@nexusts/crypto 0.7.0 → 0.7.1

package/README.md

@@ -15,7 +15,7 @@ This module is part of the NexusTS monorepo. Each module is published as its own
 Most apps start with just the core:
 
 ```bash
-bun add @nexusts/core reflect-metadata zod hono
+bun add @nexusts/core
 ```
 
 Then add this module only if you need it:
@@ -26,7 +26,7 @@ bun add @nexusts/crypto
 
 ## Peer dependencies
 
-None. This module is fully self-contained.
+**None.** No external dependencies. Uses Node's built-in `crypto` module.
 
 ## Usage
 

package/dist/encryption.d.ts

@@ -0,0 +1,70 @@
+/**
+ * `EncryptionService` — AES-256-GCM symmetric encryption + HMAC
+ * sign/unsign helpers.
+ *
+ * Use cases:
+ * - **Encrypt** sensitive data before storing it (e.g. session
+ *   blobs in cookies or DB).
+ * - **Sign** stateless values that need to be tamper-proof (e.g.
+ *   session IDs, CSRF tokens, password-reset links, signed URLs).
+ *
+ * The service derives two 32-byte keys from the user's master
+ * `key` config: one for AES-GCM, one for HMAC. The keys are
+ * distinct (HKDF-SHA256 with a per-purpose salt) so a leak of one
+ * doesn't compromise the other.
+ *
+ * Encrypted format (v1):
+ *   `v1.<base64url(iv)>.<base64url(tag)>.<base64url(ciphertext)>`
+ *   where `iv` is 12 bytes and `tag` is 16 bytes (GCM auth tag).
+ *
+ * Signed format:
+ *   `<base64url(value)>.<base64url(hmac)>`
+ */
+import type { EncryptedValue, EncryptOptions, SignedValue } from "./types.js";
+export declare class EncryptionService {
+    private readonly aesKey;
+    private readonly hmacKey;
+    constructor(masterKey: string);
+    /**
+     * Encrypt a string. The output is self-describing and includes
+     * the IV, auth tag, expiry, and purpose (if any) in the MAC.
+     *
+     * Format: `v1.<iv>.<tag>.<ciphertext>.<mac>`
+     */
+    encrypt(value: string, options?: EncryptOptions): EncryptedValue;
+    /**
+     * Decrypt a value previously produced by `encrypt()`. Throws
+     * if the value is malformed, the MAC doesn't match, the
+     * purpose doesn't match, or the expiry has passed.
+     */
+    decrypt<T = string>(payload: string): T;
+    /** True if the string was produced by `encrypt()`. */
+    isEncrypted(value: string): boolean;
+    /**
+     * Sign a string with the framework's HMAC key. The output is
+     * `<base64url(value)>.<base64url(hmac)>`.
+     *
+     * Useful for stateless session cookies, CSRF tokens, etc.
+     */
+    sign(value: string, purpose?: string): SignedValue;
+    /**
+     * Sign a pre-encoded value (no extra b64-encoding). The output
+     * is just the base64url MAC. Useful for cookie / token formats
+     * where the value is already b64-encoded.
+     *
+     * The caller is responsible for joining the value and signature.
+     */
+    signRaw(value: string, purpose?: string): string;
+    /**
+     * Verify a raw signature (from `signRaw`) against a pre-encoded
+     * value. Returns `true` on match, `false` otherwise.
+     */
+    verifyRaw(value: string, signature: string, purpose?: string): boolean;
+    /**
+     * Verify and extract a previously signed value. Returns the
+     * original value on success, `null` on failure (malformed,
+     * wrong purpose, MAC mismatch).
+     */
+    unsign(signed: string, purpose?: string): string | null;
+    private macOver;
+}

package/dist/hash.d.ts

@@ -0,0 +1,74 @@
+/**
+ * `HashService` — secure password hashing.
+ *
+ * Algorithms:
+ * - `scrypt` (default) — built into Node, no extra deps. Memory-
+ *   hard and CPU-hard. Recommended for new apps.
+ * - `argon2` (optional) — the @node-rs/argon2 package is the
+ *   reference implementation. Install it as a peer dep:
+ *
+ *     bun add @node-rs/argon2
+ *
+ *   When installed, the service auto-detects it.
+ *
+ * Output format (scrypt): a base64 string with the cost parameters
+ * encoded: `$scrypt$N=16384,r=8,p=1$<saltB64>$<hashB64>`.
+ * This is similar to the well-known `passlib` / PHC format and
+ * lets us verify hashes that were generated with different
+ * parameters.
+ */
+import type { HashConfig, HashOptions, HashedPassword } from "./types.js";
+export declare class HashService {
+    readonly algorithm: "scrypt" | "argon2";
+    private readonly scryptCost;
+    private readonly scryptBlockSize;
+    private readonly scryptParallelization;
+    private readonly scryptKeyLength;
+    private readonly argon2MemoryCost;
+    private readonly argon2TimeCost;
+    private readonly argon2Parallelism;
+    constructor(config?: HashConfig);
+    /**
+     * Hash a password. Returns a self-describing string that
+     * includes the algorithm and cost parameters.
+     */
+    hash(password: string, options?: HashOptions): Promise<HashedPassword>;
+    /**
+     * Verify a password against a previously generated hash.
+     * Returns `true` on match, `false` otherwise.
+     */
+    verify(hashed: HashedPassword, password: string): Promise<boolean>;
+    /**
+     * True if a hash was generated with parameters that are below
+     * the current security floor. The caller should re-hash and
+     * update the stored value.
+     */
+    needsRehash(hashed: HashedPassword): boolean;
+    private hashScrypt;
+    private verifyScrypt;
+    private hashArgon2;
+    private verifyArgon2;
+}
+/**
+ * Standalone `hash` function — uses scrypt by default, argon2 if
+ * `@node-rs/argon2` is installed.
+ *
+ * @param password - The plaintext password to hash.
+ * @param options - Optional overrides for algorithm + cost params.
+ * @returns The encoded hash string (PHC-style).
+ */
+export declare function hash(password: string, options?: HashOptions): Promise<string>;
+/**
+ * Standalone `verify` function — verifies a plaintext password
+ * against a previously encoded hash.
+ */
+export declare function verify(hashed: HashedPassword, password: string): Promise<boolean>;
+/**
+ * Convenience: scrypt-specific hash. Useful when you want to
+ * guarantee the algorithm regardless of installed peer deps.
+ */
+export declare function scryptHash(password: string): Promise<string>;
+/**
+ * Convenience: scrypt-specific verify.
+ */
+export declare function scryptVerify(hashed: string, password: string): Promise<boolean>;

package/dist/index.d.ts

@@ -0,0 +1,57 @@
+/**
+ * `nexusjs/crypto` — encryption + password hashing.
+ *
+ * Public API:
+ * - `EncryptionService` — AES-256-GCM + HMAC sign/unsign.
+ * - `HashService`       — scrypt (default) or argon2 (optional).
+ * - `CryptoModule.forRoot({ key })` — wires both into the DI
+ *   container.
+ * - `hash()` / `verify()` — standalone helpers that wrap a
+ *   `HashService` instance. Useful outside the DI container
+ *   (CLI scripts, seeders, smoke tests).
+ * - `scryptHash()` / `scryptVerify()` — same, but locked to scrypt.
+ *
+ * Zero external dependencies. All primitives come from Node's
+ * built-in `crypto` module.
+ *
+ *   bun add nexus
+ *   # Optional (only if you use argon2):
+ *   bun add @node-rs/argon2
+ *
+ * Quick start:
+ *
+ *   import { Module } from "nexusjs";
+ *   import { CryptoModule, EncryptionService, HashService } from "nexusjs/crypto";
+ *
+ *   @Module({
+ *     imports: [CryptoModule.forRoot({ key: process.env.APP_KEY! })],
+ *   })
+ *   class AppModule {}
+ *
+ *   @Injectable()
+ *   class UserService {
+ *     constructor(
+ *       @Inject(EncryptionService.TOKEN) private enc: EncryptionService,
+ *       @Inject(HashService.TOKEN) private hash: HashService,
+ *     ) {}
+ *
+ *     async createUser(email: string, password: string) {
+ *       const passwordHash = await this.hash.hash(password);
+ *       const apiToken = this.enc.sign(email);
+ *       // ... store
+ *     }
+ *
+ *     async verifyPassword(plain: string, stored: string) {
+ *       return this.hash.verify(stored, plain);
+ *     }
+ *   }
+ *
+ *   // Or use the standalone helpers without DI:
+ *   import { scryptHash, scryptVerify } from "nexusjs/crypto";
+ *   const hash = await scryptHash("hunter2");
+ *   const ok = await scryptVerify(hash, "hunter2");
+ */
+export { EncryptionService } from "./encryption.js";
+export { HashService, hash, verify, scryptHash, scryptVerify } from "./hash.js";
+export { CryptoModule, ENCRYPTION_SERVICE_TOKEN, HASH_SERVICE_TOKEN } from "./module.js";
+export type { EncryptionConfig, EncryptOptions, HashConfig, HashOptions, HashAlgorithm, HmacConfig, EncryptedValue, SignedValue, HashedPassword, } from "./types.js";

package/dist/index.js

@@ -1,20 +1,4 @@
 // @bun
-var __create = Object.create;
-var __getProtoOf = Object.getPrototypeOf;
-var __defProp = Object.defineProperty;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __toESM = (mod, isNodeMode, target) => {
-  target = mod != null ? __create(__getProtoOf(mod)) : {};
-  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
-  for (let key of __getOwnPropNames(mod))
-    if (!__hasOwnProp.call(to, key))
-      __defProp(to, key, {
-        get: () => mod[key],
-        enumerable: true
-      });
-  return to;
-};
 var __legacyDecorateClassTS = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function")
@@ -383,8 +367,22 @@ async function loadArgon2() {
     throw new Error("argon2 is not installed. Install with: bun add @node-rs/argon2");
   }
 }
+async function hash(password, options = {}) {
+  const svc = new HashService;
+  return svc.hash(password, options);
+}
+async function verify(hashed, password) {
+  const svc = new HashService;
+  return svc.verify(hashed, password);
+}
+async function scryptHash(password) {
+  return hash(password, { algorithm: "scrypt" });
+}
+async function scryptVerify(hashed, password) {
+  return verify(hashed, password);
+}
 // packages/crypto/src/module.ts
-import { Module } from "@nexusts/core/decorators/module.js";
+import { Module } from "@nexusts/core";
 var ENCRYPTION_SERVICE_TOKEN = Symbol.for("nexus:EncryptionService");
 var HASH_SERVICE_TOKEN = Symbol.for("nexus:HashService");
 
@@ -446,6 +444,10 @@ CryptoModule = __legacyDecorateClassTS([
   })
 ], CryptoModule);
 export {
+  verify,
+  scryptVerify,
+  scryptHash,
+  hash,
   HashService,
   HASH_SERVICE_TOKEN,
   EncryptionService,
@@ -453,5 +455,5 @@ export {
   CryptoModule
 };
 
-//# debugId=68D8BB427FD50CFB64756E2164756E21
+//# debugId=4F353992A3BC692264756E2164756E21
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -3,10 +3,10 @@
   "sources": ["../src/encryption.ts", "../src/hash.ts", "../src/module.ts"],
   "sourcesContent": [
     "/**\n * `EncryptionService` — AES-256-GCM symmetric encryption + HMAC\n * sign/unsign helpers.\n *\n * Use cases:\n * - **Encrypt** sensitive data before storing it (e.g. session\n *   blobs in cookies or DB).\n * - **Sign** stateless values that need to be tamper-proof (e.g.\n *   session IDs, CSRF tokens, password-reset links, signed URLs).\n *\n * The service derives two 32-byte keys from the user's master\n * `key` config: one for AES-GCM, one for HMAC. The keys are\n * distinct (HKDF-SHA256 with a per-purpose salt) so a leak of one\n * doesn't compromise the other.\n *\n * Encrypted format (v1):\n *   `v1.<base64url(iv)>.<base64url(tag)>.<base64url(ciphertext)>`\n *   where `iv` is 12 bytes and `tag` is 16 bytes (GCM auth tag).\n *\n * Signed format:\n *   `<base64url(value)>.<base64url(hmac)>`\n */\n\nimport {\n\tcreateCipheriv,\n\tcreateDecipheriv,\n\tcreateHmac,\n\thkdfSync,\n\trandomBytes,\n\ttimingSafeEqual,\n} from \"node:crypto\";\nimport type { EncryptedValue, EncryptOptions, SignedValue } from \"./types.js\";\n\nconst VERSION = \"v1\";\nconst IV_BYTES = 12;\nconst TAG_BYTES = 16;\n\nexport class EncryptionService {\n\tprivate readonly aesKey: Buffer;\n\tprivate readonly hmacKey: Buffer;\n\n\tconstructor(masterKey: string) {\n\t\tconst derived = deriveKeys(masterKey);\n\t\tthis.aesKey = derived.aes;\n\t\tthis.hmacKey = derived.hmac;\n\t}\n\n\t/* ---------------- encrypt / decrypt ---------------- */\n\n\t/**\n\t * Encrypt a string. The output is self-describing and includes\n\t * the IV, auth tag, expiry, and purpose (if any) in the MAC.\n\t *\n\t * Format: `v1.<iv>.<tag>.<ciphertext>.<mac>`\n\t */\n\tencrypt(value: string, options: EncryptOptions = {}): EncryptedValue {\n\t\tconst iv = randomBytes(IV_BYTES);\n\t\tconst cipher = createCipheriv(\"aes-256-gcm\", this.aesKey, iv);\n\t\tconst plaintext = Buffer.from(value, \"utf8\");\n\t\tconst ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);\n\t\tconst tag = cipher.getAuthTag();\n\n\t\tconst expiry = encodeExpiry(options.expiresAt);\n\t\tconst purposeBuf = Buffer.from(options.purpose ?? \"\", \"utf8\");\n\t\tconst mac = this.macOver([VERSION, iv, tag, ciphertext, expiry, purposeBuf]);\n\n\t\treturn [\n\t\t\tVERSION,\n\t\t\tb64(iv),\n\t\t\tb64(tag),\n\t\t\tb64(ciphertext),\n\t\t\tb64(expiry),\n\t\t\tb64(purposeBuf),\n\t\t\tb64(mac),\n\t\t].join(\".\");\n\t}\n\n\t/**\n\t * Decrypt a value previously produced by `encrypt()`. Throws\n\t * if the value is malformed, the MAC doesn't match, the\n\t * purpose doesn't match, or the expiry has passed.\n\t */\n\tdecrypt<T = string>(payload: string): T {\n\t\tconst parsed = parseV1(payload);\n\t\tif (!parsed) throw new Error(\"Encrypted payload is malformed\");\n\n\t\t// Verify MAC over the canonical (VERSION, IV, tag, ct, expiry, purpose) tuple.\n\t\tconst expectedMac = this.macOver([\n\t\t\tVERSION,\n\t\t\tparsed.iv,\n\t\t\tparsed.tag,\n\t\t\tparsed.ciphertext,\n\t\t\tparsed.expiry,\n\t\t\tparsed.purpose,\n\t\t]);\n\t\tif (!constantTimeEqual(expectedMac, parsed.mac)) {\n\t\t\tthrow new Error(\"Encrypted payload failed integrity check\");\n\t\t}\n\n\t\t// Check expiry.\n\t\tif (parsed.expiry.length > 0) {\n\t\t\tconst expiryMs = parseExpiry(parsed.expiry.toString(\"utf8\"));\n\t\t\tif (expiryMs > 0 && Date.now() > expiryMs) {\n\t\t\t\tthrow new Error(\"Encrypted payload has expired\");\n\t\t\t}\n\t\t}\n\n\t\tconst decipher = createDecipheriv(\"aes-256-gcm\", this.aesKey, parsed.iv);\n\t\tdecipher.setAuthTag(parsed.tag);\n\t\tconst plaintext = Buffer.concat([\n\t\t\tdecipher.update(parsed.ciphertext),\n\t\t\tdecipher.final(),\n\t\t]);\n\t\treturn plaintext.toString(\"utf8\") as unknown as T;\n\t}\n\n\t/** True if the string was produced by `encrypt()`. */\n\tisEncrypted(value: string): boolean {\n\t\tif (typeof value !== \"string\") return false;\n\t\treturn value.startsWith(VERSION + \".\");\n\t}\n\n\t/* ---------------- HMAC sign / unsign ---------------- */\n\n\t/**\n\t * Sign a string with the framework's HMAC key. The output is\n\t * `<base64url(value)>.<base64url(hmac)>`.\n\t *\n\t * Useful for stateless session cookies, CSRF tokens, etc.\n\t */\n\tsign(value: string, purpose = \"\"): SignedValue {\n\t\tconst mac = createHmac(\"sha256\", this.hmacKey)\n\t\t\t.update(purpose)\n\t\t\t.update(\"|\")\n\t\t\t.update(value)\n\t\t\t.digest();\n\t\treturn `${b64(Buffer.from(value, \"utf8\"))}.${b64(mac)}`;\n\t}\n\n\t/**\n\t * Sign a pre-encoded value (no extra b64-encoding). The output\n\t * is just the base64url MAC. Useful for cookie / token formats\n\t * where the value is already b64-encoded.\n\t *\n\t * The caller is responsible for joining the value and signature.\n\t */\n\tsignRaw(value: string, purpose = \"\"): string {\n\t\tconst mac = createHmac(\"sha256\", this.hmacKey)\n\t\t\t.update(purpose)\n\t\t\t.update(\"|\")\n\t\t\t.update(value)\n\t\t\t.digest();\n\t\treturn b64(mac);\n\t}\n\n\t/**\n\t * Verify a raw signature (from `signRaw`) against a pre-encoded\n\t * value. Returns `true` on match, `false` otherwise.\n\t */\n\tverifyRaw(value: string, signature: string, purpose = \"\"): boolean {\n\t\tconst expected = createHmac(\"sha256\", this.hmacKey)\n\t\t\t.update(purpose)\n\t\t\t.update(\"|\")\n\t\t\t.update(value)\n\t\t\t.digest();\n\t\tconst given = fromB64(signature);\n\t\tif (!given) return false;\n\t\treturn constantTimeEqual(given, expected);\n\t}\n\n\t/**\n\t * Verify and extract a previously signed value. Returns the\n\t * original value on success, `null` on failure (malformed,\n\t * wrong purpose, MAC mismatch).\n\t */\n\tunsign(signed: string, purpose = \"\"): string | null {\n\t\tconst dot = signed.lastIndexOf(\".\");\n\t\tif (dot < 1 || dot === signed.length - 1) return null;\n\t\tconst valueB64 = signed.slice(0, dot);\n\t\tconst macB64 = signed.slice(dot + 1);\n\t\tconst value = fromB64(valueB64);\n\t\tconst mac = fromB64(macB64);\n\t\tif (!value || !mac) return null;\n\t\tconst expected = createHmac(\"sha256\", this.hmacKey)\n\t\t\t.update(purpose)\n\t\t\t.update(\"|\")\n\t\t\t.update(value)\n\t\t\t.digest();\n\t\tif (!constantTimeEqual(mac, expected)) return null;\n\t\treturn value.toString(\"utf8\");\n\t}\n\n\t/* ---------------- internals ---------------- */\n\n\tprivate macOver(parts: Array<Buffer | string>): Buffer {\n\t\tconst h = createHmac(\"sha256\", this.hmacKey);\n\t\tfor (const p of parts) {\n\t\t\th.update(\"|\");\n\t\t\th.update(p as Buffer);\n\t\t}\n\t\treturn h.digest();\n\t}\n}\n\n/* ------------------------------------------------------------------ *\n * Helpers\n * ------------------------------------------------------------------ */\n\nfunction b64(buf: Buffer): string {\n\treturn buf.toString(\"base64url\");\n}\n\nfunction fromB64(s: string): Buffer | null {\n\ttry {\n\t\treturn Buffer.from(s, \"base64url\");\n\t} catch {\n\t\treturn null;\n\t}\n}\n\nfunction constantTimeEqual(a: Buffer, b: Buffer): boolean {\n\tif (a.length !== b.length) return false;\n\treturn timingSafeEqual(a, b);\n}\n\nfunction encodeExpiry(expiresAt: number | string | Date | undefined): Buffer {\n\tif (expiresAt === undefined) return Buffer.alloc(0);\n\tlet ms: number;\n\tif (typeof expiresAt === \"number\") {\n\t\tms = expiresAt > 1e12 ? expiresAt : Date.now() + expiresAt * 1000;\n\t} else if (typeof expiresAt === \"string\") {\n\t\t// Numeric string = seconds from now\n\t\tconst asNum = Number(expiresAt);\n\t\tif (!isNaN(asNum) && asNum > 0) {\n\t\t\tms = asNum > 1e12 ? asNum : Date.now() + asNum * 1000;\n\t\t} else {\n\t\t\tms = Date.parse(expiresAt);\n\t\t}\n\t} else {\n\t\tms = expiresAt.getTime();\n\t}\n\tif (!isFinite(ms)) return Buffer.alloc(0);\n\treturn Buffer.from(String(ms), \"utf8\");\n}\n\nfunction parseExpiry(s: string): number {\n\tconst n = Number(s);\n\treturn isFinite(n) ? n : 0;\n}\n\ninterface ParsedV1 {\n\tiv: Buffer;\n\ttag: Buffer;\n\tciphertext: Buffer;\n\texpiry: Buffer;\n\tpurpose: Buffer;\n\tmac: Buffer;\n}\n\nfunction parseV1(s: string): ParsedV1 | null {\n\tif (typeof s !== \"string\" || !s.startsWith(VERSION + \".\")) return null;\n\tconst parts = s.split(\".\");\n\t// v1, iv, tag, ct, expiry, purpose, mac = 7 parts\n\tif (parts.length !== 7) return null;\n\tconst [, ivB64, tagB64, ctB64, expB64, purposeB64, macB64] = parts;\n\tconst iv = fromB64(ivB64);\n\tconst tag = fromB64(tagB64);\n\tconst ct = fromB64(ctB64);\n\tconst exp = fromB64(expB64);\n\tconst purpose = fromB64(purposeB64);\n\tconst mac = fromB64(macB64);\n\tif (!iv || !tag || !ct || !exp || !purpose || !mac) return null;\n\tif (iv.length !== IV_BYTES) return null;\n\tif (tag.length !== TAG_BYTES) return null;\n\treturn { iv, tag, ciphertext: ct, expiry: exp, purpose, mac };\n}\n\n/* ------------------------------------------------------------------ *\n * Key derivation — HKDF-SHA256, two sub-keys\n * ------------------------------------------------------------------ */\n\nfunction deriveKeys(masterKey: string): { aes: Buffer; hmac: Buffer } {\n\t// Convert the master to bytes. We accept any string; if it\n\t// happens to be base64 and is at least 32 bytes, decode it.\n\tlet input: Buffer;\n\ttry {\n\t\tconst decoded = Buffer.from(masterKey, \"base64\");\n\t\tif (\n\t\t\tdecoded.length >= 32 &&\n\t\t\t// The \"decoded\" path is valid only if the string is\n\t\t\t// actually base64 (would be a real try/catch).\n\t\t\tmasterKey.length % 4 === 0\n\t\t) {\n\t\t\tinput = decoded;\n\t\t} else {\n\t\t\tinput = Buffer.from(masterKey, \"utf8\");\n\t\t}\n\t} catch {\n\t\tinput = Buffer.from(masterKey, \"utf8\");\n\t}\n\n\tconst ikm = input.length < 32 ? padKey(input) : input;\n\tconst out = hkdfSync(\"sha256\", ikm, Buffer.alloc(0), \"nexus:crypto:v1\", 64);\n\tconst outBuf = Buffer.from(out);\n\treturn {\n\t\taes: Buffer.from(outBuf.subarray(0, 32)),\n\t\thmac: Buffer.from(outBuf.subarray(32, 64)),\n\t};\n}\n\nfunction padKey(input: Buffer): Buffer {\n\t// Pad to 32 bytes by appending SHA-256 of the key (so the\n\t// result is deterministic and at least 32 bytes long).\n\tconst hash = createHmac(\"sha256\", \"nexus:crypto:pad\").update(input).digest();\n\tconst out = Buffer.alloc(32);\n\tinput.copy(out, 0, 0, Math.min(input.length, 32));\n\thash.copy(out, input.length < 32 ? input.length : 0, 0, 32 - Math.min(input.length, 32));\n\treturn out;\n}\n",
-    "/**\n * `HashService` — secure password hashing.\n *\n * Algorithms:\n * - `scrypt` (default) — built into Node, no extra deps. Memory-\n *   hard and CPU-hard. Recommended for new apps.\n * - `argon2` (optional) — the @node-rs/argon2 package is the\n *   reference implementation. Install it as a peer dep:\n *\n *     bun add @node-rs/argon2\n *\n *   When installed, the service auto-detects it.\n *\n * Output format (scrypt): a base64 string with the cost parameters\n * encoded: `$scrypt$N=16384,r=8,p=1$<saltB64>$<hashB64>`.\n * This is similar to the well-known `passlib` / PHC format and\n * lets us verify hashes that were generated with different\n * parameters.\n */\n\nimport { scrypt as scryptCb, randomBytes, timingSafeEqual } from \"node:crypto\";\n\n// scrypt's callback signature is (err, derivedKey) but it takes\n// (password, salt, keylen, options) before the callback, so we\n// can't use util.promisify directly. Wrap manually.\nfunction scrypt(\n\tpassword: string | Buffer,\n\tsalt: Buffer,\n\tkeylen: number,\n\toptions: { N: number; r: number; p: number; maxmem?: number },\n): Promise<Buffer> {\n\treturn new Promise((resolve, reject) => {\n\t\tscryptCb(password, salt, keylen, options, (err, derived) => {\n\t\t\tif (err) reject(err);\n\t\t\telse resolve(derived);\n\t\t});\n\t});\n}\nimport type { HashConfig, HashOptions, HashedPassword } from \"./types.js\";\n\nconst PREFIX_SCRYPT = \"$scrypt$\";\nconst PREFIX_ARGON2 = \"$argon2\";\n\nexport class HashService {\n\treadonly algorithm: \"scrypt\" | \"argon2\";\n\tprivate readonly scryptCost: number;\n\tprivate readonly scryptBlockSize: number;\n\tprivate readonly scryptParallelization: number;\n\tprivate readonly scryptKeyLength: number;\n\tprivate readonly argon2MemoryCost: number;\n\tprivate readonly argon2TimeCost: number;\n\tprivate readonly argon2Parallelism: number;\n\n\tconstructor(config: HashConfig = {}) {\n\t\tthis.algorithm = config.algorithm ?? \"scrypt\";\n\t\tthis.scryptCost = config.scryptCost ?? 16384;\n\t\tthis.scryptBlockSize = config.scryptBlockSize ?? 8;\n\t\tthis.scryptParallelization = config.scryptParallelization ?? 1;\n\t\tthis.scryptKeyLength = config.scryptKeyLength ?? 64;\n\t\tthis.argon2MemoryCost = config.argon2MemoryCost ?? 65536;\n\t\tthis.argon2TimeCost = config.argon2TimeCost ?? 3;\n\t\tthis.argon2Parallelism = config.argon2Parallelism ?? 4;\n\t}\n\n\t/**\n\t * Hash a password. Returns a self-describing string that\n\t * includes the algorithm and cost parameters.\n\t */\n\tasync hash(password: string, options: HashOptions = {}): Promise<HashedPassword> {\n\t\tconst algo = options.algorithm ?? this.algorithm;\n\t\tif (algo === \"scrypt\") return this.hashScrypt(password);\n\t\tif (algo === \"argon2\") return this.hashArgon2(password);\n\t\tthrow new Error(`Unknown hash algorithm: ${algo}`);\n\t}\n\n\t/**\n\t * Verify a password against a previously generated hash.\n\t * Returns `true` on match, `false` otherwise.\n\t */\n\tasync verify(hashed: HashedPassword, password: string): Promise<boolean> {\n\t\tif (typeof hashed !== \"string\" || hashed.length === 0) return false;\n\t\tif (hashed.startsWith(PREFIX_SCRYPT)) return this.verifyScrypt(hashed, password);\n\t\tif (hashed.startsWith(PREFIX_ARGON2)) return this.verifyArgon2(hashed, password);\n\t\t// Unknown format — try scrypt with default params for backward-compat\n\t\t// (e.g. raw SHA-256 / bcrypt / etc. — caller should migrate).\n\t\treturn false;\n\t}\n\n\t/**\n\t * True if a hash was generated with parameters that are below\n\t * the current security floor. The caller should re-hash and\n\t * update the stored value.\n\t */\n\tneedsRehash(hashed: HashedPassword): boolean {\n\t\tif (typeof hashed !== \"string\" || !hashed.startsWith(PREFIX_SCRYPT)) {\n\t\t\t// Foreign hash format — always re-hash to bring in the\n\t\t\t// canonical scrypt format.\n\t\t\treturn true;\n\t\t}\n\t\tconst params = parseScryptParams(hashed);\n\t\tif (!params) return true;\n\t\tif (params.N < this.scryptCost) return true;\n\t\tif (params.r < this.scryptBlockSize) return true;\n\t\tif (params.p < this.scryptParallelization) return true;\n\t\tif (params.keyLen < this.scryptKeyLength) return true;\n\t\treturn false;\n\t}\n\n\t/* ---------------- scrypt ---------------- */\n\n\tprivate async hashScrypt(password: string): Promise<string> {\n\t\tconst salt = randomBytes(16);\n\t\tconst derived = (await scrypt(password, salt, this.scryptKeyLength, {\n\t\t\tN: this.scryptCost,\n\t\t\tr: this.scryptBlockSize,\n\t\t\tp: this.scryptParallelization,\n\t\t\tmaxmem: 256 * 1024 * 1024,\n\t\t})) as Buffer;\n\t\treturn [\n\t\t\tPREFIX_SCRYPT,\n\t\t\t`N=${this.scryptCost},r=${this.scryptBlockSize},p=${this.scryptParallelization},keyLen=${this.scryptKeyLength}`,\n\t\t\t`$${salt.toString(\"base64url\")}`,\n\t\t\t`$${derived.toString(\"base64url\")}`,\n\t\t].join(\"\");\n\t}\n\n\tprivate async verifyScrypt(hashed: string, password: string): Promise<boolean> {\n\t\tconst params = parseScryptParams(hashed);\n\t\tif (!params) return false;\n\t\t// Format: \\\\ (split by \\$ gives 5 parts)\n\t\tconst [, , , saltB64, hashB64] = hashed.split(\"$\");\n\t\tif (!saltB64 || !hashB64) return false;\n\t\tconst salt = Buffer.from(saltB64, \"base64url\");\n\t\tconst expected = Buffer.from(hashB64, \"base64url\");\n\t\tconst derived = (await scrypt(password, salt, expected.length, {\n\t\t\tN: params.N,\n\t\t\tr: params.r,\n\t\t\tp: params.p,\n\t\t\tmaxmem: 256 * 1024 * 1024,\n\t\t})) as Buffer;\n\t\tif (derived.length !== expected.length) return false;\n\t\treturn timingSafeEqual(derived, expected);\n\t}\n\n\t/* ---------------- argon2 ---------------- */\n\n\tprivate async hashArgon2(password: string): Promise<string> {\n\t\tconst mod = await loadArgon2();\n\t\tconst hash = await mod.hash(password, {\n\t\t\tmemoryCost: this.argon2MemoryCost,\n\t\t\ttimeCost: this.argon2TimeCost,\n\t\t\tparallelism: this.argon2Parallelism,\n\t\t});\n\t\treturn hash; // argon2 already returns a self-describing string\n\t}\n\n\tprivate async verifyArgon2(hashed: string, password: string): Promise<boolean> {\n\t\tconst mod = await loadArgon2();\n\t\ttry {\n\t\t\treturn await mod.verify(hashed, password);\n\t\t} catch {\n\t\t\treturn false;\n\t\t}\n\t}\n}\n\n/* ------------------------------------------------------------------ *\n * Parsing\n * ------------------------------------------------------------------ */\n\nfunction parseScryptParams(hashed: string): {\n\tN: number;\n\tr: number;\n\tp: number;\n\tkeyLen: number;\n} | null {\n\t// $scrypt$N=16384,r=8,p=1,keyLen=64$<salt>$<hash>\n\tconst parts = hashed.split(\"$\");\n\tif (parts.length !== 5) return null;\n\tconst paramsPart = parts[2];\n\tif (!paramsPart) return null;\n\tconst m: Record<string, number> = {};\n\tfor (const kv of paramsPart.split(\",\")) {\n\t\tconst [k, v] = kv.split(\"=\");\n\t\tif (k && v) m[k] = Number(v);\n\t}\n\tif (!m.N || !m.r || !m.p || !m.keyLen) return null;\n\treturn { N: m.N, r: m.r, p: m.p, keyLen: m.keyLen };\n}\n\n/* ------------------------------------------------------------------ *\n * Optional argon2 peer dep\n * ------------------------------------------------------------------ */\n\ninterface Argon2Module {\n\thash(password: string, opts: { memoryCost: number; timeCost: number; parallelism: number }): Promise<string>;\n\tverify(hash: string, password: string): Promise<boolean>;\n}\n\nlet _argon2: Argon2Module | null | undefined; // undefined = not yet loaded\n\nasync function loadArgon2(): Promise<Argon2Module> {\n\tif (_argon2 !== undefined) {\n\t\tif (_argon2 === null) {\n\t\t\tthrow new Error(\n\t\t\t\t\"argon2 is not installed. Install with: bun add @node-rs/argon2\",\n\t\t\t);\n\t\t}\n\t\treturn _argon2;\n\t}\n\ttry {\n\t\t// @ts-ignore - optional peer dep\n\t\tconst mod = await import(\"@node-rs/argon2\");\n\t\t_argon2 = (mod as any).default ?? (mod as any);\n\t\tif (!_argon2) throw new Error(\"invalid argon2 module\");\n\t\treturn _argon2!;\n\t} catch {\n\t\t_argon2 = null;\n\t\tthrow new Error(\n\t\t\t\"argon2 is not installed. Install with: bun add @node-rs/argon2\",\n\t\t);\n\t}\n}\n",
-    "/**\n * `CryptoModule` — wires `EncryptionService` and `HashService`\n * into the DI container.\n *\n *   @Module({\n *     imports: [CryptoModule.forRoot({ key: process.env.APP_KEY! })],\n *   })\n *   class AppModule {}\n *\n * The `key` is required for `EncryptionService` (32 bytes). For\n * `HashService` only the algorithm config is required — there's no\n * shared key.\n *\n * If you only need `HashService` (and don't use encryption), you\n * can pass an empty config:\n *\n *   CryptoModule.forRoot({ key: \\\"x\\\" })\n *   // Encryption will pad the key to 32 bytes via HKDF.\n */\n\nimport { Module } from \"@nexusts/core/decorators/module.js\";\nimport { EncryptionService } from \"./encryption.js\";\nimport { HashService } from \"./hash.js\";\nimport type { EncryptionConfig, HashConfig } from \"./types.js\";\n\nexport const ENCRYPTION_SERVICE_TOKEN = Symbol.for(\"nexus:EncryptionService\");\nexport const HASH_SERVICE_TOKEN = Symbol.for(\"nexus:HashService\");\n\n@Module({\n\tproviders: [\n\t\tEncryptionService,\n\t\tHashService,\n\t\t{ provide: ENCRYPTION_SERVICE_TOKEN, useExisting: EncryptionService },\n\t\t{ provide: HASH_SERVICE_TOKEN, useExisting: HashService },\n\t],\n\texports: [\n\t\tEncryptionService,\n\t\tHashService,\n\t\tENCRYPTION_SERVICE_TOKEN,\n\t\tHASH_SERVICE_TOKEN,\n\t],\n})\nexport class CryptoModule {\n\tstatic forRoot(config: EncryptionConfig & { hash?: HashConfig } = { key: \"\" }) {\n\t\tconst fullEncryptionConfig = {\n\t\t\tkey: config.key,\n\t\t\talgorithm: config.algorithm ?? \"aes-256-gcm\",\n\t\t\tdefaultExpiresIn: config.defaultExpiresIn,\n\t\t} as Required<EncryptionConfig>;\n\t\tconst fullHashConfig = config.hash ?? {};\n\n\t\t@Module({\n\t\t\tproviders: [\n\t\t\t\t{ provide: \"ENCRYPTION_CONFIG\", useValue: fullEncryptionConfig },\n\t\t\t\t{ provide: \"HASH_CONFIG\", useValue: fullHashConfig },\n\t\t\t\t{\n\t\t\t\t\tprovide: EncryptionService,\n\t\t\t\t\tuseFactory: () => new EncryptionService(fullEncryptionConfig.key),\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tprovide: HashService,\n\t\t\t\t\tuseFactory: () => new HashService(fullHashConfig),\n\t\t\t\t},\n\t\t\t\t{ provide: ENCRYPTION_SERVICE_TOKEN, useExisting: EncryptionService },\n\t\t\t\t{ provide: HASH_SERVICE_TOKEN, useExisting: HashService },\n\t\t\t],\n\t\t\texports: [\n\t\t\t\tEncryptionService,\n\t\t\t\tHashService,\n\t\t\t\tENCRYPTION_SERVICE_TOKEN,\n\t\t\t\tHASH_SERVICE_TOKEN,\n\t\t\t],\n\t\t})\n\t\tclass ConfiguredCryptoModule {}\n\t\tObject.defineProperty(ConfiguredCryptoModule, \"name\", {\n\t\t\tvalue: \"ConfiguredCryptoModule\",\n\t\t});\n\n\t\treturn ConfiguredCryptoModule as unknown as typeof CryptoModule;\n\t}\n}\n"
+    "/**\n * `HashService` — secure password hashing.\n *\n * Algorithms:\n * - `scrypt` (default) — built into Node, no extra deps. Memory-\n *   hard and CPU-hard. Recommended for new apps.\n * - `argon2` (optional) — the @node-rs/argon2 package is the\n *   reference implementation. Install it as a peer dep:\n *\n *     bun add @node-rs/argon2\n *\n *   When installed, the service auto-detects it.\n *\n * Output format (scrypt): a base64 string with the cost parameters\n * encoded: `$scrypt$N=16384,r=8,p=1$<saltB64>$<hashB64>`.\n * This is similar to the well-known `passlib` / PHC format and\n * lets us verify hashes that were generated with different\n * parameters.\n */\n\nimport { scrypt as scryptCb, randomBytes, timingSafeEqual } from \"node:crypto\";\n\n// scrypt's callback signature is (err, derivedKey) but it takes\n// (password, salt, keylen, options) before the callback, so we\n// can't use util.promisify directly. Wrap manually.\nfunction scrypt(\n\tpassword: string | Buffer,\n\tsalt: Buffer,\n\tkeylen: number,\n\toptions: { N: number; r: number; p: number; maxmem?: number },\n): Promise<Buffer> {\n\treturn new Promise((resolve, reject) => {\n\t\tscryptCb(password, salt, keylen, options, (err, derived) => {\n\t\t\tif (err) reject(err);\n\t\t\telse resolve(derived);\n\t\t});\n\t});\n}\nimport type { HashConfig, HashOptions, HashedPassword } from \"./types.js\";\n\nconst PREFIX_SCRYPT = \"$scrypt$\";\nconst PREFIX_ARGON2 = \"$argon2\";\n\nexport class HashService {\n\treadonly algorithm: \"scrypt\" | \"argon2\";\n\tprivate readonly scryptCost: number;\n\tprivate readonly scryptBlockSize: number;\n\tprivate readonly scryptParallelization: number;\n\tprivate readonly scryptKeyLength: number;\n\tprivate readonly argon2MemoryCost: number;\n\tprivate readonly argon2TimeCost: number;\n\tprivate readonly argon2Parallelism: number;\n\n\tconstructor(config: HashConfig = {}) {\n\t\tthis.algorithm = config.algorithm ?? \"scrypt\";\n\t\tthis.scryptCost = config.scryptCost ?? 16384;\n\t\tthis.scryptBlockSize = config.scryptBlockSize ?? 8;\n\t\tthis.scryptParallelization = config.scryptParallelization ?? 1;\n\t\tthis.scryptKeyLength = config.scryptKeyLength ?? 64;\n\t\tthis.argon2MemoryCost = config.argon2MemoryCost ?? 65536;\n\t\tthis.argon2TimeCost = config.argon2TimeCost ?? 3;\n\t\tthis.argon2Parallelism = config.argon2Parallelism ?? 4;\n\t}\n\n\t/**\n\t * Hash a password. Returns a self-describing string that\n\t * includes the algorithm and cost parameters.\n\t */\n\tasync hash(password: string, options: HashOptions = {}): Promise<HashedPassword> {\n\t\tconst algo = options.algorithm ?? this.algorithm;\n\t\tif (algo === \"scrypt\") return this.hashScrypt(password);\n\t\tif (algo === \"argon2\") return this.hashArgon2(password);\n\t\tthrow new Error(`Unknown hash algorithm: ${algo}`);\n\t}\n\n\t/**\n\t * Verify a password against a previously generated hash.\n\t * Returns `true` on match, `false` otherwise.\n\t */\n\tasync verify(hashed: HashedPassword, password: string): Promise<boolean> {\n\t\tif (typeof hashed !== \"string\" || hashed.length === 0) return false;\n\t\tif (hashed.startsWith(PREFIX_SCRYPT)) return this.verifyScrypt(hashed, password);\n\t\tif (hashed.startsWith(PREFIX_ARGON2)) return this.verifyArgon2(hashed, password);\n\t\t// Unknown format — try scrypt with default params for backward-compat\n\t\t// (e.g. raw SHA-256 / bcrypt / etc. — caller should migrate).\n\t\treturn false;\n\t}\n\n\t/**\n\t * True if a hash was generated with parameters that are below\n\t * the current security floor. The caller should re-hash and\n\t * update the stored value.\n\t */\n\tneedsRehash(hashed: HashedPassword): boolean {\n\t\tif (typeof hashed !== \"string\" || !hashed.startsWith(PREFIX_SCRYPT)) {\n\t\t\t// Foreign hash format — always re-hash to bring in the\n\t\t\t// canonical scrypt format.\n\t\t\treturn true;\n\t\t}\n\t\tconst params = parseScryptParams(hashed);\n\t\tif (!params) return true;\n\t\tif (params.N < this.scryptCost) return true;\n\t\tif (params.r < this.scryptBlockSize) return true;\n\t\tif (params.p < this.scryptParallelization) return true;\n\t\tif (params.keyLen < this.scryptKeyLength) return true;\n\t\treturn false;\n\t}\n\n\t/* ---------------- scrypt ---------------- */\n\n\tprivate async hashScrypt(password: string): Promise<string> {\n\t\tconst salt = randomBytes(16);\n\t\tconst derived = (await scrypt(password, salt, this.scryptKeyLength, {\n\t\t\tN: this.scryptCost,\n\t\t\tr: this.scryptBlockSize,\n\t\t\tp: this.scryptParallelization,\n\t\t\tmaxmem: 256 * 1024 * 1024,\n\t\t})) as Buffer;\n\t\treturn [\n\t\t\tPREFIX_SCRYPT,\n\t\t\t`N=${this.scryptCost},r=${this.scryptBlockSize},p=${this.scryptParallelization},keyLen=${this.scryptKeyLength}`,\n\t\t\t`$${salt.toString(\"base64url\")}`,\n\t\t\t`$${derived.toString(\"base64url\")}`,\n\t\t].join(\"\");\n\t}\n\n\tprivate async verifyScrypt(hashed: string, password: string): Promise<boolean> {\n\t\tconst params = parseScryptParams(hashed);\n\t\tif (!params) return false;\n\t\t// Format: \\\\ (split by \\$ gives 5 parts)\n\t\tconst [, , , saltB64, hashB64] = hashed.split(\"$\");\n\t\tif (!saltB64 || !hashB64) return false;\n\t\tconst salt = Buffer.from(saltB64, \"base64url\");\n\t\tconst expected = Buffer.from(hashB64, \"base64url\");\n\t\tconst derived = (await scrypt(password, salt, expected.length, {\n\t\t\tN: params.N,\n\t\t\tr: params.r,\n\t\t\tp: params.p,\n\t\t\tmaxmem: 256 * 1024 * 1024,\n\t\t})) as Buffer;\n\t\tif (derived.length !== expected.length) return false;\n\t\treturn timingSafeEqual(derived, expected);\n\t}\n\n\t/* ---------------- argon2 ---------------- */\n\n\tprivate async hashArgon2(password: string): Promise<string> {\n\t\tconst mod = await loadArgon2();\n\t\tconst hash = await mod.hash(password, {\n\t\t\tmemoryCost: this.argon2MemoryCost,\n\t\t\ttimeCost: this.argon2TimeCost,\n\t\t\tparallelism: this.argon2Parallelism,\n\t\t});\n\t\treturn hash; // argon2 already returns a self-describing string\n\t}\n\n\tprivate async verifyArgon2(hashed: string, password: string): Promise<boolean> {\n\t\tconst mod = await loadArgon2();\n\t\ttry {\n\t\t\treturn await mod.verify(hashed, password);\n\t\t} catch {\n\t\t\treturn false;\n\t\t}\n\t}\n}\n\n/* ------------------------------------------------------------------ *\n * Parsing\n * ------------------------------------------------------------------ */\n\nfunction parseScryptParams(hashed: string): {\n\tN: number;\n\tr: number;\n\tp: number;\n\tkeyLen: number;\n} | null {\n\t// $scrypt$N=16384,r=8,p=1,keyLen=64$<salt>$<hash>\n\tconst parts = hashed.split(\"$\");\n\tif (parts.length !== 5) return null;\n\tconst paramsPart = parts[2];\n\tif (!paramsPart) return null;\n\tconst m: Record<string, number> = {};\n\tfor (const kv of paramsPart.split(\",\")) {\n\t\tconst [k, v] = kv.split(\"=\");\n\t\tif (k && v) m[k] = Number(v);\n\t}\n\tif (!m.N || !m.r || !m.p || !m.keyLen) return null;\n\treturn { N: m.N, r: m.r, p: m.p, keyLen: m.keyLen };\n}\n\n/* ------------------------------------------------------------------ *\n * Optional argon2 peer dep\n * ------------------------------------------------------------------ */\n\ninterface Argon2Module {\n\thash(password: string, opts: { memoryCost: number; timeCost: number; parallelism: number }): Promise<string>;\n\tverify(hash: string, password: string): Promise<boolean>;\n}\n\nlet _argon2: Argon2Module | null | undefined; // undefined = not yet loaded\n\nasync function loadArgon2(): Promise<Argon2Module> {\n\tif (_argon2 !== undefined) {\n\t\tif (_argon2 === null) {\n\t\t\tthrow new Error(\n\t\t\t\t\"argon2 is not installed. Install with: bun add @node-rs/argon2\",\n\t\t\t);\n\t\t}\n\t\treturn _argon2;\n\t}\n\ttry {\n\t\t// @ts-ignore - optional peer dep\n\t\tconst mod = await import(\"@node-rs/argon2\");\n\t\t_argon2 = (mod as any).default ?? (mod as any);\n\t\tif (!_argon2) throw new Error(\"invalid argon2 module\");\n\t\treturn _argon2!;\n\t} catch {\n\t\t_argon2 = null;\n\t\tthrow new Error(\n\t\t\t\"argon2 is not installed. Install with: bun add @node-rs/argon2\",\n\t\t);\n\t}\n}\n\n// =====================================================================\n// Standalone helpers\n// =====================================================================\n//\n// These mirror the `HashService` API but do not require instantiating\n// the class. Useful for one-off hashing tasks (e.g. CLI scripts,\n// database seeders, smoke tests) where pulling the full DI container\n// is overkill.\n//\n// For production code with a controller or service, prefer the\n// `HashService` class via DI so the algorithm + cost parameters are\n// configured once at the module level.\n\n/**\n * Standalone `hash` function — uses scrypt by default, argon2 if\n * `@node-rs/argon2` is installed.\n *\n * @param password - The plaintext password to hash.\n * @param options - Optional overrides for algorithm + cost params.\n * @returns The encoded hash string (PHC-style).\n */\nexport async function hash(\n\tpassword: string,\n\toptions: HashOptions = {},\n): Promise<string> {\n\tconst svc = new HashService();\n\treturn svc.hash(password, options);\n}\n\n/**\n * Standalone `verify` function — verifies a plaintext password\n * against a previously encoded hash.\n */\nexport async function verify(\n\thashed: HashedPassword,\n\tpassword: string,\n): Promise<boolean> {\n\tconst svc = new HashService();\n\treturn svc.verify(hashed, password);\n}\n\n/**\n * Convenience: scrypt-specific hash. Useful when you want to\n * guarantee the algorithm regardless of installed peer deps.\n */\nexport async function scryptHash(password: string): Promise<string> {\n\treturn hash(password, { algorithm: \"scrypt\" });\n}\n\n/**\n * Convenience: scrypt-specific verify.\n */\nexport async function scryptVerify(\n\thashed: string,\n\tpassword: string,\n): Promise<boolean> {\n\treturn verify(hashed, password);\n}\n",
+    "/**\n * `CryptoModule` — wires `EncryptionService` and `HashService`\n * into the DI container.\n *\n *   @Module({\n *     imports: [CryptoModule.forRoot({ key: process.env.APP_KEY! })],\n *   })\n *   class AppModule {}\n *\n * The `key` is required for `EncryptionService` (32 bytes). For\n * `HashService` only the algorithm config is required — there's no\n * shared key.\n *\n * If you only need `HashService` (and don't use encryption), you\n * can pass an empty config:\n *\n *   CryptoModule.forRoot({ key: \\\"x\\\" })\n *   // Encryption will pad the key to 32 bytes via HKDF.\n */\n\nimport { Module } from \"@nexusts/core\";\nimport { EncryptionService } from \"./encryption.js\";\nimport { HashService } from \"./hash.js\";\nimport type { EncryptionConfig, HashConfig } from \"./types.js\";\n\nexport const ENCRYPTION_SERVICE_TOKEN = Symbol.for(\"nexus:EncryptionService\");\nexport const HASH_SERVICE_TOKEN = Symbol.for(\"nexus:HashService\");\n\n@Module({\n\tproviders: [\n\t\tEncryptionService,\n\t\tHashService,\n\t\t{ provide: ENCRYPTION_SERVICE_TOKEN, useExisting: EncryptionService },\n\t\t{ provide: HASH_SERVICE_TOKEN, useExisting: HashService },\n\t],\n\texports: [\n\t\tEncryptionService,\n\t\tHashService,\n\t\tENCRYPTION_SERVICE_TOKEN,\n\t\tHASH_SERVICE_TOKEN,\n\t],\n})\nexport class CryptoModule {\n\tstatic forRoot(config: EncryptionConfig & { hash?: HashConfig } = { key: \"\" }) {\n\t\tconst fullEncryptionConfig = {\n\t\t\tkey: config.key,\n\t\t\talgorithm: config.algorithm ?? \"aes-256-gcm\",\n\t\t\tdefaultExpiresIn: config.defaultExpiresIn,\n\t\t} as Required<EncryptionConfig>;\n\t\tconst fullHashConfig = config.hash ?? {};\n\n\t\t@Module({\n\t\t\tproviders: [\n\t\t\t\t{ provide: \"ENCRYPTION_CONFIG\", useValue: fullEncryptionConfig },\n\t\t\t\t{ provide: \"HASH_CONFIG\", useValue: fullHashConfig },\n\t\t\t\t{\n\t\t\t\t\tprovide: EncryptionService,\n\t\t\t\t\tuseFactory: () => new EncryptionService(fullEncryptionConfig.key),\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tprovide: HashService,\n\t\t\t\t\tuseFactory: () => new HashService(fullHashConfig),\n\t\t\t\t},\n\t\t\t\t{ provide: ENCRYPTION_SERVICE_TOKEN, useExisting: EncryptionService },\n\t\t\t\t{ provide: HASH_SERVICE_TOKEN, useExisting: HashService },\n\t\t\t],\n\t\t\texports: [\n\t\t\t\tEncryptionService,\n\t\t\t\tHashService,\n\t\t\t\tENCRYPTION_SERVICE_TOKEN,\n\t\t\t\tHASH_SERVICE_TOKEN,\n\t\t\t],\n\t\t})\n\t\tclass ConfiguredCryptoModule {}\n\t\tObject.defineProperty(ConfiguredCryptoModule, \"name\", {\n\t\t\tvalue: \"ConfiguredCryptoModule\",\n\t\t});\n\n\t\treturn ConfiguredCryptoModule as unknown as typeof CryptoModule;\n\t}\n}\n"
   ],
-  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuBA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAUA,IAAM,UAAU;AAChB,IAAM,WAAW;AACjB,IAAM,YAAY;AAAA;AAEX,MAAM,kBAAkB;AAAA,EACb;AAAA,EACA;AAAA,EAEjB,WAAW,CAAC,WAAmB;AAAA,IAC9B,MAAM,UAAU,WAAW,SAAS;AAAA,IACpC,KAAK,SAAS,QAAQ;AAAA,IACtB,KAAK,UAAU,QAAQ;AAAA;AAAA,EAWxB,OAAO,CAAC,OAAe,UAA0B,CAAC,GAAmB;AAAA,IACpE,MAAM,KAAK,YAAY,QAAQ;AAAA,IAC/B,MAAM,SAAS,eAAe,eAAe,KAAK,QAAQ,EAAE;AAAA,IAC5D,MAAM,YAAY,OAAO,KAAK,OAAO,MAAM;AAAA,IAC3C,MAAM,aAAa,OAAO,OAAO,CAAC,OAAO,OAAO,SAAS,GAAG,OAAO,MAAM,CAAC,CAAC;AAAA,IAC3E,MAAM,MAAM,OAAO,WAAW;AAAA,IAE9B,MAAM,SAAS,aAAa,QAAQ,SAAS;AAAA,IAC7C,MAAM,aAAa,OAAO,KAAK,QAAQ,WAAW,IAAI,MAAM;AAAA,IAC5D,MAAM,MAAM,KAAK,QAAQ,CAAC,SAAS,IAAI,KAAK,YAAY,QAAQ,UAAU,CAAC;AAAA,IAE3E,OAAO;AAAA,MACN;AAAA,MACA,IAAI,EAAE;AAAA,MACN,IAAI,GAAG;AAAA,MACP,IAAI,UAAU;AAAA,MACd,IAAI,MAAM;AAAA,MACV,IAAI,UAAU;AAAA,MACd,IAAI,GAAG;AAAA,IACR,EAAE,KAAK,GAAG;AAAA;AAAA,EAQX,OAAmB,CAAC,SAAoB;AAAA,IACvC,MAAM,SAAS,QAAQ,OAAO;AAAA,IAC9B,IAAI,CAAC;AAAA,MAAQ,MAAM,IAAI,MAAM,gCAAgC;AAAA,IAG7D,MAAM,cAAc,KAAK,QAAQ;AAAA,MAChC;AAAA,MACA,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACR,CAAC;AAAA,IACD,IAAI,CAAC,kBAAkB,aAAa,OAAO,GAAG,GAAG;AAAA,MAChD,MAAM,IAAI,MAAM,0CAA0C;AAAA,IAC3D;AAAA,IAGA,IAAI,OAAO,OAAO,SAAS,GAAG;AAAA,MAC7B,MAAM,WAAW,YAAY,OAAO,OAAO,SAAS,MAAM,CAAC;AAAA,MAC3D,IAAI,WAAW,KAAK,KAAK,IAAI,IAAI,UAAU;AAAA,QAC1C,MAAM,IAAI,MAAM,+BAA+B;AAAA,MAChD;AAAA,IACD;AAAA,IAEA,MAAM,WAAW,iBAAiB,eAAe,KAAK,QAAQ,OAAO,EAAE;AAAA,IACvE,SAAS,WAAW,OAAO,GAAG;AAAA,IAC9B,MAAM,YAAY,OAAO,OAAO;AAAA,MAC/B,SAAS,OAAO,OAAO,UAAU;AAAA,MACjC,SAAS,MAAM;AAAA,IAChB,CAAC;AAAA,IACD,OAAO,UAAU,SAAS,MAAM;AAAA;AAAA,EAIjC,WAAW,CAAC,OAAwB;AAAA,IACnC,IAAI,OAAO,UAAU;AAAA,MAAU,OAAO;AAAA,IACtC,OAAO,MAAM,WAAW,UAAU,GAAG;AAAA;AAAA,EAWtC,IAAI,CAAC,OAAe,UAAU,IAAiB;AAAA,IAC9C,MAAM,MAAM,WAAW,UAAU,KAAK,OAAO,EAC3C,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,OAAO,GAAG,IAAI,OAAO,KAAK,OAAO,MAAM,CAAC,KAAK,IAAI,GAAG;AAAA;AAAA,EAUrD,OAAO,CAAC,OAAe,UAAU,IAAY;AAAA,IAC5C,MAAM,MAAM,WAAW,UAAU,KAAK,OAAO,EAC3C,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,OAAO,IAAI,GAAG;AAAA;AAAA,EAOf,SAAS,CAAC,OAAe,WAAmB,UAAU,IAAa;AAAA,IAClE,MAAM,WAAW,WAAW,UAAU,KAAK,OAAO,EAChD,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,MAAM,QAAQ,QAAQ,SAAS;AAAA,IAC/B,IAAI,CAAC;AAAA,MAAO,OAAO;AAAA,IACnB,OAAO,kBAAkB,OAAO,QAAQ;AAAA;AAAA,EAQzC,MAAM,CAAC,QAAgB,UAAU,IAAmB;AAAA,IACnD,MAAM,MAAM,OAAO,YAAY,GAAG;AAAA,IAClC,IAAI,MAAM,KAAK,QAAQ,OAAO,SAAS;AAAA,MAAG,OAAO;AAAA,IACjD,MAAM,WAAW,OAAO,MAAM,GAAG,GAAG;AAAA,IACpC,MAAM,SAAS,OAAO,MAAM,MAAM,CAAC;AAAA,IACnC,MAAM,QAAQ,QAAQ,QAAQ;AAAA,IAC9B,MAAM,MAAM,QAAQ,MAAM;AAAA,IAC1B,IAAI,CAAC,SAAS,CAAC;AAAA,MAAK,OAAO;AAAA,IAC3B,MAAM,WAAW,WAAW,UAAU,KAAK,OAAO,EAChD,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,IAAI,CAAC,kBAAkB,KAAK,QAAQ;AAAA,MAAG,OAAO;AAAA,IAC9C,OAAO,MAAM,SAAS,MAAM;AAAA;AAAA,EAKrB,OAAO,CAAC,OAAuC;AAAA,IACtD,MAAM,IAAI,WAAW,UAAU,KAAK,OAAO;AAAA,IAC3C,WAAW,KAAK,OAAO;AAAA,MACtB,EAAE,OAAO,GAAG;AAAA,MACZ,EAAE,OAAO,CAAW;AAAA,IACrB;AAAA,IACA,OAAO,EAAE,OAAO;AAAA;AAElB;AAMA,SAAS,GAAG,CAAC,KAAqB;AAAA,EACjC,OAAO,IAAI,SAAS,WAAW;AAAA;AAGhC,SAAS,OAAO,CAAC,GAA0B;AAAA,EAC1C,IAAI;AAAA,IACH,OAAO,OAAO,KAAK,GAAG,WAAW;AAAA,IAChC,MAAM;AAAA,IACP,OAAO;AAAA;AAAA;AAIT,SAAS,iBAAiB,CAAC,GAAW,GAAoB;AAAA,EACzD,IAAI,EAAE,WAAW,EAAE;AAAA,IAAQ,OAAO;AAAA,EAClC,OAAO,gBAAgB,GAAG,CAAC;AAAA;AAG5B,SAAS,YAAY,CAAC,WAAuD;AAAA,EAC5E,IAAI,cAAc;AAAA,IAAW,OAAO,OAAO,MAAM,CAAC;AAAA,EAClD,IAAI;AAAA,EACJ,IAAI,OAAO,cAAc,UAAU;AAAA,IAClC,KAAK,YAAY,gBAAO,YAAY,KAAK,IAAI,IAAI,YAAY;AAAA,EAC9D,EAAO,SAAI,OAAO,cAAc,UAAU;AAAA,IAEzC,MAAM,QAAQ,OAAO,SAAS;AAAA,IAC9B,IAAI,CAAC,MAAM,KAAK,KAAK,QAAQ,GAAG;AAAA,MAC/B,KAAK,QAAQ,gBAAO,QAAQ,KAAK,IAAI,IAAI,QAAQ;AAAA,IAClD,EAAO;AAAA,MACN,KAAK,KAAK,MAAM,SAAS;AAAA;AAAA,EAE3B,EAAO;AAAA,IACN,KAAK,UAAU,QAAQ;AAAA;AAAA,EAExB,IAAI,CAAC,SAAS,EAAE;AAAA,IAAG,OAAO,OAAO,MAAM,CAAC;AAAA,EACxC,OAAO,OAAO,KAAK,OAAO,EAAE,GAAG,MAAM;AAAA;AAGtC,SAAS,WAAW,CAAC,GAAmB;AAAA,EACvC,MAAM,IAAI,OAAO,CAAC;AAAA,EAClB,OAAO,SAAS,CAAC,IAAI,IAAI;AAAA;AAY1B,SAAS,OAAO,CAAC,GAA4B;AAAA,EAC5C,IAAI,OAAO,MAAM,YAAY,CAAC,EAAE,WAAW,UAAU,GAAG;AAAA,IAAG,OAAO;AAAA,EAClE,MAAM,QAAQ,EAAE,MAAM,GAAG;AAAA,EAEzB,IAAI,MAAM,WAAW;AAAA,IAAG,OAAO;AAAA,EAC/B,SAAS,OAAO,QAAQ,OAAO,QAAQ,YAAY,UAAU;AAAA,EAC7D,MAAM,KAAK,QAAQ,KAAK;AAAA,EACxB,MAAM,MAAM,QAAQ,MAAM;AAAA,EAC1B,MAAM,KAAK,QAAQ,KAAK;AAAA,EACxB,MAAM,MAAM,QAAQ,MAAM;AAAA,EAC1B,MAAM,UAAU,QAAQ,UAAU;AAAA,EAClC,MAAM,MAAM,QAAQ,MAAM;AAAA,EAC1B,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;AAAA,IAAK,OAAO;AAAA,EAC3D,IAAI,GAAG,WAAW;AAAA,IAAU,OAAO;AAAA,EACnC,IAAI,IAAI,WAAW;AAAA,IAAW,OAAO;AAAA,EACrC,OAAO,EAAE,IAAI,KAAK,YAAY,IAAI,QAAQ,KAAK,SAAS,IAAI;AAAA;AAO7D,SAAS,UAAU,CAAC,WAAkD;AAAA,EAGrE,IAAI;AAAA,EACJ,IAAI;AAAA,IACH,MAAM,UAAU,OAAO,KAAK,WAAW,QAAQ;AAAA,IAC/C,IACC,QAAQ,UAAU,MAGlB,UAAU,SAAS,MAAM,GACxB;AAAA,MACD,QAAQ;AAAA,IACT,EAAO;AAAA,MACN,QAAQ,OAAO,KAAK,WAAW,MAAM;AAAA;AAAA,IAErC,MAAM;AAAA,IACP,QAAQ,OAAO,KAAK,WAAW,MAAM;AAAA;AAAA,EAGtC,MAAM,MAAM,MAAM,SAAS,KAAK,OAAO,KAAK,IAAI;AAAA,EAChD,MAAM,MAAM,SAAS,UAAU,KAAK,OAAO,MAAM,CAAC,GAAG,mBAAmB,EAAE;AAAA,EAC1E,MAAM,SAAS,OAAO,KAAK,GAAG;AAAA,EAC9B,OAAO;AAAA,IACN,KAAK,OAAO,KAAK,OAAO,SAAS,GAAG,EAAE,CAAC;AAAA,IACvC,MAAM,OAAO,KAAK,OAAO,SAAS,IAAI,EAAE,CAAC;AAAA,EAC1C;AAAA;AAGD,SAAS,MAAM,CAAC,OAAuB;AAAA,EAGtC,MAAM,OAAO,WAAW,UAAU,kBAAkB,EAAE,OAAO,KAAK,EAAE,OAAO;AAAA,EAC3E,MAAM,MAAM,OAAO,MAAM,EAAE;AAAA,EAC3B,MAAM,KAAK,KAAK,GAAG,GAAG,KAAK,IAAI,MAAM,QAAQ,EAAE,CAAC;AAAA,EAChD,KAAK,KAAK,KAAK,MAAM,SAAS,KAAK,MAAM,SAAS,GAAG,GAAG,KAAK,KAAK,IAAI,MAAM,QAAQ,EAAE,CAAC;AAAA,EACvF,OAAO;AAAA;;ACzSR,mBAAS,yBAAoB,iCAAa;AAK1C,SAAS,MAAM,CACd,UACA,MACA,QACA,SACkB;AAAA,EAClB,OAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AAAA,IACvC,SAAS,UAAU,MAAM,QAAQ,SAAS,CAAC,KAAK,YAAY;AAAA,MAC3D,IAAI;AAAA,QAAK,OAAO,GAAG;AAAA,MACd;AAAA,gBAAQ,OAAO;AAAA,KACpB;AAAA,GACD;AAAA;AAIF,IAAM,gBAAgB;AACtB,IAAM,gBAAgB;AAAA;AAEf,MAAM,YAAY;AAAA,EACf;AAAA,EACQ;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,WAAW,CAAC,SAAqB,CAAC,GAAG;AAAA,IACpC,KAAK,YAAY,OAAO,aAAa;AAAA,IACrC,KAAK,aAAa,OAAO,cAAc;AAAA,IACvC,KAAK,kBAAkB,OAAO,mBAAmB;AAAA,IACjD,KAAK,wBAAwB,OAAO,yBAAyB;AAAA,IAC7D,KAAK,kBAAkB,OAAO,mBAAmB;AAAA,IACjD,KAAK,mBAAmB,OAAO,oBAAoB;AAAA,IACnD,KAAK,iBAAiB,OAAO,kBAAkB;AAAA,IAC/C,KAAK,oBAAoB,OAAO,qBAAqB;AAAA;AAAA,OAOhD,KAAI,CAAC,UAAkB,UAAuB,CAAC,GAA4B;AAAA,IAChF,MAAM,OAAO,QAAQ,aAAa,KAAK;AAAA,IACvC,IAAI,SAAS;AAAA,MAAU,OAAO,KAAK,WAAW,QAAQ;AAAA,IACtD,IAAI,SAAS;AAAA,MAAU,OAAO,KAAK,WAAW,QAAQ;AAAA,IACtD,MAAM,IAAI,MAAM,2BAA2B,MAAM;AAAA;AAAA,OAO5C,OAAM,CAAC,QAAwB,UAAoC;AAAA,IACxE,IAAI,OAAO,WAAW,YAAY,OAAO,WAAW;AAAA,MAAG,OAAO;AAAA,IAC9D,IAAI,OAAO,WAAW,aAAa;AAAA,MAAG,OAAO,KAAK,aAAa,QAAQ,QAAQ;AAAA,IAC/E,IAAI,OAAO,WAAW,aAAa;AAAA,MAAG,OAAO,KAAK,aAAa,QAAQ,QAAQ;AAAA,IAG/E,OAAO;AAAA;AAAA,EAQR,WAAW,CAAC,QAAiC;AAAA,IAC5C,IAAI,OAAO,WAAW,YAAY,CAAC,OAAO,WAAW,aAAa,GAAG;AAAA,MAGpE,OAAO;AAAA,IACR;AAAA,IACA,MAAM,SAAS,kBAAkB,MAAM;AAAA,IACvC,IAAI,CAAC;AAAA,MAAQ,OAAO;AAAA,IACpB,IAAI,OAAO,IAAI,KAAK;AAAA,MAAY,OAAO;AAAA,IACvC,IAAI,OAAO,IAAI,KAAK;AAAA,MAAiB,OAAO;AAAA,IAC5C,IAAI,OAAO,IAAI,KAAK;AAAA,MAAuB,OAAO;AAAA,IAClD,IAAI,OAAO,SAAS,KAAK;AAAA,MAAiB,OAAO;AAAA,IACjD,OAAO;AAAA;AAAA,OAKM,WAAU,CAAC,UAAmC;AAAA,IAC3D,MAAM,OAAO,aAAY,EAAE;AAAA,IAC3B,MAAM,UAAW,MAAM,OAAO,UAAU,MAAM,KAAK,iBAAiB;AAAA,MACnE,GAAG,KAAK;AAAA,MACR,GAAG,KAAK;AAAA,MACR,GAAG,KAAK;AAAA,MACR,QAAQ,MAAM,OAAO;AAAA,IACtB,CAAC;AAAA,IACD,OAAO;AAAA,MACN;AAAA,MACA,KAAK,KAAK,gBAAgB,KAAK,qBAAqB,KAAK,gCAAgC,KAAK;AAAA,MAC9F,IAAI,KAAK,SAAS,WAAW;AAAA,MAC7B,IAAI,QAAQ,SAAS,WAAW;AAAA,IACjC,EAAE,KAAK,EAAE;AAAA;AAAA,OAGI,aAAY,CAAC,QAAgB,UAAoC;AAAA,IAC9E,MAAM,SAAS,kBAAkB,MAAM;AAAA,IACvC,IAAI,CAAC;AAAA,MAAQ,OAAO;AAAA,IAEpB,aAAa,SAAS,WAAW,OAAO,MAAM,GAAG;AAAA,IACjD,IAAI,CAAC,WAAW,CAAC;AAAA,MAAS,OAAO;AAAA,IACjC,MAAM,OAAO,OAAO,KAAK,SAAS,WAAW;AAAA,IAC7C,MAAM,WAAW,OAAO,KAAK,SAAS,WAAW;AAAA,IACjD,MAAM,UAAW,MAAM,OAAO,UAAU,MAAM,SAAS,QAAQ;AAAA,MAC9D,GAAG,OAAO;AAAA,MACV,GAAG,OAAO;AAAA,MACV,GAAG,OAAO;AAAA,MACV,QAAQ,MAAM,OAAO;AAAA,IACtB,CAAC;AAAA,IACD,IAAI,QAAQ,WAAW,SAAS;AAAA,MAAQ,OAAO;AAAA,IAC/C,OAAO,iBAAgB,SAAS,QAAQ;AAAA;AAAA,OAK3B,WAAU,CAAC,UAAmC;AAAA,IAC3D,MAAM,MAAM,MAAM,WAAW;AAAA,IAC7B,MAAM,OAAO,MAAM,IAAI,KAAK,UAAU;AAAA,MACrC,YAAY,KAAK;AAAA,MACjB,UAAU,KAAK;AAAA,MACf,aAAa,KAAK;AAAA,IACnB,CAAC;AAAA,IACD,OAAO;AAAA;AAAA,OAGM,aAAY,CAAC,QAAgB,UAAoC;AAAA,IAC9E,MAAM,MAAM,MAAM,WAAW;AAAA,IAC7B,IAAI;AAAA,MACH,OAAO,MAAM,IAAI,OAAO,QAAQ,QAAQ;AAAA,MACvC,MAAM;AAAA,MACP,OAAO;AAAA;AAAA;AAGV;AAMA,SAAS,iBAAiB,CAAC,QAKlB;AAAA,EAER,MAAM,QAAQ,OAAO,MAAM,GAAG;AAAA,EAC9B,IAAI,MAAM,WAAW;AAAA,IAAG,OAAO;AAAA,EAC/B,MAAM,aAAa,MAAM;AAAA,EACzB,IAAI,CAAC;AAAA,IAAY,OAAO;AAAA,EACxB,MAAM,IAA4B,CAAC;AAAA,EACnC,WAAW,MAAM,WAAW,MAAM,GAAG,GAAG;AAAA,IACvC,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG;AAAA,IAC3B,IAAI,KAAK;AAAA,MAAG,EAAE,KAAK,OAAO,CAAC;AAAA,EAC5B;AAAA,EACA,IAAI,CAAC,EAAE,KAAK,CAAC,EAAE,KAAK,CAAC,EAAE,KAAK,CAAC,EAAE;AAAA,IAAQ,OAAO;AAAA,EAC9C,OAAO,EAAE,GAAG,EAAE,GAAG,GAAG,EAAE,GAAG,GAAG,EAAE,GAAG,QAAQ,EAAE,OAAO;AAAA;AAYnD,IAAI;AAEJ,eAAe,UAAU,GAA0B;AAAA,EAClD,IAAI,YAAY,WAAW;AAAA,IAC1B,IAAI,YAAY,MAAM;AAAA,MACrB,MAAM,IAAI,MACT,gEACD;AAAA,IACD;AAAA,IACA,OAAO;AAAA,EACR;AAAA,EACA,IAAI;AAAA,IAEH,MAAM,MAAM,MAAa;AAAA,IACzB,UAAW,IAAY,WAAY;AAAA,IACnC,IAAI,CAAC;AAAA,MAAS,MAAM,IAAI,MAAM,uBAAuB;AAAA,IACrD,OAAO;AAAA,IACN,MAAM;AAAA,IACP,UAAU;AAAA,IACV,MAAM,IAAI,MACT,gEACD;AAAA;AAAA;;ACxMF;AAKO,IAAM,2BAA2B,OAAO,IAAI,yBAAyB;AACrE,IAAM,qBAAqB,OAAO,IAAI,mBAAmB;AAAA;AAgBzD,MAAM,aAAa;AAAA,SAClB,OAAO,CAAC,SAAmD,EAAE,KAAK,GAAG,GAAG;AAAA,IAC9E,MAAM,uBAAuB;AAAA,MAC5B,KAAK,OAAO;AAAA,MACZ,WAAW,OAAO,aAAa;AAAA,MAC/B,kBAAkB,OAAO;AAAA,IAC1B;AAAA,IACA,MAAM,iBAAiB,OAAO,QAAQ,CAAC;AAAA;AAAA,IAwBvC,MAAM,uBAAuB;AAAA,IAAC;AAAA,IAAxB,yBAAN;AAAA,MAtBC,OAAO;AAAA,QACP,WAAW;AAAA,UACV,EAAE,SAAS,qBAAqB,UAAU,qBAAqB;AAAA,UAC/D,EAAE,SAAS,eAAe,UAAU,eAAe;AAAA,UACnD;AAAA,YACC,SAAS;AAAA,YACT,YAAY,MAAM,IAAI,kBAAkB,qBAAqB,GAAG;AAAA,UACjE;AAAA,UACA;AAAA,YACC,SAAS;AAAA,YACT,YAAY,MAAM,IAAI,YAAY,cAAc;AAAA,UACjD;AAAA,UACA,EAAE,SAAS,0BAA0B,aAAa,kBAAkB;AAAA,UACpE,EAAE,SAAS,oBAAoB,aAAa,YAAY;AAAA,QACzD;AAAA,QACA,SAAS;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACD;AAAA,MACD,CAAC;AAAA,OACK;AAAA,IACN,OAAO,eAAe,wBAAwB,QAAQ;AAAA,MACrD,OAAO;AAAA,IACR,CAAC;AAAA,IAED,OAAO;AAAA;AAET;AAtCa,eAAN;AAAA,EAdN,OAAO;AAAA,IACP,WAAW;AAAA,MACV;AAAA,MACA;AAAA,MACA,EAAE,SAAS,0BAA0B,aAAa,kBAAkB;AAAA,MACpE,EAAE,SAAS,oBAAoB,aAAa,YAAY;AAAA,IACzD;AAAA,IACA,SAAS;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACD;AAAA,EACD,CAAC;AAAA,GACY;",
-  "debugId": "68D8BB427FD50CFB64756E2164756E21",
+  "mappings": ";;;;;;;;;;;;;;AAuBA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAUA,IAAM,UAAU;AAChB,IAAM,WAAW;AACjB,IAAM,YAAY;AAAA;AAEX,MAAM,kBAAkB;AAAA,EACb;AAAA,EACA;AAAA,EAEjB,WAAW,CAAC,WAAmB;AAAA,IAC9B,MAAM,UAAU,WAAW,SAAS;AAAA,IACpC,KAAK,SAAS,QAAQ;AAAA,IACtB,KAAK,UAAU,QAAQ;AAAA;AAAA,EAWxB,OAAO,CAAC,OAAe,UAA0B,CAAC,GAAmB;AAAA,IACpE,MAAM,KAAK,YAAY,QAAQ;AAAA,IAC/B,MAAM,SAAS,eAAe,eAAe,KAAK,QAAQ,EAAE;AAAA,IAC5D,MAAM,YAAY,OAAO,KAAK,OAAO,MAAM;AAAA,IAC3C,MAAM,aAAa,OAAO,OAAO,CAAC,OAAO,OAAO,SAAS,GAAG,OAAO,MAAM,CAAC,CAAC;AAAA,IAC3E,MAAM,MAAM,OAAO,WAAW;AAAA,IAE9B,MAAM,SAAS,aAAa,QAAQ,SAAS;AAAA,IAC7C,MAAM,aAAa,OAAO,KAAK,QAAQ,WAAW,IAAI,MAAM;AAAA,IAC5D,MAAM,MAAM,KAAK,QAAQ,CAAC,SAAS,IAAI,KAAK,YAAY,QAAQ,UAAU,CAAC;AAAA,IAE3E,OAAO;AAAA,MACN;AAAA,MACA,IAAI,EAAE;AAAA,MACN,IAAI,GAAG;AAAA,MACP,IAAI,UAAU;AAAA,MACd,IAAI,MAAM;AAAA,MACV,IAAI,UAAU;AAAA,MACd,IAAI,GAAG;AAAA,IACR,EAAE,KAAK,GAAG;AAAA;AAAA,EAQX,OAAmB,CAAC,SAAoB;AAAA,IACvC,MAAM,SAAS,QAAQ,OAAO;AAAA,IAC9B,IAAI,CAAC;AAAA,MAAQ,MAAM,IAAI,MAAM,gCAAgC;AAAA,IAG7D,MAAM,cAAc,KAAK,QAAQ;AAAA,MAChC;AAAA,MACA,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACR,CAAC;AAAA,IACD,IAAI,CAAC,kBAAkB,aAAa,OAAO,GAAG,GAAG;AAAA,MAChD,MAAM,IAAI,MAAM,0CAA0C;AAAA,IAC3D;AAAA,IAGA,IAAI,OAAO,OAAO,SAAS,GAAG;AAAA,MAC7B,MAAM,WAAW,YAAY,OAAO,OAAO,SAAS,MAAM,CAAC;AAAA,MAC3D,IAAI,WAAW,KAAK,KAAK,IAAI,IAAI,UAAU;AAAA,QAC1C,MAAM,IAAI,MAAM,+BAA+B;AAAA,MAChD;AAAA,IACD;AAAA,IAEA,MAAM,WAAW,iBAAiB,eAAe,KAAK,QAAQ,OAAO,EAAE;AAAA,IACvE,SAAS,WAAW,OAAO,GAAG;AAAA,IAC9B,MAAM,YAAY,OAAO,OAAO;AAAA,MAC/B,SAAS,OAAO,OAAO,UAAU;AAAA,MACjC,SAAS,MAAM;AAAA,IAChB,CAAC;AAAA,IACD,OAAO,UAAU,SAAS,MAAM;AAAA;AAAA,EAIjC,WAAW,CAAC,OAAwB;AAAA,IACnC,IAAI,OAAO,UAAU;AAAA,MAAU,OAAO;AAAA,IACtC,OAAO,MAAM,WAAW,UAAU,GAAG;AAAA;AAAA,EAWtC,IAAI,CAAC,OAAe,UAAU,IAAiB;AAAA,IAC9C,MAAM,MAAM,WAAW,UAAU,KAAK,OAAO,EAC3C,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,OAAO,GAAG,IAAI,OAAO,KAAK,OAAO,MAAM,CAAC,KAAK,IAAI,GAAG;AAAA;AAAA,EAUrD,OAAO,CAAC,OAAe,UAAU,IAAY;AAAA,IAC5C,MAAM,MAAM,WAAW,UAAU,KAAK,OAAO,EAC3C,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,OAAO,IAAI,GAAG;AAAA;AAAA,EAOf,SAAS,CAAC,OAAe,WAAmB,UAAU,IAAa;AAAA,IAClE,MAAM,WAAW,WAAW,UAAU,KAAK,OAAO,EAChD,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,MAAM,QAAQ,QAAQ,SAAS;AAAA,IAC/B,IAAI,CAAC;AAAA,MAAO,OAAO;AAAA,IACnB,OAAO,kBAAkB,OAAO,QAAQ;AAAA;AAAA,EAQzC,MAAM,CAAC,QAAgB,UAAU,IAAmB;AAAA,IACnD,MAAM,MAAM,OAAO,YAAY,GAAG;AAAA,IAClC,IAAI,MAAM,KAAK,QAAQ,OAAO,SAAS;AAAA,MAAG,OAAO;AAAA,IACjD,MAAM,WAAW,OAAO,MAAM,GAAG,GAAG;AAAA,IACpC,MAAM,SAAS,OAAO,MAAM,MAAM,CAAC;AAAA,IACnC,MAAM,QAAQ,QAAQ,QAAQ;AAAA,IAC9B,MAAM,MAAM,QAAQ,MAAM;AAAA,IAC1B,IAAI,CAAC,SAAS,CAAC;AAAA,MAAK,OAAO;AAAA,IAC3B,MAAM,WAAW,WAAW,UAAU,KAAK,OAAO,EAChD,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,IAAI,CAAC,kBAAkB,KAAK,QAAQ;AAAA,MAAG,OAAO;AAAA,IAC9C,OAAO,MAAM,SAAS,MAAM;AAAA;AAAA,EAKrB,OAAO,CAAC,OAAuC;AAAA,IACtD,MAAM,IAAI,WAAW,UAAU,KAAK,OAAO;AAAA,IAC3C,WAAW,KAAK,OAAO;AAAA,MACtB,EAAE,OAAO,GAAG;AAAA,MACZ,EAAE,OAAO,CAAW;AAAA,IACrB;AAAA,IACA,OAAO,EAAE,OAAO;AAAA;AAElB;AAMA,SAAS,GAAG,CAAC,KAAqB;AAAA,EACjC,OAAO,IAAI,SAAS,WAAW;AAAA;AAGhC,SAAS,OAAO,CAAC,GAA0B;AAAA,EAC1C,IAAI;AAAA,IACH,OAAO,OAAO,KAAK,GAAG,WAAW;AAAA,IAChC,MAAM;AAAA,IACP,OAAO;AAAA;AAAA;AAIT,SAAS,iBAAiB,CAAC,GAAW,GAAoB;AAAA,EACzD,IAAI,EAAE,WAAW,EAAE;AAAA,IAAQ,OAAO;AAAA,EAClC,OAAO,gBAAgB,GAAG,CAAC;AAAA;AAG5B,SAAS,YAAY,CAAC,WAAuD;AAAA,EAC5E,IAAI,cAAc;AAAA,IAAW,OAAO,OAAO,MAAM,CAAC;AAAA,EAClD,IAAI;AAAA,EACJ,IAAI,OAAO,cAAc,UAAU;AAAA,IAClC,KAAK,YAAY,gBAAO,YAAY,KAAK,IAAI,IAAI,YAAY;AAAA,EAC9D,EAAO,SAAI,OAAO,cAAc,UAAU;AAAA,IAEzC,MAAM,QAAQ,OAAO,SAAS;AAAA,IAC9B,IAAI,CAAC,MAAM,KAAK,KAAK,QAAQ,GAAG;AAAA,MAC/B,KAAK,QAAQ,gBAAO,QAAQ,KAAK,IAAI,IAAI,QAAQ;AAAA,IAClD,EAAO;AAAA,MACN,KAAK,KAAK,MAAM,SAAS;AAAA;AAAA,EAE3B,EAAO;AAAA,IACN,KAAK,UAAU,QAAQ;AAAA;AAAA,EAExB,IAAI,CAAC,SAAS,EAAE;AAAA,IAAG,OAAO,OAAO,MAAM,CAAC;AAAA,EACxC,OAAO,OAAO,KAAK,OAAO,EAAE,GAAG,MAAM;AAAA;AAGtC,SAAS,WAAW,CAAC,GAAmB;AAAA,EACvC,MAAM,IAAI,OAAO,CAAC;AAAA,EAClB,OAAO,SAAS,CAAC,IAAI,IAAI;AAAA;AAY1B,SAAS,OAAO,CAAC,GAA4B;AAAA,EAC5C,IAAI,OAAO,MAAM,YAAY,CAAC,EAAE,WAAW,UAAU,GAAG;AAAA,IAAG,OAAO;AAAA,EAClE,MAAM,QAAQ,EAAE,MAAM,GAAG;AAAA,EAEzB,IAAI,MAAM,WAAW;AAAA,IAAG,OAAO;AAAA,EAC/B,SAAS,OAAO,QAAQ,OAAO,QAAQ,YAAY,UAAU;AAAA,EAC7D,MAAM,KAAK,QAAQ,KAAK;AAAA,EACxB,MAAM,MAAM,QAAQ,MAAM;AAAA,EAC1B,MAAM,KAAK,QAAQ,KAAK;AAAA,EACxB,MAAM,MAAM,QAAQ,MAAM;AAAA,EAC1B,MAAM,UAAU,QAAQ,UAAU;AAAA,EAClC,MAAM,MAAM,QAAQ,MAAM;AAAA,EAC1B,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;AAAA,IAAK,OAAO;AAAA,EAC3D,IAAI,GAAG,WAAW;AAAA,IAAU,OAAO;AAAA,EACnC,IAAI,IAAI,WAAW;AAAA,IAAW,OAAO;AAAA,EACrC,OAAO,EAAE,IAAI,KAAK,YAAY,IAAI,QAAQ,KAAK,SAAS,IAAI;AAAA;AAO7D,SAAS,UAAU,CAAC,WAAkD;AAAA,EAGrE,IAAI;AAAA,EACJ,IAAI;AAAA,IACH,MAAM,UAAU,OAAO,KAAK,WAAW,QAAQ;AAAA,IAC/C,IACC,QAAQ,UAAU,MAGlB,UAAU,SAAS,MAAM,GACxB;AAAA,MACD,QAAQ;AAAA,IACT,EAAO;AAAA,MACN,QAAQ,OAAO,KAAK,WAAW,MAAM;AAAA;AAAA,IAErC,MAAM;AAAA,IACP,QAAQ,OAAO,KAAK,WAAW,MAAM;AAAA;AAAA,EAGtC,MAAM,MAAM,MAAM,SAAS,KAAK,OAAO,KAAK,IAAI;AAAA,EAChD,MAAM,MAAM,SAAS,UAAU,KAAK,OAAO,MAAM,CAAC,GAAG,mBAAmB,EAAE;AAAA,EAC1E,MAAM,SAAS,OAAO,KAAK,GAAG;AAAA,EAC9B,OAAO;AAAA,IACN,KAAK,OAAO,KAAK,OAAO,SAAS,GAAG,EAAE,CAAC;AAAA,IACvC,MAAM,OAAO,KAAK,OAAO,SAAS,IAAI,EAAE,CAAC;AAAA,EAC1C;AAAA;AAGD,SAAS,MAAM,CAAC,OAAuB;AAAA,EAGtC,MAAM,OAAO,WAAW,UAAU,kBAAkB,EAAE,OAAO,KAAK,EAAE,OAAO;AAAA,EAC3E,MAAM,MAAM,OAAO,MAAM,EAAE;AAAA,EAC3B,MAAM,KAAK,KAAK,GAAG,GAAG,KAAK,IAAI,MAAM,QAAQ,EAAE,CAAC;AAAA,EAChD,KAAK,KAAK,KAAK,MAAM,SAAS,KAAK,MAAM,SAAS,GAAG,GAAG,KAAK,KAAK,IAAI,MAAM,QAAQ,EAAE,CAAC;AAAA,EACvF,OAAO;AAAA;;ACzSR,mBAAS,yBAAoB,iCAAa;AAK1C,SAAS,MAAM,CACd,UACA,MACA,QACA,SACkB;AAAA,EAClB,OAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AAAA,IACvC,SAAS,UAAU,MAAM,QAAQ,SAAS,CAAC,KAAK,YAAY;AAAA,MAC3D,IAAI;AAAA,QAAK,OAAO,GAAG;AAAA,MACd;AAAA,gBAAQ,OAAO;AAAA,KACpB;AAAA,GACD;AAAA;AAIF,IAAM,gBAAgB;AACtB,IAAM,gBAAgB;AAAA;AAEf,MAAM,YAAY;AAAA,EACf;AAAA,EACQ;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,WAAW,CAAC,SAAqB,CAAC,GAAG;AAAA,IACpC,KAAK,YAAY,OAAO,aAAa;AAAA,IACrC,KAAK,aAAa,OAAO,cAAc;AAAA,IACvC,KAAK,kBAAkB,OAAO,mBAAmB;AAAA,IACjD,KAAK,wBAAwB,OAAO,yBAAyB;AAAA,IAC7D,KAAK,kBAAkB,OAAO,mBAAmB;AAAA,IACjD,KAAK,mBAAmB,OAAO,oBAAoB;AAAA,IACnD,KAAK,iBAAiB,OAAO,kBAAkB;AAAA,IAC/C,KAAK,oBAAoB,OAAO,qBAAqB;AAAA;AAAA,OAOhD,KAAI,CAAC,UAAkB,UAAuB,CAAC,GAA4B;AAAA,IAChF,MAAM,OAAO,QAAQ,aAAa,KAAK;AAAA,IACvC,IAAI,SAAS;AAAA,MAAU,OAAO,KAAK,WAAW,QAAQ;AAAA,IACtD,IAAI,SAAS;AAAA,MAAU,OAAO,KAAK,WAAW,QAAQ;AAAA,IACtD,MAAM,IAAI,MAAM,2BAA2B,MAAM;AAAA;AAAA,OAO5C,OAAM,CAAC,QAAwB,UAAoC;AAAA,IACxE,IAAI,OAAO,WAAW,YAAY,OAAO,WAAW;AAAA,MAAG,OAAO;AAAA,IAC9D,IAAI,OAAO,WAAW,aAAa;AAAA,MAAG,OAAO,KAAK,aAAa,QAAQ,QAAQ;AAAA,IAC/E,IAAI,OAAO,WAAW,aAAa;AAAA,MAAG,OAAO,KAAK,aAAa,QAAQ,QAAQ;AAAA,IAG/E,OAAO;AAAA;AAAA,EAQR,WAAW,CAAC,QAAiC;AAAA,IAC5C,IAAI,OAAO,WAAW,YAAY,CAAC,OAAO,WAAW,aAAa,GAAG;AAAA,MAGpE,OAAO;AAAA,IACR;AAAA,IACA,MAAM,SAAS,kBAAkB,MAAM;AAAA,IACvC,IAAI,CAAC;AAAA,MAAQ,OAAO;AAAA,IACpB,IAAI,OAAO,IAAI,KAAK;AAAA,MAAY,OAAO;AAAA,IACvC,IAAI,OAAO,IAAI,KAAK;AAAA,MAAiB,OAAO;AAAA,IAC5C,IAAI,OAAO,IAAI,KAAK;AAAA,MAAuB,OAAO;AAAA,IAClD,IAAI,OAAO,SAAS,KAAK;AAAA,MAAiB,OAAO;AAAA,IACjD,OAAO;AAAA;AAAA,OAKM,WAAU,CAAC,UAAmC;AAAA,IAC3D,MAAM,OAAO,aAAY,EAAE;AAAA,IAC3B,MAAM,UAAW,MAAM,OAAO,UAAU,MAAM,KAAK,iBAAiB;AAAA,MACnE,GAAG,KAAK;AAAA,MACR,GAAG,KAAK;AAAA,MACR,GAAG,KAAK;AAAA,MACR,QAAQ,MAAM,OAAO;AAAA,IACtB,CAAC;AAAA,IACD,OAAO;AAAA,MACN;AAAA,MACA,KAAK,KAAK,gBAAgB,KAAK,qBAAqB,KAAK,gCAAgC,KAAK;AAAA,MAC9F,IAAI,KAAK,SAAS,WAAW;AAAA,MAC7B,IAAI,QAAQ,SAAS,WAAW;AAAA,IACjC,EAAE,KAAK,EAAE;AAAA;AAAA,OAGI,aAAY,CAAC,QAAgB,UAAoC;AAAA,IAC9E,MAAM,SAAS,kBAAkB,MAAM;AAAA,IACvC,IAAI,CAAC;AAAA,MAAQ,OAAO;AAAA,IAEpB,aAAa,SAAS,WAAW,OAAO,MAAM,GAAG;AAAA,IACjD,IAAI,CAAC,WAAW,CAAC;AAAA,MAAS,OAAO;AAAA,IACjC,MAAM,OAAO,OAAO,KAAK,SAAS,WAAW;AAAA,IAC7C,MAAM,WAAW,OAAO,KAAK,SAAS,WAAW;AAAA,IACjD,MAAM,UAAW,MAAM,OAAO,UAAU,MAAM,SAAS,QAAQ;AAAA,MAC9D,GAAG,OAAO;AAAA,MACV,GAAG,OAAO;AAAA,MACV,GAAG,OAAO;AAAA,MACV,QAAQ,MAAM,OAAO;AAAA,IACtB,CAAC;AAAA,IACD,IAAI,QAAQ,WAAW,SAAS;AAAA,MAAQ,OAAO;AAAA,IAC/C,OAAO,iBAAgB,SAAS,QAAQ;AAAA;AAAA,OAK3B,WAAU,CAAC,UAAmC;AAAA,IAC3D,MAAM,MAAM,MAAM,WAAW;AAAA,IAC7B,MAAM,OAAO,MAAM,IAAI,KAAK,UAAU;AAAA,MACrC,YAAY,KAAK;AAAA,MACjB,UAAU,KAAK;AAAA,MACf,aAAa,KAAK;AAAA,IACnB,CAAC;AAAA,IACD,OAAO;AAAA;AAAA,OAGM,aAAY,CAAC,QAAgB,UAAoC;AAAA,IAC9E,MAAM,MAAM,MAAM,WAAW;AAAA,IAC7B,IAAI;AAAA,MACH,OAAO,MAAM,IAAI,OAAO,QAAQ,QAAQ;AAAA,MACvC,MAAM;AAAA,MACP,OAAO;AAAA;AAAA;AAGV;AAMA,SAAS,iBAAiB,CAAC,QAKlB;AAAA,EAER,MAAM,QAAQ,OAAO,MAAM,GAAG;AAAA,EAC9B,IAAI,MAAM,WAAW;AAAA,IAAG,OAAO;AAAA,EAC/B,MAAM,aAAa,MAAM;AAAA,EACzB,IAAI,CAAC;AAAA,IAAY,OAAO;AAAA,EACxB,MAAM,IAA4B,CAAC;AAAA,EACnC,WAAW,MAAM,WAAW,MAAM,GAAG,GAAG;AAAA,IACvC,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG;AAAA,IAC3B,IAAI,KAAK;AAAA,MAAG,EAAE,KAAK,OAAO,CAAC;AAAA,EAC5B;AAAA,EACA,IAAI,CAAC,EAAE,KAAK,CAAC,EAAE,KAAK,CAAC,EAAE,KAAK,CAAC,EAAE;AAAA,IAAQ,OAAO;AAAA,EAC9C,OAAO,EAAE,GAAG,EAAE,GAAG,GAAG,EAAE,GAAG,GAAG,EAAE,GAAG,QAAQ,EAAE,OAAO;AAAA;AAYnD,IAAI;AAEJ,eAAe,UAAU,GAA0B;AAAA,EAClD,IAAI,YAAY,WAAW;AAAA,IAC1B,IAAI,YAAY,MAAM;AAAA,MACrB,MAAM,IAAI,MACT,gEACD;AAAA,IACD;AAAA,IACA,OAAO;AAAA,EACR;AAAA,EACA,IAAI;AAAA,IAEH,MAAM,MAAM,MAAa;AAAA,IACzB,UAAW,IAAY,WAAY;AAAA,IACnC,IAAI,CAAC;AAAA,MAAS,MAAM,IAAI,MAAM,uBAAuB;AAAA,IACrD,OAAO;AAAA,IACN,MAAM;AAAA,IACP,UAAU;AAAA,IACV,MAAM,IAAI,MACT,gEACD;AAAA;AAAA;AAyBF,eAAsB,IAAI,CACzB,UACA,UAAuB,CAAC,GACN;AAAA,EAClB,MAAM,MAAM,IAAI;AAAA,EAChB,OAAO,IAAI,KAAK,UAAU,OAAO;AAAA;AAOlC,eAAsB,MAAM,CAC3B,QACA,UACmB;AAAA,EACnB,MAAM,MAAM,IAAI;AAAA,EAChB,OAAO,IAAI,OAAO,QAAQ,QAAQ;AAAA;AAOnC,eAAsB,UAAU,CAAC,UAAmC;AAAA,EACnE,OAAO,KAAK,UAAU,EAAE,WAAW,SAAS,CAAC;AAAA;AAM9C,eAAsB,YAAY,CACjC,QACA,UACmB;AAAA,EACnB,OAAO,OAAO,QAAQ,QAAQ;AAAA;;ACpQ/B;AAKO,IAAM,2BAA2B,OAAO,IAAI,yBAAyB;AACrE,IAAM,qBAAqB,OAAO,IAAI,mBAAmB;AAAA;AAgBzD,MAAM,aAAa;AAAA,SAClB,OAAO,CAAC,SAAmD,EAAE,KAAK,GAAG,GAAG;AAAA,IAC9E,MAAM,uBAAuB;AAAA,MAC5B,KAAK,OAAO;AAAA,MACZ,WAAW,OAAO,aAAa;AAAA,MAC/B,kBAAkB,OAAO;AAAA,IAC1B;AAAA,IACA,MAAM,iBAAiB,OAAO,QAAQ,CAAC;AAAA;AAAA,IAwBvC,MAAM,uBAAuB;AAAA,IAAC;AAAA,IAAxB,yBAAN;AAAA,MAtBC,OAAO;AAAA,QACP,WAAW;AAAA,UACV,EAAE,SAAS,qBAAqB,UAAU,qBAAqB;AAAA,UAC/D,EAAE,SAAS,eAAe,UAAU,eAAe;AAAA,UACnD;AAAA,YACC,SAAS;AAAA,YACT,YAAY,MAAM,IAAI,kBAAkB,qBAAqB,GAAG;AAAA,UACjE;AAAA,UACA;AAAA,YACC,SAAS;AAAA,YACT,YAAY,MAAM,IAAI,YAAY,cAAc;AAAA,UACjD;AAAA,UACA,EAAE,SAAS,0BAA0B,aAAa,kBAAkB;AAAA,UACpE,EAAE,SAAS,oBAAoB,aAAa,YAAY;AAAA,QACzD;AAAA,QACA,SAAS;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACD;AAAA,MACD,CAAC;AAAA,OACK;AAAA,IACN,OAAO,eAAe,wBAAwB,QAAQ;AAAA,MACrD,OAAO;AAAA,IACR,CAAC;AAAA,IAED,OAAO;AAAA;AAET;AAtCa,eAAN;AAAA,EAdN,OAAO;AAAA,IACP,WAAW;AAAA,MACV;AAAA,MACA;AAAA,MACA,EAAE,SAAS,0BAA0B,aAAa,kBAAkB;AAAA,MACpE,EAAE,SAAS,oBAAoB,aAAa,YAAY;AAAA,IACzD;AAAA,IACA,SAAS;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACD;AAAA,EACD,CAAC;AAAA,GACY;",
+  "debugId": "4F353992A3BC692264756E2164756E21",
   "names": []
 }

package/dist/module.d.ts

@@ -0,0 +1,27 @@
+/**
+ * `CryptoModule` — wires `EncryptionService` and `HashService`
+ * into the DI container.
+ *
+ *   @Module({
+ *     imports: [CryptoModule.forRoot({ key: process.env.APP_KEY! })],
+ *   })
+ *   class AppModule {}
+ *
+ * The `key` is required for `EncryptionService` (32 bytes). For
+ * `HashService` only the algorithm config is required — there's no
+ * shared key.
+ *
+ * If you only need `HashService` (and don't use encryption), you
+ * can pass an empty config:
+ *
+ *   CryptoModule.forRoot({ key: \"x\" })
+ *   // Encryption will pad the key to 32 bytes via HKDF.
+ */
+import type { EncryptionConfig, HashConfig } from "./types.js";
+export declare const ENCRYPTION_SERVICE_TOKEN: unique symbol;
+export declare const HASH_SERVICE_TOKEN: unique symbol;
+export declare class CryptoModule {
+    static forRoot(config?: EncryptionConfig & {
+        hash?: HashConfig;
+    }): typeof CryptoModule;
+}

package/dist/types.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Public types for `nexusjs/crypto`.
+ *
+ * `nexusjs/crypto` provides:
+ * - `EncryptionService` — AES-256-GCM symmetric encryption +
+ *   HMAC sign/unsign (for stateless session cookies, CSRF tokens,
+ *   signed URLs, etc.).
+ * - `HashService` — scrypt password hashing (argon2 available as
+ *   an optional peer dep when the user installs `@node-rs/argon2`).
+ *
+ * No external dependencies. All primitives come from Node's
+ * built-in `crypto` module.
+ */
+export interface EncryptionConfig {
+    /**
+     * Master key as a string or base64-encoded bytes. Must be at
+     * least 32 bytes after decoding. The framework derives separate
+     * 32-byte keys for AES and HMAC from this master.
+     *
+     * If the key is shorter, the framework pads / hashes it with
+     * SHA-256 — but the user is encouraged to provide a 32-byte
+     * random value (`openssl rand -base64 32`).
+     */
+    key: string;
+    /**
+     * Algorithm. Currently only "aes-256-gcm" is supported.
+     * Default: "aes-256-gcm".
+     */
+    algorithm?: "aes-256-gcm";
+    /**
+     * Default expiry for encrypted payloads. The decryptor
+     * throws if the payload was created with a past `expiresAt`.
+     * Default: never.
+     */
+    defaultExpiresIn?: number | string;
+}
+export interface EncryptOptions {
+    /** Expiry in seconds, or a future Date, or an absolute timestamp. */
+    expiresAt?: number | string | Date;
+    /** Purpose / namespace — included in the MAC, so a payload signed
+     * for "session" can't be replayed as a "csrf" token. */
+    purpose?: string;
+}
+export interface HmacConfig {
+    /** The secret key. Must be at least 16 bytes; longer is better. */
+    secret: string;
+    /** Algorithm. Default: "sha256". */
+    algorithm?: "sha256" | "sha512";
+    /** Optional purpose / namespace. */
+    purpose?: string;
+}
+export type HashAlgorithm = "scrypt" | "argon2";
+export interface HashConfig {
+    /** Algorithm. Default: "scrypt". "argon2" requires the optional peer. */
+    algorithm?: HashAlgorithm;
+    /** scrypt N cost parameter. Default: 16384. */
+    scryptCost?: number;
+    /** scrypt block size. Default: 8. */
+    scryptBlockSize?: number;
+    /** scrypt parallelization. Default: 1. */
+    scryptParallelization?: number;
+    /** Output key length for scrypt. Default: 64. */
+    scryptKeyLength?: number;
+    /** Argon2 memory cost (KB). Default: 65536. */
+    argon2MemoryCost?: number;
+    /** Argon2 time cost. Default: 3. */
+    argon2TimeCost?: number;
+    /** Argon2 parallelism. Default: 4. */
+    argon2Parallelism?: number;
+}
+export interface HashOptions {
+    /** Custom algorithm override for this call. */
+    algorithm?: HashAlgorithm;
+}
+/** A hashed password in the framework's canonical string format. */
+export type HashedPassword = string;
+/** An encrypted payload — base64url-encoded, self-describing. */
+export type EncryptedValue = string;
+/** A signed value — base64url-encoded `<value>.<signature>`. */
+export type SignedValue = string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nexusts/crypto",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "description": "AES-256-GCM encryption + HMAC + scrypt/argon2",
   "type": "module",
   "main": "./dist/index.js",
@@ -12,20 +12,15 @@
       "import": "./dist/index.js"
     }
   },
-  "files": [
-    "dist",
-    "README.md"
-  ],
+  "files": ["dist", "README.md"],
   "scripts": {
     "build": "bun run ../../build.ts"
   },
-  "keywords": [
-    "nexusts",
-    "framework",
-    "bun"
-  ],
+  "keywords": ["nexusts", "framework", "bun"],
   "license": "MIT",
+  
+  
   "dependencies": {
-    "@nexusts/core": "^0.7.0"
+    "@nexusts/core": "file:../core"
   }
 }