@enbox/auth 0.3.1 → 0.5.0

package/dist/types/flows/dwn-discovery.d.ts

@@ -7,26 +7,21 @@
  *
  * ## Discovery channels (browser, highest to lowest priority)
  *
- * 1. **URL fragment payload** — A `dwn://register` redirect just landed
+ * 1. **URL fragment payload** — A `dwn://connect` redirect just landed
  *    on the page with the endpoint in `#`. Highest priority because it's
  *    fresh and explicit.
  * 2. **Persisted endpoint** (localStorage) — A previously discovered
  *    endpoint restored and re-validated via `GET /info`.
- * 3. **Agent-level discovery** (transparent, runs on every `sendRequest`)
- *    — `~/.enbox/dwn.json` discovery file (Node/Bun only; skipped in
- *    browsers) and sequential port probing on `127.0.0.1:{3000,55500–55509}`.
- *    This channel works even if the browser-specific functions here
- *    return `false`.
  *
  * ## Discovery channels (CLI / native, all transparent)
  *
- * In Node/Bun environments, all discovery happens automatically inside
+ * In Node/Bun environments, the agent's `LocalDwnDiscovery` reads the
+ * `~/.enbox/dwn.json` discovery file automatically inside
  * `AgentDwnApi.getLocalDwnEndpoint()`. The browser-specific functions
  * in this module (`checkUrlForDwnDiscoveryPayload`, `requestLocalDwnDiscovery`)
- * are not needed — the agent reads `~/.enbox/dwn.json` and probes ports
- * on its own.
+ * are not needed in those environments.
  *
- * @see https://github.com/enboxorg/enbox/issues/589
+ * @see https://github.com/enboxorg/enbox/issues/677
  * @module
  */
 import type { EnboxUserAgent } from '@enbox/agent';
@@ -36,7 +31,7 @@ import type { StorageAdapter } from '../types.js';
  * Check the current page URL for a `DwnDiscoveryPayload` in the fragment.
  *
  * This is called once at the start of a connection flow to detect whether
- * the user was just redirected back from a `dwn://register` handler. If a
+ * the user was just redirected back from a `dwn://connect` handler. If a
  * valid payload is found, the endpoint is persisted and the fragment is
  * cleared to prevent double-reads.
  *
@@ -44,6 +39,28 @@ import type { StorageAdapter } from '../types.js';
  *   was found in the URL.
  */
 export declare function checkUrlForDwnDiscoveryPayload(): string | undefined;
+/**
+ * Run local DWN discovery **before the agent exists**.
+ *
+ * This is the standalone counterpart of {@link applyLocalDwnDiscovery} and
+ * is designed to be called in `AuthManager.create()`, before
+ * `EnboxUserAgent.create()`, so the agent creation can decide whether to
+ * spin up an in-process DWN or operate in remote mode.
+ *
+ * Discovery channels (highest → lowest priority):
+ * 1. **URL fragment payload** — A `dwn://connect` redirect just landed.
+ * 2. **Persisted endpoint** (localStorage) — A previously discovered
+ *    endpoint, re-validated via `GET /info`.
+ *
+ * When a valid endpoint is found it is persisted to storage. When a
+ * previously-persisted endpoint is stale, it is removed.
+ *
+ * @param storage - The auth storage adapter (for reading/writing the
+ *   cached endpoint).
+ * @returns The validated endpoint URL, or `undefined` if no local DWN
+ *   server is available.
+ */
+export declare function discoverLocalDwn(storage: StorageAdapter): Promise<string | undefined>;
 /**
  * Persist a discovered local DWN endpoint in auth storage.
  *
@@ -76,25 +93,18 @@ export declare function restoreLocalDwnEndpoint(agent: EnboxUserAgent, storage:
  * Run the full local DWN discovery sequence for a browser connection flow.
  *
  * This function handles the **receiving** side of local DWN discovery in
- * the browser. It does NOT trigger the `dwn://register` redirect — use
+ * the browser. It does NOT trigger the `dwn://connect` redirect — use
  * {@link requestLocalDwnDiscovery} for that.
  *
  * The discovery channels, from highest to lowest priority:
  *
- * 1. **URL fragment payload** — A `dwn://register` redirect just landed on
+ * 1. **URL fragment payload** — A `dwn://connect` redirect just landed on
  *    this page with the DWN endpoint in `#`. This is the highest-priority
  *    signal because it's fresh and explicit.
  *
  * 2. **Persisted endpoint** (localStorage) — A previously discovered
  *    endpoint is restored and re-validated via `GET /info`.
  *
- * 3. **Agent-level discovery** (transparent) — Even if this function
- *    returns `false`, the agent's `LocalDwnDiscovery` will independently
- *    try the discovery file (`~/.enbox/dwn.json`) and port probing on
- *    every `sendRequest()` call. Those channels are not available in
- *    browsers (no filesystem access, CORS may block probes), but they
- *    work transparently in Node/Bun CLI environments.
- *
  * When an `emitter` is provided, this function emits:
  * - `'local-dwn-available'` with the endpoint when discovery succeeds.
  * - `'local-dwn-unavailable'` when no local DWN could be reached.
@@ -106,52 +116,29 @@ export declare function restoreLocalDwnEndpoint(agent: EnboxUserAgent, storage:
  */
 export declare function applyLocalDwnDiscovery(agent: EnboxUserAgent, storage: StorageAdapter, emitter?: AuthEventEmitter): Promise<boolean>;
 /**
- * Initiate the `dwn://register` flow by opening the register URL.
+ * Initiate the `dwn://connect` flow by opening the connect URL.
  *
- * This asks the operating system to route `dwn://register?callback=<url>`
+ * This asks the operating system to route `dwn://connect?callback=<url>`
  * to the registered handler (electrobun-dwn), which will redirect the
  * user's browser back to `callbackUrl` with the local DWN endpoint
  * encoded in the URL fragment.
  *
- * **Important:** There is no reliable cross-browser API to detect whether
- * a `dwn://` handler is installed. If no handler is registered, this call
- * will silently fail or show an OS-level error dialog. Use
- * {@link probeLocalDwn} first to check if a local DWN is already
- * reachable via port probing — if it is, you can skip the register flow
- * entirely and call {@link applyLocalDwnDiscovery} instead.
+ * **Note:** There is no reliable cross-browser API to detect whether a
+ * `dwn://` handler is installed. If no handler is registered, this call
+ * will silently fail or show an OS-level error dialog.
  *
  * @param callbackUrl - The URL to redirect back to. Defaults to the
  *   current page URL (without its fragment) if running in a browser.
- * @returns `true` if the register URL was opened, `false` if no
+ * @returns `true` if the connect URL was opened, `false` if no
  *   callback URL could be determined (e.g. no `globalThis.location`).
  *
  * @example
  * ```ts
- * // Check if local DWN is already available via direct probe.
- * const alreadyAvailable = await probeLocalDwn();
- * if (!alreadyAvailable) {
- *   // No local DWN found — trigger the dwn://register flow.
- *   requestLocalDwnDiscovery();
- *   // The page will reload with the endpoint in the URL fragment.
- * }
+ * // Trigger the dwn://connect flow to discover a local DWN.
+ * requestLocalDwnDiscovery();
+ * // The page will reload with the endpoint in the URL fragment.
+ * // On the next connect/restore, applyLocalDwnDiscovery() reads it.
  * ```
  */
 export declare function requestLocalDwnDiscovery(callbackUrl?: string): boolean;
-/**
- * Probe whether a local DWN server is reachable via direct HTTP fetch.
- *
- * Attempts `GET http://127.0.0.1:{port}/info` on the well-known port
- * candidates and returns the endpoint URL of the first server that
- * responds with a valid `@enbox/dwn-server` identity.
- *
- * This is useful in browsers to check if a local DWN is available
- * *before* triggering the `dwn://register` redirect flow — if the
- * server is already reachable (CORS permitting), the redirect is
- * unnecessary.
- *
- * @returns The local DWN endpoint URL, or `undefined` if no server
- *   was found. Returns `undefined` (rather than throwing) on CORS
- *   errors or network failures.
- */
-export declare function probeLocalDwn(): Promise<string | undefined>;
 //# sourceMappingURL=dwn-discovery.d.ts.map

package/dist/types/flows/dwn-discovery.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dwn-discovery.d.ts","sourceRoot":"","sources":["../../../src/flows/dwn-discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAInD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAErD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD;;;;;;;;;;GAUG;AACH,wBAAgB,8BAA8B,IAAI,MAAM,GAAG,SAAS,CAkBnE;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,cAAc,EACvB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAEf;AAED;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CAEf;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,cAAc,EACrB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,OAAO,CAAC,CAclB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,cAAc,EACrB,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,OAAO,CAAC,CA2BlB;AAID;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAuBtE;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAsBjE"}
+{"version":3,"file":"dwn-discovery.d.ts","sourceRoot":"","sources":["../../../src/flows/dwn-discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAKnD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAErD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD;;;;;;;;;;GAUG;AACH,wBAAgB,8BAA8B,IAAI,MAAM,GAAG,SAAS,CAkBnE;AA4BD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAwB7B;AAID;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,cAAc,EACvB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAEf;AAED;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CAEf;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,cAAc,EACrB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,OAAO,CAAC,CAclB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,cAAc,EACrB,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,OAAO,CAAC,CA2BlB;AAID;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAuBtE"}

package/dist/types/flows/dwn-registration.d.ts

@@ -11,7 +11,7 @@
  * @module
  */
 import type { EnboxUserAgent } from '@enbox/agent';
-import type { RegistrationOptions } from '../types.js';
+import type { RegistrationOptions, RegistrationTokenData, StorageAdapter } from '../types.js';
 /** @internal */
 export interface RegistrationContext {
     /** The user agent with RPC access for getServerInfo(). */
@@ -22,6 +22,11 @@ export interface RegistrationContext {
     agentDid: string;
     /** The connected DID URI (the identity's DID). */
     connectedDid: string;
+    /**
+     * Storage adapter for automatic token persistence.
+     * Only used when `registration.persistTokens` is `true`.
+     */
+    storage?: StorageAdapter;
 }
 /**
  * Register the agent and connected DIDs with the configured DWN endpoints.
@@ -36,4 +41,18 @@ export interface RegistrationContext {
  * @internal
  */
 export declare function registerWithDwnEndpoints(ctx: RegistrationContext, registration: RegistrationOptions): Promise<void>;
+/**
+ * Load registration tokens from a `StorageAdapter`.
+ *
+ * Returns an empty record if no tokens are stored or the stored value
+ * is corrupt (best-effort — never throws).
+ *
+ * @internal
+ */
+export declare function loadTokensFromStorage(storage: StorageAdapter): Promise<Record<string, RegistrationTokenData>>;
+/**
+ * Save registration tokens to a `StorageAdapter`.
+ * @internal
+ */
+export declare function saveTokensToStorage(storage: StorageAdapter, tokens: Record<string, RegistrationTokenData>): Promise<void>;
 //# sourceMappingURL=dwn-registration.d.ts.map

package/dist/types/flows/dwn-registration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dwn-registration.d.ts","sourceRoot":"","sources":["../../../src/flows/dwn-registration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAInD,OAAO,KAAK,EACV,mBAAmB,EAEpB,MAAM,aAAa,CAAC;AAErB,gBAAgB;AAChB,MAAM,WAAW,mBAAmB;IAClC,0DAA0D;IAC1D,SAAS,EAAE,cAAc,CAAC;IAE1B,sCAAsC;IACtC,YAAY,EAAE,MAAM,EAAE,CAAC;IAEvB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IAEjB,kDAAkD;IAClD,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,mBAAmB,EACxB,YAAY,EAAE,mBAAmB,GAChC,OAAO,CAAC,IAAI,CAAC,CAwGf"}
+{"version":3,"file":"dwn-registration.d.ts","sourceRoot":"","sources":["../../../src/flows/dwn-registration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAMnD,OAAO,KAAK,EACV,mBAAmB,EACnB,qBAAqB,EACrB,cAAc,EACf,MAAM,aAAa,CAAC;AAErB,gBAAgB;AAChB,MAAM,WAAW,mBAAmB;IAClC,0DAA0D;IAC1D,SAAS,EAAE,cAAc,CAAC;IAE1B,sCAAsC;IACtC,YAAY,EAAE,MAAM,EAAE,CAAC;IAEvB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IAEjB,kDAAkD;IAClD,YAAY,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,OAAO,CAAC,EAAE,cAAc,CAAC;CAC1B;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,mBAAmB,EACxB,YAAY,EAAE,mBAAmB,GAChC,OAAO,CAAC,IAAI,CAAC,CAqHf;AAID;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC,CAQhD;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,cAAc,EACvB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,GAC5C,OAAO,CAAC,IAAI,CAAC,CAEf"}

package/dist/types/flows/import-identity.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"import-identity.d.ts","sourceRoot":"","sources":["../../../src/flows/import-identity.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAGrD,OAAO,KAAK,EACV,uBAAuB,EACvB,yBAAyB,EACzB,mBAAmB,EACnB,cAAc,EACd,UAAU,EACX,MAAM,aAAa,CAAC;AAErB,gBAAgB;AAChB,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,aAAa,EAClB,OAAO,EAAE,uBAAuB,GAC/B,OAAO,CAAC,WAAW,CAAC,CAuGtB;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,aAAa,EAClB,OAAO,EAAE,yBAAyB,GACjC,OAAO,CAAC,WAAW,CAAC,CA6DtB"}
+{"version":3,"file":"import-identity.d.ts","sourceRoot":"","sources":["../../../src/flows/import-identity.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAGrD,OAAO,KAAK,EACV,uBAAuB,EACvB,yBAAyB,EACzB,mBAAmB,EACnB,cAAc,EACd,UAAU,EACX,MAAM,aAAa,CAAC;AAErB,gBAAgB;AAChB,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,aAAa,EAClB,OAAO,EAAE,uBAAuB,GAC/B,OAAO,CAAC,WAAW,CAAC,CAwGtB;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,aAAa,EAClB,OAAO,EAAE,yBAAyB,GACjC,OAAO,CAAC,WAAW,CAAC,CA8DtB"}

package/dist/types/flows/local-connect.d.ts

@@ -7,6 +7,7 @@
  */
 import type { EnboxUserAgent } from '@enbox/agent';
 import type { AuthEventEmitter } from '../events.js';
+import type { PasswordProvider } from '../password-provider.js';
 import type { LocalConnectOptions, RegistrationOptions, StorageAdapter, SyncOption } from '../types.js';
 import { AuthSession } from '../identity-session.js';
 /** @internal */
@@ -15,6 +16,7 @@ export interface LocalConnectContext {
     emitter: AuthEventEmitter;
     storage: StorageAdapter;
     defaultPassword?: string;
+    passwordProvider?: PasswordProvider;
     defaultSync?: SyncOption;
     defaultDwnEndpoints?: string[];
     registration?: RegistrationOptions;

package/dist/types/flows/local-connect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"local-connect.d.ts","sourceRoot":"","sources":["../../../src/flows/local-connect.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGxG,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAIrD,gBAAgB;AAChB,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,mBAAmB,EACxB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,WAAW,CAAC,CAoItB"}
+{"version":3,"file":"local-connect.d.ts","sourceRoot":"","sources":["../../../src/flows/local-connect.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,KAAK,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGxG,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAIrD,gBAAgB;AAChB,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,mBAAmB,EACxB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,WAAW,CAAC,CAuJtB"}

package/dist/types/flows/session-restore.d.ts

@@ -7,6 +7,7 @@
  */
 import type { EnboxUserAgent } from '@enbox/agent';
 import type { AuthEventEmitter } from '../events.js';
+import type { PasswordProvider } from '../password-provider.js';
 import type { RestoreSessionOptions, StorageAdapter, SyncOption } from '../types.js';
 import { AuthSession } from '../identity-session.js';
 /** @internal */
@@ -15,6 +16,7 @@ export interface SessionRestoreContext {
     emitter: AuthEventEmitter;
     storage: StorageAdapter;
     defaultPassword?: string;
+    passwordProvider?: PasswordProvider;
     defaultSync?: SyncOption;
 }
 /**

package/dist/types/flows/session-restore.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session-restore.d.ts","sourceRoot":"","sources":["../../../src/flows/session-restore.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,qBAAqB,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGrF,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAGrD,gBAAgB;AAChB,MAAM,WAAW,qBAAqB;IACpC,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,UAAU,CAAC;CAC1B;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,qBAAqB,EAC1B,OAAO,GAAE,qBAA0B,GAClC,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAmGlC"}
+{"version":3,"file":"session-restore.d.ts","sourceRoot":"","sources":["../../../src/flows/session-restore.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,KAAK,EAAE,qBAAqB,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGrF,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAGrD,gBAAgB;AAChB,MAAM,WAAW,qBAAqB;IACpC,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,WAAW,CAAC,EAAE,UAAU,CAAC;CAC1B;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,qBAAqB,EAC1B,OAAO,GAAE,qBAA0B,GAClC,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAqHlC"}

package/dist/types/flows/wallet-connect.d.ts

@@ -1,7 +1,7 @@
 /**
- * Wallet connect (OIDC/QR) flow.
+ * Wallet connect (Enbox Connect relay) flow.
  *
- * Connects to an external wallet via the WalletConnect relay protocol,
+ * Connects to an external wallet via the Enbox Connect relay protocol,
  * importing a delegated DID with permission grants.
  * This replaces the "Mode B/C" paths in Enbox.connect().
  * @module

package/dist/types/flows/wallet-connect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"wallet-connect.d.ts","sourceRoot":"","sources":["../../../src/flows/wallet-connect.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAE,iCAAiC,EAAyD,cAAc,EAAE,MAAM,cAAc,CAAC;AAG7I,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,cAAc,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEzG,gBAAgB;AAChB,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC;AAED;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAAC,MAAM,EAAE;IACnD,KAAK,EAAE,cAAc,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,iCAAiC,EAAE,CAAC;CAC7C,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAmCpB;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,oBAAoB,EACzB,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC,CAsItB"}
+{"version":3,"file":"wallet-connect.d.ts","sourceRoot":"","sources":["../../../src/flows/wallet-connect.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAE,iCAAiC,EAAyD,cAAc,EAAE,MAAM,cAAc,CAAC;AAG7I,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAGrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,cAAc,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEzG,gBAAgB;AAChB,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC;AAED;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAAC,MAAM,EAAE;IACnD,KAAK,EAAE,cAAc,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,iCAAiC,EAAE,CAAC;CAC7C,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAmCpB;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,oBAAoB,EACzB,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC,CAuItB"}

package/dist/types/index.d.ts

@@ -37,9 +37,12 @@ export { AuthManager } from './auth-manager.js';
 export { AuthSession } from './identity-session.js';
 export { VaultManager } from './vault/vault-manager.js';
 export { AuthEventEmitter } from './events.js';
+export { PasswordProvider } from './password-provider.js';
+export type { PasswordContext } from './password-provider.js';
 export { EnboxUserAgent, HdIdentityVault } from '@enbox/agent';
 export { processConnectedGrants } from './flows/wallet-connect.js';
-export { applyLocalDwnDiscovery, checkUrlForDwnDiscoveryPayload, clearLocalDwnEndpoint, persistLocalDwnEndpoint, probeLocalDwn, requestLocalDwnDiscovery, restoreLocalDwnEndpoint, } from './flows/dwn-discovery.js';
+export { loadTokensFromStorage, saveTokensToStorage } from './flows/dwn-registration.js';
+export { applyLocalDwnDiscovery, checkUrlForDwnDiscoveryPayload, clearLocalDwnEndpoint, discoverLocalDwn, persistLocalDwnEndpoint, requestLocalDwnDiscovery, restoreLocalDwnEndpoint, } from './flows/dwn-discovery.js';
 export { BrowserStorage, LevelStorage, MemoryStorage, createDefaultStorage } from './storage/storage.js';
-export type { AuthEvent, AuthEventHandler, AuthEventMap, AuthManagerOptions, AuthSessionInfo, AuthState, ConnectPermissionRequest, DisconnectOptions, IdentityInfo, IdentityVaultBackup, ImportFromPhraseOptions, ImportFromPortableOptions, LocalConnectOptions, LocalDwnStrategy, PortableIdentity, ProviderAuthParams, ProviderAuthResult, RegistrationOptions, RegistrationTokenData, RestoreSessionOptions, StorageAdapter, SyncOption, WalletConnectOptions, } from './types.js';
+export type { AuthEvent, AuthEventHandler, AuthEventMap, AuthManagerOptions, AuthSessionInfo, AuthState, ConnectPermissionRequest, DisconnectOptions, HeadlessConnectOptions, IdentityInfo, IdentityVaultBackup, ImportFromPhraseOptions, ImportFromPortableOptions, LocalConnectOptions, LocalDwnStrategy, PortableIdentity, ProviderAuthParams, ProviderAuthResult, RegistrationOptions, RegistrationTokenData, RestoreSessionOptions, ShutdownOptions, StorageAdapter, SyncOption, WalletConnectOptions, } from './types.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAI/C,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAG/D,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAGnE,OAAO,EACL,sBAAsB,EACtB,8BAA8B,EAC9B,qBAAqB,EACrB,uBAAuB,EACvB,aAAa,EACb,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAGzG,YAAY,EACV,SAAS,EACT,gBAAgB,EAChB,YAAY,EACZ,kBAAkB,EAClB,eAAe,EACf,SAAS,EACT,wBAAwB,EACxB,iBAAiB,EACjB,YAAY,EACZ,mBAAmB,EACnB,uBAAuB,EACvB,yBAAyB,EACzB,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,qBAAqB,EACrB,cAAc,EACd,UAAU,EACV,oBAAoB,GACrB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAG/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,YAAY,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAI9D,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAG/D,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAGnE,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAGzF,OAAO,EACL,sBAAsB,EACtB,8BAA8B,EAC9B,qBAAqB,EACrB,gBAAgB,EAChB,uBAAuB,EACvB,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAGzG,YAAY,EACV,SAAS,EACT,gBAAgB,EAChB,YAAY,EACZ,kBAAkB,EAClB,eAAe,EACf,SAAS,EACT,wBAAwB,EACxB,iBAAiB,EACjB,sBAAsB,EACtB,YAAY,EACZ,mBAAmB,EACnB,uBAAuB,EACvB,yBAAyB,EACzB,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,qBAAqB,EACrB,eAAe,EACf,cAAc,EACd,UAAU,EACV,oBAAoB,GACrB,MAAM,YAAY,CAAC"}

package/dist/types/password-provider.d.ts

@@ -0,0 +1,194 @@
+/**
+ * PasswordProvider — composable password acquisition strategies.
+ *
+ * Replaces ad-hoc password prompting scattered across CLI consumers
+ * (env vars, raw-mode TTY, `/dev/tty` + `stty`, `@clack/prompts`, etc.)
+ * with a single, composable abstraction.
+ *
+ * @example Chained provider (env first, fall back to TTY)
+ * ```ts
+ * import { PasswordProvider } from '@enbox/auth';
+ *
+ * const provider = PasswordProvider.chain([
+ *   PasswordProvider.fromEnv('ENBOX_PASSWORD'),
+ *   PasswordProvider.fromTty({ prompt: 'Vault password: ' }),
+ * ]);
+ *
+ * const auth = await AuthManager.create({ passwordProvider: provider });
+ * ```
+ *
+ * @module
+ */
+/** Context passed to a password provider explaining why a password is needed. */
+export interface PasswordContext {
+    /**
+     * Why the password is being requested.
+     *
+     * - `'create'` — first launch, creating a new vault (prompt may ask
+     *   for confirmation).
+     * - `'unlock'` — unlocking an existing vault.
+     */
+    reason: 'create' | 'unlock';
+}
+/**
+ * A strategy for obtaining a vault password.
+ *
+ * Implementations may be interactive (TTY prompts) or non-interactive
+ * (environment variables, cached values). Use {@link PasswordProvider.chain}
+ * to compose multiple strategies with automatic fallback.
+ */
+export interface PasswordProvider {
+    /**
+     * Obtain a password.
+     *
+     * @param context - Why the password is needed.
+     * @returns The password string.
+     * @throws If the provider cannot obtain a password (e.g. env var
+     *   not set, no TTY available). The error is caught by `chain()`
+     *   which falls through to the next provider.
+     */
+    getPassword(context: PasswordContext): Promise<string>;
+}
+/** @internal Minimal interface for an stdin-like readable stream. */
+export interface TtyReadable {
+    isTTY?: boolean;
+    setRawMode(mode: boolean): void;
+    setEncoding(encoding: string): void;
+    resume(): void;
+    pause(): void;
+    on(event: 'data', listener: (chunk: string) => void): void;
+    removeListener(event: 'data', listener: (chunk: string) => void): void;
+}
+/** @internal Minimal interface for an stdout-like writable stream. */
+export interface TtyWritable {
+    write(data: string): boolean;
+}
+/**
+ * Read a password from a raw-mode TTY stream.
+ *
+ * Reads character-by-character with no echo. Handles Enter (resolve),
+ * Ctrl-C (reject), backspace, and printable characters.
+ *
+ * @internal Exported for testing only.
+ */
+export declare function readPasswordRawMode(stdin: TtyReadable, stdout: TtyWritable, prompt: string): Promise<string>;
+/** @internal Injectable I/O for testing `readPasswordDevTty`. */
+export interface DevTtyIo {
+    openSync(path: string, flags: string): number;
+    readSync(fd: number, buf: Uint8Array, offset: number, length: number, position: null): number;
+    writeSync(fd: number, data: string): number;
+    closeSync(fd: number): void;
+    execSync(cmd: string, opts: {
+        stdio: string;
+    }): void;
+}
+/**
+ * Read a password from `/dev/tty` using synchronous I/O.
+ *
+ * Opens `/dev/tty` directly, uses `stty -echo` to suppress input,
+ * reads until newline, then restores echo and closes file descriptors.
+ *
+ * @param prompt - The prompt string to display.
+ * @param io - Injectable I/O functions (defaults to `node:fs` + `node:child_process`).
+ * @internal Exported for testing only.
+ */
+export declare function readPasswordDevTty(prompt: string, io?: DevTtyIo): Promise<string>;
+export declare namespace PasswordProvider {
+    /**
+     * Read the password from an environment variable.
+     *
+     * Throws if the variable is not set or is empty, allowing `chain()`
+     * to fall through to the next provider.
+     *
+     * @param envVar - Name of the environment variable. Default: `'ENBOX_PASSWORD'`.
+     *
+     * @example
+     * ```ts
+     * const provider = PasswordProvider.fromEnv('MY_APP_PASSWORD');
+     * ```
+     */
+    function fromEnv(envVar?: string): PasswordProvider;
+    /**
+     * Wrap an async callback as a password provider.
+     *
+     * This is the escape hatch for custom UI (e.g. `@clack/prompts`,
+     * Electron dialog, browser modal).
+     *
+     * @param callback - Called with the password context; must return a password string.
+     *
+     * @example
+     * ```ts
+     * const provider = PasswordProvider.fromCallback(async ({ reason }) => {
+     *   if (reason === 'create') {
+     *     return await showCreatePasswordDialog();
+     *   }
+     *   return await showUnlockDialog();
+     * });
+     * ```
+     */
+    function fromCallback(callback: (context: PasswordContext) => Promise<string>): PasswordProvider;
+    /**
+     * Prompt for a password via `process.stdin` in raw mode.
+     *
+     * Input is read character-by-character with no echo. Handles
+     * backspace and Ctrl-C (rejects with an error). Only works when
+     * `process.stdin.isTTY` is `true`; throws otherwise so `chain()`
+     * can fall through to the next provider.
+     *
+     * Suitable for main CLI processes that own stdin/stdout.
+     *
+     * @param options - Optional configuration.
+     * @param options.prompt - Text to display before reading. Default: `'Vault password: '`.
+     *
+     * @example
+     * ```ts
+     * const provider = PasswordProvider.fromTty({ prompt: 'Password: ' });
+     * ```
+     */
+    function fromTty(options?: {
+        prompt?: string;
+    }): PasswordProvider;
+    /**
+     * Prompt for a password via `/dev/tty` (Unix only).
+     *
+     * Opens `/dev/tty` directly, bypassing `process.stdin`. This is
+     * essential for subprocesses where stdin is owned by the parent
+     * (e.g. Git credential helpers, SSH, GPG). Uses `stty -echo` to
+     * suppress input echo.
+     *
+     * Throws if `/dev/tty` cannot be opened (e.g. non-Unix platform,
+     * no controlling terminal), allowing `chain()` to fall through.
+     *
+     * @param options - Optional configuration.
+     * @param options.prompt - Text to display before reading. Default: `'Vault password: '`.
+     *
+     * @example
+     * ```ts
+     * // For git credential helpers:
+     * const provider = PasswordProvider.fromDevTty();
+     * ```
+     */
+    function fromDevTty(options?: {
+        prompt?: string;
+    }): PasswordProvider;
+    /**
+     * Compose multiple providers with automatic fallback.
+     *
+     * Tries each provider in order. If a provider throws, the next one
+     * is tried. If all providers fail, the last error is rethrown.
+     *
+     * @param providers - Ordered list of providers to try.
+     *
+     * @example
+     * ```ts
+     * // Try env var first, then interactive TTY, then /dev/tty for subprocesses.
+     * const provider = PasswordProvider.chain([
+     *   PasswordProvider.fromEnv('ENBOX_PASSWORD'),
+     *   PasswordProvider.fromTty(),
+     *   PasswordProvider.fromDevTty(),
+     * ]);
+     * ```
+     */
+    function chain(providers: PasswordProvider[]): PasswordProvider;
+}
+//# sourceMappingURL=password-provider.d.ts.map

package/dist/types/password-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-provider.d.ts","sourceRoot":"","sources":["../../src/password-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAIH,iFAAiF;AACjF,MAAM,WAAW,eAAe;IAC9B;;;;;;OAMG;IACH,MAAM,EAAE,QAAQ,GAAG,QAAQ,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;;;;;OAQG;IACH,WAAW,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACxD;AAID,qEAAqE;AACrE,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,CAAC;IAChC,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,MAAM,IAAI,IAAI,CAAC;IACf,KAAK,IAAI,IAAI,CAAC;IACd,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG,IAAI,CAAC;IAC3D,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG,IAAI,CAAC;CACxE;AAED,sEAAsE;AACtE,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;CAC9B;AAID;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,WAAW,EAClB,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAuCjB;AAED,iEAAiE;AACjE,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IAC9C,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,GAAG,MAAM,CAAC;IAC9F,SAAS,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5C,SAAS,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CACtD;AAED;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,MAAM,EACd,EAAE,CAAC,EAAE,QAAQ,GACZ,OAAO,CAAC,MAAM,CAAC,CAkEjB;AAKD,yBAAiB,gBAAgB,CAAC;IAEhC;;;;;;;;;;;;OAYG;IACH,SAAgB,OAAO,CAAC,MAAM,SAAmB,GAAG,gBAAgB,CAYnE;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,SAAgB,YAAY,CAC1B,QAAQ,EAAE,CAAC,OAAO,EAAE,eAAe,KAAK,OAAO,CAAC,MAAM,CAAC,GACtD,gBAAgB,CAElB;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,SAAgB,OAAO,CAAC,OAAO,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAA;KAAO,GAAG,gBAAgB,CAkB3E;IAED;;;;;;;;;;;;;;;;;;;OAmBG;IACH,SAAgB,UAAU,CAAC,OAAO,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAA;KAAO,GAAG,gBAAgB,CAQ9E;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,SAAgB,KAAK,CAAC,SAAS,EAAE,gBAAgB,EAAE,GAAG,gBAAgB,CAoBrE;CACF"}