@m1a0rz/agent-identity 0.4.1 → 0.4.2

package/README-cn.md

@@ -195,6 +195,7 @@ openclaw plugins install --link .
 | `sessionToken` | string | 否 | STS 临时会话令牌（或 `VOLCENGINE_SESSION_TOKEN`） |
 | `subagentTipPropagation` | boolean | 否 | 将 TIP 和 session 传播到子 agent。默认 false |
 | `webchatSessionExchange` | boolean | 否 | 启用 `identity.session.put` / `identity.session.get` gateway WS 方法供 webchat 客户端使用。默认 false |
+| `personalSessionMode` | boolean | 否 | 个人/单用户模式：TIP、OIDC session、凭据仅存储在 `agent:main:main`（不做按发送者或 per-channel-peer 隔离）。子 agent 会话不变。默认 false；多租户或群聊共享场景勿开启。 |
 
 \* AK/SK 至少通过 `accessKeyId`+`secretAccessKey`、环境变量、`credentialsMetadataUrl`+`roleTrn` 或 `credentialsFile` 之一提供。
 
@@ -243,8 +244,8 @@ TIP token 通过 `GetWorkloadAccessTokenForJWT` 获取。工作负载行为：
 
 | 方法 | 参数 | 响应 | 描述 |
 | --- | --- | --- | --- |
-| `identity.session.put` | `{ sessionKey, idToken, senderId?, channel? }` | `{ sub, expiresAt, effectiveSessionKey, hasTip }` | 将 OIDC id_token 注入到插件 session。通过 `buildEffectiveSessionKey` 解析实际存储 key（与 hooks/commands 相同的隔离逻辑）。 |
-| `identity.session.get` | `{ sessionKey, senderId?, channel? }` | `{ userToken, sub, expiresAt, effectiveSessionKey }` | 获取指定 session 已存储的 user token。 |
+| `identity.session.put` | `{ sessionKey, idToken, refreshToken?, senderId?, channel? }` | `{ sub, expiresAt, effectiveSessionKey, hasTip }` | 将 OIDC id_token 注入到插件 session；可选传入 `refreshToken`（加密存储），用于静默续期。通过 `buildEffectiveSessionKey` 解析实际存储 key（与 hooks/commands 相同的隔离逻辑）。 |
+| `identity.session.get` | `{ sessionKey, senderId?, channel? }` | `{ userToken, sub, expiresAt, effectiveSessionKey, hasRefreshToken }` | 获取指定 session 已存储的 user token。`hasRefreshToken` 表示是否存有 refresh token；响应中不会返回 refresh token 明文。 |
 
 - `senderId` 默认值为 `"openclaw-control-ui"`。对于 main session，实际存储 key 为 `agent:main:main:user:<senderId>`。
 - `channel` 可选；当 session 来源于可发送消息的渠道（feishu、telegram 等）时传入，可启用 per-channel-peer key 提升。
@@ -264,7 +265,7 @@ TIP token 通过 `GetWorkloadAccessTokenForJWT` 获取。工作负载行为：
 **典型流程（BFF → webchat → plugin）：**
 
 1. BFF 完成 3LO 登录并获取用户的 OIDC `id_token`
-2. Webchat 客户端调用 `identity.session.put`，传入 session key 和 `id_token`
+2. Webchat 客户端调用 `identity.session.put`，传入 session key 和 `id_token`（若需静默续期，可一并传入 token 响应中的 `refresh_token` 作为 `refreshToken`）
 3. 插件校验 token，存储 session，并获取 TIP
 4. 后续该 session 中的 agent 运行拥有有效身份——无需手动登录
 

package/README.md

@@ -195,6 +195,7 @@ Add to `openclaw.json` under `plugins.entries.agent-identity.config`:
 | `sessionToken` | string | No | STS session token (or `VOLCENGINE_SESSION_TOKEN`) |
 | `subagentTipPropagation` | boolean | No | Propagate TIP and session to subagents. Default false |
 | `webchatSessionExchange` | boolean | No | Enable `identity.session.put` / `identity.session.get` gateway WS methods for webchat clients. Default false |
+| `personalSessionMode` | boolean | No | Single-user mode: TIP, OIDC session, and credentials are stored only under `agent:main:main` (no per-sender or per-channel-peer keys). Subagent sessions unchanged. Default false — do not enable for multi-tenant or shared groups. |
 
 \* AK/SK must be provided via `accessKeyId`+`secretAccessKey`, environment variables, `credentialsMetadataUrl`+`roleTrn`, or `credentialsFile`.
 
@@ -243,8 +244,8 @@ When `identity.webchatSessionExchange` is `true`, the plugin registers two gatew
 
 | Method | Params | Response | Description |
 | --- | --- | --- | --- |
-| `identity.session.put` | `{ sessionKey, idToken, senderId?, channel? }` | `{ sub, expiresAt, effectiveSessionKey, hasTip }` | Inject an OIDC id_token into a plugin session. Resolves effective storage key via `buildEffectiveSessionKey` (same sender isolation as hooks/commands). |
-| `identity.session.get` | `{ sessionKey, senderId?, channel? }` | `{ userToken, sub, expiresAt, effectiveSessionKey }` | Retrieve the stored user token for a session. |
+| `identity.session.put` | `{ sessionKey, idToken, refreshToken?, senderId?, channel? }` | `{ sub, expiresAt, effectiveSessionKey, hasTip }` | Inject an OIDC id_token into a plugin session; optional `refreshToken` is stored encrypted for silent token renewal. Resolves effective storage key via `buildEffectiveSessionKey` (same sender isolation as hooks/commands). |
+| `identity.session.get` | `{ sessionKey, senderId?, channel? }` | `{ userToken, sub, expiresAt, effectiveSessionKey, hasRefreshToken }` | Retrieve the stored user token for a session. `hasRefreshToken` indicates whether a refresh token is stored; the refresh token value is never returned. |
 
 - `senderId` defaults to `"openclaw-control-ui"`. The effective storage key is `agent:main:main:user:<senderId>` for main sessions.
 - `channel` is optional; when the session originates from a sendable channel (feishu, telegram, etc.), pass it to enable per-channel-peer key promotion.
@@ -264,7 +265,7 @@ Both methods are **restricted to webchat WS connections only** (`isWebchatConnec
 **Typical flow (BFF → webchat → plugin):**
 
 1. BFF completes 3LO login and obtains an OIDC `id_token` for the user
-2. Webchat client calls `identity.session.put` with the session key and `id_token`
+2. Webchat client calls `identity.session.put` with the session key and `id_token` (optionally `refreshToken` from the token response if silent renewal is desired)
 3. Plugin verifies the token, stores the session, and acquires TIP
 4. Subsequent agent runs in that session have a valid identity — no manual login needed
 

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AA0E7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QAyatD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAkF7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QA8etD"}

package/dist/index.js

@@ -13,15 +13,18 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+import { runPluginPreflight } from "./src/preflight/plugin-preflight.js";
+import { pluginState } from "./src/preflight/plugin-state.js";
 import { createIdentityCommand, createIdCommand } from "./src/commands/identity-commands.js";
 import { createBeforeAgentStartHandler } from "./src/hooks/before-agent-start.js";
 import { createLlmInputHandler } from "./src/hooks/llm-input.js";
 import { createSessionsSendPropagationHandler } from "./src/hooks/sessions-send-propagation.js";
 import { createSessionsSpawnPropagationHandler } from "./src/hooks/sessions-spawn-propagation.js";
 import { createSubagentEndedCleanupHandler } from "./src/hooks/subagent-ended-cleanup.js";
-import { setSender, clearSender } from "./src/store/sender-session-store.js";
+import { setSender, clearSender, setPersonalSessionMode } from "./src/store/sender-session-store.js";
 import { deriveSessionKey, needsSenderIsolation, } from "./src/utils/derive-session-key.js";
 import { createBeforeToolCallHandler } from "./src/hooks/before-tool-call.js";
+import { createToolResultPersistHandler } from "./src/hooks/tool-result-persist.js";
 import { createAfterToolCallHandler } from "./src/hooks/after-tool-call.js";
 import * as skillPathStore from "./src/store/skill-path-store.js";
 import { createOIDCCallbackHandler, createOIDCCallbackHandlerLazy, } from "./src/routes/oidc-login.js";
@@ -34,7 +37,11 @@ import { createIdentityConfigSuggestTool } from "./src/tools/identity-config-sug
 import { createIdentityListRiskPatternsTool } from "./src/tools/identity-list-risk-patterns.js";
 import { createIdentityRiskCheckTool } from "./src/tools/identity-risk-check.js";
 import { createIdentityFetchTool } from "./src/tools/identity-fetch.js";
+import { createIdentityGetRoleCredentialsTool } from "./src/tools/identity-get-role-credentials.js";
+import { createIdentityGetTipTokenTool } from "./src/tools/identity-get-tip-token.js";
+import { createIdentityGetSessionTokenTool } from "./src/tools/identity-get-session-token.js";
 import { createIdentityListCredentialsTool } from "./src/tools/identity-list-credentials.js";
+import { createIdentityListRolesTool } from "./src/tools/identity-list-roles.js";
 import { createIdentityListTipsTool } from "./src/tools/identity-list-tips.js";
 import { createIdentityLoginTool } from "./src/tools/identity-login.js";
 import { createIdentityLogoutTool } from "./src/tools/identity-logout.js";
@@ -70,6 +77,10 @@ export default function register(api) {
     const storeDir = api.resolvePath(PLUGIN_STORE_DIR);
     initEncryptionKey(storeDir);
     const identityCfg = pluginConfig.identity;
+    setPersonalSessionMode(identityCfg?.personalSessionMode === true);
+    if (identityCfg?.personalSessionMode) {
+        logInfo(api.logger, "identity.personalSessionMode: non-subagent TIP/session/credentials use agent:main:main only");
+    }
     const hasIdentity = hasAnyIdentityConfig(identityCfg);
     const userpool = pluginConfig.userpool;
     const identityClient = hasIdentity
@@ -96,6 +107,9 @@ export default function register(api) {
             getResourceApiKey: async () => {
                 throw new Error("Identity not configured.");
             },
+            getUserCredential: async () => {
+                throw new Error("Identity not configured.");
+            },
             checkPermission: async () => {
                 throw new Error("Identity not configured.");
             },
@@ -106,9 +120,24 @@ export default function register(api) {
                 PageNumber: 1,
                 PageSize: 20,
             }),
+            listRoleCredentialProviders: async () => ({
+                RoleCredentialProviders: [],
+                TotalCount: 0,
+                PageNumber: 1,
+                PageSize: 20,
+            }),
+            getRoleCredentials: async () => {
+                throw new Error("Identity not configured.");
+            },
             getUserPool: async () => {
                 throw new Error("Identity not configured.");
             },
+            listIdentityProviders: async () => ({
+                pageNumber: 1,
+                pageSize: 10,
+                totalCount: 0,
+                data: [],
+            }),
             listUserPools: async () => ({
                 pageNumber: 1,
                 pageSize: 10,
@@ -278,23 +307,29 @@ export default function register(api) {
         getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
         configWorkloadName: identityCfg?.workloadName,
         identityClient: hasIdentity ? identityClient : undefined,
+        workloadPoolName: identityCfg?.workloadPoolName ?? "default",
+        userPoolName: userpool?.userPoolName,
         logger: api.logger,
         pluginConfig,
         sendCredentialMessage: sendToSession,
     };
     api.registerCommand(createIdentityCommand(identityCommandsDeps));
     api.registerCommand(createIdCommand(identityCommandsDeps));
-    logInfo(api.logger, "commands /identity, /id (login, status, logout, list-tips, list-credentials, fetch, set, unset); HTTP callback /identity/oauth/callback (credential OAuth uses Identity callback)");
+    logInfo(api.logger, "commands /identity, /id (login, status, logout, list, list-roles, list-tips, fetch, set, unset); HTTP callback /identity/oauth/callback (credential OAuth uses Identity callback)");
     // Tools (share deps with commands). Optional = only included when agent allowlist explicitly adds them.
     api.registerTool(createIdentityWhoamiTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityLogoutTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityStatusTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityLoginTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityListCredentialsTool(identityCommandsDeps), { optional: false });
+    api.registerTool(createIdentityListRolesTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityListTipsTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityConfigTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentityConfigSuggestTool(), { optional: false });
     api.registerTool(createIdentityFetchTool(identityCommandsDeps), { optional: false });
+    api.registerTool(createIdentityGetRoleCredentialsTool(identityCommandsDeps), { optional: false });
+    api.registerTool(createIdentityGetTipTokenTool(identityCommandsDeps), { optional: false });
+    api.registerTool(createIdentityGetSessionTokenTool(identityCommandsDeps), { optional: false });
     api.registerTool(createIdentitySetBindingTool(identityCommandsDeps), { optional: true });
     api.registerTool(createIdentityUnsetBindingTool(identityCommandsDeps), { optional: true });
     api.registerTool(createIdentityRiskCheckTool({ pluginConfig, logger: api.logger }), { optional: true });
@@ -391,12 +426,12 @@ export default function register(api) {
         logger: api.logger,
     }));
     if (skillReadCheck) {
-        api.on("session_end", (_event, ctx) => {
-            if (ctx.sessionId)
-                skillPathStore.clearSessionById(ctx.sessionId);
+        api.on("session_end", (event) => {
+            if (event.sessionId)
+                skillPathStore.clearSessionById(event.sessionId);
         });
     }
-    // before_tool_call: authz, credential injection, group sender context
+    // before_tool_call: authz, credential injection, group sender context, contract injection
     api.on("before_tool_call", createBeforeToolCallHandler({
         storeDir,
         identityClient: hasIdentity ? identityClient : undefined,
@@ -408,9 +443,11 @@ export default function register(api) {
         identityService: hasIdentity ? identityService : undefined,
         getOidcConfigForRefresh: getOidcConfigForRefresh ?? undefined,
         configWorkloadName: identityCfg?.workloadName,
+        workspaceDir: api.resolvePath?.(".") ?? undefined,
     }));
     // Companion after_tool_call: restore env snapshot set by credential injection
     api.on("after_tool_call", createAfterToolCallHandler({ logger: api.logger }));
+    api.on("tool_result_persist", createToolResultPersistHandler({ logger: api.logger }));
     // Gateway WS methods: webchat session exchange (inject / retrieve user token)
     if (identityCfg?.webchatSessionExchange && hasIdentity) {
         const sessionMethodDeps = {
@@ -424,4 +461,38 @@ export default function register(api) {
         api.registerGatewayMethod("identity.session.get", createSessionGetHandler(sessionMethodDeps));
         logInfo(api.logger, "gateway methods: identity.session.put, identity.session.get (webchat session exchange)");
     }
+    // Preflight: run async after register() returns so startup is never blocked.
+    // On any failure, set pluginState.degraded so hooks skip all interception.
+    const authzEnabled = !!(authz?.agentCheck || authz?.toolCheck || authz?.requireRiskApproval);
+    runPluginPreflight({
+        identityClient,
+        identityService,
+        hasIdentity,
+        credentialConfig: identityCfg
+            ? {
+                accessKeyId: identityCfg.accessKeyId,
+                secretAccessKey: identityCfg.secretAccessKey,
+                sessionToken: identityCfg.sessionToken,
+                credentialsFile: identityCfg.credentialsFile,
+                credentialsMetadataUrl: identityCfg.credentialsMetadataUrl,
+                roleTrn: identityCfg.roleTrn,
+            }
+            : undefined,
+        userpool: dynamicOidcEnabled
+            ? { mode: "dynamic", userPoolName: userpool?.userPoolName }
+            : explicitOidcEnabled
+                ? { mode: "explicit", discoveryUrl: userpool?.discoveryUrl }
+                : undefined,
+        workloadPoolName: identityCfg?.workloadPoolName,
+        authzEnabled,
+        namespaceName: authz?.namespaceName ?? "default",
+        logger: api.logger,
+    }).then((result) => {
+        if (!result.ok) {
+            pluginState.degraded = true;
+            pluginState.failures = result.failures;
+        }
+    }).catch((err) => {
+        logWarn(api.logger, `[identity] preflight threw unexpectedly: ${String(err)}`);
+    });
 }

package/dist/scripts/demo-get-session.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Demo: read local sessions.json (with field-level decryption), resolve one sessionKey, print userToken.
+ *
+ * Same path as the plugin: initEncryptionKey(storeDir) then getSession(storeDir, sessionKey).
+ *
+ * Usage (after `pnpm build`):
+ *   node dist/scripts/demo-get-session.js <sessionKey>
+ *   node dist/scripts/demo-get-session.js <storeDir> <sessionKey>
+ *   pnpm demo:get-session -- <sessionKey>
+ *
+ * Flags:
+ *   --print-token  Print full userToken (default: only prefix + length)
+ */
+export {};
+//# sourceMappingURL=demo-get-session.d.ts.map

package/dist/scripts/demo-get-session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"demo-get-session.d.ts","sourceRoot":"","sources":["../../scripts/demo-get-session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG"}

package/dist/scripts/demo-get-session.js

@@ -0,0 +1,58 @@
+/**
+ * Demo: read local sessions.json (with field-level decryption), resolve one sessionKey, print userToken.
+ *
+ * Same path as the plugin: initEncryptionKey(storeDir) then getSession(storeDir, sessionKey).
+ *
+ * Usage (after `pnpm build`):
+ *   node dist/scripts/demo-get-session.js <sessionKey>
+ *   node dist/scripts/demo-get-session.js <storeDir> <sessionKey>
+ *   pnpm demo:get-session -- <sessionKey>
+ *
+ * Flags:
+ *   --print-token  Print full userToken (default: only prefix + length)
+ */
+import path from "node:path";
+import os from "node:os";
+import { initEncryptionKey } from "../src/store/encryption.js";
+import { getSession } from "../src/store/session-store.js";
+function usage() {
+    console.error(`Usage: demo-get-session [--print-token] <sessionKey>
+       demo-get-session [--print-token] <storeDir> <sessionKey>
+
+  storeDir defaults to ~/.openclaw/plugins/identity`);
+    process.exit(1);
+}
+async function main() {
+    const printToken = process.argv.includes("--print-token");
+    const args = process.argv.slice(2).filter((a) => a !== "--print-token");
+    if (args.length < 1 || args.length > 2)
+        usage();
+    const storeDir = args.length === 2
+        ? path.resolve(args[0])
+        : path.join(os.homedir(), ".openclaw", "plugins", "identity");
+    const sessionKey = args.length === 2 ? args[1] : args[0];
+    initEncryptionKey(storeDir);
+    const session = await getSession(storeDir, sessionKey);
+    if (!session) {
+        console.log(JSON.stringify({ ok: false, reason: "no session or expired", storeDir, sessionKey }, null, 2));
+        process.exit(2);
+    }
+    const tokenPreview = printToken
+        ? session.userToken
+        : `${session.userToken.slice(0, 12)}… (${session.userToken.length} chars)`;
+    console.log(JSON.stringify({
+        ok: true,
+        storeDir,
+        sessionKey,
+        sub: session.sub,
+        loginAt: session.loginAt,
+        expiresAt: session.expiresAt ?? null,
+        hasRefreshToken: Boolean(session.refreshToken),
+        claims: session.claims ?? null,
+        userToken: tokenPreview,
+    }, null, 2));
+}
+main().catch((err) => {
+    console.error(err);
+    process.exit(1);
+});

package/dist/src/actions/identity-actions.d.ts

@@ -15,6 +15,10 @@ export type OIDCConfigForCommand = {
     clientSecret?: string;
     scope?: string;
     callbackUrl: string;
+    /** UserPool UID (available when resolved dynamically via resolveOIDCConfig). */
+    poolUid?: string;
+    /** First identity provider cached at config resolve time. */
+    identityProvider?: string;
 };
 export type IdentityActionsLogger = {
     info?: (msg: string) => void;
@@ -28,11 +32,13 @@ export type IdentityActionsDeps = {
     getOidcConfigForRefresh?: () => Promise<OIDCConfigForRefresh>;
     configWorkloadName?: string;
     identityClient?: IdentityClientInterface;
+    workloadPoolName?: string;
+    userPoolName?: string;
     logger?: IdentityActionsLogger;
     pluginConfig?: PluginConfig;
     sendCredentialMessage?: (targetOrSessionKey: SessionKeyDeliveryTarget | string, text: string) => Promise<void>;
 };
-export type FetchFlow = "oauth2-user" | "oauth2-m2m" | "apikey";
+export type FetchFlow = "oauth2-user" | "oauth2-m2m" | "apikey" | "user";
 export type StatusResult = {
     loggedIn: boolean;
     sub: string | null;
@@ -69,14 +75,15 @@ export type LogoutResult = {
     ok: boolean;
 };
 export declare function runLogout(deps: IdentityActionsDeps, sessionKey: string): Promise<LogoutResult>;
+export type ProviderRow = {
+    name: string;
+    type: string;
+    flow?: string;
+    status: string;
+    binding?: string;
+};
 export type ListCredentialsResult = {
-    providers: Array<{
-        name: string;
-        type: string;
-        flow?: string;
-        status: string;
-        binding?: string;
-    }>;
+    providers: ProviderRow[];
     storedOnly: Array<{
         name: string;
         status: string;
@@ -89,8 +96,21 @@ export type ListCredentialsResult = {
 export type ListCredentialsFilter = {
     name?: string;
     flow?: string;
+    type?: string;
 };
 export declare function runListCredentials(deps: IdentityActionsDeps, sessionKey: string, page?: number, filter?: ListCredentialsFilter): Promise<ListCredentialsResult>;
+export type RoleProviderRow = {
+    name: string;
+    identitySource?: string;
+};
+export type ListRoleCredentialsResult = {
+    providers: RoleProviderRow[];
+    page: number;
+    hasMore: boolean;
+};
+export declare function runListRoleCredentials(deps: IdentityActionsDeps, sessionKey: string, filter?: {
+    name?: string;
+}): Promise<ListRoleCredentialsResult>;
 export type ListTipsResult = {
     tips: Array<{
         sessionKey: string;
@@ -148,4 +168,50 @@ export type UnsetBindingResult = {
 export declare function runUnsetBinding(deps: IdentityActionsDeps, sessionKey: string, params: {
     provider: string;
 }): Promise<UnsetBindingResult>;
+export type GetRoleCredentialsActionResult = {
+    kind: "success";
+    credentials: {
+        AccessKeyId: string;
+        SecretAccessKey: string;
+        SessionToken: string;
+        Expiration?: string;
+    };
+} | {
+    kind: "error";
+    message: string;
+};
+export declare function runGetRoleCredentials(deps: IdentityActionsDeps, sessionKey: string, params: {
+    providerName: string;
+    useTip?: boolean;
+    config?: import("openclaw/plugin-sdk").OpenClawConfig;
+}): Promise<GetRoleCredentialsActionResult>;
+export type GetTipTokenResult = {
+    kind: "success";
+    tipToken: string;
+    sub: string;
+    issuedAt: number;
+    expiresAt: number;
+} | {
+    kind: "error";
+    message: string;
+};
+/**
+ * Return the current TIP JWT for the session (refresh/obtain via user token if needed).
+ */
+export declare function runGetTipToken(deps: IdentityActionsDeps, sessionKey: string, config?: OpenClawConfig): Promise<GetTipTokenResult>;
+export type GetSessionTokenResult = {
+    kind: "success";
+    /** OIDC id_token stored for the session. */
+    sessionIdToken: string;
+    sub: string;
+    loginAt: number;
+    expiresAt?: number;
+} | {
+    kind: "error";
+    message: string;
+};
+/**
+ * Return the OIDC id_token (user / session identity token) for the session.
+ */
+export declare function runGetSessionToken(deps: IdentityActionsDeps, sessionKey: string): Promise<GetSessionTokenResult>;
 //# sourceMappingURL=identity-actions.d.ts.map

package/dist/src/actions/identity-actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAgB/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAUtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,CAAC;AAgFhE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAsCvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CA8DtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CASvB;AAID,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClG,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,EAChB,MAAM,CAAC,EAAE,qBAAqB,GAC7B,OAAO,CAAC,qBAAqB,CAAC,CAqFhC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA4ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,kFAAkF;IAClF,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B,GACA,OAAO,CAAC,WAAW,CAAC,CA4JtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B"}
+{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAEV,uBAAuB,EAExB,MAAM,gCAAgC,CAAC;AACxC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAgB/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAWtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,GAAG,MAAM,CAAC;AAgHzE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CA4BvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CAyDtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CASvB;AAID,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,WAAW,EAAE,CAAC;IACzB,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,EAChB,MAAM,CAAC,EAAE,qBAAqB,GAC7B,OAAO,CAAC,qBAAqB,CAAC,CA6DhC;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GACzB,OAAO,CAAC,yBAAyB,CAAC,CA2CpC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA4ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,kFAAkF;IAClF,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B,GACA,OAAO,CAAC,WAAW,CAAC,CAgKtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B;AAED,MAAM,MAAM,8BAA8B,GACtC;IACE,IAAI,EAAE,SAAS,CAAC;IAChB,WAAW,EAAE;QACX,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,GACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,qBAAqB,EAAE,cAAc,CAAC;CACvD,GACA,OAAO,CAAC,8BAA8B,CAAC,CAsDzC;AAED,MAAM,MAAM,iBAAiB,GACzB;IACE,IAAI,EAAE,SAAS,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB,GACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC;;GAEG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,iBAAiB,CAAC,CAgB5B;AAED,MAAM,MAAM,qBAAqB,GAC7B;IACE,IAAI,EAAE,SAAS,CAAC;IAChB,4CAA4C;IAC5C,cAAc,EAAE,MAAM,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,qBAAqB,CAAC,CAoBhC"}