@elliotding/ai-agent-mcp 0.1.26 → 0.1.27

package/dist/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAkBH,kDAqEC;AAMD,kEAkEC;AAMD,8CAgEC;AAMD,0DAKC;AA7OD,uDAA8D;AAC9D,+CAAgD;AAChD,4CAAyC;AASzC;;;GAGG;AACI,KAAK,UAAU,mBAAmB,CACvC,OAA6B,EAC7B,KAAmB;IAEnB,IAAI,CAAC;QACH,0CAA0C;QAC1C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,eAAM,CAAC,IAAI,CACT;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,YAAY;gBACvB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,EACD,yCAAyC,CAC1C,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,mEAAmE;aAC7E,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,0BAA0B;QAEjE,gCAAgC;QAChC,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAW,EAAC,KAAK,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,eAAM,CAAC,IAAI,CACT;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,YAAY;gBACvB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,EACD,yBAAyB,CAC1B,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,0BAA0B;aACpC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,8BAA8B;QAC9B,OAAO,CAAC,IAAI,GAAG,OAAO,CAAC;QAEvB,eAAM,CAAC,KAAK,CACV;YACE,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,YAAY;YACvB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,EACD,4CAA4C,OAAO,CAAC,MAAM,EAAE,CAC7D,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAM,CAAC,KAAK,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,YAAY;YACvB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,EAAE,4BAA4B,CAAC,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,uBAAuB;YAC9B,OAAO,EAAE,uBAAuB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,2BAA2B,CAC/C,OAA6B,EAC7B,KAAmB;IAEnB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,eAAM,CAAC,IAAI,CACT;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,mBAAmB;gBAC9B,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,EACD,yCAAyC,CAC1C,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,yCAAyC;aACnD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAEtC,gCAAgC;QAChC,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAW,EAAC,KAAK,CAAC,CAAC;QACzC,IAAI,OAAO,EAAE,CAAC;YACZ,4BAA4B;YAC5B,OAAO,CAAC,IAAI,GAAG,OAAO,CAAC;YACvB,eAAM,CAAC,KAAK,CACV;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,mBAAmB;gBAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,MAAM,EAAE,OAAO,CAAC,MAAM;aACvB,EACD,oCAAoC,OAAO,CAAC,MAAM,EAAE,CACrD,CAAC;YACF,OAAO;QACT,CAAC;QAED,+DAA+D;QAC/D,eAAM,CAAC,KAAK,CACV;YACE,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,mBAAmB;YAC9B,EAAE,EAAE,OAAO,CAAC,EAAE;SACf,EACD,uDAAuD,CACxD,CAAC;QAEF,oFAAoF;QACpF,uDAAuD;IACzD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAM,CAAC,KAAK,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,mBAAmB;YAC9B,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,EAAE,4BAA4B,CAAC,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,uBAAuB;YAC9B,OAAO,EAAE,uBAAuB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,QAAgB;IAChD,OAAO,KAAK,EAAE,OAA6B,EAAE,KAAmB,EAAiB,EAAE;QACjF,IAAI,CAAC;YACH,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;gBAClB,eAAM,CAAC,KAAK,CACV;oBACE,IAAI,EAAE,MAAM;oBACZ,SAAS,EAAE,kBAAkB;oBAC7B,GAAG,EAAE,OAAO,CAAC,GAAG;iBACjB,EACD,gDAAgD,CACjD,CAAC;gBACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,yBAAyB;iBACnC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,mBAAmB;YACnB,MAAM,eAAe,GAAG,IAAA,6BAAe,EAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAEvE,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;gBAC7B,eAAM,CAAC,IAAI,CACT;oBACE,IAAI,EAAE,MAAM;oBACZ,SAAS,EAAE,kBAAkB;oBAC7B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;oBAC3B,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK;oBACzB,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;oBAC3B,QAAQ;oBACR,MAAM,EAAE,eAAe,CAAC,MAAM;iBAC/B,EACD,8BAA8B,OAAO,CAAC,IAAI,CAAC,MAAM,mBAAmB,QAAQ,EAAE,CAC/E,CAAC;gBACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,eAAe,CAAC,MAAM,IAAI,0BAA0B;iBAC9D,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,eAAM,CAAC,KAAK,CACV;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,kBAAkB;gBAC7B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;gBAC3B,QAAQ;aACT,EACD,+BAA+B,OAAO,CAAC,IAAI,CAAC,MAAM,mBAAmB,QAAQ,EAAE,CAChF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,eAAM,CAAC,KAAK,CAAC;gBACX,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,kBAAkB;gBAC7B,QAAQ;gBACR,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aAChE,EAAE,wBAAwB,CAAC,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,uBAAuB;gBAC9B,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,uBAAuB,CACrC,QAAgB,EAChB,IAAkB;IAElB,OAAO,IAAA,6BAAe,EAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;AAChD,CAAC"}

package/dist/auth/permissions.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Permission Control System
+ * Group-based access control for MCP tools
+ * Groups are obtained from CSP API /user/permissions (e.g., "zNet", "Client-Public")
+ */
+/**
+ * Known groups from CSP
+ * Users may belong to one or more groups
+ */
+export declare const KnownGroups: {
+    readonly ZNET: "zNet";
+    readonly CLIENT_PUBLIC: "Client-Public";
+    readonly ADMIN: "admin";
+};
+/**
+ * Permission level for operations
+ */
+export declare enum PermissionLevel {
+    READ = "read",
+    WRITE = "write",
+    ADMIN = "admin"
+}
+/**
+ * Tool permission configuration
+ */
+export interface ToolPermission {
+    tool: string;
+    allowedGroups: string[];
+    requiredPermission: PermissionLevel;
+}
+/**
+ * Initialize permission system
+ */
+export declare function initializePermissions(customRules?: ToolPermission[]): void;
+/**
+ * Check if a user has permission to access a tool
+ * @param toolName - The name of the tool to check
+ * @param userGroups - The groups the user belongs to (from CSP API)
+ */
+export declare function checkPermission(toolName: string, userGroups: string[]): {
+    allowed: boolean;
+    reason?: string;
+};
+/**
+ * Get permission info for a tool
+ */
+export declare function getToolPermission(toolName: string): ToolPermission | undefined;
+/**
+ * Get all permission rules
+ */
+export declare function getAllPermissions(): ToolPermission[];
+/**
+ * Update permission rule for a tool
+ */
+export declare function updatePermission(permission: ToolPermission): void;
+/**
+ * Remove permission rule for a tool
+ */
+export declare function removePermission(toolName: string): void;
+//# sourceMappingURL=permissions.d.ts.map

package/dist/auth/permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../src/auth/permissions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;GAGG;AACH,eAAO,MAAM,WAAW;;;;CAId,CAAC;AAEX;;GAEG;AACH,oBAAY,eAAe;IACzB,IAAI,SAAS;IACb,KAAK,UAAU;IACf,KAAK,UAAU;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,kBAAkB,EAAE,eAAe,CAAC;CACrC;AAkDD;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,CAAC,EAAE,cAAc,EAAE,GAAG,IAAI,CAqB1E;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAAE,GACnB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAwKvC;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS,CAE9E;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,EAAE,CAEpD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,cAAc,GAAG,IAAI,CAMjE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAGvD"}

package/dist/auth/permissions.js

@@ -0,0 +1,262 @@
+"use strict";
+/**
+ * Permission Control System
+ * Group-based access control for MCP tools
+ * Groups are obtained from CSP API /user/permissions (e.g., "zNet", "Client-Public")
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionLevel = exports.KnownGroups = void 0;
+exports.initializePermissions = initializePermissions;
+exports.checkPermission = checkPermission;
+exports.getToolPermission = getToolPermission;
+exports.getAllPermissions = getAllPermissions;
+exports.updatePermission = updatePermission;
+exports.removePermission = removePermission;
+const logger_1 = require("../utils/logger");
+/**
+ * Known groups from CSP
+ * Users may belong to one or more groups
+ */
+exports.KnownGroups = {
+    ZNET: 'zNet', // zNet team - full access
+    CLIENT_PUBLIC: 'Client-Public', // Client-Public team - standard access
+    ADMIN: 'admin', // Admin group - full access (if exists)
+};
+/**
+ * Permission level for operations
+ */
+var PermissionLevel;
+(function (PermissionLevel) {
+    PermissionLevel["READ"] = "read";
+    PermissionLevel["WRITE"] = "write";
+    PermissionLevel["ADMIN"] = "admin";
+})(PermissionLevel || (exports.PermissionLevel = PermissionLevel = {}));
+/**
+ * Default permission rules for each tool
+ * All authenticated users (with valid groups) can use these tools
+ */
+const defaultPermissions = [
+    // sync_resources - available to all authenticated users
+    {
+        tool: 'sync_resources',
+        allowedGroups: ['*'], // * means all authenticated users
+        requiredPermission: PermissionLevel.WRITE,
+    },
+    // manage_subscription - available to all authenticated users
+    {
+        tool: 'manage_subscription',
+        allowedGroups: ['*'],
+        requiredPermission: PermissionLevel.WRITE,
+    },
+    // search_resources - read-only, all authenticated users
+    {
+        tool: 'search_resources',
+        allowedGroups: ['*'],
+        requiredPermission: PermissionLevel.READ,
+    },
+    // upload_resource - requires write permission
+    {
+        tool: 'upload_resource',
+        allowedGroups: ['*'],
+        requiredPermission: PermissionLevel.WRITE,
+    },
+    // uninstall_resource - requires write permission
+    {
+        tool: 'uninstall_resource',
+        allowedGroups: ['*'],
+        requiredPermission: PermissionLevel.WRITE,
+    },
+    // track_usage - internal telemetry tool, always allowed for all authenticated users
+    {
+        tool: 'track_usage',
+        allowedGroups: ['*'],
+        requiredPermission: PermissionLevel.WRITE,
+    },
+];
+/**
+ * Custom permission rules (can be overridden via config)
+ */
+let permissionRules = new Map();
+/**
+ * Initialize permission system
+ */
+function initializePermissions(customRules) {
+    // Load default permissions
+    for (const perm of defaultPermissions) {
+        permissionRules.set(perm.tool, perm);
+    }
+    // Override with custom rules if provided
+    if (customRules && customRules.length > 0) {
+        logger_1.logger.info({ count: customRules.length }, 'Loading custom permission rules');
+        for (const perm of customRules) {
+            permissionRules.set(perm.tool, perm);
+        }
+    }
+    logger_1.logger.info({ toolCount: permissionRules.size }, 'Permission system initialized');
+}
+/**
+ * Check if a user has permission to access a tool
+ * @param toolName - The name of the tool to check
+ * @param userGroups - The groups the user belongs to (from CSP API)
+ */
+function checkPermission(toolName, userGroups) {
+    const checkStartTime = Date.now();
+    logger_1.logger.debug({
+        type: 'permission_check',
+        toolName,
+        userGroups,
+        timestamp: new Date().toISOString()
+    }, `Checking permission for tool: ${toolName}`);
+    // Check if tool has permission rules
+    const permission = permissionRules.get(toolName);
+    if (!permission) {
+        // If no permission rule defined, deny by default
+        logger_1.logger.warn({
+            type: 'permission_check',
+            toolName,
+            userGroups,
+            result: 'denied',
+            reason: 'no_rule',
+            timestamp: new Date().toISOString()
+        }, 'No permission rule found for tool, denying access');
+        (0, logger_1.logAuthAttempt)('permission_check', false, {
+            toolName,
+            userGroups,
+            reason: 'no_rule',
+            duration: Date.now() - checkStartTime
+        });
+        return {
+            allowed: false,
+            reason: `Tool '${toolName}' has no permission rule defined`,
+        };
+    }
+    // If no groups provided, deny access
+    if (!userGroups || userGroups.length === 0) {
+        logger_1.logger.warn({
+            type: 'permission_check',
+            toolName,
+            result: 'denied',
+            reason: 'no_groups',
+            timestamp: new Date().toISOString()
+        }, 'Permission denied: user has no groups');
+        (0, logger_1.logAuthAttempt)('permission_check', false, {
+            toolName,
+            reason: 'no_groups',
+            duration: Date.now() - checkStartTime
+        });
+        return {
+            allowed: false,
+            reason: `User must belong to at least one group to access tools`,
+        };
+    }
+    // Admin group bypasses all checks
+    if (userGroups.includes(exports.KnownGroups.ADMIN) || userGroups.includes('admin')) {
+        logger_1.logger.info({
+            type: 'permission_check',
+            toolName,
+            userGroups,
+            result: 'granted',
+            reason: 'admin_bypass',
+            duration: Date.now() - checkStartTime,
+            timestamp: new Date().toISOString()
+        }, 'Admin group access granted');
+        (0, logger_1.logAuthAttempt)('permission_check', true, {
+            toolName,
+            userGroups,
+            reason: 'admin',
+            duration: Date.now() - checkStartTime
+        });
+        return { allowed: true };
+    }
+    // Check if tool allows all authenticated users
+    if (permission.allowedGroups.includes('*')) {
+        logger_1.logger.info({
+            type: 'permission_check',
+            toolName,
+            userGroups,
+            allowedGroups: permission.allowedGroups,
+            result: 'granted',
+            reason: 'wildcard',
+            duration: Date.now() - checkStartTime,
+            timestamp: new Date().toISOString()
+        }, 'Permission granted (tool allows all authenticated users)');
+        (0, logger_1.logAuthAttempt)('permission_check', true, {
+            toolName,
+            userGroups,
+            reason: 'wildcard',
+            duration: Date.now() - checkStartTime
+        });
+        return { allowed: true };
+    }
+    // Check if user belongs to any of the allowed groups
+    const hasAllowedGroup = userGroups.some((group) => permission.allowedGroups.includes(group));
+    if (!hasAllowedGroup) {
+        logger_1.logger.warn({
+            type: 'permission_check',
+            toolName,
+            userGroups,
+            allowedGroups: permission.allowedGroups,
+            result: 'denied',
+            reason: 'group_mismatch',
+            duration: Date.now() - checkStartTime,
+            timestamp: new Date().toISOString()
+        }, 'Permission denied: user not in allowed groups');
+        (0, logger_1.logAuthAttempt)('permission_check', false, {
+            toolName,
+            userGroups,
+            allowedGroups: permission.allowedGroups,
+            reason: 'group_mismatch',
+            duration: Date.now() - checkStartTime
+        });
+        return {
+            allowed: false,
+            reason: `Tool '${toolName}' requires membership in one of: ${permission.allowedGroups.join(', ')}`,
+        };
+    }
+    logger_1.logger.info({
+        type: 'permission_check',
+        toolName,
+        userGroups,
+        allowedGroups: permission.allowedGroups,
+        result: 'granted',
+        reason: 'group_match',
+        duration: Date.now() - checkStartTime,
+        timestamp: new Date().toISOString()
+    }, 'Permission granted (user in allowed groups)');
+    (0, logger_1.logAuthAttempt)('permission_check', true, {
+        toolName,
+        userGroups,
+        matchedGroups: userGroups.filter(g => permission.allowedGroups.includes(g)),
+        duration: Date.now() - checkStartTime
+    });
+    return { allowed: true };
+}
+/**
+ * Get permission info for a tool
+ */
+function getToolPermission(toolName) {
+    return permissionRules.get(toolName);
+}
+/**
+ * Get all permission rules
+ */
+function getAllPermissions() {
+    return Array.from(permissionRules.values());
+}
+/**
+ * Update permission rule for a tool
+ */
+function updatePermission(permission) {
+    permissionRules.set(permission.tool, permission);
+    logger_1.logger.info({ tool: permission.tool, permission }, 'Permission rule updated');
+}
+/**
+ * Remove permission rule for a tool
+ */
+function removePermission(toolName) {
+    permissionRules.delete(toolName);
+    logger_1.logger.info({ toolName }, 'Permission rule removed');
+}
+// Initialize with default permissions
+initializePermissions();
+//# sourceMappingURL=permissions.js.map

package/dist/auth/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../src/auth/permissions.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAmFH,sDAqBC;AAOD,0CA2KC;AAKD,8CAEC;AAKD,8CAEC;AAKD,4CAMC;AAKD,4CAGC;AAzTD,4CAAyD;AAEzD;;;GAGG;AACU,QAAA,WAAW,GAAG;IACzB,IAAI,EAAE,MAAM,EAAuB,0BAA0B;IAC7D,aAAa,EAAE,eAAe,EAAK,uCAAuC;IAC1E,KAAK,EAAE,OAAO,EAAqB,wCAAwC;CACnE,CAAC;AAEX;;GAEG;AACH,IAAY,eAIX;AAJD,WAAY,eAAe;IACzB,gCAAa,CAAA;IACb,kCAAe,CAAA;IACf,kCAAe,CAAA;AACjB,CAAC,EAJW,eAAe,+BAAf,eAAe,QAI1B;AAWD;;;GAGG;AACH,MAAM,kBAAkB,GAAqB;IAC3C,wDAAwD;IACxD;QACE,IAAI,EAAE,gBAAgB;QACtB,aAAa,EAAE,CAAC,GAAG,CAAC,EAAG,kCAAkC;QACzD,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,6DAA6D;IAC7D;QACE,IAAI,EAAE,qBAAqB;QAC3B,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,wDAAwD;IACxD;QACE,IAAI,EAAE,kBAAkB;QACxB,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,IAAI;KACzC;IACD,8CAA8C;IAC9C;QACE,IAAI,EAAE,iBAAiB;QACvB,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,iDAAiD;IACjD;QACE,IAAI,EAAE,oBAAoB;QAC1B,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,oFAAoF;IACpF;QACE,IAAI,EAAE,aAAa;QACnB,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;CACF,CAAC;AAEF;;GAEG;AACH,IAAI,eAAe,GAAgC,IAAI,GAAG,EAAE,CAAC;AAE7D;;GAEG;AACH,SAAgB,qBAAqB,CAAC,WAA8B;IAClE,2BAA2B;IAC3B,KAAK,MAAM,IAAI,IAAI,kBAAkB,EAAE,CAAC;QACtC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACvC,CAAC;IAED,yCAAyC;IACzC,IAAI,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,eAAM,CAAC,IAAI,CACT,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,EAC7B,iCAAiC,CAClC,CAAC;QACF,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,eAAM,CAAC,IAAI,CACT,EAAE,SAAS,EAAE,eAAe,CAAC,IAAI,EAAE,EACnC,+BAA+B,CAChC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAgB,eAAe,CAC7B,QAAgB,EAChB,UAAoB;IAEpB,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAElC,eAAM,CAAC,KAAK,CAAC;QACX,IAAI,EAAE,kBAAkB;QACxB,QAAQ;QACR,UAAU;QACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,EAAE,iCAAiC,QAAQ,EAAE,CAAC,CAAC;IAEhD,qCAAqC;IACrC,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,iDAAiD;QACjD,eAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EAAE,mDAAmD,CAAC,CAAC;QAExD,IAAA,uBAAc,EAAC,kBAAkB,EAAE,KAAK,EAAE;YACxC,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,SAAS,QAAQ,kCAAkC;SAC5D,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3C,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,uCAAuC,CACxC,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,KAAK,EAAE;YACxC,QAAQ;YACR,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,wDAAwD;SACjE,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,IAAI,UAAU,CAAC,QAAQ,CAAC,mBAAW,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3E,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,cAAc;YACtB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,4BAA4B,CAC7B,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,IAAI,EAAE;YACvC,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,+CAA+C;IAC/C,IAAI,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3C,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,0DAA0D,CAC3D,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,IAAI,EAAE;YACvC,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,qDAAqD;IACrD,MAAM,eAAe,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAChD,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CACzC,CAAC;IAEF,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,gBAAgB;YACxB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,+CAA+C,CAChD,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,KAAK,EAAE;YACxC,QAAQ;YACR,UAAU;YACV,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,MAAM,EAAE,gBAAgB;YACxB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,SAAS,QAAQ,oCAAoC,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SACnG,CAAC;IACJ,CAAC;IAED,eAAM,CAAC,IAAI,CACT;QACE,IAAI,EAAE,kBAAkB;QACxB,QAAQ;QACR,UAAU;QACV,aAAa,EAAE,UAAU,CAAC,aAAa;QACvC,MAAM,EAAE,SAAS;QACjB,MAAM,EAAE,aAAa;QACrB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;QACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,EACD,6CAA6C,CAC9C,CAAC;IAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,IAAI,EAAE;QACvC,QAAQ;QACR,UAAU;QACV,aAAa,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC3E,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;KACtC,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,QAAgB;IAChD,OAAO,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB;IAC/B,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,UAA0B;IACzD,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IACjD,eAAM,CAAC,IAAI,CACT,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,UAAU,EAAE,EACrC,yBAAyB,CAC1B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,QAAgB;IAC/C,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACjC,eAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,yBAAyB,CAAC,CAAC;AACvD,CAAC;AAED,sCAAsC;AACtC,qBAAqB,EAAE,CAAC"}

package/dist/auth/token-validator.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Token Validation via CSP API
+ * Validates tokens by calling CSP /user/permissions endpoint
+ */
+/**
+ * Token validation payload structure
+ */
+export interface TokenPayload {
+    userId: string;
+    email: string;
+    groups: string[];
+    roles?: string[];
+    [key: string]: unknown;
+}
+/**
+ * Start cache cleanup interval
+ */
+export declare function startCacheCleanup(): void;
+/**
+ * Stop cache cleanup interval
+ */
+export declare function stopCacheCleanup(): void;
+/**
+ * Verify token by calling CSP API /user/permissions
+ * @param token - The JWT token to verify
+ * @returns Token payload if valid, null otherwise
+ */
+export declare function verifyTokenViaAPI(token: string): Promise<TokenPayload | null>;
+/**
+ * Verify token with caching
+ * Uses cached result if available to reduce API calls
+ * @param token - The token to verify
+ * @returns Token payload if valid, null otherwise
+ */
+export declare function verifyToken(token: string): Promise<TokenPayload | null>;
+/**
+ * Clear token from cache (e.g., after logout)
+ * @param token - The token to invalidate
+ */
+export declare function invalidateToken(token: string): void;
+/**
+ * Clear all cached tokens
+ */
+export declare function clearTokenCache(): void;
+/**
+ * Get cache statistics
+ */
+export declare function getTokenCacheStats(): {
+    size: number;
+    tokens: string[];
+};
+//# sourceMappingURL=token-validator.d.ts.map

package/dist/auth/token-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-validator.d.ts","sourceRoot":"","sources":["../../src/auth/token-validator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IAEjB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AA+CD;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CASxC;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAMvC;AAKD;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAkGnF;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAqD7E;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAMnD;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAMtC;AAED;;GAEG;AACH,wBAAgB,kBAAkB;;;EAMjC"}

package/dist/auth/token-validator.js

@@ -0,0 +1,215 @@
+"use strict";
+/**
+ * Token Validation via CSP API
+ * Validates tokens by calling CSP /user/permissions endpoint
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startCacheCleanup = startCacheCleanup;
+exports.stopCacheCleanup = stopCacheCleanup;
+exports.verifyTokenViaAPI = verifyTokenViaAPI;
+exports.verifyToken = verifyToken;
+exports.invalidateToken = invalidateToken;
+exports.clearTokenCache = clearTokenCache;
+exports.getTokenCacheStats = getTokenCacheStats;
+const client_1 = require("../api/client");
+const logger_1 = require("../utils/logger");
+/**
+ * Token validation cache (in-memory, 5 minute TTL)
+ */
+const tokenCache = new Map();
+/**
+ * Cache cleanup interval reference (for cleanup on shutdown)
+ */
+let cacheCleanupInterval = null;
+/**
+ * Clean expired cache entries
+ */
+function cleanExpiredCache() {
+    const now = Date.now();
+    let cleaned = 0;
+    for (const [token, entry] of tokenCache.entries()) {
+        if (entry.expireAt < now) {
+            tokenCache.delete(token);
+            cleaned++;
+        }
+    }
+    if (cleaned > 0) {
+        logger_1.logger.debug({ type: 'cache_cleanup', cleaned, remaining: tokenCache.size }, `Cleaned ${cleaned} expired token(s) from cache`);
+    }
+}
+/**
+ * Start cache cleanup interval
+ */
+function startCacheCleanup() {
+    if (cacheCleanupInterval) {
+        logger_1.logger.warn('Cache cleanup interval already running');
+        return;
+    }
+    // Clean cache every minute
+    cacheCleanupInterval = setInterval(cleanExpiredCache, 60000);
+    logger_1.logger.info('Token cache cleanup interval started (60s)');
+}
+/**
+ * Stop cache cleanup interval
+ */
+function stopCacheCleanup() {
+    if (cacheCleanupInterval) {
+        clearInterval(cacheCleanupInterval);
+        cacheCleanupInterval = null;
+        logger_1.logger.info('Token cache cleanup interval stopped');
+    }
+}
+// Start cleanup on module load
+startCacheCleanup();
+/**
+ * Verify token by calling CSP API /user/permissions
+ * @param token - The JWT token to verify
+ * @returns Token payload if valid, null otherwise
+ */
+async function verifyTokenViaAPI(token) {
+    const tokenPreview = token.substring(0, 10) + '...' + token.substring(token.length - 10);
+    const startTime = Date.now();
+    try {
+        logger_1.logger.debug({
+            type: 'auth',
+            operation: 'verify_token_api',
+            tokenPreview,
+            timestamp: new Date().toISOString()
+        }, 'Calling CSP API /user/permissions to validate token');
+        // Call CSP API to validate the token presented in the SSE Authorization header.
+        const response = await client_1.apiClient.get('/csp/api/user/permissions', {
+            headers: {
+                'Authorization': `Bearer ${token}`,
+            },
+            timeout: 5000, // 5 second timeout for auth check
+        });
+        const duration = Date.now() - startTime;
+        // Check response code (2000 means success)
+        if (response.code === 2000 && response.data) {
+            const payload = {
+                userId: response.data.user_id,
+                email: response.data.email,
+                groups: response.data.groups || [],
+                roles: response.data.groups || [], // Alias for backward compatibility
+            };
+            logger_1.logger.info({
+                type: 'auth',
+                operation: 'verify_token_api',
+                userId: payload.userId,
+                email: payload.email,
+                groups: payload.groups,
+                duration,
+                timestamp: new Date().toISOString()
+            }, `Token validated successfully for user ${payload.userId}`);
+            (0, logger_1.logAuthAttempt)('token_validation', true, {
+                userId: payload.userId,
+                email: payload.email,
+                groups: payload.groups,
+                duration
+            });
+            return payload;
+        }
+        logger_1.logger.warn({
+            type: 'auth',
+            operation: 'verify_token_api',
+            code: response.code,
+            message: response.message,
+            tokenPreview,
+            duration,
+            timestamp: new Date().toISOString()
+        }, 'Token validation failed - invalid or expired token');
+        (0, logger_1.logAuthAttempt)('token_validation', false, {
+            code: response.code,
+            message: response.message,
+            duration
+        });
+        return null;
+    }
+    catch (error) {
+        const duration = Date.now() - startTime;
+        (0, logger_1.logError)(error, {
+            type: 'auth',
+            operation: 'verify_token_api',
+            tokenPreview,
+            duration,
+            timestamp: new Date().toISOString()
+        });
+        (0, logger_1.logAuthAttempt)('token_validation', false, {
+            error: error instanceof Error ? error.message : String(error),
+            duration
+        });
+        return null;
+    }
+}
+/**
+ * Verify token with caching
+ * Uses cached result if available to reduce API calls
+ * @param token - The token to verify
+ * @returns Token payload if valid, null otherwise
+ */
+async function verifyToken(token) {
+    const tokenPreview = token.substring(0, 10) + '...' + token.substring(token.length - 10);
+    // Check cache first
+    const cached = tokenCache.get(token);
+    if (cached && cached.expireAt > Date.now()) {
+        logger_1.logger.debug({
+            type: 'auth',
+            operation: 'verify_token',
+            userId: cached.payload.userId,
+            email: cached.payload.email,
+            cacheHit: true,
+            tokenPreview,
+            timestamp: new Date().toISOString()
+        }, 'Token validation cache hit');
+        return cached.payload;
+    }
+    logger_1.logger.debug({
+        type: 'auth',
+        operation: 'verify_token',
+        cacheHit: false,
+        tokenPreview,
+        timestamp: new Date().toISOString()
+    }, 'Token validation cache miss, calling API');
+    // Validate via API
+    const payload = await verifyTokenViaAPI(token);
+    // Cache the result if valid (5 minute TTL)
+    if (payload) {
+        const expireAt = Date.now() + 5 * 60 * 1000; // 5 minutes
+        tokenCache.set(token, { payload, expireAt });
+        logger_1.logger.debug({
+            type: 'auth',
+            operation: 'verify_token',
+            userId: payload.userId,
+            email: payload.email,
+            cacheTTL: '5min',
+            timestamp: new Date().toISOString()
+        }, 'Token validation result cached (5 min TTL)');
+    }
+    return payload;
+}
+/**
+ * Clear token from cache (e.g., after logout)
+ * @param token - The token to invalidate
+ */
+function invalidateToken(token) {
+    tokenCache.delete(token);
+    logger_1.logger.debug({ type: 'auth', operation: 'invalidate_token' }, 'Token removed from cache');
+}
+/**
+ * Clear all cached tokens
+ */
+function clearTokenCache() {
+    tokenCache.clear();
+    logger_1.logger.info({ type: 'auth', operation: 'clear_cache' }, 'All cached tokens cleared');
+}
+/**
+ * Get cache statistics
+ */
+function getTokenCacheStats() {
+    cleanExpiredCache();
+    return {
+        size: tokenCache.size,
+        tokens: Array.from(tokenCache.keys()).map(t => t.substring(0, 10) + '...'),
+    };
+}
+//# sourceMappingURL=token-validator.js.map

package/dist/auth/token-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-validator.js","sourceRoot":"","sources":["../../src/auth/token-validator.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAiEH,8CASC;AAKD,4CAMC;AAUD,8CAkGC;AAQD,kCAqDC;AAMD,0CAMC;AAKD,0CAMC;AAKD,gDAMC;AA9RD,0CAA0C;AAC1C,4CAAmE;AA2BnE;;GAEG;AACH,MAAM,UAAU,GAAG,IAAI,GAAG,EAAuD,CAAC;AAElF;;GAEG;AACH,IAAI,oBAAoB,GAA0B,IAAI,CAAC;AAEvD;;GAEG;AACH,SAAS,iBAAiB;IACxB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;QAClD,IAAI,KAAK,CAAC,QAAQ,GAAG,GAAG,EAAE,CAAC;YACzB,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACzB,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAChB,eAAM,CAAC,KAAK,CACV,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,CAAC,IAAI,EAAE,EAC9D,WAAW,OAAO,8BAA8B,CACjD,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB;IAC/B,IAAI,oBAAoB,EAAE,CAAC;QACzB,eAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;QACtD,OAAO;IACT,CAAC;IAED,2BAA2B;IAC3B,oBAAoB,GAAG,WAAW,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;IAC7D,eAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB;IAC9B,IAAI,oBAAoB,EAAE,CAAC;QACzB,aAAa,CAAC,oBAAoB,CAAC,CAAC;QACpC,oBAAoB,GAAG,IAAI,CAAC;QAC5B,eAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED,+BAA+B;AAC/B,iBAAiB,EAAE,CAAC;AAEpB;;;;GAIG;AACI,KAAK,UAAU,iBAAiB,CAAC,KAAa;IACnD,MAAM,YAAY,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IACzF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,CAAC;QACH,eAAM,CAAC,KAAK,CACV;YACE,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,kBAAkB;YAC7B,YAAY;YACZ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,qDAAqD,CACtD,CAAC;QAEF,gFAAgF;QAChF,MAAM,QAAQ,GAAG,MAAM,kBAAS,CAAC,GAAG,CAClC,2BAA2B,EAC3B;YACE,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,KAAK,EAAE;aACnC;YACD,OAAO,EAAE,IAAI,EAAE,kCAAkC;SAClD,CACF,CAAC;QAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,2CAA2C;QAC3C,IAAI,QAAQ,CAAC,IAAI,KAAK,IAAI,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAiB;gBAC5B,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO;gBAC7B,KAAK,EAAE,QAAQ,CAAC,IAAI,CAAC,KAAK;gBAC1B,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE;gBAClC,KAAK,EAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,EAAG,mCAAmC;aACxE,CAAC;YAEF,eAAM,CAAC,IAAI,CACT;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,kBAAkB;gBAC7B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,QAAQ;gBACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC,EACD,yCAAyC,OAAO,CAAC,MAAM,EAAE,CAC1D,CAAC;YAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,IAAI,EAAE;gBACvC,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,QAAQ;aACT,CAAC,CAAC;YAEH,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,kBAAkB;YAC7B,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,OAAO,EAAE,QAAQ,CAAC,OAAO;YACzB,YAAY;YACZ,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,oDAAoD,CACrD,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,KAAK,EAAE;YACxC,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,OAAO,EAAE,QAAQ,CAAC,OAAO;YACzB,QAAQ;SACT,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,IAAA,iBAAQ,EAAC,KAAc,EAAE;YACvB,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,kBAAkB;YAC7B,YAAY;YACZ,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC,CAAC;QAEH,IAAA,uBAAc,EAAC,kBAAkB,EAAE,KAAK,EAAE;YACxC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;YAC7D,QAAQ;SACT,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,WAAW,CAAC,KAAa;IAC7C,MAAM,YAAY,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAEzF,oBAAoB;IACpB,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACrC,IAAI,MAAM,IAAI,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC3C,eAAM,CAAC,KAAK,CACV;YACE,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,cAAc;YACzB,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;YAC7B,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK;YAC3B,QAAQ,EAAE,IAAI;YACd,YAAY;YACZ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,4BAA4B,CAC7B,CAAC;QACF,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAED,eAAM,CAAC,KAAK,CACV;QACE,IAAI,EAAE,MAAM;QACZ,SAAS,EAAE,cAAc;QACzB,QAAQ,EAAE,KAAK;QACf,YAAY;QACZ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,EACD,0CAA0C,CAC3C,CAAC;IAEF,mBAAmB;IACnB,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAE/C,2CAA2C;IAC3C,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;QACzD,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC7C,eAAM,CAAC,KAAK,CACV;YACE,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,cAAc;YACzB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,4CAA4C,CAC7C,CAAC;IACJ,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,SAAgB,eAAe,CAAC,KAAa;IAC3C,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzB,eAAM,CAAC,KAAK,CACV,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,kBAAkB,EAAE,EAC/C,0BAA0B,CAC3B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe;IAC7B,UAAU,CAAC,KAAK,EAAE,CAAC;IACnB,eAAM,CAAC,IAAI,CACT,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,EAC1C,2BAA2B,CAC5B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB;IAChC,iBAAiB,EAAE,CAAC;IACpB,OAAO;QACL,IAAI,EAAE,UAAU,CAAC,IAAI;QACrB,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC;KAC3E,CAAC;AACJ,CAAC"}