@deque/axe-auth 1.1.0-next.97bcb8e6 → 1.1.0-next.ac35e028

package/dist/oauth/getValidAccessToken.js

@@ -0,0 +1,139 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getValidAccessToken = getValidAccessToken;
+const discoverOIDC_1 = require("./discoverOIDC");
+const errors_1 = require("./errors");
+const refreshTokens_1 = require("./refreshTokens");
+const tokenStore_1 = require("./tokenStore");
+const DEFAULT_EXPIRY_BUFFER_MS = 60_000;
+function defaultOnWarning(message) {
+    if (process.stderr.isTTY) {
+        console.error(`axe-auth: ${message}`);
+    }
+}
+function isInvalidGrant(err) {
+    return (err instanceof errors_1.OAuthFlowError &&
+        err.code === "TOKEN_EXCHANGE_FAILED" &&
+        err.details?.error === "invalid_grant");
+}
+function notAuthenticated(message, cause) {
+    return new errors_1.OAuthFlowError("NOT_AUTHENTICATED", message, cause === undefined ? undefined : { cause });
+}
+/**
+ * Returns a currently-valid access token string for the given issuer,
+ * refreshing via the stored refresh token if the cached access token
+ * is within `expiryBufferMs` of expiring (or already expired).
+ *
+ * Throws `OAuthFlowError("NOT_AUTHENTICATED", ...)` when the user
+ * must re-run `axe-auth login` — covers an empty / corrupt /
+ * version-mismatched store, an expired access token with no refresh
+ * token to rotate with, and a refresh attempt rejected with
+ * `invalid_grant` (which also clears the stored tokens).
+ *
+ * Throws `OAuthFlowError("TOKEN_EXCHANGE_FAILED", ...)` for transient
+ * failures during refresh (network errors, 5xx, malformed responses)
+ * and leaves the stored tokens intact so a retry is possible.
+ *
+ * Throws `OAuthFlowError("DISCOVERY_FAILED", ...)` when the issuer
+ * URL cannot be reached or parsed at refresh time.
+ *
+ * **Concurrency note.** Not safe against parallel invocations for
+ * the same issuer. Keycloak rotates refresh tokens by default; if
+ * two parallel calls both land on the refresh path, only one
+ * winner's rotated refresh token will be persisted and the loser's
+ * rotated token is stranded. The intended consumer is the
+ * `axe-auth token` CLI (a one-shot), so this is fine in context;
+ * per-request callers should wrap in an in-flight-Promise singleton
+ * keyed by issuer.
+ */
+async function getValidAccessToken(options) {
+    const { issuerURL, clientId, expiryBufferMs = DEFAULT_EXPIRY_BUFFER_MS, tokenStore = new tokenStore_1.KeyringTokenStore(), loadedEntry, signal, allowInsecureIssuer, onWarning = defaultOnWarning, now = Date.now, } = options;
+    const loaded = loadedEntry ?? (await tokenStore.load());
+    if (!loaded.ok) {
+        switch (loaded.reason) {
+            case "empty":
+                throw notAuthenticated("No stored credentials. Run `axe-auth login` first.");
+            case "corrupt":
+                throw notAuthenticated("Stored credentials are unreadable. Run `axe-auth login` to re-authenticate.");
+            case "version-mismatch":
+                throw notAuthenticated(`Stored credentials are from an unsupported schema version (v:${loaded.storedVersion}). Run \`axe-auth login\` to re-authenticate.`);
+        }
+    }
+    // Guard against a mismatch between the requested issuer/client and
+    // the stored entry's. Under single-entry storage, the keychain
+    // holds one set of tokens minted against one (issuer, client)
+    // pair. Refreshing those tokens against a different
+    // discovery/token endpoint would land an unrelated refresh token
+    // at the wrong server and leak it. Refuse rather than silently
+    // proceed so direct library callers (the CLI's verbs warn + route
+    // before getting here) get a clear signal.
+    if (loaded.entry.issuerURL !== issuerURL ||
+        loaded.entry.clientId !== clientId) {
+        throw notAuthenticated(`Stored credentials are for issuer ${loaded.entry.issuerURL} (client ${loaded.entry.clientId}), but the requested issuer is ${issuerURL} (client ${clientId}). Run \`axe-auth login\` to re-authenticate.`);
+    }
+    const tokens = loaded.entry.tokens;
+    if (now() + expiryBufferMs < tokens.expiresAt) {
+        // Still fresh — no network call, no store write.
+        return tokens.accessToken;
+    }
+    if (!tokens.refreshToken) {
+        throw notAuthenticated("Access token has expired and no refresh token is available. Run `axe-auth login` to re-authenticate.");
+    }
+    const config = await (0, discoverOIDC_1.discoverOIDC)(issuerURL, {
+        signal,
+        allowInsecureIssuer,
+    });
+    let fresh;
+    try {
+        fresh = await (0, refreshTokens_1.refreshTokens)({
+            tokenEndpoint: config.tokenEndpoint,
+            clientId,
+            refreshToken: tokens.refreshToken,
+            now,
+            signal,
+        });
+    }
+    catch (err) {
+        if (isInvalidGrant(err)) {
+            // Refresh token revoked / expired server-side. Best-effort
+            // clear of the stored tokens so the next run starts clean —
+            // but if the clear itself fails (e.g. KEYRING_UNAVAILABLE),
+            // prefer surfacing NOT_AUTHENTICATED so the user still gets
+            // the actionable "please run login" signal. Note the clear
+            // failure via onWarning; the next run will see the stale
+            // tokens, try to refresh, and land back here.
+            try {
+                await tokenStore.clear();
+            }
+            catch (clearErr) {
+                onWarning(`Failed to clear stored tokens after refresh rejection: ${clearErr instanceof Error ? clearErr.message : String(clearErr)}. Next run may need to clear manually.`);
+            }
+            throw notAuthenticated("Your session has expired. Run `axe-auth login` to re-authenticate.", err);
+        }
+        // Transient failure — leave the store alone so the user can
+        // retry without re-logging-in.
+        throw err;
+    }
+    // HAZARD: Keycloak (and most rotating-refresh-token providers) have
+    // already consumed the old refresh token server-side by the time
+    // `refreshTokens` returns. If persisting the rotated set fails
+    // here, we hold a valid access token in memory but the stored
+    // refresh token is now stale — the next invocation will POST it,
+    // get `invalid_grant`, and prompt re-authentication.
+    //
+    // We still return the fresh access token so the current call is
+    // useful, and warn the caller so "why does the next run need me to
+    // log in again?" has a breadcrumb.
+    try {
+        await tokenStore.save({
+            tokens: fresh,
+            issuerURL: loaded.entry.issuerURL,
+            clientId: loaded.entry.clientId,
+            allowInsecureIssuer: loaded.entry.allowInsecureIssuer,
+        });
+    }
+    catch (err) {
+        onWarning(`Refreshed tokens could not be saved: ${err instanceof Error ? err.message : String(err)}. The current call will succeed, but the next invocation will require re-authentication.`);
+    }
+    return fresh.accessToken;
+}

package/dist/oauth/index.d.ts

@@ -0,0 +1,16 @@
+export { startCallbackServer } from "./callbackServer";
+export type { CallbackServerOptions, CallbackServerHandle, CallbackResult, } from "./callbackServer";
+export { OAuthCallbackError, OAuthFlowError } from "./errors";
+export type { OAuthCallbackErrorCode, OAuthCallbackErrorOptions, OAuthFlowErrorCode, OAuthFlowErrorOptions, } from "./errors";
+export { authorize } from "./authorize";
+export type { AuthorizeOptions } from "./authorize";
+export { getValidAccessToken } from "./getValidAccessToken";
+export type { GetValidAccessTokenOptions } from "./getValidAccessToken";
+export { refreshTokens } from "./refreshTokens";
+export type { RefreshTokensOptions } from "./refreshTokens";
+export type { TokenSet } from "./tokenResponse";
+export { KeyringTokenStore, STORED_BLOB_VERSION } from "./tokenStore";
+export type { LoadResult, StoredEntry, TokenStore } from "./tokenStore";
+export type { KeyringEntry, KeyringEntryFactory } from "./keyringBinding";
+export { discoverOIDC } from "./discoverOIDC";
+export type { OIDCConfiguration, DiscoverOIDCOptions } from "./discoverOIDC";

package/dist/oauth/index.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverOIDC = exports.STORED_BLOB_VERSION = exports.KeyringTokenStore = exports.refreshTokens = exports.getValidAccessToken = exports.authorize = exports.OAuthFlowError = exports.OAuthCallbackError = exports.startCallbackServer = void 0;
+var callbackServer_1 = require("./callbackServer");
+Object.defineProperty(exports, "startCallbackServer", { enumerable: true, get: function () { return callbackServer_1.startCallbackServer; } });
+var errors_1 = require("./errors");
+Object.defineProperty(exports, "OAuthCallbackError", { enumerable: true, get: function () { return errors_1.OAuthCallbackError; } });
+Object.defineProperty(exports, "OAuthFlowError", { enumerable: true, get: function () { return errors_1.OAuthFlowError; } });
+var authorize_1 = require("./authorize");
+Object.defineProperty(exports, "authorize", { enumerable: true, get: function () { return authorize_1.authorize; } });
+var getValidAccessToken_1 = require("./getValidAccessToken");
+Object.defineProperty(exports, "getValidAccessToken", { enumerable: true, get: function () { return getValidAccessToken_1.getValidAccessToken; } });
+var refreshTokens_1 = require("./refreshTokens");
+Object.defineProperty(exports, "refreshTokens", { enumerable: true, get: function () { return refreshTokens_1.refreshTokens; } });
+var tokenStore_1 = require("./tokenStore");
+Object.defineProperty(exports, "KeyringTokenStore", { enumerable: true, get: function () { return tokenStore_1.KeyringTokenStore; } });
+Object.defineProperty(exports, "STORED_BLOB_VERSION", { enumerable: true, get: function () { return tokenStore_1.STORED_BLOB_VERSION; } });
+var discoverOIDC_1 = require("./discoverOIDC");
+Object.defineProperty(exports, "discoverOIDC", { enumerable: true, get: function () { return discoverOIDC_1.discoverOIDC; } });

package/dist/oauth/issuerURL.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Canonicalizes an OIDC issuer URL for equivalence comparison. Two URLs
+ * that normalize to the same string refer to the same issuer, which is
+ * what `discoverOIDC` uses to build discovery URLs and what
+ * `KeyringTokenStore` uses to key keychain entries.
+ *
+ * Rules (per RFC 3986 §6.2 URI comparison):
+ * - Trailing slashes stripped from the path.
+ * - Scheme and authority (host + optional port) lowercased — both are
+ *   case-insensitive per the RFC.
+ * - Default ports (80 for http, 443 for https) collapsed via `URL.host`.
+ * - Path preserved case-sensitively.
+ * - Query string and fragment dropped: OIDC issuers are defined by
+ *   scheme + authority + path, and carrying them through would break
+ *   downstream path concatenation (e.g. appending
+ *   `/.well-known/openid-configuration`).
+ *
+ * If the input is not a parseable URL, the function trims trailing
+ * slashes and returns — discovery will surface a clearer error than
+ * this function could.
+ */
+export declare function normalizeIssuerURL(url: string): string;

package/dist/oauth/issuerURL.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeIssuerURL = normalizeIssuerURL;
+/**
+ * Canonicalizes an OIDC issuer URL for equivalence comparison. Two URLs
+ * that normalize to the same string refer to the same issuer, which is
+ * what `discoverOIDC` uses to build discovery URLs and what
+ * `KeyringTokenStore` uses to key keychain entries.
+ *
+ * Rules (per RFC 3986 §6.2 URI comparison):
+ * - Trailing slashes stripped from the path.
+ * - Scheme and authority (host + optional port) lowercased — both are
+ *   case-insensitive per the RFC.
+ * - Default ports (80 for http, 443 for https) collapsed via `URL.host`.
+ * - Path preserved case-sensitively.
+ * - Query string and fragment dropped: OIDC issuers are defined by
+ *   scheme + authority + path, and carrying them through would break
+ *   downstream path concatenation (e.g. appending
+ *   `/.well-known/openid-configuration`).
+ *
+ * If the input is not a parseable URL, the function trims trailing
+ * slashes and returns — discovery will surface a clearer error than
+ * this function could.
+ */
+function normalizeIssuerURL(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        return url.replace(/\/+$/, "");
+    }
+    // `URL.protocol` is already lowercased by the URL parser.
+    // `URL.host` retains input casing, so lowercase it explicitly.
+    const host = parsed.host.toLowerCase();
+    const pathname = parsed.pathname.replace(/\/+$/, "");
+    return `${parsed.protocol}//${host}${pathname}`;
+}

package/dist/oauth/keyringBinding.d.ts

@@ -0,0 +1,22 @@
+/** Minimal keyring-entry surface consumed by the package's stores. */
+export interface KeyringEntry {
+    /** Writes the password for this entry. */
+    setPassword(password: string): void;
+    /** Reads the current password, or returns `null` if none is set. */
+    getPassword(): string | null;
+    /** Deletes the password and returns `true` if one existed. */
+    deletePassword(): boolean;
+}
+/**
+ * Factory for `KeyringEntry` values. Injection seam for tests;
+ * production callers use the default that constructs
+ * `@napi-rs/keyring` entries lazily.
+ */
+export type KeyringEntryFactory = (service: string, account: string) => KeyringEntry;
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+export declare const defaultEntryFactory: KeyringEntryFactory;

package/dist/oauth/keyringBinding.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultEntryFactory = void 0;
+const node_module_1 = require("node:module");
+const errors_1 = require("./errors");
+const requireFromHere = (0, node_module_1.createRequire)(__filename);
+// Lazy-resolved Entry constructor. Importing @napi-rs/keyring at the
+// top of this module would run its native binding loader at
+// module-load time, throwing before any of our OAuthFlowError code
+// catches it and preventing the module from being imported at all on
+// platforms without a prebuilt. We defer the require into
+// `defaultEntryFactory`, which turns that import-time failure into a
+// `KEYRING_UNAVAILABLE` surfaced on the first store construction —
+// not on first save/load/clear, since callers construct stores
+// eagerly as default-arg expressions. Runtime keychain errors
+// (missing D-Bus Secret Service, macOS Keychain denial, etc.) are a
+// separate concern and surface later, inside save/load/clear.
+let cachedEntryCtor = null;
+function resolveEntryCtor() {
+    if (cachedEntryCtor)
+        return cachedEntryCtor;
+    try {
+        const mod = requireFromHere("@napi-rs/keyring");
+        cachedEntryCtor = mod.Entry;
+        return cachedEntryCtor;
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("KEYRING_UNAVAILABLE", `Could not load @napi-rs/keyring. A prebuilt native binding for this platform may be missing.`, { cause });
+    }
+}
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+const defaultEntryFactory = (service, account) => {
+    const Ctor = resolveEntryCtor();
+    return new Ctor(service, account);
+};
+exports.defaultEntryFactory = defaultEntryFactory;

package/dist/oauth/logo.generated.d.ts

@@ -0,0 +1 @@
+export declare const LOGO_PNG_BASE64 = "iVBORw0KGgoAAAANSUhEUgAAALQAAAC0CAYAAAA9zQYyAAAgAElEQVR4nO2df4wd13XfP2dBEIRAEKpKEIKqCISgEo7gOKqqKPsYpXEE1b8i/4rtWo6jJP7RuLHqtq7gt0kdwXANp9jn2Ibr2IkTJc4PO45l2bUMNZV/xHZcRW+jyI4iCKoqCASjCgShCiyhEARBEHv6x7x755wz9y13982bt+R7X2D3zdy5c+fMne+ce865P0ZY4OJHf7gXkX9AFSQlCqDVr2qdV0YZVKttZZSPkEdBZVReOi7mPE1Jn2O1d/s0bquEpa4utMAsYQim6U8DT6VxSk1KqX/Te5A2dERs94Kkc6TxLkwbC0LPCxLB8naCmvSUlLRvIqnR7ApIeiswJFdcpqTZw3sybezq9nILzA7ZBKgh4VjWrliTwaeJ+HOcGWNNl/Yk3woWhJ4bWGbatFKSeJKKIbolf8xDIU/HNsfC5JgLaNMk2CBrZXJoyFpIU6vZNaSlcyaTfKtYEHouYO3htA9FthlTu9oPtoMleHQcG5ER6dz0WBB6LhCiFWPzRBtYg8YlEF58mRJNmI7VMwsbek4gxuRITpyNPwcil3iYNLDajNTlNdK7t59hQej5gViibZDm0kdIpkTudMH4mOklscdmR+oFoecG6oMcasjmzOtkC9enNezv7OyFnkEJhXWvoBc29FzBak5J+8budd3iZlsDma1TmX/dG1D/LTpWFpgOpNaqjbhxodvbEl0DwZ0mDmZIo5xusdDQc4XUjZ1IaGLHGvbtr1W+NkZNLAdfdoyQdIAFoecJ0bGzv04rh18bvsuDjoydncZzFB3DbrEg9LygGE8ORCwFJdxoOnu++LxWw1uid4wFoecFpVBcA4WBRpn0+BCz/cUcj13fHWNB6LlDIJnrXCmN9Wio7HIeZ5KEXscOsSD0vMHGm+2vD0bj1W+JoCGcJ1GFF8yUDrAg9DzBDR4qoUTAcfZGKjNeY0x6R1gQel5gQ3GpMyQed2G8MYxUo61dD6I5lkbbNaZ5TR+LjpV5QSPisMH4jbEOZNDSbgZLPK9kj08fC0LPK0o9e+PSi0SN2zsDC0LPC6w21QJrC8M16omuEoIgYXx1XAYh7y6Gjy4wdYTOjwSJeYRqdreU7elMfDvKjmCGjDl3ilgQei5QGK+cyAh+KCngbGWbPxPYsD8tNpO0uX0z3IzwbrCIcswFRoxLBFOttW9x/EaMiNhigrMnptxG9GQRh15gaogRikIkw2neUd4cejMhuDgVKy/9FQc/LWzoBaYCrQkKzbCctYFTgriDzeOm6KINndI6tqEXGnouIIZkFrFzpc5ep51nXEZjwJI1Wejc6lgQel4Qe+3O14sXNaszNzTkCeZI6byOsDA55gKBeNlESPvGJLGEbKxlFyIYLr89L7UG3Uc5FoSeC5jQWiNqgSHgKNF1osTtMQFs25kiNu/Chl5gGsgDh6zJMPqXQnlq0pw9rWNscEK+0YbraewWCw09NxgxLIfYNjGwKK5bl3oPbcQkmy1mP5k0MxjqsdDQ84LcK5iILF5TWyexMTaj4PyNnflCZcLMYMY3LDT0HEHMjyU1tUbVoG3tb9bQo+KyqVGwqWdkbsCC0PMDG5VoEM50g1vnMZIykpm4bw1qc60OsSD03MAwteTIhSz+OL6rvKGl7X5B63eIBaHnBZGsbvV9ahu7uFhj2g6OXt4O5khOo3MNvXAK5wYhCO2GhFL9U6OaXSSD8WE7B6P9XXndYUHouUGyj0O0IzmJoyz5t7QcmPtNu6HH0JXXvWe4IPS8IY53jpo4p1syJm2u9S8b/DZ6D7vDwoaeC1ii2RhzIVvWzmPGdMRFGsdeTxZd3wtME86eqLe1kCXu5O+rmJDfhtGLGXQRjrDQ0HMBYwJE7bop7sVu8o2y6gaae/pYaOi5gRacNB1jEWhz23aejD0nknlc3ulhQei5QIpEhEFHabZ3HmU3+rXhNpXysWSCqMmX8thzFz2FC7SP0EvS+GqVOeYG5ZvRdWLylD5in7vO7XiQRdhugakidkWbzpXcY5g0edK4drBRiE3b8xJKkwU6xILQcwFjM0j4hTB2wx7TWuOOKy/lt93gQWl3iYXJMRcwXdkuppz+Rfs3js1Ql9ywsdPB+GXaxcpJC0wNWfsmR9AOQDKa2i02o/guclOWmHQXPRF/rY5NjoWGnjuYUXX218I6gKWexajlo8lhExYmxwWE/nAJuARkH+gBIP3tB/4RsBdkd1jF8wzwD8BJkOcQnkP1OPA8yAsIZ1ldXm9fWKOdXUdL3AfHwvOF3qwDGEf0zQALQm8W/bUlYC9wJegNCP8M5VrgIMJ+lL2I7G4+1KDhssOU86wjchblBdDngCOsrD0BfB/VR4DnQE4zWJ5A+IK2zd3Y0iR1dgxNGM7JHEkb9mfYW7gg9Dj010B0N8o1wM0IPw1cD1yFytJY27AxBtg0vVrQYsoSsKf6kwPAi1F9zYgQ50CeBn2Y/vAvEPku6DFUzzE4vMUb0lo2F2em1sI2POccwILmjWNAZtzlnbAgdERlRlwP+gbgVpAXge5ySs4+QLvqpo0apDwJjuiFUFhcRqAqdxfoi0Yy/AKqZ4AfgNxHf/gV4GkGvU3clJGtscKokdkN/9TtymzK7r5jZUFogP4Q4CBwG3A78CJgqRjWiloswS0PMEpzJgamDPEPPH7ywebN5QiI7gEOgxxG9cOIrLGy9keofhWR51ndwCxJZVg72dm/aTPa0xPLPF6mKWC+Cd0f7gYOA78CvAKRfW6IZCZkwaES8+RiXosYy83a3SQ31mZOITGjOR1hFIRdqN40kv/DKPewMvw94HFWewWnckxMOJkUOWRnO1takrlDzCehV9b2oPoy4E5guYpEjI7FYZXuodhjEpLFpJ/H2z+PT9VwvvLYCwlEE6j6Eg6A/luUXwIeoD/8OMLDrPbOjb2Iu4QUDrQlc7m4aWG+CN0f7gZ5GfBrwI3ArnqyaLCJXdNq7WIqLeScJRMxQD0B7ddbMxnjPnUahWtZ1eia9HAN0b2ovBH0VpQH6A8/jMgPXE/1+WROaEvmjs3o+SD0ytoSqtcBHwZuIRE5IT/Y0U5Da5ndTGabpfACFDW9IUbpSafrOtscYw4UynIZcxl7UH0dIregeg/wUd+6hMvHTpbGhNdJZF7Y0O1hZQ1gP6p3Af8mmxaN8QyMMTHwickZFLOdYDsgGt4/9YPP2iy+FM3LubI2Wqs526zxWuxF5O0obxxT+JjrtylzIe8UcfESemW4hOrPIvJR4Kqcnolhm15DWDHpWbmUHmRohq0yyrwzjpJtAeK1nONp4PhrZTXnaLiHLLczEfY5YmLKa7Q26dotytwhLs7BSf21y0H+CPgCcFVmXGoGnXYd7XvNRtZIpbitJYxNt6eTrqWe9JYjlkylgTyxGbfXTMSyMscvUTWEiteIZog52JbMCxt6AlTx5FtAP4VyqNZSI20zdqayhIdasFftFCPrFGZNN8ocB9CDb8LdoolWi1KXb6+bTZxQbqM1EV++c/TCBbL2NPfsXowWZV6YHNtEFVP+D8BdCHsbNSl2wzyBGPgv2axjR6SZHdeiS8gYy4qMKJVZKMZulK5vX8yS7LEMtzuqi4Z504bM3eHiIPTK2mXAJ1B+DrFmlG038Z561sjpoQUtVCKx1VA57KVjiGK1eJCnMYLNksVs24FD+VbicXtOQfs25MfkizKn60W7YUKZO8SFTeiVNVC9CtXPI3KT55NtHo1tWTQpoFHzthnNZDLaMTpTDXNGymXH5bIaD9ySlybx7Ms0TnYIfDPO5EaIpkYrMi+cwq3gJcA3QW5yFTfWUbEaSmtyuDxjHprNa23E7FCmJlv89Zyyk5pYsbyGYozaVmtixTEjJfldun0Rw0nOv1AaL+akMneMC5fQ/eFhVP8HyKG6WcRrB/txHMWQbfSQxKRlZWIfavh1a1SYkzK57f7oOpZ42TxQI2O4L7XHrSzBDNJERlNmyVOzJoRbKTS9jNEsEnf6xDJ3jAvT5FgZvhT4IioHGq2a3Y/d2jlDgtJ0mswDdSaGOdX1pInPm7RdyRmL3ymxsITKZkXJNDL3VjrP3mZuOeJ1gowN82lKMneAC4vQ/TVAD6PyJYT9ZMdLapK58BXUBHVPqaBtrJoe/eZNs9+wh8OxVMQ4c6bR7Jvyc/GF5j1q0ZIWTGVnmY2MkaCN4q05gy9/Epk7xoVD6Kob+3qQL6PsrxIlPGSMhrIPOhxzJEgHgqaNRLHlO40c5EjHcroxh6w8mPxRs+V7iyq3UEZ8yaLmtiQ7n8yl+51Y5m5JfeHY0KqHUP0iqpeXm7JkFxYq0Iarxp5qbOFcVsiXyhB7IkHDmbz5eRbOsTLHkW6wOS4kmdPfWNiDI9u7YYY0Cm9H5o6V9IVB6P5wP8LnEbmmWPnWuy6OLQhpan9Hmsp2IiQzRmL+kYljncuo/UpoxLpNuaUBP64liWZLKZ85qOE3v8hW5gIZ8/la32cbMm/4orWPnW9yVIPxfx+4obZrk11oyaTefkwPsjFpVev8cfSa1XjONh7tR4JX116nmrH9DCLPgB5DeQ74f4icQqhmj6juAvaB/mPgAMoVwJWoXonIXmDJy2/s/PxTaOYb3ctB5nFq05Vjjufhr4mU9r5tK0a9vaHM3WJnE3plCHAXyK1AsGGD5ojDQYtNn61oCQ8+pZmHbR2furxzwNOgayj/E3gE5ChwGlgH1s87cbUac7KEsAvlEpSrgBcD/xzlRoRrgcuaI+nEaz23hG2J7OlftH+t9jXlFOvGIuSzLZeVz8rSscmxswmtvA70P5JMo6xZqZ+TG+aIP4bZzmnhYHG8Mb7JVs4BjwNfBr0feIpJ1sqoCL8OnB39nQQeoz/8U6pnsh+V60BfDdyM6jWI7PL3l1qpcE+xFYkKOrdcNM/JeawJUyqQOq0xrrxgV3eIGTQKm0R/7SCif1U1zUZTFYkXK9Hki3ZcHI2WzZJAikrrnATuB34P5BEGy6encKfjUXXt7wVuAN4K3Apc3hjLXHoxbRjOvtRAY9xKnHply0nlj9O0VqMLoUwB9HMMerdPUg1bwc7U0NXIuU+CXNHUOKbCk4Zydl7IFzV2SrNmRkOr6wvAHwOfROTp6SzNtQlUyxKcAr5Lf/hd4AqQnwPuADkI1PdfQmmUnITj1slLDmHDuTbllPwIV+6Ya3WEnUfoyr58O8KtLr0YRYiVPMaEiA+xaJMA6DmUr4B8kMHyE5PeSquozJRjwG+ysnY3qu8G3guyv6mCN8IGoYeNRhhCs55LnVfO4e7YgGZnhu2uBj5U9/yxgYMiIY+15wr2cM4btE+lpZ5CeT0ib9lxZI5YXT7JoPcbwI8DX4NRJCWH5PC/jlvG4duIb7GlK9ateQa27OysjnMup4edRej+2i5gtdI6eMfPQU26mn2a25jtFI7yq9KvI3o30EPk/pmZF9vBoHeEasmy94Keru7d3LMoLsRm6yPXRUo2miOH7dL5aRvP4czlVG58Dtq52bGzCI2+CnhNVSkNo7ewL+ThjVZLF7VRsgvFaBA9ifIO4FdYXT6x4VJaOxWrvXMIvwW8FuWYa/7zPY9g5wA2hqCaenGdSyYNxrSYpjVIUFNeh9g5hF4Z7gM+gMhugI3nowXNDLXmhYIDaDROyoseAV6N8Id+haELEKu9dZBvAS9H9cm6HqKtRUGrEuoIc276kzpN9DzlmrLm1imswlM/j8h1gHE2Cg5M9n+S82E0kX0JGn6S89AfBd7CoPfklO6oe1Sty+P0hz+D8iVErm/E4BVvbtm0FMbDHAOvZZ3DTbkct/TBvJocymXAe1GtO1DiFHlL8mzzYdLCQ3E2o9R5lIdBXntRkdli0DsCvAHVxwGcc51+I8mUUG8Eh87Y07meR+k2mtF4Lt1jZxAa/Xng6sZY3Ng8Qk12MRnsIHYbWmqEk3gU9PUMlp+Zxl3sGAx6R4E3UY0vqdJc/UTbmuCzJJMhaNlGPVv1H8qegbkBO4HQ/bW9IHeCLPkxAaG9LI69Hf2W9iVUMjyNyOsZ9I5N61Z2FAa9J0FuR/VUo54sinUmY9JGeRuktttB+XSM2RJ6ZQ2E2xCu9G2i+gpMKDWfsVl04ae0qSdQfRNwdAp3sZPxIPB+VOtQZF0nNMyDXH3ZPCObeMV6jrspzfx2bIHMltCqu1C9A3Qpa+FM1mSvGfbKKD154NZOzu56w/Y7C7wLePSCDMtNgsHyOiK/i8gDzRfeaGFr4tklHxoDoKBRx24dDxv2Yyamx2wJLXIYeIl3JqJmFvOmpwcgRiskhw+vSarfdeC/Inxlc98iuQixunwG1TtRTjXqtjFPMBxzExmkzpPICvjvggfHfNwkgilidmG7as3mdyDGdrYj5Iru+AgCbqSZNbexZfAI8MHyJxqmiJUhKLsQlkb3sD66x3MzebFEnkT1t4BfrfZzuiexP6f6zREQYyvbVtTmawx2ks5JPTtCq+5HuLWhmBNizBObL4aY0jHDbOEUyr9n0DvVuuwR/eESwqWoLIPeAPJPQa+gmqGyBHKOaijqcfpr/wv0EZCHQU8x6OBlW12G/vAToG9HOOAN2+jkhVBc8POqNKtsUr6oYGYT6Zhlx8qrRvFn/PjdkKsUzHeDyk1tu65b/TTC2nREH6E/vAz4WeDNKDeB7nFaatw44+omR8NC174AfI3B8nRfvEHvOP3h76L8erP+7L5JE7tvsu7gj9fPhtDVtwDf4CsNsrOxmSnzltxWy1ckOgp8lNUpNO/9IYhcjvIe0HcCBxr3IXbDPNTUvFfJexG5lerFfpb+8FPA3Qx6J9oXOuOzwL8D9tU8NoKn/djjWsts8oVzS2biDDT0rJzCy4F6ccXY5Rod59JAJWs3JyLXNvhHEJ5rXer+cA/wy8DfAv+J6suv4x9clD35T3kpLqXqHdWrQFaBv6Y/vI3+cFqK5gjwjWpTKdu3BVI2ZTaOX8onNCpijoaP3oTIpW6aEOAcvOh8lNa9sHWfR4/pU4j8aavaub9WTQlDvoTIb8NobZDGIjLqH2B8mDYyk2eFpG1A5BqqLw/8Pv3h/tHiOu2hcki/ALpeE9DIbLXxZmQeJddlFJ5Rx1q6e0JXM1Je6dLcrAijASQSnqDNA2OqCvwMlQPWDlaGgC6Dfh3h1srJA/fw8thh8TJlBzblVb9fgrAbkV8Avgkcap3UIg+iHM/1G2XOUY0tyNx4CTpWywaz0NB7Qaoejhg2cs2W1GGfonMFPh4NwEmQz7XWgbKyBsotwH0gh7xcgovTWofJcsCOC44f4UmInKle8OtQvo7qS0bLObQEfb52lqWW2Ym1TZlnYTQHzILQB0GvylrAjZs1Gjlx2w1GMm1jnh1hoh/KV9EWbWfVGxG+iMgBf+10XavJDKltHmy+4PWrKcflz/bWQYT7UA61dk9VTP4vfPzYCDS5zDPl9SwIfT3CJVmr5T/12+Btu6z51J9Xe5broH+y7bUyIlbWDgJfRqUKLTp5tamdATfW2C6n5WQ1afbe8jUkph0E+SL94YF2bgxQeRA4l8k57p62L3P9nDpG94QWfjw3dVb75m1jT9fnhDzmvNocOUY1GGdy9PPyY1fma5RajPyXbOgkb3Kc1MvrvS+8Jo/3itX21wEfZWWtpeiHPovqMR+Kk3DNSWUOtnlH6JbQ/TVQrt84kyHzRhXiIiQK8A0GvbMTSpicwHcDNzeHTkZY+1L8QxR73MoK7uWwYyE2vAa3ofqvtnIrG+AkVQivQLxA5Ilk7t726FhD66XEr7p6pw7nAKrZcA6IKxNgHeHr7YjI1YisOFls86lWHvPbkNGcG0N7jX1jYpWuVWEX8KFR7+RkGPTWEZ4sytyYlTKBzHMwfPQK4NK8F/v74zJfsYvWKURn751G5ZGJpatCincCB+om11wTaHy8PsliZS4tzpKa4kyM+CYXysJkqdKvBvnlbd1bhPK/nczpt3HPE8rcsZLumNByBcglgHGw3HHqY0Z7xIpuvvXHgBamVclB4LZCupFLfLoW8owLLWZtnvJLoZxx19a0/R76w72bup2NccTJbH9LDvt2Zb6oNbRwtU/Q8W+wc1Lwpkgy8epzH2Ow3MJSBHobkqIa4Xrpt3bU/LFiyMo6k6ODUWvZXtKx18OedwXwuq3c1Rg8i+Vp6brtydwZuiW06g8VVXMmSSSFzSO4c32c9O8mlq2/tgd4czDo6z911wt5RkKL3Vezb2WOx+rTg0E7+gn7Vfz3rawMJ312J4AzDZnjXxsyd4iuNfQVfixAatqC05HNDWk6Kggu7ll53E9PLpxeAxyqn6W10Y2sjWbamhfmvHFlYGzwaLI0zjGEcByRm1DZN+ENnwbOODMq3mdbMneIjjX0aM06i+RUxP5/AReTjj1RdXO2jvLsxLKJLCNyieuVLIWsrHwl0yP3oIk5x2p1YWw4MppZ9ppZGwqgexGdrAdJOIPomSxz+nUriLYhc7foOmx3mSdu0sQbvNV26daGgwXAGdDJxxCr/ljDAYpOkRoBY0jPDuiJvZ5uW31LlMwZt5BOSk/a0d5vbqnOE88/H2Qd5YyrcPttw1Zl7g4dmxyyN7/9pRkqVquVKsI5KylNzyLywkRyrQxBeFF2glxLEK6fmuKiw2RaEztS0OaxA7DiUEznWNrWwJSVoPrD1YdItwnlHMiZhhq1crYi8/ZF3A66dgp3ew1daMJjBTVMDtM8VtrqLIyazu1jF1X0ADcvkUAk+xLm2xjlywSI9wSNcoTmCx3PteclkdJ1qnOvBN1+V3hV3rq/rpWzLZm7RXeEXhnuQtjt1J4lRuaPsacbg5TE56/ynqtIPQFUllDZVzuniTjpuAZZzLaV2ZkYYvI4zVqXX7q3fI+WGKNWIZlB1bn7kAmfX7pHZy61LXO3SrPDOYWBvblHDVMByVYTHFHs0Ew3ERbfDG8buhtkybUGtux03aDIahPE5G18ig1z3ugmSiLbtI3KqPf3kBa33BaMLBN/vH4DmbXbeatdXuwcytm6Ai0rgoOR4DSIOS8TSD3RJpENXfdfw1L8S2RetgQNeTNB0m2EFiYfDw7Ctj5ez1mQCZZAMNrWmRPBvJpU5uqzdZ2hu+ZgdZn8ADYioDumzWPJyarDS0tMfh/nqJYV8M5QMo/Sda0M2b5XI1eS2WgrN3w0FRvTtS7TG6iNTWNDv0D+tsoESDJbGW09TyqzMKl/syV0PTipXnsiVZqGBx/DCi6eC7VWyE39LmDPRFIJ6wjHm826evt5bBw6yhyaXndOQDSp8gtiHU3qusn1xXEmJrSznbxMbcmsTH+hH4OuewpPNhwK28Tl+jXaITbzTa96N6qXTCRXNS3p6fp61A/MaaB0SeP42UbE3ptN07DtGp6Q1/kP5riG/CpPTb7q0hj5nUM8scyThVS3iI7DdpzwdleyMYP9rP6k82zvASYfIwzfr+QK2snKOdamDciNidL4JkmjFUgbDdbQ+HyEz//9MVffHLSw78ZttCbz/51Izi2i657C47nZdBwJb7y1LlxnQtBWFa92A5PPt1MeQvWsf2ekftkamipqJeqHmf6yUytlAtnf9Pa4XlOhcWJV9lmEh7ZxlzXyC2KfhdS/7cl8fCI5t4iubej/U9vDxs60NrJQE95quqwRtaQFrplYMuFJ4Ih7meryy76P+x0J7Gzr1BoFjVfSbNkOtTIVWoGq3LWqtZsE5gYbvl2hZdmezOsInX4xoWtCH61+ApkzYVNaeMslsklMHgH44clFk1MgX6t304Ox9rwhbL6PyHzwzqOR2zlQ4k+zL0UD6QXOL/YXEZ1w/PeY60ShJpJZT6M8P5mcW0PXhH4G1SouaXsD49iN3JTbpmz0MNXs187XSyYa1wCjsKL+CSojr9w6q0bTNh6gNYnUyxxVuR0m24jrmny2lcoqMJ97AuVeVg9v7z4jnMxBzoll5gUucpPjGPBCUZu5IaRBI7h86bjYJvEQaBuO4ROg92cZog2fBbAvmj0kzfxuYkC8n/gCGHu9dP9V3j9m0GtvMZ2SzHbczGQyH5t44NgW0TWhnxv9mWYcowGtoxWcMUbp6Tc5W9V5lwIvnli6QW8d5L+A+XyDdfxKy2NZfjecpnRPDUPTlFMw0oXaKfNlPofIR7d/gwVEszintyLz411/16ZbQldx08dcWuyEsDZqfuvHOSPJDNFdwEtbkVF4HNVP1wJgnms0PYLMzqwnyWblJD/xfG+2jHANsWXrOvBhaGEyQ4aR2TKxLZnRv21P1s1hFisn/U29k+yzQNg4hrjs6pNrr3ohXjlaSH0yrC5XxFEe871ehKZ5jEzOIknnOznDvUU02MKohfgWIne3q/GsGWe1rTCxzMo54ActCrspdE9o5eFqyCfkptzFmtNfcADTsfG4HjjYiowiL4C+DTUzYVxTKj4taTi7bffjjJyCCdoYfpqPKShHgDtYXT7dyv1ZlORpQ2Z4HniqdXnPg1lo6CeB5xoRIghNmrFP3biBkD+XK7sR3tjKesqryyDyA+BdoKedrEptAhlF5rSdBG1n/QVrUpnTqm2l0SogJ4C30cpE4DFI10vDeWFCmQF4ciR7p5jF6qMnEB7NlZTf8GjDYd52a8/Z/NTpVXjpdqqew8lRkfpeVN4DerooV0MzUd+P9QMaEwRMWiNsZjU7J1FuR/hea6uqJlgt7LYLdbw1mVP+77SzVsrW0D2hq4FA33S9gaUhllBwGMfYc2lf9VrQf9GerMuA/gHwi6AnfQsh3kGyMsdmJ2vtoAFzS5QKcuc+B/pq4M+nEimwPkFpdv12ZK7nPq6DfKN9oc+PWX1j5QEkDPx2dltyFE2FleLBtqmv8iwB7231ozuDXqWpkZ9GQ4TGEteZHklmmuaH/c33YM6ttPuDoD2UB1vXzBHOXIpO4SZldtvZ5n9iilKPxYwILUdzFCE20anNEldro0OxCTTbeUduIX3yoi2sLoPqo8BPofqbIKdrOaLHRMPIbNMAAAtGSURBVG3zJ5mzaaJjZM7N/Ang/cDLGfSO8JGOvzprHcJNy2x3801/G7TTDpWEWWnoM1SfWvCarUQEy14ZpW/08XphN+j7WVlrx5ZO+EgPBr2TiKyA/iTovbVtbeRwA6mSaFKbIiWZ4QVU7wZ+AuQ3GPTaj2ZsBDubu42P18OXZvVt9diOd4f+8EUgfwfszhWSCW3MDdslnrcLtptbFVTPAW8Cvjq1iu0/tATyYuB24DXAQUR2u3EQtTxGVtL9nKGaVPAV4POIPD2KgXeDlbU9qH4fkWsbM1DcM8BXd+Sua5wUqoXUf7STT1IXMMNPI8vToA8h8lKnlRukLp2KIbA2H4TILlQ/BHwPJh1mOQaDw1Wv58ra+1D9IHAt6GGEH0P1ENXHRS8BlkDWK20uz6I8CfI3oGvAEwx6nc65c3CzcgrHwJiEgdxQP6+UryrvK0i3064sZqeh37cGwi8hfNbFP5NjZKdm2WPWdrNaQoIaqQj/MUTvnMonkjfCyhqoLoHsQVlCOAd6FpH1rsc2jEV/bQ/C91Gu9SyIqpia9BLyNJ/NOZQfZdCbiUMIs9TQH1mG/vBelFVEDjg7ziISW/FawVW88cirzXejfBN4YCr3MA4VadepVvjcmRDM2na2PtNGJDCG69ZRd7bHd5lRdCNhVk5hBZFTiPyBSfCEhbrJa8Socxn1TnJeao7vAfkMK2tXsYCHApI+kTxCDjMSbGTxikZM3tqpXwc+OctGH2ZN6NVlUD6DmhBP0sLOqY61iW8Zk6NVT/G32a8CPsvKcLKZ4RcjdFxiJDl19Cb2FNZa/XGQB6YeNz8PZktoAOEoyJ9VO8bBi85HNElCoCNratsdnWOoejPKx+kP2w3lXejIA/ZH+yVtrDZd6nr2mnwd5BMMljtdJamE2RO6sjc/gUj1wflJPl6f8tp5frWGfydwF/22Pl55gSObZ+LrMUc1Ut2n7aI6H52jT4DeMy1Rt4LZExoAfQLVPzMGWfW79Y/XF/bT+bIE/CrQX5A6QbyT5yJNqZ5tk2iQ61nXgdVZxZ0jdgahq86PVdB6epZzPKTWKIx+Sx+vtzO1c770sBSEXaAfBL2LlRbHe1yIsGaGjWZs9eP1ysMI93Yl9vmwMwhd4SjwcaDpcDhtrLV2iJ0COuYcRtuVRtqF8Oson2Jlbb4dxWTW5Xo1HS2ufkNYL9Vt1dv5flZn2DkUsHMIXWnp30H1sWKIzmlro7XjTHGrUYIFY3q8lhDeieqX6Q+vmHgJhAsVduyMC8FpXcfeY8TVs3IPIt/rVObzYOcQusJJ4NdIawpv5eP1aXZ1jKPmPOa3enJLiLwC+A7ozays7bS66AZ+OQjqCEZwyK1SqbTzcdAPsNr9IP6NsLMeYjX2+Buofg4ohN/q3RpK6K2qf+OcNzcrI8etDyHch+oH6Q8vZa4Q69XGmMXXv99fB+4COdqltJvBbLt1xqE/PAAMEak+paxBWyQkC6LRLW48HR39a0wQKED1MYT3ozzAoLdzNE//IUD2AbsY9NoZbLWytgv4K5QbGyxwPbOWzKkl1PuB1++oOhphZ2noDHkOuANGq4HG6VkNSyQ6LhLyRKcmdCbUDtBLQP4bcB/94Q2tLIswKfpDqCYsfB24rsWSR2M5KLR84uvFzx88DtyxE8kMO5XQVffpAygfGy2wgo9F48NNtrewkbZBvqTZxeXbhcirEPlr4L/TH75q9B3wbrGytkR/eCPVWOm/RLix9WuU6ir95vqwYVPOoryLQe+Z1mVpCTs3FjvoQX/4IZQbEG7xHjfBWLIMj+o7HjO/acKAFPMuIbwCeBmqT9Ef3oNwH/A4q73pdPGuDEG5EngF8IvAMtUnN6CN76mUkOP7pbqjJjWsg34MuH8qcrSEnWlDW6ysHQS+juqh5rDR0IHiWkZTRnNGS03mRhnjylWo4q5HEL4N/CXK48AzIKe3PChnZQ3QJZTLgGsQDqO8HLgBuKwwU2cd+JcMet/e2oXGXn8J+A5KNUvevcvmvusQ3ddA3sJgCovdtIidT2iA/vAwcB/C/g1FtlwsHoiaKNou9pSNHMnkKOkp4HmQI6BPI/L3oMdRToCcAj1rXo5LEPaBXIbyT4CDoIeAq6gIXBg45V6udXRKhLZfzy051uijwM+w2ut08fLtYOeaHBbKQwh3AJ9FafbuuQ6WhmYxeaBOSNvBm88RkRC2yhrLhP6EvSh7gYPAzd58AapmOgmw5Af9BMc1v0BqRJFC69ImgomRv8foBHsGuJ3Bzicz7FSnMOIjPUDuReV9iJ7znSY2pBdtYjbYNs6Om91sNLiUzhc2//F6WULSn7muzZc7MvDXtRcufZqiDaSIkIVznPUEwlsQHp/C1aeCC4PQAIPldeB3gLuAdb+afomA1oG09mjK44xs82LYMkP825bhOh3UENsSMchie91K47ubAeHGrbQOd10n5yngzSAPdT4ncwJcOISGitTKgGoxlnPZLIgxZcB9ySn3fKV9w3x3TraNvUnQmKGh4dzROela+Rr4bVuWc3DxssVrbKZTaFuw9ePu7yTKG0C+tWMm9W4SFxahIS2aPkC5Cxl9O9wiRjswWlEIJoIajW2a/mwviy8nx69N+TavNVlKpk56YUoEFbwsSY5pkdktiONMn+dR3orwjQuNzHAhEhqqRclFBqjeierprCGtQ+VUL0ZzYjSS+DT7m52j5JSpORbKtMds6x3n4SU73Y2ZsNcNmlIL12wXZ1yoDn0W4U0g01kgsgNcmISGROpPA28DPeGHOzoVPdqUpnOlUA9ot1oRc35yHK2mtxpN67T8Ikldpv1zsth0rcv0RnVjszVUl1o39/oE8GqU7856ouskuHAJDenzEfcAr0X1qLNNLdkcDHmiQ9QwX6wmJZDSnhPsi2l8vH4aqH2ENao486OzWpOuLVzYhIaqi3zQexD4SeB7fuijdexopqV0G0rLyt2UEVllHb9YFgQnkKYMzoQIeRuyB7naxTqq9wCvZLB8dCpX6BgXPqETBr1ngZcDA9CzzUHrBK1aH8p2LLDjP17fHtaBDyHyFga9k62XPiNMs0GbDfprS6CvAPkkwtVFzWYdtwaMuWDDZzm8MabK8osRzJK4GmmMkmhISwk5LcnTctf3RYqLR0MnDJbXEf4c9KdQ/cNKW4+OJds0Q2lo7kh2d24hLf8aImbtnWxvbV638TaF6+fzgjwLbIiLj9AAq73KBBH+NfCmaiEUqENko+04dsJip328/uJrS6eCi5PQCau9cwx6XwP5CeADKM83TYcY7Qi/LsqhNElnnTqTd1xZOfYdVK51AJOpYp3ShYbeFC5uQicMlk+i/GegB9xN4xspGIKZ3xwBsXAGrydaqWcvd5aEUF5uHQphkvTONMKEC5wP81lN/eG1wJ2I3AZc0nDMNrJbx+WLDp6t2XH7G/mbUdG3PcD/IsV8aOiIQe8JkHeg+iOofgw4Doxx3gihNYzpgTmuBWJqHbrL2jhtU3Y0nSMZyl7gvJhPQkM1EXfQOwJyJ+iPoPou4EEYzYTOXdej/NEEGBdQdhaJtc+NObJhD2CD4YVrLTAOi5qyWBnuRrkWeAPwGpBDCNWM72geRLiZJUlbm8xuTLUhdDY/gr2SN3P6Ig69CSwIXUL10Z89wLXALcDLEV4Msh9lKZM31t6mbOcxzmaeadNIPwscAx4C3s+gd3Sym7u4sSD0ZlAR/ADVdwlvBHqg1wJXgOymMTfTaujRPjBWvVfZ1oFzKKeAowiPojIEfQR4eqesv7zTsSD0dlF9T3w/yNWgB4GDID8EejnIftB9IHsRHU3qFagGA50GTiFyAngeOAb69yhHqT5a+QzwwmgiwwJbxP8Hm/uj5T1hsjYAAAAASUVORK5CYII=";

package/dist/oauth/logo.generated.js

@@ -0,0 +1,7 @@
+"use strict";
+// Generated by scripts/encode-logo.js — do not edit by hand.
+// Source: assets/logo.png
+// To regenerate: node scripts/encode-logo.js
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LOGO_PNG_BASE64 = void 0;
+exports.LOGO_PNG_BASE64 = "iVBORw0KGgoAAAANSUhEUgAAALQAAAC0CAYAAAA9zQYyAAAgAElEQVR4nO2df4wd13XfP2dBEIRAEKpKEIKqCISgEo7gOKqqKPsYpXEE1b8i/4rtWo6jJP7RuLHqtq7gt0kdwXANp9jn2Ibr2IkTJc4PO45l2bUMNZV/xHZcRW+jyI4iCKoqCASjCgShCiyhEARBEHv6x7x755wz9y13982bt+R7X2D3zdy5c+fMne+ce865P0ZY4OJHf7gXkX9AFSQlCqDVr2qdV0YZVKttZZSPkEdBZVReOi7mPE1Jn2O1d/s0bquEpa4utMAsYQim6U8DT6VxSk1KqX/Te5A2dERs94Kkc6TxLkwbC0LPCxLB8naCmvSUlLRvIqnR7ApIeiswJFdcpqTZw3sybezq9nILzA7ZBKgh4VjWrliTwaeJ+HOcGWNNl/Yk3woWhJ4bWGbatFKSeJKKIbolf8xDIU/HNsfC5JgLaNMk2CBrZXJoyFpIU6vZNaSlcyaTfKtYEHouYO3htA9FthlTu9oPtoMleHQcG5ER6dz0WBB6LhCiFWPzRBtYg8YlEF58mRJNmI7VMwsbek4gxuRITpyNPwcil3iYNLDajNTlNdK7t59hQej5gViibZDm0kdIpkTudMH4mOklscdmR+oFoecG6oMcasjmzOtkC9enNezv7OyFnkEJhXWvoBc29FzBak5J+8budd3iZlsDma1TmX/dG1D/LTpWFpgOpNaqjbhxodvbEl0DwZ0mDmZIo5xusdDQc4XUjZ1IaGLHGvbtr1W+NkZNLAdfdoyQdIAFoecJ0bGzv04rh18bvsuDjoydncZzFB3DbrEg9LygGE8ORCwFJdxoOnu++LxWw1uid4wFoecFpVBcA4WBRpn0+BCz/cUcj13fHWNB6LlDIJnrXCmN9Wio7HIeZ5KEXscOsSD0vMHGm+2vD0bj1W+JoCGcJ1GFF8yUDrAg9DzBDR4qoUTAcfZGKjNeY0x6R1gQel5gQ3GpMyQed2G8MYxUo61dD6I5lkbbNaZ5TR+LjpV5QSPisMH4jbEOZNDSbgZLPK9kj08fC0LPK0o9e+PSi0SN2zsDC0LPC6w21QJrC8M16omuEoIgYXx1XAYh7y6Gjy4wdYTOjwSJeYRqdreU7elMfDvKjmCGjDl3ilgQei5QGK+cyAh+KCngbGWbPxPYsD8tNpO0uX0z3IzwbrCIcswFRoxLBFOttW9x/EaMiNhigrMnptxG9GQRh15gaogRikIkw2neUd4cejMhuDgVKy/9FQc/LWzoBaYCrQkKzbCctYFTgriDzeOm6KINndI6tqEXGnouIIZkFrFzpc5ep51nXEZjwJI1Wejc6lgQel4Qe+3O14sXNaszNzTkCeZI6byOsDA55gKBeNlESPvGJLGEbKxlFyIYLr89L7UG3Uc5FoSeC5jQWiNqgSHgKNF1osTtMQFs25kiNu/Chl5gGsgDh6zJMPqXQnlq0pw9rWNscEK+0YbraewWCw09NxgxLIfYNjGwKK5bl3oPbcQkmy1mP5k0MxjqsdDQ84LcK5iILF5TWyexMTaj4PyNnflCZcLMYMY3LDT0HEHMjyU1tUbVoG3tb9bQo+KyqVGwqWdkbsCC0PMDG5VoEM50g1vnMZIykpm4bw1qc60OsSD03MAwteTIhSz+OL6rvKGl7X5B63eIBaHnBZGsbvV9ahu7uFhj2g6OXt4O5khOo3MNvXAK5wYhCO2GhFL9U6OaXSSD8WE7B6P9XXndYUHouUGyj0O0IzmJoyz5t7QcmPtNu6HH0JXXvWe4IPS8IY53jpo4p1syJm2u9S8b/DZ6D7vDwoaeC1ii2RhzIVvWzmPGdMRFGsdeTxZd3wtME86eqLe1kCXu5O+rmJDfhtGLGXQRjrDQ0HMBYwJE7bop7sVu8o2y6gaae/pYaOi5gRacNB1jEWhz23aejD0nknlc3ulhQei5QIpEhEFHabZ3HmU3+rXhNpXysWSCqMmX8thzFz2FC7SP0EvS+GqVOeYG5ZvRdWLylD5in7vO7XiQRdhugakidkWbzpXcY5g0edK4drBRiE3b8xJKkwU6xILQcwFjM0j4hTB2wx7TWuOOKy/lt93gQWl3iYXJMRcwXdkuppz+Rfs3js1Ql9ywsdPB+GXaxcpJC0wNWfsmR9AOQDKa2i02o/guclOWmHQXPRF/rY5NjoWGnjuYUXX218I6gKWexajlo8lhExYmxwWE/nAJuARkH+gBIP3tB/4RsBdkd1jF8wzwD8BJkOcQnkP1OPA8yAsIZ1ldXm9fWKOdXUdL3AfHwvOF3qwDGEf0zQALQm8W/bUlYC9wJegNCP8M5VrgIMJ+lL2I7G4+1KDhssOU86wjchblBdDngCOsrD0BfB/VR4DnQE4zWJ5A+IK2zd3Y0iR1dgxNGM7JHEkb9mfYW7gg9Dj010B0N8o1wM0IPw1cD1yFytJY27AxBtg0vVrQYsoSsKf6kwPAi1F9zYgQ50CeBn2Y/vAvEPku6DFUzzE4vMUb0lo2F2em1sI2POccwILmjWNAZtzlnbAgdERlRlwP+gbgVpAXge5ySs4+QLvqpo0apDwJjuiFUFhcRqAqdxfoi0Yy/AKqZ4AfgNxHf/gV4GkGvU3clJGtscKokdkN/9TtymzK7r5jZUFogP4Q4CBwG3A78CJgqRjWiloswS0PMEpzJgamDPEPPH7ywebN5QiI7gEOgxxG9cOIrLGy9keofhWR51ndwCxJZVg72dm/aTPa0xPLPF6mKWC+Cd0f7gYOA78CvAKRfW6IZCZkwaES8+RiXosYy83a3SQ31mZOITGjOR1hFIRdqN40kv/DKPewMvw94HFWewWnckxMOJkUOWRnO1takrlDzCehV9b2oPoy4E5guYpEjI7FYZXuodhjEpLFpJ/H2z+PT9VwvvLYCwlEE6j6Eg6A/luUXwIeoD/8OMLDrPbOjb2Iu4QUDrQlc7m4aWG+CN0f7gZ5GfBrwI3ArnqyaLCJXdNq7WIqLeScJRMxQD0B7ddbMxnjPnUahWtZ1eia9HAN0b2ovBH0VpQH6A8/jMgPXE/1+WROaEvmjs3o+SD0ytoSqtcBHwZuIRE5IT/Y0U5Da5ndTGabpfACFDW9IUbpSafrOtscYw4UynIZcxl7UH0dIregeg/wUd+6hMvHTpbGhNdJZF7Y0O1hZQ1gP6p3Af8mmxaN8QyMMTHwickZFLOdYDsgGt4/9YPP2iy+FM3LubI2Wqs526zxWuxF5O0obxxT+JjrtylzIe8UcfESemW4hOrPIvJR4Kqcnolhm15DWDHpWbmUHmRohq0yyrwzjpJtAeK1nONp4PhrZTXnaLiHLLczEfY5YmLKa7Q26dotytwhLs7BSf21y0H+CPgCcFVmXGoGnXYd7XvNRtZIpbitJYxNt6eTrqWe9JYjlkylgTyxGbfXTMSyMscvUTWEiteIZog52JbMCxt6AlTx5FtAP4VyqNZSI20zdqayhIdasFftFCPrFGZNN8ocB9CDb8LdoolWi1KXb6+bTZxQbqM1EV++c/TCBbL2NPfsXowWZV6YHNtEFVP+D8BdCHsbNSl2wzyBGPgv2axjR6SZHdeiS8gYy4qMKJVZKMZulK5vX8yS7LEMtzuqi4Z504bM3eHiIPTK2mXAJ1B+DrFmlG038Z561sjpoQUtVCKx1VA57KVjiGK1eJCnMYLNksVs24FD+VbicXtOQfs25MfkizKn60W7YUKZO8SFTeiVNVC9CtXPI3KT55NtHo1tWTQpoFHzthnNZDLaMTpTDXNGymXH5bIaD9ySlybx7Ms0TnYIfDPO5EaIpkYrMi+cwq3gJcA3QW5yFTfWUbEaSmtyuDxjHprNa23E7FCmJlv89Zyyk5pYsbyGYozaVmtixTEjJfldun0Rw0nOv1AaL+akMneMC5fQ/eFhVP8HyKG6WcRrB/txHMWQbfSQxKRlZWIfavh1a1SYkzK57f7oOpZ42TxQI2O4L7XHrSzBDNJERlNmyVOzJoRbKTS9jNEsEnf6xDJ3jAvT5FgZvhT4IioHGq2a3Y/d2jlDgtJ0mswDdSaGOdX1pInPm7RdyRmL3ymxsITKZkXJNDL3VjrP3mZuOeJ1gowN82lKMneAC4vQ/TVAD6PyJYT9ZMdLapK58BXUBHVPqaBtrJoe/eZNs9+wh8OxVMQ4c6bR7Jvyc/GF5j1q0ZIWTGVnmY2MkaCN4q05gy9/Epk7xoVD6Kob+3qQL6PsrxIlPGSMhrIPOhxzJEgHgqaNRLHlO40c5EjHcroxh6w8mPxRs+V7iyq3UEZ8yaLmtiQ7n8yl+51Y5m5JfeHY0KqHUP0iqpeXm7JkFxYq0Iarxp5qbOFcVsiXyhB7IkHDmbz5eRbOsTLHkW6wOS4kmdPfWNiDI9u7YYY0Cm9H5o6V9IVB6P5wP8LnEbmmWPnWuy6OLQhpan9Hmsp2IiQzRmL+kYljncuo/UpoxLpNuaUBP64liWZLKZ85qOE3v8hW5gIZ8/la32cbMm/4orWPnW9yVIPxfx+4obZrk11oyaTefkwPsjFpVev8cfSa1XjONh7tR4JX116nmrH9DCLPgB5DeQ74f4icQqhmj6juAvaB/mPgAMoVwJWoXonIXmDJy2/s/PxTaOYb3ctB5nFq05Vjjufhr4mU9r5tK0a9vaHM3WJnE3plCHAXyK1AsGGD5ojDQYtNn61oCQ8+pZmHbR2furxzwNOgayj/E3gE5ChwGlgH1s87cbUac7KEsAvlEpSrgBcD/xzlRoRrgcuaI+nEaz23hG2J7OlftH+t9jXlFOvGIuSzLZeVz8rSscmxswmtvA70P5JMo6xZqZ+TG+aIP4bZzmnhYHG8Mb7JVs4BjwNfBr0feIpJ1sqoCL8OnB39nQQeoz/8U6pnsh+V60BfDdyM6jWI7PL3l1qpcE+xFYkKOrdcNM/JeawJUyqQOq0xrrxgV3eIGTQKm0R/7SCif1U1zUZTFYkXK9Hki3ZcHI2WzZJAikrrnATuB34P5BEGy6encKfjUXXt7wVuAN4K3Apc3hjLXHoxbRjOvtRAY9xKnHply0nlj9O0VqMLoUwB9HMMerdPUg1bwc7U0NXIuU+CXNHUOKbCk4Zydl7IFzV2SrNmRkOr6wvAHwOfROTp6SzNtQlUyxKcAr5Lf/hd4AqQnwPuADkI1PdfQmmUnITj1slLDmHDuTbllPwIV+6Ya3WEnUfoyr58O8KtLr0YRYiVPMaEiA+xaJMA6DmUr4B8kMHyE5PeSquozJRjwG+ysnY3qu8G3guyv6mCN8IGoYeNRhhCs55LnVfO4e7YgGZnhu2uBj5U9/yxgYMiIY+15wr2cM4btE+lpZ5CeT0ib9lxZI5YXT7JoPcbwI8DX4NRJCWH5PC/jlvG4duIb7GlK9ateQa27OysjnMup4edRej+2i5gtdI6eMfPQU26mn2a25jtFI7yq9KvI3o30EPk/pmZF9vBoHeEasmy94Keru7d3LMoLsRm6yPXRUo2miOH7dL5aRvP4czlVG58Dtq52bGzCI2+CnhNVSkNo7ewL+ThjVZLF7VRsgvFaBA9ifIO4FdYXT6x4VJaOxWrvXMIvwW8FuWYa/7zPY9g5wA2hqCaenGdSyYNxrSYpjVIUFNeh9g5hF4Z7gM+gMhugI3nowXNDLXmhYIDaDROyoseAV6N8Id+haELEKu9dZBvAS9H9cm6HqKtRUGrEuoIc276kzpN9DzlmrLm1imswlM/j8h1gHE2Cg5M9n+S82E0kX0JGn6S89AfBd7CoPfklO6oe1Sty+P0hz+D8iVErm/E4BVvbtm0FMbDHAOvZZ3DTbkct/TBvJocymXAe1GtO1DiFHlL8mzzYdLCQ3E2o9R5lIdBXntRkdli0DsCvAHVxwGcc51+I8mUUG8Eh87Y07meR+k2mtF4Lt1jZxAa/Xng6sZY3Ng8Qk12MRnsIHYbWmqEk3gU9PUMlp+Zxl3sGAx6R4E3UY0vqdJc/UTbmuCzJJMhaNlGPVv1H8qegbkBO4HQ/bW9IHeCLPkxAaG9LI69Hf2W9iVUMjyNyOsZ9I5N61Z2FAa9J0FuR/VUo54sinUmY9JGeRuktttB+XSM2RJ6ZQ2E2xCu9G2i+gpMKDWfsVl04ae0qSdQfRNwdAp3sZPxIPB+VOtQZF0nNMyDXH3ZPCObeMV6jrspzfx2bIHMltCqu1C9A3Qpa+FM1mSvGfbKKD154NZOzu56w/Y7C7wLePSCDMtNgsHyOiK/i8gDzRfeaGFr4tklHxoDoKBRx24dDxv2Yyamx2wJLXIYeIl3JqJmFvOmpwcgRiskhw+vSarfdeC/Inxlc98iuQixunwG1TtRTjXqtjFPMBxzExmkzpPICvjvggfHfNwkgilidmG7as3mdyDGdrYj5Iru+AgCbqSZNbexZfAI8MHyJxqmiJUhKLsQlkb3sD66x3MzebFEnkT1t4BfrfZzuiexP6f6zREQYyvbVtTmawx2ks5JPTtCq+5HuLWhmBNizBObL4aY0jHDbOEUyr9n0DvVuuwR/eESwqWoLIPeAPJPQa+gmqGyBHKOaijqcfpr/wv0EZCHQU8x6OBlW12G/vAToG9HOOAN2+jkhVBc8POqNKtsUr6oYGYT6Zhlx8qrRvFn/PjdkKsUzHeDyk1tu65b/TTC2nREH6E/vAz4WeDNKDeB7nFaatw44+omR8NC174AfI3B8nRfvEHvOP3h76L8erP+7L5JE7tvsu7gj9fPhtDVtwDf4CsNsrOxmSnzltxWy1ckOgp8lNUpNO/9IYhcjvIe0HcCBxr3IXbDPNTUvFfJexG5lerFfpb+8FPA3Qx6J9oXOuOzwL8D9tU8NoKn/djjWsts8oVzS2biDDT0rJzCy4F6ccXY5Rod59JAJWs3JyLXNvhHEJ5rXer+cA/wy8DfAv+J6suv4x9clD35T3kpLqXqHdWrQFaBv6Y/vI3+cFqK5gjwjWpTKdu3BVI2ZTaOX8onNCpijoaP3oTIpW6aEOAcvOh8lNa9sHWfR4/pU4j8aavaub9WTQlDvoTIb8NobZDGIjLqH2B8mDYyk2eFpG1A5BqqLw/8Pv3h/tHiOu2hcki/ALpeE9DIbLXxZmQeJddlFJ5Rx1q6e0JXM1Je6dLcrAijASQSnqDNA2OqCvwMlQPWDlaGgC6Dfh3h1srJA/fw8thh8TJlBzblVb9fgrAbkV8Avgkcap3UIg+iHM/1G2XOUY0tyNx4CTpWywaz0NB7Qaoejhg2cs2W1GGfonMFPh4NwEmQz7XWgbKyBsotwH0gh7xcgovTWofJcsCOC44f4UmInKle8OtQvo7qS0bLObQEfb52lqWW2Ym1TZlnYTQHzILQB0GvylrAjZs1Gjlx2w1GMm1jnh1hoh/KV9EWbWfVGxG+iMgBf+10XavJDKltHmy+4PWrKcflz/bWQYT7UA61dk9VTP4vfPzYCDS5zDPl9SwIfT3CJVmr5T/12+Btu6z51J9Xe5broH+y7bUyIlbWDgJfRqUKLTp5tamdATfW2C6n5WQ1afbe8jUkph0E+SL94YF2bgxQeRA4l8k57p62L3P9nDpG94QWfjw3dVb75m1jT9fnhDzmvNocOUY1GGdy9PPyY1fma5RajPyXbOgkb3Kc1MvrvS+8Jo/3itX21wEfZWWtpeiHPovqMR+Kk3DNSWUOtnlH6JbQ/TVQrt84kyHzRhXiIiQK8A0GvbMTSpicwHcDNzeHTkZY+1L8QxR73MoK7uWwYyE2vAa3ofqvtnIrG+AkVQivQLxA5Ilk7t726FhD66XEr7p6pw7nAKrZcA6IKxNgHeHr7YjI1YisOFls86lWHvPbkNGcG0N7jX1jYpWuVWEX8KFR7+RkGPTWEZ4sytyYlTKBzHMwfPQK4NK8F/v74zJfsYvWKURn751G5ZGJpatCincCB+om11wTaHy8PsliZS4tzpKa4kyM+CYXysJkqdKvBvnlbd1bhPK/nczpt3HPE8rcsZLumNByBcglgHGw3HHqY0Z7xIpuvvXHgBamVclB4LZCupFLfLoW8owLLWZtnvJLoZxx19a0/R76w72bup2NccTJbH9LDvt2Zb6oNbRwtU/Q8W+wc1Lwpkgy8epzH2Ow3MJSBHobkqIa4Xrpt3bU/LFiyMo6k6ODUWvZXtKx18OedwXwuq3c1Rg8i+Vp6brtydwZuiW06g8VVXMmSSSFzSO4c32c9O8mlq2/tgd4czDo6z911wt5RkKL3Vezb2WOx+rTg0E7+gn7Vfz3rawMJ312J4AzDZnjXxsyd4iuNfQVfixAatqC05HNDWk6Kggu7ll53E9PLpxeAxyqn6W10Y2sjWbamhfmvHFlYGzwaLI0zjGEcByRm1DZN+ENnwbOODMq3mdbMneIjjX0aM06i+RUxP5/AReTjj1RdXO2jvLsxLKJLCNyieuVLIWsrHwl0yP3oIk5x2p1YWw4MppZ9ppZGwqgexGdrAdJOIPomSxz+nUriLYhc7foOmx3mSdu0sQbvNV26daGgwXAGdDJxxCr/ljDAYpOkRoBY0jPDuiJvZ5uW31LlMwZt5BOSk/a0d5vbqnOE88/H2Qd5YyrcPttw1Zl7g4dmxyyN7/9pRkqVquVKsI5KylNzyLywkRyrQxBeFF2glxLEK6fmuKiw2RaEztS0OaxA7DiUEznWNrWwJSVoPrD1YdItwnlHMiZhhq1crYi8/ZF3A66dgp3ew1daMJjBTVMDtM8VtrqLIyazu1jF1X0ADcvkUAk+xLm2xjlywSI9wSNcoTmCx3PteclkdJ1qnOvBN1+V3hV3rq/rpWzLZm7RXeEXhnuQtjt1J4lRuaPsacbg5TE56/ynqtIPQFUllDZVzuniTjpuAZZzLaV2ZkYYvI4zVqXX7q3fI+WGKNWIZlB1bn7kAmfX7pHZy61LXO3SrPDOYWBvblHDVMByVYTHFHs0Ew3ERbfDG8buhtkybUGtux03aDIahPE5G18ig1z3ugmSiLbtI3KqPf3kBa33BaMLBN/vH4DmbXbeatdXuwcytm6Ai0rgoOR4DSIOS8TSD3RJpENXfdfw1L8S2RetgQNeTNB0m2EFiYfDw7Ctj5ez1mQCZZAMNrWmRPBvJpU5uqzdZ2hu+ZgdZn8ADYioDumzWPJyarDS0tMfh/nqJYV8M5QMo/Sda0M2b5XI1eS2WgrN3w0FRvTtS7TG6iNTWNDv0D+tsoESDJbGW09TyqzMKl/syV0PTipXnsiVZqGBx/DCi6eC7VWyE39LmDPRFIJ6wjHm826evt5bBw6yhyaXndOQDSp8gtiHU3qusn1xXEmJrSznbxMbcmsTH+hH4OuewpPNhwK28Tl+jXaITbzTa96N6qXTCRXNS3p6fp61A/MaaB0SeP42UbE3ptN07DtGp6Q1/kP5riG/CpPTb7q0hj5nUM8scyThVS3iI7DdpzwdleyMYP9rP6k82zvASYfIwzfr+QK2snKOdamDciNidL4JkmjFUgbDdbQ+HyEz//9MVffHLSw78ZttCbz/51Izi2i657C47nZdBwJb7y1LlxnQtBWFa92A5PPt1MeQvWsf2ekftkamipqJeqHmf6yUytlAtnf9Pa4XlOhcWJV9lmEh7ZxlzXyC2KfhdS/7cl8fCI5t4iubej/U9vDxs60NrJQE95quqwRtaQFrplYMuFJ4Ih7meryy76P+x0J7Gzr1BoFjVfSbNkOtTIVWoGq3LWqtZsE5gYbvl2hZdmezOsInX4xoWtCH61+ApkzYVNaeMslsklMHgH44clFk1MgX6t304Ox9rwhbL6PyHzwzqOR2zlQ4k+zL0UD6QXOL/YXEZ1w/PeY60ShJpJZT6M8P5mcW0PXhH4G1SouaXsD49iN3JTbpmz0MNXs187XSyYa1wCjsKL+CSojr9w6q0bTNh6gNYnUyxxVuR0m24jrmny2lcoqMJ97AuVeVg9v7z4jnMxBzoll5gUucpPjGPBCUZu5IaRBI7h86bjYJvEQaBuO4ROg92cZog2fBbAvmj0kzfxuYkC8n/gCGHu9dP9V3j9m0GtvMZ2SzHbczGQyH5t44NgW0TWhnxv9mWYcowGtoxWcMUbp6Tc5W9V5lwIvnli6QW8d5L+A+XyDdfxKy2NZfjecpnRPDUPTlFMw0oXaKfNlPofIR7d/gwVEszintyLz411/16ZbQldx08dcWuyEsDZqfuvHOSPJDNFdwEtbkVF4HNVP1wJgnms0PYLMzqwnyWblJD/xfG+2jHANsWXrOvBhaGEyQ4aR2TKxLZnRv21P1s1hFisn/U29k+yzQNg4hrjs6pNrr3ohXjlaSH0yrC5XxFEe871ehKZ5jEzOIknnOznDvUU02MKohfgWIne3q/GsGWe1rTCxzMo54ActCrspdE9o5eFqyCfkptzFmtNfcADTsfG4HjjYiowiL4C+DTUzYVxTKj4taTi7bffjjJyCCdoYfpqPKShHgDtYXT7dyv1ZlORpQ2Z4HniqdXnPg1lo6CeB5xoRIghNmrFP3biBkD+XK7sR3tjKesqryyDyA+BdoKedrEptAhlF5rSdBG1n/QVrUpnTqm2l0SogJ4C30cpE4DFI10vDeWFCmQF4ciR7p5jF6qMnEB7NlZTf8GjDYd52a8/Z/NTpVXjpdqqew8lRkfpeVN4DerooV0MzUd+P9QMaEwRMWiNsZjU7J1FuR/hea6uqJlgt7LYLdbw1mVP+77SzVsrW0D2hq4FA33S9gaUhllBwGMfYc2lf9VrQf9GerMuA/gHwi6AnfQsh3kGyMsdmJ2vtoAFzS5QKcuc+B/pq4M+nEimwPkFpdv12ZK7nPq6DfKN9oc+PWX1j5QEkDPx2dltyFE2FleLBtqmv8iwB7231ozuDXqWpkZ9GQ4TGEteZHklmmuaH/c33YM6ttPuDoD2UB1vXzBHOXIpO4SZldtvZ5n9iilKPxYwILUdzFCE20anNEldro0OxCTTbeUduIX3yoi2sLoPqo8BPofqbIKdrOaLHRMPIbNMAAAtGSURBVG3zJ5mzaaJjZM7N/Ang/cDLGfSO8JGOvzprHcJNy2x3801/G7TTDpWEWWnoM1SfWvCarUQEy14ZpW/08XphN+j7WVlrx5ZO+EgPBr2TiKyA/iTovbVtbeRwA6mSaFKbIiWZ4QVU7wZ+AuQ3GPTaj2ZsBDubu42P18OXZvVt9diOd4f+8EUgfwfszhWSCW3MDdslnrcLtptbFVTPAW8Cvjq1iu0/tATyYuB24DXAQUR2u3EQtTxGVtL9nKGaVPAV4POIPD2KgXeDlbU9qH4fkWsbM1DcM8BXd+Sua5wUqoXUf7STT1IXMMNPI8vToA8h8lKnlRukLp2KIbA2H4TILlQ/BHwPJh1mOQaDw1Wv58ra+1D9IHAt6GGEH0P1ENXHRS8BlkDWK20uz6I8CfI3oGvAEwx6nc65c3CzcgrHwJiEgdxQP6+UryrvK0i3064sZqeh37cGwi8hfNbFP5NjZKdm2WPWdrNaQoIaqQj/MUTvnMonkjfCyhqoLoHsQVlCOAd6FpH1rsc2jEV/bQ/C91Gu9SyIqpia9BLyNJ/NOZQfZdCbiUMIs9TQH1mG/vBelFVEDjg7ziISW/FawVW88cirzXejfBN4YCr3MA4VadepVvjcmRDM2na2PtNGJDCG69ZRd7bHd5lRdCNhVk5hBZFTiPyBSfCEhbrJa8Socxn1TnJeao7vAfkMK2tXsYCHApI+kTxCDjMSbGTxikZM3tqpXwc+OctGH2ZN6NVlUD6DmhBP0sLOqY61iW8Zk6NVT/G32a8CPsvKcLKZ4RcjdFxiJDl19Cb2FNZa/XGQB6YeNz8PZktoAOEoyJ9VO8bBi85HNElCoCNratsdnWOoejPKx+kP2w3lXejIA/ZH+yVtrDZd6nr2mnwd5BMMljtdJamE2RO6sjc/gUj1wflJPl6f8tp5frWGfydwF/22Pl55gSObZ+LrMUc1Ut2n7aI6H52jT4DeMy1Rt4LZExoAfQLVPzMGWfW79Y/XF/bT+bIE/CrQX5A6QbyT5yJNqZ5tk2iQ61nXgdVZxZ0jdgahq86PVdB6epZzPKTWKIx+Sx+vtzO1c770sBSEXaAfBL2LlRbHe1yIsGaGjWZs9eP1ysMI93Yl9vmwMwhd4SjwcaDpcDhtrLV2iJ0COuYcRtuVRtqF8Oson2Jlbb4dxWTW5Xo1HS2ufkNYL9Vt1dv5flZn2DkUsHMIXWnp30H1sWKIzmlro7XjTHGrUYIFY3q8lhDeieqX6Q+vmHgJhAsVduyMC8FpXcfeY8TVs3IPIt/rVObzYOcQusJJ4NdIawpv5eP1aXZ1jKPmPOa3enJLiLwC+A7ozays7bS66AZ+OQjqCEZwyK1SqbTzcdAPsNr9IP6NsLMeYjX2+Buofg4ohN/q3RpK6K2qf+OcNzcrI8etDyHch+oH6Q8vZa4Q69XGmMXXv99fB+4COdqltJvBbLt1xqE/PAAMEak+paxBWyQkC6LRLW48HR39a0wQKED1MYT3ozzAoLdzNE//IUD2AbsY9NoZbLWytgv4K5QbGyxwPbOWzKkl1PuB1++oOhphZ2noDHkOuANGq4HG6VkNSyQ6LhLyRKcmdCbUDtBLQP4bcB/94Q2tLIswKfpDqCYsfB24rsWSR2M5KLR84uvFzx88DtyxE8kMO5XQVffpAygfGy2wgo9F48NNtrewkbZBvqTZxeXbhcirEPlr4L/TH75q9B3wbrGytkR/eCPVWOm/RLix9WuU6ir95vqwYVPOoryLQe+Z1mVpCTs3FjvoQX/4IZQbEG7xHjfBWLIMj+o7HjO/acKAFPMuIbwCeBmqT9Ef3oNwH/A4q73pdPGuDEG5EngF8IvAMtUnN6CN76mUkOP7pbqjJjWsg34MuH8qcrSEnWlDW6ysHQS+juqh5rDR0IHiWkZTRnNGS03mRhnjylWo4q5HEL4N/CXK48AzIKe3PChnZQ3QJZTLgGsQDqO8HLgBuKwwU2cd+JcMet/e2oXGXn8J+A5KNUvevcvmvusQ3ddA3sJgCovdtIidT2iA/vAwcB/C/g1FtlwsHoiaKNou9pSNHMnkKOkp4HmQI6BPI/L3oMdRToCcAj1rXo5LEPaBXIbyT4CDoIeAq6gIXBg45V6udXRKhLZfzy051uijwM+w2ut08fLtYOeaHBbKQwh3AJ9FafbuuQ6WhmYxeaBOSNvBm88RkRC2yhrLhP6EvSh7gYPAzd58AapmOgmw5Af9BMc1v0BqRJFC69ImgomRv8foBHsGuJ3Bzicz7FSnMOIjPUDuReV9iJ7znSY2pBdtYjbYNs6Om91sNLiUzhc2//F6WULSn7muzZc7MvDXtRcufZqiDaSIkIVznPUEwlsQHp/C1aeCC4PQAIPldeB3gLuAdb+afomA1oG09mjK44xs82LYMkP825bhOh3UENsSMchie91K47ubAeHGrbQOd10n5yngzSAPdT4ncwJcOISGitTKgGoxlnPZLIgxZcB9ySn3fKV9w3x3TraNvUnQmKGh4dzROela+Rr4bVuWc3DxssVrbKZTaFuw9ePu7yTKG0C+tWMm9W4SFxahIS2aPkC5Cxl9O9wiRjswWlEIJoIajW2a/mwviy8nx69N+TavNVlKpk56YUoEFbwsSY5pkdktiONMn+dR3orwjQuNzHAhEhqqRclFBqjeierprCGtQ+VUL0ZzYjSS+DT7m52j5JSpORbKtMds6x3n4SU73Y2ZsNcNmlIL12wXZ1yoDn0W4U0g01kgsgNcmISGROpPA28DPeGHOzoVPdqUpnOlUA9ot1oRc35yHK2mtxpN67T8Ikldpv1zsth0rcv0RnVjszVUl1o39/oE8GqU7856ouskuHAJDenzEfcAr0X1qLNNLdkcDHmiQ9QwX6wmJZDSnhPsi2l8vH4aqH2ENao486OzWpOuLVzYhIaqi3zQexD4SeB7fuijdexopqV0G0rLyt2UEVllHb9YFgQnkKYMzoQIeRuyB7naxTqq9wCvZLB8dCpX6BgXPqETBr1ngZcDA9CzzUHrBK1aH8p2LLDjP17fHtaBDyHyFga9k62XPiNMs0GbDfprS6CvAPkkwtVFzWYdtwaMuWDDZzm8MabK8osRzJK4GmmMkmhISwk5LcnTctf3RYqLR0MnDJbXEf4c9KdQ/cNKW4+OJds0Q2lo7kh2d24hLf8aImbtnWxvbV638TaF6+fzgjwLbIiLj9AAq73KBBH+NfCmaiEUqENko+04dsJip328/uJrS6eCi5PQCau9cwx6XwP5CeADKM83TYcY7Qi/LsqhNElnnTqTd1xZOfYdVK51AJOpYp3ShYbeFC5uQicMlk+i/GegB9xN4xspGIKZ3xwBsXAGrydaqWcvd5aEUF5uHQphkvTONMKEC5wP81lN/eG1wJ2I3AZc0nDMNrJbx+WLDp6t2XH7G/mbUdG3PcD/IsV8aOiIQe8JkHeg+iOofgw4Doxx3gihNYzpgTmuBWJqHbrL2jhtU3Y0nSMZyl7gvJhPQkM1EXfQOwJyJ+iPoPou4EEYzYTOXdej/NEEGBdQdhaJtc+NObJhD2CD4YVrLTAOi5qyWBnuRrkWeAPwGpBDCNWM72geRLiZJUlbm8xuTLUhdDY/gr2SN3P6Ig69CSwIXUL10Z89wLXALcDLEV4Msh9lKZM31t6mbOcxzmaeadNIPwscAx4C3s+gd3Sym7u4sSD0ZlAR/ADVdwlvBHqg1wJXgOymMTfTaujRPjBWvVfZ1oFzKKeAowiPojIEfQR4eqesv7zTsSD0dlF9T3w/yNWgB4GDID8EejnIftB9IHsRHU3qFagGA50GTiFyAngeOAb69yhHqT5a+QzwwmgiwwJbxP8Hm/uj5T1hsjYAAAAASUVORK5CYII=";

package/dist/oauth/openBrowser.d.ts

@@ -0,0 +1,19 @@
+import type { ChildProcess, SpawnOptions } from "node:child_process";
+/** Injection seam for `child_process.spawn`. Used by tests. */
+export type SpawnFn = (command: string, args: readonly string[], options: SpawnOptions) => ChildProcess;
+/** Options for `openBrowser`. */
+export interface OpenBrowserOptions {
+    /** Override for `process.platform`. Used by tests. */
+    platform?: NodeJS.Platform;
+    /** Override for `child_process.spawn`. Used by tests. */
+    spawnFn?: SpawnFn;
+}
+/**
+ * Launches the system browser at `url` in a detached child process.
+ * Returns synchronously once the child is spawned — completion of the
+ * browser load is intentionally not awaited.
+ *
+ * @param url Absolute URL to open.
+ * @param options Platform/spawn overrides; only exposed for tests.
+ */
+export declare function openBrowser(url: string, options?: OpenBrowserOptions): void;

package/dist/oauth/openBrowser.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.openBrowser = openBrowser;
+const node_child_process_1 = require("node:child_process");
+const errors_1 = require("./errors");
+// On Windows `start` is a cmd.exe builtin, not a standalone binary.
+// The empty `""` pair is a positional placeholder for the window
+// title — without it `start` treats the URL as the title.
+//
+// The escape class covers:
+// - `& | ^ < >` — cmd metacharacters that would otherwise split the
+//   command line.
+// - `"` — would prematurely terminate the argument and break
+//   `start`'s quoting.
+// - `%` — triggers cmd.exe environment-variable expansion (e.g.
+//   `%USERNAME%`), which could leak or alter the URL.
+// - `\r \n` — embedded newlines let a crafted URL inject additional
+//   commands onto cmd.exe's line.
+//
+// URLs normally percent-encode most of these (so this is defense in
+// depth), but we do not fully trust the authorization endpoint that
+// came back from discovery.
+function windowsCommand(url) {
+    return {
+        command: "cmd.exe",
+        args: ["/c", "start", '""', url.replace(/[&|^<>"%\r\n]/g, (c) => `^${c}`)],
+    };
+}
+function browserCommand(platform, url) {
+    switch (platform) {
+        case "darwin":
+            return { command: "open", args: [url] };
+        case "win32":
+            return windowsCommand(url);
+        default:
+            // linux / freebsd / openbsd — xdg-open is part of xdg-utils which
+            // is near-universal on desktop Linux. Environments without it
+            // (headless servers, containers) will report the missing binary
+            // via an asynchronous child-process `error` event, which this
+            // module deliberately swallows (see `child.once("error", ...)`
+            // below); `BROWSER_LAUNCH_FAILED` is only raised for synchronous
+            // `spawn()` throws. The caller's fallback is the URL already
+            // surfaced via `onAuthorizationUrl` so the user can finish the
+            // flow manually.
+            return { command: "xdg-open", args: [url] };
+    }
+}
+/**
+ * Launches the system browser at `url` in a detached child process.
+ * Returns synchronously once the child is spawned — completion of the
+ * browser load is intentionally not awaited.
+ *
+ * @param url Absolute URL to open.
+ * @param options Platform/spawn overrides; only exposed for tests.
+ */
+function openBrowser(url, options = {}) {
+    const platform = options.platform ?? process.platform;
+    const spawnFn = options.spawnFn ?? node_child_process_1.spawn;
+    const { command, args } = browserCommand(platform, url);
+    let child;
+    try {
+        child = spawnFn(command, args, {
+            detached: true,
+            stdio: "ignore",
+        });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("BROWSER_LAUNCH_FAILED", `Failed to launch the system browser (${command}). Open this URL manually:\n${url}`, { cause });
+    }
+    // `spawn` itself can succeed (the parent fork was fine) and then emit
+    // `error` asynchronously if the binary isn't on PATH. We can't surface
+    // that synchronously, but attaching a handler prevents the default
+    // "unhandled error" crash. Callers get a benign no-op if the browser
+    // never opens; the authorize() orchestrator prints the URL alongside
+    // the launch so the user has a fallback.
+    child.once("error", () => { });
+    child.unref();
+}

package/dist/oauth/pkce.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Generates a cryptographically random PKCE `code_verifier` per RFC 7636
+ * §4.1. 43 base64url characters, 256 bits of entropy.
+ */
+export declare function generateCodeVerifier(): string;
+/**
+ * Derives the PKCE S256 `code_challenge` for the given verifier per
+ * RFC 7636 §4.2: `BASE64URL(SHA256(ASCII(verifier)))`.
+ *
+ * @param verifier The PKCE verifier produced by `generateCodeVerifier`.
+ */
+export declare function deriveCodeChallenge(verifier: string): string;
+/**
+ * Generates a cryptographically random OAuth `state` value for CSRF
+ * protection. 22 base64url characters, 128 bits of entropy.
+ */
+export declare function generateState(): string;

package/dist/oauth/pkce.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateCodeVerifier = generateCodeVerifier;
+exports.deriveCodeChallenge = deriveCodeChallenge;
+exports.generateState = generateState;
+const node_crypto_1 = require("node:crypto");
+// PKCE per RFC 7636. We only ever emit S256; plain is permitted by the RFC
+// but explicitly disallowed by our authorization-server config so it can't
+// silently fall back in the face of a buggy server.
+/**
+ * Entropy for the PKCE `code_verifier`. 32 bytes yields 43 base64url chars
+ * (no padding), the minimum length RFC 7636 allows (43–128). 256 bits
+ * matches the S256 hash's security ceiling.
+ */
+const VERIFIER_ENTROPY_BYTES = 32;
+/**
+ * Entropy for the CSRF `state` parameter. 16 bytes yields 22 base64url
+ * chars — unguessable without bloating the authorization URL.
+ */
+const STATE_ENTROPY_BYTES = 16;
+/**
+ * Generates a cryptographically random PKCE `code_verifier` per RFC 7636
+ * §4.1. 43 base64url characters, 256 bits of entropy.
+ */
+function generateCodeVerifier() {
+    return (0, node_crypto_1.randomBytes)(VERIFIER_ENTROPY_BYTES).toString("base64url");
+}
+/**
+ * Derives the PKCE S256 `code_challenge` for the given verifier per
+ * RFC 7636 §4.2: `BASE64URL(SHA256(ASCII(verifier)))`.
+ *
+ * @param verifier The PKCE verifier produced by `generateCodeVerifier`.
+ */
+function deriveCodeChallenge(verifier) {
+    return (0, node_crypto_1.createHash)("sha256").update(verifier, "ascii").digest("base64url");
+}
+/**
+ * Generates a cryptographically random OAuth `state` value for CSRF
+ * protection. 22 base64url characters, 128 bits of entropy.
+ */
+function generateState() {
+    return (0, node_crypto_1.randomBytes)(STATE_ENTROPY_BYTES).toString("base64url");
+}

package/dist/oauth/predicates.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Narrows `v` to `string` when it is a non-empty string. Useful for
+ * validating JSON fields from authorization-server responses, where
+ * the spec declares a field as "string" but servers occasionally
+ * return `""` / `null` / missing.
+ */
+export declare function isNonEmptyString(v: unknown): v is string;

package/dist/oauth/predicates.js

@@ -0,0 +1,15 @@
+"use strict";
+// Type-guard predicates shared across the oauth modules. Keep this
+// narrow: anything more substantial than a one-liner probably
+// belongs in its own module rather than piling in here.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isNonEmptyString = isNonEmptyString;
+/**
+ * Narrows `v` to `string` when it is a non-empty string. Useful for
+ * validating JSON fields from authorization-server responses, where
+ * the spec declares a field as "string" but servers occasionally
+ * return `""` / `null` / missing.
+ */
+function isNonEmptyString(v) {
+    return typeof v === "string" && v.length > 0;
+}

package/dist/oauth/refreshTokens.d.ts

@@ -0,0 +1,30 @@
+import { type TokenSet } from "./tokenResponse";
+/** Options for `refreshTokens`. */
+export interface RefreshTokensOptions {
+    /** Token endpoint resolved from OIDC discovery. */
+    tokenEndpoint: string;
+    /** OAuth client identifier. */
+    clientId: string;
+    /** The refresh token to exchange for a new access token. */
+    refreshToken: string;
+    /** Source of `now`. Defaults to `Date.now`. Injected for test determinism. */
+    now?: () => number;
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+}
+/**
+ * Exchanges a refresh token for a fresh access token via RFC 6749 §6.
+ *
+ * Some providers (Keycloak by default) rotate refresh tokens and
+ * return a new one in the response; others leave the refresh token
+ * alone. When the server omits `refresh_token` from the response,
+ * the returned `TokenSet` carries forward the input `refreshToken`
+ * so callers never lose refresh capability after one use.
+ *
+ * @throws {OAuthFlowError} with code `TOKEN_EXCHANGE_FAILED` on any
+ *   failure. `details` surfaces the OAuth `error` /
+ *   `error_description` when present; callers distinguishing
+ *   "refresh revoked" from "network hiccup" should inspect
+ *   `details.error === "invalid_grant"`.
+ */
+export declare function refreshTokens(options: RefreshTokensOptions): Promise<TokenSet>;