npm - @frontmcp/sdk - Versions diffs - 0.6.0 → 0.6.2 - Mend

@frontmcp/sdk 0.6.0 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1053) hide show

package/src/auth/session/encrypted-authorization-vault.js DELETED Viewed

@@ -1,493 +0,0 @@
-"use strict";
-/**
- * Encrypted Authorization Vault
- *
- * A vault implementation that encrypts all sensitive data using a key
- * derived from the client's JWT authorization token.
- *
- * Security Properties:
- * - Zero-knowledge storage: Server cannot decrypt credentials
- * - Client-side key: Encryption key derived from JWT (client must present token)
- * - Authenticated encryption: AES-256-GCM prevents tampering
- * - Per-vault keys: Each vault has a unique encryption key
- *
- * Usage:
- * ```typescript
- * const vault = new EncryptedRedisVault(redis, encryption);
- *
- * // On each request, derive key from JWT and set context
- * const key = encryption.deriveKeyFromToken(token, claims);
- * vault.setEncryptionKey(key);
- *
- * // Now all operations automatically encrypt/decrypt
- * await vault.addAppCredential(vaultId, credential);
- * ```
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.EncryptedRedisVault = exports.redisVaultEntrySchema = void 0;
-exports.createEncryptedVault = createEncryptedVault;
-const zod_1 = require("zod");
-const node_crypto_1 = require("node:crypto");
-const node_async_hooks_1 = require("node:async_hooks");
-const vault_encryption_1 = require("./vault-encryption");
-// ============================================
-// Encrypted Vault Entry Schema
-// ============================================
-/**
- * What we store in Redis - minimal metadata + encrypted blob
- */
-exports.redisVaultEntrySchema = zod_1.z.object({
-    /** Vault ID */
-    id: zod_1.z.string(),
-    /** User sub (for lookup) */
-    userSub: zod_1.z.string(),
-    /** User email (optional, for display) */
-    userEmail: zod_1.z.string().optional(),
-    /** User name (optional, for display) */
-    userName: zod_1.z.string().optional(),
-    /** Client ID */
-    clientId: zod_1.z.string(),
-    /** Creation timestamp */
-    createdAt: zod_1.z.number(),
-    /** Last access timestamp */
-    lastAccessAt: zod_1.z.number(),
-    /** Authorized app IDs (unencrypted for quick auth checks) */
-    authorizedAppIds: zod_1.z.array(zod_1.z.string()),
-    /** Skipped app IDs (unencrypted for quick checks) */
-    skippedAppIds: zod_1.z.array(zod_1.z.string()),
-    /** Pending auth request IDs (unencrypted for lookup) */
-    pendingAuthIds: zod_1.z.array(zod_1.z.string()),
-    /** Encrypted sensitive data blob */
-    encrypted: vault_encryption_1.encryptedDataSchema,
-});
-/**
- * Module-level AsyncLocalStorage for request-scoped encryption context.
- * This ensures concurrent requests don't interfere with each other's encryption keys.
- */
-const encryptionContextStorage = new node_async_hooks_1.AsyncLocalStorage();
-// ============================================
-// Encrypted Redis Vault Implementation
-// ============================================
-/**
- * Redis vault with client-side encryption
- *
- * All sensitive data (tokens, credentials, consent, pending auths)
- * is encrypted using a key derived from the client's JWT.
- *
- * Use `runWithContext()` to set encryption context for concurrent safety.
- */
-class EncryptedRedisVault {
-    redis;
-    encryption;
-    namespace;
-    constructor(
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    redis, encryption, namespace = 'vault:') {
-        this.redis = redis;
-        this.encryption = encryption;
-        this.namespace = namespace;
-    }
-    /**
-     * Run a callback with encryption context set for the current async scope.
-     * This is the recommended way to set encryption context as it is safe for
-     * concurrent requests (each request gets its own isolated context).
-     *
-     * @param context - Encryption context with key and vaultId
-     * @param fn - Async function to run with the context
-     * @returns The result of the callback
-     *
-     * @example
-     * ```typescript
-     * const result = await vault.runWithContext({ key, vaultId }, async () => {
-     *   await vault.get(id);
-     *   await vault.update(id, data);
-     *   return 'done';
-     * });
-     * ```
-     */
-    runWithContext(context, fn) {
-        return encryptionContextStorage.run(context, fn);
-    }
-    /**
-     * Get current encryption key from AsyncLocalStorage.
-     */
-    getKey() {
-        const asyncContext = encryptionContextStorage.getStore();
-        if (asyncContext) {
-            return asyncContext.key;
-        }
-        throw new Error('Encryption context not set. Use runWithContext() before performing vault operations.');
-    }
-    /**
-     * Create Redis key from vault ID
-     */
-    redisKey(id) {
-        return `${this.namespace}${id}`;
-    }
-    /**
-     * Create credential key from appId and providerId
-     */
-    credentialKey(appId, providerId) {
-        return `${appId}:${providerId}`;
-    }
-    /**
-     * Encrypt sensitive data
-     */
-    encryptSensitive(data) {
-        return this.encryption.encryptObject(data, this.getKey());
-    }
-    /**
-     * Decrypt sensitive data
-     */
-    decryptSensitive(encrypted) {
-        return this.encryption.decryptObject(encrypted, this.getKey());
-    }
-    /**
-     * Convert Redis entry to full vault entry (decrypts sensitive data)
-     */
-    toVaultEntry(redisEntry) {
-        const sensitive = this.decryptSensitive(redisEntry.encrypted);
-        return {
-            id: redisEntry.id,
-            userSub: redisEntry.userSub,
-            userEmail: redisEntry.userEmail,
-            userName: redisEntry.userName,
-            clientId: redisEntry.clientId,
-            createdAt: redisEntry.createdAt,
-            lastAccessAt: redisEntry.lastAccessAt,
-            appCredentials: sensitive.appCredentials,
-            consent: sensitive.consent,
-            federated: sensitive.federated,
-            pendingAuths: sensitive.pendingAuths,
-            authorizedAppIds: redisEntry.authorizedAppIds,
-            skippedAppIds: redisEntry.skippedAppIds,
-        };
-    }
-    /**
-     * Convert vault entry to Redis entry (encrypts sensitive data)
-     */
-    toRedisEntry(entry) {
-        const sensitive = {
-            appCredentials: entry.appCredentials,
-            consent: entry.consent,
-            federated: entry.federated,
-            pendingAuths: entry.pendingAuths,
-        };
-        return {
-            id: entry.id,
-            userSub: entry.userSub,
-            userEmail: entry.userEmail,
-            userName: entry.userName,
-            clientId: entry.clientId,
-            createdAt: entry.createdAt,
-            lastAccessAt: entry.lastAccessAt,
-            authorizedAppIds: entry.authorizedAppIds,
-            skippedAppIds: entry.skippedAppIds,
-            pendingAuthIds: entry.pendingAuths.map((p) => p.id),
-            encrypted: this.encryptSensitive(sensitive),
-        };
-    }
-    /**
-     * Save entry to Redis
-     */
-    async saveEntry(entry) {
-        const redisEntry = this.toRedisEntry(entry);
-        await this.redis.set(this.redisKey(entry.id), JSON.stringify(redisEntry));
-    }
-    /**
-     * Load entry from Redis
-     */
-    async loadEntry(id) {
-        const data = await this.redis.get(this.redisKey(id));
-        if (!data)
-            return null;
-        try {
-            const redisEntry = exports.redisVaultEntrySchema.parse(JSON.parse(data));
-            return this.toVaultEntry(redisEntry);
-        }
-        catch (error) {
-            // Could be decryption failure (wrong key) or corrupt data
-            throw new Error(`Failed to load vault ${id}: ${error instanceof Error ? error.message : 'Unknown error'}`);
-        }
-    }
-    // ============================================
-    // AuthorizationVault Interface Implementation
-    // ============================================
-    async create(params) {
-        const now = Date.now();
-        const entry = {
-            id: (0, node_crypto_1.randomUUID)(),
-            userSub: params.userSub,
-            userEmail: params.userEmail,
-            userName: params.userName,
-            clientId: params.clientId,
-            createdAt: now,
-            lastAccessAt: now,
-            appCredentials: {},
-            consent: params.consent,
-            federated: params.federated,
-            pendingAuths: [],
-            authorizedAppIds: params.authorizedAppIds ?? [],
-            skippedAppIds: params.skippedAppIds ?? [],
-        };
-        await this.saveEntry(entry);
-        return entry;
-    }
-    async get(id) {
-        const entry = await this.loadEntry(id);
-        if (!entry)
-            return null;
-        // Update last access time
-        entry.lastAccessAt = Date.now();
-        await this.saveEntry(entry);
-        return entry;
-    }
-    async update(id, updates) {
-        const entry = await this.loadEntry(id);
-        if (!entry) {
-            throw new Error(`Vault entry not found: ${id}`);
-        }
-        Object.assign(entry, updates, { lastAccessAt: Date.now() });
-        await this.saveEntry(entry);
-    }
-    async delete(id) {
-        await this.redis.del(this.redisKey(id));
-    }
-    async updateConsent(vaultId, consent) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return;
-        entry.consent = consent;
-        entry.lastAccessAt = Date.now();
-        await this.saveEntry(entry);
-    }
-    async authorizeApp(vaultId, appId) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return;
-        entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== appId);
-        if (!entry.authorizedAppIds.includes(appId)) {
-            entry.authorizedAppIds.push(appId);
-        }
-        entry.lastAccessAt = Date.now();
-        await this.saveEntry(entry);
-    }
-    async createPendingAuth(vaultId, params) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry) {
-            throw new Error(`Vault not found: ${vaultId}`);
-        }
-        const now = Date.now();
-        const pendingAuth = {
-            id: (0, node_crypto_1.randomUUID)(),
-            appId: params.appId,
-            toolId: params.toolId,
-            authUrl: params.authUrl,
-            requiredScopes: params.requiredScopes,
-            elicitId: params.elicitId,
-            createdAt: now,
-            expiresAt: now + (params.ttlMs ?? 10 * 60 * 1000),
-            status: 'pending',
-        };
-        entry.pendingAuths.push(pendingAuth);
-        entry.lastAccessAt = now;
-        await this.saveEntry(entry);
-        return pendingAuth;
-    }
-    async getPendingAuth(vaultId, pendingAuthId) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return null;
-        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
-        if (!pendingAuth)
-            return null;
-        if (Date.now() > pendingAuth.expiresAt && pendingAuth.status === 'pending') {
-            pendingAuth.status = 'expired';
-            await this.saveEntry(entry);
-        }
-        return pendingAuth;
-    }
-    async completePendingAuth(vaultId, pendingAuthId) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return;
-        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
-        if (pendingAuth) {
-            pendingAuth.status = 'completed';
-            // Authorize app inline (don't call authorizeApp which reloads entry)
-            entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== pendingAuth.appId);
-            if (!entry.authorizedAppIds.includes(pendingAuth.appId)) {
-                entry.authorizedAppIds.push(pendingAuth.appId);
-            }
-            entry.lastAccessAt = Date.now();
-            await this.saveEntry(entry);
-        }
-    }
-    async cancelPendingAuth(vaultId, pendingAuthId) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return;
-        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
-        if (pendingAuth) {
-            pendingAuth.status = 'cancelled';
-            await this.saveEntry(entry);
-        }
-    }
-    async isAppAuthorized(vaultId, appId) {
-        // Quick check without decryption - authorizedAppIds is unencrypted
-        const data = await this.redis.get(this.redisKey(vaultId));
-        if (!data)
-            return false;
-        try {
-            const parsed = JSON.parse(data);
-            return Array.isArray(parsed.authorizedAppIds) && parsed.authorizedAppIds.includes(appId);
-        }
-        catch {
-            return false;
-        }
-    }
-    async getPendingAuths(vaultId) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return [];
-        const now = Date.now();
-        let updated = false;
-        const pending = entry.pendingAuths.filter((p) => {
-            if (now > p.expiresAt && p.status === 'pending') {
-                p.status = 'expired';
-                updated = true;
-            }
-            return p.status === 'pending';
-        });
-        if (updated) {
-            await this.saveEntry(entry);
-        }
-        return pending;
-    }
-    // ============================================
-    // App Credential Methods
-    // ============================================
-    async addAppCredential(vaultId, credential) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return;
-        const shouldStore = await this.shouldStoreCredential(vaultId, credential.appId);
-        if (!shouldStore)
-            return;
-        const key = this.credentialKey(credential.appId, credential.providerId);
-        entry.appCredentials[key] = credential;
-        entry.lastAccessAt = Date.now();
-        await this.saveEntry(entry);
-    }
-    async removeAppCredential(vaultId, appId, providerId) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return;
-        const key = this.credentialKey(appId, providerId);
-        delete entry.appCredentials[key];
-        entry.lastAccessAt = Date.now();
-        await this.saveEntry(entry);
-    }
-    async getAppCredentials(vaultId, appId) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return [];
-        const prefix = `${appId}:`;
-        return Object.entries(entry.appCredentials)
-            .filter(([key]) => key.startsWith(prefix))
-            .map(([, cred]) => cred);
-    }
-    async getCredential(vaultId, appId, providerId) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return null;
-        const key = this.credentialKey(appId, providerId);
-        return entry.appCredentials[key] ?? null;
-    }
-    async getAllCredentials(vaultId, filterByConsent = false) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return [];
-        const allCredentials = Object.values(entry.appCredentials);
-        if (!filterByConsent || !entry.consent?.enabled) {
-            return allCredentials;
-        }
-        const consentedToolIds = new Set(entry.consent.selectedToolIds);
-        return allCredentials.filter((cred) => {
-            return Array.from(consentedToolIds).some((toolId) => toolId.startsWith(`${cred.appId}:`));
-        });
-    }
-    async updateCredential(vaultId, appId, providerId, updates) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return;
-        const key = this.credentialKey(appId, providerId);
-        const credential = entry.appCredentials[key];
-        if (!credential)
-            return;
-        Object.assign(credential, updates);
-        entry.lastAccessAt = Date.now();
-        await this.saveEntry(entry);
-    }
-    async shouldStoreCredential(vaultId, appId, toolIds) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return false;
-        if (!entry.consent?.enabled) {
-            return true;
-        }
-        if (toolIds && toolIds.length > 0) {
-            return toolIds.some((toolId) => entry.consent.selectedToolIds.includes(toolId));
-        }
-        const consentedToolIds = entry.consent.selectedToolIds;
-        return consentedToolIds.some((toolId) => toolId.startsWith(`${appId}:`));
-    }
-    async invalidateCredential(vaultId, appId, providerId, reason) {
-        await this.updateCredential(vaultId, appId, providerId, {
-            isValid: false,
-            invalidReason: reason,
-        });
-    }
-    async refreshOAuthCredential(vaultId, appId, providerId, tokens) {
-        const entry = await this.loadEntry(vaultId);
-        if (!entry)
-            return;
-        const key = this.credentialKey(appId, providerId);
-        const credential = entry.appCredentials[key];
-        if (!credential || credential.credential.type !== 'oauth')
-            return;
-        // Update OAuth tokens
-        credential.credential.accessToken = tokens.accessToken;
-        if (tokens.refreshToken !== undefined) {
-            credential.credential.refreshToken = tokens.refreshToken;
-        }
-        if (tokens.expiresAt !== undefined) {
-            credential.credential.expiresAt = tokens.expiresAt;
-            credential.expiresAt = tokens.expiresAt;
-        }
-        credential.isValid = true;
-        credential.invalidReason = undefined;
-        entry.lastAccessAt = Date.now();
-        await this.saveEntry(entry);
-    }
-    async cleanup() {
-        // Redis cleanup would use SCAN to find and clean entries
-        // For encrypted vault, this needs careful handling
-        // as we can't read data without the encryption key
-    }
-}
-exports.EncryptedRedisVault = EncryptedRedisVault;
-// ============================================
-// Factory Function
-// ============================================
-/**
- * Create an encrypted vault with the given configuration
- */
-function createEncryptedVault(
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-redis, config = {}) {
-    const encryption = new vault_encryption_1.VaultEncryption({ pepper: config.pepper });
-    const vault = new EncryptedRedisVault(redis, encryption, config.namespace);
-    return { vault, encryption };
-}
-//# sourceMappingURL=encrypted-authorization-vault.js.map

package/src/auth/session/encrypted-authorization-vault.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"encrypted-authorization-vault.js","sourceRoot":"","sources":["../../../../src/auth/session/encrypted-authorization-vault.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;;AAujBH,oDAYC;AAjkBD,6BAAwB;AACxB,6CAAyC;AACzC,uDAAqD;AACrD,yDAA6G;AAW7G,+CAA+C;AAC/C,+BAA+B;AAC/B,+CAA+C;AAE/C;;GAEG;AACU,QAAA,qBAAqB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5C,eAAe;IACf,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,4BAA4B;IAC5B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;IACnB,yCAAyC;IACzC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,wCAAwC;IACxC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,gBAAgB;IAChB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,yBAAyB;IACzB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,4BAA4B;IAC5B,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;IACxB,6DAA6D;IAC7D,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACrC,qDAAqD;IACrD,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAClC,wDAAwD;IACxD,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACnC,oCAAoC;IACpC,SAAS,EAAE,sCAAmB;CAC/B,CAAC,CAAC;AAmBH;;;GAGG;AACH,MAAM,wBAAwB,GAAG,IAAI,oCAAiB,EAAqB,CAAC;AAE5E,+CAA+C;AAC/C,uCAAuC;AACvC,+CAA+C;AAE/C;;;;;;;GAOG;AACH,MAAa,mBAAmB;IAGX;IACA;IACA;IAJnB;IACE,8DAA8D;IAC7C,KAAU,EACV,UAA2B,EAC3B,YAAY,QAAQ;QAFpB,UAAK,GAAL,KAAK,CAAK;QACV,eAAU,GAAV,UAAU,CAAiB;QAC3B,cAAS,GAAT,SAAS,CAAW;IACpC,CAAC;IAEJ;;;;;;;;;;;;;;;;;OAiBG;IACH,cAAc,CAAI,OAA0B,EAAE,EAAwB;QACpE,OAAO,wBAAwB,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACnD,CAAC;IAED;;OAEG;IACK,MAAM;QACZ,MAAM,YAAY,GAAG,wBAAwB,CAAC,QAAQ,EAAE,CAAC;QACzD,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,GAAG,CAAC;QAC1B,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,sFAAsF,CAAC,CAAC;IAC1G,CAAC;IAED;;OAEG;IACK,QAAQ,CAAC,EAAU;QACzB,OAAO,GAAG,IAAI,CAAC,SAAS,GAAG,EAAE,EAAE,CAAC;IAClC,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,KAAa,EAAE,UAAkB;QACrD,OAAO,GAAG,KAAK,IAAI,UAAU,EAAE,CAAC;IAClC,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,IAAwB;QAC/C,OAAO,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,SAAwB;QAC/C,OAAO,IAAI,CAAC,UAAU,CAAC,aAAa,CAAqB,SAAS,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACrF,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,UAA2B;QAC9C,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAE9D,OAAO;YACL,EAAE,EAAE,UAAU,CAAC,EAAE;YACjB,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,SAAS,EAAE,UAAU,CAAC,SAAS;YAC/B,QAAQ,EAAE,UAAU,CAAC,QAAQ;YAC7B,QAAQ,EAAE,UAAU,CAAC,QAAQ;YAC7B,SAAS,EAAE,UAAU,CAAC,SAAS;YAC/B,YAAY,EAAE,UAAU,CAAC,YAAY;YACrC,cAAc,EAAE,SAAS,CAAC,cAA+C;YACzE,OAAO,EAAE,SAAS,CAAC,OAAyC;YAC5D,SAAS,EAAE,SAAS,CAAC,SAA6C;YAClE,YAAY,EAAE,SAAS,CAAC,YAAwC;YAChE,gBAAgB,EAAE,UAAU,CAAC,gBAAgB;YAC7C,aAAa,EAAE,UAAU,CAAC,aAAa;SACxC,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,KAA8B;QACjD,MAAM,SAAS,GAAuB;YACpC,cAAc,EAAE,KAAK,CAAC,cAAc;YACpC,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,YAAY,EAAE,KAAK,CAAC,YAAY;SACjC,CAAC;QAEF,OAAO;YACL,EAAE,EAAE,KAAK,CAAC,EAAE;YACZ,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;YACxC,aAAa,EAAE,KAAK,CAAC,aAAa;YAClC,cAAc,EAAE,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC;SAC5C,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,KAA8B;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAC5C,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;IAC5E,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,EAAU;QAChC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;QACrD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,6BAAqB,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;YACjE,OAAO,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,0DAA0D;YAC1D,MAAM,IAAI,KAAK,CAAC,wBAAwB,EAAE,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;QAC7G,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,8CAA8C;IAC9C,+CAA+C;IAE/C,KAAK,CAAC,MAAM,CAAC,MASZ;QACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAA4B;YACrC,EAAE,EAAE,IAAA,wBAAU,GAAE;YAChB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,YAAY,EAAE,GAAG;YACjB,cAAc,EAAE,EAAE;YAClB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,YAAY,EAAE,EAAE;YAChB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,EAAE;YAC/C,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;SAC1C,CAAC;QAEF,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,0BAA0B;QAC1B,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAE5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU,EAAE,OAAyC;QAChE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,0BAA0B,EAAE,EAAE,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC5D,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,OAA2B;QAC9D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,KAAK,CAAC,OAAO,GAAG,OAAO,CAAC;QACxB,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAe,EAAE,KAAa;QAC/C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,KAAK,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;QACvE,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5C,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrC,CAAC;QACD,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,OAAe,EACf,MAOC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAA2B;YAC1C,EAAE,EAAE,IAAA,wBAAU,GAAE;YAChB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;YACjD,MAAM,EAAE,SAAS;SAClB,CAAC;QAEF,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACrC,KAAK,CAAC,YAAY,GAAG,GAAG,CAAC;QACzB,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAE5B,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,OAAe,EAAE,aAAqB;QACzD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,SAAS,IAAI,WAAW,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC3E,WAAW,CAAC,MAAM,GAAG,SAAS,CAAC;YAC/B,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAe,EAAE,aAAqB;QAC9D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,MAAM,GAAG,WAAW,CAAC;YAEjC,qEAAqE;YACrE,KAAK,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,WAAW,CAAC,KAAK,CAAC,CAAC;YACnF,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxD,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YACjD,CAAC;YACD,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,aAAqB;QAC5D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC;QAC3E,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,MAAM,GAAG,WAAW,CAAC;YACjC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,OAAe,EAAE,KAAa;QAClD,mEAAmE;QACnE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAExB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAChC,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC3F,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,OAAe;QACnC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,MAAM,OAAO,GAAG,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YAC9C,IAAI,GAAG,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAChD,CAAC,CAAC,MAAM,GAAG,SAAS,CAAC;gBACrB,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;YACD,OAAO,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,+CAA+C;IAC/C,yBAAyB;IACzB,+CAA+C;IAE/C,KAAK,CAAC,gBAAgB,CAAC,OAAe,EAAE,UAAyB;QAC/D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;QAChF,IAAI,CAAC,WAAW;YAAE,OAAO;QAEzB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,KAAK,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;QACxE,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC;QACvC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB;QAC1E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,OAAO,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACjC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,KAAa;QACpD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,MAAM,GAAG,GAAG,KAAK,GAAG,CAAC;QAC3B,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC;aACxC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;aACzC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB;QACpE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,OAAO,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,eAAe,GAAG,KAAK;QAC9D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QAE3D,IAAI,CAAC,eAAe,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YAChD,OAAO,cAAc,CAAC;QACxB,CAAC;QAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChE,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;YACpC,OAAO,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QAC5F,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,OAAe,EACf,KAAa,EACb,UAAkB,EAClB,OAA4G;QAE5G,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU;YAAE,OAAO;QAExB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACnC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,OAAe,EAAE,KAAa,EAAE,OAAkB;QAC5E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAEzB,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,OAAQ,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACnF,CAAC;QAED,MAAM,gBAAgB,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC;QACvD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC;IAC3E,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,OAAe,EAAE,KAAa,EAAE,UAAkB,EAAE,MAAc;QAC3F,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE;YACtD,OAAO,EAAE,KAAK;YACd,aAAa,EAAE,MAAM;SACtB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,sBAAsB,CAC1B,OAAe,EACf,KAAa,EACb,UAAkB,EAClB,MAA0E;QAE1E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,KAAK,OAAO;YAAE,OAAO;QAElE,sBAAsB;QACtB,UAAU,CAAC,UAAU,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;QACvD,IAAI,MAAM,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YACtC,UAAU,CAAC,UAAU,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;QAC3D,CAAC;QACD,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,UAAU,CAAC,UAAU,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;YACnD,UAAU,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;QAC1C,CAAC;QAED,UAAU,CAAC,OAAO,GAAG,IAAI,CAAC;QAC1B,UAAU,CAAC,aAAa,GAAG,SAAS,CAAC;QACrC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,OAAO;QACX,yDAAyD;QACzD,mDAAmD;QACnD,mDAAmD;IACrD,CAAC;CACF;AA3dD,kDA2dC;AAED,+CAA+C;AAC/C,mBAAmB;AACnB,+CAA+C;AAE/C;;GAEG;AACH,SAAgB,oBAAoB;AAClC,8DAA8D;AAC9D,KAAU,EACV,SAGI,EAAE;IAEN,MAAM,UAAU,GAAG,IAAI,kCAAe,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAClE,MAAM,KAAK,GAAG,IAAI,mBAAmB,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IAE3E,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;AAC/B,CAAC","sourcesContent":["/**\n * Encrypted Authorization Vault\n *\n * A vault implementation that encrypts all sensitive data using a key\n * derived from the client's JWT authorization token.\n *\n * Security Properties:\n * - Zero-knowledge storage: Server cannot decrypt credentials\n * - Client-side key: Encryption key derived from JWT (client must present token)\n * - Authenticated encryption: AES-256-GCM prevents tampering\n * - Per-vault keys: Each vault has a unique encryption key\n *\n * Usage:\n * ```typescript\n * const vault = new EncryptedRedisVault(redis, encryption);\n *\n * // On each request, derive key from JWT and set context\n * const key = encryption.deriveKeyFromToken(token, claims);\n * vault.setEncryptionKey(key);\n *\n * // Now all operations automatically encrypt/decrypt\n * await vault.addAppCredential(vaultId, credential);\n * ```\n */\n\nimport { z } from 'zod';\nimport { randomUUID } from 'node:crypto';\nimport { AsyncLocalStorage } from 'node:async_hooks';\nimport { VaultEncryption, EncryptedData, VaultSensitiveData, encryptedDataSchema } from './vault-encryption';\nimport {\n AuthorizationVault,\n AuthorizationVaultEntry,\n AppCredential,\n VaultConsentRecord,\n VaultFederatedRecord,\n PendingIncrementalAuth,\n authorizationVaultEntrySchema,\n} from './authorization-vault';\n\n// ============================================\n// Encrypted Vault Entry Schema\n// ============================================\n\n/**\n * What we store in Redis - minimal metadata + encrypted blob\n */\nexport const redisVaultEntrySchema = z.object({\n /** Vault ID */\n id: z.string(),\n /** User sub (for lookup) */\n userSub: z.string(),\n /** User email (optional, for display) */\n userEmail: z.string().optional(),\n /** User name (optional, for display) */\n userName: z.string().optional(),\n /** Client ID */\n clientId: z.string(),\n /** Creation timestamp */\n createdAt: z.number(),\n /** Last access timestamp */\n lastAccessAt: z.number(),\n /** Authorized app IDs (unencrypted for quick auth checks) */\n authorizedAppIds: z.array(z.string()),\n /** Skipped app IDs (unencrypted for quick checks) */\n skippedAppIds: z.array(z.string()),\n /** Pending auth request IDs (unencrypted for lookup) */\n pendingAuthIds: z.array(z.string()),\n /** Encrypted sensitive data blob */\n encrypted: encryptedDataSchema,\n});\n\nexport type RedisVaultEntry = z.infer<typeof redisVaultEntrySchema>;\n\n// ============================================\n// Encryption Context\n// ============================================\n\n/**\n * Encryption context for the current request\n * Must be set before performing vault operations\n */\nexport interface EncryptionContext {\n /** Encryption key derived from JWT */\n key: Buffer;\n /** Vault ID (from JWT jti claim) */\n vaultId: string;\n}\n\n/**\n * Module-level AsyncLocalStorage for request-scoped encryption context.\n * This ensures concurrent requests don't interfere with each other's encryption keys.\n */\nconst encryptionContextStorage = new AsyncLocalStorage<EncryptionContext>();\n\n// ============================================\n// Encrypted Redis Vault Implementation\n// ============================================\n\n/**\n * Redis vault with client-side encryption\n *\n * All sensitive data (tokens, credentials, consent, pending auths)\n * is encrypted using a key derived from the client's JWT.\n *\n * Use `runWithContext()` to set encryption context for concurrent safety.\n */\nexport class EncryptedRedisVault implements AuthorizationVault {\n constructor(\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n private readonly redis: any,\n private readonly encryption: VaultEncryption,\n private readonly namespace = 'vault:',\n ) {}\n\n /**\n * Run a callback with encryption context set for the current async scope.\n * This is the recommended way to set encryption context as it is safe for\n * concurrent requests (each request gets its own isolated context).\n *\n * @param context - Encryption context with key and vaultId\n * @param fn - Async function to run with the context\n * @returns The result of the callback\n *\n * @example\n * ```typescript\n * const result = await vault.runWithContext({ key, vaultId }, async () => {\n * await vault.get(id);\n * await vault.update(id, data);\n * return 'done';\n * });\n * ```\n */\n runWithContext<T>(context: EncryptionContext, fn: () => T | Promise<T>): T | Promise<T> {\n return encryptionContextStorage.run(context, fn);\n }\n\n /**\n * Get current encryption key from AsyncLocalStorage.\n */\n private getKey(): Buffer {\n const asyncContext = encryptionContextStorage.getStore();\n if (asyncContext) {\n return asyncContext.key;\n }\n\n throw new Error('Encryption context not set. Use runWithContext() before performing vault operations.');\n }\n\n /**\n * Create Redis key from vault ID\n */\n private redisKey(id: string): string {\n return `${this.namespace}${id}`;\n }\n\n /**\n * Create credential key from appId and providerId\n */\n private credentialKey(appId: string, providerId: string): string {\n return `${appId}:${providerId}`;\n }\n\n /**\n * Encrypt sensitive data\n */\n private encryptSensitive(data: VaultSensitiveData): EncryptedData {\n return this.encryption.encryptObject(data, this.getKey());\n }\n\n /**\n * Decrypt sensitive data\n */\n private decryptSensitive(encrypted: EncryptedData): VaultSensitiveData {\n return this.encryption.decryptObject<VaultSensitiveData>(encrypted, this.getKey());\n }\n\n /**\n * Convert Redis entry to full vault entry (decrypts sensitive data)\n */\n private toVaultEntry(redisEntry: RedisVaultEntry): AuthorizationVaultEntry {\n const sensitive = this.decryptSensitive(redisEntry.encrypted);\n\n return {\n id: redisEntry.id,\n userSub: redisEntry.userSub,\n userEmail: redisEntry.userEmail,\n userName: redisEntry.userName,\n clientId: redisEntry.clientId,\n createdAt: redisEntry.createdAt,\n lastAccessAt: redisEntry.lastAccessAt,\n appCredentials: sensitive.appCredentials as Record<string, AppCredential>,\n consent: sensitive.consent as VaultConsentRecord | undefined,\n federated: sensitive.federated as VaultFederatedRecord | undefined,\n pendingAuths: sensitive.pendingAuths as PendingIncrementalAuth[],\n authorizedAppIds: redisEntry.authorizedAppIds,\n skippedAppIds: redisEntry.skippedAppIds,\n };\n }\n\n /**\n * Convert vault entry to Redis entry (encrypts sensitive data)\n */\n private toRedisEntry(entry: AuthorizationVaultEntry): RedisVaultEntry {\n const sensitive: VaultSensitiveData = {\n appCredentials: entry.appCredentials,\n consent: entry.consent,\n federated: entry.federated,\n pendingAuths: entry.pendingAuths,\n };\n\n return {\n id: entry.id,\n userSub: entry.userSub,\n userEmail: entry.userEmail,\n userName: entry.userName,\n clientId: entry.clientId,\n createdAt: entry.createdAt,\n lastAccessAt: entry.lastAccessAt,\n authorizedAppIds: entry.authorizedAppIds,\n skippedAppIds: entry.skippedAppIds,\n pendingAuthIds: entry.pendingAuths.map((p) => p.id),\n encrypted: this.encryptSensitive(sensitive),\n };\n }\n\n /**\n * Save entry to Redis\n */\n private async saveEntry(entry: AuthorizationVaultEntry): Promise<void> {\n const redisEntry = this.toRedisEntry(entry);\n await this.redis.set(this.redisKey(entry.id), JSON.stringify(redisEntry));\n }\n\n /**\n * Load entry from Redis\n */\n private async loadEntry(id: string): Promise<AuthorizationVaultEntry | null> {\n const data = await this.redis.get(this.redisKey(id));\n if (!data) return null;\n\n try {\n const redisEntry = redisVaultEntrySchema.parse(JSON.parse(data));\n return this.toVaultEntry(redisEntry);\n } catch (error) {\n // Could be decryption failure (wrong key) or corrupt data\n throw new Error(`Failed to load vault ${id}: ${error instanceof Error ? error.message : 'Unknown error'}`);\n }\n }\n\n // ============================================\n // AuthorizationVault Interface Implementation\n // ============================================\n\n async create(params: {\n userSub: string;\n userEmail?: string;\n userName?: string;\n clientId: string;\n consent?: VaultConsentRecord;\n federated?: VaultFederatedRecord;\n authorizedAppIds?: string[];\n skippedAppIds?: string[];\n }): Promise<AuthorizationVaultEntry> {\n const now = Date.now();\n const entry: AuthorizationVaultEntry = {\n id: randomUUID(),\n userSub: params.userSub,\n userEmail: params.userEmail,\n userName: params.userName,\n clientId: params.clientId,\n createdAt: now,\n lastAccessAt: now,\n appCredentials: {},\n consent: params.consent,\n federated: params.federated,\n pendingAuths: [],\n authorizedAppIds: params.authorizedAppIds ?? [],\n skippedAppIds: params.skippedAppIds ?? [],\n };\n\n await this.saveEntry(entry);\n return entry;\n }\n\n async get(id: string): Promise<AuthorizationVaultEntry | null> {\n const entry = await this.loadEntry(id);\n if (!entry) return null;\n\n // Update last access time\n entry.lastAccessAt = Date.now();\n await this.saveEntry(entry);\n\n return entry;\n }\n\n async update(id: string, updates: Partial<AuthorizationVaultEntry>): Promise<void> {\n const entry = await this.loadEntry(id);\n if (!entry) {\n throw new Error(`Vault entry not found: ${id}`);\n }\n\n Object.assign(entry, updates, { lastAccessAt: Date.now() });\n await this.saveEntry(entry);\n }\n\n async delete(id: string): Promise<void> {\n await this.redis.del(this.redisKey(id));\n }\n\n async updateConsent(vaultId: string, consent: VaultConsentRecord): Promise<void> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return;\n\n entry.consent = consent;\n entry.lastAccessAt = Date.now();\n await this.saveEntry(entry);\n }\n\n async authorizeApp(vaultId: string, appId: string): Promise<void> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return;\n\n entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== appId);\n if (!entry.authorizedAppIds.includes(appId)) {\n entry.authorizedAppIds.push(appId);\n }\n entry.lastAccessAt = Date.now();\n await this.saveEntry(entry);\n }\n\n async createPendingAuth(\n vaultId: string,\n params: {\n appId: string;\n toolId?: string;\n authUrl: string;\n requiredScopes?: string[];\n elicitId?: string;\n ttlMs?: number;\n },\n ): Promise<PendingIncrementalAuth> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) {\n throw new Error(`Vault not found: ${vaultId}`);\n }\n\n const now = Date.now();\n const pendingAuth: PendingIncrementalAuth = {\n id: randomUUID(),\n appId: params.appId,\n toolId: params.toolId,\n authUrl: params.authUrl,\n requiredScopes: params.requiredScopes,\n elicitId: params.elicitId,\n createdAt: now,\n expiresAt: now + (params.ttlMs ?? 10 * 60 * 1000),\n status: 'pending',\n };\n\n entry.pendingAuths.push(pendingAuth);\n entry.lastAccessAt = now;\n await this.saveEntry(entry);\n\n return pendingAuth;\n }\n\n async getPendingAuth(vaultId: string, pendingAuthId: string): Promise<PendingIncrementalAuth | null> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return null;\n\n const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n if (!pendingAuth) return null;\n\n if (Date.now() > pendingAuth.expiresAt && pendingAuth.status === 'pending') {\n pendingAuth.status = 'expired';\n await this.saveEntry(entry);\n }\n\n return pendingAuth;\n }\n\n async completePendingAuth(vaultId: string, pendingAuthId: string): Promise<void> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return;\n\n const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n if (pendingAuth) {\n pendingAuth.status = 'completed';\n\n // Authorize app inline (don't call authorizeApp which reloads entry)\n entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== pendingAuth.appId);\n if (!entry.authorizedAppIds.includes(pendingAuth.appId)) {\n entry.authorizedAppIds.push(pendingAuth.appId);\n }\n entry.lastAccessAt = Date.now();\n await this.saveEntry(entry);\n }\n }\n\n async cancelPendingAuth(vaultId: string, pendingAuthId: string): Promise<void> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return;\n\n const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);\n if (pendingAuth) {\n pendingAuth.status = 'cancelled';\n await this.saveEntry(entry);\n }\n }\n\n async isAppAuthorized(vaultId: string, appId: string): Promise<boolean> {\n // Quick check without decryption - authorizedAppIds is unencrypted\n const data = await this.redis.get(this.redisKey(vaultId));\n if (!data) return false;\n\n try {\n const parsed = JSON.parse(data);\n return Array.isArray(parsed.authorizedAppIds) && parsed.authorizedAppIds.includes(appId);\n } catch {\n return false;\n }\n }\n\n async getPendingAuths(vaultId: string): Promise<PendingIncrementalAuth[]> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return [];\n\n const now = Date.now();\n let updated = false;\n\n const pending = entry.pendingAuths.filter((p) => {\n if (now > p.expiresAt && p.status === 'pending') {\n p.status = 'expired';\n updated = true;\n }\n return p.status === 'pending';\n });\n\n if (updated) {\n await this.saveEntry(entry);\n }\n\n return pending;\n }\n\n // ============================================\n // App Credential Methods\n // ============================================\n\n async addAppCredential(vaultId: string, credential: AppCredential): Promise<void> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return;\n\n const shouldStore = await this.shouldStoreCredential(vaultId, credential.appId);\n if (!shouldStore) return;\n\n const key = this.credentialKey(credential.appId, credential.providerId);\n entry.appCredentials[key] = credential;\n entry.lastAccessAt = Date.now();\n await this.saveEntry(entry);\n }\n\n async removeAppCredential(vaultId: string, appId: string, providerId: string): Promise<void> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return;\n\n const key = this.credentialKey(appId, providerId);\n delete entry.appCredentials[key];\n entry.lastAccessAt = Date.now();\n await this.saveEntry(entry);\n }\n\n async getAppCredentials(vaultId: string, appId: string): Promise<AppCredential[]> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return [];\n\n const prefix = `${appId}:`;\n return Object.entries(entry.appCredentials)\n .filter(([key]) => key.startsWith(prefix))\n .map(([, cred]) => cred);\n }\n\n async getCredential(vaultId: string, appId: string, providerId: string): Promise<AppCredential | null> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return null;\n\n const key = this.credentialKey(appId, providerId);\n return entry.appCredentials[key] ?? null;\n }\n\n async getAllCredentials(vaultId: string, filterByConsent = false): Promise<AppCredential[]> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return [];\n\n const allCredentials = Object.values(entry.appCredentials);\n\n if (!filterByConsent || !entry.consent?.enabled) {\n return allCredentials;\n }\n\n const consentedToolIds = new Set(entry.consent.selectedToolIds);\n return allCredentials.filter((cred) => {\n return Array.from(consentedToolIds).some((toolId) => toolId.startsWith(`${cred.appId}:`));\n });\n }\n\n async updateCredential(\n vaultId: string,\n appId: string,\n providerId: string,\n updates: Partial<Pick<AppCredential, 'lastUsedAt' | 'isValid' | 'invalidReason' | 'expiresAt' | 'metadata'>>,\n ): Promise<void> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return;\n\n const key = this.credentialKey(appId, providerId);\n const credential = entry.appCredentials[key];\n if (!credential) return;\n\n Object.assign(credential, updates);\n entry.lastAccessAt = Date.now();\n await this.saveEntry(entry);\n }\n\n async shouldStoreCredential(vaultId: string, appId: string, toolIds?: string[]): Promise<boolean> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return false;\n\n if (!entry.consent?.enabled) {\n return true;\n }\n\n if (toolIds && toolIds.length > 0) {\n return toolIds.some((toolId) => entry.consent!.selectedToolIds.includes(toolId));\n }\n\n const consentedToolIds = entry.consent.selectedToolIds;\n return consentedToolIds.some((toolId) => toolId.startsWith(`${appId}:`));\n }\n\n async invalidateCredential(vaultId: string, appId: string, providerId: string, reason: string): Promise<void> {\n await this.updateCredential(vaultId, appId, providerId, {\n isValid: false,\n invalidReason: reason,\n });\n }\n\n async refreshOAuthCredential(\n vaultId: string,\n appId: string,\n providerId: string,\n tokens: { accessToken: string; refreshToken?: string; expiresAt?: number },\n ): Promise<void> {\n const entry = await this.loadEntry(vaultId);\n if (!entry) return;\n\n const key = this.credentialKey(appId, providerId);\n const credential = entry.appCredentials[key];\n if (!credential || credential.credential.type !== 'oauth') return;\n\n // Update OAuth tokens\n credential.credential.accessToken = tokens.accessToken;\n if (tokens.refreshToken !== undefined) {\n credential.credential.refreshToken = tokens.refreshToken;\n }\n if (tokens.expiresAt !== undefined) {\n credential.credential.expiresAt = tokens.expiresAt;\n credential.expiresAt = tokens.expiresAt;\n }\n\n credential.isValid = true;\n credential.invalidReason = undefined;\n entry.lastAccessAt = Date.now();\n await this.saveEntry(entry);\n }\n\n async cleanup(): Promise<void> {\n // Redis cleanup would use SCAN to find and clean entries\n // For encrypted vault, this needs careful handling\n // as we can't read data without the encryption key\n }\n}\n\n// ============================================\n// Factory Function\n// ============================================\n\n/**\n * Create an encrypted vault with the given configuration\n */\nexport function createEncryptedVault(\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n redis: any,\n config: {\n pepper?: string;\n namespace?: string;\n } = {},\n): { vault: EncryptedRedisVault; encryption: VaultEncryption } {\n const encryption = new VaultEncryption({ pepper: config.pepper });\n const vault = new EncryptedRedisVault(redis, encryption, config.namespace);\n\n return { vault, encryption };\n}\n"]}

package/src/auth/session/index.js DELETED Viewed

@@ -1,16 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.RedisSessionStore = exports.InMemorySessionStore = exports.TransportSessionManager = void 0;
-const tslib_1 = require("tslib");
-// Transport session architecture
-tslib_1.__exportStar(require("./transport-session.types"), exports);
-var transport_session_manager_1 = require("./transport-session.manager");
-Object.defineProperty(exports, "TransportSessionManager", { enumerable: true, get: function () { return transport_session_manager_1.TransportSessionManager; } });
-Object.defineProperty(exports, "InMemorySessionStore", { enumerable: true, get: function () { return transport_session_manager_1.InMemorySessionStore; } });
-var redis_session_store_1 = require("./redis-session.store");
-Object.defineProperty(exports, "RedisSessionStore", { enumerable: true, get: function () { return redis_session_store_1.RedisSessionStore; } });
-// Authorization store for OAuth flows
-tslib_1.__exportStar(require("./authorization.store"), exports);
-// Authorization vault for stateful sessions
-tslib_1.__exportStar(require("./authorization-vault"), exports);
-//# sourceMappingURL=index.js.map

package/src/auth/session/index.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/auth/session/index.ts"],"names":[],"mappings":";;;;AAAA,iCAAiC;AACjC,oEAA0C;AAC1C,yEAA4F;AAAnF,oIAAA,uBAAuB,OAAA;AAAE,iIAAA,oBAAoB,OAAA;AACtD,6DAA0D;AAAjD,wHAAA,iBAAiB,OAAA;AAE1B,sCAAsC;AACtC,gEAAsC;AAEtC,4CAA4C;AAC5C,gEAAsC","sourcesContent":["// Transport session architecture\nexport * from './transport-session.types';\nexport { TransportSessionManager, InMemorySessionStore } from './transport-session.manager';\nexport { RedisSessionStore } from './redis-session.store';\n\n// Authorization store for OAuth flows\nexport * from './authorization.store';\n\n// Authorization vault for stateful sessions\nexport * from './authorization-vault';\n"]}