@enbox/auth 0.4.0 → 0.6.0

package/dist/esm/connect/import.js

@@ -0,0 +1,131 @@
+/**
+ * Identity import flows.
+ *
+ * - Import from BIP-39 recovery phrase (re-derive vault + identity).
+ * - Import from PortableIdentity JSON.
+ * @module
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import { DEFAULT_DWN_ENDPOINTS } from '../types.js';
+import { registerWithDwnEndpoints } from '../registration.js';
+import { createDefaultIdentity, ensureVaultReady, finalizeSession, resolveIdentityDids, startSyncIfEnabled } from './lifecycle.js';
+/**
+ * Import (or recover) an identity from a BIP-39 recovery phrase.
+ *
+ * This re-initializes the vault with the given phrase and password,
+ * recovering the agent DID and all derived keys.
+ */
+export function importFromPhrase(ctx, options) {
+    return __awaiter(this, void 0, void 0, function* () {
+        var _a, _b, _c;
+        const { userAgent, emitter, storage } = ctx;
+        const { recoveryPhrase, password } = options;
+        const sync = (_a = options.sync) !== null && _a !== void 0 ? _a : ctx.defaultSync;
+        const dwnEndpoints = (_c = (_b = options.dwnEndpoints) !== null && _b !== void 0 ? _b : ctx.defaultDwnEndpoints) !== null && _c !== void 0 ? _c : DEFAULT_DWN_ENDPOINTS;
+        // Initialize the vault with the recovery phrase and start the agent.
+        const isFirstLaunch = yield userAgent.firstLaunch();
+        yield ensureVaultReady({
+            userAgent,
+            emitter,
+            password,
+            isFirstLaunch,
+            recoveryPhrase,
+            dwnEndpoints,
+        });
+        // The recovery phrase re-derives the same agent DID,
+        // but the user identity might not exist yet — create one if needed.
+        const identities = yield userAgent.identity.list();
+        let identity = identities[0];
+        let isNewIdentity = false;
+        if (!identity) {
+            isNewIdentity = true;
+            identity = yield createDefaultIdentity(userAgent, dwnEndpoints);
+        }
+        const { connectedDid, delegateDid } = resolveIdentityDids(identity);
+        // Register with DWN endpoints (if registration options are provided).
+        if (ctx.registration) {
+            yield registerWithDwnEndpoints({
+                userAgent: userAgent,
+                dwnEndpoints,
+                agentDid: userAgent.agentDid.uri,
+                connectedDid,
+                storage: storage,
+            }, ctx.registration);
+        }
+        // Register sync for new identities.
+        if (isNewIdentity && sync !== 'off') {
+            yield userAgent.sync.registerIdentity({
+                did: connectedDid,
+                options: { delegateDid, protocols: [] },
+            });
+        }
+        // Start sync.
+        startSyncIfEnabled(userAgent, sync);
+        // Persist session info, build AuthSession, and emit lifecycle events.
+        return finalizeSession({
+            userAgent,
+            emitter,
+            storage,
+            connectedDid,
+            delegateDid,
+            identityName: identity.metadata.name,
+            identityConnectedDid: identity.metadata.connectedDid,
+        });
+    });
+}
+/**
+ * Import an identity from a PortableIdentity JSON object.
+ *
+ * The portable identity contains the DID's private keys and metadata,
+ * allowing it to be used on this device.
+ */
+export function importFromPortable(ctx, options) {
+    return __awaiter(this, void 0, void 0, function* () {
+        var _a, _b;
+        const { userAgent, emitter, storage } = ctx;
+        const sync = (_a = options.sync) !== null && _a !== void 0 ? _a : ctx.defaultSync;
+        const identity = yield userAgent.identity.import({
+            portableIdentity: options.portableIdentity,
+        });
+        const { connectedDid, delegateDid } = resolveIdentityDids(identity);
+        // Register with DWN endpoints (if registration options are provided).
+        // For portable imports, extract endpoints from the DID document's DWN service.
+        if (ctx.registration) {
+            const dwnEndpoints = (_b = ctx.defaultDwnEndpoints) !== null && _b !== void 0 ? _b : DEFAULT_DWN_ENDPOINTS;
+            yield registerWithDwnEndpoints({
+                userAgent: userAgent,
+                dwnEndpoints,
+                agentDid: userAgent.agentDid.uri,
+                connectedDid,
+                storage: storage,
+            }, ctx.registration);
+        }
+        // Register and start sync.
+        if (sync !== 'off') {
+            yield userAgent.sync.registerIdentity({
+                did: connectedDid,
+                options: { delegateDid, protocols: [] },
+            });
+        }
+        startSyncIfEnabled(userAgent, sync);
+        // Persist session info, build AuthSession, and emit lifecycle events.
+        return finalizeSession({
+            userAgent,
+            emitter,
+            storage,
+            connectedDid,
+            delegateDid,
+            identityName: identity.metadata.name,
+            identityConnectedDid: identity.metadata.connectedDid,
+        });
+    });
+}
+//# sourceMappingURL=import.js.map

package/dist/esm/connect/import.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"import.js","sourceRoot":"","sources":["../../../src/connect/import.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;;;;;;;;;;AAMH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEnI;;;;;GAKG;AACH,MAAM,UAAgB,gBAAgB,CACpC,GAAgB,EAChB,OAAgC;;;QAEhC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;QAC5C,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAC7C,MAAM,IAAI,GAAG,MAAA,OAAO,CAAC,IAAI,mCAAI,GAAG,CAAC,WAAW,CAAC;QAC7C,MAAM,YAAY,GAAG,MAAA,MAAA,OAAO,CAAC,YAAY,mCAAI,GAAG,CAAC,mBAAmB,mCAAI,qBAAqB,CAAC;QAE9F,qEAAqE;QACrE,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,gBAAgB,CAAC;YACrB,SAAS;YACT,OAAO;YACP,QAAQ;YACR,aAAa;YACb,cAAc;YACd,YAAY;SACb,CAAC,CAAC;QAEH,qDAAqD;QACrD,oEAAoE;QACpE,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnD,IAAI,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,aAAa,GAAG,KAAK,CAAC;QAE1B,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,aAAa,GAAG,IAAI,CAAC;YACrB,QAAQ,GAAG,MAAM,qBAAqB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QAClE,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAEpE,sEAAsE;QACtE,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACrB,MAAM,wBAAwB,CAC5B;gBACE,SAAS,EAAG,SAAS;gBACrB,YAAY;gBACZ,QAAQ,EAAI,SAAS,CAAC,QAAQ,CAAC,GAAG;gBAClC,YAAY;gBACZ,OAAO,EAAK,OAAO;aACpB,EACD,GAAG,CAAC,YAAY,CACjB,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,IAAI,aAAa,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;YACpC,MAAM,SAAS,CAAC,IAAI,CAAC,gBAAgB,CAAC;gBACpC,GAAG,EAAO,YAAY;gBACtB,OAAO,EAAG,EAAE,WAAW,EAAE,SAAS,EAAE,EAAE,EAAE;aACzC,CAAC,CAAC;QACL,CAAC;QAED,cAAc;QACd,kBAAkB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAEpC,sEAAsE;QACtE,OAAO,eAAe,CAAC;YACrB,SAAS;YACT,OAAO;YACP,OAAO;YACP,YAAY;YACZ,WAAW;YACX,YAAY,EAAW,QAAQ,CAAC,QAAQ,CAAC,IAAI;YAC7C,oBAAoB,EAAG,QAAQ,CAAC,QAAQ,CAAC,YAAY;SACtD,CAAC,CAAC;IACL,CAAC;CAAA;AAED;;;;;GAKG;AACH,MAAM,UAAgB,kBAAkB,CACtC,GAAgB,EAChB,OAAkC;;;QAElC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;QAC5C,MAAM,IAAI,GAAG,MAAA,OAAO,CAAC,IAAI,mCAAI,GAAG,CAAC,WAAW,CAAC;QAE7C,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC/C,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;SAC3C,CAAC,CAAC;QAEH,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAEpE,sEAAsE;QACtE,+EAA+E;QAC/E,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACrB,MAAM,YAAY,GAAG,MAAA,GAAG,CAAC,mBAAmB,mCAAI,qBAAqB,CAAC;YACtE,MAAM,wBAAwB,CAC5B;gBACE,SAAS,EAAG,SAAS;gBACrB,YAAY;gBACZ,QAAQ,EAAI,SAAS,CAAC,QAAQ,CAAC,GAAG;gBAClC,YAAY;gBACZ,OAAO,EAAK,OAAO;aACpB,EACD,GAAG,CAAC,YAAY,CACjB,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;YACnB,MAAM,SAAS,CAAC,IAAI,CAAC,gBAAgB,CAAC;gBACpC,GAAG,EAAO,YAAY;gBACtB,OAAO,EAAG,EAAE,WAAW,EAAE,SAAS,EAAE,EAAE,EAAE;aACzC,CAAC,CAAC;QACL,CAAC;QAED,kBAAkB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAEpC,sEAAsE;QACtE,OAAO,eAAe,CAAC;YACrB,SAAS;YACT,OAAO;YACP,OAAO;YACP,YAAY;YACZ,WAAW;YACX,YAAY,EAAW,QAAQ,CAAC,QAAQ,CAAC,IAAI;YAC7C,oBAAoB,EAAG,QAAQ,CAAC,QAAQ,CAAC,YAAY;SACtD,CAAC,CAAC;IACL,CAAC;CAAA"}

package/dist/esm/connect/lifecycle.js

@@ -0,0 +1,235 @@
+/**
+ * Shared helpers for connect flows.
+ *
+ * Consolidates duplicated logic across `local-connect`, `session-restore`,
+ * `wallet-connect`, and `import-identity` flows:
+ *
+ * - Password resolution chain
+ * - Vault init/start lifecycle
+ * - Sync mode/interval calculation and startup
+ * - `connectedDid` / `delegateDid` derivation from identity metadata
+ * - Session finalization (storage persistence + AuthSession construction + events)
+ *
+ * @module
+ * @internal
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import { AuthSession } from '../identity-session.js';
+import { DEFAULT_DWN_ENDPOINTS, INSECURE_DEFAULT_PASSWORD, STORAGE_KEYS } from '../types.js';
+// ─── resolvePassword ─────────────────────────────────────────────
+/**
+ * Resolve a password through the standard chain:
+ * explicit option → manager default → provider → insecure fallback.
+ *
+ * Emits a console warning when the insecure default is used.
+ *
+ * @param ctx          - The flow context (provides `defaultPassword` and `passwordProvider`).
+ * @param explicit     - An explicit password from the caller (highest priority).
+ * @param isFirstLaunch - Whether the vault has never been initialized.
+ * @returns The resolved password string.
+ *
+ * @internal
+ */
+export function resolvePassword(ctx, explicit, isFirstLaunch) {
+    return __awaiter(this, void 0, void 0, function* () {
+        let password = explicit !== null && explicit !== void 0 ? explicit : ctx.defaultPassword;
+        if (!password && ctx.passwordProvider) {
+            try {
+                password = yield ctx.passwordProvider.getPassword({
+                    reason: isFirstLaunch ? 'create' : 'unlock',
+                });
+            }
+            catch (_a) {
+                // Provider failed — fall through to insecure default.
+            }
+        }
+        password !== null && password !== void 0 ? password : (password = INSECURE_DEFAULT_PASSWORD);
+        if (password === INSECURE_DEFAULT_PASSWORD) {
+            console.warn('[@enbox/auth] SECURITY WARNING: No password set. Using insecure default. ' +
+                'Set a password via AuthManager.create({ password }) or connect({ password }) ' +
+                'to protect your identity vault.');
+        }
+        return password;
+    });
+}
+// ─── ensureVaultReady ────────────────────────────────────────────
+/**
+ * Initialize (on first launch) and start the agent, then emit `vault-unlocked`.
+ *
+ * This consolidates the 5 copies of:
+ * ```ts
+ * if (isFirstLaunch) { await userAgent.initialize({ password, ... }); }
+ * await userAgent.start({ password });
+ * emitter.emit('vault-unlocked', {});
+ * ```
+ *
+ * @returns The recovery phrase if the vault was just initialized, otherwise `undefined`.
+ *
+ * @internal
+ */
+export function ensureVaultReady(params) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { userAgent, emitter, password, isFirstLaunch } = params;
+        let recoveryPhrase;
+        if (isFirstLaunch) {
+            recoveryPhrase = yield userAgent.initialize({
+                password,
+                recoveryPhrase: params.recoveryPhrase,
+                dwnEndpoints: params.dwnEndpoints,
+            });
+        }
+        yield userAgent.start({ password });
+        emitter.emit('vault-unlocked', {});
+        return recoveryPhrase;
+    });
+}
+// ─── startSyncIfEnabled ─────────────────────────────────────────
+/**
+ * Start DWN synchronisation if `sync` is not `'off'`.
+ *
+ * Consolidates 6 copies of:
+ * ```ts
+ * const syncMode = sync === undefined ? 'live' : 'poll';
+ * const syncInterval = sync ?? (syncMode === 'live' ? '5m' : '2m');
+ * userAgent.sync.startSync({ mode: syncMode, interval: syncInterval })
+ *   .catch((err) => console.error('[@enbox/auth] Sync failed:', err));
+ * ```
+ *
+ * @internal
+ */
+export function startSyncIfEnabled(userAgent, sync) {
+    if (sync === 'off') {
+        return;
+    }
+    const syncMode = sync === undefined ? 'live' : 'poll';
+    const syncInterval = sync !== null && sync !== void 0 ? sync : (syncMode === 'live' ? '5m' : '2m');
+    userAgent.sync.startSync({ mode: syncMode, interval: syncInterval })
+        .catch((err) => {
+        console.error('[@enbox/auth] Sync failed:', err);
+    });
+}
+// ─── createDefaultIdentity ──────────────────────────────────────
+/**
+ * Create a new `did:dht` identity with Ed25519 signing and X25519
+ * encryption keys, and a DWN service endpoint.
+ *
+ * This consolidates the identical identity creation block that was
+ * duplicated in `localConnect` and `importFromPhrase`.
+ *
+ * @internal
+ */
+export function createDefaultIdentity(userAgent_1) {
+    return __awaiter(this, arguments, void 0, function* (userAgent, dwnEndpoints = DEFAULT_DWN_ENDPOINTS, name = 'Default') {
+        return userAgent.identity.create({
+            didMethod: 'dht',
+            metadata: { name },
+            didOptions: {
+                services: [
+                    {
+                        id: 'dwn',
+                        type: 'DecentralizedWebNode',
+                        serviceEndpoint: dwnEndpoints,
+                    }
+                ],
+                verificationMethods: [
+                    {
+                        algorithm: 'Ed25519',
+                        id: 'sig',
+                        purposes: ['assertionMethod', 'authentication'],
+                    },
+                    {
+                        algorithm: 'X25519',
+                        id: 'enc',
+                        purposes: ['keyAgreement'],
+                    },
+                ],
+            },
+        });
+    });
+}
+// ─── resolveIdentityDids ────────────────────────────────────────
+/**
+ * Derive `connectedDid` and `delegateDid` from identity metadata.
+ *
+ * For a **local** identity: `connectedDid` is the identity's own DID URI
+ * and `delegateDid` is `undefined`.
+ *
+ * For a **wallet-connected** identity: `connectedDid` is the external wallet
+ * DID, and `delegateDid` is the local identity's DID URI.
+ *
+ * @param identity            - The bearer identity to extract DIDs from.
+ * @param storedDelegateDid   - Optional fallback delegate DID from storage,
+ *   used by session-restore when the identity metadata doesn't include a
+ *   `connectedDid` but a delegate DID was persisted in a prior session.
+ *
+ * @internal
+ */
+export function resolveIdentityDids(identity, storedDelegateDid) {
+    var _a;
+    const connectedDid = (_a = identity.metadata.connectedDid) !== null && _a !== void 0 ? _a : identity.did.uri;
+    const delegateDid = identity.metadata.connectedDid
+        ? identity.did.uri
+        : (storedDelegateDid !== null && storedDelegateDid !== void 0 ? storedDelegateDid : undefined);
+    return { connectedDid, delegateDid };
+}
+// ─── finalizeSession ────────────────────────────────────────────
+/**
+ * Persist session markers, build an `AuthSession`, and emit lifecycle events.
+ *
+ * Consolidates 5 copies of:
+ * ```ts
+ * await storage.set(STORAGE_KEYS.PREVIOUSLY_CONNECTED, 'true');
+ * await storage.set(STORAGE_KEYS.ACTIVE_IDENTITY, connectedDid);
+ * const session = new AuthSession({ ... });
+ * emitter.emit('identity-added', { identity: identityInfo });
+ * emitter.emit('session-start', { session: { ... } });
+ * ```
+ *
+ * @param params.emitIdentityAdded - Whether to emit `identity-added`. Defaults to `true`.
+ *   Set to `false` for session-restore (identity was already added in the original flow).
+ * @param params.extraStorageKeys  - Additional key-value pairs to persist (e.g. delegate/connected DIDs
+ *   for wallet-connect flows).
+ *
+ * @internal
+ */
+export function finalizeSession(params) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { userAgent, emitter, storage, connectedDid, delegateDid, recoveryPhrase, identityName, identityConnectedDid, emitIdentityAdded = true, extraStorageKeys, } = params;
+        // Persist session markers.
+        yield storage.set(STORAGE_KEYS.PREVIOUSLY_CONNECTED, 'true');
+        yield storage.set(STORAGE_KEYS.ACTIVE_IDENTITY, connectedDid);
+        if (extraStorageKeys) {
+            for (const [key, value] of Object.entries(extraStorageKeys)) {
+                yield storage.set(key, value);
+            }
+        }
+        const identityInfo = {
+            didUri: connectedDid,
+            name: identityName,
+            connectedDid: identityConnectedDid,
+        };
+        const session = new AuthSession({
+            agent: userAgent,
+            did: connectedDid,
+            delegateDid,
+            recoveryPhrase,
+            identity: identityInfo,
+        });
+        if (emitIdentityAdded) {
+            emitter.emit('identity-added', { identity: identityInfo });
+        }
+        emitter.emit('session-start', {
+            session: { did: connectedDid, delegateDid, identity: identityInfo },
+        });
+        return session;
+    });
+}
+//# sourceMappingURL=lifecycle.js.map

package/dist/esm/connect/lifecycle.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lifecycle.js","sourceRoot":"","sources":["../../../src/connect/lifecycle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;AAQH,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,yBAAyB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAyB7F,oEAAoE;AAEpE;;;;;;;;;;;;GAYG;AACH,MAAM,UAAgB,eAAe,CACnC,GAA8D,EAC9D,QAA4B,EAC5B,aAAsB;;QAEtB,IAAI,QAAQ,GAAG,QAAQ,aAAR,QAAQ,cAAR,QAAQ,GAAI,GAAG,CAAC,eAAe,CAAC;QAE/C,IAAI,CAAC,QAAQ,IAAI,GAAG,CAAC,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,QAAQ,GAAG,MAAM,GAAG,CAAC,gBAAgB,CAAC,WAAW,CAAC;oBAChD,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ;iBAC5C,CAAC,CAAC;YACL,CAAC;YAAC,WAAM,CAAC;gBACP,sDAAsD;YACxD,CAAC;QACH,CAAC;QAED,QAAQ,aAAR,QAAQ,cAAR,QAAQ,IAAR,QAAQ,GAAK,yBAAyB,EAAC;QAEvC,IAAI,QAAQ,KAAK,yBAAyB,EAAE,CAAC;YAC3C,OAAO,CAAC,IAAI,CACV,2EAA2E;gBAC3E,+EAA+E;gBAC/E,iCAAiC,CAClC,CAAC;QACJ,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CAAA;AAED,oEAAoE;AAEpE;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAgB,gBAAgB,CAAC,MAOtC;;QACC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC;QAC/D,IAAI,cAAkC,CAAC;QAEvC,IAAI,aAAa,EAAE,CAAC;YAClB,cAAc,GAAG,MAAM,SAAS,CAAC,UAAU,CAAC;gBAC1C,QAAQ;gBACR,cAAc,EAAG,MAAM,CAAC,cAAc;gBACtC,YAAY,EAAK,MAAM,CAAC,YAAY;aACrC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,SAAS,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;QAEnC,OAAO,cAAc,CAAC;IACxB,CAAC;CAAA;AAED,mEAAmE;AAEnE;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAChC,SAAyB,EACzB,IAA4B;IAE5B,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IACtD,MAAM,YAAY,GAAG,IAAI,aAAJ,IAAI,cAAJ,IAAI,GAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAEjE,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;SACjE,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;QACtB,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;AACP,CAAC;AAED,mEAAmE;AAEnE;;;;;;;;GAQG;AACH,MAAM,UAAgB,qBAAqB;yDACzC,SAAyB,EACzB,eAAyB,qBAAqB,EAC9C,IAAI,GAAG,SAAS;QAEhB,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC/B,SAAS,EAAI,KAAK;YAClB,QAAQ,EAAK,EAAE,IAAI,EAAE;YACrB,UAAU,EAAG;gBACX,QAAQ,EAAE;oBACR;wBACE,EAAE,EAAgB,KAAK;wBACvB,IAAI,EAAc,sBAAsB;wBACxC,eAAe,EAAG,YAAY;qBAC/B;iBACF;gBACD,mBAAmB,EAAE;oBACnB;wBACE,SAAS,EAAG,SAAS;wBACrB,EAAE,EAAU,KAAK;wBACjB,QAAQ,EAAI,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;qBAClD;oBACD;wBACE,SAAS,EAAG,QAAQ;wBACpB,EAAE,EAAU,KAAK;wBACjB,QAAQ,EAAI,CAAC,cAAc,CAAC;qBAC7B;iBACF;aACF;SACF,CAAC,CAAC;IACL,CAAC;CAAA;AAED,mEAAmE;AAEnE;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAwB,EACxB,iBAA0B;;IAK1B,MAAM,YAAY,GAAG,MAAA,QAAQ,CAAC,QAAQ,CAAC,YAAY,mCAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;IACxE,MAAM,WAAW,GAAG,QAAQ,CAAC,QAAQ,CAAC,YAAY;QAChD,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG;QAClB,CAAC,CAAC,CAAC,iBAAiB,aAAjB,iBAAiB,cAAjB,iBAAiB,GAAI,SAAS,CAAC,CAAC;IACrC,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,CAAC;AACvC,CAAC;AAED,mEAAmE;AAEnE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAgB,eAAe,CAAC,MAWrC;;QACC,MAAM,EACJ,SAAS,EACT,OAAO,EACP,OAAO,EACP,YAAY,EACZ,WAAW,EACX,cAAc,EACd,YAAY,EACZ,oBAAoB,EACpB,iBAAiB,GAAG,IAAI,EACxB,gBAAgB,GACjB,GAAG,MAAM,CAAC;QAEX,2BAA2B;QAC3B,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;QAC7D,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,eAAe,EAAE,YAAY,CAAC,CAAC;QAE9D,IAAI,gBAAgB,EAAE,CAAC;YACrB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAC5D,MAAM,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QAED,MAAM,YAAY,GAAiB;YACjC,MAAM,EAAS,YAAY;YAC3B,IAAI,EAAW,YAAY;YAC3B,YAAY,EAAG,oBAAoB;SACpC,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC;YAC9B,KAAK,EAAM,SAAS;YACpB,GAAG,EAAQ,YAAY;YACvB,WAAW;YACX,cAAc;YACd,QAAQ,EAAG,YAAY;SACxB,CAAC,CAAC;QAEH,IAAI,iBAAiB,EAAE,CAAC;YACtB,OAAO,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,eAAe,EAAE;YAC5B,OAAO,EAAE,EAAE,GAAG,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE;SACpE,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;CAAA"}

package/dist/esm/connect/local.js

@@ -0,0 +1,91 @@
+/**
+ * Local DID connect flow.
+ *
+ * Creates or reconnects a local identity with vault-protected keys.
+ * This replaces the "Mode D/E" paths in Enbox.connect().
+ * @module
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import { applyLocalDwnDiscovery } from '../discovery.js';
+import { DEFAULT_DWN_ENDPOINTS } from '../types.js';
+import { registerWithDwnEndpoints } from '../registration.js';
+import { createDefaultIdentity, ensureVaultReady, finalizeSession, resolveIdentityDids, resolvePassword, startSyncIfEnabled } from './lifecycle.js';
+/**
+ * Execute the local connect flow.
+ *
+ * - On first launch: initializes the vault, creates a new DID, returns recovery phrase.
+ * - On subsequent launches: unlocks the vault and reconnects to the existing identity.
+ */
+export function localConnect(ctx_1) {
+    return __awaiter(this, arguments, void 0, function* (ctx, options = {}) {
+        var _a, _b, _c, _d, _e;
+        const { userAgent, emitter, storage } = ctx;
+        // Resolve password through the standard chain.
+        const isFirstLaunch = yield userAgent.firstLaunch();
+        const password = yield resolvePassword(ctx, options.password, isFirstLaunch);
+        const sync = (_a = options.sync) !== null && _a !== void 0 ? _a : ctx.defaultSync;
+        const dwnEndpoints = (_c = (_b = options.dwnEndpoints) !== null && _b !== void 0 ? _b : ctx.defaultDwnEndpoints) !== null && _c !== void 0 ? _c : DEFAULT_DWN_ENDPOINTS;
+        // Initialize vault on first launch and start the agent.
+        const recoveryPhrase = yield ensureVaultReady({
+            userAgent,
+            emitter,
+            password,
+            isFirstLaunch,
+            recoveryPhrase: options.recoveryPhrase,
+            dwnEndpoints,
+        });
+        // Apply local DWN discovery (browser redirect payload or persisted endpoint).
+        // In remote mode, discovery already ran before agent creation — skip.
+        if (!userAgent.dwn.isRemoteMode) {
+            yield applyLocalDwnDiscovery(userAgent, storage, emitter);
+        }
+        // Find or create the user identity.
+        const identities = yield userAgent.identity.list();
+        let identity = identities[0];
+        let isNewIdentity = false;
+        if (!identity) {
+            isNewIdentity = true;
+            identity = yield createDefaultIdentity(userAgent, dwnEndpoints, (_e = (_d = options.metadata) === null || _d === void 0 ? void 0 : _d.name) !== null && _e !== void 0 ? _e : 'Default');
+        }
+        const { connectedDid, delegateDid } = resolveIdentityDids(identity);
+        // Register with DWN endpoints (if registration options are provided).
+        if (ctx.registration) {
+            yield registerWithDwnEndpoints({
+                userAgent: userAgent,
+                dwnEndpoints,
+                agentDid: userAgent.agentDid.uri,
+                connectedDid,
+                storage: storage,
+            }, ctx.registration);
+        }
+        // Register sync for new identities.
+        if (isNewIdentity && sync !== 'off') {
+            yield userAgent.sync.registerIdentity({
+                did: connectedDid,
+                options: { delegateDid, protocols: [] },
+            });
+        }
+        // Start sync.
+        startSyncIfEnabled(userAgent, sync);
+        // Persist session info, build AuthSession, and emit lifecycle events.
+        return finalizeSession({
+            userAgent,
+            emitter,
+            storage,
+            connectedDid,
+            delegateDid,
+            recoveryPhrase,
+            identityName: identity.metadata.name,
+            identityConnectedDid: identity.metadata.connectedDid,
+        });
+    });
+}
+//# sourceMappingURL=local.js.map

package/dist/esm/connect/local.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local.js","sourceRoot":"","sources":["../../../src/connect/local.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;;;;;;;;;;AAMH,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,mBAAmB,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEpJ;;;;;GAKG;AACH,MAAM,UAAgB,YAAY;yDAChC,GAAgB,EAChB,UAA+B,EAAE;;QAEjC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;QAE5C,+CAA+C;QAC/C,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,OAAO,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;QAE7E,MAAM,IAAI,GAAG,MAAA,OAAO,CAAC,IAAI,mCAAI,GAAG,CAAC,WAAW,CAAC;QAC7C,MAAM,YAAY,GAAG,MAAA,MAAA,OAAO,CAAC,YAAY,mCAAI,GAAG,CAAC,mBAAmB,mCAAI,qBAAqB,CAAC;QAE9F,wDAAwD;QACxD,MAAM,cAAc,GAAG,MAAM,gBAAgB,CAAC;YAC5C,SAAS;YACT,OAAO;YACP,QAAQ;YACR,aAAa;YACb,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,YAAY;SACb,CAAC,CAAC;QAEH,8EAA8E;QAC9E,sEAAsE;QACtE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;YAChC,MAAM,sBAAsB,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC5D,CAAC;QAED,oCAAoC;QACpC,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnD,IAAI,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,aAAa,GAAG,KAAK,CAAC;QAE1B,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,aAAa,GAAG,IAAI,CAAC;YACrB,QAAQ,GAAG,MAAM,qBAAqB,CAAC,SAAS,EAAE,YAAY,EAAE,MAAA,MAAA,OAAO,CAAC,QAAQ,0CAAE,IAAI,mCAAI,SAAS,CAAC,CAAC;QACvG,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAEpE,sEAAsE;QACtE,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACrB,MAAM,wBAAwB,CAC5B;gBACE,SAAS,EAAG,SAAS;gBACrB,YAAY;gBACZ,QAAQ,EAAI,SAAS,CAAC,QAAQ,CAAC,GAAG;gBAClC,YAAY;gBACZ,OAAO,EAAK,OAAO;aACpB,EACD,GAAG,CAAC,YAAY,CACjB,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,IAAI,aAAa,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;YACpC,MAAM,SAAS,CAAC,IAAI,CAAC,gBAAgB,CAAC;gBACpC,GAAG,EAAO,YAAY;gBACtB,OAAO,EAAG,EAAE,WAAW,EAAE,SAAS,EAAE,EAAE,EAAE;aACzC,CAAC,CAAC;QACL,CAAC;QAED,cAAc;QACd,kBAAkB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAEpC,sEAAsE;QACtE,OAAO,eAAe,CAAC;YACrB,SAAS;YACT,OAAO;YACP,OAAO;YACP,YAAY;YACZ,WAAW;YACX,cAAc;YACd,YAAY,EAAW,QAAQ,CAAC,QAAQ,CAAC,IAAI;YAC7C,oBAAoB,EAAG,QAAQ,CAAC,QAAQ,CAAC,YAAY;SACtD,CAAC,CAAC;IACL,CAAC;CAAA"}

package/dist/esm/{flows/session-restore.js → connect/restore.js}

@@ -14,9 +14,9 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-import { applyLocalDwnDiscovery } from './dwn-discovery.js';
-import { AuthSession } from '../identity-session.js';
-import { INSECURE_DEFAULT_PASSWORD, STORAGE_KEYS } from '../types.js';
+import { applyLocalDwnDiscovery } from '../discovery.js';
+import { STORAGE_KEYS } from '../types.js';
+import { ensureVaultReady, finalizeSession, resolveIdentityDids, resolvePassword, startSyncIfEnabled } from './lifecycle.js';
 /**
  * Attempt to restore a previous session.
  *
@@ -25,35 +25,40 @@ import { INSECURE_DEFAULT_PASSWORD, STORAGE_KEYS } from '../types.js';
  */
 export function restoreSession(ctx_1) {
     return __awaiter(this, arguments, void 0, function* (ctx, options = {}) {
-        var _a, _b;
         const { userAgent, emitter, storage } = ctx;
         // Check if there was a previous session.
         const previouslyConnected = yield storage.get(STORAGE_KEYS.PREVIOUSLY_CONNECTED);
         if (previouslyConnected !== 'true') {
             return undefined;
         }
-        // Resolve password: explicit option → callback → manager default → insecure fallback.
-        let password = (_a = options.password) !== null && _a !== void 0 ? _a : ctx.defaultPassword;
-        if (!password && options.onPasswordRequired) {
-            password = yield options.onPasswordRequired();
+        // Resolve password: explicit option → callback → provider → manager default → insecure fallback.
+        // Note: restoreSession has an extra `onPasswordRequired` callback that sits between
+        // the explicit password and the provider. We handle that here, then delegate the
+        // remainder of the chain to `resolvePassword()`.
+        let explicitPassword = options.password;
+        if (!explicitPassword && !ctx.defaultPassword && options.onPasswordRequired) {
+            explicitPassword = yield options.onPasswordRequired();
         }
-        password !== null && password !== void 0 ? password : (password = INSECURE_DEFAULT_PASSWORD);
-        // Warn if using insecure default.
-        if (password === INSECURE_DEFAULT_PASSWORD) {
-            console.warn('[@enbox/auth] SECURITY WARNING: No password set. Using insecure default. ' +
-                'Set a password to protect your identity vault.');
-        }
-        // Start the agent (initializes + unlocks vault).
-        if (yield userAgent.firstLaunch()) {
-            // Vault doesn't exist yet — this shouldn't happen if previouslyConnected is true.
-            // Clean up the stale flag and return undefined.
+        // Check for stale session marker: if the vault was never initialized,
+        // previouslyConnected is a leftover — clean up and bail.
+        const isFirstLaunch = yield userAgent.firstLaunch();
+        if (isFirstLaunch) {
             yield storage.remove(STORAGE_KEYS.PREVIOUSLY_CONNECTED);
             return undefined;
         }
-        yield userAgent.start({ password });
-        emitter.emit('vault-unlocked', {});
+        const password = yield resolvePassword(ctx, explicitPassword, false);
+        // Start the agent (vault is known to exist).
+        yield ensureVaultReady({
+            userAgent,
+            emitter,
+            password,
+            isFirstLaunch: false,
+        });
         // Apply local DWN discovery (browser redirect payload or persisted endpoint).
-        yield applyLocalDwnDiscovery(userAgent, storage, emitter);
+        // In remote mode, discovery already ran before agent creation — skip.
+        if (!userAgent.dwn.isRemoteMode) {
+            yield applyLocalDwnDiscovery(userAgent, storage, emitter);
+        }
         // Determine which identity to reconnect.
         const activeIdentityDid = yield storage.get(STORAGE_KEYS.ACTIVE_IDENTITY);
         const storedDelegateDid = yield storage.get(STORAGE_KEYS.DELEGATE_DID);
@@ -78,37 +83,21 @@ export function restoreSession(ctx_1) {
             yield storage.remove(STORAGE_KEYS.CONNECTED_DID);
             return undefined;
         }
-        const connectedDid = (_b = identity.metadata.connectedDid) !== null && _b !== void 0 ? _b : identity.did.uri;
-        const delegateDid = identity.metadata.connectedDid
-            ? identity.did.uri
-            : (storedDelegateDid !== null && storedDelegateDid !== void 0 ? storedDelegateDid : undefined);
+        const { connectedDid, delegateDid } = resolveIdentityDids(identity, storedDelegateDid !== null && storedDelegateDid !== void 0 ? storedDelegateDid : undefined);
         // Start sync.
-        const sync = ctx.defaultSync;
-        if (sync !== 'off') {
-            const syncMode = sync === undefined ? 'live' : 'poll';
-            const syncInterval = sync !== null && sync !== void 0 ? sync : (syncMode === 'live' ? '5m' : '2m');
-            userAgent.sync.startSync({ mode: syncMode, interval: syncInterval })
-                .catch((err) => {
-                console.error('[@enbox/auth] Sync failed:', err);
-            });
-        }
-        // Update persisted session info.
-        yield storage.set(STORAGE_KEYS.ACTIVE_IDENTITY, connectedDid);
-        const identityInfo = {
-            didUri: connectedDid,
-            name: identity.metadata.name,
-            connectedDid: identity.metadata.connectedDid,
-        };
-        const session = new AuthSession({
-            agent: userAgent,
-            did: connectedDid,
+        startSyncIfEnabled(userAgent, ctx.defaultSync);
+        // Persist session info, build AuthSession, and emit lifecycle events.
+        // Session restore does not emit `identity-added` (identity was already added in the original flow).
+        return finalizeSession({
+            userAgent,
+            emitter,
+            storage,
+            connectedDid,
             delegateDid,
-            identity: identityInfo,
-        });
-        emitter.emit('session-start', {
-            session: { did: connectedDid, delegateDid, identity: identityInfo },
+            identityName: identity.metadata.name,
+            identityConnectedDid: identity.metadata.connectedDid,
+            emitIdentityAdded: false,
         });
-        return session;
     });
 }
-//# sourceMappingURL=session-restore.js.map
+//# sourceMappingURL=restore.js.map

package/dist/esm/connect/restore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"restore.js","sourceRoot":"","sources":["../../../src/connect/restore.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;;;;;;;;;;AAMH,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,mBAAmB,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAE7H;;;;;GAKG;AACH,MAAM,UAAgB,cAAc;yDAClC,GAAgB,EAChB,UAAiC,EAAE;QAEnC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;QAE5C,yCAAyC;QACzC,MAAM,mBAAmB,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,oBAAoB,CAAC,CAAC;QACjF,IAAI,mBAAmB,KAAK,MAAM,EAAE,CAAC;YACnC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,iGAAiG;QACjG,oFAAoF;QACpF,iFAAiF;QACjF,iDAAiD;QACjD,IAAI,gBAAgB,GAAG,OAAO,CAAC,QAAQ,CAAC;QAExC,IAAI,CAAC,gBAAgB,IAAI,CAAC,GAAG,CAAC,eAAe,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;YAC5E,gBAAgB,GAAG,MAAM,OAAO,CAAC,kBAAkB,EAAE,CAAC;QACxD,CAAC;QAED,sEAAsE;QACtE,yDAAyD;QACzD,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,WAAW,EAAE,CAAC;QACpD,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,oBAAoB,CAAC,CAAC;YACxD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAC;QAErE,6CAA6C;QAC7C,MAAM,gBAAgB,CAAC;YACrB,SAAS;YACT,OAAO;YACP,QAAQ;YACR,aAAa,EAAE,KAAK;SACrB,CAAC,CAAC;QAEH,8EAA8E;QAC9E,sEAAsE;QACtE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;YAChC,MAAM,sBAAsB,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC5D,CAAC;QAED,yCAAyC;QACzC,MAAM,iBAAiB,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;QAC1E,MAAM,iBAAiB,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC;QAEvE,gEAAgE;QAChE,IAAI,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,iBAAiB,EAAE,CAAC;QAE5D,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,4CAA4C;YAC5C,IAAI,iBAAiB,EAAE,CAAC;gBACtB,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC,CAAC;YACzE,CAAC;YAED,6CAA6C;YAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnD,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,mDAAmD;YACnD,MAAM,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,oBAAoB,CAAC,CAAC;YACxD,MAAM,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YACnD,MAAM,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC;YAChD,MAAM,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;YACjD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,GAAG,mBAAmB,CACvD,QAAQ,EAAE,iBAAiB,aAAjB,iBAAiB,cAAjB,iBAAiB,GAAI,SAAS,CACzC,CAAC;QAEF,cAAc;QACd,kBAAkB,CAAC,SAAS,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;QAE/C,sEAAsE;QACtE,oGAAoG;QACpG,OAAO,eAAe,CAAC;YACrB,SAAS;YACT,OAAO;YACP,OAAO;YACP,YAAY;YACZ,WAAW;YACX,YAAY,EAAW,QAAQ,CAAC,QAAQ,CAAC,IAAI;YAC7C,oBAAoB,EAAG,QAAQ,CAAC,QAAQ,CAAC,YAAY;YACrD,iBAAiB,EAAM,KAAK;SAC7B,CAAC,CAAC;IACL,CAAC;CAAA"}