@happyvertical/smrt-users 0.30.0

package/dist/services/OidcLoginService.d.ts

@@ -0,0 +1,134 @@
+import { SmrtClassOptions } from '@happyvertical/smrt-core';
+import { OidcClaims, OidcIdentityResult } from '../collections/UserCollection.js';
+export type OidcProviderKind = 'kanidm' | 'dex' | 'generic';
+export type OidcTokenEndpointAuthMethod = 'client_secret_basic' | 'client_secret_post' | 'none';
+export interface OidcProviderConfig {
+    /**
+     * Optional preset label for documentation and UI.
+     *
+     * Kanidm and Dex are standards-compliant OIDC providers, so the preset does
+     * not change protocol behavior; it lets apps name their intent clearly.
+     */
+    kind?: OidcProviderKind;
+    /** OIDC issuer URL, e.g. https://id.example.com/dex */
+    issuer: string;
+    /** OAuth2/OIDC client ID registered with the provider */
+    clientId: string;
+    /** OAuth2/OIDC client secret for confidential clients */
+    clientSecret?: string;
+    /**
+     * Redirect URI registered with the provider.
+     *
+     * SvelteKit helpers can derive this from the current request when omitted.
+     */
+    redirectUri?: string;
+    /** Scopes to request. Defaults to openid profile email. */
+    scopes?: string[];
+    /** Override the discovery document URL when needed. */
+    discoveryUrl?: string;
+    /** Additional authorization request parameters. */
+    authorizationParams?: Record<string, string | number | boolean | undefined>;
+    /**
+     * Client authentication method for the token endpoint.
+     *
+     * Defaults to client_secret_basic when clientSecret exists, otherwise none.
+     */
+    tokenEndpointAuthMethod?: OidcTokenEndpointAuthMethod;
+}
+export interface OidcProviderResolutionOptions {
+    defaultProvider?: string;
+    providers?: Record<string, OidcProviderConfig>;
+}
+export interface UsersOidcConfig extends OidcProviderResolutionOptions {
+    /** Seconds before login transaction cookies expire. */
+    transactionTtl?: number;
+}
+export interface OidcProviderResolution {
+    provider: OidcProviderConfig;
+    providerName: string;
+}
+export interface ResolvedOidcProviderConfig extends OidcProviderConfig {
+    redirectUri: string;
+}
+export interface OidcProviderMetadata {
+    authorization_endpoint: string;
+    end_session_endpoint?: string;
+    issuer: string;
+    jwks_uri: string;
+    token_endpoint: string;
+    userinfo_endpoint?: string;
+    [key: string]: unknown;
+}
+export interface OidcTransaction {
+    codeVerifier: string;
+    createdAt: number;
+    nonce: string;
+    provider: string;
+    returnTo?: string;
+    state: string;
+}
+export interface CreateAuthorizationUrlOptions {
+    authorizationParams?: Record<string, string | number | boolean | undefined>;
+    transaction?: OidcTransaction;
+}
+export interface OidcTokenSet {
+    accessToken?: string;
+    expiresAt?: Date;
+    idToken: string;
+    refreshToken?: string;
+    scope?: string;
+    tokenType?: string;
+}
+export interface OidcCallbackResult {
+    claims: OidcClaims;
+    tokens: OidcTokenSet;
+}
+export interface OidcLoginResult extends OidcIdentityResult {
+    claims: OidcClaims;
+    tokens: OidcTokenSet;
+}
+export interface OidcLoginServiceOptions extends SmrtClassOptions {
+    /** Provider key, e.g. kanidm or dex */
+    providerName: string;
+    /** Fully resolved provider config. redirectUri is required here. */
+    provider: ResolvedOidcProviderConfig;
+    /** Optional fetch override for tests or custom runtimes. */
+    fetch?: typeof fetch;
+    /** JWT clock tolerance passed to jose. Defaults to 15 seconds. */
+    clockTolerance?: number | string;
+    /** Provider metadata cache TTL in milliseconds. Defaults to 5 minutes. */
+    metadataCacheTtlMs?: number;
+}
+export declare class OidcLoginError extends Error {
+    constructor(message: string);
+}
+export declare function getUsersOidcConfig(): UsersOidcConfig;
+export declare function encodeOidcTransaction(transaction: OidcTransaction): string;
+export declare function decodeOidcTransaction(value: string): OidcTransaction;
+export declare function resolveOidcProviderConfig(providerName?: string, options?: OidcProviderResolutionOptions): OidcProviderResolution;
+export declare class OidcLoginService {
+    private readonly classOptions;
+    private readonly clockTolerance;
+    private readonly fetchImpl;
+    private readonly metadataCacheTtlMs;
+    private metadataFetchedAt;
+    private metadataPromise?;
+    private remoteJwks?;
+    readonly provider: ResolvedOidcProviderConfig;
+    readonly providerName: string;
+    constructor(options: OidcLoginServiceOptions);
+    createTransaction(returnTo?: string): OidcTransaction;
+    getMetadata(): Promise<OidcProviderMetadata>;
+    private fetchMetadata;
+    createAuthorizationUrl(options?: CreateAuthorizationUrlOptions): Promise<{
+        transaction: OidcTransaction;
+        url: URL;
+    }>;
+    exchangeCallback(callbackUrl: string | URL, transaction: OidcTransaction): Promise<OidcCallbackResult>;
+    completeLogin(callbackUrl: string | URL, transaction: OidcTransaction): Promise<OidcLoginResult>;
+    private validateCallback;
+    private exchangeCode;
+    private enrichClaimsFromUserInfo;
+    private verifyIdToken;
+}
+//# sourceMappingURL=OidcLoginService.d.ts.map

package/dist/services/OidcLoginService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcLoginService.d.ts","sourceRoot":"","sources":["../../src/services/OidcLoginService.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAQjE,OAAO,EACL,KAAK,UAAU,EACf,KAAK,kBAAkB,EAExB,MAAM,kCAAkC,CAAC;AAO1C,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,KAAK,GAAG,SAAS,CAAC;AAE5D,MAAM,MAAM,2BAA2B,GACnC,qBAAqB,GACrB,oBAAoB,GACpB,MAAM,CAAC;AAEX,MAAM,WAAW,kBAAkB;IACjC;;;;;OAKG;IACH,IAAI,CAAC,EAAE,gBAAgB,CAAC;IACxB,uDAAuD;IACvD,MAAM,EAAE,MAAM,CAAC;IACf,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,uDAAuD;IACvD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mDAAmD;IACnD,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC,CAAC;IAC5E;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,2BAA2B,CAAC;CACvD;AAED,MAAM,WAAW,6BAA6B;IAC5C,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;CAChD;AAED,MAAM,WAAW,eAAgB,SAAQ,6BAA6B;IACpE,uDAAuD;IACvD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,kBAAkB,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,0BAA2B,SAAQ,kBAAkB;IACpE,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACnC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,6BAA6B;IAC5C,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC,CAAC;IAC5E,WAAW,CAAC,EAAE,eAAe,CAAC;CAC/B;AAED,MAAM,WAAW,YAAY;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,UAAU,CAAC;IACnB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,WAAW,eAAgB,SAAQ,kBAAkB;IACzD,MAAM,EAAE,UAAU,CAAC;IACnB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,WAAW,uBAAwB,SAAQ,gBAAgB;IAC/D,uCAAuC;IACvC,YAAY,EAAE,MAAM,CAAC;IACrB,oEAAoE;IACpE,QAAQ,EAAE,0BAA0B,CAAC;IACrC,4DAA4D;IAC5D,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,kEAAkE;IAClE,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,0EAA0E;IAC1E,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,qBAAa,cAAe,SAAQ,KAAK;gBAC3B,OAAO,EAAE,MAAM;CAI5B;AAqBD,wBAAgB,kBAAkB,IAAI,eAAe,CAGpD;AA6ND,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,eAAe,GAAG,MAAM,CAG1E;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,eAAe,CAQpE;AAED,wBAAgB,yBAAyB,CACvC,YAAY,CAAC,EAAE,MAAM,EACrB,OAAO,GAAE,6BAAkC,GAC1C,sBAAsB,CAgCxB;AAED,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAmB;IAChD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAkB;IACjD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAe;IACzC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAS;IAC5C,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAAC,CAAgC;IACxD,OAAO,CAAC,UAAU,CAAC,CAAkB;IACrC,QAAQ,CAAC,QAAQ,EAAE,0BAA0B,CAAC;IAC9C,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;gBAElB,OAAO,EAAE,uBAAuB;IA4B5C,iBAAiB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,eAAe;IAW/C,WAAW,IAAI,OAAO,CAAC,oBAAoB,CAAC;YAqBpC,aAAa;IAuCrB,sBAAsB,CAC1B,OAAO,GAAE,6BAAkC,GAC1C,OAAO,CAAC;QAAE,WAAW,EAAE,eAAe,CAAC;QAAC,GAAG,EAAE,GAAG,CAAA;KAAE,CAAC;IA2BhD,gBAAgB,CACpB,WAAW,EAAE,MAAM,GAAG,GAAG,EACzB,WAAW,EAAE,eAAe,GAC3B,OAAO,CAAC,kBAAkB,CAAC;IAYxB,aAAa,CACjB,WAAW,EAAE,MAAM,GAAG,GAAG,EACzB,WAAW,EAAE,eAAe,GAC3B,OAAO,CAAC,eAAe,CAAC;IAe3B,OAAO,CAAC,gBAAgB;YAwCV,YAAY;YA8DZ,wBAAwB;YAsCxB,aAAa;CAuB5B"}

package/dist/services/PermissionCatalogService.d.ts

@@ -0,0 +1,62 @@
+import { SmrtClassOptions } from '@happyvertical/smrt-core';
+export type PermissionCatalogSource = 'manifest' | 'config' | 'runtime';
+export type PostgresPermissionAction = 'SELECT' | 'INSERT' | 'UPDATE' | 'DELETE';
+export interface PostgresPermissionBinding {
+    action: Lowercase<PostgresPermissionAction> | PostgresPermissionAction;
+    permission?: string;
+    schemaName?: string;
+    tableName: string;
+    tenantField?: string;
+}
+export interface PermissionDefinition {
+    category?: string;
+    className?: string;
+    collection?: string;
+    description?: string;
+    name?: string;
+    postgres?: {
+        bindings?: PostgresPermissionBinding[];
+    };
+    qualifiedName?: string;
+    slug: string;
+    source?: PermissionCatalogSource;
+}
+export interface PermissionCatalog {
+    customPermissions: PermissionDefinition[];
+    manifestPermissions: PermissionDefinition[];
+    permissions: PermissionDefinition[];
+    runtimePermissions: PermissionDefinition[];
+}
+export interface PermissionCatalogSyncResult {
+    catalog: PermissionCatalog;
+    created: string[];
+    unchanged: string[];
+    updated: string[];
+}
+export interface UsersConfig extends Record<string, unknown> {
+    permissions?: {
+        custom?: PermissionDefinition[];
+        postgres?: {
+            bindings?: PostgresPermissionBinding[];
+            enabled?: boolean;
+        };
+    };
+}
+declare global {
+    var __smrtUsersPermissionRegistrations: Map<number, PermissionDefinition[]> | undefined;
+    var __smrtUsersPermissionRegistrationCounter: number | undefined;
+}
+export declare function registerPermissionDefinitions(definitions: PermissionDefinition[]): () => void;
+export declare class PermissionCatalogService {
+    private readonly options;
+    constructor(options?: SmrtClassOptions);
+    getUsersConfig(): UsersConfig;
+    getRuntimePermissionDefinitions(): PermissionDefinition[];
+    getCustomPermissionDefinitions(): PermissionDefinition[];
+    getCatalog(): PermissionCatalog;
+    syncPermissionCatalog(): Promise<PermissionCatalogSyncResult>;
+    private getManifestPermissionDefinitions;
+    static create(options?: SmrtClassOptions): PermissionCatalogService;
+}
+export declare function syncPermissionCatalog(options?: SmrtClassOptions): Promise<PermissionCatalogSyncResult>;
+//# sourceMappingURL=PermissionCatalogService.d.ts.map

package/dist/services/PermissionCatalogService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PermissionCatalogService.d.ts","sourceRoot":"","sources":["../../src/services/PermissionCatalogService.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAIL,KAAK,gBAAgB,EACtB,MAAM,0BAA0B,CAAC;AAOlC,MAAM,MAAM,uBAAuB,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,CAAC;AAExE,MAAM,MAAM,wBAAwB,GAChC,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,QAAQ,CAAC;AAEb,MAAM,WAAW,yBAAyB;IACxC,MAAM,EAAE,SAAS,CAAC,wBAAwB,CAAC,GAAG,wBAAwB,CAAC;IACvE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE;QACT,QAAQ,CAAC,EAAE,yBAAyB,EAAE,CAAC;KACxC,CAAC;IACF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,uBAAuB,CAAC;CAClC;AAED,MAAM,WAAW,iBAAiB;IAChC,iBAAiB,EAAE,oBAAoB,EAAE,CAAC;IAC1C,mBAAmB,EAAE,oBAAoB,EAAE,CAAC;IAC5C,WAAW,EAAE,oBAAoB,EAAE,CAAC;IACpC,kBAAkB,EAAE,oBAAoB,EAAE,CAAC;CAC5C;AAED,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,iBAAiB,CAAC;IAC3B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,WAAY,SAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAC1D,WAAW,CAAC,EAAE;QACZ,MAAM,CAAC,EAAE,oBAAoB,EAAE,CAAC;QAChC,QAAQ,CAAC,EAAE;YACT,QAAQ,CAAC,EAAE,yBAAyB,EAAE,CAAC;YACvC,OAAO,CAAC,EAAE,OAAO,CAAC;SACnB,CAAC;KACH,CAAC;CACH;AAED,OAAO,CAAC,MAAM,CAAC;IAEb,IAAI,kCAAkC,EAClC,GAAG,CAAC,MAAM,EAAE,oBAAoB,EAAE,CAAC,GACnC,SAAS,CAAC;IAEd,IAAI,wCAAwC,EAAE,MAAM,GAAG,SAAS,CAAC;CAClE;AA4TD,wBAAgB,6BAA6B,CAC3C,WAAW,EAAE,oBAAoB,EAAE,GAClC,MAAM,IAAI,CASZ;AAED,qBAAa,wBAAwB;IACvB,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,GAAE,gBAAqB;IAE3D,cAAc,IAAI,WAAW;IAI7B,+BAA+B,IAAI,oBAAoB,EAAE;IAIzD,8BAA8B,IAAI,oBAAoB,EAAE;IAIxD,UAAU,IAAI,iBAAiB;IA0BzB,qBAAqB,IAAI,OAAO,CAAC,2BAA2B,CAAC;IAoDnE,OAAO,CAAC,gCAAgC;IA8GxC,MAAM,CAAC,MAAM,CAAC,OAAO,GAAE,gBAAqB,GAAG,wBAAwB;CAGxE;AAED,wBAAsB,qBAAqB,CACzC,OAAO,GAAE,gBAAqB,GAC7B,OAAO,CAAC,2BAA2B,CAAC,CAEtC"}

package/dist/services/PermissionResolver.d.ts

@@ -0,0 +1,150 @@
+import { SmrtClassOptions } from '@happyvertical/smrt-core';
+import { Membership } from '../models/Membership.js';
+import { Tenant } from '../models/Tenant.js';
+/**
+ * Permission resolution result
+ */
+export interface PermissionResolutionResult {
+    /** Set of granted permission slugs */
+    permissions: Set<string>;
+    /** Membership ID used for resolution */
+    membershipId: string | null;
+    /** Role ID from membership */
+    roleId: string | null;
+    /** Group IDs that contributed permissions */
+    groupIds: string[];
+    /** Permission IDs explicitly denied */
+    deniedPermissionIds: string[];
+}
+export interface PermissionResolutionOptions {
+    /**
+     * Active membership already resolved by the caller for this user/tenant.
+     * Passing this lets request-scoped session loaders avoid re-querying the
+     * same membership row before resolving permissions.
+     */
+    membership?: Membership | null;
+}
+/**
+ * Tenant permission inheritance chain result
+ */
+export interface TenantPermissionInheritanceResult {
+    /** Effective tenant permissions (slugs) after inheritance resolution */
+    permissions: Set<string>;
+    /** Tenant IDs that contributed to the inheritance chain */
+    contributingTenantIds: string[];
+    /** Whether inheritance was active (at least one tenant in chain had inheritPermissions: true) */
+    inheritanceActive: boolean;
+}
+/**
+ * PermissionResolver resolves the effective permissions for a user in a tenant.
+ *
+ * Resolution algorithm:
+ * 1. Resolve tenant hierarchy permissions (if hierarchical tenants are used)
+ * 2. Get user's membership in the tenant
+ * 3. Get base permissions from membership's role
+ * 4. Get user's groups in the tenant
+ * 5. Add permissions from group roles
+ * 6. Apply membership overrides (grant/deny)
+ *
+ * DENY overrides take precedence over GRANT overrides at every level.
+ *
+ * ## Hierarchical Tenant Permissions
+ *
+ * When tenants are organized hierarchically, permissions can cascade from
+ * parent tenants to child tenants. The cascade is controlled by:
+ * - Parent's `cascadePermissions`: If true, parent pushes permissions down
+ * - Child's `inheritPermissions`: If true, child accepts parent's permissions
+ *
+ * Child tenants can override inherited permissions using TenantPermissionOverride:
+ * - INHERIT: Use parent's value (default)
+ * - GRANT: Explicitly grant at this level
+ * - DENY: Explicitly block (even if parent grants)
+ *
+ * @example
+ * ```typescript
+ * const resolver = new PermissionResolver(options);
+ * await resolver.initialize();
+ *
+ * // Check single permission
+ * const canCreate = await resolver.hasPermission(userId, tenantId, 'articles.create');
+ *
+ * // Get all permissions
+ * const result = await resolver.resolvePermissions(userId, tenantId);
+ * console.log(result.permissions); // Set<string>
+ *
+ * // Resolve tenant-level permissions only (without user context)
+ * const tenantPerms = await resolver.resolveTenantPermissions(tenantId);
+ * ```
+ */
+export declare class PermissionResolver {
+    private options;
+    private membershipCollection;
+    private rolePermissionCollection;
+    private membershipOverrideCollection;
+    private groupMemberCollection;
+    private groupRoleCollection;
+    private permissionCollection;
+    private tenantCollection;
+    private tenantPermissionOverrideCollection;
+    constructor(options: SmrtClassOptions);
+    /**
+     * Initialize collections
+     *
+     * Note: The `as any` casts are required because `SmrtCollection.create()` is
+     * declared with a protected constructor and a static factory. TypeScript
+     * cannot infer that the static `create()` returns the concrete subclass type
+     * when invoked through a subclass reference, so the cast is needed to call
+     * `create(options)` on each collection. This is a known SMRT framework
+     * limitation around the protected-constructor + static-factory pattern.
+     */
+    initialize(): Promise<void>;
+    /**
+     * Resolve effective permissions for a tenant, considering hierarchy inheritance.
+     *
+     * Algorithm:
+     * 1. Get the tenant and its ancestors (from root to immediate parent)
+     * 2. Batch fetch all permission overrides for the entire chain (single query)
+     * 3. Walk down the chain, building up permissions:
+     *    - Start with root tenant's permissions
+     *    - For each child: if parent.cascadePermissions && child.inheritPermissions:
+     *      - Merge parent's permissions
+     *      - Apply child's overrides (GRANT adds, DENY removes)
+     * 4. Return the final effective permission set
+     */
+    resolveTenantPermissions(tenantId: string): Promise<TenantPermissionInheritanceResult>;
+    /**
+     * Get the inheritance chain for a tenant (for debugging/display purposes)
+     */
+    getTenantInheritanceChain(tenantId: string): Promise<Array<{
+        tenant: Tenant;
+        inherits: boolean;
+        cascades: boolean;
+    }>>;
+    /**
+     * Resolve all effective permissions for a user in a tenant
+     *
+     * Algorithm:
+     * 1. Get membership and collect all permission IDs from all sources
+     * 2. Batch fetch all permissions in a single query
+     * 3. Apply permissions from role, groups, and overrides
+     * 4. DENY overrides take precedence over GRANT
+     */
+    resolvePermissions(userId: string, tenantId: string, options?: PermissionResolutionOptions): Promise<PermissionResolutionResult>;
+    /**
+     * Check if a user has a specific permission in a tenant
+     */
+    hasPermission(userId: string, tenantId: string, permissionSlug: string, options?: PermissionResolutionOptions): Promise<boolean>;
+    /**
+     * Check if a user has all of the specified permissions
+     */
+    hasAllPermissions(userId: string, tenantId: string, permissionSlugs: string[], options?: PermissionResolutionOptions): Promise<boolean>;
+    /**
+     * Check if a user has any of the specified permissions
+     */
+    hasAnyPermission(userId: string, tenantId: string, permissionSlugs: string[], options?: PermissionResolutionOptions): Promise<boolean>;
+    /**
+     * Static factory method
+     */
+    static create(options: SmrtClassOptions): Promise<PermissionResolver>;
+}
+//# sourceMappingURL=PermissionResolver.d.ts.map

package/dist/services/PermissionResolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PermissionResolver.d.ts","sourceRoot":"","sources":["../../src/services/PermissionResolver.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AASjE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAElD;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,sCAAsC;IACtC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACzB,wCAAwC;IACxC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,uCAAuC;IACvC,mBAAmB,EAAE,MAAM,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,2BAA2B;IAC1C;;;;OAIG;IACH,UAAU,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,iCAAiC;IAChD,wEAAwE;IACxE,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACzB,2DAA2D;IAC3D,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,iGAAiG;IACjG,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,OAAO,CAAmB;IAClC,OAAO,CAAC,oBAAoB,CAAwB;IACpD,OAAO,CAAC,wBAAwB,CAA4B;IAC5D,OAAO,CAAC,4BAA4B,CAAgC;IACpE,OAAO,CAAC,qBAAqB,CAAyB;IACtD,OAAO,CAAC,mBAAmB,CAAuB;IAClD,OAAO,CAAC,oBAAoB,CAAwB;IACpD,OAAO,CAAC,gBAAgB,CAAoB;IAC5C,OAAO,CAAC,kCAAkC,CAAsC;gBAEpE,OAAO,EAAE,gBAAgB;IAIrC;;;;;;;;;OASG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IA+BjC;;;;;;;;;;;;OAYG;IACG,wBAAwB,CAC5B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,iCAAiC,CAAC;IA6G7C;;OAEG;IACG,yBAAyB,CAC7B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAmC3E;;;;;;;;OAQG;IACG,kBAAkB,CACtB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,0BAA0B,CAAC;IA6ItC;;OAEG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,EACtB,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,OAAO,CAAC;IAKnB;;OAEG;IACG,iBAAiB,CACrB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,MAAM,EAAE,EACzB,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,OAAO,CAAC;IAKnB;;OAEG;IACG,gBAAgB,CACpB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,MAAM,EAAE,EACzB,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,OAAO,CAAC;IAKnB;;OAEG;WACU,MAAM,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,kBAAkB,CAAC;CAK5E"}

package/dist/services/PostgresPermissionPolicies.d.ts

@@ -0,0 +1,29 @@
+import { SmrtClassOptions } from '@happyvertical/smrt-core';
+import { PostgresPermissionAction, PostgresPermissionBinding } from './PermissionCatalogService.js';
+export interface PostgresPermissionPolicyReportItem {
+    className?: string;
+    collection?: string;
+    qualifiedName?: string;
+    reason: string;
+    schemaName?: string;
+    tableName?: string;
+}
+export interface PostgresPermissionPolicyTarget {
+    actions: Partial<Record<PostgresPermissionAction, string[]>>;
+    className?: string;
+    collection?: string;
+    qualifiedName?: string;
+    schemaName: string;
+    tableName: string;
+    tenantField: string;
+}
+export interface GeneratePostgresPermissionSqlResult {
+    bindings: PostgresPermissionBinding[];
+    skipped: PostgresPermissionPolicyReportItem[];
+    sql: string;
+    statements: string[];
+    targets: PostgresPermissionPolicyTarget[];
+}
+export declare function generatePostgresPermissionSql(options?: SmrtClassOptions): GeneratePostgresPermissionSqlResult;
+export declare function applyPostgresPermissionPolicies(options?: SmrtClassOptions): Promise<GeneratePostgresPermissionSqlResult>;
+//# sourceMappingURL=PostgresPermissionPolicies.d.ts.map

package/dist/services/PostgresPermissionPolicies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PostgresPermissionPolicies.d.ts","sourceRoot":"","sources":["../../src/services/PostgresPermissionPolicies.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAGL,KAAK,gBAAgB,EACtB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAEL,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAC/B,MAAM,+BAA+B,CAAC;AAmBvC,MAAM,WAAW,kCAAkC;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,8BAA8B;IAC7C,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,wBAAwB,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;IAC7D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,mCAAmC;IAClD,QAAQ,EAAE,yBAAyB,EAAE,CAAC;IACtC,OAAO,EAAE,kCAAkC,EAAE,CAAC;IAC9C,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,OAAO,EAAE,8BAA8B,EAAE,CAAC;CAC3C;AAuQD,wBAAgB,6BAA6B,CAC3C,OAAO,GAAE,gBAAqB,GAC7B,mCAAmC,CAgOrC;AAED,wBAAsB,+BAA+B,CACnD,OAAO,GAAE,gBAAqB,GAC7B,OAAO,CAAC,mCAAmC,CAAC,CA0B9C"}

package/dist/services/SessionPermissionContext.d.ts

@@ -0,0 +1,43 @@
+import { SmrtClassOptions } from '@happyvertical/smrt-core';
+import { DatabaseInterface } from '@happyvertical/sql';
+import { SessionContext, SessionService } from './SessionService.js';
+interface QueryableDatabase extends DatabaseInterface {
+    beginTransaction?: () => Promise<TransactionDatabase>;
+    url: string;
+}
+interface TransactionDatabase extends QueryableDatabase {
+    commit: () => Promise<void>;
+    isActive: () => boolean;
+    rollback: () => Promise<void>;
+}
+export interface SessionPermissionRuntimeContext {
+    database?: QueryableDatabase;
+    permissions: string[];
+    permissionSet: Set<string>;
+    membership: SessionContext['membership'];
+    postgresRls: boolean;
+    session: SessionContext | null;
+    sessionId: string | null;
+    superAdminBypass: boolean;
+    systemContext: boolean;
+    tenantId: string | null;
+    user: SessionContext['user'] | null;
+    userId: string | null;
+}
+export interface SessionPermissionRuntimeOptions extends SmrtClassOptions {
+    enterTenantContext?: boolean;
+    postgresRls?: boolean;
+    sessionId?: string | null;
+    sessionService?: SessionService;
+    superAdminBypass?: boolean;
+    systemContext?: boolean;
+}
+declare global {
+    var __smrtGetRequestPermissionContext: (() => SessionPermissionRuntimeContext | undefined) | undefined;
+    var __smrtGetRequestScopedDatabase: (() => QueryableDatabase | undefined) | undefined;
+}
+export declare function getCurrentSessionPermissionContext(): SessionPermissionRuntimeContext | undefined;
+export declare function getRequestScopedDatabase(): QueryableDatabase | undefined;
+export declare function withSessionPermissionContext<T>(options: SessionPermissionRuntimeOptions, fn: (context: SessionPermissionRuntimeContext) => Promise<T>): Promise<T>;
+export {};
+//# sourceMappingURL=SessionPermissionContext.d.ts.map

package/dist/services/SessionPermissionContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SessionPermissionContext.d.ts","sourceRoot":"","sources":["../../src/services/SessionPermissionContext.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AACjE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EACL,KAAK,cAAc,EACnB,cAAc,EAEf,MAAM,qBAAqB,CAAC;AAE7B,UAAU,iBAAkB,SAAQ,iBAAiB;IACnD,gBAAgB,CAAC,EAAE,MAAM,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACtD,GAAG,EAAE,MAAM,CAAC;CACb;AAED,UAAU,mBAAoB,SAAQ,iBAAiB;IACrD,MAAM,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5B,QAAQ,EAAE,MAAM,OAAO,CAAC;IACxB,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/B;AAED,MAAM,WAAW,+BAA+B;IAC9C,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC3B,UAAU,EAAE,cAAc,CAAC,YAAY,CAAC,CAAC;IACzC,WAAW,EAAE,OAAO,CAAC;IACrB,OAAO,EAAE,cAAc,GAAG,IAAI,CAAC;IAC/B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,aAAa,EAAE,OAAO,CAAC;IACvB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,IAAI,EAAE,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;IACpC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,+BAAgC,SAAQ,gBAAgB;IACvE,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,OAAO,CAAC,MAAM,CAAC;IAEb,IAAI,iCAAiC,EACjC,CAAC,MAAM,+BAA+B,GAAG,SAAS,CAAC,GACnD,SAAS,CAAC;IAEd,IAAI,8BAA8B,EAC9B,CAAC,MAAM,iBAAiB,GAAG,SAAS,CAAC,GACrC,SAAS,CAAC;CACf;AAKD,wBAAgB,kCAAkC,IAC9C,+BAA+B,GAC/B,SAAS,CAEZ;AAED,wBAAgB,wBAAwB,IAAI,iBAAiB,GAAG,SAAS,CAExE;AA2GD,wBAAsB,4BAA4B,CAAC,CAAC,EAClD,OAAO,EAAE,+BAA+B,EACxC,EAAE,EAAE,CAAC,OAAO,EAAE,+BAA+B,KAAK,OAAO,CAAC,CAAC,CAAC,GAC3D,OAAO,CAAC,CAAC,CAAC,CAoFZ"}

package/dist/services/SessionService.d.ts

@@ -0,0 +1,139 @@
+import { SmrtClassOptions } from '@happyvertical/smrt-core';
+import { CreateSessionOptions } from '../collections/SessionCollection.js';
+import { Membership } from '../models/Membership.js';
+import { User } from '../models/User.js';
+/**
+ * Session context with user and permissions
+ */
+export interface SessionContext {
+    /** The User record */
+    user: User;
+    /** Active membership for the current tenant, if one was resolved */
+    membership?: Membership | null;
+    /** Resolved permission slugs */
+    permissions: string[];
+    /** Tenant ID from session (if any) */
+    tenantId: string | null;
+    /** Session ID */
+    sessionId: string;
+}
+/**
+ * Options for SessionService
+ */
+export interface SessionServiceOptions extends SmrtClassOptions {
+    /** Default session TTL in seconds (default: 7 days) */
+    defaultTTL?: number;
+    /** Cookie name (default: 'sid') */
+    cookieName?: string;
+    /** Whether to auto-extend sessions on access (default: false) */
+    autoExtend?: boolean;
+}
+/**
+ * SessionService provides high-level session management that combines
+ * session storage with user and permission loading.
+ *
+ * This is the main service to use for session-based authentication.
+ *
+ * @example
+ * ```typescript
+ * const sessionService = await SessionService.create({
+ *   db: { type: 'sqlite', url: 'app.db' },
+ *   defaultTTL: 7 * 24 * 60 * 60, // 7 days
+ * });
+ *
+ * // Create session after login
+ * const sessionId = await sessionService.createSession(userId, tenantId);
+ *
+ * // Load session context on each request
+ * const context = await sessionService.loadSessionContext(sessionId);
+ * if (context) {
+ *   console.log('User:', context.user.email);
+ *   console.log('Permissions:', context.permissions);
+ * }
+ *
+ * // Destroy session on logout
+ * await sessionService.destroySession(sessionId);
+ * ```
+ */
+export declare class SessionService {
+    private options;
+    private sessionCollection;
+    private userCollection;
+    private membershipCollection;
+    private permissionResolver;
+    private defaultTTL;
+    private autoExtend;
+    constructor(options: SessionServiceOptions);
+    /**
+     * Initialize collections
+     */
+    initialize(): Promise<void>;
+    /**
+     * Create a new session for a user
+     *
+     * @param userId - The user ID
+     * @param tenantId - Optional tenant context
+     * @param options - Additional session options
+     * @returns The session ID
+     */
+    createSession(userId: string, tenantId?: string, options?: Partial<CreateSessionOptions>): Promise<string>;
+    /**
+     * Load full session context (user + permissions)
+     *
+     * Returns null if session is invalid or user doesn't exist
+     */
+    loadSessionContext(sessionId: string): Promise<SessionContext | null>;
+    /**
+     * Get the initialized database connection backing this session service.
+     */
+    getDatabase(): import('@happyvertical/sql').DatabaseInterface;
+    /**
+     * Refresh session (extend expiry, update lastAccessed)
+     */
+    refreshSession(sessionId: string): Promise<boolean>;
+    /**
+     * Destroy a session (revoke it)
+     */
+    destroySession(sessionId: string): Promise<boolean>;
+    /**
+     * Destroy all sessions for a user (logout from all devices)
+     */
+    destroyAllUserSessions(userId: string): Promise<number>;
+    /**
+     * Switch tenant context for a session.
+     *
+     * A session's `tenantId` is the tenant-isolation key for every `@TenantScoped`
+     * query, so it must never be set to a tenant the session's user is not an
+     * active member of — otherwise a caller could read/write another tenant's data
+     * by feeding an arbitrary id here (e.g. straight from untrusted form data).
+     * Fail-closed (#1400): returns `false` without switching when the session is
+     * unknown or the user has no active membership in the target tenant. Passing
+     * `null` clears the tenant context and is always allowed.
+     */
+    switchTenant(sessionId: string, tenantId: string | null): Promise<boolean>;
+    /**
+     * Get all active sessions for a user (for "manage sessions" UI)
+     */
+    getUserSessions(userId: string): Promise<import('../index.js').Session[]>;
+    /**
+     * Clean up expired sessions (run periodically)
+     */
+    cleanupExpiredSessions(): Promise<number>;
+    /**
+     * Check if a permission is granted for the session
+     */
+    hasPermission(sessionId: string, permission: string): Promise<boolean>;
+    /**
+     * Get session data
+     */
+    getSessionData<T>(sessionId: string, key: string): Promise<T | undefined>;
+    /**
+     * Set session data
+     */
+    setSessionData(sessionId: string, key: string, value: unknown): Promise<boolean>;
+    /**
+     * Static factory method
+     */
+    static create(options: SessionServiceOptions): Promise<SessionService>;
+}
+//# sourceMappingURL=SessionService.d.ts.map

package/dist/services/SessionService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SessionService.d.ts","sourceRoot":"","sources":["../../src/services/SessionService.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAEjE,OAAO,EACL,KAAK,oBAAoB,EAE1B,MAAM,qCAAqC,CAAC;AAE7C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAE1D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAG9C;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,sBAAsB;IACtB,IAAI,EAAE,IAAI,CAAC;IACX,oEAAoE;IACpE,UAAU,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC;IAC/B,gCAAgC;IAChC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,iBAAiB;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;IAC7D,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iEAAiE;IACjE,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,OAAO,CAAwB;IACvC,OAAO,CAAC,iBAAiB,CAAqB;IAC9C,OAAO,CAAC,cAAc,CAAkB;IACxC,OAAO,CAAC,oBAAoB,CAAwB;IACpD,OAAO,CAAC,kBAAkB,CAAsB;IAChD,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,UAAU,CAAU;gBAEhB,OAAO,EAAE,qBAAqB;IAM1C;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAWjC;;;;;;;OAOG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC,GACtC,OAAO,CAAC,MAAM,CAAC;IAalB;;;;OAIG;IACG,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IA6C3E;;OAEG;IACH,WAAW;IAIX;;OAEG;IACG,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIzD;;OAEG;IACG,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIzD;;OAEG;IACG,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAI7D;;;;;;;;;;OAUG;IACG,YAAY,CAChB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,GAAG,IAAI,GACtB,OAAO,CAAC,OAAO,CAAC;IAiBnB;;OAEG;IACG,eAAe,CAAC,MAAM,EAAE,MAAM;IAIpC;;OAEG;IACG,sBAAsB,IAAI,OAAO,CAAC,MAAM,CAAC;IAI/C;;OAEG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAM5E;;OAEG;IACG,cAAc,CAAC,CAAC,EACpB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,CAAC,GAAG,SAAS,CAAC;IAIzB;;OAEG;IACG,cAAc,CAClB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,OAAO,CAAC;IAInB;;OAEG;WACU,MAAM,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,cAAc,CAAC;CAK7E"}