@deque/axe-auth 1.1.0-next.97bcb8e6 → 1.1.0-next.f7b98204

package/dist/oauth/discoverOIDC.d.ts

@@ -0,0 +1,50 @@
+/** Subset of the OIDC discovery document that this package consumes. */
+export interface OIDCConfiguration {
+    /** Issuer identifier. Same value the authorization server will claim in tokens. */
+    issuer: string;
+    /** Endpoint the browser is redirected to for authorization. */
+    authorizationEndpoint: string;
+    /** Endpoint for code → token exchange and refresh-token grants. */
+    tokenEndpoint: string;
+    /** Present on most providers (Keycloak, Auth0); OIDC spec does not require it. */
+    revocationEndpoint?: string;
+    /** Present on providers that implement RP-initiated logout (OIDC session management). */
+    endSessionEndpoint?: string;
+}
+/** Options for `discoverOIDC`. */
+export interface DiscoverOIDCOptions {
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+    /**
+     * Permit non-HTTPS issuer URLs whose host is not a loopback literal.
+     * Loopback hosts (`localhost`, `127.0.0.1`, `[::1]`) are always
+     * allowed over http since they cannot be intercepted remotely; this
+     * flag is for corporate dev setups or reverse-proxy scenarios where
+     * http is the only available path. Default `false`.
+     */
+    allowInsecureIssuer?: boolean;
+}
+/**
+ * Fetches and parses the OpenID Connect discovery document for a given
+ * issuer. Fails fast (no retry) so the caller does not open a browser
+ * against an unreachable authorization server.
+ *
+ * This function uses the OIDC discovery well-known path as a
+ * convention — most OAuth 2.0 providers expose it regardless of
+ * whether you intend to perform identity validation. This library
+ * itself does not perform OIDC identity validation (no id_token /
+ * nonce / signature checks); callers needing OIDC-strength identity
+ * assurance should layer that on top.
+ *
+ * Verifies that the server's claimed `issuer` matches the URL the
+ * caller passed in, per OIDC Discovery §3 / defence against a hostile
+ * discovery response redirecting `authorization_endpoint` and
+ * `token_endpoint` to attacker-controlled hosts.
+ *
+ * @param issuerURL Authorization-server URL the discovery document
+ *   claims as its `issuer`. For Keycloak, callers build this as
+ *   `${serverURL}/realms/${realm}`. For other providers it is the
+ *   hostname (or issuer path) advertised in their discovery document.
+ *   Trailing slashes tolerated.
+ */
+export declare function discoverOIDC(issuerURL: string, options?: DiscoverOIDCOptions): Promise<OIDCConfiguration>;

package/dist/oauth/discoverOIDC.js

@@ -0,0 +1,145 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverOIDC = discoverOIDC;
+const errors_1 = require("./errors");
+const issuerURL_1 = require("./issuerURL");
+const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
+function isNonEmptyString(v) {
+    return typeof v === "string" && v.length > 0;
+}
+function optionalString(v) {
+    return isNonEmptyString(v) ? v : undefined;
+}
+/**
+ * Throws `DISCOVERY_FAILED` if `url` is not safe to transmit OAuth
+ * secrets over. `https:` is always fine; `http:` is only fine for
+ * loopback hosts, or for any host when `allowInsecurePermitted` is
+ * `true`. `label` describes the URL being checked ("issuer URL",
+ * "token_endpoint", etc.) and appears in the error message.
+ */
+function assertSecureURL(url, label, allowInsecurePermitted) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `${label} is not a valid URL: ${url}`);
+    }
+    if (parsed.protocol === "https:")
+        return;
+    if (parsed.protocol === "http:") {
+        const host = parsed.host.toLowerCase();
+        // Keycloak on localhost:8080 → host === "localhost:8080"; strip
+        // the port for the loopback check.
+        const hostname = host.replace(/:\d+$/, "");
+        if (LOOPBACK_HOSTS.has(hostname))
+            return;
+        if (allowInsecurePermitted)
+            return;
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Refusing to use ${label} over http:// against non-loopback host ${parsed.host}. Use https:// or pass allowInsecureIssuer: true to override (only do this on trusted networks).`);
+    }
+    throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Unsupported ${label} scheme '${parsed.protocol}'; expected https: or http: (loopback only).`);
+}
+function buildDiscoveryURL(issuerURL) {
+    // Use URL parsing (rather than string concat) so the discovery path
+    // lands on the URL's pathname, not accidentally after a query string
+    // or fragment. `normalizeIssuerURL` already strips those, but
+    // defense in depth keeps the contract obvious from the code.
+    const normalized = new URL((0, issuerURL_1.normalizeIssuerURL)(issuerURL));
+    normalized.search = "";
+    normalized.hash = "";
+    normalized.pathname = `${normalized.pathname.replace(/\/$/, "")}/.well-known/openid-configuration`;
+    return normalized.toString();
+}
+function parseConfiguration(body, url) {
+    const missing = [];
+    if (!isNonEmptyString(body.issuer))
+        missing.push("issuer");
+    if (!isNonEmptyString(body.authorization_endpoint)) {
+        missing.push("authorization_endpoint");
+    }
+    if (!isNonEmptyString(body.token_endpoint))
+        missing.push("token_endpoint");
+    if (missing.length > 0) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `OpenID configuration at ${url} is missing required field(s): ${missing.join(", ")}`);
+    }
+    return {
+        issuer: body.issuer,
+        authorizationEndpoint: body.authorization_endpoint,
+        tokenEndpoint: body.token_endpoint,
+        revocationEndpoint: optionalString(body.revocation_endpoint),
+        endSessionEndpoint: optionalString(body.end_session_endpoint),
+    };
+}
+/**
+ * Fetches and parses the OpenID Connect discovery document for a given
+ * issuer. Fails fast (no retry) so the caller does not open a browser
+ * against an unreachable authorization server.
+ *
+ * This function uses the OIDC discovery well-known path as a
+ * convention — most OAuth 2.0 providers expose it regardless of
+ * whether you intend to perform identity validation. This library
+ * itself does not perform OIDC identity validation (no id_token /
+ * nonce / signature checks); callers needing OIDC-strength identity
+ * assurance should layer that on top.
+ *
+ * Verifies that the server's claimed `issuer` matches the URL the
+ * caller passed in, per OIDC Discovery §3 / defence against a hostile
+ * discovery response redirecting `authorization_endpoint` and
+ * `token_endpoint` to attacker-controlled hosts.
+ *
+ * @param issuerURL Authorization-server URL the discovery document
+ *   claims as its `issuer`. For Keycloak, callers build this as
+ *   `${serverURL}/realms/${realm}`. For other providers it is the
+ *   hostname (or issuer path) advertised in their discovery document.
+ *   Trailing slashes tolerated.
+ */
+async function discoverOIDC(issuerURL, options = {}) {
+    const allowInsecure = options.allowInsecureIssuer ?? false;
+    assertSecureURL(issuerURL, "issuer URL", allowInsecure);
+    const url = buildDiscoveryURL(issuerURL);
+    let response;
+    try {
+        response = await fetch(url, { signal: options.signal });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Could not reach the authentication server at ${url}. Check the URL and your network connection.`, { cause });
+    }
+    if (!response.ok) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Authentication server at ${url} responded with HTTP ${response.status}. Check the issuer URL.`);
+    }
+    let body;
+    try {
+        body = await response.json();
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Authentication server at ${url} did not return a valid JSON OpenID configuration`, { cause });
+    }
+    if (body === null || typeof body !== "object") {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `OpenID configuration at ${url} was not a JSON object`);
+    }
+    const config = parseConfiguration(body, url);
+    // OIDC Discovery §3: the `issuer` value returned MUST equal the URL
+    // the client used for discovery. Without this check (and without
+    // id_token signature validation, which this library does not do),
+    // a hostile discovery response could redirect the authorization and
+    // token endpoints to attacker hosts while still appearing to come
+    // from the legitimate origin.
+    if ((0, issuerURL_1.normalizeIssuerURL)(config.issuer) !== (0, issuerURL_1.normalizeIssuerURL)(issuerURL)) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Issuer mismatch: requested ${issuerURL} but discovery document claims ${config.issuer}`);
+    }
+    // Enforce scheme on the endpoints the flow actually hits. A tampered
+    // discovery response could claim the legitimate issuer while
+    // returning http://... for authorization_endpoint or token_endpoint,
+    // which would leak the auth code + PKCE verifier to a cleartext
+    // path. Same loopback / allowInsecureIssuer policy as the input.
+    assertSecureURL(config.authorizationEndpoint, "authorization_endpoint", allowInsecure);
+    assertSecureURL(config.tokenEndpoint, "token_endpoint", allowInsecure);
+    if (config.revocationEndpoint) {
+        assertSecureURL(config.revocationEndpoint, "revocation_endpoint", allowInsecure);
+    }
+    if (config.endSessionEndpoint) {
+        assertSecureURL(config.endSessionEndpoint, "end_session_endpoint", allowInsecure);
+    }
+    return config;
+}

package/dist/oauth/errors.d.ts

@@ -0,0 +1,73 @@
+/** Error codes raised by the loopback callback server. */
+export type OAuthCallbackErrorCode = 
+/** No callback arrived within `timeoutMs`; a retry is reasonable. */
+"TIMEOUT"
+/** Callback `state` did not match `expectedState`. Surface a generic failure — do NOT echo the expected value. */
+ | "STATE_MISMATCH"
+/** Callback carried `?error=...`. `details` holds `error` and optionally `error_description` for display. */
+ | "PROVIDER_ERROR"
+/** Callback had no `code` parameter; treat as a malformed response. */
+ | "MISSING_CODE"
+/** Could not bind the loopback port. No retry — environment likely blocked. */
+ | "BIND_FAILED"
+/** Caller's `AbortSignal` fired. Expected; no user-facing message. */
+ | "ABORTED";
+/** Options for `OAuthCallbackError`. */
+export interface OAuthCallbackErrorOptions {
+    /** Structured metadata for callers that want to surface specific fields. */
+    details?: Record<string, string>;
+    /** Underlying error that triggered this failure. */
+    cause?: unknown;
+}
+/**
+ * Error raised by the loopback callback server when the authorization
+ * response cannot be consumed (timeout, state mismatch, provider error,
+ * malformed response, bind failure, or caller abort).
+ */
+export declare class OAuthCallbackError extends Error {
+    /** Discriminator for programmatic handling. */
+    readonly code: OAuthCallbackErrorCode;
+    /** Structured metadata carried alongside the error, if any. */
+    readonly details?: Record<string, string>;
+    constructor(code: OAuthCallbackErrorCode, message: string, options?: OAuthCallbackErrorOptions);
+}
+/** Error codes raised by the OAuth flow orchestrator and its helpers. */
+export type OAuthFlowErrorCode = 
+/** OIDC discovery could not reach or parse the authorization server. No browser was opened. */
+"DISCOVERY_FAILED"
+/** Could not launch the system browser. User should be told to open the URL manually. */
+ | "BROWSER_LAUNCH_FAILED"
+/** Authorization code → token exchange was rejected by the authorization server. */
+ | "TOKEN_EXCHANGE_FAILED"
+/** System keychain is unavailable (e.g. no D-Bus secret service on Linux). */
+ | "KEYRING_UNAVAILABLE"
+/** Authorization endpoint returned by discovery cannot be used (e.g. already carries an OAuth-required param). Server misconfiguration. */
+ | "INVALID_AUTHORIZATION_ENDPOINT";
+/** Options for `OAuthFlowError`. */
+export interface OAuthFlowErrorOptions {
+    /** Structured metadata for callers that want to surface specific fields. */
+    details?: Record<string, string>;
+    /** Underlying error that triggered this failure. */
+    cause?: unknown;
+}
+/**
+ * Error raised by anything in the OAuth flow outside the callback
+ * server itself: OIDC discovery, browser launch, token exchange, or
+ * keychain access.
+ *
+ * **Logging note.** For code `TOKEN_EXCHANGE_FAILED`, `message` may
+ * include the authorization server's `error_description`, which is
+ * free-form text the server controls and could plausibly contain
+ * user-identifying or otherwise sensitive information. Prefer
+ * structured logging via the discriminated `code` and the explicit
+ * `details` fields; avoid echoing the raw `message` (or the result
+ * of `console.error(err)`, which includes it) into shared log sinks
+ * without a redaction step.
+ */
+export declare class OAuthFlowError extends Error {
+    /** Discriminator for programmatic handling. */
+    readonly code: OAuthFlowErrorCode;
+    /** Structured metadata carried alongside the error, if any. */
+    readonly details?: Record<string, string>;
+    constructor(code: OAuthFlowErrorCode, message: string, options?: OAuthFlowErrorOptions);
+}

package/dist/oauth/errors.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthFlowError = exports.OAuthCallbackError = void 0;
+/**
+ * Error raised by the loopback callback server when the authorization
+ * response cannot be consumed (timeout, state mismatch, provider error,
+ * malformed response, bind failure, or caller abort).
+ */
+class OAuthCallbackError extends Error {
+    /** Discriminator for programmatic handling. */
+    code;
+    /** Structured metadata carried alongside the error, if any. */
+    details;
+    constructor(code, message, options = {}) {
+        super(message, { cause: options.cause });
+        this.name = "OAuthCallbackError";
+        this.code = code;
+        this.details = options.details;
+    }
+}
+exports.OAuthCallbackError = OAuthCallbackError;
+/**
+ * Error raised by anything in the OAuth flow outside the callback
+ * server itself: OIDC discovery, browser launch, token exchange, or
+ * keychain access.
+ *
+ * **Logging note.** For code `TOKEN_EXCHANGE_FAILED`, `message` may
+ * include the authorization server's `error_description`, which is
+ * free-form text the server controls and could plausibly contain
+ * user-identifying or otherwise sensitive information. Prefer
+ * structured logging via the discriminated `code` and the explicit
+ * `details` fields; avoid echoing the raw `message` (or the result
+ * of `console.error(err)`, which includes it) into shared log sinks
+ * without a redaction step.
+ */
+class OAuthFlowError extends Error {
+    /** Discriminator for programmatic handling. */
+    code;
+    /** Structured metadata carried alongside the error, if any. */
+    details;
+    constructor(code, message, options = {}) {
+        super(message, { cause: options.cause });
+        this.name = "OAuthFlowError";
+        this.code = code;
+        this.details = options.details;
+    }
+}
+exports.OAuthFlowError = OAuthFlowError;

package/dist/oauth/index.d.ts

@@ -0,0 +1,11 @@
+export { startCallbackServer } from "./callbackServer";
+export type { CallbackServerOptions, CallbackServerHandle, CallbackResult, } from "./callbackServer";
+export { OAuthCallbackError, OAuthFlowError } from "./errors";
+export type { OAuthCallbackErrorCode, OAuthCallbackErrorOptions, OAuthFlowErrorCode, OAuthFlowErrorOptions, } from "./errors";
+export { authorize } from "./authorize";
+export type { AuthorizeOptions } from "./authorize";
+export type { TokenSet } from "./tokenExchange";
+export { KeyringTokenStore, STORED_BLOB_VERSION } from "./tokenStore";
+export type { TokenStore, LoadResult, KeyringEntry, KeyringEntryFactory, } from "./tokenStore";
+export { discoverOIDC } from "./discoverOIDC";
+export type { OIDCConfiguration, DiscoverOIDCOptions } from "./discoverOIDC";

package/dist/oauth/index.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverOIDC = exports.STORED_BLOB_VERSION = exports.KeyringTokenStore = exports.authorize = exports.OAuthFlowError = exports.OAuthCallbackError = exports.startCallbackServer = void 0;
+var callbackServer_1 = require("./callbackServer");
+Object.defineProperty(exports, "startCallbackServer", { enumerable: true, get: function () { return callbackServer_1.startCallbackServer; } });
+var errors_1 = require("./errors");
+Object.defineProperty(exports, "OAuthCallbackError", { enumerable: true, get: function () { return errors_1.OAuthCallbackError; } });
+Object.defineProperty(exports, "OAuthFlowError", { enumerable: true, get: function () { return errors_1.OAuthFlowError; } });
+var authorize_1 = require("./authorize");
+Object.defineProperty(exports, "authorize", { enumerable: true, get: function () { return authorize_1.authorize; } });
+var tokenStore_1 = require("./tokenStore");
+Object.defineProperty(exports, "KeyringTokenStore", { enumerable: true, get: function () { return tokenStore_1.KeyringTokenStore; } });
+Object.defineProperty(exports, "STORED_BLOB_VERSION", { enumerable: true, get: function () { return tokenStore_1.STORED_BLOB_VERSION; } });
+var discoverOIDC_1 = require("./discoverOIDC");
+Object.defineProperty(exports, "discoverOIDC", { enumerable: true, get: function () { return discoverOIDC_1.discoverOIDC; } });

package/dist/oauth/issuerURL.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Canonicalizes an OIDC issuer URL for equivalence comparison. Two URLs
+ * that normalize to the same string refer to the same issuer, which is
+ * what `discoverOIDC` uses to build discovery URLs and what
+ * `KeyringTokenStore` uses to key keychain entries.
+ *
+ * Rules (per RFC 3986 §6.2 URI comparison):
+ * - Trailing slashes stripped from the path.
+ * - Scheme and authority (host + optional port) lowercased — both are
+ *   case-insensitive per the RFC.
+ * - Default ports (80 for http, 443 for https) collapsed via `URL.host`.
+ * - Path preserved case-sensitively.
+ * - Query string and fragment dropped: OIDC issuers are defined by
+ *   scheme + authority + path, and carrying them through would break
+ *   downstream path concatenation (e.g. appending
+ *   `/.well-known/openid-configuration`).
+ *
+ * If the input is not a parseable URL, the function trims trailing
+ * slashes and returns — discovery will surface a clearer error than
+ * this function could.
+ */
+export declare function normalizeIssuerURL(url: string): string;

package/dist/oauth/issuerURL.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeIssuerURL = normalizeIssuerURL;
+/**
+ * Canonicalizes an OIDC issuer URL for equivalence comparison. Two URLs
+ * that normalize to the same string refer to the same issuer, which is
+ * what `discoverOIDC` uses to build discovery URLs and what
+ * `KeyringTokenStore` uses to key keychain entries.
+ *
+ * Rules (per RFC 3986 §6.2 URI comparison):
+ * - Trailing slashes stripped from the path.
+ * - Scheme and authority (host + optional port) lowercased — both are
+ *   case-insensitive per the RFC.
+ * - Default ports (80 for http, 443 for https) collapsed via `URL.host`.
+ * - Path preserved case-sensitively.
+ * - Query string and fragment dropped: OIDC issuers are defined by
+ *   scheme + authority + path, and carrying them through would break
+ *   downstream path concatenation (e.g. appending
+ *   `/.well-known/openid-configuration`).
+ *
+ * If the input is not a parseable URL, the function trims trailing
+ * slashes and returns — discovery will surface a clearer error than
+ * this function could.
+ */
+function normalizeIssuerURL(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        return url.replace(/\/+$/, "");
+    }
+    // `URL.protocol` is already lowercased by the URL parser.
+    // `URL.host` retains input casing, so lowercase it explicitly.
+    const host = parsed.host.toLowerCase();
+    const pathname = parsed.pathname.replace(/\/+$/, "");
+    return `${parsed.protocol}//${host}${pathname}`;
+}

package/dist/oauth/logo.generated.d.ts

@@ -0,0 +1 @@
+export declare const LOGO_PNG_BASE64 = "iVBORw0KGgoAAAANSUhEUgAAALQAAAC0CAYAAAA9zQYyAAAgAElEQVR4nO2df4wd13XfP2dBEIRAEKpKEIKqCISgEo7gOKqqKPsYpXEE1b8i/4rtWo6jJP7RuLHqtq7gt0kdwXANp9jn2Ibr2IkTJc4PO45l2bUMNZV/xHZcRW+jyI4iCKoqCASjCgShCiyhEARBEHv6x7x755wz9y13982bt+R7X2D3zdy5c+fMne+ce865P0ZY4OJHf7gXkX9AFSQlCqDVr2qdV0YZVKttZZSPkEdBZVReOi7mPE1Jn2O1d/s0bquEpa4utMAsYQim6U8DT6VxSk1KqX/Te5A2dERs94Kkc6TxLkwbC0LPCxLB8naCmvSUlLRvIqnR7ApIeiswJFdcpqTZw3sybezq9nILzA7ZBKgh4VjWrliTwaeJ+HOcGWNNl/Yk3woWhJ4bWGbatFKSeJKKIbolf8xDIU/HNsfC5JgLaNMk2CBrZXJoyFpIU6vZNaSlcyaTfKtYEHouYO3htA9FthlTu9oPtoMleHQcG5ER6dz0WBB6LhCiFWPzRBtYg8YlEF58mRJNmI7VMwsbek4gxuRITpyNPwcil3iYNLDajNTlNdK7t59hQej5gViibZDm0kdIpkTudMH4mOklscdmR+oFoecG6oMcasjmzOtkC9enNezv7OyFnkEJhXWvoBc29FzBak5J+8budd3iZlsDma1TmX/dG1D/LTpWFpgOpNaqjbhxodvbEl0DwZ0mDmZIo5xusdDQc4XUjZ1IaGLHGvbtr1W+NkZNLAdfdoyQdIAFoecJ0bGzv04rh18bvsuDjoydncZzFB3DbrEg9LygGE8ORCwFJdxoOnu++LxWw1uid4wFoecFpVBcA4WBRpn0+BCz/cUcj13fHWNB6LlDIJnrXCmN9Wio7HIeZ5KEXscOsSD0vMHGm+2vD0bj1W+JoCGcJ1GFF8yUDrAg9DzBDR4qoUTAcfZGKjNeY0x6R1gQel5gQ3GpMyQed2G8MYxUo61dD6I5lkbbNaZ5TR+LjpV5QSPisMH4jbEOZNDSbgZLPK9kj08fC0LPK0o9e+PSi0SN2zsDC0LPC6w21QJrC8M16omuEoIgYXx1XAYh7y6Gjy4wdYTOjwSJeYRqdreU7elMfDvKjmCGjDl3ilgQei5QGK+cyAh+KCngbGWbPxPYsD8tNpO0uX0z3IzwbrCIcswFRoxLBFOttW9x/EaMiNhigrMnptxG9GQRh15gaogRikIkw2neUd4cejMhuDgVKy/9FQc/LWzoBaYCrQkKzbCctYFTgriDzeOm6KINndI6tqEXGnouIIZkFrFzpc5ep51nXEZjwJI1Wejc6lgQel4Qe+3O14sXNaszNzTkCeZI6byOsDA55gKBeNlESPvGJLGEbKxlFyIYLr89L7UG3Uc5FoSeC5jQWiNqgSHgKNF1osTtMQFs25kiNu/Chl5gGsgDh6zJMPqXQnlq0pw9rWNscEK+0YbraewWCw09NxgxLIfYNjGwKK5bl3oPbcQkmy1mP5k0MxjqsdDQ84LcK5iILF5TWyexMTaj4PyNnflCZcLMYMY3LDT0HEHMjyU1tUbVoG3tb9bQo+KyqVGwqWdkbsCC0PMDG5VoEM50g1vnMZIykpm4bw1qc60OsSD03MAwteTIhSz+OL6rvKGl7X5B63eIBaHnBZGsbvV9ahu7uFhj2g6OXt4O5khOo3MNvXAK5wYhCO2GhFL9U6OaXSSD8WE7B6P9XXndYUHouUGyj0O0IzmJoyz5t7QcmPtNu6HH0JXXvWe4IPS8IY53jpo4p1syJm2u9S8b/DZ6D7vDwoaeC1ii2RhzIVvWzmPGdMRFGsdeTxZd3wtME86eqLe1kCXu5O+rmJDfhtGLGXQRjrDQ0HMBYwJE7bop7sVu8o2y6gaae/pYaOi5gRacNB1jEWhz23aejD0nknlc3ulhQei5QIpEhEFHabZ3HmU3+rXhNpXysWSCqMmX8thzFz2FC7SP0EvS+GqVOeYG5ZvRdWLylD5in7vO7XiQRdhugakidkWbzpXcY5g0edK4drBRiE3b8xJKkwU6xILQcwFjM0j4hTB2wx7TWuOOKy/lt93gQWl3iYXJMRcwXdkuppz+Rfs3js1Ql9ywsdPB+GXaxcpJC0wNWfsmR9AOQDKa2i02o/guclOWmHQXPRF/rY5NjoWGnjuYUXX218I6gKWexajlo8lhExYmxwWE/nAJuARkH+gBIP3tB/4RsBdkd1jF8wzwD8BJkOcQnkP1OPA8yAsIZ1ldXm9fWKOdXUdL3AfHwvOF3qwDGEf0zQALQm8W/bUlYC9wJegNCP8M5VrgIMJ+lL2I7G4+1KDhssOU86wjchblBdDngCOsrD0BfB/VR4DnQE4zWJ5A+IK2zd3Y0iR1dgxNGM7JHEkb9mfYW7gg9Dj010B0N8o1wM0IPw1cD1yFytJY27AxBtg0vVrQYsoSsKf6kwPAi1F9zYgQ50CeBn2Y/vAvEPku6DFUzzE4vMUb0lo2F2em1sI2POccwILmjWNAZtzlnbAgdERlRlwP+gbgVpAXge5ySs4+QLvqpo0apDwJjuiFUFhcRqAqdxfoi0Yy/AKqZ4AfgNxHf/gV4GkGvU3clJGtscKokdkN/9TtymzK7r5jZUFogP4Q4CBwG3A78CJgqRjWiloswS0PMEpzJgamDPEPPH7ywebN5QiI7gEOgxxG9cOIrLGy9keofhWR51ndwCxJZVg72dm/aTPa0xPLPF6mKWC+Cd0f7gYOA78CvAKRfW6IZCZkwaES8+RiXosYy83a3SQ31mZOITGjOR1hFIRdqN40kv/DKPewMvw94HFWewWnckxMOJkUOWRnO1takrlDzCehV9b2oPoy4E5guYpEjI7FYZXuodhjEpLFpJ/H2z+PT9VwvvLYCwlEE6j6Eg6A/luUXwIeoD/8OMLDrPbOjb2Iu4QUDrQlc7m4aWG+CN0f7gZ5GfBrwI3ArnqyaLCJXdNq7WIqLeScJRMxQD0B7ddbMxnjPnUahWtZ1eia9HAN0b2ovBH0VpQH6A8/jMgPXE/1+WROaEvmjs3o+SD0ytoSqtcBHwZuIRE5IT/Y0U5Da5ndTGabpfACFDW9IUbpSafrOtscYw4UynIZcxl7UH0dIregeg/wUd+6hMvHTpbGhNdJZF7Y0O1hZQ1gP6p3Af8mmxaN8QyMMTHwickZFLOdYDsgGt4/9YPP2iy+FM3LubI2Wqs526zxWuxF5O0obxxT+JjrtylzIe8UcfESemW4hOrPIvJR4Kqcnolhm15DWDHpWbmUHmRohq0yyrwzjpJtAeK1nONp4PhrZTXnaLiHLLczEfY5YmLKa7Q26dotytwhLs7BSf21y0H+CPgCcFVmXGoGnXYd7XvNRtZIpbitJYxNt6eTrqWe9JYjlkylgTyxGbfXTMSyMscvUTWEiteIZog52JbMCxt6AlTx5FtAP4VyqNZSI20zdqayhIdasFftFCPrFGZNN8ocB9CDb8LdoolWi1KXb6+bTZxQbqM1EV++c/TCBbL2NPfsXowWZV6YHNtEFVP+D8BdCHsbNSl2wzyBGPgv2axjR6SZHdeiS8gYy4qMKJVZKMZulK5vX8yS7LEMtzuqi4Z504bM3eHiIPTK2mXAJ1B+DrFmlG038Z561sjpoQUtVCKx1VA57KVjiGK1eJCnMYLNksVs24FD+VbicXtOQfs25MfkizKn60W7YUKZO8SFTeiVNVC9CtXPI3KT55NtHo1tWTQpoFHzthnNZDLaMTpTDXNGymXH5bIaD9ySlybx7Ms0TnYIfDPO5EaIpkYrMi+cwq3gJcA3QW5yFTfWUbEaSmtyuDxjHprNa23E7FCmJlv89Zyyk5pYsbyGYozaVmtixTEjJfldun0Rw0nOv1AaL+akMneMC5fQ/eFhVP8HyKG6WcRrB/txHMWQbfSQxKRlZWIfavh1a1SYkzK57f7oOpZ42TxQI2O4L7XHrSzBDNJERlNmyVOzJoRbKTS9jNEsEnf6xDJ3jAvT5FgZvhT4IioHGq2a3Y/d2jlDgtJ0mswDdSaGOdX1pInPm7RdyRmL3ymxsITKZkXJNDL3VjrP3mZuOeJ1gowN82lKMneAC4vQ/TVAD6PyJYT9ZMdLapK58BXUBHVPqaBtrJoe/eZNs9+wh8OxVMQ4c6bR7Jvyc/GF5j1q0ZIWTGVnmY2MkaCN4q05gy9/Epk7xoVD6Kob+3qQL6PsrxIlPGSMhrIPOhxzJEgHgqaNRLHlO40c5EjHcroxh6w8mPxRs+V7iyq3UEZ8yaLmtiQ7n8yl+51Y5m5JfeHY0KqHUP0iqpeXm7JkFxYq0Iarxp5qbOFcVsiXyhB7IkHDmbz5eRbOsTLHkW6wOS4kmdPfWNiDI9u7YYY0Cm9H5o6V9IVB6P5wP8LnEbmmWPnWuy6OLQhpan9Hmsp2IiQzRmL+kYljncuo/UpoxLpNuaUBP64liWZLKZ85qOE3v8hW5gIZ8/la32cbMm/4orWPnW9yVIPxfx+4obZrk11oyaTefkwPsjFpVev8cfSa1XjONh7tR4JX116nmrH9DCLPgB5DeQ74f4icQqhmj6juAvaB/mPgAMoVwJWoXonIXmDJy2/s/PxTaOYb3ctB5nFq05Vjjufhr4mU9r5tK0a9vaHM3WJnE3plCHAXyK1AsGGD5ojDQYtNn61oCQ8+pZmHbR2furxzwNOgayj/E3gE5ChwGlgH1s87cbUac7KEsAvlEpSrgBcD/xzlRoRrgcuaI+nEaz23hG2J7OlftH+t9jXlFOvGIuSzLZeVz8rSscmxswmtvA70P5JMo6xZqZ+TG+aIP4bZzmnhYHG8Mb7JVs4BjwNfBr0feIpJ1sqoCL8OnB39nQQeoz/8U6pnsh+V60BfDdyM6jWI7PL3l1qpcE+xFYkKOrdcNM/JeawJUyqQOq0xrrxgV3eIGTQKm0R/7SCif1U1zUZTFYkXK9Hki3ZcHI2WzZJAikrrnATuB34P5BEGy6encKfjUXXt7wVuAN4K3Apc3hjLXHoxbRjOvtRAY9xKnHply0nlj9O0VqMLoUwB9HMMerdPUg1bwc7U0NXIuU+CXNHUOKbCk4Zydl7IFzV2SrNmRkOr6wvAHwOfROTp6SzNtQlUyxKcAr5Lf/hd4AqQnwPuADkI1PdfQmmUnITj1slLDmHDuTbllPwIV+6Ya3WEnUfoyr58O8KtLr0YRYiVPMaEiA+xaJMA6DmUr4B8kMHyE5PeSquozJRjwG+ysnY3qu8G3guyv6mCN8IGoYeNRhhCs55LnVfO4e7YgGZnhu2uBj5U9/yxgYMiIY+15wr2cM4btE+lpZ5CeT0ib9lxZI5YXT7JoPcbwI8DX4NRJCWH5PC/jlvG4duIb7GlK9ateQa27OysjnMup4edRej+2i5gtdI6eMfPQU26mn2a25jtFI7yq9KvI3o30EPk/pmZF9vBoHeEasmy94Keru7d3LMoLsRm6yPXRUo2miOH7dL5aRvP4czlVG58Dtq52bGzCI2+CnhNVSkNo7ewL+ThjVZLF7VRsgvFaBA9ifIO4FdYXT6x4VJaOxWrvXMIvwW8FuWYa/7zPY9g5wA2hqCaenGdSyYNxrSYpjVIUFNeh9g5hF4Z7gM+gMhugI3nowXNDLXmhYIDaDROyoseAV6N8Id+haELEKu9dZBvAS9H9cm6HqKtRUGrEuoIc276kzpN9DzlmrLm1imswlM/j8h1gHE2Cg5M9n+S82E0kX0JGn6S89AfBd7CoPfklO6oe1Sty+P0hz+D8iVErm/E4BVvbtm0FMbDHAOvZZ3DTbkct/TBvJocymXAe1GtO1DiFHlL8mzzYdLCQ3E2o9R5lIdBXntRkdli0DsCvAHVxwGcc51+I8mUUG8Eh87Y07meR+k2mtF4Lt1jZxAa/Xng6sZY3Ng8Qk12MRnsIHYbWmqEk3gU9PUMlp+Zxl3sGAx6R4E3UY0vqdJc/UTbmuCzJJMhaNlGPVv1H8qegbkBO4HQ/bW9IHeCLPkxAaG9LI69Hf2W9iVUMjyNyOsZ9I5N61Z2FAa9J0FuR/VUo54sinUmY9JGeRuktttB+XSM2RJ6ZQ2E2xCu9G2i+gpMKDWfsVl04ae0qSdQfRNwdAp3sZPxIPB+VOtQZF0nNMyDXH3ZPCObeMV6jrspzfx2bIHMltCqu1C9A3Qpa+FM1mSvGfbKKD154NZOzu56w/Y7C7wLePSCDMtNgsHyOiK/i8gDzRfeaGFr4tklHxoDoKBRx24dDxv2Yyamx2wJLXIYeIl3JqJmFvOmpwcgRiskhw+vSarfdeC/Inxlc98iuQixunwG1TtRTjXqtjFPMBxzExmkzpPICvjvggfHfNwkgilidmG7as3mdyDGdrYj5Iru+AgCbqSZNbexZfAI8MHyJxqmiJUhKLsQlkb3sD66x3MzebFEnkT1t4BfrfZzuiexP6f6zREQYyvbVtTmawx2ks5JPTtCq+5HuLWhmBNizBObL4aY0jHDbOEUyr9n0DvVuuwR/eESwqWoLIPeAPJPQa+gmqGyBHKOaijqcfpr/wv0EZCHQU8x6OBlW12G/vAToG9HOOAN2+jkhVBc8POqNKtsUr6oYGYT6Zhlx8qrRvFn/PjdkKsUzHeDyk1tu65b/TTC2nREH6E/vAz4WeDNKDeB7nFaatw44+omR8NC174AfI3B8nRfvEHvOP3h76L8erP+7L5JE7tvsu7gj9fPhtDVtwDf4CsNsrOxmSnzltxWy1ckOgp8lNUpNO/9IYhcjvIe0HcCBxr3IXbDPNTUvFfJexG5lerFfpb+8FPA3Qx6J9oXOuOzwL8D9tU8NoKn/djjWsts8oVzS2biDDT0rJzCy4F6ccXY5Rod59JAJWs3JyLXNvhHEJ5rXer+cA/wy8DfAv+J6suv4x9clD35T3kpLqXqHdWrQFaBv6Y/vI3+cFqK5gjwjWpTKdu3BVI2ZTaOX8onNCpijoaP3oTIpW6aEOAcvOh8lNa9sHWfR4/pU4j8aavaub9WTQlDvoTIb8NobZDGIjLqH2B8mDYyk2eFpG1A5BqqLw/8Pv3h/tHiOu2hcki/ALpeE9DIbLXxZmQeJddlFJ5Rx1q6e0JXM1Je6dLcrAijASQSnqDNA2OqCvwMlQPWDlaGgC6Dfh3h1srJA/fw8thh8TJlBzblVb9fgrAbkV8Avgkcap3UIg+iHM/1G2XOUY0tyNx4CTpWywaz0NB7Qaoejhg2cs2W1GGfonMFPh4NwEmQz7XWgbKyBsotwH0gh7xcgovTWofJcsCOC44f4UmInKle8OtQvo7qS0bLObQEfb52lqWW2Ym1TZlnYTQHzILQB0GvylrAjZs1Gjlx2w1GMm1jnh1hoh/KV9EWbWfVGxG+iMgBf+10XavJDKltHmy+4PWrKcflz/bWQYT7UA61dk9VTP4vfPzYCDS5zDPl9SwIfT3CJVmr5T/12+Btu6z51J9Xe5broH+y7bUyIlbWDgJfRqUKLTp5tamdATfW2C6n5WQ1afbe8jUkph0E+SL94YF2bgxQeRA4l8k57p62L3P9nDpG94QWfjw3dVb75m1jT9fnhDzmvNocOUY1GGdy9PPyY1fma5RajPyXbOgkb3Kc1MvrvS+8Jo/3itX21wEfZWWtpeiHPovqMR+Kk3DNSWUOtnlH6JbQ/TVQrt84kyHzRhXiIiQK8A0GvbMTSpicwHcDNzeHTkZY+1L8QxR73MoK7uWwYyE2vAa3ofqvtnIrG+AkVQivQLxA5Ilk7t726FhD66XEr7p6pw7nAKrZcA6IKxNgHeHr7YjI1YisOFls86lWHvPbkNGcG0N7jX1jYpWuVWEX8KFR7+RkGPTWEZ4sytyYlTKBzHMwfPQK4NK8F/v74zJfsYvWKURn751G5ZGJpatCincCB+om11wTaHy8PsliZS4tzpKa4kyM+CYXysJkqdKvBvnlbd1bhPK/nczpt3HPE8rcsZLumNByBcglgHGw3HHqY0Z7xIpuvvXHgBamVclB4LZCupFLfLoW8owLLWZtnvJLoZxx19a0/R76w72bup2NccTJbH9LDvt2Zb6oNbRwtU/Q8W+wc1Lwpkgy8epzH2Ow3MJSBHobkqIa4Xrpt3bU/LFiyMo6k6ODUWvZXtKx18OedwXwuq3c1Rg8i+Vp6brtydwZuiW06g8VVXMmSSSFzSO4c32c9O8mlq2/tgd4czDo6z911wt5RkKL3Vezb2WOx+rTg0E7+gn7Vfz3rawMJ312J4AzDZnjXxsyd4iuNfQVfixAatqC05HNDWk6Kggu7ll53E9PLpxeAxyqn6W10Y2sjWbamhfmvHFlYGzwaLI0zjGEcByRm1DZN+ENnwbOODMq3mdbMneIjjX0aM06i+RUxP5/AReTjj1RdXO2jvLsxLKJLCNyieuVLIWsrHwl0yP3oIk5x2p1YWw4MppZ9ppZGwqgexGdrAdJOIPomSxz+nUriLYhc7foOmx3mSdu0sQbvNV26daGgwXAGdDJxxCr/ljDAYpOkRoBY0jPDuiJvZ5uW31LlMwZt5BOSk/a0d5vbqnOE88/H2Qd5YyrcPttw1Zl7g4dmxyyN7/9pRkqVquVKsI5KylNzyLywkRyrQxBeFF2glxLEK6fmuKiw2RaEztS0OaxA7DiUEznWNrWwJSVoPrD1YdItwnlHMiZhhq1crYi8/ZF3A66dgp3ew1daMJjBTVMDtM8VtrqLIyazu1jF1X0ADcvkUAk+xLm2xjlywSI9wSNcoTmCx3PteclkdJ1qnOvBN1+V3hV3rq/rpWzLZm7RXeEXhnuQtjt1J4lRuaPsacbg5TE56/ynqtIPQFUllDZVzuniTjpuAZZzLaV2ZkYYvI4zVqXX7q3fI+WGKNWIZlB1bn7kAmfX7pHZy61LXO3SrPDOYWBvblHDVMByVYTHFHs0Ew3ERbfDG8buhtkybUGtux03aDIahPE5G18ig1z3ugmSiLbtI3KqPf3kBa33BaMLBN/vH4DmbXbeatdXuwcytm6Ai0rgoOR4DSIOS8TSD3RJpENXfdfw1L8S2RetgQNeTNB0m2EFiYfDw7Ctj5ez1mQCZZAMNrWmRPBvJpU5uqzdZ2hu+ZgdZn8ADYioDumzWPJyarDS0tMfh/nqJYV8M5QMo/Sda0M2b5XI1eS2WgrN3w0FRvTtS7TG6iNTWNDv0D+tsoESDJbGW09TyqzMKl/syV0PTipXnsiVZqGBx/DCi6eC7VWyE39LmDPRFIJ6wjHm826evt5bBw6yhyaXndOQDSp8gtiHU3qusn1xXEmJrSznbxMbcmsTH+hH4OuewpPNhwK28Tl+jXaITbzTa96N6qXTCRXNS3p6fp61A/MaaB0SeP42UbE3ptN07DtGp6Q1/kP5riG/CpPTb7q0hj5nUM8scyThVS3iI7DdpzwdleyMYP9rP6k82zvASYfIwzfr+QK2snKOdamDciNidL4JkmjFUgbDdbQ+HyEz//9MVffHLSw78ZttCbz/51Izi2i657C47nZdBwJb7y1LlxnQtBWFa92A5PPt1MeQvWsf2ekftkamipqJeqHmf6yUytlAtnf9Pa4XlOhcWJV9lmEh7ZxlzXyC2KfhdS/7cl8fCI5t4iubej/U9vDxs60NrJQE95quqwRtaQFrplYMuFJ4Ih7meryy76P+x0J7Gzr1BoFjVfSbNkOtTIVWoGq3LWqtZsE5gYbvl2hZdmezOsInX4xoWtCH61+ApkzYVNaeMslsklMHgH44clFk1MgX6t304Ox9rwhbL6PyHzwzqOR2zlQ4k+zL0UD6QXOL/YXEZ1w/PeY60ShJpJZT6M8P5mcW0PXhH4G1SouaXsD49iN3JTbpmz0MNXs187XSyYa1wCjsKL+CSojr9w6q0bTNh6gNYnUyxxVuR0m24jrmny2lcoqMJ97AuVeVg9v7z4jnMxBzoll5gUucpPjGPBCUZu5IaRBI7h86bjYJvEQaBuO4ROg92cZog2fBbAvmj0kzfxuYkC8n/gCGHu9dP9V3j9m0GtvMZ2SzHbczGQyH5t44NgW0TWhnxv9mWYcowGtoxWcMUbp6Tc5W9V5lwIvnli6QW8d5L+A+XyDdfxKy2NZfjecpnRPDUPTlFMw0oXaKfNlPofIR7d/gwVEszintyLz411/16ZbQldx08dcWuyEsDZqfuvHOSPJDNFdwEtbkVF4HNVP1wJgnms0PYLMzqwnyWblJD/xfG+2jHANsWXrOvBhaGEyQ4aR2TKxLZnRv21P1s1hFisn/U29k+yzQNg4hrjs6pNrr3ohXjlaSH0yrC5XxFEe871ehKZ5jEzOIknnOznDvUU02MKohfgWIne3q/GsGWe1rTCxzMo54ActCrspdE9o5eFqyCfkptzFmtNfcADTsfG4HjjYiowiL4C+DTUzYVxTKj4taTi7bffjjJyCCdoYfpqPKShHgDtYXT7dyv1ZlORpQ2Z4HniqdXnPg1lo6CeB5xoRIghNmrFP3biBkD+XK7sR3tjKesqryyDyA+BdoKedrEptAhlF5rSdBG1n/QVrUpnTqm2l0SogJ4C30cpE4DFI10vDeWFCmQF4ciR7p5jF6qMnEB7NlZTf8GjDYd52a8/Z/NTpVXjpdqqew8lRkfpeVN4DerooV0MzUd+P9QMaEwRMWiNsZjU7J1FuR/hea6uqJlgt7LYLdbw1mVP+77SzVsrW0D2hq4FA33S9gaUhllBwGMfYc2lf9VrQf9GerMuA/gHwi6AnfQsh3kGyMsdmJ2vtoAFzS5QKcuc+B/pq4M+nEimwPkFpdv12ZK7nPq6DfKN9oc+PWX1j5QEkDPx2dltyFE2FleLBtqmv8iwB7231ozuDXqWpkZ9GQ4TGEteZHklmmuaH/c33YM6ttPuDoD2UB1vXzBHOXIpO4SZldtvZ5n9iilKPxYwILUdzFCE20anNEldro0OxCTTbeUduIX3yoi2sLoPqo8BPofqbIKdrOaLHRMPIbNMAAAtGSURBVG3zJ5mzaaJjZM7N/Ang/cDLGfSO8JGOvzprHcJNy2x3801/G7TTDpWEWWnoM1SfWvCarUQEy14ZpW/08XphN+j7WVlrx5ZO+EgPBr2TiKyA/iTovbVtbeRwA6mSaFKbIiWZ4QVU7wZ+AuQ3GPTaj2ZsBDubu42P18OXZvVt9diOd4f+8EUgfwfszhWSCW3MDdslnrcLtptbFVTPAW8Cvjq1iu0/tATyYuB24DXAQUR2u3EQtTxGVtL9nKGaVPAV4POIPD2KgXeDlbU9qH4fkWsbM1DcM8BXd+Sua5wUqoXUf7STT1IXMMNPI8vToA8h8lKnlRukLp2KIbA2H4TILlQ/BHwPJh1mOQaDw1Wv58ra+1D9IHAt6GGEH0P1ENXHRS8BlkDWK20uz6I8CfI3oGvAEwx6nc65c3CzcgrHwJiEgdxQP6+UryrvK0i3064sZqeh37cGwi8hfNbFP5NjZKdm2WPWdrNaQoIaqQj/MUTvnMonkjfCyhqoLoHsQVlCOAd6FpH1rsc2jEV/bQ/C91Gu9SyIqpia9BLyNJ/NOZQfZdCbiUMIs9TQH1mG/vBelFVEDjg7ziISW/FawVW88cirzXejfBN4YCr3MA4VadepVvjcmRDM2na2PtNGJDCG69ZRd7bHd5lRdCNhVk5hBZFTiPyBSfCEhbrJa8Socxn1TnJeao7vAfkMK2tXsYCHApI+kTxCDjMSbGTxikZM3tqpXwc+OctGH2ZN6NVlUD6DmhBP0sLOqY61iW8Zk6NVT/G32a8CPsvKcLKZ4RcjdFxiJDl19Cb2FNZa/XGQB6YeNz8PZktoAOEoyJ9VO8bBi85HNElCoCNratsdnWOoejPKx+kP2w3lXejIA/ZH+yVtrDZd6nr2mnwd5BMMljtdJamE2RO6sjc/gUj1wflJPl6f8tp5frWGfydwF/22Pl55gSObZ+LrMUc1Ut2n7aI6H52jT4DeMy1Rt4LZExoAfQLVPzMGWfW79Y/XF/bT+bIE/CrQX5A6QbyT5yJNqZ5tk2iQ61nXgdVZxZ0jdgahq86PVdB6epZzPKTWKIx+Sx+vtzO1c770sBSEXaAfBL2LlRbHe1yIsGaGjWZs9eP1ysMI93Yl9vmwMwhd4SjwcaDpcDhtrLV2iJ0COuYcRtuVRtqF8Oson2Jlbb4dxWTW5Xo1HS2ufkNYL9Vt1dv5flZn2DkUsHMIXWnp30H1sWKIzmlro7XjTHGrUYIFY3q8lhDeieqX6Q+vmHgJhAsVduyMC8FpXcfeY8TVs3IPIt/rVObzYOcQusJJ4NdIawpv5eP1aXZ1jKPmPOa3enJLiLwC+A7ozays7bS66AZ+OQjqCEZwyK1SqbTzcdAPsNr9IP6NsLMeYjX2+Buofg4ohN/q3RpK6K2qf+OcNzcrI8etDyHch+oH6Q8vZa4Q69XGmMXXv99fB+4COdqltJvBbLt1xqE/PAAMEak+paxBWyQkC6LRLW48HR39a0wQKED1MYT3ozzAoLdzNE//IUD2AbsY9NoZbLWytgv4K5QbGyxwPbOWzKkl1PuB1++oOhphZ2noDHkOuANGq4HG6VkNSyQ6LhLyRKcmdCbUDtBLQP4bcB/94Q2tLIswKfpDqCYsfB24rsWSR2M5KLR84uvFzx88DtyxE8kMO5XQVffpAygfGy2wgo9F48NNtrewkbZBvqTZxeXbhcirEPlr4L/TH75q9B3wbrGytkR/eCPVWOm/RLix9WuU6ir95vqwYVPOoryLQe+Z1mVpCTs3FjvoQX/4IZQbEG7xHjfBWLIMj+o7HjO/acKAFPMuIbwCeBmqT9Ef3oNwH/A4q73pdPGuDEG5EngF8IvAMtUnN6CN76mUkOP7pbqjJjWsg34MuH8qcrSEnWlDW6ysHQS+juqh5rDR0IHiWkZTRnNGS03mRhnjylWo4q5HEL4N/CXK48AzIKe3PChnZQ3QJZTLgGsQDqO8HLgBuKwwU2cd+JcMet/e2oXGXn8J+A5KNUvevcvmvusQ3ddA3sJgCovdtIidT2iA/vAwcB/C/g1FtlwsHoiaKNou9pSNHMnkKOkp4HmQI6BPI/L3oMdRToCcAj1rXo5LEPaBXIbyT4CDoIeAq6gIXBg45V6udXRKhLZfzy051uijwM+w2ut08fLtYOeaHBbKQwh3AJ9FafbuuQ6WhmYxeaBOSNvBm88RkRC2yhrLhP6EvSh7gYPAzd58AapmOgmw5Af9BMc1v0BqRJFC69ImgomRv8foBHsGuJ3Bzicz7FSnMOIjPUDuReV9iJ7znSY2pBdtYjbYNs6Om91sNLiUzhc2//F6WULSn7muzZc7MvDXtRcufZqiDaSIkIVznPUEwlsQHp/C1aeCC4PQAIPldeB3gLuAdb+afomA1oG09mjK44xs82LYMkP825bhOh3UENsSMchie91K47ubAeHGrbQOd10n5yngzSAPdT4ncwJcOISGitTKgGoxlnPZLIgxZcB9ySn3fKV9w3x3TraNvUnQmKGh4dzROela+Rr4bVuWc3DxssVrbKZTaFuw9ePu7yTKG0C+tWMm9W4SFxahIS2aPkC5Cxl9O9wiRjswWlEIJoIajW2a/mwviy8nx69N+TavNVlKpk56YUoEFbwsSY5pkdktiONMn+dR3orwjQuNzHAhEhqqRclFBqjeierprCGtQ+VUL0ZzYjSS+DT7m52j5JSpORbKtMds6x3n4SU73Y2ZsNcNmlIL12wXZ1yoDn0W4U0g01kgsgNcmISGROpPA28DPeGHOzoVPdqUpnOlUA9ot1oRc35yHK2mtxpN67T8Ikldpv1zsth0rcv0RnVjszVUl1o39/oE8GqU7856ouskuHAJDenzEfcAr0X1qLNNLdkcDHmiQ9QwX6wmJZDSnhPsi2l8vH4aqH2ENao486OzWpOuLVzYhIaqi3zQexD4SeB7fuijdexopqV0G0rLyt2UEVllHb9YFgQnkKYMzoQIeRuyB7naxTqq9wCvZLB8dCpX6BgXPqETBr1ngZcDA9CzzUHrBK1aH8p2LLDjP17fHtaBDyHyFga9k62XPiNMs0GbDfprS6CvAPkkwtVFzWYdtwaMuWDDZzm8MabK8osRzJK4GmmMkmhISwk5LcnTctf3RYqLR0MnDJbXEf4c9KdQ/cNKW4+OJds0Q2lo7kh2d24hLf8aImbtnWxvbV638TaF6+fzgjwLbIiLj9AAq73KBBH+NfCmaiEUqENko+04dsJip328/uJrS6eCi5PQCau9cwx6XwP5CeADKM83TYcY7Qi/LsqhNElnnTqTd1xZOfYdVK51AJOpYp3ShYbeFC5uQicMlk+i/GegB9xN4xspGIKZ3xwBsXAGrydaqWcvd5aEUF5uHQphkvTONMKEC5wP81lN/eG1wJ2I3AZc0nDMNrJbx+WLDp6t2XH7G/mbUdG3PcD/IsV8aOiIQe8JkHeg+iOofgw4Doxx3gihNYzpgTmuBWJqHbrL2jhtU3Y0nSMZyl7gvJhPQkM1EXfQOwJyJ+iPoPou4EEYzYTOXdej/NEEGBdQdhaJtc+NObJhD2CD4YVrLTAOi5qyWBnuRrkWeAPwGpBDCNWM72geRLiZJUlbm8xuTLUhdDY/gr2SN3P6Ig69CSwIXUL10Z89wLXALcDLEV4Msh9lKZM31t6mbOcxzmaeadNIPwscAx4C3s+gd3Sym7u4sSD0ZlAR/ADVdwlvBHqg1wJXgOymMTfTaujRPjBWvVfZ1oFzKKeAowiPojIEfQR4eqesv7zTsSD0dlF9T3w/yNWgB4GDID8EejnIftB9IHsRHU3qFagGA50GTiFyAngeOAb69yhHqT5a+QzwwmgiwwJbxP8Hm/uj5T1hsjYAAAAASUVORK5CYII=";

package/dist/oauth/logo.generated.js

@@ -0,0 +1,7 @@
+"use strict";
+// Generated by scripts/encode-logo.js — do not edit by hand.
+// Source: assets/logo.png
+// To regenerate: node scripts/encode-logo.js
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LOGO_PNG_BASE64 = void 0;
+exports.LOGO_PNG_BASE64 = "iVBORw0KGgoAAAANSUhEUgAAALQAAAC0CAYAAAA9zQYyAAAgAElEQVR4nO2df4wd13XfP2dBEIRAEKpKEIKqCISgEo7gOKqqKPsYpXEE1b8i/4rtWo6jJP7RuLHqtq7gt0kdwXANp9jn2Ibr2IkTJc4PO45l2bUMNZV/xHZcRW+jyI4iCKoqCASjCgShCiyhEARBEHv6x7x755wz9y13982bt+R7X2D3zdy5c+fMne+ce865P0ZY4OJHf7gXkX9AFSQlCqDVr2qdV0YZVKttZZSPkEdBZVReOi7mPE1Jn2O1d/s0bquEpa4utMAsYQim6U8DT6VxSk1KqX/Te5A2dERs94Kkc6TxLkwbC0LPCxLB8naCmvSUlLRvIqnR7ApIeiswJFdcpqTZw3sybezq9nILzA7ZBKgh4VjWrliTwaeJ+HOcGWNNl/Yk3woWhJ4bWGbatFKSeJKKIbolf8xDIU/HNsfC5JgLaNMk2CBrZXJoyFpIU6vZNaSlcyaTfKtYEHouYO3htA9FthlTu9oPtoMleHQcG5ER6dz0WBB6LhCiFWPzRBtYg8YlEF58mRJNmI7VMwsbek4gxuRITpyNPwcil3iYNLDajNTlNdK7t59hQej5gViibZDm0kdIpkTudMH4mOklscdmR+oFoecG6oMcasjmzOtkC9enNezv7OyFnkEJhXWvoBc29FzBak5J+8budd3iZlsDma1TmX/dG1D/LTpWFpgOpNaqjbhxodvbEl0DwZ0mDmZIo5xusdDQc4XUjZ1IaGLHGvbtr1W+NkZNLAdfdoyQdIAFoecJ0bGzv04rh18bvsuDjoydncZzFB3DbrEg9LygGE8ORCwFJdxoOnu++LxWw1uid4wFoecFpVBcA4WBRpn0+BCz/cUcj13fHWNB6LlDIJnrXCmN9Wio7HIeZ5KEXscOsSD0vMHGm+2vD0bj1W+JoCGcJ1GFF8yUDrAg9DzBDR4qoUTAcfZGKjNeY0x6R1gQel5gQ3GpMyQed2G8MYxUo61dD6I5lkbbNaZ5TR+LjpV5QSPisMH4jbEOZNDSbgZLPK9kj08fC0LPK0o9e+PSi0SN2zsDC0LPC6w21QJrC8M16omuEoIgYXx1XAYh7y6Gjy4wdYTOjwSJeYRqdreU7elMfDvKjmCGjDl3ilgQei5QGK+cyAh+KCngbGWbPxPYsD8tNpO0uX0z3IzwbrCIcswFRoxLBFOttW9x/EaMiNhigrMnptxG9GQRh15gaogRikIkw2neUd4cejMhuDgVKy/9FQc/LWzoBaYCrQkKzbCctYFTgriDzeOm6KINndI6tqEXGnouIIZkFrFzpc5ep51nXEZjwJI1Wejc6lgQel4Qe+3O14sXNaszNzTkCeZI6byOsDA55gKBeNlESPvGJLGEbKxlFyIYLr89L7UG3Uc5FoSeC5jQWiNqgSHgKNF1osTtMQFs25kiNu/Chl5gGsgDh6zJMPqXQnlq0pw9rWNscEK+0YbraewWCw09NxgxLIfYNjGwKK5bl3oPbcQkmy1mP5k0MxjqsdDQ84LcK5iILF5TWyexMTaj4PyNnflCZcLMYMY3LDT0HEHMjyU1tUbVoG3tb9bQo+KyqVGwqWdkbsCC0PMDG5VoEM50g1vnMZIykpm4bw1qc60OsSD03MAwteTIhSz+OL6rvKGl7X5B63eIBaHnBZGsbvV9ahu7uFhj2g6OXt4O5khOo3MNvXAK5wYhCO2GhFL9U6OaXSSD8WE7B6P9XXndYUHouUGyj0O0IzmJoyz5t7QcmPtNu6HH0JXXvWe4IPS8IY53jpo4p1syJm2u9S8b/DZ6D7vDwoaeC1ii2RhzIVvWzmPGdMRFGsdeTxZd3wtME86eqLe1kCXu5O+rmJDfhtGLGXQRjrDQ0HMBYwJE7bop7sVu8o2y6gaae/pYaOi5gRacNB1jEWhz23aejD0nknlc3ulhQei5QIpEhEFHabZ3HmU3+rXhNpXysWSCqMmX8thzFz2FC7SP0EvS+GqVOeYG5ZvRdWLylD5in7vO7XiQRdhugakidkWbzpXcY5g0edK4drBRiE3b8xJKkwU6xILQcwFjM0j4hTB2wx7TWuOOKy/lt93gQWl3iYXJMRcwXdkuppz+Rfs3js1Ql9ywsdPB+GXaxcpJC0wNWfsmR9AOQDKa2i02o/guclOWmHQXPRF/rY5NjoWGnjuYUXX218I6gKWexajlo8lhExYmxwWE/nAJuARkH+gBIP3tB/4RsBdkd1jF8wzwD8BJkOcQnkP1OPA8yAsIZ1ldXm9fWKOdXUdL3AfHwvOF3qwDGEf0zQALQm8W/bUlYC9wJegNCP8M5VrgIMJ+lL2I7G4+1KDhssOU86wjchblBdDngCOsrD0BfB/VR4DnQE4zWJ5A+IK2zd3Y0iR1dgxNGM7JHEkb9mfYW7gg9Dj010B0N8o1wM0IPw1cD1yFytJY27AxBtg0vVrQYsoSsKf6kwPAi1F9zYgQ50CeBn2Y/vAvEPku6DFUzzE4vMUb0lo2F2em1sI2POccwILmjWNAZtzlnbAgdERlRlwP+gbgVpAXge5ySs4+QLvqpo0apDwJjuiFUFhcRqAqdxfoi0Yy/AKqZ4AfgNxHf/gV4GkGvU3clJGtscKokdkN/9TtymzK7r5jZUFogP4Q4CBwG3A78CJgqRjWiloswS0PMEpzJgamDPEPPH7ywebN5QiI7gEOgxxG9cOIrLGy9keofhWR51ndwCxJZVg72dm/aTPa0xPLPF6mKWC+Cd0f7gYOA78CvAKRfW6IZCZkwaES8+RiXosYy83a3SQ31mZOITGjOR1hFIRdqN40kv/DKPewMvw94HFWewWnckxMOJkUOWRnO1takrlDzCehV9b2oPoy4E5guYpEjI7FYZXuodhjEpLFpJ/H2z+PT9VwvvLYCwlEE6j6Eg6A/luUXwIeoD/8OMLDrPbOjb2Iu4QUDrQlc7m4aWG+CN0f7gZ5GfBrwI3ArnqyaLCJXdNq7WIqLeScJRMxQD0B7ddbMxnjPnUahWtZ1eia9HAN0b2ovBH0VpQH6A8/jMgPXE/1+WROaEvmjs3o+SD0ytoSqtcBHwZuIRE5IT/Y0U5Da5ndTGabpfACFDW9IUbpSafrOtscYw4UynIZcxl7UH0dIregeg/wUd+6hMvHTpbGhNdJZF7Y0O1hZQ1gP6p3Af8mmxaN8QyMMTHwickZFLOdYDsgGt4/9YPP2iy+FM3LubI2Wqs526zxWuxF5O0obxxT+JjrtylzIe8UcfESemW4hOrPIvJR4Kqcnolhm15DWDHpWbmUHmRohq0yyrwzjpJtAeK1nONp4PhrZTXnaLiHLLczEfY5YmLKa7Q26dotytwhLs7BSf21y0H+CPgCcFVmXGoGnXYd7XvNRtZIpbitJYxNt6eTrqWe9JYjlkylgTyxGbfXTMSyMscvUTWEiteIZog52JbMCxt6AlTx5FtAP4VyqNZSI20zdqayhIdasFftFCPrFGZNN8ocB9CDb8LdoolWi1KXb6+bTZxQbqM1EV++c/TCBbL2NPfsXowWZV6YHNtEFVP+D8BdCHsbNSl2wzyBGPgv2axjR6SZHdeiS8gYy4qMKJVZKMZulK5vX8yS7LEMtzuqi4Z504bM3eHiIPTK2mXAJ1B+DrFmlG038Z561sjpoQUtVCKx1VA57KVjiGK1eJCnMYLNksVs24FD+VbicXtOQfs25MfkizKn60W7YUKZO8SFTeiVNVC9CtXPI3KT55NtHo1tWTQpoFHzthnNZDLaMTpTDXNGymXH5bIaD9ySlybx7Ms0TnYIfDPO5EaIpkYrMi+cwq3gJcA3QW5yFTfWUbEaSmtyuDxjHprNa23E7FCmJlv89Zyyk5pYsbyGYozaVmtixTEjJfldun0Rw0nOv1AaL+akMneMC5fQ/eFhVP8HyKG6WcRrB/txHMWQbfSQxKRlZWIfavh1a1SYkzK57f7oOpZ42TxQI2O4L7XHrSzBDNJERlNmyVOzJoRbKTS9jNEsEnf6xDJ3jAvT5FgZvhT4IioHGq2a3Y/d2jlDgtJ0mswDdSaGOdX1pInPm7RdyRmL3ymxsITKZkXJNDL3VjrP3mZuOeJ1gowN82lKMneAC4vQ/TVAD6PyJYT9ZMdLapK58BXUBHVPqaBtrJoe/eZNs9+wh8OxVMQ4c6bR7Jvyc/GF5j1q0ZIWTGVnmY2MkaCN4q05gy9/Epk7xoVD6Kob+3qQL6PsrxIlPGSMhrIPOhxzJEgHgqaNRLHlO40c5EjHcroxh6w8mPxRs+V7iyq3UEZ8yaLmtiQ7n8yl+51Y5m5JfeHY0KqHUP0iqpeXm7JkFxYq0Iarxp5qbOFcVsiXyhB7IkHDmbz5eRbOsTLHkW6wOS4kmdPfWNiDI9u7YYY0Cm9H5o6V9IVB6P5wP8LnEbmmWPnWuy6OLQhpan9Hmsp2IiQzRmL+kYljncuo/UpoxLpNuaUBP64liWZLKZ85qOE3v8hW5gIZ8/la32cbMm/4orWPnW9yVIPxfx+4obZrk11oyaTefkwPsjFpVev8cfSa1XjONh7tR4JX116nmrH9DCLPgB5DeQ74f4icQqhmj6juAvaB/mPgAMoVwJWoXonIXmDJy2/s/PxTaOYb3ctB5nFq05Vjjufhr4mU9r5tK0a9vaHM3WJnE3plCHAXyK1AsGGD5ojDQYtNn61oCQ8+pZmHbR2furxzwNOgayj/E3gE5ChwGlgH1s87cbUac7KEsAvlEpSrgBcD/xzlRoRrgcuaI+nEaz23hG2J7OlftH+t9jXlFOvGIuSzLZeVz8rSscmxswmtvA70P5JMo6xZqZ+TG+aIP4bZzmnhYHG8Mb7JVs4BjwNfBr0feIpJ1sqoCL8OnB39nQQeoz/8U6pnsh+V60BfDdyM6jWI7PL3l1qpcE+xFYkKOrdcNM/JeawJUyqQOq0xrrxgV3eIGTQKm0R/7SCif1U1zUZTFYkXK9Hki3ZcHI2WzZJAikrrnATuB34P5BEGy6encKfjUXXt7wVuAN4K3Apc3hjLXHoxbRjOvtRAY9xKnHply0nlj9O0VqMLoUwB9HMMerdPUg1bwc7U0NXIuU+CXNHUOKbCk4Zydl7IFzV2SrNmRkOr6wvAHwOfROTp6SzNtQlUyxKcAr5Lf/hd4AqQnwPuADkI1PdfQmmUnITj1slLDmHDuTbllPwIV+6Ya3WEnUfoyr58O8KtLr0YRYiVPMaEiA+xaJMA6DmUr4B8kMHyE5PeSquozJRjwG+ysnY3qu8G3guyv6mCN8IGoYeNRhhCs55LnVfO4e7YgGZnhu2uBj5U9/yxgYMiIY+15wr2cM4btE+lpZ5CeT0ib9lxZI5YXT7JoPcbwI8DX4NRJCWH5PC/jlvG4duIb7GlK9ateQa27OysjnMup4edRej+2i5gtdI6eMfPQU26mn2a25jtFI7yq9KvI3o30EPk/pmZF9vBoHeEasmy94Keru7d3LMoLsRm6yPXRUo2miOH7dL5aRvP4czlVG58Dtq52bGzCI2+CnhNVSkNo7ewL+ThjVZLF7VRsgvFaBA9ifIO4FdYXT6x4VJaOxWrvXMIvwW8FuWYa/7zPY9g5wA2hqCaenGdSyYNxrSYpjVIUFNeh9g5hF4Z7gM+gMhugI3nowXNDLXmhYIDaDROyoseAV6N8Id+haELEKu9dZBvAS9H9cm6HqKtRUGrEuoIc276kzpN9DzlmrLm1imswlM/j8h1gHE2Cg5M9n+S82E0kX0JGn6S89AfBd7CoPfklO6oe1Sty+P0hz+D8iVErm/E4BVvbtm0FMbDHAOvZZ3DTbkct/TBvJocymXAe1GtO1DiFHlL8mzzYdLCQ3E2o9R5lIdBXntRkdli0DsCvAHVxwGcc51+I8mUUG8Eh87Y07meR+k2mtF4Lt1jZxAa/Xng6sZY3Ng8Qk12MRnsIHYbWmqEk3gU9PUMlp+Zxl3sGAx6R4E3UY0vqdJc/UTbmuCzJJMhaNlGPVv1H8qegbkBO4HQ/bW9IHeCLPkxAaG9LI69Hf2W9iVUMjyNyOsZ9I5N61Z2FAa9J0FuR/VUo54sinUmY9JGeRuktttB+XSM2RJ6ZQ2E2xCu9G2i+gpMKDWfsVl04ae0qSdQfRNwdAp3sZPxIPB+VOtQZF0nNMyDXH3ZPCObeMV6jrspzfx2bIHMltCqu1C9A3Qpa+FM1mSvGfbKKD154NZOzu56w/Y7C7wLePSCDMtNgsHyOiK/i8gDzRfeaGFr4tklHxoDoKBRx24dDxv2Yyamx2wJLXIYeIl3JqJmFvOmpwcgRiskhw+vSarfdeC/Inxlc98iuQixunwG1TtRTjXqtjFPMBxzExmkzpPICvjvggfHfNwkgilidmG7as3mdyDGdrYj5Iru+AgCbqSZNbexZfAI8MHyJxqmiJUhKLsQlkb3sD66x3MzebFEnkT1t4BfrfZzuiexP6f6zREQYyvbVtTmawx2ks5JPTtCq+5HuLWhmBNizBObL4aY0jHDbOEUyr9n0DvVuuwR/eESwqWoLIPeAPJPQa+gmqGyBHKOaijqcfpr/wv0EZCHQU8x6OBlW12G/vAToG9HOOAN2+jkhVBc8POqNKtsUr6oYGYT6Zhlx8qrRvFn/PjdkKsUzHeDyk1tu65b/TTC2nREH6E/vAz4WeDNKDeB7nFaatw44+omR8NC174AfI3B8nRfvEHvOP3h76L8erP+7L5JE7tvsu7gj9fPhtDVtwDf4CsNsrOxmSnzltxWy1ckOgp8lNUpNO/9IYhcjvIe0HcCBxr3IXbDPNTUvFfJexG5lerFfpb+8FPA3Qx6J9oXOuOzwL8D9tU8NoKn/djjWsts8oVzS2biDDT0rJzCy4F6ccXY5Rod59JAJWs3JyLXNvhHEJ5rXer+cA/wy8DfAv+J6suv4x9clD35T3kpLqXqHdWrQFaBv6Y/vI3+cFqK5gjwjWpTKdu3BVI2ZTaOX8onNCpijoaP3oTIpW6aEOAcvOh8lNa9sHWfR4/pU4j8aavaub9WTQlDvoTIb8NobZDGIjLqH2B8mDYyk2eFpG1A5BqqLw/8Pv3h/tHiOu2hcki/ALpeE9DIbLXxZmQeJddlFJ5Rx1q6e0JXM1Je6dLcrAijASQSnqDNA2OqCvwMlQPWDlaGgC6Dfh3h1srJA/fw8thh8TJlBzblVb9fgrAbkV8Avgkcap3UIg+iHM/1G2XOUY0tyNx4CTpWywaz0NB7Qaoejhg2cs2W1GGfonMFPh4NwEmQz7XWgbKyBsotwH0gh7xcgovTWofJcsCOC44f4UmInKle8OtQvo7qS0bLObQEfb52lqWW2Ym1TZlnYTQHzILQB0GvylrAjZs1Gjlx2w1GMm1jnh1hoh/KV9EWbWfVGxG+iMgBf+10XavJDKltHmy+4PWrKcflz/bWQYT7UA61dk9VTP4vfPzYCDS5zDPl9SwIfT3CJVmr5T/12+Btu6z51J9Xe5broH+y7bUyIlbWDgJfRqUKLTp5tamdATfW2C6n5WQ1afbe8jUkph0E+SL94YF2bgxQeRA4l8k57p62L3P9nDpG94QWfjw3dVb75m1jT9fnhDzmvNocOUY1GGdy9PPyY1fma5RajPyXbOgkb3Kc1MvrvS+8Jo/3itX21wEfZWWtpeiHPovqMR+Kk3DNSWUOtnlH6JbQ/TVQrt84kyHzRhXiIiQK8A0GvbMTSpicwHcDNzeHTkZY+1L8QxR73MoK7uWwYyE2vAa3ofqvtnIrG+AkVQivQLxA5Ilk7t726FhD66XEr7p6pw7nAKrZcA6IKxNgHeHr7YjI1YisOFls86lWHvPbkNGcG0N7jX1jYpWuVWEX8KFR7+RkGPTWEZ4sytyYlTKBzHMwfPQK4NK8F/v74zJfsYvWKURn751G5ZGJpatCincCB+om11wTaHy8PsliZS4tzpKa4kyM+CYXysJkqdKvBvnlbd1bhPK/nczpt3HPE8rcsZLumNByBcglgHGw3HHqY0Z7xIpuvvXHgBamVclB4LZCupFLfLoW8owLLWZtnvJLoZxx19a0/R76w72bup2NccTJbH9LDvt2Zb6oNbRwtU/Q8W+wc1Lwpkgy8epzH2Ow3MJSBHobkqIa4Xrpt3bU/LFiyMo6k6ODUWvZXtKx18OedwXwuq3c1Rg8i+Vp6brtydwZuiW06g8VVXMmSSSFzSO4c32c9O8mlq2/tgd4czDo6z911wt5RkKL3Vezb2WOx+rTg0E7+gn7Vfz3rawMJ312J4AzDZnjXxsyd4iuNfQVfixAatqC05HNDWk6Kggu7ll53E9PLpxeAxyqn6W10Y2sjWbamhfmvHFlYGzwaLI0zjGEcByRm1DZN+ENnwbOODMq3mdbMneIjjX0aM06i+RUxP5/AReTjj1RdXO2jvLsxLKJLCNyieuVLIWsrHwl0yP3oIk5x2p1YWw4MppZ9ppZGwqgexGdrAdJOIPomSxz+nUriLYhc7foOmx3mSdu0sQbvNV26daGgwXAGdDJxxCr/ljDAYpOkRoBY0jPDuiJvZ5uW31LlMwZt5BOSk/a0d5vbqnOE88/H2Qd5YyrcPttw1Zl7g4dmxyyN7/9pRkqVquVKsI5KylNzyLywkRyrQxBeFF2glxLEK6fmuKiw2RaEztS0OaxA7DiUEznWNrWwJSVoPrD1YdItwnlHMiZhhq1crYi8/ZF3A66dgp3ew1daMJjBTVMDtM8VtrqLIyazu1jF1X0ADcvkUAk+xLm2xjlywSI9wSNcoTmCx3PteclkdJ1qnOvBN1+V3hV3rq/rpWzLZm7RXeEXhnuQtjt1J4lRuaPsacbg5TE56/ynqtIPQFUllDZVzuniTjpuAZZzLaV2ZkYYvI4zVqXX7q3fI+WGKNWIZlB1bn7kAmfX7pHZy61LXO3SrPDOYWBvblHDVMByVYTHFHs0Ew3ERbfDG8buhtkybUGtux03aDIahPE5G18ig1z3ugmSiLbtI3KqPf3kBa33BaMLBN/vH4DmbXbeatdXuwcytm6Ai0rgoOR4DSIOS8TSD3RJpENXfdfw1L8S2RetgQNeTNB0m2EFiYfDw7Ctj5ez1mQCZZAMNrWmRPBvJpU5uqzdZ2hu+ZgdZn8ADYioDumzWPJyarDS0tMfh/nqJYV8M5QMo/Sda0M2b5XI1eS2WgrN3w0FRvTtS7TG6iNTWNDv0D+tsoESDJbGW09TyqzMKl/syV0PTipXnsiVZqGBx/DCi6eC7VWyE39LmDPRFIJ6wjHm826evt5bBw6yhyaXndOQDSp8gtiHU3qusn1xXEmJrSznbxMbcmsTH+hH4OuewpPNhwK28Tl+jXaITbzTa96N6qXTCRXNS3p6fp61A/MaaB0SeP42UbE3ptN07DtGp6Q1/kP5riG/CpPTb7q0hj5nUM8scyThVS3iI7DdpzwdleyMYP9rP6k82zvASYfIwzfr+QK2snKOdamDciNidL4JkmjFUgbDdbQ+HyEz//9MVffHLSw78ZttCbz/51Izi2i657C47nZdBwJb7y1LlxnQtBWFa92A5PPt1MeQvWsf2ekftkamipqJeqHmf6yUytlAtnf9Pa4XlOhcWJV9lmEh7ZxlzXyC2KfhdS/7cl8fCI5t4iubej/U9vDxs60NrJQE95quqwRtaQFrplYMuFJ4Ih7meryy76P+x0J7Gzr1BoFjVfSbNkOtTIVWoGq3LWqtZsE5gYbvl2hZdmezOsInX4xoWtCH61+ApkzYVNaeMslsklMHgH44clFk1MgX6t304Ox9rwhbL6PyHzwzqOR2zlQ4k+zL0UD6QXOL/YXEZ1w/PeY60ShJpJZT6M8P5mcW0PXhH4G1SouaXsD49iN3JTbpmz0MNXs187XSyYa1wCjsKL+CSojr9w6q0bTNh6gNYnUyxxVuR0m24jrmny2lcoqMJ97AuVeVg9v7z4jnMxBzoll5gUucpPjGPBCUZu5IaRBI7h86bjYJvEQaBuO4ROg92cZog2fBbAvmj0kzfxuYkC8n/gCGHu9dP9V3j9m0GtvMZ2SzHbczGQyH5t44NgW0TWhnxv9mWYcowGtoxWcMUbp6Tc5W9V5lwIvnli6QW8d5L+A+XyDdfxKy2NZfjecpnRPDUPTlFMw0oXaKfNlPofIR7d/gwVEszintyLz411/16ZbQldx08dcWuyEsDZqfuvHOSPJDNFdwEtbkVF4HNVP1wJgnms0PYLMzqwnyWblJD/xfG+2jHANsWXrOvBhaGEyQ4aR2TKxLZnRv21P1s1hFisn/U29k+yzQNg4hrjs6pNrr3ohXjlaSH0yrC5XxFEe871ehKZ5jEzOIknnOznDvUU02MKohfgWIne3q/GsGWe1rTCxzMo54ActCrspdE9o5eFqyCfkptzFmtNfcADTsfG4HjjYiowiL4C+DTUzYVxTKj4taTi7bffjjJyCCdoYfpqPKShHgDtYXT7dyv1ZlORpQ2Z4HniqdXnPg1lo6CeB5xoRIghNmrFP3biBkD+XK7sR3tjKesqryyDyA+BdoKedrEptAhlF5rSdBG1n/QVrUpnTqm2l0SogJ4C30cpE4DFI10vDeWFCmQF4ciR7p5jF6qMnEB7NlZTf8GjDYd52a8/Z/NTpVXjpdqqew8lRkfpeVN4DerooV0MzUd+P9QMaEwRMWiNsZjU7J1FuR/hea6uqJlgt7LYLdbw1mVP+77SzVsrW0D2hq4FA33S9gaUhllBwGMfYc2lf9VrQf9GerMuA/gHwi6AnfQsh3kGyMsdmJ2vtoAFzS5QKcuc+B/pq4M+nEimwPkFpdv12ZK7nPq6DfKN9oc+PWX1j5QEkDPx2dltyFE2FleLBtqmv8iwB7231ozuDXqWpkZ9GQ4TGEteZHklmmuaH/c33YM6ttPuDoD2UB1vXzBHOXIpO4SZldtvZ5n9iilKPxYwILUdzFCE20anNEldro0OxCTTbeUduIX3yoi2sLoPqo8BPofqbIKdrOaLHRMPIbNMAAAtGSURBVG3zJ5mzaaJjZM7N/Ang/cDLGfSO8JGOvzprHcJNy2x3801/G7TTDpWEWWnoM1SfWvCarUQEy14ZpW/08XphN+j7WVlrx5ZO+EgPBr2TiKyA/iTovbVtbeRwA6mSaFKbIiWZ4QVU7wZ+AuQ3GPTaj2ZsBDubu42P18OXZvVt9diOd4f+8EUgfwfszhWSCW3MDdslnrcLtptbFVTPAW8Cvjq1iu0/tATyYuB24DXAQUR2u3EQtTxGVtL9nKGaVPAV4POIPD2KgXeDlbU9qH4fkWsbM1DcM8BXd+Sua5wUqoXUf7STT1IXMMNPI8vToA8h8lKnlRukLp2KIbA2H4TILlQ/BHwPJh1mOQaDw1Wv58ra+1D9IHAt6GGEH0P1ENXHRS8BlkDWK20uz6I8CfI3oGvAEwx6nc65c3CzcgrHwJiEgdxQP6+UryrvK0i3064sZqeh37cGwi8hfNbFP5NjZKdm2WPWdrNaQoIaqQj/MUTvnMonkjfCyhqoLoHsQVlCOAd6FpH1rsc2jEV/bQ/C91Gu9SyIqpia9BLyNJ/NOZQfZdCbiUMIs9TQH1mG/vBelFVEDjg7ziISW/FawVW88cirzXejfBN4YCr3MA4VadepVvjcmRDM2na2PtNGJDCG69ZRd7bHd5lRdCNhVk5hBZFTiPyBSfCEhbrJa8Socxn1TnJeao7vAfkMK2tXsYCHApI+kTxCDjMSbGTxikZM3tqpXwc+OctGH2ZN6NVlUD6DmhBP0sLOqY61iW8Zk6NVT/G32a8CPsvKcLKZ4RcjdFxiJDl19Cb2FNZa/XGQB6YeNz8PZktoAOEoyJ9VO8bBi85HNElCoCNratsdnWOoejPKx+kP2w3lXejIA/ZH+yVtrDZd6nr2mnwd5BMMljtdJamE2RO6sjc/gUj1wflJPl6f8tp5frWGfydwF/22Pl55gSObZ+LrMUc1Ut2n7aI6H52jT4DeMy1Rt4LZExoAfQLVPzMGWfW79Y/XF/bT+bIE/CrQX5A6QbyT5yJNqZ5tk2iQ61nXgdVZxZ0jdgahq86PVdB6epZzPKTWKIx+Sx+vtzO1c770sBSEXaAfBL2LlRbHe1yIsGaGjWZs9eP1ysMI93Yl9vmwMwhd4SjwcaDpcDhtrLV2iJ0COuYcRtuVRtqF8Oson2Jlbb4dxWTW5Xo1HS2ufkNYL9Vt1dv5flZn2DkUsHMIXWnp30H1sWKIzmlro7XjTHGrUYIFY3q8lhDeieqX6Q+vmHgJhAsVduyMC8FpXcfeY8TVs3IPIt/rVObzYOcQusJJ4NdIawpv5eP1aXZ1jKPmPOa3enJLiLwC+A7ozays7bS66AZ+OQjqCEZwyK1SqbTzcdAPsNr9IP6NsLMeYjX2+Buofg4ohN/q3RpK6K2qf+OcNzcrI8etDyHch+oH6Q8vZa4Q69XGmMXXv99fB+4COdqltJvBbLt1xqE/PAAMEak+paxBWyQkC6LRLW48HR39a0wQKED1MYT3ozzAoLdzNE//IUD2AbsY9NoZbLWytgv4K5QbGyxwPbOWzKkl1PuB1++oOhphZ2noDHkOuANGq4HG6VkNSyQ6LhLyRKcmdCbUDtBLQP4bcB/94Q2tLIswKfpDqCYsfB24rsWSR2M5KLR84uvFzx88DtyxE8kMO5XQVffpAygfGy2wgo9F48NNtrewkbZBvqTZxeXbhcirEPlr4L/TH75q9B3wbrGytkR/eCPVWOm/RLix9WuU6ir95vqwYVPOoryLQe+Z1mVpCTs3FjvoQX/4IZQbEG7xHjfBWLIMj+o7HjO/acKAFPMuIbwCeBmqT9Ef3oNwH/A4q73pdPGuDEG5EngF8IvAMtUnN6CN76mUkOP7pbqjJjWsg34MuH8qcrSEnWlDW6ysHQS+juqh5rDR0IHiWkZTRnNGS03mRhnjylWo4q5HEL4N/CXK48AzIKe3PChnZQ3QJZTLgGsQDqO8HLgBuKwwU2cd+JcMet/e2oXGXn8J+A5KNUvevcvmvusQ3ddA3sJgCovdtIidT2iA/vAwcB/C/g1FtlwsHoiaKNou9pSNHMnkKOkp4HmQI6BPI/L3oMdRToCcAj1rXo5LEPaBXIbyT4CDoIeAq6gIXBg45V6udXRKhLZfzy051uijwM+w2ut08fLtYOeaHBbKQwh3AJ9FafbuuQ6WhmYxeaBOSNvBm88RkRC2yhrLhP6EvSh7gYPAzd58AapmOgmw5Af9BMc1v0BqRJFC69ImgomRv8foBHsGuJ3Bzicz7FSnMOIjPUDuReV9iJ7znSY2pBdtYjbYNs6Om91sNLiUzhc2//F6WULSn7muzZc7MvDXtRcufZqiDaSIkIVznPUEwlsQHp/C1aeCC4PQAIPldeB3gLuAdb+afomA1oG09mjK44xs82LYMkP825bhOh3UENsSMchie91K47ubAeHGrbQOd10n5yngzSAPdT4ncwJcOISGitTKgGoxlnPZLIgxZcB9ySn3fKV9w3x3TraNvUnQmKGh4dzROela+Rr4bVuWc3DxssVrbKZTaFuw9ePu7yTKG0C+tWMm9W4SFxahIS2aPkC5Cxl9O9wiRjswWlEIJoIajW2a/mwviy8nx69N+TavNVlKpk56YUoEFbwsSY5pkdktiONMn+dR3orwjQuNzHAhEhqqRclFBqjeierprCGtQ+VUL0ZzYjSS+DT7m52j5JSpORbKtMds6x3n4SU73Y2ZsNcNmlIL12wXZ1yoDn0W4U0g01kgsgNcmISGROpPA28DPeGHOzoVPdqUpnOlUA9ot1oRc35yHK2mtxpN67T8Ikldpv1zsth0rcv0RnVjszVUl1o39/oE8GqU7856ouskuHAJDenzEfcAr0X1qLNNLdkcDHmiQ9QwX6wmJZDSnhPsi2l8vH4aqH2ENao486OzWpOuLVzYhIaqi3zQexD4SeB7fuijdexopqV0G0rLyt2UEVllHb9YFgQnkKYMzoQIeRuyB7naxTqq9wCvZLB8dCpX6BgXPqETBr1ngZcDA9CzzUHrBK1aH8p2LLDjP17fHtaBDyHyFga9k62XPiNMs0GbDfprS6CvAPkkwtVFzWYdtwaMuWDDZzm8MabK8osRzJK4GmmMkmhISwk5LcnTctf3RYqLR0MnDJbXEf4c9KdQ/cNKW4+OJds0Q2lo7kh2d24hLf8aImbtnWxvbV638TaF6+fzgjwLbIiLj9AAq73KBBH+NfCmaiEUqENko+04dsJip328/uJrS6eCi5PQCau9cwx6XwP5CeADKM83TYcY7Qi/LsqhNElnnTqTd1xZOfYdVK51AJOpYp3ShYbeFC5uQicMlk+i/GegB9xN4xspGIKZ3xwBsXAGrydaqWcvd5aEUF5uHQphkvTONMKEC5wP81lN/eG1wJ2I3AZc0nDMNrJbx+WLDp6t2XH7G/mbUdG3PcD/IsV8aOiIQe8JkHeg+iOofgw4Doxx3gihNYzpgTmuBWJqHbrL2jhtU3Y0nSMZyl7gvJhPQkM1EXfQOwJyJ+iPoPou4EEYzYTOXdej/NEEGBdQdhaJtc+NObJhD2CD4YVrLTAOi5qyWBnuRrkWeAPwGpBDCNWM72geRLiZJUlbm8xuTLUhdDY/gr2SN3P6Ig69CSwIXUL10Z89wLXALcDLEV4Msh9lKZM31t6mbOcxzmaeadNIPwscAx4C3s+gd3Sym7u4sSD0ZlAR/ADVdwlvBHqg1wJXgOymMTfTaujRPjBWvVfZ1oFzKKeAowiPojIEfQR4eqesv7zTsSD0dlF9T3w/yNWgB4GDID8EejnIftB9IHsRHU3qFagGA50GTiFyAngeOAb69yhHqT5a+QzwwmgiwwJbxP8Hm/uj5T1hsjYAAAAASUVORK5CYII=";

package/dist/oauth/openBrowser.d.ts

@@ -0,0 +1,19 @@
+import type { ChildProcess, SpawnOptions } from "node:child_process";
+/** Injection seam for `child_process.spawn`. Used by tests. */
+export type SpawnFn = (command: string, args: readonly string[], options: SpawnOptions) => ChildProcess;
+/** Options for `openBrowser`. */
+export interface OpenBrowserOptions {
+    /** Override for `process.platform`. Used by tests. */
+    platform?: NodeJS.Platform;
+    /** Override for `child_process.spawn`. Used by tests. */
+    spawnFn?: SpawnFn;
+}
+/**
+ * Launches the system browser at `url` in a detached child process.
+ * Returns synchronously once the child is spawned — completion of the
+ * browser load is intentionally not awaited.
+ *
+ * @param url Absolute URL to open.
+ * @param options Platform/spawn overrides; only exposed for tests.
+ */
+export declare function openBrowser(url: string, options?: OpenBrowserOptions): void;

package/dist/oauth/openBrowser.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.openBrowser = openBrowser;
+const node_child_process_1 = require("node:child_process");
+const errors_1 = require("./errors");
+// On Windows `start` is a cmd.exe builtin, not a standalone binary.
+// The empty `""` pair is a positional placeholder for the window
+// title — without it `start` treats the URL as the title.
+//
+// The escape class covers:
+// - `& | ^ < >` — cmd metacharacters that would otherwise split the
+//   command line.
+// - `"` — would prematurely terminate the argument and break
+//   `start`'s quoting.
+// - `%` — triggers cmd.exe environment-variable expansion (e.g.
+//   `%USERNAME%`), which could leak or alter the URL.
+// - `\r \n` — embedded newlines let a crafted URL inject additional
+//   commands onto cmd.exe's line.
+//
+// URLs normally percent-encode most of these (so this is defense in
+// depth), but we do not fully trust the authorization endpoint that
+// came back from discovery.
+function windowsCommand(url) {
+    return {
+        command: "cmd.exe",
+        args: ["/c", "start", '""', url.replace(/[&|^<>"%\r\n]/g, (c) => `^${c}`)],
+    };
+}
+function browserCommand(platform, url) {
+    switch (platform) {
+        case "darwin":
+            return { command: "open", args: [url] };
+        case "win32":
+            return windowsCommand(url);
+        default:
+            // linux / freebsd / openbsd — xdg-open is part of xdg-utils which
+            // is near-universal on desktop Linux. Environments without it
+            // (headless servers, containers) will report the missing binary
+            // via an asynchronous child-process `error` event, which this
+            // module deliberately swallows (see `child.once("error", ...)`
+            // below); `BROWSER_LAUNCH_FAILED` is only raised for synchronous
+            // `spawn()` throws. The caller's fallback is the URL already
+            // surfaced via `onAuthorizationUrl` so the user can finish the
+            // flow manually.
+            return { command: "xdg-open", args: [url] };
+    }
+}
+/**
+ * Launches the system browser at `url` in a detached child process.
+ * Returns synchronously once the child is spawned — completion of the
+ * browser load is intentionally not awaited.
+ *
+ * @param url Absolute URL to open.
+ * @param options Platform/spawn overrides; only exposed for tests.
+ */
+function openBrowser(url, options = {}) {
+    const platform = options.platform ?? process.platform;
+    const spawnFn = options.spawnFn ?? node_child_process_1.spawn;
+    const { command, args } = browserCommand(platform, url);
+    let child;
+    try {
+        child = spawnFn(command, args, {
+            detached: true,
+            stdio: "ignore",
+        });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("BROWSER_LAUNCH_FAILED", `Failed to launch the system browser (${command}). Open this URL manually:\n${url}`, { cause });
+    }
+    // `spawn` itself can succeed (the parent fork was fine) and then emit
+    // `error` asynchronously if the binary isn't on PATH. We can't surface
+    // that synchronously, but attaching a handler prevents the default
+    // "unhandled error" crash. Callers get a benign no-op if the browser
+    // never opens; the authorize() orchestrator prints the URL alongside
+    // the launch so the user has a fallback.
+    child.once("error", () => { });
+    child.unref();
+}

package/dist/oauth/pkce.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Generates a cryptographically random PKCE `code_verifier` per RFC 7636
+ * §4.1. 43 base64url characters, 256 bits of entropy.
+ */
+export declare function generateCodeVerifier(): string;
+/**
+ * Derives the PKCE S256 `code_challenge` for the given verifier per
+ * RFC 7636 §4.2: `BASE64URL(SHA256(ASCII(verifier)))`.
+ *
+ * @param verifier The PKCE verifier produced by `generateCodeVerifier`.
+ */
+export declare function deriveCodeChallenge(verifier: string): string;
+/**
+ * Generates a cryptographically random OAuth `state` value for CSRF
+ * protection. 22 base64url characters, 128 bits of entropy.
+ */
+export declare function generateState(): string;

package/dist/oauth/pkce.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateCodeVerifier = generateCodeVerifier;
+exports.deriveCodeChallenge = deriveCodeChallenge;
+exports.generateState = generateState;
+const node_crypto_1 = require("node:crypto");
+// PKCE per RFC 7636. We only ever emit S256; plain is permitted by the RFC
+// but explicitly disallowed by our authorization-server config so it can't
+// silently fall back in the face of a buggy server.
+/**
+ * Entropy for the PKCE `code_verifier`. 32 bytes yields 43 base64url chars
+ * (no padding), the minimum length RFC 7636 allows (43–128). 256 bits
+ * matches the S256 hash's security ceiling.
+ */
+const VERIFIER_ENTROPY_BYTES = 32;
+/**
+ * Entropy for the CSRF `state` parameter. 16 bytes yields 22 base64url
+ * chars — unguessable without bloating the authorization URL.
+ */
+const STATE_ENTROPY_BYTES = 16;
+/**
+ * Generates a cryptographically random PKCE `code_verifier` per RFC 7636
+ * §4.1. 43 base64url characters, 256 bits of entropy.
+ */
+function generateCodeVerifier() {
+    return (0, node_crypto_1.randomBytes)(VERIFIER_ENTROPY_BYTES).toString("base64url");
+}
+/**
+ * Derives the PKCE S256 `code_challenge` for the given verifier per
+ * RFC 7636 §4.2: `BASE64URL(SHA256(ASCII(verifier)))`.
+ *
+ * @param verifier The PKCE verifier produced by `generateCodeVerifier`.
+ */
+function deriveCodeChallenge(verifier) {
+    return (0, node_crypto_1.createHash)("sha256").update(verifier, "ascii").digest("base64url");
+}
+/**
+ * Generates a cryptographically random OAuth `state` value for CSRF
+ * protection. 22 base64url characters, 128 bits of entropy.
+ */
+function generateState() {
+    return (0, node_crypto_1.randomBytes)(STATE_ENTROPY_BYTES).toString("base64url");
+}