@kabyeon/nexusjs 0.6.5

package/dist/auth/index.js.map

@@ -0,0 +1,25 @@
+{
+  "version": 3,
+  "sources": ["../src/core/constants.ts", "../src/core/decorators/controller.ts", "../src/core/decorators/http-methods.ts", "../src/core/decorators/params.ts", "../src/core/decorators/validate.ts", "../src/auth/auth.ts", "../src/core/decorators/module.ts", "../src/core/decorators/index.ts", "../src/core/decorators/injectable.ts", "../src/core/decorators/repository.ts", "../src/core/decorators/metadata.ts", "../src/auth/auth.service.ts", "../src/auth/auth.controller.ts", "../src/auth/auth.module.ts", "../src/auth/middleware.ts", "../src/auth/decorators/current-user.ts"],
+  "sourcesContent": [
+    "/**\n * Metadata keys used by reflect-metadata for storing decorator data.\n *\n * These constants are the contract between decorators and the framework\n * core (DI container, router, validator).\n */\nexport const METADATA_KEY = {\n\t/** Marks a class as a Nest-style controller, stores route prefix. */\n\tCONTROLLER: \"nexus:controller\",\n\n\t/** Marks a class as an injectable provider. */\n\tINJECTABLE: \"nexus:injectable\",\n\n\t/** Marks a class as a repository. */\n\tREPOSITORY: \"nexus:repository\",\n\n\t/** Marks a class as a module. Stores module options. */\n\tMODULE: \"nexus:module\",\n\n\t/** HTTP method routes registered on a controller (Get/Post/...). */\n\tROUTES: \"nexus:routes\",\n\n\t/** Method parameter type metadata (body/query/param/headers/ctx). */\n\tPARAMS: \"nexus:params\",\n\n\t/** Validation schema per method (Zod schema or class). */\n\tVALIDATE: \"nexus:validate\",\n\n\t/** Class-level design:paramtypes (built-in). */\n\tPARAMTYPES: \"design:paramtypes\",\n\n\t/** Class-level design:type (built-in). */\n\tTYPE: \"design:type\",\n\n\t/** Class-level design:returntype (built-in). */\n\tRETURNTYPE: \"design:returntype\",\n\n\t/** Provider token to inject for a parameter (for custom tokens). */\n\tINJECT: \"nexus:inject\",\n} as const;\n\nexport type MetadataKey = (typeof METADATA_KEY)[keyof typeof METADATA_KEY];\n\n/** Available parameter decorator locations. */\nexport const PARAM_TYPES = {\n\tREQUEST: 0,\n\tRESPONSE: 1,\n\tNEXT: 2,\n\tBODY: 3,\n\tQUERY: 4,\n\tPARAM: 5,\n\tHEADERS: 6,\n\tCTX: 7,\n\tUSER: 8,\n} as const;\n\nexport type ParamType = (typeof PARAM_TYPES)[keyof typeof PARAM_TYPES];\n\n/** HTTP methods supported by the router. */\nexport const HTTP_METHODS = [\n\t\"GET\",\n\t\"POST\",\n\t\"PUT\",\n\t\"DELETE\",\n\t\"PATCH\",\n\t\"OPTIONS\",\n\t\"HEAD\",\n] as const;\nexport type HttpMethod = (typeof HTTP_METHODS)[number];\n",
+    "/**\n * @Controller decorator.\n *\n * Marks a class as a controller and registers a route prefix.\n * Routes inside the controller class are decorated with @Get/@Post/etc.\n *\n * @example\n * ```ts\n * @Controller('/users')\n * class UserController {\n *   @Get('/')\n *   list() { ... }\n * }\n * ```\n */\nimport \"reflect-metadata\";\nimport { METADATA_KEY } from \"../constants.js\";\nimport type { ControllerMetadata } from \"../di/tokens.js\";\n\nexport function Controller(prefix: string = \"/\"): ClassDecorator {\n\treturn (target: object) => {\n\t\tconst normalized = normalizePrefix(prefix);\n\t\tconst meta: ControllerMetadata = { prefix: normalized };\n\t\tReflect.defineMetadata(METADATA_KEY.CONTROLLER, meta, target);\n\t};\n}\n\nexport function getControllerMetadata(target: any): ControllerMetadata {\n\treturn (\n\t\tReflect.getMetadata(METADATA_KEY.CONTROLLER, target) ?? { prefix: \"/\" }\n\t);\n}\n\nexport function isController(target: any): boolean {\n\treturn Reflect.hasMetadata(METADATA_KEY.CONTROLLER, target);\n}\n\n/**\n * Normalize a prefix so we can safely concatenate it with handler paths.\n * - Empty string becomes '/'.\n * - Trailing slashes are trimmed (we re-add them on the join).\n * - No leading slash is added; the router always joins with `/`.\n */\nfunction normalizePrefix(prefix: string): string {\n\tif (!prefix) return \"\";\n\tif (prefix !== \"/\" && prefix.endsWith(\"/\")) {\n\t\treturn prefix.slice(0, -1);\n\t}\n\treturn prefix;\n}\n",
+    "/**\n * HTTP method decorators.\n *\n * `@Get`, `@Post`, `@Put`, `@Delete`, `@Patch`, `@Options`, `@Head` mark a\n * controller method as a route handler. The path argument is appended to\n * the controller's prefix.\n *\n * @example\n * ```ts\n * @Controller('/users')\n * class UserController {\n *   @Get('/')\n *   list() {}\n *\n *   @Post('/')\n *   create(@Body() body: CreateUserDto) {}\n * }\n * ```\n */\nimport \"reflect-metadata\";\nimport { HTTP_METHODS, METADATA_KEY, type HttpMethod } from \"../constants.js\";\nimport type { RouteMetadata } from \"../di/tokens.js\";\n\nfunction defineRoute(method: HttpMethod, path: string): MethodDecorator {\n\treturn (\n\t\ttarget: object,\n\t\tpropertyKey: string | symbol,\n\t\tdescriptor: PropertyDescriptor,\n\t) => {\n\t\tconst routes: RouteMetadata[] =\n\t\t\tReflect.getMetadata(METADATA_KEY.ROUTES, target.constructor) ?? [];\n\n\t\troutes.push({\n\t\t\tmethod,\n\t\t\tpath: normalizePath(path),\n\t\t\tpropertyKey,\n\t\t\thandler: descriptor.value,\n\t\t});\n\n\t\tReflect.defineMetadata(METADATA_KEY.ROUTES, routes, target.constructor);\n\t};\n}\n\nfunction normalizePath(path: string): string {\n\tif (!path || path === \"/\") return \"/\";\n\treturn path.startsWith(\"/\") ? path : `/${path}`;\n}\n\nexport const Get = (path: string = \"/\") => defineRoute(\"GET\", path);\nexport const Post = (path: string = \"/\") => defineRoute(\"POST\", path);\nexport const Put = (path: string = \"/\") => defineRoute(\"PUT\", path);\nexport const Delete = (path: string = \"/\") => defineRoute(\"DELETE\", path);\nexport const Patch = (path: string = \"/\") => defineRoute(\"PATCH\", path);\nexport const Options = (path: string = \"/\") => defineRoute(\"OPTIONS\", path);\nexport const Head = (path: string = \"/\") => defineRoute(\"HEAD\", path);\n\nexport function getRoutes(target: any): RouteMetadata[] {\n\treturn Reflect.getMetadata(METADATA_KEY.ROUTES, target) ?? [];\n}\n\nexport { HTTP_METHODS };\nexport type { RouteMetadata };\n",
+    "/**\n * Parameter decorators.\n *\n * These mark a controller method argument as a source of request data:\n *   - `@Req()`        → Hono context\n *   - `@Res()`        → Response helper\n *   - `@Next()`       → next() callback (for middleware-style handlers)\n *   - `@Body()`       → request body (parsed)\n *   - `@Query('key')` → a single query param, or full query object\n *   - `@Param('key')` → a single path param, or full params object\n *   - `@Headers('k')` → a single header, or full headers object\n *   - `@Ctx()`        → Hono context (alias for @Req)\n *   - `@User()`       → authenticated user (resolved via auth provider)\n *\n * The metadata is read by the router at mount time to build the\n * handler invocation list.\n */\nimport \"reflect-metadata\";\nimport { METADATA_KEY, PARAM_TYPES } from \"../constants.js\";\nimport type { ParamMetadata } from \"../di/tokens.js\";\n\nexport function createParamDecorator(\n\ttype: number,\n\tdata?: string | object,\n): ParameterDecorator {\n\treturn (\n\t\ttarget: object,\n\t\tpropertyKey: string | symbol | undefined,\n\t\tparameterIndex: number,\n\t) => {\n\t\t// Method parameter: target is the prototype, propertyKey is the method name.\n\t\t// Constructor parameter: target is the class, propertyKey is undefined.\n\t\tif (propertyKey !== undefined) {\n\t\t\tconst params: ParamMetadata[] =\n\t\t\t\tReflect.getMetadata(METADATA_KEY.PARAMS, target, propertyKey) ?? [];\n\t\t\tparams.push({\n\t\t\t\tindex: parameterIndex,\n\t\t\t\ttype,\n\t\t\t\tname: typeof data === \"string\" ? data : undefined,\n\t\t\t\tdata: typeof data === \"object\" ? data : undefined,\n\t\t\t});\n\t\t\tReflect.defineMetadata(METADATA_KEY.PARAMS, params, target, propertyKey);\n\t\t} else {\n\t\t\tconst params: ParamMetadata[] =\n\t\t\t\tReflect.getMetadata(METADATA_KEY.PARAMS, target) ?? [];\n\t\t\tparams.push({\n\t\t\t\tindex: parameterIndex,\n\t\t\t\ttype,\n\t\t\t\tname: typeof data === \"string\" ? data : undefined,\n\t\t\t\tdata: typeof data === \"object\" ? data : undefined,\n\t\t\t});\n\t\t\tReflect.defineMetadata(METADATA_KEY.PARAMS, params, target);\n\t\t}\n\t};\n}\n\nexport const Req = () => createParamDecorator(PARAM_TYPES.REQUEST);\nexport const Res = () => createParamDecorator(PARAM_TYPES.RESPONSE);\nexport const Next = () => createParamDecorator(PARAM_TYPES.NEXT);\nexport const Body = (key?: string) =>\n\tcreateParamDecorator(PARAM_TYPES.BODY, key);\nexport const Query = (key?: string) =>\n\tcreateParamDecorator(PARAM_TYPES.QUERY, key);\nexport const Param = (key?: string) =>\n\tcreateParamDecorator(PARAM_TYPES.PARAM, key);\nexport const Headers = (key?: string) =>\n\tcreateParamDecorator(PARAM_TYPES.HEADERS, key);\nexport const Ctx = () => createParamDecorator(PARAM_TYPES.CTX);\nexport const User = () => createParamDecorator(PARAM_TYPES.USER);\n\nexport function getParamMetadata(\n\ttarget: any,\n\tpropertyKey: string | symbol,\n): ParamMetadata[] {\n\treturn Reflect.getMetadata(METADATA_KEY.PARAMS, target, propertyKey) ?? [];\n}\n\nexport { PARAM_TYPES };\n",
+    "/**\n * @Validate decorator.\n *\n * Attaches Zod schemas (or class validators) to a route handler. Each\n * schema is run against the corresponding request part before the handler\n * executes; failed validation throws or returns a 400 response.\n *\n * @example\n * ```ts\n * const UserSchema = z.object({ name: z.string(), email: z.email() });\n *\n * @Post('/')\n * @Validate({ body: UserSchema })\n * create(@Body() body: z.infer<typeof UserSchema>) { ... }\n * ```\n */\nimport \"reflect-metadata\";\nimport { METADATA_KEY } from \"../constants.js\";\nimport type { ValidationMetadata } from \"../di/tokens.js\";\n\nexport function Validate(options: ValidationMetadata): MethodDecorator {\n\treturn (\n\t\ttarget: object,\n\t\tpropertyKey: string | symbol,\n\t\tdescriptor: PropertyDescriptor,\n\t) => {\n\t\tReflect.defineMetadata(\n\t\t\tMETADATA_KEY.VALIDATE,\n\t\t\toptions,\n\t\t\ttarget.constructor,\n\t\t\tpropertyKey,\n\t\t);\n\t};\n}\n\nexport function getValidationMetadata(\n\ttarget: any,\n\tpropertyKey: string | symbol,\n): ValidationMetadata | undefined {\n\treturn Reflect.getMetadata(METADATA_KEY.VALIDATE, target, propertyKey);\n}\n",
+    "/**\n * `createAuth()` — wrap better-auth's `betterAuth()` factory with\n * NexusJS-friendly defaults.\n *\n * This is the **only** place that talks to better-auth directly. Every\n * other NexusJS auth module consumes the resulting `Auth` instance via\n * DI or the registered token.\n *\n * Why an adapter layer instead of calling `betterAuth()` directly?\n *   1. NexusJS users write `auth.config.ts`, not raw better-auth options.\n *      The adapter translates between the two.\n *   2. Plugin selection (jwt, passkey) is toggled by boolean flags,\n *      not by importing plugin objects.\n *   3. Cookie / CORS / cross-subdomain defaults match Hono's `cors()`\n *      middleware so the two never conflict.\n *\n * Usage:\n *   // src/auth/auth.ts\n *   import { createAuth } from 'nexusjs/auth';\n *   export const auth = createAuth({\n *     basePath: '/api/auth',\n *     emailAndPassword: { enabled: true },\n *     socialProviders: {\n *       github: {\n *         clientId: process.env.GITHUB_CLIENT_ID!,\n *         clientSecret: process.env.GITHUB_CLIENT_SECRET!,\n *       },\n *     },\n *   });\n */\n\nimport { betterAuth } from \"better-auth\";\nimport type { AuthConfig } from \"./types.js\";\n\ntype BetterAuthInstance = ReturnType<typeof betterAuth>;\n\n/**\n * Create a better-auth instance with NexusJS-friendly defaults.\n *\n * @param config NexusJS-shaped config (see types.ts).\n * @returns A `better-auth` Auth instance.\n */\nexport function createAuth(config: AuthConfig = {}): BetterAuthInstance {\n\tconst secret = config.secret ?? process.env[\"BETTER_AUTH_SECRET\"];\n\tconst baseURL = config.baseUrl ?? process.env[\"BETTER_AUTH_URL\"];\n\n\tif (!secret) {\n\t\tthrow new Error(\n\t\t\t\"[nexus/auth] BETTER_AUTH_SECRET is required. \" +\n\t\t\t\t\"Generate one with `openssl rand -base64 32` and add it to .env.\",\n\t\t);\n\t}\n\tif (!baseURL) {\n\t\tthrow new Error(\n\t\t\t\"[nexus/auth] BETTER_AUTH_URL is required (e.g. http://localhost:3000).\",\n\t\t);\n\t}\n\n\tconst plugins: Array<unknown> = [];\n\n\t// JWT plugin — opt-in.\n\tif (config.jwt?.enabled) {\n\t\t// Lazy import so the plugin's transitive dependencies don't load\n\t\t// when the user hasn't asked for JWT.\n\t\t// eslint-disable-next-line @typescript-eslint/no-require-imports\n\t\tconst { jwt } = require(\"better-auth/plugins\");\n\t\tplugins.push(\n\t\t\tjwt({\n\t\t\t\tjwks: {\n\t\t\t\t\tpath: config.jwt.jwksPath ?? \"/api/auth/jwks\",\n\t\t\t\t},\n\t\t\t\tissuer: config.jwt.issuer ?? baseURL,\n\t\t\t\taudience: config.jwt.audience ?? baseURL,\n\t\t\t\texpiresIn: config.jwt.expiresIn ?? 60 * 15,\n\t\t\t}),\n\t\t);\n\t}\n\n\t// Passkey plugin — opt-in.\n\tif (config.passkey?.enabled) {\n\t\t// eslint-disable-next-line @typescript-eslint/no-require-imports\n\t\tconst { passkey } = require(\"better-auth/plugins\");\n\t\tplugins.push(\n\t\t\tpasskey({\n\t\t\t\trpName: config.passkey.rpName,\n\t\t\t\trpID: config.passkey.rpId,\n\t\t\t\torigin: config.passkey.origin,\n\t\t\t}),\n\t\t);\n\t}\n\n\treturn betterAuth({\n\t\tsecret,\n\t\tbaseURL,\n\t\tbasePath: config.basePath ?? \"/api/auth\",\n\t\temailAndPassword: {\n\t\t\tenabled: config.emailAndPassword?.enabled ?? true,\n\t\t\trequireEmailVerification:\n\t\t\t\tconfig.emailAndPassword?.requireEmailVerification ?? false,\n\t\t\tminPasswordLength: config.emailAndPassword?.minPasswordLength ?? 8,\n\t\t\tmaxPasswordLength: config.emailAndPassword?.maxPasswordLength ?? 128,\n\t\t},\n\t\tsession: {\n\t\t\texpiresIn: config.sessionExpiresInSeconds ?? 60 * 60 * 24 * 7, // 7 days\n\t\t},\n\t\tsocialProviders: config.socialProviders as never,\n\t\tadvanced: {\n\t\t\tcookies: {\n\t\t\t\tsessionToken: {\n\t\t\t\t\tattributes: {\n\t\t\t\t\t\tsameSite: (config.cookieSameSite ?? \"lax\") as\n\t\t\t\t\t\t\t| \"lax\"\n\t\t\t\t\t\t\t| \"strict\"\n\t\t\t\t\t\t\t| \"none\",\n\t\t\t\t\t\tsecure:\n\t\t\t\t\t\t\tconfig.cookieSecure ?? process.env[\"NODE_ENV\"] === \"production\",\n\t\t\t\t\t\t...(config.cookieDomain ? { domain: config.cookieDomain } : {}),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tcrossSubDomainCookies: config.crossSubDomainCookies?.enabled\n\t\t\t\t? {\n\t\t\t\t\t\tenabled: true,\n\t\t\t\t\t\tdomain: config.crossSubDomainCookies.domain,\n\t\t\t\t\t}\n\t\t\t\t: undefined,\n\t\t},\n\t\tplugins,\n\t} as never) as unknown as BetterAuthInstance;\n}\n\n/**\n * Type alias for the returned auth instance — convenient for DI token\n * typings.\n */\nexport type NexusAuth = ReturnType<typeof createAuth>;\n",
+    "/**\n * @Module decorator.\n *\n * Marks a class as a Nest-style module: a logical grouping of\n * controllers and providers with explicit imports/exports.\n *\n * @example\n * ```ts\n * @Module({\n *   imports: [UserModule],\n *   controllers: [UserController],\n *   providers: [UserService],\n *   exports: [UserService],\n * })\n * class AppModule {}\n * ```\n */\nimport \"reflect-metadata\";\nimport { METADATA_KEY } from \"../constants.js\";\nimport type { ModuleOptions, Type } from \"../di/tokens.js\";\n\nexport function Module(options: ModuleOptions = {}): ClassDecorator {\n\treturn (target: object) => {\n\t\tReflect.defineMetadata(METADATA_KEY.MODULE, options, target);\n\t};\n}\n\n/** Read the @Module options from a class. */\nexport function getModuleOptions(target: Type<any>): ModuleOptions {\n\treturn Reflect.getMetadata(METADATA_KEY.MODULE, target) ?? {};\n}\n",
+    "/**\n * Convenience barrel for all decorators.\n */\nexport * from \"./module.js\";\nexport * from \"./controller.js\";\nexport * from \"./injectable.js\";\nexport * from \"./http-methods.js\";\nexport * from \"./params.js\";\nexport * from \"./validate.js\";\nexport * from \"./repository.js\";\nexport * from \"./metadata.js\";\n",
+    "/**\n * @Injectable decorator.\n *\n * Marks a class as available for DI. The container uses reflect-metadata's\n * `design:paramtypes` to read constructor parameter types and resolve them\n * automatically.\n *\n * @example\n * ```ts\n * @Injectable()\n * class UserService {\n *   constructor(private repo: UserRepository) {}\n * }\n *\n * @Injectable({ scope: 'request' })\n * class RequestContext {\n *   constructor(@Inject(REQUEST) private req: any) {}\n * }\n * ```\n */\nimport \"reflect-metadata\";\nimport { METADATA_KEY } from \"../constants.js\";\n\nexport interface InjectableOptions {\n\tscope?: \"singleton\" | \"request\" | \"transient\";\n}\n\nexport function Injectable(options: InjectableOptions = {}): ClassDecorator {\n\treturn (target: object) => {\n\t\tReflect.defineMetadata(METADATA_KEY.INJECTABLE, true, target);\n\t\tif (options.scope) {\n\t\t\tReflect.defineMetadata(\n\t\t\t\t\"nexus:di:scope\",\n\t\t\t\toptions.scope,\n\t\t\t\ttarget,\n\t\t\t);\n\t\t}\n\t};\n}\n\nexport function isInjectable(target: any): boolean {\n\treturn Reflect.hasMetadata(METADATA_KEY.INJECTABLE, target);\n}\n\n/**\n * Read the scope declared on a class via `@Injectable({ scope })`.\n * Returns undefined when no scope is declared (defaults to singleton).\n */\nexport function getScope(\n\ttarget: any,\n): \"singleton\" | \"request\" | \"transient\" | undefined {\n\treturn Reflect.getMetadata(\"nexus:di:scope\", target);\n}\n\n/**\n * Mark a parameter as resolved by a specific token instead of its declared\n * type. Useful for interfaces, abstract classes, or string tokens.\n *\n * @example\n * ```ts\n * constructor(@Inject('CONFIG') private config: AppConfig) {}\n * ```\n */\nexport function Inject<T = any>(token: any): ParameterDecorator {\n\treturn (\n\t\ttarget: object,\n\t\tpropertyKey: string | symbol | undefined,\n\t\tparameterIndex: number,\n\t) => {\n\t\tconst existing: Map<number, any> =\n\t\t\tReflect.getMetadata(METADATA_KEY.INJECT, target) ?? new Map();\n\t\texisting.set(parameterIndex, token);\n\t\tReflect.defineMetadata(METADATA_KEY.INJECT, existing, target);\n\t};\n}",
+    "/**\n * @Repository decorator.\n *\n * Marks a class as a Spring-style repository. Repositories are normal\n * `@Injectable()` classes; the decorator is a marker so the framework\n * can register them with a database adapter (Drizzle/Prisma) and emit\n * a friendly error if you forget to wire one.\n *\n * @example\n * ```ts\n * @Repository()\n * class UserRepository {\n *   findAll() { return db.select().from(users); }\n * }\n * ```\n */\nimport \"reflect-metadata\";\nimport { METADATA_KEY } from \"../constants.js\";\nimport type { InjectionToken } from \"../di/tokens.js\";\n\nexport function Repository(entityToken?: InjectionToken<any>): ClassDecorator {\n\treturn (target: object) => {\n\t\tReflect.defineMetadata(\n\t\t\tMETADATA_KEY.REPOSITORY,\n\t\t\t{ entity: entityToken },\n\t\t\ttarget,\n\t\t);\n\t\tReflect.defineMetadata(METADATA_KEY.INJECTABLE, true, target);\n\t};\n}\n\nexport function getRepositoryMetadata(\n\ttarget: any,\n): { entity?: InjectionToken<any> } | undefined {\n\treturn Reflect.getMetadata(METADATA_KEY.REPOSITORY, target);\n}\n\nexport function isRepository(target: any): boolean {\n\treturn Reflect.hasMetadata(METADATA_KEY.REPOSITORY, target);\n}\n",
+    "/**\n * Reflect-metadata helper. Centralizes the keys the framework uses so\n * decorator files stay clean.\n */\nexport { METADATA_KEY, PARAM_TYPES, HTTP_METHODS } from \"../constants.js\";\nexport type { MetadataKey, ParamType, HttpMethod } from \"../constants.js\";\n",
+    "/**\n * `AuthService` — DI-friendly wrapper around a better-auth instance.\n *\n * Why a service wrapper?\n *   - Hides the raw better-auth object behind a stable NexusJS API.\n *   - Exposes the high-level operations controllers need:\n *     signUp, signIn, signOut, getSession, oauthUrl, jwt, passkey.\n *   - Allows tests to swap the implementation via DI.\n *\n * Usage:\n *   constructor(@Inject(AuthService.TOKEN) private auth: AuthService) {}\n *\n *   await this.auth.signUp.email({ email, password, name });\n *   const session = await this.auth.getSession({ headers: c.req.raw.headers });\n *   return this.auth.redirect('/dashboard');  // 302\n */\n\nimport { Inject, Injectable } from \"../core/decorators/index.js\";\nimport type {\n\tAuthUser,\n\tAuthSessionRecord,\n\tAuthSession,\n\tAuthConfig,\n} from \"./types.js\";\nimport { createAuth, type NexusAuth } from \"./auth.js\";\nimport type { SessionService } from \"../session/index.js\";\n\n@Injectable()\nexport class AuthService {\n\t/** DI token — use with `@Inject(AuthService.TOKEN)`. */\n\tstatic readonly TOKEN = Symbol.for(\"nexus:AuthService\");\n\n\t/** The underlying better-auth instance. */\n\treadonly instance: NexusAuth;\n\n\t/**\n\t * Optional SessionService binding. When set, `getSession()` will\n\t * first check the SessionService's cookie before falling back to\n\t * better-auth. This enables shared session state between the two\n\t * modules (e.g. flash messages, guest cart).\n\t *\n\t * Set via `bindSession()` from a feature module's `onInit`, or via\n\t * DI when both modules are present.\n\t */\n\t#sessionService: SessionService | null = null;\n\n\tconstructor(\n\t\t@Inject(\"AUTH_CONFIG\") private readonly config: AuthConfig,\n\t) {\n\t\t// Lazy: defer construction to the first call so module-load\n\t\t// order doesn't matter.\n\t\tthis.instance = createAuth(this.config);\n\t}\n\n\t// ===========================================================================\n\t// Session integration\n\t// ===========================================================================\n\n\t/**\n\t * Bind a SessionService. When bound, `getSession()` consults the\n\t * SessionService first and falls back to better-auth. Returns `this`\n\t * for chaining.\n\t */\n\tbindSession(sessionService: SessionService): this {\n\t\tthis.#sessionService = sessionService;\n\t\treturn this;\n\t}\n\n\t/**\n\t * Returns true when a SessionService has been bound.\n\t */\n\thasSessionBinding(): boolean {\n\t\treturn this.#sessionService !== null;\n\t}\n\n\t// ===========================================================================\n\t// Session\n\t// ===========================================================================\n\n\t/**\n\t * Get the current session from a request. Returns `null` if not\n\t * authenticated.\n\t *\n\t * When a SessionService is bound, we try it first (cookie-based,\n\t * stateless, edge-friendly); better-auth remains the source of\n\t * truth for `user` / `session` records. The cookie value carries\n\t * `userId` which lets you cross-reference both systems.\n\t */\n\tasync getSession(input: { headers: Headers }): Promise<AuthSession> {\n\t\t// 1) Try SessionService (cookie-based) first.\n\t\tif (this.#sessionService) {\n\t\t\tconst cookieName = this.#sessionService.cookieName;\n\t\t\tif (cookieName) {\n\t\t\t\tconst cookieHeader = input.headers.get(\"cookie\") ?? \"\";\n\t\t\t\tconst value = parseCookie(cookieHeader, cookieName);\n\t\t\t\tif (value) {\n\t\t\t\t\tconst decoded = this.#sessionService.decodeCookie(value);\n\t\t\t\t\tif (decoded?.userId) {\n\t\t\t\t\t\t// Hydrate the user from better-auth (so the returned\n\t\t\t\t\t\t// shape matches what controllers expect).\n\t\t\t\t\t\tconst fromBetterAuth = (await this.instance.api.getSession({\n\t\t\t\t\t\t\theaders: input.headers,\n\t\t\t\t\t\t})) as AuthSession | null;\n\t\t\t\t\t\tif (fromBetterAuth?.user) {\n\t\t\t\t\t\t\treturn fromBetterAuth;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t// 2) Fallback to better-auth.\n\t\tconst result = await this.instance.api.getSession({\n\t\t\theaders: input.headers,\n\t\t});\n\t\treturn result as AuthSession;\n\t}\n\n\t/**\n\t * Read the raw SessionService record from a request (no better-auth\n\t * lookup). Returns null when no SessionService is bound or no\n\t * session is found.\n\t */\n\tasync getRawSession(input: { headers: Headers }) {\n\t\tif (!this.#sessionService) return null;\n\t\tconst cookieName = this.#sessionService.cookieName;\n\t\tif (!cookieName) return null;\n\t\tconst cookieHeader = input.headers.get(\"cookie\") ?? \"\";\n\t\tconst value = parseCookie(cookieHeader, cookieName);\n\t\tif (!value) return null;\n\t\treturn this.#sessionService.decodeCookie(value);\n\t}\n\n\t// ===========================================================================\n\t// Sign up / Sign in / Sign out\n\t// ===========================================================================\n\n\t/**\n\t * Email + password sign-up. Throws if email/password is disabled\n\t * in the auth config.\n\t */\n\tasync signUp(input: {\n\t\temail: string;\n\t\tpassword: string;\n\t\tname: string;\n\t\timage?: string;\n\t\tcallbackURL?: string;\n\t}) {\n\t\treturn this.instance.api.signUpEmail({\n\t\t\tbody: input as never,\n\t\t});\n\t}\n\n\t/** Email + password sign-in. */\n\tasync signIn(input: { email: string; password: string; callbackURL?: string }) {\n\t\treturn this.instance.api.signInEmail({\n\t\t\tbody: input as never,\n\t\t});\n\t}\n\n\t/** Sign out — invalidates the current session. */\n\tasync signOut(input: { headers: Headers }) {\n\t\treturn this.instance.api.signOut({\n\t\t\theaders: input.headers,\n\t\t});\n\t}\n\n\t// ===========================================================================\n\t// Social / OAuth\n\t// ===========================================================================\n\n\t/**\n\t * Get the URL the client should redirect to for a social sign-in.\n\t */\n\tasync getOAuthUrl(input: {\n\t\tprovider: string;\n\t\tcallbackURL?: string;\n\t}) {\n\t\treturn this.instance.api.signInSocial({\n\t\t\tbody: input as never,\n\t\t});\n\t}\n\n\t/**\n\t * Sign in / link a social account and return the user.\n\t */\n\tasync handleOAuthCallback(input: { headers: Headers; query: Record<string, string> }) {\n\t\treturn this.instance.api.signInSocial({\n\t\t\theaders: input.headers,\n\t\t\tquery: input.query,\n\t\t\tbody: {} as never,\n\t\t});\n\t}\n\n\t// ===========================================================================\n\t// JWT\n\t// ===========================================================================\n\n\t/**\n\t * Issue a JWT for the currently-authenticated user. Returns\n\t * `{ token, expiresAt }`. Requires the JWT plugin (`config.jwt.enabled`).\n\t */\n\tasync issueJwt(input: { userId: string }) {\n\t\tconst api = this.instance.api as unknown as {\n\t\t\tsignJWT?: (input: { body: { userId: string } }) => Promise<{\n\t\t\t\ttoken: string;\n\t\t\t\texpiresAt: Date;\n\t\t\t}>;\n\t\t};\n\t\tif (!api.signJWT) {\n\t\t\tthrow new Error(\n\t\t\t\t\"[nexus/auth] JWT plugin not enabled. Set `auth.jwt.enabled: true` in nx.config.ts.\",\n\t\t\t);\n\t\t}\n\t\treturn api.signJWT({ body: { userId: input.userId } });\n\t}\n\n\t// ===========================================================================\n\t// Passkey\n\t// ===========================================================================\n\n\tasync registerPasskey(input: { headers: Headers }) {\n\t\tconst api = this.instance.api as unknown as {\n\t\t\tpasskey?: {\n\t\t\t\tregister: (input: { headers: Headers }) => Promise<unknown>;\n\t\t\t};\n\t\t};\n\t\tif (!api.passkey) {\n\t\t\tthrow new Error(\n\t\t\t\t\"[nexus/auth] Passkey plugin not enabled. Set `auth.passkey.enabled: true` in nx.config.ts.\",\n\t\t\t);\n\t\t}\n\t\treturn api.passkey.register({ headers: input.headers });\n\t}\n\n\tasync authenticatePasskey(input: { headers: Headers; body: unknown }) {\n\t\tconst api = this.instance.api as unknown as {\n\t\t\tpasskey?: {\n\t\t\t\tauthenticate: (input: { headers: Headers; body: unknown }) => Promise<unknown>;\n\t\t\t};\n\t\t};\n\t\tif (!api.passkey) {\n\t\t\tthrow new Error(\"[nexus/auth] Passkey plugin not enabled.\");\n\t\t}\n\t\treturn api.passkey.authenticate({ headers: input.headers, body: input.body });\n\t}\n\n\t// ===========================================================================\n\t// Helpers\n\t// ===========================================================================\n\n\t/**\n\t * Build a redirect Response. Used by controllers that need to send\n\t * the user to a different page after sign-in / sign-up.\n\t */\n\tredirect(to: string, status: 302 | 303 | 307 | 308 = 302): Response {\n\t\treturn new Response(null, { status, headers: { Location: to } });\n\t}\n\n\t/**\n\t * Convert a session into the `AuthVariables` shape Hono expects.\n\t */\n\ttoContextVariables(session: AuthSession): {\n\t\tuser: AuthUser | null;\n\t\tsession: AuthSessionRecord | null;\n\t} {\n\t\tif (!session) return { user: null, session: null };\n\t\treturn { user: session.user, session: session.session };\n\t}\n}\n\n/**\n * Extract a single cookie value from a `Cookie` header string.\n * Tiny helper to avoid pulling in a cookie-parsing dependency.\n */\nfunction parseCookie(cookieHeader: string, name: string): string | null {\n\tif (!cookieHeader) return null;\n\tconst parts = cookieHeader.split(\";\");\n\tfor (const part of parts) {\n\t\tconst eq = part.indexOf(\"=\");\n\t\tif (eq < 0) continue;\n\t\tconst k = part.slice(0, eq).trim();\n\t\tif (k === name) {\n\t\t\treturn decodeURIComponent(part.slice(eq + 1).trim());\n\t\t}\n\t}\n\treturn null;\n}",
+    "/**\n * `AuthController` — built-in controller exposing common auth endpoints.\n *\n * Mount it in any `@Module` to get a working auth API:\n *\n *   @Module({\n *     controllers: [AuthController],\n *     providers: [AuthService],\n *   })\n *   export class AuthModule {}\n *\n * Endpoints (all prefixed with `config.basePath`, default `/api/auth`):\n *   - GET  /session               → current session\n *   - POST /sign-up/email         → email/password registration\n *   - POST /sign-in/email         → email/password login\n *   - POST /sign-out              → invalidate session\n *   - GET  /sign-in/:provider     → start OAuth flow\n *   - GET  /callback/:provider    → OAuth callback\n *   - POST /jwt                   → issue JWT (JWT plugin only)\n *   - POST /passkey/register      → start passkey registration\n *   - POST /passkey/authenticate  → complete passkey auth\n *\n * Most of the actual logic is delegated to `auth.handler` from\n * better-auth. The controller exists to make the routes visible to\n * `nx route:list` and to add NexusJS-style DI.\n */\n\nimport {\n\tBody,\n\tController,\n\tGet,\n\tInject,\n\tPost,\n\tReq,\n\tRes,\n} from \"../core/decorators/index.js\";\nimport type { Context } from \"hono\";\nimport { AuthService } from \"./auth.service.js\";\nimport type { AuthSession } from \"./types.js\";\n\n@Controller(\"/api/auth\")\nexport class AuthController {\n\tconstructor(@Inject(AuthService.TOKEN) private readonly auth: AuthService) {}\n\n\t/**\n\t * GET /api/auth/session\n\t * Returns the current session (or null if unauthenticated).\n\t */\n\t@Get(\"/session\")\n\tasync session(@Req() c: Context) {\n\t\tconst session: AuthSession = await this.auth.getSession({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\t\treturn c.json(session ?? { user: null, session: null });\n\t}\n\n\t/**\n\t * POST /api/auth/sign-up/email\n\t * Body: { email, password, name, callbackURL? }\n\t */\n\t@Post(\"/sign-up/email\")\n\tasync signUpEmail(@Req() c: Context, @Body() body: any) {\n\t\tconst result = await this.auth.signUp(body);\n\t\treturn c.json(result, 201);\n\t}\n\n\t/**\n\t * POST /api/auth/sign-in/email\n\t * Body: { email, password, callbackURL? }\n\t */\n\t@Post(\"/sign-in/email\")\n\tasync signInEmail(@Req() c: Context, @Body() body: any) {\n\t\tconst result = await this.auth.signIn(body);\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * POST /api/auth/sign-out\n\t */\n\t@Post(\"/sign-out\")\n\tasync signOut(@Req() c: Context, @Res() _res: Response) {\n\t\tawait this.auth.signOut({ headers: c.req.raw.headers });\n\t\treturn c.json({ ok: true });\n\t}\n\n\t/**\n\t * GET /api/auth/sign-in/:provider\n\t * Returns a redirect to the social provider's auth page.\n\t */\n\t@Get(\"/sign-in/:provider\")\n\tasync socialSignIn(\n\t\t@Req() c: Context,\n\t\t@Body() _body: never,\n\t) {\n\t\tconst provider = c.req.param(\"provider\") ?? \"\";\n\t\tconst callbackURL = c.req.query(\"callbackURL\") ?? \"/\";\n\t\tconst result = await this.auth.getOAuthUrl({ provider, callbackURL });\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * GET /api/auth/callback/:provider\n\t * Social provider redirect target. The better-auth handler does the\n\t * real work; this is a passthrough for `route:list` visibility.\n\t */\n\t@Get(\"/callback/:provider\")\n\tasync oauthCallback(@Req() c: Context) {\n\t\tconst result = await this.auth.handleOAuthCallback({\n\t\t\theaders: c.req.raw.headers,\n\t\t\tquery: c.req.query() as Record<string, string>,\n\t\t});\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * POST /api/auth/jwt\n\t * Issues a JWT for the current user. Requires the JWT plugin.\n\t */\n\t@Post(\"/jwt\")\n\tasync issueJwt(@Req() c: Context) {\n\t\tconst session = await this.auth.getSession({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\t\tif (!session) return c.json({ error: \"Unauthorized\" }, 401);\n\t\tconst token = await this.auth.issueJwt({ userId: session.user.id });\n\t\treturn c.json(token);\n\t}\n\n\t/**\n\t * POST /api/auth/passkey/register\n\t * Start passkey registration. Requires the passkey plugin.\n\t */\n\t@Post(\"/passkey/register\")\n\tasync passkeyRegister(@Req() c: Context) {\n\t\tconst result = await this.auth.registerPasskey({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\t\treturn c.json(result);\n\t}\n\n\t/**\n\t * POST /api/auth/passkey/authenticate\n\t * Body: passkey assertion\n\t */\n\t@Post(\"/passkey/authenticate\")\n\tasync passkeyAuthenticate(@Req() c: Context, @Body() body: any) {\n\t\tconst result = await this.auth.authenticatePasskey({\n\t\t\theaders: c.req.raw.headers,\n\t\t\tbody,\n\t\t});\n\t\treturn c.json(result);\n\t}\n}",
+    "/**\n * `AuthModule` — drop-in module for adding auth to any NexusJS app.\n *\n * Usage:\n *   // src/app/app.module.ts\n *   @Module({\n *     imports: [AuthModule.forRoot({ ... })],\n *   })\n *   export class AppModule {}\n *\n * The `forRoot` static factory builds a one-off `AuthModule` subclass\n * pre-configured with the user's `auth` config. The provider token\n * `'AUTH_CONFIG'` carries the config to the `AuthService` constructor.\n *\n * AuthService is registered under **both** its class token and\n * `AuthService.TOKEN` (a Symbol). The class token is what the\n * container scans; the Symbol is what `@Inject(AuthService.TOKEN)`\n * looks up. Both resolve to the same instance via `useExisting`.\n */\n\nimport \"reflect-metadata\";\nimport { Module } from \"../core/decorators/module.js\";\nimport { AuthController } from \"./auth.controller.js\";\nimport { AuthService } from \"./auth.service.js\";\nimport type { AuthConfig } from \"./types.js\";\n\n@Module({\n\tcontrollers: [AuthController],\n\tproviders: [\n\t\tAuthService,\n\t\t{ provide: AuthService.TOKEN, useExisting: AuthService },\n\t],\n\texports: [AuthService, AuthService.TOKEN],\n})\nexport class AuthModule {\n\t/**\n\t * Build a configured `AuthModule` class with the given config.\n\t *\n\t * The returned class can be `imports`-ed by any other module and\n\t * will provide the `AuthService` (and a `AUTH_CONFIG` value\n\t * provider) to its container.\n\t */\n\tstatic forRoot(config: AuthConfig) {\n\t\t@Module({\n\t\t\tcontrollers: [AuthController],\n\t\t\tproviders: [\n\t\t\t\tAuthService,\n\t\t\t\t{ provide: AuthService.TOKEN, useExisting: AuthService },\n\t\t\t\t{ provide: \"AUTH_CONFIG\", useValue: config },\n\t\t\t],\n\t\t\texports: [AuthService, AuthService.TOKEN],\n\t\t})\n\t\tclass ConfiguredAuthModule {}\n\n\t\t// Tag the dynamic class so the user can see where it came from.\n\t\tObject.defineProperty(ConfiguredAuthModule, \"name\", {\n\t\t\tvalue: \"ConfiguredAuthModule\",\n\t\t});\n\n\t\treturn ConfiguredAuthModule;\n\t}\n}\n",
+    "/**\n * `authMiddleware` — populate `c.var.user` and `c.var.session` on\n * every request, optionally enforcing a \"must be logged in\" policy.\n *\n * This is a Hono middleware that wraps better-auth's `getSession`.\n * It runs after the better-auth handler has set its own cookies, so\n * subsequent reads are cheap (a single DB lookup).\n *\n * Three modes:\n *   - optional  → always allow; populate user/session if present\n *   - required  → 401 if no user\n *   - scoped    → require user only for paths matching a regex\n *\n * Usage:\n *   import { authMiddleware } from 'nexusjs/auth';\n *   app.use('*', authMiddleware(auth, { mode: 'optional' }));\n *   app.use('/api/*', authMiddleware(auth, { mode: 'required' }));\n */\n\nimport type { Context, MiddlewareHandler, Next } from \"hono\";\nimport type { Auth } from \"better-auth\";\nimport type { AuthVariables } from \"./types.js\";\n\nexport type AuthMiddlewareMode = \"optional\" | \"required\" | \"scoped\";\n\nexport interface AuthMiddlewareOptions {\n\t/** Auth mode. Default: `'optional'`. */\n\tmode?: AuthMiddlewareMode;\n\t/** Path matcher (only used in `'scoped'` mode). */\n\tscope?: RegExp;\n\t/** Path matcher for `'scoped'` mode's protected set. */\n\tprotectedPaths?: RegExp | RegExp[];\n\t/** Path matcher for paths that should be skipped entirely. */\n\tignoredPaths?: RegExp | RegExp[];\n\t/** Customize the 401 response. */\n\tonUnauthenticated?: (c: Context) => Response | Promise<Response>;\n\t/** Customize the 403 response when a scope check fails. */\n\tonForbidden?: (c: Context) => Response | Promise<Response>;\n}\n\nexport function authMiddleware(\n\tauth: Auth,\n\toptions: AuthMiddlewareOptions = {},\n): MiddlewareHandler<{ Variables: AuthVariables }> {\n\tconst {\n\t\tmode = \"optional\",\n\t\tscope,\n\t\tprotectedPaths,\n\t\tignoredPaths,\n\t\tonUnauthenticated = defaultUnauthenticated,\n\t\tonForbidden = defaultForbidden,\n\t} = options;\n\n\tconst ignored = toMatcher(ignoredPaths);\n\tconst protected_ =\n\t\tmode === \"scoped\"\n\t\t\t? toMatcher(scope ?? protectedPaths ?? /^\\/.+/) // everything\n\t\t\t: null;\n\n\treturn async (c, next) => {\n\t\tconst path = c.req.path;\n\n\t\t// Skip ignored paths entirely (e.g. health checks).\n\t\tif (ignored?.test(path)) {\n\t\t\treturn next();\n\t\t}\n\n\t\t// Populate the session.\n\t\tconst session = await auth.api.getSession({\n\t\t\theaders: c.req.raw.headers,\n\t\t});\n\n\t\tif (session) {\n\t\t\tc.set(\"user\", session.user as never);\n\t\t\tc.set(\"session\", session.session as never);\n\t\t} else {\n\t\t\tc.set(\"user\", null);\n\t\t\tc.set(\"session\", null);\n\t\t}\n\n\t\t// Apply mode.\n\t\tif (mode === \"required\" || (protected_?.test(path) && session === null)) {\n\t\t\tif (session === null) return onUnauthenticated(c);\n\t\t}\n\n\t\t// Scope-based forbidden check (e.g. \"user must have a specific role\").\n\t\t// Skipped here — the route handler can call `requireRole(...)` itself.\n\n\t\treturn next();\n\t};\n}\n\nfunction toMatcher(input?: RegExp | RegExp[]): RegExp | null {\n\tif (!input) return null;\n\tif (Array.isArray(input)) {\n\t\treturn new RegExp(input.map((r) => `(?:${r.source})`).join(\"|\"));\n\t}\n\treturn input;\n}\n\nfunction defaultUnauthenticated(c: Context): Response {\n\treturn c.json(\n\t\t{ error: \"Unauthorized\", message: \"Authentication required.\" },\n\t\t401,\n\t);\n}\n\nfunction defaultForbidden(c: Context): Response {\n\treturn c.json(\n\t\t{ error: \"Forbidden\", message: \"Insufficient permissions.\" },\n\t\t403,\n\t);\n}\n\n/**\n * `authHandler` — mount better-auth's catch-all handler at a path.\n *\n * Use this instead of writing the `app.on(['POST', 'GET'], path, ...)`\n * boilerplate yourself.\n *\n *   app.use('/api/auth/*', cors({ ... }));\n *   app.all('/api/auth/*', authHandler(auth));\n */\nexport function authHandler(auth: Auth): MiddlewareHandler {\n\treturn async (c) => auth.handler(c.req.raw);\n}\n",
+    "/**\n * `@CurrentUser()` — controller parameter decorator that injects the\n * authenticated user (and optionally the session) into a handler.\n *\n * Usage:\n *   @Get('/me')\n *   me(@CurrentUser() user: AuthUser) {\n *     return user;\n *   }\n *\n *   @Get('/profile')\n *   profile(@CurrentUser({ session: true }) ctx: { user: AuthUser; session: AuthSessionRecord }) {\n *     return ctx;\n *   }\n *\n *   @Get('/dashboard')\n *   dashboard(@CurrentUser({ required: true }) user: AuthUser) {\n *     // 401 is thrown before the handler if no user is present.\n *     return this.dashboardService.forUser(user.id);\n *   }\n */\n\nimport \"reflect-metadata\";\nimport { createParamDecorator } from \"../../core/decorators/params.js\";\nimport { PARAM_TYPES } from \"../../core/constants.js\";\nimport type { AuthUser, AuthSessionRecord } from \"../types.js\";\n\nexport interface CurrentUserOptions {\n\t/**\n\t * Include the session in the injected value. Default: `false`.\n\t * When true, the value is `{ user, session }` instead of just the user.\n\t */\n\tsession?: boolean;\n\t/**\n\t * Throw 401 if no user is present. Default: `false`.\n\t * When true, the framework returns a 401 response without invoking\n\t * the handler.\n\t */\n\trequired?: boolean;\n\t/**\n\t * Throw 403 if the user does not satisfy the predicate.\n\t */\n\tassert?: (user: AuthUser) => boolean | Promise<boolean>;\n}\n\n/**\n * Inject the authenticated user (or `{ user, session }` if `session: true`).\n */\nexport function CurrentUser(\n\toptions: CurrentUserOptions = {},\n): ParameterDecorator {\n\treturn createParamDecorator(PARAM_TYPES.USER, options as never);\n}\n\n/**\n * Convenience: throw 401 with a JSON body when no user is present.\n * Exposed for users who want to enforce auth inside the handler.\n */\nexport class UnauthenticatedError extends Error {\n\treadonly status = 401;\n\tconstructor(message = \"Authentication required.\") {\n\t\tsuper(message);\n\t\tthis.name = \"UnauthenticatedError\";\n\t}\n}\n\nexport class ForbiddenError extends Error {\n\treadonly status = 403;\n\tconstructor(message = \"Insufficient permissions.\") {\n\t\tsuper(message);\n\t\tthis.name = \"ForbiddenError\";\n\t}\n}\n\n// Re-export session record type for convenience.\nexport type { AuthSessionRecord as AuthSession };\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAMa,cAsCA,aAeA;AAAA;AAAA,EArDA,eAAe;AAAA,IAE3B,YAAY;AAAA,IAGZ,YAAY;AAAA,IAGZ,YAAY;AAAA,IAGZ,QAAQ;AAAA,IAGR,QAAQ;AAAA,IAGR,QAAQ;AAAA,IAGR,UAAU;AAAA,IAGV,YAAY;AAAA,IAGZ,MAAM;AAAA,IAGN,YAAY;AAAA,IAGZ,QAAQ;AAAA,EACT;AAAA,EAKa,cAAc;AAAA,IAC1B,SAAS;AAAA,IACT,UAAU;AAAA,IACV,MAAM;AAAA,IACN,MAAM;AAAA,IACN,OAAO;AAAA,IACP,OAAO;AAAA,IACP,SAAS;AAAA,IACT,KAAK;AAAA,IACL,MAAM;AAAA,EACP;AAAA,EAKa,eAAe;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACD;AAAA;;;ACpDA;AAIO,SAAS,UAAU,CAAC,SAAiB,KAAqB;AAAA,EAChE,OAAO,CAAC,WAAmB;AAAA,IAC1B,MAAM,aAAa,gBAAgB,MAAM;AAAA,IACzC,MAAM,OAA2B,EAAE,QAAQ,WAAW;AAAA,IACtD,QAAQ,eAAe,aAAa,YAAY,MAAM,MAAM;AAAA;AAAA;AAIvD,SAAS,qBAAqB,CAAC,QAAiC;AAAA,EACtE,OACC,QAAQ,YAAY,aAAa,YAAY,MAAM,KAAK,EAAE,QAAQ,IAAI;AAAA;AAIjE,SAAS,YAAY,CAAC,QAAsB;AAAA,EAClD,OAAO,QAAQ,YAAY,aAAa,YAAY,MAAM;AAAA;AAS3D,SAAS,eAAe,CAAC,QAAwB;AAAA,EAChD,IAAI,CAAC;AAAA,IAAQ,OAAO;AAAA,EACpB,IAAI,WAAW,OAAO,OAAO,SAAS,GAAG,GAAG;AAAA,IAC3C,OAAO,OAAO,MAAM,GAAG,EAAE;AAAA,EAC1B;AAAA,EACA,OAAO;AAAA;AAAA;AAAA,EAhCR;AAAA;;;ACGA;AAIA,SAAS,WAAW,CAAC,QAAoB,MAA+B;AAAA,EACvE,OAAO,CACN,QACA,aACA,eACI;AAAA,IACJ,MAAM,SACL,QAAQ,YAAY,aAAa,QAAQ,OAAO,WAAW,KAAK,CAAC;AAAA,IAElE,OAAO,KAAK;AAAA,MACX;AAAA,MACA,MAAM,cAAc,IAAI;AAAA,MACxB;AAAA,MACA,SAAS,WAAW;AAAA,IACrB,CAAC;AAAA,IAED,QAAQ,eAAe,aAAa,QAAQ,QAAQ,OAAO,WAAW;AAAA;AAAA;AAIxE,SAAS,aAAa,CAAC,MAAsB;AAAA,EAC5C,IAAI,CAAC,QAAQ,SAAS;AAAA,IAAK,OAAO;AAAA,EAClC,OAAO,KAAK,WAAW,GAAG,IAAI,OAAO,IAAI;AAAA;AAWnC,SAAS,SAAS,CAAC,QAA8B;AAAA,EACvD,OAAO,QAAQ,YAAY,aAAa,QAAQ,MAAM,KAAK,CAAC;AAAA;AAAA,IAThD,MAAM,CAAC,OAAe,QAAQ,YAAY,OAAO,IAAI,GACrD,OAAO,CAAC,OAAe,QAAQ,YAAY,QAAQ,IAAI,GACvD,MAAM,CAAC,OAAe,QAAQ,YAAY,OAAO,IAAI,GACrD,SAAS,CAAC,OAAe,QAAQ,YAAY,UAAU,IAAI,GAC3D,QAAQ,CAAC,OAAe,QAAQ,YAAY,SAAS,IAAI,GACzD,UAAU,CAAC,OAAe,QAAQ,YAAY,WAAW,IAAI,GAC7D,OAAO,CAAC,OAAe,QAAQ,YAAY,QAAQ,IAAI;AAAA;AAAA,EAlCpE;AAAA;;;ACHA;AAIO,SAAS,oBAAoB,CACnC,MACA,MACqB;AAAA,EACrB,OAAO,CACN,QACA,aACA,mBACI;AAAA,IAGJ,IAAI,gBAAgB,WAAW;AAAA,MAC9B,MAAM,SACL,QAAQ,YAAY,aAAa,QAAQ,QAAQ,WAAW,KAAK,CAAC;AAAA,MACnE,OAAO,KAAK;AAAA,QACX,OAAO;AAAA,QACP;AAAA,QACA,MAAM,OAAO,SAAS,WAAW,OAAO;AAAA,QACxC,MAAM,OAAO,SAAS,WAAW,OAAO;AAAA,MACzC,CAAC;AAAA,MACD,QAAQ,eAAe,aAAa,QAAQ,QAAQ,QAAQ,WAAW;AAAA,IACxE,EAAO;AAAA,MACN,MAAM,SACL,QAAQ,YAAY,aAAa,QAAQ,MAAM,KAAK,CAAC;AAAA,MACtD,OAAO,KAAK;AAAA,QACX,OAAO;AAAA,QACP;AAAA,QACA,MAAM,OAAO,SAAS,WAAW,OAAO;AAAA,QACxC,MAAM,OAAO,SAAS,WAAW,OAAO;AAAA,MACzC,CAAC;AAAA,MACD,QAAQ,eAAe,aAAa,QAAQ,QAAQ,MAAM;AAAA;AAAA;AAAA;AAmBtD,SAAS,gBAAgB,CAC/B,QACA,aACkB;AAAA,EAClB,OAAO,QAAQ,YAAY,aAAa,QAAQ,QAAQ,WAAW,KAAK,CAAC;AAAA;AAAA,IAlB7D,MAAM,MAAM,qBAAqB,YAAY,OAAO,GACpD,MAAM,MAAM,qBAAqB,YAAY,QAAQ,GACrD,OAAO,MAAM,qBAAqB,YAAY,IAAI,GAClD,OAAO,CAAC,QACpB,qBAAqB,YAAY,MAAM,GAAG,GAC9B,QAAQ,CAAC,QACrB,qBAAqB,YAAY,OAAO,GAAG,GAC/B,QAAQ,CAAC,QACrB,qBAAqB,YAAY,OAAO,GAAG,GAC/B,UAAU,CAAC,QACvB,qBAAqB,YAAY,SAAS,GAAG,GACjC,MAAM,MAAM,qBAAqB,YAAY,GAAG,GAChD,OAAO,MAAM,qBAAqB,YAAY,IAAI;AAAA;AAAA,EAlD/D;AAAA;;;ACFA;AAIO,SAAS,QAAQ,CAAC,SAA8C;AAAA,EACtE,OAAO,CACN,QACA,aACA,eACI;AAAA,IACJ,QAAQ,eACP,aAAa,UACb,SACA,OAAO,aACP,WACD;AAAA;AAAA;AAIK,SAAS,qBAAqB,CACpC,QACA,aACiC;AAAA,EACjC,OAAO,QAAQ,YAAY,aAAa,UAAU,QAAQ,WAAW;AAAA;AAAA;AAAA,EAtBtE;AAAA;;ACcA;AAWO,SAAS,UAAU,CAAC,SAAqB,CAAC,GAAuB;AAAA,EACvE,MAAM,SAAS,OAAO,UAAU,QAAQ,IAAI;AAAA,EAC5C,MAAM,UAAU,OAAO,WAAW,QAAQ,IAAI;AAAA,EAE9C,IAAI,CAAC,QAAQ;AAAA,IACZ,MAAM,IAAI,MACT,kDACC,iEACF;AAAA,EACD;AAAA,EACA,IAAI,CAAC,SAAS;AAAA,IACb,MAAM,IAAI,MACT,wEACD;AAAA,EACD;AAAA,EAEA,MAAM,UAA0B,CAAC;AAAA,EAGjC,IAAI,OAAO,KAAK,SAAS;AAAA,IAIxB,QAAQ;AAAA,IACR,QAAQ,KACP,IAAI;AAAA,MACH,MAAM;AAAA,QACL,MAAM,OAAO,IAAI,YAAY;AAAA,MAC9B;AAAA,MACA,QAAQ,OAAO,IAAI,UAAU;AAAA,MAC7B,UAAU,OAAO,IAAI,YAAY;AAAA,MACjC,WAAW,OAAO,IAAI,aAAa,KAAK;AAAA,IACzC,CAAC,CACF;AAAA,EACD;AAAA,EAGA,IAAI,OAAO,SAAS,SAAS;AAAA,IAE5B,QAAQ;AAAA,IACR,QAAQ,KACP,QAAQ;AAAA,MACP,QAAQ,OAAO,QAAQ;AAAA,MACvB,MAAM,OAAO,QAAQ;AAAA,MACrB,QAAQ,OAAO,QAAQ;AAAA,IACxB,CAAC,CACF;AAAA,EACD;AAAA,EAEA,OAAO,WAAW;AAAA,IACjB;AAAA,IACA;AAAA,IACA,UAAU,OAAO,YAAY;AAAA,IAC7B,kBAAkB;AAAA,MACjB,SAAS,OAAO,kBAAkB,WAAW;AAAA,MAC7C,0BACC,OAAO,kBAAkB,4BAA4B;AAAA,MACtD,mBAAmB,OAAO,kBAAkB,qBAAqB;AAAA,MACjE,mBAAmB,OAAO,kBAAkB,qBAAqB;AAAA,IAClE;AAAA,IACA,SAAS;AAAA,MACR,WAAW,OAAO,2BAA2B,KAAK,KAAK,KAAK;AAAA,IAC7D;AAAA,IACA,iBAAiB,OAAO;AAAA,IACxB,UAAU;AAAA,MACT,SAAS;AAAA,QACR,cAAc;AAAA,UACb,YAAY;AAAA,YACX,UAAW,OAAO,kBAAkB;AAAA,YAIpC,QACC,OAAO,gBAAgB,QAAQ,IAAI,gBAAgB;AAAA,eAChD,OAAO,eAAe,EAAE,QAAQ,OAAO,aAAa,IAAI,CAAC;AAAA,UAC9D;AAAA,QACD;AAAA,MACD;AAAA,MACA,uBAAuB,OAAO,uBAAuB,UAClD;AAAA,QACA,SAAS;AAAA,QACT,QAAQ,OAAO,sBAAsB;AAAA,MACtC,IACC;AAAA,IACJ;AAAA,IACA;AAAA,EACD,CAAU;AAAA;;AC9GX;AADA;AAIO,SAAS,MAAM,CAAC,UAAyB,CAAC,GAAmB;AAAA,EACnE,OAAO,CAAC,WAAmB;AAAA,IAC1B,QAAQ,eAAe,aAAa,QAAQ,SAAS,MAAM;AAAA;AAAA;AAKtD,SAAS,gBAAgB,CAAC,QAAkC;AAAA,EAClE,OAAO,QAAQ,YAAY,aAAa,QAAQ,MAAM,KAAK,CAAC;AAAA;;;ACzB7D;;;ACiBA;AADA;AAOO,SAAS,UAAU,CAAC,UAA6B,CAAC,GAAmB;AAAA,EAC3E,OAAO,CAAC,WAAmB;AAAA,IAC1B,QAAQ,eAAe,aAAa,YAAY,MAAM,MAAM;AAAA,IAC5D,IAAI,QAAQ,OAAO;AAAA,MAClB,QAAQ,eACP,kBACA,QAAQ,OACR,MACD;AAAA,IACD;AAAA;AAAA;AAIK,SAAS,YAAY,CAAC,QAAsB;AAAA,EAClD,OAAO,QAAQ,YAAY,aAAa,YAAY,MAAM;AAAA;AAOpD,SAAS,QAAQ,CACvB,QACoD;AAAA,EACpD,OAAO,QAAQ,YAAY,kBAAkB,MAAM;AAAA;AAY7C,SAAS,MAAe,CAAC,OAAgC;AAAA,EAC/D,OAAO,CACN,QACA,aACA,mBACI;AAAA,IACJ,MAAM,WACL,QAAQ,YAAY,aAAa,QAAQ,MAAM,KAAK,IAAI;AAAA,IACzD,SAAS,IAAI,gBAAgB,KAAK;AAAA,IAClC,QAAQ,eAAe,aAAa,QAAQ,UAAU,MAAM;AAAA;AAAA;;;ADlE9D;AACA;AACA;;;AESA;AADA;AAIO,SAAS,UAAU,CAAC,aAAmD;AAAA,EAC7E,OAAO,CAAC,WAAmB;AAAA,IAC1B,QAAQ,eACP,aAAa,YACb,EAAE,QAAQ,YAAY,GACtB,MACD;AAAA,IACA,QAAQ,eAAe,aAAa,YAAY,MAAM,MAAM;AAAA;AAAA;AAIvD,SAAS,qBAAqB,CACpC,QAC+C;AAAA,EAC/C,OAAO,QAAQ,YAAY,aAAa,YAAY,MAAM;AAAA;AAGpD,SAAS,YAAY,CAAC,QAAsB;AAAA,EAClD,OAAO,QAAQ,YAAY,aAAa,YAAY,MAAM;AAAA;;AClC3D;;ACwBO,MAAM,YAAY;AAAA,EAmBiB;AAAA,SAjBzB,QAAQ,OAAO,IAAI,mBAAmB;AAAA,EAG7C;AAAA,EAWT,kBAAyC;AAAA,EAEzC,WAAW,CAC8B,QACvC;AAAA,IADuC;AAAA,IAIxC,KAAK,WAAW,WAAW,KAAK,MAAM;AAAA;AAAA,EAYvC,WAAW,CAAC,gBAAsC;AAAA,IACjD,KAAK,kBAAkB;AAAA,IACvB,OAAO;AAAA;AAAA,EAMR,iBAAiB,GAAY;AAAA,IAC5B,OAAO,KAAK,oBAAoB;AAAA;AAAA,OAgB3B,WAAU,CAAC,OAAmD;AAAA,IAEnE,IAAI,KAAK,iBAAiB;AAAA,MACzB,MAAM,aAAa,KAAK,gBAAgB;AAAA,MACxC,IAAI,YAAY;AAAA,QACf,MAAM,eAAe,MAAM,QAAQ,IAAI,QAAQ,KAAK;AAAA,QACpD,MAAM,QAAQ,YAAY,cAAc,UAAU;AAAA,QAClD,IAAI,OAAO;AAAA,UACV,MAAM,UAAU,KAAK,gBAAgB,aAAa,KAAK;AAAA,UACvD,IAAI,SAAS,QAAQ;AAAA,YAGpB,MAAM,iBAAkB,MAAM,KAAK,SAAS,IAAI,WAAW;AAAA,cAC1D,SAAS,MAAM;AAAA,YAChB,CAAC;AAAA,YACD,IAAI,gBAAgB,MAAM;AAAA,cACzB,OAAO;AAAA,YACR;AAAA,UACD;AAAA,QACD;AAAA,MACD;AAAA,IACD;AAAA,IAGA,MAAM,SAAS,MAAM,KAAK,SAAS,IAAI,WAAW;AAAA,MACjD,SAAS,MAAM;AAAA,IAChB,CAAC;AAAA,IACD,OAAO;AAAA;AAAA,OAQF,cAAa,CAAC,OAA6B;AAAA,IAChD,IAAI,CAAC,KAAK;AAAA,MAAiB,OAAO;AAAA,IAClC,MAAM,aAAa,KAAK,gBAAgB;AAAA,IACxC,IAAI,CAAC;AAAA,MAAY,OAAO;AAAA,IACxB,MAAM,eAAe,MAAM,QAAQ,IAAI,QAAQ,KAAK;AAAA,IACpD,MAAM,QAAQ,YAAY,cAAc,UAAU;AAAA,IAClD,IAAI,CAAC;AAAA,MAAO,OAAO;AAAA,IACnB,OAAO,KAAK,gBAAgB,aAAa,KAAK;AAAA;AAAA,OAWzC,OAAM,CAAC,OAMV;AAAA,IACF,OAAO,KAAK,SAAS,IAAI,YAAY;AAAA,MACpC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAII,OAAM,CAAC,OAAkE;AAAA,IAC9E,OAAO,KAAK,SAAS,IAAI,YAAY;AAAA,MACpC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAII,QAAO,CAAC,OAA6B;AAAA,IAC1C,OAAO,KAAK,SAAS,IAAI,QAAQ;AAAA,MAChC,SAAS,MAAM;AAAA,IAChB,CAAC;AAAA;AAAA,OAUI,YAAW,CAAC,OAGf;AAAA,IACF,OAAO,KAAK,SAAS,IAAI,aAAa;AAAA,MACrC,MAAM;AAAA,IACP,CAAC;AAAA;AAAA,OAMI,oBAAmB,CAAC,OAA4D;AAAA,IACrF,OAAO,KAAK,SAAS,IAAI,aAAa;AAAA,MACrC,SAAS,MAAM;AAAA,MACf,OAAO,MAAM;AAAA,MACb,MAAM,CAAC;AAAA,IACR,CAAC;AAAA;AAAA,OAWI,SAAQ,CAAC,OAA2B;AAAA,IACzC,MAAM,MAAM,KAAK,SAAS;AAAA,IAM1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MACT,oFACD;AAAA,IACD;AAAA,IACA,OAAO,IAAI,QAAQ,EAAE,MAAM,EAAE,QAAQ,MAAM,OAAO,EAAE,CAAC;AAAA;AAAA,OAOhD,gBAAe,CAAC,OAA6B;AAAA,IAClD,MAAM,MAAM,KAAK,SAAS;AAAA,IAK1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MACT,4FACD;AAAA,IACD;AAAA,IACA,OAAO,IAAI,QAAQ,SAAS,EAAE,SAAS,MAAM,QAAQ,CAAC;AAAA;AAAA,OAGjD,oBAAmB,CAAC,OAA4C;AAAA,IACrE,MAAM,MAAM,KAAK,SAAS;AAAA,IAK1B,IAAI,CAAC,IAAI,SAAS;AAAA,MACjB,MAAM,IAAI,MAAM,0CAA0C;AAAA,IAC3D;AAAA,IACA,OAAO,IAAI,QAAQ,aAAa,EAAE,SAAS,MAAM,SAAS,MAAM,MAAM,KAAK,CAAC;AAAA;AAAA,EAW7E,QAAQ,CAAC,IAAY,SAAgC,KAAe;AAAA,IACnE,OAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,SAAS,EAAE,UAAU,GAAG,EAAE,CAAC;AAAA;AAAA,EAMhE,kBAAkB,CAAC,SAGjB;AAAA,IACD,IAAI,CAAC;AAAA,MAAS,OAAO,EAAE,MAAM,MAAM,SAAS,KAAK;AAAA,IACjD,OAAO,EAAE,MAAM,QAAQ,MAAM,SAAS,QAAQ,QAAQ;AAAA;AAExD;AAjPa,cAAN;AAAA,EADN,WAAW;AAAA,EAoBT,kCAAO,aAAa;AAAA,EAnBhB;AAAA;AAAA;AAAA,GAAM;AAuPb,SAAS,WAAW,CAAC,cAAsB,MAA6B;AAAA,EACvE,IAAI,CAAC;AAAA,IAAc,OAAO;AAAA,EAC1B,MAAM,QAAQ,aAAa,MAAM,GAAG;AAAA,EACpC,WAAW,QAAQ,OAAO;AAAA,IACzB,MAAM,KAAK,KAAK,QAAQ,GAAG;AAAA,IAC3B,IAAI,KAAK;AAAA,MAAG;AAAA,IACZ,MAAM,IAAI,KAAK,MAAM,GAAG,EAAE,EAAE,KAAK;AAAA,IACjC,IAAI,MAAM,MAAM;AAAA,MACf,OAAO,mBAAmB,KAAK,MAAM,KAAK,CAAC,EAAE,KAAK,CAAC;AAAA,IACpD;AAAA,EACD;AAAA,EACA,OAAO;AAAA;;ACrPD,MAAM,eAAe;AAAA,EAC6B;AAAA,EAAxD,WAAW,CAA6C,MAAmB;AAAA,IAAnB;AAAA;AAAA,OAOlD,QAAO,CAAQ,GAAY;AAAA,IAChC,MAAM,UAAuB,MAAM,KAAK,KAAK,WAAW;AAAA,MACvD,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,MAAM,SAAS,KAAK,CAAC;AAAA;AAAA,OAQjD,YAAW,CAAQ,GAAoB,MAAW;AAAA,IACvD,MAAM,SAAS,MAAM,KAAK,KAAK,OAAO,IAAI;AAAA,IAC1C,OAAO,EAAE,KAAK,QAAQ,GAAG;AAAA;AAAA,OAQpB,YAAW,CAAQ,GAAoB,MAAW;AAAA,IACvD,MAAM,SAAS,MAAM,KAAK,KAAK,OAAO,IAAI;AAAA,IAC1C,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAOf,QAAO,CAAQ,GAAmB,MAAgB;AAAA,IACvD,MAAM,KAAK,KAAK,QAAQ,EAAE,SAAS,EAAE,IAAI,IAAI,QAAQ,CAAC;AAAA,IACtD,OAAO,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC;AAAA;AAAA,OAQrB,aAAY,CACV,GACC,OACP;AAAA,IACD,MAAM,WAAW,EAAE,IAAI,MAAM,UAAU,KAAK;AAAA,IAC5C,MAAM,cAAc,EAAE,IAAI,MAAM,aAAa,KAAK;AAAA,IAClD,MAAM,SAAS,MAAM,KAAK,KAAK,YAAY,EAAE,UAAU,YAAY,CAAC;AAAA,IACpE,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OASf,cAAa,CAAQ,GAAY;AAAA,IACtC,MAAM,SAAS,MAAM,KAAK,KAAK,oBAAoB;AAAA,MAClD,SAAS,EAAE,IAAI,IAAI;AAAA,MACnB,OAAO,EAAE,IAAI,MAAM;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAQf,SAAQ,CAAQ,GAAY;AAAA,IACjC,MAAM,UAAU,MAAM,KAAK,KAAK,WAAW;AAAA,MAC1C,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,IAAI,CAAC;AAAA,MAAS,OAAO,EAAE,KAAK,EAAE,OAAO,eAAe,GAAG,GAAG;AAAA,IAC1D,MAAM,QAAQ,MAAM,KAAK,KAAK,SAAS,EAAE,QAAQ,QAAQ,KAAK,GAAG,CAAC;AAAA,IAClE,OAAO,EAAE,KAAK,KAAK;AAAA;AAAA,OAQd,gBAAe,CAAQ,GAAY;AAAA,IACxC,MAAM,SAAS,MAAM,KAAK,KAAK,gBAAgB;AAAA,MAC9C,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAAA,OAQf,oBAAmB,CAAQ,GAAoB,MAAW;AAAA,IAC/D,MAAM,SAAS,MAAM,KAAK,KAAK,oBAAoB;AAAA,MAClD,SAAS,EAAE,IAAI,IAAI;AAAA,MACnB;AAAA,IACD,CAAC;AAAA,IACD,OAAO,EAAE,KAAK,MAAM;AAAA;AAEtB;AAvGO;AAAA,EADL,IAAI,UAAU;AAAA,EACA,+BAAI;AAAA,EAAb;AAAA;AAAA;AAAA;AAAA;AAAA,GARM,eAQN;AAYA;AAAA,EADL,KAAK,gBAAgB;AAAA,EACH,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAArC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GApBM,eAoBN;AAUA;AAAA,EADL,KAAK,gBAAgB;AAAA,EACH,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAArC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GA9BM,eA8BN;AASA;AAAA,EADL,KAAK,WAAW;AAAA,EACF,+BAAI;AAAA,EAAe,+BAAI;AAAA,EAAhC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAvCM,eAuCN;AAUA;AAAA,EADL,IAAI,oBAAoB;AAAA,EAEvB,+BAAI;AAAA,EACJ,gCAAK;AAAA,EAFD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAjDM,eAiDN;AAgBA;AAAA,EADL,IAAI,qBAAqB;AAAA,EACL,+BAAI;AAAA,EAAnB;AAAA;AAAA;AAAA;AAAA;AAAA,GAjEM,eAiEN;AAaA;AAAA,EADL,KAAK,MAAM;AAAA,EACI,+BAAI;AAAA,EAAd;AAAA;AAAA;AAAA;AAAA;AAAA,GA9EM,eA8EN;AAcA;AAAA,EADL,KAAK,mBAAmB;AAAA,EACF,+BAAI;AAAA,EAArB;AAAA;AAAA;AAAA;AAAA;AAAA,GA5FM,eA4FN;AAYA;AAAA,EADL,KAAK,uBAAuB;AAAA,EACF,+BAAI;AAAA,EAAe,gCAAK;AAAA,EAA7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAxGM,eAwGN;AAxGM,iBAAN;AAAA,EADN,WAAW,WAAW;AAAA,EAET,kCAAO,YAAY,KAAK;AAAA,EAD/B;AAAA;AAAA;AAAA,GAAM;;ACrBb;AAcO,MAAM,WAAW;AAAA,SAQhB,OAAO,CAAC,QAAoB;AAAA,IAUlC,MAAM,qBAAqB;AAAA,IAAC;AAAA,IAAtB,uBAAN;AAAA,MATC,OAAO;AAAA,QACP,aAAa,CAAC,cAAc;AAAA,QAC5B,WAAW;AAAA,UACV;AAAA,UACA,EAAE,SAAS,YAAY,OAAO,aAAa,YAAY;AAAA,UACvD,EAAE,SAAS,eAAe,UAAU,OAAO;AAAA,QAC5C;AAAA,QACA,SAAS,CAAC,aAAa,YAAY,KAAK;AAAA,MACzC,CAAC;AAAA,OACK;AAAA,IAGN,OAAO,eAAe,sBAAsB,QAAQ;AAAA,MACnD,OAAO;AAAA,IACR,CAAC;AAAA,IAED,OAAO;AAAA;AAET;AA3Ba,aAAN;AAAA,EARN,OAAO;AAAA,IACP,aAAa,CAAC,cAAc;AAAA,IAC5B,WAAW;AAAA,MACV;AAAA,MACA,EAAE,SAAS,YAAY,OAAO,aAAa,YAAY;AAAA,IACxD;AAAA,IACA,SAAS,CAAC,aAAa,YAAY,KAAK;AAAA,EACzC,CAAC;AAAA,GACY;;ACMN,SAAS,cAAc,CAC7B,MACA,UAAiC,CAAC,GACgB;AAAA,EAClD;AAAA,IACC,OAAO;AAAA,IACP;AAAA,IACA;AAAA,IACA;AAAA,IACA,oBAAoB;AAAA,IACpB,cAAc;AAAA,MACX;AAAA,EAEJ,MAAM,UAAU,UAAU,YAAY;AAAA,EACtC,MAAM,aACL,SAAS,WACN,UAAU,SAAS,kBAAkB,OAAO,IAC5C;AAAA,EAEJ,OAAO,OAAO,GAAG,SAAS;AAAA,IACzB,MAAM,OAAO,EAAE,IAAI;AAAA,IAGnB,IAAI,SAAS,KAAK,IAAI,GAAG;AAAA,MACxB,OAAO,KAAK;AAAA,IACb;AAAA,IAGA,MAAM,UAAU,MAAM,KAAK,IAAI,WAAW;AAAA,MACzC,SAAS,EAAE,IAAI,IAAI;AAAA,IACpB,CAAC;AAAA,IAED,IAAI,SAAS;AAAA,MACZ,EAAE,IAAI,QAAQ,QAAQ,IAAa;AAAA,MACnC,EAAE,IAAI,WAAW,QAAQ,OAAgB;AAAA,IAC1C,EAAO;AAAA,MACN,EAAE,IAAI,QAAQ,IAAI;AAAA,MAClB,EAAE,IAAI,WAAW,IAAI;AAAA;AAAA,IAItB,IAAI,SAAS,cAAe,YAAY,KAAK,IAAI,KAAK,YAAY,MAAO;AAAA,MACxE,IAAI,YAAY;AAAA,QAAM,OAAO,kBAAkB,CAAC;AAAA,IACjD;AAAA,IAKA,OAAO,KAAK;AAAA;AAAA;AAId,SAAS,SAAS,CAAC,OAA0C;AAAA,EAC5D,IAAI,CAAC;AAAA,IAAO,OAAO;AAAA,EACnB,IAAI,MAAM,QAAQ,KAAK,GAAG;AAAA,IACzB,OAAO,IAAI,OAAO,MAAM,IAAI,CAAC,MAAM,MAAM,EAAE,SAAS,EAAE,KAAK,GAAG,CAAC;AAAA,EAChE;AAAA,EACA,OAAO;AAAA;AAGR,SAAS,sBAAsB,CAAC,GAAsB;AAAA,EACrD,OAAO,EAAE,KACR,EAAE,OAAO,gBAAgB,SAAS,2BAA2B,GAC7D,GACD;AAAA;AAGD,SAAS,gBAAgB,CAAC,GAAsB;AAAA,EAC/C,OAAO,EAAE,KACR,EAAE,OAAO,aAAa,SAAS,4BAA4B,GAC3D,GACD;AAAA;AAYM,SAAS,WAAW,CAAC,MAA+B;AAAA,EAC1D,OAAO,OAAO,MAAM,KAAK,QAAQ,EAAE,IAAI,GAAG;AAAA;;ACrG3C;AACA;AAFA;AA0BO,SAAS,WAAW,CAC1B,UAA8B,CAAC,GACV;AAAA,EACrB,OAAO,qBAAqB,YAAY,MAAM,OAAgB;AAAA;AAAA;AAOxD,MAAM,6BAA6B,MAAM;AAAA,EACtC,SAAS;AAAA,EAClB,WAAW,CAAC,UAAU,4BAA4B;AAAA,IACjD,MAAM,OAAO;AAAA,IACb,KAAK,OAAO;AAAA;AAEd;AAAA;AAEO,MAAM,uBAAuB,MAAM;AAAA,EAChC,SAAS;AAAA,EAClB,WAAW,CAAC,UAAU,6BAA6B;AAAA,IAClD,MAAM,OAAO;AAAA,IACb,KAAK,OAAO;AAAA;AAEd;",
+  "debugId": "1678BD891AB4BB6764756E2164756E21",
+  "names": []
+}

package/dist/auth/middleware.d.ts

@@ -0,0 +1,50 @@
+/**
+ * `authMiddleware` — populate `c.var.user` and `c.var.session` on
+ * every request, optionally enforcing a "must be logged in" policy.
+ *
+ * This is a Hono middleware that wraps better-auth's `getSession`.
+ * It runs after the better-auth handler has set its own cookies, so
+ * subsequent reads are cheap (a single DB lookup).
+ *
+ * Three modes:
+ *   - optional  → always allow; populate user/session if present
+ *   - required  → 401 if no user
+ *   - scoped    → require user only for paths matching a regex
+ *
+ * Usage:
+ *   import { authMiddleware } from 'nexusjs/auth';
+ *   app.use('*', authMiddleware(auth, { mode: 'optional' }));
+ *   app.use('/api/*', authMiddleware(auth, { mode: 'required' }));
+ */
+import type { Context, MiddlewareHandler } from "hono";
+import type { Auth } from "better-auth";
+import type { AuthVariables } from "./types.js";
+export type AuthMiddlewareMode = "optional" | "required" | "scoped";
+export interface AuthMiddlewareOptions {
+    /** Auth mode. Default: `'optional'`. */
+    mode?: AuthMiddlewareMode;
+    /** Path matcher (only used in `'scoped'` mode). */
+    scope?: RegExp;
+    /** Path matcher for `'scoped'` mode's protected set. */
+    protectedPaths?: RegExp | RegExp[];
+    /** Path matcher for paths that should be skipped entirely. */
+    ignoredPaths?: RegExp | RegExp[];
+    /** Customize the 401 response. */
+    onUnauthenticated?: (c: Context) => Response | Promise<Response>;
+    /** Customize the 403 response when a scope check fails. */
+    onForbidden?: (c: Context) => Response | Promise<Response>;
+}
+export declare function authMiddleware(auth: Auth, options?: AuthMiddlewareOptions): MiddlewareHandler<{
+    Variables: AuthVariables;
+}>;
+/**
+ * `authHandler` — mount better-auth's catch-all handler at a path.
+ *
+ * Use this instead of writing the `app.on(['POST', 'GET'], path, ...)`
+ * boilerplate yourself.
+ *
+ *   app.use('/api/auth/*', cors({ ... }));
+ *   app.all('/api/auth/*', authHandler(auth));
+ */
+export declare function authHandler(auth: Auth): MiddlewareHandler;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAQ,MAAM,MAAM,CAAC;AAC7D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD,MAAM,MAAM,kBAAkB,GAAG,UAAU,GAAG,UAAU,GAAG,QAAQ,CAAC;AAEpE,MAAM,WAAW,qBAAqB;IACrC,wCAAwC;IACxC,IAAI,CAAC,EAAE,kBAAkB,CAAC;IAC1B,mDAAmD;IACnD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACnC,8DAA8D;IAC9D,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,kCAAkC;IAClC,iBAAiB,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjE,2DAA2D;IAC3D,WAAW,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC3D;AAED,wBAAgB,cAAc,CAC7B,IAAI,EAAE,IAAI,EACV,OAAO,GAAE,qBAA0B,GACjC,iBAAiB,CAAC;IAAE,SAAS,EAAE,aAAa,CAAA;CAAE,CAAC,CA+CjD;AAwBD;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,IAAI,GAAG,iBAAiB,CAEzD"}

package/dist/auth/types.d.ts

@@ -0,0 +1,135 @@
+/**
+ * Auth types — the contract between NexusJS and better-auth.
+ *
+ * Better-auth provides a comprehensive set of authentication primitives
+ * (email/password, OAuth, magic links, passkeys, JWT). We don't try to
+ * re-implement any of that — we adapt better-auth's surface to fit
+ * NexusJS's DI / decorator model.
+ *
+ * Most types are re-exported from `better-auth` so consumers can use
+ * them directly. The few we define here are NexusJS-specific helpers.
+ */
+import type { Auth } from "better-auth";
+export type { Auth } from "better-auth";
+/** Per-request session payload (user + session). */
+export type AuthSession = {
+    user: AuthUser;
+    session: AuthSessionRecord;
+} | null;
+export type AuthUser = {
+    id: string;
+    email: string;
+    emailVerified: boolean;
+    name: string;
+    image?: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+    [key: string]: unknown;
+};
+export type AuthSessionRecord = {
+    id: string;
+    userId: string;
+    token: string;
+    expiresAt: Date;
+    ipAddress?: string | null;
+    userAgent?: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+    [key: string]: unknown;
+};
+/** Configuration knobs for the auth subsystem. */
+export interface AuthConfig {
+    /**
+     * Better-auth handler mount path.
+     * Default: `'/api/auth/*'`.
+     */
+    basePath?: string;
+    /** Enable email + password authentication. Default: true. */
+    emailAndPassword?: {
+        enabled?: boolean;
+        requireEmailVerification?: boolean;
+        minPasswordLength?: number;
+        maxPasswordLength?: number;
+    };
+    /** Social providers keyed by provider name (github, google, etc.). */
+    socialProviders?: Record<string, SocialProviderConfig>;
+    /** JWT plugin settings (token + JWKS endpoint). */
+    jwt?: JwtConfig;
+    /** Passkey (WebAuthn) plugin settings. */
+    passkey?: PasskeyConfig;
+    /** Session expiry in seconds. Default: 7 days. */
+    sessionExpiresInSeconds?: number;
+    /** Cookie domain. Useful for subdomains. */
+    cookieDomain?: string;
+    /** Cross-subdomain cookies (turn on for `*.example.com`). */
+    crossSubDomainCookies?: {
+        enabled: boolean;
+        domain?: string;
+    };
+    /**
+     * Cookie attribute strategy for cross-origin requests.
+     * - 'lax'      → same-site only (default, safest)
+     * - 'none'     → cross-site; requires `secure: true`
+     * - 'strict'   → same-origin only
+     */
+    cookieSameSite?: "lax" | "strict" | "none";
+    /** `Secure` flag on cookies. Default: true in production. */
+    cookieSecure?: boolean;
+    /** A custom `BETTER_AUTH_SECRET` (otherwise read from env). */
+    secret?: string;
+    /** Custom `BETTER_AUTH_URL` (otherwise read from env). */
+    baseUrl?: string;
+}
+export interface SocialProviderConfig {
+    clientId: string;
+    clientSecret: string;
+    scope?: string[];
+    redirectURI?: string;
+}
+export interface JwtConfig {
+    enabled: boolean;
+    /** Path for JWKS endpoint. Default: `/api/auth/jwks`. */
+    jwksPath?: string;
+    /** Issuer claim. Default: baseUrl. */
+    issuer?: string;
+    /** Audience claim. Default: baseUrl. */
+    audience?: string;
+    /** Token TTL in seconds. Default: 15 min. */
+    expiresIn?: number;
+}
+export interface PasskeyConfig {
+    enabled: boolean;
+    /** Relying Party name (displayed by the browser). */
+    rpName: string;
+    /** Relying Party ID (typically the domain). */
+    rpId: string;
+    /** Allowed origins (e.g. `https://example.com`). */
+    origin: string | string[];
+}
+/** Per-request authentication context attached to the Hono context. */
+export interface AuthContext {
+    user: AuthUser | null;
+    session: AuthSessionRecord | null;
+}
+/**
+ * Type augmentation so the Hono context has `user` and `session` keys.
+ *
+ * Usage in user code:
+ *   import type { AuthVariables } from 'nexusjs/auth';
+ *   const app = new Hono<{ Variables: AuthVariables }>();
+ */
+export type AuthVariables = {
+    user: AuthUser | null;
+    session: AuthSessionRecord | null;
+};
+/**
+ * A loose type that matches what `betterAuth.handler` returns for
+ * `getSession()`. Re-exported so users don't need to import from
+ * `better-auth` directly when extending the auth instance.
+ */
+export type SecondaryStorage = NonNullable<Auth extends {
+    options: {
+        secondaryStorage?: infer S;
+    };
+} ? S : never>;
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAMxC,YAAY,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAExC,oDAAoD;AACpD,MAAM,MAAM,WAAW,GAAG;IACzB,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,iBAAiB,CAAC;CAC3B,GAAG,IAAI,CAAC;AAET,MAAM,MAAM,QAAQ,GAAG;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,OAAO,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACvB,CAAC;AAEF,kDAAkD;AAClD,MAAM,WAAW,UAAU;IAC1B;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE;QAClB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,wBAAwB,CAAC,EAAE,OAAO,CAAC;QACnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC3B,CAAC;IAEF,sEAAsE;IACtE,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;IAEvD,mDAAmD;IACnD,GAAG,CAAC,EAAE,SAAS,CAAC;IAEhB,0CAA0C;IAC1C,OAAO,CAAC,EAAE,aAAa,CAAC;IAExB,kDAAkD;IAClD,uBAAuB,CAAC,EAAE,MAAM,CAAC;IAEjC,4CAA4C;IAC5C,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,6DAA6D;IAC7D,qBAAqB,CAAC,EAAE;QACvB,OAAO,EAAE,OAAO,CAAC;QACjB,MAAM,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IAEF;;;;;OAKG;IACH,cAAc,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAE3C,6DAA6D;IAC7D,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,+DAA+D;IAC/D,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,0DAA0D;IAC1D,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,oBAAoB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,SAAS;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,yDAAyD;IACzD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sCAAsC;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6CAA6C;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,qDAAqD;IACrD,MAAM,EAAE,MAAM,CAAC;IACf,+CAA+C;IAC/C,IAAI,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC1B;AAED,uEAAuE;AACvE,MAAM,WAAW,WAAW;IAC3B,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,iBAAiB,GAAG,IAAI,CAAC;CAClC;AAMD;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GAAG;IAC3B,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,iBAAiB,GAAG,IAAI,CAAC;CAClC,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,gBAAgB,GAAG,WAAW,CACzC,IAAI,SAAS;IAAE,OAAO,EAAE;QAAE,gBAAgB,CAAC,EAAE,MAAM,CAAC,CAAA;KAAE,CAAA;CAAE,GAAG,CAAC,GAAG,KAAK,CACpE,CAAC"}

package/dist/cache/cache.module.d.ts

@@ -0,0 +1,22 @@
+/**
+ * `CacheModule` — drop-in caching.
+ *
+ *   @Module({
+ *     imports: [
+ *       CacheModule.forRoot({
+ *         store: new MemoryStore({ max: 50_000 }),
+ *         defaultTtl: 300,        // 5 min
+ *         prefix: 'myapp',
+ *       }),
+ *     ],
+ *   })
+ *   export class AppModule {}
+ */
+import "reflect-metadata";
+import type { CacheConfig } from "./types.js";
+export declare class CacheModule {
+    static forRoot(config?: CacheConfig): {
+        new (): {};
+    };
+}
+//# sourceMappingURL=cache.module.d.ts.map

package/dist/cache/cache.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.module.d.ts","sourceRoot":"","sources":["../../src/cache/cache.module.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,kBAAkB,CAAC;AAI1B,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,qBAOa,WAAW;IACvB,MAAM,CAAC,OAAO,CAAC,MAAM,GAAE,WAAgB;;;CAmBvC"}

package/dist/cache/cache.service.d.ts

@@ -0,0 +1,37 @@
+import type { CacheConfig, CacheStore } from "./types.js";
+export declare class CacheService {
+    /** DI token. */
+    static readonly TOKEN: unique symbol;
+    store: CacheStore;
+    defaultTtl: number;
+    prefix: string;
+    constructor(config?: CacheConfig);
+    private key;
+    get<T = unknown>(k: string): Promise<T | undefined>;
+    set<T = unknown>(k: string, value: T, ttl?: number): Promise<void>;
+    set<T = unknown>(k: string, value: T, opts: {
+        ttl?: number;
+        tags?: string[];
+    }): Promise<void>;
+    delete(k: string): Promise<boolean>;
+    clear(pattern?: string): Promise<number>;
+    /** Get or compute-and-store. */
+    wrap<T>(k: string, fn: () => Promise<T>, ttl?: number): Promise<T>;
+    /**
+     * Tag-based invalidation. Delegates to the underlying store.
+     * Stores without a tag index (the default `MemoryStore`) return 0.
+     * Use `DrizzleCacheStore` (or implement `invalidateByTag` on a
+     * custom store) for true tag-based removal.
+     */
+    invalidateByTag(tag: string): Promise<number>;
+    /** Sweep expired entries. No-op on stores that don't implement `gc()`. */
+    gc(): Promise<number>;
+    /** Apply the configured prefix to a tag name. */
+    private prefixedTag;
+    /**
+     * Apply @Cacheable / @CacheInvalidate decorators to an existing service
+     * instance. The framework's DI container does this automatically.
+     */
+    applyDecorators(target: any): void;
+}
+//# sourceMappingURL=cache.service.d.ts.map

package/dist/cache/cache.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.service.d.ts","sourceRoot":"","sources":["../../src/cache/cache.service.ts"],"names":[],"mappings":"AAiBA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAM1D,qBACa,YAAY;IACxB,gBAAgB;IAChB,MAAM,CAAC,QAAQ,CAAC,KAAK,gBAAoC;IAEzD,KAAK,EAAE,UAAU,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;gBAEqB,MAAM,GAAE,WAAgB;IAM5D,OAAO,CAAC,GAAG;IAIL,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,SAAS,CAAC;IAInD,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAClE,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAa7F,MAAM,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAInC,KAAK,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAI9C,gCAAgC;IAC1B,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAIxE;;;;;OAKG;IACG,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOnD,0EAA0E;IACpE,EAAE,IAAI,OAAO,CAAC,MAAM,CAAC;IAO3B,iDAAiD;IACjD,OAAO,CAAC,WAAW;IAInB;;;OAGG;IACH,eAAe,CAAC,MAAM,EAAE,GAAG,GAAG,IAAI;CAuBlC"}

package/dist/cache/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Public entry point for `nexusjs/cache`.
+ */
+export * from "./types.js";
+export { MemoryStore, DrizzleCacheStore } from "./stores/index.js";
+export type { MemoryStoreOptions, DrizzleCacheOptions } from "./stores/index.js";
+export { CacheService } from "./cache.service.js";
+export { CacheModule } from "./cache.module.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/cache/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cache/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACnE,YAAY,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACjF,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC"}