npm - @happyvertical/auth - Versions diffs - 0.74.8 - Mend

@happyvertical/auth 0.74.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/AGENT.md +33 -0
package/LICENSE +7 -0
package/README.md +73 -0
package/dist/chunks/cognito-dmypylFX.js +128 -0
package/dist/chunks/cognito-dmypylFX.js.map +1 -0
package/dist/chunks/decode_jwt-D2OK1b8a.js +1395 -0
package/dist/chunks/decode_jwt-D2OK1b8a.js.map +1 -0
package/dist/chunks/github-NSZp5tVm.js +413 -0
package/dist/chunks/github-NSZp5tVm.js.map +1 -0
package/dist/chunks/google-HXk2ctYR.js +483 -0
package/dist/chunks/google-HXk2ctYR.js.map +1 -0
package/dist/chunks/index-BpsMhFXS.js +151 -0
package/dist/chunks/index-BpsMhFXS.js.map +1 -0
package/dist/chunks/kanidm-hkw-YPVF.js +747 -0
package/dist/chunks/kanidm-hkw-YPVF.js.map +1 -0
package/dist/chunks/keycloak-t6JEUeOz.js +871 -0
package/dist/chunks/keycloak-t6JEUeOz.js.map +1 -0
package/dist/cli/claude-context.d.ts +3 -0
package/dist/cli/claude-context.d.ts.map +1 -0
package/dist/cli/claude-context.js +21 -0
package/dist/cli/claude-context.js.map +1 -0
package/dist/index.d.ts +65 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +499 -0
package/dist/index.js.map +1 -0
package/dist/shared/errors.d.ts +227 -0
package/dist/shared/errors.d.ts.map +1 -0
package/dist/shared/factory.d.ts +85 -0
package/dist/shared/factory.d.ts.map +1 -0
package/dist/shared/providers/cognito.d.ts +38 -0
package/dist/shared/providers/cognito.d.ts.map +1 -0
package/dist/shared/providers/github.d.ts +65 -0
package/dist/shared/providers/github.d.ts.map +1 -0
package/dist/shared/providers/google.d.ts +58 -0
package/dist/shared/providers/google.d.ts.map +1 -0
package/dist/shared/providers/kanidm.d.ts +78 -0
package/dist/shared/providers/kanidm.d.ts.map +1 -0
package/dist/shared/providers/keycloak.d.ts +67 -0
package/dist/shared/providers/keycloak.d.ts.map +1 -0
package/dist/shared/providers/nostr/index.d.ts +47 -0
package/dist/shared/providers/nostr/index.d.ts.map +1 -0
package/dist/shared/types.d.ts +812 -0
package/dist/shared/types.d.ts.map +1 -0
package/metadata.json +32 -0
package/package.json +60 -0

package/dist/index.js ADDED Viewed

@@ -0,0 +1,499 @@
+import { loadEnvConfig, ValidationError } from "@happyvertical/utils";
+var AuthErrorCode = /* @__PURE__ */ ((AuthErrorCode2) => {
+  AuthErrorCode2["INVALID_CREDENTIALS"] = "INVALID_CREDENTIALS";
+  AuthErrorCode2["INVALID_TOKEN"] = "INVALID_TOKEN";
+  AuthErrorCode2["TOKEN_EXPIRED"] = "TOKEN_EXPIRED";
+  AuthErrorCode2["INVALID_REFRESH_TOKEN"] = "INVALID_REFRESH_TOKEN";
+  AuthErrorCode2["SESSION_EXPIRED"] = "SESSION_EXPIRED";
+  AuthErrorCode2["MFA_REQUIRED"] = "MFA_REQUIRED";
+  AuthErrorCode2["INVALID_MFA_CODE"] = "INVALID_MFA_CODE";
+  AuthErrorCode2["ACCESS_DENIED"] = "ACCESS_DENIED";
+  AuthErrorCode2["INSUFFICIENT_SCOPE"] = "INSUFFICIENT_SCOPE";
+  AuthErrorCode2["INVALID_ROLE"] = "INVALID_ROLE";
+  AuthErrorCode2["USER_NOT_FOUND"] = "USER_NOT_FOUND";
+  AuthErrorCode2["USER_ALREADY_EXISTS"] = "USER_ALREADY_EXISTS";
+  AuthErrorCode2["USER_DISABLED"] = "USER_DISABLED";
+  AuthErrorCode2["PROVIDER_ERROR"] = "PROVIDER_ERROR";
+  AuthErrorCode2["CONFIGURATION_ERROR"] = "CONFIGURATION_ERROR";
+  AuthErrorCode2["NETWORK_ERROR"] = "NETWORK_ERROR";
+  AuthErrorCode2["INVALID_STATE"] = "INVALID_STATE";
+  AuthErrorCode2["INVALID_NONCE"] = "INVALID_NONCE";
+  AuthErrorCode2["INVALID_GRANT"] = "INVALID_GRANT";
+  AuthErrorCode2["INVALID_CLIENT"] = "INVALID_CLIENT";
+  AuthErrorCode2["INVALID_REDIRECT_URI"] = "INVALID_REDIRECT_URI";
+  AuthErrorCode2["INVALID_SIGNATURE"] = "INVALID_SIGNATURE";
+  AuthErrorCode2["RELAY_ERROR"] = "RELAY_ERROR";
+  AuthErrorCode2["CHALLENGE_EXPIRED"] = "CHALLENGE_EXPIRED";
+  AuthErrorCode2["EXTENSION_NOT_FOUND"] = "EXTENSION_NOT_FOUND";
+  AuthErrorCode2["INVALID_KEY"] = "INVALID_KEY";
+  AuthErrorCode2["NOT_IMPLEMENTED"] = "NOT_IMPLEMENTED";
+  AuthErrorCode2["UNKNOWN_ERROR"] = "UNKNOWN_ERROR";
+  return AuthErrorCode2;
+})(AuthErrorCode || {});
+class AuthError extends Error {
+  code;
+  provider;
+  context;
+  constructor(message, code, provider, context) {
+    super(message);
+    this.name = "AuthError";
+    this.code = code;
+    this.provider = provider;
+    this.context = context;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, AuthError);
+    }
+  }
+  /**
+   * Convert error to JSON for logging/serialization.
+   */
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      code: this.code,
+      provider: this.provider,
+      context: this.context,
+      stack: this.stack
+    };
+  }
+}
+class InvalidCredentialsError extends AuthError {
+  constructor(provider, context) {
+    super(
+      "Invalid credentials",
+      "INVALID_CREDENTIALS",
+      provider,
+      context
+    );
+    this.name = "InvalidCredentialsError";
+  }
+}
+class InvalidTokenError extends AuthError {
+  constructor(message, provider, context) {
+    super(
+      message || "Invalid token",
+      "INVALID_TOKEN",
+      provider,
+      context
+    );
+    this.name = "InvalidTokenError";
+  }
+}
+class TokenExpiredError extends AuthError {
+  expiredAt;
+  constructor(provider, expiredAt, context) {
+    super("Token has expired", "TOKEN_EXPIRED", provider, context);
+    this.name = "TokenExpiredError";
+    this.expiredAt = expiredAt;
+  }
+}
+class InvalidRefreshTokenError extends AuthError {
+  constructor(provider, context) {
+    super(
+      "Invalid or expired refresh token",
+      "INVALID_REFRESH_TOKEN",
+      provider,
+      context
+    );
+    this.name = "InvalidRefreshTokenError";
+  }
+}
+class SessionExpiredError extends AuthError {
+  constructor(provider, context) {
+    super(
+      "Session has expired",
+      "SESSION_EXPIRED",
+      provider,
+      context
+    );
+    this.name = "SessionExpiredError";
+  }
+}
+class MfaRequiredError extends AuthError {
+  mfaMethods;
+  constructor(provider, mfaMethods, context) {
+    super(
+      "Multi-factor authentication required",
+      "MFA_REQUIRED",
+      provider,
+      context
+    );
+    this.name = "MfaRequiredError";
+    this.mfaMethods = mfaMethods;
+  }
+}
+class InvalidMfaCodeError extends AuthError {
+  constructor(provider, context) {
+    super(
+      "Invalid MFA code",
+      "INVALID_MFA_CODE",
+      provider,
+      context
+    );
+    this.name = "InvalidMfaCodeError";
+  }
+}
+class AccessDeniedError extends AuthError {
+  constructor(message, provider, context) {
+    super(
+      message || "Access denied",
+      "ACCESS_DENIED",
+      provider,
+      context
+    );
+    this.name = "AccessDeniedError";
+  }
+}
+class InsufficientScopeError extends AuthError {
+  requiredScopes;
+  grantedScopes;
+  constructor(requiredScopes, grantedScopes, provider, context) {
+    super(
+      `Insufficient scope. Required: ${requiredScopes?.join(", ") || "unknown"}`,
+      "INSUFFICIENT_SCOPE",
+      provider,
+      context
+    );
+    this.name = "InsufficientScopeError";
+    this.requiredScopes = requiredScopes;
+    this.grantedScopes = grantedScopes;
+  }
+}
+class UserNotFoundError extends AuthError {
+  userId;
+  constructor(userId, provider, context) {
+    super(
+      userId ? `User not found: ${userId}` : "User not found",
+      "USER_NOT_FOUND",
+      provider,
+      context
+    );
+    this.name = "UserNotFoundError";
+    this.userId = userId;
+  }
+}
+class UserAlreadyExistsError extends AuthError {
+  constructor(identifier, provider, context) {
+    super(
+      identifier ? `User already exists: ${identifier}` : "User already exists",
+      "USER_ALREADY_EXISTS",
+      provider,
+      context
+    );
+    this.name = "UserAlreadyExistsError";
+  }
+}
+class UserDisabledError extends AuthError {
+  constructor(userId, provider, context) {
+    super(
+      userId ? `User is disabled: ${userId}` : "User is disabled",
+      "USER_DISABLED",
+      provider,
+      context
+    );
+    this.name = "UserDisabledError";
+  }
+}
+class ProviderError extends AuthError {
+  originalError;
+  constructor(message, provider, originalError, context) {
+    super(message, "PROVIDER_ERROR", provider, context);
+    this.name = "ProviderError";
+    this.originalError = originalError;
+  }
+}
+class ConfigurationError extends AuthError {
+  constructor(message, provider, context) {
+    super(message, "CONFIGURATION_ERROR", provider, context);
+    this.name = "ConfigurationError";
+  }
+}
+class NetworkError extends AuthError {
+  originalError;
+  constructor(message, provider, originalError, context) {
+    super(
+      message || "Network error",
+      "NETWORK_ERROR",
+      provider,
+      context
+    );
+    this.name = "NetworkError";
+    this.originalError = originalError;
+  }
+}
+class InvalidStateError extends AuthError {
+  constructor(provider, context) {
+    super(
+      "Invalid or mismatched state parameter",
+      "INVALID_STATE",
+      provider,
+      context
+    );
+    this.name = "InvalidStateError";
+  }
+}
+class InvalidNonceError extends AuthError {
+  constructor(provider, context) {
+    super(
+      "Invalid or mismatched nonce",
+      "INVALID_NONCE",
+      provider,
+      context
+    );
+    this.name = "InvalidNonceError";
+  }
+}
+class InvalidGrantError extends AuthError {
+  constructor(message, provider, context) {
+    super(
+      message || "Invalid grant",
+      "INVALID_GRANT",
+      provider,
+      context
+    );
+    this.name = "InvalidGrantError";
+  }
+}
+class InvalidClientError extends AuthError {
+  constructor(provider, context) {
+    super(
+      "Invalid client credentials",
+      "INVALID_CLIENT",
+      provider,
+      context
+    );
+    this.name = "InvalidClientError";
+  }
+}
+class InvalidRedirectUriError extends AuthError {
+  constructor(provider, context) {
+    super(
+      "Invalid or mismatched redirect URI",
+      "INVALID_REDIRECT_URI",
+      provider,
+      context
+    );
+    this.name = "InvalidRedirectUriError";
+  }
+}
+class InvalidSignatureError extends AuthError {
+  constructor(message, context) {
+    super(
+      message || "Invalid event signature",
+      "INVALID_SIGNATURE",
+      "nostr",
+      context
+    );
+    this.name = "InvalidSignatureError";
+  }
+}
+class RelayError extends AuthError {
+  relayUrl;
+  originalError;
+  constructor(message, relayUrl, originalError, context) {
+    super(message, "RELAY_ERROR", "nostr", {
+      ...context,
+      relayUrl
+    });
+    this.name = "RelayError";
+    this.relayUrl = relayUrl;
+    this.originalError = originalError;
+  }
+}
+class ChallengeExpiredError extends AuthError {
+  constructor(context) {
+    super(
+      "Authentication challenge has expired",
+      "CHALLENGE_EXPIRED",
+      "nostr",
+      context
+    );
+    this.name = "ChallengeExpiredError";
+  }
+}
+class ExtensionNotFoundError extends AuthError {
+  constructor(context) {
+    super(
+      "NIP-07 browser extension not found. Install nos2x, Alby, or similar.",
+      "EXTENSION_NOT_FOUND",
+      "nostr",
+      context
+    );
+    this.name = "ExtensionNotFoundError";
+  }
+}
+class InvalidKeyError extends AuthError {
+  constructor(message, context) {
+    super(
+      message || "Invalid key format",
+      "INVALID_KEY",
+      "nostr",
+      context
+    );
+    this.name = "InvalidKeyError";
+  }
+}
+class NotImplementedError extends AuthError {
+  operation;
+  constructor(operation, provider, context) {
+    super(
+      `Operation '${operation}' is not supported by this provider`,
+      "NOT_IMPLEMENTED",
+      provider,
+      context
+    );
+    this.name = "NotImplementedError";
+    this.operation = operation;
+  }
+}
+function isAuthError(error) {
+  return error instanceof AuthError;
+}
+function hasErrorCode(error, code) {
+  return isAuthError(error) && error.code === code;
+}
+function isKeycloakOptions(options) {
+  return options.type === "keycloak";
+}
+function isCognitoOptions(options) {
+  return options.type === "cognito";
+}
+function isNostrOptions(options) {
+  return options.type === "nostr";
+}
+function isKanidmOptions(options) {
+  return options.type === "kanidm";
+}
+function isGoogleOptions(options) {
+  return options.type === "google";
+}
+function isGitHubOptions(options) {
+  return options.type === "github";
+}
+async function getAuth(options) {
+  const configuredOptions = loadEnvConfig(
+    options,
+    {
+      packageName: "auth",
+      schema: {
+        type: "string",
+        serverUrl: "string",
+        realm: "string",
+        clientId: "string",
+        clientSecret: "string",
+        redirectUri: "string",
+        scopes: "string",
+        // Will be comma-separated
+        region: "string",
+        userPoolId: "string",
+        domain: "string",
+        relays: "string",
+        // Will be comma-separated
+        privateKey: "string",
+        challengeExpiration: "number",
+        relayTimeout: "number",
+        timeout: "number",
+        maxRetries: "number",
+        // Kanidm-specific
+        adminUsername: "string",
+        adminPassword: "string"
+      },
+      transform: {
+        // Transform comma-separated strings to arrays
+        relays: (value) => value.split(",").map((r) => r.trim()).filter(Boolean),
+        scopes: (value) => value.split(",").map((s) => s.trim()).filter(Boolean)
+      }
+    }
+  );
+  options = configuredOptions;
+  if (isKeycloakOptions(options)) {
+    const { KeycloakProvider } = await import("./chunks/keycloak-t6JEUeOz.js");
+    return new KeycloakProvider(options);
+  }
+  if (isCognitoOptions(options)) {
+    const { CognitoProvider } = await import("./chunks/cognito-dmypylFX.js");
+    return new CognitoProvider(options);
+  }
+  if (isNostrOptions(options)) {
+    const { NostrProvider } = await import("./chunks/index-BpsMhFXS.js");
+    return new NostrProvider(options);
+  }
+  if (isKanidmOptions(options)) {
+    const { KanidmProvider } = await import("./chunks/kanidm-hkw-YPVF.js");
+    return new KanidmProvider(options);
+  }
+  if (isGoogleOptions(options)) {
+    const { GoogleProvider } = await import("./chunks/google-HXk2ctYR.js");
+    return new GoogleProvider(options);
+  }
+  if (isGitHubOptions(options)) {
+    const { GitHubProvider } = await import("./chunks/github-NSZp5tVm.js");
+    return new GitHubProvider(options);
+  }
+  throw new ValidationError("Unsupported auth provider type", {
+    supportedTypes: [
+      "keycloak",
+      "cognito",
+      "nostr",
+      "kanidm",
+      "google",
+      "github"
+    ],
+    providedType: options.type
+  });
+}
+async function getAuthAuto(options) {
+  if (options.serverUrl && options.realm) {
+    return getAuth({ ...options, type: "keycloak" });
+  }
+  if (options.region && options.userPoolId) {
+    return getAuth({ ...options, type: "cognito" });
+  }
+  if (options.relays && Array.isArray(options.relays) && options.relays.length > 0) {
+    return getAuth({ ...options, type: "nostr" });
+  }
+  throw new ValidationError(
+    "Could not auto-detect auth provider from options",
+    {
+      hint: 'Please specify a "type" field or provide provider-specific configuration',
+      supportedTypes: ["keycloak", "cognito", "nostr"],
+      providedOptions: Object.keys(options)
+    }
+  );
+}
+export {
+  AccessDeniedError,
+  AuthError,
+  AuthErrorCode,
+  ChallengeExpiredError,
+  ConfigurationError,
+  ExtensionNotFoundError,
+  InsufficientScopeError,
+  InvalidClientError,
+  InvalidCredentialsError,
+  InvalidGrantError,
+  InvalidKeyError,
+  InvalidMfaCodeError,
+  InvalidNonceError,
+  InvalidRedirectUriError,
+  InvalidRefreshTokenError,
+  InvalidSignatureError,
+  InvalidStateError,
+  InvalidTokenError,
+  MfaRequiredError,
+  NetworkError,
+  NotImplementedError,
+  ProviderError,
+  RelayError,
+  SessionExpiredError,
+  TokenExpiredError,
+  UserAlreadyExistsError,
+  UserDisabledError,
+  UserNotFoundError,
+  getAuth,
+  getAuthAuto,
+  hasErrorCode,
+  isAuthError
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sources":["../src/shared/errors.ts","../src/shared/factory.ts"],"sourcesContent":["/**\n * @happyvertical/auth - Error Classes\n *\n * Standardized authentication error types for consistent error handling\n * across all providers (Keycloak, Cognito, Nostr).\n */\n\n/**\n * Authentication error codes.\n */\nexport enum AuthErrorCode {\n // Authentication errors\n INVALID_CREDENTIALS = 'INVALID_CREDENTIALS',\n INVALID_TOKEN = 'INVALID_TOKEN',\n TOKEN_EXPIRED = 'TOKEN_EXPIRED',\n INVALID_REFRESH_TOKEN = 'INVALID_REFRESH_TOKEN',\n SESSION_EXPIRED = 'SESSION_EXPIRED',\n MFA_REQUIRED = 'MFA_REQUIRED',\n INVALID_MFA_CODE = 'INVALID_MFA_CODE',\n\n // Authorization errors\n ACCESS_DENIED = 'ACCESS_DENIED',\n INSUFFICIENT_SCOPE = 'INSUFFICIENT_SCOPE',\n INVALID_ROLE = 'INVALID_ROLE',\n\n // User management errors\n USER_NOT_FOUND = 'USER_NOT_FOUND',\n USER_ALREADY_EXISTS = 'USER_ALREADY_EXISTS',\n USER_DISABLED = 'USER_DISABLED',\n\n // Provider errors\n PROVIDER_ERROR = 'PROVIDER_ERROR',\n CONFIGURATION_ERROR = 'CONFIGURATION_ERROR',\n NETWORK_ERROR = 'NETWORK_ERROR',\n\n // OAuth/OIDC errors\n INVALID_STATE = 'INVALID_STATE',\n INVALID_NONCE = 'INVALID_NONCE',\n INVALID_GRANT = 'INVALID_GRANT',\n INVALID_CLIENT = 'INVALID_CLIENT',\n INVALID_REDIRECT_URI = 'INVALID_REDIRECT_URI',\n\n // Nostr-specific errors\n INVALID_SIGNATURE = 'INVALID_SIGNATURE',\n RELAY_ERROR = 'RELAY_ERROR',\n CHALLENGE_EXPIRED = 'CHALLENGE_EXPIRED',\n EXTENSION_NOT_FOUND = 'EXTENSION_NOT_FOUND',\n INVALID_KEY = 'INVALID_KEY',\n\n // General\n NOT_IMPLEMENTED = 'NOT_IMPLEMENTED',\n UNKNOWN_ERROR = 'UNKNOWN_ERROR',\n}\n\n/**\n * Base authentication error class.\n */\nexport class AuthError extends Error {\n public readonly code: AuthErrorCode;\n public readonly provider?: string;\n public readonly context?: Record<string, unknown>;\n\n constructor(\n message: string,\n code: AuthErrorCode,\n provider?: string,\n context?: Record<string, unknown>,\n ) {\n super(message);\n this.name = 'AuthError';\n this.code = code;\n this.provider = provider;\n this.context = context;\n\n // Maintains proper stack trace for where our error was thrown (only available on V8)\n if (Error.captureStackTrace) {\n Error.captureStackTrace(this, AuthError);\n }\n }\n\n /**\n * Convert error to JSON for logging/serialization.\n */\n toJSON(): Record<string, unknown> {\n return {\n name: this.name,\n message: this.message,\n code: this.code,\n provider: this.provider,\n context: this.context,\n stack: this.stack,\n };\n }\n}\n\n// =============================================================================\n// AUTHENTICATION ERRORS\n// =============================================================================\n\n/**\n * Invalid credentials error.\n */\nexport class InvalidCredentialsError extends AuthError {\n constructor(provider?: string, context?: Record<string, unknown>) {\n super(\n 'Invalid credentials',\n AuthErrorCode.INVALID_CREDENTIALS,\n provider,\n context,\n );\n this.name = 'InvalidCredentialsError';\n }\n}\n\n/**\n * Invalid token error.\n */\nexport class InvalidTokenError extends AuthError {\n constructor(\n message?: string,\n provider?: string,\n context?: Record<string, unknown>,\n ) {\n super(\n message || 'Invalid token',\n AuthErrorCode.INVALID_TOKEN,\n provider,\n context,\n );\n this.name = 'InvalidTokenError';\n }\n}\n\n/**\n * Token expired error.\n */\nexport class TokenExpiredError extends AuthError {\n public readonly expiredAt?: Date;\n\n constructor(\n provider?: string,\n expiredAt?: Date,\n context?: Record<string, unknown>,\n ) {\n super('Token has expired', AuthErrorCode.TOKEN_EXPIRED, provider, context);\n this.name = 'TokenExpiredError';\n this.expiredAt = expiredAt;\n }\n}\n\n/**\n * Invalid refresh token error.\n */\nexport class InvalidRefreshTokenError extends AuthError {\n constructor(provider?: string, context?: Record<string, unknown>) {\n super(\n 'Invalid or expired refresh token',\n AuthErrorCode.INVALID_REFRESH_TOKEN,\n provider,\n context,\n );\n this.name = 'InvalidRefreshTokenError';\n }\n}\n\n/**\n * Session expired error.\n */\nexport class SessionExpiredError extends AuthError {\n constructor(provider?: string, context?: Record<string, unknown>) {\n super(\n 'Session has expired',\n AuthErrorCode.SESSION_EXPIRED,\n provider,\n context,\n );\n this.name = 'SessionExpiredError';\n }\n}\n\n/**\n * MFA required error.\n */\nexport class MfaRequiredError extends AuthError {\n public readonly mfaMethods?: string[];\n\n constructor(\n provider?: string,\n mfaMethods?: string[],\n context?: Record<string, unknown>,\n ) {\n super(\n 'Multi-factor authentication required',\n AuthErrorCode.MFA_REQUIRED,\n provider,\n context,\n );\n this.name = 'MfaRequiredError';\n this.mfaMethods = mfaMethods;\n }\n}\n\n/**\n * Invalid MFA code error.\n */\nexport class InvalidMfaCodeError extends AuthError {\n constructor(provider?: string, context?: Record<string, unknown>) {\n super(\n 'Invalid MFA code',\n AuthErrorCode.INVALID_MFA_CODE,\n provider,\n context,\n );\n this.name = 'InvalidMfaCodeError';\n }\n}\n\n// =============================================================================\n// AUTHORIZATION ERRORS\n// =============================================================================\n\n/**\n * Access denied error.\n */\nexport class AccessDeniedError extends AuthError {\n constructor(\n message?: string,\n provider?: string,\n context?: Record<string, unknown>,\n ) {\n super(\n message || 'Access denied',\n AuthErrorCode.ACCESS_DENIED,\n provider,\n context,\n );\n this.name = 'AccessDeniedError';\n }\n}\n\n/**\n * Insufficient scope error.\n */\nexport class InsufficientScopeError extends AuthError {\n public readonly requiredScopes?: string[];\n public readonly grantedScopes?: string[];\n\n constructor(\n requiredScopes?: string[],\n grantedScopes?: string[],\n provider?: string,\n context?: Record<string, unknown>,\n ) {\n super(\n `Insufficient scope. Required: ${requiredScopes?.join(', ') || 'unknown'}`,\n AuthErrorCode.INSUFFICIENT_SCOPE,\n provider,\n context,\n );\n this.name = 'InsufficientScopeError';\n this.requiredScopes = requiredScopes;\n this.grantedScopes = grantedScopes;\n }\n}\n\n// =============================================================================\n// USER MANAGEMENT ERRORS\n// =============================================================================\n\n/**\n * User not found error.\n */\nexport class UserNotFoundError extends AuthError {\n public readonly userId?: string;\n\n constructor(\n userId?: string,\n provider?: string,\n context?: Record<string, unknown>,\n ) {\n super(\n userId ? `User not found: ${userId}` : 'User not found',\n AuthErrorCode.USER_NOT_FOUND,\n provider,\n context,\n );\n this.name = 'UserNotFoundError';\n this.userId = userId;\n }\n}\n\n/**\n * User already exists error.\n */\nexport class UserAlreadyExistsError extends AuthError {\n constructor(\n identifier?: string,\n provider?: string,\n context?: Record<string, unknown>,\n ) {\n super(\n identifier ? `User already exists: ${identifier}` : 'User already exists',\n AuthErrorCode.USER_ALREADY_EXISTS,\n provider,\n context,\n );\n this.name = 'UserAlreadyExistsError';\n }\n}\n\n/**\n * User disabled error.\n */\nexport class UserDisabledError extends AuthError {\n constructor(\n userId?: string,\n provider?: string,\n context?: Record<string, unknown>,\n ) {\n super(\n userId ? `User is disabled: ${userId}` : 'User is disabled',\n AuthErrorCode.USER_DISABLED,\n provider,\n context,\n );\n this.name = 'UserDisabledError';\n }\n}\n\n// =============================================================================\n// PROVIDER ERRORS\n// =============================================================================\n\n/**\n * Provider error.\n */\nexport class ProviderError extends AuthError {\n public readonly originalError?: Error;\n\n constructor(\n message: string,\n provider?: string,\n originalError?: Error,\n context?: Record<string, unknown>,\n ) {\n super(message, AuthErrorCode.PROVIDER_ERROR, provider, context);\n this.name = 'ProviderError';\n this.originalError = originalError;\n }\n}\n\n/**\n * Configuration error.\n */\nexport class ConfigurationError extends AuthError {\n constructor(\n message: string,\n provider?: string,\n context?: Record<string, unknown>,\n ) {\n super(message, AuthErrorCode.CONFIGURATION_ERROR, provider, context);\n this.name = 'ConfigurationError';\n }\n}\n\n/**\n * Network error.\n */\nexport class NetworkError extends AuthError {\n public readonly originalError?: Error;\n\n constructor(\n message?: string,\n provider?: string,\n originalError?: Error,\n context?: Record<string, unknown>,\n ) {\n super(\n message || 'Network error',\n AuthErrorCode.NETWORK_ERROR,\n provider,\n context,\n );\n this.name = 'NetworkError';\n this.originalError = originalError;\n }\n}\n\n// =============================================================================\n// OAUTH/OIDC ERRORS\n// =============================================================================\n\n/**\n * Invalid state error.\n */\nexport class InvalidStateError extends AuthError {\n constructor(provider?: string, context?: Record<string, unknown>) {\n super(\n 'Invalid or mismatched state parameter',\n AuthErrorCode.INVALID_STATE,\n provider,\n context,\n );\n this.name = 'InvalidStateError';\n }\n}\n\n/**\n * Invalid nonce error.\n */\nexport class InvalidNonceError extends AuthError {\n constructor(provider?: string, context?: Record<string, unknown>) {\n super(\n 'Invalid or mismatched nonce',\n AuthErrorCode.INVALID_NONCE,\n provider,\n context,\n );\n this.name = 'InvalidNonceError';\n }\n}\n\n/**\n * Invalid grant error.\n */\nexport class InvalidGrantError extends AuthError {\n constructor(\n message?: string,\n provider?: string,\n context?: Record<string, unknown>,\n ) {\n super(\n message || 'Invalid grant',\n AuthErrorCode.INVALID_GRANT,\n provider,\n context,\n );\n this.name = 'InvalidGrantError';\n }\n}\n\n/**\n * Invalid client error.\n */\nexport class InvalidClientError extends AuthError {\n constructor(provider?: string, context?: Record<string, unknown>) {\n super(\n 'Invalid client credentials',\n AuthErrorCode.INVALID_CLIENT,\n provider,\n context,\n );\n this.name = 'InvalidClientError';\n }\n}\n\n/**\n * Invalid redirect URI error.\n */\nexport class InvalidRedirectUriError extends AuthError {\n constructor(provider?: string, context?: Record<string, unknown>) {\n super(\n 'Invalid or mismatched redirect URI',\n AuthErrorCode.INVALID_REDIRECT_URI,\n provider,\n context,\n );\n this.name = 'InvalidRedirectUriError';\n }\n}\n\n// =============================================================================\n// NOSTR-SPECIFIC ERRORS\n// =============================================================================\n\n/**\n * Invalid signature error.\n */\nexport class InvalidSignatureError extends AuthError {\n constructor(message?: string, context?: Record<string, unknown>) {\n super(\n message || 'Invalid event signature',\n AuthErrorCode.INVALID_SIGNATURE,\n 'nostr',\n context,\n );\n this.name = 'InvalidSignatureError';\n }\n}\n\n/**\n * Relay error.\n */\nexport class RelayError extends AuthError {\n public readonly relayUrl?: string;\n public readonly originalError?: Error;\n\n constructor(\n message: string,\n relayUrl?: string,\n originalError?: Error,\n context?: Record<string, unknown>,\n ) {\n super(message, AuthErrorCode.RELAY_ERROR, 'nostr', {\n ...context,\n relayUrl,\n });\n this.name = 'RelayError';\n this.relayUrl = relayUrl;\n this.originalError = originalError;\n }\n}\n\n/**\n * Challenge expired error.\n */\nexport class ChallengeExpiredError extends AuthError {\n constructor(context?: Record<string, unknown>) {\n super(\n 'Authentication challenge has expired',\n AuthErrorCode.CHALLENGE_EXPIRED,\n 'nostr',\n context,\n );\n this.name = 'ChallengeExpiredError';\n }\n}\n\n/**\n * NIP-07 extension not found error.\n */\nexport class ExtensionNotFoundError extends AuthError {\n constructor(context?: Record<string, unknown>) {\n super(\n 'NIP-07 browser extension not found. Install nos2x, Alby, or similar.',\n AuthErrorCode.EXTENSION_NOT_FOUND,\n 'nostr',\n context,\n );\n this.name = 'ExtensionNotFoundError';\n }\n}\n\n/**\n * Invalid key error.\n */\nexport class InvalidKeyError extends AuthError {\n constructor(message?: string, context?: Record<string, unknown>) {\n super(\n message || 'Invalid key format',\n AuthErrorCode.INVALID_KEY,\n 'nostr',\n context,\n );\n this.name = 'InvalidKeyError';\n }\n}\n\n// =============================================================================\n// GENERAL ERRORS\n// =============================================================================\n\n/**\n * Not implemented error.\n */\nexport class NotImplementedError extends AuthError {\n public readonly operation: string;\n\n constructor(\n operation: string,\n provider?: string,\n context?: Record<string, unknown>,\n ) {\n super(\n `Operation '${operation}' is not supported by this provider`,\n AuthErrorCode.NOT_IMPLEMENTED,\n provider,\n context,\n );\n this.name = 'NotImplementedError';\n this.operation = operation;\n }\n}\n\n/**\n * Check if an error is an AuthError.\n */\nexport function isAuthError(error: unknown): error is AuthError {\n return error instanceof AuthError;\n}\n\n/**\n * Check if an error has a specific error code.\n */\nexport function hasErrorCode(error: unknown, code: AuthErrorCode): boolean {\n return isAuthError(error) && error.code === code;\n}\n","/**\n * @happyvertical/auth - Factory Functions\n *\n * Creates authentication provider instances based on configuration.\n * Supports Keycloak, AWS Cognito, and Nostr providers.\n */\n\nimport { loadEnvConfig, ValidationError } from '@happyvertical/utils';\n\nimport type {\n AuthInterface,\n CognitoOptions,\n GetAuthOptions,\n GitHubOptions,\n GoogleOptions,\n KanidmOptions,\n KeycloakOptions,\n NostrOptions,\n} from './types';\n\n// =============================================================================\n// TYPE GUARDS\n// =============================================================================\n\n/**\n * Checks if the options are for Keycloak provider.\n */\nfunction isKeycloakOptions(\n options: GetAuthOptions,\n): options is KeycloakOptions {\n return options.type === 'keycloak';\n}\n\n/**\n * Checks if the options are for Cognito provider.\n */\nfunction isCognitoOptions(options: GetAuthOptions): options is CognitoOptions {\n return options.type === 'cognito';\n}\n\n/**\n * Checks if the options are for Nostr provider.\n */\nfunction isNostrOptions(options: GetAuthOptions): options is NostrOptions {\n return options.type === 'nostr';\n}\n\n/**\n * Checks if the options are for Kanidm provider.\n */\nfunction isKanidmOptions(options: GetAuthOptions): options is KanidmOptions {\n return options.type === 'kanidm';\n}\n\n/**\n * Checks if the options are for Google provider.\n */\nfunction isGoogleOptions(options: GetAuthOptions): options is GoogleOptions {\n return options.type === 'google';\n}\n\n/**\n * Checks if the options are for GitHub provider.\n */\nfunction isGitHubOptions(options: GetAuthOptions): options is GitHubOptions {\n return options.type === 'github';\n}\n\n// =============================================================================\n// FACTORY FUNCTION\n// =============================================================================\n\n/**\n * Creates an authentication provider instance based on the provided options.\n *\n * Supports environment variable configuration using the pattern:\n * - HAVE_AUTH_TYPE → provider type ('keycloak' | 'cognito' | 'nostr')\n * - HAVE_AUTH_SERVER_URL → serverUrl (Keycloak)\n * - HAVE_AUTH_REALM → realm (Keycloak)\n * - HAVE_AUTH_CLIENT_ID → clientId\n * - HAVE_AUTH_CLIENT_SECRET → clientSecret\n * - HAVE_AUTH_REDIRECT_URI → redirectUri\n * - HAVE_AUTH_REGION → region (Cognito)\n * - HAVE_AUTH_USER_POOL_ID → userPoolId (Cognito)\n * - HAVE_AUTH_DOMAIN → domain (Cognito)\n * - HAVE_AUTH_RELAYS → relays (Nostr, comma-separated)\n * - HAVE_AUTH_TIMEOUT → timeout (number)\n * - HAVE_AUTH_MAX_RETRIES → maxRetries (number)\n *\n * User-provided options always take precedence over environment variables.\n *\n * @param options - Configuration options for the auth provider\n * @returns Promise resolving to an AuthInterface implementation\n * @throws {ValidationError} When the provider type is unsupported or invalid\n *\n * @example\n * ```typescript\n * // Create Keycloak client\n * const auth = await getAuth({\n * type: 'keycloak',\n * serverUrl: 'https://auth.example.com',\n * realm: 'my-realm',\n * clientId: 'my-app'\n * });\n *\n * // Create Cognito client\n * const auth = await getAuth({\n * type: 'cognito',\n * region: 'us-east-1',\n * userPoolId: 'us-east-1_xxx',\n * clientId: 'xxx'\n * });\n *\n * // Create Nostr client\n * const auth = await getAuth({\n * type: 'nostr',\n * relays: ['wss://relay.damus.io', 'wss://nos.lol']\n * });\n *\n * // Use environment variables\n * // Set: HAVE_AUTH_TYPE=keycloak, HAVE_AUTH_SERVER_URL=..., etc.\n * const auth = await getAuth({} as GetAuthOptions);\n * ```\n */\nexport async function getAuth(options: GetAuthOptions): Promise<AuthInterface> {\n // Load environment variables with user options taking precedence\n const configuredOptions = loadEnvConfig(\n options as unknown as Record<string, unknown>,\n {\n packageName: 'auth',\n schema: {\n type: 'string',\n serverUrl: 'string',\n realm: 'string',\n clientId: 'string',\n clientSecret: 'string',\n redirectUri: 'string',\n scopes: 'string', // Will be comma-separated\n region: 'string',\n userPoolId: 'string',\n domain: 'string',\n relays: 'string', // Will be comma-separated\n privateKey: 'string',\n challengeExpiration: 'number',\n relayTimeout: 'number',\n timeout: 'number',\n maxRetries: 'number',\n // Kanidm-specific\n adminUsername: 'string',\n adminPassword: 'string',\n },\n transform: {\n // Transform comma-separated strings to arrays\n relays: (value: string) =>\n value\n .split(',')\n .map((r) => r.trim())\n .filter(Boolean),\n scopes: (value: string) =>\n value\n .split(',')\n .map((s) => s.trim())\n .filter(Boolean),\n },\n },\n ) as unknown as GetAuthOptions;\n options = configuredOptions;\n\n if (isKeycloakOptions(options)) {\n const { KeycloakProvider } = await import('./providers/keycloak.js');\n return new KeycloakProvider(options);\n }\n\n if (isCognitoOptions(options)) {\n const { CognitoProvider } = await import('./providers/cognito.js');\n return new CognitoProvider(options);\n }\n\n if (isNostrOptions(options)) {\n const { NostrProvider } = await import('./providers/nostr/index.js');\n return new NostrProvider(options);\n }\n\n if (isKanidmOptions(options)) {\n const { KanidmProvider } = await import('./providers/kanidm.js');\n return new KanidmProvider(options);\n }\n\n if (isGoogleOptions(options)) {\n const { GoogleProvider } = await import('./providers/google.js');\n return new GoogleProvider(options);\n }\n\n if (isGitHubOptions(options)) {\n const { GitHubProvider } = await import('./providers/github.js');\n return new GitHubProvider(options);\n }\n\n throw new ValidationError('Unsupported auth provider type', {\n supportedTypes: [\n 'keycloak',\n 'cognito',\n 'nostr',\n 'kanidm',\n 'google',\n 'github',\n ],\n providedType: (options as Record<string, unknown>).type,\n });\n}\n\n/**\n * Auto-detect provider based on available configuration.\n *\n * @param options - Configuration options that may contain provider-specific settings\n * @returns Promise resolving to an AuthInterface based on detected configuration\n * @throws {ValidationError} When no provider can be detected\n *\n * @example\n * ```typescript\n * // Auto-detect Keycloak from serverUrl and realm\n * const auth = await getAuthAuto({\n * serverUrl: 'https://auth.example.com',\n * realm: 'my-realm',\n * clientId: 'my-app'\n * });\n *\n * // Auto-detect Cognito from region and userPoolId\n * const auth = await getAuthAuto({\n * region: 'us-east-1',\n * userPoolId: 'us-east-1_xxx',\n * clientId: 'xxx'\n * });\n *\n * // Auto-detect Nostr from relays\n * const auth = await getAuthAuto({\n * relays: ['wss://relay.damus.io']\n * });\n * ```\n */\nexport async function getAuthAuto(\n options: Record<string, unknown>,\n): Promise<AuthInterface> {\n // Detect Keycloak from serverUrl and realm\n if (options.serverUrl && options.realm) {\n return getAuth({ ...options, type: 'keycloak' } as KeycloakOptions);\n }\n\n // Detect Cognito from region and userPoolId\n if (options.region && options.userPoolId) {\n return getAuth({ ...options, type: 'cognito' } as CognitoOptions);\n }\n\n // Detect Nostr from relays\n if (\n options.relays &&\n Array.isArray(options.relays) &&\n options.relays.length > 0\n ) {\n return getAuth({ ...options, type: 'nostr' } as NostrOptions);\n }\n\n throw new ValidationError(\n 'Could not auto-detect auth provider from options',\n {\n hint: 'Please specify a \"type\" field or provide provider-specific configuration',\n supportedTypes: ['keycloak', 'cognito', 'nostr'],\n providedOptions: Object.keys(options),\n },\n );\n}\n"],"names":["AuthErrorCode"],"mappings":";AAUO,IAAK,kCAAAA,mBAAL;AAELA,iBAAA,qBAAA,IAAsB;AACtBA,iBAAA,eAAA,IAAgB;AAChBA,iBAAA,eAAA,IAAgB;AAChBA,iBAAA,uBAAA,IAAwB;AACxBA,iBAAA,iBAAA,IAAkB;AAClBA,iBAAA,cAAA,IAAe;AACfA,iBAAA,kBAAA,IAAmB;AAGnBA,iBAAA,eAAA,IAAgB;AAChBA,iBAAA,oBAAA,IAAqB;AACrBA,iBAAA,cAAA,IAAe;AAGfA,iBAAA,gBAAA,IAAiB;AACjBA,iBAAA,qBAAA,IAAsB;AACtBA,iBAAA,eAAA,IAAgB;AAGhBA,iBAAA,gBAAA,IAAiB;AACjBA,iBAAA,qBAAA,IAAsB;AACtBA,iBAAA,eAAA,IAAgB;AAGhBA,iBAAA,eAAA,IAAgB;AAChBA,iBAAA,eAAA,IAAgB;AAChBA,iBAAA,eAAA,IAAgB;AAChBA,iBAAA,gBAAA,IAAiB;AACjBA,iBAAA,sBAAA,IAAuB;AAGvBA,iBAAA,mBAAA,IAAoB;AACpBA,iBAAA,aAAA,IAAc;AACdA,iBAAA,mBAAA,IAAoB;AACpBA,iBAAA,qBAAA,IAAsB;AACtBA,iBAAA,aAAA,IAAc;AAGdA,iBAAA,iBAAA,IAAkB;AAClBA,iBAAA,eAAA,IAAgB;AAzCN,SAAAA;AAAA,GAAA,iBAAA,CAAA,CAAA;AA+CL,MAAM,kBAAkB,MAAM;AAAA,EACnB;AAAA,EACA;AAAA,EACA;AAAA,EAEhB,YACE,SACA,MACA,UACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,OAAO;AACZ,SAAK,WAAW;AAChB,SAAK,UAAU;AAGf,QAAI,MAAM,mBAAmB;AAC3B,YAAM,kBAAkB,MAAM,SAAS;AAAA,IACzC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,SAAkC;AAChC,WAAO;AAAA,MACL,MAAM,KAAK;AAAA,MACX,SAAS,KAAK;AAAA,MACd,MAAM,KAAK;AAAA,MACX,UAAU,KAAK;AAAA,MACf,SAAS,KAAK;AAAA,MACd,OAAO,KAAK;AAAA,IAAA;AAAA,EAEhB;AACF;AASO,MAAM,gCAAgC,UAAU;AAAA,EACrD,YAAY,UAAmB,SAAmC;AAChE;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,0BAA0B,UAAU;AAAA,EAC/C,YACE,SACA,UACA,SACA;AACA;AAAA,MACE,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,0BAA0B,UAAU;AAAA,EAC/B;AAAA,EAEhB,YACE,UACA,WACA,SACA;AACA,UAAM,qBAAqB,iBAA6B,UAAU,OAAO;AACzE,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAKO,MAAM,iCAAiC,UAAU;AAAA,EACtD,YAAY,UAAmB,SAAmC;AAChE;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,4BAA4B,UAAU;AAAA,EACjD,YAAY,UAAmB,SAAmC;AAChE;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,yBAAyB,UAAU;AAAA,EAC9B;AAAA,EAEhB,YACE,UACA,YACA,SACA;AACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AACZ,SAAK,aAAa;AAAA,EACpB;AACF;AAKO,MAAM,4BAA4B,UAAU;AAAA,EACjD,YAAY,UAAmB,SAAmC;AAChE;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AASO,MAAM,0BAA0B,UAAU;AAAA,EAC/C,YACE,SACA,UACA,SACA;AACA;AAAA,MACE,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,+BAA+B,UAAU;AAAA,EACpC;AAAA,EACA;AAAA,EAEhB,YACE,gBACA,eACA,UACA,SACA;AACA;AAAA,MACE,iCAAiC,gBAAgB,KAAK,IAAI,KAAK,SAAS;AAAA,MACxE;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AACZ,SAAK,iBAAiB;AACtB,SAAK,gBAAgB;AAAA,EACvB;AACF;AASO,MAAM,0BAA0B,UAAU;AAAA,EAC/B;AAAA,EAEhB,YACE,QACA,UACA,SACA;AACA;AAAA,MACE,SAAS,mBAAmB,MAAM,KAAK;AAAA,MACvC;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AACF;AAKO,MAAM,+BAA+B,UAAU;AAAA,EACpD,YACE,YACA,UACA,SACA;AACA;AAAA,MACE,aAAa,wBAAwB,UAAU,KAAK;AAAA,MACpD;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,0BAA0B,UAAU;AAAA,EAC/C,YACE,QACA,UACA,SACA;AACA;AAAA,MACE,SAAS,qBAAqB,MAAM,KAAK;AAAA,MACzC;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AASO,MAAM,sBAAsB,UAAU;AAAA,EAC3B;AAAA,EAEhB,YACE,SACA,UACA,eACA,SACA;AACA,UAAM,SAAS,kBAA8B,UAAU,OAAO;AAC9D,SAAK,OAAO;AACZ,SAAK,gBAAgB;AAAA,EACvB;AACF;AAKO,MAAM,2BAA2B,UAAU;AAAA,EAChD,YACE,SACA,UACA,SACA;AACA,UAAM,SAAS,uBAAmC,UAAU,OAAO;AACnE,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,qBAAqB,UAAU;AAAA,EAC1B;AAAA,EAEhB,YACE,SACA,UACA,eACA,SACA;AACA;AAAA,MACE,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AACZ,SAAK,gBAAgB;AAAA,EACvB;AACF;AASO,MAAM,0BAA0B,UAAU;AAAA,EAC/C,YAAY,UAAmB,SAAmC;AAChE;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,0BAA0B,UAAU;AAAA,EAC/C,YAAY,UAAmB,SAAmC;AAChE;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,0BAA0B,UAAU;AAAA,EAC/C,YACE,SACA,UACA,SACA;AACA;AAAA,MACE,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,2BAA2B,UAAU;AAAA,EAChD,YAAY,UAAmB,SAAmC;AAChE;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,gCAAgC,UAAU;AAAA,EACrD,YAAY,UAAmB,SAAmC;AAChE;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AASO,MAAM,8BAA8B,UAAU;AAAA,EACnD,YAAY,SAAkB,SAAmC;AAC/D;AAAA,MACE,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,mBAAmB,UAAU;AAAA,EACxB;AAAA,EACA;AAAA,EAEhB,YACE,SACA,UACA,eACA,SACA;AACA,UAAM,SAAS,eAA2B,SAAS;AAAA,MACjD,GAAG;AAAA,MACH;AAAA,IAAA,CACD;AACD,SAAK,OAAO;AACZ,SAAK,WAAW;AAChB,SAAK,gBAAgB;AAAA,EACvB;AACF;AAKO,MAAM,8BAA8B,UAAU;AAAA,EACnD,YAAY,SAAmC;AAC7C;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,+BAA+B,UAAU;AAAA,EACpD,YAAY,SAAmC;AAC7C;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AAKO,MAAM,wBAAwB,UAAU;AAAA,EAC7C,YAAY,SAAkB,SAAmC;AAC/D;AAAA,MACE,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AAAA,EACd;AACF;AASO,MAAM,4BAA4B,UAAU;AAAA,EACjC;AAAA,EAEhB,YACE,WACA,UACA,SACA;AACA;AAAA,MACE,cAAc,SAAS;AAAA,MACvB;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAEF,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAKO,SAAS,YAAY,OAAoC;AAC9D,SAAO,iBAAiB;AAC1B;AAKO,SAAS,aAAa,OAAgB,MAA8B;AACzE,SAAO,YAAY,KAAK,KAAK,MAAM,SAAS;AAC9C;ACzjBA,SAAS,kBACP,SAC4B;AAC5B,SAAO,QAAQ,SAAS;AAC1B;AAKA,SAAS,iBAAiB,SAAoD;AAC5E,SAAO,QAAQ,SAAS;AAC1B;AAKA,SAAS,eAAe,SAAkD;AACxE,SAAO,QAAQ,SAAS;AAC1B;AAKA,SAAS,gBAAgB,SAAmD;AAC1E,SAAO,QAAQ,SAAS;AAC1B;AAKA,SAAS,gBAAgB,SAAmD;AAC1E,SAAO,QAAQ,SAAS;AAC1B;AAKA,SAAS,gBAAgB,SAAmD;AAC1E,SAAO,QAAQ,SAAS;AAC1B;AA0DA,eAAsB,QAAQ,SAAiD;AAE7E,QAAM,oBAAoB;AAAA,IACxB;AAAA,IACA;AAAA,MACE,aAAa;AAAA,MACb,QAAQ;AAAA,QACN,MAAM;AAAA,QACN,WAAW;AAAA,QACX,OAAO;AAAA,QACP,UAAU;AAAA,QACV,cAAc;AAAA,QACd,aAAa;AAAA,QACb,QAAQ;AAAA;AAAA,QACR,QAAQ;AAAA,QACR,YAAY;AAAA,QACZ,QAAQ;AAAA,QACR,QAAQ;AAAA;AAAA,QACR,YAAY;AAAA,QACZ,qBAAqB;AAAA,QACrB,cAAc;AAAA,QACd,SAAS;AAAA,QACT,YAAY;AAAA;AAAA,QAEZ,eAAe;AAAA,QACf,eAAe;AAAA,MAAA;AAAA,MAEjB,WAAW;AAAA;AAAA,QAET,QAAQ,CAAC,UACP,MACG,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,EAAE,KAAA,CAAM,EACnB,OAAO,OAAO;AAAA,QACnB,QAAQ,CAAC,UACP,MACG,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,EAAE,KAAA,CAAM,EACnB,OAAO,OAAO;AAAA,MAAA;AAAA,IACrB;AAAA,EACF;AAEF,YAAU;AAEV,MAAI,kBAAkB,OAAO,GAAG;AAC9B,UAAM,EAAE,iBAAA,IAAqB,MAAM,OAAO,+BAAyB;AACnE,WAAO,IAAI,iBAAiB,OAAO;AAAA,EACrC;AAEA,MAAI,iBAAiB,OAAO,GAAG;AAC7B,UAAM,EAAE,gBAAA,IAAoB,MAAM,OAAO,8BAAwB;AACjE,WAAO,IAAI,gBAAgB,OAAO;AAAA,EACpC;AAEA,MAAI,eAAe,OAAO,GAAG;AAC3B,UAAM,EAAE,cAAA,IAAkB,MAAM,OAAO,4BAA4B;AACnE,WAAO,IAAI,cAAc,OAAO;AAAA,EAClC;AAEA,MAAI,gBAAgB,OAAO,GAAG;AAC5B,UAAM,EAAE,eAAA,IAAmB,MAAM,OAAO,6BAAuB;AAC/D,WAAO,IAAI,eAAe,OAAO;AAAA,EACnC;AAEA,MAAI,gBAAgB,OAAO,GAAG;AAC5B,UAAM,EAAE,eAAA,IAAmB,MAAM,OAAO,6BAAuB;AAC/D,WAAO,IAAI,eAAe,OAAO;AAAA,EACnC;AAEA,MAAI,gBAAgB,OAAO,GAAG;AAC5B,UAAM,EAAE,eAAA,IAAmB,MAAM,OAAO,6BAAuB;AAC/D,WAAO,IAAI,eAAe,OAAO;AAAA,EACnC;AAEA,QAAM,IAAI,gBAAgB,kCAAkC;AAAA,IAC1D,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAAA,IAEF,cAAe,QAAoC;AAAA,EAAA,CACpD;AACH;AA+BA,eAAsB,YACpB,SACwB;AAExB,MAAI,QAAQ,aAAa,QAAQ,OAAO;AACtC,WAAO,QAAQ,EAAE,GAAG,SAAS,MAAM,YAA+B;AAAA,EACpE;AAGA,MAAI,QAAQ,UAAU,QAAQ,YAAY;AACxC,WAAO,QAAQ,EAAE,GAAG,SAAS,MAAM,WAA6B;AAAA,EAClE;AAGA,MACE,QAAQ,UACR,MAAM,QAAQ,QAAQ,MAAM,KAC5B,QAAQ,OAAO,SAAS,GACxB;AACA,WAAO,QAAQ,EAAE,GAAG,SAAS,MAAM,SAAyB;AAAA,EAC9D;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN,gBAAgB,CAAC,YAAY,WAAW,OAAO;AAAA,MAC/C,iBAAiB,OAAO,KAAK,OAAO;AAAA,IAAA;AAAA,EACtC;AAEJ;"}