@doist/todoist-cli 1.57.0 → 1.59.0

package/dist/lib/auth.js

@@ -1,7 +1,9 @@
-import { createSecureStore, SecureStoreUnavailableError, SECURE_STORE_DESCRIPTION, } from './secure-store.js';
-export { AUTH_FLAG_ORDER, CONFIG_PATH, readConfig, writeConfig, } from './config.js';
-import { CONFIG_PATH, readConfig, writeConfig, } from './config.js';
+import { accountForUser, createSecureStore, LEGACY_ACCOUNT_NAME, SECURE_STORE_DESCRIPTION, SecureStoreUnavailableError, } from './secure-store.js';
+export { AUTH_FLAG_ORDER, CONFIG_PATH, CONFIG_VERSION, readConfig, writeConfig, } from './config.js';
+import { CONFIG_PATH, CONFIG_VERSION, readConfig, writeConfig, } from './config.js';
 import { CliError } from './errors.js';
+import { getRequestedUserRef } from './global-args.js';
+import { findUserByRef, getDefaultUser, getStoredUsers, NoUserSelectedError, removeStoredUser, setDefaultUser as setDefaultUserInConfig, upsertStoredUser, UserNotFoundError, } from './users.js';
 export const TOKEN_ENV_VAR = 'TODOIST_API_TOKEN';
 export class NoTokenError extends CliError {
     constructor() {
@@ -9,223 +11,413 @@ export class NoTokenError extends CliError {
         this.name = 'NoTokenError';
     }
 }
-export async function getApiToken() {
-    // Priority 1: Environment variable
+// ---------------------------------------------------------------------------
+// Public API — used by api/core, uploads, stats, doctor, auth subcommands
+// ---------------------------------------------------------------------------
+/**
+ * Resolve which stored user this invocation should act as, and load their
+ * token. Honors `--user <ref>`, then `user.defaultUser`, then a single stored
+ * user. Throws `NoUserSelectedError` when multiple users are stored without a
+ * default and no `--user` was passed; `UserNotFoundError` when `--user` does
+ * not match; `NoTokenError` when no users are stored.
+ *
+ * `TODOIST_API_TOKEN` short-circuits the resolver entirely — env tokens act as
+ * an anonymous identity for the duration of the command.
+ */
+export async function resolveActiveUser(opts = {}) {
     const envToken = process.env[TOKEN_ENV_VAR];
     if (envToken) {
-        return envToken;
+        return {
+            id: 'env',
+            email: '',
+            token: envToken,
+            authMode: 'unknown',
+            source: 'env',
+        };
     }
     const config = await readConfig();
-    const configToken = getConfigToken(config);
-    const secureStore = createSecureStore();
-    if (configToken) {
-        try {
-            await secureStore.setSecret(configToken);
-            const cleanupWarning = await cleanupAuthFallbackState(config, 'Token was migrated to secure storage,');
-            if (cleanupWarning) {
-                warn(cleanupWarning);
-            }
+    const users = getStoredUsers(config);
+    const requestedRef = opts.ref ?? getRequestedUserRef();
+    // Gate the legacy fallback on the *absence* of `config.users` rather than
+    // an empty array. A v2 config that has been logged out (`users: []`) must
+    // not silently fall back to a stale `api-token` keyring entry — that
+    // would let a forgotten v1 credential reauthenticate the next command.
+    const isLegacyShape = !Array.isArray(config.users);
+    if (users.length === 0) {
+        if (requestedRef) {
+            // Asked for a specific user, but the store is empty — same error
+            // as missing user, scoped to the request.
+            throw new UserNotFoundError(requestedRef);
         }
-        catch (error) {
-            if (!(error instanceof SecureStoreUnavailableError)) {
-                throw error;
-            }
+        if (isLegacyShape) {
+            return resolveLegacyToken(config);
         }
-        return configToken;
+        throw new NoTokenError();
     }
-    if (config.pendingSecureStoreClear) {
-        try {
-            await secureStore.deleteSecret();
-            const cleanupWarning = await cleanupAuthFallbackState(config, 'Secure-store token was removed,');
-            if (cleanupWarning) {
-                warn(cleanupWarning);
+    let target;
+    if (requestedRef) {
+        const found = findUserByRef(config, requestedRef);
+        if (!found)
+            throw new UserNotFoundError(requestedRef);
+        target = found.user;
+    }
+    else if (config.user?.defaultUser) {
+        const found = findUserByRef(config, config.user.defaultUser);
+        if (!found) {
+            // Default points at a missing user — treat like no default.
+            if (users.length === 1) {
+                target = users[0];
             }
-        }
-        catch (error) {
-            if (!(error instanceof SecureStoreUnavailableError)) {
-                throw error;
+            else {
+                throw new NoUserSelectedError();
             }
         }
-        throw new NoTokenError();
-    }
-    try {
-        const storedToken = await secureStore.getSecret();
-        if (storedToken?.trim()) {
-            return storedToken;
+        else {
+            target = found.user;
         }
     }
-    catch (error) {
-        if (!(error instanceof SecureStoreUnavailableError)) {
-            throw error;
-        }
+    else if (users.length === 1) {
+        target = users[0];
     }
-    throw new NoTokenError();
+    else {
+        throw new NoUserSelectedError();
+    }
+    const { token, source } = await loadTokenForStoredUser(target);
+    return {
+        id: target.id,
+        email: target.email,
+        token,
+        authMode: target.auth_mode ?? 'unknown',
+        authScope: target.auth_scope,
+        authFlags: target.auth_flags,
+        source,
+    };
+}
+/**
+ * Backwards-compatible no-arg accessor for the active user's token. Most call
+ * sites (uploads, stats, api/core) only need the bearer string.
+ */
+export async function getApiToken() {
+    const resolved = await resolveActiveUser();
+    return resolved.token;
 }
+/**
+ * Like `resolveActiveUser` but returns whichever credentials are at hand
+ * without mutating storage. Useful for `td doctor` / `td config view` where
+ * we want to inspect (and report on) what would be used.
+ */
 export async function probeApiToken() {
-    const envToken = process.env[TOKEN_ENV_VAR];
-    if (envToken) {
-        return {
-            token: envToken,
-            metadata: { authMode: 'unknown', source: 'env' },
-        };
-    }
-    const config = await readConfig();
-    const configToken = getConfigToken(config);
-    if (configToken) {
-        return {
-            token: configToken,
-            metadata: {
-                authMode: config.auth_mode ?? 'unknown',
-                authScope: config.auth_scope,
-                authFlags: config.auth_flags,
-                source: 'config-file',
-            },
-        };
-    }
-    if (config.pendingSecureStoreClear) {
-        throw new NoTokenError();
-    }
-    const secureStore = createSecureStore();
+    const resolved = await resolveActiveUser();
+    return {
+        token: resolved.token,
+        metadata: resolvedToMetadata(resolved),
+    };
+}
+export async function getAuthMetadata() {
     try {
-        const storedToken = await secureStore.getSecret();
-        if (storedToken?.trim()) {
-            return {
-                token: storedToken.trim(),
-                metadata: {
-                    authMode: config.auth_mode ?? 'unknown',
-                    authScope: config.auth_scope,
-                    authFlags: config.auth_flags,
-                    source: 'secure-store',
-                },
-            };
-        }
+        const resolved = await resolveActiveUser();
+        return resolvedToMetadata(resolved);
     }
     catch (error) {
-        if (!(error instanceof SecureStoreUnavailableError)) {
-            throw error;
+        // Metadata callers (e.g. `ensureWriteAllowed`, scope-error
+        // remediation) need a sensible default rather than a hard failure
+        // when credentials are missing or the keyring is offline. Diagnostic
+        // commands use `probeApiToken` for that — it intentionally lets
+        // `SecureStoreUnavailableError` propagate so it can be reported.
+        if (error instanceof NoTokenError || error instanceof SecureStoreUnavailableError) {
+            return { authMode: 'unknown', source: 'secure-store' };
         }
         throw error;
     }
-    throw new NoTokenError();
 }
-export async function saveApiToken(token, options = {}) {
-    // Validate token (non-empty, reasonable length)
-    if (!token || token.trim().length < 10) {
+/**
+ * Add or update a user record. Stores the token in the OS credential manager
+ * under `user-<id>` when available, falls back to per-user plaintext in config.
+ * Sets `defaultUser` automatically if this is the first user being stored.
+ */
+export async function upsertUser(input) {
+    if (!input.token || input.token.trim().length < 10) {
         throw new CliError('INVALID_TOKEN', 'Invalid token: Token must be at least 10 characters');
     }
-    const trimmedToken = token.trim();
-    const secureStore = createSecureStore();
+    if (!input.id) {
+        throw new CliError('INVALID_USER', 'Cannot store user record: missing id');
+    }
+    if (!input.email) {
+        throw new CliError('INVALID_USER', 'Cannot store user record: missing email');
+    }
+    const trimmedToken = input.token.trim();
+    const config = await readConfig();
+    const previouslyExisted = getStoredUsers(config).some((u) => u.id === input.id);
+    // Always set the first user as the default — even if `config.user.defaultUser`
+    // points at a stale/orphaned id, that pointer would otherwise wedge multi-user
+    // resolution on subsequent logins.
+    const shouldSetDefault = getStoredUsers(config).length === 0;
+    const baseRecord = {
+        id: input.id,
+        email: input.email,
+        auth_mode: input.authMode,
+        auth_scope: input.authScope,
+        auth_flags: input.authFlags,
+    };
+    const secureStore = createSecureStore(accountForUser(input.id));
+    let storedSecurely = false;
     try {
         await secureStore.setSecret(trimmedToken);
-        const existingConfig = await readConfig();
-        const configWithMeta = withAuthMetadata(existingConfig, options);
-        const warning = await cleanupAuthFallbackState(configWithMeta, 'Token was stored securely,');
-        return warning ? { storage: 'secure-store', warning } : { storage: 'secure-store' };
+        storedSecurely = true;
     }
     catch (error) {
-        if (!(error instanceof SecureStoreUnavailableError)) {
+        if (!(error instanceof SecureStoreUnavailableError))
             throw error;
+    }
+    const userRecord = storedSecurely
+        ? baseRecord
+        : { ...baseRecord, api_token: trimmedToken };
+    let next = ensureV2Shape(config);
+    next = upsertStoredUser(next, userRecord).config;
+    if (shouldSetDefault) {
+        next = setDefaultUserInConfig(next, input.id);
+    }
+    next = stripLegacyAuthFields(next);
+    try {
+        await writeConfig(next);
+    }
+    catch (error) {
+        // Config write is the source of truth — without it, later commands
+        // can't resolve the user even though the keyring holds the secret.
+        // Roll the keyring back so we don't leak credentials for a non-stored
+        // account, then surface the failure.
+        if (storedSecurely) {
+            try {
+                await secureStore.deleteSecret();
+            }
+            catch {
+                // best effort — the original error is what the user needs
+            }
         }
+        const detail = error instanceof Error && error.message ? `: ${error.message}` : '';
+        throw new CliError('CONFIG_WRITE_FAILED', `Could not persist account record to ${CONFIG_PATH}${detail}`, ['Check file permissions on ~/.config/todoist-cli/, then re-run the command']);
     }
-    const config = await readConfig();
-    config.api_token = trimmedToken;
-    delete config.pendingSecureStoreClear;
-    config.auth_mode = options.authMode;
-    config.auth_scope = options.authScope;
-    config.auth_flags = options.authFlags;
-    await writeConfig(config);
     return {
-        storage: 'config-file',
-        warning: buildFallbackWarning('token saved as plaintext in'),
+        storage: storedSecurely ? 'secure-store' : 'config-file',
+        warning: storedSecurely ? undefined : buildFallbackWarning('token saved as plaintext in'),
+        replaced: previouslyExisted,
     };
 }
-export async function clearApiToken() {
+/**
+ * Remove the active user (resolved via `--user` or default). For multi-user
+ * installs without a default, callers must pass `--user <ref>` to disambiguate.
+ */
+export async function clearApiToken(opts = {}) {
     const config = await readConfig();
-    const secureStore = createSecureStore();
+    const users = getStoredUsers(config);
+    const requestedRef = opts.ref ?? getRequestedUserRef();
+    // No users stored yet — fall through to legacy logout only on a v1-shaped
+    // config (no `users` key at all). Empty `users: []` is an already-clean
+    // v2 install; treat it as a no-op rather than poking the legacy keyring.
+    if (users.length === 0) {
+        if (!Array.isArray(config.users)) {
+            return clearLegacyToken(config);
+        }
+        if (requestedRef) {
+            throw new UserNotFoundError(requestedRef);
+        }
+        throw new NoTokenError();
+    }
+    let target;
+    if (requestedRef) {
+        const found = findUserByRef(config, requestedRef);
+        if (!found)
+            throw new UserNotFoundError(requestedRef);
+        target = found.user;
+    }
+    else {
+        const def = getDefaultUser(config);
+        if (def) {
+            target = def;
+        }
+        else if (users.length === 1) {
+            target = users[0];
+        }
+        else {
+            throw new NoUserSelectedError();
+        }
+    }
+    return removeUserById(target.id);
+}
+/**
+ * Remove a specific user by id. Used by `td user remove` and as the underlying
+ * primitive for `clearApiToken`.
+ *
+ * Order matters: write the new config first (the source of truth) and only
+ * then delete the secret. If the config update fails the keyring is untouched,
+ * so the user remains fully functional and a retry will simply re-attempt
+ * the same operation. A keyring delete failure after a successful config
+ * update leaves an orphan secret that the keyring's own service can clean up
+ * later — the CLI no longer references it.
+ */
+export async function removeUserById(id) {
+    const config = await readConfig();
+    const next = stripLegacyAuthFields(removeStoredUser(ensureV2Shape(config), id));
+    try {
+        await writeConfig(next);
+    }
+    catch (error) {
+        const detail = error instanceof Error && error.message ? `: ${error.message}` : '';
+        throw new CliError('CONFIG_WRITE_FAILED', `Could not update ${CONFIG_PATH}${detail}`, [
+            'Check file permissions on ~/.config/todoist-cli/, then re-run the command',
+        ]);
+    }
+    const secureStore = createSecureStore(accountForUser(id));
     try {
         await secureStore.deleteSecret();
-        const warning = await cleanupAllAuthState(config, 'Secure-store token was removed,');
-        return warning ? { storage: 'secure-store', warning } : { storage: 'secure-store' };
     }
     catch (error) {
-        if (!(error instanceof SecureStoreUnavailableError)) {
+        if (!(error instanceof SecureStoreUnavailableError))
             throw error;
-        }
+        return {
+            storage: 'config-file',
+            warning: buildFallbackWarning('local auth state cleared in'),
+        };
     }
-    await writeConfig(withPendingSecureStoreClear(withoutAuthMetadata(config)));
-    return {
-        storage: 'config-file',
-        warning: buildFallbackWarning('local auth state cleared in'),
-    };
+    return { storage: 'secure-store' };
 }
-export async function getAuthMetadata() {
-    if (process.env[TOKEN_ENV_VAR]) {
-        return { authMode: 'unknown', source: 'env' };
-    }
+export async function setDefaultUserId(id) {
+    const config = ensureV2Shape(await readConfig());
+    const found = findUserByRef(config, id);
+    if (!found)
+        throw new UserNotFoundError(id);
+    await writeConfig(stripLegacyAuthFields(setDefaultUserInConfig(config, found.user.id)));
+}
+export async function listStoredUsers() {
     const config = await readConfig();
-    if (config.auth_mode) {
+    return getStoredUsers(config);
+}
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+async function loadTokenForStoredUser(user) {
+    if (user.api_token?.trim()) {
+        return { token: user.api_token.trim(), source: 'config-file' };
+    }
+    const secureStore = createSecureStore(accountForUser(user.id));
+    // Re-throw `SecureStoreUnavailableError` rather than collapsing it into
+    // `NoTokenError`. A stored v2 user with the keyring offline is *not* the
+    // same situation as no credentials at all — `td doctor` and `td config
+    // view` both have dedicated handling for the unavailable-store case and
+    // should report the keyring failure rather than misleadingly say the user
+    // has no saved credentials.
+    const stored = await secureStore.getSecret();
+    if (stored?.trim()) {
+        return { token: stored.trim(), source: 'secure-store' };
+    }
+    throw new NoTokenError();
+}
+/**
+ * v1 fallback: when there are no v2 users in the config, see if a legacy
+ * single-user token is present (config plaintext or legacy `api-token`
+ * keyring entry). Returns it as a synthetic ResolvedUser so the CLI keeps
+ * working until postinstall (or `td auth login`) migrates the install.
+ */
+async function resolveLegacyToken(config) {
+    const legacyToken = typeof config.api_token === 'string' ? config.api_token.trim() : '';
+    if (legacyToken) {
         return {
-            authMode: config.auth_mode,
+            id: 'legacy',
+            email: '',
+            token: legacyToken,
+            authMode: config.auth_mode ?? 'unknown',
             authScope: config.auth_scope,
             authFlags: config.auth_flags,
-            source: getConfigToken(config) ? 'config-file' : 'secure-store',
+            source: 'config-file',
         };
     }
-    return {
-        authMode: 'unknown',
-        source: getConfigToken(config) ? 'config-file' : 'secure-store',
-    };
+    if (config.pendingSecureStoreClear) {
+        // v1 logout state: nothing to restore. Surface as the same NoTokenError
+        // the v1 path used to throw.
+        throw new NoTokenError();
+    }
+    const secureStore = createSecureStore(LEGACY_ACCOUNT_NAME);
+    try {
+        const stored = await secureStore.getSecret();
+        if (stored?.trim()) {
+            return {
+                id: 'legacy',
+                email: '',
+                token: stored.trim(),
+                authMode: config.auth_mode ?? 'unknown',
+                authScope: config.auth_scope,
+                authFlags: config.auth_flags,
+                source: 'secure-store',
+            };
+        }
+    }
+    catch (error) {
+        if (!(error instanceof SecureStoreUnavailableError))
+            throw error;
+    }
+    throw new NoTokenError();
 }
-async function cleanupAuthFallbackState(config, warningPrefix) {
+async function clearLegacyToken(config) {
+    const secureStore = createSecureStore(LEGACY_ACCOUNT_NAME);
     try {
-        await writeConfig(withoutAuthFallbackState(config));
-        return undefined;
+        await secureStore.deleteSecret();
+        const cleaned = stripLegacyAuthFields(config);
+        try {
+            await writeConfig(cleaned);
+        }
+        catch (error) {
+            return {
+                storage: 'secure-store',
+                warning: buildConfigCleanupWarning('Secure-store token was removed,', error),
+            };
+        }
+        return { storage: 'secure-store' };
     }
     catch (error) {
-        return buildConfigCleanupWarning(warningPrefix, error);
+        if (!(error instanceof SecureStoreUnavailableError))
+            throw error;
+    }
+    const cleared = {
+        ...stripLegacyAuthFields(config),
+        pendingSecureStoreClear: true,
+    };
+    try {
+        await writeConfig(cleared);
+    }
+    catch {
+        // best-effort
     }
+    return {
+        storage: 'config-file',
+        warning: buildFallbackWarning('local auth state cleared in'),
+    };
 }
-function getConfigToken(config) {
-    return typeof config.api_token === 'string' && config.api_token.trim()
-        ? config.api_token.trim()
-        : null;
+function ensureV2Shape(config) {
+    const next = { ...config, config_version: CONFIG_VERSION };
+    if (!Array.isArray(next.users)) {
+        next.users = [];
+    }
+    return next;
 }
-function withoutAuthFallbackState(config) {
-    const { api_token: _token, pendingSecureStoreClear: _pending, ...rest } = config;
+function stripLegacyAuthFields(config) {
+    const { api_token: _t, auth_mode: _m, auth_scope: _s, auth_flags: _f, pendingSecureStoreClear: _p, ...rest } = config;
     return rest;
 }
-function withPendingSecureStoreClear(config) {
-    return { ...withoutAuthFallbackState(config), pendingSecureStoreClear: true };
-}
-function withAuthMetadata(config, options) {
+function resolvedToMetadata(resolved) {
     return {
-        ...config,
-        auth_mode: options.authMode,
-        auth_scope: options.authScope,
-        auth_flags: options.authFlags,
+        authMode: resolved.authMode,
+        authScope: resolved.authScope,
+        authFlags: resolved.authFlags,
+        source: resolved.source,
+        userId: resolved.id === 'env' || resolved.id === 'legacy' ? undefined : resolved.id,
+        email: resolved.email || undefined,
     };
 }
-function withoutAuthMetadata(config) {
-    const { auth_mode: _mode, auth_scope: _scope, auth_flags: _flags, ...rest } = config;
-    return rest;
-}
-async function cleanupAllAuthState(config, warningPrefix) {
-    try {
-        await writeConfig(withoutAuthFallbackState(withoutAuthMetadata(config)));
-        return undefined;
-    }
-    catch (error) {
-        return buildConfigCleanupWarning(warningPrefix, error);
-    }
-}
 function buildFallbackWarning(action) {
     return `${SECURE_STORE_DESCRIPTION} unavailable; ${action} ${CONFIG_PATH}`;
 }
 function buildConfigCleanupWarning(prefix, error) {
     const detail = error instanceof Error && error.message ? ` (${error.message})` : '';
-    return `${prefix} but could not remove legacy plaintext token from ${CONFIG_PATH}${detail}`;
-}
-function warn(message) {
-    console.error(`Warning: ${message}`);
+    return `${prefix} but could not update ${CONFIG_PATH}${detail}`;
 }
 //# sourceMappingURL=auth.js.map

package/dist/lib/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/lib/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,iBAAiB,EACjB,2BAA2B,EAC3B,wBAAwB,GAC3B,MAAM,mBAAmB,CAAA;AAC1B,OAAO,EACH,eAAe,EACf,WAAW,EACX,UAAU,EACV,WAAW,GAKd,MAAM,aAAa,CAAA;AAEpB,OAAO,EACH,WAAW,EACX,UAAU,EACV,WAAW,GAId,MAAM,aAAa,CAAA;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AAEtC,MAAM,CAAC,MAAM,aAAa,GAAG,mBAAmB,CAAA;AAoBhD,MAAM,OAAO,YAAa,SAAQ,QAAQ;IACtC;QACI,KAAK,CACD,UAAU,EACV,2BAA2B,aAAa,yDAAyD,EACjG,CAAC,6CAA6C,CAAC,EAC/C,MAAM,CACT,CAAA;QACD,IAAI,CAAC,IAAI,GAAG,cAAc,CAAA;IAC9B,CAAC;CACJ;AASD,MAAM,CAAC,KAAK,UAAU,WAAW;IAC7B,mCAAmC;IACnC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IAC3C,IAAI,QAAQ,EAAE,CAAC;QACX,OAAO,QAAQ,CAAA;IACnB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,MAAM,WAAW,GAAG,cAAc,CAAC,MAAM,CAAC,CAAA;IAC1C,MAAM,WAAW,GAAG,iBAAiB,EAAE,CAAA;IAEvC,IAAI,WAAW,EAAE,CAAC;QACd,IAAI,CAAC;YACD,MAAM,WAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAA;YACxC,MAAM,cAAc,GAAG,MAAM,wBAAwB,CACjD,MAAM,EACN,uCAAuC,CAC1C,CAAA;YACD,IAAI,cAAc,EAAE,CAAC;gBACjB,IAAI,CAAC,cAAc,CAAC,CAAA;YACxB,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAI,CAAC,CAAC,KAAK,YAAY,2BAA2B,CAAC,EAAE,CAAC;gBAClD,MAAM,KAAK,CAAA;YACf,CAAC;QACL,CAAC;QAED,OAAO,WAAW,CAAA;IACtB,CAAC;IAED,IAAI,MAAM,CAAC,uBAAuB,EAAE,CAAC;QACjC,IAAI,CAAC;YACD,MAAM,WAAW,CAAC,YAAY,EAAE,CAAA;YAChC,MAAM,cAAc,GAAG,MAAM,wBAAwB,CACjD,MAAM,EACN,iCAAiC,CACpC,CAAA;YACD,IAAI,cAAc,EAAE,CAAC;gBACjB,IAAI,CAAC,cAAc,CAAC,CAAA;YACxB,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAI,CAAC,CAAC,KAAK,YAAY,2BAA2B,CAAC,EAAE,CAAC;gBAClD,MAAM,KAAK,CAAA;YACf,CAAC;QACL,CAAC;QAED,MAAM,IAAI,YAAY,EAAE,CAAA;IAC5B,CAAC;IAED,IAAI,CAAC;QACD,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,SAAS,EAAE,CAAA;QACjD,IAAI,WAAW,EAAE,IAAI,EAAE,EAAE,CAAC;YACtB,OAAO,WAAW,CAAA;QACtB,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,IAAI,CAAC,CAAC,KAAK,YAAY,2BAA2B,CAAC,EAAE,CAAC;YAClD,MAAM,KAAK,CAAA;QACf,CAAC;IACL,CAAC;IAED,MAAM,IAAI,YAAY,EAAE,CAAA;AAC5B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa;IAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IAC3C,IAAI,QAAQ,EAAE,CAAC;QACX,OAAO;YACH,KAAK,EAAE,QAAQ;YACf,QAAQ,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE;SACnD,CAAA;IACL,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,MAAM,WAAW,GAAG,cAAc,CAAC,MAAM,CAAC,CAAA;IAE1C,IAAI,WAAW,EAAE,CAAC;QACd,OAAO;YACH,KAAK,EAAE,WAAW;YAClB,QAAQ,EAAE;gBACN,QAAQ,EAAE,MAAM,CAAC,SAAS,IAAI,SAAS;gBACvC,SAAS,EAAE,MAAM,CAAC,UAAU;gBAC5B,SAAS,EAAE,MAAM,CAAC,UAAU;gBAC5B,MAAM,EAAE,aAAa;aACxB;SACJ,CAAA;IACL,CAAC;IAED,IAAI,MAAM,CAAC,uBAAuB,EAAE,CAAC;QACjC,MAAM,IAAI,YAAY,EAAE,CAAA;IAC5B,CAAC;IAED,MAAM,WAAW,GAAG,iBAAiB,EAAE,CAAA;IACvC,IAAI,CAAC;QACD,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,SAAS,EAAE,CAAA;QACjD,IAAI,WAAW,EAAE,IAAI,EAAE,EAAE,CAAC;YACtB,OAAO;gBACH,KAAK,EAAE,WAAW,CAAC,IAAI,EAAE;gBACzB,QAAQ,EAAE;oBACN,QAAQ,EAAE,MAAM,CAAC,SAAS,IAAI,SAAS;oBACvC,SAAS,EAAE,MAAM,CAAC,UAAU;oBAC5B,SAAS,EAAE,MAAM,CAAC,UAAU;oBAC5B,MAAM,EAAE,cAAc;iBACzB;aACJ,CAAA;QACL,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,IAAI,CAAC,CAAC,KAAK,YAAY,2BAA2B,CAAC,EAAE,CAAC;YAClD,MAAM,KAAK,CAAA;QACf,CAAC;QACD,MAAM,KAAK,CAAA;IACf,CAAC;IAED,MAAM,IAAI,YAAY,EAAE,CAAA;AAC5B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAC9B,KAAa,EACb,UAA+B,EAAE;IAEjC,gDAAgD;IAChD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,QAAQ,CAAC,eAAe,EAAE,qDAAqD,CAAC,CAAA;IAC9F,CAAC;IAED,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,EAAE,CAAA;IACjC,MAAM,WAAW,GAAG,iBAAiB,EAAE,CAAA;IAEvC,IAAI,CAAC;QACD,MAAM,WAAW,CAAC,SAAS,CAAC,YAAY,CAAC,CAAA;QACzC,MAAM,cAAc,GAAG,MAAM,UAAU,EAAE,CAAA;QACzC,MAAM,cAAc,GAAG,gBAAgB,CAAC,cAAc,EAAE,OAAO,CAAC,CAAA;QAChE,MAAM,OAAO,GAAG,MAAM,wBAAwB,CAAC,cAAc,EAAE,4BAA4B,CAAC,CAAA;QAC5F,OAAO,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE,CAAA;IACvF,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,IAAI,CAAC,CAAC,KAAK,YAAY,2BAA2B,CAAC,EAAE,CAAC;YAClD,MAAM,KAAK,CAAA;QACf,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,MAAM,CAAC,SAAS,GAAG,YAAY,CAAA;IAC/B,OAAO,MAAM,CAAC,uBAAuB,CAAA;IACrC,MAAM,CAAC,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAA;IACnC,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,SAAS,CAAA;IACrC,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,SAAS,CAAA;IACrC,MAAM,WAAW,CAAC,MAAM,CAAC,CAAA;IACzB,OAAO;QACH,OAAO,EAAE,aAAa;QACtB,OAAO,EAAE,oBAAoB,CAAC,6BAA6B,CAAC;KAC/D,CAAA;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa;IAC/B,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,MAAM,WAAW,GAAG,iBAAiB,EAAE,CAAA;IAEvC,IAAI,CAAC;QACD,MAAM,WAAW,CAAC,YAAY,EAAE,CAAA;QAChC,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,MAAM,EAAE,iCAAiC,CAAC,CAAA;QACpF,OAAO,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE,CAAA;IACvF,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,IAAI,CAAC,CAAC,KAAK,YAAY,2BAA2B,CAAC,EAAE,CAAC;YAClD,MAAM,KAAK,CAAA;QACf,CAAC;IACL,CAAC;IAED,MAAM,WAAW,CAAC,2BAA2B,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;IAC3E,OAAO;QACH,OAAO,EAAE,aAAa;QACtB,OAAO,EAAE,oBAAoB,CAAC,6BAA6B,CAAC;KAC/D,CAAA;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe;IACjC,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,CAAA;IACjD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IAEjC,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACnB,OAAO;YACH,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,SAAS,EAAE,MAAM,CAAC,UAAU;YAC5B,SAAS,EAAE,MAAM,CAAC,UAAU;YAC5B,MAAM,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,cAAc;SAClE,CAAA;IACL,CAAC;IAED,OAAO;QACH,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,cAAc;KAClE,CAAA;AACL,CAAC;AAED,KAAK,UAAU,wBAAwB,CACnC,MAAc,EACd,aAAqB;IAErB,IAAI,CAAC;QACD,MAAM,WAAW,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAC,CAAA;QACnD,OAAO,SAAS,CAAA;IACpB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,OAAO,yBAAyB,CAAC,aAAa,EAAE,KAAK,CAAC,CAAA;IAC1D,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,MAAc;IAClC,OAAO,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE;QAClE,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE;QACzB,CAAC,CAAC,IAAI,CAAA;AACd,CAAC;AAED,SAAS,wBAAwB,CAAC,MAAc;IAC5C,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,uBAAuB,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,MAAM,CAAA;IAChF,OAAO,IAAI,CAAA;AACf,CAAC;AAED,SAAS,2BAA2B,CAAC,MAAc;IAC/C,OAAO,EAAE,GAAG,wBAAwB,CAAC,MAAM,CAAC,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAAA;AACjF,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAA4B;IAClE,OAAO;QACH,GAAG,MAAM;QACT,SAAS,EAAE,OAAO,CAAC,QAAQ;QAC3B,UAAU,EAAE,OAAO,CAAC,SAAS;QAC7B,UAAU,EAAE,OAAO,CAAC,SAAS;KAChC,CAAA;AACL,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAc;IACvC,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,MAAM,CAAA;IACpF,OAAO,IAAI,CAAA;AACf,CAAC;AAED,KAAK,UAAU,mBAAmB,CAC9B,MAAc,EACd,aAAqB;IAErB,IAAI,CAAC;QACD,MAAM,WAAW,CAAC,wBAAwB,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;QACxE,OAAO,SAAS,CAAA;IACpB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,OAAO,yBAAyB,CAAC,aAAa,EAAE,KAAK,CAAC,CAAA;IAC1D,CAAC;AACL,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAc;IACxC,OAAO,GAAG,wBAAwB,iBAAiB,MAAM,IAAI,WAAW,EAAE,CAAA;AAC9E,CAAC;AAED,SAAS,yBAAyB,CAAC,MAAc,EAAE,KAAc;IAC7D,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,EAAE,CAAA;IACnF,OAAO,GAAG,MAAM,qDAAqD,WAAW,GAAG,MAAM,EAAE,CAAA;AAC/F,CAAC;AAED,SAAS,IAAI,CAAC,OAAe;IACzB,OAAO,CAAC,KAAK,CAAC,YAAY,OAAO,EAAE,CAAC,CAAA;AACxC,CAAC"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/lib/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,cAAc,EACd,iBAAiB,EACjB,mBAAmB,EACnB,wBAAwB,EACxB,2BAA2B,GAC9B,MAAM,mBAAmB,CAAA;AAC1B,OAAO,EACH,eAAe,EACf,WAAW,EACX,cAAc,EACd,UAAU,EACV,WAAW,GAMd,MAAM,aAAa,CAAA;AAEpB,OAAO,EACH,WAAW,EACX,cAAc,EACd,UAAU,EACV,WAAW,GAKd,MAAM,aAAa,CAAA;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AACtC,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAA;AACtD,OAAO,EACH,aAAa,EACb,cAAc,EACd,cAAc,EACd,mBAAmB,EACnB,gBAAgB,EAChB,cAAc,IAAI,sBAAsB,EACxC,gBAAgB,EAChB,iBAAiB,GACpB,MAAM,YAAY,CAAA;AAEnB,MAAM,CAAC,MAAM,aAAa,GAAG,mBAAmB,CAAA;AA8BhD,MAAM,OAAO,YAAa,SAAQ,QAAQ;IACtC;QACI,KAAK,CACD,UAAU,EACV,2BAA2B,aAAa,yDAAyD,EACjG,CAAC,6CAA6C,CAAC,EAC/C,MAAM,CACT,CAAA;QACD,IAAI,CAAC,IAAI,GAAG,cAAc,CAAA;IAC9B,CAAC;CACJ;AASD,8EAA8E;AAC9E,0EAA0E;AAC1E,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAAyB,EAAE;IAC/D,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IAC3C,IAAI,QAAQ,EAAE,CAAC;QACX,OAAO;YACH,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,EAAE;YACT,KAAK,EAAE,QAAQ;YACf,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,KAAK;SAChB,CAAA;IACL,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAA;IACpC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,IAAI,mBAAmB,EAAE,CAAA;IAEtD,0EAA0E;IAC1E,0EAA0E;IAC1E,qEAAqE;IACrE,uEAAuE;IACvE,MAAM,aAAa,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAClD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,IAAI,YAAY,EAAE,CAAC;YACf,iEAAiE;YACjE,0CAA0C;YAC1C,MAAM,IAAI,iBAAiB,CAAC,YAAY,CAAC,CAAA;QAC7C,CAAC;QACD,IAAI,aAAa,EAAE,CAAC;YAChB,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAA;QACrC,CAAC;QACD,MAAM,IAAI,YAAY,EAAE,CAAA;IAC5B,CAAC;IAED,IAAI,MAAkB,CAAA;IACtB,IAAI,YAAY,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,EAAE,YAAY,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,iBAAiB,CAAC,YAAY,CAAC,CAAA;QACrD,MAAM,GAAG,KAAK,CAAC,IAAI,CAAA;IACvB,CAAC;SAAM,IAAI,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAC5D,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,4DAA4D;YAC5D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrB,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YACrB,CAAC;iBAAM,CAAC;gBACJ,MAAM,IAAI,mBAAmB,EAAE,CAAA;YACnC,CAAC;QACL,CAAC;aAAM,CAAC;YACJ,MAAM,GAAG,KAAK,CAAC,IAAI,CAAA;QACvB,CAAC;IACL,CAAC;SAAM,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;IACrB,CAAC;SAAM,CAAC;QACJ,MAAM,IAAI,mBAAmB,EAAE,CAAA;IACnC,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,sBAAsB,CAAC,MAAM,CAAC,CAAA;IAC9D,OAAO;QACH,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,KAAK;QACL,QAAQ,EAAE,MAAM,CAAC,SAAS,IAAI,SAAS;QACvC,SAAS,EAAE,MAAM,CAAC,UAAU;QAC5B,SAAS,EAAE,MAAM,CAAC,UAAU;QAC5B,MAAM;KACT,CAAA;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC7B,MAAM,QAAQ,GAAG,MAAM,iBAAiB,EAAE,CAAA;IAC1C,OAAO,QAAQ,CAAC,KAAK,CAAA;AACzB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IAC/B,MAAM,QAAQ,GAAG,MAAM,iBAAiB,EAAE,CAAA;IAC1C,OAAO;QACH,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,QAAQ,EAAE,kBAAkB,CAAC,QAAQ,CAAC;KACzC,CAAA;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe;IACjC,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,iBAAiB,EAAE,CAAA;QAC1C,OAAO,kBAAkB,CAAC,QAAQ,CAAC,CAAA;IACvC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,2DAA2D;QAC3D,kEAAkE;QAClE,qEAAqE;QACrE,gEAAgE;QAChE,iEAAiE;QACjE,IAAI,KAAK,YAAY,YAAY,IAAI,KAAK,YAAY,2BAA2B,EAAE,CAAC;YAChF,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;QAC1D,CAAC;QACD,MAAM,KAAK,CAAA;IACf,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC5B,KAAsB;IAEtB,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACjD,MAAM,IAAI,QAAQ,CAAC,eAAe,EAAE,qDAAqD,CAAC,CAAA;IAC9F,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,QAAQ,CAAC,cAAc,EAAE,sCAAsC,CAAC,CAAA;IAC9E,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,QAAQ,CAAC,cAAc,EAAE,yCAAyC,CAAC,CAAA;IACjF,CAAC;IAED,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAA;IACvC,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,MAAM,iBAAiB,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,EAAE,CAAC,CAAA;IAC/E,+EAA+E;IAC/E,+EAA+E;IAC/E,mCAAmC;IACnC,MAAM,gBAAgB,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,CAAA;IAE5D,MAAM,UAAU,GAAe;QAC3B,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,SAAS,EAAE,KAAK,CAAC,QAAQ;QACzB,UAAU,EAAE,KAAK,CAAC,SAAS;QAC3B,UAAU,EAAE,KAAK,CAAC,SAAS;KAC9B,CAAA;IAED,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAA;IAC/D,IAAI,cAAc,GAAG,KAAK,CAAA;IAC1B,IAAI,CAAC;QACD,MAAM,WAAW,CAAC,SAAS,CAAC,YAAY,CAAC,CAAA;QACzC,cAAc,GAAG,IAAI,CAAA;IACzB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,IAAI,CAAC,CAAC,KAAK,YAAY,2BAA2B,CAAC;YAAE,MAAM,KAAK,CAAA;IACpE,CAAC;IAED,MAAM,UAAU,GAAe,cAAc;QACzC,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,CAAA;IAEhD,IAAI,IAAI,GAAG,aAAa,CAAC,MAAM,CAAC,CAAA;IAChC,IAAI,GAAG,gBAAgB,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,MAAM,CAAA;IAChD,IAAI,gBAAgB,EAAE,CAAC;QACnB,IAAI,GAAG,sBAAsB,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC,CAAA;IACjD,CAAC;IACD,IAAI,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAA;IAElC,IAAI,CAAC;QACD,MAAM,WAAW,CAAC,IAAI,CAAC,CAAA;IAC3B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,mEAAmE;QACnE,mEAAmE;QACnE,sEAAsE;QACtE,qCAAqC;QACrC,IAAI,cAAc,EAAE,CAAC;YACjB,IAAI,CAAC;gBACD,MAAM,WAAW,CAAC,YAAY,EAAE,CAAA;YACpC,CAAC;YAAC,MAAM,CAAC;gBACL,0DAA0D;YAC9D,CAAC;QACL,CAAC;QACD,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;QAClF,MAAM,IAAI,QAAQ,CACd,qBAAqB,EACrB,uCAAuC,WAAW,GAAG,MAAM,EAAE,EAC7D,CAAC,2EAA2E,CAAC,CAChF,CAAA;IACL,CAAC;IAED,OAAO;QACH,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa;QACxD,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,oBAAoB,CAAC,6BAA6B,CAAC;QACzF,QAAQ,EAAE,iBAAiB;KAC9B,CAAA;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAAyB,EAAE;IAC3D,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAA;IACpC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,IAAI,mBAAmB,EAAE,CAAA;IAEtD,0EAA0E;IAC1E,wEAAwE;IACxE,yEAAyE;IACzE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAA;QACnC,CAAC;QACD,IAAI,YAAY,EAAE,CAAC;YACf,MAAM,IAAI,iBAAiB,CAAC,YAAY,CAAC,CAAA;QAC7C,CAAC;QACD,MAAM,IAAI,YAAY,EAAE,CAAA;IAC5B,CAAC;IAED,IAAI,MAAkB,CAAA;IACtB,IAAI,YAAY,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,EAAE,YAAY,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,iBAAiB,CAAC,YAAY,CAAC,CAAA;QACrD,MAAM,GAAG,KAAK,CAAC,IAAI,CAAA;IACvB,CAAC;SAAM,CAAC;QACJ,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAA;QAClC,IAAI,GAAG,EAAE,CAAC;YACN,MAAM,GAAG,GAAG,CAAA;QAChB,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,CAAC;aAAM,CAAC;YACJ,MAAM,IAAI,mBAAmB,EAAE,CAAA;QACnC,CAAC;IACL,CAAC;IAED,OAAO,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;AACpC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,EAAU;IAC3C,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,MAAM,IAAI,GAAG,qBAAqB,CAAC,gBAAgB,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC,CAAA;IAE/E,IAAI,CAAC;QACD,MAAM,WAAW,CAAC,IAAI,CAAC,CAAA;IAC3B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;QAClF,MAAM,IAAI,QAAQ,CAAC,qBAAqB,EAAE,oBAAoB,WAAW,GAAG,MAAM,EAAE,EAAE;YAClF,2EAA2E;SAC9E,CAAC,CAAA;IACN,CAAC;IAED,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,CAAA;IACzD,IAAI,CAAC;QACD,MAAM,WAAW,CAAC,YAAY,EAAE,CAAA;IACpC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,IAAI,CAAC,CAAC,KAAK,YAAY,2BAA2B,CAAC;YAAE,MAAM,KAAK,CAAA;QAChE,OAAO;YACH,OAAO,EAAE,aAAa;YACtB,OAAO,EAAE,oBAAoB,CAAC,6BAA6B,CAAC;SAC/D,CAAA;IACL,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,CAAA;AACtC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,EAAU;IAC7C,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,UAAU,EAAE,CAAC,CAAA;IAChD,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IACvC,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,iBAAiB,CAAC,EAAE,CAAC,CAAA;IAC3C,MAAM,WAAW,CAAC,qBAAqB,CAAC,sBAAsB,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;AAC3F,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe;IACjC,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,OAAO,cAAc,CAAC,MAAM,CAAC,CAAA;AACjC,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,KAAK,UAAU,sBAAsB,CACjC,IAAgB;IAEhB,IAAI,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,EAAE,CAAC;QACzB,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,CAAA;IAClE,CAAC;IACD,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAA;IAC9D,wEAAwE;IACxE,yEAAyE;IACzE,uEAAuE;IACvE,wEAAwE;IACxE,0EAA0E;IAC1E,4BAA4B;IAC5B,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,EAAE,CAAA;IAC5C,IAAI,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC;QACjB,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;IAC3D,CAAC;IACD,MAAM,IAAI,YAAY,EAAE,CAAA;AAC5B,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,kBAAkB,CAAC,MAAc;IAC5C,MAAM,WAAW,GAAG,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IACvF,IAAI,WAAW,EAAE,CAAC;QACd,OAAO;YACH,EAAE,EAAE,QAAQ;YACZ,KAAK,EAAE,EAAE;YACT,KAAK,EAAE,WAAW;YAClB,QAAQ,EAAE,MAAM,CAAC,SAAS,IAAI,SAAS;YACvC,SAAS,EAAE,MAAM,CAAC,UAAU;YAC5B,SAAS,EAAE,MAAM,CAAC,UAAU;YAC5B,MAAM,EAAE,aAAa;SACxB,CAAA;IACL,CAAC;IAED,IAAI,MAAM,CAAC,uBAAuB,EAAE,CAAC;QACjC,wEAAwE;QACxE,6BAA6B;QAC7B,MAAM,IAAI,YAAY,EAAE,CAAA;IAC5B,CAAC;IAED,MAAM,WAAW,GAAG,iBAAiB,CAAC,mBAAmB,CAAC,CAAA;IAC1D,IAAI,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,EAAE,CAAA;QAC5C,IAAI,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC;YACjB,OAAO;gBACH,EAAE,EAAE,QAAQ;gBACZ,KAAK,EAAE,EAAE;gBACT,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE;gBACpB,QAAQ,EAAE,MAAM,CAAC,SAAS,IAAI,SAAS;gBACvC,SAAS,EAAE,MAAM,CAAC,UAAU;gBAC5B,SAAS,EAAE,MAAM,CAAC,UAAU;gBAC5B,MAAM,EAAE,cAAc;aACzB,CAAA;QACL,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,IAAI,CAAC,CAAC,KAAK,YAAY,2BAA2B,CAAC;YAAE,MAAM,KAAK,CAAA;IACpE,CAAC;IAED,MAAM,IAAI,YAAY,EAAE,CAAA;AAC5B,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,MAAc;IAC1C,MAAM,WAAW,GAAG,iBAAiB,CAAC,mBAAmB,CAAC,CAAA;IAE1D,IAAI,CAAC;QACD,MAAM,WAAW,CAAC,YAAY,EAAE,CAAA;QAChC,MAAM,OAAO,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAA;QAC7C,IAAI,CAAC;YACD,MAAM,WAAW,CAAC,OAAO,CAAC,CAAA;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,OAAO;gBACH,OAAO,EAAE,cAAc;gBACvB,OAAO,EAAE,yBAAyB,CAAC,iCAAiC,EAAE,KAAK,CAAC;aAC/E,CAAA;QACL,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,CAAA;IACtC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,IAAI,CAAC,CAAC,KAAK,YAAY,2BAA2B,CAAC;YAAE,MAAM,KAAK,CAAA;IACpE,CAAC;IAED,MAAM,OAAO,GAAW;QACpB,GAAG,qBAAqB,CAAC,MAAM,CAAC;QAChC,uBAAuB,EAAE,IAAI;KAChC,CAAA;IACD,IAAI,CAAC;QACD,MAAM,WAAW,CAAC,OAAO,CAAC,CAAA;IAC9B,CAAC;IAAC,MAAM,CAAC;QACL,cAAc;IAClB,CAAC;IACD,OAAO;QACH,OAAO,EAAE,aAAa;QACtB,OAAO,EAAE,oBAAoB,CAAC,6BAA6B,CAAC;KAC/D,CAAA;AACL,CAAC;AAED,SAAS,aAAa,CAAC,MAAc;IACjC,MAAM,IAAI,GAAW,EAAE,GAAG,MAAM,EAAE,cAAc,EAAE,cAAc,EAAE,CAAA;IAClE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,GAAG,EAAE,CAAA;IACnB,CAAC;IACD,OAAO,IAAI,CAAA;AACf,CAAC;AAED,SAAS,qBAAqB,CAAC,MAAc;IACzC,MAAM,EACF,SAAS,EAAE,EAAE,EACb,SAAS,EAAE,EAAE,EACb,UAAU,EAAE,EAAE,EACd,UAAU,EAAE,EAAE,EACd,uBAAuB,EAAE,EAAE,EAC3B,GAAG,IAAI,EACV,GAAG,MAAM,CAAA;IACV,OAAO,IAAI,CAAA;AACf,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAsB;IAC9C,OAAO;QACH,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,MAAM,EAAE,QAAQ,CAAC,EAAE,KAAK,KAAK,IAAI,QAAQ,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE;QACnF,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,SAAS;KACrC,CAAA;AACL,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAc;IACxC,OAAO,GAAG,wBAAwB,iBAAiB,MAAM,IAAI,WAAW,EAAE,CAAA;AAC9E,CAAC;AAED,SAAS,yBAAyB,CAAC,MAAc,EAAE,KAAc;IAC7D,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,EAAE,CAAA;IACnF,OAAO,GAAG,MAAM,yBAAyB,WAAW,GAAG,MAAM,EAAE,CAAA;AACnE,CAAC"}

package/dist/lib/config.d.ts

@@ -7,6 +7,9 @@ export interface HelpCenterConfig {
 export interface WorkspaceConfig {
     defaultWorkspace?: string;
 }
+export interface UserConfig {
+    defaultUser?: string;
+}
 /**
  * Canonical ordered list of login flags. Acts as the single source of truth —
  * `AuthFlag`, `AUTH_FLAGS` (validation), and the display order of re-login
@@ -16,15 +19,33 @@ export interface WorkspaceConfig {
  */
 export declare const AUTH_FLAG_ORDER: readonly ["read-only", "app-management", "backups"];
 export type AuthFlag = (typeof AUTH_FLAG_ORDER)[number];
-export interface Config extends Record<string, unknown> {
-    api_token?: string;
-    pendingSecureStoreClear?: boolean;
+/**
+ * Per-user record stored in `config.users`. The token itself lives in the OS
+ * credential manager under account `user-<id>`; `api_token` only appears here
+ * when the credential manager was unavailable at save time (plaintext fallback).
+ */
+export interface StoredUser {
+    id: string;
+    email: string;
     auth_mode?: AuthMode;
     auth_scope?: string;
     auth_flags?: AuthFlag[];
+    api_token?: string;
+    pendingSecureStoreClear?: boolean;
+}
+export declare const CONFIG_VERSION: 2;
+export interface Config extends Record<string, unknown> {
+    config_version?: number;
+    user?: UserConfig;
+    users?: StoredUser[];
     update_channel?: UpdateChannel;
     hc?: HelpCenterConfig;
     workspace?: WorkspaceConfig;
+    api_token?: string;
+    pendingSecureStoreClear?: boolean;
+    auth_mode?: AuthMode;
+    auth_scope?: string;
+    auth_flags?: AuthFlag[];
 }
 export declare const AUTH_FLAGS: ReadonlySet<AuthFlag>;
 export declare function readConfig(): Promise<Config>;