@nexus_js/graphql 0.9.3

package/dist/index.js

@@ -0,0 +1,62 @@
+/**
+ * @nexus_js/graphql — GraphQL integration for Nexus.js
+ *
+ * Provides a security-first GraphQL adapter that integrates with the Nexus
+ * server pipeline without Express, without CORS conflicts, and without
+ * external runtime dependencies beyond `graphql` itself.
+ *
+ * Quick-start
+ * ───────────
+ *  ```ts
+ *  // nexus.config.ts or server startup
+ *  import { createGraphQLHandler, createBatchLoader, createJwtService } from '@nexus_js/graphql';
+ *  import { nexusVault } from '@nexus_js/security';
+ *  import { schema } from './graphql/schema.js';
+ *
+ *  const jwtSvc = createJwtService(nexusVault, { vaultKey: 'JWT_SECRET', issuer: 'my-app' });
+ *
+ *  const gqlHandler = createGraphQLHandler({
+ *    schema,
+ *    dev:    process.env.NODE_ENV !== 'production',
+ *    cors:   { origins: ['https://app.example.com'], credentials: true },
+ *    shield: { maxCost: 500, maxDepth: 8, allowIntrospection: false },
+ *    mask:   { 'User.passwordHash': null, 'PaymentCard.cvv': 'REDACTED' },
+ *    context: (req, ctx) => ({
+ *      ...ctx,
+ *      user:    jwtSvc.verify(req.headers.get('authorization')?.replace('Bearer ', '') ?? ''),
+ *      loaders: { user: createBatchLoader(ids => db.users.findMany(ids)) },
+ *    }),
+ *  });
+ *
+ *  // Add to createNexusServer:
+ *  mounts: [{ path: '/graphql', handler: gqlHandler }]
+ *  ```
+ *
+ * Architecture
+ * ────────────
+ *  Handler pipeline per request:
+ *  1. CORS preflight (OPTIONS) → 204 with Access-Control headers
+ *  2. GraphiQL HTML (dev GET with Accept: text/html)
+ *  3. Rate limiting (sliding window, per IP)
+ *  4. Parse GET/POST JSON/application/graphql body
+ *  5. graphql.parse() + graphql.validate()
+ *  6. Shield: complexity + depth + introspection gate
+ *  7. Context factory call
+ *  8. graphql.execute()
+ *  9. Field masking
+ * 10. JSON response
+ */
+// ── Handler ──────────────────────────────────────────────────────────────────
+export { createGraphQLHandler, } from './handler.js';
+// ── Complexity Shield ─────────────────────────────────────────────────────────
+export { analyseComplexity, } from './complexity.js';
+// ── Field masking ─────────────────────────────────────────────────────────────
+export { maskResult, allowWhen, redactUnless, } from './mask.js';
+// ── JWT + Vault rotation ──────────────────────────────────────────────────────
+export { createJwtService, signJwt, verifyJwt, } from './jwt.js';
+// ── DataLoader (N+1 prevention) ───────────────────────────────────────────────
+export { BatchLoader, createBatchLoader, createLoaderRegistry, } from './dataloader.js';
+// ── Legacy Bridge: Remote executor & stitching ────────────────────────────────
+export { createRemoteExecutor, createRemoteExecutorWithSchema, } from './remote-executor.js';
+export { stitchSchemas, createGatewayResolver, } from './stitching.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AAEH,gFAAgF;AAChF,OAAO,EACL,oBAAoB,GAMrB,MAAM,cAAc,CAAC;AAEtB,iFAAiF;AACjF,OAAO,EACL,iBAAiB,GAGlB,MAAM,iBAAiB,CAAC;AAEzB,iFAAiF;AACjF,OAAO,EACL,UAAU,EACV,SAAS,EACT,YAAY,GAIb,MAAM,WAAW,CAAC;AAEnB,iFAAiF;AACjF,OAAO,EACL,gBAAgB,EAChB,OAAO,EACP,SAAS,GAIV,MAAM,UAAU,CAAC;AAElB,iFAAiF;AACjF,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,oBAAoB,GAGrB,MAAM,iBAAiB,CAAC;AAEzB,iFAAiF;AACjF,OAAO,EACL,oBAAoB,EACpB,8BAA8B,GAI/B,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,aAAa,EACb,qBAAqB,GAGtB,MAAM,gBAAgB,CAAC"}

package/dist/jwt.d.ts

@@ -0,0 +1,109 @@
+/**
+ * Nexus JWT — HS256 signing and verification backed by the Vault.
+ *
+ * Key design goals
+ * ────────────────
+ *  1. Zero external JWT library — uses only Node.js `node:crypto` to avoid
+ *     supply-chain risk and keep the package small.
+ *
+ *  2. Vault-backed key rotation with a grace period so existing valid tokens
+ *     are not instantly invalidated when you rotate the secret.
+ *     On vault patch: old key stays valid for `gracePeriodMs` (default 5 min),
+ *     then all tokens signed with it are rejected.
+ *
+ *  3. timingSafeEqual comparison everywhere to prevent timing attacks.
+ *
+ * Usage
+ * ─────
+ *  // In your Nexus server init:
+ *  const jwtService = createJwtService({
+ *    vaultKey:  'JWT_SECRET',   // vault key that holds the signing secret
+ *    issuer:    'my-app',
+ *    expiresIn: 3600,           // 1 hour
+ *  });
+ *
+ *  // Sign:
+ *  const token = jwtService.sign({ sub: userId, role: 'user' });
+ *
+ *  // Verify (in GraphQL resolver / action):
+ *  const payload = jwtService.verify(token);  // throws on invalid
+ *
+ *  // Rotate (call from vault hot-reload handler, or schedule):
+ *  jwtService.rotate('new-secret-at-least-32-chars');
+ */
+import type { NexusVault } from '@nexus_js/security';
+export interface JwtPayload {
+    /** Subject — typically user ID */
+    sub: string;
+    /** Issued-at (epoch seconds) */
+    iat: number;
+    /** Expiry (epoch seconds) */
+    exp: number;
+    /** Issuer */
+    iss?: string;
+    /** JWT ID — random, useful for revocation lists */
+    jti?: string;
+    /** Arbitrary custom claims */
+    [key: string]: unknown;
+}
+export interface JwtServiceOptions {
+    /**
+     * Vault key whose value is used as the HMAC signing secret.
+     * Must be ≥ 32 bytes (the vault value is used as UTF-8).
+     */
+    vaultKey: string;
+    /**
+     * Issuer claim (`iss`). Include in tokens and verified on decode.
+     */
+    issuer?: string;
+    /**
+     * Token lifetime in **seconds**. Default: 3600 (1 hour).
+     */
+    expiresIn?: number;
+    /**
+     * How long (ms) the **old** key remains valid after rotation.
+     * Default: 300 000 (5 minutes). During this window tokens signed with the
+     * old key are still accepted so users are not force-logged-out mid-session.
+     */
+    gracePeriodMs?: number;
+    /**
+     * Whether to include a unique `jti` (JWT ID) in every token.
+     * Needed for single-use / revocation scenarios. Default: false.
+     */
+    includeJti?: boolean;
+}
+export interface JwtService {
+    /** Create a signed JWT containing the given payload additions. */
+    sign(claims: Omit<JwtPayload, 'iat' | 'exp' | 'iss' | 'jti'>): string;
+    /**
+     * Verify and decode a JWT.
+     * Throws an informative error (without leaking secret) on any failure.
+     */
+    verify(token: string): JwtPayload;
+    /**
+     * Immediately rotate the signing key.
+     * The old key enters the grace window and is discarded after `gracePeriodMs`.
+     * Normally called automatically when the vault patches `vaultKey`.
+     */
+    rotate(newSecret: string): void;
+}
+/**
+ * Create a JWT service bound to a Vault instance.
+ * Vault updates to `vaultKey` automatically trigger key rotation.
+ *
+ * @param vault   Nexus vault instance (from `nexusVault` or your own)
+ * @param opts    Service configuration
+ */
+export declare function createJwtService(vault: NexusVault, opts: JwtServiceOptions): JwtService;
+/**
+ * Sign a JWT with an explicit secret (not vault-backed).
+ * Useful in tests or edge cases where you don't need hot rotation.
+ */
+export declare function signJwt(payload: Omit<JwtPayload, 'iat' | 'exp'> & {
+    sub: string;
+}, secret: string, expiresIn?: number): string;
+/**
+ * Verify a JWT with an explicit secret (not vault-backed).
+ */
+export declare function verifyJwt(token: string, secret: string, issuer?: string): JwtPayload;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAIrD,MAAM,WAAW,UAAU;IACzB,kCAAkC;IAClC,GAAG,EAAI,MAAM,CAAC;IACd,gCAAgC;IAChC,GAAG,EAAI,MAAM,CAAC;IACd,6BAA6B;IAC7B,GAAG,EAAI,MAAM,CAAC;IACd,aAAa;IACb,GAAG,CAAC,EAAG,MAAM,CAAC;IACd,mDAAmD;IACnD,GAAG,CAAC,EAAG,MAAM,CAAC;IACd,8BAA8B;IAC9B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,QAAQ,EAAI,MAAM,CAAC;IACnB;;OAEG;IACH,MAAM,CAAC,EAAK,MAAM,CAAC;IACnB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,UAAU;IACzB,kEAAkE;IAClE,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,GAAG,MAAM,CAAC;IACtE;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,CAAC;IAClC;;;;OAIG;IACH,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CACjC;AAWD;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,UAAU,EACjB,IAAI,EAAG,iBAAiB,GACvB,UAAU,CAyIZ;AAID;;;GAGG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EAC1D,MAAM,EAAG,MAAM,EACf,SAAS,SAAO,GACf,MAAM,CAOR;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,UAAU,CA+BpF"}

package/dist/jwt.js

@@ -0,0 +1,197 @@
+/**
+ * Nexus JWT — HS256 signing and verification backed by the Vault.
+ *
+ * Key design goals
+ * ────────────────
+ *  1. Zero external JWT library — uses only Node.js `node:crypto` to avoid
+ *     supply-chain risk and keep the package small.
+ *
+ *  2. Vault-backed key rotation with a grace period so existing valid tokens
+ *     are not instantly invalidated when you rotate the secret.
+ *     On vault patch: old key stays valid for `gracePeriodMs` (default 5 min),
+ *     then all tokens signed with it are rejected.
+ *
+ *  3. timingSafeEqual comparison everywhere to prevent timing attacks.
+ *
+ * Usage
+ * ─────
+ *  // In your Nexus server init:
+ *  const jwtService = createJwtService({
+ *    vaultKey:  'JWT_SECRET',   // vault key that holds the signing secret
+ *    issuer:    'my-app',
+ *    expiresIn: 3600,           // 1 hour
+ *  });
+ *
+ *  // Sign:
+ *  const token = jwtService.sign({ sub: userId, role: 'user' });
+ *
+ *  // Verify (in GraphQL resolver / action):
+ *  const payload = jwtService.verify(token);  // throws on invalid
+ *
+ *  // Rotate (call from vault hot-reload handler, or schedule):
+ *  jwtService.rotate('new-secret-at-least-32-chars');
+ */
+import { createHmac, timingSafeEqual, randomBytes } from 'node:crypto';
+// ── Factory ──────────────────────────────────────────────────────────────────
+/**
+ * Create a JWT service bound to a Vault instance.
+ * Vault updates to `vaultKey` automatically trigger key rotation.
+ *
+ * @param vault   Nexus vault instance (from `nexusVault` or your own)
+ * @param opts    Service configuration
+ */
+export function createJwtService(vault, opts) {
+    const { vaultKey, issuer, expiresIn = 3600, gracePeriodMs = 300_000, includeJti = false, } = opts;
+    let currentSecret = vault.get(vaultKey) ?? '';
+    const graceKeys = [];
+    // Subscribe to vault hot-reload
+    vault.subscribe(() => {
+        const next = vault.get(vaultKey);
+        if (next && next !== currentSecret) {
+            service.rotate(next);
+        }
+    });
+    // ── Internal helpers ───────────────────────────────────────────────────────
+    function b64url(str) {
+        return Buffer.from(str).toString('base64url');
+    }
+    function makeHeader() {
+        return b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+    }
+    function signParts(header, body, secret) {
+        return createHmac('sha256', secret)
+            .update(`${header}.${body}`)
+            .digest('base64url');
+    }
+    function pruneGraceKeys() {
+        const now = Date.now();
+        // Remove expired grace keys from the back
+        while (graceKeys.length > 0 && graceKeys[graceKeys.length - 1].expiresAt < now) {
+            graceKeys.pop();
+        }
+    }
+    // ── Service implementation ─────────────────────────────────────────────────
+    const service = {
+        sign(claims) {
+            if (!currentSecret || currentSecret.length < 32) {
+                throw new Error(`[Nexus JWT] Vault key "${vaultKey}" is missing or shorter than 32 characters. ` +
+                    'Set it via NEXUS_SECRET / vault.patch().');
+            }
+            const now = Math.floor(Date.now() / 1000);
+            const payload = {
+                sub: String(claims.sub ?? ''),
+                ...claims,
+                iat: now,
+                exp: now + expiresIn,
+                ...(issuer ? { iss: issuer } : {}),
+                ...(includeJti ? { jti: randomBytes(16).toString('hex') } : {}),
+            };
+            const header = makeHeader();
+            const body = b64url(JSON.stringify(payload));
+            const sig = signParts(header, body, currentSecret);
+            return `${header}.${body}.${sig}`;
+        },
+        verify(token) {
+            const parts = token.split('.');
+            if (parts.length !== 3) {
+                throw new Error('[Nexus JWT] Malformed token: expected 3 segments.');
+            }
+            const [header, body, sig] = parts;
+            pruneGraceKeys();
+            // Try current key first, then grace keys
+            const candidates = [
+                currentSecret,
+                ...graceKeys.map(k => k.secret),
+            ].filter(Boolean);
+            let payload = null;
+            for (const secret of candidates) {
+                const expected = Buffer.from(signParts(header, body, secret));
+                const actual = Buffer.from(sig);
+                // Lengths must match for timingSafeEqual
+                if (expected.length === actual.length && timingSafeEqual(expected, actual)) {
+                    try {
+                        payload = JSON.parse(Buffer.from(body, 'base64url').toString());
+                    }
+                    catch {
+                        throw new Error('[Nexus JWT] Token body is not valid JSON.');
+                    }
+                    break;
+                }
+            }
+            if (!payload) {
+                throw new Error('[Nexus JWT] Invalid signature.');
+            }
+            const now = Math.floor(Date.now() / 1000);
+            if (payload.exp !== undefined && now > payload.exp) {
+                throw new Error('[Nexus JWT] Token has expired.');
+            }
+            // Clock-skew guard: issued more than 5 seconds in the future → reject
+            if (payload.iat !== undefined && payload.iat > now + 5) {
+                throw new Error('[Nexus JWT] Token issued-at is in the future (clock skew).');
+            }
+            if (issuer && payload.iss !== issuer) {
+                throw new Error(`[Nexus JWT] Token issuer "${payload.iss}" does not match expected "${issuer}".`);
+            }
+            return payload;
+        },
+        rotate(newSecret) {
+            if (!newSecret || newSecret.length < 32) {
+                throw new Error('[Nexus JWT] New secret must be at least 32 characters.');
+            }
+            if (currentSecret) {
+                graceKeys.unshift({ secret: currentSecret, expiresAt: Date.now() + gracePeriodMs });
+                // Cap grace list to prevent unbounded growth (keep at most 5 old keys)
+                while (graceKeys.length > 5)
+                    graceKeys.pop();
+            }
+            currentSecret = newSecret;
+        },
+    };
+    return service;
+}
+// ── Standalone helpers (for apps that manage their own key) ──────────────────
+/**
+ * Sign a JWT with an explicit secret (not vault-backed).
+ * Useful in tests or edge cases where you don't need hot rotation.
+ */
+export function signJwt(payload, secret, expiresIn = 3600) {
+    const now = Math.floor(Date.now() / 1000);
+    const full = { ...payload, iat: now, exp: now + expiresIn };
+    const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
+    const body = Buffer.from(JSON.stringify(full)).toString('base64url');
+    const sig = createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url');
+    return `${header}.${body}.${sig}`;
+}
+/**
+ * Verify a JWT with an explicit secret (not vault-backed).
+ */
+export function verifyJwt(token, secret, issuer) {
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        throw new Error('[Nexus JWT] Malformed token.');
+    const [header, body, sig] = parts;
+    const expected = Buffer.from(createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url'));
+    const actual = Buffer.from(sig);
+    if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
+        throw new Error('[Nexus JWT] Invalid signature.');
+    }
+    let payload;
+    try {
+        payload = JSON.parse(Buffer.from(body, 'base64url').toString());
+    }
+    catch {
+        throw new Error('[Nexus JWT] Token body is not valid JSON.');
+    }
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp !== undefined && now > payload.exp) {
+        throw new Error('[Nexus JWT] Token has expired.');
+    }
+    if (payload.iat !== undefined && payload.iat > now + 5) {
+        throw new Error('[Nexus JWT] Token issued in the future.');
+    }
+    if (issuer && payload.iss !== issuer) {
+        throw new Error(`[Nexus JWT] Issuer mismatch.`);
+    }
+    return payload;
+}
+//# sourceMappingURL=jwt.js.map

package/dist/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAsEvE,gFAAgF;AAEhF;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAC9B,KAAiB,EACjB,IAAwB;IAExB,MAAM,EACJ,QAAQ,EACR,MAAM,EACN,SAAS,GAAM,IAAI,EACnB,aAAa,GAAG,OAAO,EACvB,UAAU,GAAK,KAAK,GACrB,GAAG,IAAI,CAAC;IAET,IAAI,aAAa,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC9C,MAAM,SAAS,GAAe,EAAE,CAAC;IAEjC,gCAAgC;IAChC,KAAK,CAAC,SAAS,CAAC,GAAG,EAAE;QACnB,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACjC,IAAI,IAAI,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;YACnC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,8EAA8E;IAE9E,SAAS,MAAM,CAAC,GAAW;QACzB,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAChD,CAAC;IAED,SAAS,UAAU;QACjB,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAC9D,CAAC;IAED,SAAS,SAAS,CAAC,MAAc,EAAE,IAAY,EAAE,MAAc;QAC7D,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC;aAChC,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;aAC3B,MAAM,CAAC,WAAW,CAAC,CAAC;IACzB,CAAC;IAED,SAAS,cAAc;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,0CAA0C;QAC1C,OAAO,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAE,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;YAChF,SAAS,CAAC,GAAG,EAAE,CAAC;QAClB,CAAC;IACH,CAAC;IAED,8EAA8E;IAE9E,MAAM,OAAO,GAAe;QAC1B,IAAI,CAAC,MAAM;YACT,IAAI,CAAC,aAAa,IAAI,aAAa,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;gBAChD,MAAM,IAAI,KAAK,CACb,0BAA0B,QAAQ,8CAA8C;oBAChF,0CAA0C,CAC3C,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,OAAO,GAAe;gBAC1B,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC;gBAC7B,GAAG,MAAM;gBACT,GAAG,EAAE,GAAG;gBACR,GAAG,EAAE,GAAG,GAAG,SAAS;gBACpB,GAAG,CAAC,MAAM,CAAK,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,CAAW,CAAC,CAAC,EAAE,CAAC;gBAChD,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAChE,CAAC;YACF,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAK,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;YAC/C,MAAM,GAAG,GAAM,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;YACtD,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;QACpC,CAAC;QAED,MAAM,CAAC,KAAK;YACV,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACvE,CAAC;YACD,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAiC,CAAC;YAE9D,cAAc,EAAE,CAAC;YAEjB,yCAAyC;YACzC,MAAM,UAAU,GAAG;gBACjB,aAAa;gBACb,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;aAChC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAElB,IAAI,OAAO,GAAsB,IAAI,CAAC;YAEtC,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;gBAC9D,MAAM,MAAM,GAAK,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAElC,yCAAyC;gBACzC,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,IAAI,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;oBAC3E,IAAI,CAAC;wBACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAe,CAAC;oBAChF,CAAC;oBAAC,MAAM,CAAC;wBACP,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;oBAC/D,CAAC;oBACD,MAAM;gBACR,CAAC;YACH,CAAC;YAED,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACpD,CAAC;YAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAE1C,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;gBACnD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACpD,CAAC;YAED,sEAAsE;YACtE,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC,EAAE,CAAC;gBACvD,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;YAChF,CAAC;YAED,IAAI,MAAM,IAAI,OAAO,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;gBACrC,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,CAAC,GAAG,8BAA8B,MAAM,IAAI,CAAC,CAAC;YACpG,CAAC;YAED,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,MAAM,CAAC,SAAiB;YACtB,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,aAAa,EAAE,CAAC;gBAClB,SAAS,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,EAAE,CAAC,CAAC;gBACpF,uEAAuE;gBACvE,OAAO,SAAS,CAAC,MAAM,GAAG,CAAC;oBAAE,SAAS,CAAC,GAAG,EAAE,CAAC;YAC/C,CAAC;YACD,aAAa,GAAG,SAAS,CAAC;QAC5B,CAAC;KACF,CAAC;IAEF,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,UAAU,OAAO,CACrB,OAA0D,EAC1D,MAAe,EACf,SAAS,GAAG,IAAI;IAEhB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAe,EAAE,GAAG,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,EAAE,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/F,MAAM,IAAI,GAAK,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACvE,MAAM,GAAG,GAAM,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5F,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa,EAAE,MAAc,EAAE,MAAe;IACtE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IACxE,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAiC,CAAC;IAE9D,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAC1B,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAC7E,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;QAC5E,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,OAAmB,CAAC;IACxB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAe,CAAC;IAChF,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,IAAI,MAAM,IAAI,OAAO,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/mask.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Nexus GraphQL Field Masking
+ *
+ * Intercepts GraphQL execution results *after* resolution to null-out or
+ * redact fields the caller is not authorised to see.
+ *
+ * This is a last-resort defence layer — it does NOT replace resolver-level
+ * auth guards. Its purpose:
+ *  - Prevent accidental secret leakage when a resolver returns a full DB row
+ *  - Mask PII in logs / analytics pipelines without modifying every resolver
+ *  - Provide a single policy source-of-truth instead of scattered checks
+ *
+ * Usage
+ * ─────
+ *  const policy: MaskPolicy = {
+ *    'User.passwordHash': 'REDACTED',
+ *    'User.apiKey':       (value, ctx) => ctx.user?.role === 'admin' ? value : '••••••••',
+ *    'PaymentMethod.cvv': null,
+ *  };
+ *
+ *  const masked = maskResult(result, policy, gqlCtx);
+ */
+/**
+ * Called when a masked field is accessed.
+ * Return the replacement value (or null/undefined to strip the field).
+ * `rawValue` is the resolved value before masking.
+ * `ctx` is whatever context you passed to `maskResult`.
+ */
+export type MaskFn<Ctx = unknown> = (rawValue: unknown, ctx: Ctx) => unknown;
+/**
+ * Policy map: key is "TypeName.fieldName" or just "fieldName" (matches any type).
+ * Value is either:
+ *   - A static replacement  (string, number, null, undefined …)
+ *   - A `MaskFn` for dynamic decisions (e.g. role-based access)
+ */
+export type MaskPolicy<Ctx = unknown> = Record<string, unknown | MaskFn<Ctx>>;
+export interface GraphQLExecutionResult {
+    data?: Record<string, unknown> | null;
+    errors?: Array<{
+        message: string;
+        [key: string]: unknown;
+    }>;
+    extensions?: Record<string, unknown>;
+}
+/**
+ * Walk the GraphQL execution result and apply the mask policy.
+ * Returns a new result object — the original is never mutated.
+ *
+ * @param result   Raw result from `graphql.execute()`
+ * @param policy   Field masking policy
+ * @param ctx      Arbitrary context forwarded to MaskFn handlers
+ * @param typePath Current object type path for nested resolution (internal use)
+ */
+export declare function maskResult<Ctx = unknown>(result: GraphQLExecutionResult, policy: MaskPolicy<Ctx>, ctx: Ctx): GraphQLExecutionResult;
+/**
+ * Convenience factory: returns null when `guardFn` returns false, otherwise
+ * passes the raw value through unchanged.
+ *
+ * @example
+ *   'User.apiKey': allowWhen((ctx: MyCtx) => ctx.user?.role === 'admin')
+ */
+export declare function allowWhen<Ctx>(guardFn: (ctx: Ctx, rawValue: unknown) => boolean): MaskFn<Ctx>;
+/**
+ * Convenience factory: return `replacement` when the guard fails.
+ *
+ * @example
+ *   'User.email': redactUnless((ctx: MyCtx) => ctx.user?.id === ctx.vars?.userId, '***@***.***')
+ */
+export declare function redactUnless<Ctx>(guardFn: (ctx: Ctx, rawValue: unknown) => boolean, replacement?: unknown): MaskFn<Ctx>;
+//# sourceMappingURL=mask.d.ts.map

package/dist/mask.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mask.d.ts","sourceRoot":"","sources":["../src/mask.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAIH;;;;;GAKG;AACH,MAAM,MAAM,MAAM,CAAC,GAAG,GAAG,OAAO,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC;AAE7E;;;;;GAKG;AACH,MAAM,MAAM,UAAU,CAAC,GAAG,GAAG,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;AAE9E,MAAM,WAAW,sBAAsB;IACrC,IAAI,CAAC,EAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IACxC,MAAM,CAAC,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAC,CAAC;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAID;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,GAAG,GAAG,OAAO,EACtC,MAAM,EAAE,sBAAsB,EAC9B,MAAM,EAAE,UAAU,CAAC,GAAG,CAAC,EACvB,GAAG,EAAE,GAAG,GACP,sBAAsB,CAMxB;AAkDD;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAC3B,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,KAAK,OAAO,GAChD,MAAM,CAAC,GAAG,CAAC,CAEb;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAC9B,OAAO,EAAM,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,KAAK,OAAO,EACrD,WAAW,GAAE,OAAoB,GAChC,MAAM,CAAC,GAAG,CAAC,CAEb"}

package/dist/mask.js

@@ -0,0 +1,98 @@
+/**
+ * Nexus GraphQL Field Masking
+ *
+ * Intercepts GraphQL execution results *after* resolution to null-out or
+ * redact fields the caller is not authorised to see.
+ *
+ * This is a last-resort defence layer — it does NOT replace resolver-level
+ * auth guards. Its purpose:
+ *  - Prevent accidental secret leakage when a resolver returns a full DB row
+ *  - Mask PII in logs / analytics pipelines without modifying every resolver
+ *  - Provide a single policy source-of-truth instead of scattered checks
+ *
+ * Usage
+ * ─────
+ *  const policy: MaskPolicy = {
+ *    'User.passwordHash': 'REDACTED',
+ *    'User.apiKey':       (value, ctx) => ctx.user?.role === 'admin' ? value : '••••••••',
+ *    'PaymentMethod.cvv': null,
+ *  };
+ *
+ *  const masked = maskResult(result, policy, gqlCtx);
+ */
+// ── Core masking ─────────────────────────────────────────────────────────────
+/**
+ * Walk the GraphQL execution result and apply the mask policy.
+ * Returns a new result object — the original is never mutated.
+ *
+ * @param result   Raw result from `graphql.execute()`
+ * @param policy   Field masking policy
+ * @param ctx      Arbitrary context forwarded to MaskFn handlers
+ * @param typePath Current object type path for nested resolution (internal use)
+ */
+export function maskResult(result, policy, ctx) {
+    if (!result.data)
+        return result;
+    return {
+        ...result,
+        data: maskValue(result.data, '__ROOT__', policy, ctx),
+    };
+}
+// ── Internal walker ─────────────────────────────────────────────────────────
+function maskValue(value, typePath, policy, ctx) {
+    if (value === null || value === undefined)
+        return value;
+    if (Array.isArray(value)) {
+        return value.map(item => maskValue(item, typePath, policy, ctx));
+    }
+    if (typeof value === 'object') {
+        const obj = value;
+        // Detect GraphQL __typename for type-aware masking
+        const typeName = typeof obj['__typename'] === 'string'
+            ? obj['__typename']
+            : typePath;
+        const masked = {};
+        for (const [key, val] of Object.entries(obj)) {
+            // Build lookup keys: "TypeName.fieldName" first, then bare "fieldName"
+            const qualifiedKey = `${typeName}.${key}`;
+            const hasMasked = qualifiedKey in policy || key in policy;
+            if (hasMasked) {
+                const policyEntry = qualifiedKey in policy ? policy[qualifiedKey] : policy[key];
+                if (typeof policyEntry === 'function') {
+                    masked[key] = policyEntry(val, ctx);
+                }
+                else {
+                    masked[key] = policyEntry;
+                }
+            }
+            else {
+                // Recurse into nested objects — pass the field name as a type hint
+                // (if the nested object has __typename we'll pick it up there)
+                masked[key] = maskValue(val, key, policy, ctx);
+            }
+        }
+        return masked;
+    }
+    return value;
+}
+// ── Helper: build a role-based mask function ─────────────────────────────────
+/**
+ * Convenience factory: returns null when `guardFn` returns false, otherwise
+ * passes the raw value through unchanged.
+ *
+ * @example
+ *   'User.apiKey': allowWhen((ctx: MyCtx) => ctx.user?.role === 'admin')
+ */
+export function allowWhen(guardFn) {
+    return (rawValue, ctx) => (guardFn(ctx, rawValue) ? rawValue : null);
+}
+/**
+ * Convenience factory: return `replacement` when the guard fails.
+ *
+ * @example
+ *   'User.email': redactUnless((ctx: MyCtx) => ctx.user?.id === ctx.vars?.userId, '***@***.***')
+ */
+export function redactUnless(guardFn, replacement = 'REDACTED') {
+    return (rawValue, ctx) => (guardFn(ctx, rawValue) ? rawValue : replacement);
+}
+//# sourceMappingURL=mask.js.map

package/dist/mask.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mask.js","sourceRoot":"","sources":["../src/mask.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AA0BH,gFAAgF;AAEhF;;;;;;;;GAQG;AACH,MAAM,UAAU,UAAU,CACxB,MAA8B,EAC9B,MAAuB,EACvB,GAAQ;IAER,IAAI,CAAC,MAAM,CAAC,IAAI;QAAE,OAAO,MAAM,CAAC;IAChC,OAAO;QACL,GAAG,MAAM;QACT,IAAI,EAAE,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,CAA4B;KACjF,CAAC;AACJ,CAAC;AAED,+EAA+E;AAE/E,SAAS,SAAS,CAChB,KAAiB,EACjB,QAAgB,EAChB,MAAyB,EACzB,GAAa;IAEb,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAExD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;IACnE,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAgC,CAAC;QAC7C,mDAAmD;QACnD,MAAM,QAAQ,GAAW,OAAO,GAAG,CAAC,YAAY,CAAC,KAAK,QAAQ;YAC5D,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC;YACnB,CAAC,CAAC,QAAQ,CAAC;QAEb,MAAM,MAAM,GAA4B,EAAE,CAAC;QAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7C,uEAAuE;YACvE,MAAM,YAAY,GAAG,GAAG,QAAQ,IAAI,GAAG,EAAE,CAAC;YAC1C,MAAM,SAAS,GAAM,YAAY,IAAI,MAAM,IAAI,GAAG,IAAI,MAAM,CAAC;YAE7D,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,WAAW,GAAG,YAAY,IAAI,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAChF,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE,CAAC;oBACtC,MAAM,CAAC,GAAG,CAAC,GAAI,WAA2B,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBACvD,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,GAAG,CAAC,GAAG,WAAW,CAAC;gBAC5B,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,mEAAmE;gBACnE,+DAA+D;gBAC/D,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;YACjD,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,gFAAgF;AAEhF;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CACvB,OAAiD;IAEjD,OAAO,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;AACvE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAC1B,OAAqD,EACrD,cAAuB,UAAU;IAEjC,OAAO,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;AAC9E,CAAC"}