@nitrostack/core 1.0.0

package/dist/auth/token-validation.js

@@ -0,0 +1,241 @@
+/**
+ * Token Validation Utilities
+ *
+ * Validates Bearer tokens using either:
+ * 1. Token Introspection (RFC 7662)
+ * 2. JWT validation with JWKS (RFC 7517, RFC 7519)
+ *
+ * Note: Uses dynamic import for 'jose' to avoid ES module issues
+ */
+// Lazy-load jose to avoid ES module import issues
+let jose = null;
+async function getJose() {
+    if (!jose) {
+        jose = await import('jose');
+    }
+    return jose;
+}
+/**
+ * In-memory cache for token introspection results
+ * Reduces load on authorization server
+ */
+const tokenCache = new Map();
+/**
+ * Validate a Bearer token
+ *
+ * @param token - The access token to validate
+ * @param config - Auth configuration
+ * @returns Validation result with token introspection data
+ */
+export async function validateToken(token, config) {
+    // Check cache first
+    const cached = getFromCache(token);
+    if (cached) {
+        return { valid: true, introspection: cached };
+    }
+    try {
+        let introspection;
+        if (config.tokenIntrospectionEndpoint) {
+            // Method 1: Token Introspection (RFC 7662)
+            introspection = await introspectToken(token, config);
+        }
+        else if (config.jwksUri) {
+            // Method 2: JWT validation with JWKS
+            introspection = await validateJWT(token, config);
+        }
+        else {
+            return {
+                valid: false,
+                error: 'No token validation method configured. Set tokenIntrospectionEndpoint or jwksUri.',
+            };
+        }
+        if (!introspection.active) {
+            return { valid: false, error: 'Token is not active' };
+        }
+        // Validate audience (CRITICAL for security)
+        if (!validateAudience(introspection, config.audience)) {
+            return {
+                valid: false,
+                error: 'Token audience mismatch. Token not intended for this resource.',
+            };
+        }
+        // Cache the result
+        cacheToken(token, introspection, config.tokenCacheSeconds || 300);
+        return { valid: true, introspection };
+    }
+    catch (error) {
+        return { valid: false, error: error instanceof Error ? error.message : String(error) };
+    }
+}
+/**
+ * Introspect token using OAuth 2.0 Token Introspection (RFC 7662)
+ *
+ * @internal - Exported for testing
+ */
+export async function introspectToken(token, config) {
+    if (!config.tokenIntrospectionEndpoint) {
+        throw new Error('Token introspection endpoint not configured');
+    }
+    // Prepare request with client authentication
+    const params = new URLSearchParams();
+    params.append('token', token);
+    params.append('token_type_hint', 'access_token');
+    const headers = {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Accept': 'application/json',
+    };
+    // Client authentication (if configured)
+    if (config.tokenIntrospectionClientId && config.tokenIntrospectionClientSecret) {
+        const credentials = Buffer.from(`${config.tokenIntrospectionClientId}:${config.tokenIntrospectionClientSecret}`).toString('base64');
+        headers['Authorization'] = `Basic ${credentials}`;
+    }
+    const response = await fetch(config.tokenIntrospectionEndpoint, {
+        method: 'POST',
+        headers,
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        throw new Error(`Token introspection failed: ${response.status} ${response.statusText}`);
+    }
+    const result = await response.json();
+    return result;
+}
+/**
+ * Validate JWT using JWKS
+ *
+ * @internal - Exported for testing
+ */
+export async function validateJWT(token, config) {
+    if (!config.jwksUri) {
+        throw new Error('JWKS URI not configured');
+    }
+    // Fetch JWKS
+    const joseLib = await getJose();
+    const JWKS = joseLib.createRemoteJWKSet(new URL(config.jwksUri));
+    // Verify JWT
+    const { payload } = await joseLib.jwtVerify(token, JWKS, {
+        issuer: config.issuer,
+        audience: config.audience,
+    });
+    // Convert JWT payload to TokenIntrospection format
+    const introspection = {
+        active: true,
+        scope: typeof payload.scope === 'string' ? payload.scope : undefined,
+        client_id: typeof payload.client_id === 'string' ? payload.client_id : payload.azp,
+        username: typeof payload.username === 'string' ? payload.username : undefined,
+        token_type: 'Bearer',
+        exp: payload.exp,
+        iat: payload.iat,
+        nbf: payload.nbf,
+        sub: payload.sub,
+        aud: Array.isArray(payload.aud) ? payload.aud : payload.aud ? [payload.aud] : undefined,
+        iss: payload.iss,
+        jti: typeof payload.jti === 'string' ? payload.jti : undefined,
+    };
+    return introspection;
+}
+/**
+ * Validate token audience (RFC 8707)
+ *
+ * CRITICAL: This prevents confused deputy attacks
+ * Token MUST be issued specifically for this resource
+ *
+ * @param introspection - Token introspection result
+ * @param expectedAudience - Expected audience value(s)
+ * @returns true if audience is valid
+ */
+export function validateAudience(introspection, expectedAudience) {
+    if (!expectedAudience) {
+        // If no audience expected, skip validation
+        // (Not recommended for production)
+        return true;
+    }
+    const expected = Array.isArray(expectedAudience) ? expectedAudience : [expectedAudience];
+    const tokenAud = Array.isArray(introspection.aud)
+        ? introspection.aud
+        : introspection.aud
+            ? [introspection.aud]
+            : [];
+    // Token audience must include at least one expected audience
+    return expected.some((aud) => tokenAud.includes(aud));
+}
+/**
+ * Validate scopes
+ *
+ * @param introspection - Token introspection result
+ * @param requiredScopes - Scopes required for the operation
+ * @returns true if token has all required scopes
+ */
+export function validateScopes(introspection, requiredScopes) {
+    if (!requiredScopes || requiredScopes.length === 0) {
+        return true;
+    }
+    if (!introspection.scope) {
+        return false;
+    }
+    const tokenScopes = introspection.scope.split(' ');
+    return requiredScopes.every((scope) => tokenScopes.includes(scope));
+}
+/**
+ * Extract Bearer token from Authorization header
+ */
+export function extractBearerToken(authHeader) {
+    if (!authHeader) {
+        return null;
+    }
+    const match = authHeader.match(/^Bearer\s+(.+)$/i);
+    return match ? match[1] : null;
+}
+/**
+ * Check if token is expired
+ */
+export function isTokenExpired(introspection) {
+    if (!introspection.exp) {
+        return false; // No expiration set
+    }
+    const now = Math.floor(Date.now() / 1000);
+    return introspection.exp < now;
+}
+/**
+ * Cache token introspection result
+ */
+function cacheToken(token, result, seconds) {
+    const expiresAt = Date.now() + seconds * 1000;
+    tokenCache.set(token, { result, expiresAt });
+    // Clean up cache periodically
+    if (tokenCache.size > 1000) {
+        cleanupCache();
+    }
+}
+/**
+ * Get token from cache if valid
+ */
+function getFromCache(token) {
+    const cached = tokenCache.get(token);
+    if (!cached) {
+        return null;
+    }
+    if (Date.now() > cached.expiresAt) {
+        tokenCache.delete(token);
+        return null;
+    }
+    return cached.result;
+}
+/**
+ * Remove expired entries from cache
+ */
+function cleanupCache() {
+    const now = Date.now();
+    for (const [token, cached] of tokenCache.entries()) {
+        if (now > cached.expiresAt) {
+            tokenCache.delete(token);
+        }
+    }
+}
+/**
+ * Clear token cache (useful for testing)
+ */
+export function clearTokenCache() {
+    tokenCache.clear();
+}
+//# sourceMappingURL=token-validation.js.map

package/dist/auth/token-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-validation.js","sourceRoot":"","sources":["../../src/auth/token-validation.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AAEH,kDAAkD;AAClD,IAAI,IAAI,GAAiC,IAAI,CAAC;AAC9C,KAAK,UAAU,OAAO;IACpB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAQD;;;GAGG;AACH,MAAM,UAAU,GAAG,IAAI,GAAG,EAA6D,CAAC;AAExF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,MAAqB;IAErB,oBAAoB;IACpB,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC;IAChD,CAAC;IAED,IAAI,CAAC;QACH,IAAI,aAAiC,CAAC;QAEtC,IAAI,MAAM,CAAC,0BAA0B,EAAE,CAAC;YACtC,2CAA2C;YAC3C,aAAa,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACvD,CAAC;aAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YAC1B,qCAAqC;YACrC,aAAa,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACnD,CAAC;aAAM,CAAC;YACN,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,mFAAmF;aAC3F,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,CAAC;YAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QACxD,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,gEAAgE;aACxE,CAAC;QACJ,CAAC;QAED,mBAAmB;QACnB,UAAU,CAAC,KAAK,EAAE,aAAa,EAAE,MAAM,CAAC,iBAAiB,IAAI,GAAG,CAAC,CAAC;QAElE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;IACxC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;IACzF,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAa,EACb,MAAqB;IAErB,IAAI,CAAC,MAAM,CAAC,0BAA0B,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,6CAA6C;IAC7C,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9B,MAAM,CAAC,MAAM,CAAC,iBAAiB,EAAE,cAAc,CAAC,CAAC;IAEjD,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;QACnD,QAAQ,EAAE,kBAAkB;KAC7B,CAAC;IAEF,wCAAwC;IACxC,IAAI,MAAM,CAAC,0BAA0B,IAAI,MAAM,CAAC,8BAA8B,EAAE,CAAC;QAC/E,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC7B,GAAG,MAAM,CAAC,0BAA0B,IAAI,MAAM,CAAC,8BAA8B,EAAE,CAChF,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACrB,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,0BAA0B,EAAE;QAC9D,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;KACxB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IAC3F,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACrC,OAAO,MAA4B,CAAC;AACtC,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAa,EACb,MAAqB;IAErB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IAED,aAAa;IACb,MAAM,OAAO,GAAG,MAAM,OAAO,EAAE,CAAC;IAChC,MAAM,IAAI,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAEjE,aAAa;IACb,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;QACvD,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC,CAAC;IAEH,mDAAmD;IACnD,MAAM,aAAa,GAAuB;QACxC,MAAM,EAAE,IAAI;QACZ,KAAK,EAAE,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QACpE,SAAS,EAAE,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,GAAa;QAC5F,QAAQ,EAAE,OAAO,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QAC7E,UAAU,EAAE,QAAQ;QACpB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAa,CAAC,CAAC,CAAC,CAAC,SAAS;QACjG,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;KAC/D,CAAC;IAEF,OAAO,aAAa,CAAC;AACvB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAC9B,aAAiC,EACjC,gBAAoC;IAEpC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,2CAA2C;QAC3C,mCAAmC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC;IACzF,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC;QAC/C,CAAC,CAAC,aAAa,CAAC,GAAG;QACnB,CAAC,CAAC,aAAa,CAAC,GAAG;YACjB,CAAC,CAAC,CAAC,aAAa,CAAC,GAAG,CAAC;YACrB,CAAC,CAAC,EAAE,CAAC;IAET,6DAA6D;IAC7D,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,aAAiC,EACjC,cAAwB;IAExB,IAAI,CAAC,cAAc,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnD,OAAO,cAAc,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;AACtE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAA8B;IAC/D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACnD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,aAAiC;IAC9D,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC,CAAC,oBAAoB;IACpC,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,OAAO,aAAa,CAAC,GAAG,GAAG,GAAG,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,KAAa,EAAE,MAA0B,EAAE,OAAe;IAC5E,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,GAAG,IAAI,CAAC;IAC9C,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAE7C,8BAA8B;IAC9B,IAAI,UAAU,CAAC,IAAI,GAAG,IAAI,EAAE,CAAC;QAC3B,YAAY,EAAE,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,KAAa;IACjC,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACrC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QAClC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC;AACvB,CAAC;AAED;;GAEG;AACH,SAAS,YAAY;IACnB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;QACnD,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YAC3B,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,UAAU,CAAC,KAAK,EAAE,CAAC;AACrB,CAAC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,215 @@
+/**
+ * Authentication Types for NitroStack
+ * Based on OAuth 2.1 and MCP Authorization Specification
+ */
+/**
+ * OAuth 2.1 Token Response
+ */
+export interface TokenResponse {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in?: number;
+    refresh_token?: string;
+    scope?: string;
+}
+/**
+ * Token introspection result
+ */
+export interface TokenIntrospection {
+    active: boolean;
+    scope?: string;
+    client_id?: string;
+    username?: string;
+    token_type?: string;
+    exp?: number;
+    iat?: number;
+    nbf?: number;
+    sub?: string;
+    aud?: string | string[];
+    iss?: string;
+    jti?: string;
+}
+/**
+ * Protected Resource Metadata (RFC 9728)
+ */
+export interface ProtectedResourceMetadata {
+    resource: string;
+    authorization_servers: string[];
+    scopes_supported?: string[];
+    bearer_methods_supported?: ('header' | 'body' | 'query')[];
+    resource_signing_alg_values_supported?: string[];
+    resource_encryption_alg_values_supported?: string[];
+    resource_encryption_enc_values_supported?: string[];
+}
+/**
+ * Authorization Server Metadata (RFC 8414)
+ */
+export interface AuthorizationServerMetadata {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    jwks_uri?: string;
+    registration_endpoint?: string;
+    scopes_supported?: string[];
+    response_types_supported: string[];
+    response_modes_supported?: string[];
+    grant_types_supported?: string[];
+    token_endpoint_auth_methods_supported?: string[];
+    revocation_endpoint?: string;
+    revocation_endpoint_auth_methods_supported?: string[];
+    introspection_endpoint?: string;
+    introspection_endpoint_auth_methods_supported?: string[];
+    code_challenge_methods_supported: string[];
+    service_documentation?: string;
+    ui_locales_supported?: string[];
+}
+/**
+ * Dynamic Client Registration Request (RFC 7591)
+ */
+export interface ClientRegistrationRequest {
+    redirect_uris: string[];
+    token_endpoint_auth_method?: string;
+    grant_types?: string[];
+    response_types?: string[];
+    client_name?: string;
+    client_uri?: string;
+    logo_uri?: string;
+    scope?: string;
+    contacts?: string[];
+    tos_uri?: string;
+    policy_uri?: string;
+    jwks_uri?: string;
+    software_id?: string;
+    software_version?: string;
+}
+/**
+ * Dynamic Client Registration Response
+ */
+export interface ClientRegistrationResponse {
+    client_id: string;
+    client_secret?: string;
+    client_id_issued_at?: number;
+    client_secret_expires_at?: number;
+    redirect_uris: string[];
+    token_endpoint_auth_method?: string;
+    grant_types?: string[];
+    response_types?: string[];
+    client_name?: string;
+    client_uri?: string;
+    logo_uri?: string;
+    scope?: string;
+    contacts?: string[];
+    tos_uri?: string;
+    policy_uri?: string;
+    jwks_uri?: string;
+    software_id?: string;
+    software_version?: string;
+    registration_client_uri?: string;
+    registration_access_token?: string;
+}
+/**
+ * PKCE (Proof Key for Code Exchange) parameters
+ */
+export interface PKCEParams {
+    code_verifier: string;
+    code_challenge: string;
+    code_challenge_method: 'S256' | 'plain';
+}
+/**
+ * Authorization request parameters
+ */
+export interface AuthorizationRequest {
+    response_type: 'code';
+    client_id: string;
+    redirect_uri: string;
+    scope?: string;
+    state: string;
+    code_challenge: string;
+    code_challenge_method: 'S256' | 'plain';
+    resource?: string;
+}
+/**
+ * Token request parameters
+ */
+export interface TokenRequest {
+    grant_type: 'authorization_code' | 'refresh_token' | 'client_credentials';
+    code?: string;
+    redirect_uri?: string;
+    client_id: string;
+    client_secret?: string;
+    code_verifier?: string;
+    refresh_token?: string;
+    resource?: string;
+    scope?: string;
+}
+/**
+ * OAuth 2.1 Error Response
+ */
+export interface OAuth2Error {
+    error: string;
+    error_description?: string;
+    error_uri?: string;
+    state?: string;
+}
+/**
+ * WWW-Authenticate Challenge (RFC 6750)
+ */
+export interface WWWAuthenticateChallenge {
+    scheme: 'Bearer';
+    realm?: string;
+    scope?: string;
+    error?: string;
+    error_description?: string;
+    resource_metadata?: string;
+}
+/**
+ * Auth configuration for MCP Server
+ */
+export interface McpAuthConfig {
+    resourceUri: string;
+    authorizationServers: string[];
+    scopesSupported?: string[];
+    tokenIntrospectionEndpoint?: string;
+    tokenIntrospectionClientId?: string;
+    tokenIntrospectionClientSecret?: string;
+    jwksUri?: string;
+    audience?: string;
+    issuer?: string;
+    requireHttps?: boolean;
+    tokenCacheSeconds?: number;
+}
+/**
+ * Auth configuration for MCP Client
+ */
+export interface McpAuthClientConfig {
+    clientId?: string;
+    clientSecret?: string;
+    authorizationServerUrl: string;
+    redirectUri?: string;
+    scopes?: string[];
+    resource?: string;
+    autoRegister?: boolean;
+    registrationMetadata?: Partial<ClientRegistrationRequest>;
+}
+/**
+ * Stored token information
+ */
+export interface StoredToken {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_at: number;
+    refresh_token?: string;
+    scope?: string;
+    resource?: string;
+}
+/**
+ * Auth context passed to handlers
+ */
+export interface AuthContext {
+    authenticated: boolean;
+    tokenInfo?: TokenIntrospection;
+    scopes: string[];
+    clientId?: string;
+    subject?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,CAAC,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;IAC3D,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAC;IACjD,wCAAwC,CAAC,EAAE,MAAM,EAAE,CAAC;IACpD,wCAAwC,CAAC,EAAE,MAAM,EAAE,CAAC;CACrD;AAED;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,EAAE,MAAM,EAAE,CAAC;IACnC,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAC;IACjD,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,0CAA0C,CAAC,EAAE,MAAM,EAAE,CAAC;IACtD,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,6CAA6C,CAAC,EAAE,MAAM,EAAE,CAAC;IACzD,gCAAgC,EAAE,MAAM,EAAE,CAAC;IAC3C,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,yBAAyB,CAAC,EAAE,MAAM,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,GAAG,OAAO,CAAC;CACzC;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,GAAG,OAAO,CAAC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,oBAAoB,GAAG,eAAe,GAAG,oBAAoB,CAAC;IAC1E,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,MAAM,EAAE,QAAQ,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAE5B,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAG3B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,8BAA8B,CAAC,EAAE,MAAM,CAAC;IAGxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAGhB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAElC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IAGtB,sBAAsB,EAAE,MAAM,CAAC;IAG/B,WAAW,CAAC,EAAE,MAAM,CAAC;IAGrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAGlB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAGlB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,oBAAoB,CAAC,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAC;CAC3D;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,aAAa,EAAE,OAAO,CAAC;IACvB,SAAS,CAAC,EAAE,kBAAkB,CAAC;IAC/B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB"}

package/dist/auth/types.js

@@ -0,0 +1,6 @@
+/**
+ * Authentication Types for NitroStack
+ * Based on OAuth 2.1 and MCP Authorization Specification
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/core/apikey-module.d.ts

@@ -0,0 +1,69 @@
+import 'reflect-metadata';
+/**
+ * API Key Module Configuration
+ */
+export interface ApiKeyModuleConfig {
+    /** Array of valid API keys (or env var names to read from) */
+    keys?: string[];
+    /** Environment variable prefix to read keys from (e.g., 'API_KEY' reads API_KEY_1, API_KEY_2, etc.) */
+    keysEnvPrefix?: string;
+    /** If true, keys are stored as SHA-256 hashes */
+    hashed?: boolean;
+    /** Header name to extract API key from (default: 'x-api-key') */
+    headerName?: string;
+    /** Metadata field name in MCP requests (default: 'apiKey') */
+    metadataField?: string;
+    /** Custom validation function */
+    customValidation?: (key: string) => Promise<boolean> | boolean;
+}
+/**
+ * API Key Module - Enable API key authentication in your MCP server
+ *
+ * Import this module to indicate your server uses API key authentication.
+ * Then use @UseGuards(ApiKeyGuard) on your tools to protect them.
+ *
+ * @example
+ * ```typescript
+ * import { McpApplicationFactory, ApiKeyModule } from 'nitrostack';
+ * import { AppModule } from './app.module.js';
+ *
+ * async function bootstrap() {
+ *   const app = await McpApplicationFactory.create(AppModule, {
+ *     // Enable API key authentication
+ *     apiKey: ApiKeyModule.forRoot({
+ *       keysEnvPrefix: 'API_KEY', // Reads API_KEY_1, API_KEY_2, etc.
+ *       headerName: 'x-api-key',
+ *     }),
+ *   });
+ *   await app.start();
+ * }
+ * ```
+ */
+export declare class ApiKeyModule {
+    private static config;
+    /**
+     * Configure API Key module for the application
+     */
+    static forRoot(config: ApiKeyModuleConfig): ApiKeyModuleConfig;
+    /**
+     * Get current API Key configuration
+     */
+    static getConfig(): ApiKeyModuleConfig;
+    /**
+     * Get valid API keys from config or environment
+     */
+    static getKeys(): string[];
+    /**
+     * Validate an API key
+     */
+    static validate(key: string): Promise<boolean>;
+    /**
+     * Hash an API key (SHA-256)
+     */
+    static hashKey(key: string): string;
+    /**
+     * Generate a secure API key
+     */
+    static generateKey(prefix?: string): string;
+}
+//# sourceMappingURL=apikey-module.d.ts.map

package/dist/core/apikey-module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apikey-module.d.ts","sourceRoot":"","sources":["../../src/core/apikey-module.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAG1B;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,8DAA8D;IAC9D,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAEhB,uGAAuG;IACvG,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,iDAAiD;IACjD,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB,iEAAiE;IACjE,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,8DAA8D;IAC9D,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,iCAAiC;IACjC,gBAAgB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;CAChE;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAC,MAAM,CAKnB;IAEF;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,GAAG,kBAAkB;IAK9D;;OAEG;IACH,MAAM,CAAC,SAAS,IAAI,kBAAkB;IAItC;;OAEG;IACH,MAAM,CAAC,OAAO,IAAI,MAAM,EAAE;IA6B1B;;OAEG;WACU,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA2BpD;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;IAInC;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,MAAM,GAAE,MAAa,GAAG,MAAM;CAKlD"}

package/dist/core/apikey-module.js

@@ -0,0 +1,114 @@
+import 'reflect-metadata';
+import crypto from 'crypto';
+/**
+ * API Key Module - Enable API key authentication in your MCP server
+ *
+ * Import this module to indicate your server uses API key authentication.
+ * Then use @UseGuards(ApiKeyGuard) on your tools to protect them.
+ *
+ * @example
+ * ```typescript
+ * import { McpApplicationFactory, ApiKeyModule } from 'nitrostack';
+ * import { AppModule } from './app.module.js';
+ *
+ * async function bootstrap() {
+ *   const app = await McpApplicationFactory.create(AppModule, {
+ *     // Enable API key authentication
+ *     apiKey: ApiKeyModule.forRoot({
+ *       keysEnvPrefix: 'API_KEY', // Reads API_KEY_1, API_KEY_2, etc.
+ *       headerName: 'x-api-key',
+ *     }),
+ *   });
+ *   await app.start();
+ * }
+ * ```
+ */
+export class ApiKeyModule {
+    static config = {
+        keysEnvPrefix: 'API_KEY',
+        headerName: 'x-api-key',
+        metadataField: 'apiKey',
+        hashed: false,
+    };
+    /**
+     * Configure API Key module for the application
+     */
+    static forRoot(config) {
+        this.config = { ...this.config, ...config };
+        return this.config;
+    }
+    /**
+     * Get current API Key configuration
+     */
+    static getConfig() {
+        return this.config;
+    }
+    /**
+     * Get valid API keys from config or environment
+     */
+    static getKeys() {
+        const keys = [];
+        // Add keys from config
+        if (this.config.keys && this.config.keys.length > 0) {
+            keys.push(...this.config.keys);
+        }
+        // Read from environment variables
+        if (this.config.keysEnvPrefix) {
+            let i = 1;
+            while (true) {
+                const envKey = `${this.config.keysEnvPrefix}_${i}`;
+                const value = process.env[envKey];
+                if (!value)
+                    break;
+                keys.push(value);
+                i++;
+            }
+            // Also check for non-numbered version
+            const singleKey = process.env[this.config.keysEnvPrefix];
+            if (singleKey && !keys.includes(singleKey)) {
+                keys.push(singleKey);
+            }
+        }
+        return keys;
+    }
+    /**
+     * Validate an API key
+     */
+    static async validate(key) {
+        const keys = this.getKeys();
+        if (keys.length === 0) {
+            return false; // No keys configured
+        }
+        let isValid = false;
+        if (this.config.hashed) {
+            // Compare hashed values
+            const hashedKey = this.hashKey(key);
+            isValid = keys.includes(hashedKey);
+        }
+        else {
+            // Direct comparison
+            isValid = keys.includes(key);
+        }
+        // Custom validation
+        if (this.config.customValidation) {
+            const customValid = await this.config.customValidation(key);
+            isValid = isValid && customValid;
+        }
+        return isValid;
+    }
+    /**
+     * Hash an API key (SHA-256)
+     */
+    static hashKey(key) {
+        return crypto.createHash('sha256').update(key).digest('hex');
+    }
+    /**
+     * Generate a secure API key
+     */
+    static generateKey(prefix = 'sk') {
+        const randomBytes = crypto.randomBytes(32);
+        const key = randomBytes.toString('base64url');
+        return `${prefix}_${key}`;
+    }
+}
+//# sourceMappingURL=apikey-module.js.map

package/dist/core/apikey-module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"apikey-module.js","sourceRoot":"","sources":["../../src/core/apikey-module.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAC1B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAyB5B;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,OAAO,YAAY;IACf,MAAM,CAAC,MAAM,GAAuB;QAC1C,aAAa,EAAE,SAAS;QACxB,UAAU,EAAE,WAAW;QACvB,aAAa,EAAE,QAAQ;QACvB,MAAM,EAAE,KAAK;KACd,CAAC;IAEF;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,MAA0B;QACvC,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,SAAS;QACd,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,OAAO;QACZ,MAAM,IAAI,GAAa,EAAE,CAAC;QAE1B,uBAAuB;QACvB,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACjC,CAAC;QAED,kCAAkC;QAClC,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC9B,IAAI,CAAC,GAAG,CAAC,CAAC;YACV,OAAO,IAAI,EAAE,CAAC;gBACZ,MAAM,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,EAAE,CAAC;gBACnD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAClC,IAAI,CAAC,KAAK;oBAAE,MAAM;gBAClB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBACjB,CAAC,EAAE,CAAC;YACN,CAAC;YAED,sCAAsC;YACtC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YACzD,IAAI,SAAS,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC3C,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAW;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAE5B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,KAAK,CAAC,CAAC,qBAAqB;QACrC,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvB,wBAAwB;YACxB,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACpC,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,oBAAoB;YACpB,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC;QAED,oBAAoB;QACpB,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;YACjC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;YAC5D,OAAO,GAAG,OAAO,IAAI,WAAW,CAAC;QACnC,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,GAAW;QACxB,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC/D,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,SAAiB,IAAI;QACtC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAC3C,MAAM,GAAG,GAAG,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC9C,OAAO,GAAG,MAAM,IAAI,GAAG,EAAE,CAAC;IAC5B,CAAC"}