npm - @happyvertical/auth - Versions diffs - 0.74.8 - Mend

@happyvertical/auth 0.74.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/AGENT.md +33 -0
package/LICENSE +7 -0
package/README.md +73 -0
package/dist/chunks/cognito-dmypylFX.js +128 -0
package/dist/chunks/cognito-dmypylFX.js.map +1 -0
package/dist/chunks/decode_jwt-D2OK1b8a.js +1395 -0
package/dist/chunks/decode_jwt-D2OK1b8a.js.map +1 -0
package/dist/chunks/github-NSZp5tVm.js +413 -0
package/dist/chunks/github-NSZp5tVm.js.map +1 -0
package/dist/chunks/google-HXk2ctYR.js +483 -0
package/dist/chunks/google-HXk2ctYR.js.map +1 -0
package/dist/chunks/index-BpsMhFXS.js +151 -0
package/dist/chunks/index-BpsMhFXS.js.map +1 -0
package/dist/chunks/kanidm-hkw-YPVF.js +747 -0
package/dist/chunks/kanidm-hkw-YPVF.js.map +1 -0
package/dist/chunks/keycloak-t6JEUeOz.js +871 -0
package/dist/chunks/keycloak-t6JEUeOz.js.map +1 -0
package/dist/cli/claude-context.d.ts +3 -0
package/dist/cli/claude-context.d.ts.map +1 -0
package/dist/cli/claude-context.js +21 -0
package/dist/cli/claude-context.js.map +1 -0
package/dist/index.d.ts +65 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +499 -0
package/dist/index.js.map +1 -0
package/dist/shared/errors.d.ts +227 -0
package/dist/shared/errors.d.ts.map +1 -0
package/dist/shared/factory.d.ts +85 -0
package/dist/shared/factory.d.ts.map +1 -0
package/dist/shared/providers/cognito.d.ts +38 -0
package/dist/shared/providers/cognito.d.ts.map +1 -0
package/dist/shared/providers/github.d.ts +65 -0
package/dist/shared/providers/github.d.ts.map +1 -0
package/dist/shared/providers/google.d.ts +58 -0
package/dist/shared/providers/google.d.ts.map +1 -0
package/dist/shared/providers/kanidm.d.ts +78 -0
package/dist/shared/providers/kanidm.d.ts.map +1 -0
package/dist/shared/providers/keycloak.d.ts +67 -0
package/dist/shared/providers/keycloak.d.ts.map +1 -0
package/dist/shared/providers/nostr/index.d.ts +47 -0
package/dist/shared/providers/nostr/index.d.ts.map +1 -0
package/dist/shared/types.d.ts +812 -0
package/dist/shared/types.d.ts.map +1 -0
package/metadata.json +32 -0
package/package.json +60 -0

package/dist/chunks/kanidm-hkw-YPVF.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"kanidm-hkw-YPVF.js","sources":["../../src/shared/providers/kanidm.ts"],"sourcesContent":["/**\n * Kanidm Provider - OAuth2/OIDC Authentication\n *\n * Implements OAuth2/OIDC authentication with Kanidm server including:\n * - OIDC Discovery (client-specific endpoints)\n * - Authorization Code Flow with PKCE (required by Kanidm)\n * - Token validation using JWKS (ES256)\n * - Token introspection\n * - User management via Kanidm's native /v1/ API\n */\n\nimport * as jose from 'jose';\n\nimport {\n AccessDeniedError,\n ConfigurationError,\n InvalidClientError,\n InvalidCredentialsError,\n InvalidGrantError,\n InvalidNonceError,\n InvalidTokenError,\n NetworkError,\n NotImplementedError,\n ProviderError,\n TokenExpiredError,\n UserAlreadyExistsError,\n UserNotFoundError,\n} from '../errors.js';\nimport type {\n AuthCapabilities,\n AuthCredentials,\n AuthInterface,\n AuthorizationOptions,\n AuthorizationResult,\n AuthResult,\n CodeExchangeParams,\n CreateUserRequest,\n KanidmOptions,\n LogoutOptions,\n OIDCDiscoveryDocument,\n Session,\n TokenClaims,\n TokenIntrospection,\n TokenPayload,\n TokenValidationOptions,\n UserListResult,\n UserProfile,\n UserQuery,\n} from '../types.js';\n\n/**\n * Generate a random string for state/nonce/PKCE.\n */\nfunction generateRandomString(length = 32): string {\n const array = new Uint8Array(length);\n crypto.getRandomValues(array);\n return Array.from(array, (byte) => byte.toString(16).padStart(2, '0')).join(\n '',\n );\n}\n\n/**\n * Generate PKCE code verifier and challenge.\n */\nasync function generatePKCE(): Promise<{\n verifier: string;\n challenge: string;\n}> {\n const verifier = generateRandomString(32);\n const encoder = new TextEncoder();\n const data = encoder.encode(verifier);\n const hash = await crypto.subtle.digest('SHA-256', data);\n const challenge = btoa(String.fromCharCode(...new Uint8Array(hash)))\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_')\n .replace(/=+$/, '');\n return { verifier, challenge };\n}\n\n/**\n * Kanidm authentication provider.\n *\n * Implements OAuth2/OIDC authentication with Kanidm server.\n * Key differences from Keycloak:\n * - Client-specific OIDC endpoints: /oauth2/openid/{clientId}/...\n * - ES256 token signing (not RS256)\n * - Authorization code flow only (no password grant)\n * - Native /v1/ API for admin operations (multi-step auth)\n */\nexport class KanidmProvider implements AuthInterface {\n private options: Required<Pick<KanidmOptions, 'serverUrl' | 'clientId'>> &\n KanidmOptions;\n private discoveryDocument: OIDCDiscoveryDocument | null = null;\n private jwks: jose.JWTVerifyGetKey | null = null;\n private adminToken: string | null = null;\n private adminTokenExpiry: number = 0;\n\n constructor(options: KanidmOptions) {\n if (!options.serverUrl) {\n throw new ConfigurationError('serverUrl is required', 'kanidm');\n }\n if (!options.clientId) {\n throw new ConfigurationError('clientId is required', 'kanidm');\n }\n\n this.options = {\n usePKCE: true, // Required by Kanidm\n verifySsl: true,\n scopes: ['openid', 'profile', 'email', 'groups'],\n timeout: 30000,\n maxRetries: 3,\n ...options,\n };\n }\n\n // ---------------------------------------------------------------------------\n // INTERNAL HELPERS\n // ---------------------------------------------------------------------------\n\n /**\n * Get the OIDC base URL for this client.\n * Kanidm uses client-specific OIDC endpoints.\n */\n private getOidcBaseUrl(): string {\n return `${this.options.serverUrl}/oauth2/openid/${this.options.clientId}`;\n }\n\n /**\n * Get the native API base URL.\n */\n private getApiBaseUrl(): string {\n return `${this.options.serverUrl}/v1`;\n }\n\n /**\n * Make an HTTP request with error handling.\n */\n private async request<T>(\n url: string,\n options: RequestInit = {},\n token?: string,\n ): Promise<T> {\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n ...this.options.headers,\n ...(options.headers as Record<string, string>),\n };\n\n if (token) {\n headers.Authorization = `Bearer ${token}`;\n }\n\n try {\n const response = await fetch(url, {\n ...options,\n headers,\n signal: AbortSignal.timeout(this.options.timeout || 30000),\n });\n\n if (!response.ok) {\n const errorBody = await response.text().catch(() => '');\n let errorData: Record<string, unknown> = {};\n try {\n errorData = JSON.parse(errorBody);\n } catch {\n // Not JSON\n }\n\n this.handleHttpError(response.status, errorData, errorBody);\n }\n\n const text = await response.text();\n if (!text) return {} as T;\n return JSON.parse(text) as T;\n } catch (error) {\n if (error instanceof Error && error.name === 'TimeoutError') {\n throw new NetworkError('Request timed out', 'kanidm', error);\n }\n if (\n error instanceof InvalidCredentialsError ||\n error instanceof AccessDeniedError ||\n error instanceof InvalidGrantError ||\n error instanceof InvalidClientError ||\n error instanceof UserNotFoundError ||\n error instanceof ProviderError\n ) {\n throw error;\n }\n throw new NetworkError(\n `Network error: ${error instanceof Error ? error.message : 'Unknown error'}`,\n 'kanidm',\n error instanceof Error ? error : undefined,\n );\n }\n }\n\n /**\n * Handle HTTP error responses.\n */\n private handleHttpError(\n status: number,\n data: Record<string, unknown>,\n rawBody: string,\n ): never {\n const error = data.error as string | undefined;\n const errorDescription =\n data.message || data.error_description || data.errorMessage || rawBody;\n\n switch (status) {\n case 400:\n if (error === 'invalid_grant') {\n throw new InvalidGrantError(errorDescription as string, 'kanidm');\n }\n if (error === 'invalid_client') {\n throw new InvalidClientError('kanidm');\n }\n throw new ProviderError(`Bad request: ${errorDescription}`, 'kanidm');\n\n case 401:\n throw new InvalidCredentialsError('kanidm');\n\n case 403:\n throw new AccessDeniedError(errorDescription as string, 'kanidm');\n\n case 404:\n throw new UserNotFoundError(undefined, 'kanidm');\n\n case 409:\n throw new UserAlreadyExistsError(undefined, 'kanidm');\n\n default:\n throw new ProviderError(\n `Kanidm error (${status}): ${errorDescription}`,\n 'kanidm',\n );\n }\n }\n\n /**\n * Fetch and cache the OIDC discovery document.\n */\n private async fetchDiscoveryDocument(): Promise<OIDCDiscoveryDocument> {\n if (this.discoveryDocument) {\n return this.discoveryDocument;\n }\n\n const url = `${this.getOidcBaseUrl()}/.well-known/openid-configuration`;\n this.discoveryDocument = await this.request<OIDCDiscoveryDocument>(url);\n return this.discoveryDocument;\n }\n\n /**\n * Get JWKS for token validation.\n */\n private async getJWKS(): Promise<jose.JWTVerifyGetKey> {\n if (this.jwks) {\n return this.jwks;\n }\n\n const discovery = await this.fetchDiscoveryDocument();\n this.jwks = jose.createRemoteJWKSet(new URL(discovery.jwks_uri));\n return this.jwks;\n }\n\n /**\n * Authenticate with Kanidm's native API to get an admin token.\n * Uses the multi-step authentication flow.\n */\n private async getAdminToken(): Promise<string> {\n // Check if we have a valid cached token\n if (this.adminToken && Date.now() < this.adminTokenExpiry) {\n return this.adminToken;\n }\n\n if (!this.options.adminUsername || !this.options.adminPassword) {\n throw new ConfigurationError(\n 'adminUsername and adminPassword are required for admin operations',\n 'kanidm',\n );\n }\n\n const authUrl = `${this.getApiBaseUrl()}/auth`;\n\n // Step 1: Initialize auth\n const initResponse = await fetch(authUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n step: {\n init2: {\n username: this.options.adminUsername,\n issue: 'token',\n privileged: true,\n },\n },\n }),\n signal: AbortSignal.timeout(this.options.timeout || 30000),\n });\n\n if (!initResponse.ok) {\n throw new InvalidCredentialsError('kanidm', {\n reason: 'Failed to initialize admin authentication',\n });\n }\n\n // Get session cookie from response\n const cookies = initResponse.headers.get('set-cookie');\n\n // Step 2: Begin password authentication\n const beginResponse = await fetch(authUrl, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n ...(cookies ? { Cookie: cookies } : {}),\n },\n body: JSON.stringify({\n step: {\n begin: 'password',\n },\n }),\n signal: AbortSignal.timeout(this.options.timeout || 30000),\n });\n\n if (!beginResponse.ok) {\n throw new InvalidCredentialsError('kanidm', {\n reason: 'Failed to begin password authentication',\n });\n }\n\n // Step 3: Provide password\n const credResponse = await fetch(authUrl, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n ...(cookies ? { Cookie: cookies } : {}),\n },\n body: JSON.stringify({\n step: {\n cred: {\n password: this.options.adminPassword,\n },\n },\n }),\n signal: AbortSignal.timeout(this.options.timeout || 30000),\n });\n\n if (!credResponse.ok) {\n throw new InvalidCredentialsError('kanidm', {\n reason: 'Invalid admin credentials',\n });\n }\n\n const result = (await credResponse.json()) as {\n state?: { success?: string };\n token?: string;\n };\n\n // Extract token from response\n const token = result.state?.success || result.token;\n if (!token) {\n throw new ProviderError(\n 'Failed to obtain admin token from Kanidm',\n 'kanidm',\n );\n }\n\n this.adminToken = token;\n // Cache for 1 hour (Kanidm tokens typically last longer, but this is safe)\n this.adminTokenExpiry = Date.now() + 3600000;\n\n return this.adminToken;\n }\n\n // ---------------------------------------------------------------------------\n // AUTHENTICATION FLOWS\n // ---------------------------------------------------------------------------\n\n async getAuthorizationUrl(\n options?: AuthorizationOptions,\n ): Promise<AuthorizationResult> {\n const discovery = await this.fetchDiscoveryDocument();\n\n const state = options?.state || generateRandomString();\n const nonce = options?.nonce || generateRandomString();\n const scopes = options?.scopes ||\n this.options.scopes || ['openid', 'profile', 'email', 'groups'];\n const redirectUri = options?.redirectUri || this.options.redirectUri;\n\n if (!redirectUri) {\n throw new ConfigurationError('redirectUri is required', 'kanidm');\n }\n\n const params = new URLSearchParams({\n client_id: this.options.clientId,\n redirect_uri: redirectUri,\n response_type: 'code',\n scope: scopes.join(' '),\n state,\n nonce,\n });\n\n if (options?.prompt) {\n params.set('prompt', options.prompt);\n }\n\n if (options?.loginHint) {\n params.set('login_hint', options.loginHint);\n }\n\n // Add extra params\n if (options?.extraParams) {\n for (const [key, value] of Object.entries(options.extraParams)) {\n params.set(key, value);\n }\n }\n\n // PKCE is required by Kanidm\n const pkce = await generatePKCE();\n params.set('code_challenge', pkce.challenge);\n params.set('code_challenge_method', 'S256');\n\n const url = `${discovery.authorization_endpoint}?${params.toString()}`;\n\n return {\n url,\n state,\n nonce,\n codeVerifier: pkce.verifier,\n };\n }\n\n async exchangeCode(params: CodeExchangeParams): Promise<AuthResult> {\n const discovery = await this.fetchDiscoveryDocument();\n\n const redirectUri = params.redirectUri || this.options.redirectUri;\n if (!redirectUri) {\n throw new ConfigurationError('redirectUri is required', 'kanidm');\n }\n\n const body = new URLSearchParams({\n grant_type: 'authorization_code',\n client_id: this.options.clientId,\n code: params.code,\n redirect_uri: redirectUri,\n });\n\n if (this.options.clientSecret) {\n body.set('client_secret', this.options.clientSecret);\n }\n\n // Code verifier is required for PKCE\n if (params.codeVerifier) {\n body.set('code_verifier', params.codeVerifier);\n }\n\n const response = await this.request<{\n access_token: string;\n refresh_token?: string;\n id_token?: string;\n expires_in: number;\n token_type: string;\n scope?: string;\n }>(discovery.token_endpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: body.toString(),\n });\n\n // Decode ID token to get user ID\n let userId = '';\n if (response.id_token) {\n const payload = jose.decodeJwt(response.id_token);\n userId = payload.sub || '';\n }\n\n return {\n accessToken: response.access_token,\n tokenType: response.token_type || 'Bearer',\n expiresIn: response.expires_in,\n refreshToken: response.refresh_token,\n idToken: response.id_token,\n scope: response.scope,\n userId,\n };\n }\n\n async authenticate(_credentials: AuthCredentials): Promise<AuthResult> {\n // Kanidm only supports authorization_code grant for OAuth2\n // Direct authentication is not supported via OAuth2\n throw new NotImplementedError('authenticate', 'kanidm', {\n reason:\n 'Kanidm only supports authorization code flow. Use getAuthorizationUrl() and exchangeCode() instead.',\n });\n }\n\n async refresh(refreshToken: string): Promise<AuthResult> {\n const discovery = await this.fetchDiscoveryDocument();\n\n const body = new URLSearchParams({\n grant_type: 'refresh_token',\n client_id: this.options.clientId,\n refresh_token: refreshToken,\n });\n\n if (this.options.clientSecret) {\n body.set('client_secret', this.options.clientSecret);\n }\n\n const response = await this.request<{\n access_token: string;\n refresh_token?: string;\n id_token?: string;\n expires_in: number;\n token_type: string;\n scope?: string;\n }>(discovery.token_endpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: body.toString(),\n });\n\n // Decode to get user ID\n let userId = '';\n if (response.access_token) {\n const payload = jose.decodeJwt(response.access_token);\n userId = payload.sub || '';\n }\n\n return {\n accessToken: response.access_token,\n tokenType: response.token_type || 'Bearer',\n expiresIn: response.expires_in,\n refreshToken: response.refresh_token || refreshToken,\n idToken: response.id_token,\n scope: response.scope,\n userId,\n };\n }\n\n async logout(options?: LogoutOptions): Promise<void> {\n const discovery = await this.fetchDiscoveryDocument();\n\n // Revoke refresh token if provided\n // Silently ignore failures - invalid tokens are effectively already revoked\n if (options?.refreshToken && discovery.revocation_endpoint) {\n const body = new URLSearchParams({\n client_id: this.options.clientId,\n token: options.refreshToken,\n token_type_hint: 'refresh_token',\n });\n\n if (this.options.clientSecret) {\n body.set('client_secret', this.options.clientSecret);\n }\n\n try {\n await this.request(discovery.revocation_endpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: body.toString(),\n });\n } catch {\n // Ignore revocation errors - token may already be invalid/revoked\n }\n }\n\n // Revoke access token if provided\n // Silently ignore failures - invalid tokens are effectively already revoked\n if (options?.token && discovery.revocation_endpoint) {\n const body = new URLSearchParams({\n client_id: this.options.clientId,\n token: options.token,\n token_type_hint: 'access_token',\n });\n\n if (this.options.clientSecret) {\n body.set('client_secret', this.options.clientSecret);\n }\n\n try {\n await this.request(discovery.revocation_endpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: body.toString(),\n });\n } catch {\n // Ignore revocation errors - token may already be invalid/revoked\n }\n }\n }\n\n // ---------------------------------------------------------------------------\n // TOKEN OPERATIONS\n // ---------------------------------------------------------------------------\n\n async validateToken(\n token: string,\n options?: TokenValidationOptions,\n ): Promise<TokenClaims | null> {\n try {\n const jwks = await this.getJWKS();\n const discovery = await this.fetchDiscoveryDocument();\n\n const verifyOptions: jose.JWTVerifyOptions = {\n issuer: options?.issuer || discovery.issuer,\n clockTolerance: options?.clockTolerance || 0,\n };\n\n if (options?.audience) {\n verifyOptions.audience = options.audience;\n }\n\n const { payload } = await jose.jwtVerify(token, jwks, verifyOptions);\n\n // Check nonce if provided\n if (options?.nonce && payload.nonce !== options.nonce) {\n throw new InvalidNonceError('kanidm');\n }\n\n // Extract groups from Kanidm token structure\n // Kanidm uses 'groups' claim directly\n const groups = (payload.groups as string[]) || [];\n\n return {\n sub: payload.sub || '',\n iss: payload.iss || '',\n aud: payload.aud || '',\n exp: payload.exp || 0,\n iat: payload.iat || 0,\n nbf: payload.nbf,\n azp: payload.azp as string | undefined,\n email: payload.email as string | undefined,\n email_verified: payload.email_verified as boolean | undefined,\n preferred_username: payload.preferred_username as string | undefined,\n name: payload.name as string | undefined,\n roles: groups, // Map groups to roles for consistency\n ...payload,\n };\n } catch (error) {\n if (error instanceof jose.errors.JWTExpired) {\n throw new TokenExpiredError('kanidm');\n }\n if (error instanceof jose.errors.JWTClaimValidationFailed) {\n return null;\n }\n if (error instanceof jose.errors.JWSSignatureVerificationFailed) {\n throw new InvalidTokenError('Invalid token signature', 'kanidm');\n }\n if (error instanceof InvalidNonceError) {\n throw error;\n }\n return null;\n }\n }\n\n decodeToken(token: string): TokenPayload {\n try {\n const parts = token.split('.');\n if (parts.length !== 3) {\n throw new InvalidTokenError('Invalid JWT format', 'kanidm');\n }\n\n const header = JSON.parse(atob(parts[0]));\n const payload = jose.decodeJwt(token);\n\n return {\n header: {\n alg: header.alg,\n typ: header.typ,\n kid: header.kid,\n },\n payload: payload as unknown as TokenClaims,\n signature: parts[2],\n };\n } catch {\n throw new InvalidTokenError('Failed to decode token', 'kanidm');\n }\n }\n\n async introspectToken(token: string): Promise<TokenIntrospection> {\n const discovery = await this.fetchDiscoveryDocument();\n\n if (!discovery.introspection_endpoint) {\n // Fallback to local validation\n const claims = await this.validateToken(token);\n return {\n active: claims !== null,\n claims: claims || undefined,\n };\n }\n\n const body = new URLSearchParams({\n client_id: this.options.clientId,\n token,\n });\n\n if (this.options.clientSecret) {\n body.set('client_secret', this.options.clientSecret);\n }\n\n const response = await this.request<{\n active: boolean;\n sub?: string;\n iss?: string;\n aud?: string | string[];\n exp?: number;\n iat?: number;\n client_id?: string;\n scope?: string;\n token_type?: string;\n [key: string]: unknown;\n }>(discovery.introspection_endpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: body.toString(),\n });\n\n if (!response.active) {\n return { active: false };\n }\n\n return {\n active: true,\n claims: {\n sub: response.sub || '',\n iss: response.iss || '',\n aud: response.aud || '',\n exp: response.exp || 0,\n iat: response.iat || 0,\n ...response,\n },\n tokenType: response.token_type,\n clientId: response.client_id,\n scope: response.scope,\n };\n }\n\n // ---------------------------------------------------------------------------\n // USER OPERATIONS\n // ---------------------------------------------------------------------------\n\n async getProfile(tokenOrSession: string): Promise<UserProfile> {\n const discovery = await this.fetchDiscoveryDocument();\n\n const response = await this.request<{\n sub: string;\n preferred_username?: string;\n email?: string;\n email_verified?: boolean;\n name?: string;\n given_name?: string;\n family_name?: string;\n picture?: string;\n groups?: string[];\n [key: string]: unknown;\n }>(discovery.userinfo_endpoint, {\n method: 'GET',\n headers: { Authorization: `Bearer ${tokenOrSession}` },\n });\n\n return {\n id: response.sub,\n username: response.preferred_username,\n email: response.email,\n emailVerified: response.email_verified,\n firstName: response.given_name,\n lastName: response.family_name,\n displayName: response.name,\n picture: response.picture,\n groups: response.groups,\n };\n }\n\n async updateProfile(\n _tokenOrSession: string,\n _profile: Partial<UserProfile>,\n ): Promise<UserProfile> {\n // Kanidm doesn't expose profile update via OAuth2/OIDC\n throw new NotImplementedError('updateProfile', 'kanidm', {\n reason:\n 'Profile updates are not supported via OAuth2. Use admin API with createUser/updateUser.',\n });\n }\n\n async getUser(userId: string, _adminToken?: string): Promise<UserProfile> {\n const token = await this.getAdminToken();\n\n const response = await this.request<KanidmPerson>(\n `${this.getApiBaseUrl()}/person/${userId}`,\n { method: 'GET' },\n token,\n );\n\n return this.mapKanidmPerson(response);\n }\n\n async createUser(\n user: CreateUserRequest,\n _adminToken: string,\n ): Promise<UserProfile> {\n const token = await this.getAdminToken();\n\n const kanidmPerson: Partial<KanidmPersonCreate> = {\n attrs: {\n name: [user.username],\n displayname: [\n user.firstName && user.lastName\n ? `${user.firstName} ${user.lastName}`\n : user.username,\n ],\n },\n };\n\n if (user.email && kanidmPerson.attrs) {\n kanidmPerson.attrs.mail = [user.email];\n }\n\n const response = await fetch(`${this.getApiBaseUrl()}/person`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${token}`,\n },\n body: JSON.stringify(kanidmPerson),\n });\n\n if (!response.ok) {\n const errorBody = await response.text();\n if (response.status === 409) {\n throw new UserAlreadyExistsError(user.username, 'kanidm');\n }\n throw new ProviderError(`Failed to create user: ${errorBody}`, 'kanidm');\n }\n\n // Fetch the created user\n return this.getUser(user.username, token);\n }\n\n async updateUser(\n userId: string,\n updates: Partial<CreateUserRequest>,\n _adminToken: string,\n ): Promise<UserProfile> {\n const token = await this.getAdminToken();\n\n const attrs: Record<string, string[]> = {};\n\n if (updates.email !== undefined) {\n attrs.mail = [updates.email];\n }\n\n if (updates.firstName !== undefined || updates.lastName !== undefined) {\n const displayName =\n updates.firstName && updates.lastName\n ? `${updates.firstName} ${updates.lastName}`\n : updates.firstName || updates.lastName || '';\n if (displayName) {\n attrs.displayname = [displayName];\n }\n }\n\n await this.request(\n `${this.getApiBaseUrl()}/person/${userId}`,\n {\n method: 'PATCH',\n body: JSON.stringify({ attrs }),\n },\n token,\n );\n\n return this.getUser(userId, token);\n }\n\n async deleteUser(userId: string, _adminToken: string): Promise<void> {\n const token = await this.getAdminToken();\n\n await this.request(\n `${this.getApiBaseUrl()}/person/${userId}`,\n { method: 'DELETE' },\n token,\n );\n }\n\n async listUsers(\n query: UserQuery,\n _adminToken?: string,\n ): Promise<UserListResult> {\n const token = await this.getAdminToken();\n\n // Kanidm uses a different query format\n let url = `${this.getApiBaseUrl()}/person`;\n\n // Add search filter if provided\n // Note: Kanidm API may have different filtering capabilities\n const params = new URLSearchParams();\n if (query.search) {\n params.set('search', query.search);\n }\n\n if (params.toString()) {\n url += `?${params.toString()}`;\n }\n\n const response = await this.request<KanidmPerson[]>(\n url,\n { method: 'GET' },\n token,\n );\n\n const users = Array.isArray(response) ? response : [];\n\n // Apply client-side filtering and pagination\n let filteredUsers = users.map((u) => this.mapKanidmPerson(u));\n\n if (query.email) {\n filteredUsers = filteredUsers.filter((u) => u.email === query.email);\n }\n\n if (query.username) {\n filteredUsers = filteredUsers.filter(\n (u) => u.username === query.username,\n );\n }\n\n const total = filteredUsers.length;\n const offset = query.offset || 0;\n const limit = query.limit || 100;\n\n return {\n users: filteredUsers.slice(offset, offset + limit),\n total,\n limit,\n offset,\n };\n }\n\n async requestPasswordReset(_email: string): Promise<void> {\n throw new NotImplementedError('requestPasswordReset', 'kanidm', {\n reason: 'Password reset is not exposed via Kanidm API',\n });\n }\n\n async resetPassword(_token: string, _newPassword: string): Promise<void> {\n throw new NotImplementedError('resetPassword', 'kanidm', {\n reason: 'Password reset is not exposed via Kanidm API',\n });\n }\n\n // ---------------------------------------------------------------------------\n // SESSION OPERATIONS\n // ---------------------------------------------------------------------------\n\n async listSessions(\n _userId: string,\n _adminToken?: string,\n ): Promise<Session[]> {\n throw new NotImplementedError('listSessions', 'kanidm', {\n reason: 'Session management is not exposed via Kanidm API',\n });\n }\n\n async revokeSession(_sessionId: string, _adminToken?: string): Promise<void> {\n throw new NotImplementedError('revokeSession', 'kanidm', {\n reason: 'Session management is not exposed via Kanidm API',\n });\n }\n\n async revokeAllSessions(\n _userId: string,\n _adminToken?: string,\n ): Promise<void> {\n throw new NotImplementedError('revokeAllSessions', 'kanidm', {\n reason: 'Session management is not exposed via Kanidm API',\n });\n }\n\n // ---------------------------------------------------------------------------\n // AUTHORIZATION\n // ---------------------------------------------------------------------------\n\n async hasRole(tokenOrUserId: string, role: string): Promise<boolean> {\n const roles = await this.getRoles(tokenOrUserId);\n return roles.includes(role);\n }\n\n async hasPermission(\n tokenOrUserId: string,\n permission: string,\n resource?: string,\n ): Promise<boolean> {\n // Check if the user has a group matching the permission\n const roles = await this.getRoles(tokenOrUserId);\n const permissionRole = resource ? `${resource}:${permission}` : permission;\n return roles.includes(permissionRole) || roles.includes(permission);\n }\n\n async getRoles(\n tokenOrUserId: string,\n _adminToken?: string,\n ): Promise<string[]> {\n // First try to decode as JWT\n try {\n const claims = await this.validateToken(tokenOrUserId);\n if (claims) {\n return claims.roles || [];\n }\n } catch {\n // Not a valid token\n }\n\n // Try to get user and return their groups\n try {\n const user = await this.getUser(tokenOrUserId);\n return user.groups || [];\n } catch {\n // User not found or other error\n }\n\n return [];\n }\n\n async assignRole(\n _userId: string,\n _role: string,\n _adminToken: string,\n ): Promise<void> {\n throw new NotImplementedError('assignRole', 'kanidm', {\n reason:\n 'Role assignment via API requires group management. Use Kanidm CLI to add users to groups.',\n });\n }\n\n async removeRole(\n _userId: string,\n _role: string,\n _adminToken: string,\n ): Promise<void> {\n throw new NotImplementedError('removeRole', 'kanidm', {\n reason:\n 'Role removal via API requires group management. Use Kanidm CLI to remove users from groups.',\n });\n }\n\n // ---------------------------------------------------------------------------\n // PROVIDER INFORMATION\n // ---------------------------------------------------------------------------\n\n async getCapabilities(): Promise<AuthCapabilities> {\n return {\n authorizationCode: true,\n passwordGrant: false, // Not supported\n clientCredentials: false, // Not supported\n tokenRefresh: true,\n oidc: true,\n userManagement: true, // Via /v1/person API\n sessionManagement: false, // Not exposed\n rbac: true, // Via groups claim\n passwordReset: false, // Not exposed via API\n mfa: true, // Webauthn/passkeys supported\n socialLogin: false,\n federation: true,\n decentralized: false,\n };\n }\n\n async getDiscoveryDocument(): Promise<OIDCDiscoveryDocument | null> {\n return this.fetchDiscoveryDocument();\n }\n\n // ---------------------------------------------------------------------------\n // PRIVATE HELPERS\n // ---------------------------------------------------------------------------\n\n private mapKanidmPerson(person: KanidmPerson): UserProfile {\n const attrs = person.attrs || {};\n\n return {\n id: attrs.uuid?.[0] || attrs.name?.[0] || '',\n username: attrs.name?.[0],\n email: attrs.mail?.[0],\n displayName: attrs.displayname?.[0],\n groups: attrs.memberof,\n enabled: true, // Kanidm doesn't expose this directly\n };\n }\n}\n\n// ---------------------------------------------------------------------------\n// KANIDM API TYPES\n// ---------------------------------------------------------------------------\n\ninterface KanidmPerson {\n attrs: {\n uuid?: string[];\n name?: string[];\n displayname?: string[];\n mail?: string[];\n memberof?: string[];\n [key: string]: string[] | undefined;\n };\n}\n\ninterface KanidmPersonCreate {\n attrs: {\n name: string[];\n displayname?: string[];\n mail?: string[];\n [key: string]: string[] | undefined;\n };\n}\n"],"names":["jose.createRemoteJWKSet","jose.decodeJwt","jose.jwtVerify","jose.errors.JWTExpired","jose.errors.JWTClaimValidationFailed","jose.errors.JWSSignatureVerificationFailed"],"mappings":";;AAqDA,SAAS,qBAAqB,SAAS,IAAY;AACjD,QAAM,QAAQ,IAAI,WAAW,MAAM;AACnC,SAAO,gBAAgB,KAAK;AAC5B,SAAO,MAAM,KAAK,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE;AAAA,IACrE;AAAA,EAAA;AAEJ;AAKA,eAAe,eAGZ;AACD,QAAM,WAAW,qBAAqB,EAAE;AACxC,QAAM,UAAU,IAAI,YAAA;AACpB,QAAM,OAAO,QAAQ,OAAO,QAAQ;AACpC,QAAM,OAAO,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AACvD,QAAM,YAAY,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,IAAI,CAAC,CAAC,EAChE,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AACpB,SAAO,EAAE,UAAU,UAAA;AACrB;AAYO,MAAM,eAAwC;AAAA,EAC3C;AAAA,EAEA,oBAAkD;AAAA,EAClD,OAAoC;AAAA,EACpC,aAA4B;AAAA,EAC5B,mBAA2B;AAAA,EAEnC,YAAY,SAAwB;AAClC,QAAI,CAAC,QAAQ,WAAW;AACtB,YAAM,IAAI,mBAAmB,yBAAyB,QAAQ;AAAA,IAChE;AACA,QAAI,CAAC,QAAQ,UAAU;AACrB,YAAM,IAAI,mBAAmB,wBAAwB,QAAQ;AAAA,IAC/D;AAEA,SAAK,UAAU;AAAA,MACb,SAAS;AAAA;AAAA,MACT,WAAW;AAAA,MACX,QAAQ,CAAC,UAAU,WAAW,SAAS,QAAQ;AAAA,MAC/C,SAAS;AAAA,MACT,YAAY;AAAA,MACZ,GAAG;AAAA,IAAA;AAAA,EAEP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,iBAAyB;AAC/B,WAAO,GAAG,KAAK,QAAQ,SAAS,kBAAkB,KAAK,QAAQ,QAAQ;AAAA,EACzE;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAwB;AAC9B,WAAO,GAAG,KAAK,QAAQ,SAAS;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QACZ,KACA,UAAuB,CAAA,GACvB,OACY;AACZ,UAAM,UAAkC;AAAA,MACtC,gBAAgB;AAAA,MAChB,GAAG,KAAK,QAAQ;AAAA,MAChB,GAAI,QAAQ;AAAA,IAAA;AAGd,QAAI,OAAO;AACT,cAAQ,gBAAgB,UAAU,KAAK;AAAA,IACzC;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,GAAG;AAAA,QACH;AAAA,QACA,QAAQ,YAAY,QAAQ,KAAK,QAAQ,WAAW,GAAK;AAAA,MAAA,CAC1D;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,OAAO,MAAM,MAAM,EAAE;AACtD,YAAI,YAAqC,CAAA;AACzC,YAAI;AACF,sBAAY,KAAK,MAAM,SAAS;AAAA,QAClC,QAAQ;AAAA,QAER;AAEA,aAAK,gBAAgB,SAAS,QAAQ,WAAW,SAAS;AAAA,MAC5D;AAEA,YAAM,OAAO,MAAM,SAAS,KAAA;AAC5B,UAAI,CAAC,KAAM,QAAO,CAAA;AAClB,aAAO,KAAK,MAAM,IAAI;AAAA,IACxB,SAAS,OAAO;AACd,UAAI,iBAAiB,SAAS,MAAM,SAAS,gBAAgB;AAC3D,cAAM,IAAI,aAAa,qBAAqB,UAAU,KAAK;AAAA,MAC7D;AACA,UACE,iBAAiB,2BACjB,iBAAiB,qBACjB,iBAAiB,qBACjB,iBAAiB,sBACjB,iBAAiB,qBACjB,iBAAiB,eACjB;AACA,cAAM;AAAA,MACR;AACA,YAAM,IAAI;AAAA,QACR,kBAAkB,iBAAiB,QAAQ,MAAM,UAAU,eAAe;AAAA,QAC1E;AAAA,QACA,iBAAiB,QAAQ,QAAQ;AAAA,MAAA;AAAA,IAErC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,gBACN,QACA,MACA,SACO;AACP,UAAM,QAAQ,KAAK;AACnB,UAAM,mBACJ,KAAK,WAAW,KAAK,qBAAqB,KAAK,gBAAgB;AAEjE,YAAQ,QAAA;AAAA,MACN,KAAK;AACH,YAAI,UAAU,iBAAiB;AAC7B,gBAAM,IAAI,kBAAkB,kBAA4B,QAAQ;AAAA,QAClE;AACA,YAAI,UAAU,kBAAkB;AAC9B,gBAAM,IAAI,mBAAmB,QAAQ;AAAA,QACvC;AACA,cAAM,IAAI,cAAc,gBAAgB,gBAAgB,IAAI,QAAQ;AAAA,MAEtE,KAAK;AACH,cAAM,IAAI,wBAAwB,QAAQ;AAAA,MAE5C,KAAK;AACH,cAAM,IAAI,kBAAkB,kBAA4B,QAAQ;AAAA,MAElE,KAAK;AACH,cAAM,IAAI,kBAAkB,QAAW,QAAQ;AAAA,MAEjD,KAAK;AACH,cAAM,IAAI,uBAAuB,QAAW,QAAQ;AAAA,MAEtD;AACE,cAAM,IAAI;AAAA,UACR,iBAAiB,MAAM,MAAM,gBAAgB;AAAA,UAC7C;AAAA,QAAA;AAAA,IACF;AAAA,EAEN;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,yBAAyD;AACrE,QAAI,KAAK,mBAAmB;AAC1B,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,MAAM,GAAG,KAAK,eAAA,CAAgB;AACpC,SAAK,oBAAoB,MAAM,KAAK,QAA+B,GAAG;AACtE,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,UAAyC;AACrD,QAAI,KAAK,MAAM;AACb,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,YAAY,MAAM,KAAK,uBAAA;AAC7B,SAAK,OAAOA,mBAAwB,IAAI,IAAI,UAAU,QAAQ,CAAC;AAC/D,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,gBAAiC;AAE7C,QAAI,KAAK,cAAc,KAAK,IAAA,IAAQ,KAAK,kBAAkB;AACzD,aAAO,KAAK;AAAA,IACd;AAEA,QAAI,CAAC,KAAK,QAAQ,iBAAiB,CAAC,KAAK,QAAQ,eAAe;AAC9D,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MAAA;AAAA,IAEJ;AAEA,UAAM,UAAU,GAAG,KAAK,cAAA,CAAe;AAGvC,UAAM,eAAe,MAAM,MAAM,SAAS;AAAA,MACxC,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAA;AAAA,MAC3B,MAAM,KAAK,UAAU;AAAA,QACnB,MAAM;AAAA,UACJ,OAAO;AAAA,YACL,UAAU,KAAK,QAAQ;AAAA,YACvB,OAAO;AAAA,YACP,YAAY;AAAA,UAAA;AAAA,QACd;AAAA,MACF,CACD;AAAA,MACD,QAAQ,YAAY,QAAQ,KAAK,QAAQ,WAAW,GAAK;AAAA,IAAA,CAC1D;AAED,QAAI,CAAC,aAAa,IAAI;AACpB,YAAM,IAAI,wBAAwB,UAAU;AAAA,QAC1C,QAAQ;AAAA,MAAA,CACT;AAAA,IACH;AAGA,UAAM,UAAU,aAAa,QAAQ,IAAI,YAAY;AAGrD,UAAM,gBAAgB,MAAM,MAAM,SAAS;AAAA,MACzC,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,GAAI,UAAU,EAAE,QAAQ,YAAY,CAAA;AAAA,MAAC;AAAA,MAEvC,MAAM,KAAK,UAAU;AAAA,QACnB,MAAM;AAAA,UACJ,OAAO;AAAA,QAAA;AAAA,MACT,CACD;AAAA,MACD,QAAQ,YAAY,QAAQ,KAAK,QAAQ,WAAW,GAAK;AAAA,IAAA,CAC1D;AAED,QAAI,CAAC,cAAc,IAAI;AACrB,YAAM,IAAI,wBAAwB,UAAU;AAAA,QAC1C,QAAQ;AAAA,MAAA,CACT;AAAA,IACH;AAGA,UAAM,eAAe,MAAM,MAAM,SAAS;AAAA,MACxC,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,GAAI,UAAU,EAAE,QAAQ,YAAY,CAAA;AAAA,MAAC;AAAA,MAEvC,MAAM,KAAK,UAAU;AAAA,QACnB,MAAM;AAAA,UACJ,MAAM;AAAA,YACJ,UAAU,KAAK,QAAQ;AAAA,UAAA;AAAA,QACzB;AAAA,MACF,CACD;AAAA,MACD,QAAQ,YAAY,QAAQ,KAAK,QAAQ,WAAW,GAAK;AAAA,IAAA,CAC1D;AAED,QAAI,CAAC,aAAa,IAAI;AACpB,YAAM,IAAI,wBAAwB,UAAU;AAAA,QAC1C,QAAQ;AAAA,MAAA,CACT;AAAA,IACH;AAEA,UAAM,SAAU,MAAM,aAAa,KAAA;AAMnC,UAAM,QAAQ,OAAO,OAAO,WAAW,OAAO;AAC9C,QAAI,CAAC,OAAO;AACV,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MAAA;AAAA,IAEJ;AAEA,SAAK,aAAa;AAElB,SAAK,mBAAmB,KAAK,IAAA,IAAQ;AAErC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,oBACJ,SAC8B;AAC9B,UAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,UAAM,QAAQ,SAAS,SAAS,qBAAA;AAChC,UAAM,QAAQ,SAAS,SAAS,qBAAA;AAChC,UAAM,SAAS,SAAS,UACtB,KAAK,QAAQ,UAAU,CAAC,UAAU,WAAW,SAAS,QAAQ;AAChE,UAAM,cAAc,SAAS,eAAe,KAAK,QAAQ;AAEzD,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI,mBAAmB,2BAA2B,QAAQ;AAAA,IAClE;AAEA,UAAM,SAAS,IAAI,gBAAgB;AAAA,MACjC,WAAW,KAAK,QAAQ;AAAA,MACxB,cAAc;AAAA,MACd,eAAe;AAAA,MACf,OAAO,OAAO,KAAK,GAAG;AAAA,MACtB;AAAA,MACA;AAAA,IAAA,CACD;AAED,QAAI,SAAS,QAAQ;AACnB,aAAO,IAAI,UAAU,QAAQ,MAAM;AAAA,IACrC;AAEA,QAAI,SAAS,WAAW;AACtB,aAAO,IAAI,cAAc,QAAQ,SAAS;AAAA,IAC5C;AAGA,QAAI,SAAS,aAAa;AACxB,iBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,QAAQ,WAAW,GAAG;AAC9D,eAAO,IAAI,KAAK,KAAK;AAAA,MACvB;AAAA,IACF;AAGA,UAAM,OAAO,MAAM,aAAA;AACnB,WAAO,IAAI,kBAAkB,KAAK,SAAS;AAC3C,WAAO,IAAI,yBAAyB,MAAM;AAE1C,UAAM,MAAM,GAAG,UAAU,sBAAsB,IAAI,OAAO,UAAU;AAEpE,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA,cAAc,KAAK;AAAA,IAAA;AAAA,EAEvB;AAAA,EAEA,MAAM,aAAa,QAAiD;AAClE,UAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,UAAM,cAAc,OAAO,eAAe,KAAK,QAAQ;AACvD,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI,mBAAmB,2BAA2B,QAAQ;AAAA,IAClE;AAEA,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,WAAW,KAAK,QAAQ;AAAA,MACxB,MAAM,OAAO;AAAA,MACb,cAAc;AAAA,IAAA,CACf;AAED,QAAI,KAAK,QAAQ,cAAc;AAC7B,WAAK,IAAI,iBAAiB,KAAK,QAAQ,YAAY;AAAA,IACrD;AAGA,QAAI,OAAO,cAAc;AACvB,WAAK,IAAI,iBAAiB,OAAO,YAAY;AAAA,IAC/C;AAEA,UAAM,WAAW,MAAM,KAAK,QAOzB,UAAU,gBAAgB;AAAA,MAC3B,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAA;AAAA,MAC3B,MAAM,KAAK,SAAA;AAAA,IAAS,CACrB;AAGD,QAAI,SAAS;AACb,QAAI,SAAS,UAAU;AACrB,YAAM,UAAUC,UAAe,SAAS,QAAQ;AAChD,eAAS,QAAQ,OAAO;AAAA,IAC1B;AAEA,WAAO;AAAA,MACL,aAAa,SAAS;AAAA,MACtB,WAAW,SAAS,cAAc;AAAA,MAClC,WAAW,SAAS;AAAA,MACpB,cAAc,SAAS;AAAA,MACvB,SAAS,SAAS;AAAA,MAClB,OAAO,SAAS;AAAA,MAChB;AAAA,IAAA;AAAA,EAEJ;AAAA,EAEA,MAAM,aAAa,cAAoD;AAGrE,UAAM,IAAI,oBAAoB,gBAAgB,UAAU;AAAA,MACtD,QACE;AAAA,IAAA,CACH;AAAA,EACH;AAAA,EAEA,MAAM,QAAQ,cAA2C;AACvD,UAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,WAAW,KAAK,QAAQ;AAAA,MACxB,eAAe;AAAA,IAAA,CAChB;AAED,QAAI,KAAK,QAAQ,cAAc;AAC7B,WAAK,IAAI,iBAAiB,KAAK,QAAQ,YAAY;AAAA,IACrD;AAEA,UAAM,WAAW,MAAM,KAAK,QAOzB,UAAU,gBAAgB;AAAA,MAC3B,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAA;AAAA,MAC3B,MAAM,KAAK,SAAA;AAAA,IAAS,CACrB;AAGD,QAAI,SAAS;AACb,QAAI,SAAS,cAAc;AACzB,YAAM,UAAUA,UAAe,SAAS,YAAY;AACpD,eAAS,QAAQ,OAAO;AAAA,IAC1B;AAEA,WAAO;AAAA,MACL,aAAa,SAAS;AAAA,MACtB,WAAW,SAAS,cAAc;AAAA,MAClC,WAAW,SAAS;AAAA,MACpB,cAAc,SAAS,iBAAiB;AAAA,MACxC,SAAS,SAAS;AAAA,MAClB,OAAO,SAAS;AAAA,MAChB;AAAA,IAAA;AAAA,EAEJ;AAAA,EAEA,MAAM,OAAO,SAAwC;AACnD,UAAM,YAAY,MAAM,KAAK,uBAAA;AAI7B,QAAI,SAAS,gBAAgB,UAAU,qBAAqB;AAC1D,YAAM,OAAO,IAAI,gBAAgB;AAAA,QAC/B,WAAW,KAAK,QAAQ;AAAA,QACxB,OAAO,QAAQ;AAAA,QACf,iBAAiB;AAAA,MAAA,CAClB;AAED,UAAI,KAAK,QAAQ,cAAc;AAC7B,aAAK,IAAI,iBAAiB,KAAK,QAAQ,YAAY;AAAA,MACrD;AAEA,UAAI;AACF,cAAM,KAAK,QAAQ,UAAU,qBAAqB;AAAA,UAChD,QAAQ;AAAA,UACR,SAAS,EAAE,gBAAgB,oCAAA;AAAA,UAC3B,MAAM,KAAK,SAAA;AAAA,QAAS,CACrB;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF;AAIA,QAAI,SAAS,SAAS,UAAU,qBAAqB;AACnD,YAAM,OAAO,IAAI,gBAAgB;AAAA,QAC/B,WAAW,KAAK,QAAQ;AAAA,QACxB,OAAO,QAAQ;AAAA,QACf,iBAAiB;AAAA,MAAA,CAClB;AAED,UAAI,KAAK,QAAQ,cAAc;AAC7B,aAAK,IAAI,iBAAiB,KAAK,QAAQ,YAAY;AAAA,MACrD;AAEA,UAAI;AACF,cAAM,KAAK,QAAQ,UAAU,qBAAqB;AAAA,UAChD,QAAQ;AAAA,UACR,SAAS,EAAE,gBAAgB,oCAAA;AAAA,UAC3B,MAAM,KAAK,SAAA;AAAA,QAAS,CACrB;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,cACJ,OACA,SAC6B;AAC7B,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,QAAA;AACxB,YAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,YAAM,gBAAuC;AAAA,QAC3C,QAAQ,SAAS,UAAU,UAAU;AAAA,QACrC,gBAAgB,SAAS,kBAAkB;AAAA,MAAA;AAG7C,UAAI,SAAS,UAAU;AACrB,sBAAc,WAAW,QAAQ;AAAA,MACnC;AAEA,YAAM,EAAE,YAAY,MAAMC,UAAe,OAAO,MAAM,aAAa;AAGnE,UAAI,SAAS,SAAS,QAAQ,UAAU,QAAQ,OAAO;AACrD,cAAM,IAAI,kBAAkB,QAAQ;AAAA,MACtC;AAIA,YAAM,SAAU,QAAQ,UAAuB,CAAA;AAE/C,aAAO;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ;AAAA,QACb,KAAK,QAAQ;AAAA,QACb,OAAO,QAAQ;AAAA,QACf,gBAAgB,QAAQ;AAAA,QACxB,oBAAoB,QAAQ;AAAA,QAC5B,MAAM,QAAQ;AAAA,QACd,OAAO;AAAA;AAAA,QACP,GAAG;AAAA,MAAA;AAAA,IAEP,SAAS,OAAO;AACd,UAAI,iBAAiBC,YAAwB;AAC3C,cAAM,IAAI,kBAAkB,QAAQ;AAAA,MACtC;AACA,UAAI,iBAAiBC,0BAAsC;AACzD,eAAO;AAAA,MACT;AACA,UAAI,iBAAiBC,gCAA4C;AAC/D,cAAM,IAAI,kBAAkB,2BAA2B,QAAQ;AAAA,MACjE;AACA,UAAI,iBAAiB,mBAAmB;AACtC,cAAM;AAAA,MACR;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,YAAY,OAA6B;AACvC,QAAI;AACF,YAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,UAAI,MAAM,WAAW,GAAG;AACtB,cAAM,IAAI,kBAAkB,sBAAsB,QAAQ;AAAA,MAC5D;AAEA,YAAM,SAAS,KAAK,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC;AACxC,YAAM,UAAUJ,UAAe,KAAK;AAEpC,aAAO;AAAA,QACL,QAAQ;AAAA,UACN,KAAK,OAAO;AAAA,UACZ,KAAK,OAAO;AAAA,UACZ,KAAK,OAAO;AAAA,QAAA;AAAA,QAEd;AAAA,QACA,WAAW,MAAM,CAAC;AAAA,MAAA;AAAA,IAEtB,QAAQ;AACN,YAAM,IAAI,kBAAkB,0BAA0B,QAAQ;AAAA,IAChE;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,OAA4C;AAChE,UAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,QAAI,CAAC,UAAU,wBAAwB;AAErC,YAAM,SAAS,MAAM,KAAK,cAAc,KAAK;AAC7C,aAAO;AAAA,QACL,QAAQ,WAAW;AAAA,QACnB,QAAQ,UAAU;AAAA,MAAA;AAAA,IAEtB;AAEA,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,WAAW,KAAK,QAAQ;AAAA,MACxB;AAAA,IAAA,CACD;AAED,QAAI,KAAK,QAAQ,cAAc;AAC7B,WAAK,IAAI,iBAAiB,KAAK,QAAQ,YAAY;AAAA,IACrD;AAEA,UAAM,WAAW,MAAM,KAAK,QAWzB,UAAU,wBAAwB;AAAA,MACnC,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAA;AAAA,MAC3B,MAAM,KAAK,SAAA;AAAA,IAAS,CACrB;AAED,QAAI,CAAC,SAAS,QAAQ;AACpB,aAAO,EAAE,QAAQ,MAAA;AAAA,IACnB;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,QAAQ;AAAA,QACN,KAAK,SAAS,OAAO;AAAA,QACrB,KAAK,SAAS,OAAO;AAAA,QACrB,KAAK,SAAS,OAAO;AAAA,QACrB,KAAK,SAAS,OAAO;AAAA,QACrB,KAAK,SAAS,OAAO;AAAA,QACrB,GAAG;AAAA,MAAA;AAAA,MAEL,WAAW,SAAS;AAAA,MACpB,UAAU,SAAS;AAAA,MACnB,OAAO,SAAS;AAAA,IAAA;AAAA,EAEpB;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,WAAW,gBAA8C;AAC7D,UAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,UAAM,WAAW,MAAM,KAAK,QAWzB,UAAU,mBAAmB;AAAA,MAC9B,QAAQ;AAAA,MACR,SAAS,EAAE,eAAe,UAAU,cAAc,GAAA;AAAA,IAAG,CACtD;AAED,WAAO;AAAA,MACL,IAAI,SAAS;AAAA,MACb,UAAU,SAAS;AAAA,MACnB,OAAO,SAAS;AAAA,MAChB,eAAe,SAAS;AAAA,MACxB,WAAW,SAAS;AAAA,MACpB,UAAU,SAAS;AAAA,MACnB,aAAa,SAAS;AAAA,MACtB,SAAS,SAAS;AAAA,MAClB,QAAQ,SAAS;AAAA,IAAA;AAAA,EAErB;AAAA,EAEA,MAAM,cACJ,iBACA,UACsB;AAEtB,UAAM,IAAI,oBAAoB,iBAAiB,UAAU;AAAA,MACvD,QACE;AAAA,IAAA,CACH;AAAA,EACH;AAAA,EAEA,MAAM,QAAQ,QAAgB,aAA4C;AACxE,UAAM,QAAQ,MAAM,KAAK,cAAA;AAEzB,UAAM,WAAW,MAAM,KAAK;AAAA,MAC1B,GAAG,KAAK,cAAA,CAAe,WAAW,MAAM;AAAA,MACxC,EAAE,QAAQ,MAAA;AAAA,MACV;AAAA,IAAA;AAGF,WAAO,KAAK,gBAAgB,QAAQ;AAAA,EACtC;AAAA,EAEA,MAAM,WACJ,MACA,aACsB;AACtB,UAAM,QAAQ,MAAM,KAAK,cAAA;AAEzB,UAAM,eAA4C;AAAA,MAChD,OAAO;AAAA,QACL,MAAM,CAAC,KAAK,QAAQ;AAAA,QACpB,aAAa;AAAA,UACX,KAAK,aAAa,KAAK,WACnB,GAAG,KAAK,SAAS,IAAI,KAAK,QAAQ,KAClC,KAAK;AAAA,QAAA;AAAA,MACX;AAAA,IACF;AAGF,QAAI,KAAK,SAAS,aAAa,OAAO;AACpC,mBAAa,MAAM,OAAO,CAAC,KAAK,KAAK;AAAA,IACvC;AAEA,UAAM,WAAW,MAAM,MAAM,GAAG,KAAK,cAAA,CAAe,WAAW;AAAA,MAC7D,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,eAAe,UAAU,KAAK;AAAA,MAAA;AAAA,MAEhC,MAAM,KAAK,UAAU,YAAY;AAAA,IAAA,CAClC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,YAAY,MAAM,SAAS,KAAA;AACjC,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,uBAAuB,KAAK,UAAU,QAAQ;AAAA,MAC1D;AACA,YAAM,IAAI,cAAc,0BAA0B,SAAS,IAAI,QAAQ;AAAA,IACzE;AAGA,WAAO,KAAK,QAAQ,KAAK,UAAU,KAAK;AAAA,EAC1C;AAAA,EAEA,MAAM,WACJ,QACA,SACA,aACsB;AACtB,UAAM,QAAQ,MAAM,KAAK,cAAA;AAEzB,UAAM,QAAkC,CAAA;AAExC,QAAI,QAAQ,UAAU,QAAW;AAC/B,YAAM,OAAO,CAAC,QAAQ,KAAK;AAAA,IAC7B;AAEA,QAAI,QAAQ,cAAc,UAAa,QAAQ,aAAa,QAAW;AACrE,YAAM,cACJ,QAAQ,aAAa,QAAQ,WACzB,GAAG,QAAQ,SAAS,IAAI,QAAQ,QAAQ,KACxC,QAAQ,aAAa,QAAQ,YAAY;AAC/C,UAAI,aAAa;AACf,cAAM,cAAc,CAAC,WAAW;AAAA,MAClC;AAAA,IACF;AAEA,UAAM,KAAK;AAAA,MACT,GAAG,KAAK,cAAA,CAAe,WAAW,MAAM;AAAA,MACxC;AAAA,QACE,QAAQ;AAAA,QACR,MAAM,KAAK,UAAU,EAAE,OAAO;AAAA,MAAA;AAAA,MAEhC;AAAA,IAAA;AAGF,WAAO,KAAK,QAAQ,QAAQ,KAAK;AAAA,EACnC;AAAA,EAEA,MAAM,WAAW,QAAgB,aAAoC;AACnE,UAAM,QAAQ,MAAM,KAAK,cAAA;AAEzB,UAAM,KAAK;AAAA,MACT,GAAG,KAAK,cAAA,CAAe,WAAW,MAAM;AAAA,MACxC,EAAE,QAAQ,SAAA;AAAA,MACV;AAAA,IAAA;AAAA,EAEJ;AAAA,EAEA,MAAM,UACJ,OACA,aACyB;AACzB,UAAM,QAAQ,MAAM,KAAK,cAAA;AAGzB,QAAI,MAAM,GAAG,KAAK,cAAA,CAAe;AAIjC,UAAM,SAAS,IAAI,gBAAA;AACnB,QAAI,MAAM,QAAQ;AAChB,aAAO,IAAI,UAAU,MAAM,MAAM;AAAA,IACnC;AAEA,QAAI,OAAO,YAAY;AACrB,aAAO,IAAI,OAAO,SAAA,CAAU;AAAA,IAC9B;AAEA,UAAM,WAAW,MAAM,KAAK;AAAA,MAC1B;AAAA,MACA,EAAE,QAAQ,MAAA;AAAA,MACV;AAAA,IAAA;AAGF,UAAM,QAAQ,MAAM,QAAQ,QAAQ,IAAI,WAAW,CAAA;AAGnD,QAAI,gBAAgB,MAAM,IAAI,CAAC,MAAM,KAAK,gBAAgB,CAAC,CAAC;AAE5D,QAAI,MAAM,OAAO;AACf,sBAAgB,cAAc,OAAO,CAAC,MAAM,EAAE,UAAU,MAAM,KAAK;AAAA,IACrE;AAEA,QAAI,MAAM,UAAU;AAClB,sBAAgB,cAAc;AAAA,QAC5B,CAAC,MAAM,EAAE,aAAa,MAAM;AAAA,MAAA;AAAA,IAEhC;AAEA,UAAM,QAAQ,cAAc;AAC5B,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,QAAQ,MAAM,SAAS;AAE7B,WAAO;AAAA,MACL,OAAO,cAAc,MAAM,QAAQ,SAAS,KAAK;AAAA,MACjD;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAAA,EAEJ;AAAA,EAEA,MAAM,qBAAqB,QAA+B;AACxD,UAAM,IAAI,oBAAoB,wBAAwB,UAAU;AAAA,MAC9D,QAAQ;AAAA,IAAA,CACT;AAAA,EACH;AAAA,EAEA,MAAM,cAAc,QAAgB,cAAqC;AACvE,UAAM,IAAI,oBAAoB,iBAAiB,UAAU;AAAA,MACvD,QAAQ;AAAA,IAAA,CACT;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aACJ,SACA,aACoB;AACpB,UAAM,IAAI,oBAAoB,gBAAgB,UAAU;AAAA,MACtD,QAAQ;AAAA,IAAA,CACT;AAAA,EACH;AAAA,EAEA,MAAM,cAAc,YAAoB,aAAqC;AAC3E,UAAM,IAAI,oBAAoB,iBAAiB,UAAU;AAAA,MACvD,QAAQ;AAAA,IAAA,CACT;AAAA,EACH;AAAA,EAEA,MAAM,kBACJ,SACA,aACe;AACf,UAAM,IAAI,oBAAoB,qBAAqB,UAAU;AAAA,MAC3D,QAAQ;AAAA,IAAA,CACT;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAQ,eAAuB,MAAgC;AACnE,UAAM,QAAQ,MAAM,KAAK,SAAS,aAAa;AAC/C,WAAO,MAAM,SAAS,IAAI;AAAA,EAC5B;AAAA,EAEA,MAAM,cACJ,eACA,YACA,UACkB;AAElB,UAAM,QAAQ,MAAM,KAAK,SAAS,aAAa;AAC/C,UAAM,iBAAiB,WAAW,GAAG,QAAQ,IAAI,UAAU,KAAK;AAChE,WAAO,MAAM,SAAS,cAAc,KAAK,MAAM,SAAS,UAAU;AAAA,EACpE;AAAA,EAEA,MAAM,SACJ,eACA,aACmB;AAEnB,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,cAAc,aAAa;AACrD,UAAI,QAAQ;AACV,eAAO,OAAO,SAAS,CAAA;AAAA,MACzB;AAAA,IACF,QAAQ;AAAA,IAER;AAGA,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,QAAQ,aAAa;AAC7C,aAAO,KAAK,UAAU,CAAA;AAAA,IACxB,QAAQ;AAAA,IAER;AAEA,WAAO,CAAA;AAAA,EACT;AAAA,EAEA,MAAM,WACJ,SACA,OACA,aACe;AACf,UAAM,IAAI,oBAAoB,cAAc,UAAU;AAAA,MACpD,QACE;AAAA,IAAA,CACH;AAAA,EACH;AAAA,EAEA,MAAM,WACJ,SACA,OACA,aACe;AACf,UAAM,IAAI,oBAAoB,cAAc,UAAU;AAAA,MACpD,QACE;AAAA,IAAA,CACH;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,kBAA6C;AACjD,WAAO;AAAA,MACL,mBAAmB;AAAA,MACnB,eAAe;AAAA;AAAA,MACf,mBAAmB;AAAA;AAAA,MACnB,cAAc;AAAA,MACd,MAAM;AAAA,MACN,gBAAgB;AAAA;AAAA,MAChB,mBAAmB;AAAA;AAAA,MACnB,MAAM;AAAA;AAAA,MACN,eAAe;AAAA;AAAA,MACf,KAAK;AAAA;AAAA,MACL,aAAa;AAAA,MACb,YAAY;AAAA,MACZ,eAAe;AAAA,IAAA;AAAA,EAEnB;AAAA,EAEA,MAAM,uBAA8D;AAClE,WAAO,KAAK,uBAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAMQ,gBAAgB,QAAmC;AACzD,UAAM,QAAQ,OAAO,SAAS,CAAA;AAE9B,WAAO;AAAA,MACL,IAAI,MAAM,OAAO,CAAC,KAAK,MAAM,OAAO,CAAC,KAAK;AAAA,MAC1C,UAAU,MAAM,OAAO,CAAC;AAAA,MACxB,OAAO,MAAM,OAAO,CAAC;AAAA,MACrB,aAAa,MAAM,cAAc,CAAC;AAAA,MAClC,QAAQ,MAAM;AAAA,MACd,SAAS;AAAA;AAAA,IAAA;AAAA,EAEb;AACF;"}