@enbox/auth 0.4.0 → 0.6.0

package/dist/esm/password-provider.js

@@ -0,0 +1,319 @@
+/**
+ * PasswordProvider — composable password acquisition strategies.
+ *
+ * Replaces ad-hoc password prompting scattered across CLI consumers
+ * (env vars, raw-mode TTY, `/dev/tty` + `stty`, `@clack/prompts`, etc.)
+ * with a single, composable abstraction.
+ *
+ * @example Chained provider (env first, fall back to TTY)
+ * ```ts
+ * import { PasswordProvider } from '@enbox/auth';
+ *
+ * const provider = PasswordProvider.chain([
+ *   PasswordProvider.fromEnv('ENBOX_PASSWORD'),
+ *   PasswordProvider.fromTty({ prompt: 'Vault password: ' }),
+ * ]);
+ *
+ * const auth = await AuthManager.create({ passwordProvider: provider });
+ * ```
+ *
+ * @module
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+// ─── Internal helpers ────────────────────────────────────────────
+/**
+ * Read a password from a raw-mode TTY stream.
+ *
+ * Reads character-by-character with no echo. Handles Enter (resolve),
+ * Ctrl-C (reject), backspace, and printable characters.
+ *
+ * @internal Exported for testing only.
+ */
+export function readPasswordRawMode(stdin, stdout, prompt) {
+    stdout.write(prompt);
+    return new Promise((resolve, reject) => {
+        let buf = '';
+        stdin.setRawMode(true);
+        stdin.setEncoding('utf8');
+        stdin.resume();
+        const onData = (ch) => {
+            const code = ch.charCodeAt(0);
+            if (ch === '\r' || ch === '\n') {
+                // Enter — done.
+                stdin.setRawMode(false);
+                stdin.pause();
+                stdin.removeListener('data', onData);
+                stdout.write('\n');
+                resolve(buf);
+            }
+            else if (code === 3) {
+                // Ctrl-C — abort.
+                stdin.setRawMode(false);
+                stdin.pause();
+                stdin.removeListener('data', onData);
+                stdout.write('\n');
+                reject(new Error('[@enbox/auth] PasswordProvider.fromTty: cancelled by user.'));
+            }
+            else if (code === 127 || code === 8) {
+                // Backspace / Delete.
+                if (buf.length > 0) {
+                    buf = buf.slice(0, -1);
+                }
+            }
+            else if (code >= 32) {
+                // Printable character.
+                buf += ch;
+            }
+        };
+        stdin.on('data', onData);
+    });
+}
+/**
+ * Read a password from `/dev/tty` using synchronous I/O.
+ *
+ * Opens `/dev/tty` directly, uses `stty -echo` to suppress input,
+ * reads until newline, then restores echo and closes file descriptors.
+ *
+ * @param prompt - The prompt string to display.
+ * @param io - Injectable I/O functions (defaults to `node:fs` + `node:child_process`).
+ * @internal Exported for testing only.
+ */
+export function readPasswordDevTty(prompt, io) {
+    return __awaiter(this, void 0, void 0, function* () {
+        // Use injected I/O or import real modules.
+        let fsIo;
+        if (io) {
+            fsIo = io;
+        }
+        else {
+            const { openSync, readSync, writeSync, closeSync } = yield import('node:fs');
+            const { execSync } = yield import('node:child_process');
+            fsIo = {
+                openSync,
+                readSync,
+                writeSync,
+                closeSync,
+                execSync: (cmd, opts) => { execSync(cmd, opts); },
+            };
+        }
+        let readFd;
+        let writeFd;
+        try {
+            readFd = fsIo.openSync('/dev/tty', 'r');
+            writeFd = fsIo.openSync('/dev/tty', 'w');
+        }
+        catch (_a) {
+            throw new Error('[@enbox/auth] PasswordProvider.fromDevTty: cannot open /dev/tty. ' +
+                'No controlling terminal available.');
+        }
+        try {
+            // Suppress echo.
+            try {
+                fsIo.execSync('stty -echo < /dev/tty', { stdio: 'ignore' });
+            }
+            catch (_b) {
+                // Continue — the user sees their password but the flow works.
+            }
+            fsIo.writeSync(writeFd, prompt);
+            // Cooked-mode read (line-buffered; terminal handles backspace).
+            const readBuf = new Uint8Array(256);
+            const decoder = new TextDecoder('utf-8');
+            let password = '';
+            while (true) {
+                const bytesRead = fsIo.readSync(readFd, readBuf, 0, readBuf.length, null);
+                if (bytesRead === 0) {
+                    break;
+                }
+                password += decoder.decode(readBuf.subarray(0, bytesRead), { stream: true });
+                const nlIdx = password.indexOf('\n');
+                if (nlIdx !== -1) {
+                    password = password.slice(0, nlIdx);
+                    break;
+                }
+                const crIdx = password.indexOf('\r');
+                if (crIdx !== -1) {
+                    password = password.slice(0, crIdx);
+                    break;
+                }
+            }
+            fsIo.writeSync(writeFd, '\n');
+            return password;
+        }
+        finally {
+            // Restore echo.
+            try {
+                fsIo.execSync('stty echo < /dev/tty', { stdio: 'ignore' });
+            }
+            catch ( /* best-effort */_c) { /* best-effort */ }
+            fsIo.closeSync(readFd);
+            fsIo.closeSync(writeFd);
+        }
+    });
+}
+// ─── Factory functions ───────────────────────────────────────────
+export var PasswordProvider;
+(function (PasswordProvider) {
+    /**
+     * Read the password from an environment variable.
+     *
+     * Throws if the variable is not set or is empty, allowing `chain()`
+     * to fall through to the next provider.
+     *
+     * @param envVar - Name of the environment variable. Default: `'ENBOX_PASSWORD'`.
+     *
+     * @example
+     * ```ts
+     * const provider = PasswordProvider.fromEnv('MY_APP_PASSWORD');
+     * ```
+     */
+    function fromEnv(envVar = 'ENBOX_PASSWORD') {
+        return {
+            getPassword() {
+                return __awaiter(this, void 0, void 0, function* () {
+                    const value = process.env[envVar];
+                    if (!value) {
+                        throw new Error(`[@enbox/auth] PasswordProvider.fromEnv: environment variable '${envVar}' is not set.`);
+                    }
+                    return value;
+                });
+            },
+        };
+    }
+    PasswordProvider.fromEnv = fromEnv;
+    /**
+     * Wrap an async callback as a password provider.
+     *
+     * This is the escape hatch for custom UI (e.g. `@clack/prompts`,
+     * Electron dialog, browser modal).
+     *
+     * @param callback - Called with the password context; must return a password string.
+     *
+     * @example
+     * ```ts
+     * const provider = PasswordProvider.fromCallback(async ({ reason }) => {
+     *   if (reason === 'create') {
+     *     return await showCreatePasswordDialog();
+     *   }
+     *   return await showUnlockDialog();
+     * });
+     * ```
+     */
+    function fromCallback(callback) {
+        return { getPassword: callback };
+    }
+    PasswordProvider.fromCallback = fromCallback;
+    /**
+     * Prompt for a password via `process.stdin` in raw mode.
+     *
+     * Input is read character-by-character with no echo. Handles
+     * backspace and Ctrl-C (rejects with an error). Only works when
+     * `process.stdin.isTTY` is `true`; throws otherwise so `chain()`
+     * can fall through to the next provider.
+     *
+     * Suitable for main CLI processes that own stdin/stdout.
+     *
+     * @param options - Optional configuration.
+     * @param options.prompt - Text to display before reading. Default: `'Vault password: '`.
+     *
+     * @example
+     * ```ts
+     * const provider = PasswordProvider.fromTty({ prompt: 'Password: ' });
+     * ```
+     */
+    function fromTty(options = {}) {
+        var _a;
+        const prompt = (_a = options.prompt) !== null && _a !== void 0 ? _a : 'Vault password: ';
+        return {
+            getPassword() {
+                return __awaiter(this, void 0, void 0, function* () {
+                    if (!process.stdin.isTTY) {
+                        throw new Error('[@enbox/auth] PasswordProvider.fromTty: stdin is not a TTY.');
+                    }
+                    return readPasswordRawMode(process.stdin, process.stdout, prompt);
+                });
+            },
+        };
+    }
+    PasswordProvider.fromTty = fromTty;
+    /**
+     * Prompt for a password via `/dev/tty` (Unix only).
+     *
+     * Opens `/dev/tty` directly, bypassing `process.stdin`. This is
+     * essential for subprocesses where stdin is owned by the parent
+     * (e.g. Git credential helpers, SSH, GPG). Uses `stty -echo` to
+     * suppress input echo.
+     *
+     * Throws if `/dev/tty` cannot be opened (e.g. non-Unix platform,
+     * no controlling terminal), allowing `chain()` to fall through.
+     *
+     * @param options - Optional configuration.
+     * @param options.prompt - Text to display before reading. Default: `'Vault password: '`.
+     *
+     * @example
+     * ```ts
+     * // For git credential helpers:
+     * const provider = PasswordProvider.fromDevTty();
+     * ```
+     */
+    function fromDevTty(options = {}) {
+        var _a;
+        const prompt = (_a = options.prompt) !== null && _a !== void 0 ? _a : 'Vault password: ';
+        return {
+            getPassword() {
+                return __awaiter(this, void 0, void 0, function* () {
+                    return readPasswordDevTty(prompt);
+                });
+            },
+        };
+    }
+    PasswordProvider.fromDevTty = fromDevTty;
+    /**
+     * Compose multiple providers with automatic fallback.
+     *
+     * Tries each provider in order. If a provider throws, the next one
+     * is tried. If all providers fail, the last error is rethrown.
+     *
+     * @param providers - Ordered list of providers to try.
+     *
+     * @example
+     * ```ts
+     * // Try env var first, then interactive TTY, then /dev/tty for subprocesses.
+     * const provider = PasswordProvider.chain([
+     *   PasswordProvider.fromEnv('ENBOX_PASSWORD'),
+     *   PasswordProvider.fromTty(),
+     *   PasswordProvider.fromDevTty(),
+     * ]);
+     * ```
+     */
+    function chain(providers) {
+        if (providers.length === 0) {
+            throw new Error('[@enbox/auth] PasswordProvider.chain: at least one provider is required.');
+        }
+        return {
+            getPassword(context) {
+                return __awaiter(this, void 0, void 0, function* () {
+                    let lastError;
+                    for (const provider of providers) {
+                        try {
+                            return yield provider.getPassword(context);
+                        }
+                        catch (err) {
+                            lastError = err instanceof Error ? err : new Error(String(err));
+                        }
+                    }
+                    throw lastError !== null && lastError !== void 0 ? lastError : new Error('[@enbox/auth] PasswordProvider.chain: all providers failed.');
+                });
+            },
+        };
+    }
+    PasswordProvider.chain = chain;
+})(PasswordProvider || (PasswordProvider = {}));
+//# sourceMappingURL=password-provider.js.map

package/dist/esm/password-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-provider.js","sourceRoot":"","sources":["../../src/password-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;;;;;;;;;;AAsDH,oEAAoE;AAEpE;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAkB,EAClB,MAAmB,EACnB,MAAc;IAEd,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAErB,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,IAAI,GAAG,GAAG,EAAE,CAAC;QACb,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACvB,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAC1B,KAAK,CAAC,MAAM,EAAE,CAAC;QAEf,MAAM,MAAM,GAAG,CAAC,EAAU,EAAQ,EAAE;YAClC,MAAM,IAAI,GAAG,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAE9B,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;gBAC/B,gBAAgB;gBAChB,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;gBACxB,KAAK,CAAC,KAAK,EAAE,CAAC;gBACd,KAAK,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBACrC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,CAAC;YACf,CAAC;iBAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACtB,kBAAkB;gBAClB,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;gBACxB,KAAK,CAAC,KAAK,EAAE,CAAC;gBACd,KAAK,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBACrC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACnB,MAAM,CAAC,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC,CAAC;YAClF,CAAC;iBAAM,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACtC,sBAAsB;gBACtB,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACnB,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC;gBACtB,uBAAuB;gBACvB,GAAG,IAAI,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC;QAEF,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC;AAWD;;;;;;;;;GASG;AACH,MAAM,UAAgB,kBAAkB,CACtC,MAAc,EACd,EAAa;;QAEb,2CAA2C;QAC3C,IAAI,IAAc,CAAC;QACnB,IAAI,EAAE,EAAE,CAAC;YACP,IAAI,GAAG,EAAE,CAAC;QACZ,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;YAC7E,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;YACxD,IAAI,GAAG;gBACL,QAAQ;gBACR,QAAQ;gBACR,SAAS;gBACT,SAAS;gBACT,QAAQ,EAAE,CAAC,GAAW,EAAE,IAAuB,EAAQ,EAAE,GAAG,QAAQ,CAAC,GAAG,EAAE,IAAW,CAAC,CAAC,CAAC,CAAC;aAC1F,CAAC;QACJ,CAAC;QAED,IAAI,MAAc,CAAC;QACnB,IAAI,OAAe,CAAC;QAEpB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;YACxC,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAC3C,CAAC;QAAC,WAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,mEAAmE;gBACnE,oCAAoC,CACrC,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,iBAAiB;YACjB,IAAI,CAAC;gBACH,IAAI,CAAC,QAAQ,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC9D,CAAC;YAAC,WAAM,CAAC;gBACP,8DAA8D;YAChE,CAAC;YAED,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAEhC,gEAAgE;YAChE,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC;YACzC,IAAI,QAAQ,GAAG,EAAE,CAAC;YAElB,OAAO,IAAI,EAAE,CAAC;gBACZ,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;gBAC1E,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;oBAAC,MAAM;gBAAC,CAAC;gBAE/B,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;gBAE7E,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBACrC,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;oBAAC,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;oBAAC,MAAM;gBAAC,CAAC;gBAEjE,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBACrC,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;oBAAC,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;oBAAC,MAAM;gBAAC,CAAC;YACnE,CAAC;YAED,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YAC9B,OAAO,QAAQ,CAAC;QAClB,CAAC;gBAAS,CAAC;YACT,gBAAgB;YAChB,IAAI,CAAC;gBAAC,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAAC,CAAC;YAAC,QAAQ,iBAAiB,IAAnB,CAAC,CAAC,iBAAiB,CAAC,CAAC;YAC/F,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACvB,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;CAAA;AAED,oEAAoE;AAGpE,MAAM,KAAW,gBAAgB,CAgKhC;AAhKD,WAAiB,gBAAgB;IAE/B;;;;;;;;;;;;OAYG;IACH,SAAgB,OAAO,CAAC,MAAM,GAAG,gBAAgB;QAC/C,OAAO;YACC,WAAW;;oBACf,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBAClC,IAAI,CAAC,KAAK,EAAE,CAAC;wBACX,MAAM,IAAI,KAAK,CACb,iEAAiE,MAAM,eAAe,CACvF,CAAC;oBACJ,CAAC;oBACD,OAAO,KAAK,CAAC;gBACf,CAAC;aAAA;SACF,CAAC;IACJ,CAAC;IAZe,wBAAO,UAYtB,CAAA;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,SAAgB,YAAY,CAC1B,QAAuD;QAEvD,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC;IACnC,CAAC;IAJe,6BAAY,eAI3B,CAAA;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,SAAgB,OAAO,CAAC,UAA+B,EAAE;;QACvD,MAAM,MAAM,GAAG,MAAA,OAAO,CAAC,MAAM,mCAAI,kBAAkB,CAAC;QAEpD,OAAO;YACC,WAAW;;oBACf,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;wBACzB,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAC;oBACJ,CAAC;oBAED,OAAO,mBAAmB,CACxB,OAAO,CAAC,KAA+B,EACvC,OAAO,CAAC,MAAM,EACd,MAAM,CACP,CAAC;gBACJ,CAAC;aAAA;SACF,CAAC;IACJ,CAAC;IAlBe,wBAAO,UAkBtB,CAAA;IAED;;;;;;;;;;;;;;;;;;;OAmBG;IACH,SAAgB,UAAU,CAAC,UAA+B,EAAE;;QAC1D,MAAM,MAAM,GAAG,MAAA,OAAO,CAAC,MAAM,mCAAI,kBAAkB,CAAC;QAEpD,OAAO;YACC,WAAW;;oBACf,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAC;gBACpC,CAAC;aAAA;SACF,CAAC;IACJ,CAAC;IARe,2BAAU,aAQzB,CAAA;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,SAAgB,KAAK,CAAC,SAA6B;QACjD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;QAC9F,CAAC;QAED,OAAO;YACC,WAAW,CAAC,OAAwB;;oBACxC,IAAI,SAA4B,CAAC;oBAEjC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;wBACjC,IAAI,CAAC;4BACH,OAAO,MAAM,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;wBAC7C,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,SAAS,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;wBAClE,CAAC;oBACH,CAAC;oBAED,MAAM,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;gBAC9F,CAAC;aAAA;SACF,CAAC;IACJ,CAAC;IApBe,sBAAK,QAoBpB,CAAA;AACH,CAAC,EAhKgB,gBAAgB,KAAhB,gBAAgB,QAgKhC"}

package/dist/esm/{flows/dwn-registration.js → registration.js}

@@ -20,6 +20,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 import { DwnRegistrar } from '@enbox/dwn-clients';
+import { STORAGE_KEYS } from './types.js';
 /**
  * Register the agent and connected DIDs with the configured DWN endpoints.
  *
@@ -35,8 +36,17 @@ import { DwnRegistrar } from '@enbox/dwn-clients';
 export function registerWithDwnEndpoints(ctx, registration) {
     return __awaiter(this, void 0, void 0, function* () {
         var _a;
-        const { userAgent, dwnEndpoints, agentDid, connectedDid } = ctx;
-        const updatedTokens = Object.assign({}, ((_a = registration.registrationTokens) !== null && _a !== void 0 ? _a : {}));
+        const { userAgent, dwnEndpoints, agentDid, connectedDid, storage } = ctx;
+        // Load initial tokens: when persistTokens is enabled, load from storage
+        // (ignoring any explicit registrationTokens). Otherwise use the explicit map.
+        let seedTokens = {};
+        if (registration.persistTokens && storage) {
+            seedTokens = yield loadTokensFromStorage(storage);
+        }
+        else {
+            seedTokens = (_a = registration.registrationTokens) !== null && _a !== void 0 ? _a : {};
+        }
+        const updatedTokens = Object.assign({}, seedTokens);
         try {
             for (const dwnEndpoint of dwnEndpoints) {
                 const serverInfo = yield userAgent.rpc.getServerInfo(dwnEndpoint);
@@ -108,7 +118,11 @@ export function registerWithDwnEndpoints(ctx, registration) {
                     }
                 }
             }
-            // Notify app of updated tokens for persistence.
+            // Persist tokens to storage when auto-persistence is enabled.
+            if (registration.persistTokens && storage) {
+                yield saveTokensToStorage(storage, updatedTokens);
+            }
+            // Notify app of updated tokens (always, even when auto-persisting).
             if (registration.onRegistrationTokens) {
                 registration.onRegistrationTokens(updatedTokens);
             }
@@ -119,4 +133,36 @@ export function registerWithDwnEndpoints(ctx, registration) {
         }
     });
 }
-//# sourceMappingURL=dwn-registration.js.map
+// ─── Storage helpers ──────────────────────────────────────────────
+/**
+ * Load registration tokens from a `StorageAdapter`.
+ *
+ * Returns an empty record if no tokens are stored or the stored value
+ * is corrupt (best-effort — never throws).
+ *
+ * @internal
+ */
+export function loadTokensFromStorage(storage) {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const raw = yield storage.get(STORAGE_KEYS.REGISTRATION_TOKENS);
+            if (!raw) {
+                return {};
+            }
+            return JSON.parse(raw);
+        }
+        catch (_a) {
+            return {};
+        }
+    });
+}
+/**
+ * Save registration tokens to a `StorageAdapter`.
+ * @internal
+ */
+export function saveTokensToStorage(storage, tokens) {
+    return __awaiter(this, void 0, void 0, function* () {
+        yield storage.set(STORAGE_KEYS.REGISTRATION_TOKENS, JSON.stringify(tokens));
+    });
+}
+//# sourceMappingURL=registration.js.map

package/dist/esm/registration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registration.js","sourceRoot":"","sources":["../../src/registration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;;;;;;;;;;AAIH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AA6B1C;;;;;;;;;;;GAWG;AACH,MAAM,UAAgB,wBAAwB,CAC5C,GAAwB,EACxB,YAAiC;;;QAEjC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;QAEzE,wEAAwE;QACxE,8EAA8E;QAC9E,IAAI,UAAU,GAA0C,EAAE,CAAC;QAE3D,IAAI,YAAY,CAAC,aAAa,IAAI,OAAO,EAAE,CAAC;YAC1C,UAAU,GAAG,MAAM,qBAAqB,CAAC,OAAO,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,UAAU,GAAG,MAAA,YAAY,CAAC,kBAAkB,mCAAI,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,aAAa,qBAA+C,UAAU,CAAE,CAAC;QAE/E,IAAI,CAAC;YACH,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;gBACvC,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;gBAElE,IAAI,UAAU,CAAC,wBAAwB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACrD,SAAS;gBACX,CAAC;gBAED,gCAAgC;gBAChC,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC;qBAC5C,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAiB,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;gBAElE,MAAM,eAAe,GACnB,UAAU,CAAC,wBAAwB,CAAC,QAAQ,CAAC,kBAAkB,CAAC;uBAC7D,UAAU,CAAC,YAAY,KAAK,SAAS,CAAC;gBAE3C,IAAI,eAAe,IAAI,YAAY,CAAC,sBAAsB,EAAE,CAAC;oBAC3D,6BAA6B;oBAC7B,IAAI,SAAS,GAAG,aAAa,CAAC,WAAW,CAAsC,CAAC;oBAEhF,0BAA0B;oBAC1B,IAAI,CAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,SAAS,MAAK,SAAS,IAAI,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;wBAC3E,IAAI,SAAS,CAAC,UAAU,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;4BACnD,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,wBAAwB,CAC3D,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,YAAY,CAC7C,CAAC;4BACF,SAAS,GAAG;gCACV,iBAAiB,EAAG,SAAS,CAAC,iBAAiB;gCAC/C,YAAY,EAAQ,SAAS,CAAC,YAAY;gCAC1C,SAAS,EAAW,SAAS,CAAC,SAAS,KAAK,SAAS;oCACnD,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;gCACzD,QAAQ,EAAK,SAAS,CAAC,QAAQ;gCAC/B,UAAU,EAAG,SAAS,CAAC,UAAU;6BAClC,CAAC;4BACF,aAAa,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC;wBACzC,CAAC;6BAAM,CAAC;4BACN,SAAS,GAAG,SAAS,CAAC;wBACxB,CAAC;oBACH,CAAC;oBAED,8CAA8C;oBAC9C,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;wBAC5B,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;wBAClC,MAAM,YAAY,GAAG,UAAU,CAAC,YAAa,CAAC;wBAC9C,MAAM,SAAS,GAAG,YAAY,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;wBACtE,MAAM,YAAY,GAAG,GAAG,YAAY,CAAC,YAAY,GAAG,SAAS,EAAE;8BAC3D,gBAAgB,kBAAkB,CAAC,WAAW,CAAC,EAAE;8BACjD,UAAU,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;wBAE1C,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAAC;4BAC3D,YAAY;4BACZ,WAAW;4BACX,KAAK;yBACN,CAAC,CAAC;wBAEH,IAAI,UAAU,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;4BAC/B,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;wBAC/E,CAAC;wBAED,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,gBAAgB,CACvD,YAAY,CAAC,QAAQ,EAAE,UAAU,CAAC,IAAI,EAAE,WAAW,CACpD,CAAC;wBAEF,SAAS,GAAG;4BACV,iBAAiB,EAAG,aAAa,CAAC,iBAAiB;4BACnD,YAAY,EAAQ,aAAa,CAAC,YAAY;4BAC9C,SAAS,EAAW,aAAa,CAAC,SAAS,KAAK,SAAS;gCACvD,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;4BAC7D,QAAQ,EAAK,YAAY,CAAC,QAAQ;4BAClC,UAAU,EAAG,YAAY,CAAC,UAAU;yBACrC,CAAC;wBACF,aAAa,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC;oBACzC,CAAC;oBAED,mDAAmD;oBACnD,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;wBACjC,MAAM,YAAY,CAAC,uBAAuB,CACxC,WAAW,EAAE,GAAG,EAAE,SAAS,CAAC,iBAAiB,CAC9C,CAAC;oBACJ,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,oDAAoD;oBACpD,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;wBACjC,MAAM,YAAY,CAAC,cAAc,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;oBACtD,CAAC;gBACH,CAAC;YACH,CAAC;YAED,8DAA8D;YAC9D,IAAI,YAAY,CAAC,aAAa,IAAI,OAAO,EAAE,CAAC;gBAC1C,MAAM,mBAAmB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;YACpD,CAAC;YAED,oEAAoE;YACpE,IAAI,YAAY,CAAC,oBAAoB,EAAE,CAAC;gBACtC,YAAY,CAAC,oBAAoB,CAAC,aAAa,CAAC,CAAC;YACnD,CAAC;YAED,YAAY,CAAC,SAAS,EAAE,CAAC;QAC3B,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,YAAY,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;CAAA;AAED,qEAAqE;AAErE;;;;;;;GAOG;AACH,MAAM,UAAgB,qBAAqB,CACzC,OAAuB;;QAEvB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAC;YAChE,IAAI,CAAC,GAAG,EAAE,CAAC;gBAAC,OAAO,EAAE,CAAC;YAAC,CAAC;YACxB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAA0C,CAAC;QAClE,CAAC;QAAC,WAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CAAA;AAED;;;GAGG;AACH,MAAM,UAAgB,mBAAmB,CACvC,OAAuB,EACvB,MAA6C;;QAE7C,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,mBAAmB,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC9E,CAAC;CAAA"}

package/dist/esm/types.js

@@ -5,6 +5,8 @@
 // ─── Internal helpers ────────────────────────────────────────────
 /** The insecure default password used when none is provided. */
 export const INSECURE_DEFAULT_PASSWORD = 'insecure-static-phrase';
+/** Default DWN endpoints for new identities when none are configured. */
+export const DEFAULT_DWN_ENDPOINTS = ['https://enbox-dwn.fly.dev'];
 /**
  * Storage keys used by the auth manager for session persistence.
  * @internal
@@ -19,12 +21,20 @@ export const STORAGE_KEYS = {
     /** The connected DID (for wallet-connected sessions). */
     CONNECTED_DID: 'enbox:auth:connectedDid',
     /**
-     * The base URL of the local DWN server discovered via the `dwn://register`
+     * The base URL of the local DWN server discovered via the `dwn://connect`
      * browser redirect flow. Persisted so subsequent page loads can skip the
      * redirect and inject the endpoint directly.
      *
      * @see https://github.com/enboxorg/enbox/issues/589
      */
     LOCAL_DWN_ENDPOINT: 'enbox:auth:localDwnEndpoint',
+    /**
+     * JSON-serialised `Record<string, RegistrationTokenData>` for DWN endpoint
+     * registration tokens. Automatically loaded before registration and saved
+     * after new/refreshed tokens are obtained when `persistTokens` is enabled.
+     *
+     * @see https://github.com/enboxorg/enbox/issues/690
+     */
+    REGISTRATION_TOKENS: 'enbox:auth:registrationTokens',
 };
 //# sourceMappingURL=types.js.map

package/dist/esm/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAuXH,oEAAoE;AAEpE,gEAAgE;AAChE,MAAM,CAAC,MAAM,yBAAyB,GAAG,wBAAwB,CAAC;AAElE;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,oDAAoD;IACpD,oBAAoB,EAAE,gCAAgC;IAEtD,+CAA+C;IAC/C,eAAe,EAAE,2BAA2B;IAE5C,4DAA4D;IAC5D,YAAY,EAAE,wBAAwB;IAEtC,yDAAyD;IACzD,aAAa,EAAE,yBAAyB;IAExC;;;;;;OAMG;IACH,kBAAkB,EAAE,6BAA6B;CACzC,CAAC"}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA2cH,oEAAoE;AAEpE,gEAAgE;AAChE,MAAM,CAAC,MAAM,yBAAyB,GAAG,wBAAwB,CAAC;AAElE,yEAAyE;AACzE,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,2BAA2B,CAAC,CAAC;AAEnE;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,oDAAoD;IACpD,oBAAoB,EAAE,gCAAgC;IAEtD,+CAA+C;IAC/C,eAAe,EAAE,2BAA2B;IAE5C,4DAA4D;IAC5D,YAAY,EAAE,wBAAwB;IAEtC,yDAAyD;IACzD,aAAa,EAAE,yBAAyB;IAExC;;;;;;OAMG;IACH,kBAAkB,EAAE,6BAA6B;IAEjD;;;;;;OAMG;IACH,mBAAmB,EAAE,+BAA+B;CAC5C,CAAC"}

package/dist/esm/wallet-connect-client.js

@@ -0,0 +1,188 @@
+/**
+ * WalletConnect client — initiates the relay-mediated connect flow.
+ *
+ * Moved from `@enbox/agent/src/connect.ts` because `initClient` has zero
+ * coupling to agent internals (no vault, no key store, no DWN processing,
+ * no sync). Its only consumer is `auth/src/connect/wallet.ts`.
+ *
+ * The server-side counterpart (`EnboxConnectProtocol`) correctly stays in
+ * `@enbox/agent` because it uses `agent.processDwnRequest()`,
+ * `agent.sendDwnRequest()`, and `AgentPermissionsApi`.
+ *
+ * @module
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import { CryptoUtils } from '@enbox/crypto';
+import { DidJwk } from '@enbox/dids';
+import { Convert, logger } from '@enbox/common';
+import { DwnInterfaceName, DwnMethodName } from '@enbox/dwn-sdk-js';
+import { EnboxConnectProtocol, pollWithTtl } from '@enbox/agent';
+/**
+ * Initiates the wallet connect process. Used when a client wants to obtain
+ * a did from a provider.
+ */
+function initClient(_a) {
+    return __awaiter(this, arguments, void 0, function* ({ displayName, connectServerUrl, walletUri, permissionRequests, onWalletUriReady, validatePin, }) {
+        // ephemeral client did for ECDH, signing, verification
+        const clientDid = yield DidJwk.create();
+        // TODO: properly implement PKCE. this implementation is lacking server side validations and more.
+        // https://github.com/enboxorg/enbox/issues/829
+        // Derive the code challenge based on the code verifier
+        // const { codeChallengeBytes, codeChallengeBase64Url } =
+        //   await Oidc.generateCodeChallenge();
+        const encryptionKey = CryptoUtils.randomBytes(32);
+        // Build callback URL for the connect request.
+        const callbackEndpoint = EnboxConnectProtocol.buildConnectUrl({
+            baseURL: connectServerUrl,
+            endpoint: 'callback',
+        });
+        // Build the connect request.
+        const request = yield EnboxConnectProtocol.createConnectRequest({
+            clientDid: clientDid.uri,
+            callbackUrl: callbackEndpoint,
+            permissionRequests: permissionRequests,
+            appName: displayName,
+        });
+        // Sign the request as a JWT.
+        const requestJwt = yield EnboxConnectProtocol.signJwt({
+            did: clientDid,
+            data: request,
+        });
+        if (!requestJwt) {
+            throw new Error('Unable to sign requestObject');
+        }
+        // Encrypt the request JWT with the symmetric key.
+        const requestObjectJwe = yield EnboxConnectProtocol.encryptRequest({
+            jwt: requestJwt,
+            encryptionKey,
+        });
+        const pushedAuthorizationRequestEndpoint = EnboxConnectProtocol.buildConnectUrl({
+            baseURL: connectServerUrl,
+            endpoint: 'pushedAuthorizationRequest',
+        });
+        const parResponse = yield fetch(pushedAuthorizationRequestEndpoint, {
+            body: JSON.stringify({ request: requestObjectJwe }),
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+            },
+            signal: AbortSignal.timeout(30000),
+        });
+        if (!parResponse.ok) {
+            throw new Error(`${parResponse.status}: ${parResponse.statusText}`);
+        }
+        const parData = yield parResponse.json();
+        // a deeplink to a compatible wallet. if the wallet scans this link it should receive
+        // a route to its Connect provider flow and the params of where to fetch the auth request.
+        logger.log(`Wallet URI: ${walletUri}`);
+        const generatedWalletUri = new URL(walletUri);
+        generatedWalletUri.searchParams.set('request_uri', parData.request_uri);
+        generatedWalletUri.searchParams.set('encryption_key', Convert.uint8Array(encryptionKey).toBase64Url());
+        // call user's callback so they can send the URI to the wallet as they see fit
+        onWalletUriReady(generatedWalletUri.toString());
+        const tokenUrl = EnboxConnectProtocol.buildConnectUrl({
+            baseURL: connectServerUrl,
+            endpoint: 'token',
+            tokenParam: request.state,
+        });
+        // subscribe to receiving a response from the wallet with default TTL. receive ciphertext of {@link EnboxConnectResponse}
+        const authResponse = yield pollWithTtl(() => fetch(tokenUrl, { signal: AbortSignal.timeout(30000) }));
+        if (authResponse) {
+            const jwe = yield (authResponse === null || authResponse === void 0 ? void 0 : authResponse.text());
+            // Get the PIN from the user and use it as AAD to decrypt.
+            const pin = yield validatePin();
+            const jwt = yield EnboxConnectProtocol.decryptResponse(clientDid, jwe, pin);
+            const verifiedResponse = (yield EnboxConnectProtocol.verifyJwt({
+                jwt,
+            }));
+            return {
+                delegateGrants: verifiedResponse.delegateGrants,
+                delegatePortableDid: verifiedResponse.delegatePortableDid,
+                connectedDid: verifiedResponse.providerDid,
+            };
+        }
+    });
+}
+/**
+ * Creates a set of Dwn Permission Scopes to request for a given protocol.
+ *
+ * If no permissions are provided, the default is to request all relevant record permissions (write, read, delete, query, subscribe).
+ * 'configure' is not included by default, as this gives the application a lot of control over the protocol.
+ */
+function createPermissionRequestForProtocol({ definition, permissions }) {
+    const requests = [];
+    // Add the ability to query for the specific protocol
+    requests.push({
+        protocol: definition.protocol,
+        interface: DwnInterfaceName.Protocols,
+        method: DwnMethodName.Query,
+    });
+    // A Messages.Read grant is a unified scope that covers MessagesRead, MessagesSync, and MessagesSubscribe.
+    // This single grant enables sync and real-time subscriptions for the protocol.
+    requests.push({
+        protocol: definition.protocol,
+        interface: DwnInterfaceName.Messages,
+        method: DwnMethodName.Read,
+    });
+    // We also request any additional permissions the user has requested for this protocol
+    for (const permission of permissions) {
+        switch (permission) {
+            case 'write':
+                requests.push({
+                    protocol: definition.protocol,
+                    interface: DwnInterfaceName.Records,
+                    method: DwnMethodName.Write,
+                });
+                break;
+            case 'read':
+                requests.push({
+                    protocol: definition.protocol,
+                    interface: DwnInterfaceName.Records,
+                    method: DwnMethodName.Read,
+                });
+                break;
+            case 'delete':
+                requests.push({
+                    protocol: definition.protocol,
+                    interface: DwnInterfaceName.Records,
+                    method: DwnMethodName.Delete,
+                });
+                break;
+            case 'query':
+                requests.push({
+                    protocol: definition.protocol,
+                    interface: DwnInterfaceName.Records,
+                    method: DwnMethodName.Query,
+                });
+                break;
+            case 'subscribe':
+                requests.push({
+                    protocol: definition.protocol,
+                    interface: DwnInterfaceName.Records,
+                    method: DwnMethodName.Subscribe,
+                });
+                break;
+            case 'configure':
+                requests.push({
+                    protocol: definition.protocol,
+                    interface: DwnInterfaceName.Protocols,
+                    method: DwnMethodName.Configure,
+                });
+                break;
+        }
+    }
+    return {
+        protocolDefinition: definition,
+        permissionScopes: requests,
+    };
+}
+export const WalletConnect = { initClient, createPermissionRequestForProtocol };
+//# sourceMappingURL=wallet-connect-client.js.map

package/dist/esm/wallet-connect-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wallet-connect-client.js","sourceRoot":"","sources":["../../src/wallet-connect-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;;;;;;;;;;AAKH,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AA+DjE;;;GAGG;AACH,SAAe,UAAU;yDAAC,EACxB,WAAW,EACX,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,gBAAgB,EAChB,WAAW,GACgB;QAK3B,uDAAuD;QACvD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC;QAExC,kGAAkG;QAClG,+CAA+C;QAC/C,uDAAuD;QACvD,yDAAyD;QACzD,wCAAwC;QACxC,MAAM,aAAa,GAAG,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAElD,8CAA8C;QAC9C,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,eAAe,CAAC;YAC5D,OAAO,EAAI,gBAAgB;YAC3B,QAAQ,EAAG,UAAU;SACtB,CAAC,CAAC;QAEH,6BAA6B;QAC7B,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,oBAAoB,CAAC;YAC9D,SAAS,EAAY,SAAS,CAAC,GAAG;YAClC,WAAW,EAAU,gBAAgB;YACrC,kBAAkB,EAAG,kBAAkB;YACvC,OAAO,EAAc,WAAW;SACjC,CAAC,CAAC;QAEH,6BAA6B;QAC7B,MAAM,UAAU,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC;YACpD,GAAG,EAAI,SAAS;YAChB,IAAI,EAAG,OAA6C;SACrD,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QACD,kDAAkD;QAClD,MAAM,gBAAgB,GAAG,MAAM,oBAAoB,CAAC,cAAc,CAAC;YACjE,GAAG,EAAE,UAAU;YACf,aAAa;SACd,CAAC,CAAC;QAEH,MAAM,kCAAkC,GAAG,oBAAoB,CAAC,eAAe,CAAC;YAC9E,OAAO,EAAI,gBAAgB;YAC3B,QAAQ,EAAG,4BAA4B;SACxC,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,kCAAkC,EAAE;YAClE,IAAI,EAAM,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;YACvD,MAAM,EAAI,MAAM;YAChB,OAAO,EAAG;gBACR,cAAc,EAAE,kBAAkB;aACnC;YACD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAM,CAAC;SACpC,CAAC,CAAC;QAEH,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,GAAG,WAAW,CAAC,MAAM,KAAK,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,OAAO,GAA0B,MAAM,WAAW,CAAC,IAAI,EAAE,CAAC;QAEhE,qFAAqF;QACrF,0FAA0F;QAC1F,MAAM,CAAC,GAAG,CAAC,eAAe,SAAS,EAAE,CAAC,CAAC;QACvC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC9C,kBAAkB,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;QACxE,kBAAkB,CAAC,YAAY,CAAC,GAAG,CACjC,gBAAgB,EAChB,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,WAAW,EAAE,CAChD,CAAC;QAEF,8EAA8E;QAC9E,gBAAgB,CAAC,kBAAkB,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEhD,MAAM,QAAQ,GAAG,oBAAoB,CAAC,eAAe,CAAC;YACpD,OAAO,EAAM,gBAAgB;YAC7B,QAAQ,EAAK,OAAO;YACpB,UAAU,EAAG,OAAO,CAAC,KAAK;SAC3B,CAAC,CAAC;QAEH,yHAAyH;QACzH,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAM,CAAC,EAAE,CAAC,CAAC,CAAC;QAEvG,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,GAAG,GAAG,MAAM,CAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,IAAI,EAAE,CAAA,CAAC;YAEvC,0DAA0D;YAC1D,MAAM,GAAG,GAAG,MAAM,WAAW,EAAE,CAAC;YAChC,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,eAAe,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;YAC5E,MAAM,gBAAgB,GAAG,CAAC,MAAM,oBAAoB,CAAC,SAAS,CAAC;gBAC7D,GAAG;aACJ,CAAC,CAAoC,CAAC;YAEvC,OAAO;gBACL,cAAc,EAAQ,gBAAgB,CAAC,cAAc;gBACrD,mBAAmB,EAAG,gBAAgB,CAAC,mBAAmB;gBAC1D,YAAY,EAAU,gBAAgB,CAAC,WAAW;aACnD,CAAC;QACJ,CAAC;IACH,CAAC;CAAA;AAED;;;;;GAKG;AACH,SAAS,kCAAkC,CAAC,EAAE,UAAU,EAAE,WAAW,EAA6B;IAChG,MAAM,QAAQ,GAAyB,EAAE,CAAC;IAE1C,qDAAqD;IACrD,QAAQ,CAAC,IAAI,CAAC;QACZ,QAAQ,EAAI,UAAU,CAAC,QAAQ;QAC/B,SAAS,EAAG,gBAAgB,CAAC,SAAS;QACtC,MAAM,EAAM,aAAa,CAAC,KAAK;KAChC,CAAC,CAAC;IAEH,0GAA0G;IAC1G,+EAA+E;IAC/E,QAAQ,CAAC,IAAI,CAAC;QACZ,QAAQ,EAAI,UAAU,CAAC,QAAQ;QAC/B,SAAS,EAAG,gBAAgB,CAAC,QAAQ;QACrC,MAAM,EAAM,aAAa,CAAC,IAAI;KAC/B,CAAC,CAAC;IAEH,sFAAsF;IACtF,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,QAAQ,UAAU,EAAE,CAAC;YACnB,KAAK,OAAO;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAI,UAAU,CAAC,QAAQ;oBAC/B,SAAS,EAAG,gBAAgB,CAAC,OAAO;oBACpC,MAAM,EAAM,aAAa,CAAC,KAAK;iBAChC,CAAC,CAAC;gBACH,MAAM;YACR,KAAK,MAAM;gBACT,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAI,UAAU,CAAC,QAAQ;oBAC/B,SAAS,EAAG,gBAAgB,CAAC,OAAO;oBACpC,MAAM,EAAM,aAAa,CAAC,IAAI;iBAC/B,CAAC,CAAC;gBACH,MAAM;YACR,KAAK,QAAQ;gBACX,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAI,UAAU,CAAC,QAAQ;oBAC/B,SAAS,EAAG,gBAAgB,CAAC,OAAO;oBACpC,MAAM,EAAM,aAAa,CAAC,MAAM;iBACjC,CAAC,CAAC;gBACH,MAAM;YACR,KAAK,OAAO;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAI,UAAU,CAAC,QAAQ;oBAC/B,SAAS,EAAG,gBAAgB,CAAC,OAAO;oBACpC,MAAM,EAAM,aAAa,CAAC,KAAK;iBAChC,CAAC,CAAC;gBACH,MAAM;YACR,KAAK,WAAW;gBACd,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAI,UAAU,CAAC,QAAQ;oBAC/B,SAAS,EAAG,gBAAgB,CAAC,OAAO;oBACpC,MAAM,EAAM,aAAa,CAAC,SAAS;iBACpC,CAAC,CAAC;gBACH,MAAM;YACR,KAAK,WAAW;gBACd,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAI,UAAU,CAAC,QAAQ;oBAC/B,SAAS,EAAG,gBAAgB,CAAC,SAAS;oBACtC,MAAM,EAAM,aAAa,CAAC,SAAS;iBACpC,CAAC,CAAC;gBACH,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO;QACL,kBAAkB,EAAG,UAAU;QAC/B,gBAAgB,EAAK,QAAQ;KAC9B,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,UAAU,EAAE,kCAAkC,EAAE,CAAC"}