@commonpub/server 0.5.0 → 0.7.1

package/dist/federation/mirroring.js

@@ -0,0 +1,172 @@
+/**
+ * Instance mirroring — subscribe to all content from a remote instance.
+ * Uses standard AP semantics: instance B's Service actor follows instance A's Service actor.
+ * Content arrives via normal inbox Create activities, filtered by mirror config.
+ */
+import { eq, and, sql } from 'drizzle-orm';
+import { instanceMirrors, activities, followRelationships, } from '@commonpub/schema';
+import { buildFollowActivity } from '@commonpub/protocol';
+/**
+ * Create a new instance mirror subscription.
+ * The instance actor will follow the remote instance actor to receive content.
+ */
+export async function createMirror(db, remoteDomain, remoteActorUri, direction, localDomain, filters) {
+    const [row] = await db
+        .insert(instanceMirrors)
+        .values({
+        remoteDomain,
+        remoteActorUri,
+        direction,
+        status: 'active', // Start as active immediately
+        filterContentTypes: filters?.contentTypes ?? null,
+        filterTags: filters?.tags ?? null,
+    })
+        .returning();
+    // For pull mirrors: Follow the remote instance actor so they deliver content to us
+    if (direction === 'pull') {
+        const localActorUri = `https://${localDomain}/actor`;
+        const followActivity = buildFollowActivity(localDomain, localActorUri, remoteActorUri);
+        // Store the follow relationship so the remote can find us
+        await db.insert(followRelationships).values({
+            followerActorUri: localActorUri,
+            followingActorUri: remoteActorUri,
+            status: 'pending',
+        }).onConflictDoNothing();
+        // Queue the Follow for delivery
+        await db.insert(activities).values({
+            type: 'Follow',
+            actorUri: localActorUri,
+            objectUri: remoteActorUri,
+            payload: followActivity,
+            direction: 'outbound',
+            status: 'pending',
+        });
+    }
+    return mirrorRowToConfig(row);
+}
+/**
+ * Activate a pending mirror (called after the Follow is accepted).
+ */
+export async function activateMirror(db, mirrorId) {
+    await db
+        .update(instanceMirrors)
+        .set({ status: 'active', updatedAt: new Date() })
+        .where(eq(instanceMirrors.id, mirrorId));
+}
+/**
+ * Pause a mirror — stops content ingestion but keeps the follow active.
+ */
+export async function pauseMirror(db, mirrorId) {
+    await db
+        .update(instanceMirrors)
+        .set({ status: 'paused', updatedAt: new Date() })
+        .where(eq(instanceMirrors.id, mirrorId));
+}
+/**
+ * Resume a paused mirror.
+ */
+export async function resumeMirror(db, mirrorId) {
+    await db
+        .update(instanceMirrors)
+        .set({ status: 'active', updatedAt: new Date() })
+        .where(eq(instanceMirrors.id, mirrorId));
+}
+/**
+ * Cancel a mirror — removes the subscription entirely.
+ * Content already received is NOT deleted (can be cleaned up separately).
+ */
+export async function cancelMirror(db, mirrorId) {
+    await db.delete(instanceMirrors).where(eq(instanceMirrors.id, mirrorId));
+}
+/**
+ * List all instance mirrors with stats.
+ */
+export async function listMirrors(db) {
+    const rows = await db.select().from(instanceMirrors).orderBy(instanceMirrors.createdAt);
+    return rows.map(mirrorRowToConfig);
+}
+/**
+ * Get a single mirror by ID.
+ */
+export async function getMirror(db, mirrorId) {
+    const [row] = await db
+        .select()
+        .from(instanceMirrors)
+        .where(eq(instanceMirrors.id, mirrorId))
+        .limit(1);
+    return row ? mirrorRowToConfig(row) : null;
+}
+/**
+ * Check if inbound content should be accepted by a mirror.
+ * Applies content type and tag filters.
+ * Returns the mirror ID if accepted, null if rejected.
+ *
+ * CRITICAL FOR LOOP PREVENTION:
+ * - Only accepts content from the mirror's remoteDomain
+ * - Rejects content that originated from our own domain (checked upstream in onCreate)
+ */
+export async function matchMirrorForContent(db, originDomain, apType, cpubType, tags) {
+    // Find active mirror for this origin domain
+    const [mirror] = await db
+        .select()
+        .from(instanceMirrors)
+        .where(and(eq(instanceMirrors.remoteDomain, originDomain), eq(instanceMirrors.status, 'active'), eq(instanceMirrors.direction, 'pull')))
+        .limit(1);
+    if (!mirror)
+        return null;
+    // Apply content type filter
+    if (mirror.filterContentTypes) {
+        const allowedTypes = mirror.filterContentTypes;
+        const contentType = cpubType ?? apType.toLowerCase();
+        if (!allowedTypes.includes(contentType))
+            return null;
+    }
+    // Apply tag filter
+    if (mirror.filterTags) {
+        const requiredTags = mirror.filterTags;
+        const contentTags = tags.map((t) => t.name.toLowerCase().replace(/^#/, ''));
+        const hasMatchingTag = requiredTags.some((rt) => contentTags.includes(rt.toLowerCase().replace(/^#/, '')));
+        if (!hasMatchingTag)
+            return null;
+    }
+    // Update mirror stats
+    await db
+        .update(instanceMirrors)
+        .set({
+        contentCount: sql `${instanceMirrors.contentCount} + 1`,
+        lastSyncAt: new Date(),
+        updatedAt: new Date(),
+    })
+        .where(eq(instanceMirrors.id, mirror.id));
+    return mirror.id;
+}
+/**
+ * Record a mirror error (for admin visibility).
+ */
+export async function recordMirrorError(db, mirrorId, error) {
+    await db
+        .update(instanceMirrors)
+        .set({
+        errorCount: sql `${instanceMirrors.errorCount} + 1`,
+        lastError: error,
+        updatedAt: new Date(),
+    })
+        .where(eq(instanceMirrors.id, mirrorId));
+}
+function mirrorRowToConfig(row) {
+    return {
+        id: row.id,
+        remoteDomain: row.remoteDomain,
+        remoteActorUri: row.remoteActorUri,
+        status: row.status,
+        direction: row.direction,
+        filterContentTypes: row.filterContentTypes,
+        filterTags: row.filterTags,
+        contentCount: row.contentCount,
+        errorCount: row.errorCount,
+        lastError: row.lastError,
+        lastSyncAt: row.lastSyncAt?.toISOString() ?? null,
+        createdAt: row.createdAt.toISOString(),
+    };
+}
+//# sourceMappingURL=mirroring.js.map

package/dist/federation/mirroring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mirroring.js","sourceRoot":"","sources":["../../src/federation/mirroring.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EACL,eAAe,EAEf,UAAU,EACV,mBAAmB,GACpB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAkB1D;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,EAAM,EACN,YAAoB,EACpB,cAAsB,EACtB,SAA0B,EAC1B,WAAmB,EACnB,OAAsD;IAEtD,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;SACnB,MAAM,CAAC,eAAe,CAAC;SACvB,MAAM,CAAC;QACN,YAAY;QACZ,cAAc;QACd,SAAS;QACT,MAAM,EAAE,QAAQ,EAAE,8BAA8B;QAChD,kBAAkB,EAAE,OAAO,EAAE,YAAY,IAAI,IAAI;QACjD,UAAU,EAAE,OAAO,EAAE,IAAI,IAAI,IAAI;KAClC,CAAC;SACD,SAAS,EAAE,CAAC;IAEf,mFAAmF;IACnF,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;QACzB,MAAM,aAAa,GAAG,WAAW,WAAW,QAAQ,CAAC;QACrD,MAAM,cAAc,GAAG,mBAAmB,CAAC,WAAW,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;QAEvF,0DAA0D;QAC1D,MAAM,EAAE,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC,MAAM,CAAC;YAC1C,gBAAgB,EAAE,aAAa;YAC/B,iBAAiB,EAAE,cAAc;YACjC,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC,mBAAmB,EAAE,CAAC;QAEzB,gCAAgC;QAChC,MAAM,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC;YACjC,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,aAAa;YACvB,SAAS,EAAE,cAAc;YACzB,OAAO,EAAE,cAAc;YACvB,SAAS,EAAE,UAAU;YACrB,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,iBAAiB,CAAC,GAAI,CAAC,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,EAAM,EAAE,QAAgB;IAC3D,MAAM,EAAE;SACL,MAAM,CAAC,eAAe,CAAC;SACvB,GAAG,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;SAChD,KAAK,CAAC,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,EAAM,EAAE,QAAgB;IACxD,MAAM,EAAE;SACL,MAAM,CAAC,eAAe,CAAC;SACvB,GAAG,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;SAChD,KAAK,CAAC,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,EAAM,EAAE,QAAgB;IACzD,MAAM,EAAE;SACL,MAAM,CAAC,eAAe,CAAC;SACvB,GAAG,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;SAChD,KAAK,CAAC,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,EAAM,EAAE,QAAgB;IACzD,MAAM,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,EAAM;IACtC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;IACxF,OAAO,IAAI,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,EAAM,EAAE,QAAgB;IACtD,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;SACnB,MAAM,EAAE;SACR,IAAI,CAAC,eAAe,CAAC;SACrB,KAAK,CAAC,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;SACvC,KAAK,CAAC,CAAC,CAAC,CAAC;IACZ,OAAO,GAAG,CAAC,CAAC,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC7C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,EAAM,EACN,YAAoB,EACpB,MAAc,EACd,QAAuB,EACvB,IAA6B;IAE7B,4CAA4C;IAC5C,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,EAAE;SACtB,MAAM,EAAE;SACR,IAAI,CAAC,eAAe,CAAC;SACrB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,eAAe,CAAC,YAAY,EAAE,YAAY,CAAC,EAC9C,EAAE,CAAC,eAAe,CAAC,MAAM,EAAE,QAAQ,CAAC,EACpC,EAAE,CAAC,eAAe,CAAC,SAAS,EAAE,MAAM,CAAC,CACtC,CACF;SACA,KAAK,CAAC,CAAC,CAAC,CAAC;IAEZ,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,4BAA4B;IAC5B,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;QAC9B,MAAM,YAAY,GAAG,MAAM,CAAC,kBAA8B,CAAC;QAC3D,MAAM,WAAW,GAAG,QAAQ,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACrD,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;IACvD,CAAC;IAED,mBAAmB;IACnB,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,MAAM,YAAY,GAAG,MAAM,CAAC,UAAsB,CAAC;QACnD,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;QAC5E,MAAM,cAAc,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAC9C,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CACzD,CAAC;QACF,IAAI,CAAC,cAAc;YAAE,OAAO,IAAI,CAAC;IACnC,CAAC;IAED,sBAAsB;IACtB,MAAM,EAAE;SACL,MAAM,CAAC,eAAe,CAAC;SACvB,GAAG,CAAC;QACH,YAAY,EAAE,GAAG,CAAA,GAAG,eAAe,CAAC,YAAY,MAAM;QACtD,UAAU,EAAE,IAAI,IAAI,EAAE;QACtB,SAAS,EAAE,IAAI,IAAI,EAAE;KACtB,CAAC;SACD,KAAK,CAAC,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAE5C,OAAO,MAAM,CAAC,EAAE,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,EAAM,EACN,QAAgB,EAChB,KAAa;IAEb,MAAM,EAAE;SACL,MAAM,CAAC,eAAe,CAAC;SACvB,GAAG,CAAC;QACH,UAAU,EAAE,GAAG,CAAA,GAAG,eAAe,CAAC,UAAU,MAAM;QAClD,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,IAAI,IAAI,EAAE;KACtB,CAAC;SACD,KAAK,CAAC,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAwC;IACjE,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,YAAY,EAAE,GAAG,CAAC,YAAY;QAC9B,cAAc,EAAE,GAAG,CAAC,cAAc;QAClC,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,kBAAkB,EAAE,GAAG,CAAC,kBAAqC;QAC7D,UAAU,EAAE,GAAG,CAAC,UAA6B;QAC7C,YAAY,EAAE,GAAG,CAAC,YAAY;QAC9B,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,WAAW,EAAE,IAAI,IAAI;QACjD,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,WAAW,EAAE;KACvC,CAAC;AACJ,CAAC"}

package/dist/federation/oauth.d.ts

@@ -0,0 +1,115 @@
+import { type OAuthAuthorizeRequest, type OAuthTokenRequest, type OAuthDynamicRegistrationRequest } from '@commonpub/protocol';
+import type { DB } from '../types.js';
+export interface AuthorizeResult {
+    /** Authorization code to return to the client */
+    code: string;
+    /** Redirect URI to send the user back to */
+    redirectUri: string;
+    /** State parameter to pass through */
+    state?: string;
+}
+export interface TokenResult {
+    accessToken: string;
+    tokenType: 'Bearer';
+    expiresIn: number;
+    /** User info embedded in token response */
+    user: {
+        id: string;
+        username: string;
+        displayName: string | null;
+        avatarUrl: string | null;
+        actorUri: string;
+    };
+}
+/**
+ * Process an OAuth2 authorization request.
+ * Validates the client, generates an auth code, returns redirect info.
+ * Called after user consents on the authorize page.
+ */
+export declare function processAuthorize(db: DB, params: OAuthAuthorizeRequest, userId: string, domain: string): Promise<AuthorizeResult | {
+    error: string;
+    errorDescription: string;
+}>;
+/**
+ * Exchange an authorization code for an access token.
+ * Validates the client credentials and code, returns user info.
+ */
+export declare function processTokenExchange(db: DB, params: OAuthTokenRequest, domain: string): Promise<TokenResult | {
+    error: string;
+    errorDescription: string;
+}>;
+export interface RegisteredClient {
+    clientId: string;
+    clientSecret: string;
+}
+/**
+ * Register this instance as an OAuth client with a remote instance.
+ * In v1, this is done manually by admins. Returns client credentials for storage.
+ */
+export declare function registerOAuthClient(db: DB, instanceDomain: string, redirectUris: string[]): Promise<RegisteredClient>;
+/**
+ * Link a federated account to a local user after successful OAuth callback.
+ */
+export declare function linkFederatedAccount(db: DB, userId: string, actorUri: string, instanceDomain: string, profile?: {
+    preferredUsername?: string;
+    displayName?: string;
+    avatarUrl?: string;
+}): Promise<void>;
+/**
+ * Find a local user linked to a federated account by actor URI.
+ */
+export declare function findUserByFederatedAccount(db: DB, actorUri: string): Promise<{
+    userId: string;
+    username: string;
+} | null>;
+/**
+ * List registered OAuth clients (for admin panel).
+ */
+export declare function listOAuthClients(db: DB): Promise<Array<{
+    id: string;
+    clientId: string;
+    instanceDomain: string;
+    createdAt: Date;
+}>>;
+/**
+ * Process a dynamic OAuth client registration request.
+ * Idempotent: if a client already exists for this domain, returns existing credentials.
+ */
+export declare function processDynamicRegistration(db: DB, request: OAuthDynamicRegistrationRequest): Promise<{
+    clientId: string;
+    clientSecret: string;
+} | {
+    error: string;
+    errorDescription: string;
+}>;
+export interface OAuthLoginState {
+    tokenEndpoint: string;
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    instanceDomain: string;
+    expiresAt: number;
+}
+/**
+ * Store OAuth login state for the federated login flow.
+ * Returns a state token that should be passed to the remote authorize endpoint.
+ */
+export declare function storeOAuthState(db: DB, state: Omit<OAuthLoginState, 'expiresAt'>): Promise<string>;
+/**
+ * Consume OAuth login state (single-use). Returns null if expired or not found.
+ */
+export declare function consumeOAuthState(db: DB, stateToken: string): Promise<OAuthLoginState | null>;
+/**
+ * Exchange an authorization code with a remote instance's token endpoint.
+ */
+export declare function exchangeCodeForToken(state: OAuthLoginState, code: string): Promise<{
+    accessToken: string;
+    user: {
+        id: string;
+        username: string;
+        displayName: string | null;
+        avatarUrl: string | null;
+        actorUri: string;
+    };
+} | null>;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/federation/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/federation/oauth.ts"],"names":[],"mappings":"AAaA,OAAO,EAIL,KAAK,qBAAqB,EAC1B,KAAK,iBAAiB,EACtB,KAAK,+BAA+B,EACrC,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAYtC,MAAM,WAAW,eAAe;IAC9B,iDAAiD;IACjD,IAAI,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,QAAQ,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM,CAAC;QACX,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;QAC3B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;QACzB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CACpC,EAAE,EAAE,EAAE,EACN,MAAM,EAAE,qBAAqB,EAC7B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAA;CAAE,CAAC,CA8BxE;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,EAAE,EAAE,EAAE,EACN,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,WAAW,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAA;CAAE,CAAC,CAsDpE;AAID,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,EAAE,EAAE,EAAE,EACN,cAAc,EAAE,MAAM,EACtB,YAAY,EAAE,MAAM,EAAE,GACrB,OAAO,CAAC,gBAAgB,CAAC,CAY3B;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,EAAE,EAAE,EAAE,EACN,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,EACtB,OAAO,CAAC,EAAE;IAAE,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GACjF,OAAO,CAAC,IAAI,CAAC,CA+Bf;AAED;;GAEG;AACH,wBAAsB,0BAA0B,CAC9C,EAAE,EAAE,EAAE,EACN,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAYtD;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,EAAE,EAAE,EAAE,GACL,OAAO,CAAC,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,cAAc,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,IAAI,CAAA;CAAE,CAAC,CAAC,CAS3F;AAID;;;GAGG;AACH,wBAAsB,0BAA0B,CAC9C,EAAE,EAAE,EAAE,EACN,OAAO,EAAE,+BAA+B,GACvC,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAA;CAAE,CAAC,CAkBnG;AAOD,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAsB,eAAe,CACnC,EAAE,EAAE,EAAE,EACN,KAAK,EAAE,IAAI,CAAC,eAAe,EAAE,WAAW,CAAC,GACxC,OAAO,CAAC,MAAM,CAAC,CAajB;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,EAAE,EAAE,EAAE,EACN,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAoBjC;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,eAAe,EACtB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;IACT,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;CAChH,GAAG,IAAI,CAAC,CAoCR"}

package/dist/federation/oauth.js

@@ -0,0 +1,277 @@
+/**
+ * OAuth2 authorization server and client functions for federation SSO.
+ * Implements the server side (authorize + token endpoints) and
+ * client side (initiate login + handle callback) of cross-instance SSO.
+ */
+import { eq } from 'drizzle-orm';
+import { oauthClients, users, federatedAccounts, instanceSettings, } from '@commonpub/schema';
+import { validateAuthorizeRequest, validateTokenRequest, validateDynamicRegistration, } from '@commonpub/protocol';
+import { storeAuthCode, consumeAuthCode } from '../oauthCodes.js';
+/** Generate a cryptographically secure random token (hex-encoded, 256 bits) */
+function generateSecureToken() {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
+}
+/**
+ * Process an OAuth2 authorization request.
+ * Validates the client, generates an auth code, returns redirect info.
+ * Called after user consents on the authorize page.
+ */
+export async function processAuthorize(db, params, userId, domain) {
+    // Look up the client
+    const [client] = await db
+        .select()
+        .from(oauthClients)
+        .where(eq(oauthClients.clientId, params.clientId))
+        .limit(1);
+    const oauthClient = client
+        ? {
+            clientId: client.clientId,
+            clientSecret: client.clientSecret,
+            redirectUris: client.redirectUris,
+            instanceDomain: client.instanceDomain,
+        }
+        : null;
+    // Validate the request
+    const validationError = validateAuthorizeRequest(params, oauthClient);
+    if (validationError)
+        return validationError;
+    // Generate authorization code (cryptographically secure, 32 bytes = 256 bits)
+    const code = generateSecureToken();
+    await storeAuthCode(db, code, userId, params.clientId, params.redirectUri);
+    return {
+        code,
+        redirectUri: params.redirectUri,
+        state: params.state,
+    };
+}
+/**
+ * Exchange an authorization code for an access token.
+ * Validates the client credentials and code, returns user info.
+ */
+export async function processTokenExchange(db, params, domain) {
+    // Look up the client
+    const [client] = await db
+        .select()
+        .from(oauthClients)
+        .where(eq(oauthClients.clientId, params.clientId))
+        .limit(1);
+    const oauthClient = client
+        ? {
+            clientId: client.clientId,
+            clientSecret: client.clientSecret,
+            redirectUris: client.redirectUris,
+            instanceDomain: client.instanceDomain,
+        }
+        : null;
+    // Validate the request
+    const validationError = validateTokenRequest(params, oauthClient);
+    if (validationError)
+        return validationError;
+    // Consume the auth code (single-use)
+    const codeResult = await consumeAuthCode(db, params.code, params.clientId, params.redirectUri);
+    if (!codeResult) {
+        return { error: 'invalid_grant', errorDescription: 'Invalid or expired authorization code' };
+    }
+    // Look up the user
+    const [user] = await db
+        .select()
+        .from(users)
+        .where(eq(users.id, codeResult.userId))
+        .limit(1);
+    if (!user) {
+        return { error: 'server_error', errorDescription: 'User not found' };
+    }
+    // Generate a cryptographically secure access token
+    const accessToken = generateSecureToken();
+    const actorUri = `https://${domain}/users/${user.username}`;
+    return {
+        accessToken,
+        tokenType: 'Bearer',
+        expiresIn: 3600,
+        user: {
+            id: user.id,
+            username: user.username,
+            displayName: user.displayName,
+            avatarUrl: user.avatarUrl ?? null,
+            actorUri,
+        },
+    };
+}
+/**
+ * Register this instance as an OAuth client with a remote instance.
+ * In v1, this is done manually by admins. Returns client credentials for storage.
+ */
+export async function registerOAuthClient(db, instanceDomain, redirectUris) {
+    const clientId = `cpub_${generateSecureToken().slice(0, 32)}`;
+    const clientSecret = `cpubs_${generateSecureToken()}`;
+    await db.insert(oauthClients).values({
+        clientId,
+        clientSecret,
+        redirectUris,
+        instanceDomain,
+    });
+    return { clientId, clientSecret };
+}
+/**
+ * Link a federated account to a local user after successful OAuth callback.
+ */
+export async function linkFederatedAccount(db, userId, actorUri, instanceDomain, profile) {
+    // Check if already linked
+    const existing = await db
+        .select()
+        .from(federatedAccounts)
+        .where(eq(federatedAccounts.actorUri, actorUri))
+        .limit(1);
+    if (existing.length > 0) {
+        // Update the link
+        await db
+            .update(federatedAccounts)
+            .set({
+            userId,
+            lastSyncedAt: new Date(),
+            ...(profile?.preferredUsername && { preferredUsername: profile.preferredUsername }),
+            ...(profile?.displayName && { displayName: profile.displayName }),
+            ...(profile?.avatarUrl && { avatarUrl: profile.avatarUrl }),
+        })
+            .where(eq(federatedAccounts.actorUri, actorUri));
+    }
+    else {
+        await db.insert(federatedAccounts).values({
+            userId,
+            actorUri,
+            instanceDomain,
+            preferredUsername: profile?.preferredUsername,
+            displayName: profile?.displayName,
+            avatarUrl: profile?.avatarUrl,
+            lastSyncedAt: new Date(),
+        });
+    }
+}
+/**
+ * Find a local user linked to a federated account by actor URI.
+ */
+export async function findUserByFederatedAccount(db, actorUri) {
+    const rows = await db
+        .select({
+        userId: federatedAccounts.userId,
+        username: users.username,
+    })
+        .from(federatedAccounts)
+        .innerJoin(users, eq(federatedAccounts.userId, users.id))
+        .where(eq(federatedAccounts.actorUri, actorUri))
+        .limit(1);
+    return rows[0] ?? null;
+}
+/**
+ * List registered OAuth clients (for admin panel).
+ */
+export async function listOAuthClients(db) {
+    return db
+        .select({
+        id: oauthClients.id,
+        clientId: oauthClients.clientId,
+        instanceDomain: oauthClients.instanceDomain,
+        createdAt: oauthClients.createdAt,
+    })
+        .from(oauthClients);
+}
+// --- Dynamic Client Registration ---
+/**
+ * Process a dynamic OAuth client registration request.
+ * Idempotent: if a client already exists for this domain, returns existing credentials.
+ */
+export async function processDynamicRegistration(db, request) {
+    const validationError = validateDynamicRegistration(request);
+    if (validationError)
+        return validationError;
+    // Check for existing client with this domain (idempotent)
+    const [existing] = await db
+        .select()
+        .from(oauthClients)
+        .where(eq(oauthClients.instanceDomain, request.instanceDomain))
+        .limit(1);
+    if (existing) {
+        return { clientId: existing.clientId, clientSecret: existing.clientSecret };
+    }
+    // Register new client
+    const result = await registerOAuthClient(db, request.instanceDomain, request.redirectUris);
+    return result;
+}
+// --- OAuth State Management (for federated login flow) ---
+const OAUTH_STATE_PREFIX = 'oauth_state:';
+const OAUTH_STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes
+/**
+ * Store OAuth login state for the federated login flow.
+ * Returns a state token that should be passed to the remote authorize endpoint.
+ */
+export async function storeOAuthState(db, state) {
+    const stateToken = generateSecureToken();
+    const key = `${OAUTH_STATE_PREFIX}${stateToken}`;
+    await db.insert(instanceSettings).values({
+        key,
+        value: {
+            ...state,
+            expiresAt: Date.now() + OAUTH_STATE_TTL_MS,
+        },
+    });
+    return stateToken;
+}
+/**
+ * Consume OAuth login state (single-use). Returns null if expired or not found.
+ */
+export async function consumeOAuthState(db, stateToken) {
+    const key = `${OAUTH_STATE_PREFIX}${stateToken}`;
+    const rows = await db
+        .select()
+        .from(instanceSettings)
+        .where(eq(instanceSettings.key, key))
+        .limit(1);
+    if (rows.length === 0)
+        return null;
+    // Delete immediately (single-use)
+    await db.delete(instanceSettings).where(eq(instanceSettings.key, key));
+    const state = rows[0].value;
+    // Check expiry
+    if (Date.now() > state.expiresAt)
+        return null;
+    return state;
+}
+/**
+ * Exchange an authorization code with a remote instance's token endpoint.
+ */
+export async function exchangeCodeForToken(state, code) {
+    try {
+        const response = await fetch(state.tokenEndpoint, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                grant_type: 'authorization_code',
+                code,
+                client_id: state.clientId,
+                client_secret: state.clientSecret,
+                redirect_uri: state.redirectUri,
+            }),
+        });
+        if (!response.ok)
+            return null;
+        const data = await response.json();
+        if (!data.access_token || !data.user)
+            return null;
+        return {
+            accessToken: data.access_token,
+            user: {
+                id: data.user.id,
+                username: data.user.username,
+                displayName: data.user.displayName ?? null,
+                avatarUrl: data.user.avatarUrl ?? null,
+                actorUri: data.user.actorUri ?? `https://${state.instanceDomain}/users/${data.user.username}`,
+            },
+        };
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=oauth.js.map

package/dist/federation/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../src/federation/oauth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,EAAE,EAAW,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,YAAY,EAEZ,KAAK,EACL,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,2BAA2B,GAI5B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAElE,+EAA+E;AAC/E,SAAS,mBAAmB;IAC1B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC5E,CAAC;AA2BD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,EAAM,EACN,MAA6B,EAC7B,MAAc,EACd,MAAc;IAEd,qBAAqB;IACrB,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,EAAE;SACtB,MAAM,EAAE;SACR,IAAI,CAAC,YAAY,CAAC;SAClB,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;SACjD,KAAK,CAAC,CAAC,CAAC,CAAC;IAEZ,MAAM,WAAW,GAAG,MAAM;QACxB,CAAC,CAAC;YACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,YAAY,EAAE,MAAM,CAAC,YAAwB;YAC7C,cAAc,EAAE,MAAM,CAAC,cAAc;SACtC;QACH,CAAC,CAAC,IAAI,CAAC;IAET,uBAAuB;IACvB,MAAM,eAAe,GAAG,wBAAwB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACtE,IAAI,eAAe;QAAE,OAAO,eAAe,CAAC;IAE5C,8EAA8E;IAC9E,MAAM,IAAI,GAAG,mBAAmB,EAAE,CAAC;IACnC,MAAM,aAAa,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IAE3E,OAAO;QACL,IAAI;QACJ,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,KAAK,EAAE,MAAM,CAAC,KAAK;KACpB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,EAAM,EACN,MAAyB,EACzB,MAAc;IAEd,qBAAqB;IACrB,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,EAAE;SACtB,MAAM,EAAE;SACR,IAAI,CAAC,YAAY,CAAC;SAClB,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;SACjD,KAAK,CAAC,CAAC,CAAC,CAAC;IAEZ,MAAM,WAAW,GAAG,MAAM;QACxB,CAAC,CAAC;YACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,YAAY,EAAE,MAAM,CAAC,YAAwB;YAC7C,cAAc,EAAE,MAAM,CAAC,cAAc;SACtC;QACH,CAAC,CAAC,IAAI,CAAC;IAET,uBAAuB;IACvB,MAAM,eAAe,GAAG,oBAAoB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAClE,IAAI,eAAe;QAAE,OAAO,eAAe,CAAC;IAE5C,qCAAqC;IACrC,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IAC/F,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,uCAAuC,EAAE,CAAC;IAC/F,CAAC;IAED,mBAAmB;IACnB,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,EAAE;SACpB,MAAM,EAAE;SACR,IAAI,CAAC,KAAK,CAAC;SACX,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;SACtC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEZ,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,CAAC;IACvE,CAAC;IAED,mDAAmD;IACnD,MAAM,WAAW,GAAG,mBAAmB,EAAE,CAAC;IAC1C,MAAM,QAAQ,GAAG,WAAW,MAAM,UAAU,IAAI,CAAC,QAAQ,EAAE,CAAC;IAE5D,OAAO;QACL,WAAW;QACX,SAAS,EAAE,QAAQ;QACnB,SAAS,EAAE,IAAI;QACf,IAAI,EAAE;YACJ,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI;YACjC,QAAQ;SACT;KACF,CAAC;AACJ,CAAC;AASD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,EAAM,EACN,cAAsB,EACtB,YAAsB;IAEtB,MAAM,QAAQ,GAAG,QAAQ,mBAAmB,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IAC9D,MAAM,YAAY,GAAG,SAAS,mBAAmB,EAAE,EAAE,CAAC;IAEtD,MAAM,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC;QACnC,QAAQ;QACR,YAAY;QACZ,YAAY;QACZ,cAAc;KACf,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,EAAM,EACN,MAAc,EACd,QAAgB,EAChB,cAAsB,EACtB,OAAkF;IAElF,0BAA0B;IAC1B,MAAM,QAAQ,GAAG,MAAM,EAAE;SACtB,MAAM,EAAE;SACR,IAAI,CAAC,iBAAiB,CAAC;SACvB,KAAK,CAAC,EAAE,CAAC,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;SAC/C,KAAK,CAAC,CAAC,CAAC,CAAC;IAEZ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,kBAAkB;QAClB,MAAM,EAAE;aACL,MAAM,CAAC,iBAAiB,CAAC;aACzB,GAAG,CAAC;YACH,MAAM;YACN,YAAY,EAAE,IAAI,IAAI,EAAE;YACxB,GAAG,CAAC,OAAO,EAAE,iBAAiB,IAAI,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,EAAE,CAAC;YACnF,GAAG,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,WAAW,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC;YACjE,GAAG,CAAC,OAAO,EAAE,SAAS,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC;SAC5D,CAAC;aACD,KAAK,CAAC,EAAE,CAAC,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,MAAM,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAAC;YACxC,MAAM;YACN,QAAQ;YACR,cAAc;YACd,iBAAiB,EAAE,OAAO,EAAE,iBAAiB;YAC7C,WAAW,EAAE,OAAO,EAAE,WAAW;YACjC,SAAS,EAAE,OAAO,EAAE,SAAS;YAC7B,YAAY,EAAE,IAAI,IAAI,EAAE;SACzB,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,EAAM,EACN,QAAgB;IAEhB,MAAM,IAAI,GAAG,MAAM,EAAE;SAClB,MAAM,CAAC;QACN,MAAM,EAAE,iBAAiB,CAAC,MAAM;QAChC,QAAQ,EAAE,KAAK,CAAC,QAAQ;KACzB,CAAC;SACD,IAAI,CAAC,iBAAiB,CAAC;SACvB,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC,iBAAiB,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC;SACxD,KAAK,CAAC,EAAE,CAAC,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;SAC/C,KAAK,CAAC,CAAC,CAAC,CAAC;IAEZ,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,EAAM;IAEN,OAAO,EAAE;SACN,MAAM,CAAC;QACN,EAAE,EAAE,YAAY,CAAC,EAAE;QACnB,QAAQ,EAAE,YAAY,CAAC,QAAQ;QAC/B,cAAc,EAAE,YAAY,CAAC,cAAc;QAC3C,SAAS,EAAE,YAAY,CAAC,SAAS;KAClC,CAAC;SACD,IAAI,CAAC,YAAY,CAAC,CAAC;AACxB,CAAC;AAED,sCAAsC;AAEtC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,EAAM,EACN,OAAwC;IAExC,MAAM,eAAe,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAC7D,IAAI,eAAe;QAAE,OAAO,eAAe,CAAC;IAE5C,0DAA0D;IAC1D,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,EAAE;SACxB,MAAM,EAAE;SACR,IAAI,CAAC,YAAY,CAAC;SAClB,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,cAAc,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;SAC9D,KAAK,CAAC,CAAC,CAAC,CAAC;IAEZ,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,CAAC,YAAY,EAAE,CAAC;IAC9E,CAAC;IAED,sBAAsB;IACtB,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,EAAE,EAAE,OAAO,CAAC,cAAc,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAC3F,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,4DAA4D;AAE5D,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAC1C,MAAM,kBAAkB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;AAWxD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,EAAM,EACN,KAAyC;IAEzC,MAAM,UAAU,GAAG,mBAAmB,EAAE,CAAC;IACzC,MAAM,GAAG,GAAG,GAAG,kBAAkB,GAAG,UAAU,EAAE,CAAC;IAEjD,MAAM,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC;QACvC,GAAG;QACH,KAAK,EAAE;YACL,GAAG,KAAK;YACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,kBAAkB;SAC3C;KACF,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,EAAM,EACN,UAAkB;IAElB,MAAM,GAAG,GAAG,GAAG,kBAAkB,GAAG,UAAU,EAAE,CAAC;IAEjD,MAAM,IAAI,GAAG,MAAM,EAAE;SAClB,MAAM,EAAE;SACR,IAAI,CAAC,gBAAgB,CAAC;SACtB,KAAK,CAAC,EAAE,CAAC,gBAAgB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;SACpC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEZ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnC,kCAAkC;IAClC,MAAM,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,gBAAgB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAEvE,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC,KAAwB,CAAC;IAEhD,eAAe;IACf,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAE9C,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,KAAsB,EACtB,IAAY;IAKZ,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,KAAK,CAAC,aAAa,EAAE;YAChD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,UAAU,EAAE,oBAAoB;gBAChC,IAAI;gBACJ,SAAS,EAAE,KAAK,CAAC,QAAQ;gBACzB,aAAa,EAAE,KAAK,CAAC,YAAY;gBACjC,YAAY,EAAE,KAAK,CAAC,WAAW;aAChC,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAE9B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAG/B,CAAC;QAEF,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAElD,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,IAAI,EAAE;gBACJ,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE;gBAChB,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ;gBAC5B,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI;gBAC1C,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,IAAI;gBACtC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,WAAW,KAAK,CAAC,cAAc,UAAU,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE;aAC9F;SACF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}