@nexpress/core 0.2.2 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (74) hide show
  1. package/dist/auth.d.ts +26 -3
  2. package/dist/auth.js +5 -3
  3. package/dist/{can-FKIEV54H.js → can-UJ2NAOIR.js} +3 -3
  4. package/dist/{chunk-CHQJG4BB.js → chunk-2N53KKIL.js} +2 -2
  5. package/dist/{chunk-DWG3RZH2.js → chunk-2VZZ7M26.js} +2 -2
  6. package/dist/{chunk-5LCLS6VE.js → chunk-56ZK5PWM.js} +19 -19
  7. package/dist/{chunk-S37WWNBB.js → chunk-6IEYOY2L.js} +28 -121
  8. package/dist/chunk-6IEYOY2L.js.map +1 -0
  9. package/dist/{chunk-QYP6E5FP.js → chunk-6UV2P5MW.js} +63 -50
  10. package/dist/chunk-6UV2P5MW.js.map +1 -0
  11. package/dist/{chunk-26RYBFTF.js → chunk-AEKO4MXK.js} +21 -4
  12. package/dist/chunk-AEKO4MXK.js.map +1 -0
  13. package/dist/{chunk-L4F5RAQ5.js → chunk-DKOCKZVG.js} +9 -9
  14. package/dist/{chunk-KSUS4UNN.js → chunk-HUESWYZJ.js} +2 -2
  15. package/dist/{chunk-CTUHJHLH.js → chunk-HVHV3IHF.js} +2 -2
  16. package/dist/chunk-P5WGQRSG.js +180 -0
  17. package/dist/chunk-P5WGQRSG.js.map +1 -0
  18. package/dist/{chunk-HM46WM45.js → chunk-RDTTK27V.js} +6 -6
  19. package/dist/{chunk-PQBJWZ7D.js → chunk-RJ76SKWQ.js} +4 -4
  20. package/dist/{chunk-74CGJJDY.js → chunk-RKM4GDWM.js} +1 -1
  21. package/dist/{chunk-7GNVXRLG.js → chunk-UIQYA3Y7.js} +5 -5
  22. package/dist/{chunk-CKT4QZDC.js → chunk-WJJ5MBH5.js} +5 -5
  23. package/dist/community.d.ts +1 -1
  24. package/dist/community.js +20 -19
  25. package/dist/{config-65OBL4YH.js → config-44MFLLIX.js} +8 -7
  26. package/dist/db-schema.d.ts +2 -2
  27. package/dist/db.d.ts +3 -3
  28. package/dist/db.js +1 -1
  29. package/dist/fields.d.ts +54 -0
  30. package/dist/fields.js +14 -0
  31. package/dist/{host-55D6RX3U.js → host-DKOWZWKA.js} +6 -5
  32. package/dist/i18n.d.ts +1 -1
  33. package/dist/i18n.js +1 -1
  34. package/dist/{index-Ccw0AkXh.d.ts → index-BmR3Z8Y5.d.ts} +1 -1
  35. package/dist/{index-BWsQUGRZ.d.ts → index-C-jKU1St.d.ts} +2 -2
  36. package/dist/{index-D6Q7DOl7.d.ts → index-Ca-WUDH5.d.ts} +1 -1
  37. package/dist/{index-BpW3PGhP.d.ts → index-lACZ9sON.d.ts} +1 -1
  38. package/dist/index.d.ts +10 -12
  39. package/dist/index.js +189 -78
  40. package/dist/index.js.map +1 -1
  41. package/dist/jobs.d.ts +2 -2
  42. package/dist/jobs.js +2 -2
  43. package/dist/media.d.ts +2 -2
  44. package/dist/media.js +2 -2
  45. package/dist/{mentions-NCQR4B72.js → mentions-U4JACYI6.js} +3 -3
  46. package/dist/{mutes-FJSSU2JP.js → mutes-MNQP6ACF.js} +3 -3
  47. package/dist/{scheduled-UC7O2HBQ.js → scheduled-VEOGI5EW.js} +7 -6
  48. package/dist/seo.js +6 -5
  49. package/dist/{settings-JODDWMDB.js → settings-OZWM6L2K.js} +2 -2
  50. package/dist/settings-OZWM6L2K.js.map +1 -0
  51. package/dist/strings-4EWJYDOG.js +1 -1
  52. package/dist/{types-C-r01wmU.d.ts → types-BY1UmEiY.d.ts} +267 -2
  53. package/package.json +6 -1
  54. package/dist/chunk-26RYBFTF.js.map +0 -1
  55. package/dist/chunk-QYP6E5FP.js.map +0 -1
  56. package/dist/chunk-S37WWNBB.js.map +0 -1
  57. /package/dist/{can-FKIEV54H.js.map → can-UJ2NAOIR.js.map} +0 -0
  58. /package/dist/{chunk-CHQJG4BB.js.map → chunk-2N53KKIL.js.map} +0 -0
  59. /package/dist/{chunk-DWG3RZH2.js.map → chunk-2VZZ7M26.js.map} +0 -0
  60. /package/dist/{chunk-5LCLS6VE.js.map → chunk-56ZK5PWM.js.map} +0 -0
  61. /package/dist/{chunk-L4F5RAQ5.js.map → chunk-DKOCKZVG.js.map} +0 -0
  62. /package/dist/{chunk-KSUS4UNN.js.map → chunk-HUESWYZJ.js.map} +0 -0
  63. /package/dist/{chunk-CTUHJHLH.js.map → chunk-HVHV3IHF.js.map} +0 -0
  64. /package/dist/{chunk-HM46WM45.js.map → chunk-RDTTK27V.js.map} +0 -0
  65. /package/dist/{chunk-PQBJWZ7D.js.map → chunk-RJ76SKWQ.js.map} +0 -0
  66. /package/dist/{chunk-74CGJJDY.js.map → chunk-RKM4GDWM.js.map} +0 -0
  67. /package/dist/{chunk-7GNVXRLG.js.map → chunk-UIQYA3Y7.js.map} +0 -0
  68. /package/dist/{chunk-CKT4QZDC.js.map → chunk-WJJ5MBH5.js.map} +0 -0
  69. /package/dist/{config-65OBL4YH.js.map → config-44MFLLIX.js.map} +0 -0
  70. /package/dist/{host-55D6RX3U.js.map → fields.js.map} +0 -0
  71. /package/dist/{mentions-NCQR4B72.js.map → host-DKOWZWKA.js.map} +0 -0
  72. /package/dist/{mutes-FJSSU2JP.js.map → mentions-U4JACYI6.js.map} +0 -0
  73. /package/dist/{scheduled-UC7O2HBQ.js.map → mutes-MNQP6ACF.js.map} +0 -0
  74. /package/dist/{settings-JODDWMDB.js.map → scheduled-VEOGI5EW.js.map} +0 -0
package/dist/chunk-26RYBFTF.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/db/connection.ts","../src/db/generator.ts","../src/db/type-generator.ts"],"sourcesContent":["import { drizzle } from \"drizzle-orm/node-postgres\";\nimport { Pool } from \"pg\";\n\nimport { readEnvPositiveInt } from \"../config/env.js\";\nimport * as schema from \"./schema/index.js\";\n\nexport interface CreateDbConnectionConfig {\n connectionString: string;\n pool?: Pool;\n /**\n * Override Pool option defaults. Useful for tests, or for sites that need\n * to tune connection limits / timeouts. The fields explicitly set below\n * (`connectionTimeoutMillis`, `statement_timeout`) win unless callers\n * override them here.\n */\n poolOptions?: ConstructorParameters<typeof Pool>[0];\n}\n\n/**\n * Defaults chosen so a wedged Postgres (network drop, container paused,\n * lock storm) surfaces a clear error in single-digit seconds rather than\n * letting a Next.js request handler hang past the platform's request\n * deadline. Both bounds can be raised on a per-site basis via `poolOptions`\n * or globally via `NP_DB_CONNECTION_TIMEOUT_MS` / `NP_DB_STATEMENT_TIMEOUT_MS`.\n *\n * - `connectionTimeoutMillis` caps `pool.connect()` waits — kicks in when\n * the daemon TCP-accepts but never completes the Postgres handshake (the\n * Docker-Desktop-stuck failure mode).\n * - `statement_timeout` is enforced server-side by Postgres and bounds any\n * single query, including the catch-all \"select * from np_users where\n * email = $1\" path that has to be fast on the auth hot path. Sites with\n * legitimately heavy admin workloads (large audit searches, bulk\n * exports) raise this rather than dropping the bound entirely.\n */\nconst DEFAULT_CONNECTION_TIMEOUT_MS = readEnvPositiveInt(\"NP_DB_CONNECTION_TIMEOUT_MS\", 5_000);\nconst DEFAULT_STATEMENT_TIMEOUT_MS = readEnvPositiveInt(\"NP_DB_STATEMENT_TIMEOUT_MS\", 10_000);\n\nexport function createDbConnection(config: CreateDbConnectionConfig) {\n const pool =\n config.pool ??\n new Pool({\n connectionString: config.connectionString,\n connectionTimeoutMillis: DEFAULT_CONNECTION_TIMEOUT_MS,\n statement_timeout: DEFAULT_STATEMENT_TIMEOUT_MS,\n ...config.poolOptions,\n });\n\n return drizzle(pool, { schema });\n}\n","import {\n type NpArrayField,\n type NpCollectionConfig,\n type NpFieldConfig,\n type NpRelationshipField,\n} from \"../config/types.js\";\n\ninterface TableRelation {\n key: string;\n kind: \"one\" | \"many\";\n targetIdentifier: string;\n fields?: string[];\n references?: string[];\n}\n\ninterface GeneratedTable {\n identifier: string;\n tableName: string;\n columns: string[];\n indexes: string[];\n relations: TableRelation[];\n}\n\ninterface ScalarFieldResult {\n columns: string[];\n relations: TableRelation[];\n}\n\ninterface TableContext {\n collectionSlug: string;\n tableIdentifier: string;\n tableName: string;\n relationKeyPrefix: string;\n fieldPath: string[];\n parentReferenceName: string;\n parentTargetIdentifier?: string;\n}\n\nexport interface GenerateDrizzleSchemaOptions {\n /**\n * Module specifier to import the core schema tables (npUsers, npMedia) from.\n * Defaults to \"@nexpress/core\". Override when the consumer's tooling\n * (e.g. drizzle-kit's CJS resolver) can't load the core package via its\n * exports map — point at a relative path to core's source in that case.\n */\n schemaImport?: string;\n}\n\nexport function generateDrizzleSchema(\n collections: NpCollectionConfig[],\n options?: GenerateDrizzleSchemaOptions,\n): string {\n const schemaImport = options?.schemaImport ?? \"@nexpress/core\";\n const collectionTables = new Map<string, string>();\n\n for (const collection of collections) {\n collectionTables.set(collection.slug, getCollectionTableIdentifier(collection.slug));\n }\n\n const tables: GeneratedTable[] = [];\n\n for (const collection of collections) {\n const tableIdentifier = getCollectionTableIdentifier(collection.slug);\n const tableName = `np_c_${collection.slug}`;\n const columns = getBaseColumns(collection);\n const indexes = [`index(\"${tableName}_status_idx\").on(table.status)`];\n const relations: TableRelation[] = [\n {\n key: \"createdByUser\",\n kind: \"one\",\n targetIdentifier: \"npUsers\",\n fields: [\"createdBy\"],\n references: [\"id\"],\n },\n {\n key: \"updatedByUser\",\n kind: \"one\",\n targetIdentifier: \"npUsers\",\n fields: [\"updatedBy\"],\n references: [\"id\"],\n },\n ];\n\n // Phase 9.7b: collections that opt into member-write track the\n // member-author on the row itself so update/delete can perform\n // the owner check without a separate audit-log lookup. Nullable\n // because staff-authored docs in the same table leave it null;\n // the FK to np_members keeps the column safe under member\n // deletes (cascade).\n const memberAuthored = Boolean(collection.community?.memberWrite?.create);\n if (memberAuthored) {\n columns.push(\n 'memberAuthorId: uuid(\"member_author_id\").references(() => npMembers.id, { onDelete: \"set null\" })',\n );\n indexes.push(\n `index(\"${tableName}_member_author_idx\").on(table.memberAuthorId)`,\n );\n relations.push({\n key: \"memberAuthor\",\n kind: \"one\",\n targetIdentifier: \"npMembers\",\n fields: [\"memberAuthorId\"],\n references: [\"id\"],\n });\n }\n\n const scalarResult = collectScalarColumns(collection.fields, [], collectionTables);\n columns.push(...scalarResult.columns);\n relations.push(...scalarResult.relations);\n\n if (hasSlugField(collection)) {\n columns.push('slug: text(\"slug\").notNull()');\n // Phase 15.2 — multi-site scoping. Every collection\n // table gets a `site_id` column so the same slug can\n // exist in multiple sites (e.g., `/about` on the main\n // site and on `acme.example.com`). i18n collections\n // additionally key on locale, so the unique becomes\n // `(site_id, locale, slug)`; non-i18n becomes\n // `(site_id, slug)`. Single-tenant installs leave\n // every row at `site_id = 'default'`, so the\n // uniqueness constraint behaves identically to the\n // pre-15.2 `slug-only` index.\n if (collection.i18n) {\n indexes.push(\n `uniqueIndex(\"${tableName}_site_locale_slug_idx\").on(table.siteId, table.locale, table.slug)`,\n );\n } else {\n indexes.push(\n `uniqueIndex(\"${tableName}_site_slug_idx\").on(table.siteId, table.slug)`,\n );\n }\n }\n\n if (collection.i18n) {\n columns.push('locale: text(\"locale\").notNull()');\n columns.push('translationGroupId: uuid(\"translation_group_id\").notNull()');\n indexes.push(\n `index(\"${tableName}_translation_group_idx\").on(table.translationGroupId)`,\n );\n indexes.push(\n `index(\"${tableName}_locale_idx\").on(table.locale)`,\n );\n }\n\n // Phase 15.2 — multi-site scoping column. Default is\n // 'default' so existing single-tenant deployments keep\n // working without operator intervention; the migration\n // backfills existing rows. NOT NULL so writes always\n // commit a site id; pipeline reads `getCurrentSiteId()`\n // (or falls back to 'default') and stamps every row.\n // FK to `np_sites.id` is intentionally omitted from\n // codegen — adding it forces every test fixture to\n // create the default site row first; the framework\n // invariant (default site always exists post-migration)\n // gives us the same safety without the schema-level FK.\n columns.push(\n 'siteId: text(\"site_id\").default(\"default\").notNull()',\n );\n indexes.push(`index(\"${tableName}_site_idx\").on(table.siteId)`);\n\n if (hasDraftVersions(collection)) {\n columns.push(\n '_status: text(\"_status\", { enum: [\"draft\", \"published\"] }).default(\"draft\").notNull()',\n );\n }\n\n columns.push('searchVector: tsvector(\"search_vector\")');\n\n tables.push({\n identifier: tableIdentifier,\n tableName,\n columns,\n indexes,\n relations,\n });\n\n createNestedTables(\n {\n collectionSlug: collection.slug,\n tableIdentifier,\n tableName,\n relationKeyPrefix: toCamelCase(collection.slug),\n fieldPath: [],\n parentReferenceName: `${toCamelCase(collection.slug)}Id`,\n },\n collection.fields,\n tables,\n collectionTables,\n );\n }\n\n const body = tables.map(renderTable).join(\"\\n\\n\");\n const usesMembers = collections.some((c) => c.community?.memberWrite?.create);\n const schemaImports = [\"npMedia\", \"npUsers\", ...(usesMembers ? [\"npMembers\"] : [])];\n\n return [\n 'import { relations } from \"drizzle-orm\";',\n 'import { boolean, customType, doublePrecision, index, integer, jsonb, pgTable, text, timestamp, uniqueIndex, uuid } from \"drizzle-orm/pg-core\";',\n `import { ${schemaImports.join(\", \")} } from \"${schemaImport}\";`,\n '',\n 'const tsvector = customType<{ data: string }>({',\n ' dataType() {',\n ' return \"tsvector\";',\n ' },',\n '});',\n '',\n body,\n ].join(\"\\n\");\n}\n\nfunction createNestedTables(\n context: TableContext,\n fields: NpFieldConfig[],\n tables: GeneratedTable[],\n collectionTables: Map<string, string>,\n): void {\n for (const field of fields) {\n if (field.type === \"group\") {\n createNestedTables(context, field.fields, tables, collectionTables);\n continue;\n }\n\n if (field.type === \"row\" || field.type === \"collapsible\") {\n createNestedTables(context, field.fields, tables, collectionTables);\n continue;\n }\n\n if (field.type === \"array\") {\n tables.push(createArrayTable(context, field, tables, collectionTables));\n continue;\n }\n\n if (field.type === \"relationship\" && field.hasMany && typeof field.relationTo === \"string\") {\n tables.push(\n createHasManyJoinTable(context, { ...field, relationTo: field.relationTo, hasMany: true }, collectionTables),\n );\n }\n }\n}\n\nfunction createArrayTable(\n context: TableContext,\n field: NpArrayField,\n tables: GeneratedTable[],\n collectionTables: Map<string, string>,\n): GeneratedTable {\n const path = [...context.fieldPath, field.name];\n const tableName = `np_c_${context.collectionSlug}__${path.join(\"__\")}`;\n const identifier = getNestedTableIdentifier(context.collectionSlug, path);\n const columns = [\n 'id: uuid(\"id\").defaultRandom().primaryKey()',\n `parentId: uuid(\"parent_id\").notNull().references(() => ${context.tableIdentifier}.id, { onDelete: \"cascade\" })`,\n 'order: integer(\"order\").default(0).notNull()',\n ];\n const relations: TableRelation[] = [\n {\n key: \"parent\",\n kind: \"one\",\n targetIdentifier: context.tableIdentifier,\n fields: [\"parentId\"],\n references: [\"id\"],\n },\n ];\n const scalarResult = collectScalarColumns(field.fields, [], collectionTables);\n columns.push(...scalarResult.columns);\n relations.push(...scalarResult.relations);\n\n const nestedContext: TableContext = {\n collectionSlug: context.collectionSlug,\n tableIdentifier: identifier,\n tableName,\n relationKeyPrefix: `${context.relationKeyPrefix}${toPascalCase(field.name)}`,\n fieldPath: path,\n parentReferenceName: \"parentId\",\n parentTargetIdentifier: context.tableIdentifier,\n };\n\n createNestedTables(nestedContext, field.fields, tables, collectionTables);\n\n return {\n identifier,\n tableName,\n columns,\n indexes: [`index(\"${tableName}_parent_idx\").on(table.parentId)`],\n relations,\n };\n}\n\nfunction createHasManyJoinTable(\n context: TableContext,\n field: NpRelationshipField & { relationTo: string; hasMany: true },\n collectionTables: Map<string, string>,\n): GeneratedTable {\n const path = [...context.fieldPath, field.name];\n const tableName = `np_c_${context.collectionSlug}__${path.join(\"__\")}`;\n const identifier = getNestedTableIdentifier(context.collectionSlug, path);\n const targetIdentifier = resolveRelationTarget(field.relationTo, collectionTables);\n const parentReferenceName = context.fieldPath.length === 0 ? `${toCamelCase(context.collectionSlug)}Id` : \"parentId\";\n\n return {\n identifier,\n tableName,\n columns: [\n 'id: uuid(\"id\").defaultRandom().primaryKey()',\n `${parentReferenceName}: uuid(\"${toSnakeCase(parentReferenceName)}\").notNull().references(() => ${context.tableIdentifier}.id, { onDelete: \"cascade\" })`,\n `targetId: uuid(\"target_id\").notNull().references(() => ${targetIdentifier}.id, { onDelete: \"cascade\" })`,\n 'order: integer(\"order\").default(0).notNull()',\n ],\n indexes: [\n `index(\"${tableName}_${toSnakeCase(parentReferenceName)}_idx\").on(table.${parentReferenceName})`,\n `uniqueIndex(\"${tableName}_parent_target_uidx\").on(table.${parentReferenceName}, table.targetId)`,\n ],\n relations: [\n {\n key: \"parent\",\n kind: \"one\",\n targetIdentifier: context.tableIdentifier,\n fields: [parentReferenceName],\n references: [\"id\"],\n },\n {\n key: \"target\",\n kind: \"one\",\n targetIdentifier,\n fields: [\"targetId\"],\n references: [\"id\"],\n },\n ],\n };\n}\n\nfunction collectScalarColumns(\n fields: NpFieldConfig[],\n prefix: string[],\n collectionTables: Map<string, string>,\n): ScalarFieldResult {\n const columns: string[] = [];\n const relations: TableRelation[] = [];\n\n for (const field of fields) {\n if (field.type === \"group\") {\n const nested = collectScalarColumns(field.fields, [...prefix, field.name], collectionTables);\n columns.push(...nested.columns);\n relations.push(...nested.relations);\n continue;\n }\n\n if (field.type === \"row\" || field.type === \"collapsible\") {\n const nested = collectScalarColumns(field.fields, prefix, collectionTables);\n columns.push(...nested.columns);\n relations.push(...nested.relations);\n continue;\n }\n\n if (field.type === \"array\") {\n continue;\n }\n\n if (field.type === \"relationship\" && field.hasMany) {\n continue;\n }\n\n const propertyName = getFlattenedFieldName(prefix, field.name);\n const columnName = toSnakeCase(propertyName);\n const column = buildScalarColumn(field, propertyName, columnName, collectionTables);\n\n if (!column) {\n continue;\n }\n\n columns.push(...column.columns);\n relations.push(...column.relations);\n }\n\n return { columns, relations };\n}\n\nfunction buildScalarColumn(\n field: Exclude<NpFieldConfig, { type: \"row\" | \"collapsible\" | \"group\" | \"array\" }> ,\n propertyName: string,\n columnName: string,\n collectionTables: Map<string, string>,\n): ScalarFieldResult | null {\n const notNull = field.required ? \".notNull()\" : \"\";\n\n switch (field.type) {\n case \"text\":\n case \"textarea\":\n case \"email\":\n case \"select\":\n case \"radio\":\n return { columns: [`${propertyName}: text(\"${columnName}\")${notNull}`], relations: [] };\n case \"number\": {\n const builder = field.integerOnly ? \"integer\" : \"doublePrecision\";\n return { columns: [`${propertyName}: ${builder}(\"${columnName}\")${notNull}`], relations: [] };\n }\n case \"richText\":\n case \"blocks\":\n case \"json\":\n return { columns: [`${propertyName}: jsonb(\"${columnName}\")${notNull}`], relations: [] };\n case \"checkbox\":\n return { columns: [`${propertyName}: boolean(\"${columnName}\")${notNull}`], relations: [] };\n case \"date\":\n return {\n columns: [`${propertyName}: timestamp(\"${columnName}\", { withTimezone: true })${notNull}`],\n relations: [],\n };\n case \"upload\": {\n return {\n columns: [`${propertyName}: uuid(\"${columnName}\").references(() => npMedia.id)${notNull}`],\n relations: [\n {\n key: propertyName,\n kind: \"one\",\n targetIdentifier: \"npMedia\",\n fields: [propertyName],\n references: [\"id\"],\n },\n ],\n };\n }\n case \"relationship\": {\n if (typeof field.relationTo !== \"string\") {\n return null;\n }\n\n const targetIdentifier = resolveRelationTarget(field.relationTo, collectionTables);\n return {\n columns: [`${propertyName}: uuid(\"${columnName}\").references(() => ${targetIdentifier}.id)${notNull}`],\n relations: [\n {\n key: propertyName,\n kind: \"one\",\n targetIdentifier,\n fields: [propertyName],\n references: [\"id\"],\n },\n ],\n };\n }\n default:\n return null;\n }\n}\n\nfunction getBaseColumns(collection: NpCollectionConfig): string[] {\n const columns = ['id: uuid(\"id\").defaultRandom().primaryKey()'];\n\n columns.push(\n 'status: text(\"status\", { enum: [\"draft\", \"scheduled\", \"published\", \"archived\", \"pending\"] }).default(\"draft\").notNull()',\n );\n\n columns.push('createdAt: timestamp(\"created_at\", { withTimezone: true }).defaultNow().notNull()');\n columns.push('updatedAt: timestamp(\"updated_at\", { withTimezone: true }).defaultNow().notNull()');\n columns.push('createdBy: uuid(\"created_by\").references(() => npUsers.id)');\n columns.push('updatedBy: uuid(\"updated_by\").references(() => npUsers.id)');\n\n // Phase 21.17 — per-doc visibility flag. Orthogonal to\n // `status` (workflow state): a row can be published-public,\n // published-private, draft-public, etc. Anonymous reads in\n // `findDocuments` auto-filter to `visibility = \"public\"` so a\n // newly-imported \"private\" row never leaks to crawlers; an\n // authenticated principal (member or staff) sees both. WP\n // imports use this to round-trip `<wp:status>private</wp:status>`\n // posts as `status=published, visibility=private` rather than\n // the old draft-coercion that lost the publish state.\n const visibility =\n 'visibility: text(\"visibility\", { enum: [\"public\", \"private\"] }).default(\"public\").notNull()';\n\n if (collection.timestamps === false) {\n return [columns[0], columns[1], columns[4], columns[5], visibility];\n }\n\n columns.push(visibility);\n return columns;\n}\n\nfunction renderTable(table: GeneratedTable): string {\n const tableSource = [\n `export const ${table.identifier} = pgTable(`,\n ` \"${table.tableName}\",`,\n \" {\",\n ...table.columns.map((column) => ` ${column},`),\n \" },\",\n ` (table) => [${table.indexes.join(\", \")}],`,\n \");\",\n ].join(\"\\n\");\n\n const relationsSource = [\n `export const ${table.identifier}Relations = relations(${table.identifier}, ({ many, one }) => ({`,\n ...table.relations.map((relation) => renderRelation(relation, table.identifier)),\n \"}));\",\n ].join(\"\\n\");\n\n return `${tableSource}\\n\\n${relationsSource}`;\n}\n\nfunction renderRelation(relation: TableRelation, ownerIdentifier: string): string {\n if (relation.kind === \"many\") {\n return ` ${relation.key}: many(${relation.targetIdentifier}),`;\n }\n\n const fields = (relation.fields ?? [])\n .map((field) => `${ownerIdentifier}.${field}`)\n .join(\", \");\n const references = (relation.references ?? [])\n .map((reference) => `${relation.targetIdentifier}.${reference}`)\n .join(\", \");\n\n return ` ${relation.key}: one(${relation.targetIdentifier}, { fields: [${fields}], references: [${references}] }),`;\n}\n\nfunction hasSlugField(collection: NpCollectionConfig): boolean {\n return collection.slugField !== undefined && collection.slugField !== false;\n}\n\nfunction hasDraftVersions(collection: NpCollectionConfig): boolean {\n return Boolean(collection.versions?.drafts);\n}\n\nfunction resolveRelationTarget(\n relationTo: string,\n collectionTables: Map<string, string>,\n): string {\n if (relationTo === \"media\") {\n return \"npMedia\";\n }\n\n if (relationTo === \"users\") {\n return \"npUsers\";\n }\n\n return collectionTables.get(relationTo) ?? getCollectionTableIdentifier(relationTo);\n}\n\nfunction getCollectionTableIdentifier(slug: string): string {\n return `${toCamelCase(slug)}Table`;\n}\n\nfunction getNestedTableIdentifier(collectionSlug: string, path: string[]): string {\n return `${toCamelCase(collectionSlug)}${path.map(toPascalCase).join(\"\")}Table`;\n}\n\nfunction getFlattenedFieldName(prefix: string[], name: string): string {\n if (prefix.length === 0) {\n return toCamelCase(name);\n }\n\n return `${prefix.map(toPascalCase).join(\"\")}${toPascalCase(name)}`.replace(/^./u, (char) => char.toLowerCase());\n}\n\nfunction toCamelCase(value: string): string {\n const parts = splitName(value);\n const [first = \"\", ...rest] = parts;\n return `${first}${rest.map(capitalize).join(\"\")}`;\n}\n\nfunction toPascalCase(value: string): string {\n return splitName(value).map(capitalize).join(\"\");\n}\n\nfunction toSnakeCase(value: string): string {\n return value\n .replace(/([a-z0-9])([A-Z])/g, \"$1_$2\")\n .replace(/[^a-zA-Z0-9]+/g, \"_\")\n .toLowerCase();\n}\n\nfunction splitName(value: string): string[] {\n return value\n .replace(/([a-z0-9])([A-Z])/g, \"$1 $2\")\n .split(/[^a-zA-Z0-9]+/)\n .map((part) => part.toLowerCase())\n .filter(Boolean);\n}\n\nfunction capitalize(value: string): string {\n return value.charAt(0).toUpperCase() + value.slice(1);\n}\n","import { type NpCollectionConfig, type NpFieldConfig } from \"../config/types.js\";\n\nexport function generateTypeScript(collections: NpCollectionConfig[]): string {\n const interfaces = collections.map((collection) => renderCollectionInterface(collection));\n return interfaces.join(\"\\n\\n\");\n}\n\ninterface HasManyDescriptor {\n /** Field name on the collection (the where clause key). */\n fieldName: string;\n /** Generated join-table import name (e.g., `postsCategoriesTable`). */\n joinTable: string;\n /** Parent FK column on the join table (e.g., `postsId`). */\n parentColumn: string;\n}\n\nfunction collectHasManyFields(collection: NpCollectionConfig): HasManyDescriptor[] {\n const collCamel = toCamelCase(collection.slug);\n const parentColumn = `${collCamel}Id`;\n const out: HasManyDescriptor[] = [];\n // Only top-level fields participate. Nested hasMany (inside row /\n // collapsible / group / array) is rare in practice and the join-\n // table naming convention doesn't carry through nesting cleanly.\n for (const field of collection.fields) {\n if (field.type === \"relationship\" && field.hasMany === true) {\n const joinTable = `${collCamel}${toPascalCase(field.name)}Table`;\n out.push({ fieldName: field.name, joinTable, parentColumn });\n }\n }\n return out;\n}\n\n/**\n * Renders a complete `documents.ts` module: imports from\n * `@nexpress/core`, per-collection `${Pascal}Document` interfaces,\n * and typed read-helper wrappers (`find${Pascal}` /\n * `get${Pascal}Document`) that bind the type generic so call sites\n * don't have to.\n *\n * Collections with hasMany relationship fields get a smarter\n * wrapper: when the caller's `where` clause names a hasMany\n * field, the wrapper queries the join table for matching parent\n * ids first, intersects across multiple hasMany filters, and\n * delegates to `findDocuments` with `id: idList`. That covers\n * the friction surfaced in #540's category-page dogfood — a\n * `where: { categories: id }` filter looked typed but failed at\n * runtime because `categories` isn't a column on the parent\n * table; this wrapper makes it work.\n *\n * The output is meant for `apps/<app>/src/db/generated/documents.ts`\n * and is a direct counterpart to `generateDrizzleSchema`'s\n * `collections.ts` (Drizzle schema). Both files come from the same\n * `nexpressConfig.collections` source so they stay in sync.\n */\nexport function generateDocumentsModule(collections: NpCollectionConfig[]): string {\n const hasManyByCollection = new Map(\n collections.map((c) => [c.slug, collectHasManyFields(c)]),\n );\n const anyHasMany = Array.from(hasManyByCollection.values()).some(\n (list) => list.length > 0,\n );\n\n const coreImports = [\n `import {`,\n ` findDocuments,`,\n ...(anyHasMany ? [` getDb,`] : []),\n ` getDocumentById,`,\n ` type NpAuthUser,`,\n ` type NpFindOptions,`,\n ` type NpFindResult,`,\n `} from \"@nexpress/core\";`,\n ].join(\"\\n\");\n\n // Drizzle + join-table imports only when at least one collection\n // has a hasMany relationship — keeps the file lean for sites\n // that don't use them.\n const drizzleImports = anyHasMany\n ? [\n `import { inArray } from \"drizzle-orm\";`,\n `import type { NodePgDatabase } from \"drizzle-orm/node-postgres\";`,\n ].join(\"\\n\")\n : \"\";\n const joinTables = Array.from(\n new Set(\n Array.from(hasManyByCollection.values())\n .flat()\n .map((d) => d.joinTable),\n ),\n ).sort();\n // Emit without the `.js` extension. The reference app's\n // `apps/web/tsconfig.json` uses `moduleResolution: \"Bundler\"`\n // (Next 16's standard); Bundler resolution + Turbopack don't\n // rewrite `.js` → `.ts` for relative imports the way tsc's\n // NodeNext resolution does, so the explicit extension breaks\n // `next build` even though `pnpm typecheck` passes (tsc handles\n // both shapes). Extension-less imports work under both\n // resolution strategies — Bundler resolves to the `.ts` file\n // directly, NodeNext does the same when the file extension\n // is omitted in TS source. See\n // https://github.com/vercel/next.js/issues for the long\n // history of `.js`-extension friction with Turbopack.\n const joinTableImports =\n joinTables.length > 0\n ? `import { ${joinTables.join(\", \")} } from \"./collections\";`\n : \"\";\n\n const imports = [coreImports, drizzleImports, joinTableImports]\n .filter(Boolean)\n .join(\"\\n\");\n\n const interfaces = collections.map((c) => renderCollectionInterface(c)).join(\"\\n\\n\");\n const helpers = collections\n .map((c) => renderReadHelpers(c, hasManyByCollection.get(c.slug) ?? []))\n .join(\"\\n\\n\");\n\n return [imports, \"\", interfaces, \"\", helpers, \"\"].join(\"\\n\");\n}\n\nfunction renderReadHelpers(\n collection: NpCollectionConfig,\n hasMany: HasManyDescriptor[],\n): string {\n const docType = `${toPascalCase(collection.slug)}Document`;\n const findFnName = `find${toPascalCase(collection.slug)}`;\n const getFnName = `get${toPascalCase(collection.slug)}Document`;\n const slug = JSON.stringify(collection.slug);\n\n const findFn =\n hasMany.length === 0\n ? renderSimpleFindFn(findFnName, slug, docType, collection.slug)\n : renderHasManyFindFn(findFnName, slug, docType, collection.slug, hasMany);\n\n return [\n findFn,\n \"\",\n `/** Typed by-id fetch for the \\`${collection.slug}\\` collection. */`,\n `export function ${getFnName}(`,\n ` id: string,`,\n ` user?: NpAuthUser,`,\n `): Promise<${docType} | null> {`,\n ` return getDocumentById<${docType}>(${slug}, id, user);`,\n `}`,\n ].join(\"\\n\");\n}\n\nfunction renderSimpleFindFn(\n findFnName: string,\n slug: string,\n docType: string,\n slugLabel: string,\n): string {\n return [\n `/** Typed listing query for the \\`${slugLabel}\\` collection. */`,\n `export function ${findFnName}(`,\n ` options: NpFindOptions<${docType}> = {},`,\n ` user?: NpAuthUser,`,\n `): Promise<NpFindResult<${docType}>> {`,\n ` return findDocuments<${docType}>(${slug}, options, user);`,\n `}`,\n ].join(\"\\n\");\n}\n\nfunction renderHasManyFindFn(\n findFnName: string,\n slug: string,\n docType: string,\n slugLabel: string,\n hasMany: HasManyDescriptor[],\n): string {\n // Build a literal array of `{ field, table, column }` for\n // runtime iteration. Keep it inline (instead of a loose const)\n // so the wrapper is one self-contained function — no helpers\n // bleed into consumer code completion.\n const descriptors = hasMany\n .map(\n (d) =>\n ` { field: ${JSON.stringify(d.fieldName)}, table: ${d.joinTable}, parent: ${d.joinTable}.${d.parentColumn} },`,\n )\n .join(\"\\n\");\n\n return [\n `/**`,\n ` * Typed listing query for the \\`${slugLabel}\\` collection.`,\n ` *`,\n ` * Pre-resolves hasMany relationship filters in the where`,\n ` * clause (${hasMany.map((d) => `\\`${d.fieldName}\\``).join(\", \")}) by`,\n ` * subquerying the join table for matching parent ids. Each`,\n ` * field accepts a single target id (most common) or an array`,\n ` * of target ids (OR semantics). Multiple hasMany filters`,\n ` * intersect — \\`where: { categories: catId, tags: tagId }\\``,\n ` * matches rows that have BOTH.`,\n ` */`,\n `export async function ${findFnName}(`,\n ` options: NpFindOptions<${docType}> = {},`,\n ` user?: NpAuthUser,`,\n `): Promise<NpFindResult<${docType}>> {`,\n ` const where = options.where ? { ...options.where } : {};`,\n ` const hasManyDescriptors = [`,\n descriptors,\n ` ];`,\n ``,\n ` const matched: string[][] = [];`,\n ` let touchedHasMany = false;`,\n ` for (const { field, table, parent } of hasManyDescriptors) {`,\n ` const value = (where as Record<string, unknown>)[field];`,\n ` if (value === undefined) continue;`,\n ` touchedHasMany = true;`,\n ` delete (where as Record<string, unknown>)[field];`,\n ` const targets = (Array.isArray(value) ? value : [value]).filter(`,\n ` (v): v is string => typeof v === \"string\" && v.length > 0,`,\n ` );`,\n ` if (targets.length === 0) {`,\n ` // Empty array short-circuits to no rows — match the`,\n ` // pipeline's array-where semantics.`,\n ` matched.push([]);`,\n ` continue;`,\n ` }`,\n ` // Cast getDb() to NodePgDatabase so the drizzle builder`,\n ` // chain (.select.from.where) carries proper return types.`,\n ` // The empty-schema generic narrows the return shape away`,\n ` // from any specific tables; the explicit \\`{ id: string }[]\\` `,\n ` // cast at the end matches the projection.`,\n ` const db = getDb() as unknown as NodePgDatabase<Record<string, never>>;`,\n ` const rows = (await db`,\n ` .select({ id: parent })`,\n ` .from(table)`,\n ` .where(inArray(table.targetId, targets))) as Array<{ id: string }>;`,\n ` matched.push(rows.map((r) => r.id));`,\n ` }`,\n ``,\n ` if (touchedHasMany) {`,\n ` // Intersect across all hasMany filters. Empty intersection`,\n ` // → return immediately; findDocuments would short-circuit`,\n ` // on the empty-array where clause anyway, but the early`,\n ` // exit saves a round-trip.`,\n ` let ids = matched[0] ?? [];`,\n ` for (let i = 1; i < matched.length; i++) {`,\n ` const set = new Set(matched[i]);`,\n ` ids = ids.filter((id) => set.has(id));`,\n ` }`,\n ``,\n ` // Honor any pre-existing user id constraint. Without this,`,\n ` // \\`where: { id: someId, categories: catId }\\` would silently`,\n ` // drop the user's id filter and return every post in that`,\n ` // category — a real foot-gun. Intersect instead.`,\n ` const existingId = (where as Record<string, unknown>).id;`,\n ` if (typeof existingId === \"string\") {`,\n ` ids = ids.includes(existingId) ? [existingId] : [];`,\n ` } else if (Array.isArray(existingId)) {`,\n ` const allowed = new Set(`,\n ` existingId.filter((v): v is string => typeof v === \"string\"),`,\n ` );`,\n ` ids = ids.filter((id) => allowed.has(id));`,\n ` }`,\n ``,\n ` if (ids.length === 0) {`,\n ` return {`,\n ` docs: [],`,\n ` totalDocs: 0,`,\n ` totalPages: 0,`,\n ` page: options.page ?? 1,`,\n ` limit: options.limit ?? 20,`,\n ` hasNextPage: false,`,\n ` hasPrevPage: false,`,\n ` };`,\n ` }`,\n ` (where as Record<string, unknown>).id = ids;`,\n ` }`,\n ``,\n ` return findDocuments<${docType}>(${slug}, { ...options, where }, user);`,\n `}`,\n ].join(\"\\n\");\n}\n\nfunction renderCollectionInterface(collection: NpCollectionConfig): string {\n const interfaceName = `${toPascalCase(collection.slug)}Document`;\n const fields = [\n 'id: string;',\n 'status: \"draft\" | \"published\" | \"archived\" | \"pending\";',\n 'createdAt: Date;',\n 'updatedAt: Date;',\n 'createdBy: string | null;',\n 'updatedBy: string | null;',\n ];\n\n if (collection.community?.memberWrite?.create) {\n fields.push('memberAuthorId: string | null;');\n }\n\n if (collection.slugField) {\n fields.push(\"slug: string;\");\n }\n\n if (collection.versions?.drafts) {\n fields.push('_status: \"draft\" | \"published\";');\n }\n\n fields.push(...renderFields(collection.fields));\n\n return [`export interface ${interfaceName} {`, ...fields.map((field) => ` ${field}`), \"}\"].join(\"\\n\");\n}\n\nfunction renderFields(fields: NpFieldConfig[], prefix: string[] = []): string[] {\n const lines: string[] = [];\n\n for (const field of fields) {\n if (field.type === \"row\" || field.type === \"collapsible\") {\n lines.push(...renderFields(field.fields, prefix));\n continue;\n }\n\n const fieldName = field.type === \"group\" ? getPropertyName(prefix, field.name) : \"\";\n\n if (field.type === \"group\") {\n const groupType = renderObjectType(field.fields);\n lines.push(`${fieldName}: ${applyNullability(groupType, field.required)};`);\n continue;\n }\n\n const propertyName = getPropertyName(prefix, field.name);\n const typeSource = getTypeSource(field);\n lines.push(`${propertyName}: ${applyNullability(typeSource, field.required)};`);\n }\n\n return lines;\n}\n\nfunction renderObjectType(fields: NpFieldConfig[]): string {\n const members = renderFields(fields).map((field) => ` ${field}`);\n return [`{`, ...members, `}`].join(\"\\n\");\n}\n\nfunction getTypeSource(field: Exclude<NpFieldConfig, { type: \"row\" | \"collapsible\" | \"group\" }>): string {\n switch (field.type) {\n case \"text\":\n case \"textarea\":\n case \"email\":\n case \"select\":\n case \"radio\":\n return \"string\";\n case \"number\":\n return \"number\";\n case \"checkbox\":\n return \"boolean\";\n case \"date\":\n return \"Date\";\n case \"upload\":\n return \"string\";\n case \"relationship\":\n return field.hasMany ? \"string[]\" : \"string\";\n case \"array\":\n return `Array<${renderObjectType(field.fields)}>`;\n case \"richText\":\n case \"blocks\":\n case \"json\":\n return \"unknown\";\n default:\n return \"unknown\";\n }\n}\n\nfunction applyNullability(typeSource: string, required?: boolean): string {\n return required ? typeSource : `${typeSource} | null`;\n}\n\nfunction getPropertyName(prefix: string[], name: string): string {\n if (prefix.length === 0) {\n return toCamelCase(name);\n }\n\n return `${prefix[0]}${prefix.slice(1).map(toPascalCase).join(\"\")}${toPascalCase(name)}`;\n}\n\nfunction toCamelCase(value: string): string {\n const parts = splitName(value);\n const [first = \"\", ...rest] = parts;\n return `${first}${rest.map(toPascalCase).join(\"\")}`;\n}\n\nfunction toPascalCase(value: string): string {\n return splitName(value)\n .map((part) => part.charAt(0).toUpperCase() + part.slice(1))\n .join(\"\");\n}\n\nfunction splitName(value: string): string[] {\n return value\n .replace(/([a-z0-9])([A-Z])/g, \"$1 $2\")\n .split(/[^a-zA-Z0-9]+/)\n .map((part) => part.toLowerCase())\n .filter(Boolean);\n}\n"],"mappings":";;;;;;;;AAAA,SAAS,eAAe;AACxB,SAAS,YAAY;AAiCrB,IAAM,gCAAgC,mBAAmB,+BAA+B,GAAK;AAC7F,IAAM,+BAA+B,mBAAmB,8BAA8B,GAAM;AAErF,SAAS,mBAAmB,QAAkC;AACnE,QAAM,OACJ,OAAO,QACP,IAAI,KAAK;AAAA,IACP,kBAAkB,OAAO;AAAA,IACzB,yBAAyB;AAAA,IACzB,mBAAmB;AAAA,IACnB,GAAG,OAAO;AAAA,EACZ,CAAC;AAEH,SAAO,QAAQ,MAAM,EAAE,uBAAO,CAAC;AACjC;;;ACAO,SAAS,sBACd,aACA,SACQ;AACR,QAAM,eAAe,SAAS,gBAAgB;AAC9C,QAAM,mBAAmB,oBAAI,IAAoB;AAEjD,aAAW,cAAc,aAAa;AACpC,qBAAiB,IAAI,WAAW,MAAM,6BAA6B,WAAW,IAAI,CAAC;AAAA,EACrF;AAEA,QAAM,SAA2B,CAAC;AAElC,aAAW,cAAc,aAAa;AACpC,UAAM,kBAAkB,6BAA6B,WAAW,IAAI;AACpE,UAAM,YAAY,QAAQ,WAAW,IAAI;AACzC,UAAM,UAAU,eAAe,UAAU;AACzC,UAAM,UAAU,CAAC,UAAU,SAAS,gCAAgC;AACpE,UAAM,YAA6B;AAAA,MACjC;AAAA,QACE,KAAK;AAAA,QACL,MAAM;AAAA,QACN,kBAAkB;AAAA,QAClB,QAAQ,CAAC,WAAW;AAAA,QACpB,YAAY,CAAC,IAAI;AAAA,MACnB;AAAA,MACA;AAAA,QACE,KAAK;AAAA,QACL,MAAM;AAAA,QACN,kBAAkB;AAAA,QAClB,QAAQ,CAAC,WAAW;AAAA,QACpB,YAAY,CAAC,IAAI;AAAA,MACnB;AAAA,IACF;AAQA,UAAM,iBAAiB,QAAQ,WAAW,WAAW,aAAa,MAAM;AACxE,QAAI,gBAAgB;AAClB,cAAQ;AAAA,QACN;AAAA,MACF;AACA,cAAQ;AAAA,QACN,UAAU,SAAS;AAAA,MACrB;AACA,gBAAU,KAAK;AAAA,QACb,KAAK;AAAA,QACL,MAAM;AAAA,QACN,kBAAkB;AAAA,QAClB,QAAQ,CAAC,gBAAgB;AAAA,QACzB,YAAY,CAAC,IAAI;AAAA,MACnB,CAAC;AAAA,IACH;AAEA,UAAM,eAAe,qBAAqB,WAAW,QAAQ,CAAC,GAAG,gBAAgB;AACjF,YAAQ,KAAK,GAAG,aAAa,OAAO;AACpC,cAAU,KAAK,GAAG,aAAa,SAAS;AAExC,QAAI,aAAa,UAAU,GAAG;AAC5B,cAAQ,KAAK,8BAA8B;AAW3C,UAAI,WAAW,MAAM;AACnB,gBAAQ;AAAA,UACN,gBAAgB,SAAS;AAAA,QAC3B;AAAA,MACF,OAAO;AACL,gBAAQ;AAAA,UACN,gBAAgB,SAAS;AAAA,QAC3B;AAAA,MACF;AAAA,IACF;AAEA,QAAI,WAAW,MAAM;AACnB,cAAQ,KAAK,kCAAkC;AAC/C,cAAQ,KAAK,4DAA4D;AACzE,cAAQ;AAAA,QACN,UAAU,SAAS;AAAA,MACrB;AACA,cAAQ;AAAA,QACN,UAAU,SAAS;AAAA,MACrB;AAAA,IACF;AAaA,YAAQ;AAAA,MACN;AAAA,IACF;AACA,YAAQ,KAAK,UAAU,SAAS,8BAA8B;AAE9D,QAAI,iBAAiB,UAAU,GAAG;AAChC,cAAQ;AAAA,QACN;AAAA,MACF;AAAA,IACF;AAEA,YAAQ,KAAK,yCAAyC;AAEtD,WAAO,KAAK;AAAA,MACV,YAAY;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAED;AAAA,MACE;AAAA,QACE,gBAAgB,WAAW;AAAA,QAC3B;AAAA,QACA;AAAA,QACA,mBAAmB,YAAY,WAAW,IAAI;AAAA,QAC9C,WAAW,CAAC;AAAA,QACZ,qBAAqB,GAAG,YAAY,WAAW,IAAI,CAAC;AAAA,MACtD;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,QAAM,OAAO,OAAO,IAAI,WAAW,EAAE,KAAK,MAAM;AAChD,QAAM,cAAc,YAAY,KAAK,CAAC,MAAM,EAAE,WAAW,aAAa,MAAM;AAC5E,QAAM,gBAAgB,CAAC,WAAW,WAAW,GAAI,cAAc,CAAC,WAAW,IAAI,CAAC,CAAE;AAElF,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,YAAY,cAAc,KAAK,IAAI,CAAC,YAAY,YAAY;AAAA,IAC5D;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,EAAE,KAAK,IAAI;AACb;AAEA,SAAS,mBACP,SACA,QACA,QACA,kBACM;AACN,aAAW,SAAS,QAAQ;AAC1B,QAAI,MAAM,SAAS,SAAS;AAC1B,yBAAmB,SAAS,MAAM,QAAQ,QAAQ,gBAAgB;AAClE;AAAA,IACF;AAEA,QAAI,MAAM,SAAS,SAAS,MAAM,SAAS,eAAe;AACxD,yBAAmB,SAAS,MAAM,QAAQ,QAAQ,gBAAgB;AAClE;AAAA,IACF;AAEA,QAAI,MAAM,SAAS,SAAS;AAC1B,aAAO,KAAK,iBAAiB,SAAS,OAAO,QAAQ,gBAAgB,CAAC;AACtE;AAAA,IACF;AAEA,QAAI,MAAM,SAAS,kBAAkB,MAAM,WAAW,OAAO,MAAM,eAAe,UAAU;AAC1F,aAAO;AAAA,QACL,uBAAuB,SAAS,EAAE,GAAG,OAAO,YAAY,MAAM,YAAY,SAAS,KAAK,GAAG,gBAAgB;AAAA,MAC7G;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,iBACP,SACA,OACA,QACA,kBACgB;AAChB,QAAM,OAAO,CAAC,GAAG,QAAQ,WAAW,MAAM,IAAI;AAC9C,QAAM,YAAY,QAAQ,QAAQ,cAAc,KAAK,KAAK,KAAK,IAAI,CAAC;AACpE,QAAM,aAAa,yBAAyB,QAAQ,gBAAgB,IAAI;AACxE,QAAM,UAAU;AAAA,IACd;AAAA,IACA,0DAA0D,QAAQ,eAAe;AAAA,IACjF;AAAA,EACF;AACA,QAAM,YAA6B;AAAA,IACjC;AAAA,MACE,KAAK;AAAA,MACL,MAAM;AAAA,MACN,kBAAkB,QAAQ;AAAA,MAC1B,QAAQ,CAAC,UAAU;AAAA,MACnB,YAAY,CAAC,IAAI;AAAA,IACnB;AAAA,EACF;AACA,QAAM,eAAe,qBAAqB,MAAM,QAAQ,CAAC,GAAG,gBAAgB;AAC5E,UAAQ,KAAK,GAAG,aAAa,OAAO;AACpC,YAAU,KAAK,GAAG,aAAa,SAAS;AAExC,QAAM,gBAA8B;AAAA,IAClC,gBAAgB,QAAQ;AAAA,IACxB,iBAAiB;AAAA,IACjB;AAAA,IACA,mBAAmB,GAAG,QAAQ,iBAAiB,GAAG,aAAa,MAAM,IAAI,CAAC;AAAA,IAC1E,WAAW;AAAA,IACX,qBAAqB;AAAA,IACrB,wBAAwB,QAAQ;AAAA,EAClC;AAEA,qBAAmB,eAAe,MAAM,QAAQ,QAAQ,gBAAgB;AAExE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS,CAAC,UAAU,SAAS,kCAAkC;AAAA,IAC/D;AAAA,EACF;AACF;AAEA,SAAS,uBACP,SACA,OACA,kBACgB;AAChB,QAAM,OAAO,CAAC,GAAG,QAAQ,WAAW,MAAM,IAAI;AAC9C,QAAM,YAAY,QAAQ,QAAQ,cAAc,KAAK,KAAK,KAAK,IAAI,CAAC;AACpE,QAAM,aAAa,yBAAyB,QAAQ,gBAAgB,IAAI;AACxE,QAAM,mBAAmB,sBAAsB,MAAM,YAAY,gBAAgB;AACjF,QAAM,sBAAsB,QAAQ,UAAU,WAAW,IAAI,GAAG,YAAY,QAAQ,cAAc,CAAC,OAAO;AAE1G,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,SAAS;AAAA,MACP;AAAA,MACA,GAAG,mBAAmB,WAAW,YAAY,mBAAmB,CAAC,iCAAiC,QAAQ,eAAe;AAAA,MACzH,0DAA0D,gBAAgB;AAAA,MAC1E;AAAA,IACF;AAAA,IACA,SAAS;AAAA,MACP,UAAU,SAAS,IAAI,YAAY,mBAAmB,CAAC,mBAAmB,mBAAmB;AAAA,MAC7F,gBAAgB,SAAS,kCAAkC,mBAAmB;AAAA,IAChF;AAAA,IACA,WAAW;AAAA,MACT;AAAA,QACE,KAAK;AAAA,QACL,MAAM;AAAA,QACN,kBAAkB,QAAQ;AAAA,QAC1B,QAAQ,CAAC,mBAAmB;AAAA,QAC5B,YAAY,CAAC,IAAI;AAAA,MACnB;AAAA,MACA;AAAA,QACE,KAAK;AAAA,QACL,MAAM;AAAA,QACN;AAAA,QACA,QAAQ,CAAC,UAAU;AAAA,QACnB,YAAY,CAAC,IAAI;AAAA,MACnB;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,qBACP,QACA,QACA,kBACmB;AACnB,QAAM,UAAoB,CAAC;AAC3B,QAAM,YAA6B,CAAC;AAEpC,aAAW,SAAS,QAAQ;AAC1B,QAAI,MAAM,SAAS,SAAS;AAC1B,YAAM,SAAS,qBAAqB,MAAM,QAAQ,CAAC,GAAG,QAAQ,MAAM,IAAI,GAAG,gBAAgB;AAC3F,cAAQ,KAAK,GAAG,OAAO,OAAO;AAC9B,gBAAU,KAAK,GAAG,OAAO,SAAS;AAClC;AAAA,IACF;AAEA,QAAI,MAAM,SAAS,SAAS,MAAM,SAAS,eAAe;AACxD,YAAM,SAAS,qBAAqB,MAAM,QAAQ,QAAQ,gBAAgB;AAC1E,cAAQ,KAAK,GAAG,OAAO,OAAO;AAC9B,gBAAU,KAAK,GAAG,OAAO,SAAS;AAClC;AAAA,IACF;AAEA,QAAI,MAAM,SAAS,SAAS;AAC1B;AAAA,IACF;AAEA,QAAI,MAAM,SAAS,kBAAkB,MAAM,SAAS;AAClD;AAAA,IACF;AAEA,UAAM,eAAe,sBAAsB,QAAQ,MAAM,IAAI;AAC7D,UAAM,aAAa,YAAY,YAAY;AAC3C,UAAM,SAAS,kBAAkB,OAAO,cAAc,YAAY,gBAAgB;AAElF,QAAI,CAAC,QAAQ;AACX;AAAA,IACF;AAEA,YAAQ,KAAK,GAAG,OAAO,OAAO;AAC9B,cAAU,KAAK,GAAG,OAAO,SAAS;AAAA,EACpC;AAEA,SAAO,EAAE,SAAS,UAAU;AAC9B;AAEA,SAAS,kBACP,OACA,cACA,YACA,kBAC0B;AAC1B,QAAM,UAAU,MAAM,WAAW,eAAe;AAEhD,UAAQ,MAAM,MAAM;AAAA,IAClB,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACH,aAAO,EAAE,SAAS,CAAC,GAAG,YAAY,WAAW,UAAU,KAAK,OAAO,EAAE,GAAG,WAAW,CAAC,EAAE;AAAA,IACxF,KAAK,UAAU;AACb,YAAM,UAAU,MAAM,cAAc,YAAY;AAChD,aAAO,EAAE,SAAS,CAAC,GAAG,YAAY,KAAK,OAAO,KAAK,UAAU,KAAK,OAAO,EAAE,GAAG,WAAW,CAAC,EAAE;AAAA,IAC9F;AAAA,IACA,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACH,aAAO,EAAE,SAAS,CAAC,GAAG,YAAY,YAAY,UAAU,KAAK,OAAO,EAAE,GAAG,WAAW,CAAC,EAAE;AAAA,IACzF,KAAK;AACH,aAAO,EAAE,SAAS,CAAC,GAAG,YAAY,cAAc,UAAU,KAAK,OAAO,EAAE,GAAG,WAAW,CAAC,EAAE;AAAA,IAC3F,KAAK;AACH,aAAO;AAAA,QACL,SAAS,CAAC,GAAG,YAAY,gBAAgB,UAAU,6BAA6B,OAAO,EAAE;AAAA,QACzF,WAAW,CAAC;AAAA,MACd;AAAA,IACF,KAAK,UAAU;AACb,aAAO;AAAA,QACL,SAAS,CAAC,GAAG,YAAY,WAAW,UAAU,kCAAkC,OAAO,EAAE;AAAA,QACzF,WAAW;AAAA,UACT;AAAA,YACE,KAAK;AAAA,YACL,MAAM;AAAA,YACN,kBAAkB;AAAA,YAClB,QAAQ,CAAC,YAAY;AAAA,YACrB,YAAY,CAAC,IAAI;AAAA,UACnB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,IACA,KAAK,gBAAgB;AACnB,UAAI,OAAO,MAAM,eAAe,UAAU;AACxC,eAAO;AAAA,MACT;AAEA,YAAM,mBAAmB,sBAAsB,MAAM,YAAY,gBAAgB;AACjF,aAAO;AAAA,QACL,SAAS,CAAC,GAAG,YAAY,WAAW,UAAU,uBAAuB,gBAAgB,OAAO,OAAO,EAAE;AAAA,QACrG,WAAW;AAAA,UACT;AAAA,YACE,KAAK;AAAA,YACL,MAAM;AAAA,YACN;AAAA,YACA,QAAQ,CAAC,YAAY;AAAA,YACrB,YAAY,CAAC,IAAI;AAAA,UACnB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,IACA;AACE,aAAO;AAAA,EACX;AACF;AAEA,SAAS,eAAe,YAA0C;AAChE,QAAM,UAAU,CAAC,6CAA6C;AAE9D,UAAQ;AAAA,IACN;AAAA,EACF;AAEA,UAAQ,KAAK,mFAAmF;AAChG,UAAQ,KAAK,mFAAmF;AAChG,UAAQ,KAAK,4DAA4D;AACzE,UAAQ,KAAK,4DAA4D;AAWzE,QAAM,aACJ;AAEF,MAAI,WAAW,eAAe,OAAO;AACnC,WAAO,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC,GAAG,QAAQ,CAAC,GAAG,QAAQ,CAAC,GAAG,UAAU;AAAA,EACpE;AAEA,UAAQ,KAAK,UAAU;AACvB,SAAO;AACT;AAEA,SAAS,YAAY,OAA+B;AAClD,QAAM,cAAc;AAAA,IAClB,gBAAgB,MAAM,UAAU;AAAA,IAChC,MAAM,MAAM,SAAS;AAAA,IACrB;AAAA,IACA,GAAG,MAAM,QAAQ,IAAI,CAAC,WAAW,OAAO,MAAM,GAAG;AAAA,IACjD;AAAA,IACA,iBAAiB,MAAM,QAAQ,KAAK,IAAI,CAAC;AAAA,IACzC;AAAA,EACF,EAAE,KAAK,IAAI;AAEX,QAAM,kBAAkB;AAAA,IACtB,gBAAgB,MAAM,UAAU,yBAAyB,MAAM,UAAU;AAAA,IACzE,GAAG,MAAM,UAAU,IAAI,CAAC,aAAa,eAAe,UAAU,MAAM,UAAU,CAAC;AAAA,IAC/E;AAAA,EACF,EAAE,KAAK,IAAI;AAEX,SAAO,GAAG,WAAW;AAAA;AAAA,EAAO,eAAe;AAC7C;AAEA,SAAS,eAAe,UAAyB,iBAAiC;AAChF,MAAI,SAAS,SAAS,QAAQ;AAC5B,WAAO,KAAK,SAAS,GAAG,UAAU,SAAS,gBAAgB;AAAA,EAC7D;AAEA,QAAM,UAAU,SAAS,UAAU,CAAC,GACjC,IAAI,CAAC,UAAU,GAAG,eAAe,IAAI,KAAK,EAAE,EAC5C,KAAK,IAAI;AACZ,QAAM,cAAc,SAAS,cAAc,CAAC,GACzC,IAAI,CAAC,cAAc,GAAG,SAAS,gBAAgB,IAAI,SAAS,EAAE,EAC9D,KAAK,IAAI;AAEZ,SAAO,KAAK,SAAS,GAAG,SAAS,SAAS,gBAAgB,gBAAgB,MAAM,mBAAmB,UAAU;AAC/G;AAEA,SAAS,aAAa,YAAyC;AAC7D,SAAO,WAAW,cAAc,UAAa,WAAW,cAAc;AACxE;AAEA,SAAS,iBAAiB,YAAyC;AACjE,SAAO,QAAQ,WAAW,UAAU,MAAM;AAC5C;AAEA,SAAS,sBACP,YACA,kBACQ;AACR,MAAI,eAAe,SAAS;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI,eAAe,SAAS;AAC1B,WAAO;AAAA,EACT;AAEA,SAAO,iBAAiB,IAAI,UAAU,KAAK,6BAA6B,UAAU;AACpF;AAEA,SAAS,6BAA6B,MAAsB;AAC1D,SAAO,GAAG,YAAY,IAAI,CAAC;AAC7B;AAEA,SAAS,yBAAyB,gBAAwB,MAAwB;AAChF,SAAO,GAAG,YAAY,cAAc,CAAC,GAAG,KAAK,IAAI,YAAY,EAAE,KAAK,EAAE,CAAC;AACzE;AAEA,SAAS,sBAAsB,QAAkB,MAAsB;AACrE,MAAI,OAAO,WAAW,GAAG;AACvB,WAAO,YAAY,IAAI;AAAA,EACzB;AAEA,SAAO,GAAG,OAAO,IAAI,YAAY,EAAE,KAAK,EAAE,CAAC,GAAG,aAAa,IAAI,CAAC,GAAG,QAAQ,OAAO,CAAC,SAAS,KAAK,YAAY,CAAC;AAChH;AAEA,SAAS,YAAY,OAAuB;AAC1C,QAAM,QAAQ,UAAU,KAAK;AAC7B,QAAM,CAAC,QAAQ,IAAI,GAAG,IAAI,IAAI;AAC9B,SAAO,GAAG,KAAK,GAAG,KAAK,IAAI,UAAU,EAAE,KAAK,EAAE,CAAC;AACjD;AAEA,SAAS,aAAa,OAAuB;AAC3C,SAAO,UAAU,KAAK,EAAE,IAAI,UAAU,EAAE,KAAK,EAAE;AACjD;AAEA,SAAS,YAAY,OAAuB;AAC1C,SAAO,MACJ,QAAQ,sBAAsB,OAAO,EACrC,QAAQ,kBAAkB,GAAG,EAC7B,YAAY;AACjB;AAEA,SAAS,UAAU,OAAyB;AAC1C,SAAO,MACJ,QAAQ,sBAAsB,OAAO,EACrC,MAAM,eAAe,EACrB,IAAI,CAAC,SAAS,KAAK,YAAY,CAAC,EAChC,OAAO,OAAO;AACnB;AAEA,SAAS,WAAW,OAAuB;AACzC,SAAO,MAAM,OAAO,CAAC,EAAE,YAAY,IAAI,MAAM,MAAM,CAAC;AACtD;;;AChkBO,SAAS,mBAAmB,aAA2C;AAC5E,QAAM,aAAa,YAAY,IAAI,CAAC,eAAe,0BAA0B,UAAU,CAAC;AACxF,SAAO,WAAW,KAAK,MAAM;AAC/B;AAWA,SAAS,qBAAqB,YAAqD;AACjF,QAAM,YAAYA,aAAY,WAAW,IAAI;AAC7C,QAAM,eAAe,GAAG,SAAS;AACjC,QAAM,MAA2B,CAAC;AAIlC,aAAW,SAAS,WAAW,QAAQ;AACrC,QAAI,MAAM,SAAS,kBAAkB,MAAM,YAAY,MAAM;AAC3D,YAAM,YAAY,GAAG,SAAS,GAAGC,cAAa,MAAM,IAAI,CAAC;AACzD,UAAI,KAAK,EAAE,WAAW,MAAM,MAAM,WAAW,aAAa,CAAC;AAAA,IAC7D;AAAA,EACF;AACA,SAAO;AACT;AAwBO,SAAS,wBAAwB,aAA2C;AACjF,QAAM,sBAAsB,IAAI;AAAA,IAC9B,YAAY,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,qBAAqB,CAAC,CAAC,CAAC;AAAA,EAC1D;AACA,QAAM,aAAa,MAAM,KAAK,oBAAoB,OAAO,CAAC,EAAE;AAAA,IAC1D,CAAC,SAAS,KAAK,SAAS;AAAA,EAC1B;AAEA,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,GAAI,aAAa,CAAC,UAAU,IAAI,CAAC;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,EAAE,KAAK,IAAI;AAKX,QAAM,iBAAiB,aACnB;AAAA,IACE;AAAA,IACA;AAAA,EACF,EAAE,KAAK,IAAI,IACX;AACJ,QAAM,aAAa,MAAM;AAAA,IACvB,IAAI;AAAA,MACF,MAAM,KAAK,oBAAoB,OAAO,CAAC,EACpC,KAAK,EACL,IAAI,CAAC,MAAM,EAAE,SAAS;AAAA,IAC3B;AAAA,EACF,EAAE,KAAK;AAaP,QAAM,mBACJ,WAAW,SAAS,IAChB,YAAY,WAAW,KAAK,IAAI,CAAC,6BACjC;AAEN,QAAM,UAAU,CAAC,aAAa,gBAAgB,gBAAgB,EAC3D,OAAO,OAAO,EACd,KAAK,IAAI;AAEZ,QAAM,aAAa,YAAY,IAAI,CAAC,MAAM,0BAA0B,CAAC,CAAC,EAAE,KAAK,MAAM;AACnF,QAAM,UAAU,YACb,IAAI,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,IAAI,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,EACtE,KAAK,MAAM;AAEd,SAAO,CAAC,SAAS,IAAI,YAAY,IAAI,SAAS,EAAE,EAAE,KAAK,IAAI;AAC7D;AAEA,SAAS,kBACP,YACA,SACQ;AACR,QAAM,UAAU,GAAGA,cAAa,WAAW,IAAI,CAAC;AAChD,QAAM,aAAa,OAAOA,cAAa,WAAW,IAAI,CAAC;AACvD,QAAM,YAAY,MAAMA,cAAa,WAAW,IAAI,CAAC;AACrD,QAAM,OAAO,KAAK,UAAU,WAAW,IAAI;AAE3C,QAAM,SACJ,QAAQ,WAAW,IACf,mBAAmB,YAAY,MAAM,SAAS,WAAW,IAAI,IAC7D,oBAAoB,YAAY,MAAM,SAAS,WAAW,MAAM,OAAO;AAE7E,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,mCAAmC,WAAW,IAAI;AAAA,IAClD,mBAAmB,SAAS;AAAA,IAC5B;AAAA,IACA;AAAA,IACA,cAAc,OAAO;AAAA,IACrB,4BAA4B,OAAO,KAAK,IAAI;AAAA,IAC5C;AAAA,EACF,EAAE,KAAK,IAAI;AACb;AAEA,SAAS,mBACP,YACA,MACA,SACA,WACQ;AACR,SAAO;AAAA,IACL,qCAAqC,SAAS;AAAA,IAC9C,mBAAmB,UAAU;AAAA,IAC7B,4BAA4B,OAAO;AAAA,IACnC;AAAA,IACA,2BAA2B,OAAO;AAAA,IAClC,0BAA0B,OAAO,KAAK,IAAI;AAAA,IAC1C;AAAA,EACF,EAAE,KAAK,IAAI;AACb;AAEA,SAAS,oBACP,YACA,MACA,SACA,WACA,SACQ;AAKR,QAAM,cAAc,QACjB;AAAA,IACC,CAAC,MACC,gBAAgB,KAAK,UAAU,EAAE,SAAS,CAAC,YAAY,EAAE,SAAS,aAAa,EAAE,SAAS,IAAI,EAAE,YAAY;AAAA,EAChH,EACC,KAAK,IAAI;AAEZ,SAAO;AAAA,IACL;AAAA,IACA,oCAAoC,SAAS;AAAA,IAC7C;AAAA,IACA;AAAA,IACA,cAAc,QAAQ,IAAI,CAAC,MAAM,KAAK,EAAE,SAAS,IAAI,EAAE,KAAK,IAAI,CAAC;AAAA,IACjE;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,yBAAyB,UAAU;AAAA,IACnC,4BAA4B,OAAO;AAAA,IACnC;AAAA,IACA,2BAA2B,OAAO;AAAA,IAClC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,0BAA0B,OAAO,KAAK,IAAI;AAAA,IAC1C;AAAA,EACF,EAAE,KAAK,IAAI;AACb;AAEA,SAAS,0BAA0B,YAAwC;AACzE,QAAM,gBAAgB,GAAGA,cAAa,WAAW,IAAI,CAAC;AACtD,QAAM,SAAS;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI,WAAW,WAAW,aAAa,QAAQ;AAC7C,WAAO,KAAK,gCAAgC;AAAA,EAC9C;AAEA,MAAI,WAAW,WAAW;AACxB,WAAO,KAAK,eAAe;AAAA,EAC7B;AAEA,MAAI,WAAW,UAAU,QAAQ;AAC/B,WAAO,KAAK,iCAAiC;AAAA,EAC/C;AAEA,SAAO,KAAK,GAAG,aAAa,WAAW,MAAM,CAAC;AAE9C,SAAO,CAAC,oBAAoB,aAAa,MAAM,GAAG,OAAO,IAAI,CAAC,UAAU,KAAK,KAAK,EAAE,GAAG,GAAG,EAAE,KAAK,IAAI;AACvG;AAEA,SAAS,aAAa,QAAyB,SAAmB,CAAC,GAAa;AAC9E,QAAM,QAAkB,CAAC;AAEzB,aAAW,SAAS,QAAQ;AAC1B,QAAI,MAAM,SAAS,SAAS,MAAM,SAAS,eAAe;AACxD,YAAM,KAAK,GAAG,aAAa,MAAM,QAAQ,MAAM,CAAC;AAChD;AAAA,IACF;AAEA,UAAM,YAAY,MAAM,SAAS,UAAU,gBAAgB,QAAQ,MAAM,IAAI,IAAI;AAEjF,QAAI,MAAM,SAAS,SAAS;AAC1B,YAAM,YAAY,iBAAiB,MAAM,MAAM;AAC/C,YAAM,KAAK,GAAG,SAAS,KAAK,iBAAiB,WAAW,MAAM,QAAQ,CAAC,GAAG;AAC1E;AAAA,IACF;AAEA,UAAM,eAAe,gBAAgB,QAAQ,MAAM,IAAI;AACvD,UAAM,aAAa,cAAc,KAAK;AACtC,UAAM,KAAK,GAAG,YAAY,KAAK,iBAAiB,YAAY,MAAM,QAAQ,CAAC,GAAG;AAAA,EAChF;AAEA,SAAO;AACT;AAEA,SAAS,iBAAiB,QAAiC;AACzD,QAAM,UAAU,aAAa,MAAM,EAAE,IAAI,CAAC,UAAU,KAAK,KAAK,EAAE;AAChE,SAAO,CAAC,KAAK,GAAG,SAAS,GAAG,EAAE,KAAK,IAAI;AACzC;AAEA,SAAS,cAAc,OAAkF;AACvG,UAAQ,MAAM,MAAM;AAAA,IAClB,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO,MAAM,UAAU,aAAa;AAAA,IACtC,KAAK;AACH,aAAO,SAAS,iBAAiB,MAAM,MAAM,CAAC;AAAA,IAChD,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,IACT;AACE,aAAO;AAAA,EACX;AACF;AAEA,SAAS,iBAAiB,YAAoB,UAA4B;AACxE,SAAO,WAAW,aAAa,GAAG,UAAU;AAC9C;AAEA,SAAS,gBAAgB,QAAkB,MAAsB;AAC/D,MAAI,OAAO,WAAW,GAAG;AACvB,WAAOD,aAAY,IAAI;AAAA,EACzB;AAEA,SAAO,GAAG,OAAO,CAAC,CAAC,GAAG,OAAO,MAAM,CAAC,EAAE,IAAIC,aAAY,EAAE,KAAK,EAAE,CAAC,GAAGA,cAAa,IAAI,CAAC;AACvF;AAEA,SAASD,aAAY,OAAuB;AAC1C,QAAM,QAAQE,WAAU,KAAK;AAC7B,QAAM,CAAC,QAAQ,IAAI,GAAG,IAAI,IAAI;AAC9B,SAAO,GAAG,KAAK,GAAG,KAAK,IAAID,aAAY,EAAE,KAAK,EAAE,CAAC;AACnD;AAEA,SAASA,cAAa,OAAuB;AAC3C,SAAOC,WAAU,KAAK,EACnB,IAAI,CAAC,SAAS,KAAK,OAAO,CAAC,EAAE,YAAY,IAAI,KAAK,MAAM,CAAC,CAAC,EAC1D,KAAK,EAAE;AACZ;AAEA,SAASA,WAAU,OAAyB;AAC1C,SAAO,MACJ,QAAQ,sBAAsB,OAAO,EACrC,MAAM,eAAe,EACrB,IAAI,CAAC,SAAS,KAAK,YAAY,CAAC,EAChC,OAAO,OAAO;AACnB;","names":["toCamelCase","toPascalCase","splitName"]}
package/dist/chunk-QYP6E5FP.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/config/access.ts","../src/auth/token.ts","../src/auth/password.ts","../src/auth/csrf.ts","../src/auth/oauth-providers.ts","../src/auth/oauth-resolve.ts","../src/auth/oauth-resolve-member.ts","../src/auth/oauth-state.ts","../src/auth/oauth-arctic.ts","../src/auth/session.ts","../src/auth/identities-admin.ts","../src/auth/reset-token.ts","../src/auth/member-token.ts","../src/auth/member-session.ts","../src/auth/member-credentials.ts"],"sourcesContent":["import { type NpAccessFunction } from \"./types.js\";\n\nexport const authenticated: NpAccessFunction = ({ user }) => !!user;\n\nexport const isAdmin: NpAccessFunction = ({ user }) => user?.role === \"admin\";\n\nexport const isEditorOrAbove: NpAccessFunction = ({ user }) =>\n !!user && (user.role === \"admin\" || user.role === \"editor\");\n\nexport const isOwnerOrAdmin: NpAccessFunction = ({ user, doc }) =>\n user?.role === \"admin\" || doc?.createdBy === user?.id;\n","import { randomBytes } from \"node:crypto\";\nimport { jwtVerify, SignJWT, errors as joseErrors, type JWTPayload } from \"jose\";\n\nimport type { NpUserRole } from \"../config/types.js\";\nimport { NpAuthError } from \"../errors.js\";\n\n/**\n * Staff-side JWT helpers. Both access (`np-session`) and refresh\n * (`np-refresh`) cookies are signed with this module; the\n * `use: \"access\" | \"refresh\"` claim separates them so a stolen\n * refresh JWT cannot be replayed as a session cookie. Without this\n * separation a leaked 7-day refresh became a 7-day admin bearer\n * because both cookies decoded to the same `{ sub, role, ver }`\n * payload through `verifyToken` (#94).\n *\n * The fix mirrors the member-side fix from #92/#93: the `use` claim\n * is required, no legacy fallback for tokens missing the claim. The\n * cost is one forced re-login for staff sessions issued before the\n * deploy; bounded by the 7-day refresh TTL.\n */\nexport type NpTokenUse = \"access\" | \"refresh\";\n\nexport interface NpTokenPayload {\n sub: string;\n role: NpUserRole;\n ver: number;\n /** Required. `verifyToken` refuses tokens missing this claim so\n * legacy refresh JWTs cannot be smuggled into the session\n * cookie path. */\n use: NpTokenUse;\n /** Random per-token id — needed if rotation lands on the staff\n * side (mirrors the member-side `jti` for #45). Optional today\n * but populated on every newly-minted token. */\n jti?: string;\n iat: number;\n exp: number;\n}\n\nconst textEncoder = new TextEncoder();\n\nexport async function signToken(\n user: { id: string; role: NpUserRole; tokenVersion: number },\n secret: string,\n expirationSeconds: number = 7200,\n tokenUse: NpTokenUse = \"access\",\n): Promise<string> {\n const secretKey = textEncoder.encode(secret);\n\n return new SignJWT({\n sub: user.id,\n role: user.role,\n ver: user.tokenVersion,\n use: tokenUse,\n })\n .setProtectedHeader({ alg: \"HS256\" })\n .setJti(randomBytes(16).toString(\"base64url\"))\n .setIssuedAt()\n .setExpirationTime(Math.floor(Date.now() / 1000) + expirationSeconds)\n .sign(secretKey);\n}\n\n/**\n * Verify a staff JWT. When `expectedUse` is provided, refuses tokens\n * whose `use` claim doesn't match — that's how `getSessionUser`\n * rejects a refresh token used as a session cookie and how the\n * refresh route rejects an access token as a refresh trigger.\n *\n * Tokens minted before the `use` claim landed have NO `use` payload\n * field. We refuse those outright rather than treating them as\n * `access` — the prior fallback would let still-live legacy refresh\n * JWTs be smuggled into the session cookie and pass the access\n * check. Cost: staff logged in before this deploy must log in once.\n * Bounded by the refresh-token TTL (default 7 days).\n */\nexport async function verifyToken(\n token: string,\n secret: string,\n expectedUse?: NpTokenUse,\n): Promise<NpTokenPayload> {\n const secretKey = textEncoder.encode(secret);\n const { payload } = await jwtVerify(token, secretKey);\n const typed = payload as JWTPayload & {\n sub: string;\n role: NpUserRole;\n ver: number;\n iat: number;\n exp: number;\n use?: NpTokenUse;\n };\n if (typed.use !== \"access\" && typed.use !== \"refresh\") {\n throw new NpAuthError(\"Staff token missing `use` claim\");\n }\n const use: NpTokenUse = typed.use;\n if (expectedUse && use !== expectedUse) {\n throw new NpAuthError(\n `Staff token use mismatch: expected ${expectedUse}, got ${use}`,\n );\n }\n return { ...typed, use };\n}\n\n/**\n * True when `err` represents a token-verification failure rather than\n * an unrelated runtime fault (DB outage, misconfiguration, …). Auth\n * helpers use this to keep the existing \"bad token → 401\" behavior\n * silent while letting infrastructure failures surface as 5xx.\n *\n * Covers:\n * - `NpAuthError` — `verifyToken` / `verifyMemberToken` rejecting a\n * missing or wrong `use` claim, or `verifyCsrf` failing.\n * - `jose.errors.JOSEError` — every JWT signature / format /\n * expiration failure, including subclasses like `JWTExpired`,\n * `JWSSignatureVerificationFailed`, `JWTInvalid`.\n */\nexport function isTokenVerificationError(err: unknown): boolean {\n if (err instanceof NpAuthError) return true;\n if (err instanceof joseErrors.JOSEError) return true;\n return false;\n}\n","import { hash, verify, type Options } from \"@node-rs/argon2\";\n\nexport const ARGON2_OPTIONS: Options = {\n memoryCost: 19456,\n timeCost: 2,\n outputLen: 32,\n parallelism: 1,\n};\n\n// Test-only weak params — drops a hash from ~75ms to <1ms. Only kicks in\n// when NP_TEST_FAST_HASH=1 is explicitly set (vitest's setup-env.ts does\n// this) so production / dev never see weakened security.\nconst TEST_ARGON2_OPTIONS: Options = {\n memoryCost: 8,\n timeCost: 1,\n outputLen: 32,\n parallelism: 1,\n};\n\nexport function hashPassword(password: string): Promise<string> {\n return hash(\n password,\n process.env.NP_TEST_FAST_HASH === \"1\" ? TEST_ARGON2_OPTIONS : ARGON2_OPTIONS,\n );\n}\n\nexport function verifyPassword(\n passwordHash: string,\n password: string,\n): Promise<boolean> {\n return verify(passwordHash, password);\n}\n","const SAFE_METHODS = new Set([\"GET\", \"HEAD\", \"OPTIONS\"]);\n\nexport function verifyCsrf(\n method: string,\n cookieToken: string | undefined,\n headerToken: string | undefined,\n): boolean {\n if (SAFE_METHODS.has(method.toUpperCase())) {\n return true;\n }\n\n return Boolean(cookieToken && headerToken && cookieToken === headerToken);\n}\n","/**\n * OAuth provider registry — extension point for SSO. A provider plugin\n * (e.g. `@nexpress/plugin-oauth-github`) registers itself at startup\n * via `registerOAuthProvider()`; the framework's `/api/auth/oauth/{id}`\n * routes look it up by id.\n *\n * The provider is responsible for:\n * - Building the authorize URL (`authorize`).\n * - Exchanging the callback code for a normalized profile (`exchange`).\n *\n * The framework owns state-cookie signing, identity ↔ user resolution,\n * session minting, and audit. Providers must NOT touch cookies, the DB,\n * or response objects directly.\n */\n\n/**\n * Profile returned from a successful `exchange()`. The framework uses\n * `providerUserId` as the durable identifier — `email` may change at the\n * provider but `providerUserId` should not. If the provider doesn't\n * surface `email`, the framework falls back to creating a synthetic\n * placeholder (`<providerUserId>@<provider>.oauth.local`) so the\n * `np_users.email NOT NULL UNIQUE` constraint is still satisfied.\n */\nexport interface OAuthProfile {\n /** Stable per-user id from the provider. Required. */\n providerUserId: string;\n /** Optional — falls back to synthetic if missing. */\n email?: string | null;\n /** Optional — defaults to email local-part on user creation. */\n name?: string | null;\n /** Optional — written into `np_user_oauth_identities.metadata`. */\n avatarUrl?: string | null;\n /** Optional — full payload the provider wants to remember (e.g. scopes). */\n metadata?: Record<string, unknown>;\n}\n\n/**\n * Inputs the provider receives at the two callback boundaries. The\n * framework picks `redirectUri` from `SITE_URL` (or the request origin\n * in dev) so the provider doesn't have to know its own deployment URL.\n */\nexport interface OAuthAuthorizeParams {\n state: string;\n redirectUri: string;\n /**\n * PKCE code verifier (32+ char URL-safe random). The framework\n * generates one for every login and threads it through the state\n * cookie. Providers that don't support PKCE (e.g. GitHub) ignore it;\n * providers that require it (e.g. Google) hash it into the\n * `code_challenge` query param.\n */\n codeVerifier: string;\n}\n\nexport interface OAuthExchangeParams {\n code: string;\n state: string;\n redirectUri: string;\n /** Same verifier minted at /start, recovered from the state cookie. */\n codeVerifier: string;\n}\n\nexport interface OAuthProvider {\n /** Stable id used in route paths and `np_user_oauth_identities.provider`. */\n id: string;\n /** Human-readable label for admin UI / login buttons. */\n label?: string;\n /**\n * Returns a fully-qualified URL the framework should redirect the\n * browser to. Async to allow providers that need to mint per-request\n * client credentials.\n */\n authorize(params: OAuthAuthorizeParams): Promise<string> | string;\n /**\n * Validates the callback and returns the normalized profile.\n * Throwing here aborts the login with `OAUTH_EXCHANGE_FAILED`.\n */\n exchange(params: OAuthExchangeParams): Promise<OAuthProfile>;\n}\n\nconst providers = new Map<string, OAuthProvider>();\n\n/**\n * Register a provider. Idempotent: re-registering with the same id\n * overwrites — useful in dev when a plugin's `setup()` runs again on\n * reload.\n */\nexport function registerOAuthProvider(provider: OAuthProvider): void {\n if (!provider.id || typeof provider.id !== \"string\") {\n throw new Error(\"OAuth provider must have a non-empty string id\");\n }\n if (typeof provider.authorize !== \"function\" || typeof provider.exchange !== \"function\") {\n throw new Error(\n `OAuth provider \"${provider.id}\" must implement authorize() and exchange()`,\n );\n }\n providers.set(provider.id, provider);\n}\n\nexport function getOAuthProvider(id: string): OAuthProvider | undefined {\n return providers.get(id);\n}\n\nexport function listOAuthProviders(): OAuthProvider[] {\n return Array.from(providers.values());\n}\n\n/** Reset the registry — tests use this between cases. Not for runtime use. */\nexport function resetOAuthProviders(): void {\n providers.clear();\n}\n","import { eq, and, sql } from \"drizzle-orm\";\nimport type { NodePgDatabase } from \"drizzle-orm/node-postgres\";\n\nimport { getDb } from \"../db/runtime.js\";\nimport { npUserOAuthIdentities, npUsers } from \"../db/schema/system.js\";\nimport type { NpUserRole } from \"../config/types.js\";\n\nimport { hashPassword } from \"./password.js\";\nimport type { OAuthProfile } from \"./oauth-providers.js\";\n\n/**\n * Resolves an `OAuthProfile` to a real `np_users` row, in this order:\n *\n * 1. Lookup by `(provider, provider_user_id)` — the durable link. This\n * is the only path that survives an email change at the provider.\n * 2. Email-match — if the provider gave us an email and an existing\n * user has it, link the OAuth identity to that user. Lets a staff\n * member who originally signed up with a password later \"sign in\n * with Google\" and have it just work, without an explicit linking\n * UI.\n * 3. Create — auto-provision a new user with the provider's profile,\n * default role `viewer`. The password column is filled with an\n * unrecoverable Argon2 hash of a random secret so the column\n * constraints are satisfied; the user can later run the\n * forgot-password flow to set a real password if they want one.\n *\n * Side effects: writes a row into `np_user_oauth_identities` for paths\n * 2 and 3, updates `metadata` for path 1.\n */\nexport interface ResolveOAuthLoginResult {\n user: ResolvedOAuthUser;\n /** Tells the caller whether this login created the underlying user. */\n created: boolean;\n /** Tells the caller whether this login linked a new identity row. */\n linked: boolean;\n}\n\nexport interface ResolvedOAuthUser {\n id: string;\n email: string;\n name: string;\n role: NpUserRole;\n tokenVersion: number;\n}\n\nexport interface ResolveOAuthLoginInput {\n provider: string;\n profile: OAuthProfile;\n /** Default role for auto-created users. Defaults to `\"viewer\"`. */\n defaultRole?: NpUserRole;\n}\n\nconst SYNTHETIC_EMAIL_SUFFIX = \".oauth.local\";\n\nfunction syntheticEmail(provider: string, providerUserId: string): string {\n // Stable, namespaced, doesn't collide with real provider domains.\n return `${providerUserId}@${provider}${SYNTHETIC_EMAIL_SUFFIX}`;\n}\n\nfunction deriveName(profile: OAuthProfile, fallbackEmail: string): string {\n if (profile.name && profile.name.trim().length > 0) return profile.name.trim();\n const localPart = fallbackEmail.split(\"@\")[0];\n return localPart && localPart.length > 0 ? localPart : \"Member\";\n}\n\nexport async function resolveOAuthLogin(\n input: ResolveOAuthLoginInput,\n): Promise<ResolveOAuthLoginResult> {\n const db = getDb() as unknown as NodePgDatabase<Record<string, unknown>>;\n const provider = input.provider;\n const profile = input.profile;\n const role: NpUserRole = input.defaultRole ?? \"viewer\";\n\n // Step 1: lookup by durable provider link.\n const [existingLink] = (await db\n .select({\n userId: npUserOAuthIdentities.userId,\n identityId: npUserOAuthIdentities.id,\n })\n .from(npUserOAuthIdentities)\n .where(\n and(\n eq(npUserOAuthIdentities.provider, provider),\n eq(npUserOAuthIdentities.providerUserId, profile.providerUserId),\n ),\n )\n .limit(1)) as Array<{ userId: string; identityId: string }>;\n\n if (existingLink) {\n // Refresh metadata so the most recent provider info is captured.\n const metadata = mergeMetadata(profile);\n await db\n .update(npUserOAuthIdentities)\n .set({ metadata, updatedAt: new Date() })\n .where(eq(npUserOAuthIdentities.id, existingLink.identityId));\n\n const user = await loadUser(db, existingLink.userId);\n return { user, created: false, linked: false };\n }\n\n // Step 2: email match. Skipped when the provider doesn't surface an\n // email — we can't risk linking by guesswork.\n if (profile.email) {\n const normalizedEmail = profile.email.trim().toLowerCase();\n const [existingUser] = (await db\n .select({\n id: npUsers.id,\n email: npUsers.email,\n name: npUsers.name,\n role: npUsers.role,\n tokenVersion: npUsers.tokenVersion,\n })\n .from(npUsers)\n .where(eq(sql`lower(${npUsers.email})`, normalizedEmail))\n .limit(1)) as ResolvedOAuthUser[];\n\n if (existingUser) {\n await db.insert(npUserOAuthIdentities).values({\n userId: existingUser.id,\n provider,\n providerUserId: profile.providerUserId,\n metadata: mergeMetadata(profile),\n });\n return { user: existingUser, created: false, linked: true };\n }\n }\n\n // Step 3: auto-provision.\n const email =\n profile.email && profile.email.trim().length > 0\n ? profile.email.trim().toLowerCase()\n : syntheticEmail(provider, profile.providerUserId);\n const name = deriveName(profile, email);\n const placeholderPassword = await hashPassword(\n crypto.randomUUID() + crypto.randomUUID(),\n );\n\n const [created] = (await db\n .insert(npUsers)\n .values({\n email,\n name,\n password: placeholderPassword,\n role,\n })\n .returning({\n id: npUsers.id,\n email: npUsers.email,\n name: npUsers.name,\n role: npUsers.role,\n tokenVersion: npUsers.tokenVersion,\n })) as ResolvedOAuthUser[];\n\n await db.insert(npUserOAuthIdentities).values({\n userId: created.id,\n provider,\n providerUserId: profile.providerUserId,\n metadata: mergeMetadata(profile),\n });\n\n return { user: created, created: true, linked: true };\n}\n\nfunction mergeMetadata(profile: OAuthProfile): Record<string, unknown> {\n const base: Record<string, unknown> = {};\n if (profile.avatarUrl) base.avatarUrl = profile.avatarUrl;\n if (profile.email) base.email = profile.email;\n if (profile.name) base.name = profile.name;\n if (profile.metadata) Object.assign(base, profile.metadata);\n return base;\n}\n\nasync function loadUser(\n db: NodePgDatabase<Record<string, unknown>>,\n userId: string,\n): Promise<ResolvedOAuthUser> {\n const [row] = (await db\n .select({\n id: npUsers.id,\n email: npUsers.email,\n name: npUsers.name,\n role: npUsers.role,\n tokenVersion: npUsers.tokenVersion,\n })\n .from(npUsers)\n .where(eq(npUsers.id, userId))\n .limit(1)) as ResolvedOAuthUser[];\n if (!row) {\n throw new Error(`User ${userId} referenced by oauth identity is missing`);\n }\n return row;\n}\n","import { and, eq, sql } from \"drizzle-orm\";\nimport type { NodePgDatabase } from \"drizzle-orm/node-postgres\";\n\nimport { getDb } from \"../db/runtime.js\";\nimport { getCommunitySettings } from \"../community/settings.js\";\nimport { npMemberIdentities, npMembers } from \"../db/schema/community.js\";\nimport { NpForbiddenError } from \"../errors.js\";\n\nimport { hashPassword } from \"./password.js\";\nimport type { OAuthProfile } from \"./oauth-providers.js\";\n\n/**\n * Member-side mirror of `resolveOAuthLogin` (the staff resolver in\n * `oauth-resolve.ts`). Walks the same three-step ladder:\n *\n * 1. Lookup by `(provider, subject)` in `np_member_identities` —\n * durable provider link.\n * 2. Email match — if the profile carries an email, link the\n * identity to the existing `np_members` row.\n * 3. Auto-provision a new member with status=`active`, default\n * password = unrecoverable Argon2 of a random secret. The user\n * can later run forgot-password to set a real password if they\n * want one (or stay SSO-only).\n *\n * Members are kept distinct from staff users at every layer\n * (different table, different cookies, different audience claim on\n * the JWT). This resolver intentionally never touches `np_users`.\n */\nexport interface ResolvedOAuthMember {\n id: string;\n email: string;\n handle: string;\n displayName: string;\n status: \"active\" | \"pending\" | \"suspended\" | \"deleted\";\n tokenVersion: number;\n}\n\nexport interface ResolveMemberOAuthLoginInput {\n provider: string;\n profile: OAuthProfile;\n}\n\nexport interface ResolveMemberOAuthLoginResult {\n member: ResolvedOAuthMember;\n /** True when this login auto-provisioned the underlying member. */\n created: boolean;\n /** True when this login linked a new identity row (covers steps 2 + 3). */\n linked: boolean;\n}\n\nconst SYNTHETIC_EMAIL_SUFFIX = \".oauth.local\";\nconst HANDLE_FALLBACK = \"user\";\nconst HANDLE_RANDOM_SUFFIX_BYTES = 4;\n\nfunction syntheticEmail(provider: string, providerUserId: string): string {\n return `${providerUserId}@${provider}${SYNTHETIC_EMAIL_SUFFIX}`;\n}\n\n/**\n * Members have a unique `handle` field. Build a candidate from the\n * provider's profile, sanitize to the project's handle regex, and add\n * a short random suffix to dodge collisions on common values like\n * \"alice\" / \"octocat\".\n *\n * Handle regex (per `register/route.ts`):\n * /^[a-z0-9][a-z0-9_-]{2,29}$/\n */\nfunction generateHandle(profile: OAuthProfile, fallbackEmail: string): string {\n const seed =\n (profile.metadata && typeof profile.metadata.login === \"string\" && profile.metadata.login) ||\n profile.name ||\n fallbackEmail.split(\"@\")[0] ||\n HANDLE_FALLBACK;\n const sanitized = String(seed)\n .toLowerCase()\n .replace(/[^a-z0-9_-]/g, \"-\")\n .replace(/^[-_]+/, \"\")\n .slice(0, 20);\n const base = sanitized.length >= 3 ? sanitized : HANDLE_FALLBACK;\n // Random suffix keeps handles unique across the OAuth user pool —\n // accept the cost of \"alice-9k2x\" rather than fighting a tight loop\n // of insert-and-retry on every collision.\n const suffix = Math.random()\n .toString(36)\n .slice(2, 2 + HANDLE_RANDOM_SUFFIX_BYTES);\n return `${base}-${suffix}`.slice(0, 30);\n}\n\nfunction deriveDisplayName(profile: OAuthProfile, fallbackEmail: string): string {\n if (profile.name && profile.name.trim().length > 0) return profile.name.trim();\n const localPart = fallbackEmail.split(\"@\")[0];\n return localPart && localPart.length > 0 ? localPart : \"Member\";\n}\n\nfunction mergeMetadata(profile: OAuthProfile): Record<string, unknown> {\n const base: Record<string, unknown> = {};\n if (profile.avatarUrl) base.avatarUrl = profile.avatarUrl;\n if (profile.email) base.email = profile.email;\n if (profile.name) base.name = profile.name;\n if (profile.metadata) Object.assign(base, profile.metadata);\n return base;\n}\n\nasync function loadMember(\n db: NodePgDatabase<Record<string, unknown>>,\n memberId: string,\n): Promise<ResolvedOAuthMember> {\n const [row] = (await db\n .select({\n id: npMembers.id,\n email: npMembers.email,\n handle: npMembers.handle,\n displayName: npMembers.displayName,\n status: npMembers.status,\n tokenVersion: npMembers.tokenVersion,\n })\n .from(npMembers)\n .where(eq(npMembers.id, memberId))\n .limit(1)) as ResolvedOAuthMember[];\n if (!row) {\n throw new Error(`Member ${memberId} referenced by oauth identity is missing`);\n }\n return row;\n}\n\nexport async function resolveMemberOAuthLogin(\n input: ResolveMemberOAuthLoginInput,\n): Promise<ResolveMemberOAuthLoginResult> {\n const db = getDb() as unknown as NodePgDatabase<Record<string, unknown>>;\n const { provider, profile } = input;\n\n // Step 1: durable lookup.\n const [existingLink] = (await db\n .select({ memberId: npMemberIdentities.memberId, identityId: npMemberIdentities.id })\n .from(npMemberIdentities)\n .where(\n and(\n eq(npMemberIdentities.provider, provider),\n eq(npMemberIdentities.subject, profile.providerUserId),\n ),\n )\n .limit(1)) as Array<{ memberId: string; identityId: string }>;\n\n if (existingLink) {\n await db\n .update(npMemberIdentities)\n .set({ metadata: mergeMetadata(profile), updatedAt: new Date() })\n .where(eq(npMemberIdentities.id, existingLink.identityId));\n const member = await loadMember(db, existingLink.memberId);\n return { member, created: false, linked: false };\n }\n\n // Step 2: email match.\n if (profile.email) {\n const normalizedEmail = profile.email.trim().toLowerCase();\n const [existingMember] = (await db\n .select({\n id: npMembers.id,\n email: npMembers.email,\n handle: npMembers.handle,\n displayName: npMembers.displayName,\n status: npMembers.status,\n tokenVersion: npMembers.tokenVersion,\n })\n .from(npMembers)\n .where(eq(sql`lower(${npMembers.email})`, normalizedEmail))\n .limit(1)) as ResolvedOAuthMember[];\n\n if (existingMember) {\n // Refuse to auto-link an OAuth identity to a non-active member.\n // Without this guard an attacker who controls an OAuth account\n // with a victim's email could pre-link an identity to the\n // victim's pending (unverified) row; once the victim later\n // activates, the attacker's identity is already attached and\n // they can sign in as the victim. The callback would still\n // refuse the immediate login (status check below), but the\n // dangling link would persist.\n //\n // Active members are the only ones we'll cross-link\n // automatically — pending / suspended / deleted are returned\n // as-is and the route's status check refuses the login.\n if (existingMember.status !== \"active\") {\n return { member: existingMember, created: false, linked: false };\n }\n await db.insert(npMemberIdentities).values({\n memberId: existingMember.id,\n provider,\n subject: profile.providerUserId,\n email: profile.email,\n metadata: mergeMetadata(profile),\n });\n return { member: existingMember, created: false, linked: true };\n }\n }\n\n // Step 3: auto-provision a brand-new member account. This is the\n // step the `community.registrationEnabled` site setting gates —\n // an invite-only site that disables password sign-up via\n // `/api/members/register` would otherwise be joined through OAuth\n // (the password endpoint and OAuth callback both create new\n // member rows from an unauthenticated request, so they're the\n // same surface from a policy point of view).\n //\n // Steps 1 and 2 are NOT gated: durable links and email matches\n // log an EXISTING member back in, which isn't a new\n // registration. An admin who flips `registrationEnabled = false`\n // expects existing members to keep working — only new accounts\n // should be refused.\n const settings = await getCommunitySettings();\n if (!settings.registrationEnabled) {\n throw new NpForbiddenError(\"members\", \"register\");\n }\n\n const email =\n profile.email && profile.email.trim().length > 0\n ? profile.email.trim().toLowerCase()\n : syntheticEmail(provider, profile.providerUserId);\n const displayName = deriveDisplayName(profile, email);\n const handle = generateHandle(profile, email);\n const placeholderPassword = await hashPassword(\n crypto.randomUUID() + crypto.randomUUID(),\n );\n\n const [created] = (await db\n .insert(npMembers)\n .values({\n email,\n handle,\n displayName,\n password: placeholderPassword,\n // OAuth verifies the address out-of-band (the provider showed the\n // user a real login screen for it), so skip the email-verify\n // dance that password registration goes through.\n emailVerified: true,\n status: \"active\",\n })\n .returning({\n id: npMembers.id,\n email: npMembers.email,\n handle: npMembers.handle,\n displayName: npMembers.displayName,\n status: npMembers.status,\n tokenVersion: npMembers.tokenVersion,\n })) as ResolvedOAuthMember[];\n\n await db.insert(npMemberIdentities).values({\n memberId: created.id,\n provider,\n subject: profile.providerUserId,\n email: profile.email ?? null,\n metadata: mergeMetadata(profile),\n });\n\n return { member: created, created: true, linked: true };\n}\n","import { createHmac, randomBytes, timingSafeEqual } from \"node:crypto\";\n\nimport { readEnvPositiveInt } from \"../config/env.js\";\n\n/**\n * HMAC-signed state tokens for the OAuth start ↔ callback handshake.\n * The framework (not the provider) issues + verifies these — providers\n * only see them as opaque strings.\n *\n * Token shape: `<base64url(payload)>.<base64url(hmac)>` where payload is\n * JSON `{ providerId, nonce, expSeconds, codeVerifier }`. Using an HMAC\n * instead of a JWT keeps this self-contained — no jose import, no key\n * rotation surface — and the payload stays comfortably under the\n * cookie size cap.\n *\n * The `codeVerifier` is a 32-byte URL-safe random string that providers\n * supporting PKCE (Google, etc.) hash into the authorize URL. Providers\n * that don't use PKCE (GitHub) ignore it. We always generate one so the\n * flow is uniform.\n *\n * Default state TTL is 10 minutes — long enough for slow IdP redirects\n * (corporate SSO with MFA prompts), short enough that a stale state\n * cookie doesn't sit around forever. Override via\n * `NP_OAUTH_STATE_TTL_SECONDS`.\n */\n\nconst STATE_TTL_SECONDS = readEnvPositiveInt(\"NP_OAUTH_STATE_TTL_SECONDS\", 600);\nconst CODE_VERIFIER_BYTES = 32;\n\nexport interface OAuthStatePayload {\n providerId: string;\n nonce: string;\n expSeconds: number;\n codeVerifier: string;\n}\n\nexport interface IssuedOAuthState {\n /** The serialized state token (cookie + redirect query value). */\n token: string;\n /** The PKCE verifier — also embedded in the token, surfaced here so\n * the route can pass it to `provider.authorize()` without re-parsing. */\n codeVerifier: string;\n}\n\nfunction b64url(input: string | Buffer): string {\n return Buffer.from(input).toString(\"base64url\");\n}\n\nfunction sign(payload: string, secret: string): string {\n return createHmac(\"sha256\", secret).update(payload).digest(\"base64url\");\n}\n\nexport function issueOAuthState(providerId: string, secret: string): IssuedOAuthState {\n const nonce = randomBytes(16).toString(\"base64url\");\n const codeVerifier = randomBytes(CODE_VERIFIER_BYTES).toString(\"base64url\");\n const expSeconds = Math.floor(Date.now() / 1000) + STATE_TTL_SECONDS;\n const payload: OAuthStatePayload = { providerId, nonce, expSeconds, codeVerifier };\n const encoded = b64url(JSON.stringify(payload));\n const sig = sign(encoded, secret);\n return { token: `${encoded}.${sig}`, codeVerifier };\n}\n\nexport interface VerifyOAuthStateResult {\n ok: boolean;\n payload?: OAuthStatePayload;\n reason?: \"format\" | \"signature\" | \"expired\";\n}\n\n/**\n * Strict verification:\n * - Format must be `<payload>.<sig>` with two segments.\n * - HMAC must match (constant-time compare).\n * - `expSeconds` must be in the future.\n * - `providerId` in the payload must match the route's expected provider.\n * - `codeVerifier` must be a non-empty string.\n */\nexport function verifyOAuthState(\n token: string,\n expectedProviderId: string,\n secret: string,\n): VerifyOAuthStateResult {\n if (typeof token !== \"string\" || !token.includes(\".\")) {\n return { ok: false, reason: \"format\" };\n }\n const [encoded, sig] = token.split(\".\") as [string, string];\n if (!encoded || !sig) {\n return { ok: false, reason: \"format\" };\n }\n const expectedSig = sign(encoded, secret);\n const sigBuf = Buffer.from(sig);\n const expectedBuf = Buffer.from(expectedSig);\n if (sigBuf.length !== expectedBuf.length || !timingSafeEqual(sigBuf, expectedBuf)) {\n return { ok: false, reason: \"signature\" };\n }\n\n let payload: OAuthStatePayload;\n try {\n payload = JSON.parse(Buffer.from(encoded, \"base64url\").toString(\"utf8\"));\n } catch {\n return { ok: false, reason: \"format\" };\n }\n\n if (\n !payload ||\n typeof payload.providerId !== \"string\" ||\n typeof payload.nonce !== \"string\" ||\n typeof payload.expSeconds !== \"number\" ||\n typeof payload.codeVerifier !== \"string\" ||\n payload.codeVerifier.length === 0\n ) {\n return { ok: false, reason: \"format\" };\n }\n\n if (payload.providerId !== expectedProviderId) {\n return { ok: false, reason: \"signature\" };\n }\n\n if (payload.expSeconds <= Math.floor(Date.now() / 1000)) {\n return { ok: false, reason: \"expired\" };\n }\n\n return { ok: true, payload };\n}\n","import type { OAuthProfile, OAuthProvider } from \"./oauth-providers.js\";\n\n/**\n * Adapter that bridges any [arctic](https://arctic.js.org/) provider\n * (`new GitHub(...)`, `new Google(...)`, `new Apple(...)`, etc.) to\n * NexPress's `OAuthProvider` interface.\n *\n * Why this exists: arctic ships ~25 maintained providers and handles\n * the OAuth dance — token exchange, PKCE hashing, refresh-token\n * support — so plugin authors only have to write the **profile fetch**\n * (the part that varies most by provider). Our framework still owns\n * state cookies, identity ↔ user resolution, and session minting; this\n * adapter just lets users skip the boilerplate token POST.\n *\n * Usage from a plugin:\n *\n * import { Apple } from \"arctic\";\n * import { fromArctic, registerOAuthProvider } from \"@nexpress/core\";\n *\n * registerOAuthProvider(fromArctic(\n * // Factory: framework calls this each request with the freshly-\n * // resolved redirectUri (matters in dev when Next.js may bind a\n * // non-default port).\n * (redirectUri) => new Apple(clientId, teamId, keyId, privateKey, redirectUri),\n * {\n * id: \"apple\",\n * scopes: [\"name\", \"email\"],\n * fetchProfile: async (accessToken, tokens) => {\n * // Apple returns the user payload INSIDE the token response\n * // (not a separate userinfo endpoint) — pull it from\n * // `tokens.idToken()` here and parse the JWT body.\n * return { providerUserId: parseAppleSub(tokens.idToken()), email: null };\n * },\n * },\n * ));\n */\n\n/**\n * Minimal slice of arctic's provider classes that the adapter actually\n * needs. Both `GitHub` (no PKCE) and `Google` (PKCE-required) match\n * this — the third positional arg is \"second positional\" for\n * non-PKCE providers (just unused) and \"code verifier\" for PKCE ones.\n *\n * Declared structurally so we don't drag arctic into the public type\n * graph of `@nexpress/core`. Plugins that import a real arctic class\n * pass it directly; the structural match keeps the signature lined up.\n */\nexport interface ArcticLikeProvider {\n createAuthorizationURL(state: string, ...rest: never[]): URL;\n validateAuthorizationCode(code: string, ...rest: never[]): Promise<ArcticLikeTokens>;\n}\n\nexport interface ArcticLikeTokens {\n accessToken(): string;\n hasRefreshToken?(): boolean;\n refreshToken?(): string;\n idToken?(): string;\n}\n\nexport interface FromArcticOptions {\n /** Provider id used in route paths and `np_user_oauth_identities.provider`. */\n id: string;\n /** Human label for admin UI / login buttons. */\n label?: string;\n /** Scopes passed to `createAuthorizationURL`. Most providers default\n * to nothing useful — set this. */\n scopes?: string[];\n /**\n * Whether the underlying arctic provider expects a PKCE code verifier\n * as the second arg to `createAuthorizationURL` and\n * `validateAuthorizationCode`. Default `true` (Google, Apple, etc.).\n * Set `false` for non-PKCE providers like GitHub.\n */\n pkce?: boolean;\n /**\n * Turns an access token (and the full token response, useful for\n * providers like Apple that return the profile in the token) into the\n * normalized `OAuthProfile` consumed by `resolveOAuthLogin`.\n *\n * Throwing aborts the login with `oauth_error=exchange_failed`.\n */\n fetchProfile: (\n accessToken: string,\n tokens: ArcticLikeTokens,\n ) => Promise<OAuthProfile>;\n}\n\n/**\n * Wraps an arctic provider into the framework's `OAuthProvider`\n * shape. The framework calls `authorize` and `exchange`; this adapter\n * builds a fresh arctic instance per request via `factory(redirectUri)`\n * so the redirect URI always matches what the framework computed for\n * THIS request — critical in dev where Next.js may fall back to a\n * non-3000 port and a setup-time-frozen redirectUri would diverge.\n *\n * Arctic provider classes are cheap to construct (just hold the three\n * credential strings), so the per-request factory call has no\n * meaningful cost.\n */\nexport function fromArctic(\n factory: (redirectUri: string) => ArcticLikeProvider,\n opts: FromArcticOptions,\n): OAuthProvider {\n const usePkce = opts.pkce !== false;\n const scopes = opts.scopes ?? [];\n\n return {\n id: opts.id,\n label: opts.label,\n authorize({ state, redirectUri, codeVerifier }) {\n const arctic = factory(redirectUri);\n // Arctic's signatures vary: `(state, scopes)` for non-PKCE,\n // `(state, codeVerifier, scopes)` for PKCE. The structural type\n // hides this; do the dispatch here so plugin code stays clean.\n const url = usePkce\n ? (arctic.createAuthorizationURL as unknown as (\n state: string,\n verifier: string,\n scopes: string[],\n ) => URL)(state, codeVerifier, scopes)\n : (arctic.createAuthorizationURL as unknown as (\n state: string,\n scopes: string[],\n ) => URL)(state, scopes);\n return url.toString();\n },\n async exchange({ code, redirectUri, codeVerifier }) {\n const arctic = factory(redirectUri);\n const tokens = usePkce\n ? await (arctic.validateAuthorizationCode as unknown as (\n code: string,\n verifier: string,\n ) => Promise<ArcticLikeTokens>)(code, codeVerifier)\n : await (arctic.validateAuthorizationCode as unknown as (\n code: string,\n ) => Promise<ArcticLikeTokens>)(code);\n return opts.fetchProfile(tokens.accessToken(), tokens);\n },\n };\n}\n","import { webcrypto } from \"node:crypto\";\n\nimport { eq, sql } from \"drizzle-orm\";\nimport type { NodePgDatabase } from \"drizzle-orm/node-postgres\";\n\nimport type { NpAuthUser } from \"../config/types.js\";\nimport { verifyToken, type NpTokenUse } from \"./token.js\";\nimport { npSessions, npUsers } from \"../db/schema/system.js\";\n\n/**\n * Loose Drizzle handle type — every staff-auth caller passes\n * the same NodePgDatabase, but TS over-narrows when the\n * generated schema record is folded in. Using\n * `Record<string, unknown>` keeps the helper portable across\n * schema generations without surfacing as `any`.\n */\ntype SessionDb = NodePgDatabase<Record<string, unknown>>;\n\nexport async function sha256(input: string): Promise<string> {\n const digest = await webcrypto.subtle.digest(\n \"SHA-256\",\n new TextEncoder().encode(input),\n );\n\n return Array.from(new Uint8Array(digest), (byte) =>\n byte.toString(16).padStart(2, \"0\"),\n ).join(\"\");\n}\n\n/**\n * Verify a staff JWT and resolve the active user.\n *\n * `expectedUse` defaults to `\"access\"` because every caller of this\n * helper outside the rotation endpoint reads `np-session` (server\n * components, route handlers, the bootstrap layout). Defaulting\n * means a fresh route or RSC page can't accidentally tolerate a\n * refresh JWT in the session cookie just by forgetting the\n * argument. The rotation route explicitly passes `\"refresh\"` for\n * its `np-refresh` read.\n *\n * Tokens missing the `use` claim throw via `verifyToken`; we let\n * that propagate so a `NpAuthError` surfaces as 401 at the API\n * layer.\n */\nexport async function verifyTokenFull(\n token: string,\n secret: string,\n db: SessionDb,\n expectedUse: NpTokenUse = \"access\",\n): Promise<NpAuthUser | null> {\n const payload = await verifyToken(token, secret, expectedUse);\n const [user] = await db\n .select({\n id: npUsers.id,\n email: npUsers.email,\n name: npUsers.name,\n role: npUsers.role,\n tokenVersion: npUsers.tokenVersion,\n })\n .from(npUsers)\n .where(eq(npUsers.id, payload.sub))\n .limit(1);\n\n if (!user || user.tokenVersion !== payload.ver) {\n return null;\n }\n\n return user;\n}\n\nexport async function invalidateAllSessions(\n userId: string,\n db: SessionDb,\n): Promise<void> {\n await db.transaction(async (tx) => {\n await tx\n .update(npUsers)\n .set({\n tokenVersion: sql`${npUsers.tokenVersion} + 1`,\n })\n .where(eq(npUsers.id, userId));\n\n await tx.delete(npSessions).where(eq(npSessions.userId, userId));\n });\n}\n","import { and, desc, eq } from \"drizzle-orm\";\nimport type { NodePgDatabase } from \"drizzle-orm/node-postgres\";\n\nimport { getDb } from \"../db/runtime.js\";\nimport { recordAuditEvent } from \"../community/audit.js\";\nimport {\n npMemberIdentities,\n npMembers,\n} from \"../db/schema/community.js\";\nimport { npUserOAuthIdentities, npUsers } from \"../db/schema/system.js\";\nimport { NpNotFoundError } from \"../errors.js\";\n\n/**\n * Admin-side helpers for listing and revoking OAuth identity links.\n * Both staff (`np_user_oauth_identities`) and member\n * (`np_member_identities`) tables use the same shape: one row per\n * (account, provider) pair, holding the durable provider subject\n * plus arbitrary metadata. These helpers are the source of truth for\n * `/api/admin/users/[id]/identities` and the member equivalent.\n *\n * Revoking does not invalidate sessions — the user / member can\n * re-link by signing in via OAuth again, which creates a fresh\n * identity row through the resolver. Revocation is intentionally\n * reversible because the durable link is the only thing dropped;\n * the underlying account remains.\n */\n\nexport interface NpUserIdentityRow {\n id: string;\n userId: string;\n provider: string;\n providerUserId: string;\n metadata: Record<string, unknown>;\n createdAt: Date;\n updatedAt: Date;\n}\n\nexport interface NpMemberIdentityRow {\n id: string;\n memberId: string;\n provider: string;\n subject: string;\n email: string | null;\n metadata: Record<string, unknown>;\n createdAt: Date;\n updatedAt: Date;\n}\n\nasync function assertUserExists(userId: string): Promise<void> {\n const db = getDb() as unknown as NodePgDatabase<Record<string, unknown>>;\n const [row] = (await db\n .select({ id: npUsers.id })\n .from(npUsers)\n .where(eq(npUsers.id, userId))\n .limit(1)) as Array<{ id: string }>;\n if (!row) throw new NpNotFoundError(\"user\", userId);\n}\n\nasync function assertMemberExists(memberId: string): Promise<void> {\n const db = getDb() as unknown as NodePgDatabase<Record<string, unknown>>;\n const [row] = (await db\n .select({ id: npMembers.id })\n .from(npMembers)\n .where(eq(npMembers.id, memberId))\n .limit(1)) as Array<{ id: string }>;\n if (!row) throw new NpNotFoundError(\"member\", memberId);\n}\n\nexport async function listUserIdentities(userId: string): Promise<NpUserIdentityRow[]> {\n await assertUserExists(userId);\n const db = getDb() as unknown as NodePgDatabase<Record<string, unknown>>;\n const rows = (await db\n .select()\n .from(npUserOAuthIdentities)\n .where(eq(npUserOAuthIdentities.userId, userId))\n .orderBy(desc(npUserOAuthIdentities.createdAt))) as NpUserIdentityRow[];\n return rows;\n}\n\nexport async function listMemberIdentities(memberId: string): Promise<NpMemberIdentityRow[]> {\n await assertMemberExists(memberId);\n const db = getDb() as unknown as NodePgDatabase<Record<string, unknown>>;\n const rows = (await db\n .select()\n .from(npMemberIdentities)\n .where(eq(npMemberIdentities.memberId, memberId))\n .orderBy(desc(npMemberIdentities.createdAt))) as NpMemberIdentityRow[];\n return rows;\n}\n\nexport interface RevokeIdentityInput {\n /** Staff user id whose identity is being revoked (`actorKind: \"staff\"`). */\n staffUserId: string;\n}\n\nexport async function revokeUserIdentity(\n userId: string,\n identityId: string,\n actor: RevokeIdentityInput,\n): Promise<void> {\n const db = getDb() as unknown as NodePgDatabase<Record<string, unknown>>;\n // Fetch the row first so the audit event captures the provider /\n // subject — once deleted we'd lose the forensic context.\n const [existing] = (await db\n .select()\n .from(npUserOAuthIdentities)\n .where(\n and(\n eq(npUserOAuthIdentities.id, identityId),\n eq(npUserOAuthIdentities.userId, userId),\n ),\n )\n .limit(1)) as NpUserIdentityRow[];\n if (!existing) {\n // Either the identity doesn't exist or it belongs to a different\n // user — both surface as 404 to avoid leaking cross-user\n // existence to staff who don't have the right grants.\n throw new NpNotFoundError(\"identity\", identityId);\n }\n // Use `.returning()` so we can tell whether OUR call did the\n // delete. Two concurrent revokes both pass the select check\n // above; if we record an audit event unconditionally we'd\n // double-log the revocation. The second caller's delete returns\n // zero rows — we skip the audit there.\n const deleted = (await db\n .delete(npUserOAuthIdentities)\n .where(eq(npUserOAuthIdentities.id, identityId))\n .returning({ id: npUserOAuthIdentities.id })) as Array<{ id: string }>;\n if (deleted.length === 0) return;\n await recordAuditEvent({\n actor: { kind: \"staff\", userId: actor.staffUserId },\n action: \"user.identity.revoke\",\n targetType: \"user\",\n targetId: userId,\n payload: {\n identityId,\n provider: existing.provider,\n providerUserId: existing.providerUserId,\n },\n });\n}\n\nexport async function revokeMemberIdentity(\n memberId: string,\n identityId: string,\n actor: RevokeIdentityInput,\n): Promise<void> {\n const db = getDb() as unknown as NodePgDatabase<Record<string, unknown>>;\n const [existing] = (await db\n .select()\n .from(npMemberIdentities)\n .where(\n and(\n eq(npMemberIdentities.id, identityId),\n eq(npMemberIdentities.memberId, memberId),\n ),\n )\n .limit(1)) as NpMemberIdentityRow[];\n if (!existing) throw new NpNotFoundError(\"identity\", identityId);\n const deleted = (await db\n .delete(npMemberIdentities)\n .where(eq(npMemberIdentities.id, identityId))\n .returning({ id: npMemberIdentities.id })) as Array<{ id: string }>;\n if (deleted.length === 0) return;\n await recordAuditEvent({\n actor: { kind: \"staff\", userId: actor.staffUserId },\n action: \"member.identity.revoke\",\n targetType: \"member\",\n targetId: memberId,\n payload: {\n identityId,\n provider: existing.provider,\n subject: existing.subject,\n },\n });\n}\n","import { randomBytes } from \"node:crypto\";\n\nimport { and, eq, gt, isNotNull, sql } from \"drizzle-orm\";\nimport type { NodePgDatabase } from \"drizzle-orm/node-postgres\";\n\nimport { NpValidationError } from \"../errors.js\";\nimport { npSessions, npUsers } from \"../db/schema/system.js\";\nimport { hashPassword } from \"./password.js\";\nimport { sha256 } from \"./session.js\";\n\nexport type NpPasswordResetPurpose = \"invite\" | \"reset\";\n\nexport interface NpIssuedResetToken {\n /** The raw token — deliver to the user, never persist. */\n token: string;\n /** Matches `np_users.password_reset_expires_at`. */\n expiresAt: Date;\n purpose: NpPasswordResetPurpose;\n}\n\nexport interface NpCreateResetTokenOptions {\n userId: string;\n purpose: NpPasswordResetPurpose;\n ttlMs: number;\n}\n\nconst MIN_PASSWORD_LENGTH = 8;\n\nfunction generateRawToken(): string {\n // 32 bytes → 64 hex chars. Wide enough that brute force is hopeless.\n return randomBytes(32).toString(\"hex\");\n}\n\n/**\n * Issues a new password reset token for `userId`. Stores the **hash** of the\n * token in the `np_users` row alongside the expiry and purpose, then returns\n * the raw token for the caller to deliver (email/link).\n *\n * Any previously-outstanding reset token for the user is replaced.\n */\nexport async function createPasswordResetToken(\n db: NodePgDatabase<Record<string, unknown>>,\n options: NpCreateResetTokenOptions,\n): Promise<NpIssuedResetToken> {\n const token = generateRawToken();\n const tokenHash = await sha256(token);\n const expiresAt = new Date(Date.now() + options.ttlMs);\n\n await db\n .update(npUsers)\n .set({\n passwordResetTokenHash: tokenHash,\n passwordResetExpiresAt: expiresAt,\n passwordResetPurpose: options.purpose,\n updatedAt: new Date(),\n })\n .where(eq(npUsers.id, options.userId));\n\n return { token, expiresAt, purpose: options.purpose };\n}\n\nexport interface NpResetRequestResult {\n userId: string | null;\n name: string | null;\n email: string | null;\n issued: NpIssuedResetToken | null;\n}\n\n/**\n * Handles the \"forgot password\" flow. If the email matches a user, issues a\n * reset token and returns their name so the mailer can personalise the email.\n * If not, silently returns nulls so callers can respond with a constant\n * message and avoid email enumeration.\n */\nexport async function requestPasswordReset(\n db: NodePgDatabase<Record<string, unknown>>,\n email: string,\n ttlMs: number,\n): Promise<NpResetRequestResult> {\n const normalizedEmail = email.trim().toLowerCase();\n const [user] = await db\n .select({\n id: npUsers.id,\n email: npUsers.email,\n name: npUsers.name,\n })\n .from(npUsers)\n .where(eq(npUsers.email, normalizedEmail))\n .limit(1);\n\n if (!user) {\n return { userId: null, name: null, email: null, issued: null };\n }\n\n const issued = await createPasswordResetToken(db, {\n userId: user.id,\n purpose: \"reset\",\n ttlMs,\n });\n\n return { userId: user.id, name: user.name, email: user.email, issued };\n}\n\nexport interface NpConsumeResetTokenOptions {\n token: string;\n newPassword: string;\n}\n\nexport interface NpConsumeResetTokenResult {\n userId: string;\n email: string;\n purpose: NpPasswordResetPurpose;\n}\n\n/**\n * Verifies a password reset token and atomically:\n * - sets the new password hash\n * - bumps `tokenVersion` and deletes all sessions (force logout everywhere)\n * - clears the reset columns on the user row\n *\n * Throws `NpValidationError` when the token is unknown, expired, or the\n * password is too short. Uses a single DB transaction for atomicity.\n */\nexport async function consumePasswordResetToken(\n db: NodePgDatabase<Record<string, unknown>>,\n options: NpConsumeResetTokenOptions,\n): Promise<NpConsumeResetTokenResult> {\n if (!options.token || typeof options.token !== \"string\") {\n throw new NpValidationError(\"Invalid input\", [\n { field: \"token\", message: \"Reset token is required.\" },\n ]);\n }\n\n if (!options.newPassword || options.newPassword.length < MIN_PASSWORD_LENGTH) {\n throw new NpValidationError(\"Invalid input\", [\n {\n field: \"password\",\n message: `Password must be at least ${MIN_PASSWORD_LENGTH} characters.`,\n },\n ]);\n }\n\n const tokenHash = await sha256(options.token);\n const now = new Date();\n\n const [user] = await db\n .select({\n id: npUsers.id,\n email: npUsers.email,\n purpose: npUsers.passwordResetPurpose,\n })\n .from(npUsers)\n .where(\n and(\n eq(npUsers.passwordResetTokenHash, tokenHash),\n isNotNull(npUsers.passwordResetExpiresAt),\n gt(npUsers.passwordResetExpiresAt, now),\n ),\n )\n .limit(1);\n\n if (!user) {\n throw new NpValidationError(\"Invalid input\", [\n { field: \"token\", message: \"Reset link is invalid or has expired.\" },\n ]);\n }\n\n const newPasswordHash = await hashPassword(options.newPassword);\n\n // We inline the tokenVersion bump + session delete instead of calling\n // invalidateAllSessions because we need them to land in the same\n // transaction as the password write + reset-column clear. Splitting into\n // two transactions could leave the user with a new password but still-\n // valid old JWTs if the second call failed.\n await db.transaction(async (tx) => {\n await tx\n .update(npUsers)\n .set({\n password: newPasswordHash,\n passwordResetTokenHash: null,\n passwordResetExpiresAt: null,\n passwordResetPurpose: null,\n loginAttempts: 0,\n lockUntil: null,\n tokenVersion: sql`${npUsers.tokenVersion} + 1`,\n updatedAt: new Date(),\n })\n .where(eq(npUsers.id, user.id));\n\n await tx.delete(npSessions).where(eq(npSessions.userId, user.id));\n });\n\n return {\n userId: user.id,\n email: user.email,\n purpose: (user.purpose ?? \"reset\") as NpPasswordResetPurpose,\n };\n}\n","import { randomBytes } from \"node:crypto\";\nimport { jwtVerify, SignJWT, type JWTPayload } from \"jose\";\n\nimport { NpAuthError } from \"../errors.js\";\n\n/**\n * Member-side JWT helpers. Mirrors `signToken` / `verifyToken` for\n * staff but adds a fixed `aud: \"member\"` claim so a forged JWT signed\n * for a staff user can't be replayed against member-only routes (and\n * vice-versa).\n *\n * The signing secret is the same `NP_SECRET`; rotating it invalidates\n * both staff and member sessions, which is the desired behavior.\n *\n * Every token gets a random `jti` so two tokens minted within the\n * same second for the same member produce DIFFERENT JWT strings —\n * needed for refresh-token rotation: without it, the rotated token\n * hash would collide with the prior token hash and revocation by\n * tokenHash would still resolve the rotated row.\n *\n * `use: \"access\" | \"refresh\"` separates the two token purposes. A\n * refresh JWT cannot be presented as the `np-mb-session` cookie and\n * a session JWT cannot drive the rotation endpoint — without this\n * separation a leaked refresh token effectively became a long-lived\n * bearer access token because both kinds were stored as fungible\n * rows in `np_member_sessions` with no row-level kind column.\n */\nexport type NpMemberTokenUse = \"access\" | \"refresh\";\n\nexport interface NpMemberTokenPayload {\n sub: string;\n aud: \"member\";\n ver: number;\n /** Required. `verifyMemberToken` refuses tokens missing this claim\n * so legacy refresh JWTs from before #92 cannot be smuggled into\n * the session cookie path (#91 reopen). */\n use: NpMemberTokenUse;\n /** Optional only for the deploy window; new tokens always carry\n * one. */\n jti?: string;\n iat: number;\n exp: number;\n}\n\nconst textEncoder = new TextEncoder();\nconst MEMBER_AUDIENCE = \"member\";\n\nexport async function signMemberToken(\n member: { id: string; tokenVersion: number },\n secret: string,\n expirationSeconds: number = 7200,\n tokenUse: NpMemberTokenUse = \"access\",\n): Promise<string> {\n const secretKey = textEncoder.encode(secret);\n return new SignJWT({ sub: member.id, ver: member.tokenVersion, use: tokenUse })\n .setProtectedHeader({ alg: \"HS256\" })\n .setAudience(MEMBER_AUDIENCE)\n .setJti(randomBytes(16).toString(\"base64url\"))\n .setIssuedAt()\n .setExpirationTime(Math.floor(Date.now() / 1000) + expirationSeconds)\n .sign(secretKey);\n}\n\n/**\n * Verify a member JWT and return the parsed payload. When\n * `expectedUse` is provided, refuses tokens whose `use` claim doesn't\n * match — that's how `getSessionMember` rejects a refresh token used\n * as a session cookie and how the refresh route rejects an access\n * token as a refresh trigger.\n *\n * Tokens minted before the `use` claim landed have NO `use` payload\n * field. We refuse those outright rather than treating them as\n * `access` — the prior fallback let still-live legacy refresh JWTs\n * (already persisted in `np_member_sessions` per #45's fix) be\n * smuggled into the session cookie and pass the access check (#91\n * reopen). The cost: members logged in before this deploy must log\n * in once. That's bounded by the access-token TTL (default 2h);\n * legacy session rows that don't match a new login age out via\n * `expiresAt` within 7 days regardless.\n */\nexport async function verifyMemberToken(\n token: string,\n secret: string,\n expectedUse?: NpMemberTokenUse,\n): Promise<NpMemberTokenPayload> {\n const secretKey = textEncoder.encode(secret);\n const { payload } = await jwtVerify(token, secretKey, { audience: MEMBER_AUDIENCE });\n // jwtVerify already validated `aud === MEMBER_AUDIENCE`; cast through\n // JWTPayload to lock in the fields we know land on member tokens.\n const typed = payload as JWTPayload & {\n sub: string;\n ver: number;\n iat: number;\n exp: number;\n use?: NpMemberTokenUse;\n };\n if (typed.use !== \"access\" && typed.use !== \"refresh\") {\n throw new NpAuthError(\"Member token missing `use` claim\");\n }\n const use: NpMemberTokenUse = typed.use;\n if (expectedUse && use !== expectedUse) {\n // Throw `NpAuthError` so the response mapper emits 401 instead of\n // a plain 500 — this is an auth failure, not a server failure.\n throw new NpAuthError(\n `Member token use mismatch: expected ${expectedUse}, got ${use}`,\n );\n }\n return { ...typed, aud: MEMBER_AUDIENCE, use };\n}\n","import { and, eq, gt, sql } from \"drizzle-orm\";\nimport type { NodePgDatabase } from \"drizzle-orm/node-postgres\";\n\nimport { npMemberSessions, npMembers } from \"../db/schema/community.js\";\nimport { sha256 } from \"./session.js\";\n\n/**\n * Member-side session lookups, mirroring the staff helpers in session.ts\n * but for `np_members` / `np_member_sessions`. The sha256 helper is\n * reused (sessions store hashed tokens regardless of the principal kind).\n */\n\nexport interface NpMemberAuthRow {\n id: string;\n email: string;\n handle: string;\n displayName: string;\n status: \"active\" | \"pending\" | \"suspended\" | \"deleted\";\n tokenVersion: number;\n}\n\n/**\n * Resolve a member from a verified JWT payload AND the raw access\n * token. We hash the token and require a live row in\n * `np_member_sessions` — without that row check, deleting a session in\n * `/api/members/logout` had no effect and a stolen token kept working\n * until JWT expiry. (#45)\n *\n * Backward-compat: when no `accessToken` is passed (legacy callers in\n * tests / older routes), we fall back to the previous tokenVersion\n * check only. New paths should always pass the token.\n */\nexport async function getMemberFromTokenPayload(\n db: NodePgDatabase<Record<string, unknown>>,\n payload: { sub: string; ver: number },\n accessToken?: string,\n): Promise<NpMemberAuthRow | null> {\n const [row] = await db\n .select({\n id: npMembers.id,\n email: npMembers.email,\n handle: npMembers.handle,\n displayName: npMembers.displayName,\n status: npMembers.status,\n tokenVersion: npMembers.tokenVersion,\n })\n .from(npMembers)\n .where(eq(npMembers.id, payload.sub))\n .limit(1);\n\n if (!row) return null;\n if (row.tokenVersion !== payload.ver) return null;\n\n if (accessToken) {\n const tokenHash = await sha256(accessToken);\n const now = new Date();\n const [session] = (await db\n .select({ id: npMemberSessions.id })\n .from(npMemberSessions)\n .where(\n and(\n eq(npMemberSessions.memberId, row.id),\n eq(npMemberSessions.tokenHash, tokenHash),\n gt(npMemberSessions.expiresAt, now),\n ),\n )\n .limit(1)) as Array<{ id: string }>;\n if (!session) return null;\n }\n\n return row as NpMemberAuthRow;\n}\n\n/**\n * Bumps a member's tokenVersion + drops every session row, force-logging\n * them out everywhere. Call inside the same transaction as a password\n * change / soft-delete so a leaked old JWT can't outlive the change.\n */\nexport async function invalidateAllMemberSessions(\n db: NodePgDatabase<Record<string, unknown>>,\n memberId: string,\n): Promise<void> {\n await db.transaction(async (tx) => {\n await tx\n .update(npMembers)\n .set({\n tokenVersion: sql`${npMembers.tokenVersion} + 1`,\n updatedAt: new Date(),\n })\n .where(eq(npMembers.id, memberId));\n await tx.delete(npMemberSessions).where(eq(npMemberSessions.memberId, memberId));\n });\n}\n","import { randomBytes } from \"node:crypto\";\n\nimport { and, eq, gt, isNotNull, sql } from \"drizzle-orm\";\nimport type { NodePgDatabase } from \"drizzle-orm/node-postgres\";\n\nimport { NpValidationError } from \"../errors.js\";\nimport { npMemberSessions, npMembers } from \"../db/schema/community.js\";\nimport { hashPassword } from \"./password.js\";\nimport { sha256 } from \"./session.js\";\n\n/**\n * Member-side credential flows: email verification on registration,\n * password reset, password change. Mirrors the staff equivalents in\n * `reset-token.ts` but writes to `np_members` and uses dedicated\n * verify columns (`email_verify_token_hash` / `email_verify_expires_at`)\n * so a verify and a reset can coexist on the same member row.\n */\n\nconst MIN_PASSWORD_LENGTH = 8;\n\nexport interface NpIssuedMemberToken {\n /** The raw token to ship to the user. Never persist. */\n token: string;\n expiresAt: Date;\n}\n\nfunction generateRawToken(): string {\n return randomBytes(32).toString(\"hex\");\n}\n\n// ── Email verification ────────────────────────────────────────────────\n\nexport async function createMemberEmailVerifyToken(\n db: NodePgDatabase<Record<string, unknown>>,\n memberId: string,\n ttlMs: number,\n): Promise<NpIssuedMemberToken> {\n const token = generateRawToken();\n const tokenHash = await sha256(token);\n const expiresAt = new Date(Date.now() + ttlMs);\n\n await db\n .update(npMembers)\n .set({\n emailVerifyTokenHash: tokenHash,\n emailVerifyExpiresAt: expiresAt,\n updatedAt: new Date(),\n })\n .where(eq(npMembers.id, memberId));\n\n return { token, expiresAt };\n}\n\nexport interface NpConsumeMemberEmailVerifyResult {\n memberId: string;\n email: string;\n handle: string;\n displayName: string;\n}\n\nexport async function consumeMemberEmailVerifyToken(\n db: NodePgDatabase<Record<string, unknown>>,\n token: string,\n): Promise<NpConsumeMemberEmailVerifyResult> {\n if (!token || typeof token !== \"string\") {\n throw new NpValidationError(\"Invalid input\", [\n { field: \"token\", message: \"Verification token is required.\" },\n ]);\n }\n const tokenHash = await sha256(token);\n const now = new Date();\n\n const [member] = await db\n .select({\n id: npMembers.id,\n email: npMembers.email,\n handle: npMembers.handle,\n displayName: npMembers.displayName,\n })\n .from(npMembers)\n .where(\n and(\n eq(npMembers.emailVerifyTokenHash, tokenHash),\n isNotNull(npMembers.emailVerifyExpiresAt),\n gt(npMembers.emailVerifyExpiresAt, now),\n ),\n )\n .limit(1);\n\n if (!member) {\n throw new NpValidationError(\"Invalid input\", [\n { field: \"token\", message: \"Verification link is invalid or has expired.\" },\n ]);\n }\n\n await db\n .update(npMembers)\n .set({\n emailVerified: true,\n // Pending → active on first verify so login can succeed afterwards.\n // Suspended/deleted members stay where they are; the mod UI flips\n // those statuses, never the verify endpoint.\n status: sql`case when ${npMembers.status} = 'pending' then 'active' else ${npMembers.status} end`,\n emailVerifyTokenHash: null,\n emailVerifyExpiresAt: null,\n updatedAt: now,\n })\n .where(eq(npMembers.id, member.id));\n\n return {\n memberId: member.id,\n email: member.email,\n handle: member.handle,\n displayName: member.displayName,\n };\n}\n\n// ── Password reset ────────────────────────────────────────────────────\n\nexport interface NpMemberResetRequestResult {\n memberId: string | null;\n displayName: string | null;\n email: string | null;\n issued: NpIssuedMemberToken | null;\n}\n\nexport async function requestMemberPasswordReset(\n db: NodePgDatabase<Record<string, unknown>>,\n email: string,\n ttlMs: number,\n): Promise<NpMemberResetRequestResult> {\n const normalizedEmail = email.trim().toLowerCase();\n const [member] = await db\n .select({\n id: npMembers.id,\n email: npMembers.email,\n displayName: npMembers.displayName,\n status: npMembers.status,\n })\n .from(npMembers)\n .where(eq(npMembers.email, normalizedEmail))\n .limit(1);\n\n if (!member || member.status === \"deleted\") {\n return { memberId: null, displayName: null, email: null, issued: null };\n }\n\n const token = generateRawToken();\n const tokenHash = await sha256(token);\n const expiresAt = new Date(Date.now() + ttlMs);\n\n await db\n .update(npMembers)\n .set({\n passwordResetTokenHash: tokenHash,\n passwordResetExpiresAt: expiresAt,\n updatedAt: new Date(),\n })\n .where(eq(npMembers.id, member.id));\n\n return {\n memberId: member.id,\n displayName: member.displayName,\n email: member.email,\n issued: { token, expiresAt },\n };\n}\n\nexport interface NpConsumeMemberResetResult {\n memberId: string;\n email: string;\n}\n\nexport async function consumeMemberPasswordReset(\n db: NodePgDatabase<Record<string, unknown>>,\n token: string,\n newPassword: string,\n): Promise<NpConsumeMemberResetResult> {\n if (!token || typeof token !== \"string\") {\n throw new NpValidationError(\"Invalid input\", [\n { field: \"token\", message: \"Reset token is required.\" },\n ]);\n }\n if (!newPassword || newPassword.length < MIN_PASSWORD_LENGTH) {\n throw new NpValidationError(\"Invalid input\", [\n {\n field: \"password\",\n message: `Password must be at least ${MIN_PASSWORD_LENGTH} characters.`,\n },\n ]);\n }\n\n const tokenHash = await sha256(token);\n const now = new Date();\n\n const [member] = await db\n .select({ id: npMembers.id, email: npMembers.email })\n .from(npMembers)\n .where(\n and(\n eq(npMembers.passwordResetTokenHash, tokenHash),\n isNotNull(npMembers.passwordResetExpiresAt),\n gt(npMembers.passwordResetExpiresAt, now),\n ),\n )\n .limit(1);\n\n if (!member) {\n throw new NpValidationError(\"Invalid input\", [\n { field: \"token\", message: \"Reset link is invalid or has expired.\" },\n ]);\n }\n\n const newPasswordHash = await hashPassword(newPassword);\n\n await db.transaction(async (tx) => {\n await tx\n .update(npMembers)\n .set({\n password: newPasswordHash,\n passwordResetTokenHash: null,\n passwordResetExpiresAt: null,\n loginAttempts: 0,\n lockUntil: null,\n // Bump tokenVersion in-place so existing JWTs are invalidated. Also\n // mark email as verified — completing a reset on an unverified\n // account is itself proof of email ownership.\n tokenVersion: sql`${npMembers.tokenVersion} + 1`,\n emailVerified: true,\n status: sql`case when ${npMembers.status} = 'pending' then 'active' else ${npMembers.status} end`,\n updatedAt: new Date(),\n })\n .where(eq(npMembers.id, member.id));\n\n await tx.delete(npMemberSessions).where(eq(npMemberSessions.memberId, member.id));\n });\n\n return { memberId: member.id, email: member.email };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEO,IAAM,gBAAkC,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC;AAExD,IAAM,UAA4B,CAAC,EAAE,KAAK,MAAM,MAAM,SAAS;AAE/D,IAAM,kBAAoC,CAAC,EAAE,KAAK,MACvD,CAAC,CAAC,SAAS,KAAK,SAAS,WAAW,KAAK,SAAS;AAE7C,IAAM,iBAAmC,CAAC,EAAE,MAAM,IAAI,MAC3D,MAAM,SAAS,WAAW,KAAK,cAAc,MAAM;;;ACVrD,SAAS,mBAAmB;AAC5B,SAAS,WAAW,SAAS,UAAU,kBAAmC;AAqC1E,IAAM,cAAc,IAAI,YAAY;AAEpC,eAAsB,UACpB,MACA,QACA,oBAA4B,MAC5B,WAAuB,UACN;AACjB,QAAM,YAAY,YAAY,OAAO,MAAM;AAE3C,SAAO,IAAI,QAAQ;AAAA,IACjB,KAAK,KAAK;AAAA,IACV,MAAM,KAAK;AAAA,IACX,KAAK,KAAK;AAAA,IACV,KAAK;AAAA,EACP,CAAC,EACE,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,OAAO,YAAY,EAAE,EAAE,SAAS,WAAW,CAAC,EAC5C,YAAY,EACZ,kBAAkB,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,iBAAiB,EACnE,KAAK,SAAS;AACnB;AAeA,eAAsB,YACpB,OACA,QACA,aACyB;AACzB,QAAM,YAAY,YAAY,OAAO,MAAM;AAC3C,QAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,SAAS;AACpD,QAAM,QAAQ;AAQd,MAAI,MAAM,QAAQ,YAAY,MAAM,QAAQ,WAAW;AACrD,UAAM,IAAI,YAAY,iCAAiC;AAAA,EACzD;AACA,QAAM,MAAkB,MAAM;AAC9B,MAAI,eAAe,QAAQ,aAAa;AACtC,UAAM,IAAI;AAAA,MACR,sCAAsC,WAAW,SAAS,GAAG;AAAA,IAC/D;AAAA,EACF;AACA,SAAO,EAAE,GAAG,OAAO,IAAI;AACzB;AAeO,SAAS,yBAAyB,KAAuB;AAC9D,MAAI,eAAe,YAAa,QAAO;AACvC,MAAI,eAAe,WAAW,UAAW,QAAO;AAChD,SAAO;AACT;;;ACtHA,SAAS,MAAM,cAA4B;AAEpC,IAAM,iBAA0B;AAAA,EACrC,YAAY;AAAA,EACZ,UAAU;AAAA,EACV,WAAW;AAAA,EACX,aAAa;AACf;AAKA,IAAM,sBAA+B;AAAA,EACnC,YAAY;AAAA,EACZ,UAAU;AAAA,EACV,WAAW;AAAA,EACX,aAAa;AACf;AAEO,SAAS,aAAa,UAAmC;AAC9D,SAAO;AAAA,IACL;AAAA,IACA,QAAQ,IAAI,sBAAsB,MAAM,sBAAsB;AAAA,EAChE;AACF;AAEO,SAAS,eACd,cACA,UACkB;AAClB,SAAO,OAAO,cAAc,QAAQ;AACtC;;;AC/BA,IAAM,eAAe,oBAAI,IAAI,CAAC,OAAO,QAAQ,SAAS,CAAC;AAEhD,SAAS,WACd,QACA,aACA,aACS;AACT,MAAI,aAAa,IAAI,OAAO,YAAY,CAAC,GAAG;AAC1C,WAAO;AAAA,EACT;AAEA,SAAO,QAAQ,eAAe,eAAe,gBAAgB,WAAW;AAC1E;;;ACoEA,IAAM,YAAY,oBAAI,IAA2B;AAO1C,SAAS,sBAAsB,UAA+B;AACnE,MAAI,CAAC,SAAS,MAAM,OAAO,SAAS,OAAO,UAAU;AACnD,UAAM,IAAI,MAAM,gDAAgD;AAAA,EAClE;AACA,MAAI,OAAO,SAAS,cAAc,cAAc,OAAO,SAAS,aAAa,YAAY;AACvF,UAAM,IAAI;AAAA,MACR,mBAAmB,SAAS,EAAE;AAAA,IAChC;AAAA,EACF;AACA,YAAU,IAAI,SAAS,IAAI,QAAQ;AACrC;AAEO,SAAS,iBAAiB,IAAuC;AACtE,SAAO,UAAU,IAAI,EAAE;AACzB;AAEO,SAAS,qBAAsC;AACpD,SAAO,MAAM,KAAK,UAAU,OAAO,CAAC;AACtC;AAGO,SAAS,sBAA4B;AAC1C,YAAU,MAAM;AAClB;;;AC9GA,SAAS,IAAI,KAAK,WAAW;AAoD7B,IAAM,yBAAyB;AAE/B,SAAS,eAAe,UAAkB,gBAAgC;AAExE,SAAO,GAAG,cAAc,IAAI,QAAQ,GAAG,sBAAsB;AAC/D;AAEA,SAAS,WAAW,SAAuB,eAA+B;AACxE,MAAI,QAAQ,QAAQ,QAAQ,KAAK,KAAK,EAAE,SAAS,EAAG,QAAO,QAAQ,KAAK,KAAK;AAC7E,QAAM,YAAY,cAAc,MAAM,GAAG,EAAE,CAAC;AAC5C,SAAO,aAAa,UAAU,SAAS,IAAI,YAAY;AACzD;AAEA,eAAsB,kBACpB,OACkC;AAClC,QAAM,KAAK,MAAM;AACjB,QAAM,WAAW,MAAM;AACvB,QAAM,UAAU,MAAM;AACtB,QAAM,OAAmB,MAAM,eAAe;AAG9C,QAAM,CAAC,YAAY,IAAK,MAAM,GAC3B,OAAO;AAAA,IACN,QAAQ,sBAAsB;AAAA,IAC9B,YAAY,sBAAsB;AAAA,EACpC,CAAC,EACA,KAAK,qBAAqB,EAC1B;AAAA,IACC;AAAA,MACE,GAAG,sBAAsB,UAAU,QAAQ;AAAA,MAC3C,GAAG,sBAAsB,gBAAgB,QAAQ,cAAc;AAAA,IACjE;AAAA,EACF,EACC,MAAM,CAAC;AAEV,MAAI,cAAc;AAEhB,UAAM,WAAW,cAAc,OAAO;AACtC,UAAM,GACH,OAAO,qBAAqB,EAC5B,IAAI,EAAE,UAAU,WAAW,oBAAI,KAAK,EAAE,CAAC,EACvC,MAAM,GAAG,sBAAsB,IAAI,aAAa,UAAU,CAAC;AAE9D,UAAM,OAAO,MAAM,SAAS,IAAI,aAAa,MAAM;AACnD,WAAO,EAAE,MAAM,SAAS,OAAO,QAAQ,MAAM;AAAA,EAC/C;AAIA,MAAI,QAAQ,OAAO;AACjB,UAAM,kBAAkB,QAAQ,MAAM,KAAK,EAAE,YAAY;AACzD,UAAM,CAAC,YAAY,IAAK,MAAM,GAC3B,OAAO;AAAA,MACN,IAAI,QAAQ;AAAA,MACZ,OAAO,QAAQ;AAAA,MACf,MAAM,QAAQ;AAAA,MACd,MAAM,QAAQ;AAAA,MACd,cAAc,QAAQ;AAAA,IACxB,CAAC,EACA,KAAK,OAAO,EACZ,MAAM,GAAG,YAAY,QAAQ,KAAK,KAAK,eAAe,CAAC,EACvD,MAAM,CAAC;AAEV,QAAI,cAAc;AAChB,YAAM,GAAG,OAAO,qBAAqB,EAAE,OAAO;AAAA,QAC5C,QAAQ,aAAa;AAAA,QACrB;AAAA,QACA,gBAAgB,QAAQ;AAAA,QACxB,UAAU,cAAc,OAAO;AAAA,MACjC,CAAC;AACD,aAAO,EAAE,MAAM,cAAc,SAAS,OAAO,QAAQ,KAAK;AAAA,IAC5D;AAAA,EACF;AAGA,QAAM,QACJ,QAAQ,SAAS,QAAQ,MAAM,KAAK,EAAE,SAAS,IAC3C,QAAQ,MAAM,KAAK,EAAE,YAAY,IACjC,eAAe,UAAU,QAAQ,cAAc;AACrD,QAAM,OAAO,WAAW,SAAS,KAAK;AACtC,QAAM,sBAAsB,MAAM;AAAA,IAChC,OAAO,WAAW,IAAI,OAAO,WAAW;AAAA,EAC1C;AAEA,QAAM,CAAC,OAAO,IAAK,MAAM,GACtB,OAAO,OAAO,EACd,OAAO;AAAA,IACN;AAAA,IACA;AAAA,IACA,UAAU;AAAA,IACV;AAAA,EACF,CAAC,EACA,UAAU;AAAA,IACT,IAAI,QAAQ;AAAA,IACZ,OAAO,QAAQ;AAAA,IACf,MAAM,QAAQ;AAAA,IACd,MAAM,QAAQ;AAAA,IACd,cAAc,QAAQ;AAAA,EACxB,CAAC;AAEH,QAAM,GAAG,OAAO,qBAAqB,EAAE,OAAO;AAAA,IAC5C,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA,gBAAgB,QAAQ;AAAA,IACxB,UAAU,cAAc,OAAO;AAAA,EACjC,CAAC;AAED,SAAO,EAAE,MAAM,SAAS,SAAS,MAAM,QAAQ,KAAK;AACtD;AAEA,SAAS,cAAc,SAAgD;AACrE,QAAM,OAAgC,CAAC;AACvC,MAAI,QAAQ,UAAW,MAAK,YAAY,QAAQ;AAChD,MAAI,QAAQ,MAAO,MAAK,QAAQ,QAAQ;AACxC,MAAI,QAAQ,KAAM,MAAK,OAAO,QAAQ;AACtC,MAAI,QAAQ,SAAU,QAAO,OAAO,MAAM,QAAQ,QAAQ;AAC1D,SAAO;AACT;AAEA,eAAe,SACb,IACA,QAC4B;AAC5B,QAAM,CAAC,GAAG,IAAK,MAAM,GAClB,OAAO;AAAA,IACN,IAAI,QAAQ;AAAA,IACZ,OAAO,QAAQ;AAAA,IACf,MAAM,QAAQ;AAAA,IACd,MAAM,QAAQ;AAAA,IACd,cAAc,QAAQ;AAAA,EACxB,CAAC,EACA,KAAK,OAAO,EACZ,MAAM,GAAG,QAAQ,IAAI,MAAM,CAAC,EAC5B,MAAM,CAAC;AACV,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,MAAM,QAAQ,MAAM,0CAA0C;AAAA,EAC1E;AACA,SAAO;AACT;;;AC/LA,SAAS,OAAAA,MAAK,MAAAC,KAAI,OAAAC,YAAW;AAkD7B,IAAMC,0BAAyB;AAC/B,IAAM,kBAAkB;AACxB,IAAM,6BAA6B;AAEnC,SAASC,gBAAe,UAAkB,gBAAgC;AACxE,SAAO,GAAG,cAAc,IAAI,QAAQ,GAAGD,uBAAsB;AAC/D;AAWA,SAAS,eAAe,SAAuB,eAA+B;AAC5E,QAAM,OACH,QAAQ,YAAY,OAAO,QAAQ,SAAS,UAAU,YAAY,QAAQ,SAAS,SACpF,QAAQ,QACR,cAAc,MAAM,GAAG,EAAE,CAAC,KAC1B;AACF,QAAM,YAAY,OAAO,IAAI,EAC1B,YAAY,EACZ,QAAQ,gBAAgB,GAAG,EAC3B,QAAQ,UAAU,EAAE,EACpB,MAAM,GAAG,EAAE;AACd,QAAM,OAAO,UAAU,UAAU,IAAI,YAAY;AAIjD,QAAM,SAAS,KAAK,OAAO,EACxB,SAAS,EAAE,EACX,MAAM,GAAG,IAAI,0BAA0B;AAC1C,SAAO,GAAG,IAAI,IAAI,MAAM,GAAG,MAAM,GAAG,EAAE;AACxC;AAEA,SAAS,kBAAkB,SAAuB,eAA+B;AAC/E,MAAI,QAAQ,QAAQ,QAAQ,KAAK,KAAK,EAAE,SAAS,EAAG,QAAO,QAAQ,KAAK,KAAK;AAC7E,QAAM,YAAY,cAAc,MAAM,GAAG,EAAE,CAAC;AAC5C,SAAO,aAAa,UAAU,SAAS,IAAI,YAAY;AACzD;AAEA,SAASE,eAAc,SAAgD;AACrE,QAAM,OAAgC,CAAC;AACvC,MAAI,QAAQ,UAAW,MAAK,YAAY,QAAQ;AAChD,MAAI,QAAQ,MAAO,MAAK,QAAQ,QAAQ;AACxC,MAAI,QAAQ,KAAM,MAAK,OAAO,QAAQ;AACtC,MAAI,QAAQ,SAAU,QAAO,OAAO,MAAM,QAAQ,QAAQ;AAC1D,SAAO;AACT;AAEA,eAAe,WACb,IACA,UAC8B;AAC9B,QAAM,CAAC,GAAG,IAAK,MAAM,GAClB,OAAO;AAAA,IACN,IAAI,UAAU;AAAA,IACd,OAAO,UAAU;AAAA,IACjB,QAAQ,UAAU;AAAA,IAClB,aAAa,UAAU;AAAA,IACvB,QAAQ,UAAU;AAAA,IAClB,cAAc,UAAU;AAAA,EAC1B,CAAC,EACA,KAAK,SAAS,EACd,MAAMC,IAAG,UAAU,IAAI,QAAQ,CAAC,EAChC,MAAM,CAAC;AACV,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,MAAM,UAAU,QAAQ,0CAA0C;AAAA,EAC9E;AACA,SAAO;AACT;AAEA,eAAsB,wBACpB,OACwC;AACxC,QAAM,KAAK,MAAM;AACjB,QAAM,EAAE,UAAU,QAAQ,IAAI;AAG9B,QAAM,CAAC,YAAY,IAAK,MAAM,GAC3B,OAAO,EAAE,UAAU,mBAAmB,UAAU,YAAY,mBAAmB,GAAG,CAAC,EACnF,KAAK,kBAAkB,EACvB;AAAA,IACCC;AAAA,MACED,IAAG,mBAAmB,UAAU,QAAQ;AAAA,MACxCA,IAAG,mBAAmB,SAAS,QAAQ,cAAc;AAAA,IACvD;AAAA,EACF,EACC,MAAM,CAAC;AAEV,MAAI,cAAc;AAChB,UAAM,GACH,OAAO,kBAAkB,EACzB,IAAI,EAAE,UAAUD,eAAc,OAAO,GAAG,WAAW,oBAAI,KAAK,EAAE,CAAC,EAC/D,MAAMC,IAAG,mBAAmB,IAAI,aAAa,UAAU,CAAC;AAC3D,UAAM,SAAS,MAAM,WAAW,IAAI,aAAa,QAAQ;AACzD,WAAO,EAAE,QAAQ,SAAS,OAAO,QAAQ,MAAM;AAAA,EACjD;AAGA,MAAI,QAAQ,OAAO;AACjB,UAAM,kBAAkB,QAAQ,MAAM,KAAK,EAAE,YAAY;AACzD,UAAM,CAAC,cAAc,IAAK,MAAM,GAC7B,OAAO;AAAA,MACN,IAAI,UAAU;AAAA,MACd,OAAO,UAAU;AAAA,MACjB,QAAQ,UAAU;AAAA,MAClB,aAAa,UAAU;AAAA,MACvB,QAAQ,UAAU;AAAA,MAClB,cAAc,UAAU;AAAA,IAC1B,CAAC,EACA,KAAK,SAAS,EACd,MAAMA,IAAGE,aAAY,UAAU,KAAK,KAAK,eAAe,CAAC,EACzD,MAAM,CAAC;AAEV,QAAI,gBAAgB;AAalB,UAAI,eAAe,WAAW,UAAU;AACtC,eAAO,EAAE,QAAQ,gBAAgB,SAAS,OAAO,QAAQ,MAAM;AAAA,MACjE;AACA,YAAM,GAAG,OAAO,kBAAkB,EAAE,OAAO;AAAA,QACzC,UAAU,eAAe;AAAA,QACzB;AAAA,QACA,SAAS,QAAQ;AAAA,QACjB,OAAO,QAAQ;AAAA,QACf,UAAUH,eAAc,OAAO;AAAA,MACjC,CAAC;AACD,aAAO,EAAE,QAAQ,gBAAgB,SAAS,OAAO,QAAQ,KAAK;AAAA,IAChE;AAAA,EACF;AAeA,QAAM,WAAW,MAAM,qBAAqB;AAC5C,MAAI,CAAC,SAAS,qBAAqB;AACjC,UAAM,IAAI,iBAAiB,WAAW,UAAU;AAAA,EAClD;AAEA,QAAM,QACJ,QAAQ,SAAS,QAAQ,MAAM,KAAK,EAAE,SAAS,IAC3C,QAAQ,MAAM,KAAK,EAAE,YAAY,IACjCD,gBAAe,UAAU,QAAQ,cAAc;AACrD,QAAM,cAAc,kBAAkB,SAAS,KAAK;AACpD,QAAM,SAAS,eAAe,SAAS,KAAK;AAC5C,QAAM,sBAAsB,MAAM;AAAA,IAChC,OAAO,WAAW,IAAI,OAAO,WAAW;AAAA,EAC1C;AAEA,QAAM,CAAC,OAAO,IAAK,MAAM,GACtB,OAAO,SAAS,EAChB,OAAO;AAAA,IACN;AAAA,IACA;AAAA,IACA;AAAA,IACA,UAAU;AAAA;AAAA;AAAA;AAAA,IAIV,eAAe;AAAA,IACf,QAAQ;AAAA,EACV,CAAC,EACA,UAAU;AAAA,IACT,IAAI,UAAU;AAAA,IACd,OAAO,UAAU;AAAA,IACjB,QAAQ,UAAU;AAAA,IAClB,aAAa,UAAU;AAAA,IACvB,QAAQ,UAAU;AAAA,IAClB,cAAc,UAAU;AAAA,EAC1B,CAAC;AAEH,QAAM,GAAG,OAAO,kBAAkB,EAAE,OAAO;AAAA,IACzC,UAAU,QAAQ;AAAA,IAClB;AAAA,IACA,SAAS,QAAQ;AAAA,IACjB,OAAO,QAAQ,SAAS;AAAA,IACxB,UAAUC,eAAc,OAAO;AAAA,EACjC,CAAC;AAED,SAAO,EAAE,QAAQ,SAAS,SAAS,MAAM,QAAQ,KAAK;AACxD;;;AC9PA,SAAS,YAAY,eAAAI,cAAa,uBAAuB;AA0BzD,IAAM,oBAAoB,mBAAmB,8BAA8B,GAAG;AAC9E,IAAM,sBAAsB;AAiB5B,SAAS,OAAO,OAAgC;AAC9C,SAAO,OAAO,KAAK,KAAK,EAAE,SAAS,WAAW;AAChD;AAEA,SAAS,KAAK,SAAiB,QAAwB;AACrD,SAAO,WAAW,UAAU,MAAM,EAAE,OAAO,OAAO,EAAE,OAAO,WAAW;AACxE;AAEO,SAAS,gBAAgB,YAAoB,QAAkC;AACpF,QAAM,QAAQC,aAAY,EAAE,EAAE,SAAS,WAAW;AAClD,QAAM,eAAeA,aAAY,mBAAmB,EAAE,SAAS,WAAW;AAC1E,QAAM,aAAa,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI;AACnD,QAAM,UAA6B,EAAE,YAAY,OAAO,YAAY,aAAa;AACjF,QAAM,UAAU,OAAO,KAAK,UAAU,OAAO,CAAC;AAC9C,QAAM,MAAM,KAAK,SAAS,MAAM;AAChC,SAAO,EAAE,OAAO,GAAG,OAAO,IAAI,GAAG,IAAI,aAAa;AACpD;AAgBO,SAAS,iBACd,OACA,oBACA,QACwB;AACxB,MAAI,OAAO,UAAU,YAAY,CAAC,MAAM,SAAS,GAAG,GAAG;AACrD,WAAO,EAAE,IAAI,OAAO,QAAQ,SAAS;AAAA,EACvC;AACA,QAAM,CAAC,SAAS,GAAG,IAAI,MAAM,MAAM,GAAG;AACtC,MAAI,CAAC,WAAW,CAAC,KAAK;AACpB,WAAO,EAAE,IAAI,OAAO,QAAQ,SAAS;AAAA,EACvC;AACA,QAAM,cAAc,KAAK,SAAS,MAAM;AACxC,QAAM,SAAS,OAAO,KAAK,GAAG;AAC9B,QAAM,cAAc,OAAO,KAAK,WAAW;AAC3C,MAAI,OAAO,WAAW,YAAY,UAAU,CAAC,gBAAgB,QAAQ,WAAW,GAAG;AACjF,WAAO,EAAE,IAAI,OAAO,QAAQ,YAAY;AAAA,EAC1C;AAEA,MAAI;AACJ,MAAI;AACF,cAAU,KAAK,MAAM,OAAO,KAAK,SAAS,WAAW,EAAE,SAAS,MAAM,CAAC;AAAA,EACzE,QAAQ;AACN,WAAO,EAAE,IAAI,OAAO,QAAQ,SAAS;AAAA,EACvC;AAEA,MACE,CAAC,WACD,OAAO,QAAQ,eAAe,YAC9B,OAAO,QAAQ,UAAU,YACzB,OAAO,QAAQ,eAAe,YAC9B,OAAO,QAAQ,iBAAiB,YAChC,QAAQ,aAAa,WAAW,GAChC;AACA,WAAO,EAAE,IAAI,OAAO,QAAQ,SAAS;AAAA,EACvC;AAEA,MAAI,QAAQ,eAAe,oBAAoB;AAC7C,WAAO,EAAE,IAAI,OAAO,QAAQ,YAAY;AAAA,EAC1C;AAEA,MAAI,QAAQ,cAAc,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,GAAG;AACvD,WAAO,EAAE,IAAI,OAAO,QAAQ,UAAU;AAAA,EACxC;AAEA,SAAO,EAAE,IAAI,MAAM,QAAQ;AAC7B;;;ACvBO,SAAS,WACd,SACA,MACe;AACf,QAAM,UAAU,KAAK,SAAS;AAC9B,QAAM,SAAS,KAAK,UAAU,CAAC;AAE/B,SAAO;AAAA,IACL,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,UAAU,EAAE,OAAO,aAAa,aAAa,GAAG;AAC9C,YAAM,SAAS,QAAQ,WAAW;AAIlC,YAAM,MAAM,UACP,OAAO,uBAIE,OAAO,cAAc,MAAM,IACpC,OAAO,uBAGE,OAAO,MAAM;AAC3B,aAAO,IAAI,SAAS;AAAA,IACtB;AAAA,IACA,MAAM,SAAS,EAAE,MAAM,aAAa,aAAa,GAAG;AAClD,YAAM,SAAS,QAAQ,WAAW;AAClC,YAAM,SAAS,UACX,MAAO,OAAO,0BAGkB,MAAM,YAAY,IAClD,MAAO,OAAO,0BAEkB,IAAI;AACxC,aAAO,KAAK,aAAa,OAAO,YAAY,GAAG,MAAM;AAAA,IACvD;AAAA,EACF;AACF;;;AC3IA,SAAS,iBAAiB;AAE1B,SAAS,MAAAC,KAAI,OAAAC,YAAW;AAgBxB,eAAsB,OAAO,OAAgC;AAC3D,QAAM,SAAS,MAAM,UAAU,OAAO;AAAA,IACpC;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,KAAK;AAAA,EAChC;AAEA,SAAO,MAAM;AAAA,IAAK,IAAI,WAAW,MAAM;AAAA,IAAG,CAAC,SACzC,KAAK,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EACnC,EAAE,KAAK,EAAE;AACX;AAiBA,eAAsB,gBACpB,OACA,QACA,IACA,cAA0B,UACE;AAC5B,QAAM,UAAU,MAAM,YAAY,OAAO,QAAQ,WAAW;AAC5D,QAAM,CAAC,IAAI,IAAI,MAAM,GAClB,OAAO;AAAA,IACN,IAAI,QAAQ;AAAA,IACZ,OAAO,QAAQ;AAAA,IACf,MAAM,QAAQ;AAAA,IACd,MAAM,QAAQ;AAAA,IACd,cAAc,QAAQ;AAAA,EACxB,CAAC,EACA,KAAK,OAAO,EACZ,MAAMC,IAAG,QAAQ,IAAI,QAAQ,GAAG,CAAC,EACjC,MAAM,CAAC;AAEV,MAAI,CAAC,QAAQ,KAAK,iBAAiB,QAAQ,KAAK;AAC9C,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEA,eAAsB,sBACpB,QACA,IACe;AACf,QAAM,GAAG,YAAY,OAAO,OAAO;AACjC,UAAM,GACH,OAAO,OAAO,EACd,IAAI;AAAA,MACH,cAAcC,OAAM,QAAQ,YAAY;AAAA,IAC1C,CAAC,EACA,MAAMD,IAAG,QAAQ,IAAI,MAAM,CAAC;AAE/B,UAAM,GAAG,OAAO,UAAU,EAAE,MAAMA,IAAG,WAAW,QAAQ,MAAM,CAAC;AAAA,EACjE,CAAC;AACH;;;ACpFA,SAAS,OAAAE,MAAK,MAAM,MAAAC,WAAU;AAgD9B,eAAe,iBAAiB,QAA+B;AAC7D,QAAM,KAAK,MAAM;AACjB,QAAM,CAAC,GAAG,IAAK,MAAM,GAClB,OAAO,EAAE,IAAI,QAAQ,GAAG,CAAC,EACzB,KAAK,OAAO,EACZ,MAAMC,IAAG,QAAQ,IAAI,MAAM,CAAC,EAC5B,MAAM,CAAC;AACV,MAAI,CAAC,IAAK,OAAM,IAAI,gBAAgB,QAAQ,MAAM;AACpD;AAEA,eAAe,mBAAmB,UAAiC;AACjE,QAAM,KAAK,MAAM;AACjB,QAAM,CAAC,GAAG,IAAK,MAAM,GAClB,OAAO,EAAE,IAAI,UAAU,GAAG,CAAC,EAC3B,KAAK,SAAS,EACd,MAAMA,IAAG,UAAU,IAAI,QAAQ,CAAC,EAChC,MAAM,CAAC;AACV,MAAI,CAAC,IAAK,OAAM,IAAI,gBAAgB,UAAU,QAAQ;AACxD;AAEA,eAAsB,mBAAmB,QAA8C;AACrF,QAAM,iBAAiB,MAAM;AAC7B,QAAM,KAAK,MAAM;AACjB,QAAM,OAAQ,MAAM,GACjB,OAAO,EACP,KAAK,qBAAqB,EAC1B,MAAMA,IAAG,sBAAsB,QAAQ,MAAM,CAAC,EAC9C,QAAQ,KAAK,sBAAsB,SAAS,CAAC;AAChD,SAAO;AACT;AAEA,eAAsB,qBAAqB,UAAkD;AAC3F,QAAM,mBAAmB,QAAQ;AACjC,QAAM,KAAK,MAAM;AACjB,QAAM,OAAQ,MAAM,GACjB,OAAO,EACP,KAAK,kBAAkB,EACvB,MAAMA,IAAG,mBAAmB,UAAU,QAAQ,CAAC,EAC/C,QAAQ,KAAK,mBAAmB,SAAS,CAAC;AAC7C,SAAO;AACT;AAOA,eAAsB,mBACpB,QACA,YACA,OACe;AACf,QAAM,KAAK,MAAM;AAGjB,QAAM,CAAC,QAAQ,IAAK,MAAM,GACvB,OAAO,EACP,KAAK,qBAAqB,EAC1B;AAAA,IACCC;AAAA,MACED,IAAG,sBAAsB,IAAI,UAAU;AAAA,MACvCA,IAAG,sBAAsB,QAAQ,MAAM;AAAA,IACzC;AAAA,EACF,EACC,MAAM,CAAC;AACV,MAAI,CAAC,UAAU;AAIb,UAAM,IAAI,gBAAgB,YAAY,UAAU;AAAA,EAClD;AAMA,QAAM,UAAW,MAAM,GACpB,OAAO,qBAAqB,EAC5B,MAAMA,IAAG,sBAAsB,IAAI,UAAU,CAAC,EAC9C,UAAU,EAAE,IAAI,sBAAsB,GAAG,CAAC;AAC7C,MAAI,QAAQ,WAAW,EAAG;AAC1B,QAAM,iBAAiB;AAAA,IACrB,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,YAAY;AAAA,IAClD,QAAQ;AAAA,IACR,YAAY;AAAA,IACZ,UAAU;AAAA,IACV,SAAS;AAAA,MACP;AAAA,MACA,UAAU,SAAS;AAAA,MACnB,gBAAgB,SAAS;AAAA,IAC3B;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,qBACpB,UACA,YACA,OACe;AACf,QAAM,KAAK,MAAM;AACjB,QAAM,CAAC,QAAQ,IAAK,MAAM,GACvB,OAAO,EACP,KAAK,kBAAkB,EACvB;AAAA,IACCC;AAAA,MACED,IAAG,mBAAmB,IAAI,UAAU;AAAA,MACpCA,IAAG,mBAAmB,UAAU,QAAQ;AAAA,IAC1C;AAAA,EACF,EACC,MAAM,CAAC;AACV,MAAI,CAAC,SAAU,OAAM,IAAI,gBAAgB,YAAY,UAAU;AAC/D,QAAM,UAAW,MAAM,GACpB,OAAO,kBAAkB,EACzB,MAAMA,IAAG,mBAAmB,IAAI,UAAU,CAAC,EAC3C,UAAU,EAAE,IAAI,mBAAmB,GAAG,CAAC;AAC1C,MAAI,QAAQ,WAAW,EAAG;AAC1B,QAAM,iBAAiB;AAAA,IACrB,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,YAAY;AAAA,IAClD,QAAQ;AAAA,IACR,YAAY;AAAA,IACZ,UAAU;AAAA,IACV,SAAS;AAAA,MACP;AAAA,MACA,UAAU,SAAS;AAAA,MACnB,SAAS,SAAS;AAAA,IACpB;AAAA,EACF,CAAC;AACH;;;AC/KA,SAAS,eAAAE,oBAAmB;AAE5B,SAAS,OAAAC,MAAK,MAAAC,KAAI,IAAI,WAAW,OAAAC,YAAW;AAwB5C,IAAM,sBAAsB;AAE5B,SAAS,mBAA2B;AAElC,SAAOC,aAAY,EAAE,EAAE,SAAS,KAAK;AACvC;AASA,eAAsB,yBACpB,IACA,SAC6B;AAC7B,QAAM,QAAQ,iBAAiB;AAC/B,QAAM,YAAY,MAAM,OAAO,KAAK;AACpC,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,QAAQ,KAAK;AAErD,QAAM,GACH,OAAO,OAAO,EACd,IAAI;AAAA,IACH,wBAAwB;AAAA,IACxB,wBAAwB;AAAA,IACxB,sBAAsB,QAAQ;AAAA,IAC9B,WAAW,oBAAI,KAAK;AAAA,EACtB,CAAC,EACA,MAAMC,IAAG,QAAQ,IAAI,QAAQ,MAAM,CAAC;AAEvC,SAAO,EAAE,OAAO,WAAW,SAAS,QAAQ,QAAQ;AACtD;AAeA,eAAsB,qBACpB,IACA,OACA,OAC+B;AAC/B,QAAM,kBAAkB,MAAM,KAAK,EAAE,YAAY;AACjD,QAAM,CAAC,IAAI,IAAI,MAAM,GAClB,OAAO;AAAA,IACN,IAAI,QAAQ;AAAA,IACZ,OAAO,QAAQ;AAAA,IACf,MAAM,QAAQ;AAAA,EAChB,CAAC,EACA,KAAK,OAAO,EACZ,MAAMA,IAAG,QAAQ,OAAO,eAAe,CAAC,EACxC,MAAM,CAAC;AAEV,MAAI,CAAC,MAAM;AACT,WAAO,EAAE,QAAQ,MAAM,MAAM,MAAM,OAAO,MAAM,QAAQ,KAAK;AAAA,EAC/D;AAEA,QAAM,SAAS,MAAM,yBAAyB,IAAI;AAAA,IAChD,QAAQ,KAAK;AAAA,IACb,SAAS;AAAA,IACT;AAAA,EACF,CAAC;AAED,SAAO,EAAE,QAAQ,KAAK,IAAI,MAAM,KAAK,MAAM,OAAO,KAAK,OAAO,OAAO;AACvE;AAsBA,eAAsB,0BACpB,IACA,SACoC;AACpC,MAAI,CAAC,QAAQ,SAAS,OAAO,QAAQ,UAAU,UAAU;AACvD,UAAM,IAAI,kBAAkB,iBAAiB;AAAA,MAC3C,EAAE,OAAO,SAAS,SAAS,2BAA2B;AAAA,IACxD,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,QAAQ,eAAe,QAAQ,YAAY,SAAS,qBAAqB;AAC5E,UAAM,IAAI,kBAAkB,iBAAiB;AAAA,MAC3C;AAAA,QACE,OAAO;AAAA,QACP,SAAS,6BAA6B,mBAAmB;AAAA,MAC3D;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,YAAY,MAAM,OAAO,QAAQ,KAAK;AAC5C,QAAM,MAAM,oBAAI,KAAK;AAErB,QAAM,CAAC,IAAI,IAAI,MAAM,GAClB,OAAO;AAAA,IACN,IAAI,QAAQ;AAAA,IACZ,OAAO,QAAQ;AAAA,IACf,SAAS,QAAQ;AAAA,EACnB,CAAC,EACA,KAAK,OAAO,EACZ;AAAA,IACCC;AAAA,MACED,IAAG,QAAQ,wBAAwB,SAAS;AAAA,MAC5C,UAAU,QAAQ,sBAAsB;AAAA,MACxC,GAAG,QAAQ,wBAAwB,GAAG;AAAA,IACxC;AAAA,EACF,EACC,MAAM,CAAC;AAEV,MAAI,CAAC,MAAM;AACT,UAAM,IAAI,kBAAkB,iBAAiB;AAAA,MAC3C,EAAE,OAAO,SAAS,SAAS,wCAAwC;AAAA,IACrE,CAAC;AAAA,EACH;AAEA,QAAM,kBAAkB,MAAM,aAAa,QAAQ,WAAW;AAO9D,QAAM,GAAG,YAAY,OAAO,OAAO;AACjC,UAAM,GACH,OAAO,OAAO,EACd,IAAI;AAAA,MACH,UAAU;AAAA,MACV,wBAAwB;AAAA,MACxB,wBAAwB;AAAA,MACxB,sBAAsB;AAAA,MACtB,eAAe;AAAA,MACf,WAAW;AAAA,MACX,cAAcE,OAAM,QAAQ,YAAY;AAAA,MACxC,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC,EACA,MAAMF,IAAG,QAAQ,IAAI,KAAK,EAAE,CAAC;AAEhC,UAAM,GAAG,OAAO,UAAU,EAAE,MAAMA,IAAG,WAAW,QAAQ,KAAK,EAAE,CAAC;AAAA,EAClE,CAAC;AAED,SAAO;AAAA,IACL,QAAQ,KAAK;AAAA,IACb,OAAO,KAAK;AAAA,IACZ,SAAU,KAAK,WAAW;AAAA,EAC5B;AACF;;;ACrMA,SAAS,eAAAG,oBAAmB;AAC5B,SAAS,aAAAC,YAAW,WAAAC,gBAAgC;AA2CpD,IAAMC,eAAc,IAAI,YAAY;AACpC,IAAM,kBAAkB;AAExB,eAAsB,gBACpB,QACA,QACA,oBAA4B,MAC5B,WAA6B,UACZ;AACjB,QAAM,YAAYA,aAAY,OAAO,MAAM;AAC3C,SAAO,IAAIC,SAAQ,EAAE,KAAK,OAAO,IAAI,KAAK,OAAO,cAAc,KAAK,SAAS,CAAC,EAC3E,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,YAAY,eAAe,EAC3B,OAAOC,aAAY,EAAE,EAAE,SAAS,WAAW,CAAC,EAC5C,YAAY,EACZ,kBAAkB,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,iBAAiB,EACnE,KAAK,SAAS;AACnB;AAmBA,eAAsB,kBACpB,OACA,QACA,aAC+B;AAC/B,QAAM,YAAYF,aAAY,OAAO,MAAM;AAC3C,QAAM,EAAE,QAAQ,IAAI,MAAMG,WAAU,OAAO,WAAW,EAAE,UAAU,gBAAgB,CAAC;AAGnF,QAAM,QAAQ;AAOd,MAAI,MAAM,QAAQ,YAAY,MAAM,QAAQ,WAAW;AACrD,UAAM,IAAI,YAAY,kCAAkC;AAAA,EAC1D;AACA,QAAM,MAAwB,MAAM;AACpC,MAAI,eAAe,QAAQ,aAAa;AAGtC,UAAM,IAAI;AAAA,MACR,uCAAuC,WAAW,SAAS,GAAG;AAAA,IAChE;AAAA,EACF;AACA,SAAO,EAAE,GAAG,OAAO,KAAK,iBAAiB,IAAI;AAC/C;;;AC5GA,SAAS,OAAAC,MAAK,MAAAC,KAAI,MAAAC,KAAI,OAAAC,YAAW;AAgCjC,eAAsB,0BACpB,IACA,SACA,aACiC;AACjC,QAAM,CAAC,GAAG,IAAI,MAAM,GACjB,OAAO;AAAA,IACN,IAAI,UAAU;AAAA,IACd,OAAO,UAAU;AAAA,IACjB,QAAQ,UAAU;AAAA,IAClB,aAAa,UAAU;AAAA,IACvB,QAAQ,UAAU;AAAA,IAClB,cAAc,UAAU;AAAA,EAC1B,CAAC,EACA,KAAK,SAAS,EACd,MAAMC,IAAG,UAAU,IAAI,QAAQ,GAAG,CAAC,EACnC,MAAM,CAAC;AAEV,MAAI,CAAC,IAAK,QAAO;AACjB,MAAI,IAAI,iBAAiB,QAAQ,IAAK,QAAO;AAE7C,MAAI,aAAa;AACf,UAAM,YAAY,MAAM,OAAO,WAAW;AAC1C,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,CAAC,OAAO,IAAK,MAAM,GACtB,OAAO,EAAE,IAAI,iBAAiB,GAAG,CAAC,EAClC,KAAK,gBAAgB,EACrB;AAAA,MACCC;AAAA,QACED,IAAG,iBAAiB,UAAU,IAAI,EAAE;AAAA,QACpCA,IAAG,iBAAiB,WAAW,SAAS;AAAA,QACxCE,IAAG,iBAAiB,WAAW,GAAG;AAAA,MACpC;AAAA,IACF,EACC,MAAM,CAAC;AACV,QAAI,CAAC,QAAS,QAAO;AAAA,EACvB;AAEA,SAAO;AACT;AAOA,eAAsB,4BACpB,IACA,UACe;AACf,QAAM,GAAG,YAAY,OAAO,OAAO;AACjC,UAAM,GACH,OAAO,SAAS,EAChB,IAAI;AAAA,MACH,cAAcC,OAAM,UAAU,YAAY;AAAA,MAC1C,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC,EACA,MAAMH,IAAG,UAAU,IAAI,QAAQ,CAAC;AACnC,UAAM,GAAG,OAAO,gBAAgB,EAAE,MAAMA,IAAG,iBAAiB,UAAU,QAAQ,CAAC;AAAA,EACjF,CAAC;AACH;;;AC5FA,SAAS,eAAAI,oBAAmB;AAE5B,SAAS,OAAAC,MAAK,MAAAC,KAAI,MAAAC,KAAI,aAAAC,YAAW,OAAAC,YAAW;AAgB5C,IAAMC,uBAAsB;AAQ5B,SAASC,oBAA2B;AAClC,SAAOC,aAAY,EAAE,EAAE,SAAS,KAAK;AACvC;AAIA,eAAsB,6BACpB,IACA,UACA,OAC8B;AAC9B,QAAM,QAAQD,kBAAiB;AAC/B,QAAM,YAAY,MAAM,OAAO,KAAK;AACpC,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK;AAE7C,QAAM,GACH,OAAO,SAAS,EAChB,IAAI;AAAA,IACH,sBAAsB;AAAA,IACtB,sBAAsB;AAAA,IACtB,WAAW,oBAAI,KAAK;AAAA,EACtB,CAAC,EACA,MAAME,IAAG,UAAU,IAAI,QAAQ,CAAC;AAEnC,SAAO,EAAE,OAAO,UAAU;AAC5B;AASA,eAAsB,8BACpB,IACA,OAC2C;AAC3C,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,UAAM,IAAI,kBAAkB,iBAAiB;AAAA,MAC3C,EAAE,OAAO,SAAS,SAAS,kCAAkC;AAAA,IAC/D,CAAC;AAAA,EACH;AACA,QAAM,YAAY,MAAM,OAAO,KAAK;AACpC,QAAM,MAAM,oBAAI,KAAK;AAErB,QAAM,CAAC,MAAM,IAAI,MAAM,GACpB,OAAO;AAAA,IACN,IAAI,UAAU;AAAA,IACd,OAAO,UAAU;AAAA,IACjB,QAAQ,UAAU;AAAA,IAClB,aAAa,UAAU;AAAA,EACzB,CAAC,EACA,KAAK,SAAS,EACd;AAAA,IACCC;AAAA,MACED,IAAG,UAAU,sBAAsB,SAAS;AAAA,MAC5CE,WAAU,UAAU,oBAAoB;AAAA,MACxCC,IAAG,UAAU,sBAAsB,GAAG;AAAA,IACxC;AAAA,EACF,EACC,MAAM,CAAC;AAEV,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI,kBAAkB,iBAAiB;AAAA,MAC3C,EAAE,OAAO,SAAS,SAAS,+CAA+C;AAAA,IAC5E,CAAC;AAAA,EACH;AAEA,QAAM,GACH,OAAO,SAAS,EAChB,IAAI;AAAA,IACH,eAAe;AAAA;AAAA;AAAA;AAAA,IAIf,QAAQC,iBAAgB,UAAU,MAAM,mCAAmC,UAAU,MAAM;AAAA,IAC3F,sBAAsB;AAAA,IACtB,sBAAsB;AAAA,IACtB,WAAW;AAAA,EACb,CAAC,EACA,MAAMJ,IAAG,UAAU,IAAI,OAAO,EAAE,CAAC;AAEpC,SAAO;AAAA,IACL,UAAU,OAAO;AAAA,IACjB,OAAO,OAAO;AAAA,IACd,QAAQ,OAAO;AAAA,IACf,aAAa,OAAO;AAAA,EACtB;AACF;AAWA,eAAsB,2BACpB,IACA,OACA,OACqC;AACrC,QAAM,kBAAkB,MAAM,KAAK,EAAE,YAAY;AACjD,QAAM,CAAC,MAAM,IAAI,MAAM,GACpB,OAAO;AAAA,IACN,IAAI,UAAU;AAAA,IACd,OAAO,UAAU;AAAA,IACjB,aAAa,UAAU;AAAA,IACvB,QAAQ,UAAU;AAAA,EACpB,CAAC,EACA,KAAK,SAAS,EACd,MAAMA,IAAG,UAAU,OAAO,eAAe,CAAC,EAC1C,MAAM,CAAC;AAEV,MAAI,CAAC,UAAU,OAAO,WAAW,WAAW;AAC1C,WAAO,EAAE,UAAU,MAAM,aAAa,MAAM,OAAO,MAAM,QAAQ,KAAK;AAAA,EACxE;AAEA,QAAM,QAAQF,kBAAiB;AAC/B,QAAM,YAAY,MAAM,OAAO,KAAK;AACpC,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK;AAE7C,QAAM,GACH,OAAO,SAAS,EAChB,IAAI;AAAA,IACH,wBAAwB;AAAA,IACxB,wBAAwB;AAAA,IACxB,WAAW,oBAAI,KAAK;AAAA,EACtB,CAAC,EACA,MAAME,IAAG,UAAU,IAAI,OAAO,EAAE,CAAC;AAEpC,SAAO;AAAA,IACL,UAAU,OAAO;AAAA,IACjB,aAAa,OAAO;AAAA,IACpB,OAAO,OAAO;AAAA,IACd,QAAQ,EAAE,OAAO,UAAU;AAAA,EAC7B;AACF;AAOA,eAAsB,2BACpB,IACA,OACA,aACqC;AACrC,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,UAAM,IAAI,kBAAkB,iBAAiB;AAAA,MAC3C,EAAE,OAAO,SAAS,SAAS,2BAA2B;AAAA,IACxD,CAAC;AAAA,EACH;AACA,MAAI,CAAC,eAAe,YAAY,SAASH,sBAAqB;AAC5D,UAAM,IAAI,kBAAkB,iBAAiB;AAAA,MAC3C;AAAA,QACE,OAAO;AAAA,QACP,SAAS,6BAA6BA,oBAAmB;AAAA,MAC3D;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,YAAY,MAAM,OAAO,KAAK;AACpC,QAAM,MAAM,oBAAI,KAAK;AAErB,QAAM,CAAC,MAAM,IAAI,MAAM,GACpB,OAAO,EAAE,IAAI,UAAU,IAAI,OAAO,UAAU,MAAM,CAAC,EACnD,KAAK,SAAS,EACd;AAAA,IACCI;AAAA,MACED,IAAG,UAAU,wBAAwB,SAAS;AAAA,MAC9CE,WAAU,UAAU,sBAAsB;AAAA,MAC1CC,IAAG,UAAU,wBAAwB,GAAG;AAAA,IAC1C;AAAA,EACF,EACC,MAAM,CAAC;AAEV,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI,kBAAkB,iBAAiB;AAAA,MAC3C,EAAE,OAAO,SAAS,SAAS,wCAAwC;AAAA,IACrE,CAAC;AAAA,EACH;AAEA,QAAM,kBAAkB,MAAM,aAAa,WAAW;AAEtD,QAAM,GAAG,YAAY,OAAO,OAAO;AACjC,UAAM,GACH,OAAO,SAAS,EAChB,IAAI;AAAA,MACH,UAAU;AAAA,MACV,wBAAwB;AAAA,MACxB,wBAAwB;AAAA,MACxB,eAAe;AAAA,MACf,WAAW;AAAA;AAAA;AAAA;AAAA,MAIX,cAAcC,OAAM,UAAU,YAAY;AAAA,MAC1C,eAAe;AAAA,MACf,QAAQA,iBAAgB,UAAU,MAAM,mCAAmC,UAAU,MAAM;AAAA,MAC3F,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC,EACA,MAAMJ,IAAG,UAAU,IAAI,OAAO,EAAE,CAAC;AAEpC,UAAM,GAAG,OAAO,gBAAgB,EAAE,MAAMA,IAAG,iBAAiB,UAAU,OAAO,EAAE,CAAC;AAAA,EAClF,CAAC;AAED,SAAO,EAAE,UAAU,OAAO,IAAI,OAAO,OAAO,MAAM;AACpD;","names":["and","eq","sql","SYNTHETIC_EMAIL_SUFFIX","syntheticEmail","mergeMetadata","eq","and","sql","randomBytes","randomBytes","eq","sql","eq","sql","and","eq","eq","and","randomBytes","and","eq","sql","randomBytes","eq","and","sql","randomBytes","jwtVerify","SignJWT","textEncoder","SignJWT","randomBytes","jwtVerify","and","eq","gt","sql","eq","and","gt","sql","randomBytes","and","eq","gt","isNotNull","sql","MIN_PASSWORD_LENGTH","generateRawToken","randomBytes","eq","and","isNotNull","gt","sql"]}