@loom-framework/core 0.1.0-alpha.149 → 0.1.0-alpha.150

package/builtin-skills/app-skill/SKILL.md

@@ -1,27 +1,32 @@
 ---
 name: {{projectName}}-data
 description: |
-  [阅读 references/models.md 中的数据模型和 AI 按钮定义，编写触发短语。
-  包含：用户语言中的常见增删改查动词、各数据模型相关的操作、AI 按钮的标签。
+  ⚠️ TODO: 根据下方 [TODO] 标记补全触发短语。阅读 references/models.md 中的数据模型和 AI 按钮定义，
+  编写触发短语，包含：用户语言中的常见增删改查动词、各数据模型相关的操作、AI 按钮的标签。
   格式："This skill should be used when the user asks to '短语1', '短语2',
-  or any request about <此项目管理的内容> in the {{projectName}} project."]
+  or any request about <此项目管理的内容> in the {{projectName}} project."
 version: 1.0.0
 ---
 
 # {{projectName}} — App Skill
 
+> **此文件由 `loom generate capabilities` 生成。标记为 [TODO] 的部分需要手动编辑补全。** 
+> references/models.md 和 references/data-semantics.md 会每次重新生成，无需手动编辑。
+
 ## Overview
 
-[阅读 references/models.md，用2-3句话描述：项目做什么、管理哪些数据模型、用户如何通过 AI 对话与数据交互。]
+[TODO: 阅读 references/models.md，用2-3句话描述项目做什么、管理哪些数据模型、用户如何通过 AI 对话与数据交互。]
 
 ## Usage Scenarios
 
-[**必须加载 references/models.md 和 references/data-semantics.md**，这两个文件包含从 loom.config.ts 动态注入的项目特定信息，不加载则无法生成正确内容。
+**必须加载 references/models.md 和 references/data-semantics.md**，这两个文件包含从 loom.config.ts 动态注入的项目特定信息，不加载则无法生成正确内容：
 - models.md — 当前项目的数据模型字段表（字段名、类型、enum 取值、默认值）、AI 按钮定义（id、label、prompt、placement）、CLI 命令语法（read/write/update/delete，不要使用 create/list 等不存在的命令）。
 - data-semantics.md — 当前项目的数据模型名称列表、write 的 --data JSON 构造规则（字段类型格式、enum 取值约束、贴合业务的真实示例值）、read 的 --filter JSON 构造规则（优先用 enum/boolean 字段筛选、跨模型关联查询）。
-再生成8-10个典型用户请求，每个格式：用户说的话 → 对应的 `loom data` CLI 命令。每个数据模型至少包含一个场景。]
+
+[TODO: 生成8-10个典型用户请求，每个格式：用户说的话 → 对应的 `loom data` CLI 命令。每个数据模型至少包含一个场景。]
 
 ## Technical Reference
 
 - 数据模型结构、CLI 语法和操作规范：**references/models.md**
-- 语义引导（示例数据生成、筛选选择、关系推断）：**references/data-semantics.md**
+- 语义引导（示例数据生成、筛选选择、关系推断）：**references/data-semantics.md**
+<!-- AUTH_REF -->

package/builtin-skills/app-skill/references/auth.md

@@ -0,0 +1,164 @@
+# Auth Commands Reference
+
+## CLI Authentication
+
+CLI commands require authentication when auth is enabled. Provide token via:
+
+1. **`--token` flag**: `loom data read <model> --token <jwt>`
+2. **`LOOM_TOKEN` env**: `LOOM_TOKEN=<jwt> loom data read <model>`
+
+When auth is not enabled, CLI commands use local DataAdapter without token.
+
+### AI Chat Sessions
+
+When using AI chat (web UI), `LOOM_TOKEN` is automatically set in the AI's environment.
+AI can run `loom data read`, `loom user list`, etc. directly — the token matches the logged-in user's identity and permissions.
+
+## Authentication Commands
+
+### Login
+```bash
+loom auth login -u <username> -p <password>
+loom auth login  # interactive prompt
+```
+
+### Register (admin token required)
+```bash
+loom auth register -u <username> -p <password> [--role <role>] --token <admin-jwt>
+```
+
+### Logout
+```bash
+loom auth logout --refresh-token <token> --token <jwt>
+```
+
+### Whoami
+```bash
+loom auth whoami --token <jwt>
+```
+
+## User Management (Admin Only)
+
+### Add User
+```bash
+loom user add <username> -p <password> -r <role> --token <admin-jwt>
+```
+
+### List Users
+```bash
+loom user list --token <jwt>
+```
+
+### Update User
+```bash
+loom user update <id> -r <role> --token <jwt>
+loom user update <id> -p <newpassword> --token <jwt>
+```
+
+### Delete User
+```bash
+loom user delete <id> --token <admin-jwt>
+```
+
+### Change Role
+```bash
+loom user role <id> <role> --token <admin-jwt>
+```
+
+## Role Info
+
+### List Roles
+```bash
+loom role list [--token <jwt>]
+```
+
+### Permission Levels
+```bash
+loom role permissions
+```
+
+## Data Commands with Auth
+
+When auth is enabled, data commands route through HTTP API and require token:
+
+```bash
+loom data read <model> --token <jwt>
+loom data write <model> --data '<json>' --token <jwt>
+loom data update <model> --id <id> --data '<json>' --token <jwt>
+loom data delete <model> --id <id> --token <jwt>
+loom data schema <model> --token <jwt>
+```
+
+Optional: `--server <url>` (default: http://localhost:3000)
+
+## Permission Model
+
+### Levels (hierarchical)
+| Level | Access |
+|-------|--------|
+| `none` | No access |
+| `read` | GET (read-only) |
+| `write` | GET, POST, PUT |
+| `admin` | GET, POST, PUT, DELETE |
+
+### Configuration in loom.config.ts
+```typescript
+auth: {
+  provider: 'builtin',
+  secret: 'env:JWT_SECRET',  // or plain string (not recommended)
+  roles: [
+    { role: 'admin', permissions: [{ model: '*', level: 'admin' }] },
+    { role: 'editor', permissions: [{ model: 'items', level: 'write' }] },
+    { role: 'viewer', permissions: [{ model: '*', level: 'read' }] },
+  ],
+  permissions: {
+    defaults: {
+      read: 'read',
+      write: 'write',
+      readIncludesAiButtons: false,  // viewer sees AI buttons?
+      writeExcludesDelete: false,     // writer can delete?
+    },
+  },
+}
+```
+
+### Wildcard Permissions
+Use `model: '*'` to apply a permission level to all models.
+Explicit model permissions override wildcards.
+
+### Default Admin User
+When auth is first enabled, a default admin user is created:
+- Username: `admin`
+- Password: `admin123`
+- **Change this immediately after first login!**
+
+### Service Token
+Each user gets a service token at registration time (long-lived JWT, 30-day TTL).
+Returned in the API response when creating a user — the admin should save it securely.
+Used by Process automation to execute as the user.
+
+## API Endpoints
+
+| Method | Path | Auth | Description |
+|--------|------|------|-------------|
+| POST | /api/v1/auth/login | No | Login |
+| POST | /api/v1/auth/register | Admin | Register new user |
+| POST | /api/v1/auth/logout | Yes | Logout |
+| POST | /api/v1/auth/refresh | No* | Refresh token |
+| GET | /api/v1/auth/whoami | Yes | Current user |
+| GET | /api/v1/auth/roles | Yes | List roles |
+| GET | /api/v1/auth/users | Admin | List users |
+| POST | /api/v1/auth/users | Admin | Create user |
+| GET | /api/v1/auth/users/:id | Self/Admin | Get user |
+| PUT | /api/v1/auth/users/:id | Self/Admin | Update user |
+| DELETE | /api/v1/auth/users/:id | Admin | Delete user |
+
+*Refresh requires valid refresh token in store
+
+## Audit Fields
+
+When auth is enabled, write operations automatically inject:
+- `createdBy` — username of the user who created the record (POST)
+- `updatedBy` — username of the user who last updated the record (PUT)
+
+These fields are optional and don't affect existing data.

package/builtin-skills/app-skill/references/models.md

@@ -20,6 +20,8 @@
 
 <!-- AI_BUTTONS -->
 
+<!-- AUTH_ROLES -->
+
 ## 操作规范
 
 1. 所有数据操作必须使用 `loom data` CLI 命令，不要直接访问文件或数据库。

package/builtin-skills/loom/SKILL.md

@@ -65,9 +65,10 @@ loom generate capabilities
 
 | 文件 | 说明 | 覆盖策略 |
 |------|------|---------|
-| `SKILL.md` | Skill 主文档（含 TODO 模板） | 仅首次创建，不覆盖 |
+| `SKILL.md` | Skill 主文档（含 TODO 模板） | 仅首次创建，不覆盖。若需重建：删除整个 skill 目录后重新执行 |
 | `references/models.md` | 数据模型字段表 + AI 按钮定义 + CLI 语法 | 每次重新生成 |
 | `references/data-semantics.md` | 语义引导（示例数据、筛选规则、跨模型关联） | 每次重新生成 |
+| `references/auth.md` | 认证鉴权命令参考（`--token`/`LOOM_TOKEN` 用法、权限模型） | Auth 启用时每次重新生成 |
 
 每次修改数据模型或 AI 按钮后，重新运行此命令即可更新 `references/` 下的自动生成内容，`SKILL.md` 中手动补充的内容不会被覆盖。
 
@@ -95,6 +96,19 @@ loom generate dashboard <name>
 
 此命令从 `loom.config.ts` 的 `dashboards` 字段读取配置，自动生成 Dashboard 页面并接线 App.tsx。
 
+### 5.5 启用认证鉴权（可选）
+
+当用户需要多用户支持、权限控制时，帮助用户在 `loom.config.ts` 中添加 `auth` 配置：
+
+1. **询问需求**：是否需要登录功能？有哪些角色？每个角色能做什么？
+2. **编辑配置**：在 `loom.config.ts` 中添加 `auth` 字段（Schema 见上方）。至少定义一个 `admin` 角色
+3. **设置密钥**：`secret` 推荐 `env:JWT_SECRET`，不要硬编码。提醒用户设置环境变量 `export JWT_SECRET=your-secret`
+4. **重启后端**：auth 配置需要重启后端生效（**必须先询问用户**）
+5. **首次登录**：默认创建 admin 用户（密码 `admin123`），**提醒用户立即修改密码**
+6. **生成 app-skill**：`loom generate capabilities` 更新 Skill 中的 auth.md
+
+启用后自动获得：登录页 + 路由守卫 + RBAC 权限控制 + 用户管理页 + CLI `--token`/`LOOM_TOKEN` 鉴权。
+
 ### 重启服务前必须询问用户
 
 修改 `loom.config.ts` 后如果需要重启后端服务（如增删 AI 按钮、修改 enum 值、新增模型等场景），**必须先询问用户是否可以重启**，得到确认后再执行 `loom dev` 或停止/重启服务。不要自动重启，因为用户可能正在使用页面或调试中。
@@ -149,8 +163,8 @@ loom generate page <Name> --model <model-name> --force
 | `loom generate capabilities` | 生成应用 Skill（`references/models.md` + `references/data-semantics.md`，`SKILL.md` 仅首次创建不覆盖） |
 | `loom generate dashboard <name>` | 从 loom.config.ts dashboards 生成 Dashboard 页面 |
 | `loom generate dashboard <name> --force` | 重建 Dashboard 页面（自动备份旧文件到 `.loom/backup/`） |
-| `loom generate system-settings <model\|skill>` | 生成系统管理页面（模型管理或技能管理），首次调用创建子菜单，后续调用追加子页面 |
-| `loom generate system-settings <model\|skill> --force` | 重建系统管理页面（自动备份旧文件到 `.loom/backup/`） |
+| `loom generate system-settings <model\|skill\|user>` | 生成系统管理页面（模型管理、技能管理或用户管理），首次调用创建子菜单，后续调用追加子页面 |
+| `loom generate system-settings <model\|skill\|user> --force` | 重建系统管理页面（自动备份旧文件到 `.loom/backup/`） |
 | `loom generate skill <name>` | 生成自定义 Skill 脚架 |
 
 ## loom.config.ts Schema（核心）
@@ -201,6 +215,24 @@ export default defineConfig({
     filterDimensions: [],     // 可选：启用下拉筛选，见 references/dashboard.md
     layout: [{ row: [{ type: 'stat', title: { 'zh-CN': '总数', 'en-US': 'Total' }, model: 'items', aggregate: 'count', span: 6 }] }],
   }],
+  auth: {                     // 可选：认证与鉴权，启用后生成登录页、用户管理、RBAC 权限控制
+    provider: 'builtin',      // 'builtin' — 内置认证
+    secret: 'env:JWT_SECRET', // JWT 签名密钥，推荐用 env: 引用环境变量，不要硬编码
+    accessTokenTtl: 3600,     // 可选，access token 有效期（秒），默认 3600（1h）
+    refreshTokenTtl: 604800,  // 可选，refresh token 有效期（秒），默认 604800（7d）
+    roles: [                  // 角色定义，至少一个 admin 角色
+      { role: 'admin', permissions: [{ model: '*', level: 'admin' }] },
+      { role: 'viewer', permissions: [{ model: '*', level: 'read' }] },
+    ],
+    permissions: {            // 可选：默认权限和行为配置
+      defaults: {
+        read: 'read',                   // 未显式配置的模型默认读权限
+        write: 'write',                 // 未显式配置的模型默认写权限
+        readIncludesAiButtons: false,   // read 权限是否可见 AI 按钮
+        writeExcludesDelete: false,     // write 权限是否排除删除操作
+      },
+    },
+  },
 });
 ```
 

package/dist/backend/ai/engine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../../src/backend/ai/engine.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,aAAa,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAM5F,wCAAwC;AACxC,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,QAAQ,GAAG,cAAc,GAAG,iBAAiB,GAAG,QAAQ,GAAG,cAAc,CAAC;AAEnH,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,cAAc,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,cAAc,KAAK,IAAI,CAAC;AAE3D,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,gBAAgB,CAAC;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,uDAAuD;IACvD,MAAM,CAAC,EAAE,YAAY,CAAC;CACvB;AAED;;;;;;GAMG;AACH,qBAAa,gBAAiB,YAAW,QAAQ;IAC/C,QAAQ,CAAC,IAAI,iBAAiB;IAE9B,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,eAAe,CAAwC;IAC/D,OAAO,CAAC,MAAM,CAAC,CAAe;gBAElB,OAAO,EAAE,uBAAuB;IAM5C,OAAO,CAAC,GAAG;IAUX;;OAEG;IACI,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,GAAG,cAAc,CAAC,OAAO,CAAC;IAmJ5E;;OAEG;IACH,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAUvC;;OAEG;IACH,OAAO,IAAI,IAAI;CAQhB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,GAC5C,MAAM,CAQR"}
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../../src/backend/ai/engine.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,aAAa,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAM5F,wCAAwC;AACxC,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,QAAQ,GAAG,cAAc,GAAG,iBAAiB,GAAG,QAAQ,GAAG,cAAc,CAAC;AAEnH,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,cAAc,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,cAAc,KAAK,IAAI,CAAC;AAE3D,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,gBAAgB,CAAC;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,uDAAuD;IACvD,MAAM,CAAC,EAAE,YAAY,CAAC;CACvB;AAED;;;;;;GAMG;AACH,qBAAa,gBAAiB,YAAW,QAAQ;IAC/C,QAAQ,CAAC,IAAI,iBAAiB;IAE9B,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,eAAe,CAAwC;IAC/D,OAAO,CAAC,MAAM,CAAC,CAAe;gBAElB,OAAO,EAAE,uBAAuB;IAM5C,OAAO,CAAC,GAAG;IAUX;;OAEG;IACI,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,GAAG,cAAc,CAAC,OAAO,CAAC;IAoJ5E;;OAEG;IACH,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAUvC;;OAEG;IACH,OAAO,IAAI,IAAI;CAQhB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,GAC5C,MAAM,CAQR"}

package/dist/backend/ai/engine.js

@@ -92,6 +92,7 @@ export class ClaudeCodeEngine {
             env: {
                 ...process.env,
                 CLAUDE_PLUGIN_ROOT: pluginRoot,
+                ...(options.userToken ? { LOOM_TOKEN: options.userToken } : {}),
             },
         });
         // Track active process for cleanup

package/dist/backend/ai/engine.js.map

@@ -1 +1 @@
-{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../../src/backend/ai/engine.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAqB,MAAM,eAAe,CAAC;AACzD,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,iBAAiB,EAAuB,MAAM,oBAAoB,CAAC;AAE5E,4DAA4D;AAC5D,MAAM,0BAA0B,GAAG,OAAO,CAAC;AAsB3C;;;;;;GAMG;AACH,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,aAAa,CAAC;IAEtB,MAAM,CAAmB;IACzB,WAAW,CAAS;IACpB,eAAe,GAA8B,IAAI,GAAG,EAAE,CAAC;IACvD,MAAM,CAAgB;IAE9B,YAAY,OAAgC;QAC1C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC/B,CAAC;IAEO,GAAG,CAAC,KAAqB,EAAE,SAAiB,EAAE,OAAe,EAAE,IAAc;QACnF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,KAAK;YACL,SAAS;YACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO;YACP,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,CAAC,IAAI,CAAC,MAAc,EAAE,OAAsB;QAChD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,QAAQ,CAAC;QAChF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,0BAA0B,CAAC;QACrF,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QAEpF,gDAAgD;QAChD,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QAE/D,MAAM,IAAI,GAAG;YACX,IAAI;YACJ,iBAAiB,EAAE,aAAa;YAChC,WAAW;YACX,4BAA4B;SAC7B,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,KAAK,KAAK,EAAE,CAAC;YAC1C,IAAI,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;QACjD,CAAC;QAED,0DAA0D;QAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;QACxC,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK;YAC/B,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,KAAK,CAAC;YAC5C,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAElC,gEAAgE;QAChE,IAAI,WAAW,EAAE,SAAS,IAAI,WAAW,EAAE,OAAO,EAAE,CAAC;YACnD,MAAM,WAAW,GAA2B,EAAE,CAAC;YAC/C,IAAI,WAAW,CAAC,SAAS;gBAAE,WAAW,CAAC,oBAAoB,GAAG,WAAW,CAAC,SAAS,CAAC;YACpF,IAAI,WAAW,CAAC,OAAO;gBAAE,WAAW,CAAC,kBAAkB,GAAG,WAAW,CAAC,OAAO,CAAC;YAC9E,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;QAChE,CAAC;QAED,2BAA2B;QAC3B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,IAAI,WAAW,EAAE,IAAI,CAAC;QACrD,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAClC,CAAC;QAED,oDAAoD;QACpD,iEAAiE;QACjE,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,SAAS,CAAC,CAAC;QAE1C,0CAA0C;QAC1C,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEf,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,yBAAyB,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QACxF,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,SAAS,EAAE,kBAAkB,UAAU,CAAC,MAAM,EAAE,EAAE;YAC3E,aAAa,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YACvC,UAAU,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,IAAI,CAAC;SACvC,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,KAAK,CAAC,UAAU,EAAE,IAAI,EAAE;YAC3C,GAAG,EAAE,IAAI,CAAC,WAAW;YACrB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,GAAG,EAAE;gBACH,GAAG,OAAO,CAAC,GAAG;gBACd,kBAAkB,EAAE,UAAU;aAC/B;SACF,CAAC,CAAC;QAEH,mCAAmC;QACnC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QAE1D,qCAAqC;QACrC,IAAI,YAAY,GAAG,EAAE,CAAC;QACtB,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC7B,YAAY,IAAI,IAAI,CAAC;YACrB,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;QAEH,2CAA2C;QAC3C,IAAI,aAAwD,CAAC;QAC7D,MAAM,iBAAiB,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC9D,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC9B,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAC7B,UAAU,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,CAAC,CAAC;gBACtD,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,OAAO,IAAI,CAAC,CAAC,CAAC;YACxE,CAAC,EAAE,OAAO,CAAC,CAAC;YAEZ,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBAChC,IAAI,aAAa;oBAAE,YAAY,CAAC,aAAa,CAAC,CAAC;gBAC/C,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBAE/C,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBAChC,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,SAAS,EAAE,4BAA4B,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;gBAC5H,CAAC;gBAED,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YAEH,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC/B,IAAI,aAAa;oBAAE,YAAY,CAAC,aAAa,CAAC,CAAC;gBAC/C,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBAC/C,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,mCAAmC;QACnC,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACrC,YAAY,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QAEzB,sBAAsB;QACtB,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM;gBAC9B,CAAC,CAAC,CAAC,KAAqB,EAAE,EAAE;oBACxB,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;gBACzE,CAAC;gBACH,CAAC,CAAC,SAAS,CAAC;YAEd,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,iBAAiB,CAAC,YAAY,CAAC,MAAO,EAAE,YAAY,CAAC,EAAE,CAAC;gBAChF,IAAI,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,SAAS,EAAE,eAAe,KAAK,CAAC,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;gBAEvG,6EAA6E;gBAC7E,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;oBAChD,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,YAAY,EAAE,GAAG,KAAK,CAAC;oBACpD,MAAM,YAAuB,CAAC;oBAE9B,IAAI,SAAS,EAAE,CAAC;wBACd,MAAM;4BACJ,IAAI,EAAE,cAAc;4BACpB,SAAS;4BACT,KAAK;yBACN,CAAC;oBACJ,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM;gBACJ,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC;QACJ,CAAC;QAED,2CAA2C;QAC3C,MAAM,iBAAiB,CAAC;QAExB,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,SAAiB;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACjD,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACzB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACrB,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACvC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,OAAO;QACL,KAAK,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACrD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAc,EACd,KAA6C;IAE7C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAEhD,MAAM,QAAQ,GAAG,KAAK;SACnB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;SACtC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,OAAO,GAAG,MAAM,+DAA+D,QAAQ,EAAE,CAAC;AAC5F,CAAC"}
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../../src/backend/ai/engine.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAqB,MAAM,eAAe,CAAC;AACzD,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,iBAAiB,EAAuB,MAAM,oBAAoB,CAAC;AAE5E,4DAA4D;AAC5D,MAAM,0BAA0B,GAAG,OAAO,CAAC;AAsB3C;;;;;;GAMG;AACH,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,aAAa,CAAC;IAEtB,MAAM,CAAmB;IACzB,WAAW,CAAS;IACpB,eAAe,GAA8B,IAAI,GAAG,EAAE,CAAC;IACvD,MAAM,CAAgB;IAE9B,YAAY,OAAgC;QAC1C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC/B,CAAC;IAEO,GAAG,CAAC,KAAqB,EAAE,SAAiB,EAAE,OAAe,EAAE,IAAc;QACnF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,KAAK;YACL,SAAS;YACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO;YACP,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,CAAC,IAAI,CAAC,MAAc,EAAE,OAAsB;QAChD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,QAAQ,CAAC;QAChF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,0BAA0B,CAAC;QACrF,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QAEpF,gDAAgD;QAChD,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QAE/D,MAAM,IAAI,GAAG;YACX,IAAI;YACJ,iBAAiB,EAAE,aAAa;YAChC,WAAW;YACX,4BAA4B;SAC7B,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,KAAK,KAAK,EAAE,CAAC;YAC1C,IAAI,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;QACjD,CAAC;QAED,0DAA0D;QAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;QACxC,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK;YAC/B,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,KAAK,CAAC;YAC5C,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAElC,gEAAgE;QAChE,IAAI,WAAW,EAAE,SAAS,IAAI,WAAW,EAAE,OAAO,EAAE,CAAC;YACnD,MAAM,WAAW,GAA2B,EAAE,CAAC;YAC/C,IAAI,WAAW,CAAC,SAAS;gBAAE,WAAW,CAAC,oBAAoB,GAAG,WAAW,CAAC,SAAS,CAAC;YACpF,IAAI,WAAW,CAAC,OAAO;gBAAE,WAAW,CAAC,kBAAkB,GAAG,WAAW,CAAC,OAAO,CAAC;YAC9E,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;QAChE,CAAC;QAED,2BAA2B;QAC3B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,IAAI,WAAW,EAAE,IAAI,CAAC;QACrD,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAClC,CAAC;QAED,oDAAoD;QACpD,iEAAiE;QACjE,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,SAAS,CAAC,CAAC;QAE1C,0CAA0C;QAC1C,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEf,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,yBAAyB,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QACxF,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,SAAS,EAAE,kBAAkB,UAAU,CAAC,MAAM,EAAE,EAAE;YAC3E,aAAa,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YACvC,UAAU,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,IAAI,CAAC;SACvC,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,KAAK,CAAC,UAAU,EAAE,IAAI,EAAE;YAC3C,GAAG,EAAE,IAAI,CAAC,WAAW;YACrB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,GAAG,EAAE;gBACH,GAAG,OAAO,CAAC,GAAG;gBACd,kBAAkB,EAAE,UAAU;gBAC9B,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAChE;SACF,CAAC,CAAC;QAEH,mCAAmC;QACnC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QAE1D,qCAAqC;QACrC,IAAI,YAAY,GAAG,EAAE,CAAC;QACtB,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC7B,YAAY,IAAI,IAAI,CAAC;YACrB,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;QAEH,2CAA2C;QAC3C,IAAI,aAAwD,CAAC;QAC7D,MAAM,iBAAiB,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC9D,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC9B,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAC7B,UAAU,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,CAAC,CAAC;gBACtD,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,OAAO,IAAI,CAAC,CAAC,CAAC;YACxE,CAAC,EAAE,OAAO,CAAC,CAAC;YAEZ,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBAChC,IAAI,aAAa;oBAAE,YAAY,CAAC,aAAa,CAAC,CAAC;gBAC/C,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBAE/C,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBAChC,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,SAAS,EAAE,4BAA4B,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;gBAC5H,CAAC;gBAED,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YAEH,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC/B,IAAI,aAAa;oBAAE,YAAY,CAAC,aAAa,CAAC,CAAC;gBAC/C,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBAC/C,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,mCAAmC;QACnC,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACrC,YAAY,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QAEzB,sBAAsB;QACtB,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM;gBAC9B,CAAC,CAAC,CAAC,KAAqB,EAAE,EAAE;oBACxB,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;gBACzE,CAAC;gBACH,CAAC,CAAC,SAAS,CAAC;YAEd,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,iBAAiB,CAAC,YAAY,CAAC,MAAO,EAAE,YAAY,CAAC,EAAE,CAAC;gBAChF,IAAI,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,SAAS,EAAE,eAAe,KAAK,CAAC,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;gBAEvG,6EAA6E;gBAC7E,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;oBAChD,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,YAAY,EAAE,GAAG,KAAK,CAAC;oBACpD,MAAM,YAAuB,CAAC;oBAE9B,IAAI,SAAS,EAAE,CAAC;wBACd,MAAM;4BACJ,IAAI,EAAE,cAAc;4BACpB,SAAS;4BACT,KAAK;yBACN,CAAC;oBACJ,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM;gBACJ,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC;QACJ,CAAC;QAED,2CAA2C;QAC3C,MAAM,iBAAiB,CAAC;QAExB,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,SAAiB;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACjD,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACzB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACrB,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACvC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,OAAO;QACL,KAAK,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACrD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAc,EACd,KAA6C;IAE7C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAEhD,MAAM,QAAQ,GAAG,KAAK;SACnB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;SACtC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,OAAO,GAAG,MAAM,+DAA+D,QAAQ,EAAE,CAAC;AAC5F,CAAC"}

package/dist/backend/auth/jwt.d.ts

@@ -0,0 +1,16 @@
+/**
+ * JWT token utilities
+ */
+import type { AuthConfig } from '../../types/auth.js';
+export interface TokenPayload {
+    userId: string;
+    username: string;
+    role: string;
+}
+export declare function signAccessToken(session: TokenPayload, config: AuthConfig): string;
+export declare function signRefreshToken(session: TokenPayload, config: AuthConfig): string;
+export declare function signServiceToken(session: TokenPayload, config: AuthConfig): string;
+export declare function verifyToken(token: string, config: AuthConfig): TokenPayload;
+export declare function refreshAccessToken(refreshToken: string, config: AuthConfig): string;
+export declare function isTokenExpired(token: string): boolean;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/backend/auth/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/backend/auth/jwt.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAMtD,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;CACd;AAcD,wBAAgB,eAAe,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAIjF;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAIlF;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAGlF;AAED,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,YAAY,CAI3E;AAED,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,CAOnF;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAQrD"}

package/dist/backend/auth/jwt.js

@@ -0,0 +1,57 @@
+/**
+ * JWT token utilities
+ */
+import jwt from 'jsonwebtoken';
+const DEFAULT_ACCESS_TTL = 900;
+const DEFAULT_REFRESH_TTL = 604800;
+const DEFAULT_SERVICE_TTL = 2592000; // 30 days
+function resolveSecret(secret) {
+    if (secret.startsWith('env:')) {
+        const envVar = secret.slice(4);
+        const value = process.env[envVar];
+        if (!value) {
+            throw new Error(`JWT secret environment variable ${envVar} is not set`);
+        }
+        return value;
+    }
+    return secret;
+}
+export function signAccessToken(session, config) {
+    const secret = resolveSecret(config.secret);
+    const ttl = config.accessTokenTtl ?? DEFAULT_ACCESS_TTL;
+    return jwt.sign(session, secret, { expiresIn: ttl });
+}
+export function signRefreshToken(session, config) {
+    const secret = resolveSecret(config.secret);
+    const ttl = config.refreshTokenTtl ?? DEFAULT_REFRESH_TTL;
+    return jwt.sign({ ...session, type: 'refresh' }, secret, { expiresIn: ttl });
+}
+export function signServiceToken(session, config) {
+    const secret = resolveSecret(config.secret);
+    return jwt.sign({ ...session, type: 'service' }, secret, { expiresIn: DEFAULT_SERVICE_TTL });
+}
+export function verifyToken(token, config) {
+    const secret = resolveSecret(config.secret);
+    const decoded = jwt.verify(token, secret);
+    return decoded;
+}
+export function refreshAccessToken(refreshToken, config) {
+    const payload = verifyToken(refreshToken, config);
+    if (payload.type !== 'refresh') {
+        throw new Error('Not a refresh token');
+    }
+    const { type: _, exp: __, iat: ___, ...session } = payload;
+    return signAccessToken(session, config);
+}
+export function isTokenExpired(token) {
+    try {
+        const decoded = jwt.decode(token);
+        if (!decoded?.exp)
+            return true;
+        return decoded.exp * 1000 < Date.now();
+    }
+    catch {
+        return true;
+    }
+}
+//# sourceMappingURL=jwt.js.map

package/dist/backend/auth/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/backend/auth/jwt.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,GAAG,MAAM,cAAc,CAAC;AAG/B,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAC/B,MAAM,mBAAmB,GAAG,MAAM,CAAC;AACnC,MAAM,mBAAmB,GAAG,OAAO,CAAC,CAAC,UAAU;AAQ/C,SAAS,aAAa,CAAC,MAAc;IACnC,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,mCAAmC,MAAM,aAAa,CAAC,CAAC;QAC1E,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAqB,EAAE,MAAkB;IACvE,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,MAAM,CAAC,cAAc,IAAI,kBAAkB,CAAC;IACxD,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,OAAqB,EAAE,MAAkB;IACxE,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,IAAI,mBAAmB,CAAC;IAC1D,OAAO,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;AAC/E,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,OAAqB,EAAE,MAAkB;IACxE,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,mBAAmB,EAAE,CAAC,CAAC;AAC/F,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAAa,EAAE,MAAkB;IAC3D,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1C,OAAO,OAAuB,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,YAAoB,EAAE,MAAkB;IACzE,MAAM,OAAO,GAAG,WAAW,CAAC,YAAY,EAAE,MAAM,CAAiE,CAAC;IAClH,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,OAAO,CAAC;IAC3D,OAAO,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAA4B,CAAC;QAC7D,IAAI,CAAC,OAAO,EAAE,GAAG;YAAE,OAAO,IAAI,CAAC;QAC/B,OAAO,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/backend/auth/password.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Password hashing and verification utilities
+ */
+export declare function validatePasswordStrength(password: string): {
+    valid: boolean;
+    message?: string;
+};
+export declare function hashPassword(password: string): Promise<string>;
+export declare function verifyPassword(password: string, hash: string): Promise<boolean>;
+//# sourceMappingURL=password.d.ts.map

package/dist/backend/auth/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../../src/backend/auth/password.ts"],"names":[],"mappings":"AAAA;;GAEG;AAOH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,CAK/F;AAED,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEpE;AAED,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAErF"}

package/dist/backend/auth/password.js

@@ -0,0 +1,19 @@
+/**
+ * Password hashing and verification utilities
+ */
+import bcrypt from 'bcryptjs';
+const SALT_ROUNDS = 12;
+const MIN_PASSWORD_LENGTH = 8;
+export function validatePasswordStrength(password) {
+    if (!password || password.length < MIN_PASSWORD_LENGTH) {
+        return { valid: false, message: `Password must be at least ${MIN_PASSWORD_LENGTH} characters` };
+    }
+    return { valid: true };
+}
+export async function hashPassword(password) {
+    return bcrypt.hash(password, SALT_ROUNDS);
+}
+export async function verifyPassword(password, hash) {
+    return bcrypt.compare(password, hash);
+}
+//# sourceMappingURL=password.js.map

package/dist/backend/auth/password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.js","sourceRoot":"","sources":["../../../src/backend/auth/password.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,MAAM,MAAM,UAAU,CAAC;AAE9B,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAE9B,MAAM,UAAU,wBAAwB,CAAC,QAAgB;IACvD,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;QACvD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,6BAA6B,mBAAmB,aAAa,EAAE,CAAC;IAClG,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,IAAY;IACjE,OAAO,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;AACxC,CAAC"}

package/dist/backend/auth/rbac.d.ts

@@ -0,0 +1,34 @@
+/**
+ * RBAC Middleware
+ *
+ * Two-layer auth:
+ * 1. Routes with :model param → model-level permission check
+ * 2. Routes without :model param → binary authentication (just verify logged in)
+ *
+ * Exempt routes: login, register, refresh
+ */
+import type { FastifyRequest, FastifyReply } from 'fastify';
+import type { AuthConfig, AuthPermissionLevel } from '../../types/auth.js';
+/** Resolve required permission level for a method, respecting writeExcludesDelete config */
+export declare function getRequiredLevel(method: string, config: AuthConfig): AuthPermissionLevel;
+/** Resolve effective permission for a model given user role and config */
+export declare function resolvePermission(model: string, roleName: string, config: AuthConfig): AuthPermissionLevel;
+/** Check if user level meets required level */
+export declare function hasPermission(userLevel: AuthPermissionLevel, requiredLevel: AuthPermissionLevel): boolean;
+/** Extend FastifyRequest with user info */
+declare module 'fastify' {
+    interface FastifyRequest {
+        user?: {
+            userId: string;
+            username: string;
+            role: string;
+            /** Raw JWT token for passing to child processes (e.g. LOOM_TOKEN for AI engine) */
+            token?: string;
+        };
+    }
+}
+export interface AuthMiddlewareOptions {
+    config: AuthConfig;
+}
+export declare function createAuthMiddleware(options: AuthMiddlewareOptions): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+//# sourceMappingURL=rbac.d.ts.map

package/dist/backend/auth/rbac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.d.ts","sourceRoot":"","sources":["../../../src/backend/auth/rbac.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5D,OAAO,KAAK,EAAE,UAAU,EAAE,mBAAmB,EAAwB,MAAM,qBAAqB,CAAC;AAoBjG,4FAA4F;AAC5F,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,mBAAmB,CAOxF;AASD,0EAA0E;AAC1E,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,UAAU,GACjB,mBAAmB,CAcrB;AAED,+CAA+C;AAC/C,wBAAgB,aAAa,CAAC,SAAS,EAAE,mBAAmB,EAAE,aAAa,EAAE,mBAAmB,GAAG,OAAO,CAEzG;AAED,2CAA2C;AAC3C,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,cAAc;QACtB,IAAI,CAAC,EAAE;YACL,MAAM,EAAE,MAAM,CAAC;YACf,QAAQ,EAAE,MAAM,CAAC;YACjB,IAAI,EAAE,MAAM,CAAC;YACb,mFAAmF;YACnF,KAAK,CAAC,EAAE,MAAM,CAAC;SAChB,CAAC;KACH;CACF;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,UAAU,CAAC;CACpB;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,qBAAqB,IAGnD,SAAS,cAAc,EAAE,OAAO,YAAY,mBA8D3D"}

package/dist/backend/auth/rbac.js

@@ -0,0 +1,124 @@
+/**
+ * RBAC Middleware
+ *
+ * Two-layer auth:
+ * 1. Routes with :model param → model-level permission check
+ * 2. Routes without :model param → binary authentication (just verify logged in)
+ *
+ * Exempt routes: login, register, refresh
+ */
+import { verifyToken } from './jwt.js';
+/** Permission hierarchy: none < read < write < admin */
+const LEVEL_HIERARCHY = {
+    none: 0,
+    read: 1,
+    write: 2,
+    admin: 3,
+};
+/** HTTP method → minimum permission level for model routes (base, before writeExcludesDelete override) */
+const BASE_METHOD_LEVEL = {
+    GET: 'read',
+    POST: 'write',
+    PUT: 'write',
+    PATCH: 'write',
+    DELETE: 'admin',
+};
+/** Resolve required permission level for a method, respecting writeExcludesDelete config */
+export function getRequiredLevel(method, config) {
+    const base = BASE_METHOD_LEVEL[method] ?? 'read';
+    // writeExcludesDelete defaults to false: write level includes delete unless explicitly set to true
+    if (method === 'DELETE' && config.permissions.defaults.writeExcludesDelete !== true) {
+        return 'write';
+    }
+    return base;
+}
+/** Exempt paths (no auth required) */
+const EXEMPT_PATHS = [
+    '/api/v1/auth/login',
+    '/api/v1/auth/register',
+    '/api/v1/auth/refresh',
+];
+/** Resolve effective permission for a model given user role and config */
+export function resolvePermission(model, roleName, config) {
+    const role = config.roles.find(r => r.role === roleName);
+    if (!role)
+        return config.permissions.defaults.read;
+    // Check explicit model permission
+    const modelPerm = role.permissions.find(p => p.model === model);
+    if (modelPerm)
+        return modelPerm.level;
+    // Check wildcard permission
+    const wildcardPerm = role.permissions.find(p => p.model === '*');
+    if (wildcardPerm)
+        return wildcardPerm.level;
+    // Fall back to defaults based on method
+    return config.permissions.defaults.read;
+}
+/** Check if user level meets required level */
+export function hasPermission(userLevel, requiredLevel) {
+    return LEVEL_HIERARCHY[userLevel] >= LEVEL_HIERARCHY[requiredLevel];
+}
+export function createAuthMiddleware(options) {
+    const { config } = options;
+    return async (request, reply) => {
+        // Skip exempt paths (exact match or path boundary)
+        if (EXEMPT_PATHS.some(p => {
+            if (request.url === p)
+                return true;
+            if (request.url.startsWith(p + '/') || request.url.startsWith(p + '?'))
+                return true;
+            return false;
+        })) {
+            return;
+        }
+        // Extract and verify token
+        const authHeader = request.headers.authorization;
+        if (!authHeader?.startsWith('Bearer ')) {
+            reply.code(401).send({ error: 'Authentication required' });
+            return;
+        }
+        const token = authHeader.slice(7);
+        try {
+            const payload = verifyToken(token, config);
+            // Reject refresh tokens used for API access
+            if (payload.type === 'refresh') {
+                reply.code(401).send({ error: 'Refresh tokens cannot be used for API access' });
+                return;
+            }
+            request.user = {
+                userId: payload.userId,
+                username: payload.username,
+                role: payload.role,
+                token,
+            };
+        }
+        catch {
+            reply.code(401).send({ error: 'Invalid or expired token' });
+            return;
+        }
+        // Model-level permission check (for routes with :model param)
+        const model = request.params?.model;
+        if (model) {
+            const method = request.method;
+            const requiredLevel = getRequiredLevel(method, config);
+            const userLevel = resolvePermission(model, request.user.role, config);
+            if (!hasPermission(userLevel, requiredLevel)) {
+                request.log.warn({
+                    userId: request.user?.userId,
+                    role: request.user?.role,
+                    model,
+                    method: request.method,
+                    required: requiredLevel,
+                    actual: userLevel,
+                }, 'Auth: permission denied');
+                reply.code(403).send({
+                    error: 'Insufficient permissions',
+                    required: requiredLevel,
+                    actual: userLevel,
+                });
+                return;
+            }
+        }
+    };
+}
+//# sourceMappingURL=rbac.js.map

package/dist/backend/auth/rbac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.js","sourceRoot":"","sources":["../../../src/backend/auth/rbac.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,EAAE,WAAW,EAAqB,MAAM,UAAU,CAAC;AAE1D,wDAAwD;AACxD,MAAM,eAAe,GAAwC;IAC3D,IAAI,EAAE,CAAC;IACP,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;IACR,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,0GAA0G;AAC1G,MAAM,iBAAiB,GAAwC;IAC7D,GAAG,EAAE,MAAM;IACX,IAAI,EAAE,OAAO;IACb,GAAG,EAAE,OAAO;IACZ,KAAK,EAAE,OAAO;IACd,MAAM,EAAE,OAAO;CAChB,CAAC;AAEF,4FAA4F;AAC5F,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,MAAkB;IACjE,MAAM,IAAI,GAAG,iBAAiB,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC;IACjD,mGAAmG;IACnG,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,mBAAmB,KAAK,IAAI,EAAE,CAAC;QACpF,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sCAAsC;AACtC,MAAM,YAAY,GAAG;IACnB,oBAAoB;IACpB,uBAAuB;IACvB,sBAAsB;CACvB,CAAC;AAEF,0EAA0E;AAC1E,MAAM,UAAU,iBAAiB,CAC/B,KAAa,EACb,QAAgB,EAChB,MAAkB;IAElB,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IACzD,IAAI,CAAC,IAAI;QAAE,OAAO,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC;IAEnD,kCAAkC;IAClC,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC;IAChE,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC,KAAK,CAAC;IAEtC,4BAA4B;IAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,GAAG,CAAC,CAAC;IACjE,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC,KAAK,CAAC;IAE5C,wCAAwC;IACxC,OAAO,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC;AAC1C,CAAC;AAED,+CAA+C;AAC/C,MAAM,UAAU,aAAa,CAAC,SAA8B,EAAE,aAAkC;IAC9F,OAAO,eAAe,CAAC,SAAS,CAAC,IAAI,eAAe,CAAC,aAAa,CAAC,CAAC;AACtE,CAAC;AAmBD,MAAM,UAAU,oBAAoB,CAAC,OAA8B;IACjE,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAE3B,OAAO,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAE,EAAE;QAC5D,mDAAmD;QACnD,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;YACxB,IAAI,OAAO,CAAC,GAAG,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACnC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;YACpF,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,EAAE,CAAC;YACH,OAAO;QACT,CAAC;QAED,2BAA2B;QAC3B,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC3C,4CAA4C;YAC5C,IAAK,OAA4C,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACrE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8CAA8C,EAAE,CAAC,CAAC;gBAChF,OAAO;YACT,CAAC;YACD,OAAO,CAAC,IAAI,GAAG;gBACb,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,KAAK;aACN,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QAED,8DAA8D;QAC9D,MAAM,KAAK,GAAI,OAAO,CAAC,MAA6C,EAAE,KAAK,CAAC;QAC5E,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAC9B,MAAM,aAAa,GAAG,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAEvD,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAEtE,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,aAAa,CAAC,EAAE,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;oBACf,MAAM,EAAE,OAAO,CAAC,IAAI,EAAE,MAAM;oBAC5B,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI;oBACxB,KAAK;oBACL,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,QAAQ,EAAE,aAAa;oBACvB,MAAM,EAAE,SAAS;iBAClB,EAAE,yBAAyB,CAAC,CAAC;gBAC9B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,0BAA0B;oBACjC,QAAQ,EAAE,aAAa;oBACvB,MAAM,EAAE,SAAS;iBAClB,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;QACH,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/backend/auth/service-token.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Service Token management
+ *
+ * Issues service tokens for Process automation and CLI auth.
+ * Service tokens are long-lived (30d), not affected by password changes.
+ * Returned via API response on user creation — caller is responsible for storage.
+ */
+import type { AuthConfig } from '../../types/auth.js';
+/** Issue a service token for the given user (does not persist to file) */
+export declare function issueServiceToken(userId: string, username: string, role: string, config: AuthConfig): string;
+//# sourceMappingURL=service-token.d.ts.map

package/dist/backend/auth/service-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-token.d.ts","sourceRoot":"","sources":["../../../src/backend/auth/service-token.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGtD,0EAA0E;AAC1E,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,UAAU,GACjB,MAAM,CAER"}