npm - @frontmcp/sdk - Versions diffs - 0.6.0 → 0.6.2 - Mend

@frontmcp/sdk 0.6.0 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1053) hide show

package/src/auth/session/authorization-vault.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"authorization-vault.js","sourceRoot":"","sources":["../../../../src/auth/session/authorization-vault.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;;AAEH,6BAAwB;AACxB,6CAAyC;AAEzC,+CAA+C;AAC/C,uBAAuB;AACvB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,oBAAoB,GAAG,OAAC,CAAC,IAAI,CAAC;IACzC,OAAO,EAAE,mBAAmB;IAC5B,SAAS,EAAE,kCAAkC;IAC7C,OAAO,EAAE,iCAAiC;IAC1C,QAAQ,EAAE,wBAAwB;IAClC,aAAa,EAAE,sCAAsC;IACrD,MAAM,EAAE,yBAAyB;IACjC,QAAQ,EAAE,yBAAyB;CACpC,CAAC,CAAC;AAIH,+CAA+C;AAC/C,6BAA6B;AAC7B,+CAA+C;AAE/C;;GAEG;AACU,QAAA,qBAAqB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IACxB,mBAAmB;IACnB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE;IACvB,+BAA+B;IAC/B,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,oCAAoC;IACpC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;IACvC,4CAA4C;IAC5C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,qBAAqB;IACrB,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACvC,mCAAmC;IACnC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAC1B,wBAAwB;IACxB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,8DAA8D;IAC9D,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC;IAC3C,gEAAgE;IAChE,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,2CAA2C;IAC3C,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAClC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,yBAAyB,GAAG,OAAC,CAAC,MAAM,CAAC;IAChD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IACxB,eAAe;IACf,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,eAAe;IACf,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,gEAAgE;IAChE,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACpC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IACzB,6BAA6B;IAC7B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,iEAAiE;IACjE,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACjC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAC9B,iBAAiB;IACjB,MAAM,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjD,4CAA4C;IAC5C,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;IACnB,uBAAuB;IACvB,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,mCAAmC;IACnC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,qCAAqC;IACrC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,wCAAwC;IACxC,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IACvB,sCAAsC;IACtC,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE;IACvB,+BAA+B;IAC/B,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;IACtB,6CAA6C;IAC7C,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,sCAAsC;IACtC,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACrC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IACzB,6BAA6B;IAC7B,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,gCAAgC;IAChC,IAAI,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC;IACvC,qCAAqC;IACrC,OAAO,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrD,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,gBAAgB,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IAC3D,6BAAqB;IACrB,8BAAsB;IACtB,iCAAyB;IACzB,8BAAsB;IACtB,kCAA0B;IAC1B,4BAAoB;IACpB,8BAAsB;CACvB,CAAC,CAAC;AAWH,+CAA+C;AAC/C,wBAAwB;AACxB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,wCAAwC;IACxC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,yEAAyE;IACzE,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,0BAA0B;IAC1B,UAAU,EAAE,wBAAgB;IAC5B,6CAA6C;IAC7C,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;IACtB,8CAA8C;IAC9C,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,4CAA4C;IAC5C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,iDAAiD;IACjD,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,6CAA6C;IAC7C,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,gDAAgD;IAChD,QAAQ,EAAE,OAAC;SACR,MAAM,CAAC;QACN,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC5B,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC5B,CAAC;SACD,QAAQ,EAAE;IACb,sCAAsC;IACtC,QAAQ,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACvD,CAAC,CAAC;AAIH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C,kCAAkC;IAClC,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE;IACpB,8CAA8C;IAC9C,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACpC,4CAA4C;IAC5C,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACrC,uCAAuC;IACvC,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE;IACvB,2CAA2C;IAC3C,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACnC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD,sCAAsC;IACtC,mBAAmB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACxC,+DAA+D;IAC/D,kBAAkB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACvC,0BAA0B;IAC1B,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxC,mDAAmD;IACnD,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE;CACxB,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,4BAA4B,GAAG,OAAC,CAAC,MAAM,CAAC;IACnD,iCAAiC;IACjC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,8BAA8B;IAC9B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;IACjB,8CAA8C;IAC9C,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,wBAAwB;IACxB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;IACnB,sBAAsB;IACtB,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC9C,mCAAmC;IACnC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,yCAAyC;IACzC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,2BAA2B;IAC3B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,4BAA4B;IAC5B,MAAM,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;CACjE,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,6BAA6B,GAAG,OAAC,CAAC,MAAM,CAAC;IACpD,gDAAgD;IAChD,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,8BAA8B;IAC9B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;IACnB,iBAAiB;IACjB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,gBAAgB;IAChB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,0CAA0C;IAC1C,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,yBAAyB;IACzB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,4BAA4B;IAC5B,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;IACxB,0DAA0D;IAC1D,cAAc,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,2BAAmB,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACrE,qBAAqB;IACrB,OAAO,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAC5C,6BAA6B;IAC7B,SAAS,EAAE,kCAA0B,CAAC,QAAQ,EAAE;IAChD,iDAAiD;IACjD,YAAY,EAAE,OAAC,CAAC,KAAK,CAAC,oCAA4B,CAAC;IACnD,qCAAqC;IACrC,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACrC,kDAAkD;IAClD,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;CACnC,CAAC,CAAC;AAqKH,+CAA+C;AAC/C,2BAA2B;AAC3B,+CAA+C;AAE/C;;;;;GAKG;AACH,MAAa,0BAA0B;IAC7B,MAAM,GAAG,IAAI,GAAG,EAAmC,CAAC;IAE5D,yDAAyD;IACxC,gBAAgB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEnD,KAAK,CAAC,MAAM,CAAC,MASZ;QACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAA4B;YACrC,EAAE,EAAE,IAAA,wBAAU,GAAE;YAChB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,YAAY,EAAE,GAAG;YACjB,cAAc,EAAE,EAAE;YAClB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,YAAY,EAAE,EAAE;YAChB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,EAAE;YAC/C,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;SAC1C,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,oEAAoE;QACpE,sDAAsD;QACtD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU,EAAE,OAAyC;QAChE,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,OAA2B;QAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,KAAK,CAAC,OAAO,GAAG,OAAO,CAAC;QACxB,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAe,EAAE,KAAa;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,yCAAyC;QACzC,KAAK,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;QACvE,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5C,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrC,CAAC;QACD,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,OAAe,EACf,MAOC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAA2B;YAC1C,EAAE,EAAE,IAAA,wBAAU,GAAE;YAChB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,gBAAgB,CAAC;YACxD,MAAM,EAAE,SAAS;SAClB,CAAC;QAEF,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACrC,KAAK,CAAC,YAAY,GAAG,GAAG,CAAC;QAEzB,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,OAAe,EAAE,aAAqB;QACzD,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,mBAAmB;QACnB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,SAAS,EAAE,CAAC;YACvC,WAAW,CAAC,MAAM,GAAG,SAAS,CAAC;QACjC,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAe,EAAE,aAAqB;QAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,MAAM,GAAG,WAAW,CAAC;YAEjC,yBAAyB;YACzB,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,aAAqB;QAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,MAAM,GAAG,WAAW,CAAC;QACnC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,OAAe,EAAE,KAAa;QAClD,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAEzB,OAAO,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,OAAe;QACnC,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,mCAAmC;QACnC,OAAO,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YACrC,IAAI,GAAG,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAChD,CAAC,CAAC,MAAM,GAAG,SAAS,CAAC;YACvB,CAAC;YACD,OAAO,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;QAChC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACtC,iCAAiC;YACjC,KAAK,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACnD,IAAI,GAAG,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;oBAChD,CAAC,CAAC,MAAM,GAAG,SAAS,CAAC;gBACvB,CAAC;gBACD,wDAAwD;gBACxD,OAAO,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;YAChC,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,yBAAyB;IACzB,+CAA+C;IAE/C,wDAAwD;IAChD,aAAa,CAAC,KAAa,EAAE,UAAkB;QACrD,OAAO,GAAG,KAAK,IAAI,UAAU,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,OAAe,EAAE,UAAyB;QAC/D,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,4CAA4C;QAC5C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;QAChF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO;QACT,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,KAAK,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;QACxE,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC;QACvC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB;QAC1E,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,OAAO,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACjC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,KAAa;QACpD,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,MAAM,GAAG,GAAG,KAAK,GAAG,CAAC;QAC3B,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC;aACxC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;aACzC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB;QACpE,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,OAAO,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,eAAe,GAAG,KAAK;QAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QAE3D,IAAI,CAAC,eAAe,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YAChD,OAAO,cAAc,CAAC;QACxB,CAAC;QAED,4FAA4F;QAC5F,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChE,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;YACpC,+CAA+C;YAC/C,kEAAkE;YAClE,OAAO,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QAC5F,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,OAAe,EACf,KAAa,EACb,UAAkB,EAClB,OAA4G;QAE5G,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU;YAAE,OAAO;QAExB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACnC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,OAAe,EAAE,KAAa,EAAE,OAAkB;QAC5E,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAEzB,0CAA0C;QAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,4DAA4D;QAC5D,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,OAAQ,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACnF,CAAC;QAED,yDAAyD;QACzD,MAAM,gBAAgB,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC;QACvD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC;IAC3E,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB,EAAE,MAAc;QAC3F,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE;YACtD,OAAO,EAAE,KAAK;YACd,aAAa,EAAE,MAAM;SACtB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,sBAAsB,CAC1B,OAAe,EACf,KAAa,EACb,UAAkB,EAClB,MAA0E;QAE1E,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,KAAK,OAAO;YAAE,OAAO;QAElE,sBAAsB;QACtB,UAAU,CAAC,UAAU,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;QACvD,IAAI,MAAM,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YACtC,UAAU,CAAC,UAAU,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;QAC3D,CAAC;QACD,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,UAAU,CAAC,UAAU,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;YACnD,UAAU,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;QAC1C,CAAC;QAED,sBAAsB;QACtB,UAAU,CAAC,OAAO,GAAG,IAAI,CAAC;QAC1B,UAAU,CAAC,aAAa,GAAG,SAAS,CAAC;QACrC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAClC,CAAC;CACF;AAxUD,gEAwUC;AAED,+CAA+C;AAC/C,qCAAqC;AACrC,+CAA+C;AAE/C;;;;;GAKG;AACH,MAAa,uBAAuB;IAGf;IACA;IAHnB;IACE,8DAA8D;IAC7C,KAAU,EACV,YAAY,QAAQ;QADpB,UAAK,GAAL,KAAK,CAAK;QACV,cAAS,GAAT,SAAS,CAAW;IACpC,CAAC;IAEI,GAAG,CAAC,EAAU;QACpB,OAAO,GAAG,IAAI,CAAC,SAAS,GAAG,EAAE,EAAE,CAAC;IAClC,CAAC;IAED,wDAAwD;IAChD,aAAa,CAAC,KAAa,EAAE,UAAkB;QACrD,OAAO,GAAG,KAAK,IAAI,UAAU,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,MASZ;QACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAA4B;YACrC,EAAE,EAAE,IAAA,wBAAU,GAAE;YAChB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,YAAY,EAAE,GAAG;YACjB,cAAc,EAAE,EAAE;YAClB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,YAAY,EAAE,EAAE;YAChB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,EAAE;YAC/C,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;SAC1C,CAAC;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAChD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;QAC1D,oEAAoE;QACpE,sDAAsD;QACtD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU,EAAE,OAAyC;QAChE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC5D,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,OAA2B;QAC9D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,KAAK,CAAC,OAAO,GAAG,OAAO,CAAC;QACxB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAe,EAAE,KAAa;QAC/C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,KAAK,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;QACvE,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5C,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrC,CAAC;QACD,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,OAAe,EACf,MAOC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAA2B;YAC1C,EAAE,EAAE,IAAA,wBAAU,GAAE;YAChB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;YACjD,MAAM,EAAE,SAAS;SAClB,CAAC;QAEF,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACrC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QAE/D,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,OAAe,EAAE,aAAqB;QACzD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,SAAS,IAAI,WAAW,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC3E,WAAW,CAAC,MAAM,GAAG,SAAS,CAAC;YAC/B,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACjE,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAe,EAAE,aAAqB;QAC9D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,MAAM,GAAG,WAAW,CAAC;YACjC,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,aAAqB;QAC5D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,MAAM,GAAG,WAAW,CAAC;YACjC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,OAAe,EAAE,KAAa;QAClD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAEzB,OAAO,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,OAAe;QACnC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,MAAM,OAAO,GAAG,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YAC9C,IAAI,GAAG,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAChD,CAAC,CAAC,MAAM,GAAG,SAAS,CAAC;gBACrB,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;YACD,OAAO,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACjE,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,OAAO;QACX,yDAAyD;QACzD,wBAAwB;IAC1B,CAAC;IAED,+CAA+C;IAC/C,yBAAyB;IACzB,+CAA+C;IAE/C,KAAK,CAAC,gBAAgB,CAAC,OAAe,EAAE,UAAyB;QAC/D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,4CAA4C;QAC5C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;QAChF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO;QACT,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,KAAK,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;QACxE,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC;QACvC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB;QAC1E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,OAAO,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,KAAa;QACpD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,MAAM,GAAG,GAAG,KAAK,GAAG,CAAC;QAC3B,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC;aACxC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;aACzC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB;QACpE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,OAAO,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,eAAe,GAAG,KAAK;QAC9D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QAE3D,IAAI,CAAC,eAAe,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YAChD,OAAO,cAAc,CAAC;QACxB,CAAC;QAED,4FAA4F;QAC5F,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChE,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;YACpC,OAAO,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QAC5F,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,OAAe,EACf,KAAa,EACb,UAAkB,EAClB,OAA4G;QAE5G,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU;YAAE,OAAO;QAExB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACnC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,OAAe,EAAE,KAAa,EAAE,OAAkB;QAC5E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAEzB,0CAA0C;QAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,4DAA4D;QAC5D,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,OAAQ,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACnF,CAAC;QAED,yDAAyD;QACzD,MAAM,gBAAgB,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC;QACvD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC;IAC3E,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB,EAAE,MAAc;QAC3F,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE;YACtD,OAAO,EAAE,KAAK;YACd,aAAa,EAAE,MAAM;SACtB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,sBAAsB,CAC1B,OAAe,EACf,KAAa,EACb,UAAkB,EAClB,MAA0E;QAE1E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,KAAK,OAAO;YAAE,OAAO;QAElE,sBAAsB;QACtB,UAAU,CAAC,UAAU,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;QACvD,IAAI,MAAM,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YACtC,UAAU,CAAC,UAAU,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;QAC3D,CAAC;QACD,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,UAAU,CAAC,UAAU,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;YACnD,UAAU,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;QAC1C,CAAC;QAED,sBAAsB;QACtB,UAAU,CAAC,OAAO,GAAG,IAAI,CAAC;QAC1B,UAAU,CAAC,aAAa,GAAG,SAAS,CAAC;QACrC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IACjE,CAAC;CACF;AAxUD,0DAwUC","sourcesContent":["/**\n * Authorization Vault\n *\n * Secure storage for stateful authorization sessions.\n * Stores provider tokens, consent selections, and session metadata.\n *\n * Supports multiple credential types:\n * - OAuth tokens (access_token, refresh_token, scopes)\n * - API Keys (key value, header name)\n * - Basic Auth (username, password)\n * - Private Keys (PEM/JWK format for signing)\n * - Custom credentials (extensible)\n *\n * In stateful mode:\n * - Access token is a non-rotatable key to this vault\n * - All sensitive data stored server-side\n * - Supports incremental authorization via links\n *\n * In stateless mode:\n * - No vault used, all data in JWT claims\n * - No incremental authorization support\n */\n\nimport { z } from 'zod';\nimport { randomUUID } from 'node:crypto';\n\n// ============================================\n// Credential Type Enum\n// ============================================\n\n/**\n * Supported credential types for app authentication\n */\nexport const credentialTypeSchema = z.enum([\n 'oauth', // OAuth 2.0 tokens\n 'api_key', // API key (header or query param)\n 'basic', // Basic auth (username:password)\n 'bearer', // Bearer token (static)\n 'private_key', // Private key for signing (JWT, etc.)\n 'mtls', // Mutual TLS certificate\n 'custom', // Custom credential type\n]);\n\nexport type CredentialType = z.infer<typeof credentialTypeSchema>;\n\n// ============================================\n// Credential Schemas by Type\n// ============================================\n\n/**\n * OAuth credential - standard OAuth 2.0 tokens\n */\nexport const oauthCredentialSchema = z.object({\n type: z.literal('oauth'),\n /** Access token */\n accessToken: z.string(),\n /** Refresh token (optional) */\n refreshToken: z.string().optional(),\n /** Token type (usually 'Bearer') */\n tokenType: z.string().default('Bearer'),\n /** Token expiration timestamp (epoch ms) */\n expiresAt: z.number().optional(),\n /** Granted scopes */\n scopes: z.array(z.string()).default([]),\n /** ID token for OIDC (optional) */\n idToken: z.string().optional(),\n});\n\n/**\n * API Key credential - sent in header or query param\n */\nexport const apiKeyCredentialSchema = z.object({\n type: z.literal('api_key'),\n /** The API key value */\n key: z.string().min(1),\n /** Header name to use (e.g., 'X-API-Key', 'Authorization') */\n headerName: z.string().default('X-API-Key'),\n /** Prefix for the header value (e.g., 'Bearer ', 'Api-Key ') */\n headerPrefix: z.string().optional(),\n /** Alternative: send as query parameter */\n queryParam: z.string().optional(),\n});\n\n/**\n * Basic Auth credential - username and password\n */\nexport const basicAuthCredentialSchema = z.object({\n type: z.literal('basic'),\n /** Username */\n username: z.string().min(1),\n /** Password */\n password: z.string(),\n /** Pre-computed base64 encoded value (optional, for caching) */\n encodedValue: z.string().optional(),\n});\n\n/**\n * Bearer token credential - static bearer token\n */\nexport const bearerCredentialSchema = z.object({\n type: z.literal('bearer'),\n /** The bearer token value */\n token: z.string().min(1),\n /** Token expiration (optional, for static tokens that expire) */\n expiresAt: z.number().optional(),\n});\n\n/**\n * Private key credential - for JWT signing or request signing\n */\nexport const privateKeyCredentialSchema = z.object({\n type: z.literal('private_key'),\n /** Key format */\n format: z.enum(['pem', 'jwk', 'pkcs8', 'pkcs12']),\n /** The key data (PEM string or JWK JSON) */\n keyData: z.string(),\n /** Key ID (for JWK) */\n keyId: z.string().optional(),\n /** Algorithm to use for signing */\n algorithm: z.string().optional(),\n /** Passphrase if key is encrypted */\n passphrase: z.string().optional(),\n /** Associated certificate (for mTLS) */\n certificate: z.string().optional(),\n});\n\n/**\n * mTLS credential - client certificate for mutual TLS\n */\nexport const mtlsCredentialSchema = z.object({\n type: z.literal('mtls'),\n /** Client certificate (PEM format) */\n certificate: z.string(),\n /** Private key (PEM format) */\n privateKey: z.string(),\n /** Passphrase if private key is encrypted */\n passphrase: z.string().optional(),\n /** CA certificate chain (optional) */\n caCertificate: z.string().optional(),\n});\n\n/**\n * Custom credential - extensible for app-specific auth\n */\nexport const customCredentialSchema = z.object({\n type: z.literal('custom'),\n /** Custom type identifier */\n customType: z.string().min(1),\n /** Arbitrary credential data */\n data: z.record(z.string(), z.unknown()),\n /** Headers to include in requests */\n headers: z.record(z.string(), z.string()).optional(),\n});\n\n/**\n * Union of all credential types\n */\nexport const credentialSchema = z.discriminatedUnion('type', [\n oauthCredentialSchema,\n apiKeyCredentialSchema,\n basicAuthCredentialSchema,\n bearerCredentialSchema,\n privateKeyCredentialSchema,\n mtlsCredentialSchema,\n customCredentialSchema,\n]);\n\nexport type OAuthCredential = z.infer<typeof oauthCredentialSchema>;\nexport type ApiKeyCredential = z.infer<typeof apiKeyCredentialSchema>;\nexport type BasicAuthCredential = z.infer<typeof basicAuthCredentialSchema>;\nexport type BearerCredential = z.infer<typeof bearerCredentialSchema>;\nexport type PrivateKeyCredential = z.infer<typeof privateKeyCredentialSchema>;\nexport type MtlsCredential = z.infer<typeof mtlsCredentialSchema>;\nexport type CustomCredential = z.infer<typeof customCredentialSchema>;\nexport type Credential = z.infer<typeof credentialSchema>;\n\n// ============================================\n// App Credential Schema\n// ============================================\n\n/**\n * Credential stored for an app in the vault\n */\nexport const appCredentialSchema = z.object({\n /** App ID this credential belongs to */\n appId: z.string().min(1),\n /** Provider ID within the app (for apps with multiple auth providers) */\n providerId: z.string().min(1),\n /** The credential data */\n credential: credentialSchema,\n /** Timestamp when credential was acquired */\n acquiredAt: z.number(),\n /** Timestamp when credential was last used */\n lastUsedAt: z.number().optional(),\n /** Credential expiration (if applicable) */\n expiresAt: z.number().optional(),\n /** Whether this credential is currently valid */\n isValid: z.boolean().default(true),\n /** Error message if credential is invalid */\n invalidReason: z.string().optional(),\n /** User info associated with this credential */\n userInfo: z\n .object({\n sub: z.string().optional(),\n email: z.string().optional(),\n name: z.string().optional(),\n })\n .optional(),\n /** Metadata for tracking/debugging */\n metadata: z.record(z.string(), z.unknown()).optional(),\n});\n\nexport type AppCredential = z.infer<typeof appCredentialSchema>;\n\n/**\n * Consent record stored in vault\n */\nexport const vaultConsentRecordSchema = z.object({\n /** Whether consent was enabled */\n enabled: z.boolean(),\n /** Selected tool IDs (user approved these) */\n selectedToolIds: z.array(z.string()),\n /** Available tool IDs at time of consent */\n availableToolIds: z.array(z.string()),\n /** Timestamp when consent was given */\n consentedAt: z.number(),\n /** Consent version for tracking changes */\n version: z.string().default('1.0'),\n});\n\n/**\n * Federated login record stored in vault\n */\nexport const vaultFederatedRecordSchema = z.object({\n /** Provider IDs that were selected */\n selectedProviderIds: z.array(z.string()),\n /** Provider IDs that were skipped (can be authorized later) */\n skippedProviderIds: z.array(z.string()),\n /** Primary provider ID */\n primaryProviderId: z.string().optional(),\n /** Timestamp when federated login was completed */\n completedAt: z.number(),\n});\n\n/**\n * Pending incremental authorization request\n */\nexport const pendingIncrementalAuthSchema = z.object({\n /** Unique ID for this request */\n id: z.string(),\n /** App ID being authorized */\n appId: z.string(),\n /** Tool ID that triggered the auth request */\n toolId: z.string().optional(),\n /** Authorization URL */\n authUrl: z.string(),\n /** Required scopes */\n requiredScopes: z.array(z.string()).optional(),\n /** Whether elicit is being used */\n elicitId: z.string().optional(),\n /** Timestamp when request was created */\n createdAt: z.number(),\n /** Expiration timestamp */\n expiresAt: z.number(),\n /** Status of the request */\n status: z.enum(['pending', 'completed', 'cancelled', 'expired']),\n});\n\n/**\n * Authorization vault entry (the full session state)\n */\nexport const authorizationVaultEntrySchema = z.object({\n /** Vault ID (maps to access token jti claim) */\n id: z.string(),\n /** User subject identifier */\n userSub: z.string(),\n /** User email */\n userEmail: z.string().optional(),\n /** User name */\n userName: z.string().optional(),\n /** Client ID that created this session */\n clientId: z.string(),\n /** Creation timestamp */\n createdAt: z.number(),\n /** Last access timestamp */\n lastAccessAt: z.number(),\n /** App credentials (keyed by `${appId}:${providerId}`) */\n appCredentials: z.record(z.string(), appCredentialSchema).default({}),\n /** Consent record */\n consent: vaultConsentRecordSchema.optional(),\n /** Federated login record */\n federated: vaultFederatedRecordSchema.optional(),\n /** Pending incremental authorization requests */\n pendingAuths: z.array(pendingIncrementalAuthSchema),\n /** Apps that are fully authorized */\n authorizedAppIds: z.array(z.string()),\n /** Apps that were skipped (not yet authorized) */\n skippedAppIds: z.array(z.string()),\n});\n\n// ============================================\n// Types\n// ============================================\n\nexport type VaultConsentRecord = z.infer<typeof vaultConsentRecordSchema>;\nexport type VaultFederatedRecord = z.infer<typeof vaultFederatedRecordSchema>;\nexport type PendingIncrementalAuth = z.infer<typeof pendingIncrementalAuthSchema>;\nexport type AuthorizationVaultEntry = z.infer<typeof authorizationVaultEntrySchema>;\n\n// ============================================\n// Authorization Vault Interface\n// ============================================\n\nexport interface AuthorizationVault {\n /**\n * Create a new vault entry\n */\n create(params: {\n userSub: string;\n userEmail?: string;\n userName?: string;\n clientId: string;\n consent?: VaultConsentRecord;\n federated?: VaultFederatedRecord;\n authorizedAppIds?: string[];\n skippedAppIds?: string[];\n }): Promise<AuthorizationVaultEntry>;\n\n /**\n * Get vault entry by ID\n */\n get(id: string): Promise<AuthorizationVaultEntry | null>;\n\n /**\n * Update vault entry\n */\n update(id: string, updates: Partial<AuthorizationVaultEntry>): Promise<void>;\n\n /**\n * Delete vault entry\n */\n delete(id: string): Promise<void>;\n\n /**\n * Update consent in the vault\n */\n updateConsent(vaultId: string, consent: VaultConsentRecord): Promise<void>;\n\n /**\n * Add app to authorized list (for incremental auth)\n */\n authorizeApp(vaultId: string, appId: string): Promise<void>;\n\n /**\n * Create a pending incremental auth request\n */\n createPendingAuth(\n vaultId: string,\n params: {\n appId: string;\n toolId?: string;\n authUrl: string;\n requiredScopes?: string[];\n elicitId?: string;\n ttlMs?: number;\n },\n ): Promise<PendingIncrementalAuth>;\n\n /**\n * Get pending auth by ID\n */\n getPendingAuth(vaultId: string, pendingAuthId: string): Promise<PendingIncrementalAuth | null>;\n\n /**\n * Complete a pending incremental auth\n */\n completePendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;\n\n /**\n * Cancel a pending incremental auth\n */\n cancelPendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;\n\n /**\n * Check if app is authorized\n */\n isAppAuthorized(vaultId: string, appId: string): Promise<boolean>;\n\n /**\n * Get all pending auths for a vault\n */\n getPendingAuths(vaultId: string): Promise<PendingIncrementalAuth[]>;\n\n // ============================================\n // App Credential Methods\n // ============================================\n\n /**\n * Add an app credential to the vault\n * Only stores if app is authorized AND (consent disabled OR app tools in consent)\n */\n addAppCredential(vaultId: string, credential: AppCredential): Promise<void>;\n\n /**\n * Remove an app credential from the vault\n */\n removeAppCredential(vaultId: string, appId: string, providerId: string): Promise<void>;\n\n /**\n * Get all credentials for a specific app\n */\n getAppCredentials(vaultId: string, appId: string): Promise<AppCredential[]>;\n\n /**\n * Get a specific credential for an app and provider\n */\n getCredential(vaultId: string, appId: string, providerId: string): Promise<AppCredential | null>;\n\n /**\n * Get all credentials in the vault (filtered by consent if enabled)\n * @param filterByConsent If true, only returns credentials for apps with consented tools\n */\n getAllCredentials(vaultId: string, filterByConsent?: boolean): Promise<AppCredential[]>;\n\n /**\n * Update credential metadata (last used, validity, etc.)\n */\n updateCredential(\n vaultId: string,\n appId: string,\n providerId: string,\n updates: Partial<Pick<AppCredential, 'lastUsedAt' | 'isValid' | 'invalidReason' | 'expiresAt' | 'metadata'>>,\n ): Promise<void>;\n\n /**\n * Check if a credential should be stored based on consent\n * Returns true if:\n * - Consent is disabled, OR\n * - The app has at least one tool in the consent selection\n */\n shouldStoreCredential(vaultId: string, appId: string, toolIds?: string[]): Promise<boolean>;\n\n /**\n * Invalidate a credential (mark as invalid without removing)\n */\n invalidateCredential(vaultId: string, appId: string, providerId: string, reason: string): Promise<void>;\n\n /**\n * Refresh an OAuth credential (update tokens)\n */\n refreshOAuthCredential(\n vaultId: string,\n appId: string,\n providerId: string,\n tokens: { accessToken: string; refreshToken?: string; expiresAt?: number },\n ): Promise<void>;\n\n /**\n * Cleanup expired entries and pending auths\n */\n cleanup(): Promise<void>;\n}\n\n// ============================================\n// In-Memory Implementation\n// ============================================\n\n/**\n * In-Memory Authorization Vault\n *\n * Development/testing implementation. Data is lost on restart.\n * For production, use RedisAuthorizationVault.\n */\nexport class InMemoryAuthorizationVault implements AuthorizationVault {\n private vaults = new Map<string, AuthorizationVaultEntry>();\n\n /** Default TTL for pending auth requests (10 minutes) */\n private readonly pendingAuthTtlMs = 10 * 60 * 1000;\n\n async create(params: {\n userSub: string;\n userEmail?: string;\n userName?: string;\n clientId: string;\n consent?: VaultConsentRecord;\n federated?: VaultFederatedRecord;\n authorizedAppIds?: string[];\n skippedAppIds?: string[];\n }): Promise<AuthorizationVaultEntry> {\n const now = Date.now();\n const entry: AuthorizationVaultEntry = {\n id: randomUUID(),\n userSub: params.userSub,\n userEmail: params.userEmail,\n userName: params.userName,\n clientId: params.clientId,\n createdAt: now,\n lastAccessAt: now,\n appCredentials: {},\n consent: params.consent,\n federated: params.federated,\n pendingAuths: [],\n authorizedAppIds: params.authorizedAppIds ?? [],\n skippedAppIds: params.skippedAppIds ?? [],\n };\n\n this.vaults.set(entry.id, entry);\n return entry;\n }\n\n async get(id: string): Promise<AuthorizationVaultEntry | null> {\n const entry = this.vaults.get(id);\n if (!entry) return null;\n\n // Note: lastAccessAt is updated on explicit operations, not on read\n // This prevents unnecessary writes on read operations\n return entry;\n }\n\n async update(id: string, updates: Partial<AuthorizationVaultEntry>): Promise<void> {\n const entry = this.vaults.get(id);\n if (!entry) return;\n\n Object.assign(entry, updates, { lastAccessAt: Date.now() });\n }\n\n async delete(id: string): Promise<void> {\n this.vaults.delete(id);\n }\n\n async updateConsent(vaultId: string, consent: VaultConsentRecord): Promise<void> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return;\n\n entry.consent = consent;\n entry.lastAccessAt = Date.now();\n }\n\n async authorizeApp(vaultId: string, appId: string): Promise<void> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return;\n\n // Remove from skipped, add to authorized\n entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== appId);\n if (!entry.authorizedAppIds.includes(appId)) {\n entry.authorizedAppIds.push(appId);\n }\n entry.lastAccessAt = Date.now();\n }\n\n async createPendingAuth(\n vaultId: string,\n params: {\n appId: string;\n toolId?: string;\n authUrl: string;\n requiredScopes?: string[];\n elicitId?: string;\n ttlMs?: number;\n },\n ): Promise<PendingIncrementalAuth> {\n const entry = this.vaults.get(vaultId);\n if (!entry) {\n throw new Error(`Vault not found: ${vaultId}`);\n }\n\n const now = Date.now();\n const pendingAuth: PendingIncrementalAuth = {\n id: randomUUID(),\n appId: params.appId,\n toolId: params.toolId,\n authUrl: params.authUrl,\n requiredScopes: params.requiredScopes,\n elicitId: params.elicitId,\n createdAt: now,\n expiresAt: now + (params.ttlMs ?? this.pendingAuthTtlMs),\n status: 'pending',\n };\n\n entry.pendingAuths.push(pendingAuth);\n entry.lastAccessAt = now;\n\n return pendingAuth;\n }\n\n async getPendingAuth(vaultId: string, pendingAuthId: string): Promise<PendingIncrementalAuth | null> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return null;\n\n const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n if (!pendingAuth) return null;\n\n // Check if expired\n if (Date.now() > pendingAuth.expiresAt) {\n pendingAuth.status = 'expired';\n }\n\n return pendingAuth;\n }\n\n async completePendingAuth(vaultId: string, pendingAuthId: string): Promise<void> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return;\n\n const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n if (pendingAuth) {\n pendingAuth.status = 'completed';\n\n // Auto-authorize the app\n await this.authorizeApp(vaultId, pendingAuth.appId);\n }\n }\n\n async cancelPendingAuth(vaultId: string, pendingAuthId: string): Promise<void> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return;\n\n const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n if (pendingAuth) {\n pendingAuth.status = 'cancelled';\n }\n }\n\n async isAppAuthorized(vaultId: string, appId: string): Promise<boolean> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return false;\n\n return entry.authorizedAppIds.includes(appId);\n }\n\n async getPendingAuths(vaultId: string): Promise<PendingIncrementalAuth[]> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return [];\n\n const now = Date.now();\n\n // Update expired status and filter\n return entry.pendingAuths.filter((p) => {\n if (now > p.expiresAt && p.status === 'pending') {\n p.status = 'expired';\n }\n return p.status === 'pending';\n });\n }\n\n async cleanup(): Promise<void> {\n const now = Date.now();\n\n for (const [id, entry] of this.vaults) {\n // Clean up expired pending auths\n entry.pendingAuths = entry.pendingAuths.filter((p) => {\n if (now > p.expiresAt && p.status === 'pending') {\n p.status = 'expired';\n }\n // Keep for audit trail, or remove completely if desired\n return p.status === 'pending';\n });\n }\n }\n\n // ============================================\n // App Credential Methods\n // ============================================\n\n /** Create a credential key from appId and providerId */\n private credentialKey(appId: string, providerId: string): string {\n return `${appId}:${providerId}`;\n }\n\n async addAppCredential(vaultId: string, credential: AppCredential): Promise<void> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return;\n\n // Check if we should store based on consent\n const shouldStore = await this.shouldStoreCredential(vaultId, credential.appId);\n if (!shouldStore) {\n return;\n }\n\n const key = this.credentialKey(credential.appId, credential.providerId);\n entry.appCredentials[key] = credential;\n entry.lastAccessAt = Date.now();\n }\n\n async removeAppCredential(vaultId: string, appId: string, providerId: string): Promise<void> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return;\n\n const key = this.credentialKey(appId, providerId);\n delete entry.appCredentials[key];\n entry.lastAccessAt = Date.now();\n }\n\n async getAppCredentials(vaultId: string, appId: string): Promise<AppCredential[]> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return [];\n\n const prefix = `${appId}:`;\n return Object.entries(entry.appCredentials)\n .filter(([key]) => key.startsWith(prefix))\n .map(([, cred]) => cred);\n }\n\n async getCredential(vaultId: string, appId: string, providerId: string): Promise<AppCredential | null> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return null;\n\n const key = this.credentialKey(appId, providerId);\n return entry.appCredentials[key] ?? null;\n }\n\n async getAllCredentials(vaultId: string, filterByConsent = false): Promise<AppCredential[]> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return [];\n\n const allCredentials = Object.values(entry.appCredentials);\n\n if (!filterByConsent || !entry.consent?.enabled) {\n return allCredentials;\n }\n\n // Filter by consent - only return credentials for apps that have tools in consent selection\n const consentedToolIds = new Set(entry.consent.selectedToolIds);\n return allCredentials.filter((cred) => {\n // Check if any tool for this app is in consent\n // Tool IDs are typically formatted as `appId:toolName` or similar\n return Array.from(consentedToolIds).some((toolId) => toolId.startsWith(`${cred.appId}:`));\n });\n }\n\n async updateCredential(\n vaultId: string,\n appId: string,\n providerId: string,\n updates: Partial<Pick<AppCredential, 'lastUsedAt' | 'isValid' | 'invalidReason' | 'expiresAt' | 'metadata'>>,\n ): Promise<void> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return;\n\n const key = this.credentialKey(appId, providerId);\n const credential = entry.appCredentials[key];\n if (!credential) return;\n\n Object.assign(credential, updates);\n entry.lastAccessAt = Date.now();\n }\n\n async shouldStoreCredential(vaultId: string, appId: string, toolIds?: string[]): Promise<boolean> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return false;\n\n // If consent is not enabled, always allow\n if (!entry.consent?.enabled) {\n return true;\n }\n\n // If toolIds provided, check if any match consent selection\n if (toolIds && toolIds.length > 0) {\n return toolIds.some((toolId) => entry.consent!.selectedToolIds.includes(toolId));\n }\n\n // Check if any tool for this app is in consent selection\n const consentedToolIds = entry.consent.selectedToolIds;\n return consentedToolIds.some((toolId) => toolId.startsWith(`${appId}:`));\n }\n\n async invalidateCredential(vaultId: string, appId: string, providerId: string, reason: string): Promise<void> {\n await this.updateCredential(vaultId, appId, providerId, {\n isValid: false,\n invalidReason: reason,\n });\n }\n\n async refreshOAuthCredential(\n vaultId: string,\n appId: string,\n providerId: string,\n tokens: { accessToken: string; refreshToken?: string; expiresAt?: number },\n ): Promise<void> {\n const entry = this.vaults.get(vaultId);\n if (!entry) return;\n\n const key = this.credentialKey(appId, providerId);\n const credential = entry.appCredentials[key];\n if (!credential || credential.credential.type !== 'oauth') return;\n\n // Update OAuth tokens\n credential.credential.accessToken = tokens.accessToken;\n if (tokens.refreshToken !== undefined) {\n credential.credential.refreshToken = tokens.refreshToken;\n }\n if (tokens.expiresAt !== undefined) {\n credential.credential.expiresAt = tokens.expiresAt;\n credential.expiresAt = tokens.expiresAt;\n }\n\n // Mark as valid again\n credential.isValid = true;\n credential.invalidReason = undefined;\n entry.lastAccessAt = Date.now();\n }\n}\n\n// ============================================\n// Redis Implementation (placeholder)\n// ============================================\n\n/**\n * Redis Authorization Vault (placeholder)\n *\n * Production implementation using Redis for distributed storage.\n * TODO: Implement after in-memory vault is validated.\n */\nexport class RedisAuthorizationVault implements AuthorizationVault {\n constructor(\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n private readonly redis: any,\n private readonly namespace = 'vault:',\n ) {}\n\n private key(id: string): string {\n return `${this.namespace}${id}`;\n }\n\n /** Create a credential key from appId and providerId */\n private credentialKey(appId: string, providerId: string): string {\n return `${appId}:${providerId}`;\n }\n\n async create(params: {\n userSub: string;\n userEmail?: string;\n userName?: string;\n clientId: string;\n consent?: VaultConsentRecord;\n federated?: VaultFederatedRecord;\n authorizedAppIds?: string[];\n skippedAppIds?: string[];\n }): Promise<AuthorizationVaultEntry> {\n const now = Date.now();\n const entry: AuthorizationVaultEntry = {\n id: randomUUID(),\n userSub: params.userSub,\n userEmail: params.userEmail,\n userName: params.userName,\n clientId: params.clientId,\n createdAt: now,\n lastAccessAt: now,\n appCredentials: {},\n consent: params.consent,\n federated: params.federated,\n pendingAuths: [],\n authorizedAppIds: params.authorizedAppIds ?? [],\n skippedAppIds: params.skippedAppIds ?? [],\n };\n\n await this.redis.set(this.key(entry.id), JSON.stringify(entry));\n return entry;\n }\n\n async get(id: string): Promise<AuthorizationVaultEntry | null> {\n const data = await this.redis.get(this.key(id));\n if (!data) return null;\n\n const entry = JSON.parse(data) as AuthorizationVaultEntry;\n // Note: lastAccessAt is updated on explicit operations, not on read\n // This prevents unnecessary writes on read operations\n return entry;\n }\n\n async update(id: string, updates: Partial<AuthorizationVaultEntry>): Promise<void> {\n const entry = await this.get(id);\n if (!entry) return;\n\n Object.assign(entry, updates, { lastAccessAt: Date.now() });\n await this.redis.set(this.key(id), JSON.stringify(entry));\n }\n\n async delete(id: string): Promise<void> {\n await this.redis.del(this.key(id));\n }\n\n async updateConsent(vaultId: string, consent: VaultConsentRecord): Promise<void> {\n const entry = await this.get(vaultId);\n if (!entry) return;\n\n entry.consent = consent;\n await this.redis.set(this.key(vaultId), JSON.stringify(entry));\n }\n\n async authorizeApp(vaultId: string, appId: string): Promise<void> {\n const entry = await this.get(vaultId);\n if (!entry) return;\n\n entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== appId);\n if (!entry.authorizedAppIds.includes(appId)) {\n entry.authorizedAppIds.push(appId);\n }\n await this.redis.set(this.key(vaultId), JSON.stringify(entry));\n }\n\n async createPendingAuth(\n vaultId: string,\n params: {\n appId: string;\n toolId?: string;\n authUrl: string;\n requiredScopes?: string[];\n elicitId?: string;\n ttlMs?: number;\n },\n ): Promise<PendingIncrementalAuth> {\n const entry = await this.get(vaultId);\n if (!entry) {\n throw new Error(`Vault not found: ${vaultId}`);\n }\n\n const now = Date.now();\n const pendingAuth: PendingIncrementalAuth = {\n id: randomUUID(),\n appId: params.appId,\n toolId: params.toolId,\n authUrl: params.authUrl,\n requiredScopes: params.requiredScopes,\n elicitId: params.elicitId,\n createdAt: now,\n expiresAt: now + (params.ttlMs ?? 10 * 60 * 1000),\n status: 'pending',\n };\n\n entry.pendingAuths.push(pendingAuth);\n await this.redis.set(this.key(vaultId), JSON.stringify(entry));\n\n return pendingAuth;\n }\n\n async getPendingAuth(vaultId: string, pendingAuthId: string): Promise<PendingIncrementalAuth | null> {\n const entry = await this.get(vaultId);\n if (!entry) return null;\n\n const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n if (!pendingAuth) return null;\n\n if (Date.now() > pendingAuth.expiresAt && pendingAuth.status === 'pending') {\n pendingAuth.status = 'expired';\n await this.redis.set(this.key(vaultId), JSON.stringify(entry));\n }\n\n return pendingAuth;\n }\n\n async completePendingAuth(vaultId: string, pendingAuthId: string): Promise<void> {\n const entry = await this.get(vaultId);\n if (!entry) return;\n\n const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n if (pendingAuth) {\n pendingAuth.status = 'completed';\n await this.authorizeApp(vaultId, pendingAuth.appId);\n }\n }\n\n async cancelPendingAuth(vaultId: string, pendingAuthId: string): Promise<void> {\n const entry = await this.get(vaultId);\n if (!entry) return;\n\n const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n if (pendingAuth) {\n pendingAuth.status = 'cancelled';\n await this.redis.set(this.key(vaultId), JSON.stringify(entry));\n }\n }\n\n async isAppAuthorized(vaultId: string, appId: string): Promise<boolean> {\n const entry = await this.get(vaultId);\n if (!entry) return false;\n\n return entry.authorizedAppIds.includes(appId);\n }\n\n async getPendingAuths(vaultId: string): Promise<PendingIncrementalAuth[]> {\n const entry = await this.get(vaultId);\n if (!entry) return [];\n\n const now = Date.now();\n let updated = false;\n\n const pending = entry.pendingAuths.filter((p) => {\n if (now > p.expiresAt && p.status === 'pending') {\n p.status = 'expired';\n updated = true;\n }\n return p.status === 'pending';\n });\n\n if (updated) {\n await this.redis.set(this.key(vaultId), JSON.stringify(entry));\n }\n\n return pending;\n }\n\n async cleanup(): Promise<void> {\n // Redis cleanup would use SCAN to find and clean entries\n // This is a placeholder\n }\n\n // ============================================\n // App Credential Methods\n // ============================================\n\n async addAppCredential(vaultId: string, credential: AppCredential): Promise<void> {\n const entry = await this.get(vaultId);\n if (!entry) return;\n\n // Check if we should store based on consent\n const shouldStore = await this.shouldStoreCredential(vaultId, credential.appId);\n if (!shouldStore) {\n return;\n }\n\n const key = this.credentialKey(credential.appId, credential.providerId);\n entry.appCredentials[key] = credential;\n await this.redis.set(this.key(vaultId), JSON.stringify(entry));\n }\n\n async removeAppCredential(vaultId: string, appId: string, providerId: string): Promise<void> {\n const entry = await this.get(vaultId);\n if (!entry) return;\n\n const key = this.credentialKey(appId, providerId);\n delete entry.appCredentials[key];\n await this.redis.set(this.key(vaultId), JSON.stringify(entry));\n }\n\n async getAppCredentials(vaultId: string, appId: string): Promise<AppCredential[]> {\n const entry = await this.get(vaultId);\n if (!entry) return [];\n\n const prefix = `${appId}:`;\n return Object.entries(entry.appCredentials)\n .filter(([key]) => key.startsWith(prefix))\n .map(([, cred]) => cred);\n }\n\n async getCredential(vaultId: string, appId: string, providerId: string): Promise<AppCredential | null> {\n const entry = await this.get(vaultId);\n if (!entry) return null;\n\n const key = this.credentialKey(appId, providerId);\n return entry.appCredentials[key] ?? null;\n }\n\n async getAllCredentials(vaultId: string, filterByConsent = false): Promise<AppCredential[]> {\n const entry = await this.get(vaultId);\n if (!entry) return [];\n\n const allCredentials = Object.values(entry.appCredentials);\n\n if (!filterByConsent || !entry.consent?.enabled) {\n return allCredentials;\n }\n\n // Filter by consent - only return credentials for apps that have tools in consent selection\n const consentedToolIds = new Set(entry.consent.selectedToolIds);\n return allCredentials.filter((cred) => {\n return Array.from(consentedToolIds).some((toolId) => toolId.startsWith(`${cred.appId}:`));\n });\n }\n\n async updateCredential(\n vaultId: string,\n appId: string,\n providerId: string,\n updates: Partial<Pick<AppCredential, 'lastUsedAt' | 'isValid' | 'invalidReason' | 'expiresAt' | 'metadata'>>,\n ): Promise<void> {\n const entry = await this.get(vaultId);\n if (!entry) return;\n\n const key = this.credentialKey(appId, providerId);\n const credential = entry.appCredentials[key];\n if (!credential) return;\n\n Object.assign(credential, updates);\n await this.redis.set(this.key(vaultId), JSON.stringify(entry));\n }\n\n async shouldStoreCredential(vaultId: string, appId: string, toolIds?: string[]): Promise<boolean> {\n const entry = await this.get(vaultId);\n if (!entry) return false;\n\n // If consent is not enabled, always allow\n if (!entry.consent?.enabled) {\n return true;\n }\n\n // If toolIds provided, check if any match consent selection\n if (toolIds && toolIds.length > 0) {\n return toolIds.some((toolId) => entry.consent!.selectedToolIds.includes(toolId));\n }\n\n // Check if any tool for this app is in consent selection\n const consentedToolIds = entry.consent.selectedToolIds;\n return consentedToolIds.some((toolId) => toolId.startsWith(`${appId}:`));\n }\n\n async invalidateCredential(vaultId: string, appId: string, providerId: string, reason: string): Promise<void> {\n await this.updateCredential(vaultId, appId, providerId, {\n isValid: false,\n invalidReason: reason,\n });\n }\n\n async refreshOAuthCredential(\n vaultId: string,\n appId: string,\n providerId: string,\n tokens: { accessToken: string; refreshToken?: string; expiresAt?: number },\n ): Promise<void> {\n const entry = await this.get(vaultId);\n if (!entry) return;\n\n const key = this.credentialKey(appId, providerId);\n const credential = entry.appCredentials[key];\n if (!credential || credential.credential.type !== 'oauth') return;\n\n // Update OAuth tokens\n credential.credential.accessToken = tokens.accessToken;\n if (tokens.refreshToken !== undefined) {\n credential.credential.refreshToken = tokens.refreshToken;\n }\n if (tokens.expiresAt !== undefined) {\n credential.credential.expiresAt = tokens.expiresAt;\n credential.expiresAt = tokens.expiresAt;\n }\n\n // Mark as valid again\n credential.isValid = true;\n credential.invalidReason = undefined;\n await this.redis.set(this.key(vaultId), JSON.stringify(entry));\n }\n}\n"]}

package/src/auth/session/authorization.store.js DELETED Viewed

@@ -1,323 +0,0 @@
-"use strict";
-// auth/session/authorization.store.ts
-/**
- * Authorization Store for OAuth flows
- *
- * Stores authorization codes, PKCE challenges, and pending authorizations.
- * Supports both in-memory (dev/test) and Redis (production) backends.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.RedisAuthorizationStore = exports.InMemoryAuthorizationStore = exports.authorizationCodeRecordSchema = exports.pkceChallengeSchema = void 0;
-exports.verifyPkce = verifyPkce;
-exports.generatePkceChallenge = generatePkceChallenge;
-const node_crypto_1 = require("node:crypto");
-const zod_1 = require("zod");
-/**
- * Zod schemas for validation
- */
-exports.pkceChallengeSchema = zod_1.z.object({
-    challenge: zod_1.z.string().min(43).max(128),
-    method: zod_1.z.literal('S256'),
-});
-exports.authorizationCodeRecordSchema = zod_1.z.object({
-    code: zod_1.z.string().min(1),
-    clientId: zod_1.z.string().min(1),
-    redirectUri: zod_1.z.string().url(),
-    scopes: zod_1.z.array(zod_1.z.string()),
-    pkce: exports.pkceChallengeSchema,
-    userSub: zod_1.z.string().min(1),
-    userEmail: zod_1.z.string().email().optional(),
-    userName: zod_1.z.string().optional(),
-    state: zod_1.z.string().optional(),
-    createdAt: zod_1.z.number(),
-    expiresAt: zod_1.z.number(),
-    used: zod_1.z.boolean(),
-    resource: zod_1.z.string().url().optional(),
-});
-/**
- * PKCE utilities
- */
-function verifyPkce(codeVerifier, challenge) {
-    if (challenge.method !== 'S256') {
-        return false;
-    }
-    // S256: BASE64URL(SHA256(code_verifier)) === code_challenge
-    const hash = (0, node_crypto_1.createHash)('sha256').update(codeVerifier).digest('base64url');
-    return hash === challenge.challenge;
-}
-function generatePkceChallenge(codeVerifier) {
-    const challenge = (0, node_crypto_1.createHash)('sha256').update(codeVerifier).digest('base64url');
-    return { challenge, method: 'S256' };
-}
-/**
- * In-Memory Authorization Store
- *
- * Development/testing implementation. Data is lost on restart.
- * For production, use RedisAuthorizationStore.
- */
-class InMemoryAuthorizationStore {
-    codes = new Map();
-    pending = new Map();
-    refreshTokens = new Map();
-    /** Default TTL for authorization codes (60 seconds) */
-    codeTtlMs = 60 * 1000;
-    /** Default TTL for pending authorizations (10 minutes) */
-    pendingTtlMs = 10 * 60 * 1000;
-    /** Default TTL for refresh tokens (30 days) */
-    refreshTtlMs = 30 * 24 * 60 * 60 * 1000;
-    generateCode() {
-        // Generate a cryptographically secure authorization code
-        return (0, node_crypto_1.randomUUID)().replace(/-/g, '') + (0, node_crypto_1.randomUUID)().replace(/-/g, '');
-    }
-    generateRefreshToken() {
-        return (0, node_crypto_1.randomUUID)() + '-' + (0, node_crypto_1.randomUUID)();
-    }
-    async storeAuthorizationCode(record) {
-        this.codes.set(record.code, record);
-    }
-    async getAuthorizationCode(code) {
-        const record = this.codes.get(code);
-        if (!record)
-            return null;
-        // Check expiration
-        if (Date.now() > record.expiresAt) {
-            this.codes.delete(code);
-            return null;
-        }
-        return record;
-    }
-    async markCodeUsed(code) {
-        const record = this.codes.get(code);
-        if (record) {
-            record.used = true;
-        }
-    }
-    async deleteAuthorizationCode(code) {
-        this.codes.delete(code);
-    }
-    async storePendingAuthorization(record) {
-        this.pending.set(record.id, record);
-    }
-    async getPendingAuthorization(id) {
-        const record = this.pending.get(id);
-        if (!record)
-            return null;
-        // Check expiration
-        if (Date.now() > record.expiresAt) {
-            this.pending.delete(id);
-            return null;
-        }
-        return record;
-    }
-    async deletePendingAuthorization(id) {
-        this.pending.delete(id);
-    }
-    async storeRefreshToken(record) {
-        this.refreshTokens.set(record.token, record);
-    }
-    async getRefreshToken(token) {
-        const record = this.refreshTokens.get(token);
-        if (!record)
-            return null;
-        // Check expiration and revocation
-        if (Date.now() > record.expiresAt || record.revoked) {
-            return null;
-        }
-        return record;
-    }
-    async revokeRefreshToken(token) {
-        const record = this.refreshTokens.get(token);
-        if (record) {
-            record.revoked = true;
-        }
-    }
-    async rotateRefreshToken(oldToken, newRecord) {
-        // Revoke old token
-        await this.revokeRefreshToken(oldToken);
-        // Store new token with reference to old
-        newRecord.previousToken = oldToken;
-        await this.storeRefreshToken(newRecord);
-    }
-    async cleanup() {
-        const now = Date.now();
-        // Clean expired codes
-        for (const [code, record] of this.codes) {
-            if (now > record.expiresAt) {
-                this.codes.delete(code);
-            }
-        }
-        // Clean expired pending authorizations
-        for (const [id, record] of this.pending) {
-            if (now > record.expiresAt) {
-                this.pending.delete(id);
-            }
-        }
-        // Clean expired/revoked refresh tokens
-        for (const [token, record] of this.refreshTokens) {
-            if (now > record.expiresAt || record.revoked) {
-                this.refreshTokens.delete(token);
-            }
-        }
-    }
-    /**
-     * Create an authorization code record with defaults
-     */
-    createCodeRecord(params) {
-        const now = Date.now();
-        return {
-            code: this.generateCode(),
-            clientId: params.clientId,
-            redirectUri: params.redirectUri,
-            scopes: params.scopes,
-            pkce: params.pkce,
-            userSub: params.userSub,
-            userEmail: params.userEmail,
-            userName: params.userName,
-            state: params.state,
-            resource: params.resource,
-            createdAt: now,
-            expiresAt: now + this.codeTtlMs,
-            used: false,
-            // Consent and Federated Login Data
-            selectedToolIds: params.selectedToolIds,
-            selectedProviderIds: params.selectedProviderIds,
-            skippedProviderIds: params.skippedProviderIds,
-            consentEnabled: params.consentEnabled,
-            federatedLoginUsed: params.federatedLoginUsed,
-        };
-    }
-    /**
-     * Create a pending authorization record with defaults
-     */
-    createPendingRecord(params) {
-        const now = Date.now();
-        return {
-            id: (0, node_crypto_1.randomUUID)(),
-            clientId: params.clientId,
-            redirectUri: params.redirectUri,
-            scopes: params.scopes,
-            pkce: params.pkce,
-            state: params.state,
-            resource: params.resource,
-            createdAt: now,
-            expiresAt: now + this.pendingTtlMs,
-            // Progressive/Incremental Authorization Fields
-            isIncremental: params.isIncremental,
-            targetAppId: params.targetAppId,
-            targetToolId: params.targetToolId,
-            existingSessionId: params.existingSessionId,
-            existingAuthorizationId: params.existingAuthorizationId,
-            // Federated Login State
-            federatedLogin: params.federatedLogin,
-            // Consent State
-            consent: params.consent,
-        };
-    }
-    /**
-     * Create a refresh token record with defaults
-     */
-    createRefreshTokenRecord(params) {
-        const now = Date.now();
-        return {
-            token: this.generateRefreshToken(),
-            clientId: params.clientId,
-            userSub: params.userSub,
-            scopes: params.scopes,
-            resource: params.resource,
-            createdAt: now,
-            expiresAt: now + this.refreshTtlMs,
-            revoked: false,
-        };
-    }
-}
-exports.InMemoryAuthorizationStore = InMemoryAuthorizationStore;
-/**
- * Redis Authorization Store (placeholder)
- *
- * Production implementation using Redis for distributed storage.
- * TODO: Implement after in-memory store is validated.
- */
-class RedisAuthorizationStore {
-    redis;
-    namespace;
-    constructor(
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    redis, namespace = 'oauth:') {
-        this.redis = redis;
-        this.namespace = namespace;
-    }
-    key(type, id) {
-        return `${this.namespace}${type}:${id}`;
-    }
-    generateCode() {
-        return (0, node_crypto_1.randomUUID)().replace(/-/g, '') + (0, node_crypto_1.randomUUID)().replace(/-/g, '');
-    }
-    generateRefreshToken() {
-        return (0, node_crypto_1.randomUUID)() + '-' + (0, node_crypto_1.randomUUID)();
-    }
-    async storeAuthorizationCode(record) {
-        const ttl = Math.max(Math.ceil((record.expiresAt - Date.now()) / 1000), 1);
-        await this.redis.set(this.key('code', record.code), JSON.stringify(record), 'EX', Math.max(ttl, 1));
-    }
-    async getAuthorizationCode(code) {
-        const data = await this.redis.get(this.key('code', code));
-        if (!data)
-            return null;
-        return JSON.parse(data);
-    }
-    async markCodeUsed(code) {
-        const record = await this.getAuthorizationCode(code);
-        if (record) {
-            record.used = true;
-            const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);
-            await this.redis.set(this.key('code', code), JSON.stringify(record), 'EX', Math.max(ttl, 1));
-        }
-    }
-    async deleteAuthorizationCode(code) {
-        await this.redis.del(this.key('code', code));
-    }
-    async storePendingAuthorization(record) {
-        const ttl = Math.max(Math.ceil((record.expiresAt - Date.now()) / 1000), 1);
-        await this.redis.set(this.key('pending', record.id), JSON.stringify(record), 'EX', ttl);
-    }
-    async getPendingAuthorization(id) {
-        const data = await this.redis.get(this.key('pending', id));
-        if (!data)
-            return null;
-        return JSON.parse(data);
-    }
-    async deletePendingAuthorization(id) {
-        await this.redis.del(this.key('pending', id));
-    }
-    async storeRefreshToken(record) {
-        const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);
-        await this.redis.set(this.key('refresh', record.token), JSON.stringify(record), 'EX', ttl);
-    }
-    async getRefreshToken(token) {
-        const data = await this.redis.get(this.key('refresh', token));
-        if (!data)
-            return null;
-        const record = JSON.parse(data);
-        if (record.revoked)
-            return null;
-        return record;
-    }
-    async revokeRefreshToken(token) {
-        const record = await this.getRefreshToken(token);
-        if (record) {
-            record.revoked = true;
-            const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);
-            await this.redis.set(this.key('refresh', token), JSON.stringify(record), 'EX', Math.max(ttl, 1));
-        }
-    }
-    async rotateRefreshToken(oldToken, newRecord) {
-        await this.revokeRefreshToken(oldToken);
-        newRecord.previousToken = oldToken;
-        await this.storeRefreshToken(newRecord);
-    }
-    async cleanup() {
-        // Redis handles cleanup via TTL, nothing to do here
-    }
-}
-exports.RedisAuthorizationStore = RedisAuthorizationStore;
-//# sourceMappingURL=authorization.store.js.map

package/src/auth/session/authorization.store.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"authorization.store.js","sourceRoot":"","sources":["../../../../src/auth/session/authorization.store.ts"],"names":[],"mappings":";AAAA,sCAAsC;AACtC;;;;;GAKG;;;AAmNH,gCAQC;AAED,sDAGC;AA9ND,6CAAqD;AACrD,6BAAwB;AA0JxB;;GAEG;AACU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IACtC,MAAM,EAAE,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC;CAC1B,CAAC,CAAC;AAEU,QAAA,6BAA6B,GAAG,OAAC,CAAC,MAAM,CAAC;IACpD,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC7B,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAC3B,IAAI,EAAE,2BAAmB;IACzB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;IACxC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,IAAI,EAAE,OAAC,CAAC,OAAO,EAAE;IACjB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CACtC,CAAC,CAAC;AA6BH;;GAEG;AACH,SAAgB,UAAU,CAAC,YAAoB,EAAE,SAAwB;IACvE,IAAI,SAAS,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4DAA4D;IAC5D,MAAM,IAAI,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC3E,OAAO,IAAI,KAAK,SAAS,CAAC,SAAS,CAAC;AACtC,CAAC;AAED,SAAgB,qBAAqB,CAAC,YAAoB;IACxD,MAAM,SAAS,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAChF,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAa,0BAA0B;IAC7B,KAAK,GAAG,IAAI,GAAG,EAAmC,CAAC;IACnD,OAAO,GAAG,IAAI,GAAG,EAAsC,CAAC;IACxD,aAAa,GAAG,IAAI,GAAG,EAA8B,CAAC;IAE9D,uDAAuD;IACtC,SAAS,GAAG,EAAE,GAAG,IAAI,CAAC;IACvC,0DAA0D;IACzC,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAC/C,+CAA+C;IAC9B,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEzD,YAAY;QACV,yDAAyD;QACzD,OAAO,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,oBAAoB;QAClB,OAAO,IAAA,wBAAU,GAAE,GAAG,GAAG,GAAG,IAAA,wBAAU,GAAE,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,MAA+B;QAC1D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,IAAY;QACrC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,mBAAmB;QACnB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,IAAY;QACxC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,MAAkC;QAChE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,EAAU;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACpC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,mBAAmB;QACnB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,0BAA0B,CAAC,EAAU;QACzC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,MAA0B;QAChD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,KAAa;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,kCAAkC;QAClC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAa;QACpC,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;QACxB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,QAAgB,EAAE,SAA6B;QACtE,mBAAmB;QACnB,MAAM,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAExC,wCAAwC;QACxC,SAAS,CAAC,aAAa,GAAG,QAAQ,CAAC;QACnC,MAAM,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,sBAAsB;QACtB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACxC,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC3B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACxC,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC3B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACjD,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBAC7C,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,MAgBhB;QACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,SAAS;YAC/B,IAAI,EAAE,KAAK;YACX,mCAAmC;YACnC,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;YAC/C,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;YAC7C,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;SAC9C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,MAiBnB;QACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO;YACL,EAAE,EAAE,IAAA,wBAAU,GAAE;YAChB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,YAAY;YAClC,+CAA+C;YAC/C,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;YAC3C,uBAAuB,EAAE,MAAM,CAAC,uBAAuB;YACvD,wBAAwB;YACxB,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,gBAAgB;YAChB,OAAO,EAAE,MAAM,CAAC,OAAO;SACxB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,wBAAwB,CAAC,MAKxB;QACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,oBAAoB,EAAE;YAClC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,YAAY;YAClC,OAAO,EAAE,KAAK;SACf,CAAC;IACJ,CAAC;CACF;AA7OD,gEA6OC;AAED;;;;;GAKG;AACH,MAAa,uBAAuB;IAGf;IACA;IAHnB;IACE,8DAA8D;IAC7C,KAAU,EACV,YAAY,QAAQ;QADpB,UAAK,GAAL,KAAK,CAAK;QACV,cAAS,GAAT,SAAS,CAAW;IACpC,CAAC;IAEI,GAAG,CAAC,IAAoC,EAAE,EAAU;QAC1D,OAAO,GAAG,IAAI,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;IAC1C,CAAC;IAED,YAAY;QACV,OAAO,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,oBAAoB;QAClB,OAAO,IAAA,wBAAU,GAAE,GAAG,GAAG,GAAG,IAAA,wBAAU,GAAE,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,MAA+B;QAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3E,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;IACtG,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,IAAY;QACrC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY;QAC7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;QACrD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;YACnB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;YAC9D,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/F,CAAC;IACH,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,IAAY;QACxC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,MAAkC;QAChE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3E,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1F,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,EAAU;QACtC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC;QAC3D,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAA+B,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,0BAA0B,CAAC,EAAU;QACzC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,MAA0B;QAChD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QAC9D,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IAC7F,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,KAAa;QACjC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAuB,CAAC;QACtD,IAAI,MAAM,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAChC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAa;QACpC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;YACtB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;YAC9D,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QACnG,CAAC;IACH,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,QAAgB,EAAE,SAA6B;QACtE,MAAM,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACxC,SAAS,CAAC,aAAa,GAAG,QAAQ,CAAC;QACnC,MAAM,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,OAAO;QACX,oDAAoD;IACtD,CAAC;CACF;AAzFD,0DAyFC","sourcesContent":["// auth/session/authorization.store.ts\n/**\n * Authorization Store for OAuth flows\n *\n * Stores authorization codes, PKCE challenges, and pending authorizations.\n * Supports both in-memory (dev/test) and Redis (production) backends.\n */\n\nimport { randomUUID, createHash } from 'node:crypto';\nimport { z } from 'zod';\n\n/**\n * PKCE challenge data\n */\nexport interface PkceChallenge {\n /** S256 hashed code_challenge */\n challenge: string;\n /** Always 'S256' per OAuth 2.1 */\n method: 'S256';\n}\n\n/**\n * Authorization code record stored during the OAuth flow\n */\nexport interface AuthorizationCodeRecord {\n /** The authorization code (opaque string) */\n code: string;\n /** Client ID that requested authorization */\n clientId: string;\n /** Redirect URI used in the authorization request */\n redirectUri: string;\n /** Requested scopes */\n scopes: string[];\n /** PKCE challenge for verification */\n pkce: PkceChallenge;\n /** User identifier (sub claim) */\n userSub: string;\n /** User email if available */\n userEmail?: string;\n /** User name if available */\n userName?: string;\n /** Original state parameter */\n state?: string;\n /** Creation timestamp (epoch ms) */\n createdAt: number;\n /** Expiration timestamp (epoch ms) - codes are short-lived (60s default) */\n expiresAt: number;\n /** Whether this code has been used (single-use) */\n used: boolean;\n /** Resource/audience the token will be issued for */\n resource?: string;\n\n // Consent and Federated Login Data\n /** Selected tool IDs from consent flow */\n selectedToolIds?: string[];\n /** Selected provider IDs from federated login */\n selectedProviderIds?: string[];\n /** Skipped provider IDs from federated login (for progressive auth) */\n skippedProviderIds?: string[];\n /** Whether consent was enabled for this authorization */\n consentEnabled?: boolean;\n /** Whether federated login was used */\n federatedLoginUsed?: boolean;\n}\n\n/**\n * Consent state for tool selection\n */\nexport interface ConsentStateRecord {\n /** Whether consent flow is enabled */\n enabled: boolean;\n /** Available tool IDs for consent */\n availableToolIds: string[];\n /** Selected tool IDs (after user selection) */\n selectedToolIds?: string[];\n /** Whether consent has been completed */\n consentCompleted: boolean;\n /** Timestamp when consent was completed */\n consentCompletedAt?: number;\n}\n\n/**\n * Federated login state for multi-provider auth\n */\nexport interface FederatedLoginStateRecord {\n /** Available provider IDs */\n providerIds: string[];\n /** Selected provider IDs */\n selectedProviderIds?: string[];\n /** Skipped provider IDs */\n skippedProviderIds?: string[];\n /** Provider-specific user data (after auth) */\n providerUserData?: Record<string, { email?: string; name?: string; sub?: string }>;\n}\n\n/**\n * Pending authorization request (before user authenticates)\n */\nexport interface PendingAuthorizationRecord {\n /** Unique ID for this pending authorization */\n id: string;\n /** Client ID requesting authorization */\n clientId: string;\n /** Redirect URI for callback */\n redirectUri: string;\n /** Requested scopes */\n scopes: string[];\n /** PKCE challenge */\n pkce: PkceChallenge;\n /** Original state parameter from client */\n state?: string;\n /** Resource/audience */\n resource?: string;\n /** Creation timestamp */\n createdAt: number;\n /** Expiration timestamp (pending requests expire after 10 minutes) */\n expiresAt: number;\n\n // Progressive/Incremental Authorization Fields\n /** Whether this is an incremental authorization request */\n isIncremental?: boolean;\n /** Target app ID for incremental authorization */\n targetAppId?: string;\n /** Target tool ID that triggered the incremental auth */\n targetToolId?: string;\n /** Existing session ID for incremental auth (to expand the token vault) */\n existingSessionId?: string;\n /** Existing authorization ID to expand */\n existingAuthorizationId?: string;\n\n // Federated Login State\n /** Federated login state for multi-provider auth */\n federatedLogin?: FederatedLoginStateRecord;\n\n // Consent State\n /** Consent state for tool selection */\n consent?: ConsentStateRecord;\n}\n\n/**\n * Refresh token record\n */\nexport interface RefreshTokenRecord {\n /** The refresh token (opaque string) */\n token: string;\n /** Client ID */\n clientId: string;\n /** User identifier */\n userSub: string;\n /** Granted scopes */\n scopes: string[];\n /** Resource/audience */\n resource?: string;\n /** Creation timestamp */\n createdAt: number;\n /** Expiration timestamp */\n expiresAt: number;\n /** Whether this token has been revoked */\n revoked: boolean;\n /** Previous token if rotated */\n previousToken?: string;\n}\n\n/**\n * Zod schemas for validation\n */\nexport const pkceChallengeSchema = z.object({\n challenge: z.string().min(43).max(128),\n method: z.literal('S256'),\n});\n\nexport const authorizationCodeRecordSchema = z.object({\n code: z.string().min(1),\n clientId: z.string().min(1),\n redirectUri: z.string().url(),\n scopes: z.array(z.string()),\n pkce: pkceChallengeSchema,\n userSub: z.string().min(1),\n userEmail: z.string().email().optional(),\n userName: z.string().optional(),\n state: z.string().optional(),\n createdAt: z.number(),\n expiresAt: z.number(),\n used: z.boolean(),\n resource: z.string().url().optional(),\n});\n\n/**\n * Authorization Store Interface\n */\nexport interface AuthorizationStore {\n // Authorization code operations\n storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void>;\n getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null>;\n markCodeUsed(code: string): Promise<void>;\n deleteAuthorizationCode(code: string): Promise<void>;\n\n // Pending authorization operations\n storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void>;\n getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null>;\n deletePendingAuthorization(id: string): Promise<void>;\n\n // Refresh token operations\n storeRefreshToken(record: RefreshTokenRecord): Promise<void>;\n getRefreshToken(token: string): Promise<RefreshTokenRecord | null>;\n revokeRefreshToken(token: string): Promise<void>;\n rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void>;\n\n // Utility\n generateCode(): string;\n generateRefreshToken(): string;\n cleanup(): Promise<void>;\n}\n\n/**\n * PKCE utilities\n */\nexport function verifyPkce(codeVerifier: string, challenge: PkceChallenge): boolean {\n if (challenge.method !== 'S256') {\n return false;\n }\n\n // S256: BASE64URL(SHA256(code_verifier)) === code_challenge\n const hash = createHash('sha256').update(codeVerifier).digest('base64url');\n return hash === challenge.challenge;\n}\n\nexport function generatePkceChallenge(codeVerifier: string): PkceChallenge {\n const challenge = createHash('sha256').update(codeVerifier).digest('base64url');\n return { challenge, method: 'S256' };\n}\n\n/**\n * In-Memory Authorization Store\n *\n * Development/testing implementation. Data is lost on restart.\n * For production, use RedisAuthorizationStore.\n */\nexport class InMemoryAuthorizationStore implements AuthorizationStore {\n private codes = new Map<string, AuthorizationCodeRecord>();\n private pending = new Map<string, PendingAuthorizationRecord>();\n private refreshTokens = new Map<string, RefreshTokenRecord>();\n\n /** Default TTL for authorization codes (60 seconds) */\n private readonly codeTtlMs = 60 * 1000;\n /** Default TTL for pending authorizations (10 minutes) */\n private readonly pendingTtlMs = 10 * 60 * 1000;\n /** Default TTL for refresh tokens (30 days) */\n private readonly refreshTtlMs = 30 * 24 * 60 * 60 * 1000;\n\n generateCode(): string {\n // Generate a cryptographically secure authorization code\n return randomUUID().replace(/-/g, '') + randomUUID().replace(/-/g, '');\n }\n\n generateRefreshToken(): string {\n return randomUUID() + '-' + randomUUID();\n }\n\n async storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void> {\n this.codes.set(record.code, record);\n }\n\n async getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null> {\n const record = this.codes.get(code);\n if (!record) return null;\n\n // Check expiration\n if (Date.now() > record.expiresAt) {\n this.codes.delete(code);\n return null;\n }\n\n return record;\n }\n\n async markCodeUsed(code: string): Promise<void> {\n const record = this.codes.get(code);\n if (record) {\n record.used = true;\n }\n }\n\n async deleteAuthorizationCode(code: string): Promise<void> {\n this.codes.delete(code);\n }\n\n async storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void> {\n this.pending.set(record.id, record);\n }\n\n async getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null> {\n const record = this.pending.get(id);\n if (!record) return null;\n\n // Check expiration\n if (Date.now() > record.expiresAt) {\n this.pending.delete(id);\n return null;\n }\n\n return record;\n }\n\n async deletePendingAuthorization(id: string): Promise<void> {\n this.pending.delete(id);\n }\n\n async storeRefreshToken(record: RefreshTokenRecord): Promise<void> {\n this.refreshTokens.set(record.token, record);\n }\n\n async getRefreshToken(token: string): Promise<RefreshTokenRecord | null> {\n const record = this.refreshTokens.get(token);\n if (!record) return null;\n\n // Check expiration and revocation\n if (Date.now() > record.expiresAt || record.revoked) {\n return null;\n }\n\n return record;\n }\n\n async revokeRefreshToken(token: string): Promise<void> {\n const record = this.refreshTokens.get(token);\n if (record) {\n record.revoked = true;\n }\n }\n\n async rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void> {\n // Revoke old token\n await this.revokeRefreshToken(oldToken);\n\n // Store new token with reference to old\n newRecord.previousToken = oldToken;\n await this.storeRefreshToken(newRecord);\n }\n\n async cleanup(): Promise<void> {\n const now = Date.now();\n\n // Clean expired codes\n for (const [code, record] of this.codes) {\n if (now > record.expiresAt) {\n this.codes.delete(code);\n }\n }\n\n // Clean expired pending authorizations\n for (const [id, record] of this.pending) {\n if (now > record.expiresAt) {\n this.pending.delete(id);\n }\n }\n\n // Clean expired/revoked refresh tokens\n for (const [token, record] of this.refreshTokens) {\n if (now > record.expiresAt || record.revoked) {\n this.refreshTokens.delete(token);\n }\n }\n }\n\n /**\n * Create an authorization code record with defaults\n */\n createCodeRecord(params: {\n clientId: string;\n redirectUri: string;\n scopes: string[];\n pkce: PkceChallenge;\n userSub: string;\n userEmail?: string;\n userName?: string;\n state?: string;\n resource?: string;\n // Consent and Federated Login Data\n selectedToolIds?: string[];\n selectedProviderIds?: string[];\n skippedProviderIds?: string[];\n consentEnabled?: boolean;\n federatedLoginUsed?: boolean;\n }): AuthorizationCodeRecord {\n const now = Date.now();\n return {\n code: this.generateCode(),\n clientId: params.clientId,\n redirectUri: params.redirectUri,\n scopes: params.scopes,\n pkce: params.pkce,\n userSub: params.userSub,\n userEmail: params.userEmail,\n userName: params.userName,\n state: params.state,\n resource: params.resource,\n createdAt: now,\n expiresAt: now + this.codeTtlMs,\n used: false,\n // Consent and Federated Login Data\n selectedToolIds: params.selectedToolIds,\n selectedProviderIds: params.selectedProviderIds,\n skippedProviderIds: params.skippedProviderIds,\n consentEnabled: params.consentEnabled,\n federatedLoginUsed: params.federatedLoginUsed,\n };\n }\n\n /**\n * Create a pending authorization record with defaults\n */\n createPendingRecord(params: {\n clientId: string;\n redirectUri: string;\n scopes: string[];\n pkce: PkceChallenge;\n state?: string;\n resource?: string;\n // Progressive/Incremental Authorization Fields\n isIncremental?: boolean;\n targetAppId?: string;\n targetToolId?: string;\n existingSessionId?: string;\n existingAuthorizationId?: string;\n // Federated Login State\n federatedLogin?: FederatedLoginStateRecord;\n // Consent State\n consent?: ConsentStateRecord;\n }): PendingAuthorizationRecord {\n const now = Date.now();\n return {\n id: randomUUID(),\n clientId: params.clientId,\n redirectUri: params.redirectUri,\n scopes: params.scopes,\n pkce: params.pkce,\n state: params.state,\n resource: params.resource,\n createdAt: now,\n expiresAt: now + this.pendingTtlMs,\n // Progressive/Incremental Authorization Fields\n isIncremental: params.isIncremental,\n targetAppId: params.targetAppId,\n targetToolId: params.targetToolId,\n existingSessionId: params.existingSessionId,\n existingAuthorizationId: params.existingAuthorizationId,\n // Federated Login State\n federatedLogin: params.federatedLogin,\n // Consent State\n consent: params.consent,\n };\n }\n\n /**\n * Create a refresh token record with defaults\n */\n createRefreshTokenRecord(params: {\n clientId: string;\n userSub: string;\n scopes: string[];\n resource?: string;\n }): RefreshTokenRecord {\n const now = Date.now();\n return {\n token: this.generateRefreshToken(),\n clientId: params.clientId,\n userSub: params.userSub,\n scopes: params.scopes,\n resource: params.resource,\n createdAt: now,\n expiresAt: now + this.refreshTtlMs,\n revoked: false,\n };\n }\n}\n\n/**\n * Redis Authorization Store (placeholder)\n *\n * Production implementation using Redis for distributed storage.\n * TODO: Implement after in-memory store is validated.\n */\nexport class RedisAuthorizationStore implements AuthorizationStore {\n constructor(\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n private readonly redis: any,\n private readonly namespace = 'oauth:',\n ) {}\n\n private key(type: 'code' | 'pending' | 'refresh', id: string): string {\n return `${this.namespace}${type}:${id}`;\n }\n\n generateCode(): string {\n return randomUUID().replace(/-/g, '') + randomUUID().replace(/-/g, '');\n }\n\n generateRefreshToken(): string {\n return randomUUID() + '-' + randomUUID();\n }\n\n async storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void> {\n const ttl = Math.max(Math.ceil((record.expiresAt - Date.now()) / 1000), 1);\n await this.redis.set(this.key('code', record.code), JSON.stringify(record), 'EX', Math.max(ttl, 1));\n }\n\n async getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null> {\n const data = await this.redis.get(this.key('code', code));\n if (!data) return null;\n return JSON.parse(data) as AuthorizationCodeRecord;\n }\n\n async markCodeUsed(code: string): Promise<void> {\n const record = await this.getAuthorizationCode(code);\n if (record) {\n record.used = true;\n const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);\n await this.redis.set(this.key('code', code), JSON.stringify(record), 'EX', Math.max(ttl, 1));\n }\n }\n\n async deleteAuthorizationCode(code: string): Promise<void> {\n await this.redis.del(this.key('code', code));\n }\n\n async storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void> {\n const ttl = Math.max(Math.ceil((record.expiresAt - Date.now()) / 1000), 1);\n await this.redis.set(this.key('pending', record.id), JSON.stringify(record), 'EX', ttl);\n }\n\n async getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null> {\n const data = await this.redis.get(this.key('pending', id));\n if (!data) return null;\n return JSON.parse(data) as PendingAuthorizationRecord;\n }\n\n async deletePendingAuthorization(id: string): Promise<void> {\n await this.redis.del(this.key('pending', id));\n }\n\n async storeRefreshToken(record: RefreshTokenRecord): Promise<void> {\n const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);\n await this.redis.set(this.key('refresh', record.token), JSON.stringify(record), 'EX', ttl);\n }\n\n async getRefreshToken(token: string): Promise<RefreshTokenRecord | null> {\n const data = await this.redis.get(this.key('refresh', token));\n if (!data) return null;\n const record = JSON.parse(data) as RefreshTokenRecord;\n if (record.revoked) return null;\n return record;\n }\n\n async revokeRefreshToken(token: string): Promise<void> {\n const record = await this.getRefreshToken(token);\n if (record) {\n record.revoked = true;\n const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);\n await this.redis.set(this.key('refresh', token), JSON.stringify(record), 'EX', Math.max(ttl, 1));\n }\n }\n\n async rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void> {\n await this.revokeRefreshToken(oldToken);\n newRecord.previousToken = oldToken;\n await this.storeRefreshToken(newRecord);\n }\n\n async cleanup(): Promise<void> {\n // Redis handles cleanup via TTL, nothing to do here\n }\n}\n"]}