@frontmcp/sdk 0.4.0 → 0.5.0

package/src/auth/session/encrypted-authorization-vault.js

@@ -0,0 +1,493 @@
+"use strict";
+/**
+ * Encrypted Authorization Vault
+ *
+ * A vault implementation that encrypts all sensitive data using a key
+ * derived from the client's JWT authorization token.
+ *
+ * Security Properties:
+ * - Zero-knowledge storage: Server cannot decrypt credentials
+ * - Client-side key: Encryption key derived from JWT (client must present token)
+ * - Authenticated encryption: AES-256-GCM prevents tampering
+ * - Per-vault keys: Each vault has a unique encryption key
+ *
+ * Usage:
+ * ```typescript
+ * const vault = new EncryptedRedisVault(redis, encryption);
+ *
+ * // On each request, derive key from JWT and set context
+ * const key = encryption.deriveKeyFromToken(token, claims);
+ * vault.setEncryptionKey(key);
+ *
+ * // Now all operations automatically encrypt/decrypt
+ * await vault.addAppCredential(vaultId, credential);
+ * ```
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EncryptedRedisVault = exports.redisVaultEntrySchema = void 0;
+exports.createEncryptedVault = createEncryptedVault;
+const zod_1 = require("zod");
+const node_crypto_1 = require("node:crypto");
+const node_async_hooks_1 = require("node:async_hooks");
+const vault_encryption_1 = require("./vault-encryption");
+// ============================================
+// Encrypted Vault Entry Schema
+// ============================================
+/**
+ * What we store in Redis - minimal metadata + encrypted blob
+ */
+exports.redisVaultEntrySchema = zod_1.z.object({
+    /** Vault ID */
+    id: zod_1.z.string(),
+    /** User sub (for lookup) */
+    userSub: zod_1.z.string(),
+    /** User email (optional, for display) */
+    userEmail: zod_1.z.string().optional(),
+    /** User name (optional, for display) */
+    userName: zod_1.z.string().optional(),
+    /** Client ID */
+    clientId: zod_1.z.string(),
+    /** Creation timestamp */
+    createdAt: zod_1.z.number(),
+    /** Last access timestamp */
+    lastAccessAt: zod_1.z.number(),
+    /** Authorized app IDs (unencrypted for quick auth checks) */
+    authorizedAppIds: zod_1.z.array(zod_1.z.string()),
+    /** Skipped app IDs (unencrypted for quick checks) */
+    skippedAppIds: zod_1.z.array(zod_1.z.string()),
+    /** Pending auth request IDs (unencrypted for lookup) */
+    pendingAuthIds: zod_1.z.array(zod_1.z.string()),
+    /** Encrypted sensitive data blob */
+    encrypted: vault_encryption_1.encryptedDataSchema,
+});
+/**
+ * Module-level AsyncLocalStorage for request-scoped encryption context.
+ * This ensures concurrent requests don't interfere with each other's encryption keys.
+ */
+const encryptionContextStorage = new node_async_hooks_1.AsyncLocalStorage();
+// ============================================
+// Encrypted Redis Vault Implementation
+// ============================================
+/**
+ * Redis vault with client-side encryption
+ *
+ * All sensitive data (tokens, credentials, consent, pending auths)
+ * is encrypted using a key derived from the client's JWT.
+ *
+ * Use `runWithContext()` to set encryption context for concurrent safety.
+ */
+class EncryptedRedisVault {
+    redis;
+    encryption;
+    namespace;
+    constructor(
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    redis, encryption, namespace = 'vault:') {
+        this.redis = redis;
+        this.encryption = encryption;
+        this.namespace = namespace;
+    }
+    /**
+     * Run a callback with encryption context set for the current async scope.
+     * This is the recommended way to set encryption context as it is safe for
+     * concurrent requests (each request gets its own isolated context).
+     *
+     * @param context - Encryption context with key and vaultId
+     * @param fn - Async function to run with the context
+     * @returns The result of the callback
+     *
+     * @example
+     * ```typescript
+     * const result = await vault.runWithContext({ key, vaultId }, async () => {
+     *   await vault.get(id);
+     *   await vault.update(id, data);
+     *   return 'done';
+     * });
+     * ```
+     */
+    runWithContext(context, fn) {
+        return encryptionContextStorage.run(context, fn);
+    }
+    /**
+     * Get current encryption key from AsyncLocalStorage.
+     */
+    getKey() {
+        const asyncContext = encryptionContextStorage.getStore();
+        if (asyncContext) {
+            return asyncContext.key;
+        }
+        throw new Error('Encryption context not set. Use runWithContext() before performing vault operations.');
+    }
+    /**
+     * Create Redis key from vault ID
+     */
+    redisKey(id) {
+        return `${this.namespace}${id}`;
+    }
+    /**
+     * Create credential key from appId and providerId
+     */
+    credentialKey(appId, providerId) {
+        return `${appId}:${providerId}`;
+    }
+    /**
+     * Encrypt sensitive data
+     */
+    encryptSensitive(data) {
+        return this.encryption.encryptObject(data, this.getKey());
+    }
+    /**
+     * Decrypt sensitive data
+     */
+    decryptSensitive(encrypted) {
+        return this.encryption.decryptObject(encrypted, this.getKey());
+    }
+    /**
+     * Convert Redis entry to full vault entry (decrypts sensitive data)
+     */
+    toVaultEntry(redisEntry) {
+        const sensitive = this.decryptSensitive(redisEntry.encrypted);
+        return {
+            id: redisEntry.id,
+            userSub: redisEntry.userSub,
+            userEmail: redisEntry.userEmail,
+            userName: redisEntry.userName,
+            clientId: redisEntry.clientId,
+            createdAt: redisEntry.createdAt,
+            lastAccessAt: redisEntry.lastAccessAt,
+            appCredentials: sensitive.appCredentials,
+            consent: sensitive.consent,
+            federated: sensitive.federated,
+            pendingAuths: sensitive.pendingAuths,
+            authorizedAppIds: redisEntry.authorizedAppIds,
+            skippedAppIds: redisEntry.skippedAppIds,
+        };
+    }
+    /**
+     * Convert vault entry to Redis entry (encrypts sensitive data)
+     */
+    toRedisEntry(entry) {
+        const sensitive = {
+            appCredentials: entry.appCredentials,
+            consent: entry.consent,
+            federated: entry.federated,
+            pendingAuths: entry.pendingAuths,
+        };
+        return {
+            id: entry.id,
+            userSub: entry.userSub,
+            userEmail: entry.userEmail,
+            userName: entry.userName,
+            clientId: entry.clientId,
+            createdAt: entry.createdAt,
+            lastAccessAt: entry.lastAccessAt,
+            authorizedAppIds: entry.authorizedAppIds,
+            skippedAppIds: entry.skippedAppIds,
+            pendingAuthIds: entry.pendingAuths.map((p) => p.id),
+            encrypted: this.encryptSensitive(sensitive),
+        };
+    }
+    /**
+     * Save entry to Redis
+     */
+    async saveEntry(entry) {
+        const redisEntry = this.toRedisEntry(entry);
+        await this.redis.set(this.redisKey(entry.id), JSON.stringify(redisEntry));
+    }
+    /**
+     * Load entry from Redis
+     */
+    async loadEntry(id) {
+        const data = await this.redis.get(this.redisKey(id));
+        if (!data)
+            return null;
+        try {
+            const redisEntry = exports.redisVaultEntrySchema.parse(JSON.parse(data));
+            return this.toVaultEntry(redisEntry);
+        }
+        catch (error) {
+            // Could be decryption failure (wrong key) or corrupt data
+            throw new Error(`Failed to load vault ${id}: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        }
+    }
+    // ============================================
+    // AuthorizationVault Interface Implementation
+    // ============================================
+    async create(params) {
+        const now = Date.now();
+        const entry = {
+            id: (0, node_crypto_1.randomUUID)(),
+            userSub: params.userSub,
+            userEmail: params.userEmail,
+            userName: params.userName,
+            clientId: params.clientId,
+            createdAt: now,
+            lastAccessAt: now,
+            appCredentials: {},
+            consent: params.consent,
+            federated: params.federated,
+            pendingAuths: [],
+            authorizedAppIds: params.authorizedAppIds ?? [],
+            skippedAppIds: params.skippedAppIds ?? [],
+        };
+        await this.saveEntry(entry);
+        return entry;
+    }
+    async get(id) {
+        const entry = await this.loadEntry(id);
+        if (!entry)
+            return null;
+        // Update last access time
+        entry.lastAccessAt = Date.now();
+        await this.saveEntry(entry);
+        return entry;
+    }
+    async update(id, updates) {
+        const entry = await this.loadEntry(id);
+        if (!entry) {
+            throw new Error(`Vault entry not found: ${id}`);
+        }
+        Object.assign(entry, updates, { lastAccessAt: Date.now() });
+        await this.saveEntry(entry);
+    }
+    async delete(id) {
+        await this.redis.del(this.redisKey(id));
+    }
+    async updateConsent(vaultId, consent) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return;
+        entry.consent = consent;
+        entry.lastAccessAt = Date.now();
+        await this.saveEntry(entry);
+    }
+    async authorizeApp(vaultId, appId) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return;
+        entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== appId);
+        if (!entry.authorizedAppIds.includes(appId)) {
+            entry.authorizedAppIds.push(appId);
+        }
+        entry.lastAccessAt = Date.now();
+        await this.saveEntry(entry);
+    }
+    async createPendingAuth(vaultId, params) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry) {
+            throw new Error(`Vault not found: ${vaultId}`);
+        }
+        const now = Date.now();
+        const pendingAuth = {
+            id: (0, node_crypto_1.randomUUID)(),
+            appId: params.appId,
+            toolId: params.toolId,
+            authUrl: params.authUrl,
+            requiredScopes: params.requiredScopes,
+            elicitId: params.elicitId,
+            createdAt: now,
+            expiresAt: now + (params.ttlMs ?? 10 * 60 * 1000),
+            status: 'pending',
+        };
+        entry.pendingAuths.push(pendingAuth);
+        entry.lastAccessAt = now;
+        await this.saveEntry(entry);
+        return pendingAuth;
+    }
+    async getPendingAuth(vaultId, pendingAuthId) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return null;
+        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+        if (!pendingAuth)
+            return null;
+        if (Date.now() > pendingAuth.expiresAt && pendingAuth.status === 'pending') {
+            pendingAuth.status = 'expired';
+            await this.saveEntry(entry);
+        }
+        return pendingAuth;
+    }
+    async completePendingAuth(vaultId, pendingAuthId) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return;
+        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+        if (pendingAuth) {
+            pendingAuth.status = 'completed';
+            // Authorize app inline (don't call authorizeApp which reloads entry)
+            entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== pendingAuth.appId);
+            if (!entry.authorizedAppIds.includes(pendingAuth.appId)) {
+                entry.authorizedAppIds.push(pendingAuth.appId);
+            }
+            entry.lastAccessAt = Date.now();
+            await this.saveEntry(entry);
+        }
+    }
+    async cancelPendingAuth(vaultId, pendingAuthId) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return;
+        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+        if (pendingAuth) {
+            pendingAuth.status = 'cancelled';
+            await this.saveEntry(entry);
+        }
+    }
+    async isAppAuthorized(vaultId, appId) {
+        // Quick check without decryption - authorizedAppIds is unencrypted
+        const data = await this.redis.get(this.redisKey(vaultId));
+        if (!data)
+            return false;
+        try {
+            const parsed = JSON.parse(data);
+            return Array.isArray(parsed.authorizedAppIds) && parsed.authorizedAppIds.includes(appId);
+        }
+        catch {
+            return false;
+        }
+    }
+    async getPendingAuths(vaultId) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return [];
+        const now = Date.now();
+        let updated = false;
+        const pending = entry.pendingAuths.filter((p) => {
+            if (now > p.expiresAt && p.status === 'pending') {
+                p.status = 'expired';
+                updated = true;
+            }
+            return p.status === 'pending';
+        });
+        if (updated) {
+            await this.saveEntry(entry);
+        }
+        return pending;
+    }
+    // ============================================
+    // App Credential Methods
+    // ============================================
+    async addAppCredential(vaultId, credential) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return;
+        const shouldStore = await this.shouldStoreCredential(vaultId, credential.appId);
+        if (!shouldStore)
+            return;
+        const key = this.credentialKey(credential.appId, credential.providerId);
+        entry.appCredentials[key] = credential;
+        entry.lastAccessAt = Date.now();
+        await this.saveEntry(entry);
+    }
+    async removeAppCredential(vaultId, appId, providerId) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return;
+        const key = this.credentialKey(appId, providerId);
+        delete entry.appCredentials[key];
+        entry.lastAccessAt = Date.now();
+        await this.saveEntry(entry);
+    }
+    async getAppCredentials(vaultId, appId) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return [];
+        const prefix = `${appId}:`;
+        return Object.entries(entry.appCredentials)
+            .filter(([key]) => key.startsWith(prefix))
+            .map(([, cred]) => cred);
+    }
+    async getCredential(vaultId, appId, providerId) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return null;
+        const key = this.credentialKey(appId, providerId);
+        return entry.appCredentials[key] ?? null;
+    }
+    async getAllCredentials(vaultId, filterByConsent = false) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return [];
+        const allCredentials = Object.values(entry.appCredentials);
+        if (!filterByConsent || !entry.consent?.enabled) {
+            return allCredentials;
+        }
+        const consentedToolIds = new Set(entry.consent.selectedToolIds);
+        return allCredentials.filter((cred) => {
+            return Array.from(consentedToolIds).some((toolId) => toolId.startsWith(`${cred.appId}:`));
+        });
+    }
+    async updateCredential(vaultId, appId, providerId, updates) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return;
+        const key = this.credentialKey(appId, providerId);
+        const credential = entry.appCredentials[key];
+        if (!credential)
+            return;
+        Object.assign(credential, updates);
+        entry.lastAccessAt = Date.now();
+        await this.saveEntry(entry);
+    }
+    async shouldStoreCredential(vaultId, appId, toolIds) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return false;
+        if (!entry.consent?.enabled) {
+            return true;
+        }
+        if (toolIds && toolIds.length > 0) {
+            return toolIds.some((toolId) => entry.consent.selectedToolIds.includes(toolId));
+        }
+        const consentedToolIds = entry.consent.selectedToolIds;
+        return consentedToolIds.some((toolId) => toolId.startsWith(`${appId}:`));
+    }
+    async invalidateCredential(vaultId, appId, providerId, reason) {
+        await this.updateCredential(vaultId, appId, providerId, {
+            isValid: false,
+            invalidReason: reason,
+        });
+    }
+    async refreshOAuthCredential(vaultId, appId, providerId, tokens) {
+        const entry = await this.loadEntry(vaultId);
+        if (!entry)
+            return;
+        const key = this.credentialKey(appId, providerId);
+        const credential = entry.appCredentials[key];
+        if (!credential || credential.credential.type !== 'oauth')
+            return;
+        // Update OAuth tokens
+        credential.credential.accessToken = tokens.accessToken;
+        if (tokens.refreshToken !== undefined) {
+            credential.credential.refreshToken = tokens.refreshToken;
+        }
+        if (tokens.expiresAt !== undefined) {
+            credential.credential.expiresAt = tokens.expiresAt;
+            credential.expiresAt = tokens.expiresAt;
+        }
+        credential.isValid = true;
+        credential.invalidReason = undefined;
+        entry.lastAccessAt = Date.now();
+        await this.saveEntry(entry);
+    }
+    async cleanup() {
+        // Redis cleanup would use SCAN to find and clean entries
+        // For encrypted vault, this needs careful handling
+        // as we can't read data without the encryption key
+    }
+}
+exports.EncryptedRedisVault = EncryptedRedisVault;
+// ============================================
+// Factory Function
+// ============================================
+/**
+ * Create an encrypted vault with the given configuration
+ */
+function createEncryptedVault(
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+redis, config = {}) {
+    const encryption = new vault_encryption_1.VaultEncryption({ pepper: config.pepper });
+    const vault = new EncryptedRedisVault(redis, encryption, config.namespace);
+    return { vault, encryption };
+}
+//# sourceMappingURL=encrypted-authorization-vault.js.map

package/src/auth/session/encrypted-authorization-vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-authorization-vault.js","sourceRoot":"","sources":["../../../../src/auth/session/encrypted-authorization-vault.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;;AAujBH,oDAYC;AAjkBD,6BAAwB;AACxB,6CAAyC;AACzC,uDAAqD;AACrD,yDAA6G;AAW7G,+CAA+C;AAC/C,+BAA+B;AAC/B,+CAA+C;AAE/C;;GAEG;AACU,QAAA,qBAAqB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5C,eAAe;IACf,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,4BAA4B;IAC5B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;IACnB,yCAAyC;IACzC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,wCAAwC;IACxC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,gBAAgB;IAChB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,yBAAyB;IACzB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,4BAA4B;IAC5B,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;IACxB,6DAA6D;IAC7D,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACrC,qDAAqD;IACrD,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAClC,wDAAwD;IACxD,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACnC,oCAAoC;IACpC,SAAS,EAAE,sCAAmB;CAC/B,CAAC,CAAC;AAmBH;;;GAGG;AACH,MAAM,wBAAwB,GAAG,IAAI,oCAAiB,EAAqB,CAAC;AAE5E,+CAA+C;AAC/C,uCAAuC;AACvC,+CAA+C;AAE/C;;;;;;;GAOG;AACH,MAAa,mBAAmB;IAGX;IACA;IACA;IAJnB;IACE,8DAA8D;IAC7C,KAAU,EACV,UAA2B,EAC3B,YAAY,QAAQ;QAFpB,UAAK,GAAL,KAAK,CAAK;QACV,eAAU,GAAV,UAAU,CAAiB;QAC3B,cAAS,GAAT,SAAS,CAAW;IACpC,CAAC;IAEJ;;;;;;;;;;;;;;;;;OAiBG;IACH,cAAc,CAAI,OAA0B,EAAE,EAAwB;QACpE,OAAO,wBAAwB,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACnD,CAAC;IAED;;OAEG;IACK,MAAM;QACZ,MAAM,YAAY,GAAG,wBAAwB,CAAC,QAAQ,EAAE,CAAC;QACzD,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,GAAG,CAAC;QAC1B,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,sFAAsF,CAAC,CAAC;IAC1G,CAAC;IAED;;OAEG;IACK,QAAQ,CAAC,EAAU;QACzB,OAAO,GAAG,IAAI,CAAC,SAAS,GAAG,EAAE,EAAE,CAAC;IAClC,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,KAAa,EAAE,UAAkB;QACrD,OAAO,GAAG,KAAK,IAAI,UAAU,EAAE,CAAC;IAClC,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,IAAwB;QAC/C,OAAO,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,SAAwB;QAC/C,OAAO,IAAI,CAAC,UAAU,CAAC,aAAa,CAAqB,SAAS,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACrF,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,UAA2B;QAC9C,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAE9D,OAAO;YACL,EAAE,EAAE,UAAU,CAAC,EAAE;YACjB,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,SAAS,EAAE,UAAU,CAAC,SAAS;YAC/B,QAAQ,EAAE,UAAU,CAAC,QAAQ;YAC7B,QAAQ,EAAE,UAAU,CAAC,QAAQ;YAC7B,SAAS,EAAE,UAAU,CAAC,SAAS;YAC/B,YAAY,EAAE,UAAU,CAAC,YAAY;YACrC,cAAc,EAAE,SAAS,CAAC,cAA+C;YACzE,OAAO,EAAE,SAAS,CAAC,OAAyC;YAC5D,SAAS,EAAE,SAAS,CAAC,SAA6C;YAClE,YAAY,EAAE,SAAS,CAAC,YAAwC;YAChE,gBAAgB,EAAE,UAAU,CAAC,gBAAgB;YAC7C,aAAa,EAAE,UAAU,CAAC,aAAa;SACxC,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,KAA8B;QACjD,MAAM,SAAS,GAAuB;YACpC,cAAc,EAAE,KAAK,CAAC,cAAc;YACpC,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,YAAY,EAAE,KAAK,CAAC,YAAY;SACjC,CAAC;QAEF,OAAO;YACL,EAAE,EAAE,KAAK,CAAC,EAAE;YACZ,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;YACxC,aAAa,EAAE,KAAK,CAAC,aAAa;YAClC,cAAc,EAAE,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC;SAC5C,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,KAA8B;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAC5C,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;IAC5E,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,EAAU;QAChC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;QACrD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,6BAAqB,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;YACjE,OAAO,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,0DAA0D;YAC1D,MAAM,IAAI,KAAK,CAAC,wBAAwB,EAAE,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;QAC7G,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,8CAA8C;IAC9C,+CAA+C;IAE/C,KAAK,CAAC,MAAM,CAAC,MASZ;QACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAA4B;YACrC,EAAE,EAAE,IAAA,wBAAU,GAAE;YAChB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,YAAY,EAAE,GAAG;YACjB,cAAc,EAAE,EAAE;YAClB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,YAAY,EAAE,EAAE;YAChB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,EAAE;YAC/C,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;SAC1C,CAAC;QAEF,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,0BAA0B;QAC1B,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAE5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU,EAAE,OAAyC;QAChE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,0BAA0B,EAAE,EAAE,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC5D,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,OAA2B;QAC9D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,KAAK,CAAC,OAAO,GAAG,OAAO,CAAC;QACxB,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAe,EAAE,KAAa;QAC/C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,KAAK,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;QACvE,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5C,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrC,CAAC;QACD,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,OAAe,EACf,MAOC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAA2B;YAC1C,EAAE,EAAE,IAAA,wBAAU,GAAE;YAChB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;YACjD,MAAM,EAAE,SAAS;SAClB,CAAC;QAEF,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACrC,KAAK,CAAC,YAAY,GAAG,GAAG,CAAC;QACzB,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAE5B,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,OAAe,EAAE,aAAqB;QACzD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,SAAS,IAAI,WAAW,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC3E,WAAW,CAAC,MAAM,GAAG,SAAS,CAAC;YAC/B,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAe,EAAE,aAAqB;QAC9D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,MAAM,GAAG,WAAW,CAAC;YAEjC,qEAAqE;YACrE,KAAK,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,WAAW,CAAC,KAAK,CAAC,CAAC;YACnF,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxD,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YACjD,CAAC;YACD,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,aAAqB;QAC5D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,MAAM,GAAG,WAAW,CAAC;YACjC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,OAAe,EAAE,KAAa;QAClD,mEAAmE;QACnE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAExB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAChC,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC3F,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,OAAe;QACnC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,MAAM,OAAO,GAAG,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YAC9C,IAAI,GAAG,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAChD,CAAC,CAAC,MAAM,GAAG,SAAS,CAAC;gBACrB,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;YACD,OAAO,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,+CAA+C;IAC/C,yBAAyB;IACzB,+CAA+C;IAE/C,KAAK,CAAC,gBAAgB,CAAC,OAAe,EAAE,UAAyB;QAC/D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;QAChF,IAAI,CAAC,WAAW;YAAE,OAAO;QAEzB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,KAAK,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;QACxE,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC;QACvC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB;QAC1E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,OAAO,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACjC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,KAAa;QACpD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,MAAM,GAAG,GAAG,KAAK,GAAG,CAAC;QAC3B,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC;aACxC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;aACzC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB;QACpE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,OAAO,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,eAAe,GAAG,KAAK;QAC9D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QAE3D,IAAI,CAAC,eAAe,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YAChD,OAAO,cAAc,CAAC;QACxB,CAAC;QAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChE,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;YACpC,OAAO,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QAC5F,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,OAAe,EACf,KAAa,EACb,UAAkB,EAClB,OAA4G;QAE5G,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU;YAAE,OAAO;QAExB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACnC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,OAAe,EAAE,KAAa,EAAE,OAAkB;QAC5E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAEzB,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,OAAQ,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACnF,CAAC;QAED,MAAM,gBAAgB,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC;QACvD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC;IAC3E,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB,EAAE,MAAc;QAC3F,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE;YACtD,OAAO,EAAE,KAAK;YACd,aAAa,EAAE,MAAM;SACtB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,sBAAsB,CAC1B,OAAe,EACf,KAAa,EACb,UAAkB,EAClB,MAA0E;QAE1E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,KAAK,OAAO;YAAE,OAAO;QAElE,sBAAsB;QACtB,UAAU,CAAC,UAAU,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;QACvD,IAAI,MAAM,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YACtC,UAAU,CAAC,UAAU,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;QAC3D,CAAC;QACD,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,UAAU,CAAC,UAAU,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;YACnD,UAAU,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;QAC1C,CAAC;QAED,UAAU,CAAC,OAAO,GAAG,IAAI,CAAC;QAC1B,UAAU,CAAC,aAAa,GAAG,SAAS,CAAC;QACrC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,OAAO;QACX,yDAAyD;QACzD,mDAAmD;QACnD,mDAAmD;IACrD,CAAC;CACF;AA3dD,kDA2dC;AAED,+CAA+C;AAC/C,mBAAmB;AACnB,+CAA+C;AAE/C;;GAEG;AACH,SAAgB,oBAAoB;AAClC,8DAA8D;AAC9D,KAAU,EACV,SAGI,EAAE;IAEN,MAAM,UAAU,GAAG,IAAI,kCAAe,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAClE,MAAM,KAAK,GAAG,IAAI,mBAAmB,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IAE3E,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;AAC/B,CAAC","sourcesContent":["/**\n * Encrypted Authorization Vault\n *\n * A vault implementation that encrypts all sensitive data using a key\n * derived from the client's JWT authorization token.\n *\n * Security Properties:\n * - Zero-knowledge storage: Server cannot decrypt credentials\n * - Client-side key: Encryption key derived from JWT (client must present token)\n * - Authenticated encryption: AES-256-GCM prevents tampering\n * - Per-vault keys: Each vault has a unique encryption key\n *\n * Usage:\n * ```typescript\n * const vault = new EncryptedRedisVault(redis, encryption);\n *\n * // On each request, derive key from JWT and set context\n * const key = encryption.deriveKeyFromToken(token, claims);\n * vault.setEncryptionKey(key);\n *\n * // Now all operations automatically encrypt/decrypt\n * await vault.addAppCredential(vaultId, credential);\n * ```\n */\n\nimport { z } from 'zod';\nimport { randomUUID } from 'node:crypto';\nimport { AsyncLocalStorage } from 'node:async_hooks';\nimport { VaultEncryption, EncryptedData, VaultSensitiveData, encryptedDataSchema } from './vault-encryption';\nimport {\n  AuthorizationVault,\n  AuthorizationVaultEntry,\n  AppCredential,\n  VaultConsentRecord,\n  VaultFederatedRecord,\n  PendingIncrementalAuth,\n  authorizationVaultEntrySchema,\n} from './authorization-vault';\n\n// ============================================\n// Encrypted Vault Entry Schema\n// ============================================\n\n/**\n * What we store in Redis - minimal metadata + encrypted blob\n */\nexport const redisVaultEntrySchema = z.object({\n  /** Vault ID */\n  id: z.string(),\n  /** User sub (for lookup) */\n  userSub: z.string(),\n  /** User email (optional, for display) */\n  userEmail: z.string().optional(),\n  /** User name (optional, for display) */\n  userName: z.string().optional(),\n  /** Client ID */\n  clientId: z.string(),\n  /** Creation timestamp */\n  createdAt: z.number(),\n  /** Last access timestamp */\n  lastAccessAt: z.number(),\n  /** Authorized app IDs (unencrypted for quick auth checks) */\n  authorizedAppIds: z.array(z.string()),\n  /** Skipped app IDs (unencrypted for quick checks) */\n  skippedAppIds: z.array(z.string()),\n  /** Pending auth request IDs (unencrypted for lookup) */\n  pendingAuthIds: z.array(z.string()),\n  /** Encrypted sensitive data blob */\n  encrypted: encryptedDataSchema,\n});\n\nexport type RedisVaultEntry = z.infer<typeof redisVaultEntrySchema>;\n\n// ============================================\n// Encryption Context\n// ============================================\n\n/**\n * Encryption context for the current request\n * Must be set before performing vault operations\n */\nexport interface EncryptionContext {\n  /** Encryption key derived from JWT */\n  key: Buffer;\n  /** Vault ID (from JWT jti claim) */\n  vaultId: string;\n}\n\n/**\n * Module-level AsyncLocalStorage for request-scoped encryption context.\n * This ensures concurrent requests don't interfere with each other's encryption keys.\n */\nconst encryptionContextStorage = new AsyncLocalStorage<EncryptionContext>();\n\n// ============================================\n// Encrypted Redis Vault Implementation\n// ============================================\n\n/**\n * Redis vault with client-side encryption\n *\n * All sensitive data (tokens, credentials, consent, pending auths)\n * is encrypted using a key derived from the client's JWT.\n *\n * Use `runWithContext()` to set encryption context for concurrent safety.\n */\nexport class EncryptedRedisVault implements AuthorizationVault {\n  constructor(\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    private readonly redis: any,\n    private readonly encryption: VaultEncryption,\n    private readonly namespace = 'vault:',\n  ) {}\n\n  /**\n   * Run a callback with encryption context set for the current async scope.\n   * This is the recommended way to set encryption context as it is safe for\n   * concurrent requests (each request gets its own isolated context).\n   *\n   * @param context - Encryption context with key and vaultId\n   * @param fn - Async function to run with the context\n   * @returns The result of the callback\n   *\n   * @example\n   * ```typescript\n   * const result = await vault.runWithContext({ key, vaultId }, async () => {\n   *   await vault.get(id);\n   *   await vault.update(id, data);\n   *   return 'done';\n   * });\n   * ```\n   */\n  runWithContext<T>(context: EncryptionContext, fn: () => T | Promise<T>): T | Promise<T> {\n    return encryptionContextStorage.run(context, fn);\n  }\n\n  /**\n   * Get current encryption key from AsyncLocalStorage.\n   */\n  private getKey(): Buffer {\n    const asyncContext = encryptionContextStorage.getStore();\n    if (asyncContext) {\n      return asyncContext.key;\n    }\n\n    throw new Error('Encryption context not set. Use runWithContext() before performing vault operations.');\n  }\n\n  /**\n   * Create Redis key from vault ID\n   */\n  private redisKey(id: string): string {\n    return `${this.namespace}${id}`;\n  }\n\n  /**\n   * Create credential key from appId and providerId\n   */\n  private credentialKey(appId: string, providerId: string): string {\n    return `${appId}:${providerId}`;\n  }\n\n  /**\n   * Encrypt sensitive data\n   */\n  private encryptSensitive(data: VaultSensitiveData): EncryptedData {\n    return this.encryption.encryptObject(data, this.getKey());\n  }\n\n  /**\n   * Decrypt sensitive data\n   */\n  private decryptSensitive(encrypted: EncryptedData): VaultSensitiveData {\n    return this.encryption.decryptObject<VaultSensitiveData>(encrypted, this.getKey());\n  }\n\n  /**\n   * Convert Redis entry to full vault entry (decrypts sensitive data)\n   */\n  private toVaultEntry(redisEntry: RedisVaultEntry): AuthorizationVaultEntry {\n    const sensitive = this.decryptSensitive(redisEntry.encrypted);\n\n    return {\n      id: redisEntry.id,\n      userSub: redisEntry.userSub,\n      userEmail: redisEntry.userEmail,\n      userName: redisEntry.userName,\n      clientId: redisEntry.clientId,\n      createdAt: redisEntry.createdAt,\n      lastAccessAt: redisEntry.lastAccessAt,\n      appCredentials: sensitive.appCredentials as Record<string, AppCredential>,\n      consent: sensitive.consent as VaultConsentRecord | undefined,\n      federated: sensitive.federated as VaultFederatedRecord | undefined,\n      pendingAuths: sensitive.pendingAuths as PendingIncrementalAuth[],\n      authorizedAppIds: redisEntry.authorizedAppIds,\n      skippedAppIds: redisEntry.skippedAppIds,\n    };\n  }\n\n  /**\n   * Convert vault entry to Redis entry (encrypts sensitive data)\n   */\n  private toRedisEntry(entry: AuthorizationVaultEntry): RedisVaultEntry {\n    const sensitive: VaultSensitiveData = {\n      appCredentials: entry.appCredentials,\n      consent: entry.consent,\n      federated: entry.federated,\n      pendingAuths: entry.pendingAuths,\n    };\n\n    return {\n      id: entry.id,\n      userSub: entry.userSub,\n      userEmail: entry.userEmail,\n      userName: entry.userName,\n      clientId: entry.clientId,\n      createdAt: entry.createdAt,\n      lastAccessAt: entry.lastAccessAt,\n      authorizedAppIds: entry.authorizedAppIds,\n      skippedAppIds: entry.skippedAppIds,\n      pendingAuthIds: entry.pendingAuths.map((p) => p.id),\n      encrypted: this.encryptSensitive(sensitive),\n    };\n  }\n\n  /**\n   * Save entry to Redis\n   */\n  private async saveEntry(entry: AuthorizationVaultEntry): Promise<void> {\n    const redisEntry = this.toRedisEntry(entry);\n    await this.redis.set(this.redisKey(entry.id), JSON.stringify(redisEntry));\n  }\n\n  /**\n   * Load entry from Redis\n   */\n  private async loadEntry(id: string): Promise<AuthorizationVaultEntry | null> {\n    const data = await this.redis.get(this.redisKey(id));\n    if (!data) return null;\n\n    try {\n      const redisEntry = redisVaultEntrySchema.parse(JSON.parse(data));\n      return this.toVaultEntry(redisEntry);\n    } catch (error) {\n      // Could be decryption failure (wrong key) or corrupt data\n      throw new Error(`Failed to load vault ${id}: ${error instanceof Error ? error.message : 'Unknown error'}`);\n    }\n  }\n\n  // ============================================\n  // AuthorizationVault Interface Implementation\n  // ============================================\n\n  async create(params: {\n    userSub: string;\n    userEmail?: string;\n    userName?: string;\n    clientId: string;\n    consent?: VaultConsentRecord;\n    federated?: VaultFederatedRecord;\n    authorizedAppIds?: string[];\n    skippedAppIds?: string[];\n  }): Promise<AuthorizationVaultEntry> {\n    const now = Date.now();\n    const entry: AuthorizationVaultEntry = {\n      id: randomUUID(),\n      userSub: params.userSub,\n      userEmail: params.userEmail,\n      userName: params.userName,\n      clientId: params.clientId,\n      createdAt: now,\n      lastAccessAt: now,\n      appCredentials: {},\n      consent: params.consent,\n      federated: params.federated,\n      pendingAuths: [],\n      authorizedAppIds: params.authorizedAppIds ?? [],\n      skippedAppIds: params.skippedAppIds ?? [],\n    };\n\n    await this.saveEntry(entry);\n    return entry;\n  }\n\n  async get(id: string): Promise<AuthorizationVaultEntry | null> {\n    const entry = await this.loadEntry(id);\n    if (!entry) return null;\n\n    // Update last access time\n    entry.lastAccessAt = Date.now();\n    await this.saveEntry(entry);\n\n    return entry;\n  }\n\n  async update(id: string, updates: Partial<AuthorizationVaultEntry>): Promise<void> {\n    const entry = await this.loadEntry(id);\n    if (!entry) {\n      throw new Error(`Vault entry not found: ${id}`);\n    }\n\n    Object.assign(entry, updates, { lastAccessAt: Date.now() });\n    await this.saveEntry(entry);\n  }\n\n  async delete(id: string): Promise<void> {\n    await this.redis.del(this.redisKey(id));\n  }\n\n  async updateConsent(vaultId: string, consent: VaultConsentRecord): Promise<void> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return;\n\n    entry.consent = consent;\n    entry.lastAccessAt = Date.now();\n    await this.saveEntry(entry);\n  }\n\n  async authorizeApp(vaultId: string, appId: string): Promise<void> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return;\n\n    entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== appId);\n    if (!entry.authorizedAppIds.includes(appId)) {\n      entry.authorizedAppIds.push(appId);\n    }\n    entry.lastAccessAt = Date.now();\n    await this.saveEntry(entry);\n  }\n\n  async createPendingAuth(\n    vaultId: string,\n    params: {\n      appId: string;\n      toolId?: string;\n      authUrl: string;\n      requiredScopes?: string[];\n      elicitId?: string;\n      ttlMs?: number;\n    },\n  ): Promise<PendingIncrementalAuth> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) {\n      throw new Error(`Vault not found: ${vaultId}`);\n    }\n\n    const now = Date.now();\n    const pendingAuth: PendingIncrementalAuth = {\n      id: randomUUID(),\n      appId: params.appId,\n      toolId: params.toolId,\n      authUrl: params.authUrl,\n      requiredScopes: params.requiredScopes,\n      elicitId: params.elicitId,\n      createdAt: now,\n      expiresAt: now + (params.ttlMs ?? 10 * 60 * 1000),\n      status: 'pending',\n    };\n\n    entry.pendingAuths.push(pendingAuth);\n    entry.lastAccessAt = now;\n    await this.saveEntry(entry);\n\n    return pendingAuth;\n  }\n\n  async getPendingAuth(vaultId: string, pendingAuthId: string): Promise<PendingIncrementalAuth | null> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return null;\n\n    const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n    if (!pendingAuth) return null;\n\n    if (Date.now() > pendingAuth.expiresAt && pendingAuth.status === 'pending') {\n      pendingAuth.status = 'expired';\n      await this.saveEntry(entry);\n    }\n\n    return pendingAuth;\n  }\n\n  async completePendingAuth(vaultId: string, pendingAuthId: string): Promise<void> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return;\n\n    const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n    if (pendingAuth) {\n      pendingAuth.status = 'completed';\n\n      // Authorize app inline (don't call authorizeApp which reloads entry)\n      entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== pendingAuth.appId);\n      if (!entry.authorizedAppIds.includes(pendingAuth.appId)) {\n        entry.authorizedAppIds.push(pendingAuth.appId);\n      }\n      entry.lastAccessAt = Date.now();\n      await this.saveEntry(entry);\n    }\n  }\n\n  async cancelPendingAuth(vaultId: string, pendingAuthId: string): Promise<void> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return;\n\n    const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n    if (pendingAuth) {\n      pendingAuth.status = 'cancelled';\n      await this.saveEntry(entry);\n    }\n  }\n\n  async isAppAuthorized(vaultId: string, appId: string): Promise<boolean> {\n    // Quick check without decryption - authorizedAppIds is unencrypted\n    const data = await this.redis.get(this.redisKey(vaultId));\n    if (!data) return false;\n\n    try {\n      const parsed = JSON.parse(data);\n      return Array.isArray(parsed.authorizedAppIds) && parsed.authorizedAppIds.includes(appId);\n    } catch {\n      return false;\n    }\n  }\n\n  async getPendingAuths(vaultId: string): Promise<PendingIncrementalAuth[]> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return [];\n\n    const now = Date.now();\n    let updated = false;\n\n    const pending = entry.pendingAuths.filter((p) => {\n      if (now > p.expiresAt && p.status === 'pending') {\n        p.status = 'expired';\n        updated = true;\n      }\n      return p.status === 'pending';\n    });\n\n    if (updated) {\n      await this.saveEntry(entry);\n    }\n\n    return pending;\n  }\n\n  // ============================================\n  // App Credential Methods\n  // ============================================\n\n  async addAppCredential(vaultId: string, credential: AppCredential): Promise<void> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return;\n\n    const shouldStore = await this.shouldStoreCredential(vaultId, credential.appId);\n    if (!shouldStore) return;\n\n    const key = this.credentialKey(credential.appId, credential.providerId);\n    entry.appCredentials[key] = credential;\n    entry.lastAccessAt = Date.now();\n    await this.saveEntry(entry);\n  }\n\n  async removeAppCredential(vaultId: string, appId: string, providerId: string): Promise<void> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return;\n\n    const key = this.credentialKey(appId, providerId);\n    delete entry.appCredentials[key];\n    entry.lastAccessAt = Date.now();\n    await this.saveEntry(entry);\n  }\n\n  async getAppCredentials(vaultId: string, appId: string): Promise<AppCredential[]> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return [];\n\n    const prefix = `${appId}:`;\n    return Object.entries(entry.appCredentials)\n      .filter(([key]) => key.startsWith(prefix))\n      .map(([, cred]) => cred);\n  }\n\n  async getCredential(vaultId: string, appId: string, providerId: string): Promise<AppCredential | null> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return null;\n\n    const key = this.credentialKey(appId, providerId);\n    return entry.appCredentials[key] ?? null;\n  }\n\n  async getAllCredentials(vaultId: string, filterByConsent = false): Promise<AppCredential[]> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return [];\n\n    const allCredentials = Object.values(entry.appCredentials);\n\n    if (!filterByConsent || !entry.consent?.enabled) {\n      return allCredentials;\n    }\n\n    const consentedToolIds = new Set(entry.consent.selectedToolIds);\n    return allCredentials.filter((cred) => {\n      return Array.from(consentedToolIds).some((toolId) => toolId.startsWith(`${cred.appId}:`));\n    });\n  }\n\n  async updateCredential(\n    vaultId: string,\n    appId: string,\n    providerId: string,\n    updates: Partial<Pick<AppCredential, 'lastUsedAt' | 'isValid' | 'invalidReason' | 'expiresAt' | 'metadata'>>,\n  ): Promise<void> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return;\n\n    const key = this.credentialKey(appId, providerId);\n    const credential = entry.appCredentials[key];\n    if (!credential) return;\n\n    Object.assign(credential, updates);\n    entry.lastAccessAt = Date.now();\n    await this.saveEntry(entry);\n  }\n\n  async shouldStoreCredential(vaultId: string, appId: string, toolIds?: string[]): Promise<boolean> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return false;\n\n    if (!entry.consent?.enabled) {\n      return true;\n    }\n\n    if (toolIds && toolIds.length > 0) {\n      return toolIds.some((toolId) => entry.consent!.selectedToolIds.includes(toolId));\n    }\n\n    const consentedToolIds = entry.consent.selectedToolIds;\n    return consentedToolIds.some((toolId) => toolId.startsWith(`${appId}:`));\n  }\n\n  async invalidateCredential(vaultId: string, appId: string, providerId: string, reason: string): Promise<void> {\n    await this.updateCredential(vaultId, appId, providerId, {\n      isValid: false,\n      invalidReason: reason,\n    });\n  }\n\n  async refreshOAuthCredential(\n    vaultId: string,\n    appId: string,\n    providerId: string,\n    tokens: { accessToken: string; refreshToken?: string; expiresAt?: number },\n  ): Promise<void> {\n    const entry = await this.loadEntry(vaultId);\n    if (!entry) return;\n\n    const key = this.credentialKey(appId, providerId);\n    const credential = entry.appCredentials[key];\n    if (!credential || credential.credential.type !== 'oauth') return;\n\n    // Update OAuth tokens\n    credential.credential.accessToken = tokens.accessToken;\n    if (tokens.refreshToken !== undefined) {\n      credential.credential.refreshToken = tokens.refreshToken;\n    }\n    if (tokens.expiresAt !== undefined) {\n      credential.credential.expiresAt = tokens.expiresAt;\n      credential.expiresAt = tokens.expiresAt;\n    }\n\n    credential.isValid = true;\n    credential.invalidReason = undefined;\n    entry.lastAccessAt = Date.now();\n    await this.saveEntry(entry);\n  }\n\n  async cleanup(): Promise<void> {\n    // Redis cleanup would use SCAN to find and clean entries\n    // For encrypted vault, this needs careful handling\n    // as we can't read data without the encryption key\n  }\n}\n\n// ============================================\n// Factory Function\n// ============================================\n\n/**\n * Create an encrypted vault with the given configuration\n */\nexport function createEncryptedVault(\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  redis: any,\n  config: {\n    pepper?: string;\n    namespace?: string;\n  } = {},\n): { vault: EncryptedRedisVault; encryption: VaultEncryption } {\n  const encryption = new VaultEncryption({ pepper: config.pepper });\n  const vault = new EncryptedRedisVault(redis, encryption, config.namespace);\n\n  return { vault, encryption };\n}\n"]}

package/src/auth/session/index.d.ts

@@ -1,4 +1,4 @@
-export { SessionService } from './session.service';
-export type { CreateSessionArgs } from './session.types';
-export { isSoonExpiringProvider } from './token.refresh';
-export { Session } from './record/session.base';
+export * from './transport-session.types';
+export { TransportSessionManager, InMemorySessionStore } from './transport-session.manager';
+export * from './authorization.store';
+export * from './authorization-vault';

package/src/auth/session/index.js

@@ -1,10 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Session = exports.isSoonExpiringProvider = exports.SessionService = void 0;
-var session_service_1 = require("./session.service");
-Object.defineProperty(exports, "SessionService", { enumerable: true, get: function () { return session_service_1.SessionService; } });
-var token_refresh_1 = require("./token.refresh");
-Object.defineProperty(exports, "isSoonExpiringProvider", { enumerable: true, get: function () { return token_refresh_1.isSoonExpiringProvider; } });
-var session_base_1 = require("./record/session.base");
-Object.defineProperty(exports, "Session", { enumerable: true, get: function () { return session_base_1.Session; } });
+exports.InMemorySessionStore = exports.TransportSessionManager = void 0;
+const tslib_1 = require("tslib");
+// Transport session architecture
+tslib_1.__exportStar(require("./transport-session.types"), exports);
+var transport_session_manager_1 = require("./transport-session.manager");
+Object.defineProperty(exports, "TransportSessionManager", { enumerable: true, get: function () { return transport_session_manager_1.TransportSessionManager; } });
+Object.defineProperty(exports, "InMemorySessionStore", { enumerable: true, get: function () { return transport_session_manager_1.InMemorySessionStore; } });
+// Authorization store for OAuth flows
+tslib_1.__exportStar(require("./authorization.store"), exports);
+// Authorization vault for stateful sessions
+tslib_1.__exportStar(require("./authorization-vault"), exports);
 //# sourceMappingURL=index.js.map

package/src/auth/session/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/auth/session/index.ts"],"names":[],"mappings":";;;AAAA,qDAAmD;AAA1C,iHAAA,cAAc,OAAA;AAEvB,iDAAyD;AAAhD,uHAAA,sBAAsB,OAAA;AAE/B,sDAAgD;AAAvC,uGAAA,OAAO,OAAA","sourcesContent":["export { SessionService } from './session.service';\nexport type { CreateSessionArgs } from './session.types';\nexport { isSoonExpiringProvider } from './token.refresh';\n\nexport { Session } from './record/session.base';\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/auth/session/index.ts"],"names":[],"mappings":";;;;AAAA,iCAAiC;AACjC,oEAA0C;AAC1C,yEAA4F;AAAnF,oIAAA,uBAAuB,OAAA;AAAE,iIAAA,oBAAoB,OAAA;AAEtD,sCAAsC;AACtC,gEAAsC;AAEtC,4CAA4C;AAC5C,gEAAsC","sourcesContent":["// Transport session architecture\nexport * from './transport-session.types';\nexport { TransportSessionManager, InMemorySessionStore } from './transport-session.manager';\n\n// Authorization store for OAuth flows\nexport * from './authorization.store';\n\n// Authorization vault for stateful sessions\nexport * from './authorization-vault';\n"]}

package/src/auth/session/session.schema.d.ts

@@ -2,4 +2,4 @@ import { z } from 'zod';
 import { TransparentSession } from './record/session.transparent';
 import { StatefulSession } from './record/session.stateful';
 import { StatelessSession } from './record/session.stateless';
-export declare const SessionSchema: z.ZodUnion<[z.ZodType<TransparentSession, z.ZodTypeDef, TransparentSession>, z.ZodType<StatefulSession, z.ZodTypeDef, StatefulSession>, z.ZodType<StatelessSession, z.ZodTypeDef, StatelessSession>]>;
+export declare const SessionSchema: z.ZodUnion<readonly [z.ZodCustom<TransparentSession, TransparentSession>, z.ZodCustom<StatefulSession, StatefulSession>, z.ZodCustom<StatelessSession, StatelessSession>]>;

package/src/auth/session/session.service.d.ts

@@ -11,7 +11,7 @@ export declare class SessionService {
      * Create and persist a new Session from verified auth data.
      * The returned Session exposes async token helpers, scoped view, and transport JWT helpers.
      */
-    createSession(scope: Scope, args: CreateSessionArgs): Promise<StatelessSession | StatefulSession | TransparentSession>;
+    createSession(scope: Scope, args: CreateSessionArgs): Promise<TransparentSession | StatefulSession | StatelessSession>;
     private createOrchestratedSession;
     private createTransparentSession;
 }