@executor-js/sdk 0.0.1 → 0.0.2
- package/README.md +125 -107
- package/dist/blob.d.ts +48 -0
- package/dist/blob.d.ts.map +1 -0
- package/dist/blob.test.d.ts +2 -0
- package/dist/blob.test.d.ts.map +1 -0
- package/dist/chunk-6LMMN2GP.js +4396 -0
- package/dist/chunk-6LMMN2GP.js.map +1 -0
- package/dist/config.d.ts +14 -0
- package/dist/config.d.ts.map +1 -0
- package/dist/connections.d.ts +107 -0
- package/dist/connections.d.ts.map +1 -0
- package/dist/connections.test.d.ts +2 -0
- package/dist/connections.test.d.ts.map +1 -0
- package/dist/core-schema.d.ts +372 -0
- package/dist/core-schema.d.ts.map +1 -0
- package/dist/core.js +273 -57
- package/dist/core.js.map +1 -1
- package/dist/elicitation.d.ts +18 -34
- package/dist/elicitation.d.ts.map +1 -1
- package/dist/error-handling.test.d.ts +2 -0
- package/dist/error-handling.test.d.ts.map +1 -0
- package/dist/errors.d.ts +95 -24
- package/dist/errors.d.ts.map +1 -1
- package/dist/executor.d.ts +107 -48
- package/dist/executor.d.ts.map +1 -1
- package/dist/executor.test.d.ts +2 -0
- package/dist/executor.test.d.ts.map +1 -0
- package/dist/ids.d.ts +6 -4
- package/dist/ids.d.ts.map +1 -1
- package/dist/index.d.ts +22 -16
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +80 -308
- package/dist/index.js.map +1 -1
- package/dist/oauth-discovery.d.ts +138 -0
- package/dist/oauth-discovery.d.ts.map +1 -0
- package/dist/oauth-discovery.test.d.ts +2 -0
- package/dist/oauth-discovery.test.d.ts.map +1 -0
- package/dist/oauth-helpers.d.ts +89 -0
- package/dist/oauth-helpers.d.ts.map +1 -0
- package/dist/oauth-helpers.test.d.ts +2 -0
- package/dist/oauth-helpers.test.d.ts.map +1 -0
- package/dist/oauth-popup-types.d.ts +14 -0
- package/dist/oauth-popup-types.d.ts.map +1 -0
- package/dist/oauth-service.d.ts +33 -0
- package/dist/oauth-service.d.ts.map +1 -0
- package/dist/oauth.d.ts +275 -0
- package/dist/oauth.d.ts.map +1 -0
- package/dist/plugin.d.ts +261 -27
- package/dist/plugin.d.ts.map +1 -1
- package/dist/policies.d.ts +56 -64
- package/dist/policies.d.ts.map +1 -1
- package/dist/policies.test.d.ts +2 -0
- package/dist/policies.test.d.ts.map +1 -0
- package/dist/promise-executor.d.ts +26 -128
- package/dist/promise-executor.d.ts.map +1 -1
- package/dist/promise.d.ts +12 -6
- package/dist/promise.d.ts.map +1 -1
- package/dist/promise.test.d.ts +2 -0
- package/dist/promise.test.d.ts.map +1 -0
- package/dist/schema-types.d.ts +6 -5
- package/dist/schema-types.d.ts.map +1 -1
- package/dist/scope.d.ts +5 -15
- package/dist/scope.d.ts.map +1 -1
- package/dist/scoped-adapter.d.ts +13 -0
- package/dist/scoped-adapter.d.ts.map +1 -0
- package/dist/scoped-adapter.test.d.ts +2 -0
- package/dist/scoped-adapter.test.d.ts.map +1 -0
- package/dist/secret-backed-value.d.ts +27 -0
- package/dist/secret-backed-value.d.ts.map +1 -0
- package/dist/secrets.d.ts +52 -106
- package/dist/secrets.d.ts.map +1 -1
- package/dist/testing.d.ts +5 -3
- package/dist/testing.d.ts.map +1 -1
- package/dist/types.d.ts +84 -0
- package/dist/types.d.ts.map +1 -0
- package/package.json +7 -4
- package/dist/chunk-D7CT3UMO.js +0 -1386
- package/dist/chunk-D7CT3UMO.js.map +0 -1
- package/dist/in-memory/policy-engine.d.ts +0 -10
- package/dist/in-memory/policy-engine.d.ts.map +0 -1
- package/dist/in-memory/secret-store.d.ts +0 -16
- package/dist/in-memory/secret-store.d.ts.map +0 -1
- package/dist/in-memory/tool-registry.d.ts +0 -35
- package/dist/in-memory/tool-registry.d.ts.map +0 -1
- package/dist/index.test.d.ts +0 -2
- package/dist/index.test.d.ts.map +0 -1
- package/dist/plugin-kv.d.ts +0 -48
- package/dist/plugin-kv.d.ts.map +0 -1
- package/dist/plugins/in-memory-tools.d.ts +0 -42
- package/dist/plugins/in-memory-tools.d.ts.map +0 -1
- package/dist/runtime-tools.d.ts +0 -41
- package/dist/runtime-tools.d.ts.map +0 -1
- package/dist/sources.d.ts +0 -130
- package/dist/sources.d.ts.map +0 -1
- package/dist/tools.d.ts +0 -219
- package/dist/tools.d.ts.map +0 -1
|
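--- a/package/dist/oauth-discovery.d.ts
+++ b/package/dist/oauth-discovery.d.ts
@@ -0,0 +1,138 @@
+import { Effect, Schema } from "effect";
+import { createPkceCodeChallenge } from "./oauth-helpers";
+declare const OAuthDiscoveryError_base: new <A extends Record<string, any> = {}>(args: import("effect/Types").VoidIfEmpty<{ readonly [P in keyof A as P extends "_tag" ? never : P]: A[P]; }>) => import("effect/Cause").YieldableError & {
+readonly _tag: "OAuthDiscoveryError";
+} & Readonly<A>;
+/** Separate tag from `OAuth2Error` so callers can distinguish discovery
+* / DCR failures (happen once, before any token round-trips) from
+* token-endpoint failures. A plugin's refresh path should never have
+* to inspect error messages to tell "metadata drifted, re-discover"
+* apart from "refresh token is no longer honoured". */
+export declare class OAuthDiscoveryError extends OAuthDiscoveryError_base<{
+readonly message: string;
+readonly status?: number;
+readonly cause?: unknown;
+}> {
+}
+export declare const OAuthProtectedResourceMetadataSchema: Schema.Struct<{
+readonly resource: Schema.optional<Schema.String>;
+readonly authorization_servers: Schema.optional<Schema.$Array<Schema.String>>;
+readonly scopes_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly bearer_methods_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly resource_documentation: Schema.optional<Schema.String>;
+}>;
+export type OAuthProtectedResourceMetadata = typeof OAuthProtectedResourceMetadataSchema.Type;
+export declare const OAuthAuthorizationServerMetadataSchema: Schema.Struct<{
+readonly issuer: Schema.String;
+readonly authorization_endpoint: Schema.String;
+readonly token_endpoint: Schema.String;
+readonly registration_endpoint: Schema.optional<Schema.String>;
+readonly scopes_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly response_types_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly grant_types_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly code_challenge_methods_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly token_endpoint_auth_methods_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly revocation_endpoint: Schema.optional<Schema.String>;
+readonly introspection_endpoint: Schema.optional<Schema.String>;
+readonly userinfo_endpoint: Schema.optional<Schema.String>;
+readonly id_token_signing_alg_values_supported: Schema.optional<Schema.$Array<Schema.String>>;
+}>;
+export type OAuthAuthorizationServerMetadata = typeof OAuthAuthorizationServerMetadataSchema.Type;
+export type DynamicClientMetadata = {
+readonly client_name?: string;
+readonly redirect_uris: readonly string[];
+readonly grant_types?: readonly string[];
+readonly response_types?: readonly string[];
+readonly token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
+readonly scope?: string;
+readonly application_type?: "web" | "native";
+readonly client_uri?: string;
+readonly logo_uri?: string;
+readonly contacts?: readonly string[];
+readonly software_id?: string;
+readonly software_version?: string;
+/** Escape hatch for provider-specific extensions; merged last. */
+readonly extra?: Readonly<Record<string, unknown>>;
+};
+export declare const OAuthClientInformationSchema: Schema.Struct<{
+readonly client_id: Schema.String;
+readonly client_secret: Schema.optional<Schema.String>;
+readonly client_id_issued_at: Schema.optional<Schema.Number>;
+readonly client_secret_expires_at: Schema.optional<Schema.Number>;
+readonly registration_access_token: Schema.optional<Schema.String>;
+readonly registration_client_uri: Schema.optional<Schema.String>;
+readonly token_endpoint_auth_method: Schema.optional<Schema.String>;
+readonly grant_types: Schema.optional<Schema.$Array<Schema.String>>;
+readonly response_types: Schema.optional<Schema.$Array<Schema.String>>;
+readonly redirect_uris: Schema.optional<Schema.$Array<Schema.String>>;
+readonly client_name: Schema.optional<Schema.String>;
+readonly scope: Schema.optional<Schema.String>;
+}>;
+export type OAuthClientInformation = typeof OAuthClientInformationSchema.Type;
+export interface DiscoveryRequestOptions {
+/** Injected for tests. Defaults to the global `fetch`. */
+readonly fetch?: typeof fetch;
+/** Abort the request after this many ms. Default 20000. */
+readonly timeoutMs?: number;
+/** Send `MCP-Protocol-Version: <value>` on every request. Harmless
+* for non-MCP servers; required by the MCP authorization spec. */
+readonly mcpProtocolVersion?: string;
+/** Credentials needed to reach the protected resource itself. These
+* are intentionally used only for resource-side probes, never for
+* authorization-server metadata, DCR, authorization, or token calls. */
+readonly resourceHeaders?: Readonly<Record<string, string>>;
+readonly resourceQueryParams?: Readonly<Record<string, string>>;
+}
+export declare const discoverProtectedResourceMetadata: (resourceUrl: string, options?: DiscoveryRequestOptions) => Effect.Effect<{
+readonly metadataUrl: string;
+readonly metadata: OAuthProtectedResourceMetadata;
+} | null, OAuthDiscoveryError>;
+export declare const discoverAuthorizationServerMetadata: (issuer: string, options?: DiscoveryRequestOptions) => Effect.Effect<{
+readonly metadataUrl: string;
+readonly metadata: OAuthAuthorizationServerMetadata;
+} | null, OAuthDiscoveryError>;
+export interface RegisterDynamicClientInput {
+readonly registrationEndpoint: string;
+readonly metadata: DynamicClientMetadata;
+readonly initialAccessToken?: string | null;
+}
+export declare const registerDynamicClient: (input: RegisterDynamicClientInput, options?: DiscoveryRequestOptions) => Effect.Effect<OAuthClientInformation, OAuthDiscoveryError>;
+export interface DynamicAuthorizationState {
+readonly resourceMetadata: OAuthProtectedResourceMetadata | null;
+readonly resourceMetadataUrl: string | null;
+readonly authorizationServerUrl: string;
+readonly authorizationServerMetadataUrl: string;
+readonly authorizationServerMetadata: OAuthAuthorizationServerMetadata;
+readonly clientInformation: OAuthClientInformation;
+}
+export interface DynamicAuthorizationStartResult {
+readonly authorizationUrl: string;
+readonly codeVerifier: string;
+readonly state: DynamicAuthorizationState;
+}
+export interface BeginDynamicAuthorizationInput {
+readonly endpoint: string;
+readonly redirectUrl: string;
+/** RFC 6749 `state` — callers typically pass a per-session random id. */
+readonly state: string;
+/** Defaults: `redirect_uris=[redirectUrl]`, `token_endpoint_auth_method="none"`
+* (public client + PKCE). */
+readonly clientMetadata?: Partial<DynamicClientMetadata>;
+/** Scopes to request. Defaults to `scopes_supported`; omitted if
+* neither is set. */
+readonly scopes?: readonly string[];
+/** Pre-existing state from a previous flow. When provided, the
+* matching discovery / DCR step is skipped so multi-user sign-ins
+* against the same source don't re-pay those costs. */
+readonly previousState?: {
+readonly authorizationServerUrl?: string | null;
+readonly authorizationServerMetadata?: OAuthAuthorizationServerMetadata | null;
+readonly authorizationServerMetadataUrl?: string | null;
+readonly resourceMetadata?: OAuthProtectedResourceMetadata | null;
+readonly resourceMetadataUrl?: string | null;
+readonly clientInformation?: OAuthClientInformation | null;
+};
+}
+export declare const beginDynamicAuthorization: (input: BeginDynamicAuthorizationInput, options?: DiscoveryRequestOptions) => Effect.Effect<DynamicAuthorizationStartResult, OAuthDiscoveryError>;
+export { createPkceCodeChallenge };
+//# sourceMappingURL=oauth-discovery.d.ts.map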
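Review bot: `OAuthAuthorizationServerMetadataSchema` types `issuer`, `authorization_endpoint`, `token_endpoint` and `registration_endpoint` as bare `Schema.String`, and nothing on `discoverAuthorizationServerMetadata` says whether the returned `issuer` is compared with the `issuer` argument or whether endpoints are restricted to `https:`. `beginDynamicAuthorization` starts from a caller-supplied `endpoint` and then follows URLs the server advertises, so that comparison (required by RFC 8414 §3.3) is what keeps untrusted metadata from redirecting registration and token requests to a host the user never chose. Only the declarations are visible here, so the implementation may already enforce it; if so, record it on the export, e.g. `/** Fails with OAuthDiscoveryError unless metadata.issuer equals the requested issuer and every endpoint is an https URL. */`. The comment on `DynamicClientMetadata.extra` has a similar gap: "merged last" implies it can replace `redirect_uris` and `token_endpoint_auth_method`, and the doc should say whether that is intended.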
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-discovery.d.ts","sourceRoot":"","sources":["../src/oauth-discovery.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAQ,MAAM,EAAU,MAAM,EAAE,MAAM,QAAQ,CAAC;AAGtD,OAAO,EAGL,uBAAuB,EAExB,MAAM,iBAAiB,CAAC;;;;AAMzB;;;;wDAIwD;AACxD,qBAAa,mBAAoB,SAAQ,yBAEvC;IACA,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;CAAG;AAmBL,eAAO,MAAM,oCAAoC;;;;;;EAMY,CAAC;AAC9D,MAAM,MAAM,8BAA8B,GACxC,OAAO,oCAAoC,CAAC,IAAI,CAAC;AAEnD,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;EAcY,CAAC;AAChE,MAAM,MAAM,gCAAgC,GAC1C,OAAO,sCAAsC,CAAC,IAAI,CAAC;AAErD,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,aAAa,EAAE,SAAS,MAAM,EAAE,CAAC;IAC1C,QAAQ,CAAC,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACzC,QAAQ,CAAC,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,QAAQ,CAAC,0BAA0B,CAAC,EAChC,MAAM,GACN,qBAAqB,GACrB,oBAAoB,GACpB,iBAAiB,CAAC;IACtB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,KAAK,GAAG,QAAQ,CAAC;IAC7C,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,kEAAkE;IAClE,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACpD,CAAC;AAEF,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;EAaY,CAAC;AACtD,MAAM,MAAM,sBAAsB,GAAG,OAAO,4BAA4B,CAAC,IAAI,CAAC;AAY9E,MAAM,WAAW,uBAAuB;IACtC,0DAA0D;IAC1D,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IAC9B,2DAA2D;IAC3D,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B;uEACmE;IACnE,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC;;6EAEyE;IACzE,QAAQ,CAAC,eAAe,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAC5D,QAAQ,CAAC,mBAAmB,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACjE;AA6ED,eAAO,MAAM,iCAAiC,GAC5C,aAAa,MAAM,EACnB,UAAS,uBAA4B,KACpC,MAAM,CAAC,MAAM,CACZ;IAAE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,QAAQ,EAAE,8BAA8B,CAAA;CAAE,GACnF,IAAI,EACN,mBAAmB,CA0DjB,CAAC;AAyBL,eAAO,MAAM,m
CAAmC,GAC9C,QAAQ,MAAM,EACd,UAAS,uBAA4B,KACpC,MAAM,CAAC,MAAM,CACZ;IACE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,gCAAgC,CAAC;CACrD,GACD,IAAI,EACN,mBAAmB,CAuDjB,CAAC;AASL,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,qBAAqB,CAAC;IACzC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7C;AAYD,eAAO,MAAM,qBAAqB,GAChC,OAAO,0BAA0B,EACjC,UAAS,uBAA4B,KACpC,MAAM,CAAC,MAAM,CAAC,sBAAsB,EAAE,mBAAmB,CA4EzD,CAAC;AAMJ,MAAM,WAAW,yBAAyB;IACxC,QAAQ,CAAC,gBAAgB,EAAE,8BAA8B,GAAG,IAAI,CAAC;IACjE,QAAQ,CAAC,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5C,QAAQ,CAAC,sBAAsB,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,8BAA8B,EAAE,MAAM,CAAC;IAChD,QAAQ,CAAC,2BAA2B,EAAE,gCAAgC,CAAC;IACvE,QAAQ,CAAC,iBAAiB,EAAE,sBAAsB,CAAC;CACpD;AAED,MAAM,WAAW,+BAA+B;IAC9C,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,yBAAyB,CAAC;CAC3C;AAED,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,yEAAyE;IACzE,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;kCAC8B;IAC9B,QAAQ,CAAC,cAAc,CAAC,EAAE,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACzD;0BACsB;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;4DAEwD;IACxD,QAAQ,CAAC,aAAa,CAAC,EAAE;QACvB,QAAQ,CAAC,sBAAsB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAChD,QAAQ,CAAC,2BAA2B,CAAC,EAAE,gCAAgC,GAAG,IAAI,CAAC;QAC/E,QAAQ,CAAC,8BAA8B,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACxD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,8BAA8B,GAAG,IAAI,CAAC;QAClE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC7C,QAAQ,CAAC,iBAAiB,CAAC,EAAE,sBAAsB,GAAG,IAAI,CAAC;KAC5D,CAAC;CACH;AAED,eAAO,MAAM,yBAAyB,GACpC,OAAO,8BAA8B,EACrC,UAAS,uBAA4B,KACpC,MAAM,CAAC,MAAM,CAAC,+BAA+B,EAAE,mBAAmB,CAwHjE,CAAC;AAEL,OAAO,EAAE,uBAAuB,EAAE,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-discovery.test.d.ts","sourceRoot":"","sources":["../src/oauth-discovery.test.ts"],"names":[],"mappings":""}
|
|
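--- a/package/dist/oauth-helpers.d.ts
+++ b/package/dist/oauth-helpers.d.ts
@@ -0,0 +1,89 @@
+import { Effect } from "effect";
+declare const OAuth2Error_base: new <A extends Record<string, any> = {}>(args: import("effect/Types").VoidIfEmpty<{ readonly [P in keyof A as P extends "_tag" ? never : P]: A[P]; }>) => import("effect/Cause").YieldableError & {
+readonly _tag: "OAuth2Error";
+} & Readonly<A>;
+export declare class OAuth2Error extends OAuth2Error_base<{
+readonly message: string;
+/**
+* RFC 6749 §5.2 error code, when the token endpoint returned one
+* (`invalid_grant`, `invalid_client`, `unauthorized_client`, ...).
+* Callers use this to distinguish terminal failures (a refresh token
+* the AS no longer honours → re-auth required) from transient ones.
+*/
+readonly error?: string;
+readonly cause?: unknown;
+}> {
+}
+export type OAuth2TokenResponse = {
+readonly access_token: string;
+readonly token_type?: string;
+readonly refresh_token?: string;
+readonly expires_in?: number;
+readonly scope?: string;
+};
+/** Refresh tokens this many ms before expiry to avoid mid-request expiration. */
+export declare const OAUTH2_REFRESH_SKEW_MS = 60000;
+/** Default token-endpoint timeout. */
+export declare const OAUTH2_DEFAULT_TIMEOUT_MS = 20000;
+export declare const createPkceCodeVerifier: () => string;
+export declare const createPkceCodeChallenge: (verifier: string) => Promise<string>;
+export type BuildAuthorizationUrlInput = {
+readonly authorizationUrl: string;
+readonly clientId: string;
+readonly redirectUrl: string;
+readonly scopes: readonly string[];
+readonly state: string;
+/** Pre-computed base64url S256 challenge (from `createPkceCodeChallenge`). */
+readonly codeChallenge: string;
+/** Separator between scopes. RFC 6749 says space; some providers use comma. */
+readonly scopeSeparator?: string;
+/** Provider-specific extras (e.g. Google's `access_type=offline`). */
+readonly extraParams?: Readonly<Record<string, string>>;
+};
+/** Build an RFC 6749 §4.1.1 authorization URL. Sync; pre-computed
+* challenge lets this stay out of the Promise world. */
+export declare const buildAuthorizationUrl: (input: BuildAuthorizationUrlInput) => string;
+export type ClientAuthMethod = "body" | "basic";
+export type ExchangeAuthorizationCodeInput = {
+readonly tokenUrl: string;
+readonly issuerUrl?: string | null;
+readonly clientId: string;
+readonly clientSecret?: string | null;
+readonly redirectUrl: string;
+readonly codeVerifier: string;
+readonly code: string;
+readonly clientAuth?: ClientAuthMethod;
+readonly idTokenSigningAlgValuesSupported?: readonly string[];
+readonly timeoutMs?: number;
+};
+export declare const exchangeAuthorizationCode: (input: ExchangeAuthorizationCodeInput) => Effect.Effect<OAuth2TokenResponse, OAuth2Error>;
+export type ExchangeClientCredentialsInput = {
+readonly tokenUrl: string;
+readonly clientId: string;
+readonly clientSecret: string;
+readonly scopes?: readonly string[];
+readonly scopeSeparator?: string;
+readonly clientAuth?: ClientAuthMethod;
+readonly timeoutMs?: number;
+};
+export declare const exchangeClientCredentials: (input: ExchangeClientCredentialsInput) => Effect.Effect<OAuth2TokenResponse, OAuth2Error>;
+export type RefreshAccessTokenInput = {
+readonly tokenUrl: string;
+readonly issuerUrl?: string | null;
+readonly clientId: string;
+readonly clientSecret?: string | null;
+readonly refreshToken: string;
+readonly scopes?: readonly string[];
+readonly scopeSeparator?: string;
+readonly clientAuth?: ClientAuthMethod;
+readonly idTokenSigningAlgValuesSupported?: readonly string[];
+readonly timeoutMs?: number;
+};
+export declare const refreshAccessToken: (input: RefreshAccessTokenInput) => Effect.Effect<OAuth2TokenResponse, OAuth2Error>;
+export declare const shouldRefreshToken: (input: {
+readonly expiresAt: number | null;
+readonly now?: number;
+readonly skewMs?: number;
+}) => boolean;
+export {};
+//# sourceMappingURL=oauth-helpers.d.ts.map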
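Review bot: `BuildAuthorizationUrlInput.extraParams` is documented only as "Provider-specific extras", which leaves open whether a key such as `state`, `redirect_uri`, `code_challenge` or `code_challenge_method` placed in it replaces the value `buildAuthorizationUrl` derives from the typed fields. If the extras are applied after the standard parameters, configuration that reaches `extraParams` could silently drop the PKCE challenge or the CSRF `state`. The function body is not in this declaration file, so the precedence cannot be confirmed from here. I would pin it in the contract, e.g. `/** Provider-specific extras; keys that collide with the RFC 6749 / PKCE parameters set from the other fields are ignored. */`, and add a test for the collision case.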
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-helpers.d.ts","sourceRoot":"","sources":["../src/oauth-helpers.ts"],"names":[],"mappings":"AAkBA,OAAO,EAAQ,MAAM,EAAE,MAAM,QAAQ,CAAC;;;;AAOtC,qBAAa,WAAY,SAAQ,iBAAgC;IAC/D,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;CAAG;AAML,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAMF,iFAAiF;AACjF,eAAO,MAAM,sBAAsB,QAAS,CAAC;AAE7C,sCAAsC;AACtC,eAAO,MAAM,yBAAyB,QAAS,CAAC;AAMhD,eAAO,MAAM,sBAAsB,QAAO,MACN,CAAC;AAErC,eAAO,MAAM,uBAAuB,GAAI,UAAU,MAAM,KAAG,OAAO,CAAC,MAAM,CAC7B,CAAC;AAM7C,MAAM,MAAM,0BAA0B,GAAG;IACvC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,8EAA8E;IAC9E,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,+EAA+E;IAC/E,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,sEAAsE;IACtE,QAAQ,CAAC,WAAW,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACzD,CAAC;AAEF;yDACyD;AACzD,eAAO,MAAM,qBAAqB,GAAI,OAAO,0BAA0B,KAAG,MAgBzE,CAAC;AAwCF,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,OAAO,CAAC;AA2IhD,MAAM,MAAM,8BAA8B,GAAG;IAC3C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IACvC,QAAQ,CAAC,gCAAgC,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9D,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF,eAAO,MAAM,yBAAyB,GACpC,OAAO,8BAA8B,KACpC,MAAM,CAAC,MAAM,CAAC,mBAAmB,EAAE,WAAW,CAiC7C,CAAC;AAML,MAAM,MAAM,8BAA8B,GAAG;IAC3C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,EAAE,M
AAM,CAAC;IAC9B,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IACvC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF,eAAO,MAAM,yBAAyB,GACpC,OAAO,8BAA8B,KACpC,MAAM,CAAC,MAAM,CAAC,mBAAmB,EAAE,WAAW,CA4B7C,CAAC;AAML,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IACvC,QAAQ,CAAC,gCAAgC,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9D,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAC7B,OAAO,uBAAuB,KAC7B,MAAM,CAAC,MAAM,CAAC,mBAAmB,EAAE,WAAW,CA0C7C,CAAC;AAML,eAAO,MAAM,kBAAkB,GAAI,OAAO;IACxC,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B,KAAG,OAKH,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-helpers.test.d.ts","sourceRoot":"","sources":["../src/oauth-helpers.test.ts"],"names":[],"mappings":""}
|
|
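--- a/package/dist/oauth-popup-types.d.ts
+++ b/package/dist/oauth-popup-types.d.ts
@@ -0,0 +1,14 @@
+/** Message type literal used to identify our popup results. */
+export declare const OAUTH_POPUP_MESSAGE_TYPE: "executor:oauth-result";
+export type OAuthPopupResult<TAuth> = ({
+readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;
+readonly ok: true;
+readonly sessionId: string;
+} & TAuth) | {
+readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;
+readonly ok: false;
+readonly sessionId: string | null;
+readonly error: string;
+};
+export declare const isOAuthPopupResult: <TAuth>(value: unknown) => value is OAuthPopupResult<TAuth>;
+//# sourceMappingURL=oauth-popup-types.d.ts.map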
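Review bot: `isOAuthPopupResult<TAuth>` narrows `unknown` to `OAuthPopupResult<TAuth>`, but `TAuth` is erased at runtime, so the guard can at most check `type`, `ok`, `sessionId` and `error`; the `TAuth` fields of a success message are asserted rather than verified. `OAUTH_POPUP_MESSAGE_TYPE` is an exported constant, so a value passing this guard says nothing about who sent it. The handler that receives the popup message still has to compare the message origin with the expected one and `sessionId` with the session it started. The implementation is not part of this file, so this is a documentation request on the guard: `/** Shape check only: does not validate TAuth fields, message origin or sessionId ownership. */`.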
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-popup-types.d.ts","sourceRoot":"","sources":["../src/oauth-popup-types.ts"],"names":[],"mappings":"AAQA,+DAA+D;AAC/D,eAAO,MAAM,wBAAwB,EAAG,uBAAgC,CAAC;AAEzE,MAAM,MAAM,gBAAgB,CAAC,KAAK,IAC9B,CAAC;IACC,QAAQ,CAAC,IAAI,EAAE,OAAO,wBAAwB,CAAC;IAC/C,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B,GAAG,KAAK,CAAC,GACV;IACE,QAAQ,CAAC,IAAI,EAAE,OAAO,wBAAwB,CAAC;IAC/C,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IACnB,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB,CAAC;AAEN,eAAO,MAAM,kBAAkB,GAAI,KAAK,EACtC,OAAO,OAAO,KACb,KAAK,IAAI,gBAAgB,CAAC,KAAK,CAG+B,CAAC"}
|
|
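--- a/package/dist/oauth-service.d.ts
+++ b/package/dist/oauth-service.d.ts
@@ -0,0 +1,33 @@
+import { Effect } from "effect";
+import type { DBAdapter, StorageFailure, TypedAdapter } from "@executor-js/storage-core";
+import { CreateConnectionInput, type ConnectionProvider, type ConnectionRef } from "./connections";
+import type { ConnectionProviderNotRegisteredError } from "./errors";
+import type { CoreSchema } from "./core-schema";
+import { SetSecretInput, type SecretRef } from "./secrets";
+import { type OAuthService } from "./oauth";
+export interface OAuthServiceDeps {
+/** Typed core-schema adapter. Already scope-wrapped upstream so reads
+* fall through the scope stack; writes stamp the scope the caller
+* named (`tokenScope` on start input). */
+readonly adapter: TypedAdapter<CoreSchema>;
+/** Raw adapter for opening transactions — the typed one doesn't expose
+* `.transaction` directly. */
+readonly rawAdapter: DBAdapter;
+/** Resolves client-id / client-secret refs at start + refresh time.
+* A `null` return means "secret row is gone" and aborts the flow. */
+readonly secretsGet: (id: string) => Effect.Effect<string | null, StorageFailure>;
+readonly secretsSet: (input: SetSecretInput) => Effect.Effect<SecretRef, StorageFailure>;
+/** Mints the Connection row + backing secret rows. Called from
+* `complete` (and from `start` for `client-credentials`). */
+readonly connectionsCreate: (input: CreateConnectionInput) => Effect.Effect<ConnectionRef, ConnectionProviderNotRegisteredError | StorageFailure>;
+/** Random session id generator. Tests override to make outputs
+* deterministic. */
+readonly newSessionId?: () => string;
+/** `Date.now()` substitute — tests override to drive TTL behavior. */
+readonly now?: () => number;
+}
+export declare const makeOAuth2Service: (deps: OAuthServiceDeps) => {
+readonly service: OAuthService;
+readonly connectionProvider: ConnectionProvider;
+};
+//# sourceMappingURL=oauth-service.d.ts.map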
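Review bot: `OAuthServiceDeps.newSessionId` is described as a "Random session id generator" that tests override, but the contract does not require the value to be unpredictable or say what the default is. Elsewhere on this page `BeginDynamicAuthorizationInput.state` notes that callers typically pass a per-session random id, so the session id presumably doubles as the OAuth `state` that protects the callback; a counter or timestamp supplied here would weaken that. The body of `makeOAuth2Service` is not visible, so the default generator cannot be checked from this file. I would tighten the comment to `/** Session id generator; outside tests it must return values from a CSPRNG, since the id binds the authorization callback to its session. */`.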
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-service.d.ts","sourceRoot":"","sources":["../src/oauth-service.ts"],"names":[],"mappings":"AAqCA,OAAO,EAAE,MAAM,EAAU,MAAM,QAAQ,CAAC;AAExC,OAAO,KAAK,EACV,SAAS,EACT,cAAc,EACd,YAAY,EACb,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAEL,qBAAqB,EAErB,KAAK,kBAAkB,EAGvB,KAAK,aAAa,EACnB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EACV,oCAAoC,EACrC,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD,OAAO,EAAE,cAAc,EAAE,KAAK,SAAS,EAAE,MAAM,WAAW,CAAC;AAC3D,OAAO,EAgBL,KAAK,YAAY,EAGlB,MAAM,SAAS,CAAC;AAmMjB,MAAM,WAAW,gBAAgB;IAC/B;;+CAE2C;IAC3C,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC,UAAU,CAAC,CAAC;IAC3C;mCAC+B;IAC/B,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B;0EACsE;IACtE,QAAQ,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,IAAI,EAAE,cAAc,CAAC,CAAC;IAClF,QAAQ,CAAC,UAAU,EAAE,CAAC,KAAK,EAAE,cAAc,KAAK,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IACzF;kEAC8D;IAC9D,QAAQ,CAAC,iBAAiB,EAAE,CAC1B,KAAK,EAAE,qBAAqB,KACzB,MAAM,CAAC,MAAM,CAChB,aAAa,EACb,oCAAoC,GAAG,cAAc,CACtD,CAAC;IACF;yBACqB;IACrB,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,MAAM,CAAC;IACrC,sEAAsE;IACtE,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CAC7B;AAyCD,eAAO,MAAM,iBAAiB,GAC5B,MAAM,gBAAgB,KACrB;IAAE,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC;IAAC,QAAQ,CAAC,kBAAkB,EAAE,kBAAkB,CAAA;CAq7BnF,CAAC"}
|
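--- a/package/dist/oauth.d.ts
+++ b/package/dist/oauth.d.ts
@@ -0,0 +1,275 @@
+import { Effect, Schema } from "effect";
+import type { StorageFailure } from "@executor-js/storage-core";
+import { ConnectionId } from "./ids";
+/** RFC 9728 + RFC 8414 + RFC 7591 + PKCE: discover protected-resource
+* metadata, discover the authorization server, dynamically register a
+* client, then PKCE-encode the authorization URL. Zero pre-configured
+* credentials — the user just pastes a resource URL. */
+export declare const OAuthDynamicDcrStrategy: Schema.Struct<{
+readonly kind: Schema.Literal<"dynamic-dcr">;
+/** Scopes to request. Defaults to whatever `scopes_supported`
+* advertises; caller can narrow or extend. */
+readonly scopes: Schema.optional<Schema.$Array<Schema.String>>;
+}>;
+export type OAuthDynamicDcrStrategy = typeof OAuthDynamicDcrStrategy.Type;
+/** RFC 6749 authorization code + PKCE with pre-configured endpoints +
+* client_id. Used when the caller has out-of-band-registered an OAuth
+* app (Google via Cloud Console, GitHub via developer portal, etc.) or
+* when the auth-server URL is declared in an OpenAPI `securityScheme`. */
+export declare const OAuthAuthorizationCodeStrategy: Schema.Struct<{
+readonly kind: Schema.Literal<"authorization-code">;
+readonly authorizationEndpoint: Schema.String;
+readonly tokenEndpoint: Schema.String;
+/** Expected authorization-server issuer for ID token validation. Some
+* providers use a token endpoint host that differs from issuer, or a
+* path-scoped issuer such as Okta custom authorization servers. */
+readonly issuerUrl: Schema.optional<Schema.NullOr<Schema.String>>;
+/** Secret id holding the `client_id`. Using a secret row rather than
+* an inline string so the value lives at the scope where the caller
+* configured it and shadowing behaves consistently. */
+readonly clientIdSecretId: Schema.String;
+/** Secret id for `client_secret`. Null for public clients using
+* PKCE without a confidential secret. */
+readonly clientSecretSecretId: Schema.NullOr<Schema.String>;
+readonly scopes: Schema.$Array<Schema.String>;
+/** Separator between scopes. RFC 6749 says space; some providers
+* (GitHub classic) use comma. */
+readonly scopeSeparator: Schema.optional<Schema.String>;
+/** Provider-specific params injected at authorization URL build time
+* (Google's `access_type=offline`, `prompt=consent`, ...). */
+readonly extraAuthorizationParams: Schema.optional<Schema.$Record<Schema.String, Schema.String>>;
+/** `"body"` (default) sends client creds in the form body; `"basic"`
+* uses HTTP Basic auth. Stripe-style servers require basic. */
+readonly clientAuth: Schema.optional<Schema.Literals<readonly ["body", "basic"]>>;
+}>;
+export type OAuthAuthorizationCodeStrategy = typeof OAuthAuthorizationCodeStrategy.Type;
+/** RFC 6749 §4.4 client credentials — no user redirect, no PKCE. Used
+* for server-to-server integrations where the plugin has both
+* `client_id` and `client_secret` and the server will mint tokens
+* directly on the token endpoint. */
+export declare const OAuthClientCredentialsStrategy: Schema.Struct<{
+readonly kind: Schema.Literal<"client-credentials">;
+readonly tokenEndpoint: Schema.String;
+readonly clientIdSecretId: Schema.String;
+readonly clientSecretSecretId: Schema.String;
+readonly scopes: Schema.optional<Schema.$Array<Schema.String>>;
+readonly scopeSeparator: Schema.optional<Schema.String>;
+readonly clientAuth: Schema.optional<Schema.Literals<readonly ["body", "basic"]>>;
+}>;
+export type OAuthClientCredentialsStrategy = typeof OAuthClientCredentialsStrategy.Type;
+/** Tagged union of every start-time strategy shape. A new strategy (e.g.
+* device-code) is added here; the service's start/complete routes on
+* `kind`. */
+export declare const OAuthStrategy: Schema.Union<readonly [Schema.Struct<{
+readonly kind: Schema.Literal<"dynamic-dcr">;
+/** Scopes to request. Defaults to whatever `scopes_supported`
+* advertises; caller can narrow or extend. */
+readonly scopes: Schema.optional<Schema.$Array<Schema.String>>;
+}>, Schema.Struct<{
+readonly kind: Schema.Literal<"authorization-code">;
+readonly authorizationEndpoint: Schema.String;
+readonly tokenEndpoint: Schema.String;
+/** Expected authorization-server issuer for ID token validation. Some
+* providers use a token endpoint host that differs from issuer, or a
+* path-scoped issuer such as Okta custom authorization servers. */
+readonly issuerUrl: Schema.optional<Schema.NullOr<Schema.String>>;
+/** Secret id holding the `client_id`. Using a secret row rather than
+* an inline string so the value lives at the scope where the caller
+* configured it and shadowing behaves consistently. */
+readonly clientIdSecretId: Schema.String;
+/** Secret id for `client_secret`. Null for public clients using
+* PKCE without a confidential secret. */
+readonly clientSecretSecretId: Schema.NullOr<Schema.String>;
+readonly scopes: Schema.$Array<Schema.String>;
+/** Separator between scopes. RFC 6749 says space; some providers
+* (GitHub classic) use comma. */
+readonly scopeSeparator: Schema.optional<Schema.String>;
+/** Provider-specific params injected at authorization URL build time
+* (Google's `access_type=offline`, `prompt=consent`, ...). */
+readonly extraAuthorizationParams: Schema.optional<Schema.$Record<Schema.String, Schema.String>>;
+/** `"body"` (default) sends client creds in the form body; `"basic"`
+* uses HTTP Basic auth. Stripe-style servers require basic. */
+readonly clientAuth: Schema.optional<Schema.Literals<readonly ["body", "basic"]>>;
+}>, Schema.Struct<{
+readonly kind: Schema.Literal<"client-credentials">;
+readonly tokenEndpoint: Schema.String;
+readonly clientIdSecretId: Schema.String;
+readonly clientSecretSecretId: Schema.String;
+readonly scopes: Schema.optional<Schema.$Array<Schema.String>>;
+readonly scopeSeparator: Schema.optional<Schema.String>;
+readonly clientAuth: Schema.optional<Schema.Literals<readonly ["body", "basic"]>>;
+}>]>;
+export type OAuthStrategy = typeof OAuthStrategy.Type;
+/** Discriminator mirrors `OAuthStrategy["kind"]`. Refresh reads
+* `tokenEndpoint` + `clientAuth` + client id/secret refs directly and
+* never re-runs discovery. */
+export declare const OAuthProviderState: Schema.Union<readonly [Schema.Struct<{
+readonly kind: Schema.Literal<"dynamic-dcr">;
+readonly tokenEndpoint: Schema.String;
+readonly issuerUrl: Schema.optional<Schema.NullOr<Schema.String>>;
+readonly authorizationServerUrl: Schema.optional<Schema.NullOr<Schema.String>>;
+readonly authorizationServerMetadataUrl: Schema.NullOr<Schema.String>;
+readonly idTokenSigningAlgValuesSupported: Schema.optional<Schema.$Array<Schema.String>>;
+/** DCR-minted client_id. Embedded inline (not a secret) — DCR
+* clients are public-ish by design; the secret part (if the AS
+* issued one) is a separate secret row. */
+readonly clientId: Schema.String;
+readonly clientSecretSecretId: Schema.NullOr<Schema.String>;
+readonly clientAuth: Schema.Literals<readonly ["body", "basic"]>;
+readonly scopes: Schema.withDecodingDefaultType<Schema.$Array<Schema.String>>;
+readonly scopeSeparator: Schema.optional<Schema.String>;
+readonly scope: Schema.NullOr<Schema.String>;
+}>, Schema.Struct<{
+readonly kind: Schema.Literal<"authorization-code">;
+readonly tokenEndpoint: Schema.String;
+readonly issuerUrl: Schema.optional<Schema.NullOr<Schema.String>>;
+readonly clientIdSecretId: Schema.String;
+readonly clientSecretSecretId: Schema.NullOr<Schema.String>;
+readonly clientAuth: Schema.Literals<readonly ["body", "basic"]>;
+readonly scopes: Schema.withDecodingDefaultType<Schema.$Array<Schema.String>>;
+readonly scopeSeparator: Schema.optional<Schema.String>;
+readonly scope: Schema.NullOr<Schema.String>;
+}>, Schema.Struct<{
+readonly kind: Schema.Literal<"client-credentials">;
+readonly tokenEndpoint: Schema.String;
+readonly clientIdSecretId: Schema.String;
+readonly clientSecretSecretId: Schema.String;
+readonly scopes: Schema.$Array<Schema.String>;
+readonly scopeSeparator: Schema.optional<Schema.String>;
+readonly clientAuth: Schema.Literals<readonly ["body", "basic"]>;
+readonly scope: Schema.NullOr<Schema.String>;
+}>]>;
+export type OAuthProviderState = typeof OAuthProviderState.Type;
+/** The canonical refresh handler key. Every OAuth2-minted connection
+* registers under this single value; the handler switches on
+* `providerState.kind`. Historical per-plugin keys (`mcp:oauth2`,
+* `openapi:oauth2`, `google-discovery:google`) are aliased to this
+* during migration. */
+export declare const OAUTH2_PROVIDER_KEY: "oauth2";
+export interface OAuthProbeInput {
+readonly endpoint: string;
+readonly headers?: Record<string, string>;
+readonly queryParams?: Record<string, string>;
+}
+export interface OAuthProbeResult {
+/** RFC 9728 resource metadata the server advertises, if any. */
+readonly resourceMetadata: Record<string, unknown> | null;
+readonly resourceMetadataUrl: string | null;
+/** RFC 8414 / OIDC metadata for the authorization server tied to the
+* resource, if the server advertised one and we could fetch it. */
+readonly authorizationServerMetadata: Record<string, unknown> | null;
+readonly authorizationServerMetadataUrl: string | null;
+readonly authorizationServerUrl: string | null;
+/** True iff the AS advertises `registration_endpoint` and
+* `token_endpoint_auth_methods_supported` includes `"none"` (public
+* client + PKCE). A `false` value here doesn't mean OAuth is
+* unavailable — just that the dynamic-DCR strategy can't run and the
+* caller must fall back to `authorization-code` with user-supplied
+* client credentials. */
+readonly supportsDynamicRegistration: boolean;
+/** True iff an unauth POST to the endpoint responded with `401` and
+* an MCP-shaped `WWW-Authenticate: Bearer` challenge (RFC 6750).
+* MCP-only signal; non-MCP OAuth-protected APIs usually encode auth
+* failures inside their own protocol envelope and never surface
+* this flag. */
+readonly isBearerChallengeEndpoint: boolean;
+}
+export interface OAuthStartInput {
+/** Resource URL the caller wants a token for. For `dynamic-dcr` this
+* is the probe target; for `authorization-code` it's stored only so
+* the UI can display "signed in to X." */
+readonly endpoint: string;
+readonly headers?: Record<string, string>;
+readonly queryParams?: Record<string, string>;
+/** Pre-decided `Connection.id`. Writing it before the flow starts
+* lets callers stamp `{kind:"oauth2", connectionId}` onto a source
+* row atomically with the start call. Convention:
+* `${pluginId}-oauth2-${namespace}`. */
+readonly connectionId: string;
+/** Scope where the resulting `Connection` + its backing secrets
+* land. Innermost scope for per-user sign-ins. */
+readonly tokenScope: string;
+/** Redirect URL the authorization server will bounce back to. For
+* strategies that don't redirect (`client-credentials`) pass a
+* placeholder; it's persisted but unused. */
+readonly redirectUrl: string;
+readonly strategy: OAuthStrategy;
+/** Which plugin is initiating the flow. Persisted on the session +
+* stamped on the minted Connection's identity label for UI. */
+readonly pluginId: string;
+/** Optional human label for the minted Connection, e.g. "Spotify OAuth". */
+readonly identityLabel?: string;
+}
+export interface OAuthStartResult {
+readonly sessionId: string;
+/** Present for user-interactive strategies. `null` for
+* `client-credentials`, which skips straight to a Connection write
+* inside `start`. */
+readonly authorizationUrl: string | null;
+/** For strategies that don't redirect, the Connection has already
+* been minted. Surfaced so callers can stamp the source row
+* immediately without waiting on a completion callback. */
+readonly completedConnection: {
+readonly connectionId: string;
+} | null;
+}
+export interface OAuthCompleteInput {
+/** RFC 6749 `state` parameter — maps to a session row id. */
+readonly state: string;
+readonly code?: string;
+/** RFC 6749 `error` parameter — set when the AS redirected back with
+* a failure. The service surfaces this as a tagged error. */
+readonly error?: string;
+}
+export interface OAuthCompleteResult {
+readonly connectionId: string;
+readonly expiresAt: number | null;
+readonly scope: string | null;
+}
+declare const OAuthProbeError_base: Schema.Class<OAuthProbeError, Schema.TaggedStruct<"OAuthProbeError", {
+readonly message: Schema.String;
+}>, import("effect/Cause").YieldableError>;
+export declare class OAuthProbeError extends OAuthProbeError_base {
+static annotations: {
+httpApiStatus: number;
+};
+}
+declare const OAuthStartError_base: Schema.Class<OAuthStartError, Schema.TaggedStruct<"OAuthStartError", {
+readonly message: Schema.String;
+}>, import("effect/Cause").YieldableError>;
+export declare class OAuthStartError extends OAuthStartError_base {
+static annotations: {
+httpApiStatus: number;
+};
+}
+declare const OAuthCompleteError_base: Schema.Class<OAuthCompleteError, Schema.TaggedStruct<"OAuthCompleteError", {
+readonly message: Schema.String;
+/** RFC 6749 §5.2 error code, when the token endpoint returned one.
+* Callers distinguish terminal failures (`invalid_grant` ⇒
+* re-auth required) from transient ones. */
+readonly code: Schema.optional<Schema.String>;
+}>, import("effect/Cause").YieldableError>;
+export declare class OAuthCompleteError extends OAuthCompleteError_base {
+static annotations: {
+httpApiStatus: number;
+};
+}
+declare const OAuthSessionNotFoundError_base: Schema.Class<OAuthSessionNotFoundError, Schema.TaggedStruct<"OAuthSessionNotFoundError", {
+readonly sessionId: Schema.String;
+}>, import("effect/Cause").YieldableError>;
+export declare class OAuthSessionNotFoundError extends OAuthSessionNotFoundError_base {
+static annotations: {
+httpApiStatus: number;
+};
+}
+export interface OAuthService {
+readonly probe: (input: OAuthProbeInput) => Effect.Effect<OAuthProbeResult, OAuthProbeError>;
+readonly start: (input: OAuthStartInput) => Effect.Effect<OAuthStartResult, OAuthStartError | StorageFailure>;
+readonly complete: (input: OAuthCompleteInput) => Effect.Effect<OAuthCompleteResult, OAuthCompleteError | OAuthSessionNotFoundError | StorageFailure>;
+/** Drop an in-flight session without completing — used when the
+* user cancels the popup or the source is deleted mid-onboarding. */
+readonly cancel: (sessionId: string, tokenScope?: string) => Effect.Effect<void, StorageFailure>;
+}
+export declare const OAUTH2_SESSION_TTL_MS: number;
+export { ConnectionId };
+//# sourceMappingURL=oauth.d.ts.map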
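Review bot: `OAuthProbeInput.endpoint` (and `OAuthStartInput.endpoint`, which the comment calls the probe target for `dynamic-dcr`) is a bare `string` with no statement of which URLs are acceptable, although the `OAuthProbeResult` comments say the service sends an unauthenticated POST to it and then fetches the authorization-server metadata that the server advertises. In a server-side deployment that is an outbound request to a caller-chosen destination, so the contract should say what is rejected; the same applies to `authorizationEndpoint` and `tokenEndpoint`, which are plain `Schema.String`. Whether the implementation already restricts scheme or destination is not visible in this declaration file. I would add a doc comment on the field in `src/oauth.ts` (this file is emitted from it), for example `/** URL the probe will contact; must be https, and hosts resolving to loopback, link-local or private ranges are rejected. */`, adjusted to whatever policy is actually enforced.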
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAmBA,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAExC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAEhE,OAAO,EAAE,YAAY,EAAE,MAAM,OAAO,CAAC;AAWrC;;;yDAGyD;AACzD,eAAO,MAAM,uBAAuB;;IAElC;mDAC+C;;EAE/C,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,OAAO,uBAAuB,CAAC,IAAI,CAAC;AAE1E;;;2EAG2E;AAC3E,eAAO,MAAM,8BAA8B;;;;IAIzC;;wEAEoE;;IAEpE;;4DAEwD;;IAExD;8CAC0C;;;IAG1C;sCACkC;;IAElC;mEAC+D;;IAI/D;oEACgE;;EAEhE,CAAC;AACH,MAAM,MAAM,8BAA8B,GACxC,OAAO,8BAA8B,CAAC,IAAI,CAAC;AAE7C;;;sCAGsC;AACtC,eAAO,MAAM,8BAA8B;;;;;;;;EAQzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GACxC,OAAO,8BAA8B,CAAC,IAAI,CAAC;AAE7C;;cAEc;AACd,eAAO,MAAM,aAAa;;IA5DxB;mDAC+C;;;;;;IAa/C;;wEAEoE;;IAEpE;;4DAEwD;;IAExD;8CAC0C;;;IAG1C;sCACkC;;IAElC;mEAC+D;;IAI/D;oEACgE;;;;;;;;;;IA6BhE,CAAC;AACH,MAAM,MAAM,aAAa,GAAG,OAAO,aAAa,CAAC,IAAI,CAAC;AAQtD;;+BAE+B;AAC/B,eAAO,MAAM,kBAAkB;;;;;;;IAU3B;;gDAE4C;;;;;;;;;;;;;;;;;;;;;;;;;;IA6B9C,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,OAAO,kBAAkB,CAAC,IAAI,CAAC;AAEhE;;;;wBAIwB;AACxB,eAAO,MAAM,mBAAmB,EAAG,QAAiB,CAAC;AAMrD,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC/C;AAED,MAAM,WAAW,gBAAgB;IAC/B,gEAAgE;IAChE,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC1D,QAAQ,CAAC,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5C;wEACoE;IACpE,QAAQ,CAAC,2BAA2B,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IACrE,QAAQ,CAAC,8BAA8B,EAAE,MAAM,GAAG,IAAI,CAAC;IACvD,QAAQ,CAAC,sBAAsB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/C;;;;;8BAK0B;IAC1B,QAAQ,CAAC,2BAA2B,EAAE,OAAO,CAAC;IAC9C;;;;qBAIiB;IACjB,QAAQ,CAAC,yBAAyB,EAAE,OAAO,CAAC;CAC7C;AAMD,MAAM,WAAW,eAAe;IAC9B;;+CAE2C;IAC3C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C;;;6CAGyC;IACzC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B;uDACmD;IACnD,QAA
Q,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B;;kDAE8C;IAC9C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC;IACjC;oEACgE;IAChE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,4EAA4E;IAC5E,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B;;0BAEsB;IACtB,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC;;gEAE4D;IAC5D,QAAQ,CAAC,mBAAmB,EAAE;QAAE,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CACxE;AAED,MAAM,WAAW,kBAAkB;IACjC,6DAA6D;IAC7D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;kEAC8D;IAC9D,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;;;;AAWD,qBAAa,eAAgB,SAAQ,oBAKpC;IACC,MAAM,CAAC,WAAW;;MAA0B;CAC7C;;;;AAED,qBAAa,eAAgB,SAAQ,oBAKpC;IACC,MAAM,CAAC,WAAW;;MAA0B;CAC7C;;;IAMG;;iDAE6C;;;AANjD,qBAAa,kBAAmB,SAAQ,uBASvC;IACC,MAAM,CAAC,WAAW;;MAA0B;CAC7C;;;;AAED,qBAAa,yBAA0B,SAAQ,8BAK9C;IACC,MAAM,CAAC,WAAW;;MAA0B;CAC7C;AAOD,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,KAAK,EAAE,CACd,KAAK,EAAE,eAAe,KACnB,MAAM,CAAC,MAAM,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IACtD,QAAQ,CAAC,KAAK,EAAE,CACd,KAAK,EAAE,eAAe,KACnB,MAAM,CAAC,MAAM,CAAC,gBAAgB,EAAE,eAAe,GAAG,cAAc,CAAC,CAAC;IACvE,QAAQ,CAAC,QAAQ,EAAE,CACjB,KAAK,EAAE,kBAAkB,KACtB,MAAM,CAAC,MAAM,CAChB,mBAAmB,EACnB,kBAAkB,GAAG,yBAAyB,GAAG,cAAc,CAChE,CAAC;IACF;0EACsE;IACtE,QAAQ,CAAC,MAAM,EAAE,CACf,SAAS,EAAE,MAAM,EACjB,UAAU,CAAC,EAAE,MAAM,KAChB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;CAC1C;AAOD,eAAO,MAAM,qBAAqB,QAAiB,CAAC;AAIpD,OAAO,EAAE,YAAY,EAAE,CAAC"}
|