@objectstack/spec 2.0.4 → 2.0.5

package/dist/security/index.mjs

@@ -0,0 +1,616 @@
+// src/security/permission.zod.ts
+import { z as z3 } from "zod";
+
+// src/shared/identifiers.zod.ts
+import { z } from "zod";
+var SystemIdentifierSchema = z.string().min(2, { message: "System identifier must be at least 2 characters" }).regex(/^[a-z][a-z0-9_.]*$/, {
+  message: 'System identifier must be lowercase, starting with a letter, and may contain letters, numbers, underscores, or dots (e.g., "user_profile" or "order.created")'
+}).describe("System identifier (lowercase with underscores or dots)");
+var SnakeCaseIdentifierSchema = z.string().min(2, { message: "Identifier must be at least 2 characters" }).regex(/^[a-z][a-z0-9_]*$/, {
+  message: 'Identifier must be lowercase snake_case, starting with a letter, and may contain only letters, numbers, and underscores (e.g., "user_profile")'
+}).describe("Snake case identifier (lowercase with underscores only)");
+var EventNameSchema = z.string().min(3, { message: "Event name must be at least 3 characters" }).regex(/^[a-z][a-z0-9_.]*$/, {
+  message: 'Event name must be lowercase with dots for namespacing (e.g., "user.created", "order.paid")'
+}).describe("Event name (lowercase with dot notation for namespacing)");
+
+// src/security/rls.zod.ts
+import { z as z2 } from "zod";
+var RLSOperation = z2.enum(["select", "insert", "update", "delete", "all"]);
+var RowLevelSecurityPolicySchema = z2.object({
+  /**
+   * Unique identifier for this policy.
+   * Must be unique within the object.
+   * Use snake_case following ObjectStack naming conventions.
+   * 
+   * @example "tenant_isolation", "owner_access", "manager_team_view"
+   */
+  name: z2.string().regex(/^[a-z_][a-z0-9_]*$/).describe("Policy unique identifier (snake_case)"),
+  /**
+   * Human-readable label for the policy.
+   * Used in admin UI and logs.
+   * 
+   * @example "Multi-Tenant Data Isolation", "Owner-Based Access"
+   */
+  label: z2.string().optional().describe("Human-readable policy label"),
+  /**
+   * Description explaining what this policy does and why.
+   * Helps with governance and compliance.
+   * 
+   * @example "Ensures users can only access records from their own tenant organization"
+   */
+  description: z2.string().optional().describe("Policy description and business justification"),
+  /**
+   * Target object (table) this policy applies to.
+   * Must reference a valid ObjectStack object name.
+   * 
+   * @example "account", "opportunity", "contact", "custom_object"
+   */
+  object: z2.string().describe("Target object name"),
+  /**
+   * Database operation(s) this policy applies to.
+   * 
+   * - **select**: Controls read access (SELECT queries)
+   * - **insert**: Controls insert access (INSERT statements)
+   * - **update**: Controls update access (UPDATE statements)
+   * - **delete**: Controls delete access (DELETE statements)
+   * - **all**: Applies to all operations
+   * 
+   * @example "select" - Most common, controls what users can view
+   * @example "all" - Apply same rule to all operations
+   */
+  operation: RLSOperation.describe("Database operation this policy applies to"),
+  /**
+   * USING clause - Filter condition for SELECT/UPDATE/DELETE.
+   * 
+   * This is a SQL-like expression evaluated for each row.
+   * Only rows where this expression returns TRUE are accessible.
+   * 
+   * **Note**: For INSERT-only policies, USING is not required (only CHECK is needed).
+   * For SELECT/UPDATE/DELETE operations, USING is required.
+   * 
+   * **Security Note**: RLS conditions are executed at the database level with
+   * parameterized queries. The implementation must use prepared statements
+   * to prevent SQL injection. Never concatenate user input directly into
+   * RLS conditions.
+   * 
+   * **SQL Dialect**: Compatible with PostgreSQL SQL syntax. Implementations
+   * may adapt to other databases (MySQL, SQL Server, etc.) but should maintain
+   * semantic equivalence.
+   * 
+   * Available context variables:
+   * - `current_user.id` - Current user's ID
+   * - `current_user.tenant_id` - Current user's tenant (maps to `tenantId` in RLSUserContext)
+   * - `current_user.role` - Current user's role
+   * - `current_user.department` - Current user's department
+   * - `current_user.*` - Any custom user field
+   * - `NOW()` - Current timestamp
+   * - `CURRENT_DATE` - Current date
+   * - `CURRENT_TIME` - Current time
+   * 
+   * **Context Variable Mapping**: The RLSUserContext schema uses camelCase (e.g., `tenantId`),
+   * but expressions use snake_case with `current_user.` prefix (e.g., `current_user.tenant_id`).
+   * Implementations must handle this mapping.
+   * 
+   * Supported operators:
+   * - Comparison: =, !=, <, >, <=, >=, <> (not equal)
+   * - Logical: AND, OR, NOT
+   * - NULL checks: IS NULL, IS NOT NULL
+   * - Set operations: IN, NOT IN
+   * - String: LIKE, NOT LIKE, ILIKE (case-insensitive)
+   * - Pattern matching: ~ (regex), !~ (not regex)
+   * - Subqueries: (SELECT ...)
+   * - Array operations: ANY, ALL
+   * 
+   * **Prohibited**: Dynamic SQL, DDL statements, DML statements (INSERT/UPDATE/DELETE)
+   * 
+   * @example "tenant_id = current_user.tenant_id"
+   * @example "owner_id = current_user.id OR created_by = current_user.id"
+   * @example "department IN (SELECT department FROM user_departments WHERE user_id = current_user.id)"
+   * @example "status = 'active' AND expiry_date > NOW()"
+   */
+  using: z2.string().optional().describe("Filter condition for SELECT/UPDATE/DELETE (PostgreSQL SQL WHERE clause syntax with parameterized context variables). Optional for INSERT-only policies."),
+  /**
+   * CHECK clause - Validation for INSERT/UPDATE operations.
+   * 
+   * Similar to USING but applies to new/modified rows.
+   * Prevents users from creating/updating rows they wouldn't be able to see.
+   * 
+   * **Default Behavior**: If not specified, implementations should use the
+   * USING clause as the CHECK clause. This ensures data integrity by preventing
+   * users from creating records they cannot view.
+   * 
+   * Use cases:
+   * - Prevent cross-tenant data creation
+   * - Enforce mandatory field values
+   * - Validate data integrity rules
+   * - Restrict certain operations (e.g., only allow creating "draft" status)
+   * 
+   * @example "tenant_id = current_user.tenant_id"
+   * @example "status IN ('draft', 'pending')" - Only allow certain statuses
+   * @example "created_by = current_user.id" - Must be the creator
+   */
+  check: z2.string().optional().describe("Validation condition for INSERT/UPDATE (defaults to USING clause if not specified - enforced at application level)"),
+  /**
+   * Restrict this policy to specific roles.
+   * If specified, only users with these roles will have this policy applied.
+   * If omitted, policy applies to all users (except those with bypassRLS permission).
+   * 
+   * Role names must match defined roles in the system.
+   * 
+   * @example ["sales_rep", "account_manager"]
+   * @example ["employee"] - Apply to all employees
+   * @example ["guest"] - Special restrictions for guests
+   */
+  roles: z2.array(z2.string()).optional().describe("Roles this policy applies to (omit for all roles)"),
+  /**
+   * Whether this policy is currently active.
+   * Disabled policies are not evaluated.
+   * Useful for temporary policy changes without deletion.
+   * 
+   * @default true
+   */
+  enabled: z2.boolean().default(true).describe("Whether this policy is active"),
+  /**
+   * Policy priority for conflict resolution.
+   * Higher numbers = higher priority.
+   * When multiple policies apply, the most permissive wins (OR logic).
+   * Priority is only used for ordering evaluation (performance).
+   * 
+   * @default 0
+   */
+  priority: z2.number().int().default(0).describe("Policy evaluation priority (higher = evaluated first)"),
+  /**
+   * Tags for policy categorization and reporting.
+   * Useful for governance, compliance, and auditing.
+   * 
+   * @example ["compliance", "gdpr", "pci"]
+   * @example ["multi-tenant", "security"]
+   */
+  tags: z2.array(z2.string()).optional().describe("Policy categorization tags")
+}).superRefine((data, ctx) => {
+  if (!data.using && !data.check) {
+    ctx.addIssue({
+      code: z2.ZodIssueCode.custom,
+      message: 'At least one of "using" or "check" must be specified. For SELECT/UPDATE/DELETE operations, provide "using". For INSERT operations, provide "check".'
+    });
+  }
+});
+var RLSConfigSchema = z2.object({
+  /**
+   * Global RLS enable/disable flag.
+   * When false, all RLS policies are ignored (use with caution!).
+   * 
+   * @default true
+   */
+  enabled: z2.boolean().default(true).describe("Enable RLS enforcement globally"),
+  /**
+   * Default behavior when no policies match.
+   * 
+   * - **deny**: Deny access (secure default)
+   * - **allow**: Allow access (permissive mode, not recommended)
+   * 
+   * @default "deny"
+   */
+  defaultPolicy: z2.enum(["deny", "allow"]).default("deny").describe("Default action when no policies match"),
+  /**
+   * Whether to allow superusers to bypass RLS.
+   * Superusers include system administrators and service accounts.
+   * 
+   * @default true
+   */
+  allowSuperuserBypass: z2.boolean().default(true).describe("Allow superusers to bypass RLS"),
+  /**
+   * List of roles that can bypass RLS.
+   * Users with these roles see all records regardless of policies.
+   * 
+   * @example ["system_admin", "data_auditor"]
+   */
+  bypassRoles: z2.array(z2.string()).optional().describe("Roles that bypass RLS (see all data)"),
+  /**
+   * Whether to log RLS policy evaluations.
+   * Useful for debugging and auditing.
+   * Can impact performance if enabled globally.
+   * 
+   * @default false
+   */
+  logEvaluations: z2.boolean().default(false).describe("Log RLS policy evaluations for debugging"),
+  /**
+   * Cache RLS policy evaluation results.
+   * Can improve performance for frequently accessed records.
+   * Cache is invalidated when policies change or user context changes.
+   * 
+   * @default true
+   */
+  cacheResults: z2.boolean().default(true).describe("Cache RLS evaluation results"),
+  /**
+   * Cache TTL in seconds.
+   * How long to cache RLS evaluation results.
+   * 
+   * @default 300 (5 minutes)
+   */
+  cacheTtlSeconds: z2.number().int().positive().default(300).describe("Cache TTL in seconds"),
+  /**
+   * Performance optimization: Pre-fetch user context.
+   * Load user context once per request instead of per-query.
+   * 
+   * @default true
+   */
+  prefetchUserContext: z2.boolean().default(true).describe("Pre-fetch user context for performance")
+});
+var RLSUserContextSchema = z2.object({
+  /**
+   * User ID
+   */
+  id: z2.string().describe("User ID"),
+  /**
+   * User email
+   */
+  email: z2.string().email().optional().describe("User email"),
+  /**
+   * Tenant/Organization ID
+   */
+  tenantId: z2.string().optional().describe("Tenant/Organization ID"),
+  /**
+   * User role(s)
+   */
+  role: z2.union([
+    z2.string(),
+    z2.array(z2.string())
+  ]).optional().describe("User role(s)"),
+  /**
+   * User department
+   */
+  department: z2.string().optional().describe("User department"),
+  /**
+   * Additional custom attributes
+   * Can include any custom user fields for RLS evaluation
+   */
+  attributes: z2.record(z2.string(), z2.unknown()).optional().describe("Additional custom user attributes")
+});
+var RLSEvaluationResultSchema = z2.object({
+  /**
+   * Policy name that was evaluated
+   */
+  policyName: z2.string().describe("Policy name"),
+  /**
+   * Whether access was granted
+   */
+  granted: z2.boolean().describe("Whether access was granted"),
+  /**
+   * Evaluation duration in milliseconds
+   */
+  durationMs: z2.number().optional().describe("Evaluation duration in milliseconds"),
+  /**
+   * Error message if evaluation failed
+   */
+  error: z2.string().optional().describe("Error message if evaluation failed"),
+  /**
+   * Evaluated USING clause result
+   */
+  usingResult: z2.boolean().optional().describe("USING clause evaluation result"),
+  /**
+   * Evaluated CHECK clause result (for INSERT/UPDATE)
+   */
+  checkResult: z2.boolean().optional().describe("CHECK clause evaluation result")
+});
+var RLS = {
+  /**
+   * Create a simple owner-based policy
+   */
+  ownerPolicy: (object, ownerField = "owner_id") => ({
+    name: `${object}_owner_access`,
+    label: `Owner Access for ${object}`,
+    object,
+    operation: "all",
+    using: `${ownerField} = current_user.id`,
+    enabled: true,
+    priority: 0
+  }),
+  /**
+   * Create a tenant isolation policy
+   */
+  tenantPolicy: (object, tenantField = "tenant_id") => ({
+    name: `${object}_tenant_isolation`,
+    label: `Tenant Isolation for ${object}`,
+    object,
+    operation: "all",
+    using: `${tenantField} = current_user.tenant_id`,
+    check: `${tenantField} = current_user.tenant_id`,
+    enabled: true,
+    priority: 0
+  }),
+  /**
+   * Create a role-based policy
+   */
+  rolePolicy: (object, roles, condition) => ({
+    name: `${object}_${roles.join("_")}_access`,
+    label: `${roles.join(", ")} Access for ${object}`,
+    object,
+    operation: "select",
+    using: condition,
+    roles,
+    enabled: true,
+    priority: 0
+  }),
+  /**
+   * Create a permissive policy (allow all for specific roles)
+   */
+  allowAllPolicy: (object, roles) => ({
+    name: `${object}_${roles.join("_")}_full_access`,
+    label: `Full Access for ${roles.join(", ")}`,
+    object,
+    operation: "all",
+    using: "1 = 1",
+    // Always true
+    roles,
+    enabled: true,
+    priority: 0
+  })
+};
+
+// src/security/permission.zod.ts
+var ObjectPermissionSchema = z3.object({
+  /** C: Create */
+  allowCreate: z3.boolean().default(false).describe("Create permission"),
+  /** R: Read (Owned records or Shared records) */
+  allowRead: z3.boolean().default(false).describe("Read permission"),
+  /** U: Edit (Owned records or Shared records) */
+  allowEdit: z3.boolean().default(false).describe("Edit permission"),
+  /** D: Delete (Owned records or Shared records) */
+  allowDelete: z3.boolean().default(false).describe("Delete permission"),
+  /** Lifecycle Operations */
+  allowTransfer: z3.boolean().default(false).describe("Change record ownership"),
+  allowRestore: z3.boolean().default(false).describe("Restore from trash (Undelete)"),
+  allowPurge: z3.boolean().default(false).describe("Permanently delete (Hard Delete/GDPR)"),
+  /** 
+   * View All Records: Super-user read access. 
+   * Bypasses Sharing Rules and Ownership checks.
+   * Equivalent to Microsoft Dataverse "Organization" level read access.
+   */
+  viewAllRecords: z3.boolean().default(false).describe("View All Data (Bypass Sharing)"),
+  /** 
+   * Modify All Records: Super-user write access. 
+   * Bypasses Sharing Rules and Ownership checks.
+   * Equivalent to Microsoft Dataverse "Organization" level write access.
+   */
+  modifyAllRecords: z3.boolean().default(false).describe("Modify All Data (Bypass Sharing)")
+});
+var FieldPermissionSchema = z3.object({
+  /** Can see this field */
+  readable: z3.boolean().default(true).describe("Field read access"),
+  /** Can edit this field */
+  editable: z3.boolean().default(false).describe("Field edit access")
+});
+var PermissionSetSchema = z3.object({
+  /** Unique permission set name */
+  name: SnakeCaseIdentifierSchema.describe("Permission set unique name (lowercase snake_case)"),
+  /** Display label */
+  label: z3.string().optional().describe("Display label"),
+  /** Is this a Profile? (Base set for a user) */
+  isProfile: z3.boolean().default(false).describe("Whether this is a user profile"),
+  /** Object Permissions Map: <entity_name> -> permissions */
+  objects: z3.record(z3.string(), ObjectPermissionSchema).describe("Entity permissions"),
+  /** Field Permissions Map: <entity_name>.<field_name> -> permissions */
+  fields: z3.record(z3.string(), FieldPermissionSchema).optional().describe("Field level security"),
+  /** System permissions (e.g., "manage_users") */
+  systemPermissions: z3.array(z3.string()).optional().describe("System level capabilities"),
+  /** 
+   * Row-Level Security Rules
+   * 
+   * Row-level security policies that filter records based on user context.
+   * These rules are applied in addition to object-level permissions.
+   * 
+   * Uses the canonical RLS protocol from rls.zod.ts for comprehensive
+   * row-level security features including PostgreSQL-style USING and CHECK clauses.
+   * 
+   * @see {@link RowLevelSecurityPolicySchema} for full RLS specification
+   * @see {@link file://./rls.zod.ts} for comprehensive RLS documentation
+   * 
+   * @example Multi-tenant isolation
+   * ```typescript
+   * rls: [{
+   *   name: 'tenant_filter',
+   *   object: 'account',
+   *   operation: 'select',
+   *   using: 'tenant_id = current_user.tenant_id'
+   * }]
+   * ```
+   */
+  rowLevelSecurity: z3.array(RowLevelSecurityPolicySchema).optional().describe("Row-level security policies (see rls.zod.ts for full spec)"),
+  /**
+   * Context-Based Access Control Variables
+   * 
+   * Custom context variables that can be referenced in RLS rules.
+   * These variables are evaluated at runtime based on the user's session.
+   * 
+   * Common context variables:
+   * - `current_user.id` - Current user ID
+   * - `current_user.tenant_id` - User's tenant/organization ID
+   * - `current_user.department` - User's department
+   * - `current_user.role` - User's role
+   * - `current_user.region` - User's geographic region
+   * 
+   * @example Custom context
+   * ```typescript
+   * contextVariables: {
+   *   allowed_regions: ['US', 'EU'],
+   *   access_level: 2,
+   *   custom_attribute: 'value'
+   * }
+   * ```
+   */
+  contextVariables: z3.record(z3.string(), z3.unknown()).optional().describe("Context variables for RLS evaluation")
+});
+
+// src/security/sharing.zod.ts
+import { z as z4 } from "zod";
+var OWDModel = z4.enum([
+  "private",
+  // Only owner can see
+  "public_read",
+  // Everyone can see, owner can edit
+  "public_read_write",
+  // Everyone can see and edit
+  "controlled_by_parent"
+  // Access derived from parent record (Master-Detail)
+]);
+var SharingRuleType = z4.enum([
+  "owner",
+  // Based on record ownership (Role Hierarchy)
+  "criteria"
+  // Based on field values (e.g. Status = 'Open')
+]);
+var SharingLevel = z4.enum([
+  "read",
+  // Read Only
+  "edit",
+  // Read / Write
+  "full"
+  // Full Access (Transfer, Share, Delete)
+]);
+var ShareRecipientType = z4.enum([
+  "user",
+  "group",
+  "role",
+  "role_and_subordinates",
+  "guest"
+  // for public sharing
+]);
+var BaseSharingRuleSchema = z4.object({
+  // Identification
+  name: z4.string().regex(/^[a-z_][a-z0-9_]*$/).describe("Unique rule name (snake_case)"),
+  label: z4.string().optional().describe("Human-readable label"),
+  description: z4.string().optional().describe("Administrative notes"),
+  // Scope
+  object: z4.string().describe("Target Object Name"),
+  active: z4.boolean().default(true),
+  // Access
+  accessLevel: SharingLevel.default("read"),
+  // Recipient (Whom to share with)
+  sharedWith: z4.object({
+    type: ShareRecipientType,
+    value: z4.string().describe("ID or Code of the User/Group/Role")
+  }).describe("The recipient of the shared access")
+});
+var CriteriaSharingRuleSchema = BaseSharingRuleSchema.extend({
+  type: z4.literal("criteria"),
+  condition: z4.string().describe(`Formula condition (e.g. "department = 'Sales'")`)
+});
+var OwnerSharingRuleSchema = BaseSharingRuleSchema.extend({
+  type: z4.literal("owner"),
+  ownedBy: z4.object({
+    type: ShareRecipientType,
+    value: z4.string()
+  }).describe("Source group/role whose records are being shared")
+});
+var SharingRuleSchema = z4.discriminatedUnion("type", [
+  CriteriaSharingRuleSchema,
+  OwnerSharingRuleSchema
+]);
+
+// src/security/territory.zod.ts
+import { z as z5 } from "zod";
+var TerritoryType = z5.enum([
+  "geography",
+  // Region/Country/City
+  "industry",
+  // Vertical
+  "named_account",
+  // Key Accounts
+  "product_line"
+  // Product Specialty
+]);
+var TerritoryModelSchema = z5.object({
+  name: z5.string().describe("Model Name (e.g. FY24 Planning)"),
+  state: z5.enum(["planning", "active", "archived"]).default("planning"),
+  startDate: z5.string().optional(),
+  endDate: z5.string().optional()
+});
+var TerritorySchema = z5.object({
+  /** Identity */
+  name: SnakeCaseIdentifierSchema.describe("Territory unique name (lowercase snake_case)"),
+  label: z5.string().describe('Territory Label (e.g. "West Coast")'),
+  /** Structure */
+  modelId: z5.string().describe("Belongs to which Territory Model"),
+  parent: z5.string().optional().describe("Parent Territory"),
+  type: TerritoryType.default("geography"),
+  /** 
+   * Assignment Rules (The "Magic")
+   * How do accounts automatically fall into this territory?
+   * e.g. "BillingCountry = 'US' AND BillingState = 'CA'"
+   */
+  assignmentRule: z5.string().optional().describe("Criteria based assignment rule"),
+  /**
+   * User Assignment
+   * Users assigned to work this territory.
+   */
+  assignedUsers: z5.array(z5.string()).optional(),
+  /** Access Level */
+  accountAccess: z5.enum(["read", "edit"]).default("read"),
+  opportunityAccess: z5.enum(["read", "edit"]).default("read"),
+  caseAccess: z5.enum(["read", "edit"]).default("read")
+});
+
+// src/security/policy.zod.ts
+import { z as z6 } from "zod";
+var PasswordPolicySchema = z6.object({
+  minLength: z6.number().default(8),
+  requireUppercase: z6.boolean().default(true),
+  requireLowercase: z6.boolean().default(true),
+  requireNumbers: z6.boolean().default(true),
+  requireSymbols: z6.boolean().default(false),
+  expirationDays: z6.number().optional().describe("Force password change every X days"),
+  historyCount: z6.number().default(3).describe("Prevent reusing last X passwords")
+});
+var NetworkPolicySchema = z6.object({
+  trustedRanges: z6.array(z6.string()).describe("CIDR ranges allowed to access (e.g. 10.0.0.0/8)"),
+  blockUnknown: z6.boolean().default(false).describe("Block all IPs not in trusted ranges"),
+  vpnRequired: z6.boolean().default(false)
+});
+var SessionPolicySchema = z6.object({
+  idleTimeout: z6.number().default(30).describe("Minutes before idle session logout"),
+  absoluteTimeout: z6.number().default(480).describe("Max session duration (minutes)"),
+  forceMfa: z6.boolean().default(false).describe("Require 2FA for all users")
+});
+var AuditPolicySchema = z6.object({
+  logRetentionDays: z6.number().default(180),
+  sensitiveFields: z6.array(z6.string()).describe("Fields to redact in logs (e.g. password, ssn)"),
+  captureRead: z6.boolean().default(false).describe("Log read access (High volume!)")
+});
+var PolicySchema = z6.object({
+  name: z6.string().regex(/^[a-z_][a-z0-9_]*$/).describe("Policy Name"),
+  password: PasswordPolicySchema.optional(),
+  network: NetworkPolicySchema.optional(),
+  session: SessionPolicySchema.optional(),
+  audit: AuditPolicySchema.optional(),
+  /** Assignment */
+  isDefault: z6.boolean().default(false).describe("Apply to all users by default"),
+  assignedProfiles: z6.array(z6.string()).optional().describe("Apply to specific profiles")
+});
+export {
+  AuditPolicySchema,
+  CriteriaSharingRuleSchema,
+  FieldPermissionSchema,
+  NetworkPolicySchema,
+  OWDModel,
+  ObjectPermissionSchema,
+  OwnerSharingRuleSchema,
+  PasswordPolicySchema,
+  PermissionSetSchema,
+  PolicySchema,
+  RLS,
+  RLSConfigSchema,
+  RLSEvaluationResultSchema,
+  RLSOperation,
+  RLSUserContextSchema,
+  RowLevelSecurityPolicySchema,
+  SessionPolicySchema,
+  ShareRecipientType,
+  SharingLevel,
+  SharingRuleSchema,
+  SharingRuleType,
+  TerritoryModelSchema,
+  TerritorySchema,
+  TerritoryType
+};
+//# sourceMappingURL=index.mjs.map