\n\nexport default orgGuard;\n","/**\n * Organization Membership Utilities\n *\n * Server-side membership validation.\n */\n\nimport type { UserBase, UserOrganization } from '../types/index.js';\n\nexport interface OrgMembershipOptions {\n  /** Path to user's organizations array */\n  userOrgsPath?: string;\n  /** Optional DB lookup function */\n  validateFromDb?: (userId: string, orgId: string) => Promise<boolean>;\n}\n\nexport interface OrgRolesOptions {\n  /** Path to user's organizations array */\n  userOrgsPath?: string;\n}\n\n/**\n * Check if user is member of organization.\n * This is a low-level utility for checking membership from user object data.\n * For request-level checks, use `request.scope` (isMember/isElevated guards).\n */\nexport async function orgMembershipCheck(\n  user: UserBase | undefined | null,\n  orgId: string | undefined | null,\n  options: OrgMembershipOptions = {}\n): Promise<boolean> {\n  const {\n    userOrgsPath = 'organizations',\n    validateFromDb,\n  } = options;\n\n  if (!user || !orgId) return false;\n\n  // Check from user object\n  const userOrgs = ((user as UserBase & { [key: string]: unknown })[userOrgsPath] ?? []) as UserOrganization[];\n  const isMemberFromUser = userOrgs.some((o) => {\n    const memberOrgId = o.organizationId?.toString() ?? String(o);\n    return memberOrgId === orgId.toString();\n  });\n\n  if (isMemberFromUser) return true;\n\n  // Optional: validate from database\n  if (validateFromDb) {\n    const userId = (user._id ?? user.id)?.toString();\n    if (userId) {\n      return validateFromDb(userId, orgId);\n    }\n  }\n\n  return false;\n}\n\n/**\n * Get user's role in organization from user object data.\n * For request-level role checks, use `request.scope.orgRoles` (when scope is 'member').\n */\nexport function getUserOrgRoles(\n  user: UserBase | undefined | null,\n  orgId: string | undefined | null,\n  options: OrgRolesOptions = {}\n): string[] {\n  const { userOrgsPath = 'organizations' } = options;\n\n  if (!user || !orgId) return [];\n\n  const userOrgs = ((user as UserBase & { [key: string]: unknown })[userOrgsPath] ?? []) as UserOrganization[];\n  const membership = userOrgs.find((o) => {\n    const memberOrgId = o.organizationId?.toString() ?? String(o);\n    return memberOrgId === orgId.toString();\n  });\n\n  const membershipRoles = membership as { roles?: string[] } | undefined;\n  return membershipRoles?.roles ?? [];\n}\n\n/**\n * Check if user has specific role in organization from user object data.\n * For request-level role checks, use `requireOrgRole()` permission or `request.scope`.\n */\nexport function hasOrgRole(\n  user: UserBase | undefined | null,\n  orgId: string | undefined | null,\n  roles: string | string[],\n  options: OrgRolesOptions = {}\n): boolean {\n  const userOrgRoles = getUserOrgRoles(user, orgId, options);\n  const requiredRoles = Array.isArray(roles) ? roles : [roles];\n\n  return requiredRoles.some((role) => userOrgRoles.includes(role));\n}\n\nexport default { orgMembershipCheck, getUserOrgRoles, hasOrgRole };\n","/**\n * Organization Plugin -- Full org management with REST endpoints\n *\n * Creates these routes:\n * - POST   /api/organizations                          -- Create org\n * - GET    /api/organizations                          -- List user's orgs\n * - GET    /api/organizations/:orgId                   -- Get org\n * - PATCH  /api/organizations/:orgId                   -- Update org\n * - DELETE /api/organizations/:orgId                   -- Delete org\n * - GET    /api/organizations/:orgId/members           -- List members\n * - POST   /api/organizations/:orgId/members           -- Add member\n * - PATCH  /api/organizations/:orgId/members/:userId   -- Update role\n * - DELETE /api/organizations/:orgId/members/:userId   -- Remove member\n *\n * @example\n * import { organizationPlugin } from '@classytic/arc/org';\n *\n * await fastify.register(organizationPlugin, {\n *   adapter: myMongooseOrgAdapter,\n *   basePath: '/api/organizations',\n *   enableInvitations: false,\n * });\n */\n\nimport fp from 'fastify-plugin';\nimport type {\n  FastifyInstance,\n  FastifyPluginAsync,\n  FastifyReply,\n  FastifyRequest,\n  RouteHandlerMethod,\n} from 'fastify';\nimport type {\n  OrgAdapter,\n  OrgRole,\n  OrganizationPluginOptions,\n  MemberDoc,\n} from './types.js';\nimport type { UserBase } from '../permissions/types.js';\n\n// ---------------------------------------------------------------------------\n// Fastify type augmentations\n// ---------------------------------------------------------------------------\n\ndeclare module 'fastify' {\n  interface FastifyInstance {\n    /** Middleware: require the caller to hold one of the listed org roles */\n    requireOrgRole: (roles: string[]) => RouteHandlerMethod;\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Default roles\n// ---------------------------------------------------------------------------\n\nconst DEFAULT_ROLES: OrgRole[] = [\n  {\n    name: 'owner',\n    permissions: [{ resource: '*', action: ['*'] }],\n  },\n  {\n    name: 'admin',\n    permissions: [\n      { resource: 'org', action: ['read', 'update'] },\n      { resource: 'members', action: ['*'] },\n    ],\n  },\n  {\n    name: 'member',\n    permissions: [\n      { resource: 'org', action: ['read'] },\n      { resource: 'members', action: ['read'] },\n    ],\n  },\n];\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\n/** Extract a UserBase from the request (set by auth plugin). */\nfunction getUser(request: FastifyRequest): UserBase | undefined {\n  return (request as FastifyRequest & { user?: UserBase }).user;\n}\n\n/** Get user id (supports both `id` and `_id`). */\nfunction getUserId(user: UserBase): string | undefined {\n  const raw = user.id ?? user._id;\n  return raw ? String(raw) : undefined;\n}\n\n/** Standard JSON error reply. */\nfunction sendError(\n  reply: FastifyReply,\n  statusCode: number,\n  code: string,\n  message: string,\n): void {\n  void reply.code(statusCode).send({ success: false, code, error: message });\n}\n\n// ---------------------------------------------------------------------------\n// Plugin implementation\n// ---------------------------------------------------------------------------\n\nconst organizationPlugin: FastifyPluginAsync<OrganizationPluginOptions> = async (\n  fastify: FastifyInstance,\n  opts: OrganizationPluginOptions,\n) => {\n  const {\n    adapter,\n    roles = DEFAULT_ROLES,\n    basePath = '/api/organizations',\n    enableInvitations = false,\n  } = opts;\n\n  // Collect valid role names for quick validation\n  const validRoleNames = new Set(roles.map((r) => r.name));\n\n  // --------------------------------------------------\n  // requireOrgRole decorator\n  // --------------------------------------------------\n\n  /**\n   * Create a preHandler that:\n   * 1. Ensures the request is authenticated\n   * 2. Looks up the caller's membership in the org identified by `:orgId`\n   * 3. Verifies the caller holds one of the required roles\n   */\n  fastify.decorate(\n    'requireOrgRole',\n    function requireOrgRole(requiredRoles: string[]): RouteHandlerMethod {\n      return async function requireOrgRoleHandler(\n        request: FastifyRequest,\n        reply: FastifyReply,\n      ): Promise<void> {\n        const user = getUser(request);\n        if (!user) {\n          sendError(reply, 401, 'UNAUTHORIZED', 'Authentication required');\n          return;\n        }\n\n        const userId = getUserId(user);\n        if (!userId) {\n          sendError(reply, 401, 'UNAUTHORIZED', 'Unable to determine user identity');\n          return;\n        }\n\n        const { orgId } = request.params as { orgId?: string };\n        if (!orgId) {\n          sendError(reply, 400, 'MISSING_ORG_ID', 'Organization ID is required');\n          return;\n        }\n\n        const member = await adapter.getMember(orgId, userId);\n        if (!member) {\n          sendError(reply, 403, 'NOT_A_MEMBER', 'You are not a member of this organization');\n          return;\n        }\n\n        const hasRole = requiredRoles.includes(member.role);\n        if (!hasRole) {\n          sendError(\n            reply,\n            403,\n            'INSUFFICIENT_ROLE',\n            `This action requires one of these roles: ${requiredRoles.join(', ')}`,\n          );\n          return;\n        }\n      };\n    },\n  );\n\n  // --------------------------------------------------\n  // Auth helper -- optional authenticate decorator\n  // --------------------------------------------------\n\n  /** Wrap preHandlers so that authenticate is called first (if available). */\n  function withAuth(...extra: RouteHandlerMethod[]): RouteHandlerMethod[] {\n    const handlers: RouteHandlerMethod[] = [];\n    const inst = fastify as FastifyInstance & { authenticate?: RouteHandlerMethod };\n    if (typeof inst.authenticate === 'function') {\n      handlers.push(inst.authenticate);\n    }\n    handlers.push(...extra);\n    return handlers;\n  }\n\n  // --------------------------------------------------\n  // Slug helper\n  // --------------------------------------------------\n\n  function generateSlug(name: string): string {\n    return name\n      .toLowerCase()\n      .trim()\n      .replace(/[^\\w\\s-]/g, '')\n      .replace(/[\\s_]+/g, '-')\n      .replace(/-+/g, '-')\n      .replace(/^-|-$/g, '');\n  }\n\n  // --------------------------------------------------\n  // Organization routes\n  // --------------------------------------------------\n\n  /**\n   * POST / -- Create organization\n   *\n   * Body: { name: string; slug?: string; [key: string]: unknown }\n   * The authenticated user becomes the owner.\n   */\n  fastify.post(\n    basePath,\n    { preHandler: withAuth() },\n    async (request: FastifyRequest, reply: FastifyReply) => {\n      const user = getUser(request);\n      if (!user) {\n        sendError(reply, 401, 'UNAUTHORIZED', 'Authentication required');\n        return;\n      }\n\n      const userId = getUserId(user);\n      if (!userId) {\n        sendError(reply, 401, 'UNAUTHORIZED', 'Unable to determine user identity');\n        return;\n      }\n\n      const body = request.body as { name?: string; slug?: string; [key: string]: unknown } | undefined;\n      if (!body?.name) {\n        sendError(reply, 400, 'VALIDATION_ERROR', 'Organization name is required');\n        return;\n      }\n\n      const slug = body.slug ?? generateSlug(body.name);\n\n      // Check slug uniqueness\n      const existing = await adapter.getOrgBySlug(slug);\n      if (existing) {\n        sendError(reply, 409, 'SLUG_TAKEN', `An organization with slug '${slug}' already exists`);\n        return;\n      }\n\n      const org = await adapter.createOrg({ ...body, name: body.name, slug, ownerId: userId });\n\n      // Auto-add creator as owner\n      await adapter.addMember(org.id, userId, 'owner');\n\n      void reply.code(201).send({ success: true, data: org });\n    },\n  );\n\n  /**\n   * GET / -- List the authenticated user's organizations\n   */\n  fastify.get(\n    basePath,\n    { preHandler: withAuth() },\n    async (request: FastifyRequest, reply: FastifyReply) => {\n      const user = getUser(request);\n      if (!user) {\n        sendError(reply, 401, 'UNAUTHORIZED', 'Authentication required');\n        return;\n      }\n\n      const userId = getUserId(user);\n      if (!userId) {\n        sendError(reply, 401, 'UNAUTHORIZED', 'Unable to determine user identity');\n        return;\n      }\n\n      const orgs = await adapter.listUserOrgs(userId);\n      void reply.send({ success: true, data: orgs });\n    },\n  );\n\n  /**\n   * GET /:orgId -- Get a single organization\n   */\n  fastify.get(\n    `${basePath}/:orgId`,\n    { preHandler: withAuth(fastify.requireOrgRole(['owner', 'admin', 'member'])) },\n    async (request: FastifyRequest, reply: FastifyReply) => {\n      const { orgId } = request.params as { orgId: string };\n      const org = await adapter.getOrg(orgId);\n\n      if (!org) {\n        sendError(reply, 404, 'NOT_FOUND', 'Organization not found');\n        return;\n      }\n\n      void reply.send({ success: true, data: org });\n    },\n  );\n\n  /**\n   * PATCH /:orgId -- Update organization\n   */\n  fastify.patch(\n    `${basePath}/:orgId`,\n    { preHandler: withAuth(fastify.requireOrgRole(['owner', 'admin'])) },\n    async (request: FastifyRequest, reply: FastifyReply) => {\n      const { orgId } = request.params as { orgId: string };\n      const body = request.body as Partial<Record<string, unknown>> | undefined;\n\n      if (!body || Object.keys(body).length === 0) {\n        sendError(reply, 400, 'VALIDATION_ERROR', 'Request body must not be empty');\n        return;\n      }\n\n      // Prevent changing ownerId or id through PATCH\n      const { ownerId: _ownerId, id: _id, ...updates } = body;\n\n      const org = await adapter.updateOrg(orgId, updates);\n      if (!org) {\n        sendError(reply, 404, 'NOT_FOUND', 'Organization not found');\n        return;\n      }\n\n      void reply.send({ success: true, data: org });\n    },\n  );\n\n  /**\n   * DELETE /:orgId -- Delete organization (owner only)\n   */\n  fastify.delete(\n    `${basePath}/:orgId`,\n    { preHandler: withAuth(fastify.requireOrgRole(['owner'])) },\n    async (request: FastifyRequest, reply: FastifyReply) => {\n      const { orgId } = request.params as { orgId: string };\n\n      const org = await adapter.getOrg(orgId);\n      if (!org) {\n        sendError(reply, 404, 'NOT_FOUND', 'Organization not found');\n        return;\n      }\n\n      await adapter.deleteOrg(orgId);\n      void reply.send({ success: true, message: 'Organization deleted' });\n    },\n  );\n\n  // --------------------------------------------------\n  // Member routes\n  // --------------------------------------------------\n\n  /**\n   * GET /:orgId/members -- List members\n   */\n  fastify.get(\n    `${basePath}/:orgId/members`,\n    { preHandler: withAuth(fastify.requireOrgRole(['owner', 'admin', 'member'])) },\n    async (request: FastifyRequest, reply: FastifyReply) => {\n      const { orgId } = request.params as { orgId: string };\n      const members = await adapter.listMembers(orgId);\n      void reply.send({ success: true, data: members });\n    },\n  );\n\n  /**\n   * POST /:orgId/members -- Add a member\n   *\n   * Body: { userId: string; role: string }\n   */\n  fastify.post(\n    `${basePath}/:orgId/members`,\n    { preHandler: withAuth(fastify.requireOrgRole(['owner', 'admin'])) },\n    async (request: FastifyRequest, reply: FastifyReply) => {\n      const { orgId } = request.params as { orgId: string };\n      const body = request.body as { userId?: string; role?: string } | undefined;\n\n      if (!body?.userId || !body.role) {\n        sendError(reply, 400, 'VALIDATION_ERROR', 'userId and role are required');\n        return;\n      }\n\n      if (!validRoleNames.has(body.role)) {\n        sendError(\n          reply,\n          400,\n          'INVALID_ROLE',\n          `Invalid role '${body.role}'. Valid roles: ${[...validRoleNames].join(', ')}`,\n        );\n        return;\n      }\n\n      // Prevent duplicate membership\n      const existing = await adapter.getMember(orgId, body.userId);\n      if (existing) {\n        sendError(reply, 409, 'ALREADY_MEMBER', 'User is already a member of this organization');\n        return;\n      }\n\n      const member = await adapter.addMember(orgId, body.userId, body.role);\n      void reply.code(201).send({ success: true, data: member });\n    },\n  );\n\n  /**\n   * PATCH /:orgId/members/:userId -- Update a member's role\n   *\n   * Body: { role: string }\n   */\n  fastify.patch(\n    `${basePath}/:orgId/members/:userId`,\n    { preHandler: withAuth(fastify.requireOrgRole(['owner', 'admin'])) },\n    async (request: FastifyRequest, reply: FastifyReply) => {\n      const { orgId, userId } = request.params as { orgId: string; userId: string };\n      const body = request.body as { role?: string } | undefined;\n\n      if (!body?.role) {\n        sendError(reply, 400, 'VALIDATION_ERROR', 'role is required');\n        return;\n      }\n\n      if (!validRoleNames.has(body.role)) {\n        sendError(\n          reply,\n          400,\n          'INVALID_ROLE',\n          `Invalid role '${body.role}'. Valid roles: ${[...validRoleNames].join(', ')}`,\n        );\n        return;\n      }\n\n      // Prevent demoting the last owner\n      const currentMember = await adapter.getMember(orgId, userId);\n      if (!currentMember) {\n        sendError(reply, 404, 'NOT_FOUND', 'Member not found');\n        return;\n      }\n\n      if (currentMember.role === 'owner' && body.role !== 'owner') {\n        const members = await adapter.listMembers(orgId);\n        const ownerCount = members.filter((m: MemberDoc) => m.role === 'owner').length;\n        if (ownerCount <= 1) {\n          sendError(\n            reply,\n            400,\n            'LAST_OWNER',\n            'Cannot change the role of the last owner. Transfer ownership first.',\n          );\n          return;\n        }\n      }\n\n      const member = await adapter.updateMemberRole(orgId, userId, body.role);\n      if (!member) {\n        sendError(reply, 404, 'NOT_FOUND', 'Member not found');\n        return;\n      }\n\n      void reply.send({ success: true, data: member });\n    },\n  );\n\n  /**\n   * DELETE /:orgId/members/:userId -- Remove a member\n   */\n  fastify.delete(\n    `${basePath}/:orgId/members/:userId`,\n    { preHandler: withAuth(fastify.requireOrgRole(['owner', 'admin'])) },\n    async (request: FastifyRequest, reply: FastifyReply) => {\n      const { orgId, userId } = request.params as { orgId: string; userId: string };\n\n      const member = await adapter.getMember(orgId, userId);\n      if (!member) {\n        sendError(reply, 404, 'NOT_FOUND', 'Member not found');\n        return;\n      }\n\n      // Prevent removing the last owner\n      if (member.role === 'owner') {\n        const members = await adapter.listMembers(orgId);\n        const ownerCount = members.filter((m: MemberDoc) => m.role === 'owner').length;\n        if (ownerCount <= 1) {\n          sendError(\n            reply,\n            400,\n            'LAST_OWNER',\n            'Cannot remove the last owner. Transfer ownership or delete the organization.',\n          );\n          return;\n        }\n      }\n\n      await adapter.removeMember(orgId, userId);\n      void reply.send({ success: true, message: 'Member removed' });\n    },\n  );\n\n  // --------------------------------------------------\n  // Invitation routes (optional)\n  // --------------------------------------------------\n\n  if (enableInvitations && adapter.invitations) {\n    const inv = adapter.invitations;\n\n    /**\n     * POST /:orgId/invitations -- Create invitation\n     *\n     * Body: { email: string; role: string; expiresAt?: string }\n     */\n    fastify.post(\n      `${basePath}/:orgId/invitations`,\n      { preHandler: withAuth(fastify.requireOrgRole(['owner', 'admin'])) },\n      async (request: FastifyRequest, reply: FastifyReply) => {\n        const user = getUser(request);\n        const userId = user ? getUserId(user) : undefined;\n        if (!userId) {\n          sendError(reply, 401, 'UNAUTHORIZED', 'Authentication required');\n          return;\n        }\n\n        const { orgId } = request.params as { orgId: string };\n        const body = request.body as { email?: string; role?: string; expiresAt?: string } | undefined;\n\n        if (!body?.email || !body.role) {\n          sendError(reply, 400, 'VALIDATION_ERROR', 'email and role are required');\n          return;\n        }\n\n        if (!validRoleNames.has(body.role)) {\n          sendError(\n            reply,\n            400,\n            'INVALID_ROLE',\n            `Invalid role '${body.role}'. Valid roles: ${[...validRoleNames].join(', ')}`,\n          );\n          return;\n        }\n\n        const defaultExpiry = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days\n        const expiresAt = body.expiresAt ? new Date(body.expiresAt) : defaultExpiry;\n\n        const invitation = await inv.create({\n          orgId,\n          email: body.email,\n          role: body.role,\n          invitedBy: userId,\n          status: 'pending',\n          expiresAt,\n        });\n\n        void reply.code(201).send({ success: true, data: invitation });\n      },\n    );\n\n    /**\n     * GET /:orgId/invitations -- List pending invitations\n     */\n    fastify.get(\n      `${basePath}/:orgId/invitations`,\n      { preHandler: withAuth(fastify.requireOrgRole(['owner', 'admin'])) },\n      async (request: FastifyRequest, reply: FastifyReply) => {\n        const { orgId } = request.params as { orgId: string };\n        const invitations = await inv.listPending(orgId);\n        void reply.send({ success: true, data: invitations });\n      },\n    );\n\n    /**\n     * POST /invitations/:invitationId/accept -- Accept invitation\n     */\n    fastify.post(\n      `${basePath}/invitations/:invitationId/accept`,\n      { preHandler: withAuth() },\n      async (request: FastifyRequest, reply: FastifyReply) => {\n        const { invitationId } = request.params as { invitationId: string };\n        await inv.accept(invitationId);\n        void reply.send({ success: true, message: 'Invitation accepted' });\n      },\n    );\n\n    /**\n     * POST /invitations/:invitationId/reject -- Reject invitation\n     */\n    fastify.post(\n      `${basePath}/invitations/:invitationId/reject`,\n      { preHandler: withAuth() },\n      async (request: FastifyRequest, reply: FastifyReply) => {\n        const { invitationId } = request.params as { invitationId: string };\n        await inv.reject(invitationId);\n        void reply.send({ success: true, message: 'Invitation rejected' });\n      },\n    );\n  }\n\n  fastify.log?.debug?.(\n    { basePath, roles: [...validRoleNames], invitations: enableInvitations },\n    'Organization plugin registered',\n  );\n};\n\nexport default fp(organizationPlugin, {\n  name: 'arc-organization',\n  fastify: '5.x',\n});\n\nexport { organizationPlugin };\n"],"mappings":";;;;;;;;;AAkCA,SAAgB,SAAS,UAA2B,EAAE,EAAgB;CACpE,MAAM,EACJ,oBAAoB,MACpB,QAAQ,EAAE,KACR;AAEJ,QAAO,eAAe,mBACpB,SACA,OACe;EACf,MAAM,QAAQ,QAAQ,SAAS;AAG/B,MAAI,WAAW,MAAM,CAAE;AAGvB,MAAI,qBAAqB,CAAC,aAAa,MAAM,EAAE;AAC7C,SAAM,KAAK,IAAI,CAAC,KAAK;IACnB,SAAS;IACT,OAAO;IACP,MAAM;IACN,SACE;IAEH,CAAC;AACF;;AAIF,MAAI,MAAM,SAAS,KAAK,SAAS,MAAM,EAAE;GACvC,MAAM,eAAe,YAAY,MAAM;AAGvC,OAAI,CAFoB,MAAM,MAAM,SAAS,aAAa,SAAS,KAAK,CAAC,EAEnD;AACpB,UAAM,KAAK,IAAI,CAAC,KAAK;KACnB,SAAS;KACT,OAAO;KACP,MAAM;KACN,SAAS,yDAAyD,MAAM,KAAK,KAAK;KAClF,UAAU;KACV,SAAS;KACV,CAAC;AACF;;;;;;;;AASR,SAAgB,aAA2B;AACzC,QAAO,SAAS,EAAE,mBAAmB,MAAM,CAAC;;;;;AAM9C,SAAgB,eAAe,GAAG,OAA+B;AAC/D,QAAO,SAAS;EAAE,mBAAmB;EAAM;EAAO,CAAC;;;;;;;;;;ACpErD,eAAsB,mBACpB,MACA,OACA,UAAgC,EAAE,EAChB;CAClB,MAAM,EACJ,eAAe,iBACf,mBACE;AAEJ,KAAI,CAAC,QAAQ,CAAC,MAAO,QAAO;AAS5B,MANmB,KAA+C,iBAAiB,EAAE,EACnD,MAAM,MAAM;AAE5C,UADoB,EAAE,gBAAgB,UAAU,IAAI,OAAO,EAAE,MACtC,MAAM,UAAU;GACvC,CAEoB,QAAO;AAG7B,KAAI,gBAAgB;EAClB,MAAM,UAAU,KAAK,OAAO,KAAK,KAAK,UAAU;AAChD,MAAI,OACF,QAAO,eAAe,QAAQ,MAAM;;AAIxC,QAAO;;;;;;AAOT,SAAgB,gBACd,MACA,OACA,UAA2B,EAAE,EACnB;CACV,MAAM,EAAE,eAAe,oBAAoB;AAE3C,KAAI,CAAC,QAAQ,CAAC,MAAO,QAAO,EAAE;AAS9B,SAPmB,KAA+C,iBAAiB,EAAE,EACzD,MAAM,MAAM;AAEtC,UADoB,EAAE,gBAAgB,UAAU,IAAI,OAAO,EAAE,MACtC,MAAM,UAAU;GACvC,EAGsB,SAAS,EAAE;;;;;;AAOrC,SAAgB,WACd,MACA,OACA,OACA,UAA2B,EAAE,EACpB;CACT,MAAM,eAAe,gBAAgB,MAAM,OAAO,QAAQ;AAG1D,SAFsB,MAAM,QAAQ,MAAM,GAAG,QAAQ,CAAC,MAAM,EAEvC,MAAM,SAAS,aAAa,SAAS,KAAK,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACtClE,MAAM,gBAA2B;CAC/B;EACE,MAAM;EACN,aAAa,CAAC;GAAE,UAAU;GAAK,QAAQ,CAAC,IAAI;GAAE,CAAC;EAChD;CACD;EACE,MAAM;EACN,aAAa,CACX;GAAE,UAAU;GAAO,QAAQ,CAAC,QAAQ,SAAS;GAAE,EAC/C;GAAE,UAAU;GAAW,QAAQ,CAAC,IAAI;GAAE,CACvC;EACF;CACD;EACE,MAAM;EACN,aAAa,CACX;GAAE,UAAU;GAAO,QAAQ,CAAC,OAAO;GAAE,EACrC;GAAE,UAAU;GAAW,QAAQ,CAAC,OAAO;GAAE,CAC1C;EACF;CACF;;AAOD,SAAS,QAAQ,SAA+C;AAC9D,QAAQ,QAAiD;;;AAI3D,SAAS,UAAU,MAAoC;CACrD,MAAM,MAAM,KAAK,MAAM,KAAK;AAC5B,QAAO,MAAM,OAAO,IAAI,GAAG;;;AAI7B,SAAS,UACP,OACA,YACA,MACA,SACM;AACN,CAAK,MAAM,KAAK,WAAW,CAAC,KAAK;EAAE,SAAS;EAAO;EAAM,OAAO;EAAS,CAAC;;AAO5E,MAAM,qBAAoE,OACxE,SACA,SACG;CACH,MAAM,EACJ,SACA,QAAQ,eACR,WAAW,sBACX,oBAAoB,UAClB;CAGJ,MAAM,iBAAiB,IAAI,IAAI,MAAM,KAAK,MAAM,EAAE,KAAK,CAAC;;;;;;;AAYxD,SAAQ,SACN,kBACA,SAAS,eAAe,eAA6C;AACnE,SAAO,eAAe,sBACpB,SACA,OACe;GACf,MAAM,OAAO,QAAQ,QAAQ;AAC7B,OAAI,CAAC,MAAM;AACT,cAAU,OAAO,KAAK,gBAAgB,0BAA0B;AAChE;;GAGF,MAAM,SAAS,UAAU,KAAK;AAC9B,OAAI,CAAC,QAAQ;AACX,cAAU,OAAO,KAAK,gBAAgB,oCAAoC;AAC1E;;GAGF,MAAM,EAAE,UAAU,QAAQ;AAC1B,OAAI,CAAC,OAAO;AACV,cAAU,OAAO,KAAK,kBAAkB,8BAA8B;AACtE;;GAGF,MAAM,SAAS,MAAM,QAAQ,UAAU,OAAO,OAAO;AACrD,OAAI,CAAC,QAAQ;AACX,cAAU,OAAO,KAAK,gBAAgB,4CAA4C;AAClF;;AAIF,OAAI,CADY,cAAc,SAAS,OAAO,KAAK,EACrC;AACZ,cACE,OACA,KACA,qBACA,4CAA4C,cAAc,KAAK,KAAK,GACrE;AACD;;;GAIP;;CAOD,SAAS,SAAS,GAAG,OAAmD;EACtE,MAAM,WAAiC,EAAE;EACzC,MAAM,OAAO;AACb,MAAI,OAAO,KAAK,iBAAiB,WAC/B,UAAS,KAAK,KAAK,aAAa;AAElC,WAAS,KAAK,GAAG,MAAM;AACvB,SAAO;;CAOT,SAAS,aAAa,MAAsB;AAC1C,SAAO,KACJ,aAAa,CACb,MAAM,CACN,QAAQ,aAAa,GAAG,CACxB,QAAQ,WAAW,IAAI,CACvB,QAAQ,OAAO,IAAI,CACnB,QAAQ,UAAU,GAAG;;;;;;;;AAa1B,SAAQ,KACN,UACA,EAAE,YAAY,UAAU,EAAE,EAC1B,OAAO,SAAyB,UAAwB;EACtD,MAAM,OAAO,QAAQ,QAAQ;AAC7B,MAAI,CAAC,MAAM;AACT,aAAU,OAAO,KAAK,gBAAgB,0BAA0B;AAChE;;EAGF,MAAM,SAAS,UAAU,KAAK;AAC9B,MAAI,CAAC,QAAQ;AACX,aAAU,OAAO,KAAK,gBAAgB,oCAAoC;AAC1E;;EAGF,MAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,MAAM,MAAM;AACf,aAAU,OAAO,KAAK,oBAAoB,gCAAgC;AAC1E;;EAGF,MAAM,OAAO,KAAK,QAAQ,aAAa,KAAK,KAAK;AAIjD,MADiB,MAAM,QAAQ,aAAa,KAAK,EACnC;AACZ,aAAU,OAAO,KAAK,cAAc,8BAA8B,KAAK,kBAAkB;AACzF;;EAGF,MAAM,MAAM,MAAM,QAAQ,UAAU;GAAE,GAAG;GAAM,MAAM,KAAK;GAAM;GAAM,SAAS;GAAQ,CAAC;AAGxF,QAAM,QAAQ,UAAU,IAAI,IAAI,QAAQ,QAAQ;AAEhD,EAAK,MAAM,KAAK,IAAI,CAAC,KAAK;GAAE,SAAS;GAAM,MAAM;GAAK,CAAC;GAE1D;;;;AAKD,SAAQ,IACN,UACA,EAAE,YAAY,UAAU,EAAE,EAC1B,OAAO,SAAyB,UAAwB;EACtD,MAAM,OAAO,QAAQ,QAAQ;AAC7B,MAAI,CAAC,MAAM;AACT,aAAU,OAAO,KAAK,gBAAgB,0BAA0B;AAChE;;EAGF,MAAM,SAAS,UAAU,KAAK;AAC9B,MAAI,CAAC,QAAQ;AACX,aAAU,OAAO,KAAK,gBAAgB,oCAAoC;AAC1E;;EAGF,MAAM,OAAO,MAAM,QAAQ,aAAa,OAAO;AAC/C,EAAK,MAAM,KAAK;GAAE,SAAS;GAAM,MAAM;GAAM,CAAC;GAEjD;;;;AAKD,SAAQ,IACN,GAAG,SAAS,UACZ,EAAE,YAAY,SAAS,QAAQ,eAAe;EAAC;EAAS;EAAS;EAAS,CAAC,CAAC,EAAE,EAC9E,OAAO,SAAyB,UAAwB;EACtD,MAAM,EAAE,UAAU,QAAQ;EAC1B,MAAM,MAAM,MAAM,QAAQ,OAAO,MAAM;AAEvC,MAAI,CAAC,KAAK;AACR,aAAU,OAAO,KAAK,aAAa,yBAAyB;AAC5D;;AAGF,EAAK,MAAM,KAAK;GAAE,SAAS;GAAM,MAAM;GAAK,CAAC;GAEhD;;;;AAKD,SAAQ,MACN,GAAG,SAAS,UACZ,EAAE,YAAY,SAAS,QAAQ,eAAe,CAAC,SAAS,QAAQ,CAAC,CAAC,EAAE,EACpE,OAAO,SAAyB,UAAwB;EACtD,MAAM,EAAE,UAAU,QAAQ;EAC1B,MAAM,OAAO,QAAQ;AAErB,MAAI,CAAC,QAAQ,OAAO,KAAK,KAAK,CAAC,WAAW,GAAG;AAC3C,aAAU,OAAO,KAAK,oBAAoB,iCAAiC;AAC3E;;EAIF,MAAM,EAAE,SAAS,UAAU,IAAI,KAAK,GAAG,YAAY;EAEnD,MAAM,MAAM,MAAM,QAAQ,UAAU,OAAO,QAAQ;AACnD,MAAI,CAAC,KAAK;AACR,aAAU,OAAO,KAAK,aAAa,yBAAyB;AAC5D;;AAGF,EAAK,MAAM,KAAK;GAAE,SAAS;GAAM,MAAM;GAAK,CAAC;GAEhD;;;;AAKD,SAAQ,OACN,GAAG,SAAS,UACZ,EAAE,YAAY,SAAS,QAAQ,eAAe,CAAC,QAAQ,CAAC,CAAC,EAAE,EAC3D,OAAO,SAAyB,UAAwB;EACtD,MAAM,EAAE,UAAU,QAAQ;AAG1B,MAAI,CADQ,MAAM,QAAQ,OAAO,MAAM,EAC7B;AACR,aAAU,OAAO,KAAK,aAAa,yBAAyB;AAC5D;;AAGF,QAAM,QAAQ,UAAU,MAAM;AAC9B,EAAK,MAAM,KAAK;GAAE,SAAS;GAAM,SAAS;GAAwB,CAAC;GAEtE;;;;AASD,SAAQ,IACN,GAAG,SAAS,kBACZ,EAAE,YAAY,SAAS,QAAQ,eAAe;EAAC;EAAS;EAAS;EAAS,CAAC,CAAC,EAAE,EAC9E,OAAO,SAAyB,UAAwB;EACtD,MAAM,EAAE,UAAU,QAAQ;EAC1B,MAAM,UAAU,MAAM,QAAQ,YAAY,MAAM;AAChD,EAAK,MAAM,KAAK;GAAE,SAAS;GAAM,MAAM;GAAS,CAAC;GAEpD;;;;;;AAOD,SAAQ,KACN,GAAG,SAAS,kBACZ,EAAE,YAAY,SAAS,QAAQ,eAAe,CAAC,SAAS,QAAQ,CAAC,CAAC,EAAE,EACpE,OAAO,SAAyB,UAAwB;EACtD,MAAM,EAAE,UAAU,QAAQ;EAC1B,MAAM,OAAO,QAAQ;AAErB,MAAI,CAAC,MAAM,UAAU,CAAC,KAAK,MAAM;AAC/B,aAAU,OAAO,KAAK,oBAAoB,+BAA+B;AACzE;;AAGF,MAAI,CAAC,eAAe,IAAI,KAAK,KAAK,EAAE;AAClC,aACE,OACA,KACA,gBACA,iBAAiB,KAAK,KAAK,kBAAkB,CAAC,GAAG,eAAe,CAAC,KAAK,KAAK,GAC5E;AACD;;AAKF,MADiB,MAAM,QAAQ,UAAU,OAAO,KAAK,OAAO,EAC9C;AACZ,aAAU,OAAO,KAAK,kBAAkB,gDAAgD;AACxF;;EAGF,MAAM,SAAS,MAAM,QAAQ,UAAU,OAAO,KAAK,QAAQ,KAAK,KAAK;AACrE,EAAK,MAAM,KAAK,IAAI,CAAC,KAAK;GAAE,SAAS;GAAM,MAAM;GAAQ,CAAC;GAE7D;;;;;;AAOD,SAAQ,MACN,GAAG,SAAS,0BACZ,EAAE,YAAY,SAAS,QAAQ,eAAe,CAAC,SAAS,QAAQ,CAAC,CAAC,EAAE,EACpE,OAAO,SAAyB,UAAwB;EACtD,MAAM,EAAE,OAAO,WAAW,QAAQ;EAClC,MAAM,OAAO,QAAQ;AAErB,MAAI,CAAC,MAAM,MAAM;AACf,aAAU,OAAO,KAAK,oBAAoB,mBAAmB;AAC7D;;AAGF,MAAI,CAAC,eAAe,IAAI,KAAK,KAAK,EAAE;AAClC,aACE,OACA,KACA,gBACA,iBAAiB,KAAK,KAAK,kBAAkB,CAAC,GAAG,eAAe,CAAC,KAAK,KAAK,GAC5E;AACD;;EAIF,MAAM,gBAAgB,MAAM,QAAQ,UAAU,OAAO,OAAO;AAC5D,MAAI,CAAC,eAAe;AAClB,aAAU,OAAO,KAAK,aAAa,mBAAmB;AACtD;;AAGF,MAAI,cAAc,SAAS,WAAW,KAAK,SAAS,SAGlD;QAFgB,MAAM,QAAQ,YAAY,MAAM,EACrB,QAAQ,MAAiB,EAAE,SAAS,QAAQ,CAAC,UACtD,GAAG;AACnB,cACE,OACA,KACA,cACA,sEACD;AACD;;;EAIJ,MAAM,SAAS,MAAM,QAAQ,iBAAiB,OAAO,QAAQ,KAAK,KAAK;AACvE,MAAI,CAAC,QAAQ;AACX,aAAU,OAAO,KAAK,aAAa,mBAAmB;AACtD;;AAGF,EAAK,MAAM,KAAK;GAAE,SAAS;GAAM,MAAM;GAAQ,CAAC;GAEnD;;;;AAKD,SAAQ,OACN,GAAG,SAAS,0BACZ,EAAE,YAAY,SAAS,QAAQ,eAAe,CAAC,SAAS,QAAQ,CAAC,CAAC,EAAE,EACpE,OAAO,SAAyB,UAAwB;EACtD,MAAM,EAAE,OAAO,WAAW,QAAQ;EAElC,MAAM,SAAS,MAAM,QAAQ,UAAU,OAAO,OAAO;AACrD,MAAI,CAAC,QAAQ;AACX,aAAU,OAAO,KAAK,aAAa,mBAAmB;AACtD;;AAIF,MAAI,OAAO,SAAS,SAGlB;QAFgB,MAAM,QAAQ,YAAY,MAAM,EACrB,QAAQ,MAAiB,EAAE,SAAS,QAAQ,CAAC,UACtD,GAAG;AACnB,cACE,OACA,KACA,cACA,+EACD;AACD;;;AAIJ,QAAM,QAAQ,aAAa,OAAO,OAAO;AACzC,EAAK,MAAM,KAAK;GAAE,SAAS;GAAM,SAAS;GAAkB,CAAC;GAEhE;AAMD,KAAI,qBAAqB,QAAQ,aAAa;EAC5C,MAAM,MAAM,QAAQ;;;;;;AAOpB,UAAQ,KACN,GAAG,SAAS,sBACZ,EAAE,YAAY,SAAS,QAAQ,eAAe,CAAC,SAAS,QAAQ,CAAC,CAAC,EAAE,EACpE,OAAO,SAAyB,UAAwB;GACtD,MAAM,OAAO,QAAQ,QAAQ;GAC7B,MAAM,SAAS,OAAO,UAAU,KAAK,GAAG;AACxC,OAAI,CAAC,QAAQ;AACX,cAAU,OAAO,KAAK,gBAAgB,0BAA0B;AAChE;;GAGF,MAAM,EAAE,UAAU,QAAQ;GAC1B,MAAM,OAAO,QAAQ;AAErB,OAAI,CAAC,MAAM,SAAS,CAAC,KAAK,MAAM;AAC9B,cAAU,OAAO,KAAK,oBAAoB,8BAA8B;AACxE;;AAGF,OAAI,CAAC,eAAe,IAAI,KAAK,KAAK,EAAE;AAClC,cACE,OACA,KACA,gBACA,iBAAiB,KAAK,KAAK,kBAAkB,CAAC,GAAG,eAAe,CAAC,KAAK,KAAK,GAC5E;AACD;;GAGF,MAAM,gBAAgB,IAAI,KAAK,KAAK,KAAK,GAAG,QAAc,KAAK,IAAK;GACpE,MAAM,YAAY,KAAK,YAAY,IAAI,KAAK,KAAK,UAAU,GAAG;GAE9D,MAAM,aAAa,MAAM,IAAI,OAAO;IAClC;IACA,OAAO,KAAK;IACZ,MAAM,KAAK;IACX,WAAW;IACX,QAAQ;IACR;IACD,CAAC;AAEF,GAAK,MAAM,KAAK,IAAI,CAAC,KAAK;IAAE,SAAS;IAAM,MAAM;IAAY,CAAC;IAEjE;;;;AAKD,UAAQ,IACN,GAAG,SAAS,sBACZ,EAAE,YAAY,SAAS,QAAQ,eAAe,CAAC,SAAS,QAAQ,CAAC,CAAC,EAAE,EACpE,OAAO,SAAyB,UAAwB;GACtD,MAAM,EAAE,UAAU,QAAQ;GAC1B,MAAM,cAAc,MAAM,IAAI,YAAY,MAAM;AAChD,GAAK,MAAM,KAAK;IAAE,SAAS;IAAM,MAAM;IAAa,CAAC;IAExD;;;;AAKD,UAAQ,KACN,GAAG,SAAS,oCACZ,EAAE,YAAY,UAAU,EAAE,EAC1B,OAAO,SAAyB,UAAwB;GACtD,MAAM,EAAE,iBAAiB,QAAQ;AACjC,SAAM,IAAI,OAAO,aAAa;AAC9B,GAAK,MAAM,KAAK;IAAE,SAAS;IAAM,SAAS;IAAuB,CAAC;IAErE;;;;AAKD,UAAQ,KACN,GAAG,SAAS,oCACZ,EAAE,YAAY,UAAU,EAAE,EAC1B,OAAO,SAAyB,UAAwB;GACtD,MAAM,EAAE,iBAAiB,QAAQ;AACjC,SAAM,IAAI,OAAO,aAAa;AAC9B,GAAK,MAAM,KAAK;IAAE,SAAS;IAAM,SAAS;IAAuB,CAAC;IAErE;;AAGH,SAAQ,KAAK,QACX;EAAE;EAAU,OAAO,CAAC,GAAG,eAAe;EAAE,aAAa;EAAmB,EACxE,iCACD;;AAGH,iCAAe,GAAG,oBAAoB;CACpC,MAAM;CACN,SAAS;CACV,CAAC"}