@commonpub/server 2.48.0 → 2.50.0

package/dist/identity/fediClient.d.ts

@@ -0,0 +1,82 @@
+/**
+ * FediClient — opaque, protocol-agnostic facade for calling a remote
+ * Fediverse instance as a linked identity. Phase 1a defines the
+ * interface; Phase 1b plumbs in the megalodon-backed implementation.
+ *
+ * Why opaque: callers (action handlers) should never see the bearer
+ * token, never call `fetch` directly, never know whether the remote
+ * is Mastodon vs Pleroma vs CommonPub. They write `client.statuses.create({ ... })`
+ * and the wrapper handles authentication, software-specific quirks,
+ * 401-detection-as-revocation, audit logging, and rate-limit backoff.
+ *
+ * The interface is intentionally narrow — only the actions we proxy.
+ * Add methods as Phase 4 (delegated actions) opens specific surfaces.
+ *
+ * See docs/sessions/136-cross-instance-identity-plan.md.
+ */
+import type { LinkedIdentity } from '@commonpub/auth';
+/**
+ * The minimal account shape returned by a verify-credentials call. All
+ * Mastodon-API-compatible servers expose this at GET /api/v1/accounts/verify_credentials.
+ * CommonPub instances expose the same shape via the OAuth token-exchange
+ * response (per existing `processTokenExchange`).
+ */
+export interface VerifiedAccount {
+    /** Stable id at the remote (string for Mastodon API compat). */
+    id: string;
+    /** Bare username, no @host. */
+    username: string;
+    /** Full handle: `user@host`. Mastodon-API field name. */
+    acct: string;
+    /** Display name (optional). */
+    displayName?: string;
+    /** Avatar URL (optional). */
+    avatar?: string;
+    /** Canonical AP actor URI when known. */
+    url?: string;
+}
+export interface FediClient {
+    /** Phase 1: only the verification call lands here. Phase 4 expands. */
+    account: {
+        verifyCredentials(): Promise<VerifiedAccount>;
+    };
+}
+/**
+ * A FediClient factory. Phase 1b will register a real implementation
+ * via `setFediClientFactory` at app init; the factory closes over the
+ * DB handle, decryption key, audit logger, and any other dependencies
+ * a real client needs without forcing those onto `run()`'s call sites.
+ *
+ * Tests register mock factories per-case via `setFediClientFactory`
+ * and clear with `setFediClientFactory(null)` in afterEach.
+ */
+export type FediClientFactory = (identity: LinkedIdentity) => Promise<FediClient>;
+/**
+ * Register the FediClient factory. Called once at app init by Phase 1b's
+ * Nitro plugin (something like `setFediClientFactory(makeMastodonFactory(useDB(), tokenKey))`).
+ *
+ * Pass `null` to clear (used in tests).
+ *
+ * Why factory-registration instead of explicit DI through `run()`:
+ *   - keeps `run()`'s signature simple — no DB / audit-logger cruft
+ *     leaking into every call site
+ *   - keeps `@commonpub/server` framework-agnostic — no h3 / Nuxt
+ *     specific globals
+ *   - app init is the natural place to wire dependencies once
+ */
+export declare function setFediClientFactory(factory: FediClientFactory | null): void;
+/**
+ * Construct a FediClient for a linked identity. Delegates to the
+ * registered factory; throws if no factory has been registered (i.e.,
+ * Phase 1b plumbing isn't in place yet, or the test forgot to call
+ * `setFediClientFactory`).
+ *
+ * The Phase 1b factory will:
+ *   1. Read federated_accounts row for `identity.id`
+ *   2. Decrypt access_token via `decryptToken` (@commonpub/infra)
+ *   3. Construct megalodon client based on `identity.softwareKind`
+ *   4. Wrap with 401-detection (mark revoked_at on auth failure),
+ *      audit logging, and rate-limit handling
+ */
+export declare function getFediClient(identity: LinkedIdentity): Promise<FediClient>;
+//# sourceMappingURL=fediClient.d.ts.map

package/dist/identity/fediClient.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fediClient.d.ts","sourceRoot":"","sources":["../../src/identity/fediClient.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAEtD;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,gEAAgE;IAChE,EAAE,EAAE,MAAM,CAAC;IACX,+BAA+B;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6BAA6B;IAC7B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yCAAyC;IACzC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,UAAU;IACzB,uEAAuE;IACvE,OAAO,EAAE;QACP,iBAAiB,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;KAC/C,CAAC;CAKH;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,QAAQ,EAAE,cAAc,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;AAIlF;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,iBAAiB,GAAG,IAAI,GAAG,IAAI,CAE5E;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CAAC,QAAQ,EAAE,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC,CAUjF"}

package/dist/identity/fediClient.js

@@ -0,0 +1,40 @@
+let registeredFactory = null;
+/**
+ * Register the FediClient factory. Called once at app init by Phase 1b's
+ * Nitro plugin (something like `setFediClientFactory(makeMastodonFactory(useDB(), tokenKey))`).
+ *
+ * Pass `null` to clear (used in tests).
+ *
+ * Why factory-registration instead of explicit DI through `run()`:
+ *   - keeps `run()`'s signature simple — no DB / audit-logger cruft
+ *     leaking into every call site
+ *   - keeps `@commonpub/server` framework-agnostic — no h3 / Nuxt
+ *     specific globals
+ *   - app init is the natural place to wire dependencies once
+ */
+export function setFediClientFactory(factory) {
+    registeredFactory = factory;
+}
+/**
+ * Construct a FediClient for a linked identity. Delegates to the
+ * registered factory; throws if no factory has been registered (i.e.,
+ * Phase 1b plumbing isn't in place yet, or the test forgot to call
+ * `setFediClientFactory`).
+ *
+ * The Phase 1b factory will:
+ *   1. Read federated_accounts row for `identity.id`
+ *   2. Decrypt access_token via `decryptToken` (@commonpub/infra)
+ *   3. Construct megalodon client based on `identity.softwareKind`
+ *   4. Wrap with 401-detection (mark revoked_at on auth failure),
+ *      audit logging, and rate-limit handling
+ */
+export async function getFediClient(identity) {
+    if (!registeredFactory) {
+        throw new Error(`FediClient factory not registered. ` +
+            `Phase 1b: call setFediClientFactory(...) at app init. ` +
+            `Tests: register a mock via setFediClientFactory(async () => mockClient). ` +
+            `See docs/sessions/136-cross-instance-identity-plan.md.`);
+    }
+    return registeredFactory(identity);
+}
+//# sourceMappingURL=fediClient.js.map

package/dist/identity/fediClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fediClient.js","sourceRoot":"","sources":["../../src/identity/fediClient.ts"],"names":[],"mappings":"AA6DA,IAAI,iBAAiB,GAA6B,IAAI,CAAC;AAEvD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAiC;IACpE,iBAAiB,GAAG,OAAO,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,QAAwB;IAC1D,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CACb,qCAAqC;YACrC,wDAAwD;YACxD,2EAA2E;YAC3E,wDAAwD,CACzD,CAAC;IACJ,CAAC;IACD,OAAO,iBAAiB,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC"}

package/dist/identity/health.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Identity-configuration startup invariants.
+ *
+ * Cross-instance delegated authorization stores OAuth bearer tokens at
+ * rest under a symmetric key (`CPUB_FED_TOKEN_KEY`). If any feature
+ * flag that *uses* tokens is enabled but the key is missing, the
+ * operator has misconfigured the deploy — better to refuse to start
+ * than to fail at first OAuth callback when a real user is mid-sign-in.
+ *
+ * Phase 1b plugs this into a Nitro plugin that runs at app init:
+ *
+ *     // layers/base/server/plugins/identity-startup.ts
+ *     export default defineNitroPlugin(() => {
+ *       assertIdentityConfig(useConfig());
+ *     });
+ *
+ * `actingAs` does NOT need the key — it's purely a UI identity-context
+ * switcher and doesn't store tokens. Listed exclusion below.
+ */
+import type { CommonPubConfig } from '@commonpub/config';
+export interface IdentityConfigCheckResult {
+    ok: boolean;
+    errors: ReadonlyArray<string>;
+}
+/**
+ * Inspect the config; return the list of identity-related
+ * misconfigurations. Empty errors → `ok: true`.
+ *
+ * Pure function: no env mutation, no I/O beyond reading the env var
+ * (which `isTokenKeyConfigured` does without logging the key).
+ */
+export declare function checkIdentityConfig(config: CommonPubConfig): IdentityConfigCheckResult;
+/**
+ * Same as `checkIdentityConfig` but throws on any error. Use at
+ * Nitro-plugin startup so a misconfigured deploy fails to boot rather
+ * than 500-ing on first user OAuth attempt.
+ *
+ * Error message lists ALL detected problems (not just the first) so
+ * operators can fix everything in one go.
+ */
+export declare function assertIdentityConfig(config: CommonPubConfig): void;
+//# sourceMappingURL=health.d.ts.map

package/dist/identity/health.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../../src/identity/health.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGzD,MAAM,WAAW,yBAAyB;IACxC,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC/B;AAeD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,eAAe,GAAG,yBAAyB,CAatF;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,eAAe,GAAG,IAAI,CAOlE"}

package/dist/identity/health.js

@@ -0,0 +1,43 @@
+import { isTokenKeyConfigured } from '@commonpub/infra';
+/**
+ * True iff this flag set requires an active `CPUB_FED_TOKEN_KEY`.
+ * `actingAs` alone is fine — it's UI state, not token I/O.
+ */
+function requiresTokenKey(id) {
+    return (id.linkRemoteAccounts ||
+        id.signInWithRemote ||
+        id.remoteInteract ||
+        id.remotePublish);
+}
+/**
+ * Inspect the config; return the list of identity-related
+ * misconfigurations. Empty errors → `ok: true`.
+ *
+ * Pure function: no env mutation, no I/O beyond reading the env var
+ * (which `isTokenKeyConfigured` does without logging the key).
+ */
+export function checkIdentityConfig(config) {
+    const errors = [];
+    const id = config.features.identity;
+    if (requiresTokenKey(id) && !isTokenKeyConfigured()) {
+        errors.push('CPUB_FED_TOKEN_KEY env var must be set when any of ' +
+            'features.identity.{linkRemoteAccounts, signInWithRemote, remoteInteract, remotePublish} ' +
+            'is enabled. Generate with: openssl rand -hex 32');
+    }
+    return { ok: errors.length === 0, errors };
+}
+/**
+ * Same as `checkIdentityConfig` but throws on any error. Use at
+ * Nitro-plugin startup so a misconfigured deploy fails to boot rather
+ * than 500-ing on first user OAuth attempt.
+ *
+ * Error message lists ALL detected problems (not just the first) so
+ * operators can fix everything in one go.
+ */
+export function assertIdentityConfig(config) {
+    const result = checkIdentityConfig(config);
+    if (!result.ok) {
+        throw new Error(`Cross-instance identity misconfigured:\n  - ${result.errors.join('\n  - ')}`);
+    }
+}
+//# sourceMappingURL=health.js.map

package/dist/identity/health.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.js","sourceRoot":"","sources":["../../src/identity/health.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAOxD;;;GAGG;AACH,SAAS,gBAAgB,CAAC,EAA2C;IACnE,OAAO,CACL,EAAE,CAAC,kBAAkB;QACrB,EAAE,CAAC,gBAAgB;QACnB,EAAE,CAAC,cAAc;QACjB,EAAE,CAAC,aAAa,CACjB,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAuB;IACzD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAEpC,IAAI,gBAAgB,CAAC,EAAE,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CACT,qDAAqD;YACrD,0FAA0F;YAC1F,iDAAiD,CAClD,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AAC7C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAuB;IAC1D,MAAM,MAAM,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC3C,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,+CAA+C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAC9E,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/identity/index.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @commonpub/server / identity — cross-instance delegated authorization.
+ *
+ * Phase 1a foundation: types + action router + FediClient interface.
+ * Phase 1b lands the OAuth flow + FediClient implementation.
+ * Phase 3 lands resolveIdentityContext middleware.
+ * Phase 4 lands ActionRoute declarations for publish/like/follow/comment.
+ *
+ * See docs/sessions/136-cross-instance-identity-plan.md.
+ */
+export type { ActionRoute } from './router.js';
+export { run, ActionUnavailable, InsufficientScopes, LinkedIdentityRevoked, } from './router.js';
+export type { FediClient, VerifiedAccount, FediClientFactory } from './fediClient.js';
+export { getFediClient, setFediClientFactory } from './fediClient.js';
+export type { IdentityConfigCheckResult } from './health.js';
+export { checkIdentityConfig, assertIdentityConfig } from './health.js';
+export { createMastodonFediClientFactory } from './mastodonFactory.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/identity/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/identity/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,GACtB,MAAM,aAAa,CAAC;AAErB,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACtF,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEtE,YAAY,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExE,OAAO,EAAE,+BAA+B,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/identity/index.js

@@ -0,0 +1,15 @@
+/**
+ * @commonpub/server / identity — cross-instance delegated authorization.
+ *
+ * Phase 1a foundation: types + action router + FediClient interface.
+ * Phase 1b lands the OAuth flow + FediClient implementation.
+ * Phase 3 lands resolveIdentityContext middleware.
+ * Phase 4 lands ActionRoute declarations for publish/like/follow/comment.
+ *
+ * See docs/sessions/136-cross-instance-identity-plan.md.
+ */
+export { run, ActionUnavailable, InsufficientScopes, LinkedIdentityRevoked, } from './router.js';
+export { getFediClient, setFediClientFactory } from './fediClient.js';
+export { checkIdentityConfig, assertIdentityConfig } from './health.js';
+export { createMastodonFediClientFactory } from './mastodonFactory.js';
+//# sourceMappingURL=index.js.map

package/dist/identity/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/identity/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,GACtB,MAAM,aAAa,CAAC;AAGrB,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAGtE,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExE,OAAO,EAAE,+BAA+B,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/identity/mastodonFactory.d.ts

@@ -0,0 +1,12 @@
+import type { DB } from '../types.js';
+import type { FediClientFactory } from './fediClient.js';
+/**
+ * Build a FediClientFactory closed over a DB handle. Call this once at
+ * app init and pass the result to `setFediClientFactory`.
+ *
+ *   import { setFediClientFactory } from '@commonpub/server';
+ *   import { createMastodonFediClientFactory } from '@commonpub/server';
+ *   setFediClientFactory(createMastodonFediClientFactory(useDB()));
+ */
+export declare function createMastodonFediClientFactory(db: DB): FediClientFactory;
+//# sourceMappingURL=mastodonFactory.d.ts.map

package/dist/identity/mastodonFactory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mastodonFactory.d.ts","sourceRoot":"","sources":["../../src/identity/mastodonFactory.ts"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAMtC,OAAO,KAAK,EAAc,iBAAiB,EAAmB,MAAM,iBAAiB,CAAC;AAyFtF;;;;;;;GAOG;AACH,wBAAgB,+BAA+B,CAAC,EAAE,EAAE,EAAE,GAAG,iBAAiB,CAEzE"}

package/dist/identity/mastodonFactory.js

@@ -0,0 +1,118 @@
+/**
+ * Mastodon-API-backed FediClient factory.
+ *
+ * Wires `setFediClientFactory(...)` for Phase 1b runtime: the factory
+ * is registered once at app init by a Nitro plugin (which closes over
+ * the request-scoped DB), and `run()` calls `getFediClient(identity)`
+ * on the linked-identity path, which delegates here.
+ *
+ * Behaviour:
+ *   1. Load the federated_account row's decrypted access token.
+ *   2. Map `identity.softwareKind` → megalodon's recognized server kinds
+ *      (akkoma → pleroma; cpub/unknown → mastodon).
+ *   3. Construct a `MegalodonInterface` client.
+ *   4. Wrap calls so a 401 response auto-marks the row revoked AND
+ *      throws `LinkedIdentityRevoked` — UI then prompts re-link.
+ *
+ * The wrapped client implements only the `FediClient` surface
+ * (`account.verifyCredentials` for now). Phase 4 expansion adds
+ * statuses/favourites/follows.
+ *
+ * See docs/sessions/136-cross-instance-identity-plan.md.
+ */
+import generator from 'megalodon';
+import { LinkedIdentityRevoked } from './router.js';
+import { getDecryptedAccessToken, revokeFederatedAccountGrant, } from '../federation/oauth.js';
+/**
+ * Map our `SoftwareKind` to megalodon's. Akkoma is a Pleroma fork that
+ * megalodon doesn't differentiate. CommonPub speaks the Mastodon API
+ * surface, so `cpub` and `unknown` both fall back to 'mastodon'.
+ */
+function toMegalodonSns(kind) {
+    switch (kind) {
+        case 'mastodon': return 'mastodon';
+        case 'pleroma': return 'pleroma';
+        case 'akkoma': return 'pleroma';
+        case 'gotosocial': return 'gotosocial';
+        case 'firefish': return 'firefish';
+        case 'cpub': return 'mastodon';
+        case 'unknown': return 'mastodon';
+    }
+}
+/**
+ * True iff the error looks like a 401 from megalodon's axios layer.
+ * megalodon doesn't surface a typed error class for HTTP status, so we
+ * sniff the shape that axios + megalodon's wrapper produce.
+ */
+function isUnauthorized(err) {
+    if (!err || typeof err !== 'object')
+        return false;
+    const e = err;
+    return e.response?.status === 401 || e.status === 401;
+}
+/**
+ * Construct a real Mastodon-API-backed FediClient for a linked identity.
+ * On 401, soft-revokes the grant (sets `federated_accounts.revoked_at`)
+ * and re-throws `LinkedIdentityRevoked` — UI surfaces the re-link
+ * prompt.
+ *
+ * Other failures (5xx, network) propagate unchanged.
+ */
+async function buildFediClient(db, identity) {
+    const token = await getDecryptedAccessToken(db, identity.id);
+    if (!token) {
+        // No token stored OR row was revoked OR row missing. Either way, the
+        // grant is unusable — surface it as revoked so callers prompt re-link.
+        throw new LinkedIdentityRevoked(identity);
+    }
+    const sns = toMegalodonSns(identity.softwareKind);
+    const baseUrl = `https://${identity.instance}`;
+    const client = generator(sns, baseUrl, token, 'CommonPub/1.0 (+https://commonpub.io)');
+    // Last-verified-at could be refreshed here; deferred to Phase 4 when
+    // a periodic re-verify cron makes sense.
+    return {
+        account: {
+            async verifyCredentials() {
+                try {
+                    const resp = await client.verifyAccountCredentials();
+                    const a = resp.data;
+                    return {
+                        id: String(a.id),
+                        username: a.username,
+                        acct: a.acct,
+                        displayName: a.display_name ?? undefined,
+                        avatar: a.avatar ?? undefined,
+                        url: a.url ?? undefined,
+                    };
+                }
+                catch (err) {
+                    if (isUnauthorized(err)) {
+                        // Soft-revoke; do this before throwing so the UI's
+                        // re-link prompt sees the persisted state.
+                        await revokeFederatedAccountGrant(db, identity.id).catch(() => {
+                            // Best-effort: a failure here doesn't change the auth
+                            // outcome (we still want to surface the re-link prompt).
+                            // The next `getDecryptedAccessToken` for this row will
+                            // still succeed with the stale token until the next call
+                            // attempts and 401s again — eventually consistent.
+                        });
+                        throw new LinkedIdentityRevoked(identity);
+                    }
+                    throw err;
+                }
+            },
+        },
+    };
+}
+/**
+ * Build a FediClientFactory closed over a DB handle. Call this once at
+ * app init and pass the result to `setFediClientFactory`.
+ *
+ *   import { setFediClientFactory } from '@commonpub/server';
+ *   import { createMastodonFediClientFactory } from '@commonpub/server';
+ *   setFediClientFactory(createMastodonFediClientFactory(useDB()));
+ */
+export function createMastodonFediClientFactory(db) {
+    return (identity) => buildFediClient(db, identity);
+}
+//# sourceMappingURL=mastodonFactory.js.map

package/dist/identity/mastodonFactory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mastodonFactory.js","sourceRoot":"","sources":["../../src/identity/mastodonFactory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,SAAS,MAAM,WAAW,CAAC;AAGlC,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EACL,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,wBAAwB,CAAC;AAMhC;;;;GAIG;AACH,SAAS,cAAc,CAAC,IAAkB;IACxC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,UAAU,CAAC,CAAC,OAAO,UAAU,CAAC;QACnC,KAAK,SAAS,CAAC,CAAE,OAAO,SAAS,CAAC;QAClC,KAAK,QAAQ,CAAC,CAAG,OAAO,SAAS,CAAC;QAClC,KAAK,YAAY,CAAC,CAAC,OAAO,YAAY,CAAC;QACvC,KAAK,UAAU,CAAC,CAAC,OAAO,UAAU,CAAC;QACnC,KAAK,MAAM,CAAC,CAAK,OAAO,UAAU,CAAC;QACnC,KAAK,SAAS,CAAC,CAAE,OAAO,UAAU,CAAC;IACrC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,cAAc,CAAC,GAAY;IAClC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAClD,MAAM,CAAC,GAAG,GAA0D,CAAC;IACrE,OAAO,CAAC,CAAC,QAAQ,EAAE,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG,CAAC;AACxD,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,eAAe,CAAC,EAAM,EAAE,QAAwB;IAC7D,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC7D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,qEAAqE;QACrE,uEAAuE;QACvE,MAAM,IAAI,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,GAAG,GAAG,cAAc,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,WAAW,QAAQ,CAAC,QAAQ,EAAE,CAAC;IAC/C,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,uCAAuC,CAAC,CAAC;IAEvF,qEAAqE;IACrE,yCAAyC;IACzC,OAAO;QACL,OAAO,EAAE;YACP,KAAK,CAAC,iBAAiB;gBACrB,IAAI,CAAC;oBACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,wBAAwB,EAAE,CAAC;oBACrD,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC;oBACpB,OAAO;wBACL,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;wBAChB,QAAQ,EAAE,CAAC,CAAC,QAAQ;wBACpB,IAAI,EAAE,CAAC,CAAC,IAAI;wBACZ,WAAW,EAAE,CAAC,CAAC,YAAY,IAAI,SAAS;wBACxC,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,SAAS;wBAC7B,GAAG,EAAE,CAAC,CAAC,GAAG,IAAI,SAAS;qBACxB,CAAC;gBACJ,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;wBACxB,mDAAmD;wBACnD,2CAA2C;wBAC3C,MAAM,2BAA2B,CAAC,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;4BAC5D,sDAAsD;4BACtD,yDAAyD;4BACzD,uDAAuD;4BACvD,yDAAyD;4BACzD,mDAAmD;wBACrD,CAAC,CAAC,CAAC;wBACH,MAAM,IAAI,qBAAqB,CAAC,QAAQ,CAAC,CAAC;oBAC5C,CAAC;oBACD,MAAM,GAAG,CAAC;gBACZ,CAAC;YACH,CAAC;SACF;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,+BAA+B,CAAC,EAAM;IACpD,OAAO,CAAC,QAAwB,EAAE,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;AACrE,CAAC"}

package/dist/identity/router.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Action router — the only place that branches on `active.kind === 'linked'`.
+ *
+ * Every user-facing action gets one ActionRoute declaration with two
+ * halves: `local` (run against this instance's DB as the session user)
+ * and `remote` (proxied via FediClient to the linked identity's home).
+ * The `run()` helper picks the right half based on which identity is
+ * currently active in the request context.
+ *
+ * Adding a new proxiable action = one new file with an ActionRoute.
+ * Existing controllers don't grow `if (linked)` branches.
+ *
+ * See docs/sessions/136-cross-instance-identity-plan.md.
+ */
+import type { Identity, LinkedIdentity, NativeIdentity, Scope } from '@commonpub/auth';
+import type { FediClient } from './fediClient.js';
+/**
+ * Event-type generic. The router doesn't care what event/context shape
+ * the caller's framework uses — it passes the event through to the
+ * `local` handler unchanged. Layer-side code (Nitro/h3) will instantiate
+ * `ActionRoute<H3Event, ...>`; framework-agnostic tests use `unknown`.
+ *
+ * This keeps `@commonpub/server` framework-agnostic (no h3 dep) while
+ * still flowing strong types into layer-side controllers.
+ */
+export interface ActionRoute<TEvent, TIn, TOut> {
+    /** Stable name — used for audit logs, scope-error messages, metrics. */
+    name: string;
+    /** Required scopes when running via a linked identity. Ignored for native. */
+    scopes: ReadonlyArray<Scope>;
+    /** Handler when the active identity is the session's native user. */
+    local(event: TEvent, identity: NativeIdentity, input: TIn): Promise<TOut>;
+    /**
+     * Handler when the active identity is a linked OAuth grant. Optional —
+     * actions that should never be proxied (admin, settings, identity
+     * management itself) leave this undefined and `run()` throws
+     * `ActionUnavailable` if a linked identity tries to invoke.
+     */
+    remote?(client: FediClient, identity: LinkedIdentity, input: TIn): Promise<TOut>;
+}
+export declare class ActionUnavailable extends Error {
+    readonly action: string;
+    readonly reason: string;
+    constructor(action: string, reason: string);
+}
+export declare class InsufficientScopes extends Error {
+    readonly action: string;
+    readonly required: ReadonlyArray<Scope>;
+    readonly granted: ReadonlyArray<Scope>;
+    constructor(action: string, required: ReadonlyArray<Scope>, granted: ReadonlyArray<Scope>);
+}
+export declare class LinkedIdentityRevoked extends Error {
+    readonly identity: LinkedIdentity;
+    constructor(identity: LinkedIdentity);
+}
+/**
+ * Dispatch an action against the currently active identity.
+ *
+ * The active identity is *passed in* rather than read from request
+ * context here — this keeps `run()` a pure function of its inputs and
+ * makes it trivially unit-testable. The middleware that resolves
+ * IdentityContext (Phase 3+) will read `event.context.identity.active`
+ * and forward it.
+ *
+ * Behaviour:
+ *   - `active.kind === 'native'`  → call `action.local(event, active, input)`
+ *   - `active.kind === 'linked'`  → check scopes + revocation, then call
+ *                                   `action.remote(client, active, input)`
+ *
+ * Throws `ActionUnavailable` if the action has no `remote` half but a
+ * linked identity tries it. Throws `LinkedIdentityRevoked` if the
+ * grant is revoked. Throws `InsufficientScopes` if the grant doesn't
+ * cover what the action needs.
+ *
+ * Phase 1a: `getFediClient` is unimplemented; the linked path will
+ * throw at client construction. Phase 1b plumbs it in.
+ */
+export declare function run<TEvent, TIn, TOut>(event: TEvent, active: Identity, action: ActionRoute<TEvent, TIn, TOut>, input: TIn): Promise<TOut>;
+//# sourceMappingURL=router.d.ts.map

package/dist/identity/router.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/identity/router.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,KAAK,EACV,QAAQ,EACR,cAAc,EACd,cAAc,EACd,KAAK,EACN,MAAM,iBAAiB,CAAC;AAEzB,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAGlD;;;;;;;;GAQG;AACH,MAAM,WAAW,WAAW,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI;IAC5C,wEAAwE;IACxE,IAAI,EAAE,MAAM,CAAC;IACb,8EAA8E;IAC9E,MAAM,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC;IAC7B,qEAAqE;IACrE,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,KAAK,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1E;;;;;OAKG;IACH,MAAM,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,cAAc,EAAE,KAAK,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAClF;AAED,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;gBACZ,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAM3C;AAED,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC;IACxC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC;gBAC3B,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC;CAO1F;AAED,qBAAa,qBAAsB,SAAQ,KAAK;IAC9C,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;gBACtB,QAAQ,EAAE,cAAc;CAKrC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,EACzC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,QAAQ,EAChB,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,EACtC,KAAK,EAAE,GAAG,GACT,OAAO,CAAC,IAAI,CAAC,CAgBf"}

package/dist/identity/router.js

@@ -0,0 +1,72 @@
+import { hasAllScopes, isUsableLinkedIdentity } from '@commonpub/auth';
+import { getFediClient } from './fediClient.js';
+export class ActionUnavailable extends Error {
+    action;
+    reason;
+    constructor(action, reason) {
+        super(`Action "${action}" unavailable: ${reason}`);
+        this.name = 'ActionUnavailable';
+        this.action = action;
+        this.reason = reason;
+    }
+}
+export class InsufficientScopes extends Error {
+    action;
+    required;
+    granted;
+    constructor(action, required, granted) {
+        super(`Action "${action}" needs scopes [${required.join(', ')}]; have [${granted.join(', ')}]`);
+        this.name = 'InsufficientScopes';
+        this.action = action;
+        this.required = required;
+        this.granted = granted;
+    }
+}
+export class LinkedIdentityRevoked extends Error {
+    identity;
+    constructor(identity) {
+        super(`Linked identity ${identity.handle} is revoked; user must re-link`);
+        this.name = 'LinkedIdentityRevoked';
+        this.identity = identity;
+    }
+}
+/**
+ * Dispatch an action against the currently active identity.
+ *
+ * The active identity is *passed in* rather than read from request
+ * context here — this keeps `run()` a pure function of its inputs and
+ * makes it trivially unit-testable. The middleware that resolves
+ * IdentityContext (Phase 3+) will read `event.context.identity.active`
+ * and forward it.
+ *
+ * Behaviour:
+ *   - `active.kind === 'native'`  → call `action.local(event, active, input)`
+ *   - `active.kind === 'linked'`  → check scopes + revocation, then call
+ *                                   `action.remote(client, active, input)`
+ *
+ * Throws `ActionUnavailable` if the action has no `remote` half but a
+ * linked identity tries it. Throws `LinkedIdentityRevoked` if the
+ * grant is revoked. Throws `InsufficientScopes` if the grant doesn't
+ * cover what the action needs.
+ *
+ * Phase 1a: `getFediClient` is unimplemented; the linked path will
+ * throw at client construction. Phase 1b plumbs it in.
+ */
+export async function run(event, active, action, input) {
+    if (active.kind === 'native') {
+        return action.local(event, active, input);
+    }
+    // active.kind === 'linked'
+    if (!action.remote) {
+        throw new ActionUnavailable(action.name, 'not-proxiable');
+    }
+    if (!isUsableLinkedIdentity(active)) {
+        throw new LinkedIdentityRevoked(active);
+    }
+    if (!hasAllScopes(active.scopes, action.scopes)) {
+        throw new InsufficientScopes(action.name, action.scopes, active.scopes);
+    }
+    const client = await getFediClient(active);
+    return action.remote(client, active, input);
+}
+//# sourceMappingURL=router.js.map

package/dist/identity/router.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/identity/router.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,YAAY,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAEvE,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AA2BhD,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,MAAM,CAAS;IACf,MAAM,CAAS;IACxB,YAAY,MAAc,EAAE,MAAc;QACxC,KAAK,CAAC,WAAW,MAAM,kBAAkB,MAAM,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAClC,MAAM,CAAS;IACf,QAAQ,CAAuB;IAC/B,OAAO,CAAuB;IACvC,YAAY,MAAc,EAAE,QAA8B,EAAE,OAA6B;QACvF,KAAK,CAAC,WAAW,MAAM,mBAAmB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChG,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;CACF;AAED,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IACrC,QAAQ,CAAiB;IAClC,YAAY,QAAwB;QAClC,KAAK,CAAC,mBAAmB,QAAQ,CAAC,MAAM,gCAAgC,CAAC,CAAC;QAC1E,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;QACpC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,GAAG,CACvB,KAAa,EACb,MAAgB,EAChB,MAAsC,EACtC,KAAU;IAEV,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IAC5C,CAAC;IACD,2BAA2B;IAC3B,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,IAAI,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IAC1E,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;IAC3C,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AAC9C,CAAC"}

package/dist/index.d.ts

@@ -64,4 +64,8 @@ export type { SafeFetchOptions } from './import/ssrf.js';
 export { SmtpEmailAdapter, ResendEmailAdapter, ConsoleEmailAdapter, emailTemplates, } from './email.js';
 export type { EmailAdapter, EmailMessage } from './email.js';
 export * from './publicApi/index.js';
+export type { ActionRoute, FediClient, VerifiedAccount, FediClientFactory, IdentityConfigCheckResult, } from './identity/index.js';
+export { run, getFediClient, setFediClientFactory, ActionUnavailable, InsufficientScopes, LinkedIdentityRevoked, checkIdentityConfig, assertIdentityConfig, createMastodonFediClientFactory, } from './identity/index.js';
+export type { FederatedAccountGrant } from './federation/oauth.js';
+export { getDecryptedAccessToken, revokeFederatedAccountGrant, } from './federation/oauth.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACrE,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAGvE,YAAY,EAAE,EAAE,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AACpE,YAAY,EACV,OAAO,EACP,WAAW,EACX,eAAe,EACf,aAAa,EACb,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,EACd,WAAW,EACX,SAAS,EACT,UAAU,EACV,aAAa,EACb,WAAW,EACX,cAAc,EACd,YAAY,EACZ,aAAa,EACb,UAAU,EACV,oBAAoB,EACpB,oBAAoB,EACpB,yBAAyB,EACzB,iBAAiB,EACjB,WAAW,EACX,oBAAoB,EACpB,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,eAAe,GAChB,MAAM,YAAY,CAAC;AAGpB,YAAY,EACV,kBAAkB,EAClB,kBAAkB,EAClB,cAAc,EACd,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,uBAAuB,EACvB,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EACtB,gBAAgB,EAChB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,uBAAuB,EACvB,YAAY,EACZ,eAAe,EACf,iBAAiB,EACjB,iBAAiB,EACjB,WAAW,EACX,aAAa,EACb,UAAU,EACV,OAAO,EACP,UAAU,EACV,UAAU,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EACV,aAAa,EACb,aAAa,EACb,0BAA0B,EAC1B,0BAA0B,GAC3B,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAGxE,OAAO,EACL,mBAAmB,EACnB,eAAe,EACf,wBAAwB,EACxB,6BAA6B,EAC7B,mBAAmB,EACnB,SAAS,EACT,mBAAmB,EACnB,UAAU,EACV,gBAAgB,EAChB,eAAe,EACf,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAGjD,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,aAAa,EACb,aAAa,EACb,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,kBAAkB,EAClB,gBAAgB,EAChB,gBAAgB,EAChB,qBAAqB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,eAAe,EACf,wBAAwB,EACxB,aAAa,EACb,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAG7D,OAAO,EACL,qBAAqB,EACrB,kBAAkB,EAClB,wBAAwB,EACxB,qBAAqB,EACrB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAG9D,OAAO,EACL,QAAQ,EACR,YAAY,EACZ,SAAS,EACT,SAAS,EACT,SAAS,EACT,OAAO,EACP,QAAQ,EACR,SAAS,EACT,WAAW,EACX,iBAAiB,EACjB,UAAU,EACV,UAAU,EACV,UAAU,EACV,QAAQ,EACR,SAAS,EACT,UAAU,EACV,aAAa,EACb,cAAc,EACd,WAAW,EACX,QAAQ,EACR,UAAU,EACV,YAAY,EACZ,WAAW,EACX,WAAW,EACX,WAAW,EACX,OAAO,EACP,SAAS,EACT,QAAQ,EACR,QAAQ,EACR,YAAY,EACZ,oBAAoB,EACpB,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,cAAc,EACd,UAAU,GACX,MAAM,gBAAgB,CAAC;AACxB,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,aAAa,EACb,aAAa,EACb,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,GACf,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,eAAe,EACf,aAAa,EACb,kBAAkB,EAClB,cAAc,GACf,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,UAAU,EACV,OAAO,EACT,YAAY,EACV,YAAY,EACZ,aAAa,EACb,aAAa,EACb,cAAc,EACd,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,UAAU,EACV,YAAY,EACZ,WAAW,EACX,aAAa,EACb,aAAa,EACb,YAAY,EACZ,iBAAiB,EACjB,eAAe,EACf,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAGtE,OAAO,EACL,SAAS,EACT,aAAa,EACb,UAAU,EACV,UAAU,EACV,UAAU,EACV,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,MAAM,EACN,QAAQ,EACR,kBAAkB,EAClB,aAAa,EACb,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,eAAe,EACf,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACb,WAAW,EACX,cAAc,EACd,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,GAChB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,cAAc,EACd,gBAAgB,EAChB,WAAW,EACX,aAAa,EACb,mBAAmB,EACnB,kBAAkB,EAClB,kBAAkB,EAClB,UAAU,EACV,aAAa,EACb,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EACV,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,GACd,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAC1G,YAAY,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAGzD,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,kBAAkB,EAClB,qBAAqB,EACrB,aAAa,EACb,oBAAoB,EACpB,cAAc,EACd,aAAa,EACb,cAAc,EACd,mBAAmB,EACnB,cAAc,GACf,MAAM,eAAe,CAAC;AACvB,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAGpE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAGlF,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAClH,YAAY,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAG3D,OAAO,EAAE,YAAY,EAAE,uBAAuB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAGjF,OAAO,EACL,uBAAuB,EACvB,0BAA0B,EAC1B,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,qBAAqB,EACrB,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,EACd,cAAc,EACd,YAAY,EACZ,cAAc,EACd,eAAe,EACf,uBAAuB,EACvB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,sBAAsB,EACtB,mBAAmB,EACnB,wBAAwB,EACxB,qBAAqB,EACrB,mBAAmB,EACnB,iBAAiB,EACjB,kBAAkB,EAClB,aAAa,EACb,iBAAiB,EACjB,2BAA2B,EAC3B,sBAAsB,EACtB,cAAc,EACd,qBAAqB,EACrB,kBAAkB,EAClB,eAAe,EACf,iBAAiB,EACjB,wBAAwB,EACxB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,EACpB,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,cAAc,EACd,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,SAAS,EACT,KAAK,YAAY,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,mBAAmB,EACnB,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,EAChB,mBAAmB,EACnB,qBAAqB,EACrB,iBAAiB,EACjB,0BAA0B,EAC1B,eAAe,EACf,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,EACtB,gBAAgB,EAChB,kBAAkB,EAClB,yBAAyB,EACzB,kBAAkB,EAClB,qBAAqB,EACrB,eAAe,EACf,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,EACzB,KAAK,wBAAwB,EAC7B,2BAA2B,EAC3B,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,0BAA0B,EAC1B,kBAAkB,EAClB,KAAK,cAAc,EACnB,gBAAgB,EAChB,wBAAwB,EACxB,aAAa,EACb,qBAAqB,EACrB,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,EACb,qBAAqB,EACrB,qBAAqB,EACrB,iBAAiB,EAEjB,iBAAiB,EACjB,eAAe,EACf,yBAAyB,EACzB,eAAe,EACf,aAAa,EACb,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,sBAAsB,EACtB,mBAAmB,EACnB,qBAAqB,EACrB,uBAAuB,EACvB,wBAAwB,EACxB,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,2BAA2B,EAC3B,2BAA2B,EAC3B,qBAAqB,EACrB,uBAAuB,EACvB,4BAA4B,EAC5B,2BAA2B,EAC3B,0BAA0B,EAC1B,gBAAgB,EAChB,2BAA2B,EAC3B,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAGtF,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,aAAa,EACb,uBAAuB,EACvB,qBAAqB,EACrB,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,eAAe,EACf,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,iBAAiB,EACjB,eAAe,EACf,kBAAkB,EAClB,eAAe,EACf,iBAAiB,EACjB,cAAc,GACf,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,SAAS,EACT,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,wBAAwB,EACxB,kBAAkB,EAClB,kBAAkB,EAClB,uBAAuB,EACvB,0BAA0B,EAC1B,0BAA0B,GAC3B,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAGvG,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,kBAAkB,EAClB,wBAAwB,EACxB,WAAW,EACX,gBAAgB,EAChB,qBAAqB,EACrB,2BAA2B,GAC5B,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAG1E,OAAO,EACL,UAAU,EACV,YAAY,EACZ,WAAW,EACX,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EACV,aAAa,EACb,WAAW,EACX,YAAY,EACZ,iBAAiB,GAClB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAGzD,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,oBAAoB,EACpB,kBAAkB,EAClB,cAAc,EACd,kBAAkB,EAClB,kBAAkB,EAClB,mBAAmB,EACnB,gBAAgB,GACjB,MAAM,cAAc,CAAC;AACtB,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,OAAO,EACL,YAAY,EACZ,cAAc,EACd,cAAc,GACf,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,cAAc,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAGjF,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGrF,OAAO,EACL,UAAU,EACV,cAAc,EACd,WAAW,EACX,WAAW,EACX,WAAW,EACX,kBAAkB,EAClB,SAAS,EACT,UAAU,EACV,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,aAAa,EACb,WAAW,EACX,YAAY,EACZ,gBAAgB,EAChB,gBAAgB,EAChB,YAAY,EACZ,WAAW,EACX,SAAS,EACT,cAAc,GACf,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,UAAU,EACV,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,UAAU,EACV,eAAe,EACf,kBAAkB,EAClB,sBAAsB,EACtB,wBAAwB,EACxB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,aAAa,EACb,UAAU,EACV,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,WAAW,EACX,WAAW,EACX,aAAa,EACb,iBAAiB,GAClB,MAAM,4BAA4B,CAAC;AACpC,YAAY,EAAE,OAAO,EAAE,MAAM,4BAA4B,CAAC;AAG1D,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,kBAAkB,EAClB,YAAY,EACZ,eAAe,EACf,qBAAqB,GACtB,MAAM,2BAA2B,CAAC;AACnC,YAAY,EACV,mBAAmB,EACnB,oBAAoB,EACpB,WAAW,GACZ,MAAM,2BAA2B,CAAC;AAGnC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAGzD,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,GACf,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG7D,cAAc,sBAAsB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACrE,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAGvE,YAAY,EAAE,EAAE,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AACpE,YAAY,EACV,OAAO,EACP,WAAW,EACX,eAAe,EACf,aAAa,EACb,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,EACd,WAAW,EACX,SAAS,EACT,UAAU,EACV,aAAa,EACb,WAAW,EACX,cAAc,EACd,YAAY,EACZ,aAAa,EACb,UAAU,EACV,oBAAoB,EACpB,oBAAoB,EACpB,yBAAyB,EACzB,iBAAiB,EACjB,WAAW,EACX,oBAAoB,EACpB,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,eAAe,GAChB,MAAM,YAAY,CAAC;AAGpB,YAAY,EACV,kBAAkB,EAClB,kBAAkB,EAClB,cAAc,EACd,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,uBAAuB,EACvB,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EACtB,gBAAgB,EAChB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,uBAAuB,EACvB,YAAY,EACZ,eAAe,EACf,iBAAiB,EACjB,iBAAiB,EACjB,WAAW,EACX,aAAa,EACb,UAAU,EACV,OAAO,EACP,UAAU,EACV,UAAU,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EACV,aAAa,EACb,aAAa,EACb,0BAA0B,EAC1B,0BAA0B,GAC3B,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAGxE,OAAO,EACL,mBAAmB,EACnB,eAAe,EACf,wBAAwB,EACxB,6BAA6B,EAC7B,mBAAmB,EACnB,SAAS,EACT,mBAAmB,EACnB,UAAU,EACV,gBAAgB,EAChB,eAAe,EACf,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAGjD,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,aAAa,EACb,aAAa,EACb,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,kBAAkB,EAClB,gBAAgB,EAChB,gBAAgB,EAChB,qBAAqB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,eAAe,EACf,wBAAwB,EACxB,aAAa,EACb,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAG7D,OAAO,EACL,qBAAqB,EACrB,kBAAkB,EAClB,wBAAwB,EACxB,qBAAqB,EACrB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAG9D,OAAO,EACL,QAAQ,EACR,YAAY,EACZ,SAAS,EACT,SAAS,EACT,SAAS,EACT,OAAO,EACP,QAAQ,EACR,SAAS,EACT,WAAW,EACX,iBAAiB,EACjB,UAAU,EACV,UAAU,EACV,UAAU,EACV,QAAQ,EACR,SAAS,EACT,UAAU,EACV,aAAa,EACb,cAAc,EACd,WAAW,EACX,QAAQ,EACR,UAAU,EACV,YAAY,EACZ,WAAW,EACX,WAAW,EACX,WAAW,EACX,OAAO,EACP,SAAS,EACT,QAAQ,EACR,QAAQ,EACR,YAAY,EACZ,oBAAoB,EACpB,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,cAAc,EACd,UAAU,GACX,MAAM,gBAAgB,CAAC;AACxB,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,aAAa,EACb,aAAa,EACb,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,GACf,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,eAAe,EACf,aAAa,EACb,kBAAkB,EAClB,cAAc,GACf,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,UAAU,EACV,OAAO,EACT,YAAY,EACV,YAAY,EACZ,aAAa,EACb,aAAa,EACb,cAAc,EACd,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,UAAU,EACV,YAAY,EACZ,WAAW,EACX,aAAa,EACb,aAAa,EACb,YAAY,EACZ,iBAAiB,EACjB,eAAe,EACf,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAGtE,OAAO,EACL,SAAS,EACT,aAAa,EACb,UAAU,EACV,UAAU,EACV,UAAU,EACV,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,MAAM,EACN,QAAQ,EACR,kBAAkB,EAClB,aAAa,EACb,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,eAAe,EACf,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACb,WAAW,EACX,cAAc,EACd,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,GAChB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,cAAc,EACd,gBAAgB,EAChB,WAAW,EACX,aAAa,EACb,mBAAmB,EACnB,kBAAkB,EAClB,kBAAkB,EAClB,UAAU,EACV,aAAa,EACb,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EACV,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,GACd,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAC1G,YAAY,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAGzD,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,kBAAkB,EAClB,qBAAqB,EACrB,aAAa,EACb,oBAAoB,EACpB,cAAc,EACd,aAAa,EACb,cAAc,EACd,mBAAmB,EACnB,cAAc,GACf,MAAM,eAAe,CAAC;AACvB,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAGpE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAGlF,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAClH,YAAY,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAG3D,OAAO,EAAE,YAAY,EAAE,uBAAuB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAGjF,OAAO,EACL,uBAAuB,EACvB,0BAA0B,EAC1B,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,qBAAqB,EACrB,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,EACd,cAAc,EACd,YAAY,EACZ,cAAc,EACd,eAAe,EACf,uBAAuB,EACvB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,sBAAsB,EACtB,mBAAmB,EACnB,wBAAwB,EACxB,qBAAqB,EACrB,mBAAmB,EACnB,iBAAiB,EACjB,kBAAkB,EAClB,aAAa,EACb,iBAAiB,EACjB,2BAA2B,EAC3B,sBAAsB,EACtB,cAAc,EACd,qBAAqB,EACrB,kBAAkB,EAClB,eAAe,EACf,iBAAiB,EACjB,wBAAwB,EACxB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,EACpB,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,cAAc,EACd,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,SAAS,EACT,KAAK,YAAY,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,mBAAmB,EACnB,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,EAChB,mBAAmB,EACnB,qBAAqB,EACrB,iBAAiB,EACjB,0BAA0B,EAC1B,eAAe,EACf,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,EACtB,gBAAgB,EAChB,kBAAkB,EAClB,yBAAyB,EACzB,kBAAkB,EAClB,qBAAqB,EACrB,eAAe,EACf,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,EACzB,KAAK,wBAAwB,EAC7B,2BAA2B,EAC3B,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,0BAA0B,EAC1B,kBAAkB,EAClB,KAAK,cAAc,EACnB,gBAAgB,EAChB,wBAAwB,EACxB,aAAa,EACb,qBAAqB,EACrB,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,EACb,qBAAqB,EACrB,qBAAqB,EACrB,iBAAiB,EAEjB,iBAAiB,EACjB,eAAe,EACf,yBAAyB,EACzB,eAAe,EACf,aAAa,EACb,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,sBAAsB,EACtB,mBAAmB,EACnB,qBAAqB,EACrB,uBAAuB,EACvB,wBAAwB,EACxB,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,2BAA2B,EAC3B,2BAA2B,EAC3B,qBAAqB,EACrB,uBAAuB,EACvB,4BAA4B,EAC5B,2BAA2B,EAC3B,0BAA0B,EAC1B,gBAAgB,EAChB,2BAA2B,EAC3B,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAGtF,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,aAAa,EACb,uBAAuB,EACvB,qBAAqB,EACrB,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,eAAe,EACf,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,iBAAiB,EACjB,eAAe,EACf,kBAAkB,EAClB,eAAe,EACf,iBAAiB,EACjB,cAAc,GACf,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,SAAS,EACT,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,wBAAwB,EACxB,kBAAkB,EAClB,kBAAkB,EAClB,uBAAuB,EACvB,0BAA0B,EAC1B,0BAA0B,GAC3B,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAGvG,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,kBAAkB,EAClB,wBAAwB,EACxB,WAAW,EACX,gBAAgB,EAChB,qBAAqB,EACrB,2BAA2B,GAC5B,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAG1E,OAAO,EACL,UAAU,EACV,YAAY,EACZ,WAAW,EACX,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EACV,aAAa,EACb,WAAW,EACX,YAAY,EACZ,iBAAiB,GAClB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAGzD,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,oBAAoB,EACpB,kBAAkB,EAClB,cAAc,EACd,kBAAkB,EAClB,kBAAkB,EAClB,mBAAmB,EACnB,gBAAgB,GACjB,MAAM,cAAc,CAAC;AACtB,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,OAAO,EACL,YAAY,EACZ,cAAc,EACd,cAAc,GACf,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,cAAc,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAGjF,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGrF,OAAO,EACL,UAAU,EACV,cAAc,EACd,WAAW,EACX,WAAW,EACX,WAAW,EACX,kBAAkB,EAClB,SAAS,EACT,UAAU,EACV,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,aAAa,EACb,WAAW,EACX,YAAY,EACZ,gBAAgB,EAChB,gBAAgB,EAChB,YAAY,EACZ,WAAW,EACX,SAAS,EACT,cAAc,GACf,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,UAAU,EACV,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,UAAU,EACV,eAAe,EACf,kBAAkB,EAClB,sBAAsB,EACtB,wBAAwB,EACxB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,aAAa,EACb,UAAU,EACV,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,WAAW,EACX,WAAW,EACX,aAAa,EACb,iBAAiB,GAClB,MAAM,4BAA4B,CAAC;AACpC,YAAY,EAAE,OAAO,EAAE,MAAM,4BAA4B,CAAC;AAG1D,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,kBAAkB,EAClB,YAAY,EACZ,eAAe,EACf,qBAAqB,GACtB,MAAM,2BAA2B,CAAC;AACnC,YAAY,EACV,mBAAmB,EACnB,oBAAoB,EACpB,WAAW,GACZ,MAAM,2BAA2B,CAAC;AAGnC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAGzD,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,GACf,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG7D,cAAc,sBAAsB,CAAC;AAQrC,YAAY,EACV,WAAW,EACX,UAAU,EACV,eAAe,EACf,iBAAiB,EACjB,yBAAyB,GAC1B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,GAAG,EACH,aAAa,EACb,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,oBAAoB,EACpB,+BAA+B,GAChC,MAAM,qBAAqB,CAAC;AAG7B,YAAY,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AACnE,OAAO,EACL,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC"}

package/dist/index.js

@@ -69,4 +69,6 @@ export { isPrivateUrl, safeFetch, safeFetchBinary } from './import/ssrf.js';
 export { SmtpEmailAdapter, ResendEmailAdapter, ConsoleEmailAdapter, emailTemplates, } from './email.js';
 // Public API (admin-scoped Bearer keys for external consumers)
 export * from './publicApi/index.js';
+export { run, getFediClient, setFediClientFactory, ActionUnavailable, InsufficientScopes, LinkedIdentityRevoked, checkIdentityConfig, assertIdentityConfig, createMastodonFediClientFactory, } from './identity/index.js';
+export { getDecryptedAccessToken, revokeFederatedAccountGrant, } from './federation/oauth.js';
 //# sourceMappingURL=index.js.map