@mcp-z/oauth-microsoft 1.0.0

package/dist/cjs/lib/dcr-router.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth-microsoft/src/lib/dcr-router.ts"],"sourcesContent":["/**\n * DCR Router - OAuth 2.0 Authorization Server\n *\n * Implements OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)\n * and OAuth 2.0 Authorization Server endpoints (RFC 6749, RFC 8414, RFC 9728).\n *\n * Endpoints:\n * - GET /.well-known/oauth-authorization-server (RFC 8414 metadata)\n * - GET /.well-known/oauth-protected-resource (RFC 9728 metadata - root)\n * - GET /.well-known/oauth-protected-resource/mcp (RFC 9728 metadata - sub-path)\n * - POST /oauth/register (RFC 7591 client registration)\n * - GET /oauth/authorize (RFC 6749 authorization endpoint)\n * - POST /oauth/token (RFC 6749 token endpoint)\n * - POST /oauth/revoke (RFC 7009 token revocation)\n * - GET /oauth/verify (token verification for Resource Server)\n */\n\nimport type { ProviderTokens, RFC8414Metadata, RFC9728Metadata } from '@mcp-z/oauth';\nimport { createHash, randomUUID } from 'crypto';\nimport type { Request, Response } from 'express';\nimport express from 'express';\nimport type { Keyv } from 'keyv';\nimport { DcrOAuthProvider } from '../providers/dcr.ts';\nimport type { AccessToken, AuthorizationCode, OAuthClientConfig } from '../types.ts';\nimport * as dcrUtils from './dcr-utils.ts';\n\n/**\n * Configuration for DCR Router (self-hosted mode only)\n */\nexport interface DcrRouterConfig {\n  /** Single Keyv store for all DCR data */\n  store: Keyv;\n\n  /** Authorization Server issuer URL */\n  issuerUrl: string;\n\n  /** Base URL for OAuth endpoints */\n  baseUrl: string;\n\n  /** Supported OAuth scopes */\n  scopesSupported: string[];\n\n  /** OAuth client configuration for upstream provider */\n  clientConfig: OAuthClientConfig;\n}\n\n/**\n * Create DCR Router with OAuth 2.0 endpoints (self-hosted mode)\n *\n * For external mode (Auth0/Stitch), don't call this function - no router needed.\n * The server code should check DcrConfig.mode and only call this for 'self-hosted'.\n *\n * @param config - Router configuration\n * @returns Express router with OAuth endpoints\n */\nexport function createDcrRouter(config: DcrRouterConfig): express.Router {\n  const router = express.Router();\n  const { store, issuerUrl, baseUrl, scopesSupported, clientConfig } = config;\n\n  // Apply required middleware for OAuth 2.0 endpoints (RFC 6749)\n  router.use(express.json()); // For /oauth/register (application/json)\n  router.use(express.urlencoded({ extended: true })); // For /oauth/token (application/x-www-form-urlencoded)\n\n  /**\n   * OAuth Authorization Server Metadata (RFC 8414)\n   * GET /.well-known/oauth-authorization-server\n   */\n  router.get('/.well-known/oauth-authorization-server', (_req: Request, res: Response) => {\n    const metadata: RFC8414Metadata = {\n      issuer: issuerUrl,\n      authorization_endpoint: `${baseUrl}/oauth/authorize`,\n      token_endpoint: `${baseUrl}/oauth/token`,\n      registration_endpoint: `${baseUrl}/oauth/register`,\n      revocation_endpoint: `${baseUrl}/oauth/revoke`,\n      scopes_supported: scopesSupported,\n      response_types_supported: ['code'],\n      grant_types_supported: ['authorization_code', 'refresh_token'],\n      token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],\n      code_challenge_methods_supported: ['S256', 'plain'],\n      service_documentation: `${baseUrl}/docs`,\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * OAuth Protected Resource Metadata (RFC 9728 - Root)\n   * GET /.well-known/oauth-protected-resource\n   */\n  router.get('/.well-known/oauth-protected-resource', (_req: Request, res: Response) => {\n    const metadata: RFC9728Metadata = {\n      resource: baseUrl,\n      authorization_servers: [baseUrl],\n      scopes_supported: scopesSupported,\n      bearer_methods_supported: ['header'],\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * OAuth Protected Resource Metadata (RFC 9728 - Sub-path /mcp)\n   * GET /.well-known/oauth-protected-resource/mcp\n   */\n  router.get('/.well-known/oauth-protected-resource/mcp', (_req: Request, res: Response) => {\n    const metadata: RFC9728Metadata = {\n      resource: `${baseUrl}/mcp`,\n      authorization_servers: [baseUrl],\n      scopes_supported: scopesSupported,\n      bearer_methods_supported: ['header'],\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * Dynamic Client Registration (RFC 7591)\n   * POST /oauth/register\n   */\n  router.post('/oauth/register', async (req: Request, res: Response) => {\n    try {\n      const registrationRequest = req.body;\n\n      // Register the client\n      const client = await dcrUtils.registerClient(store, registrationRequest);\n\n      // Return client information (RFC 7591 Section 3.2.1)\n      res.status(201).json(client);\n    } catch (error) {\n      res.status(400).json({\n        error: 'invalid_client_metadata',\n        error_description: error instanceof Error ? error.message : 'Invalid registration request',\n      });\n    }\n  });\n\n  /**\n   * OAuth Authorization Endpoint (RFC 6749 Section 3.1)\n   * GET /oauth/authorize\n   *\n   * Initiates Microsoft OAuth flow, then generates DCR authorization code\n   */\n  router.get('/oauth/authorize', async (req: Request, res: Response) => {\n    const { response_type, client_id, redirect_uri, scope = '', state = '', code_challenge, code_challenge_method } = req.query;\n\n    // Validate required parameters\n    if (response_type !== 'code') {\n      return res.status(400).json({\n        error: 'unsupported_response_type',\n        error_description: 'Only response_type=code is supported',\n      });\n    }\n\n    if (!client_id || typeof client_id !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'client_id is required',\n      });\n    }\n\n    if (!redirect_uri || typeof redirect_uri !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'redirect_uri is required',\n      });\n    }\n\n    // Validate client\n    const client = await dcrUtils.getClient(store, client_id);\n    if (!client) {\n      return res.status(400).json({\n        error: 'invalid_client',\n        error_description: 'Unknown client_id',\n      });\n    }\n\n    // Validate redirect_uri\n    const isValidRedirect = await dcrUtils.validateRedirectUri(store, client_id, redirect_uri);\n    if (!isValidRedirect) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Invalid redirect_uri',\n      });\n    }\n\n    // Store DCR request state for Microsoft OAuth callback\n    const msState = randomUUID();\n    const dcrRequestState = {\n      client_id,\n      redirect_uri,\n      scope: typeof scope === 'string' ? scope : '',\n      state: typeof state === 'string' ? state : undefined,\n      code_challenge: typeof code_challenge === 'string' ? code_challenge : undefined,\n      code_challenge_method: typeof code_challenge_method === 'string' ? code_challenge_method : undefined,\n      created_at: Date.now(),\n      expires_at: Date.now() + 600000, // 10 minutes\n    };\n\n    await store.set(`dcr:ms-state:${msState}`, dcrRequestState, 600000); // 10 min TTL\n\n    // Build Microsoft authorization URL\n    const msAuthUrl = new URL(`https://login.microsoftonline.com/${clientConfig.tenantId || 'common'}/oauth2/v2.0/authorize`);\n    msAuthUrl.searchParams.set('client_id', clientConfig.clientId);\n    msAuthUrl.searchParams.set('response_type', 'code');\n    msAuthUrl.searchParams.set('redirect_uri', `${baseUrl}/oauth/callback`);\n    msAuthUrl.searchParams.set('scope', typeof scope === 'string' ? scope : '');\n    msAuthUrl.searchParams.set('state', msState);\n    msAuthUrl.searchParams.set('response_mode', 'query');\n\n    // Redirect user to Microsoft for authorization\n    return res.redirect(msAuthUrl.toString());\n  });\n\n  /**\n   * OAuth Callback Handler\n   * GET /oauth/callback\n   *\n   * Handles callback from Microsoft after user authorization\n   */\n  router.get('/oauth/callback', async (req: Request, res: Response) => {\n    const { code: msCode, state: msState, error, error_description } = req.query;\n\n    // Handle Microsoft OAuth errors\n    if (error) {\n      return res.status(400).json({\n        error,\n        error_description: error_description || 'Microsoft OAuth authorization failed',\n      });\n    }\n\n    if (!msCode || typeof msCode !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Authorization code is required',\n      });\n    }\n\n    if (!msState || typeof msState !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'State parameter is required',\n      });\n    }\n\n    // Retrieve original DCR request state\n    const dcrRequestState = await store.get(`dcr:ms-state:${msState}`);\n    if (!dcrRequestState) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Invalid or expired state parameter',\n      });\n    }\n\n    // Delete state (one-time use)\n    await store.delete(`dcr:ms-state:${msState}`);\n\n    // Exchange Microsoft authorization code for tokens\n    try {\n      const tokenUrl = `https://login.microsoftonline.com/${clientConfig.tenantId || 'common'}/oauth2/v2.0/token`;\n      const tokenParams = new URLSearchParams({\n        grant_type: 'authorization_code',\n        code: msCode,\n        client_id: clientConfig.clientId,\n        redirect_uri: `${baseUrl}/oauth/callback`,\n        scope: dcrRequestState.scope,\n      });\n\n      // Add client_secret if available (confidential client)\n      if (clientConfig.clientSecret) {\n        tokenParams.set('client_secret', clientConfig.clientSecret);\n      }\n\n      const tokenResponse = await fetch(tokenUrl, {\n        method: 'POST',\n        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n        body: tokenParams.toString(),\n      });\n\n      if (!tokenResponse.ok) {\n        const errorData = (await tokenResponse.json()) as { error?: string; error_description?: string };\n        throw new Error(`Microsoft token exchange failed: ${errorData.error_description || errorData.error}`);\n      }\n\n      const tokenData = (await tokenResponse.json()) as {\n        access_token: string;\n        refresh_token?: string;\n        expires_in: number;\n        scope: string;\n      };\n\n      // Create provider tokens from Microsoft response\n      const providerTokens: ProviderTokens = {\n        accessToken: tokenData.access_token,\n        ...(tokenData.refresh_token && { refreshToken: tokenData.refresh_token }),\n        expiresAt: Date.now() + tokenData.expires_in * 1000,\n        scope: tokenData.scope,\n      };\n\n      // Generate DCR authorization code with real provider tokens\n      const dcrCode = randomUUID();\n      const authCode: AuthorizationCode = {\n        code: dcrCode,\n        client_id: dcrRequestState.client_id,\n        redirect_uri: dcrRequestState.redirect_uri,\n        scope: dcrRequestState.scope,\n        ...(dcrRequestState.code_challenge && { code_challenge: dcrRequestState.code_challenge }),\n        ...(dcrRequestState.code_challenge_method && { code_challenge_method: dcrRequestState.code_challenge_method }),\n        providerTokens,\n        created_at: Date.now(),\n        expires_at: Date.now() + 600000, // 10 minutes\n      };\n\n      await dcrUtils.setAuthCode(store, dcrCode, authCode);\n\n      // Redirect back to MCP client with DCR authorization code\n      const clientRedirectUrl = new URL(dcrRequestState.redirect_uri);\n      clientRedirectUrl.searchParams.set('code', dcrCode);\n      if (dcrRequestState.state) {\n        clientRedirectUrl.searchParams.set('state', dcrRequestState.state);\n      }\n\n      return res.redirect(clientRedirectUrl.toString());\n    } catch (error) {\n      return res.status(500).json({\n        error: 'server_error',\n        error_description: error instanceof Error ? error.message : 'Failed to exchange authorization code',\n      });\n    }\n  });\n\n  /**\n   * OAuth Token Endpoint (RFC 6749 Section 3.2)\n   * POST /oauth/token\n   */\n  router.post('/oauth/token', async (req: Request, res: Response) => {\n    // Extract client credentials from either body or Basic Auth header\n    let client_id = req.body.client_id;\n    let client_secret = req.body.client_secret;\n\n    // Support client_secret_basic authentication (RFC 6749 Section 2.3.1)\n    const authHeader = req.headers.authorization;\n    if (authHeader && authHeader.startsWith('Basic ')) {\n      const base64Credentials = authHeader.substring(6);\n      const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');\n      const [id, secret] = credentials.split(':');\n      client_id = id;\n      client_secret = secret;\n    }\n\n    const { grant_type, code, redirect_uri, refresh_token, code_verifier } = req.body;\n\n    // Validate grant_type\n    if (!grant_type) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'grant_type is required',\n      });\n    }\n\n    if (grant_type === 'authorization_code') {\n      // Authorization Code Grant\n      if (!code || !client_id || !redirect_uri) {\n        return res.status(400).json({\n          error: 'invalid_request',\n          error_description: 'code, client_id, and redirect_uri are required',\n        });\n      }\n\n      // Validate client credentials\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n\n      // Get authorization code\n      const authCode = await dcrUtils.getAuthCode(store, code);\n      if (!authCode) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Invalid or expired authorization code',\n        });\n      }\n\n      // Validate authorization code\n      if (authCode.client_id !== client_id || authCode.redirect_uri !== redirect_uri) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Authorization code mismatch',\n        });\n      }\n\n      if (Date.now() > authCode.expires_at) {\n        await dcrUtils.deleteAuthCode(store, code);\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Authorization code expired',\n        });\n      }\n\n      // Validate PKCE if used\n      if (authCode.code_challenge) {\n        if (!code_verifier) {\n          return res.status(400).json({\n            error: 'invalid_request',\n            error_description: 'code_verifier is required for PKCE',\n          });\n        }\n\n        // Validate code_verifier against code_challenge\n        const method = authCode.code_challenge_method ?? 'plain';\n        const computedChallenge = method === 'S256' ? createHash('sha256').update(code_verifier).digest('base64url') : code_verifier;\n\n        if (computedChallenge !== authCode.code_challenge) {\n          return res.status(400).json({\n            error: 'invalid_grant',\n            error_description: 'Invalid code_verifier',\n          });\n        }\n      }\n\n      // Delete authorization code (one-time use)\n      await dcrUtils.deleteAuthCode(store, code);\n\n      // Generate DCR access token\n      const accessToken = randomUUID();\n      const refreshTokenValue = randomUUID();\n\n      const tokenData: AccessToken = {\n        access_token: accessToken,\n        token_type: 'Bearer',\n        expires_in: 3600,\n        refresh_token: refreshTokenValue,\n        scope: authCode.scope,\n        client_id,\n        providerTokens: authCode.providerTokens,\n        created_at: Date.now(),\n      };\n\n      await dcrUtils.setAccessToken(store, accessToken, tokenData);\n      await dcrUtils.setRefreshToken(store, refreshTokenValue, tokenData);\n\n      // Store provider tokens indexed by DCR access token\n      await dcrUtils.setProviderTokens(store, accessToken, authCode.providerTokens);\n\n      // Return token response\n      return res.json({\n        access_token: tokenData.access_token,\n        token_type: tokenData.token_type,\n        expires_in: tokenData.expires_in,\n        refresh_token: tokenData.refresh_token,\n        scope: tokenData.scope,\n      });\n    }\n    if (grant_type === 'refresh_token') {\n      // Refresh Token Grant\n      if (!refresh_token || !client_id) {\n        return res.status(400).json({\n          error: 'invalid_request',\n          error_description: 'refresh_token and client_id are required',\n        });\n      }\n\n      // Validate client credentials\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n\n      // Get refresh token\n      const tokenData = await dcrUtils.getRefreshToken(store, refresh_token);\n      if (!tokenData || tokenData.client_id !== client_id) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Invalid refresh token',\n        });\n      }\n\n      // Refresh provider tokens if available\n      let refreshedProviderTokens = tokenData.providerTokens;\n      if (tokenData.providerTokens.refreshToken) {\n        try {\n          // Create DcrOAuthProvider instance to refresh Microsoft tokens\n          const provider = new DcrOAuthProvider({\n            clientId: clientConfig.clientId,\n            ...(clientConfig.clientSecret && { clientSecret: clientConfig.clientSecret }),\n            tenantId: clientConfig.tenantId ?? 'common',\n            scope: tokenData.scope,\n            verifyEndpoint: `${baseUrl}/oauth/verify`,\n            logger: {\n              info: console.log,\n              error: console.error,\n              warn: console.warn,\n              debug: () => {},\n            },\n          });\n\n          // Refresh the Microsoft access token\n          refreshedProviderTokens = await provider.refreshAccessToken(tokenData.providerTokens.refreshToken);\n        } catch (error) {\n          // If refresh fails, continue with existing tokens (they may still be valid)\n          console.warn('Provider token refresh failed, using existing tokens:', error instanceof Error ? error.message : String(error));\n        }\n      }\n\n      // Generate new DCR access token\n      const newAccessToken = randomUUID();\n      const newTokenData: AccessToken = {\n        ...tokenData,\n        access_token: newAccessToken,\n        created_at: Date.now(),\n      };\n\n      await dcrUtils.setAccessToken(store, newAccessToken, newTokenData);\n\n      // Store refreshed provider tokens indexed by new DCR access token\n      await dcrUtils.setProviderTokens(store, newAccessToken, refreshedProviderTokens);\n\n      return res.json({\n        access_token: newTokenData.access_token,\n        token_type: newTokenData.token_type,\n        expires_in: newTokenData.expires_in,\n        scope: newTokenData.scope,\n      });\n    }\n    return res.status(400).json({\n      error: 'unsupported_grant_type',\n      error_description: 'Only authorization_code and refresh_token grants are supported',\n    });\n  });\n\n  /**\n   * OAuth Token Revocation (RFC 7009)\n   * POST /oauth/revoke\n   */\n  router.post('/oauth/revoke', async (req: Request, res: Response) => {\n    const { token, token_type_hint, client_id, client_secret } = req.body;\n\n    if (!token) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'token is required',\n      });\n    }\n\n    // Validate client if credentials provided\n    if (client_id && client_secret) {\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret);\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n    }\n\n    // Revoke the token\n    if (token_type_hint === 'refresh_token') {\n      await dcrUtils.deleteRefreshToken(store, token);\n    } else if (token_type_hint === 'access_token') {\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n    } else {\n      // No hint - try both\n      await dcrUtils.deleteRefreshToken(store, token);\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n    }\n\n    // RFC 7009: Return 200 even if token not found\n    return res.status(200).send();\n  });\n\n  /**\n   * Token Verification Endpoint\n   * GET /oauth/verify\n   *\n   * Validates bearer tokens for Resource Server.\n   * Returns AuthInfo with provider tokens for stateless DCR pattern.\n   */\n  router.get('/oauth/verify', async (req: Request, res: Response) => {\n    // Extract bearer token from Authorization header\n    const authHeader = req.headers.authorization;\n\n    if (!authHeader || !authHeader.startsWith('Bearer ')) {\n      return res.status(401).json({\n        error: 'invalid_request',\n        error_description: 'Missing or invalid Authorization header',\n      });\n    }\n\n    const token = authHeader.substring(7); // Remove 'Bearer ' prefix\n\n    // Validate token exists in access tokens store\n    const tokenData = await dcrUtils.getAccessToken(store, token);\n\n    if (!tokenData) {\n      return res.status(401).json({\n        error: 'invalid_token',\n        error_description: 'Unknown or expired access token',\n      });\n    }\n\n    // Check if token is expired\n    const now = Date.now();\n    const expiresAt = tokenData.created_at + tokenData.expires_in * 1000;\n\n    if (now > expiresAt) {\n      // Remove expired token\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n      return res.status(401).json({\n        error: 'invalid_token',\n        error_description: 'Access token has expired',\n      });\n    }\n\n    // Return AuthInfo with provider tokens for stateless DCR\n    const authInfo = {\n      token,\n      clientId: tokenData.client_id,\n      scopes: tokenData.scope ? tokenData.scope.split(' ') : [],\n      expiresAt,\n      providerTokens: tokenData.providerTokens,\n    };\n\n    return res.json(authInfo);\n  });\n\n  /**\n   * Debug endpoint to list registered clients (development only)\n   */\n  router.get('/debug/clients', async (_req: Request, res: Response) => {\n    const clients = await dcrUtils.listClients(store);\n    res.json(clients);\n  });\n\n  return router;\n}\n"],"names":["createDcrRouter","config","router","express","Router","store","issuerUrl","baseUrl","scopesSupported","clientConfig","use","json","urlencoded","extended","get","_req","res","metadata","issuer","authorization_endpoint","token_endpoint","registration_endpoint","revocation_endpoint","scopes_supported","response_types_supported","grant_types_supported","token_endpoint_auth_methods_supported","code_challenge_methods_supported","service_documentation","resource","authorization_servers","bearer_methods_supported","post","req","registrationRequest","client","error","body","dcrUtils","registerClient","status","error_description","Error","message","response_type","client_id","redirect_uri","scope","state","code_challenge","code_challenge_method","isValidRedirect","msState","dcrRequestState","msAuthUrl","query","getClient","validateRedirectUri","randomUUID","undefined","created_at","Date","now","expires_at","set","URL","tenantId","searchParams","clientId","redirect","toString","msCode","tokenUrl","tokenParams","tokenResponse","errorData","tokenData","providerTokens","dcrCode","authCode","clientRedirectUrl","code","delete","URLSearchParams","grant_type","clientSecret","fetch","method","headers","ok","accessToken","access_token","refresh_token","refreshToken","expiresAt","expires_in","setAuthCode","client_secret","authHeader","base64Credentials","credentials","id","secret","code_verifier","isValidClient","computedChallenge","refreshTokenValue","refreshedProviderTokens","provider","newAccessToken","newTokenData","authorization","startsWith","substring","Buffer","from","split","validateClient","getAuthCode","deleteAuthCode","createHash","update","digest","token_type","setAccessToken","setRefreshToken","setProviderTokens","getRefreshToken","DcrOAuthProvider","verifyEndpoint","logger","info","console","log","warn","debug","refreshAccessToken","String","token","token_type_hint","deleteRefreshToken","deleteAccessToken","deleteProviderTokens","send","authInfo","getAccessToken","scopes","clients","listClients"],"mappings":"AAAA;;;;;;;;;;;;;;;CAeC;;;;+BAwCeA;;;eAAAA;;;sBArCuB;8DAEnB;qBAEa;kEAEP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BnB,SAASA,gBAAgBC,MAAuB;IACrD,IAAMC,SAASC,gBAAO,CAACC,MAAM;IAC7B,IAAQC,QAA6DJ,OAA7DI,OAAOC,YAAsDL,OAAtDK,WAAWC,UAA2CN,OAA3CM,SAASC,kBAAkCP,OAAlCO,iBAAiBC,eAAiBR,OAAjBQ;IAEpD,+DAA+D;IAC/DP,OAAOQ,GAAG,CAACP,gBAAO,CAACQ,IAAI,KAAK,yCAAyC;IACrET,OAAOQ,GAAG,CAACP,gBAAO,CAACS,UAAU,CAAC;QAAEC,UAAU;IAAK,KAAK,uDAAuD;IAE3G;;;GAGC,GACDX,OAAOY,GAAG,CAAC,2CAA2C,SAACC,MAAeC;QACpE,IAAMC,WAA4B;YAChCC,QAAQZ;YACRa,wBAAwB,AAAC,GAAU,OAARZ,SAAQ;YACnCa,gBAAgB,AAAC,GAAU,OAARb,SAAQ;YAC3Bc,uBAAuB,AAAC,GAAU,OAARd,SAAQ;YAClCe,qBAAqB,AAAC,GAAU,OAARf,SAAQ;YAChCgB,kBAAkBf;YAClBgB,0BAA0B;gBAAC;aAAO;YAClCC,uBAAuB;gBAAC;gBAAsB;aAAgB;YAC9DC,uCAAuC;gBAAC;gBAAuB;aAAqB;YACpFC,kCAAkC;gBAAC;gBAAQ;aAAQ;YACnDC,uBAAuB,AAAC,GAAU,OAARrB,SAAQ;QACpC;QACAS,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDf,OAAOY,GAAG,CAAC,yCAAyC,SAACC,MAAeC;QAClE,IAAMC,WAA4B;YAChCY,UAAUtB;YACVuB,uBAAuB;gBAACvB;aAAQ;YAChCgB,kBAAkBf;YAClBuB,0BAA0B;gBAAC;aAAS;QACtC;QACAf,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDf,OAAOY,GAAG,CAAC,6CAA6C,SAACC,MAAeC;QACtE,IAAMC,WAA4B;YAChCY,UAAU,AAAC,GAAU,OAARtB,SAAQ;YACrBuB,uBAAuB;gBAACvB;aAAQ;YAChCgB,kBAAkBf;YAClBuB,0BAA0B;gBAAC;aAAS;QACtC;QACAf,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDf,OAAO8B,IAAI,CAAC,mBAAmB,SAAOC,KAAcjB;;gBAE1CkB,qBAGAC,QAICC;;;;;;;;;;wBAPDF,sBAAsBD,IAAII,IAAI;wBAGrB;;4BAAMC,YAASC,cAAc,CAAClC,OAAO6B;;;wBAA9CC,SAAS;wBAEf,qDAAqD;wBACrDnB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAACwB;;;;;;wBACdC;wBACPpB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;4BACnByB,OAAO;4BACPK,mBAAmBL,AAAK,YAALA,OAAiBM,SAAQN,MAAMO,OAAO,GAAG;wBAC9D;;;;;;;;;;;QAEJ;;IAEA;;;;;GAKC,GACDzC,OAAOY,GAAG,CAAC,oBAAoB,SAAOmB,KAAcjB;;gBACgEiB,YAA1GW,eAAeC,WAAWC,gCAAcC,yBAAYC,OAAYC,gBAAgBC,uBAyBlFf,QASAgB,iBASAC,SACAC,iBAcAC;;;;wBA1D4GrB,aAAAA,IAAIsB,KAAK,EAAnHX,gBAA0GX,WAA1GW,eAAeC,YAA2FZ,WAA3FY,WAAWC,eAAgFb,WAAhFa,iCAAgFb,WAAlEc,OAAAA,sCAAQ,0CAA0Dd,WAAtDe,OAAAA,sCAAQ,uBAAIC,iBAA0ChB,WAA1CgB,gBAAgBC,wBAA0BjB,WAA1BiB;wBAExF,+BAA+B;wBAC/B,IAAIN,kBAAkB,QAAQ;4BAC5B;;gCAAO5B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACI,aAAa,OAAOA,cAAc,UAAU;4BAC/C;;gCAAO7B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACK,gBAAgB,OAAOA,iBAAiB,UAAU;4BACrD;;gCAAO9B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGe;;4BAAMH,YAASkB,SAAS,CAACnD,OAAOwC;;;wBAAzCV,SAAS;wBACf,IAAI,CAACA,QAAQ;4BACX;;gCAAOnB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGwB;;4BAAMH,YAASmB,mBAAmB,CAACpD,OAAOwC,WAAWC;;;wBAAvEK,kBAAkB;wBACxB,IAAI,CAACA,iBAAiB;4BACpB;;gCAAOnC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,uDAAuD;wBACjDW,UAAUM,IAAAA,kBAAU;wBACpBL,kBAAkB;4BACtBR,WAAAA;4BACAC,cAAAA;4BACAC,OAAO,OAAOA,UAAU,WAAWA,QAAQ;4BAC3CC,OAAO,OAAOA,UAAU,WAAWA,QAAQW;4BAC3CV,gBAAgB,OAAOA,mBAAmB,WAAWA,iBAAiBU;4BACtET,uBAAuB,OAAOA,0BAA0B,WAAWA,wBAAwBS;4BAC3FC,YAAYC,KAAKC,GAAG;4BACpBC,YAAYF,KAAKC,GAAG,KAAK;wBAC3B;wBAEA;;4BAAMzD,MAAM2D,GAAG,CAAC,AAAC,gBAAuB,OAARZ,UAAWC,iBAAiB;;;wBAA5D,eAAqE,aAAa;wBAElF,oCAAoC;wBAC9BC,YAAY,IAAIW,IAAI,AAAC,qCAAsE,OAAlCxD,aAAayD,QAAQ,IAAI,UAAS;wBACjGZ,UAAUa,YAAY,CAACH,GAAG,CAAC,aAAavD,aAAa2D,QAAQ;wBAC7Dd,UAAUa,YAAY,CAACH,GAAG,CAAC,iBAAiB;wBAC5CV,UAAUa,YAAY,CAACH,GAAG,CAAC,gBAAgB,AAAC,GAAU,OAARzD,SAAQ;wBACtD+C,UAAUa,YAAY,CAACH,GAAG,CAAC,SAAS,OAAOjB,UAAU,WAAWA,QAAQ;wBACxEO,UAAUa,YAAY,CAACH,GAAG,CAAC,SAASZ;wBACpCE,UAAUa,YAAY,CAACH,GAAG,CAAC,iBAAiB;wBAE5C,+CAA+C;wBAC/C;;4BAAOhD,IAAIqD,QAAQ,CAACf,UAAUgB,QAAQ;;;;QACxC;;IAEA;;;;;GAKC,GACDpE,OAAOY,GAAG,CAAC,mBAAmB,SAAOmB,KAAcjB;;gBACkBiB,YAArDsC,QAAenB,SAAShB,SAAOK,mBAyBvCY,iBAaEmB,UACAC,aAaAC,eAOEC,WAIFC,WAQAC,gBAQAC,SACAC,UAeAC,mBAOC5C;;;;wBAtG0DH,aAAAA,IAAIsB,KAAK,EAA9DgB,SAAqDtC,WAA3DgD,MAAqB7B,UAAsCnB,WAA7Ce,OAAgBZ,UAA6BH,WAA7BG,OAAOK,oBAAsBR,WAAtBQ;wBAE7C,gCAAgC;wBAChC,IAAIL,SAAO;4BACT;;gCAAOpB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAAA;oCACAK,mBAAmBA,qBAAqB;gCAC1C;;wBACF;wBAEA,IAAI,CAAC8B,UAAU,OAAOA,WAAW,UAAU;4BACzC;;gCAAOvD,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACW,WAAW,OAAOA,YAAY,UAAU;4BAC3C;;gCAAOpC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGwB;;4BAAMpC,MAAMS,GAAG,CAAC,AAAC,gBAAuB,OAARsC;;;wBAAlDC,kBAAkB;wBACxB,IAAI,CAACA,iBAAiB;4BACpB;;gCAAOrC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,8BAA8B;wBAC9B;;4BAAMpC,MAAM6E,MAAM,CAAC,AAAC,gBAAuB,OAAR9B;;;wBAAnC;;;;;;;;;wBAIQoB,WAAW,AAAC,qCAAsE,OAAlC/D,aAAayD,QAAQ,IAAI,UAAS;wBAClFO,cAAc,IAAIU,gBAAgB;4BACtCC,YAAY;4BACZH,MAAMV;4BACN1B,WAAWpC,aAAa2D,QAAQ;4BAChCtB,cAAc,AAAC,GAAU,OAARvC,SAAQ;4BACzBwC,OAAOM,gBAAgBN,KAAK;wBAC9B;wBAEA,uDAAuD;wBACvD,IAAItC,aAAa4E,YAAY,EAAE;4BAC7BZ,YAAYT,GAAG,CAAC,iBAAiBvD,aAAa4E,YAAY;wBAC5D;wBAEsB;;4BAAMC,MAAMd,UAAU;gCAC1Ce,QAAQ;gCACRC,SAAS;oCAAE,gBAAgB;gCAAoC;gCAC/DnD,MAAMoC,YAAYH,QAAQ;4BAC5B;;;wBAJMI,gBAAgB;6BAMlB,CAACA,cAAce,EAAE,EAAjB;;;;wBACiB;;4BAAMf,cAAc/D,IAAI;;;wBAArCgE,YAAa;wBACnB,MAAM,IAAIjC,MAAM,AAAC,oCAAkF,OAA/CiC,UAAUlC,iBAAiB,IAAIkC,UAAUvC,KAAK;;wBAGjF;;4BAAMsC,cAAc/D,IAAI;;;wBAArCiE,YAAa;wBAOnB,iDAAiD;wBAC3CC,iBAAiC;4BACrCa,aAAad,UAAUe,YAAY;2BAC/Bf,UAAUgB,aAAa,IAAI;4BAAEC,cAAcjB,UAAUgB,aAAa;wBAAC;4BACvEE,WAAWjC,KAAKC,GAAG,KAAKc,UAAUmB,UAAU,GAAG;4BAC/ChD,OAAO6B,UAAU7B,KAAK;;wBAGxB,4DAA4D;wBACtD+B,UAAUpB,IAAAA,kBAAU;wBACpBqB,WAA8B;4BAClCE,MAAMH;4BACNjC,WAAWQ,gBAAgBR,SAAS;4BACpCC,cAAcO,gBAAgBP,YAAY;4BAC1CC,OAAOM,gBAAgBN,KAAK;2BACxBM,gBAAgBJ,cAAc,IAAI;4BAAEA,gBAAgBI,gBAAgBJ,cAAc;wBAAC,GACnFI,gBAAgBH,qBAAqB,IAAI;4BAAEA,uBAAuBG,gBAAgBH,qBAAqB;wBAAC;4BAC5G2B,gBAAAA;4BACAjB,YAAYC,KAAKC,GAAG;4BACpBC,YAAYF,KAAKC,GAAG,KAAK;;wBAG3B;;4BAAMxB,YAAS0D,WAAW,CAAC3F,OAAOyE,SAASC;;;wBAA3C;wBAEA,0DAA0D;wBACpDC,oBAAoB,IAAIf,IAAIZ,gBAAgBP,YAAY;wBAC9DkC,kBAAkBb,YAAY,CAACH,GAAG,CAAC,QAAQc;wBAC3C,IAAIzB,gBAAgBL,KAAK,EAAE;4BACzBgC,kBAAkBb,YAAY,CAACH,GAAG,CAAC,SAASX,gBAAgBL,KAAK;wBACnE;wBAEA;;4BAAOhC,IAAIqD,QAAQ,CAACW,kBAAkBV,QAAQ;;;wBACvClC;wBACP;;4BAAOpB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmBL,AAAK,YAALA,OAAiBM,SAAQN,MAAMO,OAAO,GAAG;4BAC9D;;;;;;;;QAEJ;;IAEA;;;GAGC,GACDzC,OAAO8B,IAAI,CAAC,gBAAgB,SAAOC,KAAcjB;;gBAE3C6B,WACAoD,eAGEC,YAEEC,mBACAC,aACeA,oBAAdC,IAAIC,QAK4DrE,WAAjEmD,YAAYH,MAAMnC,cAAc8C,eAAeW,eAoB/CC,eASAzB,UAkCWA,iCAATQ,QACAkB,mBAcFf,aACAgB,mBAEA9B,WAoCA4B,gBASA5B,YASF+B,yBAOYlG,wBAHNmG,UAgBCxE,OAOLyE,gBACAC;;;;wBAjLR,mEAAmE;wBAC/DjE,YAAYZ,IAAII,IAAI,CAACQ,SAAS;wBAC9BoD,gBAAgBhE,IAAII,IAAI,CAAC4D,aAAa;wBAE1C,sEAAsE;wBAChEC,aAAajE,IAAIuD,OAAO,CAACuB,aAAa;wBAC5C,IAAIb,cAAcA,WAAWc,UAAU,CAAC,WAAW;4BAC3Cb,oBAAoBD,WAAWe,SAAS,CAAC;4BACzCb,cAAcc,OAAOC,IAAI,CAAChB,mBAAmB,UAAU7B,QAAQ,CAAC;4BACjD8B,sCAAAA,YAAYgB,KAAK,CAAC,UAAhCf,KAAcD,uBAAVE,SAAUF;4BACrBvD,YAAYwD;4BACZJ,gBAAgBK;wBAClB;wBAEyErE,YAAAA,IAAII,IAAI,EAAzE+C,aAAiEnD,UAAjEmD,YAAYH,OAAqDhD,UAArDgD,MAAMnC,eAA+Cb,UAA/Ca,cAAc8C,gBAAiC3D,UAAjC2D,eAAeW,gBAAkBtE,UAAlBsE;wBAEvD,sBAAsB;wBACtB,IAAI,CAACnB,YAAY;4BACf;;gCAAOpE,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;6BAEI2C,CAAAA,eAAe,oBAAmB,GAAlCA;;;;wBACF,2BAA2B;wBAC3B,IAAI,CAACH,QAAQ,CAACpC,aAAa,CAACC,cAAc;4BACxC;;gCAAO9B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGsB;;4BAAMH,YAAS+E,cAAc,CAAChH,OAAOwC,WAAWoD,0BAAAA,2BAAAA,gBAAiB;;;wBAAjFO,gBAAgB;wBACtB,IAAI,CAACA,eAAe;4BAClB;;gCAAOxF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGiB;;4BAAMH,YAASgF,WAAW,CAACjH,OAAO4E;;;wBAA7CF,WAAW;wBACjB,IAAI,CAACA,UAAU;4BACb;;gCAAO/D,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,8BAA8B;wBAC9B,IAAIsC,SAASlC,SAAS,KAAKA,aAAakC,SAASjC,YAAY,KAAKA,cAAc;4BAC9E;;gCAAO9B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;6BAEIoB,CAAAA,KAAKC,GAAG,KAAKiB,SAAShB,UAAU,AAAD,GAA/BF;;;;wBACF;;4BAAMvB,YAASiF,cAAc,CAAClH,OAAO4E;;;wBAArC;wBACA;;4BAAOjE,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmB;4BACrB;;;wBAGF,wBAAwB;wBACxB,IAAIsC,SAAS9B,cAAc,EAAE;;4BAC3B,IAAI,CAACsD,eAAe;gCAClB;;oCAAOvF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;wCAC1ByB,OAAO;wCACPK,mBAAmB;oCACrB;;4BACF;4BAEA,gDAAgD;4BAC1C8C,UAASR,kCAAAA,SAAS7B,qBAAqB,cAA9B6B,6CAAAA,kCAAkC;4BAC3C0B,oBAAoBlB,WAAW,SAASiC,IAAAA,kBAAU,EAAC,UAAUC,MAAM,CAAClB,eAAemB,MAAM,CAAC,eAAenB;4BAE/G,IAAIE,sBAAsB1B,SAAS9B,cAAc,EAAE;gCACjD;;oCAAOjC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;wCAC1ByB,OAAO;wCACPK,mBAAmB;oCACrB;;4BACF;wBACF;wBAEA,2CAA2C;wBAC3C;;4BAAMH,YAASiF,cAAc,CAAClH,OAAO4E;;;wBAArC;wBAEA,4BAA4B;wBACtBS,cAAchC,IAAAA,kBAAU;wBACxBgD,oBAAoBhD,IAAAA,kBAAU;wBAE9BkB,YAAyB;4BAC7Be,cAAcD;4BACdiC,YAAY;4BACZ5B,YAAY;4BACZH,eAAec;4BACf3D,OAAOgC,SAAShC,KAAK;4BACrBF,WAAAA;4BACAgC,gBAAgBE,SAASF,cAAc;4BACvCjB,YAAYC,KAAKC,GAAG;wBACtB;wBAEA;;4BAAMxB,YAASsF,cAAc,CAACvH,OAAOqF,aAAad;;;wBAAlD;wBACA;;4BAAMtC,YAASuF,eAAe,CAACxH,OAAOqG,mBAAmB9B;;;wBAAzD;wBAEA,oDAAoD;wBACpD;;4BAAMtC,YAASwF,iBAAiB,CAACzH,OAAOqF,aAAaX,SAASF,cAAc;;;wBAA5E;wBAEA,wBAAwB;wBACxB;;4BAAO7D,IAAIL,IAAI,CAAC;gCACdgF,cAAcf,UAAUe,YAAY;gCACpCgC,YAAY/C,UAAU+C,UAAU;gCAChC5B,YAAYnB,UAAUmB,UAAU;gCAChCH,eAAehB,UAAUgB,aAAa;gCACtC7C,OAAO6B,UAAU7B,KAAK;4BACxB;;;6BAEEqC,CAAAA,eAAe,eAAc,GAA7BA;;;;wBACF,sBAAsB;wBACtB,IAAI,CAACQ,iBAAiB,CAAC/C,WAAW;4BAChC;;gCAAO7B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGsB;;4BAAMH,YAAS+E,cAAc,CAAChH,OAAOwC,WAAWoD,0BAAAA,2BAAAA,gBAAiB;;;wBAAjFO,iBAAgB;wBACtB,IAAI,CAACA,gBAAe;4BAClB;;gCAAOxF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGkB;;4BAAMH,YAASyF,eAAe,CAAC1H,OAAOuF;;;wBAAlDhB,aAAY;wBAClB,IAAI,CAACA,cAAaA,WAAU/B,SAAS,KAAKA,WAAW;4BACnD;;gCAAO7B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,uCAAuC;wBACnCkE,0BAA0B/B,WAAUC,cAAc;6BAClDD,WAAUC,cAAc,CAACgB,YAAY,EAArCjB;;;;;;;;;;;;wBAEA,+DAA+D;wBACzDgC,WAAW,IAAIoB,uBAAgB,CAAC;4BACpC5D,UAAU3D,aAAa2D,QAAQ;2BAC3B3D,aAAa4E,YAAY,IAAI;4BAAEA,cAAc5E,aAAa4E,YAAY;wBAAC;4BAC3EnB,QAAQ,GAAEzD,yBAAAA,aAAayD,QAAQ,cAArBzD,oCAAAA,yBAAyB;4BACnCsC,OAAO6B,WAAU7B,KAAK;4BACtBkF,gBAAgB,AAAC,GAAU,OAAR1H,SAAQ;4BAC3B2H,QAAQ;gCACNC,MAAMC,QAAQC,GAAG;gCACjBjG,OAAOgG,QAAQhG,KAAK;gCACpBkG,MAAMF,QAAQE,IAAI;gCAClBC,OAAO,YAAO;4BAChB;;wBAIwB;;4BAAM3B,SAAS4B,kBAAkB,CAAC5D,WAAUC,cAAc,CAACgB,YAAY;;;wBADjG,qCAAqC;wBACrCc,0BAA0B;;;;;;wBACnBvE;wBACP,4EAA4E;wBAC5EgG,QAAQE,IAAI,CAAC,yDAAyDlG,AAAK,YAALA,OAAiBM,SAAQN,MAAMO,OAAO,GAAG8F,OAAOrG;;;;;;wBAI1H,gCAAgC;wBAC1ByE,iBAAiBnD,IAAAA,kBAAU;wBAC3BoD,eAA4B,wCAC7BlC;4BACHe,cAAckB;4BACdjD,YAAYC,KAAKC,GAAG;;wBAGtB;;4BAAMxB,YAASsF,cAAc,CAACvH,OAAOwG,gBAAgBC;;;wBAArD;wBAEA,kEAAkE;wBAClE;;4BAAMxE,YAASwF,iBAAiB,CAACzH,OAAOwG,gBAAgBF;;;wBAAxD;wBAEA;;4BAAO3F,IAAIL,IAAI,CAAC;gCACdgF,cAAcmB,aAAanB,YAAY;gCACvCgC,YAAYb,aAAaa,UAAU;gCACnC5B,YAAYe,aAAaf,UAAU;gCACnChD,OAAO+D,aAAa/D,KAAK;4BAC3B;;;wBAEF;;4BAAO/B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmB;4BACrB;;;;QACF;;IAEA;;;GAGC,GACDvC,OAAO8B,IAAI,CAAC,iBAAiB,SAAOC,KAAcjB;;gBACaiB,WAArDyG,OAAOC,iBAAiB9F,WAAWoD,eAWnCO;;;;wBAXqDvE,YAAAA,IAAII,IAAI,EAA7DqG,QAAqDzG,UAArDyG,OAAOC,kBAA8C1G,UAA9C0G,iBAAiB9F,YAA6BZ,UAA7BY,WAAWoD,gBAAkBhE,UAAlBgE;wBAE3C,IAAI,CAACyC,OAAO;4BACV;;gCAAO1H,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;6BAGII,CAAAA,aAAaoD,aAAY,GAAzBpD;;;;wBACoB;;4BAAMP,YAAS+E,cAAc,CAAChH,OAAOwC,WAAWoD;;;wBAAhEO,gBAAgB;wBACtB,IAAI,CAACA,eAAe;4BAClB;;gCAAOxF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;;;6BAIEkG,CAAAA,oBAAoB,eAAc,GAAlCA;;;;wBACF;;4BAAMrG,YAASsG,kBAAkB,CAACvI,OAAOqI;;;wBAAzC;;;;;;6BACSC,CAAAA,oBAAoB,cAAa,GAAjCA;;;;wBACT;;4BAAMrG,YAASuG,iBAAiB,CAACxI,OAAOqI;;;wBAAxC;wBACA;;4BAAMpG,YAASwG,oBAAoB,CAACzI,OAAOqI;;;wBAA3C;;;;;;wBAEA,qBAAqB;wBACrB;;4BAAMpG,YAASsG,kBAAkB,CAACvI,OAAOqI;;;wBAAzC;wBACA;;4BAAMpG,YAASuG,iBAAiB,CAACxI,OAAOqI;;;wBAAxC;wBACA;;4BAAMpG,YAASwG,oBAAoB,CAACzI,OAAOqI;;;wBAA3C;;;wBAGF,+CAA+C;wBAC/C;;4BAAO1H,IAAIwB,MAAM,CAAC,KAAKuG,IAAI;;;;QAC7B;;IAEA;;;;;;GAMC,GACD7I,OAAOY,GAAG,CAAC,iBAAiB,SAAOmB,KAAcjB;;gBAEzCkF,YASAwC,OAGA9D,WAUAd,KACAgC,WAaAkD;;;;wBArCN,iDAAiD;wBAC3C9C,aAAajE,IAAIuD,OAAO,CAACuB,aAAa;wBAE5C,IAAI,CAACb,cAAc,CAACA,WAAWc,UAAU,CAAC,YAAY;4BACpD;;gCAAOhG,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEMiG,QAAQxC,WAAWe,SAAS,CAAC,IAAI,0BAA0B;wBAG/C;;4BAAM3E,YAAS2G,cAAc,CAAC5I,OAAOqI;;;wBAAjD9D,YAAY;wBAElB,IAAI,CAACA,WAAW;4BACd;;gCAAO5D,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,4BAA4B;wBACtBqB,MAAMD,KAAKC,GAAG;wBACdgC,YAAYlB,UAAUhB,UAAU,GAAGgB,UAAUmB,UAAU,GAAG;6BAE5DjC,CAAAA,MAAMgC,SAAQ,GAAdhC;;;;wBACF,uBAAuB;wBACvB;;4BAAMxB,YAASuG,iBAAiB,CAACxI,OAAOqI;;;wBAAxC;wBACA;;4BAAMpG,YAASwG,oBAAoB,CAACzI,OAAOqI;;;wBAA3C;wBACA;;4BAAO1H,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmB;4BACrB;;;wBAGF,yDAAyD;wBACnDuG,WAAW;4BACfN,OAAAA;4BACAtE,UAAUQ,UAAU/B,SAAS;4BAC7BqG,QAAQtE,UAAU7B,KAAK,GAAG6B,UAAU7B,KAAK,CAACqE,KAAK,CAAC;4BAChDtB,WAAAA;4BACAjB,gBAAgBD,UAAUC,cAAc;wBAC1C;wBAEA;;4BAAO7D,IAAIL,IAAI,CAACqI;;;;QAClB;;IAEA;;GAEC,GACD9I,OAAOY,GAAG,CAAC,kBAAkB,SAAOC,MAAeC;;gBAC3CmI;;;;wBAAU;;4BAAM7G,YAAS8G,WAAW,CAAC/I;;;wBAArC8I,UAAU;wBAChBnI,IAAIL,IAAI,CAACwI;;;;;;QACX;;IAEA,OAAOjJ;AACT"}

package/dist/cjs/lib/dcr-utils.d.cts

@@ -0,0 +1,160 @@
+/**
+ * DCR Storage Utilities
+ *
+ * Keyv-based storage utilities for Dynamic Client Registration.
+ * Follows @mcp-z/oauth pattern: single Keyv store with compound keys.
+ *
+ * Key Patterns:
+ * - dcr:client:{clientId} -> RegisteredClient
+ * - dcr:provider:{dcrToken} -> ProviderTokens
+ * - dcr:authcode:{code} -> AuthorizationCode
+ * - dcr:access:{token} -> AccessToken
+ * - dcr:refresh:{token} -> AccessToken
+ */
+import type { DcrClientInformation, DcrClientMetadata, ProviderTokens } from '@mcp-z/oauth';
+import type { Keyv } from 'keyv';
+import type { AccessToken, AuthorizationCode, RegisteredClient } from '../types.js';
+/**
+ * Register a new OAuth client (RFC 7591 Section 3.1)
+ *
+ * @param store - Keyv store for all DCR data
+ * @param metadata - Client registration metadata
+ * @returns Registered client with credentials
+ * @throws Error if validation fails
+ */
+export declare function registerClient(store: Keyv, metadata: DcrClientMetadata): Promise<DcrClientInformation>;
+/**
+ * Get a registered client by ID
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @returns Registered client or undefined if not found
+ */
+export declare function getClient(store: Keyv, clientId: string): Promise<RegisteredClient | undefined>;
+/**
+ * Validate client credentials
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @param clientSecret - Client secret
+ * @returns True if credentials are valid
+ */
+export declare function validateClient(store: Keyv, clientId: string, clientSecret: string): Promise<boolean>;
+/**
+ * Validate redirect URI for a client
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @param redirectUri - Redirect URI to validate
+ * @returns True if redirect URI is registered
+ */
+export declare function validateRedirectUri(store: Keyv, clientId: string, redirectUri: string): Promise<boolean>;
+/**
+ * List all registered clients (for debugging)
+ *
+ * Note: This method uses Keyv's iterator which may not be available on all storage adapters.
+ * For production use, consider maintaining a separate index of client IDs.
+ *
+ * @param store - Keyv store for all DCR data
+ * @returns Array of all registered clients
+ */
+export declare function listClients(store: Keyv): Promise<RegisteredClient[]>;
+/**
+ * Delete a registered client
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ */
+export declare function deleteClient(store: Keyv, clientId: string): Promise<void>;
+/**
+ * Store provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token (used as key)
+ * @param tokens - Microsoft provider tokens (access, refresh, expiry)
+ */
+export declare function setProviderTokens(store: Keyv, dcrToken: string, tokens: ProviderTokens): Promise<void>;
+/**
+ * Retrieve provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token
+ * @returns Provider tokens or undefined if not found
+ */
+export declare function getProviderTokens(store: Keyv, dcrToken: string): Promise<ProviderTokens | undefined>;
+/**
+ * Delete provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token
+ */
+export declare function deleteProviderTokens(store: Keyv, dcrToken: string): Promise<void>;
+/**
+ * Store an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ * @param authCode - Authorization code data
+ */
+export declare function setAuthCode(store: Keyv, code: string, authCode: AuthorizationCode): Promise<void>;
+/**
+ * Get an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ * @returns Authorization code data or undefined if not found
+ */
+export declare function getAuthCode(store: Keyv, code: string): Promise<AuthorizationCode | undefined>;
+/**
+ * Delete an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ */
+export declare function deleteAuthCode(store: Keyv, code: string): Promise<void>;
+/**
+ * Store an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ * @param tokenData - Access token data
+ */
+export declare function setAccessToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void>;
+/**
+ * Get an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ * @returns Access token data or undefined if not found
+ */
+export declare function getAccessToken(store: Keyv, token: string): Promise<AccessToken | undefined>;
+/**
+ * Delete an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ */
+export declare function deleteAccessToken(store: Keyv, token: string): Promise<void>;
+/**
+ * Store a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ * @param tokenData - Access token data (contains refresh token context)
+ */
+export declare function setRefreshToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void>;
+/**
+ * Get a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ * @returns Access token data or undefined if not found
+ */
+export declare function getRefreshToken(store: Keyv, token: string): Promise<AccessToken | undefined>;
+/**
+ * Delete a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ */
+export declare function deleteRefreshToken(store: Keyv, token: string): Promise<void>;

package/dist/cjs/lib/dcr-utils.d.ts

@@ -0,0 +1,160 @@
+/**
+ * DCR Storage Utilities
+ *
+ * Keyv-based storage utilities for Dynamic Client Registration.
+ * Follows @mcp-z/oauth pattern: single Keyv store with compound keys.
+ *
+ * Key Patterns:
+ * - dcr:client:{clientId} -> RegisteredClient
+ * - dcr:provider:{dcrToken} -> ProviderTokens
+ * - dcr:authcode:{code} -> AuthorizationCode
+ * - dcr:access:{token} -> AccessToken
+ * - dcr:refresh:{token} -> AccessToken
+ */
+import type { DcrClientInformation, DcrClientMetadata, ProviderTokens } from '@mcp-z/oauth';
+import type { Keyv } from 'keyv';
+import type { AccessToken, AuthorizationCode, RegisteredClient } from '../types.js';
+/**
+ * Register a new OAuth client (RFC 7591 Section 3.1)
+ *
+ * @param store - Keyv store for all DCR data
+ * @param metadata - Client registration metadata
+ * @returns Registered client with credentials
+ * @throws Error if validation fails
+ */
+export declare function registerClient(store: Keyv, metadata: DcrClientMetadata): Promise<DcrClientInformation>;
+/**
+ * Get a registered client by ID
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @returns Registered client or undefined if not found
+ */
+export declare function getClient(store: Keyv, clientId: string): Promise<RegisteredClient | undefined>;
+/**
+ * Validate client credentials
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @param clientSecret - Client secret
+ * @returns True if credentials are valid
+ */
+export declare function validateClient(store: Keyv, clientId: string, clientSecret: string): Promise<boolean>;
+/**
+ * Validate redirect URI for a client
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @param redirectUri - Redirect URI to validate
+ * @returns True if redirect URI is registered
+ */
+export declare function validateRedirectUri(store: Keyv, clientId: string, redirectUri: string): Promise<boolean>;
+/**
+ * List all registered clients (for debugging)
+ *
+ * Note: This method uses Keyv's iterator which may not be available on all storage adapters.
+ * For production use, consider maintaining a separate index of client IDs.
+ *
+ * @param store - Keyv store for all DCR data
+ * @returns Array of all registered clients
+ */
+export declare function listClients(store: Keyv): Promise<RegisteredClient[]>;
+/**
+ * Delete a registered client
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ */
+export declare function deleteClient(store: Keyv, clientId: string): Promise<void>;
+/**
+ * Store provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token (used as key)
+ * @param tokens - Microsoft provider tokens (access, refresh, expiry)
+ */
+export declare function setProviderTokens(store: Keyv, dcrToken: string, tokens: ProviderTokens): Promise<void>;
+/**
+ * Retrieve provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token
+ * @returns Provider tokens or undefined if not found
+ */
+export declare function getProviderTokens(store: Keyv, dcrToken: string): Promise<ProviderTokens | undefined>;
+/**
+ * Delete provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token
+ */
+export declare function deleteProviderTokens(store: Keyv, dcrToken: string): Promise<void>;
+/**
+ * Store an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ * @param authCode - Authorization code data
+ */
+export declare function setAuthCode(store: Keyv, code: string, authCode: AuthorizationCode): Promise<void>;
+/**
+ * Get an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ * @returns Authorization code data or undefined if not found
+ */
+export declare function getAuthCode(store: Keyv, code: string): Promise<AuthorizationCode | undefined>;
+/**
+ * Delete an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ */
+export declare function deleteAuthCode(store: Keyv, code: string): Promise<void>;
+/**
+ * Store an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ * @param tokenData - Access token data
+ */
+export declare function setAccessToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void>;
+/**
+ * Get an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ * @returns Access token data or undefined if not found
+ */
+export declare function getAccessToken(store: Keyv, token: string): Promise<AccessToken | undefined>;
+/**
+ * Delete an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ */
+export declare function deleteAccessToken(store: Keyv, token: string): Promise<void>;
+/**
+ * Store a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ * @param tokenData - Access token data (contains refresh token context)
+ */
+export declare function setRefreshToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void>;
+/**
+ * Get a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ * @returns Access token data or undefined if not found
+ */
+export declare function getRefreshToken(store: Keyv, token: string): Promise<AccessToken | undefined>;
+/**
+ * Delete a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ */
+export declare function deleteRefreshToken(store: Keyv, token: string): Promise<void>;