@frontmcp/auth 0.9.0 → 0.11.0

package/jwks/jwks.service.d.ts

@@ -2,6 +2,7 @@ import { JSONWebKeySet } from 'jose';
 import { JwksServiceOptions, ProviderVerifyRef, VerifyResult } from './jwks.types';
 export declare class JwksService {
     private readonly opts;
+    private readonly logger;
     private warnedProviders;
     private orchestratorKey;
     private providerJwks;

package/jwks/jwks.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwks.service.d.ts","sourceRoot":"","sources":["../../src/jwks/jwks.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAuD,aAAa,EAAO,MAAM,MAAM,CAAC;AAE/F,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAWnF,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAEnB;IAEF,OAAO,CAAC,eAAe,CAAqB;IAG5C,OAAO,CAAC,eAAe,CAKrB;IAGF,OAAO,CAAC,YAAY,CAAiE;IAGrF,OAAO,CAAC,cAAc,CAAS;IAE/B,OAAO,CAAC,cAAc,CAA4B;IAElD,OAAO,CAAC,cAAc,CAAC,CAAiB;gBAE5B,IAAI,CAAC,EAAE,kBAAkB;IAcrC;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAM/B;;;OAGG;YACW,iBAAiB;IAc/B,mFAAmF;IAC7E,aAAa,IAAI,OAAO,CAAC,aAAa,CAAC;IAQ7C,uEAAuE;IACjE,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAsCtF;;;OAGG;IACG,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,iBAAiB,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAqDnG;;OAEG;IACH,OAAO,CAAC,cAAc;IAatB;;;OAGG;YACW,iBAAiB;IA4E/B;;OAEG;IACH,OAAO,CAAC,eAAe;IAqBvB,kEAAkE;IAClE,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa;IAIvD;;;;;;OAMG;IACG,kBAAkB,CAAC,GAAG,EAAE,iBAAiB,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAmCpF,yEAAyE;IACnE,mBAAmB,IAAI,OAAO,CAAC,aAAa,CAAC;IAKnD,wEAAwE;IAClE,yBAAyB,IAAI,OAAO,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,OAAO,aAAa,EAAE,SAAS,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;YAShG,YAAY;YAaZ,cAAc;YAQd,SAAS;YAgBT,qBAAqB;YAyBrB,yBAAyB;IA0DvC,OAAO,CAAC,WAAW;CAgBpB"}
+{"version":3,"file":"jwks.service.d.ts","sourceRoot":"","sources":["../../src/jwks/jwks.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAuD,aAAa,EAAO,MAAM,MAAM,CAAC;AAE/F,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAanF,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAEnB;IAEF,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;IACpC,OAAO,CAAC,eAAe,CAAqB;IAG5C,OAAO,CAAC,eAAe,CAKrB;IAGF,OAAO,CAAC,YAAY,CAAiE;IAGrF,OAAO,CAAC,cAAc,CAAS;IAE/B,OAAO,CAAC,cAAc,CAA4B;IAElD,OAAO,CAAC,cAAc,CAAC,CAAiB;gBAE5B,IAAI,CAAC,EAAE,kBAAkB;IAerC;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAM/B;;;OAGG;YACW,iBAAiB;IAc/B,mFAAmF;IAC7E,aAAa,IAAI,OAAO,CAAC,aAAa,CAAC;IAQ7C,uEAAuE;IACjE,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAsCtF;;;OAGG;IACG,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,iBAAiB,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAqDnG;;OAEG;IACH,OAAO,CAAC,cAAc;IAatB;;;OAGG;YACW,iBAAiB;IA4E/B;;OAEG;IACH,OAAO,CAAC,eAAe;IAqBvB,kEAAkE;IAClE,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa;IAIvD;;;;;;OAMG;IACG,kBAAkB,CAAC,GAAG,EAAE,iBAAiB,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAmCpF,yEAAyE;IACnE,mBAAmB,IAAI,OAAO,CAAC,aAAa,CAAC;IAKnD,wEAAwE;IAClE,yBAAyB,IAAI,OAAO,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,OAAO,aAAa,EAAE,SAAS,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;YAShG,YAAY;YAaZ,cAAc;YAQd,SAAS;YAgBT,qBAAqB;YAyBrB,yBAAyB;IA+DvC,OAAO,CAAC,WAAW;CAgBpB"}

package/jwks/jwks.types.d.ts

@@ -1,5 +1,6 @@
 import { JSONWebKeySet } from 'jose';
 import { DevKeyPersistenceOptions } from './dev-key-persistence';
+import type { AuthLogger } from '../common/auth-logger.interface';
 export type JwksServiceOptions = {
     orchestratorAlg?: 'RS256' | 'ES256';
     rotateDays?: number;
@@ -12,6 +13,8 @@ export type JwksServiceOptions = {
      * When enabled, keys are saved to a file and reloaded on server restart.
      */
     devKeyPersistence?: DevKeyPersistenceOptions;
+    /** Optional logger. If not provided, logging is disabled. */
+    logger?: AuthLogger;
 };
 export type { DevKeyPersistenceOptions };
 /** Rich descriptor used by verification & fetching */

package/jwks/jwks.types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwks.types.d.ts","sourceRoot":"","sources":["../../src/jwks/jwks.types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAC;AAEjE,MAAM,MAAM,kBAAkB,GAAG;IAC/B,eAAe,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+EAA+E;IAC/E,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kEAAkE;IAClE,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,wBAAwB,CAAC;CAC9C,CAAC;AAEF,YAAY,EAAE,wBAAwB,EAAE,CAAC;AAEzC,sDAAsD;AACtD,MAAM,MAAM,iBAAiB,GAAG;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,aAAa,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC"}
+{"version":3,"file":"jwks.types.d.ts","sourceRoot":"","sources":["../../src/jwks/jwks.types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAC;AACjE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAElE,MAAM,MAAM,kBAAkB,GAAG;IAC/B,eAAe,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+EAA+E;IAC/E,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kEAAkE;IAClE,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,wBAAwB,CAAC;IAC7C,6DAA6D;IAC7D,MAAM,CAAC,EAAE,UAAU,CAAC;CACrB,CAAC;AAEF,YAAY,EAAE,wBAAwB,EAAE,CAAC;AAEzC,sDAAsD;AACtD,MAAM,MAAM,iBAAiB,GAAG;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,aAAa,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC"}

package/machine-id/index.d.ts

@@ -0,0 +1,2 @@
+export { getMachineId, setMachineIdOverride } from './machine-id';
+//# sourceMappingURL=index.d.ts.map

package/machine-id/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/machine-id/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC"}

package/machine-id/machine-id.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Machine ID Utility
+ *
+ * Single source of truth for the machine ID used across session management.
+ *
+ * Configuration Priority:
+ * 1. MACHINE_ID environment variable (highest priority, recommended for production)
+ * 2. File persistence in dev mode (.frontmcp/machine-id)
+ * 3. Random UUID (ephemeral, invalidates sessions on restart)
+ *
+ * For distributed deployments with Redis session storage, set MACHINE_ID
+ * to the same value across all instances to allow session portability,
+ * or use unique values per instance to enforce session affinity.
+ */
+/**
+ * Get the current machine ID.
+ * Returns the override (if set via `setMachineIdOverride`) or the computed value.
+ */
+export declare function getMachineId(): string;
+/**
+ * Set a process-wide machine ID override.
+ * Pass `undefined` to clear the override and revert to the computed value.
+ *
+ * This is used by `create()` to inject a stable machine ID for session continuity,
+ * especially when using Redis-backed sessions across process restarts.
+ */
+export declare function setMachineIdOverride(id: string | undefined): void;
+//# sourceMappingURL=machine-id.d.ts.map

package/machine-id/machine-id.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"machine-id.d.ts","sourceRoot":"","sources":["../../src/machine-id/machine-id.ts"],"names":[],"mappings":"AACA;;;;;;;;;;;;;GAaG;AA+GH;;;GAGG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAEjE"}

package/options/app-auth.schema.d.ts

@@ -0,0 +1,272 @@
+import { z } from 'zod';
+export declare const appAuthOptionsSchema: z.ZodUnion<readonly [z.ZodObject<{
+    mode: z.ZodLiteral<"public">;
+    issuer: z.ZodOptional<z.ZodString>;
+    sessionTtl: z.ZodDefault<z.ZodNumber>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    jwks: z.ZodOptional<z.ZodObject<{
+        keys: z.ZodArray<z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>>;
+    }, z.core.$strip>>;
+    signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+    standalone: z.ZodOptional<z.ZodBoolean>;
+    excludeFromParent: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>, z.ZodObject<{
+    mode: z.ZodLiteral<"transparent">;
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    requiredScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    allowAnonymous: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    standalone: z.ZodOptional<z.ZodBoolean>;
+    excludeFromParent: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>, z.ZodObject<{
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+            defaultTtlMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    federatedAuth: z.ZodOptional<z.ZodObject<{
+        stateValidation: z.ZodDefault<z.ZodEnum<{
+            format: "format";
+            strict: "strict";
+        }>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    cimd: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        cache: z.ZodOptional<z.ZodObject<{
+            type: z.ZodDefault<z.ZodEnum<{
+                memory: "memory";
+                redis: "redis";
+            }>>;
+            defaultTtlMs: z.ZodDefault<z.ZodNumber>;
+            maxTtlMs: z.ZodDefault<z.ZodNumber>;
+            minTtlMs: z.ZodDefault<z.ZodNumber>;
+            redis: z.ZodOptional<z.ZodObject<{
+                url: z.ZodOptional<z.ZodString>;
+                host: z.ZodOptional<z.ZodString>;
+                port: z.ZodOptional<z.ZodNumber>;
+                password: z.ZodOptional<z.ZodString>;
+                db: z.ZodOptional<z.ZodNumber>;
+                tls: z.ZodOptional<z.ZodBoolean>;
+                keyPrefix: z.ZodDefault<z.ZodString>;
+            }, z.core.$strip>>;
+        }, z.core.$strip>>;
+        security: z.ZodOptional<z.ZodObject<{
+            blockPrivateIPs: z.ZodDefault<z.ZodBoolean>;
+            allowedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            blockedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            warnOnLocalhostRedirects: z.ZodDefault<z.ZodBoolean>;
+            allowInsecureForTesting: z.ZodDefault<z.ZodBoolean>;
+        }, z.core.$strip>>;
+        network: z.ZodOptional<z.ZodObject<{
+            timeoutMs: z.ZodDefault<z.ZodNumber>;
+            maxResponseSizeBytes: z.ZodDefault<z.ZodNumber>;
+            redirectPolicy: z.ZodDefault<z.ZodEnum<{
+                deny: "deny";
+                "same-origin": "same-origin";
+                allow: "allow";
+            }>>;
+            maxRedirects: z.ZodDefault<z.ZodNumber>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    mode: z.ZodLiteral<"orchestrated">;
+    type: z.ZodLiteral<"local">;
+    standalone: z.ZodOptional<z.ZodBoolean>;
+    excludeFromParent: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>, z.ZodObject<{
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+            defaultTtlMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    federatedAuth: z.ZodOptional<z.ZodObject<{
+        stateValidation: z.ZodDefault<z.ZodEnum<{
+            format: "format";
+            strict: "strict";
+        }>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    cimd: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        cache: z.ZodOptional<z.ZodObject<{
+            type: z.ZodDefault<z.ZodEnum<{
+                memory: "memory";
+                redis: "redis";
+            }>>;
+            defaultTtlMs: z.ZodDefault<z.ZodNumber>;
+            maxTtlMs: z.ZodDefault<z.ZodNumber>;
+            minTtlMs: z.ZodDefault<z.ZodNumber>;
+            redis: z.ZodOptional<z.ZodObject<{
+                url: z.ZodOptional<z.ZodString>;
+                host: z.ZodOptional<z.ZodString>;
+                port: z.ZodOptional<z.ZodNumber>;
+                password: z.ZodOptional<z.ZodString>;
+                db: z.ZodOptional<z.ZodNumber>;
+                tls: z.ZodOptional<z.ZodBoolean>;
+                keyPrefix: z.ZodDefault<z.ZodString>;
+            }, z.core.$strip>>;
+        }, z.core.$strip>>;
+        security: z.ZodOptional<z.ZodObject<{
+            blockPrivateIPs: z.ZodDefault<z.ZodBoolean>;
+            allowedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            blockedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            warnOnLocalhostRedirects: z.ZodDefault<z.ZodBoolean>;
+            allowInsecureForTesting: z.ZodDefault<z.ZodBoolean>;
+        }, z.core.$strip>>;
+        network: z.ZodOptional<z.ZodObject<{
+            timeoutMs: z.ZodDefault<z.ZodNumber>;
+            maxResponseSizeBytes: z.ZodDefault<z.ZodNumber>;
+            redirectPolicy: z.ZodDefault<z.ZodEnum<{
+                deny: "deny";
+                "same-origin": "same-origin";
+                allow: "allow";
+            }>>;
+            maxRedirects: z.ZodDefault<z.ZodNumber>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    mode: z.ZodLiteral<"orchestrated">;
+    type: z.ZodLiteral<"remote">;
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    standalone: z.ZodOptional<z.ZodBoolean>;
+    excludeFromParent: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>]>;
+export type AppAuthOptions = z.infer<typeof appAuthOptionsSchema>;
+export type AppAuthOptionsInput = z.input<typeof appAuthOptionsSchema>;
+//# sourceMappingURL=app-auth.schema.d.ts.map

package/options/app-auth.schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app-auth.schema.d.ts","sourceRoot":"","sources":["../../src/options/app-auth.schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAoCxB,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;mBAK/B,CAAC;AAMH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC"}

package/options/index.d.ts

@@ -0,0 +1,15 @@
+export type { PublicAccessConfig, LocalSigningConfig, RemoteProviderConfig, TokenStorageConfig, TokenStorageMemory, TokenStorageRedis, TokenRefreshConfig, SkippedAppBehavior, ConsentConfig, FederatedAuthConfig, IncrementalAuthConfig, PublicAuthOptionsInterface, TransparentAuthOptionsInterface, OrchestratedLocalOptionsInterface, OrchestratedRemoteOptionsInterface, OrchestratedAuthOptionsInterface, AuthOptionsInterface, AuthMode, OrchestratedType, } from './interfaces';
+export { publicAccessConfigSchema, localSigningConfigSchema, remoteProviderConfigSchema, tokenStorageConfigSchema, tokenRefreshConfigSchema, skippedAppBehaviorSchema, consentConfigSchema, federatedAuthConfigSchema, incrementalAuthConfigSchema, } from './shared.schemas';
+export type { PublicAccessConfig as PublicAccessConfigZod, PublicAccessConfigInput, LocalSigningConfig as LocalSigningConfigZod, LocalSigningConfigInput, RemoteProviderConfig as RemoteProviderConfigZod, RemoteProviderConfigInput, TokenStorageConfig as TokenStorageConfigZod, TokenStorageConfigInput, TokenRefreshConfig as TokenRefreshConfigZod, TokenRefreshConfigInput, SkippedAppBehavior as SkippedAppBehaviorZod, ConsentConfig as ConsentConfigZod, ConsentConfigInput, FederatedAuthConfig as FederatedAuthConfigZod, FederatedAuthConfigInput, IncrementalAuthConfig as IncrementalAuthConfigZod, IncrementalAuthConfigInput, RedisConfig, } from './shared.schemas';
+export { publicAuthOptionsSchema } from './public.schema';
+export type { PublicAuthOptions, PublicAuthOptionsInput } from './public.schema';
+export { transparentAuthOptionsSchema } from './transparent.schema';
+export type { TransparentAuthOptions, TransparentAuthOptionsInput } from './transparent.schema';
+export { orchestratedLocalSchema, orchestratedRemoteSchema, orchestratedAuthOptionsSchema, } from './orchestrated.schema';
+export type { OrchestratedLocalOptions, OrchestratedLocalOptionsInput, OrchestratedRemoteOptions, OrchestratedRemoteOptionsInput, OrchestratedAuthOptions, OrchestratedAuthOptionsInput, OrchestratedType as OrchestratedTypeZod, } from './orchestrated.schema';
+export { authOptionsSchema } from './schema';
+export type { AuthOptions, AuthOptionsInput, AuthMode as AuthModeZod } from './schema';
+export { appAuthOptionsSchema } from './app-auth.schema';
+export type { AppAuthOptions, AppAuthOptionsInput } from './app-auth.schema';
+export { parseAuthOptions, isPublicMode, isTransparentMode, isOrchestratedMode, isOrchestratedLocal, isOrchestratedRemote, allowsPublicAccess, } from './utils';
+//# sourceMappingURL=index.d.ts.map

package/options/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/options/index.ts"],"names":[],"mappings":"AAMA,YAAY,EACV,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,aAAa,EACb,mBAAmB,EACnB,qBAAqB,EACrB,0BAA0B,EAC1B,+BAA+B,EAC/B,iCAAiC,EACjC,kCAAkC,EAClC,gCAAgC,EAChC,oBAAoB,EACpB,QAAQ,EACR,gBAAgB,GACjB,MAAM,cAAc,CAAC;AAKtB,OAAO,EACL,wBAAwB,EACxB,wBAAwB,EACxB,0BAA0B,EAC1B,wBAAwB,EACxB,wBAAwB,EACxB,wBAAwB,EACxB,mBAAmB,EACnB,yBAAyB,EACzB,2BAA2B,GAC5B,MAAM,kBAAkB,CAAC;AAE1B,YAAY,EACV,kBAAkB,IAAI,qBAAqB,EAC3C,uBAAuB,EACvB,kBAAkB,IAAI,qBAAqB,EAC3C,uBAAuB,EACvB,oBAAoB,IAAI,uBAAuB,EAC/C,yBAAyB,EACzB,kBAAkB,IAAI,qBAAqB,EAC3C,uBAAuB,EACvB,kBAAkB,IAAI,qBAAqB,EAC3C,uBAAuB,EACvB,kBAAkB,IAAI,qBAAqB,EAC3C,aAAa,IAAI,gBAAgB,EACjC,kBAAkB,EAClB,mBAAmB,IAAI,sBAAsB,EAC7C,wBAAwB,EACxB,qBAAqB,IAAI,wBAAwB,EACjD,0BAA0B,EAC1B,WAAW,GACZ,MAAM,kBAAkB,CAAC;AAK1B,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,YAAY,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAKjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,sBAAsB,CAAC;AACpE,YAAY,EAAE,sBAAsB,EAAE,2BAA2B,EAAE,MAAM,sBAAsB,CAAC;AAKhG,OAAO,EACL,uBAAuB,EACvB,wBAAwB,EACxB,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EACV,wBAAwB,EACxB,6BAA6B,EAC7B,yBAAyB,EACzB,8BAA8B,EAC9B,uBAAuB,EACvB,4BAA4B,EAC5B,gBAAgB,IAAI,mBAAmB,GACxC,MAAM,uBAAuB,CAAC;AAK/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAC7C,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,QAAQ,IAAI,WAAW,EAAE,MAAM,UAAU,CAAC;AAKvF,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzD,YAAY,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAK7E,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,iBAAiB,EACjB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,SAAS,CAAC"}

package/options/interfaces.d.ts

@@ -0,0 +1,250 @@
+import { JSONWebKeySet, JWK } from '../common/jwt.types';
+import type { RedisConfig } from '../session/transport-session.types';
+/**
+ * Public access configuration for tools/prompts
+ */
+export interface PublicAccessConfig {
+    /**
+     * Allow all tools or explicit whitelist
+     * @default 'all'
+     */
+    tools?: 'all' | string[];
+    /**
+     * Allow all prompts or explicit whitelist
+     * @default 'all'
+     */
+    prompts?: 'all' | string[];
+    /**
+     * Rate limit per IP per minute
+     * @default 60
+     */
+    rateLimit?: number;
+}
+/**
+ * Local signing configuration (for orchestrated local type)
+ */
+export interface LocalSigningConfig {
+    /**
+     * Private key for signing orchestrated tokens
+     * @default auto-generated
+     */
+    signKey?: JWK | Uint8Array;
+    /**
+     * JWKS for token verification
+     * @default auto-generated
+     */
+    jwks?: JSONWebKeySet;
+    /**
+     * Issuer identifier for orchestrated tokens
+     * @default auto-derived from server URL
+     */
+    issuer?: string;
+}
+/**
+ * Remote OAuth provider configuration (for orchestrated remote and transparent)
+ */
+export interface RemoteProviderConfig {
+    /**
+     * OAuth provider base URL
+     * @example 'https://auth.example.com'
+     */
+    provider: string;
+    /** Provider display name */
+    name?: string;
+    /**
+     * Unique identifier for this provider
+     * @default derived from provider URL
+     */
+    id?: string;
+    /**
+     * Inline JWKS for offline token verification
+     * Falls back to fetching from provider's /.well-known/jwks.json
+     */
+    jwks?: JSONWebKeySet;
+    /** Custom JWKS URI if not at standard path */
+    jwksUri?: string;
+    /** Client ID for this MCP server (for orchestrated mode) */
+    clientId?: string;
+    /** Client secret (for confidential clients in orchestrated mode) */
+    clientSecret?: string;
+    /** Scopes to request from the upstream provider */
+    scopes?: string[];
+    /**
+     * Enable Dynamic Client Registration (DCR)
+     * @default false
+     */
+    dcrEnabled?: boolean;
+    /** Authorization endpoint override */
+    authEndpoint?: string;
+    /** Token endpoint override */
+    tokenEndpoint?: string;
+    /** Registration endpoint override (for DCR) */
+    registrationEndpoint?: string;
+    /** User info endpoint override */
+    userInfoEndpoint?: string;
+}
+/**
+ * Token storage - in-memory
+ */
+export interface TokenStorageMemory {
+    type: 'memory';
+}
+/**
+ * Token storage - Redis
+ */
+export interface TokenStorageRedis {
+    type: 'redis';
+    config: RedisConfig;
+}
+/**
+ * Token storage configuration for orchestrated mode
+ */
+export type TokenStorageConfig = TokenStorageMemory | TokenStorageRedis;
+/**
+ * Token refresh configuration
+ */
+export interface TokenRefreshConfig {
+    /**
+     * Enable automatic token refresh
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * Refresh token before expiry by this many seconds
+     * @default 60
+     */
+    skewSeconds?: number;
+}
+/**
+ * Behavior when a tool from a skipped (not yet authorized) app is called
+ */
+export type SkippedAppBehavior = 'anonymous' | 'require-auth';
+/**
+ * Consent configuration for tool selection
+ */
+export interface ConsentConfig {
+    /**
+     * Enable consent flow for tool selection
+     * @default false
+     */
+    enabled?: boolean;
+    /**
+     * Group tools by app in the consent UI
+     * @default true
+     */
+    groupByApp?: boolean;
+    /**
+     * Show tool descriptions in consent UI
+     * @default true
+     */
+    showDescriptions?: boolean;
+    /**
+     * Allow selecting all tools at once
+     * @default true
+     */
+    allowSelectAll?: boolean;
+    /**
+     * Require at least one tool to be selected
+     * @default true
+     */
+    requireSelection?: boolean;
+    /** Custom message to display on consent page */
+    customMessage?: string;
+    /**
+     * Remember consent for future sessions
+     * @default true
+     */
+    rememberConsent?: boolean;
+    /** Tools to exclude from consent (always available) */
+    excludedTools?: string[];
+    /** Tools to always include in consent (pre-selected) */
+    defaultSelectedTools?: string[];
+}
+/**
+ * Federated authentication configuration
+ */
+export interface FederatedAuthConfig {
+    /**
+     * How strictly to validate the OAuth state parameter on provider callbacks.
+     * - 'strict': Validates the full state parameter matches the session (recommended)
+     * - 'format': Only validates the state format is correct
+     */
+    stateValidation: 'strict' | 'format';
+}
+/**
+ * Progressive/Incremental authorization configuration
+ */
+export interface IncrementalAuthConfig {
+    /**
+     * Enable incremental (progressive) authorization
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * Behavior when a tool from a skipped app is called
+     * @default 'anonymous'
+     */
+    skippedAppBehavior?: SkippedAppBehavior;
+    /**
+     * Allow users to skip app authorization during initial auth flow
+     * @default true
+     */
+    allowSkip?: boolean;
+    /**
+     * Show all apps in a single authorization page (vs step-by-step)
+     * @default true
+     */
+    showAllAppsAtOnce?: boolean;
+}
+export interface PublicAuthOptionsInterface {
+    mode: 'public';
+    issuer?: string;
+    sessionTtl?: number;
+    anonymousScopes?: string[];
+    publicAccess?: PublicAccessConfig;
+    jwks?: JSONWebKeySet;
+    signKey?: JWK | Uint8Array;
+}
+export interface TransparentAuthOptionsInterface {
+    mode: 'transparent';
+    remote: RemoteProviderConfig;
+    expectedAudience?: string | string[];
+    requiredScopes?: string[];
+    allowAnonymous?: boolean;
+    anonymousScopes?: string[];
+    publicAccess?: PublicAccessConfig;
+}
+export interface OrchestratedLocalOptionsInterface {
+    mode: 'orchestrated';
+    type: 'local';
+    local?: LocalSigningConfig;
+    tokenStorage?: TokenStorageConfig;
+    allowDefaultPublic?: boolean;
+    anonymousScopes?: string[];
+    publicAccess?: PublicAccessConfig;
+    consent?: ConsentConfig;
+    federatedAuth?: FederatedAuthConfig;
+    refresh?: TokenRefreshConfig;
+    expectedAudience?: string | string[];
+    incrementalAuth?: IncrementalAuthConfig;
+}
+export interface OrchestratedRemoteOptionsInterface {
+    mode: 'orchestrated';
+    type: 'remote';
+    remote: RemoteProviderConfig;
+    local?: LocalSigningConfig;
+    tokenStorage?: TokenStorageConfig;
+    allowDefaultPublic?: boolean;
+    anonymousScopes?: string[];
+    publicAccess?: PublicAccessConfig;
+    consent?: ConsentConfig;
+    federatedAuth?: FederatedAuthConfig;
+    refresh?: TokenRefreshConfig;
+    expectedAudience?: string | string[];
+    incrementalAuth?: IncrementalAuthConfig;
+}
+export type AuthOptionsInterface = PublicAuthOptionsInterface | TransparentAuthOptionsInterface | OrchestratedLocalOptionsInterface | OrchestratedRemoteOptionsInterface;
+export type OrchestratedAuthOptionsInterface = OrchestratedLocalOptionsInterface | OrchestratedRemoteOptionsInterface;
+export type AuthMode = 'public' | 'transparent' | 'orchestrated';
+export type OrchestratedType = 'local' | 'remote';
+//# sourceMappingURL=interfaces.d.ts.map

package/options/interfaces.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interfaces.d.ts","sourceRoot":"","sources":["../../src/options/interfaces.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oCAAoC,CAAC;AAMtE;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,KAAK,CAAC,EAAE,KAAK,GAAG,MAAM,EAAE,CAAC;IAEzB;;;OAGG;IACH,OAAO,CAAC,EAAE,KAAK,GAAG,MAAM,EAAE,CAAC;IAE3B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,OAAO,CAAC,EAAE,GAAG,GAAG,UAAU,CAAC;IAE3B;;;OAGG;IACH,IAAI,CAAC,EAAE,aAAa,CAAC;IAErB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB,4BAA4B;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,EAAE,CAAC,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,IAAI,CAAC,EAAE,aAAa,CAAC;IAErB,8CAA8C;IAC9C,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,oEAAoE;IACpE,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB,sCAAsC;IACtC,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,8BAA8B;IAC9B,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,+CAA+C;IAC/C,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAE9B,kCAAkC;IAClC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,QAAQ,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,MAAM,EAAE,WAAW,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG,kBAAkB,GAAG,iBAAiB,CAAC;AAExE;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG,WAAW,GAAG,cAAc,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAE3B;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAE3B,gDAAgD;IAChD,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAE1B,uDAAuD;IACvD,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IAEzB,wDAAwD;IACxD,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,eAAe,EAAE,QAAQ,GAAG,QAAQ,CAAC;CACtC;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;OAGG;IACH,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IAExC;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;IAEpB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAMD,MAAM,WAAW,0BAA0B;IACzC,IAAI,EAAE,QAAQ,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,IAAI,CAAC,EAAE,aAAa,CAAC;IACrB,OAAO,CAAC,EAAE,GAAG,GAAG,UAAU,CAAC;CAC5B;AAED,MAAM,WAAW,+BAA+B;IAC9C,IAAI,EAAE,aAAa,CAAC;IACpB,MAAM,EAAE,oBAAoB,CAAC;IAC7B,gBAAgB,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACrC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,kBAAkB,CAAC;CACnC;AAED,MAAM,WAAW,iCAAiC;IAChD,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,CAAC,EAAE,kBAAkB,CAAC;IAC3B,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,aAAa,CAAC,EAAE,mBAAmB,CAAC;IACpC,OAAO,CAAC,EAAE,kBAAkB,CAAC;IAC7B,gBAAgB,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACrC,eAAe,CAAC,EAAE,qBAAqB,CAAC;CACzC;AAED,MAAM,WAAW,kCAAkC;IACjD,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,QAAQ,CAAC;IACf,MAAM,EAAE,oBAAoB,CAAC;IAC7B,KAAK,CAAC,EAAE,kBAAkB,CAAC;IAC3B,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,aAAa,CAAC,EAAE,mBAAmB,CAAC;IACpC,OAAO,CAAC,EAAE,kBAAkB,CAAC;IAC7B,gBAAgB,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACrC,eAAe,CAAC,EAAE,qBAAqB,CAAC;CACzC;AAMD,MAAM,MAAM,oBAAoB,GAC5B,0BAA0B,GAC1B,+BAA+B,GAC/B,iCAAiC,GACjC,kCAAkC,CAAC;AAEvC,MAAM,MAAM,gCAAgC,GAAG,iCAAiC,GAAG,kCAAkC,CAAC;AAEtH,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,aAAa,GAAG,cAAc,CAAC;AAEjE,MAAM,MAAM,gBAAgB,GAAG,OAAO,GAAG,QAAQ,CAAC"}