@happyvertical/auth 0.74.8

package/dist/chunks/keycloak-t6JEUeOz.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-t6JEUeOz.js","sources":["../../src/shared/providers/keycloak.ts"],"sourcesContent":["/**\n * Keycloak Provider - OIDC/OAuth2 Authentication\n *\n * Implements full OIDC/OAuth2 authentication with Keycloak server including:\n * - OIDC Discovery\n * - Authorization Code Flow with PKCE\n * - Token validation using JWKS\n * - Token introspection\n * - User management via Admin API\n * - Session management\n */\n\nimport * as jose from 'jose';\n\nimport {\n  AccessDeniedError,\n  ConfigurationError,\n  InvalidClientError,\n  InvalidCredentialsError,\n  InvalidGrantError,\n  InvalidNonceError,\n  InvalidRedirectUriError,\n  InvalidStateError,\n  InvalidTokenError,\n  MfaRequiredError,\n  NetworkError,\n  NotImplementedError,\n  ProviderError,\n  TokenExpiredError,\n  UserAlreadyExistsError,\n  UserNotFoundError,\n} from '../errors.js';\nimport type {\n  AuthCapabilities,\n  AuthCredentials,\n  AuthInterface,\n  AuthorizationOptions,\n  AuthorizationResult,\n  AuthResult,\n  CodeExchangeParams,\n  CreateUserRequest,\n  KeycloakOptions,\n  LogoutOptions,\n  OIDCDiscoveryDocument,\n  Session,\n  TokenClaims,\n  TokenIntrospection,\n  TokenPayload,\n  TokenValidationOptions,\n  UserListResult,\n  UserProfile,\n  UserQuery,\n} from '../types.js';\n\n/**\n * Generate a random string for state/nonce/PKCE.\n */\nfunction generateRandomString(length = 32): string {\n  const array = new Uint8Array(length);\n  crypto.getRandomValues(array);\n  return Array.from(array, (byte) => byte.toString(16).padStart(2, '0')).join(\n    '',\n  );\n}\n\n/**\n * Generate PKCE code verifier and challenge.\n */\nasync function generatePKCE(): Promise<{\n  verifier: string;\n  challenge: string;\n}> {\n  const verifier = generateRandomString(32);\n  const encoder = new TextEncoder();\n  const data = encoder.encode(verifier);\n  const hash = await crypto.subtle.digest('SHA-256', data);\n  const challenge = btoa(String.fromCharCode(...new Uint8Array(hash)))\n    .replace(/\\+/g, '-')\n    .replace(/\\//g, '_')\n    .replace(/=+$/, '');\n  return { verifier, challenge };\n}\n\n/**\n * Keycloak authentication provider.\n *\n * Implements full OIDC/OAuth2 authentication with Keycloak server.\n */\nexport class KeycloakProvider implements AuthInterface {\n  private options: Required<\n    Pick<KeycloakOptions, 'serverUrl' | 'realm' | 'clientId'>\n  > &\n    KeycloakOptions;\n  private discoveryDocument: OIDCDiscoveryDocument | null = null;\n  private jwks: jose.JWTVerifyGetKey | null = null;\n\n  constructor(options: KeycloakOptions) {\n    if (!options.serverUrl) {\n      throw new ConfigurationError('serverUrl is required', 'keycloak');\n    }\n    if (!options.realm) {\n      throw new ConfigurationError('realm is required', 'keycloak');\n    }\n    if (!options.clientId) {\n      throw new ConfigurationError('clientId is required', 'keycloak');\n    }\n\n    this.options = {\n      usePKCE: true,\n      verifySsl: true,\n      scopes: ['openid', 'profile', 'email'],\n      timeout: 30000,\n      maxRetries: 3,\n      ...options,\n    };\n  }\n\n  // ---------------------------------------------------------------------------\n  // INTERNAL HELPERS\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Get the base URL for the realm.\n   */\n  private getRealmUrl(): string {\n    return `${this.options.serverUrl}/realms/${this.options.realm}`;\n  }\n\n  /**\n   * Get the admin API base URL.\n   */\n  private getAdminUrl(): string {\n    return `${this.options.serverUrl}/admin/realms/${this.options.realm}`;\n  }\n\n  /**\n   * Make an HTTP request with error handling.\n   */\n  private async request<T>(\n    url: string,\n    options: RequestInit = {},\n    adminToken?: string,\n  ): Promise<T> {\n    const headers: Record<string, string> = {\n      'Content-Type': 'application/json',\n      ...this.options.headers,\n      ...(options.headers as Record<string, string>),\n    };\n\n    if (adminToken) {\n      headers['Authorization'] = `Bearer ${adminToken}`;\n    }\n\n    try {\n      const response = await fetch(url, {\n        ...options,\n        headers,\n        signal: AbortSignal.timeout(this.options.timeout || 30000),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.text().catch(() => '');\n        let errorData: Record<string, unknown> = {};\n        try {\n          errorData = JSON.parse(errorBody);\n        } catch {\n          // Not JSON\n        }\n\n        this.handleHttpError(response.status, errorData, errorBody);\n      }\n\n      const text = await response.text();\n      if (!text) return {} as T;\n      return JSON.parse(text) as T;\n    } catch (error) {\n      if (error instanceof Error && error.name === 'TimeoutError') {\n        throw new NetworkError('Request timed out', 'keycloak', error);\n      }\n      if (\n        error instanceof InvalidCredentialsError ||\n        error instanceof AccessDeniedError ||\n        error instanceof InvalidGrantError ||\n        error instanceof InvalidClientError ||\n        error instanceof UserNotFoundError ||\n        error instanceof ProviderError\n      ) {\n        throw error;\n      }\n      throw new NetworkError(\n        `Network error: ${error instanceof Error ? error.message : 'Unknown error'}`,\n        'keycloak',\n        error instanceof Error ? error : undefined,\n      );\n    }\n  }\n\n  /**\n   * Handle HTTP error responses.\n   */\n  private handleHttpError(\n    status: number,\n    data: Record<string, unknown>,\n    rawBody: string,\n  ): never {\n    const error = data.error as string | undefined;\n    const errorDescription =\n      data.errorMessage || data.error_description || rawBody;\n\n    switch (status) {\n      case 400:\n        if (error === 'invalid_grant') {\n          throw new InvalidGrantError(errorDescription as string, 'keycloak');\n        }\n        if (error === 'invalid_client') {\n          throw new InvalidClientError('keycloak');\n        }\n        throw new ProviderError(`Bad request: ${errorDescription}`, 'keycloak');\n\n      case 401:\n        throw new InvalidCredentialsError('keycloak');\n\n      case 403:\n        throw new AccessDeniedError(errorDescription as string, 'keycloak');\n\n      case 404:\n        throw new UserNotFoundError(undefined, 'keycloak');\n\n      case 409:\n        throw new UserAlreadyExistsError(undefined, 'keycloak');\n\n      default:\n        throw new ProviderError(\n          `Keycloak error (${status}): ${errorDescription}`,\n          'keycloak',\n        );\n    }\n  }\n\n  /**\n   * Fetch and cache the OIDC discovery document.\n   */\n  private async fetchDiscoveryDocument(): Promise<OIDCDiscoveryDocument> {\n    if (this.discoveryDocument) {\n      return this.discoveryDocument;\n    }\n\n    const url = `${this.getRealmUrl()}/.well-known/openid-configuration`;\n    this.discoveryDocument = await this.request<OIDCDiscoveryDocument>(url);\n    return this.discoveryDocument;\n  }\n\n  /**\n   * Get JWKS for token validation.\n   */\n  private async getJWKS(): Promise<jose.JWTVerifyGetKey> {\n    if (this.jwks) {\n      return this.jwks;\n    }\n\n    const discovery = await this.fetchDiscoveryDocument();\n    this.jwks = jose.createRemoteJWKSet(new URL(discovery.jwks_uri));\n    return this.jwks;\n  }\n\n  // ---------------------------------------------------------------------------\n  // AUTHENTICATION FLOWS\n  // ---------------------------------------------------------------------------\n\n  async getAuthorizationUrl(\n    options?: AuthorizationOptions,\n  ): Promise<AuthorizationResult> {\n    const discovery = await this.fetchDiscoveryDocument();\n\n    const state = options?.state || generateRandomString();\n    const nonce = options?.nonce || generateRandomString();\n    const scopes = options?.scopes ||\n      this.options.scopes || ['openid', 'profile', 'email'];\n    const redirectUri = options?.redirectUri || this.options.redirectUri;\n\n    if (!redirectUri) {\n      throw new ConfigurationError('redirectUri is required', 'keycloak');\n    }\n\n    const params = new URLSearchParams({\n      client_id: this.options.clientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      scope: scopes.join(' '),\n      state,\n      nonce,\n    });\n\n    if (options?.prompt) {\n      params.set('prompt', options.prompt);\n    }\n\n    if (options?.loginHint) {\n      params.set('login_hint', options.loginHint);\n    }\n\n    // Add extra params\n    if (options?.extraParams) {\n      for (const [key, value] of Object.entries(options.extraParams)) {\n        params.set(key, value);\n      }\n    }\n\n    let codeVerifier: string | undefined;\n    if (this.options.usePKCE) {\n      const pkce = await generatePKCE();\n      codeVerifier = pkce.verifier;\n      params.set('code_challenge', pkce.challenge);\n      params.set('code_challenge_method', 'S256');\n    }\n\n    const url = `${discovery.authorization_endpoint}?${params.toString()}`;\n\n    return {\n      url,\n      state,\n      nonce,\n      codeVerifier,\n    };\n  }\n\n  async exchangeCode(params: CodeExchangeParams): Promise<AuthResult> {\n    const discovery = await this.fetchDiscoveryDocument();\n\n    const redirectUri = params.redirectUri || this.options.redirectUri;\n    if (!redirectUri) {\n      throw new ConfigurationError('redirectUri is required', 'keycloak');\n    }\n\n    const body = new URLSearchParams({\n      grant_type: 'authorization_code',\n      client_id: this.options.clientId,\n      code: params.code,\n      redirect_uri: redirectUri,\n    });\n\n    if (this.options.clientSecret) {\n      body.set('client_secret', this.options.clientSecret);\n    }\n\n    if (params.codeVerifier) {\n      body.set('code_verifier', params.codeVerifier);\n    }\n\n    const response = await this.request<{\n      access_token: string;\n      refresh_token?: string;\n      id_token?: string;\n      expires_in: number;\n      token_type: string;\n      scope?: string;\n    }>(discovery.token_endpoint, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: body.toString(),\n    });\n\n    // Decode ID token to get user ID\n    let userId = '';\n    if (response.id_token) {\n      const payload = jose.decodeJwt(response.id_token);\n      userId = payload.sub || '';\n    }\n\n    return {\n      accessToken: response.access_token,\n      tokenType: response.token_type || 'Bearer',\n      expiresIn: response.expires_in,\n      refreshToken: response.refresh_token,\n      idToken: response.id_token,\n      scope: response.scope,\n      userId,\n    };\n  }\n\n  async authenticate(credentials: AuthCredentials): Promise<AuthResult> {\n    const discovery = await this.fetchDiscoveryDocument();\n    const grantType = credentials.grantType || 'password';\n\n    const scopes = credentials.scopes ||\n      this.options.scopes || ['openid', 'profile', 'email'];\n    const body = new URLSearchParams({\n      grant_type: grantType,\n      client_id: this.options.clientId,\n      scope: scopes.join(' '),\n    });\n\n    if (grantType === 'client_credentials') {\n      // Client credentials grant - requires client secret\n      if (!this.options.clientSecret) {\n        throw new InvalidCredentialsError('keycloak', {\n          reason: 'Client secret is required for client_credentials grant',\n        });\n      }\n      body.set('client_secret', this.options.clientSecret);\n    } else {\n      // Password grant - requires username and password\n      if (!credentials.username || !credentials.password) {\n        throw new InvalidCredentialsError('keycloak', {\n          reason: 'Username and password are required',\n        });\n      }\n      body.set('username', credentials.username);\n      body.set('password', credentials.password);\n\n      if (this.options.clientSecret) {\n        body.set('client_secret', this.options.clientSecret);\n      }\n\n      // Add MFA code if provided\n      if (credentials.mfaCode) {\n        body.set('totp', credentials.mfaCode);\n      }\n    }\n\n    try {\n      const response = await this.request<{\n        access_token: string;\n        refresh_token?: string;\n        id_token?: string;\n        expires_in: number;\n        token_type: string;\n        scope?: string;\n      }>(discovery.token_endpoint, {\n        method: 'POST',\n        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n        body: body.toString(),\n      });\n\n      // Decode ID token to get user ID\n      let userId = '';\n      if (response.id_token) {\n        const payload = jose.decodeJwt(response.id_token);\n        userId = payload.sub || '';\n      } else if (response.access_token) {\n        const payload = jose.decodeJwt(response.access_token);\n        userId = payload.sub || '';\n      }\n\n      return {\n        accessToken: response.access_token,\n        tokenType: response.token_type || 'Bearer',\n        expiresIn: response.expires_in,\n        refreshToken: response.refresh_token,\n        idToken: response.id_token,\n        scope: response.scope,\n        userId,\n      };\n    } catch (error) {\n      // Check for MFA required\n      if (\n        error instanceof ProviderError &&\n        error.message.includes('invalid_grant') &&\n        error.message.includes('totp')\n      ) {\n        throw new MfaRequiredError('keycloak', ['totp']);\n      }\n      throw error;\n    }\n  }\n\n  async refresh(refreshToken: string): Promise<AuthResult> {\n    const discovery = await this.fetchDiscoveryDocument();\n\n    const body = new URLSearchParams({\n      grant_type: 'refresh_token',\n      client_id: this.options.clientId,\n      refresh_token: refreshToken,\n    });\n\n    if (this.options.clientSecret) {\n      body.set('client_secret', this.options.clientSecret);\n    }\n\n    const response = await this.request<{\n      access_token: string;\n      refresh_token?: string;\n      id_token?: string;\n      expires_in: number;\n      token_type: string;\n      scope?: string;\n    }>(discovery.token_endpoint, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: body.toString(),\n    });\n\n    // Decode to get user ID\n    let userId = '';\n    if (response.access_token) {\n      const payload = jose.decodeJwt(response.access_token);\n      userId = payload.sub || '';\n    }\n\n    return {\n      accessToken: response.access_token,\n      tokenType: response.token_type || 'Bearer',\n      expiresIn: response.expires_in,\n      refreshToken: response.refresh_token || refreshToken,\n      idToken: response.id_token,\n      scope: response.scope,\n      userId,\n    };\n  }\n\n  async logout(options?: LogoutOptions): Promise<void> {\n    const discovery = await this.fetchDiscoveryDocument();\n\n    if (!discovery.end_session_endpoint) {\n      // Just revoke the token if no end_session_endpoint\n      if (options?.refreshToken && discovery.revocation_endpoint) {\n        await this.request(discovery.revocation_endpoint, {\n          method: 'POST',\n          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n          body: new URLSearchParams({\n            client_id: this.options.clientId,\n            token: options.refreshToken,\n            token_type_hint: 'refresh_token',\n          }).toString(),\n        });\n      }\n      return;\n    }\n\n    const params = new URLSearchParams({\n      client_id: this.options.clientId,\n    });\n\n    if (options?.token) {\n      params.set('id_token_hint', options.token);\n    }\n\n    if (options?.postLogoutRedirectUri) {\n      params.set('post_logout_redirect_uri', options.postLogoutRedirectUri);\n    }\n\n    // For logout, we typically redirect the user, but for server-side we can POST\n    if (options?.refreshToken && discovery.revocation_endpoint) {\n      const revokeParams = new URLSearchParams({\n        client_id: this.options.clientId,\n        token: options.refreshToken,\n        token_type_hint: 'refresh_token',\n      });\n      if (this.options.clientSecret) {\n        revokeParams.set('client_secret', this.options.clientSecret);\n      }\n      await this.request(discovery.revocation_endpoint, {\n        method: 'POST',\n        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n        body: revokeParams.toString(),\n      });\n    }\n  }\n\n  // ---------------------------------------------------------------------------\n  // TOKEN OPERATIONS\n  // ---------------------------------------------------------------------------\n\n  async validateToken(\n    token: string,\n    options?: TokenValidationOptions,\n  ): Promise<TokenClaims | null> {\n    try {\n      const jwks = await this.getJWKS();\n      const discovery = await this.fetchDiscoveryDocument();\n\n      const verifyOptions: jose.JWTVerifyOptions = {\n        issuer: options?.issuer || discovery.issuer,\n        clockTolerance: options?.clockTolerance || 0,\n      };\n\n      if (options?.audience) {\n        verifyOptions.audience = options.audience;\n      }\n\n      const { payload } = await jose.jwtVerify(token, jwks, verifyOptions);\n\n      // Check nonce if provided\n      if (options?.nonce && payload.nonce !== options.nonce) {\n        throw new InvalidNonceError('keycloak');\n      }\n\n      // Extract roles from Keycloak token structure\n      const roles: string[] = [];\n\n      // Realm roles\n      if (payload.realm_access && typeof payload.realm_access === 'object') {\n        const realmAccess = payload.realm_access as { roles?: string[] };\n        if (realmAccess.roles) {\n          roles.push(...realmAccess.roles);\n        }\n      }\n\n      // Client roles\n      if (\n        payload.resource_access &&\n        typeof payload.resource_access === 'object'\n      ) {\n        const resourceAccess = payload.resource_access as Record<\n          string,\n          { roles?: string[] }\n        >;\n        for (const client of Object.values(resourceAccess)) {\n          if (client.roles) {\n            roles.push(...client.roles);\n          }\n        }\n      }\n\n      return {\n        sub: payload.sub || '',\n        iss: payload.iss || '',\n        aud: payload.aud || '',\n        exp: payload.exp || 0,\n        iat: payload.iat || 0,\n        nbf: payload.nbf,\n        azp: payload.azp as string | undefined,\n        email: payload.email as string | undefined,\n        email_verified: payload.email_verified as boolean | undefined,\n        preferred_username: payload.preferred_username as string | undefined,\n        name: payload.name as string | undefined,\n        roles,\n        ...payload,\n      };\n    } catch (error) {\n      if (error instanceof jose.errors.JWTExpired) {\n        throw new TokenExpiredError('keycloak');\n      }\n      if (error instanceof jose.errors.JWTClaimValidationFailed) {\n        return null;\n      }\n      if (error instanceof jose.errors.JWSSignatureVerificationFailed) {\n        throw new InvalidTokenError('Invalid token signature', 'keycloak');\n      }\n      if (error instanceof InvalidNonceError) {\n        throw error;\n      }\n      return null;\n    }\n  }\n\n  decodeToken(token: string): TokenPayload {\n    try {\n      const parts = token.split('.');\n      if (parts.length !== 3) {\n        throw new InvalidTokenError('Invalid JWT format', 'keycloak');\n      }\n\n      const header = JSON.parse(atob(parts[0]));\n      const payload = jose.decodeJwt(token);\n\n      return {\n        header: {\n          alg: header.alg,\n          typ: header.typ,\n          kid: header.kid,\n        },\n        payload: payload as unknown as TokenClaims,\n        signature: parts[2],\n      };\n    } catch {\n      throw new InvalidTokenError('Failed to decode token', 'keycloak');\n    }\n  }\n\n  async introspectToken(token: string): Promise<TokenIntrospection> {\n    const discovery = await this.fetchDiscoveryDocument();\n\n    if (!discovery.introspection_endpoint) {\n      // Fallback to local validation\n      const claims = await this.validateToken(token);\n      return {\n        active: claims !== null,\n        claims: claims || undefined,\n      };\n    }\n\n    const body = new URLSearchParams({\n      client_id: this.options.clientId,\n      token,\n    });\n\n    if (this.options.clientSecret) {\n      body.set('client_secret', this.options.clientSecret);\n    }\n\n    const response = await this.request<{\n      active: boolean;\n      sub?: string;\n      iss?: string;\n      aud?: string | string[];\n      exp?: number;\n      iat?: number;\n      client_id?: string;\n      scope?: string;\n      token_type?: string;\n      [key: string]: unknown;\n    }>(discovery.introspection_endpoint, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: body.toString(),\n    });\n\n    if (!response.active) {\n      return { active: false };\n    }\n\n    return {\n      active: true,\n      claims: {\n        sub: response.sub || '',\n        iss: response.iss || '',\n        aud: response.aud || '',\n        exp: response.exp || 0,\n        iat: response.iat || 0,\n        ...response,\n      },\n      tokenType: response.token_type,\n      clientId: response.client_id,\n      scope: response.scope,\n    };\n  }\n\n  // ---------------------------------------------------------------------------\n  // USER OPERATIONS\n  // ---------------------------------------------------------------------------\n\n  async getProfile(tokenOrSession: string): Promise<UserProfile> {\n    const discovery = await this.fetchDiscoveryDocument();\n\n    const response = await this.request<{\n      sub: string;\n      preferred_username?: string;\n      email?: string;\n      email_verified?: boolean;\n      name?: string;\n      given_name?: string;\n      family_name?: string;\n      picture?: string;\n      [key: string]: unknown;\n    }>(discovery.userinfo_endpoint, {\n      method: 'GET',\n      headers: { Authorization: `Bearer ${tokenOrSession}` },\n    });\n\n    return {\n      id: response.sub,\n      username: response.preferred_username,\n      email: response.email,\n      emailVerified: response.email_verified,\n      firstName: response.given_name,\n      lastName: response.family_name,\n      displayName: response.name,\n      picture: response.picture,\n    };\n  }\n\n  async updateProfile(\n    tokenOrSession: string,\n    profile: Partial<UserProfile>,\n  ): Promise<UserProfile> {\n    // Get user ID from token\n    const payload = jose.decodeJwt(tokenOrSession);\n    const userId = payload.sub;\n\n    if (!userId) {\n      throw new InvalidTokenError('Token does not contain user ID', 'keycloak');\n    }\n\n    // Update via Account API (requires account-api feature in Keycloak)\n    const accountUrl = `${this.getRealmUrl()}/account`;\n\n    const updateData: Record<string, unknown> = {};\n    if (profile.firstName !== undefined)\n      updateData.firstName = profile.firstName;\n    if (profile.lastName !== undefined) updateData.lastName = profile.lastName;\n    if (profile.email !== undefined) updateData.email = profile.email;\n\n    await this.request(accountUrl, {\n      method: 'POST',\n      headers: { Authorization: `Bearer ${tokenOrSession}` },\n      body: JSON.stringify(updateData),\n    });\n\n    return this.getProfile(tokenOrSession);\n  }\n\n  async getUser(userId: string, adminToken?: string): Promise<UserProfile> {\n    if (!adminToken) {\n      throw new AccessDeniedError('Admin token required', 'keycloak');\n    }\n\n    const response = await this.request<KeycloakUser>(\n      `${this.getAdminUrl()}/users/${userId}`,\n      { method: 'GET' },\n      adminToken,\n    );\n\n    return this.mapKeycloakUser(response);\n  }\n\n  async createUser(\n    user: CreateUserRequest,\n    adminToken: string,\n  ): Promise<UserProfile> {\n    const keycloakUser: Partial<KeycloakUser> = {\n      username: user.username,\n      email: user.email,\n      firstName: user.firstName,\n      lastName: user.lastName,\n      enabled: user.enabled ?? true,\n      emailVerified: user.emailVerified ?? false,\n      attributes: user.attributes as Record<string, string[]>,\n    };\n\n    if (user.password) {\n      keycloakUser.credentials = [\n        {\n          type: 'password',\n          value: user.password,\n          temporary: false,\n        },\n      ];\n    }\n\n    const response = await fetch(`${this.getAdminUrl()}/users`, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/json',\n        Authorization: `Bearer ${adminToken}`,\n      },\n      body: JSON.stringify(keycloakUser),\n    });\n\n    if (!response.ok) {\n      const errorBody = await response.text();\n      if (response.status === 409) {\n        throw new UserAlreadyExistsError(user.username, 'keycloak');\n      }\n      throw new ProviderError(\n        `Failed to create user: ${errorBody}`,\n        'keycloak',\n      );\n    }\n\n    // Get the created user ID from Location header\n    const location = response.headers.get('Location');\n    if (!location) {\n      throw new ProviderError('Failed to get created user ID', 'keycloak');\n    }\n\n    const userId = location.split('/').pop()!;\n\n    // Assign roles if provided\n    if (user.roles?.length) {\n      await this.assignRoles(userId, user.roles, adminToken);\n    }\n\n    // Assign groups if provided\n    if (user.groups?.length) {\n      for (const groupName of user.groups) {\n        await this.addUserToGroup(userId, groupName, adminToken);\n      }\n    }\n\n    return this.getUser(userId, adminToken);\n  }\n\n  async updateUser(\n    userId: string,\n    updates: Partial<CreateUserRequest>,\n    adminToken: string,\n  ): Promise<UserProfile> {\n    const keycloakUser: Partial<KeycloakUser> = {};\n\n    if (updates.username !== undefined)\n      keycloakUser.username = updates.username;\n    if (updates.email !== undefined) keycloakUser.email = updates.email;\n    if (updates.firstName !== undefined)\n      keycloakUser.firstName = updates.firstName;\n    if (updates.lastName !== undefined)\n      keycloakUser.lastName = updates.lastName;\n    if (updates.enabled !== undefined) keycloakUser.enabled = updates.enabled;\n    if (updates.emailVerified !== undefined)\n      keycloakUser.emailVerified = updates.emailVerified;\n    if (updates.attributes !== undefined) {\n      keycloakUser.attributes = updates.attributes as Record<string, string[]>;\n    }\n\n    await this.request(\n      `${this.getAdminUrl()}/users/${userId}`,\n      {\n        method: 'PUT',\n        body: JSON.stringify(keycloakUser),\n      },\n      adminToken,\n    );\n\n    // Update password if provided\n    if (updates.password) {\n      await this.request(\n        `${this.getAdminUrl()}/users/${userId}/reset-password`,\n        {\n          method: 'PUT',\n          body: JSON.stringify({\n            type: 'password',\n            value: updates.password,\n            temporary: false,\n          }),\n        },\n        adminToken,\n      );\n    }\n\n    return this.getUser(userId, adminToken);\n  }\n\n  async deleteUser(userId: string, adminToken: string): Promise<void> {\n    await this.request(\n      `${this.getAdminUrl()}/users/${userId}`,\n      { method: 'DELETE' },\n      adminToken,\n    );\n  }\n\n  async listUsers(\n    query: UserQuery,\n    adminToken?: string,\n  ): Promise<UserListResult> {\n    if (!adminToken) {\n      throw new AccessDeniedError('Admin token required', 'keycloak');\n    }\n\n    const params = new URLSearchParams();\n\n    if (query.search) params.set('search', query.search);\n    if (query.email) params.set('email', query.email);\n    if (query.username) params.set('username', query.username);\n    if (query.enabled !== undefined)\n      params.set('enabled', String(query.enabled));\n    if (query.limit) params.set('max', String(query.limit));\n    if (query.offset) params.set('first', String(query.offset));\n\n    const users = await this.request<KeycloakUser[]>(\n      `${this.getAdminUrl()}/users?${params.toString()}`,\n      { method: 'GET' },\n      adminToken,\n    );\n\n    // Get total count\n    const countResponse = await this.request<number>(\n      `${this.getAdminUrl()}/users/count?${params.toString()}`,\n      { method: 'GET' },\n      adminToken,\n    );\n\n    return {\n      users: users.map((u) => this.mapKeycloakUser(u)),\n      total: countResponse,\n      limit: query.limit || 100,\n      offset: query.offset || 0,\n    };\n  }\n\n  async requestPasswordReset(email: string): Promise<void> {\n    // This requires admin privileges or self-service password reset configured\n    // We'll use the execute-actions-email endpoint\n    throw new NotImplementedError('requestPasswordReset', 'keycloak', {\n      reason:\n        'Requires admin token or use Keycloak login page for self-service reset',\n    });\n  }\n\n  async resetPassword(token: string, newPassword: string): Promise<void> {\n    // Password reset via token is handled by Keycloak's login flow\n    throw new NotImplementedError('resetPassword', 'keycloak', {\n      reason: 'Password reset is handled by Keycloak login flow',\n    });\n  }\n\n  // ---------------------------------------------------------------------------\n  // SESSION OPERATIONS\n  // ---------------------------------------------------------------------------\n\n  async listSessions(userId: string, adminToken?: string): Promise<Session[]> {\n    if (!adminToken) {\n      throw new AccessDeniedError('Admin token required', 'keycloak');\n    }\n\n    const sessions = await this.request<KeycloakSession[]>(\n      `${this.getAdminUrl()}/users/${userId}/sessions`,\n      { method: 'GET' },\n      adminToken,\n    );\n\n    return sessions.map((s) => ({\n      id: s.id,\n      userId: s.userId,\n      clientId: s.clients ? Object.keys(s.clients).join(', ') : undefined,\n      startedAt: new Date(s.start),\n      lastAccessedAt: new Date(s.lastAccess),\n      ipAddress: s.ipAddress,\n      userAgent: s.userAgent,\n    }));\n  }\n\n  async revokeSession(sessionId: string, adminToken?: string): Promise<void> {\n    if (!adminToken) {\n      throw new AccessDeniedError('Admin token required', 'keycloak');\n    }\n\n    await this.request(\n      `${this.getAdminUrl()}/sessions/${sessionId}`,\n      { method: 'DELETE' },\n      adminToken,\n    );\n  }\n\n  async revokeAllSessions(userId: string, adminToken?: string): Promise<void> {\n    if (!adminToken) {\n      throw new AccessDeniedError('Admin token required', 'keycloak');\n    }\n\n    await this.request(\n      `${this.getAdminUrl()}/users/${userId}/logout`,\n      { method: 'POST' },\n      adminToken,\n    );\n  }\n\n  // ---------------------------------------------------------------------------\n  // AUTHORIZATION\n  // ---------------------------------------------------------------------------\n\n  async hasRole(tokenOrUserId: string, role: string): Promise<boolean> {\n    const roles = await this.getRoles(tokenOrUserId);\n    return roles.includes(role);\n  }\n\n  async hasPermission(\n    tokenOrUserId: string,\n    permission: string,\n    resource?: string,\n  ): Promise<boolean> {\n    // Keycloak permissions are typically checked via the Authorization Services API\n    // For now, we check if the user has a role matching the permission\n    // A full implementation would use the entitlement API\n    const roles = await this.getRoles(tokenOrUserId);\n    const permissionRole = resource ? `${resource}:${permission}` : permission;\n    return roles.includes(permissionRole) || roles.includes(permission);\n  }\n\n  async getRoles(\n    tokenOrUserId: string,\n    adminToken?: string,\n  ): Promise<string[]> {\n    // First try to decode as JWT\n    try {\n      const claims = await this.validateToken(tokenOrUserId);\n      if (claims) {\n        return claims.roles || [];\n      }\n    } catch {\n      // Not a valid token, might be a user ID\n    }\n\n    // If admin token provided, try to fetch roles by user ID\n    if (adminToken) {\n      try {\n        const roleMappings = await this.request<{\n          realmMappings?: { name: string }[];\n        }>(\n          `${this.getAdminUrl()}/users/${tokenOrUserId}/role-mappings`,\n          { method: 'GET' },\n          adminToken,\n        );\n\n        return roleMappings.realmMappings?.map((r) => r.name) || [];\n      } catch {\n        // User ID not found or other error\n      }\n    }\n\n    return [];\n  }\n\n  async assignRole(\n    userId: string,\n    role: string,\n    adminToken: string,\n  ): Promise<void> {\n    // First, get the role\n    const roles = await this.request<KeycloakRole[]>(\n      `${this.getAdminUrl()}/roles`,\n      { method: 'GET' },\n      adminToken,\n    );\n\n    const roleObj = roles.find((r) => r.name === role);\n    if (!roleObj) {\n      throw new ProviderError(`Role not found: ${role}`, 'keycloak');\n    }\n\n    await this.request(\n      `${this.getAdminUrl()}/users/${userId}/role-mappings/realm`,\n      {\n        method: 'POST',\n        body: JSON.stringify([roleObj]),\n      },\n      adminToken,\n    );\n  }\n\n  async removeRole(\n    userId: string,\n    role: string,\n    adminToken: string,\n  ): Promise<void> {\n    // First, get the role\n    const roles = await this.request<KeycloakRole[]>(\n      `${this.getAdminUrl()}/roles`,\n      { method: 'GET' },\n      adminToken,\n    );\n\n    const roleObj = roles.find((r) => r.name === role);\n    if (!roleObj) {\n      throw new ProviderError(`Role not found: ${role}`, 'keycloak');\n    }\n\n    await this.request(\n      `${this.getAdminUrl()}/users/${userId}/role-mappings/realm`,\n      {\n        method: 'DELETE',\n        body: JSON.stringify([roleObj]),\n      },\n      adminToken,\n    );\n  }\n\n  // ---------------------------------------------------------------------------\n  // PROVIDER INFORMATION\n  // ---------------------------------------------------------------------------\n\n  async getCapabilities(): Promise<AuthCapabilities> {\n    return {\n      authorizationCode: true,\n      passwordGrant: true,\n      clientCredentials: true,\n      tokenRefresh: true,\n      oidc: true,\n      userManagement: true,\n      sessionManagement: true,\n      rbac: true,\n      passwordReset: true,\n      mfa: true,\n      socialLogin: true,\n      federation: true,\n      decentralized: false,\n    };\n  }\n\n  async getDiscoveryDocument(): Promise<OIDCDiscoveryDocument | null> {\n    return this.fetchDiscoveryDocument();\n  }\n\n  // ---------------------------------------------------------------------------\n  // PRIVATE HELPERS\n  // ---------------------------------------------------------------------------\n\n  private mapKeycloakUser(user: KeycloakUser): UserProfile {\n    return {\n      id: user.id,\n      username: user.username,\n      email: user.email,\n      emailVerified: user.emailVerified,\n      firstName: user.firstName,\n      lastName: user.lastName,\n      displayName:\n        user.firstName && user.lastName\n          ? `${user.firstName} ${user.lastName}`\n          : user.username,\n      enabled: user.enabled,\n      createdAt: user.createdTimestamp\n        ? new Date(user.createdTimestamp)\n        : undefined,\n      attributes: user.attributes,\n      groups: user.groups,\n    };\n  }\n\n  private async assignRoles(\n    userId: string,\n    roleNames: string[],\n    adminToken: string,\n  ): Promise<void> {\n    const allRoles = await this.request<KeycloakRole[]>(\n      `${this.getAdminUrl()}/roles`,\n      { method: 'GET' },\n      adminToken,\n    );\n\n    const rolesToAssign = allRoles.filter((r) => roleNames.includes(r.name));\n\n    if (rolesToAssign.length > 0) {\n      await this.request(\n        `${this.getAdminUrl()}/users/${userId}/role-mappings/realm`,\n        {\n          method: 'POST',\n          body: JSON.stringify(rolesToAssign),\n        },\n        adminToken,\n      );\n    }\n  }\n\n  private async addUserToGroup(\n    userId: string,\n    groupName: string,\n    adminToken: string,\n  ): Promise<void> {\n    // Get group by name\n    const groups = await this.request<KeycloakGroup[]>(\n      `${this.getAdminUrl()}/groups?search=${encodeURIComponent(groupName)}`,\n      { method: 'GET' },\n      adminToken,\n    );\n\n    const group = groups.find((g) => g.name === groupName);\n    if (!group) {\n      throw new ProviderError(`Group not found: ${groupName}`, 'keycloak');\n    }\n\n    await this.request(\n      `${this.getAdminUrl()}/users/${userId}/groups/${group.id}`,\n      { method: 'PUT' },\n      adminToken,\n    );\n  }\n}\n\n// ---------------------------------------------------------------------------\n// KEYCLOAK API TYPES\n// ---------------------------------------------------------------------------\n\ninterface KeycloakUser {\n  id: string;\n  username: string;\n  email?: string;\n  emailVerified?: boolean;\n  firstName?: string;\n  lastName?: string;\n  enabled?: boolean;\n  createdTimestamp?: number;\n  attributes?: Record<string, string[]>;\n  groups?: string[];\n  credentials?: Array<{\n    type: string;\n    value: string;\n    temporary?: boolean;\n  }>;\n}\n\ninterface KeycloakSession {\n  id: string;\n  userId: string;\n  username: string;\n  start: number;\n  lastAccess: number;\n  ipAddress?: string;\n  userAgent?: string;\n  clients?: Record<string, string>;\n}\n\ninterface KeycloakRole {\n  id: string;\n  name: string;\n  description?: string;\n  composite?: boolean;\n  clientRole?: boolean;\n  containerId?: string;\n}\n\ninterface KeycloakGroup {\n  id: string;\n  name: string;\n  path?: string;\n  subGroups?: KeycloakGroup[];\n}\n"],"names":["jose.createRemoteJWKSet","jose.decodeJwt","jose.jwtVerify","jose.errors.JWTExpired","jose.errors.JWTClaimValidationFailed","jose.errors.JWSSignatureVerificationFailed"],"mappings":";;AAyDA,SAAS,qBAAqB,SAAS,IAAY;AACjD,QAAM,QAAQ,IAAI,WAAW,MAAM;AACnC,SAAO,gBAAgB,KAAK;AAC5B,SAAO,MAAM,KAAK,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE;AAAA,IACrE;AAAA,EAAA;AAEJ;AAKA,eAAe,eAGZ;AACD,QAAM,WAAW,qBAAqB,EAAE;AACxC,QAAM,UAAU,IAAI,YAAA;AACpB,QAAM,OAAO,QAAQ,OAAO,QAAQ;AACpC,QAAM,OAAO,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AACvD,QAAM,YAAY,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,IAAI,CAAC,CAAC,EAChE,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AACpB,SAAO,EAAE,UAAU,UAAA;AACrB;AAOO,MAAM,iBAA0C;AAAA,EAC7C;AAAA,EAIA,oBAAkD;AAAA,EAClD,OAAoC;AAAA,EAE5C,YAAY,SAA0B;AACpC,QAAI,CAAC,QAAQ,WAAW;AACtB,YAAM,IAAI,mBAAmB,yBAAyB,UAAU;AAAA,IAClE;AACA,QAAI,CAAC,QAAQ,OAAO;AAClB,YAAM,IAAI,mBAAmB,qBAAqB,UAAU;AAAA,IAC9D;AACA,QAAI,CAAC,QAAQ,UAAU;AACrB,YAAM,IAAI,mBAAmB,wBAAwB,UAAU;AAAA,IACjE;AAEA,SAAK,UAAU;AAAA,MACb,SAAS;AAAA,MACT,WAAW;AAAA,MACX,QAAQ,CAAC,UAAU,WAAW,OAAO;AAAA,MACrC,SAAS;AAAA,MACT,YAAY;AAAA,MACZ,GAAG;AAAA,IAAA;AAAA,EAEP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,cAAsB;AAC5B,WAAO,GAAG,KAAK,QAAQ,SAAS,WAAW,KAAK,QAAQ,KAAK;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA,EAKQ,cAAsB;AAC5B,WAAO,GAAG,KAAK,QAAQ,SAAS,iBAAiB,KAAK,QAAQ,KAAK;AAAA,EACrE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QACZ,KACA,UAAuB,CAAA,GACvB,YACY;AACZ,UAAM,UAAkC;AAAA,MACtC,gBAAgB;AAAA,MAChB,GAAG,KAAK,QAAQ;AAAA,MAChB,GAAI,QAAQ;AAAA,IAAA;AAGd,QAAI,YAAY;AACd,cAAQ,eAAe,IAAI,UAAU,UAAU;AAAA,IACjD;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,GAAG;AAAA,QACH;AAAA,QACA,QAAQ,YAAY,QAAQ,KAAK,QAAQ,WAAW,GAAK;AAAA,MAAA,CAC1D;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,OAAO,MAAM,MAAM,EAAE;AACtD,YAAI,YAAqC,CAAA;AACzC,YAAI;AACF,sBAAY,KAAK,MAAM,SAAS;AAAA,QAClC,QAAQ;AAAA,QAER;AAEA,aAAK,gBAAgB,SAAS,QAAQ,WAAW,SAAS;AAAA,MAC5D;AAEA,YAAM,OAAO,MAAM,SAAS,KAAA;AAC5B,UAAI,CAAC,KAAM,QAAO,CAAA;AAClB,aAAO,KAAK,MAAM,IAAI;AAAA,IACxB,SAAS,OAAO;AACd,UAAI,iBAAiB,SAAS,MAAM,SAAS,gBAAgB;AAC3D,cAAM,IAAI,aAAa,qBAAqB,YAAY,KAAK;AAAA,MAC/D;AACA,UACE,iBAAiB,2BACjB,iBAAiB,qBACjB,iBAAiB,qBACjB,iBAAiB,sBACjB,iBAAiB,qBACjB,iBAAiB,eACjB;AACA,cAAM;AAAA,MACR;AACA,YAAM,IAAI;AAAA,QACR,kBAAkB,iBAAiB,QAAQ,MAAM,UAAU,eAAe;AAAA,QAC1E;AAAA,QACA,iBAAiB,QAAQ,QAAQ;AAAA,MAAA;AAAA,IAErC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,gBACN,QACA,MACA,SACO;AACP,UAAM,QAAQ,KAAK;AACnB,UAAM,mBACJ,KAAK,gBAAgB,KAAK,qBAAqB;AAEjD,YAAQ,QAAA;AAAA,MACN,KAAK;AACH,YAAI,UAAU,iBAAiB;AAC7B,gBAAM,IAAI,kBAAkB,kBAA4B,UAAU;AAAA,QACpE;AACA,YAAI,UAAU,kBAAkB;AAC9B,gBAAM,IAAI,mBAAmB,UAAU;AAAA,QACzC;AACA,cAAM,IAAI,cAAc,gBAAgB,gBAAgB,IAAI,UAAU;AAAA,MAExE,KAAK;AACH,cAAM,IAAI,wBAAwB,UAAU;AAAA,MAE9C,KAAK;AACH,cAAM,IAAI,kBAAkB,kBAA4B,UAAU;AAAA,MAEpE,KAAK;AACH,cAAM,IAAI,kBAAkB,QAAW,UAAU;AAAA,MAEnD,KAAK;AACH,cAAM,IAAI,uBAAuB,QAAW,UAAU;AAAA,MAExD;AACE,cAAM,IAAI;AAAA,UACR,mBAAmB,MAAM,MAAM,gBAAgB;AAAA,UAC/C;AAAA,QAAA;AAAA,IACF;AAAA,EAEN;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,yBAAyD;AACrE,QAAI,KAAK,mBAAmB;AAC1B,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,MAAM,GAAG,KAAK,YAAA,CAAa;AACjC,SAAK,oBAAoB,MAAM,KAAK,QAA+B,GAAG;AACtE,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,UAAyC;AACrD,QAAI,KAAK,MAAM;AACb,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,YAAY,MAAM,KAAK,uBAAA;AAC7B,SAAK,OAAOA,mBAAwB,IAAI,IAAI,UAAU,QAAQ,CAAC;AAC/D,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,oBACJ,SAC8B;AAC9B,UAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,UAAM,QAAQ,SAAS,SAAS,qBAAA;AAChC,UAAM,QAAQ,SAAS,SAAS,qBAAA;AAChC,UAAM,SAAS,SAAS,UACtB,KAAK,QAAQ,UAAU,CAAC,UAAU,WAAW,OAAO;AACtD,UAAM,cAAc,SAAS,eAAe,KAAK,QAAQ;AAEzD,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI,mBAAmB,2BAA2B,UAAU;AAAA,IACpE;AAEA,UAAM,SAAS,IAAI,gBAAgB;AAAA,MACjC,WAAW,KAAK,QAAQ;AAAA,MACxB,cAAc;AAAA,MACd,eAAe;AAAA,MACf,OAAO,OAAO,KAAK,GAAG;AAAA,MACtB;AAAA,MACA;AAAA,IAAA,CACD;AAED,QAAI,SAAS,QAAQ;AACnB,aAAO,IAAI,UAAU,QAAQ,MAAM;AAAA,IACrC;AAEA,QAAI,SAAS,WAAW;AACtB,aAAO,IAAI,cAAc,QAAQ,SAAS;AAAA,IAC5C;AAGA,QAAI,SAAS,aAAa;AACxB,iBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,QAAQ,WAAW,GAAG;AAC9D,eAAO,IAAI,KAAK,KAAK;AAAA,MACvB;AAAA,IACF;AAEA,QAAI;AACJ,QAAI,KAAK,QAAQ,SAAS;AACxB,YAAM,OAAO,MAAM,aAAA;AACnB,qBAAe,KAAK;AACpB,aAAO,IAAI,kBAAkB,KAAK,SAAS;AAC3C,aAAO,IAAI,yBAAyB,MAAM;AAAA,IAC5C;AAEA,UAAM,MAAM,GAAG,UAAU,sBAAsB,IAAI,OAAO,UAAU;AAEpE,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAAA,EAEJ;AAAA,EAEA,MAAM,aAAa,QAAiD;AAClE,UAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,UAAM,cAAc,OAAO,eAAe,KAAK,QAAQ;AACvD,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI,mBAAmB,2BAA2B,UAAU;AAAA,IACpE;AAEA,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,WAAW,KAAK,QAAQ;AAAA,MACxB,MAAM,OAAO;AAAA,MACb,cAAc;AAAA,IAAA,CACf;AAED,QAAI,KAAK,QAAQ,cAAc;AAC7B,WAAK,IAAI,iBAAiB,KAAK,QAAQ,YAAY;AAAA,IACrD;AAEA,QAAI,OAAO,cAAc;AACvB,WAAK,IAAI,iBAAiB,OAAO,YAAY;AAAA,IAC/C;AAEA,UAAM,WAAW,MAAM,KAAK,QAOzB,UAAU,gBAAgB;AAAA,MAC3B,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAA;AAAA,MAC3B,MAAM,KAAK,SAAA;AAAA,IAAS,CACrB;AAGD,QAAI,SAAS;AACb,QAAI,SAAS,UAAU;AACrB,YAAM,UAAUC,UAAe,SAAS,QAAQ;AAChD,eAAS,QAAQ,OAAO;AAAA,IAC1B;AAEA,WAAO;AAAA,MACL,aAAa,SAAS;AAAA,MACtB,WAAW,SAAS,cAAc;AAAA,MAClC,WAAW,SAAS;AAAA,MACpB,cAAc,SAAS;AAAA,MACvB,SAAS,SAAS;AAAA,MAClB,OAAO,SAAS;AAAA,MAChB;AAAA,IAAA;AAAA,EAEJ;AAAA,EAEA,MAAM,aAAa,aAAmD;AACpE,UAAM,YAAY,MAAM,KAAK,uBAAA;AAC7B,UAAM,YAAY,YAAY,aAAa;AAE3C,UAAM,SAAS,YAAY,UACzB,KAAK,QAAQ,UAAU,CAAC,UAAU,WAAW,OAAO;AACtD,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,WAAW,KAAK,QAAQ;AAAA,MACxB,OAAO,OAAO,KAAK,GAAG;AAAA,IAAA,CACvB;AAED,QAAI,cAAc,sBAAsB;AAEtC,UAAI,CAAC,KAAK,QAAQ,cAAc;AAC9B,cAAM,IAAI,wBAAwB,YAAY;AAAA,UAC5C,QAAQ;AAAA,QAAA,CACT;AAAA,MACH;AACA,WAAK,IAAI,iBAAiB,KAAK,QAAQ,YAAY;AAAA,IACrD,OAAO;AAEL,UAAI,CAAC,YAAY,YAAY,CAAC,YAAY,UAAU;AAClD,cAAM,IAAI,wBAAwB,YAAY;AAAA,UAC5C,QAAQ;AAAA,QAAA,CACT;AAAA,MACH;AACA,WAAK,IAAI,YAAY,YAAY,QAAQ;AACzC,WAAK,IAAI,YAAY,YAAY,QAAQ;AAEzC,UAAI,KAAK,QAAQ,cAAc;AAC7B,aAAK,IAAI,iBAAiB,KAAK,QAAQ,YAAY;AAAA,MACrD;AAGA,UAAI,YAAY,SAAS;AACvB,aAAK,IAAI,QAAQ,YAAY,OAAO;AAAA,MACtC;AAAA,IACF;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,KAAK,QAOzB,UAAU,gBAAgB;AAAA,QAC3B,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,oCAAA;AAAA,QAC3B,MAAM,KAAK,SAAA;AAAA,MAAS,CACrB;AAGD,UAAI,SAAS;AACb,UAAI,SAAS,UAAU;AACrB,cAAM,UAAUA,UAAe,SAAS,QAAQ;AAChD,iBAAS,QAAQ,OAAO;AAAA,MAC1B,WAAW,SAAS,cAAc;AAChC,cAAM,UAAUA,UAAe,SAAS,YAAY;AACpD,iBAAS,QAAQ,OAAO;AAAA,MAC1B;AAEA,aAAO;AAAA,QACL,aAAa,SAAS;AAAA,QACtB,WAAW,SAAS,cAAc;AAAA,QAClC,WAAW,SAAS;AAAA,QACpB,cAAc,SAAS;AAAA,QACvB,SAAS,SAAS;AAAA,QAClB,OAAO,SAAS;AAAA,QAChB;AAAA,MAAA;AAAA,IAEJ,SAAS,OAAO;AAEd,UACE,iBAAiB,iBACjB,MAAM,QAAQ,SAAS,eAAe,KACtC,MAAM,QAAQ,SAAS,MAAM,GAC7B;AACA,cAAM,IAAI,iBAAiB,YAAY,CAAC,MAAM,CAAC;AAAA,MACjD;AACA,YAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,QAAQ,cAA2C;AACvD,UAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,WAAW,KAAK,QAAQ;AAAA,MACxB,eAAe;AAAA,IAAA,CAChB;AAED,QAAI,KAAK,QAAQ,cAAc;AAC7B,WAAK,IAAI,iBAAiB,KAAK,QAAQ,YAAY;AAAA,IACrD;AAEA,UAAM,WAAW,MAAM,KAAK,QAOzB,UAAU,gBAAgB;AAAA,MAC3B,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAA;AAAA,MAC3B,MAAM,KAAK,SAAA;AAAA,IAAS,CACrB;AAGD,QAAI,SAAS;AACb,QAAI,SAAS,cAAc;AACzB,YAAM,UAAUA,UAAe,SAAS,YAAY;AACpD,eAAS,QAAQ,OAAO;AAAA,IAC1B;AAEA,WAAO;AAAA,MACL,aAAa,SAAS;AAAA,MACtB,WAAW,SAAS,cAAc;AAAA,MAClC,WAAW,SAAS;AAAA,MACpB,cAAc,SAAS,iBAAiB;AAAA,MACxC,SAAS,SAAS;AAAA,MAClB,OAAO,SAAS;AAAA,MAChB;AAAA,IAAA;AAAA,EAEJ;AAAA,EAEA,MAAM,OAAO,SAAwC;AACnD,UAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,QAAI,CAAC,UAAU,sBAAsB;AAEnC,UAAI,SAAS,gBAAgB,UAAU,qBAAqB;AAC1D,cAAM,KAAK,QAAQ,UAAU,qBAAqB;AAAA,UAChD,QAAQ;AAAA,UACR,SAAS,EAAE,gBAAgB,oCAAA;AAAA,UAC3B,MAAM,IAAI,gBAAgB;AAAA,YACxB,WAAW,KAAK,QAAQ;AAAA,YACxB,OAAO,QAAQ;AAAA,YACf,iBAAiB;AAAA,UAAA,CAClB,EAAE,SAAA;AAAA,QAAS,CACb;AAAA,MACH;AACA;AAAA,IACF;AAEA,UAAM,SAAS,IAAI,gBAAgB;AAAA,MACjC,WAAW,KAAK,QAAQ;AAAA,IAAA,CACzB;AAED,QAAI,SAAS,OAAO;AAClB,aAAO,IAAI,iBAAiB,QAAQ,KAAK;AAAA,IAC3C;AAEA,QAAI,SAAS,uBAAuB;AAClC,aAAO,IAAI,4BAA4B,QAAQ,qBAAqB;AAAA,IACtE;AAGA,QAAI,SAAS,gBAAgB,UAAU,qBAAqB;AAC1D,YAAM,eAAe,IAAI,gBAAgB;AAAA,QACvC,WAAW,KAAK,QAAQ;AAAA,QACxB,OAAO,QAAQ;AAAA,QACf,iBAAiB;AAAA,MAAA,CAClB;AACD,UAAI,KAAK,QAAQ,cAAc;AAC7B,qBAAa,IAAI,iBAAiB,KAAK,QAAQ,YAAY;AAAA,MAC7D;AACA,YAAM,KAAK,QAAQ,UAAU,qBAAqB;AAAA,QAChD,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,oCAAA;AAAA,QAC3B,MAAM,aAAa,SAAA;AAAA,MAAS,CAC7B;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,cACJ,OACA,SAC6B;AAC7B,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,QAAA;AACxB,YAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,YAAM,gBAAuC;AAAA,QAC3C,QAAQ,SAAS,UAAU,UAAU;AAAA,QACrC,gBAAgB,SAAS,kBAAkB;AAAA,MAAA;AAG7C,UAAI,SAAS,UAAU;AACrB,sBAAc,WAAW,QAAQ;AAAA,MACnC;AAEA,YAAM,EAAE,YAAY,MAAMC,UAAe,OAAO,MAAM,aAAa;AAGnE,UAAI,SAAS,SAAS,QAAQ,UAAU,QAAQ,OAAO;AACrD,cAAM,IAAI,kBAAkB,UAAU;AAAA,MACxC;AAGA,YAAM,QAAkB,CAAA;AAGxB,UAAI,QAAQ,gBAAgB,OAAO,QAAQ,iBAAiB,UAAU;AACpE,cAAM,cAAc,QAAQ;AAC5B,YAAI,YAAY,OAAO;AACrB,gBAAM,KAAK,GAAG,YAAY,KAAK;AAAA,QACjC;AAAA,MACF;AAGA,UACE,QAAQ,mBACR,OAAO,QAAQ,oBAAoB,UACnC;AACA,cAAM,iBAAiB,QAAQ;AAI/B,mBAAW,UAAU,OAAO,OAAO,cAAc,GAAG;AAClD,cAAI,OAAO,OAAO;AAChB,kBAAM,KAAK,GAAG,OAAO,KAAK;AAAA,UAC5B;AAAA,QACF;AAAA,MACF;AAEA,aAAO;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ;AAAA,QACb,KAAK,QAAQ;AAAA,QACb,OAAO,QAAQ;AAAA,QACf,gBAAgB,QAAQ;AAAA,QACxB,oBAAoB,QAAQ;AAAA,QAC5B,MAAM,QAAQ;AAAA,QACd;AAAA,QACA,GAAG;AAAA,MAAA;AAAA,IAEP,SAAS,OAAO;AACd,UAAI,iBAAiBC,YAAwB;AAC3C,cAAM,IAAI,kBAAkB,UAAU;AAAA,MACxC;AACA,UAAI,iBAAiBC,0BAAsC;AACzD,eAAO;AAAA,MACT;AACA,UAAI,iBAAiBC,gCAA4C;AAC/D,cAAM,IAAI,kBAAkB,2BAA2B,UAAU;AAAA,MACnE;AACA,UAAI,iBAAiB,mBAAmB;AACtC,cAAM;AAAA,MACR;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,YAAY,OAA6B;AACvC,QAAI;AACF,YAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,UAAI,MAAM,WAAW,GAAG;AACtB,cAAM,IAAI,kBAAkB,sBAAsB,UAAU;AAAA,MAC9D;AAEA,YAAM,SAAS,KAAK,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC;AACxC,YAAM,UAAUJ,UAAe,KAAK;AAEpC,aAAO;AAAA,QACL,QAAQ;AAAA,UACN,KAAK,OAAO;AAAA,UACZ,KAAK,OAAO;AAAA,UACZ,KAAK,OAAO;AAAA,QAAA;AAAA,QAEd;AAAA,QACA,WAAW,MAAM,CAAC;AAAA,MAAA;AAAA,IAEtB,QAAQ;AACN,YAAM,IAAI,kBAAkB,0BAA0B,UAAU;AAAA,IAClE;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,OAA4C;AAChE,UAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,QAAI,CAAC,UAAU,wBAAwB;AAErC,YAAM,SAAS,MAAM,KAAK,cAAc,KAAK;AAC7C,aAAO;AAAA,QACL,QAAQ,WAAW;AAAA,QACnB,QAAQ,UAAU;AAAA,MAAA;AAAA,IAEtB;AAEA,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,WAAW,KAAK,QAAQ;AAAA,MACxB;AAAA,IAAA,CACD;AAED,QAAI,KAAK,QAAQ,cAAc;AAC7B,WAAK,IAAI,iBAAiB,KAAK,QAAQ,YAAY;AAAA,IACrD;AAEA,UAAM,WAAW,MAAM,KAAK,QAWzB,UAAU,wBAAwB;AAAA,MACnC,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAA;AAAA,MAC3B,MAAM,KAAK,SAAA;AAAA,IAAS,CACrB;AAED,QAAI,CAAC,SAAS,QAAQ;AACpB,aAAO,EAAE,QAAQ,MAAA;AAAA,IACnB;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,QAAQ;AAAA,QACN,KAAK,SAAS,OAAO;AAAA,QACrB,KAAK,SAAS,OAAO;AAAA,QACrB,KAAK,SAAS,OAAO;AAAA,QACrB,KAAK,SAAS,OAAO;AAAA,QACrB,KAAK,SAAS,OAAO;AAAA,QACrB,GAAG;AAAA,MAAA;AAAA,MAEL,WAAW,SAAS;AAAA,MACpB,UAAU,SAAS;AAAA,MACnB,OAAO,SAAS;AAAA,IAAA;AAAA,EAEpB;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,WAAW,gBAA8C;AAC7D,UAAM,YAAY,MAAM,KAAK,uBAAA;AAE7B,UAAM,WAAW,MAAM,KAAK,QAUzB,UAAU,mBAAmB;AAAA,MAC9B,QAAQ;AAAA,MACR,SAAS,EAAE,eAAe,UAAU,cAAc,GAAA;AAAA,IAAG,CACtD;AAED,WAAO;AAAA,MACL,IAAI,SAAS;AAAA,MACb,UAAU,SAAS;AAAA,MACnB,OAAO,SAAS;AAAA,MAChB,eAAe,SAAS;AAAA,MACxB,WAAW,SAAS;AAAA,MACpB,UAAU,SAAS;AAAA,MACnB,aAAa,SAAS;AAAA,MACtB,SAAS,SAAS;AAAA,IAAA;AAAA,EAEtB;AAAA,EAEA,MAAM,cACJ,gBACA,SACsB;AAEtB,UAAM,UAAUA,UAAe,cAAc;AAC7C,UAAM,SAAS,QAAQ;AAEvB,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,kBAAkB,kCAAkC,UAAU;AAAA,IAC1E;AAGA,UAAM,aAAa,GAAG,KAAK,YAAA,CAAa;AAExC,UAAM,aAAsC,CAAA;AAC5C,QAAI,QAAQ,cAAc;AACxB,iBAAW,YAAY,QAAQ;AACjC,QAAI,QAAQ,aAAa,OAAW,YAAW,WAAW,QAAQ;AAClE,QAAI,QAAQ,UAAU,OAAW,YAAW,QAAQ,QAAQ;AAE5D,UAAM,KAAK,QAAQ,YAAY;AAAA,MAC7B,QAAQ;AAAA,MACR,SAAS,EAAE,eAAe,UAAU,cAAc,GAAA;AAAA,MAClD,MAAM,KAAK,UAAU,UAAU;AAAA,IAAA,CAChC;AAED,WAAO,KAAK,WAAW,cAAc;AAAA,EACvC;AAAA,EAEA,MAAM,QAAQ,QAAgB,YAA2C;AACvE,QAAI,CAAC,YAAY;AACf,YAAM,IAAI,kBAAkB,wBAAwB,UAAU;AAAA,IAChE;AAEA,UAAM,WAAW,MAAM,KAAK;AAAA,MAC1B,GAAG,KAAK,YAAA,CAAa,UAAU,MAAM;AAAA,MACrC,EAAE,QAAQ,MAAA;AAAA,MACV;AAAA,IAAA;AAGF,WAAO,KAAK,gBAAgB,QAAQ;AAAA,EACtC;AAAA,EAEA,MAAM,WACJ,MACA,YACsB;AACtB,UAAM,eAAsC;AAAA,MAC1C,UAAU,KAAK;AAAA,MACf,OAAO,KAAK;AAAA,MACZ,WAAW,KAAK;AAAA,MAChB,UAAU,KAAK;AAAA,MACf,SAAS,KAAK,WAAW;AAAA,MACzB,eAAe,KAAK,iBAAiB;AAAA,MACrC,YAAY,KAAK;AAAA,IAAA;AAGnB,QAAI,KAAK,UAAU;AACjB,mBAAa,cAAc;AAAA,QACzB;AAAA,UACE,MAAM;AAAA,UACN,OAAO,KAAK;AAAA,UACZ,WAAW;AAAA,QAAA;AAAA,MACb;AAAA,IAEJ;AAEA,UAAM,WAAW,MAAM,MAAM,GAAG,KAAK,YAAA,CAAa,UAAU;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,eAAe,UAAU,UAAU;AAAA,MAAA;AAAA,MAErC,MAAM,KAAK,UAAU,YAAY;AAAA,IAAA,CAClC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,YAAY,MAAM,SAAS,KAAA;AACjC,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,uBAAuB,KAAK,UAAU,UAAU;AAAA,MAC5D;AACA,YAAM,IAAI;AAAA,QACR,0BAA0B,SAAS;AAAA,QACnC;AAAA,MAAA;AAAA,IAEJ;AAGA,UAAM,WAAW,SAAS,QAAQ,IAAI,UAAU;AAChD,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,cAAc,iCAAiC,UAAU;AAAA,IACrE;AAEA,UAAM,SAAS,SAAS,MAAM,GAAG,EAAE,IAAA;AAGnC,QAAI,KAAK,OAAO,QAAQ;AACtB,YAAM,KAAK,YAAY,QAAQ,KAAK,OAAO,UAAU;AAAA,IACvD;AAGA,QAAI,KAAK,QAAQ,QAAQ;AACvB,iBAAW,aAAa,KAAK,QAAQ;AACnC,cAAM,KAAK,eAAe,QAAQ,WAAW,UAAU;AAAA,MACzD;AAAA,IACF;AAEA,WAAO,KAAK,QAAQ,QAAQ,UAAU;AAAA,EACxC;AAAA,EAEA,MAAM,WACJ,QACA,SACA,YACsB;AACtB,UAAM,eAAsC,CAAA;AAE5C,QAAI,QAAQ,aAAa;AACvB,mBAAa,WAAW,QAAQ;AAClC,QAAI,QAAQ,UAAU,OAAW,cAAa,QAAQ,QAAQ;AAC9D,QAAI,QAAQ,cAAc;AACxB,mBAAa,YAAY,QAAQ;AACnC,QAAI,QAAQ,aAAa;AACvB,mBAAa,WAAW,QAAQ;AAClC,QAAI,QAAQ,YAAY,OAAW,cAAa,UAAU,QAAQ;AAClE,QAAI,QAAQ,kBAAkB;AAC5B,mBAAa,gBAAgB,QAAQ;AACvC,QAAI,QAAQ,eAAe,QAAW;AACpC,mBAAa,aAAa,QAAQ;AAAA,IACpC;AAEA,UAAM,KAAK;AAAA,MACT,GAAG,KAAK,YAAA,CAAa,UAAU,MAAM;AAAA,MACrC;AAAA,QACE,QAAQ;AAAA,QACR,MAAM,KAAK,UAAU,YAAY;AAAA,MAAA;AAAA,MAEnC;AAAA,IAAA;AAIF,QAAI,QAAQ,UAAU;AACpB,YAAM,KAAK;AAAA,QACT,GAAG,KAAK,YAAA,CAAa,UAAU,MAAM;AAAA,QACrC;AAAA,UACE,QAAQ;AAAA,UACR,MAAM,KAAK,UAAU;AAAA,YACnB,MAAM;AAAA,YACN,OAAO,QAAQ;AAAA,YACf,WAAW;AAAA,UAAA,CACZ;AAAA,QAAA;AAAA,QAEH;AAAA,MAAA;AAAA,IAEJ;AAEA,WAAO,KAAK,QAAQ,QAAQ,UAAU;AAAA,EACxC;AAAA,EAEA,MAAM,WAAW,QAAgB,YAAmC;AAClE,UAAM,KAAK;AAAA,MACT,GAAG,KAAK,YAAA,CAAa,UAAU,MAAM;AAAA,MACrC,EAAE,QAAQ,SAAA;AAAA,MACV;AAAA,IAAA;AAAA,EAEJ;AAAA,EAEA,MAAM,UACJ,OACA,YACyB;AACzB,QAAI,CAAC,YAAY;AACf,YAAM,IAAI,kBAAkB,wBAAwB,UAAU;AAAA,IAChE;AAEA,UAAM,SAAS,IAAI,gBAAA;AAEnB,QAAI,MAAM,OAAQ,QAAO,IAAI,UAAU,MAAM,MAAM;AACnD,QAAI,MAAM,MAAO,QAAO,IAAI,SAAS,MAAM,KAAK;AAChD,QAAI,MAAM,SAAU,QAAO,IAAI,YAAY,MAAM,QAAQ;AACzD,QAAI,MAAM,YAAY;AACpB,aAAO,IAAI,WAAW,OAAO,MAAM,OAAO,CAAC;AAC7C,QAAI,MAAM,MAAO,QAAO,IAAI,OAAO,OAAO,MAAM,KAAK,CAAC;AACtD,QAAI,MAAM,OAAQ,QAAO,IAAI,SAAS,OAAO,MAAM,MAAM,CAAC;AAE1D,UAAM,QAAQ,MAAM,KAAK;AAAA,MACvB,GAAG,KAAK,YAAA,CAAa,UAAU,OAAO,UAAU;AAAA,MAChD,EAAE,QAAQ,MAAA;AAAA,MACV;AAAA,IAAA;AAIF,UAAM,gBAAgB,MAAM,KAAK;AAAA,MAC/B,GAAG,KAAK,YAAA,CAAa,gBAAgB,OAAO,UAAU;AAAA,MACtD,EAAE,QAAQ,MAAA;AAAA,MACV;AAAA,IAAA;AAGF,WAAO;AAAA,MACL,OAAO,MAAM,IAAI,CAAC,MAAM,KAAK,gBAAgB,CAAC,CAAC;AAAA,MAC/C,OAAO;AAAA,MACP,OAAO,MAAM,SAAS;AAAA,MACtB,QAAQ,MAAM,UAAU;AAAA,IAAA;AAAA,EAE5B;AAAA,EAEA,MAAM,qBAAqB,OAA8B;AAGvD,UAAM,IAAI,oBAAoB,wBAAwB,YAAY;AAAA,MAChE,QACE;AAAA,IAAA,CACH;AAAA,EACH;AAAA,EAEA,MAAM,cAAc,OAAe,aAAoC;AAErE,UAAM,IAAI,oBAAoB,iBAAiB,YAAY;AAAA,MACzD,QAAQ;AAAA,IAAA,CACT;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aAAa,QAAgB,YAAyC;AAC1E,QAAI,CAAC,YAAY;AACf,YAAM,IAAI,kBAAkB,wBAAwB,UAAU;AAAA,IAChE;AAEA,UAAM,WAAW,MAAM,KAAK;AAAA,MAC1B,GAAG,KAAK,YAAA,CAAa,UAAU,MAAM;AAAA,MACrC,EAAE,QAAQ,MAAA;AAAA,MACV;AAAA,IAAA;AAGF,WAAO,SAAS,IAAI,CAAC,OAAO;AAAA,MAC1B,IAAI,EAAE;AAAA,MACN,QAAQ,EAAE;AAAA,MACV,UAAU,EAAE,UAAU,OAAO,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,IAAI;AAAA,MAC1D,WAAW,IAAI,KAAK,EAAE,KAAK;AAAA,MAC3B,gBAAgB,IAAI,KAAK,EAAE,UAAU;AAAA,MACrC,WAAW,EAAE;AAAA,MACb,WAAW,EAAE;AAAA,IAAA,EACb;AAAA,EACJ;AAAA,EAEA,MAAM,cAAc,WAAmB,YAAoC;AACzE,QAAI,CAAC,YAAY;AACf,YAAM,IAAI,kBAAkB,wBAAwB,UAAU;AAAA,IAChE;AAEA,UAAM,KAAK;AAAA,MACT,GAAG,KAAK,YAAA,CAAa,aAAa,SAAS;AAAA,MAC3C,EAAE,QAAQ,SAAA;AAAA,MACV;AAAA,IAAA;AAAA,EAEJ;AAAA,EAEA,MAAM,kBAAkB,QAAgB,YAAoC;AAC1E,QAAI,CAAC,YAAY;AACf,YAAM,IAAI,kBAAkB,wBAAwB,UAAU;AAAA,IAChE;AAEA,UAAM,KAAK;AAAA,MACT,GAAG,KAAK,YAAA,CAAa,UAAU,MAAM;AAAA,MACrC,EAAE,QAAQ,OAAA;AAAA,MACV;AAAA,IAAA;AAAA,EAEJ;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAQ,eAAuB,MAAgC;AACnE,UAAM,QAAQ,MAAM,KAAK,SAAS,aAAa;AAC/C,WAAO,MAAM,SAAS,IAAI;AAAA,EAC5B;AAAA,EAEA,MAAM,cACJ,eACA,YACA,UACkB;AAIlB,UAAM,QAAQ,MAAM,KAAK,SAAS,aAAa;AAC/C,UAAM,iBAAiB,WAAW,GAAG,QAAQ,IAAI,UAAU,KAAK;AAChE,WAAO,MAAM,SAAS,cAAc,KAAK,MAAM,SAAS,UAAU;AAAA,EACpE;AAAA,EAEA,MAAM,SACJ,eACA,YACmB;AAEnB,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,cAAc,aAAa;AACrD,UAAI,QAAQ;AACV,eAAO,OAAO,SAAS,CAAA;AAAA,MACzB;AAAA,IACF,QAAQ;AAAA,IAER;AAGA,QAAI,YAAY;AACd,UAAI;AACF,cAAM,eAAe,MAAM,KAAK;AAAA,UAG9B,GAAG,KAAK,YAAA,CAAa,UAAU,aAAa;AAAA,UAC5C,EAAE,QAAQ,MAAA;AAAA,UACV;AAAA,QAAA;AAGF,eAAO,aAAa,eAAe,IAAI,CAAC,MAAM,EAAE,IAAI,KAAK,CAAA;AAAA,MAC3D,QAAQ;AAAA,MAER;AAAA,IACF;AAEA,WAAO,CAAA;AAAA,EACT;AAAA,EAEA,MAAM,WACJ,QACA,MACA,YACe;AAEf,UAAM,QAAQ,MAAM,KAAK;AAAA,MACvB,GAAG,KAAK,YAAA,CAAa;AAAA,MACrB,EAAE,QAAQ,MAAA;AAAA,MACV;AAAA,IAAA;AAGF,UAAM,UAAU,MAAM,KAAK,CAAC,MAAM,EAAE,SAAS,IAAI;AACjD,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,cAAc,mBAAmB,IAAI,IAAI,UAAU;AAAA,IAC/D;AAEA,UAAM,KAAK;AAAA,MACT,GAAG,KAAK,YAAA,CAAa,UAAU,MAAM;AAAA,MACrC;AAAA,QACE,QAAQ;AAAA,QACR,MAAM,KAAK,UAAU,CAAC,OAAO,CAAC;AAAA,MAAA;AAAA,MAEhC;AAAA,IAAA;AAAA,EAEJ;AAAA,EAEA,MAAM,WACJ,QACA,MACA,YACe;AAEf,UAAM,QAAQ,MAAM,KAAK;AAAA,MACvB,GAAG,KAAK,YAAA,CAAa;AAAA,MACrB,EAAE,QAAQ,MAAA;AAAA,MACV;AAAA,IAAA;AAGF,UAAM,UAAU,MAAM,KAAK,CAAC,MAAM,EAAE,SAAS,IAAI;AACjD,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,cAAc,mBAAmB,IAAI,IAAI,UAAU;AAAA,IAC/D;AAEA,UAAM,KAAK;AAAA,MACT,GAAG,KAAK,YAAA,CAAa,UAAU,MAAM;AAAA,MACrC;AAAA,QACE,QAAQ;AAAA,QACR,MAAM,KAAK,UAAU,CAAC,OAAO,CAAC;AAAA,MAAA;AAAA,MAEhC;AAAA,IAAA;AAAA,EAEJ;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,kBAA6C;AACjD,WAAO;AAAA,MACL,mBAAmB;AAAA,MACnB,eAAe;AAAA,MACf,mBAAmB;AAAA,MACnB,cAAc;AAAA,MACd,MAAM;AAAA,MACN,gBAAgB;AAAA,MAChB,mBAAmB;AAAA,MACnB,MAAM;AAAA,MACN,eAAe;AAAA,MACf,KAAK;AAAA,MACL,aAAa;AAAA,MACb,YAAY;AAAA,MACZ,eAAe;AAAA,IAAA;AAAA,EAEnB;AAAA,EAEA,MAAM,uBAA8D;AAClE,WAAO,KAAK,uBAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAMQ,gBAAgB,MAAiC;AACvD,WAAO;AAAA,MACL,IAAI,KAAK;AAAA,MACT,UAAU,KAAK;AAAA,MACf,OAAO,KAAK;AAAA,MACZ,eAAe,KAAK;AAAA,MACpB,WAAW,KAAK;AAAA,MAChB,UAAU,KAAK;AAAA,MACf,aACE,KAAK,aAAa,KAAK,WACnB,GAAG,KAAK,SAAS,IAAI,KAAK,QAAQ,KAClC,KAAK;AAAA,MACX,SAAS,KAAK;AAAA,MACd,WAAW,KAAK,mBACZ,IAAI,KAAK,KAAK,gBAAgB,IAC9B;AAAA,MACJ,YAAY,KAAK;AAAA,MACjB,QAAQ,KAAK;AAAA,IAAA;AAAA,EAEjB;AAAA,EAEA,MAAc,YACZ,QACA,WACA,YACe;AACf,UAAM,WAAW,MAAM,KAAK;AAAA,MAC1B,GAAG,KAAK,YAAA,CAAa;AAAA,MACrB,EAAE,QAAQ,MAAA;AAAA,MACV;AAAA,IAAA;AAGF,UAAM,gBAAgB,SAAS,OAAO,CAAC,MAAM,UAAU,SAAS,EAAE,IAAI,CAAC;AAEvE,QAAI,cAAc,SAAS,GAAG;AAC5B,YAAM,KAAK;AAAA,QACT,GAAG,KAAK,YAAA,CAAa,UAAU,MAAM;AAAA,QACrC;AAAA,UACE,QAAQ;AAAA,UACR,MAAM,KAAK,UAAU,aAAa;AAAA,QAAA;AAAA,QAEpC;AAAA,MAAA;AAAA,IAEJ;AAAA,EACF;AAAA,EAEA,MAAc,eACZ,QACA,WACA,YACe;AAEf,UAAM,SAAS,MAAM,KAAK;AAAA,MACxB,GAAG,KAAK,YAAA,CAAa,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,MACpE,EAAE,QAAQ,MAAA;AAAA,MACV;AAAA,IAAA;AAGF,UAAM,QAAQ,OAAO,KAAK,CAAC,MAAM,EAAE,SAAS,SAAS;AACrD,QAAI,CAAC,OAAO;AACV,YAAM,IAAI,cAAc,oBAAoB,SAAS,IAAI,UAAU;AAAA,IACrE;AAEA,UAAM,KAAK;AAAA,MACT,GAAG,KAAK,aAAa,UAAU,MAAM,WAAW,MAAM,EAAE;AAAA,MACxD,EAAE,QAAQ,MAAA;AAAA,MACV;AAAA,IAAA;AAAA,EAEJ;AACF;"}

package/dist/cli/claude-context.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=claude-context.d.ts.map

package/dist/cli/claude-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-context.d.ts","sourceRoot":"","sources":["../../src/cli/claude-context.ts"],"names":[],"mappings":""}

package/dist/cli/claude-context.js

@@ -0,0 +1,21 @@
+#!/usr/bin/env node
+import { existsSync, mkdirSync, copyFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+const Dirname = dirname(fileURLToPath(import.meta.url));
+const pkgRoot = join(Dirname, "../..");
+const targetDir = join(process.cwd(), ".claude");
+if (!existsSync(targetDir)) {
+  mkdirSync(targetDir, { recursive: true });
+}
+const pkgName = "auth";
+const agentMdSrc = existsSync(join(pkgRoot, "AGENT.md")) ? join(pkgRoot, "AGENT.md") : join(pkgRoot, "CLAUDE.md");
+const metaSrc = existsSync(join(pkgRoot, "metadata.json")) ? join(pkgRoot, "metadata.json") : join(pkgRoot, ".claude-meta.json");
+if (existsSync(agentMdSrc)) {
+  copyFileSync(agentMdSrc, join(targetDir, `have-${pkgName}.md`));
+}
+if (existsSync(metaSrc)) {
+  copyFileSync(metaSrc, join(targetDir, `have-${pkgName}.meta.json`));
+}
+console.log(`✓ Installed @happyvertical/${pkgName} context to .claude/`);
+//# sourceMappingURL=claude-context.js.map

package/dist/cli/claude-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-context.js","sources":["../../src/cli/claude-context.ts"],"sourcesContent":["#!/usr/bin/env node\n/**\n * CLI script to install agent context for @happyvertical/auth\n * Run the published context installer binary for this package.\n */\nimport { copyFileSync, existsSync, mkdirSync } from 'node:fs';\nimport { dirname, join } from 'node:path';\nimport { fileURLToPath } from 'node:url';\n\nconst Dirname = dirname(fileURLToPath(import.meta.url));\nconst pkgRoot = join(Dirname, '../..');\nconst targetDir = join(process.cwd(), '.claude');\n\nif (!existsSync(targetDir)) {\n  mkdirSync(targetDir, { recursive: true });\n}\n\nconst pkgName = 'auth';\nconst agentMdSrc = existsSync(join(pkgRoot, 'AGENT.md'))\n  ? join(pkgRoot, 'AGENT.md')\n  : join(pkgRoot, 'CLAUDE.md');\nconst metaSrc = existsSync(join(pkgRoot, 'metadata.json'))\n  ? join(pkgRoot, 'metadata.json')\n  : join(pkgRoot, '.claude-meta.json');\n\nif (existsSync(agentMdSrc)) {\n  copyFileSync(agentMdSrc, join(targetDir, `have-${pkgName}.md`));\n}\n\nif (existsSync(metaSrc)) {\n  copyFileSync(metaSrc, join(targetDir, `have-${pkgName}.meta.json`));\n}\n\nconsole.log(`✓ Installed @happyvertical/${pkgName} context to .claude/`);\n"],"names":[],"mappings":";;;;AASA,MAAM,UAAU,QAAQ,cAAc,YAAY,GAAG,CAAC;AACtD,MAAM,UAAU,KAAK,SAAS,OAAO;AACrC,MAAM,YAAY,KAAK,QAAQ,IAAA,GAAO,SAAS;AAE/C,IAAI,CAAC,WAAW,SAAS,GAAG;AAC1B,YAAU,WAAW,EAAE,WAAW,KAAA,CAAM;AAC1C;AAEA,MAAM,UAAU;AAChB,MAAM,aAAa,WAAW,KAAK,SAAS,UAAU,CAAC,IACnD,KAAK,SAAS,UAAU,IACxB,KAAK,SAAS,WAAW;AAC7B,MAAM,UAAU,WAAW,KAAK,SAAS,eAAe,CAAC,IACrD,KAAK,SAAS,eAAe,IAC7B,KAAK,SAAS,mBAAmB;AAErC,IAAI,WAAW,UAAU,GAAG;AAC1B,eAAa,YAAY,KAAK,WAAW,QAAQ,OAAO,KAAK,CAAC;AAChE;AAEA,IAAI,WAAW,OAAO,GAAG;AACvB,eAAa,SAAS,KAAK,WAAW,QAAQ,OAAO,YAAY,CAAC;AACpE;AAEA,QAAQ,IAAI,8BAA8B,OAAO,sBAAsB;"}

package/dist/index.d.ts

@@ -0,0 +1,65 @@
+/**
+ * @happyvertical/auth
+ *
+ * Unified authentication interface supporting:
+ * - Keycloak (OIDC/OAuth2)
+ * - AWS Cognito (OAuth2)
+ * - Kanidm (OIDC/OAuth2)
+ * - Google (OIDC)
+ * - GitHub (OAuth2)
+ * - Nostr (public key identity)
+ *
+ * @example
+ * ```typescript
+ * import { getAuth } from '@happyvertical/auth';
+ *
+ * // Keycloak
+ * const keycloak = await getAuth({
+ *   type: 'keycloak',
+ *   serverUrl: 'https://auth.example.com',
+ *   realm: 'my-realm',
+ *   clientId: 'my-app'
+ * });
+ *
+ * // Kanidm
+ * const kanidm = await getAuth({
+ *   type: 'kanidm',
+ *   serverUrl: 'https://idp.example.com',
+ *   clientId: 'my-app'
+ * });
+ *
+ * // Cognito
+ * const cognito = await getAuth({
+ *   type: 'cognito',
+ *   region: 'us-east-1',
+ *   userPoolId: 'us-east-1_xxx',
+ *   clientId: 'xxx'
+ * });
+ *
+ * // Nostr
+ * const nostr = await getAuth({
+ *   type: 'nostr',
+ *   relays: ['wss://relay.damus.io', 'wss://nos.lol']
+ * });
+ *
+ * // Authentication
+ * const result = await auth.authenticate({ username: 'user', password: 'pass' });
+ * console.log(result.accessToken);
+ *
+ * // Token validation
+ * const claims = await auth.validateToken(token);
+ * if (claims) {
+ *   console.log(`User: ${claims.sub}`);
+ * }
+ *
+ * // User profile
+ * const profile = await auth.getProfile(token);
+ * console.log(profile.email);
+ * ```
+ *
+ * @packageDocumentation
+ */
+export { AccessDeniedError, AuthError, AuthErrorCode, ChallengeExpiredError, ConfigurationError, ExtensionNotFoundError, hasErrorCode, InsufficientScopeError, InvalidClientError, InvalidCredentialsError, InvalidGrantError, InvalidKeyError, InvalidMfaCodeError, InvalidNonceError, InvalidRedirectUriError, InvalidRefreshTokenError, InvalidSignatureError, InvalidStateError, InvalidTokenError, isAuthError, MfaRequiredError, NetworkError, NotImplementedError, ProviderError, RelayError, SessionExpiredError, TokenExpiredError, UserAlreadyExistsError, UserDisabledError, UserNotFoundError, } from './shared/errors.js';
+export { getAuth, getAuthAuto } from './shared/factory.js';
+export type { AuthCapabilities, AuthCredentials, AuthInterface, AuthorizationOptions, AuthorizationResult, AuthResult, AWSCredentials, BaseAuthOptions, CodeExchangeParams, CognitoOptions, CreateUserRequest, GetAuthOptions, GitHubOptions, GoogleOptions, KanidmOptions, KeycloakOptions, LogoutOptions, NostrOptions, NostrSignedEvent, NostrSigner, NostrToken, NostrTokenOptions, NostrUnsignedEvent, OIDCDiscoveryDocument, RoleStoreConfig, Session, SessionStoreConfig, TokenClaims, TokenIntrospection, TokenPayload, TokenValidationOptions, UserListResult, UserProfile, UserQuery, WindowNostr, } from './shared/types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4DG;AAGH,OAAO,EAEL,iBAAiB,EACjB,SAAS,EACT,aAAa,EACb,qBAAqB,EACrB,kBAAkB,EAClB,sBAAsB,EACtB,YAAY,EACZ,sBAAsB,EACtB,kBAAkB,EAElB,uBAAuB,EACvB,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,iBAAiB,EACjB,uBAAuB,EACvB,wBAAwB,EAExB,qBAAqB,EAErB,iBAAiB,EACjB,iBAAiB,EAEjB,WAAW,EACX,gBAAgB,EAChB,YAAY,EAEZ,mBAAmB,EAEnB,aAAa,EACb,UAAU,EACV,mBAAmB,EACnB,iBAAiB,EACjB,sBAAsB,EACtB,iBAAiB,EAEjB,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAE3D,YAAY,EAEV,gBAAgB,EAChB,eAAe,EAEf,aAAa,EAEb,oBAAoB,EACpB,mBAAmB,EACnB,UAAU,EACV,cAAc,EACd,eAAe,EACf,kBAAkB,EAClB,cAAc,EACd,iBAAiB,EAEjB,cAAc,EACd,aAAa,EACb,aAAa,EACb,aAAa,EACb,eAAe,EACf,aAAa,EACb,YAAY,EAEZ,gBAAgB,EAChB,WAAW,EACX,UAAU,EACV,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,eAAe,EAEf,OAAO,EACP,kBAAkB,EAClB,WAAW,EACX,kBAAkB,EAClB,YAAY,EAEZ,sBAAsB,EACtB,cAAc,EAEd,WAAW,EACX,SAAS,EACT,WAAW,GACZ,MAAM,mBAAmB,CAAC"}