npm - @happyvertical/smrt-secrets - Versions diffs - 0.30.0 - Mend

@happyvertical/smrt-secrets 0.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/AGENTS.md +66 -0
package/CLAUDE.md +1 -0
package/LICENSE +7 -0
package/README.md +144 -0
package/dist/__smrt-register__.d.ts +2 -0
package/dist/__smrt-register__.d.ts.map +1 -0
package/dist/chunks/SecretService-C91H6WJK.js +1275 -0
package/dist/chunks/SecretService-C91H6WJK.js.map +1 -0
package/dist/chunks/TenantKey-DzglnpAV.js +377 -0
package/dist/chunks/TenantKey-DzglnpAV.js.map +1 -0
package/dist/collections/SecretAuditLogCollection.d.ts +71 -0
package/dist/collections/SecretAuditLogCollection.d.ts.map +1 -0
package/dist/collections/SecretCollection.d.ts +63 -0
package/dist/collections/SecretCollection.d.ts.map +1 -0
package/dist/collections/TenantKeyCollection.d.ts +42 -0
package/dist/collections/TenantKeyCollection.d.ts.map +1 -0
package/dist/collections/index.d.ts +8 -0
package/dist/collections/index.d.ts.map +1 -0
package/dist/index.d.ts +12 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +26 -0
package/dist/index.js.map +1 -0
package/dist/manifest.json +1272 -0
package/dist/models/Secret.d.ts +104 -0
package/dist/models/Secret.d.ts.map +1 -0
package/dist/models/SecretAuditLog.d.ts +123 -0
package/dist/models/SecretAuditLog.d.ts.map +1 -0
package/dist/models/TenantKey.d.ts +101 -0
package/dist/models/TenantKey.d.ts.map +1 -0
package/dist/models/index.d.ts +4 -0
package/dist/models/index.d.ts.map +1 -0
package/dist/models/index.js +8 -0
package/dist/models/index.js.map +1 -0
package/dist/services/SecretService.d.ts +266 -0
package/dist/services/SecretService.d.ts.map +1 -0
package/dist/services/SecretService.js +9 -0
package/dist/services/SecretService.js.map +1 -0
package/dist/smrt-knowledge.json +447 -0
package/package.json +71 -0

package/dist/chunks/SecretService-C91H6WJK.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SecretService-C91H6WJK.js","sources":["../../src/collections/SecretAuditLogCollection.ts","../../src/collections/SecretCollection.ts","../../src/collections/TenantKeyCollection.ts","../../../../node_modules/.pnpm/@happyvertical+logger@0.74.7_@sentry+node@10.51.0/node_modules/@happyvertical/logger/dist/index.js","../../src/services/SecretService.ts"],"sourcesContent":["/**\n * SecretAuditLogCollection - Collection manager for SecretAuditLog objects\n * @packageDocumentation\n */\n\nimport { SmrtCollection } from '@happyvertical/smrt-core';\nimport {\n type SecretAuditAction,\n SecretAuditLog,\n type SecretAuditResult,\n} from '../models/SecretAuditLog.js';\n\n/**\n * Options for listing audit logs\n */\nexport interface ListAuditLogsOptions {\n /**\n * Scope results to a single tenant's audit trail. Tenant-facing callers\n * (e.g. SecretService.getAuditLogs) must always set this — audit rows\n * reference secret names and must not leak across tenants (issue #1501).\n * Omit only for cross-tenant compliance tooling running under\n * withSuperAdminBypass().\n */\n tenantId?: string;\n /** Filter by secret name */\n secretName?: string;\n /** Filter by user ID */\n userId?: string;\n /** Filter by action type */\n action?: SecretAuditAction;\n /** Filter by result */\n result?: SecretAuditResult;\n /** Filter by date range start */\n since?: Date;\n /** Filter by date range end */\n until?: Date;\n /** Maximum number of results */\n limit?: number;\n /** Offset for pagination */\n offset?: number;\n}\n\n/**\n * Collection for managing SecretAuditLog objects\n */\nexport class SecretAuditLogCollection extends SmrtCollection<SecretAuditLog> {\n static readonly _itemClass = SecretAuditLog;\n\n /**\n * List audit logs with filtering options\n */\n async listLogs(\n options: ListAuditLogsOptions = {},\n ): Promise<SecretAuditLog[]> {\n const where: Record<string, unknown> = {};\n\n if (options.tenantId) {\n where.tenantId = options.tenantId;\n }\n\n if (options.secretName) {\n where.secretName = options.secretName;\n }\n\n if (options.userId) {\n where.userId = options.userId;\n }\n\n if (options.action) {\n where.action = options.action;\n }\n\n if (options.result) {\n where.result = options.result;\n }\n\n if (options.since) {\n where['created_at >'] = options.since.toISOString();\n }\n\n if (options.until) {\n where['created_at <'] = options.until.toISOString();\n }\n\n return this.list({\n where,\n limit: options.limit ?? 100,\n offset: options.offset,\n orderBy: 'created_at DESC',\n });\n }\n\n /**\n * Get audit logs for a specific secret\n */\n async getSecretHistory(\n secretName: string,\n limit: number = 50,\n ): Promise<SecretAuditLog[]> {\n return this.listLogs({ secretName, limit });\n }\n\n /**\n * Get audit logs for a specific user\n */\n async getUserActivity(\n userId: string,\n limit: number = 50,\n ): Promise<SecretAuditLog[]> {\n return this.listLogs({ userId, limit });\n }\n\n /**\n * Get recent failures\n */\n async getRecentFailures(limit: number = 20): Promise<SecretAuditLog[]> {\n return this.listLogs({ result: 'failure', limit });\n }\n\n /**\n * Get recent denied access attempts\n */\n async getRecentDenials(limit: number = 20): Promise<SecretAuditLog[]> {\n return this.listLogs({ result: 'denied', limit });\n }\n\n /**\n * Count operations by action type\n */\n async countByAction(\n since?: Date,\n ): Promise<Record<SecretAuditAction, number>> {\n const logs = await this.listLogs({ since, limit: 10000 });\n\n const counts: Record<SecretAuditAction, number> = {\n create: 0,\n read: 0,\n update: 0,\n delete: 0,\n rotate_key: 0,\n disable: 0,\n enable: 0,\n expire: 0,\n };\n\n for (const log of logs) {\n counts[log.action]++;\n }\n\n return counts;\n }\n\n /**\n * Count operations by result\n */\n async countByResult(\n since?: Date,\n ): Promise<Record<SecretAuditResult, number>> {\n const logs = await this.listLogs({ since, limit: 10000 });\n\n const counts: Record<SecretAuditResult, number> = {\n success: 0,\n failure: 0,\n denied: 0,\n };\n\n for (const log of logs) {\n counts[log.result]++;\n }\n\n return counts;\n }\n\n /**\n * Delete old audit logs\n * @param olderThanDays Delete logs older than this many days\n */\n async cleanup(olderThanDays: number = 365): Promise<number> {\n const cutoffDate = new Date();\n cutoffDate.setDate(cutoffDate.getDate() - olderThanDays);\n\n const oldLogs = await this.list({\n where: {\n 'created_at <': cutoffDate.toISOString(),\n },\n });\n\n let count = 0;\n for (const log of oldLogs) {\n await log.delete();\n count++;\n }\n\n return count;\n }\n}\n","/**\n * SecretCollection - Collection manager for Secret objects\n * @packageDocumentation\n */\n\nimport { SmrtCollection } from '@happyvertical/smrt-core';\nimport { Secret, type SecretStatus } from '../models/Secret.js';\n\n/**\n * Options for listing secrets\n */\nexport interface ListSecretsOptions {\n /** Filter by category */\n category?: string;\n /** Filter by status */\n status?: SecretStatus;\n /** Include expired secrets */\n includeExpired?: boolean;\n /** Maximum number of results */\n limit?: number;\n /** Offset for pagination */\n offset?: number;\n}\n\n/**\n * Collection for managing Secret objects\n *\n * All lookups take an explicit `tenantId` and scope on the authoritative\n * `tenant_id` column. Scoping must NOT rely on the tenancy interceptor\n * (which may be disabled in the host application) and must NOT use the\n * `context` column: `context = tenantId` is only a convention applied on\n * the create path, so pre-convention rows may have a divergent `context`.\n * See https://github.com/happyvertical/smrt/issues/1501\n */\nexport class SecretCollection extends SmrtCollection<Secret> {\n static readonly _itemClass = Secret;\n\n /**\n * Find a secret by name within the given tenant\n */\n async findByName(tenantId: string, name: string): Promise<Secret | null> {\n return this.get({ name, tenantId });\n }\n\n /**\n * List secrets for a tenant with filtering options\n */\n async listSecrets(\n tenantId: string,\n options: ListSecretsOptions = {},\n ): Promise<Secret[]> {\n const where: Record<string, unknown> = { tenantId };\n\n if (options.category) {\n where.category = options.category;\n }\n\n if (options.status) {\n where.status = options.status;\n }\n\n const secrets = await this.list({\n where,\n limit: options.limit,\n offset: options.offset,\n orderBy: 'name ASC',\n });\n\n // Filter out expired secrets unless explicitly included\n if (!options.includeExpired) {\n return secrets.filter((secret) => !secret.isExpired());\n }\n\n return secrets;\n }\n\n /**\n * List all active secrets for a tenant\n */\n async listActive(tenantId: string): Promise<Secret[]> {\n return this.listSecrets(tenantId, { status: 'active' });\n }\n\n /**\n * List a tenant's secrets by category\n */\n async listByCategory(tenantId: string, category: string): Promise<Secret[]> {\n return this.listSecrets(tenantId, { category, status: 'active' });\n }\n\n /**\n * List a tenant's secrets that need attention (expired or about to expire)\n */\n async listExpiring(\n tenantId: string,\n daysAhead: number = 30,\n ): Promise<Secret[]> {\n const futureDate = new Date();\n futureDate.setDate(futureDate.getDate() + daysAhead);\n\n const secrets = await this.list({\n where: {\n tenantId,\n status: 'active',\n 'expiresAt !=': null,\n 'expiresAt <': futureDate.toISOString(),\n },\n orderBy: 'expiresAt ASC',\n });\n\n return secrets;\n }\n\n /**\n * Get categories used in a tenant's secrets\n */\n async getCategories(tenantId: string): Promise<string[]> {\n const secrets = await this.list({ where: { tenantId } });\n const categories = new Set(secrets.map((s) => s.category).filter(Boolean));\n return Array.from(categories).sort();\n }\n\n /**\n * Count a tenant's secrets by status\n */\n async countByStatus(tenantId: string): Promise<Record<SecretStatus, number>> {\n const secrets = await this.list({ where: { tenantId } });\n\n const counts: Record<SecretStatus, number> = {\n active: 0,\n disabled: 0,\n expired: 0,\n };\n\n for (const secret of secrets) {\n if (secret.isExpired()) {\n counts.expired++;\n } else {\n counts[secret.status]++;\n }\n }\n\n return counts;\n }\n\n /**\n * Delete a tenant's secret by name\n */\n async deleteByName(tenantId: string, name: string): Promise<boolean> {\n const secret = await this.findByName(tenantId, name);\n if (!secret) return false;\n\n await secret.delete();\n return true;\n }\n}\n","/**\n * TenantKeyCollection - Collection manager for TenantKey objects\n * @packageDocumentation\n */\n\nimport { SmrtCollection } from '@happyvertical/smrt-core';\nimport { TenantKey, type TenantKeyStatus } from '../models/TenantKey.js';\n\n/**\n * Collection for managing TenantKey objects\n */\nexport class TenantKeyCollection extends SmrtCollection<TenantKey> {\n static readonly _itemClass = TenantKey;\n\n /**\n * Get the active key for a tenant\n */\n async getActiveKey(tenantId: string): Promise<TenantKey | null> {\n return this.get({\n tenantId,\n status: 'active',\n });\n }\n\n /**\n * List all key versions for a tenant\n */\n async listKeyVersions(tenantId: string): Promise<TenantKey[]> {\n return this.list({\n where: { tenantId },\n orderBy: 'version DESC',\n });\n }\n\n /**\n * Get a specific key version for a tenant\n */\n async getKeyVersion(\n tenantId: string,\n version: number,\n ): Promise<TenantKey | null> {\n return this.get({\n tenantId,\n version,\n });\n }\n\n /**\n * Find keys that need rotation\n */\n async findKeysNeedingRotation(): Promise<TenantKey[]> {\n const now = new Date();\n\n return this.list({\n where: {\n status: 'active',\n 'rotateAfter !=': null,\n 'rotateAfter <': now.toISOString(),\n },\n orderBy: 'rotateAfter ASC',\n });\n }\n\n /**\n * List all active keys across all tenants\n */\n async listAllActiveKeys(): Promise<TenantKey[]> {\n return this.list({\n where: { status: 'active' },\n orderBy: 'created_at DESC',\n });\n }\n\n /**\n * Count keys by status\n */\n async countByStatus(): Promise<Record<TenantKeyStatus, number>> {\n const keys = await this.list({});\n\n const counts: Record<TenantKeyStatus, number> = {\n active: 0,\n rotating: 0,\n retired: 0,\n compromised: 0,\n };\n\n for (const key of keys) {\n counts[key.status]++;\n }\n\n return counts;\n }\n\n /**\n * Mark a key as compromised (should trigger re-encryption)\n */\n async markCompromised(tenantId: string, keyId: string): Promise<boolean> {\n const key = await this.get({\n id: keyId,\n tenantId,\n });\n\n if (!key) return false;\n\n key.markCompromised();\n await key.save();\n return true;\n }\n\n /**\n * Delete old retired keys that are no longer needed\n * @param olderThanDays Delete keys retired more than this many days ago\n */\n async cleanupRetiredKeys(olderThanDays: number = 90): Promise<number> {\n const cutoffDate = new Date();\n cutoffDate.setDate(cutoffDate.getDate() - olderThanDays);\n\n const oldKeys = await this.list({\n where: {\n status: 'retired',\n 'retiredAt <': cutoffDate.toISOString(),\n },\n });\n\n let count = 0;\n for (const key of oldKeys) {\n await key.delete();\n count++;\n }\n\n return count;\n }\n}\n","import { loadEnvConfig } from \"@happyvertical/utils\";\nclass LoggerAdapter {\n constructor(logger) {\n this.logger = logger;\n }\n /**\n * Handle a signal and log appropriately\n *\n * @param signal - Signal to log\n */\n async handle(signal) {\n const context = {\n id: signal.id,\n objectId: signal.objectId,\n className: signal.className,\n method: signal.method,\n timestamp: signal.timestamp\n };\n if (signal.duration !== void 0) {\n context.duration = signal.duration;\n }\n if (signal.metadata) {\n context.metadata = signal.metadata;\n }\n switch (signal.type) {\n case \"start\":\n this.logger.debug(\n `${signal.className}.${signal.method}() started`,\n context\n );\n break;\n case \"step\":\n this.logger.debug(\n `${signal.className}.${signal.method}() step: ${signal.step || \"unknown\"}`,\n context\n );\n break;\n case \"end\":\n this.logger.info(\n `${signal.className}.${signal.method}() completed in ${signal.duration}ms`,\n {\n ...context,\n result: signal.result !== void 0 ? \"present\" : \"none\"\n }\n );\n break;\n case \"error\":\n this.logger.error(\n `${signal.className}.${signal.method}() failed: ${signal.error?.message || \"Unknown error\"}`,\n {\n ...context,\n error: signal.error ? {\n message: signal.error.message,\n name: signal.error.name,\n stack: signal.error.stack\n } : void 0\n }\n );\n break;\n }\n }\n}\nclass ConsoleLogger {\n constructor(level = \"info\") {\n this.level = level;\n }\n static LEVELS = [\n \"debug\",\n \"info\",\n \"warn\",\n \"error\"\n ];\n /**\n * Check if a log level should be output\n *\n * @param level - Log level to check\n * @returns True if level meets threshold\n */\n shouldLog(level) {\n const currentIndex = ConsoleLogger.LEVELS.indexOf(this.level);\n const messageIndex = ConsoleLogger.LEVELS.indexOf(level);\n return messageIndex >= currentIndex;\n }\n /**\n * Format context for console output\n *\n * @param context - Structured metadata\n * @returns Formatted context string\n */\n formatContext(context) {\n if (!context || Object.keys(context).length === 0) {\n return \"\";\n }\n return ` ${JSON.stringify(context)}`;\n }\n debug(message, context) {\n if (this.shouldLog(\"debug\")) {\n console.debug(`[DEBUG] ${message}${this.formatContext(context)}`);\n }\n }\n info(message, context) {\n if (this.shouldLog(\"info\")) {\n console.info(`[INFO] ${message}${this.formatContext(context)}`);\n }\n }\n warn(message, context) {\n if (this.shouldLog(\"warn\")) {\n console.warn(`[WARN] ${message}${this.formatContext(context)}`);\n }\n }\n error(message, context) {\n if (this.shouldLog(\"error\")) {\n console.error(`[ERROR] ${message}${this.formatContext(context)}`);\n }\n }\n}\nclass NoopLogger {\n debug(_message, _context) {\n }\n info(_message, _context) {\n }\n warn(_message, _context) {\n }\n error(_message, _context) {\n }\n}\nfunction createLogger(config) {\n if (typeof config === \"boolean\") {\n if (!config) {\n return new NoopLogger();\n }\n const envConfig = loadEnvConfig(\n {},\n {\n packageName: \"logger\",\n schema: { level: \"string\" }\n }\n );\n return new ConsoleLogger(envConfig.level || \"info\");\n }\n const mergedConfig = loadEnvConfig(config, {\n packageName: \"logger\",\n schema: { level: \"string\" }\n });\n const level = mergedConfig.level || \"info\";\n return new ConsoleLogger(level);\n}\nconst PACKAGE_VERSION_INITIALIZED = true;\nexport {\n ConsoleLogger,\n LoggerAdapter,\n PACKAGE_VERSION_INITIALIZED,\n createLogger\n};\n//# sourceMappingURL=index.js.map\n","/**\n * SecretService - High-level API for per-tenant secret management\n * @packageDocumentation\n */\n\n// Self-register this package's manifest for consumers that import via this\n// subpath without the main entry. See src/__smrt-register__.ts (issue #1132).\nimport '../__smrt-register__.js';\n\nimport { createLogger } from '@happyvertical/logger';\nimport {\n AMKUnavailableError,\n DecryptionError,\n type EncryptedEnvelope,\n EncryptionError,\n EnvelopeEncryption,\n getSecretStore,\n type SecretStore,\n TenantKeyMissingError,\n} from '@happyvertical/secrets';\nimport {\n getCurrentTenant,\n requireTenantId,\n withTenant,\n} from '@happyvertical/smrt-tenancy';\nimport type { DatabaseInterface } from '@happyvertical/sql';\nimport { SecretAuditLogCollection } from '../collections/SecretAuditLogCollection.js';\nimport { SecretCollection } from '../collections/SecretCollection.js';\nimport { TenantKeyCollection } from '../collections/TenantKeyCollection.js';\nimport type { Secret } from '../models/Secret.js';\nimport {\n createAuditEntry,\n type SecretAuditAction,\n type SecretAuditLog,\n} from '../models/SecretAuditLog.js';\nimport type { TenantKey } from '../models/TenantKey.js';\n\nconst logger = createLogger({ level: 'info' });\n\n/**\n * Options for creating a SecretService\n */\nexport interface SecretServiceOptions {\n /** Database connection */\n db: DatabaseInterface;\n /** Environment variable containing the AMK (64 hex chars) */\n amkEnvVar?: string;\n /** AMK key identifier */\n amkKeyId?: string;\n /** Enable audit logging (default: true) */\n auditEnabled?: boolean;\n}\n\n/**\n * Options for storing a secret\n */\nexport interface StoreSecretOptions {\n /** Human-readable description */\n description?: string;\n /** Category for organization */\n category?: string;\n /** Optional expiration date */\n expiresAt?: Date;\n /** Additional metadata */\n metadata?: Record<string, unknown>;\n}\n\n/**\n * Result of retrieving a secret\n */\nexport interface RetrievedSecret {\n /** The decrypted secret value */\n value: string;\n /** Secret metadata */\n name: string;\n description: string;\n category: string;\n expiresAt: Date | null;\n createdAt: Date;\n lastAccessedAt: Date | null;\n accessCount: number;\n metadata: Record<string, unknown>;\n}\n\nexport type SecretKeyDriftIssueSeverity = 'info' | 'warning' | 'error';\n\nexport type SecretKeyDriftIssueCode =\n | 'amk_unavailable'\n | 'active_secrets_without_usable_active_key'\n | 'missing_active_tenant_encryption_key'\n | 'multiple_active_tenant_encryption_keys'\n | 'active_tenant_encryption_key_amk_mismatch'\n | 'active_tenant_encryption_key_unwrap_failed'\n | 'secret_envelope_invalid_json'\n | 'secret_envelope_invalid_wrapped_key'\n | 'secret_envelope_missing_tenant_encryption_key'\n | 'secret_envelope_unwrap_failed'\n | 'smrt_tenant_keys_query_failed'\n | 'smrt_tenant_keys_not_mirrored';\n\nexport type SecretKeyDriftRepairAction =\n | 'delete-unrecoverable-secret'\n | 'delete-unusable-tenant-encryption-key'\n | 'store-fresh-secret-value'\n | 'none';\n\nexport interface SecretKeyDriftIssue {\n code: SecretKeyDriftIssueCode;\n severity: SecretKeyDriftIssueSeverity;\n message: string;\n repairAction: SecretKeyDriftRepairAction;\n secretId?: string;\n secretName?: string;\n keyId?: string;\n sourceTable?: 'secrets' | 'tenant_encryption_keys' | 'tenant_keys';\n details?: Record<string, string | number | boolean | null>;\n}\n\nexport interface DiagnoseTenantSecretKeyDriftOptions {\n /**\n * Limit secret-envelope checks to these names. Tenant key checks still run.\n */\n secretNames?: string[];\n}\n\nexport interface SecretKeyDriftReport {\n tenantId: string;\n checkedAt: Date;\n ok: boolean;\n summary: {\n activeSecretCount: number;\n tenantEncryptionKeyCount: number;\n activeTenantEncryptionKeyCount: number;\n usableActiveTenantEncryptionKeyCount: number;\n smrtTenantKeyCount: number;\n activeSmrtTenantKeyCount: number;\n };\n issues: SecretKeyDriftIssue[];\n}\n\nexport interface RepairTenantSecretKeyDriftOptions\n extends DiagnoseTenantSecretKeyDriftOptions {\n /**\n * Preview affected rows without deleting anything.\n */\n dryRun?: boolean;\n /**\n * Required for destructive repair. This deletes encrypted values/key rows\n * that cannot be used with the currently configured AMK.\n */\n confirmDeleteUnrecoverableData?: boolean;\n}\n\nexport interface SecretKeyDriftRepairResult {\n tenantId: string;\n dryRun: boolean;\n issuesBefore: SecretKeyDriftIssue[];\n remainingIssues: SecretKeyDriftIssue[];\n wouldDeleteSecrets: number;\n wouldDeleteTenantEncryptionKeys: number;\n deletedSecrets: number;\n deletedTenantEncryptionKeys: number;\n secretNames: string[];\n tenantEncryptionKeyIds: string[];\n}\n\nexport class SecretKeyDriftError extends Error {\n readonly code = 'SECRET_KEY_DRIFT';\n readonly tenantId: string;\n readonly report: SecretKeyDriftReport;\n readonly cause?: Error;\n\n constructor(\n message: string,\n tenantId: string,\n report: SecretKeyDriftReport,\n cause?: Error,\n ) {\n super(message);\n this.name = 'SecretKeyDriftError';\n this.tenantId = tenantId;\n this.report = report;\n this.cause = cause;\n }\n}\n\ninterface TenantEncryptionKeyRow {\n id: string;\n tenant_id: string;\n wrapped_key: string;\n amk_key_id: string;\n status: string;\n version: number;\n rotate_after: string | null;\n retired_at: string | null;\n created_at: string;\n updated_at: string;\n}\n\ninterface SecretDiagnosisRow {\n id: string;\n name: string;\n encrypted_value: string;\n status: string;\n tenant_id: string;\n}\n\ninterface WrappedKeyCheck {\n usable: boolean;\n error?: string;\n fingerprint?: string;\n}\n\ninterface SmrtTenantKeyDiagnosisRows {\n keys: TenantKey[];\n error?: Error;\n}\n\ntype TransactionCapableDatabase = DatabaseInterface & {\n transaction?: <T>(\n callback: (tx: DatabaseInterface) => Promise<T>,\n ) => Promise<T>;\n};\n\n/**\n * SecretService provides high-level operations for managing per-tenant secrets.\n *\n * It integrates with:\n * - `@happyvertical/secrets` for envelope encryption\n * - `@happyvertical/smrt-tenancy` for tenant context\n * - Audit logging for compliance\n *\n * @example\n * ```typescript\n * import { SecretService } from '@happyvertical/smrt-secrets';\n * import { withTenant } from '@happyvertical/smrt-tenancy';\n *\n * const service = await SecretService.create({ db });\n *\n * await withTenant({ tenantId: 'tenant-123' }, async () => {\n * // Store a secret\n * await service.store('stripe-api-key', 'sk_live_xxx', {\n * category: 'api-keys',\n * description: 'Stripe production API key'\n * });\n *\n * // Retrieve the secret\n * const secret = await service.retrieve('stripe-api-key');\n * console.log(secret.value); // 'sk_live_xxx'\n *\n * // List secret names (without values)\n * const secrets = await service.list();\n *\n * // Rotate tenant's encryption key\n * await service.rotateKey();\n *\n * // Delete a secret\n * await service.delete('stripe-api-key');\n * });\n * ```\n */\nexport class SecretService {\n private db: DatabaseInterface;\n private secretStore: SecretStore;\n private secrets: SecretCollection;\n private tenantKeys: TenantKeyCollection;\n private auditLogs: SecretAuditLogCollection;\n private auditEnabled: boolean;\n private amkEnvVar: string;\n private amkKeyId: string;\n\n private constructor(\n db: DatabaseInterface,\n secretStore: SecretStore,\n secrets: SecretCollection,\n tenantKeys: TenantKeyCollection,\n auditLogs: SecretAuditLogCollection,\n auditEnabled: boolean,\n amkEnvVar: string,\n amkKeyId: string,\n ) {\n this.db = db;\n this.secretStore = secretStore;\n this.secrets = secrets;\n this.tenantKeys = tenantKeys;\n this.auditLogs = auditLogs;\n this.auditEnabled = auditEnabled;\n this.amkEnvVar = amkEnvVar;\n this.amkKeyId = amkKeyId;\n }\n\n /**\n * Create a new SecretService instance\n */\n static async create(options: SecretServiceOptions): Promise<SecretService> {\n const {\n db,\n amkEnvVar = 'SMRT_SECRET_MASTER_KEY',\n amkKeyId = 'smrt-amk-v1',\n auditEnabled = true,\n } = options;\n\n // Create the underlying secret store\n const secretStore = await getSecretStore({\n type: 'database',\n db,\n amk: {\n provider: 'env',\n keyEnvVar: amkEnvVar,\n keyId: amkKeyId,\n },\n });\n\n // Create collections - pass db directly (DatabaseConfig accepts DatabaseInterface)\n const baseOptions = { db };\n const secrets = await SecretCollection.create(baseOptions);\n const tenantKeys = await TenantKeyCollection.create(baseOptions);\n const auditLogs = await SecretAuditLogCollection.create(baseOptions);\n\n return new SecretService(\n db,\n secretStore,\n secrets,\n tenantKeys,\n auditLogs,\n auditEnabled,\n amkEnvVar,\n amkKeyId,\n );\n }\n\n /**\n * Store a secret for the current tenant\n */\n async store(\n name: string,\n value: string,\n options: StoreSecretOptions = {},\n ): Promise<Secret> {\n const tenantId = requireTenantId();\n const userId = this.getCurrentUserId();\n\n // Track whether this is an update to use correct audit action on error\n let isUpdate = false;\n\n try {\n // Check if secret already exists for THIS tenant (issue #1501: an\n // unscoped lookup here used to find another tenant's same-named row and\n // clobber it with an envelope encrypted under the caller's TDEK).\n let existing = await this.secrets.findByName(tenantId, name);\n // Defense-in-depth: even if a lookup regression ever returns a foreign\n // row again, never save over it — fall through to the create path,\n // which is tenant-scoped via the (slug, context=tenantId) upsert key.\n if (existing && existing.tenantId !== tenantId) {\n existing = null;\n }\n isUpdate = existing !== null;\n\n // Encrypt the value\n const envelope = await this.secretStore.encrypt(tenantId, name, value, {\n metadata: options.metadata\n ? this.serializeMetadata(options.metadata)\n : undefined,\n });\n\n if (existing) {\n // Update existing secret\n existing.encryptedValue = JSON.stringify(envelope);\n existing.description = options.description ?? existing.description;\n existing.category = options.category ?? existing.category;\n existing.expiresAt = options.expiresAt ?? existing.expiresAt;\n existing.metadata = options.metadata ?? existing.metadata;\n await existing.save();\n\n await this.audit(\n existing.id ?? null,\n name,\n userId,\n 'update',\n 'success',\n );\n return existing;\n }\n\n // Create new secret\n // Set context to tenantId for per-tenant uniqueness\n // The UPSERT uses (slug, context) as conflict columns, so different tenants\n // can have secrets with the same name\n const secret = await this.secrets.create({\n name,\n description: options.description ?? '',\n category: options.category ?? '',\n encryptedValue: JSON.stringify(envelope),\n keyVersion: 1,\n status: 'active',\n expiresAt: options.expiresAt ?? null,\n metadata: options.metadata ?? {},\n context: tenantId, // Per-tenant uniqueness\n tenantId,\n });\n\n await this.audit(secret.id ?? null, name, userId, 'create', 'success');\n return secret;\n } catch (error) {\n const classifiedError = await this.classifyTenantKeyFailure(\n tenantId,\n name,\n error,\n );\n await this.audit(\n null,\n name,\n userId,\n isUpdate ? 'update' : 'create',\n 'failure',\n {\n error: classifiedError.message,\n },\n );\n throw classifiedError;\n }\n }\n\n /**\n * Store a secret for a specific tenant.\n *\n * This is useful for integrations that already resolved tenant ownership but\n * may be running outside the application's ambient tenant context.\n */\n async storeForTenant(\n tenantId: string,\n name: string,\n value: string,\n options: StoreSecretOptions = {},\n ): Promise<Secret> {\n return withTenant({ tenantId }, () => this.store(name, value, options));\n }\n\n /**\n * Retrieve a secret for the current tenant\n */\n async retrieve(name: string): Promise<RetrievedSecret> {\n const tenantId = requireTenantId();\n const userId = this.getCurrentUserId();\n\n // Track whether we've already audited to avoid double-auditing\n let audited = false;\n\n try {\n const secret = await this.secrets.findByName(tenantId, name);\n // Ownership check before any decrypt attempt (issue #1501): a row owned\n // by another tenant must behave exactly like \"not found\", never surface\n // as a cross-tenant decrypt failure.\n if (!secret || secret.tenantId !== tenantId) {\n await this.audit(null, name, userId, 'read', 'failure', {\n error: 'Secret not found',\n });\n audited = true;\n throw new Error(`Secret '${name}' not found`);\n }\n\n if (!secret.isUsable()) {\n const reason = secret.isExpired()\n ? 'Secret expired'\n : 'Secret disabled';\n await this.audit(secret.id ?? null, name, userId, 'read', 'failure', {\n error: reason,\n });\n audited = true;\n throw new Error(reason);\n }\n\n // Decrypt the value\n const envelope: EncryptedEnvelope = JSON.parse(secret.encryptedValue);\n const decrypted = await this.secretStore.decrypt(tenantId, envelope);\n\n // Access tracking is operational telemetry. Retrieval should still\n // succeed if the decrypted value is available but this write fails.\n const previousLastAccessedAt = secret.lastAccessedAt;\n const previousAccessCount = secret.accessCount;\n try {\n secret.recordAccess();\n await secret.save();\n } catch (trackingError) {\n secret.lastAccessedAt = previousLastAccessedAt;\n secret.accessCount = previousAccessCount;\n logger.error('Failed to update secret access tracking', {\n error: trackingError,\n });\n }\n\n await this.audit(secret.id ?? null, name, userId, 'read', 'success');\n\n return {\n value: decrypted.value,\n name: secret.name,\n description: secret.description,\n category: secret.category,\n expiresAt: secret.expiresAt,\n createdAt: secret.created_at ?? new Date(),\n lastAccessedAt: secret.lastAccessedAt,\n accessCount: secret.accessCount,\n metadata: secret.metadata,\n };\n } catch (error) {\n const classifiedError = await this.classifyTenantKeyFailure(\n tenantId,\n name,\n error,\n );\n // Only audit if we haven't already audited this error\n if (!audited) {\n await this.audit(null, name, userId, 'read', 'failure', {\n error: classifiedError.message,\n });\n }\n throw classifiedError;\n }\n }\n\n /**\n * Retrieve a secret for a specific tenant.\n */\n async retrieveForTenant(\n tenantId: string,\n name: string,\n ): Promise<RetrievedSecret> {\n return withTenant({ tenantId }, () => this.retrieve(name));\n }\n\n /**\n * Diagnose tenant secret/key drift without exposing decrypted values.\n */\n async diagnoseTenantSecretKeyDrift(\n tenantId: string,\n options: DiagnoseTenantSecretKeyDriftOptions = {},\n ): Promise<SecretKeyDriftReport> {\n const activeSecrets = await this.listActiveSecretRowsForDiagnosis(\n tenantId,\n options.secretNames,\n );\n const tenantEncryptionKeys =\n await this.listTenantEncryptionKeyRows(tenantId);\n const smrtTenantKeyRows =\n await this.listSmrtTenantKeysForDiagnosis(tenantId);\n const smrtTenantKeys = smrtTenantKeyRows.keys;\n const issues: SecretKeyDriftIssue[] = [];\n\n const activeTenantEncryptionKeys = tenantEncryptionKeys.filter(\n (key) => key.status === 'active',\n );\n const activeSmrtTenantKeys = smrtTenantKeys.filter(\n (key) => key.status === 'active',\n );\n const amk = this.getConfiguredAmkForDiagnosis();\n\n if (!amk.usable) {\n issues.push({\n code: 'amk_unavailable',\n severity: 'error',\n message: amk.error ?? `AMK ${this.amkEnvVar} is unavailable`,\n repairAction: 'none',\n details: {\n amkEnvVar: this.amkEnvVar,\n amkKeyId: this.amkKeyId,\n },\n });\n }\n\n if (activeSecrets.length > 0 && activeTenantEncryptionKeys.length === 0) {\n issues.push({\n code: 'missing_active_tenant_encryption_key',\n severity: 'error',\n message:\n 'Active tenant secrets exist, but tenant_encryption_keys has no active key for encryption.',\n repairAction: 'store-fresh-secret-value',\n sourceTable: 'tenant_encryption_keys',\n details: {\n activeSecretCount: activeSecrets.length,\n },\n });\n }\n\n if (smrtTenantKeyRows.error) {\n issues.push({\n code: 'smrt_tenant_keys_query_failed',\n severity: 'error',\n message:\n 'Unable to query SMRT tenant_keys while diagnosing tenant secret key drift.',\n repairAction: 'none',\n sourceTable: 'tenant_keys',\n details: {\n error: smrtTenantKeyRows.error.message,\n },\n });\n }\n\n if (activeTenantEncryptionKeys.length > 1) {\n issues.push({\n code: 'multiple_active_tenant_encryption_keys',\n severity: 'error',\n message:\n 'tenant_encryption_keys has multiple active keys for this tenant; encryption may use an arbitrary active key.',\n repairAction: 'none',\n sourceTable: 'tenant_encryption_keys',\n details: {\n activeTenantEncryptionKeyCount: activeTenantEncryptionKeys.length,\n },\n });\n }\n\n const activeKeyChecks: WrappedKeyCheck[] = [];\n\n for (const key of tenantEncryptionKeys) {\n const check = amk.value\n ? this.checkWrappedKey(key.wrapped_key, amk.value)\n : { usable: false, error: amk.error };\n\n if (key.status === 'active') {\n activeKeyChecks.push(check);\n }\n\n if (key.status === 'active' && key.amk_key_id !== this.amkKeyId) {\n issues.push({\n code: 'active_tenant_encryption_key_amk_mismatch',\n severity: 'warning',\n message:\n 'Active tenant_encryption_keys row was wrapped by a different AMK key id than this SecretService is configured to use.',\n repairAction: 'none',\n keyId: key.id,\n sourceTable: 'tenant_encryption_keys',\n details: {\n rowAmkKeyId: key.amk_key_id,\n configuredAmkKeyId: this.amkKeyId,\n },\n });\n }\n\n if (key.status === 'active' && !check.usable && amk.value) {\n issues.push({\n code: 'active_tenant_encryption_key_unwrap_failed',\n severity: 'error',\n message:\n 'Active tenant_encryption_keys row cannot be unwrapped by the currently configured AMK.',\n repairAction: 'delete-unusable-tenant-encryption-key',\n keyId: key.id,\n sourceTable: 'tenant_encryption_keys',\n details: {\n version: key.version,\n error: check.error ?? null,\n },\n });\n }\n }\n\n const usableActiveTenantEncryptionKeyCount = activeKeyChecks.filter(\n (check) => check.usable,\n ).length;\n\n if (\n activeSecrets.length > 0 &&\n usableActiveTenantEncryptionKeyCount === 0\n ) {\n issues.push({\n code: 'active_secrets_without_usable_active_key',\n severity: 'error',\n message:\n 'Active secrets exist, but no active tenant_encryption_keys row can be used with the current AMK.',\n repairAction: 'store-fresh-secret-value',\n sourceTable: 'tenant_encryption_keys',\n details: {\n activeSecretCount: activeSecrets.length,\n activeTenantEncryptionKeyCount: activeTenantEncryptionKeys.length,\n },\n });\n }\n\n const keyFingerprintToRow = new Map<string, TenantEncryptionKeyRow>();\n for (const key of tenantEncryptionKeys) {\n const fingerprint = this.getWrappedKeyFingerprint(key.wrapped_key);\n if (fingerprint) {\n keyFingerprintToRow.set(fingerprint, key);\n }\n }\n\n for (const secret of activeSecrets) {\n const envelope = this.parseSecretEnvelopeForDiagnosis(secret, issues);\n if (!envelope) continue;\n\n const envelopeFingerprint = this.getWrappedKeyFingerprint(\n envelope.wrappedKey,\n );\n const envelopeCheck = amk.value\n ? this.checkWrappedKey(envelope.wrappedKey, amk.value)\n : {\n usable: false,\n error: amk.error,\n fingerprint: envelopeFingerprint,\n };\n\n if (!envelopeCheck.fingerprint) {\n issues.push({\n code: 'secret_envelope_invalid_wrapped_key',\n severity: 'error',\n message:\n 'Secret encryptedValue contains an invalid wrapped key format.',\n repairAction: 'delete-unrecoverable-secret',\n secretId: secret.id,\n secretName: secret.name,\n sourceTable: 'secrets',\n details: {\n error: envelopeCheck.error ?? null,\n },\n });\n continue;\n }\n\n const matchingKey = keyFingerprintToRow.get(envelopeCheck.fingerprint);\n if (!matchingKey) {\n issues.push({\n code: 'secret_envelope_missing_tenant_encryption_key',\n severity: 'error',\n message:\n 'Secret envelope does not match any tenant_encryption_keys row for this tenant.',\n repairAction: !amk.value\n ? 'none'\n : envelopeCheck.usable\n ? 'none'\n : 'delete-unrecoverable-secret',\n secretId: secret.id,\n secretName: secret.name,\n sourceTable: 'secrets',\n });\n }\n\n if (!envelopeCheck.usable && amk.value) {\n issues.push({\n code: 'secret_envelope_unwrap_failed',\n severity: 'error',\n message:\n 'Secret envelope cannot be unwrapped by the currently configured AMK.',\n repairAction: 'delete-unrecoverable-secret',\n secretId: secret.id,\n secretName: secret.name,\n keyId: matchingKey?.id,\n sourceTable: 'secrets',\n details: {\n error: envelopeCheck.error ?? null,\n },\n });\n }\n }\n\n if (\n activeSecrets.length > 0 &&\n tenantEncryptionKeys.length > 0 &&\n smrtTenantKeys.length === 0 &&\n !smrtTenantKeyRows.error\n ) {\n issues.push({\n code: 'smrt_tenant_keys_not_mirrored',\n severity: 'info',\n message:\n 'SMRT tenant_keys has no rows for this tenant, while the lower-level tenant_encryption_keys table does. SecretService uses tenant_encryption_keys for encryption.',\n repairAction: 'none',\n sourceTable: 'tenant_keys',\n });\n }\n\n return {\n tenantId,\n checkedAt: new Date(),\n ok: !issues.some((issue) => issue.severity === 'error'),\n summary: {\n activeSecretCount: activeSecrets.length,\n tenantEncryptionKeyCount: tenantEncryptionKeys.length,\n activeTenantEncryptionKeyCount: activeTenantEncryptionKeys.length,\n usableActiveTenantEncryptionKeyCount,\n smrtTenantKeyCount: smrtTenantKeys.length,\n activeSmrtTenantKeyCount: activeSmrtTenantKeys.length,\n },\n issues,\n };\n }\n\n /**\n * Diagnose drift for the current tenant context.\n */\n async diagnoseCurrentTenantSecretKeyDrift(\n options: DiagnoseTenantSecretKeyDriftOptions = {},\n ): Promise<SecretKeyDriftReport> {\n return this.diagnoseTenantSecretKeyDrift(requireTenantId(), options);\n }\n\n /**\n * Delete unrecoverable secret/key rows identified by diagnosis.\n *\n * This never attempts to recover or expose secret values. Use dryRun first\n * to preview destructive changes.\n */\n async repairTenantSecretKeyDrift(\n tenantId: string,\n options: RepairTenantSecretKeyDriftOptions = {},\n ): Promise<SecretKeyDriftRepairResult> {\n const dryRun = options.dryRun ?? false;\n const before = await this.diagnoseTenantSecretKeyDrift(tenantId, options);\n const secretIds = new Set<string>();\n const secretNames = new Map<string, string>();\n const tenantEncryptionKeyIds = new Set<string>();\n\n for (const issue of before.issues) {\n if (\n issue.repairAction === 'delete-unrecoverable-secret' &&\n issue.secretId\n ) {\n secretIds.add(issue.secretId);\n if (issue.secretName) {\n secretNames.set(issue.secretId, issue.secretName);\n }\n }\n\n if (\n issue.repairAction === 'delete-unusable-tenant-encryption-key' &&\n issue.keyId\n ) {\n tenantEncryptionKeyIds.add(issue.keyId);\n }\n }\n\n const wouldDeleteSecrets = secretIds.size;\n const wouldDeleteTenantEncryptionKeys = tenantEncryptionKeyIds.size;\n const wouldDeleteUnrecoverableData =\n wouldDeleteSecrets + wouldDeleteTenantEncryptionKeys > 0;\n\n if (\n !dryRun &&\n wouldDeleteUnrecoverableData &&\n !options.confirmDeleteUnrecoverableData\n ) {\n throw new Error(\n 'repairTenantSecretKeyDrift requires confirmDeleteUnrecoverableData: true before deleting encrypted secrets or tenant key rows.',\n );\n }\n\n let deletedSecrets = 0;\n let deletedTenantEncryptionKeys = 0;\n\n if (!dryRun) {\n const runDeletes = async (db: DatabaseInterface) => {\n const deletedSecretRows = await this.deleteRowsByIds(\n 'secrets',\n tenantId,\n secretIds,\n db,\n );\n const deletedTenantEncryptionKeyRows = await this.deleteRowsByIds(\n 'tenant_encryption_keys',\n tenantId,\n tenantEncryptionKeyIds,\n db,\n );\n return {\n deletedSecrets: deletedSecretRows,\n deletedTenantEncryptionKeys: deletedTenantEncryptionKeyRows,\n };\n };\n const txDb = this.db as TransactionCapableDatabase;\n const deleteResult =\n typeof txDb.transaction === 'function'\n ? await txDb.transaction((db) => runDeletes(db))\n : await runDeletes(this.db);\n\n deletedSecrets = deleteResult.deletedSecrets;\n deletedTenantEncryptionKeys = deleteResult.deletedTenantEncryptionKeys;\n await this.auditSecretDriftRepairDeletes(\n tenantId,\n secretIds,\n secretNames,\n );\n }\n\n const after = dryRun\n ? before\n : await this.diagnoseTenantSecretKeyDrift(tenantId, options);\n\n return {\n tenantId,\n dryRun,\n issuesBefore: before.issues,\n remainingIssues: after.issues,\n wouldDeleteSecrets,\n wouldDeleteTenantEncryptionKeys,\n deletedSecrets,\n deletedTenantEncryptionKeys,\n secretNames: Array.from(secretNames.values()).sort(),\n tenantEncryptionKeyIds: Array.from(tenantEncryptionKeyIds).sort(),\n };\n }\n\n /**\n * List secrets for the current tenant (names only, not values)\n */\n async list(options: { category?: string } = {}): Promise<Secret[]> {\n return this.secrets.listSecrets(requireTenantId(), {\n category: options.category,\n status: 'active',\n });\n }\n\n /**\n * Delete a secret\n */\n async delete(name: string): Promise<boolean> {\n const tenantId = requireTenantId();\n const userId = this.getCurrentUserId();\n\n const secret = await this.secrets.findByName(tenantId, name);\n // Ownership check (issue #1501): never delete another tenant's row\n if (!secret || secret.tenantId !== tenantId) {\n return false;\n }\n\n try {\n await secret.delete();\n await this.audit(secret.id ?? null, name, userId, 'delete', 'success');\n return true;\n } catch (error) {\n await this.audit(secret.id ?? null, name, userId, 'delete', 'failure', {\n error: (error as Error).message,\n });\n throw error;\n }\n }\n\n /**\n * Disable a secret (soft delete)\n */\n async disable(name: string): Promise<boolean> {\n const tenantId = requireTenantId();\n const userId = this.getCurrentUserId();\n\n const secret = await this.secrets.findByName(tenantId, name);\n // Ownership check (issue #1501): never mutate another tenant's row\n if (!secret || secret.tenantId !== tenantId) {\n return false;\n }\n\n secret.disable();\n await secret.save();\n await this.audit(secret.id ?? null, name, userId, 'disable', 'success');\n return true;\n }\n\n /**\n * Enable a disabled secret\n */\n async enable(name: string): Promise<boolean> {\n const tenantId = requireTenantId();\n const userId = this.getCurrentUserId();\n\n const secret = await this.secrets.findByName(tenantId, name);\n // Ownership check (issue #1501): never mutate another tenant's row\n if (!secret || secret.tenantId !== tenantId) {\n return false;\n }\n\n secret.enable();\n await secret.save();\n await this.audit(secret.id ?? null, name, userId, 'enable', 'success');\n return true;\n }\n\n /**\n * Rotate the tenant's encryption key\n *\n * This creates a new TDEK and marks the old one as retired.\n * Existing secrets remain encrypted with the old key and can still\n * be decrypted (the old key is kept in retired state).\n *\n * For full re-encryption, call reencryptAll() after rotation.\n */\n async rotateKey(): Promise<void> {\n const tenantId = requireTenantId();\n const userId = this.getCurrentUserId();\n\n try {\n await this.secretStore.rotateTenantKey(tenantId);\n await this.audit(null, '', userId, 'rotate_key', 'success', {\n tenantId,\n });\n } catch (error) {\n await this.audit(null, '', userId, 'rotate_key', 'failure', {\n tenantId,\n error: (error as Error).message,\n });\n throw error;\n }\n }\n\n /**\n * Re-encrypt all secrets with the current active key\n *\n * Call this after key rotation to ensure all secrets use the new key.\n * This is optional but recommended for security.\n */\n async reencryptAll(): Promise<{ success: number; failed: number }> {\n const tenantId = requireTenantId();\n const userId = this.getCurrentUserId();\n\n // Scope to the current tenant (issue #1501): re-encryption must never\n // touch (or attempt to decrypt) other tenants' rows.\n const secrets = await this.secrets.list({ where: { tenantId } });\n let success = 0;\n let failed = 0;\n\n for (const secret of secrets) {\n try {\n // Decrypt with old key\n const envelope: EncryptedEnvelope = JSON.parse(secret.encryptedValue);\n const decrypted = await this.secretStore.decrypt(tenantId, envelope);\n\n // Re-encrypt with new key\n const newEnvelope = await this.secretStore.encrypt(\n tenantId,\n secret.name,\n decrypted.value,\n );\n\n secret.encryptedValue = JSON.stringify(newEnvelope);\n await secret.save();\n\n success++;\n } catch (error) {\n failed++;\n await this.audit(\n secret.id ?? null,\n secret.name,\n userId,\n 'update',\n 'failure',\n {\n action: 'reencrypt',\n error: (error as Error).message,\n },\n );\n }\n }\n\n return { success, failed };\n }\n\n /**\n * Get audit logs for the current tenant\n */\n async getAuditLogs(\n options: { secretName?: string; limit?: number } = {},\n ): Promise<SecretAuditLog[]> {\n return this.auditLogs.listLogs({\n // Scope to the current tenant (issue #1501): audit logs reference\n // secret names and must not leak across tenants.\n tenantId: requireTenantId(),\n secretName: options.secretName,\n limit: options.limit ?? 100,\n });\n }\n\n /**\n * Get secret categories for the current tenant\n */\n async getCategories(): Promise<string[]> {\n return this.secrets.getCategories(requireTenantId());\n }\n\n /**\n * Check if a secret exists for the current tenant\n */\n async exists(name: string): Promise<boolean> {\n const tenantId = requireTenantId();\n const secret = await this.secrets.findByName(tenantId, name);\n return secret !== null && secret.tenantId === tenantId;\n }\n\n // Private methods\n\n private async listActiveSecretRowsForDiagnosis(\n tenantId: string,\n secretNames?: string[],\n ): Promise<SecretDiagnosisRow[]> {\n const params: unknown[] = [tenantId];\n let nameFilter = '';\n\n if (secretNames && secretNames.length > 0) {\n const placeholders = secretNames.map(() => '?').join(', ');\n nameFilter = ` AND name IN (${placeholders})`;\n params.push(...secretNames);\n }\n\n const result = await this.db.query(\n `\n SELECT id, name, encrypted_value, status, tenant_id\n FROM \"secrets\"\n WHERE tenant_id = ? AND status = 'active'${nameFilter}\n ORDER BY name ASC\n `,\n ...params,\n );\n\n return this.rowsFromResult<SecretDiagnosisRow>(result);\n }\n\n private async listTenantEncryptionKeyRows(\n tenantId: string,\n ): Promise<TenantEncryptionKeyRow[]> {\n const result = await this.db.query(\n `\n SELECT id, tenant_id, wrapped_key, amk_key_id, status, version,\n rotate_after, retired_at, created_at, updated_at\n FROM \"tenant_encryption_keys\"\n WHERE tenant_id = ?\n ORDER BY version DESC\n `,\n tenantId,\n );\n\n return this.rowsFromResult<TenantEncryptionKeyRow>(result);\n }\n\n private async listSmrtTenantKeysForDiagnosis(\n tenantId: string,\n ): Promise<SmrtTenantKeyDiagnosisRows> {\n try {\n return { keys: await this.tenantKeys.listKeyVersions(tenantId) };\n } catch (error) {\n return { keys: [], error: this.toError(error) };\n }\n }\n\n private getConfiguredAmkForDiagnosis():\n | { usable: true; value: Buffer }\n | { usable: false; error: string; value?: undefined } {\n const keyHex = process.env[this.amkEnvVar];\n if (!keyHex) {\n return {\n usable: false,\n error: `Application Master Key not found in environment variable: ${this.amkEnvVar}`,\n };\n }\n\n try {\n return {\n usable: true,\n value: EnvelopeEncryption.parseHexKey(keyHex),\n };\n } catch (error) {\n return {\n usable: false,\n error: `Invalid AMK in ${this.amkEnvVar}: ${\n this.toError(error).message\n }`,\n };\n }\n }\n\n private checkWrappedKey(wrappedKey: string, amk: Buffer): WrappedKeyCheck {\n const fingerprint = this.getWrappedKeyFingerprint(wrappedKey);\n\n try {\n const parsed = EnvelopeEncryption.parseWrappedKey(wrappedKey);\n const dataKey = EnvelopeEncryption.unwrapKey(\n parsed.wrappedKey,\n parsed.iv,\n parsed.authTag,\n amk,\n );\n dataKey.fill(0);\n return { usable: true, fingerprint };\n } catch (error) {\n return {\n usable: false,\n fingerprint,\n error: this.toError(error).message,\n };\n }\n }\n\n private getWrappedKeyFingerprint(wrappedKey: string): string | undefined {\n try {\n return EnvelopeEncryption.parseWrappedKey(wrappedKey).wrappedKey;\n } catch {\n return undefined;\n }\n }\n\n private parseSecretEnvelopeForDiagnosis(\n secret: SecretDiagnosisRow,\n issues: SecretKeyDriftIssue[],\n ): EncryptedEnvelope | null {\n try {\n return JSON.parse(secret.encrypted_value) as EncryptedEnvelope;\n } catch (error) {\n issues.push({\n code: 'secret_envelope_invalid_json',\n severity: 'error',\n message: 'Secret encryptedValue is not valid EncryptedEnvelope JSON.',\n repairAction: 'delete-unrecoverable-secret',\n secretId: secret.id,\n secretName: secret.name,\n sourceTable: 'secrets',\n details: {\n error: this.toError(error).message,\n },\n });\n return null;\n }\n }\n\n private async deleteRowsByIds(\n tableName: 'secrets' | 'tenant_encryption_keys',\n tenantId: string,\n ids: Set<string>,\n db: DatabaseInterface = this.db,\n ): Promise<number> {\n if (ids.size === 0) return 0;\n\n const idList = Array.from(ids);\n const placeholders = idList.map(() => '?').join(', ');\n const result = await db.query(\n `DELETE FROM \"${tableName}\" WHERE tenant_id = ? AND id IN (${placeholders})`,\n tenantId,\n ...idList,\n );\n\n return typeof result.rowCount === 'number'\n ? result.rowCount\n : idList.length;\n }\n\n private async auditSecretDriftRepairDeletes(\n tenantId: string,\n secretIds: Set<string>,\n secretNames: Map<string, string>,\n ): Promise<void> {\n if (secretIds.size === 0) return;\n\n const userId = this.getCurrentUserId();\n await withTenant({ tenantId }, async () => {\n for (const secretId of secretIds) {\n await this.audit(\n secretId,\n secretNames.get(secretId) ?? '',\n userId,\n 'delete',\n 'success',\n {\n action: 'repairTenantSecretKeyDrift',\n reason: 'unrecoverable-secret-key-drift',\n },\n );\n }\n });\n }\n\n private rowsFromResult<T>(result: unknown): T[] {\n if (Array.isArray(result)) return result as T[];\n if (\n result &&\n typeof result === 'object' &&\n Array.isArray((result as { rows?: unknown }).rows)\n ) {\n return (result as { rows: T[] }).rows;\n }\n return [];\n }\n\n private async classifyTenantKeyFailure(\n tenantId: string,\n secretName: string,\n error: unknown,\n ): Promise<Error> {\n const normalized = this.toError(error);\n if (!this.shouldClassifyTenantKeyFailure(normalized)) {\n return normalized;\n }\n\n try {\n const report = await this.diagnoseTenantSecretKeyDrift(tenantId, {\n secretNames: [secretName],\n });\n const errorCodes = report.issues\n .filter((issue) => issue.severity === 'error')\n .map((issue) => issue.code);\n\n if (errorCodes.length === 0) {\n return normalized;\n }\n\n return new SecretKeyDriftError(\n `Secret '${secretName}' for tenant '${tenantId}' failed because secret key drift was detected: ${[\n ...new Set(errorCodes),\n ].join(\n ', ',\n )}. Run diagnoseTenantSecretKeyDrift() for details and repairTenantSecretKeyDrift() for explicit cleanup of unrecoverable rows.`,\n tenantId,\n report,\n normalized,\n );\n } catch {\n return normalized;\n }\n }\n\n private shouldClassifyTenantKeyFailure(error: Error): boolean {\n const code = this.getSecretErrorCode(error);\n if (error instanceof AMKUnavailableError || code === 'AMK_UNAVAILABLE') {\n return false;\n }\n\n return (\n error instanceof TenantKeyMissingError ||\n error instanceof EncryptionError ||\n error instanceof DecryptionError ||\n code === 'TENANT_KEY_MISSING' ||\n code === 'ENCRYPTION_FAILED' ||\n code === 'DECRYPTION_FAILED'\n );\n }\n\n private getSecretErrorCode(error: Error): string | undefined {\n const code = (error as { code?: unknown }).code;\n return typeof code === 'string' ? code : undefined;\n }\n\n private toError(error: unknown): Error {\n return error instanceof Error ? error : new Error(String(error));\n }\n\n private getCurrentUserId(): string {\n const ctx = getCurrentTenant();\n return ctx?.userId ?? 'system';\n }\n\n private async audit(\n secretId: string | null,\n secretName: string,\n userId: string,\n action: SecretAuditAction,\n result: 'success' | 'failure' | 'denied',\n details?: Record<string, unknown>,\n ): Promise<void> {\n if (!this.auditEnabled) return;\n\n try {\n const tenantId = getCurrentTenant()?.tenantId ?? null;\n const log = await this.auditLogs.create(\n createAuditEntry({\n secretId,\n secretName,\n userId,\n action,\n result,\n details,\n tenantId,\n }),\n );\n await log.save();\n } catch (error) {\n // Don't throw on audit failure - log and continue\n logger.error('Failed to write audit log', { error });\n }\n }\n\n private serializeMetadata(\n metadata: Record<string, unknown>,\n ): Record<string, string> {\n const result: Record<string, string> = {};\n for (const [key, value] of Object.entries(metadata)) {\n result[key] = typeof value === 'string' ? value : JSON.stringify(value);\n }\n return result;\n }\n}\n"],"names":[],"mappings":";;;;;AA6CO,MAAM,iCAAiC,eAA+B;AAAA,EAC3E,OAAgB,aAAa;AAAA;AAAA;AAAA;AAAA,EAK7B,MAAM,SACJ,UAAgC,IACL;AAC3B,UAAM,QAAiC,CAAA;AAEvC,QAAI,QAAQ,UAAU;AACpB,YAAM,WAAW,QAAQ;AAAA,IAC3B;AAEA,QAAI,QAAQ,YAAY;AACtB,YAAM,aAAa,QAAQ;AAAA,IAC7B;AAEA,QAAI,QAAQ,QAAQ;AAClB,YAAM,SAAS,QAAQ;AAAA,IACzB;AAEA,QAAI,QAAQ,QAAQ;AAClB,YAAM,SAAS,QAAQ;AAAA,IACzB;AAEA,QAAI,QAAQ,QAAQ;AAClB,YAAM,SAAS,QAAQ;AAAA,IACzB;AAEA,QAAI,QAAQ,OAAO;AACjB,YAAM,cAAc,IAAI,QAAQ,MAAM,YAAA;AAAA,IACxC;AAEA,QAAI,QAAQ,OAAO;AACjB,YAAM,cAAc,IAAI,QAAQ,MAAM,YAAA;AAAA,IACxC;AAEA,WAAO,KAAK,KAAK;AAAA,MACf;AAAA,MACA,OAAO,QAAQ,SAAS;AAAA,MACxB,QAAQ,QAAQ;AAAA,MAChB,SAAS;AAAA,IAAA,CACV;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,iBACJ,YACA,QAAgB,IACW;AAC3B,WAAO,KAAK,SAAS,EAAE,YAAY,OAAO;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBACJ,QACA,QAAgB,IACW;AAC3B,WAAO,KAAK,SAAS,EAAE,QAAQ,OAAO;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,kBAAkB,QAAgB,IAA+B;AACrE,WAAO,KAAK,SAAS,EAAE,QAAQ,WAAW,OAAO;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,iBAAiB,QAAgB,IAA+B;AACpE,WAAO,KAAK,SAAS,EAAE,QAAQ,UAAU,OAAO;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cACJ,OAC4C;AAC5C,UAAM,OAAO,MAAM,KAAK,SAAS,EAAE,OAAO,OAAO,KAAO;AAExD,UAAM,SAA4C;AAAA,MAChD,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,QAAQ;AAAA,IAAA;AAGV,eAAW,OAAO,MAAM;AACtB,aAAO,IAAI,MAAM;AAAA,IACnB;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cACJ,OAC4C;AAC5C,UAAM,OAAO,MAAM,KAAK,SAAS,EAAE,OAAO,OAAO,KAAO;AAExD,UAAM,SAA4C;AAAA,MAChD,SAAS;AAAA,MACT,SAAS;AAAA,MACT,QAAQ;AAAA,IAAA;AAGV,eAAW,OAAO,MAAM;AACtB,aAAO,IAAI,MAAM;AAAA,IACnB;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAQ,gBAAwB,KAAsB;AAC1D,UAAM,iCAAiB,KAAA;AACvB,eAAW,QAAQ,WAAW,QAAA,IAAY,aAAa;AAEvD,UAAM,UAAU,MAAM,KAAK,KAAK;AAAA,MAC9B,OAAO;AAAA,QACL,gBAAgB,WAAW,YAAA;AAAA,MAAY;AAAA,IACzC,CACD;AAED,QAAI,QAAQ;AACZ,eAAW,OAAO,SAAS;AACzB,YAAM,IAAI,OAAA;AACV;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;ACjKO,MAAM,yBAAyB,eAAuB;AAAA,EAC3D,OAAgB,aAAa;AAAA;AAAA;AAAA;AAAA,EAK7B,MAAM,WAAW,UAAkB,MAAsC;AACvE,WAAO,KAAK,IAAI,EAAE,MAAM,UAAU;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YACJ,UACA,UAA8B,IACX;AACnB,UAAM,QAAiC,EAAE,SAAA;AAEzC,QAAI,QAAQ,UAAU;AACpB,YAAM,WAAW,QAAQ;AAAA,IAC3B;AAEA,QAAI,QAAQ,QAAQ;AAClB,YAAM,SAAS,QAAQ;AAAA,IACzB;AAEA,UAAM,UAAU,MAAM,KAAK,KAAK;AAAA,MAC9B;AAAA,MACA,OAAO,QAAQ;AAAA,MACf,QAAQ,QAAQ;AAAA,MAChB,SAAS;AAAA,IAAA,CACV;AAGD,QAAI,CAAC,QAAQ,gBAAgB;AAC3B,aAAO,QAAQ,OAAO,CAAC,WAAW,CAAC,OAAO,WAAW;AAAA,IACvD;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAW,UAAqC;AACpD,WAAO,KAAK,YAAY,UAAU,EAAE,QAAQ,UAAU;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,UAAkB,UAAqC;AAC1E,WAAO,KAAK,YAAY,UAAU,EAAE,UAAU,QAAQ,UAAU;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aACJ,UACA,YAAoB,IACD;AACnB,UAAM,iCAAiB,KAAA;AACvB,eAAW,QAAQ,WAAW,QAAA,IAAY,SAAS;AAEnD,UAAM,UAAU,MAAM,KAAK,KAAK;AAAA,MAC9B,OAAO;AAAA,QACL;AAAA,QACA,QAAQ;AAAA,QACR,gBAAgB;AAAA,QAChB,eAAe,WAAW,YAAA;AAAA,MAAY;AAAA,MAExC,SAAS;AAAA,IAAA,CACV;AAED,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAc,UAAqC;AACvD,UAAM,UAAU,MAAM,KAAK,KAAK,EAAE,OAAO,EAAE,SAAA,GAAY;AACvD,UAAM,aAAa,IAAI,IAAI,QAAQ,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,OAAO,CAAC;AACzE,WAAO,MAAM,KAAK,UAAU,EAAE,KAAA;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAc,UAAyD;AAC3E,UAAM,UAAU,MAAM,KAAK,KAAK,EAAE,OAAO,EAAE,SAAA,GAAY;AAEvD,UAAM,SAAuC;AAAA,MAC3C,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,SAAS;AAAA,IAAA;AAGX,eAAW,UAAU,SAAS;AAC5B,UAAI,OAAO,aAAa;AACtB,eAAO;AAAA,MACT,OAAO;AACL,eAAO,OAAO,MAAM;AAAA,MACtB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAAa,UAAkB,MAAgC;AACnE,UAAM,SAAS,MAAM,KAAK,WAAW,UAAU,IAAI;AACnD,QAAI,CAAC,OAAQ,QAAO;AAEpB,UAAM,OAAO,OAAA;AACb,WAAO;AAAA,EACT;AACF;AChJO,MAAM,4BAA4B,eAA0B;AAAA,EACjE,OAAgB,aAAa;AAAA;AAAA;AAAA;AAAA,EAK7B,MAAM,aAAa,UAA6C;AAC9D,WAAO,KAAK,IAAI;AAAA,MACd;AAAA,MACA,QAAQ;AAAA,IAAA,CACT;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,UAAwC;AAC5D,WAAO,KAAK,KAAK;AAAA,MACf,OAAO,EAAE,SAAA;AAAA,MACT,SAAS;AAAA,IAAA,CACV;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cACJ,UACA,SAC2B;AAC3B,WAAO,KAAK,IAAI;AAAA,MACd;AAAA,MACA;AAAA,IAAA,CACD;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,0BAAgD;AACpD,UAAM,0BAAU,KAAA;AAEhB,WAAO,KAAK,KAAK;AAAA,MACf,OAAO;AAAA,QACL,QAAQ;AAAA,QACR,kBAAkB;AAAA,QAClB,iBAAiB,IAAI,YAAA;AAAA,MAAY;AAAA,MAEnC,SAAS;AAAA,IAAA,CACV;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAA0C;AAC9C,WAAO,KAAK,KAAK;AAAA,MACf,OAAO,EAAE,QAAQ,SAAA;AAAA,MACjB,SAAS;AAAA,IAAA,CACV;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAA0D;AAC9D,UAAM,OAAO,MAAM,KAAK,KAAK,CAAA,CAAE;AAE/B,UAAM,SAA0C;AAAA,MAC9C,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,SAAS;AAAA,MACT,aAAa;AAAA,IAAA;AAGf,eAAW,OAAO,MAAM;AACtB,aAAO,IAAI,MAAM;AAAA,IACnB;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,UAAkB,OAAiC;AACvE,UAAM,MAAM,MAAM,KAAK,IAAI;AAAA,MACzB,IAAI;AAAA,MACJ;AAAA,IAAA,CACD;AAED,QAAI,CAAC,IAAK,QAAO;AAEjB,QAAI,gBAAA;AACJ,UAAM,IAAI,KAAA;AACV,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,mBAAmB,gBAAwB,IAAqB;AACpE,UAAM,iCAAiB,KAAA;AACvB,eAAW,QAAQ,WAAW,QAAA,IAAY,aAAa;AAEvD,UAAM,UAAU,MAAM,KAAK,KAAK;AAAA,MAC9B,OAAO;AAAA,QACL,QAAQ;AAAA,QACR,eAAe,WAAW,YAAA;AAAA,MAAY;AAAA,IACxC,CACD;AAED,QAAI,QAAQ;AACZ,eAAW,OAAO,SAAS;AACzB,YAAM,IAAI,OAAA;AACV;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;ACtEA,MAAM,cAAc;AAAA,EAClB,YAAY,QAAQ,QAAQ;AAC1B,SAAK,QAAQ;AAAA,EACf;AAAA,EACA,OAAO,SAAS;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOE,UAAU,OAAO;AACf,UAAM,eAAe,cAAc,OAAO,QAAQ,KAAK,KAAK;AAC5D,UAAM,eAAe,cAAc,OAAO,QAAQ,KAAK;AACvD,WAAO,gBAAgB;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,cAAc,SAAS;AACrB,QAAI,CAAC,WAAW,OAAO,KAAK,OAAO,EAAE,WAAW,GAAG;AACjD,aAAO;AAAA,IACT;AACA,WAAO,IAAI,KAAK,UAAU,OAAO,CAAC;AAAA,EACpC;AAAA,EACA,MAAM,SAAS,SAAS;AACtB,QAAI,KAAK,UAAU,OAAO,GAAG;AAC3B,cAAQ,MAAM,WAAW,OAAO,GAAG,KAAK,cAAc,OAAO,CAAC,EAAE;AAAA,IAClE;AAAA,EACF;AAAA,EACA,KAAK,SAAS,SAAS;AACrB,QAAI,KAAK,UAAU,MAAM,GAAG;AAC1B,cAAQ,KAAK,UAAU,OAAO,GAAG,KAAK,cAAc,OAAO,CAAC,EAAE;AAAA,IAChE;AAAA,EACF;AAAA,EACA,KAAK,SAAS,SAAS;AACrB,QAAI,KAAK,UAAU,MAAM,GAAG;AAC1B,cAAQ,KAAK,UAAU,OAAO,GAAG,KAAK,cAAc,OAAO,CAAC,EAAE;AAAA,IAChE;AAAA,EACF;AAAA,EACA,MAAM,SAAS,SAAS;AACtB,QAAI,KAAK,UAAU,OAAO,GAAG;AAC3B,cAAQ,MAAM,WAAW,OAAO,GAAG,KAAK,cAAc,OAAO,CAAC,EAAE;AAAA,IAClE;AAAA,EACF;AACF;AACA,MAAM,WAAW;AAAA,EACf,MAAM,UAAU,UAAU;AAAA,EAC1B;AAAA,EACA,KAAK,UAAU,UAAU;AAAA,EACzB;AAAA,EACA,KAAK,UAAU,UAAU;AAAA,EACzB;AAAA,EACA,MAAM,UAAU,UAAU;AAAA,EAC1B;AACF;AACA,SAAS,aAAa,QAAQ;AAC5B,MAAI,OAAO,WAAW,WAAW;AAC/B,QAAI,CAAC,QAAQ;AACX,aAAO,IAAI,WAAU;AAAA,IACvB;AACA,UAAM,YAAY;AAAA,MAChB,CAAA;AAAA,MACA;AAAA,QACE,aAAa;AAAA,QACb,QAAQ,EAAE,OAAO,SAAQ;AAAA,MACjC;AAAA,IACA;AACI,WAAO,IAAI,cAAc,UAAU,SAAS,MAAM;AAAA,EACpD;AACA,QAAM,eAAe,cAAc,QAAQ;AAAA,IACzC,aAAa;AAAA,IACb,QAAQ,EAAE,OAAO,SAAQ;AAAA,EAC7B,CAAG;AACD,QAAM,QAAQ,aAAa,SAAS;AACpC,SAAO,IAAI,cAAc,KAAK;AAChC;AC7GA,MAAM,SAAS,aAAa,EAAE,OAAO,QAAQ;AAiItC,MAAM,4BAA4B,MAAM;AAAA,EACpC,OAAO;AAAA,EACP;AAAA,EACA;AAAA,EACA;AAAA,EAET,YACE,SACA,UACA,QACA,OACA;AACA,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,WAAW;AAChB,SAAK,SAAS;AACd,SAAK,QAAQ;AAAA,EACf;AACF;AA6EO,MAAM,cAAc;AAAA,EACjB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA,YACN,IACA,aACA,SACA,YACA,WACA,cACA,WACA,UACA;AACA,SAAK,KAAK;AACV,SAAK,cAAc;AACnB,SAAK,UAAU;AACf,SAAK,aAAa;AAClB,SAAK,YAAY;AACjB,SAAK,eAAe;AACpB,SAAK,YAAY;AACjB,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,OAAO,SAAuD;AACzE,UAAM;AAAA,MACJ;AAAA,MACA,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,eAAe;AAAA,IAAA,IACb;AAGJ,UAAM,cAAc,MAAM,eAAe;AAAA,MACvC,MAAM;AAAA,MACN;AAAA,MACA,KAAK;AAAA,QACH,UAAU;AAAA,QACV,WAAW;AAAA,QACX,OAAO;AAAA,MAAA;AAAA,IACT,CACD;AAGD,UAAM,cAAc,EAAE,GAAA;AACtB,UAAM,UAAU,MAAM,iBAAiB,OAAO,WAAW;AACzD,UAAM,aAAa,MAAM,oBAAoB,OAAO,WAAW;AAC/D,UAAM,YAAY,MAAM,yBAAyB,OAAO,WAAW;AAEnE,WAAO,IAAI;AAAA,MACT;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IAAA;AAAA,EAEJ;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MACJ,MACA,OACA,UAA8B,CAAA,GACb;AACjB,UAAM,WAAW,gBAAA;AACjB,UAAM,SAAS,KAAK,iBAAA;AAGpB,QAAI,WAAW;AAEf,QAAI;AAIF,UAAI,WAAW,MAAM,KAAK,QAAQ,WAAW,UAAU,IAAI;AAI3D,UAAI,YAAY,SAAS,aAAa,UAAU;AAC9C,mBAAW;AAAA,MACb;AACA,iBAAW,aAAa;AAGxB,YAAM,WAAW,MAAM,KAAK,YAAY,QAAQ,UAAU,MAAM,OAAO;AAAA,QACrE,UAAU,QAAQ,WACd,KAAK,kBAAkB,QAAQ,QAAQ,IACvC;AAAA,MAAA,CACL;AAED,UAAI,UAAU;AAEZ,iBAAS,iBAAiB,KAAK,UAAU,QAAQ;AACjD,iBAAS,cAAc,QAAQ,eAAe,SAAS;AACvD,iBAAS,WAAW,QAAQ,YAAY,SAAS;AACjD,iBAAS,YAAY,QAAQ,aAAa,SAAS;AACnD,iBAAS,WAAW,QAAQ,YAAY,SAAS;AACjD,cAAM,SAAS,KAAA;AAEf,cAAM,KAAK;AAAA,UACT,SAAS,MAAM;AAAA,UACf;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QAAA;AAEF,eAAO;AAAA,MACT;AAMA,YAAM,SAAS,MAAM,KAAK,QAAQ,OAAO;AAAA,QACvC;AAAA,QACA,aAAa,QAAQ,eAAe;AAAA,QACpC,UAAU,QAAQ,YAAY;AAAA,QAC9B,gBAAgB,KAAK,UAAU,QAAQ;AAAA,QACvC,YAAY;AAAA,QACZ,QAAQ;AAAA,QACR,WAAW,QAAQ,aAAa;AAAA,QAChC,UAAU,QAAQ,YAAY,CAAA;AAAA,QAC9B,SAAS;AAAA;AAAA,QACT;AAAA,MAAA,CACD;AAED,YAAM,KAAK,MAAM,OAAO,MAAM,MAAM,MAAM,QAAQ,UAAU,SAAS;AACrE,aAAO;AAAA,IACT,SAAS,OAAO;AACd,YAAM,kBAAkB,MAAM,KAAK;AAAA,QACjC;AAAA,QACA;AAAA,QACA;AAAA,MAAA;AAEF,YAAM,KAAK;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA,WAAW,WAAW;AAAA,QACtB;AAAA,QACA;AAAA,UACE,OAAO,gBAAgB;AAAA,QAAA;AAAA,MACzB;AAEF,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,eACJ,UACA,MACA,OACA,UAA8B,CAAA,GACb;AACjB,WAAO,WAAW,EAAE,SAAA,GAAY,MAAM,KAAK,MAAM,MAAM,OAAO,OAAO,CAAC;AAAA,EACxE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,SAAS,MAAwC;AACrD,UAAM,WAAW,gBAAA;AACjB,UAAM,SAAS,KAAK,iBAAA;AAGpB,QAAI,UAAU;AAEd,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,QAAQ,WAAW,UAAU,IAAI;AAI3D,UAAI,CAAC,UAAU,OAAO,aAAa,UAAU;AAC3C,cAAM,KAAK,MAAM,MAAM,MAAM,QAAQ,QAAQ,WAAW;AAAA,UACtD,OAAO;AAAA,QAAA,CACR;AACD,kBAAU;AACV,cAAM,IAAI,MAAM,WAAW,IAAI,aAAa;AAAA,MAC9C;AAEA,UAAI,CAAC,OAAO,YAAY;AACtB,cAAM,SAAS,OAAO,UAAA,IAClB,mBACA;AACJ,cAAM,KAAK,MAAM,OAAO,MAAM,MAAM,MAAM,QAAQ,QAAQ,WAAW;AAAA,UACnE,OAAO;AAAA,QAAA,CACR;AACD,kBAAU;AACV,cAAM,IAAI,MAAM,MAAM;AAAA,MACxB;AAGA,YAAM,WAA8B,KAAK,MAAM,OAAO,cAAc;AACpE,YAAM,YAAY,MAAM,KAAK,YAAY,QAAQ,UAAU,QAAQ;AAInE,YAAM,yBAAyB,OAAO;AACtC,YAAM,sBAAsB,OAAO;AACnC,UAAI;AACF,eAAO,aAAA;AACP,cAAM,OAAO,KAAA;AAAA,MACf,SAAS,eAAe;AACtB,eAAO,iBAAiB;AACxB,eAAO,cAAc;AACrB,eAAO,MAAM,2CAA2C;AAAA,UACtD,OAAO;AAAA,QAAA,CACR;AAAA,MACH;AAEA,YAAM,KAAK,MAAM,OAAO,MAAM,MAAM,MAAM,QAAQ,QAAQ,SAAS;AAEnE,aAAO;AAAA,QACL,OAAO,UAAU;AAAA,QACjB,MAAM,OAAO;AAAA,QACb,aAAa,OAAO;AAAA,QACpB,UAAU,OAAO;AAAA,QACjB,WAAW,OAAO;AAAA,QAClB,WAAW,OAAO,cAAc,oBAAI,KAAA;AAAA,QACpC,gBAAgB,OAAO;AAAA,QACvB,aAAa,OAAO;AAAA,QACpB,UAAU,OAAO;AAAA,MAAA;AAAA,IAErB,SAAS,OAAO;AACd,YAAM,kBAAkB,MAAM,KAAK;AAAA,QACjC;AAAA,QACA;AAAA,QACA;AAAA,MAAA;AAGF,UAAI,CAAC,SAAS;AACZ,cAAM,KAAK,MAAM,MAAM,MAAM,QAAQ,QAAQ,WAAW;AAAA,UACtD,OAAO,gBAAgB;AAAA,QAAA,CACxB;AAAA,MACH;AACA,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,kBACJ,UACA,MAC0B;AAC1B,WAAO,WAAW,EAAE,SAAA,GAAY,MAAM,KAAK,SAAS,IAAI,CAAC;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,6BACJ,UACA,UAA+C,IAChB;AAC/B,UAAM,gBAAgB,MAAM,KAAK;AAAA,MAC/B;AAAA,MACA,QAAQ;AAAA,IAAA;AAEV,UAAM,uBACJ,MAAM,KAAK,4BAA4B,QAAQ;AACjD,UAAM,oBACJ,MAAM,KAAK,+BAA+B,QAAQ;AACpD,UAAM,iBAAiB,kBAAkB;AACzC,UAAM,SAAgC,CAAA;AAEtC,UAAM,6BAA6B,qBAAqB;AAAA,MACtD,CAAC,QAAQ,IAAI,WAAW;AAAA,IAAA;AAE1B,UAAM,uBAAuB,eAAe;AAAA,MAC1C,CAAC,QAAQ,IAAI,WAAW;AAAA,IAAA;AAE1B,UAAM,MAAM,KAAK,6BAAA;AAEjB,QAAI,CAAC,IAAI,QAAQ;AACf,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,UAAU;AAAA,QACV,SAAS,IAAI,SAAS,OAAO,KAAK,SAAS;AAAA,QAC3C,cAAc;AAAA,QACd,SAAS;AAAA,UACP,WAAW,KAAK;AAAA,UAChB,UAAU,KAAK;AAAA,QAAA;AAAA,MACjB,CACD;AAAA,IACH;AAEA,QAAI,cAAc,SAAS,KAAK,2BAA2B,WAAW,GAAG;AACvE,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,UAAU;AAAA,QACV,SACE;AAAA,QACF,cAAc;AAAA,QACd,aAAa;AAAA,QACb,SAAS;AAAA,UACP,mBAAmB,cAAc;AAAA,QAAA;AAAA,MACnC,CACD;AAAA,IACH;AAEA,QAAI,kBAAkB,OAAO;AAC3B,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,UAAU;AAAA,QACV,SACE;AAAA,QACF,cAAc;AAAA,QACd,aAAa;AAAA,QACb,SAAS;AAAA,UACP,OAAO,kBAAkB,MAAM;AAAA,QAAA;AAAA,MACjC,CACD;AAAA,IACH;AAEA,QAAI,2BAA2B,SAAS,GAAG;AACzC,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,UAAU;AAAA,QACV,SACE;AAAA,QACF,cAAc;AAAA,QACd,aAAa;AAAA,QACb,SAAS;AAAA,UACP,gCAAgC,2BAA2B;AAAA,QAAA;AAAA,MAC7D,CACD;AAAA,IACH;AAEA,UAAM,kBAAqC,CAAA;AAE3C,eAAW,OAAO,sBAAsB;AACtC,YAAM,QAAQ,IAAI,QACd,KAAK,gBAAgB,IAAI,aAAa,IAAI,KAAK,IAC/C,EAAE,QAAQ,OAAO,OAAO,IAAI,MAAA;AAEhC,UAAI,IAAI,WAAW,UAAU;AAC3B,wBAAgB,KAAK,KAAK;AAAA,MAC5B;AAEA,UAAI,IAAI,WAAW,YAAY,IAAI,eAAe,KAAK,UAAU;AAC/D,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,UAAU;AAAA,UACV,SACE;AAAA,UACF,cAAc;AAAA,UACd,OAAO,IAAI;AAAA,UACX,aAAa;AAAA,UACb,SAAS;AAAA,YACP,aAAa,IAAI;AAAA,YACjB,oBAAoB,KAAK;AAAA,UAAA;AAAA,QAC3B,CACD;AAAA,MACH;AAEA,UAAI,IAAI,WAAW,YAAY,CAAC,MAAM,UAAU,IAAI,OAAO;AACzD,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,UAAU;AAAA,UACV,SACE;AAAA,UACF,cAAc;AAAA,UACd,OAAO,IAAI;AAAA,UACX,aAAa;AAAA,UACb,SAAS;AAAA,YACP,SAAS,IAAI;AAAA,YACb,OAAO,MAAM,SAAS;AAAA,UAAA;AAAA,QACxB,CACD;AAAA,MACH;AAAA,IACF;AAEA,UAAM,uCAAuC,gBAAgB;AAAA,MAC3D,CAAC,UAAU,MAAM;AAAA,IAAA,EACjB;AAEF,QACE,cAAc,SAAS,KACvB,yCAAyC,GACzC;AACA,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,UAAU;AAAA,QACV,SACE;AAAA,QACF,cAAc;AAAA,QACd,aAAa;AAAA,QACb,SAAS;AAAA,UACP,mBAAmB,cAAc;AAAA,UACjC,gCAAgC,2BAA2B;AAAA,QAAA;AAAA,MAC7D,CACD;AAAA,IACH;AAEA,UAAM,0CAA0B,IAAA;AAChC,eAAW,OAAO,sBAAsB;AACtC,YAAM,cAAc,KAAK,yBAAyB,IAAI,WAAW;AACjE,UAAI,aAAa;AACf,4BAAoB,IAAI,aAAa,GAAG;AAAA,MAC1C;AAAA,IACF;AAEA,eAAW,UAAU,eAAe;AAClC,YAAM,WAAW,KAAK,gCAAgC,QAAQ,MAAM;AACpE,UAAI,CAAC,SAAU;AAEf,YAAM,sBAAsB,KAAK;AAAA,QAC/B,SAAS;AAAA,MAAA;AAEX,YAAM,gBAAgB,IAAI,QACtB,KAAK,gBAAgB,SAAS,YAAY,IAAI,KAAK,IACnD;AAAA,QACE,QAAQ;AAAA,QACR,OAAO,IAAI;AAAA,QACX,aAAa;AAAA,MAAA;AAGnB,UAAI,CAAC,cAAc,aAAa;AAC9B,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,UAAU;AAAA,UACV,SACE;AAAA,UACF,cAAc;AAAA,UACd,UAAU,OAAO;AAAA,UACjB,YAAY,OAAO;AAAA,UACnB,aAAa;AAAA,UACb,SAAS;AAAA,YACP,OAAO,cAAc,SAAS;AAAA,UAAA;AAAA,QAChC,CACD;AACD;AAAA,MACF;AAEA,YAAM,cAAc,oBAAoB,IAAI,cAAc,WAAW;AACrE,UAAI,CAAC,aAAa;AAChB,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,UAAU;AAAA,UACV,SACE;AAAA,UACF,cAAc,CAAC,IAAI,QACf,SACA,cAAc,SACZ,SACA;AAAA,UACN,UAAU,OAAO;AAAA,UACjB,YAAY,OAAO;AAAA,UACnB,aAAa;AAAA,QAAA,CACd;AAAA,MACH;AAEA,UAAI,CAAC,cAAc,UAAU,IAAI,OAAO;AACtC,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,UAAU;AAAA,UACV,SACE;AAAA,UACF,cAAc;AAAA,UACd,UAAU,OAAO;AAAA,UACjB,YAAY,OAAO;AAAA,UACnB,OAAO,aAAa;AAAA,UACpB,aAAa;AAAA,UACb,SAAS;AAAA,YACP,OAAO,cAAc,SAAS;AAAA,UAAA;AAAA,QAChC,CACD;AAAA,MACH;AAAA,IACF;AAEA,QACE,cAAc,SAAS,KACvB,qBAAqB,SAAS,KAC9B,eAAe,WAAW,KAC1B,CAAC,kBAAkB,OACnB;AACA,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,UAAU;AAAA,QACV,SACE;AAAA,QACF,cAAc;AAAA,QACd,aAAa;AAAA,MAAA,CACd;AAAA,IACH;AAEA,WAAO;AAAA,MACL;AAAA,MACA,+BAAe,KAAA;AAAA,MACf,IAAI,CAAC,OAAO,KAAK,CAAC,UAAU,MAAM,aAAa,OAAO;AAAA,MACtD,SAAS;AAAA,QACP,mBAAmB,cAAc;AAAA,QACjC,0BAA0B,qBAAqB;AAAA,QAC/C,gCAAgC,2BAA2B;AAAA,QAC3D;AAAA,QACA,oBAAoB,eAAe;AAAA,QACnC,0BAA0B,qBAAqB;AAAA,MAAA;AAAA,MAEjD;AAAA,IAAA;AAAA,EAEJ;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oCACJ,UAA+C,IAChB;AAC/B,WAAO,KAAK,6BAA6B,gBAAA,GAAmB,OAAO;AAAA,EACrE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,2BACJ,UACA,UAA6C,IACR;AACrC,UAAM,SAAS,QAAQ,UAAU;AACjC,UAAM,SAAS,MAAM,KAAK,6BAA6B,UAAU,OAAO;AACxE,UAAM,gCAAgB,IAAA;AACtB,UAAM,kCAAkB,IAAA;AACxB,UAAM,6CAA6B,IAAA;AAEnC,eAAW,SAAS,OAAO,QAAQ;AACjC,UACE,MAAM,iBAAiB,iCACvB,MAAM,UACN;AACA,kBAAU,IAAI,MAAM,QAAQ;AAC5B,YAAI,MAAM,YAAY;AACpB,sBAAY,IAAI,MAAM,UAAU,MAAM,UAAU;AAAA,QAClD;AAAA,MACF;AAEA,UACE,MAAM,iBAAiB,2CACvB,MAAM,OACN;AACA,+BAAuB,IAAI,MAAM,KAAK;AAAA,MACxC;AAAA,IACF;AAEA,UAAM,qBAAqB,UAAU;AACrC,UAAM,kCAAkC,uBAAuB;AAC/D,UAAM,+BACJ,qBAAqB,kCAAkC;AAEzD,QACE,CAAC,UACD,gCACA,CAAC,QAAQ,gCACT;AACA,YAAM,IAAI;AAAA,QACR;AAAA,MAAA;AAAA,IAEJ;AAEA,QAAI,iBAAiB;AACrB,QAAI,8BAA8B;AAElC,QAAI,CAAC,QAAQ;AACX,YAAM,aAAa,OAAO,OAA0B;AAClD,cAAM,oBAAoB,MAAM,KAAK;AAAA,UACnC;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QAAA;AAEF,cAAM,iCAAiC,MAAM,KAAK;AAAA,UAChD;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QAAA;AAEF,eAAO;AAAA,UACL,gBAAgB;AAAA,UAChB,6BAA6B;AAAA,QAAA;AAAA,MAEjC;AACA,YAAM,OAAO,KAAK;AAClB,YAAM,eACJ,OAAO,KAAK,gBAAgB,aACxB,MAAM,KAAK,YAAY,CAAC,OAAO,WAAW,EAAE,CAAC,IAC7C,MAAM,WAAW,KAAK,EAAE;AAE9B,uBAAiB,aAAa;AAC9B,oCAA8B,aAAa;AAC3C,YAAM,KAAK;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,MAAA;AAAA,IAEJ;AAEA,UAAM,QAAQ,SACV,SACA,MAAM,KAAK,6BAA6B,UAAU,OAAO;AAE7D,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA,cAAc,OAAO;AAAA,MACrB,iBAAiB,MAAM;AAAA,MACvB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,aAAa,MAAM,KAAK,YAAY,OAAA,CAAQ,EAAE,KAAA;AAAA,MAC9C,wBAAwB,MAAM,KAAK,sBAAsB,EAAE,KAAA;AAAA,IAAK;AAAA,EAEpE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,UAAiC,IAAuB;AACjE,WAAO,KAAK,QAAQ,YAAY,gBAAA,GAAmB;AAAA,MACjD,UAAU,QAAQ;AAAA,MAClB,QAAQ;AAAA,IAAA,CACT;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAO,MAAgC;AAC3C,UAAM,WAAW,gBAAA;AACjB,UAAM,SAAS,KAAK,iBAAA;AAEpB,UAAM,SAAS,MAAM,KAAK,QAAQ,WAAW,UAAU,IAAI;AAE3D,QAAI,CAAC,UAAU,OAAO,aAAa,UAAU;AAC3C,aAAO;AAAA,IACT;AAEA,QAAI;AACF,YAAM,OAAO,OAAA;AACb,YAAM,KAAK,MAAM,OAAO,MAAM,MAAM,MAAM,QAAQ,UAAU,SAAS;AACrE,aAAO;AAAA,IACT,SAAS,OAAO;AACd,YAAM,KAAK,MAAM,OAAO,MAAM,MAAM,MAAM,QAAQ,UAAU,WAAW;AAAA,QACrE,OAAQ,MAAgB;AAAA,MAAA,CACzB;AACD,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAQ,MAAgC;AAC5C,UAAM,WAAW,gBAAA;AACjB,UAAM,SAAS,KAAK,iBAAA;AAEpB,UAAM,SAAS,MAAM,KAAK,QAAQ,WAAW,UAAU,IAAI;AAE3D,QAAI,CAAC,UAAU,OAAO,aAAa,UAAU;AAC3C,aAAO;AAAA,IACT;AAEA,WAAO,QAAA;AACP,UAAM,OAAO,KAAA;AACb,UAAM,KAAK,MAAM,OAAO,MAAM,MAAM,MAAM,QAAQ,WAAW,SAAS;AACtE,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAO,MAAgC;AAC3C,UAAM,WAAW,gBAAA;AACjB,UAAM,SAAS,KAAK,iBAAA;AAEpB,UAAM,SAAS,MAAM,KAAK,QAAQ,WAAW,UAAU,IAAI;AAE3D,QAAI,CAAC,UAAU,OAAO,aAAa,UAAU;AAC3C,aAAO;AAAA,IACT;AAEA,WAAO,OAAA;AACP,UAAM,OAAO,KAAA;AACb,UAAM,KAAK,MAAM,OAAO,MAAM,MAAM,MAAM,QAAQ,UAAU,SAAS;AACrE,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,YAA2B;AAC/B,UAAM,WAAW,gBAAA;AACjB,UAAM,SAAS,KAAK,iBAAA;AAEpB,QAAI;AACF,YAAM,KAAK,YAAY,gBAAgB,QAAQ;AAC/C,YAAM,KAAK,MAAM,MAAM,IAAI,QAAQ,cAAc,WAAW;AAAA,QAC1D;AAAA,MAAA,CACD;AAAA,IACH,SAAS,OAAO;AACd,YAAM,KAAK,MAAM,MAAM,IAAI,QAAQ,cAAc,WAAW;AAAA,QAC1D;AAAA,QACA,OAAQ,MAAgB;AAAA,MAAA,CACzB;AACD,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,eAA6D;AACjE,UAAM,WAAW,gBAAA;AACjB,UAAM,SAAS,KAAK,iBAAA;AAIpB,UAAM,UAAU,MAAM,KAAK,QAAQ,KAAK,EAAE,OAAO,EAAE,SAAA,GAAY;AAC/D,QAAI,UAAU;AACd,QAAI,SAAS;AAEb,eAAW,UAAU,SAAS;AAC5B,UAAI;AAEF,cAAM,WAA8B,KAAK,MAAM,OAAO,cAAc;AACpE,cAAM,YAAY,MAAM,KAAK,YAAY,QAAQ,UAAU,QAAQ;AAGnE,cAAM,cAAc,MAAM,KAAK,YAAY;AAAA,UACzC;AAAA,UACA,OAAO;AAAA,UACP,UAAU;AAAA,QAAA;AAGZ,eAAO,iBAAiB,KAAK,UAAU,WAAW;AAClD,cAAM,OAAO,KAAA;AAEb;AAAA,MACF,SAAS,OAAO;AACd;AACA,cAAM,KAAK;AAAA,UACT,OAAO,MAAM;AAAA,UACb,OAAO;AAAA,UACP;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,YACE,QAAQ;AAAA,YACR,OAAQ,MAAgB;AAAA,UAAA;AAAA,QAC1B;AAAA,MAEJ;AAAA,IACF;AAEA,WAAO,EAAE,SAAS,OAAA;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aACJ,UAAmD,IACxB;AAC3B,WAAO,KAAK,UAAU,SAAS;AAAA;AAAA;AAAA,MAG7B,UAAU,gBAAA;AAAA,MACV,YAAY,QAAQ;AAAA,MACpB,OAAO,QAAQ,SAAS;AAAA,IAAA,CACzB;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAmC;AACvC,WAAO,KAAK,QAAQ,cAAc,gBAAA,CAAiB;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAO,MAAgC;AAC3C,UAAM,WAAW,gBAAA;AACjB,UAAM,SAAS,MAAM,KAAK,QAAQ,WAAW,UAAU,IAAI;AAC3D,WAAO,WAAW,QAAQ,OAAO,aAAa;AAAA,EAChD;AAAA;AAAA,EAIA,MAAc,iCACZ,UACA,aAC+B;AAC/B,UAAM,SAAoB,CAAC,QAAQ;AACnC,QAAI,aAAa;AAEjB,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,YAAM,eAAe,YAAY,IAAI,MAAM,GAAG,EAAE,KAAK,IAAI;AACzD,mBAAa,iBAAiB,YAAY;AAC1C,aAAO,KAAK,GAAG,WAAW;AAAA,IAC5B;AAEA,UAAM,SAAS,MAAM,KAAK,GAAG;AAAA,MAC3B;AAAA;AAAA;AAAA,mDAG6C,UAAU;AAAA;AAAA;AAAA,MAGvD,GAAG;AAAA,IAAA;AAGL,WAAO,KAAK,eAAmC,MAAM;AAAA,EACvD;AAAA,EAEA,MAAc,4BACZ,UACmC;AACnC,UAAM,SAAS,MAAM,KAAK,GAAG;AAAA,MAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA;AAAA,IAAA;AAGF,WAAO,KAAK,eAAuC,MAAM;AAAA,EAC3D;AAAA,EAEA,MAAc,+BACZ,UACqC;AACrC,QAAI;AACF,aAAO,EAAE,MAAM,MAAM,KAAK,WAAW,gBAAgB,QAAQ,EAAA;AAAA,IAC/D,SAAS,OAAO;AACd,aAAO,EAAE,MAAM,IAAI,OAAO,KAAK,QAAQ,KAAK,EAAA;AAAA,IAC9C;AAAA,EACF;AAAA,EAEQ,+BAEgD;AACtD,UAAM,SAAS,QAAQ,IAAI,KAAK,SAAS;AACzC,QAAI,CAAC,QAAQ;AACX,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,OAAO,6DAA6D,KAAK,SAAS;AAAA,MAAA;AAAA,IAEtF;AAEA,QAAI;AACF,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,OAAO,mBAAmB,YAAY,MAAM;AAAA,MAAA;AAAA,IAEhD,SAAS,OAAO;AACd,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,OAAO,kBAAkB,KAAK,SAAS,KACrC,KAAK,QAAQ,KAAK,EAAE,OACtB;AAAA,MAAA;AAAA,IAEJ;AAAA,EACF;AAAA,EAEQ,gBAAgB,YAAoB,KAA8B;AACxE,UAAM,cAAc,KAAK,yBAAyB,UAAU;AAE5D,QAAI;AACF,YAAM,SAAS,mBAAmB,gBAAgB,UAAU;AAC5D,YAAM,UAAU,mBAAmB;AAAA,QACjC,OAAO;AAAA,QACP,OAAO;AAAA,QACP,OAAO;AAAA,QACP;AAAA,MAAA;AAEF,cAAQ,KAAK,CAAC;AACd,aAAO,EAAE,QAAQ,MAAM,YAAA;AAAA,IACzB,SAAS,OAAO;AACd,aAAO;AAAA,QACL,QAAQ;AAAA,QACR;AAAA,QACA,OAAO,KAAK,QAAQ,KAAK,EAAE;AAAA,MAAA;AAAA,IAE/B;AAAA,EACF;AAAA,EAEQ,yBAAyB,YAAwC;AACvE,QAAI;AACF,aAAO,mBAAmB,gBAAgB,UAAU,EAAE;AAAA,IACxD,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEQ,gCACN,QACA,QAC0B;AAC1B,QAAI;AACF,aAAO,KAAK,MAAM,OAAO,eAAe;AAAA,IAC1C,SAAS,OAAO;AACd,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,UAAU;AAAA,QACV,SAAS;AAAA,QACT,cAAc;AAAA,QACd,UAAU,OAAO;AAAA,QACjB,YAAY,OAAO;AAAA,QACnB,aAAa;AAAA,QACb,SAAS;AAAA,UACP,OAAO,KAAK,QAAQ,KAAK,EAAE;AAAA,QAAA;AAAA,MAC7B,CACD;AACD,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAc,gBACZ,WACA,UACA,KACA,KAAwB,KAAK,IACZ;AACjB,QAAI,IAAI,SAAS,EAAG,QAAO;AAE3B,UAAM,SAAS,MAAM,KAAK,GAAG;AAC7B,UAAM,eAAe,OAAO,IAAI,MAAM,GAAG,EAAE,KAAK,IAAI;AACpD,UAAM,SAAS,MAAM,GAAG;AAAA,MACtB,gBAAgB,SAAS,oCAAoC,YAAY;AAAA,MACzE;AAAA,MACA,GAAG;AAAA,IAAA;AAGL,WAAO,OAAO,OAAO,aAAa,WAC9B,OAAO,WACP,OAAO;AAAA,EACb;AAAA,EAEA,MAAc,8BACZ,UACA,WACA,aACe;AACf,QAAI,UAAU,SAAS,EAAG;AAE1B,UAAM,SAAS,KAAK,iBAAA;AACpB,UAAM,WAAW,EAAE,SAAA,GAAY,YAAY;AACzC,iBAAW,YAAY,WAAW;AAChC,cAAM,KAAK;AAAA,UACT;AAAA,UACA,YAAY,IAAI,QAAQ,KAAK;AAAA,UAC7B;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,YACE,QAAQ;AAAA,YACR,QAAQ;AAAA,UAAA;AAAA,QACV;AAAA,MAEJ;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,eAAkB,QAAsB;AAC9C,QAAI,MAAM,QAAQ,MAAM,EAAG,QAAO;AAClC,QACE,UACA,OAAO,WAAW,YAClB,MAAM,QAAS,OAA8B,IAAI,GACjD;AACA,aAAQ,OAAyB;AAAA,IACnC;AACA,WAAO,CAAA;AAAA,EACT;AAAA,EAEA,MAAc,yBACZ,UACA,YACA,OACgB;AAChB,UAAM,aAAa,KAAK,QAAQ,KAAK;AACrC,QAAI,CAAC,KAAK,+BAA+B,UAAU,GAAG;AACpD,aAAO;AAAA,IACT;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,6BAA6B,UAAU;AAAA,QAC/D,aAAa,CAAC,UAAU;AAAA,MAAA,CACzB;AACD,YAAM,aAAa,OAAO,OACvB,OAAO,CAAC,UAAU,MAAM,aAAa,OAAO,EAC5C,IAAI,CAAC,UAAU,MAAM,IAAI;AAE5B,UAAI,WAAW,WAAW,GAAG;AAC3B,eAAO;AAAA,MACT;AAEA,aAAO,IAAI;AAAA,QACT,WAAW,UAAU,iBAAiB,QAAQ,mDAAmD;AAAA,UAC/F,GAAG,IAAI,IAAI,UAAU;AAAA,QAAA,EACrB;AAAA,UACA;AAAA,QAAA,CACD;AAAA,QACD;AAAA,QACA;AAAA,QACA;AAAA,MAAA;AAAA,IAEJ,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEQ,+BAA+B,OAAuB;AAC5D,UAAM,OAAO,KAAK,mBAAmB,KAAK;AAC1C,QAAI,iBAAiB,uBAAuB,SAAS,mBAAmB;AACtE,aAAO;AAAA,IACT;AAEA,WACE,iBAAiB,yBACjB,iBAAiB,mBACjB,iBAAiB,mBACjB,SAAS,wBACT,SAAS,uBACT,SAAS;AAAA,EAEb;AAAA,EAEQ,mBAAmB,OAAkC;AAC3D,UAAM,OAAQ,MAA6B;AAC3C,WAAO,OAAO,SAAS,WAAW,OAAO;AAAA,EAC3C;AAAA,EAEQ,QAAQ,OAAuB;AACrC,WAAO,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AAAA,EACjE;AAAA,EAEQ,mBAA2B;AACjC,UAAM,MAAM,iBAAA;AACZ,WAAO,KAAK,UAAU;AAAA,EACxB;AAAA,EAEA,MAAc,MACZ,UACA,YACA,QACA,QACA,QACA,SACe;AACf,QAAI,CAAC,KAAK,aAAc;AAExB,QAAI;AACF,YAAM,WAAW,oBAAoB,YAAY;AACjD,YAAM,MAAM,MAAM,KAAK,UAAU;AAAA,QAC/B,iBAAiB;AAAA,UACf;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QAAA,CACD;AAAA,MAAA;AAEH,YAAM,IAAI,KAAA;AAAA,IACZ,SAAS,OAAO;AAEd,aAAO,MAAM,6BAA6B,EAAE,MAAA,CAAO;AAAA,IACrD;AAAA,EACF;AAAA,EAEQ,kBACN,UACwB;AACxB,UAAM,SAAiC,CAAA;AACvC,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,QAAQ,GAAG;AACnD,aAAO,GAAG,IAAI,OAAO,UAAU,WAAW,QAAQ,KAAK,UAAU,KAAK;AAAA,IACxE;AACA,WAAO;AAAA,EACT;AACF;","x_google_ignoreList":[3]}

package/dist/chunks/TenantKey-DzglnpAV.js ADDED Viewed

@@ -0,0 +1,377 @@
+import { ObjectRegistry, foreignKey, crossPackageRef, smrt, SmrtObject } from "@happyvertical/smrt-core";
+ObjectRegistry.registerPackageManifest(
+  new URL("./manifest.json", import.meta.url)
+);
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc$2 = Object.getOwnPropertyDescriptor;
+var __decorateClass$2 = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc$2(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+let SecretAuditLog = class extends SmrtObject {
+  /**
+   * Tenant associated with the audited secret operation.
+   */
+  tenantId = null;
+  secretId = null;
+  /**
+   * Name of the secret at the time of the operation
+   */
+  secretName = "";
+  userId = "";
+  /**
+   * The action that was performed
+   */
+  action = "read";
+  /**
+   * Result of the operation
+   */
+  result = "success";
+  /**
+   * IP address of the client (if available)
+   */
+  ipAddress = "";
+  /**
+   * User agent string (if available)
+   */
+  userAgent = "";
+  /**
+   * Additional context about the operation
+   */
+  details = {};
+  constructor(options = {}) {
+    super(options);
+    if (options.tenantId !== void 0) {
+      this.tenantId = options.tenantId;
+    }
+    if (options.secretId !== void 0) this.secretId = options.secretId;
+    if (options.secretName !== void 0) this.secretName = options.secretName;
+    if (options.userId !== void 0) this.userId = options.userId;
+    if (options.action !== void 0) this.action = options.action;
+    if (options.result !== void 0) this.result = options.result;
+    if (options.ipAddress !== void 0) this.ipAddress = options.ipAddress;
+    if (options.userAgent !== void 0) this.userAgent = options.userAgent;
+    if (options.details !== void 0) this.details = options.details;
+  }
+  /**
+   * Check if this was a successful operation
+   */
+  isSuccess() {
+    return this.result === "success";
+  }
+  /**
+   * Check if this was a failed operation
+   */
+  isFailure() {
+    return this.result === "failure";
+  }
+  /**
+   * Check if this was a denied operation (permission denied)
+   */
+  isDenied() {
+    return this.result === "denied";
+  }
+  /**
+   * Check if this is a read operation
+   */
+  isReadAction() {
+    return this.action === "read";
+  }
+  /**
+   * Check if this is a write operation (create, update, delete)
+   */
+  isWriteAction() {
+    return ["create", "update", "delete"].includes(this.action);
+  }
+  /**
+   * Check if this is a key operation
+   */
+  isKeyOperation() {
+    return this.action === "rotate_key";
+  }
+};
+__decorateClass$2([
+  foreignKey("Secret")
+], SecretAuditLog.prototype, "secretId", 2);
+__decorateClass$2([
+  crossPackageRef("@happyvertical/smrt-users:User")
+], SecretAuditLog.prototype, "userId", 2);
+SecretAuditLog = __decorateClass$2([
+  smrt({
+    tenantScoped: true,
+    api: { include: [] },
+    // No API exposure
+    mcp: { include: [] },
+    // No MCP exposure
+    // CLI runs in-process for compliance review; HTTP exposure is intentionally
+    // excluded, so skipApiCheck acknowledges the cli.include / api.include divergence.
+    cli: { include: ["list"], skipApiCheck: true }
+  })
+], SecretAuditLog);
+function createAuditEntry(params) {
+  const tenantId = params.tenantId === void 0 || params.tenantId === "system" ? null : params.tenantId;
+  const entry = {
+    secretId: params.secretId ?? null,
+    secretName: params.secretName,
+    userId: params.userId,
+    action: params.action,
+    result: params.result,
+    ipAddress: params.ipAddress ?? "",
+    userAgent: params.userAgent ?? "",
+    details: params.details ?? {},
+    tenantId
+  };
+  return entry;
+}
+var __getOwnPropDesc$1 = Object.getOwnPropertyDescriptor;
+var __decorateClass$1 = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc$1(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = decorator(result) || result;
+  return result;
+};
+let Secret = class extends SmrtObject {
+  /**
+   * Tenant that owns this secret. Also stored in context for per-tenant name uniqueness.
+   */
+  tenantId = "";
+  /**
+   * Unique name for the secret within the tenant
+   */
+  name = "";
+  /**
+   * Human-readable description
+   */
+  description = "";
+  /**
+   * Category for organization (e.g., 'database', 'api-key', 'oauth')
+   */
+  category = "";
+  /**
+   * JSON-encoded EncryptedEnvelope from @happyvertical/secrets
+   */
+  encryptedValue = "";
+  /**
+   * Version of the tenant key used to encrypt this secret
+   */
+  keyVersion = 1;
+  /**
+   * Current status of the secret
+   */
+  status = "active";
+  /**
+   * Optional expiration date
+   */
+  expiresAt = null;
+  /**
+   * Last time this secret was accessed (decrypted)
+   */
+  lastAccessedAt = null;
+  /**
+   * Number of times this secret has been accessed
+   */
+  accessCount = 0;
+  /**
+   * Additional metadata stored with the secret
+   */
+  metadata = {};
+  constructor(options = {}) {
+    super(options);
+    if (options.tenantId !== void 0) this.tenantId = options.tenantId;
+    if (options.name !== void 0) this.name = options.name;
+    if (options.description !== void 0)
+      this.description = options.description;
+    if (options.category !== void 0) this.category = options.category;
+    if (options.encryptedValue !== void 0)
+      this.encryptedValue = options.encryptedValue;
+    if (options.keyVersion !== void 0) this.keyVersion = options.keyVersion;
+    if (options.status !== void 0) this.status = options.status;
+    if (options.expiresAt !== void 0) {
+      this.expiresAt = options.expiresAt instanceof Date ? options.expiresAt : options.expiresAt ? new Date(options.expiresAt) : null;
+    }
+    if (options.lastAccessedAt !== void 0) {
+      this.lastAccessedAt = options.lastAccessedAt instanceof Date ? options.lastAccessedAt : options.lastAccessedAt ? new Date(options.lastAccessedAt) : null;
+    }
+    if (options.accessCount !== void 0)
+      this.accessCount = options.accessCount;
+    if (options.metadata !== void 0) this.metadata = options.metadata;
+  }
+  /**
+   * Check if the secret is currently active
+   */
+  isActive() {
+    return this.status === "active";
+  }
+  /**
+   * Check if the secret has expired
+   */
+  isExpired() {
+    if (!this.expiresAt) return false;
+    return /* @__PURE__ */ new Date() >= this.expiresAt;
+  }
+  /**
+   * Check if the secret can be used (active and not expired)
+   */
+  isUsable() {
+    return this.isActive() && !this.isExpired();
+  }
+  /**
+   * Record an access to this secret
+   */
+  recordAccess() {
+    this.lastAccessedAt = /* @__PURE__ */ new Date();
+    this.accessCount += 1;
+  }
+  /**
+   * Disable the secret
+   */
+  disable() {
+    this.status = "disabled";
+  }
+  /**
+   * Enable the secret
+   */
+  enable() {
+    this.status = "active";
+  }
+};
+Secret = __decorateClass$1([
+  smrt({
+    tenantScoped: true,
+    // NO API or MCP exposure for security
+    api: { include: [] },
+    mcp: { include: [] },
+    // CLI runs in-process; secrets must never be reachable over HTTP, so
+    // skipApiCheck acknowledges the cli.include / api.include divergence.
+    cli: { include: ["list"], skipApiCheck: true }
+    // Only list names, not values
+  })
+], Secret);
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = decorator(result) || result;
+  return result;
+};
+let TenantKey = class extends SmrtObject {
+  /**
+   * Tenant ID this key belongs to
+   */
+  tenantId = "";
+  /**
+   * Wrapped key data (format: wrappedKey:iv:authTag)
+   */
+  wrappedKey = "";
+  /**
+   * ID of the AMK used to wrap this key
+   */
+  amkKeyId = "";
+  /**
+   * Current status of the key
+   */
+  status = "active";
+  /**
+   * Version number (increments on rotation)
+   */
+  version = 1;
+  /**
+   * Recommended rotation date
+   */
+  rotateAfter = null;
+  /**
+   * When the key was retired (if applicable)
+   */
+  retiredAt = null;
+  constructor(options = {}) {
+    super(options);
+    if (options.tenantId !== void 0) this.tenantId = options.tenantId;
+    if (options.wrappedKey !== void 0) this.wrappedKey = options.wrappedKey;
+    if (options.amkKeyId !== void 0) this.amkKeyId = options.amkKeyId;
+    if (options.status !== void 0) this.status = options.status;
+    if (options.version !== void 0) this.version = options.version;
+    if (options.rotateAfter !== void 0) {
+      this.rotateAfter = options.rotateAfter instanceof Date ? options.rotateAfter : options.rotateAfter ? new Date(options.rotateAfter) : null;
+    }
+    if (options.retiredAt !== void 0) {
+      this.retiredAt = options.retiredAt instanceof Date ? options.retiredAt : options.retiredAt ? new Date(options.retiredAt) : null;
+    }
+  }
+  /**
+   * Check if this key is currently active
+   */
+  isActive() {
+    return this.status === "active";
+  }
+  /**
+   * Check if this key needs rotation
+   */
+  needsRotation() {
+    if (!this.rotateAfter) return false;
+    return /* @__PURE__ */ new Date() >= this.rotateAfter;
+  }
+  /**
+   * Check if this key is retired
+   */
+  isRetired() {
+    return this.status === "retired";
+  }
+  /**
+   * Check if this key is compromised
+   */
+  isCompromised() {
+    return this.status === "compromised";
+  }
+  /**
+   * Check if this key can be used for decryption
+   * (active or retired keys can decrypt)
+   */
+  canDecrypt() {
+    return this.status === "active" || this.status === "retired";
+  }
+  /**
+   * Check if this key can be used for encryption
+   * (only active keys should encrypt)
+   */
+  canEncrypt() {
+    return this.status === "active";
+  }
+  /**
+   * Mark this key as retired
+   */
+  retire() {
+    this.status = "retired";
+    this.retiredAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Mark this key as compromised
+   */
+  markCompromised() {
+    this.status = "compromised";
+  }
+};
+TenantKey = __decorateClass([
+  smrt({
+    // NOT tenant-scoped - this model tracks keys FOR tenants
+    api: { include: [] },
+    // No API exposure
+    mcp: { include: [] },
+    // No MCP exposure
+    // CLI runs in-process for key-rotation tooling and audit; HTTP exposure is
+    // intentionally excluded, so skipApiCheck acknowledges the divergence.
+    cli: { include: ["list", "get"], skipApiCheck: true }
+  })
+], TenantKey);
+export {
+  Secret as S,
+  TenantKey as T,
+  SecretAuditLog as a,
+  createAuditEntry as c
+};
+//# sourceMappingURL=TenantKey-DzglnpAV.js.map

package/dist/chunks/TenantKey-DzglnpAV.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"TenantKey-DzglnpAV.js","sources":["../../src/__smrt-register__.ts","../../src/models/SecretAuditLog.ts","../../src/models/Secret.ts","../../src/models/TenantKey.ts"],"sourcesContent":["/**\n * Self-registers this package's build-time manifest before any @smrt() decorator\n * in the package fires. Fixes issue #1132: in consumer runtimes (tsx, SvelteKit\n * SSR, plain `vite dev`) the decorator's synchronous manifest lookup previously\n * missed because no step populated the global manifest cache — classes got\n * registered with zero fields and `save()` / `toJSON()` silently dropped every\n * declared property.\n *\n * Import this module as the first statement in `src/index.ts` so its top-level\n * side effect runs ahead of any class module's @smrt() decorator.\n *\n * Silent no-op in dev/test, where the vitest plugin already populates manifests\n * via a different path. Only needs to succeed in the published dist output.\n *\n * @see https://github.com/happyvertical/smrt/issues/1132\n */\nimport { ObjectRegistry } from '@happyvertical/smrt-core';\n\n// `new URL('./manifest.json', import.meta.url)` resolves at runtime to the\n// manifest sitting next to this module's compiled output. Vite warns at build\n// time that it cannot pre-resolve the URL; that is the intended behavior —\n// the URL must resolve to dist/manifest.json at runtime, not be inlined.\nObjectRegistry.registerPackageManifest(\n new URL('./manifest.json', import.meta.url),\n);\n","/**\n * SecretAuditLog model - Audit trail for secret operations\n * @packageDocumentation\n */\n\nimport type { SmrtCreateInput } from '@happyvertical/smrt-core';\nimport {\n crossPackageRef,\n foreignKey,\n SmrtObject,\n smrt,\n} from '@happyvertical/smrt-core';\n\n/**\n * Secret audit action types\n */\nexport type SecretAuditAction =\n | 'create'\n | 'read'\n | 'update'\n | 'delete'\n | 'rotate_key'\n | 'disable'\n | 'enable'\n | 'expire';\n\n/**\n * Audit result types\n */\nexport type SecretAuditResult = 'success' | 'failure' | 'denied';\n\n/**\n * SecretAuditLog records all operations on secrets for compliance\n * and security monitoring.\n *\n * Every secret operation (create, read, update, delete, key rotation)\n * is logged with the user, action, result, and relevant details.\n *\n * **Retention**: Audit logs should be retained according to your\n * compliance requirements (typically 1-7 years).\n *\n * @example\n * ```typescript\n * // Query recent audit logs\n * const logs = await auditLogs.list({\n * where: { tenantId: 'tenant-123' },\n * orderBy: 'created_at DESC',\n * limit: 100\n * });\n *\n * // Filter by action\n * const reads = await auditLogs.list({\n * where: {\n * tenantId: 'tenant-123',\n * action: 'read'\n * }\n * });\n *\n * // Filter by secret name\n * const apiKeyLogs = await auditLogs.list({\n * where: {\n * tenantId: 'tenant-123',\n * secretName: 'stripe-api-key'\n * }\n * });\n * ```\n */\n// Intentional exception to standards.md §7 (`@TenantScoped({ mode: 'optional' })`):\n// `SecretAuditLog` uses the inline `tenantScoped: true` form on `@smrt()` rather than\n// the dedicated `@TenantScoped` decorator. Audit-trail queries are read-mostly and run\n// in mixed contexts — under a tenant for tenant-scoped reports, and (prospectively)\n// under super-admin bypass for compliance review. Cross-tenant audit queries should\n// be wrapped in `withSuperAdminBypass()` from `@happyvertical/smrt-tenancy` at the\n// call site; this package has no such call sites today, so the pattern is\n// prescriptive guidance for compliance tooling rather than current practice. See\n// `packages/secrets/CLAUDE.md` \"Known exceptions to monorepo standards\" for context.\n@smrt({\n tenantScoped: true,\n api: { include: [] }, // No API exposure\n mcp: { include: [] }, // No MCP exposure\n // CLI runs in-process for compliance review; HTTP exposure is intentionally\n // excluded, so skipApiCheck acknowledges the cli.include / api.include divergence.\n cli: { include: ['list'], skipApiCheck: true },\n})\nexport class SecretAuditLog extends SmrtObject {\n /**\n * Tenant associated with the audited secret operation.\n */\n tenantId: string | null = null;\n\n /**\n * ID of the secret (may be null for deleted secrets)\n */\n @foreignKey('Secret')\n secretId: string | null = null;\n\n /**\n * Name of the secret at the time of the operation\n */\n secretName: string = '';\n\n /**\n * ID of the user who performed the action\n */\n @crossPackageRef('@happyvertical/smrt-users:User')\n userId: string = '';\n\n /**\n * The action that was performed\n */\n action: SecretAuditAction = 'read';\n\n /**\n * Result of the operation\n */\n result: SecretAuditResult = 'success';\n\n /**\n * IP address of the client (if available)\n */\n ipAddress: string = '';\n\n /**\n * User agent string (if available)\n */\n userAgent: string = '';\n\n /**\n * Additional context about the operation\n */\n details: Record<string, unknown> = {};\n\n constructor(options: any = {}) {\n super(options);\n if (options.tenantId !== undefined) {\n this.tenantId = options.tenantId;\n }\n if (options.secretId !== undefined) this.secretId = options.secretId;\n if (options.secretName !== undefined) this.secretName = options.secretName;\n if (options.userId !== undefined) this.userId = options.userId;\n if (options.action !== undefined) this.action = options.action;\n if (options.result !== undefined) this.result = options.result;\n if (options.ipAddress !== undefined) this.ipAddress = options.ipAddress;\n if (options.userAgent !== undefined) this.userAgent = options.userAgent;\n if (options.details !== undefined) this.details = options.details;\n }\n\n /**\n * Check if this was a successful operation\n */\n isSuccess(): boolean {\n return this.result === 'success';\n }\n\n /**\n * Check if this was a failed operation\n */\n isFailure(): boolean {\n return this.result === 'failure';\n }\n\n /**\n * Check if this was a denied operation (permission denied)\n */\n isDenied(): boolean {\n return this.result === 'denied';\n }\n\n /**\n * Check if this is a read operation\n */\n isReadAction(): boolean {\n return this.action === 'read';\n }\n\n /**\n * Check if this is a write operation (create, update, delete)\n */\n isWriteAction(): boolean {\n return ['create', 'update', 'delete'].includes(this.action);\n }\n\n /**\n * Check if this is a key operation\n */\n isKeyOperation(): boolean {\n return this.action === 'rotate_key';\n }\n}\n\n/**\n * Create an audit log entry for a secret operation\n */\nexport function createAuditEntry(params: {\n secretId?: string | null;\n secretName: string;\n tenantId?: string | null;\n userId: string;\n action: SecretAuditAction;\n result: SecretAuditResult;\n ipAddress?: string;\n userAgent?: string;\n details?: Record<string, unknown>;\n}): SmrtCreateInput<SecretAuditLog> {\n const tenantId =\n params.tenantId === undefined || params.tenantId === 'system'\n ? null\n : params.tenantId;\n\n const entry: SmrtCreateInput<SecretAuditLog> = {\n secretId: params.secretId ?? null,\n secretName: params.secretName,\n userId: params.userId,\n action: params.action,\n result: params.result,\n ipAddress: params.ipAddress ?? '',\n userAgent: params.userAgent ?? '',\n details: params.details ?? {},\n tenantId,\n };\n return entry;\n}\n","/**\n * Secret model - Tenant-scoped encrypted secrets storage\n * @packageDocumentation\n */\n\nimport { SmrtObject, smrt } from '@happyvertical/smrt-core';\n\n/**\n * Secret status values\n */\nexport type SecretStatus = 'active' | 'disabled' | 'expired';\n\n/**\n * Secret represents an encrypted value stored per-tenant.\n *\n * Secrets are tenant-scoped and use envelope encryption:\n * - Each tenant has their own Data Encryption Key (TDEK)\n * - The TDEK is wrapped by the Application Master Key (AMK)\n * - Secret values are encrypted by the unwrapped TDEK\n *\n * **Security**: This model deliberately excludes API and MCP exposure\n * to prevent accidental secret leakage. Secrets are only accessible\n * via CLI commands or direct service calls.\n *\n * @example\n * ```typescript\n * import { SecretService } from '@happyvertical/smrt-secrets';\n *\n * const service = await SecretService.create({ db });\n *\n * await withTenant({ tenantId: 'tenant-123' }, async () => {\n * // Store a secret\n * await service.store('api-key', 'sk_live_xxx', { category: 'stripe' });\n *\n * // Retrieve (auto-decrypts)\n * const apiKey = await service.retrieve('api-key');\n * });\n * ```\n */\n// Intentional exception to standards.md §7 (`@TenantScoped({ mode: 'optional' })`):\n// `Secret` uses the inline `tenantScoped: true` form on `@smrt()` rather than the\n// dedicated `@TenantScoped` decorator from `@happyvertical/smrt-tenancy`. The boolean\n// form gives us required-mode tenant scoping without depending on the tenancy package\n// at the model layer, while `SecretService` performs manual scoping by setting\n// `context = tenantId` on each row. The `(slug, context)` upsert key derived from the\n// base `SmrtObject` fields is what gives different tenants isolated namespaces for\n// secret names — switching to the decorator without changing the upsert key would\n// surface false-positive name collisions across tenants. See\n// `packages/secrets/CLAUDE.md` \"Known exceptions to monorepo standards\" for context.\n@smrt({\n tenantScoped: true,\n // NO API or MCP exposure for security\n api: { include: [] },\n mcp: { include: [] },\n // CLI runs in-process; secrets must never be reachable over HTTP, so\n // skipApiCheck acknowledges the cli.include / api.include divergence.\n cli: { include: ['list'], skipApiCheck: true }, // Only list names, not values\n})\nexport class Secret extends SmrtObject {\n /**\n * Tenant that owns this secret. Also stored in context for per-tenant name uniqueness.\n */\n tenantId: string = '';\n\n /**\n * Unique name for the secret within the tenant\n */\n name: string = '';\n\n /**\n * Human-readable description\n */\n description: string = '';\n\n /**\n * Category for organization (e.g., 'database', 'api-key', 'oauth')\n */\n category: string = '';\n\n /**\n * JSON-encoded EncryptedEnvelope from @happyvertical/secrets\n */\n encryptedValue: string = '';\n\n /**\n * Version of the tenant key used to encrypt this secret\n */\n keyVersion: number = 1;\n\n /**\n * Current status of the secret\n */\n status: SecretStatus = 'active';\n\n /**\n * Optional expiration date\n */\n expiresAt: Date | null = null;\n\n /**\n * Last time this secret was accessed (decrypted)\n */\n lastAccessedAt: Date | null = null;\n\n /**\n * Number of times this secret has been accessed\n */\n accessCount: number = 0;\n\n /**\n * Additional metadata stored with the secret\n */\n metadata: Record<string, unknown> = {};\n\n constructor(options: any = {}) {\n super(options);\n if (options.tenantId !== undefined) this.tenantId = options.tenantId;\n if (options.name !== undefined) this.name = options.name;\n if (options.description !== undefined)\n this.description = options.description;\n if (options.category !== undefined) this.category = options.category;\n if (options.encryptedValue !== undefined)\n this.encryptedValue = options.encryptedValue;\n if (options.keyVersion !== undefined) this.keyVersion = options.keyVersion;\n if (options.status !== undefined) this.status = options.status;\n if (options.expiresAt !== undefined) {\n this.expiresAt =\n options.expiresAt instanceof Date\n ? options.expiresAt\n : options.expiresAt\n ? new Date(options.expiresAt)\n : null;\n }\n if (options.lastAccessedAt !== undefined) {\n this.lastAccessedAt =\n options.lastAccessedAt instanceof Date\n ? options.lastAccessedAt\n : options.lastAccessedAt\n ? new Date(options.lastAccessedAt)\n : null;\n }\n if (options.accessCount !== undefined)\n this.accessCount = options.accessCount;\n if (options.metadata !== undefined) this.metadata = options.metadata;\n }\n\n /**\n * Check if the secret is currently active\n */\n isActive(): boolean {\n return this.status === 'active';\n }\n\n /**\n * Check if the secret has expired\n */\n isExpired(): boolean {\n if (!this.expiresAt) return false;\n return new Date() >= this.expiresAt;\n }\n\n /**\n * Check if the secret can be used (active and not expired)\n */\n isUsable(): boolean {\n return this.isActive() && !this.isExpired();\n }\n\n /**\n * Record an access to this secret\n */\n recordAccess(): void {\n this.lastAccessedAt = new Date();\n this.accessCount += 1;\n }\n\n /**\n * Disable the secret\n */\n disable(): void {\n this.status = 'disabled';\n }\n\n /**\n * Enable the secret\n */\n enable(): void {\n this.status = 'active';\n }\n}\n","/**\n * TenantKey model - Tracks per-tenant Data Encryption Keys (TDEKs)\n * @packageDocumentation\n */\n\nimport { SmrtObject, smrt } from '@happyvertical/smrt-core';\n\n/**\n * Key status values\n */\nexport type TenantKeyStatus = 'active' | 'rotating' | 'retired' | 'compromised';\n\n/**\n * TenantKey tracks the per-tenant Data Encryption Keys (TDEKs).\n *\n * Each tenant has one or more TDEKs stored in wrapped form. The wrapped key\n * can only be decrypted using the Application Master Key (AMK).\n *\n * **Key Lifecycle**:\n * 1. `active` - Current key used for encryption\n * 2. `rotating` - Transitional state during rotation\n * 3. `retired` - Old key kept for decryption of existing secrets\n * 4. `compromised` - Key marked as compromised, should not be used\n *\n * **Note**: This model is NOT tenant-scoped itself because it tracks\n * keys FOR tenants, not secrets owned BY tenants.\n *\n * @example\n * ```typescript\n * // Get active key for a tenant\n * const key = await tenantKeys.get({\n * tenantId: 'tenant-123',\n * status: 'active'\n * });\n *\n * // List all key versions for a tenant\n * const versions = await tenantKeys.list({\n * where: { tenantId: 'tenant-123' },\n * orderBy: 'version DESC'\n * });\n * ```\n */\n// Intentional exception to standards.md §7 (`@TenantScoped({ mode: 'optional' })`):\n// `TenantKey` is deliberately NOT tenant-scoped — neither via the decorator nor via\n// `tenantScoped: true` on `@smrt()`. The row carries a `tenantId` column because each\n// TDEK belongs to a tenant, but the model itself must remain queryable across tenants\n// (e.g. cross-tenant key-rotation tooling, AMK rewrap jobs, super-admin auditing).\n// Adding the tenancy interceptor here would silently filter out keys the rotation\n// service needs to inspect. See `packages/secrets/CLAUDE.md` \"Known exceptions to\n// monorepo standards\" for the full rationale.\n@smrt({\n // NOT tenant-scoped - this model tracks keys FOR tenants\n api: { include: [] }, // No API exposure\n mcp: { include: [] }, // No MCP exposure\n // CLI runs in-process for key-rotation tooling and audit; HTTP exposure is\n // intentionally excluded, so skipApiCheck acknowledges the divergence.\n cli: { include: ['list', 'get'], skipApiCheck: true },\n})\nexport class TenantKey extends SmrtObject {\n /**\n * Tenant ID this key belongs to\n */\n tenantId: string = '';\n\n /**\n * Wrapped key data (format: wrappedKey:iv:authTag)\n */\n wrappedKey: string = '';\n\n /**\n * ID of the AMK used to wrap this key\n */\n amkKeyId: string = '';\n\n /**\n * Current status of the key\n */\n status: TenantKeyStatus = 'active';\n\n /**\n * Version number (increments on rotation)\n */\n version: number = 1;\n\n /**\n * Recommended rotation date\n */\n rotateAfter: Date | null = null;\n\n /**\n * When the key was retired (if applicable)\n */\n retiredAt: Date | null = null;\n\n constructor(options: any = {}) {\n super(options);\n if (options.tenantId !== undefined) this.tenantId = options.tenantId;\n if (options.wrappedKey !== undefined) this.wrappedKey = options.wrappedKey;\n if (options.amkKeyId !== undefined) this.amkKeyId = options.amkKeyId;\n if (options.status !== undefined) this.status = options.status;\n if (options.version !== undefined) this.version = options.version;\n if (options.rotateAfter !== undefined) {\n this.rotateAfter =\n options.rotateAfter instanceof Date\n ? options.rotateAfter\n : options.rotateAfter\n ? new Date(options.rotateAfter)\n : null;\n }\n if (options.retiredAt !== undefined) {\n this.retiredAt =\n options.retiredAt instanceof Date\n ? options.retiredAt\n : options.retiredAt\n ? new Date(options.retiredAt)\n : null;\n }\n }\n\n /**\n * Check if this key is currently active\n */\n isActive(): boolean {\n return this.status === 'active';\n }\n\n /**\n * Check if this key needs rotation\n */\n needsRotation(): boolean {\n if (!this.rotateAfter) return false;\n return new Date() >= this.rotateAfter;\n }\n\n /**\n * Check if this key is retired\n */\n isRetired(): boolean {\n return this.status === 'retired';\n }\n\n /**\n * Check if this key is compromised\n */\n isCompromised(): boolean {\n return this.status === 'compromised';\n }\n\n /**\n * Check if this key can be used for decryption\n * (active or retired keys can decrypt)\n */\n canDecrypt(): boolean {\n return this.status === 'active' || this.status === 'retired';\n }\n\n /**\n * Check if this key can be used for encryption\n * (only active keys should encrypt)\n */\n canEncrypt(): boolean {\n return this.status === 'active';\n }\n\n /**\n * Mark this key as retired\n */\n retire(): void {\n this.status = 'retired';\n this.retiredAt = new Date();\n }\n\n /**\n * Mark this key as compromised\n */\n markCompromised(): void {\n this.status = 'compromised';\n }\n}\n"],"names":["__decorateClass"],"mappings":";AAsBA,eAAe;AAAA,EACb,IAAA,IAAA,mBAAA,YAAA,GAAA;AACF;;;;;;;;;;;AC4DO,IAAM,iBAAN,cAA6B,WAAW;AAAA;AAAA;AAAA;AAAA,EAI7C,WAA0B;AAAA,EAM1B,WAA0B;AAAA;AAAA;AAAA;AAAA,EAK1B,aAAqB;AAAA,EAMrB,SAAiB;AAAA;AAAA;AAAA;AAAA,EAKjB,SAA4B;AAAA;AAAA;AAAA;AAAA,EAK5B,SAA4B;AAAA;AAAA;AAAA;AAAA,EAK5B,YAAoB;AAAA;AAAA;AAAA;AAAA,EAKpB,YAAoB;AAAA;AAAA;AAAA;AAAA,EAKpB,UAAmC,CAAA;AAAA,EAEnC,YAAY,UAAe,IAAI;AAC7B,UAAM,OAAO;AACb,QAAI,QAAQ,aAAa,QAAW;AAClC,WAAK,WAAW,QAAQ;AAAA,IAC1B;AACA,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,eAAe,OAAW,MAAK,aAAa,QAAQ;AAChE,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,cAAc,OAAW,MAAK,YAAY,QAAQ;AAC9D,QAAI,QAAQ,cAAc,OAAW,MAAK,YAAY,QAAQ;AAC9D,QAAI,QAAQ,YAAY,OAAW,MAAK,UAAU,QAAQ;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,eAAwB;AACtB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAyB;AACvB,WAAO,CAAC,UAAU,UAAU,QAAQ,EAAE,SAAS,KAAK,MAAM;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA,EAKA,iBAA0B;AACxB,WAAO,KAAK,WAAW;AAAA,EACzB;AACF;AA9FEA,kBAAA;AAAA,EADC,WAAW,QAAQ;AAAA,GATT,eAUX,WAAA,YAAA,CAAA;AAWAA,kBAAA;AAAA,EADC,gBAAgB,gCAAgC;AAAA,GApBtC,eAqBX,WAAA,UAAA,CAAA;AArBW,iBAANA,kBAAA;AAAA,EARN,KAAK;AAAA,IACJ,cAAc;AAAA,IACd,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA,IACjB,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA;AAAA;AAAA,IAGjB,KAAK,EAAE,SAAS,CAAC,MAAM,GAAG,cAAc,KAAA;AAAA,EAAK,CAC9C;AAAA,GACY,cAAA;AA6GN,SAAS,iBAAiB,QAUG;AAClC,QAAM,WACJ,OAAO,aAAa,UAAa,OAAO,aAAa,WACjD,OACA,OAAO;AAEb,QAAM,QAAyC;AAAA,IAC7C,UAAU,OAAO,YAAY;AAAA,IAC7B,YAAY,OAAO;AAAA,IACnB,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,WAAW,OAAO,aAAa;AAAA,IAC/B,WAAW,OAAO,aAAa;AAAA,IAC/B,SAAS,OAAO,WAAW,CAAA;AAAA,IAC3B;AAAA,EAAA;AAEF,SAAO;AACT;;;;;;;;;ACnKO,IAAM,SAAN,cAAqB,WAAW;AAAA;AAAA;AAAA;AAAA,EAIrC,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,OAAe;AAAA;AAAA;AAAA;AAAA,EAKf,cAAsB;AAAA;AAAA;AAAA;AAAA,EAKtB,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,iBAAyB;AAAA;AAAA;AAAA;AAAA,EAKzB,aAAqB;AAAA;AAAA;AAAA;AAAA,EAKrB,SAAuB;AAAA;AAAA;AAAA;AAAA,EAKvB,YAAyB;AAAA;AAAA;AAAA;AAAA,EAKzB,iBAA8B;AAAA;AAAA;AAAA;AAAA,EAK9B,cAAsB;AAAA;AAAA;AAAA;AAAA,EAKtB,WAAoC,CAAA;AAAA,EAEpC,YAAY,UAAe,IAAI;AAC7B,UAAM,OAAO;AACb,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,SAAS,OAAW,MAAK,OAAO,QAAQ;AACpD,QAAI,QAAQ,gBAAgB;AAC1B,WAAK,cAAc,QAAQ;AAC7B,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,mBAAmB;AAC7B,WAAK,iBAAiB,QAAQ;AAChC,QAAI,QAAQ,eAAe,OAAW,MAAK,aAAa,QAAQ;AAChE,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,cAAc,QAAW;AACnC,WAAK,YACH,QAAQ,qBAAqB,OACzB,QAAQ,YACR,QAAQ,YACN,IAAI,KAAK,QAAQ,SAAS,IAC1B;AAAA,IACV;AACA,QAAI,QAAQ,mBAAmB,QAAW;AACxC,WAAK,iBACH,QAAQ,0BAA0B,OAC9B,QAAQ,iBACR,QAAQ,iBACN,IAAI,KAAK,QAAQ,cAAc,IAC/B;AAAA,IACV;AACA,QAAI,QAAQ,gBAAgB;AAC1B,WAAK,cAAc,QAAQ;AAC7B,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAAA,EAC9D;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,QAAI,CAAC,KAAK,UAAW,QAAO;AAC5B,WAAO,oBAAI,UAAU,KAAK;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,SAAA,KAAc,CAAC,KAAK,UAAA;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKA,eAAqB;AACnB,SAAK,qCAAqB,KAAA;AAC1B,SAAK,eAAe;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA,EAKA,UAAgB;AACd,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,SAAe;AACb,SAAK,SAAS;AAAA,EAChB;AACF;AAnIa,SAANA,kBAAA;AAAA,EATN,KAAK;AAAA,IACJ,cAAc;AAAA;AAAA,IAEd,KAAK,EAAE,SAAS,GAAC;AAAA,IACjB,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA;AAAA,IAGjB,KAAK,EAAE,SAAS,CAAC,MAAM,GAAG,cAAc,KAAA;AAAA;AAAA,EAAK,CAC9C;AAAA,GACY,MAAA;;;;;;;;;ACAN,IAAM,YAAN,cAAwB,WAAW;AAAA;AAAA;AAAA;AAAA,EAIxC,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,aAAqB;AAAA;AAAA;AAAA;AAAA,EAKrB,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,SAA0B;AAAA;AAAA;AAAA;AAAA,EAK1B,UAAkB;AAAA;AAAA;AAAA;AAAA,EAKlB,cAA2B;AAAA;AAAA;AAAA;AAAA,EAK3B,YAAyB;AAAA,EAEzB,YAAY,UAAe,IAAI;AAC7B,UAAM,OAAO;AACb,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,eAAe,OAAW,MAAK,aAAa,QAAQ;AAChE,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,YAAY,OAAW,MAAK,UAAU,QAAQ;AAC1D,QAAI,QAAQ,gBAAgB,QAAW;AACrC,WAAK,cACH,QAAQ,uBAAuB,OAC3B,QAAQ,cACR,QAAQ,cACN,IAAI,KAAK,QAAQ,WAAW,IAC5B;AAAA,IACV;AACA,QAAI,QAAQ,cAAc,QAAW;AACnC,WAAK,YACH,QAAQ,qBAAqB,OACzB,QAAQ,YACR,QAAQ,YACN,IAAI,KAAK,QAAQ,SAAS,IAC1B;AAAA,IACV;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAyB;AACvB,QAAI,CAAC,KAAK,YAAa,QAAO;AAC9B,WAAO,oBAAI,UAAU,KAAK;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAyB;AACvB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,aAAsB;AACpB,WAAO,KAAK,WAAW,YAAY,KAAK,WAAW;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,aAAsB;AACpB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,SAAe;AACb,SAAK,SAAS;AACd,SAAK,gCAAgB,KAAA;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAwB;AACtB,SAAK,SAAS;AAAA,EAChB;AACF;AAxHa,YAAN,gBAAA;AAAA,EARN,KAAK;AAAA;AAAA,IAEJ,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA,IACjB,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA;AAAA;AAAA,IAGjB,KAAK,EAAE,SAAS,CAAC,QAAQ,KAAK,GAAG,cAAc,KAAA;AAAA,EAAK,CACrD;AAAA,GACY,SAAA;"}