@de-otio/trellis 0.6.0 → 0.7.0

Files changed (339) hide show
  1. package/dist/env.d.ts +21 -0
  2. package/dist/env.d.ts.map +1 -1
  3. package/dist/env.js +12 -0
  4. package/dist/env.js.map +1 -1
  5. package/dist/lambda/nightly-cron.d.ts.map +1 -1
  6. package/dist/lambda/nightly-cron.js +5 -2
  7. package/dist/lambda/nightly-cron.js.map +1 -1
  8. package/dist/lambda/post-confirmation.d.ts +30 -0
  9. package/dist/lambda/post-confirmation.d.ts.map +1 -1
  10. package/dist/lambda/post-confirmation.js +333 -29
  11. package/dist/lambda/post-confirmation.js.map +1 -1
  12. package/dist/lambda/pre-token-generation.d.ts +20 -0
  13. package/dist/lambda/pre-token-generation.d.ts.map +1 -1
  14. package/dist/lambda/pre-token-generation.js +233 -48
  15. package/dist/lambda/pre-token-generation.js.map +1 -1
  16. package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
  17. package/dist/lib/activitypub/activity-processor.js +2 -1
  18. package/dist/lib/activitypub/activity-processor.js.map +1 -1
  19. package/dist/lib/activitypub/group-service.d.ts +2 -2
  20. package/dist/lib/activitypub/group-service.d.ts.map +1 -1
  21. package/dist/lib/activitypub/group-service.js +5 -2
  22. package/dist/lib/activitypub/group-service.js.map +1 -1
  23. package/dist/lib/age-tier-transition.d.ts.map +1 -1
  24. package/dist/lib/age-tier-transition.js +19 -10
  25. package/dist/lib/age-tier-transition.js.map +1 -1
  26. package/dist/lib/audit/csv-export.d.ts +25 -0
  27. package/dist/lib/audit/csv-export.d.ts.map +1 -0
  28. package/dist/lib/audit/csv-export.js +54 -0
  29. package/dist/lib/audit/csv-export.js.map +1 -0
  30. package/dist/lib/audit/emit.d.ts +56 -0
  31. package/dist/lib/audit/emit.d.ts.map +1 -0
  32. package/dist/lib/audit/emit.js +124 -0
  33. package/dist/lib/audit/emit.js.map +1 -0
  34. package/dist/lib/audit/event-types.d.ts +36 -0
  35. package/dist/lib/audit/event-types.d.ts.map +1 -0
  36. package/dist/lib/audit/event-types.js +69 -0
  37. package/dist/lib/audit/event-types.js.map +1 -0
  38. package/dist/lib/audit/pii-filter.d.ts +22 -0
  39. package/dist/lib/audit/pii-filter.d.ts.map +1 -0
  40. package/dist/lib/audit/pii-filter.js +51 -0
  41. package/dist/lib/audit/pii-filter.js.map +1 -0
  42. package/dist/lib/audit-logger.js +1 -1
  43. package/dist/lib/audit-logger.js.map +1 -1
  44. package/dist/lib/auth/auth-context.d.ts +34 -0
  45. package/dist/lib/auth/auth-context.d.ts.map +1 -0
  46. package/dist/lib/auth/auth-context.js +10 -0
  47. package/dist/lib/auth/auth-context.js.map +1 -0
  48. package/dist/lib/auth/auth-middleware.d.ts +50 -0
  49. package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
  50. package/dist/lib/auth/auth-middleware.js +153 -0
  51. package/dist/lib/auth/auth-middleware.js.map +1 -0
  52. package/dist/lib/auth/capabilities.d.ts +40 -0
  53. package/dist/lib/auth/capabilities.d.ts.map +1 -0
  54. package/dist/lib/auth/capabilities.js +44 -0
  55. package/dist/lib/auth/capabilities.js.map +1 -0
  56. package/dist/lib/auth/claims-cache.d.ts +70 -0
  57. package/dist/lib/auth/claims-cache.d.ts.map +1 -0
  58. package/dist/lib/auth/claims-cache.js +139 -0
  59. package/dist/lib/auth/claims-cache.js.map +1 -0
  60. package/dist/lib/auth/cognito-jwt.d.ts +6 -0
  61. package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
  62. package/dist/lib/auth/cognito-jwt.js.map +1 -1
  63. package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
  64. package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
  65. package/dist/lib/auth/idp-redirect-builder.js +48 -0
  66. package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
  67. package/dist/lib/auth/require.d.ts +51 -0
  68. package/dist/lib/auth/require.d.ts.map +1 -0
  69. package/dist/lib/auth/require.js +99 -0
  70. package/dist/lib/auth/require.js.map +1 -0
  71. package/dist/lib/auth/role-grants.d.ts +18 -0
  72. package/dist/lib/auth/role-grants.d.ts.map +1 -0
  73. package/dist/lib/auth/role-grants.js +62 -0
  74. package/dist/lib/auth/role-grants.js.map +1 -0
  75. package/dist/lib/cognito/idp-sdk.d.ts +80 -0
  76. package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
  77. package/dist/lib/cognito/idp-sdk.js +186 -0
  78. package/dist/lib/cognito/idp-sdk.js.map +1 -0
  79. package/dist/lib/cognito/issuer-probe.d.ts +47 -0
  80. package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
  81. package/dist/lib/cognito/issuer-probe.js +319 -0
  82. package/dist/lib/cognito/issuer-probe.js.map +1 -0
  83. package/dist/lib/comment-handler.d.ts +7 -7
  84. package/dist/lib/comment-handler.d.ts.map +1 -1
  85. package/dist/lib/comment-handler.js +23 -20
  86. package/dist/lib/comment-handler.js.map +1 -1
  87. package/dist/lib/compliance/baseline.d.ts +15 -0
  88. package/dist/lib/compliance/baseline.d.ts.map +1 -0
  89. package/dist/lib/compliance/baseline.js +205 -0
  90. package/dist/lib/compliance/baseline.js.map +1 -0
  91. package/dist/lib/compliance/tenant-merge.d.ts +35 -0
  92. package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
  93. package/dist/lib/compliance/tenant-merge.js +80 -0
  94. package/dist/lib/compliance/tenant-merge.js.map +1 -0
  95. package/dist/lib/compliance/types.d.ts +135 -0
  96. package/dist/lib/compliance/types.d.ts.map +1 -0
  97. package/dist/lib/compliance/types.js +9 -0
  98. package/dist/lib/compliance/types.js.map +1 -0
  99. package/dist/lib/connection-code-handler.d.ts +4 -4
  100. package/dist/lib/connection-code-handler.d.ts.map +1 -1
  101. package/dist/lib/connection-code-handler.js +21 -11
  102. package/dist/lib/connection-code-handler.js.map +1 -1
  103. package/dist/lib/feed-handler.d.ts +2 -2
  104. package/dist/lib/feed-handler.d.ts.map +1 -1
  105. package/dist/lib/feed-handler.js +5 -9
  106. package/dist/lib/feed-handler.js.map +1 -1
  107. package/dist/lib/middleware/idempotency-store.d.ts +86 -0
  108. package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
  109. package/dist/lib/middleware/idempotency-store.js +109 -0
  110. package/dist/lib/middleware/idempotency-store.js.map +1 -0
  111. package/dist/lib/middleware/idempotency.d.ts +37 -0
  112. package/dist/lib/middleware/idempotency.d.ts.map +1 -0
  113. package/dist/lib/middleware/idempotency.js +358 -0
  114. package/dist/lib/middleware/idempotency.js.map +1 -0
  115. package/dist/lib/net/trusted-client-ip.d.ts +39 -0
  116. package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
  117. package/dist/lib/net/trusted-client-ip.js +100 -0
  118. package/dist/lib/net/trusted-client-ip.js.map +1 -0
  119. package/dist/lib/notification-handler.d.ts +5 -5
  120. package/dist/lib/notification-handler.d.ts.map +1 -1
  121. package/dist/lib/notification-handler.js +11 -9
  122. package/dist/lib/notification-handler.js.map +1 -1
  123. package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
  124. package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
  125. package/dist/lib/oauth/cognito-issuer.js +53 -0
  126. package/dist/lib/oauth/cognito-issuer.js.map +1 -0
  127. package/dist/lib/oauth/device-authorization.d.ts +145 -0
  128. package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
  129. package/dist/lib/oauth/device-authorization.js +312 -0
  130. package/dist/lib/oauth/device-authorization.js.map +1 -0
  131. package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
  132. package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
  133. package/dist/lib/oauth/envelope-crypto.js +223 -0
  134. package/dist/lib/oauth/envelope-crypto.js.map +1 -0
  135. package/dist/lib/oauth/refresh-detection.d.ts +126 -0
  136. package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
  137. package/dist/lib/oauth/refresh-detection.js +248 -0
  138. package/dist/lib/oauth/refresh-detection.js.map +1 -0
  139. package/dist/lib/openapi/generator.d.ts +78 -0
  140. package/dist/lib/openapi/generator.d.ts.map +1 -0
  141. package/dist/lib/openapi/generator.js +201 -0
  142. package/dist/lib/openapi/generator.js.map +1 -0
  143. package/dist/lib/post-handler.d.ts +1 -1
  144. package/dist/lib/post-handler.d.ts.map +1 -1
  145. package/dist/lib/post-handler.js +4 -15
  146. package/dist/lib/post-handler.js.map +1 -1
  147. package/dist/lib/rate-limit.d.ts.map +1 -1
  148. package/dist/lib/rate-limit.js +11 -3
  149. package/dist/lib/rate-limit.js.map +1 -1
  150. package/dist/lib/routes/agent-authorize.d.ts +32 -0
  151. package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
  152. package/dist/lib/routes/agent-authorize.js +479 -0
  153. package/dist/lib/routes/agent-authorize.js.map +1 -0
  154. package/dist/lib/routes/agent-sessions.d.ts +20 -0
  155. package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
  156. package/dist/lib/routes/agent-sessions.js +124 -0
  157. package/dist/lib/routes/agent-sessions.js.map +1 -0
  158. package/dist/lib/routes/agent-surface.d.ts +37 -0
  159. package/dist/lib/routes/agent-surface.d.ts.map +1 -0
  160. package/dist/lib/routes/agent-surface.js +208 -0
  161. package/dist/lib/routes/agent-surface.js.map +1 -0
  162. package/dist/lib/routes/auth-discover.d.ts +18 -0
  163. package/dist/lib/routes/auth-discover.d.ts.map +1 -0
  164. package/dist/lib/routes/auth-discover.js +177 -0
  165. package/dist/lib/routes/auth-discover.js.map +1 -0
  166. package/dist/lib/routes/comments.d.ts.map +1 -1
  167. package/dist/lib/routes/comments.js +36 -7
  168. package/dist/lib/routes/comments.js.map +1 -1
  169. package/dist/lib/routes/connection-codes.d.ts.map +1 -1
  170. package/dist/lib/routes/connection-codes.js +21 -4
  171. package/dist/lib/routes/connection-codes.js.map +1 -1
  172. package/dist/lib/routes/content-discovery.d.ts.map +1 -1
  173. package/dist/lib/routes/content-discovery.js +18 -13
  174. package/dist/lib/routes/content-discovery.js.map +1 -1
  175. package/dist/lib/routes/dashboard.js +1 -1
  176. package/dist/lib/routes/dashboard.js.map +1 -1
  177. package/dist/lib/routes/employees.d.ts.map +1 -1
  178. package/dist/lib/routes/employees.js +57 -15
  179. package/dist/lib/routes/employees.js.map +1 -1
  180. package/dist/lib/routes/entities.d.ts.map +1 -1
  181. package/dist/lib/routes/entities.js +35 -19
  182. package/dist/lib/routes/entities.js.map +1 -1
  183. package/dist/lib/routes/errors.d.ts +34 -0
  184. package/dist/lib/routes/errors.d.ts.map +1 -0
  185. package/dist/lib/routes/errors.js +57 -0
  186. package/dist/lib/routes/errors.js.map +1 -0
  187. package/dist/lib/routes/feeds.d.ts.map +1 -1
  188. package/dist/lib/routes/feeds.js +12 -2
  189. package/dist/lib/routes/feeds.js.map +1 -1
  190. package/dist/lib/routes/index.d.ts.map +1 -1
  191. package/dist/lib/routes/index.js +50 -0
  192. package/dist/lib/routes/index.js.map +1 -1
  193. package/dist/lib/routes/mfa.d.ts.map +1 -1
  194. package/dist/lib/routes/mfa.js +1 -0
  195. package/dist/lib/routes/mfa.js.map +1 -1
  196. package/dist/lib/routes/notifications.d.ts.map +1 -1
  197. package/dist/lib/routes/notifications.js +21 -4
  198. package/dist/lib/routes/notifications.js.map +1 -1
  199. package/dist/lib/routes/oauth.d.ts +15 -0
  200. package/dist/lib/routes/oauth.d.ts.map +1 -0
  201. package/dist/lib/routes/oauth.js +139 -0
  202. package/dist/lib/routes/oauth.js.map +1 -0
  203. package/dist/lib/routes/posts.d.ts.map +1 -1
  204. package/dist/lib/routes/posts.js +30 -19
  205. package/dist/lib/routes/posts.js.map +1 -1
  206. package/dist/lib/routes/products.d.ts.map +1 -1
  207. package/dist/lib/routes/products.js +19 -22
  208. package/dist/lib/routes/products.js.map +1 -1
  209. package/dist/lib/routes/setup-status.d.ts +34 -0
  210. package/dist/lib/routes/setup-status.d.ts.map +1 -0
  211. package/dist/lib/routes/setup-status.js +87 -0
  212. package/dist/lib/routes/setup-status.js.map +1 -0
  213. package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
  214. package/dist/lib/routes/taxonomy-analytics.js +15 -14
  215. package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
  216. package/dist/lib/routes/taxonomy.d.ts.map +1 -1
  217. package/dist/lib/routes/taxonomy.js +19 -16
  218. package/dist/lib/routes/taxonomy.js.map +1 -1
  219. package/dist/lib/routes/tenant-audit.d.ts +19 -0
  220. package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
  221. package/dist/lib/routes/tenant-audit.js +244 -0
  222. package/dist/lib/routes/tenant-audit.js.map +1 -0
  223. package/dist/lib/routes/tenant-compliance.d.ts +21 -0
  224. package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
  225. package/dist/lib/routes/tenant-compliance.js +122 -0
  226. package/dist/lib/routes/tenant-compliance.js.map +1 -0
  227. package/dist/lib/routes/tenant-domains.d.ts +11 -0
  228. package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
  229. package/dist/lib/routes/tenant-domains.js +95 -0
  230. package/dist/lib/routes/tenant-domains.js.map +1 -0
  231. package/dist/lib/routes/tenant-idp.d.ts +3 -0
  232. package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
  233. package/dist/lib/routes/tenant-idp.js +89 -0
  234. package/dist/lib/routes/tenant-idp.js.map +1 -0
  235. package/dist/lib/routes/tenant-members.d.ts +13 -0
  236. package/dist/lib/routes/tenant-members.d.ts.map +1 -0
  237. package/dist/lib/routes/tenant-members.js +75 -0
  238. package/dist/lib/routes/tenant-members.js.map +1 -0
  239. package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
  240. package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
  241. package/dist/lib/routes/tenant-role-mappings.js +90 -0
  242. package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
  243. package/dist/lib/routes/tenants.d.ts +13 -0
  244. package/dist/lib/routes/tenants.d.ts.map +1 -0
  245. package/dist/lib/routes/tenants.js +121 -0
  246. package/dist/lib/routes/tenants.js.map +1 -0
  247. package/dist/lib/routes/types.d.ts +9 -0
  248. package/dist/lib/routes/types.d.ts.map +1 -1
  249. package/dist/lib/schemas.d.ts +2 -2
  250. package/dist/lib/secrets/idp-secrets.d.ts +51 -0
  251. package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
  252. package/dist/lib/secrets/idp-secrets.js +111 -0
  253. package/dist/lib/secrets/idp-secrets.js.map +1 -0
  254. package/dist/lib/security-monitor.d.ts.map +1 -1
  255. package/dist/lib/security-monitor.js +6 -1
  256. package/dist/lib/security-monitor.js.map +1 -1
  257. package/dist/lib/session-manager.d.ts +1 -0
  258. package/dist/lib/session-manager.d.ts.map +1 -1
  259. package/dist/lib/session-manager.js.map +1 -1
  260. package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
  261. package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
  262. package/dist/lib/taxonomy-handler-factory.js +8 -7
  263. package/dist/lib/taxonomy-handler-factory.js.map +1 -1
  264. package/dist/lib/tenant/audit-emit.d.ts +18 -0
  265. package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
  266. package/dist/lib/tenant/audit-emit.js +16 -0
  267. package/dist/lib/tenant/audit-emit.js.map +1 -0
  268. package/dist/lib/tenant/derive-domain.d.ts +19 -0
  269. package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
  270. package/dist/lib/tenant/derive-domain.js +38 -0
  271. package/dist/lib/tenant/derive-domain.js.map +1 -0
  272. package/dist/lib/tenant/domain-handler.d.ts +42 -0
  273. package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
  274. package/dist/lib/tenant/domain-handler.js +344 -0
  275. package/dist/lib/tenant/domain-handler.js.map +1 -0
  276. package/dist/lib/tenant/domain-validator.d.ts +28 -0
  277. package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
  278. package/dist/lib/tenant/domain-validator.js +145 -0
  279. package/dist/lib/tenant/domain-validator.js.map +1 -0
  280. package/dist/lib/tenant/domain-verifier.d.ts +30 -0
  281. package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
  282. package/dist/lib/tenant/domain-verifier.js +53 -0
  283. package/dist/lib/tenant/domain-verifier.js.map +1 -0
  284. package/dist/lib/tenant/idp-handler.d.ts +29 -0
  285. package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
  286. package/dist/lib/tenant/idp-handler.js +693 -0
  287. package/dist/lib/tenant/idp-handler.js.map +1 -0
  288. package/dist/lib/tenant/idp-name.d.ts +2 -0
  289. package/dist/lib/tenant/idp-name.d.ts.map +1 -0
  290. package/dist/lib/tenant/idp-name.js +20 -0
  291. package/dist/lib/tenant/idp-name.js.map +1 -0
  292. package/dist/lib/tenant/member-handler.d.ts +31 -0
  293. package/dist/lib/tenant/member-handler.d.ts.map +1 -0
  294. package/dist/lib/tenant/member-handler.js +343 -0
  295. package/dist/lib/tenant/member-handler.js.map +1 -0
  296. package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
  297. package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
  298. package/dist/lib/tenant/reserved-slugs.js +116 -0
  299. package/dist/lib/tenant/reserved-slugs.js.map +1 -0
  300. package/dist/lib/tenant/resolve-role.d.ts +39 -0
  301. package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
  302. package/dist/lib/tenant/resolve-role.js +60 -0
  303. package/dist/lib/tenant/resolve-role.js.map +1 -0
  304. package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
  305. package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
  306. package/dist/lib/tenant/role-mapping-handler.js +260 -0
  307. package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
  308. package/dist/lib/tenant/setup-status.d.ts +83 -0
  309. package/dist/lib/tenant/setup-status.d.ts.map +1 -0
  310. package/dist/lib/tenant/setup-status.js +201 -0
  311. package/dist/lib/tenant/setup-status.js.map +1 -0
  312. package/dist/lib/tenant/slug-validator.d.ts +31 -0
  313. package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
  314. package/dist/lib/tenant/slug-validator.js +42 -0
  315. package/dist/lib/tenant/slug-validator.js.map +1 -0
  316. package/dist/lib/tenant/tenant-handler.d.ts +49 -0
  317. package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
  318. package/dist/lib/tenant/tenant-handler.js +377 -0
  319. package/dist/lib/tenant/tenant-handler.js.map +1 -0
  320. package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
  321. package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
  322. package/dist/lib/tenant/transfer-ownership.js +66 -0
  323. package/dist/lib/tenant/transfer-ownership.js.map +1 -0
  324. package/dist/lib/user/derive-handle.d.ts +29 -0
  325. package/dist/lib/user/derive-handle.d.ts.map +1 -0
  326. package/dist/lib/user/derive-handle.js +65 -0
  327. package/dist/lib/user/derive-handle.js.map +1 -0
  328. package/dist/lib/user-deprovisioning.d.ts +11 -1
  329. package/dist/lib/user-deprovisioning.d.ts.map +1 -1
  330. package/dist/lib/user-deprovisioning.js +46 -2
  331. package/dist/lib/user-deprovisioning.js.map +1 -1
  332. package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
  333. package/package.json +6 -3
  334. package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
  335. package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
  336. package/prisma/schema.prisma +324 -74
  337. package/src/lambda/nightly-cron.ts +4 -1
  338. package/src/lambda/post-confirmation.ts +405 -29
  339. package/src/lambda/pre-token-generation.ts +300 -59
@@ -1 +1 @@
1
- {"version":3,"file":"notification-handler.js","sourceRoot":"","sources":["../../src/lib/notification-handler.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAMH,8BAAqC;AACrC,qCAAkC;AAgBlC,wEAAwE;AACxE,MAAM,oBAAoB,GAAuB;IAC/C,cAAc;IACd,eAAe;CAChB,CAAC;AAEF,MAAa,mBAAmB;IAC9B;;;OAGG;IACH,KAAK,CAAC,kBAAkB,CACtB,MAAc,EACd,IAAsB,EACtB,KAAa,EACb,IAAY,EACZ,IAAS,EACT,GAAQ;QAER,MAAM,MAAM,GAAG,eAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACvC,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAE9D,mFAAmF;YACnF,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,sBAAsB,CAAC,UAAU,CAAC;oBACvD,KAAK,EAAE,EAAE,MAAM,EAAE;iBAClB,CAAC,CAAC;gBAEH,IAAI,KAAK,EAAE,CAAC;oBACV,oCAAoC;oBACpC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;oBAChD,IAAI,CAAC,OAAO,EAAE,CAAC;wBACb,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;4BACrD,MAAM;4BACN,IAAI;yBACL,CAAC,CAAC;wBACH,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;oBACpB,CAAC;gBACH,CAAC;YACH,CAAC;YAED,iEAAiE;YACjE,IAAI,WAAW,GAAgB,IAAI,IAAI,EAAE,CAAC;YAE1C,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;oBACpC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;oBACrB,MAAM,EAAE;wBACN,iBAAiB,EAAE,IAAI;wBACvB,eAAe,EAAE,IAAI;wBACrB,aAAa,EAAE,IAAI;qBACpB;iBACF,CAAC,CAAC;gBAEH,IAAI,IAAI,EAAE,iBAAiB,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;oBACzD,kDAAkD;oBAClD,WAAW,GAAG,IAAI,CAAC;gBACrB,CAAC;YACH,CAAC;YAED,yBAAyB;YACzB,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;gBAChD,IAAI,EAAE;oBACJ,MAAM;oBACN,IAAI;oBACJ,KAAK;oBACL,IAAI;oBACJ,IAAI,EAAE,IAAI,IAAI,SAAS;oBACvB,WAAW;iBACZ;aACF,CAAC,CAAC;YAEH,OAAO,EAAE,EAAE,EAAE,YAAY,CAAC,EAAE,EAAE,CAAC;QACjC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;YACpD,MAAM,KAAK,CAAC;QACd,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,OAAO,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CACpB,MAAc,EACd,MAAqB,EACrB,KAAa,EACb,GAAQ;QAER,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,M
AAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAEnD,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC;gBACnD,KAAK,EAAE;oBACL,MAAM;oBACN,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC3D;gBACD,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;gBAC9B,IAAI,EAAE,SAAS,GAAG,CAAC;aACpB,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,GAAG,SAAS,CAAC;YACjD,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;YAEhD,OAAO;gBACL,aAAa,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC/B,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,KAAK,EAAE,CAAC,CAAC,KAAK;oBACd,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,SAAS,EAAE,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;iBACrC,CAAC,CAAC;gBACH,MAAM,EAAE,OAAO;oBACb,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;oBACjD,CAAC,CAAC,SAAS;gBACb,OAAO;aACR,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,OAAO,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CACZ,MAAc,EACd,cAAsB,EACtB,GAAQ;QAER,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC;gBACnD,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;aACtC,CAAC,CAAC;YAEH,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,MAAM,IAAI,yBAAyB,CAAC,cAAc,CAAC,CAAC;YACtD,CAAC;YAED,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;gBAC3B,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE;gBAC7B,IAAI,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;aACrB,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,OAAO,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,GAAQ;QACxC,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC;gBAC/B,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE;gBAC9B,IAAI,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;aACrB,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,OAAO,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,cAAc,C
AClB,MAAc,EACd,OAAe,EACf,GAAQ;QAER,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,IAAI,OAAO,KAAK,OAAO,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;gBAC9C,oDAAoD;gBACpD,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC;oBAC5C,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE;oBAC9B,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE;iBACrB,CAAC,CAAC;gBACH,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC;YAChC,CAAC;YAED,4BAA4B;YAC5B,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,KAAK,CAAC;gBACxC,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE;aAC/B,CAAC,CAAC;YAEH,OAAO,EAAE,SAAS,EAAE,KAAK,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC;QACzC,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,OAAO,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,aAAa,CACnB,IAAsB,EACtB,KAMC;QAED,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,gBAAgB;gBACnB,OAAO,KAAK,CAAC,SAAS,CAAC;YACzB,KAAK,QAAQ;gBACX,OAAO,KAAK,CAAC,aAAa,CAAC;YAC7B,KAAK,kBAAkB;gBACrB,OAAO,KAAK,CAAC,aAAa,CAAC;YAC7B,KAAK,QAAQ;gBACX,OAAO,KAAK,CAAC,aAAa,CAAC;YAC7B,KAAK,sBAAsB,CAAC;YAC5B,KAAK,2BAA2B,CAAC;YACjC,KAAK,cAAc,CAAC;YACpB,KAAK,8BAA8B,CAAC;YACpC,KAAK,+BAA+B,CAAC;YACrC,KAAK,0BAA0B;gBAC7B,OAAO,KAAK,CAAC,mBAAmB,CAAC;YACnC,+DAA+D;YAC/D;gBACE,OAAO,IAAI,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,IAItB;QACC,IACE,CAAC,IAAI,CAAC,iBAAiB;YACvB,IAAI,CAAC,eAAe,IAAI,IAAI;YAC5B,IAAI,CAAC,aAAa,IAAI,IAAI,EAC1B,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,oBAAoB,GAAG,GAAG,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC;QACpE,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC;QAE/B,sDAAsD;QACtD,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;YAChB,OAAO,oBAAoB,IAAI,KAAK,IAAI,oBAAoB,GAAG,GAAG,CAAC;QACrE,CAAC;QAED,8CAA8C;QAC9C,OAAO,oBAAoB,IAAI,KAAK,IAAI,oBAAoB,GAAG,GAAG,CAAC;IACrE,CAAC;CACF;AAzQD,kDAyQC;AAED,MAAa,yBAA0B,SAAQ,KAAK;IAClD,YAAY,cAAsB;QAChC,KAAK,CAAC,gBAAgB,cAAc,YAAY,CAAC,CAAC;QAClD,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;IAC1C,CAAC;CACF;AALD,8DAKC"}
1
+ {"version":3,"file":"notification-handler.js","sourceRoot":"","sources":["../../src/lib/notification-handler.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAMH,8BAAqC;AACrC,qCAAkC;AAgBlC,wEAAwE;AACxE,MAAM,oBAAoB,GAAuB;IAC/C,cAAc;IACd,eAAe;CAChB,CAAC;AAEF,MAAa,mBAAmB;IAC9B;;;OAGG;IACH,KAAK,CAAC,kBAAkB,CACtB,MAAc,EACd,IAAsB,EACtB,KAAa,EACb,IAAY,EACZ,IAAS,EACT,GAAQ,EACR,QAAgB;QAEhB,MAAM,MAAM,GAAG,eAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACvC,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAE9D,mFAAmF;YACnF,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,sBAAsB,CAAC,UAAU,CAAC;oBACvD,KAAK,EAAE,EAAE,MAAM,EAAE;iBAClB,CAAC,CAAC;gBAEH,IAAI,KAAK,EAAE,CAAC;oBACV,oCAAoC;oBACpC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;oBAChD,IAAI,CAAC,OAAO,EAAE,CAAC;wBACb,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;4BACrD,MAAM;4BACN,IAAI;yBACL,CAAC,CAAC;wBACH,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;oBACpB,CAAC;gBACH,CAAC;YACH,CAAC;YAED,iEAAiE;YACjE,IAAI,WAAW,GAAgB,IAAI,IAAI,EAAE,CAAC;YAE1C,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;oBACpC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;oBACrB,MAAM,EAAE;wBACN,iBAAiB,EAAE,IAAI;wBACvB,eAAe,EAAE,IAAI;wBACrB,aAAa,EAAE,IAAI;qBACpB;iBACF,CAAC,CAAC;gBAEH,IAAI,IAAI,EAAE,iBAAiB,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;oBACzD,kDAAkD;oBAClD,WAAW,GAAG,IAAI,CAAC;gBACrB,CAAC;YACH,CAAC;YAED,yBAAyB;YACzB,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;gBAChD,IAAI,EAAE;oBACJ,MAAM;oBACN,IAAI;oBACJ,KAAK;oBACL,IAAI;oBACJ,IAAI,EAAE,IAAI,IAAI,SAAS;oBACvB,WAAW;oBACX,QAAQ;iBACT;aACF,CAAC,CAAC;YAEH,OAAO,EAAE,EAAE,EAAE,YAAY,CAAC,EAAE,EAAE,CAAC;QACjC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;YACpD,MAAM,KAAK,CAAC;QACd,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,OAAO,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CACpB,MAAc,EACd,MAAqB,EACrB,KAAa,EACb,GAAQ,EACR,QAAgB;QAEhB,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GA
AG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAEnD,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC;gBACnD,KAAK,EAAE;oBACL,MAAM;oBACN,QAAQ;oBACR,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC3D;gBACD,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;gBAC9B,IAAI,EAAE,SAAS,GAAG,CAAC;aACpB,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,GAAG,SAAS,CAAC;YACjD,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;YAEhD,OAAO;gBACL,aAAa,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC/B,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,KAAK,EAAE,CAAC,CAAC,KAAK;oBACd,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,SAAS,EAAE,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;iBACrC,CAAC,CAAC;gBACH,MAAM,EAAE,OAAO;oBACb,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;oBACjD,CAAC,CAAC,SAAS;gBACb,OAAO;aACR,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,OAAO,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CACZ,MAAc,EACd,cAAsB,EACtB,GAAQ,EACR,QAAgB;QAEhB,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC;gBACnD,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE;aAChD,CAAC,CAAC;YAEH,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,MAAM,IAAI,yBAAyB,CAAC,cAAc,CAAC,CAAC;YACtD,CAAC;YAED,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;gBAC3B,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE;gBAC7B,IAAI,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;aACrB,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,OAAO,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,GAAQ,EAAE,QAAgB;QAC1D,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC;gBAC/B,KAAK,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE;gBACxC,IAAI,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;aACrB,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;Y
ACT,MAAM,EAAE,CAAC,OAAO,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,cAAc,CAClB,MAAc,EACd,OAAe,EACf,GAAQ,EACR,QAAgB;QAEhB,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,IAAI,OAAO,KAAK,OAAO,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;gBAC9C,oDAAoD;gBACpD,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC;oBAC5C,KAAK,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE;oBACxC,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE;iBACrB,CAAC,CAAC;gBACH,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC;YAChC,CAAC;YAED,4BAA4B;YAC5B,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,KAAK,CAAC;gBACxC,KAAK,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE;aACzC,CAAC,CAAC;YAEH,OAAO,EAAE,SAAS,EAAE,KAAK,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC;QACzC,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,OAAO,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,aAAa,CACnB,IAAsB,EACtB,KAMC;QAED,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,gBAAgB;gBACnB,OAAO,KAAK,CAAC,SAAS,CAAC;YACzB,KAAK,QAAQ;gBACX,OAAO,KAAK,CAAC,aAAa,CAAC;YAC7B,KAAK,kBAAkB;gBACrB,OAAO,KAAK,CAAC,aAAa,CAAC;YAC7B,KAAK,QAAQ;gBACX,OAAO,KAAK,CAAC,aAAa,CAAC;YAC7B,KAAK,sBAAsB,CAAC;YAC5B,KAAK,2BAA2B,CAAC;YACjC,KAAK,cAAc,CAAC;YACpB,KAAK,8BAA8B,CAAC;YACpC,KAAK,+BAA+B,CAAC;YACrC,KAAK,0BAA0B;gBAC7B,OAAO,KAAK,CAAC,mBAAmB,CAAC;YACnC,+DAA+D;YAC/D;gBACE,OAAO,IAAI,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,IAItB;QACC,IACE,CAAC,IAAI,CAAC,iBAAiB;YACvB,IAAI,CAAC,eAAe,IAAI,IAAI;YAC5B,IAAI,CAAC,aAAa,IAAI,IAAI,EAC1B,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,oBAAoB,GAAG,GAAG,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC;QACpE,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC;QAE/B,sDAAsD;QACtD,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;YAChB,OAAO,oBAAoB,IAAI,KAAK,IAAI,oBAAoB,GAAG,GAAG,CAAC;QACrE,CAAC;QAED,8CAA8C;QAC9C,OAAO,oBAAoB,IAAI,KAAK,IAAI,oBAAoB,GAAG,GAAG,CAAC;IACrE,CAAC;CACF;AA/QD,kDA+QC;AAED,MAAa,yBAA0B,SAAQ,KAAK;IAClD,YAAY,cAAsB;QAChC,KAAK,CAAC,gBAAgB,cAAc,YAAY,CAAC,CAAC;QAClD,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;IAC1C,CAAC;CA
CF;AALD,8DAKC"}
@@ -0,0 +1,34 @@
1
+ /**
2
+ * Token issuance wrapper for the device-auth approval step.
3
+ *
4
+ * The device-auth flow needs to produce a fresh access+refresh token set
5
+ * scoped to the admin's identity but bound to the agent client id (so
6
+ * audit logs can attribute later API calls to the agent session).
7
+ *
8
+ * Cognito's `AdminInitiateAuth` is the lowest-friction call that fits.
9
+ * This wrapper hides the SDK shape so the route handler stays clean and
10
+ * unit tests can mock a single function.
11
+ */
12
+ import { CognitoIdentityProviderClient } from "@aws-sdk/client-cognito-identity-provider";
13
+ import type { TokenSet } from "./device-authorization";
14
+ export interface CognitoIssuerInput {
15
+ userPoolId: string;
16
+ /** Public agent client id (no client secret). */
17
+ clientId: string;
18
+ /** Admin's Cognito username (sub). */
19
+ username: string;
20
+ /** Admin's current refresh token (from the active web session). */
21
+ refreshToken: string;
22
+ }
23
+ export interface CognitoIssuer {
24
+ issueForAgent(input: CognitoIssuerInput): Promise<TokenSet>;
25
+ }
26
+ /** Default implementation backed by AWS SDK. */
27
+ export declare class AwsCognitoIssuer implements CognitoIssuer {
28
+ private readonly client;
29
+ constructor(client: CognitoIdentityProviderClient);
30
+ issueForAgent(input: CognitoIssuerInput): Promise<TokenSet>;
31
+ }
32
+ /** Build the default issuer using the global Cognito SDK client. */
33
+ export declare function createDefaultIssuer(): CognitoIssuer;
34
+ //# sourceMappingURL=cognito-issuer.d.ts.map
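Review bot: `CognitoIssuerInput.username` is a required field documented as "Admin's Cognito username (sub)", but the compiled `issueForAgent` in cognito-issuer.js never reads it, so nothing ties the issued tokens to that user beyond whoever owns `refreshToken`. Either say so in the declaration, e.g. `/** Admin's Cognito username (sub); currently not used by AwsCognitoIssuer. */`, or have the implementation compare it with the `sub` claim of the returned token before the set is handed to the agent. The `refreshToken` comment should also state whether the returned `TokenSet.refresh_token` can be this same value, because the file header promises a "fresh" token set.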
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cognito-issuer.d.ts","sourceRoot":"","sources":["../../../src/lib/oauth/cognito-issuer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAEL,6BAA6B,EAC9B,MAAM,2CAA2C,CAAC;AACnD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAEvD,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,iDAAiD;IACjD,QAAQ,EAAE,MAAM,CAAC;IACjB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,mEAAmE;IACnE,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC7D;AAED,gDAAgD;AAChD,qBAAa,gBAAiB,YAAW,aAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,6BAA6B;IAE5D,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,QAAQ,CAAC;CAuBlE;AAED,oEAAoE;AACpE,wBAAgB,mBAAmB,IAAI,aAAa,CAKnD"}
@@ -0,0 +1,53 @@
1
+ "use strict";
2
+ /**
3
+ * Token issuance wrapper for the device-auth approval step.
4
+ *
5
+ * The device-auth flow needs to produce a fresh access+refresh token set
6
+ * scoped to the admin's identity but bound to the agent client id (so
7
+ * audit logs can attribute later API calls to the agent session).
8
+ *
9
+ * Cognito's `AdminInitiateAuth` is the lowest-friction call that fits.
10
+ * This wrapper hides the SDK shape so the route handler stays clean and
11
+ * unit tests can mock a single function.
12
+ */
13
+ Object.defineProperty(exports, "__esModule", { value: true });
14
+ exports.AwsCognitoIssuer = void 0;
15
+ exports.createDefaultIssuer = createDefaultIssuer;
16
+ const client_cognito_identity_provider_1 = require("@aws-sdk/client-cognito-identity-provider");
17
+ /** Default implementation backed by AWS SDK. */
18
+ class AwsCognitoIssuer {
19
+ client;
20
+ constructor(client) {
21
+ this.client = client;
22
+ }
23
+ async issueForAgent(input) {
24
+ const out = await this.client.send(new client_cognito_identity_provider_1.AdminInitiateAuthCommand({
25
+ UserPoolId: input.userPoolId,
26
+ ClientId: input.clientId,
27
+ AuthFlow: "REFRESH_TOKEN_AUTH",
28
+ AuthParameters: {
29
+ REFRESH_TOKEN: input.refreshToken,
30
+ },
31
+ }));
32
+ const r = out.AuthenticationResult;
33
+ if (!r?.AccessToken || !r?.ExpiresIn) {
34
+ throw new Error("Cognito AdminInitiateAuth returned no tokens");
35
+ }
36
+ return {
37
+ access_token: r.AccessToken,
38
+ refresh_token: r.RefreshToken ?? input.refreshToken,
39
+ id_token: r.IdToken,
40
+ token_type: "Bearer",
41
+ expires_in: r.ExpiresIn,
42
+ };
43
+ }
44
+ }
45
+ exports.AwsCognitoIssuer = AwsCognitoIssuer;
46
+ /** Build the default issuer using the global Cognito SDK client. */
47
+ function createDefaultIssuer() {
48
+ const client = new client_cognito_identity_provider_1.CognitoIdentityProviderClient({
49
+ region: process.env.COGNITO_REGION || process.env.AWS_REGION || "us-east-1",
50
+ });
51
+ return new AwsCognitoIssuer(client);
52
+ }
53
+ //# sourceMappingURL=cognito-issuer.js.map
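Review bot: In `issueForAgent`, `refresh_token: r.RefreshToken ?? input.refreshToken` hands the admin's own web-session refresh token to the agent whenever Cognito returns none, and as far as I know a `REFRESH_TOKEN_AUTH` call normally returns only new access and ID tokens. The agent would then hold the same long-lived credential as the admin's browser session, so the two cannot be revoked independently and the result is not the "fresh access+refresh token set" the header describes. Failing closed avoids silently sharing it: extend the guard to `if (!r?.AccessToken || !r?.ExpiresIn || !r?.RefreshToken)` and return `refresh_token: r.RefreshToken`. If Cognito cannot mint a separate refresh token on this path, the flow needs a different issuance call rather than the fallback. It is also worth confirming that a refresh token issued to the web client is accepted with the agent `ClientId`, since Cognito generally ties a refresh token to the app client that issued it.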
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cognito-issuer.js","sourceRoot":"","sources":["../../../src/lib/oauth/cognito-issuer.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AAoDH,kDAKC;AAvDD,gGAGmD;AAiBnD,gDAAgD;AAChD,MAAa,gBAAgB;IACE;IAA7B,YAA6B,MAAqC;QAArC,WAAM,GAAN,MAAM,CAA+B;IAAG,CAAC;IAEtE,KAAK,CAAC,aAAa,CAAC,KAAyB;QAC3C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAChC,IAAI,2DAAwB,CAAC;YAC3B,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE;gBACd,aAAa,EAAE,KAAK,CAAC,YAAY;aAClC;SACF,CAAC,CACH,CAAC;QACF,MAAM,CAAC,GAAG,GAAG,CAAC,oBAAoB,CAAC;QACnC,IAAI,CAAC,CAAC,EAAE,WAAW,IAAI,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClE,CAAC;QACD,OAAO;YACL,YAAY,EAAE,CAAC,CAAC,WAAW;YAC3B,aAAa,EAAE,CAAC,CAAC,YAAY,IAAI,KAAK,CAAC,YAAY;YACnD,QAAQ,EAAE,CAAC,CAAC,OAAO;YACnB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,CAAC,CAAC,SAAS;SACxB,CAAC;IACJ,CAAC;CACF;AA1BD,4CA0BC;AAED,oEAAoE;AACpE,SAAgB,mBAAmB;IACjC,MAAM,MAAM,GAAG,IAAI,gEAA6B,CAAC;QAC/C,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,WAAW;KAC5E,CAAC,CAAC;IACH,OAAO,IAAI,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC"}
@@ -0,0 +1,145 @@
1
+ /**
2
+ * RFC 8628 device authorization grant adapter (T9b-d).
3
+ *
4
+ * Three flows:
5
+ * 1. POST /oauth2/device_authorization — issue a device_code/user_code pair.
6
+ * 2. GET/POST /agents/authorize — interactive admin approval (separate file).
7
+ * 3. POST /oauth2/token (grant_type=device_code) — agent polls for tokens.
8
+ *
9
+ * Storage: a single DynamoDB table keyed on `device_code` (the agent's
10
+ * secret) with envelope-encrypted tokens. The user_code is a secondary
11
+ * index entry pointing back at the device_code so the approval page can
12
+ * look up the pending request.
13
+ *
14
+ * Security invariants:
15
+ * - device_code is 256-bit URL-safe random; never echoed in logs.
16
+ * - user_code uses an unambiguous 20-char alphabet; brute-force is
17
+ * bounded by the 10-failure lockout enforced by the approval page.
18
+ * - tokens are encrypted with a per-record DEK derived from device_code;
19
+ * a DynamoDB GetItem alone cannot decrypt.
20
+ * - record TTL flips to NOW+60s on approval. If the agent doesn't poll
21
+ * within 60s the row evaporates (read-once short-window).
22
+ * - successful poll deletes the row before returning (read-once strict).
23
+ */
24
+ import { type SealedEnvelope } from "./envelope-crypto";
25
+ /** Unambiguous user-code alphabet — no 0/O, 1/I/L, 2/Z, U/V, A/H, S/5, etc. */
26
+ export declare const USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ";
27
+ /** 8-character user codes, displayed as `XXXX-XXXX` to humans. */
28
+ export declare const USER_CODE_LEN = 8;
29
+ /** Default RFC 8628 expires_in. */
30
+ export declare const DEFAULT_EXPIRES_IN = 600;
31
+ /** Default RFC 8628 polling interval. */
32
+ export declare const DEFAULT_INTERVAL = 5;
33
+ /** TTL for the post-approval window — agents must poll within this. */
34
+ export declare const POST_APPROVAL_TTL_SECONDS = 60;
35
+ /** Failure lockout threshold for user_code lookups against a single device_code. */
36
+ export declare const USER_CODE_FAILURE_LIMIT = 10;
37
+ export interface DeviceAuthRecord {
38
+ /** Primary key: device_code (the agent's secret). */
39
+ deviceCode: string;
40
+ /** SHA-256 hex of the user_code, for indirect lookup (PII-safe). */
41
+ userCodeHash: string;
42
+ /** Display form of the user code; only present until first GET. */
43
+ userCode?: string;
44
+ status: "pending" | "approved" | "denied";
45
+ /** UTC seconds since epoch — DynamoDB TTL trigger. */
46
+ expiresAt: number;
47
+ createdAt: number;
48
+ /** RFC 8628 polling interval (seconds). */
49
+ interval: number;
50
+ /** Track failed user_code lookups against this device_code. */
51
+ failedLookups: number;
52
+ /** Last poll timestamp; used to enforce `slow_down`. */
53
+ lastPolledAt?: number;
54
+ /** When status === approved, ciphertext blob bound to device_code. */
55
+ envelope?: SealedEnvelope;
56
+ /** Cognito user id of the admin who approved, for audit. */
57
+ approvedByUserId?: string;
58
+ /** Cognito sub bound to the issued tokens, used for revocation. */
59
+ cognitoSub?: string;
60
+ /** Tenant id from the admin's session at approval time. */
61
+ tenantId?: string;
62
+ /** Agent label (User-Agent of the polling client). */
63
+ agentLabel?: string;
64
+ /** Source IP of the agent at request time, anonymised. */
65
+ sourceIp?: string;
66
+ /** Session id (for revocation correlation in the refresh table). */
67
+ sessionId?: string;
68
+ }
69
+ export interface DeviceAuthResponse {
70
+ device_code: string;
71
+ user_code: string;
72
+ verification_uri: string;
73
+ verification_uri_complete: string;
74
+ expires_in: number;
75
+ interval: number;
76
+ }
77
+ export interface TokenSet {
78
+ access_token: string;
79
+ refresh_token: string;
80
+ id_token?: string;
81
+ token_type: "Bearer";
82
+ expires_in: number;
83
+ }
84
+ export interface DeviceAuthPollResult {
85
+ /** "ok" — tokens returned; "pending" — keep polling; "slow_down" — back off; "expired" — restart. */
86
+ outcome: "ok" | "pending" | "slow_down" | "expired" | "denied" | "gone";
87
+ tokens?: TokenSet;
88
+ }
89
+ /** Format a 4-char-grouped human display: `BCDF-GHJK`. */
90
+ export declare function formatUserCode(raw: string): string;
91
+ /** Strip the dash so callers can match the canonical alphabet. */
92
+ export declare function normaliseUserCode(input: string): string;
93
+ /** SHA-256 hex; used as the secondary lookup key for user_code. */
94
+ export declare function hashUserCode(userCode: string): string;
95
+ /**
96
+ * Generate a cryptographically random user_code from the unambiguous alphabet.
97
+ * Uniformly samples by rejecting bytes that would bias the modulo (alphabet
98
+ * length 20 doesn't divide 256 evenly).
99
+ */
100
+ export declare function generateUserCode(rng?: (n: number) => Buffer): string;
101
+ /** 256-bit URL-safe random device_code. */
102
+ export declare function generateDeviceCode(rng?: (n: number) => Buffer): string;
103
+ /**
104
+ * Issue a new device-authorization request. Stores a `pending` record with
105
+ * TTL = expires_in seconds, plus a secondary index row keyed by user_code hash.
106
+ */
107
+ export declare function startDeviceAuthorization(input: {
108
+ expiresIn?: number;
109
+ interval?: number;
110
+ verificationUriBase: string;
111
+ agentLabel?: string;
112
+ sourceIp?: string;
113
+ }): Promise<DeviceAuthResponse>;
114
+ /** Internal helper — load a record by device_code or return null. */
115
+ export declare function loadByDeviceCode(deviceCode: string): Promise<DeviceAuthRecord | null>;
116
+ /** Internal helper — resolve user_code to a device_code via the secondary key. */
117
+ export declare function lookupDeviceCodeByUserCode(userCode: string): Promise<string | null>;
118
+ /**
119
+ * Increment the failed-lookup counter on a device_code. Returns the new count.
120
+ * Once the count exceeds USER_CODE_FAILURE_LIMIT the record is deleted (lockout).
121
+ */
122
+ export declare function incrementFailedLookup(deviceCode: string): Promise<number>;
123
+ /** Delete a device-auth record (e.g. on lockout or successful poll). */
124
+ export declare function invalidateDeviceCode(deviceCode: string): Promise<void>;
125
+ export interface ApprovalContext {
126
+ deviceCode: string;
127
+ approvedByUserId: string;
128
+ cognitoSub: string;
129
+ tenantId: string;
130
+ tokens: TokenSet;
131
+ /** A new session id; used as the refresh-table key after first poll. */
132
+ sessionId: string;
133
+ }
134
+ /**
135
+ * Mark a device-auth record approved and stash the encrypted token blob.
136
+ * Re-keys the record's TTL to NOW + POST_APPROVAL_TTL_SECONDS.
137
+ */
138
+ export declare function approveDeviceAuth(ctx: ApprovalContext): Promise<void>;
139
+ /**
140
+ * Poll for tokens with a device_code. Implements the RFC 8628 §3.5/3.4
141
+ * outcomes: pending, slow_down, ok, expired, denied. On success the
142
+ * record is deleted before tokens return (read-once).
143
+ */
144
+ export declare function pollDeviceAuth(deviceCode: string): Promise<DeviceAuthPollResult>;
145
+ //# sourceMappingURL=device-authorization.d.ts.map
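Review bot: The comment on `USER_CODE_ALPHABET` does not match the constant: it says the set avoids `1/I/L`, `2/Z`, `U/V`, `A/H` and `S/5`, yet `"BCDFGHJKLMNPQRSTVWXZ"` contains L, Z, V, H and S. The string is the 20 upper-case consonants with no vowels or digits, so `/** 20 upper-case consonants; no vowels or digits. */` would describe what is actually excluded. The `outcome` comment on `DeviceAuthPollResult` explains only four of the six values, and `"denied"` and `"gone"` should be described as well. The `sourceIp` field is documented as anonymised, but `startDeviceAuthorization` in device-authorization.js stores `input.sourceIp` as given, so the anonymisation presumably has to happen in the caller and the comment should say that.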
@@ -0,0 +1 @@
1
+ {"version":3,"file":"device-authorization.d.ts","sourceRoot":"","sources":["../../../src/lib/oauth/device-authorization.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAYH,OAAO,EAA0B,KAAK,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEhF,+EAA+E;AAC/E,eAAO,MAAM,kBAAkB,yBAAyB,CAAC;AACzD,kEAAkE;AAClE,eAAO,MAAM,aAAa,IAAI,CAAC;AAC/B,mCAAmC;AACnC,eAAO,MAAM,kBAAkB,MAAM,CAAC;AACtC,yCAAyC;AACzC,eAAO,MAAM,gBAAgB,IAAI,CAAC;AAClC,uEAAuE;AACvE,eAAO,MAAM,yBAAyB,KAAK,CAAC;AAC5C,oFAAoF;AACpF,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,MAAM,WAAW,gBAAgB;IAC/B,qDAAqD;IACrD,UAAU,EAAE,MAAM,CAAC;IACnB,oEAAoE;IACpE,YAAY,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;IAC1C,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,aAAa,EAAE,MAAM,CAAC;IACtB,wDAAwD;IACxD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,sEAAsE;IACtE,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,4DAA4D;IAC5D,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sDAAsD;IACtD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oEAAoE;IACpE,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,yBAAyB,EAAE,MAAM,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,QAAQ;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,oBAAoB;IACnC,qGAAqG;IACrG,OAAO,EAAE,IAAI,GAAG,SAAS,GAAG,WAAW,GAAG,SAAS,GAAG,QAAQ,GAAG,MAAM,CAAC;IACxE,MAAM,CAAC,EAAE,QAAQ,CAAC;CACnB;AAcD,0DAA0D;AAC1D,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGlD;AAED,kEAAkE;AAClE,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEvD;AAED,mEAAmE;AACnE,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAErD;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,GAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAoB,GAAG,MAAM,CAajF;AAED,2CAA
2C;AAC3C,wBAAgB,kBAAkB,CAAC,GAAG,GAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAoB,GAAG,MAAM,CAEnF;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,CAAC,KAAK,EAAE;IACpD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAgE9B;AAED,qEAAqE;AACrE,wBAAsB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAW3F;AAED,kFAAkF;AAClF,wBAAsB,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAYzF;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAuB/E;AAED,wEAAwE;AACxE,wBAAsB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAO5E;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,QAAQ,CAAC;IACjB,wEAAwE;IACxE,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CA4B3E;AAED;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAyCtF"}
@@ -0,0 +1,312 @@
1
+ "use strict";
2
+ /**
3
+ * RFC 8628 device authorization grant adapter (T9b-d).
4
+ *
5
+ * Three flows:
6
+ * 1. POST /oauth2/device_authorization — issue a device_code/user_code pair.
7
+ * 2. GET/POST /agents/authorize — interactive admin approval (separate file).
8
+ * 3. POST /oauth2/token (grant_type=device_code) — agent polls for tokens.
9
+ *
10
+ * Storage: a single DynamoDB table keyed on `device_code` (the agent's
11
+ * secret) with envelope-encrypted tokens. The user_code is a secondary
12
+ * index entry pointing back at the device_code so the approval page can
13
+ * look up the pending request.
14
+ *
15
+ * Security invariants:
16
+ * - device_code is 256-bit URL-safe random; never echoed in logs.
17
+ * - user_code uses an unambiguous 20-char alphabet; brute-force is
18
+ * bounded by the 10-failure lockout enforced by the approval page.
19
+ * - tokens are encrypted with a per-record DEK derived from device_code;
20
+ * a DynamoDB GetItem alone cannot decrypt.
21
+ * - record TTL flips to NOW+60s on approval. If the agent doesn't poll
22
+ * within 60s the row evaporates (read-once short-window).
23
+ * - successful poll deletes the row before returning (read-once strict).
24
+ */
25
+ Object.defineProperty(exports, "__esModule", { value: true });
26
+ exports.USER_CODE_FAILURE_LIMIT = exports.POST_APPROVAL_TTL_SECONDS = exports.DEFAULT_INTERVAL = exports.DEFAULT_EXPIRES_IN = exports.USER_CODE_LEN = exports.USER_CODE_ALPHABET = void 0;
27
+ exports.formatUserCode = formatUserCode;
28
+ exports.normaliseUserCode = normaliseUserCode;
29
+ exports.hashUserCode = hashUserCode;
30
+ exports.generateUserCode = generateUserCode;
31
+ exports.generateDeviceCode = generateDeviceCode;
32
+ exports.startDeviceAuthorization = startDeviceAuthorization;
33
+ exports.loadByDeviceCode = loadByDeviceCode;
34
+ exports.lookupDeviceCodeByUserCode = lookupDeviceCodeByUserCode;
35
+ exports.incrementFailedLookup = incrementFailedLookup;
36
+ exports.invalidateDeviceCode = invalidateDeviceCode;
37
+ exports.approveDeviceAuth = approveDeviceAuth;
38
+ exports.pollDeviceAuth = pollDeviceAuth;
39
+ const client_dynamodb_1 = require("@aws-sdk/client-dynamodb");
40
+ const util_dynamodb_1 = require("@aws-sdk/util-dynamodb");
41
+ const node_crypto_1 = require("node:crypto");
42
+ const envelope_crypto_1 = require("./envelope-crypto");
43
+ /** Unambiguous user-code alphabet — no 0/O, 1/I/L, 2/Z, U/V, A/H, S/5, etc. */
44
+ exports.USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ";
45
+ /** 8-character user codes, displayed as `XXXX-XXXX` to humans. */
46
+ exports.USER_CODE_LEN = 8;
47
+ /** Default RFC 8628 expires_in. */
48
+ exports.DEFAULT_EXPIRES_IN = 600;
49
+ /** Default RFC 8628 polling interval. */
50
+ exports.DEFAULT_INTERVAL = 5;
51
+ /** TTL for the post-approval window — agents must poll within this. */
52
+ exports.POST_APPROVAL_TTL_SECONDS = 60;
53
+ /** Failure lockout threshold for user_code lookups against a single device_code. */
54
+ exports.USER_CODE_FAILURE_LIMIT = 10;
55
+ const ddb = new client_dynamodb_1.DynamoDBClient({
56
+ region: process.env.AWS_REGION || "us-east-1",
57
+ ...(process.env.DYNAMODB_ENDPOINT ? { endpoint: process.env.DYNAMODB_ENDPOINT } : {}),
58
+ });
59
+ function tableName() {
60
+ return (process.env.DEVICE_AUTH_TABLE ||
61
+ `${process.env.STAGE || "dev"}-trellis-device-auth`);
62
+ }
63
+ /** Format a 4-char-grouped human display: `BCDF-GHJK`. */
64
+ function formatUserCode(raw) {
65
+ if (raw.length !== exports.USER_CODE_LEN)
66
+ return raw;
67
+ return `${raw.slice(0, 4)}-${raw.slice(4)}`;
68
+ }
69
+ /** Strip the dash so callers can match the canonical alphabet. */
70
+ function normaliseUserCode(input) {
71
+ return input.replace(/[\s-]/g, "").toUpperCase();
72
+ }
73
+ /** SHA-256 hex; used as the secondary lookup key for user_code. */
74
+ function hashUserCode(userCode) {
75
+ return (0, node_crypto_1.createHash)("sha256").update(userCode).digest("hex");
76
+ }
77
+ /**
78
+ * Generate a cryptographically random user_code from the unambiguous alphabet.
79
+ * Uniformly samples by rejecting bytes that would bias the modulo (alphabet
80
+ * length 20 doesn't divide 256 evenly).
81
+ */
82
+ function generateUserCode(rng = node_crypto_1.randomBytes) {
83
+ const alphaLen = exports.USER_CODE_ALPHABET.length; // 20
84
+ const cutoff = Math.floor(256 / alphaLen) * alphaLen; // 240; reject 240..255
85
+ const out = [];
86
+ while (out.length < exports.USER_CODE_LEN) {
87
+ const buf = rng(exports.USER_CODE_LEN * 2); // oversample
88
+ for (let i = 0; i < buf.length && out.length < exports.USER_CODE_LEN; i++) {
89
+ const b = buf[i];
90
+ if (b >= cutoff)
91
+ continue;
92
+ out.push(exports.USER_CODE_ALPHABET[b % alphaLen]);
93
+ }
94
+ }
95
+ return out.join("");
96
+ }
97
+ /** 256-bit URL-safe random device_code. */
98
+ function generateDeviceCode(rng = node_crypto_1.randomBytes) {
99
+ return rng(32).toString("base64url");
100
+ }
101
+ /**
102
+ * Issue a new device-authorization request. Stores a `pending` record with
103
+ * TTL = expires_in seconds, plus a secondary index row keyed by user_code hash.
104
+ */
105
+ async function startDeviceAuthorization(input) {
106
+ const expiresIn = input.expiresIn ?? exports.DEFAULT_EXPIRES_IN;
107
+ const interval = input.interval ?? exports.DEFAULT_INTERVAL;
108
+ const now = Math.floor(Date.now() / 1000);
109
+ const expiresAt = now + expiresIn;
110
+ const deviceCode = generateDeviceCode();
111
+ const userCode = generateUserCode();
112
+ const userCodeHash = hashUserCode(userCode);
113
+ const record = {
114
+ deviceCode,
115
+ userCodeHash,
116
+ userCode,
117
+ status: "pending",
118
+ expiresAt,
119
+ createdAt: now,
120
+ interval,
121
+ failedLookups: 0,
122
+ agentLabel: input.agentLabel,
123
+ sourceIp: input.sourceIp,
124
+ };
125
+ await ddb.send(new client_dynamodb_1.PutItemCommand({
126
+ TableName: tableName(),
127
+ Item: (0, util_dynamodb_1.marshall)({
128
+ pk: `dc#${deviceCode}`,
129
+ sk: "rec",
130
+ ...record,
131
+ // DynamoDB TTL attribute (seconds since epoch).
132
+ ttl: expiresAt,
133
+ }, { removeUndefinedValues: true }),
134
+ ConditionExpression: "attribute_not_exists(pk)",
135
+ }));
136
+ await ddb.send(new client_dynamodb_1.PutItemCommand({
137
+ TableName: tableName(),
138
+ Item: (0, util_dynamodb_1.marshall)({
139
+ pk: `uc#${userCodeHash}`,
140
+ sk: "idx",
141
+ deviceCode,
142
+ createdAt: now,
143
+ ttl: expiresAt,
144
+ }, { removeUndefinedValues: true }),
145
+ }));
146
+ return {
147
+ device_code: deviceCode,
148
+ user_code: formatUserCode(userCode),
149
+ verification_uri: input.verificationUriBase,
150
+ verification_uri_complete: `${input.verificationUriBase}?user_code=${formatUserCode(userCode)}`,
151
+ expires_in: expiresIn,
152
+ interval,
153
+ };
154
+ }
155
+ /** Internal helper — load a record by device_code or return null. */
156
+ async function loadByDeviceCode(deviceCode) {
157
+ const out = await ddb.send(new client_dynamodb_1.GetItemCommand({
158
+ TableName: tableName(),
159
+ Key: (0, util_dynamodb_1.marshall)({ pk: `dc#${deviceCode}`, sk: "rec" }),
160
+ }));
161
+ if (!out.Item)
162
+ return null;
163
+ const raw = (0, util_dynamodb_1.unmarshall)(out.Item);
164
+ if (raw.ttl && raw.ttl < Math.floor(Date.now() / 1000))
165
+ return null;
166
+ return rawToRecord(raw);
167
+ }
168
+ /** Internal helper — resolve user_code to a device_code via the secondary key. */
169
+ async function lookupDeviceCodeByUserCode(userCode) {
170
+ const userCodeHash = hashUserCode(normaliseUserCode(userCode));
171
+ const out = await ddb.send(new client_dynamodb_1.GetItemCommand({
172
+ TableName: tableName(),
173
+ Key: (0, util_dynamodb_1.marshall)({ pk: `uc#${userCodeHash}`, sk: "idx" }),
174
+ }));
175
+ if (!out.Item)
176
+ return null;
177
+ const raw = (0, util_dynamodb_1.unmarshall)(out.Item);
178
+ if (raw.ttl && raw.ttl < Math.floor(Date.now() / 1000))
179
+ return null;
180
+ return raw.deviceCode || null;
181
+ }
182
+ /**
183
+ * Increment the failed-lookup counter on a device_code. Returns the new count.
184
+ * Once the count exceeds USER_CODE_FAILURE_LIMIT the record is deleted (lockout).
185
+ */
186
+ async function incrementFailedLookup(deviceCode) {
187
+ try {
188
+ const out = await ddb.send(new client_dynamodb_1.UpdateItemCommand({
189
+ TableName: tableName(),
190
+ Key: (0, util_dynamodb_1.marshall)({ pk: `dc#${deviceCode}`, sk: "rec" }),
191
+ UpdateExpression: "ADD failedLookups :one",
192
+ ExpressionAttributeValues: (0, util_dynamodb_1.marshall)({ ":one": 1 }),
193
+ ConditionExpression: "attribute_exists(pk)",
194
+ ReturnValues: "ALL_NEW",
195
+ }));
196
+ if (!out.Attributes)
197
+ return 0;
198
+ const updated = (0, util_dynamodb_1.unmarshall)(out.Attributes);
199
+ const newCount = updated.failedLookups ?? 0;
200
+ if (newCount >= exports.USER_CODE_FAILURE_LIMIT) {
201
+ await invalidateDeviceCode(deviceCode);
202
+ }
203
+ return newCount;
204
+ }
205
+ catch (err) {
206
+ if (err instanceof client_dynamodb_1.ConditionalCheckFailedException)
207
+ return 0;
208
+ throw err;
209
+ }
210
+ }
211
+ /** Delete a device-auth record (e.g. on lockout or successful poll). */
212
+ async function invalidateDeviceCode(deviceCode) {
213
+ await ddb.send(new client_dynamodb_1.DeleteItemCommand({
214
+ TableName: tableName(),
215
+ Key: (0, util_dynamodb_1.marshall)({ pk: `dc#${deviceCode}`, sk: "rec" }),
216
+ }));
217
+ }
218
+ /**
219
+ * Mark a device-auth record approved and stash the encrypted token blob.
220
+ * Re-keys the record's TTL to NOW + POST_APPROVAL_TTL_SECONDS.
221
+ */
222
+ async function approveDeviceAuth(ctx) {
223
+ const kek = await (0, envelope_crypto_1.resolveKek)();
224
+ const envelope = (0, envelope_crypto_1.seal)(JSON.stringify(ctx.tokens), ctx.deviceCode, kek);
225
+ const newTtl = Math.floor(Date.now() / 1000) + exports.POST_APPROVAL_TTL_SECONDS;
226
+ await ddb.send(new client_dynamodb_1.UpdateItemCommand({
227
+ TableName: tableName(),
228
+ Key: (0, util_dynamodb_1.marshall)({ pk: `dc#${ctx.deviceCode}`, sk: "rec" }),
229
+ UpdateExpression: "SET #status = :approved, envelope = :env, approvedByUserId = :u, cognitoSub = :s, tenantId = :t, sessionId = :sid, expiresAt = :ttl, #ttlAttr = :ttl REMOVE userCode",
230
+ ConditionExpression: "attribute_exists(pk) AND #status = :pending",
231
+ ExpressionAttributeNames: {
232
+ "#status": "status",
233
+ "#ttlAttr": "ttl",
234
+ },
235
+ ExpressionAttributeValues: (0, util_dynamodb_1.marshall)({
236
+ ":approved": "approved",
237
+ ":pending": "pending",
238
+ ":env": JSON.stringify(envelope),
239
+ ":u": ctx.approvedByUserId,
240
+ ":s": ctx.cognitoSub,
241
+ ":t": ctx.tenantId,
242
+ ":sid": ctx.sessionId,
243
+ ":ttl": newTtl,
244
+ }),
245
+ }));
246
+ }
247
+ /**
248
+ * Poll for tokens with a device_code. Implements the RFC 8628 §3.5/3.4
249
+ * outcomes: pending, slow_down, ok, expired, denied. On success the
250
+ * record is deleted before tokens return (read-once).
251
+ */
252
+ async function pollDeviceAuth(deviceCode) {
253
+ const record = await loadByDeviceCode(deviceCode);
254
+ if (!record)
255
+ return { outcome: "gone" };
256
+ const nowSec = Math.floor(Date.now() / 1000);
257
+ if (record.expiresAt < nowSec)
258
+ return { outcome: "expired" };
259
+ // RFC 8628 §6.1 — enforce per-device polling interval.
260
+ if (record.lastPolledAt && nowSec - record.lastPolledAt < record.interval) {
261
+ return { outcome: "slow_down" };
262
+ }
263
+ if (record.status === "denied")
264
+ return { outcome: "denied" };
265
+ if (record.status === "pending") {
266
+ // Best-effort lastPolledAt update so subsequent fast polls hit slow_down.
267
+ try {
268
+ await ddb.send(new client_dynamodb_1.UpdateItemCommand({
269
+ TableName: tableName(),
270
+ Key: (0, util_dynamodb_1.marshall)({ pk: `dc#${deviceCode}`, sk: "rec" }),
271
+ UpdateExpression: "SET lastPolledAt = :n",
272
+ ConditionExpression: "attribute_exists(pk) AND #status = :pending",
273
+ ExpressionAttributeNames: { "#status": "status" },
274
+ ExpressionAttributeValues: (0, util_dynamodb_1.marshall)({ ":n": nowSec, ":pending": "pending" }),
275
+ }));
276
+ }
277
+ catch (err) {
278
+ if (!(err instanceof client_dynamodb_1.ConditionalCheckFailedException))
279
+ throw err;
280
+ }
281
+ return { outcome: "pending" };
282
+ }
283
+ // status === approved. Decrypt, then delete the row before returning.
284
+ if (!record.envelope)
285
+ return { outcome: "expired" };
286
+ const kek = await (0, envelope_crypto_1.resolveKek)();
287
+ const plaintext = (0, envelope_crypto_1.open)(record.envelope, deviceCode, kek);
288
+ const tokens = JSON.parse(plaintext);
289
+ await invalidateDeviceCode(deviceCode);
290
+ return { outcome: "ok", tokens };
291
+ }
292
+ function rawToRecord(raw) {
293
+ return {
294
+ deviceCode: raw.deviceCode,
295
+ userCodeHash: raw.userCodeHash,
296
+ userCode: raw.userCode,
297
+ status: raw.status,
298
+ expiresAt: raw.expiresAt,
299
+ createdAt: raw.createdAt,
300
+ interval: raw.interval,
301
+ failedLookups: raw.failedLookups ?? 0,
302
+ lastPolledAt: raw.lastPolledAt,
303
+ envelope: raw.envelope ? JSON.parse(raw.envelope) : undefined,
304
+ approvedByUserId: raw.approvedByUserId,
305
+ cognitoSub: raw.cognitoSub,
306
+ tenantId: raw.tenantId,
307
+ agentLabel: raw.agentLabel,
308
+ sourceIp: raw.sourceIp,
309
+ sessionId: raw.sessionId,
310
+ };
311
+ }
312
+ //# sourceMappingURL=device-authorization.js.map
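Review bot: The read-once guarantee in `pollDeviceAuth` is not atomic: the approved record is loaded, decrypted and only then removed by the unconditional delete in `invalidateDeviceCode`, so two overlapping polls with the same device_code can both return `{ outcome: "ok", tokens }`. Making the delete conditional on `#status = :approved` and returning tokens only to the poll whose delete succeeds closes that window. The fence below shows the tail of the function rewritten that way, leaving `invalidateDeviceCode` itself unchanged for the lockout path. Separately, the second `PutItemCommand` in `startDeviceAuthorization` (the `uc#` index row) has no condition, unlike the `dc#` put, so a user_code collision would silently repoint an existing code at the new device_code. Adding `ConditionExpression: "attribute_not_exists(pk)"` there and regenerating the code on failure would prevent that.

```javascript
// … unchanged: load record, expiry / slow_down / denied / pending handling, decrypt into `tokens` …
    // Claim the row atomically: only the poll whose conditional delete succeeds may return tokens.
    try {
        await ddb.send(new client_dynamodb_1.DeleteItemCommand({
            TableName: tableName(),
            Key: (0, util_dynamodb_1.marshall)({ pk: `dc#${deviceCode}`, sk: "rec" }),
            ConditionExpression: "attribute_exists(pk) AND #status = :approved",
            ExpressionAttributeNames: { "#status": "status" },
            ExpressionAttributeValues: (0, util_dynamodb_1.marshall)({ ":approved": "approved" }),
        }));
    }
    catch (err) {
        // Another poll already consumed the record; do not hand the tokens out twice.
        if (err instanceof client_dynamodb_1.ConditionalCheckFailedException)
            return { outcome: "gone" };
        throw err;
    }
    return { outcome: "ok", tokens };
```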
@@ -0,0 +1 @@
1
+ {"version":3,"file":"device-authorization.js","sourceRoot":"","sources":["../../../src/lib/oauth/device-authorization.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;;;AAgGH,wCAGC;AAGD,8CAEC;AAGD,oCAEC;AAOD,4CAaC;AAGD,gDAEC;AAMD,4DAsEC;AAGD,4CAWC;AAGD,gEAYC;AAMD,sDAuBC;AAGD,oDAOC;AAgBD,8CA4BC;AAOD,wCAyCC;AAhXD,8DAOkC;AAClC,0DAA8D;AAC9D,6CAAsD;AACtD,uDAAgF;AAEhF,+EAA+E;AAClE,QAAA,kBAAkB,GAAG,sBAAsB,CAAC;AACzD,kEAAkE;AACrD,QAAA,aAAa,GAAG,CAAC,CAAC;AAC/B,mCAAmC;AACtB,QAAA,kBAAkB,GAAG,GAAG,CAAC;AACtC,yCAAyC;AAC5B,QAAA,gBAAgB,GAAG,CAAC,CAAC;AAClC,uEAAuE;AAC1D,QAAA,yBAAyB,GAAG,EAAE,CAAC;AAC5C,oFAAoF;AACvE,QAAA,uBAAuB,GAAG,EAAE,CAAC;AA0D1C,MAAM,GAAG,GAAG,IAAI,gCAAc,CAAC;IAC7B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,WAAW;IAC7C,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;CACtF,CAAC,CAAC;AAEH,SAAS,SAAS;IAChB,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAC7B,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,KAAK,sBAAsB,CACpD,CAAC;AACJ,CAAC;AAED,0DAA0D;AAC1D,SAAgB,cAAc,CAAC,GAAW;IACxC,IAAI,GAAG,CAAC,MAAM,KAAK,qBAAa;QAAE,OAAO,GAAG,CAAC;IAC7C,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;AAC9C,CAAC;AAED,kEAAkE;AAClE,SAAgB,iBAAiB,CAAC,KAAa;IAC7C,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;AACnD,CAAC;AAED,mEAAmE;AACnE,SAAgB,YAAY,CAAC,QAAgB;IAC3C,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC7D,CAAC;AAED;;;;GAIG;AACH,SAAgB,gBAAgB,CAAC,MAA6B,yBAAW;IACvE,MAAM,QAAQ,GAAG,0BAAkB,CAAC,MAAM,CAAC,CAAC,KAAK;IACjD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,QAAQ,CAAC,GAAG,QAAQ,CAAC,CAAC,uBAAuB;IAC7E,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,OAAO,GAAG,CAAC,MAAM,GAAG,qBAAa,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,GAAG,CAAC,qBAAa,GAAG,CAAC,CAAC,CAAC,CAAC,aAAa;QACjD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,qBAAa,EAAE,CAAC,EAAE,EAAE,CAAC;YAClE,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAE,CAAC;YAClB,IAAI,CA
AC,IAAI,MAAM;gBAAE,SAAS;YAC1B,GAAG,CAAC,IAAI,CAAC,0BAAkB,CAAC,CAAC,GAAG,QAAQ,CAAE,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACtB,CAAC;AAED,2CAA2C;AAC3C,SAAgB,kBAAkB,CAAC,MAA6B,yBAAW;IACzE,OAAO,GAAG,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACvC,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,wBAAwB,CAAC,KAM9C;IACC,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,0BAAkB,CAAC;IACxD,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,wBAAgB,CAAC;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,GAAG,GAAG,SAAS,CAAC;IAElC,MAAM,UAAU,GAAG,kBAAkB,EAAE,CAAC;IACxC,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;IACpC,MAAM,YAAY,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAqB;QAC/B,UAAU;QACV,YAAY;QACZ,QAAQ;QACR,MAAM,EAAE,SAAS;QACjB,SAAS;QACT,SAAS,EAAE,GAAG;QACd,QAAQ;QACR,aAAa,EAAE,CAAC;QAChB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;KACzB,CAAC;IAEF,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,gCAAc,CAAC;QACjB,SAAS,EAAE,SAAS,EAAE;QACtB,IAAI,EAAE,IAAA,wBAAQ,EACZ;YACE,EAAE,EAAE,MAAM,UAAU,EAAE;YACtB,EAAE,EAAE,KAAK;YACT,GAAG,MAAM;YACT,gDAAgD;YAChD,GAAG,EAAE,SAAS;SACf,EACD,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAChC;QACD,mBAAmB,EAAE,0BAA0B;KAChD,CAAC,CACH,CAAC;IAEF,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,gCAAc,CAAC;QACjB,SAAS,EAAE,SAAS,EAAE;QACtB,IAAI,EAAE,IAAA,wBAAQ,EACZ;YACE,EAAE,EAAE,MAAM,YAAY,EAAE;YACxB,EAAE,EAAE,KAAK;YACT,UAAU;YACV,SAAS,EAAE,GAAG;YACd,GAAG,EAAE,SAAS;SACf,EACD,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAChC;KACF,CAAC,CACH,CAAC;IAEF,OAAO;QACL,WAAW,EAAE,UAAU;QACvB,SAAS,EAAE,cAAc,CAAC,QAAQ,CAAC;QACnC,gBAAgB,EAAE,KAAK,CAAC,mBAAmB;QAC3C,yBAAyB,EAAE,GAAG,KAAK,CAAC,mBAAmB,cAAc,cAAc,CAAC,QAAQ,CAAC,EAAE;QAC/F,UAAU,EAAE,SAAS;QACrB,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,qEAAqE;AAC9D,KAAK,UAAU,gBAAgB,CAAC,UAAkB;IACvD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,CACxB,IAAI,gCAAc,CAAC;QACjB,SAAS,EAAE,SAAS,EAAE;QACtB,GAAG,EAAE,IAAA,wBAAQ,EAAC,EAAE,EAAE,EAAE,MAAM,UAAU,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;KACrD,CAAC,CACH,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,GAAG,GAAG,IAAA,0BAA
U,EAAC,GAAG,CAAC,IAAI,CAA+C,CAAC;IAC/E,IAAI,GAAG,CAAC,GAAG,IAAK,GAAG,CAAC,GAAc,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAChF,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC;AAED,kFAAkF;AAC3E,KAAK,UAAU,0BAA0B,CAAC,QAAgB;IAC/D,MAAM,YAAY,GAAG,YAAY,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/D,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,CACxB,IAAI,gCAAc,CAAC;QACjB,SAAS,EAAE,SAAS,EAAE;QACtB,GAAG,EAAE,IAAA,wBAAQ,EAAC,EAAE,EAAE,EAAE,MAAM,YAAY,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;KACvD,CAAC,CACH,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,GAAG,GAAG,IAAA,0BAAU,EAAC,GAAG,CAAC,IAAI,CAA+C,CAAC;IAC/E,IAAI,GAAG,CAAC,GAAG,IAAK,GAAG,CAAC,GAAc,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAChF,OAAQ,GAAG,CAAC,UAAqB,IAAI,IAAI,CAAC;AAC5C,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,qBAAqB,CAAC,UAAkB;IAC5D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,CACxB,IAAI,mCAAiB,CAAC;YACpB,SAAS,EAAE,SAAS,EAAE;YACtB,GAAG,EAAE,IAAA,wBAAQ,EAAC,EAAE,EAAE,EAAE,MAAM,UAAU,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;YACpD,gBAAgB,EAAE,wBAAwB;YAC1C,yBAAyB,EAAE,IAAA,wBAAQ,EAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;YAClD,mBAAmB,EAAE,sBAAsB;YAC3C,YAAY,EAAE,SAAS;SACxB,CAAC,CACH,CAAC;QACF,IAAI,CAAC,GAAG,CAAC,UAAU;YAAE,OAAO,CAAC,CAAC;QAC9B,MAAM,OAAO,GAAG,IAAA,0BAAU,EAAC,GAAG,CAAC,UAAU,CAA+B,CAAC;QACzE,MAAM,QAAQ,GAAG,OAAO,CAAC,aAAa,IAAI,CAAC,CAAC;QAC5C,IAAI,QAAQ,IAAI,+BAAuB,EAAE,CAAC;YACxC,MAAM,oBAAoB,CAAC,UAAU,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,iDAA+B;YAAE,OAAO,CAAC,CAAC;QAC7D,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,wEAAwE;AACjE,KAAK,UAAU,oBAAoB,CAAC,UAAkB;IAC3D,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,mCAAiB,CAAC;QACpB,SAAS,EAAE,SAAS,EAAE;QACtB,GAAG,EAAE,IAAA,wBAAQ,EAAC,EAAE,EAAE,EAAE,MAAM,UAAU,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;KACrD,CAAC,CACH,CAAC;AACJ,CAAC;AAYD;;;GAGG;AACI,KAAK,UAAU,iBAAiB,CAAC,GAAoB;IAC1D,MAAM,GAAG,GAAG,MAAM,IAAA,4BAAU,GAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,IAAA,sBAAI,EAAC,IAAI,CAAC,SAAS,CAAC,GAAG,C
AAC,MAAM,CAAC,EAAE,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IACvE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,iCAAyB,CAAC;IAEzE,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,mCAAiB,CAAC;QACpB,SAAS,EAAE,SAAS,EAAE;QACtB,GAAG,EAAE,IAAA,wBAAQ,EAAC,EAAE,EAAE,EAAE,MAAM,GAAG,CAAC,UAAU,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;QACxD,gBAAgB,EACd,sKAAsK;QACxK,mBAAmB,EAAE,6CAA6C;QAClE,wBAAwB,EAAE;YACxB,SAAS,EAAE,QAAQ;YACnB,UAAU,EAAE,KAAK;SAClB;QACD,yBAAyB,EAAE,IAAA,wBAAQ,EAAC;YAClC,WAAW,EAAE,UAAU;YACvB,UAAU,EAAE,SAAS;YACrB,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;YAChC,IAAI,EAAE,GAAG,CAAC,gBAAgB;YAC1B,IAAI,EAAE,GAAG,CAAC,UAAU;YACpB,IAAI,EAAE,GAAG,CAAC,QAAQ;YAClB,MAAM,EAAE,GAAG,CAAC,SAAS;YACrB,MAAM,EAAE,MAAM;SACf,CAAC;KACH,CAAC,CACH,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,cAAc,CAAC,UAAkB;IACrD,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAClD,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAExC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,IAAI,MAAM,CAAC,SAAS,GAAG,MAAM;QAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IAE7D,uDAAuD;IACvD,IAAI,MAAM,CAAC,YAAY,IAAI,MAAM,GAAG,MAAM,CAAC,YAAY,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC1E,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;IAClC,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ;QAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;IAC7D,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,0EAA0E;QAC1E,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,mCAAiB,CAAC;gBACpB,SAAS,EAAE,SAAS,EAAE;gBACtB,GAAG,EAAE,IAAA,wBAAQ,EAAC,EAAE,EAAE,EAAE,MAAM,UAAU,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;gBACpD,gBAAgB,EAAE,uBAAuB;gBACzC,mBAAmB,EAAE,6CAA6C;gBAClE,wBAAwB,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE;gBACjD,yBAAyB,EAAE,IAAA,wBAAQ,EAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;aAC7E,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,CAAC,GAAG,YAAY,iDAA+B,CAAC;gBAAE,MAAM,GAAG,CAAC;QACnE,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IAChC,CAAC;IAED,sEAAsE;IACtE,IAAI,CAAC,MAAM,CAAC,QAAQ;QAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IACpD,MAAM,GAAG,GAAG,MAAM
,IAAA,4BAAU,GAAE,CAAC;IAC/B,MAAM,SAAS,GAAG,IAAA,sBAAI,EAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAa,CAAC;IAEjD,MAAM,oBAAoB,CAAC,UAAU,CAAC,CAAC;IAEvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AACnC,CAAC;AAED,SAAS,WAAW,CAAC,GAA4B;IAC/C,OAAO;QACL,UAAU,EAAE,GAAG,CAAC,UAAoB;QACpC,YAAY,EAAE,GAAG,CAAC,YAAsB;QACxC,QAAQ,EAAE,GAAG,CAAC,QAA8B;QAC5C,MAAM,EAAE,GAAG,CAAC,MAA2C;QACvD,SAAS,EAAE,GAAG,CAAC,SAAmB;QAClC,SAAS,EAAE,GAAG,CAAC,SAAmB;QAClC,QAAQ,EAAE,GAAG,CAAC,QAAkB;QAChC,aAAa,EAAG,GAAG,CAAC,aAAwB,IAAI,CAAC;QACjD,YAAY,EAAE,GAAG,CAAC,YAAkC;QACpD,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAkB,CAAoB,CAAC,CAAC,CAAC,SAAS;QAC3F,gBAAgB,EAAE,GAAG,CAAC,gBAAsC;QAC5D,UAAU,EAAE,GAAG,CAAC,UAAgC;QAChD,QAAQ,EAAE,GAAG,CAAC,QAA8B;QAC5C,UAAU,EAAE,GAAG,CAAC,UAAgC;QAChD,QAAQ,EAAE,GAAG,CAAC,QAA8B;QAC5C,SAAS,EAAE,GAAG,CAAC,SAA+B;KAC/C,CAAC;AACJ,CAAC"}