@nauth-toolkit/core 0.1.14 → 0.1.18

package/dist/services/adaptive-mfa-decision.service.d.ts

@@ -7,15 +7,73 @@ import { RiskScoringService } from './risk-scoring.service';
 import { ClientInfoService } from './client-info.service';
 import { NAuthConfig, AdaptiveMFARiskEventPayload } from '../interfaces/config.interface';
 import { NAuthLogger } from '../utils/nauth-logger';
+/**
+ * Adaptive MFA decision result
+ */
 export interface AdaptiveMFADecision {
+    /**
+     * Action to take
+     */
     action: 'allow' | 'require_mfa' | 'block_signin';
+    /**
+     * Risk score (0-100)
+     */
     riskScore: number;
+    /**
+     * Risk level classification
+     */
     riskLevel: 'low' | 'medium' | 'high';
+    /**
+     * Detected risk factors
+     * Array of RiskFactor enum values (stored as strings at runtime)
+     */
     riskFactors: RiskFactor[];
+    /**
+     * Whether user should be notified
+     */
     notifyUser: boolean;
+    /**
+     * Whether lifecycle hook overrode the decision
+     */
     hookOverride: boolean;
+    /**
+     * Risk event payload (included when action requires it or notifyUser is true)
+     * Contains full client context for use in blockUserSignIn or audit logging
+     */
     payload?: AdaptiveMFARiskEventPayload;
 }
+/**
+ * Adaptive MFA Decision Service
+ *
+ * Makes context-aware MFA requirement decisions based on risk analysis.
+ * Supports multiple actions (allow, require_mfa, block_signin) based on risk level.
+ *
+ * **Decision Flow:**
+ * 1. Detect risk factors (via RiskDetectionService)
+ * 2. Calculate risk score (via RiskScoringService)
+ * 3. Determine risk level and action from configuration
+ * 4. Call lifecycle hooks if notifyUser is true
+ * 5. Record audit event (non-blocking)
+ * 6. Return decision object
+ *
+ * **Default Risk Levels:**
+ * - Low (0-20): action 'allow', notifyUser false
+ * - Medium (21-50): action 'require_mfa', notifyUser true
+ * - High (51-100): action 'require_mfa', notifyUser true (conservative default)
+ *
+ * **User Blocking:**
+ * When action is 'block_signin', user is blocked in storage adapter with optional TTL.
+ * Block status is checked before evaluation to prevent blocked users from attempting sign-in.
+ *
+ * @example
+ * ```typescript
+ * const decision = await adaptiveMFADecisionService.evaluateAdaptiveMFA(user, 'password');
+ * if (decision.action === 'block_signin') {
+ *   throw new NAuthException(AuthErrorCode.SIGNIN_BLOCKED_HIGH_RISK, 'Sign-in blocked');
+ * }
+ * return decision.action === 'require_mfa';
+ * ```
+ */
 export declare class AdaptiveMFADecisionService {
     private readonly riskDetectionService;
     private readonly riskScoringService;
@@ -24,16 +82,102 @@ export declare class AdaptiveMFADecisionService {
     private readonly config;
     private readonly logger;
     private readonly auditService?;
+    /**
+     * Default risk level configuration
+     *
+     * Conservative defaults that prioritize security:
+     * - Low risk: Allow without MFA (normal flow)
+     * - Medium risk: Require MFA
+     * - High risk: Require MFA (conservative - don't block by default)
+     */
     private readonly defaultRiskLevels;
     constructor(riskDetectionService: RiskDetectionService, riskScoringService: RiskScoringService, storageAdapter: StorageAdapter, clientInfoService: ClientInfoService, config: NAuthConfig, logger: NAuthLogger, auditService?: AuthAuditService | undefined);
+    /**
+     * Evaluate adaptive MFA requirement with risk-based actions
+     *
+     * Main entry point for adaptive MFA evaluation. Analyzes current login context,
+     * calculates risk score, determines action, and calls lifecycle hooks.
+     *
+     * @param user - User being authenticated
+     * @param authMethod - Authentication method ('password', 'google', 'apple', etc.)
+     * @returns Decision object with action, risk details, and hook override status
+     *
+     * @example
+     * ```typescript
+     * const decision = await adaptiveMFADecisionService.evaluateAdaptiveMFA(user, 'password');
+     * if (decision.action === 'block_signin') {
+     *   // Handle blocking
+     * }
+     * ```
+     */
     evaluateAdaptiveMFA(user: IUser, authMethod: string): Promise<AdaptiveMFADecision>;
+    /**
+     * Determine risk level and action based on score and configured thresholds
+     *
+     * Evaluates risk score against configured thresholds in order: low → medium → high.
+     * Returns the first level that the score falls within.
+     *
+     * @param riskScore - Calculated risk score (0-100)
+     * @param riskLevels - Configured risk level thresholds
+     * @returns Risk level, action, and notifyUser flag
+     * @private
+     */
     private determineRiskLevelAndAction;
+    /**
+     * Check if user is currently blocked due to high-risk sign-in
+     *
+     * Uses storage adapter to check for existing block. Block is stored with
+     * key format: `adaptive_mfa_block:{userId}`.
+     *
+     * @param userId - Internal user ID (integer)
+     * @returns Block status with expiration and message if blocked
+     *
+     * @example
+     * ```typescript
+     * const blockStatus = await adaptiveMFADecisionService.isUserBlocked(user.id);
+     * if (blockStatus.blocked) {
+     *   throw new NAuthException(AuthErrorCode.SIGNIN_BLOCKED_HIGH_RISK, blockStatus.message);
+     * }
+     * ```
+     */
     isUserBlocked(userId: number): Promise<{
         blocked: boolean;
         expiresAt?: Date;
         message?: string;
     }>;
+    /**
+     * Block user sign-in due to high risk
+     *
+     * Stores block in storage adapter with optional TTL. Block data includes:
+     * - userId, userSub (for reference)
+     * - message (shown to user)
+     * - riskScore, riskFactors (for audit)
+     * - blockedAt, expiresAt (timestamps)
+     *
+     * Also calls onSignInBlocked lifecycle hook if configured.
+     *
+     * @param user - User to block
+     * @param payload - Risk event payload with all context
+     *
+     * @example
+     * ```typescript
+     * await adaptiveMFADecisionService.blockUserSignIn(user, payload);
+     * ```
+     */
     blockUserSignIn(user: IUser, payload: AdaptiveMFARiskEventPayload): Promise<void>;
+    /**
+     * Clear user block (manual unblock)
+     *
+     * Removes the block from storage adapter, allowing user to sign in again.
+     * Useful for admin actions or when risk situation has improved.
+     *
+     * @param userId - Internal user ID (integer)
+     *
+     * @example
+     * ```typescript
+     * await adaptiveMFADecisionService.clearUserBlock(user.id);
+     * ```
+     */
     clearUserBlock(userId: number): Promise<void>;
 }
 //# sourceMappingURL=adaptive-mfa-decision.service.d.ts.map

package/dist/services/adaptive-mfa-decision.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"adaptive-mfa-decision.service.d.ts","sourceRoot":"","sources":["../../src/services/adaptive-mfa-decision.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,kCAAkC,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,EAAE,wBAAwB,IAAI,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAEpF,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,OAAO,EAAE,WAAW,EAAE,2BAA2B,EAAwB,MAAM,gCAAgC,CAAC;AAChH,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAKpD,MAAM,WAAW,mBAAmB;IAIlC,MAAM,EAAE,OAAO,GAAG,aAAa,GAAG,cAAc,CAAC;IAKjD,SAAS,EAAE,MAAM,CAAC;IAKlB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAMrC,WAAW,EAAE,UAAU,EAAE,CAAC;IAK1B,UAAU,EAAE,OAAO,CAAC;IAKpB,YAAY,EAAE,OAAO,CAAC;IAMtB,OAAO,CAAC,EAAE,2BAA2B,CAAC;CACvC;AAkCD,qBAAa,0BAA0B;IAgCnC,OAAO,CAAC,QAAQ,CAAC,oBAAoB;IACrC,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAC/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;IA7BhC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAoBhC;gBAGiB,oBAAoB,EAAE,oBAAoB,EAC1C,kBAAkB,EAAE,kBAAkB,EACtC,cAAc,EAAE,cAAc,EAC9B,iBAAiB,EAAE,iBAAiB,EACpC,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,WAAW,EACnB,YAAY,CAAC,EAAE,gBAAgB,YAAA;IAqB5C,mBAAmB,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAwIxF,OAAO,CAAC,2BAA2B;IAqD7B,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QAC3C,OAAO,EAAE,OAAO,CAAC;QACjB,SAAS,CAAC,EAAE,IAAI,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IAmDI,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,2BAA2B,GAAG,OAAO,CAAC,IAAI,CAAC;IAwDjF,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAWpD"}
+{"version":3,"file":"adaptive-mfa-decision.service.d.ts","sourceRoot":"","sources":["../../src/services/adaptive-mfa-decision.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,kCAAkC,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,EAAE,wBAAwB,IAAI,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAEpF,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,OAAO,EAAE,WAAW,EAAE,2BAA2B,EAAwB,MAAM,gCAAgC,CAAC;AAChH,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;OAEG;IACH,MAAM,EAAE,OAAO,GAAG,aAAa,GAAG,cAAc,CAAC;IAEjD;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAErC;;;OAGG;IACH,WAAW,EAAE,UAAU,EAAE,CAAC;IAE1B;;OAEG;IACH,UAAU,EAAE,OAAO,CAAC;IAEpB;;OAEG;IACH,YAAY,EAAE,OAAO,CAAC;IAEtB;;;OAGG;IACH,OAAO,CAAC,EAAE,2BAA2B,CAAC;CACvC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,qBAAa,0BAA0B;IAgCnC,OAAO,CAAC,QAAQ,CAAC,oBAAoB;IACrC,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAC/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;IArChC;;;;;;;OAOG;IACH,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAoBhC;gBAGiB,oBAAoB,EAAE,oBAAoB,EAC1C,kBAAkB,EAAE,kBAAkB,EACtC,cAAc,EAAE,cAAc,EAC9B,iBAAiB,EAAE,iBAAiB,EACpC,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,WAAW,EACnB,YAAY,CAAC,EAAE,gBAAgB,YAAA;IAGlD;;;;;;;;;;;;;;;;;OAiBG;IACG,mBAAmB,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;IA6HxF;;;;;;;;;;OAUG;IACH,OAAO,CAAC,2BAA2B;IAoCnC;;;;;;;;;;;;;;;;OAgBG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QAC3C,OAAO,EAAE,OAAO,CAAC;QACjB,SAAS,CAAC,EAAE,IAAI,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IAgCF;;;;;;;;;;;;;;;;;;OAkBG;IACG,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,2BAA2B,GAAG,OAAO,CAAC,IAAI,CAAC;IA2CvF;;;;;;;;;;;;OAYG;IACG,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAWpD"}

package/dist/services/adaptive-mfa-decision.service.js

@@ -3,6 +3,38 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.AdaptiveMFADecisionService = void 0;
 const auth_audit_event_type_enum_1 = require("../enums/auth-audit-event-type.enum");
 const risk_factor_enum_1 = require("../enums/risk-factor.enum");
+/**
+ * Adaptive MFA Decision Service
+ *
+ * Makes context-aware MFA requirement decisions based on risk analysis.
+ * Supports multiple actions (allow, require_mfa, block_signin) based on risk level.
+ *
+ * **Decision Flow:**
+ * 1. Detect risk factors (via RiskDetectionService)
+ * 2. Calculate risk score (via RiskScoringService)
+ * 3. Determine risk level and action from configuration
+ * 4. Call lifecycle hooks if notifyUser is true
+ * 5. Record audit event (non-blocking)
+ * 6. Return decision object
+ *
+ * **Default Risk Levels:**
+ * - Low (0-20): action 'allow', notifyUser false
+ * - Medium (21-50): action 'require_mfa', notifyUser true
+ * - High (51-100): action 'require_mfa', notifyUser true (conservative default)
+ *
+ * **User Blocking:**
+ * When action is 'block_signin', user is blocked in storage adapter with optional TTL.
+ * Block status is checked before evaluation to prevent blocked users from attempting sign-in.
+ *
+ * @example
+ * ```typescript
+ * const decision = await adaptiveMFADecisionService.evaluateAdaptiveMFA(user, 'password');
+ * if (decision.action === 'block_signin') {
+ *   throw new NAuthException(AuthErrorCode.SIGNIN_BLOCKED_HIGH_RISK, 'Sign-in blocked');
+ * }
+ * return decision.action === 'require_mfa';
+ * ```
+ */
 class AdaptiveMFADecisionService {
     riskDetectionService;
     riskScoringService;
@@ -11,6 +43,14 @@ class AdaptiveMFADecisionService {
     config;
     logger;
     auditService;
+    /**
+     * Default risk level configuration
+     *
+     * Conservative defaults that prioritize security:
+     * - Low risk: Allow without MFA (normal flow)
+     * - Medium risk: Require MFA
+     * - High risk: Require MFA (conservative - don't block by default)
+     */
     defaultRiskLevels = {
         low: {
             maxScore: 20,
@@ -24,7 +64,7 @@ class AdaptiveMFADecisionService {
         },
         high: {
             maxScore: 100,
-            action: 'require_mfa',
+            action: 'require_mfa', // Conservative default (don't block)
             notifyUser: true,
         },
     };
@@ -37,7 +77,26 @@ class AdaptiveMFADecisionService {
         this.logger = logger;
         this.auditService = auditService;
     }
+    /**
+     * Evaluate adaptive MFA requirement with risk-based actions
+     *
+     * Main entry point for adaptive MFA evaluation. Analyzes current login context,
+     * calculates risk score, determines action, and calls lifecycle hooks.
+     *
+     * @param user - User being authenticated
+     * @param authMethod - Authentication method ('password', 'google', 'apple', etc.)
+     * @returns Decision object with action, risk details, and hook override status
+     *
+     * @example
+     * ```typescript
+     * const decision = await adaptiveMFADecisionService.evaluateAdaptiveMFA(user, 'password');
+     * if (decision.action === 'block_signin') {
+     *   // Handle blocking
+     * }
+     * ```
+     */
     async evaluateAdaptiveMFA(user, authMethod) {
+        // Validate email is present (required by IUser interface but runtime check for safety)
         if (!user.email) {
             this.logger?.error?.(`User ${user.sub} missing email - cannot evaluate adaptive MFA`, {
                 userId: user.id,
@@ -45,16 +104,22 @@ class AdaptiveMFADecisionService {
             });
             throw new Error(`User email is required for adaptive MFA evaluation`);
         }
+        // Get current client context
         const clientInfo = this.clientInfoService.get();
+        // Detect risk factors
         const riskFactors = await this.riskDetectionService.detectRiskFactors(user, clientInfo);
+        // Calculate risk score
         const riskScore = this.riskScoringService.calculateRiskScore(riskFactors);
+        // Determine risk level and action
         const riskLevels = this.config.mfa?.adaptive?.riskLevels || this.defaultRiskLevels;
         const { level, action, notifyUser } = this.determineRiskLevelAndAction(riskScore, riskLevels);
         this.logger?.log?.(`Adaptive MFA evaluation: user=${user.sub}, score=${riskScore}, level=${level}, action=${action}, notify=${notifyUser}, factors=[${riskFactors.join(', ')}]`);
+        // Prepare payload for hooks and audit
+        // Include payload when action requires it (block_signin) or when notifyUser is true
         const payload = {
             user: {
                 sub: user.sub,
-                email: user.email,
+                email: user.email, // Safe after validation above
                 username: user.username || undefined,
                 phoneNumber: user.phone || undefined,
             },
@@ -66,7 +131,7 @@ class AdaptiveMFADecisionService {
                 ipAddress: clientInfo.ipAddress,
                 ipCountry: clientInfo.ipCountry,
                 ipCity: clientInfo.ipCity,
-                deviceId: clientInfo.deviceToken,
+                deviceId: clientInfo.deviceToken, // deviceToken maps to deviceId in sessions
                 deviceName: clientInfo.deviceName,
                 deviceType: clientInfo.deviceType,
                 userAgent: clientInfo.userAgent,
@@ -76,20 +141,30 @@ class AdaptiveMFADecisionService {
             authMethod,
             timestamp: new Date(),
         };
+        // Call lifecycle hook if configured and user should be notified
         let hookOverride = false;
         if (notifyUser && this.config.hooks?.onAdaptiveMFATriggered) {
             try {
                 const result = await this.config.hooks.onAdaptiveMFATriggered(payload);
+                // Hook can return false to override and allow sign-in
                 if (result === false) {
                     hookOverride = true;
                     this.logger?.warn?.(`Adaptive MFA action overridden by hook: user=${user.sub}`);
                 }
             }
             catch (error) {
+                // Non-blocking: Log error but continue with original action
                 const errorMessage = error instanceof Error ? error.message : 'Unknown error';
                 this.logger?.error?.(`Adaptive MFA hook failed: ${errorMessage}`, { error, userId: user.sub });
             }
         }
+        // Record in audit trail (non-blocking)
+        // This logs the risk assessment result
+        // Determine event status based on risk level and action:
+        // - block_signin: SUSPICIOUS (security violation)
+        // - require_mfa with high/medium risk or suspicious factors: SUSPICIOUS
+        // - require_mfa with low risk: INFO (normal security measure)
+        // - allow: INFO (no risk detected)
         const hasSuspiciousFactors = riskFactors.includes(risk_factor_enum_1.RiskFactor.SUSPICIOUS_ACTIVITY) ||
             riskFactors.includes(risk_factor_enum_1.RiskFactor.IMPOSSIBLE_TRAVEL) ||
             level === 'high';
@@ -114,6 +189,7 @@ class AdaptiveMFADecisionService {
                 action,
                 riskFactors,
             },
+            // Client info automatically included from context
         })
             .catch((err) => {
             this.logger?.warn?.(`Failed to record ADAPTIVE_MFA_RISK_ASSESSED audit: ${err.message}`);
@@ -125,10 +201,24 @@ class AdaptiveMFADecisionService {
             riskFactors,
             notifyUser,
             hookOverride,
+            // Include payload when action requires it or when notifyUser is true
+            // This ensures consistent clientInfo data for blockUserSignIn and audit logs
             payload: action === 'block_signin' || notifyUser ? payload : undefined,
         };
     }
+    /**
+     * Determine risk level and action based on score and configured thresholds
+     *
+     * Evaluates risk score against configured thresholds in order: low → medium → high.
+     * Returns the first level that the score falls within.
+     *
+     * @param riskScore - Calculated risk score (0-100)
+     * @param riskLevels - Configured risk level thresholds
+     * @returns Risk level, action, and notifyUser flag
+     * @private
+     */
     determineRiskLevelAndAction(riskScore, riskLevels) {
+        // Check in order: low → medium → high
         if (riskScore <= (riskLevels.low?.maxScore ?? 20)) {
             return {
                 level: 'low',
@@ -149,6 +239,23 @@ class AdaptiveMFADecisionService {
             notifyUser: riskLevels.high?.notifyUser ?? true,
         };
     }
+    /**
+     * Check if user is currently blocked due to high-risk sign-in
+     *
+     * Uses storage adapter to check for existing block. Block is stored with
+     * key format: `adaptive_mfa_block:{userId}`.
+     *
+     * @param userId - Internal user ID (integer)
+     * @returns Block status with expiration and message if blocked
+     *
+     * @example
+     * ```typescript
+     * const blockStatus = await adaptiveMFADecisionService.isUserBlocked(user.id);
+     * if (blockStatus.blocked) {
+     *   throw new NAuthException(AuthErrorCode.SIGNIN_BLOCKED_HIGH_RISK, blockStatus.message);
+     * }
+     * ```
+     */
     async isUserBlocked(userId) {
         try {
             const blockKey = `adaptive_mfa_block:${userId}`;
@@ -158,7 +265,9 @@ class AdaptiveMFADecisionService {
             }
             const parsed = JSON.parse(blockData);
             const expiresAt = parsed.expiresAt ? new Date(parsed.expiresAt) : undefined;
+            // Check if block has expired (if temporary)
             if (expiresAt && expiresAt < new Date()) {
+                // Block expired - clean up
                 await this.storageAdapter.del(blockKey);
                 return { blocked: false };
             }
@@ -169,15 +278,36 @@ class AdaptiveMFADecisionService {
             };
         }
         catch (error) {
+            // Non-blocking: Log error but assume not blocked (safer for UX)
             const errorMessage = error instanceof Error ? error.message : 'Unknown error';
             this.logger?.warn?.(`Failed to check user block status: ${errorMessage}`, { error, userId });
             return { blocked: false };
         }
     }
+    /**
+     * Block user sign-in due to high risk
+     *
+     * Stores block in storage adapter with optional TTL. Block data includes:
+     * - userId, userSub (for reference)
+     * - message (shown to user)
+     * - riskScore, riskFactors (for audit)
+     * - blockedAt, expiresAt (timestamps)
+     *
+     * Also calls onSignInBlocked lifecycle hook if configured.
+     *
+     * @param user - User to block
+     * @param payload - Risk event payload with all context
+     *
+     * @example
+     * ```typescript
+     * await adaptiveMFADecisionService.blockUserSignIn(user, payload);
+     * ```
+     */
     async blockUserSignIn(user, payload) {
         const blockConfig = this.config.mfa?.adaptive?.blockedSignIn;
-        const blockDuration = blockConfig?.blockDuration;
+        const blockDuration = blockConfig?.blockDuration; // minutes
         const message = blockConfig?.message || 'Sign-in blocked due to suspicious activity. Please contact support.';
+        // Store block in storage adapter
         const blockKey = `adaptive_mfa_block:${user.id}`;
         const blockData = {
             userId: user.id,
@@ -188,9 +318,10 @@ class AdaptiveMFADecisionService {
             blockedAt: new Date().toISOString(),
             expiresAt: blockDuration ? new Date(Date.now() + blockDuration * 60 * 1000).toISOString() : undefined,
         };
-        const ttl = blockDuration ? blockDuration * 60 : undefined;
+        const ttl = blockDuration ? blockDuration * 60 : undefined; // Convert to seconds
         await this.storageAdapter.set(blockKey, JSON.stringify(blockData), ttl);
         this.logger?.warn?.(`User sign-in blocked: user=${user.sub}, score=${payload.riskScore}, duration=${blockDuration ? `${blockDuration}min` : 'permanent'}`);
+        // Call sign-in blocked hook if configured
         if (this.config.hooks?.onSignInBlocked) {
             const blockedPayload = {
                 ...payload,
@@ -202,11 +333,25 @@ class AdaptiveMFADecisionService {
                 await this.config.hooks.onSignInBlocked(blockedPayload);
             }
             catch (error) {
+                // Non-blocking
                 const errorMessage = error instanceof Error ? error.message : 'Unknown error';
                 this.logger?.error?.(`Sign-in blocked hook failed: ${errorMessage}`, { error, userId: user.sub });
             }
         }
     }
+    /**
+     * Clear user block (manual unblock)
+     *
+     * Removes the block from storage adapter, allowing user to sign in again.
+     * Useful for admin actions or when risk situation has improved.
+     *
+     * @param userId - Internal user ID (integer)
+     *
+     * @example
+     * ```typescript
+     * await adaptiveMFADecisionService.clearUserBlock(user.id);
+     * ```
+     */
     async clearUserBlock(userId) {
         try {
             const blockKey = `adaptive_mfa_block:${userId}`;
@@ -214,6 +359,7 @@ class AdaptiveMFADecisionService {
             this.logger?.log?.(`User block cleared: userId=${userId}`);
         }
         catch (error) {
+            // Non-blocking: Log error but continue
             const errorMessage = error instanceof Error ? error.message : 'Unknown error';
             this.logger?.warn?.(`Failed to clear user block: ${errorMessage}`, { error, userId });
         }

package/dist/services/adaptive-mfa-decision.service.js.map

@@ -1 +1 @@
-{"version":3,"file":"adaptive-mfa-decision.service.js","sourceRoot":"","sources":["../../src/services/adaptive-mfa-decision.service.ts"],"names":[],"mappings":";;;AAGA,oFAAyE;AACzE,gEAAuD;AAkFvD,MAAa,0BAA0B;IAgClB;IACA;IACA;IACA;IACA;IACA;IACA;IA7BF,iBAAiB,GAI9B;QACF,GAAG,EAAE;YACH,QAAQ,EAAE,EAAE;YACZ,MAAM,EAAE,OAAO;YACf,UAAU,EAAE,KAAK;SAClB;QACD,MAAM,EAAE;YACN,QAAQ,EAAE,EAAE;YACZ,MAAM,EAAE,aAAa;YACrB,UAAU,EAAE,IAAI;SACjB;QACD,IAAI,EAAE;YACJ,QAAQ,EAAE,GAAG;YACb,MAAM,EAAE,aAAa;YACrB,UAAU,EAAE,IAAI;SACjB;KACF,CAAC;IAEF,YACmB,oBAA0C,EAC1C,kBAAsC,EACtC,cAA8B,EAC9B,iBAAoC,EACpC,MAAmB,EACnB,MAAmB,EACnB,YAA+B;QAN/B,yBAAoB,GAApB,oBAAoB,CAAsB;QAC1C,uBAAkB,GAAlB,kBAAkB,CAAoB;QACtC,mBAAc,GAAd,cAAc,CAAgB;QAC9B,sBAAiB,GAAjB,iBAAiB,CAAmB;QACpC,WAAM,GAAN,MAAM,CAAa;QACnB,WAAM,GAAN,MAAM,CAAa;QACnB,iBAAY,GAAZ,YAAY,CAAmB;IAC/C,CAAC;IAoBJ,KAAK,CAAC,mBAAmB,CAAC,IAAW,EAAE,UAAkB;QAEvD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,QAAQ,IAAI,CAAC,GAAG,+CAA+C,EAAE;gBACpF,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,OAAO,EAAE,IAAI,CAAC,GAAG;aAClB,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QAGD,MAAM,UAAU,GAAe,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,CAAC;QAG5D,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,iBAAiB,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAGxF,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC;QAG1E,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,UAAU,IAAI,IAAI,CAAC,iBAAiB,CAAC;QACnF,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,2BAA2B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAE9F,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAChB,iCAAiC,IAAI,CAAC,GAAG,WAAW,SAAS,WAAW,KAAK,YAAY,MAAM,YAAY,UAAU,cAAc,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAC7J,CAAC;QAIF,MAAM,OAAO,GAAgC;YAC3C,IAAI,EAAE;gBACJ,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS;gBACpC,WAAW,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS;aACrC;YACD,SAAS;YACT,SAAS,EAAE,KAAK;YAChB,WAAW;YACX,MAAM;YACN,UAAU,EAAE;gBACV,SAAS,EAAE,UAAU,CAAC,SAAS;gBAC/B,SAAS,EAAE,UAAU,CAAC,SAAS;gBAC/B,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,QAAQ,EAAE,UAAU,CAAC,WAAW;gBAChC,UAAU,EAAE,UAAU,CAAC,UAAU;gBACjC,UAAU,EAAE,UAAU,CAAC,UAAU;gBACjC,SAAS,EAAE,UAAU,CAAC,SAAS;gBAC/B,QAAQ,EAAE,UAAU,CAAC,QAAQ;gBAC7B,OAAO,EAAE,UAAU,CAAC,OAAO;aAC5B;YACD,UAAU;YACV,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;QAGF,IAAI,YAAY,GAAG,KAAK,CAAC;QACzB,IAAI,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,sBAAsB,EAAE,CAAC;YAC5D,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;gBAEvE,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;oBACrB,YAAY,GAAG,IAAI,CAAC;oBACpB,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,gDAAgD,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;gBAClF,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAEf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;gBAC9E,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,6BAA6B,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACjG,CAAC;QACH,CAAC;QASD,MAAM,oBAAoB,GACxB,WAAW,CAAC,QAAQ,CAAC,6BAAU,CAAC,mBAAmB,CAAC;YACpD,WAAW,CAAC,QAAQ,CAAC,6BAAU,CAAC,iBAAiB,CAAC;YAClD,KAAK,KAAK,MAAM,CAAC;QACnB,MAAM,WAAW,GACf,MAAM,KAAK,cAAc;YACvB,CAAC,CAAC,YAAY;YACd,CAAC,CAAC,MAAM,KAAK,aAAa,IAAI,oBAAoB;gBAChD,CAAC,CAAC,YAAY;gBACd,CAAC,CAAC,MAAM,CAAC;QAEf,IAAI,CAAC,YAAY;YACf,EAAE,WAAW,CAAC;YACZ,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,SAAS,EAAE,+CAAkB,CAAC,0BAA0B;YACxD,WAAW;YACX,UAAU,EAAE,SAAS;YACrB,WAAW;YACX,oBAAoB,EAAE,MAAM,KAAK,OAAO;YACxC,WAAW,EAAE,iCAAiC,MAAM,YAAY,SAAS,YAAY,KAAK,GAAG;YAC7F,UAAU;YACV,QAAQ,EAAE;gBACR,SAAS;gBACT,SAAS,EAAE,KAAK;gBAChB,MAAM;gBACN,WAAW;aACZ;SAEF,CAAC;aACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,sDAAsD,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,CAAC,CAAC,CAAC;QAEL,OAAO;YACL,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;YACvC,SAAS;YACT,SAAS,EAAE,KAAK;YAChB,WAAW;YACX,UAAU;YACV,YAAY;YAGZ,OAAO,EAAE,MAAM,KAAK,cAAc,IAAI,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;SACvE,CAAC;IACJ,CAAC;IAaO,2BAA2B,CACjC,SAAiB,EACjB,UAIC;QAOD,IAAI,SAAS,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,UAAU,CAAC,GAAG,EAAE,MAAM,IAAI,OAAO;gBACzC,UAAU,EAAE,UAAU,CAAC,GAAG,EAAE,UAAU,IAAI,KAAK;aAChD,CAAC;QACJ,CAAC;QAED,IAAI,SAAS,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;YACrD,OAAO;gBACL,KAAK,EAAE,QAAQ;gBACf,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,MAAM,IAAI,aAAa;gBAClD,UAAU,EAAE,UAAU,CAAC,MAAM,EAAE,UAAU,IAAI,IAAI;aAClD,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,MAAM;YACb,MAAM,EAAE,UAAU,CAAC,IAAI,EAAE,MAAM,IAAI,aAAa;YAChD,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,UAAU,IAAI,IAAI;SAChD,CAAC;IACJ,CAAC;IAmBD,KAAK,CAAC,aAAa,CAAC,MAAc;QAKhC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,sBAAsB,MAAM,EAAE,CAAC;YAChD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAE1D,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YAC5B,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACrC,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAG5E,IAAI,SAAS,IAAI,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBAExC,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACxC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YAC5B,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,SAAS;gBACT,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAEf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,sCAAsC,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YAC7F,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC;IAqBD,KAAK,CAAC,eAAe,CAAC,IAAW,EAAE,OAAoC;QACrE,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,aAAa,CAAC;QAC7D,MAAM,aAAa,GAAG,WAAW,EAAE,aAAa,CAAC;QACjD,MAAM,OAAO,GAAG,WAAW,EAAE,OAAO,IAAI,qEAAqE,CAAC;QAG9G,MAAM,QAAQ,GAAG,sBAAsB,IAAI,CAAC,EAAE,EAAE,CAAC;QACjD,MAAM,SAAS,GAAG;YAChB,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,OAAO,EAAE,IAAI,CAAC,GAAG;YACjB,OAAO;YACP,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS;SACtG,CAAC;QAEF,MAAM,GAAG,GAAG,aAAa,CAAC,CAAC,CAAC,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QAC3D,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC;QAExE,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CACjB,8BAA8B,IAAI,CAAC,GAAG,WAAW,OAAO,CAAC,SAAS,cAAc,aAAa,CAAC,CAAC,CAAC,GAAG,aAAa,KAAK,CAAC,CAAC,CAAC,WAAW,EAAE,CACtI,CAAC;QAGF,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,eAAe,EAAE,CAAC;YACvC,MAAM,cAAc,GAAyB;gBAC3C,GAAG,OAAO;gBACV,aAAa;gBACb,cAAc,EAAE,aAAa,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;gBAC5F,OAAO;aACR,CAAC;YAEF,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;YAC1D,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAEf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;gBAC9E,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,gCAAgC,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACpG,CAAC;QACH,CAAC;IACH,CAAC;IAeD,KAAK,CAAC,cAAc,CAAC,MAAc;QACjC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,sBAAsB,MAAM,EAAE,CAAC;YAChD,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,8BAA8B,MAAM,EAAE,CAAC,CAAC;QAC7D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAEf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,+BAA+B,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;CACF;AAlXD,gEAkXC"}
+{"version":3,"file":"adaptive-mfa-decision.service.js","sourceRoot":"","sources":["../../src/services/adaptive-mfa-decision.service.ts"],"names":[],"mappings":";;;AAGA,oFAAyE;AACzE,gEAAuD;AAkDvD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,MAAa,0BAA0B;IAgClB;IACA;IACA;IACA;IACA;IACA;IACA;IArCnB;;;;;;;OAOG;IACc,iBAAiB,GAI9B;QACF,GAAG,EAAE;YACH,QAAQ,EAAE,EAAE;YACZ,MAAM,EAAE,OAAO;YACf,UAAU,EAAE,KAAK;SAClB;QACD,MAAM,EAAE;YACN,QAAQ,EAAE,EAAE;YACZ,MAAM,EAAE,aAAa;YACrB,UAAU,EAAE,IAAI;SACjB;QACD,IAAI,EAAE;YACJ,QAAQ,EAAE,GAAG;YACb,MAAM,EAAE,aAAa,EAAE,qCAAqC;YAC5D,UAAU,EAAE,IAAI;SACjB;KACF,CAAC;IAEF,YACmB,oBAA0C,EAC1C,kBAAsC,EACtC,cAA8B,EAC9B,iBAAoC,EACpC,MAAmB,EACnB,MAAmB,EACnB,YAA+B;QAN/B,yBAAoB,GAApB,oBAAoB,CAAsB;QAC1C,uBAAkB,GAAlB,kBAAkB,CAAoB;QACtC,mBAAc,GAAd,cAAc,CAAgB;QAC9B,sBAAiB,GAAjB,iBAAiB,CAAmB;QACpC,WAAM,GAAN,MAAM,CAAa;QACnB,WAAM,GAAN,MAAM,CAAa;QACnB,iBAAY,GAAZ,YAAY,CAAmB;IAC/C,CAAC;IAEJ;;;;;;;;;;;;;;;;;OAiBG;IACH,KAAK,CAAC,mBAAmB,CAAC,IAAW,EAAE,UAAkB;QACvD,uFAAuF;QACvF,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,QAAQ,IAAI,CAAC,GAAG,+CAA+C,EAAE;gBACpF,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,OAAO,EAAE,IAAI,CAAC,GAAG;aAClB,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QAED,6BAA6B;QAC7B,MAAM,UAAU,GAAe,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,CAAC;QAE5D,sBAAsB;QACtB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,iBAAiB,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAExF,uBAAuB;QACvB,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC;QAE1E,kCAAkC;QAClC,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,UAAU,IAAI,IAAI,CAAC,iBAAiB,CAAC;QACnF,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,2BAA2B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAE9F,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAChB,iCAAiC,IAAI,CAAC,GAAG,WAAW,SAAS,WAAW,KAAK,YAAY,MAAM,YAAY,UAAU,cAAc,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAC7J,CAAC;QAEF,sCAAsC;QACtC,oFAAoF;QACpF,MAAM,OAAO,GAAgC;YAC3C,IAAI,EAAE;gBACJ,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,8BAA8B;gBACjD,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS;gBACpC,WAAW,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS;aACrC;YACD,SAAS;YACT,SAAS,EAAE,KAAK;YAChB,WAAW;YACX,MAAM;YACN,UAAU,EAAE;gBACV,SAAS,EAAE,UAAU,CAAC,SAAS;gBAC/B,SAAS,EAAE,UAAU,CAAC,SAAS;gBAC/B,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,QAAQ,EAAE,UAAU,CAAC,WAAW,EAAE,2CAA2C;gBAC7E,UAAU,EAAE,UAAU,CAAC,UAAU;gBACjC,UAAU,EAAE,UAAU,CAAC,UAAU;gBACjC,SAAS,EAAE,UAAU,CAAC,SAAS;gBAC/B,QAAQ,EAAE,UAAU,CAAC,QAAQ;gBAC7B,OAAO,EAAE,UAAU,CAAC,OAAO;aAC5B;YACD,UAAU;YACV,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;QAEF,gEAAgE;QAChE,IAAI,YAAY,GAAG,KAAK,CAAC;QACzB,IAAI,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,sBAAsB,EAAE,CAAC;YAC5D,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;gBACvE,sDAAsD;gBACtD,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;oBACrB,YAAY,GAAG,IAAI,CAAC;oBACpB,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,gDAAgD,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;gBAClF,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,4DAA4D;gBAC5D,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;gBAC9E,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,6BAA6B,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACjG,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,uCAAuC;QACvC,yDAAyD;QACzD,kDAAkD;QAClD,wEAAwE;QACxE,8DAA8D;QAC9D,mCAAmC;QACnC,MAAM,oBAAoB,GACxB,WAAW,CAAC,QAAQ,CAAC,6BAAU,CAAC,mBAAmB,CAAC;YACpD,WAAW,CAAC,QAAQ,CAAC,6BAAU,CAAC,iBAAiB,CAAC;YAClD,KAAK,KAAK,MAAM,CAAC;QACnB,MAAM,WAAW,GACf,MAAM,KAAK,cAAc;YACvB,CAAC,CAAC,YAAY;YACd,CAAC,CAAC,MAAM,KAAK,aAAa,IAAI,oBAAoB;gBAChD,CAAC,CAAC,YAAY;gBACd,CAAC,CAAC,MAAM,CAAC;QAEf,IAAI,CAAC,YAAY;YACf,EAAE,WAAW,CAAC;YACZ,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,SAAS,EAAE,+CAAkB,CAAC,0BAA0B;YACxD,WAAW;YACX,UAAU,EAAE,SAAS;YACrB,WAAW;YACX,oBAAoB,EAAE,MAAM,KAAK,OAAO;YACxC,WAAW,EAAE,iCAAiC,MAAM,YAAY,SAAS,YAAY,KAAK,GAAG;YAC7F,UAAU;YACV,QAAQ,EAAE;gBACR,SAAS;gBACT,SAAS,EAAE,KAAK;gBAChB,MAAM;gBACN,WAAW;aACZ;YACD,kDAAkD;SACnD,CAAC;aACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,sDAAsD,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,CAAC,CAAC,CAAC;QAEL,OAAO;YACL,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;YACvC,SAAS;YACT,SAAS,EAAE,KAAK;YAChB,WAAW;YACX,UAAU;YACV,YAAY;YACZ,qEAAqE;YACrE,6EAA6E;YAC7E,OAAO,EAAE,MAAM,KAAK,cAAc,IAAI,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;SACvE,CAAC;IACJ,CAAC;IAED;;;;;;;;;;OAUG;IACK,2BAA2B,CACjC,SAAiB,EACjB,UAIC;QAMD,sCAAsC;QACtC,IAAI,SAAS,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,UAAU,CAAC,GAAG,EAAE,MAAM,IAAI,OAAO;gBACzC,UAAU,EAAE,UAAU,CAAC,GAAG,EAAE,UAAU,IAAI,KAAK;aAChD,CAAC;QACJ,CAAC;QAED,IAAI,SAAS,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;YACrD,OAAO;gBACL,KAAK,EAAE,QAAQ;gBACf,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,MAAM,IAAI,aAAa;gBAClD,UAAU,EAAE,UAAU,CAAC,MAAM,EAAE,UAAU,IAAI,IAAI;aAClD,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,MAAM;YACb,MAAM,EAAE,UAAU,CAAC,IAAI,EAAE,MAAM,IAAI,aAAa;YAChD,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,UAAU,IAAI,IAAI;SAChD,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,aAAa,CAAC,MAAc;QAKhC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,sBAAsB,MAAM,EAAE,CAAC;YAChD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAE1D,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YAC5B,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACrC,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAE5E,4CAA4C;YAC5C,IAAI,SAAS,IAAI,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBACxC,2BAA2B;gBAC3B,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACxC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YAC5B,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,SAAS;gBACT,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gEAAgE;YAChE,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,sCAAsC,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YAC7F,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;;;;;;OAkBG;IACH,KAAK,CAAC,eAAe,CAAC,IAAW,EAAE,OAAoC;QACrE,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,aAAa,CAAC;QAC7D,MAAM,aAAa,GAAG,WAAW,EAAE,aAAa,CAAC,CAAC,UAAU;QAC5D,MAAM,OAAO,GAAG,WAAW,EAAE,OAAO,IAAI,qEAAqE,CAAC;QAE9G,iCAAiC;QACjC,MAAM,QAAQ,GAAG,sBAAsB,IAAI,CAAC,EAAE,EAAE,CAAC;QACjD,MAAM,SAAS,GAAG;YAChB,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,OAAO,EAAE,IAAI,CAAC,GAAG;YACjB,OAAO;YACP,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS;SACtG,CAAC;QAEF,MAAM,GAAG,GAAG,aAAa,CAAC,CAAC,CAAC,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,qBAAqB;QACjF,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC;QAExE,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CACjB,8BAA8B,IAAI,CAAC,GAAG,WAAW,OAAO,CAAC,SAAS,cAAc,aAAa,CAAC,CAAC,CAAC,GAAG,aAAa,KAAK,CAAC,CAAC,CAAC,WAAW,EAAE,CACtI,CAAC;QAEF,0CAA0C;QAC1C,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,eAAe,EAAE,CAAC;YACvC,MAAM,cAAc,GAAyB;gBAC3C,GAAG,OAAO;gBACV,aAAa;gBACb,cAAc,EAAE,aAAa,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;gBAC5F,OAAO;aACR,CAAC;YAEF,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;YAC1D,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,eAAe;gBACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;gBAC9E,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,gCAAgC,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACpG,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,cAAc,CAAC,MAAc;QACjC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,sBAAsB,MAAM,EAAE,CAAC;YAChD,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,8BAA8B,MAAM,EAAE,CAAC,CAAC;QAC7D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,uCAAuC;YACvC,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,+BAA+B,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;CACF;AAlXD,gEAkXC"}