@memberjunction/server 5.38.0 → 5.40.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (180) hide show
  1. package/README.md +67 -0
  2. package/dist/apolloServer/index.d.ts +0 -8
  3. package/dist/apolloServer/index.d.ts.map +1 -1
  4. package/dist/apolloServer/index.js +61 -0
  5. package/dist/apolloServer/index.js.map +1 -1
  6. package/dist/auth/index.js +1 -1
  7. package/dist/auth/index.js.map +1 -1
  8. package/dist/auth/magicLink/MagicLinkKeys.d.ts +58 -0
  9. package/dist/auth/magicLink/MagicLinkKeys.d.ts.map +1 -0
  10. package/dist/auth/magicLink/MagicLinkKeys.js +99 -0
  11. package/dist/auth/magicLink/MagicLinkKeys.js.map +1 -0
  12. package/dist/auth/magicLink/MagicLinkRouter.d.ts +33 -0
  13. package/dist/auth/magicLink/MagicLinkRouter.d.ts.map +1 -0
  14. package/dist/auth/magicLink/MagicLinkRouter.js +184 -0
  15. package/dist/auth/magicLink/MagicLinkRouter.js.map +1 -0
  16. package/dist/auth/magicLink/MagicLinkService.d.ts +123 -0
  17. package/dist/auth/magicLink/MagicLinkService.d.ts.map +1 -0
  18. package/dist/auth/magicLink/MagicLinkService.js +605 -0
  19. package/dist/auth/magicLink/MagicLinkService.js.map +1 -0
  20. package/dist/auth/magicLink/index.d.ts +6 -0
  21. package/dist/auth/magicLink/index.d.ts.map +1 -0
  22. package/dist/auth/magicLink/index.js +6 -0
  23. package/dist/auth/magicLink/index.js.map +1 -0
  24. package/dist/auth/magicLink/magicLinkCore.d.ts +82 -0
  25. package/dist/auth/magicLink/magicLinkCore.d.ts.map +1 -0
  26. package/dist/auth/magicLink/magicLinkCore.js +164 -0
  27. package/dist/auth/magicLink/magicLinkCore.js.map +1 -0
  28. package/dist/auth/magicLink/redeemLanding.d.ts +22 -0
  29. package/dist/auth/magicLink/redeemLanding.d.ts.map +1 -0
  30. package/dist/auth/magicLink/redeemLanding.js +61 -0
  31. package/dist/auth/magicLink/redeemLanding.js.map +1 -0
  32. package/dist/auth/magicLink/types.d.ts +131 -0
  33. package/dist/auth/magicLink/types.d.ts.map +1 -0
  34. package/dist/auth/magicLink/types.js +6 -0
  35. package/dist/auth/magicLink/types.js.map +1 -0
  36. package/dist/config.d.ts +479 -0
  37. package/dist/config.d.ts.map +1 -1
  38. package/dist/config.js +84 -0
  39. package/dist/config.js.map +1 -1
  40. package/dist/context.d.ts.map +1 -1
  41. package/dist/context.js +223 -19
  42. package/dist/context.js.map +1 -1
  43. package/dist/generated/generated.d.ts +952 -4
  44. package/dist/generated/generated.d.ts.map +1 -1
  45. package/dist/generated/generated.js +25663 -20321
  46. package/dist/generated/generated.js.map +1 -1
  47. package/dist/generic/FireAndForgetHeartbeat.d.ts +51 -0
  48. package/dist/generic/FireAndForgetHeartbeat.d.ts.map +1 -0
  49. package/dist/generic/FireAndForgetHeartbeat.js +44 -0
  50. package/dist/generic/FireAndForgetHeartbeat.js.map +1 -0
  51. package/dist/generic/ResolverBase.d.ts.map +1 -1
  52. package/dist/generic/ResolverBase.js +35 -7
  53. package/dist/generic/ResolverBase.js.map +1 -1
  54. package/dist/index.d.ts +5 -0
  55. package/dist/index.d.ts.map +1 -1
  56. package/dist/index.js +145 -2
  57. package/dist/index.js.map +1 -1
  58. package/dist/logging/NoLog.d.ts +50 -0
  59. package/dist/logging/NoLog.d.ts.map +1 -0
  60. package/dist/logging/NoLog.js +80 -0
  61. package/dist/logging/NoLog.js.map +1 -0
  62. package/dist/logging/bootAudit.d.ts +43 -0
  63. package/dist/logging/bootAudit.d.ts.map +1 -0
  64. package/dist/logging/bootAudit.js +83 -0
  65. package/dist/logging/bootAudit.js.map +1 -0
  66. package/dist/logging/boundaryLogPayload.d.ts +18 -0
  67. package/dist/logging/boundaryLogPayload.d.ts.map +1 -0
  68. package/dist/logging/boundaryLogPayload.js +18 -0
  69. package/dist/logging/boundaryLogPayload.js.map +1 -0
  70. package/dist/logging/secretRedactor.d.ts +23 -0
  71. package/dist/logging/secretRedactor.d.ts.map +1 -0
  72. package/dist/logging/secretRedactor.js +53 -0
  73. package/dist/logging/secretRedactor.js.map +1 -0
  74. package/dist/logging/shortenForLog.d.ts +8 -0
  75. package/dist/logging/shortenForLog.d.ts.map +1 -0
  76. package/dist/logging/shortenForLog.js +21 -0
  77. package/dist/logging/shortenForLog.js.map +1 -0
  78. package/dist/logging/variablesLoggingMiddleware.d.ts +22 -0
  79. package/dist/logging/variablesLoggingMiddleware.d.ts.map +1 -0
  80. package/dist/logging/variablesLoggingMiddleware.js +127 -0
  81. package/dist/logging/variablesLoggingMiddleware.js.map +1 -0
  82. package/dist/resolvers/CurrentUserContextResolver.d.ts +9 -3
  83. package/dist/resolvers/CurrentUserContextResolver.d.ts.map +1 -1
  84. package/dist/resolvers/CurrentUserContextResolver.js +19 -5
  85. package/dist/resolvers/CurrentUserContextResolver.js.map +1 -1
  86. package/dist/resolvers/EntityResolver.d.ts.map +1 -1
  87. package/dist/resolvers/EntityResolver.js +13 -2
  88. package/dist/resolvers/EntityResolver.js.map +1 -1
  89. package/dist/resolvers/GenerateSeedTaxonomyResolver.d.ts +28 -0
  90. package/dist/resolvers/GenerateSeedTaxonomyResolver.d.ts.map +1 -0
  91. package/dist/resolvers/GenerateSeedTaxonomyResolver.js +100 -0
  92. package/dist/resolvers/GenerateSeedTaxonomyResolver.js.map +1 -0
  93. package/dist/resolvers/GetDataResolver.d.ts.map +1 -1
  94. package/dist/resolvers/GetDataResolver.js +8 -4
  95. package/dist/resolvers/GetDataResolver.js.map +1 -1
  96. package/dist/resolvers/IntegrationDiscoveryResolver.d.ts +259 -2
  97. package/dist/resolvers/IntegrationDiscoveryResolver.d.ts.map +1 -1
  98. package/dist/resolvers/IntegrationDiscoveryResolver.js +1276 -117
  99. package/dist/resolvers/IntegrationDiscoveryResolver.js.map +1 -1
  100. package/dist/resolvers/IntegrationProgressResolver.d.ts +90 -0
  101. package/dist/resolvers/IntegrationProgressResolver.d.ts.map +1 -0
  102. package/dist/resolvers/IntegrationProgressResolver.js +196 -0
  103. package/dist/resolvers/IntegrationProgressResolver.js.map +1 -0
  104. package/dist/resolvers/MCPResolver.d.ts.map +1 -1
  105. package/dist/resolvers/MCPResolver.js +19 -14
  106. package/dist/resolvers/MCPResolver.js.map +1 -1
  107. package/dist/resolvers/RunAIAgentResolver.d.ts.map +1 -1
  108. package/dist/resolvers/RunAIAgentResolver.js +26 -5
  109. package/dist/resolvers/RunAIAgentResolver.js.map +1 -1
  110. package/dist/resolvers/RunClusterAnalysisResolver.d.ts +74 -0
  111. package/dist/resolvers/RunClusterAnalysisResolver.d.ts.map +1 -0
  112. package/dist/resolvers/RunClusterAnalysisResolver.js +243 -0
  113. package/dist/resolvers/RunClusterAnalysisResolver.js.map +1 -0
  114. package/dist/resolvers/RunTestResolver.d.ts.map +1 -1
  115. package/dist/resolvers/RunTestResolver.js +12 -2
  116. package/dist/resolvers/RunTestResolver.js.map +1 -1
  117. package/dist/resolvers/SearchEntitiesResolver.d.ts +46 -0
  118. package/dist/resolvers/SearchEntitiesResolver.d.ts.map +1 -0
  119. package/dist/resolvers/SearchEntitiesResolver.js +216 -0
  120. package/dist/resolvers/SearchEntitiesResolver.js.map +1 -0
  121. package/dist/resolvers/UserResolver.d.ts +16 -2
  122. package/dist/resolvers/UserResolver.d.ts.map +1 -1
  123. package/dist/resolvers/UserResolver.js +45 -2
  124. package/dist/resolvers/UserResolver.js.map +1 -1
  125. package/dist/resolvers/VectorizeEntityResolver.d.ts.map +1 -1
  126. package/dist/resolvers/VectorizeEntityResolver.js +14 -1
  127. package/dist/resolvers/VectorizeEntityResolver.js.map +1 -1
  128. package/dist/rest/SignatureWebhookHandler.d.ts +19 -0
  129. package/dist/rest/SignatureWebhookHandler.d.ts.map +1 -0
  130. package/dist/rest/SignatureWebhookHandler.js +86 -0
  131. package/dist/rest/SignatureWebhookHandler.js.map +1 -0
  132. package/dist/services/ScheduledJobsService.d.ts.map +1 -1
  133. package/dist/services/ScheduledJobsService.js +14 -2
  134. package/dist/services/ScheduledJobsService.js.map +1 -1
  135. package/package.json +79 -74
  136. package/src/__tests__/NoLog.test.ts +76 -0
  137. package/src/__tests__/bootAudit.test.ts +188 -0
  138. package/src/__tests__/boundaryLogPayload.test.ts +31 -0
  139. package/src/__tests__/getDataTokenRedaction.test.ts +84 -0
  140. package/src/__tests__/magicLink.test.ts +387 -0
  141. package/src/__tests__/secretRedactor.test.ts +163 -0
  142. package/src/__tests__/subscriptionRedaction.test.ts +217 -0
  143. package/src/apolloServer/index.ts +58 -0
  144. package/src/auth/index.ts +2 -2
  145. package/src/auth/magicLink/MagicLinkKeys.ts +122 -0
  146. package/src/auth/magicLink/MagicLinkRouter.ts +209 -0
  147. package/src/auth/magicLink/MagicLinkService.ts +724 -0
  148. package/src/auth/magicLink/index.ts +17 -0
  149. package/src/auth/magicLink/magicLinkCore.ts +216 -0
  150. package/src/auth/magicLink/redeemLanding.ts +62 -0
  151. package/src/auth/magicLink/types.ts +137 -0
  152. package/src/config.ts +89 -0
  153. package/src/context.ts +249 -17
  154. package/src/generated/generated.ts +12528 -8866
  155. package/src/generic/FireAndForgetHeartbeat.ts +85 -0
  156. package/src/generic/ResolverBase.ts +35 -7
  157. package/src/generic/__tests__/FireAndForgetHeartbeat.test.ts +99 -0
  158. package/src/index.ts +165 -2
  159. package/src/logging/NoLog.ts +88 -0
  160. package/src/logging/bootAudit.ts +117 -0
  161. package/src/logging/boundaryLogPayload.ts +19 -0
  162. package/src/logging/secretRedactor.ts +82 -0
  163. package/src/logging/shortenForLog.ts +17 -0
  164. package/src/logging/variablesLoggingMiddleware.ts +191 -0
  165. package/src/resolvers/CurrentUserContextResolver.ts +21 -5
  166. package/src/resolvers/EntityResolver.ts +17 -5
  167. package/src/resolvers/GenerateSeedTaxonomyResolver.ts +90 -0
  168. package/src/resolvers/GetDataResolver.ts +9 -5
  169. package/src/resolvers/IntegrationDiscoveryResolver.ts +1111 -120
  170. package/src/resolvers/IntegrationProgressResolver.ts +220 -0
  171. package/src/resolvers/MCPResolver.ts +18 -14
  172. package/src/resolvers/RunAIAgentResolver.ts +28 -5
  173. package/src/resolvers/RunClusterAnalysisResolver.ts +249 -0
  174. package/src/resolvers/RunTestResolver.ts +14 -2
  175. package/src/resolvers/SearchEntitiesResolver.ts +173 -0
  176. package/src/resolvers/UserResolver.ts +38 -2
  177. package/src/resolvers/VectorizeEntityResolver.ts +14 -1
  178. package/src/resolvers/__tests__/IntegrationProgressResolver.test.ts +170 -0
  179. package/src/rest/SignatureWebhookHandler.ts +103 -0
  180. package/src/services/ScheduledJobsService.ts +15 -2
package/dist/config.d.ts CHANGED
@@ -487,6 +487,32 @@ declare const cacheSettingsSchema: z.ZodObject<{
487
487
  evictionSweepIntervalSeconds?: number;
488
488
  verboseLogging?: boolean;
489
489
  }>;
490
+ declare const loggingSettingsSchema: z.ZodObject<{
491
+ graphql: z.ZodDefault<z.ZodOptional<z.ZodObject<{
492
+ /**
493
+ * When true, emit a redacted variables block per root resolver call via the
494
+ * type-graphql global middleware. Default: false in all environments regardless
495
+ * of NODE_ENV. Env override: `MJ_LOG_GRAPHQL_VARIABLES`.
496
+ *
497
+ * SECURITY: this is an opt-in verbose-echo path for developers debugging locally.
498
+ * The always-on request log line in `context.ts` does NOT emit variables — that
499
+ * is the load-bearing leak fix. This flag is additive on top of the always-on log.
500
+ */
501
+ logVariables: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
502
+ }, "strip", z.ZodTypeAny, {
503
+ logVariables?: boolean;
504
+ }, {
505
+ logVariables?: boolean;
506
+ }>>>;
507
+ }, "strip", z.ZodTypeAny, {
508
+ graphql?: {
509
+ logVariables?: boolean;
510
+ };
511
+ }, {
512
+ graphql?: {
513
+ logVariables?: boolean;
514
+ };
515
+ }>;
490
516
  declare const feedbackGithubSettingsSchema: z.ZodObject<{
491
517
  owner: z.ZodOptional<z.ZodString>;
492
518
  repo: z.ZodOptional<z.ZodString>;
@@ -556,6 +582,181 @@ declare const feedbackSettingsSchema: z.ZodObject<{
556
582
  assignees?: string[];
557
583
  };
558
584
  }>;
585
+ declare const magicLinkSchema: z.ZodObject<{
586
+ /** Master switch for the magic-link feature. When false, routes are not mounted and the auth provider is not registered. */
587
+ enabled: z.ZodDefault<z.ZodEffects<z.ZodDefault<z.ZodOptional<z.ZodUnion<[z.ZodBoolean, z.ZodString, z.ZodNumber]>>>, boolean, string | number | boolean>>;
588
+ /**
589
+ * PEM-encoded RS256 private key used to sign session JWTs. May be raw PEM or
590
+ * base64-encoded PEM. If omitted, an ephemeral keypair is generated at startup
591
+ * (dev only — restarting the server invalidates all outstanding sessions).
592
+ */
593
+ rsaPrivateKey: z.ZodDefault<z.ZodOptional<z.ZodString>>;
594
+ /** Hours an unredeemed invite link remains valid (hard expiry). Default 72. */
595
+ defaultExpiresInHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
596
+ /** Hours the minted session JWT remains valid after redemption. No refresh tokens. Default 8. */
597
+ sessionTokenTtlHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
598
+ /** Name of the restricted Role assigned to redeeming users when an invite does not specify one. */
599
+ restrictedRoleName: z.ZodDefault<z.ZodOptional<z.ZodString>>;
600
+ /**
601
+ * Role names (besides Owner) whose members may issue invites via POST /create.
602
+ * Empty (default) means Owner-only — the secure default. The restricted role
603
+ * must never be listed here, or external users could mint their own invites.
604
+ */
605
+ inviteIssuerRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
606
+ /**
607
+ * Role names an invite may grant, IN ADDITION to restrictedRoleName (which is
608
+ * always allowed). A caller-supplied roleId is rejected unless its role name is
609
+ * the restricted role or appears here. This is the guard that stops a caller
610
+ * from attaching a privileged role (e.g. Owner) to an external magic-link user.
611
+ */
612
+ grantableRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
613
+ /** Email of the internal user whose context provisions magic-link users (falls back to userHandling.contextUserForNewUserCreation). */
614
+ contextUserForProvisioning: z.ZodOptional<z.ZodString>;
615
+ /**
616
+ * Guard against bolting an external magic-link role/app onto an EXISTING account
617
+ * that is an Owner or already holds non-restricted ("real") roles. One mistyped
618
+ * recipient email is all it takes to hand a colleague an external role otherwise.
619
+ * `block` (default) refuses to provision onto such accounts; `warn` logs loudly
620
+ * and proceeds. Provisioning onto brand-new or already-external accounts is never
621
+ * affected.
622
+ */
623
+ provisioningGuard: z.ZodDefault<z.ZodOptional<z.ZodEnum<["block", "warn"]>>>;
624
+ /** CommunicationEngine provider name used to deliver invite emails (e.g. 'SendGrid', 'Microsoft Graph'). When unset, emails are not sent and the redemption link is returned to the caller instead. */
625
+ communicationProvider: z.ZodOptional<z.ZodString>;
626
+ /** From address for invite emails. */
627
+ fromAddress: z.ZodOptional<z.ZodString>;
628
+ /** Audience claim for minted JWTs and the auto-registered magic-link auth provider. */
629
+ audience: z.ZodDefault<z.ZodOptional<z.ZodString>>;
630
+ /** Rate-limit window (ms) for the public /redeem and authenticated /create endpoints. Default 60s. */
631
+ rateLimitWindowMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
632
+ /** Max /redeem attempts per IP per window. Default 20. */
633
+ redeemRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
634
+ /** Max /create requests per IP per window. Default 30. */
635
+ createRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
636
+ /**
637
+ * Base URL of the Explorer instance that redeems land in. When set, GET
638
+ * /magic-link/redeem 302-redirects the browser to `${explorerUrl}/#token=<jwt>`
639
+ * (Explorer's magic-link auth provider reads the fragment). When unset, redeem
640
+ * returns the token as JSON. Append `?format=json` to force JSON regardless.
641
+ */
642
+ explorerUrl: z.ZodOptional<z.ZodString>;
643
+ }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
644
+ /** Master switch for the magic-link feature. When false, routes are not mounted and the auth provider is not registered. */
645
+ enabled: z.ZodDefault<z.ZodEffects<z.ZodDefault<z.ZodOptional<z.ZodUnion<[z.ZodBoolean, z.ZodString, z.ZodNumber]>>>, boolean, string | number | boolean>>;
646
+ /**
647
+ * PEM-encoded RS256 private key used to sign session JWTs. May be raw PEM or
648
+ * base64-encoded PEM. If omitted, an ephemeral keypair is generated at startup
649
+ * (dev only — restarting the server invalidates all outstanding sessions).
650
+ */
651
+ rsaPrivateKey: z.ZodDefault<z.ZodOptional<z.ZodString>>;
652
+ /** Hours an unredeemed invite link remains valid (hard expiry). Default 72. */
653
+ defaultExpiresInHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
654
+ /** Hours the minted session JWT remains valid after redemption. No refresh tokens. Default 8. */
655
+ sessionTokenTtlHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
656
+ /** Name of the restricted Role assigned to redeeming users when an invite does not specify one. */
657
+ restrictedRoleName: z.ZodDefault<z.ZodOptional<z.ZodString>>;
658
+ /**
659
+ * Role names (besides Owner) whose members may issue invites via POST /create.
660
+ * Empty (default) means Owner-only — the secure default. The restricted role
661
+ * must never be listed here, or external users could mint their own invites.
662
+ */
663
+ inviteIssuerRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
664
+ /**
665
+ * Role names an invite may grant, IN ADDITION to restrictedRoleName (which is
666
+ * always allowed). A caller-supplied roleId is rejected unless its role name is
667
+ * the restricted role or appears here. This is the guard that stops a caller
668
+ * from attaching a privileged role (e.g. Owner) to an external magic-link user.
669
+ */
670
+ grantableRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
671
+ /** Email of the internal user whose context provisions magic-link users (falls back to userHandling.contextUserForNewUserCreation). */
672
+ contextUserForProvisioning: z.ZodOptional<z.ZodString>;
673
+ /**
674
+ * Guard against bolting an external magic-link role/app onto an EXISTING account
675
+ * that is an Owner or already holds non-restricted ("real") roles. One mistyped
676
+ * recipient email is all it takes to hand a colleague an external role otherwise.
677
+ * `block` (default) refuses to provision onto such accounts; `warn` logs loudly
678
+ * and proceeds. Provisioning onto brand-new or already-external accounts is never
679
+ * affected.
680
+ */
681
+ provisioningGuard: z.ZodDefault<z.ZodOptional<z.ZodEnum<["block", "warn"]>>>;
682
+ /** CommunicationEngine provider name used to deliver invite emails (e.g. 'SendGrid', 'Microsoft Graph'). When unset, emails are not sent and the redemption link is returned to the caller instead. */
683
+ communicationProvider: z.ZodOptional<z.ZodString>;
684
+ /** From address for invite emails. */
685
+ fromAddress: z.ZodOptional<z.ZodString>;
686
+ /** Audience claim for minted JWTs and the auto-registered magic-link auth provider. */
687
+ audience: z.ZodDefault<z.ZodOptional<z.ZodString>>;
688
+ /** Rate-limit window (ms) for the public /redeem and authenticated /create endpoints. Default 60s. */
689
+ rateLimitWindowMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
690
+ /** Max /redeem attempts per IP per window. Default 20. */
691
+ redeemRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
692
+ /** Max /create requests per IP per window. Default 30. */
693
+ createRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
694
+ /**
695
+ * Base URL of the Explorer instance that redeems land in. When set, GET
696
+ * /magic-link/redeem 302-redirects the browser to `${explorerUrl}/#token=<jwt>`
697
+ * (Explorer's magic-link auth provider reads the fragment). When unset, redeem
698
+ * returns the token as JSON. Append `?format=json` to force JSON regardless.
699
+ */
700
+ explorerUrl: z.ZodOptional<z.ZodString>;
701
+ }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
702
+ /** Master switch for the magic-link feature. When false, routes are not mounted and the auth provider is not registered. */
703
+ enabled: z.ZodDefault<z.ZodEffects<z.ZodDefault<z.ZodOptional<z.ZodUnion<[z.ZodBoolean, z.ZodString, z.ZodNumber]>>>, boolean, string | number | boolean>>;
704
+ /**
705
+ * PEM-encoded RS256 private key used to sign session JWTs. May be raw PEM or
706
+ * base64-encoded PEM. If omitted, an ephemeral keypair is generated at startup
707
+ * (dev only — restarting the server invalidates all outstanding sessions).
708
+ */
709
+ rsaPrivateKey: z.ZodDefault<z.ZodOptional<z.ZodString>>;
710
+ /** Hours an unredeemed invite link remains valid (hard expiry). Default 72. */
711
+ defaultExpiresInHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
712
+ /** Hours the minted session JWT remains valid after redemption. No refresh tokens. Default 8. */
713
+ sessionTokenTtlHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
714
+ /** Name of the restricted Role assigned to redeeming users when an invite does not specify one. */
715
+ restrictedRoleName: z.ZodDefault<z.ZodOptional<z.ZodString>>;
716
+ /**
717
+ * Role names (besides Owner) whose members may issue invites via POST /create.
718
+ * Empty (default) means Owner-only — the secure default. The restricted role
719
+ * must never be listed here, or external users could mint their own invites.
720
+ */
721
+ inviteIssuerRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
722
+ /**
723
+ * Role names an invite may grant, IN ADDITION to restrictedRoleName (which is
724
+ * always allowed). A caller-supplied roleId is rejected unless its role name is
725
+ * the restricted role or appears here. This is the guard that stops a caller
726
+ * from attaching a privileged role (e.g. Owner) to an external magic-link user.
727
+ */
728
+ grantableRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
729
+ /** Email of the internal user whose context provisions magic-link users (falls back to userHandling.contextUserForNewUserCreation). */
730
+ contextUserForProvisioning: z.ZodOptional<z.ZodString>;
731
+ /**
732
+ * Guard against bolting an external magic-link role/app onto an EXISTING account
733
+ * that is an Owner or already holds non-restricted ("real") roles. One mistyped
734
+ * recipient email is all it takes to hand a colleague an external role otherwise.
735
+ * `block` (default) refuses to provision onto such accounts; `warn` logs loudly
736
+ * and proceeds. Provisioning onto brand-new or already-external accounts is never
737
+ * affected.
738
+ */
739
+ provisioningGuard: z.ZodDefault<z.ZodOptional<z.ZodEnum<["block", "warn"]>>>;
740
+ /** CommunicationEngine provider name used to deliver invite emails (e.g. 'SendGrid', 'Microsoft Graph'). When unset, emails are not sent and the redemption link is returned to the caller instead. */
741
+ communicationProvider: z.ZodOptional<z.ZodString>;
742
+ /** From address for invite emails. */
743
+ fromAddress: z.ZodOptional<z.ZodString>;
744
+ /** Audience claim for minted JWTs and the auto-registered magic-link auth provider. */
745
+ audience: z.ZodDefault<z.ZodOptional<z.ZodString>>;
746
+ /** Rate-limit window (ms) for the public /redeem and authenticated /create endpoints. Default 60s. */
747
+ rateLimitWindowMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
748
+ /** Max /redeem attempts per IP per window. Default 20. */
749
+ redeemRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
750
+ /** Max /create requests per IP per window. Default 30. */
751
+ createRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
752
+ /**
753
+ * Base URL of the Explorer instance that redeems land in. When set, GET
754
+ * /magic-link/redeem 302-redirects the browser to `${explorerUrl}/#token=<jwt>`
755
+ * (Explorer's magic-link auth provider reads the fragment). When unset, redeem
756
+ * returns the token as JSON. Append `?format=json` to force JSON regardless.
757
+ */
758
+ explorerUrl: z.ZodOptional<z.ZodString>;
759
+ }, z.ZodTypeAny, "passthrough">>;
559
760
  declare const configInfoSchema: z.ZodObject<{
560
761
  userHandling: z.ZodObject<{
561
762
  autoCreateNewUsers: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
@@ -588,6 +789,181 @@ declare const configInfoSchema: z.ZodObject<{
588
789
  CreateUserApplicationRecords?: boolean;
589
790
  UserApplications?: string[];
590
791
  }>;
792
+ magicLink: z.ZodDefault<z.ZodOptional<z.ZodObject<{
793
+ /** Master switch for the magic-link feature. When false, routes are not mounted and the auth provider is not registered. */
794
+ enabled: z.ZodDefault<z.ZodEffects<z.ZodDefault<z.ZodOptional<z.ZodUnion<[z.ZodBoolean, z.ZodString, z.ZodNumber]>>>, boolean, string | number | boolean>>;
795
+ /**
796
+ * PEM-encoded RS256 private key used to sign session JWTs. May be raw PEM or
797
+ * base64-encoded PEM. If omitted, an ephemeral keypair is generated at startup
798
+ * (dev only — restarting the server invalidates all outstanding sessions).
799
+ */
800
+ rsaPrivateKey: z.ZodDefault<z.ZodOptional<z.ZodString>>;
801
+ /** Hours an unredeemed invite link remains valid (hard expiry). Default 72. */
802
+ defaultExpiresInHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
803
+ /** Hours the minted session JWT remains valid after redemption. No refresh tokens. Default 8. */
804
+ sessionTokenTtlHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
805
+ /** Name of the restricted Role assigned to redeeming users when an invite does not specify one. */
806
+ restrictedRoleName: z.ZodDefault<z.ZodOptional<z.ZodString>>;
807
+ /**
808
+ * Role names (besides Owner) whose members may issue invites via POST /create.
809
+ * Empty (default) means Owner-only — the secure default. The restricted role
810
+ * must never be listed here, or external users could mint their own invites.
811
+ */
812
+ inviteIssuerRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
813
+ /**
814
+ * Role names an invite may grant, IN ADDITION to restrictedRoleName (which is
815
+ * always allowed). A caller-supplied roleId is rejected unless its role name is
816
+ * the restricted role or appears here. This is the guard that stops a caller
817
+ * from attaching a privileged role (e.g. Owner) to an external magic-link user.
818
+ */
819
+ grantableRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
820
+ /** Email of the internal user whose context provisions magic-link users (falls back to userHandling.contextUserForNewUserCreation). */
821
+ contextUserForProvisioning: z.ZodOptional<z.ZodString>;
822
+ /**
823
+ * Guard against bolting an external magic-link role/app onto an EXISTING account
824
+ * that is an Owner or already holds non-restricted ("real") roles. One mistyped
825
+ * recipient email is all it takes to hand a colleague an external role otherwise.
826
+ * `block` (default) refuses to provision onto such accounts; `warn` logs loudly
827
+ * and proceeds. Provisioning onto brand-new or already-external accounts is never
828
+ * affected.
829
+ */
830
+ provisioningGuard: z.ZodDefault<z.ZodOptional<z.ZodEnum<["block", "warn"]>>>;
831
+ /** CommunicationEngine provider name used to deliver invite emails (e.g. 'SendGrid', 'Microsoft Graph'). When unset, emails are not sent and the redemption link is returned to the caller instead. */
832
+ communicationProvider: z.ZodOptional<z.ZodString>;
833
+ /** From address for invite emails. */
834
+ fromAddress: z.ZodOptional<z.ZodString>;
835
+ /** Audience claim for minted JWTs and the auto-registered magic-link auth provider. */
836
+ audience: z.ZodDefault<z.ZodOptional<z.ZodString>>;
837
+ /** Rate-limit window (ms) for the public /redeem and authenticated /create endpoints. Default 60s. */
838
+ rateLimitWindowMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
839
+ /** Max /redeem attempts per IP per window. Default 20. */
840
+ redeemRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
841
+ /** Max /create requests per IP per window. Default 30. */
842
+ createRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
843
+ /**
844
+ * Base URL of the Explorer instance that redeems land in. When set, GET
845
+ * /magic-link/redeem 302-redirects the browser to `${explorerUrl}/#token=<jwt>`
846
+ * (Explorer's magic-link auth provider reads the fragment). When unset, redeem
847
+ * returns the token as JSON. Append `?format=json` to force JSON regardless.
848
+ */
849
+ explorerUrl: z.ZodOptional<z.ZodString>;
850
+ }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
851
+ /** Master switch for the magic-link feature. When false, routes are not mounted and the auth provider is not registered. */
852
+ enabled: z.ZodDefault<z.ZodEffects<z.ZodDefault<z.ZodOptional<z.ZodUnion<[z.ZodBoolean, z.ZodString, z.ZodNumber]>>>, boolean, string | number | boolean>>;
853
+ /**
854
+ * PEM-encoded RS256 private key used to sign session JWTs. May be raw PEM or
855
+ * base64-encoded PEM. If omitted, an ephemeral keypair is generated at startup
856
+ * (dev only — restarting the server invalidates all outstanding sessions).
857
+ */
858
+ rsaPrivateKey: z.ZodDefault<z.ZodOptional<z.ZodString>>;
859
+ /** Hours an unredeemed invite link remains valid (hard expiry). Default 72. */
860
+ defaultExpiresInHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
861
+ /** Hours the minted session JWT remains valid after redemption. No refresh tokens. Default 8. */
862
+ sessionTokenTtlHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
863
+ /** Name of the restricted Role assigned to redeeming users when an invite does not specify one. */
864
+ restrictedRoleName: z.ZodDefault<z.ZodOptional<z.ZodString>>;
865
+ /**
866
+ * Role names (besides Owner) whose members may issue invites via POST /create.
867
+ * Empty (default) means Owner-only — the secure default. The restricted role
868
+ * must never be listed here, or external users could mint their own invites.
869
+ */
870
+ inviteIssuerRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
871
+ /**
872
+ * Role names an invite may grant, IN ADDITION to restrictedRoleName (which is
873
+ * always allowed). A caller-supplied roleId is rejected unless its role name is
874
+ * the restricted role or appears here. This is the guard that stops a caller
875
+ * from attaching a privileged role (e.g. Owner) to an external magic-link user.
876
+ */
877
+ grantableRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
878
+ /** Email of the internal user whose context provisions magic-link users (falls back to userHandling.contextUserForNewUserCreation). */
879
+ contextUserForProvisioning: z.ZodOptional<z.ZodString>;
880
+ /**
881
+ * Guard against bolting an external magic-link role/app onto an EXISTING account
882
+ * that is an Owner or already holds non-restricted ("real") roles. One mistyped
883
+ * recipient email is all it takes to hand a colleague an external role otherwise.
884
+ * `block` (default) refuses to provision onto such accounts; `warn` logs loudly
885
+ * and proceeds. Provisioning onto brand-new or already-external accounts is never
886
+ * affected.
887
+ */
888
+ provisioningGuard: z.ZodDefault<z.ZodOptional<z.ZodEnum<["block", "warn"]>>>;
889
+ /** CommunicationEngine provider name used to deliver invite emails (e.g. 'SendGrid', 'Microsoft Graph'). When unset, emails are not sent and the redemption link is returned to the caller instead. */
890
+ communicationProvider: z.ZodOptional<z.ZodString>;
891
+ /** From address for invite emails. */
892
+ fromAddress: z.ZodOptional<z.ZodString>;
893
+ /** Audience claim for minted JWTs and the auto-registered magic-link auth provider. */
894
+ audience: z.ZodDefault<z.ZodOptional<z.ZodString>>;
895
+ /** Rate-limit window (ms) for the public /redeem and authenticated /create endpoints. Default 60s. */
896
+ rateLimitWindowMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
897
+ /** Max /redeem attempts per IP per window. Default 20. */
898
+ redeemRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
899
+ /** Max /create requests per IP per window. Default 30. */
900
+ createRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
901
+ /**
902
+ * Base URL of the Explorer instance that redeems land in. When set, GET
903
+ * /magic-link/redeem 302-redirects the browser to `${explorerUrl}/#token=<jwt>`
904
+ * (Explorer's magic-link auth provider reads the fragment). When unset, redeem
905
+ * returns the token as JSON. Append `?format=json` to force JSON regardless.
906
+ */
907
+ explorerUrl: z.ZodOptional<z.ZodString>;
908
+ }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
909
+ /** Master switch for the magic-link feature. When false, routes are not mounted and the auth provider is not registered. */
910
+ enabled: z.ZodDefault<z.ZodEffects<z.ZodDefault<z.ZodOptional<z.ZodUnion<[z.ZodBoolean, z.ZodString, z.ZodNumber]>>>, boolean, string | number | boolean>>;
911
+ /**
912
+ * PEM-encoded RS256 private key used to sign session JWTs. May be raw PEM or
913
+ * base64-encoded PEM. If omitted, an ephemeral keypair is generated at startup
914
+ * (dev only — restarting the server invalidates all outstanding sessions).
915
+ */
916
+ rsaPrivateKey: z.ZodDefault<z.ZodOptional<z.ZodString>>;
917
+ /** Hours an unredeemed invite link remains valid (hard expiry). Default 72. */
918
+ defaultExpiresInHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
919
+ /** Hours the minted session JWT remains valid after redemption. No refresh tokens. Default 8. */
920
+ sessionTokenTtlHours: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
921
+ /** Name of the restricted Role assigned to redeeming users when an invite does not specify one. */
922
+ restrictedRoleName: z.ZodDefault<z.ZodOptional<z.ZodString>>;
923
+ /**
924
+ * Role names (besides Owner) whose members may issue invites via POST /create.
925
+ * Empty (default) means Owner-only — the secure default. The restricted role
926
+ * must never be listed here, or external users could mint their own invites.
927
+ */
928
+ inviteIssuerRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
929
+ /**
930
+ * Role names an invite may grant, IN ADDITION to restrictedRoleName (which is
931
+ * always allowed). A caller-supplied roleId is rejected unless its role name is
932
+ * the restricted role or appears here. This is the guard that stops a caller
933
+ * from attaching a privileged role (e.g. Owner) to an external magic-link user.
934
+ */
935
+ grantableRoleNames: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
936
+ /** Email of the internal user whose context provisions magic-link users (falls back to userHandling.contextUserForNewUserCreation). */
937
+ contextUserForProvisioning: z.ZodOptional<z.ZodString>;
938
+ /**
939
+ * Guard against bolting an external magic-link role/app onto an EXISTING account
940
+ * that is an Owner or already holds non-restricted ("real") roles. One mistyped
941
+ * recipient email is all it takes to hand a colleague an external role otherwise.
942
+ * `block` (default) refuses to provision onto such accounts; `warn` logs loudly
943
+ * and proceeds. Provisioning onto brand-new or already-external accounts is never
944
+ * affected.
945
+ */
946
+ provisioningGuard: z.ZodDefault<z.ZodOptional<z.ZodEnum<["block", "warn"]>>>;
947
+ /** CommunicationEngine provider name used to deliver invite emails (e.g. 'SendGrid', 'Microsoft Graph'). When unset, emails are not sent and the redemption link is returned to the caller instead. */
948
+ communicationProvider: z.ZodOptional<z.ZodString>;
949
+ /** From address for invite emails. */
950
+ fromAddress: z.ZodOptional<z.ZodString>;
951
+ /** Audience claim for minted JWTs and the auto-registered magic-link auth provider. */
952
+ audience: z.ZodDefault<z.ZodOptional<z.ZodString>>;
953
+ /** Rate-limit window (ms) for the public /redeem and authenticated /create endpoints. Default 60s. */
954
+ rateLimitWindowMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
955
+ /** Max /redeem attempts per IP per window. Default 20. */
956
+ redeemRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
957
+ /** Max /create requests per IP per window. Default 30. */
958
+ createRateLimitMax: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
959
+ /**
960
+ * Base URL of the Explorer instance that redeems land in. When set, GET
961
+ * /magic-link/redeem 302-redirects the browser to `${explorerUrl}/#token=<jwt>`
962
+ * (Explorer's magic-link auth provider reads the fragment). When unset, redeem
963
+ * returns the token as JSON. Append `?format=json` to force JSON regardless.
964
+ */
965
+ explorerUrl: z.ZodOptional<z.ZodString>;
966
+ }, z.ZodTypeAny, "passthrough">>>>;
591
967
  databaseSettings: z.ZodObject<{
592
968
  connectionTimeout: z.ZodNumber;
593
969
  requestTimeout: z.ZodNumber;
@@ -1010,6 +1386,32 @@ declare const configInfoSchema: z.ZodObject<{
1010
1386
  evictionSweepIntervalSeconds?: number;
1011
1387
  verboseLogging?: boolean;
1012
1388
  }>>>;
1389
+ loggingSettings: z.ZodDefault<z.ZodOptional<z.ZodObject<{
1390
+ graphql: z.ZodDefault<z.ZodOptional<z.ZodObject<{
1391
+ /**
1392
+ * When true, emit a redacted variables block per root resolver call via the
1393
+ * type-graphql global middleware. Default: false in all environments regardless
1394
+ * of NODE_ENV. Env override: `MJ_LOG_GRAPHQL_VARIABLES`.
1395
+ *
1396
+ * SECURITY: this is an opt-in verbose-echo path for developers debugging locally.
1397
+ * The always-on request log line in `context.ts` does NOT emit variables — that
1398
+ * is the load-bearing leak fix. This flag is additive on top of the always-on log.
1399
+ */
1400
+ logVariables: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
1401
+ }, "strip", z.ZodTypeAny, {
1402
+ logVariables?: boolean;
1403
+ }, {
1404
+ logVariables?: boolean;
1405
+ }>>>;
1406
+ }, "strip", z.ZodTypeAny, {
1407
+ graphql?: {
1408
+ logVariables?: boolean;
1409
+ };
1410
+ }, {
1411
+ graphql?: {
1412
+ logVariables?: boolean;
1413
+ };
1414
+ }>>>;
1013
1415
  feedbackSettings: z.ZodDefault<z.ZodOptional<z.ZodObject<{
1014
1416
  /** Org-level kill switch for the in-app feedback feature. Defaults to true (enabled). */
1015
1417
  enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
@@ -1093,6 +1495,26 @@ declare const configInfoSchema: z.ZodObject<{
1093
1495
  CreateUserApplicationRecords?: boolean;
1094
1496
  UserApplications?: string[];
1095
1497
  };
1498
+ magicLink?: {
1499
+ enabled?: boolean;
1500
+ audience?: string;
1501
+ rsaPrivateKey?: string;
1502
+ defaultExpiresInHours?: number;
1503
+ sessionTokenTtlHours?: number;
1504
+ restrictedRoleName?: string;
1505
+ inviteIssuerRoleNames?: string[];
1506
+ grantableRoleNames?: string[];
1507
+ contextUserForProvisioning?: string;
1508
+ provisioningGuard?: "block" | "warn";
1509
+ communicationProvider?: string;
1510
+ fromAddress?: string;
1511
+ rateLimitWindowMs?: number;
1512
+ redeemRateLimitMax?: number;
1513
+ createRateLimitMax?: number;
1514
+ explorerUrl?: string;
1515
+ } & {
1516
+ [k: string]: unknown;
1517
+ };
1096
1518
  databaseSettings?: {
1097
1519
  connectionTimeout?: number;
1098
1520
  requestTimeout?: number;
@@ -1223,6 +1645,11 @@ declare const configInfoSchema: z.ZodObject<{
1223
1645
  evictionSweepIntervalSeconds?: number;
1224
1646
  verboseLogging?: boolean;
1225
1647
  };
1648
+ loggingSettings?: {
1649
+ graphql?: {
1650
+ logVariables?: boolean;
1651
+ };
1652
+ };
1226
1653
  feedbackSettings?: {
1227
1654
  enabled?: boolean;
1228
1655
  github?: {
@@ -1267,6 +1694,26 @@ declare const configInfoSchema: z.ZodObject<{
1267
1694
  CreateUserApplicationRecords?: boolean;
1268
1695
  UserApplications?: string[];
1269
1696
  };
1697
+ magicLink?: {
1698
+ enabled?: string | number | boolean;
1699
+ audience?: string;
1700
+ rsaPrivateKey?: string;
1701
+ defaultExpiresInHours?: number;
1702
+ sessionTokenTtlHours?: number;
1703
+ restrictedRoleName?: string;
1704
+ inviteIssuerRoleNames?: string[];
1705
+ grantableRoleNames?: string[];
1706
+ contextUserForProvisioning?: string;
1707
+ provisioningGuard?: "block" | "warn";
1708
+ communicationProvider?: string;
1709
+ fromAddress?: string;
1710
+ rateLimitWindowMs?: number;
1711
+ redeemRateLimitMax?: number;
1712
+ createRateLimitMax?: number;
1713
+ explorerUrl?: string;
1714
+ } & {
1715
+ [k: string]: unknown;
1716
+ };
1270
1717
  databaseSettings?: {
1271
1718
  connectionTimeout?: number;
1272
1719
  requestTimeout?: number;
@@ -1397,6 +1844,11 @@ declare const configInfoSchema: z.ZodObject<{
1397
1844
  evictionSweepIntervalSeconds?: number;
1398
1845
  verboseLogging?: boolean;
1399
1846
  };
1847
+ loggingSettings?: {
1848
+ graphql?: {
1849
+ logVariables?: boolean;
1850
+ };
1851
+ };
1400
1852
  feedbackSettings?: {
1401
1853
  enabled?: boolean;
1402
1854
  github?: {
@@ -1428,6 +1880,7 @@ declare const configInfoSchema: z.ZodObject<{
1428
1880
  mjCoreSchema?: string;
1429
1881
  }>;
1430
1882
  export type UserHandlingInfo = z.infer<typeof userHandlingInfoSchema>;
1883
+ export type MagicLinkConfig = z.infer<typeof magicLinkSchema>;
1431
1884
  export type DatabaseSettingsInfo = z.infer<typeof databaseSettingsInfoSchema>;
1432
1885
  export type ViewingSystemSettingsInfo = z.infer<typeof viewingSystemInfoSchema>;
1433
1886
  export type RESTApiOptions = z.infer<typeof restApiOptionsSchema>;
@@ -1442,6 +1895,7 @@ export type QueryDialectConfig = z.infer<typeof queryDialectSchema>;
1442
1895
  export type MultiTenancyConfig = z.infer<typeof multiTenancySchema>;
1443
1896
  export type ServerExtensionConfig = z.infer<typeof serverExtensionSchema>;
1444
1897
  export type CacheSettingsConfig = z.infer<typeof cacheSettingsSchema>;
1898
+ export type LoggingSettingsConfig = z.infer<typeof loggingSettingsSchema>;
1445
1899
  export type FeedbackGithubSettingsConfig = z.infer<typeof feedbackGithubSettingsSchema>;
1446
1900
  export type FeedbackSettingsConfig = z.infer<typeof feedbackSettingsSchema>;
1447
1901
  export type ConfigInfo = z.infer<typeof configInfoSchema>;
@@ -1481,6 +1935,26 @@ export declare function loadConfig(): {
1481
1935
  CreateUserApplicationRecords?: boolean;
1482
1936
  UserApplications?: string[];
1483
1937
  };
1938
+ magicLink?: {
1939
+ enabled?: boolean;
1940
+ audience?: string;
1941
+ rsaPrivateKey?: string;
1942
+ defaultExpiresInHours?: number;
1943
+ sessionTokenTtlHours?: number;
1944
+ restrictedRoleName?: string;
1945
+ inviteIssuerRoleNames?: string[];
1946
+ grantableRoleNames?: string[];
1947
+ contextUserForProvisioning?: string;
1948
+ provisioningGuard?: "block" | "warn";
1949
+ communicationProvider?: string;
1950
+ fromAddress?: string;
1951
+ rateLimitWindowMs?: number;
1952
+ redeemRateLimitMax?: number;
1953
+ createRateLimitMax?: number;
1954
+ explorerUrl?: string;
1955
+ } & {
1956
+ [k: string]: unknown;
1957
+ };
1484
1958
  databaseSettings?: {
1485
1959
  connectionTimeout?: number;
1486
1960
  requestTimeout?: number;
@@ -1611,6 +2085,11 @@ export declare function loadConfig(): {
1611
2085
  evictionSweepIntervalSeconds?: number;
1612
2086
  verboseLogging?: boolean;
1613
2087
  };
2088
+ loggingSettings?: {
2089
+ graphql?: {
2090
+ logVariables?: boolean;
2091
+ };
2092
+ };
1614
2093
  feedbackSettings?: {
1615
2094
  enabled?: boolean;
1616
2095
  github?: {
@@ -1 +1 @@
1
- {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAOxB,QAAA,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAU1B,CAAC;AAEH,QAAA,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAY9B,CAAC;AAEH,QAAA,MAAM,uBAAuB;;;;;;EAE3B,CAAC;AAEH,QAAA,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;EAMxB,CAAC;AA2BH,QAAA,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgBrB,CAAC;AAEH,QAAA,MAAM,uBAAuB;;;;IAI3B;;;;;;OAMG;;;;;;;;;;;;;;;;;;;;;;;;EAMH,CAAC;AAEH,QAAA,MAAM,gBAAgB;;;;;;QAdpB;;;;;;WAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAeH,CAAC;AAEH,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAUR,CAAC;AAEjB,QAAA,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAab,CAAC;AAEjB,QAAA,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;EAMvB,CAAC;AAEH,QAAA,MAAM,kBAAkB;IACtB,sGAAsG;;IAEtG,sFAAsF;;;;;;;;EAEtF,CAAC;AAEH,QAAA,MAAM,kBAAkB;IACtB,2EAA2E;;IAE3E,uDAAuD;;IAEvD,2DAA2D;;IAE3D,+EAA+E;;IAE/E,gFAAgF;;IAEhF,4EAA4E;;IAE5E,2DAA2D;;IAE3D,sFAAsF;;IAEtF,kDAAkD;;IAElD,mFAAmF;;;;;;;;;;;;;;;;;;;;;;;;EAEnF,CAAC;AAEH,QAAA,MAAM,eAAe;;;;;;;;;EAKnB,CAAC;AAEH,QAAA,MAAM,qBAAqB;;;;;;;;;;;;;;;gCAKX,CAAC;AAEjB,QAAA,MAAM,mBAAmB;IACvB,4HAA4H;;IAE5H,oHAAoH;;IAEpH,wFAAwF;;IAExF,+FAA+F;;IAE/F,8EAA8E;;;;;;;;;;;;;;EAE9E,CAAC;AAEH,QAAA,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;EAOhC,CAAC;AAEH,QAAA,MAAM,sBAAsB;IAC1B,yFAAyF;;IAEzF,uEAAuE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEvE,CAAC;AAEH,QAAA,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;YAnIpB;;;;;;eAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAqDH,sGAAsG;;QAEtG,sFAAsF;;;;;;;;;;QAKtF,2EAA2E;;QAE3E,uDAAuD;;QAEvD,2DAA2D;;QAE3D,+EAA+E;;QAE/E,gFAAgF;;QAEhF,4EAA4E;;QAE5E,2DAA2D;;QAE3D,sFAAsF;;QAEtF,kDAAkD;;QAElD,mFAAmF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAmBnF,4HAA4H;;QAE5H,oHAAoH;;QAEpH,wFAAwF;;QAExF,+FAA+F;;QAE/F,8EAA8E;;;;;;;;;;;;;;;;QAc9E,yFAAyF;;QAEzF,uEAAuE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkDvE,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAC9E,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAChF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAC5D,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AACxE,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC9D,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AACpE,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAC9E,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AACtE,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAC9D,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AACpE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AACpE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAC1E,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AACtE,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AACxF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAC5E,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,EAAE,OAAO,CAAC,UAAU,CA6JrD,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,UAAyB,CAAC;AAEnD,eAAO,MACL,UAAU,UACV,UAAU,UACV,MAAM,UACN,UAAU,UACV,MAAM,UACN,wBAAwB,aACxB,cAAc,UACd,WAAW,UACX,gBAAgB,UAChB,iBAAiB,UACjB,4BAA4B,UAC5B,eAAe,UACf,mBAAmB,WACnB,qBAAqB,UACrB,YAAY,0BACZ,MAAM,UACN,OAAO,UACP,SAAS,UACK,cAAc,UAC5B,kBAAkB,UAClB,kBAAkB,UACF,cAAc;;;;;;CAClB,CAAC;AAEf,wBAAgB,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAuBzB"}
1
+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAOxB,QAAA,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAU1B,CAAC;AAEH,QAAA,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAY9B,CAAC;AAEH,QAAA,MAAM,uBAAuB;;;;;;EAE3B,CAAC;AAEH,QAAA,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;EAMxB,CAAC;AA2BH,QAAA,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgBrB,CAAC;AAEH,QAAA,MAAM,uBAAuB;;;;IAI3B;;;;;;OAMG;;;;;;;;;;;;;;;;;;;;;;;;EAMH,CAAC;AAEH,QAAA,MAAM,gBAAgB;;;;;;QAdpB;;;;;;WAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAeH,CAAC;AAEH,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAUR,CAAC;AAEjB,QAAA,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAab,CAAC;AAEjB,QAAA,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;EAMvB,CAAC;AAEH,QAAA,MAAM,kBAAkB;IACtB,sGAAsG;;IAEtG,sFAAsF;;;;;;;;EAEtF,CAAC;AAEH,QAAA,MAAM,kBAAkB;IACtB,2EAA2E;;IAE3E,uDAAuD;;IAEvD,2DAA2D;;IAE3D,+EAA+E;;IAE/E,gFAAgF;;IAEhF,4EAA4E;;IAE5E,2DAA2D;;IAE3D,sFAAsF;;IAEtF,kDAAkD;;IAElD,mFAAmF;;;;;;;;;;;;;;;;;;;;;;;;EAEnF,CAAC;AAEH,QAAA,MAAM,eAAe;;;;;;;;;EAKnB,CAAC;AAEH,QAAA,MAAM,qBAAqB;;;;;;;;;;;;;;;gCAKX,CAAC;AAEjB,QAAA,MAAM,mBAAmB;IACvB,4HAA4H;;IAE5H,oHAAoH;;IAEpH,wFAAwF;;IAExF,+FAA+F;;IAE/F,8EAA8E;;;;;;;;;;;;;;EAE9E,CAAC;AAEH,QAAA,MAAM,qBAAqB;;QAEvB;;;;;;;;WAQG;;;;;;;;;;;;;;;EAGL,CAAC;AAEH,QAAA,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;EAOhC,CAAC;AAEH,QAAA,MAAM,sBAAsB;IAC1B,yFAAyF;;IAEzF,uEAAuE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEvE,CAAC;AAEH,QAAA,MAAM,eAAe;IACnB,4HAA4H;;IAE5H;;;;OAIG;;IAEH,+EAA+E;;IAE/E,iGAAiG;;IAEjG,mGAAmG;;IAEnG;;;;OAIG;;IAEH;;;;;OAKG;;IAEH,uIAAuI;;IAEvI;;;;;;;OAOG;;IAEH,uMAAuM;;IAEvM,sCAAsC;;IAEtC,uFAAuF;;IAEvF,sGAAsG;;IAEtG,0DAA0D;;IAE1D,0DAA0D;;IAE1D;;;;;OAKG;;;IAvDH,4HAA4H;;IAE5H;;;;OAIG;;IAEH,+EAA+E;;IAE/E,iGAAiG;;IAEjG,mGAAmG;;IAEnG;;;;OAIG;;IAEH;;;;;OAKG;;IAEH,uIAAuI;;IAEvI;;;;;;;OAOG;;IAEH,uMAAuM;;IAEvM,sCAAsC;;IAEtC,uFAAuF;;IAEvF,sGAAsG;;IAEtG,0DAA0D;;IAE1D,0DAA0D;;IAE1D;;;;;OAKG;;;IAvDH,4HAA4H;;IAE5H;;;;OAIG;;IAEH,+EAA+E;;IAE/E,iGAAiG;;IAEjG,mGAAmG;;IAEnG;;;;OAIG;;IAEH;;;;;OAKG;;IAEH,uIAAuI;;IAEvI;;;;;;;OAOG;;IAEH,uMAAuM;;IAEvM,sCAAsC;;IAEtC,uFAAuF;;IAEvF,sGAAsG;;IAEtG,0DAA0D;;IAE1D,0DAA0D;;IAE1D;;;;;OAKG;;gCAEW,CAAC;AAEjB,QAAA,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA3DpB,4HAA4H;;QAE5H;;;;WAIG;;QAEH,+EAA+E;;QAE/E,iGAAiG;;QAEjG,mGAAmG;;QAEnG;;;;WAIG;;QAEH;;;;;WAKG;;QAEH,uIAAuI;;QAEvI;;;;;;;WAOG;;QAEH,uMAAuM;;QAEvM,sCAAsC;;QAEtC,uFAAuF;;QAEvF,sGAAsG;;QAEtG,0DAA0D;;QAE1D,0DAA0D;;QAE1D;;;;;WAKG;;;QAvDH,4HAA4H;;QAE5H;;;;WAIG;;QAEH,+EAA+E;;QAE/E,iGAAiG;;QAEjG,mGAAmG;;QAEnG;;;;WAIG;;QAEH;;;;;WAKG;;QAEH,uIAAuI;;QAEvI;;;;;;;WAOG;;QAEH,uMAAuM;;QAEvM,sCAAsC;;QAEtC,uFAAuF;;QAEvF,sGAAsG;;QAEtG,0DAA0D;;QAE1D,0DAA0D;;QAE1D;;;;;WAKG;;;QAvDH,4HAA4H;;QAE5H;;;;WAIG;;QAEH,+EAA+E;;QAE/E,iGAAiG;;QAEjG,mGAAmG;;QAEnG;;;;WAIG;;QAEH;;;;;WAKG;;QAEH,uIAAuI;;QAEvI;;;;;;;WAOG;;QAEH,uMAAuM;;QAEvM,sCAAsC;;QAEtC,uFAAuF;;QAEvF,sGAAsG;;QAEtG,0DAA0D;;QAE1D,0DAA0D;;QAE1D;;;;;WAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;YA1MH;;;;;;eAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAqDH,sGAAsG;;QAEtG,sFAAsF;;;;;;;;;;QAKtF,2EAA2E;;QAE3E,uDAAuD;;QAEvD,2DAA2D;;QAE3D,+EAA+E;;QAE/E,gFAAgF;;QAEhF,4EAA4E;;QAE5E,2DAA2D;;QAE3D,sFAAsF;;QAEtF,kDAAkD;;QAElD,mFAAmF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAmBnF,4HAA4H;;QAE5H,oHAAoH;;QAEpH,wFAAwF;;QAExF,+FAA+F;;QAE/F,8EAA8E;;;;;;;;;;;;;;;;;YAM5E;;;;;;;;eAQG;;;;;;;;;;;;;;;;;QAeL,yFAAyF;;QAEzF,uEAAuE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgHvE,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAC9D,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAC9E,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAChF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAC5D,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AACxE,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC9D,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AACpE,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAC9E,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AACtE,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAC9D,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AACpE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AACpE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAC1E,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AACtE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAC1E,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AACxF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAC5E,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,EAAE,OAAO,CAAC,UAAU,CAuKrD,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,UAAyB,CAAC;AAEnD,eAAO,MACL,UAAU,UACV,UAAU,UACV,MAAM,UACN,UAAU,UACV,MAAM,UACN,wBAAwB,aACxB,cAAc,UACd,WAAW,UACX,gBAAgB,UAChB,iBAAiB,UACjB,4BAA4B,UAC5B,eAAe,UACf,mBAAmB,WACnB,qBAAqB,UACrB,YAAY,0BACZ,MAAM,UACN,OAAO,UACP,SAAS,UACK,cAAc,UAC5B,kBAAkB,UAClB,kBAAkB,UACF,cAAc;;;;;;CAClB,CAAC;AAEf,wBAAgB,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAuBzB"}