@innvoid/getmarket-sdk 0.2.7 → 0.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/dist/chunk-HNOUEVHW.js +410 -0
  2. package/dist/chunk-HNOUEVHW.js.map +1 -0
  3. package/dist/express.d.cts +1 -1
  4. package/dist/express.d.ts +1 -1
  5. package/dist/index.cjs +282 -342
  6. package/dist/index.cjs.map +1 -1
  7. package/dist/index.d.cts +11 -24
  8. package/dist/index.d.ts +11 -24
  9. package/dist/index.js +196 -15
  10. package/dist/index.js.map +1 -1
  11. package/dist/middlewares/index.cjs +88 -204
  12. package/dist/middlewares/index.cjs.map +1 -1
  13. package/dist/middlewares/index.d.cts +34 -40
  14. package/dist/middlewares/index.d.ts +34 -40
  15. package/dist/middlewares/index.js +1 -1
  16. package/dist/{types-CRECQuHp.d.cts → types-Cc_McZgD.d.cts} +12 -10
  17. package/dist/{types-CRECQuHp.d.ts → types-Cc_McZgD.d.ts} +12 -10
  18. package/package.json +2 -2
  19. package/dist/chunk-WM2QICZQ.js +0 -666
  20. package/dist/chunk-WM2QICZQ.js.map +0 -1
package/dist/middlewares/index.cjs CHANGED
@@ -168,6 +168,9 @@ function internalAuth(req, res, next) {
168
168
  function getAuth(req) {
169
169
  return req.auth ?? {};
170
170
  }
171
+ function hasAuthContext(req) {
172
+ return !!req.auth;
173
+ }
171
174
  function normalizeCode(v) {
172
175
  if (!v) return null;
173
176
  if (typeof v === "string") return v;
@@ -192,7 +195,7 @@ function permsSet(list) {
192
195
  }
193
196
  function requireAuthContext() {
194
197
  return (req, res, next) => {
195
- if (!req.auth) {
198
+ if (!hasAuthContext(req)) {
196
199
  return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
197
200
  }
198
201
  return next();
@@ -206,6 +209,9 @@ function requirePermissions(perms, options) {
206
209
  const sysAdminBypass = options?.sysAdminBypass !== false;
207
210
  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
208
211
  return (req, res, next) => {
212
+ if (!hasAuthContext(req)) {
213
+ return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
214
+ }
209
215
  const auth = getAuth(req);
210
216
  if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
211
217
  const allow = permsSet(auth.permissions);
@@ -231,6 +237,9 @@ function requireAnyPermission(perms, options) {
231
237
  const sysAdminBypass = options?.sysAdminBypass !== false;
232
238
  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
233
239
  return (req, res, next) => {
240
+ if (!hasAuthContext(req)) {
241
+ return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
242
+ }
234
243
  const auth = getAuth(req);
235
244
  if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
236
245
  const allow = permsSet(auth.permissions);
@@ -256,6 +265,9 @@ function requireRoles(roles, options) {
256
265
  const sysAdminBypass = options?.sysAdminBypass !== false;
257
266
  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
258
267
  return (req, res, next) => {
268
+ if (!hasAuthContext(req)) {
269
+ return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
270
+ }
259
271
  const auth = getAuth(req);
260
272
  if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
261
273
  const have = rolesSet(auth);
@@ -272,6 +284,9 @@ function requireRolesOrAnyPermission(roles, perms, options) {
272
284
  const sysAdminBypass = options?.sysAdminBypass !== false;
273
285
  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
274
286
  return (req, res, next) => {
287
+ if (!hasAuthContext(req)) {
288
+ return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
289
+ }
275
290
  const auth = getAuth(req);
276
291
  if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
277
292
  const haveRoles = rolesSet(auth);
@@ -297,171 +312,6 @@ function requireRolesOrAnyPermission(roles, perms, options) {
297
312
  };
298
313
  }
299
314
 
300
- // src/auth/authentication.ts
301
- var import_firebase_admin = __toESM(require("firebase-admin"), 1);
302
- var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
303
- var import_fs2 = __toESM(require("fs"), 1);
304
- function getBearerToken(req) {
305
- const auth = String(req.headers?.authorization || "");
306
- if (!auth.startsWith("Bearer ")) return null;
307
- const token = auth.slice(7).trim();
308
- return token.length ? token : null;
309
- }
310
- function readPublicKey() {
311
- const publicKeyPath = process.env.JWT_PUBLIC_KEY_PATH;
312
- const publicKeyEnv = process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "";
313
- if (publicKeyPath) {
314
- const v = import_fs2.default.readFileSync(publicKeyPath, "utf8").trim();
315
- if (v) return v;
316
- }
317
- const envKey = publicKeyEnv.replace(/\\n/g, "\n").trim();
318
- if (envKey) return envKey;
319
- throw new Error("Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)");
320
- }
321
- function verifyBackendJwtRS256(raw) {
322
- const publicKey = readPublicKey();
323
- const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
324
- const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
325
- return import_jsonwebtoken.default.verify(raw, publicKey, {
326
- algorithms: ["RS256"],
327
- audience,
328
- issuer
329
- });
330
- }
331
- function normalizeUid(v) {
332
- const s = String(v ?? "").trim();
333
- return s.length ? s : null;
334
- }
335
- function deriveCompanyBranch(decoded, companyUid, branchUid) {
336
- const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
337
- const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
338
- const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
339
- return { companiesFromToken, company, branch };
340
- }
341
- function extractEmployeeUid(decoded) {
342
- const direct = normalizeUid(decoded?.employee_uid);
343
- if (direct) return direct;
344
- const sub = normalizeUid(decoded?.sub);
345
- if (!sub) return null;
346
- const m = /^emp:(.+)$/i.exec(sub);
347
- return m?.[1] ? normalizeUid(m[1]) : null;
348
- }
349
- function extractCustomerUid(decoded) {
350
- const direct = normalizeUid(decoded?.customer_uid);
351
- if (direct) return direct;
352
- const sub = normalizeUid(decoded?.sub);
353
- if (!sub) return null;
354
- const m = /^cus:(.+)$/i.exec(sub);
355
- return m?.[1] ? normalizeUid(m[1]) : null;
356
- }
357
- function createAuthMiddleware(opts) {
358
- const { subject, allowFirebaseIdToken = false } = opts;
359
- return async (req, res, next) => {
360
- const token = getBearerToken(req);
361
- if (!token) {
362
- return res.status(401).json({
363
- ok: false,
364
- code: "AUTH_MISSING_TOKEN",
365
- message: "Missing Authorization Bearer token"
366
- });
367
- }
368
- try {
369
- const decoded = verifyBackendJwtRS256(token);
370
- const headerCtx = req.context || {};
371
- const companyUid = normalizeUid(headerCtx.company_uid);
372
- const branchUid = normalizeUid(headerCtx.branch_uid);
373
- const { companiesFromToken, company, branch } = deriveCompanyBranch(decoded, companyUid, branchUid);
374
- const ctx = {
375
- tokenType: "backend",
376
- subject,
377
- company_uid: companyUid ?? void 0,
378
- branch_uid: branchUid ?? void 0,
379
- companies: companiesFromToken,
380
- company,
381
- branch,
382
- roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
383
- permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
384
- denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
385
- session: {
386
- jti: decoded?.jti,
387
- device_id: decoded?.device_id,
388
- expires_at: decoded?.exp
389
- }
390
- };
391
- if (subject === "employee") {
392
- const employee_uid = extractEmployeeUid(decoded);
393
- if (!employee_uid) {
394
- return res.status(401).json({
395
- ok: false,
396
- code: "AUTH_EMPLOYEE_UID_MISSING",
397
- message: "employee_uid missing in token (expected employee_uid or sub=emp:<uid>)"
398
- });
399
- }
400
- ctx.employee_uid = employee_uid;
401
- const embedded = decoded?.employee ?? decoded?.user ?? null;
402
- ctx.employee = embedded && typeof embedded === "object" ? embedded : { uid: employee_uid, email: decoded?.email ?? null };
403
- } else {
404
- const customer_uid = extractCustomerUid(decoded);
405
- if (!customer_uid) {
406
- return res.status(401).json({
407
- ok: false,
408
- code: "AUTH_CUSTOMER_UID_MISSING",
409
- message: "customer_uid missing in token (expected customer_uid or sub=cus:<uid>)"
410
- });
411
- }
412
- ctx.customer_uid = customer_uid;
413
- const embedded = decoded?.customer ?? null;
414
- ctx.customer = embedded && typeof embedded === "object" ? embedded : { uid: customer_uid };
415
- }
416
- req.auth = ctx;
417
- return next();
418
- } catch {
419
- if (!allowFirebaseIdToken) {
420
- return res.status(401).json({
421
- ok: false,
422
- code: "AUTH_INVALID_TOKEN",
423
- message: "Invalid or expired token"
424
- });
425
- }
426
- try {
427
- const firebaseDecoded = await import_firebase_admin.default.auth().verifyIdToken(token);
428
- if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
429
- return res.status(401).json({
430
- ok: false,
431
- code: "AUTH_EMAIL_NOT_VERIFIED",
432
- message: "Email not verified"
433
- });
434
- }
435
- const headerCtx = req.context || {};
436
- const companyUid = normalizeUid(headerCtx.company_uid);
437
- const branchUid = normalizeUid(headerCtx.branch_uid);
438
- req.auth = {
439
- tokenType: "backend",
440
- subject,
441
- firebase: firebaseDecoded,
442
- company_uid: companyUid ?? void 0,
443
- branch_uid: branchUid ?? void 0,
444
- companies: [],
445
- roles: [],
446
- permissions: [],
447
- denied_permissions: []
448
- };
449
- return next();
450
- } catch {
451
- return res.status(401).json({
452
- ok: false,
453
- code: "AUTH_INVALID_TOKEN",
454
- message: "Invalid or expired token"
455
- });
456
- }
457
- }
458
- };
459
- }
460
- var authEmployeeRequired = createAuthMiddleware({ subject: "employee", allowFirebaseIdToken: false });
461
- var authCustomerRequired = createAuthMiddleware({ subject: "customer", allowFirebaseIdToken: false });
462
- var authEmployeeAllowFirebase = createAuthMiddleware({ subject: "employee", allowFirebaseIdToken: true });
463
- var authCustomerAllowFirebase = createAuthMiddleware({ subject: "customer", allowFirebaseIdToken: true });
464
-
465
315
  // src/middlewares/guards.ts
466
316
  function normalizeRole(r) {
467
317
  if (!r) return null;
@@ -473,100 +323,134 @@ function normalizePerm(p) {
473
323
  if (typeof p === "string") return p;
474
324
  return p.code || p.name || null;
475
325
  }
476
- function isSysAdmin2(roles) {
477
- if (!Array.isArray(roles)) return false;
478
- return roles.some((r) => normalizeRole(r) === "SYS_ADMIN");
479
- }
480
326
  function getAuth2(req) {
481
327
  return req.auth ?? {};
482
328
  }
329
+ function roleSet(auth) {
330
+ return new Set(
331
+ (auth.roles ?? []).map(normalizeRole).filter(Boolean)
332
+ );
333
+ }
483
334
  function permissionSets(auth) {
484
- const allow = new Set((auth.permissions ?? []).map(normalizePerm).filter(Boolean));
485
- const deny = new Set((auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean));
335
+ const allow = new Set(
336
+ (auth.permissions ?? []).map(normalizePerm).filter(Boolean)
337
+ );
338
+ const deny = new Set(
339
+ (auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean)
340
+ );
486
341
  return { allow, deny };
487
342
  }
488
- function roleSet(auth) {
489
- return new Set((auth.roles ?? []).map(normalizeRole).filter(Boolean));
343
+ function normalizeHandlers(auth) {
344
+ if (!auth) return [];
345
+ return Array.isArray(auth) ? auth : [auth];
346
+ }
347
+ function buildBaseChain(options) {
348
+ const chain = [];
349
+ if (options?.includeParseHeaders !== false) {
350
+ chain.push(parseHeaders);
351
+ }
352
+ chain.push(...normalizeHandlers(options?.auth));
353
+ return chain;
354
+ }
355
+ function hasSysAdmin(auth, options) {
356
+ const sysAdminBypass = options?.sysAdminBypass !== false;
357
+ if (!sysAdminBypass) return false;
358
+ const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
359
+ return roleSet(auth).has(sysAdminRole);
490
360
  }
491
- function allowSysAdminOrAnyPermission(...perms) {
492
- const required = (perms ?? []).filter(Boolean);
361
+ function allowSysAdminOrAnyPermission(perms, options) {
362
+ const required = (Array.isArray(perms) ? perms : [perms]).filter(Boolean);
493
363
  return [
494
- parseHeaders,
495
- authEmployeeRequired,
364
+ ...buildBaseChain(options),
496
365
  (req, res, next) => {
497
366
  const auth = getAuth2(req);
498
- if (isSysAdmin2(auth.roles)) return next();
367
+ if (hasSysAdmin(auth, options)) return next();
499
368
  const { allow, deny } = permissionSets(auth);
500
369
  for (const p of required) {
501
370
  if (deny.has(p)) {
502
- return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, { denied: p });
371
+ return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
372
+ denied: p
373
+ });
503
374
  }
504
375
  }
505
376
  const ok = required.some((p) => allow.has(p));
506
377
  if (!ok) {
507
- return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ANY)", { required });
378
+ return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ANY)", {
379
+ required,
380
+ mode: "ANY"
381
+ });
508
382
  }
509
383
  return next();
510
384
  }
511
385
  ];
512
386
  }
513
- function allowSysAdminOrPermissionsAll(...perms) {
514
- const required = (perms ?? []).filter(Boolean);
387
+ function allowSysAdminOrPermissionsAll(perms, options) {
388
+ const required = (Array.isArray(perms) ? perms : [perms]).filter(Boolean);
515
389
  return [
516
- parseHeaders,
517
- authEmployeeRequired,
390
+ ...buildBaseChain(options),
518
391
  (req, res, next) => {
519
392
  const auth = getAuth2(req);
520
- if (isSysAdmin2(auth.roles)) return next();
393
+ if (hasSysAdmin(auth, options)) return next();
521
394
  const { allow, deny } = permissionSets(auth);
522
395
  for (const p of required) {
523
396
  if (deny.has(p)) {
524
- return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, { denied: p });
397
+ return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
398
+ denied: p
399
+ });
525
400
  }
526
401
  }
527
402
  const missing = required.filter((p) => !allow.has(p));
528
403
  if (missing.length) {
529
- return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ALL)", { required, missing });
404
+ return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ALL)", {
405
+ required,
406
+ missing,
407
+ mode: "ALL"
408
+ });
530
409
  }
531
410
  return next();
532
411
  }
533
412
  ];
534
413
  }
535
- function allowSysAdminOrRoles(...roles) {
536
- const required = (roles ?? []).filter(Boolean);
414
+ function allowSysAdminOrRoles(roles, options) {
415
+ const required = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);
537
416
  return [
538
- parseHeaders,
539
- authEmployeeRequired,
417
+ ...buildBaseChain(options),
540
418
  (req, res, next) => {
541
419
  const auth = getAuth2(req);
542
- if (isSysAdmin2(auth.roles)) return next();
420
+ if (hasSysAdmin(auth, options)) return next();
543
421
  const have = roleSet(auth);
544
422
  const ok = required.some((r) => have.has(r));
545
423
  if (!ok) {
546
- return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", { required });
424
+ return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", {
425
+ required,
426
+ mode: "ANY"
427
+ });
547
428
  }
548
429
  return next();
549
430
  }
550
431
  ];
551
432
  }
552
- function allowSysAdminOrRolesOrAnyPermission(roles, permissions) {
433
+ function allowSysAdminOrRolesOrAnyPermission(roles, permissions, options) {
553
434
  const requiredRoles = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);
554
435
  const requiredPerms = (Array.isArray(permissions) ? permissions : [permissions]).filter(Boolean);
555
436
  return [
556
- parseHeaders,
557
- authEmployeeRequired,
437
+ ...buildBaseChain(options),
558
438
  (req, res, next) => {
559
439
  const auth = getAuth2(req);
560
- if (isSysAdmin2(auth.roles)) return next();
440
+ if (hasSysAdmin(auth, options)) return next();
561
441
  const { allow, deny } = permissionSets(auth);
442
+ const haveRoles = roleSet(auth);
562
443
  for (const p of requiredPerms) {
563
444
  if (deny.has(p)) {
564
- return sendError(req, res, 403, "FORBIDDEN", `Denied: ${p}`, { permission: p });
445
+ return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
446
+ denied: p
447
+ });
565
448
  }
566
449
  }
567
- const haveRoles = roleSet(auth);
568
- if (requiredRoles.some((r) => haveRoles.has(r))) return next();
569
- if (requiredPerms.some((p) => allow.has(p))) return next();
450
+ const okRole = requiredRoles.some((r) => haveRoles.has(r));
451
+ if (okRole) return next();
452
+ const okPerm = requiredPerms.some((p) => allow.has(p));
453
+ if (okPerm) return next();
570
454
  return sendError(req, res, 403, "FORBIDDEN", "Permission denied", {
571
455
  roles: requiredRoles,
572
456
  permissions: requiredPerms,
@@ -575,8 +459,8 @@ function allowSysAdminOrRolesOrAnyPermission(roles, permissions) {
575
459
  }
576
460
  ];
577
461
  }
578
- function allowAuthAdminOrPerm(permission) {
579
- return allowSysAdminOrRolesOrAnyPermission(["AUTH_ADMIN"], [permission]);
462
+ function allowAuthAdminOrPerm(permission, options) {
463
+ return allowSysAdminOrRolesOrAnyPermission(["AUTH_ADMIN"], [permission], options);
580
464
  }
581
465
  // Annotate the CommonJS export names for ESM import in node:
582
466
  0 && (module.exports = {
package/dist/middlewares/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/middlewares/index.ts","../../src/headers/constants.ts","../../src/headers/parse.ts","../../src/middlewares/parseHeaders.ts","../../src/middlewares/requestId.ts","../../src/middlewares/internalAuth.ts","../../src/middlewares/respond.ts","../../src/middlewares/authorization.ts","../../src/auth/authentication.ts","../../src/middlewares/guards.ts"],"sourcesContent":["// packages/sdk/src/middlewares/index.ts\nexport {default as parseHeaders} from \"./parseHeaders\";\nexport {default as requestId} from \"./requestId\";\nexport {default as internalAuth} from \"./internalAuth\";\n\nexport {sendOk, sendError} from \"./respond\";\n\nexport * from \"./authorization\";\nexport * from \"./guards\";\n","// packages/sdk/src/constants.ts\nexport const HEADER_REQUEST_ID = \"x-request-id\";\n\nexport const HEADER_COMPANY_UID = \"x-company\";\nexport const HEADER_BRANCH_UID = \"x-branch\";\nexport const HEADER_EMPLOYEE_UID = \"x-employee-uid\";\n\nexport const HEADER_INTERNAL_API_KEY = \"x-internal-api-key\";\nexport const HEADER_AUTHORIZATION = \"authorization\";\n","// packages/sdk/src/parse.ts\nimport {\n HEADER_BRANCH_UID,\n HEADER_COMPANY_UID,\n HEADER_EMPLOYEE_UID,\n HEADER_REQUEST_ID,\n} from \"./constants\";\n\nexport type RequestContext = {\n requestId?: string | null;\n company_uid?: string | null;\n branch_uid?: string | null;\n employee_uid?: string | null;\n};\n\nfunction normalizeHeaderValue(v: unknown): string | null {\n if (typeof v !== \"string\") return null;\n const s = v.trim();\n if (!s) return null;\n\n // ✅ NO-LEGACY: bloquea JSON en headers\n if (s.startsWith(\"{\") || s.startsWith(\"[\") || s.includes('\"')) return null;\n\n // Evitar valores demasiado cortos (basura)\n if (s.length < 6) return null;\n\n return s;\n}\n\n/**\n * Lee header aunque venga en mayúsculas/minúsculas (Express suele bajar a lower-case).\n */\nfunction h(headers: Record<string, any>, key: string): unknown {\n return headers[key] ?? headers[key.toLowerCase()] ?? headers[key.toUpperCase()];\n}\n\n/**\n * ✅ NO-LEGACY:\n * - x-company: <UID>\n * - x-branch: <UID>\n * - x-employee-uid: <UID> (opcional; NO reemplaza JWT)\n * - x-request-id: string (opcional)\n */\nexport function getRequestContextFromHeaders(headers: Record<string, any>): RequestContext {\n return {\n requestId: normalizeHeaderValue(h(headers, HEADER_REQUEST_ID)) ?? null,\n company_uid: normalizeHeaderValue(h(headers, HEADER_COMPANY_UID)) ?? null,\n branch_uid: normalizeHeaderValue(h(headers, HEADER_BRANCH_UID)) ?? null,\n employee_uid: normalizeHeaderValue(h(headers, HEADER_EMPLOYEE_UID)) ?? null,\n };\n}\n","// sdk/src/middlewares/parseHeaders.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {getRequestContextFromHeaders} from \"../headers\";\n\n/**\n * ✅ NO-LEGACY / ESTÁNDAR:\n * - Lee SOLO x-company y x-branch (UIDs planos)\n * - Setea req.context = { company_uid, branch_uid }\n * - NO toca req.auth (auth lo setea authentication/requireAuth)\n */\nexport default function parseHeaders(req: Request, _res: Response, next: NextFunction) {\n (req as any).context = getRequestContextFromHeaders(req.headers as any);\n next();\n}\n","// middlewares/requestId.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {randomUUID, randomBytes} from \"crypto\";\n\nexport const REQUEST_ID_HEADER = \"x-request-id\";\nexport const REQUEST_ID_HEADER_ALT = \"x-requestid\";\nexport const RESPONSE_REQUEST_ID_HEADER = \"X-Request-Id\";\n\n// Si quieres IDs más cortos (opcional). Por defecto usamos UUID.\nfunction nanoidLike(len = 21) {\n return randomBytes(16).toString(\"base64url\").slice(0, len);\n}\n\nexport default function requestId(req: Request, res: Response, next: NextFunction) {\n const headerId = (req.headers[REQUEST_ID_HEADER] || req.headers[REQUEST_ID_HEADER_ALT]) as\n | string\n | undefined;\n\n // ✅ estándar único: usa UUID (o cambia a nanoidLike() si prefieres corto)\n const id = headerId?.trim() || randomUUID();\n\n // ✅ estándar único (no legacy)\n (req as any).requestId = id;\n res.locals.requestId = id;\n\n // ✅ respuesta\n res.setHeader(RESPONSE_REQUEST_ID_HEADER, id);\n\n next();\n}\n","import type {Request, Response, NextFunction} from \"express\";\nimport fs from \"fs\";\nimport crypto from \"crypto\";\nimport {sendError} from \"./respond\";\nimport {HEADER_INTERNAL_API_KEY} from \"../headers\";\n\nfunction readSecretFile(path?: string): string | null {\n if (!path) return null;\n try {\n const v = fs.readFileSync(path, \"utf8\").trim();\n return v.length ? v : null;\n } catch {\n return null;\n }\n}\n\nfunction splitKeys(v?: string | null): string[] {\n if (!v) return [];\n return v.split(\",\").map((s) => s.trim()).filter(Boolean);\n}\n\nfunction getExpectedKeys(): string[] {\n const fileKey = readSecretFile(process.env.INTERNAL_API_KEY_FILE);\n const envKey = (process.env.INTERNAL_API_KEY || \"\").trim();\n const raw = fileKey || envKey;\n return splitKeys(raw);\n}\n\nfunction extractToken(req: Request): string | null {\n const apiKey = (req.header(HEADER_INTERNAL_API_KEY) || \"\").trim();\n return apiKey || null;\n}\n\nfunction safeEquals(a: string, b: string): boolean {\n const aa = Buffer.from(a);\n const bb = Buffer.from(b);\n if (aa.length !== bb.length) return false;\n return crypto.timingSafeEqual(aa, bb);\n}\n\nexport default function internalAuth(req: Request, res: Response, next: NextFunction) {\n const token = extractToken(req);\n\n if (!token) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", `Missing internal api key (${HEADER_INTERNAL_API_KEY})`);\n }\n\n const expectedKeys = getExpectedKeys();\n if (expectedKeys.length === 0) {\n return sendError(\n req,\n res,\n 500,\n \"MISCONFIGURED_INTERNAL_AUTH\",\n \"Internal api key not configured (INTERNAL_API_KEY or INTERNAL_API_KEY_FILE)\"\n );\n }\n\n const ok = expectedKeys.some((k) => safeEquals(token, k));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Invalid internal api key\");\n }\n\n return next();\n}\n","// packages/sdk/src/middleware/respond.ts\nimport type {Request, Response} from \"express\";\n\nexport function sendOk<T>(_req: Request, res: Response, data: T, statusCode = 200) {\n return res.status(statusCode).json({ok: true, data, requestId: res.locals?.requestId ?? null});\n}\n\nexport function sendError(\n _req: Request,\n res: Response,\n statusCode: number,\n code: string,\n message: string,\n details?: any\n) {\n return res.status(statusCode).json({\n ok: false,\n error: {code, message, ...(details !== undefined ? {details} : {})},\n requestId: res.locals?.requestId ?? null,\n });\n}\n","// packages/sdk/src/middlewares/authorization.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {sendError} from \"./respond\";\n\ntype AuthRole = string | { code?: string; name?: string };\ntype AuthPermission = string | { code?: string; name?: string };\n\ntype AuthShape = {\n roles?: AuthRole[];\n permissions?: AuthPermission[];\n denied_permissions?: AuthPermission[];\n};\n\nfunction getAuth(req: Request): AuthShape {\n return ((req as any).auth ?? {}) as AuthShape;\n}\n\nfunction normalizeCode(v: any): string | null {\n if (!v) return null;\n if (typeof v === \"string\") return v;\n if (typeof v === \"object\") return v.code || v.name || null;\n return null;\n}\n\nfunction rolesSet(auth: AuthShape): Set<string> {\n const out = new Set<string>();\n for (const r of auth.roles || []) {\n const c = normalizeCode(r);\n if (c) out.add(c);\n }\n return out;\n}\n\nfunction permsSet(list?: AuthPermission[]): Set<string> {\n const out = new Set<string>();\n for (const p of list || []) {\n const c = normalizeCode(p);\n if (c) out.add(c);\n }\n return out;\n}\n\n/**\n * 401 si no existe req.auth (contexto auth).\n * Útil para proteger rutas donde SIEMPRE debe existir auth.\n */\nexport function requireAuthContext() {\n return (req: Request, res: Response, next: NextFunction) => {\n if (!(req as any).auth) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n return next();\n };\n}\n\n/**\n * Helper: SYS_ADMIN bypass (por defecto activo)\n */\nfunction isSysAdmin(auth: AuthShape, sysAdminRole: string) {\n const have = rolesSet(auth);\n return have.has(sysAdminRole);\n}\n\n/**\n * Requiere TODOS los permisos indicados.\n * Regla: denied_permissions siempre gana sobre permissions.\n *\n * options:\n * - sysAdminBypass: default true\n * - sysAdminRole: default \"SYS_ADMIN\"\n */\nexport function requirePermissions(\n perms: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n // deny gana siempre\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const missing = perms.filter((p) => !allow.has(p));\n if (missing.length) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions\", {\n missing,\n mode: \"ALL\",\n });\n }\n\n return next();\n };\n}\n\n/**\n * Requiere AL MENOS 1 permiso de la lista (ANY/OR).\n * Regla: denied_permissions siempre gana.\n */\nexport function requireAnyPermission(\n perms: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n // deny gana siempre (si alguno requerido está denegado explícitamente)\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const ok = perms.some((p) => allow.has(p));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Permission denied\", {\n required: perms,\n mode: \"ANY\",\n });\n }\n\n return next();\n };\n}\n\n/**\n * Requiere al menos 1 rol (ANY/OR).\n * options:\n * - sysAdminBypass: default true\n * - sysAdminRole: default \"SYS_ADMIN\"\n */\nexport function requireRoles(\n roles: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n // SYS_ADMIN bypass aplica también aquí\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const have = rolesSet(auth);\n if (!roles.some((r) => have.has(r))) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Role not allowed\", {\n required: roles,\n mode: \"ANY\",\n });\n }\n\n return next();\n };\n}\n\n/**\n * Requiere (roles ANY) OR (permissions ANY).\n * deny_permissions siempre gana sobre permissions.\n */\nexport function requireRolesOrAnyPermission(\n roles: string[],\n perms: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const haveRoles = rolesSet(auth);\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n // deny gana siempre (si cualquiera de los permisos evaluados está denegado explícitamente)\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const okRole = roles.some((r) => haveRoles.has(r));\n const okPerm = perms.some((p) => allow.has(p));\n\n if (!okRole && !okPerm) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Access denied\", {\n roles,\n permissions: perms,\n mode: \"ROLES_OR_PERMS_ANY\",\n });\n }\n\n return next();\n };\n}\n","// packages/sdk/src/auth/authentication.ts\nimport type {NextFunction, Response} from \"express\";\nimport admin from \"firebase-admin\";\nimport jwt, {JwtPayload} from \"jsonwebtoken\";\nimport fs from \"fs\";\n\ntype Subject = \"employee\" | \"customer\";\ntype TokenType = \"backend\";\n\nexport interface AuthContext {\n tokenType: TokenType;\n subject: Subject;\n\n // ✅ UID-first canonical\n employee_uid?: string;\n customer_uid?: string;\n\n // Opcional (puede venir embebido o ser ref mínimo)\n employee?: any;\n customer?: any;\n\n company_uid?: string;\n branch_uid?: string;\n\n company?: any;\n branch?: any;\n companies?: any[];\n\n roles?: any[];\n permissions?: any[];\n denied_permissions?: any[];\n\n session?: { jti?: string; device_id?: string; expires_at?: number };\n firebase?: admin.auth.DecodedIdToken;\n}\n\n/**\n * ✅ ÚNICO estándar:\n * - Authorization: Bearer <token>\n */\nfunction getBearerToken(req: any): string | null {\n const auth = String(req.headers?.authorization || \"\");\n if (!auth.startsWith(\"Bearer \")) return null;\n const token = auth.slice(7).trim();\n return token.length ? token : null;\n}\n\nfunction readPublicKey(): string {\n const publicKeyPath = process.env.JWT_PUBLIC_KEY_PATH;\n const publicKeyEnv = process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || \"\";\n\n if (publicKeyPath) {\n const v = fs.readFileSync(publicKeyPath, \"utf8\").trim();\n if (v) return v;\n }\n\n const envKey = publicKeyEnv.replace(/\\\\n/g, \"\\n\").trim();\n if (envKey) return envKey;\n\n throw new Error(\"Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)\");\n}\n\nfunction verifyBackendJwtRS256(raw: string): JwtPayload {\n const publicKey = readPublicKey();\n const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || \"getmarket.api\";\n const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || \"getmarket-auth\";\n\n return jwt.verify(raw, publicKey, {\n algorithms: [\"RS256\"],\n audience,\n issuer,\n }) as JwtPayload;\n}\n\nfunction normalizeUid(v: any): string | null {\n const s = String(v ?? \"\").trim();\n return s.length ? s : null;\n}\n\nfunction deriveCompanyBranch(decoded: any, companyUid: string | null, branchUid: string | null) {\n const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];\n\n const company =\n decoded?.company ??\n (companyUid ? companiesFromToken.find((c: any) => c?.uid === companyUid) : null) ??\n null;\n\n const branch =\n decoded?.branch ??\n (branchUid && company?.branches ? (company.branches || []).find((b: any) => b?.uid === branchUid) : null) ??\n null;\n\n return {companiesFromToken, company, branch};\n}\n\n/**\n * ✅ UID-first extractors\n * - decoded.employee_uid / decoded.customer_uid\n * - decoded.sub = \"emp:<uid>\" / \"cus:<uid>\"\n */\nfunction extractEmployeeUid(decoded: any): string | null {\n const direct = normalizeUid(decoded?.employee_uid);\n if (direct) return direct;\n\n const sub = normalizeUid(decoded?.sub);\n if (!sub) return null;\n\n const m = /^emp:(.+)$/i.exec(sub);\n return m?.[1] ? normalizeUid(m[1]) : null;\n}\n\nfunction extractCustomerUid(decoded: any): string | null {\n const direct = normalizeUid(decoded?.customer_uid);\n if (direct) return direct;\n\n const sub = normalizeUid(decoded?.sub);\n if (!sub) return null;\n\n const m = /^cus:(.+)$/i.exec(sub);\n return m?.[1] ? normalizeUid(m[1]) : null;\n}\n\nexport function createAuthMiddleware(opts: { subject: Subject; allowFirebaseIdToken?: boolean }) {\n const {subject, allowFirebaseIdToken = false} = opts;\n\n return async (req: any, res: Response, next: NextFunction) => {\n const token = getBearerToken(req);\n if (!token) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_MISSING_TOKEN\",\n message: \"Missing Authorization Bearer token\",\n });\n }\n\n // 1) Backend JWT RS256\n try {\n const decoded: any = verifyBackendJwtRS256(token);\n\n const headerCtx = (req as any).context || {};\n const companyUid = normalizeUid(headerCtx.company_uid);\n const branchUid = normalizeUid(headerCtx.branch_uid);\n\n const {companiesFromToken, company, branch} = deriveCompanyBranch(decoded, companyUid, branchUid);\n\n const ctx: AuthContext = {\n tokenType: \"backend\",\n subject,\n\n company_uid: companyUid ?? undefined,\n branch_uid: branchUid ?? undefined,\n\n companies: companiesFromToken,\n company,\n branch,\n\n roles: Array.isArray(decoded?.roles) ? decoded.roles : [],\n permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],\n denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],\n\n session: {\n jti: decoded?.jti,\n device_id: decoded?.device_id,\n expires_at: decoded?.exp,\n },\n };\n\n if (subject === \"employee\") {\n const employee_uid = extractEmployeeUid(decoded);\n if (!employee_uid) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMPLOYEE_UID_MISSING\",\n message: \"employee_uid missing in token (expected employee_uid or sub=emp:<uid>)\",\n });\n }\n ctx.employee_uid = employee_uid;\n\n // ✅ employee embebido es opcional; si no viene, dejamos ref mínimo\n const embedded = decoded?.employee ?? decoded?.user ?? null;\n ctx.employee = embedded && typeof embedded === \"object\"\n ? embedded\n : {uid: employee_uid, email: decoded?.email ?? null};\n } else {\n const customer_uid = extractCustomerUid(decoded);\n if (!customer_uid) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_CUSTOMER_UID_MISSING\",\n message: \"customer_uid missing in token (expected customer_uid or sub=cus:<uid>)\",\n });\n }\n ctx.customer_uid = customer_uid;\n\n const embedded = decoded?.customer ?? null;\n ctx.customer = embedded && typeof embedded === \"object\"\n ? embedded\n : {uid: customer_uid};\n }\n\n req.auth = ctx;\n return next();\n } catch {\n // 2) Firebase opcional\n if (!allowFirebaseIdToken) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n\n try {\n const firebaseDecoded = await admin.auth().verifyIdToken(token);\n\n if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMAIL_NOT_VERIFIED\",\n message: \"Email not verified\",\n });\n }\n\n const headerCtx = (req as any).context || {};\n const companyUid = normalizeUid(headerCtx.company_uid);\n const branchUid = normalizeUid(headerCtx.branch_uid);\n\n req.auth = {\n tokenType: \"backend\",\n subject,\n firebase: firebaseDecoded,\n company_uid: companyUid ?? undefined,\n branch_uid: branchUid ?? undefined,\n companies: [],\n roles: [],\n permissions: [],\n denied_permissions: [],\n };\n\n return next();\n } catch {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n }\n };\n}\n\nexport const authEmployeeRequired = createAuthMiddleware({subject: \"employee\", allowFirebaseIdToken: false});\nexport const authCustomerRequired = createAuthMiddleware({subject: \"customer\", allowFirebaseIdToken: false});\nexport const authEmployeeAllowFirebase = createAuthMiddleware({subject: \"employee\", allowFirebaseIdToken: true});\nexport const authCustomerAllowFirebase = createAuthMiddleware({subject: \"customer\", allowFirebaseIdToken: true});\n","// packages/sdk/src/middlewares/guards.ts\nimport type {Request, Response, NextFunction, RequestHandler} from \"express\";\nimport parseHeaders from \"./parseHeaders\";\nimport {authEmployeeRequired} from \"../auth\";\nimport {sendError} from \"./respond\";\n\ntype RoleShape = string | { code?: string; name?: string };\ntype PermShape = string | { code?: string; name?: string };\n\nfunction normalizeRole(r: RoleShape): string | null {\n if (!r) return null;\n if (typeof r === \"string\") return r;\n return r.code || r.name || null;\n}\n\nfunction normalizePerm(p: PermShape): string | null {\n if (!p) return null;\n if (typeof p === \"string\") return p;\n return p.code || p.name || null;\n}\n\nfunction isSysAdmin(roles: RoleShape[] | undefined): boolean {\n if (!Array.isArray(roles)) return false;\n return roles.some((r) => normalizeRole(r) === \"SYS_ADMIN\");\n}\n\nfunction getAuth(req: Request) {\n return ((req as any).auth ?? {}) as {\n roles?: RoleShape[];\n permissions?: PermShape[];\n denied_permissions?: PermShape[];\n };\n}\n\nfunction permissionSets(auth: ReturnType<typeof getAuth>) {\n const allow = new Set<string>((auth.permissions ?? []).map(normalizePerm).filter(Boolean) as string[]);\n const deny = new Set<string>((auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean) as string[]);\n return {allow, deny};\n}\n\nfunction roleSet(auth: ReturnType<typeof getAuth>) {\n return new Set<string>((auth.roles ?? []).map(normalizeRole).filter(Boolean) as string[]);\n}\n\n/**\n * ✅ SysAdmin bypass OR (ANY) permissions\n * - Si tiene alguno de los permisos => OK\n * - denied_permissions gana siempre\n */\nexport function allowSysAdminOrAnyPermission(...perms: string[]): RequestHandler[] {\n const required = (perms ?? []).filter(Boolean);\n\n return [\n parseHeaders,\n authEmployeeRequired,\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n if (isSysAdmin(auth.roles)) return next();\n\n const {allow, deny} = permissionSets(auth);\n\n for (const p of required) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {denied: p});\n }\n }\n\n const ok = required.some((p) => allow.has(p));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions (ANY)\", {required});\n }\n\n return next();\n },\n ];\n}\n\n/**\n * ✅ SysAdmin bypass OR (ALL) permissions (AND)\n */\nexport function allowSysAdminOrPermissionsAll(...perms: string[]): RequestHandler[] {\n const required = (perms ?? []).filter(Boolean);\n\n return [\n parseHeaders,\n authEmployeeRequired,\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n if (isSysAdmin(auth.roles)) return next();\n\n const {allow, deny} = permissionSets(auth);\n\n for (const p of required) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {denied: p});\n }\n }\n\n const missing = required.filter((p) => !allow.has(p));\n if (missing.length) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions (ALL)\", {required, missing});\n }\n\n return next();\n },\n ];\n}\n\n/**\n * ✅ SysAdmin bypass OR roles (ANY)\n */\nexport function allowSysAdminOrRoles(...roles: string[]): RequestHandler[] {\n const required = (roles ?? []).filter(Boolean);\n\n return [\n parseHeaders,\n authEmployeeRequired,\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n if (isSysAdmin(auth.roles)) return next();\n\n const have = roleSet(auth);\n\n const ok = required.some((r) => have.has(r));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Role not allowed\", {required});\n }\n\n return next();\n },\n ];\n}\n\n/**\n * ✅ SYS_ADMIN bypass OR (ANY) roles OR (ANY) permissions\n * - denied_permissions siempre gana\n */\nexport function allowSysAdminOrRolesOrAnyPermission(\n roles: string | string[],\n permissions: string | string[]\n): RequestHandler[] {\n const requiredRoles = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);\n const requiredPerms = (Array.isArray(permissions) ? permissions : [permissions]).filter(Boolean);\n\n return [\n parseHeaders,\n authEmployeeRequired,\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n if (isSysAdmin(auth.roles)) return next();\n\n const {allow, deny} = permissionSets(auth);\n for (const p of requiredPerms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied: ${p}`, {permission: p});\n }\n }\n\n const haveRoles = roleSet(auth);\n if (requiredRoles.some((r) => haveRoles.has(r))) return next();\n\n if (requiredPerms.some((p) => allow.has(p))) return next();\n\n return sendError(req, res, 403, \"FORBIDDEN\", \"Permission denied\", {\n roles: requiredRoles,\n permissions: requiredPerms,\n mode: \"ROLES_OR_ANY_PERMISSION\",\n });\n },\n ];\n}\n\n/**\n * ✅ Helper específico Auth:\n * Rol AUTH_ADMIN o permiso fino (y SYS_ADMIN bypass)\n */\nexport function allowAuthAdminOrPerm(permission: string): RequestHandler[] {\n return allowSysAdminOrRolesOrAnyPermission([\"AUTH_ADMIN\"], [permission]);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCO,IAAM,oBAAoB;AAE1B,IAAM,qBAAqB;AAC3B,IAAM,oBAAoB;AAC1B,IAAM,sBAAsB;AAE5B,IAAM,0BAA0B;;;ACQvC,SAAS,qBAAqB,GAA2B;AACrD,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,QAAM,IAAI,EAAE,KAAK;AACjB,MAAI,CAAC,EAAG,QAAO;AAGf,MAAI,EAAE,WAAW,GAAG,KAAK,EAAE,WAAW,GAAG,KAAK,EAAE,SAAS,GAAG,EAAG,QAAO;AAGtE,MAAI,EAAE,SAAS,EAAG,QAAO;AAEzB,SAAO;AACX;AAKA,SAAS,EAAE,SAA8B,KAAsB;AAC3D,SAAO,QAAQ,GAAG,KAAK,QAAQ,IAAI,YAAY,CAAC,KAAK,QAAQ,IAAI,YAAY,CAAC;AAClF;AASO,SAAS,6BAA6B,SAA8C;AACvF,SAAO;AAAA,IACH,WAAW,qBAAqB,EAAE,SAAS,iBAAiB,CAAC,KAAK;AAAA,IAClE,aAAa,qBAAqB,EAAE,SAAS,kBAAkB,CAAC,KAAK;AAAA,IACrE,YAAY,qBAAqB,EAAE,SAAS,iBAAiB,CAAC,KAAK;AAAA,IACnE,cAAc,qBAAqB,EAAE,SAAS,mBAAmB,CAAC,KAAK;AAAA,EAC3E;AACJ;;;ACxCe,SAAR,aAA8B,KAAc,MAAgB,MAAoB;AACnF,EAAC,IAAY,UAAU,6BAA6B,IAAI,OAAc;AACtE,OAAK;AACT;;;ACXA,oBAAsC;AAE/B,IAAM,oBAAoB;AAC1B,IAAM,wBAAwB;AAC9B,IAAM,6BAA6B;AAO3B,SAAR,UAA2B,KAAc,KAAe,MAAoB;AAC/E,QAAM,WAAY,IAAI,QAAQ,iBAAiB,KAAK,IAAI,QAAQ,qBAAqB;AAKrF,QAAM,KAAK,UAAU,KAAK,SAAK,0BAAW;AAG1C,EAAC,IAAY,YAAY;AACzB,MAAI,OAAO,YAAY;AAGvB,MAAI,UAAU,4BAA4B,EAAE;AAE5C,OAAK;AACT;;;AC5BA,gBAAe;AACf,IAAAA,iBAAmB;;;ACCZ,SAAS,OAAU,MAAe,KAAe,MAAS,aAAa,KAAK;AAC/E,SAAO,IAAI,OAAO,UAAU,EAAE,KAAK,EAAC,IAAI,MAAM,MAAM,WAAW,IAAI,QAAQ,aAAa,KAAI,CAAC;AACjG;AAEO,SAAS,UACZ,MACA,KACA,YACA,MACA,SACA,SACF;AACE,SAAO,IAAI,OAAO,UAAU,EAAE,KAAK;AAAA,IAC/B,IAAI;AAAA,IACJ,OAAO,EAAC,MAAM,SAAS,GAAI,YAAY,SAAY,EAAC,QAAO,IAAI,CAAC,EAAE;AAAA,IAClE,WAAW,IAAI,QAAQ,aAAa;AAAA,EACxC,CAAC;AACL;;;ADdA,SAAS,eAAe,MAA8B;AAClD,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI;AACA,UAAM,IAAI,UAAAC,QAAG,aAAa,MAAM,MAAM,EAAE,KAAK;AAC7C,WAAO,EAAE,SAAS,IAAI;AAAA,EAC1B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,UAAU,GAA6B;AAC5C,MAAI,CAAC,EAAG,QAAO,CAAC;AAChB,SAAO,EAAE,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AAC3D;AAEA,SAAS,kBAA4B;AACjC,QAAM,UAAU,eAAe,QAAQ,IAAI,qBAAqB;AAChE,QAAM,UAAU,QAAQ,IAAI,oBAAoB,IAAI,KAAK;AACzD,QAAM,MAAM,WAAW;AACvB,SAAO,UAAU,GAAG;AACxB;AAEA,SAAS,aAAa,KAA6B;AAC/C,QAAM,UAAU,IAAI,OAAO,uBAAuB,KAAK,IAAI,KAAK;AAChE,SAAO,UAAU;AACrB;AAEA,SAAS,WAAW,GAAW,GAAoB;AAC/C,QAAM,KAAK,OAAO,KAAK,CAAC;AACxB,QAAM,KAAK,OAAO,KAAK,CAAC;AACxB,MAAI,GAAG,WAAW,GAAG,OAAQ,QAAO;AACpC,SAAO,eAAAC,QAAO,gBAAgB,IAAI,EAAE;AACxC;AAEe,SAAR,aAA8B,KAAc,KAAe,MAAoB;AAClF,QAAM,QAAQ,aAAa,GAAG;AAE9B,MAAI,CAAC,OAAO;AACR,WAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,6BAA6B,uBAAuB,GAAG;AAAA,EAC3G;AAEA,QAAM,eAAe,gBAAgB;AACrC,MAAI,aAAa,WAAW,GAAG;AAC3B,WAAO;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACJ;AAAA,EACJ;AAEA,QAAM,KAAK,aAAa,KAAK,CAAC,MAAM,WAAW,OAAO,CAAC,CAAC;AACxD,MAAI,CAAC,IAAI;AACL,WAAO,UAAU,KAAK,KAAK,KAAK,aAAa,0BAA0B;AAAA,EAC3E;AAEA,SAAO,KAAK;AAChB;;;AEnDA,SAAS,QAAQ,KAAyB;AACtC,SAAS,IAAY,QAAQ,CAAC;AAClC;AAEA,SAAS,cAAc,GAAuB;AAC1C,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,MAAI,OAAO,MAAM,SAAU,QAAO,EAAE,QAAQ,EAAE,QAAQ;AACtD,SAAO;AACX;AAEA,SAAS,SAAS,MAA8B;AAC5C,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,KAAK,KAAK,SAAS,CAAC,GAAG;AAC9B,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,EAAG,KAAI,IAAI,CAAC;AAAA,EACpB;AACA,SAAO;AACX;AAEA,SAAS,SAAS,MAAsC;AACpD,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,KAAK,QAAQ,CAAC,GAAG;AACxB,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,EAAG,KAAI,IAAI,CAAC;AAAA,EACpB;AACA,SAAO;AACX;AAMO,SAAS,qBAAqB;AACjC,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,QAAI,CAAE,IAAY,MAAM;AACpB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IAC1E;AACA,WAAO,KAAK;AAAA,EAChB;AACJ;AAKA,SAAS,WAAW,MAAiB,cAAsB;AACvD,QAAM,OAAO,SAAS,IAAI;AAC1B,SAAO,KAAK,IAAI,YAAY;AAChC;AAUO,SAAS,mBACZ,OACA,SACF;AACE,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAG7C,eAAW,KAAK,OAAO;AACnB,UAAI,KAAK,IAAI,CAAC,GAAG;AACb,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,UACpE,QAAQ;AAAA,QACZ,CAAC;AAAA,MACL;AAAA,IACJ;AAEA,UAAM,UAAU,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;AACjD,QAAI,QAAQ,QAAQ;AAChB,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,uBAAuB;AAAA,QAChE;AAAA,QACA,MAAM;AAAA,MACV,CAAC;AAAA,IACL;AAEA,WAAO,KAAK;AAAA,EAChB;AACJ;AAMO,SAAS,qBACZ,OACA,SACF;AACE,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAG7C,eAAW,KAAK,OAAO;AACnB,UAAI,KAAK,IAAI,CAAC,GAAG;AACb,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,UACpE,QAAQ;AAAA,QACZ,CAAC;AAAA,MACL;AAAA,IACJ;AAEA,UAAM,KAAK,MAAM,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AACzC,QAAI,CAAC,IAAI;AACL,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,qBAAqB;AAAA,QAC9D,UAAU;AAAA,QACV,MAAM;AAAA,MACV,CAAC;AAAA,IACL;AAEA,WAAO,KAAK;AAAA,EAChB;AACJ;AAQO,SAAS,aACZ,OACA,SACF;AACE,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,UAAM,OAAO,QAAQ,GAAG;AAGxB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,OAAO,SAAS,IAAI;AAC1B,QAAI,CAAC,MAAM,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,GAAG;AACjC,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,oBAAoB;AAAA,QAC7D,UAAU;AAAA,QACV,MAAM;AAAA,MACV,CAAC;AAAA,IACL;AAEA,WAAO,KAAK;AAAA,EAChB;AACJ;AAMO,SAAS,4BACZ,OACA,OACA,SACF;AACE,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,YAAY,SAAS,IAAI;AAC/B,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAG7C,eAAW,KAAK,OAAO;AACnB,UAAI,KAAK,IAAI,CAAC,GAAG;AACb,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,UACpE,QAAQ;AAAA,QACZ,CAAC;AAAA,MACL;AAAA,IACJ;AAEA,UAAM,SAAS,MAAM,KAAK,CAAC,MAAM,UAAU,IAAI,CAAC,CAAC;AACjD,UAAM,SAAS,MAAM,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AAE7C,QAAI,CAAC,UAAU,CAAC,QAAQ;AACpB,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,iBAAiB;AAAA,QAC1D;AAAA,QACA,aAAa;AAAA,QACb,MAAM;AAAA,MACV,CAAC;AAAA,IACL;AAEA,WAAO,KAAK;AAAA,EAChB;AACJ;;;AC3NA,4BAAkB;AAClB,0BAA8B;AAC9B,IAAAC,aAAe;AAoCf,SAAS,eAAe,KAAyB;AAC7C,QAAM,OAAO,OAAO,IAAI,SAAS,iBAAiB,EAAE;AACpD,MAAI,CAAC,KAAK,WAAW,SAAS,EAAG,QAAO;AACxC,QAAM,QAAQ,KAAK,MAAM,CAAC,EAAE,KAAK;AACjC,SAAO,MAAM,SAAS,QAAQ;AAClC;AAEA,SAAS,gBAAwB;AAC7B,QAAM,gBAAgB,QAAQ,IAAI;AAClC,QAAM,eAAe,QAAQ,IAAI,uBAAuB,QAAQ,IAAI,uBAAuB;AAE3F,MAAI,eAAe;AACf,UAAM,IAAI,WAAAC,QAAG,aAAa,eAAe,MAAM,EAAE,KAAK;AACtD,QAAI,EAAG,QAAO;AAAA,EAClB;AAEA,QAAM,SAAS,aAAa,QAAQ,QAAQ,IAAI,EAAE,KAAK;AACvD,MAAI,OAAQ,QAAO;AAEnB,QAAM,IAAI,MAAM,4FAA4F;AAChH;AAEA,SAAS,sBAAsB,KAAyB;AACpD,QAAM,YAAY,cAAc;AAChC,QAAM,WAAW,QAAQ,IAAI,gBAAgB,QAAQ,IAAI,qBAAqB;AAC9E,QAAM,SAAS,QAAQ,IAAI,cAAc,QAAQ,IAAI,mBAAmB;AAExE,SAAO,oBAAAC,QAAI,OAAO,KAAK,WAAW;AAAA,IAC9B,YAAY,CAAC,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,EACJ,CAAC;AACL;AAEA,SAAS,aAAa,GAAuB;AACzC,QAAM,IAAI,OAAO,KAAK,EAAE,EAAE,KAAK;AAC/B,SAAO,EAAE,SAAS,IAAI;AAC1B;AAEA,SAAS,oBAAoB,SAAc,YAA2B,WAA0B;AAC5F,QAAM,qBAAqB,MAAM,QAAQ,SAAS,SAAS,IAAI,QAAQ,YAAY,CAAC;AAEpF,QAAM,UACF,SAAS,YACR,aAAa,mBAAmB,KAAK,CAAC,MAAW,GAAG,QAAQ,UAAU,IAAI,SAC3E;AAEJ,QAAM,SACF,SAAS,WACR,aAAa,SAAS,YAAY,QAAQ,YAAY,CAAC,GAAG,KAAK,CAAC,MAAW,GAAG,QAAQ,SAAS,IAAI,SACpG;AAEJ,SAAO,EAAC,oBAAoB,SAAS,OAAM;AAC/C;AAOA,SAAS,mBAAmB,SAA6B;AACrD,QAAM,SAAS,aAAa,SAAS,YAAY;AACjD,MAAI,OAAQ,QAAO;AAEnB,QAAM,MAAM,aAAa,SAAS,GAAG;AACrC,MAAI,CAAC,IAAK,QAAO;AAEjB,QAAM,IAAI,cAAc,KAAK,GAAG;AAChC,SAAO,IAAI,CAAC,IAAI,aAAa,EAAE,CAAC,CAAC,IAAI;AACzC;AAEA,SAAS,mBAAmB,SAA6B;AACrD,QAAM,SAAS,aAAa,SAAS,YAAY;AACjD,MAAI,OAAQ,QAAO;AAEnB,QAAM,MAAM,aAAa,SAAS,GAAG;AACrC,MAAI,CAAC,IAAK,QAAO;AAEjB,QAAM,IAAI,cAAc,KAAK,GAAG;AAChC,SAAO,IAAI,CAAC,IAAI,aAAa,EAAE,CAAC,CAAC,IAAI;AACzC;AAEO,SAAS,qBAAqB,MAA4D;AAC7F,QAAM,EAAC,SAAS,uBAAuB,MAAK,IAAI;AAEhD,SAAO,OAAO,KAAU,KAAe,SAAuB;AAC1D,UAAM,QAAQ,eAAe,GAAG;AAChC,QAAI,CAAC,OAAO;AACR,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QACxB,IAAI;AAAA,QACJ,MAAM;AAAA,QACN,SAAS;AAAA,MACb,CAAC;AAAA,IACL;AAGA,QAAI;AACA,YAAM,UAAe,sBAAsB,KAAK;AAEhD,YAAM,YAAa,IAAY,WAAW,CAAC;AAC3C,YAAM,aAAa,aAAa,UAAU,WAAW;AACrD,YAAM,YAAY,aAAa,UAAU,UAAU;AAEnD,YAAM,EAAC,oBAAoB,SAAS,OAAM,IAAI,oBAAoB,SAAS,YAAY,SAAS;AAEhG,YAAM,MAAmB;AAAA,QACrB,WAAW;AAAA,QACX;AAAA,QAEA,aAAa,cAAc;AAAA,QAC3B,YAAY,aAAa;AAAA,QAEzB,WAAW;AAAA,QACX;AAAA,QACA;AAAA,QAEA,OAAO,MAAM,QAAQ,SAAS,KAAK,IAAI,QAAQ,QAAQ,CAAC;AAAA,QACxD,aAAa,MAAM,QAAQ,SAAS,WAAW,IAAI,QAAQ,cAAc,CAAC;AAAA,QAC1E,oBAAoB,MAAM,QAAQ,SAAS,kBAAkB,IAAI,QAAQ,qBAAqB,CAAC;AAAA,QAE/F,SAAS;AAAA,UACL,KAAK,SAAS;AAAA,UACd,WAAW,SAAS;AAAA,UACpB,YAAY,SAAS;AAAA,QACzB;AAAA,MACJ;AAEA,UAAI,YAAY,YAAY;AACxB,cAAM,eAAe,mBAAmB,OAAO;AAC/C,YAAI,CAAC,cAAc;AACf,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AACA,YAAI,eAAe;AAGnB,cAAM,WAAW,SAAS,YAAY,SAAS,QAAQ;AACvD,YAAI,WAAW,YAAY,OAAO,aAAa,WACzC,WACA,EAAC,KAAK,cAAc,OAAO,SAAS,SAAS,KAAI;AAAA,MAC3D,OAAO;AACH,cAAM,eAAe,mBAAmB,OAAO;AAC/C,YAAI,CAAC,cAAc;AACf,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AACA,YAAI,eAAe;AAEnB,cAAM,WAAW,SAAS,YAAY;AACtC,YAAI,WAAW,YAAY,OAAO,aAAa,WACzC,WACA,EAAC,KAAK,aAAY;AAAA,MAC5B;AAEA,UAAI,OAAO;AACX,aAAO,KAAK;AAAA,IAChB,QAAQ;AAEJ,UAAI,CAAC,sBAAsB;AACvB,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UACxB,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACb,CAAC;AAAA,MACL;AAEA,UAAI;AACA,cAAM,kBAAkB,MAAM,sBAAAC,QAAM,KAAK,EAAE,cAAc,KAAK;AAE9D,YAAI,gBAAgB,SAAS,gBAAgB,mBAAmB,OAAO;AACnE,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AAEA,cAAM,YAAa,IAAY,WAAW,CAAC;AAC3C,cAAM,aAAa,aAAa,UAAU,WAAW;AACrD,cAAM,YAAY,aAAa,UAAU,UAAU;AAEnD,YAAI,OAAO;AAAA,UACP,WAAW;AAAA,UACX;AAAA,UACA,UAAU;AAAA,UACV,aAAa,cAAc;AAAA,UAC3B,YAAY,aAAa;AAAA,UACzB,WAAW,CAAC;AAAA,UACZ,OAAO,CAAC;AAAA,UACR,aAAa,CAAC;AAAA,UACd,oBAAoB,CAAC;AAAA,QACzB;AAEA,eAAO,KAAK;AAAA,MAChB,QAAQ;AACJ,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UACxB,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACb,CAAC;AAAA,MACL;AAAA,IACJ;AAAA,EACJ;AACJ;AAEO,IAAM,uBAAuB,qBAAqB,EAAC,SAAS,YAAY,sBAAsB,MAAK,CAAC;AACpG,IAAM,uBAAuB,qBAAqB,EAAC,SAAS,YAAY,sBAAsB,MAAK,CAAC;AACpG,IAAM,4BAA4B,qBAAqB,EAAC,SAAS,YAAY,sBAAsB,KAAI,CAAC;AACxG,IAAM,4BAA4B,qBAAqB,EAAC,SAAS,YAAY,sBAAsB,KAAI,CAAC;;;ACrP/G,SAAS,cAAc,GAA6B;AAChD,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,SAAO,EAAE,QAAQ,EAAE,QAAQ;AAC/B;AAEA,SAAS,cAAc,GAA6B;AAChD,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,SAAO,EAAE,QAAQ,EAAE,QAAQ;AAC/B;AAEA,SAASC,YAAW,OAAyC;AACzD,MAAI,CAAC,MAAM,QAAQ,KAAK,EAAG,QAAO;AAClC,SAAO,MAAM,KAAK,CAAC,MAAM,cAAc,CAAC,MAAM,WAAW;AAC7D;AAEA,SAASC,SAAQ,KAAc;AAC3B,SAAS,IAAY,QAAQ,CAAC;AAKlC;AAEA,SAAS,eAAe,MAAkC;AACtD,QAAM,QAAQ,IAAI,KAAa,KAAK,eAAe,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO,CAAa;AACrG,QAAM,OAAO,IAAI,KAAa,KAAK,sBAAsB,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO,CAAa;AAC3G,SAAO,EAAC,OAAO,KAAI;AACvB;AAEA,SAAS,QAAQ,MAAkC;AAC/C,SAAO,IAAI,KAAa,KAAK,SAAS,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO,CAAa;AAC5F;AAOO,SAAS,gCAAgC,OAAmC;AAC/E,QAAM,YAAY,SAAS,CAAC,GAAG,OAAO,OAAO;AAE7C,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA,CAAC,KAAc,KAAe,SAAuB;AACjD,YAAM,OAAOA,SAAQ,GAAG;AACxB,UAAID,YAAW,KAAK,KAAK,EAAG,QAAO,KAAK;AAExC,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AAEzC,iBAAW,KAAK,UAAU;AACtB,YAAI,KAAK,IAAI,CAAC,GAAG;AACb,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI,EAAC,QAAQ,EAAC,CAAC;AAAA,QACvF;AAAA,MACJ;AAEA,YAAM,KAAK,SAAS,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AAC5C,UAAI,CAAC,IAAI;AACL,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,6BAA6B,EAAC,SAAQ,CAAC;AAAA,MACxF;AAEA,aAAO,KAAK;AAAA,IAChB;AAAA,EACJ;AACJ;AAKO,SAAS,iCAAiC,OAAmC;AAChF,QAAM,YAAY,SAAS,CAAC,GAAG,OAAO,OAAO;AAE7C,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA,CAAC,KAAc,KAAe,SAAuB;AACjD,YAAM,OAAOC,SAAQ,GAAG;AACxB,UAAID,YAAW,KAAK,KAAK,EAAG,QAAO,KAAK;AAExC,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AAEzC,iBAAW,KAAK,UAAU;AACtB,YAAI,KAAK,IAAI,CAAC,GAAG;AACb,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI,EAAC,QAAQ,EAAC,CAAC;AAAA,QACvF;AAAA,MACJ;AAEA,YAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;AACpD,UAAI,QAAQ,QAAQ;AAChB,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,6BAA6B,EAAC,UAAU,QAAO,CAAC;AAAA,MACjG;AAEA,aAAO,KAAK;AAAA,IAChB;AAAA,EACJ;AACJ;AAKO,SAAS,wBAAwB,OAAmC;AACvE,QAAM,YAAY,SAAS,CAAC,GAAG,OAAO,OAAO;AAE7C,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA,CAAC,KAAc,KAAe,SAAuB;AACjD,YAAM,OAAOC,SAAQ,GAAG;AACxB,UAAID,YAAW,KAAK,KAAK,EAAG,QAAO,KAAK;AAExC,YAAM,OAAO,QAAQ,IAAI;AAEzB,YAAM,KAAK,SAAS,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC;AAC3C,UAAI,CAAC,IAAI;AACL,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,oBAAoB,EAAC,SAAQ,CAAC;AAAA,MAC/E;AAEA,aAAO,KAAK;AAAA,IAChB;AAAA,EACJ;AACJ;AAMO,SAAS,oCACZ,OACA,aACgB;AAChB,QAAM,iBAAiB,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK,GAAG,OAAO,OAAO;AAC7E,QAAM,iBAAiB,MAAM,QAAQ,WAAW,IAAI,cAAc,CAAC,WAAW,GAAG,OAAO,OAAO;AAE/F,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA,CAAC,KAAc,KAAe,SAAuB;AACjD,YAAM,OAAOC,SAAQ,GAAG;AACxB,UAAID,YAAW,KAAK,KAAK,EAAG,QAAO,KAAK;AAExC,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AACzC,iBAAW,KAAK,eAAe;AAC3B,YAAI,KAAK,IAAI,CAAC,GAAG;AACb,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,WAAW,CAAC,IAAI,EAAC,YAAY,EAAC,CAAC;AAAA,QAChF;AAAA,MACJ;AAEA,YAAM,YAAY,QAAQ,IAAI;AAC9B,UAAI,cAAc,KAAK,CAAC,MAAM,UAAU,IAAI,CAAC,CAAC,EAAG,QAAO,KAAK;AAE7D,UAAI,cAAc,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC,EAAG,QAAO,KAAK;AAEzD,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,qBAAqB;AAAA,QAC9D,OAAO;AAAA,QACP,aAAa;AAAA,QACb,MAAM;AAAA,MACV,CAAC;AAAA,IACL;AAAA,EACJ;AACJ;AAMO,SAAS,qBAAqB,YAAsC;AACvE,SAAO,oCAAoC,CAAC,YAAY,GAAG,CAAC,UAAU,CAAC;AAC3E;","names":["import_crypto","fs","crypto","import_fs","fs","jwt","admin","isSysAdmin","getAuth"]}
1
+ {"version":3,"sources":["../../src/middlewares/index.ts","../../src/headers/constants.ts","../../src/headers/parse.ts","../../src/middlewares/parseHeaders.ts","../../src/middlewares/requestId.ts","../../src/middlewares/internalAuth.ts","../../src/middlewares/respond.ts","../../src/middlewares/authorization.ts","../../src/middlewares/guards.ts"],"sourcesContent":["export { default as parseHeaders } from \"./parseHeaders\";\nexport { default as requestId } from \"./requestId\";\nexport { default as internalAuth } from \"./internalAuth\";\n\nexport { sendOk, sendError } from \"./respond\";\n\n// authorization.ts\nexport {\n requireAuthContext,\n requirePermissions,\n requireAnyPermission,\n requireRoles,\n requireRolesOrAnyPermission,\n} from \"./authorization\";\n\n// guards.ts\nexport {\n allowSysAdminOrAnyPermission,\n allowSysAdminOrPermissionsAll,\n allowSysAdminOrRoles,\n allowSysAdminOrRolesOrAnyPermission,\n allowAuthAdminOrPerm,\n} from \"./guards\";\n","// packages/sdk/src/constants.ts\nexport const HEADER_REQUEST_ID = \"x-request-id\";\n\nexport const HEADER_COMPANY_UID = \"x-company\";\nexport const HEADER_BRANCH_UID = \"x-branch\";\nexport const HEADER_EMPLOYEE_UID = \"x-employee-uid\";\n\nexport const HEADER_INTERNAL_API_KEY = \"x-internal-api-key\";\nexport const HEADER_AUTHORIZATION = \"authorization\";\n","// packages/sdk/src/parse.ts\nimport {\n HEADER_BRANCH_UID,\n HEADER_COMPANY_UID,\n HEADER_EMPLOYEE_UID,\n HEADER_REQUEST_ID,\n} from \"./constants\";\n\nexport type RequestContext = {\n requestId?: string | null;\n company_uid?: string | null;\n branch_uid?: string | null;\n employee_uid?: string | null;\n};\n\nfunction normalizeHeaderValue(v: unknown): string | null {\n if (typeof v !== \"string\") return null;\n const s = v.trim();\n if (!s) return null;\n\n // ✅ NO-LEGACY: bloquea JSON en headers\n if (s.startsWith(\"{\") || s.startsWith(\"[\") || s.includes('\"')) return null;\n\n // Evitar valores demasiado cortos (basura)\n if (s.length < 6) return null;\n\n return s;\n}\n\n/**\n * Lee header aunque venga en mayúsculas/minúsculas (Express suele bajar a lower-case).\n */\nfunction h(headers: Record<string, any>, key: string): unknown {\n return headers[key] ?? headers[key.toLowerCase()] ?? headers[key.toUpperCase()];\n}\n\n/**\n * ✅ NO-LEGACY:\n * - x-company: <UID>\n * - x-branch: <UID>\n * - x-employee-uid: <UID> (opcional; NO reemplaza JWT)\n * - x-request-id: string (opcional)\n */\nexport function getRequestContextFromHeaders(headers: Record<string, any>): RequestContext {\n return {\n requestId: normalizeHeaderValue(h(headers, HEADER_REQUEST_ID)) ?? null,\n company_uid: normalizeHeaderValue(h(headers, HEADER_COMPANY_UID)) ?? null,\n branch_uid: normalizeHeaderValue(h(headers, HEADER_BRANCH_UID)) ?? null,\n employee_uid: normalizeHeaderValue(h(headers, HEADER_EMPLOYEE_UID)) ?? null,\n };\n}\n","// sdk/src/middlewares/parseHeaders.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {getRequestContextFromHeaders} from \"../headers\";\n\n/**\n * ✅ NO-LEGACY / ESTÁNDAR:\n * - Lee SOLO x-company y x-branch (UIDs planos)\n * - Setea req.context = { company_uid, branch_uid }\n * - NO toca req.auth (auth lo setea authentication/requireAuth)\n */\nexport default function parseHeaders(req: Request, _res: Response, next: NextFunction) {\n (req as any).context = getRequestContextFromHeaders(req.headers as any);\n next();\n}\n","// middlewares/requestId.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {randomUUID, randomBytes} from \"crypto\";\n\nexport const REQUEST_ID_HEADER = \"x-request-id\";\nexport const REQUEST_ID_HEADER_ALT = \"x-requestid\";\nexport const RESPONSE_REQUEST_ID_HEADER = \"X-Request-Id\";\n\n// Si quieres IDs más cortos (opcional). Por defecto usamos UUID.\nfunction nanoidLike(len = 21) {\n return randomBytes(16).toString(\"base64url\").slice(0, len);\n}\n\nexport default function requestId(req: Request, res: Response, next: NextFunction) {\n const headerId = (req.headers[REQUEST_ID_HEADER] || req.headers[REQUEST_ID_HEADER_ALT]) as\n | string\n | undefined;\n\n // ✅ estándar único: usa UUID (o cambia a nanoidLike() si prefieres corto)\n const id = headerId?.trim() || randomUUID();\n\n // ✅ estándar único (no legacy)\n (req as any).requestId = id;\n res.locals.requestId = id;\n\n // ✅ respuesta\n res.setHeader(RESPONSE_REQUEST_ID_HEADER, id);\n\n next();\n}\n","import type {Request, Response, NextFunction} from \"express\";\nimport fs from \"fs\";\nimport crypto from \"crypto\";\nimport {sendError} from \"./respond\";\nimport {HEADER_INTERNAL_API_KEY} from \"../headers\";\n\nfunction readSecretFile(path?: string): string | null {\n if (!path) return null;\n try {\n const v = fs.readFileSync(path, \"utf8\").trim();\n return v.length ? v : null;\n } catch {\n return null;\n }\n}\n\nfunction splitKeys(v?: string | null): string[] {\n if (!v) return [];\n return v.split(\",\").map((s) => s.trim()).filter(Boolean);\n}\n\nfunction getExpectedKeys(): string[] {\n const fileKey = readSecretFile(process.env.INTERNAL_API_KEY_FILE);\n const envKey = (process.env.INTERNAL_API_KEY || \"\").trim();\n const raw = fileKey || envKey;\n return splitKeys(raw);\n}\n\nfunction extractToken(req: Request): string | null {\n const apiKey = (req.header(HEADER_INTERNAL_API_KEY) || \"\").trim();\n return apiKey || null;\n}\n\nfunction safeEquals(a: string, b: string): boolean {\n const aa = Buffer.from(a);\n const bb = Buffer.from(b);\n if (aa.length !== bb.length) return false;\n return crypto.timingSafeEqual(aa, bb);\n}\n\nexport default function internalAuth(req: Request, res: Response, next: NextFunction) {\n const token = extractToken(req);\n\n if (!token) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", `Missing internal api key (${HEADER_INTERNAL_API_KEY})`);\n }\n\n const expectedKeys = getExpectedKeys();\n if (expectedKeys.length === 0) {\n return sendError(\n req,\n res,\n 500,\n \"MISCONFIGURED_INTERNAL_AUTH\",\n \"Internal api key not configured (INTERNAL_API_KEY or INTERNAL_API_KEY_FILE)\"\n );\n }\n\n const ok = expectedKeys.some((k) => safeEquals(token, k));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Invalid internal api key\");\n }\n\n return next();\n}\n","// packages/sdk/src/middleware/respond.ts\nimport type {Request, Response} from \"express\";\n\nexport function sendOk<T>(_req: Request, res: Response, data: T, statusCode = 200) {\n return res.status(statusCode).json({ok: true, data, requestId: res.locals?.requestId ?? null});\n}\n\nexport function sendError(\n _req: Request,\n res: Response,\n statusCode: number,\n code: string,\n message: string,\n details?: any\n) {\n return res.status(statusCode).json({\n ok: false,\n error: {code, message, ...(details !== undefined ? {details} : {})},\n requestId: res.locals?.requestId ?? null,\n });\n}\n","import type {Request, Response, NextFunction} from \"express\";\nimport {sendError} from \"./respond\";\n\ntype AuthRole = string | { code?: string; name?: string };\ntype AuthPermission = string | { code?: string; name?: string };\n\ntype AuthShape = {\n roles?: AuthRole[];\n permissions?: AuthPermission[];\n denied_permissions?: AuthPermission[];\n};\n\nfunction getAuth(req: Request): AuthShape {\n return ((req as any).auth ?? {}) as AuthShape;\n}\n\nfunction hasAuthContext(req: Request): boolean {\n return !!(req as any).auth;\n}\n\nfunction normalizeCode(v: any): string | null {\n if (!v) return null;\n if (typeof v === \"string\") return v;\n if (typeof v === \"object\") return v.code || v.name || null;\n return null;\n}\n\nfunction rolesSet(auth: AuthShape): Set<string> {\n const out = new Set<string>();\n for (const r of auth.roles || []) {\n const c = normalizeCode(r);\n if (c) out.add(c);\n }\n return out;\n}\n\nfunction permsSet(list?: AuthPermission[]): Set<string> {\n const out = new Set<string>();\n for (const p of list || []) {\n const c = normalizeCode(p);\n if (c) out.add(c);\n }\n return out;\n}\n\nexport function requireAuthContext() {\n return (req: Request, res: Response, next: NextFunction) => {\n if (!hasAuthContext(req)) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n return next();\n };\n}\n\nfunction isSysAdmin(auth: AuthShape, sysAdminRole: string) {\n const have = rolesSet(auth);\n return have.has(sysAdminRole);\n}\n\nexport function requirePermissions(\n perms: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n if (!hasAuthContext(req)) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const missing = perms.filter((p) => !allow.has(p));\n if (missing.length) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions\", {\n missing,\n mode: \"ALL\",\n });\n }\n\n return next();\n };\n}\n\nexport function requireAnyPermission(\n perms: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n if (!hasAuthContext(req)) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const ok = perms.some((p) => allow.has(p));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Permission denied\", {\n required: perms,\n mode: \"ANY\",\n });\n }\n\n return next();\n };\n}\n\nexport function requireRoles(\n roles: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n if (!hasAuthContext(req)) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const have = rolesSet(auth);\n if (!roles.some((r) => have.has(r))) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Role not allowed\", {\n required: roles,\n mode: \"ANY\",\n });\n }\n\n return next();\n };\n}\n\nexport function requireRolesOrAnyPermission(\n roles: string[],\n perms: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n if (!hasAuthContext(req)) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const haveRoles = rolesSet(auth);\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const okRole = roles.some((r) => haveRoles.has(r));\n const okPerm = perms.some((p) => allow.has(p));\n\n if (!okRole && !okPerm) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Access denied\", {\n roles,\n permissions: perms,\n mode: \"ROLES_OR_PERMS_ANY\",\n });\n }\n\n return next();\n };\n}\n","import type {Request, Response, NextFunction, RequestHandler} from \"express\";\nimport parseHeaders from \"./parseHeaders\";\nimport {sendError} from \"./respond\";\n\ntype RoleShape = string | { code?: string; name?: string };\ntype PermShape = string | { code?: string; name?: string };\n\ntype GuardOptions = {\n /**\n * Middleware(s) de autenticación del microservicio.\n * Ej:\n * allowSysAdminOrAnyPermission([\"sale.read\"], { auth: authEmployeeRequired })\n */\n auth?: RequestHandler | RequestHandler[];\n\n /**\n * Si true, agrega parseHeaders automáticamente.\n * Default: true\n */\n includeParseHeaders?: boolean;\n\n /**\n * Rol que representa SysAdmin.\n * Default: SYS_ADMIN\n */\n sysAdminRole?: string;\n\n /**\n * Si false, desactiva bypass por SysAdmin.\n * Default: true\n */\n sysAdminBypass?: boolean;\n};\n\nfunction normalizeRole(r: RoleShape): string | null {\n if (!r) return null;\n if (typeof r === \"string\") return r;\n return r.code || r.name || null;\n}\n\nfunction normalizePerm(p: PermShape): string | null {\n if (!p) return null;\n if (typeof p === \"string\") return p;\n return p.code || p.name || null;\n}\n\nfunction getAuth(req: Request) {\n return ((req as any).auth ?? {}) as {\n roles?: RoleShape[];\n permissions?: PermShape[];\n denied_permissions?: PermShape[];\n };\n}\n\nfunction roleSet(auth: ReturnType<typeof getAuth>) {\n return new Set<string>(\n (auth.roles ?? []).map(normalizeRole).filter(Boolean) as string[]\n );\n}\n\nfunction permissionSets(auth: ReturnType<typeof getAuth>) {\n const allow = new Set<string>(\n (auth.permissions ?? []).map(normalizePerm).filter(Boolean) as string[]\n );\n const deny = new Set<string>(\n (auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean) as string[]\n );\n return {allow, deny};\n}\n\nfunction normalizeHandlers(auth?: RequestHandler | RequestHandler[]): RequestHandler[] {\n if (!auth) return [];\n return Array.isArray(auth) ? auth : [auth];\n}\n\nfunction buildBaseChain(options?: GuardOptions): RequestHandler[] {\n const chain: RequestHandler[] = [];\n\n if (options?.includeParseHeaders !== false) {\n chain.push(parseHeaders);\n }\n\n chain.push(...normalizeHandlers(options?.auth));\n\n return chain;\n}\n\nfunction hasSysAdmin(auth: ReturnType<typeof getAuth>, options?: GuardOptions): boolean {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n if (!sysAdminBypass) return false;\n\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n return roleSet(auth).has(sysAdminRole);\n}\n\n/**\n * Exige que exista req.auth.\n * Útil cuando auth ya fue montado antes y quieres validar contexto.\n */\nexport function requireAuthContext(options?: GuardOptions): RequestHandler[] {\n return [\n ...buildBaseChain(options),\n (req: Request, res: Response, next: NextFunction) => {\n if (!(req as any).auth) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n return next();\n },\n ];\n}\n\n/**\n * SYS_ADMIN bypass OR ANY permission\n */\nexport function allowSysAdminOrAnyPermission(\n perms: string[] | string,\n options?: GuardOptions\n): RequestHandler[] {\n const required = (Array.isArray(perms) ? perms : [perms]).filter(Boolean);\n\n return [\n ...buildBaseChain(options),\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (hasSysAdmin(auth, options)) return next();\n\n const {allow, deny} = permissionSets(auth);\n\n for (const p of required) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const ok = required.some((p) => allow.has(p));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions (ANY)\", {\n required,\n mode: \"ANY\",\n });\n }\n\n return next();\n },\n ];\n}\n\n/**\n * SYS_ADMIN bypass OR ALL permissions\n */\nexport function allowSysAdminOrPermissionsAll(\n perms: string[] | string,\n options?: GuardOptions\n): RequestHandler[] {\n const required = (Array.isArray(perms) ? perms : [perms]).filter(Boolean);\n\n return [\n ...buildBaseChain(options),\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (hasSysAdmin(auth, options)) return next();\n\n const {allow, deny} = permissionSets(auth);\n\n for (const p of required) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const missing = required.filter((p) => !allow.has(p));\n if (missing.length) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions (ALL)\", {\n required,\n missing,\n mode: \"ALL\",\n });\n }\n\n return next();\n },\n ];\n}\n\n/**\n * SYS_ADMIN bypass OR ANY role\n */\nexport function allowSysAdminOrRoles(\n roles: string[] | string,\n options?: GuardOptions\n): RequestHandler[] {\n const required = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);\n\n return [\n ...buildBaseChain(options),\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (hasSysAdmin(auth, options)) return next();\n\n const have = roleSet(auth);\n const ok = required.some((r) => have.has(r));\n\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Role not allowed\", {\n required,\n mode: \"ANY\",\n });\n }\n\n return next();\n },\n ];\n}\n\n/**\n * SYS_ADMIN bypass OR (roles ANY) OR (permissions ANY)\n * denied_permissions siempre gana\n */\nexport function allowSysAdminOrRolesOrAnyPermission(\n roles: string | string[],\n permissions: string | string[],\n options?: GuardOptions\n): RequestHandler[] {\n const requiredRoles = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);\n const requiredPerms = (Array.isArray(permissions) ? permissions : [permissions]).filter(Boolean);\n\n return [\n ...buildBaseChain(options),\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (hasSysAdmin(auth, options)) return next();\n\n const {allow, deny} = permissionSets(auth);\n const haveRoles = roleSet(auth);\n\n for (const p of requiredPerms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const okRole = requiredRoles.some((r) => haveRoles.has(r));\n if (okRole) return next();\n\n const okPerm = requiredPerms.some((p) => allow.has(p));\n if (okPerm) return next();\n\n return sendError(req, res, 403, \"FORBIDDEN\", \"Permission denied\", {\n roles: requiredRoles,\n permissions: requiredPerms,\n mode: \"ROLES_OR_ANY_PERMISSION\",\n });\n },\n ];\n}\n\n/**\n * Helper típico para AUTH backoffice\n */\nexport function allowAuthAdminOrPerm(\n permission: string,\n options?: GuardOptions\n): RequestHandler[] {\n return allowSysAdminOrRolesOrAnyPermission([\"AUTH_ADMIN\"], [permission], options);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCO,IAAM,oBAAoB;AAE1B,IAAM,qBAAqB;AAC3B,IAAM,oBAAoB;AAC1B,IAAM,sBAAsB;AAE5B,IAAM,0BAA0B;;;ACQvC,SAAS,qBAAqB,GAA2B;AACrD,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,QAAM,IAAI,EAAE,KAAK;AACjB,MAAI,CAAC,EAAG,QAAO;AAGf,MAAI,EAAE,WAAW,GAAG,KAAK,EAAE,WAAW,GAAG,KAAK,EAAE,SAAS,GAAG,EAAG,QAAO;AAGtE,MAAI,EAAE,SAAS,EAAG,QAAO;AAEzB,SAAO;AACX;AAKA,SAAS,EAAE,SAA8B,KAAsB;AAC3D,SAAO,QAAQ,GAAG,KAAK,QAAQ,IAAI,YAAY,CAAC,KAAK,QAAQ,IAAI,YAAY,CAAC;AAClF;AASO,SAAS,6BAA6B,SAA8C;AACvF,SAAO;AAAA,IACH,WAAW,qBAAqB,EAAE,SAAS,iBAAiB,CAAC,KAAK;AAAA,IAClE,aAAa,qBAAqB,EAAE,SAAS,kBAAkB,CAAC,KAAK;AAAA,IACrE,YAAY,qBAAqB,EAAE,SAAS,iBAAiB,CAAC,KAAK;AAAA,IACnE,cAAc,qBAAqB,EAAE,SAAS,mBAAmB,CAAC,KAAK;AAAA,EAC3E;AACJ;;;ACxCe,SAAR,aAA8B,KAAc,MAAgB,MAAoB;AACnF,EAAC,IAAY,UAAU,6BAA6B,IAAI,OAAc;AACtE,OAAK;AACT;;;ACXA,oBAAsC;AAE/B,IAAM,oBAAoB;AAC1B,IAAM,wBAAwB;AAC9B,IAAM,6BAA6B;AAO3B,SAAR,UAA2B,KAAc,KAAe,MAAoB;AAC/E,QAAM,WAAY,IAAI,QAAQ,iBAAiB,KAAK,IAAI,QAAQ,qBAAqB;AAKrF,QAAM,KAAK,UAAU,KAAK,SAAK,0BAAW;AAG1C,EAAC,IAAY,YAAY;AACzB,MAAI,OAAO,YAAY;AAGvB,MAAI,UAAU,4BAA4B,EAAE;AAE5C,OAAK;AACT;;;AC5BA,gBAAe;AACf,IAAAA,iBAAmB;;;ACCZ,SAAS,OAAU,MAAe,KAAe,MAAS,aAAa,KAAK;AAC/E,SAAO,IAAI,OAAO,UAAU,EAAE,KAAK,EAAC,IAAI,MAAM,MAAM,WAAW,IAAI,QAAQ,aAAa,KAAI,CAAC;AACjG;AAEO,SAAS,UACZ,MACA,KACA,YACA,MACA,SACA,SACF;AACE,SAAO,IAAI,OAAO,UAAU,EAAE,KAAK;AAAA,IAC/B,IAAI;AAAA,IACJ,OAAO,EAAC,MAAM,SAAS,GAAI,YAAY,SAAY,EAAC,QAAO,IAAI,CAAC,EAAE;AAAA,IAClE,WAAW,IAAI,QAAQ,aAAa;AAAA,EACxC,CAAC;AACL;;;ADdA,SAAS,eAAe,MAA8B;AAClD,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI;AACA,UAAM,IAAI,UAAAC,QAAG,aAAa,MAAM,MAAM,EAAE,KAAK;AAC7C,WAAO,EAAE,SAAS,IAAI;AAAA,EAC1B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,UAAU,GAA6B;AAC5C,MAAI,CAAC,EAAG,QAAO,CAAC;AAChB,SAAO,EAAE,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AAC3D;AAEA,SAAS,kBAA4B;AACjC,QAAM,UAAU,eAAe,QAAQ,IAAI,qBAAqB;AAChE,QAAM,UAAU,QAAQ,IAAI,oBAAoB,IAAI,KAAK;AACzD,QAAM,MAAM,WAAW;AACvB,SAAO,UAAU,GAAG;AACxB;AAEA,SAAS,aAAa,KAA6B;AAC/C,QAAM,UAAU,IAAI,OAAO,uBAAuB,KAAK,IAAI,KAAK;AAChE,SAAO,UAAU;AACrB;AAEA,SAAS,WAAW,GAAW,GAAoB;AAC/C,QAAM,KAAK,OAAO,KAAK,CAAC;AACxB,QAAM,KAAK,OAAO,KAAK,CAAC;AACxB,MAAI,GAAG,WAAW,GAAG,OAAQ,QAAO;AACpC,SAAO,eAAAC,QAAO,gBAAgB,IAAI,EAAE;AACxC;AAEe,SAAR,aAA8B,KAAc,KAAe,MAAoB;AAClF,QAAM,QAAQ,aAAa,GAAG;AAE9B,MAAI,CAAC,OAAO;AACR,WAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,6BAA6B,uBAAuB,GAAG;AAAA,EAC3G;AAEA,QAAM,eAAe,gBAAgB;AACrC,MAAI,aAAa,WAAW,GAAG;AAC3B,WAAO;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACJ;AAAA,EACJ;AAEA,QAAM,KAAK,aAAa,KAAK,CAAC,MAAM,WAAW,OAAO,CAAC,CAAC;AACxD,MAAI,CAAC,IAAI;AACL,WAAO,UAAU,KAAK,KAAK,KAAK,aAAa,0BAA0B;AAAA,EAC3E;AAEA,SAAO,KAAK;AAChB;;;AEpDA,SAAS,QAAQ,KAAyB;AACxC,SAAS,IAAY,QAAQ,CAAC;AAChC;AAEA,SAAS,eAAe,KAAuB;AAC7C,SAAO,CAAC,CAAE,IAAY;AACxB;AAEA,SAAS,cAAc,GAAuB;AAC5C,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,MAAI,OAAO,MAAM,SAAU,QAAO,EAAE,QAAQ,EAAE,QAAQ;AACtD,SAAO;AACT;AAEA,SAAS,SAAS,MAA8B;AAC9C,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,KAAK,KAAK,SAAS,CAAC,GAAG;AAChC,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,EAAG,KAAI,IAAI,CAAC;AAAA,EAClB;AACA,SAAO;AACT;AAEA,SAAS,SAAS,MAAsC;AACtD,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,KAAK,QAAQ,CAAC,GAAG;AAC1B,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,EAAG,KAAI,IAAI,CAAC;AAAA,EAClB;AACA,SAAO;AACT;AAEO,SAAS,qBAAqB;AACnC,SAAO,CAAC,KAAc,KAAe,SAAuB;AAC1D,QAAI,CAAC,eAAe,GAAG,GAAG;AACxB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IACxE;AACA,WAAO,KAAK;AAAA,EACd;AACF;AAEA,SAAS,WAAW,MAAiB,cAAsB;AACzD,QAAM,OAAO,SAAS,IAAI;AAC1B,SAAO,KAAK,IAAI,YAAY;AAC9B;AAEO,SAAS,mBACd,OACA,SACA;AACA,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AAC1D,QAAI,CAAC,eAAe,GAAG,GAAG;AACxB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IACxE;AAEA,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAE7C,eAAW,KAAK,OAAO;AACrB,UAAI,KAAK,IAAI,CAAC,GAAG;AACf,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,UACtE,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AAEA,UAAM,UAAU,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;AACjD,QAAI,QAAQ,QAAQ;AAClB,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,uBAAuB;AAAA,QAClE;AAAA,QACA,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AACF;AAEO,SAAS,qBACd,OACA,SACA;AACA,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AAC1D,QAAI,CAAC,eAAe,GAAG,GAAG;AACxB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IACxE;AAEA,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAE7C,eAAW,KAAK,OAAO;AACrB,UAAI,KAAK,IAAI,CAAC,GAAG;AACf,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,UACtE,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AAEA,UAAM,KAAK,MAAM,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AACzC,QAAI,CAAC,IAAI;AACP,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,qBAAqB;AAAA,QAChE,UAAU;AAAA,QACV,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AACF;AAEO,SAAS,aACd,OACA,SACA;AACA,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AAC1D,QAAI,CAAC,eAAe,GAAG,GAAG;AACxB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IACxE;AAEA,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,OAAO,SAAS,IAAI;AAC1B,QAAI,CAAC,MAAM,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,GAAG;AACnC,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,oBAAoB;AAAA,QAC/D,UAAU;AAAA,QACV,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AACF;AAEO,SAAS,4BACd,OACA,OACA,SACA;AACA,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AAC1D,QAAI,CAAC,eAAe,GAAG,GAAG;AACxB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IACxE;AAEA,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,YAAY,SAAS,IAAI;AAC/B,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAE7C,eAAW,KAAK,OAAO;AACrB,UAAI,KAAK,IAAI,CAAC,GAAG;AACf,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,UACtE,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AAEA,UAAM,SAAS,MAAM,KAAK,CAAC,MAAM,UAAU,IAAI,CAAC,CAAC;AACjD,UAAM,SAAS,MAAM,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AAE7C,QAAI,CAAC,UAAU,CAAC,QAAQ;AACtB,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,iBAAiB;AAAA,QAC5D;AAAA,QACA,aAAa;AAAA,QACb,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AACF;;;AC7KA,SAAS,cAAc,GAA6B;AAClD,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,SAAO,EAAE,QAAQ,EAAE,QAAQ;AAC7B;AAEA,SAAS,cAAc,GAA6B;AAClD,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,SAAO,EAAE,QAAQ,EAAE,QAAQ;AAC7B;AAEA,SAASC,SAAQ,KAAc;AAC7B,SAAS,IAAY,QAAQ,CAAC;AAKhC;AAEA,SAAS,QAAQ,MAAkC;AACjD,SAAO,IAAI;AAAA,KACR,KAAK,SAAS,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO;AAAA,EACtD;AACF;AAEA,SAAS,eAAe,MAAkC;AACxD,QAAM,QAAQ,IAAI;AAAA,KACf,KAAK,eAAe,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO;AAAA,EAC5D;AACA,QAAM,OAAO,IAAI;AAAA,KACd,KAAK,sBAAsB,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO;AAAA,EACnE;AACA,SAAO,EAAC,OAAO,KAAI;AACrB;AAEA,SAAS,kBAAkB,MAA4D;AACrF,MAAI,CAAC,KAAM,QAAO,CAAC;AACnB,SAAO,MAAM,QAAQ,IAAI,IAAI,OAAO,CAAC,IAAI;AAC3C;AAEA,SAAS,eAAe,SAA0C;AAChE,QAAM,QAA0B,CAAC;AAEjC,MAAI,SAAS,wBAAwB,OAAO;AAC1C,UAAM,KAAK,YAAY;AAAA,EACzB;AAEA,QAAM,KAAK,GAAG,kBAAkB,SAAS,IAAI,CAAC;AAE9C,SAAO;AACT;AAEA,SAAS,YAAY,MAAkC,SAAiC;AACtF,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,MAAI,CAAC,eAAgB,QAAO;AAE5B,QAAM,eAAe,SAAS,gBAAgB;AAC9C,SAAO,QAAQ,IAAI,EAAE,IAAI,YAAY;AACvC;AAqBO,SAAS,6BACd,OACA,SACkB;AAClB,QAAM,YAAY,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK,GAAG,OAAO,OAAO;AAExE,SAAO;AAAA,IACL,GAAG,eAAe,OAAO;AAAA,IACzB,CAAC,KAAc,KAAe,SAAuB;AACnD,YAAM,OAAOC,SAAQ,GAAG;AAExB,UAAI,YAAY,MAAM,OAAO,EAAG,QAAO,KAAK;AAE5C,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AAEzC,iBAAW,KAAK,UAAU;AACxB,YAAI,KAAK,IAAI,CAAC,GAAG;AACf,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,YACtE,QAAQ;AAAA,UACV,CAAC;AAAA,QACH;AAAA,MACF;AAEA,YAAM,KAAK,SAAS,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AAC5C,UAAI,CAAC,IAAI;AACP,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,6BAA6B;AAAA,UACxE;AAAA,UACA,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,aAAO,KAAK;AAAA,IACd;AAAA,EACF;AACF;AAKO,SAAS,8BACd,OACA,SACkB;AAClB,QAAM,YAAY,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK,GAAG,OAAO,OAAO;AAExE,SAAO;AAAA,IACL,GAAG,eAAe,OAAO;AAAA,IACzB,CAAC,KAAc,KAAe,SAAuB;AACnD,YAAM,OAAOA,SAAQ,GAAG;AAExB,UAAI,YAAY,MAAM,OAAO,EAAG,QAAO,KAAK;AAE5C,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AAEzC,iBAAW,KAAK,UAAU;AACxB,YAAI,KAAK,IAAI,CAAC,GAAG;AACf,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,YACtE,QAAQ;AAAA,UACV,CAAC;AAAA,QACH;AAAA,MACF;AAEA,YAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;AACpD,UAAI,QAAQ,QAAQ;AAClB,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,6BAA6B;AAAA,UACxE;AAAA,UACA;AAAA,UACA,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,aAAO,KAAK;AAAA,IACd;AAAA,EACF;AACF;AAKO,SAAS,qBACd,OACA,SACkB;AAClB,QAAM,YAAY,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK,GAAG,OAAO,OAAO;AAExE,SAAO;AAAA,IACL,GAAG,eAAe,OAAO;AAAA,IACzB,CAAC,KAAc,KAAe,SAAuB;AACnD,YAAM,OAAOA,SAAQ,GAAG;AAExB,UAAI,YAAY,MAAM,OAAO,EAAG,QAAO,KAAK;AAE5C,YAAM,OAAO,QAAQ,IAAI;AACzB,YAAM,KAAK,SAAS,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC;AAE3C,UAAI,CAAC,IAAI;AACP,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,oBAAoB;AAAA,UAC/D;AAAA,UACA,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,aAAO,KAAK;AAAA,IACd;AAAA,EACF;AACF;AAMO,SAAS,oCACd,OACA,aACA,SACkB;AAClB,QAAM,iBAAiB,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK,GAAG,OAAO,OAAO;AAC7E,QAAM,iBAAiB,MAAM,QAAQ,WAAW,IAAI,cAAc,CAAC,WAAW,GAAG,OAAO,OAAO;AAE/F,SAAO;AAAA,IACL,GAAG,eAAe,OAAO;AAAA,IACzB,CAAC,KAAc,KAAe,SAAuB;AACnD,YAAM,OAAOA,SAAQ,GAAG;AAExB,UAAI,YAAY,MAAM,OAAO,EAAG,QAAO,KAAK;AAE5C,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AACzC,YAAM,YAAY,QAAQ,IAAI;AAE9B,iBAAW,KAAK,eAAe;AAC7B,YAAI,KAAK,IAAI,CAAC,GAAG;AACf,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,YACtE,QAAQ;AAAA,UACV,CAAC;AAAA,QACH;AAAA,MACF;AAEA,YAAM,SAAS,cAAc,KAAK,CAAC,MAAM,UAAU,IAAI,CAAC,CAAC;AACzD,UAAI,OAAQ,QAAO,KAAK;AAExB,YAAM,SAAS,cAAc,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AACrD,UAAI,OAAQ,QAAO,KAAK;AAExB,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,qBAAqB;AAAA,QAChE,OAAO;AAAA,QACP,aAAa;AAAA,QACb,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAKO,SAAS,qBACd,YACA,SACkB;AAClB,SAAO,oCAAoC,CAAC,YAAY,GAAG,CAAC,UAAU,GAAG,OAAO;AAClF;","names":["import_crypto","fs","crypto","getAuth","getAuth"]}