@nexusrt/nexus-auth 1.0.0

package/dist/index.js

@@ -0,0 +1,613 @@
+(function (global, factory) {
+    typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
+    typeof define === 'function' && define.amd ? define(['exports'], factory) :
+    (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.AuthSDK = {}));
+})(this, (function (exports) { 'use strict';
+
+    /**
+     * Lightweight fetch wrapper used internally by the SDK.
+     * All requests automatically include credentials (cookies) for session support.
+     */
+    async function request(url, options = {}) {
+        const response = await fetch(url, {
+            ...options,
+            credentials: "include", // required for cookie-based sessions
+            headers: {
+                "Content-Type": "application/json",
+                ...options.headers,
+            },
+        });
+        const data = await response.json().catch(() => null);
+        if (!response.ok) {
+            const message = data?.message ??
+                `Request failed with status ${response.status}`;
+            throw new AuthError(message, response.status, data);
+        }
+        return data;
+    }
+    // ─────────────────────────────────────────────
+    //  Typed error class so callers can catch and inspect failures
+    // ─────────────────────────────────────────────
+    class AuthError extends Error {
+        constructor(message, status, body = null) {
+            super(message);
+            this.status = status;
+            this.body = body;
+            this.name = "AuthError";
+        }
+    }
+
+    /**
+     * Manages the in-memory access token and exposes token-based auth helpers.
+     *
+     * Storage strategy:
+     *   - Access tokens are kept in memory only (never localStorage) for security.
+     *   - Refresh tokens are stored in an HttpOnly cookie by the server.
+     */
+    class TokenManager {
+        constructor() {
+            this.accessToken = null;
+        }
+        // ── Getters / Setters ───────────────────────────────────────────────────
+        getAccessToken() {
+            return this.accessToken;
+        }
+        setAccessToken(token) {
+            this.accessToken = token;
+        }
+        clearAccessToken() {
+            this.accessToken = null;
+        }
+        // ── JWT helpers ─────────────────────────────────────────────────────────
+        /**
+         * Decodes the JWT payload without verifying the signature.
+         * Useful for reading user info (email, avatar) on the client side.
+         */
+        decodeToken(token) {
+            try {
+                const payload = token.split(".")[1];
+                return JSON.parse(atob(payload));
+            }
+            catch {
+                return null;
+            }
+        }
+        /**
+         * Reads user info directly from the stored access token.
+         * Returns null if no token is set or it cannot be decoded.
+         */
+        getUserFromToken() {
+            if (!this.accessToken)
+                return null;
+            const payload = this.decodeToken(this.accessToken);
+            if (!payload)
+                return null;
+            return {
+                email: payload.email,
+                avatar_url: payload.avatar_url,
+            };
+        }
+        // ── Refresh ─────────────────────────────────────────────────────────────
+        /**
+         * Attempts to get a new access token using the HttpOnly refresh-token cookie.
+         * Call this once on app startup to restore an existing session.
+         *
+         * @returns The decoded user info on success, or null if no refresh token exists.
+         */
+        async refresh(baseUrl) {
+            try {
+                const data = await request(`${baseUrl}/auth/refresh`, { method: "POST" });
+                this.setAccessToken(data.access_token);
+                return this.getUserFromToken();
+            }
+            catch {
+                // No refresh token cookie present — user is not logged in
+                return null;
+            }
+        }
+    }
+
+    /**
+     * Session-based auth helpers.
+     *
+     * When the developer chooses sessions over JWTs, the server sets an
+     * HttpOnly session cookie.  These methods let you read and verify
+     * that session without managing tokens yourself.
+     *
+     * Note: An access token is still returned by the server even in session
+     * mode, so you can use it to authenticate with downstream services if needed.
+     */
+    class SessionManager {
+        // ── Get Current User ────────────────────────────────────────────────────
+        /**
+         * Fetches the currently authenticated user from the server.
+         * Relies on the session cookie being present in the browser.
+         *
+         * Use this instead of decoding the JWT when you want the
+         * authoritative user object from your database.
+         */
+        async getUser(baseUrl) {
+            return request(`${baseUrl}/me`, { method: "GET" });
+        }
+        // ── Verify Session ──────────────────────────────────────────────────────
+        /**
+         * Verifies that a session is still valid for a given email address.
+         * Useful for server-side checks or sensitive operations.
+         */
+        async verifySession(baseUrl, email) {
+            await request(`${baseUrl}/auth/verify_session`, {
+                method: "POST",
+                body: JSON.stringify({ email }),
+            });
+        }
+    }
+
+    // ─────────────────────────────────────────────
+    //  Core User & Session Types
+    // ─────────────────────────────────────────────
+    // ─────────────────────────────────────────────
+    //  MFA / Sign-In Status Codes
+    //  Export these so developers can do comparisons
+    // ─────────────────────────────────────────────
+    const SignInStatus = {
+        /** Standard email+password sign-in succeeded — no MFA required */
+        SUCCESS: "SUCCESS",
+        /** Server requires the user to complete an Email MFA challenge */
+        MFA_REQUIRED: "MFA_REQUIRED",
+        /** Server requires the user to complete a TOTP challenge */
+        TOTP_REQUIRED: "TOTP_REQUIRED",
+        /** Server sent a magic link/code to the user's email */
+        MAGIC_LINK: "MAGIC_LINK",
+        /** Server sent a password-reset code to the user's email */
+        RESET_PASSWORD: "RESET_PASSWORD",
+    };
+
+    /**
+     * Email + Password authentication methods.
+     *
+     * Sign-in has three possible outcomes depending on what the user has enabled:
+     *
+     *   1. Plain sign-in     → status is undefined / SUCCESS  (no MFA)
+     *   2. Email MFA         → status === SignInStatus.MFA_REQUIRED
+     *   3. TOTP              → status === SignInStatus.TOTP_REQUIRED
+     *
+     * In cases 2 & 3 the response includes a `mfa` session ID that you must
+     * pass to the corresponding verify method.
+     *
+     * Import `SignInStatus` to compare against the status value:
+     *   import { SignInStatus } from "jobtrk-auth-sdk";
+     */
+    class EmailPasswordAuth {
+        // ── Sign Up ─────────────────────────────────────────────────────────────
+        /**
+         * Creates a new account with an email address and password.
+         */
+        async signUp(baseUrl, credentials) {
+            return request(`${baseUrl}/auth/email_password/signup`, {
+                method: "POST",
+                body: JSON.stringify({
+                    email: credentials.email,
+                    password: credentials.password,
+                    userName: credentials.userName,
+                    firstName: credentials.firstName,
+                    lastName: credentials.lastName,
+                }),
+            });
+        }
+        // ── Sign In ─────────────────────────────────────────────────────────────
+        /**
+         * Signs in with email + password.
+         *
+         * Check `response.status` to determine the next step:
+         *
+         * ```ts
+         * const result = await auth.email.signIn({ email, password });
+         *
+         * if (result.status === SignInStatus.MFA_REQUIRED) {
+         *   // prompt for email OTP, then call auth.email.verifyMfa()
+         * } else if (result.status === SignInStatus.TOTP_REQUIRED) {
+         *   // prompt for TOTP code, then call auth.totp.verifySignIn()
+         * } else {
+         *   // user is signed in — store result.access_token if using JWT mode
+         * }
+         * ```
+         */
+        async signIn(baseUrl, credentials) {
+            return request(`${baseUrl}/auth/email_password/signin`, {
+                method: "POST",
+                body: JSON.stringify({
+                    email: credentials.email,
+                    password: credentials.password,
+                }),
+            });
+        }
+        // ── Email MFA verify ────────────────────────────────────────────────────
+        /**
+         * Confirms the one-time code sent to the user's email after a sign-in
+         * that returned `status === SignInStatus.MFA_REQUIRED`.
+         */
+        async verifyMfa(baseUrl, input) {
+            return request(`${baseUrl}/auth/email_mfa_signin`, {
+                method: "POST",
+                body: JSON.stringify({
+                    sessionid: input.sessionId,
+                    code: input.code,
+                }),
+            });
+        }
+        // ── Get username ────────────────────────────────────────────────────────
+        /**
+         * Looks up the username associated with an email address.
+         */
+        async getUsername(baseUrl, email) {
+            return request(`${baseUrl}/auth/getusername`, {
+                method: "POST",
+                body: JSON.stringify({ email }),
+            });
+        }
+    }
+
+    /**
+     * Email Magic Link authentication.
+     *
+     * Flow:
+     *   1. Call `send(email)` → server emails a one-time code to the user.
+     *   2. Response contains a `mfa` session ID.
+     *   3. User enters the code; call `verify({ sessionId, code })` to complete sign-in.
+     */
+    class MagicLinkAuth {
+        /**
+         * Sends a magic-link code to the provided email address.
+         *
+         * @returns A session ID (`mfa` field) that you must pass to `verify()`.
+         *
+         * ```ts
+         * const { mfa: sessionId } = await auth.magicLink.send(email);
+         * // store sessionId, prompt user for code
+         * ```
+         */
+        async send(baseUrl, email) {
+            return request(`${baseUrl}/auth/email_magic_link`, {
+                method: "POST",
+                body: JSON.stringify({ email }),
+            });
+        }
+        /**
+         * Verifies the code the user received and completes sign-in.
+         */
+        async verify(baseUrl, input) {
+            return request(`${baseUrl}/auth/verify_magic_link`, {
+                method: "POST",
+                body: JSON.stringify({
+                    sessionid: input.sessionId,
+                    code: input.code,
+                }),
+            });
+        }
+    }
+
+    /**
+     * TOTP (Time-based One-Time Password) MFA management.
+     *
+     * Setup flow:
+     *   1. Call `setup()` → server returns a QR code / TOTP secret.
+     *   2. User scans with their authenticator app.
+     *   3. Call `confirmSetup(code)` with the first code to activate TOTP.
+     *
+     * Sign-in flow (when signIn returns `status === SignInStatus.TOTP_REQUIRED`):
+     *   1. Prompt user for their TOTP code.
+     *   2. Call `verifySignIn({ sessionId: data.mfa, code })` to complete sign-in.
+     */
+    class TotpAuth {
+        /**
+         * Starts TOTP registration — returns the secret / QR code to display.
+         */
+        async setup(baseUrl) {
+            return request(`${baseUrl}/auth/mfa/totp/start`, { method: "POST" });
+        }
+        /**
+         * Confirms the TOTP setup by verifying the first code from the
+         * authenticator app.
+         */
+        async confirmSetup(baseUrl, code) {
+            return request(`${baseUrl}/auth/mfa/totp/confirm`, {
+                method: "POST",
+                body: JSON.stringify({ code }),
+            });
+        }
+        /**
+         * Completes a TOTP sign-in challenge.
+         * Use the `mfa` session ID returned by `emailPassword.signIn()` as `sessionId`.
+         */
+        async verifySignIn(baseUrl, input) {
+            return request(`${baseUrl}/auth/mfa/totp/signin`, {
+                method: "POST",
+                body: JSON.stringify({
+                    challenge_id: input.sessionId,
+                    code: input.code,
+                }),
+            });
+        }
+        /**
+         * Removes TOTP from the currently authenticated user's account.
+         */
+        async delete(baseUrl) {
+            await request(`${baseUrl}/auth/mfa/totp/delete`, { method: "POST" });
+        }
+    }
+
+    /**
+     * Password management methods.
+     *
+     * ── Reset password (authenticated user) ──────────────────────────────
+     *   The user knows their current password and wants to change it.
+     *   Call `reset({ oldPassword, newPassword })`.
+     *
+     * ── Forgot password (unauthenticated) ────────────────────────────────
+     *   1. Call `forgot(email)` → server emails a code and returns a session ID.
+     *   2. User enters the code from their email.
+     *   3. Call `confirmForgot({ sessionId, code, password })` to set the new password.
+     */
+    class PasswordAuth {
+        /**
+         * Changes the password for an already authenticated user.
+         */
+        async reset(baseUrl, input) {
+            return request(`${baseUrl}/auth/password/reset`, {
+                method: "POST",
+                body: JSON.stringify({
+                    oldPassword: input.oldPassword,
+                    newPassword: input.newPassword,
+                }),
+            });
+        }
+        /**
+         * Initiates the forgot-password flow by sending a reset code to the
+         * user's email address.
+         *
+         * @returns A session ID (`mfa` field) required by `confirmForgot()`.
+         *
+         * ```ts
+         * const { mfa: sessionId } = await auth.password.forgot(email);
+         * // prompt user for code
+         * ```
+         */
+        async forgot(baseUrl, email) {
+            return request(`${baseUrl}/auth/password/forgot`, {
+                method: "POST",
+                body: JSON.stringify({ email }),
+            });
+        }
+        /**
+         * Completes the forgot-password flow by verifying the emailed code
+         * and setting the new password.
+         */
+        async confirmForgot(baseUrl, input) {
+            return request(`${baseUrl}/auth/password/forgot/confirm`, {
+                method: "POST",
+                body: JSON.stringify({
+                    sessionID: input.sessionId,
+                    code: input.code,
+                    password: input.password,
+                }),
+            });
+        }
+    }
+
+    /**
+     * Multi-tenant SSO (Single Sign-On) methods.
+     *
+     * Two roles exist:
+     *
+     *   Organization Admin  → registers their company IDP via `registerProvider()`.
+     *   End User            → signs in through their company's IDP via `signIn()`.
+     *
+     * Sign-in flow:
+     *   1. Call `signIn(email)` → server resolves the org and returns a redirect URL.
+     *   2. Redirect the user to `auth_url` to complete sign-in with their IDP.
+     *
+     * ```ts
+     * const { auth_url } = await auth.sso.signIn(email);
+     * window.location.href = auth_url;
+     * ```
+     */
+    class SsoAuth {
+        /**
+         * Registers an organisation's Identity Provider (IDP) with the auth system.
+         * This is typically called once by an organisation admin during onboarding.
+         */
+        async registerProvider(baseUrl, input) {
+            return request(`${baseUrl}/sso/providers/register`, {
+                method: "POST",
+                body: JSON.stringify({
+                    provider_name: input.providerName,
+                    provider_end_email: input.providerEndEmail,
+                    client_id: input.clientId,
+                    client_secret: input.clientSecret,
+                    issuer: input.issuer,
+                    callback_url: input.callbackUrl,
+                }),
+            });
+        }
+        /**
+         * Starts the SSO sign-in flow for an end user.
+         *
+         * The server resolves the correct IDP from the user's email domain
+         * and returns a redirect URL.  Redirect the user to that URL to
+         * complete sign-in with their organisation's IDP.
+         */
+        async signIn(baseUrl, email) {
+            return request(`${baseUrl}/sso/start`, {
+                method: "POST",
+                body: JSON.stringify({ email }),
+            });
+        }
+    }
+
+    /**
+     * Email MFA management.
+     *
+     * These methods manage whether a user has Email MFA enabled on their account.
+     * They are separate from the sign-in verify step (see EmailPasswordAuth.verifyMfa).
+     */
+    class EmailMfaManager {
+        /**
+         * Enables Email MFA for the currently authenticated user.
+         * Once enabled, future sign-ins will require a one-time code sent to email.
+         */
+        async create(baseUrl) {
+            await request(`${baseUrl}/auth/mfa/email/create`, { method: "POST" });
+        }
+        /**
+         * Disables Email MFA for the currently authenticated user.
+         */
+        async delete(baseUrl) {
+            await request(`${baseUrl}/auth/mfa/email/delete`, { method: "POST" });
+        }
+    }
+
+    /**
+     * Social / OAuth provider sign-in methods.
+     *
+     * Each method redirects the browser to the provider's OAuth flow.
+     * After successful authentication the server will redirect back to
+     * your application with a session cookie (or access token, depending
+     * on your server configuration).
+     *
+     * These are simple redirects — no async call is needed.
+     */
+    class SocialAuth {
+        constructor(baseUrl) {
+            this.baseUrl = baseUrl;
+        }
+        /** Redirects to Google OAuth sign-in. */
+        signInWithGoogle() {
+            window.location.href = `${this.baseUrl}/auth/google`;
+        }
+        /** Redirects to GitHub OAuth sign-in. */
+        signInWithGithub() {
+            window.location.href = `${this.baseUrl}/auth/github`;
+        }
+        /** Redirects to LinkedIn OAuth sign-in. */
+        signInWithLinkedIn() {
+            window.location.href = `${this.baseUrl}/auth/linkedin`;
+        }
+        /** Redirects to Okta OAuth sign-in. */
+        signInWithOkta() {
+            window.location.href = `${this.baseUrl}/auth/okta`;
+        }
+    }
+
+    /**
+     * AuthClient
+     *
+     * The single entry point for the JobTrk auth SDK.
+     * Framework-agnostic — works in React, Vue, Svelte, vanilla JS, etc.
+     *
+     * ── Quick start ──────────────────────────────────────────────────────
+     *
+     * ```ts
+     * import { AuthClient, SignInStatus } from "jobtrk-auth-sdk";
+     *
+     * const auth = new AuthClient({ baseUrl: "https://auth.yourapp.com" });
+     *
+     * // Restore session on app startup
+     * const user = await auth.token.refresh();
+     *
+     * // Social sign-in
+     * auth.social.signInWithGoogle();
+     *
+     * // Email + password sign-in (with MFA branching)
+     * const result = await auth.email.signIn({ email, password });
+     * if (result.status === SignInStatus.MFA_REQUIRED) { ... }
+     * if (result.status === SignInStatus.TOTP_REQUIRED) { ... }
+     *
+     * // Magic link
+     * const { mfa: sessionId } = await auth.magicLink.send(email);
+     * await auth.magicLink.verify({ sessionId, code });
+     *
+     * // SSO
+     * const { auth_url } = await auth.sso.signIn(email);
+     * window.location.href = auth_url;
+     * ```
+     */
+    class AuthClient {
+        constructor(config = {}) {
+            this.baseUrl = config.baseUrl ?? "https://auth.jobtrk.com";
+            this.token = new TokenManager();
+            this.session = new SessionManager();
+            this.social = new SocialAuth(this.baseUrl);
+            this.email = new EmailPasswordAuth();
+            this.magicLink = new MagicLinkAuth();
+            this.totp = new TotpAuth();
+            this.emailMfa = new EmailMfaManager();
+            this.password = new PasswordAuth();
+            this.sso = new SsoAuth();
+        }
+        // ── Logout helpers ───────────────────────────────────────────────────────
+        /**
+         * Signs the user out of the current session/device.
+         * Clears the in-memory access token after a successful server response.
+         */
+        async logout() {
+            await request(`${this.baseUrl}/auth/logout`, { method: "POST" });
+            this.token.clearAccessToken();
+        }
+        /**
+         * Signs the user out of ALL active sessions / devices.
+         * Clears the in-memory access token after a successful server response.
+         */
+        async logoutAllSessions() {
+            await request(`${this.baseUrl}/auth/logoutsessions`, { method: "POST" });
+            this.token.clearAccessToken();
+        }
+    }
+    function bindBaseUrl(module, baseUrl) {
+        return new Proxy(module, {
+            get(target, prop) {
+                const value = target[prop];
+                if (typeof value === "function") {
+                    return (...args) => value.call(target, baseUrl, ...args);
+                }
+                return value;
+            },
+        });
+    }
+    /**
+     * Creates an `AuthClient` where all sub-module methods have the `baseUrl`
+     * argument pre-bound.  This is the recommended way to instantiate the SDK.
+     *
+     * ```ts
+     * const auth = createAuthClient({ baseUrl: "https://auth.yourapp.com" });
+     *
+     * // No need to pass baseUrl to individual methods:
+     * await auth.email.signIn({ email, password });
+     * await auth.token.refresh();
+     * ```
+     */
+    function createAuthClient(config = {}) {
+        const baseUrl = config.baseUrl ?? "";
+        const client = new AuthClient(config);
+        return {
+            ...client,
+            token: bindBaseUrl(client.token, baseUrl),
+            session: bindBaseUrl(client.session, baseUrl),
+            email: bindBaseUrl(client.email, baseUrl),
+            magicLink: bindBaseUrl(client.magicLink, baseUrl),
+            totp: bindBaseUrl(client.totp, baseUrl),
+            emailMfa: bindBaseUrl(client.emailMfa, baseUrl),
+            password: bindBaseUrl(client.password, baseUrl),
+            sso: bindBaseUrl(client.sso, baseUrl),
+            social: client.social, // already has baseUrl from constructor
+            logout: () => client.logout(),
+            logoutAllSessions: () => client.logoutAllSessions(),
+        };
+    }
+
+    exports.AuthClient = AuthClient;
+    exports.AuthError = AuthError;
+    exports.SignInStatus = SignInStatus;
+    exports.createAuthClient = createAuthClient;
+
+}));
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sources":["../src/http.ts","../src/methods/token.ts","../src/methods/session.ts","../src/types/index.ts","../src/methods/emailPassword.ts","../src/methods/magicLink.ts","../src/methods/totp.ts","../src/methods/password.ts","../src/methods/sso.ts","../src/methods/emailMfa.ts","../src/providers/social.ts","../src/client.ts"],"sourcesContent":[null,null,null,null,null,null,null,null,null,null,null,null],"names":[],"mappings":";;;;;;IAAA;;;IAGG;IACI,eAAe,OAAO,CAC3B,GAAW,EACX,UAAuB,EAAE,EAAA;IAEzB,IAAA,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;IAChC,QAAA,GAAG,OAAO;YACV,WAAW,EAAE,SAAS;IACtB,QAAA,OAAO,EAAE;IACP,YAAA,cAAc,EAAE,kBAAkB;gBAClC,GAAG,OAAO,CAAC,OAAO;IACnB,SAAA;IACF,KAAA,CAAC;IAEF,IAAA,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC;IAEpD,IAAA,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;IAChB,QAAA,MAAM,OAAO,GACV,IAA6B,EAAE,OAAO;IACvC,YAAA,CAAA,2BAAA,EAA8B,QAAQ,CAAC,MAAM,CAAA,CAAE;YACjD,MAAM,IAAI,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE,IAAI,CAAC;QACrD;IAEA,IAAA,OAAO,IAAS;IAClB;IAEA;IACA;IACA;IAEM,MAAO,SAAU,SAAQ,KAAK,CAAA;IAClC,IAAA,WAAA,CACE,OAAe,EACC,MAAc,EACd,OAAgB,IAAI,EAAA;YAEpC,KAAK,CAAC,OAAO,CAAC;YAHE,IAAA,CAAA,MAAM,GAAN,MAAM;YACN,IAAA,CAAA,IAAI,GAAJ,IAAI;IAGpB,QAAA,IAAI,CAAC,IAAI,GAAG,WAAW;QACzB;IACD;;ICnCD;;;;;;IAMG;UACU,YAAY,CAAA;IAAzB,IAAA,WAAA,GAAA;YACU,IAAA,CAAA,WAAW,GAAkB,IAAI;QAqE3C;;QAjEE,cAAc,GAAA;YACZ,OAAO,IAAI,CAAC,WAAW;QACzB;IAEA,IAAA,cAAc,CAAC,KAAa,EAAA;IAC1B,QAAA,IAAI,CAAC,WAAW,GAAG,KAAK;QAC1B;QAEA,gBAAgB,GAAA;IACd,QAAA,IAAI,CAAC,WAAW,GAAG,IAAI;QACzB;;IAIA;;;IAGG;IACH,IAAA,WAAW,CAAC,KAAa,EAAA;IACvB,QAAA,IAAI;gBACF,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBACnC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAe;YAChD;IAAE,QAAA,MAAM;IACN,YAAA,OAAO,IAAI;YACb;QACF;IAEA;;;IAGG;QACH,gBAAgB,GAAA;YACd,IAAI,CAAC,IAAI,CAAC,WAAW;IAAE,YAAA,OAAO,IAAI;YAClC,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC;IAClD,QAAA,IAAI,CAAC,OAAO;IAAE,YAAA,OAAO,IAAI;YACzB,OAAO;gBACL,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,UAAU,EAAE,OAAO,CAAC,UAAU;aAC/B;QACH;;IAIA;;;;;IAKG;QACH,MAAM,OAAO,CACX,OAAe,EAAA;IAEf,QAAA,IAAI;IACF,YAAA,MAAM,IAAI,GAAG,MAAM,OAAO,CACxB,CAAA,EAAG,OAAO,CAAA,aAAA,CAAe,EACzB,EAAE,MAAM,EAAE,MAAM,EAAE,CACnB;IAED,YAAA,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC;IACtC,YAAA,OAAO,IAAI,CAAC,gBAAgB,EAAE;YAChC;IAAE,QAAA,MAAM;;IAEN,YAAA,OAAO,IAAI;YACb;QACF;IACD;;ICjFD;;;;;;;;;IASG;UACU,cAAc,CAAA;;IAGzB;;;;;;IAMG;QACH,MAAM,OAAO,CAAC,OAAe,EAAA;IAC3B,QAAA,OAAO,OAAO,CAAW,CAAA,EAAG,OAAO,CAAA,GAAA,CAAK,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC9D;;IAIA;;;IAGG;IACH,IAAA,MAAM,aAAa,CAAC,OAAe,EAAE,KAAa,EAAA;IAChD,QAAA,MAAM,OAAO,CAAC,CAAA,EAAG,OAAO,sBAAsB,EAAE;IAC9C,YAAA,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;IAChC,SAAA,CAAC;QACJ;IACD;;ICvCD;IACA;IACA;IAsDA;IACA;IACA;IACA;AAEO,UAAM,YAAY,GAAG;;IAE1B,IAAA,OAAO,EAAE,SAAS;;IAGlB,IAAA,YAAY,EAAE,cAAc;;IAG5B,IAAA,aAAa,EAAE,eAAe;;IAG9B,IAAA,UAAU,EAAE,YAAY;;IAGxB,IAAA,cAAc,EAAE,gBAAgB;;;IClElC;;;;;;;;;;;;;;IAcG;UACU,iBAAiB,CAAA;;IAG5B;;IAEG;IACH,IAAA,MAAM,MAAM,CACV,OAAe,EACf,WAAqC,EAAA;IAErC,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,6BAA6B,EACvC;IACE,YAAA,MAAM,EAAE,MAAM;IACd,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,KAAK,EAAE,WAAW,CAAC,KAAK;oBACxB,QAAQ,EAAE,WAAW,CAAC,QAAQ;oBAC9B,QAAQ,EAAE,WAAW,CAAC,QAAQ;oBAC9B,SAAS,EAAE,WAAW,CAAC,SAAS;oBAChC,QAAQ,EAAE,WAAW,CAAC,QAAQ;iBAC/B,CAAC;IACH,SAAA,CACF;QACH;;IAIA;;;;;;;;;;;;;;;;IAgBG;IACH,IAAA,MAAM,MAAM,CACV,OAAe,EACf,WAAqC,EAAA;IAErC,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,6BAA6B,EACvC;IACE,YAAA,MAAM,EAAE,MAAM;IACd,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,KAAK,EAAE,WAAW,CAAC,KAAK;oBACxB,QAAQ,EAAE,WAAW,CAAC,QAAQ;iBAC/B,CAAC;IACH,SAAA,CACF;QACH;;IAIA;;;IAGG;IACH,IAAA,MAAM,SAAS,CACb,OAAe,EACf,KAAqB,EAAA;IAErB,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,wBAAwB,EAClC;IACE,YAAA,MAAM,EAAE,MAAM;IACd,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,SAAS,EAAE,KAAK,CAAC,SAAS;oBAC1B,IAAI,EAAE,KAAK,CAAC,IAAI;iBACjB,CAAC;IACH,SAAA,CACF;QACH;;IAIA;;IAEG;IACH,IAAA,MAAM,WAAW,CACf,OAAe,EACf,KAAa,EAAA;IAEb,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,mBAAmB,EAC7B;IACE,YAAA,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;IAChC,SAAA,CACF;QACH;IACD;;ICpHD;;;;;;;IAOG;UACU,aAAa,CAAA;IACxB;;;;;;;;;IASG;IACH,IAAA,MAAM,IAAI,CAAC,OAAe,EAAE,KAAa,EAAA;IACvC,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,wBAAwB,EAClC;IACE,YAAA,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;IAChC,SAAA,CACF;QACH;IAEA;;IAEG;IACH,IAAA,MAAM,MAAM,CACV,OAAe,EACf,KAAqB,EAAA;IAErB,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,yBAAyB,EACnC;IACE,YAAA,MAAM,EAAE,MAAM;IACd,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,SAAS,EAAE,KAAK,CAAC,SAAS;oBAC1B,IAAI,EAAE,KAAK,CAAC,IAAI;iBACjB,CAAC;IACH,SAAA,CACF;QACH;IACD;;IC/CD;;;;;;;;;;;IAWG;UACU,QAAQ,CAAA;IACnB;;IAEG;QACH,MAAM,KAAK,CAAC,OAAe,EAAA;IACzB,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,CAAA,oBAAA,CAAsB,EAChC,EAAE,MAAM,EAAE,MAAM,EAAE,CACnB;QACH;IAEA;;;IAGG;IACH,IAAA,MAAM,YAAY,CAChB,OAAe,EACf,IAAY,EAAA;IAEZ,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,wBAAwB,EAClC;IACE,YAAA,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;IAC/B,SAAA,CACF;QACH;IAEA;;;IAGG;IACH,IAAA,MAAM,YAAY,CAChB,OAAe,EACf,KAAqB,EAAA;IAErB,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,uBAAuB,EACjC;IACE,YAAA,MAAM,EAAE,MAAM;IACd,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,YAAY,EAAE,KAAK,CAAC,SAAS;oBAC7B,IAAI,EAAE,KAAK,CAAC,IAAI;iBACjB,CAAC;IACH,SAAA,CACF;QACH;IAEA;;IAEG;QACH,MAAM,MAAM,CAAC,OAAe,EAAA;IAC1B,QAAA,MAAM,OAAO,CAAC,CAAA,EAAG,OAAO,CAAA,qBAAA,CAAuB,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACtE;IACD;;ICjED;;;;;;;;;;;IAWG;UACU,YAAY,CAAA;IACvB;;IAEG;IACH,IAAA,MAAM,KAAK,CACT,OAAe,EACf,KAAyB,EAAA;IAEzB,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,sBAAsB,EAChC;IACE,YAAA,MAAM,EAAE,MAAM;IACd,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,WAAW,EAAE,KAAK,CAAC,WAAW;oBAC9B,WAAW,EAAE,KAAK,CAAC,WAAW;iBAC/B,CAAC;IACH,SAAA,CACF;QACH;IAEA;;;;;;;;;;IAUG;IACH,IAAA,MAAM,MAAM,CACV,OAAe,EACf,KAAa,EAAA;IAEb,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,uBAAuB,EACjC;IACE,YAAA,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;IAChC,SAAA,CACF;QACH;IAEA;;;IAGG;IACH,IAAA,MAAM,aAAa,CACjB,OAAe,EACf,KAAiC,EAAA;IAEjC,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,+BAA+B,EACzC;IACE,YAAA,MAAM,EAAE,MAAM;IACd,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,SAAS,EAAE,KAAK,CAAC,SAAS;oBAC1B,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;iBACzB,CAAC;IACH,SAAA,CACF;QACH;IACD;;IC7ED;;;;;;;;;;;;;;;;IAgBG;UACU,OAAO,CAAA;IAClB;;;IAGG;IACH,IAAA,MAAM,gBAAgB,CACpB,OAAe,EACf,KAAuB,EAAA;IAEvB,QAAA,OAAO,OAAO,CACZ,CAAA,EAAG,OAAO,yBAAyB,EACnC;IACE,YAAA,MAAM,EAAE,MAAM;IACd,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,aAAa,EAAE,KAAK,CAAC,YAAY;oBACjC,kBAAkB,EAAE,KAAK,CAAC,gBAAgB;oBAC1C,SAAS,EAAE,KAAK,CAAC,QAAQ;oBACzB,aAAa,EAAE,KAAK,CAAC,YAAY;oBACjC,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,YAAY,EAAE,KAAK,CAAC,WAAW;iBAChC,CAAC;IACH,SAAA,CACF;QACH;IAEA;;;;;;IAMG;IACH,IAAA,MAAM,MAAM,CAAC,OAAe,EAAE,KAAa,EAAA;IACzC,QAAA,OAAO,OAAO,CAAmB,CAAA,EAAG,OAAO,YAAY,EAAE;IACvD,YAAA,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;IAChC,SAAA,CAAC;QACJ;IACD;;IC5DD;;;;;IAKG;UACU,eAAe,CAAA;IAC1B;;;IAGG;QACH,MAAM,MAAM,CAAC,OAAe,EAAA;IAC1B,QAAA,MAAM,OAAO,CAAC,CAAA,EAAG,OAAO,CAAA,sBAAA,CAAwB,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACvE;IAEA;;IAEG;QACH,MAAM,MAAM,CAAC,OAAe,EAAA;IAC1B,QAAA,MAAM,OAAO,CAAC,CAAA,EAAG,OAAO,CAAA,sBAAA,CAAwB,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACvE;IACD;;ICvBD;;;;;;;;;IASG;UACU,UAAU,CAAA;IACrB,IAAA,WAAA,CAA6B,OAAe,EAAA;YAAf,IAAA,CAAA,OAAO,GAAP,OAAO;QAAW;;QAG/C,gBAAgB,GAAA;YACd,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAA,YAAA,CAAc;QACtD;;QAGA,gBAAgB,GAAA;YACd,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAA,YAAA,CAAc;QACtD;;QAGA,kBAAkB,GAAA;YAChB,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAA,cAAA,CAAgB;QACxD;;QAGA,cAAc,GAAA;YACZ,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAA,UAAA,CAAY;QACpD;IACD;;ICpBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAgCG;UACU,UAAU,CAAA;IAgCrB,IAAA,WAAA,CAAY,SAA2B,EAAE,EAAA;YACvC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,yBAAyB;IAE1D,QAAA,IAAI,CAAC,KAAK,GAAG,IAAI,YAAY,EAAE;IAC/B,QAAA,IAAI,CAAC,OAAO,GAAG,IAAI,cAAc,EAAE;YACnC,IAAI,CAAC,MAAM,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;IAC1C,QAAA,IAAI,CAAC,KAAK,GAAG,IAAI,iBAAiB,EAAE;IACpC,QAAA,IAAI,CAAC,SAAS,GAAG,IAAI,aAAa,EAAE;IACpC,QAAA,IAAI,CAAC,IAAI,GAAG,IAAI,QAAQ,EAAE;IAC1B,QAAA,IAAI,CAAC,QAAQ,GAAG,IAAI,eAAe,EAAE;IACrC,QAAA,IAAI,CAAC,QAAQ,GAAG,IAAI,YAAY,EAAE;IAClC,QAAA,IAAI,CAAC,GAAG,GAAG,IAAI,OAAO,EAAE;QAC1B;;IAIA;;;IAGG;IACH,IAAA,MAAM,MAAM,GAAA;IACV,QAAA,MAAM,OAAO,CAAC,CAAA,EAAG,IAAI,CAAC,OAAO,CAAA,YAAA,CAAc,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IAChE,QAAA,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE;QAC/B;IAEA;;;IAGG;IACH,IAAA,MAAM,iBAAiB,GAAA;IACrB,QAAA,MAAM,OAAO,CAAC,CAAA,EAAG,IAAI,CAAC,OAAO,CAAA,oBAAA,CAAsB,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IACxE,QAAA,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE;QAC/B;IAUD;IAiBD,SAAS,WAAW,CAClB,MAAS,EACT,OAAe,EAAA;IAEf,IAAA,OAAO,IAAI,KAAK,CAAC,MAAM,EAAE;YACvB,GAAG,CAAC,MAAM,EAAE,IAAI,EAAA;IACd,YAAA,MAAM,KAAK,GAAI,MAA2C,CACxD,IAAuB,CACxB;IACD,YAAA,IAAI,OAAO,KAAK,KAAK,UAAU,EAAE;IAC/B,gBAAA,OAAO,CAAC,GAAG,IAAe,KACvB,KAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;gBACtD;IACA,YAAA,OAAO,KAAK;YACd,CAAC;IACF,KAAA,CAAmB;IACtB;IAEA;;;;;;;;;;;IAWG;IACG,SAAU,gBAAgB,CAAC,MAAA,GAA2B,EAAE,EAAA;IAC5D,IAAA,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,EAAE;IACpC,IAAA,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC;QAErC,OAAO;IACL,QAAA,GAAG,MAAM;YACT,KAAK,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC;YACzC,OAAO,EAAE,WAAW,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC;YAC7C,KAAK,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC;YACzC,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC;YACjD,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC;YACvC,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC;YAC/C,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC;YAC/C,GAAG,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC;IACrC,QAAA,MAAM,EAAE,MAAM,CAAC,MAAM;IACrB,QAAA,MAAM,EAAE,MAAM,MAAM,CAAC,MAAM,EAAE;IAC7B,QAAA,iBAAiB,EAAE,MAAM,MAAM,CAAC,iBAAiB,EAAE;SACpD;IACH;;;;;;;;;;;"}