@code-rag/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (347) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +19 -0
  3. package/dist/auth/audit-log.d.ts +35 -0
  4. package/dist/auth/audit-log.js +110 -0
  5. package/dist/auth/audit-log.js.map +1 -0
  6. package/dist/auth/audit-log.test.d.ts +1 -0
  7. package/dist/auth/audit-log.test.js +261 -0
  8. package/dist/auth/audit-log.test.js.map +1 -0
  9. package/dist/auth/index.d.ts +6 -0
  10. package/dist/auth/index.js +5 -0
  11. package/dist/auth/index.js.map +1 -0
  12. package/dist/auth/oidc-provider.d.ts +49 -0
  13. package/dist/auth/oidc-provider.js +358 -0
  14. package/dist/auth/oidc-provider.js.map +1 -0
  15. package/dist/auth/oidc-provider.test.d.ts +1 -0
  16. package/dist/auth/oidc-provider.test.js +520 -0
  17. package/dist/auth/oidc-provider.test.js.map +1 -0
  18. package/dist/auth/rbac.d.ts +29 -0
  19. package/dist/auth/rbac.js +75 -0
  20. package/dist/auth/rbac.js.map +1 -0
  21. package/dist/auth/rbac.test.d.ts +1 -0
  22. package/dist/auth/rbac.test.js +224 -0
  23. package/dist/auth/rbac.test.js.map +1 -0
  24. package/dist/auth/saml-provider.d.ts +51 -0
  25. package/dist/auth/saml-provider.js +355 -0
  26. package/dist/auth/saml-provider.js.map +1 -0
  27. package/dist/auth/saml-provider.test.d.ts +1 -0
  28. package/dist/auth/saml-provider.test.js +422 -0
  29. package/dist/auth/saml-provider.test.js.map +1 -0
  30. package/dist/auth/types.d.ts +81 -0
  31. package/dist/auth/types.js +11 -0
  32. package/dist/auth/types.js.map +1 -0
  33. package/dist/auth/types.test.d.ts +1 -0
  34. package/dist/auth/types.test.js +147 -0
  35. package/dist/auth/types.test.js.map +1 -0
  36. package/dist/backlog/ab-reference-scanner.d.ts +10 -0
  37. package/dist/backlog/ab-reference-scanner.js +22 -0
  38. package/dist/backlog/ab-reference-scanner.js.map +1 -0
  39. package/dist/backlog/ab-reference-scanner.test.d.ts +1 -0
  40. package/dist/backlog/ab-reference-scanner.test.js +83 -0
  41. package/dist/backlog/ab-reference-scanner.test.js.map +1 -0
  42. package/dist/backlog/azure-devops-provider.d.ts +59 -0
  43. package/dist/backlog/azure-devops-provider.js +283 -0
  44. package/dist/backlog/azure-devops-provider.js.map +1 -0
  45. package/dist/backlog/backlog-provider.d.ts +13 -0
  46. package/dist/backlog/backlog-provider.js +6 -0
  47. package/dist/backlog/backlog-provider.js.map +1 -0
  48. package/dist/backlog/backlog-provider.test.d.ts +1 -0
  49. package/dist/backlog/backlog-provider.test.js +426 -0
  50. package/dist/backlog/backlog-provider.test.js.map +1 -0
  51. package/dist/backlog/clickup-provider.d.ts +55 -0
  52. package/dist/backlog/clickup-provider.js +301 -0
  53. package/dist/backlog/clickup-provider.js.map +1 -0
  54. package/dist/backlog/clickup-provider.test.d.ts +1 -0
  55. package/dist/backlog/clickup-provider.test.js +426 -0
  56. package/dist/backlog/clickup-provider.test.js.map +1 -0
  57. package/dist/backlog/clickup-reference-scanner.d.ts +10 -0
  58. package/dist/backlog/clickup-reference-scanner.js +32 -0
  59. package/dist/backlog/clickup-reference-scanner.js.map +1 -0
  60. package/dist/backlog/clickup-reference-scanner.test.d.ts +1 -0
  61. package/dist/backlog/clickup-reference-scanner.test.js +92 -0
  62. package/dist/backlog/clickup-reference-scanner.test.js.map +1 -0
  63. package/dist/backlog/code-linker.d.ts +63 -0
  64. package/dist/backlog/code-linker.js +90 -0
  65. package/dist/backlog/code-linker.js.map +1 -0
  66. package/dist/backlog/code-linker.test.d.ts +1 -0
  67. package/dist/backlog/code-linker.test.js +325 -0
  68. package/dist/backlog/code-linker.test.js.map +1 -0
  69. package/dist/backlog/index.d.ts +14 -0
  70. package/dist/backlog/index.js +8 -0
  71. package/dist/backlog/index.js.map +1 -0
  72. package/dist/backlog/jira-provider.d.ts +60 -0
  73. package/dist/backlog/jira-provider.js +272 -0
  74. package/dist/backlog/jira-provider.js.map +1 -0
  75. package/dist/backlog/jira-provider.test.d.ts +1 -0
  76. package/dist/backlog/jira-provider.test.js +449 -0
  77. package/dist/backlog/jira-provider.test.js.map +1 -0
  78. package/dist/backlog/jira-reference-scanner.d.ts +11 -0
  79. package/dist/backlog/jira-reference-scanner.js +26 -0
  80. package/dist/backlog/jira-reference-scanner.js.map +1 -0
  81. package/dist/backlog/jira-reference-scanner.test.d.ts +1 -0
  82. package/dist/backlog/jira-reference-scanner.test.js +127 -0
  83. package/dist/backlog/jira-reference-scanner.test.js.map +1 -0
  84. package/dist/backlog/types.d.ts +22 -0
  85. package/dist/backlog/types.js +1 -0
  86. package/dist/backlog/types.js.map +1 -0
  87. package/dist/chunker/ast-chunker.d.ts +45 -0
  88. package/dist/chunker/ast-chunker.js +292 -0
  89. package/dist/chunker/ast-chunker.js.map +1 -0
  90. package/dist/chunker/ast-chunker.test.d.ts +1 -0
  91. package/dist/chunker/ast-chunker.test.js +391 -0
  92. package/dist/chunker/ast-chunker.test.js.map +1 -0
  93. package/dist/chunker/chunker.d.ts +8 -0
  94. package/dist/chunker/chunker.js +1 -0
  95. package/dist/chunker/chunker.js.map +1 -0
  96. package/dist/chunker/index.d.ts +3 -0
  97. package/dist/chunker/index.js +2 -0
  98. package/dist/chunker/index.js.map +1 -0
  99. package/dist/config/config-parser.d.ts +15 -0
  100. package/dist/config/config-parser.js +283 -0
  101. package/dist/config/config-parser.js.map +1 -0
  102. package/dist/config/config-parser.test.d.ts +1 -0
  103. package/dist/config/config-parser.test.js +699 -0
  104. package/dist/config/config-parser.test.js.map +1 -0
  105. package/dist/docs/confluence-provider.d.ts +121 -0
  106. package/dist/docs/confluence-provider.js +459 -0
  107. package/dist/docs/confluence-provider.js.map +1 -0
  108. package/dist/docs/confluence-provider.test.d.ts +1 -0
  109. package/dist/docs/confluence-provider.test.js +765 -0
  110. package/dist/docs/confluence-provider.test.js.map +1 -0
  111. package/dist/docs/index.d.ts +4 -0
  112. package/dist/docs/index.js +2 -0
  113. package/dist/docs/index.js.map +1 -0
  114. package/dist/docs/sharepoint-provider.d.ts +150 -0
  115. package/dist/docs/sharepoint-provider.js +637 -0
  116. package/dist/docs/sharepoint-provider.js.map +1 -0
  117. package/dist/docs/sharepoint-provider.test.d.ts +1 -0
  118. package/dist/docs/sharepoint-provider.test.js +873 -0
  119. package/dist/docs/sharepoint-provider.test.js.map +1 -0
  120. package/dist/embedding/bm25-index.d.ts +12 -0
  121. package/dist/embedding/bm25-index.js +89 -0
  122. package/dist/embedding/bm25-index.js.map +1 -0
  123. package/dist/embedding/bm25-index.test.d.ts +1 -0
  124. package/dist/embedding/bm25-index.test.js +289 -0
  125. package/dist/embedding/bm25-index.test.js.map +1 -0
  126. package/dist/embedding/hybrid-search.d.ts +13 -0
  127. package/dist/embedding/hybrid-search.js +124 -0
  128. package/dist/embedding/hybrid-search.js.map +1 -0
  129. package/dist/embedding/hybrid-search.test.d.ts +1 -0
  130. package/dist/embedding/hybrid-search.test.js +266 -0
  131. package/dist/embedding/hybrid-search.test.js.map +1 -0
  132. package/dist/embedding/index.d.ts +11 -0
  133. package/dist/embedding/index.js +7 -0
  134. package/dist/embedding/index.js.map +1 -0
  135. package/dist/embedding/lancedb-store.d.ts +21 -0
  136. package/dist/embedding/lancedb-store.js +172 -0
  137. package/dist/embedding/lancedb-store.js.map +1 -0
  138. package/dist/embedding/lancedb-store.test.d.ts +1 -0
  139. package/dist/embedding/lancedb-store.test.js +268 -0
  140. package/dist/embedding/lancedb-store.test.js.map +1 -0
  141. package/dist/embedding/model-lifecycle-manager.d.ts +83 -0
  142. package/dist/embedding/model-lifecycle-manager.js +419 -0
  143. package/dist/embedding/model-lifecycle-manager.js.map +1 -0
  144. package/dist/embedding/model-lifecycle-manager.test.d.ts +1 -0
  145. package/dist/embedding/model-lifecycle-manager.test.js +642 -0
  146. package/dist/embedding/model-lifecycle-manager.test.js.map +1 -0
  147. package/dist/embedding/ollama-embedding-provider.d.ts +16 -0
  148. package/dist/embedding/ollama-embedding-provider.js +74 -0
  149. package/dist/embedding/ollama-embedding-provider.js.map +1 -0
  150. package/dist/embedding/ollama-embedding-provider.test.d.ts +1 -0
  151. package/dist/embedding/ollama-embedding-provider.test.js +198 -0
  152. package/dist/embedding/ollama-embedding-provider.test.js.map +1 -0
  153. package/dist/embedding/openai-compatible-embedding-provider.d.ts +19 -0
  154. package/dist/embedding/openai-compatible-embedding-provider.js +108 -0
  155. package/dist/embedding/openai-compatible-embedding-provider.js.map +1 -0
  156. package/dist/embedding/openai-compatible-embedding-provider.test.d.ts +1 -0
  157. package/dist/embedding/openai-compatible-embedding-provider.test.js +456 -0
  158. package/dist/embedding/openai-compatible-embedding-provider.test.js.map +1 -0
  159. package/dist/embedding/qdrant-store.d.ts +28 -0
  160. package/dist/embedding/qdrant-store.js +174 -0
  161. package/dist/embedding/qdrant-store.js.map +1 -0
  162. package/dist/embedding/qdrant-store.test.d.ts +1 -0
  163. package/dist/embedding/qdrant-store.test.js +359 -0
  164. package/dist/embedding/qdrant-store.test.js.map +1 -0
  165. package/dist/enrichment/index.d.ts +4 -0
  166. package/dist/enrichment/index.js +2 -0
  167. package/dist/enrichment/index.js.map +1 -0
  168. package/dist/enrichment/nl-enricher.d.ts +16 -0
  169. package/dist/enrichment/nl-enricher.js +47 -0
  170. package/dist/enrichment/nl-enricher.js.map +1 -0
  171. package/dist/enrichment/nl-enricher.test.d.ts +1 -0
  172. package/dist/enrichment/nl-enricher.test.js +154 -0
  173. package/dist/enrichment/nl-enricher.test.js.map +1 -0
  174. package/dist/enrichment/ollama-client.d.ts +18 -0
  175. package/dist/enrichment/ollama-client.js +55 -0
  176. package/dist/enrichment/ollama-client.js.map +1 -0
  177. package/dist/enrichment/ollama-client.test.d.ts +1 -0
  178. package/dist/enrichment/ollama-client.test.js +129 -0
  179. package/dist/enrichment/ollama-client.test.js.map +1 -0
  180. package/dist/git/git-client.d.ts +22 -0
  181. package/dist/git/git-client.js +6 -0
  182. package/dist/git/git-client.js.map +1 -0
  183. package/dist/git/git-client.test.d.ts +1 -0
  184. package/dist/git/git-client.test.js +200 -0
  185. package/dist/git/git-client.test.js.map +1 -0
  186. package/dist/git/ignore-filter.d.ts +2 -0
  187. package/dist/git/ignore-filter.js +31 -0
  188. package/dist/git/ignore-filter.js.map +1 -0
  189. package/dist/git/ignore-filter.test.d.ts +1 -0
  190. package/dist/git/ignore-filter.test.js +87 -0
  191. package/dist/git/ignore-filter.test.js.map +1 -0
  192. package/dist/git/index.d.ts +4 -0
  193. package/dist/git/index.js +3 -0
  194. package/dist/git/index.js.map +1 -0
  195. package/dist/git/simple-git-client.d.ts +12 -0
  196. package/dist/git/simple-git-client.js +138 -0
  197. package/dist/git/simple-git-client.js.map +1 -0
  198. package/dist/graph/cross-repo-resolver.d.ts +50 -0
  199. package/dist/graph/cross-repo-resolver.js +315 -0
  200. package/dist/graph/cross-repo-resolver.js.map +1 -0
  201. package/dist/graph/cross-repo-resolver.test.d.ts +1 -0
  202. package/dist/graph/cross-repo-resolver.test.js +548 -0
  203. package/dist/graph/cross-repo-resolver.test.js.map +1 -0
  204. package/dist/graph/dependency-graph.d.ts +44 -0
  205. package/dist/graph/dependency-graph.js +108 -0
  206. package/dist/graph/dependency-graph.js.map +1 -0
  207. package/dist/graph/dependency-graph.test.d.ts +1 -0
  208. package/dist/graph/dependency-graph.test.js +276 -0
  209. package/dist/graph/dependency-graph.test.js.map +1 -0
  210. package/dist/graph/graph-builder.d.ts +11 -0
  211. package/dist/graph/graph-builder.js +113 -0
  212. package/dist/graph/graph-builder.js.map +1 -0
  213. package/dist/graph/graph-builder.test.d.ts +1 -0
  214. package/dist/graph/graph-builder.test.js +178 -0
  215. package/dist/graph/graph-builder.test.js.map +1 -0
  216. package/dist/graph/import-resolver.d.ts +11 -0
  217. package/dist/graph/import-resolver.js +199 -0
  218. package/dist/graph/import-resolver.js.map +1 -0
  219. package/dist/graph/import-resolver.test.d.ts +1 -0
  220. package/dist/graph/import-resolver.test.js +282 -0
  221. package/dist/graph/import-resolver.test.js.map +1 -0
  222. package/dist/graph/index.d.ts +7 -0
  223. package/dist/graph/index.js +4 -0
  224. package/dist/graph/index.js.map +1 -0
  225. package/dist/index.d.ts +31 -0
  226. package/dist/index.js +15 -0
  227. package/dist/index.js.map +1 -0
  228. package/dist/indexer/file-scanner.d.ts +34 -0
  229. package/dist/indexer/file-scanner.js +69 -0
  230. package/dist/indexer/file-scanner.js.map +1 -0
  231. package/dist/indexer/file-scanner.test.d.ts +1 -0
  232. package/dist/indexer/file-scanner.test.js +110 -0
  233. package/dist/indexer/file-scanner.test.js.map +1 -0
  234. package/dist/indexer/file-watcher.d.ts +79 -0
  235. package/dist/indexer/file-watcher.js +148 -0
  236. package/dist/indexer/incremental-indexer.d.ts +67 -0
  237. package/dist/indexer/incremental-indexer.js +142 -0
  238. package/dist/indexer/incremental-indexer.js.map +1 -0
  239. package/dist/indexer/incremental-indexer.test.d.ts +1 -0
  240. package/dist/indexer/incremental-indexer.test.js +266 -0
  241. package/dist/indexer/incremental-indexer.test.js.map +1 -0
  242. package/dist/indexer/index-check.d.ts +22 -0
  243. package/dist/indexer/index-check.js +74 -0
  244. package/dist/indexer/index-check.js.map +1 -0
  245. package/dist/indexer/index-check.test.d.ts +1 -0
  246. package/dist/indexer/index-check.test.js +100 -0
  247. package/dist/indexer/index-check.test.js.map +1 -0
  248. package/dist/indexer/index-state.d.ts +61 -0
  249. package/dist/indexer/index-state.js +82 -0
  250. package/dist/indexer/index-state.js.map +1 -0
  251. package/dist/indexer/index-state.test.d.ts +1 -0
  252. package/dist/indexer/index-state.test.js +140 -0
  253. package/dist/indexer/index-state.test.js.map +1 -0
  254. package/dist/indexer/index.d.ts +12 -0
  255. package/dist/indexer/index.js +6 -0
  256. package/dist/indexer/index.js.map +1 -0
  257. package/dist/indexer/multi-repo-indexer.d.ts +63 -0
  258. package/dist/indexer/multi-repo-indexer.js +144 -0
  259. package/dist/indexer/multi-repo-indexer.js.map +1 -0
  260. package/dist/indexer/multi-repo-indexer.test.d.ts +1 -0
  261. package/dist/indexer/multi-repo-indexer.test.js +238 -0
  262. package/dist/indexer/multi-repo-indexer.test.js.map +1 -0
  263. package/dist/parser/index.d.ts +4 -0
  264. package/dist/parser/index.js +3 -0
  265. package/dist/parser/index.js.map +1 -0
  266. package/dist/parser/language-registry.d.ts +46 -0
  267. package/dist/parser/language-registry.js +219 -0
  268. package/dist/parser/language-registry.js.map +1 -0
  269. package/dist/parser/language-registry.test.d.ts +1 -0
  270. package/dist/parser/language-registry.test.js +225 -0
  271. package/dist/parser/language-registry.test.js.map +1 -0
  272. package/dist/parser/markdown-parser.d.ts +124 -0
  273. package/dist/parser/markdown-parser.js +487 -0
  274. package/dist/parser/markdown-parser.js.map +1 -0
  275. package/dist/parser/markdown-parser.test.d.ts +1 -0
  276. package/dist/parser/markdown-parser.test.js +600 -0
  277. package/dist/parser/markdown-parser.test.js.map +1 -0
  278. package/dist/parser/tree-sitter-parser.d.ts +32 -0
  279. package/dist/parser/tree-sitter-parser.js +146 -0
  280. package/dist/parser/tree-sitter-parser.js.map +1 -0
  281. package/dist/retrieval/context-expander.d.ts +51 -0
  282. package/dist/retrieval/context-expander.js +218 -0
  283. package/dist/retrieval/context-expander.js.map +1 -0
  284. package/dist/retrieval/context-expander.test.d.ts +1 -0
  285. package/dist/retrieval/context-expander.test.js +339 -0
  286. package/dist/retrieval/context-expander.test.js.map +1 -0
  287. package/dist/retrieval/cross-encoder-reranker.d.ts +16 -0
  288. package/dist/retrieval/cross-encoder-reranker.js +90 -0
  289. package/dist/retrieval/cross-encoder-reranker.js.map +1 -0
  290. package/dist/retrieval/cross-encoder-reranker.test.d.ts +1 -0
  291. package/dist/retrieval/cross-encoder-reranker.test.js +305 -0
  292. package/dist/retrieval/cross-encoder-reranker.test.js.map +1 -0
  293. package/dist/retrieval/index.d.ts +8 -0
  294. package/dist/retrieval/index.js +4 -0
  295. package/dist/retrieval/index.js.map +1 -0
  296. package/dist/retrieval/query-analyzer.d.ts +29 -0
  297. package/dist/retrieval/query-analyzer.js +238 -0
  298. package/dist/retrieval/query-analyzer.js.map +1 -0
  299. package/dist/retrieval/query-analyzer.test.d.ts +1 -0
  300. package/dist/retrieval/query-analyzer.test.js +236 -0
  301. package/dist/retrieval/query-analyzer.test.js.map +1 -0
  302. package/dist/retrieval/token-budget.d.ts +51 -0
  303. package/dist/retrieval/token-budget.js +141 -0
  304. package/dist/retrieval/token-budget.js.map +1 -0
  305. package/dist/retrieval/token-budget.test.d.ts +1 -0
  306. package/dist/retrieval/token-budget.test.js +404 -0
  307. package/dist/retrieval/token-budget.test.js.map +1 -0
  308. package/dist/storage/azure-blob-provider.d.ts +19 -0
  309. package/dist/storage/azure-blob-provider.js +199 -0
  310. package/dist/storage/azure-blob-provider.js.map +1 -0
  311. package/dist/storage/azure-blob-provider.test.d.ts +1 -0
  312. package/dist/storage/azure-blob-provider.test.js +250 -0
  313. package/dist/storage/azure-blob-provider.test.js.map +1 -0
  314. package/dist/storage/gcs-provider.d.ts +22 -0
  315. package/dist/storage/gcs-provider.js +241 -0
  316. package/dist/storage/gcs-provider.js.map +1 -0
  317. package/dist/storage/gcs-provider.test.d.ts +1 -0
  318. package/dist/storage/gcs-provider.test.js +299 -0
  319. package/dist/storage/gcs-provider.test.js.map +1 -0
  320. package/dist/storage/index.d.ts +5 -0
  321. package/dist/storage/index.js +4 -0
  322. package/dist/storage/index.js.map +1 -0
  323. package/dist/storage/s3-provider.d.ts +21 -0
  324. package/dist/storage/s3-provider.js +220 -0
  325. package/dist/storage/s3-provider.js.map +1 -0
  326. package/dist/storage/s3-provider.test.d.ts +1 -0
  327. package/dist/storage/s3-provider.test.js +329 -0
  328. package/dist/storage/s3-provider.test.js.map +1 -0
  329. package/dist/storage/types.d.ts +65 -0
  330. package/dist/storage/types.js +12 -0
  331. package/dist/storage/types.js.map +1 -0
  332. package/dist/types/chunk.d.ts +32 -0
  333. package/dist/types/chunk.js +1 -0
  334. package/dist/types/chunk.js.map +1 -0
  335. package/dist/types/config.d.ts +71 -0
  336. package/dist/types/config.js +1 -0
  337. package/dist/types/config.js.map +1 -0
  338. package/dist/types/index.d.ts +5 -0
  339. package/dist/types/index.js +1 -0
  340. package/dist/types/index.js.map +1 -0
  341. package/dist/types/provider.d.ts +54 -0
  342. package/dist/types/provider.js +36 -0
  343. package/dist/types/provider.js.map +1 -0
  344. package/dist/types/search.d.ts +27 -0
  345. package/dist/types/search.js +1 -0
  346. package/dist/types/search.js.map +1 -0
  347. package/package.json +70 -0
@@ -0,0 +1,520 @@
1
+ import { describe, it, expect, vi, beforeEach } from 'vitest';
2
+ import { createSign, generateKeyPairSync } from 'node:crypto';
3
+ import { OIDCProvider } from './oidc-provider.js';
4
+ import { AuthError } from './types.js';
5
+ // ---------------------------------------------------------------------------
6
+ // RSA key pair for signing test JWTs
7
+ // ---------------------------------------------------------------------------
8
+ const { publicKey, privateKey } = generateKeyPairSync('rsa', {
9
+ modulusLength: 2048,
10
+ });
11
+ // Extract n and e from JWK format for testing
12
+ const jwkExport = publicKey.export({ format: 'jwk' });
13
+ // ---------------------------------------------------------------------------
14
+ // Helpers
15
+ // ---------------------------------------------------------------------------
16
+ function base64UrlEncode(data) {
17
+ const buf = typeof data === 'string' ? Buffer.from(data) : data;
18
+ return buf.toString('base64').replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
19
+ }
20
+ function createJwt(payload, options) {
21
+ const header = {
22
+ alg: options?.alg ?? 'RS256',
23
+ typ: 'JWT',
24
+ kid: options?.kid ?? 'test-key-1',
25
+ };
26
+ const headerB64 = base64UrlEncode(JSON.stringify(header));
27
+ const payloadB64 = base64UrlEncode(JSON.stringify(payload));
28
+ const data = `${headerB64}.${payloadB64}`;
29
+ const signer = createSign('RSA-SHA256');
30
+ signer.update(data);
31
+ const signature = signer.sign(privateKey);
32
+ const sigB64 = base64UrlEncode(signature);
33
+ return `${data}.${sigB64}`;
34
+ }
35
+ function defaultConfig() {
36
+ return {
37
+ issuerUrl: 'https://idp.example.com',
38
+ clientId: 'coderag-client',
39
+ clientSecret: 'secret',
40
+ audience: 'coderag-api',
41
+ roleMapping: {
42
+ 'CodeRAG-Admin': 'admin',
43
+ 'CodeRAG-Dev': 'developer',
44
+ 'CodeRAG-Reader': 'viewer',
45
+ },
46
+ };
47
+ }
48
+ function defaultDiscovery() {
49
+ return {
50
+ issuer: 'https://idp.example.com',
51
+ authorization_endpoint: 'https://idp.example.com/authorize',
52
+ token_endpoint: 'https://idp.example.com/token',
53
+ userinfo_endpoint: 'https://idp.example.com/userinfo',
54
+ jwks_uri: 'https://idp.example.com/.well-known/jwks.json',
55
+ };
56
+ }
57
+ function defaultJwks() {
58
+ return {
59
+ keys: [
60
+ {
61
+ kty: 'RSA',
62
+ kid: 'test-key-1',
63
+ use: 'sig',
64
+ n: jwkExport.n,
65
+ e: jwkExport.e,
66
+ },
67
+ ],
68
+ };
69
+ }
70
+ function createMockFetch(responses) {
71
+ return vi.fn(async (input) => {
72
+ const url = typeof input === 'string' ? input : input.toString();
73
+ const response = responses[url];
74
+ if (!response) {
75
+ return {
76
+ ok: false,
77
+ status: 404,
78
+ json: async () => ({}),
79
+ text: async () => '',
80
+ };
81
+ }
82
+ return {
83
+ ok: response.ok,
84
+ status: response.status,
85
+ json: async () => response.body,
86
+ text: async () => JSON.stringify(response.body),
87
+ };
88
+ });
89
+ }
90
+ // ---------------------------------------------------------------------------
91
+ // Tests
92
+ // ---------------------------------------------------------------------------
93
+ describe('OIDCProvider', () => {
94
+ let config;
95
+ beforeEach(() => {
96
+ config = defaultConfig();
97
+ });
98
+ // -----------------------------------------------------------------------
99
+ // Constructor
100
+ // -----------------------------------------------------------------------
101
+ describe('constructor', () => {
102
+ it('should have name set to oidc', () => {
103
+ const provider = new OIDCProvider(config);
104
+ expect(provider.name).toBe('oidc');
105
+ });
106
+ });
107
+ // -----------------------------------------------------------------------
108
+ // initialize
109
+ // -----------------------------------------------------------------------
110
+ describe('initialize', () => {
111
+ it('should fetch discovery document and JWKS', async () => {
112
+ const mockFetch = createMockFetch({
113
+ 'https://idp.example.com/.well-known/openid-configuration': {
114
+ ok: true,
115
+ status: 200,
116
+ body: defaultDiscovery(),
117
+ },
118
+ 'https://idp.example.com/.well-known/jwks.json': {
119
+ ok: true,
120
+ status: 200,
121
+ body: defaultJwks(),
122
+ },
123
+ });
124
+ const provider = new OIDCProvider(config, mockFetch);
125
+ const result = await provider.initialize();
126
+ expect(result.isOk()).toBe(true);
127
+ expect(mockFetch).toHaveBeenCalledTimes(2);
128
+ });
129
+ it('should return error when discovery fails', async () => {
130
+ const mockFetch = createMockFetch({
131
+ 'https://idp.example.com/.well-known/openid-configuration': {
132
+ ok: false,
133
+ status: 500,
134
+ body: {},
135
+ },
136
+ });
137
+ const provider = new OIDCProvider(config, mockFetch);
138
+ const result = await provider.initialize();
139
+ expect(result.isErr()).toBe(true);
140
+ if (result.isErr()) {
141
+ expect(result.error).toBeInstanceOf(AuthError);
142
+ expect(result.error.message).toContain('discovery failed');
143
+ }
144
+ });
145
+ it('should return error when JWKS fetch fails', async () => {
146
+ const mockFetch = createMockFetch({
147
+ 'https://idp.example.com/.well-known/openid-configuration': {
148
+ ok: true,
149
+ status: 200,
150
+ body: defaultDiscovery(),
151
+ },
152
+ 'https://idp.example.com/.well-known/jwks.json': {
153
+ ok: false,
154
+ status: 500,
155
+ body: {},
156
+ },
157
+ });
158
+ const provider = new OIDCProvider(config, mockFetch);
159
+ const result = await provider.initialize();
160
+ expect(result.isErr()).toBe(true);
161
+ if (result.isErr()) {
162
+ expect(result.error.message).toContain('JWKS fetch failed');
163
+ }
164
+ });
165
+ it('should return error on network failure', async () => {
166
+ const mockFetch = vi.fn(async () => {
167
+ throw new Error('Network unreachable');
168
+ });
169
+ const provider = new OIDCProvider(config, mockFetch);
170
+ const result = await provider.initialize();
171
+ expect(result.isErr()).toBe(true);
172
+ if (result.isErr()) {
173
+ expect(result.error.message).toContain('Network unreachable');
174
+ }
175
+ });
176
+ it('should strip trailing slash from issuer URL', async () => {
177
+ const configWithSlash = {
178
+ ...config,
179
+ issuerUrl: 'https://idp.example.com/',
180
+ };
181
+ const mockFetch = createMockFetch({
182
+ 'https://idp.example.com/.well-known/openid-configuration': {
183
+ ok: true,
184
+ status: 200,
185
+ body: defaultDiscovery(),
186
+ },
187
+ 'https://idp.example.com/.well-known/jwks.json': {
188
+ ok: true,
189
+ status: 200,
190
+ body: defaultJwks(),
191
+ },
192
+ });
193
+ const provider = new OIDCProvider(configWithSlash, mockFetch);
194
+ const result = await provider.initialize();
195
+ expect(result.isOk()).toBe(true);
196
+ });
197
+ });
198
+ // -----------------------------------------------------------------------
199
+ // validateToken
200
+ // -----------------------------------------------------------------------
201
+ describe('validateToken', () => {
202
+ async function createInitializedProvider(jwks) {
203
+ const mockFetch = createMockFetch({
204
+ 'https://idp.example.com/.well-known/openid-configuration': {
205
+ ok: true,
206
+ status: 200,
207
+ body: defaultDiscovery(),
208
+ },
209
+ 'https://idp.example.com/.well-known/jwks.json': {
210
+ ok: true,
211
+ status: 200,
212
+ body: jwks ?? defaultJwks(),
213
+ },
214
+ });
215
+ const provider = new OIDCProvider(config, mockFetch);
216
+ await provider.initialize();
217
+ return provider;
218
+ }
219
+ it('should validate a valid JWT with n/e JWKS key', async () => {
220
+ const provider = await createInitializedProvider();
221
+ const now = Math.floor(Date.now() / 1000);
222
+ const token = createJwt({
223
+ sub: 'user-123',
224
+ email: 'user@example.com',
225
+ iss: 'https://idp.example.com',
226
+ aud: 'coderag-api',
227
+ exp: now + 3600,
228
+ iat: now,
229
+ });
230
+ const result = await provider.validateToken(token);
231
+ expect(result.isOk()).toBe(true);
232
+ if (result.isOk()) {
233
+ expect(result.value.userId).toBe('user-123');
234
+ expect(result.value.email).toBe('user@example.com');
235
+ expect(result.value.exp).toBe(now + 3600);
236
+ expect(result.value.iat).toBe(now);
237
+ }
238
+ });
239
+ it('should reject an expired token', async () => {
240
+ const provider = await createInitializedProvider();
241
+ const now = Math.floor(Date.now() / 1000);
242
+ const token = createJwt({
243
+ sub: 'user-123',
244
+ email: 'user@example.com',
245
+ iss: 'https://idp.example.com',
246
+ aud: 'coderag-api',
247
+ exp: now - 100,
248
+ iat: now - 3700,
249
+ });
250
+ const result = await provider.validateToken(token);
251
+ expect(result.isErr()).toBe(true);
252
+ if (result.isErr()) {
253
+ expect(result.error.message).toContain('expired');
254
+ }
255
+ });
256
+ it('should reject a token with wrong issuer', async () => {
257
+ const provider = await createInitializedProvider();
258
+ const now = Math.floor(Date.now() / 1000);
259
+ const token = createJwt({
260
+ sub: 'user-123',
261
+ iss: 'https://evil.example.com',
262
+ aud: 'coderag-api',
263
+ exp: now + 3600,
264
+ iat: now,
265
+ });
266
+ const result = await provider.validateToken(token);
267
+ expect(result.isErr()).toBe(true);
268
+ if (result.isErr()) {
269
+ expect(result.error.message).toContain('Invalid issuer');
270
+ }
271
+ });
272
+ it('should reject a token with wrong audience', async () => {
273
+ const provider = await createInitializedProvider();
274
+ const now = Math.floor(Date.now() / 1000);
275
+ const token = createJwt({
276
+ sub: 'user-123',
277
+ iss: 'https://idp.example.com',
278
+ aud: 'wrong-audience',
279
+ exp: now + 3600,
280
+ iat: now,
281
+ });
282
+ const result = await provider.validateToken(token);
283
+ expect(result.isErr()).toBe(true);
284
+ if (result.isErr()) {
285
+ expect(result.error.message).toContain('Invalid audience');
286
+ }
287
+ });
288
+ it('should accept a token with audience as array', async () => {
289
+ const provider = await createInitializedProvider();
290
+ const now = Math.floor(Date.now() / 1000);
291
+ const token = createJwt({
292
+ sub: 'user-123',
293
+ iss: 'https://idp.example.com',
294
+ aud: ['other-api', 'coderag-api'],
295
+ exp: now + 3600,
296
+ iat: now,
297
+ });
298
+ const result = await provider.validateToken(token);
299
+ expect(result.isOk()).toBe(true);
300
+ });
301
+ it('should reject a malformed JWT (not 3 parts)', async () => {
302
+ const provider = await createInitializedProvider();
303
+ const result = await provider.validateToken('not.a.valid.jwt.token');
304
+ expect(result.isErr()).toBe(true);
305
+ if (result.isErr()) {
306
+ expect(result.error.message).toContain('expected 3 parts');
307
+ }
308
+ });
309
+ it('should reject a JWT with invalid header JSON', async () => {
310
+ const provider = await createInitializedProvider();
311
+ const badHeader = base64UrlEncode('not-json');
312
+ const payload = base64UrlEncode(JSON.stringify({ sub: 'test' }));
313
+ const result = await provider.validateToken(`${badHeader}.${payload}.sig`);
314
+ expect(result.isErr()).toBe(true);
315
+ if (result.isErr()) {
316
+ expect(result.error.message).toContain('malformed header');
317
+ }
318
+ });
319
+ it('should reject a JWT with invalid payload JSON', async () => {
320
+ const provider = await createInitializedProvider();
321
+ const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', kid: 'test-key-1' }));
322
+ const badPayload = base64UrlEncode('not-json');
323
+ const result = await provider.validateToken(`${header}.${badPayload}.sig`);
324
+ expect(result.isErr()).toBe(true);
325
+ if (result.isErr()) {
326
+ expect(result.error.message).toContain('malformed payload');
327
+ }
328
+ });
329
+ });
330
+ // -----------------------------------------------------------------------
331
+ // authenticate (delegates to validateToken)
332
+ // -----------------------------------------------------------------------
333
+ describe('authenticate', () => {
334
+ it('should return AuthToken for valid JWT', async () => {
335
+ const mockFetch = createMockFetch({
336
+ 'https://idp.example.com/.well-known/openid-configuration': {
337
+ ok: true,
338
+ status: 200,
339
+ body: defaultDiscovery(),
340
+ },
341
+ 'https://idp.example.com/.well-known/jwks.json': {
342
+ ok: true,
343
+ status: 200,
344
+ body: defaultJwks(),
345
+ },
346
+ });
347
+ const provider = new OIDCProvider(config, mockFetch);
348
+ await provider.initialize();
349
+ const now = Math.floor(Date.now() / 1000);
350
+ const token = createJwt({
351
+ sub: 'u-1',
352
+ email: 'a@b.com',
353
+ iss: 'https://idp.example.com',
354
+ aud: 'coderag-api',
355
+ exp: now + 3600,
356
+ iat: now,
357
+ roles: ['CodeRAG-Admin'],
358
+ });
359
+ const result = await provider.authenticate(token);
360
+ expect(result.isOk()).toBe(true);
361
+ if (result.isOk()) {
362
+ expect(result.value.userId).toBe('u-1');
363
+ expect(result.value.roles).toContain('admin');
364
+ }
365
+ });
366
+ });
367
+ // -----------------------------------------------------------------------
368
+ // getUserInfo
369
+ // -----------------------------------------------------------------------
370
+ describe('getUserInfo', () => {
371
+ it('should fetch and cache user info', async () => {
372
+ const mockFetch = createMockFetch({
373
+ 'https://idp.example.com/.well-known/openid-configuration': {
374
+ ok: true,
375
+ status: 200,
376
+ body: defaultDiscovery(),
377
+ },
378
+ 'https://idp.example.com/.well-known/jwks.json': {
379
+ ok: true,
380
+ status: 200,
381
+ body: defaultJwks(),
382
+ },
383
+ 'https://idp.example.com/userinfo': {
384
+ ok: true,
385
+ status: 200,
386
+ body: {
387
+ sub: 'user-42',
388
+ email: 'jane@example.com',
389
+ name: 'Jane Doe',
390
+ groups: ['CodeRAG-Dev'],
391
+ },
392
+ },
393
+ });
394
+ const provider = new OIDCProvider(config, mockFetch);
395
+ await provider.initialize();
396
+ const result = await provider.getUserInfo('some-access-token');
397
+ expect(result.isOk()).toBe(true);
398
+ if (result.isOk()) {
399
+ expect(result.value.id).toBe('user-42');
400
+ expect(result.value.email).toBe('jane@example.com');
401
+ expect(result.value.name).toBe('Jane Doe');
402
+ expect(result.value.roles).toContain('developer');
403
+ }
404
+ // Verify cache works
405
+ const rolesResult = await provider.getUserRoles('user-42');
406
+ expect(rolesResult.isOk()).toBe(true);
407
+ if (rolesResult.isOk()) {
408
+ expect(rolesResult.value).toContain('developer');
409
+ }
410
+ });
411
+ it('should return error when not initialized', async () => {
412
+ const provider = new OIDCProvider(config);
413
+ const result = await provider.getUserInfo('token');
414
+ expect(result.isErr()).toBe(true);
415
+ if (result.isErr()) {
416
+ expect(result.error.message).toContain('not initialized');
417
+ }
418
+ });
419
+ it('should return error on userinfo HTTP failure', async () => {
420
+ const mockFetch = createMockFetch({
421
+ 'https://idp.example.com/.well-known/openid-configuration': {
422
+ ok: true,
423
+ status: 200,
424
+ body: defaultDiscovery(),
425
+ },
426
+ 'https://idp.example.com/.well-known/jwks.json': {
427
+ ok: true,
428
+ status: 200,
429
+ body: defaultJwks(),
430
+ },
431
+ 'https://idp.example.com/userinfo': {
432
+ ok: false,
433
+ status: 401,
434
+ body: {},
435
+ },
436
+ });
437
+ const provider = new OIDCProvider(config, mockFetch);
438
+ await provider.initialize();
439
+ const result = await provider.getUserInfo('bad-token');
440
+ expect(result.isErr()).toBe(true);
441
+ if (result.isErr()) {
442
+ expect(result.error.message).toContain('Userinfo request failed');
443
+ }
444
+ });
445
+ });
446
+ // -----------------------------------------------------------------------
447
+ // mapRoles
448
+ // -----------------------------------------------------------------------
449
+ describe('mapRoles', () => {
450
+ it('should map OIDC group claims using roleMapping', () => {
451
+ const provider = new OIDCProvider(config);
452
+ const roles = provider.mapRoles({
453
+ groups: ['CodeRAG-Admin', 'other-group'],
454
+ });
455
+ expect(roles).toContain('admin');
456
+ expect(roles).not.toContain('other-group');
457
+ });
458
+ it('should accept direct role names (admin, developer, viewer)', () => {
459
+ const provider = new OIDCProvider(config);
460
+ const roles = provider.mapRoles({ roles: ['admin'] });
461
+ expect(roles).toContain('admin');
462
+ });
463
+ it('should support roles as a comma-separated string', () => {
464
+ const provider = new OIDCProvider(config);
465
+ const roles = provider.mapRoles({ roles: 'admin' });
466
+ expect(roles).toContain('admin');
467
+ });
468
+ it('should handle Keycloak realm_access.roles claim', () => {
469
+ const provider = new OIDCProvider(config);
470
+ const roles = provider.mapRoles({
471
+ realm_access: { roles: ['CodeRAG-Dev'] },
472
+ });
473
+ expect(roles).toContain('developer');
474
+ });
475
+ it('should default to viewer when no mapping matches', () => {
476
+ const provider = new OIDCProvider(config);
477
+ const roles = provider.mapRoles({ groups: ['unrelated-group'] });
478
+ expect(roles).toEqual(['viewer']);
479
+ });
480
+ it('should default to viewer when claims are empty', () => {
481
+ const provider = new OIDCProvider(config);
482
+ const roles = provider.mapRoles({});
483
+ expect(roles).toEqual(['viewer']);
484
+ });
485
+ it('should deduplicate roles', () => {
486
+ const provider = new OIDCProvider(config);
487
+ const roles = provider.mapRoles({
488
+ roles: ['admin'],
489
+ groups: ['CodeRAG-Admin'],
490
+ });
491
+ // admin appears from both, should be deduplicated
492
+ const adminCount = roles.filter((r) => r === 'admin').length;
493
+ expect(adminCount).toBe(1);
494
+ });
495
+ });
496
+ // -----------------------------------------------------------------------
497
+ // getUserRoles / getUserRepos (cache miss)
498
+ // -----------------------------------------------------------------------
499
+ describe('getUserRoles (cache miss)', () => {
500
+ it('should return viewer for unknown user', async () => {
501
+ const provider = new OIDCProvider(config);
502
+ const result = await provider.getUserRoles('unknown-user');
503
+ expect(result.isOk()).toBe(true);
504
+ if (result.isOk()) {
505
+ expect(result.value).toEqual(['viewer']);
506
+ }
507
+ });
508
+ });
509
+ describe('getUserRepos (cache miss)', () => {
510
+ it('should return empty array for unknown user', async () => {
511
+ const provider = new OIDCProvider(config);
512
+ const result = await provider.getUserRepos('unknown-user');
513
+ expect(result.isOk()).toBe(true);
514
+ if (result.isOk()) {
515
+ expect(result.value).toEqual([]);
516
+ }
517
+ });
518
+ });
519
+ });
520
+ //# sourceMappingURL=oidc-provider.test.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oidc-provider.test.js","sourceRoot":"","sources":["../../src/auth/oidc-provider.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGvC,8EAA8E;AAC9E,qCAAqC;AACrC,8EAA8E;AAE9E,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;IAC3D,aAAa,EAAE,IAAI;CACpB,CAAC,CAAC;AAEH,8CAA8C;AAC9C,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAInD,CAAC;AAEF,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,eAAe,CAAC,IAAqB;IAC5C,MAAM,GAAG,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC1F,CAAC;AAED,SAAS,SAAS,CAChB,OAAgC,EAChC,OAIC;IAED,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,OAAO,EAAE,GAAG,IAAI,OAAO;QAC5B,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,OAAO,EAAE,GAAG,IAAI,YAAY;KAClC,CAAC;IAEF,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5D,MAAM,IAAI,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAE1C,MAAM,MAAM,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACxC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACpB,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAE1C,OAAO,GAAG,IAAI,IAAI,MAAM,EAAE,CAAC;AAC7B,CAAC;AAED,SAAS,aAAa;IACpB,OAAO;QACL,SAAS,EAAE,yBAAyB;QACpC,QAAQ,EAAE,gBAAgB;QAC1B,YAAY,EAAE,QAAQ;QACtB,QAAQ,EAAE,aAAa;QACvB,WAAW,EAAE;YACX,eAAe,EAAE,OAAO;YACxB,aAAa,EAAE,WAAW;YAC1B,gBAAgB,EAAE,QAAQ;SAC3B;KACF,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB;IACvB,OAAO;QACL,MAAM,EAAE,yBAAyB;QACjC,sBAAsB,EAAE,mCAAmC;QAC3D,cAAc,EAAE,+BAA+B;QAC/C,iBAAiB,EAAE,kCAAkC;QACrD,QAAQ,EAAE,+CAA+C;KAC1D,CAAC;AACJ,CAAC;AAED,SAAS,WAAW;IAClB,OAAO;QACL,IAAI,EAAE;YACJ;gBACE,GAAG,EAAE,KAAK;gBACV,GAAG,EAAE,YAAY;gBACjB,GAAG,EAAE,KAAK;gBACV,CAAC,EAAE,SAAS,CAAC,CAAC;gBACd,CAAC,EAAE,SAAS,CAAC,CAAC;aACf;SACF;KACF,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CACtB,SAAyE;IAEzE,OAAO,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,KAAwB,EAAE,EAAE;QAC9C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QACjE,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;gBACtB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;aACT,CAAC;QAChB,CAAC;QACD,OAAO;YACL,EAAE,EAAE,QAAQ,CAAC,EAAE;YACf,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,QAAQ,CAAC,IAAI;YAC/B,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC;SACpC,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,QAAQ;AACR,8EAA8E;AAE9E,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,IAAI,MAAkB,CAAC;IAEvB,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,aAAa,EAAE,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,cAAc;IACd,0EAA0E;IAE1E,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACtC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,aAAa;IACb,0EAA0E;IAE1E,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;QAC1B,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,WAAW,EAAE;iBACpB;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,SAAS,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,EAAE;iBACT;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;gBAC/C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,EAAE;iBACT;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,SAAS,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE;gBACjC,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;YACzC,CAAC,CAA4B,CAAC;YAE9B,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;YAChE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,eAAe,GAAe;gBAClC,GAAG,MAAM;gBACT,SAAS,EAAE,0BAA0B;aACtC,CAAC;YACF,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,WAAW,EAAE;iBACpB;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;YAC9D,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,gBAAgB;IAChB,0EAA0E;IAE1E,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC7B,KAAK,UAAU,yBAAyB,CACtC,IAA+C;YAE/C,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,IAAI,IAAI,WAAW,EAAE;iBAC5B;aACF,CAAC,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC5B,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,UAAU;gBACf,KAAK,EAAE,kBAAkB;gBACzB,GAAG,EAAE,yBAAyB;gBAC9B,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,GAAG,GAAG,IAAI;gBACf,GAAG,EAAE,GAAG;aACT,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAC7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;gBACpD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;gBAC1C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACrC,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,UAAU;gBACf,KAAK,EAAE,kBAAkB;gBACzB,GAAG,EAAE,yBAAyB;gBAC9B,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,GAAG,GAAG,GAAG;gBACd,GAAG,EAAE,GAAG,GAAG,IAAI;aAChB,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACpD,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,UAAU;gBACf,GAAG,EAAE,0BAA0B;gBAC/B,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,GAAG,GAAG,IAAI;gBACf,GAAG,EAAE,GAAG;aACT,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,UAAU;gBACf,GAAG,EAAE,yBAAyB;gBAC9B,GAAG,EAAE,gBAAgB;gBACrB,GAAG,EAAE,GAAG,GAAG,IAAI;gBACf,GAAG,EAAE,GAAG;aACT,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,UAAU;gBACf,GAAG,EAAE,yBAAyB;gBAC9B,GAAG,EAAE,CAAC,WAAW,EAAE,aAAa,CAAC;gBACjC,GAAG,EAAE,GAAG,GAAG,IAAI;gBACf,GAAG,EAAE,GAAG;aACT,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,uBAAuB,CAAC,CAAC;YACrE,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,SAAS,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;YACjE,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,GAAG,SAAS,IAAI,OAAO,MAAM,CAAC,CAAC;YAC3E,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;YACpF,MAAM,UAAU,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;YAC/C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,GAAG,MAAM,IAAI,UAAU,MAAM,CAAC,CAAC;YAC3E,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,4CAA4C;IAC5C,0EAA0E;IAE1E,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,WAAW,EAAE;iBACpB;aACF,CAAC,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAE5B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC;gBACtB,GAAG,EAAE,KAAK;gBACV,KAAK,EAAE,SAAS;gBAChB,GAAG,EAAE,yBAAyB;gBAC9B,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,GAAG,GAAG,IAAI;gBACf,GAAG,EAAE,GAAG;gBACR,KAAK,EAAE,CAAC,eAAe,CAAC;aACzB,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBACxC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YAChD,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,cAAc;IACd,0EAA0E;IAE1E,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,WAAW,EAAE;iBACpB;gBACD,kCAAkC,EAAE;oBAClC,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE;wBACJ,GAAG,EAAE,SAAS;wBACd,KAAK,EAAE,kBAAkB;wBACzB,IAAI,EAAE,UAAU;wBAChB,MAAM,EAAE,CAAC,aAAa,CAAC;qBACxB;iBACF;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,mBAAmB,CAAC,CAAC;YAE/D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACxC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;gBACpD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YACpD,CAAC;YAED,qBAAqB;YACrB,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;YAC3D,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtC,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC;gBACvB,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YACnD,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,SAAS,GAAG,eAAe,CAAC;gBAChC,0DAA0D,EAAE;oBAC1D,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,gBAAgB,EAAE;iBACzB;gBACD,+CAA+C,EAAE;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,WAAW,EAAE;iBACpB;gBACD,kCAAkC,EAAE;oBAClC,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,EAAE;iBACT;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;YACvD,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAC;YACpE,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,WAAW;IACX,0EAA0E;IAE1E,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE;QACxB,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC;gBAC9B,MAAM,EAAE,CAAC,eAAe,EAAE,aAAa,CAAC;aACzC,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YACjC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;YACpE,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACtD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;YACpD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC;gBAC9B,YAAY,EAAE,EAAE,KAAK,EAAE,CAAC,aAAa,CAAC,EAAE;aACzC,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;YACjE,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YACpC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;YAClC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC;gBAC9B,KAAK,EAAE,CAAC,OAAO,CAAC;gBAChB,MAAM,EAAE,CAAC,eAAe,CAAC;aAC1B,CAAC,CAAC;YACH,kDAAkD;YAClD,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,MAAM,CAAC;YAC7D,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,2CAA2C;IAC3C,0EAA0E;IAE1E,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC;YAC3D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;YAC1D,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC;YAC3D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACnC,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
@@ -0,0 +1,29 @@
1
+ import type { Action, Role, User } from './types.js';
2
+ import type { SearchResult } from '../types/search.js';
3
+ export declare class RBACManager {
4
+ /**
5
+ * Returns `true` when at least one of the user's roles permits `action`.
6
+ */
7
+ hasPermission(user: User, action: Action): boolean;
8
+ /**
9
+ * Returns `true` when the user's `allowedRepos` list contains `repoName`.
10
+ *
11
+ * Admin users with an empty `allowedRepos` list are granted access to every
12
+ * repository (convention: empty list = unrestricted for admins).
13
+ */
14
+ canAccessRepo(user: User, repoName: string): boolean;
15
+ /**
16
+ * Filters search results so the user only sees chunks from repos they can
17
+ * access. Results without a `repoName` in metadata are kept (they belong
18
+ * to the default / single-repo setup).
19
+ */
20
+ filterResultsByAccess(user: User, results: readonly SearchResult[]): readonly SearchResult[];
21
+ /**
22
+ * Returns the effective privilege level of a role (higher = more access).
23
+ */
24
+ getRoleLevel(role: Role): number;
25
+ /**
26
+ * Returns the highest-privilege role the user holds.
27
+ */
28
+ getHighestRole(user: User): Role;
29
+ }
@@ -0,0 +1,75 @@
1
+ import { ROLE_HIERARCHY } from './types.js';
2
+ // ---------------------------------------------------------------------------
3
+ // Permission matrix
4
+ // ---------------------------------------------------------------------------
5
+ /**
6
+ * Maps each role to the set of actions it may perform.
7
+ *
8
+ * Role hierarchy is **additive** — a higher role inherits all permissions of
9
+ * lower roles. The matrix is kept explicit so callers can inspect it without
10
+ * understanding hierarchy logic.
11
+ */
12
+ const ROLE_ACTIONS = {
13
+ viewer: new Set(['search', 'context', 'status']),
14
+ developer: new Set(['search', 'context', 'status', 'explain', 'docs']),
15
+ admin: new Set(['search', 'context', 'status', 'explain', 'docs', 'index', 'configure']),
16
+ };
17
+ // ---------------------------------------------------------------------------
18
+ // RBACManager
19
+ // ---------------------------------------------------------------------------
20
+ export class RBACManager {
21
+ /**
22
+ * Returns `true` when at least one of the user's roles permits `action`.
23
+ */
24
+ hasPermission(user, action) {
25
+ return user.roles.some((role) => {
26
+ const allowed = ROLE_ACTIONS[role];
27
+ return allowed !== undefined && allowed.has(action);
28
+ });
29
+ }
30
+ /**
31
+ * Returns `true` when the user's `allowedRepos` list contains `repoName`.
32
+ *
33
+ * Admin users with an empty `allowedRepos` list are granted access to every
34
+ * repository (convention: empty list = unrestricted for admins).
35
+ */
36
+ canAccessRepo(user, repoName) {
37
+ // Admins with an empty allowedRepos list have unrestricted access.
38
+ if (user.roles.includes('admin') && user.allowedRepos.length === 0) {
39
+ return true;
40
+ }
41
+ return user.allowedRepos.includes(repoName);
42
+ }
43
+ /**
44
+ * Filters search results so the user only sees chunks from repos they can
45
+ * access. Results without a `repoName` in metadata are kept (they belong
46
+ * to the default / single-repo setup).
47
+ */
48
+ filterResultsByAccess(user, results) {
49
+ return results.filter((result) => {
50
+ const repoName = result.metadata.repoName;
51
+ if (repoName === undefined) {
52
+ return true; // single-repo mode — no filtering needed
53
+ }
54
+ return this.canAccessRepo(user, repoName);
55
+ });
56
+ }
57
+ /**
58
+ * Returns the effective privilege level of a role (higher = more access).
59
+ */
60
+ getRoleLevel(role) {
61
+ return ROLE_HIERARCHY.indexOf(role);
62
+ }
63
+ /**
64
+ * Returns the highest-privilege role the user holds.
65
+ */
66
+ getHighestRole(user) {
67
+ let highest = 'viewer';
68
+ for (const role of user.roles) {
69
+ if (this.getRoleLevel(role) > this.getRoleLevel(highest)) {
70
+ highest = role;
71
+ }
72
+ }
73
+ return highest;
74
+ }
75
+ }
@@ -0,0 +1 @@
1
+ {"version":3,"file":"rbac.js","sourceRoot":"","sources":["../../src/auth/rbac.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5C,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,YAAY,GAAgD;IAChE,MAAM,EAAE,IAAI,GAAG,CAAS,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IACxD,SAAS,EAAE,IAAI,GAAG,CAAS,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAC9E,KAAK,EAAE,IAAI,GAAG,CAAS,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;CACjG,CAAC;AAEF,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,MAAM,OAAO,WAAW;IACtB;;OAEG;IACH,aAAa,CAAC,IAAU,EAAE,MAAc;QACtC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;YAC9B,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;YACnC,OAAO,OAAO,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACH,aAAa,CAAC,IAAU,EAAE,QAAgB;QACxC,mEAAmE;QACnE,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED;;;;OAIG;IACH,qBAAqB,CAAC,IAAU,EAAE,OAAgC;QAChE,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE;YAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC1C,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC3B,OAAO,IAAI,CAAC,CAAC,yCAAyC;YACxD,CAAC;YACD,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,IAAU;QACrB,OAAO,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,IAAU;QACvB,IAAI,OAAO,GAAS,QAAQ,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzD,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}
@@ -0,0 +1 @@
1
+ export {};