npm - @go-mondo/nextjs-auth - Versions diffs - 0.2.0 → 0.2.1 - Mend

@go-mondo/nextjs-auth 0.2.0 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/client.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/errors/auth.ts","../src/errors/access-token.ts","../src/crypto/secrets.ts","../src/http/cookies.ts","../src/session/model.ts","../src/session/assert.ts","../src/session/utils.ts","../src/session/stores/abstract-store.ts","../src/session/stores/stateless-store.ts","../src/oauth/oidc.ts","../src/oauth/access-token.ts","../src/errors/config.ts","../src/config/routes.ts","../src/config/schema.ts","../src/config/utils.ts","../src/config/config.ts","../src/core/instance.ts","../src/errors/handlers.ts","../src/errors/state.ts","../src/transactions/store.ts","../src/routes/callback.ts","../src/oauth/types.ts","../src/http/url.ts","../src/routes/login.ts","../src/routes/logout.ts","../src/routes/session.ts","../src/routes/access-token.ts","../src/client.ts"],"names":["cookies","parse","cookie","serialize","bool","ironSession","getIronSession","oidc","z","NextResponse","handler","buildOptions"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,SAAS,WAAA,CAAY,cAAsB,KAAA,EAAuB;AAChE,EAAA,IAAI,CAAC,OAAO,OAAO,YAAA;AACnB,EAAA,MAAM,SAAA,GAAY,YAAA,CAAa,QAAA,CAAS,GAAG,IAAI,EAAA,GAAK,GAAA;AACpD,EAAA,OAAO,GAAG,YAAY,CAAA,EAAG,SAAS,CAAA,QAAA,EAAW,MAAM,OAAO,CAAA,CAAA;AAC5D;AAgBO,IAAe,SAAA,GAAf,cAAiC,KAAA,CAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAO5B,IAAA;AAAA;AAAA;AAAA;AAAA,EAKA,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,KAAA;AAAA;AAAA;AAAA;AAAA,EAKA,MAAA;AAAA;AAAA;AAAA;AAAA,EAKhB,YAAY,OAAA,EAA2B;AAErC,IAAA,KAAA,CAAM,WAAA,CAAY,OAAA,CAAQ,OAAA,EAAS,OAAA,CAAQ,KAAK,CAAC,CAAA;AACjD,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA;AACpB,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA;AACpB,IAAA,IAAA,CAAK,QAAQ,OAAA,CAAQ,KAAA;AACrB,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AAAA,EACxB;AACF,CAAA;;;AC/BO,IAAM,gBAAA,GAAN,MAAM,iBAAA,SAAyB,SAAA,CAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAM9C,WAAA,CAAY,IAAA,EAA4B,OAAA,EAAiB,KAAA,EAAe;AAEtE,IAAA,KAAA,CAAM,EAAE,IAAA,EAAY,OAAA,EAAkB,IAAA,EAAM,kBAAA,EAAoB,OAAO,CAAA;AAEvE,IAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAC9C,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,iBAAA,CAAiB,SAAS,CAAA;AAAA,EACxD;AACF,CAAA;;;AC5BO,SAAS,WAAW,MAAA,EAAyB;AAClD,EAAA,MAAM,YAAA,GAAe,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,MAAM,IAC5C,MAAA,CAAO,MAAA,GACP,CAAC,MAAA,CAAO,MAAM,CAAA;AAElB,EAAA,MAAM,UAAmB,EAAC;AAC1B,EAAA,YAAA,CAAa,OAAA,CAAQ,CAAC,MAAA,EAAQ,KAAA,KAAU;AACtC,IAAA,OAAA,CAAQ,YAAA,CAAa,MAAA,GAAS,KAAK,CAAA,GAAI,MAAA;AAAA,EACzC,CAAC,CAAA;AAED,EAAA,OAAO,OAAA;AACT;ACKA,eAAsB,aAAA,CACpB,KACA,GAAA,EACsB;AACtB,EAAA,IAAI,GAAA,EAAK;AACP,IAAA,OAAO,IAAI,eAAA,CAAgB,GAAA,EAAK,GAAG,CAAA;AAAA,EACrC;AAEA,EAAA,OAAOA,kBAAA,EAAQ;AACjB;AAKO,IAAM,kBAAN,MAA6C;AAAA,EAClD,WAAA,CACW,KACA,GAAA,EACT;AAFS,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AAAA,EACR;AAAA,EAFQ,GAAA;AAAA,EACA,GAAA;AAAA,EAGX,IAAI,UAAA,EAAiE;AACnE,IAAA,MAAM,KAAA,GAAQC,YAAA,CAAM,IAAA,CAAK,GAAA,CAAI,OAAA,CAAQ,IAAI,QAAQ,CAAA,IAAK,EAAE,CAAA,CAAE,UAAU,CAAA;AAEpE,IAAA,OAAO,UAAU,MAAA,GAAY,MAAA,GAAY,EAAE,IAAA,EAAM,YAAY,KAAA,EAAM;AAAA,EACrE;AAAA,EAIA,GAAA,CACE,aAAA,EACA,KAAA,EACA,MAAA,EACA;AACA,IAAA,IAAI,OAAO,kBAAkB,QAAA,EAAU;AACrC,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,aAAA,EAAe,KAAA,EAAiB,MAAM,CAAA;AAAA,IAC9D;AAEA,IAAA,OAAO,IAAA,CAAK,SAAA;AAAA,MACV,aAAA,CAAc,IAAA;AAAA,MACd,aAAA,CAAc,KAAA;AAAA,MACd;AAAA,KACF;AAAA,EACF;AAAA,EAEQ,SAAA,CACN,IAAA,EACA,KAAA,EACAC,QAAA,EACA;AACA,IAAA,IAAI,CAAC,KAAK,GAAA,EAAK;AACb,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,WAAA,GAAcC,gBAAA,CAAU,IAAA,EAAM,KAAA,EAAOD,QAAM,CAAA;AAEjD,IAAA,IAAA,CAAK,GAAA,CAAI,OAAA,CAAQ,MAAA,CAAO,YAAA,EAAc,WAAW,CAAA;AAAA,EACnD;AACF,CAAA;;;AC7DO,IAAM,UAAN,MAEP;AAAA;AAAA;AAAA;AAAA,EAIE,IAAA;AAAA;AAAA;AAAA;AAAA,EAKA,QAAA;AAAA;AAAA;AAAA;AAAA,EAKA,SAAA;AAAA;AAAA;AAAA;AAAA,EAKA,SAAA;AAAA;AAAA;AAAA;AAAA,EAKA,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,cAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAY,KAAA,EAAsC;AAChD,IAAA,IAAA,CAAK,OAAO,KAAA,CAAM,IAAA;AAClB,IAAA,IAAA,CAAK,WAAW,KAAA,CAAM,QAAA;AACtB,IAAA,IAAA,CAAK,YAAY,KAAA,CAAM,SAAA;AACvB,IAAA,IAAA,CAAK,YAAY,KAAA,CAAM,SAAA;AACvB,IAAA,IAAA,CAAK,iBAAiB,KAAA,CAAM,cAAA;AAC5B,IAAA,IAAA,CAAK,gBAAgB,KAAA,CAAM,aAAA;AAAA,EAC7B;AACF,CAAA;AASO,SAAS,0BACd,qBAAA,EACqB;AACrB,EAAA,MAAM,EAAE,KAAK,GAAA,EAAK,GAAA,EAAK,KAAK,KAAA,EAAO,GAAG,MAAK,GAAI,SAAA;AAAA,IAC7C,qBAAA,CAAsB;AAAA,GACxB;AAEA,EAAA,MAAM;AAAA,IACJ,QAAA;AAAA,IACA,YAAA;AAAA,IACA,KAAA;AAAA,IACA,UAAA;AAAA,IACA,UAAA;AAAA,IACA,aAAA;AAAA,IACA,UAAA;AAAA,IACA,GAAG;AAAA,GACL,GAAI,qBAAA;AAEJ,EAAA,MAAM,gBAAgB,YAAA,GAClB;AAAA,IACE,WAAA,EAAa,YAAA;AAAA,IACb,KAAA;AAAA,IACA,SAAA,EAAW,KAAK,KAAA,CAAM,IAAA,CAAK,KAAI,GAAI,GAAI,CAAA,GAAI,MAAA,CAAO,UAAU,CAAA;AAAA,IAC5D,YAAA,EAAc,aAAA;AAAA,IACd,IAAA,EAAM;AAAA,GACR,GACA,MAAA;AAEJ,EAAA,MAAM,iBAAiB,QAAA,GACnB;AAAA,IACE,OAAA,EAAS;AAAA,GACX,GACA,MAAA;AAEJ,EAAA,OAAO,MAAA,CAAO,MAAA;AAAA,IACZ,IAAI,OAAA,CAAQ;AAAA,MACV,IAAA;AAAA,MACA,QAAA,EAAU,GAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW,GAAA;AAAA,MACX,aAAA;AAAA,MACA;AAAA,KACD,CAAA;AAAA,IACD;AAAA,GACF;AACF;AAEA,SAAS,UAAmB,GAAA,EAAsB;AAChD,EAAA,MAAM,GAAG,OAAO,CAAA,GAAI,GAAA,CAAI,MAAM,GAAG,CAAA;AAEjC,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,IAAI,UAAU,sBAAsB,CAAA;AAAA,EAC5C;AAEA,EAAA,MAAM,UAAA,GAAa,QAAQ,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAC/D,EAAA,MAAM,SAAS,UAAA,CAAW,MAAA;AAAA,IACxB,UAAA,CAAW,MAAA,GAAA,CAAW,CAAA,GAAK,UAAA,CAAW,SAAS,CAAA,IAAM,CAAA;AAAA,IACrD;AAAA,GACF;AAEA,EAAA,MAAM,OAAA,GACJ,OAAO,IAAA,KAAS,UAAA,GACZ,IAAA,CAAK,MAAM,CAAA,GACX,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAA,CAAE,SAAS,QAAQ,CAAA;AAErD,EAAA,MAAM,IAAA,GAAO,kBAAA;AAAA,IACX,KAAA,CAAM,IAAA;AAAA,MACJ,OAAA;AAAA,MACA,CAAC,IAAA,KAAS,CAAA,CAAA,EAAI,IAAA,CAAK,UAAA,CAAW,CAAC,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA;AAAA,KAChE,CAAE,KAAK,EAAE;AAAA,GACX;AAEA,EAAA,OAAO,IAAA,CAAK,MAAM,IAAI,CAAA;AACxB;;;AC5JO,IAAM,aAAA,GAAgB,CAACE,KAAAA,EAAe,GAAA,KAAgB;AAC3D,EAAA,IAAI,CAACA,KAAAA,EAAM;AACT,IAAA,MAAM,IAAI,MAAM,GAAG,CAAA;AAAA,EACrB;AACF,CAAA;;;ACJO,IAAM,KAAA,GAAQ,MAAe,IAAA,CAAK,GAAA,KAAQ,GAAA,GAAQ,CAAA;;;ACYlD,IAAe,uBAAf,MAEP;AAAA,EACE,YAA+B,MAAA,EAAgB;AAAhB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAiB;AAAA,EAAjB,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAW/B,MAAa,GAAA,GAAgD;AAC3D,IAAA,MAAM,EAAE,gBAAA,EAAkB,YAAA,EAAa,GAAI,KAAK,MAAA,CAAO,OAAA;AACvD,IAAA,MAAM,MAAM,KAAA,EAAM;AAElB,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,IAAA,EAAK;AAEhC,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,aAAA;AAAA,UACE,QAAQ,SAAA,GAAY,GAAA;AAAA,UACpB;AAAA,SACF;AAEA,QAAA,IAAI,iBAAiB,KAAA,EAAO;AAC1B,UAAA,aAAA;AAAA,YACE,OAAA,CAAQ,YAAY,YAAA,GAAe,GAAA;AAAA,YACnC;AAAA,WACF;AAAA,QACF;AAEA,QAAA,IAAI,qBAAqB,KAAA,EAAO;AAC9B,UAAA,aAAA;AAAA,YACE,OAAA,CAAQ,WAAW,gBAAA,GAAmB,GAAA;AAAA,YACtC;AAAA,WACF;AAAA,QACF;AAEA,QAAA,OAAO,OAAA;AAAA,MACT;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,OAAA,EAA6C;AACrD,IAAA,OAAA,CAAQ,SAAA,GAAY,YAAA,CAAa,OAAA,CAAQ,SAAA,EAAW,KAAK,MAAA,EAAQ;AAAA,MAC/D,UAAU,OAAA,CAAQ;AAAA,KACnB,CAAA;AACD,IAAA,MAAM,IAAA,CAAK,KAAK,OAAO,CAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,GAAwB;AAC5B,IAAA,MAAM,KAAK,OAAA,EAAQ;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,KAAA,GAAkD;AACtD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,GAAA,EAAI;AAC/B,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA;AAAA,IACF;AAEA,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,YAAA,KAAiB,KAAA,EAAO;AAC9C,MAAA,OAAO,OAAA;AAAA,IACT;AAEA,IAAA,MAAM,YAAY,KAAA,EAAM;AACxB,IAAA,MAAM,SAAA,GAAY,YAAA,CAAa,SAAA,EAAW,IAAA,CAAK,MAAA,EAAQ;AAAA,MACrD,UAAU,OAAA,CAAQ;AAAA,KACnB,CAAA;AAED,IAAA,OAAA,CAAQ,SAAA,GAAY,SAAA;AACpB,IAAA,OAAA,CAAQ,SAAA,GAAY,SAAA;AAEpB,IAAA,MAAM,IAAA,CAAK,IAAI,OAAO,CAAA;AAEtB,IAAA,OAAO,OAAA;AAAA,EACT;AACF,CAAA;AAEA,SAAS,YAAA,CACP,SAAA,EACA,MAAA,EACA,OAAA,EACQ;AACR,EAAA,MAAM,EAAE,gBAAA,EAAkB,YAAA,EAAa,GAAI,MAAA,CAAO,OAAA;AAClD,EAAA,MAAM,aAAuB,EAAC;AAE9B,EAAA,IAAI,iBAAiB,KAAA,EAAO;AAC1B,IAAA,UAAA,CAAW,IAAA,CAAK,YAAY,YAAY,CAAA;AAAA,EAC1C;AAEA,EAAA,IAAI,qBAAqB,KAAA,EAAO;AAC9B,IAAA,UAAA,CAAW,IAAA,CAAK,OAAA,CAAQ,QAAA,GAAW,gBAAgB,CAAA;AAAA,EACrD;AAEA,EAAA,OAAO,IAAA,CAAK,GAAA,CAAI,GAAG,UAAU,CAAA;AAC/B;;;AC9FO,SAAS,mBAAA,CACd,MAAA,EACA,OAAA,EACA,QAAA,EACmC;AACnC,EAAA,OAAO,IAAI,wBAAA,CAAyB,MAAA,EAAQ,OAAA,EAAS,QAAQ,CAAA;AAC/D;AAKO,IAAM,wBAAA,GAAN,cAEG,oBAAA,CAAiC;AAAA,EAKzC,WAAA,CACE,MAAA,EACA,OAAA,GAAkC,MAAA,EAClC,QAAA,GAAoC,MAAA,EACnB,WAAA,GAEyB,MACxC,aAAA,CAAc,OAAA,EAAS,QAAQ,CAAA,EACjC;AACA,IAAA,KAAA,CAAM,MAAM,CAAA;AALK,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AAOjB,IAAA,IAAA,CAAK,UAAA,GAAa,OAAO,OAAA,CAAQ,IAAA;AACjC,IAAA,IAAA,CAAK,aAAA,GAAgB;AAAA,MACnB,GAAG,OAAO,OAAA,CAAQ,MAAA;AAAA,MAClB,QAAA,EAAU;AAAA,KACZ;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,WAAW,MAAM,CAAA;AAAA,EAClC;AAAA,EAdmB,WAAA;AAAA,EARF,OAAA;AAAA,EACA,UAAA;AAAA,EACA,aAAA;AAAA,EAsBjB,MAAM,IAAA,GAAiD;AACrD,IAAA,MAAM,CAAC,OAAA,EAAS,aAAA,EAAe,cAAc,CAAA,GAAI,MAAM,KAAK,aAAA,EAAc;AAE1E,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAI,OAAA,CAAQ;AAAA,MACjB,GAAG,OAAA,CAAQ,IAAA;AAAA,MACX,aAAA,EAAe,cAAc,IAAA,IAAQ,MAAA;AAAA,MACrC,cAAA,EAAgB,eAAe,IAAA,IAAQ;AAAA,KACxC,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,MAAM,CAAC,OAAA,EAAS,aAAA,EAAe,cAAc,CAAA,GAAI,MAAM,KAAK,aAAA,EAAc;AAE1E,IAAA,MAAM;AAAA,MACJ,IAAA;AAAA,MACA,QAAA;AAAA,MACA,SAAA;AAAA,MACA,SAAA;AAAA,MACA,aAAA,EAAe,KAAA;AAAA,MACf,cAAA,EAAgB;AAAA,KAClB,GAAI,OAAA;AAEJ,IAAA,OAAA,CAAQ,IAAA,GAAO,EAAE,IAAA,EAAM,QAAA,EAAU,WAAW,SAAA,EAAU;AACtD,IAAA,cAAA,CAAe,IAAA,GAAO,KAAA;AACtB,IAAA,aAAA,CAAc,IAAA,GAAO,KAAA;AAErB,IAAA,MAAM,QAAQ,GAAA,CAAI;AAAA,MAChB,QAAQ,IAAA,EAAK;AAAA,MACb,cAAc,IAAA,EAAK;AAAA,MACnB,eAAe,IAAA;AAAK,KACrB,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,OAAA,GAAyB;AAC7B,IAAA,MAAM,CAAC,OAAA,EAAS,aAAA,EAAe,cAAc,CAAA,GAAI,MAAM,KAAK,aAAA,EAAc;AAE1E,IAAA,MAAM,QAAQ,GAAA,CAAI;AAAA,MAChB,QAAQ,OAAA,EAAQ;AAAA,MAChB,cAAc,OAAA,EAAQ;AAAA,MACtB,eAAe,OAAA;AAAQ,KACxB,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,aAAA,GAAgB;AAC5B,IAAA,OAAO,MAAM,QAAQ,GAAA,CAAI;AAAA,MACvB,IAAA,CAAK,UAAwC,SAAS,CAAA;AAAA,MACtD,IAAA,CAAK,UAAgC,eAAe,CAAA;AAAA,MACpD,IAAA,CAAK,UAAiC,gBAAgB;AAAA,KACvD,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,UACZ,IAAA,EACyE;AACzE,IAAA,MAAMC,aAAA,GAAc,MAAMC,0BAAA,CAExB,MAAM,KAAK,WAAA,CAAY,IAAA,CAAK,MAAM,CAAA,EAAG;AAAA,MACrC,UAAA,EAAY,CAAA,EAAG,IAAA,CAAK,UAAU,IAAI,IAAI,CAAA,CAAA;AAAA,MACtC,UAAU,IAAA,CAAK,OAAA;AAAA,MACf,eAAe,IAAA,CAAK;AAAA,KACrB,CAAA;AAED,IAAA,OAAOD,aAAA;AAAA,EACT;AACF,CAAA;AC9HA,eAAsB,aACpB,MAAA,EAC6B;AAC7B,EAAA,MAAM,kBAAA,GACJ,OAAO,aAAA,CAAc,QAAA,CAAS,WAAW,CAAA,IACzC,MAAA,CAAO,aAAA,CAAc,QAAA,CAAS,WAAW,CAAA;AAE3C,EAAA,OAAO,MAAWE,eAAA,CAAA,SAAA;AAAA,IAChB,IAAI,GAAA,CAAI,MAAA,CAAO,aAAa,CAAA;AAAA,IAC5B,MAAA,CAAO,QAAA;AAAA,IACP,MAAA,CAAO,YAAA;AAAA,IACP,MAAA;AAAA,IACA,kBAAA,GACI;AAAA,MACE,OAAA,EAAS,CAAMA,eAAA,CAAA,qBAAqB;AAAA,KACtC,GACA;AAAA,GACN;AACF;;;ACuBO,SAAS,sBACd,QAAA,EACgB;AAChB,EAAA,OAAO,OAAO,OAAA,GAAU,EAAC,KAAM;AAC7B,IAAA,MAAM,YAAA,GAAe,mBAAA,CAAgC,QAAA,CAAS,MAAM,CAAA;AACpE,IAAA,MAAM,OAAA,GAAU,MAAM,YAAA,CAAa,GAAA,EAAI;AAEvC,IAAA,IAAI,CAAC,SAAS,IAAA,EAAM;AAClB,MAAA,MAAM,IAAI,gBAAA;AAAA,QAAA,qBAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,gBAAgB,OAAA,CAAQ,aAAA;AAC9B,IAAA,IAAI,CAAC,eAAe,WAAA,EAAa;AAC/B,MAAA,MAAM,IAAI,gBAAA;AAAA,QAAA,0BAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAI,iBAAA,CAAkB,aAAA,EAAe,OAAO,CAAA,EAAG;AAC7C,MAAA,OAAO,oBAAoB,aAAa,CAAA;AAAA,IAC1C;AAEA,IAAA,IAAI,CAAC,cAAc,YAAA,EAAc;AAC/B,MAAA,MAAM,IAAI,gBAAA;AAAA,QACR,SAAA,CAAU,eAAe,OAAO,CAAA,GAAA,0BAAA,8BAAA,wBAAA;AAAA,QAGhC;AAAA,OACF;AAAA,IACF;AAEA,IAAA,OAAO,kBAAA,CAAmB,QAAA,EAAU,OAAA,EAAS,OAAO,CAAA;AAAA,EACtD,CAAA;AACF;AAEA,eAAe,kBAAA,CACb,QAAA,EACA,OAAA,EACA,OAAA,EAC4B;AAC5B,EAAA,MAAMA,KAAAA,GAAO,MAAM,OAAO,eAAe,CAAA;AACzC,EAAA,MAAM,gBAAgB,OAAA,CAAQ,aAAA;AAE9B,EAAA,IAAI,CAAC,eAAe,YAAA,EAAc;AAChC,IAAA,MAAM,IAAI,gBAAA;AAAA,MAAA,2BAAA;AAAA,MAER;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,MAAA,GAAS,qBAAqB,OAAO,CAAA;AAC3C,IAAA,MAAM,MAAA,GAAS,MAAMA,KAAAA,CAAK,iBAAA;AAAA,MACxB,MAAM,YAAA,CAAa,QAAA,CAAS,MAAM,CAAA;AAAA,MAClC,aAAA,CAAc,YAAA;AAAA,MACd;AAAA,KACF;AAEA,IAAA,IAAI,CAAC,OAAO,YAAA,EAAc;AACxB,MAAA,MAAM,IAAI,gBAAA;AAAA,QAAA,0BAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,sBAAA,GAA+C;AAAA,MACnD,aAAa,MAAA,CAAO,YAAA;AAAA,MACpB,SAAA,EACE,OAAM,GACN,MAAA,CAAO,OAAO,UAAA,IAAc,aAAA,CAAc,SAAA,GAAY,KAAA,EAAO,CAAA;AAAA,MAC/D,OACE,MAAA,CAAO,KAAA,IAAS,gBAAgB,OAAA,CAAQ,MAAM,KAAK,aAAA,CAAc,KAAA;AAAA,MACnE,YAAA,EAAc,MAAA,CAAO,aAAA,IAAiB,aAAA,CAAc,YAAA;AAAA,MACpD,IAAA,EAAM,MAAA,CAAO,UAAA,IAAc,aAAA,CAAc;AAAA,KAC3C;AAEA,IAAA,OAAA,CAAQ,aAAA,GAAgB,sBAAA;AACxB,IAAA,MAAM,mBAAA,CAAgC,QAAA,CAAS,MAAM,CAAA,CAAE,IAAI,OAAO,CAAA;AAElE,IAAA,OAAO,oBAAoB,sBAAsB,CAAA;AAAA,EACnD,SAAS,KAAA,EAAO;AACd,IAAA,IAAI,iBAAiB,gBAAA,EAAkB;AACrC,MAAA,MAAM,KAAA;AAAA,IACR;AAEA,IAAA,MAAM,IAAI,gBAAA;AAAA,MAAA,0BAAA;AAAA,MAER,2BAAA;AAAA,MACA,KAAA,YAAiB,QAAQ,KAAA,GAAQ;AAAA,KACnC;AAAA,EACF;AACF;AAEA,SAAS,iBAAA,CACP,eACA,OAAA,EACS;AACT,EAAA,OACE,OAAA,CAAQ,OAAA,KAAY,IAAA,IACpB,CAAC,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA,IACjC,SAAA,CAAU,aAAA,CAAc,KAAA,EAAO,OAAA,CAAQ,MAAM,CAAA;AAEjD;AAEA,SAAS,SAAA,CACP,eACA,OAAA,EACS;AACT,EAAA,MAAM,IAAA,GAAO,QAAQ,sBAAA,IAA0B,EAAA;AAC/C,EAAA,OAAO,aAAA,CAAc,SAAA,IAAa,KAAA,EAAM,GAAI,IAAA;AAC9C;AAEA,SAAS,SAAA,CACP,cACA,cAAA,EACS;AACT,EAAA,MAAM,QAAA,GAAW,gBAAgB,cAAc,CAAA;AAC/C,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,OAAA,GAAU,IAAI,GAAA,CAAA,CAAK,YAAA,IAAgB,EAAA,EAAI,MAAM,KAAK,CAAA,CAAE,MAAA,CAAO,OAAO,CAAC,CAAA;AACzE,EAAA,OAAO,QAAA,CAAS,KAAA,CAAM,KAAK,CAAA,CAAE,KAAA,CAAM,CAAC,KAAA,KAAU,OAAA,CAAQ,GAAA,CAAI,KAAK,CAAC,CAAA;AAClE;AAEA,SAAS,qBACP,OAAA,EAC6B;AAC7B,EAAA,MAAM,KAAA,GAAQ,eAAA,CAAgB,OAAA,CAAQ,MAAM,CAAA;AAC5C,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,MAAM,MAAA,GAAS,IAAI,eAAA,EAAgB;AACnC,EAAA,MAAA,CAAO,GAAA,CAAI,SAAS,KAAK,CAAA;AACzB,EAAA,OAAO,MAAA;AACT;AAEA,SAAS,gBAAgB,MAAA,EAA4C;AACnE,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,MAAM,CAAA,EAAG;AACzB,IAAA,OAAO,MAAA,CAAO,KAAK,GAAG,CAAA;AAAA,EACxB;AAEA,EAAA,OAAO,MAAA;AACT;AAEA,SAAS,oBACP,aAAA,EACmB;AACnB,EAAA,OAAO;AAAA,IACL,aAAa,aAAA,CAAc,WAAA;AAAA,IAC3B,WAAW,aAAA,CAAc,SAAA;AAAA,IACzB,OAAO,aAAA,CAAc,KAAA;AAAA,IACrB,MAAM,aAAA,CAAc;AAAA,GACtB;AACF;;;AChMO,IAAM,WAAA,GAAN,MAAM,YAAA,SAAoB,SAAA,CAAU;AAAA,EACzC,OAAuB,IAAA,GAAO,uBAAA;AAAA;AAAA;AAAA;AAAA,EAKd,MAAA;AAAA;AAAA;AAAA;AAAA,EAKhB,YAAY,MAAA,EAAgC;AAC1C,IAAA,KAAA,CAAM;AAAA,MACJ,MAAM,YAAA,CAAY,IAAA;AAAA,MAClB,OAAA,EAAS,CAAA;AAAA,EAAiD,YAAA;AAAA,QACxD;AAAA,OACD,CAAA,CAAA;AAAA,MACD,IAAA,EAAM;AAAA,KACP,CAAA;AAED,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAEd,IAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAC9C,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,YAAA,CAAY,SAAS,CAAA;AAAA,EACnD;AACF,CAAA;AAEA,SAAS,aAAa,MAAA,EAAwC;AAC5D,EAAA,OAAO,MAAA,CACJ,GAAA,CAAI,CAAC,KAAA,KAAU;AACd,IAAA,MAAM,IAAA,GAAO,KAAA,CAAM,IAAA,EAAM,MAAA,GACrB,KAAA,CAAM,IAAA,CAAK,GAAA,CAAI,iBAAiB,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,GAC1C,QAAA;AACJ,IAAA,OAAO,CAAA,EAAA,EAAK,IAAI,CAAA,EAAA,EAAK,KAAA,CAAM,OAAO,CAAA,CAAA;AAAA,EACpC,CAAC,CAAA,CACA,IAAA,CAAK,IAAI,CAAA;AACd;AAEA,SAAS,kBACP,OAAA,EACQ;AACR,EAAA,OAAO,OAAO,OAAA,KAAY,QAAA,IAAY,OAAA,KAAY,IAAA,IAAQ,KAAA,IAAS,OAAA,GAC/D,MAAA,CAAO,OAAA,CAAQ,GAAG,CAAA,GAClB,MAAA,CAAO,OAAO,CAAA;AACpB;;;AC5DO,IAAM,cAAA,GAAiB;AAAA,EAC5B,KAAA,EAAO,aAAA;AAAA,EACP,QAAA,EAAU,gBAAA;AAAA,EACV,MAAA,EAAQ,cAAA;AAAA,EACR,OAAA,EAAS,eAAA;AAAA,EACT,WAAA,EAAa,oBAAA;AAAA,EACb,kBAAA,EAAoB;AACtB,CAAA;ACTA,IAAM,qBAAqBC,KAAA,CACxB,MAAA,EAAO,CACP,UAAA,CAAW,KAAK,sBAAsB,CAAA,CACtC,MAAA,CAAO,CAAC,UAAU,CAAC,KAAA,CAAM,SAAS,IAAI,CAAA,EAAG,wBAAwB,CAAA,CACjE,QAAA;AAAA,EACC;AACF,CAAA;AAEF,IAAM,kBAAkBA,KAAA,CACrB,MAAA,EAAO,CACP,GAAA,GACA,SAAA,CAAU,CAAC,KAAA,KAAU,KAAA,CAAM,QAAQ,MAAA,EAAQ,EAAE,CAAC,CAAA,CAC9C,SAAS,8DAA8D,CAAA;AAE1E,IAAM,6BAAA,GAAgCA,MAAE,KAAA,CAAM;AAAA,EAC5CA,MAAE,MAAA,EAAO;AAAA,EACTA,MAAE,MAAA,EAAO;AAAA,EACTA,MAAE,OAAA;AACJ,CAAC,CAAA;AAED,IAAM,aAAA,GAAgBA,MACnB,MAAA,CAAO;AAAA,EACN,IAAA,EAAMA,KAAA,CACH,MAAA,EAAO,CACP,QAAA,GACA,OAAA,CAAQ,OAAO,CAAA,CACf,QAAA,CAAS,qDAAqD,CAAA;AAAA,EACjE,cAAcA,KAAA,CACX,KAAA,CAAM,CAACA,KAAA,CAAE,MAAA,GAAS,QAAA,EAAS,EAAGA,MAAE,OAAA,CAAQ,KAAK,CAAC,CAAC,CAAA,CAC/C,QAAQ,EAAA,GAAK,EAAA,GAAK,EAAE,CAAA,CACpB,QAAA;AAAA,IACC;AAAA,GACF;AAAA,EACF,kBAAkBA,KAAA,CACf,KAAA,CAAM,CAACA,KAAA,CAAE,QAAO,CAAE,QAAA,EAAS,EAAGA,KAAA,CAAE,QAAQ,KAAK,CAAC,CAAC,CAAA,CAC/C,OAAA,CAAQ,KAAK,CAAA,CACb,QAAA;AAAA,IACC;AAAA,GACF;AAAA,EACF,MAAA,EAAQA,MACL,MAAA,CAAO;AAAA,IACN,QAAQA,KAAA,CACL,MAAA,GACA,QAAA,EAAS,CACT,SAAS,4CAA4C,CAAA;AAAA,IACxD,IAAA,EAAM,mBAAmB,QAAA,EAAS,CAC/B,QAAQ,GAAG,CAAA,CACX,SAAS,iCAAiC,CAAA;AAAA,IAC7C,QAAA,EAAUA,KAAA,CACP,OAAA,EAAQ,CACR,QAAA,GACA,OAAA,CAAQ,IAAI,CAAA,CACZ,QAAA,CAAS,wDAAwD,CAAA;AAAA,IACpE,QAAA,EAAUA,KAAA,CACP,IAAA,CAAK,CAAC,OAAO,QAAA,EAAU,MAAM,CAAC,CAAA,CAC9B,UAAS,CACT,OAAA,CAAQ,KAAK,CAAA,CACb,SAAS,2CAA2C,CAAA;AAAA,IACvD,MAAA,EAAQA,MACL,OAAA,EAAQ,CACR,QAAQ,IAAI,CAAA,CACZ,SAAS,wCAAwC;AAAA,GACrD,CAAA,CACA,QAAA,CAAS,2DAA2D;AACzE,CAAC,CAAA,CACA,MAAA;AAAA,EACC,CAAC,OAAA,KACC,OAAA,CAAQ,YAAA,KAAiB,KAAA,IAAS,QAAQ,gBAAA,KAAqB,KAAA;AAAA,EACjE;AACF,CAAA,CACC,SAAS,sDAAsD,CAAA;AAElE,IAAM,MAAA,GAASA,MACZ,MAAA,CAAO;AAAA,EACN,aAAA,EAAeA,MACZ,MAAA,CAAO;AAAA,IACN,aAAA,EAAeA,MACZ,IAAA,CAAK,CAAC,MAAM,CAAC,CAAA,CACb,OAAA,CAAQ,MAAM,CAAA,CACd,QAAA;AAAA,MACC;AAAA,KACF;AAAA,IACF,KAAA,EAAOA,MACJ,MAAA,EAAO,CACP,QAAQ,sBAAsB,CAAA,CAC9B,SAAS,wCAAwC,CAAA;AAAA,IACpD,aAAA,EAAeA,KAAA,CACZ,IAAA,CAAK,CAAC,OAAA,EAAS,WAAW,CAAC,CAAA,CAC3B,OAAA,CAAQ,OAAO,CAAA,CACf,QAAA;AAAA,MACC;AAAA,KACF;AAAA,IACF,UAAUA,KAAA,CACP,MAAA,GACA,QAAA,EAAS,CACT,SAAS,kDAAkD,CAAA;AAAA,IAC9D,OAAA,EAASA,KAAA,CACN,IAAA,CAAK,CAAC,MAAA,EAAQ,OAAA,EAAS,OAAA,EAAS,KAAK,CAAC,CAAA,CACtC,QAAA,EAAS,CACT,QAAA;AAAA,MACC;AAAA,KACF;AAAA,IACF,MAAA,EAAQA,KAAA,CACL,IAAA,CAAK,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAA,EAAW,gBAAgB,CAAC,CAAA,CACnD,QAAA,EAAS,CACT,SAAS,0DAA0D,CAAA;AAAA,IACtE,SAASA,KAAA,CACN,MAAA,GACA,QAAA,EAAS,CACT,SAAS,yCAAyC,CAAA;AAAA,IACrD,YAAYA,KAAA,CACT,MAAA,GACA,QAAA,EAAS,CACT,SAAS,qDAAqD,CAAA;AAAA,IACjE,eAAeA,KAAA,CACZ,MAAA,GACA,QAAA,EAAS,CACT,SAAS,uDAAuD,CAAA;AAAA,IACnE,YAAYA,KAAA,CACT,MAAA,GACA,QAAA,EAAS,CACT,SAAS,oDAAoD,CAAA;AAAA,IAChE,YAAYA,KAAA,CACT,MAAA,GACA,QAAA,EAAS,CACT,SAAS,yCAAyC;AAAA,GACtD,CAAA,CACA,QAAA,CAAS,6BAA6B,CAAA,CACtC,QAAA;AAAA,IACC;AAAA,GACF;AAAA,EACF,SAAS,eAAA,CAAgB,QAAA;AAAA,IACvB;AAAA,GACF;AAAA,EACA,QAAA,EAAUA,MACP,MAAA,EAAO,CACP,IAAI,CAAC,CAAA,CACL,SAAS,sDAAsD,CAAA;AAAA,EAClE,YAAA,EAAcA,MACX,MAAA,EAAO,CACP,IAAI,CAAC,CAAA,CACL,SAAS,4DAA4D,CAAA;AAAA,EACxE,eAAe,eAAA,CAAgB,QAAA;AAAA,IAC7B;AAAA,GACF;AAAA,EACA,MAAA,EAAQA,MACL,KAAA,CAAM,CAACA,MAAE,MAAA,EAAO,CAAE,GAAA,CAAI,EAAE,CAAA,EAAGA,KAAA,CAAE,MAAMA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA,CAAI,EAAE,CAAC,EAAE,GAAA,CAAI,CAAC,CAAC,CAAC,CAAA,CAC9D,QAAA;AAAA,IACC;AAAA,GACF;AAAA,EACF,OAAA,EAAS,aAAA;AAAA,EACT,MAAA,EAAQA,MACL,MAAA,CAAO;AAAA,IACN,KAAA,EAAO,kBAAA,CAAmB,OAAA,CAAQ,aAAa,CAAA,CAAE,QAAA;AAAA,MAC/C;AAAA,KACF;AAAA,IACA,QAAA,EAAU,kBAAA,CAAmB,OAAA,CAAQ,gBAAgB,CAAA,CAAE,QAAA;AAAA,MACrD;AAAA,KACF;AAAA,IACA,MAAA,EAAQ,kBAAA,CAAmB,OAAA,CAAQ,cAAc,CAAA,CAAE,QAAA;AAAA,MACjD;AAAA,KACF;AAAA,IACA,OAAA,EAAS,kBAAA,CAAmB,OAAA,CAAQ,eAAe,CAAA,CAAE,QAAA;AAAA,MACnD;AAAA,KACF;AAAA,IACA,WAAA,EAAa,kBAAA,CAAmB,OAAA,CAAQ,oBAAoB,CAAA,CAAE,QAAA;AAAA,MAC5D;AAAA,KACF;AAAA,IACA,kBAAA,EAAoB,kBAAA,CAAmB,OAAA,CAAQ,GAAG,CAAA,CAAE,QAAA;AAAA,MAClD;AAAA;AACF,GACD,CAAA,CACA,QAAA,CAAS,gDAAgD,CAAA;AAAA,EAC5D,WAAA,EAAaA,MACV,MAAA,CAAO;AAAA,IACN,MAAMA,KAAA,CACH,MAAA,EAAO,CACP,OAAA,CAAQ,oBAAoB,CAAA,CAC5B,QAAA;AAAA,MACC;AAAA,KACF;AAAA,IACF,MAAA,EAAQA,MACL,MAAA,CAAO;AAAA,MACN,QAAQA,KAAA,CACL,MAAA,GACA,QAAA,EAAS,CACT,SAAS,gDAAgD,CAAA;AAAA,MAC5D,QAAQA,KAAA,CACL,OAAA,GACA,QAAA,EAAS,CACT,SAAS,4CAA4C,CAAA;AAAA,MACxD,QAAA,EAAUA,KAAA,CACP,IAAA,CAAK,CAAC,KAAA,EAAO,QAAA,EAAU,MAAM,CAAC,CAAA,CAC9B,OAAA,CAAQ,KAAK,CAAA,CACb,SAAS,+CAA+C,CAAA;AAAA,MAC3D,IAAA,EAAM,mBAAmB,QAAA,EAAS,CAC/B,QAAQ,GAAG,CAAA,CACX,SAAS,qCAAqC;AAAA,KAClD,CAAA,CACA,QAAA,CAAS,uDAAuD;AAAA,GACpE,CAAA,CACA,QAAA,CAAS,2DAA2D;AACzE,CAAC,CAAA,CACA,SAAS,oDAAoD,CAAA;AAEhE,IAAO,cAAA,GAAQ,MAAA;;;AC/Mf,IAAM,SAAS,CAAC,GAAA,EAAK,IAAA,EAAM,OAAA,EAAS,KAAK,KAAK,CAAA;AAEvC,IAAM,IAAA,GAAO,CAClB,KAAA,EACA,YAAA,KACwB;AACxB,EAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,EAAA,EAAI,OAAO,YAAA;AAChD,EAAA,IAAI,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA;AAC5B,IAAA,OAAO,CAAC,MAAA,CAAO,QAAA,CAAS,MAAM,WAAA,EAAY,CAAE,MAAM,CAAA;AACpD,EAAA,OAAO,CAAC,CAAC,KAAA;AACX,CAAA;AAEO,IAAM,GAAA,GAAM,CAAC,KAAA,KAClB,KAAA,KAAU,UAAa,KAAA,KAAU,EAAA,GAAK,SAAY,CAAC,KAAA;;;ACyC9C,IAAM,SAAA,GAAY,CAAC,MAAA,GAAwB,EAAC,KAAc;AAC/D,EAAA,MAAM,YAAA,GAAe,QAAQ,GAAA,CAAI,YAAA;AACjC,EAAA,MAAM,qBAAA,GAAwB,QAAQ,GAAA,CAAI,qBAAA;AAC1C,EAAA,MAAM,YAAA,GACJ,OAAA,CAAQ,GAAA,CAAI,YAAA,IAAgB,QAAQ,GAAA,CAAI,wBAAA;AAC1C,EAAA,MAAM,eAAA,GAAkB,QAAQ,GAAA,CAAI,eAAA;AACpC,EAAA,MAAM,mBAAA,GAAsB,QAAQ,GAAA,CAAI,mBAAA;AACxC,EAAA,MAAM,cAAA,GAAiB,QAAQ,GAAA,CAAI,cAAA;AACnC,EAAA,MAAM,WAAA,GAAc,QAAQ,GAAA,CAAI,WAAA;AAEhC,EAAA,MAAM,cAAA,GAAiB,QAAQ,GAAA,CAAI,cAAA;AACnC,EAAA,MAAM,YAAA,GAAe,QAAQ,GAAA,CAAI,YAAA;AACjC,EAAA,MAAM,aAAA,GAAgB,QAAQ,GAAA,CAAI,aAAA;AAClC,EAAA,MAAM,yBAAA,GAA4B,QAAQ,GAAA,CAAI,yBAAA;AAC9C,EAAA,MAAM,kBAAA,GAAqB,QAAQ,GAAA,CAAI,kBAAA;AACvC,EAAA,MAAM,8BAAA,GACJ,QAAQ,GAAA,CAAI,8BAAA;AACd,EAAA,MAAM,0BAAA,GAA6B,QAAQ,GAAA,CAAI,0BAAA;AAE/C,EAAA,MAAM,kBAAA,GAAqB,QAAQ,GAAA,CAAI,kBAAA;AACvC,EAAA,MAAM,2BAAA,GAA8B,QAAQ,GAAA,CAAI,2BAAA;AAChD,EAAA,MAAM,+BAAA,GACJ,QAAQ,GAAA,CAAI,+BAAA;AACd,EAAA,MAAM,2BAAA,GAA8B,QAAQ,GAAA,CAAI,mBAAA;AAChD,EAAA,MAAM,yBAAA,GAA4B,QAAQ,GAAA,CAAI,iBAAA;AAC9C,EAAA,MAAM,2BAAA,GAA8B,QAAQ,GAAA,CAAI,mBAAA;AAChD,EAAA,MAAM,8BAAA,GAAiC,QAAQ,GAAA,CAAI,sBAAA;AAEnD,EAAA,MAAM,sBAAA,GAAyB,QAAQ,GAAA,CAAI,6BAAA;AAC3C,EAAA,MAAM,+BAAA,GACJ,QAAQ,GAAA,CAAI,+BAAA;AACd,EAAA,MAAM,6BAAA,GACJ,QAAQ,GAAA,CAAI,6BAAA;AACd,EAAA,MAAM,kCAAA,GACJ,QAAQ,GAAA,CAAI,kCAAA;AACd,EAAA,MAAM,+BAAA,GACJ,QAAQ,GAAA,CAAI,+BAAA;AAEd,EAAA,MAAM,OAAA,GACJ,gBAAgB,CAAC,cAAA,CAAe,KAAK,YAAsB,CAAA,GACvD,CAAA,QAAA,EAAW,YAAY,CAAA,CAAA,GACvB,YAAA;AAEN,EAAA,MAAM,MAAA,GAAS,eAAO,SAAA,CAAU;AAAA,IAC9B,MAAA,EAAQ,YAAA;AAAA,IACR,aAAA,EAAe,qBAAA;AAAA,IACf,OAAA;AAAA,IACA,QAAA,EAAU,eAAA;AAAA,IACV,YAAA,EAAc,mBAAA;AAAA,IACd,GAAG,MAAA;AAAA,IACH,aAAA,EAAe;AAAA,MACb,aAAA,EAAe,MAAA;AAAA,MACf,QAAA,EAAU,cAAA;AAAA,MACV,KAAA,EAAO,WAAA;AAAA,MACP,GAAG,MAAA,CAAO;AAAA,KACZ;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,kBAAA;AAAA,MACN,YAAA,EAAc,SAAS,2BAA2B,CAAA;AAAA,MAClD,gBAAA,EAAkB,SAAS,+BAA+B,CAAA;AAAA,MAC1D,GAAG,MAAA,CAAO,OAAA;AAAA,MACV,MAAA,EAAQ;AAAA,QACN,MAAA,EAAQ,2BAAA;AAAA,QACR,MAAM,yBAAA,IAA6B,GAAA;AAAA,QACnC,MAAA,EAAQ,KAAK,2BAA2B,CAAA;AAAA,QACxC,QAAA,EAAU,8BAAA;AAAA,QAKV,GAAG,OAAO,OAAA,EAAS;AAAA;AACrB,KACF;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,QAAA,EACE,MAAA,CAAO,MAAA,EAAQ,QAAA,IAAY,kBAAkB,cAAA,CAAe,QAAA;AAAA,MAC9D,OACE,MAAA,CAAO,MAAA,EAAQ,SACf,OAAA,CAAQ,GAAA,CAAI,2BACZ,cAAA,CAAe,KAAA;AAAA,MACjB,MAAA,EAAQ,MAAA,CAAO,MAAA,EAAQ,MAAA,IAAU,gBAAgB,cAAA,CAAe,MAAA;AAAA,MAChE,SACE,MAAA,CAAO,MAAA,EAAQ,OAAA,IACf,aAAA,IACA,6BACA,cAAA,CAAe,OAAA;AAAA,MACjB,aACE,MAAA,CAAO,MAAA,EAAQ,WAAA,IACf,kBAAA,IACA,kCACA,cAAA,CAAe,WAAA;AAAA,MACjB,kBAAA,EACE,MAAA,CAAO,MAAA,EAAQ,kBAAA,IACf,8BACA,cAAA,CAAe;AAAA,KACnB;AAAA,IACA,WAAA,EAAa;AAAA,MACX,IAAA,EAAM,sBAAA;AAAA,MACN,GAAG,MAAA,CAAO,WAAA;AAAA,MACV,MAAA,EAAQ;AAAA,QACN,MAAA,EAAQ,+BAAA;AAAA,QACR,MAAM,6BAAA,IAAiC,GAAA;AAAA,QACvC,MAAA,EAAQ,KAAK,+BAA+B,CAAA;AAAA,QAC5C,QAAA,EAAU,kCAAA;AAAA,QAKV,GAAG,OAAO,WAAA,EAAa;AAAA;AACzB;AACF,GACD,CAAA;AAED,EAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,IAAA,MAAM,IAAI,WAAA,CAAY,MAAA,CAAO,KAAA,CAAM,MAAM,CAAA;AAAA,EAC3C;AAEA,EAAA,OAAO,MAAA,CAAO,IAAA;AAChB,CAAA;AAEA,SAAS,SAAS,KAAA,EAAuD;AACvE,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,KAAK,CAAC,IAAK,IAAA,CAAK,KAAK,CAAA,GAAc,GAAA,CAAI,KAAK,CAAA;AACzE;;;ACnKO,IAAM,YAAA,GAAe,CAAC,MAAA,KAA0C;AACrE,EAAA,MAAM,MAAA,GAAS,UAAU,MAAM,CAAA;AAC/B,EAAA,OAAO;AAAA,IACL;AAAA,GACF;AACF,CAAA;;;ACGA,IAAM,YAAA,GAAN,cAA2B,SAAA,CAAU;AAAA,EACnC,YAAY,OAAA,EAA8B;AACxC,IAAA,IAAI,MAAA;AACJ,IAAA,IAAI,QAAA,IAAY,OAAA,CAAQ,KAAA,EAAO,MAAA,GAAS,QAAQ,KAAA,CAAM,MAAA;AAEtD,IAAA,KAAA,CAAM,EAAE,GAAG,OAAA,EAAS,MAAA,EAAQ,CAAA;AAAA,EAC9B;AACF,CAAA;AAKO,IAAM,oBAAA,GAAN,MAAM,qBAAA,SAA6B,YAAA,CAAa;AAAA,EACrD,OAAuB,IAAA,GAAe,8BAAA;AAAA,EAEtC,YAAY,KAAA,EAA0B;AACpC,IAAA,KAAA,CAAM;AAAA,MACJ,MAAM,qBAAA,CAAqB,IAAA;AAAA,MAC3B,OAAA,EAAS,0BAAA;AAAA,MACT,IAAA,EAAM,sBAAA;AAAA,MACN;AAAA,KACD,CAAA;AACD,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,qBAAA,CAAqB,SAAS,CAAA;AAAA,EAC5D;AACF,CAAA;AAKO,IAAM,iBAAA,GAAN,MAAM,kBAAA,SAA0B,YAAA,CAAa;AAAA,EAClD,OAAuB,IAAA,GAAe,2BAAA;AAAA,EAEtC,YAAY,KAAA,EAA0B;AACpC,IAAA,KAAA,CAAM;AAAA,MACJ,MAAM,kBAAA,CAAkB,IAAA;AAAA,MACxB,OAAA,EAAS,uBAAA;AAAA,MACT,IAAA,EAAM,mBAAA;AAAA,MACN;AAAA,KACD,CAAA;AACD,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,kBAAA,CAAkB,SAAS,CAAA;AAAA,EACzD;AACF,CAAA;AAKO,IAAM,kBAAA,GAAN,MAAM,mBAAA,SAA2B,YAAA,CAAa;AAAA,EACnD,OAAuB,IAAA,GAAe,4BAAA;AAAA,EAEtC,YAAY,KAAA,EAA0B;AACpC,IAAA,KAAA,CAAM;AAAA,MACJ,MAAM,mBAAA,CAAmB,IAAA;AAAA,MACzB,OAAA,EAAS,wBAAA;AAAA,MACT,IAAA,EAAM,oBAAA;AAAA,MACN;AAAA,KACD,CAAA;AACD,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,mBAAA,CAAmB,SAAS,CAAA;AAAA,EAC1D;AACF,CAAA;;;AClDO,IAAM,uBAAA,GAAN,MAAM,wBAAA,SAAgC,KAAA,CAAM;AAAA,EACjD,OAAO,OAAA,GACL,4FAAA;AAAA,EACF,MAAA,GAAS,GAAA;AAAA,EACT,UAAA,GAAa,GAAA;AAAA,EAEb,WAAA,GAAc;AAEZ,IAAA,KAAA,CAAM,yBAAwB,OAAO,CAAA;AACrC,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,wBAAA,CAAwB,SAAS,CAAA;AAAA,EAC/D;AACF,CAAA;ACpBO,SAAS,uBAAA,CACd,QACA,WAAA,EACkB;AAClB,EAAA,OAAO,IAAI,gBAAA;AAAA,IACT,WAAW,MAAM,CAAA;AAAA,IACjB,WAAA;AAAA,IACA,OAAO,WAAA,CAAY,IAAA;AAAA,IACnB;AAAA,MACE,GAAG,OAAO,WAAA,CAAY,MAAA;AAAA,MACtB,QAAA,EAAU;AAAA;AACZ,GACF;AACF;AAQO,IAAM,mBAAN,MAAuB;AAAA,EAC5B,WAAA,CACmB,OAAA,EACA,WAAA,EACA,UAAA,EACA,aAAA,EACjB;AAJiB,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AACA,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EAChB;AAAA,EAJgB,OAAA;AAAA,EACA,WAAA;AAAA,EACA,UAAA;AAAA,EACA,aAAA;AAAA;AAAA;AAAA;AAAA,EAMnB,MAAM,KAAK,KAAA,EAAwC;AACjD,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AAEpC,IAAA,MAAA,CAAO,gBAAgB,KAAA,CAAM,aAAA;AAC7B,IAAA,MAAA,CAAO,QAAQ,KAAA,CAAM,KAAA;AACrB,IAAA,MAAA,CAAO,QAAQ,KAAA,CAAM,KAAA;AACrB,IAAA,MAAA,CAAO,UAAU,KAAA,CAAM,OAAA;AACvB,IAAA,MAAA,CAAO,YAAY,KAAA,CAAM,SAAA;AAEzB,IAAA,OAAO,MAAM,OAAO,IAAA,EAAK;AAAA,EAC3B;AAAA,EAEA,MAAc,SAAA,GAAoD;AAChE,IAAA,MAAMH,gBAAc,MAAMC,0BAAAA;AAAA,MACxB,IAAA,CAAK,WAAA;AAAA,MACL;AAAA,QACE,YAAY,IAAA,CAAK,UAAA;AAAA,QACjB,UAAU,IAAA,CAAK,OAAA;AAAA,QACf,eAAe,IAAA,CAAK;AAAA;AACtB,KACF;AAEA,IAAA,OAAOD,aAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,IAAA,GAA8C;AAClD,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AAEpC,IAAA,IAAI,CAAC,OAAO,aAAA,IAAiB,CAAC,OAAO,KAAA,IAAS,CAAC,OAAO,KAAA,EAAO;AAC3D,MAAA,MAAA,CAAO,OAAA,EAAQ;AACf,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,MAAA,GAA2B;AAAA,MAC/B,eAAe,MAAA,CAAO,aAAA;AAAA,MACtB,OAAO,MAAA,CAAO,KAAA;AAAA,MACd,OAAO,MAAA,CAAO,KAAA;AAAA,MACd,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,WAAW,MAAA,CAAO;AAAA,KACpB;AAEA,IAAA,MAAA,CAAO,OAAA,EAAQ;AAEf,IAAA,OAAO,MAAA;AAAA,EACT;AACF,CAAA;;;AClEO,IAAM,yBACX,CAA4B,QAAA,KAC5B,CAAC,OAAA,KACD,OAAO,GAAA,KAAoC;AACzC,EAAA,IAAI;AACF,IAAA,MAAM,WAAA,GAAc,MAAM,aAAA,EAAc;AAExC,IAAA,OAAO,MAAM,OAAA;AAAA,MACX,QAAA;AAAA,MACA,IAAI,GAAA,CAAI,GAAA,CAAI,GAAG,CAAA;AAAA,MACf,uBAAA,CAAwB,QAAA,CAAS,MAAA,EAAQ,WAAW,CAAA;AAAA,MACpD,mBAAA,CAAgC,SAAS,MAAM,CAAA;AAAA,MAC/C;AAAA,KACF;AAAA,EACF,SAAS,CAAA,EAAG;AACV,IAAA,MAAM,IAAI,qBAAqB,CAAsB,CAAA;AAAA,EACvD;AACF,CAAA;AAEF,eAAe,QACb,EAAE,MAAA,IACF,UAAA,EACA,gBAAA,EACA,cACA,OAAA,EACmB;AACnB,EAAA,MAAME,KAAAA,GAAO,MAAM,OAAO,eAAe,CAAA;AACzC,EAAA,MAAM,gBAAA,GAAmB,MAAM,gBAAA,CAAiB,IAAA,EAAK;AACrD,EAAA,IAAI,CAAC,gBAAA,EAAkB;AACrB,IAAA,MAAM,IAAI,uBAAA,EAAwB;AAAA,EACpC;AAEA,EAAA,MAAM,YAAA,GAAe,MAAM,YAAA,CAAa,MAAM,CAAA;AAE9C,EAAA,MAAM,MAAA,GAAqC,MAAMA,KAAAA,CAAK,sBAAA;AAAA,IACpD,YAAA;AAAA,IACA,UAAA;AAAA,IACA;AAAA,MACE,kBAAkB,gBAAA,CAAiB,aAAA;AAAA,MACnC,eAAe,gBAAA,CAAiB,KAAA;AAAA,MAChC,eAAe,gBAAA,CAAiB,KAAA;AAAA,MAChC,eAAA,EAAiB,IAAA;AAAA,MACjB,QAAQ,gBAAA,CAAiB;AAAA,KAC3B;AAAA,IACA,OAAA,EAAS;AAAA,GACX;AAEA,EAAA,MAAM,OAAA,GAAU,MAAM,yBAAA,CAAsC,MAAM,CAAA;AAClE,EAAA,IAAI,OAAA,EAAS;AACX,IAAA,MAAM,YAAA,CAAa,IAAI,OAAO,CAAA;AAAA,EAChC;AAEA,EAAA,OAAOE,sBAAA,CAAa,QAAA,CAAS,gBAAA,CAAiB,SAAA,IAAa,OAAO,OAAO,CAAA;AAC3E;;;AC9EO,IAAM,mBAAA,GAAsB;AAAA,EACjC,IAAA,EAAM;AACR,CAAA;;;ACVO,SAAS,cAAA,CACd,mBACA,WAAA,EACoB;AACpB,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI;AACF,IAAA,GAAA,GAAM,IAAI,GAAA,CAAI,iBAAA,EAAmB,WAAW,CAAA;AAAA,EAC9C,SAAS,EAAA,EAAI;AACX,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,IAAI,GAAA,CAAI,MAAA,KAAW,WAAA,CAAY,MAAA,EAAQ;AACrC,IAAA,OAAO,IAAI,QAAA,EAAS;AAAA,EACtB;AACA,EAAA,OAAO,MAAA;AACT;AASO,SAAS,2BAAA,CACd,QACA,MAAA,EACK;AACL,EAAA,OAAO,cAAA,CAAe,MAAA,EAAQ,MAAA,CAAO,MAAA,CAAO,UAAU,MAAM,CAAA;AAC9D;AAQO,SAAS,cAAA,CACd,MAAA,EACA,SAAA,EACA,MAAA,EACK;AACL,EAAA,IAAI,qBAAqB,GAAA,EAAK;AAC5B,IAAA,OAAO,SAAA;AAAA,EACT;AAEA,EAAA,IAAI;AACF,IAAA,OAAO,IAAI,IAAI,SAAS,CAAA;AAAA,EAC1B,SAAS,CAAA,EAAG;AACV,IAAA,OAAO,IAAI,GAAA,CAAI,OAAA,CAAQ,UAAU,MAAA,CAAO,OAAA,EAAS,SAAS,CAAC,CAAA;AAAA,EAC7D;AACF;AAEA,SAAS,OAAA,CAAQ,MAAc,IAAA,EAAsB;AACnD,EAAA,OAAO,CAAA,EAAG,IAAA,CAAK,OAAA,CAAQ,MAAA,EAAQ,EAAE,CAAC,CAAA,CAAA,EAAI,IAAA,CAAK,OAAA,CAAQ,MAAA,EAAQ,EAAE,CAAC,CAAA,CAAA;AAChE;;;ACfO,IAAM,sBACX,CAAC,QAAA,KACD,CAAC,OAAA,KACD,OAAO,GAAA,KAAoC;AACzC,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,GAAA,CAAI,GAAG,CAAA;AAE3B,IAAA,OAAO,MAAMC,QAAAA;AAAA,MACX,QAAA;AAAA,MACA,uBAAA,CAAwB,QAAA,CAAS,MAAA,EAAQ,MAAM,eAAe,CAAA;AAAA,MAC9D,YAAA;AAAA,QACE,QAAA,CAAS,MAAA;AAAA,QACT,OAAA;AAAA,QACA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,UAAU,CAAA;AAAA,QAC/B,GAAA,CAAI;AAAA,OACN;AAAA,MACA,GAAA,CAAI;AAAA,KACN;AAAA,EACF,SAAS,CAAA,EAAG;AACV,IAAA,MAAM,IAAI,kBAAkB,CAAsB,CAAA;AAAA,EACpD;AACF,CAAA;AAEF,eAAeA,SACb,EAAE,MAAA,EAAO,EACT,gBAAA,EACA,SACA,aAAA,EACmB;AACnB,EAAA,MAAMH,KAAAA,GAAO,MAAM,OAAO,eAAe,CAAA;AAEzC,EAAA,MAAM,QAAA,GAAW,OAAA,EAAS,QAAA,IAAY,MAAA,CAAO,OAAA;AAE7C,EAAA,MAAM,gBAAA,GAAqC;AAAA,IACzC,KAAA,EAAOA,MAAK,WAAA,EAAY;AAAA,IACxB,KAAA,EAAOA,MAAK,WAAA,EAAY;AAAA,IACxB,aAAA,EAAeA,MAAK,sBAAA,EAAuB;AAAA,IAC3C,SAAA,EAAW;AAAA,GACb;AAEA,EAAA,MAAM,UAAA,GAAsC;AAAA,IAC1C,YAAA,EAAc,2BAAA,CAA4B,MAAA,EAAQ,aAAa,EAAE,QAAA,EAAS;AAAA,IAC1E,GAAG,MAAA,CAAO,aAAA;AAAA,IACV,GAAI,OAAA,EAAS,aAAA,IAAiB,EAAC;AAAA,IAC/B,OAAO,gBAAA,CAAiB,KAAA;AAAA,IACxB,OAAO,gBAAA,CAAiB,KAAA;AAAA,IACxB,uBAAuB,mBAAA,CAAoB,IAAA;AAAA,IAC3C,cAAA,EAAgB,MAAMA,KAAAA,CAAK,0BAAA;AAAA,MACzB,gBAAA,CAAiB;AAAA;AACnB,GACF;AAEA,EAAA,IAAI,WAAW,OAAA,EAAS;AACtB,IAAA,gBAAA,CAAiB,UAAU,UAAA,CAAW,OAAA;AAAA,EACxC;AAEA,EAAA,MAAM,gBAAA,CAAiB,KAAK,gBAAgB,CAAA;AAE5C,EAAA,MAAM,YAAA,GAAe,MAAM,YAAA,CAAa,MAAM,CAAA;AAE9C,EAAA,MAAM,mBAAmBA,KAAAA,CAAK,qBAAA;AAAA,IAC5B,YAAA;AAAA,IACA,6BAA6B,UAAU;AAAA,GACzC;AAEA,EAAA,OAAOE,sBAAAA,CAAa,SAAS,gBAAgB,CAAA;AAC/C;AAEA,SAAS,6BACP,UAAA,EACwB;AACxB,EAAA,MAAM,6BAAqD,EAAC;AAE5D,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,UAAU,CAAA,EAAG;AACrD,IAAA,IAAI,UAAU,MAAA,EAAW;AACvB,MAAA,0BAAA,CAA2B,GAAG,CAAA,GAAI,MAAA,CAAO,KAAK,CAAA;AAAA,IAChD;AAAA,EACF;AAEA,EAAA,OAAO,0BAAA;AACT;AAQA,IAAM,YAAA,GAAe,CACnB,MAAA,EACA,IAAA,EACA,mBACA,aAAA,KACiB;AACjB,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAC;AAEzB,EAAA,IAAI,iBAAA,EAAmB;AACrB,IAAA,MAAM,cAAc,IAAI,GAAA;AAAA,MACtB,OAAA,EAAS,aAAA,EAAe,YAAA,IAAgB,aAAA,IAAiB,MAAA,CAAO;AAAA,KAClE;AACA,IAAA,OAAA,CAAQ,QAAA,GAAW,cAAA,CAAe,iBAAA,EAAmB,WAAW,CAAA;AAAA,EAClE;AAEA,EAAA,OAAO,OAAA;AACT,CAAA;AC7GO,IAAM,uBACX,CAA4B,QAAA,KAC5B,CAAC,OAAA,KACD,OAAO,GAAA,KAAoC;AACzC,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,GAAA,CAAI,GAAG,CAAA;AAE3B,IAAA,OAAO,MAAMC,QAAAA;AAAA,MACX,QAAA;AAAA,MACA,mBAAA,CAAgC,SAAS,MAAM,CAAA;AAAA,MAC/CC,aAAAA;AAAA,QACE,QAAA,CAAS,MAAA;AAAA,QACT,OAAA;AAAA,QACA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,UAAU;AAAA;AACjC,KACF;AAAA,EACF,SAAS,CAAA,EAAG;AACV,IAAA,MAAM,IAAI,mBAAmB,CAAsB,CAAA;AAAA,EACrD;AACF,CAAA;AAEF,eAAeD,QAAAA,CACb,EAAE,MAAA,EAAO,EACT,cACA,OAAA,EACmB;AACnB,EAAA,IAAI,SAAA,GAAY,cAAA;AAAA,IACd,MAAA;AAAA,IACA,OAAA,EAAS,QAAA,IAAY,MAAA,CAAO,MAAA,CAAO;AAAA,GACrC;AAEA,EAAA,MAAM,aAAa,MAAA,EAAO;AAE1B,EAAA,IAAI,SAAS,YAAA,EAAc;AACzB,IAAA,SAAA,GAAY,IAAI,GAAA;AAAA,MACd,CAAC,WAAW,CAAA,WAAA,EAAc,SAAA,CAAU,UAAU,CAAA,CAAE,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA;AAAA,MAC1D,MAAA,CAAO;AAAA,KACT;AAAA,EACF;AAEA,EAAA,OAAOD,sBAAAA,CAAa,SAAS,SAAS,CAAA;AACxC;AAQA,IAAME,aAAAA,GAAe,CACnB,MAAA,EACA,IAAA,EACA,iBAAA,KACkB;AAClB,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAC;AAEzB,EAAA,IAAI,iBAAA,EAAmB;AACrB,IAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,MAAA,CAAO,OAAO,CAAA;AAC1C,IAAA,OAAA,CAAQ,QAAA,GAAW,cAAA,CAAe,iBAAA,EAAmB,WAAW,CAAA;AAAA,EAClE;AAEA,EAAA,OAAO,OAAA;AACT,CAAA;AClEO,IAAM,wBACX,CAA4B,QAAA,KAC5B,CAAC,OAAA,KACD,OAAO,IAAA,KAAqC;AAC1C,EAAA,OAAO,MAAMD,QAAAA;AAAA,IACX,mBAAA,CAAgC,SAAS,MAAM,CAAA;AAAA,IAC/C;AAAA,GACF;AACF,CAAA;AAEF,eAAeA,QAAAA,CACb,cACA,OAAA,EACmB;AACnB,EAAA,MAAM,OAAA,GAAU,OAAO,OAAA,EAAS,KAAA,KAAU,QACtC,YAAA,CAAa,KAAA,EAAM,GACnB,YAAA,CAAa,GAAA,EAAI,CAAA;AAErB,EAAA,MAAM,SAAS,OAAA,EAAS,SAAA,GAAY,OAAA,EAAS,SAAA,CAAU,OAAO,CAAA,GAAI,OAAA;AAElE,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,OAAO,QAAA,CAAS,IAAA;AAAA,MACd;AAAA,QACE,KAAA,EAAO,iBAAA;AAAA,QACP,iBAAA,EAAmB;AAAA,OACrB;AAAA,MACA,EAAE,MAAA,EAAQ,GAAA,EAAK,UAAA,EAAY,cAAA;AAAe,KAC5C;AAAA,EACF;AAEA,EAAA,OAAOD,sBAAAA,CAAa,KAAK,MAAM,CAAA;AACjC;AC5BO,IAAM,4BACX,CAA4B,QAAA,KAC5B,CAAC,OAAA,KACD,OAAO,GAAA,KAAoC;AACzC,EAAA,IAAI;AACF,IAAA,MAAM,EAAE,SAAA,EAAW,GAAG,aAAA,EAAc,GAAI,WAAW,EAAC;AACpD,IAAA,MAAM,cAAA,GAAiB,MAAM,iBAAA,CAAkB,GAAG,CAAA;AAClD,IAAA,MAAM,KAAA,GAAQ,MAAM,qBAAA,CAAkC,QAAQ,CAAA,CAAE;AAAA,MAC9D,GAAG,aAAA;AAAA,MACH,GAAI,kBAAkB;AAAC,KACxB,CAAA;AACD,IAAA,OAAOA,sBAAAA,CAAa,IAAA,CAAK,SAAA,GAAY,KAAK,KAAK,KAAK,CAAA;AAAA,EACtD,SAAS,KAAA,EAAO;AACd,IAAA,IAAI,iBAAiB,gBAAA,EAAkB;AACrC,MAAA,OAAOA,sBAAAA,CAAa,IAAA;AAAA,QAClB;AAAA,UACE,OAAO,KAAA,CAAM,IAAA;AAAA,UACb,mBAAmB,KAAA,CAAM;AAAA,SAC3B;AAAA,QACA,EAAE,MAAA,EAAQ,aAAA,CAAc,KAAA,CAAM,IAA4B,CAAA;AAAE,OAC9D;AAAA,IACF;AAEA,IAAA,MAAM,KAAA;AAAA,EACR;AACF,CAAA;AAEF,eAAe,kBACb,GAAA,EACgD;AAChD,EAAA,IAAI,GAAA,CAAI,WAAW,MAAA,EAAQ;AACzB,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,MAAM,IAAA,GAAO,MAAM,YAAA,CAAa,GAAG,CAAA;AACnC,EAAA,IAAI,CAAC,QAAA,CAAS,IAAI,CAAA,EAAG;AACnB,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,MAAM,UAAqC,EAAC;AAC5C,EAAA,MAAM,MAAA,GAAS,SAAA,CAAU,IAAA,CAAK,MAAM,CAAA;AAEpC,EAAA,IAAI,OAAO,IAAA,CAAK,OAAA,KAAY,SAAA,EAAW;AACrC,IAAA,OAAA,CAAQ,UAAU,IAAA,CAAK,OAAA;AAAA,EACzB;AAEA,EAAA,IAAI,OAAO,IAAA,CAAK,sBAAA,KAA2B,QAAA,EAAU;AACnD,IAAA,OAAA,CAAQ,yBAAyB,IAAA,CAAK,sBAAA;AAAA,EACxC;AAEA,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,OAAA,CAAQ,MAAA,GAAS,MAAA;AAAA,EACnB;AAEA,EAAA,OAAO,OAAA;AACT;AAEA,eAAe,aAAa,GAAA,EAAgC;AAC1D,EAAA,IAAI;AACF,IAAA,OAAO,MAAM,IAAI,IAAA,EAAK;AAAA,EACxB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AAEA,SAAS,UAAU,KAAA,EAAoD;AACrE,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,IACE,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,IACnB,KAAA,CAAM,KAAA,CAAM,CAAC,KAAA,KAAU,OAAO,KAAA,KAAU,QAAQ,CAAA,EAChD;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAEA,SAAS,SAAS,KAAA,EAAkD;AAClE,EAAA,OAAO,OAAA,CAAQ,KAAA,IAAS,OAAO,KAAA,KAAU,QAAQ,CAAA;AACnD;AAEA,SAAS,cAAc,IAAA,EAAoC;AACzD,EAAA,QAAQ,IAAA;AAAM,IACZ,KAAA,qBAAA;AAAA,IACA,KAAA,0BAAA;AAAA,IACA,KAAA,2BAAA;AAAA,IACA,KAAA,0BAAA;AACE,MAAA,OAAO,GAAA;AAAA,IACT,KAAA,wBAAA;AACE,MAAA,OAAO,GAAA;AAAA,IACT,KAAA,0BAAA;AACE,MAAA,OAAO,GAAA;AAAA;AAEb;;;ACxEO,IAAM,kBAAN,MAA0D;AAAA,EAC9C,QAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQjB,YAAY,MAAA,EAAwB;AAClC,IAAA,IAAA,CAAK,QAAA,GAAW,aAAa,MAAM,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAA,GAAS;AACX,IAAA,OAAO,KAAK,QAAA,CAAS,MAAA;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,UAAA,CAAW,OAAA,GAAyC,EAAC,EAAG;AACtD,IAAA,OAAO,OAAO,OAAA,KAAwC;AACpD,MAAA,MAAM,EAAE,QAAA,EAAS,GAAI,IAAI,GAAA,CAAI,QAAQ,GAAG,CAAA;AACxC,MAAA,MAAM,EAAE,MAAA,EAAO,GAAI,IAAA,CAAK,MAAA;AAExB,MAAA,IAAI,QAAA,KAAa,OAAO,KAAA,EAAO;AAC7B,QAAA,OAAO,IAAA,CAAK,WAAA,CAAY,OAAA,CAAQ,KAAK,EAAE,OAAO,CAAA;AAAA,MAChD;AAEA,MAAA,IAAI,QAAA,KAAa,OAAO,QAAA,EAAU;AAChC,QAAA,OAAO,IAAA,CAAK,cAAA,CAAe,OAAA,CAAQ,QAAQ,EAAE,OAAO,CAAA;AAAA,MACtD;AAEA,MAAA,IAAI,QAAA,KAAa,OAAO,MAAA,EAAQ;AAC9B,QAAA,OAAO,IAAA,CAAK,YAAA,CAAa,OAAA,CAAQ,MAAM,EAAE,OAAO,CAAA;AAAA,MAClD;AAEA,MAAA,IAAI,QAAA,KAAa,OAAO,OAAA,EAAS;AAC/B,QAAA,OAAO,IAAA,CAAK,aAAA,CAAc,OAAA,CAAQ,OAAO,EAAE,OAAO,CAAA;AAAA,MACpD;AAEA,MAAA,IAAI,QAAA,KAAa,OAAO,WAAA,EAAa;AACnC,QAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,OAAA,CAAQ,WAAW,EAAE,OAAO,CAAA;AAAA,MAC5D;AAEA,MAAA,OAAOA,sBAAAA,CAAa,IAAA;AAAA,QAClB;AAAA,UACE,KAAA,EAAO,UAAA;AAAA,UACP,iBAAA,EAAmB,yCAAyC,QAAQ,CAAA,CAAA;AAAA,SACtE;AAAA,QACA,EAAE,QAAQ,GAAA;AAAI,OAChB;AAAA,IACF,CAAA;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,OAAA,EAAwB;AAClC,IAAA,OAAO,mBAAA,CAAoB,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAO,CAAA;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA,EAKA,eAAe,OAAA,EAA2B;AACxC,IAAA,OAAO,sBAAA,CAAmC,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAO,CAAA;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,OAAA,EAAyB;AACpC,IAAA,OAAO,oBAAA,CAAiC,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAO,CAAA;AAAA,EAChE;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,OAAA,EAAsC;AAClD,IAAA,OAAO,qBAAA,CAAkC,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAO,CAAA;AAAA,EACjE;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAkB,OAAA,EAA8B;AAC9C,IAAA,OAAO,yBAAA,CAAsC,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAO,CAAA;AAAA,EACrE;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,YAAY;AACvB,IAAA,OAAO,mBAAA,CAAgC,IAAA,CAAK,MAAM,CAAA,CAAE,GAAA,EAAI;AAAA,EAC1D,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,cAAA,GAAiB,CAAC,OAAA,KAAoC;AACpD,IAAA,OAAO,qBAAA,CAAkC,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAO,CAAA;AAAA,EACjE,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,KAAA,GAAQ,OACN,OAAA,EACA,OAAA,GAAwB,EAAC,KACS;AAClC,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA;AAE/B,IAAA,IAAI,YAAY,GAAA,CAAI,QAAA,EAAU,IAAA,CAAK,MAAA,CAAO,MAAM,CAAA,EAAG;AACjD,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,IAAI,YAAA,CAAa,GAAA,CAAI,QAAA,EAAU,OAAA,CAAQ,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,QAAA,GAAWA,uBAAa,IAAA,EAAK;AACnC,IAAA,MAAM,YAAA,GAAe,mBAAA;AAAA,MACnB,IAAA,CAAK,MAAA;AAAA,MACL,OAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,MAAM,OAAA,GAAU,MAAM,YAAA,CAAa,GAAA,EAAI;AAEvC,IAAA,IAAI,CAAC,SAAS,IAAA,EAAM;AAClB,MAAA,MAAM,WACJ,OAAO,OAAA,CAAQ,QAAA,KAAa,UAAA,GACxB,MAAM,OAAA,CAAQ,QAAA,CAAS,OAAO,CAAA,GAC9B,QAAQ,QAAA,IAAY,CAAA,EAAG,IAAI,QAAQ,CAAA,EAAG,IAAI,MAAM,CAAA,CAAA;AAEtD,MAAA,OAAOA,sBAAAA,CAAa,QAAA;AAAA,QAClB,IAAI,GAAA;AAAA,UACF,CAAA,EAAG,KAAK,MAAA,CAAO,MAAA,CAAO,KAAK,CAAA,UAAA,EAAa,kBAAA,CAAmB,QAAQ,CAAC,CAAA,CAAA;AAAA,UACpE,GAAA,CAAI;AAAA;AACN,OACF;AAAA,IACF;AAEA,IAAA,MAAM,aAAa,KAAA,EAAM;AACzB,IAAA,OAAO,QAAA;AAAA,EACT,CAAA;AACF;AASO,SAAS,WACd,MAAA,EACA;AACA,EAAA,OAAO,IAAI,gBAA4B,MAAM,CAAA;AAC/C;AAIA,SAAS,WAAA,CAAY,UAAkB,MAAA,EAA6B;AAClE,EAAA,OAAO;AAAA,IACL,MAAA,CAAO,KAAA;AAAA,IACP,MAAA,CAAO,QAAA;AAAA,IACP,MAAA,CAAO,MAAA;AAAA,IACP,MAAA,CAAO,OAAA;AAAA,IACP,MAAA,CAAO;AAAA,GACT,CAAE,SAAS,QAAQ,CAAA;AACrB;AAEA,SAAS,YAAA,CACP,QAAA,EACA,WAAA,GAA2C,EAAC,EACnC;AACT,EAAA,OAAO,WAAA,CAAY,IAAA;AAAA,IAAK,CAAC,IAAA,KACvB,OAAO,IAAA,KAAS,QAAA,GAAW,QAAA,CAAS,UAAA,CAAW,IAAI,CAAA,GAAI,IAAA,CAAK,IAAA,CAAK,QAAQ;AAAA,GAC3E;AACF","file":"client.cjs","sourcesContent":["function appendCause(errorMessage: string, cause?: Error): string {\n if (!cause) return errorMessage;\n const separator = errorMessage.endsWith('.') ? '' : '.';\n return `${errorMessage}${separator} CAUSE: ${cause.message}`;\n}\n\ntype AuthErrorOptions = {\n code: string;\n message: string;\n name: string;\n cause?: Error;\n status?: number;\n};\n\n/*\n The base class for all SDK errors.\n \n Subclasses expose stable machine-readable codes for application-level error\n * handling.\n /\nexport abstract class AuthError extends Error {\n /\n A machine-readable error code that remains stable within a major version of the SDK. You\n * should rely on this error code to handle errors. In contrast, the error message is not part of\n * the API and can change anytime. Do not parse or otherwise rely on the error message to\n * handle errors.\n /\n public readonly code: string;\n\n /\n The error class name.\n /\n public readonly name: string;\n\n /\n The underlying error, if any.\n \n IMPORTANT When this error is from the Identity Provider ({@link IdentityProviderError}) it can contain user\n * input and is only escaped using basic escaping for putting untrusted data directly into the HTML body.\n \n You should not render this error without using a templating engine that will properly escape it for other\n * HTML contexts first.\n /\n public readonly cause?: Error;\n\n /\n The HTTP status code, if any.\n /\n public readonly status?: number;\n\n /\n @param options - Error metadata used by SDK-specific subclasses.\n /\n constructor(options: AuthErrorOptions) {\n / c8 ignore next /\n super(appendCause(options.message, options.cause));\n this.code = options.code;\n this.name = options.name;\n this.cause = options.cause;\n this.status = options.status;\n }\n}\n","import { AuthError } from './auth';\n\n/\n Error codes for {@link AccessTokenError}.\n /\nexport enum AccessTokenErrorCode {\n /* No valid session was available. /\n MISSING_SESSION = 'ERR_MISSING_SESSION',\n\n /* Session exists but does not contain an access token. /\n MISSING_ACCESS_TOKEN = 'ERR_MISSING_ACCESS_TOKEN',\n\n /* Refresh was required but no refresh token was stored. /\n MISSING_REFRESH_TOKEN = 'ERR_MISSING_REFRESH_TOKEN',\n\n /* Access token is expired and cannot be returned as-is. /\n EXPIRED_ACCESS_TOKEN = 'ERR_EXPIRED_ACCESS_TOKEN',\n\n /* Access token does not include the requested scopes. /\n INSUFFICIENT_SCOPE = 'ERR_INSUFFICIENT_SCOPE',\n\n /* Refresh token grant failed or returned an invalid response. /\n FAILED_REFRESH_GRANT = 'ERR_FAILED_REFRESH_GRANT',\n}\n\n/\n Error thrown when an access token cannot be returned or refreshed.\n \n Use {@link AccessTokenError.code} for stable error handling.\n /\nexport class AccessTokenError extends AuthError {\n /\n @param code - Stable machine-readable error code.\n * @param message - Human-readable diagnostic message.\n * @param cause - Optional lower-level error.\n /\n constructor(code: AccessTokenErrorCode, message: string, cause?: Error) {\n / c8 ignore next /\n super({ code: code, message: message, name: 'AccessTokenError', cause });\n\n Error.captureStackTrace(this, this.constructor);\n Object.setPrototypeOf(this, AccessTokenError.prototype);\n }\n}\n","import type { Config } from '../config/types';\n\n/\n Password map format expected by `iron-session`.\n \n Higher numeric keys represent newer secrets.\n /\nexport type Secrets = Record<number, string>;\n\n/\n Converts configured secrets into the rotation map used to seal and unseal\n * `iron-session` cookies.\n \n @param config - Validated auth configuration.\n /\nexport function getSecrets(config: Config): Secrets {\n const secretsArray = Array.isArray(config.secret)\n ? config.secret\n : [config.secret];\n\n const secrets: Secrets = {};\n secretsArray.forEach((secret, index) => {\n secrets[secretsArray.length - index] = secret;\n });\n\n return secrets;\n}\n","import { parse, serialize, type SerializeOptions } from 'cookie';\nimport { cookies } from 'next/headers.js';\n\ninterface CookieListItem\n extends Pick<SerializeOptions, 'domain' \| 'path' \| 'sameSite' \| 'secure'> {\n name: string;\n value: string;\n}\n\ntype ResponseCookie = CookieListItem &\n Pick<SerializeOptions, 'httpOnly' \| 'maxAge' \| 'priority'>;\n\n/\n Minimal cookie API shared by `next/headers` cookies and request/response\n * adapters used in route handlers and proxy.\n /\nexport interface CookieStore {\n get: (name: string) => { name: string; value: string } \| undefined;\n set: {\n (name: string, value: string, cookie?: Partial<ResponseCookie>): void;\n (options: ResponseCookie): void;\n };\n}\n\n/\n Returns a cookie store for the current execution context.\n \n Without a request it delegates to Next.js `cookies()`. With a request it\n * adapts Web `Request`/`Response` objects so session updates can append\n * `Set-Cookie` headers.\n /\nexport async function cookieFactory(\n req?: Request,\n res?: Response,\n): Promise<CookieStore> {\n if (req) {\n return new HttpCookieStore(req, res);\n }\n\n return cookies();\n}\n\n/\n Cookie store adapter for Web `Request` and `Response` objects.\n /\nexport class HttpCookieStore implements CookieStore {\n constructor(\n readonly req: Request,\n readonly res?: Response,\n ) {}\n\n get(cookieName: string): { name: string; value: string } \| undefined {\n const value = parse(this.req.headers.get('cookie') ?? '')[cookieName];\n\n return value === undefined ? undefined : { name: cookieName, value };\n }\n\n set(name: string, value: string, cookie?: Partial<ResponseCookie>): void;\n set(options: ResponseCookie): void;\n set(\n nameOrOptions: string \| ResponseCookie,\n value?: string,\n cookie?: Partial<ResponseCookie>,\n ) {\n if (typeof nameOrOptions === 'string') {\n return this.setCookie(nameOrOptions, value as string, cookie);\n }\n\n return this.setCookie(\n nameOrOptions.name,\n nameOrOptions.value,\n nameOrOptions,\n );\n }\n\n private setCookie(\n name: string,\n value: string,\n cookie?: Partial<ResponseCookie>,\n ) {\n if (!this.res) {\n return;\n }\n\n const cookieValue = serialize(name, value, cookie);\n\n this.res.headers.append('set-cookie', cookieValue);\n }\n}\n","import type { TokenEndpointResponse } from '../oauth/types';\nimport type {\n Claims,\n IdTokenClaims,\n SessionAuthentication,\n SessionAuthorization,\n SessionInterface,\n UserProfile,\n} from './types';\n\n/\n Serializable session payload stored across sealed cookies.\n /\nexport type SerializedSession<UserClaims extends Claims = Claims> =\n SessionInterface<UserClaims> & {\n authentication?: SessionAuthentication;\n authorization?: SessionAuthorization;\n };\n\n/\n The user's session.\n \n The public session shape combines the base user claims cookie with optional\n * authentication and authorization cookies.\n \n @category Server\n /\nexport class Session<UserClaims extends Claims = Claims>\n implements SessionInterface<UserClaims>\n{\n /\n The authenticated user (claims from the `id_token`)\n /\n user: UserProfile<UserClaims>;\n\n /\n A timestamp when authentication / session occurred\n /\n issuedAt: number;\n\n /\n A timestamp when authentication / session was last updated (touched)\n /\n updatedAt: number;\n\n /\n A timestamp when the authentication / session is set to expire\n /\n expiresAt: number;\n\n /\n OAuth access-token state stored separately from the base session payload.\n /\n authorization?: SessionAuthorization;\n\n /\n OIDC authentication token state stored separately from the base session\n * payload.\n /\n authentication?: SessionAuthentication;\n\n [key: string]: any;\n\n /\n Creates a normalized session object from sealed cookie payloads.\n /\n constructor(props: SerializedSession<UserClaims>) {\n this.user = props.user;\n this.issuedAt = props.issuedAt;\n this.updatedAt = props.updatedAt;\n this.expiresAt = props.expiresAt;\n this.authentication = props.authentication;\n this.authorization = props.authorization;\n }\n}\n\n/\n Converts an OIDC token endpoint response into the session model stored in\n * sealed cookies.\n \n @param tokenEndpointResponse - Token endpoint response returned by\n * `openid-client`.\n /\nexport function fromTokenEndpointResponse<UserClaims extends Claims = Claims>(\n tokenEndpointResponse: TokenEndpointResponse,\n): Session<UserClaims> {\n const { iat, exp, aud, iss, nonce, ...user } = decodeJwt<IdTokenClaims>(\n tokenEndpointResponse.id_token as string,\n );\n\n const {\n id_token,\n access_token,\n scope,\n expires_in,\n expires_at,\n refresh_token,\n token_type,\n ...remainder\n } = tokenEndpointResponse;\n\n const authorization = access_token\n ? {\n accessToken: access_token,\n scope,\n expiresAt: Math.floor(Date.now() / 1000) + Number(expires_in),\n refreshToken: refresh_token,\n type: token_type,\n }\n : undefined;\n\n const authentication = id_token\n ? {\n idToken: id_token,\n }\n : undefined;\n\n return Object.assign(\n new Session({\n user: user as UserProfile<UserClaims>,\n issuedAt: iat,\n updatedAt: iat,\n expiresAt: exp,\n authorization,\n authentication,\n }),\n remainder,\n );\n}\n\nfunction decodeJwt<TClaims>(jwt: string): TClaims {\n const [, payload] = jwt.split('.');\n\n if (!payload) {\n throw new TypeError('Invalid JWT payload.');\n }\n\n const normalized = payload.replace(/-/g, '+').replace(/_/g, '/');\n const padded = normalized.padEnd(\n normalized.length + ((4 - (normalized.length % 4)) % 4),\n '=',\n );\n\n const decoded =\n typeof atob === 'function'\n ? atob(padded)\n : Buffer.from(padded, 'base64').toString('binary');\n\n const json = decodeURIComponent(\n Array.from(\n decoded,\n (char) => `%${char.charCodeAt(0).toString(16).padStart(2, '0')}`,\n ).join(''),\n );\n\n return JSON.parse(json) as TClaims;\n}\n","export const assertBoolean = (bool: boolean, msg: string) => {\n if (!bool) {\n throw new Error(msg);\n }\n};\n","export const epoch = (): number => (Date.now() / 1000) \| 0;\n","import type { Config } from '../../config/types';\nimport { assertBoolean } from '../assert';\nimport type { Session } from '../model';\nimport type { Claims } from '../types';\nimport { epoch } from '../utils';\nimport type { SessionStoreInterface } from './types';\n\n/\n Base session store behavior shared by concrete storage implementations.\n \n The base class enforces absolute and idle expiry before returning a session.\n /\nexport abstract class AbstractSessionStore<UserClaims extends Claims = Claims>\n implements SessionStoreInterface<UserClaims>\n{\n constructor(protected readonly config: Config) {}\n\n protected abstract _get(): Promise<Session<UserClaims> \| undefined>;\n protected abstract _set(session: Session<UserClaims>): Promise<void>;\n protected abstract _delete(): Promise<void>;\n\n /\n Reads and validates the current session.\n \n @returns The session, or `undefined` when missing, expired, or malformed.\n /\n public async get(): Promise<Session<UserClaims> \| undefined> {\n const { absoluteDuration, idleDuration } = this.config.session;\n const now = epoch();\n\n try {\n const session = await this._get();\n\n if (session) {\n assertBoolean(\n session.expiresAt > now,\n 'it is expired based on the effective session expiry',\n );\n\n if (idleDuration !== false) {\n assertBoolean(\n session.updatedAt + idleDuration > now,\n 'it is expired based on current idleDuration rules',\n );\n }\n\n if (absoluteDuration !== false) {\n assertBoolean(\n session.issuedAt + absoluteDuration > now,\n 'it is expired based on current absoluteDuration rules',\n );\n }\n\n return session;\n }\n } catch {\n return undefined;\n }\n\n return undefined;\n }\n\n /\n Persists a complete session.\n /\n async set(session: Session<UserClaims>): Promise<void> {\n session.expiresAt = calculateExp(session.updatedAt, this.config, {\n issuedAt: session.issuedAt,\n });\n await this._set(session);\n }\n\n /\n Clears the session from the backing store.\n /\n async delete(): Promise<void> {\n await this._delete();\n }\n\n /\n Updates idle expiry timestamps and persists the session.\n \n When idle sessions are disabled, this returns the current session\n * without modifying cookies.\n /\n async touch(): Promise<Session<UserClaims> \| undefined> {\n const session = await this.get();\n if (!session) {\n return;\n }\n\n if (this.config.session.idleDuration === false) {\n return session;\n }\n\n const updatedAt = epoch();\n const expiresAt = calculateExp(updatedAt, this.config, {\n issuedAt: session.issuedAt,\n });\n\n session.updatedAt = updatedAt;\n session.expiresAt = expiresAt;\n\n await this.set(session);\n\n return session;\n }\n}\n\nfunction calculateExp(\n updatedAt: number,\n config: Config,\n session: Pick<Session, 'issuedAt'>,\n): number {\n const { absoluteDuration, idleDuration } = config.session;\n const candidates: number[] = [];\n\n if (idleDuration !== false) {\n candidates.push(updatedAt + idleDuration);\n }\n\n if (absoluteDuration !== false) {\n candidates.push(session.issuedAt + absoluteDuration);\n }\n\n return Math.min(...candidates);\n}\n","import type { SerializeOptions } from 'cookie';\nimport { getIronSession, type IronSession } from 'iron-session';\nimport type { Config } from '../../config/types';\nimport { getSecrets, type Secrets } from '../../crypto/secrets';\nimport { type CookieStore, cookieFactory } from '../../http/cookies';\nimport { Session } from '../model';\nimport type {\n AnyRequest,\n AnyResponse,\n Claims,\n SessionAuthentication,\n SessionAuthorization,\n SessionInterface,\n SessionPart,\n} from '../types';\nimport { AbstractSessionStore } from './abstract-store';\nimport type { SessionStoreInterface } from './types';\n\ntype CookieType = 'Session' \| 'Authorization' \| 'Authentication';\n\ntype IronSessionPayload<Payload> = {\n data: Payload;\n};\n\n/\n Creates the default stateless session store.\n \n @param config - Validated auth configuration.\n * @param request - Optional request used to read cookies outside\n * `next/headers`.\n * @param response - Optional response used to write `Set-Cookie` headers.\n /\nexport function sessionStoreFactory<UserClaims extends Claims>(\n config: Config,\n request?: AnyRequest,\n response?: AnyResponse,\n): SessionStoreInterface<UserClaims> {\n return new NewStatelessSessionStore(config, request, response);\n}\n\n/\n Stateless session store backed by three sealed `iron-session` cookies.\n /\nexport class NewStatelessSessionStore<\n UserClaims extends Claims,\n> extends AbstractSessionStore<UserClaims> {\n private readonly secrets: Secrets;\n private readonly cookieName: string;\n private readonly cookieOptions: SerializeOptions;\n\n constructor(\n config: Config,\n request: AnyRequest \| undefined = undefined,\n response: AnyResponse \| undefined = undefined,\n private readonly cookieStore: (\n config: Config,\n ) => CookieStore \| Promise<CookieStore> = () =>\n cookieFactory(request, response),\n ) {\n super(config);\n\n this.cookieName = config.session.name;\n this.cookieOptions = {\n ...config.session.cookie,\n httpOnly: true,\n };\n\n this.secrets = getSecrets(config);\n }\n\n async _get(): Promise<Session<UserClaims> \| undefined> {\n const [session, authorization, authentication] = await this.getAllCookies();\n\n if (!session.data) {\n return undefined;\n }\n\n return new Session({\n ...session.data,\n authorization: authorization.data \|\| undefined,\n authentication: authentication.data \|\| undefined,\n });\n }\n\n async _set(payload: Session<UserClaims>): Promise<void> {\n const [session, authorization, authentication] = await this.getAllCookies();\n\n const {\n user,\n issuedAt,\n updatedAt,\n expiresAt,\n authorization: authz,\n authentication: authn,\n } = payload;\n\n session.data = { user, issuedAt, updatedAt, expiresAt };\n authentication.data = authn;\n authorization.data = authz;\n\n await Promise.all([\n session.save(),\n authorization.save(),\n authentication.save(),\n ]);\n }\n\n async _delete(): Promise<void> {\n const [session, authorization, authentication] = await this.getAllCookies();\n\n await Promise.all([\n session.destroy(),\n authorization.destroy(),\n authentication.destroy(),\n ]);\n }\n\n private async getAllCookies() {\n return await Promise.all([\n this.getCookie<SessionInterface<UserClaims>>('Session'),\n this.getCookie<SessionAuthorization>('Authorization'),\n this.getCookie<SessionAuthentication>('Authentication'),\n ]);\n }\n\n private async getCookie<S extends SessionPart>(\n type: CookieType,\n ): Promise<IronSession<Partial<IronSessionPayload<S \| undefined \| null>>>> {\n const ironSession = await getIronSession<\n IronSessionPayload<S \| undefined \| null>\n >(await this.cookieStore(this.config), {\n cookieName: `${this.cookieName}.${type}`,\n password: this.secrets,\n cookieOptions: this.cookieOptions,\n });\n\n return ironSession;\n }\n}\n","import as oidc from 'openid-client';\nimport type { Config } from '../config/types';\n\n/*\n Discovers the provider metadata and returns an `openid-client`\n * configuration for the current auth client.\n \n Localhost issuers are allowed to use insecure HTTP so local identity-provider\n * development remains possible.\n \n @param config - Validated auth configuration.\n /\nexport async function discoverOIDC(\n config: Config,\n): Promise<oidc.Configuration> {\n const isLocalDevelopment =\n config.issuerBaseURL.includes('localhost') \|\|\n config.issuerBaseURL.includes('127.0.0.1');\n\n return await oidc.discovery(\n new URL(config.issuerBaseURL),\n config.clientId,\n config.clientSecret,\n undefined,\n isLocalDevelopment\n ? {\n execute: [oidc.allowInsecureRequests],\n }\n : undefined,\n );\n}\n","import { AccessTokenError, AccessTokenErrorCode } from '../errors/access-token';\nimport type { MondoInstance } from '../core/instance';\nimport type { Session } from '../session/model';\nimport { sessionStoreFactory } from '../session/stores/stateless-store';\nimport type { Claims, SessionAuthorization } from '../session/types';\nimport { epoch } from '../session/utils';\nimport { discoverOIDC } from './oidc';\n\nexport type AccessTokenResult = {\n /* Bearer token value returned by the identity provider. /\n accessToken: string;\n\n /* Epoch seconds when the access token expires. /\n expiresAt: number;\n\n /* Space-delimited scopes granted to the access token. /\n scope?: string;\n\n /* Token type returned by the identity provider, usually `Bearer`. /\n type?: string;\n};\n\nexport type GetAccessTokenOptions = {\n /\n Refresh even when the current access token is still valid.\n /\n refresh?: boolean;\n\n /\n Required scopes for the returned access token.\n /\n scopes?: string \| Array<string>;\n\n /\n Number of seconds before expiry that should be treated as already expired.\n /\n refreshBeforeExpiresIn?: number;\n};\n\nexport type GetAccessToken = (\n options?: GetAccessTokenOptions,\n) => Promise<AccessTokenResult>;\n\n/\n Creates a server-side access-token getter bound to one auth client instance.\n \n The getter returns the current sealed-cookie access token when it is valid for\n * the requested scopes. If it is expired, explicitly refreshed, or missing the\n * requested scopes, the getter uses the stored refresh token and persists the\n * refreshed authorization payload back to the session cookies.\n \n @param instance - Validated auth client instance.\n /\nexport function getAccessTokenFactory<UserClaims extends Claims>(\n instance: MondoInstance,\n): GetAccessToken {\n return async (options = {}) => {\n const sessionStore = sessionStoreFactory<UserClaims>(instance.config);\n const session = await sessionStore.get();\n\n if (!session?.user) {\n throw new AccessTokenError(\n AccessTokenErrorCode.MISSING_SESSION,\n 'A session is required to get an access token.',\n );\n }\n\n const authorization = session.authorization;\n if (!authorization?.accessToken) {\n throw new AccessTokenError(\n AccessTokenErrorCode.MISSING_ACCESS_TOKEN,\n 'The session does not contain an access token.',\n );\n }\n\n if (canUseAccessToken(authorization, options)) {\n return toAccessTokenResult(authorization);\n }\n\n if (!authorization.refreshToken) {\n throw new AccessTokenError(\n isExpired(authorization, options)\n ? AccessTokenErrorCode.EXPIRED_ACCESS_TOKEN\n : AccessTokenErrorCode.INSUFFICIENT_SCOPE,\n 'The access token cannot be refreshed because the session does not contain a refresh token.',\n );\n }\n\n return refreshAccessToken(instance, session, options);\n };\n}\n\nasync function refreshAccessToken<UserClaims extends Claims>(\n instance: MondoInstance,\n session: Session<UserClaims>,\n options: GetAccessTokenOptions,\n): Promise<AccessTokenResult> {\n const oidc = await import('openid-client');\n const authorization = session.authorization;\n\n if (!authorization?.refreshToken) {\n throw new AccessTokenError(\n AccessTokenErrorCode.MISSING_REFRESH_TOKEN,\n 'The session does not contain a refresh token.',\n );\n }\n\n try {\n const params = getRefreshParameters(options);\n const tokens = await oidc.refreshTokenGrant(\n await discoverOIDC(instance.config),\n authorization.refreshToken,\n params,\n );\n\n if (!tokens.access_token) {\n throw new AccessTokenError(\n AccessTokenErrorCode.FAILED_REFRESH_GRANT,\n 'The refresh grant did not return an access token.',\n );\n }\n\n const refreshedAuthorization: SessionAuthorization = {\n accessToken: tokens.access_token,\n expiresAt:\n epoch() +\n Number(tokens.expires_in ?? authorization.expiresAt - epoch()),\n scope:\n tokens.scope ?? normalizeScopes(options.scopes) ?? authorization.scope,\n refreshToken: tokens.refresh_token ?? authorization.refreshToken,\n type: tokens.token_type ?? authorization.type,\n };\n\n session.authorization = refreshedAuthorization;\n await sessionStoreFactory<UserClaims>(instance.config).set(session);\n\n return toAccessTokenResult(refreshedAuthorization);\n } catch (error) {\n if (error instanceof AccessTokenError) {\n throw error;\n }\n\n throw new AccessTokenError(\n AccessTokenErrorCode.FAILED_REFRESH_GRANT,\n 'The refresh grant failed.',\n error instanceof Error ? error : undefined,\n );\n }\n}\n\nfunction canUseAccessToken(\n authorization: SessionAuthorization,\n options: GetAccessTokenOptions,\n): boolean {\n return (\n options.refresh !== true &&\n !isExpired(authorization, options) &&\n hasScopes(authorization.scope, options.scopes)\n );\n}\n\nfunction isExpired(\n authorization: SessionAuthorization,\n options: GetAccessTokenOptions,\n): boolean {\n const skew = options.refreshBeforeExpiresIn ?? 60;\n return authorization.expiresAt <= epoch() + skew;\n}\n\nfunction hasScopes(\n grantedScope: string \| undefined,\n requiredScopes: string \| Array<string> \| undefined,\n): boolean {\n const required = normalizeScopes(requiredScopes);\n if (!required) {\n return true;\n }\n\n const granted = new Set((grantedScope ?? '').split(/\\s+/).filter(Boolean));\n return required.split(/\\s+/).every((scope) => granted.has(scope));\n}\n\nfunction getRefreshParameters(\n options: GetAccessTokenOptions,\n): URLSearchParams \| undefined {\n const scope = normalizeScopes(options.scopes);\n if (!scope) {\n return undefined;\n }\n\n const params = new URLSearchParams();\n params.set('scope', scope);\n return params;\n}\n\nfunction normalizeScopes(scopes: string \| Array<string> \| undefined) {\n if (Array.isArray(scopes)) {\n return scopes.join(' ');\n }\n\n return scopes;\n}\n\nfunction toAccessTokenResult(\n authorization: SessionAuthorization,\n): AccessTokenResult {\n return {\n accessToken: authorization.accessToken,\n expiresAt: authorization.expiresAt,\n scope: authorization.scope,\n type: authorization.type,\n };\n}\n","import { AuthError } from './auth';\n\n/\n Standard Schema V1 path segment shape.\n /\nexport interface ConfigIssuePathSegment {\n readonly key: PropertyKey;\n}\n\n/\n Standard Schema V1 issue shape returned by configuration validation.\n /\nexport interface ConfigIssue {\n readonly message: string;\n readonly path?: readonly (PropertyKey \| ConfigIssuePathSegment)[] \| undefined;\n}\n\n/\n Error thrown when auth configuration validation fails.\n /\nexport class ConfigError extends AuthError {\n public static readonly code = 'ERR_CONFIG_VALIDATION';\n\n /\n Standard Schema validation issues for the invalid configuration.\n /\n public readonly issues: readonly ConfigIssue[];\n\n /\n @param issues - Standard Schema validation issues.\n /\n constructor(issues: readonly ConfigIssue[]) {\n super({\n code: ConfigError.code,\n message: `Invalid @go-mondo/nextjs-auth configuration:\\n${formatIssues(\n issues,\n )}`,\n name: 'ConfigError',\n });\n\n this.issues = issues;\n\n Error.captureStackTrace(this, this.constructor);\n Object.setPrototypeOf(this, ConfigError.prototype);\n }\n}\n\nfunction formatIssues(issues: readonly ConfigIssue[]): string {\n return issues\n .map((issue) => {\n const path = issue.path?.length\n ? issue.path.map(formatPathSegment).join('.')\n : 'config';\n return `- ${path}: ${issue.message}`;\n })\n .join('\\n');\n}\n\nfunction formatPathSegment(\n segment: NonNullable<ConfigIssue['path']>[number],\n): string {\n return typeof segment === 'object' && segment !== null && 'key' in segment\n ? String(segment.key)\n : String(segment);\n}\n","/\n Built-in auth route defaults used by both server configuration and\n * browser-safe client helpers.\n /\nexport const DEFAULT_ROUTES = {\n login: '/auth/login',\n callback: '/auth/callback',\n logout: '/auth/logout',\n session: '/auth/session',\n accessToken: '/auth/access-token',\n postLogoutRedirect: '/',\n} as const;\n\n/\n Returns the session route that browser code can safely call.\n \n The full server configuration reads secret-bearing environment variables, so\n * client hooks use the public session route override instead.\n /\nexport function getPublicSessionRoute(): string {\n return typeof process === 'undefined'\n ? DEFAULT_ROUTES.session\n : process.env.NEXT_PUBLIC_SESSION_ROUTE \|\| DEFAULT_ROUTES.session;\n}\n\n/\n Returns the access-token route that browser code can safely call.\n \n The full server configuration may read secret-bearing environment variables,\n * so client hooks use the public access-token route override instead.\n /\nexport function getPublicAccessTokenRoute(): string {\n return typeof process === 'undefined'\n ? DEFAULT_ROUTES.accessToken\n : process.env.NEXT_PUBLIC_ACCESS_TOKEN_ROUTE \|\| DEFAULT_ROUTES.accessToken;\n}\n","import { z } from 'zod';\n\nconst RelativePathSchema = z\n .string()\n .startsWith('/', 'Must start with \"/\".')\n .refine((value) => !value.includes('//'), 'Must not contain \"//\".')\n .describe(\n 'An application-relative path, such as \"/auth/login\". Double slashes are not allowed.',\n );\n\nconst StringUrlSchema = z\n .string()\n .url()\n .transform((value) => value.replace(/\\/+$/, ''))\n .describe('An absolute URL. Trailing slashes are removed after parsing.');\n\nconst AuthorizationParamValueSchema = z.union([\n z.string(),\n z.number(),\n z.boolean(),\n]);\n\nconst SessionSchema = z\n .object({\n name: z\n .string()\n .optional()\n .default('Mondo')\n .describe('Cookie name prefix used for the session cookie set.'),\n idleDuration: z\n .union([z.number().positive(), z.literal(false)])\n .default(24 60 * 60)\n .describe(\n 'Idle session duration in seconds. Set to false to disable activity-based session extension.',\n ),\n absoluteDuration: z\n .union([z.number().positive(), z.literal(false)])\n .default(false)\n .describe(\n 'Absolute session duration in seconds from login. Set to false to disable a hard maximum lifetime.',\n ),\n cookie: z\n .object({\n domain: z\n .string()\n .optional()\n .describe('Optional domain shared by session cookies.'),\n path: RelativePathSchema.optional()\n .default('/')\n .describe('Path scope for session cookies.'),\n httpOnly: z\n .boolean()\n .optional()\n .default(true)\n .describe('Always true for server-managed authentication cookies.'),\n sameSite: z\n .enum(['lax', 'strict', 'none'])\n .optional()\n .default('lax')\n .describe('SameSite policy used for session cookies.'),\n secure: z\n .boolean()\n .default(true)\n .describe('Whether session cookies require HTTPS.'),\n })\n .describe('Cookie options for the tamper-proof iron-session cookies.'),\n })\n .refine(\n (session) =>\n session.idleDuration !== false \|\| session.absoluteDuration !== false,\n 'At least one of idleDuration or absoluteDuration must be enabled.',\n )\n .describe('Application session storage and expiration settings.');\n\nconst Schema = z\n .object({\n authorization: z\n .object({\n response_type: z\n .enum(['code'])\n .default('code')\n .describe(\n 'OAuth response type. This SDK uses authorization code flow.',\n ),\n scope: z\n .string()\n .default('openid profile email')\n .describe('Default scopes requested during login.'),\n response_mode: z\n .enum(['query', 'form_post'])\n .default('query')\n .describe(\n 'How the authorization response is returned to the callback.',\n ),\n audience: z\n .string()\n .optional()\n .describe('Optional API audience for access token issuance.'),\n display: z\n .enum(['page', 'popup', 'touch', 'wap'])\n .optional()\n .describe(\n 'OIDC display preference forwarded to the authorization URL.',\n ),\n prompt: z\n .enum(['none', 'login', 'consent', 'select_account'])\n .optional()\n .describe('OIDC prompt behavior forwarded to the authorization URL.'),\n max_age: z\n .number()\n .optional()\n .describe('Maximum authentication age, in seconds.'),\n ui_locales: z\n .string()\n .optional()\n .describe('Preferred UI locales sent to the identity provider.'),\n id_token_hint: z\n .string()\n .optional()\n .describe('Optional ID token hint sent to the identity provider.'),\n login_hint: z\n .string()\n .optional()\n .describe('Optional login hint sent to the identity provider.'),\n acr_values: z\n .string()\n .optional()\n .describe('Optional authentication context values.'),\n })\n .catchall(AuthorizationParamValueSchema)\n .describe(\n 'Authorization URL parameters. Unknown string, number, and boolean values are preserved for provider-specific options.',\n ),\n baseURL: StringUrlSchema.describe(\n 'Public application origin used to construct default redirect URLs.',\n ),\n clientId: z\n .string()\n .min(1)\n .describe('OIDC client identifier for this Next.js application.'),\n clientSecret: z\n .string()\n .min(1)\n .describe('OIDC client secret used for token endpoint authentication.'),\n issuerBaseURL: StringUrlSchema.describe(\n 'Issuer origin used for OIDC discovery and logout redirects.',\n ),\n secret: z\n .union([z.string().min(32), z.array(z.string().min(32)).min(1)])\n .describe(\n 'Secret or rotated secrets used by iron-session to seal transaction and session cookies.',\n ),\n session: SessionSchema,\n routes: z\n .object({\n login: RelativePathSchema.default('/auth/login').describe(\n 'Route that starts the login transaction.',\n ),\n callback: RelativePathSchema.default('/auth/callback').describe(\n 'Route that completes the authorization code exchange.',\n ),\n logout: RelativePathSchema.default('/auth/logout').describe(\n 'Route that clears the application session.',\n ),\n session: RelativePathSchema.default('/auth/session').describe(\n 'Route that returns the current session as JSON.',\n ),\n accessToken: RelativePathSchema.default('/auth/access-token').describe(\n 'Route that returns or refreshes the current access token.',\n ),\n postLogoutRedirect: RelativePathSchema.default('/').describe(\n 'Application path to redirect to after logout.',\n ),\n })\n .describe('Application routes mounted by the auth client.'),\n transaction: z\n .object({\n name: z\n .string()\n .default('Mondo.Verification')\n .describe(\n 'Cookie name used to store login transaction verification.',\n ),\n cookie: z\n .object({\n domain: z\n .string()\n .optional()\n .describe('Optional domain shared by transaction cookies.'),\n secure: z\n .boolean()\n .optional()\n .describe('Whether transaction cookies require HTTPS.'),\n sameSite: z\n .enum(['lax', 'strict', 'none'])\n .default('lax')\n .describe('SameSite policy used for transaction cookies.'),\n path: RelativePathSchema.optional()\n .default('/')\n .describe('Path scope for transaction cookies.'),\n })\n .describe('Cookie options for temporary login transaction state.'),\n })\n .describe('Short-lived state used to verify authorization callbacks.'),\n })\n .describe('Validated configuration for @go-mondo/nextjs-auth.');\n\nexport default Schema;\n","const FALSEY = ['n', 'no', 'false', '0', 'off'];\n\nexport const bool = (\n param?: any,\n defaultValue?: boolean,\n): boolean \| undefined => {\n if (param === undefined \|\| param === '') return defaultValue;\n if (param && typeof param === 'string')\n return !FALSEY.includes(param.toLowerCase().trim());\n return !!param;\n};\n\nexport const num = (param?: string): number \| undefined =>\n param === undefined \|\| param === '' ? undefined : +param;\n","import { ConfigError } from '../errors/config';\nimport { DEFAULT_ROUTES } from './routes';\nimport schema from './schema';\nimport type {\n Config,\n CookieConfig,\n PartialConfig,\n SessionConfig,\n TransactionConfig,\n} from './types';\nimport { bool, num } from './utils';\n\n/*\n Reads configuration from environment variables and explicit overrides, then\n * validates the merged result with the Zod schema.\n \n ### Required\n \n - `MONDO_SECRET`: See {@link Config.secret}.\n * - `MONDO_ISSUER_BASE_URL`: See {@link Config.issuerBaseURL}.\n * - `APP_BASE_URL`: See {@link Config.baseURL}.\n * - `MONDO_CLIENT_ID`: See {@link Config.clientId}.\n * - `MONDO_CLIENT_SECRET`: See {@link Config.clientSecret}.\n \n ### Optional\n \n - `NEXT_PUBLIC_LOGIN_ROUTE`: See {@link Config.routes}.\n * - `NEXT_PUBLIC_SESSION_ROUTE`: See {@link Config.routes}.\n * - `NEXT_PUBLIC_ACCESS_TOKEN_ROUTE`: See {@link Config.routes}.\n * - `CALLBACK_ROUTE`: See {@link Config.routes}.\n * - `LOGOUT_ROUTE`: See {@link Config.routes}.\n * - `SESSION_ROUTE`: See {@link Config.routes}.\n * - `ACCESS_TOKEN_ROUTE`: See {@link Config.routes}.\n * - `POST_LOGOUT_REDIRECT_ROUTE`: See {@link Config.routes}.\n * - `MONDO_AUDIENCE`: See {@link Config.authorization}.\n * - `MONDO_SCOPE`: See {@link Config.authorization}.\n * - `MONDO_SESSION_NAME`: See {@link SessionConfig.name}.\n * - `MONDO_SESSION_IDLE_DURATION`: See {@link SessionConfig.idleDuration}.\n * - `MONDO_SESSION_ABSOLUTE_DURATION`: See\n * {@link SessionConfig.absoluteDuration}.\n * - `MONDO_SESSION_COOKIE_DOMAIN`: See {@link CookieConfig.domain}.\n * - `MONDO_SESSION_COOKIE_PATH`: See {@link CookieConfig.path}.\n * - `MONDO_SESSION_COOKIE_SECURE`: See {@link CookieConfig.secure}.\n * - `MONDO_SESSION_COOKIE_SAME_SITE`: See {@link CookieConfig.sameSite}.\n \n - `MONDO_TRANSACTION_NAME` See {@link TransactionConfig.name}.\n * - `MONDO_TRANSACTION_COOKIE_DOMAIN` See {@link CookieConfig.domain}.\n * - `MONDO_TRANSACTION_COOKIE_PATH` See {@link CookieConfig.path}.\n * - `MONDO_TRANSACTION_COOKIE_SECURE` See {@link CookieConfig.secure}.\n * - `MONDO_TRANSACTION_COOKIE_SAME_SITE` See {@link CookieConfig.sameSite}.\n \n @param params - Optional explicit configuration overrides.\n * @throws {@link ConfigError} when required values are missing or invalid.\n /\nexport const getConfig = (params: PartialConfig = {}): Config => {\n const MONDO_SECRET = process.env.MONDO_SECRET;\n const MONDO_ISSUER_BASE_URL = process.env.MONDO_ISSUER_BASE_URL;\n const APP_BASE_URL =\n process.env.APP_BASE_URL \|\| process.env.NEXT_PUBLIC_APP_BASE_URL;\n const MONDO_CLIENT_ID = process.env.MONDO_CLIENT_ID;\n const MONDO_CLIENT_SECRET = process.env.MONDO_CLIENT_SECRET;\n const MONDO_AUDIENCE = process.env.MONDO_AUDIENCE;\n const MONDO_SCOPE = process.env.MONDO_SCOPE;\n\n const CALLBACK_ROUTE = process.env.CALLBACK_ROUTE;\n const LOGOUT_ROUTE = process.env.LOGOUT_ROUTE;\n const SESSION_ROUTE = process.env.SESSION_ROUTE;\n const NEXT_PUBLIC_SESSION_ROUTE = process.env.NEXT_PUBLIC_SESSION_ROUTE;\n const ACCESS_TOKEN_ROUTE = process.env.ACCESS_TOKEN_ROUTE;\n const NEXT_PUBLIC_ACCESS_TOKEN_ROUTE =\n process.env.NEXT_PUBLIC_ACCESS_TOKEN_ROUTE;\n const POST_LOGOUT_REDIRECT_ROUTE = process.env.POST_LOGOUT_REDIRECT_ROUTE;\n\n const MONDO_SESSION_NAME = process.env.MONDO_SESSION_NAME;\n const MONDO_SESSION_IDLE_DURATION = process.env.MONDO_SESSION_IDLE_DURATION;\n const MONDO_SESSION_ABSOLUTE_DURATION =\n process.env.MONDO_SESSION_ABSOLUTE_DURATION;\n const MONDO_SESSION_COOKIE_DOMAIN = process.env.MONDO_COOKIE_DOMAIN;\n const MONDO_SESSION_COOKIE_PATH = process.env.MONDO_COOKIE_PATH;\n const MONDO_SESSION_COOKIE_SECURE = process.env.MONDO_COOKIE_SECURE;\n const MONDO_SESSION_COOKIE_SAME_SITE = process.env.MONDO_COOKIE_SAME_SITE;\n\n const MONDO_TRANSACTION_NAME = process.env.MONDO_TRANSACTION_COOKIE_NAME;\n const MONDO_TRANSACTION_COOKIE_DOMAIN =\n process.env.MONDO_TRANSACTION_COOKIE_DOMAIN;\n const MONDO_TRANSACTION_COOKIE_PATH =\n process.env.MONDO_TRANSACTION_COOKIE_PATH;\n const MONDO_TRANSACTION_COOKIE_SAME_SITE =\n process.env.MONDO_TRANSACTION_COOKIE_SAME_SITE;\n const MONDO_TRANSACTION_COOKIE_SECURE =\n process.env.MONDO_TRANSACTION_COOKIE_SECURE;\n\n const baseURL =\n APP_BASE_URL && !/^https?:\\/\\//.test(APP_BASE_URL as string)\n ? `https://${APP_BASE_URL}`\n : APP_BASE_URL;\n\n const result = schema.safeParse({\n secret: MONDO_SECRET,\n issuerBaseURL: MONDO_ISSUER_BASE_URL,\n baseURL: baseURL,\n clientId: MONDO_CLIENT_ID,\n clientSecret: MONDO_CLIENT_SECRET,\n ...params,\n authorization: {\n response_type: 'code',\n audience: MONDO_AUDIENCE,\n scope: MONDO_SCOPE,\n ...params.authorization,\n },\n session: {\n name: MONDO_SESSION_NAME,\n idleDuration: duration(MONDO_SESSION_IDLE_DURATION),\n absoluteDuration: duration(MONDO_SESSION_ABSOLUTE_DURATION),\n ...params.session,\n cookie: {\n domain: MONDO_SESSION_COOKIE_DOMAIN,\n path: MONDO_SESSION_COOKIE_PATH \|\| '/',\n secure: bool(MONDO_SESSION_COOKIE_SECURE),\n sameSite: MONDO_SESSION_COOKIE_SAME_SITE as\n \| 'lax'\n \| 'strict'\n \| 'none'\n \| undefined,\n ...params.session?.cookie,\n },\n },\n routes: {\n callback:\n params.routes?.callback \|\| CALLBACK_ROUTE \|\| DEFAULT_ROUTES.callback,\n login:\n params.routes?.login \|\|\n process.env.NEXT_PUBLIC_LOGIN_ROUTE \|\|\n DEFAULT_ROUTES.login,\n logout: params.routes?.logout \|\| LOGOUT_ROUTE \|\| DEFAULT_ROUTES.logout,\n session:\n params.routes?.session \|\|\n SESSION_ROUTE \|\|\n NEXT_PUBLIC_SESSION_ROUTE \|\|\n DEFAULT_ROUTES.session,\n accessToken:\n params.routes?.accessToken \|\|\n ACCESS_TOKEN_ROUTE \|\|\n NEXT_PUBLIC_ACCESS_TOKEN_ROUTE \|\|\n DEFAULT_ROUTES.accessToken,\n postLogoutRedirect:\n params.routes?.postLogoutRedirect \|\|\n POST_LOGOUT_REDIRECT_ROUTE \|\|\n DEFAULT_ROUTES.postLogoutRedirect,\n },\n transaction: {\n name: MONDO_TRANSACTION_NAME,\n ...params.transaction,\n cookie: {\n domain: MONDO_TRANSACTION_COOKIE_DOMAIN,\n path: MONDO_TRANSACTION_COOKIE_PATH \|\| '/',\n secure: bool(MONDO_TRANSACTION_COOKIE_SECURE),\n sameSite: MONDO_TRANSACTION_COOKIE_SAME_SITE as\n \| 'lax'\n \| 'strict'\n \| 'none'\n \| undefined,\n ...params.transaction?.cookie,\n },\n },\n });\n\n if (!result.success) {\n throw new ConfigError(result.error.issues);\n }\n\n return result.data;\n};\n\nfunction duration(value: string \| undefined): number \| false \| undefined {\n if (!value) {\n return undefined;\n }\n\n return Number.isNaN(Number(value)) ? (bool(value) as false) : num(value);\n}\n","import { getConfig } from '../config/config';\nimport type { Config, PartialConfig } from '../config/types';\n\n/\n Runtime state shared by route handlers and server helpers.\n /\nexport type MondoInstance = {\n /* Validated auth configuration for this client instance. /\n config: Config;\n};\n\n/\n Validates configuration and creates the runtime auth instance.\n \n @param params - Optional explicit config. Environment variables provide the\n * remaining values.\n /\nexport const initInstance = (params?: PartialConfig): MondoInstance => {\n const config = getConfig(params);\n return {\n config,\n };\n};\n","import { AuthError } from './auth';\n\n/\n Error shape used by lower-level HTTP libraries.\n /\ninterface HttpError extends Error {\n status: number;\n statusCode: number;\n}\n\n/\n Supported causes for route-handler errors.\n /\nexport type HandlerErrorCause = Error \| AuthError \| HttpError;\n\ntype HandlerErrorOptions = {\n code: string;\n message: string;\n name: string;\n cause: HandlerErrorCause;\n};\n\n/\n Base class for errors thrown by route handlers.\n /\nclass HandlerError extends AuthError {\n constructor(options: HandlerErrorOptions) {\n let status: number \| undefined;\n if ('status' in options.cause) status = options.cause.status;\n / c8 ignore next /\n super({ ...options, status });\n }\n}\n\n/\n Error thrown when callback handling fails.\n /\nexport class CallbackHandlerError extends HandlerError {\n public static readonly code: string = 'ERR_CALLBACK_HANDLER_FAILURE';\n\n constructor(cause: HandlerErrorCause) {\n super({\n code: CallbackHandlerError.code,\n message: 'Callback handler failed.',\n name: 'CallbackHandlerError',\n cause,\n }); / c8 ignore next /\n Object.setPrototypeOf(this, CallbackHandlerError.prototype);\n }\n}\n\n/\n Error thrown when login handling fails.\n /\nexport class LoginHandlerError extends HandlerError {\n public static readonly code: string = 'ERR_LOGIN_HANDLER_FAILURE';\n\n constructor(cause: HandlerErrorCause) {\n super({\n code: LoginHandlerError.code,\n message: 'Login handler failed.',\n name: 'LoginHandlerError',\n cause,\n }); / c8 ignore next /\n Object.setPrototypeOf(this, LoginHandlerError.prototype);\n }\n}\n\n/\n Error thrown when logout handling fails.\n /\nexport class LogoutHandlerError extends HandlerError {\n public static readonly code: string = 'ERR_LOGOUT_HANDLER_FAILURE';\n\n constructor(cause: HandlerErrorCause) {\n super({\n code: LogoutHandlerError.code,\n message: 'Logout handler failed.',\n name: 'LogoutHandlerError',\n cause,\n }); / c8 ignore next /\n Object.setPrototypeOf(this, LogoutHandlerError.prototype);\n }\n}\n","/\n Error used when the callback response is missing a `state` parameter.\n /\nexport class MissingStateParamError extends Error {\n static message = 'Missing state parameter in Authorization Response.';\n status = 400;\n statusCode = 400;\n\n constructor() {\n / c8 ignore next /\n super(MissingStateParamError.message);\n Object.setPrototypeOf(this, MissingStateParamError.prototype);\n }\n}\n\n/\n Error used when transaction state exists but cannot be parsed.\n /\nexport class MalformedStateCookieError extends Error {\n static message = 'Your state cookie is not valid JSON.';\n status = 400;\n statusCode = 400;\n\n constructor() {\n / c8 ignore next /\n super(MalformedStateCookieError.message);\n Object.setPrototypeOf(this, MalformedStateCookieError.prototype);\n }\n}\n\n/\n Error used when the callback cannot find the login transaction cookie.\n /\nexport class MissingStateCookieError extends Error {\n static message =\n 'Missing state cookie from login request (check login URL, callback URL and cookie config).';\n status = 400;\n statusCode = 400;\n\n constructor() {\n / c8 ignore next /\n super(MissingStateCookieError.message);\n Object.setPrototypeOf(this, MissingStateCookieError.prototype);\n }\n}\n","import type { SerializeOptions } from 'cookie';\nimport { getIronSession, type IronSession } from 'iron-session';\nimport type { Config } from '../config/types';\nimport { getSecrets, type Secrets } from '../crypto/secrets';\nimport type { CookieStore } from '../http/cookies';\nimport type { AuthorizationCodeParams } from '../oauth/types';\n\nexport type AuthVerification = Pick<\n AuthorizationCodeParams,\n 'nonce' \| 'state' \| 'max_age'\n> & {\n /* PKCE verifier used during callback token exchange. /\n code_verifier: string;\n\n /* Application URL to redirect to after the callback succeeds. /\n return_to?: string;\n};\n\n/\n Creates the transaction store used during login and callback.\n \n @param config - Validated auth configuration.\n * @param cookieStore - Cookie store bound to the login or callback request.\n /\nexport function transactionStoreFactory(\n config: Config,\n cookieStore: CookieStore,\n): TransactionStore {\n return new TransactionStore(\n getSecrets(config),\n cookieStore,\n config.transaction.name,\n {\n ...config.transaction.cookie,\n httpOnly: true,\n },\n );\n}\n\n/\n Short-lived store for PKCE, nonce, state, and `returnTo` verification data.\n \n The transaction is saved before redirecting to the identity provider and is\n * destroyed as soon as the callback reads it.\n /\nexport class TransactionStore {\n constructor(\n private readonly secrets: Secrets,\n private readonly cookieStore: CookieStore,\n private readonly cookieName: string,\n private readonly cookieOptions: SerializeOptions,\n ) {}\n\n /\n Saves transaction verification data in a sealed cookie.\n /\n async save(value: AuthVerification): Promise<void> {\n const cookie = await this.getCookie();\n\n cookie.code_verifier = value.code_verifier;\n cookie.nonce = value.nonce;\n cookie.state = value.state;\n cookie.max_age = value.max_age;\n cookie.return_to = value.return_to;\n\n return await cookie.save();\n }\n\n private async getCookie(): Promise<IronSession<AuthVerification>> {\n const ironSession = await getIronSession<AuthVerification>(\n this.cookieStore,\n {\n cookieName: this.cookieName,\n password: this.secrets,\n cookieOptions: this.cookieOptions,\n },\n );\n\n return ironSession;\n }\n\n /\n Reads and destroys the transaction cookie.\n \n @returns Verification data, or `undefined` when the cookie is missing or\n * malformed.\n /\n async read(): Promise<AuthVerification \| undefined> {\n const cookie = await this.getCookie();\n\n if (!cookie.code_verifier \|\| !cookie.nonce \|\| !cookie.state) {\n cookie.destroy();\n return undefined;\n }\n\n const result: AuthVerification = {\n code_verifier: cookie.code_verifier,\n nonce: cookie.nonce,\n state: cookie.state,\n max_age: cookie.max_age,\n return_to: cookie.return_to,\n };\n\n cookie.destroy();\n\n return result;\n }\n}\n","import { NextResponse } from 'next/server.js';\nimport type as oidc from 'openid-client';\nimport { cookieFactory } from '../http/cookies';\nimport {\n CallbackHandlerError,\n type HandlerErrorCause,\n} from '../errors/handlers';\nimport { MissingStateCookieError } from '../errors/state';\nimport type { MondoInstance } from '../core/instance';\nimport { fromTokenEndpointResponse } from '../session/model';\nimport { sessionStoreFactory } from '../session/stores/stateless-store';\nimport type { SessionStoreInterface } from '../session/stores/types';\nimport type { Claims } from '../session/types';\nimport {\n type TransactionStore,\n transactionStoreFactory,\n} from '../transactions/store';\nimport { discoverOIDC } from '../oauth/oidc';\n\nexport interface CallbackOptions {\n /*\n Additional parameters sent to the token endpoint during code exchange.\n /\n tokenParameters?: URLSearchParams \| Record<string, string>;\n}\n\n/\n Builds a route handler for the configured callback route.\n /\nexport type CallbackHandler = (\n options?: CallbackOptions,\n) => (req: Request) => Promise<Response>;\n\n/\n Creates a callback handler bound to one auth client instance.\n \n The returned handler verifies PKCE, state, and nonce, exchanges the code for\n * tokens, stores the sealed session cookies, and redirects back to `returnTo`.\n \n @param instance - Validated auth client instance.\n /\nexport const callbackHandlerFactory =\n <UserClaims extends Claims>(instance: MondoInstance) =>\n (options?: CallbackOptions) =>\n async (req: Request): Promise<Response> => {\n try {\n const cookieStore = await cookieFactory();\n\n return await handler<UserClaims>(\n instance,\n new URL(req.url),\n transactionStoreFactory(instance.config, cookieStore),\n sessionStoreFactory<UserClaims>(instance.config),\n options,\n );\n } catch (e) {\n throw new CallbackHandlerError(e as HandlerErrorCause);\n }\n };\n\nasync function handler<UserClaims extends Claims>(\n { config }: MondoInstance,\n requestUrl: URL,\n transactionStore: TransactionStore,\n sessionStore: SessionStoreInterface<UserClaims>,\n options?: CallbackOptions,\n): Promise<Response> {\n const oidc = await import('openid-client');\n const authVerification = await transactionStore.read();\n if (!authVerification) {\n throw new MissingStateCookieError();\n }\n\n const clientConfig = await discoverOIDC(config);\n\n const tokens: oidc.TokenEndpointResponse = await oidc.authorizationCodeGrant(\n clientConfig,\n requestUrl,\n {\n pkceCodeVerifier: authVerification.code_verifier,\n expectedState: authVerification.state,\n expectedNonce: authVerification.nonce,\n idTokenExpected: true,\n maxAge: authVerification.max_age,\n },\n options?.tokenParameters,\n );\n\n const session = await fromTokenEndpointResponse<UserClaims>(tokens);\n if (session) {\n await sessionStore.set(session);\n }\n\n return NextResponse.redirect(authVerification.return_to \|\| config.baseURL);\n}\n","/\n Minimal token endpoint response shape used by the session model.\n /\nexport interface TokenEndpointResponse {\n access_token?: string;\n token_type?: string;\n id_token?: string;\n refresh_token?: string;\n scope?: string;\n expires_in?: number;\n [key: string]: unknown;\n}\n\n/\n PKCE challenge method supported by this SDK.\n /\nexport const CodeChallengeMethod = {\n S256: 'S256',\n} as const;\n\ntype PKCEParams = {\n code_challenge_method: typeof CodeChallengeMethod.S256;\n code_challenge: string;\n};\n\ntype AuthorizationCodeOptionalParams = {\n audience?: string;\n};\n\n/\n Authorization URL parameters assembled for the login redirect.\n \n Runtime-generated fields such as `state`, `nonce`, and PKCE values are added\n * by the login route handler rather than accepted from user config.\n /\nexport type AuthorizationCodeParams = {\n response_type: 'code';\n scope: string;\n redirect_uri: string;\n state: string;\n nonce: string;\n response_mode?: 'query' \| 'form_post';\n display?: 'page' \| 'popup' \| 'touch' \| 'wap';\n prompt?: 'none' \| 'login' \| 'consent' \| 'select_account';\n max_age?: number;\n ui_locales?: string;\n id_token_hint?: string;\n login_hint?: string;\n acr_values?: string;\n} & AuthorizationCodeOptionalParams &\n PKCEParams;\n\ntype BaseConfigurableAuthorizationParams = Omit<\n AuthorizationCodeParams,\n 'client_id' \| 'state' \| 'nonce' \| 'code_challenge_method' \| 'code_challenge'\n>;\n\n/\n Per-request authorization parameter overrides accepted by `handleLogin`.\n /\nexport type OverrideAuthorizationParams =\n Partial<BaseConfigurableAuthorizationParams>;\n","import type { Config } from '../config/types';\n\n/\n Returns a same-origin redirect target or `undefined`.\n \n @param dangerousRedirect - Untrusted path or URL from a request.\n * @param safeBaseUrl - Origin that redirects must stay within.\n /\nexport function toSafeRedirect(\n dangerousRedirect: string,\n safeBaseUrl: URL,\n): string \| undefined {\n let url: URL;\n try {\n url = new URL(dangerousRedirect, safeBaseUrl);\n } catch (_e) {\n return undefined;\n }\n if (url.origin === safeBaseUrl.origin) {\n return url.toString();\n }\n return undefined;\n}\n\n/\n Builds the redirect URI sent to the identity provider.\n \n @param config - Validated auth configuration.\n * @param origin - Optional request origin used for preview deployments and\n * multi-host apps.\n /\nexport function getAuthorizationRedirectURL(\n config: Config,\n origin?: string,\n): URL {\n return pathOrURLToURL(config, config.routes.callback, origin);\n}\n\n/\n Converts either an absolute URL or application path into a URL object.\n \n Relative paths resolve against the request origin when provided, otherwise\n * against the configured base URL.\n /\nexport function pathOrURLToURL(\n config: Config,\n pathOrUrl: string \| URL,\n origin?: string,\n): URL {\n if (pathOrUrl instanceof URL) {\n return pathOrUrl;\n }\n\n try {\n return new URL(pathOrUrl);\n } catch (_) {\n return new URL(joinURL(origin \|\| config.baseURL, pathOrUrl));\n }\n}\n\nfunction joinURL(base: string, path: string): string {\n return `${base.replace(/\\/+$/, '')}/${path.replace(/^\\/+/, '')}`;\n}\n","import { NextResponse } from 'next/server.js';\nimport type { Config } from '../config/types';\nimport { cookieFactory } from '../http/cookies';\nimport { type HandlerErrorCause, LoginHandlerError } from '../errors/handlers';\nimport type { MondoInstance } from '../core/instance';\nimport {\n type AuthVerification,\n type TransactionStore,\n transactionStoreFactory,\n} from '../transactions/store';\nimport {\n type AuthorizationCodeParams,\n CodeChallengeMethod,\n type OverrideAuthorizationParams,\n} from '../oauth/types';\nimport { discoverOIDC } from '../oauth/oidc';\nimport { getAuthorizationRedirectURL, toSafeRedirect } from '../http/url';\n\ntype AuthorizationParams = OverrideAuthorizationParams;\n\nexport interface LoginOptions {\n /\n Override the default authorization parameters for this login request.\n /\n authorization?: Partial<AuthorizationParams>;\n\n /\n URL to return to after login. Overrides the default in {@link BaseConfig.baseURL}.\n /\n returnTo?: string;\n}\n\n/\n Builds a route handler for the configured login route.\n /\nexport type LoginHandler = (\n options?: LoginOptions,\n) => (req: Request) => Promise<Response>;\n\n/\n Creates a login handler bound to one auth client instance.\n \n The returned handler creates PKCE verification state, stores it in the\n * transaction cookie, and redirects the user to the provider authorization URL.\n \n @param instance - Validated auth client instance.\n /\nexport const loginHandlerFactory =\n (instance: MondoInstance) =>\n (options?: LoginOptions) =>\n async (req: Request): Promise<Response> => {\n try {\n const url = new URL(req.url);\n\n return await handler(\n instance,\n transactionStoreFactory(instance.config, await cookieFactory()),\n buildOptions(\n instance.config,\n options,\n url.searchParams.get('returnTo'),\n url.origin,\n ),\n url.origin,\n );\n } catch (e) {\n throw new LoginHandlerError(e as HandlerErrorCause);\n }\n };\n\nasync function handler(\n { config }: MondoInstance,\n transactionStore: TransactionStore,\n options?: LoginOptions,\n requestOrigin?: string,\n): Promise<Response> {\n const oidc = await import('openid-client');\n\n const returnTo = options?.returnTo \|\| config.baseURL;\n\n const authVerification: AuthVerification = {\n nonce: oidc.randomNonce(),\n state: oidc.randomState(),\n code_verifier: oidc.randomPKCECodeVerifier(),\n return_to: returnTo,\n };\n\n const parameters: AuthorizationCodeParams = {\n redirect_uri: getAuthorizationRedirectURL(config, requestOrigin).toString(),\n ...config.authorization,\n ...(options?.authorization \|\| {}),\n nonce: authVerification.nonce,\n state: authVerification.state,\n code_challenge_method: CodeChallengeMethod.S256,\n code_challenge: await oidc.calculatePKCECodeChallenge(\n authVerification.code_verifier,\n ),\n };\n\n if (parameters.max_age) {\n authVerification.max_age = parameters.max_age;\n }\n\n await transactionStore.save(authVerification);\n\n const clientConfig = await discoverOIDC(config);\n\n const authorizationUrl = oidc.buildAuthorizationUrl(\n clientConfig,\n toAuthorizationUrlParameters(parameters),\n );\n\n return NextResponse.redirect(authorizationUrl);\n}\n\nfunction toAuthorizationUrlParameters(\n parameters: AuthorizationCodeParams,\n): Record<string, string> {\n const authorizationUrlParameters: Record<string, string> = {};\n\n for (const [key, value] of Object.entries(parameters)) {\n if (value !== undefined) {\n authorizationUrlParameters[key] = String(value);\n }\n }\n\n return authorizationUrlParameters;\n}\n\n/\n Merges static login options with a request `returnTo` value.\n \n The query string value is treated as untrusted input and must resolve to the\n * same origin as the application or current request.\n /\nconst buildOptions = (\n config: Config,\n opts?: LoginOptions,\n dangerousReturnTo?: string \| undefined \| null,\n requestOrigin?: string,\n): LoginOptions => {\n const options = opts \|\| {};\n\n if (dangerousReturnTo) {\n const safeBaseUrl = new URL(\n options?.authorization?.redirect_uri \|\| requestOrigin \|\| config.baseURL,\n );\n options.returnTo = toSafeRedirect(dangerousReturnTo, safeBaseUrl);\n }\n\n return options;\n};\n","import { NextResponse } from 'next/server.js';\nimport type { Config } from '../config/types';\nimport { type HandlerErrorCause, LogoutHandlerError } from '../errors/handlers';\nimport type { MondoInstance } from '../core/instance';\nimport { sessionStoreFactory } from '../session/stores/stateless-store';\nimport type { SessionStoreInterface } from '../session/stores/types';\nimport type { Claims } from '../session/types';\nimport { pathOrURLToURL, toSafeRedirect } from '../http/url';\n\n/\n Options for clearing the local session and choosing the post-logout redirect.\n /\nexport interface LogoutOptions {\n /\n Application path to return to after logout.\n /\n returnTo?: string;\n\n /\n If set to `true`, the logout will also log out the user from the identity provider.\n * This is useful for Single Sign Out (SSO) scenarios.\n * If set to `false`, the user will only be logged out from the application.\n * Defaults to `false`.\n /\n singleLogOut?: boolean;\n}\n\n/\n Builds a route handler for the configured logout route.\n /\nexport type LogoutHandler = (\n options?: LogoutOptions,\n) => (req: Request) => Promise<Response>;\n\n/\n Creates a logout handler bound to one auth client instance.\n \n The returned handler destroys all session cookies and redirects either to the\n * configured application URL or to the provider logout endpoint for SSO logout.\n \n @param instance - Validated auth client instance.\n /\nexport const logoutHandlerFactory =\n <UserClaims extends Claims>(instance: MondoInstance): LogoutHandler =>\n (options?: LogoutOptions) =>\n async (req: Request): Promise<Response> => {\n try {\n const url = new URL(req.url);\n\n return await handler<UserClaims>(\n instance,\n sessionStoreFactory<UserClaims>(instance.config),\n buildOptions(\n instance.config,\n options,\n url.searchParams.get('returnTo'),\n ),\n );\n } catch (e) {\n throw new LogoutHandlerError(e as HandlerErrorCause);\n }\n };\n\nasync function handler<UserClaims extends Claims>(\n { config }: MondoInstance,\n sessionCache: SessionStoreInterface<UserClaims>,\n options?: LogoutOptions,\n): Promise<Response> {\n let returnURL = pathOrURLToURL(\n config,\n options?.returnTo \|\| config.routes.postLogoutRedirect,\n );\n\n await sessionCache.delete();\n\n if (options?.singleLogOut) {\n returnURL = new URL(\n ['/logout', `redirectTo=${returnURL.toString()}`].join('?'),\n config.issuerBaseURL,\n );\n }\n\n return NextResponse.redirect(returnURL);\n}\n\n/\n Merges static logout options with a request `returnTo` value.\n \n The query string value is treated as untrusted input and must resolve to the\n * configured application origin.\n /\nconst buildOptions = (\n config: Config,\n opts?: LogoutOptions,\n dangerousReturnTo?: string \| undefined \| null,\n): LogoutOptions => {\n const options = opts \|\| {};\n\n if (dangerousReturnTo) {\n const safeBaseUrl = new URL(config.baseURL);\n options.returnTo = toSafeRedirect(dangerousReturnTo, safeBaseUrl);\n }\n\n return options;\n};\n","import { NextResponse } from 'next/server.js';\nimport type { MondoInstance } from '../core/instance';\nimport type { Session } from '../session/model';\nimport { sessionStoreFactory } from '../session/stores/stateless-store';\nimport type { SessionStoreInterface } from '../session/stores/types';\nimport type { Claims } from '../session/types';\n\nexport interface SessionOptions<UserClaims extends Claims = Claims> {\n /\n Whether this route should also roll the session expiry forward.\n \n Defaults to `true`.\n /\n touch?: boolean;\n\n /\n Transform the session prior to returning it\n \n @param session - Current session, or `undefined` when missing or expired.\n /\n transform?: (session: Session<UserClaims> \| undefined) => unknown;\n}\n\n/\n Builds a route handler for the configured session route.\n /\nexport type SessionHandler<UserClaims extends Claims = Claims> = (\n options?: SessionOptions<UserClaims>,\n) => (req: Request) => Promise<Response>;\n\n/\n Creates a session handler bound to one auth client instance.\n \n The returned handler reads the sealed session cookies and returns JSON, or a\n * 401 response when the session is missing or expired.\n \n @param instance - Validated auth client instance.\n /\nexport const sessionHandlerFactory =\n <UserClaims extends Claims>(instance: MondoInstance) =>\n (options?: SessionOptions<UserClaims>) =>\n async (_req: Request): Promise<Response> => {\n return await handler<UserClaims>(\n sessionStoreFactory<UserClaims>(instance.config),\n options,\n );\n };\n\nasync function handler<UserClaims extends Claims>(\n sessionStore: SessionStoreInterface<UserClaims>,\n options?: SessionOptions<UserClaims>,\n): Promise<Response> {\n const session = await (options?.touch !== false\n ? sessionStore.touch()\n : sessionStore.get());\n\n const result = options?.transform ? options?.transform(session) : session;\n\n if (!result) {\n return Response.json(\n {\n error: 'SessionNotFound',\n error_description: 'Session does not exist or has expired',\n },\n { status: 401, statusText: 'Unauthorized' },\n );\n }\n\n return NextResponse.json(result);\n}\n","import { NextResponse } from 'next/server.js';\nimport {\n type AccessTokenResult,\n type GetAccessTokenOptions,\n getAccessTokenFactory,\n} from '../oauth/access-token';\nimport { AccessTokenError, AccessTokenErrorCode } from '../errors/access-token';\nimport type { MondoInstance } from '../core/instance';\nimport type { Claims } from '../session/types';\n\nexport interface AccessTokenOptions extends GetAccessTokenOptions {\n /\n Optional projection applied before the route returns JSON.\n /\n transform?: (token: AccessTokenResult) => unknown;\n}\n\ntype AccessTokenRequestOptions = Pick<\n GetAccessTokenOptions,\n 'refresh' \| 'refreshBeforeExpiresIn' \| 'scopes'\n>;\n\n/\n Builds a route handler for the configured access-token route.\n /\nexport type AccessTokenHandler = (\n options?: AccessTokenOptions,\n) => (req: Request) => Promise<Response>;\n\n/\n Creates an access-token handler bound to one auth client instance.\n \n The returned handler exposes the same refresh behavior as\n * `auth.getAccessToken()` and maps stable access-token error codes to HTTP\n * statuses.\n \n POST requests may provide `refresh`, `refreshBeforeExpiresIn`, and `scopes`\n * as JSON body options. Omitted body fields keep the static handler options.\n \n @param instance - Validated auth client instance.\n /\nexport const accessTokenHandlerFactory =\n <UserClaims extends Claims>(instance: MondoInstance): AccessTokenHandler =>\n (options?: AccessTokenOptions) =>\n async (req: Request): Promise<Response> => {\n try {\n const { transform, ...staticOptions } = options ?? {};\n const requestOptions = await getRequestOptions(req);\n const token = await getAccessTokenFactory<UserClaims>(instance)({\n ...staticOptions,\n ...(requestOptions ?? {}),\n });\n return NextResponse.json(transform?.(token) ?? token);\n } catch (error) {\n if (error instanceof AccessTokenError) {\n return NextResponse.json(\n {\n error: error.code,\n error_description: error.message,\n },\n { status: getStatusCode(error.code as AccessTokenErrorCode) },\n );\n }\n\n throw error;\n }\n };\n\nasync function getRequestOptions(\n req: Request,\n): Promise<AccessTokenRequestOptions \| undefined> {\n if (req.method !== 'POST') {\n return undefined;\n }\n\n const body = await readJsonBody(req);\n if (!isRecord(body)) {\n return undefined;\n }\n\n const options: AccessTokenRequestOptions = {};\n const scopes = getScopes(body.scopes);\n\n if (typeof body.refresh === 'boolean') {\n options.refresh = body.refresh;\n }\n\n if (typeof body.refreshBeforeExpiresIn === 'number') {\n options.refreshBeforeExpiresIn = body.refreshBeforeExpiresIn;\n }\n\n if (scopes) {\n options.scopes = scopes;\n }\n\n return options;\n}\n\nasync function readJsonBody(req: Request): Promise<unknown> {\n try {\n return await req.json();\n } catch {\n return undefined;\n }\n}\n\nfunction getScopes(value: unknown): string \| Array<string> \| undefined {\n if (typeof value === 'string') {\n return value;\n }\n\n if (\n Array.isArray(value) &&\n value.every((scope) => typeof scope === 'string')\n ) {\n return value;\n }\n\n return undefined;\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return Boolean(value && typeof value === 'object');\n}\n\nfunction getStatusCode(code: AccessTokenErrorCode): number {\n switch (code) {\n case AccessTokenErrorCode.MISSING_SESSION:\n case AccessTokenErrorCode.MISSING_ACCESS_TOKEN:\n case AccessTokenErrorCode.MISSING_REFRESH_TOKEN:\n case AccessTokenErrorCode.EXPIRED_ACCESS_TOKEN:\n return 401;\n case AccessTokenErrorCode.INSUFFICIENT_SCOPE:\n return 403;\n case AccessTokenErrorCode.FAILED_REFRESH_GRANT:\n return 502;\n }\n}\n","import { NextResponse } from 'next/server.js';\nimport {\n type GetAccessTokenOptions,\n getAccessTokenFactory,\n} from './oauth/access-token';\nimport type { PartialConfig } from './config/types';\nimport { initInstance, type MondoInstance } from './core/instance';\nimport {\n type CallbackOptions,\n callbackHandlerFactory,\n} from './routes/callback';\nimport { type LoginOptions, loginHandlerFactory } from './routes/login';\nimport { type LogoutOptions, logoutHandlerFactory } from './routes/logout';\nimport { type SessionOptions, sessionHandlerFactory } from './routes/session';\nimport {\n type AccessTokenOptions,\n accessTokenHandlerFactory,\n} from './routes/access-token';\nimport { sessionStoreFactory } from './session/stores/stateless-store';\nimport type { Claims } from './session/types';\n\n/\n Route-level options used by {@link MondoAuthClient.handleAuth}.\n \n Each property customizes the matching built-in route while keeping the same\n * default route mounting behavior.\n /\nexport type HandleAuthOptions<UserClaims extends Claims = Claims> = {\n /* Options applied to the login route. /\n login?: LoginOptions;\n\n /* Options applied to the callback route. /\n callback?: CallbackOptions;\n\n /* Options applied to the logout route. /\n logout?: LogoutOptions;\n\n /* Options applied to the session JSON route. /\n session?: SessionOptions<UserClaims>;\n\n /* Options applied to the access-token JSON route. /\n accessToken?: AccessTokenOptions;\n};\n\n/\n Options for protecting requests from Next.js `proxy.ts`.\n /\nexport type ProxyOptions = {\n /\n Paths that should pass through without an authenticated session.\n /\n publicPaths?: Array<string \| RegExp>;\n\n /\n A route-specific return URL override for unauthenticated redirects.\n /\n returnTo?: string \| ((request: Request) => string \| Promise<string>);\n};\n\n/\n Modern entry point for applications. Create one instance in `src/lib/auth.ts`,\n * then reuse it from route handlers, server code, and `proxy.ts`.\n \n @typeParam UserClaims - App-specific claims expected on `session.user`.\n /\nexport class MondoAuthClient<UserClaims extends Claims = Claims> {\n private readonly instance: MondoInstance;\n\n /\n Creates a client and validates configuration immediately.\n \n @param config - Optional explicit config. Environment variables provide the\n * remaining values.\n /\n constructor(config?: PartialConfig) {\n this.instance = initInstance(config);\n }\n\n /\n Validated auth configuration used by this client.\n /\n get config() {\n return this.instance.config;\n }\n\n /\n Returns one route handler that serves all configured auth routes.\n \n Mount this from a catch-all route such as\n * `src/app/auth/[...auth]/route.ts`.\n /\n handleAuth(options: HandleAuthOptions<UserClaims> = {}) {\n return async (request: Request): Promise<Response> => {\n const { pathname } = new URL(request.url);\n const { routes } = this.config;\n\n if (pathname === routes.login) {\n return this.handleLogin(options.login)(request);\n }\n\n if (pathname === routes.callback) {\n return this.handleCallback(options.callback)(request);\n }\n\n if (pathname === routes.logout) {\n return this.handleLogout(options.logout)(request);\n }\n\n if (pathname === routes.session) {\n return this.handleSession(options.session)(request);\n }\n\n if (pathname === routes.accessToken) {\n return this.handleAccessToken(options.accessToken)(request);\n }\n\n return NextResponse.json(\n {\n error: 'NotFound',\n error_description: `No Mondo auth route is configured for ${pathname}.`,\n },\n { status: 404 },\n );\n };\n }\n\n /\n Creates a route handler that starts the OIDC login redirect.\n /\n handleLogin(options?: LoginOptions) {\n return loginHandlerFactory(this.instance)(options);\n }\n\n /\n Creates a route handler that completes the OIDC callback.\n /\n handleCallback(options?: CallbackOptions) {\n return callbackHandlerFactory<UserClaims>(this.instance)(options);\n }\n\n /\n Creates a route handler that clears the local session.\n /\n handleLogout(options?: LogoutOptions) {\n return logoutHandlerFactory<UserClaims>(this.instance)(options);\n }\n\n /\n Creates a route handler that returns the current session as JSON.\n /\n handleSession(options?: SessionOptions<UserClaims>) {\n return sessionHandlerFactory<UserClaims>(this.instance)(options);\n }\n\n /\n Creates a route handler that returns or refreshes the current access token.\n /\n handleAccessToken(options?: AccessTokenOptions) {\n return accessTokenHandlerFactory<UserClaims>(this.instance)(options);\n }\n\n /\n Reads the current sealed-cookie session in server code.\n /\n getSession = async () => {\n return sessionStoreFactory<UserClaims>(this.config).get();\n };\n\n /\n Returns the current access token, refreshing with the stored refresh token\n * when the token is expired or missing required scopes.\n /\n getAccessToken = (options?: GetAccessTokenOptions) => {\n return getAccessTokenFactory<UserClaims>(this.instance)(options);\n };\n\n /\n Drop this into `proxy.ts` to protect matched routes and keep idle sessions\n * fresh at the request boundary.\n /\n proxy = async (\n request: Request,\n options: ProxyOptions = {},\n ): Promise<Response \| undefined> => {\n const url = new URL(request.url);\n\n if (isAuthRoute(url.pathname, this.config.routes)) {\n return undefined;\n }\n\n if (isPublicPath(url.pathname, options.publicPaths)) {\n return undefined;\n }\n\n const response = NextResponse.next();\n const sessionStore = sessionStoreFactory<UserClaims>(\n this.config,\n request,\n response,\n );\n const session = await sessionStore.get();\n\n if (!session?.user) {\n const returnTo =\n typeof options.returnTo === 'function'\n ? await options.returnTo(request)\n : options.returnTo \|\| `${url.pathname}${url.search}`;\n\n return NextResponse.redirect(\n new URL(\n `${this.config.routes.login}?returnTo=${encodeURIComponent(returnTo)}`,\n url.origin,\n ),\n );\n }\n\n await sessionStore.touch();\n return response;\n };\n}\n\n/\n Creates a configured Mondo auth client.\n \n @typeParam UserClaims - App-specific claims expected on `session.user`.\n * @param config - Optional explicit config. Environment variables provide the\n * remaining values.\n */\nexport function createAuth<UserClaims extends Claims = Claims>(\n config?: PartialConfig,\n) {\n return new MondoAuthClient<UserClaims>(config);\n}\n\ntype AuthRoutes = MondoInstance['config']['routes'];\n\nfunction isAuthRoute(pathname: string, routes: AuthRoutes): boolean {\n return [\n routes.login,\n routes.callback,\n routes.logout,\n routes.session,\n routes.accessToken,\n ].includes(pathname);\n}\n\nfunction isPublicPath(\n pathname: string,\n publicPaths: ProxyOptions['publicPaths'] = [],\n): boolean {\n return publicPaths.some((path) =>\n typeof path === 'string' ? pathname.startsWith(path) : path.test(pathname),\n );\n}\n"]}
1	+ {"version":3,"sources":["../src/errors/auth.ts","../src/errors/access-token.ts","../src/crypto/secrets.ts","../src/http/cookies.ts","../src/session/model.ts","../src/session/assert.ts","../src/session/utils.ts","../src/session/stores/abstract-store.ts","../src/session/stores/stateless-store.ts","../src/oauth/oidc.ts","../src/oauth/access-token.ts","../src/errors/config.ts","../src/config/routes.ts","../src/config/schema.ts","../src/config/utils.ts","../src/config/config.ts","../src/core/instance.ts","../src/errors/handlers.ts","../src/errors/state.ts","../src/transactions/store.ts","../src/routes/callback.ts","../src/oauth/types.ts","../src/http/url.ts","../src/routes/login.ts","../src/routes/logout.ts","../src/routes/session.ts","../src/routes/access-token.ts","../src/client.ts"],"names":["cookies","parse","cookie","serialize","bool","ironSession","getIronSession","oidc","z","NextResponse","handler","buildOptions"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,SAAS,WAAA,CAAY,cAAsB,KAAA,EAAuB;AAChE,EAAA,IAAI,CAAC,OAAO,OAAO,YAAA;AACnB,EAAA,MAAM,SAAA,GAAY,YAAA,CAAa,QAAA,CAAS,GAAG,IAAI,EAAA,GAAK,GAAA;AACpD,EAAA,OAAO,GAAG,YAAY,CAAA,EAAG,SAAS,CAAA,QAAA,EAAW,MAAM,OAAO,CAAA,CAAA;AAC5D;AAgBO,IAAe,SAAA,GAAf,cAAiC,KAAA,CAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAO5B,IAAA;AAAA;AAAA;AAAA;AAAA,EAKA,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,KAAA;AAAA;AAAA;AAAA;AAAA,EAKA,MAAA;AAAA;AAAA;AAAA;AAAA,EAKhB,YAAY,OAAA,EAA2B;AAErC,IAAA,KAAA,CAAM,WAAA,CAAY,OAAA,CAAQ,OAAA,EAAS,OAAA,CAAQ,KAAK,CAAC,CAAA;AACjD,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA;AACpB,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA;AACpB,IAAA,IAAA,CAAK,QAAQ,OAAA,CAAQ,KAAA;AACrB,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AAAA,EACxB;AACF,CAAA;;;AC/BO,IAAM,gBAAA,GAAN,MAAM,iBAAA,SAAyB,SAAA,CAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAM9C,WAAA,CAAY,IAAA,EAA4B,OAAA,EAAiB,KAAA,EAAe;AAEtE,IAAA,KAAA,CAAM,EAAE,IAAA,EAAY,OAAA,EAAkB,IAAA,EAAM,kBAAA,EAAoB,OAAO,CAAA;AAEvE,IAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAC9C,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,iBAAA,CAAiB,SAAS,CAAA;AAAA,EACxD;AACF,CAAA;;;AC5BO,SAAS,WAAW,MAAA,EAAyB;AAClD,EAAA,MAAM,YAAA,GAAe,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,MAAM,IAC5C,MAAA,CAAO,MAAA,GACP,CAAC,MAAA,CAAO,MAAM,CAAA;AAElB,EAAA,MAAM,UAAmB,EAAC;AAC1B,EAAA,YAAA,CAAa,OAAA,CAAQ,CAAC,MAAA,EAAQ,KAAA,KAAU;AACtC,IAAA,OAAA,CAAQ,YAAA,CAAa,MAAA,GAAS,KAAK,CAAA,GAAI,MAAA;AAAA,EACzC,CAAC,CAAA;AAED,EAAA,OAAO,OAAA;AACT;ACKA,eAAsB,aAAA,CACpB,KACA,GAAA,EACsB;AACtB,EAAA,IAAI,GAAA,EAAK;AACP,IAAA,OAAO,IAAI,eAAA,CAAgB,GAAA,EAAK,GAAG,CAAA;AAAA,EACrC;AAEA,EAAA,OAAOA,kBAAA,EAAQ;AACjB;AAKO,IAAM,kBAAN,MAA6C;AAAA,EAClD,WAAA,CACW,KACA,GAAA,EACT;AAFS,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AAAA,EACR;AAAA,EAFQ,GAAA;AAAA,EACA,GAAA;AAAA,EAGX,IAAI,UAAA,EAAiE;AACnE,IAAA,MAAM,KAAA,GAAQC,YAAA,CAAM,IAAA,CAAK,GAAA,CAAI,OAAA,CAAQ,IAAI,QAAQ,CAAA,IAAK,EAAE,CAAA,CAAE,UAAU,CAAA;AAEpE,IAAA,OAAO,UAAU,MAAA,GAAY,MAAA,GAAY,EAAE,IAAA,EAAM,YAAY,KAAA,EAAM;AAAA,EACrE;AAAA,EAIA,GAAA,CACE,aAAA,EACA,KAAA,EACA,MAAA,EACA;AACA,IAAA,IAAI,OAAO,kBAAkB,QAAA,EAAU;AACrC,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,aAAA,EAAe,KAAA,EAAiB,MAAM,CAAA;AAAA,IAC9D;AAEA,IAAA,OAAO,IAAA,CAAK,SAAA;AAAA,MACV,aAAA,CAAc,IAAA;AAAA,MACd,aAAA,CAAc,KAAA;AAAA,MACd;AAAA,KACF;AAAA,EACF;AAAA,EAEQ,SAAA,CACN,IAAA,EACA,KAAA,EACAC,QAAA,EACA;AACA,IAAA,IAAI,CAAC,KAAK,GAAA,EAAK;AACb,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,WAAA,GAAcC,gBAAA,CAAU,IAAA,EAAM,KAAA,EAAOD,QAAM,CAAA;AAEjD,IAAA,IAAA,CAAK,GAAA,CAAI,OAAA,CAAQ,MAAA,CAAO,YAAA,EAAc,WAAW,CAAA;AAAA,EACnD;AACF,CAAA;;;AC7DO,IAAM,UAAN,MAEP;AAAA;AAAA;AAAA;AAAA,EAIE,IAAA;AAAA;AAAA;AAAA;AAAA,EAKA,QAAA;AAAA;AAAA;AAAA;AAAA,EAKA,SAAA;AAAA;AAAA;AAAA;AAAA,EAKA,SAAA;AAAA;AAAA;AAAA;AAAA,EAKA,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,cAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAY,KAAA,EAAsC;AAChD,IAAA,IAAA,CAAK,OAAO,KAAA,CAAM,IAAA;AAClB,IAAA,IAAA,CAAK,WAAW,KAAA,CAAM,QAAA;AACtB,IAAA,IAAA,CAAK,YAAY,KAAA,CAAM,SAAA;AACvB,IAAA,IAAA,CAAK,YAAY,KAAA,CAAM,SAAA;AACvB,IAAA,IAAA,CAAK,iBAAiB,KAAA,CAAM,cAAA;AAC5B,IAAA,IAAA,CAAK,gBAAgB,KAAA,CAAM,aAAA;AAAA,EAC7B;AACF,CAAA;AASO,SAAS,0BACd,qBAAA,EACqB;AACrB,EAAA,MAAM,EAAE,KAAK,GAAA,EAAK,GAAA,EAAK,KAAK,KAAA,EAAO,GAAG,MAAK,GAAI,SAAA;AAAA,IAC7C,qBAAA,CAAsB;AAAA,GACxB;AAEA,EAAA,MAAM;AAAA,IACJ,QAAA;AAAA,IACA,YAAA;AAAA,IACA,KAAA;AAAA,IACA,UAAA;AAAA,IACA,UAAA;AAAA,IACA,aAAA;AAAA,IACA,UAAA;AAAA,IACA,GAAG;AAAA,GACL,GAAI,qBAAA;AAEJ,EAAA,MAAM,gBAAgB,YAAA,GAClB;AAAA,IACE,WAAA,EAAa,YAAA;AAAA,IACb,KAAA;AAAA,IACA,SAAA,EAAW,KAAK,KAAA,CAAM,IAAA,CAAK,KAAI,GAAI,GAAI,CAAA,GAAI,MAAA,CAAO,UAAU,CAAA;AAAA,IAC5D,YAAA,EAAc,aAAA;AAAA,IACd,IAAA,EAAM;AAAA,GACR,GACA,MAAA;AAEJ,EAAA,MAAM,iBAAiB,QAAA,GACnB;AAAA,IACE,OAAA,EAAS;AAAA,GACX,GACA,MAAA;AAEJ,EAAA,OAAO,MAAA,CAAO,MAAA;AAAA,IACZ,IAAI,OAAA,CAAQ;AAAA,MACV,IAAA;AAAA,MACA,QAAA,EAAU,GAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW,GAAA;AAAA,MACX,aAAA;AAAA,MACA;AAAA,KACD,CAAA;AAAA,IACD;AAAA,GACF;AACF;AAEA,SAAS,UAAmB,GAAA,EAAsB;AAChD,EAAA,MAAM,GAAG,OAAO,CAAA,GAAI,GAAA,CAAI,MAAM,GAAG,CAAA;AAEjC,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,IAAI,UAAU,sBAAsB,CAAA;AAAA,EAC5C;AAEA,EAAA,MAAM,UAAA,GAAa,QAAQ,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAC/D,EAAA,MAAM,SAAS,UAAA,CAAW,MAAA;AAAA,IACxB,UAAA,CAAW,MAAA,GAAA,CAAW,CAAA,GAAK,UAAA,CAAW,SAAS,CAAA,IAAM,CAAA;AAAA,IACrD;AAAA,GACF;AAEA,EAAA,MAAM,OAAA,GACJ,OAAO,IAAA,KAAS,UAAA,GACZ,IAAA,CAAK,MAAM,CAAA,GACX,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAA,CAAE,SAAS,QAAQ,CAAA;AAErD,EAAA,MAAM,IAAA,GAAO,kBAAA;AAAA,IACX,KAAA,CAAM,IAAA;AAAA,MACJ,OAAA;AAAA,MACA,CAAC,IAAA,KAAS,CAAA,CAAA,EAAI,IAAA,CAAK,UAAA,CAAW,CAAC,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA;AAAA,KAChE,CAAE,KAAK,EAAE;AAAA,GACX;AAEA,EAAA,OAAO,IAAA,CAAK,MAAM,IAAI,CAAA;AACxB;;;AC5JO,IAAM,aAAA,GAAgB,CAACE,KAAAA,EAAe,GAAA,KAAgB;AAC3D,EAAA,IAAI,CAACA,KAAAA,EAAM;AACT,IAAA,MAAM,IAAI,MAAM,GAAG,CAAA;AAAA,EACrB;AACF,CAAA;;;ACJO,IAAM,KAAA,GAAQ,MAAe,IAAA,CAAK,GAAA,KAAQ,GAAA,GAAQ,CAAA;;;ACYlD,IAAe,uBAAf,MAEP;AAAA,EACE,YAA+B,MAAA,EAAgB;AAAhB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAiB;AAAA,EAAjB,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAW/B,MAAa,GAAA,GAAgD;AAC3D,IAAA,MAAM,EAAE,gBAAA,EAAkB,YAAA,EAAa,GAAI,KAAK,MAAA,CAAO,OAAA;AACvD,IAAA,MAAM,MAAM,KAAA,EAAM;AAElB,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,IAAA,EAAK;AAEhC,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,aAAA;AAAA,UACE,QAAQ,SAAA,GAAY,GAAA;AAAA,UACpB;AAAA,SACF;AAEA,QAAA,IAAI,iBAAiB,KAAA,EAAO;AAC1B,UAAA,aAAA;AAAA,YACE,OAAA,CAAQ,YAAY,YAAA,GAAe,GAAA;AAAA,YACnC;AAAA,WACF;AAAA,QACF;AAEA,QAAA,IAAI,qBAAqB,KAAA,EAAO;AAC9B,UAAA,aAAA;AAAA,YACE,OAAA,CAAQ,WAAW,gBAAA,GAAmB,GAAA;AAAA,YACtC;AAAA,WACF;AAAA,QACF;AAEA,QAAA,OAAO,OAAA;AAAA,MACT;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,OAAA,EAA6C;AACrD,IAAA,OAAA,CAAQ,SAAA,GAAY,YAAA,CAAa,OAAA,CAAQ,SAAA,EAAW,KAAK,MAAA,EAAQ;AAAA,MAC/D,UAAU,OAAA,CAAQ;AAAA,KACnB,CAAA;AACD,IAAA,MAAM,IAAA,CAAK,KAAK,OAAO,CAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,GAAwB;AAC5B,IAAA,MAAM,KAAK,OAAA,EAAQ;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,KAAA,GAAkD;AACtD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,GAAA,EAAI;AAC/B,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA;AAAA,IACF;AAEA,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,YAAA,KAAiB,KAAA,EAAO;AAC9C,MAAA,OAAO,OAAA;AAAA,IACT;AAEA,IAAA,MAAM,YAAY,KAAA,EAAM;AACxB,IAAA,MAAM,SAAA,GAAY,YAAA,CAAa,SAAA,EAAW,IAAA,CAAK,MAAA,EAAQ;AAAA,MACrD,UAAU,OAAA,CAAQ;AAAA,KACnB,CAAA;AAED,IAAA,OAAA,CAAQ,SAAA,GAAY,SAAA;AACpB,IAAA,OAAA,CAAQ,SAAA,GAAY,SAAA;AAEpB,IAAA,MAAM,IAAA,CAAK,IAAI,OAAO,CAAA;AAEtB,IAAA,OAAO,OAAA;AAAA,EACT;AACF,CAAA;AAEA,SAAS,YAAA,CACP,SAAA,EACA,MAAA,EACA,OAAA,EACQ;AACR,EAAA,MAAM,EAAE,gBAAA,EAAkB,YAAA,EAAa,GAAI,MAAA,CAAO,OAAA;AAClD,EAAA,MAAM,aAAuB,EAAC;AAE9B,EAAA,IAAI,iBAAiB,KAAA,EAAO;AAC1B,IAAA,UAAA,CAAW,IAAA,CAAK,YAAY,YAAY,CAAA;AAAA,EAC1C;AAEA,EAAA,IAAI,qBAAqB,KAAA,EAAO;AAC9B,IAAA,UAAA,CAAW,IAAA,CAAK,OAAA,CAAQ,QAAA,GAAW,gBAAgB,CAAA;AAAA,EACrD;AAEA,EAAA,OAAO,IAAA,CAAK,GAAA,CAAI,GAAG,UAAU,CAAA;AAC/B;;;AC9FO,SAAS,mBAAA,CACd,MAAA,EACA,OAAA,EACA,QAAA,EACmC;AACnC,EAAA,OAAO,IAAI,wBAAA,CAAyB,MAAA,EAAQ,OAAA,EAAS,QAAQ,CAAA;AAC/D;AAKO,IAAM,wBAAA,GAAN,cAEG,oBAAA,CAAiC;AAAA,EAKzC,WAAA,CACE,MAAA,EACA,OAAA,GAAkC,MAAA,EAClC,QAAA,GAAoC,MAAA,EACnB,WAAA,GAEyB,MACxC,aAAA,CAAc,OAAA,EAAS,QAAQ,CAAA,EACjC;AACA,IAAA,KAAA,CAAM,MAAM,CAAA;AALK,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AAOjB,IAAA,IAAA,CAAK,UAAA,GAAa,OAAO,OAAA,CAAQ,IAAA;AACjC,IAAA,IAAA,CAAK,aAAA,GAAgB;AAAA,MACnB,GAAG,OAAO,OAAA,CAAQ,MAAA;AAAA,MAClB,QAAA,EAAU;AAAA,KACZ;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,WAAW,MAAM,CAAA;AAAA,EAClC;AAAA,EAdmB,WAAA;AAAA,EARF,OAAA;AAAA,EACA,UAAA;AAAA,EACA,aAAA;AAAA,EAsBjB,MAAM,IAAA,GAAiD;AACrD,IAAA,MAAM,CAAC,OAAA,EAAS,aAAA,EAAe,cAAc,CAAA,GAAI,MAAM,KAAK,aAAA,EAAc;AAE1E,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAI,OAAA,CAAQ;AAAA,MACjB,GAAG,OAAA,CAAQ,IAAA;AAAA,MACX,aAAA,EAAe,cAAc,IAAA,IAAQ,MAAA;AAAA,MACrC,cAAA,EAAgB,eAAe,IAAA,IAAQ;AAAA,KACxC,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,MAAM,CAAC,OAAA,EAAS,aAAA,EAAe,cAAc,CAAA,GAAI,MAAM,KAAK,aAAA,EAAc;AAE1E,IAAA,MAAM;AAAA,MACJ,IAAA;AAAA,MACA,QAAA;AAAA,MACA,SAAA;AAAA,MACA,SAAA;AAAA,MACA,aAAA,EAAe,KAAA;AAAA,MACf,cAAA,EAAgB;AAAA,KAClB,GAAI,OAAA;AAEJ,IAAA,OAAA,CAAQ,IAAA,GAAO,EAAE,IAAA,EAAM,QAAA,EAAU,WAAW,SAAA,EAAU;AACtD,IAAA,cAAA,CAAe,IAAA,GAAO,KAAA;AACtB,IAAA,aAAA,CAAc,IAAA,GAAO,KAAA;AAErB,IAAA,MAAM,QAAQ,GAAA,CAAI;AAAA,MAChB,QAAQ,IAAA,EAAK;AAAA,MACb,cAAc,IAAA,EAAK;AAAA,MACnB,eAAe,IAAA;AAAK,KACrB,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,OAAA,GAAyB;AAC7B,IAAA,MAAM,CAAC,OAAA,EAAS,aAAA,EAAe,cAAc,CAAA,GAAI,MAAM,KAAK,aAAA,EAAc;AAE1E,IAAA,MAAM,QAAQ,GAAA,CAAI;AAAA,MAChB,QAAQ,OAAA,EAAQ;AAAA,MAChB,cAAc,OAAA,EAAQ;AAAA,MACtB,eAAe,OAAA;AAAQ,KACxB,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,aAAA,GAAgB;AAC5B,IAAA,OAAO,MAAM,QAAQ,GAAA,CAAI;AAAA,MACvB,IAAA,CAAK,UAAwC,SAAS,CAAA;AAAA,MACtD,IAAA,CAAK,UAAgC,eAAe,CAAA;AAAA,MACpD,IAAA,CAAK,UAAiC,gBAAgB;AAAA,KACvD,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,UACZ,IAAA,EACyE;AACzE,IAAA,MAAMC,aAAA,GAAc,MAAMC,0BAAA,CAExB,MAAM,KAAK,WAAA,CAAY,IAAA,CAAK,MAAM,CAAA,EAAG;AAAA,MACrC,UAAA,EAAY,CAAA,EAAG,IAAA,CAAK,UAAU,IAAI,IAAI,CAAA,CAAA;AAAA,MACtC,UAAU,IAAA,CAAK,OAAA;AAAA,MACf,eAAe,IAAA,CAAK;AAAA,KACrB,CAAA;AAED,IAAA,OAAOD,aAAA;AAAA,EACT;AACF,CAAA;AC9HA,eAAsB,aACpB,MAAA,EAC6B;AAC7B,EAAA,MAAM,kBAAA,GACJ,OAAO,aAAA,CAAc,QAAA,CAAS,WAAW,CAAA,IACzC,MAAA,CAAO,aAAA,CAAc,QAAA,CAAS,WAAW,CAAA;AAE3C,EAAA,OAAO,MAAWE,eAAA,CAAA,SAAA;AAAA,IAChB,IAAI,GAAA,CAAI,MAAA,CAAO,aAAa,CAAA;AAAA,IAC5B,MAAA,CAAO,QAAA;AAAA,IACP,MAAA,CAAO,YAAA;AAAA,IACP,MAAA;AAAA,IACA,kBAAA,GACI;AAAA,MACE,OAAA,EAAS,CAAMA,eAAA,CAAA,qBAAqB;AAAA,KACtC,GACA;AAAA,GACN;AACF;;;ACuBO,SAAS,sBACd,QAAA,EACgB;AAChB,EAAA,OAAO,OAAO,OAAA,GAAU,EAAC,KAAM;AAC7B,IAAA,MAAM,YAAA,GAAe,mBAAA,CAAgC,QAAA,CAAS,MAAM,CAAA;AACpE,IAAA,MAAM,OAAA,GAAU,MAAM,YAAA,CAAa,GAAA,EAAI;AAEvC,IAAA,IAAI,CAAC,SAAS,IAAA,EAAM;AAClB,MAAA,MAAM,IAAI,gBAAA;AAAA,QAAA,qBAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,gBAAgB,OAAA,CAAQ,aAAA;AAC9B,IAAA,IAAI,CAAC,eAAe,WAAA,EAAa;AAC/B,MAAA,MAAM,IAAI,gBAAA;AAAA,QAAA,0BAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAI,iBAAA,CAAkB,aAAA,EAAe,OAAO,CAAA,EAAG;AAC7C,MAAA,OAAO,oBAAoB,aAAa,CAAA;AAAA,IAC1C;AAEA,IAAA,IAAI,CAAC,cAAc,YAAA,EAAc;AAC/B,MAAA,MAAM,IAAI,gBAAA;AAAA,QACR,SAAA,CAAU,eAAe,OAAO,CAAA,GAAA,0BAAA,8BAAA,wBAAA;AAAA,QAGhC;AAAA,OACF;AAAA,IACF;AAEA,IAAA,OAAO,kBAAA,CAAmB,QAAA,EAAU,OAAA,EAAS,OAAO,CAAA;AAAA,EACtD,CAAA;AACF;AAEA,eAAe,kBAAA,CACb,QAAA,EACA,OAAA,EACA,OAAA,EAC4B;AAC5B,EAAA,MAAMA,KAAAA,GAAO,MAAM,OAAO,eAAe,CAAA;AACzC,EAAA,MAAM,gBAAgB,OAAA,CAAQ,aAAA;AAE9B,EAAA,IAAI,CAAC,eAAe,YAAA,EAAc;AAChC,IAAA,MAAM,IAAI,gBAAA;AAAA,MAAA,2BAAA;AAAA,MAER;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,MAAA,GAAS,qBAAqB,OAAO,CAAA;AAC3C,IAAA,MAAM,MAAA,GAAS,MAAMA,KAAAA,CAAK,iBAAA;AAAA,MACxB,MAAM,YAAA,CAAa,QAAA,CAAS,MAAM,CAAA;AAAA,MAClC,aAAA,CAAc,YAAA;AAAA,MACd;AAAA,KACF;AAEA,IAAA,IAAI,CAAC,OAAO,YAAA,EAAc;AACxB,MAAA,MAAM,IAAI,gBAAA;AAAA,QAAA,0BAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,sBAAA,GAA+C;AAAA,MACnD,aAAa,MAAA,CAAO,YAAA;AAAA,MACpB,SAAA,EACE,OAAM,GACN,MAAA,CAAO,OAAO,UAAA,IAAc,aAAA,CAAc,SAAA,GAAY,KAAA,EAAO,CAAA;AAAA,MAC/D,OACE,MAAA,CAAO,KAAA,IAAS,gBAAgB,OAAA,CAAQ,MAAM,KAAK,aAAA,CAAc,KAAA;AAAA,MACnE,YAAA,EAAc,MAAA,CAAO,aAAA,IAAiB,aAAA,CAAc,YAAA;AAAA,MACpD,IAAA,EAAM,MAAA,CAAO,UAAA,IAAc,aAAA,CAAc;AAAA,KAC3C;AAEA,IAAA,OAAA,CAAQ,aAAA,GAAgB,sBAAA;AACxB,IAAA,MAAM,mBAAA,CAAgC,QAAA,CAAS,MAAM,CAAA,CAAE,IAAI,OAAO,CAAA;AAElE,IAAA,OAAO,oBAAoB,sBAAsB,CAAA;AAAA,EACnD,SAAS,KAAA,EAAO;AACd,IAAA,IAAI,iBAAiB,gBAAA,EAAkB;AACrC,MAAA,MAAM,KAAA;AAAA,IACR;AAEA,IAAA,MAAM,IAAI,gBAAA;AAAA,MAAA,0BAAA;AAAA,MAER,2BAAA;AAAA,MACA,KAAA,YAAiB,QAAQ,KAAA,GAAQ;AAAA,KACnC;AAAA,EACF;AACF;AAEA,SAAS,iBAAA,CACP,eACA,OAAA,EACS;AACT,EAAA,OACE,OAAA,CAAQ,OAAA,KAAY,IAAA,IACpB,CAAC,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA,IACjC,SAAA,CAAU,aAAA,CAAc,KAAA,EAAO,OAAA,CAAQ,MAAM,CAAA;AAEjD;AAEA,SAAS,SAAA,CACP,eACA,OAAA,EACS;AACT,EAAA,MAAM,IAAA,GAAO,QAAQ,sBAAA,IAA0B,EAAA;AAC/C,EAAA,OAAO,aAAA,CAAc,SAAA,IAAa,KAAA,EAAM,GAAI,IAAA;AAC9C;AAEA,SAAS,SAAA,CACP,cACA,cAAA,EACS;AACT,EAAA,MAAM,QAAA,GAAW,gBAAgB,cAAc,CAAA;AAC/C,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,OAAA,GAAU,IAAI,GAAA,CAAA,CAAK,YAAA,IAAgB,EAAA,EAAI,MAAM,KAAK,CAAA,CAAE,MAAA,CAAO,OAAO,CAAC,CAAA;AACzE,EAAA,OAAO,QAAA,CAAS,KAAA,CAAM,KAAK,CAAA,CAAE,KAAA,CAAM,CAAC,KAAA,KAAU,OAAA,CAAQ,GAAA,CAAI,KAAK,CAAC,CAAA;AAClE;AAEA,SAAS,qBACP,OAAA,EAC6B;AAC7B,EAAA,MAAM,KAAA,GAAQ,eAAA,CAAgB,OAAA,CAAQ,MAAM,CAAA;AAC5C,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,MAAM,MAAA,GAAS,IAAI,eAAA,EAAgB;AACnC,EAAA,MAAA,CAAO,GAAA,CAAI,SAAS,KAAK,CAAA;AACzB,EAAA,OAAO,MAAA;AACT;AAEA,SAAS,gBAAgB,MAAA,EAA4C;AACnE,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,MAAM,CAAA,EAAG;AACzB,IAAA,OAAO,MAAA,CAAO,KAAK,GAAG,CAAA;AAAA,EACxB;AAEA,EAAA,OAAO,MAAA;AACT;AAEA,SAAS,oBACP,aAAA,EACmB;AACnB,EAAA,OAAO;AAAA,IACL,aAAa,aAAA,CAAc,WAAA;AAAA,IAC3B,WAAW,aAAA,CAAc,SAAA;AAAA,IACzB,OAAO,aAAA,CAAc,KAAA;AAAA,IACrB,MAAM,aAAA,CAAc;AAAA,GACtB;AACF;;;AChMO,IAAM,WAAA,GAAN,MAAM,YAAA,SAAoB,SAAA,CAAU;AAAA,EACzC,OAAuB,IAAA,GAAO,uBAAA;AAAA;AAAA;AAAA;AAAA,EAKd,MAAA;AAAA;AAAA;AAAA;AAAA,EAKhB,YAAY,MAAA,EAAgC;AAC1C,IAAA,KAAA,CAAM;AAAA,MACJ,MAAM,YAAA,CAAY,IAAA;AAAA,MAClB,OAAA,EAAS,CAAA;AAAA,EAAiD,YAAA;AAAA,QACxD;AAAA,OACD,CAAA,CAAA;AAAA,MACD,IAAA,EAAM;AAAA,KACP,CAAA;AAED,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAEd,IAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAC9C,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,YAAA,CAAY,SAAS,CAAA;AAAA,EACnD;AACF,CAAA;AAEA,SAAS,aAAa,MAAA,EAAwC;AAC5D,EAAA,OAAO,MAAA,CACJ,GAAA,CAAI,CAAC,KAAA,KAAU;AACd,IAAA,MAAM,IAAA,GAAO,KAAA,CAAM,IAAA,EAAM,MAAA,GACrB,KAAA,CAAM,IAAA,CAAK,GAAA,CAAI,iBAAiB,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,GAC1C,QAAA;AACJ,IAAA,OAAO,CAAA,EAAA,EAAK,IAAI,CAAA,EAAA,EAAK,KAAA,CAAM,OAAO,CAAA,CAAA;AAAA,EACpC,CAAC,CAAA,CACA,IAAA,CAAK,IAAI,CAAA;AACd;AAEA,SAAS,kBACP,OAAA,EACQ;AACR,EAAA,OAAO,OAAO,OAAA,KAAY,QAAA,IAAY,OAAA,KAAY,IAAA,IAAQ,KAAA,IAAS,OAAA,GAC/D,MAAA,CAAO,OAAA,CAAQ,GAAG,CAAA,GAClB,MAAA,CAAO,OAAO,CAAA;AACpB;;;AC5DO,IAAM,cAAA,GAAiB;AAAA,EAC5B,KAAA,EAAO,aAAA;AAAA,EACP,QAAA,EAAU,gBAAA;AAAA,EACV,MAAA,EAAQ,cAAA;AAAA,EACR,OAAA,EAAS,eAAA;AAAA,EACT,WAAA,EAAa,oBAAA;AAAA,EACb,kBAAA,EAAoB;AACtB,CAAA;ACTA,IAAM,qBAAqBC,KAAA,CACxB,MAAA,EAAO,CACP,UAAA,CAAW,KAAK,sBAAsB,CAAA,CACtC,MAAA,CAAO,CAAC,UAAU,CAAC,KAAA,CAAM,SAAS,IAAI,CAAA,EAAG,wBAAwB,CAAA,CACjE,QAAA;AAAA,EACC;AACF,CAAA;AAEF,IAAM,kBAAkBA,KAAA,CACrB,MAAA,EAAO,CACP,GAAA,GACA,SAAA,CAAU,CAAC,KAAA,KAAU,KAAA,CAAM,QAAQ,MAAA,EAAQ,EAAE,CAAC,CAAA,CAC9C,SAAS,8DAA8D,CAAA;AAE1E,IAAM,6BAAA,GAAgCA,MAAE,KAAA,CAAM;AAAA,EAC5CA,MAAE,MAAA,EAAO;AAAA,EACTA,MAAE,MAAA,EAAO;AAAA,EACTA,MAAE,OAAA;AACJ,CAAC,CAAA;AAED,IAAM,aAAA,GAAgBA,MACnB,MAAA,CAAO;AAAA,EACN,IAAA,EAAMA,KAAA,CACH,MAAA,EAAO,CACP,QAAA,GACA,OAAA,CAAQ,OAAO,CAAA,CACf,QAAA,CAAS,qDAAqD,CAAA;AAAA,EACjE,cAAcA,KAAA,CACX,KAAA,CAAM,CAACA,KAAA,CAAE,MAAA,GAAS,QAAA,EAAS,EAAGA,MAAE,OAAA,CAAQ,KAAK,CAAC,CAAC,CAAA,CAC/C,QAAQ,EAAA,GAAK,EAAA,GAAK,EAAE,CAAA,CACpB,QAAA;AAAA,IACC;AAAA,GACF;AAAA,EACF,kBAAkBA,KAAA,CACf,KAAA,CAAM,CAACA,KAAA,CAAE,QAAO,CAAE,QAAA,EAAS,EAAGA,KAAA,CAAE,QAAQ,KAAK,CAAC,CAAC,CAAA,CAC/C,OAAA,CAAQ,KAAK,CAAA,CACb,QAAA;AAAA,IACC;AAAA,GACF;AAAA,EACF,MAAA,EAAQA,MACL,MAAA,CAAO;AAAA,IACN,QAAQA,KAAA,CACL,MAAA,GACA,QAAA,EAAS,CACT,SAAS,4CAA4C,CAAA;AAAA,IACxD,IAAA,EAAM,mBAAmB,QAAA,EAAS,CAC/B,QAAQ,GAAG,CAAA,CACX,SAAS,iCAAiC,CAAA;AAAA,IAC7C,QAAA,EAAUA,KAAA,CACP,OAAA,EAAQ,CACR,QAAA,GACA,OAAA,CAAQ,IAAI,CAAA,CACZ,QAAA,CAAS,wDAAwD,CAAA;AAAA,IACpE,QAAA,EAAUA,KAAA,CACP,IAAA,CAAK,CAAC,OAAO,QAAA,EAAU,MAAM,CAAC,CAAA,CAC9B,UAAS,CACT,OAAA,CAAQ,KAAK,CAAA,CACb,SAAS,2CAA2C,CAAA;AAAA,IACvD,MAAA,EAAQA,MACL,OAAA,EAAQ,CACR,QAAQ,IAAI,CAAA,CACZ,SAAS,wCAAwC;AAAA,GACrD,CAAA,CACA,QAAA,CAAS,2DAA2D;AACzE,CAAC,CAAA,CACA,MAAA;AAAA,EACC,CAAC,OAAA,KACC,OAAA,CAAQ,YAAA,KAAiB,KAAA,IAAS,QAAQ,gBAAA,KAAqB,KAAA;AAAA,EACjE;AACF,CAAA,CACC,SAAS,sDAAsD,CAAA;AAElE,IAAM,MAAA,GAASA,MACZ,MAAA,CAAO;AAAA,EACN,aAAA,EAAeA,MACZ,MAAA,CAAO;AAAA,IACN,aAAA,EAAeA,MACZ,IAAA,CAAK,CAAC,MAAM,CAAC,CAAA,CACb,OAAA,CAAQ,MAAM,CAAA,CACd,QAAA;AAAA,MACC;AAAA,KACF;AAAA,IACF,KAAA,EAAOA,MACJ,MAAA,EAAO,CACP,QAAQ,sBAAsB,CAAA,CAC9B,SAAS,wCAAwC,CAAA;AAAA,IACpD,aAAA,EAAeA,KAAA,CACZ,IAAA,CAAK,CAAC,OAAA,EAAS,WAAW,CAAC,CAAA,CAC3B,OAAA,CAAQ,OAAO,CAAA,CACf,QAAA;AAAA,MACC;AAAA,KACF;AAAA,IACF,UAAUA,KAAA,CACP,MAAA,GACA,QAAA,EAAS,CACT,SAAS,kDAAkD,CAAA;AAAA,IAC9D,OAAA,EAASA,KAAA,CACN,IAAA,CAAK,CAAC,MAAA,EAAQ,OAAA,EAAS,OAAA,EAAS,KAAK,CAAC,CAAA,CACtC,QAAA,EAAS,CACT,QAAA;AAAA,MACC;AAAA,KACF;AAAA,IACF,MAAA,EAAQA,KAAA,CACL,IAAA,CAAK,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAA,EAAW,gBAAgB,CAAC,CAAA,CACnD,QAAA,EAAS,CACT,SAAS,0DAA0D,CAAA;AAAA,IACtE,SAASA,KAAA,CACN,MAAA,GACA,QAAA,EAAS,CACT,SAAS,yCAAyC,CAAA;AAAA,IACrD,YAAYA,KAAA,CACT,MAAA,GACA,QAAA,EAAS,CACT,SAAS,qDAAqD,CAAA;AAAA,IACjE,eAAeA,KAAA,CACZ,MAAA,GACA,QAAA,EAAS,CACT,SAAS,uDAAuD,CAAA;AAAA,IACnE,YAAYA,KAAA,CACT,MAAA,GACA,QAAA,EAAS,CACT,SAAS,oDAAoD,CAAA;AAAA,IAChE,YAAYA,KAAA,CACT,MAAA,GACA,QAAA,EAAS,CACT,SAAS,yCAAyC;AAAA,GACtD,CAAA,CACA,QAAA,CAAS,6BAA6B,CAAA,CACtC,QAAA;AAAA,IACC;AAAA,GACF;AAAA,EACF,SAAS,eAAA,CAAgB,QAAA;AAAA,IACvB;AAAA,GACF;AAAA,EACA,QAAA,EAAUA,MACP,MAAA,EAAO,CACP,IAAI,CAAC,CAAA,CACL,SAAS,sDAAsD,CAAA;AAAA,EAClE,YAAA,EAAcA,MACX,MAAA,EAAO,CACP,IAAI,CAAC,CAAA,CACL,SAAS,4DAA4D,CAAA;AAAA,EACxE,eAAe,eAAA,CAAgB,QAAA;AAAA,IAC7B;AAAA,GACF;AAAA,EACA,MAAA,EAAQA,MACL,KAAA,CAAM,CAACA,MAAE,MAAA,EAAO,CAAE,GAAA,CAAI,EAAE,CAAA,EAAGA,KAAA,CAAE,MAAMA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA,CAAI,EAAE,CAAC,EAAE,GAAA,CAAI,CAAC,CAAC,CAAC,CAAA,CAC9D,QAAA;AAAA,IACC;AAAA,GACF;AAAA,EACF,OAAA,EAAS,aAAA;AAAA,EACT,MAAA,EAAQA,MACL,MAAA,CAAO;AAAA,IACN,KAAA,EAAO,kBAAA,CAAmB,OAAA,CAAQ,aAAa,CAAA,CAAE,QAAA;AAAA,MAC/C;AAAA,KACF;AAAA,IACA,QAAA,EAAU,kBAAA,CAAmB,OAAA,CAAQ,gBAAgB,CAAA,CAAE,QAAA;AAAA,MACrD;AAAA,KACF;AAAA,IACA,MAAA,EAAQ,kBAAA,CAAmB,OAAA,CAAQ,cAAc,CAAA,CAAE,QAAA;AAAA,MACjD;AAAA,KACF;AAAA,IACA,OAAA,EAAS,kBAAA,CAAmB,OAAA,CAAQ,eAAe,CAAA,CAAE,QAAA;AAAA,MACnD;AAAA,KACF;AAAA,IACA,WAAA,EAAa,kBAAA,CAAmB,OAAA,CAAQ,oBAAoB,CAAA,CAAE,QAAA;AAAA,MAC5D;AAAA,KACF;AAAA,IACA,kBAAA,EAAoB,kBAAA,CAAmB,OAAA,CAAQ,GAAG,CAAA,CAAE,QAAA;AAAA,MAClD;AAAA;AACF,GACD,CAAA,CACA,QAAA,CAAS,gDAAgD,CAAA;AAAA,EAC5D,WAAA,EAAaA,MACV,MAAA,CAAO;AAAA,IACN,MAAMA,KAAA,CACH,MAAA,EAAO,CACP,OAAA,CAAQ,oBAAoB,CAAA,CAC5B,QAAA;AAAA,MACC;AAAA,KACF;AAAA,IACF,MAAA,EAAQA,MACL,MAAA,CAAO;AAAA,MACN,QAAQA,KAAA,CACL,MAAA,GACA,QAAA,EAAS,CACT,SAAS,gDAAgD,CAAA;AAAA,MAC5D,QAAQA,KAAA,CACL,OAAA,GACA,QAAA,EAAS,CACT,SAAS,4CAA4C,CAAA;AAAA,MACxD,QAAA,EAAUA,KAAA,CACP,IAAA,CAAK,CAAC,KAAA,EAAO,QAAA,EAAU,MAAM,CAAC,CAAA,CAC9B,OAAA,CAAQ,KAAK,CAAA,CACb,SAAS,+CAA+C,CAAA;AAAA,MAC3D,IAAA,EAAM,mBAAmB,QAAA,EAAS,CAC/B,QAAQ,GAAG,CAAA,CACX,SAAS,qCAAqC;AAAA,KAClD,CAAA,CACA,QAAA,CAAS,uDAAuD;AAAA,GACpE,CAAA,CACA,QAAA,CAAS,2DAA2D;AACzE,CAAC,CAAA,CACA,SAAS,oDAAoD,CAAA;AAEhE,IAAO,cAAA,GAAQ,MAAA;;;AC/Mf,IAAM,SAAS,CAAC,GAAA,EAAK,IAAA,EAAM,OAAA,EAAS,KAAK,KAAK,CAAA;AAEvC,IAAM,IAAA,GAAO,CAClB,KAAA,EACA,YAAA,KACwB;AACxB,EAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,EAAA,EAAI,OAAO,YAAA;AAChD,EAAA,IAAI,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA;AAC5B,IAAA,OAAO,CAAC,MAAA,CAAO,QAAA,CAAS,MAAM,WAAA,EAAY,CAAE,MAAM,CAAA;AACpD,EAAA,OAAO,CAAC,CAAC,KAAA;AACX,CAAA;AAEO,IAAM,GAAA,GAAM,CAAC,KAAA,KAClB,KAAA,KAAU,UAAa,KAAA,KAAU,EAAA,GAAK,SAAY,CAAC,KAAA;;;ACyC9C,IAAM,SAAA,GAAY,CAAC,MAAA,GAAwB,EAAC,KAAc;AAC/D,EAAA,MAAM,YAAA,GAAe,QAAQ,GAAA,CAAI,YAAA;AACjC,EAAA,MAAM,qBAAA,GAAwB,QAAQ,GAAA,CAAI,qBAAA;AAC1C,EAAA,MAAM,YAAA,GACJ,OAAA,CAAQ,GAAA,CAAI,YAAA,IAAgB,QAAQ,GAAA,CAAI,wBAAA;AAC1C,EAAA,MAAM,eAAA,GAAkB,QAAQ,GAAA,CAAI,eAAA;AACpC,EAAA,MAAM,mBAAA,GAAsB,QAAQ,GAAA,CAAI,mBAAA;AACxC,EAAA,MAAM,cAAA,GAAiB,QAAQ,GAAA,CAAI,cAAA;AACnC,EAAA,MAAM,WAAA,GAAc,QAAQ,GAAA,CAAI,WAAA;AAEhC,EAAA,MAAM,cAAA,GAAiB,QAAQ,GAAA,CAAI,cAAA;AACnC,EAAA,MAAM,YAAA,GAAe,QAAQ,GAAA,CAAI,YAAA;AACjC,EAAA,MAAM,aAAA,GAAgB,QAAQ,GAAA,CAAI,aAAA;AAClC,EAAA,MAAM,yBAAA,GAA4B,QAAQ,GAAA,CAAI,yBAAA;AAC9C,EAAA,MAAM,kBAAA,GAAqB,QAAQ,GAAA,CAAI,kBAAA;AACvC,EAAA,MAAM,8BAAA,GACJ,QAAQ,GAAA,CAAI,8BAAA;AACd,EAAA,MAAM,0BAAA,GAA6B,QAAQ,GAAA,CAAI,0BAAA;AAE/C,EAAA,MAAM,kBAAA,GAAqB,QAAQ,GAAA,CAAI,kBAAA;AACvC,EAAA,MAAM,2BAAA,GAA8B,QAAQ,GAAA,CAAI,2BAAA;AAChD,EAAA,MAAM,+BAAA,GACJ,QAAQ,GAAA,CAAI,+BAAA;AACd,EAAA,MAAM,2BAAA,GAA8B,QAAQ,GAAA,CAAI,mBAAA;AAChD,EAAA,MAAM,yBAAA,GAA4B,QAAQ,GAAA,CAAI,iBAAA;AAC9C,EAAA,MAAM,2BAAA,GAA8B,QAAQ,GAAA,CAAI,mBAAA;AAChD,EAAA,MAAM,8BAAA,GAAiC,QAAQ,GAAA,CAAI,sBAAA;AAEnD,EAAA,MAAM,sBAAA,GAAyB,QAAQ,GAAA,CAAI,6BAAA;AAC3C,EAAA,MAAM,+BAAA,GACJ,QAAQ,GAAA,CAAI,+BAAA;AACd,EAAA,MAAM,6BAAA,GACJ,QAAQ,GAAA,CAAI,6BAAA;AACd,EAAA,MAAM,kCAAA,GACJ,QAAQ,GAAA,CAAI,kCAAA;AACd,EAAA,MAAM,+BAAA,GACJ,QAAQ,GAAA,CAAI,+BAAA;AAEd,EAAA,MAAM,OAAA,GACJ,gBAAgB,CAAC,cAAA,CAAe,KAAK,YAAsB,CAAA,GACvD,CAAA,QAAA,EAAW,YAAY,CAAA,CAAA,GACvB,YAAA;AAEN,EAAA,MAAM,MAAA,GAAS,eAAO,SAAA,CAAU;AAAA,IAC9B,MAAA,EAAQ,YAAA;AAAA,IACR,aAAA,EAAe,qBAAA;AAAA,IACf,OAAA;AAAA,IACA,QAAA,EAAU,eAAA;AAAA,IACV,YAAA,EAAc,mBAAA;AAAA,IACd,GAAG,MAAA;AAAA,IACH,aAAA,EAAe;AAAA,MACb,aAAA,EAAe,MAAA;AAAA,MACf,QAAA,EAAU,cAAA;AAAA,MACV,KAAA,EAAO,WAAA;AAAA,MACP,GAAG,MAAA,CAAO;AAAA,KACZ;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,kBAAA;AAAA,MACN,YAAA,EAAc,SAAS,2BAA2B,CAAA;AAAA,MAClD,gBAAA,EAAkB,SAAS,+BAA+B,CAAA;AAAA,MAC1D,GAAG,MAAA,CAAO,OAAA;AAAA,MACV,MAAA,EAAQ;AAAA,QACN,MAAA,EAAQ,2BAAA;AAAA,QACR,MAAM,yBAAA,IAA6B,GAAA;AAAA,QACnC,MAAA,EAAQ,KAAK,2BAA2B,CAAA;AAAA,QACxC,QAAA,EAAU,8BAAA;AAAA,QAKV,GAAG,OAAO,OAAA,EAAS;AAAA;AACrB,KACF;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,QAAA,EACE,MAAA,CAAO,MAAA,EAAQ,QAAA,IAAY,kBAAkB,cAAA,CAAe,QAAA;AAAA,MAC9D,OACE,MAAA,CAAO,MAAA,EAAQ,SACf,OAAA,CAAQ,GAAA,CAAI,2BACZ,cAAA,CAAe,KAAA;AAAA,MACjB,MAAA,EAAQ,MAAA,CAAO,MAAA,EAAQ,MAAA,IAAU,gBAAgB,cAAA,CAAe,MAAA;AAAA,MAChE,SACE,MAAA,CAAO,MAAA,EAAQ,OAAA,IACf,aAAA,IACA,6BACA,cAAA,CAAe,OAAA;AAAA,MACjB,aACE,MAAA,CAAO,MAAA,EAAQ,WAAA,IACf,kBAAA,IACA,kCACA,cAAA,CAAe,WAAA;AAAA,MACjB,kBAAA,EACE,MAAA,CAAO,MAAA,EAAQ,kBAAA,IACf,8BACA,cAAA,CAAe;AAAA,KACnB;AAAA,IACA,WAAA,EAAa;AAAA,MACX,IAAA,EAAM,sBAAA;AAAA,MACN,GAAG,MAAA,CAAO,WAAA;AAAA,MACV,MAAA,EAAQ;AAAA,QACN,MAAA,EAAQ,+BAAA;AAAA,QACR,MAAM,6BAAA,IAAiC,GAAA;AAAA,QACvC,MAAA,EAAQ,KAAK,+BAA+B,CAAA;AAAA,QAC5C,QAAA,EAAU,kCAAA;AAAA,QAKV,GAAG,OAAO,WAAA,EAAa;AAAA;AACzB;AACF,GACD,CAAA;AAED,EAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,IAAA,MAAM,IAAI,WAAA,CAAY,MAAA,CAAO,KAAA,CAAM,MAAM,CAAA;AAAA,EAC3C;AAEA,EAAA,OAAO,MAAA,CAAO,IAAA;AAChB,CAAA;AAEA,SAAS,SAAS,KAAA,EAAuD;AACvE,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,KAAK,CAAC,IAAK,IAAA,CAAK,KAAK,CAAA,GAAc,GAAA,CAAI,KAAK,CAAA;AACzE;;;ACnKO,IAAM,YAAA,GAAe,CAAC,MAAA,KAA0C;AACrE,EAAA,MAAM,MAAA,GAAS,UAAU,MAAM,CAAA;AAC/B,EAAA,OAAO;AAAA,IACL;AAAA,GACF;AACF,CAAA;;;ACGA,IAAM,YAAA,GAAN,cAA2B,SAAA,CAAU;AAAA,EACnC,YAAY,OAAA,EAA8B;AACxC,IAAA,IAAI,MAAA;AACJ,IAAA,IAAI,QAAA,IAAY,OAAA,CAAQ,KAAA,EAAO,MAAA,GAAS,QAAQ,KAAA,CAAM,MAAA;AAEtD,IAAA,KAAA,CAAM,EAAE,GAAG,OAAA,EAAS,MAAA,EAAQ,CAAA;AAAA,EAC9B;AACF,CAAA;AAKO,IAAM,oBAAA,GAAN,MAAM,qBAAA,SAA6B,YAAA,CAAa;AAAA,EACrD,OAAuB,IAAA,GAAe,8BAAA;AAAA,EAEtC,YAAY,KAAA,EAA0B;AACpC,IAAA,KAAA,CAAM;AAAA,MACJ,MAAM,qBAAA,CAAqB,IAAA;AAAA,MAC3B,OAAA,EAAS,0BAAA;AAAA,MACT,IAAA,EAAM,sBAAA;AAAA,MACN;AAAA,KACD,CAAA;AACD,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,qBAAA,CAAqB,SAAS,CAAA;AAAA,EAC5D;AACF,CAAA;AAKO,IAAM,iBAAA,GAAN,MAAM,kBAAA,SAA0B,YAAA,CAAa;AAAA,EAClD,OAAuB,IAAA,GAAe,2BAAA;AAAA,EAEtC,YAAY,KAAA,EAA0B;AACpC,IAAA,KAAA,CAAM;AAAA,MACJ,MAAM,kBAAA,CAAkB,IAAA;AAAA,MACxB,OAAA,EAAS,uBAAA;AAAA,MACT,IAAA,EAAM,mBAAA;AAAA,MACN;AAAA,KACD,CAAA;AACD,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,kBAAA,CAAkB,SAAS,CAAA;AAAA,EACzD;AACF,CAAA;AAKO,IAAM,kBAAA,GAAN,MAAM,mBAAA,SAA2B,YAAA,CAAa;AAAA,EACnD,OAAuB,IAAA,GAAe,4BAAA;AAAA,EAEtC,YAAY,KAAA,EAA0B;AACpC,IAAA,KAAA,CAAM;AAAA,MACJ,MAAM,mBAAA,CAAmB,IAAA;AAAA,MACzB,OAAA,EAAS,wBAAA;AAAA,MACT,IAAA,EAAM,oBAAA;AAAA,MACN;AAAA,KACD,CAAA;AACD,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,mBAAA,CAAmB,SAAS,CAAA;AAAA,EAC1D;AACF,CAAA;;;AClDO,IAAM,uBAAA,GAAN,MAAM,wBAAA,SAAgC,KAAA,CAAM;AAAA,EACjD,OAAO,OAAA,GACL,4FAAA;AAAA,EACF,MAAA,GAAS,GAAA;AAAA,EACT,UAAA,GAAa,GAAA;AAAA,EAEb,WAAA,GAAc;AAEZ,IAAA,KAAA,CAAM,yBAAwB,OAAO,CAAA;AACrC,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,wBAAA,CAAwB,SAAS,CAAA;AAAA,EAC/D;AACF,CAAA;ACpBO,SAAS,uBAAA,CACd,QACA,WAAA,EACkB;AAClB,EAAA,OAAO,IAAI,gBAAA;AAAA,IACT,WAAW,MAAM,CAAA;AAAA,IACjB,WAAA;AAAA,IACA,OAAO,WAAA,CAAY,IAAA;AAAA,IACnB;AAAA,MACE,GAAG,OAAO,WAAA,CAAY,MAAA;AAAA,MACtB,QAAA,EAAU;AAAA;AACZ,GACF;AACF;AAQO,IAAM,mBAAN,MAAuB;AAAA,EAC5B,WAAA,CACmB,OAAA,EACA,WAAA,EACA,UAAA,EACA,aAAA,EACjB;AAJiB,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AACA,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EAChB;AAAA,EAJgB,OAAA;AAAA,EACA,WAAA;AAAA,EACA,UAAA;AAAA,EACA,aAAA;AAAA;AAAA;AAAA;AAAA,EAMnB,MAAM,KAAK,KAAA,EAAwC;AACjD,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AAEpC,IAAA,MAAA,CAAO,gBAAgB,KAAA,CAAM,aAAA;AAC7B,IAAA,MAAA,CAAO,QAAQ,KAAA,CAAM,KAAA;AACrB,IAAA,MAAA,CAAO,QAAQ,KAAA,CAAM,KAAA;AACrB,IAAA,MAAA,CAAO,UAAU,KAAA,CAAM,OAAA;AACvB,IAAA,MAAA,CAAO,YAAY,KAAA,CAAM,SAAA;AAEzB,IAAA,OAAO,MAAM,OAAO,IAAA,EAAK;AAAA,EAC3B;AAAA,EAEA,MAAc,SAAA,GAAoD;AAChE,IAAA,MAAMH,gBAAc,MAAMC,0BAAAA;AAAA,MACxB,IAAA,CAAK,WAAA;AAAA,MACL;AAAA,QACE,YAAY,IAAA,CAAK,UAAA;AAAA,QACjB,UAAU,IAAA,CAAK,OAAA;AAAA,QACf,eAAe,IAAA,CAAK;AAAA;AACtB,KACF;AAEA,IAAA,OAAOD,aAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,IAAA,GAA8C;AAClD,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AAEpC,IAAA,IAAI,CAAC,OAAO,aAAA,IAAiB,CAAC,OAAO,KAAA,IAAS,CAAC,OAAO,KAAA,EAAO;AAC3D,MAAA,MAAA,CAAO,OAAA,EAAQ;AACf,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,MAAA,GAA2B;AAAA,MAC/B,eAAe,MAAA,CAAO,aAAA;AAAA,MACtB,OAAO,MAAA,CAAO,KAAA;AAAA,MACd,OAAO,MAAA,CAAO,KAAA;AAAA,MACd,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,WAAW,MAAA,CAAO;AAAA,KACpB;AAEA,IAAA,MAAA,CAAO,OAAA,EAAQ;AAEf,IAAA,OAAO,MAAA;AAAA,EACT;AACF,CAAA;;;AClEO,IAAM,yBACX,CAA4B,QAAA,KAC5B,CAAC,OAAA,KACD,OAAO,GAAA,KAAoC;AACzC,EAAA,IAAI;AACF,IAAA,MAAM,WAAA,GAAc,MAAM,aAAA,EAAc;AAExC,IAAA,OAAO,MAAM,OAAA;AAAA,MACX,QAAA;AAAA,MACA,IAAI,GAAA,CAAI,GAAA,CAAI,GAAG,CAAA;AAAA,MACf,uBAAA,CAAwB,QAAA,CAAS,MAAA,EAAQ,WAAW,CAAA;AAAA,MACpD,mBAAA,CAAgC,SAAS,MAAM,CAAA;AAAA,MAC/C;AAAA,KACF;AAAA,EACF,SAAS,CAAA,EAAG;AACV,IAAA,MAAM,IAAI,qBAAqB,CAAsB,CAAA;AAAA,EACvD;AACF,CAAA;AAEF,eAAe,QACb,EAAE,MAAA,IACF,UAAA,EACA,gBAAA,EACA,cACA,OAAA,EACmB;AACnB,EAAA,MAAME,KAAAA,GAAO,MAAM,OAAO,eAAe,CAAA;AACzC,EAAA,MAAM,gBAAA,GAAmB,MAAM,gBAAA,CAAiB,IAAA,EAAK;AACrD,EAAA,IAAI,CAAC,gBAAA,EAAkB;AACrB,IAAA,MAAM,IAAI,uBAAA,EAAwB;AAAA,EACpC;AAEA,EAAA,MAAM,YAAA,GAAe,MAAM,YAAA,CAAa,MAAM,CAAA;AAE9C,EAAA,MAAM,MAAA,GAAqC,MAAMA,KAAAA,CAAK,sBAAA;AAAA,IACpD,YAAA;AAAA,IACA,UAAA;AAAA,IACA;AAAA,MACE,kBAAkB,gBAAA,CAAiB,aAAA;AAAA,MACnC,eAAe,gBAAA,CAAiB,KAAA;AAAA,MAChC,eAAe,gBAAA,CAAiB,KAAA;AAAA,MAChC,eAAA,EAAiB,IAAA;AAAA,MACjB,QAAQ,gBAAA,CAAiB;AAAA,KAC3B;AAAA,IACA,OAAA,EAAS;AAAA,GACX;AAEA,EAAA,MAAM,OAAA,GAAU,MAAM,yBAAA,CAAsC,MAAM,CAAA;AAClE,EAAA,IAAI,OAAA,EAAS;AACX,IAAA,MAAM,YAAA,CAAa,IAAI,OAAO,CAAA;AAAA,EAChC;AAEA,EAAA,OAAOE,sBAAA,CAAa,QAAA,CAAS,gBAAA,CAAiB,SAAA,IAAa,OAAO,OAAO,CAAA;AAC3E;;;AC9EO,IAAM,mBAAA,GAAsB;AAAA,EACjC,IAAA,EAAM;AACR,CAAA;;;ACVO,SAAS,cAAA,CACd,mBACA,WAAA,EACoB;AACpB,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI;AACF,IAAA,GAAA,GAAM,IAAI,GAAA,CAAI,iBAAA,EAAmB,WAAW,CAAA;AAAA,EAC9C,SAAS,EAAA,EAAI;AACX,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,IAAI,GAAA,CAAI,MAAA,KAAW,WAAA,CAAY,MAAA,EAAQ;AACrC,IAAA,OAAO,IAAI,QAAA,EAAS;AAAA,EACtB;AACA,EAAA,OAAO,MAAA;AACT;AASO,SAAS,2BAAA,CACd,QACA,MAAA,EACK;AACL,EAAA,OAAO,cAAA,CAAe,MAAA,EAAQ,MAAA,CAAO,MAAA,CAAO,UAAU,MAAM,CAAA;AAC9D;AAQO,SAAS,cAAA,CACd,MAAA,EACA,SAAA,EACA,MAAA,EACK;AACL,EAAA,IAAI,qBAAqB,GAAA,EAAK;AAC5B,IAAA,OAAO,SAAA;AAAA,EACT;AAEA,EAAA,IAAI;AACF,IAAA,OAAO,IAAI,IAAI,SAAS,CAAA;AAAA,EAC1B,SAAS,CAAA,EAAG;AACV,IAAA,OAAO,IAAI,GAAA,CAAI,OAAA,CAAQ,UAAU,MAAA,CAAO,OAAA,EAAS,SAAS,CAAC,CAAA;AAAA,EAC7D;AACF;AAEA,SAAS,OAAA,CAAQ,MAAc,IAAA,EAAsB;AACnD,EAAA,OAAO,CAAA,EAAG,IAAA,CAAK,OAAA,CAAQ,MAAA,EAAQ,EAAE,CAAC,CAAA,CAAA,EAAI,IAAA,CAAK,OAAA,CAAQ,MAAA,EAAQ,EAAE,CAAC,CAAA,CAAA;AAChE;;;ACfO,IAAM,sBACX,CAAC,QAAA,KACD,CAAC,OAAA,KACD,OAAO,GAAA,KAAoC;AACzC,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,GAAA,CAAI,GAAG,CAAA;AAE3B,IAAA,OAAO,MAAMC,QAAAA;AAAA,MACX,QAAA;AAAA,MACA,uBAAA,CAAwB,QAAA,CAAS,MAAA,EAAQ,MAAM,eAAe,CAAA;AAAA,MAC9D,YAAA;AAAA,QACE,QAAA,CAAS,MAAA;AAAA,QACT,OAAA;AAAA,QACA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,UAAU,CAAA;AAAA,QAC/B,GAAA,CAAI;AAAA,OACN;AAAA,MACA,GAAA,CAAI;AAAA,KACN;AAAA,EACF,SAAS,CAAA,EAAG;AACV,IAAA,MAAM,IAAI,kBAAkB,CAAsB,CAAA;AAAA,EACpD;AACF,CAAA;AAEF,eAAeA,SACb,EAAE,MAAA,EAAO,EACT,gBAAA,EACA,SACA,aAAA,EACmB;AACnB,EAAA,MAAMH,KAAAA,GAAO,MAAM,OAAO,eAAe,CAAA;AAEzC,EAAA,MAAM,QAAA,GAAW,OAAA,EAAS,QAAA,IAAY,MAAA,CAAO,OAAA;AAE7C,EAAA,MAAM,gBAAA,GAAqC;AAAA,IACzC,KAAA,EAAOA,MAAK,WAAA,EAAY;AAAA,IACxB,KAAA,EAAOA,MAAK,WAAA,EAAY;AAAA,IACxB,aAAA,EAAeA,MAAK,sBAAA,EAAuB;AAAA,IAC3C,SAAA,EAAW;AAAA,GACb;AAEA,EAAA,MAAM,UAAA,GAAsC;AAAA,IAC1C,YAAA,EAAc,2BAAA,CAA4B,MAAA,EAAQ,aAAa,EAAE,QAAA,EAAS;AAAA,IAC1E,GAAG,MAAA,CAAO,aAAA;AAAA,IACV,GAAI,OAAA,EAAS,aAAA,IAAiB,EAAC;AAAA,IAC/B,OAAO,gBAAA,CAAiB,KAAA;AAAA,IACxB,OAAO,gBAAA,CAAiB,KAAA;AAAA,IACxB,uBAAuB,mBAAA,CAAoB,IAAA;AAAA,IAC3C,cAAA,EAAgB,MAAMA,KAAAA,CAAK,0BAAA;AAAA,MACzB,gBAAA,CAAiB;AAAA;AACnB,GACF;AAEA,EAAA,IAAI,WAAW,OAAA,EAAS;AACtB,IAAA,gBAAA,CAAiB,UAAU,UAAA,CAAW,OAAA;AAAA,EACxC;AAEA,EAAA,MAAM,gBAAA,CAAiB,KAAK,gBAAgB,CAAA;AAE5C,EAAA,MAAM,YAAA,GAAe,MAAM,YAAA,CAAa,MAAM,CAAA;AAE9C,EAAA,MAAM,mBAAmBA,KAAAA,CAAK,qBAAA;AAAA,IAC5B,YAAA;AAAA,IACA,6BAA6B,UAAU;AAAA,GACzC;AAEA,EAAA,OAAOE,sBAAAA,CAAa,SAAS,gBAAgB,CAAA;AAC/C;AAEA,SAAS,6BACP,UAAA,EACwB;AACxB,EAAA,MAAM,6BAAqD,EAAC;AAE5D,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,UAAU,CAAA,EAAG;AACrD,IAAA,IAAI,UAAU,MAAA,EAAW;AACvB,MAAA,0BAAA,CAA2B,GAAG,CAAA,GAAI,MAAA,CAAO,KAAK,CAAA;AAAA,IAChD;AAAA,EACF;AAEA,EAAA,OAAO,0BAAA;AACT;AAQA,IAAM,YAAA,GAAe,CACnB,MAAA,EACA,IAAA,EACA,mBACA,aAAA,KACiB;AACjB,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAC;AAEzB,EAAA,IAAI,iBAAA,EAAmB;AACrB,IAAA,MAAM,cAAc,IAAI,GAAA;AAAA,MACtB,OAAA,EAAS,aAAA,EAAe,YAAA,IAAgB,aAAA,IAAiB,MAAA,CAAO;AAAA,KAClE;AACA,IAAA,OAAA,CAAQ,QAAA,GAAW,cAAA,CAAe,iBAAA,EAAmB,WAAW,CAAA;AAAA,EAClE;AAEA,EAAA,OAAO,OAAA;AACT,CAAA;AC7GO,IAAM,uBACX,CAA4B,QAAA,KAC5B,CAAC,OAAA,KACD,OAAO,GAAA,KAAoC;AACzC,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,GAAA,CAAI,GAAG,CAAA;AAE3B,IAAA,OAAO,MAAMC,QAAAA;AAAA,MACX,QAAA;AAAA,MACA,mBAAA,CAAgC,SAAS,MAAM,CAAA;AAAA,MAC/CC,aAAAA;AAAA,QACE,QAAA,CAAS,MAAA;AAAA,QACT,OAAA;AAAA,QACA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,UAAU;AAAA;AACjC,KACF;AAAA,EACF,SAAS,CAAA,EAAG;AACV,IAAA,MAAM,IAAI,mBAAmB,CAAsB,CAAA;AAAA,EACrD;AACF,CAAA;AAEF,eAAeD,QAAAA,CACb,EAAE,MAAA,EAAO,EACT,cACA,OAAA,EACmB;AACnB,EAAA,IAAI,SAAA,GAAY,cAAA;AAAA,IACd,MAAA;AAAA,IACA,OAAA,EAAS,QAAA,IAAY,MAAA,CAAO,MAAA,CAAO;AAAA,GACrC;AAEA,EAAA,MAAM,aAAa,MAAA,EAAO;AAE1B,EAAA,IAAI,SAAS,YAAA,EAAc;AACzB,IAAA,SAAA,GAAY,IAAI,GAAA;AAAA,MACd,CAAC,WAAW,CAAA,WAAA,EAAc,SAAA,CAAU,UAAU,CAAA,CAAE,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA;AAAA,MAC1D,MAAA,CAAO;AAAA,KACT;AAAA,EACF;AAEA,EAAA,OAAOD,sBAAAA,CAAa,SAAS,SAAS,CAAA;AACxC;AAQA,IAAME,aAAAA,GAAe,CACnB,MAAA,EACA,IAAA,EACA,iBAAA,KACkB;AAClB,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAC;AAEzB,EAAA,IAAI,iBAAA,EAAmB;AACrB,IAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,MAAA,CAAO,OAAO,CAAA;AAC1C,IAAA,OAAA,CAAQ,QAAA,GAAW,cAAA,CAAe,iBAAA,EAAmB,WAAW,CAAA;AAAA,EAClE;AAEA,EAAA,OAAO,OAAA;AACT,CAAA;AClEO,IAAM,wBACX,CAA4B,QAAA,KAC5B,CAAC,OAAA,KACD,OAAO,IAAA,KAAqC;AAC1C,EAAA,OAAO,MAAMD,QAAAA;AAAA,IACX,mBAAA,CAAgC,SAAS,MAAM,CAAA;AAAA,IAC/C;AAAA,GACF;AACF,CAAA;AAEF,eAAeA,QAAAA,CACb,cACA,OAAA,EACmB;AACnB,EAAA,MAAM,OAAA,GAAU,OAAO,OAAA,EAAS,KAAA,KAAU,QACtC,YAAA,CAAa,KAAA,EAAM,GACnB,YAAA,CAAa,GAAA,EAAI,CAAA;AAErB,EAAA,MAAM,SAAS,OAAA,EAAS,SAAA,GAAY,OAAA,EAAS,SAAA,CAAU,OAAO,CAAA,GAAI,OAAA;AAElE,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,OAAO,QAAA,CAAS,IAAA;AAAA,MACd;AAAA,QACE,KAAA,EAAO,iBAAA;AAAA,QACP,iBAAA,EAAmB;AAAA,OACrB;AAAA,MACA,EAAE,MAAA,EAAQ,GAAA,EAAK,UAAA,EAAY,cAAA;AAAe,KAC5C;AAAA,EACF;AAEA,EAAA,OAAOD,sBAAAA,CAAa,KAAK,MAAM,CAAA;AACjC;AC5BO,IAAM,4BACX,CAA4B,QAAA,KAC5B,CAAC,OAAA,KACD,OAAO,GAAA,KAAoC;AACzC,EAAA,IAAI;AACF,IAAA,MAAM,EAAE,SAAA,EAAW,GAAG,aAAA,EAAc,GAAI,WAAW,EAAC;AACpD,IAAA,MAAM,cAAA,GAAiB,MAAM,iBAAA,CAAkB,GAAG,CAAA;AAClD,IAAA,MAAM,KAAA,GAAQ,MAAM,qBAAA,CAAkC,QAAQ,CAAA,CAAE;AAAA,MAC9D,GAAG,aAAA;AAAA,MACH,GAAI,kBAAkB;AAAC,KACxB,CAAA;AACD,IAAA,OAAOA,sBAAAA,CAAa,IAAA,CAAK,SAAA,GAAY,KAAK,KAAK,KAAK,CAAA;AAAA,EACtD,SAAS,KAAA,EAAO;AACd,IAAA,IAAI,iBAAiB,gBAAA,EAAkB;AACrC,MAAA,OAAOA,sBAAAA,CAAa,IAAA;AAAA,QAClB;AAAA,UACE,OAAO,KAAA,CAAM,IAAA;AAAA,UACb,mBAAmB,KAAA,CAAM;AAAA,SAC3B;AAAA,QACA,EAAE,MAAA,EAAQ,aAAA,CAAc,KAAA,CAAM,IAA4B,CAAA;AAAE,OAC9D;AAAA,IACF;AAEA,IAAA,MAAM,KAAA;AAAA,EACR;AACF,CAAA;AAEF,eAAe,kBACb,GAAA,EACgD;AAChD,EAAA,IAAI,GAAA,CAAI,WAAW,MAAA,EAAQ;AACzB,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,MAAM,IAAA,GAAO,MAAM,YAAA,CAAa,GAAG,CAAA;AACnC,EAAA,IAAI,CAAC,QAAA,CAAS,IAAI,CAAA,EAAG;AACnB,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,MAAM,UAAqC,EAAC;AAC5C,EAAA,MAAM,MAAA,GAAS,SAAA,CAAU,IAAA,CAAK,MAAM,CAAA;AAEpC,EAAA,IAAI,OAAO,IAAA,CAAK,OAAA,KAAY,SAAA,EAAW;AACrC,IAAA,OAAA,CAAQ,UAAU,IAAA,CAAK,OAAA;AAAA,EACzB;AAEA,EAAA,IAAI,OAAO,IAAA,CAAK,sBAAA,KAA2B,QAAA,EAAU;AACnD,IAAA,OAAA,CAAQ,yBAAyB,IAAA,CAAK,sBAAA;AAAA,EACxC;AAEA,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,OAAA,CAAQ,MAAA,GAAS,MAAA;AAAA,EACnB;AAEA,EAAA,OAAO,OAAA;AACT;AAEA,eAAe,aAAa,GAAA,EAAgC;AAC1D,EAAA,IAAI;AACF,IAAA,OAAO,MAAM,IAAI,IAAA,EAAK;AAAA,EACxB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AAEA,SAAS,UAAU,KAAA,EAAoD;AACrE,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,IACE,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,IACnB,KAAA,CAAM,KAAA,CAAM,CAAC,KAAA,KAAU,OAAO,KAAA,KAAU,QAAQ,CAAA,EAChD;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAEA,SAAS,SAAS,KAAA,EAAkD;AAClE,EAAA,OAAO,OAAA,CAAQ,KAAA,IAAS,OAAO,KAAA,KAAU,QAAQ,CAAA;AACnD;AAEA,SAAS,cAAc,IAAA,EAAoC;AACzD,EAAA,QAAQ,IAAA;AAAM,IACZ,KAAA,qBAAA;AAAA,IACA,KAAA,0BAAA;AAAA,IACA,KAAA,2BAAA;AAAA,IACA,KAAA,0BAAA;AACE,MAAA,OAAO,GAAA;AAAA,IACT,KAAA,wBAAA;AACE,MAAA,OAAO,GAAA;AAAA,IACT,KAAA,0BAAA;AACE,MAAA,OAAO,GAAA;AAAA;AAEb;;;ACxEO,IAAM,kBAAN,MAA0D;AAAA,EACvD,QAAA;AAAA,EACS,eAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUjB,YAAY,MAAA,EAAwB;AAClC,IAAA,IAAA,CAAK,eAAA,GAAkB,MAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAA,GAAS;AACX,IAAA,OAAO,IAAA,CAAK,aAAY,CAAE,MAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,UAAA,CAAW,OAAA,GAAyC,EAAC,EAAG;AACtD,IAAA,OAAO,OAAO,OAAA,KAAwC;AACpD,MAAA,MAAM,EAAE,QAAA,EAAS,GAAI,IAAI,GAAA,CAAI,QAAQ,GAAG,CAAA;AACxC,MAAA,MAAM,EAAE,MAAA,EAAO,GAAI,IAAA,CAAK,MAAA;AAExB,MAAA,IAAI,QAAA,KAAa,OAAO,KAAA,EAAO;AAC7B,QAAA,OAAO,IAAA,CAAK,WAAA,CAAY,OAAA,CAAQ,KAAK,EAAE,OAAO,CAAA;AAAA,MAChD;AAEA,MAAA,IAAI,QAAA,KAAa,OAAO,QAAA,EAAU;AAChC,QAAA,OAAO,IAAA,CAAK,cAAA,CAAe,OAAA,CAAQ,QAAQ,EAAE,OAAO,CAAA;AAAA,MACtD;AAEA,MAAA,IAAI,QAAA,KAAa,OAAO,MAAA,EAAQ;AAC9B,QAAA,OAAO,IAAA,CAAK,YAAA,CAAa,OAAA,CAAQ,MAAM,EAAE,OAAO,CAAA;AAAA,MAClD;AAEA,MAAA,IAAI,QAAA,KAAa,OAAO,OAAA,EAAS;AAC/B,QAAA,OAAO,IAAA,CAAK,aAAA,CAAc,OAAA,CAAQ,OAAO,EAAE,OAAO,CAAA;AAAA,MACpD;AAEA,MAAA,IAAI,QAAA,KAAa,OAAO,WAAA,EAAa;AACnC,QAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,OAAA,CAAQ,WAAW,EAAE,OAAO,CAAA;AAAA,MAC5D;AAEA,MAAA,OAAOA,sBAAAA,CAAa,IAAA;AAAA,QAClB;AAAA,UACE,KAAA,EAAO,UAAA;AAAA,UACP,iBAAA,EAAmB,yCAAyC,QAAQ,CAAA,CAAA;AAAA,SACtE;AAAA,QACA,EAAE,QAAQ,GAAA;AAAI,OAChB;AAAA,IACF,CAAA;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,OAAA,EAAwB;AAClC,IAAA,OAAO,mBAAA,CAAoB,IAAA,CAAK,WAAA,EAAa,EAAE,OAAO,CAAA;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA,EAKA,eAAe,OAAA,EAA2B;AACxC,IAAA,OAAO,sBAAA,CAAmC,IAAA,CAAK,WAAA,EAAa,EAAE,OAAO,CAAA;AAAA,EACvE;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,OAAA,EAAyB;AACpC,IAAA,OAAO,oBAAA,CAAiC,IAAA,CAAK,WAAA,EAAa,EAAE,OAAO,CAAA;AAAA,EACrE;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,OAAA,EAAsC;AAClD,IAAA,OAAO,qBAAA,CAAkC,IAAA,CAAK,WAAA,EAAa,EAAE,OAAO,CAAA;AAAA,EACtE;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAkB,OAAA,EAA8B;AAC9C,IAAA,OAAO,yBAAA,CAAsC,IAAA,CAAK,WAAA,EAAa,EAAE,OAAO,CAAA;AAAA,EAC1E;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,YAAY;AACvB,IAAA,OAAO,mBAAA,CAAgC,IAAA,CAAK,MAAM,CAAA,CAAE,GAAA,EAAI;AAAA,EAC1D,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,cAAA,GAAiB,CAAC,OAAA,KAAoC;AACpD,IAAA,OAAO,qBAAA,CAAkC,IAAA,CAAK,WAAA,EAAa,EAAE,OAAO,CAAA;AAAA,EACtE,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,KAAA,GAAQ,OACN,OAAA,EACA,OAAA,GAAwB,EAAC,KACS;AAClC,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA;AAE/B,IAAA,IAAI,YAAY,GAAA,CAAI,QAAA,EAAU,IAAA,CAAK,MAAA,CAAO,MAAM,CAAA,EAAG;AACjD,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,IAAI,YAAA,CAAa,GAAA,CAAI,QAAA,EAAU,OAAA,CAAQ,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,QAAA,GAAWA,uBAAa,IAAA,EAAK;AACnC,IAAA,MAAM,YAAA,GAAe,mBAAA;AAAA,MACnB,IAAA,CAAK,MAAA;AAAA,MACL,OAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,MAAM,OAAA,GAAU,MAAM,YAAA,CAAa,GAAA,EAAI;AAEvC,IAAA,IAAI,CAAC,SAAS,IAAA,EAAM;AAClB,MAAA,MAAM,WACJ,OAAO,OAAA,CAAQ,QAAA,KAAa,UAAA,GACxB,MAAM,OAAA,CAAQ,QAAA,CAAS,OAAO,CAAA,GAC9B,QAAQ,QAAA,IAAY,CAAA,EAAG,IAAI,QAAQ,CAAA,EAAG,IAAI,MAAM,CAAA,CAAA;AAEtD,MAAA,OAAOA,sBAAAA,CAAa,QAAA;AAAA,QAClB,IAAI,GAAA;AAAA,UACF,CAAA,EAAG,KAAK,MAAA,CAAO,MAAA,CAAO,KAAK,CAAA,UAAA,EAAa,kBAAA,CAAmB,QAAQ,CAAC,CAAA,CAAA;AAAA,UACpE,GAAA,CAAI;AAAA;AACN,OACF;AAAA,IACF;AAEA,IAAA,MAAM,aAAa,KAAA,EAAM;AACzB,IAAA,OAAO,QAAA;AAAA,EACT,CAAA;AAAA,EAEQ,WAAA,GAA6B;AACnC,IAAA,IAAA,CAAK,QAAA,KAAa,YAAA,CAAa,IAAA,CAAK,eAAe,CAAA;AACnD,IAAA,OAAO,IAAA,CAAK,QAAA;AAAA,EACd;AACF;AASO,SAAS,WACd,MAAA,EACA;AACA,EAAA,OAAO,IAAI,gBAA4B,MAAM,CAAA;AAC/C;AAIA,SAAS,WAAA,CAAY,UAAkB,MAAA,EAA6B;AAClE,EAAA,OAAO;AAAA,IACL,MAAA,CAAO,KAAA;AAAA,IACP,MAAA,CAAO,QAAA;AAAA,IACP,MAAA,CAAO,MAAA;AAAA,IACP,MAAA,CAAO,OAAA;AAAA,IACP,MAAA,CAAO;AAAA,GACT,CAAE,SAAS,QAAQ,CAAA;AACrB;AAEA,SAAS,YAAA,CACP,QAAA,EACA,WAAA,GAA2C,EAAC,EACnC;AACT,EAAA,OAAO,WAAA,CAAY,IAAA;AAAA,IAAK,CAAC,IAAA,KACvB,OAAO,IAAA,KAAS,QAAA,GAAW,QAAA,CAAS,UAAA,CAAW,IAAI,CAAA,GAAI,IAAA,CAAK,IAAA,CAAK,QAAQ;AAAA,GAC3E;AACF","file":"client.cjs","sourcesContent":["function appendCause(errorMessage: string, cause?: Error): string {\n if (!cause) return errorMessage;\n const separator = errorMessage.endsWith('.') ? '' : '.';\n return `${errorMessage}${separator} CAUSE: ${cause.message}`;\n}\n\ntype AuthErrorOptions = {\n code: string;\n message: string;\n name: string;\n cause?: Error;\n status?: number;\n};\n\n/*\n The base class for all SDK errors.\n \n Subclasses expose stable machine-readable codes for application-level error\n * handling.\n /\nexport abstract class AuthError extends Error {\n /\n A machine-readable error code that remains stable within a major version of the SDK. You\n * should rely on this error code to handle errors. In contrast, the error message is not part of\n * the API and can change anytime. Do not parse or otherwise rely on the error message to\n * handle errors.\n /\n public readonly code: string;\n\n /\n The error class name.\n /\n public readonly name: string;\n\n /\n The underlying error, if any.\n \n IMPORTANT When this error is from the Identity Provider ({@link IdentityProviderError}) it can contain user\n * input and is only escaped using basic escaping for putting untrusted data directly into the HTML body.\n \n You should not render this error without using a templating engine that will properly escape it for other\n * HTML contexts first.\n /\n public readonly cause?: Error;\n\n /\n The HTTP status code, if any.\n /\n public readonly status?: number;\n\n /\n @param options - Error metadata used by SDK-specific subclasses.\n /\n constructor(options: AuthErrorOptions) {\n / c8 ignore next /\n super(appendCause(options.message, options.cause));\n this.code = options.code;\n this.name = options.name;\n this.cause = options.cause;\n this.status = options.status;\n }\n}\n","import { AuthError } from './auth';\n\n/\n Error codes for {@link AccessTokenError}.\n /\nexport enum AccessTokenErrorCode {\n /* No valid session was available. /\n MISSING_SESSION = 'ERR_MISSING_SESSION',\n\n /* Session exists but does not contain an access token. /\n MISSING_ACCESS_TOKEN = 'ERR_MISSING_ACCESS_TOKEN',\n\n /* Refresh was required but no refresh token was stored. /\n MISSING_REFRESH_TOKEN = 'ERR_MISSING_REFRESH_TOKEN',\n\n /* Access token is expired and cannot be returned as-is. /\n EXPIRED_ACCESS_TOKEN = 'ERR_EXPIRED_ACCESS_TOKEN',\n\n /* Access token does not include the requested scopes. /\n INSUFFICIENT_SCOPE = 'ERR_INSUFFICIENT_SCOPE',\n\n /* Refresh token grant failed or returned an invalid response. /\n FAILED_REFRESH_GRANT = 'ERR_FAILED_REFRESH_GRANT',\n}\n\n/\n Error thrown when an access token cannot be returned or refreshed.\n \n Use {@link AccessTokenError.code} for stable error handling.\n /\nexport class AccessTokenError extends AuthError {\n /\n @param code - Stable machine-readable error code.\n * @param message - Human-readable diagnostic message.\n * @param cause - Optional lower-level error.\n /\n constructor(code: AccessTokenErrorCode, message: string, cause?: Error) {\n / c8 ignore next /\n super({ code: code, message: message, name: 'AccessTokenError', cause });\n\n Error.captureStackTrace(this, this.constructor);\n Object.setPrototypeOf(this, AccessTokenError.prototype);\n }\n}\n","import type { Config } from '../config/types';\n\n/\n Password map format expected by `iron-session`.\n \n Higher numeric keys represent newer secrets.\n /\nexport type Secrets = Record<number, string>;\n\n/\n Converts configured secrets into the rotation map used to seal and unseal\n * `iron-session` cookies.\n \n @param config - Validated auth configuration.\n /\nexport function getSecrets(config: Config): Secrets {\n const secretsArray = Array.isArray(config.secret)\n ? config.secret\n : [config.secret];\n\n const secrets: Secrets = {};\n secretsArray.forEach((secret, index) => {\n secrets[secretsArray.length - index] = secret;\n });\n\n return secrets;\n}\n","import { parse, serialize, type SerializeOptions } from 'cookie';\nimport { cookies } from 'next/headers.js';\n\ninterface CookieListItem\n extends Pick<SerializeOptions, 'domain' \| 'path' \| 'sameSite' \| 'secure'> {\n name: string;\n value: string;\n}\n\ntype ResponseCookie = CookieListItem &\n Pick<SerializeOptions, 'httpOnly' \| 'maxAge' \| 'priority'>;\n\n/\n Minimal cookie API shared by `next/headers` cookies and request/response\n * adapters used in route handlers and proxy.\n /\nexport interface CookieStore {\n get: (name: string) => { name: string; value: string } \| undefined;\n set: {\n (name: string, value: string, cookie?: Partial<ResponseCookie>): void;\n (options: ResponseCookie): void;\n };\n}\n\n/\n Returns a cookie store for the current execution context.\n \n Without a request it delegates to Next.js `cookies()`. With a request it\n * adapts Web `Request`/`Response` objects so session updates can append\n * `Set-Cookie` headers.\n /\nexport async function cookieFactory(\n req?: Request,\n res?: Response,\n): Promise<CookieStore> {\n if (req) {\n return new HttpCookieStore(req, res);\n }\n\n return cookies();\n}\n\n/\n Cookie store adapter for Web `Request` and `Response` objects.\n /\nexport class HttpCookieStore implements CookieStore {\n constructor(\n readonly req: Request,\n readonly res?: Response,\n ) {}\n\n get(cookieName: string): { name: string; value: string } \| undefined {\n const value = parse(this.req.headers.get('cookie') ?? '')[cookieName];\n\n return value === undefined ? undefined : { name: cookieName, value };\n }\n\n set(name: string, value: string, cookie?: Partial<ResponseCookie>): void;\n set(options: ResponseCookie): void;\n set(\n nameOrOptions: string \| ResponseCookie,\n value?: string,\n cookie?: Partial<ResponseCookie>,\n ) {\n if (typeof nameOrOptions === 'string') {\n return this.setCookie(nameOrOptions, value as string, cookie);\n }\n\n return this.setCookie(\n nameOrOptions.name,\n nameOrOptions.value,\n nameOrOptions,\n );\n }\n\n private setCookie(\n name: string,\n value: string,\n cookie?: Partial<ResponseCookie>,\n ) {\n if (!this.res) {\n return;\n }\n\n const cookieValue = serialize(name, value, cookie);\n\n this.res.headers.append('set-cookie', cookieValue);\n }\n}\n","import type { TokenEndpointResponse } from '../oauth/types';\nimport type {\n Claims,\n IdTokenClaims,\n SessionAuthentication,\n SessionAuthorization,\n SessionInterface,\n UserProfile,\n} from './types';\n\n/\n Serializable session payload stored across sealed cookies.\n /\nexport type SerializedSession<UserClaims extends Claims = Claims> =\n SessionInterface<UserClaims> & {\n authentication?: SessionAuthentication;\n authorization?: SessionAuthorization;\n };\n\n/\n The user's session.\n \n The public session shape combines the base user claims cookie with optional\n * authentication and authorization cookies.\n \n @category Server\n /\nexport class Session<UserClaims extends Claims = Claims>\n implements SessionInterface<UserClaims>\n{\n /\n The authenticated user (claims from the `id_token`)\n /\n user: UserProfile<UserClaims>;\n\n /\n A timestamp when authentication / session occurred\n /\n issuedAt: number;\n\n /\n A timestamp when authentication / session was last updated (touched)\n /\n updatedAt: number;\n\n /\n A timestamp when the authentication / session is set to expire\n /\n expiresAt: number;\n\n /\n OAuth access-token state stored separately from the base session payload.\n /\n authorization?: SessionAuthorization;\n\n /\n OIDC authentication token state stored separately from the base session\n * payload.\n /\n authentication?: SessionAuthentication;\n\n [key: string]: any;\n\n /\n Creates a normalized session object from sealed cookie payloads.\n /\n constructor(props: SerializedSession<UserClaims>) {\n this.user = props.user;\n this.issuedAt = props.issuedAt;\n this.updatedAt = props.updatedAt;\n this.expiresAt = props.expiresAt;\n this.authentication = props.authentication;\n this.authorization = props.authorization;\n }\n}\n\n/\n Converts an OIDC token endpoint response into the session model stored in\n * sealed cookies.\n \n @param tokenEndpointResponse - Token endpoint response returned by\n * `openid-client`.\n /\nexport function fromTokenEndpointResponse<UserClaims extends Claims = Claims>(\n tokenEndpointResponse: TokenEndpointResponse,\n): Session<UserClaims> {\n const { iat, exp, aud, iss, nonce, ...user } = decodeJwt<IdTokenClaims>(\n tokenEndpointResponse.id_token as string,\n );\n\n const {\n id_token,\n access_token,\n scope,\n expires_in,\n expires_at,\n refresh_token,\n token_type,\n ...remainder\n } = tokenEndpointResponse;\n\n const authorization = access_token\n ? {\n accessToken: access_token,\n scope,\n expiresAt: Math.floor(Date.now() / 1000) + Number(expires_in),\n refreshToken: refresh_token,\n type: token_type,\n }\n : undefined;\n\n const authentication = id_token\n ? {\n idToken: id_token,\n }\n : undefined;\n\n return Object.assign(\n new Session({\n user: user as UserProfile<UserClaims>,\n issuedAt: iat,\n updatedAt: iat,\n expiresAt: exp,\n authorization,\n authentication,\n }),\n remainder,\n );\n}\n\nfunction decodeJwt<TClaims>(jwt: string): TClaims {\n const [, payload] = jwt.split('.');\n\n if (!payload) {\n throw new TypeError('Invalid JWT payload.');\n }\n\n const normalized = payload.replace(/-/g, '+').replace(/_/g, '/');\n const padded = normalized.padEnd(\n normalized.length + ((4 - (normalized.length % 4)) % 4),\n '=',\n );\n\n const decoded =\n typeof atob === 'function'\n ? atob(padded)\n : Buffer.from(padded, 'base64').toString('binary');\n\n const json = decodeURIComponent(\n Array.from(\n decoded,\n (char) => `%${char.charCodeAt(0).toString(16).padStart(2, '0')}`,\n ).join(''),\n );\n\n return JSON.parse(json) as TClaims;\n}\n","export const assertBoolean = (bool: boolean, msg: string) => {\n if (!bool) {\n throw new Error(msg);\n }\n};\n","export const epoch = (): number => (Date.now() / 1000) \| 0;\n","import type { Config } from '../../config/types';\nimport { assertBoolean } from '../assert';\nimport type { Session } from '../model';\nimport type { Claims } from '../types';\nimport { epoch } from '../utils';\nimport type { SessionStoreInterface } from './types';\n\n/\n Base session store behavior shared by concrete storage implementations.\n \n The base class enforces absolute and idle expiry before returning a session.\n /\nexport abstract class AbstractSessionStore<UserClaims extends Claims = Claims>\n implements SessionStoreInterface<UserClaims>\n{\n constructor(protected readonly config: Config) {}\n\n protected abstract _get(): Promise<Session<UserClaims> \| undefined>;\n protected abstract _set(session: Session<UserClaims>): Promise<void>;\n protected abstract _delete(): Promise<void>;\n\n /\n Reads and validates the current session.\n \n @returns The session, or `undefined` when missing, expired, or malformed.\n /\n public async get(): Promise<Session<UserClaims> \| undefined> {\n const { absoluteDuration, idleDuration } = this.config.session;\n const now = epoch();\n\n try {\n const session = await this._get();\n\n if (session) {\n assertBoolean(\n session.expiresAt > now,\n 'it is expired based on the effective session expiry',\n );\n\n if (idleDuration !== false) {\n assertBoolean(\n session.updatedAt + idleDuration > now,\n 'it is expired based on current idleDuration rules',\n );\n }\n\n if (absoluteDuration !== false) {\n assertBoolean(\n session.issuedAt + absoluteDuration > now,\n 'it is expired based on current absoluteDuration rules',\n );\n }\n\n return session;\n }\n } catch {\n return undefined;\n }\n\n return undefined;\n }\n\n /\n Persists a complete session.\n /\n async set(session: Session<UserClaims>): Promise<void> {\n session.expiresAt = calculateExp(session.updatedAt, this.config, {\n issuedAt: session.issuedAt,\n });\n await this._set(session);\n }\n\n /\n Clears the session from the backing store.\n /\n async delete(): Promise<void> {\n await this._delete();\n }\n\n /\n Updates idle expiry timestamps and persists the session.\n \n When idle sessions are disabled, this returns the current session\n * without modifying cookies.\n /\n async touch(): Promise<Session<UserClaims> \| undefined> {\n const session = await this.get();\n if (!session) {\n return;\n }\n\n if (this.config.session.idleDuration === false) {\n return session;\n }\n\n const updatedAt = epoch();\n const expiresAt = calculateExp(updatedAt, this.config, {\n issuedAt: session.issuedAt,\n });\n\n session.updatedAt = updatedAt;\n session.expiresAt = expiresAt;\n\n await this.set(session);\n\n return session;\n }\n}\n\nfunction calculateExp(\n updatedAt: number,\n config: Config,\n session: Pick<Session, 'issuedAt'>,\n): number {\n const { absoluteDuration, idleDuration } = config.session;\n const candidates: number[] = [];\n\n if (idleDuration !== false) {\n candidates.push(updatedAt + idleDuration);\n }\n\n if (absoluteDuration !== false) {\n candidates.push(session.issuedAt + absoluteDuration);\n }\n\n return Math.min(...candidates);\n}\n","import type { SerializeOptions } from 'cookie';\nimport { getIronSession, type IronSession } from 'iron-session';\nimport type { Config } from '../../config/types';\nimport { getSecrets, type Secrets } from '../../crypto/secrets';\nimport { type CookieStore, cookieFactory } from '../../http/cookies';\nimport { Session } from '../model';\nimport type {\n AnyRequest,\n AnyResponse,\n Claims,\n SessionAuthentication,\n SessionAuthorization,\n SessionInterface,\n SessionPart,\n} from '../types';\nimport { AbstractSessionStore } from './abstract-store';\nimport type { SessionStoreInterface } from './types';\n\ntype CookieType = 'Session' \| 'Authorization' \| 'Authentication';\n\ntype IronSessionPayload<Payload> = {\n data: Payload;\n};\n\n/\n Creates the default stateless session store.\n \n @param config - Validated auth configuration.\n * @param request - Optional request used to read cookies outside\n * `next/headers`.\n * @param response - Optional response used to write `Set-Cookie` headers.\n /\nexport function sessionStoreFactory<UserClaims extends Claims>(\n config: Config,\n request?: AnyRequest,\n response?: AnyResponse,\n): SessionStoreInterface<UserClaims> {\n return new NewStatelessSessionStore(config, request, response);\n}\n\n/\n Stateless session store backed by three sealed `iron-session` cookies.\n /\nexport class NewStatelessSessionStore<\n UserClaims extends Claims,\n> extends AbstractSessionStore<UserClaims> {\n private readonly secrets: Secrets;\n private readonly cookieName: string;\n private readonly cookieOptions: SerializeOptions;\n\n constructor(\n config: Config,\n request: AnyRequest \| undefined = undefined,\n response: AnyResponse \| undefined = undefined,\n private readonly cookieStore: (\n config: Config,\n ) => CookieStore \| Promise<CookieStore> = () =>\n cookieFactory(request, response),\n ) {\n super(config);\n\n this.cookieName = config.session.name;\n this.cookieOptions = {\n ...config.session.cookie,\n httpOnly: true,\n };\n\n this.secrets = getSecrets(config);\n }\n\n async _get(): Promise<Session<UserClaims> \| undefined> {\n const [session, authorization, authentication] = await this.getAllCookies();\n\n if (!session.data) {\n return undefined;\n }\n\n return new Session({\n ...session.data,\n authorization: authorization.data \|\| undefined,\n authentication: authentication.data \|\| undefined,\n });\n }\n\n async _set(payload: Session<UserClaims>): Promise<void> {\n const [session, authorization, authentication] = await this.getAllCookies();\n\n const {\n user,\n issuedAt,\n updatedAt,\n expiresAt,\n authorization: authz,\n authentication: authn,\n } = payload;\n\n session.data = { user, issuedAt, updatedAt, expiresAt };\n authentication.data = authn;\n authorization.data = authz;\n\n await Promise.all([\n session.save(),\n authorization.save(),\n authentication.save(),\n ]);\n }\n\n async _delete(): Promise<void> {\n const [session, authorization, authentication] = await this.getAllCookies();\n\n await Promise.all([\n session.destroy(),\n authorization.destroy(),\n authentication.destroy(),\n ]);\n }\n\n private async getAllCookies() {\n return await Promise.all([\n this.getCookie<SessionInterface<UserClaims>>('Session'),\n this.getCookie<SessionAuthorization>('Authorization'),\n this.getCookie<SessionAuthentication>('Authentication'),\n ]);\n }\n\n private async getCookie<S extends SessionPart>(\n type: CookieType,\n ): Promise<IronSession<Partial<IronSessionPayload<S \| undefined \| null>>>> {\n const ironSession = await getIronSession<\n IronSessionPayload<S \| undefined \| null>\n >(await this.cookieStore(this.config), {\n cookieName: `${this.cookieName}.${type}`,\n password: this.secrets,\n cookieOptions: this.cookieOptions,\n });\n\n return ironSession;\n }\n}\n","import as oidc from 'openid-client';\nimport type { Config } from '../config/types';\n\n/*\n Discovers the provider metadata and returns an `openid-client`\n * configuration for the current auth client.\n \n Localhost issuers are allowed to use insecure HTTP so local identity-provider\n * development remains possible.\n \n @param config - Validated auth configuration.\n /\nexport async function discoverOIDC(\n config: Config,\n): Promise<oidc.Configuration> {\n const isLocalDevelopment =\n config.issuerBaseURL.includes('localhost') \|\|\n config.issuerBaseURL.includes('127.0.0.1');\n\n return await oidc.discovery(\n new URL(config.issuerBaseURL),\n config.clientId,\n config.clientSecret,\n undefined,\n isLocalDevelopment\n ? {\n execute: [oidc.allowInsecureRequests],\n }\n : undefined,\n );\n}\n","import { AccessTokenError, AccessTokenErrorCode } from '../errors/access-token';\nimport type { MondoInstance } from '../core/instance';\nimport type { Session } from '../session/model';\nimport { sessionStoreFactory } from '../session/stores/stateless-store';\nimport type { Claims, SessionAuthorization } from '../session/types';\nimport { epoch } from '../session/utils';\nimport { discoverOIDC } from './oidc';\n\nexport type AccessTokenResult = {\n /* Bearer token value returned by the identity provider. /\n accessToken: string;\n\n /* Epoch seconds when the access token expires. /\n expiresAt: number;\n\n /* Space-delimited scopes granted to the access token. /\n scope?: string;\n\n /* Token type returned by the identity provider, usually `Bearer`. /\n type?: string;\n};\n\nexport type GetAccessTokenOptions = {\n /\n Refresh even when the current access token is still valid.\n /\n refresh?: boolean;\n\n /\n Required scopes for the returned access token.\n /\n scopes?: string \| Array<string>;\n\n /\n Number of seconds before expiry that should be treated as already expired.\n /\n refreshBeforeExpiresIn?: number;\n};\n\nexport type GetAccessToken = (\n options?: GetAccessTokenOptions,\n) => Promise<AccessTokenResult>;\n\n/\n Creates a server-side access-token getter bound to one auth client instance.\n \n The getter returns the current sealed-cookie access token when it is valid for\n * the requested scopes. If it is expired, explicitly refreshed, or missing the\n * requested scopes, the getter uses the stored refresh token and persists the\n * refreshed authorization payload back to the session cookies.\n \n @param instance - Validated auth client instance.\n /\nexport function getAccessTokenFactory<UserClaims extends Claims>(\n instance: MondoInstance,\n): GetAccessToken {\n return async (options = {}) => {\n const sessionStore = sessionStoreFactory<UserClaims>(instance.config);\n const session = await sessionStore.get();\n\n if (!session?.user) {\n throw new AccessTokenError(\n AccessTokenErrorCode.MISSING_SESSION,\n 'A session is required to get an access token.',\n );\n }\n\n const authorization = session.authorization;\n if (!authorization?.accessToken) {\n throw new AccessTokenError(\n AccessTokenErrorCode.MISSING_ACCESS_TOKEN,\n 'The session does not contain an access token.',\n );\n }\n\n if (canUseAccessToken(authorization, options)) {\n return toAccessTokenResult(authorization);\n }\n\n if (!authorization.refreshToken) {\n throw new AccessTokenError(\n isExpired(authorization, options)\n ? AccessTokenErrorCode.EXPIRED_ACCESS_TOKEN\n : AccessTokenErrorCode.INSUFFICIENT_SCOPE,\n 'The access token cannot be refreshed because the session does not contain a refresh token.',\n );\n }\n\n return refreshAccessToken(instance, session, options);\n };\n}\n\nasync function refreshAccessToken<UserClaims extends Claims>(\n instance: MondoInstance,\n session: Session<UserClaims>,\n options: GetAccessTokenOptions,\n): Promise<AccessTokenResult> {\n const oidc = await import('openid-client');\n const authorization = session.authorization;\n\n if (!authorization?.refreshToken) {\n throw new AccessTokenError(\n AccessTokenErrorCode.MISSING_REFRESH_TOKEN,\n 'The session does not contain a refresh token.',\n );\n }\n\n try {\n const params = getRefreshParameters(options);\n const tokens = await oidc.refreshTokenGrant(\n await discoverOIDC(instance.config),\n authorization.refreshToken,\n params,\n );\n\n if (!tokens.access_token) {\n throw new AccessTokenError(\n AccessTokenErrorCode.FAILED_REFRESH_GRANT,\n 'The refresh grant did not return an access token.',\n );\n }\n\n const refreshedAuthorization: SessionAuthorization = {\n accessToken: tokens.access_token,\n expiresAt:\n epoch() +\n Number(tokens.expires_in ?? authorization.expiresAt - epoch()),\n scope:\n tokens.scope ?? normalizeScopes(options.scopes) ?? authorization.scope,\n refreshToken: tokens.refresh_token ?? authorization.refreshToken,\n type: tokens.token_type ?? authorization.type,\n };\n\n session.authorization = refreshedAuthorization;\n await sessionStoreFactory<UserClaims>(instance.config).set(session);\n\n return toAccessTokenResult(refreshedAuthorization);\n } catch (error) {\n if (error instanceof AccessTokenError) {\n throw error;\n }\n\n throw new AccessTokenError(\n AccessTokenErrorCode.FAILED_REFRESH_GRANT,\n 'The refresh grant failed.',\n error instanceof Error ? error : undefined,\n );\n }\n}\n\nfunction canUseAccessToken(\n authorization: SessionAuthorization,\n options: GetAccessTokenOptions,\n): boolean {\n return (\n options.refresh !== true &&\n !isExpired(authorization, options) &&\n hasScopes(authorization.scope, options.scopes)\n );\n}\n\nfunction isExpired(\n authorization: SessionAuthorization,\n options: GetAccessTokenOptions,\n): boolean {\n const skew = options.refreshBeforeExpiresIn ?? 60;\n return authorization.expiresAt <= epoch() + skew;\n}\n\nfunction hasScopes(\n grantedScope: string \| undefined,\n requiredScopes: string \| Array<string> \| undefined,\n): boolean {\n const required = normalizeScopes(requiredScopes);\n if (!required) {\n return true;\n }\n\n const granted = new Set((grantedScope ?? '').split(/\\s+/).filter(Boolean));\n return required.split(/\\s+/).every((scope) => granted.has(scope));\n}\n\nfunction getRefreshParameters(\n options: GetAccessTokenOptions,\n): URLSearchParams \| undefined {\n const scope = normalizeScopes(options.scopes);\n if (!scope) {\n return undefined;\n }\n\n const params = new URLSearchParams();\n params.set('scope', scope);\n return params;\n}\n\nfunction normalizeScopes(scopes: string \| Array<string> \| undefined) {\n if (Array.isArray(scopes)) {\n return scopes.join(' ');\n }\n\n return scopes;\n}\n\nfunction toAccessTokenResult(\n authorization: SessionAuthorization,\n): AccessTokenResult {\n return {\n accessToken: authorization.accessToken,\n expiresAt: authorization.expiresAt,\n scope: authorization.scope,\n type: authorization.type,\n };\n}\n","import { AuthError } from './auth';\n\n/\n Standard Schema V1 path segment shape.\n /\nexport interface ConfigIssuePathSegment {\n readonly key: PropertyKey;\n}\n\n/\n Standard Schema V1 issue shape returned by configuration validation.\n /\nexport interface ConfigIssue {\n readonly message: string;\n readonly path?: readonly (PropertyKey \| ConfigIssuePathSegment)[] \| undefined;\n}\n\n/\n Error thrown when auth configuration validation fails.\n /\nexport class ConfigError extends AuthError {\n public static readonly code = 'ERR_CONFIG_VALIDATION';\n\n /\n Standard Schema validation issues for the invalid configuration.\n /\n public readonly issues: readonly ConfigIssue[];\n\n /\n @param issues - Standard Schema validation issues.\n /\n constructor(issues: readonly ConfigIssue[]) {\n super({\n code: ConfigError.code,\n message: `Invalid @go-mondo/nextjs-auth configuration:\\n${formatIssues(\n issues,\n )}`,\n name: 'ConfigError',\n });\n\n this.issues = issues;\n\n Error.captureStackTrace(this, this.constructor);\n Object.setPrototypeOf(this, ConfigError.prototype);\n }\n}\n\nfunction formatIssues(issues: readonly ConfigIssue[]): string {\n return issues\n .map((issue) => {\n const path = issue.path?.length\n ? issue.path.map(formatPathSegment).join('.')\n : 'config';\n return `- ${path}: ${issue.message}`;\n })\n .join('\\n');\n}\n\nfunction formatPathSegment(\n segment: NonNullable<ConfigIssue['path']>[number],\n): string {\n return typeof segment === 'object' && segment !== null && 'key' in segment\n ? String(segment.key)\n : String(segment);\n}\n","/\n Built-in auth route defaults used by both server configuration and\n * browser-safe client helpers.\n /\nexport const DEFAULT_ROUTES = {\n login: '/auth/login',\n callback: '/auth/callback',\n logout: '/auth/logout',\n session: '/auth/session',\n accessToken: '/auth/access-token',\n postLogoutRedirect: '/',\n} as const;\n\n/\n Returns the session route that browser code can safely call.\n \n The full server configuration reads secret-bearing environment variables, so\n * client hooks use the public session route override instead.\n /\nexport function getPublicSessionRoute(): string {\n return typeof process === 'undefined'\n ? DEFAULT_ROUTES.session\n : process.env.NEXT_PUBLIC_SESSION_ROUTE \|\| DEFAULT_ROUTES.session;\n}\n\n/\n Returns the access-token route that browser code can safely call.\n \n The full server configuration may read secret-bearing environment variables,\n * so client hooks use the public access-token route override instead.\n /\nexport function getPublicAccessTokenRoute(): string {\n return typeof process === 'undefined'\n ? DEFAULT_ROUTES.accessToken\n : process.env.NEXT_PUBLIC_ACCESS_TOKEN_ROUTE \|\| DEFAULT_ROUTES.accessToken;\n}\n","import { z } from 'zod';\n\nconst RelativePathSchema = z\n .string()\n .startsWith('/', 'Must start with \"/\".')\n .refine((value) => !value.includes('//'), 'Must not contain \"//\".')\n .describe(\n 'An application-relative path, such as \"/auth/login\". Double slashes are not allowed.',\n );\n\nconst StringUrlSchema = z\n .string()\n .url()\n .transform((value) => value.replace(/\\/+$/, ''))\n .describe('An absolute URL. Trailing slashes are removed after parsing.');\n\nconst AuthorizationParamValueSchema = z.union([\n z.string(),\n z.number(),\n z.boolean(),\n]);\n\nconst SessionSchema = z\n .object({\n name: z\n .string()\n .optional()\n .default('Mondo')\n .describe('Cookie name prefix used for the session cookie set.'),\n idleDuration: z\n .union([z.number().positive(), z.literal(false)])\n .default(24 60 * 60)\n .describe(\n 'Idle session duration in seconds. Set to false to disable activity-based session extension.',\n ),\n absoluteDuration: z\n .union([z.number().positive(), z.literal(false)])\n .default(false)\n .describe(\n 'Absolute session duration in seconds from login. Set to false to disable a hard maximum lifetime.',\n ),\n cookie: z\n .object({\n domain: z\n .string()\n .optional()\n .describe('Optional domain shared by session cookies.'),\n path: RelativePathSchema.optional()\n .default('/')\n .describe('Path scope for session cookies.'),\n httpOnly: z\n .boolean()\n .optional()\n .default(true)\n .describe('Always true for server-managed authentication cookies.'),\n sameSite: z\n .enum(['lax', 'strict', 'none'])\n .optional()\n .default('lax')\n .describe('SameSite policy used for session cookies.'),\n secure: z\n .boolean()\n .default(true)\n .describe('Whether session cookies require HTTPS.'),\n })\n .describe('Cookie options for the tamper-proof iron-session cookies.'),\n })\n .refine(\n (session) =>\n session.idleDuration !== false \|\| session.absoluteDuration !== false,\n 'At least one of idleDuration or absoluteDuration must be enabled.',\n )\n .describe('Application session storage and expiration settings.');\n\nconst Schema = z\n .object({\n authorization: z\n .object({\n response_type: z\n .enum(['code'])\n .default('code')\n .describe(\n 'OAuth response type. This SDK uses authorization code flow.',\n ),\n scope: z\n .string()\n .default('openid profile email')\n .describe('Default scopes requested during login.'),\n response_mode: z\n .enum(['query', 'form_post'])\n .default('query')\n .describe(\n 'How the authorization response is returned to the callback.',\n ),\n audience: z\n .string()\n .optional()\n .describe('Optional API audience for access token issuance.'),\n display: z\n .enum(['page', 'popup', 'touch', 'wap'])\n .optional()\n .describe(\n 'OIDC display preference forwarded to the authorization URL.',\n ),\n prompt: z\n .enum(['none', 'login', 'consent', 'select_account'])\n .optional()\n .describe('OIDC prompt behavior forwarded to the authorization URL.'),\n max_age: z\n .number()\n .optional()\n .describe('Maximum authentication age, in seconds.'),\n ui_locales: z\n .string()\n .optional()\n .describe('Preferred UI locales sent to the identity provider.'),\n id_token_hint: z\n .string()\n .optional()\n .describe('Optional ID token hint sent to the identity provider.'),\n login_hint: z\n .string()\n .optional()\n .describe('Optional login hint sent to the identity provider.'),\n acr_values: z\n .string()\n .optional()\n .describe('Optional authentication context values.'),\n })\n .catchall(AuthorizationParamValueSchema)\n .describe(\n 'Authorization URL parameters. Unknown string, number, and boolean values are preserved for provider-specific options.',\n ),\n baseURL: StringUrlSchema.describe(\n 'Public application origin used to construct default redirect URLs.',\n ),\n clientId: z\n .string()\n .min(1)\n .describe('OIDC client identifier for this Next.js application.'),\n clientSecret: z\n .string()\n .min(1)\n .describe('OIDC client secret used for token endpoint authentication.'),\n issuerBaseURL: StringUrlSchema.describe(\n 'Issuer origin used for OIDC discovery and logout redirects.',\n ),\n secret: z\n .union([z.string().min(32), z.array(z.string().min(32)).min(1)])\n .describe(\n 'Secret or rotated secrets used by iron-session to seal transaction and session cookies.',\n ),\n session: SessionSchema,\n routes: z\n .object({\n login: RelativePathSchema.default('/auth/login').describe(\n 'Route that starts the login transaction.',\n ),\n callback: RelativePathSchema.default('/auth/callback').describe(\n 'Route that completes the authorization code exchange.',\n ),\n logout: RelativePathSchema.default('/auth/logout').describe(\n 'Route that clears the application session.',\n ),\n session: RelativePathSchema.default('/auth/session').describe(\n 'Route that returns the current session as JSON.',\n ),\n accessToken: RelativePathSchema.default('/auth/access-token').describe(\n 'Route that returns or refreshes the current access token.',\n ),\n postLogoutRedirect: RelativePathSchema.default('/').describe(\n 'Application path to redirect to after logout.',\n ),\n })\n .describe('Application routes mounted by the auth client.'),\n transaction: z\n .object({\n name: z\n .string()\n .default('Mondo.Verification')\n .describe(\n 'Cookie name used to store login transaction verification.',\n ),\n cookie: z\n .object({\n domain: z\n .string()\n .optional()\n .describe('Optional domain shared by transaction cookies.'),\n secure: z\n .boolean()\n .optional()\n .describe('Whether transaction cookies require HTTPS.'),\n sameSite: z\n .enum(['lax', 'strict', 'none'])\n .default('lax')\n .describe('SameSite policy used for transaction cookies.'),\n path: RelativePathSchema.optional()\n .default('/')\n .describe('Path scope for transaction cookies.'),\n })\n .describe('Cookie options for temporary login transaction state.'),\n })\n .describe('Short-lived state used to verify authorization callbacks.'),\n })\n .describe('Validated configuration for @go-mondo/nextjs-auth.');\n\nexport default Schema;\n","const FALSEY = ['n', 'no', 'false', '0', 'off'];\n\nexport const bool = (\n param?: any,\n defaultValue?: boolean,\n): boolean \| undefined => {\n if (param === undefined \|\| param === '') return defaultValue;\n if (param && typeof param === 'string')\n return !FALSEY.includes(param.toLowerCase().trim());\n return !!param;\n};\n\nexport const num = (param?: string): number \| undefined =>\n param === undefined \|\| param === '' ? undefined : +param;\n","import { ConfigError } from '../errors/config';\nimport { DEFAULT_ROUTES } from './routes';\nimport schema from './schema';\nimport type {\n Config,\n CookieConfig,\n PartialConfig,\n SessionConfig,\n TransactionConfig,\n} from './types';\nimport { bool, num } from './utils';\n\n/*\n Reads configuration from environment variables and explicit overrides, then\n * validates the merged result with the Zod schema.\n \n ### Required\n \n - `MONDO_SECRET`: See {@link Config.secret}.\n * - `MONDO_ISSUER_BASE_URL`: See {@link Config.issuerBaseURL}.\n * - `APP_BASE_URL`: See {@link Config.baseURL}.\n * - `MONDO_CLIENT_ID`: See {@link Config.clientId}.\n * - `MONDO_CLIENT_SECRET`: See {@link Config.clientSecret}.\n \n ### Optional\n \n - `NEXT_PUBLIC_LOGIN_ROUTE`: See {@link Config.routes}.\n * - `NEXT_PUBLIC_SESSION_ROUTE`: See {@link Config.routes}.\n * - `NEXT_PUBLIC_ACCESS_TOKEN_ROUTE`: See {@link Config.routes}.\n * - `CALLBACK_ROUTE`: See {@link Config.routes}.\n * - `LOGOUT_ROUTE`: See {@link Config.routes}.\n * - `SESSION_ROUTE`: See {@link Config.routes}.\n * - `ACCESS_TOKEN_ROUTE`: See {@link Config.routes}.\n * - `POST_LOGOUT_REDIRECT_ROUTE`: See {@link Config.routes}.\n * - `MONDO_AUDIENCE`: See {@link Config.authorization}.\n * - `MONDO_SCOPE`: See {@link Config.authorization}.\n * - `MONDO_SESSION_NAME`: See {@link SessionConfig.name}.\n * - `MONDO_SESSION_IDLE_DURATION`: See {@link SessionConfig.idleDuration}.\n * - `MONDO_SESSION_ABSOLUTE_DURATION`: See\n * {@link SessionConfig.absoluteDuration}.\n * - `MONDO_SESSION_COOKIE_DOMAIN`: See {@link CookieConfig.domain}.\n * - `MONDO_SESSION_COOKIE_PATH`: See {@link CookieConfig.path}.\n * - `MONDO_SESSION_COOKIE_SECURE`: See {@link CookieConfig.secure}.\n * - `MONDO_SESSION_COOKIE_SAME_SITE`: See {@link CookieConfig.sameSite}.\n \n - `MONDO_TRANSACTION_NAME` See {@link TransactionConfig.name}.\n * - `MONDO_TRANSACTION_COOKIE_DOMAIN` See {@link CookieConfig.domain}.\n * - `MONDO_TRANSACTION_COOKIE_PATH` See {@link CookieConfig.path}.\n * - `MONDO_TRANSACTION_COOKIE_SECURE` See {@link CookieConfig.secure}.\n * - `MONDO_TRANSACTION_COOKIE_SAME_SITE` See {@link CookieConfig.sameSite}.\n \n @param params - Optional explicit configuration overrides.\n * @throws {@link ConfigError} when required values are missing or invalid.\n /\nexport const getConfig = (params: PartialConfig = {}): Config => {\n const MONDO_SECRET = process.env.MONDO_SECRET;\n const MONDO_ISSUER_BASE_URL = process.env.MONDO_ISSUER_BASE_URL;\n const APP_BASE_URL =\n process.env.APP_BASE_URL \|\| process.env.NEXT_PUBLIC_APP_BASE_URL;\n const MONDO_CLIENT_ID = process.env.MONDO_CLIENT_ID;\n const MONDO_CLIENT_SECRET = process.env.MONDO_CLIENT_SECRET;\n const MONDO_AUDIENCE = process.env.MONDO_AUDIENCE;\n const MONDO_SCOPE = process.env.MONDO_SCOPE;\n\n const CALLBACK_ROUTE = process.env.CALLBACK_ROUTE;\n const LOGOUT_ROUTE = process.env.LOGOUT_ROUTE;\n const SESSION_ROUTE = process.env.SESSION_ROUTE;\n const NEXT_PUBLIC_SESSION_ROUTE = process.env.NEXT_PUBLIC_SESSION_ROUTE;\n const ACCESS_TOKEN_ROUTE = process.env.ACCESS_TOKEN_ROUTE;\n const NEXT_PUBLIC_ACCESS_TOKEN_ROUTE =\n process.env.NEXT_PUBLIC_ACCESS_TOKEN_ROUTE;\n const POST_LOGOUT_REDIRECT_ROUTE = process.env.POST_LOGOUT_REDIRECT_ROUTE;\n\n const MONDO_SESSION_NAME = process.env.MONDO_SESSION_NAME;\n const MONDO_SESSION_IDLE_DURATION = process.env.MONDO_SESSION_IDLE_DURATION;\n const MONDO_SESSION_ABSOLUTE_DURATION =\n process.env.MONDO_SESSION_ABSOLUTE_DURATION;\n const MONDO_SESSION_COOKIE_DOMAIN = process.env.MONDO_COOKIE_DOMAIN;\n const MONDO_SESSION_COOKIE_PATH = process.env.MONDO_COOKIE_PATH;\n const MONDO_SESSION_COOKIE_SECURE = process.env.MONDO_COOKIE_SECURE;\n const MONDO_SESSION_COOKIE_SAME_SITE = process.env.MONDO_COOKIE_SAME_SITE;\n\n const MONDO_TRANSACTION_NAME = process.env.MONDO_TRANSACTION_COOKIE_NAME;\n const MONDO_TRANSACTION_COOKIE_DOMAIN =\n process.env.MONDO_TRANSACTION_COOKIE_DOMAIN;\n const MONDO_TRANSACTION_COOKIE_PATH =\n process.env.MONDO_TRANSACTION_COOKIE_PATH;\n const MONDO_TRANSACTION_COOKIE_SAME_SITE =\n process.env.MONDO_TRANSACTION_COOKIE_SAME_SITE;\n const MONDO_TRANSACTION_COOKIE_SECURE =\n process.env.MONDO_TRANSACTION_COOKIE_SECURE;\n\n const baseURL =\n APP_BASE_URL && !/^https?:\\/\\//.test(APP_BASE_URL as string)\n ? `https://${APP_BASE_URL}`\n : APP_BASE_URL;\n\n const result = schema.safeParse({\n secret: MONDO_SECRET,\n issuerBaseURL: MONDO_ISSUER_BASE_URL,\n baseURL: baseURL,\n clientId: MONDO_CLIENT_ID,\n clientSecret: MONDO_CLIENT_SECRET,\n ...params,\n authorization: {\n response_type: 'code',\n audience: MONDO_AUDIENCE,\n scope: MONDO_SCOPE,\n ...params.authorization,\n },\n session: {\n name: MONDO_SESSION_NAME,\n idleDuration: duration(MONDO_SESSION_IDLE_DURATION),\n absoluteDuration: duration(MONDO_SESSION_ABSOLUTE_DURATION),\n ...params.session,\n cookie: {\n domain: MONDO_SESSION_COOKIE_DOMAIN,\n path: MONDO_SESSION_COOKIE_PATH \|\| '/',\n secure: bool(MONDO_SESSION_COOKIE_SECURE),\n sameSite: MONDO_SESSION_COOKIE_SAME_SITE as\n \| 'lax'\n \| 'strict'\n \| 'none'\n \| undefined,\n ...params.session?.cookie,\n },\n },\n routes: {\n callback:\n params.routes?.callback \|\| CALLBACK_ROUTE \|\| DEFAULT_ROUTES.callback,\n login:\n params.routes?.login \|\|\n process.env.NEXT_PUBLIC_LOGIN_ROUTE \|\|\n DEFAULT_ROUTES.login,\n logout: params.routes?.logout \|\| LOGOUT_ROUTE \|\| DEFAULT_ROUTES.logout,\n session:\n params.routes?.session \|\|\n SESSION_ROUTE \|\|\n NEXT_PUBLIC_SESSION_ROUTE \|\|\n DEFAULT_ROUTES.session,\n accessToken:\n params.routes?.accessToken \|\|\n ACCESS_TOKEN_ROUTE \|\|\n NEXT_PUBLIC_ACCESS_TOKEN_ROUTE \|\|\n DEFAULT_ROUTES.accessToken,\n postLogoutRedirect:\n params.routes?.postLogoutRedirect \|\|\n POST_LOGOUT_REDIRECT_ROUTE \|\|\n DEFAULT_ROUTES.postLogoutRedirect,\n },\n transaction: {\n name: MONDO_TRANSACTION_NAME,\n ...params.transaction,\n cookie: {\n domain: MONDO_TRANSACTION_COOKIE_DOMAIN,\n path: MONDO_TRANSACTION_COOKIE_PATH \|\| '/',\n secure: bool(MONDO_TRANSACTION_COOKIE_SECURE),\n sameSite: MONDO_TRANSACTION_COOKIE_SAME_SITE as\n \| 'lax'\n \| 'strict'\n \| 'none'\n \| undefined,\n ...params.transaction?.cookie,\n },\n },\n });\n\n if (!result.success) {\n throw new ConfigError(result.error.issues);\n }\n\n return result.data;\n};\n\nfunction duration(value: string \| undefined): number \| false \| undefined {\n if (!value) {\n return undefined;\n }\n\n return Number.isNaN(Number(value)) ? (bool(value) as false) : num(value);\n}\n","import { getConfig } from '../config/config';\nimport type { Config, PartialConfig } from '../config/types';\n\n/\n Runtime state shared by route handlers and server helpers.\n /\nexport type MondoInstance = {\n /* Validated auth configuration for this client instance. /\n config: Config;\n};\n\n/\n Validates configuration and creates the runtime auth instance.\n \n @param params - Optional explicit config. Environment variables provide the\n * remaining values.\n /\nexport const initInstance = (params?: PartialConfig): MondoInstance => {\n const config = getConfig(params);\n return {\n config,\n };\n};\n","import { AuthError } from './auth';\n\n/\n Error shape used by lower-level HTTP libraries.\n /\ninterface HttpError extends Error {\n status: number;\n statusCode: number;\n}\n\n/\n Supported causes for route-handler errors.\n /\nexport type HandlerErrorCause = Error \| AuthError \| HttpError;\n\ntype HandlerErrorOptions = {\n code: string;\n message: string;\n name: string;\n cause: HandlerErrorCause;\n};\n\n/\n Base class for errors thrown by route handlers.\n /\nclass HandlerError extends AuthError {\n constructor(options: HandlerErrorOptions) {\n let status: number \| undefined;\n if ('status' in options.cause) status = options.cause.status;\n / c8 ignore next /\n super({ ...options, status });\n }\n}\n\n/\n Error thrown when callback handling fails.\n /\nexport class CallbackHandlerError extends HandlerError {\n public static readonly code: string = 'ERR_CALLBACK_HANDLER_FAILURE';\n\n constructor(cause: HandlerErrorCause) {\n super({\n code: CallbackHandlerError.code,\n message: 'Callback handler failed.',\n name: 'CallbackHandlerError',\n cause,\n }); / c8 ignore next /\n Object.setPrototypeOf(this, CallbackHandlerError.prototype);\n }\n}\n\n/\n Error thrown when login handling fails.\n /\nexport class LoginHandlerError extends HandlerError {\n public static readonly code: string = 'ERR_LOGIN_HANDLER_FAILURE';\n\n constructor(cause: HandlerErrorCause) {\n super({\n code: LoginHandlerError.code,\n message: 'Login handler failed.',\n name: 'LoginHandlerError',\n cause,\n }); / c8 ignore next /\n Object.setPrototypeOf(this, LoginHandlerError.prototype);\n }\n}\n\n/\n Error thrown when logout handling fails.\n /\nexport class LogoutHandlerError extends HandlerError {\n public static readonly code: string = 'ERR_LOGOUT_HANDLER_FAILURE';\n\n constructor(cause: HandlerErrorCause) {\n super({\n code: LogoutHandlerError.code,\n message: 'Logout handler failed.',\n name: 'LogoutHandlerError',\n cause,\n }); / c8 ignore next /\n Object.setPrototypeOf(this, LogoutHandlerError.prototype);\n }\n}\n","/\n Error used when the callback response is missing a `state` parameter.\n /\nexport class MissingStateParamError extends Error {\n static message = 'Missing state parameter in Authorization Response.';\n status = 400;\n statusCode = 400;\n\n constructor() {\n / c8 ignore next /\n super(MissingStateParamError.message);\n Object.setPrototypeOf(this, MissingStateParamError.prototype);\n }\n}\n\n/\n Error used when transaction state exists but cannot be parsed.\n /\nexport class MalformedStateCookieError extends Error {\n static message = 'Your state cookie is not valid JSON.';\n status = 400;\n statusCode = 400;\n\n constructor() {\n / c8 ignore next /\n super(MalformedStateCookieError.message);\n Object.setPrototypeOf(this, MalformedStateCookieError.prototype);\n }\n}\n\n/\n Error used when the callback cannot find the login transaction cookie.\n /\nexport class MissingStateCookieError extends Error {\n static message =\n 'Missing state cookie from login request (check login URL, callback URL and cookie config).';\n status = 400;\n statusCode = 400;\n\n constructor() {\n / c8 ignore next /\n super(MissingStateCookieError.message);\n Object.setPrototypeOf(this, MissingStateCookieError.prototype);\n }\n}\n","import type { SerializeOptions } from 'cookie';\nimport { getIronSession, type IronSession } from 'iron-session';\nimport type { Config } from '../config/types';\nimport { getSecrets, type Secrets } from '../crypto/secrets';\nimport type { CookieStore } from '../http/cookies';\nimport type { AuthorizationCodeParams } from '../oauth/types';\n\nexport type AuthVerification = Pick<\n AuthorizationCodeParams,\n 'nonce' \| 'state' \| 'max_age'\n> & {\n /* PKCE verifier used during callback token exchange. /\n code_verifier: string;\n\n /* Application URL to redirect to after the callback succeeds. /\n return_to?: string;\n};\n\n/\n Creates the transaction store used during login and callback.\n \n @param config - Validated auth configuration.\n * @param cookieStore - Cookie store bound to the login or callback request.\n /\nexport function transactionStoreFactory(\n config: Config,\n cookieStore: CookieStore,\n): TransactionStore {\n return new TransactionStore(\n getSecrets(config),\n cookieStore,\n config.transaction.name,\n {\n ...config.transaction.cookie,\n httpOnly: true,\n },\n );\n}\n\n/\n Short-lived store for PKCE, nonce, state, and `returnTo` verification data.\n \n The transaction is saved before redirecting to the identity provider and is\n * destroyed as soon as the callback reads it.\n /\nexport class TransactionStore {\n constructor(\n private readonly secrets: Secrets,\n private readonly cookieStore: CookieStore,\n private readonly cookieName: string,\n private readonly cookieOptions: SerializeOptions,\n ) {}\n\n /\n Saves transaction verification data in a sealed cookie.\n /\n async save(value: AuthVerification): Promise<void> {\n const cookie = await this.getCookie();\n\n cookie.code_verifier = value.code_verifier;\n cookie.nonce = value.nonce;\n cookie.state = value.state;\n cookie.max_age = value.max_age;\n cookie.return_to = value.return_to;\n\n return await cookie.save();\n }\n\n private async getCookie(): Promise<IronSession<AuthVerification>> {\n const ironSession = await getIronSession<AuthVerification>(\n this.cookieStore,\n {\n cookieName: this.cookieName,\n password: this.secrets,\n cookieOptions: this.cookieOptions,\n },\n );\n\n return ironSession;\n }\n\n /\n Reads and destroys the transaction cookie.\n \n @returns Verification data, or `undefined` when the cookie is missing or\n * malformed.\n /\n async read(): Promise<AuthVerification \| undefined> {\n const cookie = await this.getCookie();\n\n if (!cookie.code_verifier \|\| !cookie.nonce \|\| !cookie.state) {\n cookie.destroy();\n return undefined;\n }\n\n const result: AuthVerification = {\n code_verifier: cookie.code_verifier,\n nonce: cookie.nonce,\n state: cookie.state,\n max_age: cookie.max_age,\n return_to: cookie.return_to,\n };\n\n cookie.destroy();\n\n return result;\n }\n}\n","import { NextResponse } from 'next/server.js';\nimport type as oidc from 'openid-client';\nimport { cookieFactory } from '../http/cookies';\nimport {\n CallbackHandlerError,\n type HandlerErrorCause,\n} from '../errors/handlers';\nimport { MissingStateCookieError } from '../errors/state';\nimport type { MondoInstance } from '../core/instance';\nimport { fromTokenEndpointResponse } from '../session/model';\nimport { sessionStoreFactory } from '../session/stores/stateless-store';\nimport type { SessionStoreInterface } from '../session/stores/types';\nimport type { Claims } from '../session/types';\nimport {\n type TransactionStore,\n transactionStoreFactory,\n} from '../transactions/store';\nimport { discoverOIDC } from '../oauth/oidc';\n\nexport interface CallbackOptions {\n /*\n Additional parameters sent to the token endpoint during code exchange.\n /\n tokenParameters?: URLSearchParams \| Record<string, string>;\n}\n\n/\n Builds a route handler for the configured callback route.\n /\nexport type CallbackHandler = (\n options?: CallbackOptions,\n) => (req: Request) => Promise<Response>;\n\n/\n Creates a callback handler bound to one auth client instance.\n \n The returned handler verifies PKCE, state, and nonce, exchanges the code for\n * tokens, stores the sealed session cookies, and redirects back to `returnTo`.\n \n @param instance - Validated auth client instance.\n /\nexport const callbackHandlerFactory =\n <UserClaims extends Claims>(instance: MondoInstance) =>\n (options?: CallbackOptions) =>\n async (req: Request): Promise<Response> => {\n try {\n const cookieStore = await cookieFactory();\n\n return await handler<UserClaims>(\n instance,\n new URL(req.url),\n transactionStoreFactory(instance.config, cookieStore),\n sessionStoreFactory<UserClaims>(instance.config),\n options,\n );\n } catch (e) {\n throw new CallbackHandlerError(e as HandlerErrorCause);\n }\n };\n\nasync function handler<UserClaims extends Claims>(\n { config }: MondoInstance,\n requestUrl: URL,\n transactionStore: TransactionStore,\n sessionStore: SessionStoreInterface<UserClaims>,\n options?: CallbackOptions,\n): Promise<Response> {\n const oidc = await import('openid-client');\n const authVerification = await transactionStore.read();\n if (!authVerification) {\n throw new MissingStateCookieError();\n }\n\n const clientConfig = await discoverOIDC(config);\n\n const tokens: oidc.TokenEndpointResponse = await oidc.authorizationCodeGrant(\n clientConfig,\n requestUrl,\n {\n pkceCodeVerifier: authVerification.code_verifier,\n expectedState: authVerification.state,\n expectedNonce: authVerification.nonce,\n idTokenExpected: true,\n maxAge: authVerification.max_age,\n },\n options?.tokenParameters,\n );\n\n const session = await fromTokenEndpointResponse<UserClaims>(tokens);\n if (session) {\n await sessionStore.set(session);\n }\n\n return NextResponse.redirect(authVerification.return_to \|\| config.baseURL);\n}\n","/\n Minimal token endpoint response shape used by the session model.\n /\nexport interface TokenEndpointResponse {\n access_token?: string;\n token_type?: string;\n id_token?: string;\n refresh_token?: string;\n scope?: string;\n expires_in?: number;\n [key: string]: unknown;\n}\n\n/\n PKCE challenge method supported by this SDK.\n /\nexport const CodeChallengeMethod = {\n S256: 'S256',\n} as const;\n\ntype PKCEParams = {\n code_challenge_method: typeof CodeChallengeMethod.S256;\n code_challenge: string;\n};\n\ntype AuthorizationCodeOptionalParams = {\n audience?: string;\n};\n\n/\n Authorization URL parameters assembled for the login redirect.\n \n Runtime-generated fields such as `state`, `nonce`, and PKCE values are added\n * by the login route handler rather than accepted from user config.\n /\nexport type AuthorizationCodeParams = {\n response_type: 'code';\n scope: string;\n redirect_uri: string;\n state: string;\n nonce: string;\n response_mode?: 'query' \| 'form_post';\n display?: 'page' \| 'popup' \| 'touch' \| 'wap';\n prompt?: 'none' \| 'login' \| 'consent' \| 'select_account';\n max_age?: number;\n ui_locales?: string;\n id_token_hint?: string;\n login_hint?: string;\n acr_values?: string;\n} & AuthorizationCodeOptionalParams &\n PKCEParams;\n\ntype BaseConfigurableAuthorizationParams = Omit<\n AuthorizationCodeParams,\n 'client_id' \| 'state' \| 'nonce' \| 'code_challenge_method' \| 'code_challenge'\n>;\n\n/\n Per-request authorization parameter overrides accepted by `handleLogin`.\n /\nexport type OverrideAuthorizationParams =\n Partial<BaseConfigurableAuthorizationParams>;\n","import type { Config } from '../config/types';\n\n/\n Returns a same-origin redirect target or `undefined`.\n \n @param dangerousRedirect - Untrusted path or URL from a request.\n * @param safeBaseUrl - Origin that redirects must stay within.\n /\nexport function toSafeRedirect(\n dangerousRedirect: string,\n safeBaseUrl: URL,\n): string \| undefined {\n let url: URL;\n try {\n url = new URL(dangerousRedirect, safeBaseUrl);\n } catch (_e) {\n return undefined;\n }\n if (url.origin === safeBaseUrl.origin) {\n return url.toString();\n }\n return undefined;\n}\n\n/\n Builds the redirect URI sent to the identity provider.\n \n @param config - Validated auth configuration.\n * @param origin - Optional request origin used for preview deployments and\n * multi-host apps.\n /\nexport function getAuthorizationRedirectURL(\n config: Config,\n origin?: string,\n): URL {\n return pathOrURLToURL(config, config.routes.callback, origin);\n}\n\n/\n Converts either an absolute URL or application path into a URL object.\n \n Relative paths resolve against the request origin when provided, otherwise\n * against the configured base URL.\n /\nexport function pathOrURLToURL(\n config: Config,\n pathOrUrl: string \| URL,\n origin?: string,\n): URL {\n if (pathOrUrl instanceof URL) {\n return pathOrUrl;\n }\n\n try {\n return new URL(pathOrUrl);\n } catch (_) {\n return new URL(joinURL(origin \|\| config.baseURL, pathOrUrl));\n }\n}\n\nfunction joinURL(base: string, path: string): string {\n return `${base.replace(/\\/+$/, '')}/${path.replace(/^\\/+/, '')}`;\n}\n","import { NextResponse } from 'next/server.js';\nimport type { Config } from '../config/types';\nimport { cookieFactory } from '../http/cookies';\nimport { type HandlerErrorCause, LoginHandlerError } from '../errors/handlers';\nimport type { MondoInstance } from '../core/instance';\nimport {\n type AuthVerification,\n type TransactionStore,\n transactionStoreFactory,\n} from '../transactions/store';\nimport {\n type AuthorizationCodeParams,\n CodeChallengeMethod,\n type OverrideAuthorizationParams,\n} from '../oauth/types';\nimport { discoverOIDC } from '../oauth/oidc';\nimport { getAuthorizationRedirectURL, toSafeRedirect } from '../http/url';\n\ntype AuthorizationParams = OverrideAuthorizationParams;\n\nexport interface LoginOptions {\n /\n Override the default authorization parameters for this login request.\n /\n authorization?: Partial<AuthorizationParams>;\n\n /\n URL to return to after login. Overrides the default in {@link BaseConfig.baseURL}.\n /\n returnTo?: string;\n}\n\n/\n Builds a route handler for the configured login route.\n /\nexport type LoginHandler = (\n options?: LoginOptions,\n) => (req: Request) => Promise<Response>;\n\n/\n Creates a login handler bound to one auth client instance.\n \n The returned handler creates PKCE verification state, stores it in the\n * transaction cookie, and redirects the user to the provider authorization URL.\n \n @param instance - Validated auth client instance.\n /\nexport const loginHandlerFactory =\n (instance: MondoInstance) =>\n (options?: LoginOptions) =>\n async (req: Request): Promise<Response> => {\n try {\n const url = new URL(req.url);\n\n return await handler(\n instance,\n transactionStoreFactory(instance.config, await cookieFactory()),\n buildOptions(\n instance.config,\n options,\n url.searchParams.get('returnTo'),\n url.origin,\n ),\n url.origin,\n );\n } catch (e) {\n throw new LoginHandlerError(e as HandlerErrorCause);\n }\n };\n\nasync function handler(\n { config }: MondoInstance,\n transactionStore: TransactionStore,\n options?: LoginOptions,\n requestOrigin?: string,\n): Promise<Response> {\n const oidc = await import('openid-client');\n\n const returnTo = options?.returnTo \|\| config.baseURL;\n\n const authVerification: AuthVerification = {\n nonce: oidc.randomNonce(),\n state: oidc.randomState(),\n code_verifier: oidc.randomPKCECodeVerifier(),\n return_to: returnTo,\n };\n\n const parameters: AuthorizationCodeParams = {\n redirect_uri: getAuthorizationRedirectURL(config, requestOrigin).toString(),\n ...config.authorization,\n ...(options?.authorization \|\| {}),\n nonce: authVerification.nonce,\n state: authVerification.state,\n code_challenge_method: CodeChallengeMethod.S256,\n code_challenge: await oidc.calculatePKCECodeChallenge(\n authVerification.code_verifier,\n ),\n };\n\n if (parameters.max_age) {\n authVerification.max_age = parameters.max_age;\n }\n\n await transactionStore.save(authVerification);\n\n const clientConfig = await discoverOIDC(config);\n\n const authorizationUrl = oidc.buildAuthorizationUrl(\n clientConfig,\n toAuthorizationUrlParameters(parameters),\n );\n\n return NextResponse.redirect(authorizationUrl);\n}\n\nfunction toAuthorizationUrlParameters(\n parameters: AuthorizationCodeParams,\n): Record<string, string> {\n const authorizationUrlParameters: Record<string, string> = {};\n\n for (const [key, value] of Object.entries(parameters)) {\n if (value !== undefined) {\n authorizationUrlParameters[key] = String(value);\n }\n }\n\n return authorizationUrlParameters;\n}\n\n/\n Merges static login options with a request `returnTo` value.\n \n The query string value is treated as untrusted input and must resolve to the\n * same origin as the application or current request.\n /\nconst buildOptions = (\n config: Config,\n opts?: LoginOptions,\n dangerousReturnTo?: string \| undefined \| null,\n requestOrigin?: string,\n): LoginOptions => {\n const options = opts \|\| {};\n\n if (dangerousReturnTo) {\n const safeBaseUrl = new URL(\n options?.authorization?.redirect_uri \|\| requestOrigin \|\| config.baseURL,\n );\n options.returnTo = toSafeRedirect(dangerousReturnTo, safeBaseUrl);\n }\n\n return options;\n};\n","import { NextResponse } from 'next/server.js';\nimport type { Config } from '../config/types';\nimport { type HandlerErrorCause, LogoutHandlerError } from '../errors/handlers';\nimport type { MondoInstance } from '../core/instance';\nimport { sessionStoreFactory } from '../session/stores/stateless-store';\nimport type { SessionStoreInterface } from '../session/stores/types';\nimport type { Claims } from '../session/types';\nimport { pathOrURLToURL, toSafeRedirect } from '../http/url';\n\n/\n Options for clearing the local session and choosing the post-logout redirect.\n /\nexport interface LogoutOptions {\n /\n Application path to return to after logout.\n /\n returnTo?: string;\n\n /\n If set to `true`, the logout will also log out the user from the identity provider.\n * This is useful for Single Sign Out (SSO) scenarios.\n * If set to `false`, the user will only be logged out from the application.\n * Defaults to `false`.\n /\n singleLogOut?: boolean;\n}\n\n/\n Builds a route handler for the configured logout route.\n /\nexport type LogoutHandler = (\n options?: LogoutOptions,\n) => (req: Request) => Promise<Response>;\n\n/\n Creates a logout handler bound to one auth client instance.\n \n The returned handler destroys all session cookies and redirects either to the\n * configured application URL or to the provider logout endpoint for SSO logout.\n \n @param instance - Validated auth client instance.\n /\nexport const logoutHandlerFactory =\n <UserClaims extends Claims>(instance: MondoInstance): LogoutHandler =>\n (options?: LogoutOptions) =>\n async (req: Request): Promise<Response> => {\n try {\n const url = new URL(req.url);\n\n return await handler<UserClaims>(\n instance,\n sessionStoreFactory<UserClaims>(instance.config),\n buildOptions(\n instance.config,\n options,\n url.searchParams.get('returnTo'),\n ),\n );\n } catch (e) {\n throw new LogoutHandlerError(e as HandlerErrorCause);\n }\n };\n\nasync function handler<UserClaims extends Claims>(\n { config }: MondoInstance,\n sessionCache: SessionStoreInterface<UserClaims>,\n options?: LogoutOptions,\n): Promise<Response> {\n let returnURL = pathOrURLToURL(\n config,\n options?.returnTo \|\| config.routes.postLogoutRedirect,\n );\n\n await sessionCache.delete();\n\n if (options?.singleLogOut) {\n returnURL = new URL(\n ['/logout', `redirectTo=${returnURL.toString()}`].join('?'),\n config.issuerBaseURL,\n );\n }\n\n return NextResponse.redirect(returnURL);\n}\n\n/\n Merges static logout options with a request `returnTo` value.\n \n The query string value is treated as untrusted input and must resolve to the\n * configured application origin.\n /\nconst buildOptions = (\n config: Config,\n opts?: LogoutOptions,\n dangerousReturnTo?: string \| undefined \| null,\n): LogoutOptions => {\n const options = opts \|\| {};\n\n if (dangerousReturnTo) {\n const safeBaseUrl = new URL(config.baseURL);\n options.returnTo = toSafeRedirect(dangerousReturnTo, safeBaseUrl);\n }\n\n return options;\n};\n","import { NextResponse } from 'next/server.js';\nimport type { MondoInstance } from '../core/instance';\nimport type { Session } from '../session/model';\nimport { sessionStoreFactory } from '../session/stores/stateless-store';\nimport type { SessionStoreInterface } from '../session/stores/types';\nimport type { Claims } from '../session/types';\n\nexport interface SessionOptions<UserClaims extends Claims = Claims> {\n /\n Whether this route should also roll the session expiry forward.\n \n Defaults to `true`.\n /\n touch?: boolean;\n\n /\n Transform the session prior to returning it\n \n @param session - Current session, or `undefined` when missing or expired.\n /\n transform?: (session: Session<UserClaims> \| undefined) => unknown;\n}\n\n/\n Builds a route handler for the configured session route.\n /\nexport type SessionHandler<UserClaims extends Claims = Claims> = (\n options?: SessionOptions<UserClaims>,\n) => (req: Request) => Promise<Response>;\n\n/\n Creates a session handler bound to one auth client instance.\n \n The returned handler reads the sealed session cookies and returns JSON, or a\n * 401 response when the session is missing or expired.\n \n @param instance - Validated auth client instance.\n /\nexport const sessionHandlerFactory =\n <UserClaims extends Claims>(instance: MondoInstance) =>\n (options?: SessionOptions<UserClaims>) =>\n async (_req: Request): Promise<Response> => {\n return await handler<UserClaims>(\n sessionStoreFactory<UserClaims>(instance.config),\n options,\n );\n };\n\nasync function handler<UserClaims extends Claims>(\n sessionStore: SessionStoreInterface<UserClaims>,\n options?: SessionOptions<UserClaims>,\n): Promise<Response> {\n const session = await (options?.touch !== false\n ? sessionStore.touch()\n : sessionStore.get());\n\n const result = options?.transform ? options?.transform(session) : session;\n\n if (!result) {\n return Response.json(\n {\n error: 'SessionNotFound',\n error_description: 'Session does not exist or has expired',\n },\n { status: 401, statusText: 'Unauthorized' },\n );\n }\n\n return NextResponse.json(result);\n}\n","import { NextResponse } from 'next/server.js';\nimport {\n type AccessTokenResult,\n type GetAccessTokenOptions,\n getAccessTokenFactory,\n} from '../oauth/access-token';\nimport { AccessTokenError, AccessTokenErrorCode } from '../errors/access-token';\nimport type { MondoInstance } from '../core/instance';\nimport type { Claims } from '../session/types';\n\nexport interface AccessTokenOptions extends GetAccessTokenOptions {\n /\n Optional projection applied before the route returns JSON.\n /\n transform?: (token: AccessTokenResult) => unknown;\n}\n\ntype AccessTokenRequestOptions = Pick<\n GetAccessTokenOptions,\n 'refresh' \| 'refreshBeforeExpiresIn' \| 'scopes'\n>;\n\n/\n Builds a route handler for the configured access-token route.\n /\nexport type AccessTokenHandler = (\n options?: AccessTokenOptions,\n) => (req: Request) => Promise<Response>;\n\n/\n Creates an access-token handler bound to one auth client instance.\n \n The returned handler exposes the same refresh behavior as\n * `auth.getAccessToken()` and maps stable access-token error codes to HTTP\n * statuses.\n \n POST requests may provide `refresh`, `refreshBeforeExpiresIn`, and `scopes`\n * as JSON body options. Omitted body fields keep the static handler options.\n \n @param instance - Validated auth client instance.\n /\nexport const accessTokenHandlerFactory =\n <UserClaims extends Claims>(instance: MondoInstance): AccessTokenHandler =>\n (options?: AccessTokenOptions) =>\n async (req: Request): Promise<Response> => {\n try {\n const { transform, ...staticOptions } = options ?? {};\n const requestOptions = await getRequestOptions(req);\n const token = await getAccessTokenFactory<UserClaims>(instance)({\n ...staticOptions,\n ...(requestOptions ?? {}),\n });\n return NextResponse.json(transform?.(token) ?? token);\n } catch (error) {\n if (error instanceof AccessTokenError) {\n return NextResponse.json(\n {\n error: error.code,\n error_description: error.message,\n },\n { status: getStatusCode(error.code as AccessTokenErrorCode) },\n );\n }\n\n throw error;\n }\n };\n\nasync function getRequestOptions(\n req: Request,\n): Promise<AccessTokenRequestOptions \| undefined> {\n if (req.method !== 'POST') {\n return undefined;\n }\n\n const body = await readJsonBody(req);\n if (!isRecord(body)) {\n return undefined;\n }\n\n const options: AccessTokenRequestOptions = {};\n const scopes = getScopes(body.scopes);\n\n if (typeof body.refresh === 'boolean') {\n options.refresh = body.refresh;\n }\n\n if (typeof body.refreshBeforeExpiresIn === 'number') {\n options.refreshBeforeExpiresIn = body.refreshBeforeExpiresIn;\n }\n\n if (scopes) {\n options.scopes = scopes;\n }\n\n return options;\n}\n\nasync function readJsonBody(req: Request): Promise<unknown> {\n try {\n return await req.json();\n } catch {\n return undefined;\n }\n}\n\nfunction getScopes(value: unknown): string \| Array<string> \| undefined {\n if (typeof value === 'string') {\n return value;\n }\n\n if (\n Array.isArray(value) &&\n value.every((scope) => typeof scope === 'string')\n ) {\n return value;\n }\n\n return undefined;\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return Boolean(value && typeof value === 'object');\n}\n\nfunction getStatusCode(code: AccessTokenErrorCode): number {\n switch (code) {\n case AccessTokenErrorCode.MISSING_SESSION:\n case AccessTokenErrorCode.MISSING_ACCESS_TOKEN:\n case AccessTokenErrorCode.MISSING_REFRESH_TOKEN:\n case AccessTokenErrorCode.EXPIRED_ACCESS_TOKEN:\n return 401;\n case AccessTokenErrorCode.INSUFFICIENT_SCOPE:\n return 403;\n case AccessTokenErrorCode.FAILED_REFRESH_GRANT:\n return 502;\n }\n}\n","import { NextResponse } from 'next/server.js';\nimport {\n type GetAccessTokenOptions,\n getAccessTokenFactory,\n} from './oauth/access-token';\nimport type { PartialConfig } from './config/types';\nimport { initInstance, type MondoInstance } from './core/instance';\nimport {\n type CallbackOptions,\n callbackHandlerFactory,\n} from './routes/callback';\nimport { type LoginOptions, loginHandlerFactory } from './routes/login';\nimport { type LogoutOptions, logoutHandlerFactory } from './routes/logout';\nimport { type SessionOptions, sessionHandlerFactory } from './routes/session';\nimport {\n type AccessTokenOptions,\n accessTokenHandlerFactory,\n} from './routes/access-token';\nimport { sessionStoreFactory } from './session/stores/stateless-store';\nimport type { Claims } from './session/types';\n\n/\n Route-level options used by {@link MondoAuthClient.handleAuth}.\n \n Each property customizes the matching built-in route while keeping the same\n * default route mounting behavior.\n /\nexport type HandleAuthOptions<UserClaims extends Claims = Claims> = {\n /* Options applied to the login route. /\n login?: LoginOptions;\n\n /* Options applied to the callback route. /\n callback?: CallbackOptions;\n\n /* Options applied to the logout route. /\n logout?: LogoutOptions;\n\n /* Options applied to the session JSON route. /\n session?: SessionOptions<UserClaims>;\n\n /* Options applied to the access-token JSON route. /\n accessToken?: AccessTokenOptions;\n};\n\n/\n Options for protecting requests from Next.js `proxy.ts`.\n /\nexport type ProxyOptions = {\n /\n Paths that should pass through without an authenticated session.\n /\n publicPaths?: Array<string \| RegExp>;\n\n /\n A route-specific return URL override for unauthenticated redirects.\n /\n returnTo?: string \| ((request: Request) => string \| Promise<string>);\n};\n\n/\n Modern entry point for applications. Create one instance in `src/lib/auth.ts`,\n * then reuse it from route handlers, server code, and `proxy.ts`.\n \n @typeParam UserClaims - App-specific claims expected on `session.user`.\n /\nexport class MondoAuthClient<UserClaims extends Claims = Claims> {\n private instance?: MondoInstance;\n private readonly configOverrides?: PartialConfig;\n\n /\n Creates a client. Configuration is validated lazily the first time it is\n * needed so importing the client is safe before Next.js loads environment\n * files.\n \n @param config - Optional explicit config. Environment variables provide the\n * remaining values.\n /\n constructor(config?: PartialConfig) {\n this.configOverrides = config;\n }\n\n /\n Validated auth configuration used by this client.\n /\n get config() {\n return this.getInstance().config;\n }\n\n /\n Returns one route handler that serves all configured auth routes.\n \n Mount this from a catch-all route such as\n * `src/app/auth/[...auth]/route.ts`.\n /\n handleAuth(options: HandleAuthOptions<UserClaims> = {}) {\n return async (request: Request): Promise<Response> => {\n const { pathname } = new URL(request.url);\n const { routes } = this.config;\n\n if (pathname === routes.login) {\n return this.handleLogin(options.login)(request);\n }\n\n if (pathname === routes.callback) {\n return this.handleCallback(options.callback)(request);\n }\n\n if (pathname === routes.logout) {\n return this.handleLogout(options.logout)(request);\n }\n\n if (pathname === routes.session) {\n return this.handleSession(options.session)(request);\n }\n\n if (pathname === routes.accessToken) {\n return this.handleAccessToken(options.accessToken)(request);\n }\n\n return NextResponse.json(\n {\n error: 'NotFound',\n error_description: `No Mondo auth route is configured for ${pathname}.`,\n },\n { status: 404 },\n );\n };\n }\n\n /\n Creates a route handler that starts the OIDC login redirect.\n /\n handleLogin(options?: LoginOptions) {\n return loginHandlerFactory(this.getInstance())(options);\n }\n\n /\n Creates a route handler that completes the OIDC callback.\n /\n handleCallback(options?: CallbackOptions) {\n return callbackHandlerFactory<UserClaims>(this.getInstance())(options);\n }\n\n /\n Creates a route handler that clears the local session.\n /\n handleLogout(options?: LogoutOptions) {\n return logoutHandlerFactory<UserClaims>(this.getInstance())(options);\n }\n\n /\n Creates a route handler that returns the current session as JSON.\n /\n handleSession(options?: SessionOptions<UserClaims>) {\n return sessionHandlerFactory<UserClaims>(this.getInstance())(options);\n }\n\n /\n Creates a route handler that returns or refreshes the current access token.\n /\n handleAccessToken(options?: AccessTokenOptions) {\n return accessTokenHandlerFactory<UserClaims>(this.getInstance())(options);\n }\n\n /\n Reads the current sealed-cookie session in server code.\n /\n getSession = async () => {\n return sessionStoreFactory<UserClaims>(this.config).get();\n };\n\n /\n Returns the current access token, refreshing with the stored refresh token\n * when the token is expired or missing required scopes.\n /\n getAccessToken = (options?: GetAccessTokenOptions) => {\n return getAccessTokenFactory<UserClaims>(this.getInstance())(options);\n };\n\n /\n Drop this into `proxy.ts` to protect matched routes and keep idle sessions\n * fresh at the request boundary.\n /\n proxy = async (\n request: Request,\n options: ProxyOptions = {},\n ): Promise<Response \| undefined> => {\n const url = new URL(request.url);\n\n if (isAuthRoute(url.pathname, this.config.routes)) {\n return undefined;\n }\n\n if (isPublicPath(url.pathname, options.publicPaths)) {\n return undefined;\n }\n\n const response = NextResponse.next();\n const sessionStore = sessionStoreFactory<UserClaims>(\n this.config,\n request,\n response,\n );\n const session = await sessionStore.get();\n\n if (!session?.user) {\n const returnTo =\n typeof options.returnTo === 'function'\n ? await options.returnTo(request)\n : options.returnTo \|\| `${url.pathname}${url.search}`;\n\n return NextResponse.redirect(\n new URL(\n `${this.config.routes.login}?returnTo=${encodeURIComponent(returnTo)}`,\n url.origin,\n ),\n );\n }\n\n await sessionStore.touch();\n return response;\n };\n\n private getInstance(): MondoInstance {\n this.instance ??= initInstance(this.configOverrides);\n return this.instance;\n }\n}\n\n/\n Creates a configured Mondo auth client.\n \n @typeParam UserClaims - App-specific claims expected on `session.user`.\n * @param config - Optional explicit config. Environment variables provide the\n * remaining values.\n */\nexport function createAuth<UserClaims extends Claims = Claims>(\n config?: PartialConfig,\n) {\n return new MondoAuthClient<UserClaims>(config);\n}\n\ntype AuthRoutes = MondoInstance['config']['routes'];\n\nfunction isAuthRoute(pathname: string, routes: AuthRoutes): boolean {\n return [\n routes.login,\n routes.callback,\n routes.logout,\n routes.session,\n routes.accessToken,\n ].includes(pathname);\n}\n\nfunction isPublicPath(\n pathname: string,\n publicPaths: ProxyOptions['publicPaths'] = [],\n): boolean {\n return publicPaths.some((path) =>\n typeof path === 'string' ? pathname.startsWith(path) : path.test(pathname),\n );\n}\n"]}

package/dist/client.d.cts CHANGED Viewed

@@ -86,9 +86,12 @@ type ProxyOptions = {
  * @typeParam UserClaims - App-specific claims expected on `session.user`.
  */
 declare class MondoAuthClient<UserClaims extends Claims = Claims> {
-    private readonly instance;
+    private instance?;
+    private readonly configOverrides?;
     /**
-     * Creates a client and validates configuration immediately.
+     * Creates a client. Configuration is validated lazily the first time it is
+     * needed so importing the client is safe before Next.js loads environment
+     * files.
      *
      * @param config - Optional explicit config. Environment variables provide the
      * remaining values.
@@ -188,6 +191,7 @@ declare class MondoAuthClient<UserClaims extends Claims = Claims> {
      * fresh at the request boundary.
      */
     proxy: (request: Request, options?: ProxyOptions) => Promise<Response | undefined>;
+    private getInstance;
 }
 /**
  * Creates a configured Mondo auth client.