@dxheroes/local-mcp-backend 0.9.2 → 0.10.0

package/.turbo/turbo-build.log

@@ -1,9 +1,9 @@
 
-> @dxheroes/local-mcp-backend@0.9.2 build /home/runner/work/local-mcp-gateway/local-mcp-gateway/apps/backend
+> @dxheroes/local-mcp-backend@0.10.0 build /home/runner/work/local-mcp-gateway/local-mcp-gateway/apps/backend
 > nest build
 
 -  TSC  Initializing type checker...
 ✔  TSC  Initializing type checker...
 >  TSC  Found 0 issues.
 >  SWC  Running...
-Successfully compiled: 56 files with swc (92.29ms)
+Successfully compiled: 60 files with swc (100.08ms)

package/CHANGELOG.md

@@ -1,5 +1,32 @@
 # Changelog
 
+## [0.10.0](https://github.com/DXHeroes/local-mcp-gateway/compare/backend-v0.9.2...backend-v0.10.0) (2026-03-12)
+
+
+### Features
+
+* **auth:** implement MCP OAuth guard and enhance authentication flow ([14f6355](https://github.com/DXHeroes/local-mcp-gateway/commit/14f6355b7e3e1d2a2a757643c7bc1946aa1e09cd))
+* enhance OAuth integration and add custom headers support for MCP servers ([0904743](https://github.com/DXHeroes/local-mcp-gateway/commit/09047436072810f5876a2c92ba47f6f90f8f6103))
+
+
+### Code Refactoring
+
+* **auth:** streamline MCP OAuth guard and enhance configuration ([38972a3](https://github.com/DXHeroes/local-mcp-gateway/commit/38972a3c94c377d8f5d6c9c714d6ccab91765a99))
+* **database:** update OAuth models and migrations for improved schema ([a92b074](https://github.com/DXHeroes/local-mcp-gateway/commit/a92b07400050b30decdda1dc82f4647d49c38c91))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @dxheroes/local-mcp-core bumped to 0.8.0
+    * @dxheroes/local-mcp-database bumped to 0.5.3
+    * @dxheroes/mcp-gemini-deep-research bumped to 0.5.6
+    * @dxheroes/mcp-merk bumped to 0.3.6
+    * @dxheroes/mcp-toggl bumped to 0.3.6
+  * devDependencies
+    * @dxheroes/local-mcp-config bumped to 0.4.11
+
 ## [0.9.2](https://github.com/DXHeroes/local-mcp-gateway/compare/backend-v0.9.1...backend-v0.9.2) (2026-03-11)
 
 

package/dist/__tests__/integration/mcp-proxy-auth-http.test.js

@@ -0,0 +1,246 @@
+import { createServer } from "node:http";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { AllExceptionsFilter } from "../../common/filters/all-exceptions.filter.js";
+import { McpOAuthGuard } from "../../modules/auth/mcp-oauth.guard.js";
+import { createMcpProtectedResourceMetadata, resolvePublicAuthBaseUrl, resolvePublicBackendOrigin } from "../../modules/auth/mcp-oauth.utils.js";
+function createConfigService(values) {
+    return {
+        get: vi.fn((key)=>values[key])
+    };
+}
+function createAuthServiceMock() {
+    return {
+        validateMcpToken: vi.fn().mockResolvedValue(null)
+    };
+}
+async function startTestApp(options) {
+    const authService = createAuthServiceMock();
+    const configService = createConfigService({
+        'app.port': 3001,
+        BETTER_AUTH_URL: options?.backendUrl ?? 'http://localhost:3001'
+    });
+    const guard = new McpOAuthGuard(authService, configService);
+    const filter = new AllExceptionsFilter();
+    const backendOrigin = resolvePublicBackendOrigin(configService);
+    const authBaseUrl = resolvePublicAuthBaseUrl(configService);
+    const createRequest = (req)=>{
+        const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);
+        return {
+            method: req.method ?? 'GET',
+            url: `${url.pathname}${url.search}`,
+            headers: req.headers,
+            query: Object.fromEntries(url.searchParams.entries()),
+            user: undefined
+        };
+    };
+    const createResponse = (res)=>{
+        const response = {
+            setHeader (name, value) {
+                res.setHeader(name, value);
+                return response;
+            },
+            status (statusCode) {
+                res.statusCode = statusCode;
+                return response;
+            },
+            json (body) {
+                res.setHeader('content-type', 'application/json');
+                res.end(JSON.stringify(body));
+            }
+        };
+        return response;
+    };
+    const handleGuardedRoute = async (nodeRequest, nodeResponse, responseBody)=>{
+        const request = createRequest(nodeRequest);
+        const response = createResponse(nodeResponse);
+        const context = {
+            switchToHttp: ()=>({
+                    getRequest: ()=>request,
+                    getResponse: ()=>response
+                })
+        };
+        const host = {
+            switchToHttp: ()=>({
+                    getRequest: ()=>request,
+                    getResponse: ()=>response
+                })
+        };
+        try {
+            await guard.canActivate(context);
+            response.json(responseBody(request));
+        } catch (error) {
+            filter.catch(error, host);
+        }
+    };
+    const server = await new Promise((resolve)=>{
+        const listeningServer = createServer(async (req, res)=>{
+            const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);
+            if (req.method === 'GET' && url.pathname === '/api/mcp/test') {
+                await handleGuardedRoute(req, res, (request)=>({
+                        ok: true,
+                        userId: request.user?.id ?? null
+                    }));
+                return;
+            }
+            if (req.method === 'GET' && url.pathname === '/api/mcp/sse') {
+                await handleGuardedRoute(req, res, (request)=>({
+                        ok: true,
+                        token: request.query.access_token ?? null,
+                        userId: request.user?.id ?? null
+                    }));
+                return;
+            }
+            if (req.method === 'GET' && url.pathname === '/.well-known/oauth-protected-resource') {
+                res.setHeader('content-type', 'application/json');
+                res.end(JSON.stringify(createMcpProtectedResourceMetadata(configService)));
+                return;
+            }
+            if (req.method === 'GET' && url.pathname === '/.well-known/oauth-authorization-server') {
+                res.setHeader('content-type', 'application/json');
+                res.end(JSON.stringify({
+                    issuer: backendOrigin,
+                    authorization_endpoint: `${authBaseUrl}/mcp/authorize`,
+                    token_endpoint: `${authBaseUrl}/mcp/token`,
+                    registration_endpoint: `${authBaseUrl}/mcp/register`,
+                    jwks_uri: `${authBaseUrl}/mcp/jwks`,
+                    response_types_supported: [
+                        'code'
+                    ],
+                    grant_types_supported: [
+                        'authorization_code',
+                        'refresh_token'
+                    ],
+                    code_challenge_methods_supported: [
+                        'S256'
+                    ]
+                }));
+                return;
+            }
+            if (req.method === 'POST' && url.pathname === '/api/auth/mcp/register') {
+                res.statusCode = 201;
+                res.setHeader('content-type', 'application/json');
+                res.end(JSON.stringify({
+                    client_id: 'cursor-client',
+                    client_secret: 'cursor-secret',
+                    redirect_uris: [
+                        'https://cursor.sh/callback'
+                    ]
+                }));
+                return;
+            }
+            res.statusCode = 404;
+            res.end();
+        }).listen(0, ()=>resolve(listeningServer));
+    });
+    const address = server.address();
+    if (!address || typeof address === 'string') {
+        throw new Error('Failed to resolve test server address');
+    }
+    return {
+        close: ()=>new Promise((resolve, reject)=>{
+                server.close((error)=>{
+                    if (error) {
+                        reject(error);
+                        return;
+                    }
+                    resolve();
+                });
+            }),
+        authService,
+        baseUrl: `http://127.0.0.1:${address.port}`
+    };
+}
+describe('MCP proxy auth HTTP contract', ()=>{
+    let close;
+    let authService;
+    let baseUrl;
+    beforeEach(async ()=>{
+        const result = await startTestApp({
+            backendUrl: 'http://localhost:9631'
+        });
+        close = result.close;
+        authService = result.authService;
+        baseUrl = result.baseUrl;
+    });
+    afterEach(async ()=>{
+        if (close) {
+            await close();
+        }
+    });
+    it('returns 401 with MCP discovery headers when token is missing', async ()=>{
+        const response = await fetch(`${baseUrl}/api/mcp/test`);
+        const body = await response.json();
+        expect(response.status).toBe(401);
+        expect(response.headers.get('access-control-expose-headers')).toBe('WWW-Authenticate');
+        expect(response.headers.get('www-authenticate')).toContain('resource_metadata=');
+        expect(response.headers.get('www-authenticate')).toContain('resource_metadata_uri=');
+        expect(body.message).toBe('Bearer token required');
+    });
+    it('serves protected resource metadata with Better Auth-backed URLs', async ()=>{
+        const response = await fetch(`${baseUrl}/.well-known/oauth-protected-resource`);
+        const body = await response.json();
+        expect(response.status).toBe(200);
+        expect(body).toEqual({
+            resource: 'http://localhost:9631/api/mcp',
+            authorization_servers: [
+                'http://localhost:9631'
+            ],
+            bearer_methods_supported: [
+                'header'
+            ],
+            scopes_supported: [
+                'openid',
+                'profile',
+                'email',
+                'offline_access'
+            ],
+            jwks_uri: 'http://localhost:9631/api/auth/mcp/jwks',
+            resource_signing_alg_values_supported: [
+                'RS256',
+                'none'
+            ]
+        });
+    });
+    it('serves authorization server metadata with MCP registration endpoint', async ()=>{
+        const response = await fetch(`${baseUrl}/.well-known/oauth-authorization-server`);
+        const body = await response.json();
+        expect(response.status).toBe(200);
+        expect(body.registration_endpoint).toBe('http://localhost:9631/api/auth/mcp/register');
+        expect(body.authorization_endpoint).toBe('http://localhost:9631/api/auth/mcp/authorize');
+        expect(body.token_endpoint).toBe('http://localhost:9631/api/auth/mcp/token');
+    });
+    it('exposes the advertised registration endpoint', async ()=>{
+        const response = await fetch(`${baseUrl}/api/auth/mcp/register`, {
+            method: 'POST',
+            headers: {
+                'content-type': 'application/json'
+            },
+            body: JSON.stringify({
+                redirect_uris: [
+                    'https://cursor.sh/callback'
+                ]
+            })
+        });
+        const body = await response.json();
+        expect(response.status).toBe(201);
+        expect(body.client_id).toBe('cursor-client');
+    });
+    it('accepts access_token query params for SSE fallback', async ()=>{
+        authService.validateMcpToken.mockResolvedValue({
+            id: 'user-sse',
+            name: 'SSE User',
+            email: 'sse@example.com'
+        });
+        const response = await fetch(`${baseUrl}/api/mcp/sse?access_token=sse-token`);
+        const body = await response.json();
+        expect(response.status).toBe(200);
+        expect(body).toEqual({
+            ok: true,
+            token: 'sse-token',
+            userId: 'user-sse'
+        });
+        expect(authService.validateMcpToken).toHaveBeenCalledWith('sse-token');
+    });
+});
+
+//# sourceMappingURL=mcp-proxy-auth-http.test.js.map

package/dist/__tests__/integration/mcp-proxy-auth-http.test.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/__tests__/integration/mcp-proxy-auth-http.test.ts"],"sourcesContent":["import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';\nimport type { ConfigService } from '@nestjs/config';\nimport { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';\nimport { AllExceptionsFilter } from '../../common/filters/all-exceptions.filter.js';\nimport { AuthService, type AuthUser } from '../../modules/auth/auth.service.js';\nimport { McpOAuthGuard } from '../../modules/auth/mcp-oauth.guard.js';\nimport {\n  createMcpProtectedResourceMetadata,\n  resolvePublicAuthBaseUrl,\n  resolvePublicBackendOrigin,\n} from '../../modules/auth/mcp-oauth.utils.js';\n\ntype MockAuthService = {\n  validateMcpToken: ReturnType<typeof vi.fn>;\n};\n\ntype MockConfigService = {\n  get: ReturnType<typeof vi.fn>;\n};\n\nfunction createConfigService(values: Record<string, unknown>): MockConfigService {\n  return {\n    get: vi.fn((key: string) => values[key]),\n  };\n}\n\nfunction createAuthServiceMock(): MockAuthService {\n  return {\n    validateMcpToken: vi.fn().mockResolvedValue(null),\n  };\n}\n\nasync function startTestApp(options?: {\n  backendUrl?: string;\n}): Promise<{\n  close: () => Promise<void>;\n  authService: MockAuthService;\n  baseUrl: string;\n}> {\n  const authService = createAuthServiceMock();\n  const configService = createConfigService({\n    'app.port': 3001,\n    BETTER_AUTH_URL: options?.backendUrl ?? 'http://localhost:3001',\n  });\n  const guard = new McpOAuthGuard(authService as unknown as AuthService, configService as never);\n  const filter = new AllExceptionsFilter();\n  const backendOrigin = resolvePublicBackendOrigin(configService as unknown as ConfigService);\n  const authBaseUrl = resolvePublicAuthBaseUrl(configService as unknown as ConfigService);\n\n  const createRequest = (req: IncomingMessage) => {\n    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);\n    return {\n      method: req.method ?? 'GET',\n      url: `${url.pathname}${url.search}`,\n      headers: req.headers,\n      query: Object.fromEntries(url.searchParams.entries()),\n      user: undefined,\n    };\n  };\n\n  const createResponse = (res: ServerResponse) => {\n    const response = {\n      setHeader(name: string, value: string) {\n        res.setHeader(name, value);\n        return response;\n      },\n      status(statusCode: number) {\n        res.statusCode = statusCode;\n        return response;\n      },\n      json(body: unknown) {\n        res.setHeader('content-type', 'application/json');\n        res.end(JSON.stringify(body));\n      },\n    };\n\n    return response;\n  };\n\n  const handleGuardedRoute = async (\n    nodeRequest: IncomingMessage,\n    nodeResponse: ServerResponse,\n    responseBody: (request: ReturnType<typeof createRequest>) => Record<string, unknown>\n  ) => {\n    const request = createRequest(nodeRequest);\n    const response = createResponse(nodeResponse);\n    const context = {\n      switchToHttp: () => ({\n        getRequest: () => request,\n        getResponse: () => response,\n      }),\n    } as never;\n\n    const host = {\n      switchToHttp: () => ({\n        getRequest: () => request,\n        getResponse: () => response,\n      }),\n    } as never;\n\n    try {\n      await guard.canActivate(context);\n      response.json(responseBody(request));\n    } catch (error) {\n      filter.catch(error, host);\n    }\n  };\n\n  const server = await new Promise<import('node:http').Server>((resolve) => {\n    const listeningServer = createServer(async (req, res) => {\n      const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);\n\n      if (req.method === 'GET' && url.pathname === '/api/mcp/test') {\n        await handleGuardedRoute(req, res, (request) => ({\n          ok: true,\n          userId: (request as { user?: AuthUser }).user?.id ?? null,\n        }));\n        return;\n      }\n\n      if (req.method === 'GET' && url.pathname === '/api/mcp/sse') {\n        await handleGuardedRoute(req, res, (request) => ({\n          ok: true,\n          token: request.query.access_token ?? null,\n          userId: (request as { user?: AuthUser }).user?.id ?? null,\n        }));\n        return;\n      }\n\n      if (req.method === 'GET' && url.pathname === '/.well-known/oauth-protected-resource') {\n        res.setHeader('content-type', 'application/json');\n        res.end(JSON.stringify(createMcpProtectedResourceMetadata(configService as unknown as ConfigService)));\n        return;\n      }\n\n      if (req.method === 'GET' && url.pathname === '/.well-known/oauth-authorization-server') {\n        res.setHeader('content-type', 'application/json');\n        res.end(\n          JSON.stringify({\n            issuer: backendOrigin,\n            authorization_endpoint: `${authBaseUrl}/mcp/authorize`,\n            token_endpoint: `${authBaseUrl}/mcp/token`,\n            registration_endpoint: `${authBaseUrl}/mcp/register`,\n            jwks_uri: `${authBaseUrl}/mcp/jwks`,\n            response_types_supported: ['code'],\n            grant_types_supported: ['authorization_code', 'refresh_token'],\n            code_challenge_methods_supported: ['S256'],\n          })\n        );\n        return;\n      }\n\n      if (req.method === 'POST' && url.pathname === '/api/auth/mcp/register') {\n        res.statusCode = 201;\n        res.setHeader('content-type', 'application/json');\n        res.end(\n          JSON.stringify({\n            client_id: 'cursor-client',\n            client_secret: 'cursor-secret',\n            redirect_uris: ['https://cursor.sh/callback'],\n          })\n        );\n        return;\n      }\n\n      res.statusCode = 404;\n      res.end();\n    }).listen(0, () => resolve(listeningServer));\n  });\n  const address = server.address();\n  if (!address || typeof address === 'string') {\n    throw new Error('Failed to resolve test server address');\n  }\n\n  return {\n    close: () =>\n      new Promise<void>((resolve, reject) => {\n        server.close((error) => {\n          if (error) {\n            reject(error);\n            return;\n          }\n          resolve();\n        });\n      }),\n    authService,\n    baseUrl: `http://127.0.0.1:${address.port}`,\n  };\n}\n\ndescribe('MCP proxy auth HTTP contract', () => {\n  let close: (() => Promise<void>) | undefined;\n  let authService: MockAuthService;\n  let baseUrl: string;\n\n  beforeEach(async () => {\n    const result = await startTestApp({\n      backendUrl: 'http://localhost:9631',\n    });\n    close = result.close;\n    authService = result.authService;\n    baseUrl = result.baseUrl;\n  });\n\n  afterEach(async () => {\n    if (close) {\n      await close();\n    }\n  });\n\n  it('returns 401 with MCP discovery headers when token is missing', async () => {\n    const response = await fetch(`${baseUrl}/api/mcp/test`);\n    const body = (await response.json()) as Record<string, unknown>;\n\n    expect(response.status).toBe(401);\n    expect(response.headers.get('access-control-expose-headers')).toBe('WWW-Authenticate');\n    expect(response.headers.get('www-authenticate')).toContain('resource_metadata=');\n    expect(response.headers.get('www-authenticate')).toContain('resource_metadata_uri=');\n    expect(body.message).toBe('Bearer token required');\n  });\n\n  it('serves protected resource metadata with Better Auth-backed URLs', async () => {\n    const response = await fetch(`${baseUrl}/.well-known/oauth-protected-resource`);\n    const body = (await response.json()) as Record<string, unknown>;\n\n    expect(response.status).toBe(200);\n    expect(body).toEqual({\n      resource: 'http://localhost:9631/api/mcp',\n      authorization_servers: ['http://localhost:9631'],\n      bearer_methods_supported: ['header'],\n      scopes_supported: ['openid', 'profile', 'email', 'offline_access'],\n      jwks_uri: 'http://localhost:9631/api/auth/mcp/jwks',\n      resource_signing_alg_values_supported: ['RS256', 'none'],\n    });\n  });\n\n  it('serves authorization server metadata with MCP registration endpoint', async () => {\n    const response = await fetch(`${baseUrl}/.well-known/oauth-authorization-server`);\n    const body = (await response.json()) as Record<string, unknown>;\n\n    expect(response.status).toBe(200);\n    expect(body.registration_endpoint).toBe('http://localhost:9631/api/auth/mcp/register');\n    expect(body.authorization_endpoint).toBe('http://localhost:9631/api/auth/mcp/authorize');\n    expect(body.token_endpoint).toBe('http://localhost:9631/api/auth/mcp/token');\n  });\n\n  it('exposes the advertised registration endpoint', async () => {\n    const response = await fetch(`${baseUrl}/api/auth/mcp/register`, {\n      method: 'POST',\n      headers: {\n        'content-type': 'application/json',\n      },\n      body: JSON.stringify({\n        redirect_uris: ['https://cursor.sh/callback'],\n      }),\n    });\n    const body = (await response.json()) as Record<string, unknown>;\n\n    expect(response.status).toBe(201);\n    expect(body.client_id).toBe('cursor-client');\n  });\n\n  it('accepts access_token query params for SSE fallback', async () => {\n    authService.validateMcpToken.mockResolvedValue({\n      id: 'user-sse',\n      name: 'SSE User',\n      email: 'sse@example.com',\n    });\n\n    const response = await fetch(`${baseUrl}/api/mcp/sse?access_token=sse-token`);\n    const body = (await response.json()) as Record<string, unknown>;\n\n    expect(response.status).toBe(200);\n    expect(body).toEqual({\n      ok: true,\n      token: 'sse-token',\n      userId: 'user-sse',\n    });\n    expect(authService.validateMcpToken).toHaveBeenCalledWith('sse-token');\n  });\n});\n"],"names":["createServer","afterEach","beforeEach","describe","expect","it","vi","AllExceptionsFilter","McpOAuthGuard","createMcpProtectedResourceMetadata","resolvePublicAuthBaseUrl","resolvePublicBackendOrigin","createConfigService","values","get","fn","key","createAuthServiceMock","validateMcpToken","mockResolvedValue","startTestApp","options","authService","configService","BETTER_AUTH_URL","backendUrl","guard","filter","backendOrigin","authBaseUrl","createRequest","req","url","URL","headers","host","method","pathname","search","query","Object","fromEntries","searchParams","entries","user","undefined","createResponse","res","response","setHeader","name","value","status","statusCode","json","body","end","JSON","stringify","handleGuardedRoute","nodeRequest","nodeResponse","responseBody","request","context","switchToHttp","getRequest","getResponse","canActivate","error","catch","server","Promise","resolve","listeningServer","ok","userId","id","token","access_token","issuer","authorization_endpoint","token_endpoint","registration_endpoint","jwks_uri","response_types_supported","grant_types_supported","code_challenge_methods_supported","client_id","client_secret","redirect_uris","listen","address","Error","close","reject","baseUrl","port","result","fetch","toBe","toContain","message","toEqual","resource","authorization_servers","bearer_methods_supported","scopes_supported","resource_signing_alg_values_supported","email","toHaveBeenCalledWith"],"mappings":"AAAA,SAASA,YAAY,QAAmD,YAAY;AAEpF,SAASC,SAAS,EAAEC,UAAU,EAAEC,QAAQ,EAAEC,MAAM,EAAEC,EAAE,EAAEC,EAAE,QAAQ,SAAS;AACzE,SAASC,mBAAmB,QAAQ,gDAAgD;AAEpF,SAASC,aAAa,QAAQ,wCAAwC;AACtE,SACEC,kCAAkC,EAClCC,wBAAwB,EACxBC,0BAA0B,QACrB,wCAAwC;AAU/C,SAASC,oBAAoBC,MAA+B;IAC1D,OAAO;QACLC,KAAKR,GAAGS,EAAE,CAAC,CAACC,MAAgBH,MAAM,CAACG,IAAI;IACzC;AACF;AAEA,SAASC;IACP,OAAO;QACLC,kBAAkBZ,GAAGS,EAAE,GAAGI,iBAAiB,CAAC;IAC9C;AACF;AAEA,eAAeC,aAAaC,OAE3B;IAKC,MAAMC,cAAcL;IACpB,MAAMM,gBAAgBX,oBAAoB;QACxC,YAAY;QACZY,iBAAiBH,SAASI,cAAc;IAC1C;IACA,MAAMC,QAAQ,IAAIlB,cAAcc,aAAuCC;IACvE,MAAMI,SAAS,IAAIpB;IACnB,MAAMqB,gBAAgBjB,2BAA2BY;IACjD,MAAMM,cAAcnB,yBAAyBa;IAE7C,MAAMO,gBAAgB,CAACC;QACrB,MAAMC,MAAM,IAAIC,IAAIF,IAAIC,GAAG,IAAI,KAAK,CAAC,OAAO,EAAED,IAAIG,OAAO,CAACC,IAAI,IAAI,aAAa;QAC/E,OAAO;YACLC,QAAQL,IAAIK,MAAM,IAAI;YACtBJ,KAAK,GAAGA,IAAIK,QAAQ,GAAGL,IAAIM,MAAM,EAAE;YACnCJ,SAASH,IAAIG,OAAO;YACpBK,OAAOC,OAAOC,WAAW,CAACT,IAAIU,YAAY,CAACC,OAAO;YAClDC,MAAMC;QACR;IACF;IAEA,MAAMC,iBAAiB,CAACC;QACtB,MAAMC,WAAW;YACfC,WAAUC,IAAY,EAAEC,KAAa;gBACnCJ,IAAIE,SAAS,CAACC,MAAMC;gBACpB,OAAOH;YACT;YACAI,QAAOC,UAAkB;gBACvBN,IAAIM,UAAU,GAAGA;gBACjB,OAAOL;YACT;YACAM,MAAKC,IAAa;gBAChBR,IAAIE,SAAS,CAAC,gBAAgB;gBAC9BF,IAAIS,GAAG,CAACC,KAAKC,SAAS,CAACH;YACzB;QACF;QAEA,OAAOP;IACT;IAEA,MAAMW,qBAAqB,OACzBC,aACAC,cACAC;QAEA,MAAMC,UAAUjC,cAAc8B;QAC9B,MAAMZ,WAAWF,eAAee;QAChC,MAAMG,UAAU;YACdC,cAAc,IAAO,CAAA;oBACnBC,YAAY,IAAMH;oBAClBI,aAAa,IAAMnB;gBACrB,CAAA;QACF;QAEA,MAAMb,OAAO;YACX8B,cAAc,IAAO,CAAA;oBACnBC,YAAY,IAAMH;oBAClBI,aAAa,IAAMnB;gBACrB,CAAA;QACF;QAEA,IAAI;YACF,MAAMtB,MAAM0C,WAAW,CAACJ;YACxBhB,SAASM,IAAI,CAACQ,aAAaC;QAC7B,EAAE,OAAOM,OAAO;YACd1C,OAAO2C,KAAK,CAACD,OAAOlC;QACtB;IACF;IAEA,MAAMoC,SAAS,MAAM,IAAIC,QAAoC,CAACC;QAC5D,MAAMC,kBAAkB1E,aAAa,OAAO+B,KAAKgB;YAC/C,MAAMf,MAAM,IAAIC,IAAIF,IAAIC,GAAG,IAAI,KAAK,CAAC,OAAO,EAAED,IAAIG,OAAO,CAACC,IAAI,IAAI,aAAa;YAE/E,IAAIJ,IAAIK,MAAM,KAAK,SAASJ,IAAIK,QAAQ,KAAK,iBAAiB;gBAC5D,MAAMsB,mBAAmB5B,KAAKgB,KAAK,CAACgB,UAAa,CAAA;wBAC/CY,IAAI;wBACJC,QAAQ,AAACb,QAAgCnB,IAAI,EAAEiC,MAAM;oBACvD,CAAA;gBACA;YACF;YAEA,IAAI9C,IAAIK,MAAM,KAAK,SAASJ,IAAIK,QAAQ,KAAK,gBAAgB;gBAC3D,MAAMsB,mBAAmB5B,KAAKgB,KAAK,CAACgB,UAAa,CAAA;wBAC/CY,IAAI;wBACJG,OAAOf,QAAQxB,KAAK,CAACwC,YAAY,IAAI;wBACrCH,QAAQ,AAACb,QAAgCnB,IAAI,EAAEiC,MAAM;oBACvD,CAAA;gBACA;YACF;YAEA,IAAI9C,IAAIK,MAAM,KAAK,SAASJ,IAAIK,QAAQ,KAAK,yCAAyC;gBACpFU,IAAIE,SAAS,CAAC,gBAAgB;gBAC9BF,IAAIS,GAAG,CAACC,KAAKC,SAAS,CAACjD,mCAAmCc;gBAC1D;YACF;YAEA,IAAIQ,IAAIK,MAAM,KAAK,SAASJ,IAAIK,QAAQ,KAAK,2CAA2C;gBACtFU,IAAIE,SAAS,CAAC,gBAAgB;gBAC9BF,IAAIS,GAAG,CACLC,KAAKC,SAAS,CAAC;oBACbsB,QAAQpD;oBACRqD,wBAAwB,GAAGpD,YAAY,cAAc,CAAC;oBACtDqD,gBAAgB,GAAGrD,YAAY,UAAU,CAAC;oBAC1CsD,uBAAuB,GAAGtD,YAAY,aAAa,CAAC;oBACpDuD,UAAU,GAAGvD,YAAY,SAAS,CAAC;oBACnCwD,0BAA0B;wBAAC;qBAAO;oBAClCC,uBAAuB;wBAAC;wBAAsB;qBAAgB;oBAC9DC,kCAAkC;wBAAC;qBAAO;gBAC5C;gBAEF;YACF;YAEA,IAAIxD,IAAIK,MAAM,KAAK,UAAUJ,IAAIK,QAAQ,KAAK,0BAA0B;gBACtEU,IAAIM,UAAU,GAAG;gBACjBN,IAAIE,SAAS,CAAC,gBAAgB;gBAC9BF,IAAIS,GAAG,CACLC,KAAKC,SAAS,CAAC;oBACb8B,WAAW;oBACXC,eAAe;oBACfC,eAAe;wBAAC;qBAA6B;gBAC/C;gBAEF;YACF;YAEA3C,IAAIM,UAAU,GAAG;YACjBN,IAAIS,GAAG;QACT,GAAGmC,MAAM,CAAC,GAAG,IAAMlB,QAAQC;IAC7B;IACA,MAAMkB,UAAUrB,OAAOqB,OAAO;IAC9B,IAAI,CAACA,WAAW,OAAOA,YAAY,UAAU;QAC3C,MAAM,IAAIC,MAAM;IAClB;IAEA,OAAO;QACLC,OAAO,IACL,IAAItB,QAAc,CAACC,SAASsB;gBAC1BxB,OAAOuB,KAAK,CAAC,CAACzB;oBACZ,IAAIA,OAAO;wBACT0B,OAAO1B;wBACP;oBACF;oBACAI;gBACF;YACF;QACFnD;QACA0E,SAAS,CAAC,iBAAiB,EAAEJ,QAAQK,IAAI,EAAE;IAC7C;AACF;AAEA9F,SAAS,gCAAgC;IACvC,IAAI2F;IACJ,IAAIxE;IACJ,IAAI0E;IAEJ9F,WAAW;QACT,MAAMgG,SAAS,MAAM9E,aAAa;YAChCK,YAAY;QACd;QACAqE,QAAQI,OAAOJ,KAAK;QACpBxE,cAAc4E,OAAO5E,WAAW;QAChC0E,UAAUE,OAAOF,OAAO;IAC1B;IAEA/F,UAAU;QACR,IAAI6F,OAAO;YACT,MAAMA;QACR;IACF;IAEAzF,GAAG,gEAAgE;QACjE,MAAM2C,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,aAAa,CAAC;QACtD,MAAMzC,OAAQ,MAAMP,SAASM,IAAI;QAEjClD,OAAO4C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BhG,OAAO4C,SAASd,OAAO,CAACpB,GAAG,CAAC,kCAAkCsF,IAAI,CAAC;QACnEhG,OAAO4C,SAASd,OAAO,CAACpB,GAAG,CAAC,qBAAqBuF,SAAS,CAAC;QAC3DjG,OAAO4C,SAASd,OAAO,CAACpB,GAAG,CAAC,qBAAqBuF,SAAS,CAAC;QAC3DjG,OAAOmD,KAAK+C,OAAO,EAAEF,IAAI,CAAC;IAC5B;IAEA/F,GAAG,mEAAmE;QACpE,MAAM2C,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,qCAAqC,CAAC;QAC9E,MAAMzC,OAAQ,MAAMP,SAASM,IAAI;QAEjClD,OAAO4C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BhG,OAAOmD,MAAMgD,OAAO,CAAC;YACnBC,UAAU;YACVC,uBAAuB;gBAAC;aAAwB;YAChDC,0BAA0B;gBAAC;aAAS;YACpCC,kBAAkB;gBAAC;gBAAU;gBAAW;gBAAS;aAAiB;YAClEvB,UAAU;YACVwB,uCAAuC;gBAAC;gBAAS;aAAO;QAC1D;IACF;IAEAvG,GAAG,uEAAuE;QACxE,MAAM2C,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,uCAAuC,CAAC;QAChF,MAAMzC,OAAQ,MAAMP,SAASM,IAAI;QAEjClD,OAAO4C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BhG,OAAOmD,KAAK4B,qBAAqB,EAAEiB,IAAI,CAAC;QACxChG,OAAOmD,KAAK0B,sBAAsB,EAAEmB,IAAI,CAAC;QACzChG,OAAOmD,KAAK2B,cAAc,EAAEkB,IAAI,CAAC;IACnC;IAEA/F,GAAG,gDAAgD;QACjD,MAAM2C,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,sBAAsB,CAAC,EAAE;YAC/D5D,QAAQ;YACRF,SAAS;gBACP,gBAAgB;YAClB;YACAqB,MAAME,KAAKC,SAAS,CAAC;gBACnBgC,eAAe;oBAAC;iBAA6B;YAC/C;QACF;QACA,MAAMnC,OAAQ,MAAMP,SAASM,IAAI;QAEjClD,OAAO4C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BhG,OAAOmD,KAAKiC,SAAS,EAAEY,IAAI,CAAC;IAC9B;IAEA/F,GAAG,sDAAsD;QACvDiB,YAAYJ,gBAAgB,CAACC,iBAAiB,CAAC;YAC7C0D,IAAI;YACJ3B,MAAM;YACN2D,OAAO;QACT;QAEA,MAAM7D,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,mCAAmC,CAAC;QAC5E,MAAMzC,OAAQ,MAAMP,SAASM,IAAI;QAEjClD,OAAO4C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BhG,OAAOmD,MAAMgD,OAAO,CAAC;YACnB5B,IAAI;YACJG,OAAO;YACPF,QAAQ;QACV;QACAxE,OAAOkB,YAAYJ,gBAAgB,EAAE4F,oBAAoB,CAAC;IAC5D;AACF"}

package/dist/__tests__/integration/oauth-authorize-callback.test.js

@@ -0,0 +1,122 @@
+import { createServer } from "node:http";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { OAuthController } from "../../modules/oauth/oauth.controller.js";
+function createOAuthServiceMock() {
+    return {
+        discoverAndAuthorize: vi.fn(),
+        handleCallback: vi.fn()
+    };
+}
+describe('OAuth authorize and callback HTTP contract', ()=>{
+    let close;
+    let oauthService;
+    let baseUrl;
+    beforeEach(async ()=>{
+        oauthService = createOAuthServiceMock();
+        const controller = new OAuthController(oauthService);
+        const server = await new Promise((resolve)=>{
+            const listeningServer = createServer(async (req, res)=>{
+                const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);
+                const request = {
+                    protocol: 'http',
+                    query: Object.fromEntries(url.searchParams.entries()),
+                    get: (headerName)=>{
+                        if (headerName.toLowerCase() === 'host') {
+                            return req.headers.host ?? '';
+                        }
+                        return undefined;
+                    }
+                };
+                const response = {
+                    redirect (location) {
+                        res.statusCode = 302;
+                        res.setHeader('location', location);
+                        res.end();
+                    },
+                    status (statusCode) {
+                        res.statusCode = statusCode;
+                        return response;
+                    },
+                    send (body) {
+                        res.setHeader('content-type', 'text/html; charset=utf-8');
+                        res.end(body);
+                    }
+                };
+                if (req.method === 'GET' && url.pathname.startsWith('/api/oauth/authorize/')) {
+                    const serverId = url.pathname.split('/').pop() ?? '';
+                    await controller.authorize(serverId, request, response);
+                    return;
+                }
+                if (req.method === 'GET' && url.pathname === '/api/oauth/callback') {
+                    await controller.callback(typeof request.query.code === 'string' ? request.query.code : '', typeof request.query.state === 'string' ? request.query.state : '', request, response);
+                    return;
+                }
+                res.statusCode = 404;
+                res.end();
+            }).listen(0, ()=>resolve(listeningServer));
+        });
+        const address = server.address();
+        if (!address || typeof address === 'string') {
+            throw new Error('Failed to resolve test server address');
+        }
+        close = ()=>new Promise((resolve, reject)=>{
+                server.close((error)=>{
+                    if (error) {
+                        reject(error);
+                        return;
+                    }
+                    resolve();
+                });
+            });
+        baseUrl = `http://127.0.0.1:${address.port}`;
+    });
+    afterEach(async ()=>{
+        if (close) {
+            await close();
+        }
+    });
+    it('redirects authorize requests to the discovered authorization URL', async ()=>{
+        oauthService.discoverAndAuthorize.mockResolvedValue('https://auth.example.com/authorize?client_id=abc');
+        const response = await fetch(`${baseUrl}/api/oauth/authorize/server-1`, {
+            redirect: 'manual'
+        });
+        expect(response.status).toBe(302);
+        expect(response.headers.get('location')).toBe('https://auth.example.com/authorize?client_id=abc');
+        expect(oauthService.discoverAndAuthorize).toHaveBeenCalledWith('server-1', `${baseUrl}/api/oauth/callback`);
+    });
+    it('renders an error page when authorize discovery fails', async ()=>{
+        oauthService.discoverAndAuthorize.mockRejectedValue(new Error('Metadata discovery failed'));
+        const response = await fetch(`${baseUrl}/api/oauth/authorize/server-1`);
+        const html = await response.text();
+        expect(response.status).toBe(400);
+        expect(html).toContain('Error: Metadata discovery failed');
+    });
+    it('rejects callbacks without code or state', async ()=>{
+        const response = await fetch(`${baseUrl}/api/oauth/callback`);
+        const html = await response.text();
+        expect(response.status).toBe(400);
+        expect(html).toContain('Missing code or state parameter');
+    });
+    it('renders a success page for valid callbacks', async ()=>{
+        oauthService.handleCallback.mockResolvedValue({
+            success: true
+        });
+        const response = await fetch(`${baseUrl}/api/oauth/callback?code=auth-code&state=server-1`);
+        const html = await response.text();
+        expect(response.status).toBe(200);
+        expect(html).toContain('Authorization successful! This window will close.');
+        expect(oauthService.handleCallback).toHaveBeenCalledWith('server-1', 'auth-code', `${baseUrl}/api/oauth/callback`);
+    });
+    it('renders a failure page when callback token exchange fails', async ()=>{
+        oauthService.handleCallback.mockResolvedValue({
+            success: false,
+            error: 'Token exchange failed'
+        });
+        const response = await fetch(`${baseUrl}/api/oauth/callback?code=auth-code&state=server-1`);
+        const html = await response.text();
+        expect(response.status).toBe(200);
+        expect(html).toContain('Error: Token exchange failed');
+    });
+});
+
+//# sourceMappingURL=oauth-authorize-callback.test.js.map

package/dist/__tests__/integration/oauth-authorize-callback.test.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/__tests__/integration/oauth-authorize-callback.test.ts"],"sourcesContent":["import { createServer } from 'node:http';\nimport { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';\nimport { OAuthController } from '../../modules/oauth/oauth.controller.js';\nimport { OAuthService } from '../../modules/oauth/oauth.service.js';\n\nfunction createOAuthServiceMock() {\n  return {\n    discoverAndAuthorize: vi.fn(),\n    handleCallback: vi.fn(),\n  };\n}\n\ndescribe('OAuth authorize and callback HTTP contract', () => {\n  let close: (() => Promise<void>) | undefined;\n  let oauthService: ReturnType<typeof createOAuthServiceMock>;\n  let baseUrl: string;\n\n  beforeEach(async () => {\n    oauthService = createOAuthServiceMock();\n    const controller = new OAuthController(oauthService as unknown as OAuthService);\n\n    const server = await new Promise<import('node:http').Server>((resolve) => {\n      const listeningServer = createServer(async (req, res) => {\n        const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);\n        const request = {\n          protocol: 'http',\n          query: Object.fromEntries(url.searchParams.entries()),\n          get: (headerName: string) => {\n            if (headerName.toLowerCase() === 'host') {\n              return req.headers.host ?? '';\n            }\n            return undefined;\n          },\n        };\n        const response = {\n          redirect(location: string) {\n            res.statusCode = 302;\n            res.setHeader('location', location);\n            res.end();\n          },\n          status(statusCode: number) {\n            res.statusCode = statusCode;\n            return response;\n          },\n          send(body: string) {\n            res.setHeader('content-type', 'text/html; charset=utf-8');\n            res.end(body);\n          },\n        };\n\n        if (req.method === 'GET' && url.pathname.startsWith('/api/oauth/authorize/')) {\n          const serverId = url.pathname.split('/').pop() ?? '';\n          await controller.authorize(serverId, request as never, response as never);\n          return;\n        }\n\n        if (req.method === 'GET' && url.pathname === '/api/oauth/callback') {\n          await controller.callback(\n            typeof request.query.code === 'string' ? request.query.code : '',\n            typeof request.query.state === 'string' ? request.query.state : '',\n            request as never,\n            response as never\n          );\n          return;\n        }\n\n        res.statusCode = 404;\n        res.end();\n      }).listen(0, () => resolve(listeningServer));\n    });\n    const address = server.address();\n    if (!address || typeof address === 'string') {\n      throw new Error('Failed to resolve test server address');\n    }\n\n    close = () =>\n      new Promise<void>((resolve, reject) => {\n        server.close((error) => {\n          if (error) {\n            reject(error);\n            return;\n          }\n          resolve();\n        });\n      });\n    baseUrl = `http://127.0.0.1:${address.port}`;\n  });\n\n  afterEach(async () => {\n    if (close) {\n      await close();\n    }\n  });\n\n  it('redirects authorize requests to the discovered authorization URL', async () => {\n    oauthService.discoverAndAuthorize.mockResolvedValue('https://auth.example.com/authorize?client_id=abc');\n\n    const response = await fetch(`${baseUrl}/api/oauth/authorize/server-1`, {\n      redirect: 'manual',\n    });\n\n    expect(response.status).toBe(302);\n    expect(response.headers.get('location')).toBe('https://auth.example.com/authorize?client_id=abc');\n    expect(oauthService.discoverAndAuthorize).toHaveBeenCalledWith(\n      'server-1',\n      `${baseUrl}/api/oauth/callback`\n    );\n  });\n\n  it('renders an error page when authorize discovery fails', async () => {\n    oauthService.discoverAndAuthorize.mockRejectedValue(new Error('Metadata discovery failed'));\n\n    const response = await fetch(`${baseUrl}/api/oauth/authorize/server-1`);\n    const html = await response.text();\n\n    expect(response.status).toBe(400);\n    expect(html).toContain('Error: Metadata discovery failed');\n  });\n\n  it('rejects callbacks without code or state', async () => {\n    const response = await fetch(`${baseUrl}/api/oauth/callback`);\n    const html = await response.text();\n\n    expect(response.status).toBe(400);\n    expect(html).toContain('Missing code or state parameter');\n  });\n\n  it('renders a success page for valid callbacks', async () => {\n    oauthService.handleCallback.mockResolvedValue({ success: true });\n\n    const response = await fetch(`${baseUrl}/api/oauth/callback?code=auth-code&state=server-1`);\n    const html = await response.text();\n\n    expect(response.status).toBe(200);\n    expect(html).toContain('Authorization successful! This window will close.');\n    expect(oauthService.handleCallback).toHaveBeenCalledWith(\n      'server-1',\n      'auth-code',\n      `${baseUrl}/api/oauth/callback`\n    );\n  });\n\n  it('renders a failure page when callback token exchange fails', async () => {\n    oauthService.handleCallback.mockResolvedValue({\n      success: false,\n      error: 'Token exchange failed',\n    });\n\n    const response = await fetch(`${baseUrl}/api/oauth/callback?code=auth-code&state=server-1`);\n    const html = await response.text();\n\n    expect(response.status).toBe(200);\n    expect(html).toContain('Error: Token exchange failed');\n  });\n});\n"],"names":["createServer","afterEach","beforeEach","describe","expect","it","vi","OAuthController","createOAuthServiceMock","discoverAndAuthorize","fn","handleCallback","close","oauthService","baseUrl","controller","server","Promise","resolve","listeningServer","req","res","url","URL","headers","host","request","protocol","query","Object","fromEntries","searchParams","entries","get","headerName","toLowerCase","undefined","response","redirect","location","statusCode","setHeader","end","status","send","body","method","pathname","startsWith","serverId","split","pop","authorize","callback","code","state","listen","address","Error","reject","error","port","mockResolvedValue","fetch","toBe","toHaveBeenCalledWith","mockRejectedValue","html","text","toContain","success"],"mappings":"AAAA,SAASA,YAAY,QAAQ,YAAY;AACzC,SAASC,SAAS,EAAEC,UAAU,EAAEC,QAAQ,EAAEC,MAAM,EAAEC,EAAE,EAAEC,EAAE,QAAQ,SAAS;AACzE,SAASC,eAAe,QAAQ,0CAA0C;AAG1E,SAASC;IACP,OAAO;QACLC,sBAAsBH,GAAGI,EAAE;QAC3BC,gBAAgBL,GAAGI,EAAE;IACvB;AACF;AAEAP,SAAS,8CAA8C;IACrD,IAAIS;IACJ,IAAIC;IACJ,IAAIC;IAEJZ,WAAW;QACTW,eAAeL;QACf,MAAMO,aAAa,IAAIR,gBAAgBM;QAEvC,MAAMG,SAAS,MAAM,IAAIC,QAAoC,CAACC;YAC5D,MAAMC,kBAAkBnB,aAAa,OAAOoB,KAAKC;gBAC/C,MAAMC,MAAM,IAAIC,IAAIH,IAAIE,GAAG,IAAI,KAAK,CAAC,OAAO,EAAEF,IAAII,OAAO,CAACC,IAAI,IAAI,aAAa;gBAC/E,MAAMC,UAAU;oBACdC,UAAU;oBACVC,OAAOC,OAAOC,WAAW,CAACR,IAAIS,YAAY,CAACC,OAAO;oBAClDC,KAAK,CAACC;wBACJ,IAAIA,WAAWC,WAAW,OAAO,QAAQ;4BACvC,OAAOf,IAAII,OAAO,CAACC,IAAI,IAAI;wBAC7B;wBACA,OAAOW;oBACT;gBACF;gBACA,MAAMC,WAAW;oBACfC,UAASC,QAAgB;wBACvBlB,IAAImB,UAAU,GAAG;wBACjBnB,IAAIoB,SAAS,CAAC,YAAYF;wBAC1BlB,IAAIqB,GAAG;oBACT;oBACAC,QAAOH,UAAkB;wBACvBnB,IAAImB,UAAU,GAAGA;wBACjB,OAAOH;oBACT;oBACAO,MAAKC,IAAY;wBACfxB,IAAIoB,SAAS,CAAC,gBAAgB;wBAC9BpB,IAAIqB,GAAG,CAACG;oBACV;gBACF;gBAEA,IAAIzB,IAAI0B,MAAM,KAAK,SAASxB,IAAIyB,QAAQ,CAACC,UAAU,CAAC,0BAA0B;oBAC5E,MAAMC,WAAW3B,IAAIyB,QAAQ,CAACG,KAAK,CAAC,KAAKC,GAAG,MAAM;oBAClD,MAAMpC,WAAWqC,SAAS,CAACH,UAAUvB,SAAkBW;oBACvD;gBACF;gBAEA,IAAIjB,IAAI0B,MAAM,KAAK,SAASxB,IAAIyB,QAAQ,KAAK,uBAAuB;oBAClE,MAAMhC,WAAWsC,QAAQ,CACvB,OAAO3B,QAAQE,KAAK,CAAC0B,IAAI,KAAK,WAAW5B,QAAQE,KAAK,CAAC0B,IAAI,GAAG,IAC9D,OAAO5B,QAAQE,KAAK,CAAC2B,KAAK,KAAK,WAAW7B,QAAQE,KAAK,CAAC2B,KAAK,GAAG,IAChE7B,SACAW;oBAEF;gBACF;gBAEAhB,IAAImB,UAAU,GAAG;gBACjBnB,IAAIqB,GAAG;YACT,GAAGc,MAAM,CAAC,GAAG,IAAMtC,QAAQC;QAC7B;QACA,MAAMsC,UAAUzC,OAAOyC,OAAO;QAC9B,IAAI,CAACA,WAAW,OAAOA,YAAY,UAAU;YAC3C,MAAM,IAAIC,MAAM;QAClB;QAEA9C,QAAQ,IACN,IAAIK,QAAc,CAACC,SAASyC;gBAC1B3C,OAAOJ,KAAK,CAAC,CAACgD;oBACZ,IAAIA,OAAO;wBACTD,OAAOC;wBACP;oBACF;oBACA1C;gBACF;YACF;QACFJ,UAAU,CAAC,iBAAiB,EAAE2C,QAAQI,IAAI,EAAE;IAC9C;IAEA5D,UAAU;QACR,IAAIW,OAAO;YACT,MAAMA;QACR;IACF;IAEAP,GAAG,oEAAoE;QACrEQ,aAAaJ,oBAAoB,CAACqD,iBAAiB,CAAC;QAEpD,MAAMzB,WAAW,MAAM0B,MAAM,GAAGjD,QAAQ,6BAA6B,CAAC,EAAE;YACtEwB,UAAU;QACZ;QAEAlC,OAAOiC,SAASM,MAAM,EAAEqB,IAAI,CAAC;QAC7B5D,OAAOiC,SAASb,OAAO,CAACS,GAAG,CAAC,aAAa+B,IAAI,CAAC;QAC9C5D,OAAOS,aAAaJ,oBAAoB,EAAEwD,oBAAoB,CAC5D,YACA,GAAGnD,QAAQ,mBAAmB,CAAC;IAEnC;IAEAT,GAAG,wDAAwD;QACzDQ,aAAaJ,oBAAoB,CAACyD,iBAAiB,CAAC,IAAIR,MAAM;QAE9D,MAAMrB,WAAW,MAAM0B,MAAM,GAAGjD,QAAQ,6BAA6B,CAAC;QACtE,MAAMqD,OAAO,MAAM9B,SAAS+B,IAAI;QAEhChE,OAAOiC,SAASM,MAAM,EAAEqB,IAAI,CAAC;QAC7B5D,OAAO+D,MAAME,SAAS,CAAC;IACzB;IAEAhE,GAAG,2CAA2C;QAC5C,MAAMgC,WAAW,MAAM0B,MAAM,GAAGjD,QAAQ,mBAAmB,CAAC;QAC5D,MAAMqD,OAAO,MAAM9B,SAAS+B,IAAI;QAEhChE,OAAOiC,SAASM,MAAM,EAAEqB,IAAI,CAAC;QAC7B5D,OAAO+D,MAAME,SAAS,CAAC;IACzB;IAEAhE,GAAG,8CAA8C;QAC/CQ,aAAaF,cAAc,CAACmD,iBAAiB,CAAC;YAAEQ,SAAS;QAAK;QAE9D,MAAMjC,WAAW,MAAM0B,MAAM,GAAGjD,QAAQ,iDAAiD,CAAC;QAC1F,MAAMqD,OAAO,MAAM9B,SAAS+B,IAAI;QAEhChE,OAAOiC,SAASM,MAAM,EAAEqB,IAAI,CAAC;QAC7B5D,OAAO+D,MAAME,SAAS,CAAC;QACvBjE,OAAOS,aAAaF,cAAc,EAAEsD,oBAAoB,CACtD,YACA,aACA,GAAGnD,QAAQ,mBAAmB,CAAC;IAEnC;IAEAT,GAAG,6DAA6D;QAC9DQ,aAAaF,cAAc,CAACmD,iBAAiB,CAAC;YAC5CQ,SAAS;YACTV,OAAO;QACT;QAEA,MAAMvB,WAAW,MAAM0B,MAAM,GAAGjD,QAAQ,iDAAiD,CAAC;QAC1F,MAAMqD,OAAO,MAAM9B,SAAS+B,IAAI;QAEhChE,OAAOiC,SAASM,MAAM,EAAEqB,IAAI,CAAC;QAC7B5D,OAAO+D,MAAME,SAAS,CAAC;IACzB;AACF"}