@mcp-z/client 1.0.0

package/dist/cjs/utils/sanitizer.js

@@ -0,0 +1,124 @@
+/**
+ * Minimal log sanitization for spawn operations
+ * Redacts credentials from environment variables and command arguments
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get sanitizeForLogging () {
+        return sanitizeForLogging;
+    },
+    get sanitizeForLoggingFormatter () {
+        return sanitizeForLoggingFormatter;
+    }
+});
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _object_spread(target) {
+    for(var i = 1; i < arguments.length; i++){
+        var source = arguments[i] != null ? arguments[i] : {};
+        var ownKeys = Object.keys(source);
+        if (typeof Object.getOwnPropertySymbols === "function") {
+            ownKeys = ownKeys.concat(Object.getOwnPropertySymbols(source).filter(function(sym) {
+                return Object.getOwnPropertyDescriptor(source, sym).enumerable;
+            }));
+        }
+        ownKeys.forEach(function(key) {
+            _define_property(target, key, source[key]);
+        });
+    }
+    return target;
+}
+function ownKeys(object, enumerableOnly) {
+    var keys = Object.keys(object);
+    if (Object.getOwnPropertySymbols) {
+        var symbols = Object.getOwnPropertySymbols(object);
+        if (enumerableOnly) {
+            symbols = symbols.filter(function(sym) {
+                return Object.getOwnPropertyDescriptor(object, sym).enumerable;
+            });
+        }
+        keys.push.apply(keys, symbols);
+    }
+    return keys;
+}
+function _object_spread_props(target, source) {
+    source = source != null ? source : {};
+    if (Object.getOwnPropertyDescriptors) {
+        Object.defineProperties(target, Object.getOwnPropertyDescriptors(source));
+    } else {
+        ownKeys(Object(source)).forEach(function(key) {
+            Object.defineProperty(target, key, Object.getOwnPropertyDescriptor(source, key));
+        });
+    }
+    return target;
+}
+function _type_of(obj) {
+    "@swc/helpers - typeof";
+    return obj && typeof Symbol !== "undefined" && obj.constructor === Symbol ? "symbol" : typeof obj;
+}
+function sanitizeForLogging(message, obj) {
+    // Redact common credential patterns in message
+    var cleanMessage = message.replace(/key[=:]\S+/gi, 'key=[REDACTED]').replace(/secret[=:]\S+/gi, 'secret=[REDACTED]').replace(/token[=:]\S+/gi, 'token=[REDACTED]').replace(/password[=:]\S+/gi, 'password=[REDACTED]').replace(/auth[=:]\S+/gi, 'auth=[REDACTED]');
+    // Deep clone and redact sensitive env var keys
+    var cleanMeta = JSON.parse(JSON.stringify(obj));
+    // Redact sensitive environment variable values
+    if (cleanMeta.env && _type_of(cleanMeta.env) === 'object') {
+        var _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = undefined;
+        try {
+            for(var _iterator = Object.keys(cleanMeta.env)[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
+                var envKey = _step.value;
+                if (/key|secret|token|password|auth|credential/i.test(envKey)) {
+                    cleanMeta.env[envKey] = '[REDACTED]';
+                }
+            }
+        } catch (err) {
+            _didIteratorError = true;
+            _iteratorError = err;
+        } finally{
+            try {
+                if (!_iteratorNormalCompletion && _iterator.return != null) {
+                    _iterator.return();
+                }
+            } finally{
+                if (_didIteratorError) {
+                    throw _iteratorError;
+                }
+            }
+        }
+    }
+    return {
+        message: cleanMessage,
+        meta: cleanMeta
+    };
+}
+function sanitizeForLoggingFormatter() {
+    return {
+        log: function(obj) {
+            var message = obj.msg || obj.message || '';
+            var _sanitizeForLogging = sanitizeForLogging(message, obj), clean = _sanitizeForLogging.message, meta = _sanitizeForLogging.meta;
+            return _object_spread_props(_object_spread({}, meta), {
+                msg: clean
+            });
+        }
+    };
+}
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }

package/dist/cjs/utils/sanitizer.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/libs/client/src/utils/sanitizer.ts"],"sourcesContent":["/**\n * Minimal log sanitization for spawn operations\n * Redacts credentials from environment variables and command arguments\n */\n\nimport type { SpawnMetadata } from '../connection/types.ts';\n\n/**\n * Sanitize log messages and metadata to prevent credential leakage\n *\n * Redacts common credential patterns:\n * - key=value, secret=value, token=value, password=value\n * - Environment variables with sensitive names\n *\n * @param message - Log message to sanitize\n * @param obj - Metadata object to sanitize\n * @returns Sanitized message and metadata\n */\nexport function sanitizeForLogging(message: string, obj: SpawnMetadata): { message: string; meta: SpawnMetadata } {\n  // Redact common credential patterns in message\n  const cleanMessage = message\n    .replace(/key[=:]\\S+/gi, 'key=[REDACTED]')\n    .replace(/secret[=:]\\S+/gi, 'secret=[REDACTED]')\n    .replace(/token[=:]\\S+/gi, 'token=[REDACTED]')\n    .replace(/password[=:]\\S+/gi, 'password=[REDACTED]')\n    .replace(/auth[=:]\\S+/gi, 'auth=[REDACTED]');\n\n  // Deep clone and redact sensitive env var keys\n  const cleanMeta = JSON.parse(JSON.stringify(obj));\n\n  // Redact sensitive environment variable values\n  if (cleanMeta.env && typeof cleanMeta.env === 'object') {\n    for (const envKey of Object.keys(cleanMeta.env)) {\n      if (/key|secret|token|password|auth|credential/i.test(envKey)) {\n        cleanMeta.env[envKey] = '[REDACTED]';\n      }\n    }\n  }\n\n  return { message: cleanMessage, meta: cleanMeta };\n}\n\nexport function sanitizeForLoggingFormatter() {\n  return {\n    log: (obj: SpawnMetadata) => {\n      const message = (obj.msg || obj.message || '') as string;\n      const { message: clean, meta } = sanitizeForLogging(message, obj);\n      return { ...meta, msg: clean };\n    },\n  };\n}\n"],"names":["sanitizeForLogging","sanitizeForLoggingFormatter","message","obj","cleanMessage","replace","cleanMeta","JSON","parse","stringify","env","Object","keys","envKey","test","meta","log","msg","clean"],"mappings":"AAAA;;;CAGC;;;;;;;;;;;QAeeA;eAAAA;;QAwBAC;eAAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAxBT,SAASD,mBAAmBE,OAAe,EAAEC,GAAkB;IACpE,+CAA+C;IAC/C,IAAMC,eAAeF,QAClBG,OAAO,CAAC,gBAAgB,kBACxBA,OAAO,CAAC,mBAAmB,qBAC3BA,OAAO,CAAC,kBAAkB,oBAC1BA,OAAO,CAAC,qBAAqB,uBAC7BA,OAAO,CAAC,iBAAiB;IAE5B,+CAA+C;IAC/C,IAAMC,YAAYC,KAAKC,KAAK,CAACD,KAAKE,SAAS,CAACN;IAE5C,+CAA+C;IAC/C,IAAIG,UAAUI,GAAG,IAAI,SAAOJ,UAAUI,GAAG,MAAK,UAAU;YACjD,kCAAA,2BAAA;;YAAL,QAAK,YAAgBC,OAAOC,IAAI,CAACN,UAAUI,GAAG,sBAAzC,SAAA,6BAAA,QAAA,yBAAA,iCAA4C;gBAA5C,IAAMG,SAAN;gBACH,IAAI,6CAA6CC,IAAI,CAACD,SAAS;oBAC7DP,UAAUI,GAAG,CAACG,OAAO,GAAG;gBAC1B;YACF;;YAJK;YAAA;;;qBAAA,6BAAA;oBAAA;;;oBAAA;0BAAA;;;;IAKP;IAEA,OAAO;QAAEX,SAASE;QAAcW,MAAMT;IAAU;AAClD;AAEO,SAASL;IACd,OAAO;QACLe,KAAK,SAACb;YACJ,IAAMD,UAAWC,IAAIc,GAAG,IAAId,IAAID,OAAO,IAAI;YAC3C,IAAiCF,sBAAAA,mBAAmBE,SAASC,MAArDD,AAASgB,QAAgBlB,oBAAzBE,SAAgBa,OAASf,oBAATe;YACxB,OAAO,wCAAKA;gBAAME,KAAKC;;QACzB;IACF;AACF"}

package/dist/esm/auth/capability-discovery.d.ts

@@ -0,0 +1,25 @@
+/**
+ * OAuth Server Capability Discovery
+ * Probes RFC 9728 (Protected Resource) and RFC 8414 (Authorization Server) metadata
+ */
+import type { AuthCapabilities } from './types.js';
+/**
+ * Probe OAuth server capabilities using RFC 9728 → RFC 8414 discovery chain
+ * Returns capabilities including DCR support detection
+ *
+ * Discovery Strategy:
+ * 1. Try RFC 9728 Protected Resource Metadata (supports cross-domain OAuth)
+ * 2. If found, use first authorization_server to discover RFC 8414 Authorization Server Metadata
+ * 3. Fall back to direct RFC 8414 discovery at resource origin
+ *
+ * @param baseUrl - Base URL of the protected resource (e.g., https://ai.todoist.net/mcp)
+ * @returns AuthCapabilities object with discovered endpoints and features
+ *
+ * @example
+ * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com
+ * const caps = await probeAuthCapabilities('https://ai.todoist.net/mcp');
+ * if (caps.supportsDcr) {
+ *   console.log('Registration endpoint:', caps.registrationEndpoint);
+ * }
+ */
+export declare function probeAuthCapabilities(baseUrl: string): Promise<AuthCapabilities>;

package/dist/esm/auth/capability-discovery.js

@@ -0,0 +1,110 @@
+/**
+ * OAuth Server Capability Discovery
+ * Probes RFC 9728 (Protected Resource) and RFC 8414 (Authorization Server) metadata
+ */ import { discoverAuthorizationServerMetadata, discoverProtectedResourceMetadata } from './rfc9728-discovery.js';
+/**
+ * Extract origin (protocol + host) from a URL
+ * @param url - Full URL that may include a path
+ * @returns Origin (e.g., "https://example.com") or original string if invalid URL
+ *
+ * @example
+ * getOrigin('https://example.com/mcp') // → 'https://example.com'
+ * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'
+ */ function getOrigin(url) {
+    try {
+        return new URL(url).origin;
+    } catch  {
+        // Invalid URL - return as-is for graceful degradation
+        return url;
+    }
+}
+/**
+ * Probe OAuth server capabilities using RFC 9728 → RFC 8414 discovery chain
+ * Returns capabilities including DCR support detection
+ *
+ * Discovery Strategy:
+ * 1. Try RFC 9728 Protected Resource Metadata (supports cross-domain OAuth)
+ * 2. If found, use first authorization_server to discover RFC 8414 Authorization Server Metadata
+ * 3. Fall back to direct RFC 8414 discovery at resource origin
+ *
+ * @param baseUrl - Base URL of the protected resource (e.g., https://ai.todoist.net/mcp)
+ * @returns AuthCapabilities object with discovered endpoints and features
+ *
+ * @example
+ * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com
+ * const caps = await probeAuthCapabilities('https://ai.todoist.net/mcp');
+ * if (caps.supportsDcr) {
+ *   console.log('Registration endpoint:', caps.registrationEndpoint);
+ * }
+ */ export async function probeAuthCapabilities(baseUrl) {
+    try {
+        // Strategy 1: Try RFC 9728 Protected Resource Metadata discovery
+        // This handles cross-domain OAuth (e.g., Todoist: ai.todoist.net/mcp → todoist.com)
+        const resourceMetadata = await discoverProtectedResourceMetadata(baseUrl);
+        if (resourceMetadata && resourceMetadata.authorization_servers.length > 0) {
+            // Found protected resource metadata with authorization servers
+            // Discover the authorization server's metadata (RFC 8414)
+            const authServerUrl = resourceMetadata.authorization_servers[0];
+            if (!authServerUrl) {
+                // Array has length > 0 but first element is undefined/null - skip this path
+                return {
+                    supportsDcr: false
+                };
+            }
+            const authServerMetadata = await discoverAuthorizationServerMetadata(authServerUrl);
+            if (authServerMetadata) {
+                // Successfully discovered full OAuth metadata via RFC 9728 → RFC 8414 chain
+                const supportsDcr = !!authServerMetadata.registration_endpoint;
+                const capabilities = {
+                    supportsDcr
+                };
+                if (authServerMetadata.registration_endpoint) {
+                    capabilities.registrationEndpoint = authServerMetadata.registration_endpoint;
+                }
+                if (authServerMetadata.authorization_endpoint) {
+                    capabilities.authorizationEndpoint = authServerMetadata.authorization_endpoint;
+                }
+                if (authServerMetadata.token_endpoint) capabilities.tokenEndpoint = authServerMetadata.token_endpoint;
+                if (authServerMetadata.introspection_endpoint) {
+                    capabilities.introspectionEndpoint = authServerMetadata.introspection_endpoint;
+                }
+                // Prefer resource scopes over auth server scopes
+                const scopes = resourceMetadata.scopes_supported || authServerMetadata.scopes_supported;
+                if (scopes) capabilities.scopes = scopes;
+                return capabilities;
+            }
+        }
+        // Strategy 2: Fall back to direct RFC 8414 discovery at resource origin
+        // This handles same-domain OAuth (traditional setup)
+        const origin = getOrigin(baseUrl);
+        const authServerMetadata = await discoverAuthorizationServerMetadata(origin);
+        if (authServerMetadata) {
+            const supportsDcr = !!authServerMetadata.registration_endpoint;
+            const capabilities = {
+                supportsDcr
+            };
+            if (authServerMetadata.registration_endpoint) {
+                capabilities.registrationEndpoint = authServerMetadata.registration_endpoint;
+            }
+            if (authServerMetadata.authorization_endpoint) {
+                capabilities.authorizationEndpoint = authServerMetadata.authorization_endpoint;
+            }
+            if (authServerMetadata.token_endpoint) capabilities.tokenEndpoint = authServerMetadata.token_endpoint;
+            if (authServerMetadata.introspection_endpoint) {
+                capabilities.introspectionEndpoint = authServerMetadata.introspection_endpoint;
+            }
+            if (authServerMetadata.scopes_supported) capabilities.scopes = authServerMetadata.scopes_supported;
+            return capabilities;
+        }
+        // No OAuth metadata found
+        return {
+            supportsDcr: false
+        };
+    } catch (_error) {
+        // Network error, invalid JSON, or other fetch failure
+        // Gracefully degrade - assume no DCR support
+        return {
+            supportsDcr: false
+        };
+    }
+}

package/dist/esm/auth/capability-discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/libs/client/src/auth/capability-discovery.ts"],"sourcesContent":["/**\n * OAuth Server Capability Discovery\n * Probes RFC 9728 (Protected Resource) and RFC 8414 (Authorization Server) metadata\n */\n\nimport { discoverAuthorizationServerMetadata, discoverProtectedResourceMetadata } from './rfc9728-discovery.ts';\nimport type { AuthCapabilities } from './types.ts';\n\n/**\n * Extract origin (protocol + host) from a URL\n * @param url - Full URL that may include a path\n * @returns Origin (e.g., \"https://example.com\") or original string if invalid URL\n *\n * @example\n * getOrigin('https://example.com/mcp') // → 'https://example.com'\n * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'\n */\nfunction getOrigin(url: string): string {\n  try {\n    return new URL(url).origin;\n  } catch {\n    // Invalid URL - return as-is for graceful degradation\n    return url;\n  }\n}\n\n/**\n * Probe OAuth server capabilities using RFC 9728 → RFC 8414 discovery chain\n * Returns capabilities including DCR support detection\n *\n * Discovery Strategy:\n * 1. Try RFC 9728 Protected Resource Metadata (supports cross-domain OAuth)\n * 2. If found, use first authorization_server to discover RFC 8414 Authorization Server Metadata\n * 3. Fall back to direct RFC 8414 discovery at resource origin\n *\n * @param baseUrl - Base URL of the protected resource (e.g., https://ai.todoist.net/mcp)\n * @returns AuthCapabilities object with discovered endpoints and features\n *\n * @example\n * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com\n * const caps = await probeAuthCapabilities('https://ai.todoist.net/mcp');\n * if (caps.supportsDcr) {\n *   console.log('Registration endpoint:', caps.registrationEndpoint);\n * }\n */\nexport async function probeAuthCapabilities(baseUrl: string): Promise<AuthCapabilities> {\n  try {\n    // Strategy 1: Try RFC 9728 Protected Resource Metadata discovery\n    // This handles cross-domain OAuth (e.g., Todoist: ai.todoist.net/mcp → todoist.com)\n    const resourceMetadata = await discoverProtectedResourceMetadata(baseUrl);\n\n    if (resourceMetadata && resourceMetadata.authorization_servers.length > 0) {\n      // Found protected resource metadata with authorization servers\n      // Discover the authorization server's metadata (RFC 8414)\n      const authServerUrl = resourceMetadata.authorization_servers[0];\n      if (!authServerUrl) {\n        // Array has length > 0 but first element is undefined/null - skip this path\n        return { supportsDcr: false };\n      }\n      const authServerMetadata = await discoverAuthorizationServerMetadata(authServerUrl);\n\n      if (authServerMetadata) {\n        // Successfully discovered full OAuth metadata via RFC 9728 → RFC 8414 chain\n        const supportsDcr = !!authServerMetadata.registration_endpoint;\n        const capabilities: AuthCapabilities = { supportsDcr };\n\n        if (authServerMetadata.registration_endpoint) {\n          capabilities.registrationEndpoint = authServerMetadata.registration_endpoint;\n        }\n        if (authServerMetadata.authorization_endpoint) {\n          capabilities.authorizationEndpoint = authServerMetadata.authorization_endpoint;\n        }\n        if (authServerMetadata.token_endpoint) capabilities.tokenEndpoint = authServerMetadata.token_endpoint;\n        if (authServerMetadata.introspection_endpoint) {\n          capabilities.introspectionEndpoint = authServerMetadata.introspection_endpoint;\n        }\n\n        // Prefer resource scopes over auth server scopes\n        const scopes = resourceMetadata.scopes_supported || authServerMetadata.scopes_supported;\n        if (scopes) capabilities.scopes = scopes;\n\n        return capabilities;\n      }\n    }\n\n    // Strategy 2: Fall back to direct RFC 8414 discovery at resource origin\n    // This handles same-domain OAuth (traditional setup)\n    const origin = getOrigin(baseUrl);\n    const authServerMetadata = await discoverAuthorizationServerMetadata(origin);\n\n    if (authServerMetadata) {\n      const supportsDcr = !!authServerMetadata.registration_endpoint;\n      const capabilities: AuthCapabilities = { supportsDcr };\n\n      if (authServerMetadata.registration_endpoint) {\n        capabilities.registrationEndpoint = authServerMetadata.registration_endpoint;\n      }\n      if (authServerMetadata.authorization_endpoint) {\n        capabilities.authorizationEndpoint = authServerMetadata.authorization_endpoint;\n      }\n      if (authServerMetadata.token_endpoint) capabilities.tokenEndpoint = authServerMetadata.token_endpoint;\n      if (authServerMetadata.introspection_endpoint) {\n        capabilities.introspectionEndpoint = authServerMetadata.introspection_endpoint;\n      }\n      if (authServerMetadata.scopes_supported) capabilities.scopes = authServerMetadata.scopes_supported;\n\n      return capabilities;\n    }\n\n    // No OAuth metadata found\n    return { supportsDcr: false };\n  } catch (_error) {\n    // Network error, invalid JSON, or other fetch failure\n    // Gracefully degrade - assume no DCR support\n    return { supportsDcr: false };\n  }\n}\n"],"names":["discoverAuthorizationServerMetadata","discoverProtectedResourceMetadata","getOrigin","url","URL","origin","probeAuthCapabilities","baseUrl","resourceMetadata","authorization_servers","length","authServerUrl","supportsDcr","authServerMetadata","registration_endpoint","capabilities","registrationEndpoint","authorization_endpoint","authorizationEndpoint","token_endpoint","tokenEndpoint","introspection_endpoint","introspectionEndpoint","scopes","scopes_supported","_error"],"mappings":"AAAA;;;CAGC,GAED,SAASA,mCAAmC,EAAEC,iCAAiC,QAAQ,yBAAyB;AAGhH;;;;;;;;CAQC,GACD,SAASC,UAAUC,GAAW;IAC5B,IAAI;QACF,OAAO,IAAIC,IAAID,KAAKE,MAAM;IAC5B,EAAE,OAAM;QACN,sDAAsD;QACtD,OAAOF;IACT;AACF;AAEA;;;;;;;;;;;;;;;;;;CAkBC,GACD,OAAO,eAAeG,sBAAsBC,OAAe;IACzD,IAAI;QACF,iEAAiE;QACjE,oFAAoF;QACpF,MAAMC,mBAAmB,MAAMP,kCAAkCM;QAEjE,IAAIC,oBAAoBA,iBAAiBC,qBAAqB,CAACC,MAAM,GAAG,GAAG;YACzE,+DAA+D;YAC/D,0DAA0D;YAC1D,MAAMC,gBAAgBH,iBAAiBC,qBAAqB,CAAC,EAAE;YAC/D,IAAI,CAACE,eAAe;gBAClB,4EAA4E;gBAC5E,OAAO;oBAAEC,aAAa;gBAAM;YAC9B;YACA,MAAMC,qBAAqB,MAAMb,oCAAoCW;YAErE,IAAIE,oBAAoB;gBACtB,4EAA4E;gBAC5E,MAAMD,cAAc,CAAC,CAACC,mBAAmBC,qBAAqB;gBAC9D,MAAMC,eAAiC;oBAAEH;gBAAY;gBAErD,IAAIC,mBAAmBC,qBAAqB,EAAE;oBAC5CC,aAAaC,oBAAoB,GAAGH,mBAAmBC,qBAAqB;gBAC9E;gBACA,IAAID,mBAAmBI,sBAAsB,EAAE;oBAC7CF,aAAaG,qBAAqB,GAAGL,mBAAmBI,sBAAsB;gBAChF;gBACA,IAAIJ,mBAAmBM,cAAc,EAAEJ,aAAaK,aAAa,GAAGP,mBAAmBM,cAAc;gBACrG,IAAIN,mBAAmBQ,sBAAsB,EAAE;oBAC7CN,aAAaO,qBAAqB,GAAGT,mBAAmBQ,sBAAsB;gBAChF;gBAEA,iDAAiD;gBACjD,MAAME,SAASf,iBAAiBgB,gBAAgB,IAAIX,mBAAmBW,gBAAgB;gBACvF,IAAID,QAAQR,aAAaQ,MAAM,GAAGA;gBAElC,OAAOR;YACT;QACF;QAEA,wEAAwE;QACxE,qDAAqD;QACrD,MAAMV,SAASH,UAAUK;QACzB,MAAMM,qBAAqB,MAAMb,oCAAoCK;QAErE,IAAIQ,oBAAoB;YACtB,MAAMD,cAAc,CAAC,CAACC,mBAAmBC,qBAAqB;YAC9D,MAAMC,eAAiC;gBAAEH;YAAY;YAErD,IAAIC,mBAAmBC,qBAAqB,EAAE;gBAC5CC,aAAaC,oBAAoB,GAAGH,mBAAmBC,qBAAqB;YAC9E;YACA,IAAID,mBAAmBI,sBAAsB,EAAE;gBAC7CF,aAAaG,qBAAqB,GAAGL,mBAAmBI,sBAAsB;YAChF;YACA,IAAIJ,mBAAmBM,cAAc,EAAEJ,aAAaK,aAAa,GAAGP,mBAAmBM,cAAc;YACrG,IAAIN,mBAAmBQ,sBAAsB,EAAE;gBAC7CN,aAAaO,qBAAqB,GAAGT,mBAAmBQ,sBAAsB;YAChF;YACA,IAAIR,mBAAmBW,gBAAgB,EAAET,aAAaQ,MAAM,GAAGV,mBAAmBW,gBAAgB;YAElG,OAAOT;QACT;QAEA,0BAA0B;QAC1B,OAAO;YAAEH,aAAa;QAAM;IAC9B,EAAE,OAAOa,QAAQ;QACf,sDAAsD;QACtD,6CAA6C;QAC7C,OAAO;YAAEb,aAAa;QAAM;IAC9B;AACF"}

package/dist/esm/auth/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Authentication Module
+ * Exports public API for OAuth authentication only (DCR moved to ../dcr/)
+ */
+export { probeAuthCapabilities } from './capability-discovery.js';
+export { InteractiveOAuthFlow } from './interactive-oauth-flow.js';
+export type { OAuthCallbackListenerOptions } from './oauth-callback-listener.js';
+export { OAuthCallbackListener } from './oauth-callback-listener.js';
+export type { AuthCapabilities, CallbackResult, OAuthFlowOptions, TokenSet } from './types.js';

package/dist/esm/auth/index.js

@@ -0,0 +1,6 @@
+/**
+ * Authentication Module
+ * Exports public API for OAuth authentication only (DCR moved to ../dcr/)
+ */ export { probeAuthCapabilities } from './capability-discovery.js';
+export { InteractiveOAuthFlow } from './interactive-oauth-flow.js';
+export { OAuthCallbackListener } from './oauth-callback-listener.js';

package/dist/esm/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/libs/client/src/auth/index.ts"],"sourcesContent":["/**\n * Authentication Module\n * Exports public API for OAuth authentication only (DCR moved to ../dcr/)\n */\n\nexport { probeAuthCapabilities } from './capability-discovery.ts';\nexport { InteractiveOAuthFlow } from './interactive-oauth-flow.ts';\nexport type { OAuthCallbackListenerOptions } from './oauth-callback-listener.ts';\nexport { OAuthCallbackListener } from './oauth-callback-listener.ts';\nexport type { AuthCapabilities, CallbackResult, OAuthFlowOptions, TokenSet } from './types.ts';\n"],"names":["probeAuthCapabilities","InteractiveOAuthFlow","OAuthCallbackListener"],"mappings":"AAAA;;;CAGC,GAED,SAASA,qBAAqB,QAAQ,4BAA4B;AAClE,SAASC,oBAAoB,QAAQ,8BAA8B;AAEnE,SAASC,qBAAqB,QAAQ,+BAA+B"}

package/dist/esm/auth/interactive-oauth-flow.d.ts

@@ -0,0 +1,58 @@
+/**
+ * OAuth Authorization Flow Handler
+ * Manages browser-based OAuth flows and token exchange with PKCE support
+ */
+import type { OAuthFlowOptions, TokenSet } from './types.js';
+/**
+ * InteractiveOAuthFlow manages the complete OAuth authorization code flow
+ */
+export declare class InteractiveOAuthFlow {
+    /**
+     * Perform OAuth authorization code flow
+     *
+     * @param authorizationEndpoint - OAuth authorization endpoint URL
+     * @param tokenEndpoint - OAuth token endpoint URL
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param options - Flow options (port is required - use get-port to find available port)
+     * @returns Token set with access and refresh tokens
+     *
+     * @throws Error if flow fails or times out
+     *
+     * @example
+     * import getPort from 'get-port';
+     *
+     * const flow = new InteractiveOAuthFlow();
+     * const port = await getPort();
+     * const tokens = await flow.performAuthFlow(
+     *   'https://example.com/oauth/authorize',
+     *   'https://example.com/oauth/token',
+     *   'client-id',
+     *   'client-secret',
+     *   { port, scopes: ['read', 'write'] }
+     * );
+     */
+    performAuthFlow(authorizationEndpoint: string, tokenEndpoint: string, clientId: string, clientSecret: string, options: OAuthFlowOptions): Promise<TokenSet>;
+    /**
+     * Exchange authorization code for access and refresh tokens
+     * @param codeVerifier - Optional PKCE code verifier (RFC 7636)
+     */
+    private exchangeCodeForTokens;
+    /**
+     * Refresh access token using refresh token
+     *
+     * @param tokenEndpoint - OAuth token endpoint URL
+     * @param refreshToken - Refresh token from previous token set
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @returns New token set with refreshed access token
+     *
+     * @throws Error if refresh fails
+     */
+    refreshTokens(tokenEndpoint: string, refreshToken: string, clientId: string, clientSecret: string): Promise<TokenSet>;
+    /**
+     * Open browser to authorization URL
+     * Uses platform-specific command to open default browser
+     */
+    private openBrowser;
+}

package/dist/esm/auth/interactive-oauth-flow.js

@@ -0,0 +1,217 @@
+/**
+ * OAuth Authorization Flow Handler
+ * Manages browser-based OAuth flows and token exchange with PKCE support
+ */ import * as child_process from 'node:child_process';
+import { logger as defaultLogger } from '../utils/logger.js';
+import { OAuthCallbackListener } from './oauth-callback-listener.js';
+import { generatePkce } from './pkce.js';
+/**
+ * InteractiveOAuthFlow manages the complete OAuth authorization code flow
+ */ export class InteractiveOAuthFlow {
+    /**
+   * Perform OAuth authorization code flow
+   *
+   * @param authorizationEndpoint - OAuth authorization endpoint URL
+   * @param tokenEndpoint - OAuth token endpoint URL
+   * @param clientId - OAuth client ID
+   * @param clientSecret - OAuth client secret
+   * @param options - Flow options (port is required - use get-port to find available port)
+   * @returns Token set with access and refresh tokens
+   *
+   * @throws Error if flow fails or times out
+   *
+   * @example
+   * import getPort from 'get-port';
+   *
+   * const flow = new InteractiveOAuthFlow();
+   * const port = await getPort();
+   * const tokens = await flow.performAuthFlow(
+   *   'https://example.com/oauth/authorize',
+   *   'https://example.com/oauth/token',
+   *   'client-id',
+   *   'client-secret',
+   *   { port, scopes: ['read', 'write'] }
+   * );
+   */ async performAuthFlow(authorizationEndpoint, tokenEndpoint, clientId, clientSecret, options) {
+        var _options_logger;
+        const logger = (_options_logger = options.logger) !== null && _options_logger !== void 0 ? _options_logger : defaultLogger;
+        const callbackListener = new OAuthCallbackListener({
+            port: options.port,
+            logger
+        });
+        // Generate PKCE parameters if requested (RFC 7636)
+        let pkce;
+        if (options.pkce) {
+            logger.debug('🔐 Generating PKCE parameters...');
+            pkce = await generatePkce();
+        }
+        try {
+            // Start callback server
+            await callbackListener.start();
+            // Build redirect URI
+            const redirectUri = options.redirectUri || `http://localhost:${options.port}/callback`;
+            // Build authorization URL
+            const authUrl = new URL(authorizationEndpoint);
+            authUrl.searchParams.set('client_id', clientId);
+            authUrl.searchParams.set('redirect_uri', redirectUri);
+            authUrl.searchParams.set('response_type', 'code');
+            if (options.scopes && options.scopes.length > 0) {
+                authUrl.searchParams.set('scope', options.scopes.join(' '));
+            }
+            // Add resource parameter if specified (RFC 8707)
+            if (options.resource) {
+                authUrl.searchParams.set('resource', options.resource);
+            }
+            // Add PKCE parameters if generated (RFC 7636)
+            if (pkce) {
+                authUrl.searchParams.set('code_challenge', pkce.codeChallenge);
+                authUrl.searchParams.set('code_challenge_method', pkce.codeChallengeMethod);
+            }
+            // Open browser or print URL for headless mode
+            if (options.headless) {
+                logger.info('🔗 Please visit this URL to authorize:');
+                logger.info(authUrl.toString());
+                logger.info('Waiting for callback...');
+            } else {
+                logger.debug('🌐 Opening browser for OAuth authorization...');
+                // Try to open browser (requires 'open' package or native command)
+                await this.openBrowser(authUrl.toString());
+            }
+            // Wait for callback with timeout
+            const timeout = options.timeout || (options.headless ? 60000 : 300000);
+            const result = await callbackListener.waitForCallback(timeout);
+            // Exchange authorization code for tokens (with PKCE verifier if used)
+            const tokens = await this.exchangeCodeForTokens(tokenEndpoint, result.code, clientId, clientSecret, redirectUri, pkce === null || pkce === void 0 ? void 0 : pkce.codeVerifier);
+            return tokens;
+        } catch (error) {
+            logger.error('❌ OAuth flow failed:', error instanceof Error ? error.message : String(error));
+            throw error;
+        } finally{
+            // Always close callback server
+            await callbackListener.stop();
+        }
+    }
+    /**
+   * Exchange authorization code for access and refresh tokens
+   * @param codeVerifier - Optional PKCE code verifier (RFC 7636)
+   */ async exchangeCodeForTokens(tokenEndpoint, code, clientId, clientSecret, redirectUri, codeVerifier) {
+        const params = new URLSearchParams({
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: redirectUri,
+            client_id: clientId,
+            client_secret: clientSecret
+        });
+        // Add PKCE code verifier if provided (RFC 7636)
+        if (codeVerifier) {
+            params.set('code_verifier', codeVerifier);
+        }
+        const response = await fetch(tokenEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+                Connection: 'close'
+            },
+            body: params
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new Error(`Token exchange failed (${response.status}): ${errorText}`);
+        }
+        const data = await response.json();
+        if (!data.access_token) {
+            throw new Error('Token response missing access_token');
+        }
+        const tokenSet = {
+            accessToken: data.access_token,
+            refreshToken: data.refresh_token || '',
+            expiresAt: Date.now() + data.expires_in * 1000,
+            clientId,
+            clientSecret
+        };
+        if (data.scope) {
+            tokenSet.scopes = data.scope.split(' ');
+        }
+        return tokenSet;
+    }
+    /**
+   * Refresh access token using refresh token
+   *
+   * @param tokenEndpoint - OAuth token endpoint URL
+   * @param refreshToken - Refresh token from previous token set
+   * @param clientId - OAuth client ID
+   * @param clientSecret - OAuth client secret
+   * @returns New token set with refreshed access token
+   *
+   * @throws Error if refresh fails
+   */ async refreshTokens(tokenEndpoint, refreshToken, clientId, clientSecret) {
+        const response = await fetch(tokenEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+                Connection: 'close'
+            },
+            body: new URLSearchParams({
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+                client_id: clientId,
+                client_secret: clientSecret
+            })
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new Error(`Token refresh failed (${response.status}): ${errorText}`);
+        }
+        const data = await response.json();
+        if (!data.access_token) {
+            throw new Error('Token refresh response missing access_token');
+        }
+        const tokenSet = {
+            accessToken: data.access_token,
+            refreshToken: data.refresh_token || refreshToken,
+            expiresAt: Date.now() + data.expires_in * 1000,
+            clientId,
+            clientSecret
+        };
+        if (data.scope) {
+            tokenSet.scopes = data.scope.split(' ');
+        }
+        return tokenSet;
+    }
+    /**
+   * Open browser to authorization URL
+   * Uses platform-specific command to open default browser
+   */ async openBrowser(url) {
+        // Determine platform-specific command
+        const platform = process.platform;
+        let command;
+        let args;
+        if (platform === 'darwin') {
+            command = 'open';
+            args = [
+                url
+            ];
+        } else if (platform === 'win32') {
+            command = 'cmd';
+            args = [
+                '/c',
+                'start',
+                url
+            ];
+        } else {
+            // Linux and others
+            command = 'xdg-open';
+            args = [
+                url
+            ];
+        }
+        // Spawn browser process
+        const child = child_process.spawn(command, args, {
+            detached: true,
+            stdio: 'ignore'
+        });
+        child.unref();
+    }
+}

package/dist/esm/auth/interactive-oauth-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/libs/client/src/auth/interactive-oauth-flow.ts"],"sourcesContent":["/**\n * OAuth Authorization Flow Handler\n * Manages browser-based OAuth flows and token exchange with PKCE support\n */\n\nimport * as child_process from 'node:child_process';\nimport { logger as defaultLogger } from '../utils/logger.ts';\nimport { OAuthCallbackListener } from './oauth-callback-listener.ts';\nimport { generatePkce } from './pkce.ts';\nimport type { OAuthFlowOptions, PkceParams, TokenSet } from './types.ts';\n\n/**\n * OAuth token response from token endpoint\n */\ninterface TokenResponse {\n  access_token: string;\n  refresh_token?: string;\n  expires_in: number;\n  scope?: string;\n  token_type?: string;\n}\n\n/**\n * InteractiveOAuthFlow manages the complete OAuth authorization code flow\n */\nexport class InteractiveOAuthFlow {\n  /**\n   * Perform OAuth authorization code flow\n   *\n   * @param authorizationEndpoint - OAuth authorization endpoint URL\n   * @param tokenEndpoint - OAuth token endpoint URL\n   * @param clientId - OAuth client ID\n   * @param clientSecret - OAuth client secret\n   * @param options - Flow options (port is required - use get-port to find available port)\n   * @returns Token set with access and refresh tokens\n   *\n   * @throws Error if flow fails or times out\n   *\n   * @example\n   * import getPort from 'get-port';\n   *\n   * const flow = new InteractiveOAuthFlow();\n   * const port = await getPort();\n   * const tokens = await flow.performAuthFlow(\n   *   'https://example.com/oauth/authorize',\n   *   'https://example.com/oauth/token',\n   *   'client-id',\n   *   'client-secret',\n   *   { port, scopes: ['read', 'write'] }\n   * );\n   */\n  async performAuthFlow(authorizationEndpoint: string, tokenEndpoint: string, clientId: string, clientSecret: string, options: OAuthFlowOptions): Promise<TokenSet> {\n    const logger = options.logger ?? defaultLogger;\n    const callbackListener = new OAuthCallbackListener({ port: options.port, logger });\n\n    // Generate PKCE parameters if requested (RFC 7636)\n    let pkce: PkceParams | undefined;\n    if (options.pkce) {\n      logger.debug('🔐 Generating PKCE parameters...');\n      pkce = await generatePkce();\n    }\n\n    try {\n      // Start callback server\n      await callbackListener.start();\n\n      // Build redirect URI\n      const redirectUri = options.redirectUri || `http://localhost:${options.port}/callback`;\n\n      // Build authorization URL\n      const authUrl = new URL(authorizationEndpoint);\n      authUrl.searchParams.set('client_id', clientId);\n      authUrl.searchParams.set('redirect_uri', redirectUri);\n      authUrl.searchParams.set('response_type', 'code');\n\n      if (options.scopes && options.scopes.length > 0) {\n        authUrl.searchParams.set('scope', options.scopes.join(' '));\n      }\n\n      // Add resource parameter if specified (RFC 8707)\n      if (options.resource) {\n        authUrl.searchParams.set('resource', options.resource);\n      }\n\n      // Add PKCE parameters if generated (RFC 7636)\n      if (pkce) {\n        authUrl.searchParams.set('code_challenge', pkce.codeChallenge);\n        authUrl.searchParams.set('code_challenge_method', pkce.codeChallengeMethod);\n      }\n\n      // Open browser or print URL for headless mode\n      if (options.headless) {\n        logger.info('🔗 Please visit this URL to authorize:');\n        logger.info(authUrl.toString());\n        logger.info('Waiting for callback...');\n      } else {\n        logger.debug('🌐 Opening browser for OAuth authorization...');\n        // Try to open browser (requires 'open' package or native command)\n        await this.openBrowser(authUrl.toString());\n      }\n\n      // Wait for callback with timeout\n      const timeout = options.timeout || (options.headless ? 60000 : 300000);\n      const result = await callbackListener.waitForCallback(timeout);\n\n      // Exchange authorization code for tokens (with PKCE verifier if used)\n      const tokens = await this.exchangeCodeForTokens(tokenEndpoint, result.code, clientId, clientSecret, redirectUri, pkce?.codeVerifier);\n\n      return tokens;\n    } catch (error) {\n      logger.error('❌ OAuth flow failed:', error instanceof Error ? error.message : String(error));\n      throw error;\n    } finally {\n      // Always close callback server\n      await callbackListener.stop();\n    }\n  }\n\n  /**\n   * Exchange authorization code for access and refresh tokens\n   * @param codeVerifier - Optional PKCE code verifier (RFC 7636)\n   */\n  private async exchangeCodeForTokens(tokenEndpoint: string, code: string, clientId: string, clientSecret: string, redirectUri: string, codeVerifier?: string): Promise<TokenSet> {\n    const params = new URLSearchParams({\n      grant_type: 'authorization_code',\n      code,\n      redirect_uri: redirectUri,\n      client_id: clientId,\n      client_secret: clientSecret,\n    });\n\n    // Add PKCE code verifier if provided (RFC 7636)\n    if (codeVerifier) {\n      params.set('code_verifier', codeVerifier);\n    }\n\n    const response = await fetch(tokenEndpoint, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/x-www-form-urlencoded',\n        Accept: 'application/json',\n        Connection: 'close',\n      },\n      body: params,\n    });\n\n    if (!response.ok) {\n      const errorText = await response.text();\n      throw new Error(`Token exchange failed (${response.status}): ${errorText}`);\n    }\n\n    const data = (await response.json()) as TokenResponse;\n\n    if (!data.access_token) {\n      throw new Error('Token response missing access_token');\n    }\n\n    const tokenSet: TokenSet = {\n      accessToken: data.access_token,\n      refreshToken: data.refresh_token || '',\n      expiresAt: Date.now() + data.expires_in * 1000,\n      clientId,\n      clientSecret,\n    };\n\n    if (data.scope) {\n      tokenSet.scopes = data.scope.split(' ');\n    }\n\n    return tokenSet;\n  }\n\n  /**\n   * Refresh access token using refresh token\n   *\n   * @param tokenEndpoint - OAuth token endpoint URL\n   * @param refreshToken - Refresh token from previous token set\n   * @param clientId - OAuth client ID\n   * @param clientSecret - OAuth client secret\n   * @returns New token set with refreshed access token\n   *\n   * @throws Error if refresh fails\n   */\n  async refreshTokens(tokenEndpoint: string, refreshToken: string, clientId: string, clientSecret: string): Promise<TokenSet> {\n    const response = await fetch(tokenEndpoint, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/x-www-form-urlencoded',\n        Accept: 'application/json',\n        Connection: 'close',\n      },\n      body: new URLSearchParams({\n        grant_type: 'refresh_token',\n        refresh_token: refreshToken,\n        client_id: clientId,\n        client_secret: clientSecret,\n      }),\n    });\n\n    if (!response.ok) {\n      const errorText = await response.text();\n      throw new Error(`Token refresh failed (${response.status}): ${errorText}`);\n    }\n\n    const data = (await response.json()) as TokenResponse;\n\n    if (!data.access_token) {\n      throw new Error('Token refresh response missing access_token');\n    }\n\n    const tokenSet: TokenSet = {\n      accessToken: data.access_token,\n      refreshToken: data.refresh_token || refreshToken, // Reuse old refresh token if not provided\n      expiresAt: Date.now() + data.expires_in * 1000,\n      clientId,\n      clientSecret,\n    };\n\n    if (data.scope) {\n      tokenSet.scopes = data.scope.split(' ');\n    }\n\n    return tokenSet;\n  }\n\n  /**\n   * Open browser to authorization URL\n   * Uses platform-specific command to open default browser\n   */\n  private async openBrowser(url: string): Promise<void> {\n    // Determine platform-specific command\n    const platform = process.platform;\n    let command: string;\n    let args: string[];\n\n    if (platform === 'darwin') {\n      command = 'open';\n      args = [url];\n    } else if (platform === 'win32') {\n      command = 'cmd';\n      args = ['/c', 'start', url];\n    } else {\n      // Linux and others\n      command = 'xdg-open';\n      args = [url];\n    }\n\n    // Spawn browser process\n    const child = child_process.spawn(command, args, {\n      detached: true,\n      stdio: 'ignore',\n    });\n\n    child.unref();\n  }\n}\n"],"names":["child_process","logger","defaultLogger","OAuthCallbackListener","generatePkce","InteractiveOAuthFlow","performAuthFlow","authorizationEndpoint","tokenEndpoint","clientId","clientSecret","options","callbackListener","port","pkce","debug","start","redirectUri","authUrl","URL","searchParams","set","scopes","length","join","resource","codeChallenge","codeChallengeMethod","headless","info","toString","openBrowser","timeout","result","waitForCallback","tokens","exchangeCodeForTokens","code","codeVerifier","error","Error","message","String","stop","params","URLSearchParams","grant_type","redirect_uri","client_id","client_secret","response","fetch","method","headers","Accept","Connection","body","ok","errorText","text","status","data","json","access_token","tokenSet","accessToken","refreshToken","refresh_token","expiresAt","Date","now","expires_in","scope","split","refreshTokens","url","platform","process","command","args","child","spawn","detached","stdio","unref"],"mappings":"AAAA;;;CAGC,GAED,YAAYA,mBAAmB,qBAAqB;AACpD,SAASC,UAAUC,aAAa,QAAQ,qBAAqB;AAC7D,SAASC,qBAAqB,QAAQ,+BAA+B;AACrE,SAASC,YAAY,QAAQ,YAAY;AAczC;;CAEC,GACD,OAAO,MAAMC;IACX;;;;;;;;;;;;;;;;;;;;;;;;GAwBC,GACD,MAAMC,gBAAgBC,qBAA6B,EAAEC,aAAqB,EAAEC,QAAgB,EAAEC,YAAoB,EAAEC,OAAyB,EAAqB;YACjJA;QAAf,MAAMV,UAASU,kBAAAA,QAAQV,MAAM,cAAdU,6BAAAA,kBAAkBT;QACjC,MAAMU,mBAAmB,IAAIT,sBAAsB;YAAEU,MAAMF,QAAQE,IAAI;YAAEZ;QAAO;QAEhF,mDAAmD;QACnD,IAAIa;QACJ,IAAIH,QAAQG,IAAI,EAAE;YAChBb,OAAOc,KAAK,CAAC;YACbD,OAAO,MAAMV;QACf;QAEA,IAAI;YACF,wBAAwB;YACxB,MAAMQ,iBAAiBI,KAAK;YAE5B,qBAAqB;YACrB,MAAMC,cAAcN,QAAQM,WAAW,IAAI,CAAC,iBAAiB,EAAEN,QAAQE,IAAI,CAAC,SAAS,CAAC;YAEtF,0BAA0B;YAC1B,MAAMK,UAAU,IAAIC,IAAIZ;YACxBW,QAAQE,YAAY,CAACC,GAAG,CAAC,aAAaZ;YACtCS,QAAQE,YAAY,CAACC,GAAG,CAAC,gBAAgBJ;YACzCC,QAAQE,YAAY,CAACC,GAAG,CAAC,iBAAiB;YAE1C,IAAIV,QAAQW,MAAM,IAAIX,QAAQW,MAAM,CAACC,MAAM,GAAG,GAAG;gBAC/CL,QAAQE,YAAY,CAACC,GAAG,CAAC,SAASV,QAAQW,MAAM,CAACE,IAAI,CAAC;YACxD;YAEA,iDAAiD;YACjD,IAAIb,QAAQc,QAAQ,EAAE;gBACpBP,QAAQE,YAAY,CAACC,GAAG,CAAC,YAAYV,QAAQc,QAAQ;YACvD;YAEA,8CAA8C;YAC9C,IAAIX,MAAM;gBACRI,QAAQE,YAAY,CAACC,GAAG,CAAC,kBAAkBP,KAAKY,aAAa;gBAC7DR,QAAQE,YAAY,CAACC,GAAG,CAAC,yBAAyBP,KAAKa,mBAAmB;YAC5E;YAEA,8CAA8C;YAC9C,IAAIhB,QAAQiB,QAAQ,EAAE;gBACpB3B,OAAO4B,IAAI,CAAC;gBACZ5B,OAAO4B,IAAI,CAACX,QAAQY,QAAQ;gBAC5B7B,OAAO4B,IAAI,CAAC;YACd,OAAO;gBACL5B,OAAOc,KAAK,CAAC;gBACb,kEAAkE;gBAClE,MAAM,IAAI,CAACgB,WAAW,CAACb,QAAQY,QAAQ;YACzC;YAEA,iCAAiC;YACjC,MAAME,UAAUrB,QAAQqB,OAAO,IAAKrB,CAAAA,QAAQiB,QAAQ,GAAG,QAAQ,MAAK;YACpE,MAAMK,SAAS,MAAMrB,iBAAiBsB,eAAe,CAACF;YAEtD,sEAAsE;YACtE,MAAMG,SAAS,MAAM,IAAI,CAACC,qBAAqB,CAAC5B,eAAeyB,OAAOI,IAAI,EAAE5B,UAAUC,cAAcO,aAAaH,iBAAAA,2BAAAA,KAAMwB,YAAY;YAEnI,OAAOH;QACT,EAAE,OAAOI,OAAO;YACdtC,OAAOsC,KAAK,CAAC,wBAAwBA,iBAAiBC,QAAQD,MAAME,OAAO,GAAGC,OAAOH;YACrF,MAAMA;QACR,SAAU;YACR,+BAA+B;YAC/B,MAAM3B,iBAAiB+B,IAAI;QAC7B;IACF;IAEA;;;GAGC,GACD,MAAcP,sBAAsB5B,aAAqB,EAAE6B,IAAY,EAAE5B,QAAgB,EAAEC,YAAoB,EAAEO,WAAmB,EAAEqB,YAAqB,EAAqB;QAC9K,MAAMM,SAAS,IAAIC,gBAAgB;YACjCC,YAAY;YACZT;YACAU,cAAc9B;YACd+B,WAAWvC;YACXwC,eAAevC;QACjB;QAEA,gDAAgD;QAChD,IAAI4B,cAAc;YAChBM,OAAOvB,GAAG,CAAC,iBAAiBiB;QAC9B;QAEA,MAAMY,WAAW,MAAMC,MAAM3C,eAAe;YAC1C4C,QAAQ;YACRC,SAAS;gBACP,gBAAgB;gBAChBC,QAAQ;gBACRC,YAAY;YACd;YACAC,MAAMZ;QACR;QAEA,IAAI,CAACM,SAASO,EAAE,EAAE;YAChB,MAAMC,YAAY,MAAMR,SAASS,IAAI;YACrC,MAAM,IAAInB,MAAM,CAAC,uBAAuB,EAAEU,SAASU,MAAM,CAAC,GAAG,EAAEF,WAAW;QAC5E;QAEA,MAAMG,OAAQ,MAAMX,SAASY,IAAI;QAEjC,IAAI,CAACD,KAAKE,YAAY,EAAE;YACtB,MAAM,IAAIvB,MAAM;QAClB;QAEA,MAAMwB,WAAqB;YACzBC,aAAaJ,KAAKE,YAAY;YAC9BG,cAAcL,KAAKM,aAAa,IAAI;YACpCC,WAAWC,KAAKC,GAAG,KAAKT,KAAKU,UAAU,GAAG;YAC1C9D;YACAC;QACF;QAEA,IAAImD,KAAKW,KAAK,EAAE;YACdR,SAAS1C,MAAM,GAAGuC,KAAKW,KAAK,CAACC,KAAK,CAAC;QACrC;QAEA,OAAOT;IACT;IAEA;;;;;;;;;;GAUC,GACD,MAAMU,cAAclE,aAAqB,EAAE0D,YAAoB,EAAEzD,QAAgB,EAAEC,YAAoB,EAAqB;QAC1H,MAAMwC,WAAW,MAAMC,MAAM3C,eAAe;YAC1C4C,QAAQ;YACRC,SAAS;gBACP,gBAAgB;gBAChBC,QAAQ;gBACRC,YAAY;YACd;YACAC,MAAM,IAAIX,gBAAgB;gBACxBC,YAAY;gBACZqB,eAAeD;gBACflB,WAAWvC;gBACXwC,eAAevC;YACjB;QACF;QAEA,IAAI,CAACwC,SAASO,EAAE,EAAE;YAChB,MAAMC,YAAY,MAAMR,SAASS,IAAI;YACrC,MAAM,IAAInB,MAAM,CAAC,sBAAsB,EAAEU,SAASU,MAAM,CAAC,GAAG,EAAEF,WAAW;QAC3E;QAEA,MAAMG,OAAQ,MAAMX,SAASY,IAAI;QAEjC,IAAI,CAACD,KAAKE,YAAY,EAAE;YACtB,MAAM,IAAIvB,MAAM;QAClB;QAEA,MAAMwB,WAAqB;YACzBC,aAAaJ,KAAKE,YAAY;YAC9BG,cAAcL,KAAKM,aAAa,IAAID;YACpCE,WAAWC,KAAKC,GAAG,KAAKT,KAAKU,UAAU,GAAG;YAC1C9D;YACAC;QACF;QAEA,IAAImD,KAAKW,KAAK,EAAE;YACdR,SAAS1C,MAAM,GAAGuC,KAAKW,KAAK,CAACC,KAAK,CAAC;QACrC;QAEA,OAAOT;IACT;IAEA;;;GAGC,GACD,MAAcjC,YAAY4C,GAAW,EAAiB;QACpD,sCAAsC;QACtC,MAAMC,WAAWC,QAAQD,QAAQ;QACjC,IAAIE;QACJ,IAAIC;QAEJ,IAAIH,aAAa,UAAU;YACzBE,UAAU;YACVC,OAAO;gBAACJ;aAAI;QACd,OAAO,IAAIC,aAAa,SAAS;YAC/BE,UAAU;YACVC,OAAO;gBAAC;gBAAM;gBAASJ;aAAI;QAC7B,OAAO;YACL,mBAAmB;YACnBG,UAAU;YACVC,OAAO;gBAACJ;aAAI;QACd;QAEA,wBAAwB;QACxB,MAAMK,QAAQhF,cAAciF,KAAK,CAACH,SAASC,MAAM;YAC/CG,UAAU;YACVC,OAAO;QACT;QAEAH,MAAMI,KAAK;IACb;AACF"}