npm - @code-rag/core - Versions diffs - 0.1.0 - Mend

@code-rag/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (347) hide show

package/LICENSE +21 -0
package/README.md +19 -0
package/dist/auth/audit-log.d.ts +35 -0
package/dist/auth/audit-log.js +110 -0
package/dist/auth/audit-log.js.map +1 -0
package/dist/auth/audit-log.test.d.ts +1 -0
package/dist/auth/audit-log.test.js +261 -0
package/dist/auth/audit-log.test.js.map +1 -0
package/dist/auth/index.d.ts +6 -0
package/dist/auth/index.js +5 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/oidc-provider.d.ts +49 -0
package/dist/auth/oidc-provider.js +358 -0
package/dist/auth/oidc-provider.js.map +1 -0
package/dist/auth/oidc-provider.test.d.ts +1 -0
package/dist/auth/oidc-provider.test.js +520 -0
package/dist/auth/oidc-provider.test.js.map +1 -0
package/dist/auth/rbac.d.ts +29 -0
package/dist/auth/rbac.js +75 -0
package/dist/auth/rbac.js.map +1 -0
package/dist/auth/rbac.test.d.ts +1 -0
package/dist/auth/rbac.test.js +224 -0
package/dist/auth/rbac.test.js.map +1 -0
package/dist/auth/saml-provider.d.ts +51 -0
package/dist/auth/saml-provider.js +355 -0
package/dist/auth/saml-provider.js.map +1 -0
package/dist/auth/saml-provider.test.d.ts +1 -0
package/dist/auth/saml-provider.test.js +422 -0
package/dist/auth/saml-provider.test.js.map +1 -0
package/dist/auth/types.d.ts +81 -0
package/dist/auth/types.js +11 -0
package/dist/auth/types.js.map +1 -0
package/dist/auth/types.test.d.ts +1 -0
package/dist/auth/types.test.js +147 -0
package/dist/auth/types.test.js.map +1 -0
package/dist/backlog/ab-reference-scanner.d.ts +10 -0
package/dist/backlog/ab-reference-scanner.js +22 -0
package/dist/backlog/ab-reference-scanner.js.map +1 -0
package/dist/backlog/ab-reference-scanner.test.d.ts +1 -0
package/dist/backlog/ab-reference-scanner.test.js +83 -0
package/dist/backlog/ab-reference-scanner.test.js.map +1 -0
package/dist/backlog/azure-devops-provider.d.ts +59 -0
package/dist/backlog/azure-devops-provider.js +283 -0
package/dist/backlog/azure-devops-provider.js.map +1 -0
package/dist/backlog/backlog-provider.d.ts +13 -0
package/dist/backlog/backlog-provider.js +6 -0
package/dist/backlog/backlog-provider.js.map +1 -0
package/dist/backlog/backlog-provider.test.d.ts +1 -0
package/dist/backlog/backlog-provider.test.js +426 -0
package/dist/backlog/backlog-provider.test.js.map +1 -0
package/dist/backlog/clickup-provider.d.ts +55 -0
package/dist/backlog/clickup-provider.js +301 -0
package/dist/backlog/clickup-provider.js.map +1 -0
package/dist/backlog/clickup-provider.test.d.ts +1 -0
package/dist/backlog/clickup-provider.test.js +426 -0
package/dist/backlog/clickup-provider.test.js.map +1 -0
package/dist/backlog/clickup-reference-scanner.d.ts +10 -0
package/dist/backlog/clickup-reference-scanner.js +32 -0
package/dist/backlog/clickup-reference-scanner.js.map +1 -0
package/dist/backlog/clickup-reference-scanner.test.d.ts +1 -0
package/dist/backlog/clickup-reference-scanner.test.js +92 -0
package/dist/backlog/clickup-reference-scanner.test.js.map +1 -0
package/dist/backlog/code-linker.d.ts +63 -0
package/dist/backlog/code-linker.js +90 -0
package/dist/backlog/code-linker.js.map +1 -0
package/dist/backlog/code-linker.test.d.ts +1 -0
package/dist/backlog/code-linker.test.js +325 -0
package/dist/backlog/code-linker.test.js.map +1 -0
package/dist/backlog/index.d.ts +14 -0
package/dist/backlog/index.js +8 -0
package/dist/backlog/index.js.map +1 -0
package/dist/backlog/jira-provider.d.ts +60 -0
package/dist/backlog/jira-provider.js +272 -0
package/dist/backlog/jira-provider.js.map +1 -0
package/dist/backlog/jira-provider.test.d.ts +1 -0
package/dist/backlog/jira-provider.test.js +449 -0
package/dist/backlog/jira-provider.test.js.map +1 -0
package/dist/backlog/jira-reference-scanner.d.ts +11 -0
package/dist/backlog/jira-reference-scanner.js +26 -0
package/dist/backlog/jira-reference-scanner.js.map +1 -0
package/dist/backlog/jira-reference-scanner.test.d.ts +1 -0
package/dist/backlog/jira-reference-scanner.test.js +127 -0
package/dist/backlog/jira-reference-scanner.test.js.map +1 -0
package/dist/backlog/types.d.ts +22 -0
package/dist/backlog/types.js +1 -0
package/dist/backlog/types.js.map +1 -0
package/dist/chunker/ast-chunker.d.ts +45 -0
package/dist/chunker/ast-chunker.js +292 -0
package/dist/chunker/ast-chunker.js.map +1 -0
package/dist/chunker/ast-chunker.test.d.ts +1 -0
package/dist/chunker/ast-chunker.test.js +391 -0
package/dist/chunker/ast-chunker.test.js.map +1 -0
package/dist/chunker/chunker.d.ts +8 -0
package/dist/chunker/chunker.js +1 -0
package/dist/chunker/chunker.js.map +1 -0
package/dist/chunker/index.d.ts +3 -0
package/dist/chunker/index.js +2 -0
package/dist/chunker/index.js.map +1 -0
package/dist/config/config-parser.d.ts +15 -0
package/dist/config/config-parser.js +283 -0
package/dist/config/config-parser.js.map +1 -0
package/dist/config/config-parser.test.d.ts +1 -0
package/dist/config/config-parser.test.js +699 -0
package/dist/config/config-parser.test.js.map +1 -0
package/dist/docs/confluence-provider.d.ts +121 -0
package/dist/docs/confluence-provider.js +459 -0
package/dist/docs/confluence-provider.js.map +1 -0
package/dist/docs/confluence-provider.test.d.ts +1 -0
package/dist/docs/confluence-provider.test.js +765 -0
package/dist/docs/confluence-provider.test.js.map +1 -0
package/dist/docs/index.d.ts +4 -0
package/dist/docs/index.js +2 -0
package/dist/docs/index.js.map +1 -0
package/dist/docs/sharepoint-provider.d.ts +150 -0
package/dist/docs/sharepoint-provider.js +637 -0
package/dist/docs/sharepoint-provider.js.map +1 -0
package/dist/docs/sharepoint-provider.test.d.ts +1 -0
package/dist/docs/sharepoint-provider.test.js +873 -0
package/dist/docs/sharepoint-provider.test.js.map +1 -0
package/dist/embedding/bm25-index.d.ts +12 -0
package/dist/embedding/bm25-index.js +89 -0
package/dist/embedding/bm25-index.js.map +1 -0
package/dist/embedding/bm25-index.test.d.ts +1 -0
package/dist/embedding/bm25-index.test.js +289 -0
package/dist/embedding/bm25-index.test.js.map +1 -0
package/dist/embedding/hybrid-search.d.ts +13 -0
package/dist/embedding/hybrid-search.js +124 -0
package/dist/embedding/hybrid-search.js.map +1 -0
package/dist/embedding/hybrid-search.test.d.ts +1 -0
package/dist/embedding/hybrid-search.test.js +266 -0
package/dist/embedding/hybrid-search.test.js.map +1 -0
package/dist/embedding/index.d.ts +11 -0
package/dist/embedding/index.js +7 -0
package/dist/embedding/index.js.map +1 -0
package/dist/embedding/lancedb-store.d.ts +21 -0
package/dist/embedding/lancedb-store.js +172 -0
package/dist/embedding/lancedb-store.js.map +1 -0
package/dist/embedding/lancedb-store.test.d.ts +1 -0
package/dist/embedding/lancedb-store.test.js +268 -0
package/dist/embedding/lancedb-store.test.js.map +1 -0
package/dist/embedding/model-lifecycle-manager.d.ts +83 -0
package/dist/embedding/model-lifecycle-manager.js +419 -0
package/dist/embedding/model-lifecycle-manager.js.map +1 -0
package/dist/embedding/model-lifecycle-manager.test.d.ts +1 -0
package/dist/embedding/model-lifecycle-manager.test.js +642 -0
package/dist/embedding/model-lifecycle-manager.test.js.map +1 -0
package/dist/embedding/ollama-embedding-provider.d.ts +16 -0
package/dist/embedding/ollama-embedding-provider.js +74 -0
package/dist/embedding/ollama-embedding-provider.js.map +1 -0
package/dist/embedding/ollama-embedding-provider.test.d.ts +1 -0
package/dist/embedding/ollama-embedding-provider.test.js +198 -0
package/dist/embedding/ollama-embedding-provider.test.js.map +1 -0
package/dist/embedding/openai-compatible-embedding-provider.d.ts +19 -0
package/dist/embedding/openai-compatible-embedding-provider.js +108 -0
package/dist/embedding/openai-compatible-embedding-provider.js.map +1 -0
package/dist/embedding/openai-compatible-embedding-provider.test.d.ts +1 -0
package/dist/embedding/openai-compatible-embedding-provider.test.js +456 -0
package/dist/embedding/openai-compatible-embedding-provider.test.js.map +1 -0
package/dist/embedding/qdrant-store.d.ts +28 -0
package/dist/embedding/qdrant-store.js +174 -0
package/dist/embedding/qdrant-store.js.map +1 -0
package/dist/embedding/qdrant-store.test.d.ts +1 -0
package/dist/embedding/qdrant-store.test.js +359 -0
package/dist/embedding/qdrant-store.test.js.map +1 -0
package/dist/enrichment/index.d.ts +4 -0
package/dist/enrichment/index.js +2 -0
package/dist/enrichment/index.js.map +1 -0
package/dist/enrichment/nl-enricher.d.ts +16 -0
package/dist/enrichment/nl-enricher.js +47 -0
package/dist/enrichment/nl-enricher.js.map +1 -0
package/dist/enrichment/nl-enricher.test.d.ts +1 -0
package/dist/enrichment/nl-enricher.test.js +154 -0
package/dist/enrichment/nl-enricher.test.js.map +1 -0
package/dist/enrichment/ollama-client.d.ts +18 -0
package/dist/enrichment/ollama-client.js +55 -0
package/dist/enrichment/ollama-client.js.map +1 -0
package/dist/enrichment/ollama-client.test.d.ts +1 -0
package/dist/enrichment/ollama-client.test.js +129 -0
package/dist/enrichment/ollama-client.test.js.map +1 -0
package/dist/git/git-client.d.ts +22 -0
package/dist/git/git-client.js +6 -0
package/dist/git/git-client.js.map +1 -0
package/dist/git/git-client.test.d.ts +1 -0
package/dist/git/git-client.test.js +200 -0
package/dist/git/git-client.test.js.map +1 -0
package/dist/git/ignore-filter.d.ts +2 -0
package/dist/git/ignore-filter.js +31 -0
package/dist/git/ignore-filter.js.map +1 -0
package/dist/git/ignore-filter.test.d.ts +1 -0
package/dist/git/ignore-filter.test.js +87 -0
package/dist/git/ignore-filter.test.js.map +1 -0
package/dist/git/index.d.ts +4 -0
package/dist/git/index.js +3 -0
package/dist/git/index.js.map +1 -0
package/dist/git/simple-git-client.d.ts +12 -0
package/dist/git/simple-git-client.js +138 -0
package/dist/git/simple-git-client.js.map +1 -0
package/dist/graph/cross-repo-resolver.d.ts +50 -0
package/dist/graph/cross-repo-resolver.js +315 -0
package/dist/graph/cross-repo-resolver.js.map +1 -0
package/dist/graph/cross-repo-resolver.test.d.ts +1 -0
package/dist/graph/cross-repo-resolver.test.js +548 -0
package/dist/graph/cross-repo-resolver.test.js.map +1 -0
package/dist/graph/dependency-graph.d.ts +44 -0
package/dist/graph/dependency-graph.js +108 -0
package/dist/graph/dependency-graph.js.map +1 -0
package/dist/graph/dependency-graph.test.d.ts +1 -0
package/dist/graph/dependency-graph.test.js +276 -0
package/dist/graph/dependency-graph.test.js.map +1 -0
package/dist/graph/graph-builder.d.ts +11 -0
package/dist/graph/graph-builder.js +113 -0
package/dist/graph/graph-builder.js.map +1 -0
package/dist/graph/graph-builder.test.d.ts +1 -0
package/dist/graph/graph-builder.test.js +178 -0
package/dist/graph/graph-builder.test.js.map +1 -0
package/dist/graph/import-resolver.d.ts +11 -0
package/dist/graph/import-resolver.js +199 -0
package/dist/graph/import-resolver.js.map +1 -0
package/dist/graph/import-resolver.test.d.ts +1 -0
package/dist/graph/import-resolver.test.js +282 -0
package/dist/graph/import-resolver.test.js.map +1 -0
package/dist/graph/index.d.ts +7 -0
package/dist/graph/index.js +4 -0
package/dist/graph/index.js.map +1 -0
package/dist/index.d.ts +31 -0
package/dist/index.js +15 -0
package/dist/index.js.map +1 -0
package/dist/indexer/file-scanner.d.ts +34 -0
package/dist/indexer/file-scanner.js +69 -0
package/dist/indexer/file-scanner.js.map +1 -0
package/dist/indexer/file-scanner.test.d.ts +1 -0
package/dist/indexer/file-scanner.test.js +110 -0
package/dist/indexer/file-scanner.test.js.map +1 -0
package/dist/indexer/file-watcher.d.ts +79 -0
package/dist/indexer/file-watcher.js +148 -0
package/dist/indexer/incremental-indexer.d.ts +67 -0
package/dist/indexer/incremental-indexer.js +142 -0
package/dist/indexer/incremental-indexer.js.map +1 -0
package/dist/indexer/incremental-indexer.test.d.ts +1 -0
package/dist/indexer/incremental-indexer.test.js +266 -0
package/dist/indexer/incremental-indexer.test.js.map +1 -0
package/dist/indexer/index-check.d.ts +22 -0
package/dist/indexer/index-check.js +74 -0
package/dist/indexer/index-check.js.map +1 -0
package/dist/indexer/index-check.test.d.ts +1 -0
package/dist/indexer/index-check.test.js +100 -0
package/dist/indexer/index-check.test.js.map +1 -0
package/dist/indexer/index-state.d.ts +61 -0
package/dist/indexer/index-state.js +82 -0
package/dist/indexer/index-state.js.map +1 -0
package/dist/indexer/index-state.test.d.ts +1 -0
package/dist/indexer/index-state.test.js +140 -0
package/dist/indexer/index-state.test.js.map +1 -0
package/dist/indexer/index.d.ts +12 -0
package/dist/indexer/index.js +6 -0
package/dist/indexer/index.js.map +1 -0
package/dist/indexer/multi-repo-indexer.d.ts +63 -0
package/dist/indexer/multi-repo-indexer.js +144 -0
package/dist/indexer/multi-repo-indexer.js.map +1 -0
package/dist/indexer/multi-repo-indexer.test.d.ts +1 -0
package/dist/indexer/multi-repo-indexer.test.js +238 -0
package/dist/indexer/multi-repo-indexer.test.js.map +1 -0
package/dist/parser/index.d.ts +4 -0
package/dist/parser/index.js +3 -0
package/dist/parser/index.js.map +1 -0
package/dist/parser/language-registry.d.ts +46 -0
package/dist/parser/language-registry.js +219 -0
package/dist/parser/language-registry.js.map +1 -0
package/dist/parser/language-registry.test.d.ts +1 -0
package/dist/parser/language-registry.test.js +225 -0
package/dist/parser/language-registry.test.js.map +1 -0
package/dist/parser/markdown-parser.d.ts +124 -0
package/dist/parser/markdown-parser.js +487 -0
package/dist/parser/markdown-parser.js.map +1 -0
package/dist/parser/markdown-parser.test.d.ts +1 -0
package/dist/parser/markdown-parser.test.js +600 -0
package/dist/parser/markdown-parser.test.js.map +1 -0
package/dist/parser/tree-sitter-parser.d.ts +32 -0
package/dist/parser/tree-sitter-parser.js +146 -0
package/dist/parser/tree-sitter-parser.js.map +1 -0
package/dist/retrieval/context-expander.d.ts +51 -0
package/dist/retrieval/context-expander.js +218 -0
package/dist/retrieval/context-expander.js.map +1 -0
package/dist/retrieval/context-expander.test.d.ts +1 -0
package/dist/retrieval/context-expander.test.js +339 -0
package/dist/retrieval/context-expander.test.js.map +1 -0
package/dist/retrieval/cross-encoder-reranker.d.ts +16 -0
package/dist/retrieval/cross-encoder-reranker.js +90 -0
package/dist/retrieval/cross-encoder-reranker.js.map +1 -0
package/dist/retrieval/cross-encoder-reranker.test.d.ts +1 -0
package/dist/retrieval/cross-encoder-reranker.test.js +305 -0
package/dist/retrieval/cross-encoder-reranker.test.js.map +1 -0
package/dist/retrieval/index.d.ts +8 -0
package/dist/retrieval/index.js +4 -0
package/dist/retrieval/index.js.map +1 -0
package/dist/retrieval/query-analyzer.d.ts +29 -0
package/dist/retrieval/query-analyzer.js +238 -0
package/dist/retrieval/query-analyzer.js.map +1 -0
package/dist/retrieval/query-analyzer.test.d.ts +1 -0
package/dist/retrieval/query-analyzer.test.js +236 -0
package/dist/retrieval/query-analyzer.test.js.map +1 -0
package/dist/retrieval/token-budget.d.ts +51 -0
package/dist/retrieval/token-budget.js +141 -0
package/dist/retrieval/token-budget.js.map +1 -0
package/dist/retrieval/token-budget.test.d.ts +1 -0
package/dist/retrieval/token-budget.test.js +404 -0
package/dist/retrieval/token-budget.test.js.map +1 -0
package/dist/storage/azure-blob-provider.d.ts +19 -0
package/dist/storage/azure-blob-provider.js +199 -0
package/dist/storage/azure-blob-provider.js.map +1 -0
package/dist/storage/azure-blob-provider.test.d.ts +1 -0
package/dist/storage/azure-blob-provider.test.js +250 -0
package/dist/storage/azure-blob-provider.test.js.map +1 -0
package/dist/storage/gcs-provider.d.ts +22 -0
package/dist/storage/gcs-provider.js +241 -0
package/dist/storage/gcs-provider.js.map +1 -0
package/dist/storage/gcs-provider.test.d.ts +1 -0
package/dist/storage/gcs-provider.test.js +299 -0
package/dist/storage/gcs-provider.test.js.map +1 -0
package/dist/storage/index.d.ts +5 -0
package/dist/storage/index.js +4 -0
package/dist/storage/index.js.map +1 -0
package/dist/storage/s3-provider.d.ts +21 -0
package/dist/storage/s3-provider.js +220 -0
package/dist/storage/s3-provider.js.map +1 -0
package/dist/storage/s3-provider.test.d.ts +1 -0
package/dist/storage/s3-provider.test.js +329 -0
package/dist/storage/s3-provider.test.js.map +1 -0
package/dist/storage/types.d.ts +65 -0
package/dist/storage/types.js +12 -0
package/dist/storage/types.js.map +1 -0
package/dist/types/chunk.d.ts +32 -0
package/dist/types/chunk.js +1 -0
package/dist/types/chunk.js.map +1 -0
package/dist/types/config.d.ts +71 -0
package/dist/types/config.js +1 -0
package/dist/types/config.js.map +1 -0
package/dist/types/index.d.ts +5 -0
package/dist/types/index.js +1 -0
package/dist/types/index.js.map +1 -0
package/dist/types/provider.d.ts +54 -0
package/dist/types/provider.js +36 -0
package/dist/types/provider.js.map +1 -0
package/dist/types/search.d.ts +27 -0
package/dist/types/search.js +1 -0
package/dist/types/search.js.map +1 -0
package/package.json +70 -0

package/dist/auth/oidc-provider.test.js ADDED Viewed

@@ -0,0 +1,520 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { createSign, generateKeyPairSync } from 'node:crypto';
+import { OIDCProvider } from './oidc-provider.js';
+import { AuthError } from './types.js';
+// ---------------------------------------------------------------------------
+// RSA key pair for signing test JWTs
+// ---------------------------------------------------------------------------
+const { publicKey, privateKey } = generateKeyPairSync('rsa', {
+    modulusLength: 2048,
+});
+// Extract n and e from JWK format for testing
+const jwkExport = publicKey.export({ format: 'jwk' });
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function base64UrlEncode(data) {
+    const buf = typeof data === 'string' ? Buffer.from(data) : data;
+    return buf.toString('base64').replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+}
+function createJwt(payload, options) {
+    const header = {
+        alg: options?.alg ?? 'RS256',
+        typ: 'JWT',
+        kid: options?.kid ?? 'test-key-1',
+    };
+    const headerB64 = base64UrlEncode(JSON.stringify(header));
+    const payloadB64 = base64UrlEncode(JSON.stringify(payload));
+    const data = `${headerB64}.${payloadB64}`;
+    const signer = createSign('RSA-SHA256');
+    signer.update(data);
+    const signature = signer.sign(privateKey);
+    const sigB64 = base64UrlEncode(signature);
+    return `${data}.${sigB64}`;
+}
+function defaultConfig() {
+    return {
+        issuerUrl: 'https://idp.example.com',
+        clientId: 'coderag-client',
+        clientSecret: 'secret',
+        audience: 'coderag-api',
+        roleMapping: {
+            'CodeRAG-Admin': 'admin',
+            'CodeRAG-Dev': 'developer',
+            'CodeRAG-Reader': 'viewer',
+        },
+    };
+}
+function defaultDiscovery() {
+    return {
+        issuer: 'https://idp.example.com',
+        authorization_endpoint: 'https://idp.example.com/authorize',
+        token_endpoint: 'https://idp.example.com/token',
+        userinfo_endpoint: 'https://idp.example.com/userinfo',
+        jwks_uri: 'https://idp.example.com/.well-known/jwks.json',
+    };
+}
+function defaultJwks() {
+    return {
+        keys: [
+            {
+                kty: 'RSA',
+                kid: 'test-key-1',
+                use: 'sig',
+                n: jwkExport.n,
+                e: jwkExport.e,
+            },
+        ],
+    };
+}
+function createMockFetch(responses) {
+    return vi.fn(async (input) => {
+        const url = typeof input === 'string' ? input : input.toString();
+        const response = responses[url];
+        if (!response) {
+            return {
+                ok: false,
+                status: 404,
+                json: async () => ({}),
+                text: async () => '',
+            };
+        }
+        return {
+            ok: response.ok,
+            status: response.status,
+            json: async () => response.body,
+            text: async () => JSON.stringify(response.body),
+        };
+    });
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe('OIDCProvider', () => {
+    let config;
+    beforeEach(() => {
+        config = defaultConfig();
+    });
+    // -----------------------------------------------------------------------
+    // Constructor
+    // -----------------------------------------------------------------------
+    describe('constructor', () => {
+        it('should have name set to oidc', () => {
+            const provider = new OIDCProvider(config);
+            expect(provider.name).toBe('oidc');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // initialize
+    // -----------------------------------------------------------------------
+    describe('initialize', () => {
+        it('should fetch discovery document and JWKS', async () => {
+            const mockFetch = createMockFetch({
+                'https://idp.example.com/.well-known/openid-configuration': {
+                    ok: true,
+                    status: 200,
+                    body: defaultDiscovery(),
+                },
+                'https://idp.example.com/.well-known/jwks.json': {
+                    ok: true,
+                    status: 200,
+                    body: defaultJwks(),
+                },
+            });
+            const provider = new OIDCProvider(config, mockFetch);
+            const result = await provider.initialize();
+            expect(result.isOk()).toBe(true);
+            expect(mockFetch).toHaveBeenCalledTimes(2);
+        });
+        it('should return error when discovery fails', async () => {
+            const mockFetch = createMockFetch({
+                'https://idp.example.com/.well-known/openid-configuration': {
+                    ok: false,
+                    status: 500,
+                    body: {},
+                },
+            });
+            const provider = new OIDCProvider(config, mockFetch);
+            const result = await provider.initialize();
+            expect(result.isErr()).toBe(true);
+            if (result.isErr()) {
+                expect(result.error).toBeInstanceOf(AuthError);
+                expect(result.error.message).toContain('discovery failed');
+            }
+        });
+        it('should return error when JWKS fetch fails', async () => {
+            const mockFetch = createMockFetch({
+                'https://idp.example.com/.well-known/openid-configuration': {
+                    ok: true,
+                    status: 200,
+                    body: defaultDiscovery(),
+                },
+                'https://idp.example.com/.well-known/jwks.json': {
+                    ok: false,
+                    status: 500,
+                    body: {},
+                },
+            });
+            const provider = new OIDCProvider(config, mockFetch);
+            const result = await provider.initialize();
+            expect(result.isErr()).toBe(true);
+            if (result.isErr()) {
+                expect(result.error.message).toContain('JWKS fetch failed');
+            }
+        });
+        it('should return error on network failure', async () => {
+            const mockFetch = vi.fn(async () => {
+                throw new Error('Network unreachable');
+            });
+            const provider = new OIDCProvider(config, mockFetch);
+            const result = await provider.initialize();
+            expect(result.isErr()).toBe(true);
+            if (result.isErr()) {
+                expect(result.error.message).toContain('Network unreachable');
+            }
+        });
+        it('should strip trailing slash from issuer URL', async () => {
+            const configWithSlash = {
+                ...config,
+                issuerUrl: 'https://idp.example.com/',
+            };
+            const mockFetch = createMockFetch({
+                'https://idp.example.com/.well-known/openid-configuration': {
+                    ok: true,
+                    status: 200,
+                    body: defaultDiscovery(),
+                },
+                'https://idp.example.com/.well-known/jwks.json': {
+                    ok: true,
+                    status: 200,
+                    body: defaultJwks(),
+                },
+            });
+            const provider = new OIDCProvider(configWithSlash, mockFetch);
+            const result = await provider.initialize();
+            expect(result.isOk()).toBe(true);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // validateToken
+    // -----------------------------------------------------------------------
+    describe('validateToken', () => {
+        async function createInitializedProvider(jwks) {
+            const mockFetch = createMockFetch({
+                'https://idp.example.com/.well-known/openid-configuration': {
+                    ok: true,
+                    status: 200,
+                    body: defaultDiscovery(),
+                },
+                'https://idp.example.com/.well-known/jwks.json': {
+                    ok: true,
+                    status: 200,
+                    body: jwks ?? defaultJwks(),
+                },
+            });
+            const provider = new OIDCProvider(config, mockFetch);
+            await provider.initialize();
+            return provider;
+        }
+        it('should validate a valid JWT with n/e JWKS key', async () => {
+            const provider = await createInitializedProvider();
+            const now = Math.floor(Date.now() / 1000);
+            const token = createJwt({
+                sub: 'user-123',
+                email: 'user@example.com',
+                iss: 'https://idp.example.com',
+                aud: 'coderag-api',
+                exp: now + 3600,
+                iat: now,
+            });
+            const result = await provider.validateToken(token);
+            expect(result.isOk()).toBe(true);
+            if (result.isOk()) {
+                expect(result.value.userId).toBe('user-123');
+                expect(result.value.email).toBe('user@example.com');
+                expect(result.value.exp).toBe(now + 3600);
+                expect(result.value.iat).toBe(now);
+            }
+        });
+        it('should reject an expired token', async () => {
+            const provider = await createInitializedProvider();
+            const now = Math.floor(Date.now() / 1000);
+            const token = createJwt({
+                sub: 'user-123',
+                email: 'user@example.com',
+                iss: 'https://idp.example.com',
+                aud: 'coderag-api',
+                exp: now - 100,
+                iat: now - 3700,
+            });
+            const result = await provider.validateToken(token);
+            expect(result.isErr()).toBe(true);
+            if (result.isErr()) {
+                expect(result.error.message).toContain('expired');
+            }
+        });
+        it('should reject a token with wrong issuer', async () => {
+            const provider = await createInitializedProvider();
+            const now = Math.floor(Date.now() / 1000);
+            const token = createJwt({
+                sub: 'user-123',
+                iss: 'https://evil.example.com',
+                aud: 'coderag-api',
+                exp: now + 3600,
+                iat: now,
+            });
+            const result = await provider.validateToken(token);
+            expect(result.isErr()).toBe(true);
+            if (result.isErr()) {
+                expect(result.error.message).toContain('Invalid issuer');
+            }
+        });
+        it('should reject a token with wrong audience', async () => {
+            const provider = await createInitializedProvider();
+            const now = Math.floor(Date.now() / 1000);
+            const token = createJwt({
+                sub: 'user-123',
+                iss: 'https://idp.example.com',
+                aud: 'wrong-audience',
+                exp: now + 3600,
+                iat: now,
+            });
+            const result = await provider.validateToken(token);
+            expect(result.isErr()).toBe(true);
+            if (result.isErr()) {
+                expect(result.error.message).toContain('Invalid audience');
+            }
+        });
+        it('should accept a token with audience as array', async () => {
+            const provider = await createInitializedProvider();
+            const now = Math.floor(Date.now() / 1000);
+            const token = createJwt({
+                sub: 'user-123',
+                iss: 'https://idp.example.com',
+                aud: ['other-api', 'coderag-api'],
+                exp: now + 3600,
+                iat: now,
+            });
+            const result = await provider.validateToken(token);
+            expect(result.isOk()).toBe(true);
+        });
+        it('should reject a malformed JWT (not 3 parts)', async () => {
+            const provider = await createInitializedProvider();
+            const result = await provider.validateToken('not.a.valid.jwt.token');
+            expect(result.isErr()).toBe(true);
+            if (result.isErr()) {
+                expect(result.error.message).toContain('expected 3 parts');
+            }
+        });
+        it('should reject a JWT with invalid header JSON', async () => {
+            const provider = await createInitializedProvider();
+            const badHeader = base64UrlEncode('not-json');
+            const payload = base64UrlEncode(JSON.stringify({ sub: 'test' }));
+            const result = await provider.validateToken(`${badHeader}.${payload}.sig`);
+            expect(result.isErr()).toBe(true);
+            if (result.isErr()) {
+                expect(result.error.message).toContain('malformed header');
+            }
+        });
+        it('should reject a JWT with invalid payload JSON', async () => {
+            const provider = await createInitializedProvider();
+            const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', kid: 'test-key-1' }));
+            const badPayload = base64UrlEncode('not-json');
+            const result = await provider.validateToken(`${header}.${badPayload}.sig`);
+            expect(result.isErr()).toBe(true);
+            if (result.isErr()) {
+                expect(result.error.message).toContain('malformed payload');
+            }
+        });
+    });
+    // -----------------------------------------------------------------------
+    // authenticate (delegates to validateToken)
+    // -----------------------------------------------------------------------
+    describe('authenticate', () => {
+        it('should return AuthToken for valid JWT', async () => {
+            const mockFetch = createMockFetch({
+                'https://idp.example.com/.well-known/openid-configuration': {
+                    ok: true,
+                    status: 200,
+                    body: defaultDiscovery(),
+                },
+                'https://idp.example.com/.well-known/jwks.json': {
+                    ok: true,
+                    status: 200,
+                    body: defaultJwks(),
+                },
+            });
+            const provider = new OIDCProvider(config, mockFetch);
+            await provider.initialize();
+            const now = Math.floor(Date.now() / 1000);
+            const token = createJwt({
+                sub: 'u-1',
+                email: 'a@b.com',
+                iss: 'https://idp.example.com',
+                aud: 'coderag-api',
+                exp: now + 3600,
+                iat: now,
+                roles: ['CodeRAG-Admin'],
+            });
+            const result = await provider.authenticate(token);
+            expect(result.isOk()).toBe(true);
+            if (result.isOk()) {
+                expect(result.value.userId).toBe('u-1');
+                expect(result.value.roles).toContain('admin');
+            }
+        });
+    });
+    // -----------------------------------------------------------------------
+    // getUserInfo
+    // -----------------------------------------------------------------------
+    describe('getUserInfo', () => {
+        it('should fetch and cache user info', async () => {
+            const mockFetch = createMockFetch({
+                'https://idp.example.com/.well-known/openid-configuration': {
+                    ok: true,
+                    status: 200,
+                    body: defaultDiscovery(),
+                },
+                'https://idp.example.com/.well-known/jwks.json': {
+                    ok: true,
+                    status: 200,
+                    body: defaultJwks(),
+                },
+                'https://idp.example.com/userinfo': {
+                    ok: true,
+                    status: 200,
+                    body: {
+                        sub: 'user-42',
+                        email: 'jane@example.com',
+                        name: 'Jane Doe',
+                        groups: ['CodeRAG-Dev'],
+                    },
+                },
+            });
+            const provider = new OIDCProvider(config, mockFetch);
+            await provider.initialize();
+            const result = await provider.getUserInfo('some-access-token');
+            expect(result.isOk()).toBe(true);
+            if (result.isOk()) {
+                expect(result.value.id).toBe('user-42');
+                expect(result.value.email).toBe('jane@example.com');
+                expect(result.value.name).toBe('Jane Doe');
+                expect(result.value.roles).toContain('developer');
+            }
+            // Verify cache works
+            const rolesResult = await provider.getUserRoles('user-42');
+            expect(rolesResult.isOk()).toBe(true);
+            if (rolesResult.isOk()) {
+                expect(rolesResult.value).toContain('developer');
+            }
+        });
+        it('should return error when not initialized', async () => {
+            const provider = new OIDCProvider(config);
+            const result = await provider.getUserInfo('token');
+            expect(result.isErr()).toBe(true);
+            if (result.isErr()) {
+                expect(result.error.message).toContain('not initialized');
+            }
+        });
+        it('should return error on userinfo HTTP failure', async () => {
+            const mockFetch = createMockFetch({
+                'https://idp.example.com/.well-known/openid-configuration': {
+                    ok: true,
+                    status: 200,
+                    body: defaultDiscovery(),
+                },
+                'https://idp.example.com/.well-known/jwks.json': {
+                    ok: true,
+                    status: 200,
+                    body: defaultJwks(),
+                },
+                'https://idp.example.com/userinfo': {
+                    ok: false,
+                    status: 401,
+                    body: {},
+                },
+            });
+            const provider = new OIDCProvider(config, mockFetch);
+            await provider.initialize();
+            const result = await provider.getUserInfo('bad-token');
+            expect(result.isErr()).toBe(true);
+            if (result.isErr()) {
+                expect(result.error.message).toContain('Userinfo request failed');
+            }
+        });
+    });
+    // -----------------------------------------------------------------------
+    // mapRoles
+    // -----------------------------------------------------------------------
+    describe('mapRoles', () => {
+        it('should map OIDC group claims using roleMapping', () => {
+            const provider = new OIDCProvider(config);
+            const roles = provider.mapRoles({
+                groups: ['CodeRAG-Admin', 'other-group'],
+            });
+            expect(roles).toContain('admin');
+            expect(roles).not.toContain('other-group');
+        });
+        it('should accept direct role names (admin, developer, viewer)', () => {
+            const provider = new OIDCProvider(config);
+            const roles = provider.mapRoles({ roles: ['admin'] });
+            expect(roles).toContain('admin');
+        });
+        it('should support roles as a comma-separated string', () => {
+            const provider = new OIDCProvider(config);
+            const roles = provider.mapRoles({ roles: 'admin' });
+            expect(roles).toContain('admin');
+        });
+        it('should handle Keycloak realm_access.roles claim', () => {
+            const provider = new OIDCProvider(config);
+            const roles = provider.mapRoles({
+                realm_access: { roles: ['CodeRAG-Dev'] },
+            });
+            expect(roles).toContain('developer');
+        });
+        it('should default to viewer when no mapping matches', () => {
+            const provider = new OIDCProvider(config);
+            const roles = provider.mapRoles({ groups: ['unrelated-group'] });
+            expect(roles).toEqual(['viewer']);
+        });
+        it('should default to viewer when claims are empty', () => {
+            const provider = new OIDCProvider(config);
+            const roles = provider.mapRoles({});
+            expect(roles).toEqual(['viewer']);
+        });
+        it('should deduplicate roles', () => {
+            const provider = new OIDCProvider(config);
+            const roles = provider.mapRoles({
+                roles: ['admin'],
+                groups: ['CodeRAG-Admin'],
+            });
+            // admin appears from both, should be deduplicated
+            const adminCount = roles.filter((r) => r === 'admin').length;
+            expect(adminCount).toBe(1);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // getUserRoles / getUserRepos (cache miss)
+    // -----------------------------------------------------------------------
+    describe('getUserRoles (cache miss)', () => {
+        it('should return viewer for unknown user', async () => {
+            const provider = new OIDCProvider(config);
+            const result = await provider.getUserRoles('unknown-user');
+            expect(result.isOk()).toBe(true);
+            if (result.isOk()) {
+                expect(result.value).toEqual(['viewer']);
+            }
+        });
+    });
+    describe('getUserRepos (cache miss)', () => {
+        it('should return empty array for unknown user', async () => {
+            const provider = new OIDCProvider(config);
+            const result = await provider.getUserRepos('unknown-user');
+            expect(result.isOk()).toBe(true);
+            if (result.isOk()) {
+                expect(result.value).toEqual([]);
+            }
+        });
+    });
+});
+//# sourceMappingURL=oidc-provider.test.js.map

package/dist/auth/oidc-provider.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oidc-provider.test.js","sourceRoot":"","sources":["../../src/auth/oidc-provider.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGvC,8EAA8E;AAC9E,qCAAqC;AACrC,8EAA8E;AAE9E,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;IAC3D,aAAa,EAAE,IAAI;CACpB,CAAC,CAAC;AAEH,8CAA8C;AAC9C,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAInD,CAAC;AAEF,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,eAAe,CAAC,IAAqB;IAC5C,MAAM,GAAG,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC1F,CAAC;AAED,SAAS,SAAS,CAChB,OAAgC,EAChC,OAIC;IAED,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,OAAO,EAAE,GAAG,IAAI,OAAO;QAC5B,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,OAAO,EAAE,GAAG,IAAI,YAAY;KAClC,CAAC;IAEF,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5D,MAAM,IAAI,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAE1C,MAAM,MAAM,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACxC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACpB,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAE1C,OAAO,GAAG,IAAI,IAAI,MAAM,EAAE,CAAC;AAC7B,CAAC;AAED,SAAS,aAAa;IACpB,OAAO;QACL,SAAS,EAAE,yBAAyB;QACpC,QAAQ,EAAE,gBAAgB;QAC1B,YAAY,EAAE,QAAQ;QACtB,QAAQ,EAAE,aAAa;QACvB,WAAW,EAAE;YACX,eAAe,EAAE,OAAO;YACxB,aAAa,EAAE,WAAW;YAC1B,gBAAgB,EAAE,QAAQ;SAC3B;KACF,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB;IACvB,OAAO;QACL,MAAM,EAAE,yBAAyB;QACjC,sBAAsB,EAAE,mCAAmC;QAC3D,cAAc,EAAE,+BAA+B;QAC/C,iBAAiB,EAAE,kCAAkC;QACrD,QAAQ,EAAE,+CAA+C;KAC1D,CAAC;AACJ,CAAC;AAED,SAAS,WAAW;IAClB,OAAO;QACL,IAAI,EAAE;YACJ;gBACE,GAAG,EAAE,KAAK;gBACV,GAAG,EAAE,YAAY;gBACjB,GAAG,EAAE,KAAK;gBACV,CAAC,EAAE,SAAS,CAAC,CAAC;gBACd,CAAC,EAAE,SAAS,CAAC,CAAC;aACf;SACF;KACF,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CACtB,SAAyE;IAEzE,OAAO,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,KAAwB,EAAE,EAAE;QAC9C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QACjE,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;gBACtB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;aACT,CAAC;QAChB,CAAC;QACD,OAAO;YACL,EAAE,EAAE,QAAQ,CAAC,EAAE;YACf,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,QAAQ,CAAC,IAAI;YAC/B,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC;SACpC,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,QAAQ;AACR,8EAA8E;AAE9E,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,IAAI,MAAkB,CAAC;IAEvB,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,aAAa,EAAE,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,cAAc;IACd,0EAA0E;IAE1E,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACtC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,aAAa;IACb,0EAA0E;IAE1E,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;QAC1B,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,WAAW,EAAE;iBACpB;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,SAAS,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,EAAE;iBACT;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;gBAC/C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,EAAE;iBACT;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,SAAS,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE;gBACjC,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;YACzC,CAAC,CAA4B,CAAC;YAE9B,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;YAChE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,eAAe,GAAe;gBAClC,GAAG,MAAM;gBACT,SAAS,EAAE,0BAA0B;aACtC,CAAC;YACF,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,WAAW,EAAE;iBACpB;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;YAC9D,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,gBAAgB;IAChB,0EAA0E;IAE1E,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC7B,KAAK,UAAU,yBAAyB,CACtC,IAA+C;YAE/C,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,IAAI,IAAI,WAAW,EAAE;iBAC5B;aACF,CAAC,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC5B,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,UAAU;gBACf,KAAK,EAAE,kBAAkB;gBACzB,GAAG,EAAE,yBAAyB;gBAC9B,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,GAAG,GAAG,IAAI;gBACf,GAAG,EAAE,GAAG;aACT,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAC7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;gBACpD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;gBAC1C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACrC,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,UAAU;gBACf,KAAK,EAAE,kBAAkB;gBACzB,GAAG,EAAE,yBAAyB;gBAC9B,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,GAAG,GAAG,GAAG;gBACd,GAAG,EAAE,GAAG,GAAG,IAAI;aAChB,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACpD,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,UAAU;gBACf,GAAG,EAAE,0BAA0B;gBAC/B,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,GAAG,GAAG,IAAI;gBACf,GAAG,EAAE,GAAG;aACT,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,UAAU;gBACf,GAAG,EAAE,yBAAyB;gBAC9B,GAAG,EAAE,gBAAgB;gBACrB,GAAG,EAAE,GAAG,GAAG,IAAI;gBACf,GAAG,EAAE,GAAG;aACT,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,UAAU;gBACf,GAAG,EAAE,yBAAyB;gBAC9B,GAAG,EAAE,CAAC,WAAW,EAAE,aAAa,CAAC;gBACjC,GAAG,EAAE,GAAG,GAAG,IAAI;gBACf,GAAG,EAAE,GAAG;aACT,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,uBAAuB,CAAC,CAAC;YACrE,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,SAAS,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;YACjE,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,GAAG,SAAS,IAAI,OAAO,MAAM,CAAC,CAAC;YAC3E,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;YACpF,MAAM,UAAU,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;YAC/C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,GAAG,MAAM,IAAI,UAAU,MAAM,CAAC,CAAC;YAC3E,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,4CAA4C;IAC5C,0EAA0E;IAE1E,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,WAAW,EAAE;iBACpB;aACF,CAAC,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAE5B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,KAAK;gBACV,KAAK,EAAE,SAAS;gBAChB,GAAG,EAAE,yBAAyB;gBAC9B,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,GAAG,GAAG,IAAI;gBACf,GAAG,EAAE,GAAG;gBACR,KAAK,EAAE,CAAC,eAAe,CAAC;aACzB,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBACxC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YAChD,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,cAAc;IACd,0EAA0E;IAE1E,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,WAAW,EAAE;iBACpB;gBACD,kCAAkC,EAAE;oBAClC,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE;wBACJ,GAAG,EAAE,SAAS;wBACd,KAAK,EAAE,kBAAkB;wBACzB,IAAI,EAAE,UAAU;wBAChB,MAAM,EAAE,CAAC,aAAa,CAAC;qBACxB;iBACF;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,mBAAmB,CAAC,CAAC;YAE/D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACxC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;gBACpD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YACpD,CAAC;YAED,qBAAqB;YACrB,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;YAC3D,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtC,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC;gBACvB,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YACnD,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,WAAW,EAAE;iBACpB;gBACD,kCAAkC,EAAE;oBAClC,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,EAAE;iBACT;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;YACvD,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAC;YACpE,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,WAAW;IACX,0EAA0E;IAE1E,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE;QACxB,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC;gBAC9B,MAAM,EAAE,CAAC,eAAe,EAAE,aAAa,CAAC;aACzC,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YACjC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;YACpE,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACtD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;YACpD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC;gBAC9B,YAAY,EAAE,EAAE,KAAK,EAAE,CAAC,aAAa,CAAC,EAAE;aACzC,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;YACjE,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YACpC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;YAClC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC;gBAC9B,KAAK,EAAE,CAAC,OAAO,CAAC;gBAChB,MAAM,EAAE,CAAC,eAAe,CAAC;aAC1B,CAAC,CAAC;YACH,kDAAkD;YAClD,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,MAAM,CAAC;YAC7D,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,2CAA2C;IAC3C,0EAA0E;IAE1E,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC;YAC3D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;YAC1D,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC;YAC3D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACnC,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth/rbac.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import type { Action, Role, User } from './types.js';
+import type { SearchResult } from '../types/search.js';
+export declare class RBACManager {
+    /**
+     * Returns `true` when at least one of the user's roles permits `action`.
+     */
+    hasPermission(user: User, action: Action): boolean;
+    /**
+     * Returns `true` when the user's `allowedRepos` list contains `repoName`.
+     *
+     * Admin users with an empty `allowedRepos` list are granted access to every
+     * repository (convention: empty list = unrestricted for admins).
+     */
+    canAccessRepo(user: User, repoName: string): boolean;
+    /**
+     * Filters search results so the user only sees chunks from repos they can
+     * access.  Results without a `repoName` in metadata are kept (they belong
+     * to the default / single-repo setup).
+     */
+    filterResultsByAccess(user: User, results: readonly SearchResult[]): readonly SearchResult[];
+    /**
+     * Returns the effective privilege level of a role (higher = more access).
+     */
+    getRoleLevel(role: Role): number;
+    /**
+     * Returns the highest-privilege role the user holds.
+     */
+    getHighestRole(user: User): Role;
+}

package/dist/auth/rbac.js ADDED Viewed

@@ -0,0 +1,75 @@
+import { ROLE_HIERARCHY } from './types.js';
+// ---------------------------------------------------------------------------
+// Permission matrix
+// ---------------------------------------------------------------------------
+/**
+ * Maps each role to the set of actions it may perform.
+ *
+ * Role hierarchy is **additive** — a higher role inherits all permissions of
+ * lower roles.  The matrix is kept explicit so callers can inspect it without
+ * understanding hierarchy logic.
+ */
+const ROLE_ACTIONS = {
+    viewer: new Set(['search', 'context', 'status']),
+    developer: new Set(['search', 'context', 'status', 'explain', 'docs']),
+    admin: new Set(['search', 'context', 'status', 'explain', 'docs', 'index', 'configure']),
+};
+// ---------------------------------------------------------------------------
+// RBACManager
+// ---------------------------------------------------------------------------
+export class RBACManager {
+    /**
+     * Returns `true` when at least one of the user's roles permits `action`.
+     */
+    hasPermission(user, action) {
+        return user.roles.some((role) => {
+            const allowed = ROLE_ACTIONS[role];
+            return allowed !== undefined && allowed.has(action);
+        });
+    }
+    /**
+     * Returns `true` when the user's `allowedRepos` list contains `repoName`.
+     *
+     * Admin users with an empty `allowedRepos` list are granted access to every
+     * repository (convention: empty list = unrestricted for admins).
+     */
+    canAccessRepo(user, repoName) {
+        // Admins with an empty allowedRepos list have unrestricted access.
+        if (user.roles.includes('admin') && user.allowedRepos.length === 0) {
+            return true;
+        }
+        return user.allowedRepos.includes(repoName);
+    }
+    /**
+     * Filters search results so the user only sees chunks from repos they can
+     * access.  Results without a `repoName` in metadata are kept (they belong
+     * to the default / single-repo setup).
+     */
+    filterResultsByAccess(user, results) {
+        return results.filter((result) => {
+            const repoName = result.metadata.repoName;
+            if (repoName === undefined) {
+                return true; // single-repo mode — no filtering needed
+            }
+            return this.canAccessRepo(user, repoName);
+        });
+    }
+    /**
+     * Returns the effective privilege level of a role (higher = more access).
+     */
+    getRoleLevel(role) {
+        return ROLE_HIERARCHY.indexOf(role);
+    }
+    /**
+     * Returns the highest-privilege role the user holds.
+     */
+    getHighestRole(user) {
+        let highest = 'viewer';
+        for (const role of user.roles) {
+            if (this.getRoleLevel(role) > this.getRoleLevel(highest)) {
+                highest = role;
+            }
+        }
+        return highest;
+    }
+}

package/dist/auth/rbac.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rbac.js","sourceRoot":"","sources":["../../src/auth/rbac.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5C,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,YAAY,GAAgD;IAChE,MAAM,EAAE,IAAI,GAAG,CAAS,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IACxD,SAAS,EAAE,IAAI,GAAG,CAAS,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAC9E,KAAK,EAAE,IAAI,GAAG,CAAS,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;CACjG,CAAC;AAEF,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,MAAM,OAAO,WAAW;IACtB;;OAEG;IACH,aAAa,CAAC,IAAU,EAAE,MAAc;QACtC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;YAC9B,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;YACnC,OAAO,OAAO,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACH,aAAa,CAAC,IAAU,EAAE,QAAgB;QACxC,mEAAmE;QACnE,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED;;;;OAIG;IACH,qBAAqB,CAAC,IAAU,EAAE,OAAgC;QAChE,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE;YAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC1C,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC3B,OAAO,IAAI,CAAC,CAAC,yCAAyC;YACxD,CAAC;YACD,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,IAAU;QACrB,OAAO,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,IAAU;QACvB,IAAI,OAAO,GAAS,QAAQ,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzD,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}

package/dist/auth/rbac.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};