@de-otio/trellis 0.6.1 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (339) hide show
  1. package/dist/env.d.ts +21 -0
  2. package/dist/env.d.ts.map +1 -1
  3. package/dist/env.js +12 -0
  4. package/dist/env.js.map +1 -1
  5. package/dist/lambda/nightly-cron.d.ts.map +1 -1
  6. package/dist/lambda/nightly-cron.js +5 -2
  7. package/dist/lambda/nightly-cron.js.map +1 -1
  8. package/dist/lambda/post-confirmation.d.ts +30 -0
  9. package/dist/lambda/post-confirmation.d.ts.map +1 -1
  10. package/dist/lambda/post-confirmation.js +333 -29
  11. package/dist/lambda/post-confirmation.js.map +1 -1
  12. package/dist/lambda/pre-token-generation.d.ts +20 -0
  13. package/dist/lambda/pre-token-generation.d.ts.map +1 -1
  14. package/dist/lambda/pre-token-generation.js +233 -48
  15. package/dist/lambda/pre-token-generation.js.map +1 -1
  16. package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
  17. package/dist/lib/activitypub/activity-processor.js +2 -1
  18. package/dist/lib/activitypub/activity-processor.js.map +1 -1
  19. package/dist/lib/activitypub/group-service.d.ts +2 -2
  20. package/dist/lib/activitypub/group-service.d.ts.map +1 -1
  21. package/dist/lib/activitypub/group-service.js +5 -2
  22. package/dist/lib/activitypub/group-service.js.map +1 -1
  23. package/dist/lib/age-tier-transition.d.ts.map +1 -1
  24. package/dist/lib/age-tier-transition.js +19 -10
  25. package/dist/lib/age-tier-transition.js.map +1 -1
  26. package/dist/lib/audit/csv-export.d.ts +25 -0
  27. package/dist/lib/audit/csv-export.d.ts.map +1 -0
  28. package/dist/lib/audit/csv-export.js +54 -0
  29. package/dist/lib/audit/csv-export.js.map +1 -0
  30. package/dist/lib/audit/emit.d.ts +56 -0
  31. package/dist/lib/audit/emit.d.ts.map +1 -0
  32. package/dist/lib/audit/emit.js +124 -0
  33. package/dist/lib/audit/emit.js.map +1 -0
  34. package/dist/lib/audit/event-types.d.ts +36 -0
  35. package/dist/lib/audit/event-types.d.ts.map +1 -0
  36. package/dist/lib/audit/event-types.js +69 -0
  37. package/dist/lib/audit/event-types.js.map +1 -0
  38. package/dist/lib/audit/pii-filter.d.ts +22 -0
  39. package/dist/lib/audit/pii-filter.d.ts.map +1 -0
  40. package/dist/lib/audit/pii-filter.js +51 -0
  41. package/dist/lib/audit/pii-filter.js.map +1 -0
  42. package/dist/lib/audit-logger.js +1 -1
  43. package/dist/lib/audit-logger.js.map +1 -1
  44. package/dist/lib/auth/auth-context.d.ts +34 -0
  45. package/dist/lib/auth/auth-context.d.ts.map +1 -0
  46. package/dist/lib/auth/auth-context.js +10 -0
  47. package/dist/lib/auth/auth-context.js.map +1 -0
  48. package/dist/lib/auth/auth-middleware.d.ts +50 -0
  49. package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
  50. package/dist/lib/auth/auth-middleware.js +153 -0
  51. package/dist/lib/auth/auth-middleware.js.map +1 -0
  52. package/dist/lib/auth/capabilities.d.ts +40 -0
  53. package/dist/lib/auth/capabilities.d.ts.map +1 -0
  54. package/dist/lib/auth/capabilities.js +44 -0
  55. package/dist/lib/auth/capabilities.js.map +1 -0
  56. package/dist/lib/auth/claims-cache.d.ts +70 -0
  57. package/dist/lib/auth/claims-cache.d.ts.map +1 -0
  58. package/dist/lib/auth/claims-cache.js +139 -0
  59. package/dist/lib/auth/claims-cache.js.map +1 -0
  60. package/dist/lib/auth/cognito-jwt.d.ts +6 -0
  61. package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
  62. package/dist/lib/auth/cognito-jwt.js.map +1 -1
  63. package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
  64. package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
  65. package/dist/lib/auth/idp-redirect-builder.js +48 -0
  66. package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
  67. package/dist/lib/auth/require.d.ts +51 -0
  68. package/dist/lib/auth/require.d.ts.map +1 -0
  69. package/dist/lib/auth/require.js +99 -0
  70. package/dist/lib/auth/require.js.map +1 -0
  71. package/dist/lib/auth/role-grants.d.ts +18 -0
  72. package/dist/lib/auth/role-grants.d.ts.map +1 -0
  73. package/dist/lib/auth/role-grants.js +62 -0
  74. package/dist/lib/auth/role-grants.js.map +1 -0
  75. package/dist/lib/cognito/idp-sdk.d.ts +80 -0
  76. package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
  77. package/dist/lib/cognito/idp-sdk.js +186 -0
  78. package/dist/lib/cognito/idp-sdk.js.map +1 -0
  79. package/dist/lib/cognito/issuer-probe.d.ts +47 -0
  80. package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
  81. package/dist/lib/cognito/issuer-probe.js +319 -0
  82. package/dist/lib/cognito/issuer-probe.js.map +1 -0
  83. package/dist/lib/comment-handler.d.ts +7 -7
  84. package/dist/lib/comment-handler.d.ts.map +1 -1
  85. package/dist/lib/comment-handler.js +23 -20
  86. package/dist/lib/comment-handler.js.map +1 -1
  87. package/dist/lib/compliance/baseline.d.ts +15 -0
  88. package/dist/lib/compliance/baseline.d.ts.map +1 -0
  89. package/dist/lib/compliance/baseline.js +205 -0
  90. package/dist/lib/compliance/baseline.js.map +1 -0
  91. package/dist/lib/compliance/tenant-merge.d.ts +35 -0
  92. package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
  93. package/dist/lib/compliance/tenant-merge.js +80 -0
  94. package/dist/lib/compliance/tenant-merge.js.map +1 -0
  95. package/dist/lib/compliance/types.d.ts +135 -0
  96. package/dist/lib/compliance/types.d.ts.map +1 -0
  97. package/dist/lib/compliance/types.js +9 -0
  98. package/dist/lib/compliance/types.js.map +1 -0
  99. package/dist/lib/connection-code-handler.d.ts +4 -4
  100. package/dist/lib/connection-code-handler.d.ts.map +1 -1
  101. package/dist/lib/connection-code-handler.js +21 -11
  102. package/dist/lib/connection-code-handler.js.map +1 -1
  103. package/dist/lib/feed-handler.d.ts +2 -2
  104. package/dist/lib/feed-handler.d.ts.map +1 -1
  105. package/dist/lib/feed-handler.js +5 -9
  106. package/dist/lib/feed-handler.js.map +1 -1
  107. package/dist/lib/middleware/idempotency-store.d.ts +86 -0
  108. package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
  109. package/dist/lib/middleware/idempotency-store.js +109 -0
  110. package/dist/lib/middleware/idempotency-store.js.map +1 -0
  111. package/dist/lib/middleware/idempotency.d.ts +37 -0
  112. package/dist/lib/middleware/idempotency.d.ts.map +1 -0
  113. package/dist/lib/middleware/idempotency.js +358 -0
  114. package/dist/lib/middleware/idempotency.js.map +1 -0
  115. package/dist/lib/net/trusted-client-ip.d.ts +39 -0
  116. package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
  117. package/dist/lib/net/trusted-client-ip.js +100 -0
  118. package/dist/lib/net/trusted-client-ip.js.map +1 -0
  119. package/dist/lib/notification-handler.d.ts +5 -5
  120. package/dist/lib/notification-handler.d.ts.map +1 -1
  121. package/dist/lib/notification-handler.js +11 -9
  122. package/dist/lib/notification-handler.js.map +1 -1
  123. package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
  124. package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
  125. package/dist/lib/oauth/cognito-issuer.js +53 -0
  126. package/dist/lib/oauth/cognito-issuer.js.map +1 -0
  127. package/dist/lib/oauth/device-authorization.d.ts +145 -0
  128. package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
  129. package/dist/lib/oauth/device-authorization.js +312 -0
  130. package/dist/lib/oauth/device-authorization.js.map +1 -0
  131. package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
  132. package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
  133. package/dist/lib/oauth/envelope-crypto.js +223 -0
  134. package/dist/lib/oauth/envelope-crypto.js.map +1 -0
  135. package/dist/lib/oauth/refresh-detection.d.ts +126 -0
  136. package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
  137. package/dist/lib/oauth/refresh-detection.js +248 -0
  138. package/dist/lib/oauth/refresh-detection.js.map +1 -0
  139. package/dist/lib/openapi/generator.d.ts +78 -0
  140. package/dist/lib/openapi/generator.d.ts.map +1 -0
  141. package/dist/lib/openapi/generator.js +201 -0
  142. package/dist/lib/openapi/generator.js.map +1 -0
  143. package/dist/lib/post-handler.d.ts +1 -1
  144. package/dist/lib/post-handler.d.ts.map +1 -1
  145. package/dist/lib/post-handler.js +4 -15
  146. package/dist/lib/post-handler.js.map +1 -1
  147. package/dist/lib/rate-limit.d.ts.map +1 -1
  148. package/dist/lib/rate-limit.js +11 -3
  149. package/dist/lib/rate-limit.js.map +1 -1
  150. package/dist/lib/routes/agent-authorize.d.ts +32 -0
  151. package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
  152. package/dist/lib/routes/agent-authorize.js +479 -0
  153. package/dist/lib/routes/agent-authorize.js.map +1 -0
  154. package/dist/lib/routes/agent-sessions.d.ts +20 -0
  155. package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
  156. package/dist/lib/routes/agent-sessions.js +124 -0
  157. package/dist/lib/routes/agent-sessions.js.map +1 -0
  158. package/dist/lib/routes/agent-surface.d.ts +37 -0
  159. package/dist/lib/routes/agent-surface.d.ts.map +1 -0
  160. package/dist/lib/routes/agent-surface.js +208 -0
  161. package/dist/lib/routes/agent-surface.js.map +1 -0
  162. package/dist/lib/routes/auth-discover.d.ts +18 -0
  163. package/dist/lib/routes/auth-discover.d.ts.map +1 -0
  164. package/dist/lib/routes/auth-discover.js +177 -0
  165. package/dist/lib/routes/auth-discover.js.map +1 -0
  166. package/dist/lib/routes/comments.d.ts.map +1 -1
  167. package/dist/lib/routes/comments.js +36 -7
  168. package/dist/lib/routes/comments.js.map +1 -1
  169. package/dist/lib/routes/connection-codes.d.ts.map +1 -1
  170. package/dist/lib/routes/connection-codes.js +21 -4
  171. package/dist/lib/routes/connection-codes.js.map +1 -1
  172. package/dist/lib/routes/content-discovery.d.ts.map +1 -1
  173. package/dist/lib/routes/content-discovery.js +18 -13
  174. package/dist/lib/routes/content-discovery.js.map +1 -1
  175. package/dist/lib/routes/dashboard.js +1 -1
  176. package/dist/lib/routes/dashboard.js.map +1 -1
  177. package/dist/lib/routes/employees.d.ts.map +1 -1
  178. package/dist/lib/routes/employees.js +57 -15
  179. package/dist/lib/routes/employees.js.map +1 -1
  180. package/dist/lib/routes/entities.d.ts.map +1 -1
  181. package/dist/lib/routes/entities.js +35 -19
  182. package/dist/lib/routes/entities.js.map +1 -1
  183. package/dist/lib/routes/errors.d.ts +34 -0
  184. package/dist/lib/routes/errors.d.ts.map +1 -0
  185. package/dist/lib/routes/errors.js +57 -0
  186. package/dist/lib/routes/errors.js.map +1 -0
  187. package/dist/lib/routes/feeds.d.ts.map +1 -1
  188. package/dist/lib/routes/feeds.js +12 -2
  189. package/dist/lib/routes/feeds.js.map +1 -1
  190. package/dist/lib/routes/index.d.ts.map +1 -1
  191. package/dist/lib/routes/index.js +50 -0
  192. package/dist/lib/routes/index.js.map +1 -1
  193. package/dist/lib/routes/mfa.d.ts.map +1 -1
  194. package/dist/lib/routes/mfa.js +1 -0
  195. package/dist/lib/routes/mfa.js.map +1 -1
  196. package/dist/lib/routes/notifications.d.ts.map +1 -1
  197. package/dist/lib/routes/notifications.js +21 -4
  198. package/dist/lib/routes/notifications.js.map +1 -1
  199. package/dist/lib/routes/oauth.d.ts +15 -0
  200. package/dist/lib/routes/oauth.d.ts.map +1 -0
  201. package/dist/lib/routes/oauth.js +139 -0
  202. package/dist/lib/routes/oauth.js.map +1 -0
  203. package/dist/lib/routes/posts.d.ts.map +1 -1
  204. package/dist/lib/routes/posts.js +30 -19
  205. package/dist/lib/routes/posts.js.map +1 -1
  206. package/dist/lib/routes/products.d.ts.map +1 -1
  207. package/dist/lib/routes/products.js +19 -22
  208. package/dist/lib/routes/products.js.map +1 -1
  209. package/dist/lib/routes/setup-status.d.ts +34 -0
  210. package/dist/lib/routes/setup-status.d.ts.map +1 -0
  211. package/dist/lib/routes/setup-status.js +87 -0
  212. package/dist/lib/routes/setup-status.js.map +1 -0
  213. package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
  214. package/dist/lib/routes/taxonomy-analytics.js +15 -14
  215. package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
  216. package/dist/lib/routes/taxonomy.d.ts.map +1 -1
  217. package/dist/lib/routes/taxonomy.js +19 -16
  218. package/dist/lib/routes/taxonomy.js.map +1 -1
  219. package/dist/lib/routes/tenant-audit.d.ts +19 -0
  220. package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
  221. package/dist/lib/routes/tenant-audit.js +244 -0
  222. package/dist/lib/routes/tenant-audit.js.map +1 -0
  223. package/dist/lib/routes/tenant-compliance.d.ts +21 -0
  224. package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
  225. package/dist/lib/routes/tenant-compliance.js +122 -0
  226. package/dist/lib/routes/tenant-compliance.js.map +1 -0
  227. package/dist/lib/routes/tenant-domains.d.ts +11 -0
  228. package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
  229. package/dist/lib/routes/tenant-domains.js +95 -0
  230. package/dist/lib/routes/tenant-domains.js.map +1 -0
  231. package/dist/lib/routes/tenant-idp.d.ts +3 -0
  232. package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
  233. package/dist/lib/routes/tenant-idp.js +89 -0
  234. package/dist/lib/routes/tenant-idp.js.map +1 -0
  235. package/dist/lib/routes/tenant-members.d.ts +13 -0
  236. package/dist/lib/routes/tenant-members.d.ts.map +1 -0
  237. package/dist/lib/routes/tenant-members.js +75 -0
  238. package/dist/lib/routes/tenant-members.js.map +1 -0
  239. package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
  240. package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
  241. package/dist/lib/routes/tenant-role-mappings.js +90 -0
  242. package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
  243. package/dist/lib/routes/tenants.d.ts +13 -0
  244. package/dist/lib/routes/tenants.d.ts.map +1 -0
  245. package/dist/lib/routes/tenants.js +121 -0
  246. package/dist/lib/routes/tenants.js.map +1 -0
  247. package/dist/lib/routes/types.d.ts +9 -0
  248. package/dist/lib/routes/types.d.ts.map +1 -1
  249. package/dist/lib/schemas.d.ts +2 -2
  250. package/dist/lib/secrets/idp-secrets.d.ts +51 -0
  251. package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
  252. package/dist/lib/secrets/idp-secrets.js +111 -0
  253. package/dist/lib/secrets/idp-secrets.js.map +1 -0
  254. package/dist/lib/security-monitor.d.ts.map +1 -1
  255. package/dist/lib/security-monitor.js +6 -1
  256. package/dist/lib/security-monitor.js.map +1 -1
  257. package/dist/lib/session-manager.d.ts +1 -0
  258. package/dist/lib/session-manager.d.ts.map +1 -1
  259. package/dist/lib/session-manager.js.map +1 -1
  260. package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
  261. package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
  262. package/dist/lib/taxonomy-handler-factory.js +8 -7
  263. package/dist/lib/taxonomy-handler-factory.js.map +1 -1
  264. package/dist/lib/tenant/audit-emit.d.ts +18 -0
  265. package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
  266. package/dist/lib/tenant/audit-emit.js +16 -0
  267. package/dist/lib/tenant/audit-emit.js.map +1 -0
  268. package/dist/lib/tenant/derive-domain.d.ts +19 -0
  269. package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
  270. package/dist/lib/tenant/derive-domain.js +38 -0
  271. package/dist/lib/tenant/derive-domain.js.map +1 -0
  272. package/dist/lib/tenant/domain-handler.d.ts +42 -0
  273. package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
  274. package/dist/lib/tenant/domain-handler.js +344 -0
  275. package/dist/lib/tenant/domain-handler.js.map +1 -0
  276. package/dist/lib/tenant/domain-validator.d.ts +28 -0
  277. package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
  278. package/dist/lib/tenant/domain-validator.js +145 -0
  279. package/dist/lib/tenant/domain-validator.js.map +1 -0
  280. package/dist/lib/tenant/domain-verifier.d.ts +30 -0
  281. package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
  282. package/dist/lib/tenant/domain-verifier.js +53 -0
  283. package/dist/lib/tenant/domain-verifier.js.map +1 -0
  284. package/dist/lib/tenant/idp-handler.d.ts +29 -0
  285. package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
  286. package/dist/lib/tenant/idp-handler.js +693 -0
  287. package/dist/lib/tenant/idp-handler.js.map +1 -0
  288. package/dist/lib/tenant/idp-name.d.ts +2 -0
  289. package/dist/lib/tenant/idp-name.d.ts.map +1 -0
  290. package/dist/lib/tenant/idp-name.js +20 -0
  291. package/dist/lib/tenant/idp-name.js.map +1 -0
  292. package/dist/lib/tenant/member-handler.d.ts +31 -0
  293. package/dist/lib/tenant/member-handler.d.ts.map +1 -0
  294. package/dist/lib/tenant/member-handler.js +343 -0
  295. package/dist/lib/tenant/member-handler.js.map +1 -0
  296. package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
  297. package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
  298. package/dist/lib/tenant/reserved-slugs.js +116 -0
  299. package/dist/lib/tenant/reserved-slugs.js.map +1 -0
  300. package/dist/lib/tenant/resolve-role.d.ts +39 -0
  301. package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
  302. package/dist/lib/tenant/resolve-role.js +60 -0
  303. package/dist/lib/tenant/resolve-role.js.map +1 -0
  304. package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
  305. package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
  306. package/dist/lib/tenant/role-mapping-handler.js +260 -0
  307. package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
  308. package/dist/lib/tenant/setup-status.d.ts +83 -0
  309. package/dist/lib/tenant/setup-status.d.ts.map +1 -0
  310. package/dist/lib/tenant/setup-status.js +201 -0
  311. package/dist/lib/tenant/setup-status.js.map +1 -0
  312. package/dist/lib/tenant/slug-validator.d.ts +31 -0
  313. package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
  314. package/dist/lib/tenant/slug-validator.js +42 -0
  315. package/dist/lib/tenant/slug-validator.js.map +1 -0
  316. package/dist/lib/tenant/tenant-handler.d.ts +49 -0
  317. package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
  318. package/dist/lib/tenant/tenant-handler.js +377 -0
  319. package/dist/lib/tenant/tenant-handler.js.map +1 -0
  320. package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
  321. package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
  322. package/dist/lib/tenant/transfer-ownership.js +66 -0
  323. package/dist/lib/tenant/transfer-ownership.js.map +1 -0
  324. package/dist/lib/user/derive-handle.d.ts +29 -0
  325. package/dist/lib/user/derive-handle.d.ts.map +1 -0
  326. package/dist/lib/user/derive-handle.js +65 -0
  327. package/dist/lib/user/derive-handle.js.map +1 -0
  328. package/dist/lib/user-deprovisioning.d.ts +11 -1
  329. package/dist/lib/user-deprovisioning.d.ts.map +1 -1
  330. package/dist/lib/user-deprovisioning.js +46 -2
  331. package/dist/lib/user-deprovisioning.js.map +1 -1
  332. package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
  333. package/package.json +5 -3
  334. package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
  335. package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
  336. package/prisma/schema.prisma +324 -74
  337. package/src/lambda/nightly-cron.ts +4 -1
  338. package/src/lambda/post-confirmation.ts +405 -29
  339. package/src/lambda/pre-token-generation.ts +300 -59
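--- a/package/dist/lambda/post-confirmation.js
+++ b/package/dist/lambda/post-confirmation.js
@@ -1,20 +1,64 @@
 "use strict";
+/**
+* Cognito PostConfirmation trigger.
+*
+* Fires once per user-pool record after Cognito accepts a sign-up
+* (`PostConfirmation_ConfirmSignUp`) or a forgotten-password confirmation
+* (`PostConfirmation_ConfirmForgotPassword`). For federated identities the
+* same trigger source is `PostConfirmation_ConfirmSignUp`; the
+* `request.userAttributes.identities` JSON string is the disambiguator.
+*
+* Responsibilities (atomic, single Prisma transaction):
+* 1. Upsert the `User` row (link `cognitoSub` to an existing email match,
+* otherwise create with a derived handle).
+* 2. Ensure a personal `Tenant` of `type=PERSONAL` exists for the user,
+* plus a `TenantMember` with `role=OWNER`.
+* 3. For federated users: exact-match the email domain against
+* `tenant_domains` (verified only). If the domain belongs to a tenant
+* with an `ACTIVE` IdP, resolve the user's role from `TenantRoleMapping`
+* (against the `custom:idpGroups` attribute) and create / refresh a
+* `TenantMember` row with `isJitProvisioned=true`.
+* 4. Preserve the existing `ageTier` + parental-link logic from the v0.6
+* stub (B2C requirement).
+*
+* Idempotency: every write is an upsert. Cognito retries up to 3 times.
+*
+* Cross-tenant isolation: domain lookup is exact-match-only. No substring,
+* no wildcard. See sec finding #8 in
+* plans/mvp/10-trellis-stages/02-cognito-triggers.md.
+*
+* No PII (email body, group claim contents, raw IdP attributes) is logged.
+*/
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.handler = void 0;
 const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
 const client_1 = require("@prisma/client");
+const claims_cache_1 = require("../lib/auth/claims-cache");
+const derive_domain_1 = require("../lib/tenant/derive-domain");
+const resolve_role_1 = require("../lib/tenant/resolve-role");
+const derive_handle_1 = require("../lib/user/derive-handle");
 const secretsClient = new client_secrets_manager_1.SecretsManagerClient({ region: process.env.AWS_REGION });
 let prisma = null;
+let cache = null;
 async function getPrisma() {
 if (prisma)
 return prisma;
 const secret = await secretsClient.send(new client_secrets_manager_1.GetSecretValueCommand({ SecretId: process.env.DB_SECRET_ARN }));
 const { username, password, host, port, dbname } = JSON.parse(secret.SecretString);
 prisma = new client_1.PrismaClient({
-datasources: { db: { url: `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${dbname}?connection_limit=1` } },
+datasources: {
+db: {
+url: `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${dbname}?connection_limit=1`,
+},
+},
 });
 return prisma;
 }
+function getCache() {
+if (!cache)
+cache = (0, claims_cache_1.createClaimsCacheFromEnv)();
+return cache;
+}
 function computeAgeTier(dateOfBirth) {
 const now = new Date();
 let age = now.getUTCFullYear() - dateOfBirth.getUTCFullYear();
@@ -28,52 +72,312 @@ function computeAgeTier(dateOfBirth) {
 return "TEEN";
 return "ADULT";
 }
+function isFederatedEvent(event) {
+const identitiesRaw = event.request.userAttributes["identities"];
+if (!identitiesRaw)
+return false;
+try {
+const parsed = JSON.parse(identitiesRaw);
+return Array.isArray(parsed) && parsed.length > 0;
+}
+catch {
+// Malformed `identities` is not a federation signal we can act on. Return
+// false rather than over-classifying as federated, which would set
+// role=B2B_PARTNER and run the org-tenant resolution path. (G2 M2)
+return false;
+}
+}
+function parseIdpGroups(raw) {
+if (!raw)
+return [];
+// Split on `,` and `;` only — IdPs (notably Okta in displayName mode) may
+// emit group names containing whitespace. Cognito's custom-attribute
+// serialization is comma-separated; we accept semicolon as a defensive
+// fallback. (G2 L1)
+return raw
+.split(/[,;]+/)
+.map((s) => s.trim())
+.filter(Boolean);
+}
+const SUPPORTED_TRIGGERS = new Set([
+"PostConfirmation_ConfirmSignUp",
+"PostConfirmation_ConfirmForgotPassword",
+]);
 const handler = async (event) => {
-if (event.triggerSource !== "PostConfirmation_ConfirmSignUp")
+if (!SUPPORTED_TRIGGERS.has(event.triggerSource))
 return event;
-const { email, "custom:handle": handle, "custom:dateOfBirth": dateOfBirthStr } = event.request.userAttributes;
 const cognitoSub = event.userName;
-const db = await getPrisma();
-// Compute age tier from date of birth if provided
+const attrs = event.request.userAttributes;
+const email = attrs.email?.toLowerCase();
+if (!email) {
+console.warn(JSON.stringify({ event: "postconfirm.no_email", cognitoSub }));
+return event;
+}
+const federated = isFederatedEvent(event);
+const idpGroups = parseIdpGroups(attrs["custom:idpGroups"]);
+const dobStr = attrs["custom:dateOfBirth"];
 let dateOfBirth;
 let ageTier = "ADULT";
-if (dateOfBirthStr) {
-dateOfBirth = new Date(dateOfBirthStr);
-if (!isNaN(dateOfBirth.getTime()) && dateOfBirth < new Date()) {
-ageTier = computeAgeTier(dateOfBirth);
-}
-else {
-dateOfBirth = undefined;
+if (dobStr) {
+const parsed = new Date(dobStr);
+if (!isNaN(parsed.getTime()) && parsed < new Date()) {
+dateOfBirth = parsed;
+ageTier = computeAgeTier(parsed);
 }
 }
-const user = await db.user.upsert({
-where: { cognitoSub },
-create: {
-cognitoSub,
-email,
-handle: handle || email.split("@")[0],
-role: "END_USER",
-...(dateOfBirth && { dateOfBirth, ageTier }),
-},
-update: {
-email,
-},
-});
-// If child account, create a pending parental link if guardian email is provided
+const db = await getPrisma();
+const result = await db.$transaction(async (tx) => provisionUserAndTenancy(tx, {
+cognitoSub,
+email,
+emailVerified: attrs.email_verified,
+federated,
+idpGroups,
+dateOfBirth,
+ageTier,
+providedHandle: attrs["custom:handle"],
+}), { timeout: 8000 });
 if (ageTier === "CHILD") {
-const guardianEmail = event.request.userAttributes["custom:guardianEmail"];
+const guardianEmail = attrs["custom:guardianEmail"]?.toLowerCase();
 if (guardianEmail) {
 const guardian = await db.user.findUnique({ where: { email: guardianEmail } });
 if (guardian) {
 await db.parentalLink.upsert({
-where: { childId_guardianId: { childId: user.id, guardianId: guardian.id } },
-create: { childId: user.id, guardianId: guardian.id, status: "PENDING" },
+where: { childId_guardianId: { childId: result.userId, guardianId: guardian.id } },
+create: { childId: result.userId, guardianId: guardian.id, status: "PENDING" },
 update: {},
 });
 }
 }
 }
+await primeClaimsCache(cognitoSub, result);
+console.log(JSON.stringify({
+event: "postconfirm.ok",
+cognitoSub,
+userId: result.userId,
+personalTenantId: result.personalTenantId,
+orgTenantId: result.orgTenantId,
+federated,
+}));
 return event;
 };
 exports.handler = handler;
+async function provisionUserAndTenancy(tx, input) {
+const { cognitoSub, email, federated, idpGroups, dateOfBirth, ageTier, providedHandle, } = input;
+const existing = await tx.user.findFirst({
+where: { OR: [{ cognitoSub }, { email }] },
+});
+let user = existing;
+if (!user) {
+const initialHandle = (providedHandle && providedHandle.trim()) ||
+(await (0, derive_handle_1.deriveHandle)(email, async (h) => {
+const found = await tx.user.findFirst({ where: { handle: h }, select: { id: true } });
+return !!found;
+}));
+user = await tx.user.create({
+data: {
+cognitoSub,
+email,
+handle: initialHandle,
+role: federated ? "B2B_PARTNER" : "END_USER",
+...(dateOfBirth && { dateOfBirth, ageTier }),
+},
+});
+}
+else {
+const updates = {};
+if (!user.cognitoSub)
+updates.cognitoSub = cognitoSub;
+if (!user.handle) {
+updates.handle = await (0, derive_handle_1.deriveHandle)(email, async (h) => {
+const found = await tx.user.findFirst({
+where: { handle: h, NOT: { id: user.id } },
+select: { id: true },
+});
+return !!found;
+});
+}
+if (Object.keys(updates).length > 0) {
+user = await tx.user.update({ where: { id: user.id }, data: updates });
+}
+}
+let personalTenantId = user.personalTenantId;
+let personalTenantSlug = "";
+if (!personalTenantId) {
+const personalSlug = `personal-${user.id}`;
+const personalTenant = await tx.tenant.create({
+data: {
+slug: personalSlug,
+displayName: user.handle ?? "personal",
+type: "PERSONAL",
+personalOwnerUserId: user.id,
+},
+});
+personalTenantId = personalTenant.id;
+personalTenantSlug = personalTenant.slug;
+await tx.tenantMember.upsert({
+where: { tenantId_userId: { tenantId: personalTenant.id, userId: user.id } },
+create: {
+tenantId: personalTenant.id,
+userId: user.id,
+role: "OWNER",
+status: "ACTIVE",
+joinedAt: new Date(),
+},
+update: { status: "ACTIVE" },
+});
+await tx.user.update({
+where: { id: user.id },
+data: { personalTenantId: personalTenant.id },
+});
+}
+else {
+const personal = await tx.tenant.findUnique({
+where: { id: personalTenantId },
+select: { slug: true },
+});
+personalTenantSlug = personal?.slug ?? "";
+await tx.tenantMember.upsert({
+where: { tenantId_userId: { tenantId: personalTenantId, userId: user.id } },
+create: {
+tenantId: personalTenantId,
+userId: user.id,
+role: "OWNER",
+status: "ACTIVE",
+joinedAt: new Date(),
+},
+update: {},
+});
+}
+let orgTenantId = null;
+let orgTenantSlug = null;
+let orgTenantRole = null;
+if (federated) {
+// Defensive: only resolve org-tenant membership when Cognito asserts the
+// email is verified by the IdP. Native Cognito sign-ups always reach this
+// trigger with email_verified=true; for federated identities the value
+// depends on the IdP's attribute mapping. Without this check, an IdP
+// misconfigured to skip verification would let a user claim any
+// domain-bound tenant by self-asserting an email. Personal-tenant
+// creation above is unaffected — Cognito has already authenticated them.
+const emailVerified = input.emailVerified === "true";
+if (!emailVerified) {
+console.warn(JSON.stringify({ event: "postconfirm.federated.email_unverified", cognitoSub }));
+return {
+userId: user.id,
+globalRole: user.role,
+handle: user.handle ?? "",
+personalTenantId: personalTenantId,
+personalTenantSlug,
+orgTenantId: null,
+orgTenantSlug: null,
+orgTenantRole: null,
+};
+}
+const domain = (0, derive_domain_1.deriveEmailDomain)(email);
+if (!domain) {
+console.warn(JSON.stringify({ event: "postconfirm.federated.invalid_email", cognitoSub }));
+}
+else {
+const tenantDomain = await tx.tenantDomain.findUnique({
+where: { domain },
+include: {
+tenant: {
+include: {
+identityProvider: {
+select: { status: true, defaultRole: true },
+},
+roleMappings: {
+select: { idpGroupName: true, tenantRole: true, priority: true },
+},
+},
+},
+},
+});
+if (!tenantDomain) {
+console.warn(JSON.stringify({ event: "postconfirm.federated.no_domain_match", cognitoSub }));
+}
+else if (!tenantDomain.verifiedAt) {
+console.warn(JSON.stringify({
+event: "postconfirm.federated.unverified_domain",
+cognitoSub,
+tenantId: tenantDomain.tenantId,
+}));
+}
+else if (!tenantDomain.tenant.identityProvider ||
+tenantDomain.tenant.identityProvider.status !== "ACTIVE") {
+console.warn(JSON.stringify({
+event: "postconfirm.federated.inactive_idp",
+cognitoSub,
+tenantId: tenantDomain.tenantId,
+}));
+}
+else {
+const role = (0, resolve_role_1.resolveTenantRole)(idpGroups, tenantDomain.tenant.roleMappings, tenantDomain.tenant.identityProvider.defaultRole);
+if (!role) {
+console.warn(JSON.stringify({
+event: "postconfirm.federated.no_role",
+cognitoSub,
+tenantId: tenantDomain.tenantId,
+}));
+}
+else {
+await tx.tenantMember.upsert({
+where: {
+tenantId_userId: { tenantId: tenantDomain.tenantId, userId: user.id },
+},
+create: {
+tenantId: tenantDomain.tenantId,
+userId: user.id,
+role,
+status: "ACTIVE",
+joinedAt: new Date(),
+isJitProvisioned: true,
+},
+update: {
+role,
+status: "ACTIVE",
+lastActiveAt: new Date(),
+},
+});
+orgTenantId = tenantDomain.tenantId;
+orgTenantSlug = tenantDomain.tenant.slug;
+orgTenantRole = role;
+}
+}
+}
+}
+return {
+userId: user.id,
+globalRole: user.role,
+handle: user.handle ?? "",
+personalTenantId: personalTenantId,
+personalTenantSlug,
+orgTenantId,
+orgTenantSlug,
+orgTenantRole,
+};
+}
+async function primeClaimsCache(cognitoSub, result) {
+const activeTenantId = result.orgTenantId ?? result.personalTenantId;
+const activeTenantSlug = result.orgTenantSlug ?? result.personalTenantSlug;
+const activeTenantRole = result.orgTenantRole ?? "OWNER";
+const claims = {
+userId: result.userId,
+globalRole: result.globalRole,
+activeTenantId,
+tenantSlug: activeTenantSlug,
+tenantRole: activeTenantRole,
+handle: result.handle,
+};
+try {
+await getCache().put(cognitoSub, claims);
+}
+catch (err) {
+console.warn(JSON.stringify({
+event: "postconfirm.cache_prime_failed",
+cognitoSub,
+error: err.code ?? "unknown",
+}));
+}
+}
 //# sourceMappingURL=post-confirmation.js.map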
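Review bot: The email-based account linking in `provisionUserAndTenancy` happens before the `email_verified` check, so a federated identity whose IdP did not assert a verified email is still matched to an existing `User` row by email alone at `where: { OR: [{ cognitoSub }, { email }] }`, and `primeClaimsCache` then stores that user's claims under the incoming `cognitoSub`; the verified-email gate in the `if (federated)` branch only protects org-tenant membership, not the user row itself. Hoist the check to the top of the function and restrict the lookup to the sub when the email is unverified, e.g. `const emailVerified = input.emailVerified === "true";` and `where: emailVerified ? { OR: [{ cognitoSub }, { email }] } : { cognitoSub },`, reusing the local in the federated branch instead of repeating the `"true"` comparison. In the `else` branch an existing row that already carries a different `cognitoSub` is kept unchanged (`if (!user.cognitoSub)`), yet the returned `userId` and the primed claims are still bound to the incoming sub, so that case should be logged and refused rather than silently merged. If the pool can admit native users with `email_verified` unset (the header comment says native sign-ups always arrive verified), the narrowed lookup would then hit the email unique key on `tx.user.create` — the `findUnique({ where: { email } })` on the guardian path suggests email is unique — which is a safer failure than linking, but worth a dedicated log event.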
@@ -1 +1 @@
1
- {"version":3,"file":"post-confirmation.js","sourceRoot":"","sources":["../../src/lambda/post-confirmation.ts"],"names":[],"mappings":";;;AACA,4EAA8F;AAC9F,2CAA4D;AAE5D,MAAM,aAAa,GAAG,IAAI,6CAAoB,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;AACnF,IAAI,MAAM,GAAwB,IAAI,CAAC;AAEvC,KAAK,UAAU,SAAS;IACtB,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,IAAI,8CAAqB,CAAC,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,aAAc,EAAE,CAAC,CAAC,CAAC;IAC7G,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,YAAa,CAAC,CAAC;IACpF,MAAM,GAAG,IAAI,qBAAY,CAAC;QACxB,WAAW,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,gBAAgB,QAAQ,IAAI,kBAAkB,CAAC,QAAQ,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,MAAM,qBAAqB,EAAE,EAAE;KACtI,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,WAAiB;IACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAI,GAAG,GAAG,GAAG,CAAC,cAAc,EAAE,GAAG,WAAW,CAAC,cAAc,EAAE,CAAC;IAC9D,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,EAAE,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IAChE,IAAI,SAAS,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,GAAG,CAAC,UAAU,EAAE,GAAG,WAAW,CAAC,UAAU,EAAE,CAAC,EAAE,CAAC;QACtF,GAAG,EAAE,CAAC;IACR,CAAC;IACD,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,OAAO,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,MAAM,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAEM,MAAM,OAAO,GAAmC,KAAK,EAAE,KAAK,EAAE,EAAE;IACrE,IAAI,KAAK,CAAC,aAAa,KAAK,gCAAgC;QAAE,OAAO,KAAK,CAAC;IAE3E,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,oBAAoB,EAAE,cAAc,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;IAC9G,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC;IAElC,MAAM,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC;IAE7B,kDAAkD;IAClD,IAAI,WAA6B,CAAC;IAClC,IAAI,OAAO,GAAY,OAAO,CAAC;IAC/B,IAAI,cAAc,EAAE,CAAC;QACnB,WAAW,GAAG,IAAI,IAAI,CAAC,cAAc,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC,IAAI,WAAW,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YAC9D,OAAO,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;QACxC,CAAC;aAAM,CAAC;YACN,WAAW,GAAG,SAAS,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAChC,KAAK,EAAE,EAAE,UAAU,EAAE;QACrB,MAAM,EA
AE;YACN,UAAU;YACV,KAAK;YACL,MAAM,EAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACrC,IAAI,EAAE,UAAU;YAChB,GAAG,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;SAC7C;QACD,MAAM,EAAE;YACN,KAAK;SACN;KACF,CAAC,CAAC;IAEH,iFAAiF;IACjF,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QACxB,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,sBAAsB,CAAC,CAAC;QAC3E,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;YAC/E,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;oBAC3B,KAAK,EAAE,EAAE,kBAAkB,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE;oBAC5E,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE;oBACxE,MAAM,EAAE,EAAE;iBACX,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAlDW,QAAA,OAAO,WAkDlB"}
1
+ {"version":3,"file":"post-confirmation.js","sourceRoot":"","sources":["../../src/lambda/post-confirmation.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;;;AAMH,4EAA8F;AAC9F,2CAMwB;AACxB,2DAAoG;AACpG,+DAAgE;AAChE,6DAAsF;AACtF,6DAAyD;AAEzD,MAAM,aAAa,GAAG,IAAI,6CAAoB,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;AACnF,IAAI,MAAM,GAAwB,IAAI,CAAC;AACvC,IAAI,KAAK,GAAuB,IAAI,CAAC;AAErC,KAAK,UAAU,SAAS;IACtB,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,CACrC,IAAI,8CAAqB,CAAC,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,aAAc,EAAE,CAAC,CACpE,CAAC;IACF,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,YAAa,CAAC,CAAC;IACpF,MAAM,GAAG,IAAI,qBAAY,CAAC;QACxB,WAAW,EAAE;YACX,EAAE,EAAE;gBACF,GAAG,EAAE,gBAAgB,QAAQ,IAAI,kBAAkB,CAAC,QAAQ,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,MAAM,qBAAqB;aAC7G;SACF;KACF,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,QAAQ;IACf,IAAI,CAAC,KAAK;QAAE,KAAK,GAAG,IAAA,uCAAwB,GAAE,CAAC;IAC/C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,cAAc,CAAC,WAAiB;IACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAI,GAAG,GAAG,GAAG,CAAC,cAAc,EAAE,GAAG,WAAW,CAAC,cAAc,EAAE,CAAC;IAC9D,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,EAAE,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IAChE,IAAI,SAAS,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,GAAG,CAAC,UAAU,EAAE,GAAG,WAAW,CAAC,UAAU,EAAE,CAAC,EAAE,CAAC;QACtF,GAAG,EAAE,CAAC;IACR,CAAC;IACD,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,OAAO,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,MAAM,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAmC;IAC3D,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;IACjE,IAAI,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QACzC,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;QAC1E,mEAAmE;QACnE,mEAAmE;QACnE,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,GAA8B;IACpD,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,0EAA0E;IAC1E,qEAAqE;IACrE,uEAAuE;IACv
E,oBAAoB;IACpB,OAAO,GAAG;SACP,KAAK,CAAC,OAAO,CAAC;SACd,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,OAAO,CAAC,CAAC;AACrB,CAAC;AAaD,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,gCAAgC;IAChC,wCAAwC;CACzC,CAAC,CAAC;AAEI,MAAM,OAAO,GAAmC,KAAK,EAAE,KAAK,EAAE,EAAE;IACrE,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC,aAAa,CAAC;QAAE,OAAO,KAAK,CAAC;IAE/D,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC;IAClC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;IAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC;IACzC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QAC5E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,SAAS,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,cAAc,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAE3C,IAAI,WAA6B,CAAC;IAClC,IAAI,OAAO,GAAY,OAAO,CAAC;IAC/B,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC;QAChC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,IAAI,MAAM,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACpD,WAAW,GAAG,MAAM,CAAC;YACrB,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC;IAE7B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,YAAY,CAClC,KAAK,EAAE,EAAE,EAAE,EAAE,CAAC,uBAAuB,CAAC,EAAE,EAAE;QACxC,UAAU;QACV,KAAK;QACL,aAAa,EAAE,KAAK,CAAC,cAAc;QACnC,SAAS;QACT,SAAS;QACT,WAAW;QACX,OAAO;QACP,cAAc,EAAE,KAAK,CAAC,eAAe,CAAC;KACvC,CAAC,EACF,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;IAEF,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QACxB,MAAM,aAAa,GAAG,KAAK,CAAC,sBAAsB,CAAC,EAAE,WAAW,EAAE,CAAC;QACnE,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;YAC/E,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;oBAC3B,KAAK,EAAE,EAAE,kBAAkB,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE;oBAClF,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE;oBAC9E,MAAM,EAAE,EAAE;iBACX,CAAC,CAAC;YAC
L,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,gBAAgB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAE3C,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CAAC;QACb,KAAK,EAAE,gBAAgB;QACvB,UAAU;QACV,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,SAAS;KACV,CAAC,CACH,CAAC;IAEF,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AArEW,QAAA,OAAO,WAqElB;AAaF,KAAK,UAAU,uBAAuB,CACpC,EAA4B,EAC5B,KAAwB;IAExB,MAAM,EACJ,UAAU,EACV,KAAK,EACL,SAAS,EACT,SAAS,EACT,WAAW,EACX,OAAO,EACP,cAAc,GACf,GAAG,KAAK,CAAC;IAEV,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;QACvC,KAAK,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE;KAC3C,CAAC,CAAC;IAEH,IAAI,IAAI,GAAG,QAAQ,CAAC;IACpB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,aAAa,GACjB,CAAC,cAAc,IAAI,cAAc,CAAC,IAAI,EAAE,CAAC;YACzC,CAAC,MAAM,IAAA,4BAAY,EAAC,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;gBACrC,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;gBACtF,OAAO,CAAC,CAAC,KAAK,CAAC;YACjB,CAAC,CAAC,CAAC,CAAC;QACN,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YAC1B,IAAI,EAAE;gBACJ,UAAU;gBACV,KAAK;gBACL,MAAM,EAAE,aAAa;gBACrB,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,UAAU;gBAC5C,GAAG,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;aAC7C;SACF,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC;QACtD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,CAAC,MAAM,GAAG,MAAM,IAAA,4BAAY,EAAC,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;gBACrD,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;oBACpC,KAAK,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,IAAK,CAAC,EAAE,EAAE,EAAE;oBAC3C,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE;iBACrB,CAAC,CAAC;gBACH,OAAO,CAAC,CAAC,KAAK,CAAC;YACjB,CAAC,CAAC,CAAC;QACL,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC
;QACzE,CAAC;IACH,CAAC;IAED,IAAI,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;IAC7C,IAAI,kBAAkB,GAAG,EAAE,CAAC;IAC5B,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,YAAY,GAAG,YAAY,IAAI,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,cAAc,GAAG,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC;YAC5C,IAAI,EAAE;gBACJ,IAAI,EAAE,YAAY;gBAClB,WAAW,EAAE,IAAI,CAAC,MAAM,IAAI,UAAU;gBACtC,IAAI,EAAE,UAAU;gBAChB,mBAAmB,EAAE,IAAI,CAAC,EAAE;aAC7B;SACF,CAAC,CAAC;QACH,gBAAgB,GAAG,cAAc,CAAC,EAAE,CAAC;QACrC,kBAAkB,GAAG,cAAc,CAAC,IAAI,CAAC;QACzC,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;YAC3B,KAAK,EAAE,EAAE,eAAe,EAAE,EAAE,QAAQ,EAAE,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,EAAE;YAC5E,MAAM,EAAE;gBACN,QAAQ,EAAE,cAAc,CAAC,EAAE;gBAC3B,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,QAAQ;gBAChB,QAAQ,EAAE,IAAI,IAAI,EAAE;aACrB;YACD,MAAM,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE;SAC7B,CAAC,CAAC;QACH,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACnB,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;YACtB,IAAI,EAAE,EAAE,gBAAgB,EAAE,cAAc,CAAC,EAAE,EAAE;SAC9C,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC;YAC1C,KAAK,EAAE,EAAE,EAAE,EAAE,gBAAgB,EAAE;YAC/B,MAAM,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;SACvB,CAAC,CAAC;QACH,kBAAkB,GAAG,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC;QAC1C,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;YAC3B,KAAK,EAAE,EAAE,eAAe,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,EAAE;YAC3E,MAAM,EAAE;gBACN,QAAQ,EAAE,gBAAgB;gBAC1B,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,QAAQ;gBAChB,QAAQ,EAAE,IAAI,IAAI,EAAE;aACrB;YACD,MAAM,EAAE,EAAE;SACX,CAAC,CAAC;IACL,CAAC;IAED,IAAI,WAAW,GAAkB,IAAI,CAAC;IACtC,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,IAAI,aAAa,GAAsB,IAAI,CAAC;IAC5C,IAAI,SAAS,EAAE,CAAC;QACd,yEAAyE;QACzE,0EAA0E;QAC1E,uEAAuE;QACvE,qEAAqE;QACrE,gEAAgE;QAChE,kEAAkE;QAClE,yEAAyE;QACzE,MAAM,aAAa,GAAG,KAAK,CAAC,aAAa,KAAK,MAAM,CAAC;QACrD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,wCAAwC,EAAE,UAAU,EAAE,CAAC,CAChF,CAAC;YACF,OAAO;gBACL,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,UAAU,EAAE,IAAI,CAAC,IA
AI;gBACrB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE;gBACzB,gBAAgB,EAAE,gBAAiB;gBACnC,kBAAkB;gBAClB,WAAW,EAAE,IAAI;gBACjB,aAAa,EAAE,IAAI;gBACnB,aAAa,EAAE,IAAI;aACpB,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,IAAA,iCAAiB,EAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qCAAqC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QAC7F,CAAC;aAAM,CAAC;YACN,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC;gBACpD,KAAK,EAAE,EAAE,MAAM,EAAE;gBACjB,OAAO,EAAE;oBACP,MAAM,EAAE;wBACN,OAAO,EAAE;4BACP,gBAAgB,EAAE;gCAChB,MAAM,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;6BAC5C;4BACD,YAAY,EAAE;gCACZ,MAAM,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;6BACjE;yBACF;qBACF;iBACF;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uCAAuC,EAAE,UAAU,EAAE,CAAC,CAC/E,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,YAAY,CAAC,UAAU,EAAE,CAAC;gBACpC,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC;oBACb,KAAK,EAAE,yCAAyC;oBAChD,UAAU;oBACV,QAAQ,EAAE,YAAY,CAAC,QAAQ;iBAChC,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,IACL,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB;gBACrC,YAAY,CAAC,MAAM,CAAC,gBAAgB,CAAC,MAAM,KAAK,QAAQ,EACxD,CAAC;gBACD,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC;oBACb,KAAK,EAAE,oCAAoC;oBAC3C,UAAU;oBACV,QAAQ,EAAE,YAAY,CAAC,QAAQ;iBAChC,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,GAAG,IAAA,gCAAiB,EAC5B,SAAS,EACT,YAAY,CAAC,MAAM,CAAC,YAAkC,EACtD,YAAY,CAAC,MAAM,CAAC,gBAAgB,CAAC,WAAW,CACjD,CAAC;gBACF,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC;wBACb,KAAK,EAAE,+BAA+B;wBACtC,UAAU;wBACV,QAAQ,EAAE,YAAY,CAAC,QAAQ;qBAChC,CAAC,CACH,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;wBAC3B,KAAK,EAAE;4BACL,eAAe,EAAE,EAAE,QAAQ,EAAE,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE;yBACtE;wBACD,MAAM,EAAE;4BACN,QAAQ,EAAE,YAAY,CAAC,QAAQ;4BAC/B,MAAM,EAAE,IAAI,CAAC,EAAE;4BACf,IAAI;4BACJ,MAAM,EAAE,QAAQ;4BAChB,QAAQ,EAAE,IAAI,IAAI,EAAE;4BACpB,gBAAgB,EAAE,IAAI;yBACvB;wBACD,MAAM,EAAE;4BACN,IAAI;4BACJ,MAAM,EAAE
,QAAQ;4BAChB,YAAY,EAAE,IAAI,IAAI,EAAE;yBACzB;qBACF,CAAC,CAAC;oBACH,WAAW,GAAG,YAAY,CAAC,QAAQ,CAAC;oBACpC,aAAa,GAAG,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC;oBACzC,aAAa,GAAG,IAAI,CAAC;gBACvB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,MAAM,EAAE,IAAI,CAAC,EAAE;QACf,UAAU,EAAE,IAAI,CAAC,IAAI;QACrB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE;QACzB,gBAAgB,EAAE,gBAAiB;QACnC,kBAAkB;QAClB,WAAW;QACX,aAAa;QACb,aAAa;KACd,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,UAAkB,EAAE,MAA0B;IAC5E,MAAM,cAAc,GAAG,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,gBAAgB,CAAC;IACrE,MAAM,gBAAgB,GAAG,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,kBAAkB,CAAC;IAC3E,MAAM,gBAAgB,GAAG,MAAM,CAAC,aAAa,IAAI,OAAO,CAAC;IACzD,MAAM,MAAM,GAAiB;QAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,cAAc;QACd,UAAU,EAAE,gBAAgB;QAC5B,UAAU,EAAE,gBAAgB;QAC5B,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC;IACF,IAAI,CAAC;QACH,MAAM,QAAQ,EAAE,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,gCAAgC;YACvC,UAAU;YACV,KAAK,EAAG,GAAyB,CAAC,IAAI,IAAI,SAAS;SACpD,CAAC,CACH,CAAC;IACJ,CAAC;AACH,CAAC"}
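--- a/package/dist/lambda/pre-token-generation.d.ts
+++ b/package/dist/lambda/pre-token-generation.d.ts
@@ -1,3 +1,23 @@
+/**
+ * Cognito PreTokenGeneration trigger (V2 access-token override).
+ *
+ * Runs on every token issuance and refresh. Responsibilities:
+ * 1. Read the cached claims from DynamoDB.
+ * 2. On miss: load from RDS (User + active TenantMember + Tenant slug).
+ * 3. For federated users: re-resolve the tenant role from the current
+ * `custom:idpGroups` against `TenantRoleMapping`. This catches admin-side
+ * group changes within the access-token TTL.
+ * 4. Write the (possibly refreshed) claims back to DDB.
+ * 5. Override the access-token claims via the V2 response shape.
+ *
+ * Failure modes:
+ * - User row missing (drift after RDS restore): return minimal claims —
+ * the API responds 403 to tenant-scoped endpoints, never a 500 at sign-in.
+ * - DDB or RDS error: bubble up; Cognito treats the issuance as failed.
+ *
+ * No PII is logged. We log counts and decisions ("cache_hit", "drift",
+ * "role_refreshed") and the opaque cognitoSub.
+ */
 import type { PreTokenGenerationV2TriggerHandler } from "aws-lambda";
 export declare const handler: PreTokenGenerationV2TriggerHandler;
 //# sourceMappingURL=pre-token-generation.d.ts.map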
@@ -1 +1 @@
1
- {"version":3,"file":"pre-token-generation.d.ts","sourceRoot":"","sources":["../../src/lambda/pre-token-generation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAoC,kCAAkC,EAAE,MAAM,YAAY,CAAC;AA0EvG,eAAO,MAAM,OAAO,EAAE,kCAkBrB,CAAC"}
1
+ {"version":3,"file":"pre-token-generation.d.ts","sourceRoot":"","sources":["../../src/lambda/pre-token-generation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAEV,kCAAkC,EACnC,MAAM,YAAY,CAAC;AAwKpB,eAAO,MAAM,OAAO,EAAE,kCAyHrB,CAAC"}