@deque/axe-auth 1.1.0-next.97bcb8e6 → 1.1.0-next.9e34c9bf

package/dist/oauth/discoverSSOConfig.js

@@ -0,0 +1,105 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverSSOConfig = discoverSSOConfig;
+const errors_1 = require("./errors");
+const predicates_1 = require("./predicates");
+const userAgent_1 = require("../userAgent");
+const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
+function assertSecureServerURL(serverURL, allowInsecure) {
+    let parsed;
+    try {
+        parsed = new URL(serverURL);
+    }
+    catch {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server URL is not a valid URL: ${serverURL}`);
+    }
+    if (parsed.protocol === "https:")
+        return parsed;
+    if (parsed.protocol === "http:") {
+        const hostname = parsed.host.toLowerCase().replace(/:\d+$/, "");
+        if (LOOPBACK_HOSTS.has(hostname))
+            return parsed;
+        if (allowInsecure)
+            return parsed;
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Refusing to use axe server URL over http:// against non-loopback host ${parsed.host}. Use https:// or pass --allow-insecure-issuer to override (only do this on trusted networks).`);
+    }
+    throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Unsupported axe server URL scheme '${parsed.protocol}'; expected https: or http: (loopback only).`);
+}
+function buildSSOConfigURL(parsed) {
+    const copy = new URL(parsed.toString());
+    copy.search = "";
+    copy.hash = "";
+    copy.pathname = `${copy.pathname.replace(/\/+$/, "")}/api/sso-config`;
+    return copy.toString();
+}
+/**
+ * Fetches and parses the axe server's `/api/sso-config` discovery
+ * endpoint. Used by `axe-auth login` to derive the OAuth issuer URL,
+ * realm, and CLI-specific client ID from the axe server URL the user
+ * supplied (or the SaaS prod default), so users no longer have to know
+ * the underlying Keycloak coordinates.
+ *
+ * Distinguishes three failure shapes for the operator-relevant cases:
+ *
+ * - `mcpClientId` field absent: the axe server deployment predates the
+ *   field entirely. Surfaces as "needs upgrading".
+ * - `mcpClientId` is `null`: the axe server version supports the field
+ *   but the operator has not configured `KEYCLOAK_MCP_PUBLIC_CLIENT_ID`.
+ *   Surfaces as "ask the operator to configure".
+ * - any non-empty string: returned as-is.
+ *
+ * Other failure modes (unreachable, non-2xx, malformed JSON, missing
+ * `url` / `realm`) all map to `DISCOVERY_FAILED` with a descriptive
+ * message. The caller is expected to surface these errors verbatim.
+ */
+async function discoverSSOConfig(serverURL, options = {}) {
+    const allowInsecure = options.allowInsecure ?? false;
+    const parsed = assertSecureServerURL(serverURL, allowInsecure);
+    const url = buildSSOConfigURL(parsed);
+    let response;
+    try {
+        response = await fetch(url, {
+            headers: { "User-Agent": userAgent_1.USER_AGENT },
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Could not reach the axe server at ${url}. Check the --server URL and your network connection.`, { cause });
+    }
+    if (!response.ok) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${url} responded with HTTP ${response.status}. Check the --server URL.`);
+    }
+    let body;
+    try {
+        body = await response.json();
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${url} did not return valid JSON.`, { cause });
+    }
+    if (body === null || typeof body !== "object" || Array.isArray(body)) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${url} returned a non-object response body.`);
+    }
+    const raw = body;
+    const missing = [];
+    if (!(0, predicates_1.isNonEmptyString)(raw.url))
+        missing.push("url");
+    if (!(0, predicates_1.isNonEmptyString)(raw.realm))
+        missing.push("realm");
+    if (missing.length > 0) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `${url} is missing required field(s): ${missing.join(", ")}`);
+    }
+    if (!("mcpClientId" in raw)) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${serverURL} does not advertise OAuth-based MCP authentication. The deployment may need to be upgraded to a version that supports the axe-auth CLI.`);
+    }
+    if (raw.mcpClientId === null) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${serverURL} has not been configured for OAuth-based MCP authentication. Ask your operator to set the KEYCLOAK_MCP_PUBLIC_CLIENT_ID environment variable on the axe server.`);
+    }
+    if (!(0, predicates_1.isNonEmptyString)(raw.mcpClientId)) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${serverURL} returned a malformed mcpClientId (expected a non-empty string).`);
+    }
+    return {
+        url: raw.url,
+        realm: raw.realm,
+        mcpClientId: raw.mcpClientId,
+    };
+}

package/dist/oauth/errors.d.ts

@@ -0,0 +1,77 @@
+/** Error codes raised by the loopback callback server. */
+export type OAuthCallbackErrorCode = 
+/** No callback arrived within `timeoutMs`; a retry is reasonable. */
+"TIMEOUT"
+/** Callback `state` did not match `expectedState`. Surface a generic failure — do NOT echo the expected value. */
+ | "STATE_MISMATCH"
+/** Callback carried `?error=...`. `details` holds `error` and optionally `error_description` for display. */
+ | "PROVIDER_ERROR"
+/** Callback had no `code` parameter; treat as a malformed response. */
+ | "MISSING_CODE"
+/** Could not bind the loopback port. No retry — environment likely blocked. */
+ | "BIND_FAILED"
+/** Caller's `AbortSignal` fired. Expected; no user-facing message. */
+ | "ABORTED";
+/** Options for `OAuthCallbackError`. */
+export interface OAuthCallbackErrorOptions {
+    /** Structured metadata for callers that want to surface specific fields. */
+    details?: Record<string, string>;
+    /** Underlying error that triggered this failure. */
+    cause?: unknown;
+}
+/**
+ * Error raised by the loopback callback server when the authorization
+ * response cannot be consumed (timeout, state mismatch, provider error,
+ * malformed response, bind failure, or caller abort).
+ */
+export declare class OAuthCallbackError extends Error {
+    /** Discriminator for programmatic handling. */
+    readonly code: OAuthCallbackErrorCode;
+    /** Structured metadata carried alongside the error, if any. */
+    readonly details?: Record<string, string>;
+    constructor(code: OAuthCallbackErrorCode, message: string, options?: OAuthCallbackErrorOptions);
+}
+/** Error codes raised by the OAuth flow orchestrator and its helpers. */
+export type OAuthFlowErrorCode = 
+/** OIDC discovery could not reach or parse the authorization server. No browser was opened. */
+"DISCOVERY_FAILED"
+/** Could not launch the system browser. User should be told to open the URL manually. */
+ | "BROWSER_LAUNCH_FAILED"
+/** Authorization code → token exchange was rejected by the authorization server. */
+ | "TOKEN_EXCHANGE_FAILED"
+/** System keychain is unavailable (e.g. no D-Bus secret service on Linux). */
+ | "KEYRING_UNAVAILABLE"
+/** OAuth blob is too large for the OS keystore (Windows Credential Manager: 2560 UTF-16 chars per entry, MAX_CHUNKS chunks max). The keystore itself is healthy; the IDP is issuing tokens with too many claims. */
+ | "TOKEN_TOO_LARGE"
+/** Authorization endpoint returned by discovery cannot be used (e.g. already carries an OAuth-required param). Server misconfiguration. */
+ | "INVALID_AUTHORIZATION_ENDPOINT"
+/** No usable stored credentials; the user needs to run `login` to re-authenticate. Covers empty / corrupt / version-mismatched store and refresh tokens the authorization server has revoked. */
+ | "NOT_AUTHENTICATED";
+/** Options for `OAuthFlowError`. */
+export interface OAuthFlowErrorOptions {
+    /** Structured metadata for callers that want to surface specific fields. */
+    details?: Record<string, string>;
+    /** Underlying error that triggered this failure. */
+    cause?: unknown;
+}
+/**
+ * Error raised by anything in the OAuth flow outside the callback
+ * server itself: OIDC discovery, browser launch, token exchange, or
+ * keychain access.
+ *
+ * **Logging note.** For code `TOKEN_EXCHANGE_FAILED`, `message` may
+ * include the authorization server's `error_description`, which is
+ * free-form text the server controls and could plausibly contain
+ * user-identifying or otherwise sensitive information. Prefer
+ * structured logging via the discriminated `code` and the explicit
+ * `details` fields; avoid echoing the raw `message` (or the result
+ * of `console.error(err)`, which includes it) into shared log sinks
+ * without a redaction step.
+ */
+export declare class OAuthFlowError extends Error {
+    /** Discriminator for programmatic handling. */
+    readonly code: OAuthFlowErrorCode;
+    /** Structured metadata carried alongside the error, if any. */
+    readonly details?: Record<string, string>;
+    constructor(code: OAuthFlowErrorCode, message: string, options?: OAuthFlowErrorOptions);
+}

package/dist/oauth/errors.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthFlowError = exports.OAuthCallbackError = void 0;
+/**
+ * Error raised by the loopback callback server when the authorization
+ * response cannot be consumed (timeout, state mismatch, provider error,
+ * malformed response, bind failure, or caller abort).
+ */
+class OAuthCallbackError extends Error {
+    /** Discriminator for programmatic handling. */
+    code;
+    /** Structured metadata carried alongside the error, if any. */
+    details;
+    constructor(code, message, options = {}) {
+        super(message, { cause: options.cause });
+        this.name = "OAuthCallbackError";
+        this.code = code;
+        this.details = options.details;
+    }
+}
+exports.OAuthCallbackError = OAuthCallbackError;
+/**
+ * Error raised by anything in the OAuth flow outside the callback
+ * server itself: OIDC discovery, browser launch, token exchange, or
+ * keychain access.
+ *
+ * **Logging note.** For code `TOKEN_EXCHANGE_FAILED`, `message` may
+ * include the authorization server's `error_description`, which is
+ * free-form text the server controls and could plausibly contain
+ * user-identifying or otherwise sensitive information. Prefer
+ * structured logging via the discriminated `code` and the explicit
+ * `details` fields; avoid echoing the raw `message` (or the result
+ * of `console.error(err)`, which includes it) into shared log sinks
+ * without a redaction step.
+ */
+class OAuthFlowError extends Error {
+    /** Discriminator for programmatic handling. */
+    code;
+    /** Structured metadata carried alongside the error, if any. */
+    details;
+    constructor(code, message, options = {}) {
+        super(message, { cause: options.cause });
+        this.name = "OAuthFlowError";
+        this.code = code;
+        this.details = options.details;
+    }
+}
+exports.OAuthFlowError = OAuthFlowError;

package/dist/oauth/getValidAccessToken.d.ts

@@ -0,0 +1,54 @@
+import { type LoadResult, type TokenStore } from "./tokenStore";
+/** Options for `getValidAccessToken`. */
+export interface GetValidAccessTokenOptions {
+    /** OIDC issuer URL. Must match the stored entry's `issuerURL`; mismatch throws NOT_AUTHENTICATED. */
+    issuerURL: string;
+    /** OAuth client identifier. Must match the stored entry's `clientId`; same mismatch behavior as `issuerURL`. */
+    clientId: string;
+    /**
+     * How close to expiry preemptive refresh kicks in, in ms. Default
+     * 60_000. Buffer covers clock skew vs. the server. Assumes
+     * access-token TTL ≫ this; otherwise every call refreshes.
+     */
+    expiryBufferMs?: number;
+    /** Override for the token store. */
+    tokenStore?: TokenStore;
+    /** Pre-loaded `tokenStore.load()` result so the dispatcher's keychain read isn't repeated. */
+    loadedEntry?: LoadResult;
+    /** Aborts discovery + the refresh POST when fired. */
+    signal?: AbortSignal;
+    /** Forwarded to discovery; permits non-loopback http. */
+    allowInsecureIssuer?: boolean;
+    /** Called for soft warnings (e.g. rotated tokens couldn't be persisted — see HAZARD note in the body). Default prints to stderr only when stderr is a TTY. */
+    onWarning?: (message: string) => void;
+    /** Source of `now`. Defaults to `Date.now`. Injected for test determinism. */
+    now?: () => number;
+}
+/**
+ * Returns a currently-valid access token string for the given issuer,
+ * refreshing via the stored refresh token if the cached access token
+ * is within `expiryBufferMs` of expiring (or already expired).
+ *
+ * Throws `OAuthFlowError("NOT_AUTHENTICATED", ...)` when the user
+ * must re-run `axe-auth login` — covers an empty / corrupt /
+ * version-mismatched store, an expired access token with no refresh
+ * token to rotate with, and a refresh attempt rejected with
+ * `invalid_grant` (which also clears the stored tokens).
+ *
+ * Throws `OAuthFlowError("TOKEN_EXCHANGE_FAILED", ...)` for transient
+ * failures during refresh (network errors, 5xx, malformed responses)
+ * and leaves the stored tokens intact so a retry is possible.
+ *
+ * Throws `OAuthFlowError("DISCOVERY_FAILED", ...)` when the issuer
+ * URL cannot be reached or parsed at refresh time.
+ *
+ * **Concurrency note.** Not safe against parallel invocations for
+ * the same issuer. Keycloak rotates refresh tokens by default; if
+ * two parallel calls both land on the refresh path, only one
+ * winner's rotated refresh token will be persisted and the loser's
+ * rotated token is stranded. The intended consumer is the
+ * `axe-auth token` CLI (a one-shot), so this is fine in context;
+ * per-request callers should wrap in an in-flight-Promise singleton
+ * keyed by issuer.
+ */
+export declare function getValidAccessToken(options: GetValidAccessTokenOptions): Promise<string>;

package/dist/oauth/getValidAccessToken.js

@@ -0,0 +1,131 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getValidAccessToken = getValidAccessToken;
+const discoverOIDC_1 = require("./discoverOIDC");
+const errors_1 = require("./errors");
+const refreshTokens_1 = require("./refreshTokens");
+const tokenStore_1 = require("./tokenStore");
+const DEFAULT_EXPIRY_BUFFER_MS = 60_000;
+function defaultOnWarning(message) {
+    if (process.stderr.isTTY) {
+        console.error(`axe-auth: ${message}`);
+    }
+}
+function isInvalidGrant(err) {
+    return (err instanceof errors_1.OAuthFlowError &&
+        err.code === "TOKEN_EXCHANGE_FAILED" &&
+        err.details?.error === "invalid_grant");
+}
+function notAuthenticated(message, cause) {
+    return new errors_1.OAuthFlowError("NOT_AUTHENTICATED", message, cause === undefined ? undefined : { cause });
+}
+/**
+ * Returns a currently-valid access token string for the given issuer,
+ * refreshing via the stored refresh token if the cached access token
+ * is within `expiryBufferMs` of expiring (or already expired).
+ *
+ * Throws `OAuthFlowError("NOT_AUTHENTICATED", ...)` when the user
+ * must re-run `axe-auth login` — covers an empty / corrupt /
+ * version-mismatched store, an expired access token with no refresh
+ * token to rotate with, and a refresh attempt rejected with
+ * `invalid_grant` (which also clears the stored tokens).
+ *
+ * Throws `OAuthFlowError("TOKEN_EXCHANGE_FAILED", ...)` for transient
+ * failures during refresh (network errors, 5xx, malformed responses)
+ * and leaves the stored tokens intact so a retry is possible.
+ *
+ * Throws `OAuthFlowError("DISCOVERY_FAILED", ...)` when the issuer
+ * URL cannot be reached or parsed at refresh time.
+ *
+ * **Concurrency note.** Not safe against parallel invocations for
+ * the same issuer. Keycloak rotates refresh tokens by default; if
+ * two parallel calls both land on the refresh path, only one
+ * winner's rotated refresh token will be persisted and the loser's
+ * rotated token is stranded. The intended consumer is the
+ * `axe-auth token` CLI (a one-shot), so this is fine in context;
+ * per-request callers should wrap in an in-flight-Promise singleton
+ * keyed by issuer.
+ */
+async function getValidAccessToken(options) {
+    const { issuerURL, clientId, expiryBufferMs = DEFAULT_EXPIRY_BUFFER_MS, tokenStore = new tokenStore_1.KeyringTokenStore(), loadedEntry, signal, allowInsecureIssuer, onWarning = defaultOnWarning, now = Date.now, } = options;
+    const loaded = loadedEntry ?? (await tokenStore.load());
+    if (!loaded.ok) {
+        switch (loaded.reason) {
+            case "empty":
+                throw notAuthenticated("No stored credentials. Run `axe-auth login` first.");
+            case "corrupt":
+                throw notAuthenticated("Stored credentials are unreadable. Run `axe-auth login` to re-authenticate.");
+            case "version-mismatch":
+                throw notAuthenticated(`Stored credentials are from an unsupported schema version (v:${loaded.storedVersion}). Run \`axe-auth login\` to re-authenticate.`);
+        }
+    }
+    // Refuse on issuer/client mismatch: refreshing tokens at a
+    // different endpoint would leak the refresh token to the wrong
+    // server.
+    if (loaded.entry.issuerURL !== issuerURL ||
+        loaded.entry.clientId !== clientId) {
+        throw notAuthenticated(`Stored credentials are for issuer ${loaded.entry.issuerURL} (client ${loaded.entry.clientId}), but the requested issuer is ${issuerURL} (client ${clientId}). Run \`axe-auth login\` to re-authenticate.`);
+    }
+    const tokens = loaded.entry.tokens;
+    if (now() + expiryBufferMs < tokens.expiresAt) {
+        return tokens.accessToken;
+    }
+    if (!tokens.refreshToken) {
+        throw notAuthenticated("Access token has expired and no refresh token is available. Run `axe-auth login` to re-authenticate.");
+    }
+    const config = await (0, discoverOIDC_1.discoverOIDC)(issuerURL, {
+        signal,
+        allowInsecureIssuer,
+    });
+    let fresh;
+    try {
+        fresh = await (0, refreshTokens_1.refreshTokens)({
+            tokenEndpoint: config.tokenEndpoint,
+            clientId,
+            refreshToken: tokens.refreshToken,
+            now,
+            signal,
+        });
+    }
+    catch (err) {
+        if (isInvalidGrant(err)) {
+            // Best-effort clear: if the clear itself fails, still surface
+            // NOT_AUTHENTICATED so the user gets the "please run login"
+            // signal — the next run will refresh, land back here, and
+            // retry the clear.
+            try {
+                await tokenStore.clear();
+            }
+            catch (clearErr) {
+                onWarning(`Failed to clear stored tokens after refresh rejection: ${clearErr instanceof Error ? clearErr.message : String(clearErr)}. Next run may need to clear manually.`);
+            }
+            throw notAuthenticated("Your session has expired. Run `axe-auth login` to re-authenticate.", err);
+        }
+        // Transient failure — leave the store alone so the user can
+        // retry without re-logging-in.
+        throw err;
+    }
+    // HAZARD: Keycloak (and most rotating-refresh-token providers) have
+    // already consumed the old refresh token server-side by the time
+    // `refreshTokens` returns. If persisting the rotated set fails
+    // here, we hold a valid access token in memory but the stored
+    // refresh token is now stale — the next invocation will POST it,
+    // get `invalid_grant`, and prompt re-authentication.
+    //
+    // We still return the fresh access token so the current call is
+    // useful, and warn the caller so "why does the next run need me to
+    // log in again?" has a breadcrumb.
+    try {
+        await tokenStore.save({
+            tokens: fresh,
+            issuerURL: loaded.entry.issuerURL,
+            clientId: loaded.entry.clientId,
+            allowInsecureIssuer: loaded.entry.allowInsecureIssuer,
+            walnutURL: loaded.entry.walnutURL,
+        });
+    }
+    catch (err) {
+        onWarning(`Refreshed tokens could not be saved: ${err instanceof Error ? err.message : String(err)}. The current call will succeed, but the next invocation will require re-authentication.`);
+    }
+    return fresh.accessToken;
+}

package/dist/oauth/index.d.ts

@@ -0,0 +1,16 @@
+export { startCallbackServer } from "./callbackServer";
+export type { CallbackServerOptions, CallbackServerHandle, CallbackResult, } from "./callbackServer";
+export { OAuthCallbackError, OAuthFlowError } from "./errors";
+export type { OAuthCallbackErrorCode, OAuthCallbackErrorOptions, OAuthFlowErrorCode, OAuthFlowErrorOptions, } from "./errors";
+export { authorize } from "./authorize";
+export type { AuthorizeOptions } from "./authorize";
+export { getValidAccessToken } from "./getValidAccessToken";
+export type { GetValidAccessTokenOptions } from "./getValidAccessToken";
+export { refreshTokens } from "./refreshTokens";
+export type { RefreshTokensOptions } from "./refreshTokens";
+export type { TokenSet } from "./tokenResponse";
+export { KeyringTokenStore, STORED_BLOB_VERSION } from "./tokenStore";
+export type { LoadResult, StoredEntry, TokenStore } from "./tokenStore";
+export type { KeyringEntry, KeyringEntryFactory } from "./keyringBinding";
+export { discoverOIDC } from "./discoverOIDC";
+export type { OIDCConfiguration, DiscoverOIDCOptions } from "./discoverOIDC";

package/dist/oauth/index.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverOIDC = exports.STORED_BLOB_VERSION = exports.KeyringTokenStore = exports.refreshTokens = exports.getValidAccessToken = exports.authorize = exports.OAuthFlowError = exports.OAuthCallbackError = exports.startCallbackServer = void 0;
+var callbackServer_1 = require("./callbackServer");
+Object.defineProperty(exports, "startCallbackServer", { enumerable: true, get: function () { return callbackServer_1.startCallbackServer; } });
+var errors_1 = require("./errors");
+Object.defineProperty(exports, "OAuthCallbackError", { enumerable: true, get: function () { return errors_1.OAuthCallbackError; } });
+Object.defineProperty(exports, "OAuthFlowError", { enumerable: true, get: function () { return errors_1.OAuthFlowError; } });
+var authorize_1 = require("./authorize");
+Object.defineProperty(exports, "authorize", { enumerable: true, get: function () { return authorize_1.authorize; } });
+var getValidAccessToken_1 = require("./getValidAccessToken");
+Object.defineProperty(exports, "getValidAccessToken", { enumerable: true, get: function () { return getValidAccessToken_1.getValidAccessToken; } });
+var refreshTokens_1 = require("./refreshTokens");
+Object.defineProperty(exports, "refreshTokens", { enumerable: true, get: function () { return refreshTokens_1.refreshTokens; } });
+var tokenStore_1 = require("./tokenStore");
+Object.defineProperty(exports, "KeyringTokenStore", { enumerable: true, get: function () { return tokenStore_1.KeyringTokenStore; } });
+Object.defineProperty(exports, "STORED_BLOB_VERSION", { enumerable: true, get: function () { return tokenStore_1.STORED_BLOB_VERSION; } });
+var discoverOIDC_1 = require("./discoverOIDC");
+Object.defineProperty(exports, "discoverOIDC", { enumerable: true, get: function () { return discoverOIDC_1.discoverOIDC; } });

package/dist/oauth/issuerURL.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Canonicalizes an OIDC issuer URL for equivalence comparison. Two URLs
+ * that normalize to the same string refer to the same issuer, which is
+ * what `discoverOIDC` uses to build discovery URLs and what
+ * `KeyringTokenStore` uses to key keychain entries.
+ *
+ * Rules (per RFC 3986 §6.2 URI comparison):
+ * - Trailing slashes stripped from the path.
+ * - Scheme and authority (host + optional port) lowercased — both are
+ *   case-insensitive per the RFC.
+ * - Default ports (80 for http, 443 for https) collapsed via `URL.host`.
+ * - Path preserved case-sensitively.
+ * - Query string and fragment dropped: OIDC issuers are defined by
+ *   scheme + authority + path, and carrying them through would break
+ *   downstream path concatenation (e.g. appending
+ *   `/.well-known/openid-configuration`).
+ *
+ * If the input is not a parseable URL, the function trims trailing
+ * slashes and returns — discovery will surface a clearer error than
+ * this function could.
+ */
+export declare function normalizeIssuerURL(url: string): string;

package/dist/oauth/issuerURL.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeIssuerURL = normalizeIssuerURL;
+/**
+ * Canonicalizes an OIDC issuer URL for equivalence comparison. Two URLs
+ * that normalize to the same string refer to the same issuer, which is
+ * what `discoverOIDC` uses to build discovery URLs and what
+ * `KeyringTokenStore` uses to key keychain entries.
+ *
+ * Rules (per RFC 3986 §6.2 URI comparison):
+ * - Trailing slashes stripped from the path.
+ * - Scheme and authority (host + optional port) lowercased — both are
+ *   case-insensitive per the RFC.
+ * - Default ports (80 for http, 443 for https) collapsed via `URL.host`.
+ * - Path preserved case-sensitively.
+ * - Query string and fragment dropped: OIDC issuers are defined by
+ *   scheme + authority + path, and carrying them through would break
+ *   downstream path concatenation (e.g. appending
+ *   `/.well-known/openid-configuration`).
+ *
+ * If the input is not a parseable URL, the function trims trailing
+ * slashes and returns — discovery will surface a clearer error than
+ * this function could.
+ */
+function normalizeIssuerURL(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        return url.replace(/\/+$/, "");
+    }
+    // `URL.protocol` is already lowercased by the URL parser.
+    // `URL.host` retains input casing, so lowercase it explicitly.
+    const host = parsed.host.toLowerCase();
+    const pathname = parsed.pathname.replace(/\/+$/, "");
+    return `${parsed.protocol}//${host}${pathname}`;
+}

package/dist/oauth/keyringBinding.d.ts

@@ -0,0 +1,22 @@
+/** Minimal keyring-entry surface consumed by the package's stores. */
+export interface KeyringEntry {
+    /** Writes the password for this entry. */
+    setPassword(password: string): void;
+    /** Reads the current password, or returns `null` if none is set. */
+    getPassword(): string | null;
+    /** Deletes the password and returns `true` if one existed. */
+    deletePassword(): boolean;
+}
+/**
+ * Factory for `KeyringEntry` values. Injection seam for tests;
+ * production callers use the default that constructs
+ * `@napi-rs/keyring` entries lazily.
+ */
+export type KeyringEntryFactory = (service: string, account: string) => KeyringEntry;
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+export declare const defaultEntryFactory: KeyringEntryFactory;

package/dist/oauth/keyringBinding.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultEntryFactory = void 0;
+const node_module_1 = require("node:module");
+const errors_1 = require("./errors");
+const requireFromHere = (0, node_module_1.createRequire)(__filename);
+// Lazy-resolved Entry constructor. Importing @napi-rs/keyring at the
+// top of this module would run its native binding loader at
+// module-load time, throwing before any of our OAuthFlowError code
+// catches it and preventing the module from being imported at all on
+// platforms without a prebuilt. We defer the require into
+// `defaultEntryFactory`, which turns that import-time failure into a
+// `KEYRING_UNAVAILABLE` surfaced on the first store construction —
+// not on first save/load/clear, since callers construct stores
+// eagerly as default-arg expressions. Runtime keychain errors
+// (missing D-Bus Secret Service, macOS Keychain denial, etc.) are a
+// separate concern and surface later, inside save/load/clear.
+let cachedEntryCtor = null;
+function resolveEntryCtor() {
+    if (cachedEntryCtor)
+        return cachedEntryCtor;
+    try {
+        const mod = requireFromHere("@napi-rs/keyring");
+        cachedEntryCtor = mod.Entry;
+        return cachedEntryCtor;
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("KEYRING_UNAVAILABLE", `Could not load @napi-rs/keyring. A prebuilt native binding for this platform may be missing.`, { cause });
+    }
+}
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+const defaultEntryFactory = (service, account) => {
+    const Ctor = resolveEntryCtor();
+    return new Ctor(service, account);
+};
+exports.defaultEntryFactory = defaultEntryFactory;

package/dist/oauth/logo.generated.d.ts

@@ -0,0 +1 @@
+export declare const LOGO_PNG_BASE64 = "iVBORw0KGgoAAAANSUhEUgAAALQAAAC0CAYAAAA9zQYyAAAgAElEQVR4nO2df4wd13XfP2dBEIRAEKpKEIKqCISgEo7gOKqqKPsYpXEE1b8i/4rtWo6jJP7RuLHqtq7gt0kdwXANp9jn2Ibr2IkTJc4PO45l2bUMNZV/xHZcRW+jyI4iCKoqCASjCgShCiyhEARBEHv6x7x755wz9y13982bt+R7X2D3zdy5c+fMne+ce865P0ZY4OJHf7gXkX9AFSQlCqDVr2qdV0YZVKttZZSPkEdBZVReOi7mPE1Jn2O1d/s0bquEpa4utMAsYQim6U8DT6VxSk1KqX/Te5A2dERs94Kkc6TxLkwbC0LPCxLB8naCmvSUlLRvIqnR7ApIeiswJFdcpqTZw3sybezq9nILzA7ZBKgh4VjWrliTwaeJ+HOcGWNNl/Yk3woWhJ4bWGbatFKSeJKKIbolf8xDIU/HNsfC5JgLaNMk2CBrZXJoyFpIU6vZNaSlcyaTfKtYEHouYO3htA9FthlTu9oPtoMleHQcG5ER6dz0WBB6LhCiFWPzRBtYg8YlEF58mRJNmI7VMwsbek4gxuRITpyNPwcil3iYNLDajNTlNdK7t59hQej5gViibZDm0kdIpkTudMH4mOklscdmR+oFoecG6oMcasjmzOtkC9enNezv7OyFnkEJhXWvoBc29FzBak5J+8budd3iZlsDma1TmX/dG1D/LTpWFpgOpNaqjbhxodvbEl0DwZ0mDmZIo5xusdDQc4XUjZ1IaGLHGvbtr1W+NkZNLAdfdoyQdIAFoecJ0bGzv04rh18bvsuDjoydncZzFB3DbrEg9LygGE8ORCwFJdxoOnu++LxWw1uid4wFoecFpVBcA4WBRpn0+BCz/cUcj13fHWNB6LlDIJnrXCmN9Wio7HIeZ5KEXscOsSD0vMHGm+2vD0bj1W+JoCGcJ1GFF8yUDrAg9DzBDR4qoUTAcfZGKjNeY0x6R1gQel5gQ3GpMyQed2G8MYxUo61dD6I5lkbbNaZ5TR+LjpV5QSPisMH4jbEOZNDSbgZLPK9kj08fC0LPK0o9e+PSi0SN2zsDC0LPC6w21QJrC8M16omuEoIgYXx1XAYh7y6Gjy4wdYTOjwSJeYRqdreU7elMfDvKjmCGjDl3ilgQei5QGK+cyAh+KCngbGWbPxPYsD8tNpO0uX0z3IzwbrCIcswFRoxLBFOttW9x/EaMiNhigrMnptxG9GQRh15gaogRikIkw2neUd4cejMhuDgVKy/9FQc/LWzoBaYCrQkKzbCctYFTgriDzeOm6KINndI6tqEXGnouIIZkFrFzpc5ep51nXEZjwJI1Wejc6lgQel4Qe+3O14sXNaszNzTkCeZI6byOsDA55gKBeNlESPvGJLGEbKxlFyIYLr89L7UG3Uc5FoSeC5jQWiNqgSHgKNF1osTtMQFs25kiNu/Chl5gGsgDh6zJMPqXQnlq0pw9rWNscEK+0YbraewWCw09NxgxLIfYNjGwKK5bl3oPbcQkmy1mP5k0MxjqsdDQ84LcK5iILF5TWyexMTaj4PyNnflCZcLMYMY3LDT0HEHMjyU1tUbVoG3tb9bQo+KyqVGwqWdkbsCC0PMDG5VoEM50g1vnMZIykpm4bw1qc60OsSD03MAwteTIhSz+OL6rvKGl7X5B63eIBaHnBZGsbvV9ahu7uFhj2g6OXt4O5khOo3MNvXAK5wYhCO2GhFL9U6OaXSSD8WE7B6P9XXndYUHouUGyj0O0IzmJoyz5t7QcmPtNu6HH0JXXvWe4IPS8IY53jpo4p1syJm2u9S8b/DZ6D7vDwoaeC1ii2RhzIVvWzmPGdMRFGsdeTxZd3wtME86eqLe1kCXu5O+rmJDfhtGLGXQRjrDQ0HMBYwJE7bop7sVu8o2y6gaae/pYaOi5gRacNB1jEWhz23aejD0nknlc3ulhQei5QIpEhEFHabZ3HmU3+rXhNpXysWSCqMmX8thzFz2FC7SP0EvS+GqVOeYG5ZvRdWLylD5in7vO7XiQRdhugakidkWbzpXcY5g0edK4drBRiE3b8xJKkwU6xILQcwFjM0j4hTB2wx7TWuOOKy/lt93gQWl3iYXJMRcwXdkuppz+Rfs3js1Ql9ywsdPB+GXaxcpJC0wNWfsmR9AOQDKa2i02o/guclOWmHQXPRF/rY5NjoWGnjuYUXX218I6gKWexajlo8lhExYmxwWE/nAJuARkH+gBIP3tB/4RsBdkd1jF8wzwD8BJkOcQnkP1OPA8yAsIZ1ldXm9fWKOdXUdL3AfHwvOF3qwDGEf0zQALQm8W/bUlYC9wJegNCP8M5VrgIMJ+lL2I7G4+1KDhssOU86wjchblBdDngCOsrD0BfB/VR4DnQE4zWJ5A+IK2zd3Y0iR1dgxNGM7JHEkb9mfYW7gg9Dj010B0N8o1wM0IPw1cD1yFytJY27AxBtg0vVrQYsoSsKf6kwPAi1F9zYgQ50CeBn2Y/vAvEPku6DFUzzE4vMUb0lo2F2em1sI2POccwILmjWNAZtzlnbAgdERlRlwP+gbgVpAXge5ySs4+QLvqpo0apDwJjuiFUFhcRqAqdxfoi0Yy/AKqZ4AfgNxHf/gV4GkGvU3clJGtscKokdkN/9TtymzK7r5jZUFogP4Q4CBwG3A78CJgqRjWiloswS0PMEpzJgamDPEPPH7ywebN5QiI7gEOgxxG9cOIrLGy9keofhWR51ndwCxJZVg72dm/aTPa0xPLPF6mKWC+Cd0f7gYOA78CvAKRfW6IZCZkwaES8+RiXosYy83a3SQ31mZOITGjOR1hFIRdqN40kv/DKPewMvw94HFWewWnckxMOJkUOWRnO1takrlDzCehV9b2oPoy4E5guYpEjI7FYZXuodhjEpLFpJ/H2z+PT9VwvvLYCwlEE6j6Eg6A/luUXwIeoD/8OMLDrPbOjb2Iu4QUDrQlc7m4aWG+CN0f7gZ5GfBrwI3ArnqyaLCJXdNq7WIqLeScJRMxQD0B7ddbMxnjPnUahWtZ1eia9HAN0b2ovBH0VpQH6A8/jMgPXE/1+WROaEvmjs3o+SD0ytoSqtcBHwZuIRE5IT/Y0U5Da5ndTGabpfACFDW9IUbpSafrOtscYw4UynIZcxl7UH0dIregeg/wUd+6hMvHTpbGhNdJZF7Y0O1hZQ1gP6p3Af8mmxaN8QyMMTHwickZFLOdYDsgGt4/9YPP2iy+FM3LubI2Wqs526zxWuxF5O0obxxT+JjrtylzIe8UcfESemW4hOrPIvJR4Kqcnolhm15DWDHpWbmUHmRohq0yyrwzjpJtAeK1nONp4PhrZTXnaLiHLLczEfY5YmLKa7Q26dotytwhLs7BSf21y0H+CPgCcFVmXGoGnXYd7XvNRtZIpbitJYxNt6eTrqWe9JYjlkylgTyxGbfXTMSyMscvUTWEiteIZog52JbMCxt6AlTx5FtAP4VyqNZSI20zdqayhIdasFftFCPrFGZNN8ocB9CDb8LdoolWi1KXb6+bTZxQbqM1EV++c/TCBbL2NPfsXowWZV6YHNtEFVP+D8BdCHsbNSl2wzyBGPgv2axjR6SZHdeiS8gYy4qMKJVZKMZulK5vX8yS7LEMtzuqi4Z504bM3eHiIPTK2mXAJ1B+DrFmlG038Z561sjpoQUtVCKx1VA57KVjiGK1eJCnMYLNksVs24FD+VbicXtOQfs25MfkizKn60W7YUKZO8SFTeiVNVC9CtXPI3KT55NtHo1tWTQpoFHzthnNZDLaMTpTDXNGymXH5bIaD9ySlybx7Ms0TnYIfDPO5EaIpkYrMi+cwq3gJcA3QW5yFTfWUbEaSmtyuDxjHprNa23E7FCmJlv89Zyyk5pYsbyGYozaVmtixTEjJfldun0Rw0nOv1AaL+akMneMC5fQ/eFhVP8HyKG6WcRrB/txHMWQbfSQxKRlZWIfavh1a1SYkzK57f7oOpZ42TxQI2O4L7XHrSzBDNJERlNmyVOzJoRbKTS9jNEsEnf6xDJ3jAvT5FgZvhT4IioHGq2a3Y/d2jlDgtJ0mswDdSaGOdX1pInPm7RdyRmL3ymxsITKZkXJNDL3VjrP3mZuOeJ1gowN82lKMneAC4vQ/TVAD6PyJYT9ZMdLapK58BXUBHVPqaBtrJoe/eZNs9+wh8OxVMQ4c6bR7Jvyc/GF5j1q0ZIWTGVnmY2MkaCN4q05gy9/Epk7xoVD6Kob+3qQL6PsrxIlPGSMhrIPOhxzJEgHgqaNRLHlO40c5EjHcroxh6w8mPxRs+V7iyq3UEZ8yaLmtiQ7n8yl+51Y5m5JfeHY0KqHUP0iqpeXm7JkFxYq0Iarxp5qbOFcVsiXyhB7IkHDmbz5eRbOsTLHkW6wOS4kmdPfWNiDI9u7YYY0Cm9H5o6V9IVB6P5wP8LnEbmmWPnWuy6OLQhpan9Hmsp2IiQzRmL+kYljncuo/UpoxLpNuaUBP64liWZLKZ85qOE3v8hW5gIZ8/la32cbMm/4orWPnW9yVIPxfx+4obZrk11oyaTefkwPsjFpVev8cfSa1XjONh7tR4JX116nmrH9DCLPgB5DeQ74f4icQqhmj6juAvaB/mPgAMoVwJWoXonIXmDJy2/s/PxTaOYb3ctB5nFq05Vjjufhr4mU9r5tK0a9vaHM3WJnE3plCHAXyK1AsGGD5ojDQYtNn61oCQ8+pZmHbR2furxzwNOgayj/E3gE5ChwGlgH1s87cbUac7KEsAvlEpSrgBcD/xzlRoRrgcuaI+nEaz23hG2J7OlftH+t9jXlFOvGIuSzLZeVz8rSscmxswmtvA70P5JMo6xZqZ+TG+aIP4bZzmnhYHG8Mb7JVs4BjwNfBr0feIpJ1sqoCL8OnB39nQQeoz/8U6pnsh+V60BfDdyM6jWI7PL3l1qpcE+xFYkKOrdcNM/JeawJUyqQOq0xrrxgV3eIGTQKm0R/7SCif1U1zUZTFYkXK9Hki3ZcHI2WzZJAikrrnATuB34P5BEGy6encKfjUXXt7wVuAN4K3Apc3hjLXHoxbRjOvtRAY9xKnHply0nlj9O0VqMLoUwB9HMMerdPUg1bwc7U0NXIuU+CXNHUOKbCk4Zydl7IFzV2SrNmRkOr6wvAHwOfROTp6SzNtQlUyxKcAr5Lf/hd4AqQnwPuADkI1PdfQmmUnITj1slLDmHDuTbllPwIV+6Ya3WEnUfoyr58O8KtLr0YRYiVPMaEiA+xaJMA6DmUr4B8kMHyE5PeSquozJRjwG+ysnY3qu8G3guyv6mCN8IGoYeNRhhCs55LnVfO4e7YgGZnhu2uBj5U9/yxgYMiIY+15wr2cM4btE+lpZ5CeT0ib9lxZI5YXT7JoPcbwI8DX4NRJCWH5PC/jlvG4duIb7GlK9ateQa27OysjnMup4edRej+2i5gtdI6eMfPQU26mn2a25jtFI7yq9KvI3o30EPk/pmZF9vBoHeEasmy94Keru7d3LMoLsRm6yPXRUo2miOH7dL5aRvP4czlVG58Dtq52bGzCI2+CnhNVSkNo7ewL+ThjVZLF7VRsgvFaBA9ifIO4FdYXT6x4VJaOxWrvXMIvwW8FuWYa/7zPY9g5wA2hqCaenGdSyYNxrSYpjVIUFNeh9g5hF4Z7gM+gMhugI3nowXNDLXmhYIDaDROyoseAV6N8Id+haELEKu9dZBvAS9H9cm6HqKtRUGrEuoIc276kzpN9DzlmrLm1imswlM/j8h1gHE2Cg5M9n+S82E0kX0JGn6S89AfBd7CoPfklO6oe1Sty+P0hz+D8iVErm/E4BVvbtm0FMbDHAOvZZ3DTbkct/TBvJocymXAe1GtO1DiFHlL8mzzYdLCQ3E2o9R5lIdBXntRkdli0DsCvAHVxwGcc51+I8mUUG8Eh87Y07meR+k2mtF4Lt1jZxAa/Xng6sZY3Ng8Qk12MRnsIHYbWmqEk3gU9PUMlp+Zxl3sGAx6R4E3UY0vqdJc/UTbmuCzJJMhaNlGPVv1H8qegbkBO4HQ/bW9IHeCLPkxAaG9LI69Hf2W9iVUMjyNyOsZ9I5N61Z2FAa9J0FuR/VUo54sinUmY9JGeRuktttB+XSM2RJ6ZQ2E2xCu9G2i+gpMKDWfsVl04ae0qSdQfRNwdAp3sZPxIPB+VOtQZF0nNMyDXH3ZPCObeMV6jrspzfx2bIHMltCqu1C9A3Qpa+FM1mSvGfbKKD154NZOzu56w/Y7C7wLePSCDMtNgsHyOiK/i8gDzRfeaGFr4tklHxoDoKBRx24dDxv2Yyamx2wJLXIYeIl3JqJmFvOmpwcgRiskhw+vSarfdeC/Inxlc98iuQixunwG1TtRTjXqtjFPMBxzExmkzpPICvjvggfHfNwkgilidmG7as3mdyDGdrYj5Iru+AgCbqSZNbexZfAI8MHyJxqmiJUhKLsQlkb3sD66x3MzebFEnkT1t4BfrfZzuiexP6f6zREQYyvbVtTmawx2ks5JPTtCq+5HuLWhmBNizBObL4aY0jHDbOEUyr9n0DvVuuwR/eESwqWoLIPeAPJPQa+gmqGyBHKOaijqcfpr/wv0EZCHQU8x6OBlW12G/vAToG9HOOAN2+jkhVBc8POqNKtsUr6oYGYT6Zhlx8qrRvFn/PjdkKsUzHeDyk1tu65b/TTC2nREH6E/vAz4WeDNKDeB7nFaatw44+omR8NC174AfI3B8nRfvEHvOP3h76L8erP+7L5JE7tvsu7gj9fPhtDVtwDf4CsNsrOxmSnzltxWy1ckOgp8lNUpNO/9IYhcjvIe0HcCBxr3IXbDPNTUvFfJexG5lerFfpb+8FPA3Qx6J9oXOuOzwL8D9tU8NoKn/djjWsts8oVzS2biDDT0rJzCy4F6ccXY5Rod59JAJWs3JyLXNvhHEJ5rXer+cA/wy8DfAv+J6suv4x9clD35T3kpLqXqHdWrQFaBv6Y/vI3+cFqK5gjwjWpTKdu3BVI2ZTaOX8onNCpijoaP3oTIpW6aEOAcvOh8lNa9sHWfR4/pU4j8aavaub9WTQlDvoTIb8NobZDGIjLqH2B8mDYyk2eFpG1A5BqqLw/8Pv3h/tHiOu2hcki/ALpeE9DIbLXxZmQeJddlFJ5Rx1q6e0JXM1Je6dLcrAijASQSnqDNA2OqCvwMlQPWDlaGgC6Dfh3h1srJA/fw8thh8TJlBzblVb9fgrAbkV8Avgkcap3UIg+iHM/1G2XOUY0tyNx4CTpWywaz0NB7Qaoejhg2cs2W1GGfonMFPh4NwEmQz7XWgbKyBsotwH0gh7xcgovTWofJcsCOC44f4UmInKle8OtQvo7qS0bLObQEfb52lqWW2Ym1TZlnYTQHzILQB0GvylrAjZs1Gjlx2w1GMm1jnh1hoh/KV9EWbWfVGxG+iMgBf+10XavJDKltHmy+4PWrKcflz/bWQYT7UA61dk9VTP4vfPzYCDS5zDPl9SwIfT3CJVmr5T/12+Btu6z51J9Xe5broH+y7bUyIlbWDgJfRqUKLTp5tamdATfW2C6n5WQ1afbe8jUkph0E+SL94YF2bgxQeRA4l8k57p62L3P9nDpG94QWfjw3dVb75m1jT9fnhDzmvNocOUY1GGdy9PPyY1fma5RajPyXbOgkb3Kc1MvrvS+8Jo/3itX21wEfZWWtpeiHPovqMR+Kk3DNSWUOtnlH6JbQ/TVQrt84kyHzRhXiIiQK8A0GvbMTSpicwHcDNzeHTkZY+1L8QxR73MoK7uWwYyE2vAa3ofqvtnIrG+AkVQivQLxA5Ilk7t726FhD66XEr7p6pw7nAKrZcA6IKxNgHeHr7YjI1YisOFls86lWHvPbkNGcG0N7jX1jYpWuVWEX8KFR7+RkGPTWEZ4sytyYlTKBzHMwfPQK4NK8F/v74zJfsYvWKURn751G5ZGJpatCincCB+om11wTaHy8PsliZS4tzpKa4kyM+CYXysJkqdKvBvnlbd1bhPK/nczpt3HPE8rcsZLumNByBcglgHGw3HHqY0Z7xIpuvvXHgBamVclB4LZCupFLfLoW8owLLWZtnvJLoZxx19a0/R76w72bup2NccTJbH9LDvt2Zb6oNbRwtU/Q8W+wc1Lwpkgy8epzH2Ow3MJSBHobkqIa4Xrpt3bU/LFiyMo6k6ODUWvZXtKx18OedwXwuq3c1Rg8i+Vp6brtydwZuiW06g8VVXMmSSSFzSO4c32c9O8mlq2/tgd4czDo6z911wt5RkKL3Vezb2WOx+rTg0E7+gn7Vfz3rawMJ312J4AzDZnjXxsyd4iuNfQVfixAatqC05HNDWk6Kggu7ll53E9PLpxeAxyqn6W10Y2sjWbamhfmvHFlYGzwaLI0zjGEcByRm1DZN+ENnwbOODMq3mdbMneIjjX0aM06i+RUxP5/AReTjj1RdXO2jvLsxLKJLCNyieuVLIWsrHwl0yP3oIk5x2p1YWw4MppZ9ppZGwqgexGdrAdJOIPomSxz+nUriLYhc7foOmx3mSdu0sQbvNV26daGgwXAGdDJxxCr/ljDAYpOkRoBY0jPDuiJvZ5uW31LlMwZt5BOSk/a0d5vbqnOE88/H2Qd5YyrcPttw1Zl7g4dmxyyN7/9pRkqVquVKsI5KylNzyLywkRyrQxBeFF2glxLEK6fmuKiw2RaEztS0OaxA7DiUEznWNrWwJSVoPrD1YdItwnlHMiZhhq1crYi8/ZF3A66dgp3ew1daMJjBTVMDtM8VtrqLIyazu1jF1X0ADcvkUAk+xLm2xjlywSI9wSNcoTmCx3PteclkdJ1qnOvBN1+V3hV3rq/rpWzLZm7RXeEXhnuQtjt1J4lRuaPsacbg5TE56/ynqtIPQFUllDZVzuniTjpuAZZzLaV2ZkYYvI4zVqXX7q3fI+WGKNWIZlB1bn7kAmfX7pHZy61LXO3SrPDOYWBvblHDVMByVYTHFHs0Ew3ERbfDG8buhtkybUGtux03aDIahPE5G18ig1z3ugmSiLbtI3KqPf3kBa33BaMLBN/vH4DmbXbeatdXuwcytm6Ai0rgoOR4DSIOS8TSD3RJpENXfdfw1L8S2RetgQNeTNB0m2EFiYfDw7Ctj5ez1mQCZZAMNrWmRPBvJpU5uqzdZ2hu+ZgdZn8ADYioDumzWPJyarDS0tMfh/nqJYV8M5QMo/Sda0M2b5XI1eS2WgrN3w0FRvTtS7TG6iNTWNDv0D+tsoESDJbGW09TyqzMKl/syV0PTipXnsiVZqGBx/DCi6eC7VWyE39LmDPRFIJ6wjHm826evt5bBw6yhyaXndOQDSp8gtiHU3qusn1xXEmJrSznbxMbcmsTH+hH4OuewpPNhwK28Tl+jXaITbzTa96N6qXTCRXNS3p6fp61A/MaaB0SeP42UbE3ptN07DtGp6Q1/kP5riG/CpPTb7q0hj5nUM8scyThVS3iI7DdpzwdleyMYP9rP6k82zvASYfIwzfr+QK2snKOdamDciNidL4JkmjFUgbDdbQ+HyEz//9MVffHLSw78ZttCbz/51Izi2i657C47nZdBwJb7y1LlxnQtBWFa92A5PPt1MeQvWsf2ekftkamipqJeqHmf6yUytlAtnf9Pa4XlOhcWJV9lmEh7ZxlzXyC2KfhdS/7cl8fCI5t4iubej/U9vDxs60NrJQE95quqwRtaQFrplYMuFJ4Ih7meryy76P+x0J7Gzr1BoFjVfSbNkOtTIVWoGq3LWqtZsE5gYbvl2hZdmezOsInX4xoWtCH61+ApkzYVNaeMslsklMHgH44clFk1MgX6t304Ox9rwhbL6PyHzwzqOR2zlQ4k+zL0UD6QXOL/YXEZ1w/PeY60ShJpJZT6M8P5mcW0PXhH4G1SouaXsD49iN3JTbpmz0MNXs187XSyYa1wCjsKL+CSojr9w6q0bTNh6gNYnUyxxVuR0m24jrmny2lcoqMJ97AuVeVg9v7z4jnMxBzoll5gUucpPjGPBCUZu5IaRBI7h86bjYJvEQaBuO4ROg92cZog2fBbAvmj0kzfxuYkC8n/gCGHu9dP9V3j9m0GtvMZ2SzHbczGQyH5t44NgW0TWhnxv9mWYcowGtoxWcMUbp6Tc5W9V5lwIvnli6QW8d5L+A+XyDdfxKy2NZfjecpnRPDUPTlFMw0oXaKfNlPofIR7d/gwVEszintyLz411/16ZbQldx08dcWuyEsDZqfuvHOSPJDNFdwEtbkVF4HNVP1wJgnms0PYLMzqwnyWblJD/xfG+2jHANsWXrOvBhaGEyQ4aR2TKxLZnRv21P1s1hFisn/U29k+yzQNg4hrjs6pNrr3ohXjlaSH0yrC5XxFEe871ehKZ5jEzOIknnOznDvUU02MKohfgWIne3q/GsGWe1rTCxzMo54ActCrspdE9o5eFqyCfkptzFmtNfcADTsfG4HjjYiowiL4C+DTUzYVxTKj4taTi7bffjjJyCCdoYfpqPKShHgDtYXT7dyv1ZlORpQ2Z4HniqdXnPg1lo6CeB5xoRIghNmrFP3biBkD+XK7sR3tjKesqryyDyA+BdoKedrEptAhlF5rSdBG1n/QVrUpnTqm2l0SogJ4C30cpE4DFI10vDeWFCmQF4ciR7p5jF6qMnEB7NlZTf8GjDYd52a8/Z/NTpVXjpdqqew8lRkfpeVN4DerooV0MzUd+P9QMaEwRMWiNsZjU7J1FuR/hea6uqJlgt7LYLdbw1mVP+77SzVsrW0D2hq4FA33S9gaUhllBwGMfYc2lf9VrQf9GerMuA/gHwi6AnfQsh3kGyMsdmJ2vtoAFzS5QKcuc+B/pq4M+nEimwPkFpdv12ZK7nPq6DfKN9oc+PWX1j5QEkDPx2dltyFE2FleLBtqmv8iwB7231ozuDXqWpkZ9GQ4TGEteZHklmmuaH/c33YM6ttPuDoD2UB1vXzBHOXIpO4SZldtvZ5n9iilKPxYwILUdzFCE20anNEldro0OxCTTbeUduIX3yoi2sLoPqo8BPofqbIKdrOaLHRMPIbNMAAAtGSURBVG3zJ5mzaaJjZM7N/Ang/cDLGfSO8JGOvzprHcJNy2x3801/G7TTDpWEWWnoM1SfWvCarUQEy14ZpW/08XphN+j7WVlrx5ZO+EgPBr2TiKyA/iTovbVtbeRwA6mSaFKbIiWZ4QVU7wZ+AuQ3GPTaj2ZsBDubu42P18OXZvVt9diOd4f+8EUgfwfszhWSCW3MDdslnrcLtptbFVTPAW8Cvjq1iu0/tATyYuB24DXAQUR2u3EQtTxGVtL9nKGaVPAV4POIPD2KgXeDlbU9qH4fkWsbM1DcM8BXd+Sua5wUqoXUf7STT1IXMMNPI8vToA8h8lKnlRukLp2KIbA2H4TILlQ/BHwPJh1mOQaDw1Wv58ra+1D9IHAt6GGEH0P1ENXHRS8BlkDWK20uz6I8CfI3oGvAEwx6nc65c3CzcgrHwJiEgdxQP6+UryrvK0i3064sZqeh37cGwi8hfNbFP5NjZKdm2WPWdrNaQoIaqQj/MUTvnMonkjfCyhqoLoHsQVlCOAd6FpH1rsc2jEV/bQ/C91Gu9SyIqpia9BLyNJ/NOZQfZdCbiUMIs9TQH1mG/vBelFVEDjg7ziISW/FawVW88cirzXejfBN4YCr3MA4VadepVvjcmRDM2na2PtNGJDCG69ZRd7bHd5lRdCNhVk5hBZFTiPyBSfCEhbrJa8Socxn1TnJeao7vAfkMK2tXsYCHApI+kTxCDjMSbGTxikZM3tqpXwc+OctGH2ZN6NVlUD6DmhBP0sLOqY61iW8Zk6NVT/G32a8CPsvKcLKZ4RcjdFxiJDl19Cb2FNZa/XGQB6YeNz8PZktoAOEoyJ9VO8bBi85HNElCoCNratsdnWOoejPKx+kP2w3lXejIA/ZH+yVtrDZd6nr2mnwd5BMMljtdJamE2RO6sjc/gUj1wflJPl6f8tp5frWGfydwF/22Pl55gSObZ+LrMUc1Ut2n7aI6H52jT4DeMy1Rt4LZExoAfQLVPzMGWfW79Y/XF/bT+bIE/CrQX5A6QbyT5yJNqZ5tk2iQ61nXgdVZxZ0jdgahq86PVdB6epZzPKTWKIx+Sx+vtzO1c770sBSEXaAfBL2LlRbHe1yIsGaGjWZs9eP1ysMI93Yl9vmwMwhd4SjwcaDpcDhtrLV2iJ0COuYcRtuVRtqF8Oson2Jlbb4dxWTW5Xo1HS2ufkNYL9Vt1dv5flZn2DkUsHMIXWnp30H1sWKIzmlro7XjTHGrUYIFY3q8lhDeieqX6Q+vmHgJhAsVduyMC8FpXcfeY8TVs3IPIt/rVObzYOcQusJJ4NdIawpv5eP1aXZ1jKPmPOa3enJLiLwC+A7ozays7bS66AZ+OQjqCEZwyK1SqbTzcdAPsNr9IP6NsLMeYjX2+Buofg4ohN/q3RpK6K2qf+OcNzcrI8etDyHch+oH6Q8vZa4Q69XGmMXXv99fB+4COdqltJvBbLt1xqE/PAAMEak+paxBWyQkC6LRLW48HR39a0wQKED1MYT3ozzAoLdzNE//IUD2AbsY9NoZbLWytgv4K5QbGyxwPbOWzKkl1PuB1++oOhphZ2noDHkOuANGq4HG6VkNSyQ6LhLyRKcmdCbUDtBLQP4bcB/94Q2tLIswKfpDqCYsfB24rsWSR2M5KLR84uvFzx88DtyxE8kMO5XQVffpAygfGy2wgo9F48NNtrewkbZBvqTZxeXbhcirEPlr4L/TH75q9B3wbrGytkR/eCPVWOm/RLix9WuU6ir95vqwYVPOoryLQe+Z1mVpCTs3FjvoQX/4IZQbEG7xHjfBWLIMj+o7HjO/acKAFPMuIbwCeBmqT9Ef3oNwH/A4q73pdPGuDEG5EngF8IvAMtUnN6CN76mUkOP7pbqjJjWsg34MuH8qcrSEnWlDW6ysHQS+juqh5rDR0IHiWkZTRnNGS03mRhnjylWo4q5HEL4N/CXK48AzIKe3PChnZQ3QJZTLgGsQDqO8HLgBuKwwU2cd+JcMet/e2oXGXn8J+A5KNUvevcvmvusQ3ddA3sJgCovdtIidT2iA/vAwcB/C/g1FtlwsHoiaKNou9pSNHMnkKOkp4HmQI6BPI/L3oMdRToCcAj1rXo5LEPaBXIbyT4CDoIeAq6gIXBg45V6udXRKhLZfzy051uijwM+w2ut08fLtYOeaHBbKQwh3AJ9FafbuuQ6WhmYxeaBOSNvBm88RkRC2yhrLhP6EvSh7gYPAzd58AapmOgmw5Af9BMc1v0BqRJFC69ImgomRv8foBHsGuJ3Bzicz7FSnMOIjPUDuReV9iJ7znSY2pBdtYjbYNs6Om91sNLiUzhc2//F6WULSn7muzZc7MvDXtRcufZqiDaSIkIVznPUEwlsQHp/C1aeCC4PQAIPldeB3gLuAdb+afomA1oG09mjK44xs82LYMkP825bhOh3UENsSMchie91K47ubAeHGrbQOd10n5yngzSAPdT4ncwJcOISGitTKgGoxlnPZLIgxZcB9ySn3fKV9w3x3TraNvUnQmKGh4dzROela+Rr4bVuWc3DxssVrbKZTaFuw9ePu7yTKG0C+tWMm9W4SFxahIS2aPkC5Cxl9O9wiRjswWlEIJoIajW2a/mwviy8nx69N+TavNVlKpk56YUoEFbwsSY5pkdktiONMn+dR3orwjQuNzHAhEhqqRclFBqjeierprCGtQ+VUL0ZzYjSS+DT7m52j5JSpORbKtMds6x3n4SU73Y2ZsNcNmlIL12wXZ1yoDn0W4U0g01kgsgNcmISGROpPA28DPeGHOzoVPdqUpnOlUA9ot1oRc35yHK2mtxpN67T8Ikldpv1zsth0rcv0RnVjszVUl1o39/oE8GqU7856ouskuHAJDenzEfcAr0X1qLNNLdkcDHmiQ9QwX6wmJZDSnhPsi2l8vH4aqH2ENao486OzWpOuLVzYhIaqi3zQexD4SeB7fuijdexopqV0G0rLyt2UEVllHb9YFgQnkKYMzoQIeRuyB7naxTqq9wCvZLB8dCpX6BgXPqETBr1ngZcDA9CzzUHrBK1aH8p2LLDjP17fHtaBDyHyFga9k62XPiNMs0GbDfprS6CvAPkkwtVFzWYdtwaMuWDDZzm8MabK8osRzJK4GmmMkmhISwk5LcnTctf3RYqLR0MnDJbXEf4c9KdQ/cNKW4+OJds0Q2lo7kh2d24hLf8aImbtnWxvbV638TaF6+fzgjwLbIiLj9AAq73KBBH+NfCmaiEUqENko+04dsJip328/uJrS6eCi5PQCau9cwx6XwP5CeADKM83TYcY7Qi/LsqhNElnnTqTd1xZOfYdVK51AJOpYp3ShYbeFC5uQicMlk+i/GegB9xN4xspGIKZ3xwBsXAGrydaqWcvd5aEUF5uHQphkvTONMKEC5wP81lN/eG1wJ2I3AZc0nDMNrJbx+WLDp6t2XH7G/mbUdG3PcD/IsV8aOiIQe8JkHeg+iOofgw4Doxx3gihNYzpgTmuBWJqHbrL2jhtU3Y0nSMZyl7gvJhPQkM1EXfQOwJyJ+iPoPou4EEYzYTOXdej/NEEGBdQdhaJtc+NObJhD2CD4YVrLTAOi5qyWBnuRrkWeAPwGpBDCNWM72geRLiZJUlbm8xuTLUhdDY/gr2SN3P6Ig69CSwIXUL10Z89wLXALcDLEV4Msh9lKZM31t6mbOcxzmaeadNIPwscAx4C3s+gd3Sym7u4sSD0ZlAR/ADVdwlvBHqg1wJXgOymMTfTaujRPjBWvVfZ1oFzKKeAowiPojIEfQR4eqesv7zTsSD0dlF9T3w/yNWgB4GDID8EejnIftB9IHsRHU3qFagGA50GTiFyAngeOAb69yhHqT5a+QzwwmgiwwJbxP8Hm/uj5T1hsjYAAAAASUVORK5CYII=";