@globaltracking/auth-middleware 2.0.0

package/dist/index.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasAnyPermission = exports.hasPermission = exports.hasRole = exports.authErrorHandler = exports.requireSelf = exports.requireTenant = exports.requireAnyPermission = exports.requirePermission = exports.requireRole = exports.authenticate = exports.JwtStrategy = exports.TrustedHeadersStrategy = exports.GatewayHeaderStrategy = exports.extractUser = exports.ForbiddenError = exports.UnauthorizedError = exports.AuthError = exports.resetConfig = exports.getConfig = exports.initAuth = void 0;
+// Configuration
+var config_1 = require("./config");
+Object.defineProperty(exports, "initAuth", { enumerable: true, get: function () { return config_1.initAuth; } });
+Object.defineProperty(exports, "getConfig", { enumerable: true, get: function () { return config_1.getConfig; } });
+Object.defineProperty(exports, "resetConfig", { enumerable: true, get: function () { return config_1.resetConfig; } });
+// Errors
+var errors_1 = require("./errors");
+Object.defineProperty(exports, "AuthError", { enumerable: true, get: function () { return errors_1.AuthError; } });
+Object.defineProperty(exports, "UnauthorizedError", { enumerable: true, get: function () { return errors_1.UnauthorizedError; } });
+Object.defineProperty(exports, "ForbiddenError", { enumerable: true, get: function () { return errors_1.ForbiddenError; } });
+// Core extraction
+var extract_user_1 = require("./extract-user");
+Object.defineProperty(exports, "extractUser", { enumerable: true, get: function () { return extract_user_1.extractUser; } });
+var gateway_header_strategy_1 = require("./strategies/gateway-header.strategy");
+Object.defineProperty(exports, "GatewayHeaderStrategy", { enumerable: true, get: function () { return gateway_header_strategy_1.GatewayHeaderStrategy; } });
+var trusted_headers_strategy_1 = require("./strategies/trusted-headers.strategy");
+Object.defineProperty(exports, "TrustedHeadersStrategy", { enumerable: true, get: function () { return trusted_headers_strategy_1.TrustedHeadersStrategy; } });
+var jwt_strategy_1 = require("./strategies/jwt.strategy");
+Object.defineProperty(exports, "JwtStrategy", { enumerable: true, get: function () { return jwt_strategy_1.JwtStrategy; } });
+// Middlewares
+var authenticate_1 = require("./middlewares/authenticate");
+Object.defineProperty(exports, "authenticate", { enumerable: true, get: function () { return authenticate_1.authenticate; } });
+var require_role_1 = require("./middlewares/require-role");
+Object.defineProperty(exports, "requireRole", { enumerable: true, get: function () { return require_role_1.requireRole; } });
+var require_permission_1 = require("./middlewares/require-permission");
+Object.defineProperty(exports, "requirePermission", { enumerable: true, get: function () { return require_permission_1.requirePermission; } });
+Object.defineProperty(exports, "requireAnyPermission", { enumerable: true, get: function () { return require_permission_1.requireAnyPermission; } });
+var require_tenant_1 = require("./middlewares/require-tenant");
+Object.defineProperty(exports, "requireTenant", { enumerable: true, get: function () { return require_tenant_1.requireTenant; } });
+var require_self_1 = require("./middlewares/require-self");
+Object.defineProperty(exports, "requireSelf", { enumerable: true, get: function () { return require_self_1.requireSelf; } });
+var error_handler_1 = require("./middlewares/error-handler");
+Object.defineProperty(exports, "authErrorHandler", { enumerable: true, get: function () { return error_handler_1.authErrorHandler; } });
+// Utility functions
+var helpers_1 = require("./utils/helpers");
+Object.defineProperty(exports, "hasRole", { enumerable: true, get: function () { return helpers_1.hasRole; } });
+Object.defineProperty(exports, "hasPermission", { enumerable: true, get: function () { return helpers_1.hasPermission; } });
+Object.defineProperty(exports, "hasAnyPermission", { enumerable: true, get: function () { return helpers_1.hasAnyPermission; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,gBAAgB;AAChB,mCAA4D;AAAnD,kGAAA,QAAQ,OAAA;AAAE,mGAAA,SAAS,OAAA;AAAE,qGAAA,WAAW,OAAA;AAKzC,SAAS;AACT,mCAAwE;AAA/D,mGAAA,SAAS,OAAA;AAAE,2GAAA,iBAAiB,OAAA;AAAE,wGAAA,cAAc,OAAA;AAErD,kBAAkB;AAClB,+CAA6C;AAApC,2GAAA,WAAW,OAAA;AAIpB,gFAA6E;AAApE,gIAAA,qBAAqB,OAAA;AAC9B,kFAA+E;AAAtE,kIAAA,sBAAsB,OAAA;AAC/B,0DAAwD;AAA/C,2GAAA,WAAW,OAAA;AAEpB,cAAc;AACd,2DAA0D;AAAjD,4GAAA,YAAY,OAAA;AACrB,2DAAyD;AAAhD,2GAAA,WAAW,OAAA;AACpB,uEAA2F;AAAlF,uHAAA,iBAAiB,OAAA;AAAE,0HAAA,oBAAoB,OAAA;AAChD,+DAA6D;AAApD,+GAAA,aAAa,OAAA;AACtB,2DAAyD;AAAhD,2GAAA,WAAW,OAAA;AACpB,6DAA+D;AAAtD,iHAAA,gBAAgB,OAAA;AAEzB,oBAAoB;AACpB,2CAA2E;AAAlE,kGAAA,OAAO,OAAA;AAAE,wGAAA,aAAa,OAAA;AAAE,2GAAA,gBAAgB,OAAA"}

package/dist/middlewares/authenticate.d.ts

@@ -0,0 +1,10 @@
+import { Request, Response, NextFunction } from 'express';
+/**
+ * Express middleware that extracts user context from the request.
+ * Sets `req.user` with the authenticated AuthUser.
+ *
+ * Tries gateway header first (production), then falls back to JWT (local dev).
+ * Passes UnauthorizedError to next() if no valid auth context is found.
+ */
+export declare function authenticate(req: Request, _res: Response, next: NextFunction): void;
+//# sourceMappingURL=authenticate.d.ts.map

package/dist/middlewares/authenticate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authenticate.d.ts","sourceRoot":"","sources":["../../src/middlewares/authenticate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAI1D;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI,CAWnF"}

package/dist/middlewares/authenticate.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authenticate = authenticate;
+const extract_user_1 = require("../extract-user");
+const errors_1 = require("../errors");
+/**
+ * Express middleware that extracts user context from the request.
+ * Sets `req.user` with the authenticated AuthUser.
+ *
+ * Tries gateway header first (production), then falls back to JWT (local dev).
+ * Passes UnauthorizedError to next() if no valid auth context is found.
+ */
+function authenticate(req, _res, next) {
+    try {
+        req.user = (0, extract_user_1.extractUser)(req);
+        next();
+    }
+    catch (err) {
+        if (err instanceof errors_1.UnauthorizedError) {
+            next(err);
+            return;
+        }
+        next(new errors_1.UnauthorizedError('Authentication failed'));
+    }
+}
+//# sourceMappingURL=authenticate.js.map

package/dist/middlewares/authenticate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authenticate.js","sourceRoot":"","sources":["../../src/middlewares/authenticate.ts"],"names":[],"mappings":";;AAWA,oCAWC;AArBD,kDAA8C;AAC9C,sCAA8C;AAE9C;;;;;;GAMG;AACH,SAAgB,YAAY,CAAC,GAAY,EAAE,IAAc,EAAE,IAAkB;IAC3E,IAAI,CAAC;QACH,GAAG,CAAC,IAAI,GAAG,IAAA,0BAAW,EAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,EAAE,CAAC;IACT,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,0BAAiB,EAAE,CAAC;YACrC,IAAI,CAAC,GAAG,CAAC,CAAC;YACV,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,0BAAiB,CAAC,uBAAuB,CAAC,CAAC,CAAC;IACvD,CAAC;AACH,CAAC"}

package/dist/middlewares/error-handler.d.ts

@@ -0,0 +1,12 @@
+import { Request, Response, NextFunction } from 'express';
+/**
+ * Express error handler for authentication/authorization errors.
+ * Catches AuthError (and subclasses) and returns the standard error envelope.
+ * Non-auth errors are passed to the next error handler.
+ *
+ * Must be registered AFTER all routes:
+ * @example
+ * app.use(authErrorHandler);
+ */
+export declare function authErrorHandler(err: Error, _req: Request, res: Response, next: NextFunction): void;
+//# sourceMappingURL=error-handler.d.ts.map

package/dist/middlewares/error-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-handler.d.ts","sourceRoot":"","sources":["../../src/middlewares/error-handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG1D;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,KAAK,EACV,IAAI,EAAE,OAAO,EACb,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,IAAI,CAQN"}

package/dist/middlewares/error-handler.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authErrorHandler = authErrorHandler;
+const errors_1 = require("../errors");
+/**
+ * Express error handler for authentication/authorization errors.
+ * Catches AuthError (and subclasses) and returns the standard error envelope.
+ * Non-auth errors are passed to the next error handler.
+ *
+ * Must be registered AFTER all routes:
+ * @example
+ * app.use(authErrorHandler);
+ */
+function authErrorHandler(err, _req, res, next) {
+    if (err instanceof errors_1.AuthError) {
+        res.status(err.statusCode).json(err.toResponse());
+        return;
+    }
+    // Not our error — pass to next error handler
+    next(err);
+}
+//# sourceMappingURL=error-handler.js.map

package/dist/middlewares/error-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-handler.js","sourceRoot":"","sources":["../../src/middlewares/error-handler.ts"],"names":[],"mappings":";;AAYA,4CAaC;AAxBD,sCAAsC;AAEtC;;;;;;;;GAQG;AACH,SAAgB,gBAAgB,CAC9B,GAAU,EACV,IAAa,EACb,GAAa,EACb,IAAkB;IAElB,IAAI,GAAG,YAAY,kBAAS,EAAE,CAAC;QAC7B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;QAClD,OAAO;IACT,CAAC;IAED,6CAA6C;IAC7C,IAAI,CAAC,GAAG,CAAC,CAAC;AACZ,CAAC"}

package/dist/middlewares/require-permission.d.ts

@@ -0,0 +1,12 @@
+import { Request, Response, NextFunction } from 'express';
+/**
+ * Returns middleware that checks if the user has ALL of the required permissions.
+ * Admin roles (from config.adminRoles) bypass this check.
+ */
+export declare function requirePermission(...permissions: string[]): (req: Request, _res: Response, next: NextFunction) => void;
+/**
+ * Returns middleware that checks if the user has AT LEAST ONE of the listed permissions.
+ * Admin roles (from config.adminRoles) bypass this check.
+ */
+export declare function requireAnyPermission(...permissions: string[]): (req: Request, _res: Response, next: NextFunction) => void;
+//# sourceMappingURL=require-permission.d.ts.map

package/dist/middlewares/require-permission.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-permission.d.ts","sourceRoot":"","sources":["../../src/middlewares/require-permission.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAI1D;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,WAAW,EAAE,MAAM,EAAE,IAChD,KAAK,OAAO,EAAE,MAAM,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CA6BhE;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,WAAW,EAAE,MAAM,EAAE,IACnD,KAAK,OAAO,EAAE,MAAM,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CA6BhE"}

package/dist/middlewares/require-permission.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requirePermission = requirePermission;
+exports.requireAnyPermission = requireAnyPermission;
+const config_1 = require("../config");
+const errors_1 = require("../errors");
+/**
+ * Returns middleware that checks if the user has ALL of the required permissions.
+ * Admin roles (from config.adminRoles) bypass this check.
+ */
+function requirePermission(...permissions) {
+    return (req, _res, next) => {
+        if (!req.user) {
+            next(new errors_1.UnauthorizedError('Authentication required'));
+            return;
+        }
+        const config = (0, config_1.getConfig)();
+        // Admin roles bypass all permission checks
+        if (config.adminRoles.includes(req.user.role)) {
+            next();
+            return;
+        }
+        const userPerms = new Set(req.user.permissions);
+        const missing = permissions.filter((p) => !userPerms.has(p));
+        if (missing.length > 0) {
+            next(new errors_1.ForbiddenError('Insufficient permissions', {
+                required: permissions,
+                missing_permissions: missing,
+            }));
+            return;
+        }
+        next();
+    };
+}
+/**
+ * Returns middleware that checks if the user has AT LEAST ONE of the listed permissions.
+ * Admin roles (from config.adminRoles) bypass this check.
+ */
+function requireAnyPermission(...permissions) {
+    return (req, _res, next) => {
+        if (!req.user) {
+            next(new errors_1.UnauthorizedError('Authentication required'));
+            return;
+        }
+        const config = (0, config_1.getConfig)();
+        // Admin roles bypass all permission checks
+        if (config.adminRoles.includes(req.user.role)) {
+            next();
+            return;
+        }
+        const userPerms = new Set(req.user.permissions);
+        const hasAny = permissions.some((p) => userPerms.has(p));
+        if (!hasAny) {
+            next(new errors_1.ForbiddenError('Insufficient permissions — need at least one', {
+                required_any: permissions,
+                actual: req.user.permissions,
+            }));
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=require-permission.js.map

package/dist/middlewares/require-permission.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-permission.js","sourceRoot":"","sources":["../../src/middlewares/require-permission.ts"],"names":[],"mappings":";;AAQA,8CA8BC;AAMD,oDA8BC;AAzED,sCAAsC;AACtC,sCAA8D;AAE9D;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,GAAG,WAAqB;IACxD,OAAO,CAAC,GAAY,EAAE,IAAc,EAAE,IAAkB,EAAQ,EAAE;QAChE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,IAAI,CAAC,IAAI,0BAAiB,CAAC,yBAAyB,CAAC,CAAC,CAAC;YACvD,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,IAAA,kBAAS,GAAE,CAAC;QAE3B,2CAA2C;QAC3C,IAAI,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9C,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAE7D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,CACF,IAAI,uBAAc,CAAC,0BAA0B,EAAE;gBAC7C,QAAQ,EAAE,WAAW;gBACrB,mBAAmB,EAAE,OAAO;aAC7B,CAAC,CACH,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB,CAAC,GAAG,WAAqB;IAC3D,OAAO,CAAC,GAAY,EAAE,IAAc,EAAE,IAAkB,EAAQ,EAAE;QAChE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,IAAI,CAAC,IAAI,0BAAiB,CAAC,yBAAyB,CAAC,CAAC,CAAC;YACvD,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,IAAA,kBAAS,GAAE,CAAC;QAE3B,2CAA2C;QAC3C,IAAI,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9C,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAEzD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,CACF,IAAI,uBAAc,CAAC,8CAA8C,EAAE;gBACjE,YAAY,EAAE,WAAW;gBACzB,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,WAAW;aAC7B,CAAC,CACH,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/middlewares/require-role.d.ts

@@ -0,0 +1,12 @@
+import { Request, Response, NextFunction } from 'express';
+/**
+ * Returns middleware that checks if the authenticated user has one of the allowed roles.
+ *
+ * @param roles - One or more allowed role strings
+ * @returns Express middleware
+ *
+ * @example
+ * app.delete('/v1/vehicles/:id', authenticate, requireRole('super_admin', 'fleet_manager'), handler);
+ */
+export declare function requireRole(...roles: string[]): (req: Request, _res: Response, next: NextFunction) => void;
+//# sourceMappingURL=require-role.d.ts.map

package/dist/middlewares/require-role.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-role.d.ts","sourceRoot":"","sources":["../../src/middlewares/require-role.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG1D;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CAAC,GAAG,KAAK,EAAE,MAAM,EAAE,IACpC,KAAK,OAAO,EAAE,MAAM,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAkBhE"}

package/dist/middlewares/require-role.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireRole = requireRole;
+const errors_1 = require("../errors");
+/**
+ * Returns middleware that checks if the authenticated user has one of the allowed roles.
+ *
+ * @param roles - One or more allowed role strings
+ * @returns Express middleware
+ *
+ * @example
+ * app.delete('/v1/vehicles/:id', authenticate, requireRole('super_admin', 'fleet_manager'), handler);
+ */
+function requireRole(...roles) {
+    return (req, _res, next) => {
+        if (!req.user) {
+            next(new errors_1.UnauthorizedError('Authentication required'));
+            return;
+        }
+        if (!roles.includes(req.user.role)) {
+            next(new errors_1.ForbiddenError('Insufficient role', {
+                required: roles,
+                actual: req.user.role,
+            }));
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=require-role.js.map

package/dist/middlewares/require-role.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-role.js","sourceRoot":"","sources":["../../src/middlewares/require-role.ts"],"names":[],"mappings":";;AAYA,kCAmBC;AA9BD,sCAA8D;AAE9D;;;;;;;;GAQG;AACH,SAAgB,WAAW,CAAC,GAAG,KAAe;IAC5C,OAAO,CAAC,GAAY,EAAE,IAAc,EAAE,IAAkB,EAAQ,EAAE;QAChE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,IAAI,CAAC,IAAI,0BAAiB,CAAC,yBAAyB,CAAC,CAAC,CAAC;YACvD,OAAO;QACT,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACnC,IAAI,CACF,IAAI,uBAAc,CAAC,mBAAmB,EAAE;gBACtC,QAAQ,EAAE,KAAK;gBACf,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI;aACtB,CAAC,CACH,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/middlewares/require-self.d.ts

@@ -0,0 +1,10 @@
+import { Request, Response, NextFunction } from 'express';
+/**
+ * Returns middleware that ensures the authenticated user can only access their own resources.
+ * Compares `req.user.userId` with `req.params[paramName]`.
+ * Admin roles (from config.adminRoles) bypass this check.
+ *
+ * @param paramName - Route parameter name to compare against. Default: 'userId'
+ */
+export declare function requireSelf(paramName?: string): (req: Request, _res: Response, next: NextFunction) => void;
+//# sourceMappingURL=require-self.d.ts.map

package/dist/middlewares/require-self.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-self.d.ts","sourceRoot":"","sources":["../../src/middlewares/require-self.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAI1D;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,SAAS,SAAW,IACtC,KAAK,OAAO,EAAE,MAAM,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAiChE"}

package/dist/middlewares/require-self.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireSelf = requireSelf;
+const config_1 = require("../config");
+const errors_1 = require("../errors");
+/**
+ * Returns middleware that ensures the authenticated user can only access their own resources.
+ * Compares `req.user.userId` with `req.params[paramName]`.
+ * Admin roles (from config.adminRoles) bypass this check.
+ *
+ * @param paramName - Route parameter name to compare against. Default: 'userId'
+ */
+function requireSelf(paramName = 'userId') {
+    return (req, _res, next) => {
+        if (!req.user) {
+            next(new errors_1.UnauthorizedError('Authentication required'));
+            return;
+        }
+        const config = (0, config_1.getConfig)();
+        // Admin roles bypass self check
+        if (config.adminRoles.includes(req.user.role)) {
+            next();
+            return;
+        }
+        const targetUserId = req.params[paramName];
+        if (!targetUserId) {
+            next(new errors_1.ForbiddenError(`Route parameter '${paramName}' is missing`));
+            return;
+        }
+        if (req.user.userId !== targetUserId) {
+            next(new errors_1.ForbiddenError('You can only access your own resources', {
+                target: targetUserId,
+                actual: req.user.userId,
+            }));
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=require-self.js.map

package/dist/middlewares/require-self.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-self.js","sourceRoot":"","sources":["../../src/middlewares/require-self.ts"],"names":[],"mappings":";;AAWA,kCAkCC;AA5CD,sCAAsC;AACtC,sCAA8D;AAE9D;;;;;;GAMG;AACH,SAAgB,WAAW,CAAC,SAAS,GAAG,QAAQ;IAC9C,OAAO,CAAC,GAAY,EAAE,IAAc,EAAE,IAAkB,EAAQ,EAAE;QAChE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,IAAI,CAAC,IAAI,0BAAiB,CAAC,yBAAyB,CAAC,CAAC,CAAC;YACvD,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,IAAA,kBAAS,GAAE,CAAC;QAE3B,gCAAgC;QAChC,IAAI,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9C,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAE3C,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,IAAI,CAAC,IAAI,uBAAc,CAAC,oBAAoB,SAAS,cAAc,CAAC,CAAC,CAAC;YACtE,OAAO;QACT,CAAC;QAED,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;YACrC,IAAI,CACF,IAAI,uBAAc,CAAC,wCAAwC,EAAE;gBAC3D,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM;aACxB,CAAC,CACH,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/middlewares/require-tenant.d.ts

@@ -0,0 +1,11 @@
+import { Request, Response, NextFunction } from 'express';
+/**
+ * Middleware that ensures the authenticated user has a tenantId.
+ * Sets `req.tenantId` for convenience in downstream handlers.
+ *
+ * @example
+ * app.get('/v1/vehicles', authenticate, requireTenant, handler);
+ * // handler can use req.tenantId directly
+ */
+export declare function requireTenant(req: Request, _res: Response, next: NextFunction): void;
+//# sourceMappingURL=require-tenant.d.ts.map

package/dist/middlewares/require-tenant.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-tenant.d.ts","sourceRoot":"","sources":["../../src/middlewares/require-tenant.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG1D;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI,CAapF"}

package/dist/middlewares/require-tenant.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireTenant = requireTenant;
+const errors_1 = require("../errors");
+/**
+ * Middleware that ensures the authenticated user has a tenantId.
+ * Sets `req.tenantId` for convenience in downstream handlers.
+ *
+ * @example
+ * app.get('/v1/vehicles', authenticate, requireTenant, handler);
+ * // handler can use req.tenantId directly
+ */
+function requireTenant(req, _res, next) {
+    if (!req.user) {
+        next(new errors_1.UnauthorizedError('Authentication required'));
+        return;
+    }
+    if (!req.user.tenantId) {
+        next(new errors_1.ForbiddenError('Tenant context required'));
+        return;
+    }
+    req.tenantId = req.user.tenantId;
+    next();
+}
+//# sourceMappingURL=require-tenant.js.map

package/dist/middlewares/require-tenant.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-tenant.js","sourceRoot":"","sources":["../../src/middlewares/require-tenant.ts"],"names":[],"mappings":";;AAWA,sCAaC;AAvBD,sCAA8D;AAE9D;;;;;;;GAOG;AACH,SAAgB,aAAa,CAAC,GAAY,EAAE,IAAc,EAAE,IAAkB;IAC5E,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACd,IAAI,CAAC,IAAI,0BAAiB,CAAC,yBAAyB,CAAC,CAAC,CAAC;QACvD,OAAO;IACT,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,uBAAc,CAAC,yBAAyB,CAAC,CAAC,CAAC;QACpD,OAAO;IACT,CAAC;IAED,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;IACjC,IAAI,EAAE,CAAC;AACT,CAAC"}

package/dist/nestjs/constants.d.ts

@@ -0,0 +1,5 @@
+export declare const GT_AUTH_CONFIG = "GT_AUTH_CONFIG";
+export declare const IS_PUBLIC_KEY = "isPublic";
+export declare const PERMISSIONS_KEY = "permissions";
+export declare const ROLES_KEY = "roles";
+//# sourceMappingURL=constants.d.ts.map

package/dist/nestjs/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/nestjs/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,cAAc,mBAAmB,CAAC;AAC/C,eAAO,MAAM,aAAa,aAAa,CAAC;AACxC,eAAO,MAAM,eAAe,gBAAgB,CAAC;AAC7C,eAAO,MAAM,SAAS,UAAU,CAAC"}

package/dist/nestjs/constants.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ROLES_KEY = exports.PERMISSIONS_KEY = exports.IS_PUBLIC_KEY = exports.GT_AUTH_CONFIG = void 0;
+exports.GT_AUTH_CONFIG = 'GT_AUTH_CONFIG';
+exports.IS_PUBLIC_KEY = 'isPublic';
+exports.PERMISSIONS_KEY = 'permissions';
+exports.ROLES_KEY = 'roles';
+//# sourceMappingURL=constants.js.map

package/dist/nestjs/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/nestjs/constants.ts"],"names":[],"mappings":";;;AAAa,QAAA,cAAc,GAAG,gBAAgB,CAAC;AAClC,QAAA,aAAa,GAAG,UAAU,CAAC;AAC3B,QAAA,eAAe,GAAG,aAAa,CAAC;AAChC,QAAA,SAAS,GAAG,OAAO,CAAC"}

package/dist/nestjs/decorators/index.d.ts

@@ -0,0 +1,44 @@
+import { AuthUser } from '../../types';
+/**
+ * Extract the authenticated user (or a specific property) from the request.
+ *
+ * @example
+ * @Get()
+ * getProfile(@CurrentUser() user: AuthUser) { ... }
+ *
+ * @Get()
+ * getProfile(@CurrentUser('userId') userId: string) { ... }
+ */
+export declare const CurrentUser: (...dataOrPipes: (keyof AuthUser | import("@nestjs/common").PipeTransform<any, any> | import("@nestjs/common").Type<import("@nestjs/common").PipeTransform<any, any>> | undefined)[]) => ParameterDecorator;
+/**
+ * Extract the current organization ID from the authenticated user.
+ *
+ * @example
+ * @Get()
+ * list(@CurrentOrg() orgId: string) { ... }
+ */
+export declare const CurrentOrg: (...dataOrPipes: unknown[]) => ParameterDecorator;
+/**
+ * Mark a route as public — bypasses InternalOnlyGuard and PermissionsGuard.
+ */
+export declare const Public: () => import("@nestjs/common").CustomDecorator<string>;
+/**
+ * Require specific permissions on a route.
+ * Format: 'resource:action' e.g. 'vehicles:create', 'geofences:read'
+ *
+ * @example
+ * @Post()
+ * @RequirePermissions('vehicles:create')
+ * create(@Body() dto: CreateVehicleDto) { ... }
+ */
+export declare const RequirePermissions: (...permissions: string[]) => import("@nestjs/common").CustomDecorator<string>;
+/**
+ * Require specific roles on a route.
+ *
+ * @example
+ * @Delete(':id')
+ * @RequireRoles('system_admin')
+ * remove(@Param('id') id: string) { ... }
+ */
+export declare const RequireRoles: (...roles: string[]) => import("@nestjs/common").CustomDecorator<string>;
+//# sourceMappingURL=index.d.ts.map

package/dist/nestjs/decorators/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/nestjs/decorators/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC;;;;;;;;;GASG;AACH,eAAO,MAAM,WAAW,6MASvB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,UAAU,mDAKtB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,MAAM,wDAAyC,CAAC;AAE7D;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAAI,GAAG,aAAa,MAAM,EAAE,qDAChB,CAAC;AAE5C;;;;;;;GAOG;AACH,eAAO,MAAM,YAAY,GAAI,GAAG,OAAO,MAAM,EAAE,qDAChB,CAAC"}

package/dist/nestjs/decorators/index.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RequireRoles = exports.RequirePermissions = exports.Public = exports.CurrentOrg = exports.CurrentUser = void 0;
+const common_1 = require("@nestjs/common");
+const constants_1 = require("../constants");
+/**
+ * Extract the authenticated user (or a specific property) from the request.
+ *
+ * @example
+ * @Get()
+ * getProfile(@CurrentUser() user: AuthUser) { ... }
+ *
+ * @Get()
+ * getProfile(@CurrentUser('userId') userId: string) { ... }
+ */
+exports.CurrentUser = (0, common_1.createParamDecorator)((data, ctx) => {
+    const request = ctx.switchToHttp().getRequest();
+    const user = request.user;
+    if (data) {
+        return user?.[data];
+    }
+    return user;
+});
+/**
+ * Extract the current organization ID from the authenticated user.
+ *
+ * @example
+ * @Get()
+ * list(@CurrentOrg() orgId: string) { ... }
+ */
+exports.CurrentOrg = (0, common_1.createParamDecorator)((_data, ctx) => {
+    const request = ctx.switchToHttp().getRequest();
+    return request.user?.orgId;
+});
+/**
+ * Mark a route as public — bypasses InternalOnlyGuard and PermissionsGuard.
+ */
+const Public = () => (0, common_1.SetMetadata)(constants_1.IS_PUBLIC_KEY, true);
+exports.Public = Public;
+/**
+ * Require specific permissions on a route.
+ * Format: 'resource:action' e.g. 'vehicles:create', 'geofences:read'
+ *
+ * @example
+ * @Post()
+ * @RequirePermissions('vehicles:create')
+ * create(@Body() dto: CreateVehicleDto) { ... }
+ */
+const RequirePermissions = (...permissions) => (0, common_1.SetMetadata)(constants_1.PERMISSIONS_KEY, permissions);
+exports.RequirePermissions = RequirePermissions;
+/**
+ * Require specific roles on a route.
+ *
+ * @example
+ * @Delete(':id')
+ * @RequireRoles('system_admin')
+ * remove(@Param('id') id: string) { ... }
+ */
+const RequireRoles = (...roles) => (0, common_1.SetMetadata)(constants_1.ROLES_KEY, roles);
+exports.RequireRoles = RequireRoles;
+//# sourceMappingURL=index.js.map

package/dist/nestjs/decorators/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/nestjs/decorators/index.ts"],"names":[],"mappings":";;;AAAA,2CAAqF;AAErF,4CAAyE;AAEzE;;;;;;;;;GASG;AACU,QAAA,WAAW,GAAG,IAAA,6BAAoB,EAC7C,CAAC,IAAgC,EAAE,GAAqB,EAAE,EAAE;IAC1D,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;IAChD,MAAM,IAAI,GAAyB,OAAO,CAAC,IAAI,CAAC;IAChD,IAAI,IAAI,EAAE,CAAC;QACT,OAAO,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,CACF,CAAC;AAEF;;;;;;GAMG;AACU,QAAA,UAAU,GAAG,IAAA,6BAAoB,EAC5C,CAAC,KAAc,EAAE,GAAqB,EAAE,EAAE;IACxC,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;IAChD,OAAO,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;AAC7B,CAAC,CACF,CAAC;AAEF;;GAEG;AACI,MAAM,MAAM,GAAG,GAAG,EAAE,CAAC,IAAA,oBAAW,EAAC,yBAAa,EAAE,IAAI,CAAC,CAAC;AAAhD,QAAA,MAAM,UAA0C;AAE7D;;;;;;;;GAQG;AACI,MAAM,kBAAkB,GAAG,CAAC,GAAG,WAAqB,EAAE,EAAE,CAC7D,IAAA,oBAAW,EAAC,2BAAe,EAAE,WAAW,CAAC,CAAC;AAD/B,QAAA,kBAAkB,sBACa;AAE5C;;;;;;;GAOG;AACI,MAAM,YAAY,GAAG,CAAC,GAAG,KAAe,EAAE,EAAE,CACjD,IAAA,oBAAW,EAAC,qBAAS,EAAE,KAAK,CAAC,CAAC;AADnB,QAAA,YAAY,gBACO"}

package/dist/nestjs/filters/auth-exception.filter.d.ts

@@ -0,0 +1,16 @@
+import { ArgumentsHost, ExceptionFilter } from '@nestjs/common';
+import { AuthError } from '../../errors';
+/**
+ * NestJS exception filter for AuthError and its subclasses.
+ * Returns the standard Global Tracking error envelope via toResponse().
+ *
+ * Register globally or per-controller:
+ * ```
+ * app.useGlobalFilters(new AuthExceptionFilter());
+ * ```
+ */
+export declare class AuthExceptionFilter implements ExceptionFilter {
+    private readonly logger;
+    catch(exception: AuthError, host: ArgumentsHost): void;
+}
+//# sourceMappingURL=auth-exception.filter.d.ts.map

package/dist/nestjs/filters/auth-exception.filter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-exception.filter.d.ts","sourceRoot":"","sources":["../../../src/nestjs/filters/auth-exception.filter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAS,eAAe,EAAU,MAAM,gBAAgB,CAAC;AAE/E,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC;;;;;;;;GAQG;AACH,qBACa,mBAAoB,YAAW,eAAe;IACzD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwC;IAE/D,KAAK,CAAC,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa,GAAG,IAAI;CAQvD"}

package/dist/nestjs/filters/auth-exception.filter.js

@@ -0,0 +1,37 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var AuthExceptionFilter_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthExceptionFilter = void 0;
+const common_1 = require("@nestjs/common");
+const errors_1 = require("../../errors");
+/**
+ * NestJS exception filter for AuthError and its subclasses.
+ * Returns the standard Global Tracking error envelope via toResponse().
+ *
+ * Register globally or per-controller:
+ * ```
+ * app.useGlobalFilters(new AuthExceptionFilter());
+ * ```
+ */
+let AuthExceptionFilter = AuthExceptionFilter_1 = class AuthExceptionFilter {
+    constructor() {
+        this.logger = new common_1.Logger(AuthExceptionFilter_1.name);
+    }
+    catch(exception, host) {
+        const ctx = host.switchToHttp();
+        const response = ctx.getResponse();
+        this.logger.warn(`${exception.code}: ${exception.message}`);
+        response.status(exception.statusCode).json(exception.toResponse());
+    }
+};
+exports.AuthExceptionFilter = AuthExceptionFilter;
+exports.AuthExceptionFilter = AuthExceptionFilter = AuthExceptionFilter_1 = __decorate([
+    (0, common_1.Catch)(errors_1.AuthError)
+], AuthExceptionFilter);
+//# sourceMappingURL=auth-exception.filter.js.map

package/dist/nestjs/filters/auth-exception.filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-exception.filter.js","sourceRoot":"","sources":["../../../src/nestjs/filters/auth-exception.filter.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAA+E;AAE/E,yCAAyC;AAEzC;;;;;;;;GAQG;AAEI,IAAM,mBAAmB,2BAAzB,MAAM,mBAAmB;IAAzB;QACY,WAAM,GAAG,IAAI,eAAM,CAAC,qBAAmB,CAAC,IAAI,CAAC,CAAC;IAUjE,CAAC;IARC,KAAK,CAAC,SAAoB,EAAE,IAAmB;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAY,CAAC;QAE7C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,IAAI,KAAK,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;QAE5D,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC;IACrE,CAAC;CACF,CAAA;AAXY,kDAAmB;8BAAnB,mBAAmB;IAD/B,IAAA,cAAK,EAAC,kBAAS,CAAC;GACJ,mBAAmB,CAW/B"}

package/dist/nestjs/gt-auth.module.d.ts

@@ -0,0 +1,31 @@
+import { DynamicModule, MiddlewareConsumer, NestModule } from '@nestjs/common';
+import { AuthConfig } from '../types';
+export interface GtAuthModuleOptions extends AuthConfig {
+}
+export interface GtAuthModuleAsyncOptions {
+    imports?: any[];
+    inject?: any[];
+    useFactory: (...args: any[]) => GtAuthModuleOptions | Promise<GtAuthModuleOptions>;
+}
+/**
+ * NestJS dynamic module for Global Tracking authentication and authorization.
+ *
+ * Provides: InternalOnlyGuard, GtPermissionsGuard, GtAuthGuard,
+ * OrgContextInterceptor, AuthExceptionFilter, and the GtTrustedHeadersMiddleware.
+ *
+ * @example
+ * ```typescript
+ * GtAuthModule.forRoot({
+ *   strategies: ['trusted-headers'],
+ *   internalGatewayToken: 'secret',
+ *   adminRoles: ['system_admin', 'org_admin'],
+ *   rbacServiceUrl: 'http://gt-rbac-service:3000',
+ * })
+ * ```
+ */
+export declare class GtAuthModule implements NestModule {
+    configure(consumer: MiddlewareConsumer): void;
+    static forRoot(options?: GtAuthModuleOptions): DynamicModule;
+    static forRootAsync(options: GtAuthModuleAsyncOptions): DynamicModule;
+}
+//# sourceMappingURL=gt-auth.module.d.ts.map

package/dist/nestjs/gt-auth.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gt-auth.module.d.ts","sourceRoot":"","sources":["../../src/nestjs/gt-auth.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAU,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACvF,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAUtC,MAAM,WAAW,mBAAoB,SAAQ,UAAU;CAAG;AAE1D,MAAM,WAAW,wBAAwB;IACvC,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;IAChB,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC;IACf,UAAU,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;CACpF;AAED;;;;;;;;;;;;;;;GAeG;AACH,qBACa,YAAa,YAAW,UAAU;IAC7C,SAAS,CAAC,QAAQ,EAAE,kBAAkB,GAAG,IAAI;IAI7C,MAAM,CAAC,OAAO,CAAC,OAAO,GAAE,mBAAwB,GAAG,aAAa;IA4BhE,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,wBAAwB,GAAG,aAAa;CA+BtE"}