@nitrostack/core 1.0.0

package/dist/auth/client.d.ts

@@ -0,0 +1,151 @@
+import { ProtectedResourceMetadata, AuthorizationServerMetadata, ClientRegistrationRequest, ClientRegistrationResponse, TokenResponse, McpAuthClientConfig } from './types.js';
+import { PKCEParams } from './pkce.js';
+/**
+ * OAuth 2.1 Client for MCP
+ *
+ * Handles:
+ * - Protected Resource Metadata discovery (RFC 9728)
+ * - Authorization Server Metadata discovery (RFC 8414)
+ * - Dynamic Client Registration (RFC 7591)
+ * - Authorization Code Flow with PKCE (OAuth 2.1)
+ * - Token refresh and revocation
+ */
+export declare class OAuth2Client {
+    private config;
+    constructor(config: McpAuthClientConfig);
+    /**
+     * Discover Protected Resource Metadata (RFC 9728)
+     *
+     * Tries:
+     * 1. WWW-Authenticate header from 401 response
+     * 2. Well-known URI at resource path
+     * 3. Well-known URI at root
+     *
+     * @param resourceUrl - URL of the MCP server
+     */
+    discoverProtectedResourceMetadata(resourceUrl: string): Promise<ProtectedResourceMetadata>;
+    /**
+     * Discover Authorization Server Metadata (RFC 8414)
+     *
+     * Supports both:
+     * - OAuth 2.0 Authorization Server Metadata (RFC 8414)
+     * - OpenID Connect Discovery 1.0
+     *
+     * @param issuer - Authorization server issuer URL
+     */
+    discoverAuthorizationServerMetadata(issuer: string): Promise<AuthorizationServerMetadata>;
+    /**
+     * Register client dynamically (RFC 7591)
+     *
+     * @param registrationEndpoint - Client registration endpoint
+     * @param metadata - Client metadata
+     */
+    registerClient(registrationEndpoint: string, metadata: ClientRegistrationRequest): Promise<ClientRegistrationResponse>;
+    /**
+     * Start authorization flow
+     *
+     * Generates authorization URL with PKCE parameters
+     *
+     * @param authzEndpoint - Authorization endpoint
+     * @param clientId - OAuth client ID
+     * @param redirectUri - Redirect URI
+     * @param scope - Requested scopes
+     * @param resource - Resource indicator (RFC 8707)
+     * @returns Authorization URL and PKCE parameters (store for token exchange)
+     */
+    startAuthorizationFlow(options: {
+        authorizationEndpoint: string;
+        clientId: string;
+        redirectUri: string;
+        scope?: string;
+        resource?: string;
+        state?: string;
+    }): Promise<{
+        authUrl: string;
+        state: string;
+        pkce: PKCEParams;
+    }>;
+    /**
+     * Exchange authorization code for access token
+     *
+     * @param code - Authorization code from callback
+     * @param pkce - PKCE parameters from startAuthorizationFlow
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret (for confidential clients)
+     * @param redirectUri - Redirect URI (must match authorization request)
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    exchangeCodeForToken(options: {
+        code: string;
+        pkce: PKCEParams;
+        tokenEndpoint: string;
+        clientId: string;
+        clientSecret?: string;
+        redirectUri: string;
+        resource?: string;
+    }): Promise<TokenResponse>;
+    /**
+     * Refresh access token
+     *
+     * @param refreshToken - Refresh token
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param scope - Optional: request different scopes
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    refreshToken(options: {
+        refreshToken: string;
+        tokenEndpoint: string;
+        clientId: string;
+        clientSecret?: string;
+        scope?: string;
+        resource?: string;
+    }): Promise<TokenResponse>;
+    /**
+     * Get client credentials token (for server-to-server)
+     *
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param scope - Requested scopes
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    getClientCredentialsToken(options: {
+        tokenEndpoint: string;
+        clientId: string;
+        clientSecret: string;
+        scope?: string;
+        resource?: string;
+    }): Promise<TokenResponse>;
+    /**
+     * Revoke token (access or refresh)
+     *
+     * @param token - Token to revoke
+     * @param revocationEndpoint - Revocation endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param tokenTypeHint - 'access_token' or 'refresh_token'
+     */
+    revokeToken(options: {
+        token: string;
+        revocationEndpoint: string;
+        clientId: string;
+        clientSecret?: string;
+        tokenTypeHint?: 'access_token' | 'refresh_token';
+    }): Promise<void>;
+    /**
+     * Make token request
+     */
+    private tokenRequest;
+    /**
+     * Fetch metadata from URL
+     */
+    private fetchMetadata;
+    /**
+     * Generate random state for CSRF protection
+     */
+    private generateState;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/auth/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/auth/client.ts"],"names":[],"mappings":"AACA,OAAO,EACL,yBAAyB,EACzB,2BAA2B,EAC3B,yBAAyB,EACzB,0BAA0B,EAC1B,aAAa,EAIb,mBAAmB,EACpB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAsB,UAAU,EAAuB,MAAM,WAAW,CAAC;AAGhF;;;;;;;;;GASG;AAEH,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAsB;gBAExB,MAAM,EAAE,mBAAmB;IAIvC;;;;;;;;;OASG;IACG,iCAAiC,CACrC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,yBAAyB,CAAC;IAyCrC;;;;;;;;OAQG;IACG,mCAAmC,CACvC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,2BAA2B,CAAC;IAmDvC;;;;;OAKG;IACG,cAAc,CAClB,oBAAoB,EAAE,MAAM,EAC5B,QAAQ,EAAE,yBAAyB,GAClC,OAAO,CAAC,0BAA0B,CAAC;IAqBtC;;;;;;;;;;;OAWG;IACG,sBAAsB,CAAC,OAAO,EAAE;QACpC,qBAAqB,EAAE,MAAM,CAAC;QAC9B,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GAAG,OAAO,CAAC;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,UAAU,CAAC;KAClB,CAAC;IA+BF;;;;;;;;;;OAUG;IACG,oBAAoB,CAAC,OAAO,EAAE;QAClC,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,UAAU,CAAC;QACjB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,aAAa,CAAC;IA6B1B;;;;;;;;;OASG;IACG,YAAY,CAAC,OAAO,EAAE;QAC1B,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,aAAa,CAAC;IA8B1B;;;;;;;;OAQG;IACG,yBAAyB,CAAC,OAAO,EAAE;QACvC,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,aAAa,CAAC;IAyB1B;;;;;;;;OAQG;IACG,WAAW,CAAC,OAAO,EAAE;QACzB,KAAK,EAAE,MAAM,CAAC;QACd,kBAAkB,EAAE,MAAM,CAAC;QAC3B,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,aAAa,CAAC,EAAE,cAAc,GAAG,eAAe,CAAC;KAClD,GAAG,OAAO,CAAC,IAAI,CAAC;IAgCjB;;OAEG;YACW,YAAY;IAuB1B;;OAEG;YACW,aAAa;IAa3B;;OAEG;IACH,OAAO,CAAC,aAAa;CAGtB"}

package/dist/auth/client.js

@@ -0,0 +1,330 @@
+import crypto from 'crypto';
+import { generatePKCEParams, validatePKCESupport } from './pkce.js';
+import { parseWWWAuthenticateHeader, getWellKnownMetadataUris } from './server-metadata.js';
+/**
+ * OAuth 2.1 Client for MCP
+ *
+ * Handles:
+ * - Protected Resource Metadata discovery (RFC 9728)
+ * - Authorization Server Metadata discovery (RFC 8414)
+ * - Dynamic Client Registration (RFC 7591)
+ * - Authorization Code Flow with PKCE (OAuth 2.1)
+ * - Token refresh and revocation
+ */
+export class OAuth2Client {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Discover Protected Resource Metadata (RFC 9728)
+     *
+     * Tries:
+     * 1. WWW-Authenticate header from 401 response
+     * 2. Well-known URI at resource path
+     * 3. Well-known URI at root
+     *
+     * @param resourceUrl - URL of the MCP server
+     */
+    async discoverProtectedResourceMetadata(resourceUrl) {
+        // Step 1: Try making a request to get 401 with WWW-Authenticate header
+        try {
+            const response = await fetch(resourceUrl, {
+                method: 'GET',
+                headers: { Accept: 'application/json' },
+            });
+            if (response.status === 401) {
+                const wwwAuth = response.headers.get('WWW-Authenticate');
+                if (wwwAuth) {
+                    const parsed = parseWWWAuthenticateHeader(wwwAuth);
+                    if (parsed?.resourceMetadata) {
+                        // Found metadata URL in header
+                        return await this.fetchMetadata(parsed.resourceMetadata);
+                    }
+                }
+            }
+        }
+        catch (error) {
+            // Ignore errors, try well-known URIs
+        }
+        // Step 2: Try well-known URIs
+        const url = new URL(resourceUrl);
+        const wellKnownUris = getWellKnownMetadataUris(url);
+        for (const uri of wellKnownUris) {
+            try {
+                return await this.fetchMetadata(uri);
+            }
+            catch (error) {
+                // Try next URI
+                continue;
+            }
+        }
+        throw new Error(`Failed to discover protected resource metadata for ${resourceUrl}. ` +
+            'Server must implement RFC 9728 (Protected Resource Metadata).');
+    }
+    /**
+     * Discover Authorization Server Metadata (RFC 8414)
+     *
+     * Supports both:
+     * - OAuth 2.0 Authorization Server Metadata (RFC 8414)
+     * - OpenID Connect Discovery 1.0
+     *
+     * @param issuer - Authorization server issuer URL
+     */
+    async discoverAuthorizationServerMetadata(issuer) {
+        const issuerUrl = new URL(issuer);
+        const wellKnownUrls = [];
+        // For issuer URLs with path components
+        if (issuerUrl.pathname && issuerUrl.pathname !== '/') {
+            const path = issuerUrl.pathname;
+            // OAuth 2.0 with path insertion
+            wellKnownUrls.push(`${issuerUrl.origin}/.well-known/oauth-authorization-server${path}`);
+            // OpenID Connect with path insertion
+            wellKnownUrls.push(`${issuerUrl.origin}/.well-known/openid-configuration${path}`);
+            // OpenID Connect with path appending
+            wellKnownUrls.push(`${issuer}/.well-known/openid-configuration`);
+        }
+        else {
+            // For issuer URLs without path components
+            wellKnownUrls.push(`${issuerUrl.origin}/.well-known/oauth-authorization-server`);
+            wellKnownUrls.push(`${issuerUrl.origin}/.well-known/openid-configuration`);
+        }
+        // Try each URL
+        for (const url of wellKnownUrls) {
+            try {
+                const metadata = await this.fetchMetadata(url);
+                // Validate PKCE support (REQUIRED by OAuth 2.1)
+                if (!validatePKCESupport(metadata.code_challenge_methods_supported)) {
+                    throw new Error('Authorization server does not support PKCE (S256). ' +
+                        'OAuth 2.1 requires PKCE support. Cannot proceed.');
+                }
+                return metadata;
+            }
+            catch (error) {
+                // Try next URL
+                continue;
+            }
+        }
+        throw new Error(`Failed to discover authorization server metadata for ${issuer}. ` +
+            'Server must implement RFC 8414 or OpenID Connect Discovery.');
+    }
+    /**
+     * Register client dynamically (RFC 7591)
+     *
+     * @param registrationEndpoint - Client registration endpoint
+     * @param metadata - Client metadata
+     */
+    async registerClient(registrationEndpoint, metadata) {
+        const response = await fetch(registrationEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Accept': 'application/json',
+            },
+            body: JSON.stringify(metadata),
+        });
+        if (!response.ok) {
+            const error = await response.json().catch(() => ({}));
+            throw new Error(`Client registration failed: ${response.status} - ${error.error_description || error.error || 'Unknown error'}`);
+        }
+        const result = await response.json();
+        return result;
+    }
+    /**
+     * Start authorization flow
+     *
+     * Generates authorization URL with PKCE parameters
+     *
+     * @param authzEndpoint - Authorization endpoint
+     * @param clientId - OAuth client ID
+     * @param redirectUri - Redirect URI
+     * @param scope - Requested scopes
+     * @param resource - Resource indicator (RFC 8707)
+     * @returns Authorization URL and PKCE parameters (store for token exchange)
+     */
+    async startAuthorizationFlow(options) {
+        // Generate PKCE parameters (S256 required by OAuth 2.1)
+        const pkce = generatePKCEParams('S256');
+        // Generate state for CSRF protection
+        const state = options.state || this.generateState();
+        // Build authorization URL
+        const params = new URLSearchParams({
+            response_type: 'code',
+            client_id: options.clientId,
+            redirect_uri: options.redirectUri,
+            state,
+            code_challenge: pkce.code_challenge,
+            code_challenge_method: pkce.code_challenge_method,
+        });
+        if (options.scope) {
+            params.append('scope', options.scope);
+        }
+        if (options.resource) {
+            // RFC 8707 - Resource Indicators
+            params.append('resource', options.resource);
+        }
+        const authUrl = `${options.authorizationEndpoint}?${params.toString()}`;
+        return { authUrl, state, pkce };
+    }
+    /**
+     * Exchange authorization code for access token
+     *
+     * @param code - Authorization code from callback
+     * @param pkce - PKCE parameters from startAuthorizationFlow
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret (for confidential clients)
+     * @param redirectUri - Redirect URI (must match authorization request)
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    async exchangeCodeForToken(options) {
+        const params = new URLSearchParams({
+            grant_type: 'authorization_code',
+            code: options.code,
+            redirect_uri: options.redirectUri,
+            client_id: options.clientId,
+            code_verifier: options.pkce.code_verifier,
+        });
+        if (options.resource) {
+            params.append('resource', options.resource);
+        }
+        const headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': 'application/json',
+        };
+        // Client authentication
+        if (options.clientSecret) {
+            const credentials = Buffer.from(`${options.clientId}:${options.clientSecret}`).toString('base64');
+            headers['Authorization'] = `Basic ${credentials}`;
+        }
+        return await this.tokenRequest(options.tokenEndpoint, params, headers);
+    }
+    /**
+     * Refresh access token
+     *
+     * @param refreshToken - Refresh token
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param scope - Optional: request different scopes
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    async refreshToken(options) {
+        const params = new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: options.refreshToken,
+            client_id: options.clientId,
+        });
+        if (options.scope) {
+            params.append('scope', options.scope);
+        }
+        if (options.resource) {
+            params.append('resource', options.resource);
+        }
+        const headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': 'application/json',
+        };
+        if (options.clientSecret) {
+            const credentials = Buffer.from(`${options.clientId}:${options.clientSecret}`).toString('base64');
+            headers['Authorization'] = `Basic ${credentials}`;
+        }
+        return await this.tokenRequest(options.tokenEndpoint, params, headers);
+    }
+    /**
+     * Get client credentials token (for server-to-server)
+     *
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param scope - Requested scopes
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    async getClientCredentialsToken(options) {
+        const params = new URLSearchParams({
+            grant_type: 'client_credentials',
+            client_id: options.clientId,
+        });
+        if (options.scope) {
+            params.append('scope', options.scope);
+        }
+        if (options.resource) {
+            params.append('resource', options.resource);
+        }
+        const headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': 'application/json',
+            'Authorization': `Basic ${Buffer.from(`${options.clientId}:${options.clientSecret}`).toString('base64')}`,
+        };
+        return await this.tokenRequest(options.tokenEndpoint, params, headers);
+    }
+    /**
+     * Revoke token (access or refresh)
+     *
+     * @param token - Token to revoke
+     * @param revocationEndpoint - Revocation endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param tokenTypeHint - 'access_token' or 'refresh_token'
+     */
+    async revokeToken(options) {
+        const params = new URLSearchParams({
+            token: options.token,
+            client_id: options.clientId,
+        });
+        if (options.tokenTypeHint) {
+            params.append('token_type_hint', options.tokenTypeHint);
+        }
+        const headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        };
+        if (options.clientSecret) {
+            const credentials = Buffer.from(`${options.clientId}:${options.clientSecret}`).toString('base64');
+            headers['Authorization'] = `Basic ${credentials}`;
+        }
+        const response = await fetch(options.revocationEndpoint, {
+            method: 'POST',
+            headers,
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`Token revocation failed: ${response.status} ${response.statusText}`);
+        }
+    }
+    /**
+     * Make token request
+     */
+    async tokenRequest(endpoint, params, headers) {
+        const response = await fetch(endpoint, {
+            method: 'POST',
+            headers,
+            body: params.toString(),
+        });
+        const data = await response.json();
+        if (!response.ok) {
+            const error = data;
+            throw new Error(`Token request failed: ${error.error} - ${error.error_description || 'Unknown error'}`);
+        }
+        return data;
+    }
+    /**
+     * Fetch metadata from URL
+     */
+    async fetchMetadata(url) {
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: { Accept: 'application/json' },
+        });
+        if (!response.ok) {
+            throw new Error(`Failed to fetch metadata from ${url}: ${response.status}`);
+        }
+        return await response.json();
+    }
+    /**
+     * Generate random state for CSRF protection
+     */
+    generateState() {
+        return crypto.randomBytes(16).toString('hex');
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/auth/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/auth/client.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAY5B,OAAO,EAAE,kBAAkB,EAAc,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAChF,OAAO,EAAE,0BAA0B,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAE5F;;;;;;;;;GASG;AAEH,MAAM,OAAO,YAAY;IACf,MAAM,CAAsB;IAEpC,YAAY,MAA2B;QACrC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,iCAAiC,CACrC,WAAmB;QAEnB,uEAAuE;QACvE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE;gBACxC,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;aACxC,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;gBACzD,IAAI,OAAO,EAAE,CAAC;oBACZ,MAAM,MAAM,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAC;oBACnD,IAAI,MAAM,EAAE,gBAAgB,EAAE,CAAC;wBAC7B,+BAA+B;wBAC/B,OAAO,MAAM,IAAI,CAAC,aAAa,CAA4B,MAAM,CAAC,gBAAgB,CAAC,CAAC;oBACtF,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qCAAqC;QACvC,CAAC;QAED,8BAA8B;QAC9B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;QACjC,MAAM,aAAa,GAAG,wBAAwB,CAAC,GAAG,CAAC,CAAC;QAEpD,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,aAAa,CAA4B,GAAG,CAAC,CAAC;YAClE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,eAAe;gBACf,SAAS;YACX,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,sDAAsD,WAAW,IAAI;YACrE,+DAA+D,CAChE,CAAC;IACJ,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,mCAAmC,CACvC,MAAc;QAEd,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,aAAa,GAAa,EAAE,CAAC;QAEnC,uCAAuC;QACvC,IAAI,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;YACrD,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;YAChC,gCAAgC;YAChC,aAAa,CAAC,IAAI,CAChB,GAAG,SAAS,CAAC,MAAM,0CAA0C,IAAI,EAAE,CACpE,CAAC;YACF,qCAAqC;YACrC,aAAa,CAAC,IAAI,CAChB,GAAG,SAAS,CAAC,MAAM,oCAAoC,IAAI,EAAE,CAC9D,CAAC;YACF,qCAAqC;YACrC,aAAa,CAAC,IAAI,CAAC,GAAG,MAAM,mCAAmC,CAAC,CAAC;QACnE,CAAC;aAAM,CAAC;YACN,0CAA0C;YAC1C,aAAa,CAAC,IAAI,CAChB,GAAG,SAAS,CAAC,MAAM,yCAAyC,CAC7D,CAAC;YACF,aAAa,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,MAAM,mCAAmC,CAAC,CAAC;QAC7E,CAAC;QAED,eAAe;QACf,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAA8B,GAAG,CAAC,CAAC;gBAE5E,gDAAgD;gBAChD,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,gCAAgC,CAAC,EAAE,CAAC;oBACpE,MAAM,IAAI,KAAK,CACb,qDAAqD;wBACrD,kDAAkD,CACnD,CAAC;gBACJ,CAAC;gBAED,OAAO,QAAQ,CAAC;YAClB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,eAAe;gBACf,SAAS;YACX,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,wDAAwD,MAAM,IAAI;YAClE,6DAA6D,CAC9D,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc,CAClB,oBAA4B,EAC5B,QAAmC;QAEnC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,oBAAoB,EAAE;YACjD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,QAAQ,EAAE,kBAAkB;aAC7B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;SAC/B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAmD,CAAC;YACxG,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,MAAM,KAAK,CAAC,iBAAiB,IAAI,KAAK,CAAC,KAAK,IAAI,eAAe,EAAE,CAChH,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAgC,CAAC;QACnE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,sBAAsB,CAAC,OAO5B;QAKC,wDAAwD;QACxD,MAAM,IAAI,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAExC,qCAAqC;QACrC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;QAEpD,0BAA0B;QAC1B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,aAAa,EAAE,MAAM;YACrB,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,YAAY,EAAE,OAAO,CAAC,WAAW;YACjC,KAAK;YACL,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;SAClD,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxC,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,iCAAiC;YACjC,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,OAAO,GAAG,GAAG,OAAO,CAAC,qBAAqB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAExE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAClC,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,oBAAoB,CAAC,OAQ1B;QACC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,oBAAoB;YAChC,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,YAAY,EAAE,OAAO,CAAC,WAAW;YACjC,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,aAAa,EAAE,OAAO,CAAC,IAAI,CAAC,aAAa;SAC1C,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;YACnD,QAAQ,EAAE,kBAAkB;SAC7B,CAAC;QAEF,wBAAwB;QACxB,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC7B,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAC9C,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACrB,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IACzE,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAAC,OAOlB;QACC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,OAAO,CAAC,YAAY;YACnC,SAAS,EAAE,OAAO,CAAC,QAAQ;SAC5B,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxC,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;YACnD,QAAQ,EAAE,kBAAkB;SAC7B,CAAC;QAEF,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC7B,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAC9C,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACrB,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IACzE,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,yBAAyB,CAAC,OAM/B;QACC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,OAAO,CAAC,QAAQ;SAC5B,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxC,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;YACnD,QAAQ,EAAE,kBAAkB;YAC5B,eAAe,EAAE,SAAS,MAAM,CAAC,IAAI,CACnC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAC9C,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE;SACvB,CAAC;QAEF,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IACzE,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,WAAW,CAAC,OAMjB;QACC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,SAAS,EAAE,OAAO,CAAC,QAAQ;SAC5B,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YAC1B,MAAM,CAAC,MAAM,CAAC,iBAAiB,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC7B,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAC9C,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACrB,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,kBAAkB,EAAE;YACvD,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,YAAY,CACxB,QAAgB,EAChB,MAAuB,EACvB,OAA+B;QAE/B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,KAAK,GAAG,IAAmB,CAAC;YAClC,MAAM,IAAI,KAAK,CACb,yBAAyB,KAAK,CAAC,KAAK,MAAM,KAAK,CAAC,iBAAiB,IAAI,eAAe,EAAE,CACvF,CAAC;QACJ,CAAC;QAED,OAAO,IAAqB,CAAC;IAC/B,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,aAAa,CAAc,GAAW;QAClD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;SACxC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,KAAK,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9E,CAAC;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAO,CAAC;IACpC,CAAC;IAED;;OAEG;IACK,aAAa;QACnB,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;CACF"}

package/dist/auth/index.d.ts

@@ -0,0 +1,31 @@
+/**
+ * NitroStack Authentication Module
+ *
+ * Multiple authentication options:
+ * 1. Simple JWT - For 70% of use cases (internal tools, APIs)
+ * 2. API Keys - For simple scenarios (service-to-service)
+ * 3. OAuth 2.1 - For enterprise/SaaS (full compliance)
+ *
+ * Standards:
+ * - OAuth 2.1 (IETF draft-ietf-oauth-v2-1-13)
+ * - RFC 9728 - Protected Resource Metadata
+ * - RFC 8414 - Authorization Server Metadata
+ * - RFC 7591 - Dynamic Client Registration
+ * - RFC 8707 - Resource Indicators (Token Audience Binding)
+ * - RFC 7636 - PKCE
+ * - RFC 7662 - Token Introspection
+ * - RFC 6750 - Bearer Token Usage
+ */
+export { SecretValue, isSecretValue, unwrapSecret, type SecretString, type FromValueOptions, } from './secure-secret.js';
+export { createSimpleJWTAuth, generateJWT, verifyJWT, decodeJWT, type SimpleJWTConfig, type JWTPayload, type StandardJWTClaims, type CustomJWTClaims, type GenerateJWTOptions, } from './simple-jwt.js';
+export { createAPIKeyAuth, generateAPIKey, hashAPIKey, isValidAPIKeyFormat, generateAPIKeyWithMetadata, validateAPIKeyWithMetadata, type APIKeyConfig, type APIKeyWithMetadata, } from './api-key.js';
+export { setupJWTAuth, setupAPIKeyAuth, setupOAuthAuth, generateTestCredentials, printAuthSetupInstructions, validateAuthEnv, } from './quick-setup.js';
+export * from './types.js';
+export * from './pkce.js';
+export * from './server-metadata.js';
+export * from './token-validation.js';
+export { createAuthMiddleware, requireScopes, optionalAuth, RequireScopes, isAuthenticated, hasScope, hasAnyScope, hasAllScopes, } from './middleware.js';
+export { OAuth2Client } from './client.js';
+export { TokenStore, MemoryTokenStore, FileTokenStore, createDefaultTokenStore, isTokenExpired, calculateExpiration, tokenResponseToStored, } from './token-store.js';
+export { configureServerAuth, createScopeGuards, createMCPScopeGuards, getStandardMCPScopes, validateAuthConfig, } from './server-integration.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH,OAAO,EACL,WAAW,EACX,aAAa,EACb,YAAY,EACZ,KAAK,YAAY,EACjB,KAAK,gBAAgB,GACtB,MAAM,oBAAoB,CAAC;AAK5B,OAAO,EACL,mBAAmB,EACnB,WAAW,EACX,SAAS,EACT,SAAS,EACT,KAAK,eAAe,EACpB,KAAK,UAAU,EACf,KAAK,iBAAiB,EACtB,KAAK,eAAe,EACpB,KAAK,kBAAkB,GACxB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,UAAU,EACV,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,EAC1B,KAAK,YAAY,EACjB,KAAK,kBAAkB,GACxB,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,YAAY,EACZ,eAAe,EACf,cAAc,EACd,uBAAuB,EACvB,0BAA0B,EAC1B,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAK1B,cAAc,YAAY,CAAC;AAG3B,cAAc,WAAW,CAAC;AAG1B,cAAc,sBAAsB,CAAC;AAGrC,cAAc,uBAAuB,CAAC;AAGtC,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,YAAY,EACZ,aAAa,EACb,eAAe,EACf,QAAQ,EACR,WAAW,EACX,YAAY,GACb,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,EACL,UAAU,EACV,gBAAgB,EAChB,cAAc,EACd,uBAAuB,EACvB,cAAc,EACd,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,oBAAoB,EACpB,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,yBAAyB,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,46 @@
+/**
+ * NitroStack Authentication Module
+ *
+ * Multiple authentication options:
+ * 1. Simple JWT - For 70% of use cases (internal tools, APIs)
+ * 2. API Keys - For simple scenarios (service-to-service)
+ * 3. OAuth 2.1 - For enterprise/SaaS (full compliance)
+ *
+ * Standards:
+ * - OAuth 2.1 (IETF draft-ietf-oauth-v2-1-13)
+ * - RFC 9728 - Protected Resource Metadata
+ * - RFC 8414 - Authorization Server Metadata
+ * - RFC 7591 - Dynamic Client Registration
+ * - RFC 8707 - Resource Indicators (Token Audience Binding)
+ * - RFC 7636 - PKCE
+ * - RFC 7662 - Token Introspection
+ * - RFC 6750 - Bearer Token Usage
+ */
+// ==================== SECURE SECRET HANDLING ====================
+// Secure secret value wrapper (prevents hardcoding secrets)
+export { SecretValue, isSecretValue, unwrapSecret, } from './secure-secret.js';
+// ==================== SIMPLE AUTH (Recommended for most users) ====================
+// Simple JWT Auth (no OAuth complexity!)
+export { createSimpleJWTAuth, generateJWT, verifyJWT, decodeJWT, } from './simple-jwt.js';
+// API Key Auth (simplest option)
+export { createAPIKeyAuth, generateAPIKey, hashAPIKey, isValidAPIKeyFormat, generateAPIKeyWithMetadata, validateAPIKeyWithMetadata, } from './api-key.js';
+// Quick Setup Helpers (1-liner auth!)
+export { setupJWTAuth, setupAPIKeyAuth, setupOAuthAuth, generateTestCredentials, printAuthSetupInstructions, validateAuthEnv, } from './quick-setup.js';
+// ==================== OAUTH 2.1 (Advanced users) ====================
+// Types
+export * from './types.js';
+// PKCE utilities
+export * from './pkce.js';
+// Server metadata
+export * from './server-metadata.js';
+// Token validation
+export * from './token-validation.js';
+// Middleware (for servers)
+export { createAuthMiddleware, requireScopes, optionalAuth, RequireScopes, isAuthenticated, hasScope, hasAnyScope, hasAllScopes, } from './middleware.js';
+// OAuth client (for clients)
+export { OAuth2Client } from './client.js';
+// Token storage
+export { MemoryTokenStore, FileTokenStore, createDefaultTokenStore, isTokenExpired, calculateExpiration, tokenResponseToStored, } from './token-store.js';
+// Server integration helpers
+export { configureServerAuth, createScopeGuards, createMCPScopeGuards, getStandardMCPScopes, validateAuthConfig, } from './server-integration.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,mEAAmE;AAEnE,4DAA4D;AAC5D,OAAO,EACL,WAAW,EACX,aAAa,EACb,YAAY,GAGb,MAAM,oBAAoB,CAAC;AAE5B,qFAAqF;AAErF,yCAAyC;AACzC,OAAO,EACL,mBAAmB,EACnB,WAAW,EACX,SAAS,EACT,SAAS,GAMV,MAAM,iBAAiB,CAAC;AAEzB,iCAAiC;AACjC,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,UAAU,EACV,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,GAG3B,MAAM,cAAc,CAAC;AAEtB,sCAAsC;AACtC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,cAAc,EACd,uBAAuB,EACvB,0BAA0B,EAC1B,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,uEAAuE;AAEvE,QAAQ;AACR,cAAc,YAAY,CAAC;AAE3B,iBAAiB;AACjB,cAAc,WAAW,CAAC;AAE1B,kBAAkB;AAClB,cAAc,sBAAsB,CAAC;AAErC,mBAAmB;AACnB,cAAc,uBAAuB,CAAC;AAEtC,2BAA2B;AAC3B,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,YAAY,EACZ,aAAa,EACb,eAAe,EACf,QAAQ,EACR,WAAW,EACX,YAAY,GACb,MAAM,iBAAiB,CAAC;AAEzB,6BAA6B;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,gBAAgB;AAChB,OAAO,EAEL,gBAAgB,EAChB,cAAc,EACd,uBAAuB,EACvB,cAAc,EACd,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAE1B,6BAA6B;AAC7B,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,oBAAoB,EACpB,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,yBAAyB,CAAC"}